Re: [pfSense Support] Can't connect to subaru.com on port 80
Coming late into this thread, I think I can add some salt to it :)

I have the exact same problem with one of the sites, one I actually worked for two years ago, so I know about the setup there. At home I have PPPoE to the ISP and pfSense 1.2.1; the problematic site has (probably still) pfSense 0.9.6 and 100 Mbit Ethernet to the same ISP.

I could access their web server for as long as it was running Apache. After the switch to nginx, I could no longer access the web, with the exact same symptoms as described in this thread. SYN goes there, no ACK ever comes back. Lowering MTU all the way down to 500 does not help.

It seems I'm the only one who can't access the web service. Funny, SMTP works OK in the initial greeting phase; trying to send a mail times out.

Does that give some additional insight?

--
Jure Pečar
http://jure.pecar.org
[pfSense Support] Too Many CARP VIP cause auto failover?
Dear all,

I have found pfSense a very nice open-source firewall since half a year ago. After intensive digging on Google and testing, I decided to migrate the firewall to pfSense. And it always looks good; failovers are always smooth and without service interruption.

However, a problem has arisen since a month ago: I found that the firewall will automatically fail over to the standby pfSense... This won't cause any interruption to the service, so I may notice it after the daily check... It always fails over at the busiest time, when the bandwidth usage suddenly surges for 2xMB in a minute.

I used to switch on ntop for monitoring the server usage and it ate up almost half of the CPU usage, so I decided to turn it off, but no luck.

Here are the details of my firewall configuration.

Hardware: PE 1950 with 4GB of RAM
pfSense version: 1.2 RELEASE
Bandwidth usage: 20 Mbit/s at non-business hours, will surge to 60 Mbit/s during business hours
CPU usage: under 10% with ntop switched off
CARP VIP: over 150

I have searched through the forum and mailing list and I think it is relatively small scale. And I suspect the problem is caused by the CARP??, coz I only had about 100 VIPs half a year ago.

What is the mechanism of pfSense for monitoring the link status?

Thanks all for reading, and I hope I may be able to find some help to find the cause of this problem.

Regards,
Frankie
Re: [pfSense Support] Too Many CARP VIP cause auto failover?
Thanks Paul,

Yes, I do have a dedicated sync interface. Both the WAN and LAN interfaces are connected to a Cisco 3750 switch. I also have port mirroring on the WAN link for my IDS.

I may check out the speed/duplex config on the switch to see.

Frankie

On Tue, Oct 7, 2008 at 8:37 PM, Paul Mansfield [EMAIL PROTECTED] wrote:
> do you have a dedicated sync interface?
>
> what kind of switch are you connected into - I've seen problems a bit like this when the pfsense NICs were set to auto speed/duplex but the ISP has them fixed
Re: [pfSense Support] Too Many CARP VIP cause auto failover?
General question to developers: which are usually the problems which make pfSense fail over to another unit?

Can an intense CRC problem cause a failover, or can only a link down state make this happen?

Tonino

frankie wong wrote:
> Dear all,
>
> I have found pfSense a very nice open-source firewall since half a year ago. After intensive digging on Google and testing, I decided to migrate the firewall to pfSense. And it always looks good; failovers are always smooth and without service interruption.
>
> However, a problem has arisen since a month ago: I found that the firewall will automatically fail over to the standby pfSense... This won't cause any interruption to the service, so I may notice it after the daily check... It always fails over at the busiest time, when the bandwidth usage suddenly surges for 2xMB in a minute.
>
> I used to switch on ntop for monitoring the server usage and it ate up almost half of the CPU usage, so I decided to turn it off, but no luck.
>
> Here are the details of my firewall configuration.
>
> Hardware: PE 1950 with 4GB of RAM
> pfSense version: 1.2 RELEASE
> Bandwidth usage: 20 Mbit/s at non-business hours, will surge to 60 Mbit/s during business hours
> CPU usage: under 10% with ntop switched off
> CARP VIP: over 150
>
> I have searched through the forum and mailing list and I think it is relatively small scale. And I suspect the problem is caused by the CARP??, coz I only had about 100 VIPs half a year ago.
>
> What is the mechanism of pfSense for monitoring the link status?
>
> Thanks all for reading, and I hope I may be able to find some help to find the cause of this problem.
>
> Regards,
> Frankie

--
[EMAIL PROTECTED]
Interazioni di Antonio Nati
http://www.interazioni.it
[EMAIL PROTECTED]
Re: [pfSense Support] Too Many CARP VIP cause auto failover?
Sure, I am very careful with the VHID. It had caused me a lot of trouble because of the duplicated VHID.

Also I had a weird experience with the CARP names. I have a lot of CARP names which will be duplicated when there are more than 56 CARP VIPs. Let's say:

carp56 192.168.10.56
carp0 192.168.10.57
carp58 192.168.10.58

The VHIDs are normal; maybe it is an error in the web console?

On Tue, Oct 7, 2008 at 9:14 PM, Paul Mansfield [EMAIL PROTECTED] wrote:
> frankie wong wrote:
>> Thanks Paul,
>>
>> Yes, I do have a dedicated sync interface. Both the WAN and LAN interfaces are connected to a Cisco 3750 switch. I also have port mirroring on the WAN link for my IDS.
>>
>> I may check out the speed/duplex config on the switch to see.
>
> we don't have as many carp interfaces as you, but we do have about 30 on one cluster with no ill effects. we've been very careful to keep carp VHIDs unique across our system.
RE: [pfSense Support] snort and ntop
1.2 or 1.2.1 full install both run snort and/or ntop. Embedded image does not support packages. Also, if the package is marked as broken, then it will not be listed in the package list as available for install (I believe snort was still marked as broken, haven't checked in a while).

From: [EMAIL PROTECTED]
To: support@pfsense.com
Date: Mon, 6 Oct 2008 19:40:18 -0400
Subject: Re: [pfSense Support] snort and ntop

> hmmm, the 1.2.1 I am running does not. Perhaps I need a snapshot...
>
> Glenn
>
> On Oct 6, 2008, at 10:09 AM, Curtis LaMasters wrote:
>> If I'm not mistaken, 1.2.1 will allow this.
>>
>> Curtis LaMasters
>> http://www.curtis-lamasters.com
>> http://www.builtnetworks.com
>>
>> On Sun, Oct 5, 2008 at 11:08 AM, Glenn Kelley [EMAIL PROTECTED] wrote:
>>> Greetings:
>>>
>>> I am looking for a version of pfSense that will allow us to run both snort and ntop.
>>>
>>> Glenn
Re: [pfSense Support] Too Many CARP VIP cause auto failover?
do you have a dedicated sync interface?

what kind of switch are you connected into - I've seen problems a bit like this when the pfsense NICs were set to auto speed/duplex but the ISP has them fixed
Re: [pfSense Support] Too Many CARP VIP cause auto failover?
frankie wong wrote:
> Thanks Paul,
>
> Yes, I do have a dedicated sync interface. Both the WAN and LAN interfaces are connected to a Cisco 3750 switch. I also have port mirroring on the WAN link for my IDS.
>
> I may check out the speed/duplex config on the switch to see.

we don't have as many carp interfaces as you, but we do have about 30 on one cluster with no ill effects. we've been very careful to keep carp VHIDs unique across our system.
Re: [pfSense Support] snort and ntop
ok

Strange - Mine shows snort (running) but not ntop ... go figure :-)

glenn

On Oct 7, 2008, at 7:16 AM, Sean Cavanaugh wrote:
> 1.2 or 1.2.1 full install both run snort and/or ntop. Embedded image does not support packages. Also, if the package is marked as broken, then it will not be listed in the package list as available for install (I believe snort was still marked as broken, haven't checked in a while).
>
> From: [EMAIL PROTECTED]
> To: support@pfsense.com
> Date: Mon, 6 Oct 2008 19:40:18 -0400
> Subject: Re: [pfSense Support] snort and ntop
>
>> hmmm, the 1.2.1 I am running does not. Perhaps I need a snapshot...
>>
>> Glenn
>>
>> On Oct 6, 2008, at 10:09 AM, Curtis LaMasters wrote:
>>> If I'm not mistaken, 1.2.1 will allow this.
>>>
>>> Curtis LaMasters
>>> http://www.curtis-lamasters.com
>>> http://www.builtnetworks.com
>>>
>>> On Sun, Oct 5, 2008 at 11:08 AM, Glenn Kelley [EMAIL PROTECTED] wrote:
>>>> Greetings:
>>>>
>>>> I am looking for a version of pfSense that will allow us to run both snort and ntop.
>>>>
>>>> Glenn
[pfSense Support] Very urgent - DHCP server failure
Hi,

I'm using pfSense 1.2, and suddenly DHCP seems to have stopped working. In the system log, I see the following:

Oct 7 22:23:34 dhcpd: Internet Systems Consortium DHCP Server V3.0.5
Oct 7 22:23:34 dhcpd: Copyright 2004-2006 Internet Systems Consortium.
Oct 7 22:23:34 dhcpd: All rights reserved.
Oct 7 22:23:34 dhcpd: For info, please visit http://www.isc.org/sw/dhcp/
Oct 7 22:23:34 dhcpd: failover peer declaration with no referring pools.
Oct 7 22:23:34 dhcpd: In order to use failover, you MUST refer to your main failover declaration
Oct 7 22:23:34 dhcpd: in each pool declaration. You MUST NOT use range declarations outside
Oct 7 22:23:34 dhcpd: of pool declarations.

Any idea?
Re: [pfSense Support] Very urgent - DHCP server failure
That's a pretty helpful log message. Looks like you declared a failover peer incorrectly. Please review your configuration with that in mind.

Matias Surdi wrote:
> Hi,
>
> I'm using pfSense 1.2, and suddenly DHCP seems to have stopped working. In the system log, I see the following:
>
> Oct 7 22:23:34 dhcpd: Internet Systems Consortium DHCP Server V3.0.5
> Oct 7 22:23:34 dhcpd: Copyright 2004-2006 Internet Systems Consortium.
> Oct 7 22:23:34 dhcpd: All rights reserved.
> Oct 7 22:23:34 dhcpd: For info, please visit http://www.isc.org/sw/dhcp/
> Oct 7 22:23:34 dhcpd: failover peer declaration with no referring pools.
> Oct 7 22:23:34 dhcpd: In order to use failover, you MUST refer to your main failover declaration
> Oct 7 22:23:34 dhcpd: in each pool declaration. You MUST NOT use range declarations outside
> Oct 7 22:23:34 dhcpd: of pool declarations.
>
> Any idea?
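For readers of this thread, an added illustration (not part of either message and not taken from the poster's system) of the dhcpd.conf layout the log message asks for. The peer name, addresses and timer values are constructed placeholders.

```conf
# Constructed example: peer name, addresses and timers are placeholders.
failover peer "dhcp0" {
  primary;                      # the other unit declares "secondary;"
  address 192.168.1.2;          # this unit
  port 519;
  peer address 192.168.1.3;     # the other unit
  peer port 520;
  max-response-delay 10;
  max-unacked-updates 10;
  mclt 600;                     # set on the primary only
  split 128;                    # set on the primary only
  load balance max seconds 3;
}

# Rejected form: a failover peer is declared above, but the range sits
# directly in the subnet and no pool refers to the peer. This is the
# situation the quoted log lines describe.
#
# subnet 192.168.1.0 netmask 255.255.255.0 {
#   range 192.168.1.100 192.168.1.199;
# }

# Accepted form: the range lives inside a pool, and the pool names the peer.
subnet 192.168.1.0 netmask 255.255.255.0 {
  option routers 192.168.1.1;
  pool {
    failover peer "dhcp0";
    deny dynamic bootp clients; # required in pools that use failover
    range 192.168.1.100 192.168.1.199;
  }
}
```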
Re: [pfSense Support] Too Many CARP VIP cause auto failover?
On Tue, Oct 7, 2008 at 9:24 AM, Tonix (Antonio Nati) [EMAIL PROTECTED] wrote:
> General question to developers: which are usually the problems which make pfSense fail over to another unit?

The most common cause of failing over when it shouldn't is switches that hose or block multicast.

> Can an intense CRC problem cause a failover, or can only a link down state make this happen?

Yes, anything that causes packet loss can make the backup switch to master.