Re: [pfSense Support] 2 networks on the LAN interface, vlan, trunk?

[Paul M]

Ugo Bellavance wrote:
 VLAN 101 contains ports that are connected directly to the internet
 (PfSense WAN port, internet port (it is in colocation), other servers
 that would be connected directly to the internet (not behind PfSense).
 
 VLAN 102 contains ports that are connected to devices in the Subnet1,
 let's say 10.10.10.0/24.
 
 VLAN 103 contains ports that are connected to devices in the Subnet2,
 let's say 192.168.10.0/24.

this seems OK, I think, once you've created vlans you assign the wan and
lan ports appropriately, then make vlan103 be say OPT1 (and rename it to
LAN2?)

 However, subnet2 is completely isolated.  It cannot talk to anyone, nor
 to the fw, nor the subnet1, nor the internet.

if you manually add static routes to hosts on vlan103, does it work?
what are you seeing in the arp tables on the hosts?

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

[pfSense Support] Small correction for script tools/builder_scripts/cvsup_current

[Angelo Turetta]

Attached is a patch with a couple 'cutpaste' typos corrections, plus a 
conditional for not installing fastest_cvsup if you have set 
OVERRIDE_FREEBSD_CVSUP_HOST


Hope this can be included in the repository.

Angelo Turetta
Modena - Italy
Index: cvsup_current
===
RCS file: /home/pfsense/cvsroot/tools/builder_scripts/cvsup_current,v
retrieving revision 1.164
diff -u -r1.164 cvsup_current
--- cvsup_current   12 Sep 2007 15:56:57 -  1.164
+++ cvsup_current   27 Sep 2007 14:58:37 -
@@ -81,16 +81,18 @@
env FTP_PASSIVE_MODE=yes /usr/sbin/pkg_add -r cvsup-without-gui
 fi
 
+if [ -z ${OVERRIDE_FREEBSD_CVSUP_HOST:-} ]; then
 # Add fastest-cvsup
 if [ ! -f /usr/local/bin/fastest_cvsup ]; then
-   echo Cannot find cvsup, pkg_add in progress...
+   echo Cannot find fastest_cvsup, pkg_add in progress...
/usr/sbin/pkg_add -r fastest_cvsup
 fi
 # Failed, lets try with passive mode
 if [ ! -f /usr/local/bin/fastest_cvsup ]; then
-   echo Cannot find cvsup, pkg_add in progress (PASSIVE FTP)...
+   echo Cannot find fastest_cvsup, pkg_add in progress (PASSIVE FTP)...
env FTP_PASSIVE_MODE=yes /usr/sbin/pkg_add -r fastest_cvsup
 fi
+fi
 
 # Add pcre
 if [ ! -f /usr/local/lib/libpcre.so.0 ]; then
@@ -114,7 +116,7 @@
env FTP_PASSIVE_MODE=yes /usr/sbin/pkg_add -r lighttpd
 fi
 
-# Add cvsup
+# Add curl
 if [ ! -f /usr/local/bin/curl ]; then
echo Cannot find curl, pkg_add in progress...
/usr/sbin/pkg_add -r curl

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: [pfSense Support] Issue with stalling on static route

[jamespev]

 check the box to bypass firewall rules for traffic leaving the same
interface it enters on the Advanced page.

This seems to have fixed it.  Odd that there were no entries in the firewall 
logs about blocking traffic... and how it was so erratic.
Thanks for the help!
James-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: [pfSense Support] Small correction for script tools/builder_scripts/cvsup_current

[Scott Ullrich]

On 9/27/07, Angelo Turetta [EMAIL PROTECTED] wrote:
 Attached is a patch with a couple 'cutpaste' typos corrections, plus a
 conditional for not installing fastest_cvsup if you have set
 OVERRIDE_FREEBSD_CVSUP_HOST

 Hope this can be included in the repository.

 Angelo Turetta
 Modena - Italy

 Index: cvsup_current
 ===
 RCS file: /home/pfsense/cvsroot/tools/builder_scripts/cvsup_current,v
 retrieving revision 1.164
 diff -u -r1.164 cvsup_current
 --- cvsup_current   12 Sep 2007 15:56:57 -  1.164
 +++ cvsup_current   27 Sep 2007 14:58:37 -
 @@ -81,16 +81,18 @@
 env FTP_PASSIVE_MODE=yes /usr/sbin/pkg_add -r cvsup-without-gui
  fi

 +if [ -z ${OVERRIDE_FREEBSD_CVSUP_HOST:-} ]; then
  # Add fastest-cvsup
  if [ ! -f /usr/local/bin/fastest_cvsup ]; then
 -   echo Cannot find cvsup, pkg_add in progress...
 +   echo Cannot find fastest_cvsup, pkg_add in progress...
 /usr/sbin/pkg_add -r fastest_cvsup
  fi
  # Failed, lets try with passive mode
  if [ ! -f /usr/local/bin/fastest_cvsup ]; then
 -   echo Cannot find cvsup, pkg_add in progress (PASSIVE FTP)...
 +   echo Cannot find fastest_cvsup, pkg_add in progress (PASSIVE FTP)...
 env FTP_PASSIVE_MODE=yes /usr/sbin/pkg_add -r fastest_cvsup
  fi
 +fi

  # Add pcre
  if [ ! -f /usr/local/lib/libpcre.so.0 ]; then
 @@ -114,7 +116,7 @@
 env FTP_PASSIVE_MODE=yes /usr/sbin/pkg_add -r lighttpd
  fi

 -# Add cvsup
 +# Add curl
  if [ ! -f /usr/local/bin/curl ]; then
 echo Cannot find curl, pkg_add in progress...
 /usr/sbin/pkg_add -r curl

Commited, thanks!

Scott

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

[pfSense Support] Poor DNS performances and websurfing...

[tester]

Hello,
In the last week I noticed poor DNS performances and
obviously web surfing suffers, too.
This is the output from a PC configured to use the IP
address of the main pfSense machine:

$time nslookup www.google.com

nslookup can take from 0.022s to 5.004s or even
10.04s!
I have to click twice or three times a link in a web
page to successfully connect to it without timeout
error.
Bandwidth from the ISP seems to be OK.
I noticed if a PC download near at the max speed from
a HTTP page, DNS performance becomes worst. I didn't
experience this behaviour in the previous release of
pfSense. Previous one seemed to handle better a high
load.
Maybe a re-installation of pfSense (1.2RC2) can
improve this situation or some network settings have
been changed in the latest release?
Notice that no P2P programs were or are running.

I heard about BIND: does pfSense already offer its
features?

I've a further question to pfSense's developer about
the 'at' command: is it broken in the 1.2RC-2 version
(see message entitled: How to schedule shutdown and
box heartbeat)?

Thanks.


  ___
Yahoo! Answers - Got a question? Someone out there knows the answer. Try it
now.
http://uk.answers.yahoo.com/ 

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: [pfSense Support] Poor DNS performances and websurfing...

[Rainer Duffner]

Am 27.09.2007 um 23:17 schrieb tester:


Hello,
In the last week I noticed poor DNS performances and
obviously web surfing suffers, too.
This is the output from a PC configured to use the IP
address of the main pfSense machine:




What DNS-servers did the pfsense get from the ISP?
Do they work?
Could it be that one of them is dead?
Try with [EMAIL PROTECTED] www.somedomainyouvenotcheckedbefore.com
and
[EMAIL PROTECTED] www.someotherdomain.com




cheers,
Rainer
--
Rainer Duffner
CISSP, LPI, MCSE
[EMAIL PROTECTED]



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

RE: [pfSense Support] Poor DNS performances and websurfing...

[Tim Dickson]

And just for the sake of trying... give opendns.com a shot.
-Tim

-Original Message-
From: Rainer Duffner [mailto:[EMAIL PROTECTED] 
Sent: Thursday, September 27, 2007 3:18 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Poor DNS performances and websurfing...


Am 27.09.2007 um 23:17 schrieb tester:

 Hello,
 In the last week I noticed poor DNS performances and
 obviously web surfing suffers, too.
 This is the output from a PC configured to use the IP
 address of the main pfSense machine:



What DNS-servers did the pfsense get from the ISP?
Do they work?
Could it be that one of them is dead?
Try with [EMAIL PROTECTED] www.somedomainyouvenotcheckedbefore.com
and
[EMAIL PROTECTED] www.someotherdomain.com




cheers,
Rainer
-- 
Rainer Duffner
CISSP, LPI, MCSE
[EMAIL PROTECTED]



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

AW: [pfSense Support] Poor DNS performances and websurfing...

[Fuchs, Martin]

Perhaps you should try to use the traffic shaper to give dns a higher 
priority...

It's running in this constellation at all my systems and it's running fine...

It's obvious that when the wan-pipe is heavily loaded, dns packets have to wait 
if there's not qos...

-Ursprüngliche Nachricht-
Von: tester [mailto:[EMAIL PROTECTED] 
Gesendet: Donnerstag, 27. September 2007 23:18
An: support@pfsense.com
Betreff: [pfSense Support] Poor DNS performances and websurfing...

Hello,
In the last week I noticed poor DNS performances and
obviously web surfing suffers, too.
This is the output from a PC configured to use the IP
address of the main pfSense machine:

$time nslookup www.google.com

nslookup can take from 0.022s to 5.004s or even
10.04s!
I have to click twice or three times a link in a web
page to successfully connect to it without timeout
error.
Bandwidth from the ISP seems to be OK.
I noticed if a PC download near at the max speed from
a HTTP page, DNS performance becomes worst. I didn't
experience this behaviour in the previous release of
pfSense. Previous one seemed to handle better a high
load.
Maybe a re-installation of pfSense (1.2RC2) can
improve this situation or some network settings have
been changed in the latest release?
Notice that no P2P programs were or are running.

I heard about BIND: does pfSense already offer its
features?

I've a further question to pfSense's developer about
the 'at' command: is it broken in the 1.2RC-2 version
(see message entitled: How to schedule shutdown and
box heartbeat)?

Thanks.


  ___
Yahoo! Answers - Got a question? Someone out there knows the answer. Try it
now.
http://uk.answers.yahoo.com/ 

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

RE: [pfSense Support] Adding new NIC drivers

[Bennett Lee]

I figured this out by adding if_myk_load=YES to /boot/loader.conf.  I
don't know if this is where it's supposed to go, but it works.

Now the million-dollar question: can I do a firmware upgrade without
loosing this entry in the /boot/loader.conf?  I'm confident the .ko
files I copied to /boot/kernel won't get deleted during updates, but I
want to make sure that the /boot/loader.conf doesn't get overwritten.
Otherwise, I'll have a bunch of pissed off clients and a trip to our
colocation on my next update.  :)

--Bennett



Bennett Lee wrote:
OK, after many problems, like couldn't install because of no known
NICs, installing NICs in a 1U case with no riser, figuring out how
to mount, if_myk.ko requiring libmbpool.ko, etc., I finally got the
drivers installed with kldload and they appear to work.

Until I rebooted.  The drivers don't reload.  What to do I need to
change in order to get them to install permanently?

--Bennett


Bill Marquette wrote:

Probably easiest to load them onto a USB keyfob and mount it after
boot.  Then kldload the if_myk.ko module.

--Bill

On 9/25/07, Bennett Lee [EMAIL PROTECTED] wrote:
 I've got a new motherboard with quad-GB LANs that all use Marvell 
 8056, which isn't supported by pfSense/FreeBSD.  I d/l Marvell's
Yukon
 FreeBSD drivers, which supposedly support this board.  Their .tgz 
 contains if_myk.ko, +CONTENTS, and myk.4.gz.  Inside myk.4.gz is
myk.4.

 How do I add these drivers to the LiveCD so I can try them out?  Is
it 
 as easy as injecting the files into the CD into some particular
folder 
 and maybe adding them to a boot config file?  (I hope so--haven't
done 
 anything in *nix since I wrote a crappy little client/server app
back

 in college [many, many, many] years ago.)

 --Bennett

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: [pfSense Support] jabber and NAT woes

[Geoff Crompton]

Will Miles wrote:
 Hi,
 
 I ran in to this one too.  The basic issue is that jabber leaves its TCP 
 connection open but idle when there's no actual messaging traffic going on, 
 and pfSense's scheme to implement NAT reflection (ie. accessing the public 
 IP address from the LAN) depends on the use of a TCP proxy that has a fixed 
 timeout (although IIRC there's currently a hidden option that allows 
 adjusting the specific timeout).  In this case adjusting the state timeout 
 won't help because it's not the state table that's timing out - it's the TCP 
 proxy.
 
 The quickest fix is to use the DNS proxy on your pfSense box and set a 
 fixed mapping of the external name to the internal IP of the server.  This 
 forces the internal client boxes to connect directly, and still allows 
 external clients to operate normally through the firewall (since they resolve 
 DNS against the public DNS servers that carry the correct external IP).
 
 Another fix is to adjust the TCP proxy timeout - I'm not sure where that 
 lives currently, although IIRC it's not accessible from the GUI; the details 
 are in the forums somewhere.  Unfortunately, this can lead to dead proxy 
 processes kicking around on your pfSense box for long periods of time before 
 they time out, but at least the live connections don't go with them.
 
 The Linux kernel supports doing NAT reflection directly in the kernel, which 
 is why it 'just works' with IPCop.  Unfortunately, the FreeBSD gurus claim 
 that their NAT system is not capable of doing this within the packet 
 filtering framework.  That said, it /is/ possible to trick it into behaving 
 this way, and I assembled a patch for my own usage to solve this specific 
 problem, but since the experts claim it's not possible there's no guarantee 
 it will behave correctly in all circumstances.  I'll see if I can get it 
 together over the weekend - I'm still using one of the 1.2 betas, though, so 
 it'd take me a bit to update it for the RC build.  That said, it doesn't 
 remove the proxy-based reflection scheme, so if you're interested in the 
 patch you can always go back to whichever model you find works best for you.
 
 -Will Miles

Thanks for the detailed explanation Will. We'll try adjusting the tcp
proxy timeout. I think we found some sort of timeout setting we tried to
set in the config file, but I'm not sure it was the tcp proxy timeout.
And when we tried it, we hand hacked the xml, and broke the syntax
(didn't close a tag), which confused us. We've reverted to IPcop until
we can schedule another maintenance window to sort this out.

Cheers
-- 
Geoff Crompton
Debian System Administrator
http://www.strategicdata.com.au
Phone: +61 3 9340 9000
Fax:   +61 3 9348 2015

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

[pfSense Support] disable console menu

[Jan Hoevers]

Two small remarks on the disable console menu option in the 
miscellaneous subsection of the system - advanced page (1.2-RC2).

Nothing serious; only cosmetic issues.

1. The page says Changes to this option will take effect after a 
reboot. This is not the case; changes take effect immediately.

I would suggest to remove this remark in a future release.

2. I was a bit surprised about the effect of this option: the console 
menu is not at all disabled, but a login is required before it is displayed.

I would suggest to change the options title in a future release.

I like this option: it increases security and saves a job running. 
Furthermore, the it saves those false alarm messages in the system log 
(root login on console), when the menu refreshes a few times a day.

Of course it should not be used by people who forget passwords.;-)

regards,
Jan Hoevers

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]