[pfSense Support] Man Pages

2010-12-14 Thread James Bensley
Just out of curiosity, why does pfSense have no man pages?

-- 
Regards,
James.

http://www.jamesbensley.co.cc/

There are 10 kinds of people in the world; Those who understand
Vigesimal, and J others...?

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org



Re: [pfSense Support] Man Pages

2010-12-14 Thread Jim Pingle
On 12/14/2010 4:26 AM, James Bensley wrote:
> Just out of curiosity, why does pfSense have no man pages?

To save hard drive space, download space, etc.

The stock ones from FreeBSD can all be accessed on the web:
http://www.freebsd.org/cgi/man.cgi

Jim




Re: [pfSense Support] CARP support broken in kernel?

2010-12-14 Thread st41ker

Hello,

Is there any update on the issue?

On 11.12.2010 12:30, st41...@st41ker.net wrote:

Hello,

Understood. The requested changes have been made and the result is the
same.

Please clarify, what statistics exactly do you need?
Here is complete output of netstat -ss

#uptime; netstat -ss
12:28PM  up 33 mins, 2 users, load averages: 0.23, 0.23, 0.11
tcp:
 14643 packets sent
 6316 data packets (2478656 bytes)
 433 data packets (375832 bytes) retransmitted
 25 data packets unnecessarily retransmitted
 7266 ack-only packets (0 delayed)
 85 window update packets
 552 control packets
 12769 packets received
 6093 acks (for 2483590 bytes)
 255 duplicate acks
  packets (2405848 bytes) received in-sequence
 1 out-of-order packet (0 bytes)
 11 window update packets
 193 connection requests
 205 connection accepts
 4 ignored RSTs in the windows
 396 connections established (including accepts)
 388 connections closed (including 17 drops)
 119 connections updated cached RTT on close
 128 connections updated cached RTT variance on close
 41 connections updated cached ssthresh on close
 2 embryonic connections dropped
 5376 segments updated rtt (of 5566 attempts)
 638 retransmit timeouts
 12 connections dropped by rexmit timeout
 2 keepalive timeouts
 2 connections dropped by keepalive
 1986 correct data packet header predictions
 205 syncache entries added
 5 retransmitted
 3 dropped
 205 completed
 208 cookies sent
 130 SACK options (SACK blocks) received
udp:
 2200 datagrams received
 173 dropped due to no socket
 589 broadcast/multicast datagrams undelivered
 1438 delivered
 11169 datagrams output
sctp:
 Packet drop statistics:
 Timeouts:
ip:
 68772 total packets received
 125 bad header checksums
 56439 packets for this host
 6 packets for unknown/unsupported protocol
 7670 packets forwarded
 150 packets not forwardable
 29848 packets sent from this host
 1182 output packets discarded due to no route
icmp:
 1544 calls to icmp_error
 Output histogram:
 echo reply: 56
 destination unreachable: 148
 Input histogram:
 echo reply: 1900
 echo: 56
 56 message responses generated
 ICMP address mask responses are disabled
igmp:
 509 messages received
 506 membership reports received
 503 membership reports received with invalid field(s)
 15 membership reports sent
ipsec:
ah:
esp:
ipcomp:
pim:
carp:
 17235 packets received (IPv4)
 17225 discarded for bad vhid
 12296 packets sent (IPv4)
pfsync:
 21776 packets received (IPv4)
 21768 packets discarded for bad interface
 12898 packets sent (IPv4)
arp:
 2381 ARP requests sent
 61 ARP replies sent
 3735 ARP requests received
 27 ARP replies received
 3762 ARP packets received
 2317 total packets dropped due to no ARP entry
 26 ARP entrys timed out
ip6:
 51 total packets received
 51 packets sent from this host
 Input histogram:
 ICMP6: 51
 Mbuf statistics:
 0 one mbuf
 51 one ext mbuf
 0 two or more ext mbuf
 Source addresses selection rule applied:
icmp6:
 Output histogram:
 neighbor solicitation: 12
 MLDv2 listener report: 37
 Histogram of error messages to be generated:
ipsec6:
rip6:
pfkey:
 2 requests sent from userland
 32 bytes sent from userland
 histogram by message type:
 flush: 1
 x_spdflush: 1
 2 requests sent to userland
 32 bytes sent to userland
 histogram by message type:
 flush: 1
 x_spdflush: 1






According to ip_carp.c this counter (discarded for bad vhid) is
incremented each time the phys. interface on which the carp packet was
received does not contain any associated carp interface, or if the VHIDs of
the associated CARP interfaces do not contain the VHID got in the
received packet. IMHO the problem could be in binaries.
Anyway I've double checked each VLAN interface on router for CARP
packets that could get on the wrong one due to switch\pfSense
interface misconfiguration and there were no signs of such
misconfiguration. Every CARP packet is getting right to the destination.
Also there is intermittent CARP status 

Re: [pfSense Support] CARP support broken in kernel?

2010-12-14 Thread st41ker

I've updated bug 1072 (http://redmine.pfsense.org/issues/1072)


According to packet dump

carp vhid=1

192.168.252.254  224.0.0.18: VRRPv2, Advertisement, vrid 1, prio 0, 
authtype #128, intvl 1s, length 36, addrs(7): 
107.95.16.142,89.11.4.1,28.106.118.248,149.43.12.212,148.195.215.246,252.189.185.117,56.253.61.5

0x: 0100 5e00 0012  5e00 0101 0800 4510
0x0010: 0038 d66a 4000 ff70  c0a8 fcfe e000
0x0020: 0012 2101 0007 8001 b7a9 6b5f 108e 590b
0x0030: 0401 1c6a 76f8 952b 0cd4 94c3 d7f6 fcbd
0x0040: b975 38fd 3d05

carp vhid=256

192.168.253.254  224.0.0.18: VRRPv2, Advertisement, vrid 0, prio 0, 
authtype simple, intvl 1s, length 36, addrs(7): 
137.7.31.146,238.223.10.81,90.241.214.208,59.45.154.124,64.216.227.11,117.38.205.9,26.19.86.208[|vrrp]

0x: 0100 5e00 0012  5e00 0100 0800 4510
0x0010: 0038 8271 4000 ff70  c0a8 fdfe e000
0x0020: 0012 2100 0007 0101 5dc9 8907 1f92 eedf
0x0030: 0a51 5af1 d6d0 3b2d 9a7c 40d8 e30b 7526
0x0040: cd09 1a13 56d0

seems like there is something wrong with bit shifting for vhidx field 
(previously it was known as carp_pad1 field).
When interface's vhid=255 - it's always 1000b (0x80) and only when 
interface's vhid=255 everything works as expected.


2ALL: Temporary workaround for this situation is to use VHID greater 
than 255.




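Added example (not part of the original thread, and not pfSense or FreeBSD code): a decoder for the first eight bytes of the CARP header, run on the header bytes that start at offset 0x22 in the two packet dumps in the message above. Field order follows FreeBSD's struct carp_header; the rule that vhidx supplies the high byte of the VHID is an assumption inferred from the vhid=256 dump, and the names CarpHeader, parse_carp_header, combined_vhid and vhid_matches are made up for this example.

```python
import struct
from typing import NamedTuple


class CarpHeader(NamedTuple):
    version: int   # high nibble of byte 0
    type: int      # low nibble of byte 0 (1 = advertisement)
    vhid: int      # byte 1: low 8 bits of the virtual host ID
    advskew: int   # byte 2
    authlen: int   # byte 3: size of counter + digest in 32-bit words
    vhidx: int     # byte 4: carp_pad1 in stock FreeBSD, "vhidx" in the thread
    advbase: int   # byte 5: advertisement interval in seconds
    cksum: int     # bytes 6-7, network byte order


def parse_carp_header(payload: bytes) -> CarpHeader:
    """Decode the fixed 8-byte prefix of a CARP advertisement (IP protocol 112)."""
    if len(payload) < 8:
        raise ValueError("truncated CARP header: need 8 bytes, got %d" % len(payload))
    vt, vhid, advskew, authlen, vhidx, advbase, cksum = struct.unpack("!6BH", payload[:8])
    return CarpHeader(vt >> 4, vt & 0x0F, vhid, advskew, authlen, vhidx, advbase, cksum)


def combined_vhid(hdr: CarpHeader) -> int:
    # ASSUMPTION (not confirmed by the thread): vhidx is the high byte of an
    # extended VHID, as the vhid=256 dump (vhid=0x00, vhidx=0x01) suggests.
    return (hdr.vhidx << 8) | hdr.vhid


def vhid_matches(configured: int, hdr: CarpHeader) -> bool:
    """True when the wire fields decode to the VHID configured on the interface."""
    return combined_vhid(hdr) == configured


def describe(configured: int, payload: bytes) -> str:
    hdr = parse_carp_header(payload)
    verdict = "match" if vhid_matches(configured, hdr) else "MISMATCH"
    return "configured vhid=%d: wire vhid=0x%02x vhidx=0x%02x -> %d (%s)" % (
        configured, hdr.vhid, hdr.vhidx, combined_vhid(hdr), verdict)


# Header bytes copied from the two dumps in the thread (offsets 0x22-0x29).
DUMP_VHID_1 = bytes.fromhex("2101 0007 8001 b7a9")
DUMP_VHID_256 = bytes.fromhex("2100 0007 0101 5dc9")

if __name__ == "__main__":
    print(describe(1, DUMP_VHID_1))
    print(describe(256, DUMP_VHID_256))
```

Under that assumption the vhid=256 advertisement decodes to 256, while the vhid=1 advertisement decodes to 32769 because of the 0x80 carried in vhidx.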
[pfSense Support] dmesg of Supermicro Atom D510 with SSD drive

2010-12-14 Thread Mehma Sarja

Copyright (c) 1992-2009 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD is a registered trademark of The FreeBSD Foundation.
FreeBSD 7.2-RELEASE-p5 #0: Sun Dec  6 23:20:31 EST 2009

sullr...@freebsd_7.2_pfsense_1.2.3_snaps.pfsense.org:/usr/obj.pfSense/usr/pfSensesrc/src/sys/pfSense_SMP.7

Timecounter i8254 frequency 1193182 Hz quality 0
CPU: Intel(R) Atom(TM) CPU D510   @ 1.66GHz (1671.67-MHz 686-class CPU)
  Origin = GenuineIntel  Id = 0x106ca  Stepping = 10
  
Features=0xbfebfbffFPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,DTS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE

  Features2=0x40e31dSSE3,DTES64,MON,DS_CPL,TM2,SSSE3,CX16,xTPR,PDCM,b22
  AMD Features=0x2010NX,LM
  AMD Features2=0x1LAHF
  Cores per package: 2
  Logical CPUs per core: 2
real memory  = 3220701184 (3071 MB)
avail memory = 3145904128 (3000 MB)
ACPI APIC Table: 052610 APIC1327
FreeBSD/SMP: Multiprocessor System Detected: 4 CPUs
 cpu0 (BSP): APIC ID:  0
 cpu1 (AP/HT): APIC ID:  1
 cpu2 (AP): APIC ID:  2
 cpu3 (AP/HT): APIC ID:  3
ioapic0: Changing APIC ID to 4
ioapic0 Version 2.0 irqs 0-23 on motherboard
wlan: mac acl policy registered
kbd1 at kbdmux0
cryptosoft0: software crypto on motherboard
padlock0: No ACE support.
acpi0: SMCI  on motherboard
acpi0: [ITHREAD]
acpi0: Power Button (fixed)
acpi0: reservation of fee0, 1000 (3) failed
acpi0: reservation of 0, a (3) failed
acpi0: reservation of 10, bff0 (3) failed
Timecounter ACPI-fast frequency 3579545 Hz quality 1000
acpi_timer0: 24-bit timer at 3.579545MHz port 0x808-0x80b on acpi0
acpi_hpet0: High Precision Event Timer iomem 0xfed0-0xfed003ff on 
acpi0

Timecounter HPET frequency 14318180 Hz quality 900
pcib0: ACPI Host-PCI bridge port 0xcf8-0xcff on acpi0
pci0: ACPI PCI bus on pcib0
uhci0: UHCI (generic) USB controller port 0xcc00-0xcc1f irq 16 at 
device 26.0 on pci0

uhci0: [GIANT-LOCKED]
uhci0: [ITHREAD]
usb0: UHCI (generic) USB controller on uhci0
usb0: USB revision 1.0
uhub0: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1 on usb0
uhub0: 2 ports with 2 removable, self powered
uhci1: UHCI (generic) USB controller port 0xc880-0xc89f irq 21 at 
device 26.1 on pci0

uhci1: [GIANT-LOCKED]
uhci1: [ITHREAD]
usb1: UHCI (generic) USB controller on uhci1
usb1: USB revision 1.0
uhub1: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1 on usb1
uhub1: 2 ports with 2 removable, self powered
uhci2: UHCI (generic) USB controller port 0xc800-0xc81f irq 19 at 
device 26.2 on pci0

uhci2: [GIANT-LOCKED]
uhci2: [ITHREAD]
usb2: UHCI (generic) USB controller on uhci2
usb2: USB revision 1.0
uhub2: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1 on usb2
uhub2: 2 ports with 2 removable, self powered
ehci0: EHCI (generic) USB 2.0 controller mem 0xfebfbc00-0xfebfbfff irq 
18 at device 26.7 on pci0

ehci0: [GIANT-LOCKED]
ehci0: [ITHREAD]
usb3: EHCI version 1.0
usb3: companion controllers, 2 ports each: usb0 usb1 usb2
usb3: EHCI (generic) USB 2.0 controller on ehci0
usb3: USB revision 2.0
uhub3: Intel EHCI root hub, class 9/0, rev 2.00/1.00, addr 1 on usb3
uhub3: 6 ports with 6 removable, self powered
pcib1: ACPI PCI-PCI bridge irq 17 at device 28.0 on pci0
pci1: ACPI PCI bus on pcib1
pcib2: ACPI PCI-PCI bridge irq 17 at device 28.4 on pci0
pci2: ACPI PCI bus on pcib2
em0: Intel(R) PRO/1000 Network Connection 6.9.6 port 0xdc00-0xdc1f mem 
0xfe9e-0xfe9f,0xfe9dc000-0xfe9d irq 16 at device 0.0 on pci2

em0: Using MSIX interrupts
em0: [ITHREAD]
em0: [ITHREAD]
em0: [ITHREAD]
em0: Ethernet address: 00:25:90:04:6e:98
pcib3: ACPI PCI-PCI bridge irq 16 at device 28.5 on pci0
pci3: ACPI PCI bus on pcib3
em1: Intel(R) PRO/1000 Network Connection 6.9.6 port 0xec00-0xec1f mem 
0xfeae-0xfeaf,0xfeadc000-0xfead irq 17 at device 0.0 on pci3

em1: Using MSIX interrupts
em1: [ITHREAD]
em1: [ITHREAD]
em1: [ITHREAD]
em1: Ethernet address: 00:25:90:04:6e:99
uhci3: UHCI (generic) USB controller port 0xc480-0xc49f irq 23 at 
device 29.0 on pci0

uhci3: [GIANT-LOCKED]
uhci3: [ITHREAD]
usb4: UHCI (generic) USB controller on uhci3
usb4: USB revision 1.0
uhub4: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1 on usb4
uhub4: 2 ports with 2 removable, self powered
uhci4: UHCI (generic) USB controller port 0xc400-0xc41f irq 19 at 
device 29.1 on pci0

uhci4: [GIANT-LOCKED]
uhci4: [ITHREAD]
usb5: UHCI (generic) USB controller on uhci4
usb5: USB revision 1.0
uhub5: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1 on usb5
uhub5: 2 ports with 2 removable, self powered
uhci5: UHCI (generic) USB controller port 0xc080-0xc09f irq 18 at 
device 29.2 on pci0

uhci5: [GIANT-LOCKED]
uhci5: [ITHREAD]
usb6: UHCI (generic) USB controller on uhci5
usb6: USB revision 1.0
uhub6: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1 on usb6
uhub6: 2 ports with 2 removable, self powered
ehci1: EHCI (generic) USB 2.0 controller mem 

[pfSense Support] New Widgets

2010-12-14 Thread Yehuda Katz
What is the proper procedure for sending in a widget for inclusion in
pfsense?
I wrote a widget to do wake-on-lan from the main page.

- Yehuda


Re: HA: Re: HA: Re: HA: Re: [pfSense Support] 2.0 - don't work Ipsec!

2010-12-14 Thread Chris Buechler
2010/12/14  drova...@kaluga-gov.ru:
> Hi,
>
> Monowall works with similar options, but pfsense does not work!
> Problem: Have bought new hardware, network the driver are present only in
> freebsd 8.0!
>
> The decision: has put vmware esxi and in him monowall - all works!


Both use the same underlying software, we just have much newer
versions of it, and the actual underlying configs are all fine. Hard
to say what might be happening, you'll need to put racoon in debug
mode and provide logs.




Re: [pfSense Support] pfsense 1.2.3 firewall settings and static routes

2010-12-14 Thread Chris Buechler
2010/12/13 Maik Heinelt m...@vegasystems.com:

> I still have trouble with pfsense and several routing settings.
>
> Our main network: 192.168.144.x
>
> ISDN router 192.168.144.254 (is used to do RDP connection to our customers
> Server)
>
> So I added a static route looks like the following:
>
> Interface: LAN        Network: 192.168.111.0/24    Gateway: 192.168.144.254
>
> If I now ping our customers server (192.168.111.1), the ISDN router start a
> connection and I can ping the server.
> So this looks like it is working.
> But if I try to open RDP connection to our customers server, I cannot
> connect at all.
> So I guessed, it must be a firewall reason.
>
> I had set a firewall rule looked like that:
>
> For LAN:
> Proto: *    Source: 192.168.144.0/24    Port: *    Destination: 192.168.111.0/24    Port: *    Gateway: *
>
> Also System > Advanced > Static route filtering is checked.


You do need that, and with that checked you can't be blocking any
traffic through that firewall. You should do a packet capture on LAN
of the firewall, you should see the SYN going in and coming out of the
interface, and I expect you'll see no other traffic. Also do a capture
on the host initiating the connection. Most likely cause is either a
host based firewall, or a firewall somewhere else in between, that
either allows pings but not RDP, or isn't set up appropriately to
handle asymmetrically routed traffic on the other end of the ISDN.




Re: [pfSense Support] New Widgets

2010-12-14 Thread Chris Buechler
On Tue, Dec 14, 2010 at 11:11 PM, Yehuda Katz yeh...@ymkatz.net wrote:
> What is the proper procedure for sending in a widget for inclusion in
> pfsense?
> I wrote a widget to do wake-on-lan from the main page.

You can submit a feature request ticket at redmine.pfsense.org and
attach the file(s).
