[pfSense Support] policy routing openvpn -- how to select interface/gateway for openvpn
hi all,

i have a pfsense box with two interfaces (not sharing the same media or gateway).

i need for openvpn to use a specific interface/gateway to bind to.

as packets are internally generated, standard policy routing won't work here -- i tried the openvpn --bind option to no avail.

any suggestions?

thanks
m

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] openvpn TLS
so far it's not working with tls, I've been concentrating on other areas but expect to return to this shortly

On 17 April 2010 19:27, i...@unseregedanken.de wrote:
> Nick,
>
> can you please give some feedback?
>
> jan
>
> i...@unseregedanken.de wrote:
>> Hi Nick,
>>
>> Nick Upson wrote:
>>> thanks, I now get
>>>
>>> openvpn[24699]: Options error: Unrecognized option or missing
>>> parameter(s) in /var/etc/openvpn_server0.conf:22: tls_auth (2.0.6)
>>> when trying to start the server, the key was generated on our
>>> certificates machine if that makes any difference
>>
>> you have a typo in your syntax just try it with "tls-auth" instead of
>> "tls_auth" :-)
>>
>> kind regards
>> Jan
Re: [pfSense Support] openvpn TLS
okay, just let us know when your focus changes.

Nick Upson wrote:
> so far it's not working with tls, I've been concentrating on other
> areas but expect to return to this shortly
>
> On 17 April 2010 19:27, i...@unseregedanken.de wrote:
>> Nick,
>>
>> can you please give some feedback?
>>
>> jan
>>
>> i...@unseregedanken.de wrote:
>>> Hi Nick,
>>>
>>> Nick Upson wrote:
>>>> thanks, I now get
>>>>
>>>> openvpn[24699]: Options error: Unrecognized option or missing
>>>> parameter(s) in /var/etc/openvpn_server0.conf:22: tls_auth (2.0.6)
>>>> when trying to start the server, the key was generated on our
>>>> certificates machine if that makes any difference
>>>
>>> you have a typo in your syntax just try it with "tls-auth" instead of
>>> "tls_auth" :-)
>>>
>>> kind regards
>>> Jan
[pfSense Support] how do i install firewall setting for the Lan & Wan
Hi,
I have Lan and Wan in my organization i want to create gateway for internet please guide me.

Thanks,
Mir
Re: [pfSense Support] how do i install firewall setting for the Lan & Wan
RTFM

On Mon, Apr 19, 2010 at 3:20 PM, Barkat ali wrote:
> Hi,
> I have Lan and Wan in my organization i want to create gateway for internet
> please guide me.
>
> Thanks,
> Mir

--
Regards
Abdulrehman
Re: [pfSense Support] how do i install firewall setting for the Lan & Wan
Hi,

Look at these tutorials first:
http://doc.pfsense.org/index.php/Tutorials

Regards,
Sergey.

----- Original Message -----
From: Barkat ali
To: support@pfsense.com
Sent: Monday, April 19, 2010 2:20 PM
Subject: [pfSense Support] how do i install firewall setting for the Lan & Wan

Hi,
I have Lan and Wan in my organization i want to create gateway for internet please guide me.

Thanks,
Mir
Re: [pfSense Support] openvpn TLS
right, I took a working openvpn tunnel, added "tls-auth /var/etc/openvpn_server0.tls" to the server (pfsense) and enabled tls-auth in the client. then made the client reconnect, the file is the same one copied to both machines. I just get

"TLS error: TLS key negociation failed to occur within 60 seconds"

On 17 April 2010 19:27, i...@unseregedanken.de wrote:
> Nick,
>
> can you please give some feedback?
>
> jan
>
> i...@unseregedanken.de wrote:
>> Hi Nick,
>>
>> Nick Upson wrote:
>>> thanks, I now get
>>>
>>> openvpn[24699]: Options error: Unrecognized option or missing
>>> parameter(s) in /var/etc/openvpn_server0.conf:22: tls_auth (2.0.6)
>>> when trying to start the server, the key was generated on our
>>> certificates machine if that makes any difference
>>
>> you have a typo in your syntax just try it with "tls-auth" instead of
>> "tls_auth" :-)
>>
>> kind regards
>> Jan
Re: [pfSense Support] policy routing openvpn -- how to select interface/gateway for openvpn
On 4/19/2010 5:40 AM, mayak-cq wrote:
> i have a pfsense box with two interfaces (not sharing the same media or
> gateway).
>
> i need for openvpn to use a specific interface/gateway to bind to.
>
> as packets are internally generated, standard policy routing won't work
> here -- i tried the openvpn --bind option to no avail.

Try adding 'local x.x.x.x;' to the custom options box on the config, that should allow it to use a specific local IP on the box from which to source its traffic.
Re: [pfSense Support] policy routing openvpn -- how to select interface/gateway for openvpn
On Mon, 2010-04-19 at 07:27 -0400, Jim Pingle wrote:
> On 4/19/2010 5:40 AM, mayak-cq wrote:
> > i have a pfsense box with two interfaces (not sharing the same media or
> > gateway).
> >
> > i need for openvpn to use a specific interface/gateway to bind to.
> >
> > as packets are internally generated, standard policy routing won't work
> > here -- i tried the openvpn --bind option to no avail.
>
> Try adding 'local x.x.x.x;' to the custom options box on the config,
> that should allow it to use a specific local IP on the box from which to
> source its traffic.

brain dead -- i meant "local" instead of "bind"

turns out that the problem is running 2 openvpn instances -- if i use "local" for different openvpn declarations, it doesn't seem to work.

can't reboot the unit until tonight.

have you successfully bound openvpn to two different adapters in pfsense?

thanks
m
Re: [pfSense Support] openvpn TLS
you will have to add the side identification integer to the string of the tls-auth directive.

for the server sided configuration use ..

"tls-auth /var/etc/openvpn_server0.tls 0"
                                       ^

and for the client ..

"tls-auth /var/etc/openvpn_server0.tls 1"
                                       ^

hope this helps .. for more information have an eye on the openvpn configuration howto :-)

http://openvpn.net/index.php/open-source/documentation/howto.html#security

Nick Upson wrote:
> right, I took a working openvpn tunnel, added "tls-auth
> /var/etc/openvpn_server0.tls" to the server (pfsense) and enabled
> tls-auth in the client. then made the client reconnect, the file is
> the same one copied to both machines. I just get
>
> "TLS error: TLS key negociation failed to occur within 60 seconds"
>
> On 17 April 2010 19:27, i...@unseregedanken.de wrote:
>> Nick,
>>
>> can you please give some feedback?
>>
>> jan
>>
>> i...@unseregedanken.de wrote:
>>> Hi Nick,
>>>
>>> Nick Upson wrote:
>>>> thanks, I now get
>>>>
>>>> openvpn[24699]: Options error: Unrecognized option or missing
>>>> parameter(s) in /var/etc/openvpn_server0.conf:22: tls_auth (2.0.6)
>>>> when trying to start the server, the key was generated on our
>>>> certificates machine if that makes any difference
>>>
>>> you have a typo in your syntax just try it with "tls-auth" instead of
>>> "tls_auth" :-)
>>>
>>> kind regards
>>> Jan
Re: [pfSense Support] openvpn TLS
On 19 April 2010 13:20, i...@unseregedanken.de wrote:
> you will have to add the side identification integer to the string of the
> tls-auth directive.
>
> for the server sided configuration use ..
>
> "tls-auth /var/etc/openvpn_server0.tls 0"
>                                        ^
>
> and for the client ..
>
> "tls-auth /var/etc/openvpn_server0.tls 1"

openvpn[50734]: Key file '/var/etc/openvpn_server0.tls' used in --tls-auth contains insufficient key material [keys found=1 required=2] -- try generating a new key file with 'openvpn --genkey --secret [file]', or use the existing key file in bidirectional mode by specifying --tls-auth without a key direction parameter
Re: [pfSense Support] openvpn TLS
can you try to regenerate the tls key file on your pfsense box and then copy it to your clients? afaik your current key has not been generated on your pfsense box, right? maybe that's why it says that there is not enough key material to proceed ..

pfbox # openvpn --genkey --secret /var/etc/openvpn_server0.tls
pfbox # scp /var/etc/openvpn_server0.tls @:/path/to/dir/

and then retry. at the beginning I mentioned a similar procedure but also had a typo in it - sorry for that (in the "openvpn --genkey.." two genkey parameters were included ..).

Nick Upson wrote:
> openvpn[50734]: Key file '/var/etc/openvpn_server0.tls' used in
> --tls-auth contains insufficient key material [keys found=1
> required=2] -- try generating a new key file with 'openvpn --genkey
> --secret [file]', or use the existing key file in bidirectional mode
> by specifying --tls-auth without a key direction parameter
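An added example, not part of any message in this thread: a pre-flight check for the three tls-auth failures discussed above (the tls_auth spelling, key directions that do not pair up, and a key file too short for directional use). The 128 bytes per key, the sample configs and the key material are assumptions constructed for the illustration.

```python
import re

BEGIN = "-----BEGIN OpenVPN Static key V1-----"
END = "-----END OpenVPN Static key V1-----"
KEY_BYTES = 128  # assumption: one key = 64-byte cipher part + 64-byte HMAC part


def keys_in_static_key(text):
    """Count the complete keys in a static key file (a 2048-bit file holds 2)."""
    lines = [ln.strip() for ln in text.splitlines()]
    if BEGIN not in lines or END not in lines:
        raise ValueError("not an OpenVPN static key V1 file")
    body = "".join(lines[lines.index(BEGIN) + 1:lines.index(END)])
    if not re.fullmatch(r"(?:[0-9a-fA-F]{2})*", body):
        raise ValueError("key body is not hex")
    return (len(body) // 2) // KEY_BYTES


def tls_auth_directive(config_text):
    """Return (key_path, direction) or None; direction is None when omitted."""
    for raw in config_text.splitlines():
        words = raw.split()
        if not words or words[0][0] in "#;":
            continue  # blank line or comment
        if words[0] == "tls_auth":
            raise ValueError("unrecognized option tls_auth: the option is tls-auth")
        if words[0] == "tls-auth":
            if len(words) < 2:
                raise ValueError("tls-auth needs a key file path")
            return words[1], int(words[2]) if len(words) > 2 else None
    return None


def check_pair(server_cfg, client_cfg, key_text):
    """Return a list of problems; an empty list means the setup is consistent."""
    problems = []
    n = keys_in_static_key(key_text)
    srv, cli = tls_auth_directive(server_cfg), tls_auth_directive(client_cfg)
    if srv is None and cli is None:
        return problems  # tls-auth not in use at all
    if srv is None or cli is None:
        return ["tls-auth is set on one side only"]
    s_dir, c_dir = srv[1], cli[1]
    if (s_dir is None) != (c_dir is None):
        problems.append("one side gives a key direction and the other does not")
    elif s_dir is not None:
        if {s_dir, c_dir} != {0, 1}:
            problems.append("directions must be 0 on one side and 1 on the other")
        if n < 2:
            problems.append(f"key file holds {n} key(s); a key direction needs 2")
    if n < 1:
        problems.append("key file holds no complete key")
    return problems


def make_key(hex_lines):
    """Constructed, non-secret sample key text; 16 hex lines = 256 bytes."""
    body = "\n".join(["0123456789abcdef0123456789abcdef"] * hex_lines)
    return f"#\n# constructed sample, not a real key\n#\n{BEGIN}\n{body}\n{END}\n"


# Constructed sample configs using the path and directions from the thread.
SERVER_CFG = "dev tun\nproto udp\ntls-auth /var/etc/openvpn_server0.tls 0\n"
CLIENT_CFG = "client\ndev tun\ntls-auth /var/etc/openvpn_server0.tls 1\n"

if __name__ == "__main__":
    for label, key in (("full key", make_key(16)), ("half key", make_key(8))):
        print(label, "->", check_pair(SERVER_CFG, CLIENT_CFG, key) or "ok")
```

Running the check against both configs and the shared key file before restarting the tunnel turns a 60-second handshake timeout into a specific message.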
Re: [pfSense Support] openvpn TLS
I can try that out but the permanent solution needs to use the existing tls key, as it's also used, without problems, elsewhere and we don't want the headache of more key files than necessary

On 19 April 2010 14:36, i...@unseregedanken.de wrote:
> can you try to regenerate the tls key file on your pfsense box and then
> copy it to your clients? afaik your current key has not been generated on
> your pfsense box, right? maybe that's why it says that there is not enough
> key material to proceed ..
>
> pfbox # openvpn --genkey --secret /var/etc/openvpn_server0.tls
> pfbox # scp /var/etc/openvpn_server0.tls @:/path/to/dir/
>
> and then retry. at the beginning I mentioned a similar procedure but also
> had a typo in it - sorry for that (in the "openvpn --genkey.." two genkey
> parameters were included ..).
>
> Nick Upson wrote:
>> openvpn[50734]: Key file '/var/etc/openvpn_server0.tls' used in
>> --tls-auth contains insufficient key material [keys found=1
>> required=2] -- try generating a new key file with 'openvpn --genkey
>> --secret [file]', or use the existing key file in bidirectional mode
>> by specifying --tls-auth without a key direction parameter
Re: [pfSense Support] openvpn TLS
Nick Upson wrote:
> I can try that out but the permanent solution needs to use the
> existing tls key, as it's also used, without problems, elsewhere and
> we don't want the headache of more key files than necessary

So you're already using the respective key with other openvpn instances?
can you post your client and server configs?
Re: [pfSense Support] openvpn TLS
yes, the ta key works fine against an openvpn server on fedora over wlan

which part of the configs do you need?

On 19 April 2010 14:46, i...@unseregedanken.de wrote:
> Nick Upson wrote:
>> I can try that out but the permanent solution needs to use the
>> existing tls key, as it's also used, without problems, elsewhere and
>> we don't want the headache of more key files than necessary
>
> So you're already using the respective key with other openvpn instances?
> can you post your client and server configs?
Re: [pfSense Support] openvpn TLS
On 04/19/2010 03:54 PM Nick Upson wrote:
> yes, the ta key works fine against an openvpn server on fedora over wlan
>
> which part of the configs do you need?

would be great to have a look on both; the client and the server config.
Re: [pfSense Support] policy routing openvpn -- how to select interface/gateway for openvpn HELP!
On Mon, 2010-04-19 at 14:07 +0200, mayak-cq wrote:
> On Mon, 2010-04-19 at 07:27 -0400, Jim Pingle wrote:
> > On 4/19/2010 5:40 AM, mayak-cq wrote:
> > > i have a pfsense box with two interfaces (not sharing the same media or
> > > gateway).
> > >
> > > i need for openvpn to use a specific interface/gateway to bind to.
> > >
> > > as packets are internally generated, standard policy routing won't work
> > > here -- i tried the openvpn --bind option to no avail.
> >
> > Try adding 'local x.x.x.x;' to the custom options box on the config,
> > that should allow it to use a specific local IP on the box from which to
> > source its traffic.
>
> brain dead -- i meant "local" instead of "bind"
>
> turns out that the problem is running 2 openvpn instances -- if i use
> "local" for different openvpn declarations, it doesn't seem to work.
>
> can't reboot the unit until tonight.
>
> have you successfully bound openvpn to two different adapters in
> pfsense?

ok -- so i have used the "local" option for each openvpn instance, but the openvpn client process still uses the lowest numbered gateway and starts the packets going out the wrong interface.

i guess the question is: how do you tell openvpn what gateway to use to establish the vpn?

one would have thought that if the openvpn process was bound to sis4's interface, that it would have used sis4's gateway to send packets. indeed, it does not.

badly need help!

thanks
m
[pfSense Support] no packages for 2.0
The Available Packages page for 2.0 beta x86_64 full snapshot from Friday shows no packages, with the warning "Unable to communicate with www.pfsense.com. Please verify DNS and interface configuration, and that pfSense has functional Internet connectivity." My DNS works. I don't see anything related in the forum. Am I doing it wrong?

db
Re: [pfSense Support] no packages for 2.0
Same here

-----Original Message-----
From: David Burgess [mailto:apt@gmail.com]
Sent: Monday, 19 April 2010 19:58
To: support
Subject: [pfSense Support] no packages for 2.0

The Available Packages page for 2.0 beta x86_64 full snapshot from Friday shows no packages, with the warning "Unable to communicate with www.pfsense.com. Please verify DNS and interface configuration, and that pfSense has functional Internet connectivity." My DNS works. I don't see anything related in the forum. Am I doing it wrong?

db
[pfSense Support] Wierd CARP problem
I have a site in Jacksonville, FL. We have two Watchguard Firebox X700s, with upgraded RAM and a pfSense embedded deployment. Since installation we have had WEIRD problems with the VPN. We THOUGHT it was the vpn. However, weeks and work revealed an apparent switch problem.

Basically, what we've determined is happening is that our HP 2524 is getting confused and moving the internal CARP address over to the second firewall. Our firewalls are designated "JAX1" and "JAX2". Our switch is "JAX".

The Config is like this:

  10.5.1.1  -- CARP0, Default Gateway
  10.5.1.2  -- JAX1
  10.5.1.3  -- JAX2
  10.5.1.10 -- HPSW

When we startup, we get this: (from the switch CLI)

  JAX LAN# show arp

   IP ARP table

    IP Address       MAC Address       Type    Port
    ---------------  ----------------- ------- ----
    10.5.1.1         5e-000102         dynamic
    10.5.1.2         00907f-321b15     dynamic 18
    10.5.1.52        002682-2dadc0     dynamic 3

When the tunnel goes down, we get this:

  JAX LAN# show arp

   IP ARP table

    IP Address       MAC Address       Type    Port
    ---------------  ----------------- ------- ----
    10.5.1.1         5e-000102         dynamic 24
    10.5.1.2         00907f-321b15     dynamic 18
    10.5.1.52        002682-2dadc0     dynamic 3

In this case, port 24 is JAX2. The switch never seems to pick up 10.5.1.3, which is JAX2, and only the tunnel/routing traffic becomes diverted.

Does anyone have any idea / practical advice? The only other idea which I have is to purchase a cheap-ass 5 port switch and interpose that to eliminate the HP needing to think at all. I have Spanning Tree disabled, and no VLANs or other config adjustments. I just upgraded firmware to latest and I have no clue what is causing this.

Please help.

Sincerely,
Joshua
Re: [pfSense Support] Wierd CARP problem
Joshua Schmidlkofer wrote:
> I have a site in Jacksonville, FL. We have two Watchguard Firebox
> X700s, with upgraded RAM and a pfSense embedded deployment. Since
> installation we have had WEIRD problems with the VPN. We THOUGHT it
> was the vpn. However, weeks and work revealed an apparent switch
> problem.
>
> Basically, what we've determined is happening is that our HP 2524 is
> getting confused and moving the internal CARP address over to the
> second firewall.
> ...
> Sincerely,
> Joshua

Does pfSense' log say CARP is moved from Active to Passive?
Evgeny.
Re: [pfSense Support] no packages for 2.0
On 4/19/2010 1:57 PM, David Burgess wrote:
> The Available Packages page for 2.0 beta x86_64 full snapshot from
> Friday shows no packages, with the warning "Unable to communicate with
> www.pfsense.com. Please verify DNS and interface configuration, and
> that pfSense has functional Internet connectivity." My DNS works. I
> don't see anything related in the forum. Am I doing it wrong?

It's probably looking for a package file that doesn't exist. Did this ever work before?

I'm not sure if there are any 64-bit packages setup in the repo yet.
Re: [pfSense Support] no packages for 2.0
On Mon, Apr 19, 2010 at 1:29 PM, Jim Pingle wrote:
> It's probably looking for a package file that doesn't exist. Did this
> ever work before?

It's the first time I've tried PFS on 64-bit.

> I'm not sure if there are any 64-bit packages setup in the repo yet.

That's possible, and unfortunate.

db
Re: [pfSense Support] Wierd CARP problem
> Does pfSense' log say CARP is moved from Active to Passive?
> Evgeny.

Evgeny,

It appears we are getting some of that: (JAX2)

Apr 19 14:48:13 kernel: carp1: link state changed to DOWN
Apr 19 14:48:13 kernel: carp1: MASTER -> BACKUP (more frequent advertisement received)
Apr 19 14:48:10 kernel: carp1: link state changed to UP
Apr 19 14:48:07 kernel: carp1: link state changed to DOWN
Apr 19 14:48:07 kernel: carp1: MASTER -> BACKUP (more frequent advertisement received)
..
Apr 19 14:31:22 kernel: carp1: MASTER -> BACKUP (more frequent advertisement received)
Apr 19 14:31:14 kernel: carp1: link state changed to UP
Apr 19 14:31:10 kernel: carp1: link state changed to DOWN
Apr 19 14:31:10 kernel: carp1: MASTER -> BACKUP (more frequent advertisement received)
Apr 19 14:31:07 kernel: carp1: link state changed to UP

I have just been brought in (again) for this problem, and I now see another correlation. I just realized that the timestamps of the CARP1 UP match a message from JAX1:

kernel: re1: watchdog timeout

Apparently, this may be the source of my problem.

Sincerely,
Joshua
Re: [pfSense Support] Wierd CARP problem
Joshua Schmidlkofer wrote:
>> Does pfSense' log say CARP is moved from Active to Passive?
>> Evgeny.
>
> Evgeny,
>
> It appears we are getting some of that: (JAX2)
>
> Apr 19 14:48:13 kernel: carp1: link state changed to DOWN
> Apr 19 14:48:13 kernel: carp1: MASTER -> BACKUP (more frequent advertisement received)
> Apr 19 14:48:10 kernel: carp1: link state changed to UP
> Apr 19 14:48:07 kernel: carp1: link state changed to DOWN
> Apr 19 14:48:07 kernel: carp1: MASTER -> BACKUP (more frequent advertisement received)
> ..
> Apr 19 14:31:22 kernel: carp1: MASTER -> BACKUP (more frequent advertisement received)
> Apr 19 14:31:14 kernel: carp1: link state changed to UP
> Apr 19 14:31:10 kernel: carp1: link state changed to DOWN
> Apr 19 14:31:10 kernel: carp1: MASTER -> BACKUP (more frequent advertisement received)
> Apr 19 14:31:07 kernel: carp1: link state changed to UP
>
> I have just been brought in (again) for this problem, and I now see
> another correlation. I just realized that the timestamps of the CARP1
> UP match a message from JAX1:
>
> kernel: re1: watchdog timeout
>
> Apparently, this may be the source of my problem.
>
> Sincerely,
> Joshua

Yes, do not blame your switch, something is wrong with your pfSense cluster. Most probably your re1 becomes overloaded with traffic.
Evgeny.
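An added example, not part of any message in this thread: the correlation described above, done mechanically by pairing each carp1 takeover on the backup with an re1 watchdog timeout on the primary. The JAX2 lines are the ones posted; the JAX1 lines, the year and the 2-second window are assumptions constructed for the illustration, as is reading "link state changed to UP" as the node becoming MASTER.

```python
import re
from datetime import datetime, timedelta

LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) kernel: (\w+): (.+)$")

# carp1 lines as posted for JAX2 (newest first, as in the post).
JAX2_LOG = """\
Apr 19 14:48:13 kernel: carp1: link state changed to DOWN
Apr 19 14:48:13 kernel: carp1: MASTER -> BACKUP (more frequent advertisement received)
Apr 19 14:48:10 kernel: carp1: link state changed to UP
Apr 19 14:48:07 kernel: carp1: link state changed to DOWN
Apr 19 14:48:07 kernel: carp1: MASTER -> BACKUP (more frequent advertisement received)
Apr 19 14:31:22 kernel: carp1: MASTER -> BACKUP (more frequent advertisement received)
Apr 19 14:31:14 kernel: carp1: link state changed to UP
Apr 19 14:31:10 kernel: carp1: link state changed to DOWN
Apr 19 14:31:10 kernel: carp1: MASTER -> BACKUP (more frequent advertisement received)
Apr 19 14:31:07 kernel: carp1: link state changed to UP
"""

# Constructed JAX1 lines: the post gives the message text but not the log itself.
JAX1_LOG = """\
Apr 19 14:48:10 kernel: re1: watchdog timeout
Apr 19 14:31:14 kernel: re1: watchdog timeout
Apr 19 14:31:06 kernel: re1: watchdog timeout
"""


def parse(log, year=2010):
    """Return (timestamp, device, message) tuples in chronological order."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:  # syslog lines carry no year, so it is supplied by the caller
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    return sorted(events)


def takeover_durations(events, vip="carp1"):
    """Pair each UP (takeover) with the next MASTER -> BACKUP (hand-back)."""
    out, up = [], None
    for ts, dev, msg in events:
        if dev != vip:
            continue
        if msg == "link state changed to UP":
            up = ts
        elif msg.startswith("MASTER -> BACKUP") and up is not None:
            out.append((up, (ts - up).total_seconds()))
            up = None
    return out


def correlate(backup_log, primary_log, vip="carp1", nic="re1", window=2):
    """Split backup takeovers into those with and without a nearby NIC timeout."""
    ups = [ts for ts, dev, msg in parse(backup_log)
           if dev == vip and msg == "link state changed to UP"]
    dogs = [ts for ts, dev, msg in parse(primary_log)
            if dev == nic and "watchdog timeout" in msg]
    w = timedelta(seconds=window)
    matched = [u for u in ups if any(abs(u - d) <= w for d in dogs)]
    unmatched = [u for u in ups if u not in matched]
    return matched, unmatched


if __name__ == "__main__":
    matched, unmatched = correlate(JAX2_LOG, JAX1_LOG)
    print(f"{len(matched)} takeover(s) coincide with an re1 watchdog timeout")
    print(f"{len(unmatched)} takeover(s) have no matching timeout")
    for up, secs in takeover_durations(parse(JAX2_LOG)):
        print(f"  JAX2 held carp1 from {up:%H:%M:%S} for {secs:.0f}s")
```

Takeovers left in the unmatched list are the ones worth a closer look, since they are not explained by the NIC resets.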
Re: [pfSense Support] no packages for 2.0
David Burgess wrote:
> On Mon, Apr 19, 2010 at 1:29 PM, Jim Pingle wrote:
>> It's probably looking for a package file that doesn't exist. Did this
>> ever work before?
>
> It's the first time I've tried PFS on 64-bit.
>
>> I'm not sure if there are any 64-bit packages setup in the repo yet.
>
> That's possible, and unfortunate.
>
> db

Apparently there is no proper pkg_conifg.8.xml.XXX (or pkg_conifg.7.xml.XXX - depends on FreeBSD version) file for these boxes.
From xmlrpc.php:

    if($params['freebsd_machine'])
        if($params['freebsd_machine'] != "i386")
            $freebsd_machine = "." . $params['freebsd_machine'];

Can you trace what request is generated by your pfSense when you try to access list of available packages?
For example my 32-bit system generates:

pfsense.get_pkgs pkg all info noembedded name category website version status descr maintainer required_version pkginfolink freebsd_version 7

I think yours inserts freebsd_machine parameter in its request.
Evgeny.
Re: [pfSense Support] no packages for 2.0
On Mon, Apr 19, 2010 at 2:03 PM, Evgeny Yurchenko wrote:
> Can you trace what request is generated by your pfSense when you try to
> access list of available packages?

Where would I find that?

db
Re: [pfSense Support] no packages for 2.0
David Burgess wrote:
> On Mon, Apr 19, 2010 at 2:03 PM, Evgeny Yurchenko wrote:
>> Can you trace what request is generated by your pfSense when you try to
>> access list of available packages?
>
> Where would I find that?
>
> db

tcpdump -ni -s0 -wpfSensePkg.cap host 69.64.6.21

Then load pfSensePkg.cap into Wireshark and see (or send it to me off-list).
Evgeny.
Re: [pfSense Support] no packages for 2.0
On Mon, Apr 19, 2010 at 3:31 PM, David Burgess wrote:
> On Mon, Apr 19, 2010 at 1:29 PM, Jim Pingle wrote:
>
> > It's probably looking for a package file that doesn't exist. Did this
> > ever work before?
>
> It's the first time I've tried PFS on 64-bit.
>
> > I'm not sure if there are any 64-bit packages setup in the repo yet.
>
> That's possible, and unfortunate.

That is correct, I have not finished adding all of the 64 bit packages and there are still a few math bugs in the base pfSense system when using amd64 versions of pfSense.

Scott
Re: [pfSense Support] Wierd CARP problem
> Yes, do not blame your switch, something is wrong with your pfSense cluster.
> Most probably your re1 becomes overloaded with traffic.
> Evgeny.

Ok new problem: re:1 watchdog timeout. I think we have properly disabled ACPI. Anyone have any other advice?
Re: [pfSense Support] Wierd CARP problem
On Mon, Apr 19, 2010 at 4:38 PM, Joshua Schmidlkofer wrote:
>
> Ok new problem: re:1 watchdog timeout. I think we have properly
> disabled ACPI. Anyone have any other advice?

Change hardware. Those cheap NICs in the Watchguards have all kinds of problems.
Re: [pfSense Support] Wierd CARP problem
>> Ok new problem: re:1 watchdog timeout. I think we have properly
>> disabled ACPI. Anyone have any other advice?
>
> Change hardware. Those cheap NICs in the Watchguards have all kinds of
> problems.

Chris,

Thanks, I appreciate your input. I think we'll take your advice. =(

Weak-sauce hardware!

Sincerely,
Joshua
Re: [pfSense Support] Wierd CARP problem
Joshua Schmidlkofer wrote:
>>> Ok new problem: re:1 watchdog timeout. I think we have properly
>>> disabled ACPI. Anyone have any other advice?
>>
>> Change hardware. Those cheap NICs in the Watchguards have all kinds of
>> problems.
>
> Chris,
>
> Thanks, I appreciate your input. I think we'll take your advice. =(
>
> Weak-sauce hardware!

Just to confirm, I've seen the same watchdog timeout problem on two salvaged Firebox X500's running pfsense 1.x.x a few years ago. Back then I tried about anything I could think of, never found a solution. Finally replaced the hardware to get it fixed. There are a few forum threads about this as well.

Although it is definitely related to the type of NIC's in the watchguard boards, I'm still not completely convinced this is 100% a hardware problem since the Watchguard Linux OS seems to work just fine on it. Sounds more like a FreeBSD driver problem to me, and therefore not directly related to pfsense.

Has anyone tested pfsense 2.0 on these fireboxes ?
Since it is based on a newer version of FreeBSD, maybe an updated NIC driver solves these issues ?

Regards,
H.
Re: [pfSense Support] Wierd CARP problem
On Mon, Apr 19, 2010 at 6:56 PM, Hans Maes wrote:
>
> Although it is definitely related to the type of NIC's in the watchguard
> boards, I'm still not completely convinced this is 100% a hardware problem
> since the Watchguard Linux OS seems to work just fine on it. Sounds more
> like a FreeBSD driver problem to me, and therefore not directly related to
> pfsense.

It's not a hardware problem any more than the countless workarounds already in the Realtek drivers for hardware bugs are hardware problems, it's likely just yet another quirk in a different implementation of the same chipset that isn't worked around in FreeBSD. It's most likely a hardware quirk with a software work around that doesn't exist in FreeBSD (7.2 at least).

> Has anyone tested pfsense 2.0 on these fireboxes ?
> Since it is based on a newer version of FreeBSD, maybe an updated NIC driver
> solves these issues ?

If anyone has any interest in putting in the time to help get it fixed, that's where I would start, and post any problems to the freebsd-net list. 2.0 is based on RELENG_8, what will become 8.1.
Re: [pfSense Support] 1.2.3-release rebooting
On Thu, Apr 15, 2010 at 3:17 PM, Bao Ha wrote:
>
> Padlock does not have an issue that we know of! We have sold hundreds
> of VIA C7 systems with Padlock running pfSense. If it was a problem,
> we would have asked Chris B. to fix it.

I haven't seen it on any hardware that you guys sell, Bao. In fact our primary colocation facility is running behind one VIA system from Hacom and uses the Padlock with IPsec and OpenVPN with 0 problems. Same for my primary firewall, and one other system I'm running in production, and those of many of our support customers. Never seen a problem on any of them.

I'm not sure if it's actually padlock related, and it definitely does not affect all hardware with padlock as I've never seen it on a variety of hardware from Hacom that run in some heavy duty roles, but there have been at least a couple reports on the forum of people seeing this after upgrading to a version that added back padlock (without an accompanying FreeBSD version change IIRC).