[pfSense Support] PF and UT not working
Hi, I have installed Untangle and PF together in the network. The flow looks like below:

users - crosscable - eth0 (untangle, bridge mode) - eth1 - (crosscable) - eth1 --- PF --- eth0 -- Internet

The above setup works fine, without any issue, but when I enable captive portal I am not able to access the login page. In the browser of the PC I type google.com; it keeps searching and I don't get any results. But when I disable captive portal, I am able to browse google.com. What is wrong? Can someone suggest me where to test, and what is the way to make it work with the above config?

ram
[pfSense Support] Manual Outbound NAT Question
QUESTION: I've always assumed that Manual Outbound NAT rules are applied in the top-to-bottom order they are listed via Firewall - NAT - Outbound but, given some of the strange routing behaviors I get when I turn off some of the WANs, I'm wondering whether that's a valid assumption ... is it/are they? Specifically, is the following configuration OK ... it seems to work but I'm a little leery of the overlapping NAT rules (may be related to my "Loss of webConfigurator access when disabling WANs" posting.)

OBJECTIVE: The goal is to support multiple domains via a single multi-WAN pfSense box and a single web/mail/etc. server, and have the server reside on the LAN and behind the firewall, since it also performs other duties.

CONFIGURATION INFO:
- pfSense 1.2 config with 5 WANs: see screenshots at http://www.derman.com/Misc/router/pfSense.html
- 5 static IPs from DSL assigned via DHCP via 1 device (WANs - switch - DSL modem) where each static IP corresponds to a separate domain
- 2 of the static IPs are on 1 subnet and 3 are on a different subnet ... this means that the WANs use only 2 next-hop routers at the ISP for all 5 WANs so ... "suppress ARP messages when interfaces share the same physical network" is checked
- IPs 172.16.10.4-5-6-7-22 are all on 1 server/1 NIC (1 IP + 4 alias IPs) and the web server's vhost config is based upon the 172.16.10.4-5-6-7 IPs

--
Bryan Derman
Derman Enterprises Incorporated
http://www.derman.com/

- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
[pfSense Support] Loss of webConfigurator access when disabling WANs
PROBLEM (see detailed CONFIGURATION INFO near bottom of posting): Disabling interfaces on pfSense can cause permanent loss of the ability to connect to the webConfigurator. Here's what's happening:

- I have a second/testing pfSense box configured almost identically to the production one (only 6 ports instead of 7 and only the 4-port Sun card is the same brand of NIC). When I try to clone the production configuration onto the test system, I do the following (detailed CONFIGURATION INFO near bottom of posting):
  - edit the port names for the 2 interfaces/NICs that are different (e.g., sk0 - dc0, etc.) and remove the blocks related to the 6th/opt5 WAN port (i.e., <opt5>...</opt5>, <rule>...<interface>opt5</interface>...</rule>, etc.)
  - boot the test box and load the cloned/edited production config ... note that only the LAN and WAN have cables attached
- With WANs 2 through 4 down (no cables attached), I am unable to connect to pfSense's webConfigurator (even after restarting the webConfigurator or rebooting pfSense).
- Though I can't access the webConfigurator, I can still log in via ssh; it seems like there's some kind of routing issue ... here's what I see:

* ifconfig shows (dc0 is LAN):

dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=8<VLAN_MTU>
        inet 172.16.10.1 netmask 0xff00 broadcast 172.16.10.255
        inet6 ...
        ether 00:00:94:ec:59:eb
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
hme0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=b<RXCSUM,TXCSUM,VLAN_MTU>
        inet 24.207.77.100 netmask 0xfc00 broadcast 24.207.79.255
        inet6 ...
        ether 00:03:93:98:d6:d6
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active

* netstat -r shows (verrry slooowly ... like there's some kind of network timeout for each entry):

Internet:
Destination        Gateway            Flags    Refs    Use  Netif Expire
0                  link#6             UC          0      0    de0
default            24.207.76.1        UGS         0    146   hme0
24.207.76/22       link#2             UC          0      0   hme0
24.207.76.1        00:ef:90:27:9f:7d  UHLW        2     50   hme0   1191
24.207.77.100      localhost          UGHS        0      0    lo0
localhost          localhost          UH          1      0    lo0
172.16.10/24       link#1             UC          0      0    dc0
gateway            00:00:94:ec:59:eb  UHLW        2      0    lo0
172.16.10.5        link#1             UHLW        1      9    dc0
172.16.10.98       00:17:e2:c3:5a:06  UHLW        1      0    dc0    454
172.16.10.104      00:17:e2:c3:5a:06  UHLW        1      0    dc0    447
172.16.10.105      00:17:e2:c3:5a:06  UHLW        1      0    dc0    440
172.16.10.106      00:17:e2:c3:5a:06  UHLW        1      0    dc0    433
172.16.10.107      00:17:e2:c3:5a:06  UHLW        1      0    dc0    426
172.16.10.109      00:17:e2:c3:5a:06  UHLW        1      0    dc0    419
172.16.10.220      link#1             UHLW        1     78    dc0
172.16.10.233      00:17:ee:c3:5a:06  UHLW        1    272    dc0    406

Note that neither 172.16.10.5 nor 172.16.10.220 is the IP address of any device on the test network, so I have no idea where these came from. 172.16.10.233 is the IP of the laptop being used for testing and it has the 172.16.10.98/104/105/106/107/109 IP aliases. There is only a single/direct cable between a laptop and the LAN/dc0 interface and a single/direct cable between the WAN interface and a cable modem, so there were no other systems on the network.

It's also interesting that the non-connected hme1-3 interfaces each show an ifconfig status of "no carrier" but the non-connected de0 interface shows an ifconfig status of "active" and gets an IP of 0.0.0.0 (and appears in the routing table, unlike the hme1-3 interfaces).

Here are some other things I see while pfSense is in this mode:

From pfSense's shell:
--- any ping to a FQDN gets "ping: cannot resolve the-name: Host name lookup failure" ... makes sense 'cause DNS is set incorrectly for the test network
--- ping to an Internet/WAN-accessible IP works

From the laptop on the LAN:
--- ping to 172.16.10.1 (pfSense's LAN) works
--- ssh connection to 172.16.10.1 (pfSense's LAN) works
--- attempts to HTTP to 172.16.10.1 (pfSense's LAN) don't work:
    Safari can't open the page http://172.16.10.1/. The error was: Operation could not be completed. (kCFErrorDomainCFNetwork error 302.)
    curl: (52) Empty reply from server

What's strange is that pftop shows, for each attempted HTTP connection, an entry like:

tcp  Out  172.16.10.1:55385  172.16.10.5:80  SYN_SENT:CLOSED
tcp  Out  172.16.10.1:14473  172.16.10.5:80  SYN_SENT:CLOSED

My interpretation is that pfSense is trying to route its own incoming 172.16.10.1/LAN traffic out to 172.16.10.5 ... which isn't even on the network. Why it'd be trying to do this, I can't figure out. In
Re: [pfSense Support] alix (any verison) on a CF harddisk - full version ?
It's funny you should mention this, as I am in the middle of doing exactly the same thing with an ALIX board from http://www.yawarra.com.au/hw-alix2.php

I installed the 2GB CF card in a card reader on my PC and booted off the CD and installed pfSense onto the card. I then inserted the card in my very bright new ALIX appliance and everything appeared to go quite well, but half way through the boot-up it stopped and asked where my root partition was. It appears that /etc/fstab had different device names for my partitions. Instead of /dev/ad0s1a for / I had /dev/da0s1a. A quick edit of fstab and another reboot and everything started perfectly.

The end result is I can confirm that the full version does happily run on a CF card and ALIX board.

Regards,
Digger.

Chris Buechler wrote:
> On Wed, Jul 23, 2008 at 4:23 PM, Michel Servaes [EMAIL PROTECTED] wrote:
>> I want to buy an Alix (or Wrap), and plug in a CF Harddisk. Would it be possible to push a full version (instead of the embedded ?).
> Yep. You have to use grub (check the box on the boot loader screen) to boot full installs on ALIX boards but they do work.
[pfSense Support] pfSense on Wrap - Issues
Hi,

For some time now I have been running monowall on a Wrap board on CF without issues; however, I came across some rather lovely features of pfSense I would love to have, mainly:

* Support for my Wireless mini-pci card - Wiston
* Rule Schedules
* RRD Graphs

and more. However, after installing pfSense (1.2 STABLE) and getting it all set up with my /29 range etc., I ran into a couple of small snags.

1. I have a server called 'Max'. When adding this to the aliases (as I have previously done under mono) I would get an error on the reload of the config :( It would appear I am unable to add this host name as an alias. I presume max is a reserved word? The only workaround I can do is not to have an alias for this host and enter the IP address for now, which I can live with (just wanted to point out in case this was a bug or error).

2. Outbound NAT - As I have 3 mail servers here, I wanted each server to go out on its own IP address rather than the default interface address; simple enough (and currently working under mono). However, as much as I try, all IPs are presented as my firewall IP :( I have the relevant entries in Virtual IPs (Proxy ARP) and set the required rules for Outbound NAT, but they seem to get ignored. As I said, I do have this working fine at the mo under mono, so I think it's correct how I have it set up :(

Sorry to compare against mono, but I understand pfSense was forked from monowall, and to show that I have set up (many times) a lot of these firewalls. But I may be overlooking something here.

Any help or clarification would be appreciated. Thanks in advance.

Matt
Re: [pfSense Support] alix (any verison) on a CF harddisk - full version ?
On Thu, Jul 24, 2008 at 09:31:29PM +1000, digger wrote:
> The end result is I can confirm that the full version does happily run on a CF card and ALIX board.

If this is a consumer flash device mounted r/w, the probability of failure will go up considerably after half a year or so. Unfortunately, there's no CF card with wear-levelling hardware as far as I know. This is very different from real SSDs, which by now have surpassed hard drives in MTBF.

--
Eugen* Leitl leitl http://leitl.org
__
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
Re: [pfSense Support] alix (any verison) on a CF harddisk - full version ?
On Thursday, 24.07.2008, 13:53 +0200, Eugen Leitl wrote:
> If this is a consumer flash device mounted r/w, the probability of failure will go up considerably after half a year or so. Unfortunately, there's no CF card with wear-levelling hardware as far as I know. This is very different from real SSDs, which by now have surpassed hard drives in MTBF.

That's true; in 4 to 6 months the flash will crash when r/w mounted. Read-only, I have 30 WRAPs without any problem.

greets
Heribert Tockner
Re: [pfSense Support] PF and UT not working
It sounds like google.com is not resolving when you have captive portal enabled. Make sure you have the DNS servers that are assigned to your users in the list of allowed outbound IPs in captive portal.

Tim Nelson
Systems/Network Support
Rockbochs Inc.
(218)727-4332 x105

- Original Message -
From: ram [EMAIL PROTECTED]
To: support@pfsense.com
Sent: Thursday, July 24, 2008 4:19:04 AM GMT -06:00 Guadalajara / Mexico City / Monterrey
Subject: [pfSense Support] PF and UT not working

> Hi, I have installed Untangle and PF together in the network. The flow looks like below:
> users - crosscable - eth0 (untangle, bridge mode) - eth1 - (crosscable) - eth1 --- PF --- eth0 -- Internet
> The above setup works fine, without any issue, but when I enable captive portal I am not able to access the login page. In the browser of the PC I type google.com; it keeps searching and I don't get any results. But when I disable captive portal, I am able to browse google.com. What is wrong? Can someone suggest me where to test, and what is the way to make it work with the above config?
> ram
Re: [pfSense Support] alix (any verison) on a CF harddisk - full version ?
Heribert Tockner [EMAIL PROTECTED] wrote:
> On Thursday, 24.07.2008, 13:53 +0200, Eugen Leitl wrote:
>> If this is a consumer flash device mounted r/w, the probability of failure will go up considerably after half a year or so. Unfortunately, there's no CF card with wear-levelling hardware as far as I know. This is very different from real SSDs, which by now have surpassed hard drives in MTBF.
> That's true; in 4 to 6 months the flash will crash when r/w mounted. Read-only, I have 30 WRAPs without any problem.

With a CF of a bad brand (very cheap) mounted RO, it crashes in about 3 years; mounted R/W, in about 4/6 months...

Regards.

--
Linux is for people who hate Windows, BSD is for people who love UNIX
Social Engineer - Because there is no patch for human stupidity
[pfSense Support] How to limit numbers of sessions per IP?
Hi guys!

Just wondering how to limit the sessions for each IP on pfSense 1.2? We have so much P2P traffic which we are not able to completely block.

Many thanks!

Regards,
Aldo Chiu
Re: [pfSense Support] How to limit numbers of sessions per IP?
On Thu, Jul 24, 2008 at 10:33 AM, Aldo Chiu [EMAIL PROTECTED] wrote:
> Hi guys! Just wondering how to limit the sessions for each IP on pfSense 1.2? We have so much P2P traffic which we are not able to completely block.

Look under Advanced on each firewall rule.
Re: [pfSense Support] alix (any verison) on a CF harddisk - full version ?
On Thu, Jul 24, 2008 at 7:53 AM, Eugen Leitl [EMAIL PROTECTED] wrote:
> On Thu, Jul 24, 2008 at 09:31:29PM +1000, digger wrote:
>> The end result is I can confirm that the full version does happily run on a CF card and ALIX board.
> If this is a consumer flash device mounted r/w, the probability of failure will go up considerably after half a year or so.

This is technically correct, but we have several developers who run full installs on run-of-the-mill CF cards and have yet to kill a single one. I know there are a number of end users running full installs on CF and I haven't heard of any of them killing a CF either. Theoretically the card should die in less than a year, but I know of installs running much longer than that with no problems. Just be aware that this is a possibility.
Re: [pfSense Support] alix (any verison) on a CF harddisk - full version ?
re:
> I know there are a number of end users running full installs on CF and I haven't heard of any of them killing a CF either. Theoretically the card should die in less than a year

To me the card is not so likely to die wholesale as it is to have sectors die here and there. These deaths may be much less obvious, especially with most of the OS running in RAM. How much handling of disk errors does FreeBSD cope with? It seems to me it may be prudent to have some sort of automated CF scan done, checking its memory spaces. Should we CF users add a cron job for something to proactively pick up errors?

Kind regards
David Hingston

- Original Message -
From: Chris Buechler [EMAIL PROTECTED]
To: support@pfsense.com
Sent: Friday, July 25, 2008 4:05 AM
Subject: Re: [pfSense Support] alix (any verison) on a CF harddisk - full version ?

> On Thu, Jul 24, 2008 at 7:53 AM, Eugen Leitl [EMAIL PROTECTED] wrote:
>> On Thu, Jul 24, 2008 at 09:31:29PM +1000, digger wrote:
>>> The end result is I can confirm that the full version does happily run on a CF card and ALIX board.
>> If this is a consumer flash device mounted r/w, the probability of failure will go up considerably after half a year or so.
> This is technically correct, but we have several developers who run full installs on run-of-the-mill CF cards and have yet to kill a single one. ... but I know of installs running much longer than that with no problems. Just be aware that this is a possibility.
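One way to do the proactive check David asks about, as an added example (this is not code from anyone on the list or from the pfSense project): a cron-able script that performs a read-only surface scan of the whole CF device (reading adds no wear, unlike a write test) and counts FreeBSD ata(4)-style failure lines in dmesg output. The device path /dev/ad0 is a placeholder; scan the whole device rather than a slice such as the /dev/ad0s1a mentioned earlier in the thread, so that every sector is read. The dmesg sample lines are constructed for the demonstration.

```python
#!/usr/bin/env python3
# Added example, not from the list thread or from pfSense: read-only CF surface scan
# plus a count of kernel disk-error messages, intended to be run weekly from cron.
import os
import re
import subprocess
import sys
import tempfile

# Patterns FreeBSD's ata(4) driver uses when a read/write fails, e.g.
#   ad0: FAILURE - READ_DMA status=51<READY,DSC,ERROR> error=40<UNCORRECTABLE> LBA=331800
DISK_ERROR_RE = re.compile(r"\b(FAILURE|TIMEOUT|UNCORRECTABLE|hard error)\b", re.IGNORECASE)

# Constructed sample of dmesg output (two error lines, two harmless lines).
SAMPLE_DMESG = [
    "ad0: 1953MB <SanDisk SDCFB-2048 HDX 4.04> at ata0-master PIO4",
    "ad0: FAILURE - READ_DMA status=51<READY,DSC,ERROR> error=40<UNCORRECTABLE> LBA=331800",
    "ad0: TIMEOUT - READ_DMA retrying (1 retry left) LBA=331808",
    "dc0: link state changed to UP",
]


def scan_device(path, block_size=1 << 20):
    """Read `path` sequentially from start to end, discarding the data.

    Returns (bytes_read, error_offset). error_offset is None when every block
    was readable, otherwise the byte offset at which the first I/O error hit.
    Only reads are issued, so the scan itself causes no flash wear.
    """
    fd = os.open(path, os.O_RDONLY)
    offset = 0
    try:
        while True:
            try:
                chunk = os.read(fd, block_size)
            except OSError:            # EIO from a bad sector, typically
                return offset, offset
            if not chunk:              # end of device
                return offset, None
            offset += len(chunk)
    finally:
        os.close(fd)


def count_disk_errors(dmesg_lines):
    """Count kernel log lines that look like disk read/write failures."""
    return sum(1 for line in dmesg_lines if DISK_ERROR_RE.search(line))


def scan_sample_file(size):
    """Dry run: scan a constructed temporary file of `size` bytes instead of a device."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"\0" * size)
        name = f.name
    try:
        return scan_device(name, block_size=64 * 1024)
    finally:
        os.unlink(name)


def main(argv):
    dev = argv[1] if len(argv) > 1 else "/dev/ad0"   # placeholder default device
    read, err = scan_device(dev)
    if err is None:
        print(f"{dev}: read {read} bytes, no read errors")
    else:
        print(f"{dev}: READ ERROR at byte offset {err} after {read} bytes", file=sys.stderr)
    dmesg = subprocess.run(["dmesg"], capture_output=True, text=True, check=False).stdout
    n = count_disk_errors(dmesg.splitlines())
    print(f"{dev}: {n} disk error line(s) in dmesg")
    return 0 if err is None and n == 0 else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `cfscan.py /dev/ad0` from a weekly cron entry and alert on a non-zero exit status; the scan reads the full card, so schedule it at a quiet time on a large card.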
Re: [pfSense Support] pfSense on Wrap - Issues
On Thu, Jul 24, 2008 at 8:06 AM, Matt Brown [EMAIL PROTECTED] wrote:
> Hi, For some time now I have been running monowall on a Wrap board on CF without issues; however, I came across some rather lovely features of pfSense I would love to have, mainly:
> * Support for my Wireless mini-pci card - Wiston
> * Rule Schedules
> * RRD Graphs
> and more. However, after installing pfSense (1.2 STABLE) and getting it all set up with my /29 range etc., I ran into a couple of small snags.
>
> 1. I have a server called 'Max'. When adding this to the aliases (as I have previously done under mono) I would get an error on the reload of the config :( It would appear I am unable to add this host name as an alias. I presume max is a reserved word? The only workaround I can do is not to have an alias for this host and enter the IP address for now, which I can live with (just wanted to point out in case this was a bug or error).

There are certain keywords that can't be used in an alias; looks like our input validation missed one. Ticket opened, thanks for the report.

> 2. Outbound NAT - As I have 3 mail servers here, I wanted each server to go out on its own IP address rather than the default interface address; simple enough (and currently working under mono). However, as much as I try, all IPs are presented as my firewall IP :( I have the relevant entries in Virtual IPs (Proxy ARP) and set the required rules for Outbound NAT, but they seem to get ignored. As I said, I do have this working fine at the mo under mono, so I think it's correct how I have it set up :(

It's the same to configure as in m0n0, and it works fine. How do you have it set up?
Re: [pfSense Support] pfSense on Wrap - Issues
Hi Chris,

>> 1. I have a server called 'Max'. When adding this to the aliases (as I have previously done under mono) I would get an error on the reload of the config :( It would appear I am unable to add this host name as an alias. I presume max is a reserved word? The only workaround I can do is not to have an alias for this host and enter the IP address for now, which I can live with (just wanted to point out in case this was a bug or error).
> There are certain keywords that can't be used in an alias; looks like our input validation missed one. Ticket opened, thanks for the report.

No worries, glad it helped :)

>> I have the relevant entries in Virtual IPs (Proxy ARP) and set the required rules for Outbound NAT, but they seem to get ignored. As I said, I do have this working fine at the mo under mono, so I think it's correct how I have it set up :(
> It's the same to configure as in m0n0, and it works fine. How do you have it set up?

Ok... well under m0n0 I have the following:

.190 is the firewall WAN IP

Under Proxy ARP I have .186 .187 .188 .189

So I created these under the Virtual IP section in the interface and selected ARP as the option? (Working from memory here, please bear with me.)

In m0n0, under NAT - OUTBOUND NAT I have the following entries:

INTERFACE  SOURCE              DESTINATION  TARGET     DESC
WAN        192.168.102.3/32    *            x.x.x.186  Orion - .186
WAN        192.168.102.10/32   *            x.x.x.187  Pegasus - .187
WAN        192.168.102.2/32    *            x.x.x.188  Max - .188
WAN        192.168.102.14/32   *            x.x.x.189  Lyra - .189

So if I SSH into any of these boxes and launch

$ lynx http://www.whatismyip.com

each box reports the correct WAN IP I require... so it appears to be fine.

However under pfSense, all the boxes report (using the same method above) .190, which is the firewall WAN IP.

Enable advanced outbound NAT - Ticked

Thanks for your help with this...

Regards
Matt
Re: [pfSense Support] pfSense on Wrap - Issues
On Thu, Jul 24, 2008 at 5:06 PM, Matt Brown [EMAIL PROTECTED] wrote:
<snip>
> In m0n0, under NAT - OUTBOUND NAT I have the following entries:
>
> INTERFACE  SOURCE              DESTINATION  TARGET     DESC
> WAN        192.168.102.3/32    *            x.x.x.186  Orion - .186
> WAN        192.168.102.10/32   *            x.x.x.187  Pegasus - .187
> WAN        192.168.102.2/32    *            x.x.x.188  Max - .188
> WAN        192.168.102.14/32   *            x.x.x.189  Lyra - .189
>
> So if I SSH into any of these boxes and launch $ lynx http://www.whatismyip.com each box reports the correct WAN IP I require... so it appears to be fine.
>
> However under pfSense, all the boxes report (using the same method above) .190, which is the firewall WAN IP.
>
> Enable advanced outbound NAT - Ticked

Config looks fine. Do you have any packages installed?
Re: [pfSense Support] pfSense on Wrap - Issues
>> In m0n0, under NAT - OUTBOUND NAT I have the following entries:
>>
>> INTERFACE  SOURCE              DESTINATION  TARGET     DESC
>> WAN        192.168.102.3/32    *            x.x.x.186  Orion - .186
>> WAN        192.168.102.10/32   *            x.x.x.187  Pegasus - .187
>> WAN        192.168.102.2/32    *            x.x.x.188  Max - .188
>> WAN        192.168.102.14/32   *            x.x.x.189  Lyra - .189
>>
>> So if I SSH into any of these boxes and launch $ lynx http://www.whatismyip.com each box reports the correct WAN IP I require... so it appears to be fine.
>>
>> However under pfSense, all the boxes report (using the same method above) .190, which is the firewall WAN IP.
>>
>> Enable advanced outbound NAT - Ticked
> Config looks fine. Do you have any packages installed?

Nope, just using the Embedded version on a CF (1GB).

Matt
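Two threads in this digest turn on the same point: Bryan asks earlier whether Manual Outbound NAT rules apply in top-to-bottom order, and Matt's table above is a set of per-host outbound NAT rules. pf evaluates translation rules first-match, top to bottom (pf.conf(5)), and pfSense emits the outbound NAT list into the ruleset in the order shown, so a broad rule listed above narrower ones silently makes the narrower ones unreachable. The following is an added example, not code from pfSense or from anyone in the thread: a small first-match simulator run over Matt's table, with the redacted `x.x.x` octets filled in from the TEST-NET-3 documentation range (constructed values) and one constructed catch-all rule appended to stand in for the WAN-address rule. It also includes a lint that reports rules shadowed by an earlier superset rule, which is the check Bryan's overlapping rules would want. A shadowing catch-all is only one way to get the all-hosts-show-the-firewall-IP symptom; the example demonstrates the ordering rule, not a diagnosis of Matt's box.

```python
# Added example (not pfSense code): first-match evaluation of an outbound NAT
# table and a lint for rules that can never fire.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NatRule:
    interface: str
    source: str        # CIDR or "any"
    destination: str   # CIDR or "any"
    target: str        # address the source is translated to
    description: str = ""

    def matches(self, interface, src, dst):
        return (self.interface == interface
                and _contains(self.source, src)
                and _contains(self.destination, dst))


def _contains(cidr, addr):
    return cidr == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


def _superset(outer, inner):
    """True if every address in `inner` is also in `outer`."""
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ipaddress.ip_network(inner, strict=False).subnet_of(ipaddress.ip_network(outer, strict=False))


def translate(rules, interface, src, dst):
    """Return the target chosen by the first matching rule, or None (no translation).
    This mirrors pf: translation rules are tried in order and the first match wins."""
    for rule in rules:
        if rule.matches(interface, src, dst):
            return rule.target
    return None


def shadowed_rules(rules):
    """Indexes of rules that can never match because an earlier rule on the same
    interface covers a superset of their source and destination."""
    dead = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.interface == later.interface
                    and _superset(earlier.source, later.source)
                    and _superset(earlier.destination, later.destination)):
                dead.append(i)
                break
    return dead


# Matt's table; 203.0.113.x are constructed stand-ins for the redacted x.x.x octets,
# and the final /24 rule is a constructed catch-all to the firewall WAN address (.190).
MATT_RULES = [
    NatRule("WAN", "192.168.102.3/32",  "any", "203.0.113.186", "Orion - .186"),
    NatRule("WAN", "192.168.102.10/32", "any", "203.0.113.187", "Pegasus - .187"),
    NatRule("WAN", "192.168.102.2/32",  "any", "203.0.113.188", "Max - .188"),
    NatRule("WAN", "192.168.102.14/32", "any", "203.0.113.189", "Lyra - .189"),
    NatRule("WAN", "192.168.102.0/24",  "any", "203.0.113.190", "everything else -> WAN address"),
]

# Same rules with the catch-all moved to the top: first-match means every LAN host
# is now translated to .190 and the four per-host rules are dead.
CATCHALL_FIRST = [MATT_RULES[-1]] + MATT_RULES[:-1]


def main():
    for name, table in (("specific rules first", MATT_RULES), ("catch-all first", CATCHALL_FIRST)):
        print(name)
        for host in ("192.168.102.3", "192.168.102.2", "192.168.102.50"):
            print(f"  {host:16} -> {translate(table, 'WAN', host, '198.51.100.1')}")
        print("  shadowed rule indexes:", shadowed_rules(table))


if __name__ == "__main__":
    main()
```

Feed `shadowed_rules` your own exported table before saving a reordering; any index it returns is a rule that the rules above it have already consumed.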