[pfSense Support] DNS - Problems
Hi all!

I'm at the end of my DNS understanding of pfSense ;-) OK, not that bad, but: I have a Domain Controller that hosts a DNS server in my LAN for my local domain. This DC forwards unknown DNS requests to my pfSense, which gets its DNS from my ISP. In pfSense I have configured the DNS Forwarder so that it resolves DNS requests from the DC. In General Setup I have set my internal DNS and activated the option "Allow DNS server list to be overridden by DHCP/PPP on WAN".

Now when I look at the ARP table or routing table, pfSense does not resolve my hostnames (which are hosted on my DC) but shows "localhost" for all hosts except some ISP addresses. Seems logical to me, but at another location it works without these localhost problems; it is resolved correctly...

I also would like to have my IPs / localhosts ;-) resolved correctly and for that already entered an override domain in pfSense's DNS Forwarder for my local domain by domain name (xyz.xyz). It does not work... even if I ping my DC from pfSense's shell with the FQDN it tells me "ping: cannot resolve server.xyz.xyz: Unknown host" (btw, how can I nslookup under BSD? [command unknown]).

When I disable the checkbox "Allow DNS server list to be overridden..." it works well, it resolves my hosts and everything, but what happens with the DNS Forwarder in the pfSense then? Does it redirect all DNS requests to my DC now? How is DNS traffic handled then? I want to resolve DNS traffic over my ISP's DNS servers, not the root DNS servers, as I suppose happens when I disable this option?

I'm a bit irritated because at another location it works, but not at mine... What's the clue? Looking forward to some hints! Thanks in advance...

Martin
Re: [pfSense Support] interface deletion breaks pf.conf rules
On 8/7/06, Scott Ullrich [EMAIL PROTECTED] wrote:

On 8/6/06, Raja Subramanian [EMAIL PROTECTED] wrote:

I have an RC2 setup with load balancing going on multiple WAN interfaces (WAN, OPT1, 2). I deleted the OPT3 interface, but did not delete the corresponding NAT rules associated with OPT3. Upon applying changes, I realised that I had shot myself in the foot! My /tmp/rules.debug had a line like:

nat on $ from ...

Note that the interface name is just $.

I've opened a ticket for this. We either need to:

I just tested this out on RC2e and rdr, pass/block rules are behaving themselves. However, NAT rules are still broken and after deleting my interface, my rules.debug reads:

nat on $ from 192.168.0.0/24 to any -> ()

An improvement now is that I can still ssh to the box, while previously I was getting completely locked out and required console access to fix things.

I'm unable to update the ticket directly (sorry, my bad). http://cvstrac.pfsense.com/tktview?tn=1061

- Raja

- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: [pfSense Support] Is the CVS down?
Woops! Forgot the firewall rule *BLUSH*. Can you try again? Due to time-zone stuff came in this morning and all was shiny.

Thanks
Robert
RE: [pfSense Support] Configuring pfSense box with same range of static IPs?
Thanks for everyone's responses. I have it set up like Robert suggested, with 192.168.2.x on OPT1 and doing DNS views and port forwarding. It all seems to be working as it should. Is there any way to share the block of static IP addresses across the WAN and OPT interfaces so no port forwarding/NATing needs to take place?

I'm not quite sure what you are looking to do, but I think I know the following: If an external machine asks for a service and it resolves to one of your ISP-allocated static IP addresses, then either the NIC with that address needs to be in the machine providing that service or you will need to forward/bridge the request. If you want multiple internal machines to see the internet through a lesser number of ISP-allocated static IP addresses, you need some form of NAT. If you do not want split DNS you can simply add rules on your LAN interface to redirect outbound HTTP, HTTPS and SSH requests for your static IP addresses to the relevant addresses on OPT.

---Robert

At this point, I'm more than content leaving it as it is, but I'm more curious than anything now.

Thanks, Geoff.
Re: [pfSense Support] Is the CVS down?
Woops! Forgot the firewall rule *BLUSH*. Can you try again?

And the pfsense.loquefaltaba.com firewall rule... Can you add this rule again?

Regards.
Re: [pfSense Support] DNS - Problems
The DNS override only works for items querying pfSense, not for pfSense itself. It and the daemon that does the DNS overriding (dnsmasq) use resolv.conf, which should be populated with your ISP's DNS servers. You appear to have a bit of a catch-22. Since you have a FULL resolver internal to your network, let it do the internet resolving and point the pfSense box at it for DNS.

--Bill

On 8/16/06, Fuchs, Martin [EMAIL PROTECTED] wrote:

Hi all!

I'm at the end of my DNS understanding of pfSense ;-) OK, not that bad, but: I have a Domain Controller that hosts a DNS server in my LAN for my local domain. This DC forwards unknown DNS requests to my pfSense, which gets its DNS from my ISP. In pfSense I have configured the DNS Forwarder so that it resolves DNS requests from the DC. In General Setup I have set my internal DNS and activated the option "Allow DNS server list to be overridden by DHCP/PPP on WAN".

Now when I look at the ARP table or routing table, pfSense does not resolve my hostnames (which are hosted on my DC) but shows "localhost" for all hosts except some ISP addresses. Seems logical to me, but at another location it works without these localhost problems; it is resolved correctly...

I also would like to have my IPs / localhosts ;-) resolved correctly and for that already entered an override domain in pfSense's DNS Forwarder for my local domain by domain name (xyz.xyz). It does not work... even if I ping my DC from pfSense's shell with the FQDN it tells me "ping: cannot resolve server.xyz.xyz: Unknown host" (btw, how can I nslookup under BSD? [command unknown]).

When I disable the checkbox "Allow DNS server list to be overridden..." it works well, it resolves my hosts and everything, but what happens with the DNS Forwarder in the pfSense then? Does it redirect all DNS requests to my DC now? How is DNS traffic handled then? I want to resolve DNS traffic over my ISP's DNS servers, not the root DNS servers, as I suppose happens when I disable this option?

I'm a bit irritated because at another location it works, but not at mine... What's the clue? Looking forward to some hints! Thanks in advance...

Martin
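The distinction Bill draws, as an added model (not code from the thread or from pfSense): a process on the firewall itself (ping, the ARP and routing table display) resolves through libc, which reads /etc/resolv.conf and never sees dnsmasq's domain overrides; only a query that arrives at dnsmasq on port 53 is matched against `server=/domain/ip` entries. The second helper walks a forwarder graph and shows the catch-22 as a cycle: pointing pfSense at the DC while the DC still forwards unknown names to pfSense closes a loop, which Bill's suggestion (the DC resolves the internet itself) breaks. The resolv.conf contents, the override line, the DC address 192.168.1.10 and the ISP addresses are all constructed for the example.

```python
"""Added example: where a DNS query goes in the setup from the thread.
libc on the firewall uses resolv.conf only; dnsmasq applies domain
overrides first and falls back to resolv.conf.  All data is constructed."""

# Constructed /etc/resolv.conf as written when "Allow DNS server list to be
# overridden by DHCP/PPP on WAN" is ticked: the ISP's servers win.
RESOLV_CONF = """\
domain xyz.xyz
nameserver 198.51.100.53
nameserver 198.51.100.54
"""

# Constructed dnsmasq line for a DNS Forwarder domain override of xyz.xyz
# pointing at the domain controller (assumed address 192.168.1.10).
DNSMASQ_CONF = "server=/xyz.xyz/192.168.1.10\n"


def parse_resolv_conf(text):
    """List the nameserver addresses in resolv.conf order."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def parse_overrides(text):
    """Return {domain: server} from dnsmasq 'server=/domain/ip' lines."""
    overrides = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("server=/"):
            _, domain, server = line.split("/", 2)
            overrides[domain.lower().rstrip(".")] = server
    return overrides


def match_override(name, overrides):
    """Longest-suffix match as dnsmasq applies it: 'server=/xyz.xyz/' covers
    xyz.xyz itself and every label beneath it, but not notxyz.xyz."""
    name = name.lower().rstrip(".")
    best = None
    for domain in overrides:
        if name == domain or name.endswith("." + domain):
            if best is None or len(domain) > len(best):
                best = domain
    return overrides[best] if best else None


def route_query(name, via_dnsmasq, resolv_conf=RESOLV_CONF, dnsmasq_conf=DNSMASQ_CONF):
    """Return the address the query is sent to.

    via_dnsmasq=True : a LAN host or the DC asking pfSense on port 53.
    via_dnsmasq=False: a process on pfSense itself resolving through libc.
    """
    if via_dnsmasq:
        target = match_override(name, parse_overrides(dnsmasq_conf))
        if target:
            return target
    # With no override in play both paths end at the resolv.conf servers;
    # the model reports the first one listed.
    return parse_resolv_conf(resolv_conf)[0]


def find_forwarding_loop(forwarders, start):
    """forwarders maps a resolver to the one it forwards unknown names to
    (None = it walks the roots itself).  Returns the cycle as a list of
    resolver names, or [] when the chain terminates."""
    seen = []
    node = start
    while node is not None:
        if node in seen:
            return seen[seen.index(node):] + [node]
        seen.append(node)
        node = forwarders.get(node)
    return []


# Constructed topologies: the catch-22 and Bill's fix.
LOOPED = {"pfsense": "dc", "dc": "pfsense"}  # DC forwards to pfSense, pfSense points at DC
FIXED = {"pfsense": "dc", "dc": None}        # DC is a full resolver, pfSense points at it

if __name__ == "__main__":
    print(route_query("server.xyz.xyz", via_dnsmasq=True))   # 192.168.1.10
    print(route_query("server.xyz.xyz", via_dnsmasq=False))  # 198.51.100.53
    print(find_forwarding_loop(LOOPED, "dc"))  # ['dc', 'pfsense', 'dc']
    print(find_forwarding_loop(FIXED, "dc"))   # []
```

The two `route_query` calls reproduce the symptom in the original post: the same name resolves for a client of the forwarder but not for the firewall's own ping. The loop check is only a graph walk; it says nothing about how dnsmasq or the Windows DNS service behave when such a cycle exists, only that the chain never reaches a resolver that answers from the roots.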
Re: [pfSense Support] interface deletion breaks pf.conf rules
On 8/16/06, Raja Subramanian [EMAIL PROTECTED] wrote:

I just tested this out on RC2e and rdr, pass/block rules are behaving themselves. However, NAT rules are still broken and after deleting my interface, my rules.debug reads:

nat on $ from 192.168.0.0/24 to any -> ()

An improvement now is that I can still ssh to the box, while previously I was getting completely locked out and required console access to fix things.

I'm unable to update the ticket directly (sorry, my bad). http://cvstrac.pfsense.com/tktview?tn=1061

Please try this patch: http://cvstrac.pfsense.com/patchset?cn=13791

Thanks
Re: [pfSense Support] Cannot show queues in RRD graphs
Bill Plein wrote:

Hello, all. I am running RC2, and have just added a new set of queues in order to put my Carbonite traffic into a low priority queue. I created my queues by copying a queue configuration created by the Traffic Shaping wizard. (By the way, Carbonite is a very cool and cheap offsite backup utility...). I just installed RC2 last night, embedded on WRAP.

Now, after creating qCarboniteUp, and seeing that my Carbonite backups are flowing through this queue, I now get bad images in the RRD graphing, and they say:

Failed to create graph with error code 1, the error is: ERROR: No DS called 'qCarboniteUp' in '/var/db/rrd/wan-queues.rrd'

Where to go from here?

I hope that I didn't miss any replies. RRD graphs are broken on my RC2 WRAP system. Seems to be related to a new queue I created. Has anyone else seen the error I quoted?

-- Bill Plein [EMAIL PROTECTED]
Re: [pfSense Support] Cannot show queues in RRD graphs
On 8/16/06, Bill Plein [EMAIL PROTECTED] wrote:

Bill Plein wrote:

Hello, all. I am running RC2, and have just added a new set of queues in order to put my Carbonite traffic into a low priority queue. I created my queues by copying a queue configuration created by the Traffic Shaping wizard. (By the way, Carbonite is a very cool and cheap offsite backup utility...). I just installed RC2 last night, embedded on WRAP.

Now, after creating qCarboniteUp, and seeing that my Carbonite backups are flowing through this queue, I now get bad images in the RRD graphing, and they say:

Failed to create graph with error code 1, the error is: ERROR: No DS called 'qCarboniteUp' in '/var/db/rrd/wan-queues.rrd'

Where to go from here?

I hope that I didn't miss any replies. RRD graphs are broken on my RC2 WRAP system. Seems to be related to a new queue I created. Has anyone else seen the error I quoted?

This is a known problem. You need to instruct the system to recreate the RRD queues after changing their names. To do so:

rm -rf /var/db/rrd*

Then from exec.php's Execute PHP command box type in:

enable_rrd_graphing();

And click execute.

Scott
Re: [pfSense Support] Cannot show queues in RRD graphs
Scott Ullrich wrote:

RRD graphs are broken on my RC2 WRAP system. Seems to be related to a new queue I created. Has anyone else seen the error I quoted?

This is a known problem. You need to instruct the system to recreate the RRD queues after changing their names. To do so:

rm -rf /var/db/rrd*

Then from exec.php's Execute PHP command box type in:

enable_rrd_graphing();

And click execute.

Thanks, Scott. That cleared it up. I was unsubbed from the list for the last couple of months or so, I missed this.

-- Bill Plein [EMAIL PROTECTED]
Re: [pfSense Support] Cannot show queues in RRD graphs
On 8/16/06, Bill Plein [EMAIL PROTECTED] wrote:

Thanks, Scott. That cleared it up. I was unsubbed from the list for the last couple of months or so, I missed this.

No problem. I just committed a few changes to ensure this won't be an issue going forward.

Scott
Re: [pfSense Support] interface deletion breaks pf.conf rules
On 8/16/06, Scott Ullrich [EMAIL PROTECTED] wrote:

Please try this patch: http://cvstrac.pfsense.com/patchset?cn=13791

That's fixed it. Two thumbs up! Thanks!

- Raja
[pfSense Support] New Pfsense setup question?
Hello all, new to the list and pfsense.

What we are wanting to do is set up a bridge basically. We like IPCOP as a managed firewall option, but for redundancy reasons, have had to add a DSL and a cable broadband connection to our network. Previously we only had a DSL connection from Verizon. It has issues more often than not. We have now added the cable connection. The IPCOP setup is working very nicely as a single DSL firewall, but obviously we want to have load balancing or at least failover set up between the two broadband connections. This can't be done easily, if at all, on IPCOP.

OK, that is what is going on. Now, the setup we want to do is: use the pfsense box as a load balancer/failover point to bring the two broadband connections into. It would handle these and route them to one internal connection (the RED zone) on the IPCOP. We would then use IPCOP as the firewall between our network and the rest of the world. I assume this is possible? Will the pfsense box be secure? Do we need to set up special routing on it? Is there a documented setup for this? Being new, I found some howto PDFs, but wasn't sure if they would apply here.

Anyway, help or suggestions would be welcome. Thanks

-- Heath Henderson [EMAIL PROTECTED] 1800 288 7750 --
[pfSense Support] rules not blocking for bridge interface
Hi all,

I set up a new 1.0-RC2 box yesterday with a fairly simple config. On the WAN side a /29 is available and the pfsense box has the second IP of that block for the WAN interface and the first as the gateway. The LAN side is all NAT with simple shaper rules (just VoIP priority). A third interface is bridged with the WAN to make the additional IPs in our /29 available for some servers that want routable IPs. There are some simple allow rules for ports 22, 25, 53, 80, and 443 that specify any source address and the destination address(es) (as an alias) of the hosts on the bridged subnet.

Everything is working fine with the LAN, and I have no issues getting traffic in/out of a host on the bridged interface. However I'm seeing that the default block action does not seem to be blocking anything to the bridged hosts. Nmap from outside shows everything open, and netcat confirms that I can pass two-way traffic initiated from outside to any bridged host. Additionally, if I mark the pass rules for these hosts with the log flag and send traffic matching those pass rules, nothing is logged. If I set up an explicit deny rule for a bridged host that also has no effect.

What am I missing here? I have a similar setup at home and I don't recall doing anything special to block traffic to the bridged IPs. Nothing looks strange to me in rules.debug, but then again I have a very hard time reading through the traffic shaping parts of the config...

Thanks,
Charles
Re: [pfSense Support] rules not blocking for bridge interface
On 8/16/06, Charles Sprickman [EMAIL PROTECTED] wrote:

Hi all,

I set up a new 1.0-RC2 box yesterday with a fairly simple config. On the WAN side a /29 is available and the pfsense box has the second IP of that block for the WAN interface and the first as the gateway. The LAN side is all NAT with simple shaper rules (just VoIP priority). A third interface is bridged with the WAN to make the additional IPs in our /29 available for some servers that want routable IPs. There are some simple allow rules for ports 22, 25, 53, 80, and 443 that specify any source address and the destination address(es) (as an alias) of the hosts on the bridged subnet.

Everything is working fine with the LAN, and I have no issues getting traffic in/out of a host on the bridged interface. However I'm seeing that the default block action does not seem to be blocking anything to the bridged hosts. Nmap from outside shows everything open, and netcat confirms that I can pass two-way traffic initiated from outside to any bridged host. Additionally, if I mark the pass rules for these hosts with the log flag and send traffic matching those pass rules, nothing is logged. If I set up an explicit deny rule for a bridged host that also has no effect.

What am I missing here? I have a similar setup at home and I don't recall doing anything special to block traffic to the bridged IPs. Nothing looks strange to me in rules.debug, but then again I have a very hard time reading through the traffic shaping parts of the config...

Traffic shaping does not work with bridging. Turn off the traffic shaper, reset the states and test again.
Re: [pfSense Support] rules not blocking for bridge interface
On 8/16/06, Scott Ullrich [EMAIL PROTECTED] wrote:

On 8/16/06, Charles Sprickman [EMAIL PROTECTED] wrote:

Hi all,

I set up a new 1.0-RC2 box yesterday with a fairly simple config. On the WAN side a /29 is available and the pfsense box has the second IP of that block for the WAN interface and the first as the gateway. The LAN side is all NAT with simple shaper rules (just VoIP priority). A third interface is bridged with the WAN to make the additional IPs in our /29 available for some servers that want routable IPs. There are some simple allow rules for ports 22, 25, 53, 80, and 443 that specify any source address and the destination address(es) (as an alias) of the hosts on the bridged subnet.

Everything is working fine with the LAN, and I have no issues getting traffic in/out of a host on the bridged interface. However I'm seeing that the default block action does not seem to be blocking anything to the bridged hosts. Nmap from outside shows everything open, and netcat confirms that I can pass two-way traffic initiated from outside to any bridged host. Additionally, if I mark the pass rules for these hosts with the log flag and send traffic matching those pass rules, nothing is logged. If I set up an explicit deny rule for a bridged host that also has no effect.

What am I missing here? I have a similar setup at home and I don't recall doing anything special to block traffic to the bridged IPs. Nothing looks strange to me in rules.debug, but then again I have a very hard time reading through the traffic shaping parts of the config...

Traffic shaping does not work with bridging. Turn off the traffic shaper, reset the states and test again.

Holger just tested this configuration and found it to work as advertised. You do have "enable filtering bridge" checked in System - Advanced?
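A check to run once the filtering bridge is on, as an added example (not from the thread or from pfSense): rescan the bridged hosts from outside with nmap and compare the result with the allow list from the original post (TCP 22, 25, 53, 80 and 443 from any source). The parser reads nmap's grepable output (`-oG`). Two tells of an unfiltered bridge show up in that output: ports outside the allow list come back open, and the ports nmap summarises under "Ignored State" are "closed" (a RST reached the scanner straight from the host) rather than "filtered" (pf's default block drops silently, so nothing comes back). The scan text is constructed, and the addresses are documentation-range stand-ins for the poster's /29, not real scan output.

```python
"""Added example: verify a filtering bridge from outside by parsing
nmap -oG output against the firewall's allow list.  Scan text constructed."""

ALLOWED_TCP = {22, 25, 53, 80, 443}  # the pass rules from the original post

# Constructed -oG output before the fix: every listening service is reachable
# and the unlisted ports answer with RSTs ("closed").
SCAN_BEFORE = """\
# Nmap 4.11 scan initiated as: nmap -sS -p 1-65535 -oG - 203.0.113.3-4
Host: 203.0.113.3 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 3306/open/tcp//mysql///\tIgnored State: closed (65532)
Host: 203.0.113.4 ()\tPorts: 25/open/tcp//smtp///, 111/open/tcp//rpcbind///, 443/open/tcp//https///\tIgnored State: closed (65532)
# Nmap done
"""

# Constructed -oG output after the fix: only allowed ports answer, the rest
# is silently dropped by pf ("filtered").
SCAN_AFTER = """\
# Nmap 4.11 scan initiated as: nmap -sS -p 1-65535 -oG - 203.0.113.3-4
Host: 203.0.113.3 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: filtered (65533)
Host: 203.0.113.4 ()\tPorts: 25/open/tcp//smtp///, 443/open/tcp//https///\tIgnored State: filtered (65533)
# Nmap done
"""


def parse_grepable(text):
    """Return {host: {"ports": [(port, state, proto), ...], "ignored": state}}.

    -oG separates the per-host fields with tabs; each port entry is
    port/state/protocol/owner/service/rpcinfo/version/."""
    results = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = {}
        for chunk in line.split("\t"):
            key, _, value = chunk.partition(":")
            fields[key.strip()] = value.strip()
        host = fields["Host"].split()[0]
        ports = []
        for entry in fields.get("Ports", "").split(","):
            entry = entry.strip()
            if entry:
                port, state, proto = entry.split("/")[:3]
                ports.append((int(port), state, proto))
        ignored = fields.get("Ignored State", "").split(" ")[0]
        results[host] = {"ports": ports, "ignored": ignored}
    return results


def unexpected_open(results, allowed=ALLOWED_TCP):
    """host -> sorted TCP ports that are open although no pass rule allows them."""
    bad = {}
    for host, info in results.items():
        extra = sorted(p for p, state, proto in info["ports"]
                       if proto == "tcp" and state == "open" and p not in allowed)
        if extra:
            bad[host] = extra
    return bad


def unfiltered_hosts(results):
    """Hosts whose unlisted ports were 'closed': RSTs came straight back from
    the host, so no default-deny sat in the path."""
    return sorted(h for h, info in results.items() if info["ignored"] == "closed")


if __name__ == "__main__":
    for label, scan in (("before", SCAN_BEFORE), ("after", SCAN_AFTER)):
        parsed = parse_grepable(scan)
        print(label, "unexpected open:", unexpected_open(parsed),
              "unfiltered hosts:", unfiltered_hosts(parsed))
```

A real run would feed `nmap -sS -p- -oG - <bridged hosts>` from a host outside the /29 into `parse_grepable`; an empty result from both checks, plus log entries appearing once the pass rules carry the log flag, is the evidence that pf is actually in the path of the bridged traffic.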
[pfSense Support] Pfsense Bridge/Router 2WANs
What we are wanting to do is set up a bridge basically. We like IPCOP as a managed firewall option, but for redundancy reasons, have had to add a DSL and a cable broadband connection to our network. Previously we only had a DSL connection from Verizon. It has issues more often than not. We have now added the cable connection. The IPCOP setup is working very nicely as a single DSL firewall, but obviously we want to have load balancing or at least failover set up between the two broadband connections. This can't be done easily, if at all, on IPCOP.

OK, that is what is going on. Now, the setup we want to do is: use the pfsense box as a load balancer/failover point to bring the two broadband connections into. It would handle these and route them to one internal connection (the RED zone) on the IPCOP. We would then use IPCOP as the firewall between our network and the rest of the world. I assume this is possible? Will the pfsense box be secure? Do we need to set up special routing on it? Is there a documented setup for this? Being new, I found some howto PDFs, but wasn't sure if they would apply here.

Anyway, help or suggestions would be welcome. Thanks

Heath
[pfSense Support] pptp address allocation
In the config for a user with PPTP there is the option to allocate a specific IP address. I've done this but, given I allocated the first one in the range, I notice that it is provided to other users as well. How do you configure it so that a specific user gets only that one address and it's not allocated to anyone else?

TIA

-- Craig Silva. IT Manager. ABX Logistics, Australia. http://www.abxlogistics.com.au 9 Trade Park Dve. Tullamarine. Vic. 3043 Tel: +61 3 9 335 8250, Mob: 0408408748 email: [EMAIL PROTECTED]
RE: [pfSense Support] Pfsense Bridge/Router 2WANs
-Original Message-
From: Heath Henderson [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 17, 2006 3:21 AM
To: support@pfsense.com
Subject: [pfSense Support] Pfsense Bridge/Router 2WANs

What we are wanting to do is set up a bridge basically.

Load balancing and/or policy-based routing is not working for bridge mode.

We like IPCOP as a managed firewall option, but for redundancy reasons, have had to add a DSL and a cable broadband connection to our network. Previously we only had a DSL connection from Verizon. It has issues more often than not. We have now added the cable connection. The IPCOP setup is working very nicely as a single DSL firewall, but obviously we want to have load balancing or at least failover set up between the two broadband connections. This can't be done easily, if at all, on IPCOP.

OK, that is what is going on. Now, the setup we want to do is: use the pfsense box as a load balancer/failover point to bring the two broadband connections into. It would handle these and route them to one internal connection (the RED zone) on the IPCOP. We would then use IPCOP as the firewall between our network and the rest of the world. I assume this is possible? Will the pfsense box be secure?

It's as secure as you configure it. Or do you think a firewall was built to be insecure? :-P

Do we need to set up special routing on it? Is there a documented setup for this? Being new, I found some howto PDFs, but wasn't sure if they would apply here.

The setup would be much easier if you drop the IPCOP. Fewer points of failure. Less administration.

Anyway, help or suggestions would be welcome. Thanks

Heath

Holger
RE: [pfSense Support] pptp address allocation
Either assign this user an IP outside the pool or assign all users specific IPs so the pool won't be used.

Holger

-Original Message-
From: Craig Silva [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 17, 2006 3:42 AM
To: support@pfsense.com
Subject: [pfSense Support] pptp address allocation

In the config for a user with PPTP there is the option to allocate a specific IP address. I've done this but, given I allocated the first one in the range, I notice that it is provided to other users as well. How do you configure it so that a specific user gets only that one address and it's not allocated to anyone else?

TIA

-- Craig Silva. IT Manager. ABX Logistics, Australia. http://www.abxlogistics.com.au 9 Trade Park Dve. Tullamarine. Vic. 3043 Tel: +61 3 9 335 8250, Mob: 0408408748 email: [EMAIL PROTECTED]
Re: [pfSense Support] rules not blocking for bridge interface
On Wed, 16 Aug 2006, Scott Ullrich wrote:

On 8/16/06, Scott Ullrich [EMAIL PROTECTED] wrote:

On 8/16/06, Charles Sprickman [EMAIL PROTECTED] wrote:

Hi all,

I set up a new 1.0-RC2 box yesterday with a fairly simple config. On the WAN side a /29 is available and the pfsense box has the second IP of that block for the WAN interface and the first as the gateway. The LAN side is all NAT with simple shaper rules (just VoIP priority). A third interface is bridged with the WAN to make the additional IPs in our /29 available for some servers that want routable IPs. There are some simple allow rules for ports 22, 25, 53, 80, and 443 that specify any source address and the destination address(es) (as an alias) of the hosts on the bridged subnet.

Everything is working fine with the LAN, and I have no issues getting traffic in/out of a host on the bridged interface. However I'm seeing that the default block action does not seem to be blocking anything to the bridged hosts. Nmap from outside shows everything open, and netcat confirms that I can pass two-way traffic initiated from outside to any bridged host. Additionally, if I mark the pass rules for these hosts with the log flag and send traffic matching those pass rules, nothing is logged. If I set up an explicit deny rule for a bridged host that also has no effect.

What am I missing here? I have a similar setup at home and I don't recall doing anything special to block traffic to the bridged IPs. Nothing looks strange to me in rules.debug, but then again I have a very hard time reading through the traffic shaping parts of the config...

Traffic shaping does not work with bridging. Turn off the traffic shaper, reset the states and test again.

Holger just tested this configuration and found it to work as advertised. You do have "enable filtering bridge" checked in System - Advanced?

Oh. :) Sorry, it's been a long time since I started from scratch. All is well now.

Also, just out of curiosity, does the traffic shaping do anything at all to the bridged interface traffic for upload, since it is hitting the outbound queue on the WAN interface? That would be good enough for most purposes... IIRC, there are plans to enable shaping on more than two interfaces, but not in 1.0, correct?

Thanks,
Charles
RE: [pfSense Support] RC2 ?
I notice that the date on the embedded RC2 image available on the mirrors changes regularly. Does this mean that it incorporates released patches, or should I follow the procedure outlined below to get to the most correct/fixed release?

-- Craig Silva. IT Manager. ABX Logistics, Australia. http://www.abxlogistics.com.au 9 Trade Park Dve. Tullamarine. Vic. 3043 Tel: +61 3 9 335 8250, Mob: 0408408748 email: [EMAIL PROTECTED]

-Original Message-
From: Holger Bauer [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 15 August 2006 12:54 PM
To: support@pfsense.com
Subject: RE: [pfSense Support] RC2 ?

Run

fetch -q -o - http://www.pfsense.com/~sullrich/update_to_rc2a.sh | sh

from a shell. You need to do that in alphabetical order (a, b, c, ...) as these are incremental updates (don't worry, it will check for the installed version; you can't destroy anything). These patches work for embedded and full installs as well.

Holger

-Original Message-
From: David Strout [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 15, 2006 1:39 AM
To: support@pfsense.com
Subject: [pfSense Support] RC2 ?

Just a quick question about the RC2a,b,c,d,e.tgz files... should we be applying these to an existing RC2 install, and if so what is the preferred method of applying these patches?

-- David L. Strout Engineering Systems Plus, LLC