[pfSense Support] policy routing openvpn -- how to select interface/gateway for openvpn

2010-04-19 Thread mayak-cq
hi all,

i have a pfsense box with two interfaces (not sharing the same media or
gateway).

i need for openvpn to use a specific interface/gateway to bind to.

as packets are internally generated, standard policy routing won't work
here -- i tried the openvpn --bind option to no avail.

any suggestions?

thanks

m


-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org



Re: [pfSense Support] openvpn TLS

2010-04-19 Thread Nick Upson
so far it's not working with tls, I've been concentrating on other
areas but expect to return to this shortly

On 17 April 2010 19:27, i...@unseregedanken.de  wrote:
> Nick,
>
> can you please give some feedback?
>
> jan
>
> i...@unseregedanken.de wrote:
>> Hi Nick,
>>
>> Nick Upson wrote:
>>> thanks, I now get
>>>
>>> openvpn[24699]: Options error: Unrecognized option or missing
>>> parameter(s) in /var/etc/openvpn_server0.conf:22: tls_auth (2.0.6)
>>> when trying to start the server, the key was generated on our
>>> certificates machine if that makes any difference
>>
>> you have a typo in your syntax just try it with "tls-auth" instead of
>> "tls_auth" :-)
>>
>> kind regards
>> Jan
>




Re: [pfSense Support] openvpn TLS

2010-04-19 Thread i...@unseregedanken.de
okay, just let us know when your focus changes.

Nick Upson wrote:
> so far it's not working with tls, I've been concentrating on other
> areas but expect to return to this shortly
> 
> On 17 April 2010 19:27, i...@unseregedanken.de  wrote:
>> Nick,
>>
>> can you please give some feedback?
>>
>> jan
>>
>> i...@unseregedanken.de wrote:
>>> Hi Nick,
>>>
>>> Nick Upson wrote:
>>>> thanks, I now get
>>>>
>>>> openvpn[24699]: Options error: Unrecognized option or missing
>>>> parameter(s) in /var/etc/openvpn_server0.conf:22: tls_auth (2.0.6)
>>>> when trying to start the server, the key was generated on our
>>>> certificates machine if that makes any difference
>>> you have a typo in your syntax just try it with "tls-auth" instead of
>>> "tls_auth" :-)
>>>
>>> kind regards
>>> Jan




[pfSense Support] how do i install firewall setting for the Lan & Wan

2010-04-19 Thread Barkat ali
Hi,
I have a LAN and a WAN in my organization; I want to create a gateway for the Internet.
Please guide me.

Thanks,
Mir



  

Re: [pfSense Support] how do i install firewall setting for the Lan & Wan

2010-04-19 Thread Abdulrehman
RTFM

On Mon, Apr 19, 2010 at 3:20 PM, Barkat ali  wrote:

> Hi,
> I have a LAN and a WAN in my organization; I want to create a gateway for the Internet.
> Please guide me.
>
> Thanks,
> Mir
>
>


-- 


Regards
Abdulrehman


Re: [pfSense Support] how do i install firewall setting for the Lan & Wan

2010-04-19 Thread Serg Dvoriancev
Hi

First, have a look at these tutorials:
http://doc.pfsense.org/index.php/Tutorials

Regards,
Sergey.
  - Original Message - 
  From: Barkat ali 
  To: support@pfsense.com 
  Sent: Monday, April 19, 2010 2:20 PM
  Subject: [pfSense Support] how do i install firewall setting for the Lan & Wan


  Hi,
  I have a LAN and a WAN in my organization; I want to create a gateway for the Internet.
  Please guide me.

  Thanks,
  Mir




Re: [pfSense Support] openvpn TLS

2010-04-19 Thread Nick Upson
right, I took a working openvpn tunnel, added "tls-auth
/var/etc/openvpn_server0.tls" to the server (pfsense) and enabled
tls-auth in the client. then made the client reconnect, the file is
the same one copied to both machines. I just get

"TLS error: TLS key negociation failed to occur within 60 seconds"

On 17 April 2010 19:27, i...@unseregedanken.de  wrote:
> Nick,
>
> can you please give some feedback?
>
> jan
>
> i...@unseregedanken.de wrote:
>> Hi Nick,
>>
>> Nick Upson wrote:
>>> thanks, I now get
>>>
>>> openvpn[24699]: Options error: Unrecognized option or missing
>>> parameter(s) in /var/etc/openvpn_server0.conf:22: tls_auth (2.0.6)
>>> when trying to start the server, the key was generated on our
>>> certificates machine if that makes any difference
>>
>> you have a typo in your syntax just try it with "tls-auth" instead of
>> "tls_auth" :-)
>>
>> kind regards
>> Jan
>




Re: [pfSense Support] policy routing openvpn -- how to select interface/gateway for openvpn

2010-04-19 Thread Jim Pingle
On 4/19/2010 5:40 AM, mayak-cq wrote:
> i have a pfsense box with two interfaces (not sharing the same media or
> gateway).
> 
> i need for openvpn to use a specific interface/gateway to bind to.
> 
> as packets are internally generated, standard policy routing won't work
> here -- i tried the openvpn --bind option to no avail.

Try adding 'local x.x.x.x;' to the custom options box on the config;
that should allow it to use a specific local IP on the box from which to
source its traffic.




Re: [pfSense Support] policy routing openvpn -- how to select interface/gateway for openvpn

2010-04-19 Thread mayak-cq
On Mon, 2010-04-19 at 07:27 -0400, Jim Pingle wrote:
> On 4/19/2010 5:40 AM, mayak-cq wrote:
> > i have a pfsense box with two interfaces (not sharing the same media or
> > gateway).
> > 
> > i need for openvpn to use a specific interface/gateway to bind to.
> > 
> > as packets are internally generated, standard policy routing won't work
> > here -- i tried the openvpn --bind option to no avail.
> 
> Try adding 'local x.x.x.x;' to the custom options box on the config;
> that should allow it to use a specific local IP on the box from which to
> source its traffic.

brain dead -- i meant "local" instead of "bind"

turns out that the problem is running 2 openvpn instances -- if i use
"local" for different openvpn declarations, it doesn't seem to work.

can't reboot the unit until tonight.

have you successfully bound openvpn to two different adapters in
pfsense?

thanks

m





Re: [pfSense Support] openvpn TLS

2010-04-19 Thread i...@unseregedanken.de
you will have to add the side identification integer to the string of the
tls-auth directive.

for the server-side configuration use ..

"tls-auth /var/etc/openvpn_server0.tls 0"
                                       ^

and for the client ..

"tls-auth /var/etc/openvpn_server0.tls 1"
                                       ^

hope this helps .. for more information have an eye on the openvpn
configuration howto :-)

http://openvpn.net/index.php/open-source/documentation/howto.html#security

Nick Upson wrote:
> right, I took a working openvpn tunnel, added "tls-auth
> /var/etc/openvpn_server0.tls" to the server (pfsense) and enabled
> tls-auth in the client. then made the client reconnect, the file is
> the same one copied to both machines. I just get
> 
> "TLS error: TLS key negociation failed to occur within 60 seconds"
> 
> On 17 April 2010 19:27, i...@unseregedanken.de  wrote:
>> Nick,
>>
>> can you please give some feedback?
>>
>> jan
>>
>> i...@unseregedanken.de wrote:
>>> Hi Nick,
>>>
>>> Nick Upson wrote:
>>>> thanks, I now get
>>>>
>>>> openvpn[24699]: Options error: Unrecognized option or missing
>>>> parameter(s) in /var/etc/openvpn_server0.conf:22: tls_auth (2.0.6)
>>>> when trying to start the server, the key was generated on our
>>>> certificates machine if that makes any difference
>>> you have a typo in your syntax just try it with "tls-auth" instead of
>>> "tls_auth" :-)
>>>
>>> kind regards
>>> Jan




Re: [pfSense Support] openvpn TLS

2010-04-19 Thread Nick Upson
On 19 April 2010 13:20, i...@unseregedanken.de  wrote:
> you will have to add the side identification integer to the string of the
> tls-auth directive.
>
> for the server-side configuration use ..
>
>        "tls-auth /var/etc/openvpn_server0.tls 0"
>                                               ^
>
> and for the client ..
>
>        "tls-auth /var/etc/openvpn_server0.tls 1"


openvpn[50734]: Key file '/var/etc/openvpn_server0.tls' used in
--tls-auth contains insufficient key material [keys found=1
required=2] -- try generating a new key file with 'openvpn --genkey
--secret [file]', or use the existing key file in bidirectional mode
by specifying --tls-auth without a key direction parameter

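The two exchanges above (Jan's server 0 / client 1 direction values and the "keys found=1 required=2" error Nick hit) come down to how OpenVPN counts the keys in a static key file. The script below is an added example, not code from the thread or from OpenVPN: it parses a "Static key V1" file, counts 128-byte key slots (64-byte cipher key + 64-byte HMAC key each), applies the same needs-one-or-two-keys rule, and shows which slot each direction sends and receives with. The sample key files are constructed with random bytes; real ones come from `openvpn --genkey --secret FILE`.

```python
"""Check an OpenVPN static key file for use with tls-auth.

Added example (not from the thread). A static key file holds one or two
128-byte keys; tls-auth with a direction parameter (server 0, client 1)
needs two keys, bidirectional tls-auth (no direction) needs only one.
"""
import re
import secrets

BEGIN = "-----BEGIN OpenVPN Static key V1-----"
END = "-----END OpenVPN Static key V1-----"
KEY_BYTES = 128  # one key slot: 64-byte cipher key + 64-byte HMAC key


def parse_static_key(text):
    """Return the raw key bytes from an OpenVPN 'Static key V1' file."""
    m = re.search(re.escape(BEGIN) + r"(.*?)" + re.escape(END), text, re.S)
    if not m:
        raise ValueError("no OpenVPN Static key V1 block found")
    hexdata = "".join(m.group(1).split())  # drop newlines and whitespace
    if len(hexdata) % 2 or not re.fullmatch(r"[0-9a-fA-F]*", hexdata):
        raise ValueError("key block is not valid hex")
    return bytes.fromhex(hexdata)


def key_slots(direction):
    """Key slot each side sends with / expects to receive with.

    direction 0 (server side): send with key 0, receive with key 1.
    direction 1 (client side): send with key 1, receive with key 0.
    None (bidirectional): key 0 is used both ways, so one key suffices.
    """
    if direction is None:
        return {"out": 0, "in": 0, "need_keys": 1}
    if direction == 0:
        return {"out": 0, "in": 1, "need_keys": 2}
    if direction == 1:
        return {"out": 1, "in": 0, "need_keys": 2}
    raise ValueError("key direction must be 0, 1 or None")


def check_tls_auth(text, direction=None):
    """Mimic the keys-found / keys-required check for a given direction."""
    raw = parse_static_key(text)
    keys_found = len(raw) // KEY_BYTES
    required = key_slots(direction)["need_keys"]
    return {"keys_found": keys_found, "required": required,
            "ok": keys_found >= required}


def peers_match(server_direction, client_direction):
    """True when each side sends with the slot the other side reads."""
    s, c = key_slots(server_direction), key_slots(client_direction)
    return s["out"] == c["in"] and c["out"] == s["in"]


def make_key_file(nkeys):
    """Constructed sample key file with nkeys random 128-byte keys."""
    hexdata = secrets.token_bytes(KEY_BYTES * nkeys).hex()
    body = [hexdata[i:i + 32] for i in range(0, len(hexdata), 32)]
    return "\n".join([BEGIN, *body, END]) + "\n"


if __name__ == "__main__":
    short_key = make_key_file(1)  # 1024-bit file: bidirectional use only
    full_key = make_key_file(2)   # 2048-bit file, as --genkey produces
    print("short key, direction 0:", check_tls_auth(short_key, 0))
    print("full key, direction 0: ", check_tls_auth(full_key, 0))
    print("server 0 / client 1 match:", peers_match(0, 1))
    print("server 0 / client 0 match:", peers_match(0, 0))
```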



Re: [pfSense Support] openvpn TLS

2010-04-19 Thread i...@unseregedanken.de
can you try to regenerate the tls key file on your pfsense box and then
copy it to your clients? afaik your current key has not been generated on
your pfsense box, right? maybe that's why it says that there is not enough
key material to proceed ..

pfbox # openvpn --genkey --secret /var/etc/openvpn_server0.tls
pfbox # scp /var/etc/openvpn_server0.tls @:/path/to/dir/

and then retry. at the beginning I mentioned a similar procedure but also
had a typo in it - sorry for that (in the "openvpn --genkey.." two genkey
parameters were included ..).

Nick Upson wrote:
>   openvpn[50734]: Key file '/var/etc/openvpn_server0.tls' used in
> --tls-auth contains insufficient key material [keys found=1
> required=2] -- try generating a new key file with 'openvpn --genkey
> --secret [file]', or use the existing key file in bidirectional mode
> by specifying --tls-auth without a key direction parameter





Re: [pfSense Support] openvpn TLS

2010-04-19 Thread Nick Upson
I can try that out but the permanent solution needs to use the
existing tls key, as it's also used, without problems, elsewhere and
we don't want the headache of more key files than necessary

On 19 April 2010 14:36, i...@unseregedanken.de  wrote:
> can you try to regenerate the tls key file on your pfsense box and then
> copy it to your clients? afaik your current key has not been generated on
> your pfsense box, right? maybe that's why it says that there is not enough
> key material to proceed ..
>
> pfbox # openvpn --genkey --secret /var/etc/openvpn_server0.tls
> pfbox # scp /var/etc/openvpn_server0.tls @:/path/to/dir/
>
> and then retry. at the beginning I mentioned a similar procedure but also
> had a typo in it - sorry for that (in the "openvpn --genkey.." two genkey
> parameters were included ..).
>
> Nick Upson wrote:
>>       openvpn[50734]: Key file '/var/etc/openvpn_server0.tls' used in
>> --tls-auth contains insufficient key material [keys found=1
>> required=2] -- try generating a new key file with 'openvpn --genkey
>> --secret [file]', or use the existing key file in bidirectional mode
>> by specifying --tls-auth without a key direction parameter
>
>




Re: [pfSense Support] openvpn TLS

2010-04-19 Thread i...@unseregedanken.de
Nick Upson wrote:
> I can try that out but the permanent solution needs to use the
> existing tls key, as it's also used, without problems, elsewhere and
> we don't want the headache of more key files than necessary

So you're already using the respective key with other openvpn instances?
can you post your client and server configs?




Re: [pfSense Support] openvpn TLS

2010-04-19 Thread Nick Upson
yes, the ta key works fine against an openvpn server on fedora over wlan

which part of the configs do you need?

On 19 April 2010 14:46, i...@unseregedanken.de  wrote:
> Nick Upson wrote:
>> I can try that out but the permanent solution needs to use the
>> existing tls key, as it's also used, without problems, elsewhere and
>> we don't want the headache of more key files than necessary
>
> So you're already using the respective key with other openvpn instances?
> can you post your client and server configs?
>




Re: [pfSense Support] openvpn TLS

2010-04-19 Thread info
On 04/19/2010 03:54 PM Nick Upson wrote:
> yes, the ta key works fine against an openvpn server on fedora over wlan
>
> which part of the configs do you need?

It would be great to have a look at both the client and the server config.




Re: [pfSense Support] policy routing openvpn -- how to select interface/gateway for openvpn HELP!

2010-04-19 Thread mayak-cq
On Mon, 2010-04-19 at 14:07 +0200, mayak-cq wrote:
> On Mon, 2010-04-19 at 07:27 -0400, Jim Pingle wrote:
> > On 4/19/2010 5:40 AM, mayak-cq wrote:
> > > i have a pfsense box with two interfaces (not sharing the same media or
> > > gateway).
> > > 
> > > i need for openvpn to use a specific interface/gateway to bind to.
> > > 
> > > as packets are internally generated, standard policy routing won't work
> > > here -- i tried the openvpn --bind option to no avail.
> > 
> > Try adding 'local x.x.x.x;' to the custom options box on the config;
> > that should allow it to use a specific local IP on the box from which to
> > source its traffic.
> 
> brain dead -- i meant "local" instead of "bind"
> 
> turns out that the problem is running 2 openvpn instances -- if i use
> "local" for different openvpn declarations, it doesn't seem to work.
> 
> can't reboot the unit until tonight.
> 
> have you successfully bound openvpn to two different adapters in
> pfsense?


ok -- so i have used the "local" option for each openvpn instance, but
the openvpn client process still uses the lowest numbered gateway and
starts the packets going out the wrong interface.

i guess the question is: how do you tell openvpn what gateway to use to
establish the vpn? one would have thought that if the openvpn process
was bound to sis4's interface, that it would have used sis4's gateway to
send packets. indeed, it does not.

badly need help!

thanks

m






[pfSense Support] no packages for 2.0

2010-04-19 Thread David Burgess
The Available Packages page for 2.0 beta x86_64 full snapshot from
Friday shows no packages, with the warning "Unable to communicate with
www.pfsense.com. Please verify DNS and interface configuration, and
that pfSense has functional Internet connectivity." My DNS works. I
don't see anything related in the forum. Am I doing it wrong?

db




Re: [pfSense Support] no packages for 2.0

2010-04-19 Thread Fuchs, Martin
Same here

-Original Message-
From: David Burgess [mailto:apt@gmail.com] 
Sent: Monday, 19 April 2010 19:58
To: support
Subject: [pfSense Support] no packages for 2.0

The Available Packages page for 2.0 beta x86_64 full snapshot from
Friday shows no packages, with the warning "Unable to communicate with
www.pfsense.com. Please verify DNS and interface configuration, and
that pfSense has functional Internet connectivity." My DNS works. I
don't see anything related in the forum. Am I doing it wrong?

db





[pfSense Support] Wierd CARP problem

2010-04-19 Thread Joshua Schmidlkofer
I have a site in Jacksonville, FL.   We have two Watchguard Firebox
X700s, with upgraded RAM and a pfSense embedded deployment.

 Since installation we have had WEIRD problems with the VPN.  We
THOUGHT it was the vpn.  However, weeks and work revealed an apparent
switch problem.  Basically, what we've determined is happening is that
our HP 2524 is getting confused and moving the internal CARP address
over to the second firewall.

 Our firewalls are designated "JAX1" and "JAX2".  Our switch is "JAX".
 The Config is like this:

10.5.1.1 -- CARP0, Default Gateway
10.5.1.2 -- JAX1
10.5.1.3 -- JAX2
10.5.1.10 -- HPSW


 When we startup, we get this:

(from the switch CLI)
JAX LAN# show arp

 IP ARP table

  IP Address  MAC Address    Type     Port
  ----------  -------------  -------  ----
  10.5.1.1    00005e-000102  dynamic
  10.5.1.2    00907f-321b15  dynamic  18
  10.5.1.52   002682-2dadc0  dynamic  3


When the tunnel goes down, we get this:

JAX LAN# show arp

 IP ARP table

  IP Address  MAC Address    Type     Port
  ----------  -------------  -------  ----
  10.5.1.1    00005e-000102  dynamic  24
  10.5.1.2    00907f-321b15  dynamic  18
  10.5.1.52   002682-2dadc0  dynamic  3


In this case, port 24 is JAX2.  The switch never seems to pick up
10.5.1.3, which is JAX2, and only the tunnel/routing traffic becomes
diverted.  Does anyone have any idea / practical advice?   The only
other idea which I have is to purchase a cheap-ass 5 port switch and
interpose that to eliminate the HP needing to think at all.

I have Spanning Tree disabled, and no VLANs or other config
adjustments.  I just upgraded firmware to latest and I have no clue
what is causing this.   Please help.

Sincerely,
 Joshua




Re: [pfSense Support] Wierd CARP problem

2010-04-19 Thread Evgeny Yurchenko

Joshua Schmidlkofer wrote:
> I have a site in Jacksonville, FL.   We have two Watchguard Firebox
> X700s, with upgraded RAM and a pfSense embedded deployment.
>
>  Since installation we have had WEIRD problems with the VPN.  We
> THOUGHT it was the vpn.  However, weeks and work revealed an apparent
> switch problem.  Basically, what we've determined is happening is that
> our HP 2524 is getting confused and moving the internal CARP address
> over to the second firewall.
>
> ...
>
> Sincerely,
>  Joshua

Does the pfSense log say CARP is moved from Active to Passive?
Evgeny.




Re: [pfSense Support] no packages for 2.0

2010-04-19 Thread Jim Pingle
On 4/19/2010 1:57 PM, David Burgess wrote:
> The Available Packages page for 2.0 beta x86_64 full snapshot from
> Friday shows no packages, with the warning "Unable to communicate with
> www.pfsense.com. Please verify DNS and interface configuration, and
> that pfSense has functional Internet connectivity." My DNS works. I
> don't see anything related in the forum. Am I doing it wrong?

It's probably looking for a package file that doesn't exist. Did this
ever work before?

I'm not sure if there are any 64-bit packages setup in the repo yet.




Re: [pfSense Support] no packages for 2.0

2010-04-19 Thread David Burgess
On Mon, Apr 19, 2010 at 1:29 PM, Jim Pingle  wrote:

> It's probably looking for a package file that doesn't exist. Did this
> ever work before?

It's the first time I've tried PFS on 64-bit.

> I'm not sure if there are any 64-bit packages setup in the repo yet.

That's possible, and unfortunate.

db




Re: [pfSense Support] Wierd CARP problem

2010-04-19 Thread Joshua Schmidlkofer
> Does the pfSense log say CARP is moved from Active to Passive?
> Evgeny.

Evgeny,

 It appears we are getting some of that: (JAX2)

Apr 19 14:48:13 kernel: carp1: link state changed to DOWN
Apr 19 14:48:13 kernel: carp1: MASTER -> BACKUP (more frequent
advertisement received)
Apr 19 14:48:10 kernel: carp1: link state changed to UP
Apr 19 14:48:07 kernel: carp1: link state changed to DOWN
Apr 19 14:48:07 kernel: carp1: MASTER -> BACKUP (more frequent
advertisement received)
..
Apr 19 14:31:22 kernel: carp1: MASTER -> BACKUP (more frequent
advertisement received)
Apr 19 14:31:14 kernel: carp1: link state changed to UP
Apr 19 14:31:10 kernel: carp1: link state changed to DOWN
Apr 19 14:31:10 kernel: carp1: MASTER -> BACKUP (more frequent
advertisement received)
Apr 19 14:31:07 kernel: carp1: link state changed to UP


 I have just been brought in (again) for this problem, and I now see
another correlation.   I just realized that the timestamps of the
CARP1 UP match a message from JAX1: kernel: re1: watchdog timeout

  Apparently, this may be the source of my problem.

Sincerely,
 Joshua

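The correlation Joshua did by eye above (carp1 coming UP on JAX2 at the same moments JAX1 logs "re1: watchdog timeout") is easy to automate. The script below is an added example, not from the thread: it parses pfSense kernel log lines in the format quoted above, flags a CARP interface that is demoted MASTER -> BACKUP repeatedly within a time window, and pairs each CARP link-UP on the backup with a NIC watchdog timeout on the master within a few seconds. The JAX2 lines are taken from the message above (unwrapped, oldest first); the JAX1 lines are constructed.

```python
"""Spot CARP flapping in pfSense kernel logs and tie it to NIC watchdog
timeouts on the other cluster node.

Added example, not from the thread. Assumes the syslog-style format shown
in the thread: "Mon DD HH:MM:SS kernel: <iface>: <message>" (no year).
"""
import re
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) kernel: (\w+): (.*)$")

# JAX2 (backup node) lines from the thread, in chronological order.
JAX2_LOG = """\
Apr 19 14:31:07 kernel: carp1: link state changed to UP
Apr 19 14:31:10 kernel: carp1: MASTER -> BACKUP (more frequent advertisement received)
Apr 19 14:31:10 kernel: carp1: link state changed to DOWN
Apr 19 14:31:14 kernel: carp1: link state changed to UP
Apr 19 14:31:22 kernel: carp1: MASTER -> BACKUP (more frequent advertisement received)
Apr 19 14:48:07 kernel: carp1: MASTER -> BACKUP (more frequent advertisement received)
Apr 19 14:48:07 kernel: carp1: link state changed to DOWN
Apr 19 14:48:10 kernel: carp1: link state changed to UP
Apr 19 14:48:13 kernel: carp1: MASTER -> BACKUP (more frequent advertisement received)
Apr 19 14:48:13 kernel: carp1: link state changed to DOWN
"""

# Constructed: what the master (JAX1) might log when its LAN NIC stalls.
JAX1_LOG = """\
Apr 19 14:31:06 kernel: re1: watchdog timeout
Apr 19 14:31:13 kernel: re1: watchdog timeout
Apr 19 14:40:00 kernel: re0: link state changed to UP
Apr 19 14:48:09 kernel: re1: watchdog timeout
"""


def parse(log):
    """Return (timestamp, interface, message) for each kernel line."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")  # year-less stamp
            events.append((ts, m.group(2), m.group(3)))
    return events


def carp_demotions(events):
    """Timestamps at which each carp interface lost MASTER."""
    per_iface = {}
    for ts, iface, msg in events:
        if iface.startswith("carp") and "MASTER -> BACKUP" in msg:
            per_iface.setdefault(iface, []).append(ts)
    return per_iface


def max_in_window(timestamps, window_seconds):
    """Largest number of events inside any window of the given length."""
    stamps = sorted(timestamps)
    window = timedelta(seconds=window_seconds)
    return max((sum(1 for t in stamps[i:] if t - start <= window)
                for i, start in enumerate(stamps)), default=0)


def flapping(events, window_seconds=600, threshold=2):
    """Interfaces demoted at least `threshold` times within one window."""
    result = {}
    for iface, stamps in carp_demotions(events).items():
        n = max_in_window(stamps, window_seconds)
        if n >= threshold:
            result[iface] = n
    return result


def correlate(backup_events, master_events, tolerance_seconds=5):
    """Pair each CARP link-UP on the backup with a watchdog timeout on the
    master that happened within the tolerance (in either order)."""
    tol = timedelta(seconds=tolerance_seconds)
    watchdogs = [(ts, iface) for ts, iface, msg in master_events
                 if msg == "watchdog timeout"]
    pairs = []
    for ts, iface, msg in backup_events:
        if iface.startswith("carp") and msg == "link state changed to UP":
            for wts, nic in watchdogs:
                if abs(wts - ts) <= tol:
                    pairs.append((ts.strftime("%H:%M:%S"), nic, wts.strftime("%H:%M:%S")))
    return pairs


if __name__ == "__main__":
    jax2, jax1 = parse(JAX2_LOG), parse(JAX1_LOG)
    print("flapping:", flapping(jax2))
    for carp_ts, nic, wd_ts in correlate(jax2, jax1):
        print(f"JAX2 carp UP at {carp_ts} <-> JAX1 {nic} watchdog timeout at {wd_ts}")
```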



Re: [pfSense Support] Wierd CARP problem

2010-04-19 Thread Evgeny Yurchenko

Joshua Schmidlkofer wrote:
>> Does the pfSense log say CARP is moved from Active to Passive?
>> Evgeny.
>
> Evgeny,
>
>  It appears we are getting some of that: (JAX2)
>
> Apr 19 14:48:13 kernel: carp1: link state changed to DOWN
> Apr 19 14:48:13 kernel: carp1: MASTER -> BACKUP (more frequent
> advertisement received)
> Apr 19 14:48:10 kernel: carp1: link state changed to UP
> Apr 19 14:48:07 kernel: carp1: link state changed to DOWN
> Apr 19 14:48:07 kernel: carp1: MASTER -> BACKUP (more frequent
> advertisement received)
> ..
> Apr 19 14:31:22 kernel: carp1: MASTER -> BACKUP (more frequent
> advertisement received)
> Apr 19 14:31:14 kernel: carp1: link state changed to UP
> Apr 19 14:31:10 kernel: carp1: link state changed to DOWN
> Apr 19 14:31:10 kernel: carp1: MASTER -> BACKUP (more frequent
> advertisement received)
> Apr 19 14:31:07 kernel: carp1: link state changed to UP
>
>  I have just been brought in (again) for this problem, and I now see
> another correlation.   I just realized that the timestamps of the
> CARP1 UP match a message from JAX1: kernel: re1: watchdog timeout
>
>   Apparently, this may be the source of my problem.
>
> Sincerely,
>  Joshua

Yes, do not blame your switch, something is wrong with your pfSense 
cluster. Most probably your re1 becomes overloaded with traffic.

Evgeny.





Re: [pfSense Support] no packages for 2.0

2010-04-19 Thread Evgeny Yurchenko

David Burgess wrote:
> On Mon, Apr 19, 2010 at 1:29 PM, Jim Pingle  wrote:
>
>> It's probably looking for a package file that doesn't exist. Did this
>> ever work before?
>
> It's the first time I've tried PFS on 64-bit.
>
>> I'm not sure if there are any 64-bit packages setup in the repo yet.
>
> That's possible, and unfortunate.
>
> db

Apparently there is no proper pkg_config.8.xml.XXX  (or 
pkg_config.7.xml.XXX - depends on FreeBSD version) file for these boxes.

From xmlrpc.php:
   if($params['freebsd_machine'])
       if($params['freebsd_machine'] != "i386")
           $freebsd_machine = "." . $params['freebsd_machine'];

Can you trace what request is generated by your pfSense when you try to 
access list of available packages?

For example my 32-bit system generates (method name and parameters of the XML-RPC call):

pfsense.get_pkgs
  pkg: all
  info: noembedded, name, category, website, version, status, descr,
        maintainer, required_version, pkginfolink
  freebsd_version: 7

I think yours inserts freebsd_machine parameter in its request.

Evgeny.




Re: [pfSense Support] no packages for 2.0

2010-04-19 Thread David Burgess
On Mon, Apr 19, 2010 at 2:03 PM, Evgeny Yurchenko  wrote:

> Can you trace what request is generated by your pfSense when you try to
> access list of available packages?

Where would I find that?

db




Re: [pfSense Support] no packages for 2.0

2010-04-19 Thread Evgeny Yurchenko

David Burgess wrote:
> On Mon, Apr 19, 2010 at 2:03 PM, Evgeny Yurchenko  wrote:
>
>> Can you trace what request is generated by your pfSense when you try to
>> access list of available packages?
>
> Where would I find that?
>
> db


tcpdump -ni  -s0 -wpfSensePkg.cap host 69.64.6.21
Then load pfSensePkg.cap into Wireshark and see (or send it to me off-list).
Evgeny.





Re: [pfSense Support] no packages for 2.0

2010-04-19 Thread Scott Ullrich
On Mon, Apr 19, 2010 at 3:31 PM, David Burgess  wrote:

> On Mon, Apr 19, 2010 at 1:29 PM, Jim Pingle  wrote:
>
> > It's probably looking for a package file that doesn't exist. Did this
> > ever work before?
>
> It's the first time I've tried PFS on 64-bit.
>
> > I'm not sure if there are any 64-bit packages setup in the repo yet.
>
> That's possible, and unfortunate.
>
>
That is correct, I have not finished adding all of the 64 bit packages and
there are still a few math bugs in the base pfSense system when using amd64
versions of pfSense.

Scott


Re: [pfSense Support] Wierd CARP problem

2010-04-19 Thread Joshua Schmidlkofer
> Yes, do not blame your switch, something is wrong with your pfSense cluster.
> Most probably your re1 becomes overloaded with traffic.
> Evgeny.


Ok new problem: re1 watchdog timeout.   I think we have properly
disabled ACPI.  Anyone have any other advice?




Re: [pfSense Support] Wierd CARP problem

2010-04-19 Thread Chris Buechler
On Mon, Apr 19, 2010 at 4:38 PM, Joshua Schmidlkofer  wrote:
>
> Ok new problem: re1 watchdog timeout.   I think we have properly
> disabled ACPI.  Anyone have any other advice?
>

Change hardware. Those cheap NICs in the Watchguards have all kinds of problems.




Re: [pfSense Support] Wierd CARP problem

2010-04-19 Thread Joshua Schmidlkofer
>> Ok new problem: re1 watchdog timeout.   I think we have properly
>> disabled ACPI.  Anyone have any other advice?
>>
>
> Change hardware. Those cheap NICs in the Watchguards have all kinds of 
> problems.

Chris,

 Thanks, I appreciate your input.  I think we'll take your advice. =(
 Weak-sauce hardware!

Sincerely,
 Joshua




Re: [pfSense Support] Wierd CARP problem

2010-04-19 Thread Hans Maes



Joshua Schmidlkofer wrote:
>>> Ok new problem: re1 watchdog timeout.   I think we have properly
>>> disabled ACPI.  Anyone have any other advice?
>>
>> Change hardware. Those cheap NICs in the Watchguards have all kinds of problems.
>
> Chris,
>
>  Thanks, I appreciate your input.  I think we'll take your advice. =(
>  Weak-sauce hardware!

Just to confirm, I've seen the same watchdog timeout problem on two 
salvaged Firebox X500's running pfsense 1.x.x a few years ago.
Back then I tried about anything I could think of, never found a 
solution. Finally replaced the hardware to get it fixed.

There are a few forum threads about this as well.

Although it is definitely related to the type of NICs in the watchguard 
boards, I'm still not completely convinced this is 100% a hardware 
problem since the Watchguard Linux OS seems to work just fine on it. 
Sounds more like a FreeBSD driver problem to me, and therefore not 
directly related to pfsense.


Has anyone tested pfsense 2.0 on these fireboxes?
Since it is based on a newer version of FreeBSD, maybe an updated NIC 
driver solves these issues?


Regards,

H.


Re: [pfSense Support] Wierd CARP problem

2010-04-19 Thread Chris Buechler
On Mon, Apr 19, 2010 at 6:56 PM, Hans Maes  wrote:
>
> Although it is definitely related to the type of NICs in the watchguard
> boards, I'm still not completely convinced this is 100% a hardware problem
> since the Watchguard Linux OS seems to work just fine on it. Sounds more
> like a FreeBSD driver problem to me, and therefore not directly related to
> pfsense.
>

It's not a hardware problem any more than the countless workarounds
already in the Realtek drivers for hardware bugs are hardware
problems; it's likely just yet another quirk in a different
implementation of the same chipset that isn't worked around in
FreeBSD. It's most likely a hardware quirk with a software workaround
that doesn't exist in FreeBSD (7.2 at least).


> Has anyone tested pfsense 2.0 on these fireboxes?
> Since it is based on a newer version of FreeBSD, maybe an updated NIC driver
> solves these issues?
>

If anyone has any interest in putting in the time to help get it
fixed, that's where I would start, and post any problems to the
freebsd-net list. 2.0 is based on RELENG_8, what will become 8.1.




Re: [pfSense Support] 1.2.3-release rebooting

2010-04-19 Thread Chris Buechler
On Thu, Apr 15, 2010 at 3:17 PM, Bao Ha  wrote:
>
> Padlock does not have an issue that we know of! We have sold hundreds
> of VIA C7 systems with Padlock running pfSense. If it was a problem,
> we would have asked Chris B. to fix it.
>

I haven't seen it on any hardware that you guys sell, Bao. In fact our
primary colocation facility is running behind one VIA system from
Hacom and uses the Padlock with IPsec and OpenVPN with 0 problems.
Same for my primary firewall, and one other system I'm running in
production, and those of many of our support customers. Never seen a
problem on any of them.

I'm not sure if it's actually padlock related, and it definitely does
not affect all hardware with padlock as I've never seen it on a
variety of hardware from Hacom that run in some heavy duty roles, but
there have been at least a couple reports on the forum of people
seeing this after upgrading to a version that added back padlock
(without an accompanying FreeBSD version change IIRC).
