Re: [pfSense Support] import monowall xml files
This used to work, but our config has significantly diverged from m0n0. I suspect if you used a config from where we forked it'd probably work, but assuming m0n0 changed _anything_ in their config file since then, it's unlikely to convert over. I think we're at the point where either someone needs to make it work, or the restore function rejects a m0n0 config.

--Bill

On 9/29/05, Jonathan Woodard [EMAIL PROTECTED] wrote:
> i know this has probably been answered in previous posts but i didn't see them. i'm wondering if / how i can move my monowall xml file over to pfsense. i tried to just restore, thinking that i had seen a previous post saying it was ok, but it killed everything and i had to re-install. i would love to try pfsense and most likely will when i have more time. i just really hoped that all my configurations are not lost when moving over. thanks and i apologize if i wasn't detailed enough.

- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] 802.11q vlans
On 9/29/05, Dan Swartzendruber [EMAIL PROTECTED] wrote:
> i assumed he had all that correct, since he said he could see the traffic going into the pfsense port. i was going to ask the same question, myself. this has to be a config problem, as i'm using this exact same setup.

I agree, which is why I asked the obvious question :) Not everyone realizes that marking a port with multiple vlans doesn't mean that it's a tagged port, just that the machine on that port can see and talk to each of the vlans (untagged). That of course would require pfSense to support real interface aliases - which we don't (and I'm not yet convinced is required)

--Bill
Re: [pfSense Support] Traffic shaping. Parent Queue
Wrong. A parent queue denotes a child queue. Create 4 queues and assign your rules to the two child queues. Better yet, use the ezshaper wizard, it's there so you don't have to try and figure out how it all works.

--Bill

On 9/29/05, Audun Brekke [EMAIL PROTECTED] wrote:
> There seems to be an error in the traffic shaping. When I set the queues manually it is not possible to set the parent queue. I can set the queue to be parent in the webui, but the queue doesn't seem to be updated. I get an error like:
>
> php: : There were error(s) loading the rules:
> /tmp/rules.debug:16: queue MaxDownload has no parent
> /tmp/rules.debug:16: errors in queue definition
> /tmp/rules.debug:17: queue MaxUpload has no parent
> /tmp/rules.debug:17: errors in queue definition
> pfctl: Syntax error in config file: pf rules not loaded - The line in question reads [16]: queue MaxDownload bandwidth 4100Kb cbq
>
> There is no change in the config file if I set or unset the "this is the parent queue" option in the webui. A line like this should be added in the config files when "this is the parent queue" is selected:
>
> altq on xl0 cbq queue { MaxDownload }
>
> -Audum-
Re: [pfSense Support] Questions about Load Balancing
Not unique, we just don't have an easy way to implement ratio based load balancing at this time. BTW, it'd be connection based anyway, not true bandwidth balancing. I'd recommend putting some clients on one connection, some on the other and manually balance the links using rules.

--Bill

On 9/29/05, Wesley K. Joyce [EMAIL PROTECTED] wrote:
> Hi Scott, is there a solution to this? Am I unique in that I have multiple WAN connections of different capacities? Anyone have another solution?
>
> Thanks
>
> From: Scott Ullrich [mailto:[EMAIL PROTECTED]
> Sent: Thu 9/29/2005 7:20 PM
> To: support@pfsense.com
> Subject: Re: [pfSense Support] Questions about Load Balancing
>
>> Load balancing uses round robin.
>>
>> Scott
>>
>> On 9/29/05, Wesley K. Joyce [EMAIL PROTECTED] wrote:
>>> Greetings, I have a Squid PROXY server that I want to use two DSL connections that I have with. However, one of them is a 1 megabit connection and the other is a 512kbps connection. Based on what I have read on the list, I am concerned that the load balancing algorithm will NOT distribute 2/3 and 1/3 of the combined 1.5mbps for the outgoing traffic over the two connections respectively. Am I incorrect in this? Will it maximize each connection if they are of different capacities?
Re: [pfSense Support] unexpected dhcp lease
Are these two logical networks on the same physical network? I'm noticing the request came in on both fxp0 and xl0 - that seems kinda odd.

Sep 28 14:35:03 dhcpd: DHCPREQUEST for 192.168.2.254 (192.168.2.4) from 00:12:79:ad:c6:fc (TRC-dc5100) via fxp0: wrong network.
Sep 28 14:35:03 dhcpd: DHCPREQUEST for 192.168.2.254 (192.168.2.4) from 00:12:79:ad:c6:fc (TRC-dc5100) via xl0

--Bill

On 9/28/05, Imre Ispanovits [EMAIL PROTECTED] wrote:
> Hi, I have a problem with pfSense's dhcp server since 0.85.x (I guess it wasn't an issue in 0.84.6). I have two lan interfaces and both serve as dhcp server, of course not overlapping. My problem is that on lan2 (opt2 - xl0) a dynamic ip address is always issued despite it shouldn't be because only fixed leases expected. This is the only address I have to configure for the dhcp servers range. What's more strange for that mac address (00:12:79:ad:c6:fc) is a fixed lease reserved on the other (fxp0) interface. Which as I see in the logs once offered, but the other address picked up. This never happened on the other interface.
>
> In syslog I have:
>
> Sep 28 14:35:04 last message repeated 2 times
> Sep 28 14:35:03 kernel: arp: 192.168.2.254 is on xl0 but got reply from 00:12:79:ad:c6:fc on fxp0
> Sep 28 14:34:49 last message repeated 5 times
> Sep 28 14:34:36 dhcpd: send_packet: Invalid argument
>
> and in dhcp logs:
>
> Sep 28 14:35:03 dhcpd: DHCPNAK on 192.168.2.254 to 00:12:79:ad:c6:fc via fxp0
> Sep 28 14:35:03 dhcpd: DHCPREQUEST for 192.168.2.254 (192.168.2.4) from 00:12:79:ad:c6:fc (TRC-dc5100) via fxp0: wrong network.
> Sep 28 14:35:03 dhcpd: DHCPACK on 192.168.2.254 to 00:12:79:ad:c6:fc (TRC-dc5100) via xl0
> Sep 28 14:35:03 dhcpd: DHCPREQUEST for 192.168.2.254 (192.168.2.4) from 00:12:79:ad:c6:fc (TRC-dc5100) via xl0
> Sep 28 14:35:03 dhcpd: DHCPOFFER on 192.168.0.22 to 00:12:79:ad:c6:fc via fxp0
> Sep 28 14:35:03 dhcpd: DHCPDISCOVER from 00:12:79:ad:c6:fc via fxp0
> Sep 28 14:35:03 dhcpd: DHCPOFFER on 192.168.2.254 to 00:12:79:ad:c6:fc (TRC-dc5100) via xl0
> Sep 28 14:35:03 dhcpd: DHCPDISCOVER from 00:12:79:ad:c6:fc via xl0
> Sep 28 14:34:51 dhcpd: DHCPRELEASE of 192.168.2.254 from 00:12:79:ad:c6:fc via fxp0 (found)
> Sep 28 14:34:51 dhcpd: DHCPRELEASE of 192.168.2.254 from 00:12:79:ad:c6:fc (TRC-dc5100) via xl0 (found)
> Sep 28 14:34:49 dhcpd: send_packet: Invalid argument
> Sep 28 14:34:49 dhcpd: DHCPACK on 192.168.2.254 to 00:12:79:ad:c6:fc (TRC-dc5100) via fxp0
> Sep 28 14:34:49 dhcpd: DHCPREQUEST for 192.168.2.254 from 00:12:79:ad:c6:fc (TRC-dc5100) via fxp0
> Sep 28 14:34:49 dhcpd: send_packet: Invalid argument
>
> ## My two lan interfaces are as below:
>
> <interfaces>
>   <lan>
>     <if>fxp0</if>
>     <ipaddr>192.168.0.3</ipaddr>
>     <subnet>24</subnet>
>     <media/>
>     <mediaopt/>
>     <bridge/>
>     <bandwidth>100</bandwidth>
>     <bandwidthtype>Mb</bandwidthtype>
>   </lan>
>   <opt2>
>     <descr>LAN2</descr>
>     <if>xl0</if>
>     <bridge/>
>     <enable/>
>     <bandwidth>100</bandwidth>
>     <bandwidthtype>Mb</bandwidthtype>
>     <ipaddr>192.168.2.4</ipaddr>
>     <subnet>24</subnet>
>     <gateway/>
>     <spoofmac/>
>     <mtu/>
>   </opt2>
> </interfaces>
>
> and dhcp servers :
>
> <dhcpd>
>   <lan>
>     <range>
>       <from>192.168.0.250</from>
>       <to>192.168.0.250</to>
>     </range>
>     <defaultleasetime/>
>     <maxleasetime/>
>     <denyunknown/>
>     <failover_peerip/>
>     <gateway/>
>     <staticmap>
>       <mac>00:14:c2:0b:95:49</mac>
>       <ipaddr>192.168.0.21</ipaddr>
>       <descr>lvc-felsorec</descr>
>     </staticmap>
>     <staticmap>
>       <mac>00:08:02:d8:1f:eb</mac>
>       <ipaddr>192.168.0.130</ipaddr>
>       <descr>I.I. nc6000</descr>
>     </staticmap>
>     <staticmap>
>       <mac>00:12:79:ad:c6:fc</mac>
>       <ipaddr>192.168.0.22</ipaddr>
>       <descr>dc5100 teszt</descr>
>     </staticmap>
>     <staticarp/>
>     <enable/>
>     <dnsserver>192.168.1.5</dnsserver>
>     <dnsserver>192.168.1.1</dnsserver>
>   </lan>
>   <opt2>
>     <range>
>       <from>192.168.2.254</from>
>       <to>192.168.2.254</to>
>     </range>
>     <defaultleasetime/>
>     <maxleasetime/>
>     <failover_peerip/>
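Added example, not part of the original thread: a small Python check for the symptom Bill points at, one client MAC whose DHCP broadcasts reach dhcpd on more than one interface, which usually means the two segments share a layer-2 domain. The sample log is constructed from lines quoted in the thread plus two constructed lines for a second client; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: dhcpd lines quoted in the thread, plus two constructed
# lines (the 14:36:10 entries) for a client that behaves normally.
SAMPLE_LOG = """\
Sep 28 14:35:03 dhcpd: DHCPNAK on 192.168.2.254 to 00:12:79:ad:c6:fc via fxp0
Sep 28 14:35:03 dhcpd: DHCPREQUEST for 192.168.2.254 (192.168.2.4) from 00:12:79:ad:c6:fc (TRC-dc5100) via fxp0: wrong network.
Sep 28 14:35:03 dhcpd: DHCPACK on 192.168.2.254 to 00:12:79:ad:c6:fc (TRC-dc5100) via xl0
Sep 28 14:35:03 dhcpd: DHCPOFFER on 192.168.0.22 to 00:12:79:ad:c6:fc via fxp0
Sep 28 14:35:03 dhcpd: DHCPDISCOVER from 00:12:79:ad:c6:fc via fxp0
Sep 28 14:35:03 dhcpd: DHCPDISCOVER from 00:12:79:ad:c6:fc via xl0
Sep 28 14:34:51 dhcpd: DHCPRELEASE of 192.168.2.254 from 00:12:79:ad:c6:fc via fxp0 (found)
Sep 28 14:34:49 dhcpd: send_packet: Invalid argument
Sep 28 14:36:10 dhcpd: DHCPDISCOVER from 00:14:c2:0b:95:49 via fxp0
Sep 28 14:36:10 dhcpd: DHCPOFFER on 192.168.0.21 to 00:14:c2:0b:95:49 via fxp0
"""

# Message type, client MAC and receiving interface of one dhcpd log line.
LINE_RE = re.compile(
    r"dhcpd: (DHCP[A-Z]+)\b.*?((?:[0-9a-f]{2}:){5}[0-9a-f]{2}).*?\bvia ([\w.]+)",
    re.IGNORECASE,
)

# Messages that originate from the client (as opposed to server replies).
CLIENT_MSGS = {"DHCPDISCOVER", "DHCPREQUEST", "DHCPRELEASE", "DHCPDECLINE", "DHCPINFORM"}


def macs_on_multiple_interfaces(log_text):
    """Return {mac: details} for every MAC that dhcpd saw on more than one interface."""
    seen = defaultdict(lambda: defaultdict(set))   # mac -> iface -> message types
    wrong_network = defaultdict(set)               # mac -> ifaces flagged "wrong network"
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # e.g. "send_packet: Invalid argument" carries no MAC
        msg, mac, iface = m.group(1).upper(), m.group(2).lower(), m.group(3)
        seen[mac][iface].add(msg)
        if "wrong network" in line:
            wrong_network[mac].add(iface)

    findings = {}
    for mac, ifaces in seen.items():
        if len(ifaces) > 1:
            findings[mac] = {
                "interfaces": sorted(ifaces),
                # Interfaces where the client's own broadcasts arrived.
                "client_messages_on": sorted(
                    i for i, msgs in ifaces.items() if msgs & CLIENT_MSGS
                ),
                "wrong_network_on": sorted(wrong_network[mac]),
            }
    return findings


if __name__ == "__main__":
    for mac, info in macs_on_multiple_interfaces(SAMPLE_LOG).items():
        print(mac, info)
```

A MAC listed under more than one entry in `client_messages_on` is the case to investigate: check cabling, switch VLAN membership and any bridge between the two NICs.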
Re: [pfSense Support] Interesting failure
Probably not when certain people split a dozen or so functions out into their own file :) 0.85.4 has all the latest fixes. At this time, there isn't much patched post 0.85.4 (unless you try running ipv6 tunneling :)), I'd recommend moving to it.

--Bill

On 9/27/05, Dan Swartzendruber [EMAIL PROTECTED] wrote:
> At 11:56 PM 9/26/2005, you wrote:
>> This file was introduced after 0.85.2. Are you sure you didn't update filter.inc ?
>
> i probably did. i think i was trying to pick up a bugfix. probably not a good idea.
Re: [pfSense Support] 050.2 CARP won't go Master or Backup
Only problems I've had with carp recently weren't actually due to carp, but the dhcp daemon. There's a hold down timer somewhere that won't let it come up as primary for 300 or 360 seconds (my bet is there are two different timeouts, a 60 second timeout and a 300 second one). So if you're running a highly available DHCP server on your pfSense box, keep this in mind - don't reboot both within about 10 minutes of each other for now.

--Bill

On 9/27/05, Holger Bauer [EMAIL PROTECTED] wrote:
> I have a working carp config at home. Have failed over several times the last days, with 0.85.2 and 0.85.4 no session was dropped (I even was tunnelling from a client behind the carpmachines to the office). DNS and DHCP is configured for failover as well. I haven't seen any issues so far. Anybody else having problems? Strange.
>
> Holger
>
> -----Original Message-----
> From: Frimmel, Ivan (ISS South Africa) [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, 27 September 2005 11:47
> To: support@pfsense.com
> Subject: RE: [pfSense Support] 050.2 CARP won't go Master or Backup
>
>> HI
>>
>> Yes .. 085.2 .. 085.4 does the same too. Enable / disable does not work ... goes to init always. 0.85 worked.. did an upgrade to 085.2 it stopped working. I deleted all carp entries and re-setup from scratch. I will try update_file.sh and let you know results.
>>
>> Tx Ivan
>>
>> -----Original Message-----
>> From: Holger Bauer [mailto:[EMAIL PROTECTED]
>> Sent: Monday, September 26, 2005 10:55 AM
>> To: support@pfsense.com
>> Subject: AW: [pfSense Support] 050.2 CARP won't go Master or Backup
>>
>>> 0.50.2? I guess you are talking about 0.85.2, if not upgrade! ;-) I only have experienced such problems if the carpinterfaces didn't match the real ip/subnet-range of the real interface the carp interface is running on. Another thing to try is to manually disable and enable CARP at Status > CARP (failover) in the webgui. If it's working after that there might be a problem bringing up everything in the right order. There also have been some changes to CARP lately. You might want to run update_file.sh -all from the shell to grab the latest changes.
>>>
>>> Holger
>>>
>>> -----Original Message-----
>>> From: Frimmel, Ivan (ISS South Africa) [mailto:[EMAIL PROTECTED]
>>> Sent: Monday, 26 September 2005 09:34
>>> To: support@pfsense.com
>>> Subject: [pfSense Support] 050.2 CARP won't go Master or Backup
>>>
>>>> HI
>>>>
>>>> I have Carp running successfully on 0.50. Upgraded yesterday to 050.2 and CARP absolutely refuses to start. OPT1 is up. PPPoE is UP. CARP goes to INIT and does not ever go master or backup. I deleted all CARP configs and recreated everything from scratch. On both boxes CARP will not start. Hitting Disable / enable makes it go from disable to INIT.. but never starts. Even tried doing everything with the second box physically turned off. No difference. Any ideas?
>>>>
>>>> Tx Ivan.
Re: [pfSense Support] 050.2 CARP won't go Master or Backup
On 9/27/05, Frimmel, Ivan (ISS South Africa) [EMAIL PROTECTED] wrote:
> HI
>
> PPPoe is on WAN .. CARP is on LAN with carp sync on OPT1. OK so you guys are going to laugh at me. I do feel stupid. As a fault finding procedure and just to get connectivity back I halted router2, which is UTP crossed over connected to router 1 on OPT1. So OPT1 (carp sync) is down. (no link since you need both nic up to have link). CARP will NOT come up without link on OPT1. My suggestion in terms of best practice is to have a switch on OPT(sync) when using CARP. It has wasted a lot of my time and it IS my fault cause I was cheap just using cross over cable.
>
> Tx all ..

Hrm...I'll have to test this out at home :-/ At work everything is always plugged into a switch (the machines are miles apart), but at home I'm using a crossover cable for the dedicated sync network. But I didn't think that CARP would stay down forever if the sync interface was down :-/

--Bill
Re: [pfSense Support] 85.2 traffic Shapper TOS error
Are both supposed to be selected? I suspect for this to work we'll need to convert those to the hex values and do a bitwise AND on them. I trust you'll be able to test any changes we make?

--Bill

On 9/27/05, William Armstrong [EMAIL PROTECTED] wrote:
> The error is not on TF wizard.. I try clone rule for MS-RDP ( port 3389 ) to a another service RADMIN ( port 4899 ) but I select TOS low delay and to throughput for this rule I get this error and if I not select it's work fine.
>
> 2005/9/27, Scott Ullrich [EMAIL PROTECTED]:
>> This just came up moments ago. Rerun the ez-shaper wizard.
>>
>> Scott.
>>
>> On 9/27/05, William Armstrong [EMAIL PROTECTED] wrote:
>>> I get this error on I include manual rule for service Radmin
>>>
>>> php: : There were error(s) loading the rules:
>>> /tmp/rules.debug:115: syntax error
>>> /tmp/rules.debug:116: syntax error
>>> /tmp/rules.debug:117: syntax error
>>> /tmp/rules.debug:118: syntax error
>>> pfctl: Syntax error in config file: pf rules not loaded - The line in question reads [115]: pass in on xl0 proto tcp from 10.0.1.0/24 to any port 4899 tos lowdelay,throughput keep state tag qOthersDownH
>>>
>>> --
>>> William David Armstrong
>>> Bio Systems Security.
>>> ICQ 10253747 MSN [EMAIL PROTECTED]
>>> --
>>> No one is born knowing everything. But everything can be learned; and mainly because everything can be taught. By Bio.
Re: [pfSense Support] wrap 85.2
Oddly I haven't seen this on my wrap installs :-/ There was a broken commit of /etc/filter.inc that would have exhibited this behavior on a wrap, but that didn't make it into 0.85.2 (just confirmed on one of my installs)

"Warning: touch(): Unable to create file /filter_dirty" makes me think we missed a global $g somewhere.

--Bill

On 9/26/05, Scott Ullrich [EMAIL PROTECTED] wrote:
> This is not correct. WRAP's should be running on a memory mounted /tmp/
>
> What does /etc/platform say? If it does not say wrap, please change it and reboot.
>
> Scott
>
> On 9/26/05, Rodolfo Vardelli [EMAIL PROTECTED] wrote:
>> I have just upgrade from 84.6 to 85.2 (on wrap), modifying a firewall rule I got this error
>>
>> Warning: touch(): Unable to create file /filter_dirty because Read-only file system in /etc/inc/filter.inc on line 57
>>
>> regards
>> Rodolfo
Re: [pfSense Support] wrap 85.2
N...don't do that :) I split the shaper code off into another file, you will break if you simply follow this.

/etc/rc.conf_mount_rw
touch /etc/inc/shaper.inc
/etc/rc.conf_mount_ro
update_file.sh /etc/inc/shaper.inc
update_file.sh /etc/inc/filter.inc

--Bill

On 9/26/05, Scott Ullrich [EMAIL PROTECTED] wrote:
> update_file.sh /etc/inc/filter.inc
>
> On 9/26/05, Rodolfo Vardelli [EMAIL PROTECTED] wrote:
>> Scott Ullrich wrote:
>>
>> Where? So I can fix on my board
>>
>> regards
>> Rodolfo
>>
>>> Yep, there was a small typo in filter.inc. It's fixed now.
>>>
>>> Scott
>>>
>>> On 9/26/05, Bill Marquette [EMAIL PROTECTED] wrote:
>>>> Oddly I haven't seen this on my wrap installs :-/ There was a broken commit of /etc/filter.inc that would have exhibited this behavior on a wrap, but that didn't make it into 0.85.2 (just confirmed on one of my installs)
>>>>
>>>> "Warning: touch(): Unable to create file /filter_dirty" makes me think we missed a global $g somewhere.
>>>>
>>>> --Bill
>>>>
>>>> On 9/26/05, Scott Ullrich [EMAIL PROTECTED] wrote:
>>>>> This is not correct. WRAP's should be running on a memory mounted /tmp/
>>>>>
>>>>> What does /etc/platform say? If it does not say wrap, please change it and reboot.
>>>>>
>>>>> Scott
>>>>>
>>>>> On 9/26/05, Rodolfo Vardelli [EMAIL PROTECTED] wrote:
>>>>>> I have just upgrade from 84.6 to 85.2 (on wrap), modifying a firewall rule I got this error
>>>>>>
>>>>>> Warning: touch(): Unable to create file /filter_dirty because Read-only file system in /etc/inc/filter.inc on line 57
>>>>>>
>>>>>> regards
>>>>>> Rodolfo
Re: [pfSense Support] sockets over pfsense nat very slow
On 9/25/05, Jeroen Hermans [EMAIL PROTECTED] wrote:
> I have the following situation at a site:
> - 1 pfsense box connected to the internet and lan (194.1.1.41)
> - lan behind pfsense box (nat) (194.1.1.0/24)
> - proxy (squid) box in lan (194.1.1.31)
> - a few clients in the lan
>
> The last few weeks internet was really slow. I first started to look at the squid configuration, but i found out that when i did a telnet hostnameontheinternet 80 on the squid-box, that too was really slow (about 5 seconds till the socket was open). So i suspected that there was not (primarily) something wrong with the squid config. The strange thing is that when i open the same connection twice on the squid-box (telnet port 80), the first time it takes about 5 seconds till i get a connection to the host. The second time it works in about 0,1 second. Now, pfsense has its own ssh-shell, so i tried the same test on the pfsense-box. But there the socket to the internethost opens fast the first time. My conclusion is that the delay happens on the pfsense box (nat?). I can resolve all hostnames and ip-addresses (forward and reverse) without any delay on the pfsense and squid-box. The firewall is completely open btw (lan, wan and pptp). I hope someone can give me pointers to what the problem can be.
>
> Thanks a lot in advance,

Hmmm...slow the first time and fast the second possibly sounds like an issue in DNS resolution somewhere. Are you using pfSense as your DNS server for the LAN? Can you telnet to any host via IP address and see if the results differ? How about telneting through the pfSense box from a machine other than the squid box (you changed two things when you tested from the pfSense box, not one).

--Bill
Re: [pfSense Support] dual WAN failover
On 9/25/05, Matt Fanady [EMAIL PROTECTED] wrote:
> Hello, I've got a PC with 3 identical NIC's in it. I have a landline internet connection and a satellite internet connection. I would like to use PFsense to use the landline when it's up, and then fail over to the satellite if the landline goes down. So far, I have added my static IP address for the opt1 interface and included the gateway for that internet connection. Can someone push me in the right direction for the next step?

In short, multi-wan failover isn't supported at this time.

http://wiki.pfsense.com/wikka.php?wakka=ReleaseTimeline
Show Stoppers for release version 1
SLBD outgoing LB monitoring

What I do is have an identical set of rules for the second wan already configured but disabled and ready to go. It's annoying, but we're just not there yet.

--Bill

PS. if you haven't found it yet, http://wiki.pfsense.com/wikka.php?wakka=OutgoingLoadBalancing is useful.
Re: [pfSense Support] sockets over pfsense nat very slow
On 9/25/05, Jeroen Hermans [EMAIL PROTECTED] wrote:
>> Hmmm...slow the first time and fast the second possibly sounds like an issue in DNS resolution somewhere. Are you using pfSense as your DNS server for the LAN? Can you telnet to any host via IP address and see if the results differ?
>
> Indeed, you are right. At first i suspected the dns being faulty. I am using the pfsense box as a dns-server, but i am also using another machine in the subnet as a secondary dns-server (need it for non-dhcp addresses). The point is that when i resolve the ip-addresses and hostnames, the dns seems to be working (on both the dns-servers). So i tried to telnet to ip-addresses. The very same problem occurred (first telnet is slow, the second is fast).

That's really strange. About all I can offer is that none of my pfSense installs work that way.

--Bill
Re: [pfSense Support] Argg! My PfSense just died!
On 9/25/05, Mojo Jojo [EMAIL PROTECTED] wrote:
>> Ever heard of CARP? We have that you know.
>
> Yes, it's one of the reasons I chose your product over others.. However, I was going to set it up in case of unplanned failure of hardware or software. In this case, I am basically planning on failure because that's exactly what's happening AND it's consistent.

I plan on my machines failing, so I run carp...if I didn't plan on them failing, I wouldn't :) With that said, yes it shouldn't be hanging or locking up on you. But if it does, it's likely to be an OS bug that we can't fix. I don't know what more to tell you - none of my pfSense boxes randomly hang, from time to time I've seen a kernel panic - but even that's cleaned up a lot as the FreeBSD betas have stabilized.

> This is sort of like putting a UPS battery on a server because the power goes out every two or three days. The UPS is a good idea but it's a better idea to fix the real problem.

Erm, sometimes you can't fix the power company...actually, I've never been able to fix the power company.

--Bill
Re: [pfSense Support] Load balancing-aggregate more WAN connections
Nope, it's not possible to aggregate a single TCP flow over multiple connections. With load balancing you can at least get number of WAN link TCP flows going at full speed, but you won't get a single flow at the speed of all connections.

--Bill

On 9/22/05, Robo.K. [EMAIL PROTECTED] wrote:
> Hi, is possible with PFSENSE load balancing features make aggregation with 2 or more connections to Internet from various ISP /or some ISP, dont matter/, no only failover or load balancing?
>
> Thanx. Bop.
Re: [pfSense Support] Dual Wan with PPPOE and Static isp
On 9/20/05, raphael [EMAIL PROTECTED] wrote:
> Does anyone already tested and validated the dual wan using pppoe on the first link ?

Yes, that's my configuration at home. PPPOE on WAN and DHCP (cable) on OPT1. LAN is my internal network (gee imagine that) and OPT2 is my DMZ.

> BTW, I downgraded my wrap to the latest stable 0.70.4 version as I don't want to have errors on the web interface :)

Well, I suspect this is the problem. .70.4 is ancient, you should upgrade to the .84 series - I can't count the number of multi wan fixes that went in between .70.4 and .84 (heck, we had a hackathon in between there!) What errors on the web interface are you referring to?

--Bill
Re: [pfSense Support] Argg! My PfSense just died!
On 9/19/05, Mojo Jojo [EMAIL PROTECTED] wrote:
> Any idea why my Pf died in the middle of running? I didn't do an upgrade, it was a system running on a fresh install of 0.84 days before. Also, besides the booting problem, I am wondering why it just stopped working which is what caused me to reboot it in the first place. Thanks for any insight on this..

We've had reports on the IRC channel of this happening after a power hit, or other crash too.

--Bill
Re: [pfSense Support] 2 ADSL and load balancing
One of the two PPPOE connections will need to be terminated on a router unless I missed a major change recently.

--Bill

On 9/18/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> hello
>
> I read the archives and found 2 posts in relation with my question :
> http://www.mail-archive.com/support@pfsense.com/msg00326.html
> http://www.mail-archive.com/support@pfsense.com/msg00084.html
>
> Both were posted a month ago and it seems a lot of changes have been made since then. so... I would like to know if the features for 2 ADSL and / or load balancing are now OK ?
>
> In my case I have :
>
>           __________
>          |          |-- ADSL1 (pppoe1)
> LAN -----|  IPSens  |-- ADSL2 (pppoe2)
>          |          |-- SL
>          |__________|
>
> I would like to have :
> some protocols have to go through ADSL1,
> all requests from an IP in LAN area network on SL
> all other requests have to go through ADSL2
>
> Is it now possible without adding a router (as said in one of the previous mentioned posts) ?
>
> Thanks for answering.
> Melanie
Re: [pfSense Support] Dhcp server
Doh, we thought you were talking about a different setting. Should be fixed in the latest services_dhcp_edit.php

--Bill

On 9/17/05, Damien Dupertuis [EMAIL PROTECTED] wrote:
> Hello, I tried again this morning with a new nic... the same problem is here again... the address in dhcp lease has the priority over the static mapping
>
> regards.. Damien
>
> --- Bill Marquette [EMAIL PROTECTED] wrote:
>> This works for me, can you try your update_file.sh again?
>>
>> # update_file.sh /usr/local/www/services_dhcp_edit.php
>> trying to fetch latest /usr/local/www/services_dhcp_edit.php
>> #
>>
>> --Bill
>>
>> On 9/16/05, Damien Dupertuis [EMAIL PROTECTED] wrote:
>>> Okay, I've done it but it didn't work...here is what I got:
>>>
>>> $ update_file.sh /usr/local/www/services_dhcp_edit.php
>>> Status: 404
>>> Content-type: text/html
>>> X-Powered-By: PHP/4.3.10
>>> No input file specified.
>>> trying to fetch latest /usr/local/www/services_dhcp_edit.php
>>> Status: 404
>>> Content-type: text/html
>>> X-Powered-By: PHP/4.3.10
>>> No input file specified.
>>>
>>> --- Scott Ullrich [EMAIL PROTECTED] wrote:
>>>> I just committed a change. Hopefully this will fix your problem. From a shell do:
>>>>
>>>> update_file.sh /usr/local/www/services_dhcp_edit.php
>>>>
>>>> Scott
>>>>
>>>> On 9/16/05, Damien Dupertuis [EMAIL PROTECTED] wrote:
>>>>> Hello, I love the ability to add a static mapping to a mac address in the dhcp server but I saw that the only way to actually make it work is by rebooting pfsense every time you add an address... otherwise even if you ask for a new address (client side), the dhcp doesn't give you the static one you just configured... Maybe a future task for your already huge to do list ?
>>>>>
>>>>> regards... Damien
Re: [pfSense Support] Access ADSL modem on WAN port
You might be able to create a proxy arp address on that interface (virtual IPs screen) and then create an outbound nat that matches your dsl modems IP address and source it from the proxy arp address.

--Bill

On 9/17/05, Jeroen Geusebroek [EMAIL PROTECTED] wrote:
> Hi,
>
> I have an DSL modem with a web interface from which i can get the status etc. It only reacts to an IP address in the same subnet (10.0.0.0/24). Pfsense gets an IP using DHCP, but it is in a different range than the DSL modem (while being on the same interface). Is it possible to have 2 IP's on the WAN side? Dhcp Static 10.0.0.0/24? I've tried using virtual ip addresses but that doesn't seem to work, unless i'm doing something wrong. The ideal situation would be to have 2 ip addresses and tell outbound NAT to use IP address X for 10.0.0.0/24 and IP address Y for the rest of the internet. Is this possible with pfsense?
>
> --Jeroen
Re: [pfSense Support] Problems in Traffis shapper in 0.84.6 are outlive, but even more.
On 9/16/05, Robo.K. [EMAIL PROTECTED] wrote:
> Version 0.84.6
>
> 1./ In traffic shaper is still problem as described here - http://marc.theaimsgroup.com/?l=pfsense-supportm=112662324102230w=2

Fixed in CVS, must have missed the 0.84.6 release.

> 2./ In Queues isn`t displayed three boxes for speed - min/max/shared.

Not sure what you're asking for here? Is this a bug, or a feature request?

> 3./ In logs are this messages:
>
> php: : There were error(s) loading the rules:
> /tmp/rules.debug:22: queue qWANRoot has no parent
> /tmp/rules.debug:22: errors in queue definition
> /tmp/rules.debug:23: queue qWANdef has no parent
> /tmp/rules.debug:23: errors in queue definition
> /tmp/rules.debug:24: queue qLANRoot has no parent
> /tmp/rules.debug:24: errors in queue definition
> /tmp/rules.debug:25: queue qLANdef has no parent
> /tmp/rules.debug:25: errors in queue definition
> /tmp/rules.debug:26: queue qLANacks has no parent
> /tmp/rules.debug:26

Fixed in CVS. http://cvstrac.pfsense.com/tktview?tn=515

When reporting bugs, please tell us how you got there, errors with no detail don't help much. In this case, you had to have changed something as the wizard creates clean, parseable rules by default. I understand the traffic shaper stuff is somewhat touchy, but we need details.

--Bill
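Added example, not part of the original threads: the "queue ... has no parent" errors quoted here and in the earlier "Traffic shaping. Parent Queue" thread mean a `queue` is defined but never listed in the `{ ... }` child list of an `altq` line or of another queue. The Python sketch below finds such orphans in a generated ruleset before it is handed to pfctl; it is a simplified parser, and both sample rulesets (interface, bandwidths, `qRoot`, `qDefault`) are constructed around the `MaxDownload`/`MaxUpload` queue names from the thread.

```python
import re

# Constructed ruleset reproducing the reported failure: MaxDownload and
# MaxUpload are defined but no altq/queue line lists them as children.
BROKEN_RULES = """\
altq on xl0 cbq bandwidth 100Mb queue { qRoot }
queue qRoot bandwidth 90% cbq(default)
queue MaxDownload bandwidth 4100Kb cbq
queue MaxUpload bandwidth 512Kb cbq
"""

# Constructed ruleset with a complete hierarchy: the root queue names its children.
FIXED_RULES = """\
altq on xl0 cbq bandwidth 100Mb queue { qRoot }
queue qRoot bandwidth 90% cbq { MaxDownload, MaxUpload, qDefault }
queue MaxDownload bandwidth 4100Kb cbq
queue MaxUpload bandwidth 512Kb cbq
queue qDefault bandwidth 10% cbq(default)
"""

# Child list at the end of an altq or queue line: "{ a, b c }".
CHILD_LIST_RE = re.compile(r"\{([^{}]*)\}\s*$")


def check_queue_parents(rules_text):
    """Return (orphans, undefined).

    orphans   -- sorted [(line_number, queue_name)] of queues no parent lists
    undefined -- sorted [queue_name] listed as a child but never defined
    Simplification: only the trailing brace list of each line is read.
    """
    defined = {}        # queue name -> line number of its definition
    has_parent = set()  # names appearing in some child list
    for lineno, raw in enumerate(rules_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        words = line.split()
        if not words or words[0] not in ("altq", "queue"):
            continue
        if words[0] == "queue" and len(words) > 1:
            defined.setdefault(words[1], lineno)
        m = CHILD_LIST_RE.search(line)
        if m:
            has_parent.update(n for n in re.split(r"[,\s]+", m.group(1)) if n)
    orphans = sorted((ln, name) for name, ln in defined.items()
                     if name not in has_parent)
    undefined = sorted(has_parent - set(defined))
    return orphans, undefined


def report(rules_text, filename="rules.debug"):
    """Format findings in the style of the pfctl messages quoted above."""
    orphans, undefined = check_queue_parents(rules_text)
    lines = [f"{filename}:{ln}: queue {name} has no parent" for ln, name in orphans]
    lines += [f"{filename}: queue {name} is listed as a child but never defined"
              for name in undefined]
    return lines


if __name__ == "__main__":
    print("\n".join(report(BROKEN_RULES)) or "no orphan queues")
    print("\n".join(report(FIXED_RULES)) or "no orphan queues")
```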
Re: [pfSense Support] Relativelly long ping to Pfsense on local direct connection.
On 9/16/05, Robo.K. [EMAIL PROTECTED] wrote: Version 0.84.6 If I have connected computer /Celer 2.4Ghz, 256MB RAM, 100Mbps 3COM TX interface/ directly to test computer via crossover cable, or both are in some switch, ping time response is from below 1ms to 9-10 ms and about 700 - 900ms if i go to the menu, for example Traffic shaper. Is it normal? Maybe. Are you transferring data when the ping times increase? More work is upcoming on the shaper to address some of the local lan to local firewall speed issues (it's due to what's being queued). Monowall is more more faster. Bad comparison any more (and you don't explain what you mean anyway). We have some significant technology differences from m0n0 these days. --Bill
Re: [pfSense Support] PFSTAT don`t works. ow PFSTAT works?
Please create a ticket, this has been reported before. --Bill On 9/16/05, Robo.K. [EMAIL PROTECTED] wrote: 0.84.6 After attempt to configure PFSTAT after save options there i get screen with error messages:
Re: [pfSense Support] Relativelly long ping to Pfsense on local direct connection.
On 9/16/05, Robo.K. [EMAIL PROTECTED] wrote: I know that kernel in monowall 4.xx is faster than 5.xx used in PFSENSE. But from this For the archives. pfSense uses FreeBSD 6, not FreeBSD 5. --Bill
Re: [pfSense Support] 0.84.6 errors
Oddly, the upgrade should have moved that setting to the right place. :-/ I'll look into this a little more as this shouldn't have bitten you. --Bill On 9/16/05, Damien Dupertuis [EMAIL PROTECTED] wrote: It is done thank you... --- Scott Ullrich [EMAIL PROTECTED] wrote: Rerun the EZ Shaper Wizard. We moved the scheduler location so it can be sync'd properly. Scott On 9/16/05, Damien Dupertuis [EMAIL PROTECTED] wrote: Hello, I just upgraded from 0.84 to 0.84.6 and the system gives me this: php: : There were error(s) loading the rules: /tmp/rules.debug:13: no scheduler specified! /tmp/rules.debug:14: no scheduler specified! /tmp/rules.debug:16: queue qWANRoot has no parent /tmp/rules.debug:16: errors in queue definition /tmp/rules.debug:17: syntax error /tmp/rules.debug:18: queue qLANRoot has no parent /tmp/rules.debug:18: errors in queue definition /tmp/rules.debug:19: syntax error /tmp/rules.debug:20: syntax error /tmp/rules.debug:21: syntax error /tmp/rules.debug:22: syntax error /tm Is it useful for you if I post the errors or not??? I'm interested in helping but not in bothering... ;-) regards... Damien
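Added example (not part of the thread and not pfSense or pfctl code): a small pre-load check for the two ALTQ errors quoted in these threads, "no scheduler specified!" and "queue ... has no parent". It is a simplified model that assumes, as the logs above suggest, that a queue only counts as having a parent if it was listed in the `{ }` child list of an earlier, valid altq or queue line; the sample ruleset is constructed.

```python
import re

SCHEDULERS = {"cbq", "priq", "hfsc"}
CHILD_LIST = re.compile(r"\{([^}]*)\}")

# Constructed sample in the shape of /tmp/rules.debug (not from a real firewall).
SAMPLE_RULES = """\
altq on xl0 bandwidth 512Kb queue { qWANRoot }
altq on xl1 hfsc bandwidth 4100Kb queue { qLANRoot }
queue qWANRoot bandwidth 512Kb hfsc { qWANdef, qWANacks }
queue qWANdef bandwidth 1% hfsc ( default )
queue qWANacks bandwidth 25% hfsc
queue qLANRoot bandwidth 4100Kb hfsc { qLANdef }
queue qLANdef bandwidth 1% hfsc ( default )
queue MaxDownload bandwidth 4100Kb cbq
"""


def lint_altq(text, filename="/tmp/rules.debug"):
    """Return pfctl-style messages for altq/queue lines that cannot load.

    Lines are processed in file order. A child list is only registered
    when the line that carries it is itself accepted, which is why one
    broken altq line makes every queue beneath it report "has no parent".
    """
    referenced = set()  # queue names announced by an accepted parent
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        words = line.split()
        match = CHILD_LIST.search(line)
        children = re.findall(r"\w+", match.group(1)) if match else []

        if words[0] == "altq":
            # The scheduler keyword must appear before the child list.
            head = line[: match.start()] if match else line
            if not SCHEDULERS & set(re.findall(r"\w+", head)):
                findings.append(f"{filename}:{lineno}: no scheduler specified!")
                continue  # rejected line: its children stay orphaned
            referenced.update(children)
        elif words[0] == "queue" and len(words) > 1:
            name = words[1]
            if name not in referenced:
                findings.append(f"{filename}:{lineno}: queue {name} has no parent")
                continue  # rejected queue: its children stay orphaned
            referenced.update(children)
    return findings


if __name__ == "__main__":
    for message in lint_altq(SAMPLE_RULES):
        print(message)
```

Running it on a generated ruleset before it is handed to pfctl shows which single altq or queue line is the root cause, instead of the cascade of errors that ends in "pf rules not loaded".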
Re: [pfSense Support] Dhcp server
This works for me, can you try your update_file.sh again? # update_file.sh /usr/local/www/services_dhcp_edit.php trying to fetch latest /usr/local/www/services_dhcp_edit.php # --Bill On 9/16/05, Damien Dupertuis [EMAIL PROTECTED] wrote: Okay, I've done it but it didn't work... here is what I got: $ update_file.sh /usr/local/www/services_dhcp_edit.php Status: 404 Content-type: text/html X-Powered-By: PHP/4.3.10 No input file specified. trying to fetch latest /usr/local/www/services_dhcp_edit.php Status: 404 Content-type: text/html X-Powered-By: PHP/4.3.10 No input file specified. --- Scott Ullrich [EMAIL PROTECTED] wrote: I just committed a change. Hopefully this will fix your problem. From a shell do: update_file.sh /usr/local/www/services_dhcp_edit.php Scott On 9/16/05, Damien Dupertuis [EMAIL PROTECTED] wrote: Hello, I love the ability to add a static mapping to a mac address in the dhcp server but I saw that the only way to actually make it works is by rebooting pfsense every time you add an address... otherwise even if you ask for a new address (client side), the dhcp dont gives you the static one you just configured... Maybe a future task for your already huge to do list ? regards... Damien
Re: [pfSense Support] Understand log entry
On 9/15/05, Mojo Jojo [EMAIL PROTECTED] wrote: So, if I am reading you right, this is something I should mostly ignore and not worry about too much? Mostly, don't worry about it too much. I'd keep an eye on them as it's possible it's part of a stealth scan. But I wouldn't put too much weight in them if it's just onesy-twosy type stuff. --Bill
Re: [pfSense Support] pfsense on mac mini?
Tier 2 platform, don't even bother with it until it's a Tier 1 platform unless you like fixing things. http://www.freebsd.org/platforms/ppc.html I'd also like to point out that we've had nothing but issues with usb keyboards and that's all that currently works in the PPC port. Wait another year and a half or so and it won't matter. --Bill On 9/12/05, dny [EMAIL PROTECTED] wrote: btw. i read somewhere, freebsd does run on mac i even seen the screenshots...
Re: [pfSense Support] FW: Cosmetic Bug in Trafficshaper?
ack, I'll poke at this shortly. I had some interesting experiences with the bandwidth fields when writing the wizard. They shouldn't be needed - realtime/upperlimit/linkshare are supposed to be better. What I found was that bandwidth is needed so that pfctl doesn't bitch about bandwidth being over allocated (also, it seemed like it stomped on the queue even though I'd set upperlimit to a reasonable setting). --Bill On 9/13/05, Ben Browning [EMAIL PROTECTED] wrote: I installed pfSense a few days ago using pfSense-LiveCD-0.84.iso (the version from 09/11/05). I've observed this bug also. After examining the source of the file firewall_shaper_queues_edit.php I came to the following conclusion: * When using HFSC, the bandwidth input box doesn't appear. * Because of this, when you press the save button on any HFSC queue, it clears the bandwidth value of that queue in the config xml file. * Thus, anytime you press save on a HFSC queue, the bandwidth field gets blanked. This is more than just a cosmetic bug. If you ever edit the root queues, their bandwidth gets set to 0. This bandwidth value is used when calculating the maximum available bandwidth to give out to the other queues. So, if I create a queue called qSSHUp under my qWANRoot (which we'll pretend I have saved since running the wizard, and it now shows up blank in the bandwidth field) and tell qSSHUp to guarantee a realtime bandwidth of 32Kb, the traffic shaping rules won't load. It will complain that there isn't that much bandwidth available to give out. To fix this, on line 202 of firewall_shaper_queues_edit.php I changed: <?php if ($schedulertype == "cbq"): ?> to <?php if ($schedulertype == "cbq" or $schedulertype == "hfsc"): ?> This has solved my disappearing bandwidth-field issue, and now allows me to modify rules and have them load successfully.
Re: [pfSense Support] Re: [pfSense-discussion] L3 load balancer
On 9/12/05, Tom Müller-Kortkamp [EMAIL PROTECTED] wrote: What about pound as LB? It works greate on several Sites !(http://www.apsis.ch/pound/) One of the requirements was that we didn't proxy the traffic. It appears that pound proxies the traffic. Feel free to make a package for this. --Bill
Re: [pfSense Support] SS with Putty don`t work
Username 'admin' works too. --Bill On 9/10/05, Scott Ullrich [EMAIL PROTECTED] wrote: Use the username root and the pfsense webConfigurator password. On 9/10/05, Robo.K. [EMAIL PROTECTED] wrote: When I use a PUTTY for Windows and I`m trying access pfsense via SSh, Putty ask for me user name and for password, but then window of Putty dismiss. This occurs on all versions of PFSENSE. Where is the problem? Thanx.
Re: [pfSense Support] Plan author of TrafficShaper some expanation of use the traffic shaper?
I'm still somewhat working on the shaper and since I've taken about a much needed 2 month break from it, I'm going to have to do a little re-education. Here's a little info right from the pf.conf man page: The hfsc scheduler supports some additional options: realtime _sc_ The minimum required bandwidth for the queue. upperlimit _sc_ The maximum allowed bandwidth for the queue. linkshare _sc_ The bandwidth share of a backlogged queue. sc is an acronym for service curve. The format for service curve specifications is (m1, d, m2). m2 controls the bandwidth assigned to the queue. m1 and d are optional and can be used to control the initial bandwidth assignment. For the first d milliseconds the queue gets the bandwidth given as m1, afterwards the value given in m2. In some cases percentages were easier or more right to enter, in other cases the KB values were the right thing to do...the decision for each had nothing to do with what valid values for those fields were, but what my experience showed as useful. --Bill On 9/10/05, Robo.K. [EMAIL PROTECTED] wrote: Plan author of TrafficShaper some explanation of use the traffic shaper? Because one thing is theory of HFSC and other thing is filling boxes Upperlimit Real time Link share Parent queue ...? There http://wiki.pfsense.com/wikka.php?wakka=HFSCBandwidthShapingNotes is some explanation, but not complete. In boxes Upperlimit Realtime Link share are used three values and once percents and once Kbite/s... What is for? what is what? Can explain anybody this more complex? Thank you.
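Added example (not part of the thread and not pfSense code): the (m1, d, m2) service curve from the man page excerpt above, evaluated numerically so the effect of the initial burst is visible. The curve values and the 2Mb parent bandwidth are constructed, and the realtime-versus-upperlimit comparison is a sanity check of this example, not a rule pfctl is claimed to enforce.

```python
import re

# pf.conf bandwidth suffixes: bits, kilobits, megabits, gigabits per second.
UNITS = {"b": 1, "Kb": 1_000, "Mb": 1_000_000, "Gb": 1_000_000_000}


def parse_bandwidth(spec, parent_bps):
    """Convert '128Kb' or '25%' (of the parent queue) to bits per second."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)(%|b|Kb|Mb|Gb)", spec.strip())
    if not m:
        raise ValueError(f"bad bandwidth spec: {spec!r}")
    value, unit = float(m.group(1)), m.group(2)
    if unit == "%":
        return parent_bps * value / 100
    return value * UNITS[unit]


def parse_service_curve(spec, parent_bps):
    """Parse '(m1, d, m2)' or a bare 'm2' into (m1_bps, d_ms, m2_bps).

    m1 and d are optional; a bare value is a flat curve, modelled here
    as d = 0 with m1 equal to m2.
    """
    parts = [p for p in re.split(r"[,\s()]+", spec) if p]
    if len(parts) == 1:
        m2 = parse_bandwidth(parts[0], parent_bps)
        return (m2, 0, m2)
    if len(parts) == 3:
        return (
            parse_bandwidth(parts[0], parent_bps),
            int(parts[1]),
            parse_bandwidth(parts[2], parent_bps),
        )
    raise ValueError(f"bad service curve: {spec!r}")


def bits_served(curve, t_ms):
    """Bits the curve allows in the first t_ms milliseconds of a backlog.

    For the first d milliseconds the rate is m1, afterwards m2.
    """
    m1, d, m2 = curve
    return (m1 * min(t_ms, d) + m2 * max(t_ms - d, 0)) / 1000


def realtime_exceeds_upperlimit(realtime, upperlimit):
    """True if the guaranteed curve ever rises above the maximum curve.

    Both curves are two straight segments, so their difference can only
    peak at a breakpoint (either d) or grow without bound when the
    long-term realtime rate is above the long-term upperlimit rate.
    """
    breakpoints = {realtime[1], upperlimit[1]}
    if any(bits_served(realtime, t) > bits_served(upperlimit, t) for t in breakpoints):
        return True
    return realtime[2] > upperlimit[2]


if __name__ == "__main__":
    parent = parse_bandwidth("2Mb", 0)          # constructed root bandwidth
    rt = parse_service_curve("(512Kb, 50, 128Kb)", parent)
    for t in (10, 50, 100, 1000):
        print(f"{t:5d} ms -> {bits_served(rt, t):9.0f} bits guaranteed")
    for ul_spec in ("50%", "256Kb"):
        ul = parse_service_curve(ul_spec, parent)
        print(ul_spec, "conflict:", realtime_exceeds_upperlimit(rt, ul))
```

The percentage and absolute forms the thread asks about differ only in `parse_bandwidth`: a percentage is resolved against the parent queue, so the same "25%" means a different rate under a different parent.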
Re: [pfSense Support] Slow response from graphical menu of Pfsense
Are you using traffic shaping and filling the downstream queue? --Bill On 9/10/05, Robo.K. [EMAIL PROTECTED] wrote: Why is so slow response from menu of PF ? Time is from 3 to 5 seconds on 100TX 3COM card full duplex in PFsense drop down menu. In metallic is responses more slower. Classic view is more faster. Acceptable.
Re: [pfSense Support] pfsense and static IPs through PPPoE
Yup, I have SBC's static offering. With the Cayman router that comes with that offering you can terminate PPPOE on the modem and allow for the 5 addresses to be used on the ethernet side with pfSense. You then have the option of bridging those IPs to inside (or DMZ) and putting real addresses on your machines, or doing a 1 to 1 NAT. The other option is to terminate PPPOE on the pfSense box - you still get the option to do 1 to 1 NAT, but you lose the bridging option (I think, I haven't tried that setup, can't see how it would work though). I've done both setups, started with terminating PPPOE on the pfSense box, moved to terminating on the router so I could work on CARP and am back to terminating on pfSense because my Cayman died. --Bill On 9/9/05, Darin [EMAIL PROTECTED] wrote: I have DSL with 5 static IPs through SBC. I've also been a FreeBSD user for a few years now, and currently have a firewall up and running on 4.11 The 5 statics are actually a /29 block, and the IP info is passed down through the PPP session. In order to use the statics on other machines, I have to use the nat functions in the PPP daemon and assign a public IP to a private IP. Here is an example from my ppp.conf on how this is done: nat enable yes nat same_ports yes nat addr 192.168.1.5 1.2.3.4 nat addr 192.168.1.6 1.2.3.5 This is the only way I was able to assign those public IPs to another box. I could not get it to work using natd. Will pfsense be able to do this? I installed 82.4 on a test machine just to get a feel for the interface and didnt really see any provision for it. Any idea how something like this would work? Thanks for your time. Darin
Re: [pfSense Support] pfsense and static IPs through PPPoE
Right now I'm running on a borrowed 5100a which bridges the PPPOE only. Works fine. I don't know anything about the 5360, is it terminating the PPPOE, or is bridging the PPPOE? --Bill On 9/9/05, Darin [EMAIL PROTECTED] wrote: What if you dont have the Cayman router anymore? I'm just using a standard Speedstream 5360 modem that has no routing or firewall capabilities. Bill Marquette wrote: Yup, I have SBC's static offering. With the Cayman router that comes with that offering you can terminate PPPOE on the modem and allow for the 5 addresses to be used on the ethernet side with pfSense. You then have the option of bridging those IPs to inside (or DMZ) and putting real addresses on your machines, or doing a 1 to 1 NAT. The other option is to terminate PPPOE on the pfSense box - you still get the option to do 1 to 1 NAT, but you lose the bridging option (I think, I haven't tried that setup, can't see how it would work though). I've done both setups, started with terminating PPPOE on the pfSense box, moved to terminating on the router so I could work on CARP and am back to terminating on pfSense because my Cayman died. --Bill On 9/9/05, Darin [EMAIL PROTECTED] wrote: I have DSL with 5 static IPs through SBC. I've also been a FreeBSD user for a few years now, and currently have a firewall up and running on 4.11 The 5 statics are actually a /29 block, and the IP info is passed down through the PPP session. In order to use the statics on other machines, I have to use the nat functions in the PPP daemon and assign a public IP to a private IP. Here is an example from my ppp.conf on how this is done: nat enable yes nat same_ports yes nat addr 192.168.1.5 1.2.3.4 nat addr 192.168.1.6 1.2.3.5 This is the only way I was able to assign those public IPs to another box. I could not get it to work using natd. Will pfsense be able to do this? I installed 82.4 on a test machine just to get a feel for the interface and didnt really see any provision for it. 
Any idea how something like this would work? Thanks for your time. Darin
Re: [pfSense Support] pfsense and static IPs through PPPoE
Give 'er a shot. Should work like a charm. Just put your [EMAIL PROTECTED] username in the WAN config for PPPOE and watch it fly. You'll need to do some playing with Virtual IPs so you can handle the 1 to 1 NATs, but shouldn't take too long of poking through the interface to figure it out. --Bill On 9/9/05, Darin [EMAIL PROTECTED] wrote: Its just a bridge. Its a pretty old modem with very basic functions. About 3-4 years old. http://www.chipweb.de/dsl/index.php?menu=2id2=33 Darin - Bill Marquette wrote: Right now I'm running on a borrowed 5100a which bridges the PPPOE only. Works fine. I don't know anything about the 5360, is it terminating the PPPOE, or is bridging the PPPOE? --Bill On 9/9/05, Darin [EMAIL PROTECTED] wrote: What if you dont have the Cayman router anymore? I'm just using a standard Speedstream 5360 modem that has no routing or firewall capabilities. Bill Marquette wrote: Yup, I have SBC's static offering. With the Cayman router that comes with that offering you can terminate PPPOE on the modem and allow for the 5 addresses to be used on the ethernet side with pfSense. You then have the option of bridging those IPs to inside (or DMZ) and putting real addresses on your machines, or doing a 1 to 1 NAT. The other option is to terminate PPPOE on the pfSense box - you still get the option to do 1 to 1 NAT, but you lose the bridging option (I think, I haven't tried that setup, can't see how it would work though). I've done both setups, started with terminating PPPOE on the pfSense box, moved to terminating on the router so I could work on CARP and am back to terminating on pfSense because my Cayman died. --Bill On 9/9/05, Darin [EMAIL PROTECTED] wrote: I have DSL with 5 static IPs through SBC. 
I've also been a FreeBSD user for a few years now, and currently have a firewall up and running on 4.11 The 5 statics are actually a /29 block, and the IP info is passed down through the PPP session. In order to use the statics on other machines, I have to use the nat functions in the PPP daemon and assign a public IP to a private IP. Here is an example from my ppp.conf on how this is done: nat enable yes nat same_ports yes nat addr 192.168.1.5 1.2.3.4 nat addr 192.168.1.6 1.2.3.5 This is the only way I was able to assign those public IPs to another box. I could not get it to work using natd. Will pfsense be able to do this? I installed 82.4 on a test machine just to get a feel for the interface and didnt really see any provision for it. Any idea how something like this would work? Thanks for your time. Darin
Re: [pfSense Support] Multiple WANs
Technically, we do put the interface in the rule when it's created. But I can guarantee we'll only snag the first one. So, while you can enter the same IP multiple times in a pool (artificially creating a ratio based round robin) I'd be willing to bet that we don't correctly support this on one device. --Bill On 9/5/05, Scott Ullrich [EMAIL PROTECTED] wrote: On 9/5/05, Holger Bauer [EMAIL PROTECTED] wrote: using the same gateway for both wans won't work as you can't specify rules for this I think. the rules are applied to a gateway and with both gateways the same... :-/ you might have to come up with a workaround like having a nated router in front of one connection to use this as gateway on one wan and put the pfsense in the dmz of this router. You *possibly* could create a load balancing pool with 1 device in it. Select this as your gateway from the rules. Again, haven't tested this so I'm not sure if it will work or not. Scott
Re: [pfSense Support] Soekris Net4801
Not all CF cards are created equal. Some are better than others. http://www.m0n0.ch/bsd/#knownprobs http://lists.soekris.com/pipermail/soekris-tech/2004-October/022017.html --Bill PS. Scott, note the especially Lexar in the m0n0 page? Wasn't it Lexar cards we were trying to use at the hackathon that gave us mixed results? On 9/5/05, Leuchter, Lars [EMAIL PROTECTED] wrote: Hi Scott Do you refer to the set flash=primary reboot ?? If so, it doesn't work, at least when using a 512MB Flash-Card. Is there another hack how to make this possible ? Thanks Lars -Original Message- From: Scott Ullrich [mailto:[EMAIL PROTECTED]] Sent: Sunday, 4 September 2005 15:24 To: Leuchter, Lars Cc: support@pfsense.com Subject: Re: [pfSense Support] Soekris Net4801 Change your compact flash to primary in the BIOS. There is a blog entry for this as well. Scott On 9/4/05, Leuchter, Lars [EMAIL PROTECTED] wrote: Hi all, I am trying to get the latest embedded image to work on a Soekris Net4801, however, after I have written the image to flash-card and boot it up, I do get the following error message : sio0 at port 0x3f8-0x3ff irq 4 flags 0x10 on isa0 sio0: type 16550A, console sio1 at port 0x2f8-0x2ff irq 3 on isa0 sio1: type 16550A Timecounters tick every 1.000 msec Fast IPsec: Initialized Security Association Processing. ad1: 497MB SAMSUNG CF/ATA 04/05/06 at ata0-slave PIO4 Trying to mount root from ufs:/dev/ad0a Manual root filesystem specification: fstype:device Mount device using filesystem fstype eg. ufs:da0s1a ? List valid disk boot devices empty line Abort manual input mountroot Any idea ? Thanks Lars
Re: [pfSense Support] Outgoing Load Balancer and policy based routing
I don't believe slb is fully integrated into the outbound load balancer. If you don't have a load balanced server you probably won't see anything in the logs at this time. --Bill On 9/2/05, Daniel Solsona [EMAIL PROTECTED] wrote: Well, awesome job guys for the work on the outbound load balancer and of course on pfsense project itself. I'm using 0.82.4 on a soekris 4501 and I've tried the load balancer with two adsl lines on the same wan. It works really well, fast change between the two gateways. I dont know if it's an error or something not done yet, but on the log page, the load balancer is clear all the time. That part it's only for server load balancer? or it should have something about outgoing load balancer too? And i've been playing with policy based routing too, having pop3, smtp going across one ADSL and http going on the other one. It works really well too. Thx for the work
Re: [pfSense Support] 81.4 load balance + carp
Hmmm, that's a seriously high interrupt load. How much traffic goes through this box? What type of NICs and CPU do the boxes have? --Bill On 8/31/05, Rodolfo Vardelli [EMAIL PROTECTED] wrote: second part. Now backup is completely frozen, here top: last pid: 737;load averages:0.97,0.43,0.17up 0+00:02:5111:30:3325 processes:5 running, 20 sleepingCPU states:0.3% user,0.3% nice, 10.2% system, 77.2% interrupt, 11.9%idleMem: 13M Active, 7404K Inact, 10M Wired, 24K Cache, 9200K Buf, 87M Free Swap: PID USERNAMETHR PRI NICE SIZERES STATETIME WCPU COMMAND 668 root1 8 10 10856K9588K ppwait 0:040.00% php 663 root17602264K1516K RUN0:010.00% top 540 root17601292K 868K select 0:010.00% syslogd 657 root1 801580K1228K wait 0:000.00% login 662 root12002616K2000K pause0:000.00% tcsh 297 root1 -5803656K1748K bpf0:000.00% tcpdump 543 root17603480K1960K RUN0:000.00% mini_httpd 554 root1 801620K1120K wait 0:000.00% sh 641 root1 801300K 984K nanslp 0:000.00% cron 299 root1-801188K 688K piperd 0:000.00% logger 658 root1 801624K1092K wait 0:000.00% sh 659 root1 801632K1160K wait 0:000.00% sh 298 _pflogd 1 -5801536K1180K bpf0:000.00% pflogd 669 root1-803484K2012K piperd 0:000.00% mini_httpd 295 root1 401472K1136K sbwait 0:000.00% pflogd 667 root1 801168K 480K nanslp 0:000.00% sleep 656 root1 80 228K 124K nanslp 0:000.00%check_reload_st 547 nobody1 13201320K 940K select 0:000.00% dnsmasq no answer from serial console. It answers to ping. Here the last message arrived at syslog server: Aug 31 11:29:40 192.168.9.32 kernel: webgui doesn't answer. nothing else regards, Rodolfo
Re: [pfSense Support] Outgoing load balancing problem
0.81 contained a number of load balancer fixes. --Bill On 8/30/05, Holger Bauer [EMAIL PROTECTED] wrote: It can be done the way you describe it and I have this setup at home in my testenvironment (however, I use different subnets on my wans, but it should work with your setup too as far as I know). If properly configured you should see the 2 wans used roundrobin. In my setup this means if I traceroute to internet testtarget1.com I can see the traffic going out wan1. Tracerouting testtarget2 shows the route going out via wan2. If you always trace the same target it will most probably stay at the same wan for some time as the connections are sticky to the wan it went out the first time unless the states for that connection are gone because of closing the connection or statetable-timeout removes it. (I'm not sure if the latest changes to the loadbalancer to work this way are in 0.80.4 already or if you have to upgrade some files first. At some point the loadbalancer only worked for more than one client as a clients IP was mapped to one of the wans, but I lost trace here, check cvs-trac for further info ;-). You should upgrade to the latest image after it becomes available. With this one you don't need the manual NAT setup any more and also enabling advanced outbound NAT should create correct rules for the loadbalancer by default. The monitor IP can be any IP you want to check through this wan. Of course it should be a high availability IP as the connection will be assumed broken if it doesn't get an answer from this and the wan will be removed from the roundrobin-pool. Monitoring doesn't work at the moment as far as I know, so at the moment it isn't used anyway. The problem with the non-editable list is known already, thanks for reporting. Holger -Original Message- From: Daniel Solsona [mailto: [EMAIL PROTECTED]] Sent: Tuesday, 30 August 2005 09:49 To: support@pfsense.com Subject: [pfSense Support] Outgoing load balancing problem I have soekris 4501 with 0.80.4 and I was trying outgoing load balancing. I've read the wiki document and I can get it work atm. I just have done a quick test to try it, will try to do a better one when I have more time. Actually I tried: Lan on eth0 with ip 192.168.1.1 Linux client on lan with ip 192.168.1.10 and gateway 192.168.1.1 Wan on eth1 with ip 192.168.50.199 On wan I've two adsl routers connected to a switch. Ip for adsl1 is 192.168.50.240 and ip for adsl2 is 192.168.50.80 I go to services and create the load balancer pool. At this point I've a question about ip monitor, it needs to be an internet ip? the adsl router ip? I add the 2 adsl gateways ip to the pool. Probably at this point there is a bug in 0.80.4 when you try to edit an outgoing load balancer pool. You click on edit and you dont get all the info from the pool, just the name, description and type of pool, but the list is empty. After I go to nat and enable advanced outbound nat. And then change the firewall rule to the new gateway pool. When i try to see if it works, i do a traceroute to google and it goes to the first adsl router (192.168.50.80) but if I unplug the adsl router It doesnt change to the other router. So the question, it can be done on this way or I need to make two wan adapters and put the router on different ethernet? Thanks for the help
Re: [pfSense Support] WARNING: R/W mount of denied. File system is not clean - run fsck
Interestingly the WRAP image is supposed to be mounted read-only anyway. Only /cf should normally get mounted r/w and then only for changes.

--Bill

On 8/30/05, Fleming, John (ZeroChaos) [EMAIL PROTECTED] wrote:
> Just an FYI this is why you see the error message. You should only be worried if you see it twice.
>
> # Mount all. If it fails run a fsck.
> /sbin/mount -a || /sbin/fsck -y /sbin/mount -a || /sbin/fsck -y
>
> The error message you've seen came from the first /sbin/mount -a. fsck then cleaned all the file systems (fsck -a).
>
> Had the file system been dirty after that you would have seen the error again, but that would mean something was really hosed as in bad hard drive or some kind of storage communications error (flash, IDE or SCSI write error).
>
> -----Original Message-----
> From: Tomas Hodan [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, August 30, 2005 2:10 PM
> To: support@pfsense.com
> Subject: [pfSense Support] WARNING: R/W mount of denied. Filesystem is not clean - run fsck
>
>> hi,
>>
>> I installed pfsense to CF card, booted once, repowered wrap and on next boot I got lot of messages like:
>>
>> WARNING: R/W mount of denied. Filesystem is not clean - run fsck
>>
>> should not be pfsense able to handle such situations? or I'm doing something wrong
>>
>> regards, tomas
Re: [pfSense Support] captive portal
I noticed this behaviour this morning. https didn't work, http sent me to the login page, but ping worked (usually) and I could SSH through the firewall. Oddly, last night after I setup CP, it worked as intended.

--Bill

On 8/23/05, Tobias Frank [EMAIL PROTECTED] wrote:
> Hello,
>
> when trying to use the captive portal on 0.79 there is a strange thing. Following ports work without authentication: MySQL, smtp, ping, ssh, name. Others I didn't check. m0n0wall (1.2b9) doesn't show this behaviour. Is this a bug or a feature?
>
> here's my configuration
>
> 212.x.x.x   192.168.0.x / 24   192.168.1.x / 24
> -| Router |--| FW |--| pfsense |-
> (WAN - 192.168.0.129) (LAN - 192.168.1.1)
>
> I didn't check the checkbox block private networks because one of the Mail-Servers has a private ip-address (192.168.99.x)
>
> Another feature of m0n0wall which I think is very useful is the Reauthentication in current beta version. So accounting works good for our use. Is it planned to integrate this feature in a future pfsense version?
>
> Greeting from Munich
> Tobias Frank
Re: [pfSense Support] Running multiple routed subnets on LAN interface
iy yi yi...I can't ever begin to remember what bugs lurked back that far. Any chance you can upgrade to current? We're fixing stuff left and right, I'm not going to go back through the last three months changelogs to see if we've already fixed whatever might be affecting you (if anything). If it's still affecting you on something recent (preferably .80 at a minimum) we can take a look.

--Bill

PS. I agree with John, we need a network diagram. If you don't have Visio, please use Dia (http://www.gnome.org/projects/dia/)

On 8/25/05, Ted Crow [EMAIL PROTECTED] wrote:
> I am (still) running pfSense 70.4 and I am in the process of adding a routed subnet to my LAN. I don't have any trouble seeing the remote LAN from my core LAN, nor any trouble seeing the core LAN from the remote LAN. But, my remote LAN gets no responses from devices on any other interface on the firewall. The routing appears to be correct as far as I can tell using traceroute/ping. I can ping machines on the remote LAN from the firewall, and the firewall from the remote network. The firewall appears to be black-holing the remote LAN traffic.
>
> -- From REMOTE LAN --
> Tracing the route to xx.xx.xx.xx (public)
> 1   1 ms   1 ms   1 ms   172.16.11.1   --- New Remote (172.16.11/24)
> 2   4 ms   4 ms   4 ms   172.16.0.2    --- Internal Router (172.16.0/23)
> 3   5 ms   5 ms   5 ms   172.16.0.1    --- pfSense Firewall (172.16.0/23)
> 4   *   *   *   --- should be Gateway Router (public)
> 5   *   *   *   --- should be ISP Router (public)
> ...   --- on to oblivion
>
> I do have a LAN rule explicitly allowing the remote subnet to have full access to any^3.
>
> Any ideas? Or do I just need to get the latest version of pfSense on the box?
>
> Ted Crow
> MCP/W2K
> Information Technology Manager
> Tuttle Services, Inc.
> (419) 228-6262 x 247
Re: [pfSense Support] Virtual IPs not working
Bastian Schern, you probably already know this, but your email is busted.

--Bill

On 8/22/05, Mail Delivery System [EMAIL PROTECTED] wrote:
> This is the Postfix program at host server19.greatnet.de.
>
> I'm sorry to have to inform you that your message could not be be delivered to one or more recipients. It's attached below.
>
> For further assistance, please send mail to postmaster
>
> If you do so, please include this problem report. You can delete your own text from the attached returned message.
>
> The Postfix program
>
> [EMAIL PROTECTED] (expanded from [EMAIL PROTECTED]): delivery temporarily suspended: connect to kundt.homeip.net[213.191.40.68]: Connection timed out
>
> Final-Recipient: rfc822; [EMAIL PROTECTED]
> Original-Recipient: rfc822; [EMAIL PROTECTED]
> Action: failed
> Status: 4.0.0
> Diagnostic-Code: X-Postfix; delivery temporarily suspended: connect to kundt.homeip.net[213.191.40.68]: Connection timed out
>
> ---------- Forwarded message ----------
> From: Bill Marquette [EMAIL PROTECTED]
> To: Bastian Schern [EMAIL PROTECTED]
> Date: Mon, 22 Aug 2005 18:18:24 -0500
> Subject: Re: [pfSense Support] Virtual IPs not working
>
> On 8/22/05, Bastian Schern [EMAIL PROTECTED] wrote:
>> Okay I believe you, but what can I do to solve my Problem with my three LAN subnets: 192.168.0.0/24 (main), 192.168.3.0/24 and 192.168.101.0/24. All of them are located on the same physical interface and in this moment it is not possible to join the subnets. Is there a way to handle that configuration?
>
> If ping is a big issue (I can understand), use CARP instead of ProxyARP.
>
> --Bill
[pfSense Support] .79 issues
There was a nasty bug in .79 that partially reverted the config file version. This left a config file that had newer syntax and an older version number. Upgrading past .79 w/out taking some corrective measure will break your system. Again, if you installed or upgraded to .79 and plan on using anything newer, please read.

Two issues in particular affect those that are on .79 and plan to upgrade. During boot, we check to see if the config file version is older than what we claim is current. If it is, we upgrade it. One of the upgrade steps encrypts the (already encrypted) password in the xml file leaving you with a system you couldn't access (there are a couple workarounds that I'll mention shortly). The other somewhat damaging item I've had mixed reports on are irreversible issues with the DHCP config; if you don't use the dhcp server you will be fine. Disabling the server and re-enabling it is not enough to fix it if you are using DHCP.

This issue _only_ affects people that upgraded/installed .79 and then upgraded to anything above it (.79.2 is currently the only thing above it). There was about a three hour window where .79 was the most recent version, so I expect very few people actually got affected.

Workarounds:

This is for those that upgraded to .79. We now version every change that happens on your pfSense box. They are available via the Diagnostics menu, choose Backup/Restore then click Remote. You'll see a list of all the times your configuration changed and at a minimum where in the firewall the change was made (still working on exact change details). You should see the Current entry showing as "Upgraded config version level from 1.9 to 1.1" or similar. Clicking on the + (plus) symbol on the line below will restore the previous configuration file. Then upgrade to .79.2 w/out rebooting. .79.2 will correctly upgrade your configuration file to version 2.0 w/out destroying anything.

For those that installed .79 and wish to upgrade. If you aren't using the DHCP server, the only item that should affect you is the password. Upgrade to .79.2 and use menu option number 3 from the shell (Reset webGUI password). If you are using the DHCP server, be thankful this is a new install. Hopefully you've installed before and have an old config laying around. If not, you'll be reconfiguring from scratch, there's not much we can do. You can try disabling/reenabling the DHCP server after upgrading to .79.2. I've had one report of that working and one of that not working - if it doesn't work, reinstall.

--Bill

PS. For those wondering... 1.10 == 1.1 I apparently failed floating point 101!
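The failure mode described in this announcement, modelled as an added example (not pfSense code): a config version that round-trips through a float turns "1.10" into "1.1", the boot-time check then re-runs old upgrade steps, and a password step that is not idempotent transforms the stored value a second time. The step names, step versions and the `sha256$` marker are assumptions made for the illustration.

```python
import hashlib


def as_float(version):
    """Lossy comparison key: '1.10' and '1.1' become the same number."""
    return float(version)


def as_tuple(version):
    """Component-wise key: '1.10' -> (1, 10), which sorts after (1, 9)."""
    return tuple(int(part) for part in version.split("."))


def hash_once(value):
    # Stand-in for the real one-way password transform (hypothetical format).
    return "sha256$" + hashlib.sha256(value.encode()).hexdigest()


def hash_password_step(cfg):
    """Naive upgrade step: transforms whatever is stored, even a hash."""
    cfg["password"] = hash_once(cfg["password"])


def hash_password_step_idempotent(cfg):
    """Hardened step: leaves a value alone if it is already in the new format."""
    if not cfg["password"].startswith("sha256$"):
        cfg["password"] = hash_once(cfg["password"])


def add_dhcp_defaults_step(cfg):
    cfg.setdefault("dhcp", {"enabled": False})


# (version a step upgrades TO, step). Hypothetical numbering.
STEPS = [("1.5", hash_password_step), ("1.10", add_dhcp_defaults_step)]
SAFE_STEPS = [("1.5", hash_password_step_idempotent), ("1.10", add_dhcp_defaults_step)]
LATEST = "1.10"


def upgrade(cfg, key, steps):
    """Boot-time check: run every step whose target is newer than cfg['version']."""
    ran = []
    for target, step in steps:
        if key(cfg["version"]) < key(target):
            step(cfg)
            ran.append(step.__name__)
    cfg["version"] = LATEST
    return ran


def store_version_as_float(cfg):
    """The lossy write: '1.10' goes through float() and is saved as '1.1'."""
    cfg["version"] = str(float(cfg["version"]))


def simulate(steps):
    """Two boots with a lossy version write in between.

    Returns (steps run on boot 1, steps run on boot 2, password unchanged by boot 2).
    """
    cfg = {"version": "1.9", "password": hash_once("admin-pw")}
    first = upgrade(cfg, as_tuple, steps)
    password_after_first = cfg["password"]
    store_version_as_float(cfg)          # version is now '1.1'
    second = upgrade(cfg, as_tuple, steps)
    return first, second, cfg["password"] == password_after_first


if __name__ == "__main__":
    print("float('1.10') < float('1.9'):", as_float("1.10") < as_float("1.9"))
    print("naive steps :", simulate(STEPS))
    print("safe steps  :", simulate(SAFE_STEPS))
```

With the naive step list the second boot rewrites the stored password and nobody can log in; with the idempotent step the same version mix-up leaves the password intact.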
Re: [pfSense Support] wireless card on lan
On 8/23/05, Scott Ullrich [EMAIL PROTECTED] wrote:
> I'll check it out. I really need to rip out the interfaces crap and redo it completely. But no time and a feature freeze. GRR.

Yeah, I think this work is slated for 2.x / next hackathon or something. The right way to do this requires a significant redesign for how interfaces work in pfSense. In the meantime it sounds like Scott will fix up the remaining screens to at least allow for the same info.

--Bill
Re: [pfSense Support] Upgrade from m0n0 to pfSense?
On 8/23/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
>>> As a test, I tried to create a rule to send all VNC traffic over the OPT1 WAN interface, but it always used the default WAN interface. I must be missing something. How can this be done when the second WAN interface has a static IP?
>>
>> Possibly, possibly not. Check /tmp/rules.debug for the rule that you're adding and please post it here to see if the gateway portion is being added correctly for the rule in question.
>
> # NAT Inbound Redircts
> ...
> rdr on xl2 proto tcp from any to port 5900 -> 192.168.1.230 port 5900
> rdr on xl1 proto tcp from any to port 5900 -> 192.168.1.230 port 5900
> # User-defined rules follow
> ...
> pass in quick on $WANII proto tcp from any to { 192.168.1.230 } port = 5900 keep state label USER_RULE: NAT Allow VNC to buzz via WAN2
> ...

That's inbound. The multi-wan code we're talking about is outbound. By default inbound traffic to an IP will return out the interface/gateway it came in on (as long as you have a gateway setup in the interface config). It's up to the user to get the inbound traffic on the right link, via DNS, or IP, or whatever other trick.

--Bill
Re: [pfSense Support] Virtual IPs not working
On 8/22/05, Bastian Schern [EMAIL PROTECTED] wrote:
> Hi,
> SNIP
> I'm using pfSense Version 0.79.2 and my Virtual IPs are not functional. It's not possible to ping any Virtual Interface. Most important thing is to get the external IPs back to work. Because all of them should be forwarded to Webserver, Mailserver, ...

Expected behaviour. ProxyARP doesn't create another IP address on the firewall, it just replies to the upstream router with an arp reply when queried for that IP. As has been suggested, do a 1:1 NAT, or Port Forward the ICMP to the appropriate server (rules permitting). Alternately, use CARP - it'll create an interface with that IP so the firewall will respond (rules permitting).

--Bill
Re: [pfSense Support] 0.78 on WRAP 1E board
What SSH client are you using? Is it configured for 'keyboard-interactive'?

--Bill

On 8/20/05, Giorgio Ducci [EMAIL PROTECTED] wrote:
> Hi,
>
> I get installed the last embedded release 0.78 on a WRAP 1E board and now all the minor webgui problem related to status==interfaces are ok. Wonderful!!
>
> After that I tried to connect by SSH to pfsense after, of course, have enabled it in System==advanced but I cannot log in: it says ...no further authentication methods available.. I also disabled the firewall to be sure that some rule would not interfere but no chances.
>
> Should I do something else to enable the ssh or the problem is elsewhere? Has someone else the same problem with embedded release?
>
> cheers
> Giorgio
Re: [pfSense Support] Alert about pf rules syntax errors... again...
I've had coworkers report the same issue. The solution was to remove the entire IPSEC section in the XML file (actually, if you know exactly what to remove, you don't need to, but this is the easier more generic way describing the fix). At some point in one of the versions right after the hackathon we accidentally set an empty tunnel in memory which got saved to the config file. Maybe in the next release we can update config file versions and clear any blank tunnel fields (if someone can send me a known bad config file exhibiting this behaviour).

--Bill

On 8/17/05, Scott Ullrich [EMAIL PROTECTED] wrote:
> The problem is the previous version had a parser bug and I bet money your ipsec profiles are now corrupted. I had to readd my ipsec connections after the version in question (cannot recall which version it was).
>
> The web gui's job is to enforce data but if it becomes corrupted then it gets rather hard to enforce, no?
>
> Scott
>
> On 8/17/05, Randy B [EMAIL PROTECTED] wrote:
>> Scott Ullrich wrote:
>>> I just tested the latest vpn.inc with my home firewall that has 4+ ipsec links and it works fine. I'll be releasing a new version soon. Please be on the lookout for it and give it a try.
>>>
>>> Scott
>>
>> I'm still showing this issue in 0.77. My last fix was to comment out a large swath of /etc/inc/filter.inc, but I tried to be a bit more pragmatic about it this time, and realized that I came to the precise same conclusions that M. Kohn came to. There needs to be some catch, some hook in vpn_ipsec.php (line 36 where the empty definition is created), filter.inc (see previously submitted patch), or vpn.inc. Something somewhere either has to stop making the empty tunnel or everything else has to be changed to be able to deal with it.
>>
>> Scott - you said a change to filter.inc is not the correct fix, and to make it in /etc/inc/vpn.inc. Why would that be? AFAICT, vpn.inc just sets up defined tunnels - very little error control in it. The specified code chunk in filter.inc (starting ~2093) seems to be the flawed one - it just happily chews right over definitions, uncaring whether they're empty or not. Shouldn't a process that's generating system commands be a bit more concerned about whether or not it's putting out proper syntax?
>>
>> RB
Re: [pfSense Support] pfSense on complex Network
No. Use the new Virtual IP screen to create virtual IPs that are either proxy arp or other depending on whether those IPs are routed to the physical subnet the box is on or to it directly.

--Bill

On 8/15/05, Paulus Edwin Prasetya [EMAIL PROTECTED] wrote:
> So, it is really because of realtek, so I cannot NAT using xxx.xxx.148.11 or other on the wan with IP xxx.xxx.148.10?
>
> Ted Crow wrote:
>> For my production unit, I have a SuperMicro 5013 server with 2 LOB Intel Gigabit LAN/WAN interfaces and a PCI/64 Intel Quad Fast Ethernet for my OPT interfaces. Works great with top notch throughput. (IIRC, I've been using this hw since 0.49)
>>
>> I pretty much gave up on Realtek a couple years ago, and now avoid systems with built in Realtek NICs. A while back I did a test with 11 Intel NICs in one pfSense box and it worked flawlessly. So, probably needless to say, I highly recommend Intel NICs. In general practice, I put 3Com NICs third on my list right behind Broadcom.
>>
>> Ted Crow
>> MCP/W2K
>> Information Technology Manager
>> Tuttle Services, Inc.
>> (419) 228-6262 x 247
>>
>> From: David Strout [mailto:[EMAIL PROTECTED]
>> Sent: Monday, August 15, 2005 1:54 PM
>> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
>> Cc: [EMAIL PROTECTED]; support@pfsense.com
>> Subject: Re: Re: [pfSense Support] pfSense on complex Network
>>
>>> I have an old Dell Precision w/ PCI-X slots and use the Intel (PCI/PCI-X) quad 10/100/1000 card (I have two working flawlessly w/ 0.74.8) that's my recommendation - stick w/ intel on many/multi homed (more than 2-3 NICs) boxes.
>>>
>>> --
>>> David L. Strout
>>> Engineering Systems Plus, LLC
>>>
>>> ----- Original Message -----
>>> Subject: Re: [pfSense Support] pfSense on complex Network
>>> From: [EMAIL PROTECTED]
>>> To: [EMAIL PROTECTED]
>>> Date: 08-15-2005 1:43 pm
>>>
>>>> On 8/15/05, Scott Ullrich [EMAIL PROTECTED] wrote:
>>>>> On 8/15/05, Paulus Edwin Prasetya [EMAIL PROTECTED] wrote:
>>>>>> Hi, I'm new to this list, any one can help me? I am setting up a quite complex gateway using pfSense; the box contains 6 NICs all using RealTek (rl0-rl5)
>>>>>
>>>>> Are you sure that all 6 Realtek NICS function correctly in the machine? That's a lot of NICS and RealTeks at that (read: I would use better nics such as intel/3com).
>>>>
>>>> I wouldn't even recommend 3Com - I've had more tons of problems with them. Absolutely agreed though that Realtek suck *ss. Expect poor performance.
>>>>
>>>> --Bill
Re: [pfSense Support] Port Forward failing
On 8/16/05, Howard Virag [EMAIL PROTECTED] wrote:
> Hello,
>
> This is likely not strictly (or loosely) a pfSense problem. Can someone venture a guess as to why simple port forwarding is failing for me? In short, it works to my Linux PC, an older AMD 800 MHz machine, but port forwards to my Sun Sparc Ultra 2 fail regardless of port.

Interesting...how's routing on the U2 set up? Is the default gateway the same as the AMD? How's the ARP table look - is it similar to the AMD box? I'm kind of assuming that the AMD and U2 are on the same network ;)

> I am using pfSense, 0.74.4, behind an Actiontec GT704 set up as a transparent bridge after having used a simpler DSL Paradyne modem weeks ago successfully with IPCop. I recall that all worked nicely before.

PPPOE on the pfSense? I'm not completely following your network setup here.

> Any suggestions on what to look at? With previous posts in mind, I do have a mix of 3Com and a cheap new Realtek card. Will using these cards make any difference for a small home network?

Performance issues mainly. The NICs work, just don't expect 100Mbit out of them (with exception to 3com which can just have weird issues).

--Bill
Re: [pfSense Support] Ping issue
On 8/12/05, Chris Buechler [EMAIL PROTECTED] wrote:
> On 8/12/05, Bill Marquette [EMAIL PROTECTED] wrote:
>> Let me guess, the hosts initiating the PING are running Windows? I'm pretty sure we've recently fixed this bug. Care to try it?
>
> With ipfilter 3.x (and hence m0n0wall) it doesn't matter if the hosts are Windows or not. It isn't even as smart as PF's behavior prior to that latest patch. Just doesn't work from multiple sources behind NAT no matter what.

Ahhh, didn't realize IPFilter still sucked that hard. I've never used it with NAT. I thought it at least knew about the ICMPID though.

> But yes, should be completely fixed here. :)

The patch for those that care (it's committed in OpenBSD now I think) is http://marc.theaimsgroup.com/?l=openbsd-pf&m=112316815028454&w=2 and see http://marc.theaimsgroup.com/?l=openbsd-pf&m=112299265510286&w=2 for an explanation of what the patch actually does. The patch has been in since at least the hackathon, so all versions newer than .74 should have this fixed.

--Bill
Re: [pfSense Support] ISO problems ... still
Hrm..I've got a GX110 sitting on my desk here that I installed FreeBSD on just fine. If I can dig up another HD, I'll try the install on it.

--Bill

On 8/11/05, Wesley Joyce [EMAIL PROTECTED] wrote:
> I'm in the same boat as well on Dell GX 110's. I have followed the 'upgrade solution' of installing 0.68.x and upgrading from there.
>
> -----Original Message-----
> From: William Pflaumer [mailto:[EMAIL PROTECTED]
> Sent: Thursday, August 11, 2005 7:11 AM
> To: David Strout
> Cc: support@pfsense.com
> Subject: RE: [pfSense Support] ISO problems ... still
>
>> David and List,
>>
>> I, too have not been able to do a harddrive install on my Dell Dimension XPS R300 since V 0.63 or so. (Last version that the installer functioned properly) That version had a bug with DHCP Client on the WAN Interface. I get Kernel Page Faults about 50% of the install with all later LiveCDs. I don't have specific errors, but I tried about 6 different Live CDs versions. I tried Bios tweaks (NO sound, NO power Management, NO USB), different memory (Ran Extensive memory tests), different HD, CDROM Drives, Use known good 3Com 3c905b from my Monowall PC.
>>
>> As a New Version comes out and fails to install, I try different things (place HD and CDROM Drive on the Same IDE Channel or delete the Partition with DELPART), the list goes on and on. I tried the install on a Toshiba 300mhz Celeron and I get ATA IDENTITY issues.
>>
>> Someone will probably suggest install that earlier version (I believe it was 0.63) and do a manual update from there, but the way this product is evolving that idea probably will not work.
>>
>> I really like this firewall (been using Monowall since pb27) but I just cannot get this SOB to install. The feature I am waiting to see is DANSGUARDIAN WebFilter with Squid Transparent Proxy. I can post the specific errors that I receive if need be (no time to do it now)
>>
>> Thanks for this great Product,
>> Bill
>>
>> -----Original Message-----
>> From: David Strout [mailto:[EMAIL PROTECTED]
>> Sent: Wednesday, August 10, 2005 12:59 PM
>> To: support@pfsense.com
>> Subject: [pfSense Support] ISO problems ... still
>>
>>> Anyone,
>>>
>>> I have tried burning all of the version 0.73.x ISOs, and still the problem of when you launch the /FreeSBIE/scripts/install.sh script it hangs on the Waiting for Backend ANSI screen. Additionally, a couple of messages pop up on the bottom of the screen ...
>>>
>>> xl0 link changed state to DOWN
>>> xl0 link state changed to UP.
>>>
>>> BTW ... xl0 is configured for the WAN interface on the ISO boot up and pre-config.
>>>
>>> I'm at a loss ... tried a few BIOS tweaks and nothing seems to help. I'm wondering if anyone else is experiencing the same symptoms.
>>>
>>> BTW2 ... tried two different PC's: a Dell GX260, a generic PC running an AMD Athlon 700Mhz
>>>
>>> I have had no problems w/ prior versions (0.68.x), but this issue crept up in/or about the 0.73.0 version.
>>>
>>> Any ideas ?
>>>
>>> --
>>> David L. Strout
>>> Engineering Systems Plus, LLC
Re: [pfSense Support] load balancer
You won't find one until that work is complete. How it should work is not how it currently works - it's a functioning work in progress.

--Bill

On 8/8/05, alan walters [EMAIL PROTECTED] wrote:
> Just looking for a quick blah on how the incoming load balancer should work
Re: [pfSense Support] FreeRadius Package - slight security issue
On 8/5/05, Paul Taylor [EMAIL PROTECTED] wrote:
> While looking through the config.xml file to see if I could spot anything unusual (to help me fix the last issue I posted about), I noticed the FreeRadius config... The problem that I saw is that the passwords are stored in clear text. I would think that the passwords should be at least base64encoded for storage, so at least they would be as secure as the locally managed passwords, native to pfSense and Monowall.

Actually, base64encoding would still be less secure (and as an application auditor, wouldn't provide more than another 10 seconds of delay in retrieving them) than local passwords which are one way hashed. I don't know anything about the FreeRadius package so I can't comment directly on what it requires or what the passwords it stores in our config.xml are supposed to resemble. It's an issue, I don't know how to fix it at this point as I've never even looked at that part of code.

--Bill
Re: [pfSense Support] FreeRadius Package - slight security issue
On 8/5/05, Paul Taylor [EMAIL PROTECTED] wrote:
> Bill,
>
> Well, yes, I realize that base64encoding doesn't provide much in the way of security... But it's better than the data being completely in the clear... I have some encryption/decryption code around here somewhere that could probably be used, but of course the key would have to be in the code, where it could be seen, so even that doesn't provide great security...

And I disagree. base64encoding provides zero security. Obscuring the data is no excuse for real protection. If we can protect it the right way (a one way hash), we will. Anything less than a one-way hash means it's reversible, passwords shouldn't be reversible in any way shape or form - I'd rather have glaring plaintext passwords reminding me to do something about them than something that at first glance passes muster. I'll personally back out any commit that does a half-ass job at it (not that I expect anyone to make such a commit). Don't hand out your config.xml and you'll be fine.

--Bill
Re: [pfSense Support] FreeRadius Package - slight security issue
Get a privacy screen for your monitor. Or get a mirror for the monitor so you can see the corporate spies. Or retrieve the config file via status.php which will sanitize the passwords. Masking the passwords w/ base64 doesn't solve the problem and we will _NOT_ implement a half assed solution.

--Bill

On 8/5/05, Paul Taylor [EMAIL PROTECTED] wrote:
> Bill,
>
> Sure, if someone gets a hold of the config.xml file, no amount of base64encoding will stop them from getting a password.. But, if someone is in the same room with you looking over your shoulder while you are looking through the config.xml file, there is no need to give them a clear view of usernames and passwords. In a corporate environment, people can walk by your office or cube any time... We have found ourselves in this very situation more than once... Having passwords in a file that we were working on in clear text, when someone unexpectedly dropped by.. In our situation, we are pretty out-of-the-way, but in most corporate environments, that just isn't the case... People are crammed in cubes right next to each other, and they might not even be doing related jobs.
>
> Paul
>
> -----Original Message-----
> From: Bill Marquette [mailto:[EMAIL PROTECTED]
> Sent: Friday, August 05, 2005 11:17 AM
> To: Paul Taylor
> Cc: support@pfsense.com
> Subject: Re: [pfSense Support] FreeRadius Package - slight security issue
>
>> On 8/5/05, Paul Taylor [EMAIL PROTECTED] wrote:
>>> Bill,
>>>
>>> Well, yes, I realize that base64encoding doesn't provide much in the way of security... But it's better than the data being completely in the clear... I have some encryption/decryption code around here somewhere that could probably be used, but of course the key would have to be in the code, where it could be seen, so even that doesn't provide great security...
>>
>> And I disagree. base64encoding provides zero security. Obscuring the data is no excuse for real protection. If we can protect it the right way (a one way hash), we will. Anything less than a one-way hash means it's reversible, passwords shouldn't be reversible in any way shape or form - I'd rather have glaring plaintext passwords reminding me to do something about them than something that at first glance passes muster. I'll personally back out any commit that does a half-ass job at it (not that I expect anyone to make such a commit). Don't hand out your config.xml and you'll be fine.
>>
>> --Bill
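The three options argued over in this thread, side by side, as an added example that is not pfSense or FreeRadius code: base64 masking (reversible by anyone), a salted one-way hash that can only be verified, and redacting secrets from a config before it is shown or shared. The sample XML is constructed, and the element names treated as secrets are assumptions rather than the real config.xml schema.

```python
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

# Constructed sample; not a real pfSense config.xml.
SAMPLE_CONFIG = """<config>
  <system><username>admin</username><password>s3cret-admin</password></system>
  <radius>
    <user><name>pault</name><password>hunter2</password></user>
  </radius>
</config>"""

# Assumed names of elements that hold secrets.
SECRET_TAGS = {"password", "secret", "passphrase"}


def b64_mask(password):
    """'Masking' as proposed in the thread: an encoding, not protection."""
    return base64.b64encode(password.encode()).decode()


def b64_unmask(masked):
    """Anyone holding the file can undo the masking without any key."""
    return base64.b64decode(masked).decode()


def hash_password(password, salt=None, iterations=200_000):
    """Salted PBKDF2-HMAC-SHA256; the stored string cannot be reversed."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(candidate, stored):
    """Recompute with the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        expected = bytes.fromhex(digest_hex)
        actual = hashlib.pbkdf2_hmac(
            "sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iterations)
        )
    except ValueError:
        return False  # malformed stored value
    return hmac.compare_digest(actual, expected)


def sanitize_config(xml_text, placeholder="xxxxx"):
    """Return (redacted XML, number of secrets replaced) for safe sharing."""
    root = ET.fromstring(xml_text)
    redacted = 0
    for element in root.iter():
        if element.tag.lower() in SECRET_TAGS and element.text:
            element.text = placeholder
            redacted += 1
    return ET.tostring(root, encoding="unicode"), redacted


if __name__ == "__main__":
    masked = b64_mask("hunter2")
    print("masked:", masked, "-> recovered:", b64_unmask(masked))
    stored = hash_password("hunter2")
    print("hash verifies:", verify_password("hunter2", stored))
    print(sanitize_config(SAMPLE_CONFIG)[0])
```

Whether a hash can replace the stored value depends on what the consumer of the password needs, which the thread leaves open for the FreeRadius package; redaction covers the shoulder-surfing and config-sharing cases either way.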
Re: [pfSense Support] Two ISP configuration
It sure does :) I had an ISP failure last night, quite annoying :) I've now got a duplicate of all my rules with different gateways setup. I enable/disable the rules depending on which ISP I need/want the traffic to head out at that time. Can't wait 'til this weekend so we can make all that automatic instead of manually doing it :) So, yes to answer the unasked question...the people that know how to fix this are getting annoyed by it too so it _will_ be fixed. It's not just a feature that we think would be cool so we're putting it in, it's going to work because we want it to work for ourselves too :)

--Bill

On 8/3/05, alan walters [EMAIL PROTECTED] wrote:
> Configure opt 1 with public IPs and set gateway to (LMDS). Configure wan the same way with your dhcp setting. Now on the lan use advanced outbound nat and 1 to nat to configure the clients to their respective gateway. No failover but dual WAN works
>
> -----Original Message-----
> From: Charrua [mailto:[EMAIL PROTECTED]
> Sent: 03 August 2005 21:45
> To: Scott Ullrich
> Cc: support@pfsense.com
> Subject: Re: [pfSense Support] Two ISP configuration
>
>> Great! Thanks for your prompt reply. Right now I'm trying version 0.73.2. Could you please give me a hint on how to accomplish each point?
>>
>> Thanks in advance,
>> Andrés
>>
>> ----- Original Message -----
>> From: Scott Ullrich [EMAIL PROTECTED]
>> To: Charrua [EMAIL PROTECTED]
>> Cc: support@pfsense.com
>> Sent: Wednesday, August 03, 2005 5:36 PM
>> Subject: Re: [pfSense Support] Two ISP configuration
>>
>>> On 8/3/05, Charrua [EMAIL PROTECTED] wrote:
>>>> Hi
>>>>
>>>> I have two Internet connections from two different ISPs. Connection A is ADSL, connection B is another kind of broadband connection (LMDS). In the ADSL link I have 1 public ip which changes dynamically, and in the B connection I have 28 fixed public IP's that I can use. Each of them come into my network through a standard Ethernet 10BaseT connection.
>>>>
>>>> I would like to have the following configuration:
>>>>
>>>> 1. A few users will be assigned public IPs (belonging to the B connection).
>>>
>>> This is doable.
>>>
>>>> 2. The rest of the users will be assigned private IPs, and their traffic will go out using NAT
>>>
>>> Should be ok.
>>>
>>>> 3. I want to route some of the users which have private IPs through connection A (ADSL) and other users having private IPs through the B connection (kind of static balance of the traffic).
>>>
>>> No load balancing available yet. It's scheduled for the weekend.
>>>
>>>> 4. If there is no Internet connectivity through the B connection, I want that all the users with private IPs, be automatically routed through the A (ADSL) link.
>>>
>>> Not doable until after this weekend.
>>>
>>> Scott
Re: [pfSense Support] concurrent captive portal users
On 8/2/05, Paul Taylor [EMAIL PROTECTED] wrote:

Woops - I was trying to paste this in after like so: when I accidentally sent the email... :)

Last 50 captive portal log entries

Aug 2 13:44:33 LOGIN: pault, 00:50:da:b2:42:36, 192.168.1.254
Aug 2 13:45:29 LOGIN: pault, 00:10:4b:76:91:4e, 192.168.1.253
Aug 2 14:01:34 DISCONNECT: pault, 00:10:4b:76:91:4e, 192.168.1.253
Aug 2 14:01:51 CONCURRENT LOGIN - TERMINATING: pault, 00:50:da:b2:42:36, 192.168.1.254
Aug 2 14:01:51 LOGIN: pault, 00:10:4b:76:91:4e, 192.168.1.253
Aug 2 14:01:55 CONCURRENT LOGIN - TERMINATING: pault, 00:10:4b:76:91:4e, 192.168.1.253
Aug 2 14:01:55 LOGIN: pault, 00:50:da:b2:42:36, 192.168.1.254
Aug 2 14:02:24 CONCURRENT LOGIN - TERMINATING: pault, 00:50:da:b2:42:36, 192.168.1.254
Aug 2 14:02:24 LOGIN: pault, 00:10:4b:76:91:4e, 192.168.1.253
Aug 2 14:02:38 CONCURRENT LOGIN - TERMINATING: pault, 00:10:4b:76:91:4e, 192.168.1.253
Aug 2 14:02:38 LOGIN: pault, 00:50:da:b2:42:36, 192.168.1.254

Note that I kicked the pault user at 14:01:34, then tried logging in as pault at 14:01:51 (after saving the code onto Monowall). It kicked the other login of pault out (the .254 user) and then logged me in (.253). Then, we went back and forth logged each other out... What fun!

You might also make the behaviour configurable - say, _not_ logging the existing user out, or giving an option asking first.

--Bill
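The back-and-forth in the log above, one account terminated again and again from two MAC addresses, is also what a shared or reused captive-portal credential looks like to whoever reviews the log. As an added example (not code from this thread, pfSense or m0n0wall), the Python below parses that log format and flags such accounts; the year, the five-minute window and the threshold of three terminations are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Log lines copied from the post above. The log carries no year; 2005 is assumed.
LOG = """\
Aug 2 13:44:33 LOGIN: pault, 00:50:da:b2:42:36, 192.168.1.254
Aug 2 13:45:29 LOGIN: pault, 00:10:4b:76:91:4e, 192.168.1.253
Aug 2 14:01:34 DISCONNECT: pault, 00:10:4b:76:91:4e, 192.168.1.253
Aug 2 14:01:51 CONCURRENT LOGIN - TERMINATING: pault, 00:50:da:b2:42:36, 192.168.1.254
Aug 2 14:01:51 LOGIN: pault, 00:10:4b:76:91:4e, 192.168.1.253
Aug 2 14:01:55 CONCURRENT LOGIN - TERMINATING: pault, 00:10:4b:76:91:4e, 192.168.1.253
Aug 2 14:01:55 LOGIN: pault, 00:50:da:b2:42:36, 192.168.1.254
Aug 2 14:02:24 CONCURRENT LOGIN - TERMINATING: pault, 00:50:da:b2:42:36, 192.168.1.254
Aug 2 14:02:24 LOGIN: pault, 00:10:4b:76:91:4e, 192.168.1.253
Aug 2 14:02:38 CONCURRENT LOGIN - TERMINATING: pault, 00:10:4b:76:91:4e, 192.168.1.253
Aug 2 14:02:38 LOGIN: pault, 00:50:da:b2:42:36, 192.168.1.254
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} [\d:]{8}) "
                     r"(?P<event>LOGIN|DISCONNECT|CONCURRENT LOGIN - TERMINATING): "
                     r"(?P<user>[^,]+), (?P<mac>[0-9a-f:]{17}), (?P<ip>[\d.]+)$")

def parse(log, year=2005):
    """Return (timestamp, event, user, mac, ip) tuples; unparseable lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["event"], m["user"], m["mac"], m["ip"]))
    return events

def flapping_users(events, window=timedelta(minutes=5), threshold=3):
    """Map user -> MACs when `threshold` consecutive concurrent-login
    terminations of that user fall inside `window` and involve more than one MAC."""
    kicks = defaultdict(list)
    for ts, event, user, mac, _ip in sorted(events):
        if event == "CONCURRENT LOGIN - TERMINATING":
            kicks[user].append((ts, mac))
    flagged = {}
    for user, items in kicks.items():
        for end in range(threshold - 1, len(items)):
            burst = items[end - threshold + 1:end + 1]
            macs = {mac for _, mac in burst}
            if burst[-1][0] - burst[0][0] <= window and len(macs) > 1:
                flagged[user] = sorted(macs)
                break
    return flagged
```

Run over the log from the post, `flapping_users(parse(LOG))` reports `pault` with both MAC addresses.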
Re: [pfSense Support] Enable 'routed'
On 8/2/05, Scott Muller [EMAIL PROTECTED] wrote:

Is it possible to enable the Routing daemon (routed). Our pfsense box sits on a network that uses rip v2. I have manually started /sbin/routed -q (-q means listen only) from the shell prompt but need an integrated way to do this, or is there a recommended alternative way to get this going.

You can use shellcmd for this (http://m0n0.ch/wall/list/?action=show_msgactionargs[]=135actionargs[]=62)

--Bill
Re: [pfSense Support] 0.71.2 on WRAP
On 7/29/05, Scott Ullrich [EMAIL PROTECTED] wrote:

On 7/29/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

- I created a Virtual IP using the same IP address as my WAN interface, trying to get the router to accept (or redirect) ICMP (I want my system pingable). I failed in doing that.

(1) How do I make my router pingable from the outside world?

(2) In making that change above, I wasn't able to remove the interface. The error always said that that VIP was in use by a NAT rule. In order to remove it, I needed to remove all my NAT rules, delete the VIP, and re-enter all the NAT rules by hand. Painful!

I'll let Bill chime in here but to get ICMP working you need to allow the protocol in the interface rules.

Hrm, I'll check this out. I've got a code change that I need to commit for this stuff anyway. The VIP code does check to see if you've used the VIP in a NAT entry (probably cause the only reason you need a VIP is if you don't use the interface address in your NAT), I don't see that changing. I can probably easily add code to not allow a VIP that is the same IP as the interface address though.

--Bill
Re: [pfSense Support] traffic shaper queues scheduler options
Use the EZ-Shaper wizard. It will do exactly what you want.

--Bill

On 7/24/05, Xtian [EMAIL PROTECTED] wrote:

Hi,

I have done my best to read the FAQs, documentation, and mailing list archives for both pfSense and Monowall, and have not found any information on this, hence I am asking here. If I overlooked something, please point me to the information. Thanks!

pfSense has no documentation for the traffic shaper. Since the traffic shaper is significantly different than that of Monowall's, the Monowall documentation (which is also non-existent, but there is one example in their mailing list archives on how to prioritize ACKs) doesn't directly apply.

Specifically, in Firewall: Shaper: Queues: Edit, what do the following fields or check boxes in the Scheduler options section mean:

This is a parent queue of HFSC/CBQ
Upperlimit: [field] [field] [field]
Real time: [field] [field] [field]
Link share: [field] [field] [field]

How are they to be set?

If I were to be more specific: I wish to prioritize interactive SSH traffic above all else (such that FTP, bittorrent, etc., do not create such massive lag in my SSH sessions.) If you tell me about the Scheduler options I am sure I can figure it out on my own, but if you want I would also be glad for information specific to the SSH question.

Perhaps this could be added to the pfSense documentation? Or tutorials? I think that besides firewalling and routing, traffic shaping must be the most used feature in pfSense. Documentation would be highly welcome.

Thanks,
-Christian
Re: [pfSense Support] traffic shaper queues scheduler options
On 7/25/05, Christian Rohrmeier [EMAIL PROTECTED] wrote:

I haven't found that to be true. It doesn't create any rules for SSH. pfSense has a wide selection of games and P2P software that it will make rules and queues for, but not SSH, unless I overlooked something. Certainly trying to SSH whilst FTPing a large suffered from the same massive lag as always.

SSH sets the TOS lowdelay bit on all its ACKs, so non-bulk SSH should by default go into the ACK queue. Any chance you were saturating your downstream with ACKs, which would force SSH and FTP to then compete within the same queue?

I would still like to know what the 6 fields in the traffic shaper scheduler are for though!

I'll update the code with comments, in the meantime, from the pf.conf man page:

The hfsc scheduler supports some additional options:

realtime _sc_ The minimum required bandwidth for the queue.
upperlimit _sc_ The maximum allowed bandwidth for the queue.
linkshare _sc_ The bandwidth share of a backlogged queue.

sc is an acronym for service curve. The format for service curve specifications is (m1, d, m2). m2 controls the bandwidth assigned to the queue. m1 and d are optional and can be used to control the initial bandwidth assignment. For the first d milliseconds the queue gets the bandwidth given as m1, afterwards the value given in m2.

The boxes correspond to m1, d, m2 in that order (except m1 and d are not optional with pfsense).

--Bill
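How the three boxes (m1, d, m2) interact, as an added example that is not part of this thread or of pfSense: the Python below parses a service curve written in the (m1, d, m2) form quoted above and computes how much traffic the curve covers over time, following the man page wording (m1 for the first d milliseconds, m2 afterwards). The sample curves and the decimal Kb/Mb multipliers are assumptions.

```python
import re

# Assumed multipliers: bits per second, decimal (Kb = 1000 b).
UNITS = {"b": 1, "Kb": 1_000, "Mb": 1_000_000, "Gb": 1_000_000_000}

def parse_bw(text):
    """Convert a bandwidth such as '256Kb' to bits per second."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)(b|Kb|Mb|Gb)", text.strip())
    if not m:
        raise ValueError(f"bad bandwidth: {text!r}")
    return float(m[1]) * UNITS[m[2]]

def parse_sc(spec):
    """Parse '(m1, d, m2)' into (m1 bit/s, d ms, m2 bit/s); all three are required,
    matching the pfSense boxes described in the post."""
    m = re.fullmatch(r"\(([^,]+),\s*(\d+)\s*,([^,]+)\)", spec.strip())
    if not m:
        raise ValueError(f"bad service curve: {spec!r}")
    return parse_bw(m[1]), int(m[2]), parse_bw(m[3])

def bits_served(sc, t_ms):
    """Bits covered by the curve t_ms after the queue becomes backlogged."""
    m1, d, m2 = sc
    if t_ms <= d:
        return m1 * t_ms / 1000
    return m1 * d / 1000 + m2 * (t_ms - d) / 1000

def drain_time_ms(sc, bits):
    """Milliseconds until the curve has covered `bits` of queued traffic."""
    m1, d, m2 = sc
    if bits <= 0:
        return 0.0
    first = m1 * d / 1000              # bits covered during the initial d ms
    if m1 and bits <= first:
        return bits * 1000 / m1
    if not m2:
        raise ValueError("m2 is zero: the curve never covers this much traffic")
    return d + (bits - first) * 1000 / m2

# Constructed curves: a 1Mb burst for 100 ms, versus the same long-term rate with no burst.
BURSTY = parse_sc("(1Mb, 100, 256Kb)")
FLAT = parse_sc("(256Kb, 100, 256Kb)")
```

For a constructed 64,000-bit burst of interactive traffic, `drain_time_ms(BURSTY, 64000)` gives 64 ms while `drain_time_ms(FLAT, 64000)` gives 250 ms, although both curves settle at the same m2.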
Re: [pfSense Support] round robin on inbound nat
On 7/21/05, alan walters [EMAIL PROTECTED] wrote:

I would like to try and test an inbound round robin to our test web servers.

This isn't currently a feature, it's being worked on.

Would it be possible to put a shell command in to do this.

Please tell me if you figure something out that's easier than me writing code.

If so would this sync across a carp array.

Not at this time.

Look forward to your replies
Re: [pfSense Support] Re: [BULK] AW: [pfSense Support] carp array
Yikes...why aren't you using proxy arp? At any rate, carp will work for that too - it'll be somewhat noisy, but'll work just fine. In fact...what the hell I recommend it, there, I said it...;-P

--Bill

On 7/18/05, ijez [EMAIL PROTECTED] wrote:

Hi,

1. config all your public IPs as CARP-IPs, so the pfsense will answer them on wan

Sorry to ask, it is possible for me to do this for replacing IP Aliases? currently i have to manually edit config.xml to include all those Public IP that i have under shellcmd so that my WAN interfaces will answer to all my public IP and port forward to my server on DMZ with private IP set ( 192.168.0.x )

Please shed me some light on this and thanks in advance,

Regards,
Re: [pfSense Support] 0.70.2 ???
Try http://www.pfsense.com/downloads/pfSense-Full-Update-0.70.2.tgz and another useful URL :) http://www.pfsense.com/downloads/

On 7/17/05, David Strout [EMAIL PROTECTED] wrote:

I saw the post on the BLOG about ver 0.70.2 but can seem to find it on the updates link or in the downloads directory at http://www.pfsense.com/ Am I missing something???

--
David L. Strout
Engineering Systems Plus, LLC