Re: [pfSense Support] Re: ntp startup question
On 4/5/06, Vivek Khera <[EMAIL PROTECTED]> wrote:
> ISC's ntp is well known and understood and considered very accurate.
> I see no other choice.

After Running OpenNTP for a while now, I feel less uncomfortable with it - after the first 12 hours or so, the clock swings (+/-12ms) evened out, and it's staying quite comfortably within +/- 2-3ms with very little jitter. In the following output of 'ntpq -c peers', the system in question is 'balrog-priv'; note the odd reference clock - I think that's an artifact of the minimal implementation that doesn't allow that level of querying. In fact, for the most part it seems to stay well within 1ms (it refers to no-such-system, dies-irae, and the local system I'm querying from).

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 localhost       .INIT.          16 l    - 1024    0    0.000    0.000 4000.00
+balrog-priv     17.4.247.255     5 u  125 1024  377    0.182   -0.056   0.040
-no-such-system  192.168.225.101  3 u  129 1024  377    0.527    2.654   0.171
-dies-irae       192.168.225.102  4 u  129 1024  377    1.359   -1.548   0.216
-helmsdeep       192.168.225.101  3 u   69 1024  377    0.312   -1.994   0.200
-barad-dur       192.168.132.249  4 u  115 1024  377    0.243   -1.300   0.401
-orthanc         192.168.225.101  3 u  114 1024  377    4.282    0.208   0.017
*bo-peep         192.168.225.101  3 u   49 1024  377    0.887   -0.048   0.046
-sheep           192.168.192.60   3 u   75 1024  377    0.657   -0.695   0.073
-sparky          192.168.225.102  4 u  113 1024  377    0.992   -1.055   1.515
-trogdor         192.168.252.191  4 u   14 1024  377    0.960   -4.816   0.671
+pudge           192.168.225.101  3 u  128 1024  377    0.489   -0.214   0.132
Re: [pfSense Support] Re: ntp startup question
On 4/11/06, Randy B <[EMAIL PROTECTED]> wrote:
> On 4/5/06, Vivek Khera <[EMAIL PROTECTED]> wrote:
> > ISC's ntp is well known and understood and considered very accurate.
> > I see no other choice.
>
> After Running OpenNTP for a while now, I feel less uncomfortable with it -
> after the first 12 hours or so, the clock swings (+/-12ms) evened out, and
> it's staying quite comfortably within +/- 2-3ms with very little jitter. In
> the following output of 'ntpq -c peers', the system in question is
> 'balrog-priv'; note the odd reference clock - I think that's an artifact of
> the minimal implementation that doesn't allow that level of querying. In
> fact, for the most part it seems to stay well within 1ms (it refers to
> no-such-system, dies-irae, and the local system I'm querying from).

I might have to give it a try on my boxes (running OpenBSD) at work. ISC ntpd can't keep the clock sync'd when you have lots of jitter (which we do - due to traffic loads on the box trying to be sync'd). It eventually gives up attempting to sync the clock. A ntp daemon "that works" is better than an ntp daemon that when it works, is millisecond precise, but "doesn't work".

FWIW, when a carp pair gets its dates out of sync by more than a second or two, hilarity ensues and it's _not_ a pretty sight (that was my joy first thing yesterday morning).

--Bill

To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
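One way to check a peer listing like the one quoted in this thread against an offset tolerance, added here as an example (not code from any poster or from pfSense). The sample rows are copied from the listing above; the function names and the tolerance values passed in are assumptions.

```python
# Constructed sample: header plus four rows taken from the peer listing
# quoted in the thread above.
SAMPLE = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 localhost       .INIT.          16 l    - 1024    0    0.000    0.000 4000.00
+balrog-priv     17.4.247.255     5 u  125 1024  377    0.182   -0.056   0.040
*bo-peep         192.168.225.101  3 u   49 1024  377    0.887   -0.048   0.046
-trogdor         192.168.252.191  4 u   14 1024  377    0.960   -4.816   0.671
"""

# Tally codes printed in the first column by ntpq.
TALLY = {" ": "reject", "x": "falsetick", ".": "excess", "-": "outlier",
         "+": "candidate", "#": "selected", "*": "sys.peer", "o": "pps.peer"}


def parse_peers(text):
    """Parse `ntpq -c peers` text into a list of dicts (offsets in ms)."""
    peers = []
    for line in text.splitlines():
        fields = line[1:].split()
        if len(fields) != 10 or fields[0] == "remote":
            continue  # header, separator or blank line
        remote, refid, st, _t, _when, _poll, reach, _delay, offset, jitter = fields
        peers.append({
            "tally": TALLY.get(line[0], "unknown"),
            "remote": remote,
            "refid": refid,
            "stratum": int(st),
            # reach is an octal shift register of the last 8 polls
            # (377 means all eight were answered).
            "polls_ok": bin(int(reach, 8)).count("1"),
            "offset_ms": float(offset),
            "jitter_ms": float(jitter),
        })
    return peers


def out_of_tolerance(peers, max_offset_ms):
    """Return (remote, reason) for peers that are unreachable or whose
    offset magnitude exceeds max_offset_ms (hypothetical helper)."""
    flagged = []
    for p in peers:
        if p["polls_ok"] == 0:
            flagged.append((p["remote"], "unreachable"))
        elif abs(p["offset_ms"]) > max_offset_ms:
            flagged.append((p["remote"], "offset"))
    return flagged


if __name__ == "__main__":
    for remote, reason in out_of_tolerance(parse_peers(SAMPLE), 3.0):
        print(remote, reason)
```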
Re: [pfSense Support] dumb routing question
Sorry to bore the list.

Problem finally solved by swapping out the Wrap board with another one. I don't know whether something was loose. Or why (if it really was a hardware problem) it even booted.

My blood pressure is back down and it doesn't look like this has anything to do with Pfsense.

Eric W. Bates wrote:
> I'm tired and I'm making stupid mistakes. My claim that the fault was
> Windoze was incorrect. I still do not have proper packet forwarding.
>
> I have more data.
>
> If I check the option under system_advanced labeled 'Disable the
> firewalls filter altogether', the icmp packets start to go thru (there
> is no reply because they are not NAT'd). I see this as an improvement.
>
> When I turn the firewall back on, the 'destination unreachable' response
> resumes.
>
> I'm using ~default~ firewall settings. No changes at all. I don't read
> pf very well; but I don't see a rule here that allows traffic from the LAN:
>

--
Eric W. Bates [EMAIL PROTECTED]
RE: [pfSense Support] Interface aliases
I tried, but it's telling me the filesystem is read only. How can I change the filesystem to read/write so that I can add the file.

-----Original Message-----
From: Scott Ullrich [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 11, 2006 12:55 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Interface aliases

Add a file to /usr/local/etc/rc.d

Scott

On 4/11/06, William M. Sandiford <[EMAIL PROTECTED]> wrote:
> Understood that there won't be support. Is there a particular
> config file or rc startup file that this command could be added to so
> that that alias is added at startup?
>
> -----Original Message-----
> From: Bill Marquette [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, April 11, 2006 12:50 AM
> To: support@pfsense.com
> Subject: Re: [pfSense Support] Interface aliases
>
> On 4/10/06, William M. Sandiford <[EMAIL PROTECTED]> wrote:
> > I want to do the equivalent of the following from a FreeBSD rc.conf
> > file where fxp0 is the interface (can be sis0 or whatever)
> >
> > ifconfig_fxp0="inet 1.1.1.1 netmask 255.255.255.0"
> > ifconfig_fxp0_alias0="inet 2.2.2.2 netmask 255.255.255.0"
> >
> > I don't care if it has to be done from an ssh prompt.
>
> It's FreeBSD under the covers, it's possible. We naturally won't
> support it though.
>
> --Bill
RE: [pfSense Support] Interface aliases
FYI, it's a CF on a WRAP. Forgot to add that.

-----Original Message-----
From: William M. Sandiford
Sent: Tuesday, April 11, 2006 2:39 PM
To: support@pfsense.com
Subject: RE: [pfSense Support] Interface aliases

I tried, but it's telling me the filesystem is read only. How can I change the filesystem to read/write so that I can add the file.

-----Original Message-----
From: Scott Ullrich [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 11, 2006 12:55 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Interface aliases

Add a file to /usr/local/etc/rc.d

Scott

On 4/11/06, William M. Sandiford <[EMAIL PROTECTED]> wrote:
> Understood that there won't be support. Is there a particular
> config file or rc startup file that this command could be added to so
> that that alias is added at startup?
>
> -----Original Message-----
> From: Bill Marquette [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, April 11, 2006 12:50 AM
> To: support@pfsense.com
> Subject: Re: [pfSense Support] Interface aliases
>
> On 4/10/06, William M. Sandiford <[EMAIL PROTECTED]> wrote:
> > I want to do the equivalent of the following from a FreeBSD rc.conf
> > file where fxp0 is the interface (can be sis0 or whatever)
> >
> > ifconfig_fxp0="inet 1.1.1.1 netmask 255.255.255.0"
> > ifconfig_fxp0_alias0="inet 2.2.2.2 netmask 255.255.255.0"
> >
> > I don't care if it has to be done from an ssh prompt.
>
> It's FreeBSD under the covers, it's possible. We naturally won't
> support it though.
>
> --Bill
Re: [pfSense Support] Interface aliases
/etc/rc.conf_mount_rw
/etc/rc.conf_mount_ro

Should be pretty self-explanatory.

On 4/11/06, William M. Sandiford <[EMAIL PROTECTED]> wrote:
> FYI, it's a CF on a WRAP. Forgot to add that.
>
> -----Original Message-----
> From: William M. Sandiford
> Sent: Tuesday, April 11, 2006 2:39 PM
> To: support@pfsense.com
> Subject: RE: [pfSense Support] Interface aliases
>
> I tried, but it's telling me the filesystem is read only. How can I
> change the filesystem to read/write so that I can add the file.
>
> -----Original Message-----
> From: Scott Ullrich [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, April 11, 2006 12:55 AM
> To: support@pfsense.com
> Subject: Re: [pfSense Support] Interface aliases
>
> Add a file to /usr/local/etc/rc.d
>
> Scott
>
> On 4/11/06, William M. Sandiford <[EMAIL PROTECTED]> wrote:
> > Understood that there won't be support. Is there a particular
> > config file or rc startup file that this command could be added to so
> > that that alias is added at startup?
> >
> > -----Original Message-----
> > From: Bill Marquette [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, April 11, 2006 12:50 AM
> > To: support@pfsense.com
> > Subject: Re: [pfSense Support] Interface aliases
> >
> > On 4/10/06, William M. Sandiford <[EMAIL PROTECTED]> wrote:
> > > I want to do the equivalent of the following from a FreeBSD rc.conf
> > > file where fxp0 is the interface (can be sis0 or whatever)
> > >
> > > ifconfig_fxp0="inet 1.1.1.1 netmask 255.255.255.0"
> > > ifconfig_fxp0_alias0="inet 2.2.2.2 netmask 255.255.255.0"
> > >
> > > I don't care if it has to be done from an ssh prompt.
> >
> > It's FreeBSD under the covers, it's possible. We naturally won't
> > support it though.
> >
> > --Bill
[pfSense Support] Passive FTP - sorry
Sorry... But I seem to be brain dead...

Co-location server (Downtown):
I have an FTP server behind a 1:1 NAT on the OPT1 interface and FTP Proxy enabled only on OPT1 (disabled/checked on WAN).

Personal client (Home):
I have an FTP client behind a normal NAT on the LAN interface and FTP Proxy enabled only on LAN (disabled/checked on WAN).

Active FTP works fine. However, passive does not.

The "PASV" is sent by the client and seen by the server just fine.
The "227 Entering Passive Mode (10,0,0,2,5,24)" is sent back by the server, but the client does not see it at all.

Is the 1:1 NAT confusing the OPT1 FTP Proxy? Perhaps the proxy is resending the packet out the WAN using the pfSense WAN IP and not the external IP in the 1:1 NAT that it should. Sound right? It would explain why the client isn't seeing it... The packet is coming from the wrong IP.

- Jason
Re: [pfSense Support] Passive FTP - sorry
This was fixed a few days ago.

cvs_sync.sh releng_1

or update to the latest snapshot.

On 4/11/06, Jason J Ellingson <[EMAIL PROTECTED]> wrote:
> Sorry... But I seem to be brain dead...
>
> Co-location server (Downtown):
> I have an FTP server behind a 1:1 NAT on the OPT1 interface and FTP Proxy
> enabled only on OPT1 (disabled/checked on WAN).
>
> Personal client (Home):
> I have an FTP client behind a normal NAT on the LAN interface and FTP Proxy
> enabled only on LAN (disabled/checked on WAN).
>
> Active FTP works fine. However, passive does not.
>
> The "PASV" is sent by the client and seen by the server just fine.
> The "227 Entering Passive Mode (10,0,0,2,5,24)" is sent back by the server,
> but the client does not see it at all.
>
> Is the 1:1 NAT confusing the OPT1 FTP Proxy? Perhaps the proxy is resending
> the packet out the WAN using the pfSense WAN IP and not the external IP in
> the 1:1 NAT that it should. Sound right? It would explain why the client
> isn't seeing it... The packet is coming from the wrong IP.
>
> - Jason
RE: [pfSense Support] Passive FTP - sorry
Both pfSense boxes are using 4-08-2006 snapshot. I'll give the sync command a try.

- Jason

-----Original Message-----
From: Scott Ullrich [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 11, 2006 3:21 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Passive FTP - sorry

This was fixed a few days ago.

cvs_sync.sh releng_1

or update to the latest snapshot.

On 4/11/06, Jason J Ellingson <[EMAIL PROTECTED]> wrote:
> Sorry... But I seem to be brain dead...
>
> Co-location server (Downtown):
> I have an FTP server behind a 1:1 NAT on the OPT1 interface and FTP
> Proxy enabled only on OPT1 (disabled/checked on WAN).
>
> Personal client (Home):
> I have an FTP client behind a normal NAT on the LAN interface and FTP
> Proxy enabled only on LAN (disabled/checked on WAN).
>
> Active FTP works fine. However, passive does not.
>
> The "PASV" is sent by the client and seen by the server just fine.
> The "227 Entering Passive Mode (10,0,0,2,5,24)" is sent back by the
> server, but the client does not see it at all.
>
> Is the 1:1 NAT confusing the OPT1 FTP Proxy? Perhaps the proxy is
> resending the packet out the WAN using the pfSense WAN IP and not the
> external IP in the 1:1 NAT that it should. Sound right? It would
> explain why the client isn't seeing it... The packet is coming from the wrong IP.
>
> - Jason
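The 227 reply quoted in this thread, decoded, as an added example (not code from any poster or from pfSense): it shows the data endpoint the reply advertises and the rewrite a NAT-aware FTP proxy has to apply before a client outside the NAT can use it. The external address 203.0.113.10 is a constructed placeholder, and the function names are assumptions.

```python
import ipaddress
import re

# Reply text quoted in the thread above.
REPLY = "227 Entering Passive Mode (10,0,0,2,5,24)"
# Constructed placeholder for the external side of the 1:1 NAT.
EXTERNAL_IP = "203.0.113.10"

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
_PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),"
                      r"(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply):
    """Return (IPv4Address, port) advertised by a 227 reply."""
    m = _PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 passive-mode reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in %r" % reply)
    h1, h2, h3, h4, p1, p2 = fields
    ip = ipaddress.IPv4Address("%d.%d.%d.%d" % (h1, h2, h3, h4))
    # The port is sent as two bytes, high byte first.
    return ip, p1 * 256 + p2


def rewrite_pasv(reply, external_ip):
    """Replace the advertised address with external_ip, keeping the port."""
    _, port = parse_pasv(reply)
    octets = str(ipaddress.IPv4Address(external_ip)).split(".")
    return "227 Entering Passive Mode (%s,%d,%d)" % (
        ",".join(octets), port >> 8, port & 0xFF)


def check_pasv(reply, control_peer):
    """List reasons a client that reached the server at control_peer
    could not (or should not) connect to the advertised data endpoint."""
    ip, _port = parse_pasv(reply)
    findings = []
    if any(ip in net for net in RFC1918):
        findings.append("advertises RFC 1918 address %s" % ip)
    if ip != ipaddress.IPv4Address(control_peer):
        findings.append("data address %s differs from control peer %s"
                        % (ip, control_peer))
    return findings


if __name__ == "__main__":
    print(parse_pasv(REPLY))
    print(check_pasv(REPLY, EXTERNAL_IP))
    print(rewrite_pasv(REPLY, EXTERNAL_IP))
```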
[pfSense Support] Load Balancing question
Can anyone tell me what the "Monitor IP" field on the Load Balancer:Pool:Edit screen is supposed to be?

I would think that the load balancer daemon would query each IP in the pool.

Thanx,
Roy
Re: [pfSense Support] Load Balancing question
The Monitor IP is an IP address upstream that is polled from time to time to ensure the upstream link is live. A good Monitor IP might be your upstream gateway.

PS: You're still using Beta-2. Upgrade to the most recent snapshot.

Roy Walker wrote:
> Can anyone tell me what the "Monitor IP" field on the
> Load Balancer:Pool:Edit screen is supposed to be?
>
> I would think that the load balancer daemon would query each IP in the
> pool.
>
> Thanx,
> Roy
Re: [pfSense Support] Load Balancing question
Gary Buckmaster wrote:
> PS: You're still using Beta-2. Upgrade to the most recent snapshot.

Where do you find a snapshot?

--
Eric W. Bates [EMAIL PROTECTED]
Re: [pfSense Support] Load Balancing question
The most current snapshot (today anyhow) is here:

http://www.pfsense.com/~sullrich/RELENG_1_SNAPSHOT_04-08-2006/

Eric W. Bates wrote:
> Gary Buckmaster wrote:
> > PS: You're still using Beta-2. Upgrade to the most recent snapshot.
>
> Where do you find a snapshot?
>
> --
> Eric W. Bates [EMAIL PROTECTED]
Re: [pfSense Support] Load Balancing question
On 4/11/06, Eric W. Bates <[EMAIL PROTECTED]> wrote:
> Where do you find a snapshot?

http://www.pfsense.com/~sullrich/RELENG_1_SNAPSHOT_04-08-2006/
RE: [pfSense Support] Load Balancing question
Forgive me, I must not be understanding you. You mean something upstream from the firewall, like your ISP's gateway address? That doesn't make any sense. Why would you take a web cluster off-line because the upstream gateway went down?

What version would you recommend I be running? Scott and company seem to put a lot of work into testing the major releases, so figured this would be the most stable.

Roy

-----Original Message-----
From: Gary Buckmaster [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 11, 2006 7:01 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Load Balancing question

The Monitor IP is an IP address upstream that is polled from time to time to ensure the upstream link is live. A good Monitor IP might be your upstream gateway.

PS: You're still using Beta-2. Upgrade to the most recent snapshot.

Roy Walker wrote:
> Can anyone tell me what the "Monitor IP" field on the
> Load Balancer:Pool:Edit screen is supposed to be?
>
> I would think that the load balancer daemon would query each IP in the
> pool.
>
> Thanx,
> Roy
Re: [pfSense Support] Load Balancing question
Scott Ullrich wrote:
> On 4/11/06, Eric W. Bates <[EMAIL PROTECTED]> wrote:
> > Where do you find a snapshot?
>
> http://www.pfsense.com/~sullrich/RELENG_1_SNAPSHOT_04-08-2006/

Thanks. I can't use this with the embedded version, can I?

--
Eric W. Bates [EMAIL PROTECTED]
Re: [pfSense Support] Load Balancing question
On 4/11/06, Eric W. Bates <[EMAIL PROTECTED]> wrote:
> Thanks. I can't use this with the embedded version, can I?

Yes, reflash with http://www.pfsense.com/~sullrich/RELENG_1_SNAPSHOT_04-08-2006/pfSense.img.gz .

Scott
Re: [pfSense Support] Load Balancing question
On 4/11/06, Roy Walker <[EMAIL PROTECTED]> wrote:
> Forgive me, I must not be understanding you. You mean something
> upstream from the firewall, like your ISP's gateway address? That
> doesn't make any sense. Why would you take a web cluster off-line
> because the upstream gateway went down?

The point is that you're running Beta 2 and what you are asking about is for gateway pools - something that isn't enabled for server pools post Beta 2.

> What version would you recommend I be running? Scott and company seem
> to put a lot of work into testing the major releases, so figured this
> would be the most stable.

We do. But there have been 639 commits to the RELENG_1 branch since Beta 2, most of these have been bug fixes and a few small features that we decided we couldn't live without for 1.0 (and went in with much more testing than stuff that goes into HEAD).

--Bill