Re: [pfSense Support] Buttons or menu options

2011-02-09 Thread Chris Buechler
On Tue, Feb 1, 2011 at 4:07 PM, Atkins, Dwane P atki...@uthscsa.edu wrote:

 When I click on certain buttons or options, I will get the source code
 instead of results.

 The latest was http://10.10.10.10/reboot.php.  I clicked on the reboot menu
 option and it gave me source code.

 Is there a way to stop this?


Never heard of anything like that and apparently others haven't
either. I'm not sure what to suggest. Does it have any kind of
pattern, only happen on systems where captive portal is enabled or
something of that nature?

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org



[pfSense Support] Multiwan failover

2011-02-09 Thread Mark Wiater
Good day everyone,

I was hoping to open or reopen a discussion about how pfSense reacts to a 
gateway failure in a multiwan configuration. I think there was an attempt to 
address this in http://redmine.pfsense.org/issues/880.

I use both 1.2 and 2.0.

I'm an advocate for changing the default route to a valid wan interface in the 
event that the interface holding the default route fails monitoring.

I work with a couple of other firewall brands, coincidentally also FreeBSD 
based, that do support default route changes based on reachability and it works 
very very well. Users don't even know what's happened. And isn't that the point 
of having multiwan (at least one of the points).

So... In the issue, Ermal indicates that it's taken care of in 2.0 in another 
way. I think I missed what that other way is. Because if the interface that 
holds my default route goes down, lots of traffic doesn't end up hitting the 
internet unless it sources from an internal network and I've got a policy route 
in pf.

Is a dynamic default route change out of the question? What is the other way to 
effect the same behavior in 2.0?

Thanks

Mark








Re: [pfSense Support] Multiwan failover

2011-02-09 Thread Ermal Luçi
On Wed, Feb 9, 2011 at 11:50 AM, Mark Wiater mark.wia...@greybeam.com wrote:
 Good day everyone,

 I was hoping to open or reopen a discussion about how pfSense reacts to a 
 gateway failure in a multiwan configuration. I think there was an attempt to 
 address this in http://redmine.pfsense.org/issues/880.

 I use both 1.2 and 2.0.

 I'm an advocate for changing the default route to a valid wan interface in 
 the event that the interface holding the default route fails monitoring.

 I work with a couple of other firewall brands, coincidentally also FreeBSD 
 based, that do support default route changes based on reachability and it 
 works very very well. Users don't even know what's happened. And isn't that 
 the point of having multiwan (at least one of the points).

 So... In the issue, Ermal indicates that it's taken care of in 2.0 in another 
 way. I think I missed what that other way is. Because if the interface that 
 holds my default route goes down, lots of traffic doesn't end up hitting the 
 internet unless it sources from an internal network and I've got a policy 
 route in pf.


It will be taken care of by pf(4) policy routing. In pfSense there are
enhancements in the kernel to support that.

 Is a dynamic default route change out of the question? What is the other way 
 to effect the same behavior in 2.0?

Not that it's out of the question, but the way things work right now
it's not the best option and the pf(4) fix works quite OK.
On 2.0 you can even run without a default gateway, from what I have tested.

Though for later releases this might be revisited, but it's low priority for now.


 Thanks

 Mark










-- 
Ermal




Re: [pfSense Support] Country Block anomalies

2011-02-09 Thread Gerald Waugh
Bump!

On Sun, 2011-02-06 at 08:29 -0600, Gerald Waugh wrote:
 Having some foreign-to-the-US country IPs getting through the firewall.
 Country Block is running and the countries are enabled for blocking
   blocking 59817 Networks
 
 for example;
 203.81.81.253   # MM Myanmar
 sending snmp packets through the firewall
 
 I have had several probes this morning, Brazil, Argentina, Germany
 
-- 
Gerald 





Re: [pfSense Support] Multiwan failover

2011-02-09 Thread Mark Wiater
On 2/9/2011 9:12 AM,  Ermal Luçi said:
 On Wed, Feb 9, 2011 at 11:50 AM, Mark Wiater mark.wia...@greybeam.com wrote:

 So... In the issue, Ermal indicates that it's taken care of in 2.0 in another 
 way. I think I missed what that other way is. Because if the interface that 
 holds my default route goes down, lots of traffic doesn't end up hitting the 
 internet unless it sources from an internal network and I've got a policy 
 route in pf.

 It will be taken care of by pf(4) policy routing. In pfSense there are
 enhancements in the kernel to support that.
When my WAN interface, the default route goes down, things like squid and 
dnsmasq stop working for me, and I have multiple DNS entries in the general 
setup using the different gateways.

 Is a dynamic default route change out of the question? What is the other way 
 to effect the same behavior in 2.0?
 Not that it's out of the question, but the way things work right now
 it's not the best option and the pf(4) fix works quite OK.
 On 2.0 you can even run without a default gateway, from what I have tested.
In my experience, there are things that don't work from the firewall itself and 
that can cause somewhat significant problems. How does dns forwarder traffic or 
squid traffic know where to go if the default route is not functioning? Is 
there a configuration in pf that I'm missing?

It sounds like I'm missing some fundamental configuration concept to make it 
work as well and as reliably as you have. I thought I looked everywhere for the 
right way to configure multiwan but maybe I've missed it? Got any pointers?
 Though for later releases this might be revisited, but it's low priority for 
 now.

Thanks Ermal

Mark




[pfSense Support] pfSense WAN hang after 10mn

2011-02-09 Thread Sébastien Ebbo
Hello !

I'm using pfSense on a TEAK 3030 from ArinfoTek (Atom N270, 4 gigabit network 
ports, 82574L, http://www.arinfotek.com.tw/product.php?gid=1pid=39).

Configuration:
ISP Modem --> pfSense --> Gigabit Switch --> LAN
pfSense WAN set by DHCP and doing NAT
ISP Modem network port is 100Mbit/s (pfSense sees it as 100Mbit/s full 
duplex)
LAN port is at 1000Mbit/s 

The problem: It worked for one month without any problem before starting to do 
strange things:
- losing the internet connection
- no log at all when the disconnection appears
- RRD quality graph showing 100% packet loss during the time of the 
disconnection
- RRD traffic graph showing some data sent but no data received by the WAN 
interface
- The WAN connection may come back by itself, but it cuts out again 10 min later 
(or less)
- The LAN interface stays up with no problem
- Making any change to a network related option (DHCP renew lease, 
checksum option, etc.) brings the connection back for a short time
- The problem seems to happen only when there is load on the WAN (the 
router doesn't disconnect at all during the night)
- No ping response from the ISP gateway (from the pfSense diagnostics page)

What I've already tried, without any success:
- disabling hardware checksum offload 
- reducing the MTU to 1492
- putting the WAN interface on a static address (instead of DHCP)
- putting NAT in manual mode with static port
- changing the cable between pfSense and the ISP box

Please, do you have any idea? I'm going crazy!

Sebastian

PS: I've not been able to reproduce the problem without putting the pfSense in 
production, so for the moment I can only test at night

PS 2: sorry for my poor English

Re: [pfSense Support] Restrict a web site access by remote IP address block, gain access by VPN into that block?

2011-02-09 Thread Vick Khera
On Tue, Feb 8, 2011 at 11:50 PM, Chuck Mariotti cmario...@xunity.comwrote:

 Now the client wants to allow a few people access to the web site while at
 home. Unfortunately, password protecting it is not an option. VPN access
 seems to be the only options but I’m wondering what the best approach would
 be.


ssh port forwarding could be applied here as well.


Re: [pfSense Support] Multiwan failover

2011-02-09 Thread Ermal Luçi
On Wed, Feb 9, 2011 at 3:29 PM, Mark Wiater mark.wia...@greybeam.com wrote:
 On 2/9/2011 9:12 AM,  Ermal Luçi said:
 On Wed, Feb 9, 2011 at 11:50 AM, Mark Wiater mark.wia...@greybeam.com 
 wrote:

 So... In the issue, Ermal indicates that it's taken care of in 2.0 in 
 another way. I think I missed what that other way is. Because if the 
 interface that holds my default route goes down, lots of traffic doesn't end 
 up hitting the internet unless it sources from an internal network and I've 
 got a policy route in pf.

 It will be taken care of by pf(4) policy routing. In pfSense there are
 enhancements in the kernel to support that.
 When my WAN interface, the default route goes down, things like squid and 
 dnsmasq stop working for me, and I have multiple DNS entries in the general 
 setup using the different gateways.

 Is a dynamic default route change out of the question? What is the other 
 way to effect the same behavior in 2.0?
 Not that it's out of the question, but the way things work right now
 it's not the best option and the pf(4) fix works quite OK.
 On 2.0 you can even run without a default gateway, from what I have tested.
 In my experience, there are things that don't work from the firewall itself 
 and that can cause somewhat significant problems. How does dns forwarder 
 traffic or squid traffic know where to go if the default route is not 
 functioning? Is there a configuration in pf that I'm missing?

 It sounds like I'm missing some fundamental configuration concept to make it 
 work as well and as reliably as you have. I thought I looked everywhere for 
 the right way to configure multiwan but maybe I've missed it? Got any 
 pointers?

Please upgrade to a snapshot from the 9th of February or later and just test it again.
You would only need a gateway pool on the floating rules + AON to
make that work.
But please let's continue this on the forum.

 Though for later releases this might be revisited, but it's low priority for 
 now.

 Thanks Ermal

 Mark






-- 
Ermal




Re: [pfSense Support] Country Block anomalies

2011-02-09 Thread James Bensley
Maybe it's not a complete list of every single IP/assigned block in the world?

IPv4 exhaustion was only a few days ago, but how recently was that list
updated, and how recently was it updated on your pfSense box!

--James. (This email was sent from a mobile device)
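
The check behind James's question, as an added example (not code from the pfSense Country Block package or from anyone on this thread): Country Block loads lists of CIDR networks into pf tables, so when an address from a "blocked" country still arrives, the first thing to verify is whether the installed list actually contains a network that covers that source address. The table text and the observed addresses below are constructed for this example and the networks are not real allocations; the table is deliberately left with a hole so that 203.81.81.253 from the original report falls between two entries.

```python
"""Audit which observed source addresses a country block table covers.

Added example; not code from the pfSense Country Block package or from
anyone on the thread. The table and the observed addresses are constructed
and the networks are not real allocations.
"""
import bisect
import ipaddress

# Constructed table in the one-CIDR-per-line, '#'-comment style of a pf
# table file. There is a deliberate gap between the two MM entries.
SAMPLE_TABLE = """\
203.81.64.0/20     # MM (constructed entry)
203.81.96.0/19     # MM (constructed entry)
200.0.0.0/8        # BR (constructed entry, deliberately coarse)
"""

# Constructed "observed" sources, e.g. pulled from the firewall log.
OBSERVED = ["203.81.81.253", "203.81.70.5", "200.1.2.3", "198.51.100.9"]


def load_table(text):
    """Parse a pf-style table file into disjoint, sorted IPv4 networks."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    # collapse_addresses merges adjacent/overlapping prefixes and returns
    # them in address order, so the result is disjoint and sorted.
    return list(ipaddress.collapse_addresses(nets))


def build_index(nets):
    """Return (nets, starts) where starts[i] is the first address of nets[i]."""
    starts = [int(n.network_address) for n in nets]
    return nets, starts


def covering_network(addr_str, index):
    """Return the table network containing addr_str, or None if uncovered.

    Because the networks are disjoint and sorted, the only candidate is the
    one with the greatest network address <= addr, found by binary search;
    this stays fast for a table of tens of thousands of entries.
    """
    nets, starts = index
    addr = ipaddress.ip_address(addr_str)
    i = bisect.bisect_right(starts, int(addr)) - 1
    if i >= 0 and addr in nets[i]:
        return nets[i]
    return None


def audit(observed, table_text):
    """Map each observed address to its covering network (as str) or None."""
    index = build_index(load_table(table_text))
    result = {}
    for ip in observed:
        net = covering_network(ip, index)
        result[ip] = str(net) if net is not None else None
    return result


if __name__ == "__main__":
    for ip, net in audit(OBSERVED, SAMPLE_TABLE).items():
        print(f"{ip:16} {'covered by ' + net if net else 'NOT IN TABLE'}")
```

Run against the real table the package installed (after it has been refreshed) rather than the constructed one: an address that reports NOT IN TABLE is not a firewall fault, it is a gap in the list, which is exactly what a stale or incomplete country list looks like.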


Re: [pfSense Support] Country Block anomalies

2011-02-09 Thread Gerald Waugh

On Wed, 2011-02-09 at 17:38 +, James Bensley wrote:
 Maybe it's not a complete list of every single IP/assigned block in the
 world?
 
 IPv4 exhaustion was only a few days ago, but how recently was that
 list updated, and how recently was it updated on your pfSense
 box!
 
 --James. (This email was sent from a mobile device)

Thanks for the response, excuse my ignorance but how do I update the
list?

Thanks
-- 
Gerald





Re: [pfSense Support] Restrict a web site access by remote IP address block, gain access by VPN into that block?

2011-02-09 Thread Christoph Hanle
Hi Chuck,
I have solved a similar situation by adding a SonicWall SSL-VPN 200
behind the main firewall. For normal web access it acts like a reverse
proxy over HTTPS with user authentication and password, but with no need to
install extra software on the clients.

bye
Christoph


On 09.02.2011 05:50 Chuck Mariotti wrote:
 I’m not sure how best to describe this situation without it getting wordy.
 
 We have a number of servers behind a pfSense firewall at a datacenter.
 One of the servers is a web site that needs to be accessible only by
 computers on our client’s network (also behind pfSense elsewhere)… This
 solution has been implemented and working based on IP address restrictions.
 
  
 
 Now the client wants to allow a few people access to the web site while
 at home. Unfortunately, password protecting it is not an option. VPN
 access seems to be the only options but I’m wondering what the best
 approach would be.
 
  
 
 We do not want to allow VPN access into the datacenter network and
 administratively this would be a hassle. Instead, we would like to force
 these home users onto the client network, using the client’s gateway …
 resulting in an allowable IP address to the restricted web site. This is
 simple to  implement, but creates a lot of additional traffic if we
 leave them using the default gateway.
 
  
 
 Unfortunately, the client network is using a wireless connection that
 pays by the gigabyte. This will be an issue when a home users forgets to
 stop downloading music, movies, etc…  We also would prefer not to
 install a new VPN client (like OpenVPN, even though it looks like the
 best solution).
 
  
 
 I was thinking a simple PPTP connection (not sure if this would work
 really), turning off the default gateway on the client end… Then, using
 pfSense on the client network, make a rule that would map an internal IP
 address (10.10.10.100) to the web site’s public IP address… Then, make a
 public DNS entry mapped to the internal IP address and instruct the
 users to use this new DNS entry when remotely accessing this restricted
 site.  Would this work?
 
  
 
 I guess my other question is, what is the best way to get this to work?
 
  
 
 Regards,
 Chuck
 





[pfSense Support] CARP IP Not Registering MAC Address or Switch Disregarding CARP MAC Address -- Maybe???

2011-02-09 Thread Vaughn L. Reid III
I've got a PfSense version 1.2.3 cluster at a Public Library customer 
connected to 6 WAN links.


The first 5 are connected as VLANS through a TP-Link SL3428 switch then 
to an ISP provided Router (4 ATT ADSL links each with a Netopia ADSL 
router and a Fiber Link with a Cisco 2800 series router).   These 5 WAN 
links are all configured identically (except for IP, etc.) and have 
worked beautifully for 2 or 3 years).  The first 5 WAN's all go out the 
same Intel server interface.  The 6th connection goes out a second Intel 
server interface (There are 6 physical Intel server gigabit interfaces 
on the machines all together -- 4 onboard plus 1 dual port PCI-X card).


Illustration:

WAN Connections 1 through 5
Pfsense Cluster --- VLAN Trunk --- TP-Link Managed Switch --- Switch 
Ports out to each Provider on a different VLAN's (port to provider in 
access mode not tagged) --- Provider's Router -- Internet  
Everything Works!!!


WAN Connection 6
Pfsense cluster -- VLAN Trunk -- D-Link Managed Switch -- Switch Port 
out to the Provider (port to provider in access mode not tagged)   
Provider's On-Site Black Box/Fiber Converter (can't get any details 
about what's in it) -- Nothing!!!


The Library has recently decided to replace the ADSL links with a 
fiber-to-your door Internet connection.  For redundancy, I've set this 
up to run through a D-Link DGS 3200-10 managed switch.  I have this 
connection configured identically to the other 5 working connections 
except ISP specific things like netmask and IP address.  I cannot, for 
the life of me, get this 6th connection to work correctly.


I've been doing some troubleshooting for a bit now and have noticed some 
items that might be helpful on this 6th WAN connection.


Address Learning enabled on the Switch (default setting):
1.  If I leave MAC address learning enabled on the D-Link switch, the CARP 
Master can ping its real IP address, can ping its CARP IP address, and 
can ping the fail-over pfSense
2.  The fail-over Pfsense server can ping its own real IP, can ping the 
Carp Master's real IP, but cannot ping the CARP IP.
3.  When I first boot the switch, I can usually ping the CARP IP from 
the fail-over box 1 time before pings start timing out.
4.  From a remote location, I am able to ping the real IP of both boxes, 
but I cannot ping the CARP IP.

5.  Both boxes can ping the ISP's default gateway.

Address Learning disabled on the Switch:
1.  Both PFSense boxes can ping each other, and both can ping the CARP IP.
2.  Neither can ping the ISP's IP address.
3.  From a remote location, I am unable to ping any of the boxes on the 
6th ISP interface.


I've tried this connection through the same switch without VLAN's 
enabled for this connection and still have no connectivity through this 
provider.  If I plug in a laptop directly to the switch and use any of 
the 3 IP's in question, I have a good Internet connection.


On the D-Link Switch, Spanning Tree is disabled.  The ports containing 
the PFSense box links are tagged VLAN trunks with no untagged ports 
allowed.  The port leading to the ISP is an untagged VLAN that is only a 
member of 1 VLAN.  I know I could set this up without fussing with the 
VLANS, but I wanted to be consistent between the 2 switches.


I believe this is a switch related issue and not a PFSense related issue 
directly.  I am hesitant to run this connection through the other 
managed switch because I'm looking for redundancy.  If anyone has any 
suggestions about where my problem may be, I'd really appreciate the help.


Thanks!




Re: [pfSense Support] CARP IP Not Registering MAC Address or Switch Disregarding CARP MAC Address -- Maybe???

2011-02-09 Thread ey
[snip]
 Address Learning enabled on the Switch (default setting):
[snip]
Can you briefly explain what 'address learning' is according to D-Link?





Re: [pfSense Support] CARP IP Not Registering MAC Address or Switch Disregarding CARP MAC Address -- Maybe???

2011-02-09 Thread Vaughn L. Reid III

According to page 15 of the reference manual address learning is:

Enable or disable MAC address learning for the selected ports. When 
Enabled, destination and
source MAC addresses are automatically listed in the forwarding table. 
When address learning
is Disabled, MAC addresses must be manually entered into the forwarding 
table. This is
sometimes done for reasons of security or efficiency. See the section on 
Forwarding/Filtering
for information on entering MAC addresses into the forwarding table. The 
default setting is

Enabled.



One other thing.  I need to note that I have dedicated a CARP interface 
on each pfSense box connected to each other via a cross-over cable.




On 2/9/2011 2:35 PM, e...@tm-k.com wrote:

[snip]

Address Learning enabled on the Switch (default setting):

[snip]
Can you briefly explain what 'address learning' is according to D-Link?








Re: [pfSense Support] CARP IP Not Registering MAC Address or Switch Disregarding CARP MAC Address -- Maybe???

2011-02-09 Thread David Newman
On 2/9/11 1:12 PM, Vaughn L. Reid III wrote:
 According to page 15 of the reference manual address learning is:
 
 Enable or disable MAC address learning for the selected ports. When
 Enabled, destination and
 source MAC addresses are automatically listed in the forwarding table.
 When address learning
 is Disabled, MAC addresses must be manually entered into the forwarding
 table. This is
 sometimes done for reasons of security or efficiency. See the section on
 Forwarding/Filtering
 for information on entering MAC addresses into the forwarding table. The
 default setting is
 Enabled.
 

This just means the switch dynamically learns the source MAC of each
attached device. 99.999 percent of all switches on the market have
dynamic MAC learning enabled. This isn't the problem.


 
 
 One other thing.  I need to note that I have dedicated a CARP interface
 on each pfSense box connected to each other via a cross-over cable.

Sorry, I don't completely understand your CARP setup. I too use a
crossover cable between pairs of boxes but that's for pfsync, not CARP.
pfsync migrates table state between pf boxes; CARP is for redundant
sharing of a virtual IP address among multiple pf boxes, and would be of
little use on a network consisting of a crossover cable.

IIRC CARP uses multicast addressing for its keepalive messages. You
might also want to verify that the switch is configured to forward
multicast.

dn






 
 
 
 On 2/9/2011 2:35 PM, e...@tm-k.com wrote:
 [snip]
 Address Learning enabled on the Switch (default setting):
 [snip]
 Can you briefly explain what 'address learning' is according to D-Link?



 
 




Re: [pfSense Support] CARP IP Not Registering MAC Address or Switch Disregarding CARP MAC Address -- Maybe???

2011-02-09 Thread Vaughn L. Reid III
My understanding of forwarding also was that address learning is a 
normal part of switch operation.  But, I find it odd that turning that 
off lets the fail-over box ping the CARP IP on the primary box, with 
address learning on, I am unable to do that.


A clarification about the Carp setup -- Each PfSense server has a 
dedicated interface connected to each other via a crossover cable.  This 
is the interface that is configured to send and receive pfsync and its 
related traffic in the carp setup page.  The firewall rules for this 
dedicated interface on each server are to allow all traffic on the 
interface.


With a dedicated interface for the Carp related stuff to use, do the 
other interfaces still send and receive multi-cast pfsync traffic?




On 2/9/2011 5:10 PM, David Newman wrote:

On 2/9/11 1:12 PM, Vaughn L. Reid III wrote:

According to page 15 of the reference manual address learning is:

Enable or disable MAC address learning for the selected ports. When
Enabled, destination and
source MAC addresses are automatically listed in the forwarding table.
When address learning
is Disabled, MAC addresses must be manually entered into the forwarding
table. This is
sometimes done for reasons of security or efficiency. See the section on
Forwarding/Filtering
for information on entering MAC addresses into the forwarding table. The
default setting is
Enabled.


This just means the switch dynamically learns the source MAC of each
attached device. 99.999 percent of all switches on the market have
dynamic MAC learning enabled. This isn't the problem.




One other thing.  I need to note that I have dedicated a CARP interface
on each pfSense box connected to each other via a cross-over cable.

Sorry, I don't completely understand your CARP setup. I too use a
crossover cable between pairs of boxes but that's for pfsync, not CARP.
pfsync migrates table state between pf boxes; CARP is for redundant
sharing of a virtual IP address among multiple pf boxes, and would be of
little use on a network consisting of a crossover cable.

IIRC CARP uses multicast addressing for its keepalive messages. You
might also want to verify that the switch is configured to forward
multicast.

dn









On 2/9/2011 2:35 PM, e...@tm-k.com wrote:

[snip]

Address Learning enabled on the Switch (default setting):

[snip]
Can you briefly explain what 'address learning' is according to D-Link?












Re: [pfSense Support] CARP IP Not Registering MAC Address or Switch Disregarding CARP MAC Address -- Maybe???

2011-02-09 Thread Evgeny Yurchenko




On 2/9/2011 2:35 PM, e...@tm-k.com wrote:

[snip]

Address Learning enabled on the Switch (default setting):

[snip]
Can you briefly explain what 'address learning' is according to D-Link?






On 11-02-09 04:12 PM, Vaughn L. Reid III wrote:

According to page 15 of the reference manual address learning is:

Enable or disable MAC address learning for the selected ports. When Enabled, 
destination and
source MAC addresses are automatically listed in the forwarding table. When 
address learning
is Disabled, MAC addresses must be manually entered into the forwarding table. 
This is
sometimes done for reasons of security or efficiency. See the section on 
Forwarding/Filtering
for information on entering MAC addresses into the forwarding table. The 
default setting is
Enabled.



One other thing.  I need to note that I have dedicated a CARP interface on each pfSense box connected to each other via 
a cross-over cable.



Please do not top-post.
So Address Learning should be enabled.
1) Do you see one box as stand-by, the other one as active in the web interface?
2) Connect a laptop instead of the ISP's cable and run a packet capture; you should be able to see a CARP heartbeat once a second 
(multicast MAC + CARP IP in the destination field).


If one pfSense shows Active, the other one shows Stand-by, and on the laptop you see the heartbeat from only one (master) 
pfSense, then you did not mess up the CARP configuration and VLANs on the switch.


Evgeny.


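
What the capture Evgeny suggests should show, as an added example (not code from the pfSense project or from anyone on this thread): a small decoder for CARP advertisements in raw Ethernet frames. The frame layout follows the CARP protocol itself: destination MAC 01:00:5e:00:00:12 (the Ethernet mapping of 224.0.0.18), IPv4 protocol 112, a 36-byte CARP header (version 2, type 1 for an advertisement), and a source MAC of 00:00:5e:00:01:<vhid>, which is the virtual MAC the switch has to learn for the CARP IP. The frames below are constructed in the script rather than captured from a real cluster, and the 20-byte HMAC field is left zero; the `senders_per_vhid` summary is the check to run on a real capture: one sender per VHID means only the master is advertising, two senders means both nodes believe they are master.

```python
"""Decode CARP advertisements out of raw Ethernet frames.

Added example, not pfSense code. Frames are constructed here, not captured;
a real advertisement carries HMAC-SHA1 in the 20-byte md field.
"""
import struct
from collections import Counter

CARP_MCAST_MAC = bytes.fromhex("01005e000012")   # Ethernet mapping of 224.0.0.18
CARP_MCAST_IP = bytes([224, 0, 0, 18])
IPPROTO_CARP = 112
CARP_MAC_PREFIX = bytes.fromhex("00005e0001")    # virtual MAC 00:00:5e:00:01:<vhid>
CARP_HDR_LEN = 36                                # ver/type .. 20-byte HMAC


def _ip_checksum(hdr):
    """Ones-complement IPv4 header checksum (0 when the stored checksum is right)."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_carp_advert(vhid, advskew, src_ip, advbase=1):
    """Build an Ethernet/IPv4/CARP advertisement frame (CARP version 2, type 1)."""
    # carp_header: ver|type, vhid, advskew, authlen (7 = SHA1), pad, advbase,
    #              cksum, counter[2] (8 bytes), md[20] (left zero here)
    carp = struct.pack("!BBBBBBHQ20s", (2 << 4) | 1, vhid, advskew, 7, 0,
                       advbase, 0, 0, b"\x00" * 20)
    src = bytes(int(o) for o in src_ip.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(carp), 0, 0, 255,
                     IPPROTO_CARP, 0, src, CARP_MCAST_IP)
    ip = ip[:10] + struct.pack("!H", _ip_checksum(ip)) + ip[12:]
    eth = CARP_MCAST_MAC + CARP_MAC_PREFIX + bytes([vhid]) + b"\x08\x00"
    return eth + ip + carp


def parse_carp_advert(frame):
    """Return a dict describing the advertisement, or None if this is not CARP."""
    if len(frame) < 14 + 20 + CARP_HDR_LEN:
        return None
    dst_mac, src_mac, ethertype = frame[:6], frame[6:12], frame[12:14]
    if dst_mac != CARP_MCAST_MAC or ethertype != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    ip = frame[14:14 + ihl]
    if frame[14] >> 4 != 4 or ihl < 20 or len(ip) != ihl:
        return None
    if ip[9] != IPPROTO_CARP or ip[16:20] != CARP_MCAST_IP or _ip_checksum(ip) != 0:
        return None
    carp = frame[14 + ihl:14 + ihl + CARP_HDR_LEN]
    if len(carp) < CARP_HDR_LEN:
        return None
    ver_type, vhid, advskew, _authlen, _pad, advbase = struct.unpack("!6B", carp[:6])
    if ver_type >> 4 != 2 or ver_type & 0x0F != 1:
        return None
    return {
        "src_mac": src_mac.hex(":"),
        "src_ip": ".".join(str(b) for b in ip[12:16]),
        "vhid": vhid,
        "advskew": advskew,
        "advbase": advbase,
        # adverts are sent from the virtual MAC, whose last byte is the VHID
        "mac_matches_vhid": src_mac == CARP_MAC_PREFIX + bytes([vhid]),
    }


def senders_per_vhid(frames):
    """Count advertisement sources per VHID. One source per VHID is healthy
    (only the master advertises); two sources for one VHID means both nodes
    think they are master, i.e. they do not see each other's adverts."""
    senders = {}
    for f in frames:
        adv = parse_carp_advert(f)
        if adv is not None:
            senders.setdefault(adv["vhid"], Counter())[adv["src_ip"]] += 1
    return senders


# Constructed captures; an ARP request is mixed in to show non-CARP frames are skipped.
ARP_REQUEST = bytes.fromhex("ffffffffffff" "00005e000101" "0806") + b"\x00" * 46
HEALTHY_CAPTURE = [build_carp_advert(1, 0, "203.0.113.2") for _ in range(3)] + [ARP_REQUEST]
SPLIT_BRAIN_CAPTURE = HEALTHY_CAPTURE + [build_carp_advert(1, 100, "203.0.113.3")]

if __name__ == "__main__":
    for name, cap in (("healthy", HEALTHY_CAPTURE), ("split-brain", SPLIT_BRAIN_CAPTURE)):
        print(name, {vhid: dict(c) for vhid, c in senders_per_vhid(cap).items()})
```

On a real capture, feed the raw frames from the laptop's pcap into `senders_per_vhid`. If the master's adverts are present but the CARP IP is still unreachable from the backup with MAC learning on, the switch is learning the virtual MAC 00:00:5e:00:01:<vhid> on the wrong port or dropping the multicast, which is the switch-side question rather than a pfSense one.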



Re: [pfSense Support] CARP IP Not Registering MAC Address or Switch Disregarding CARP MAC Address -- Maybe???

2011-02-09 Thread Chris Buechler
On Wed, Feb 9, 2011 at 8:51 PM, Vaughn L. Reid III
vaughn_reid_...@elitemail.org wrote:
 My understanding of forwarding also was that address learning is a normal
 part of switch operation.  But, I find it odd that turning that off lets the
 fail-over box ping the CARP IP on the primary box, with address learning on,
 I am unable to do that.

 A clarification about the Carp setup -- Each PfSense server has a dedicated
 interface connected to each other via a crossover cable.  This is the
 interface that is configured to send and receive pfsync and its related
 traffic in the carp setup page.  The firewall rules for this dedicated
 interface on each server are to allow all traffic on the interface.

 With a dedicated interface for the Carp related stuff to use, do the other
 interfaces still send and receive multi-cast pfsync traffic?


No, but they send the multicast CARP traffic on all interfaces where a
CARP IP resides.




Re: [pfSense Support] CARP IP Not Registering MAC Address or Switch Disregarding CARP MAC Address -- Maybe???

2011-02-09 Thread Vaughn L. Reid III



On 2/9/2011 9:20 PM, Evgeny Yurchenko wrote:




On 2/9/2011 2:35 PM, e...@tm-k.com wrote:

[snip]

Address Learning enabled on the Switch (default setting):

[snip]
Can you briefly explain what 'address learning' is according to D-Link?






On 11-02-09 04:12 PM, Vaughn L. Reid III wrote:

According to page 15 of the reference manual address learning is:

Enable or disable MAC address learning for the selected ports. When 
Enabled, destination and
source MAC addresses are automatically listed in the forwarding 
table. When address learning
is Disabled, MAC addresses must be manually entered into the 
forwarding table. This is
sometimes done for reasons of security or efficiency. See the section 
on Forwarding/Filtering
for information on entering MAC addresses into the forwarding table. 
The default setting is

Enabled.



One other thing.  I need to note that I have dedicated a CARP 
interface on each pfSense box connected to each other via a cross-over 
cable.



Please do not top-post.
So Address Learning should be enabled.
1) do you see one box as stand-by, another one as active in 
web-interface?
2) connect laptop instead of ISP's cable and run packet capture you 
should be able to see once a second carp-heartbeat (multicast mac + 
carp IP in destination field).


If one pfSense shows Active, another one shows Stand-by and on the 
laptop you see heartbeat from only one (master) pfSense then you did 
not mess up with carp configuration and vlans on the switch.


Evgeny.



1.  All the Master and backup status notifications in the web interface 
on both PFSense boxes show the correct status

2.  I'll do a packet capture tomorrow and see if the carp-heartbeat shows up

I was unaware that any Carp related traffic passed between any of the 
interfaces except the one designated as the synchronization interface.  
I need to double-check the multi-cast configuration on the switch 
tomorrow also ( I think I have multi-cast enabled on the switch, but 
need to confirm that).








Re: [pfSense Support] CARP IP Not Registering MAC Address or Switch Disregarding CARP MAC Address -- Maybe???

2011-02-09 Thread Vaughn L. Reid III



On 2/9/2011 10:09 PM, Chris Buechler wrote:

On Wed, Feb 9, 2011 at 8:51 PM, Vaughn L. Reid III
vaughn_reid_...@elitemail.org  wrote:

My understanding of forwarding also was that address learning is a normal
part of switch operation.  But, I find it odd that turning that off lets the
fail-over box ping the CARP IP on the primary box, with address learning on,
I am unable to do that.

A clarification about the Carp setup -- Each PfSense server has a dedicated
interface connected to each other via a crossover cable.  This is the
interface that is configured to send and receive pfsync and its related
traffic in the carp setup page.  The firewall rules for this dedicated
interface on each server are to allow all traffic on the interface.

With a dedicated interface for the Carp related stuff to use, do the other
interfaces still send and receive multi-cast pfsync traffic?


No, but they send the multicast CARP traffic on all interfaces where a
CARP IP resides.



Thanks for this clarification.







Re: [pfSense Support] CARP IP Not Registering MAC Address or Switch Disregarding CARP MAC Address -- Maybe???

2011-02-09 Thread Seth Mos

Op 10-2-2011 4:18, Vaughn L. Reid III schreef:






1. All the Master and backup status notifications in the web interface
on both PFSense boxes show the correct status
2. I'll do a packet capture tomorrow and see if the carp-heartbeat shows up

I was unaware that any Carp related traffic passed between any of the
interfaces except the one designated as the synchronization interface. I
need to double-check the multi-cast configuration on the switch tomorrow
also ( I think I have multi-cast enabled on the switch, but need to
confirm that).


Yes, some switches support multicast filtering. I know from experience 
with HP switches that it works with the setting on, so I know they have 
it implemented correctly. This way not all switch ports get the CARP 
traffic unless they participate in the multicast group. This cuts down 
on broadcasts a lot.


I recommend the HP switches, they have never given me any grief as long 
as I've worked with them. I even have a CARP cluster spanning 2 buildings 
across the street over a fiber connection. It just works.


If you need a managed switch on a budget I can confirm that the HP 
Procurve 1810-8G works well. It's web managed, supports vlans and basic 
traffic counters. It is also fanless.


The smallest I have in use on a CARP cluster is a ProCurve 2650 in 
combination with a 2900-48G. The biggest I have is an 8212zl. Do note 
that the software in the 1810 differs a lot from the other managed switches.


Regards,

Seth
