[pfSense Support] boot time increased
Dear all,

I started using pfSense 2 months ago and am using squid, squidguard, lightsquid, etc. Today I restarted the machine, but it is taking 20 mins to boot; the squidguard sync takes 10 mins. Is there any way to optimize this?

--
Thanks Regards
Shali K R
Server Administrator
Vidya Academy of Science Technology
Thrissur, Kerala.
Mob:9846303531
Re: [pfSense Support] 2.0-RC1 now available!
On 02/28/2011 11:02 PM, Chris Buechler wrote:
> http://blog.pfsense.org/?p=585

Thanks Chris. I've been using the beta for a while (updating it thru the WebGUI). By updating this beta...will it be the same as this RC1? Or is RC1 from another tree now?

Thanks,
Jorge

- To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
[pfSense Support] DNS forwarding log? Finding which machine is accessing what site.
Greetings,

I'm wondering if there is a DNS forwarding log? I don't have a DNS server installed here at the site, I use OpenDNS for my name servers. I have a machine that is requesting a website that supposedly is related to malware according to OpenDNS. How would I figure out which machine this is on my network?

I figure the best way would be with a DNS forwarding log, but there isn't one... and I don't know much about this stuff anyway and I'm eager to learn.

Thank you,
Andy
Re: [pfSense Support] DNS forwarding log? Finding which machine is accessing what site.
On Tue, Mar 1, 2011 at 2:26 PM, Andy Graybeal andy.grayb...@casanueva.com wrote:
> Greetings, I'm wondering if there is a DNS forwarding log? I don't have a DNS server installed here at the site, I use OpenDNS for my name servers. I have a machine that is requesting a website that supposedly is related to malware according to OpenDNS. How would I figure out which machine this is on my network? I figure the best way would be with a DNS forwarding log, but there isn't one... and I don't know much about this stuff anyway and I'm eager to learn.

You can use tcpdump on your LAN interface to see which IP is requesting the website:

    tcpdump -i lan_interface -n host name_of_malware_website

Replace lan_interface with the real name of your LAN interface (e.g. em0). The tcpdump output will show you the IP that is requesting the page of name_of_malware_website.

Something like the following:

    tcpdump -i en1 -n host 196.36.108.168
    14:32:55.465558 IP 10.0.1.57.50963 > 196.36.108.168.80: Flags [.], ack 1, win 4380, length 0
    14:32:55.465765 IP 10.0.1.57.50963 > 196.36.108.168.80: Flags [P.], seq 1:218, ack 1, win 4380, length 217
    14:32:55.466266 IP 196.36.108.168.80 > 10.0.1.57.50963: Flags [.], ack 218, win 5840, length 0
    14:32:55.506885 IP 196.36.108.168.80 > 10.0.1.57.50963: Flags [P.], seq 1:267, ack 218, win 5840, length 266

--
.warren
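Added example, not part of the message above: a shell function that condenses `tcpdump -n` text output into one line per LAN client that exchanged packets with the flagged address, so the machine to inspect stands out on a busy link. The capture lines, the addresses (documentation ranges) and the function names are constructed for illustration.

```shell
#!/bin/sh
# Live use on the firewall (interface name and address are placeholders);
# -c stops the capture after 500 packets so the summary is printed:
#   tcpdump -c 500 -i em0 -n host 203.0.113.80 | clients_for_host 203.0.113.80

# Constructed sample in the text format tcpdump prints: "time IP src > dst: ..."
sample_capture() {
cat <<'EOF'
14:32:55.465558 IP 10.0.1.57.50963 > 203.0.113.80.80: Flags [.], ack 1, win 4380, length 0
14:32:55.465765 IP 10.0.1.57.50963 > 203.0.113.80.80: Flags [P.], seq 1:218, ack 1, win 4380, length 217
14:32:55.466266 IP 203.0.113.80.80 > 10.0.1.57.50963: Flags [.], ack 218, win 5840, length 0
14:32:55.506885 IP 203.0.113.80.80 > 10.0.1.57.50963: Flags [P.], seq 1:267, ack 218, win 5840, length 266
14:33:10.120001 IP 10.0.1.23.49152 > 203.0.113.80.80: Flags [S], seq 100, win 65535, length 0
14:33:11.000000 IP 10.0.1.23.51000 > 198.51.100.7.443: Flags [S], seq 5, win 65535, length 0
14:33:12.000000 ARP, Request who-has 10.0.1.1 tell 10.0.1.23, length 28
EOF
}

# $1 = flagged IPv4 address; tcpdump text on stdin.
# Prints per client: packets seen, packets sent to the target, payload bytes sent.
clients_for_host() {
    awk -v target="$1" '
    # Strip the trailing colon and the port from an "a.b.c.d.port" endpoint.
    function addr(ep,    p, n) {
        sub(/:$/, "", ep)
        n = split(ep, p, /\./)
        if (n >= 5) return p[1] "." p[2] "." p[3] "." p[4]
        return ep
    }
    $2 == "IP" && $4 == ">" {
        src = addr($3); dst = addr($5)
        if (dst == target)      peer = src
        else if (src == target) peer = dst
        else next                      # packet does not involve the target
        pkts[peer]++
        if (dst == target) {
            sent[peer]++
            for (i = 6; i < NF; i++)
                if ($i == "length") {
                    len = $(i + 1); sub(/:$/, "", len)
                    bytes[peer] += len
                }
        }
    }
    END {
        for (c in pkts)
            printf "%s packets=%d to_target=%d payload_bytes=%d\n", c, pkts[c], sent[c], bytes[c]
    }
    ' | sort
}

sample_capture | clients_for_host 203.0.113.80
```
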
Re: [pfSense Support] DNS forwarding log? Finding which machine is accessing what site.
> You can use tcpdump on your LAN interface to see which IP is requesting the website:
>
>     tcpdump -i lan_interface -n host name_of_malware_website
>
> Replace lan_interface with the real name of your LAN interface (e.g. em0). The tcpdump output will show you the IP that is requesting the page of name_of_malware_website.
>
> Something like the following:
>
>     tcpdump -i en1 -n host 196.36.108.168
>     14:32:55.465558 IP 10.0.1.57.50963 > 196.36.108.168.80: Flags [.], ack 1, win 4380, length 0
>     14:32:55.465765 IP 10.0.1.57.50963 > 196.36.108.168.80: Flags [P.], seq 1:218, ack 1, win 4380, length 217
>     14:32:55.466266 IP 196.36.108.168.80 > 10.0.1.57.50963: Flags [.], ack 218, win 5840, length 0
>     14:32:55.506885 IP 196.36.108.168.80 > 10.0.1.57.50963: Flags [P.], seq 1:267, ack 218, win 5840, length 266

Warren,

Thank you. I will try it.

-Andy
Re: [pfSense Support] 2.0-RC1 now available!
On 1-3-2011 12:42, Jorge Fábregas wrote:
> On 02/28/2011 11:02 PM, Chris Buechler wrote:
>> http://blog.pfsense.org/?p=585
>
> Thanks Chris. I've been using the beta for a while (updating it thru the WebGUI). By updating this beta...will it be the same as this RC1? Or is RC1 from another tree now?

RC1 is the same branch as before; what used to be tagged as BETA5 became RC1 over the weekend.

Regards,
Seth
[pfSense Support] Multiple WAN subnets
We currently use pfSense as a perimeter firewall; it does all of our NAT as well. We recently ran out of public IPs and had another subnet issued to us. The problem is that whether I add a new interface or set it up as a static route, we can't get it to be reachable from outside. I know I am missing something small; I have been skimming through the pfSense book again and nothing is popping out. Anyone have any ideas?

If I add it as an interface, I can ping whatever IP address I bind that interface to, but adding virtual IPs and then setting up NAT for additional IPs in that block are not routeable.
RE: [pfSense Support] Multiple WAN subnets
Could you use virtual IPs assigned to the WAN interface? I use them now for a different subnet and it works fine for me. I assign the virtual IP and use 1:1 NAT.

Ryan Rodrigue P.O. Box 4336 Systems Technician Houma, LA 70361 A A R Electronics, Inc Phone (985) 876-4096 510 West Tunnel Blvd Phone (800) 649-7346 Houma, LA 70360 Fax (985) 853-1034 radiote...@aaremail.com www.aarelectronics.com

-Original Message-
From: JASON JAMES [mailto:jam...@milton.k12.wi.us]
Sent: Tuesday, March 01, 2011 11:02 AM
To: support@pfsense.com
Subject: [pfSense Support] Multiple WAN subnets

We currently use pfSense as a perimeter firewall; it does all of our NAT as well. We recently ran out of public IPs and had another subnet issued to us. The problem is that whether I add a new interface or set it up as a static route, we can't get it to be reachable from outside. I know I am missing something small; I have been skimming through the pfSense book again and nothing is popping out. Anyone have any ideas?

If I add it as an interface, I can ping whatever IP address I bind that interface to, but adding virtual IPs and then setting up NAT for additional IPs in that block are not routeable.
Re: [pfSense Support] Multiple WAN subnets
I thought so, but that does not seem to work either.

Jason James
Technology Department
School District of Milton
608-868-9570 ext 1082
RE: [pfSense Support] Multiple WAN subnets
> I thought so, but that does not seem to work either.

Make sure you power cycle the router that is passing that subnet to your firewall. I had this same issue when I set this up, and racked my head for hours before doing that. I opted for the separate interface approach when I did the install (which works great).

You will want to set up the Virtual IPs first, then power cycle the router. It will then ARP out when it boots and get the IPs routed correctly.

-Tim
Re: [pfSense Support] Multiple WAN subnets
On Tue, Mar 1, 2011 at 12:02 PM, JASON JAMES jam...@milton.k12.wi.us wrote:
> We currently use pfSense as a perimeter firewall; it does all of our NAT as well. We recently ran out of public IPs and had another subnet issued to us. The problem is that whether I add a new interface or set it up as a static route, we can't get it to be reachable from outside. I know I am missing something small; I have been skimming through the pfSense book again and nothing is popping out. Anyone have any ideas?

Check out the "Methods of Using Additional Public IPs" section in the firewall chapter of the book. The best way to use that second subnet is to have your ISP route it to you, which they should be willing to do; then you can either directly assign it to an internal interface or use it with NAT. Details are in that section of the book.
Re: [pfSense Support] Multiple WAN subnets
I apologize, this actually had nothing to do with pfSense. It ended up being an internal issue with ACLs on our core.
[pfSense Support] Only allow DHCP assigned addresses access to network
Hi,

I would like every machine on my network to get its address from pfSense's DHCP server. If it doesn't receive an address from the DHCP server (if they pick some arbitrary address on the same subnet), how do I disallow them access to network services?

Does this make any sense to do this? Does this make sense to not do this?

-Andy
Re: [pfSense Support] Only allow DHCP assigned addresses access to network
If a computer doesn't pick up a DHCP address I believe it gets an APIPA address, a 169.192 address if I recall right. With an APIPA address the computer wouldn't be able to do much of anything anyways, as the subnet is different and there isn't a gateway to my knowledge, so a standard setup of a DHCP server and client machines sounds like what you want, no? If a computer isn't receiving a DHCP address from your pfSense then you have a configuration issue, or your scope is too small (not set to give out enough addresses), or there is a physical problem somewhere in your network.

On Mar 1, 2011, at 5:40 PM, Andy Graybeal andy.grayb...@casanueva.com wrote:
> Hi, I would like every machine on my network to get its address from pfSense's DHCP server. If it doesn't receive an address from the DHCP server (if they pick some arbitrary address on the same subnet), how do I disallow them access to network services? Does this make any sense to do this? Does this make sense to not do this?
>
> -Andy
Re: [pfSense Support] Only allow DHCP assigned addresses access to network
I think Andy means, how do I stop people who set a static IP on the same subnet as my network from getting on the network?

The short answer is that you can't do that easily. Internal network traffic does not pass through the pfSense and cannot be stopped by it. You may be able to prevent internet access (or access to other network segments) by programmatically creating an alias built from the DHCP client table. I don't know how easy that is in practice but that is what I might do.

Moshe
--
Moshe Katz -- mo...@ymkatz.net -- +1(301)867-3732

On Tue, Mar 1, 2011 at 6:49 PM, Cole Devitt cdev...@gotoworkonenw.com wrote:
> If a computer doesn't pick up a DHCP address I believe it gets an APIPA address, a 169.192 address if I recall right. With an APIPA address the computer wouldn't be able to do much of anything anyways, as the subnet is different and there isn't a gateway to my knowledge, so a standard setup of a DHCP server and client machines sounds like what you want, no? If a computer isn't receiving a DHCP address from your pfSense then you have a configuration issue, or your scope is too small (not set to give out enough addresses), or there is a physical problem somewhere in your network.
>
> On Mar 1, 2011, at 5:40 PM, Andy Graybeal andy.grayb...@casanueva.com wrote:
>> Hi, I would like every machine on my network to get its address from pfSense's DHCP server. If it doesn't receive an address from the DHCP server (if they pick some arbitrary address on the same subnet), how do I disallow them access to network services? Does this make any sense to do this? Does this make sense to not do this?
>>
>> -Andy
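Added example, not part of the message above: one way to derive the address list for such an alias, assuming the DHCP server keeps an ISC dhcpd style leases file. That file is an append-only journal, so the last block written for an address decides its current state. The lease blocks, MAC addresses and function names are constructed, and loading the result into a firewall alias is left out because this thread does not describe it.

```shell
#!/bin/sh
# Live use (the path is a placeholder for wherever the leases file lives):
#   active_leases < /path/to/dhcpd.leases

# Constructed sample in ISC dhcpd.leases syntax.
sample_leases() {
cat <<'EOF'
lease 10.0.1.57 {
  starts 2 2011/03/01 14:00:00;
  ends 2 2011/03/01 16:00:00;
  binding state active;
  next binding state free;
  hardware ethernet 00:16:3e:00:00:57;
}
lease 10.0.1.23 {
  starts 2 2011/03/01 09:00:00;
  ends 2 2011/03/01 11:00:00;
  binding state active;
  hardware ethernet 00:16:3e:00:00:23;
}
lease 10.0.1.80 {
  binding state free;
  hardware ethernet 00:16:3e:00:00:80;
}
lease 10.0.1.23 {
  starts 2 2011/03/01 09:00:00;
  ends 2 2011/03/01 10:12:00;
  binding state free;
  hardware ethernet 00:16:3e:00:00:23;
}
lease 10.0.1.80 {
  starts 2 2011/03/01 15:00:00;
  ends 2 2011/03/01 17:00:00;
  binding state active;
  hardware ethernet 00:16:3e:00:00:80;
}
EOF
}

# Leases file on stdin. Prints "ip mac" for every address whose most recent
# lease block is in binding state "active".
active_leases() {
    awk '
    $1 == "lease" && $3 == "{" { ip = $2; state = ""; mac = ""; next }
    ip == "" { next }                       # ignore text outside lease blocks
    # "next binding state ..." starts with "next", so it is not matched here.
    $1 == "binding" && $2 == "state"     { state = $3; sub(/;$/, "", state); next }
    $1 == "hardware" && $2 == "ethernet" { mac = $3; sub(/;$/, "", mac); next }
    $1 == "}" {
        cur_state[ip] = state               # a later block replaces an earlier one
        cur_mac[ip] = mac
        ip = ""
    }
    END {
        for (a in cur_state)
            if (cur_state[a] == "active") print a, cur_mac[a]
    }
    ' | sort
}

sample_leases | active_leases
```

Addresses that appear in the firewall's ARP table but not in this list are the statically configured hosts the question is about.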
RE: [pfSense Support] Only allow DHCP assigned addresses access to network
Hi,

You can only restrict the access/traffic to services provided and managed by pfSense. But there might be another possibility, like using the snort package, activating it on the LAN side and permitting only the traffic from the IPs that you allow. I think this can be done, but it certainly needs further investigation to confirm this possibility.

Carlos

From: kohenk...@gmail.com [mailto:kohenk...@gmail.com] On Behalf Of Moshe Katz
Sent: Wednesday, 2 March 2011 00:20
To: support@pfsense.com
Cc: Cole Devitt; t...@casanueva.com
Subject: Re: [pfSense Support] Only allow DHCP assigned addresses access to network

I think Andy means, how do I stop people who set a static IP on the same subnet as my network from getting on the network?

The short answer is that you can't do that easily. Internal network traffic does not pass through the pfSense and cannot be stopped by it. You may be able to prevent internet access (or access to other network segments) by programmatically creating an alias built from the DHCP client table. I don't know how easy that is in practice but that is what I might do.

Moshe
--
Moshe Katz -- mo...@ymkatz.net -- +1(301)867-3732

On Tue, Mar 1, 2011 at 6:49 PM, Cole Devitt cdev...@gotoworkonenw.com wrote:
> If a computer doesn't pick up a DHCP address I believe it gets an APIPA address, a 169.192 address if I recall right. With an APIPA address the computer wouldn't be able to do much of anything anyways, as the subnet is different and there isn't a gateway to my knowledge, so a standard setup of a DHCP server and client machines sounds like what you want, no? If a computer isn't receiving a DHCP address from your pfSense then you have a configuration issue, or your scope is too small (not set to give out enough addresses), or there is a physical problem somewhere in your network.
>
> On Mar 1, 2011, at 5:40 PM, Andy Graybeal andy.grayb...@casanueva.com wrote:
>> Hi, I would like every machine on my network to get its address from pfSense's DHCP server. If it doesn't receive an address from the DHCP server (if they pick some arbitrary address on the same subnet), how do I disallow them access to network services? Does this make any sense to do this? Does this make sense to not do this?
>>
>> -Andy
Re: [pfSense Support] DNS forwarding log? Finding which machine is accessing what site.
On Tue, Mar 1, 2011 at 7:26 AM, Andy Graybeal andy.grayb...@casanueva.com wrote:
> Greetings, I'm wondering if there is a DNS forwarding log? I don't have a DNS server installed here at the site, I use OpenDNS for my name servers. I have a machine that is requesting a website that supposedly is related to malware according to OpenDNS. How would I figure out which machine this is on my network? I figure the best way would be with a DNS forwarding log, but there isn't one... and I don't know much about this stuff anyway and I'm eager to learn.

If you can do some basic command line hacking, there is an option for dnsmasq to log all its queries with the -q option. The level of logging could get out of hand quickly; you'll probably have to log to a syslog server to be able to retain enough to find what you're looking for, as the local logs on the system are circular and will overwrite themselves.
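Added example, not part of the message above: with `-q` (`--log-queries`) dnsmasq writes one `query[TYPE] name from client` line per lookup, and this shell function reduces such a log to the clients that asked for a flagged domain or any of its subdomains. The log lines, domain names, addresses and function names are constructed; the log is assumed to carry a three-field syslog timestamp.

```shell
#!/bin/sh
# Live use on the syslog server (the path is a placeholder):
#   who_queried bad.example.test < /path/to/dnsmasq.log

# Constructed sample of dnsmasq query logging as it appears in syslog.
sample_dns_log() {
cat <<'EOF'
Mar  1 14:32:55 dnsmasq[1234]: query[A] bad.example.test from 10.0.1.57
Mar  1 14:32:55 dnsmasq[1234]: forwarded bad.example.test to 192.0.2.53
Mar  1 14:32:55 dnsmasq[1234]: reply bad.example.test is 203.0.113.80
Mar  1 14:40:02 dnsmasq[1234]: query[A] www.pfsense.org from 10.0.1.23
Mar  1 15:01:17 dnsmasq[1234]: query[AAAA] CDN.Bad.Example.Test. from 10.0.1.57
Mar  1 15:05:40 dnsmasq[1234]: query[A] notbad.example.test from 10.0.1.99
Mar  1 15:09:03 dnsmasq[1234]: query[A] bad.example.test from 10.0.1.23
EOF
}

# $1 = flagged domain; log on stdin.
# Prints per client: number of matching queries, first and last time seen.
who_queried() {
    awk -v dom="$1" '
    BEGIN { dom = tolower(dom); sub(/\.$/, "", dom) }
    {
        # Locate "query[TYPE] <name> from <client>" wherever it sits in the line.
        for (i = 1; i <= NF - 3; i++) {
            if ($i !~ /^query\[/ || $(i + 2) != "from") continue
            name = tolower($(i + 1)); sub(/\.$/, "", name)
            # Match the domain itself or a label-aligned subdomain only, so
            # "notbad.example.test" does not count as "bad.example.test".
            tail = substr(name, length(name) - length(dom))
            if (name != dom && tail != "." dom) break
            client = $(i + 3)
            stamp = $1 " " $2 " " $3
            if (!(client in n)) first[client] = stamp
            n[client]++
            last[client] = stamp
            break
        }
    }
    END {
        for (c in n)
            printf "%s queries=%d first=%s last=%s\n", c, n[c], first[c], last[c]
    }
    ' | sort
}

sample_dns_log | who_queried bad.example.test
```
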
RE: [pfSense Support] Only allow DHCP assigned addresses access to network
Andy,

802.1x with MAC authentication bypass is probably what you are looking for. Nearly all managed switches these days have support for 802.1x. This way the device is authenticated at the switch port; if it is not an allowed device the switch will deny the device access (or you could set the switch to give unknown users access to a guest VLAN).

Once set up it is no harder to administer than maintaining your DHCP reservations list. (Once you have it set up I would recommend removing DHCP reservations where they are not needed; this way you only need to maintain one list of MAC addresses.)

Regards,
Daniel

-Original Message-
From: Andy Graybeal [mailto:andy.grayb...@casanueva.com]
Sent: Wednesday, 2 March 2011 9:10 AM
To: support@pfsense.com; t...@casanueva.com
Subject: [pfSense Support] Only allow DHCP assigned addresses access to network

Hi, I would like every machine on my network to get its address from pfSense's DHCP server. If it doesn't receive an address from the DHCP server (if they pick some arbitrary address on the same subnet), how do I disallow them access to network services? Does this make any sense to do this? Does this make sense to not do this?

-Andy
[pfSense Support] throughput tuning in 2.0
2.0-RC1 (amd64) built on Tue Mar 1 15:52:28 EST 2011
Core i3 550 3.2 GHz
4GB RAM
Intel GBE

I've just set this system up doing some crude throughput testing with iperf. The most I can push through this box from LAN to WAN is a steady 503-520 mbps, using the default MTU (higher MTU values produce no throughput on iperf for reasons I haven't looked into. I'm suspecting no support in the switch).

top -SH is showing ~25% interrupt usage and 30%+ idle on both cores. Hyperthreading is disabled.

I'm using a single NIC with VLANs, but testing in only one direction, so the NIC is sending and receiving a total of about 530 mbit x2 during the test.

iperf test machines show minimal CPU usage during the test, and have no other significant network activity happening concurrently.

The switch is a Netgear ProSafe GS108E, which is ostensibly non-blocking.

I expected better throughput than that. Any ideas what is holding this thing back, or where I could look to find out?

Thanks,
db
Re: [pfSense Support] throughput tuning in 2.0
I am not sure how/where you would check this but maybe the card is operating in simplex mode, in which case I believe it makes sense you are getting approximately half of gigabit. Someone please correct me if I am wrong.

Moshe

On Tuesday, March 1, 2011, David Burgess apt@gmail.com wrote:
> 2.0-RC1 (amd64) built on Tue Mar 1 15:52:28 EST 2011
> Core i3 550 3.2 GHz
> 4GB RAM
> Intel GBE
>
> I've just set this system up doing some crude throughput testing with iperf. The most I can push through this box from LAN to WAN is a steady 503-520 mbps, using the default MTU (higher MTU values produce no throughput on iperf for reasons I haven't looked into. I'm suspecting no support in the switch).
>
> top -SH is showing ~25% interrupt usage and 30%+ idle on both cores. Hyperthreading is disabled.
>
> I'm using a single NIC with VLANs, but testing in only one direction, so the NIC is sending and receiving a total of about 530 mbit x2 during the test.
>
> iperf test machines show minimal CPU usage during the test, and have no other significant network activity happening concurrently.
>
> The switch is a Netgear ProSafe GS108E, which is ostensibly non-blocking.
>
> I expected better throughput than that. Any ideas what is holding this thing back, or where I could look to find out?
>
> Thanks,
> db

--
Moshe Katz KatzNet Computers -- mo...@ymkatz.net -- kohenk...@gmail.com -- mk...@zment.com -- mmk...@umd.edu -- kohenk...@aim.com -- moshek...@verizon.net -- kohenk...@inbox.com -- kohenk...@protonic.com -- +1(301)867-3732
Re: [pfSense Support] throughput tuning in 2.0
On 2-3-2011 3:44, David Burgess wrote:
> 2.0-RC1 (amd64) built on Tue Mar 1 15:52:28 EST 2011
> Core i3 550 3.2 GHz
> 4GB RAM
> Intel GBE

I'm seeing at least 600mbit of iSCSI throughput through a Dell R310 with this processor, a 4 port igb card and 2 bce onboard.

I'm routing it from one interface to another, although its destination is also a VLAN on that other interface. Maybe that's where the issue lies. I have not performed testing from one interface to another without VLANs.

I am seeing roughly 200mbit sustained during the backups at night.

Regards,
Seth
Re: [pfSense Support] throughput tuning in 2.0
On Wed, Mar 2, 2011 at 12:38 AM, Seth Mos seth@dds.nl wrote:
> I'm routing it from one interface to another, although its destination is also a VLAN on that other interface. Maybe that's where the issue lies.

It would be unfortunate if VLAN-to-VLAN traffic on a given interface has its maximum throughput reduced by almost half. I would be interested to see how your throughput would differ using two distinct physical interfaces, all else being equal.

db