Re: [pfSense Support] PPPOE Connection / Packages are getting lost || tcpdump
Hi Tim, thanks for the answer and your effort to help me. I finally gave up. Now I'm using Ubuntu 6.10 server with iptables and pppoe. Everything works perfectly for every client in every operating system. Still, the same server is using the same hardware in the same network. Not using pfsense is the only solution which works for me.

Regards,
Richard

On Monday, 19.02.2007, 15:34 -0500, Tim Allender wrote:
> Richard wrote:
>> Hello, thanks for your answer.
>
> You can ping or traceroute snort.org all day long from anywhere in the world and you're not going to get through. 63.240.198.67 (where you stop) is your first hop in the SourceFire network. And, they don't pass ICMP traffic.
>
>> I know, my "can not reach snort.org" was related to www through a browser.
>
> You have verified that an MTU of 1500 is too large for your pppoe connection. So, verify that you have set the MTU for all interfaces (the router lan/wan and all the boxes in question) to 1400. The largest frame on the wire in your dumps is 1214. I don't know why, you've indicated you'd set 1300 on your client host and 1400 on your pfsense box. Try dropping them all down to MTU 1200.
>
>> Okay, I changed every interface that is involved:
>>
>> Client:
>>   [EMAIL PROTECTED]:~$ ifconfig eth0
>>   eth0  Protokoll:Ethernet  Hardware Adresse 00:C0:9F:30:37:EF
>>         inet Adresse:192.168.150.50  Bcast:192.168.150.255
>>         UP BROADCAST RUNNING MULTICAST  MTU:1300  Metric:1
>>
>> Firewall:
>>   (extern) xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1400
>>   (pppoe)  ng0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> mtu 1400
>>                 inet6 fe80::20b:6aff:fe85:1745%ng0 prefixlen 64 scopeid 0xa
>>                 inet 212.51.25.1 --> 212.51.31.92 netmask 0x
>>   (intern) dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1400
>>                 options=8<VLAN_MTU>
>>                 inet 192.168.150.254 netmask 0xff00 broadcast 192.168.150.255
>>                 media: Ethernet autoselect (100baseTX <full-duplex>)
>>                 status: active
>
> If you're still not getting the web page in your browser, verify the MTU on both interfaces of the router, start full content dumps on both your wan and lan ports, go to one of the afflicted hosts and verify MTU on its interface.
>
>> I did, as you can see in the ifconfig quoted above. Please find attached tcpdumps from intern, extern and pppoe interfaces.
>
> Establish the telnet connection, like before:
>
>>   [EMAIL PROTECTED]:~$ telnet snort.org 80
>>   Trying 199.107.65.177...
>>   Connected to snort.org.
>>   Escape character is '^]'.
>>   GET / HTTP/1.1
>>
>>   HTTP/1.1 400 Bad Request
>>   Date: Sat, 17 Feb 2007 16:09:41 GMT
>>   Server: Apache
>>   Content-Length: 226
>>   Connection: close
>>   Content-Type: text/html; charset=iso-8859-1
>>
>>   <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
>>   <html><head>
>>   <title>400 Bad Request</title>
>>   </head><body>
>>   <h1>Bad Request</h1>
>>   <p>Your browser sent a request that this server could not understand.<br />
>>   </p>
>>   </body></html>
>>   Connection closed by foreign host.
>>   [EMAIL PROTECTED]:~$
>>
>> (note I did copy your GET command and did hit enter twice)
>
> (Note that you hit enter twice, an empty newline transmits). Make a note of the response. By the way, note that sites that have virtual hosts setup also require you specify the host, like so:
>
>   GET / HTTP/1.1
>   Host: snort.org
>
> That's the reason for your error here.
>
> From your dumps, on the wan side dump, single out all snort.org traffic; on the lan side dump, single out all traffic to/from the host you were using. Post those dumps.
>
>> Dumps from all interfaces are attached. I'm really looking forward to your next mail. Thanks a lot for taking the time!
>
> Your dumps are not full content: "Packet size limited during transfer: HTTP Truncated". Which means, what? Besides the fact that we can't visually verify expected server responses, there are no tcp checksums available for frames larger than 96 bytes, which could indicate a faulty NIC somewhere, or other problems. But, no big deal.
>
> Besides that, you obviously have some issues. I'm not so familiar with pppoe these days. It's been years since I had to deal with it. However, I see your pppoe frames are 10 bytes smaller than the ethernet frames. I guess that's normal (null header 4 bytes, ethernet 14, 14-4=10). So it doesn't look like anything's getting lost there.
>
> Ultimately, your side is resetting the sessions, getting lots of duplicate acks and crap. So... ya gotta try something. Have you tried doing what Scott suggested to you? Start with an MTU of 500 and see if that works, first. And then start raising it until it doesn't. Find the threshold. And then set it to the largest MTU that works. Since your largest pppoe frames are 1204, I would think you're looking for 1200. But, play
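The threshold search Tim describes (start small, raise the size until it breaks, keep the largest that works) can be automated as a binary search over Don't-Fragment pings; the script below is an added example, not something from the thread. It assumes Linux iputils ping syntax (`-M do` sets DF), as on Richard's Ubuntu client, and takes the probe as a callable so the search itself can be checked without a network.

```python
"""Find the largest DF-marked ICMP payload that crosses the path, then the MTU.
Added example (not from the thread). Assumes Linux iputils ping (-M do sets
Don't Fragment), as on the Ubuntu client; the probe is injectable for offline tests."""
import subprocess
from typing import Callable

IP_ICMP_OVERHEAD = 28  # IPv4 header (20) + ICMP echo header (8): MTU = payload + 28


def ping_df_probe(host: str, timeout_s: int = 2) -> Callable[[int], bool]:
    """Probe that sends one Don't-Fragment echo carrying `size` payload bytes.
    Non-zero exit (no reply, or a local 'message too long') counts as failure."""
    def probe(size: int) -> bool:
        cmd = ["ping", "-M", "do", "-c", "1", "-W", str(timeout_s), "-s", str(size), host]
        return subprocess.run(cmd, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL).returncode == 0
    return probe


def find_max_payload(probe: Callable[[int], bool],
                     lo: int = 500 - IP_ICMP_OVERHEAD,
                     hi: int = 1500 - IP_ICMP_OVERHEAD) -> int:
    """Largest payload in [lo, hi] that probe() accepts, or -1 if even lo fails.
    Assumes monotonic behaviour (if N passes, every smaller size passes), which
    holds for a fixed path MTU. Defaults span Tim's "start at 500" up to 1500."""
    if not probe(lo):
        return -1
    if probe(hi):
        return hi
    while hi - lo > 1:          # invariant: probe(lo) passes, probe(hi) fails
        mid = (lo + hi) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid
    return lo


def payload_to_mtu(payload: int) -> int:
    """Turn a passing ICMP payload size back into the link MTU to configure."""
    return payload + IP_ICMP_OVERHEAD


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 2:
        sys.exit("usage: mtu_probe.py HOST   (pick a host that answers ICMP)")
    best = find_max_payload(ping_df_probe(sys.argv[1]))
    if best < 0:
        print("even the smallest probe failed; does the target answer ICMP at all?")
    else:
        print(f"largest DF payload {best} bytes -> set MTU {payload_to_mtu(best)}")
```

Pick a target that answers ICMP (Tim notes snort.org does not). For the full-content dumps Tim asks for, run tcpdump with `-s 0` so frames are not cut at the default snap length.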
RE: [pfSense Support] supported Hardware?
Try the suggestions from http://wiki.pfsense.com/wikka.php?wakka=BootOptions and http://wiki.pfsense.com/wikka.php?wakka=BootTroubleShooting

Holger

From: Abdul Aziz [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 20, 2007 7:47 AM
To: support@pfsense.com
Subject: [pfSense Support] supported Hardware?

Dear Sir,

I'm trying to install pfSense-1.0.1-LIVE-CD on hard disk (ata3-master SATA150) with ASUS AM2 [M2V-TVM] - VIA(R) K8M890 + VIA(R) VT8237R Plus chipset (64 bit), but can't install with the default setup. After that I tried safe mode, which installed successfully, but after reboot the system gives:

  error 128 lba 42173327 invalid format

and on rebooting again:

  ad6: TIMEOUT - READ_DMA retrying (1 retry left) LBA=4781234

then it continuously reboots. Which problem? Please define it for me.

Regards: aaziz

- To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
[pfSense Support] Snort whitelist
Hi,

I want to whitelist my WAN address in snort. Is it correct if I put my IP as xxx.xxx.xxx.xxx/32? My WAN subnet is 255.255.255.0 and my WAN IP is assigned by DHCP, only 1 IP address.

Thanks,
Sam.
[pfSense Support] Some stuff I really need
Hi folks,

OK, I don't wanna waste your time with some intros, so:

- Does pfsense provide support for SMP (Xeons and Opterons)?
- Does pfsense provide NIC aggregation (I need to aggregate 2 NICs - 2x100Mbps)?
- I see package FreeRADIUS - what is that, is it the complete FreeRADIUS or something else?
- Can anybody create a tutorial on how to configure pfsense with an external FreeRADIUS, or explain to me how to do that? I see a similar tutorial but with Windows 2003 AD/IAS.

Thanks in advance
Mirsad

- Looking for earth-friendly autos? Browse Top Cars by Green Rating at Yahoo! Autos' Green Center.
Re: [pfSense Support] Some stuff I really need
On Tuesday 20 February 2007 14:14, mirso klepic wrote:
> Hi folks,
>
> OK, I don't wanna waste your time with some intros, so:
>
> - Does pfsense provide support for SMP (Xeons and Opterons)?

I have compiled a SMP kernel on a FreeBSD box, copied it on the pfSense box and it works fine.

> - Does pfsense provide NIC aggregation (I need to aggregate 2 NICs - 2x100Mbps)?

Load balancing?

> - I see package FreeRADIUS - what is that, is it the complete FreeRADIUS or something else?
> - Can anybody create a tutorial on how to configure pfsense with an external FreeRADIUS, or explain to me how to do that? I see a similar tutorial but with Windows 2003 AD/IAS.

You mean ... having freeRadius installed on another box?

> Thanks in advance
> Mirsad

--
In case something goes wrong use: BOFH excuse #397: T1's congested due to porn traffic to the news server
PGP: http://new-order.org/public.key
Re: [pfSense Support] Snort whitelist
Hi there,

> I want to whitelist my WAN address in snort. Is it correct if I put my IP as xxx.xxx.xxx.xxx/32? My WAN subnet is 255.255.255.0 and my WAN IP is assigned by DHCP, only 1 IP address.

If you try to list an IP address with its subnet, you might fail also, as we did. We whitelisted our subnet in snort, but snort wasn't interested in the whitelist entry if a subnet was mentioned too... So it blocked some of our hosts, which had been on the whitelist... The host IPs without any subnet declaration all worked just fine...

Tim
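A small checker for the behaviour Tim reports (entries carrying a subnet were ignored, bare host addresses were honoured), added here and not part of the pfSense Snort package: it separates bare-host from masked whitelist lines and reports how a given WAN address is covered, which matters for Sam's case where the WAN IP comes from DHCP and can change. The sample whitelist is constructed, and the "masked entries are ignored" rule is taken from Tim's report rather than verified against Snort.

```python
"""Classify Snort whitelist entries and check how a WAN address is covered.
Added example, not pfSense or Snort code. Treats any entry with a prefix
length (even /32) as 'masked', following the behaviour Tim reports."""
import ipaddress

# Constructed sample; RFC 5737 documentation addresses, not real hosts.
SAMPLE_WHITELIST = """\
# bare host entries: the form that worked
192.0.2.10
# entries with a subnet: the form that was reportedly ignored
192.0.2.0/24
198.51.100.7/32
"""


def parse_whitelist(text: str):
    """Return (bare_hosts, masked_networks, bad_lines) from whitelist text."""
    bare, masked, bad = [], [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not entry:
            continue
        try:
            if "/" in entry:
                masked.append(ipaddress.ip_network(entry, strict=False))
            else:
                bare.append(ipaddress.ip_address(entry))
        except ValueError:
            bad.append((lineno, raw))
    return bare, masked, bad


def wan_coverage(text: str, wan_ip: str) -> str:
    """'host' if wan_ip has a bare entry, 'masked-only' if only a masked
    entry matches it (the form reported not to work), 'none' otherwise."""
    addr = ipaddress.ip_address(wan_ip)
    bare, masked, _ = parse_whitelist(text)
    if addr in bare:
        return "host"
    if any(addr in net for net in masked):
        return "masked-only"
    return "none"


def report(text: str, wan_ip: str) -> list:
    """Findings an admin would want when reviewing the whitelist."""
    bare, masked, bad = parse_whitelist(text)
    lines = [f"bare host entries: {len(bare)}, masked entries: {len(masked)}"]
    lines += [f"line {n}: unparsable entry {raw!r}" for n, raw in bad]
    lines += [f"masked entry {net} may be ignored; list hosts individually" for net in masked]
    lines.append(f"WAN {wan_ip} coverage: {wan_coverage(text, wan_ip)}")
    return lines
```

Re-run the check whenever the DHCP lease changes; a bare-host entry for the old WAN address silently stops covering the new one.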
RE: [pfSense Support] Some stuff I really need
pfSense has an SMP kernel by default, no need to compile your own kernel. Bonding 2 NICs to one pipe is not supported.

Holger
[pfSense Support] Loading Full pfSense onto CompactFlash cards
I'm aware of the dangers of loading a CompactFlash with the full version of pfSense, but I'm wanting to put packages on the device. Is there any method for getting this loaded? I tried doing a normal install with VMware writing directly to the card as a hard drive, but when I put it into the machine, it doesn't work. Can anyone point me to a tutorial or anything that would provide me with a method for doing this?
RE: [pfSense Support] Loading Full pfSense onto CompactFlash cards
This is unsupported, but http://forum.pfsense.org/index.php/topic,2811.msg22278.html#msg22278 might help you if you really want to go this way.

Holger
RE: [pfSense Support] supported Hardware?
Unless I've missed an update along the way... 64bit is not supported.

-Tim
RE: [pfSense Support] Loading Full pfSense onto CompactFlash cards
Works fine for me - a 256 Mb CF card is relatively cheap, and when it does die they'll be even cheaper. I did a full install from CD by adding a CD drive temporarily to my machine.

Because you're using another machine, it may be detecting the wrong or a weird disk geometry. Try using CHS rather than LBA mode. Or do the install on the target machine if you can.

Also - what brand of CF card are you using? Some of the uber-fast ones don't work so well. It pays to buy a cheaper CF card for pfSense.
Re: [pfSense Support] PPPOE Connection / Packages are getting lost || tcpdump
Ubuntu is nice. Will give you a lot more options. Then again, straight up FreeBSD gives you a lot more options. Toss Webmin on either and, wallah! It's like an uncapped pfsense. If carp was ever an interest to you, there's ucarp. Both those platforms offer a lot more support as well. pfSense doesn't really compare. Its advantage is the size and stripped / locked down nature mixed with convenience. You can't run Ubuntu or FreeBSD from a 50Mb CF card.

It's a shame this didn't sort out for you. Really weird. I can only imagine, ultimately, it was a driver problem. I've encountered those on pfsense before. I mean, I don't use pppoe myself, but apparently others are using it without this problem.

Good luck!

Richard wrote:
> Hi Tim, thanks for the answer and your effort to help me. I finally gave up. Now I'm using Ubuntu 6.10 server with iptables and pppoe. Everything works perfectly for every client in every operating system. Still, the same server is using the same hardware in the same network. Not using pfsense is the only solution which works for me.
>
> Regards,
> Richard
RE: [pfSense Support] HEADS UP -- IPSEC Filtering now in recent snapshots
Catching up on the list here and I saw this, that's awesome work! Curious, does this mean we are any closer to doing NAT for traffic in/out of an IPSec tunnel?

Thanks
John

-----Original Message-----
From: Scott Ullrich [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 09, 2007 2:01 PM
To: support@pfsense.com
Subject: [pfSense Support] HEADS UP -- IPSEC Filtering now in recent snapshots

HEADS UP!

IPSEC Filtering is now present in the 1.0.X branch, first appearing in today's snapshot. By default on upgrade we will install a default PASS rule for the IPSEC interface to permit traffic. So basically anyone upgrading will not see a difference. However, you can edit the default rule and introduce fine grain control of the IPSEC tunnels if you wish.

The feature will appear in today's snapshot which is currently building, located at http://snapshots.pfsense.com/FreeBSD6/RELENG_1/updates/

Have fun!

Scott