Re: [pfSense] WiFi with Compex WLE600VX card
Hi Alex

On 24.01.2016 at 14:05, Alexander Hofmann wrote:
[...]
> The device shows up as:
> none1@pci0:4:0:0:
> class=0x028000 card=0x chip=0x003c168c rev=0x00 hdr=0x00
> but no device driver is associated with the device.
>
> Does anyone of you know if this device is already supported by
> FreeBSD/pfSense and can give me a hint?

Doesn't seem to be even remotely supported by FreeBSD-CURRENT as of writing. However, a quick Google search revealed this:
https://github.com/erikarn/otus/blob/master/otus/freebsd/src/sys/dev/athp/if_athp_pci.c

If Adrian Chadd's writing in the root of his git repository is still up-to-date, then it means that he is / was working at some time in late 2015 on updating some Qualcomm Atheros drivers, and it happens that your device at least gets mentioned there. I'm not into drivers and can't tell you anything about the state.

> If not: do you know if this device will be supported in a future release?

*cough* talk Adrian into polishing / finishing the port *cough*, be his guinea pig, send him a sample card if he hasn't that particular card at hand. I'd say that FreeBSD owes a couple of not-so unimportant wireless advancements to Adrian, so be nice to him. :-)

Other than that, you might check the pfSense FreeBSD source tree, which contains the patches and backported drivers, to see what cards are really already supported.

--
Mathieu
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] SCVMM Agent
Hi,

On 09.01.2016 at 18:47, Jim Thompson wrote:
> We have an official image for Azure coming.
> Should be available soon. We're in final stages with Microsoft.

That's one thing, but the OP is asking about the SCVMM agent, that's another (additional thing) on top of Hyper-V integration services.

I don't use SCVMM, but was able to get hold of the install ISO and check a bit against the documentation for SCVMM 2012 R2.

From what I saw, the Linux scvmmagent installer archives it contains have some scripts looking for /bin/bash and at least one binary called scvmmagent.bin which definitely is compiled for Linux, not FreeBSD. The scripts seem to look for some (Linux) distro-specific locations, nothing mentioned about FreeBSD. pfSense neither ships bash, nor linux.ko for Linux ABI compatibility etc.

In contrast to the Hyper-V integration stuff, these bits are definitely closed source and available to those with a license for SCVMM. Maybe ESF has possibilities to work with MS, but I doubt that MS are already working on supporting FreeBSD with SCVMM. I also doubt that ESF would be very happy to ship linux.ko + linux_base + bash (+ maybe else + some hackeries) with pfSense just for this one agent.

--
Mathieu
Re: [pfSense] github.com/google/google-authenticator/ on pfSense 2.2x
Hi

On 13.10.2015 at 14:30, Olivier Mascia wrote:
> I guess I first need to setup a development environment en BSD, then I should
> be flying?

Seems to build here (simply following the instructions, without testing).

Ideally by getting a FreeBSD (virtual) machine running the same or closest-to what pfSense's base is. That would be like FreeBSD 10.2.

> Are there some recommended guidelines for porting and debugging (if needed)
> things to the specific BSD environment of pfSense 2.2x?

It seems that a port actually exists already:
https://www.freshports.org/security/pam_google_authenticator/

See if it's in an updated and working shape for your usage; you can likely install it from the binary packages repo. Otherwise, if you need to tweak it (it was last updated 2014), consider the Porter's Handbook.

--
Mathieu
[pfSense] Question on WiFi frequency change
Hi there

I've an ALIX board still doing its daily routing job on pfSense 2.2.4, where a MiniPCI card serves as simple AP. I recently swapped out the Atheros 802.11abg card for an AR9220-based Compex WLM200NX while I was upgrading to a faster CF card.

Almost all settings from the previous card were imported properly; (almost) all I had to select was the channel/frequency.

What happened was that the card came up on the selected 5GHz channel, but since I had a (single) 2.4GHz client I had to switch back to 2.4GHz for now. Now I realized that the card, even after applying the (several different) frequency settings, stayed on the first 5GHz channel when checking ifconfig's output. The channel switching got applied after I had rebooted pfSense.

Could anyone with a miniPCI(e) card confirm this behaviour?

- Get a console on your pfSense box and get the output of ifconfig, where for ath_wlan you can see the current channel.
- In the UI switch to another frequency (maybe 2.4 -> 5 like myself) and apply the settings.
- Check the output of ifconfig again.

I'd be interested to know what you're seeing.

Thanks,
Mat
Re: [pfSense] NetFlow analysis tools
Hi

On 15.01.2015 at 17:08, b...@todoo.biz wrote:
> I am particularly interested in GUI back-end.

For a students project on the Uni's HPC cluster, co-students and I were also looking at first for such a tool and stumbled on FlowViewer, used and largely developed at NASA ESDIS:
http://sourceforge.net/projects/flowviewer/

FlowViewer was a beast to compile from source, but we made it run and it looked pretty good including graphs and had quite some documentation. Its collector side supports NetFlow 5, 9 and IPFIX.

Back then when we looked at it, it looked promising but too big for our needs of a 1-semester project. If it would have been for a serious deployment, we may have ended up with that.

Because of our tight schedule and the excellent examples found in 'Network Flow Analysis' from the known BSD author Michael W. Lucas, we ended up filtering our NetFlow 5 data using good ol' flow-tools and plotting data with gnuplot for our final report.

--
Mathieu
Re: [pfSense] OT: Good network switch for 10 machines?
On 25.09.2014 at 12:50, Josh Reynolds wrote:
> EdgeRouters offer great performance and a good featureset, although for
> hardcore business/commercial use, there's still some things missing
> (features similar to carp/pfsync, HA, needs redundant power supply
> options, etc.).

Just as a reminder: EdgeOS, the OS on Ubiquiti routers (a Ubiquiti-internal Vyatta fork), is NOT what runs EdgeSwitches. I remember reading on their forums that we can assume (strong CLI similarity w. Netgear) that they run a branded Broadcom FastPath switching software. Netgear managed switches definitely run on FastPath (do an snmpwalk). FastPath itself often runs on top of an embedded Linux.

For Ubiquiti's wireless stuff, I agree, they don't do everything as good as other big players, but at the price they offer their devices, they offer a lot of bang for the buck with ease of management.

I've given a look at the EdgeSwitches but the following downsides made me a bit hesitant:

- Almost no documentation, no CLI reference manual (yet). Cisco, HP, even Netgear have such documents; they are not only handy, but quite essential to look up i.e. default behaviour. Not all mentioned do top-notch documentation, but at least it's there.
- No console port on current shipping models, though I've seen they strongly considered adding one in future revisions. On a managed switch with CLI, it's quite a must (at least for me).
- Fan control seems to be absent, they tend to run quite noisy.

>
> They are incredibly fast though, and Dave Taht (cero-wrt fame,
> bufferbloat project) has been working with the directly to get fq_codel
> added in.

For the EdgeOS yes, they seem to be loosely tracking and sometimes even contributing back to the open source Vyatta fork VyOS (by looking at the VyOS release notes).

--
Mathieu
Re: [pfSense] [SOLVED] Re: Captive portal and RADIUS authentication
Hi Nicola

On 11.07.2014 11:04, Nicola Ferrari (#554252) wrote:
> OK, now it's working with NDS Radius on Win2008R2 and radius settings
> directly in Captive Portal.
>
> I think the problem was simply a "too strong"/too long shared secret
> with non standard characters such as @, commas and others...
> maybe encoding problems??

Very likely, even on other environments it happens that the supplicant doesn't handle encoding as you'd expect. Some OS X versions had issues with special characters as well, and users were unable to connect via WiFi unless they removed those special characters from their passwords.

Glad to hear you worked out a solution for your environment and thanks for sharing your howto with NPS and pfSense captive portal. :-)

--
Mathieu
Re: [pfSense] Captive portal and RADIUS authentication
Hi Nicola

On 10.07.2014 12:31, Nicola Ferrari (#554252) wrote:
> I tried to config the internal freeradius2 package with ldap to
> interface with the win2008ad, but it doesn't seem to work.

Because it cannot verify passwords in LDAP, as AD doesn't store passwords in plaintext, which is what FreeRADIUS would do against an LDAP server. If you have a standalone RADIUS server on BSD/Linux you have to use Samba and let FreeRADIUS check the passwords with 'ntlm_auth', which is part of Samba. I guess Brian is using FreeRADIUS locally with a local user database; that should work as is.

Since FR with AD is one of the most-asked questions on, the FR developers have made pretty comprehensive howtos for that precise use-case (freeradius.org wiki and Alan Dekok's deployingradius.com).

I don't think installing a full-blown Samba on pfSense is what you want (there is no binary Samba package for pfSense either).

> could you please explain me your config?

I guess since you have an NPS up and running that it's better to try this route. Are you positive that you entered the hostname or IP, port and shared secret in Service: Captive portal: ? I'm asking since your initial error message with PAP told you so.

You mention configuring RADIUS in User management -> Servers. In my understanding this can be used for admin access, VPN etc., but captive portal is independent. That's why there are the fields in the captive portal to use RADIUS and then a place to put the IP/port/shared secret.

In fact I configured a pfSense box to authenticate admins against an existing AD so they don't get used to logging in as root (and if someone breaks things we know who it was, not just admin/root), and that was simply by using LDAP authentication, no extra RADIUS required in this case.

Hope that helps a little

--
Mathieu
Re: [pfSense] pkg_add
Hi Martin

On 09.07.2014 16:30, Martin Fuchs wrote:
> Is there a possibility to install a package from the ports tree for testing
> purposes ?

Just a search away... (1)

Technically yes, but not directly from the base OS; you'll need a FreeBSD 8.3 machine to build packages for. Remember that pfSense 2.1 is based on 8.3 and that the current ports tree has removed support for this FreeBSD release. You'll have to use an older version of the ports tree. Read more here in the forums (2) concerning this topic.

> Somethink like pkg_add or else ?

Also a search away... (3)

pkg_add is available right in the base OS. However again: pkg_tools will be phased out this year too in favour of pkg-ng (4). pfSense 2.1 is a quite nicely up-to-date-patched 8.3 but the base is aging. That is why 2.2 is going to be based on 10.x :-) Currently no pkg-ng is inside the pfSense base system.

Be cautious with it (i.e. installing things that depend on openssl from ports, as some software inside the base OS does use OpenSSL from ports located in /usr/local/ (i.e. OpenVPN)). If you overwrite it with your own it will likely break things in the base OS.

--
Mathieu

(1) https://doc.pfsense.org/index.php/Can_I_use_FreeBSD_ports_with_pfSense
(2) https://forum.pfsense.org/index.php?topic=77406.0
(3) https://doc.pfsense.org/index.php/Installing_FreeBSD_Packages
(4) http://blogs.freebsdish.org/portmgr/2014/02/03/time-to-bid-farewell-to-the-old-pkg_-tools/
Re: [pfSense] Thermal Sensors
On 02.06.2014 10:33, Ulrik Lunddahl wrote:
> Are you running pfSense as a VM?
>
> In that case you will not be able to, as HOST hardware instrumentations is
> not propagated to VM's.

Yup, the OP won't be able to if this is the case; for a physical installation of pfSense there is something the OP should be able to do. I haven't read through the results of last month's thread on this machine, anyhow for a physical installation of pfSense...

>> What's the trick to get the thermal sensors to work on pfSense? I'm using a
>> power edge 2850 and they clearly show up in VMWare 4.1

Magical Google search words: "pfSense sensors" ;-)

See: https://doc.pfsense.org/index.php/What_Hardware_Monitoring_Is_Supported

In short: You should be able to get the CPU thermal sensor shown in the UI; for this, enable loading the coretemp (Intel CPUs) module in Systems -> Advanced -> Miscellaneous.

However, when it comes to ACPI or IPMI sensors, well then it's more about luck if you can get them working / if FreeBSD understands your hardware (as the docs page states). You might want to more specifically search on FreeBSD list/forum archives.

(AFAIK) FreeBSD still doesn't have an equivalent to Linux lm-sensors or OpenBSD's sensorsd(8).

--
Mathieu
Re: [pfSense] apu.4c silently dies
Hi mayak

> Many roads lead to ... gut says SSD - I'd try running off CD first.

Seems apu1.4c (guess that's what you meant) has a SATA port, now you only need to find a way for powering a desktop CD/DVD drive (i.e. spare ATX power supply).

> On Mon, May 19, 2014 at 10:15 PM, mayak wrote:
>
>> hi all,
>>
>> i have a new apu.4c with a Kingston SSD
>>
>> unit will run sometimes for days, or sometimes for several hours, before
>> becoming unresponsive:
>>
>> - no mac response from ethernet cards
>> - serial console dies -- no errors displayed

Have you actually left the serial console attached and kept logging the output? I did that once with a whacky but important network switch since syslog didn't give enough info. (i.e. tools like PuTTY can log output to a text file)

>> - no errors in system log
>> - no crash report on reboot

Another idea would be to set up remote syslog logging so you can possibly store more data off the device than is staying within the circular logging on the box.

>>
>> what is the best approach to finding out what is happening?

Ideally if someone knows how to set up a serial crash console, but I'm not knowledgeable enough in this area :-\

--
Mathieu

P.S. I don't know if that makes any difference but it seems PC Engines is still labeling APU's BIOS as beta so you might want to check out (http://pcengines.ch/apu1c4.htm)
Re: [pfSense] supermicro A1SRI-2758F-O igb0: Could not setup recieve structures
Hi Kevin

On 12.05.2014 09:34, Kevin Boatswain wrote:
>
> Thank you for the response I wasn't sure if anyone would be up at this time
> to help (2:30 am central time us where i am at).

That's when it's morning in other regions.

>
> I ended up trying these settings in the /boot/loader.conf.local
>
> kern.ipc.nmbclusters="131072"
> hw.igb.num_queues=4

Depending on available memory, look at the mbuf usage in the pfSense UI; if it exhausts it under load, increase it, otherwise leave as is. However, i.e. for 10GE adapters Intel recommends a larger nmbcluster size.*

> I however am not sure if these settings are appropiate for my setup or not.

There is no patented recipe for this, however the values in the pfSense Wiki correlate with other known good values shared in the FreeBSD universe (i.e. FreeNAS). So they must be pretty much proven / OK.

> My box does currently have 4 igb nics (intel i354 x 4) and also currently
> has 8 cores (c2756) .
>
> Does this mean I should try hw.igb.num_queues=8 instead of
> hw.igb.num_queues=4 ?

Also here it depends: Test and see if you are fine with the results, otherwise tune. It depends on the workload you throw at the box and also how many other services you gonna run on it.

> I am not familiar with these settings just trying to figure out what
> settings I should apply for stability and out of the box performance.

I wasn't too and neither am familiar now. The base pfSense settings are often chosen on the basis of less-powerful boxes ** (to not exhaust limited resources), that's why you have to tune things a bit.

--
Mathieu

* http://downloadmirror.intel.com/14688/eng/README.txt
** Something like choosable pre-tunings for slower or larger systems would be interesting. :-)
Re: [pfSense] supermicro A1SRI-2758F-O igb0: Could not setup recieve structures
Hi Kevin

On 12.05.2014 08:37, Kevin Boatswain wrote:
> Has anyone that recently build or purchased the supermicro 2758 (Rangley)
> seen these errors before?
>
> This box would be somewhat identical to what is sold in the pfsense store
> and netgate minus the support and custom tuning,
>
> http://store.netgate.com/Firewall/C2758.aspx
>
> http://store.pfsense.org/c2758/
>
>
>
> I seem to get the message "*igb0: Could not setup recieve structures*"
> multiple times on my LAN interface.
>
> I found this case documented here as a bug for the igb driver but it has
> been marked as resolve and is over three years old so didnt figure it was
> still a problem.
>
> https://redmine.pfsense.org/issues/1221

I've seen such errors on a system with quad i350 NICs where I could only enable 2 out of 4 ports, if I remember correctly. Have you tried the loader.conf.local changes as referenced in the bug tracker?

Also see the wiki on this topic:
https://doc.pfsense.org/index.php/Tuning_and_Troubleshooting_Network_Cards

If you have built it yourself you don't have a Netgate-flavoured but a vanilla image; the images on Netgate appliances (as Jim T. mentioned once on the list) contain some pre-tuning in order to run pfSense smoothly out-of-the-box. The tuning is specific per system, which is why it isn't applied to the standard image.

--
Mathieu
Re: [pfSense] Intel Pro/1000 PT Quad Port PCI-e Gigabit Ethernet
On 10.05.2014 00:34, Chris Bagnall wrote:
> On 9 May 2014, at 23:25, Dave Warren wrote:
>> I'm looking on eBay as well, it's worth the gamble vs buying new.
>
> Not pfSense-specific, but I've used quite a few from eBay (both dual and quad
> port cards) in generic FreeBSD installs and not had a problem with them.
>
> As others have said, they're so cheap (by comparison to new prices) on eBay
> that it's a gamble worth taking.

Those cards were launched between 7-9 years ago and some of the models are now EoL-ed by Intel; the servers that had them installed are now aged too, that's why they become easily available. (look at http://ark.intel.com/)

A more modern I350-T4 uses less power (5 instead of 12W for the PT quad) and has some fancy virtualization features. Other than that - solid and almost-never failing cards.

HCL: If it's listed it means someone reported it was actually working with FreeBSD. Sometimes you can find out about it when searching for the network controller on the card. pfSense 2.1.1+ ships with quite recent Intel NIC drivers, even I210 (2013) are supported.

--
Mathieu
Re: [pfSense] HP DL160 for pfSense in a datacenter
On 23.04.2014 15:24, Erik Anderson wrote:
> On Wed, Apr 23, 2014 at 8:14 AM, mayak wrote:
>> The machine has one of those stupid raid chips that works for software
>> raid -- pfSense knows about these kinds of cards, but nonetheless, I
>> would like to make this machine as bullet proof as possible (in terms of
>> disk failure).
>
> You're not going to want to hear this, but...
>
> ...purchase a real hardware RAID card. FakeRAID cards are horrible,
> and I'd never trust them for something as critical as a
> firewall/router device. You don't need anything fancy - you should be
> able to source a used RAID controller for a very reasonable price.

Unfortunately you don't tell us what controller (dmesg ?) it is nor the DL160's generation (G6, G7...). Some of those lower-end rack servers are able to run in plain AHCI (if SATA) or SAS HBA-mode (i.e. LSI's in IT-mode). If that is possible you may just go with that and install pfSense on a geom mirror. The installer should (if I remember right) have such an option.

--
Mathieu
Re: [pfSense] Netgate's customized pfSense release
On 13.02.2014 17:54, Andrew Hull wrote:
> [...] I've noticed that the pfSense pre-install image was
> customized with Netgate branding and the firmware auto-update mechanism
> was set to a Netgate URL.
>
> Has this been discussed on the list before?

I don't think often, for what I can remember.

>
> My knee jerk reaction is that this is A Bad Thing(tm), and I reloaded
> the devices with images from ESF. Does anyone here have a strong opinion
> one way or the other?

No worries, that's how open source works, and in case of the BSD license there are almost all liberties to do derivative products, as long as you follow minimal rules and trademark (pfSense and the logo are trademarks of ESF). Netgate allows you to run what image you like, other (non pfSense) appliance vendors are way less nice :-)

Common guess: Beyond branding, their images may contain pre-done tuning for the hardware that makes it perform at its best without extra user intervention. In comparison, at one place I have a 3-letter brand server running pfSense and I had to spend some time on loader.conf.local and tunings to make all NICs work and work good (props to ESF staff who assisted).

Quick history: BSD Perimeter moved from Kentucky (in 2012) to Texas and reinstated as ESF. Jim Thompson from Netgate (also Texas) got involved with ESF, he is actually active in both companies. That may explain why Netgate is permitted to redistribute modified images without the need to rename the resulting product binaries or replacing the logos. (Jim, correct me, I'm writing this out of my memory, I remember there was once a post or a mailing list discussion)

--
Mat
Re: [pfSense] Recent FreeBSD Security Vulnerabilities
Hi

In addition to Moshe's answer, they're working hard on fixing a couple of bugs that were detected in 2.1 as well as including the FreeBSD advisories where applicable, read:
https://doc.pfsense.org/index.php/2.1.1_New_Features_and_Changes
and follow the discussion in the Development and Documentation section of the forum.

--
Mat