[pfSense Support] no job control

2009-08-05 Thread David Burgess
http://www.mail-archive.com/support@pfsense.com/msg05025.html

After about 4 months on pfsense I'm now seeing this message in the
console, "Warning: no access to tty (Inappropriate ioctl for device).
Thus no job control in this shell." The above-linked thread is over
three years old now; do we have any new insight into this message?

db

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org



[pfSense Support] PfSense_advanced_etherchannel_and_vlan_howto_with_cisco_2900

2009-08-05 Thread luismi
Hi all,

I was reviewing the document
http://chaos.untouchable.net/index.php/PfSense_advanced_etherchannel_and_vlan_howto_with_cisco_2900

And I was looking for the way to do that in our pfsense 1.2.2 but I
didn't see any option in the web interface, so, should it be done at low
level with the shell?

Is there anyone here using Etherchannel against a PFSense box with a
Cisco 2960 or 3750 stack?

Thanks.





Re: [pfSense Support] PfSense_advanced_etherchannel_and_vlan_howto_with_cisco_2900

2009-08-05 Thread Aarno Aukia
Hi luismi,

On Wed, Aug 5, 2009 at 11:58, luismi wrote:
> Hi all,
>
> I was reviewing the document
> http://chaos.untouchable.net/index.php/PfSense_advanced_etherchannel_and_vlan_howto_with_cisco_2900
>
> And I was looking for the way to do that in our pfsense 1.2.2 but I
> didn't see any option in the web interface, so, should it be done at low
> level with the shell?

In the wiki "Using a recent version of HEAD" means pfSense 2.0 (alpha).

> Is there anyone here using Etherchannel against a PFSense box with a
> Cisco 2960 or 3750 stack?

Yes, I am, against 2950/60/60G.
I'm using shell commands with the Shellcmd-package as earlyshellcmds:
ifconfig lagg0 create
ifconfig lagg0 up laggproto lacp laggport em2 laggport em3
and then as shellcmds:
ifconfig em2 up
ifconfig em3 up

Regards,
Aarno
-- 
Aarno Aukia
Atrila GmbH
Switzerland




Re: [pfSense Support] PfSense_advanced_etherchannel_and_vlan_howto_with_cisco_2900

2009-08-05 Thread luismi
Yes, I didn't take note about the HEAD version, I read the document just
putting focus on the Etherchannel configuration :-D
From the point of view of Cisco, what type of FEC are you using? LACP?
LAGP? on?


El mié, 05-08-2009 a las 12:12 +0200, Aarno Aukia escribió:
> Hi luismi,
> 
> On Wed, Aug 5, 2009 at 11:58, luismi wrote:
> > Hi all,
> >
> > I was reviewing the document
> > http://chaos.untouchable.net/index.php/PfSense_advanced_etherchannel_and_vlan_howto_with_cisco_2900
> >
> > And I was looking for the way to do that in our pfsense 1.2.2 but I
> > didn't see any option in the web interface, so, should it be done at low
> > level with the shell?
> 
> In the wiki "Using a recent version of HEAD" means pfSense 2.0 (alpha).
> 
> > Is there anyone here using Etherchannel against a PFSense box with a
> > Cisco 2960 or 3750 stack?
> 
> Yes, I am, against 2950/60/60G.
> I'm using shell commands with the Shellcmd-package as earlyshellcmds:
> ifconfig lagg0 create
> ifconfig lagg0 up laggproto lacp laggport em2 laggport em3
> and then as shellcmds:
> ifconfig em2 up
> ifconfig em3 up
> 
> Regards,
> Aarno





Re: [pfSense Support] PfSense_advanced_etherchannel_and_vlan_howto_with_cisco_2900

2009-08-05 Thread Aarno Aukia
Hi Luismi,

On Wed, Aug 5, 2009 at 12:19, luismi wrote:
> Yes, I didn't take note about the HEAD version, I read the document just
> putting focus on the Etherchannel configuration :-D
> From the point of view of Cisco, what type of FEC are you using? LACP?
> LAGP? on?

I'm also using LACP on the cisco-side:

interface Port-channel1
 switchport mode trunk
 flowcontrol send off
!
interface FastEthernet0/1
 switchport mode trunk
 channel-group 1 mode active
 channel-protocol lacp
!
interface FastEthernet0/2
 switchport mode trunk
 channel-group 1 mode active
 channel-protocol lacp

Regards,
Aarno
-- 
Aarno Aukia
Atrila GmbH
Switzerland
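A check to go with the lagg/LACP setup in this reply and the matching Cisco port-channel config: because the lagg is created from Shellcmd entries rather than the GUI, it is worth confirming after each reboot that the aggregate really negotiated LACP and that every member port is bundled. This is an added example, not code from the thread or from pfSense; the `ifconfig lagg0` text below is a constructed sample in the FreeBSD output format (the exact flags and line layout are assumed), and the port names em2/em3 are the ones Aarno used.

```python
"""Check LACP aggregate health from `ifconfig laggN` output.

Added example (not from the thread): given the text that FreeBSD/pfSense
`ifconfig lagg0` prints, confirm the aggregate uses LACP and report which
member ports are not yet ACTIVE,COLLECTING,DISTRIBUTING. The sample output
below is constructed to resemble that format and is an assumption, not a
capture from a real box.
"""
import re
from dataclasses import dataclass

# Constructed sample: one healthy port and one port the switch has not yet
# brought into the bundle (for example, channel-group not yet applied on
# the second switch port).
SAMPLE_IFCONFIG = """\
lagg0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\toptions=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
\tether 00:1b:21:aa:bb:cc
\tmedia: Ethernet autoselect
\tstatus: active
\tlaggproto lacp lagghash l2,l3,l4
\tlaggport: em2 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>
\tlaggport: em3 flags=0<>
"""

# A port only carries traffic once the LACP partner has moved it through
# all three states.
REQUIRED_PORT_FLAGS = {"ACTIVE", "COLLECTING", "DISTRIBUTING"}


@dataclass
class LaggStatus:
    proto: str
    ports: dict  # port name -> set of flag names


def parse_lagg(text: str) -> LaggStatus:
    """Pull the lagg protocol and per-port flags out of ifconfig output."""
    proto = ""
    ports = {}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"laggproto\s+(\S+)", line)
        if m:
            proto = m.group(1)
            continue
        m = re.match(r"laggport:\s+(\S+)\s+flags=\w+<([^>]*)>", line)
        if m:
            name, flags = m.groups()
            ports[name] = {f for f in flags.split(",") if f}
    return LaggStatus(proto, ports)


def lagg_problems(text: str, expected_ports=("em2", "em3")) -> list:
    """Return human-readable findings; an empty list means the bundle is healthy."""
    st = parse_lagg(text)
    findings = []
    if st.proto != "lacp":
        findings.append(f"laggproto is '{st.proto}', expected lacp")
    for p in expected_ports:
        if p not in st.ports:
            findings.append(f"{p} is not a member of the lagg")
            continue
        missing = REQUIRED_PORT_FLAGS - st.ports[p]
        if missing:
            findings.append(f"{p} not fully bundled, missing {sorted(missing)}")
    return findings


if __name__ == "__main__":
    # On a live box: lagg_problems(subprocess.check_output(["ifconfig", "lagg0"], text=True))
    for finding in lagg_problems(SAMPLE_IFCONFIG) or ["lagg0 healthy"]:
        print(finding)
```

On the constructed sample the check reports em3 as not bundled, which is what you would see if only one of the two switch ports had `channel-group 1 mode active` applied: the lagg stays up on the other port, so the fault is easy to miss without looking at the port flags.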




[pfSense Support] AINA Bogon List Update

2009-08-05 Thread Joseph Hardeman

Greetings Everyone,

Just wanted to make you aware, if you weren't already, that on Aug 3rd 
2009 IANA has recently assigned two IP Ranges that were previously Bogon 
Ranges out to the wild.  The IP Ranges are:


  175/8  APNIC   2009-08   whois.apnic.net   ALLOCATED
  182/8  APNIC   2009-08   whois.apnic.net   ALLOCATED

I received the notification from the Team Cymru group, their master 
bogon list can be found here:




Just wanted to let everyone know, so you don't block legitimate traffic 
thinking it's from Bogon networks like has happened to me in the past. *S*


Have a great day

Joseph

--
This message has been scanned for viruses by Colocube's AV Scanner





[pfSense Support] Dual LAN DHCP gateway address

2009-08-05 Thread Pete Boyd
Hi. I've added a second network card to an existing functioning pfSense
1.2.2 firewall and setup dual LAN successfully apart from, unless I set a
gateway address (of the new LAN IP interface) in the new LAN interface's
DHCP server, I can neither ping the pfSense new LAN interface nor an
Internet address.

Why is this, when that gateway setting seems to say that inserting this IP
address is the default anyway? Beside the gateway option it says "The
default is to use the IP on this interface of the firewall as the gateway.
Specify an alternate gateway here if this is not the correct gateway for
your network."

Here are all the configuration options I've made in order to set this up:

* Interfaces -> OPT1

- [*] Enable Optional 1 interface

- Description: LAN2

- IP address: 10.1.0.1/24


* Services -> DHCP server -> LAN2

- [*] Enable DHCP server on LAN2 interface

- Range: 10.1.0.100 to 10.1.0.255

- Gateway: 10.1.0.1


* Add a firewall rule to block traffic from LAN2 to LAN:

- Action: Block

- Interface: LAN2

- Protocol: any

- Source: Type: any (or maybe 'LAN2 subnet'?) I think any is best for a
deny rule

- Destination: LAN subnet

- Description: Block LAN2 -> LAN


* Add a firewall rule to block traffic from LAN to LAN2:

- Action: Block

- Interface: LAN

- Protocol: any

- Source: Type: any (or maybe 'LAN subnet'?) I think any is best for a
deny rule

- Destination: LAN2 subnet

- Description: Block LAN -> LAN2


* Add a firewall rule to allow traffic of any protocol from the LAN2
subnet to any address:

- Protocol: any

- Source: Type: LAN2 subnet

- Description: Default LAN2 -> any

Any help is very appreciated.

-- 
Pete Boyd

Open Plan IT - http://openplanit.co.uk
The Golden Ear - http://thegoldenear.org
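A small first-match simulator for the rule set listed above, added here as an example (it is not part of Pete's post and not pfSense code). pfSense evaluates the rules of the interface a packet enters on from top to bottom, the first match wins, and an interface with no matching rule drops the packet; the block-before-pass ordering in the post is therefore what makes the LAN2 -> LAN block effective. The rules are transcribed from the post; the LAN subnet (192.168.1.0/24) is assumed because the post does not state it, and the packets are constructed test inputs.

```python
"""First-match evaluation of per-interface rules like the LAN2 set above.

Added example, not from the original post: pfSense evaluates the rules of
the interface a packet enters on from top to bottom and the first match
wins; an interface with no matching rule drops the packet. RULES
transcribes the LAN2/LAN set from the post. The LAN subnet is assumed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")   # assumed; the post does not give it
LAN2 = ip_network("10.1.0.0/24")     # from the post: 10.1.0.1/24 on OPT1


@dataclass(frozen=True)
class Rule:
    iface: str      # interface the packet arrives on
    action: str     # "pass" or "block"
    src: object     # ip_network or the string "any"
    dst: object     # ip_network or the string "any"
    descr: str


def matches(net, addr) -> bool:
    """True if `addr` falls inside `net` (or `net` is the wildcard "any")."""
    return net == "any" or addr in net


def evaluate(rules, iface, src, dst) -> tuple:
    """Return (action, descr) of the first matching rule on `iface`,
    or ("block", "default deny") when nothing matched."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if r.iface == iface and matches(r.src, s) and matches(r.dst, d):
            return r.action, r.descr
    return "block", "default deny"


# The three rules from the post, in the order given there.
RULES = [
    Rule("LAN2", "block", "any", LAN,   "Block LAN2 -> LAN"),
    Rule("LAN",  "block", "any", LAN2,  "Block LAN -> LAN2"),
    Rule("LAN2", "pass",  LAN2,  "any", "Default LAN2 -> any"),
]

# The same rules with the pass rule moved to the top: the LAN2 -> LAN
# block is now shadowed for every host in the LAN2 subnet.
SHADOWED = [RULES[2], RULES[0], RULES[1]]


if __name__ == "__main__":
    # Constructed packets: LAN2 host to a LAN host, LAN2 host to the Internet,
    # a LAN host to LAN2, and a packet on LAN2 with a source outside LAN2.
    for label, ruleset in (("as posted", RULES), ("pass rule first", SHADOWED)):
        print(label)
        print("  LAN2 -> LAN host   ", evaluate(ruleset, "LAN2", "10.1.0.100", "192.168.1.10"))
        print("  LAN2 -> Internet   ", evaluate(ruleset, "LAN2", "10.1.0.100", "203.0.113.5"))
        print("  LAN  -> LAN2 host  ", evaluate(ruleset, "LAN", "192.168.1.5", "10.1.0.50"))
        print("  spoofed src on LAN2", evaluate(ruleset, "LAN2", "172.16.0.9", "203.0.113.5"))
```

The last constructed packet is why "LAN2 subnet" rather than "any" is the right source for the pass rule: a packet arriving on LAN2 with a source address outside 10.1.0.0/24 falls through to the default deny instead of being forwarded.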






Re: [pfSense Support] no job control

2009-08-05 Thread Jim Pingle
David Burgess wrote:
> http://www.mail-archive.com/support@pfsense.com/msg05025.html
> 
> After about 4 months on pfsense I'm now seeing this message in the
> console, "Warning: no access to tty (Inappropriate ioctl for device).
> Thus no job control in this shell." The above-linked thread is over
> three years old now, do we have any new insight into this message?

IIRC it was due to something trying to mute the video console while it
is really using serial. It is fixed (mostly?) on the 1.2.3-RC2 nanobsd
snapshots, and doesn't seem to happen on 2.0 either.

Jim




Re: [pfSense Support] AINA Bogon List Update

2009-08-05 Thread Evgeny Yurchenko

Joseph Hardeman wrote:

Greetings Everyone,

Just wanted to make you aware, if you weren't already, that on Aug 3rd 
2009 IANA has recently assigned two IP Ranges that were previously 
Bogon Ranges out to the wild.  The IP Ranges are:


  175/8  APNIC   2009-08   whois.apnic.net   ALLOCATED
  182/8  APNIC   2009-08   whois.apnic.net   ALLOCATED

I received the notification from the Team Cymru group, their master 
bogon list can be found here:




Just wanted to let everyone know, so you don't block legitimate 
traffic thinking it's from Bogon networks like has happened to me in 
the past. *S*


Have a great day

Joseph

Thanks for the update. Could somebody explain when /etc/rc.update_bogons.sh 
is supposed to run on pfSense?
Joseph, I could not find any subscription available on their site, how 
are you receiving notifications?


Thanks.
Eugene




Re: [pfSense Support] AINA Bogon List Update

2009-08-05 Thread Joseph Hardeman

Evgeny Yurchenko wrote:

Joseph Hardeman wrote:

Greetings Everyone,

Just wanted to make you aware, if you weren't already, that on Aug 
3rd 2009 IANA has recently assigned two IP Ranges that were 
previously Bogon Ranges out to the wild.  The IP Ranges are:


  175/8  APNIC   2009-08   whois.apnic.net   ALLOCATED
  182/8  APNIC   2009-08   whois.apnic.net   ALLOCATED

I received the notification from the Team Cymru group, their master 
bogon list can be found here:




Just wanted to let everyone know, so you don't block legitimate 
traffic thinking it's from Bogon networks like has happened to me in 
the past. *S*


Have a great day

Joseph

Thanks for the update. Could somebody explain when 
/etc/rc.update_bogons.sh is supposed to run on pfSense?
Joseph, I could not find any subscription available on their site, how 
are you receiving notifications?


Thanks.
Eugene



Hi Eugene,

I joined their mailing list at:
bogon-announce mailing list

bogon-annou...@puck.nether.net
https://puck.nether.net/mailman/listinfo/bogon-announce

As for rc.update_bogons.sh, you can look in /etc/crontabs and see 
that, at least in my setup, it is set to run:


1   3   1   *   *   root    /usr/bin/nice -n20 
/etc/rc.update_bogons.sh


on the first day of each month at 3:01 am.

Joe
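A check that answers the practical question in this thread, added here as an example (not code from the thread, from Team Cymru or from pfSense): given a bogon list of the kind rc.update_bogons.sh fetches once a month, report which entries now overlap space IANA has allocated, so a firewall that is still on last month's list does not drop legitimate traffic from 175/8 or 182/8. The bogon list below is a constructed sample, not the real file; the two allocations are the ones Joseph quoted.

```python
"""Flag bogon entries that overlap space IANA has since allocated.

Added example, not from the thread. The bogon list is constructed here to
stand in for the monthly file rc.update_bogons.sh pulls; the two allocated
prefixes are the ones from the IANA notice quoted above.
"""
from ipaddress import ip_address, ip_network

# Constructed stale bogon list: 175/8 and 182/8 are still present even
# though APNIC received them in August 2009.
STALE_BOGONS = """\
# constructed sample, one prefix per line
0.0.0.0/8
10.0.0.0/8
127.0.0.0/8
175.0.0.0/8
182.0.0.0/8
192.168.0.0/16
"""

# Allocations from the IANA notice quoted in the thread.
NEWLY_ALLOCATED = ["175.0.0.0/8", "182.0.0.0/8"]


def parse_bogons(text):
    """Parse one prefix per line, ignoring blanks and '#' comments."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ip_network(line, strict=False))
    return nets


def stale_entries(bogon_text, allocated):
    """Return bogon prefixes (as strings) that overlap any allocated prefix."""
    alloc = [ip_network(a) for a in allocated]
    return [str(b) for b in parse_bogons(bogon_text)
            if any(b.overlaps(a) for a in alloc)]


def refreshed(bogon_text, allocated):
    """Return the bogon list text with the stale entries removed."""
    stale = set(stale_entries(bogon_text, allocated))
    keep = [str(b) for b in parse_bogons(bogon_text) if str(b) not in stale]
    return "\n".join(keep) + "\n"


def would_block(bogon_text, addr):
    """True if a packet from `addr` would be dropped by the bogon rule."""
    a = ip_address(addr)
    return any(a in b for b in parse_bogons(bogon_text))


if __name__ == "__main__":
    print("stale:", stale_entries(STALE_BOGONS, NEWLY_ALLOCATED))
    fresh = refreshed(STALE_BOGONS, NEWLY_ALLOCATED)
    # Constructed host in the newly allocated APNIC space.
    print("175.45.1.2 blocked before refresh:", would_block(STALE_BOGONS, "175.45.1.2"))
    print("175.45.1.2 blocked after refresh: ", would_block(fresh, "175.45.1.2"))
```

The monthly cron entry above only helps if the upstream file was already updated before the first of the month; this check is the quick way to confirm that on a box you suspect is behind, using the bogon file it actually loaded.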






[pfSense Support] vpn problems

2009-08-05 Thread Lyle Giese
Recently I have been moving some nat/vpn equipment over to pfSense 1.2.3RC1.

At location A, I have two Soekris Net4801 appliances and 1.2.3RC1
embedded. They are independent units.  One is the nat/firewall facing
our DSL which is used for office surfing.  The other is our primary VPN
server and facing our bonded T1's, very little outgoing traffic on this
unit.  At location B, I installed 1.2.3RC1 from the live CD on an older
dual PIII motherboard with dual Intel Nics.  Not that it appears to
matter, location B is using Radius for user authentication and location
A uses the included user table and we set up PPTP vpn connectivity for
end users.

The issue I have is from location A through either of the Soekris
appliances, I can not get a VPN connect(PPTP) to location B from WinXP
or Linux(Ubuntu or openSuSE).  We can connect to location B from other
locations.  Also at location A, I can connect (bypassing the Soekris
units running pfSense embedded) to our T1's with a laptop running WinXP
or Ubuntu(dual boot) and I can connect.

I am getting no errors from the packet rules.  From my reading of the
logs at location B comparing a good vs bad connect, the attempt never
successfully negotiates a connection and does not get to the user
id/password stage.

Below are what I thought were the relevant portions of the syslogs from
the receiving pfSense computer.  It's an older dual PIII computer with
two Intel 10/100 nics.

Any suggestions or is this a bug?

Lyle Giese
LCR Computer Services, Inc.

Bad connect:

Aug  5 08:14:07 vpngw mpd: [pt0] LCP: SendConfigReq #125
Aug  5 08:14:07 vpngw mpd:  ACFCOMP
Aug  5 08:14:07 vpngw mpd:  PROTOCOMP
Aug  5 08:14:07 vpngw mpd:  MRU 1500
Aug  5 08:14:07 vpngw mpd:  MAGICNUM 9f01cb88
Aug  5 08:14:07 vpngw mpd:  AUTHPROTO CHAP MSOFTv2
Aug  5 08:14:07 vpngw mpd:  MP MRRU 1600
Aug  5 08:14:07 vpngw mpd:  MP SHORTSEQ
Aug  5 08:14:07 vpngw mpd:  ENDPOINTDISC [802.1] 00 e0 81 26 02 4a
Aug  5 08:14:09 vpngw mpd: [pt0] LCP: SendConfigReq #126
Aug  5 08:14:09 vpngw mpd:  ACFCOMP
Aug  5 08:14:09 vpngw mpd:  PROTOCOMP
Aug  5 08:14:09 vpngw mpd:  MRU 1500
Aug  5 08:14:09 vpngw mpd:  MAGICNUM 9f01cb88
Aug  5 08:14:09 vpngw mpd:  AUTHPROTO CHAP MSOFTv2
Aug  5 08:14:09 vpngw mpd:  MP MRRU 1600
Aug  5 08:14:09 vpngw mpd:  MP SHORTSEQ
Aug  5 08:14:09 vpngw mpd:  ENDPOINTDISC [802.1] 00 e0 81 26 02 4a
Aug  5 08:14:09 vpngw mpd: pptp0-0: call cleared by peer
Aug  5 08:14:09 vpngw mpd: pptp0-0: killing channel
Aug  5 08:14:09 vpngw mpd: [pt0] PPTP call terminated


Good connect:
Aug  5 08:36:32 vpngw mpd: [pt1] LCP: rec'd Configure Request #0 link 0
(Req-Sent)
Aug  5 08:36:32 vpngw mpd:  MRU 1400
Aug  5 08:36:32 vpngw mpd:  MAGICNUM 7f9a3790
Aug  5 08:36:32 vpngw mpd:  PROTOCOMP
Aug  5 08:36:32 vpngw mpd:  ACFCOMP
Aug  5 08:36:32 vpngw mpd:  CALLBACK
Aug  5 08:36:32 vpngw mpd:Not supported
Aug  5 08:36:32 vpngw mpd: [pt1] LCP: SendConfigRej #0
Aug  5 08:36:32 vpngw mpd:  CALLBACK
Aug  5 08:36:32 vpngw mpd: [pt1] LCP: rec'd Configure Request #1 link 0
(Req-Sent)
Aug  5 08:36:32 vpngw mpd:  MRU 1400
Aug  5 08:36:32 vpngw mpd:  MAGICNUM 7f9a3790
Aug  5 08:36:32 vpngw mpd:  PROTOCOMP
Aug  5 08:36:32 vpngw mpd:  ACFCOMP
Aug  5 08:36:32 vpngw mpd: [pt1] LCP: SendConfigAck #1
Aug  5 08:36:32 vpngw mpd:  MRU 1400
Aug  5 08:36:32 vpngw mpd:  MAGICNUM 7f9a3790
Aug  5 08:36:32 vpngw mpd:  PROTOCOMP
Aug  5 08:36:32 vpngw mpd:  ACFCOMP
Aug  5 08:36:32 vpngw mpd: [pt1] LCP: state change Req-Sent --> Ack-Sent
Aug  5 08:36:34 vpngw mpd: [pt1] LCP: SendConfigReq #2
Aug  5 08:36:34 vpngw mpd:  ACFCOMP
Aug  5 08:36:34 vpngw mpd:  PROTOCOMP
Aug  5 08:36:34 vpngw mpd:  MRU 1500
Aug  5 08:36:34 vpngw mpd:  MAGICNUM 8c782bd4
Aug  5 08:36:34 vpngw mpd:  AUTHPROTO CHAP MSOFTv2
Aug  5 08:36:34 vpngw mpd:  MP MRRU 1600
Aug  5 08:36:34 vpngw mpd:  MP SHORTSEQ
Aug  5 08:36:34 vpngw mpd:  ENDPOINTDISC [802.1] 00 e0 81 26 02 4a
Aug  5 08:36:34 vpngw mpd: [pt1] LCP: rec'd Configure Reject #2 link 0
(Ack-Sent)
Aug  5 08:36:34 vpngw mpd:  MP MRRU 1600
Aug  5 08:36:34 vpngw mpd:  MP SHORTSEQ
Aug  5 08:36:34 vpngw mpd:  ENDPOINTDISC [802.1] 00 e0 81 26 02 4a
Aug  5 08:36:34 vpngw mpd: [pt1] LCP: SendConfigReq #3
Aug  5 08:36:34 vpngw mpd:  ACFCOMP
Aug  5 08:36:34 vpngw mpd:  PROTOCOMP
Aug  5 08:36:34 vpngw mpd:  MRU 1500
Aug  5 08:36:34 vpngw mpd:  MAGICNUM 8c782bd4
Aug  5 08:36:34 vpngw mpd:  AUTHPROTO CHAP MSOFTv2
Aug  5 08:36:34 vpngw mpd: [pt1] LCP: rec'd Ident #3 link 0 (Ack-Sent)
Aug  5 08:36:34 vpngw mpd:  MESG: MSRAS-0-shuttle2
Aug  5 08:36:34 vpngw mpd: pptp1-0: ignoring SetLinkInfo
Aug  5 08:36:36 vpngw mpd: [pt1] LCP: SendConfigReq #4
Aug  5 08:36:36 vpngw mpd:  ACFCOMP
Aug  5 08:36:36 vpngw mpd:  PROTOCOMP
Aug  5 08:36:36 vpngw mpd:  MRU 1500
Aug  5 08:36:36 vpngw mpd:  MAGICNUM 8c782bd4
Aug  5 08:36:36 vpngw mpd:  AUTHPROTO CHAP MSOFTv2
Aug  5 08:36:36 vpngw mpd: pptp1-0: ignoring SetLinkInfo
Aug  5 08:36:36 vpngw mpd: [pt1] LCP: rec'd Configure Request #4 link 0
(Ack-Sent)
Aug  5 08:36:36 vpngw mpd:  MRU 1400
Aug  5 0
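A small classifier for the two mpd traces above, added here as an example (not code from the thread or from mpd). It counts, per PPTP session, the LCP Configure-Requests the server sent against the LCP frames it received from the client. In the bad trace the server sends its requests, never sees a single LCP frame back, and the peer then clears the call; since the call setup itself arrives over the TCP control channel, only the GRE-carried PPP frames are missing, which is the pattern the NAT/GRE limitation discussed later in the thread produces. The log lines embedded below are a subset of Lyle's own lines; the category names are my own.

```python
"""Classify a PPTP/mpd syslog excerpt as one-way or two-way LCP.

Added example, not from the thread. Counts LCP Configure-Requests sent
versus LCP frames received per session ([pt0], [pt1], ...) and notes
whether the peer cleared the call.
"""
import re
from collections import defaultdict

# Subset of the "bad connect" lines posted above.
BAD_CONNECT = """\
Aug  5 08:14:07 vpngw mpd: [pt0] LCP: SendConfigReq #125
Aug  5 08:14:07 vpngw mpd:  AUTHPROTO CHAP MSOFTv2
Aug  5 08:14:09 vpngw mpd: [pt0] LCP: SendConfigReq #126
Aug  5 08:14:09 vpngw mpd:  AUTHPROTO CHAP MSOFTv2
Aug  5 08:14:09 vpngw mpd: pptp0-0: call cleared by peer
Aug  5 08:14:09 vpngw mpd: pptp0-0: killing channel
Aug  5 08:14:09 vpngw mpd: [pt0] PPTP call terminated
"""

# Subset of the "good connect" lines posted above.
GOOD_CONNECT = """\
Aug  5 08:36:32 vpngw mpd: [pt1] LCP: rec'd Configure Request #0 link 0 (Req-Sent)
Aug  5 08:36:32 vpngw mpd:  MRU 1400
Aug  5 08:36:32 vpngw mpd: [pt1] LCP: SendConfigRej #0
Aug  5 08:36:32 vpngw mpd: [pt1] LCP: SendConfigAck #1
Aug  5 08:36:32 vpngw mpd: [pt1] LCP: state change Req-Sent --> Ack-Sent
Aug  5 08:36:34 vpngw mpd: [pt1] LCP: SendConfigReq #2
Aug  5 08:36:34 vpngw mpd: [pt1] LCP: rec'd Configure Reject #2 link 0 (Ack-Sent)
"""

# Server-originated Configure-Requests and any client-originated LCP frame.
LCP_RE = re.compile(
    r"mpd: \[(pt\d+)\] LCP: (SendConfigReq|rec'd Configure (?:Request|Ack|Nak|Reject))"
)
CLEARED_RE = re.compile(r"mpd: pptp\d+-\d+: call cleared by peer")


def summarize(log_text):
    """Return ({session: {"sent": n, "received": n}}, peer_cleared_call)."""
    stats = defaultdict(lambda: {"sent": 0, "received": 0})
    cleared = False
    for line in log_text.splitlines():
        m = LCP_RE.search(line)
        if m:
            sess, event = m.groups()
            key = "sent" if event.startswith("SendConfigReq") else "received"
            stats[sess][key] += 1
        if CLEARED_RE.search(line):
            cleared = True
    return dict(stats), cleared


def diagnose(log_text):
    """("one-way-lcp", session) when the server only ever talks to itself,
    else ("two-way-lcp", None)."""
    stats, _cleared = summarize(log_text)
    for sess, s in stats.items():
        if s["sent"] >= 1 and s["received"] == 0:
            return "one-way-lcp", sess
    return "two-way-lcp", None


def describe(log_text):
    """Human-readable reading of the excerpt for a support reply."""
    verdict, sess = diagnose(log_text)
    stats, cleared = summarize(log_text)
    if verdict == "one-way-lcp":
        return (f"{sess}: {stats[sess]['sent']} LCP Configure-Requests sent, none received"
                + (", then call cleared by peer" if cleared else "")
                + "; control channel reaches the server but GRE from the client does not")
    return "LCP frames flow both ways; the GRE data path is working"


if __name__ == "__main__":
    print("bad: ", describe(BAD_CONNECT))
    print("good:", describe(GOOD_CONNECT))
```

The same split, control channel fine but no data frames, is what you should expect to see on the server whenever GRE is dropped or rewritten somewhere between the two sites; the log alone cannot tell you which hop is doing it.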

Re: [pfSense Support] vpn problems

2009-08-05 Thread Tim Nelson
- "Lyle Giese"  wrote:
> The issue I have is from location A through either of the Soekris
> appliances, I can not get a VPN connect(PPTP) to location B from
> WinXP
> or Linux(Ubuntu or openSuSE).  We can connect to location B from
> other
> locations.  Also at location A, I can connect (bypassing the Soekris
> units running pfSense embedded) to our T1's with a laptop running
> WinXP
> or Ubuntu(dual boot) and I can connect.
> 
> I am getting no errors from the packet rules.  From my reading of the
> logs at location B comparing a good vs bad connect, the attempt never
> successfully negotiates a connection and does not get to the user
> id/password stage.
> 
> Any suggestions or is this a bug?
> 

It sounds like you're hitting a known bug with NAT and PPTP/GRE. Check info 
here under 'NAT Limitations':

http://www.pfsense.org/index.php?option=com_content&task=view&id=40&Itemid=43

Tim Nelson
Systems/Network Support
Rockbochs Inc.
(218)727-4332 x105




Re: [pfSense Support] vpn problems

2009-08-05 Thread Lyle Giese
Tim Nelson wrote:
> - "Lyle Giese"  wrote:
>   
>> The issue I have is from location A through either of the Soekris
>> appliances, I can not get a VPN connect(PPTP) to location B from
>> WinXP
>> or Linux(Ubuntu or openSuSE).  We can connect to location B from
>> other
>> locations.  Also at location A, I can connect (bypassing the Soekris
>> units running pfSense embedded) to our T1's with a laptop running
>> WinXP
>> or Ubuntu(dual boot) and I can connect.
>>
>> I am getting no errors from the packet rules.  From my reading of the
>> logs at location B comparing a good vs bad connect, the attempt never
>> successfully negotiates a connection and does not get to the user
>> id/password stage.
>>
>> Any suggestions or is this a bug?
>>
>> 
>
> It sounds like you're hitting a known bug with NAT and PPTP/GRE. Check info 
> here under 'NAT Limitations':
>
> http://www.pfsense.org/index.php?option=com_content&task=view&id=40&Itemid=43
>
> Tim Nelson
> Systems/Network Support
> Rockbochs Inc.
> (218)727-4332 x105
>
>   
I have only one client computer at location A trying to connect to
location B and was the only one trying to connect to location B during
testing.  I can not go back to retest, but I was using Wolverine at
location B and could connect from location A with no problem(until I
converted B to pfSense).  This note specifically seems to indicate one
session should be supported. 

I won't be at location B until next week to recheck, but yesterday, I
was able to connect from B to A...

Makes this seem to be more an embedded only bug?  Or is there a
difference between the liveCD and embedded image?

Lyle



Re: [pfSense Support] no job control

2009-08-05 Thread David Burgess
On Wed, Aug 5, 2009 at 6:10 AM, Jim Pingle wrote:

> IIRC it was due to something trying to mute the video console while it
> is really using serial. It is fixed (mostly?) on the 1.2.3-RC2 nanobsd
> snapshots, and doesn't seem to happen on 2.0 either.

I'm using 1.2.3-RC1 on a (headless) soekris net5501, so I gather I can
just ignore the messages then.

db




Re: [pfSense Support] vpn problems

2009-08-05 Thread Tim Nelson
- "Lyle Giese"  wrote: 
I have only one client computer at location A trying to connect to location B 
and was the only one trying to connect to location B during testing. I can not 
go back to retest, but I was using Wolverine at location B and could connect 
from location A with no problem(until I converted B to pfSense). This note 
specifically seems to indicate one session should be supported. 

--- 

Ooops, well, it seems your problem *IS* related to the PPTP/GRE bug with NAT 
but it wasn't spelled out in that link I sent. Sorry. :-) 

The issue is that when you have the PPTP server enabled on the local device, 
outbound PPTP connections will fail. I bet if you disable PPTP(and clear your 
state tables) at the location you're initiating the outbound PPTP connection 
from, the connection will work just fine. You'll still have that single session 
limit though. 

If you're going to have multiple connections from each site to the other site, 
you may want to look at a "site to site" connection using OpenVPN or IPSEC 
where the VPN sessions terminate on the routers themselves. Otherwise, if you 
just really need end-user access, OpenVPN can't be beat for reliability and 
performance. Plus, there are no odd firewall limitations. 

Tim Nelson 
Systems/Network Support 
Rockbochs Inc. 
(218)727-4332 x105 


Re: [pfSense Support] no job control

2009-08-05 Thread Jim Pingle
David Burgess wrote:
> On Wed, Aug 5, 2009 at 6:10 AM, Jim Pingle wrote:
> 
>> IIRC it was due to something trying to mute the video console while it
>> is really using serial. It is fixed (mostly?) on the 1.2.3-RC2 nanobsd
>> snapshots, and doesn't seem to happen on 2.0 either.
> 
> I'm using 1.2.3-RC1 on a (headless) soekris net5501, so I gather I can
> just ignore the messages then.

They have some side effects, like not being able to use CTRL-C to break
out of things like ping, so they aren't entirely ignorable, but are
typically just an annoyance.

You should probably be running one of the more recent nanobsd snapshots
anyhow, they can use all the testing they can get. :-)

Jim




Re: [pfSense Support] no job control

2009-08-05 Thread David Burgess
On Wed, Aug 5, 2009 at 9:11 AM, Jim Pingle wrote:

> You should probably be running one of the more recent nanobsd snapshots
> anyhow, they can use all the testing they can get. :-)

I didn't look at those because I'm running the FreeSwitch package. The
blog post (http://blog.pfsense.org/?tag=nanobsd) indicates that
"packages that are suitable for an embedded platform are supported."
Anybody know if that would include Freeswitch? I'm guessing not, but
if it's doable I'll try it. I'm running off a 100GB hard drive right
now. Also using squid, but I wouldn't mind giving that up to try the
nanobsd version.

db




Re: [pfSense Support] Small remarks about OpenBGPD packaget

2009-08-05 Thread Scott Ullrich
On Wed, Aug 5, 2009 at 12:35 AM, Evgeny
Yurchenko wrote:
> Hi!
> 1) I find it a little bit inconvenient that you can not add a neighbor
> when you do not have any group configured. Suppose I want to add just
> two neighbors without messing with groups set up.
> This small thing solves it:
> # diff -rub openbgpd_neighbors.xml.bak openbgpd_neighbors.xml
> --- openbgpd_neighbors.xml.bak  2009-07-22 21:31:13.0 +
> +++ openbgpd_neighbors.xml      2009-08-05 04:11:06.0 +
> @@ -171,6 +171,11 @@
>                                $counter++;
>                        }
>                }
> +               else{
> +                       $newoptions['option'][0]['name'] = "";
> +                       $newoptions['option'][0]['value'] = "";
> +                       $pkg['fields']['field'][2]['options'] =
> $newoptions;
> +               }
>        
>        
>        
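Review bot: the new `else` branch writes the empty option into `$pkg['fields']['field'][2]['options']`, a hard-coded field index that will silently target the wrong dropdown if the order of `<field>` entries in openbgpd_neighbors.xml ever changes; look the field up by its name instead. If `$newoptions` is only populated inside the `if` branch, initialise it (`$newoptions = array();`) before the branch rather than relying on autovivification in the `else` case, and `else{` should be `else {` to match the surrounding style.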
>
>
> 2) Cosmetic but may be you would wish to implement it. Neighbors not
> belonging to any group not aligned properly:
> group "G1" {
>        remote-as 11
>        neighbor 1.1.1.1 {
>                descr "N1"
>                announce all
>                remote-as 1
>        }
> }
>        neighbor 2.2.2.2 {
>                descr "N2"
>                announce all
>                holdtime 300
>                remote-as 2
>        }
>
>
> This small patch
> # diff -rub openbgpd.inc.bak openbgpd.inc
> --- openbgpd.inc.bak    2009-07-22 21:31:13.0 +
> +++ openbgpd.inc        2009-08-05 03:31:14.0 +
> @@ -103,14 +103,14 @@
>       foreach($openbgpd_neighbors as $neighbor) {
>         $used_this_item = false;
>         if($neighbor['groupname'] == "") {
> -          $conffile .= "       neighbor {$neighbor['neighbor']} {\n";
> +          $conffile .= "neighbor {$neighbor['neighbor']} {\n";
>           $conffile .= "               descr
> \"{$neighbor['descr']}\"\n";
>           $used_this_item = true;
>           foreach($neighbor['row'] as $row) {
>             $conffile .= "             {$row['paramaters']}
> {$row['parmvalue']} \n";
>           }
>           if($used_this_item)
> -            $conffile .= "     }\n";
> +            $conffile .= "}\n";
>         }
>       }
>       if($used_this_item)
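Review bot: only the opening `neighbor {$neighbor['neighbor']} {` and the closing `}` strings lose their leading whitespace; the `descr` line and the `{$row['paramaters']}` line keep their old indentation, so an ungrouped neighbor's body is still written at group-member depth while its braces sit in column 0. Either trim those two strings as well or put the indent in one constant used by all four. Also, `$used_this_item = true;` is set unconditionally two lines earlier in the same branch, so the `if($used_this_item)` guarding the closing brace can never be false; drop the guard.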
>
>  makes it more intuitive (at least for me)
> group "G1" {
>        remote-as 11
>        neighbor 1.1.1.1 {
>                descr "N1"
>                announce all
>                remote-as 1
>        }
> }
> neighbor 2.2.2.2 {
>       descr "N2"
>       announce all
>       holdtime 300
>       remote-as 2
> }
>
> Eugene

Thanks, I committed this.

Scott




[pfSense Support] OpenVPN, Vlans and filtering

2009-08-05 Thread Joseph L. Casale
First off,
Thanks everyone who helped me get my setup running so far, the erroneous subnet
and the embedded image on the HP server.

So now that the server is running minimally configured, I have a built-in bge0
interface and a quad port Intel nic. I have the WAN setup on bge0 (no VLANs)
and hope to actually use the device to route between VLANs securely based on
rules at the gig speeds (our pix used to do this at _low_ speeds) as well.

Based on previous input, I understand that I should setup phys switch ports for
all 4 internal interfaces as tagged into each vlan I require. So after creating
VLANs on each Parent interface, I then intend to create Opt interface
assignments for each of those VLANs.

Most important to us will be the vpn filtering, most users will need very few
port/host provisions whereas admin users might need whole subnets unfiltered.
In reading the end of
http://doc.pfsense.org/index.php/VPN_Capability_OpenVPN#Filtering_OpenVPN_Traffic
I am still unsure how this works.

Previously with my pix, I created various VPN groups (RDPgroup, AdminGroup)
etc and gave them each unique subnets, then simply wrote rules from the WAN
interface with those source subnets to the internal interface with the lan
subnets governing what traffic was permitted. So a user with connection
credentials to RDPGroup would get on a subnet that could only pass TCP 3389
to certain hosts on the Lan.

Can I still replicate this with my intended setup?

Thanks!
jlc




Re: [pfSense Support] vpn problems

2009-08-05 Thread mayak chunder-qwern
On Wed, 2009-08-05 at 09:36 -0500, Tim Nelson wrote:
> - "Lyle Giese"  wrote: 
> I have only one client computer at location A trying to connect to
> location B and was the only one trying to connect to location B during
> testing.  I can not go back to retest, but I was using Wolverine at
> location B and could connect from location A with no problem(until I
> converted B to pfSense).  This note specifically seems to indicate one
> session should be supported.  


I'm having the same problems -- pptp on embedded doesn't behave like
full. I have now embarked on the journey to openvpn ...

Otherwise said, pptp on embedded just doesn't stand up.

Cheers

Mayak





[pfSense Support] Firewall ignores packets delivered via static routes

2009-08-05 Thread Bastian Schern
Hi,

I'm using pfSense as a Firewall and Router. It works very well except
for one thing:

If a packet arrives from a network via a static route all firewall
rules are ignored. Everything passes. :-(
If the packets arrive via the default route it works as expected.

The configured static routes are applied to the WAN interface and most
of the interfaces have real public IPs. For these interfaces NAT is not used.

Does anybody know what's going wrong?

Regards
Bastian




Re: [pfSense Support] Firewall ignores packets delivered via static routes

2009-08-05 Thread Keenan Tims

If a packet arrives from a network via a static route all firewall
rules are ignored. Everything passes. :-(
If the Packets arrive via the default route it works as expected.


Packets don't arrive 'from' a static route; the static routes only
affect outgoing traffic. Incoming packets will arrive on an interface
and have a source and destination (end machine) address that you can
use to filter them. As long as the rule is created on the *interface*
the traffic arrives on, and has the appropriate filters set, it should
apply to any traffic regardless of routing tables. Same goes for
outgoing traffic destined to other routers.


Is this not what's happening? If not, can you give us more information
(what interface it arrives on, what you want to block and address and
rule details), as your rules probably just need some tweaks.


Keenan




Re: [pfSense Support] Firewall ignores packets delivered via static routes

2009-08-05 Thread Chris Buechler
On Wed, Aug 5, 2009 at 6:53 PM, Keenan Tims wrote:
>> If a packet arrives from a network via a static route all firewall
>> rules are ignored. Everything passes. :-(
>> If the Packets arrive via the default route it works as expected.
>
> Packets don't arrive 'from' a static route; the static routes only affect
> outgoing traffic. Incoming packets will arrive on an interface and have a
> source and destination (end machine) address that you can use to filter
> them. As long as the rule is created on the *interface* the traffic arrives
> on, and has the appropriate filters set, it should apply to any traffic
> regardless of routing tables. Same goes for outgoing traffic destined to
> other routers.
>

That's correct. The only way traffic related to a static route
wouldn't be filtered by the ruleset is if you have "bypass filtering
for traffic on same interface" checked under System -> Advanced.




Re: [pfSense Support] AINA Bogon List Update

2009-08-05 Thread Chris Buechler
On Wed, Aug 5, 2009 at 7:27 AM, Joseph Hardeman wrote:
> Greetings Everyone,
>
> Just wanted to make you aware, if you weren't already, that on Aug 3rd 2009
> IANA has recently assigned two IP Ranges that were previously Bogon Ranges
> out to the wild.  The IP Ranges are:
>
>  175/8  APNIC       2009-08   whois.apnic.net   ALLOCATED
>  182/8  APNIC       2009-08   whois.apnic.net   ALLOCATED
>
> I received the notification from the Team Cymru group, their master bogon
> list can be found here:
>

The bogon list on our servers updates automatically, which your
firewalls pull from automatically on the first of each month. It's
generally updated well in advance of new IP space being used, so it's
not anything you need to be concerned about, or even pay attention to
their mailing list unless you manually maintain bogon listings
elsewhere.




Re: [pfSense Support] Firewall ignores packets delivered via static routes

2009-08-05 Thread Bastian Schern
Hi Keenan,

thanks for the quick answer.
I know that packets don't arrive via static routes. It was only a bad
description of the problem.

All static routes are created on the WAN interface. I don't know if it
is important for this case, but I'm using CARP for all interfaces to
create a HA router/firewall.

Here are some more details:

Interfaces
~~~~~~~~~~
WAN em0: xxx.xxx.196.108/28
WAN CARP: xxx.xxx.196.110/28
VLAN128 bge0: xxx.xxx.196.130/26
VLAN128 CARP: xxx.xxx.196.129/26

Static routes
~~~~~~~~~~~~~
dev:WAN  net:xxx.xxx.92.0/19  gw:xxx.xxx.196.107
dev:WAN  net:xxx.xxx.93.0/19  gw:xxx.xxx.196.107

Not working rules
~~~~~~~~~~~~~~~~~
WAN: Block, ICMP, src: any, dst: any


Regards
Bastian

Keenan Tims schrieb:
>> If a packet arrives from a network via a static route all firewall
>> rules are ignored. Everything passes. :-(
>> If the packets arrive via the default route it works as expected.
> 
> Packets don't arrive 'from' a static route; the static routes only
> affect outgoing traffic. Incoming packets will arrive on an interface
> and have a source and destination (end machine) address that you can use
> to filter them. As long as the rule is created on the *interface* the
> traffic arrives on, and has the appropriate filters set, it should apply
> to any traffic regardless of routing tables. Same goes for outgoing
> traffic destined to other routers.
> 
> Is this not what's happening? If not, can you give us more information
> (what interface it arrives on, what you want to block and address and
> rule details), as your rules probably just need some tweaks.
> 
> Keenan




Re: [pfSense Support] vpn problems

2009-08-05 Thread Chris Buechler
On Wed, Aug 5, 2009 at 4:35 PM, mayak chunder-qwern wrote:
>
> I'm having the same problems -- pptp on embedded doesn't behave like
> full. I have now embarked on the journey to openvpn ...
>
> Otherwise said, pptp on embedded just doesn't stand up.
>

PPTP on embedded has the exact same issues as every other platform,
the two described in the link Tim sent earlier in the thread, as well
as here:
http://doc.pfsense.org/index.php/What_are_the_limitations_of_PPTP_in_pfSense%3F




Re: [pfSense Support] AINA Bogon List Update

2009-08-05 Thread Evgeny Yurchenko
Chris Buechler wrote:
> On Wed, Aug 5, 2009 at 7:27 AM, Joseph Hardeman wrote:
>> Greetings Everyone,
>>
>> Just wanted to make you aware, if you weren't already, that on Aug 3rd 2009
>> IANA has recently assigned two IP Ranges that were previously Bogon Ranges
>> out to the wild.  The IP Ranges are:
>>
>>  175/8  APNIC       2009-08   whois.apnic.net   ALLOCATED
>>  182/8  APNIC       2009-08   whois.apnic.net   ALLOCATED
>>
>> I received the notification from the Team Cymru group, their master bogon
>> list can be found here:
>>
>
> The bogon list on our servers updates automatically, which your
> firewalls pull from automatically on the first of each month. It's
> generally updated well in advance of new IP space being used, so it's
> not anything you need to be concerned about, or even pay attention to
> their mailing list unless you manually maintain bogon listings
> elsewhere.
>

Nevertheless, I once ran into this issue:
http://forum.pfsense.org/index.php/topic,12603.0.html
So, it's better to be informed.
Eugene.






Re: [pfSense Support] AINA Bogon List Update

2009-08-05 Thread Chuck Benson

Evgeny Yurchenko wrote:
> Chris Buechler wrote:
>> On Wed, Aug 5, 2009 at 7:27 AM, Joseph Hardeman wrote:
>>> Greetings Everyone,
>>>
>>> Just wanted to make you aware, if you weren't already, that on Aug 3rd 2009
>>> IANA has recently assigned two IP Ranges that were previously Bogon Ranges
>>> out to the wild.  The IP Ranges are:
>>>
>> ---clipped
>> The bogon list on our servers updates automatically, which your
>> firewalls pull from automatically on the first of each month. It's
>> generally updated well in advance of new IP space being used, so it's
>> not anything you need to be concerned about, or even pay attention to
>> their mailing list unless you manually maintain bogon listings
>> elsewhere.
>>
> Nevertheless once I run into this issue
> http://forum.pfsense.org/index.php/topic,12603.0.html
>
> So, it's better to be informed
> Eugene.
> ---clipped
As an example of why someone might be doing this elsewhere, if you are 
using a dual-wan configuration, checking bogons on the second network 
can be useful.


Unfortunately, when I went to look this month, the site was not 
available. A temporary flag was in its place.


Chuck Benson
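For anyone who does maintain bogon listings by hand (the dual-WAN case above), the risk this thread describes is a stale entry silently dropping traffic from space IANA has since allocated. The following check is an added example, not pfSense code or anything from the thread: it parses a bogon file in the usual one-prefix-per-line form (the file contents and the address tested are constructed samples) and reports any entry that overlaps the two August 2009 allocations quoted in the thread.

```python
import ipaddress

# Constructed sample bogon list (not a real feed download). The two
# 2009 allocations are included on purpose so the check has something
# to catch; a refreshed list would no longer carry them.
SAMPLE_BOGONS = """\
# constructed sample bogon list
0.0.0.0/8
10.0.0.0/8
127.0.0.0/8
169.254.0.0/16
175.0.0.0/8
182.0.0.0/8
192.0.2.0/24
224.0.0.0/4
"""

# Prefixes IANA allocated in August 2009, as quoted in the thread.
RECENTLY_ALLOCATED = ["175.0.0.0/8", "182.0.0.0/8"]


def parse_bogons(text):
    """Return the IPv4 networks listed in a bogon file, ignoring comments."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def stale_entries(bogons, allocated):
    """Bogon prefixes (as strings, sorted) that overlap space now allocated.

    Any prefix returned here would drop legitimate traffic until the
    list is refreshed."""
    allocated_nets = [ipaddress.ip_network(a) for a in allocated]
    stale = {str(b) for b in bogons for a in allocated_nets if b.overlaps(a)}
    return sorted(stale)


def is_blocked(bogons, address):
    """True if the address falls inside any listed bogon prefix."""
    ip = ipaddress.ip_address(address)
    return any(ip in b for b in bogons)


if __name__ == "__main__":
    nets = parse_bogons(SAMPLE_BOGONS)
    print("stale bogon entries:", stale_entries(nets, RECENTLY_ALLOCATED))
    print("175.45.1.1 blocked by stale list:", is_blocked(nets, "175.45.1.1"))
```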
