Re: [pfSense Support] Is there any reason I can't Remote desktop through an ipsec tunnel?
Marty Nelson wrote:

> I have an IPSec tunnel connecting my network to one of our customer sites, and while I can ping a computer on their network I am unable to remote desktop to it. Currently all of our customer tunnels are set up to terminate in our DMZ to limit access back into our network. I have a second firewall (monowall) in our DMZ that then routes all traffic out through the tunnel. I've drawn a rudimentary layout of how it's set up (see below).
>
> I have the IPsec rules to pass all traffic, and currently I have it set up to log all traffic as well. What's strange is that when I attempt to remote desktop to it, I see no traffic relating to that at all. Nothing passing, nothing getting blocked. Like I said, I can ping the box just fine (and it shows up in the log), but I am unable to remote desktop to it and I don't see anything getting blocked, or passed.
>
> Hopefully this made sense. If it's unclear, please let me know and I'll try my best to clear it up.
>
> LAN (192.168)---[pfSenseFW]---DMZ (10.100)---[monowall]---[ipsec tunnel to cust site]---Cust site

I would say that it's almost certainly MTU-related. RDP always seems to be the first thing hit by a failure of the PMTUD mechanism to work. The IPsec tunnel will be reducing your MTU, and when the RDP server tries to send out a packet it'll get dropped. Try reducing the MTU of the interface of the server?

This usually manifests itself by the login screen background appearing (presumably because it fits into 1492 bytes), but then nothing more. Doesn't sound exactly like what you're seeing, but RDP + IPsec issues are usually MTU-related IME.

adam.

- To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] BGP status
Royce Mitchell III wrote:

> Adam Armstrong wrote:
>
>> CARP is unnecessary when using BGP, as the provider sees routes into your network via the individual devices and both devices see routes out. You wouldn't want to run BGP from a CARP IP anyway, as it would result in BGP flapping when the CARP switched.
>>
>> adam.
>
> Okay, please forgive my ignorance, but if you have two redundant routers servicing your BGP, how will they decide who is going to handle a packet without some sort of CARP/VRRP communication between them?

There are a number of mechanisms for doing this. Generally you'll set the localpref high for prefixes coming from the peer you want to use, and set the MED low for prefixes being announced to that peer; that way your peer will send traffic to you on the correct link (lowest MED wins) and you'll send traffic out on the correct link (highest localpref wins).

However, if you're doing BGP solely to get redundant connectivity to the same ISP you should look again at CARP and ask what your ISP can do by way of HSRP/VRRP to present a single IP to you from two of their devices. VRRP/CARP/HSRP is generally a far better solution for that due to the slowness of BGP convergence.

adam.
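The two knobs in the reply above (raise LOCAL_PREF on routes learned from the link you want to use for outbound traffic, lower the MED on routes announced over the link you want the peer to use for inbound traffic) only make sense once you see where they sit in the BGP decision process. The block below is an added example, not code from the pfSense list or project: it implements the first steps of that decision process over constructed routes and runs it once from our side and once from the ISP's side. The addresses, AS numbers and prefixes are made-up documentation values, and the final tie-break is a stand-in for the real router-ID comparison.

```python
"""Added example, not code from the pfSense list or project: the first steps of
the BGP best-path decision, run over constructed routes, to show the two knobs
described in the reply above. LOCAL_PREF (set by us on routes learned from a
neighbour) decides which link our own traffic leaves on; MED (set by us on
routes we announce) tells the neighbouring AS which of our links it should
send traffic in on. Addresses and AS numbers are made-up documentation values."""
from dataclasses import dataclass
from functools import reduce
from typing import List, Optional


@dataclass
class Route:
    prefix: str
    next_hop: str              # neighbour the route was learned from
    local_pref: int            # higher wins; only meaningful inside our own AS
    as_path: List[int]         # as_path[0] is the neighbouring AS for eBGP routes
    med: Optional[int] = None  # lower wins, compared only against the same neighbouring AS
    ebgp: bool = True


def prefer(a: Route, b: Route) -> Route:
    """Pairwise best-path comparison in the standard order. The first key that
    differs settles it, so LOCAL_PREF beats AS_PATH length, which beats MED."""
    if a.local_pref != b.local_pref:
        return a if a.local_pref > b.local_pref else b
    if len(a.as_path) != len(b.as_path):
        return a if len(a.as_path) < len(b.as_path) else b
    # MED is only comparable between routes from the same neighbouring AS;
    # a missing MED is treated as 0 (the lowest), the RFC 4271 default.
    if a.as_path[:1] == b.as_path[:1] and (a.med or 0) != (b.med or 0):
        return a if (a.med or 0) < (b.med or 0) else b
    if a.ebgp != b.ebgp:
        return a if a.ebgp else b
    # Stand-in for the router-ID / peer-address tie-break (assumption).
    return a if a.next_hop < b.next_hop else b


def best_path(routes: List[Route]) -> Route:
    """Best route among candidates for one prefix."""
    return reduce(prefer, routes)


def customer_outbound_choice() -> Route:
    """Our side: the same default route learned over both links to the ISP.
    We raise LOCAL_PREF on the link we want outbound traffic to use."""
    primary = Route("0.0.0.0/0", "192.0.2.1", local_pref=200, as_path=[64496])
    backup = Route("0.0.0.0/0", "198.51.100.1", local_pref=100, as_path=[64496])
    return best_path([backup, primary])


def isp_inbound_choice() -> Route:
    """The ISP's side: our prefix arrives over both links from the same AS,
    carrying the MED we attached. Lowest MED wins, so it sends via link 1."""
    via_link1 = Route("203.0.113.0/24", "192.0.2.2", local_pref=100, as_path=[64512], med=50)
    via_link2 = Route("203.0.113.0/24", "198.51.100.2", local_pref=100, as_path=[64512], med=100)
    return best_path([via_link2, via_link1])


if __name__ == "__main__":
    print("we send outbound traffic via", customer_outbound_choice().next_hop)
    print("the ISP sends inbound traffic via", isp_inbound_choice().next_hop)
```

Two properties worth noticing when you tune these in a real session: a higher LOCAL_PREF wins even against a route with a lower MED, because LOCAL_PREF is compared first; and MED is never compared between routes from different neighbouring ASes, so it steers a single ISP's choice between your two links but does nothing to pick between two ISPs.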
Re: [pfSense Support] BGP status
Paul M wrote:

> Royce Mitchell III wrote:
>
>> Is the BGP package for pfsense available yet? Also, does it play nice with CARP, or is CARP even necessary when you have BGP?
>
> I think CARP is a very different thing - BGP is a way of having multiple circuits to different ISPs to get resilient internet connectivity. CARP is a way of having two devices share an IP. Or am I missing some clever use of BGP and CARP?

CARP is unnecessary when using BGP, as the provider sees routes into your network via the individual devices and both devices see routes out. You wouldn't want to run BGP from a CARP IP anyway, as it would result in BGP flapping when the CARP switched.

adam.
Re: [pfSense Support] Spanning tree support
Gary Buckmaster wrote:

> Chris Bagnall wrote:
>
>> Greetings list,
>>
>> Does anyone know if pfSense includes support for failover between two LAN interfaces? For example, one can provide high availability using CARP to create a virtual router IP failing over between 2 pfSense boxes, but that's not going to solve the problem of a switch dying. It'd be useful to be able to connect 2 interfaces from each box to the LAN (one to each switch), then configure them using spanning tree protocol (or one of the derivatives). If it's not currently included, are there plans to do so, and/or what sort of financial incentive would encourage development on that front? :-)
>>
>> Regards, Chris
>
> Chris,
>
> There's been a call on the site for a while for some hardware that supports STP. I don't know if that call is still valid or if they got hardware in. I suspect that you'd want to consider a bounty project or get in touch with BSDPerimeter and put together a formal quote. I hope you choose to pursue this, it'd be a nice feature to have.

You don't need spanning tree support on the router to accomplish this. You just need NIC 'teaming' support in the OS. Linux supports this in a variety of modes, for example using a single MAC address across two ports but only transmitting on one, or using standards-based link aggregation to allow the bandwidth of both connections to be used (you could use this with a stacking switch such as a 3750 to also get resilience). I would guess that FreeBSD also has support for this somewhere; it would just be a case of building it into the back-end and web interface.

STP is, in my opinion, a brain-dead way of accomplishing this. STP should be eliminated from any well-designed modern network wherever possible!

Thanks, adam.
Re: [pfSense Support] Issue with stalling on static route
jamespev wrote:

> Hello all! I am having a major issue that I'm hoping you can shed light on. We recently added an MPLS link from our location to our other company offices (replacing a pfsense VPN tunnel that was working great) and am now having issues across it. The MPLS is hooked to a cisco router sitting behind our pfsense firewall, and I set up a static route on pfsense over to it for the appropriate subnet. This seemed to work fine, but after using it a bit it seems that traffic is getting stalled somewhere. If I set up a static route on my desktop machine (client machine on network) to the cisco (for the appropriate subnet) everything works perfectly. So it seems something is happening on the pfsense machine. Shorter transactions seem to be fine, pinging always works. Outlook however is very unhappy (consequently so are the users...). In general it seems that TCP services are being affected most.
>
> I did a packet capture with and without the static route on my client machine. With all the traffic going through the pfsense there were a lot of TCP retransmissions happening. Could this be an issue with pfsense's packet scrubbing? There is nothing in the firewall logs to indicate that anything is being blocked. I am using 1.2RC2. If anyone has any ideas I would be very appreciative. I think the users are starting to gather torches and pitchforks...
>
> James

You haven't specified what MPLS-based service(s) you're taking!

First port of call for all MPLS-related issues: have you made sure you can pass full 1500-byte frames across the circuit?

adam.
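The check suggested here (pass full 1500-byte frames across the MPLS circuit) and the diagnosis in the RDP-over-IPsec thread above (the tunnel reduces the usable MTU, and if PMTUD fails the large packets are silently dropped while small pings still work) come down to the same two questions: how much of the link does the encapsulation leave for the inner packet, and what size actually gets through end to end with the don't-fragment bit set. The block below is an added example, not code from the pfSense list or project. It works out the ESP tunnel-mode overhead for a given inner packet and binary-searches the largest don't-fragment ping that crosses a path. The ESP parameters (AES-CBC with a 16-byte IV and block, HMAC-SHA1-96 with a 12-byte ICV, a 20-byte outer IPv4 header), the Linux iputils `ping -M do` syntax and the simulated path in the `__main__` block are all assumptions; neither thread says which cipher, OS or link is in use.

```python
"""Added example, not code from the pfSense list or project: IPsec ESP overhead
arithmetic and a don't-fragment ping probe for measuring the path MTU.

Assumptions (none of these come from the threads): ESP tunnel mode with AES-CBC
(16-byte IV and block) and HMAC-SHA1-96 (12-byte ICV), an IPv4 outer header
without options, and Linux iputils `ping` (`-M do` sets DF; FreeBSD uses `-D`)."""
import shutil
import subprocess
from typing import Callable, Optional

ICMP_ECHO_OVERHEAD = 20 + 8  # IPv4 header + ICMP echo header around the ping payload


def esp_tunnel_packet_size(inner_len: int, iv_len: int = 16, block: int = 16,
                           icv_len: int = 12, outer_ip_len: int = 20) -> int:
    """Wire size of an ESP tunnel-mode packet carrying an inner IP packet of
    inner_len bytes. The ESP trailer is padding + pad-length byte + next-header
    byte, and (payload + trailer) is padded up to a multiple of the cipher block."""
    body = inner_len + 2          # inner packet plus pad-length and next-header bytes
    pad = (-body) % block
    spi_and_sequence = 8
    return outer_ip_len + spi_and_sequence + iv_len + inner_len + pad + 2 + icv_len


def largest_inner_mtu(link_mtu: int = 1500, **overheads: int) -> int:
    """Largest inner packet whose ESP encapsulation still fits in link_mtu.
    Anything bigger is fragmented (DF clear) or dropped (DF set, PMTUD broken)."""
    inner = link_mtu
    while esp_tunnel_packet_size(inner, **overheads) > link_mtu:
        inner -= 1
    return inner


def find_max_payload(probe: Callable[[int], bool], lo: int = 0, hi: int = 1472) -> Optional[int]:
    """Binary-search the largest ping payload that probe() reports as delivered.
    1472 = 1500 - ICMP_ECHO_OVERHEAD, the largest payload on a clean Ethernet path.
    Returns None if even the smallest probe fails (host down, ICMP filtered)."""
    if not probe(lo):
        return None
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def path_mtu_from_payload(payload: int) -> int:
    """Convert a ping payload size back into the IP packet size that crossed the path."""
    return payload + ICMP_ECHO_OVERHEAD


def linux_df_probe(host: str, timeout_s: int = 2) -> Callable[[int], bool]:
    """Probe sending one ICMP echo of the given payload with DF set (Linux iputils
    syntax, an assumption). A reply means that size crossed the whole path."""
    if shutil.which("ping") is None:
        raise RuntimeError("ping not found on this system")

    def probe(size: int) -> bool:
        cmd = ["ping", "-M", "do", "-c", "1", "-W", str(timeout_s), "-s", str(size), host]
        return subprocess.run(cmd, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL).returncode == 0
    return probe


if __name__ == "__main__":
    print("ESP (AES-CBC/HMAC-SHA1) of a 1500-byte packet:", esp_tunnel_packet_size(1500), "bytes")
    tunnel_mtu = largest_inner_mtu(1500)
    print("largest inner packet that fits a 1500-byte link:", tunnel_mtu)
    # Constructed path whose MTU is the tunnel value above; not a measurement.
    simulated = lambda size: path_mtu_from_payload(size) <= tunnel_mtu
    print("DF probe finds a path MTU of", path_mtu_from_payload(find_max_payload(simulated)))
    # Against a real host: find_max_payload(linux_df_probe("192.0.2.10"))  (address made up)
```

Against a real target, substitute `linux_df_probe("<host>")` for the simulated probe. A result well below 1472 on what should be a plain 1500-byte Ethernet path is the symptom both threads describe: small packets (pings, the RDP login background) get through and anything that fills the MTU vanishes. The usual remedies are to let ICMP "fragmentation needed" messages through the firewalls so PMTUD can work, or to clamp the MSS or interface MTU to the size the probe found.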
Re: [pfSense Support] British Telecom and pfSense
Siju George wrote:

> Dear People in U.K,
>
> I had a little taste of the British Telecom (BT) ISP a while back. It seems that they have a device (modem) that has to be used to give IP addresses by DHCP to all systems. And even if you want to give static IPs (routable on the Internet) assigned to you by BT on any of your servers, you should first assign the server an IP in the local range through DHCP and then get into the BT device's web interface and assign the static IP through that interface to the appropriate server.
>
> How do the British people use pfSense as the firewall while using BT as their ISP? I asked the sysadmin there and he said they just use the firewall on the BT device (modem) and that the device cannot be done away with or configured to allow us to define static IPs on the interface of our servers using the config files on the servers' operating system. Is this true?
>
> And what are the other ISPs other than BT in U.K, especially in the Bolton area?

Almost all ADSL ISPs in the UK are national; that is, they share the BT ADSL network so get almost 100% national reach. You need to find an ISP which will allow you to use any routing hardware you like, and configure it how you like, possibly giving you a subnet for use with the device.

I wasn't aware of BT having any draconian limitations, unless you go for their BT HomeHub service, which of course needs to use the Home Hub! Almost any 'decent' UK ADSL ISP should suffice, and of course the company I work for provides ADSL too :) There have been a large number of highly 'commoditised' ADSL providers eating up the market at the moment, such as Orange, Sky and Tiscali. If this is for a business application where you need some IPs, you should look elsewhere than the 'cheap' providers here.

There are a few options for how you'd get ADSL connectivity to the pfSense sanely: you could use a Draytek Vigor 100 to pass a PPPoE connection to the pfSense, or you could use something like a Zoom X3 to do 'half bridge' and present the same connectivity to you on the ethernet to the pfSense as it's presented by the remote ADSL LNS.

Hope that helps!

adam.
Re: [pfSense Support] performance on a PE860
jamona perez wrote:

> Thanks for the tip. I'm not too sure about this STP stuff, because I always think twice before doing that kind of stuff; I've had my share of network loops not being always well-handled by switch hardware. On the other hand I've read from m0n0wall's forum that it is feasible, so if it's the way to go, I'll go.
>
> Last (I don't want to start a flame war, please), as all I want to do is a transparent FW, maybe I should go for m0n0wall instead of pfsense. The drawback of monowall being that it won't support SMP, thus making me stick to a single Celeron 3.33 GHz, and running FreeBSD 4.2 (will the double-port Intel PCIe card be supported?).

The Intel NIC should be easily supported, though others may know if there have been lockups or other nasties with the old FreeBSD version.

There is a benefit with monowall, in that it's quite a bit faster. The major downside is that you can't synchronise rules across the two firewalls, as you could by using pfsync with pfSense (note, I don't mean using CARP, just rule synchronisation!)

If you do try it, let me know how it works, because I may be interested in doing it too!

regards, adam.

> regards
>
> Date: Fri, 10 Aug 2007 23:49:13 +0100
> From: [EMAIL PROTECTED]
> To: support@pfsense.com
> Subject: Re: [pfSense Support] performance on a PE860
>
> jamona perez wrote:
>
>> Okay, I did not realize that, this is really helpful info. Thinking about it for 2 minutes I just realized that in bridge mode, the WAN does not really have an IP address, does it? So CARP has no IP failover to do whatsoever. Please correct me if I'm wrong. So if the best I can do is having a spare box standing by to get fired up if the other goes down, it's what I'm going to do.
>>
>> But if you can think of any mechanism (similar to Linux heartbeat) that can sit here waiting for the other side to fail, then take the appropriate measure (read: configurable, like starting the proper services) to ensure high availability of such a system, I'll be more than glad to hear about it.
>
> If pfSense will allow you to pass STP frames across it, you could just put two pfSense boxes in parallel like so:
>
>       EXTERNAL SWITCH
>       FA0/1     FA0/2
>         |         |
>         |         |
>       FW1--SYNC--FW2
>         |         |
>         |         |
>       FA0/1     FA0/2
>       INTERNAL SWITCH
>
> Assuming that STP will pass the packets, you should have no issues in this configuration. STP will put the ports of FA0/2 into blocking mode, and no traffic will pass unless traffic stops flowing across FA0/1 (yes, I have just realised that you were probably meaning gig interfaces, but I did the diagram already :P)
>
> Someone else here will probably better know whether or not you can pass STP across pfSense correctly...
>
> You might also want to use two more interfaces for management? (Don't give the firewalls IPs on the bridge, so that FW2 is still accessible when the links are blocking!)
>
> adam.
Re: [pfSense Support] performance on a PE860
jamona perez wrote:

> Okay, I did not realize that, this is really helpful info. Thinking about it for 2 minutes I just realized that in bridge mode, the WAN does not really have an IP address, does it? So CARP has no IP failover to do whatsoever. Please correct me if I'm wrong. So if the best I can do is having a spare box standing by to get fired up if the other goes down, it's what I'm going to do.
>
> But if you can think of any mechanism (similar to Linux heartbeat) that can sit here waiting for the other side to fail, then take the appropriate measure (read: configurable, like starting the proper services) to ensure high availability of such a system, I'll be more than glad to hear about it.

If pfSense will allow you to pass STP frames across it, you could just put two pfSense boxes in parallel like so:

      EXTERNAL SWITCH
      FA0/1     FA0/2
        |         |
        |         |
      FW1--SYNC--FW2
        |         |
        |         |
      FA0/1     FA0/2
      INTERNAL SWITCH

Assuming that STP will pass the packets, you should have no issues in this configuration. STP will put the ports of FA0/2 into blocking mode, and no traffic will pass unless traffic stops flowing across FA0/1 (yes, I have just realised that you were probably meaning gig interfaces, but I did the diagram already :P)

Someone else here will probably better know whether or not you can pass STP across pfSense correctly...

You might also want to use two more interfaces for management? (Don't give the firewalls IPs on the bridge, so that FW2 is still accessible when the links are blocking!)

adam.
Re: [pfSense Support] Failover from PC to WRAP
> Is it possible to have a 'hot standby' on a WRAP if the firewall is a PC (we are not running any packages)? Don't consider performance.

There's no reason why not!

adam.
Re: [pfSense Support] pfSense Firewall Logs: no ports listed !?
224.0.0.2 is the all-routers multicast address, and any traffic to it is probably router discovery or something similar.

adam.

> That looks more like a protocol decode issue to me. 224.0.0.2 is a multicast address, I wouldn't be surprised if that really wasn't UDP. Can you show an example of a TCP log entry w/out ports, or something to a non-multicast address?
>
> Thanks
> --Bill
>
> On 6/16/07, Heiko Garbe [EMAIL PROTECTED] wrote:
>
>> Hello, here is a screenshot. I think he means the firewall logs in the GUI.
>>
>> Greetings heiko
>>
>> Chris Buechler schrieb:
>>
>>> On Fri, 2007-06-15 at 18:01 +0200, Fuchs, Martin wrote:
>>>
>>>> Hi! In the firewall logs, blocked traffic was always shown with the ports that were used... Now with the 6-6 snapshot it does not display the ports anymore ... !? It's a little confusing and seems to be a bit silly / senseless not to display the ports !?
>>>
>>> Can you post a screenshot? Not sure exactly what you mean, I haven't seen or heard of any issues.
RE: [pfSense Support] SNMP
> On 2/21/07, Andrew Kemp [EMAIL PROTECTED] wrote:
>
>> Any plans to enable additional SNMP'able items like CPU usage, memory usage, and disk usage? I know m0n0wall allowed me to graph a few more values in Cacti than pfsense does.
>
> As soon as someone adds the support to bsnmpd, sure.

Are there any reasons why pfSense doesn't use net-snmpd?

Adam.
[pfSense Support] CARP address bug
Hi, If I try to edit a CARP virtual IP, it tells me that the VHID is already in use and won't let me save the changes. The result is that every time I change a setting on one of the CARP virtual IPs, I have to change the VHID on every device. Very annoying! Is this intended behaviour, or a horrid bug? Thanks, Adam.
RE: [pfSense Support] pfSense SNMP identification
> On 1/25/07, Adam Armstrong [EMAIL PROTECTED] wrote:
>
>> [snip]
>>
>> Except, still no suggestions on how to identify a pfSense needle in a haystack of FreeBSD servers. :\
>
> Just let us know what you want us to do and we will do it.

Manuel has made a modification to m0n0wall to give out 'correct' SNMP sysDescr values:

    [EMAIL PROTECTED]:~# snmpwalk -v2c -c xxx w3z.alderwasley.org
    SNMPv2-MIB::sysDescr.0 = STRING: m0n0wall w3z.alderwasley.org 1.23b3 net45xx FreeBSD 4.11-RELEASE-p26 i386

Based on the format:

    $os $host $version $platform $base $base_version $base_hardware

Could you guys make this modification to pfsense too?

Thanks, Adam.
[pfSense Support] Embedded bootup
Hi,

I have a Lex box (the CV860A), but I can't get it to boot any version of pfSense. I'm trying to use the embedded image, but every one I've tried over the past few weeks has hung right after 'Loading /boot/defaults/loader.conf'. The little spinning line spins a few times and then just stops. I've tried changing the BIOS settings I thought would make a difference, but to no avail. I'm currently trying 0.94.10, but I've tried a lot of other images and every one of them locks at the same point!

Kind Regards, Adam.
[pfSense Support] SNMP / Updating
Hi All,

My pfsense devices won't do auto update; are there any known issues with 0.90? Also, the SNMP daemon on my 0.90 devices is reporting that their interfaces are all down! I'm using CARP, will this be causing it?

Thanks, Adam.