Re: [pfSense Support] PPPoE gets disconnected on WAN port

2008-04-01 Thread Olivier Mueller
On Tue, 2008-04-01 at 08:46 +0200, Olivier Mueller wrote:
> pfSense Version: 1.2-Release. Still looking for a solution too... :)  
> Activated syslog to a remote pc to be able to debug this problem if 
> it occurs again today.

Et voila, it just happened again:


Apr  1 08:39:34 gw kernel: pflog0: promiscuous mode disabled
Apr  1 08:39:34 gw login: login on console as root
Apr  1 08:39:34 gw kernel: pflog0: promiscuous mode enabled
Apr  1 08:53:00 gw mpd: [pppoe] PPPoE connection closed
Apr  1 08:53:00 gw mpd: [pppoe] device: DOWN event in state UP
Apr  1 08:53:00 gw mpd: [pppoe] device is now in state DOWN
Apr  1 08:53:00 gw mpd: [pppoe] link: DOWN event
Apr  1 08:53:00 gw mpd: [pppoe] LCP: Down event
Apr  1 08:53:00 gw mpd: [pppoe] LCP: state change Opened --> Starting
Apr  1 08:53:00 gw mpd: [pppoe] LCP: phase shift NETWORK --> DEAD
Apr  1 08:53:00 gw mpd: [pppoe] setting interface ng0 MTU to 1500 bytes
Apr  1 08:53:00 gw mpd: [pppoe] up: 0 links, total bandwidth 9600 bps
Apr  1 08:53:00 gw mpd: [pppoe] IPCP: Down event
Apr  1 08:53:00 gw mpd: [pppoe] IPCP: state change Opened --> Starting
Apr  1 08:53:00 gw mpd: [pppoe] IPCP: LayerDown
Apr  1 08:53:00 gw mpd: [pppoe] IFACE: Down event
Apr  1 08:53:00 gw mpd: [pppoe] exec: /sbin/route delete 0.0.0.0 80.254.x.y
Apr  1 08:53:00 gw mpd: [pppoe] exec: /sbin/route delete 80.254.w.z -iface lo0
Apr  1 08:53:00 gw mpd: [pppoe] exec: /sbin/ifconfig ng0 down delete -link0
Apr  1 08:53:00 gw mpd: [pppoe] LCP: LayerDown
Apr  1 08:53:00 gw mpd: [pppoe] device: OPEN event in state DOWN
Apr  1 08:53:00 gw mpd: [pppoe] pausing 6 seconds before open
Apr  1 08:53:00 gw mpd: [pppoe] device is now in state DOWN
Apr  1 08:53:03 gw mpd: [pppoe] closing link "pppoe"...
Apr  1 08:53:03 gw mpd: [pppoe] link: CLOSE event
Apr  1 08:53:03 gw mpd: [pppoe] LCP: Close event
Apr  1 08:53:03 gw mpd: [pppoe] LCP: state change Starting --> Initial
Apr  1 08:53:03 gw mpd: [pppoe] LCP: LayerFinish
Apr  1 08:53:03 gw mpd: [pppoe] device: CLOSE event in state DOWN
Apr  1 08:53:03 gw mpd: [pppoe] device is now in state DOWN
Apr  1 08:53:06 gw mpd: [pppoe] opening link "pppoe"...
[...]
Apr  1 08:56:54 gw mpd: [pppoe] device is now in state DOWN
Apr  1 08:56:58 gw mpd: [pppoe] device: OPEN event in state DOWN
Apr  1 08:56:58 gw mpd: [pppoe] pausing 1 seconds before open
Apr  1 08:56:58 gw mpd: [pppoe] device is now in state DOWN
Apr  1 08:56:59 gw mpd: [pppoe] device: OPEN event in state DOWN
Apr  1 08:56:59 gw mpd: [pppoe] device is now in state OPENING
Apr  1 08:56:59 gw mpd: [pppoe] rec'd ACNAME "ipc-zhb790-r-br-03"
Apr  1 08:56:59 gw mpd: [pppoe] PPPoE connection successful
Apr  1 08:56:59 gw mpd: [pppoe] device: UP event in state OPENING
Apr  1 08:56:59 gw mpd: [pppoe] device is now in state UP
Apr  1 08:56:59 gw mpd: [pppoe] link: UP event
Apr  1 08:56:59 gw mpd: [pppoe] link: origination is local
Apr  1 08:56:59 gw mpd: [pppoe] LCP: Up event
Apr  1 08:56:59 gw mpd: [pppoe] LCP: state change Starting --> Req-Sent
Apr  1 08:56:59 gw mpd: [pppoe] LCP: phase shift DEAD --> ESTABLISH
Apr  1 08:56:59 gw mpd: [pppoe] LCP: SendConfigReq #12
Apr  1 08:56:59 gw mpd:  MRU 1492
Apr  1 08:56:59 gw mpd:  MAGICNUM ce56dc0c
[...]
then Auth, IF Up, Rules reload, all services back online.



According to the VDSL router, the link was always up, so it "should" be an
issue on the pfSense box? But where...?

At least the auto-reconnect worked this time :-)
regards,
Olivier



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
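An added example, not part of Olivier's post and not pfSense or mpd code: a small parser for the mpd syslog lines above that pairs each "PPPoE connection closed" with the next "PPPoE connection successful", reports the outage length and the number of "opening link" attempts in between, and keeps the last few mpd messages that preceded the close so an operator can see what (if anything) mpd logged before the drop. The sample log is a condensed copy of the lines quoted in the post; the year is assumed to be 2008 (the thread date) because syslog timestamps carry none.

```python
import re
from datetime import datetime

# Constructed sample: a condensed copy of the mpd lines from the post above.
SAMPLE_LOG = """\
Apr  1 08:39:34 gw kernel: pflog0: promiscuous mode disabled
Apr  1 08:53:00 gw mpd: [pppoe] PPPoE connection closed
Apr  1 08:53:00 gw mpd: [pppoe] device: DOWN event in state UP
Apr  1 08:53:00 gw mpd: [pppoe] LCP: phase shift NETWORK --> DEAD
Apr  1 08:53:00 gw mpd: [pppoe] exec: /sbin/route delete 0.0.0.0 80.254.x.y
Apr  1 08:53:03 gw mpd: [pppoe] closing link "pppoe"...
Apr  1 08:53:06 gw mpd: [pppoe] opening link "pppoe"...
Apr  1 08:56:59 gw mpd: [pppoe] rec'd ACNAME "ipc-zhb790-r-br-03"
Apr  1 08:56:59 gw mpd: [pppoe] PPPoE connection successful
Apr  1 08:56:59 gw mpd: [pppoe] LCP: phase shift DEAD --> ESTABLISH
"""

# BSD syslog line: "Mon dd HH:MM:SS host prog: message"
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^:]+): (?P<msg>.*)$"
)


def parse_line(line, year=2008):
    """Return (timestamp, host, program, message) or None for non-syslog text.

    year is an assumption: syslog lines carry no year, so the caller supplies it.
    """
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S")
    return ts, m["host"], m["prog"], m["msg"]


def pppoe_outages(text, year=2008, context_lines=5):
    """Pair PPPoE close/reconnect events and measure each outage.

    Returns a list of dicts with keys start, end, seconds, reconnect_attempts
    and context (the last mpd messages logged before the close). An outage
    still open at the end of the log is returned with end/seconds set to None.
    """
    outages = []
    current = None
    recent = []  # rolling window of the last mpd messages seen
    for line in text.splitlines():
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, _host, prog, msg = parsed
        if prog != "mpd":
            continue
        if "PPPoE connection closed" in msg and current is None:
            current = {"start": ts, "end": None, "seconds": None,
                       "reconnect_attempts": 0, "context": list(recent)}
        elif current is not None:
            if "opening link" in msg:
                current["reconnect_attempts"] += 1
            elif "PPPoE connection successful" in msg:
                current["end"] = ts
                current["seconds"] = int((ts - current["start"]).total_seconds())
                outages.append(current)
                current = None
        recent.append(msg)
        del recent[:-context_lines]
    if current is not None:
        outages.append(current)  # link still down when the log ends
    return outages


if __name__ == "__main__":
    for o in pppoe_outages(SAMPLE_LOG):
        print(f"down {o['start']:%H:%M:%S} -> up {o['end']:%H:%M:%S}: "
              f"{o['seconds']}s, {o['reconnect_attempts']} reconnect attempt(s)")
        print("mpd messages before the close:", o["context"] or "none")
```

On the sample the single outage runs from 08:53:00 to 08:56:59 (239 seconds) with one reconnect attempt, and the context window is empty: nothing from mpd was logged before the close, which matches what the post shows. Outages spanning midnight would need the year/day handling extended, which this example does not do.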



Re: [pfSense Support] CARP

2008-04-01 Thread David Rees
On Mon, Mar 31, 2008 at 11:40 PM, Anil Garg <[EMAIL PROTECTED]> wrote:
> Say we have one www.server on lan or dmz.  If this server to die, we want
> the system to point to another www.server on the same subnet.

Yes, you can do this with the Load Balancing feature.

-Dave




Re: [pfSense Support] CARP

2008-04-01 Thread Gary Buckmaster

Anil Garg wrote:
> I have seen some documentation that shows how two pfsense can act as 
> back up to the other (hot standby)..
>
> Is it possible for servers behind pfsense to exploit the same capability?
>
> Say we have one www.server on lan or dmz.  If this server to die, we 
> want the system to point to another www.server on the same subnet.
>
> Thanks much.
Yes, there are a number of mechanisms that allow this to happen.  It 
depends entirely on the type of operating system and applications you 
are using.  Many database server software offer a clustering feature.  
Linux has clustering capabilities through a couple of different 
facilities.  Spend some quality time with Google, I'm sure you'll find 
what you need.


-Gary




Re: [pfSense Support] CARP

2008-04-01 Thread Anil Garg
Thanks David and Thanks Gary.

I spent a lot of time reading and a few things are somewhat becoming clear...
CARP uses a trusted (preferably dedicated) link to send heartbeat signals to 
keep track of who is alive. This common knowledge enables some pfSense boxes to stay inactive 
(to either act as dhcp server or act as a gateway). When something happens to the 
master, the next in the succession line takes over.
Very unique, innovative and simple.

However most examples are for WAN side traffic and for keeping internet alive.  
I will keep trying to find something that shows how servers can be balanced.
It's amazing because it even keeps the state.

Best Regards
Anil Garg

Gary Buckmaster <[EMAIL PROTECTED]> wrote:

Anil Garg wrote:
> I have seen some documentation that shows how two pfsense can act as 
> back up to the other (hot standby)..
>
>
> Is it possible for servers behind pfsense to exploit the same capability?
>
> Say we have one www.server on lan or dmz.  If this server to die, we 
> want the system to point to another www.server on the same subnet.
>
> Thanks much.
Yes, there are a number of mechanisms that allow this to happen.  It 
depends entirely on the type of operating system and applications you 
are using.  Many database server software offer a clustering feature.  
Linux has clustering capabilities through a couple of different 
facilities.  Spend some quality time with Google, I'm sure you'll find 
what you need.

-Gary





Re: [pfSense Support] CARP

2008-04-01 Thread Gary Buckmaster
Then David is right, you want load balancing, not CARP high 
availability.  Look at the pfSense documentation for load balancing.


-Gary

Anil Garg wrote:

Thanks David and Thanks Gary.

I spent a lot of time reading and a few things are somewhat becoming 
clear...  CARP uses a trusted (preferably dedicated) link to send 
heartbeat signals to keep track of who is alive. This common knowledge enables 
some pfSense boxes to stay inactive (to either act as dhcp server or act as 
a gateway). When something happens to the master, the next in the succession line 
takes over.

Very unique, innovative and simple.

However most examples are for WAN side traffic and for keeping 
internet alive.  I will keep trying to find something that shows how 
servers can be balanced.

It's amazing because it even keeps the state.

Best Regards
Anil Garg

Gary Buckmaster <[EMAIL PROTECTED]> wrote:

Anil Garg wrote:
> I have seen some documentation that shows how two pfsense can act as
> back up to the other (hot standby)..
>
> Is it possible for servers behind pfsense to exploit the same capability?
>
> Say we have one www.server on lan or dmz. If this server to die, we
> want the system to point to another www.server on the same subnet.
>
> Thanks much.
Yes, there are a number of mechanisms that allow this to happen. It
depends entirely on the type of operating system and applications you
are using. Many database server software offer a clustering feature.
Linux has clustering capabilities through a couple of different
facilities. Spend some quality time with Google, I'm sure you'll find
what you need.

-Gary









Re: [pfSense Support] CARP

2008-04-01 Thread Bill Marquette
On Tue, Apr 1, 2008 at 9:44 AM, Anil Garg <[EMAIL PROTECTED]> wrote:
> However most examples are for WAN side traffic and for keeping internet
> alive.  I will keep trying to find something that shows how servers can be
> balanced.

If balancing is what you need, then use the load balancer built into
pfSense.  If active/passive, then while the load balancer will also
work fine, you might try one of the server high availability solutions
available outside of pfSense (CARP for the BSDs, linux's HA stuff, etc
- again Google will get you going there)

> It's amazing because it even keeps the state.

FWIW, to correct a few misstatements you've made in this thread.

"CARP requires a dedicated cable" - not correct, CARP is a multicast
protocol that is broadcast on the same network segment as the address
for it.
"it (CARP) even keeps the state" - not correct, pfsync keeps state
synchronization.  It's also highly recommended (as it's not
cryptographically secure) to run this on a dedicated cable.

--Bill




Re: [pfSense Support] CARP

2008-04-01 Thread Anil Garg
Bill

Thanks for correcting. I am quite green on this stuff and, as they say, a little 
knowledge is dangerous!

Load balance built in is a great idea.  I will test that out too...

Bill Marquette <[EMAIL PROTECTED]> wrote:

On Tue, Apr 1, 2008 at 9:44 AM, Anil Garg wrote:
> However most examples are for WAN side traffic and for keeping internet
> alive.  I will keep trying to find something that shows how servers can be
> balanced.

If balancing is what you need, then use the load balancer built into
pfSense.  If active/passive, then while the load balancer will also
work fine, you might try one of the server high availability solutions
available outside of pfSense (CARP for the BSDs, linux's HA stuff, etc
- again Google will get you going there)

> It's amazing because it even keeps the state.

FWIW, to correct a few misstatements you've made in this thread.

"CARP requires a dedicated cable" - not correct, CARP is a multicast
protocol that is broadcast on the same network segment as the address
for it.
"it (CARP) even keeps the state" - not correct, pfsync keeps state
synchronization.  It's also highly recommended (as it's not
cryptographically secure) to run this on a dedicated cable.

--Bill





RE: [pfSense Support] ICMP not Replying on Virtual IPs

2008-04-01 Thread Ron Lemon
Hi Tim,
 
I am using port forward.  Right now I am forwarding a TCP port (let's say
3389 for RDP) to the internal server and I have a rule set up for that
and it works perfectly.  What packets are you suggesting I forward?
There is no forward rule for ICMP.
 
Thanks.



From: Tim Dickson [mailto:[EMAIL PROTECTED] 
Sent: Monday, March 31, 2008 3:26 PM
To: support@pfsense.com
Subject: RE: [pfSense Support] ICMP not Replying on Virtual IPs



What kind of NAT are you using?

If it is port forward you'll have to forward the packets as well as
adding the rule to your Wan ruleset

If it is 1:1 it should work for you as long as they respond correctly
within your network

-tim

 

From: Ron Lemon [mailto:[EMAIL PROTECTED] 
Sent: Monday, March 31, 2008 12:06 PM
To: support@pfsense.com
Subject: [pfSense Support] ICMP not Replying on Virtual IPs

 

 

I have setup a rule to allow all ICMP types from any source any port to
any destination on any port via any gateway. 

If I ping my WAN IP it responds correctly. 

 

My WAN link also has 6 Virtual IPs of type Other configured.  I can
access the resources via NAT that are on these virtual IPs, but when I
ping one of them I never get a response.  What else do I need to do to
get the virtual IPs to respond to ICMP requests?

 

Thanks 

Ron. 



RE: [pfSense Support] ICMP not Replying on Virtual IPs

2008-04-01 Thread Ron Lemon
Hi Gary,

My virtual IPs are of type Other, not ProxyARP (unless Other is another
type of ProxyARP).  When I try to convert one of them to CARP it tells
me I have to put in a password, so I do.  Then it tells me that it
cannot locate an interface with a matching subnet for IP/32.  It says I
have to set up an IP in this subnet on a real interface.  Since I want
this IP to appear on my WAN interface, how do I add this IP in addition
to the one currently on it?

Thanks. 

-Original Message-
From: Gary Buckmaster [mailto:[EMAIL PROTECTED] 
Sent: Monday, March 31, 2008 3:33 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] ICMP not Replying on Virtual IPs

Ron Lemon wrote:
>
> I have setup a rule to allow all ICMP types from any source any port 
> to any destination on any port via any gateway.
>
> If I ping my WAN IP it responds correctly.
>
>
> My WAN link also has 6 Virtual IPs of type Other configured.  I can 
> access the resources via NAT that are on these virtual IPs but when I 
> ping one of them I never get a response.  What else do I need to do to
> get the virtual IPs to respond to ICMP requests.
>
>
> Thanks
>
> Ron.
>
ProxyARP virtual IPs don't respond to ping.  CARP virtual IPs do; if
ping is necessary, convert your virtual IPs over to CARP.



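An added example, not from Ron's or Gary's messages and not pfSense's own validation code: a small checker that encodes the two points made in this exchange, namely that a Proxy ARP virtual IP will not answer ping while a CARP one will, and that converting a VIP to CARP requires a password and a real interface whose subnet contains the address (the "matching subnet for IP/32" error Ron hits). The interface table is constructed from documentation address ranges; Ron's real addresses are not shown in the thread. The subnet test is done with the standard ipaddress module.

```python
import ipaddress

# Constructed sample interface table (placeholder addresses, not the thread's).
# The WAN carries a single address out of a small /29; the LAN is a private /24.
INTERFACES = {
    "wan": "203.0.113.10/29",
    "lan": "192.168.1.1/24",
}


def interface_for_vip(vip, interfaces=INTERFACES):
    """Return the interface whose subnet contains vip, or None.

    This is the condition behind the "matching subnet" error in the thread: a
    CARP VIP is only accepted when some real interface address shares its subnet.
    """
    addr = ipaddress.ip_address(vip)
    for name, cidr in interfaces.items():
        if addr in ipaddress.ip_interface(cidr).network:
            return name
    return None


def check_vip(vip, vip_type, interfaces=INTERFACES, password=None):
    """Validate one virtual-IP entry and say whether it will answer ping.

    Returns (ok, answers_icmp, findings). The rules are the ones stated in
    the thread: Proxy ARP entries do not answer ICMP echo (Gary), Ron sees
    the same for type Other, CARP entries do answer, and a CARP entry needs
    a password and an interface in its subnet.
    """
    findings = []
    kind = vip_type.lower()
    if kind == "carp":
        if not password:
            findings.append("CARP VIP requires a password")
        iface = interface_for_vip(vip, interfaces)
        if iface is None:
            findings.append(
                f"no interface has a subnet containing {vip}; add an address "
                "from that subnet to a real interface before converting")
        answers_icmp = True
    elif kind in ("proxyarp", "other"):
        answers_icmp = False
    else:
        findings.append(f"unknown VIP type {vip_type!r}")
        answers_icmp = False
    return (not findings, answers_icmp, findings)


if __name__ == "__main__":
    # Constructed cases: one VIP inside the WAN /29, one outside every subnet.
    for vip, kind, pw in [("203.0.113.12", "carp", "secret"),
                          ("198.51.100.5", "carp", None),
                          ("203.0.113.12", "proxyarp", None)]:
        ok, icmp, findings = check_vip(vip, kind, password=pw)
        print(vip, kind, "ok" if ok else "rejected",
              "answers ping" if icmp else "no ping reply", findings)
```

The second constructed case reproduces Ron's situation in miniature: an address that no real interface's subnet contains cannot become a CARP VIP until an address from that subnet is placed on the interface first, which is what the pfSense error text tells him to do.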



Re: [pfSense Support] problem report with default routes

2008-04-01 Thread Chris Buechler

Randy Schultz wrote:

> Ah.  Now I remember why I used the LAN i'face instead of the WAN i'face -
> because the WAN is DHCP only whereas with the LAN I can set the static
> address.
You can configure a static IP on the WAN. In fact you have to configure 
the IP on the WAN in this case, because that's the interface where your 
default gateway resides.




> None of the nets involved have a DHCP server running on them.  Also,
> (a lesser reason is) the LAN has the auto anti-lockout rule for the webUI.


Just add appropriate firewall rules to let you in on the WAN IP.



> I tried re-installing from scratch.  Since there is no way AFAIK to set a
> static on the WAN that early, 


Oh, I see what you're saying. You'll need to get the LAN interface up to 
do the initial configuration of the WAN interface, static IP, gateway, 
and rules.




> Which brings us full-circle.  It seems to me that the webUI really needs to be
> contacted on the LAN i'face at least for initial configuration, however the
> route for it goes away whenever something is done on the interfaces tab.  I
> could be doing something improper but do not know what it is or where to
> examine what I'm doing.  Thoughts?


You have to do the initial configuration connected directly to the LAN 
subnet; there is no supported way around that.
You just have to get into the web interface, assign the WAN IP and 
gateway info, configure the firewall rules, and then you can finish the 
configuration from wherever you want.






[pfSense Support] openvpn tunnel using public ip's from 1 side

2008-04-01 Thread Chris Flugstad
So I have a scenario that I wanna run by all you gurus.

In my colo, where I have lots of public IPs and my OpenVPN server, I'd
like to use these IPs at a remote location on the other end of a VPN
tunnel.  So basically, at the remote end, it would be as if they were in
my colo.  Has anyone done this sort of setup using pfSense?  Right now, I
use the OpenVPN server and connect clients to it, but more for a secure
connection/safety solution when I'm in a coffee shop.  So I get a
172.xxx on my laptop.  Any ideas, or if there are how-tos, that would
rock too.

thanks in advance.

-topher

