Re: [pfSense Support] Another Multiple WAN question
(Assuming we are talking about load balancing) To differentiate the 3 modems, just use different monitor IPs for each. You don't have to use the gateway IP address as a monitor IP. You can use your ISP's DNS servers, web servers, routers, anything that will respond to a ping. To find these IP addresses you can run a traceroute or use something like nmap. You can even use google.com as a monitor.

sai

On 7/20/07, William Smith [EMAIL PROTECTED] wrote:

Hi Again, I've asked questions about this previously and have gotten much help, Thank You. Now I have some questions that will help me clarify in my own mind the best approach to my specific network. I will state some facts to begin with.

1. I have 3 separate DSL lines all from the same provider; each is given a static IP based on login name/password.
2. I am content with the load balance function, with no other needs to direct or traffic shape certain traffic to a specific WAN.

My modems can be set up several different ways. I would prefer to go the bridged ethernet route and have pfSense do the PPPoE authentication on all interfaces, but that seems not doable on the pfSense OPT interfaces, so I can set up my DSL modem/router to DMZ the IP that is handed off to pfSense WAN, OPT1 and OPT2. When the modem is set up that way, and its DHCP is enabled, and pfSense gets its IP via DHCP client, the modem hands it the outside static IP, NOT an IP in the subnet of the DHCP server in the DSL modem/router. If I look at the status of the interfaces in pfSense I will see:

Status: up
DHCP: up
MAC:
IP: my static ip
Subnet mask: 255.0.0.0
Gateway: 68.152.xxx.xxx
DNS: etc...

One of the problems is that ALL 3 of my gateways are the same. I've double checked this by using each WAN DSL modem and my laptop. So how does pfSense distinguish each WAN if they all use the same gateway on the other side at the ISP? Or is this simply not a good way to do this?
I know that I can just assign public IPs 192.168.0.1, 192.168.1.1 and 192.168.2.1 to my DSL modems and use them as the gateways for the load balancing setup, but isn't this an unneeded router hop that just adds to the latency time? Then it seems to get messy if I need to access the web config for the DSL modems from the LAN side, and my DSL modems have no web authentication, so they are vulnerable from inside my LAN and more rules would be needed. Well, maybe I am just being too picky? But the one main reason for now is that I want my pfSense IPs to be my outside static IPs so that I don't have to monkey around with both pfSense AND the DSL modem/router just to pinhole the firewall. I'm not having too much luck getting through both the DSL modem/router and pfSense. Any ideas, thoughts? Thanks for listening to my rambling and any wisdom you might impart my way.

Cheers,
Bill

- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] DNS forwarder timeouts/failures
I've always had problems with MS DNS implementations. They have messed around with DNS and so it exhibits strange behaviour. I'd suggest that you get rid of the MS machine's IP as a DNS server on the firewall. On your XP PCs have the firewall as the primary DNS, and the MS machine as secondary.

sai

On 7/18/07, Volker Kuhlmann [EMAIL PROTECTED] wrote:

I have installed pfsense 1.2beta1 built on Mon Apr 30 10:47:18 EDT 2007, LAN with half a dozen XP and a few Linux machines. ADSL. Primary name server on the general setup tab is fixed to the ISP's name server; secondary name server is set to the MS business server 2003. DHCP server and DNS forwarder are used on pfsense. Client machines are set to use the pfsense firewall as name server. Frequently name lookups in browsers fail. On page reload in the browser they are always fine. The problem is more pronounced on the XP clients but also exists on the Linux clients. To check that it isn't the ISP's name server (which has a bad reputation), I configured a name server of another ISP instead. Timeouts occur as frequently. My analysis of the problem is that pfsense's DNS forwarder's timeouts are too short. How can I increase those? Thanks for any tips.

Volker
RE: [pfSense Support] DNS forwarder timeouts/failures
If this is a domain environment this will likely slow down domain functions, as the XP machines will be asking the ISP server for domain information. I think a better way is to have MS DNS set up with a forwarder for external lookups (right click on the DNS server in the MMC and select the Forwarders tab; there you can specify your ISP's DNS, or even better yet use OpenDNS 208.67.222.222). Then have DHCP assign the MS DNS as the only DNS server.

-Original Message-
From: sai [mailto:[EMAIL PROTECTED]]
Sent: Friday, July 20, 2007 6:48 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] DNS forwarder timeouts/failures
RE: [pfSense Support] DNS forwarder timeouts/failures
I second this method, as it will also use the internal DNS server to cache the results. Made a noticeable difference on my network WAN usage.

-Sean

Date: Fri, 20 Jul 2007 06:59:12 -0400
From: [EMAIL PROTECTED]
To: support@pfsense.com
Subject: RE: [pfSense Support] DNS forwarder timeouts/failures
[pfSense Support] IPsec compression enabled?
First of all let me say that pfSense rocks... A simple question: is IPsec compression enabled by default in the pfSense IPsec implementation? If so, are you going to provide a check box to disable this setting? Thanks in advance.

r3N0oV4
Re: [pfSense Support] Programming pfSense to Reboot and Dump LAN / WAN traffic
On Jul 19, 2007, at 7:41 PM, Tortise wrote:

1) LAN and WAN traffic dumps to a CentOS HDD on the LAN, in an attempt to catch the traffic that may be causing pfSense to intermittently hang and require rebooting.

Connect both systems to a hub and run tcpdump on the other machine, logging all traffic some place.

2) Somehow set up a cron job to ping the ISP every minute, and reboot pfSense if the pings fail for 20 mins.

Buy hardware that's not faulty. pfSense is *way* more robust than what it seems to be for you. What network interfaces do you have? If other than Broadcom or Intel, switch to Intel.
[pfSense Support] Captive Portal kills my firewall rules
When I enable the Captive Portal on my LAN interface in either 1.2 BETA version 1 or 2, it messes with my WAN firewall rules. When enabled, the only rule that works is an allow in to pfSense's web admin from outside on HTTPS. Anyone else experience this or know of any fixes?
Re: [pfSense Support] CARP, pfSense latest snapshot
Send me the resultant config.xml that causes the problem and I'll look at it when I get a chance (probably in a week or so).

Dimitri Rodis wrote:

Ok, traced my steps *exactly* except I used VMware Server 1.0.3 and I get the exact same error. I also tried it on another physical machine running VMware Server with the exact same results... So, it's not a Virtual Server issue or a hardware issue. Where do we go from here?

Dimitri Rodis
Integrita Systems LLC

-Original Message-
From: Dimitri Rodis [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 17, 2007 3:31 PM
To: support@pfsense.com
Subject: RE: [pfSense Support] CARP, pfSense latest snapshot

Ok, I can do VMware on that host machine also. I will give it a shot. For what it's worth, however, I have a number of fresh installations (meaning, I didn't attempt to upload a m0n0 config, but was set up from scratch) at other sites running just fine on VS 2005 R2. I'll post back later once I get it up in VMware Server.

Dimitri Rodis
Integrita Systems LLC

-Original Message-
From: Chris Buechler [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 17, 2007 2:34 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] CARP, pfSense latest snapshot

Dimitri Rodis wrote:

FWIW, this is running in a MS Virtual Server 2005 R2 SP1 virtual machine, so it shouldn't have anything to do with the hardware, as there are 10 other virtual machines running without issue.

MS VS is the hardware in this case, and can be extremely flaky with FreeBSD. It sounds like that might be what you're seeing. I'm pretty certain you won't be able to replicate that using the exact same config on real hardware or VMware.
Re: [pfSense Support] Captive Portal kills my firewall rules
Nate Stiller wrote:

When I enable the Captive Portal on my LAN interface in either 1.2 BETA version 1 or 2, it messes with my WAN firewall rules. When enabled, the only rule that works is an allow in to pfSense's web admin from outside on HTTPS. Anyone else experience this or know of any fixes?

You have to exempt any hosts with ports open to them from the WAN, as CP will block all reply traffic from those hosts otherwise.
[pfSense Support] PFSense with PPTP and external FreeRadius
Hello All,

I have recently tried to set up pfSense 1.2 B2 with PPTP and RADIUS auth against an external RADIUS server that uses an LDAP backend. I was just wondering if anyone on the list had done this already and would be able to give me a few pointers and share some gotchas (if any).

Thanks,
Joel Robison
Re: [pfSense Support] Captive Portal kills my firewall rules
I forgot to say that this happens even on the clients for which I use the pass-through MAC filtering.

On 7/20/07, Chris Buechler [EMAIL PROTECTED] wrote:

Nate Stiller wrote:

When I enable the Captive Portal on my LAN interface in either 1.2 BETA version 1 or 2, it messes with my WAN firewall rules. When enabled, the only rule that works is an allow in to pfSense's web admin from outside on HTTPS. Anyone else experience this or know of any fixes?

You have to exempt any hosts with ports open to them from the WAN, as CP will block all reply traffic from those hosts otherwise.
RE: [pfSense Support] Gateway in rules
Hmmm, strange... When defining another gateway and making a traceroute it shows me the default gateway as the first hop... Any logic error of mine? We have a net with 8 IPs, so the first and the last cannot be used... the others are defined by the load balancer as gateways... But as I said above, it only shows the default gateway in traceroute... ?

Regards,
Martin

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED]]
Sent: Friday, 20 July 2007 01:15
To: support@pfsense.com
Subject: Re: [pfSense Support] Gateway in rules

You can fake it by setting up a load balancing pool, entering only one gateway, and using the gateway IP as a monitor IP.

Scott

On 7/19/07, Fuchs, Martin [EMAIL PROTECTED] wrote:

Hi!

How can I choose a different gateway than the default in the rules? We have multiple external IPs at work (on one interface per proxy ARP) and pfSense just shows the default gateway... Would be a cool feature for policy based routing... Any ideas?

Regards,
Martin
Re: [pfSense Support] Programming pfSense to Reboot and Dump LAN / WAN traffic
Thank you Vivek

connect both systems to a hub and run tcpdump on the other machine logging all traffic some place.

Yes, they are already on a LAN with a switch. I didn't realise tcpdump could be run from another machine other than the one being dumped from. From what you suggest it can. I'll study it up and see if I can get it to! (Unless someone here knows the syntax for this well and can just roll it off?)

Buy hardware that's not faulty. pfsense is *way* more robust than what it seems to be for you. what network interfaces do you have? if other than broadcom or intel, switch to intel.

We (3 of us) believe this is not a hardware issue. 3 of us are on the same ISP here in NZ, and have been experiencing the same issues for many months. The ISP uses much the same Motorola cable modem to interface into our static IPs. The same fault occurs using completely different hardware here also. I have another pfSense box running at alternative premises connected to quite a different ISP, and that box just goes, in line with what we believe we should be expecting. Swapping the boxes also suggests it is not a hardware problem, as they all work at the alternative ISP / venue. I find running Monowall also has the same experience here; the same Monowall box is stable for months off site. I have been tempted to post to the Monowall list also, but cross posts are considered bad etiquette and I presume the Monowall folks are also on both lists, so I have refrained. (Is this correct?) It suggests to me there is something about our ISP which is a problem, perhaps their hardware or perhaps something about their traffic. Clearly this should not be the case, but the onus falls on us (rightly or wrongly) to prove this. It also suggests to me there is a vulnerability in FreeBSD, as the problem occurs in both Monowall and pfSense with this cable ISP. I'd prefer my firewall not need random rebooting.

We'd all like to help within our power and ability to move this forward, as FreeBSD and its children (pfSense and Monowall) are largely fantastic!

Kind regards
David Hingston
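A link watchdog of the kind Tortise asked about in point 2 (ping the ISP every minute from cron, reboot only after 20 consecutive minutes of failures), as an added example that is not from this thread or from the pfSense project. MONITOR_IP is a placeholder, and the state file, probe command and reboot hook are all overridable so the logic can be dry-run without touching a live box.

```shell
#!/bin/sh
# WAN link watchdog for a once-a-minute cron job. Constructed example, not
# pfSense project code. Each run pings one monitor host; the count of
# consecutive failures is kept in a state file and, once it reaches
# THRESHOLD (20 runs = 20 minutes), the reboot hook is called and the
# counter reset. A single successful ping clears the counter, so a few
# lost packets never trigger a reboot.
MONITOR_IP="${MONITOR_IP:-203.0.113.1}"          # placeholder: ISP DNS/router
THRESHOLD="${THRESHOLD:-20}"                     # failed runs before action
STATE="${STATE:-/var/run/wan_watchdog.fail}"     # consecutive-failure counter
PROBE_CMD="${PROBE_CMD:-ping -c 1 $MONITOR_IP}"  # one ICMP echo per run
REBOOT_CMD="${REBOOT_CMD:-/sbin/reboot}"         # override for a dry run

# read_fails prints the stored failure count, or 0 if no state file exists
read_fails() {
    if [ -f "$STATE" ]; then cat "$STATE"; else echo 0; fi
}

# record_result takes the probe exit status ($1) and prints the new count:
# 0 on success, previous count + 1 on failure. The count is persisted.
record_result() {
    if [ "$1" -eq 0 ]; then
        fails=0
    else
        prev=$(read_fails)
        fails=$(( ${prev:-0} + 1 ))
    fi
    echo "$fails" > "$STATE"
    echo "$fails"
}

# watchdog runs one probe; returns 0 if the reboot hook fired, 1 otherwise
watchdog() {
    if $PROBE_CMD >/dev/null 2>&1; then rc=0; else rc=1; fi
    fails=$(record_result "$rc")
    if [ "$fails" -ge "$THRESHOLD" ]; then
        logger -t wan_watchdog "$MONITOR_IP unreachable for $fails checks, rebooting" 2>/dev/null || :
        echo 0 > "$STATE"   # reset so the full window must elapse again after reboot
        $REBOOT_CMD
        return 0
    fi
    return 1
}

# cron entry: * * * * * /bin/sh /root/wan_watchdog.sh run
if [ "${1:-}" = "run" ]; then
    watchdog
fi
```

Note that the probe only tests reachability of the monitor host; a reachable ISP with a hung pf state table would still pass, so pair it with the tcpdump capture from the other machine if the hang itself is what you need evidence of.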