[pfSense Support] Minor traffic shaper ?

2007-07-08 Thread Jaye Mathisen


OK, haven't run into this before.


WAN is a 1.5meg DSL, OPT1 is a 10 meg cable connection.  The
10 meg connection supports a VPN connection for backups and such.

So I have a rule that says any traffic to x.x.x.x goes out OPT1,
everything else out the WAN.

The traffic shaper is taking all that traffic, and merrily shaping it,
even though the traffic is to/from OPT1.

What's the best solution for me?  Either traffic on OPT1 (to and from it)
needs to bypass the shaper completely, or somehow I need to specify that
while for most connections, the WAN speed is 1.5meg, for this one host,
it's the 10 meg...

How do I make this right?  (I've just started re-using the shaper, before
OPT1 was another 1.5meg DSL, and to be honest, I don't think I noticed
that problem, although it was most likely happening.)

Thanks in advance.

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



[pfSense Support] Quick comments on 1.2 beta2 on soekris 4801

2007-07-08 Thread Jaye Mathisen



Add support for prioritizing ssh traffic on port 22, and
an easy way to specify a specific port for BT traffic, since the
default isn't always used.  

Anyway, 1.2 beta 2 is working pretty well for me.  I think the php
process is using less memory for HTTP sessions, which is helping.








Re: [pfSense Support] Multiple WANs

2007-07-08 Thread sai

You do not need Advanced Outbound NAT.

In your firewall rules, on the LAN interface, change the default rule
so that the gateway is your pool. This will load balance your traffic.

Take a look at http://doc.pfsense.org/index.php/Multi-Wan/Load-Balancing
- this is a recently updated doc and will help.

sai

On 7/5/07, William Smith [EMAIL PROTECTED] wrote:

Hi,
I have 3 WANS. Each has a static ip assigned by the ISP based on login. I
have the router/modems set to login and give each of my WAN interfaces an
IP. 192.168.2.10, 192.168.1.10 and 192.168.0.10. (I also DMZed those IPs in
the router/modems so that I can do NAT with pfsense) I setup a pool in load
balancer to point to the ips of the router/modems, 192.168.2.1, 192.168.1.1
and 192.168.0.1. These show up as online in the load balance status. Now
this is where I am stuck. I enable advanced outbound nat, and at this point
I need some definitive instruction. I have read the load balance pdf but I
must be missing something. I know I need rules but I am totally confused.
Thanks in advance for any help or pointers. Oh, in addition my LAN is
10.20.100.0/24 and as long as I leave advanced outbound nat off, I get
traffic through one of the WANS. And by the way, we could never afford the
appliance to do this, pfsense is great for non-profit orgs like our
library, keep up the EXCELLENT work. This thing is awesome.

Best Regards,
Bill
[EMAIL PROTECTED]






AW: [pfSense Support] Latest build - IPSec broken

2007-07-08 Thread Fuchs, Martin

Same problem here :(

From: David L. Strout [mailto:[EMAIL PROTECTED]
Sent: Sunday, 8 July 2007 20:38
To: pfSense Support
Subject: [pfSense Support] Latest build - IPSec broken

 

I have been running 1.2-BETA-2 since early last week and all seems great.  I 
just upgraded two test boxes (with pre-configured  working IPSec tunnels) to 
the latest 1.2-BETA-2 SNAP and it severely broke IPSec.

racoon.conf:

path pre_shared_key /var/etc/psk.txt;
path certificate /var/etc;

remote 63.63.63.63 {
    exchange_mode main;
    my_identifier address 63.63.63.64;
    peers_identifier address 63.63.63.63;
    initial_contact on;
    support_proxy on;
    proposal_check obey;

    proposal {
        encryption_algorithm rijndael 256;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 5;
        lifetime time 28800 secs;
    }
    lifetime time 28800 secs;
}

sainfo address 192.168.168.0/24 any address 10.10.10.0/24 any {
    encryption_algorithm rijndael 256;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
    pfs_group 5;
    lifetime time 3600 secs;
}

I have recently switched my test tunnels to rijndael 256 w/ SHA1
everything works great when I downgraded back to the original 1.2-BETA-2.



Re: AW: [pfSense Support] Latest build - IPSec broken

2007-07-08 Thread Scott Ullrich

On 7/8/07, Heiko Garbe [EMAIL PROTECTED] wrote:

also, same problem


Try a snapshot later today or run this command and reboot:

chmod a+rx /usr/local/bin/*.sh

Scott
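
Added example, not part of the original message or of pfSense itself: a small check to run before and after the chmod above, listing the *.sh files in a directory that still lack the read/execute bits that chmod a+rx grants. The function names and the sample files created in demo are constructed for illustration.

```shell
#!/bin/sh
# Added example: find *.sh files that are missing the r-x bits
# "chmod a+rx" would set for user, group and other.

# List scripts directly inside $1 (default /usr/local/bin) whose mode
# does not include all of r-xr-xr-x. "-perm -555" matches files that
# have every one of those bits set, so "!" selects the ones that do not.
missing_rx() {
    dir=${1:-/usr/local/bin}
    find "$dir" -maxdepth 1 -type f -name '*.sh' ! -perm -555 | sort
}

# Number of scripts reported by missing_rx.
count_missing_rx() {
    missing_rx "$1" | wc -l | tr -d ' '
}

# Demonstration on constructed sample files in a scratch directory.
demo() {
    d=$(mktemp -d /tmp/rxcheck.XXXXXX) || return 1
    : > "$d/sample_a.sh"; chmod 644 "$d/sample_a.sh"   # no execute bit at all
    : > "$d/sample_b.sh"; chmod 755 "$d/sample_b.sh"   # already correct
    : > "$d/sample_c.sh"; chmod 700 "$d/sample_c.sh"   # owner only
    echo "before: $(count_missing_rx "$d") script(s) missing r-x"
    missing_rx "$d"
    chmod a+rx "$d"/*.sh
    echo "after:  $(count_missing_rx "$d") script(s) missing r-x"
    rm -rf "$d"
}

demo
```

On a firewall, calling missing_rx /usr/local/bin before the reboot shows whether the chmod actually covered every script.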




AW: AW: [pfSense Support] Latest build - IPSec broken

2007-07-08 Thread Fuchs, Martin

Hmmm, did so... but ping tells me that destination host is unreachable...

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED]
Sent: Sunday, 8 July 2007 21:47
To: support@pfsense.com
Subject: Re: AW: [pfSense Support] Latest build - IPSec broken

On 7/8/07, Heiko Garbe [EMAIL PROTECTED] wrote:
 also, same problem

Try a snapshot later today or run this command and reboot:

chmod a+rx /usr/local/bin/*.sh

Scott




Re: AW: [pfSense Support] Latest build - IPSec broken

2007-07-08 Thread Scott Ullrich

On 7/8/07, Fuchs, Martin [EMAIL PROTECTED] wrote:

Hmmm, did so... but ping tells me that destination host is unreachable...


Try a snapshot 2 hours from now.  Seth committed a fix just now.

Scott




Re: AW: [pfSense Support] Latest build - IPSec broken

2007-07-08 Thread David L. Strout


All is working as expected  great fix  thanks Scott and pfS
dev team! 
 - Original Message -
 Subject: Re: AW: [pfSense Support] Latest build - IPSec broken
 From:  Scott Ullrich 
 To: support@pfsense.com
 Date: 08-07-2007 5:11 pm
 On 7/8/07, Fuchs, Martin  wrote:
  Hmmm, did so... but ping tells me that destination host is unreachable...
 Try a snapshot 2 hours from now. Seth committed a fix just now.
 Scott

 



[pfSense Support] Latest build 1.2-BETA-2-SNAP

2007-07-08 Thread David L. Strout


Just a few observations . 

In upgrading to the new 1.2-BETA-2-TESTING-SNAP (built on Sun Jul 8
19:46:55 EDT 2007 ), I noticed a few things .. 

1. The webConfigurator is so much faster, especially on the log
filter/NAT/rules screens. 

2. I noticed you abandoned the dynamic filter view (although a
little skewed and not formatted) ... it might be helpful for those
who don't understand the tcpdump CLI option in the future. 

3. IPSec seems to be super fast at establishing tunnels . great
speed on the nail-up!! 

All in all  another fine step in the pfS evolution  once
again, thanks Scott and devs  great SNAP! 
 - Original Message -
 Subject: Re: AW: [pfSense Support] Latest build - IPSec broken
 From:  Scott Ullrich 
 To: support@pfsense.com
 Date: 08-07-2007 5:11 pm
 On 7/8/07, Fuchs, Martin  wrote:
  Hmmm, did so... but ping tells me that destination host is unreachable...
 Try a snapshot 2 hours from now. Seth committed a fix just now.
 Scott
