Re: [pfSense Support] Does anybody have working dual wan failover with pfsense?

2009-01-19 Thread Veiko Kukk

Bill Marquette wrote:

> Setup a load balancer entry with an active node and a failover node.

As I previously said, I don't want load balancing, I only need failover.
If wan fails then opt1 is used until wan returns. As simple as that. How
to configure pfsense to accomplish that?

Currently I'm having one failover pool (Type: Gateway; Behavior: Failover):
wan|wan gateway
opt1|opt1 gateway

> Use that entry as your gateway in your rules.

I have one firewall rule for LAN to accept all traffic from one host in
LAN and gateway is that pool.

> It's really not rocket science.

I'm still unable to get packages list in pfsense web interface, though
I'm able to ping outside world from that one LAN host.

When I ping google.ee from command line, I get:

# ping google.ee
PING google.ee (64.233.161.104): 56 data bytes
ping: sendto: No buffer space available
ping: sendto: No buffer space available
...

If the WAN connection is up, I'm able to get packages list and ping from 
command line.


--
Veiko

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org



Re: [pfSense Support] adding carp in firewall cluster

2009-01-19 Thread Veiko Kukk

Paul Mansfield wrote:

> I note that when I add a new carp interface on the master, when it gets
> replicated to slave, the carp status page on the slave has a blank field
> in the carp interface column of the table.
>
> is this a known bug?
>
> does it matter, or should I reboot slave?


I was reconfiguring my routers today and encountered that bug myself 
too. Stop carp/Start carp on slave helped to get correct status 
information on slave. What causes that bug, I have no idea...





Re: [pfSense Support] Does anybody have working dual wan failover with pfsense?

2009-01-19 Thread Veiko Kukk

Bill Marquette wrote:

> Or you're missing something, I think is the correct statement.


In my previous e-mail today I got it working without carp, when I added 3
carp interfaces (I have two identical servers because I need hardware
failover too.):
LAN - carp0
WAN - carp1
OPT1 - carp2

During failover testing I found out that:

If LAN, WAN or OPT1 was unplugged from only one server, everything
worked fine.

Now, when unplugging the WAN cable from second server too, (imitating
hardware failover with WAN failover), then WAN link is marked down
almost immediately on second router, but no wan failover occurs.

Web interface and log file are showing that WAN links on both routers
are down and OPT1 links are up. carp1 is in INIT state on both machines,
carp0 and carp2 are masters on slave router (the one whose WAN cable was
removed later). No traffic from LAN is forwarded through OPT1 :(

What might be wrong?

---
Veiko






Re: [pfSense Support] Does anybody have working dual wan failover with pfsense?

2009-01-19 Thread Chris Buechler
On Mon, Jan 19, 2009 at 4:07 AM, Veiko Kukk veiko.k...@krediidipank.ee wrote:

> If the WAN connection is up, I'm able to get packages list and ping from
> command line.


Traffic from the firewall itself, like the packages list, follows its
default route which is on WAN and will never switch automatically to
another interface. You can manually switch it if desired, though
traffic from the firewall isn't crucial (aside from DNS if you're
using the forwarder, which is why that's accommodated with static
routes) so generally it doesn't matter.




Re: [pfSense Support] Does anybody have working dual wan failover with pfsense?

2009-01-19 Thread Bill Marquette
On Mon, Jan 19, 2009 at 3:07 AM, Veiko Kukk veiko.k...@krediidipank.ee wrote:
> Bill Marquette wrote:
>
>> Setup a load balancer entry with an active node and a failover node.
>
> As I previously said, I don't want load balancing, I only need failover.

duh, what do you think this provides? Rhetorical question, obviously
you think a load balancer pool of ONE entry and a failover entry
somehow magically balances multiple entries.

> If wan fails then opt1 is used until wan returns. As simple as that. How to
> configure pfsense to accomplish that?
> Currently I'm having one failover pool (Type: Gateway; Behavior: Failover):
> wan|wan gateway
> opt1|opt1 gateway

yup, that's it.

>> Use that entry as your gateway in your rules.
>
> I have one firewall rule for LAN to accept all traffic from one host in LAN
> and gateway is that pool.

good

>> It's really not rocket science.
>
> I'm still unable to get packages list in pfsense web interface, though I'm
> able to ping outside world from that one LAN host.
> When I ping google.ee from command line, I get:

And we finally get to your misunderstanding.  Failover is for traffic
routed _through_ pfsense.  During a failover situation as you've
described, pfsense itself will not have a route to the internet.

--Bill




[pfSense Support] Solved: Re: Bandwidth problems/collisions/packet loss

2009-01-19 Thread Ugo Bellavance

Paul Mansfield wrote:

> Ugo Bellavance wrote:
>
>> In fact, I tried fixing it on the PfSense (the client asked me to
>> try...), without changing the switch (on which I have no control).  But
>> if my PfSense is choosing 100basetx half, does that mean that the switch
>> is auto-sense?  Just curious.
>
> almost sounds like a switch or cable fault!


The ISP set its switch to Auto and our PFsense sync'd with it and now 
all is well!


Thanks all,

Ugo





[pfSense Support] FTP Server in Routed DMZ

2009-01-19 Thread Fuchs, Martin
Hi !

I have set up an FTP server in my DMZ with an official IP address.
From WAN -> DMZ the IPs are routed (no NAT).
I opened up port 21 from WAN -> DMZ for FTP but of course I cannot transfer any
files.
It seems to require some more ports, so I thought the FTP-helper on the
WAN-side could be helpful, but this also does not work...

Does anyone have any idea how to set this up without opening this ton of ports 
FTP requires ?

I know FTP is not the preferred way, but we need this :-(

I'd be thankful for every hint...

Active FTP is not really an option because most FTP-clients live behind NAT 
devices so there's the problem of the data-connection again...

Regards,

Martin




Re: [pfSense Support] FTP Server in Routed DMZ

2009-01-19 Thread Michael Schuh
Hi,

solution:
Open the Ports described in man 4 ip IP_PORTRANGE_HIGH
referenced by man ftp-proxy or lookup in sysctl net.inet.ip.portrange
like:
net.inet.ip.portrange.hilast: 65535
net.inet.ip.portrange.hifirst: 49152
net.inet.ip.portrange.last: 65535
net.inet.ip.portrange.first: 49152

from WAN to your FTP server and all gets fine.

regards

michael.




-- 
=== m i c h a e l - s c h u h . n e t ===
Michael Schuh
Postfach 10 21 52
66021 Saarbrücken
phone: 0681/8319664
mobil:  0177/9738644
@: m i c h a e l . s c h u h @ g m a i l . c o m

=== Ust-ID: DE251072318 ===




AW: [pfSense Support] FTP Server in Routed DMZ

2009-01-19 Thread Fuchs, Martin
Should the FTP-helper service be activated or deactivated on the WAN-Interface ?




Re: [pfSense Support] FTP Server in Routed DMZ

2009-01-19 Thread Michael Schuh
Hi,

in my possible solution NO, because you use the ftp-server w/o
Proxy. Communication goes directly to your ftp-server.
Please checkout also the portranges from your ftp-server
if it is not an OpenFTPD (used by FreeBSD/OpenBSD). It can differ
from the ports that i have described. (sorry i have forgotten to say,
that my tips are related to this ftpd).

The proxy is needed for the users in your holy internal LAN.




AW: [pfSense Support] FTP Server in Routed DMZ

2009-01-19 Thread Fuchs, Martin
No problem ;-)

That's the answer I expected...

So there is really no way to accomplish this with some kind of FTP-helper used 
in pfSense to open up just a few ports... ?
I really need the whole portrange for FTP to be opened as defined in the 
FTP-server ?

Thanks so far for your help ;-)

Regards,

martin




Re: [pfSense Support] FTP Server in Routed DMZ

2009-01-19 Thread Michael Schuh
Hmm,
hi martin,

I have made such a config, and I have realized for myself that
I have 2 options:

a) ftp-server w/ ftp-proxy on WAN. IIRC this needs special setup in the
XML config; the result is also that I can't use the ftp-proxy on the LAN
interface. I am not 100% sure, but I believe I remember that the
activation of ftp-proxy on WAN is not possible from the browser user
interface.

b) Open the ftp high-range ports from WAN to the ftp-server, and you can
use ftp-proxy for users from LAN, if you like to do so.

I have used option b) because it is no security risk if no other
services listen on such a port on the ftp-server system; the port on the
ftp-server's system is only opened if an ftp-user makes a transfer. This
behavior underlies the ftp-protocol's feature of PASV switching, in other
words active or passive ftp-transfer. This is handled by the
ftp-protocol between the server and each individual client.
With option b) you are on the secure side that every user (whether
experienced or not) can make transfers from and to the ftp-server,
regardless of transfer mode. Works all the time.

Special attention is only needed if another service listens on the ports
that you must open for the ftp-server (in almost all cases not given).

cheers

michael

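The data-channel behaviour discussed in this FTP thread, as an added example that is not part of any poster's message: it parses the server's PASV/EPSV reply to find the port the client will connect to, checks that port against a port-21-only rule set and against one that also opens 49152-65535, and lists non-FTP listeners that the wider rule exposes. The server address, the simplified rule model, the replies and the listener table are assumptions constructed for illustration.

```python
"""Added example (not from the thread): FTP data-channel reachability.

Parses the server's passive-mode reply, checks the advertised port against a
simplified WAN->DMZ rule set, and lists non-FTP listeners the rules expose.
All addresses, replies and listener data are constructed for illustration."""
import re
from dataclasses import dataclass

FTP_SERVER = "203.0.113.10"  # constructed DMZ address (documentation range)


@dataclass(frozen=True)
class Rule:
    """Simplified 'pass in on WAN, TCP, to dst port lo:hi' rule (assumed model)."""
    dst: str
    lo: int
    hi: int

    def allows(self, dst: str, port: int) -> bool:
        return dst == self.dst and self.lo <= port <= self.hi


# Rule set from the original question: control channel only.
CONTROL_ONLY = [Rule(FTP_SERVER, 21, 21)]
# Rule set from the reply: control channel plus the high port range.
WITH_HIGH_RANGE = CONTROL_ONLY + [Rule(FTP_SERVER, 49152, 65535)]

_PASV = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
_EPSV = re.compile(r"229 .*?\((.)\1\1(\d+)\1\)")


def passive_endpoint(reply: str, control_peer: str):
    """Return (ip, port) the client will connect to for the data channel."""
    m = _PASV.match(reply)
    if m:
        nums = [int(x) for x in m.groups()]
        if any(n > 255 for n in nums):
            raise ValueError(f"field out of range in {reply!r}")
        # Port is encoded as two bytes: high * 256 + low.
        return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]
    m = _EPSV.match(reply)
    if m:
        port = int(m.group(2))
        if not 0 < port < 65536:
            raise ValueError(f"port out of range in {reply!r}")
        # EPSV carries no address: the client reuses the control peer's.
        return control_peer, port
    raise ValueError(f"not a passive-mode reply: {reply!r}")


def data_channel_allowed(rules, reply: str, control_peer: str = FTP_SERVER) -> bool:
    """True if the data connection announced in `reply` passes the rules."""
    ip, port = passive_endpoint(reply, control_peer)
    return any(r.allows(ip, port) for r in rules)


def blocked_passive_ports(rules, server_lo: int, server_hi: int,
                          dst: str = FTP_SERVER) -> int:
    """How many ports of the FTP daemon's passive range the rules do not pass."""
    return sum(1 for p in range(server_lo, server_hi + 1)
               if not any(r.allows(dst, p) for r in rules))


def exposed_non_ftp(listeners, rules, ftp_daemon: str = "ftpd"):
    """Listeners reachable through the rules that are not the FTP daemon."""
    return [entry for entry in listeners
            if entry[0] != ftp_daemon
            and any(r.allows(entry[1], entry[2]) for r in rules)]


# Constructed sample data.
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (203,0,113,10,203,17)",   # 203*256+17 = 51985
    "229 Entering Extended Passive Mode (|||50021|)",
]
SAMPLE_LISTENERS = [                       # (process, address, tcp port)
    ("ftpd", FTP_SERVER, 21),
    ("sshd", FTP_SERVER, 22),
    ("rpc.statd", FTP_SERVER, 49760),      # unrelated service in the high range
]

if __name__ == "__main__":
    for name, rules in (("port 21 only", CONTROL_ONLY),
                        ("21 + 49152:65535", WITH_HIGH_RANGE)):
        print(f"== {name}")
        for reply in SAMPLE_REPLIES:
            ep = passive_endpoint(reply, FTP_SERVER)
            verdict = "pass" if data_channel_allowed(rules, reply) else "BLOCK"
            print(f"  data channel {ep[0]}:{ep[1]} -> {verdict}")
        print("  exposed non-FTP listeners:",
              exposed_non_ftp(SAMPLE_LISTENERS, rules))
    # A daemon configured for a different passive range than the firewall opens:
    print("blocked ports for server range 30000-30100:",
          blocked_passive_ports(WITH_HIGH_RANGE, 30000, 30100))
```

The last check covers the caveat raised in the thread that a different FTP daemon may use another passive range than the one opened on the firewall.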

[pfSense Support] installing pfSense via pxeboot and nfs

2009-01-19 Thread Stefan Lambrev

Greetings,

I'm trying to install pfSense embedded using only network and serial
console on soekris net5501.

I'm following the steps from this document -
http://devwiki.pfsense.org/wikka.php?wakka=NetBootSoekrisEmbedded
Unfortunately I'm unable to finish the installation because the boot
process stops at:


Trying to mount root from nfs:10.1.1.1:/usr/local/tftpboot/4801-60
vr0: link state changed to UP
NFS ROOT: 10.1.1.1:/usr/local/tftpboot/4801-60/

I also tried with the iso/livecd, but with it I cannot even see the
kernel booting (dmesg) nor the welcome menu.


Is it possible at all to install pfSense using pxeboot, tftp and nfs
over serial console?


--
Best Wishes,
Stefan Lambrev
ICQ# 24134177







Re: [pfSense Support] installing pfSense via pxeboot and nfs

2009-01-19 Thread Michael Schuh
HI,

is it possible that you have not installed the bootloader to the mbr?
I do not know if the boot0cfg is included in the pfsense distribution,
but here is a link to the man-page:
http://www.freebsd.org/cgi/man.cgi?query=boot0cfg&apropos=0&sektion=0&manpath=FreeBSD+7.1-RELEASE&format=html

good luck

michael




AW: [pfSense Support] FTP Server in Routed DMZ

2009-01-19 Thread Fuchs, Martin
Hi !

I opened up port 20 for active FTP data from the DMZ now and the upper ports 
defined in the server for passive FTP data from WAN to DMZ...

It works...

Any objections against active FTP data ?

Regards,

martin


[pfSense Support] carp question

2009-01-19 Thread Mikel Jimenez Fernandez

Hello everybody

I am working with a 2 node failover of 2 pfsense 1.2.2 and it is great!!

It works perfectly, but I ask you if it's possible to define an upscript
of carp via the web interface, or by modifying the php code.


I think this is a good feature for pfsense 2.0, and in general the
magic box of custom options, like in openvpn (1.2.2), is very good for
advanced and non-standard configurations. Here for example, I can
define tap mode openvpn, instead of tun, link-mtu...


I don't think that it is a good idea to suppress this text box anywhere that
it could be useful. I see that in pfsense 2.0 this text box in openvpn
doesn't appear.


Why?

Sorry for my English


Thanks!!





Re: [pfSense Support] FTP Server in Routed DMZ

2009-01-19 Thread Michael Schuh
:-D
> Any objections against active FTP data ?

No. Not really (I think so), ftp-protocol is ftp-protocol regardless
of the used ports.

But objections against some ftp-server software *grin*
like proftpd or some others with sporadic but serious bugs.
Every time keep an open eye on Bug-Lists and Security Certs ...

In my own experience, most servers get defaced
through a buggy ftp-server. First target for hackers,
because many ftp-servers allow anonymous ftp-login or have
weak user accounts or passwords; this in combination with a
buggy ftp-server is really dangerous.

But this is eventually off topic for this list.

2009/1/20 Fuchs, Martin martin.fu...@trendchiller.com:
 Hi !

 I opened up port 20 for active FTP data from the DMZ now and the upper ports 
 defined in the server for passive FTP data from WAN to DMZ...

 It works...

 Any objections against active FTP data ?

 Regards,

 martin

 -Original Message-
 From: Michael Schuh [mailto:michael.sc...@gmail.com]
 Sent: Tuesday, 20 January 2009 00:41
 To: support@pfsense.com
 Subject: Re: [pfSense Support] FTP Server in Routed DMZ

 Hmm,
 hi martin,

 I have made such a config, and I realized that
 I have 2 options:
 a) ftp-server w/ ftp-proxy on WAN; IIRC this needs special setup in the XML config.
 The result is also: I can't use the ftp-proxy on the lan interface.
 I am not 100% sure, but I believe I remember that the activation of
 ftp-proxy on WAN
 is not possible from the browser user interface.

 b) open ftp high-range ports from wan to ftp-server, and you can use
 ftp-proxy for users
 from lan, if you like to do so

 I have used option b) because it is no security risk if no other
 services listen on such a port
 on the ftp-server system; the port on the ftp-server's system is only opened if
 an ftp-user makes a transfer. This behavior underlies the
 ftp-protocol's features of
 PASV switching. In other words, active ftp-transfer or passive. This is
 handled by the ftp-protocol
 between server and each individual client.
 With option b) you are on the safe side that every user (whether experienced
 or not)
 can make transfers from and to the ftp-server, regardless of transfer-mode.
 Works all the time.

 Special attention is only needed if another service listens on the ports
 that you must open for the ftp-server (in almost all cases not the case).

 cheers

 michael

 2009/1/20 Fuchs, Martin martin.fu...@trendchiller.com:
 No problem ;-)

 That's the answer I expected...

 So there is really no way to accomplish this with some kind of FTP-helper 
 used in pfSense to open up just a few ports... ?
 I really need the whole portrange for FTP to be opened as defined in the 
 FTP-server ?

 Thanks so far for your help ;-)

 Regards,

 martin

 -Original Message-
 From: Michael Schuh [mailto:michael.sc...@gmail.com]
 Sent: Tuesday, 20 January 2009 00:27
 To: support@pfsense.com
 Subject: Re: [pfSense Support] FTP Server in Routed DMZ

 Hi,

 in my possible solution NO, because you use the ftp-server w/o
 Proxy. Communication goes directly to your ftp-server.
 Please checkout also the portranges from your ftp-server
 if it is not an OpenFTPD (used by FreeBSD/OpenBSD). It can differ
 from the ports that i have described. (sorry i have forgotten to say,
 that my tips are related to this ftpd).

 The proxy is needed for the users in your holy internal LAN.

 2009/1/20 Fuchs, Martin martin.fu...@trendchiller.com:
 Should the FTP-helper service be activated or deactivated on the 
 WAN-Interface ?

 -Original Message-
 From: Michael Schuh [mailto:michael.sc...@gmail.com]
 Sent: Tuesday, 20 January 2009 00:14
 To: support@pfsense.com
 Subject: Re: [pfSense Support] FTP Server in Routed DMZ

 Hi,

 solution:
 Open the Ports described in man 4 ip IP_PORTRANGE_HIGH
 referenced by man ftp-proxy or lookup in sysctl net.inet.ip.portrange
 like:
 net.inet.ip.portrange.hilast: 65535
 net.inet.ip.portrange.hifirst: 49152
 net.inet.ip.portrange.last: 65535
 net.inet.ip.portrange.first: 49152

 from WAN to your FTP server and all gets fine.

 regards

 michael.



 2009/1/20 Fuchs, Martin martin.fu...@trendchiller.com:
 Hi !

 I have set up a FTP server in my DMZ with an official IP address.
 From WAN - DMZ the IPs are routed (no NAT).
 I opened up port 21 from WAN - DMZ for FTP but of course I cannot 
 transfer any files.
 It seems to require some more ports, so I thought the FTP-helper on the 
 WAN-side could be helpful, but this also does not work...

 Does anyone have any idea how to set this up without opening this ton of 
 ports FTP requires ?

 I know FTP is not the preferred way, but we need this :-(

 I'd be thankful for every hint...

 Active FTP is not really an option because most FTP-clients live behind 
 NAT devices so there's the problem of the data-connection again...

 Regards,

 Martin
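
Why port 21 alone was not enough in the thread above: in passive mode the server's 227/229 reply on the control channel names the data port the client must reach next. This is an added example, not part of any poster's message, that parses such replies and checks them against the high port range quoted from sysctl. The address 203.0.113.10, the sample replies and the function names are constructed for illustration.

```python
import ipaddress
import re

# High port range quoted in the thread (net.inet.ip.portrange.hifirst/hilast).
ALLOWED_PORTS = range(49152, 65536)
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")


def data_endpoint(reply, control_ip):
    """Return the (ip, port) a 227/229 reply tells the client to connect to."""
    m = PASV_RE.match(reply)
    if m:
        nums = [int(x) for x in m.groups()]
        if any(n > 255 for n in nums):
            raise ValueError("field out of range: " + reply)
        return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]
    m = EPSV_RE.match(reply)
    if m and 0 < int(m.group(1)) < 65536:
        return control_ip, int(m.group(1))  # EPSV reuses the control address
    raise ValueError("not a usable 227/229 reply: " + reply)


def check_reply(reply, server_ip, allowed=ALLOWED_PORTS):
    """List reasons the data connection would be blocked or looks wrong."""
    ip, port = data_endpoint(reply, server_ip)
    problems = []
    if ipaddress.ip_address(ip) != ipaddress.ip_address(server_ip):
        problems.append(f"reply advertises {ip}, not the server {server_ip}")
    if port not in allowed:
        problems.append(f"port {port} is outside the opened range "
                        f"{allowed.start}-{allowed.stop - 1}")
    return problems


# Constructed sample replies (203.0.113.10 is a documentation address).
SAMPLES = [
    "227 Entering Passive Mode (203,0,113,10,192,45)",  # 192*256+45
    "227 Entering Passive Mode (203,0,113,10,4,1)",     # low port
    "227 Entering Passive Mode (10,0,0,5,200,0)",       # wrong address
    "229 Entering Extended Passive Mode (|||50000|)",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line, "->", check_reply(line, "203.0.113.10") or "ok")
```
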


Re: [pfSense Support] installing pfSense via pxeboot and nfs

2009-01-19 Thread Bill Marquette
fwiw, that's not an install guide, it was really a how to make it boot
over the network guide - very helpful for development.  I don't know
of anyone that has had a successful install to a soekris over the
network.  Not to say it can't be done, but you've got a lot of
exploring ahead of you.

Chances are in the below, your IP changed (i.e., you didn't update
config.xml before booting).

--Bill

On Mon, Jan 19, 2009 at 5:41 PM, Stefan Lambrev
stefan.lamb...@moneybookers.com wrote:
 Greetings,
 I'm trying to install pfSense embedded using only network and serial console
 on soekris net5501.
 I'm following the steps from this document
 - http://devwiki.pfsense.org/wikka.php?wakka=NetBootSoekrisEmbedded
 Unfortunately I'm unable to finish the installation because the boot process
 stops at:
 Trying to mount root from nfs:10.1.1.1:/usr/local/tftpboot/4801-60
 vr0: link state changed to UP
 NFS ROOT: 10.1.1.1:/usr/local/tftpboot/4801-60/
 I also tried with the iso/livecd but with it I cannot even see the kernel
 booting (dmesg) nor the welcome menu.
 Is it possible at all to install pfSense using pxeboot, tftp and nfs over
 serial console?
 --
 Best Wishes,
 Stefan Lambrev
 ICQ# 24134177









Re: [pfSense Support] How to reset Captive back to default

2009-01-19 Thread Chris Buechler
On Mon, Jan 19, 2009 at 9:01 PM, k_o_l k_...@hotmail.com wrote:
 Is it possible to reset the captive portal page contents back to default?


Back up your config, manually remove that portion and save, then
restore. Or upload the default; you can find the HTML in
/etc/inc/captiveportal.inc.
