Re: [pfSense Support] blocking RFC1918 and bogons on 2nd WAN
Chris Buechler wrote:

On Fri, Jun 12, 2009 at 9:10 AM, Paul Mansfield it-admin-pfse...@taptu.com wrote:

suppose we have two WAN ports and have turned on the automatic RFC1918 and bogon blocking; you can see the grey-ed out rules on WAN1 interface. what's the best way to also do this on WAN2? in particular, how to put the list of RFC1918 and bogons into the rule so that their values are updated automatically?

you can't for bogons until 2.0. for RFC1918 you can create an alias and add the rule manually.

thanks for that. I did notice in the config file for the WAN there's a bogons attribute, I pondered copying it to WAN2, but was worried it would destroy the universe or break pfSense?

- To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com
Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] Inbound load balancer performance under heavy load.
we've also had problems with inbound load balancing which we thought was just crappy ISP - a small number of http connections would quietly fail, or take a very long time and then fail, so we ended up using haproxy instead; this on 1.2-release as well as 1.2.2.

(note to people: please trim replies when quoting and turn off HTML, this thread has become unreadable due to bad quoting and horrible HTML styles).
Re: [pfSense Support] CARP and Bridging
Joseph Hardeman wrote:

One other question now that I think of it. Does CARP work between two firewalls that are running in full Bridge mode, no NATing done at all, just port blocking on the WAN interface? We have two firewalls and I want to make sure any states are kept intact on the chance we have to failover to the secondary.

I've done something similar with a CARP cluster that has a LAN and DMZ, where the DMZ is bridged to WAN. I have my switches doing STP and shutting down the ports for the inactive firewall, but there are other ways to get it done, too.

There are a couple concepts discussed in this forum thread: http://forum.pfsense.org/index.php/topic,4984.0.html

Those involve keeping the bridge interface on the backup unit down until it becomes master.

The first is a script that runs from cron that checks every minute to see if the change has happened, and brings the bridge up if a system is master. The main downside is that you have to wait on the cron script to run to see the change.

The second is only possible in 1.2.3-RC snapshots and on 2.0, where you can use devd to catch the transition event and call a script to change the bridge accordingly at the exact moment it happens, no waiting for cron to run and pick up on the change. Going this route is faster, but may cause some weirdness if you see the CARP transition flapping at all.

In 2.0 I believe you can configure STP right on the bridge interface which may be the better way in the long run.

Jim
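The cron-driven check described in the message above, sketched as an added example; it is not the script from the linked forum thread and not part of the original message. It assumes the CARP VIP is `carp0`, the bridge is `bridge0`, and that `ifconfig` reports state on a `carp: MASTER|BACKUP ...` line; the sample outputs are constructed.

```shell
#!/bin/sh
# Added example: keep the bridge down unless this node is CARP master.
# Interface names are assumptions; override them from the environment.
CARP_IF="${CARP_IF:-carp0}"
BRIDGE_IF="${BRIDGE_IF:-bridge0}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the command that would run

# Read ifconfig output on stdin and print the state from the first
# "carp:" line (MASTER, BACKUP, INIT), or UNKNOWN if there is none.
carp_state() {
    awk '$1 == "carp:" { print $2; found = 1; exit }
         END { if (!found) print "UNKNOWN" }'
}

# Only MASTER brings the bridge up. BACKUP, INIT and UNKNOWN all keep it
# down, so a parsing failure never leaves both bridges forwarding.
bridge_action() {
    case "$1" in
        MASTER) echo up ;;
        *)      echo down ;;
    esac
}

apply_bridge() {
    action=$(bridge_action "$1")
    if [ "$DRY_RUN" = "1" ]; then
        echo "would run: ifconfig $BRIDGE_IF $action"
    else
        ifconfig "$BRIDGE_IF" "$action"
    fi
}

# Constructed sample ifconfig output for the two steady states.
SAMPLE_MASTER='carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
    inet 192.0.2.1 netmask 0xffffff00
    carp: MASTER vhid 1 advbase 1 advskew 0'
SAMPLE_BACKUP='carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
    inet 192.0.2.1 netmask 0xffffff00
    carp: BACKUP vhid 1 advbase 1 advskew 100'

if [ "${1:-}" = "live" ]; then
    # From cron, e.g. once a minute: script.sh live (with DRY_RUN=0)
    apply_bridge "$(ifconfig "$CARP_IF" | carp_state)"
else
    # Offline demonstration on the constructed samples.
    apply_bridge "$(printf '%s\n' "$SAMPLE_MASTER" | carp_state)"
    apply_bridge "$(printf '%s\n' "$SAMPLE_BACKUP" | carp_state)"
fi
```

With several CARP VIPs on one box the function only reads the first `carp:` line, so point `CARP_IF` at the VIP whose state should drive the bridge.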
Re: [pfSense Support] blocking RFC1918 and bogons on 2nd WAN
On Fri, Jun 26, 2009 at 7:19 AM, Paul Mansfield it-admin-pfse...@taptu.com wrote:

I did notice in the config file for the WAN there's a bogons attribute, I pondered copying it to WAN2, but was worried it would destroy the universe or break pfSense?

Not recommended.

Scott
[pfSense Support] pfsense lighttp and php services
Hi Dear All, I need run a php file with zend guard 5 encode. Install zend optimize and change php.ini but reboot pfSense my configuration deleted : ( What should I do ?
Re: [pfSense Support] pfsense lighttp and php services
2009/6/26 ozan ucar m...@ozanucar.com:

Hi Dear All, I need run a php file with zend guard 5 encode. Install zend optimize and change php.ini but reboot pfSense my configuration deleted : ( What should I do ?

Don't do that. You will probably want to install another web server to use for whatever you're doing which is outside of the scope of this support list.

Scott
Re: [pfSense Support] Inbound load balancer performance under heavy load.
On Fri, Jun 26, 2009 at 11:25 AM, Scott Ullrich sullr...@gmail.com wrote:

On Fri, Jun 26, 2009 at 8:07 AM, Paul Mansfield it-admin-pfse...@taptu.com wrote:

we've also had problems with inbound load balancing which we thought was just crappy ISP - a small number of http connections would quietly fail, or take a very long time and then fail, so we ended up using haproxy instead; this on 1.2-release as well as 1.2.2.

(note to people: please trim replies when quoting and turn off HTML, this thread has become unreadable due to bad quoting and horrible HTML styles).

If you get a chance, please grab a 2.0 snapshot ISO and test our new haproxy package (it is for 2.0 only right now). Please e-mail me off list if you need help getting this going.

I just remembered it's a rcs branch but it would be easy to get going.

Scott
[pfSense Support] Statically-defined DHCP clients with dynamic addressing not entered into DNS
Hi all,

We're running DHCP and DNS on a pair of CARPed pfSense 1.2.1 boxen. Other than the fact that they don't sync DHCP entries, it's been working OK for us. However, we've currently got them configured to assign static IPs to specific MACs, and that's becoming difficult to manage.

We'd prefer to add an entry for each host's MAC and a hostname, but omit the IP address assignment. While we can do this currently - said hosts do receive an IP address in the dynamic pool - the hosts' hostname fails to be assigned in DNS. Remember, statically-assigned IP hosts (hence, hosts added to /etc/hosts) DO get added to DNS.

Interestingly, our DHCP leases on the responding DHCP server show:

IP address MAC address Hostname Online Lease Type
10.0.9.200 00:0c:f1:aa:c2:27 snip online active
00:0c:f1:aa:c2:27 ian-testpc snip online static

and the non-responding DHCP server shows only:

00:0c:f1:aa:c2:27 ian-testpc snip online static

Is this a known limitation?

Thanks!

Ian