Re: [pfSense Support] Multiple Subnets From ISP Same Interface

2009-08-18 Thread Victor Padro
On Tue, Aug 18, 2009 at 1:52 AM, Chris Buechler wrote:
> On Mon, Aug 17, 2009 at 5:33 PM, Jesse Vollmar wrote:
>> Hey guys,
>> after googling this for a while, I'm not finding any clear instructions for
>> doing this. I currently have a multi-wan scenario with failover configured.
>> I just purchased another static IP block from one of the ISPs and they are
>> now routing those to me (so they say). I would like to use this new subnet
>> in concurrence with my old subnet, both on the same interface (OPT1). The
>> subnets do not share the same gateway. What is the proper way to configure
>> this?
>
> Depends on exactly how they're routing them to you, and how you want
> to use them. If you want to use them with NAT, and you aren't using
> CARP, just add them as Other VIPs. IPs that are routed to you do not
> need ARP. If you're using CARP, add them as Other VIPs and make sure
> the ISP is routing that new subnet to a CARP VIP.
>
> If you want to directly assign the public IPs on inside systems, add
> another interface for the new subnet, whether physical or VLAN (this
> has nothing to do with the ISP, it's your internal network).
> Alternatively you can put both subnets on the same inside interface,
> but I would avoid that.
> http://doc.pfsense.org/multiple-subnets-one-interface-pfsense.pdf
>
> -
> To unsubscribe, e-mail: support-unsubscr...@pfsense.com
> For additional commands, e-mail: support-h...@pfsense.com
>
> Commercial support available - https://portal.pfsense.org
>
>

So, in a way I was right...sometimes I get nervous speaking in English.

-- 
Linux User #452368
http://twitter.com/vpadro

Manifesto for a free culture:
http://culturalibre.org/

"Doing a thing well is often a waste of time."

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org



Re: [pfSense Support] Multiple Subnets From ISP Same Interface

2009-08-18 Thread Jesse Vollmar
>
> Depends on exactly how they're routing them to you, and how you want
>  to use them. If you want to use them with NAT, and you aren't using
> CARP, just add them as Other VIPs. IPs that are routed to you do not
> need ARP. If you're using CARP, add them as Other VIPs and make sure
> the ISP is routing that new subnet to a CARP VIP.
>
> If you want to directly assign the public IPs on inside systems, add
> another interface for the new subnet, whether physical or VLAN (this
> has nothing to do with the ISP, it's your internal network).
> Alternatively you can put both subnets on the same inside interface,
> but I would avoid that.
> http://doc.pfsense.org/multiple-subnets-one-interface-pfsense.pdf
>

I'm not using CARP and I would like to use them with NAT. According to that,
your recommendation would be to use "other" VIPs. My only question is, will
they route properly since the ISP has this new subnet using a different
gateway address than the first subnet. On my interface the gateway is
defined, but it isn't the gateway for my new VIPs. I think they would
need a different route.

This makes me think that I either have to add another interface, or do
multiple subnets on the same interface. Am I right?  Thanks for the help
everyone!


[pfSense Support] Triple CARP setup

2009-08-18 Thread Veiko Kukk

How should I configure pfsync if I want to use three machines?

##
Synchronize to IP   
Enter the IP address of the firewall you are synchronizing with.
##

Should I list there all IPs I want to sync to? Separated by commas or
spaces?


--
Veiko




[pfSense Support] XMLRPC debugging

2009-08-18 Thread Ian Levesque

Hello,

I just noticed that my two pfSense boxen aren't syncing anymore. In  
the logs, I see:


An error code was received while attempting XMLRPC sync with username  
admin https://192.168.8.1:443 - Code 2: Invalid return payload: enable  
debugging to examine incoming payload


How can I enable XMLRPC debugging and run it from the CLI?

Thanks,
Ian




Re: [pfSense Support] Triple CARP setup

2009-08-18 Thread Evgeny Yurchenko

Veiko Kukk wrote:

> How should I configure pfsync if I want to use three machines?
>
> ##
> Synchronize to IP
> Enter the IP address of the firewall you are synchronizing with.
> ##
>
> Should I list there all IPs I want to sync to? Separated by commas or
> spaces?


As far as I know CARP + pfsync (states) communication goes on using
multicast addresses no matter what you configure in the "pfSync sync peer
IP" field.
Not sure what happens when you change a rule on the active one. Probably in this
case the destination IP is taken from the "Synchronize to IP" field.

Eugene.




Re: [pfSense Support] Triple CARP setup

2009-08-18 Thread Scott Ullrich
On Tue, Aug 18, 2009 at 10:28 AM, Veiko Kukk wrote:
> How should I configure pfsync if I want to use three machines?
>
> ##
> Synchronize to IP
> Enter the IP address of the firewall you are synchronizing with.
> ##
>
> Should I list there all IPs I want to sync to? Separated by commas or

No.

Put the next cluster member in this box (only one host).

On the next host put the next member's IP in, creating a chain.

Cluster Primary ->  Backup -> Tertiary

Scott




[pfSense Support] Using a different gateway reply-to IP in PF rules

2009-08-18 Thread Ian Levesque

Hello,

I've got a WAN rule that allows traffic from a specific subnet in our  
university's private network direct access to our LAN. We're basically  
bridging two LANs across a WAN interface. The generated rule looks  
like this, where 1.2.3.4 is our default gateway:


pass in log quick on $wan reply-to (em2 1.2.3.4) proto { tcp udp }  
from {  10.11.143.0/24 } to {  10.0.8.0/23 } keep state  label  
"USER_RULE: Outside LAN"


The problem we have is that we're using a static route to access the  
gateway to this "outside LAN", let's say that's "1.2.3.5". What we  
need is for traffic that comes in from 1.2.3.5 for our LAN to go back  
out to 1.2.3.5, not to the default route. We do have the static route  
defined:


default            1.2.3.4      UGS         0  5766491    em2
10.11.143.0/24     1.2.3.5      UGS         0      384    em2

From the rule editing page, it appears that a gateway can be defined,  
but I'm only given the option of using "default" or my default route  
(1.2.3.4). The description below says "Leave as 'default' to use the  
system routing table", but with the way the rules are generated by  
pfSense, all of our WAN traffic is sent back out the default gateway  
instead of the more precise match.


I understand that the solution to this is to change the above
generated rule to use "reply-to (em2 1.2.3.5)" or to omit the reply-to
altogether. Is there any way to accommodate this rather obscure
use-case in pfSense? Can we add additional routes to the "Gateway"
drop-down?


Thanks,
Ian




Re: [pfSense Support] Using a different gateway reply-to IP in PF rules

2009-08-18 Thread Chris Buechler
On Tue, Aug 18, 2009 at 6:44 PM, Ian Levesque wrote:
> Hello,
>
> I've got a WAN rule that allows traffic from a specific subnet in our
> university's private network direct access to our LAN. We're basically
> bridging two LANs across a WAN interface. The generated rule looks like
> this, where 1.2.3.4 is our default gateway:
>
> pass in log quick on $wan reply-to (em2 1.2.3.4) proto { tcp udp } from {
>  10.11.143.0/24 } to {  10.0.8.0/23 } keep state  label "USER_RULE: Outside
> LAN"
>
> The problem we have is that we're using a static route to access the gateway
> to this "outside LAN", let's say that's "1.2.3.5". What we need is for
> traffic that comes in from 1.2.3.5 for our LAN to go back out to 1.2.3.5,
> not to the default route. We do have the static route defined:
>
> default            1.2.3.4      UGS         0  5766491    em2
> 
> 10.11.143.0/24     1.2.3.5      UGS         0      384    em2
>
> From the rule editing page, it appears that a gateway can be defined, but
> I'm only given the option of using "default" or my default route (1.2.3.4).
> The description below says "Leave as 'default' to use the system routing
> table", but with the way the rules are generated by pfSense, all of our WAN
> traffic is sent back out the default gateway instead of the more precise
> match.
>
> I understand that the solution to this is to change the above generated rule
> to use "reply-to (em2 1.2.3.5)" or to omit the reply-to altogether. Is there
> any way to accommodate this rather obscure use-case in pfSense? Can we add
> additional routes to the "Gateway" drop-down?
>

What you're seeing is this:
http://redmine.pfsense.org/issues/show/14

Gateway is for route-to, there is no way to specify reply-to, as
that's handled automatically. 1.2.3 does have a checkbox under System
-> Advanced to disable adding reply-to entirely, which is a solution
as long as you aren't using multi-WAN (you can just comment out the
reply-to line in /etc/inc/filter.inc too). We don't have a solution
for multi-WAN cases combined with WAN static routes to something other
than your gateway on that interface at this time. Either the static
route won't work for traffic initiated from that router, or you
disable reply-to and break reply routing for multi-WAN.

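The asymmetric return routing Chris describes can be shown with a small model of the routing table. This is an added example, not code from the post or from pfSense: it implements a longest-prefix-match lookup over the two routes from Ian's table (default via 1.2.3.4, 10.11.143.0/24 via 1.2.3.5) and compares the next hop pf uses when the generated rule pins `reply-to (em2 1.2.3.4)` with the next hop the system routing table would pick. The function names, the audit helper and the address 198.51.100.0/24 used as a second source prefix are this example's own.

```python
"""
Added example (not from the pfSense list or pfSense itself): a toy
longest-prefix-match routing table used to show why a pf rule with a
fixed 'reply-to' gateway sends replies to the wrong next hop when a more
specific static route exists on the same interface.
"""
import ipaddress

# Routing table from Ian's message: default via 1.2.3.4, static route via 1.2.3.5
ROUTES = [
    ("0.0.0.0/0", "1.2.3.4"),
    ("10.11.143.0/24", "1.2.3.5"),
]


def lookup(dst, routes=ROUTES):
    """Longest-prefix match: return the next hop for dst, or None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


def reply_next_hop(request_src, reply_to=None, routes=ROUTES):
    """Next hop for the reply packets of a state created by an inbound
    connection from request_src. With reply-to set on the rule, pf bypasses
    the routing table and hands the reply to that gateway; without it the
    normal routing lookup applies."""
    if reply_to is not None:
        return reply_to
    return lookup(request_src, routes)


def compare(src="10.11.143.25"):
    """Side by side: the generated rule (reply-to pinned to the default
    gateway) versus plain routing-table behaviour for one source host."""
    return {
        "generated_rule": reply_next_hop(src, reply_to="1.2.3.4"),
        "routing_table": reply_next_hop(src),
    }


def audit_reply_to(reply_to, src_prefixes, routes=ROUTES):
    """Return (prefix, routing-table next hop) for every source prefix whose
    replies would be sent to a different gateway than the one pinned by
    reply-to, i.e. the prefixes for which a static route is being ignored."""
    mismatches = []
    for prefix in src_prefixes:
        net = ipaddress.ip_network(prefix)
        # look up a representative host of the source network
        gw = lookup(str(next(net.hosts())), routes)
        if gw != reply_to:
            mismatches.append((prefix, gw))
    return mismatches


if __name__ == "__main__":
    print(compare())
    print(audit_reply_to("1.2.3.4", ["10.11.143.0/24", "198.51.100.0/24"]))
```

Run as a script it reports that a reply to 10.11.143.25 leaves via 1.2.3.4 under the generated rule but via 1.2.3.5 under the routing table, and the audit flags 10.11.143.0/24 as the only source prefix affected; this is the check to run against a rule set before deciding whether disabling reply-to is safe for it.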



Re: [pfSense Support] Using a different gateway reply-to IP in PF rules

2009-08-18 Thread Ian Levesque


On Aug 18, 2009, at 6:51 PM, Chris Buechler wrote:

> On Tue, Aug 18, 2009 at 6:44 PM, Ian Levesque wrote:
>
>> From the rule editing page, it appears that a gateway can be defined, but
>> I'm only given the option of using "default" or my default route (1.2.3.4).
>> The description below says "Leave as 'default' to use the system routing
>> table", but with the way the rules are generated by pfSense, all of our WAN
>> traffic is sent back out the default gateway instead of the more precise
>> match.
>>
>> I understand that the solution to this is to change the above generated rule
>> to use "reply-to (em2 1.2.3.5)" or to omit the reply-to altogether. Is there
>> any way to accommodate this rather obscure use-case in pfSense? Can we add
>> additional routes to the "Gateway" drop-down?
>
> What you're seeing is this:
> http://redmine.pfsense.org/issues/show/14
>
> Gateway is for route-to, there is no way to specify reply-to, as
> that's handled automatically. 1.2.3 does have a checkbox under System
> -> Advanced to disable adding reply-to entirely, which is a solution
> as long as you aren't using multi-WAN (you can just comment out the
> reply-to line in /etc/inc/filter.inc too).

Hi Chris - thanks for the reply.

I'm still on 1.2.1 and am waiting to upgrade with the final 1.2.3
release. If I make a change to /etc/inc/filter.inc now, it would be
lost when I upgraded pfSense, correct? I just want to avoid getting
hit with this again after the 1.2.3 release is installed (at which
point, this network bridging will be live).

> We don't have a solution
> for multi-WAN cases combined with WAN static routes to something other
> than your gateway on that interface at this time. Either the static
> route won't work for traffic initiated from that router, or you
> disable reply-to and break reply routing for multi-WAN.


Indeed, I knew that the solution would break multi-WAN so I wasn't  
hopeful that there'd even be a solution in pfSense. I'm happy to hear  
that you've added the ability to effectively disable reply-to. Many  
thanks, I've been recommending pfSense heartily for the past year and  
I'm glad that I can continue to use it for our needs.


Ian




Re: [pfSense Support] Using a different gateway reply-to IP in PF rules

2009-08-18 Thread Chris Buechler
On Tue, Aug 18, 2009 at 7:07 PM, Ian Levesque wrote:
>
>
> I'm still on 1.2.1 and am waiting to upgrade with the final 1.2.3 release.
> If I make a change to /etc/inc/filter.inc now, it would be lost when I
> upgraded pfSense, correct? I just want to avoid getting hit with this again
> after the 1.2.3 release is installed (at which point, this network bridging
> will be live).
>

Yes, it will be lost. It's reasonably easy to pull in that diff though.
https://rcs.pfsense.org/projects/pfsense/repos/mainline/commits/efefb2a1e860d082a6024b7c6b67c646b1e8aa6e

actually just need that one line filter.inc change and manually add
 line under  to your config. The filter.inc
will get overwritten when you upgrade, but with the same thing so it
won't matter.


> Indeed, I knew that the solution would break multi-WAN so I wasn't hopeful
> that there'd even be a solution in pfSense. I'm happy to hear that you've
> added the ability to effectively disable reply-to. Many thanks, I've been
> recommending pfSense heartily for the past year and I'm glad that I can
> continue to use it for our needs.
>

We'll have a solution of some sort in case anyone needs to combine
static routes like that and multi-WAN, that's a rare scenario though,
and not an easy nut to crack, so it'll be 2.0 at soonest.




Re: [pfSense Support] Multiple Subnets From ISP Same Interface

2009-08-18 Thread Chris Buechler
On Tue, Aug 18, 2009 at 8:59 AM, Jesse Vollmar wrote:
>
> I'm not using CARP and I would like to use them with NAT. According to that,
> your recommendation would be to use "other" VIPs. My only question is, will
> they route properly since the ISP has this new subnet using a different
> gateway address than the first subnet.

Is it really a gateway address, i.e. they have it assigned on their
router, or are they actually routing you the entire IP block? Ideally
it will be the latter, they can and should be routing additional space
to one of your existing addresses. Then you can setup the full subnet
on an internal interface or VLAN without any ARP, or use it in
combination with NAT using Other VIPs. If they insist on having the
gateway IP on their equipment (they shouldn't, I would refuse that if
it were my ISP), you're probably stuck bridging an internal interface
or VLAN to WAN, though proxy ARP might work depending on how they have
things setup.




[pfSense Support] LSI boot issues - liveCD not booting

2009-08-18 Thread Leon Strong

Hi all,

I'm wondering if you could provide some help with an issue I'm having
installing pfsense on an IBM HS20 blade system, both the 1.2.2 and
1.2.3RC1 snapshots hang when booting (it stalls after mounting the
filesystem from cdrom) - booting in verbose mode, it seems to get an
unrecoverable error, and deadlocks.


I read on the forums there were a few MTP patches that may fix this
issue, is there a recent build that incorporates these fixes?


Cheers,

Leon.
--

*Leon Strong *| Technical Engineer
*DDI:* +64 9 950 2203 *Fax:* +64 9 302 0518
*Mobile:* +64 21 0202 8870 *Freephone:* 0800 SMX SMX (769 769)
Level 11, 290 Queen Street, Auckland, New Zealand | SMX Ltd | smx.co.nz 


SMX | Business Email Specialists
The information contained in this email and any attachments is 
confidential. If you are not
the intended recipient then you must not use, disseminate, distribute or 
copy any information
contained in this email or any attachments. If you have received this 
email in error or you
are not the originally intended recipient please contact SMX immediately 
and destroy this email.



__

This email has been scrubbed for your protection by SMX.
For more information visit http://smx.co.nz
__



Re: [pfSense Support] Multiple Subnets From ISP Same Interface

2009-08-18 Thread Jesse Vollmar
On Tue, Aug 18, 2009 at 8:39 PM, Chris Buechler  wrote:

> Is it really a gateway address, i.e. they have it assigned on their
> router, or are they actually routing you the entire IP block? Ideally
> it will be the latter, they can and should be routing additional space
> to one of your existing addresses. Then you can setup the full subnet
> on an internal interface or VLAN without any ARP, or use it in
> combination with NAT using Other VIPs. If they insist on having the
> gateway IP on their equipment (they shouldn't, I would refuse that if
> it were my ISP), you're probably stuck bridging an internal interface
> or VLAN to WAN, though proxy ARP might work depending on how they have
> things setup.
>

Part of the problem is that I am not exactly sure how they are delivering
the IPs. The ISP is Charter. I purchased from them a "static 5 pack" which
is a /29 routed subnet according to them. Here is what they sent me (I
replaced the actual numbers):
"Ok got the 5pack on the router:

IP 66.188.xx.b to .c

Subnet 255.255.255.248
Gateway 66.188.xx.a"
I am going to ask that technician about it tomorrow and see what exactly he
configured. Just to recap though, that IP info above doesn't line up with
the ranges from my other subnet. The info for the other subnet has a
different "Gateway" address than that one.


Re: [pfSense Support] LSI boot issues - liveCD not booting

2009-08-18 Thread Chris Buechler
On Tue, Aug 18, 2009 at 9:30 PM, Leon Strong wrote:
> Hi all,
>
> I'm wondering if you could provide some help with an issue I'm having
> installing pfsense on an IBM HS20 blade system, both the 1.2.2 and 1.2.3RC1
> snapshots hang when booting (it stalls after mounting the filesystem from
> cdrom) - booting in verbose mode, it seems to get an unrecoverable error,
> and deadlocks.
>
> I read on the forums there was a few MTP patches that may fix this issue, is
> there a recent build that incorporates these fixes?
>

Not sure what you're referring to, but try the FreeBSD 7.2 based 1.2.3
snapshots at http://snapshots.pfsense.org




Re: [pfSense Support] LSI boot issues - liveCD not booting

2009-08-18 Thread Lenny

Leon Strong wrote:

> Hi all,
>
> I'm wondering if you could provide some help with an issue I'm having
> installing pfsense on an IBM HS20 blade system, both the 1.2.2 and
> 1.2.3RC1 snapshots hang when booting (it stalls after mounting the
> filesystem from cdrom) - booting in verbose mode, it seems to get an
> unrecoverable error, and deadlocks.
>
> I read on the forums there were a few MTP patches that may fix this
> issue, is there a recent build that incorporates these fixes?
>
> Cheers,
>
> Leon.

Hi,
Actually, I believe it was my post you were reading, as I was the one to 
ask to patch the recent version.


Anyway, I never had the chance to install pfsense on HS20, but I did 
install on multiple x335 and x3550 and it works without a problem. I 
also think it's the same controller. By the way, the 1.2.2 version 
didn't have this problem at all, it started with 1.2.3 (FreeBSD 7.1 I 
think). But the current version of 1.2.3 does include those patches 
(approximately since 1.7.09).


So unless it's a different controller, maybe you should start digging in
another direction.


Lenny.




Re: [pfSense Support] Multiple Subnets From ISP Same Interface

2009-08-18 Thread Chris Buechler
On Tue, Aug 18, 2009 at 10:08 PM, Jesse Vollmar wrote:
>
> Part of the problem is that I am not exactly sure how they are delivering
> the IPs. The ISP is Charter. I purchased from them a "static 5 pack" which
> is a /29 routed subnet according to them. Here is what they sent me (I
> replaced the actual numbers):
> "Ok got the 5pack on the router:
>
> IP 66.188.xx.b to .c
>
> Subnet 255.255.255.248
> Gateway 66.188.xx.a"
>
> I am going to ask that technician about it tomorrow and see what exactly he
> configured. Just to recap though, that IP info above doesn't line up with
> the ranges from my other subnet. The info for the other subnet has a
> different "Gateway" address than that one.

On cable you may be stuck with no other option than NAT or bridging,
cable ISPs tend to be much less flexible with routing. Proxy ARP + NAT
should work, you can disregard the gateway in that case assuming it's
an IP alias on your current WAN gateway. If you bridge, you're going
to need extra routing setup to get from the public IP hosts on the
bridge to the other networks behind the firewall, since Charter isn't
going to route your internal networks back to your firewall and your
gateway is going to be that IP on your cable modem.




Re: [pfSense Support] Multiple Subnets From ISP Same Interface

2009-08-18 Thread Jesse Vollmar
>
>
> On cable you may be stuck with no other option than NAT or bridging,
> cable ISPs tend to be much less flexible with routing. Proxy ARP + NAT
> should work, you can disregard the gateway in that case assuming it's
> an IP alias on your current WAN gateway. If you bridge, you're going
> to need extra routing setup to get from the public IP hosts on the
> bridge to the other networks behind the firewall, since Charter isn't
> going to route your internal networks back to your firewall and your
> gateway is going to be that IP on your cable modem.
>

NAT is fine with me, but that gateway isn't a VIP on my WAN. Are you saying
that I would need to add it?


Re: [pfSense Support] Multiple Subnets From ISP Same Interface

2009-08-18 Thread Chris Buechler
On Tue, Aug 18, 2009 at 10:39 PM, Jesse Vollmar wrote:
>
> NAT is fine with me, but that gateway isn't a VIP on my WAN. Are you saying
> that I would need to add it?

Ignore the gateway, you just need proxy ARP VIPs for the usable IPs.
The gateway is just an alias on your cable modem, same as your WAN
gateway, so you don't need it.

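The distinction Chris draws in this thread (a block the ISP routes to one of your existing addresses needs no ARP and can be used as Other VIPs; a block whose gateway the ISP keeps on its own equipment is on-link, so the firewall has to answer ARP for the addresses with proxy ARP VIPs or be bridged) comes down to where the quoted gateway address sits. The following is an added example, not code from the list or from pfSense, that encodes that check with the standard library and also counts the usable addresses; the block 198.51.100.8/29 with gateway 198.51.100.9 and the WAN address 203.0.113.10 are constructed stand-ins for the 66.188.xx.a/b/c values in Jesse's message, and the function names are this example's own.

```python
"""
Added example (not from the pfSense list or pfSense itself): given an
ISP-supplied block, the gateway the ISP quoted for it and the addresses the
firewall already holds, decide whether the block is delivered routed or
on-link, and list the addresses you can actually assign.
All addresses used here are constructed from documentation ranges.
"""
import ipaddress


def classify_block(block, isp_gateway, own_addresses):
    """'on-link' if the quoted gateway lies inside the block (the ISP keeps the
    gateway on its router and expects ARP for the rest, Charter-style);
    'routed' if the gateway is one of the firewall's own existing addresses
    (the ISP routes the block to you, no ARP needed); 'unclear' otherwise,
    which is the case to take back to the ISP before configuring anything."""
    net = ipaddress.ip_network(block, strict=True)
    gw = ipaddress.ip_address(isp_gateway)
    if gw in net:
        return "on-link"
    if gw in {ipaddress.ip_address(a) for a in own_addresses}:
        return "routed"
    return "unclear"


def usable_addresses(block, isp_gateway):
    """Host addresses you may assign: network and broadcast are never usable,
    and the ISP gateway is excluded when it lives inside the block."""
    net = ipaddress.ip_network(block, strict=True)
    gw = ipaddress.ip_address(isp_gateway)
    return [str(h) for h in net.hosts() if h != gw]


def vip_plan(block, isp_gateway, own_addresses):
    """Map the delivery model onto the pfSense VIP type that fits it
    (NAT use case, no CARP): proxy ARP for on-link, Other for routed."""
    kind = classify_block(block, isp_gateway, own_addresses)
    vip_type = {"on-link": "proxy ARP", "routed": "other", "unclear": None}[kind]
    return {
        "kind": kind,
        "vip_type": vip_type,
        "usable": usable_addresses(block, isp_gateway),
    }


if __name__ == "__main__":
    # constructed stand-in for the "static 5 pack": /29 with the gateway inside it
    print(vip_plan("198.51.100.8/29", "198.51.100.9", ["203.0.113.10"]))
    # constructed routed delivery: the same /29 routed to the firewall's WAN address
    print(vip_plan("198.51.100.8/29", "203.0.113.10", ["203.0.113.10"]))
```

For the on-link case the /29 yields exactly five assignable addresses, which is where a "static 5 pack" comes from; routed delivery of the same block would give six, since no address has to be burned on the ISP's gateway. An "unclear" result means the quoted gateway is neither inside the block nor one of your addresses, and that is the question to put to the ISP technician rather than guessing.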