[pfSense Support] squid clobbering performance

2009-10-01 Thread mayak chunder-qwern
hi all,

any reason (or what can i look at) to see why squid transparent proxying
is heavily slowing web access ... (w/out proxy, dell.fr takes 3-5 secs,
with proxy, dell.fr takes 20+ or more)

running latest stable version in a vmware virtual machine with nice
hardware.

thanks

mcq


-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org



Re: [pfSense Support] squid clobbering performance

2009-10-01 Thread Abdulrehman
Simply bypass this website from squid.. make your squid not cache any
content of this site...

On Thu, Oct 1, 2009 at 12:38 PM, mayak chunder-qwern
wrote:

> hi all,
>
> any reason (or what can i look at) to see why squid transparent proxying
> is heavily slowing web access ... (w/out proxy, dell.fr takes 3-5 secs,
> with proxy, dell.fr takes 20+ or more)
>
> running latest stable version in a vmware virtual machine with nice
> hardware.
>
> thanks
>
> mcq
>


-- 
Regards
Abdulrehman


Re: [pfSense Support] squid clobbering performance

2009-10-01 Thread mayak chunder-qwern
On Thu, 2009-10-01 at 13:06 +0500, Abdulrehman wrote:
> Simply bypass this website from squid.. make your squid not cache
> any content of this site...

> Regards
> Abdulrehman

i should have been more specific -- all web traffic is slowed, i just
gave dell.fr as an example ...

cheers

mcq





Re: [pfSense Support] One check-box is missing in Rules-Edit-Advanced of 1.2.3-RC3 snapshot

2009-10-01 Thread Ermal Luçi
On Wed, Sep 30, 2009 at 11:48 PM, Evgeny Yurchenko  wrote:
> Scott Ullrich wrote:
>>
>> On Wed, Sep 30, 2009 at 5:27 PM, Evgeny Yurchenko 
>> wrote:
>>
>>>
>>> Well, I am sorry for confusion... but could you please confirm that this
>>> is
>>> from 2.0 filter.inc, starting at line 1961:
>>>                      if ($type == "pass") {
>>>                              if (isset($rule['allowopts']))
>>>                                      $aline['allowopts'] = " allow-opts ";
>>>                              if( isset($rule['source-track']) or isset($rule['max-src-nodes']) or isset($rule['max-src-states']) )
>>>                                      if($rule['protocol'] == "tcp")
>>>                                              $aline['flags'] = "flags S/SA ";
>>>
>>
>> No, I see:
>>
>>                                $cron_item = array();
>>
>>
>>>
>>> PS: I must stop playing with pfSense -(((
>>>
>>
>> Why do you say that?
>>
>> Scott
>>
>
> Because it would be stupid to copy at least two files filter.inc and
> firewall_rules_edit.php from 2.0 to 1.2.2. And I do not recall I modified

Good luck in doing this!

> this part of these files on any of my test boxes, but I do remember I was
> happy when I discovered this check-box... Now I am not sure on which version
> I discovered it first... Mystery...
> firewall_rules_edit.php on my 1.2.2 box is 35773 bytes in size.  On 2.0 it
> is 49332. Ok, may be I am too tired today. Just note for myself: this
> check-box is available starting from 2.0.
>
> Thanks anyway and sorry for this mess.
> Evgeny.
>



-- 
Ermal




Re: [pfSense Support] squid clobbering performance

2009-10-01 Thread Abdulrehman
check your cache management settings... i guess there is something wrong with
the cache... check on which interface your squid is listening... it should be the LAN
interface.

On Thu, Oct 1, 2009 at 1:18 PM, mayak chunder-qwern wrote:

> On Thu, 2009-10-01 at 13:06 +0500, Abdulrehman wrote:
> > Simply bypass this website from squid.. make your squid not cache
> > any content of this site...
> 
> > Regards
> > Abdulrehman
>
> i should have been more specific -- all web traffic is slowed, i just
> gave dell.fr as an example ...
>
> cheers
>
> mcq
>


-- 
Regards
Abdulrehman


Re: [pfSense Support] squid clobbering performance

2009-10-01 Thread Paul Mansfield

On 01/10/09 08:38, mayak chunder-qwern wrote:

hi all,

any reason (or what can i look at) to see why squid transparent proxying
is heavily slowing web access ... (w/out proxy, dell.fr takes 3-5 secs,
with proxy, dell.fr takes 20+ or more)



have you restricted the amount of memory squid can use?





Re: [pfSense Support] squid clobbering performance

2009-10-01 Thread Morgan Reed
On Thu, Oct 1, 2009 at 17:38, mayak chunder-qwern  wrote:
> any reason (or what can i look at) to see why squid transparent proxying
> is heavily slowing web access ... (w/out proxy, dell.fr takes 3-5 secs,
> with proxy, dell.fr takes 20+ or more)

Are you using Squid for caching? If you are your cache is most likely
misconfigured. If you don't require caching turn it off and see how it
behaves itself.




Re: [pfSense Support] squid clobbering performance

2009-10-01 Thread mayak chunder-qwern
On Thu, 2009-10-01 at 10:33 +0100, Paul Mansfield wrote:
> On 01/10/09 08:38, mayak chunder-qwern wrote:
> > hi all,
> >
> > any reason (or what can i look at) to see why squid transparent proxying
> > is heavily slowing web access ... (w/out proxy, dell.fr takes 3-5 secs,
> > with proxy, dell.fr takes 20+ or more)
> 
> 
> have you restricted the amount of memory squid can use?

hi paul, hi morgan,

i thought of cache corruption, so i killed squid, did a squid -z, squid
-k reconfigure -- still no joy. un-installed squid, reinstalled, etc.,
and i still get enormous lag.

below is config ...

cheers

mcq


General Settings
proxy interface: lan
allow users on interface: checked
transparent proxy: checked
bypass for rfc 1918: no
bypass source ips: no
enable logging: no
log store: /var/squid/log
log rotate: empty
proxy port: 3128
icp port: empty
visible hostname: localhost
admin mail: ad...@localhost
lang: english
disable x-forward: checked
disable via: checked
requests with whitespace: allow
alternate dns: empty
suppress version: checked
custom options: empty

Cache Management
cache size 1500
cache fs: aufs
cache loc: /var/squid/cache
mem cache size: 64
minimum object: 1000
max object: 10
level 1 dirs: 16
mem replacement: Heap GDSF
cache replacement: Heap LFUDA
low water: 90
high water: 95
don't cache: empty
enable offline: no






Re: [pfSense Support] squid clobbering performance

2009-10-01 Thread Paul Mansfield



I assume you're retyping the config rather than giving us
"grep -v ^# squid.conf"

you sure the cache size 1500 is 1500MB and not 1500KB? is it using
sufficient disk space? if the disk cache is too small it'll be pointless
having it.


also, have you turned the logging level up too far? if you log too much it
can thrash a small system.








[pfSense Support] why delete captive portal accts on expiry?

2009-10-01 Thread Pete Boyd

Why are captive portal accounts automatically deleted when they expire?

To my mind, it would be more useful if they were left in place, expired,
so that to re-enable them for the admin person was an easy task of just
choosing a new expiry date.

As it is, when we have a user pay again for their Internet access, rather
than just paying remotely and telephoning in that they've done so, they
have to come in to where the admin person is in order to re-enter their
password (for privacy/security reasons).

Pete Boyd





Re: [pfSense Support] squid clobbering performance

2009-10-01 Thread mayak chunder-qwern
On Thu, 2009-10-01 at 14:02 +0100, Paul Mansfield wrote:
> 
> I assume you're retyping the config rather than giving us
> "grep -v ^# squid.conf"
> 
> you sure the cache size 1500 is 1500MB and not 1500KB? is it using 
> sufficient disk space? if the disk cache is too small it'll be pointless 
> having it.
> 
> also, have you turned logging level up too far, if you log too much it 
> can thrash a small system.

"grep -v ^# squid.conf"

doh!!!

mcq


here's the conf in its entirety

http_port 172.16.32.254:3128
http_port 127.0.0.1:80 transparent
icp_port 0

pid_filename /var/run/squid.pid
cache_effective_user proxy
cache_effective_group proxy
error_directory /usr/local/etc/squid/errors/English
icon_directory /usr/local/etc/squid/icons
visible_hostname localhost
cache_mgr ad...@localhost
access_log /dev/null
cache_log /var/squid/log/cache.log
cache_store_log none
shutdown_lifetime 3 seconds
acl localnet src  172.16.32.0/255.255.255.0
forwarded_for off
via off
httpd_suppress_version_string on
uri_whitespace allow

cache_dir aufs /var/squid/cache 1500 16 256
cache_mem 64 MB
maximum_object_size 100 KB
minimum_object_size 100 KB
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF
offline_mode off
dns_children 32
cache_swap_low 90
cache_swap_high 95

acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 3128 1025-65535
acl sslports port 443 563 
acl manager proto cache_object
acl purge method PURGE
acl connect method CONNECT
acl dynamic urlpath_regex cgi-bin \?
cache deny dynamic

http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports
http_access allow localhost

request_body_max_size 0 KB
reply_body_max_size 0 allow all
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_initial_bucket_level 100
delay_access 1 allow all

http_access allow localnet
http_access deny all



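An added example, not part of the thread or of the pfSense squid package: a small Python lint over the cache-related lines of the squid.conf posted above. It answers Paul's MB-vs-KB question from the cache_dir line (that size field is megabytes) and flags bounds that would defeat the cache; the sample conf below is constructed from lines in the post, and the finding codes are this example's own.

```python
# Added example, not the thread's or the pfSense package's code.
# Constructed sample: the cache-related lines from the squid.conf posted above.
SAMPLE_CONF = """\
http_port 172.16.32.254:3128
http_port 127.0.0.1:80 transparent
access_log /dev/null
cache_log /var/squid/log/cache.log
cache_dir aufs /var/squid/cache 1500 16 256
cache_mem 64 MB
maximum_object_size 100 KB
minimum_object_size 100 KB
cache_swap_low 90
cache_swap_high 95
"""

UNITS = {"bytes": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


def parse_conf(text):
    """Map each directive to the list of argument lists it occurs with,
    skipping blank lines and '#' comments (what 'grep -v ^#' would leave)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            conf.setdefault(parts[0], []).append(parts[1:])
    return conf


def size_bytes(args):
    """'100 KB' -> 102400. The byte-size directives here carry an explicit unit."""
    if len(args) < 2 or args[1] not in UNITS:
        raise ValueError(f"size needs a unit, got {args!r}")
    return int(args[0]) * UNITS[args[1]]


def lint(text):
    """Return a list of (code, message) findings about the cache settings."""
    conf = parse_conf(text)
    findings = []
    for args in conf.get("cache_dir", []):
        fs, path, mbytes, l1, l2 = args[:5]
        mbytes, l1, l2 = int(mbytes), int(l1), int(l2)
        # cache_dir's size field is megabytes, so "1500" here is 1500 MB.
        findings.append(("CACHE_DIR",
                         f"{path}: {fs}, {mbytes} MB ({mbytes / 1024:.2f} GB), L1={l1} L2={l2}"))
    if "cache_mem" in conf:
        mem_mb = size_bytes(conf["cache_mem"][-1]) // UNITS["MB"]
        findings.append(("CACHE_MEM", f"{mem_mb} MB in-memory cache"))
    if "maximum_object_size" in conf and "minimum_object_size" in conf:
        mx = size_bytes(conf["maximum_object_size"][-1])
        mn = size_bytes(conf["minimum_object_size"][-1])
        if mn >= mx:
            # Objects smaller than the minimum and larger than the maximum are
            # not stored, so an inverted or collapsed range leaves almost nothing cacheable.
            findings.append(("OBJECT_SIZE_RANGE",
                             f"minimum_object_size ({mn} B) >= maximum_object_size ({mx} B): "
                             "almost nothing qualifies for the disk cache"))
    low = int(conf["cache_swap_low"][-1][0]) if "cache_swap_low" in conf else None
    high = int(conf["cache_swap_high"][-1][0]) if "cache_swap_high" in conf else None
    if low is not None and high is not None and low >= high:
        findings.append(("SWAP_WATERMARKS",
                         f"cache_swap_low {low} must be below cache_swap_high {high}"))
    for args in conf.get("access_log", []):
        if args and args[0] == "/dev/null":
            findings.append(("ACCESS_LOG_OFF",
                             "access_log /dev/null: no per-request log to troubleshoot "
                             "slow fetches or to review client activity"))
    return findings


if __name__ == "__main__":
    for code, msg in lint(SAMPLE_CONF):
        print(f"{code:18} {msg}")
```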



Re: [pfSense Support] squid clobbering performance

2009-10-01 Thread Jim Pingle
mayak chunder-qwern wrote:
> hi all,
> 
> any reason (or what can i look at) to see why squid transparent proxying
> is heavily slowing web access ... (w/out proxy, dell.fr takes 3-5 secs,
> with proxy, dell.fr takes 20+ or more)
> 
> running latest stable version in a vmware virtual machine with nice
> hardware.

Have you tried the suggestion listed here?

http://doc.pfsense.org/index.php/Squid_Package_Tuning#Performance_Tweaks

Jim




Re: [pfSense Support] squid clobbering performance

2009-10-01 Thread David Burgess
On Thu, Oct 1, 2009 at 7:57 AM, Jim Pingle  wrote:
> mayak chunder-qwern wrote:
>> hi all,
>>
>> any reason (or what can i look at) to see why squid transparent proxying
>> is heavily slowing web access ... (w/out proxy, dell.fr takes 3-5 secs,
>> with proxy, dell.fr takes 20+ or more)


My connection speed would undulate with squid until I followed the
instructions in the last post here:
http://forum.pfsense.org/index.php/topic,7186.msg59302.html#msg59302

Careful, the syntax is a little inconsistent in the post. Mine looks like this:

# cat /boot/loader.conf
autoboot_delay="1"
vm.kmem_size="435544320"
vm.kmem_size_max="535544320"
console="comconsole"
#squid custom
hint.apic.0.disabled=1
kern.ipc.nmbclusters="32768"
kern.maxfiles="65536"
kern.maxfilesperproc="32768"
net.inet.ip.portrange.last="65535"

and works great. My internet is a solid 5.5mbps as it should be, and
I've seen downloads come out of cache at 30 mbps.

db




[pfSense Support] PORT command in ftp proxy

2009-10-01 Thread Vick Khera
I'm trying to figure out how to make my ftp service pass the PCI
security compliance (we take credit cards, so need the compliance).  I
have pfSense 1.2.2 running the ftp proxy to my internal box, which is
a FreeBSD 7.2 server running the stock ftpd.

A probe from the outside looks like this:

>telnet 66.250.193.115 21
USER anonymous
PASS word
PORT 66,250,193,115,21,178

and it responds

200 PORT command successful.

In fact, it responds successful to connect to any IP and any port.

If I telnet to port 21 from inside the lan to the same freebsd server
and issue a PORT command to any host other than the one from where I
am connecting I get:

500 Illegal PORT range rejected.

The FreeBSD ftpd's PORT command by default is limited to privileged
ports on the same host as is connected to it.

It seems that the PORT command is handled directly by the proxy (which
makes sense).  Is there a way to restrict the proxy to this same
security restriction?  I understand it violates the FTP protocol
technically, but in practice it doesn't break anything other than
abuse attempts.

Short of disabling the ftp service altogether (which would be a hassle
for customers uploading data to us) what can I do to tighten the ftp
proxy?



Relevant section from ftpd man page:

     -R  With this option set, ftpd will revert to historical behavior
         with regard to security checks on user operations and
         restrictions on PORT requests.  Currently, ftpd will only honor
         PORT commands directed to unprivileged ports on the remote
         user's host (which violates the FTP protocol specification but
         closes some security holes).

and from the security scanning company's description:

It is possible to force the FTP server to connect to third parties
hosts, by using the PORT command, aka FTP bounce.

The FTP bounce attack is used for establishing a connection to an
arbitrary machine by exploiting the PORT command. The basis for
successful attacks is in the RFC requirements. The RFC allows the
originating server to specify an arbitrary host and port to establish
a data connection.

This gives an attacker the ability to specify any host and port of
their choosing. If the target host is in a protected network, an
attacker can use FTP bounce to bypass firewall restrictions as well as
have the ability to discreetly perform port scans from the connected
host.

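An added example, not from the thread or from pftpx: the PORT policy the quoted ftpd man page describes (a data connection only back to the control connection's peer, and only to an unprivileged port), written as a standalone Python validator so the scanner's probe can be replayed against it. The scanner address 198.51.100.7, the 501 reply text and the pass-through reply for non-PORT commands are constructed; the 200 and 500 replies are the ones quoted in the post.

```python
# Added example, not the thread's or pftpx's code.
import ipaddress
import re

# PORT argument format from RFC 959: h1,h2,h3,h4,p1,p2 with port = p1*256 + p2.
PORT_RE = re.compile(r"^(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")

# Reply lines quoted in the thread (200 / 500); the 501 text is constructed.
REPLY_OK = "200 PORT command successful."
REPLY_REJECT = "500 Illegal PORT range rejected."
REPLY_SYNTAX = "501 Syntax error in PORT argument."


def parse_port_arg(arg):
    """Return (IPv4Address, port) for 'h1,h2,h3,h4,p1,p2'; ValueError if malformed."""
    m = PORT_RE.match(arg.strip())
    if m is None:
        raise ValueError("malformed PORT argument")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range")
    host = ipaddress.IPv4Address(".".join(str(f) for f in fields[:4]))
    return host, fields[4] * 256 + fields[5]


def check_port_command(arg, peer_ip):
    """Apply ftpd's default policy: the data connection may only go back to the
    control connection's peer, and only to an unprivileged port (>= 1024).
    Returns (accepted, reply_line, reason)."""
    try:
        host, port = parse_port_arg(arg)
    except ValueError as exc:
        return False, REPLY_SYNTAX, str(exc)
    if host != ipaddress.IPv4Address(peer_ip):
        # Third-party host: the FTP bounce case the scanner flagged.
        return False, REPLY_REJECT, "host differs from control-connection peer"
    if port < 1024:
        return False, REPLY_REJECT, "privileged destination port"
    return True, REPLY_OK, "ok"


def replay_session(peer_ip, commands):
    """Run a list of control-channel commands from peer_ip through the check.
    Only PORT is policed here; other verbs get a constructed placeholder reply."""
    replies = []
    for line in commands:
        verb, _, arg = line.partition(" ")
        if verb.upper() == "PORT":
            accepted, reply, _reason = check_port_command(arg, peer_ip)
            replies.append(reply)
        else:
            replies.append("200 OK (placeholder)")
    return replies


# Constructed replay of the probe quoted in the thread: the scanner (given the
# documentation address 198.51.100.7 here) asks the server to open a data
# connection to 66.250.193.115:5554, a host other than the scanner itself.
SCANNER_IP = "198.51.100.7"
PROBE = ["USER anonymous", "PASS word", "PORT 66,250,193,115,21,178"]

if __name__ == "__main__":
    for cmd, reply in zip(PROBE, replay_session(SCANNER_IP, PROBE)):
        print(f"> {cmd}\n< {reply}")
```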



Re: [pfSense Support] squid clobbering performance [solved]

2009-10-01 Thread mayak chunder-qwern
On Thu, 2009-10-01 at 08:18 -0600, David Burgess wrote:
> On Thu, Oct 1, 2009 at 7:57 AM, Jim Pingle  wrote:
> > mayak chunder-qwern wrote:
> >> hi all,
> >>
> >> any reason (or what can i look at) to see why squid transparent proxying
> >> is heavily slowing web access ... (w/out proxy, dell.fr takes 3-5 secs,
> >> with proxy, dell.fr takes 20+ or more)
> 
> 
> My connection speed would undulate with squid until I followed the
> instructions in the last post here:
> http://forum.pfsense.org/index.php/topic,7186.msg59302.html#msg59302
> 
> Careful, the syntax is a little inconsistent in the post. Mine looks like 
> this:
> 
> # cat /boot/loader.conf
> autoboot_delay="1"
> vm.kmem_size="435544320"
> vm.kmem_size_max="535544320"
> console="comconsole"
> #squid custom
> hint.apic.0.disabled=1
> kern.ipc.nmbclusters="32768"
> kern.maxfiles="65536"
> kern.maxfilesperproc="32768"
> net.inet.ip.portrange.last="65535"
> 
> and works great. My internet is a solid 5.5mbps as it should be, and
> I've seen downloads come out of cache at 30 mbps.

david,

oh yea ... boom, boom, boom ... amazing difference.

thanks a million

mcq






Re: [pfSense Support] PORT command in ftp proxy

2009-10-01 Thread Chris Buechler
On Thu, Oct 1, 2009 at 10:41 AM, Vick Khera  wrote:
> I'm trying to figure out how to make my ftp service pass the PCI
> security compliance (we take credit cards, so need the compliance).  I
> have pfSense 1.2.2 running the ftp proxy to my internal box, which is
> a FreeBSD 7.2 server running the stock ftpd.
>
> A probe from the outside looks like this:
>
>>telnet 66.250.193.115 21
> USER anonymous
> PASS word
> PORT 66,250,193,115,21,178
>
> and it responds
>
> 200 PORT command successful.
>
> In fact, it responds successful to connect to any IP and any port.
>

There's quite a bit of irony in using FTP yet wanting to be PCI compliant.

But to the point, what exactly is the setup you have here? NAT, public
IPs routed, bridged? I get dropped when trying an invalid port.




Re: [pfSense Support] PORT command in ftp proxy

2009-10-01 Thread Evgeny Yurchenko

Vick Khera wrote:

I'm trying to figure out how to make my ftp service pass the PCI
security compliance (we take credit cards, so need the compliance).  I
have pfSense 1.2.2 running the ftp proxy to my internal box, which is
a FreeBSD 7.2 server running the stock ftpd.

A probe from the outside looks like this:

telnet 66.250.193.115 21
USER anonymous
PASS word
PORT 66,250,193,115,21,178

and it responds

200 PORT command successful.

In fact, it responds successful to connect to any IP and any port.

If I telnet to port 21 from inside the lan to the same freebsd server
and issue a PORT command to any host other than the one from where I
am connecting I get:

500 Illegal PORT range rejected.

The FreeBSD ftpd's PORT command by default is limited to privileged
ports on the same host as is connected to it.


  
I do not believe pftpx has a setting for this. I would disable ftp-helper on 
WAN and use NAT port-forwarding to your FreeBSD ftp-server (I use 
pfSense in this way).

Evgeny.




Re: [pfSense Support] PORT command in ftp proxy

2009-10-01 Thread Vick Khera
On Thu, Oct 1, 2009 at 1:25 PM, Chris Buechler  wrote:
> There's quite a bit of irony in using FTP yet wanting to be PCI compliant.
>

I suppose to some extent.  However, it is the ideal tool for the job
of collecting large data files from arbitrary customers who do not
have their own servers, and only need to upload a file once ever.

If only sftp had "anonymous" mode I'd be a happy guy :-)

> But to the point, what exactly is the setup you have here? NAT, public
> IPs routed, bridged? I get dropped when trying an invalid port.
>

Plain old NAT on the firewall.  There's a hardware load balancer in
front, but it is just doing pass-thru for this IP.




Re: [pfSense Support] PORT command in ftp proxy

2009-10-01 Thread Vick Khera
On Thu, Oct 1, 2009 at 1:41 PM, Evgeny Yurchenko  wrote:
> I do not believe pftpx has a setting for this. I would disable ftp-helper on WAN
> and use NAT port-forwarding to your FreeBSD ftp-server (I use pfSense in
> this way).

How portable is this to various ftp clients?  I've done this in the
past but it failed with some ftp clients, as I recall.




Re: [pfSense Support] PORT command in ftp proxy

2009-10-01 Thread Keenan Tims
It works fine if you set everything up properly, but since many  
clients will use passive mode by default to get through NAT, you will  
need to forward a port range for passive mode use and configure your  
FTP server to use that port range.


Unfortunately, as far as I know there's no (easy, anyway...) way to  
have the firewall/NAT rules triggered automagically when a PASV  
request is made, so those ports will always be open to the internal  
machine, which might cause you other certification issues. I seem to  
recall that when I was using Linux iptables to do NAT there was an ftp  
connection tracking module that could do this automatically, but as  
far as I can tell FreeBSD (or at least pfSense) doesn't have this  
capability.


Keenan

Quoting Vick Khera :

On Thu, Oct 1, 2009 at 1:41 PM, Evgeny Yurchenko  
 wrote:

I do not believe pftpx has a setting for this. I would disable ftp-helper on WAN
and use NAT port-forwarding to your FreeBSD ftp-server (I use pfSense in
this way).


How portable is this to various ftp clients?  I've done this in the
past but it failed with some ftp clients, as I recall.










Re: [pfSense Support] PORT command in ftp proxy

2009-10-01 Thread Zaharioudakis Nikos

Hi

I personally think that FTP could never pass the PCI criteria, as the
transmission has no encryption and the "anonymous" user does not comply
anyway (you always need user authentication so as to log who
tried/succeeded etc).
So sftp is perhaps your best alternative. Maybe you can play with a pam
module for ldap or AD in order to have central authentication for
your customers.


Kind regards,
Nikos

Walking with Zimbra mobile
 ...using iPhone
Zaharioudakis Nikos
+30 694 720 40 63

On 01 Oct 2009, at 17:41, Vick Khera  wrote:


I'm trying to figure out how to make my ftp service pass the PCI
security compliance (we take credit cards, so need the compliance).  I
have pfSense 1.2.2 running the ftp proxy to my internal box, which is
a FreeBSD 7.2 server running the stock ftpd.

A probe from the outside looks like this:


telnet 66.250.193.115 21

USER anonymous
PASS word
PORT 66,250,193,115,21,178

and it responds

200 PORT command successful.

In fact, it responds successful to connect to any IP and any port.

If I telnet to port 21 from inside the lan to the same freebsd server
and issue a PORT command to any host other than the one from where I
am connecting I get:

500 Illegal PORT range rejected.

The FreeBSD ftpd's PORT command by default is limited to privileged
ports on the same host as is connected to it.

It seems that the PORT command is handled directly by the proxy (which
makes sense).  Is there a way to restrict the proxy to this same
security restriction?  I understand it violates the FTP protocol
technically, but in practice it doesn't break anything other than
abuse attempts.

Short of disabling the ftp service altogether (which would be a hassle
for customers uploading data to us) what can I do to tighten the ftp
proxy?



Relevant section from ftpd man page:

     -R  With this option set, ftpd will revert to historical behavior
         with regard to security checks on user operations and
         restrictions on PORT requests.  Currently, ftpd will only honor
         PORT commands directed to unprivileged ports on the remote
         user's host (which violates the FTP protocol specification but
         closes some security holes).

and from the security scanning company's description:

It is possible to force the FTP server to connect to third parties
hosts, by using the PORT command, aka FTP bounce.

The FTP bounce attack is used for establishing a connection to an
arbitrary machine by exploiting the PORT command. The basis for
successful attacks is in the RFC requirements. The RFC allows the
originating server to specify an arbitrary host and port to establish
a data connection.

This gives an attacker the ability to specify any host and port of
their choosing. If the target host is in a protected network, an
attacker can use FTP bounce to bypass firewall restrictions as well as
have the ability to discreetly perform port scans from the connected
host.







[pfSense Support] Sorry for top posting

2009-10-01 Thread Zaharioudakis Nikos
I apologize top posting on my previous message. I was on the run with  
a mobile device.

Regards,
Nikos

Walking with Zimbra mobile
 ...using iPhone
Zaharioudakis Nikos
+30 694 720 40 63




Re: [pfSense Support] PORT command in ftp proxy

2009-10-01 Thread Evgeny Yurchenko

Vick Khera wrote:

On Thu, Oct 1, 2009 at 1:41 PM, Evgeny Yurchenko  wrote:

I do not believe pftpx has a setting for this. I would disable ftp-helper on WAN
and use NAT port-forwarding to your FreeBSD ftp-server (I use pfSense in
this way).

How portable is this to various ftp clients?  I've done this in the
past but it failed with some ftp clients, as I recall.

It is 100% (well, let's put 99%) portable if you know what you are doing. 
Set up a test box and we'll configure it for this mode.
As was fairly mentioned, you will have to have some port range mapped to 
your FTP server, but this port range is fixed and I can't see how it can 
be used somehow to hack your FTP server, as anyway if this port is 
listening on the FTP server it means the ftp process expects a connection on it in 
passive mode. No other process takes any port from this range and starts 
listening on it.

Evgeny.




[pfSense Support] Vista DHCP Issue

2009-10-01 Thread Curtis LaMasters
I've searched around and read about others with this issue.  Basically
I have 5 different Vista laptops that cannot get a DHCP address unless
I modify the registry and disable a broadcast setting.  Does anybody
have a solution to this that would prevent me from having to touch
each workstation?  They are public computers and not part of a domain
otherwise I would just do it via GPO.

Curtis LaMasters
http://www.curtis-lamasters.com
http://www.builtnetworks.com




[pfSense Support] Load Balanced Passive FTP?

2009-10-01 Thread Nathan Eisenberg
Is there a way to load balance a range of ports with one rule?  For example, I 
have a 100 port passive FTP range defined.  Do I have to create 100 load 
balancer rules?

1.2.3

Best Regards,
Nathan Eisenberg
Sr. Systems Administrator - Atlas Networks, LLC
office: 206.577.3078 | suncadia: 206.210.5450
www.atlasnetworks.us | www.suncadianet.com


Re: [pfSense Support] Load Balanced Passive FTP?

2009-10-01 Thread Curtis LaMasters
On Thu, Oct 1, 2009 at 3:57 PM, Nathan Eisenberg
 wrote:
> Is there a way to load balance a range of ports with one rule?  For example, 
> I have a 100 port passive FTP range defined.  Do I have to create 100 load 
> balancer rules?
>
> 1.2.3
>
> Best Regards,
> Nathan Eisenberg
> Sr. Systems Administrator - Atlas Networks, LLC
> office: 206.577.3078 | suncadia: 206.210.5450
> www.atlasnetworks.us | www.suncadianet.com

Would an alias work?

Curtis LaMasters
http://www.curtis-lamasters.com
http://www.builtnetworks.com




Re: [pfSense Support] Vista DHCP Issue

2009-10-01 Thread Jim Pingle
Curtis LaMasters wrote:
> I've searched around and read about others with this issue.  Basically
> I have 5 different Vista laptops that cannot get a DHCP address unless
> I modify the registry and disable a broadcast setting.  Does anybody
> have a solution to this that would prevent me from having to touch
> each workstation?  They are public computers and not part of a domain
> otherwise I would just do it via GPO.

This one is new to me. I have Vista machines at home and at work, and at
customer sites all behind pfSense and I've never had a problem obtaining
an IP address from DHCP.

Is there some other contributing factor perhaps?





Re: [pfSense Support] Vista DHCP Issue

2009-10-01 Thread Chris Buechler
On Thu, Oct 1, 2009 at 4:10 PM, Curtis LaMasters
 wrote:
> I've searched around and read about others with this issue.  Basically
> I have 5 different Vista laptops that cannot get a DHCP address unless
> I modify the registry and disable a broadcast setting.  Does anybody
> have a solution to this that would prevent me from having to touch
> each workstation?

If you can find a solution for ISC dhcpd we'd implement it. I'm not
sure exactly how that ends up set on some Vista systems but not
others.




Re: [pfSense Support] Load Balanced Passive FTP?

2009-10-01 Thread Chris Buechler
On Thu, Oct 1, 2009 at 4:57 PM, Nathan Eisenberg
 wrote:
> Is there a way to load balance a range of ports with one rule?

Same way you load balance one port. Create a rule that specifies the range.




Re: [pfSense Support] Vista DHCP Issue

2009-10-01 Thread Jim Pingle
Chris Buechler wrote:
> On Thu, Oct 1, 2009 at 4:10 PM, Curtis LaMasters
>  wrote:
>> I've searched around and read about others with this issue.  Basically
>> I have 5 different Vista laptops that cannot get a DHCP address unless
>> I modify the registry and disable a broadcast setting.  Does anybody
>> have a solution to this that would prevent me from having to touch
>> each workstation?
> 
> If you can find a solution for ISC dhcpd we'd implement it. I'm not
> sure exactly how that ends up set on some Vista systems but not
> others.

My repair bench segment is also behind pfSense, and it has seen hundreds
of different machines of all makes and models, many of them using Vista,
and I've not had one yet that couldn't pull an IP address from DHCP on
pfSense. It's always Just Worked(tm)

Could this be induced by the switch, perhaps?

Jim




Re: [pfSense Support] Vista DHCP Issue

2009-10-01 Thread Chris Buechler
On Thu, Oct 1, 2009 at 6:07 PM, Jim Pingle  wrote:
> Chris Buechler wrote:
>> On Thu, Oct 1, 2009 at 4:10 PM, Curtis LaMasters
>>  wrote:
>>> I've searched around and read about others with this issue.  Basically
>>> I have 5 different Vista laptops that cannot get a DHCP address unless
>>> I modify the registry and disable a broadcast setting.  Does anybody
>>> have a solution to this that would prevent me from having to touch
>>> each workstation?
>>
>> If you can find a solution for ISC dhcpd we'd implement it. I'm not
>> sure exactly how that ends up set on some Vista systems but not
>> others.
>
> My repair bench segment is also behind pfSense, and it has seen hundreds
> of different machines of all makes and models, many of them using Vista,
> and I've not had one yet that couldn't pull an IP address from DHCP on
> pfSense. It's always Just Worked(tm)
>
> Could this be induced by the switch, perhaps?
>

It's the DHCP broadcast flag that causes problems.
http://support.microsoft.com/kb/928233

I'm not sure why it's inconsistent. I suspect some PC manufacturers
probably changed that default to avoid support headaches.

Windows 7 switched it back to "off" by default so obviously MS
realized what a wreck that one was in Vista (one of a long list).




RE: [pfSense Support] Load Balanced Passive FTP?

2009-10-01 Thread Nathan Eisenberg

> -Original Message-
> From: Chris Buechler [mailto:cbuech...@gmail.com]
> Sent: Thursday, October 01, 2009 2:58 PM
> To: support@pfsense.com
> Subject: Re: [pfSense Support] Load Balanced Passive FTP?
> 
> On Thu, Oct 1, 2009 at 4:57 PM, Nathan Eisenberg
>  wrote:
> > Is there a way to load balance a range of ports with one rule?
> 
> Same way you load balance one port. Create a rule that specifies the
> range.
> 

Not sure I follow... If I go to set up a new pool with a port range, I get:

'The following input errors were detected:
* The port must be an integer between 1 and 65535.'

Best Regards,
Nathan Eisenberg






Re: [pfSense Support] Load Balanced Passive FTP?

2009-10-01 Thread Chris Buechler
On Thu, Oct 1, 2009 at 7:02 PM, Nathan Eisenberg
 wrote:
>
>> -Original Message-
>> From: Chris Buechler [mailto:cbuech...@gmail.com]
>> Sent: Thursday, October 01, 2009 2:58 PM
>> To: support@pfsense.com
>> Subject: Re: [pfSense Support] Load Balanced Passive FTP?
>>
>> On Thu, Oct 1, 2009 at 4:57 PM, Nathan Eisenberg
>>  wrote:
>> > Is there a way to load balance a range of ports with one rule?
>>
>> Same way you load balance one port. Create a rule that specifies the
>> range.
>>
>
> Not sure I follow... If I go to set up a new pool with a port-range, I get :
>
> 'The following input errors were detected:
>    * The port must be an integer between 1 and 65535.'
>

Oh, for inbound load balancing, I thought you meant outbound. No, no
way to do that for a range without putting in one for each port. You
can't balance a passive FTP port range like that anyway; there's no
correspondence between the state on the control channel and the data
channel, so they would likely end up going to different servers.




Re: [pfSense Support] Quad NIC's?

2009-10-01 Thread Joshua Schmidlkofer

On 9/22/09 8:07 PM, Morgan Reed wrote:
> On Wed, Sep 23, 2009 at 10:26, Luke Jaeger  wrote:
>> Are there any known issues with quad NIC cards on a pfSense box?
>
> Should be fine, your average (decent) quad NIC is a PCI(express)
> bridge on a card with what essentially amounts to 4 individual network
> adapters on it, far as pfSense is concerned there's 4 NICs (of
> whatever variety) plugged in.

I have a box with 2 Quad-port E1000 cards in it, actually, two, because 
I am using CARP for HA.


js





RE: [pfSense Support] Load Balanced Passive FTP?

2009-10-01 Thread Nathan Eisenberg
> -Original Message-
> From: Chris Buechler [mailto:cbuech...@gmail.com]
> Sent: Thursday, October 01, 2009 4:24 PM
> To: support@pfsense.com
> Subject: Re: [pfSense Support] Load Balanced Passive FTP?
> 
> Oh, for inbound load balancing, I thought you meant outbound. No, no
> way to do that for a range without putting in one for each port. You
> can't balance passive FTP port range like that anyway, there's no
> correspondence between the state on the control channel and the data
> channel, they would likely end up going to different servers.

Yep - inbound!  While I respect the marvel that is PFSense's outbound load 
balancing, I prefer using BGP costs and IS-IS weights at the router.  By the 
way, when will PFSense support OSPF and IS-IS?  ;)

On topic - failover mode (as opposed to load balanced mode) should work 
correctly if I can get the virtual servers set up, correct?

This is one more reason why FTP sucks.  Not that the world needed another one.

Best Regards,
Nathan Eisenberg
Sr. Systems Administrator - Atlas Networks, LLC
office: 206.577.3078 | suncadia: 206.210.5450
www.atlasnetworks.us | www.suncadianet.com





Re: [pfSense Support] Vista DHCP Issue

2009-10-01 Thread apiase...@midatlanticbb.com
Chris Buechler wrote:
> On Thu, Oct 1, 2009 at 6:07 PM, Jim Pingle  wrote:
>> Chris Buechler wrote:
>>> On Thu, Oct 1, 2009 at 4:10 PM, Curtis LaMasters
>>>  wrote:
>>>> I've searched around and read about others with this issue.  Basically
>>>> I have 5 different Vista laptops that cannot get a DHCP address unless
>>>> I modify the registry and disable a broadcast setting.  Does anybody
>>>> have a solution to this that would prevent me from having to touch
>>>> each workstation?
>>>
>>> If you can find a solution for ISC dhcpd we'd implement it. I'm not
>>> sure exactly how that ends up set on some Vista systems but not
>>> others.
>>
>> My repair bench segment is also behind pfSense, and it has seen hundreds
>> of different machines of all makes and models, many of them using Vista,
>> and I've not had one yet that couldn't pull an IP address from DHCP on
>> pfSense. It's always Just Worked(tm)
>>
>> Could this be induced by the switch, perhaps?
>
> It's the DHCP broadcast flag that causes problems.
> http://support.microsoft.com/kb/928233
>
> I'm not sure why it's inconsistent. I suspect some PC manufacturers
> probably changed that default to avoid support headaches.
>
> Windows 7 switched it back to "off" by default so obviously MS
> realized what a wreck that one was in Vista (one of a long list).

I have also had this problem with Vista clients and pfSense DHCP. I have
seen it first hand: my XP laptop will grab it while the Vista won't on
the same exact connection. Generally I tell my customer that it's not
our problem and Vista is broken. Call Microsoft and explain that Windows
XP can get online and Vista can't. I also tell my customers to run
Windows Update and make sure the system is patched up.

In one situation we had an HP ProCurve switch installed. We had tons of
complaints that Vista would not work but XP would. We replaced it with a
Cisco 2950 and the complaints stopped. I have no idea why that would
cause it to work. I have just come to believe Vista is on par with
Windows ME for the worst OS ever.

I've heard nothing but good things from Windows 7 so far. I really hope
Microsoft got it together this time.


Adam




Re: [pfSense Support] Vista DHCP Issue

2009-10-01 Thread Jim Pingle
apiase...@midatlanticbb.com wrote:
> In one situation we had an HP ProCurve switch installed. We had tons of
> complaints that Vista would not work but XP would. We replaced it with a
> Cisco 2950 and the complaints stopped. I have no idea why that would
> cause it to work. I have just come to believe Vista is on par with
> Windows ME for the worst OS ever.

My switches at work are all Cisco 2924 and 2950s. My one at home is just
the back end of a Linksys WRT54Gv5 though. Haven't had a problem with
either one. One customer site off the top of my head that also has
pfSense+Vista has a 24 port Netgear 10/100 switch. I don't know of
anyone with HP switches though personally.

A couple of the threads I read suggested that the replies to a "broken"
Vista request might not be making it out of the NIC on the server side, or
if they are, they may not be making it back to the clients. Some
tcpdump/wireshark output from a broken request and reply from the server
and client might be enlightening.

If the packets don't leave the server NIC, you could try a few random
things like disabling checksums to see if it makes any difference (not
that it should, but it's something to try...)

Jim





RE: [pfSense Support] Vista DHCP Issue

2009-10-01 Thread Tim Dickson

On Thu, Oct 1, 2009 at 6:07 PM, Jim Pingle  wrote:
> Chris Buechler wrote:
>> On Thu, Oct 1, 2009 at 4:10 PM, Curtis LaMasters
>>  wrote:
>>> I've searched around and read about others with this issue.  Basically
>>> I have 5 different Vista laptops that cannot get a DHCP address unless
>>> I modify the registry and disable a broadcast setting.  Does anybody
>>> have a solution to this that would prevent me from having to touch
>>> each workstation?
>>
>> If you can find a solution for ISC dhcpd we'd implement it. I'm not
>> sure exactly how that ends up set on some Vista systems but not
>> others.
>
> My repair bench segment is also behind pfSense, and it has seen hundreds
> of different machines of all makes and models, many of them using Vista,
> and I've not had one yet that couldn't pull an IP address from DHCP on
> pfSense. It's always Just Worked(tm)
>
> Could this be induced by the switch, perhaps?
>

I've had it happen first hand... it's a pain in the *ss!!!
Sometimes an elevated CMD prompt - ipconfig /release /renew - works,
but I'd say it's about a 45% success rate.
Next step is to disable/renew the adapter - that brings it to about a 65%
success rate.

This is after following the broadcast regedits - turning off IPv6, etc. on
this machine btw.

The good news is that it only happens about once a month, but when it does
- man it's annoying.

I do run ProCurve switches on my network - my DHCP server is a Windows 2003
server (pfSense being the gateway though).
If anyone else finds a permanent solution - shout it out - because I've yet
to find one.
(My only "permanent" solution so far - was to upgrade to the RTM of Win7)
-Tim










Re: [pfSense Support] Vista DHCP Issue

2009-10-01 Thread apiase...@midatlanticbb.com
Tim Dickson wrote:
> On Thu, Oct 1, 2009 at 6:07 PM, Jim Pingle  wrote:
>> Chris Buechler wrote:
>>> On Thu, Oct 1, 2009 at 4:10 PM, Curtis LaMasters
>>>  wrote:
>>>> I've searched around and read about others with this issue.  Basically
>>>> I have 5 different Vista laptops that cannot get a DHCP address unless
>>>> I modify the registry and disable a broadcast setting.  Does anybody
>>>> have a solution to this that would prevent me from having to touch
>>>> each workstation?
>>>
>>> If you can find a solution for ISC dhcpd we'd implement it. I'm not
>>> sure exactly how that ends up set on some Vista systems but not
>>> others.
>>
>> My repair bench segment is also behind pfSense, and it has seen hundreds
>> of different machines of all makes and models, many of them using Vista,
>> and I've not had one yet that couldn't pull an IP address from DHCP on
>> pfSense. It's always Just Worked(tm)
>>
>> Could this be induced by the switch, perhaps?
>
> I've had it happen first hand... it's a pain in the *ss!!!
> Sometimes an elevated CMD prompt - ipconfig /release /renew  works
> But I'd say it's about an 45% success rate.
> Next step is to disable/renew the adapter - that brings it to about a 65%
> success rate.
>
> This is after following the broadcast regedits - turning off IP6, etc on
> this machine btw.
>
> The good news is that it only happens about once a month, but when it does
> - man it's annoying.
>
> I do run procurve switches on my network - by dhcp server is a windows 2003
> server.  (pfSense being the gateway though)
> If anyone else finds a permanent solution - shout it out - because I've yet
> to find one.
> (My only "permanent" solution so far - was to upgrade to the RTM of win7)
> -Tim

I'm wondering if a patch was added to Windows Update at some point to
fix the problem. Is your Vista totally updated?

I find it really interesting that you're using the Microsoft DHCP service.
According to Microsoft it should be fully compatible with Vista.

I would suggest swapping your switch out, to see if it helps. Cisco or
Linksys seem to be okay.


Adam




Re: [pfSense Support] Vista DHCP Issue

2009-10-01 Thread Jim Pingle
apiase...@midatlanticbb.com wrote:
> I'm wondering if a patch was added to windows update at some point to
> fix the problem. Is your Vista totally updated?

Just this week I've had my hands on several fully patched Vista machines
(including my laptop) as well as two other laptops -- one with Vista and
no service packs or updates at all, and one with only SP1 present. All
of them worked.

It's very inconsistent. I wish I could reproduce it somewhere, it would
make investigating it easier.

I just checked on my laptop, http://support.microsoft.com/kb/928233 (the
KB article linked by Chris in another post in this thread) mentions a
registry setting to force the broadcast flag off for non-Windows DHCP
servers:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}

"DhcpConnForceBroadcastFlag"=dword:

On my laptop this is set to 1, and it still works for me. I've even
plugged directly into my ALIX with no switch and pulled an IP from there
with this laptop, no switch involved.

Makes me really suspect some kind of combination of switch, NIC
brand/driver on the pfSense box, or some other interaction of that
nature. The only way to track it down is probably to collect more data
about setups where the problem appears. When it comes to managed
switches, there could even be a setting on the switch that causes (or
prevents) the problem from appearing.

Jim




Re: [pfSense Support] Vista DHCP Issue

2009-10-01 Thread Chris Buechler
On Fri, Oct 2, 2009 at 1:06 AM, Jim Pingle  wrote:
>
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}
>
> "DhcpConnForceBroadcastFlag"=dword:
>
> On my laptop this is set to 1, and it still works for me. I've even
> plugged directly into my ALIX with no switch and pulled an IP from there
> with this laptop, no switch involved.
>

Interesting. I long ago blew away every Vista install I had, mind
sending me a pcap of a DHCP request from a host with that enabled?

Curtis, or anyone else who can replicate problems with a Vista client,
ditto, capturing the DHCP request in Wireshark and sending me the pcap
would be appreciated.
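The thing Chris asks for in a capture is the BROADCAST bit in the flags field of the client's DHCP request, the bit KB928233 is about. Below is an added example (not code from pfSense, ISC dhcpd or Microsoft) that decodes one DHCP message and reports that bit, so a capture can be checked without eyeballing hex. It assumes its input is the raw UDP payload of a single DHCP message, as exported from a Wireshark capture; the DHCPDISCOVER packets it builds for itself are constructed samples, not real captures, and it does not handle relayed requests (non-zero giaddr).

```python
"""Report the BROADCAST flag in a captured DHCP client message.

Added example for this thread; not pfSense, ISC dhcpd or Microsoft code.
Input is the raw UDP payload of one DHCP message (the bytes Wireshark
shows under "Bootstrap Protocol"). Sample packets below are constructed.
"""
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"   # option-field magic cookie, RFC 2131
BROADCAST_BIT = 0x8000             # leftmost bit of the 16-bit flags field
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


def parse_dhcp(payload: bytes) -> dict:
    """Decode the fixed BOOTP header and the option list of one DHCP message."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("payload is not a DHCP message")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", payload[:12])
    ciaddr = payload[12:16]                 # client's current address, if any
    chaddr = payload[28:28 + hlen]          # client hardware address

    options = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:                       # pad option, single byte
            i += 1
            continue
        if code == 255:                     # end option
            break
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length

    msg_type = options[53][0] if 53 in options else 0
    return {
        "op": op,
        "xid": xid,
        "flags": flags,
        "broadcast": bool(flags & BROADCAST_BIT),
        "ciaddr_zero": ciaddr == b"\x00" * 4,
        "client_mac": ":".join(f"{b:02x}" for b in chaddr),
        "message_type": MSG_TYPES.get(msg_type, f"unknown({msg_type})"),
    }


def expected_reply_delivery(payload: bytes) -> str:
    """How a server following RFC 2131 section 4.1 must address its reply.

    With ciaddr zero and BROADCAST set, the OFFER/ACK goes to 255.255.255.255;
    with BROADCAST clear it is unicast to yiaddr/chaddr before the client has
    an address, which is the case some client stacks and switches mishandle.
    Relayed requests (giaddr != 0) are not considered here.
    """
    info = parse_dhcp(payload)
    if not info["ciaddr_zero"]:
        return "unicast to ciaddr"
    if info["broadcast"]:
        return "broadcast to 255.255.255.255"
    return "unicast to yiaddr/chaddr"


def build_discover(mac: bytes, xid: int, broadcast: bool) -> bytes:
    """Construct a minimal DHCPDISCOVER (sample data for testing, not a capture)."""
    flags = BROADCAST_BIT if broadcast else 0
    header = struct.pack("!BBBBIHH", 1, 1, 6, 0, xid, 0, flags)  # BOOTREQUEST, Ethernet
    header += b"\x00" * 16                  # ciaddr, yiaddr, siaddr, giaddr
    header += mac.ljust(16, b"\x00")        # chaddr (16 bytes, 6 used)
    header += b"\x00" * (64 + 128)          # sname, file
    options = b"\x35\x01\x01" + b"\xff"     # option 53 = DISCOVER, then END
    return header + DHCP_MAGIC + options


if __name__ == "__main__":
    for flag in (True, False):
        pkt = build_discover(b"\x00\x11\x22\x33\x44\x55", 0xDEADBEEF, flag)
        info = parse_dhcp(pkt)
        print(info["message_type"], info["client_mac"],
              "BROADCAST set" if info["broadcast"] else "BROADCAST clear",
              "->", expected_reply_delivery(pkt))
```

To use it on a real capture, select the DHCP packet in Wireshark, export the UDP payload as raw bytes and pass those bytes to `parse_dhcp`; comparing the flag between a client that gets an address and one that does not, on the same switch port, narrows the problem to the client setting or to whatever sits between the server's unicast reply and the client.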




[pfSense Support] Wierd issue with 1:1 NAT

2009-10-01 Thread Nathan Eisenberg
Hey,

I've not had this problem before - I have a PFSense firewall with a lot of 1:1 
NATs.  For almost every outbound connection, the traffic seems to originate 
from the correct IP.  For example, if I SSH from behind the firewall to a 
server outside of the firewall, and then use 'last', I see the 1:1 IP.  
However, if I visit a web site, like http://whatismyip.com, I get the IP 
address of the firewall.  Very odd...

Thoughts?

Best Regards,
Nathan Eisenberg
Sr. Systems Administrator - Atlas Networks, LLC
office: 206.577.3078 | suncadia: 206.210.5450
www.atlasnetworks.us | www.suncadianet.com


Re: [pfSense Support] Wierd issue with 1:1 NAT

2009-10-01 Thread Chris Buechler
On Fri, Oct 2, 2009 at 1:25 AM, Nathan Eisenberg
 wrote:
> Hey,
>
> I've not had this problem before - I have a PFSense firewall with a lot of 
> 1:1 NATs.  For almost every outbound connection, the traffic seems to 
> originate from the correct IP.  For example, if I SSH from behind the 
> firewall to a server outside of the firewall, and then use 'last', I see the 
> 1:1 IP.  However, if I visit a web site, like http://whatismyip.com, I get 
> the IP address of the firewall.  Very odd...
>
> Thoughts?
>

Using Squid?
http://doc.pfsense.org/index.php/Why_does_my_system_using_1:1_NAT_still_appear_to_access_the_web_via_the_pfSense_router%27s_WAN_IP%3F




RE: [pfSense Support] Wierd issue with 1:1 NAT

2009-10-01 Thread Nathan Eisenberg
> -Original Message-
> From: cbuech...@gmail.com [mailto:cbuech...@gmail.com] On Behalf Of
> Chris Buechler
> Sent: Thursday, October 01, 2009 10:34 PM
> To: support@pfsense.com
> Subject: Re: [pfSense Support] Wierd issue with 1:1 NAT
> 
> 
> Using Squid?
> http://doc.pfsense.org/index.php/Why_does_my_system_using_1:1_NAT_still
> _appear_to_access_the_web_via_the_pfSense_router%27s_WAN_IP%3F
> 

Bingo.  Obvious in retrospect.  Thanks!

Best Regards,
Nathan Eisenberg
Sr. Systems Administrator - Atlas Networks, LLC
office: 206.577.3078 | suncadia: 206.210.5450
www.atlasnetworks.us | www.suncadianet.com





Re: [pfSense Support] Wierd issue with 1:1 NAT

2009-10-01 Thread Jostein Elvaker Haande
On Fri, Oct 2, 2009 at 7:33 AM, Chris Buechler  wrote:
> On Fri, Oct 2, 2009 at 1:25 AM, Nathan Eisenberg
>  wrote:
>> Hey,
>> I've not had this problem before - I have a PFSense firewall with a lot of 
>> 1:1 NATs.  For almost every outbound connection, the traffic seems to 
>> originate from the correct IP.  For example, if I SSH from behind the 
>> firewall to a server outside of the firewall, and then use 'last', I see the 
>> 1:1 IP.  However, if I visit a web site, like http://whatismyip.com, I get 
>> the IP address of the firewall.  Very odd...
>> Thoughts?
> Using Squid?

Hehe, good to see that so "many" make this mistake, as I felt like a
fool when I realised this mistake myself.

And when you think of it, it's bloody obvious and logical too. Though,
I'm not Klingon :))

-- 
Yours sincerely Jostein Elvaker Haande
A free society is a place where it is safe to be unpopular

http://tolecnal.net -- tolecnal at tolecnal dot net
