Re: [pfSense Support] LAGG across all interfaces?
Hello Adam,

On Wed, Apr 20, 2011 at 17:19, Adam Thompson wrote:
> How would one go about setting up LAGG (LACP, 802.3ad) across _all_ the
> interfaces on a pfSense box?
>
> It looks like I can’t get rid of the WAN interface, which would prevent me
> from assigning it to a LAG group.
>
> What I want to do is take a dual-ethernet board and run all the interfaces
> on VLANs over LAGG so that I’m protected against cable faults, switchport
> faults, NIC failures, even switch failures if I ever stack these and do
> cross-stack LACP.
>
> Yes, I’m using CARP to create a redundant pair of firewalls, but I’d like to
> maximize hardware redundancy as much as possible.
>
> The other issue is that I’ll be creating more VLANs than I have ports; so if
> I’m using VLANs anyway, I figure I may as well go all the way.
>
> I think what would be needed to make this practical is some way of setting
> up LAGG from the console, since in this particular scenario I would be
> setting the switch up for static LAG and .1Q tagging, so would not normally
> have any network connectivity until I configured pfSense to match.

We've been doing this for a few years. Just set up the lagg on one port, create the vlans on the lagg, then assign all required interfaces (WAN and before 2.0 LAN) to a VLAN and finally add the other interface to the lagg.

Regards,
Aarno

--
Aarno Aukia
Atrila GmbH
Switzerland

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com
Commercial support available - https://portal.pfsense.org
[pfSense Support] NAT reflection port limit
Hello List,

I was experimenting with the maximum number of TCP-ports that can be NAT reflected and the built-in limit of 990 ports (or 1000 as the error message reads) does not seem to be so arbitrary on both 1.2.3 and 2.0.

When trying to up the limit to 2000 ports in /etc/inc/filter.inc (and creating corresponding /etc/services entries) inetd takes some time to start but only services the first 1006 nat reflection entries (internal reflection port 19000-20005 plus the tftp-helper entry in /var/etc/inetd.conf). The 1007th port (and all thereafter) successfully connect to inetd and data can be sent to it, but inetd never calls nc and the connection never reaches the endpoint. Instead the following error is logged to /var/log/system.log:

Apr 6 18:01:04 fw01 inetd[17900]: accept (for 21324): Resource temporarily unavailable

We suspected some filehandle/socketnumber limit (like ulimit on linux) and tried adjusting kern.maxprocperuid=1, kern.threads.max_threads_per_proc=1, kern.maxfiles=3, kern.maxfilesperproc=27000, kern.ipc.maxsockets=24000 but to no avail.

Any freebsd/inetd gurus lurking on the list with ideas ?

Thanks and best regards,
Aarno

--
Aarno Aukia
Atrila GmbH
Switzerland
Re: [pfSense Support] BGP
Hello Ermal,

On Sat, Sep 18, 2010 at 14:38, Ermal Luçi wrote:
>> We had full tables on pfsense for almost 2 years, but have now moved
>> on to custom openbsd routers for that. Since you only want to use the
> Any reason you switched to OpenBSD?

Not specifically, I just disliked the way pfsense 1.2.3 handled interface (e.g. vlan interface) adds, where it removes all interfaces and rebuilds them again, dropping all neighbour sessions. That, and some quirks in the gui with full tables (static route add/delete won't work and status->interfaces hangs) and we got someone with openbsd know-how led to the decision for the routers. We're still running lots of pfsense firewalls though and are happy with them.

Regards,
Aarno

--
Aarno Aukia
Atrila GmbH
Switzerland
Re: [pfSense Support] BGP
Hello topher,

On Fri, Sep 17, 2010 at 21:49, Chris Flugstad wrote:
> I am trying to BGP our core router with our 2 providers and they are asking
> me if i want a Full Internet routing table, a partial routing table, or just
> a default route
>
> any help?
>
> I'm looking at just redundancy and load balancing, but 1 provider is our
> main connection, the 2nd is for backup or when the 1st is bogged down.

We had full tables on pfsense for almost 2 years, but have now moved on to custom openbsd routers for that. Since you only want to use the second provider as fail-over I'd recommend getting default routes only and local-pref:ing the first over the second.

Regards,
Aarno

--
Aarno Aukia
Atrila GmbH
Switzerland
Re: [pfSense Support] dhclient udp source port on 1.2.3-release
Hi Chris,

On Tue, Aug 17, 2010 at 21:47, Chris Buechler wrote:
> On Tue, Aug 17, 2010 at 10:14 AM, Aarno Aukia wrote:
>> We're seeing an interesting dhcp problem with one ISP's (Swisscom) VDSL
>> product, where the dhclient tries to renew the WAN IP address with
>> unicast to udp port 68 but from a random high port instead of the
>> dhcp-client udp port 67 and gets dropped therefore.
>
> I've never seen dhclient behave like that, sure you don't have
> Outbound NAT that's catching your DHCP requests (like by specifying
> source "any")?

Yep, we have a 50/50-mix of "Automatic outbound NAT rule generation" and "Manual Outbound NAT rule generation" with the default rule. Looking at the dhclient code this seems to be expected though (for unicast renewals to the DHCP server IP, not for the broadcast discovery/renewal).

-Aarno

--
Aarno Aukia
Atrila GmbH
Switzerland
[pfSense Support] dhclient udp source port on 1.2.3-release
Hello,

We're seeing an interesting dhcp problem with one ISP's (Swisscom) VDSL product, where the dhclient tries to renew the WAN IP address with unicast to udp port 68 but from a random high port instead of the dhcp-client udp port 67 and gets dropped therefore. After 30 minutes dhclient falls back to dhcpdiscovery (broadcast, to port 68, from port 67) which usually works but in rare cases (about one a week) fails and kills connectivity.

RFC2131 (http://www.rfc-archive.org/getrfc.php?rfc=2131 page 23 top) unfortunately doesn't define the udp source port at all, and RFC951 says:

"We could not simply allow the client to pick a 'random' port number for the UDP source port field; since the server reply may be broadcast, a randomly chosen port number could confuse other hosts that happened to be listening on that port."

(although this is not the case for unicast renewals).

In http://svn.freebsd.org/base/release/7.2.0/sbin/dhclient/bpf.c I see the "SENDING DIRECT" codepath (lines 250ff), so the socket opened on line 255 could be bound to source port 67 with bind(). Any objections to me submitting a patch ?

Regards,
Aarno

--
Aarno Aukia
Atrila GmbH
Switzerland
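The unicast-renewal failure described above, as an added loopback demonstration that is not part of the original post or of dhclient: a receiver that emulates a server ignoring datagrams whose UDP source port is not the expected client port, and a sender that either binds its source port first (the bind() fix proposed above) or lets the kernel pick a random high port. SERVER_PORT and CLIENT_PORT are constructed, unprivileged stand-ins for the real DHCP ports so the script runs without root.

```python
import socket

# Constructed, unprivileged stand-ins for the DHCP server and client ports
# so the demonstration runs on 127.0.0.1 without root.
SERVER_PORT = 6767
CLIENT_PORT = 6768


def server_accepts(srv, expected_client_port):
    """Receive one datagram and emulate a server that silently ignores
    requests whose UDP source port is not the well-known client port.
    Returns True (accepted), False (dropped) or None (nothing arrived)."""
    try:
        _data, (_host, src_port) = srv.recvfrom(1500)
    except socket.timeout:
        return None
    return src_port == expected_client_port


def send_renewal(bind_source_port):
    """Send one constructed unicast 'renewal' to the server socket.

    With bind_source_port=True the client socket is bound to CLIENT_PORT
    before sending (the bind() fix); with False the kernel assigns an
    ephemeral port at the first sendto(), which is the behaviour reported
    above. Returns (source port actually used, server verdict)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("127.0.0.1", SERVER_PORT))
        srv.settimeout(2.0)
        if bind_source_port:
            cli.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            cli.bind(("127.0.0.1", CLIENT_PORT))
        cli.sendto(b"DHCPREQUEST (constructed payload)", ("127.0.0.1", SERVER_PORT))
        used_port = cli.getsockname()[1]  # ephemeral unless bound above
        return used_port, server_accepts(srv, CLIENT_PORT)
    finally:
        cli.close()
        srv.close()


if __name__ == "__main__":
    for bound in (False, True):
        port, verdict = send_renewal(bound)
        print(f"bind_source_port={bound}: sent from port {port}, "
              f"server {'accepted' if verdict else 'dropped'} it")
```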
Re: [pfSense Support] Monitoring pfSense
Hello Mark,

On Tue, Aug 10, 2010 at 13:59, Mark Wiater wrote:
> Is there a way to disable the menu when SSHing to the firewall? I'm looking
> for just a shell.

On 1.2.3 you can replace /etc/rc.initial with /bin/tcsh in /etc/inc/pfsense-utils.inc:2553...

Would you mind sharing your scripts ?

Thanks and regards,
Aarno

--
Aarno Aukia
Atrila GmbH
Switzerland
Re: [pfSense Support] Creating a PPTP connection through PUTTY
Hello,

On Thu, Jun 10, 2010 at 02:26, David Burgess wrote:
> You could perhaps tunnel a PPTP connection through ssh using putty,
> but I don't know why you would.

I wouldn't know how to tunnel GRE through SSH... But you can:
- OpenVPN through SSH
- use SSH as a SOCKS-proxy (option -D on the command line, no clue about putty)

-Aarno

--
Aarno Aukia
Atrila GmbH
Switzerland
Re: [pfSense Support] How to view logs on pfsense 1.2.3 using putty
Hi Joseph,

On Mon, Jun 7, 2010 at 06:05, Joseph Rotan wrote:
> I have already active ssh on one of my pfsense 1.2.3 site box and sometimes
> i'm having dropoff connections through PPTP, therefore i have manage to
> access the box using PUTTY with a more steady connection. But how can i view
> the logs history using PUTTY, has anyone tried using it.

Dial 8 for shell and then "clog /var/log/system.log".

-Aarno

--
Aarno Aukia
Atrila GmbH
Switzerland
Re: [pfSense Support] 1.2.3: dnsmasq and mac os x 10.6 snow leopard
Hello,

On Tue, Mar 2, 2010 at 00:12, Chris Buechler wrote:
> On Mon, Mar 1, 2010 at 9:45 AM, Scott Ullrich wrote:
>> On Mon, Mar 1, 2010 at 2:38 AM, Aarno Aukia wrote:
>>> Hello,
>>>
>>> I just found out my new mac os x 10.6 snow leopard machine seems to
>>> have problems with DNS TTL 0, dnsmasqs default TTL for local entries
>>> (http://www.mac-forums.com/forums/os-x-operating-system/164649-snow-leopard-keeps-dropping-dns.html#post912124).
>>> Adding " --local-ttl 1" to the dnsmasq $args in /etc/inc/services.inc
>>> (around line 634 on this 1.2.3-rc3 nanobsd) seems to work out the
>>> issues, although I'll keep testing it for some more time...
>>
>> That does not make any sense to me. I have quite a number of Macs and
>> do not see this issue.
>>
>
> It's only for local entries, and I bet you (and most others) don't
> resolve entries off the firewall's hosts file. A TTL 0 is a bit
> unusual in that scenario, it should be safe to set it to 1 for
> everything. I committed that change to 2.0.

At the end, the problem was snow leopard querying both A and records, with the A record being answered correctly locally and the record being forwarded externally. The external answer to the is the public CNAME, which points to a public dyndns-name with only A records. Thus it had 2 different A records and (after some timeout) the second A record was preferred (although IMHO it should be ignored since it was an answer to an query...).

The solution was to add --local= with my domain (which, incidentally, is already there in /etc/inc/services.inc, only commented out) to dnsmasq to not forward any (esp. ) queries externally.

Should that be added as a checkbox to services_dnsmasq.php ?

-Aarno

--
Aarno Aukia
Atrila GmbH
Switzerland
Re: [pfSense Support] OT: VLAN
Hello,

On Fri, Mar 12, 2010 at 18:31, Michel Servaes wrote:
> Since a new networkcable is practically impossible, I'll assign 4
> wires to each (that way I'll be limited to 100mbit - but that's enough
> for either settop & other peripherals that resides under the tv)...
> I split an 8-wire cable before, into two pairs of 100mbit,
> successfully - and reading Vick's comment... i'll jump out of the idea
> with vlans :)

In my humble 0.02CHF I'd rather share 1x Gigabit Ethernet in 2 VLANs than have 2x 100Mbps physically divided... Put a small managed switch under the tv (I used a linksys slm2008 for that) and split the trunk in the required vlans. Use another managed switch or pfsense itself on the other end.

-Aarno

--
Aarno Aukia
Atrila GmbH
Switzerland
[pfSense Support] siproxd package on 2.0
Hello,

We are testing 2.0 (on our office firewall) and can't install the siproxd package. It is unfortunately also marked "?" in the package status spreadsheet (http://spreadsheets.google.com/pub?key=tFSe4gIfr3P0Nr1uYLxCHdw&single=true&gid=0&output=html).

How/where can we enable more debugging output to figure out what exactly fails to try to fix it ?

Regards,
Aarno

--
Aarno Aukia
Atrila GmbH
Switzerland
[pfSense Support] 1.2.3: dnsmasq and mac os x 10.6 snow leopard
Hello,

I just found out my new mac os x 10.6 snow leopard machine seems to have problems with DNS TTL 0, dnsmasqs default TTL for local entries (http://www.mac-forums.com/forums/os-x-operating-system/164649-snow-leopard-keeps-dropping-dns.html#post912124).

Adding " --local-ttl 1" to the dnsmasq $args in /etc/inc/services.inc (around line 634 on this 1.2.3-rc3 nanobsd) seems to work out the issues, although I'll keep testing it for some more time...

-Aarno

--
Aarno Aukia
Atrila GmbH
Switzerland
Re: [pfSense Support] Ability to summarize # of states/IP
Hello Nathan,

On Wed, Feb 3, 2010 at 20:35, Nathan Eisenberg wrote:
> It would be incredibly handy to build a report that summarizes the number of
> states open, groups by IP. That way, one could easily identify a DOS origin.
>
> For example, I just had an attacker attempt to open 40,000 simultaneously
> HTTP sessions on one of my servers. I'd love to be able to see something
> like this:
>
> Proto  Source      SRC Ports  DST Ports
> TCP    10.0.x.x    40,000     1
> TCP    74.1.x.x    16         1
> TCP    63.5.x.x    10         1
> TCP    152.4.x.x   4          1

Patches to "pftop" are very welcome, I suppose.

Regards,
Aarno

--
Aarno Aukia
Atrila GmbH
Switzerland
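The per-source state summary Nathan asks for, as an added example that is neither pftop nor pfSense code: it parses constructed `pfctl -ss` output lines (the line shape assumed here is `iface proto endpoint [(pre-NAT endpoint)] -> endpoint state`, with `<-` for inbound states where the remote initiator is printed on the right), groups states by protocol and source IP, and flags sources holding more distinct source ports than a threshold.

```python
import re
from collections import defaultdict

# Constructed sample of `pfctl -ss` output (not captured from a real firewall).
# 10.0.5.5 holds several half-open states towards port 80; one outbound line
# carries a pre-NAT endpoint in parentheses; one line is deliberately junk.
SAMPLE_STATES = """\
em0 tcp 10.0.0.8:80 <- 10.0.5.5:40001       ESTABLISHED:ESTABLISHED
em0 tcp 10.0.0.8:80 <- 10.0.5.5:40002       SYN_SENT:CLOSED
em0 tcp 10.0.0.8:80 <- 10.0.5.5:40003       SYN_SENT:CLOSED
em0 tcp 10.0.0.8:80 <- 74.1.2.3:51000       ESTABLISHED:ESTABLISHED
em0 tcp 10.0.0.8:443 <- 74.1.2.3:51001      ESTABLISHED:ESTABLISHED
em1 tcp 198.51.100.2:33000 (10.0.0.9:33000) -> 63.5.1.1:80   ESTABLISHED:ESTABLISHED
em0 udp 10.0.0.8:53 <- 152.4.1.1:5353       MULTIPLE:SINGLE
not a state line
"""

# iface proto left [(orig)] -> | <- right [(orig)] state
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<left>\S+)(?:\s+\((?P<lorig>\S+)\))?"
    r"\s+(?P<dir>->|<-)\s+(?P<right>\S+)(?:\s+\((?P<rorig>\S+)\))?\s+(?P<state>\S+)\s*$"
)


def split_endpoint(ep):
    """'10.0.0.8:80' -> ('10.0.0.8', 80); pfctl prints IPv6 as 'addr[port]'."""
    if ep.endswith("]"):
        addr, _, port = ep[:-1].rpartition("[")
    else:
        addr, _, port = ep.rpartition(":")
    return addr, int(port)


def parse_state(line):
    """Return (proto, (src_ip, src_port), (dst_ip, dst_port)) or None.
    The pre-NAT endpoint in parentheses is preferred, so a host behind
    outbound NAT is reported by its real address, not the WAN address."""
    m = STATE_RE.match(line)
    if not m:
        return None
    left = split_endpoint(m["lorig"] or m["left"])
    right = split_endpoint(m["rorig"] or m["right"])
    # '->' prints the initiator first; '<-' prints the local endpoint first
    # and the remote initiator second (assumed pfctl convention).
    src, dst = (left, right) if m["dir"] == "->" else (right, left)
    return m["proto"], src, dst


def summarize(text):
    """Group states by (proto, source IP); count distinct source ports and
    distinct destination ports; rows with the most source ports come first."""
    src_ports = defaultdict(set)
    dst_ports = defaultdict(set)
    for line in text.splitlines():
        parsed = parse_state(line)
        if parsed is None:
            continue  # header, blank or unparseable line
        proto, (sip, sport), (_dip, dport) = parsed
        src_ports[(proto, sip)].add(sport)
        dst_ports[(proto, sip)].add(dport)
    rows = [(proto, sip, len(src_ports[(proto, sip)]), len(dst_ports[(proto, sip)]))
            for (proto, sip) in src_ports]
    rows.sort(key=lambda r: r[2], reverse=True)
    return rows


def suspicious_sources(rows, min_states):
    """Source IPs holding at least min_states distinct source ports: the
    candidates for a connection-flood or state-exhaustion origin."""
    return [sip for _proto, sip, nsrc, _ndst in rows if nsrc >= min_states]


def format_table(rows):
    lines = ["%-5s %-16s %9s %9s" % ("Proto", "Source", "SRC Ports", "DST Ports")]
    for proto, sip, nsrc, ndst in rows:
        lines.append("%-5s %-16s %9d %9d" % (proto.upper(), sip, nsrc, ndst))
    return "\n".join(lines)


if __name__ == "__main__":
    table = summarize(SAMPLE_STATES)
    print(format_table(table))
    print("flagged:", suspicious_sources(table, 3))
```

On a real box the input would come from `pfctl -ss` piped into this script, with the threshold tuned to the normal per-client state count of the service behind the firewall.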
Re: [pfSense Support] OpenBGPd package on 1.2.3-release
Hello,

On Sun, Jan 31, 2010 at 19:10, Scott Ullrich wrote:
> On Fri, Jan 29, 2010 at 11:03 AM, Aarno Aukia wrote:
>> Thanks for committing,
>
> Committed. Thanks for submitting.

Please also bump the package's version number, although this was not in my patch ;)

Thanks,
Aarno

--
Aarno Aukia
Atrila GmbH
Switzerland
Re: [pfSense Support] OpenBGPd package on 1.2.3-release
Hello Ermal, On Mon, Feb 1, 2010 at 09:35, Ermal Luçi wrote: > On Fri, Jan 29, 2010 at 5:03 PM, Aarno Aukia wrote: >> On Fri, Jan 29, 2010 at 00:06, Scott Ullrich wrote: >> > On Thu, Jan 28, 2010 at 10:57 AM, Aarno Aukia >> > wrote: >> >> bgpd is started twice when booting on 1.2.3-release with the newest >> >> package. I suspect once from /usr/local/pkg/openbgpd.inc and once from >> >> /usr/local/etc/rc.d/bgpd.sh ? When commenting out the exec("bgpd") in >> >> /usr/local/pkg/openbgpd.inc it is only started once. Should the check >> >> is_openbgpd_running() also be added to /usr/local/etc/rc.d/bgpd.sh or >> >> is there a more favorable way ? >> > >> > Sounds reasonable. >> >> That would be: >> $ diff -urNp openbgpd.inc.old openbgpd.inc >> --- openbgpd.inc.old 2010-01-29 16:53:08.0 +0100 >> +++ openbgpd.inc 2010-01-29 17:00:55.0 +0100 
>> @@ -153,7 +153,11 @@ function openbgpd_install_conf() { >> $fd = fopen("/usr/local/etc/rc.d/bgpd.sh","w"); >> fwrite($fd, "#!/bin/sh\n\n"); >> fwrite($fd, "# This file was created by the pfSense package >> manager. >> Do not edit!\n\n"); >> - fwrite($fd, "/usr/local/sbin/bgpd -f /usr/local/etc/bgpd.conf\n"); >> + fwrite($fd, "NUMBGPD=`ps auxw | grep bgpd | grep parent | grep -v >> grep | wc -l | awk '{print \$1}'`\n"); >> + fwrite($fd, "#echo \$NUMBGPD\n"); >> + fwrite($fd, "if [ \$NUMBGPD -lt 0 ] ; then\n"); >> + fwrite($fd, " /usr/local/sbin/bgpd -f >> /usr/local/etc/bgpd.conf\n"); >> + fwrite($fd, "fi\n"); >> fclose($fd); >> exec("chmod a+rx /usr/local/etc/rc.d/bgpd.sh"); >> exec("chmod a-rw /usr/local/etc/bgpd.conf"); > > This is missing a bgpctl reload in an else?! Do you think executing /usr/local/etc/rc.d/bgpd.sh should issue a "bgpctl reload" if bgpd is already running ? Although issuing an error message (and maybe suggesting using bgpctl reload instead) if bgpd was found already running would be the nice thing to do, I agree: $ diff -urNp openbgpd.inc.old openbgpd.inc --- openbgpd.inc.old2010-01-29 16:53:08.0 +0100 +++ openbgpd.inc2010-02-01 11:29:46.0 +0100 
@@ -153,7 +153,13 @@ function openbgpd_install_conf() { $fd = fopen("/usr/local/etc/rc.d/bgpd.sh","w"); fwrite($fd, "#!/bin/sh\n\n"); fwrite($fd, "# This file was created by the pfSense package manager. Do not edit!\n\n"); - fwrite($fd, "/usr/local/sbin/bgpd -f /usr/local/etc/bgpd.conf\n"); + fwrite($fd, "NUMBGPD=`ps auxw | grep bgpd | grep parent | grep -v grep | wc -l | awk '{print \$1}'`\n"); + fwrite($fd, "#echo \$NUMBGPD\n"); + fwrite($fd, "if [ \$NUMBGPD -lt 0 ] ; then\n"); + fwrite($fd, " /usr/local/sbin/bgpd -f /usr/local/etc/bgpd.conf\n"); + fwrite($fd, "else\n"); + fwrite($fd, " echo 'bgpd was not started because there is already a process \"bgpd parent\" running. To reload the configuration please issue \"bgpctl reload\".\n"); + fwrite($fd, "fi\n"); fclose($fd); exec("chmod a+rx /usr/local/etc/rc.d/bgpd.sh"); exec("chmod a-rw /usr/local/etc/bgpd.conf"); Regards, Aarno -- Aarno Aukia Atrila GmbH Switzerland - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
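Review bot: the generated rc script in this hunk still tests `if [ \$NUMBGPD -lt 0 ]`, which can never be true because `wc -l` never yields a negative count, so bgpd.sh will never start bgpd and every boot takes the else branch; the comparison should be `-eq 0`. The new else branch also writes `echo 'bgpd was not started ... \"bgpctl reload\".\n` with an opening single quote that is never closed (the `\"` become plain double quotes once PHP has written the file, but the `'` has no partner), which leaves /usr/local/etc/rc.d/bgpd.sh with a shell syntax error; close the quote before the `\n`, i.e. `...issue \"bgpctl reload\".'\n`.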
Re: [pfSense Support] Command in Crontab Missing
Hello,

On Fri, Jan 29, 2010 at 16:55, Vick Khera wrote:
> On Fri, Jan 29, 2010 at 2:36 AM, Indrajaya Pitra Perdana
> wrote:
>
>> I try to insert several command in the /etc/crontab file, but after
>> sometimes (around 30 days) the command that i manually insert is gone, is
>> there something that made the crontab reset as it was before ?
>> i use 1.2.2 version , thx before
>
>
> Pretty much any file you manually edit will go away on reboot. Any
> configuration you want to persist must be done via the GUI.

The more helpful suggestion IMHO: use the "Cron" package to manage the crontab entries in the GUI.

Regards,
Aarno

--
Aarno Aukia
Atrila GmbH
Switzerland
Re: [pfSense Support] OpenBGPd package on 1.2.3-release
Hello, On Fri, Jan 29, 2010 at 00:06, Scott Ullrich wrote: > On Thu, Jan 28, 2010 at 10:57 AM, Aarno Aukia wrote: >> bgpd is started twice when booting on 1.2.3-release with the newest >> package. I suspect once from /usr/local/pkg/openbgpd.inc and once from >> /usr/local/etc/rc.d/bgpd.sh ? When commenting out the exec("bgpd") in >> /usr/local/pkg/openbgpd.inc it is only started once. Should the check >> is_openbgpd_running() also be added to /usr/local/etc/rc.d/bgpd.sh or >> is there a more favorable way ? > > Sounds reasonable. That would be: $ diff -urNp openbgpd.inc.old openbgpd.inc --- openbgpd.inc.old2010-01-29 16:53:08.0 +0100 +++ openbgpd.inc2010-01-29 17:00:55.0 +0100 @@ -153,7 +153,11 @@ function openbgpd_install_conf() { $fd = fopen("/usr/local/etc/rc.d/bgpd.sh","w"); fwrite($fd, "#!/bin/sh\n\n"); fwrite($fd, "# This file was created by the pfSense package manager. Do not edit!\n\n"); - fwrite($fd, "/usr/local/sbin/bgpd -f /usr/local/etc/bgpd.conf\n"); + fwrite($fd, "NUMBGPD=`ps auxw | grep bgpd | grep parent | grep -v grep | wc -l | awk '{print \$1}'`\n"); + fwrite($fd, "#echo \$NUMBGPD\n"); + fwrite($fd, "if [ \$NUMBGPD -lt 0 ] ; then\n"); + fwrite($fd, " /usr/local/sbin/bgpd -f /usr/local/etc/bgpd.conf\n"); + fwrite($fd, "fi\n"); fclose($fd); exec("chmod a+rx /usr/local/etc/rc.d/bgpd.sh"); exec("chmod a-rw /usr/local/etc/bgpd.conf"); Thanks for committing, Aarno -- Aarno Aukia Atrila GmbH Switzerland - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
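Review bot: the `-lt 0` comparison in the generated bgpd.sh can never succeed (`wc -l` prints 0 or a positive number), so this hunk inverts the intent and bgpd is never started from the rc script; use `[ \$NUMBGPD -eq 0 ]`. Counting `ps auxw | grep bgpd | grep parent | grep -v grep` is also fragile, since any other process whose command line contains both words counts as a running bgpd; a pid file or `pgrep -f` check, or the is_openbgpd_running() helper mentioned earlier in the thread, would be more robust.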
[pfSense Support] OpenBGPd package on 1.2.3-release
Hello,

bgpd is started twice when booting on 1.2.3-release with the newest package. I suspect once from /usr/local/pkg/openbgpd.inc and once from /usr/local/etc/rc.d/bgpd.sh ? When commenting out the exec("bgpd") in /usr/local/pkg/openbgpd.inc it is only started once. Should the check is_openbgpd_running() also be added to /usr/local/etc/rc.d/bgpd.sh or is there a more favorable way ?

In addition I discovered support for tcp-md5sig, which only works for openbgpd-configurations made with the assistant. I'll try to hack something up for parsing the "raw config" and generating a bgpdsetkey.conf. Any suggestions there ?

Regards,
Aarno

--
Aarno Aukia
Atrila GmbH
Switzerland
Re: [pfSense Support] Password reset
Hi Mitch,

Try using the "change password" option 3 on the console (or virtual console in your case) if you haven't password protected your console.

Regards,
Aarno

PS: If you need any help, we're in Zürich and Zug...

On Tue, Jan 26, 2010 at 08:57, Michel Herzog wrote:
> Hello
>
> We have a pfsense from VM running.
>
> It is fine but only problem is that the admin password is lost :)
>
> Have logged on to pfsense in rescue mode and reset the password using
> "password".
> This worked, but with the next reboot, the password again didn't match.
>
> Could you please advise us on resetting admin password at this
> virtual-machine-pfsense ?
>
> Thank you very much & regards from Switzerland
> Michel Herzog

--
Aarno Aukia
Atrila GmbH
Switzerland
Re: [pfSense Support] CARP and BGP
Hello Evgeny,

On Mon, Nov 16, 2009 at 17:31, Evgeny Yurchenko wrote:
> Could you explain how it works please? I have no questions about
> active(CARP) one but what about passive? bgpd on passive one will be
> continuously trying to connect to peer... using what source IP?

The key is to use "local-address " and "depend-on carpX". This way the backup bgpd only starts connecting when carp has fail-overed (when the carp interface becomes active) using the carp address. Beware of asymmetric routing though if not using pfsync...

-Aarno

--
Aarno Aukia
Atrila GmbH
Switzerland
Re: [pfSense Support] CARP and BGP
Hello,

On Sat, Nov 14, 2009 at 03:36, Chris Buechler wrote:
> On Fri, Nov 13, 2009 at 9:13 PM, Glenn Kelley wrote:
>> Am I correct in assuming that CARP and BGP cannot work together - as CARP
>> pushes private ip addresses ?
>>
>
> CARP doesn't push private IPs, not sure what you mean by that, but it
> can work just the same as anything with public IPs. Though there are
> likely complications related to the BGP package in combination with
> CARP. Haven't tried it personally, not sure.

It works fine, you have to configure openbgpd to use the carp-address using "local-address". You will still have a short interruption of service until the backup bgpd resyncs the session, but it is a lot faster than to manually reconfigure the routers... We have this running in production, feel free to contact me off-list for details.

Regards,
Aarno

--
Aarno Aukia
Atrila GmbH
Switzerland
Re: [pfSense Support] lagg (lacp) support 1.2
Hello,

On Fri, Nov 13, 2009 at 00:08, Leon Strong wrote:
>
> I'm at a point here that i'm going to be needing to do some port level
> aggregation due to bandwidth/sub-netting requirements, currently, it seems
> that the only way to do this reliably in a semi supportable way, would be to
> do "bonding/teaming/lacp" on a linux/bsd box, and to virtualise pfSense,
> which i'm not terribly keen on.
>
> Whats the possibility of getting bonding into 1.2 - how much work would it
> be, and would there be anyone interested in doing this for a bounty?
>

Since 1.2 is in a feature-freeze and this is hardly a bug I don't know if even patches would be accepted for this in 1.2.

Currently it's not really that hard:
* install package shellcmd
* add following earlyshellcmds (substitute your ethernet interface names):
  * ifconfig lagg0 create
  * ifconfig lagg0 up laggproto lacp laggport em2 laggport em3
* add the following shellcmds:
  * ifconfig em2 up
  * ifconfig em3 up
* reboot
* you now have a lagg0 interface in Interfaces -> assign
* if you want to assign vlans to it in the gui you have to patch /usr/local/www/interfaces_vlan_edit.php:
  * comment out "if (is_jumbo_capable($ifn)) {", add "{" to parent foreach

We have done this a few times already, we can do it for you if you want.

Regards,
Aarno

--
Aarno Aukia
Atrila GmbH
Switzerland
Re: [pfSense Support] Public ip bgp routing
Hello,

On Mon, Oct 19, 2009 at 19:45, Nathan Eisenberg wrote:
> But the BGP implementation in PFSense needs further development - the web
> interface for it has bugs, and I'm not sure if the daemon recognizes iBGP vs
> eBGP (same AS# vs external), or public AS numbers vs Private. Route
> reflectors are also incredibly useful in the BGP world - and they're nowhere
> to be found in the implementation.

OpenBGPd knows all of it, the pfsense gui supports them in the "raw config"-mode (but you need to read bgpd.conf(5)).

> And what good is a border gateway protocol (BGP) without an internal gateway
> protocol (IGP) to manage the internal routing? And no, RIP doesn't count as
> an IGP these days. :-)

OpenOSPF is on my task-/wishlist...

-Aarno

--
Aarno Aukia
Atrila GmbH
Switzerland
Re: [pfSense Support] Re: Static routes
Hello, On Thu, Oct 8, 2009 at 17:16, Scott Ullrich wrote: > On Thu, Oct 8, 2009 at 11:13 AM, Aarno Aukia wrote: >> On Thu, Oct 8, 2009 at 16:21, Aarno Aukia wrote: >>> I would propose to compare the "old" {$g['vardb_path']}/routes.db to >>> the current set of configured static routes and "route delete" the >>> superfluous routes. Any comments/objections ? >> >> On a closer look, all previous static routes are removed if they are >> found in the current routing table. Altough I could rewrite that to >> use "route get", why not try to remove all previous routes and >> ignoring failure to do so to achieve the same effect ? > > You are probably the first person to run into this, that is why. We > will happily accept patches for this considering its a bug for 1.2.3. > However we also need to fix it in 2.0. Attached is a patch against 1.2.3-rc1 which is running in production since friday. I wanted to start sending merge-requests instead, but my git repo (mainline clone at https://rcs.pfsense.org/projects/pfsense/repos/arska-clone) has not been created yet... -Aarno -- Aarno Aukia Atrila GmbH Switzerland --- system.inc.orig 2009-10-08 16:23:17.0 +0200 +++ system.inc 2009-10-09 15:47:44.0 +0200 @@ -231,9 +231,6 @@ mwexec("/sbin/sysctl net.inet.ip.fastforwarding=1"); /* clear out old routes, if necessary */ - exec("/usr/bin/netstat -rn", $route_arr, $retval); - $route_str = implode("\n", $route_arr); - if (file_exists("{$g['vardb_path']}/routes.db")) { $fd = fopen("{$g['vardb_path']}/routes.db", "r"); if (!$fd) { 
@@ -242,13 +239,16 @@ } while (!feof($fd)) { $oldrt = trim(fgets($fd)); - if (($oldrt) && (stristr($route_str, $oldrt))) -mwexec("/sbin/route delete " . escapeshellarg($oldrt)); + if ($oldrt) { +// try to delete the old route, ignoring if it's not there anymore +mwexec("/sbin/route delete " . escapeshellarg($oldrt),true); + } } fclose($fd); unlink("{$g['vardb_path']}/routes.db"); } + /* add the static routes to the routing table */ if (is_array($config['staticroutes']['route'])) { $fd = fopen("{$g['vardb_path']}/routes.db", "w"); @@ -273,13 +273,9 @@ } /* Make sure default gateway is present */ - $result = `/usr/bin/netstat -rn | grep default`; - if(!$result) { - if(is_ipaddr($config['interfaces']['wan']['gateway'])) { - log_error("No default gateway detected, adding {$config['interfaces']['wan']['gateway']}"); - mwexec("/sbin/route add default " . escapeshellarg($config['interfaces']['wan']['gateway'])); - } - } + $retval = mwexec("/sbin/route add default " . escapeshellarg($config['interfaces']['wan']['gateway']),true); + if ($retval == 0) log_error("No default gateway detected, adding {$config['interfaces']['wan']['gateway']}"); + return 0; } @@ -1280,4 +1276,4 @@ } } -?> \ No newline at end of file +?> - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
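Review bot: the third hunk (the "Make sure default gateway is present" block) drops the `is_ipaddr($config['interfaces']['wan']['gateway'])` guard, so `route add default` is now executed on every call even when the WAN gateway is unset or not a valid address, and the "No default gateway detected" message is logged whenever the add succeeds while a failed add is silent; keep the is_ipaddr() check around the new mwexec() call and log on a non-zero $retval as well.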
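Review bot: in the second hunk, passing `true` to mwexec() for `route delete` hides every failure, not only the "route not there anymore" case the comment describes, so a malformed entry in routes.db or a permissions problem would now pass unnoticed; since the earlier netstat-based check is gone, consider logging the return value when it is non-zero so the removed check does not become a silent failure.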
[pfSense Support] Re: Static routes
Replying to myself, sorry.

On Thu, Oct 8, 2009 at 16:21, Aarno Aukia wrote:
> I would propose to compare the "old" {$g['vardb_path']}/routes.db to
> the current set of configured static routes and "route delete" the
> superfluous routes. Any comments/objections ?

On a closer look, all previous static routes are removed if they are found in the current routing table. Although I could rewrite that to use "route get", why not try to remove all previous routes and ignore failure to do so to achieve the same effect ?

-Aarno

--
Aarno Aukia
Atrila GmbH
Switzerland
[pfSense Support] Static routes
Hello,

I have to patch how static routes are applied in pfsense 1.2.3, because it falls over when there are already lots of routes (e.g. on a bgp-speaking router). Specifically, in /etc/inc/system.inc:234 it reads netstat -rn into memory, exhausting the default php memory limit.

I would propose to compare the "old" {$g['vardb_path']}/routes.db to the current set of configured static routes and "route delete" the superfluous routes. Any comments/objections ?

While being at it, I saw $config['staticroutes']['enablefastrouting'] (setting "sysctl net.inet.ip.fastforwarding=1") could only be activated when $config['system']['disablefilter'] was set. AFAIK (http://redmine.pfsense.org/search/index/pfsense?q=fastforward, http://www.mail-archive.com/support@pfsense.com/msg07871.html) fast forwarding interferes with IPSec and ICMP redirect/source quench generation (http://www.mail-archive.com/support@pfsense.com/msg07862.html), but basic packet filtering should still work. Notably, there is a hardcoded hack in vpn.inc to set net.inet.ip.fastforwarding=0 if ipsec is enabled.

I would propose to document it at both ends in the GUI (VPN/IPSec (disallow enabling if fastforwarding is set) and System/Static Routes (disable enabling if ipsec is enabled)), but let the user still enable fastforwarding even though disablefilter is not set. Comments/objections ?

-Aarno

--
Aarno Aukia
Atrila GmbH
Switzerland
Re: SV: [pfSense Support] Running out of memory
On Thu, Sep 17, 2009 at 11:54, wrote:
> On Wed, Sep 16, 2009 at 17:51, Scott Ullrich wrote:
>> On Wed, Sep 16, 2009 at 11:42 AM, Oliver Hansen wrote:
>>> a_subscribti...@fiberby.dk wrote:
>>>> That immediately reduced the memory use from 50% -22%
>>>> But as you state, it doesn't solve the underlying problem.
>>
>> Thanks, I just committed a change to prevent this from being a problem.
>
> I guess that would be
> http://redmine.pfsense.org/repositories/diff/pfsense/usr/local/www/diag_packet_capture.php?rev=4e7d16657607583500f9c05aa5b8b6fdfa859e1c
>
> Which solves Oliver's problem filling up the /tmp/ ramdisk.
>
> Anders: did this also solve your problem ? were you running packet
> captures ? Can you post a longer ps aux | grep tcpdump to confirm
> whether this is the pflog or another tcpdump process ?
>
> No, I never use the packet-capture feature, since I have a sniffer on a
> mirror-port.
> It seems that one of my routers (the one with a fresh install of 1.2.2) is
> behaving different now.
> Just after I ran the "Kill 554", it immediately reduced the memory use from
> 50% -22%. This morning it was down to 15%.
> On the other router, the "Kill 554" apparently didn't have any effect, since
> the memory usage is still the same.
>
> Here's the full ps aux for the router that is still leaking memory:

The command names are still truncated. Do you have a larger terminal to output on?

The "kill 554" command removed the tcpdump process on your first machine (where the process ID was 554); on the other machine the PID is 517 and the process is consuming 33% of memory:

> USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
> root 517 0.0 33.0 343616 341308 d0- S 4Sep09 496:51.12 /usr/sbin/tcpdum

I still suspect this being the pflog-tcpdump hogging memory, not the packet capture filling the ramdisk. Scott?

-Aarno
--
Aarno Aukia
Atrila GmbH
Switzerland
Re: SV: [pfSense Support] Running out of memory
On Wed, Sep 16, 2009 at 17:51, Scott Ullrich wrote:
> On Wed, Sep 16, 2009 at 11:42 AM, Oliver Hansen wrote:
>> a_subscribti...@fiberby.dk wrote:
>>> That immediately reduced the memory use from 50% -22%
>>> But as you state, it doesn't solve the underlying problem.
>
> Thanks, I just committed a change to prevent this from being a problem.

I guess that would be
http://redmine.pfsense.org/repositories/diff/pfsense/usr/local/www/diag_packet_capture.php?rev=4e7d16657607583500f9c05aa5b8b6fdfa859e1c

Which solves Oliver's problem filling up the /tmp/ ramdisk.

Anders: did this also solve your problem? Were you running packet captures? Can you post a longer ps aux | grep tcpdump to confirm whether this is the pflog or another tcpdump process?

-Aarno
--
Aarno Aukia
Atrila GmbH
Switzerland
Re: [pfSense Support] Running out of memory
On Wed, Sep 16, 2009 at 09:36, wrote:
> It seems like it's tcpdump that is causing the problem. Both machines are
> running 1.2.2. One is upgraded from 1.0.1 - 1.2 - 1.2.2. The other is a
> fresh install.
> They were booted 12 days ago. Just after a reboot they use app. 8% of
> memory, and that has now increased to app. 50%.
>
> USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
> root 554 3.3 27.7 288320 286384 d0- S 4Sep09 240:11.90 /usr/sbin/tcpdum

It very much looks like the tcpdump process generating the firewall log messages. Here the section from ps from a 1.2.1-embedded (although it's the same on 1.2.3-rc1):

router:~# ps aux | grep tcpd
root 450 0.0 21.7 56896 54936 d0- S 2Jan09 81:46.02 /usr/sbin/tcpdump -s 256 -v -l -n -e -ttt -i pflog0

Command line option -l activates line buffering. It might be a memory leak in tcpdump (although it hasn't been a problem on any machine of ours). Do you have an unusually high load of connections and/or logging enabled on firewall-rules? Tried to disable the logging of the default deny-all rule?

-Aarno
--
Aarno Aukia
Atrila GmbH
Switzerland
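An added example (not code from this thread or from pfSense) of the check asked for in this mail and the follow-up above: it picks the tcpdump bound to pflog0 out of ps output, separates it from any packet-capture tcpdump, and reports when its resident size has grown past a limit. The ps lines are constructed for the example (the first one mirrors the thread) and the limit is an arbitrary value.

```shell
#!/bin/sh
# Added example, not pfSense code: pick the tcpdump that feeds the firewall log
# (the one listening on pflog0) out of "ps auxww" and flag it when its resident
# size passes a limit, so the growth discussed in the thread is noticed before
# the box runs out of memory. The ps lines below are constructed for this
# example (the first one mirrors the thread); the limit is an arbitrary value.

# Resident set size (kB) above which the pflog tcpdump is reported.
RSS_LIMIT_KB=${RSS_LIMIT_KB:-131072}

# Read "ps aux"-style lines on stdin and print "PID RSS_KB" for the tcpdump
# attached to pflog0. Columns: USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME
# COMMAND, so the command is field 11 and RSS is field 6. Other tcpdumps (e.g.
# a packet capture writing a file) are deliberately not matched. The thread's
# "ps aux" output was cut at "/usr/sbin/tcpdum"; "ps auxww" prints the full
# command line so the "-i pflog0" part becomes visible.
pflog_tcpdump() {
    awk '$11 ~ /(^|\/)tcpdump$/ && / -i pflog0( |$)/ { print $2, $6 }'
}

# Exit status: 0 within limit, 1 over the limit, 2 no pflog tcpdump running.
# A line describing the finding is printed on stdout.
check_pflog_memory() {
    found=$(pflog_tcpdump)
    if [ -z "$found" ]; then
        echo "no tcpdump on pflog0 found (firewall logging not running?)"
        return 2
    fi
    set -- $found
    if [ "$2" -gt "$RSS_LIMIT_KB" ]; then
        echo "pflog tcpdump pid $1 uses $2 kB RSS, over the limit of $RSS_LIMIT_KB kB"
        return 1
    fi
    echo "pflog tcpdump pid $1 uses $2 kB RSS, within limit"
    return 0
}

# --- constructed sample "ps auxww" output -----------------------------------
SAMPLE_PS='USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
root 554 3.3 27.7 288320 286384 d0- S 4Sep09 240:11.90 /usr/sbin/tcpdump -s 256 -v -l -n -e -ttt -i pflog0
root 612 0.0 0.4 3700 2100 ?? S 4Sep09 0:00.02 /usr/sbin/tcpdump -i em0 -w /tmp/capture.cap
root 1 0.0 0.1 1888 600 ?? ILs 4Sep09 0:00.12 /sbin/init --'

# On a live box: ps auxww | check_pflog_memory
# Here the sample's pflog tcpdump (286384 kB) is over the limit, so status is 1.
rc=0
printf '%s\n' "$SAMPLE_PS" | check_pflog_memory || rc=$?
echo "status: $rc"
```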
Re: [pfSense Support] OpenBGPD
Hi Nathan,

On Fri, Aug 21, 2009 at 10:18, Nathan Eisenberg wrote:
> After seeing the flurry of commits to this package, I was curious, and tried
> it out with a half dozen VMs in a basic 'core and border' setup.
>
> I'd like to play with it a bit more and see what it's really capable of. Are
> there any good guides out there on using openBGPD, maybe even specific to
> pfSense? One thing I couldn't figure out how to do is restricting
> announcements.
>
> For example, my upstream carriers restrict my BGP announces so that I can't
> announce networks that don't belong to me, like 74.125.0.0/16, and steal
> Google's traffic. :-)

I'll suggest:
http://www.openbsd.org/cgi-bin/man.cgi?query=bgpd.conf (the definition of filters is about 2/3 down)
http://www.openbsd.org/papers/linuxtag06-network.pdf ("real-life" examples)

Regards,
Aarno
--
Aarno Aukia
Atrila GmbH
Switzerland
Re: [pfSense Support] PfSense_advanced_etherchannel_and_vlan_howto_with_cisco_2900
Hi Luismi,

On Wed, Aug 5, 2009 at 12:19, luismi wrote:
> Yes, I didn't take note about the HEAD version, I read the document just
> putting focus on the Etherchannel configuration :-D
>
> From the point of view of Cisco, what type of FEC are you using? LACP?
> LAGP? on?

I'm also using LACP on the cisco-side:

interface Port-channel1
 switchport mode trunk
 flowcontrol send off
!
interface FastEthernet0/1
 switchport mode trunk
 channel-group 1 mode active
 channel-protocol lacp
!
interface FastEthernet0/2
 switchport mode trunk
 channel-group 1 mode active
 channel-protocol lacp

Regards,
Aarno
--
Aarno Aukia
Atrila GmbH
Switzerland
Re: [pfSense Support] PfSense_advanced_etherchannel_and_vlan_howto_with_cisco_2900
Hi luismi,

On Wed, Aug 5, 2009 at 11:58, luismi wrote:
> Hi all,
>
> I was reviewing the document
> http://chaos.untouchable.net/index.php/PfSense_advanced_etherchannel_and_vlan_howto_with_cisco_2900
>
> And I was looking for the way to do that in our pfsense 1.2.2 but I
> didn't see any option in the web interface, so, should it be done at low
> level with the shell?

In the wiki "Using a recent version of HEAD" means pfSense 2.0 (alpha).

> Is there anyone here using Etherchannel against a PFSense box with a
> Cisco 2960 or 3750 stack?

Yes, I am, against 2950/60/60G. I'm using shell commands with the Shellcmd-package as earlyshellcmds:

ifconfig lagg0 create
ifconfig lagg0 up laggproto lacp laggport em2 laggport em3

and then as shellcmds:

ifconfig em2 up
ifconfig em3 up

Regards,
Aarno
--
Aarno Aukia
Atrila GmbH
Switzerland
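An added example (not the commands from this thread nor pfSense code) that wraps the two earlyshellcmd/shellcmd steps above so they can be re-run safely and then checks that the switch side shown in the other reply (LACP, "channel-group 1 mode active") actually negotiated with every member, by parsing "ifconfig lagg0". Interface names follow the thread (lagg0, em2, em3); the ifconfig output is constructed for the example in the format FreeBSD prints for a lagg.

```shell
#!/bin/sh
# Added example, not the code from the thread: idempotent lagg bring-up plus
# a check that every member port reached the ACTIVE,COLLECTING,DISTRIBUTING
# state, i.e. LACP really negotiated with the switch. Interface names follow
# the thread; the ifconfig output below is constructed for this example.

LAGG=${LAGG:-lagg0}
PORTS=${PORTS:-"em2 em3"}

# earlyshellcmd step: create the lagg only if it does not exist yet, so a
# repeated run does not fail with "File exists", then attach the members.
setup_lagg() {
    ifconfig "$LAGG" >/dev/null 2>&1 || ifconfig "$LAGG" create
    members=""
    for p in $PORTS; do members="$members laggport $p"; done
    ifconfig "$LAGG" up laggproto lacp $members
}

# shellcmd step: the physical members must be up as well.
up_ports() { for p in $PORTS; do ifconfig "$p" up; done; }

# Read "ifconfig laggN" output on stdin; print the members whose LACP flags
# lack any of ACTIVE, COLLECTING, DISTRIBUTING. A port stuck at "flags=0<>"
# means the switch never completed LACP with it (wrong channel-group mode,
# cabling, or the port still down), so traffic is not being spread over it.
unhealthy_ports() {
    awk '/^[ \t]*laggport:/ {
             if ($3 !~ /ACTIVE/ || $3 !~ /COLLECTING/ || $3 !~ /DISTRIBUTING/)
                 print $2
         }'
}

# Read "ifconfig laggN" output on stdin. Exit 0 when every expected member is
# attached and distributing, 1 otherwise, with a one-line summary on stdout.
lagg_health() {
    out=$(cat)
    expected=$(set -- $PORTS; echo $#)
    attached=$(printf '%s\n' "$out" | awk '/^[ \t]*laggport:/ { n++ } END { print n + 0 }')
    bad=$(printf '%s\n' "$out" | unhealthy_ports | tr '\n' ' ')
    if [ "$attached" -ne "$expected" ]; then
        echo "DEGRADED: $attached of $expected members attached to $LAGG"
        return 1
    fi
    if [ -n "$bad" ]; then
        echo "DEGRADED: members not distributing: $bad"
        return 1
    fi
    echo "OK: $attached members of $LAGG active"
}

# --- constructed sample ifconfig output --------------------------------------
SAMPLE_OK='lagg0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether 02:00:00:00:00:01
	media: Ethernet autoselect
	status: active
	laggproto lacp
	laggport: em2 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>
	laggport: em3 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>'
SAMPLE_ONE_DOWN='lagg0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether 02:00:00:00:00:01
	status: active
	laggproto lacp
	laggport: em2 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>
	laggport: em3 flags=0<>'

case "${1:-demo}" in
    apply) setup_lagg; up_ports; ifconfig "$LAGG" | lagg_health ;;   # on the box
    demo)  printf '%s\n' "$SAMPLE_OK" | lagg_health || true
           printf '%s\n' "$SAMPLE_ONE_DOWN" | lagg_health || true ;;
esac
```

Run with "apply" on the firewall itself; without an argument it only evaluates the constructed samples.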
Re: [pfSense Support] Help with Siproxd
As 1.2.3 hasn't been released yet, I assume you are using 1.2.3-rc1. You said you installed the siproxd package on 1.2.3-rc1 embedded?

Have you:
- configured siproxd? services -> siproxd, set the in- and outbound interfaces, port ranges etc
- added firewall rules to WAN to allow the configured port ranges?
- configured AON by simply clicking "Manual Outbound NAT rule generation" in Firewall -> NAT -> Outbound, leaving the default rule untouched and applying?

-Aarno

On Tue, Aug 4, 2009 at 11:08, Jeremy Bennett wrote:
>
> On Aug 3, 2009, at 6:29 PM, David Burgess wrote:
>
>> On Mon, Aug 3, 2009 at 9:55 PM, Jeremy Bennett wrote:
>>
>>> When I install siproxd, everything looks good, however when I go to my
>>> "services" page and press the "play/start" button, PFsense reports that
>>> "siproxd has been started", but when the page refreshes, the status still
>>> shows up as "stopped".
>>
>> Have you tried refreshing the Services>>Status page after waiting a
>> few more seconds? I haven't used the siproxd package, but I know that
>> some services take longer to start than it does for the page to
>> refresh.
>>
>> db
>
> Yes I have waited for 30 seconds, a minute, 5 minutes, It never changes from
> "stopped"

--
Aarno Aukia
Atrila GmbH
Switzerland
Re: [pfSense Support] pfsense embedded 1.2.3-rc2 crash with PPPoE and PPTP
This is now being tracked in http://cvstrac.pfsense.com/tktview?tn=1935

It's a known FreeBSD kernel bug with a fix/patch available.

-Aarno
--
Aarno Aukia
Atrila GmbH
Switzerland
[pfSense Support] pfsense embedded 1.2.3-rc2 crash with PPPoE and PPTP
Hi folks,

We have a customer pfsense embedded 1.2.3-rc2 crash and reboot when using PPTP when the WAN link is over PPPoE (DSL). This does not happen with 1.2.2 or when using DHCP as WAN.

Until we try out the usual suspects (replace CF, replace HW, etc) or work around this (using a DSL-router instead of a bridge), has any of you experienced anything like this?

-Aarno
--
Aarno Aukia
Atrila GmbH
Switzerland
Re: [pfSense Support] OpenOSPFd
On Wed, Jul 1, 2009 at 19:26, Scott Ullrich wrote:
> On Wed, Jul 1, 2009 at 6:46 AM, Aarno Aukia wrote:
>> Hello,
>>
>> From what I saw in the forums
>> (http://forum.pfsense.org/index.php?topic=11603.0) adding an openospfd
>> package shouldn't be such a challenge. I can try to write an
>> appropriate openospfd.xml, but how/where are the binaries added to the
>> package ?
>
> Take a look at the OpenBGP package.

I did, but didn't find out how bgpd bgpd.sh bgpd translates to a binary in /usr/local/sbin/...

-Aarno
--
Aarno Aukia
Atrila GmbH
Switzerland
Re: [pfSense Support] OpenBGPd raw config edit
On Wed, Jul 1, 2009 at 19:07, Scott Ullrich wrote: > On Wed, Jul 1, 2009 at 6:41 AM, Aarno Aukia wrote: >> Corrected patch (with correct highlighting of the selected tab) attached. > > Patch was already applied. You need to submit a change on top of what > is commited: > > sullrich$ patch < ~/Downloads/pfsense-openbgpd-rawconfig.diff > patching file openbgpd.inc > Reversed (or previously applied) patch detected! Assume -R? [n] ^C That would be the following two-liner. -Aarno diff -urN openbgpd.med/openbgpd_raw.php openbgpd/openbgpd_raw.php --- openbgpd.med/openbgpd_raw.php 2009-07-02 13:43:30.0 +0200 +++ openbgpd/openbgpd_raw.php 2009-07-01 10:03:26.0 +0200 @@ -56,7 +56,7 @@ $tab_array[] = array(gettext("Neighbors"), false, "/pkg.php?xml=openbgpd_neighbors.xml"); $tab_array[] = array(gettext("Groups"), false, "/pkg.php?xml=openbgpd_groups.xml"); $tab_array[] = array(gettext("Raw config"), true, "/openbgpd_raw.php"); - $tab_array[] = array(gettext("Status"), true, "/openbgpd_status.php"); + $tab_array[] = array(gettext("Status"), false, "/openbgpd_status.php"); display_top_tabs($tab_array); ?> diff -urN openbgpd.med/openbgpd_status.php openbgpd/openbgpd_status.php --- openbgpd.med/openbgpd_status.php2009-07-02 13:43:30.0 +0200 +++ openbgpd/openbgpd_status.php2009-07-01 10:03:46.0 +0200 
@@ -120,7 +120,7 @@ $tab_array[] = array(gettext("Settings"), false, "/pkg_edit.php?xml=openbgpd.xml&id=0"); $tab_array[] = array(gettext("Neighbors"), false, "/pkg.php?xml=openbgpd_neighbors.xml"); $tab_array[] = array(gettext("Groups"), false, "/pkg.php?xml=openbgpd_groups.xml"); - $tab_array[] = array(gettext("Raw config"), true, "/openbgpd_raw.php"); + $tab_array[] = array(gettext("Raw config"), false, "/openbgpd_raw.php"); $tab_array[] = array(gettext("Status"), true, "/openbgpd_status.php"); display_top_tabs($tab_array); ?> -- Aarno Aukia Atrila GmbH Switzerland - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
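Review bot: the flip of the "Status" entry from true to false in openbgpd_raw.php is the right fix, but the hunk also shows why it was needed: every page hard-codes a literal true/false per tab, so the next copy of this block into a new page can repeat the same mistake. Consider deriving the flag once, e.g. by comparing each entry's URL with the current script path, or by building $tab_array in a single helper in openbgpd.inc that takes the name of the active tab. Also, the @@ -56,7 +56,7 @@ header announces seven lines per side but only six are visible here (Neighbors, Groups, Raw config, Status, display_top_tabs, ?>), so check that the leading "Settings" line was not lost when the mail was wrapped before feeding this to patch.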
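Review bot: this hunk is the mirror image of the first one and confirms that $tab_array is duplicated verbatim between openbgpd_raw.php and openbgpd_status.php (same five entries, same URLs such as "/pkg.php?xml=openbgpd_neighbors.xml"); a shared builder in openbgpd.inc would remove the duplication and make "exactly one tab active" a property of one function instead of two hand-maintained lists. The two-liner also carries no description of the symptom (two tabs highlighted at once on each page), so please put that in the commit message when it goes in.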
[pfSense Support] OpenOSPFd
Hello,

From what I saw in the forums (http://forum.pfsense.org/index.php?topic=11603.0) adding an openospfd package shouldn't be such a challenge. I can try to write an appropriate openospfd.xml, but how/where are the binaries added to the package?

-Aarno
--
Aarno Aukia
Atrila GmbH
Switzerland
Re: [pfSense Support] OpenBGPd raw config edit
On Tue, Jun 30, 2009 at 21:30, Scott Ullrich wrote:
> On Tue, Jun 30, 2009 at 3:12 PM, Aarno Aukia wrote:
>> As noted on the "Raw config" site itself, the GUI-configuration is
>> ignored as long as there is raw config present. One can empty out the
>> raw config and then start using the gui again.
>
> Thanks, that is perfect. I have to admit that I did not read the
> "Raw config" as of yet as I have about 2 pages of TODO's left.

np. Corrected patch (with correct highlighting of the selected tab) attached.

-Aarno
--
Aarno Aukia
Atrila GmbH
Switzerland

Attachment: pfsense-openbgpd-rawconfig.diff
Re: [pfSense Support] OpenBGPd raw config edit
Hi Scott,

On Tue, Jun 30, 2009 at 18:21, Scott Ullrich wrote:
> On Tue, Jun 30, 2009 at 11:58 AM, Aarno Aukia wrote:
>> Hello,
>>
>> Attached is a patch to allow the more experienced BGP admin to edit
>> the raw bgpd.conf in the WebConfigurator.
>>
>> This is against
>> https://rcs.pfsense.org/projects/pfsense-packages/repos/mainline/trees/master/config/openbgpd/.
>
> Hi,
>
> Thanks for this! One question: how would you prevent the raw edited
> configuration from automatically being overwritten by the GUI?

As noted on the "Raw config" site itself, the GUI-configuration is ignored as long as there is raw config present. One can empty out the raw config and then start using the gui again.

-Aarno
--
Aarno Aukia
Atrila GmbH
Switzerland
[pfSense Support] OpenBGPd raw config edit
Hello,

Attached is a patch to allow the more experienced BGP admin to edit the raw bgpd.conf in the WebConfigurator.

This is against https://rcs.pfsense.org/projects/pfsense-packages/repos/mainline/trees/master/config/openbgpd/.

Regards,
Aarno
--
Aarno Aukia
Atrila GmbH
Switzerland

Attachment: pfsense-openbgpd-rawconfig.diff
[pfSense Support] Cvstrac-Bug 1932 patch
Hi,

Attached a patch against 1.2.3-rc1 fixing http://cvstrac.pfsense.com/tktview?tn=1932, which was opened by a co-worker of mine while I was on vacation. Let me know if the patch fails against cvs/git. I'll have to update my test box to rc2 now anyway...

IMHO there should be a link from cvstrac to redmine to facilitate the migration/adoption of redmine ;)

Regards,
Aarno
--
Aarno Aukia
Atrila GmbH
Switzerland

Attachment: pfsense123-nsupdate-server.diff
[pfSense Support] Shellcmd package patch
Hello list,

I was editing config.xml by hand to add system/shellcmd and system/earlyshellcmd until I noticed the Shellcmd package. When I started using that on pfSense 1.2.3-rc1 all shellcmds stopped working, because the Shellcmd package wraps the commands in an additional -tag, which is not interpreted in /etc/inc/system.inc.

From all forum-posts mentioning shellcmd and /etc/inc/system.inc I assume not using the -tag is the way to go, so I humbly submit a patch against the shellcmd package 0.3 (installed yesterday, so I assume it's the latest) in /usr/local/www/packages/.

Regards,
Aarno
--
Aarno Aukia
Atrila GmbH
Switzerland

Attachment: shellcmd-noadditionalxmltag.diff
Re: [pfSense Support] Recommended pfSense Hardware ( UK ~£100) ?
Hi,

On Mon, Jun 1, 2009 at 03:20, Volker Kuhlmann wrote:
> ALIX 2C3 + case.
> What are my options if I need 4 NICs (not UK, but the options so far
> have been international)?

ALIX 2c3 + case + VLAN capable switch?

-Aarno
--
Aarno Aukia
+41764000464
Re: [pfSense Support] pfSense gets RFC1918 address on WAN interface after reboot
Can be anything... you're best off wiresharking the WAN interface during a reboot to see whether it's anything from the outside...

Although, this reminds me of a cable-operator here whose cable-modems are responsible for answering incoming dhcp-requests using the config they get via tftp. If one resets the modem and requests an IP from it before it has synced and downloaded its config you get an IP in 192.168.100.0/24...

-Aarno

On Sat, Apr 4, 2009 at 07:50, Karl Fife wrote:
> pfSense consistently has a 10.0.1.x address on the WAN interface after
> reboot (DHCP client).
>
> pfSense WAN interface gets REAL public IP address only after explicit
> release/renew event.
>
> This happens every time,
>
> To the users it manifests as 'it doesn't work' after a reboot without
> administrator intervention.
>
> Does anyone have any idea what could be going on here? I configured
> pfSense as a 10.2/16 not a 10./8 because I routinely create PPTP tunnels to
> other networks 10.x /16 networks thinking that this configuration would
> give me proper routing. Perhaps that is not incorrect, and perhaps I have
> broken something by choosing 10.2 /16 instead of 10. /8.
>
> I originally assumed that someone in my ISP's network had a rogue DHCP
> server occasionally filling my WAN interface's DHCP requests. Evidence
> against this theory is that pfSense only gets this 'bad' address on reboot,
> and it seems to happen 100% of the time, and I can NEVER replicate the
> problem with release/renew NOR can I replicate the problem with a
> modem-attached windows host even by trying hard (many times) to be issued a
> bad address by aforementioned theoretical ROGUE DHCP server.
>
> A higher-up tech at my ISP mumbled some stuff about BSD DHCPD being known
> to issue addresses to itself if dhcpd is not configured 100% properly. I
> found this idea somewhat absurd because the 10.0.1.x address is not even in
> my subnet, (10.2.x.x/16) neither do I see any noise about the DHCP
> transaction in the System Log. ALTHOUGH dhcpd IS configured to allocate
> leases between ..1.254 and ..1.1--so at least it's got the third octet right
> if indeed there's something wrong related to /16 vs /8 on a 10. network
>
> By the way, this happens with 1.2-Release AND with 1.2.2 (embedded on
> Soekris 5501)
>
> Anybody know what's going on? Any help or pointers are MUCH appreciated!
>
> Thank you!
>
> -Karl Fife

--
Aarno Aukia
ETH Zurich / Atrila GmbH
+41764000464
Re: [pfSense Support] VLANs/802.1q Trunking
You need to configure the interface on the 2950 to your pfsense box as a trunk to send and receive tagged packets. e.g.:

Interface fastethernet0/6
 switchport mode trunk
 switchport trunk encapsulation dot1q

Also have a look at:
 switchport trunk allowed vlan ...

-Aarno

On Mon, Feb 9, 2009 at 09:35, Nathan Eisenberg wrote:
>
> Hello,
>
> I set out tonight to get a new firewall box deployed; this will be the first
> on which I am using the VLAN feature in PFSense. I figured I was going to be
> done quick; boy was I wrong.
>
> My configuration looks like this:
>
> PFSENSE
> [WAN][OPT1 (192.168.1.1) (VLAN 101)][Cisco 2950]Laptop
> (192.168.1.2) (VLAN 101)
>
> There are other VLANs, but I suspect that is not particularly relevant. My
> issue is that I cannot get through the Cisco 2950 when VLAN tagged. If I
> connect directly to the PFSense box, everything works exactly as I would have
> expected it to.
>
> So clearly, I have not configured the Cisco correctly. I am confused how,
> though, because I have performed the following steps on the 2950:
>
> Config t
> Interface fastethernet0/6
> switchport access vlan 101
> exit
> Interface fastethernet0/7
> switchport access vlan 101
> exit
>
> show vlan brief shows that both interfaces are on the correct VLAN, and yet...
> I'm still stuck without traffic.
>
> I googled and dove through the forums, and at the end of the day, after 3
> hours of searching, I am posting. Any thoughts? J
>
> Thank You,
> Nathan Eisenberg
> Sr. Systems Administrator
> Atlas Networks, LLC
>
> Atlas Support Center
> http://support.atlasnetworks.us/portal

--
Aarno Aukia
0764000464
Re: [pfSense Support] DMZ to LAN access
If you would like to send ping-replies from LAN to DMZ you might have to add a "* * * 192.168.4.x * *" to LAN...

-Aarno

2009/1/8 Peter Todorov
> I add * * * 192.168.2.x * * to DMZ and LAN interfaces. I set these rules
> to the top but there is not even a ping from DMZ to 192.168.2.x. I get
> ping to LAN interface (192.168.2.1) from DMZ but not to any of computers
> attached to that interface.
>
> On Wed, Jan 7, 2009 at 6:19 PM, Gary Buckmaster <g...@centipedenetworks.com> wrote:
>
>> Peter Todorov wrote:
>>
>>> Hello,
>>> I have a LAN that has 192.168.2.0/24 and DMZ
>>> (second LAN) with 192.168.4.0/24
>>> How can I access LAN from DMZ?
>>> pfsense 1.2 - dual WAN configuration.
>>> Thank you in advance for answers.
>>>
>>> --
>>> honesty is not a vice
>>
>> Typically this is inadvisable from a security standpoint. However, in
>> order to allow it, create firewall rules on your DMZ interface with the
>> destination IP of the machine(s) you want to send to.
>
> --
> honesty is not a vice

--
Aarno Aukia
0764000464