Re: [pfSense Support] pfSense Hanging...
This is a shot in the dark, but is there a chance that you're on a PPPoE (or similar) connection, even with a statically assigned IP? Is there a chance that your connection becomes dormant enough for your ISP to time out your connection, obligating you to re-dial? Tortise wrote: Thanks Chris The answers to your questions are: Strictly it is not a hang as the system does not freeze, it largely functions normally, just loses Internet transparency. LAN functions normally, DHCP on the LAN, and the pfSense webGUI functions normally, can read logs, reboot from this etc. Reloading the filters functions as one would expect, however the connection is not established. The System Overview readings appear normal, states is now currently 110. The LAN and WAN graphs appear the same as when it is functioning normally. If there was a worm sending out screeds I would hope I'd be aware if it. WAN is statically assigned an Internet address. Modem links lights remain up and the modem continues to function normally. One can replace pfSense and connect a notebook PC Card NIC, configured with the Static IP and resume Internet access, proving the modem has not failed. I can ping the LAN nic but can't ping my ISP thru pfSense, although I can when I reboot and it is again normally functioning. Essentially it appears to be functioning normally, except the connection through stops / disappears! Everyone on the LAN loses Internet connectivity. Anything else I can advise I'll be delighted to do so, although it might be when it next happens. Kind regards David Hingston - Original Message - From: Chris Buechler [EMAIL PROTECTED] To: support@pfsense.com Sent: Monday, June 04, 2007 3:13 PM Subject: Re: [pfSense Support] pfSense Hanging... On Mon, 2007-06-04 at 12:27 +1200, Tortise wrote: Thanks Bill Gosh, thats got to presumably use more than the default of 10,000! Currently there are 116 there. Easier than you might think. 
If you have a worm infected laptop plugged into your network only periodically it can cause state table exhaustion and the type of symptoms you describe. It wouldn't be (even close to) the first time I've seen that. When it hangs, what exactly do you mean? There are tons of possibilities for hangs. Does it become completely non-responsive, console dead and all? Does the console work but it falls off the network completely? Is the LAN still up and the webGUI functional but Internet just doesn't work? If that's the case, you said cable modem, I presume that's DHCP, do you have a valid WAN IP when it happens? Do you have link light on WAN? Are all the lights on your cable modem normal? Can you ping your default gateway? etc. etc. etc. Be as specific as you can be, the details you gave lead to a lot of questions and not a lot of specific recommendations. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
[pfSense Support] Whatever I do DNS doesn't work!
Hi! We've been successfully using pfSense for over a year now on our corporate WAN and mighty pleased we are with it!

So pfSense was the obvious choice for a specific, seemingly straightforward project - one server on the end of its own dedicated DSL line with a two-NIC pfSense box in between. Thus: one LAN, one WAN interface, that's it. It really couldn't be a more simple setup: DSL router on the WAN interface, 4-port hub on the LAN interface and one server. (Oh, and currently my laptop for testing purposes.)

Yet whatever I do I can't resolve external hosts. It's driving me mad. I've tried explicitly allowing all traffic on the WAN interface to all destinations, even though I appreciate that shouldn't be necessary. I've tried setting up my test laptop with a manual IP and DNS server address of the ISP's name server, having an address served by the pfSense DHCP server, setting up Enable DNS Forwarding so the address of the pfSense box is used as DNS by the test laptop. Nothing.

Sure, I can ping any dot address I like on the outside world just fine, so connectivity is OK. Frustratingly there isn't anything showing up in the firewall log either, as if port 53 traffic is mysteriously being blocked somehow.

I'm all out of ideas - does anyone else have any?

Thanks in advance, Steve
[pfSense Support] bandwidth limit
Hello, Can you limit the bandwidth of individual IPs in the LAN using pfsense, or what extra packages are needed for this? If so, would you please point me in the right direction? 10x
RE: [pfSense Support] bandwidth limit
No. You can't.

From: Alin Badea [mailto:[EMAIL PROTECTED] Sent: Monday, 4 June 2007 12:24 To: support@pfsense.com Subject: [pfSense Support] bandwidth limit

Hello, Can you limit the bandwidth of individual IPs in the LAN using pfsense, or what extra packages are needed for this? If so, would you please point me in the right direction? 10x
Re: [pfSense Support] pfSense Hanging...
It occurred again this morning. From the LAN and the Serial pfSense Console I can ping the LAN NIC, as well as the Motorola Modem on 192.168.100.1 From the LAN and Console I can also ping the static IP on the WAN in form of a.b.c.x but I cannot ping the ISP or a.b.c.1. Rebooting pfSense fixes all this, restores Internet access and allows pings to a.b.c.1 and the ISP again. The modem lights remain on and I do nothing else to fix it. I do not think it is PPPoE, but will check it out, there is no dialling involved with password that I am aware of, unless this is ISP configured in the setup they send the modem, in any event the modem is still functioning with all lights up. There is a web server which has varying low volume activity and I am also recording pings every 30s to the ISP, to keep a record when it all goes down. I don't think the modem is timing out due inactivity. Also it occurs during terminal sessions, which is infuriating, as one might imagine! Sometimes outages are ISP caused and they have extensively looked at the setup, recut cable ends etc. and they also suspect my firewall. Kind regards David Hingston - Original Message - From: Tortise [EMAIL PROTECTED] To: support@pfsense.com Sent: Monday, June 04, 2007 3:59 PM Subject: Re: [pfSense Support] pfSense Hanging... Thanks Chris The answers to your questions are: Strictly it is not a hang as the system does not freeze, it largely functions normally, just loses Internet transparency. LAN functions normally, DHCP on the LAN, and the pfSense webGUI functions normally, can read logs, reboot from this etc. Reloading the filters functions as one would expect, however the connection is not established. The System Overview readings appear normal, states is now currently 110. The LAN and WAN graphs appear the same as when it is functioning normally. If there was a worm sending out screeds I would hope I'd be aware if it. WAN is statically assigned an Internet address. 
Modem links lights remain up and the modem continues to function normally. One can replace pfSense and connect a notebook PC Card NIC, configured with the Static IP and resume Internet access, proving the modem has not failed. I can ping the LAN nic but can't ping my ISP thru pfSense, although I can when I reboot and it is again normally functioning. Essentially it appears to be functioning normally, except the connection through stops / disappears! Everyone on the LAN loses Internet connectivity. Anything else I can advise I'll be delighted to do so, although it might be when it next happens. Kind regards David Hingston - Original Message - From: Chris Buechler [EMAIL PROTECTED] To: support@pfsense.com Sent: Monday, June 04, 2007 3:13 PM Subject: Re: [pfSense Support] pfSense Hanging... On Mon, 2007-06-04 at 12:27 +1200, Tortise wrote: Thanks Bill Gosh, thats got to presumably use more than the default of 10,000! Currently there are 116 there. Easier than you might think. If you have a worm infected laptop plugged into your network only periodically it can cause state table exhaustion and the type of symptoms you describe. It wouldn't be (even close to) the first time I've seen that. When it hangs, what exactly do you mean? There are tons of possibilities for hangs. Does it become completely non-responsive, console dead and all? Does the console work but it falls off the network completely? Is the LAN still up and the webGUI functional but Internet just doesn't work? If that's the case, you said cable modem, I presume that's DHCP, do you have a valid WAN IP when it happens? Do you have link light on WAN? Are all the lights on your cable modem normal? Can you ping your default gateway? etc. etc. etc. Be as specific as you can be, the details you gave lead to a lot of questions and not a lot of specific recommendations. 
Re: [pfSense Support] pfSense Hanging...
Visit status - Interfaces when this happens. Do you have an IP address assigned? Scott On 6/4/07, Tortise [EMAIL PROTECTED] wrote: It occurred again this morning. From the LAN and the Serial pfSense Console I can ping the LAN NIC, as well as the Motorola Modem on 192.168.100.1 From the LAN and Console I can also ping the static IP on the WAN in form of a.b.c.x but I cannot ping the ISP or a.b.c.1. Rebooting pfSense fixes all this, restores Internet access and allows pings to a.b.c.1 and the ISP again. The modem lights remain on and I do nothing else to fix it. I do not think it is PPPoE, but will check it out, there is no dialling involved with password that I am aware of, unless this is ISP configured in the setup they send the modem, in any event the modem is still functioning with all lights up. There is a web server which has varying low volume activity and I am also recording pings every 30s to the ISP, to keep a record when it all goes down. I don't think the modem is timing out due inactivity. Also it occurs during terminal sessions, which is infuriating, as one might imagine! Sometimes outages are ISP caused and they have extensively looked at the setup, recut cable ends etc. and they also suspect my firewall. Kind regards David Hingston - Original Message - From: Tortise [EMAIL PROTECTED] To: support@pfsense.com Sent: Monday, June 04, 2007 3:59 PM Subject: Re: [pfSense Support] pfSense Hanging... Thanks Chris The answers to your questions are: Strictly it is not a hang as the system does not freeze, it largely functions normally, just loses Internet transparency. LAN functions normally, DHCP on the LAN, and the pfSense webGUI functions normally, can read logs, reboot from this etc. Reloading the filters functions as one would expect, however the connection is not established. The System Overview readings appear normal, states is now currently 110. The LAN and WAN graphs appear the same as when it is functioning normally. 
If there was a worm sending out screeds I would hope I'd be aware if it. WAN is statically assigned an Internet address. Modem links lights remain up and the modem continues to function normally. One can replace pfSense and connect a notebook PC Card NIC, configured with the Static IP and resume Internet access, proving the modem has not failed. I can ping the LAN nic but can't ping my ISP thru pfSense, although I can when I reboot and it is again normally functioning. Essentially it appears to be functioning normally, except the connection through stops / disappears! Everyone on the LAN loses Internet connectivity. Anything else I can advise I'll be delighted to do so, although it might be when it next happens. Kind regards David Hingston - Original Message - From: Chris Buechler [EMAIL PROTECTED] To: support@pfsense.com Sent: Monday, June 04, 2007 3:13 PM Subject: Re: [pfSense Support] pfSense Hanging... On Mon, 2007-06-04 at 12:27 +1200, Tortise wrote: Thanks Bill Gosh, thats got to presumably use more than the default of 10,000! Currently there are 116 there. Easier than you might think. If you have a worm infected laptop plugged into your network only periodically it can cause state table exhaustion and the type of symptoms you describe. It wouldn't be (even close to) the first time I've seen that. When it hangs, what exactly do you mean? There are tons of possibilities for hangs. Does it become completely non-responsive, console dead and all? Does the console work but it falls off the network completely? Is the LAN still up and the webGUI functional but Internet just doesn't work? If that's the case, you said cable modem, I presume that's DHCP, do you have a valid WAN IP when it happens? Do you have link light on WAN? Are all the lights on your cable modem normal? Can you ping your default gateway? etc. etc. etc. Be as specific as you can be, the details you gave lead to a lot of questions and not a lot of specific recommendations. 
Re: [pfSense Support] Starnge routing issue
Hi All, Thanks for the posts, but it seems that not only ICMP traffic is being routed improperly. When I try to connect to any of the resources on the other side of the VPN, the traffic is routed improperly. KHK

- Original Message - From: Peter Allgeyer [EMAIL PROTECTED] To: support@pfsense.com Sent: Sunday, June 3, 2007 2:06:36 AM (GMT-0800) America/Los_Angeles Subject: Re: [pfSense Support] Starnge routing issue

Hi Konrad!

On Saturday, 02.06.2007, at 20:30 -0500, Chris Daniel wrote: This sounds like an ICMP redirect issue. I have seen problems on pretty much every release of pfsense I have used where ICMP redirects have been rather flaky (one should never rely on ICMP redirects for routing, anyway), but I remember some thread from a while back regarding redirects and 1.0.1. Make sure you are running a recent snapshot. Here is the thread I remember: http://www.mail-archive.com/support@pfsense.com/msg07839.html

I've never solved the problems with ICMP redirects. But as Chris said, it's better to not rely on them anyway. My problem was solved with passing incoming and outgoing traffic on the same interface. I saw an option in m0n0wall for that and suggested adding the possibility to bypass firewall rules for traffic on the same interface to pfsense, too. You can find a menu entry for that under System - Advanced - Miscellaneous - Static route filtering.

Also, I decided to change the whole internal routing through our layer 3 core switch (with icmp redirects switched off), because routing through it is much more performant than through the firewall and you'll have no problems with filter rules (ok, there are some ACLs on it, but I'm directly responsible for them, because there are no default rules set like in pfsense).

I hope that this helps solve your problems.
BR, PIT --- copyleft(c) by | _-_ LOAD LINUX,8,1 -- Topic on #LinuxGER Peter Allgeyer | 0(o_o)0 ---oOO--(_)--OOo---
Re: [pfSense Support] pfSense Hanging...
On Tue 05 Jun 2007 12:51:04 NZST +1200, Volker Kuhlmann wrote: [..] When the packets stop going to the ISP there is no indication with the modem lights that anything is wrong. Curiously the RRD graphs keep showing unabated traffic on the WAN interface. There is nothing I can see the new modem's web pages how the connection to the ISP is made. I'd also be interested in a solution to this. Thanks, Volker -- Volker Kuhlmann is list0570 with the domain in header http://volker.dnsalias.net/ Please do not CC list postings to me.
Re: [pfSense Support] pfSense Hanging...
Visit status - Interfaces when this happens. Do you have an IP address assigned? Scott On 6/4/07, Volker Kuhlmann [EMAIL PROTECTED] wrote: On Tue 05 Jun 2007 12:51:04 NZST +1200, Volker Kuhlmann wrote: [..] When the packets stop going to the ISP there is no indication with the modem lights that anything is wrong. Curiously the RRD graphs keep showing unabated traffic on the WAN interface. There is nothing I can see the new modem's web pages how the connection to the ISP is made. I'd also be interested in a solution to this. Thanks, Volker -- Volker Kuhlmann is list0570 with the domain in header http://volker.dnsalias.net/ Please do not CC list postings to me.
Re: [pfSense Support] NTP server on multiple interfaces
On 6/4/07, Volker Kuhlmann [EMAIL PROTECTED] wrote: Is there a reason not to have the NTP daemon running on more than one interface? On Service-OpenNTPD I can select both LAN and DMZ interfaces, although the text says Select the interface the NTP server will listen on (singular). But it doesn't seem to cause the ntpd to listen on all the selected ones.

No reasons that I can think of. Submitting a patch will surely help us speed up fixing the situation as I am fixing a million other items and this is not high on my priority list.

Scott
[pfSense Support] NTP server on multiple interfaces
Is there a reason not to have the NTP daemon running on more than one interface? On Service-OpenNTPD I can select both LAN and DMZ interfaces, although the text says Select the interface the NTP server will listen on (singular). But it doesn't seem to cause the ntpd to listen on all the selected ones. Thanks, Volker -- Volker Kuhlmann is list0570 with the domain in header http://volker.dnsalias.net/ Please do not CC list postings to me.
Re: [pfSense Support] pfSense Hanging...
On Tue, 2007-06-05 at 12:51 +1200, Volker Kuhlmann wrote: I am having exactly the same problem. pfSense 1...? RC1 (I think) on a jokebox with 64MB RAM, so I replaced the box and all NICs with something bigger, running pfSense 1 final (from Dec 06). Hosts on the DMZ remain reachable from LAN, Motorola cable modem (since replaced with a newer model) is reachable from the LAN via the WAN interface, proving there is no hardware fault. ISP's gateway is not reachable from LAN or the pfSense machine. Everything looks as if the cable service has gone down, except that I am certain it has not - each time I reboot the pfsense machine, and Internet connectivity is back immediately.

First, if you're not running 1.2b1, you should try it.

I'm going to assume cable service in .nz works the same as it does in .us, though that could be a wildly incorrect assumption. If it does, your modem does nothing but bridge between your cable provider's network and whatever you have plugged into the Ethernet port. There is no connection like PPPoE, no username or password, etc. As long as you have sync, it's good. If your cable Internet service uses the DOCSIS standard, it's the same as here, and as I describe.

Next time this happens, SSH in and run 'tcpdump -i fxp0 -s 1500 -w capture.pcap' replacing fxp0 with whatever your WAN NIC is. Then run a constant ping to your WAN gateway from your LAN, try to access websites, etc. Wait about 5 minutes and ctrl-c to break out of the tcpdump. Then you can use the webGUI to download that 'capture.pcap' file, or scp it off to another host. Send it to me via email and I should be able to see what's happening on the wire. At this point, without that, it's anybody's guess as to what's happening.

If your cable company is twice as competent as our local cable company here, they'd still be completely inept. In other words, I wouldn't rule out a weird network issue on their end. Scott and I spent countless hours tracking down a really screwy issue that turned out to be something they screwed up on their network, when they claimed repeatedly they hadn't changed anything and it was a firewall problem.

One other thing to try after getting the tcpdump - if you unplug the WAN NIC from the cable modem and plug it back in, without rebooting, does that bring it up?
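An added illustration, not code from this thread or from pfSense: one way to triage the capture.pcap that the tcpdump command in the message above produces, by counting ARP and ICMP echo traffic to and from the WAN gateway to see whether requests leave the WAN NIC and whether anything comes back. The addresses, MACs and sample captures are constructed, and the parser assumes a classic pcap file with Ethernet framing.

```python
import socket
import struct

GATEWAY, WAN_IP = "203.0.113.1", "203.0.113.10"  # constructed addresses (RFC 5737)
FW_MAC, GW_MAC = bytes.fromhex("020000000010"), bytes.fromhex("020000000001")  # constructed

def read_pcap(data):
    """Yield raw Ethernet frames from a classic pcap file (not pcapng)."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if end is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(end + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet captures are handled")
    off = 24  # records start after the 24-byte global header
    while off + 16 <= len(data):
        caplen = struct.unpack(end + "I", data[off + 8:off + 12])[0]
        yield data[off + 16:off + 16 + caplen]
        off += 16 + caplen

def summarize(data, gateway):
    """Count ARP and ICMP echo packets exchanged with the gateway."""
    gw = socket.inet_aton(gateway)
    c = {"arp_req": 0, "arp_rep": 0, "echo_req": 0, "echo_rep": 0}
    for frame in read_pcap(data):
        if len(frame) < 14:
            continue
        ethertype = struct.unpack("!H", frame[12:14])[0]
        p = frame[14:]
        if ethertype == 0x0806 and len(p) >= 28:  # ARP
            op = struct.unpack("!H", p[6:8])[0]
            if op == 1 and p[24:28] == gw:    # who-has <gateway>
                c["arp_req"] += 1
            elif op == 2 and p[14:18] == gw:  # <gateway> is-at
                c["arp_rep"] += 1
        elif ethertype == 0x0800 and len(p) >= 20 and p[9] == 1:  # IPv4 + ICMP
            t = p[(p[0] & 0x0F) * 4:][:1]  # ICMP type byte, empty if truncated
            if t == b"\x08" and p[16:20] == gw:    # echo request to gateway
                c["echo_req"] += 1
            elif t == b"\x00" and p[12:16] == gw:  # echo reply from gateway
                c["echo_rep"] += 1
    return c

def verdict(c):
    """Turn the counters into a one-line reading of the capture."""
    if c["echo_rep"]:
        return "gateway answers pings"
    if c["arp_req"] and not c["arp_rep"]:
        return "gateway never answers ARP"
    if c["echo_req"]:
        return "pings leave the WAN NIC but no reply comes back"
    return "no ping or ARP exchange with the gateway in this capture"

# Helpers below only build the constructed sample captures (not real traffic).
def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 1500, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out

def arp_frame(op, smac, sip, tmac, tip):
    dst = b"\xff" * 6 if op == 1 else tmac
    return (dst + smac + b"\x08\x06" + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + smac + socket.inet_aton(sip) + tmac + socket.inet_aton(tip))

def icmp_frame(icmp_type, smac, sip, dmac, dip):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 1, 0,
                     socket.inet_aton(sip), socket.inet_aton(dip))  # checksums left 0
    return dmac + smac + b"\x08\x00" + ip + struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1)

WHO_HAS = arp_frame(1, FW_MAC, WAN_IP, b"\x00" * 6, GATEWAY)
SAMPLE_DOWN = build_pcap([WHO_HAS] * 3)  # requests only, nothing comes back
SAMPLE_UP = build_pcap([WHO_HAS, arp_frame(2, GW_MAC, GATEWAY, FW_MAC, WAN_IP),
                        icmp_frame(8, FW_MAC, WAN_IP, GW_MAC, GATEWAY),
                        icmp_frame(0, GW_MAC, GATEWAY, FW_MAC, WAN_IP)])

if __name__ == "__main__":
    for cap in (SAMPLE_DOWN, SAMPLE_UP):
        print(verdict(summarize(cap, GATEWAY)))
```

On a real capture, pass the file's bytes and the actual WAN gateway address to `summarize`; VLAN-tagged frames are not counted.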
Re: [pfSense Support] pfSense Hanging...
Below, I think I confused two people since two posted to this thread. Both seem to be using cable, and at least the first has a static IP. The advice below is meant for the person with the static IP. The one I actually replied to, I don't believe you stated if you were using DHCP or not. If using DHCP, make sure you have an IP as Scott suggested before going any further. Also for DHCP, if you're having problems with connections dropping, there are issues with ISP's that do stupid stuff with DHCP with older versions. 1.2b1 fixes all known issues with that. On Mon, 2007-06-04 at 22:10 -0400, Chris Buechler wrote: On Tue, 2007-06-05 at 12:51 +1200, Volker Kuhlmann wrote: I am having exactly the same problem. pfSense 1...? RC1 (I think) on a jokebox with 64MB RAM, so I replaced the box and all NICs with something bigger, running pfSense 1 final (from Dec 06). Hosts on the DMZ remain reachable from LAN, Motorola cable modem (since replaced with a newer model) is reachable from the LAN via the WAN interface, proving there is no hardware fault. ISP's gateway is not rechable from LAN or the pfSense machine. Everything looks as if the cable service has gone down, except that I am certain it has not - each time I reboot the pfsense machine, and Internet connectivity is back immediately. First, if you're not running 1.2b1, you should try it. I'm going to assume cable service in .nz works the same as it does in .us, though that could be a wildly incorrect assumption. If it does, your modem does nothing but bridge between your cable provider's network and whatever you have plugged into the Ethernet port. There is no connection like PPPoE, no username or password, etc. As long as you have sync, it's good. If your cable Internet service uses the DOCSIS standard, it's the same as here, and as I describe. Next time this happens, SSH in and run 'tcpdump -i fxp0 -s 1500 -w capture.pcap' replacing fxp0 with whatever your WAN NIC is. 
Then run a constant ping to your WAN gateway from your LAN, try to access websites, etc. Wait about 5 minutes and ctrl-c to break out of the tcpdump. Then you can use the webGUI to download that 'capture.pcap' file, or scp it off to another host. Send it to me via email and I should be able to see what's happening on the wire. At this point, without that, it's anybody's guess as to what's happening. If your cable company is twice as competent as our local cable company here, they'd still be completely inept. In other words, I wouldn't rule out a weird network issue on their end. Scott and I spent countless hours tracking down a really screwy issue that turned out to be something they screwed up on their network, when they claimed repeatedly they hadn't changed anything and it was a firewall problem. One other thing to try after getting the tcpdump - if you unplug the WAN NIC from the cable modem and plug it back in, without rebooting, does that bring it up?
Re: [pfSense Support] pfSense Hanging...
Thank you indeed Chris I understand the modem is largely bridging, as I think you are suggesting, given the Internet IP address appears on the pfSense WAN NIC. This is the sort of approach I was looking for. Given my ISP is declared on my email address here I won't comment about New Zealand ISP's here. I might however point out that I have not disagreed with you in any way. My presumption is that it is either coming from pfSense or indeed, as you suggest, the ISP. There are some TiVo's on the LAN here that also are intermittently having issues downloading data for no apparent reason when everything is connected, also using a proxy. (VOIP and Skype also running) I'll install 1.2b1 on another CF card and see what transpires. I am pretty sure the unplug / plug in has been tried in the past, without success, will try again to be sure. Kind regards David Hingston. - Original Message - From: Chris Buechler [EMAIL PROTECTED] To: support@pfsense.com Sent: Tuesday, June 05, 2007 2:10 PM Subject: Re: [pfSense Support] pfSense Hanging... First, if you're not running 1.2b1, you should try it. I'm going to assume cable service in .nz works the same as it does in .us, though that could be a wildly incorrect assumption. If it does, your modem does nothing but bridge between your cable provider's network and whatever you have plugged into the Ethernet port. There is no connection like PPPoE, no username or password, etc. As long as you have sync, it's good. If your cable Internet service uses the DOCSIS standard, it's the same as here, and as I describe. Next time this happens, SSH in and run 'tcpdump -i fxp0 -s 1500 -w capture.pcap' replacing fxp0 with whatever your WAN NIC is. Then run a constant ping to your WAN gateway from your LAN, try to access websites, etc. Wait about 5 minutes and ctrl-c to break out of the tcpdump. Then you can use the webGUI to download that 'capture.pcap' file, or scp it off to another host. 
Send it to me via email and I should be able to see what's happening on the wire. At this point, without that, it's anybody's guess as to what's happening. If your cable company is twice as competent as our local cable company here, they'd still be completely inept. In other words, I wouldn't rule out a weird network issue on their end. Scott and I spent countless hours tracking down a really screwy issue that turned out to be something they screwed up on their network, when they claimed repeatedly they hadn't changed anything and it was a firewall problem. One other thing to try after getting the tcpdump - if you unplug the WAN NIC from the cable modem and plug it back in, without rebooting, does that bring it up?