Re: [pfSense Support] pfsense 1.23 rc3 - ipsec VPN dies randomly, but stays active in the overview
IPSEC still dies silently from time to time. I have to restart racoon each and every now and then... (and I am preferring the old IPSEC SAs on all pfsense ends (which are 3 nodes now)).

I did install cron, but am not an active cron user (or knowledgeable)... would it be wise to restart the racoon service every now and then (or each morning at 5AM ?)

I am using my VPN tunnels only for network printers... so it's not really disturbing to have an on/off situation...

The odd thing is, when IPSEC dies between two PFSENSE platforms, nothing is being shown (the tunnel also seems active on both ends !! - but I cannot reach the destination anymore). On the linksys or dlink devices, the tunnel shows a state of unreachable... Restarting racoon on both pfsense-ends helps me out of this situation...

On Wed, Nov 25, 2009 at 12:20 AM, Michel Servaes mic...@mcmc.be wrote:
>>> Since I have added two IPSEC tunnels to both Linksys' RV042 - my VPN connections start to die randomly, but stay active in both the webgui's overview (both, I mean pfSense and the DLINK's) - but either way is impossible to ping each other !!
>> Have you tried checking the Prefer old IPsec SAs option under System > Advanced?
>> Jim
> No I haven't tried this one yet - as of now, I changed this option - will see if this helps... should I repost the outcome ?
> Thanks in advance.

---
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com
Commercial support available - https://portal.pfsense.org
[pfSense Support] Multiwan and DNS forwarder
First, this is the best routing product I have ever used. I had a box that was up and running for over two years!!! It only rebooted because of a failure in my UPS. I went ahead and updated to 1.2.3 seeing as the system uptime had reset anyway. Thanks for the excellent work!!!

I have a question. I use Multi-WAN with 1 cable modem, 1 DSL line and 1 T1 line. I set up Failover and have been very happy thus far. I am also using DNS forwarder. On each computer, pfSense assigns its own address as the DNS server. Then PF serves up the DNS. My question is, what link does PF use to get its DNS information? I would assume the WAN link, as this is the only link that it uses for package information also. If it is just the WAN link and I lose that connection, will the fail-over be of any real use? It seems like without being able to update the DNS, individual users will only be able to reach those sites in the cached DNS table. Am I correct in this?

Thanks for the help.

__ Information from ESET NOD32 Antivirus, version of virus signature database 5136 (20100521) __
The message was checked by ESET NOD32 Antivirus.
http://www.eset.com
Re: [pfSense Support] Multiwan and DNS forwarder
On Fri, May 21, 2010 at 11:38 AM, Ryan radiote...@aaremail.com wrote:
> First, this is the best routing product I have ever used. I had a box that was up and running for over two years!!! It only rebooted because of a failure in my UPS. I went ahead and updated to 1.2.3 seeing as the system uptime had reset anyway. Thanks for the excellent work!!!
>
> I have a question. I use Multi-WAN with 1 cable modem, 1 DSL line and 1 T1 line. I set up Failover and have been very happy thus far. I am also using DNS forwarder. On each computer, pfSense assigns its own address as the DNS server. Then PF serves up the DNS. My question is, what link does PF use to get its DNS information? I would assume the WAN link, as this is the only link that it uses for package information also. If it is just the WAN link and I lose that connection, will the fail-over be of any real use? It seems like without being able to update the DNS, individual users will only be able to reach those sites in the cached DNS table. Am I correct in this?
>
> Thanks for the help.

For such multi-WAN setups, I would recommend hard coding your DNS servers under System > General Setup and not allowing them to be overridden. Then add a static route for one of them so it always goes out your second WAN. Make sure the server you use will answer on the WAN for which it's being used; use Google's public DNS or OpenDNS and you don't have to worry about that.
Re: [pfSense Support] Multiwan and DNS forwarder
On Fri, May 21, 2010 at 12:07 PM, Chris Bagnall li...@minotaur.cc wrote:
>> For such multi-WAN setups, I would recommend hard coding your DNS...
>> ...Then add a static route for one of them so it always goes out your second WAN
>
> I agree with this entirely. It's perhaps worth mentioning here that you can improve the *perceived* speed of browsing from your users' perspective quite a bit by routing DNS queries out on a less-saturated WAN link.
>
> For example, most of the clients to whom we've supplied pfSense-based routers have at least two ADSL connections - one (or more) for general net use, and one for VoIP traffic. DNS traffic is usually sufficiently small that it doesn't affect VoIP quality, so, sending DNS queries out via the less-saturated VoIP ADSL can result in a reasonable improvement to perceived page load times.

In 1.2.3 and newer, the DNS forwarder queries all configured DNS servers simultaneously and takes the first response. So if you set it up so one goes out each WAN, you'll get that benefit automatically, plus the benefit that if the other WAN responds faster, it'll take that response.
RE: [pfSense Support] Multiwan and DNS forwarder
> In 1.2.3 and newer, the DNS forwarder queries all configured DNS servers simultaneously and takes the first response.

That's useful to know, thanks!

Regards,
Chris
--
For full contact details visit http://www.minotaur.it
This email is made from 100% recycled electrons
Re: [pfSense Support] pfsense 1.23 rc3 - ipsec VPN dies randomly, but stays active in the overview
On Fri, May 21, 2010 at 4:17 AM, Michel Servaes mic...@mcmc.be wrote:
> IPSEC still dies silently from time to time. I have to restart racoon each and every now and then... (and I am preferring the old IPSEC SAs on all pfsense ends (which are 3 nodes now))

Do you have the keepalive ping running, and is it pointing to an IP on the other end LAN (not the other endpoint router IP)?

I haven't had IPsec break since pfSense 1.2 came out. I used to get random drops that required stop/start of ipsec before then. What version are you running everywhere?

Oh... hmm. You seem to have one non-pfSense endpoint. I don't know if that's your problem then. My pfSense endpoints are very stable.
RE: [pfSense Support] Multiwan and DNS forwarder
> For such multi-WAN setups, I would recommend hard coding your DNS servers under System > General Setup and not allowing them to be overridden. Then add a static route for one of them so it always goes out your second WAN. Make sure the server you use will answer on the WAN for which it's being used; use Google's public DNS or OpenDNS and you don't have to worry about that.

Thanks for the reply. So I go to System > Static routes and add a new route. I guess I set the DNS server in the Destination Network field with a /32 and I put the default gateway of my T1 in the Gateway field. What do I put for the interface field? I don't see an interface for the pfsense traffic itself.
RE: [pfSense Support] Multiwan and DNS forwarder
-----Original Message-----
From: Gary Buckmaster [mailto:g...@s4f.com]
Sent: Friday, May 21, 2010 3:24 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Multiwan and DNS forwarder

> Actually, the easier way to do this is to use policy routes. Create aliases called ISP1DNS and ISP2DNS and put the appropriate DNS server IPs in those two aliases. Then create firewall rules on your LAN interface(s) above any load balancing rules which will match DNS traffic to the appropriate DNS servers and select the appropriate gateway.

I would think your approach would work if the end computer was requesting DNS from the real DNS server, not using DNS forwarding. I think the DNS request does not originate from the LAN, but from the router itself. I may be wrong in this though.
Re: [pfSense Support] Multiwan and DNS forwarder
On Fri, May 21, 2010 at 4:53 PM, Ryan radiote...@aaremail.com wrote:
> -----Original Message-----
> From: Gary Buckmaster [mailto:g...@s4f.com]
> Sent: Friday, May 21, 2010 3:24 PM
> To: support@pfsense.com
> Subject: Re: [pfSense Support] Multiwan and DNS forwarder
>
>> Actually, the easier way to do this is to use policy routes. Create aliases called ISP1DNS and ISP2DNS and put the appropriate DNS server IPs in those two aliases. Then create firewall rules on your LAN interface(s) above any load balancing rules which will match DNS traffic to the appropriate DNS servers and select the appropriate gateway.
>
> I would think your approach would work if the end computer was requesting DNS from the real DNS server, not using DNS forwarding. I think the DNS request does not originate from the LAN, but from the router itself. I may be wrong in this though.

Yeah, that is correct, if you're using the DNS forwarder you must use static routes.
Re: [pfSense Support] Multiwan and DNS forwarder
Chris Buechler wrote:
> On Fri, May 21, 2010 at 4:53 PM, Ryan radiote...@aaremail.com wrote:
>> -----Original Message-----
>> From: Gary Buckmaster [mailto:g...@s4f.com]
>> Sent: Friday, May 21, 2010 3:24 PM
>> To: support@pfsense.com
>> Subject: Re: [pfSense Support] Multiwan and DNS forwarder
>>
>>> Actually, the easier way to do this is to use policy routes. Create aliases called ISP1DNS and ISP2DNS and put the appropriate DNS server IPs in those two aliases. Then create firewall rules on your LAN interface(s) above any load balancing rules which will match DNS traffic to the appropriate DNS servers and select the appropriate gateway.
>>
>> I would think your approach would work if the end computer was requesting DNS from the real DNS server, not using DNS forwarding. I think the DNS request does not originate from the LAN, but from the router itself. I may be wrong in this though.
>
> Yeah, that is correct, if you're using the DNS forwarder you must use static routes.

Yeah, I missed that requirement on the first read-through. Didn't mean to give you a bum steer.
RE: [pfSense Support] Multiwan and DNS forwarder
> Yeah, I missed that requirement on the first read-through. Didn't mean to give you a bum steer.

That's OK. I've been running this fail-over setup for a while and just now thought of this scenario. It worked when I tested it over a year ago because I simply tested with ping. My WAN went out last week and I couldn't figure out why the fail-over failed. I found out it was a failure in my design.

smacks head in disgust
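Added example, not part of the original thread and not pfSense code: the "query every configured DNS server at once and take the first response" behaviour described above for 1.2.3, written as a Python check that tests failover with a real DNS query instead of ping. The function names and the TEST-NET-1 placeholder addresses are assumptions; list one resolver that is routed out each WAN.

```python
import secrets
import select
import socket
import struct
import time

def build_query(name, qid):
    """Minimal DNS A/IN query in RFC 1035 wire format, recursion desired."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def race_upstreams(upstreams, name, timeout=2.0):
    """Query every (ip, port) at once; return (upstream, reply) of the first valid answer, else None."""
    query = build_query(name, secrets.randbelow(1 << 16))  # unpredictable ID
    socks = {}
    for addr in upstreams:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        try:
            s.sendto(query, addr)
            socks[s] = addr
        except OSError:  # no usable route to this server right now
            s.close()
    deadline = time.monotonic() + timeout
    try:
        while socks and time.monotonic() < deadline:
            left = max(0.0, deadline - time.monotonic())
            ready, _, _ = select.select(list(socks), [], [], left)
            for s in ready:
                try:
                    reply, peer = s.recvfrom(4096)
                except OSError:  # error reported on this socket: drop it
                    del socks[s]
                    s.close()
                    continue
                # Accept only a response (QR bit) with our ID from the server asked.
                if (peer == socks[s] and len(reply) >= 12
                        and reply[:2] == query[:2] and reply[2] & 0x80):
                    return socks[s], reply
        return None
    finally:
        for s in socks:
            s.close()

if __name__ == "__main__":
    # Placeholder resolvers (TEST-NET-1), one per WAN; substitute your own.
    wans = [("192.0.2.1", 53), ("192.0.2.2", 53)]
    print(race_upstreams(wans, "example.com", timeout=1.0))
```

A `None` result with one WAN unplugged means no configured resolver is reachable over the surviving link, which is the failure a ping-only test does not reveal.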
[pfSense Support] pfSense 1.2.3 / squid performance issue.
Hi,

I am experiencing a problem with my pfSense installation(s) at one of my sites, my only US site. The same installation on the same hardware has worked perfectly at all my non US locations (6). (US info provided only because I am not based in US and thus am hoping someone based there may have experienced this).

In short, I have run pfSense 1.2.2 and pfSense 1.2.3 at this site, using a Dell 1950 machine and also running the machines under VMs (ESXI) on different hardware and have changed the NIC interface on the VMs from flexible to E1000 and still no luck.

When the machine is set as the default gateway with no proxy specified *Transparent enabled* the users can get excellent download / upload speeds. However the moment they set the same machine as their proxy, speed drops to between 8 - 11Kb/sec (always within this range, regardless of hardware pfSense is running on).

I have changed my link provider to see if this solves the problem but the same is experienced with both (old on 1.2.2, new on 1.2.3).

Does anyone have any ideas on what could cause this and how it can be resolved?

Thank you in advance.
Dominic.
Re: [pfSense Support] pfSense 1.2.3 / squid performance issue.
On Fri, May 21, 2010 at 11:05 PM, Dominic dominic@gmail.com wrote:
> Hi,
>
> I am experiencing a problem with my pfSense installation(s) at one of my sites, my only US site. The same installation on the same hardware has worked perfectly at all my non US locations (6). (US info provided only because I am not based in US and thus am hoping someone based there may have experienced this).
>
> In short, I have run pfSense 1.2.2 and pfSense 1.2.3 at this site, using a Dell 1950 machine and also running the machines under VMs (ESXI) on different hardware and have changed the NIC interface on the VMs from flexible to E1000 and still no luck.
>
> When the machine is set as the default gateway with no proxy specified *Transparent enabled* the users can get excellent download / upload speeds. However the moment they set the same machine as their proxy, speed drops to between 8 - 11Kb/sec (always within this range, regardless of hardware pfSense is running on).
>
> I have changed my link provider to see if this solves the problem but the same is experienced with both (old on 1.2.2, new on 1.2.3).
>
> Does anyone have any ideas on what could cause this and how it can be resolved?

http://doc.pfsense.org/index.php/Squid_Package_Tuning