Re: [pfSense Support] Thoughts on hardware for a possible pfSense installation for firewalling 5000+ workstations on a 30-40Mbps Internet uplink
I have a slightly larger deployment in HA failover using Dell R200's with 4GB RAM and a QC processor. 4400 users, 18 VLANs, 200MB WAN and 300 servers (customer facing). These are also the inter-VLAN routers :)
Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com
On Fri, Mar 4, 2011 at 11:03 AM, Eric Feldhusen efeldhusen.li...@gmail.com wrote:
As part of a regional education service agency to multiple K-12 school districts, we're talking about using pfSense for our NAT/firewalling for approximately 5000+ workstations on a 30-40 Mbps internet uplink. Anyone on the list have a pfSense similar to that for any suggestions? My plan would be to do NAT/firewall, no squid, squidguard, snort packages. Thank you in advance for any information.
Eric Feldhusen
- To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] Backups Via FTP (split in to two gig chunks) Acronis
On Wed, Dec 1, 2010 at 11:51 AM, justino garcia jgarciaitl...@gmail.com wrote:
Why is it that it won't use at least half of the 10.37 Mbps upload from FIOS? Colo is 66.08 Mbps down, 57.34 Mbps upload, and FIOS is down 36.5 Mbps, 10.37 Mbps upload. Backups since last night (started at 3:30 am) using Acronis, via FTP (using FileZilla server), at about 2.2 Mbps; max I saw is 2.4 Mbps... Any ideas? Currently it is 1.1 Mbps this morning. Anyone got an idea?
-- Justin IT-TECH
Duplex issue? Are you maxing out states, CPU, memory, etc?
Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com
Re: [pfSense Support] Squid port redirection on DMZ
I would install the squid package on pfsense and tell it to forward to an upstream proxy.
Curtis LaMasters
On Nov 25, 2010 7:08 AM, Jigar SOLANKI sol4...@gmail.com wrote:
Hi list,
The subject speaks for itself: I have a bunch of servers within a dmz network and a lan. I would like to redirect the port 80 (outgoing http connections) on lan to 3128 (squid transparent) on dmz. I'd like to do that without manually modifying the pf.conf. Is there a way to do such a thing in the GUI? (pfsense stable 1.2.3-RELEASE)
Thanx, may the Lord of All Networks be with you ^_^
Re: [pfSense Support] pfsense on Xenserver
I want to run pfsense on xenserver. But I think the kernel does not support. Do a study on this issue. How can I make my own kernel compilation work. Do you have a document for that.
Regards, Ali
You can install it using other media but you just can't install the xentools... I'm sure someone will or already has figured that part out.
Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com
Re: [pfSense Support] I have Installed Pfsense on hard disk
By default LAN is 192.168.1.1. WAN will be dynamic and dependent on your provider.
Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com
On Mon, Apr 26, 2010 at 6:00 AM, Barkat ali mir7_...@yahoo.com wrote:
LAN is configured with DHCP. WAN is also configured with DHCP. What should be the address of pfSense LAN and WAN?
Thanks, Mir
Re: [pfSense Support] Microsoft Server 2008 DHCP relay
Thanks, obviously letting the 2008 box do it all always works (the first law of Microsoft) but that was precisely not the point. The question was explicitly how to keep pfsense as authoritative DNS and DHCP server and how to make the Win2008 use the pfsense master. According to the OP MS is unwilling to cooperate (the second law of Microsoft). I'd be interested as well in how to keep pfsense authoritative in later MS server OSes. It works with SBS2003.
We are using DHCP relay for 400 some PCs to Server 2008 DC w/ DNS/DHCP. It's a pretty basic setup and it allowed us to consolidate our DHCP onto 2 servers (failover).
Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com
Re: [pfSense Support] I: help me
2010/4/15 GIUSEPPE MUSTO mus...@interfree.it
-- *From:* GIUSEPPE MUSTO [mailto:mus...@interfree.it] *Sent:* Thursday, 15 April 2010 18.35 *To:* 'support-subscr...@pfsense.com' *Subject:* help me
English: If I understand you correctly, the IP address on your system is now incorrect? If that is so, you can reset this IP address from the console (keyboard and monitor) or depending on your device, with a console cable. Please let us know if this is not the case.
Italian: If I have understood correctly, the system's IP address today is correct? If so, it is possible to reset the IP address from the console (keyboard and monitor) or, depending on the device, with a console cable. Please let us know if this is not the case.
Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com
Re: [pfSense Support] PPTP Error
A few questions need answered.
1) What firewall are you originating from? Some firewalls have an issue with PPTP outbound (i.e. Cisco ASA/PIX). They just need to have fixup turned off in order for this to work.
2) Are you doing local or RADIUS authentication? If doing RADIUS, try switching to local, create a local user account and test again. It may be an issue with your RADIUS auth?
Please post a screenshot of your config if possible.
Thanks,
Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com
On Mon, Apr 12, 2010 at 12:20 PM, Abdulrehman arvagabo...@gmail.com wrote:
I have set up a PPTP server and am testing to connect to it from a Windows machine. I get the attached error after the "verifying username/password" message... where am I doing wrong... please help...!
-- Regards, Abdulrehman
Re: [pfSense Support] help -- policy routing problem
On Thu, Mar 18, 2010 at 3:04 PM, mayak-cq ma...@australsat.com wrote:
hi all,
i've got a serious policy routing problem that i cannot seem to overcome. the pfsense box has three interfaces: two are wan ports and one is lan -- both wan ports share the same physical media and use the same gateway. they each have a different ip address.
i need to route outbound mail traffic out of one specific interface and voip out the other (among other requirements). since the gateways are the same, and because i cannot specify the interface but only the next router, pfsense seems to choose the first/lowest interface to send mail.
is there a way around this?
thanks, m
I have not tested this but an advanced outbound NAT setup where you specify either the source or destination port and NAT address could work.
Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com
[pfSense Support] SSL Cert for Login Auth
I used the built-in cert manager to make a new login auth SSL cert on my 2.0 install. Apparently I did something wrong as I no longer have access to my web GUI. I get this error.
Your certificate contains the same serial number as another certificate issued by the certificate authority. Please get a new certificate containing a unique serial number.
(Error code: sec_error_reused_issuer_and_serial)
Is there any way to remove that cert or set it back to the default one without reloading the box?
Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com
Re: [pfSense Support] SSL Cert for Login Auth
You can set the LAN IP and it'll prompt to revert to HTTP, then get in and fix. Make sure you upgrade, that should be fixed but within the past week or so.
Super. Thank you.
Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com
Re: [pfSense Support] Could this MS Exchange problem have anything to do with pfsense?
If I remember correctly the 32 limit is for MAPI sessions per client. I have seen this happen when users install Xobni. Anything in the event logs?
Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com
On Thu, Feb 11, 2010 at 3:19 PM, Oliver Hansen oliver.han...@gmail.com wrote:
Hello,
We have been having a problem between Outlook and Exchange at the office and I know this is a pfSense support list but I wanted to check if there was any possible way pfSense could be causing any of the problems before I contact MS for a paid support call and have them blame pfSense. The problem seemed gradual so I can't say for sure or not but it was not too long after we upgraded a lot of 1.2.2 boxes to 1.2.3-RC3.
The problem manifests itself as Exchange keeping idle connections alive and then not allowing the client to connect because Exchange has reached the maximum connections of 32. This KB describes the error received on Exchange: http://support.microsoft.com/kb/842022 and then this one is where I have found myself after determining that the connections are being held too long: http://support.microsoft.com/kb/948496/ Note it mentions "Inactive Outlook connections to the Exchange server may not be cleaned up." as one of the symptoms.
Now, I've done everything on those KB articles but I just wanted to ask the pfSense community if anyone has experienced this or if there was something I could do to rule out pfSense as a part of the issue. It is only happening at remote locations and not at the central office. Also, all of those locations are where a pfsense router is in place remotely. We still have some sites on Linksys VPN systems and none of those sites have had the problem.
Thanks for any suggestions!
Re: [pfSense Support] block a country (.com)
Best way that I could imagine would be to use the bogons list. Either manually or figure out how to get pfSense to update it manually. In this case one of your bogons would be network blocks from China. Not 100% foolproof but it's a good start I think. Maybe a snort rule would do as well.
Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com
On Mon, Feb 1, 2010 at 4:36 PM, Michel Servaes mic...@mcmc.be wrote:
Would there be an easy option to block or allow a certain country to a pfSense box? Let's assume that I don't want any Korean traffic on my pfSense... or China. As I see that most attempts to the firewall (blocked ones, so not really an issue) are from Chinese IPs... I was wondering if I could add something from the blockacountry.com site to my rules to completely reject any request coming from China. Or just redirect them to a honeypot - that would just show an HTTP page... (a friendly one :-))
I guess manually editing the config.xml would be the only way for now?
Kind regards, Michel
[pfSense Support] Kernel ARP in the logs
I'm getting a lot of these messages. Anything that I should be concerned about?
fw01 kernel: arp: 10.55.0.33 moved from c5:dc:15:69:6c:05 to 46:1d:d2:34:40:0c on vlan1
Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com
Re: [pfSense Support] Kernel ARP in the logs
The most common reasons for that here: http://doc.pfsense.org/index.php/ARP_moved_log_messages
Thanks Chris. In this case I have servers that aren't teaming and only have one NIC (XenServer). I think I need to investigate.
Thanks,
Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com
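An added example, not part of the original thread: a small triage script for the kernel "arp: ... moved from ... to ..." messages quoted above, separating one-off moves from an IP that keeps bouncing between MACs and from a single MAC taking over several IPs. Only the first sample line comes from the thread; the other log lines, the thresholds and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the FreeBSD kernel message format quoted in the thread.
ARP_MOVED = re.compile(
    r"arp: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) moved from "
    r"(?P<old>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) to "
    r"(?P<new>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) on (?P<iface>\S+)",
    re.IGNORECASE,
)

# First line is from the thread; the rest are constructed sample data.
SAMPLE_LOG = [
    "fw01 kernel: arp: 10.55.0.33 moved from c5:dc:15:69:6c:05 to 46:1d:d2:34:40:0c on vlan1",
    "fw01 kernel: arp: 10.55.0.33 moved from 46:1d:d2:34:40:0c to c5:dc:15:69:6c:05 on vlan1",
    "fw01 kernel: arp: 10.55.0.33 moved from c5:dc:15:69:6c:05 to 46:1d:d2:34:40:0c on vlan1",
    "fw01 kernel: arp: 10.55.0.40 moved from 02:00:00:00:00:0a to 02:00:00:00:00:0b on vlan1",
    "fw01 kernel: arp: 10.55.0.50 moved from 02:00:00:00:00:01 to 02:00:00:00:00:ff on vlan2",
    "fw01 kernel: arp: 10.55.0.51 moved from 02:00:00:00:00:02 to 02:00:00:00:00:ff on vlan2",
    "fw01 kernel: arp: 10.55.0.52 moved from 02:00:00:00:00:03 to 02:00:00:00:00:ff on vlan2",
    "fw01 kernel: em0: link state changed to UP",
]


def parse_moves(lines):
    """Return (ip, old_mac, new_mac, iface) for every 'arp: ... moved' line."""
    moves = []
    for line in lines:
        m = ARP_MOVED.search(line)
        if m:
            moves.append((m["ip"], m["old"].lower(), m["new"].lower(), m["iface"]))
    return moves


def triage(lines, flap_threshold=3, ips_per_mac_threshold=3):
    """Classify ARP moves.

    'flapping': the same IP moved at least flap_threshold times and at least
        once went straight back to the MAC it had just left (two hosts
        contending for one address: duplicate IP, bridged/teamed NICs, or
        ARP spoofing all look like this in the log).
    'moved': any other change of MAC for an IP (e.g. replaced NIC).
    'mac-claims-many-ips': one MAC became the new owner of several IPs on
        the same interface, which deserves a look at that host.
    """
    per_ip = defaultdict(list)      # (ip, iface) -> [(old, new), ...] in log order
    ips_by_mac = defaultdict(set)   # (new_mac, iface) -> IPs it took over
    for ip, old, new, iface in parse_moves(lines):
        per_ip[(ip, iface)].append((old, new))
        ips_by_mac[(new, iface)].add(ip)

    findings = []
    for (ip, iface), seq in sorted(per_ip.items()):
        # Count moves that return to the MAC the previous move came from.
        returns = sum(1 for i in range(1, len(seq)) if seq[i][1] == seq[i - 1][0])
        kind = "flapping" if len(seq) >= flap_threshold and returns >= 1 else "moved"
        macs = sorted({mac for pair in seq for mac in pair})
        findings.append({"kind": kind, "ip": ip, "iface": iface,
                         "moves": len(seq), "macs": macs})
    for (mac, iface), ips in sorted(ips_by_mac.items()):
        if len(ips) >= ips_per_mac_threshold:
            findings.append({"kind": "mac-claims-many-ips", "mac": mac,
                             "iface": iface, "ips": sorted(ips)})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```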
Re: [pfSense Support] Serious issue with PPTP VPN
Sorry for not posting back sooner. I discovered that it was only my desktop that was able to login without a password (well, pfsense shows my username and so does RADIUS). I somehow had it cached in my client. Deleting and recreating the connection fixed my issue.
Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com
On Fri, Jan 15, 2010 at 1:32 PM, Lyle Giese l...@lcrcomputer.net wrote:
Chris Buechler wrote:
On Fri, Jan 15, 2010 at 1:02 PM, Curtis LaMasters curtislamast...@gmail.com wrote:
Ok, I'm not sure where to begin troubleshooting on this one. I'm running 1.2.3-RC (I'll be upgrading to RELEASE this weekend during a maintenance window). I have discovered that a blank user/pass in the Windows PPTP client is accepted by the PPTP VPN server on pfSense. Any thoughts.
Not on any of mine. Maybe if you're authenticating to a RADIUS server that tells pfSense a blank user/pass is OK (which would be the fault of your RADIUS server). How do you have it setup?
There is an option in the Windows client to use the logon credentials (Automatically use my Windows logon name and password (and domain if any).) If you happened to have that selected...
Lyle Giese
LCR Computer Services, Inc.
[pfSense Support] Web filtering with Squid/Squidguard and AD Groups
Is there a way that I am just not seeing to authenticate users based on their AD group (Users, Admins, Executives, etc) with Squid or Squidguard? I would need to apply different policies to each group.
Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com
Re: [pfSense Support] Web filtering with Squid/Squidguard and AD Groups
Do you happen to have a config that I can look at to do this or should I start looking at Squidguard's page?
Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com
On Wed, Jan 20, 2010 at 11:08 AM, Gary Buckmaster g...@s4f.com wrote:
It's possible to do with Squid and SquidGuard, and while some of the widgets exist in the package GUI, I don't think they actually do anything.
Curtis LaMasters wrote:
Is there a way that I am just not seeing to authenticate users based on their AD group (Users, Admins, Executives, etc) with Squid or Squidguard? I would need to apply different policies to each group.
Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com
[pfSense Support] Serious issue with PPTP VPN
Ok, I'm not sure where to begin troubleshooting on this one. I'm running 1.2.3-RC (I'll be upgrading to RELEASE this weekend during a maintenance window). I have discovered that a blank user/pass in the Windows PPTP client is accepted by the PPTP VPN server on pfSense. Any thoughts.
Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com
Re: [pfSense Support] Serious issue with PPTP VPN
There is an option in the Windows client to use the logon credentials (Automatically use my Windows logon name and password (and domain if any).) If you happened to have that selected...
Lyle Giese
LCR Computer Services, Inc.
Yes, RADIUS back end to Server 2008 NAP. I'll have to dig into the config again to verify the allow any user/pass or blank. I won't accept incorrect information so that is somewhat comforting.
Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com
Re: [pfSense Support] PFSense advocacy
Commercial support should help put Boss's worries at bay: https://portal.pfsense.org/ Between this, the mailing list and forum you are covered.
Scott
The big selling points for my Boss' were
1) cost
2) features
3) ease of use
Cost is a no-brainer. The features of pfSense that we needed sold the solution very easily. Failover, Load Balancing, SNORT IDS, Proxy Filtering and a great web-based configuration engine were the key ones. All but the proxy filtering was needed for our hosting environment and a huge selling point for our corporate firewall was the proxy filtering (with squidguard) to keep our users in check. Ease of use was huge because we didn't have to drop to CLI every time someone needed a non-standard configuration. Cough, cough, Cisco.
Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com
Re: [pfSense Support] pkg_add and openvpn-auth-ldap in 1.2.3-RC1
I don't want to jump in front of Chris on this but the forums has a sticky on setting up PAM auth for OpenVPN to back end to RADIUS. It may not even be an option anymore but something to look at.
Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com
On Thu, Nov 12, 2009 at 3:46 PM, Joseph L. Casale jcas...@activenetwerx.com wrote:
If you're going to do this, upgrade to RC3 and start from there, then at least you can upgrade to the final 1.2.3 release (no FreeBSD version change).
Chris, I greatly appreciate the guidance there. If it's not supported, I don't want to go there as too many people depend on the vpn being available. Given I also have zero experience w/ FreeBSD, that concerns me. Is it just a matter of maintaining the OpenVPN config (that I can handle) or do I risk breaking anything else? Is there a supported method to accomplish what I need with either ldap or radius etc?
Thanks! jlc
Re: [pfSense Support] CARP with captive portal
Might be a long shot, but check your subnet mask for the CARP. I've seen odd things happen when that is not correct.
Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com
On Mon, Oct 19, 2009 at 9:33 AM, Roberto Greiner mrgrei...@gmail.com wrote:
Hi, no one with ideas about this?
Roberto
Roberto Greiner wrote:
Hi, I'm having trouble making captive portal and CARP work together. I've set CARP to use the WAN interface for synchronization, and it works fine. Problem is, the moment I enable Captive Portal, the LAN Virtual IP dies out (stops pinging), and the whole setup stops working. I've tried adding the LAN MAC address of the stations on the Pass-through MAC page (added MAC address of both servers), but it didn't work. Also tried the same for IP. The moment I disable captive portal, CARP immediately works again. Any ideas of what I should do to make Captive Portal and CARP work together?
Tks, Roberto Greiner
-- Marcos Roberto Greiner
The optimists think we are in the best of worlds. The pessimists fear that this is true. James Branch Cabell
Re: [pfSense Support] Dell R200 Working Setup?
I would also like to note that I am only having this issue on 2 interfaces which both happen to be VLAN interfaces. I hope that helps.
Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com
On Fri, Oct 9, 2009 at 12:28 AM, Curtis LaMasters curtislamast...@gmail.com wrote:
I just reinstalled with uniprocessor kernel. I'm passing traffic but still getting lots of errors. Also in the firewall logs, it says I'm blocking traffic that I have permitted. Very strange but hopefully that helps. Can I provide any log / debug info?
Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com
On Fri, Oct 9, 2009 at 12:15 AM, Chris Buechler cbuech...@gmail.com wrote:
On Fri, Oct 9, 2009 at 1:10 AM, Curtis LaMasters curtislamast...@gmail.com wrote:
Still getting them with that setting enabled. Do I need to reboot?
No. Strange this would come up again, last time was about a year ago and I don't recall what the cause was. I know there are a lot of people running 1.2.3 versions, and FreeBSD 7.2, on such hardware.
Re: [pfSense Support] Dell R200 Working Setup?
On Fri, Oct 9, 2009 at 4:54 AM, Paul Mansfield it-admin-pfse...@taptu.com wrote:
On 09/10/09 07:58, Curtis LaMasters wrote:
I would also like to note that I am only having this issue on 2 interfaces which both happen to be VLAN interfaces. I hope that helps.
if you're using a managed switch, is it reporting any errors? if Ciscos see bpdus incorrectly they can go into blocking mode and the port error light flashes
Here is my output for the connection to FW1 and FW2. We have 2 of them running with CARP.
GigabitEthernet0/1 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is 0026.ca83.9581 (bia 0026.ca83.9581)
  Description: ## VISOMAFW01 ##
  MTU 1500 bytes, BW 100 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s, media type is 10/100/1000BaseTX
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output 00:00:00, output hang never
  Last clearing of show interface counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 1 bits/sec, 16 packets/sec
     78596 packets input, 21900394 bytes, 0 no buffer
     Received 7249 broadcasts (7204 multicasts)
     126 runts, 0 giants, 0 throttles
     126 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 7204 multicast, 0 pause input
     0 input packets with dribble condition detected
     2918379 packets output, 280362434 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out
GigabitEthernet0/1 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is 0026.ca83.8e01 (bia 0026.ca83.8e01)
  Description: ## VISOMAFW02 ##
  MTU 1500 bytes, BW 100 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s, media type is 10/100/1000BaseTX
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output 00:00:00, output hang never
  Last clearing of show interface counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 252000 bits/sec, 43 packets/sec
  5 minute output rate 122000 bits/sec, 47 packets/sec
     19213067 packets input, 24692805689 bytes, 0 no buffer
     Received 1316132 broadcasts (1313540 multicasts)
     236 runts, 0 giants, 0 throttles
     236 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 1313540 multicast, 0 pause input
     0 input packets with dribble condition detected
     19576913 packets output, 12046179495 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out
Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com
Re: [pfSense Support] Dell R200 Working Setup?
Still getting them with that setting enabled. Do I need to reboot?
Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com
On Thu, Oct 8, 2009 at 11:55 PM, Chris Buechler cbuech...@gmail.com wrote:
On Fri, Oct 9, 2009 at 12:52 AM, Curtis LaMasters curtislamast...@gmail.com wrote:
Anyone know what version of OS I need to install to get a Dell R200 working properly? I have 1.2.3-RC3 installed right now and I'm getting the bad hdr length messages in the logs and it's keeping me from passing traffic.
Try disabling checksum offloading under System - Advanced.
Re: [pfSense Support] Dell R200 Working Setup?
I just reinstalled with uniprocessor kernel. I'm passing traffic but still getting lots of errors. Also in the firewall logs, it says I'm blocking traffic that I have permitted. Very strange but hopefully that helps. Can I provide any log / debug info?
Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com
On Fri, Oct 9, 2009 at 12:15 AM, Chris Buechler cbuech...@gmail.com wrote:
On Fri, Oct 9, 2009 at 1:10 AM, Curtis LaMasters curtislamast...@gmail.com wrote:
Still getting them with that setting enabled. Do I need to reboot?
No. Strange this would come up again, last time was about a year ago and I don't recall what the cause was. I know there are a lot of people running 1.2.3 versions, and FreeBSD 7.2, on such hardware.
Re: [pfSense Support] Vista DHCP Issue
Curtis, or anyone else who can replicate problems with a Vista client, ditto, capturing the DHCP request in Wireshark and sending me the pcap would be appreciated.
Chris, I won't be at that client today, but I should be there this weekend or early next week and will get that for you. In my case, I have 5 Vista machines all with different patch levels and all different vendors, a switch infrastructure of Cisco 3750's and 3650's, and pfsense 1.2.2.
Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com
[pfSense Support] Vista DHCP Issue
I've searched around and read about others with this issue. Basically I have 5 different Vista laptops that cannot get a DHCP address unless I modify the registry and disable a broadcast setting. Does anybody have a solution to this that would prevent me from having to touch each workstation? They are public computers and not part of a domain, otherwise I would just do it via GPO.
Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com
Re: [pfSense Support] Load Balanced Passive FTP?
On Thu, Oct 1, 2009 at 3:57 PM, Nathan Eisenberg nat...@atlasnetworks.us wrote:
Is there a way to load balance a range of ports with one rule? For example, I have a 100 port passive FTP range defined. Do I have to create 100 load balancer rules? 1.2.3
Best Regards,
Nathan Eisenberg
Sr. Systems Administrator - Atlas Networks, LLC
office: 206.577.3078 | suncadia: 206.210.5450
www.atlasnetworks.us | www.suncadianet.com
Would an alias work?
Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com
Re: [pfSense Support] 192.0.2.112
I'm not sure how the dynamic DNS daemon works on pf, however I could possibly understand this issue if the ISP was doing NAT with their cable/DSL modem and passing off a private IP range to your WAN interface. What IP is assigned to the WAN?
Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com
On Tue, Sep 29, 2009 at 5:52 AM, Fuchs, Martin martin.fu...@trendchiller.com wrote:
Hi! A friend of mine has a strange problem: every time he reboots his pfsense his dyndns updates with 192.0.2.112. He had this problem with 1.2.2 and now updated to 1.2.3 RC3 and it still exists… Anyone have the same issues? Any ideas?
Regards, Martin
Re: [pfSense Support] SNMP oid's for bandwidth
I'm not sure about Nagios for graphing, however here is what my Cacti poller shows.
Data Source: x.x.x.x/fxp0 (In)
RRD: /var/www/data/graphs/networks/rra/X_in_1.rrd
Action: 0, OID: .1.3.6.1.2.1.2.2.1.10.1 (Host: x.x.x.x, Community: **)
Data Source: x.x.x.x/fxp0 (Out)
RRD: /var/www/data/graphs/networks/rra/X_out_2.rrd
Action: 0, OID: .1.3.6.1.2.1.2.2.1.10.1 (Host: x.x.x.x, Community: **)
Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com
2009/9/29 Ståle Johnsen stale.john...@smartit.no:
Hi, I'm trying to monitor in / out bandwidth in bits on the WAN interface but am having some problems finding the right SNMP OID. I found this one: http://cvstrac.pfsense.com/tktview?tn=257 but the OID I'm trying doesn't return anything. Does anyone have any better suggestions for bandwidth monitoring on pfsense from a Nagios server?
Regards, Stale Johnsen
[pfSense Support] NAT and Bridge on the same box
I have a need to provide NAT for the majority of our services and also assign public IPs to our customers. My question is, can I do bridging and NAT on the same server? I.e. can I have my WAN interface with all its virtual IPs continue to map to my internal VLANs and then have a separate VLAN(s) bridge and be able to deliver public IPs to those customers? Is it as simple as setting the bridge with WAN on that interface and then assigning IPs? Sorry if this has been covered in the past. Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com
Re: [pfSense Support] Running out of memory
I'd say just run kill 554 but that wouldn't fix the underlying issue. Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com On Wed, Sep 16, 2009 at 2:36 AM, a_subscribti...@fiberby.dk wrote: Hi again. It seems like it's tcpdump that is causing the problem. Both machines are running 1.2.2. One is upgraded from 1.0.1 - 1.2 - 1.2.2. The other is a fresh install. They were booted 12 days ago. Just after a reboot they use approx. 8% of memory, and that has now increased to approx. 50%. USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND root 554 3.3 27.7 288320 286384 d0- S 4Sep09 240:11.90 /usr/sbin/tcpdum Any ideas? Kind regards Anders -Original message- From: a_subscribti...@fiberby.dk [mailto:a_subscribti...@fiberby.dk] Sent: 4 September 2009 09:48 To: support@pfsense.com Subject: SV: [pfSense Support] Running out of memory Thanks for the quick response. I surely do not have any packages installed. I didn't know of 'ps aux', but now I'll keep an eye on it. Kind regards Anders -Original message- From: cbuech...@gmail.com [mailto:cbuech...@gmail.com] On behalf of Chris Buechler Sent: 4 September 2009 09:25 To: support@pfsense.com Subject: Re: [pfSense Support] Running out of memory On Fri, Sep 4, 2009 at 3:20 AM, a_subscribti...@fiberby.dk wrote: Hi, I have two pfsense running for approximately 1300 customers each. They hold between 10-15 vlans each, and are acting as dhcp servers. All traffic is being natted. It's a full install with no packages installed. The platform they are running on is supermicro servers, with 1GB ram. These are the services that are running: DNS Forwarder (all users are given real dns-server addresses) NTP clock sync DHCP Service SNMP Service UPnP Service My problem is related to the use of memory. Over time they use more and more of the memory, and after approximately two months the memory is full (90+%), and they start to use the swap file. After that I restart them, because I can lower the amount of cpu used.
You must have some package installed that has a memory leak. Nothing I'm aware of in the base system will do that. Check 'ps aux' in Diagnostics - Command for what process is leaking memory.
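Added example (not from the thread): the `ps aux` check suggested above, done as a comparison of two snapshots so that growth is ranked per process and the time until RAM is full can be estimated. The later snapshot reuses the tcpdump line quoted in the thread; the earlier RSS value, the other processes, and treating the 1GB of RAM as 1048576 KiB are constructed for illustration.

```python
"""Rank processes by RSS growth between two `ps aux` snapshots (added example)."""

# Constructed snapshots taken 12 days apart; only the tcpdump line of the
# second one comes from the thread.
SNAPSHOT_DAY0 = """\
USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
root 312 0.0 0.1 3156 1040 ?? Ss 4Sep09 0:00.40 /usr/sbin/syslogd -ss
root 554 0.5 1.0 12000 10000 d0- S 4Sep09 0:01.10 /usr/sbin/tcpdum
"""
SNAPSHOT_DAY12 = """\
USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
root 312 0.0 0.1 3156 1040 ?? Ss 4Sep09 0:02.11 /usr/sbin/syslogd -ss
root 554 3.3 27.7 288320 286384 d0- S 4Sep09 240:11.90 /usr/sbin/tcpdum
root 9001 0.0 0.3 6300 3200 ?? S 16Sep09 0:00.05 /usr/sbin/sshd
"""
TOTAL_RAM_KIB = 1024 * 1024  # the 1GB boxes described in the thread


def parse_ps_aux(text):
    """Return {pid: (rss_kib, command)} from `ps aux` output with a header row."""
    lines = text.strip().splitlines()
    header = lines[0].split()
    pid_col, rss_col = header.index("PID"), header.index("RSS")
    ncols = len(header)
    procs = {}
    for line in lines[1:]:
        # COMMAND is the last column and may itself contain spaces.
        fields = line.split(None, ncols - 1)
        if len(fields) < ncols:
            continue
        try:
            procs[int(fields[pid_col])] = (int(fields[rss_col]), fields[-1])
        except ValueError:
            continue  # malformed row
    return procs


def rss_growth(before, after, days):
    """Rows (kib_per_day, pid, command, rss_before, rss_after), largest first.

    Only processes present in both snapshots under the same command are
    compared, so a new process or a reused PID is not mistaken for a leak.
    """
    if days <= 0:
        raise ValueError("snapshots must be taken at different times")
    rows = []
    for pid, (rss_after, command) in after.items():
        if pid not in before or before[pid][1] != command:
            continue
        delta = rss_after - before[pid][0]
        if delta > 0:
            rows.append((delta / days, pid, command, before[pid][0], rss_after))
    return sorted(rows, reverse=True)


def days_until_exhausted(rss_now_kib, kib_per_day, total_kib, other_kib=0):
    """Linear projection of the days left before this process fills RAM."""
    free_kib = max(total_kib - other_kib - rss_now_kib, 0)
    return free_kib / kib_per_day


if __name__ == "__main__":
    day0 = parse_ps_aux(SNAPSHOT_DAY0)
    day12 = parse_ps_aux(SNAPSHOT_DAY12)
    for rate, pid, command, old, new in rss_growth(day0, day12, days=12):
        left = days_until_exhausted(new, rate, TOTAL_RAM_KIB)
        print(f"pid {pid} {command}: {old} -> {new} KiB, "
              f"{rate:.0f} KiB/day, about {left:.0f} days until RAM is full")
```

The projection is linear and ignores memory used by everything else unless `other_kib` is supplied, so treat it as an upper bound on the time left.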
[pfSense Support] pfSense version for new install
I normally just download the one from the mirrors and install it, however I wanted to check and see if it was recommended / wise to install one from the snapshot server instead. Sorry if this has been covered a thousand times. My Googling fu is lacking today. Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com
Re: [pfSense Support] pfSense version for new install
This page may help you: http://www.pfsense.org/index.php?option=com_content&task=view&id=43&Itemid=44 If I'm reading that correctly, do not use the snapshots? Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com
Re: [pfSense Support] pfSense version for new install
It is not recommended on a production system. Everyone can make their own decisions but the stable release is recommended for production environments. Good enough for me. Thank you very much for answering my stupid questions. Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com
Re: [pfSense Support] Firewall Rules for Dynamic Host
On Fri, Aug 14, 2009 at 12:20 PM, Tim Nelson tnel...@rockbochs.com wrote: Greetings all- I have a situation where I need to have firewall rules for a particular host that has a dynamic IP address (PPPoE ADSL). Unfortunately, getting a static IP is cost prohibitive at this point. When there is a power outage or after x number of days, the IP address changes on the connection. My thought was to write a script that would automagically check for the public IP, and if it is changed, then update the firewall rule using curl to submit the form and then reload the rules. Is there a better way to do this or any unforeseen caveats to doing it the way I described? Tim Nelson Systems/Network Support Rockbochs Inc. (218)727-4332 x105
Unless I am not understanding this, if you were to just put WAN Address as the rule destination instead of specifying the actual IP, it would fix the issue. Right? Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com
Re: [pfSense Support] Re: Can't get more than 15kpps.
I have forgotten and am too lazy to go through all my emails again to read, but have you tried standard intel server NIC's for this? Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com On Wed, Jul 29, 2009 at 10:30 AM, Lennyfive2one.le...@gmail.com wrote: Hi guys, I know how sick of me you are by now, but I've had some developments here and now I'm stuck again. So, FINALLY I convinced the management to buy a new server. We bought an IBM x3550 with 2 Quad Core CPUs E5420 and 2GB RAM PC2-5300 667MHz. Not just that, we bought 2 of them ( we need the second one for the identical project). I really wanted to try the Yandex em driver, so I installed the 1.2.3-RC2 built on Wed Jun 24 10:37:51 EDT 2009 version. These are the things I've changed: /etc/sysctl.conf added: dev.em.0.rx_processing_limit=1000 dev.em.1.rx_processing_limit=1000 kern.ipc.somaxconn=1024 dev.em.0.rx_kthreads=2 dev.em.1.rx_kthreads=2 /boot/loader.conf added: hw.em.rxd=4096 hw.em.txd=4096 I wasn't sure about the kthreads, so I put 2 as a value, but I later read that people use 6. Now, for the problem: It's the same! I had 50kpps, which was 180Mbps and I had 2 CPUs go up to 100%. How is that even possible? Should I give up on RC version and go back to stable, which also means giving up on the em driver? Any other things I can adjust? By the way, I checked sysctl net.inet.ip.intr_queue_drops and it's 0. On the interfaces I see that em0(outside) has 0 errors, but on the em1(inside) there are 3666587/0. 6 of the CPUs(cores) are usually 100% idle, while the other 2 are actually stuck with emX taskq. In other words - nothing's changed. Except for 1 thing - the management spent the money and now they wanna see results. Please help! Lenny. changed: net.inet.ip.intr_queue_maxlen=4096 (old value=1000) On Thu, May 14, 2009 at 11:26 AM, Lenny five2one.le...@gmail.com wrote: Thanks for all the suggestions, guys. 
Anyway, I found it very interesting that the new snapshots have yandex driver in them, so I decided to try it. Of course, as I don't have the new server yet, I had to try on my old IBM x335. But here are a couple of things that wouldn't let me try it: with 2 SCSI hard drives in RAID 1 (LSI controller), it would always give an error and reboot in 15 sec. If I take out 1 drive - it would boot, but then get stuck on configuring wan interface for a long time and then reboot. It's not connected, but previous pfSense versions had no problems with it. Any suggestions? thanks, Lenny. P.S. we don't have eval-systems, so I'll have to take the risk and buy a cat in the sack. On Wed, May 13, 2009 at 6:13 PM, Scott Ullrich sullr...@gmail.com wrote: On Wed, May 13, 2009 at 10:21 AM, Rainer Duffner rai...@ultra-secure.de wrote: AFAIK, SUN still provides eval-systems for free. I would evaluate one of the new X2270 with the Nehalem Xeons. This should provide a 50% boost even on 5400-series Xeons. Also, they use Intel NICs, IIRC. The smallest test-system already has 6 GB of RAM and costs 2000 USD, which you have to pay only after 60 days. All good advice here in the last couple messages. Wanted to add that I would suggest trying a recent 1.2 / FreeBSD 7 pfSense snapshot from snapshots.pfsense.org as we added the high performance yandex driver located at http://people.yandex-team.ru/~wawa/em-6.9.6-RELENG7-yandex-1.36.2.10.tar.gz The README file that was included: Main features - RX queue is being processed w/more than one thread. Use sysctl dev.em.X.rx_kthreads to alter number of threads. TX interrupts has been removed because it's not neccessary actually. That's why interrupt rate has been reduced twice at least. TX queue cleaning moved to seperate kthread. em_start uses mtx_trylock instean of mtx_lock. That's why em_start locks less. + RX queues' priority may be altered thru sysctl. System seems to be more stable if RX scheduled w/less priority. 
+ RX interrupt stay masked if there is no thread ready to catch interrupt. The hint reduces context switching under load. You will want to experiment with 1 thread per proc and 2 threads per proc by setting sysctl dev.em.X.rx_kthreads (I think) Scott
Re: [pfSense Support] Re: Can't get more than 15kpps.
Not sure what you're talking about with top posting. I just replied to the list. Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com On Wed, Jul 29, 2009 at 11:07 AM, Eugen Leitl eu...@leitl.org wrote: On Wed, Jul 29, 2009 at 10:33:19AM -0500, Curtis LaMasters wrote: I have forgotten and am too lazy to go through all my emails again to read, but have you tried standard intel server NIC's for this? Please do not top-post. Please trim your replies (message unchanged below). Thank you.
Re: [pfSense Support] Re: Can't get more than 15kpps.
Lenny, Do you have commercial support on these boxes? Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com On Wed, Jul 29, 2009 at 11:54 AM, Lenny five2one.le...@gmail.com wrote: Just like I answered previously, without the pfSense Alteon was able to handle the load without problems. Cisco switch also didn't have any errors on the interface. Plus, I only started to see errors, when the high load began and at that same time I also saw some packet loss on the firewall. Jaime Díaz wrote: On Wed, Jul 29, 2009 at 12:30 PM, Lenny five2one.le...@gmail.com wrote: By the way, I checked sysctl net.inet.ip.intr_queue_drops and it's 0. On the interfaces I see that em0(outside) has 0 errors, but on the em1(inside) there are 3666587/0. 6 of the CPUs(cores) are usually 100% idle, while the other 2 are actually stuck with emX taskq. In other words - nothing's changed. Except for 1 thing - the management spent the money and now they wanna see results. Why so many errors on em1? Have you checked the settings on your switches? Have you tried another port or, better, a different switch?
Re: [pfSense Support] Re: Can't get more than 15kpps.
Who is the guy that runs some of the Fox websites? I believe he is in this area as far as PPS. Maybe he could shed some light though he may be only available via the Forums. Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com On Wed, Jul 29, 2009 at 12:00 PM, Lenny five2one.le...@gmail.com wrote: Well, I believe, a standard support of NBD. Except for the NIC, which was bought on ebay. Curtis LaMasters wrote: Lenny, Do you have commercial support on these boxes? Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com On Wed, Jul 29, 2009 at 11:54 AM, Lenny five2one.le...@gmail.com wrote: Just like I answered previously, without the pfSense Alteon was able to handle the load without problems. Cisco switch also didn't have any errors on the interface. Plus, I only started to see errors, when the high load began and at that same time I also saw some packet loss on the firewall. Jaime Díaz wrote: On Wed, Jul 29, 2009 at 12:30 PM, Lenny five2one.le...@gmail.com wrote: By the way, I checked sysctl net.inet.ip.intr_queue_drops and it's 0. On the interfaces I see that em0(outside) has 0 errors, but on the em1(inside) there are 3666587/0. 6 of the CPUs(cores) are usually 100% idle, while the other 2 are actually stuck with emX taskq. In other words - nothing's changed. Except for 1 thing - the management spent the money and now they wanna see results. Why so many errors on em1? Have you checked the settings on your switches? Have you tried another port or, better, a different switch?
Re: [pfSense Support] A note about top vs bottom posting -- please read and make sure you bottom post on our lists. Thank you.
Thanks Scott. I know what top posting is...I just don't know why you think I did. I hit reply, type my message and go forth. Didn't think it needed to be any harder than that. Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com On Wed, Jul 29, 2009 at 12:15 PM, Scott Ullrich sullr...@gmail.com wrote: http://www.caliburn.nl/topposting.html http://idallen.com/topposting.html Thank you Scott
Re: [pfSense Support] A note about top vs bottom posting -- please read and make sure you bottom post on our lists. Thank you.
You was not specifically YOU...rather the list. Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com On Wed, Jul 29, 2009 at 12:26 PM, Scott Ullrich sullr...@gmail.com wrote: On Wed, Jul 29, 2009 at 1:25 PM, Curtis LaMasters curtislamast...@gmail.com wrote: Thanks Scott. I know what top posting is...I just don't know why you think I did. I hit reply, type my message and go forth. Didn't think it needed to be any harder than that. I did not think anything -- This is my 1st message to this list in days and days Scott
Re: [pfSense Support] A note about top vs bottom posting -- please read and make sure you bottom post on our lists. Thank you.
And I think the point is being missed. WHY WAS MY MESSAGE VIEWED AS TOP POSTED. Ok, I committed my internet crime of YELLING in caps for the day. In Gmail, is there a proper way to not top post? Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com On Wed, Jul 29, 2009 at 12:28 PM, David Burgess apt@gmail.com wrote: On Wed, Jul 29, 2009 at 11:25 AM, Curtis LaMasters curtislamast...@gmail.com wrote: Thanks Scott. I know what top posting is...I just don't know why you think I did. I hit reply, type my message and go forth. Didn't think it needed to be any harder than that. It can be a lot harder than that. It's effectively illustrated in the links that Scott provided. A little effort in replying can save a lot of wasted effort in trying to bring oneself up to speed or refresh one's memory on a long thread. db
Re: [pfSense Support] A note about top vs bottom posting -- please read and make sure you bottom post on our lists. Thank you.
This is top posting apparently. Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com On Wed, Jul 29, 2009 at 12:34 PM, iggd...@gmail.com wrote: On Wed, Jul 29, 2009 at 1:33 PM, Curtis LaMasters curtislamast...@gmail.com wrote: And I think the point is being missed. WHY WAS MY MESSAGE VIEWED AS TOP POSTED. Ok, I committed my internet crime of YELLING in caps for the day. In Gmail, is there a proper way to not top post? Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com On Wed, Jul 29, 2009 at 12:28 PM, David Burgess apt@gmail.com wrote: On Wed, Jul 29, 2009 at 11:25 AM, Curtis LaMasters curtislamast...@gmail.com wrote: Thanks Scott. I know what top posting is...I just don't know why you think I did. I hit reply, type my message and go forth. Didn't think it needed to be any harder than that. It can be a lot harder than that. It's effectively illustrated in the links that Scott provided. A little effort in replying can save a lot of wasted effort in trying to bring oneself up to speed or refresh one's memory on a long thread. db
flick the scroll wheel to get to the bottom of the post basically.
Re: [pfSense Support] A note about top vs bottom posting -- please read and make sure you bottom post on our lists. Thank you.
And this is bottom posting. Correct? Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com
Re: [pfSense Support] A note about top vs bottom posting -- please read and make sure you bottom post on our lists. Thank you.
To which one? Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com On Wed, Jul 29, 2009 at 12:40 PM, David Burgessapt@gmail.com wrote: Yes. On Wed, Jul 29, 2009 at 11:38 AM, Curtis LaMasterscurtislamast...@gmail.com wrote: This is top posting apparently. Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com On Wed, Jul 29, 2009 at 12:34 PM, iggd...@gmail.com wrote: On Wed, Jul 29, 2009 at 1:33 PM, Curtis LaMasters curtislamast...@gmail.com wrote: And I think the point is being missed. WHY WAS MY MESSAGE VIEWED AS TOP POSTED. Ok, I committed my internet crime of YELLING in caps for the day. In Gmail, is there a proper way to not top post? Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com On Wed, Jul 29, 2009 at 12:28 PM, David Burgessapt@gmail.com wrote: On Wed, Jul 29, 2009 at 11:25 AM, Curtis LaMasterscurtislamast...@gmail.com wrote: Thanks Scott. I know what top posting is...I just don't know why you think I did. I hit reply, type my message and go forth. Didn't think it needed to be any harder than that. It can be a lot harder than that. It's effectively illustrated in the links that Scott provided. A little effort in replying can save a lot of wasted effort in trying to bring oneself up to speed or refresh one's memory on a long thread. db - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org flick the scroll wheel to get to the bottom of the post basically. 
Re: [pfSense Support] A note about top vs bottom posting -- please read and make sure you bottom post on our lists. Thank you.
On Wed, Jul 29, 2009 at 12:41 PM, David Burgess apt@gmail.com wrote: On Wed, Jul 29, 2009 at 11:38 AM, Curtis LaMasters curtislamast...@gmail.com wrote: And this is bottom posting. Correct? Well, I don't think it's top-posting or bottom-posting if you delete all prior content.
How about now? Bottom posting? Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com
Re: [pfSense Support] A note about top vs bottom posting -- please read and make sure you bottom post on our lists. Thank you.
Gotta tell you guys...this is out right frustrating. Is it the fact that I'm using Gmail or that by definition, threading in email is broken by design. I would have imagined that the Spamassassin mailing list would have eaten all Gmail users alive if Gmail were the issue. Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com On Wed, Jul 29, 2009 at 12:42 PM, David Burgessapt@gmail.com wrote: The current is an example of top-posting, in response to your top-post. I don't think you've bottom-posted in this thread yet. db On Wed, Jul 29, 2009 at 11:41 AM, Curtis LaMasterscurtislamast...@gmail.com wrote: To which one? Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com On Wed, Jul 29, 2009 at 12:40 PM, David Burgessapt@gmail.com wrote: Yes. On Wed, Jul 29, 2009 at 11:38 AM, Curtis LaMasterscurtislamast...@gmail.com wrote: This is top posting apparently. Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com On Wed, Jul 29, 2009 at 12:34 PM, iggd...@gmail.com wrote: On Wed, Jul 29, 2009 at 1:33 PM, Curtis LaMasters curtislamast...@gmail.com wrote: And I think the point is being missed. WHY WAS MY MESSAGE VIEWED AS TOP POSTED. Ok, I committed my internet crime of YELLING in caps for the day. In Gmail, is there a proper way to not top post? Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com On Wed, Jul 29, 2009 at 12:28 PM, David Burgessapt@gmail.com wrote: On Wed, Jul 29, 2009 at 11:25 AM, Curtis LaMasterscurtislamast...@gmail.com wrote: Thanks Scott. I know what top posting is...I just don't know why you think I did. I hit reply, type my message and go forth. Didn't think it needed to be any harder than that. It can be a lot harder than that. It's effectively illustrated in the links that Scott provided. A little effort in replying can save a lot of wasted effort in trying to bring oneself up to speed or refresh one's memory on a long thread. 
db flick the scroll wheel to get to the bottom of the post basically.
Re: [pfSense Support] A note about top vs bottom posting -- please read and make sure you bottom post on our lists. Thank you.
Hitting reply resulted in the above. A proper bottom post then looks like this: On Wed, Jul 29, 2009 at 1:45 PM, Curtis LaMasters curtislamast...@gmail.com wrote: Gotta tell you guys...this is out right frustrating. Is it the fact that I'm using Gmail or that by definition, threading in email is broken by design. I would have imagined that the Spamassassin mailing list would have eaten all Gmail users alive if Gmail were the issue. This is a bottom post. Scott
I actually find that to be annoying to read. However, in the spirit of good internetship, I'll oblige. Sorry for any problems I may have caused. Let me know if I did that correctly. Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com
Re: [pfSense Support] A note about top vs bottom posting -- please read and make sure you bottom post on our lists. Thank you.
On Wed, Jul 29, 2009 at 12:56 PM, Scott Ullrich sullr...@gmail.com wrote:
On Wed, Jul 29, 2009 at 1:54 PM, Curtis LaMasters curtislamast...@gmail.com wrote:
I actually find that to be annoying to read. However, in the spirit of good internetship, I'll oblige. Sorry for any problems I may have caused. Let me know if I did that correctly.

That looks correct. Unfortunately this is the way mailing lists have operated for as long as I have remembered.
Scott

I am still a youngling but I've been on the internet on forums, mailing lists, and others for almost 20 years and this is the first time that I've actually been called out for top posting. /rant

Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com
Re: [pfSense Support] A note about top vs bottom posting -- please read and make sure you bottom post on our lists. Thank you.
On Wed, Jul 29, 2009 at 2:46 PM, wayneplet...@gmail.com wrote:
Eugen Leitl wrote:
On Wed, Jul 29, 2009 at 11:28:14AM -0600, David Burgess wrote:
It can be a lot harder than that. It's effectively illustrated in the links that Scott provided. A little effort in replying can save a lot of wasted effort in trying to bring oneself up to speed or refresh one's memory on a long thread.

I've found that a few educational off-list messages can bring quite a few people around. For the hard cases, there's the killfile. Or list bans, for moderated lists. To be used ruthlessly, so deliberate netiquette violators will get the message.

T S O P P O T t o n s e o d e n o y h w s i s i h T

Some of us have many lists to read, and to break the logical flow of Quote/question then answer below, just makes us lose interest.
W

I find it funny when people assume because they do a certain thing, that they must not be doing x. I have 9 mailing lists that I participate in, and as I mentioned before, none have bothered me or others for that matter about top posting. But, as I stated, I'll go forth with bottom posting from now on.

Curtis
Re: [pfSense Support] A note about top vs bottom posting -- please read and make sure you bottom post on our lists. Thank you.
Thanks everyone. Learning has occurred.

Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com

On Wed, Jul 29, 2009 at 3:45 PM, Gary Buckmaster g...@s4f.com wrote:
David Rees wrote:
On Wed, Jul 29, 2009 at 10:31 AM, iggd...@gmail.com wrote:
Unfortunately Gmail top posts by default. So expecting bottom posting to be and to remain the default behavior may be an exercise in futility. Proper etiquette or not, some people just bang off replies and figure everything is a-ok. This being a reason, not an excuse.

Yes - bottom posting takes a bit of work. But on a high volume mailing list or if you receive a lot of mail, a little bit of context goes a LONG way. And while we're talking about it - Trim your messages, too! Only leave the relevant portion of the original email in the message - so that means trimming the list-footer off the message. Again - it takes a bit of work, but it really makes reading mailing lists a LOT easier. Try it for a bit - once you do, you'll realize how much better it is.
-Dave

Can we please knock this crap off now? The 5 people in the world who care about top posting have made their point, the 5 people in the world who think that top posting is perfectly valid seem to be willing to abide by your particular brand of netiquette naziism and the rest of the world is going to continue to join this list, top post, bottom post, send emails with return receipt requests, send emails entirely composed of HTML, reply to emails belonging to other threads and generally do whatever they feel like doing. If you really feel *this* strongly about mailing list etiquette perhaps now would be a good time to re-examine your life. I think it's safe to say that the rest of us are tired of your spam.
Re: [pfSense Support] A note about top vs bottom posting -- please read and make sure you bottom post on our lists. Thank you.
I really hate to fan the flames here... but I just HAD to do this: http://diy.despair.com/output/poster84114313.jpg The hilarity and simultaneous irritation this thread has caused is just fantastic.
--Tim

Yes, I noticed that just as soon as I sent it. Thanks for the virtual slap in the face.

Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com
Re: [pfSense Support] OT: web based performance testing
I have been wanting to make an app like iperf available through a web page...not sure how that would work but I think it would be cool.

Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com

On Sat, Jul 25, 2009 at 3:32 PM, Scott Ullrich sullr...@gmail.com wrote:
On Sat, Jul 25, 2009 at 4:31 PM, Chris Buechler c...@pfsense.org wrote:
Saw that, doesn't have latency or loss though. That's the piece that's missing from all the options I've seen.

Maybe this will fit the bill. Kinda expensive. http://www.ookla.com/linequality.php
Scott
Re: [pfSense Support] Anything like fail2ban for PFSense?
What about using Snort in an IPS mode? I'm sure there is a rule out there to block a specific IP based on the number of times this event occurs.

Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com

On Tue, Jul 21, 2009 at 9:00 AM, k_o_lk_...@hotmail.com wrote:
From: Jeppe Øland [mailto:jol...@gmail.com]
Sent: Tuesday, July 21, 2009 5:04 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Anything like fail2ban for PFSense?

Some of my pfsense boxes get a lot of SSH bruteforces; is there a package like fail2ban out there which could automatically blacklist IPs after x

Request: It would be really nice if pfsense could limit the connection-rate *per IP*.

IIRC it is possible to set this per source-IP ;-)

Maybe I missed an option then? How do you configure it?

Why leave your ssh service exposed to the world? Lock it down to a range of ip's (or subnet of your isp), or if you don't have static ip's try setting up openvpn. IMO it's best to expose as little as possible.

Sometimes you have to expose it. I can't install OpenVPN on all PCs that I might need access to servers from, and on emergency cellphone access to the servers it just might not be possible. Best compromise I've found so far has been to require certificates to log in to the SSH server. Hammering doesn't stop, but the risk of compromising the server is massively reduced. And with lockdown after X connection attempts in Y seconds, the risk is all but gone. (For the vast majority of servers at least ... maybe not if you run a bank or some such)
Regards, -Jeppe

What are good values to set?
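The "lockdown after X connection attempts in Y seconds" idea from the thread above, as an added example that is not part of any post and is not a pfSense package. It applies a per-source sliding window with a timed ban and a trusted-network allowlist to sshd log lines; the thresholds (3 failures in 30 seconds, 10 minute ban), the log year and the sample log are constructed assumptions, since the thread never settles on values.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd log (RFC 5737 documentation addresses), in time order.
SAMPLE_LOG = """\
Jul 21 09:00:01 fw sshd[1201]: Failed password for root from 203.0.113.7 port 40112 ssh2
Jul 21 09:00:02 fw sshd[1202]: Failed password for jsmith from 198.51.100.20 port 51000 ssh2
Jul 21 09:00:03 fw sshd[1203]: Failed password for admin from 192.0.2.10 port 51100 ssh2
Jul 21 09:00:04 fw sshd[1204]: Failed password for admin from 192.0.2.10 port 51101 ssh2
Jul 21 09:00:05 fw sshd[1205]: Failed password for invalid user test from 203.0.113.7 port 40113 ssh2
Jul 21 09:00:06 fw sshd[1206]: Failed password for admin from 192.0.2.10 port 51102 ssh2
Jul 21 09:00:09 fw sshd[1207]: Failed password for root from 203.0.113.7 port 40114 ssh2
Jul 21 09:00:12 fw sshd[1208]: Failed password for root from 203.0.113.7 port 40115 ssh2
Jul 21 09:00:20 fw sshd[1209]: Accepted publickey for admin from 192.0.2.10 port 51103 ssh2
Jul 21 09:01:10 fw sshd[1210]: Failed password for jsmith from 198.51.100.20 port 51001 ssh2
Jul 21 09:02:30 fw sshd[1211]: Failed password for jsmith from 198.51.100.20 port 51002 ssh2
Jul 21 09:15:00 fw sshd[1212]: Failed password for root from 203.0.113.7 port 40200 ssh2
Jul 21 09:15:03 fw sshd[1213]: Failed password for root from 203.0.113.7 port 40201 ssh2
Jul 21 09:15:04 fw sshd[1214]: Failed password for root from 203.0.113.7 port 40202 ssh2
"""

# The greedy ".*" plus the end anchor binds the address to the LAST " from "
# on the line, so text inside the attempted username cannot pose as the source.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?.* from (?P<ip>\S+) port \d+ ssh2$"
)


def find_bans(lines, max_attempts=3, window=timedelta(seconds=30),
              bantime=timedelta(minutes=10), allowlist=(), year=2009):
    """Return [(ip, iso_timestamp)] for every ban the policy would issue.

    max_attempts/window are the thread's "X attempts in Y seconds"; the
    defaults are assumed values. Syslog timestamps carry no year, so one is
    supplied. Lines are expected in chronological order.
    """
    trusted = [ipaddress.ip_network(net) for net in allowlist]
    recent = defaultdict(deque)   # source -> timestamps of recent failures
    banned_until = {}             # source -> time the current ban expires
    bans = []
    for line in lines:
        match = FAILED_RE.match(line)
        if not match:
            continue              # successful logins and unrelated messages
        try:
            source = ipaddress.ip_address(match.group("ip"))
        except ValueError:
            continue              # not a valid address, ignore the line
        when = datetime.strptime(f"{year} {match.group('ts')}",
                                 "%Y %b %d %H:%M:%S")
        if any(source in net for net in trusted):
            continue              # never lock out the admin networks
        if banned_until.get(source, datetime.min) > when:
            continue              # already banned; a firewall would drop this
        attempts = recent[source]
        attempts.append(when)
        while when - attempts[0] > window:
            attempts.popleft()    # forget failures older than the window
        if len(attempts) >= max_attempts:
            banned_until[source] = when + bantime
            bans.append((str(source), when.isoformat()))
            attempts.clear()
    return bans


if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG.splitlines(),
                              allowlist=["192.0.2.0/24"]):
        print(f"{when} ban {ip}")
```

The slow failures from 198.51.100.20 never reach the threshold, and 203.0.113.7 is banned a second time once its first ban has expired and it resumes.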
Re: [pfSense Support] 1U Case Reco
I don't know if it meets all of your requirements but I do quite a few installs on http://www.ironsystems.com AR230.

Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com

On Tue, Jul 21, 2009 at 7:46 PM, Joseph L. Casale jcas...@activenetwerx.com wrote:
Anyone know who makes a decent 1u case with the eth and peripheral slot open in the front and that also redirects the leds up front for a Soekris 5501? If need be, I am open to a different mobo suggestion as well, I just need ~4 eth ports and an embedded design resilient to any potential power outages at this location.
Thanks, jlc
Re: [pfSense Support] Pfsense + Postfix (Relay)
I would assume you could do this with pkg_add but I have no clue...

Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com

On Tue, May 19, 2009 at 9:56 AM, Jean Carlos Coelho jean.lis...@gmail.com wrote:
Hi all.. a question.. Is it possible to install postfix in pfsense 1.2.2 only for mail relay? How can I install into it? (I am a newbie), thanks!!
[pfSense Support] Captive Portal Page
Does anyone know where I can find a nice templated captive portal page. Something with a simple header, ULA and Login. I know it sounds so simple, but my web skillz are limited...

Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com
Re: [pfSense Support] PPTP Hangs at Verifying Username and Password
What firewall does the network you are originating traffic from have?

Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com

On Fri, May 1, 2009 at 12:21 PM, Marty Nelson mnel...@transdyn.com wrote:
Happy Friday all. I have a pfSense box running version 1.2.2 and I’m trying to get the PPTP server working on it. I’ve enabled it, created a rule to pass all PPTP traffic and I’ve also created a test user. The problem I’m having is that when I try to connect it hangs on “verifying username and password”. Nothing shows up in the PPTP logs, and I mean nothing. Any ideas would be greatly appreciated.
Thanks, -Marty
Re: [pfSense Support] Re: Can captive portal authenticate based on windows login
Barracuda bases logins 100% on IP address when used as a transparent proxy. User opens browser and looks at google.com, the barracuda gets IP information from the Audit of login/logout on the domain controller and associates a user. The barracuda checks the user against a group and then allows or denies them access to the destination. 100% IP address, no plugin required.

Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com

On Wed, Apr 22, 2009 at 1:00 AM, Glenn Kelley gl...@typo3usa.com wrote:
I believe the barracuda does this only when the outlook plugin has been downloaded - I could be wrong however but at least that is our experience thus far. - actually there is one other time - when they are part of a windows network and ldap is involved already...

On Apr 22, 2009, at 12:52 AM, Curtis LaMasters wrote:
's Web Filter does this. I know you have to install a DC client on the domain controllers that keys off of event log logins/offs and reports to the filter. Probably not what you need but it's an option.
Re: [pfSense Support] Re: Can captive portal authenticate based on windows login
Somehow Barracuda's Web Filter does this. I know you have to install a DC client on the domain controllers that keys off of event log logins/offs and reports to the filter. Probably not what you need but it's an option.

Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com

On Tue, Apr 21, 2009 at 11:32 PM, Dave Warren dave-use...@djwcomputers.com wrote:
In message ffb190ee79ba57428e06ab63df10963bfcbe1d9...@hivemind.integrita.internal Dimitri Rodis dimit...@integritasystems.com was claimed to have wrote:
Single Sign-on (aka one set of credentials) is one thing, the captive portal's ability to automatically _receive_ (and authenticate) the credentials from the requesting client/browser is another. Unless I'm misunderstanding, Ryan wants to get rid of the username/password prompt from the captive portal, and have the current windows logon credentials automatically pass to the captive portal, which is currently not possible with pfSense-- ISA Server is the only thing I know of that does this.

It can be done by any 'ol proxy that supports kerberos, but the browser needs to know it's talking to a proxy to even try to authenticate, so it would still take some browser configuration.
Re: [pfSense Support] csico vpn client and pfsense
I don't know about acting as a client but you should be able to do a site-to-site tunnel between the two quite easily. Make sure on the Cisco side you disable xauth and PFS if they are on...it's been a while since I've been on a VPN concentrator.

Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com

On Fri, Apr 10, 2009 at 5:33 AM, Mikel Jimenez Fernandez mi...@irontec.com wrote:
Hello to everybody
Can Pfsense act as cisco vpn client software to access cisco vpn concentrator?
Thanks
Re: [pfSense Support] Moving Target - How do people track down bandwidth usage...?
I monitor ports on a managed switch with SNMP using Cacti or similar. Obviously not for everyone but at least I can determine who the problem child is. I have used NTOP in the past but my NTOP skills are lacking.

Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com

On Thu, Apr 9, 2009 at 9:05 AM, Jaime Díaz jnd...@gmail.com wrote:
On Thu, Apr 9, 2009 at 9:56 AM, Chuck Mariotti cmario...@xunity.com wrote:
Are either of these safe to run on embedded (Alix)? I did a custom install so that I can install Packages, so that I could run snort, but I can't seem to keep snort running, keeps shutting down by itself. So wonder if I'll run into any issues with these...

-Original Message-
From: Jaime Díaz [mailto:jnd...@gmail.com]
Sent: Thursday, April 09, 2009 8:50 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Moving Target - How do people track down bandwidth usage...?

On Thu, Apr 9, 2009 at 9:39 AM, Chuck Mariotti cmario...@xunity.com wrote:
Yesterday we had a huge hit on our bandwidth for a period of time... How are people tracking down bandwidth usage to specific machines, etc...? By the time I captured some packets and pulled up wireshark, the hit was gone. It showed up later in the day, but again, too fast to track down. Is there an easy way to track down specifically what machines are using up bandwidth?
Regards, Chuck

You could use bandwidthd or ntop to track down those users.

Sorry, I didn't know you were running on an embedded platform. I wouldn't run it on such hardware.
Re: [pfSense Support] First Embedded System
Everything I have heard and actually witnessed with the ALIX systems is that they are very stable. There has been discussion about reasons to use the full image on the ALIX systems instead of the embedded version but I cannot speak as to why.

Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com

On Wed, Apr 8, 2009 at 11:13 AM, Joseph L. Casale jcas...@activenetwerx.com wrote:
I am about to order hardware to make my first embedded system and am thinking of an ALIX.2D3 as it covers port wise all that I need. This will function for a very small lan 10 clients, are there any opinions anyone can share about possibly better choices or more reliable setups? Thanks for any points!
jlc
Re: [pfSense Support] Massive static route load
If I understand you correctly, you can just add them from the GUI from System > Static Routes. If that isn't what you needed, let us know.

Curtis

On 3/16/09, luismi asturlui...@gmail.com wrote:
Hi all, Is there any way to load several static routes at the same time?

-- Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com
Re: [pfSense Support] pfSense to use with production web server
Depending on the size of the internal network, added security can be had with the SNORT package on pfSense. Though it's not considered a layer 7 firewall (I don't think :)) It does help protect against or at least alert on some of the threats that were mentioned in the posting.

Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com

On Wed, Mar 4, 2009 at 12:04 PM, RB aoz@gmail.com wrote:
On Wed, Mar 4, 2009 at 09:30, Vick Khera vi...@khera.org wrote:
What threats are you defending against? The firewall will not protect you against application flaws such as cross site scripting and SQL injection attacks.

I agree, but given the context and content (no disrespect intended either), I'm not sure Raleigh knows what he's looking for or what he's defending against.

Raleigh: the most basic form of firewalling today is precisely what you stated - packet filtering. Firewalls in this category (pfSense included) filter at OSI layers 2-4, meaning they don't get any deeper into the packet than IP and port number. This defends against basic attacks & reconnaissance including some DoS, address spoofing, port scanning, and so on. pfSense also adds load balancing, VPN termination, and other border services as well.

If, as Ben & Vick have asked, you are interested in application-level filtering (SQL injection, XSS, and other layer 7 attacks), you'll need to look at something more like a reverse proxy running mod_security - pfSense does not offer application-level filters.
RB
Re: [pfSense Support] Not all Virtual IP's forwarding correctly
Firewall Rules should look something like this...

TCP | * | * | 192.168.1.10 | 80 (HTTP) | * | | NAT HTTP to 1st server
TCP | * | * | 192.168.1.11 | 80 (HTTP) | * | | NAT HTTP to 2nd server
TCP | * | * | 192.168.1.12 | 80 (HTTP) | * | | NAT HTTP to 3rd server

NAT rules should look something like this...

WAN | TCP | 80 (HTTP) | 192.168.1.10 (ext.: x.x.x.126) | 80 (HTTP) | HTTP to 1st server
WAN | TCP | 80 (HTTP) | 192.168.1.11 (ext.: x.x.x.127) | 80 (HTTP) | HTTP to 2nd server
WAN | TCP | 80 (HTTP) | 192.168.1.12 (ext.: x.x.x.128) | 80 (HTTP) | HTTP to 3rd server

Virtual IPs should look something like this...

x.x.x.127 | CARP | VIP1
x.x.x.128 | CARP | VIP1

note... the 126 IP in this case is attached to the WAN interface. If you create your rules from the NAT configuration, they will show up like this (easy as pie). Let me know what it looks like on your end.

Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com

On Tue, Mar 3, 2009 at 6:53 AM, Matthias Niggemeier m...@thias.de wrote:
From: Abdulrehman [mailto:arvagabo...@gmail.com]
Sent: Tuesday, 3 March 2009 07:16
To: support@pfsense.com
Subject: Re: [pfSense Support] Not all Virtual IP's forwarding correctly

Don't confuse guys up here...!
1. where your IP is blocked...at ISP end or somewhere on internet..?

Don't be confused... he has a block of IP addresses; what he wants to say is a range of addresses (i.e. his ISP gave him a subnet with official addresses)

2. The second set and its port forwarding work without issue (port

He forwards port 80 of to an internal server

3. Now I do have port 80 forwarded to different servers depending on the ip on the WAN port...what does it mean?

As I understand it, he wants to have multiple IPs on the WAN side and forward port 80 to different internal servers depending on which WAN IP the request was received. I don't think he can do this through the gui, maybe some config.xml-hacking does the trick.

Paul, in the subject you talk about Virtual IPs. Please read the manual; the Virtual IP-Settings in the pfsense-GUI are not what you believe you understood. A VIP is NOT a second address for an Interface as you need it. You can make a backup of your config, edit the resulting xml file and restore it (search the web; there is a howto in pfsense.org). I haven’t done port forwarding yet, so I cannot help you at this point.
Regards Matthias

On Tue, Mar 3, 2009 at 7:40 AM, Paul joyride...@gmail.com wrote:
We have a block ip address from our provider. The main ip for our network and its port forwarding works well. I created 2 virtual ip's. The second set and its port forwarding work without issue (port 80) that go to another server. The 3rd virtual ip I created partially works. SSH works. I then forwarded 80 with it and it does not work. I can pull up the webpage internally though. Now I do have port 80 forwarded to different servers depending on the ip on the WAN port. What do I need to provide to see why it's not working for help
Thanks
Re: [pfSense Support] PfSense OpenVPN key generation
Try the scripts that Scott has published on the forums.

Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com

On Thu, Feb 26, 2009 at 3:48 PM, Steve Spencer sspen...@kdsi.net wrote:
I attempted this yesterday, but when I copied the keys in I received a message that the keys appeared to be invalid. I'm wondering if I'm copying white-space somehow. Any help is appreciated.
Steve

Mikel Jimenez Fernandez wrote:
Hello
I recommend you to use easy-rsa scripts of openvpn

Steve Spencer wrote:
OK, I've read the previous posts with regard to OpenVPN and I'm ready to take my excellent PfSense firewall to the next level with a VPN. I'd like to create the keys for the server on a Linux box and wonder if anyone has a quick how-to on generating the x509 keys on that platform.
Thanks,

-- Steven G. Spencer, Network Administrator KSC Corporate - The Kelly Supply Family of Companies Office 308-382-8764 Ext. 231 Mobile 308-380-7957
Re: [pfSense Support] Need help regarding the initial configuration of pfsense
Sumesh, If you need a NAT router, then you should not be setting up a transparent bridge. Unless you are having a strange network or hardware issue, once you install or assign the NIC's to WAN and LAN, you have a fully functioning firewall. Really no more configuration is required if you don't want to.

Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com

On Wed, Feb 25, 2009 at 5:09 AM, Paul Mansfield it-admin-pfse...@taptu.com wrote:
Sumesh T A wrote:
Dear All
I have installed pfsense successfully. I need to use pfsense box as a NAT router BOX. But I am unable to get it to work as expected. Can somebody send me documentation needed for the same.
-- T. A. Sumesh Lecturer, CSED NIT Calicut

Am I the only one to find this scary? I was curious as to what CSED/NIT was. http://www.nitc.ac.in/nitc/sree/dept.jsp?dpt=Computer
Maybe pfsense is *too* easy for people to install? :-(
Re: [pfSense Support] Need help regarding the initial configuration of pfsense
What exactly is not working? Are you able to get to the internet from LAN?

Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com

On Wed, Feb 25, 2009 at 9:16 AM, Sumesh T A sumesh.n...@gmail.com wrote:
Curtis
I have tried all these even before I sent this query to the support forum. There are no hardware issues.

On Wed, Feb 25, 2009 at 6:23 PM, Curtis LaMasters curtislamast...@gmail.com wrote:
Sumesh, If you need a NAT router, then you should not be setting up a transparent bridge. Unless you are having a strange network or hardware issue, once you install or assign the NIC's to WAN and LAN, you have a fully functioning firewall. Really no more configuration is required if you don't want to.

Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com

On Wed, Feb 25, 2009 at 5:09 AM, Paul Mansfield it-admin-pfse...@taptu.com wrote:
Sumesh T A wrote:
Dear All
I have installed pfsense successfully. I need to use pfsense box as a NAT router BOX. But I am unable to get it to work as expected. Can somebody send me documentation needed for the same.
-- T. A. Sumesh Lecturer, CSED NIT Calicut

Am I the only one to find this scary? I was curious as to what CSED/NIT was. http://www.nitc.ac.in/nitc/sree/dept.jsp?dpt=Computer
Maybe pfsense is *too* easy for people to install? :-(

-- T. A. Sumesh Lecturer, CSED NIT Calicut
Re: [pfSense Support] Need help regarding the initial configuration of pfsense
I don't recall...does pfSense allow ICMP by default? Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com On Wed, Feb 25, 2009 at 9:29 AM, Sumesh T A sumesh.n...@gmail.com wrote: Nelson intel chipsets...moreover both the NICs are pinging On Wed, Feb 25, 2009 at 8:54 PM, Sumesh T A sumesh.n...@gmail.com wrote: No i am unable to get connected to internet. I am can ping my WAN IP. I cannot ping my gateway of WAN network On Wed, Feb 25, 2009 at 8:49 PM, Curtis LaMasters curtislamast...@gmail.com wrote: What exactly is not working? Are you able to get to the internet from LAN? Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com On Wed, Feb 25, 2009 at 9:16 AM, Sumesh T A sumesh.n...@gmail.com wrote: Curtis I have tried all these even before i sent this query to the support forum. There are no hardware issues. On Wed, Feb 25, 2009 at 6:23 PM, Curtis LaMasters curtislamast...@gmail.com wrote: Sumesh, If you need a NAT router, then you should not be setting up a transparent bridge. Unless you are having a strange network or hardware issue, once you install or assign the NIC's to WAN and LAN, you have a fully functioning firewall. Really no more configuration is required if you don't want to. Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com On Wed, Feb 25, 2009 at 5:09 AM, Paul Mansfield it-admin-pfse...@taptu.com wrote: Sumesh T A wrote: Dear All I have installed pfsense successfully. I need to use pfsense box as a NAT router BOX. But i am unable get it work as expected. Can somebody send me documentation needed for the same. -- T. A. Sumesh Lecturer, CSED NIT Calicut I am the only one to find this scary? I was curious as to what CSED/NIT was. http://www.nitc.ac.in/nitc/sree/dept.jsp?dpt=Computer Maybe pfsense is *too* easy for people to install? 
:-(

-- T. A. Sumesh Lecturer, CSED NIT Calicut
Re: [pfSense Support] Need help regarding the initial configuration of pfsense
Anything in the system log?

Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com

On Wed, Feb 25, 2009 at 11:15 AM, Sumesh T A sumesh.n...@gmail.com wrote: With all the conditions that you have mentioned I am unable to ping an external IP

On Wed, Feb 25, 2009 at 9:27 PM, RB aoz@gmail.com wrote: On Wed, Feb 25, 2009 at 08:41, Sumesh T A sumesh.n...@gmail.com wrote: It is static

So, presuming all other routing is normal (you've not set up any static routes, no address space conflicts, etc.), can you ping an external IP, like 4.2.2.2?

-- T. A. Sumesh Lecturer, CSED NIT Calicut
Re: [pfSense Support] Re: Not resolving external addresses
I personally do not run tinydns on pf but would the DNS forwarder and DNS package ever conflict? Try disabling the DNS forwarder to see if that solves your issue.

Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com

On Sat, Feb 21, 2009 at 1:06 AM, Victor Padro vpa...@gmail.com wrote: On Fri, Feb 20, 2009 at 11:49 AM, Victor Padro vpa...@gmail.com wrote: Hola to everyone! First of all, thank you for this great project! Now, to business.

My PFsense setup is very simple: 1 WAN (ADSL 1Mbps/256Kbps) and 1 LAN (Gigabit Network). DHCP is enabled and configured to use Pfsense IP as Gateway and DNS. DNS Forwarder is enabled with the register DHCP leases option. I installed the DNS package (TinyDNS) and configured it correctly, all my servers and workstations resolve names internally without any issue.

The issue comes when at any given time of the day my whole network can't resolve external names, can't access gmail.com, yahoo.com, etc. The partial solution that I found is that if I stop the DNS service (TinyDNS only) and wait for a couple of minutes then I can resolve names externally as usual, but not internally, ok? So I have to start the DNS service again and voila! Everything goes normal for about 24hrs or less, then I have to do the same ritual in order to get things working.

Is this behaviour normal? I searched in the forum to see if anybody had the same or a similar situation and I found that it could be normal, but I need to be sure. Another solution that I can think of is to just use PFsense as a DNS forwarder only and set up a box with Bind or TinyDNS.

Any help/comment given will be appreciated, Thank you

P.S. I had this same issue with another box using dual wan balancing.

-- It is human nature to think wisely and act in an absurd fashion. All the disorder in the world comes from professions served badly or mediocrely

No one?

-- It is human nature to think wisely and act in an absurd fashion.
All the disorder in the world comes from professions served badly or mediocrely
Re: [pfSense Support] Packets get lost inside router
I think what you are describing is the need for nat-reflection. You can enable this in the advanced settings I believe, however, it may not work with dual-wan setups.

Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com

On Fri, Feb 20, 2009 at 1:07 AM, Veiko Kukk veiko.k...@krediidipank.ee wrote: Hi, I have a dual router configuration, 1 lan, 3 wan, 2 isp-s. Port 25 is forwarded to the email server in the lan network. Default route is wan1. When I try to telnet from lan to wan2 port 25, I get no connection, but I can ping wan2 from lan. Telnet to wan1 and wan2 from outside works perfectly. What might be the problem? Where do the packets get lost? --- Veiko
Re: [pfSense Support] Support CARP active/active
You could manually load balance I believe by making the Advertising Frequency of the virtual IP higher or lower on each of the firewalls. Probably not easy to troubleshoot or manage.

Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com

On Mon, Feb 16, 2009 at 9:38 AM, Gary Buckmaster g...@centipedenetworks.com wrote: cassio lima wrote: hi friends pfsense in the support carp mode active / active and how I can configure?

No, it does not support active/active.
Re: [pfSense Support] DNS
For installing packages on flash based systems.

Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com

On Thu, Feb 12, 2009 at 4:22 AM, Nick Upson nick.up...@gmail.com wrote: for which issue or both?

2009/2/11 Curtis LaMasters curtislamast...@gmail.com: There are workarounds for this. Check the forums/archive.

Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com

On Wed, Feb 11, 2009 at 9:32 AM, Nick Upson nick.up...@gmail.com wrote: unfortunately we are currently running from flash, which I understand disables access to System-Packages. This was due to issues with the initial disk format not working on install

2009/2/11 Curtis LaMasters curtislamast...@gmail.com: System > Packages > DNS-Server - based on tiny dns I think..

Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com

On Wed, Feb 11, 2009 at 8:35 AM, Nick Upson nick.up...@gmail.com wrote: there is a DNS server package available. - pointer please. small network with minimal or no internal servers is a pretty good description for the setup I'm currently dealing with

2009/2/11 Chris Buechler c...@pfsense.org: On Wed, Feb 11, 2009 at 8:39 AM, Rainer Duffner rai...@ultra-secure.de wrote: pfSense doesn't implement a full DNS (AFAIK). It's mainly a resolver-cache.

Not built in, there is a DNS server package available.

The firewall is certainly *not* an ideal place to put the (internal) DNS, though.

That's not universally true, if you have a small network with minimal or no internal servers, it's commonly your best option for a caching resolver. If you have a sizable network with multiple internal servers, or one where you're using something like Active Directory that relies on DNS, then I agree.
Re: [pfSense Support] DNS
System > Packages > DNS-Server - based on tiny dns I think..

Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com

On Wed, Feb 11, 2009 at 8:35 AM, Nick Upson nick.up...@gmail.com wrote: there is a DNS server package available. - pointer please. small network with minimal or no internal servers is a pretty good description for the setup I'm currently dealing with

2009/2/11 Chris Buechler c...@pfsense.org: On Wed, Feb 11, 2009 at 8:39 AM, Rainer Duffner rai...@ultra-secure.de wrote: pfSense doesn't implement a full DNS (AFAIK). It's mainly a resolver-cache.

Not built in, there is a DNS server package available.

The firewall is certainly *not* an ideal place to put the (internal) DNS, though.

That's not universally true, if you have a small network with minimal or no internal servers, it's commonly your best option for a caching resolver. If you have a sizable network with multiple internal servers, or one where you're using something like Active Directory that relies on DNS, then I agree.
Re: [pfSense Support] DNS
There are workarounds for this. Check the forums/archive.

Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com

On Wed, Feb 11, 2009 at 9:32 AM, Nick Upson nick.up...@gmail.com wrote: unfortunately we are currently running from flash, which I understand disables access to System-Packages. This was due to issues with the initial disk format not working on install

2009/2/11 Curtis LaMasters curtislamast...@gmail.com: System > Packages > DNS-Server - based on tiny dns I think..

Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com

On Wed, Feb 11, 2009 at 8:35 AM, Nick Upson nick.up...@gmail.com wrote: there is a DNS server package available. - pointer please. small network with minimal or no internal servers is a pretty good description for the setup I'm currently dealing with

2009/2/11 Chris Buechler c...@pfsense.org: On Wed, Feb 11, 2009 at 8:39 AM, Rainer Duffner rai...@ultra-secure.de wrote: pfSense doesn't implement a full DNS (AFAIK). It's mainly a resolver-cache.

Not built in, there is a DNS server package available.

The firewall is certainly *not* an ideal place to put the (internal) DNS, though.

That's not universally true, if you have a small network with minimal or no internal servers, it's commonly your best option for a caching resolver. If you have a sizable network with multiple internal servers, or one where you're using something like Active Directory that relies on DNS, then I agree.
Re: [pfSense Support] Re: Can't get more than 15kpps.
I don't want to sound stupid or make this very complex network sound like it has a simple issue, but the support on this jumped straight from I have a speed problem to some fairly complex stuff. I have sites with the same throughput needs without doing any type of debugging or CLI changes to the firewalls. Lenny, you said that you are connected to a Cisco switch on the GBIC interfaces, right? Have you statically set speed and duplex on those interfaces as well as on PF? I don't know what your skill level is on Cisco but check the interface for errors, resets, CRCs and watchdogs. Do the same on your pfSense box under the interface diagnostics. If all are 0's then I'll shut up but if you have anything besides that, then please consider these changes.

Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com

On Sun, Feb 8, 2009 at 7:22 AM, Lenny five2one.le...@gmail.com wrote: Hi, so after a long time of trying different things and some tests, I'm back to square one, but with some additional info.

Things I've done:
- Replaced the server. It's also an IBM x335, but with 2 Xeon 3.06GHz now. 2GB RAM. The only thing that's left from the old one is the Dual Intel NIC. I know it may very well be the reason for failures, but before I go buy a new one, I wanted to try everything else.
- I installed pfSense 1.2.2 and left the old configuration.
- Tried it with and without polling, and with and without checksum offloading. Nothing helped.
- I also bypassed the firewall and saw that without it everything works perfectly.

Now for the things I noticed yesterday (we had a high load):
- It was almost impossible to get through the firewall, good thing I had polling enabled, so I could ssh and see top -S. I saw that em0 and em1 taskq were 100% CPU each.
- The RRD graphs showed blank spaces as always in these situations.
- At one point I noticed that the states came up as high as 997000 out of 100.
So I increased the value to 200, but the second I did that it dropped to around 45 (weird or what?). Also, it's strange that I still have around 25 states, even when the actual sessions number is near 2 (according to Alteon), isn't it supposed to be somewhere near 6-8 states? And I'm talking about 15 hours after the change. The load I'm talking about (that was yesterday) is 18-20 kpps, around 150Mb/s traffic.

I also started reading about em taskq on FreeBSD and I saw a couple of other guys having this problem. Those guys were advised to start tweaking sysctl and loader.conf. No success stories were published though. But before I do that, I was wondering if there is anything else I can do.

The last, but definitely not least is that I realized that a static route was on the wrong interface. Here's how: my setup goes like this.

[squids]10.0.0.160/27 10.0.0.161[alteon]192.168.5.2--192.168.5.1[pfSense]11.11.11.11-Internet

Obviously the IPs are fictional. Now the route I had on the firewall is 10.0.0.160/27 through gateway 192.168.5.2, but it was on the WAN interface! Yesterday I changed the interface to OPT1, which is the one connected to the Alteon. But I won't be able to see the effect of it till Saturday (this is my biggest problem - I can only test it on Saturdays, because this is when our website is loaded). Is there any chance that it was the solution to my problem? Sorry for the long post. Thanks, Lenny.

On Sun, Dec 21, 2008 at 12:45 AM, Lenny five2one.le...@gmail.com wrote: Hi, I'm kind of desperate here, so please try to help me. Here's my problem: I have a setup in production (a very dynamic website). It consists of pfsense--Alteon Load Balancer--IBM Bladecenter (with a Squids cluster on it). pfsense is installed on IBM x335 with 2 Xeon 2.4GHz, 2GB RAM, and Dual Intel NIC PCI-X 1Gb. I'm connected with 1Gb to the ISP. The problem is that no matter what I do, I can't get more than 15kpps. After that I start to get a lot of packet loss.
At first I was sure that the ISP has me on QoS, because I never saw traffic going over 100Mb/s, but then to convince me they downloaded some large files from my servers and came up as high as 170Mb/s. So that one was out. Next I changed the NICs (I used the onboard Broadcom at first) and it did save me from the need to do Device Polling, and I have no more interrupt using half the CPU, but not more than that. So I upgraded to 1.2.1 RC3. And still - the most I saw was 14kpps and 102 Mb/s. I have 70 states entered, while I never saw it going over 25 in reality. The files transferred are rather small, 600KB being the largest. As for the Alteon, at first it was connected via another Broadcom fibre NIC (Alteon only has 1 fibre uplink that's 1Gb), but now that I use an Intel Dual - I connected it to a Cisco Gbic and from there to the Alteon by another fibre Gbic (don't judge me - I don't have a giga switch). I know it's
Re: [pfSense Support] what VPN to use
+1 for OpenVPN. Once you wrap your head around the certificate creation, it's quite easy and in each instance where I have both Cisco VPN and OpenVPN, performance is better for OpenVPN.

Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com

On Fri, Feb 6, 2009 at 11:04 AM, Hassan Manji hkma...@gmail.com wrote: Just to add my support for OpenVPN. We use OpenVPN between offices (using PFSense boxes) and the OpenVPN gui on windows machines direct to HQ PFSense box. Works sweet. Rgds Hassan

On Fri, Feb 6, 2009 at 3:24 PM, Oliver von Bueren maill...@ovb.ch wrote: Hi

Nick Upson wrote: Hi, I'm intending to implement VPN into our network, from various windows machines at people's houses. Can anyone recommend a product that will work well with pfsense

I recommend OpenVPN with pfSense. I've deployed it for various windows machines using version 2.0.9. As a helper I used the openvpn-gui-1.0.3.exe so that the user can control the connection. Oliver
Re: [pfSense Support] what VPN to use
But what if I want to VPN with my iPhone :) /kidding

Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com

On Fri, Feb 6, 2009 at 11:25 AM, Tim Nelson tnel...@rockbochs.com wrote: Replying to myself here. In the current version of pfSense, I do not believe it is possible to firewall/filter traffic on your OpenVPN interfaces. IIRC, this functionality is coming in 2.0. If you need filtering, you may want to look at IPSEC instead. Just please for the love of insert your favorite deity here, don't use PPTP. :-) Tim Nelson Systems/Network Support Rockbochs Inc. (218)727-4332 x105

- Tim Nelson tnel...@rockbochs.com wrote: OpenVPN! Secure, robust, and stable. What more could you ask? Tim Nelson Systems/Network Support Rockbochs Inc. (218)727-4332 x105

- Nick Upson nick.up...@gmail.com wrote: Hi, I'm intending to implement VPN into our network, from various windows machines at people's houses. Can anyone recommend a product that will work well with pfsense
Re: [pfSense Support] Problems with 2nd phase IPsec between Openswan and pfSense racoon
I don't use certs on ipsec but from the sounds of it, pfSense can't find the certificate, it's in the wrong format or a permissions issue.

Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com

On Tue, Feb 3, 2009 at 4:38 AM, Xesc Arbona x.arb...@topdesk.com wrote: Hi, I'm trying to set a VPN tunnel between a Debian GNU/Linux machine with Openswan 2.4.6 and a box with pfSense 1.2.2. I'm using X.509 certificates and my configuration is:

linux:

    conn pfsense2linux
        left=192.168.251.3
        leftnexthop=192.168.1.1
        leftid=@pfsense.foo.bar
        leftsubnet=10.5.0.0/22
        right=192.168.250.2
        rightid="C=NL, L=Spook, O=Foo, CN=linux.foo.bar"
        rightcert=linux.crt
        rightsubnet=10.0.0.0/22
        rightnexthop=192.168.250.1
        type=tunnel
        ## Automatic keying
        keyexchange=ike
        rekey=yes
        keylife=12h
        auth=esp
        keyingtries=3
        ## RSA authentication
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        leftca=%same
        rightca=%same
        auto=start

pfsense:

    MyIdentifier: Domain = pfsense.foo.bar
    Authentication method: RSA signature
    Certificate: pasted PEM pfsense.crt
    Private key: pasted PEM pfsense.key

There is a machine in the middle, with networks 192.168.250.0/24 and 192.168.251.0/24, acting as a WAN emulator. No packets are lost. I get an ISAKMP SA established, but the pfsense box doesn't answer the 2nd phase request:

    104 pfsense2linux #31: STATE_MAIN_I1: initiate
    003 pfsense2linux #31: received Vendor ID payload [Dead Peer Detection]
    106 pfsense2linux #31: STATE_MAIN_I2: sent MI2, expecting MR2
    108 pfsense2linux #31: STATE_MAIN_I3: sent MI3, expecting MR3
    004 pfsense2linux #31: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
    117 pfsense2linux #32: STATE_QUICK_I1: initiate
    010 pfsense2linux #32: STATE_QUICK_I1: retransmission; will wait 20s for response
    010 pfsense2linux #32: STATE_QUICK_I1: retransmission; will wait 40s for response
    031 pfsense2linux #32: max number of retransmissions (2) reached STATE_QUICK_I1.
    No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
    000 pfsense2linux #32: starting keying attempt 2 of at most 3, but releasing whack

On the pfSense machine logs I've found:

    Feb 3 10:53:04 racoon: ERROR: failed to pre-process packet.
    Feb 3 10:53:04 racoon: ERROR: failed to get sainfo.
    Feb 3 10:53:04 racoon: ERROR: failed to get sainfo.
    Feb 3 10:53:04 racoon: [NL Spook]: INFO: respond new phase 2 negotiation: 192.168.251.3[0]=192.168.250.2[0]
    Feb 3 10:53:04 racoon: [NL Spook]: INFO: ISAKMP-SA established 192.168.251.3[500]-192.168.250.2[500] spi:82d506c13c91ba76:d13128841f0c0f60
    Feb 3 10:53:04 racoon: WARNING: unable to get certificate CRL(3) at depth:1 SubjectName:/DC=bar/DC=foo/CN=rootca.foo.bar
    Feb 3 10:53:04 racoon: WARNING: unable to get certificate CRL(3) at depth:0 SubjectName:/C=NL/L=Spook/O=Foo/CN=linux.foo.bar
    Feb 3 10:53:04 racoon: WARNING: No ID match.
    Feb 3 10:53:04 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
    Feb 3 10:53:04 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Feb 3 10:53:04 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Feb 3 10:53:04 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    Feb 3 10:53:04 racoon: INFO: received Vendor ID: RFC 3947
    Feb 3 10:53:04 racoon: INFO: received Vendor ID: DPD
    Feb 3 10:53:04 racoon: INFO: begin Identity Protection mode.
    Feb 3 10:53:04 racoon: [NL Spook]: INFO: respond new phase 1 negotiation: 192.168.251.3[500]=192.168.250.2[500]

I've searched in several forums, but I didn't find a solution. Pfsense machine doesn't send any packet in response. How can I get more detailed logs from racoon? Any ideas? Thank you very much! Best regards, -- Xesc Arbona
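As an added example (not part of the thread, and not pfSense or racoon code), the racoon lines pasted above can be put back into time order and sorted by negotiation phase, which shows which warnings were survived in phase 1 and where the exchange actually stopped. It assumes the paste is newest-first, as the pfSense log view lists it, and covers a single negotiation; the `IPsec-SA established` milestone and the hint text for `failed to get sainfo` come from general racoon behaviour, not from the thread.

```python
import re

# The racoon lines quoted in the message above, in the order they were pasted.
PASTED_LOG = """\
Feb 3 10:53:04 racoon: ERROR: failed to pre-process packet.
Feb 3 10:53:04 racoon: ERROR: failed to get sainfo.
Feb 3 10:53:04 racoon: ERROR: failed to get sainfo.
Feb 3 10:53:04 racoon: [NL Spook]: INFO: respond new phase 2 negotiation: 192.168.251.3[0]=192.168.250.2[0]
Feb 3 10:53:04 racoon: [NL Spook]: INFO: ISAKMP-SA established 192.168.251.3[500]-192.168.250.2[500] spi:82d506c13c91ba76:d13128841f0c0f60
Feb 3 10:53:04 racoon: WARNING: unable to get certificate CRL(3) at depth:1 SubjectName:/DC=bar/DC=foo/CN=rootca.foo.bar
Feb 3 10:53:04 racoon: WARNING: unable to get certificate CRL(3) at depth:0 SubjectName:/C=NL/L=Spook/O=Foo/CN=linux.foo.bar
Feb 3 10:53:04 racoon: WARNING: No ID match.
Feb 3 10:53:04 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
Feb 3 10:53:04 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Feb 3 10:53:04 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Feb 3 10:53:04 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Feb 3 10:53:04 racoon: INFO: received Vendor ID: RFC 3947
Feb 3 10:53:04 racoon: INFO: received Vendor ID: DPD
Feb 3 10:53:04 racoon: INFO: begin Identity Protection mode.
Feb 3 10:53:04 racoon: [NL Spook]: INFO: respond new phase 1 negotiation: 192.168.251.3[500]=192.168.250.2[500]
"""

# syslog timestamp, optional "[peer]: " tag, severity, message text
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) racoon: "
    r"(?:\[(?P<peer>[^\]]*)\]: )?"
    r"(?P<level>INFO|WARNING|ERROR): (?P<msg>.*)$"
)

# Message prefixes that mark progress through IKE. The last one does not
# occur in the pasted log; it is what racoon prints when phase 2 completes.
MILESTONES = (
    ("respond new phase 1 negotiation", "phase1-start"),
    ("ISAKMP-SA established", "phase1-done"),
    ("respond new phase 2 negotiation", "phase2-start"),
    ("IPsec-SA established", "phase2-done"),
)

# Reading of one error string (this example's annotation, not the thread's).
HINTS = {
    "failed to get sainfo.":
        "no sainfo entry matched the phase 2 identities the peer proposed; "
        "compare the local/remote subnets configured on both ends",
}


def parse(text, newest_first=True):
    """Return the racoon events in chronological order."""
    events = []
    for raw in text.splitlines():
        match = LINE_RE.match(raw.strip())
        if match:
            events.append(match.groupdict())
    return events[::-1] if newest_first else events


def triage(events):
    """Attribute each warning/error to the milestone that preceded it."""
    stage = "idle"
    report = {"reached": [], "warnings": {}, "errors": {}, "hints": []}
    for ev in events:
        for prefix, name in MILESTONES:
            if ev["msg"].startswith(prefix):
                stage = name
                report["reached"].append(name)
                break
        if ev["level"] in ("WARNING", "ERROR"):
            key = "warnings" if ev["level"] == "WARNING" else "errors"
            report[key].setdefault(stage, []).append(ev["msg"])
            hint = HINTS.get(ev["msg"])
            if hint and hint not in report["hints"]:
                report["hints"].append(hint)
    # None means the negotiation ran to an established IPsec SA.
    report["stalled_after"] = None if stage == "phase2-done" else stage
    return report


if __name__ == "__main__":
    result = triage(parse(PASTED_LOG))
    print("milestones reached:", " -> ".join(result["reached"]))
    print("stalled after:", result["stalled_after"])
    for stage, msgs in result["warnings"].items():
        print(f"warnings during {stage}: {len(msgs)}")
    for stage, msgs in result["errors"].items():
        print(f"errors during {stage}: {msgs}")
    for hint in result["hints"]:
        print("hint:", hint)
```

Run on the pasted lines, the three warnings all fall before `ISAKMP-SA established`, and every error falls after `respond new phase 2 negotiation`.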
Re: [pfSense Support] how best to monitor openvpn connections
None that I am aware of in the package manager. You could possibly enable the openvpn manager but it lacks the security features I would like to have in place. Nagios or something similar may work for you.

Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com

On Sun, Feb 1, 2009 at 9:44 PM, Raymond Norton ad...@lctn.org wrote: I switched from IPCop to Pfsense because I needed multiple wan interfaces. Everything is working fine, including my first openvpn server. With IPCop I had a great gui to monitor the status of all connections. I am not seeing a similar way to monitor connections on my new Pfsense box. Looking through the forums, it seems it may not exist. I hope that is not the case. Is there a way to monitor vpn connections, or maybe an addon that allows this?
Re: [pfSense Support] 1.2.2 TCP Disconnects (sessions)
Thanks for your thoughts on this one. For me, it ended up being a dotnet application pool issue on the server set to 60 minutes instead of a specific time or 24 hours :).

Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com

On Sat, Jan 31, 2009 at 8:36 AM, Chris Bagnall li...@minotaur.cc wrote: are these on a managed switch so you can see if there are any errors, short frames, overruns etc?

One of the offices has a semi-managed switch, on which, looking at the stats I can't see anything obviously wrong. The other office just has an el-cheapo 5 port switch.

do you have tcp hand-off, polling or other option enabled?

Hardware offloading is enabled. Polling is disabled. The pfSense boxes in question are ALIX 2c0 boards, and the options (offloading on, polling off) are the same as the settings on the 1.2-RELEASE boxes.

MTU problems (unlikely)?

None that I can see. I can try upgrading the pfSense box (same hardware) at my home to 1.2.2 this weekend and see if I can introduce the same issue, if that's of any help diagnosing the issue? Regards, Chris
Re: [pfSense Support] 1.2.2 TCP Disconnects (sessions)
Confirmed... pfSense 1.2.2 has NOT had an adverse effect on our network. The problem was found on the Web server and has been 100% verified as the root cause.

Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com

On Sat, Jan 31, 2009 at 2:45 PM, Chris Buechler c...@pfsense.org wrote: On Sat, Jan 31, 2009 at 3:15 PM, Chris Bagnall li...@minotaur.cc wrote: Thanks for your thoughts on this one. For me, it ended up being a dotnet application pool issue on the server set to 60 minutes instead of a specific time or 24 hours :).

Just to confirm, are you saying that 1.2.2 has definitely *not* introduced any new issues in your environment?

That's what it sounds like, the issues he noted weren't anything like the ones you and LJ noted in this thread. If there are issues, they aren't widespread. Between our developers and commercial support customers, I know many of the biggest installs out there are on 1.2.2 and have no issues. The mail issue noted in this thread and the issues you noted, Chris, sound like they could be state keeping regressions for some rare edge cases. I'm curious if the newer FreeBSD in 1.2.3 snapshots changes anything, but recommend approaching it with caution as the change to 7.1 isn't widely tested yet. I know 7.1 has fixed hardware regressions from 6.2 to 7.0 for multiple people, and there are many people running it without problems, but still approach with caution at this point.
Re: [pfSense Support] 1.2.2 TCP Disconnects (sessions)
No load balancing. We are in HA but only a single internet connection and a single web server. One of our DNN sites has undergone major development as of late, I'm thinking that something with that process has fooked the other sites. I'm reading about application pools for dotnet right now, that may be the issue. Thanks for your thoughts. Curtis

were a firewall problem, it would be pages not loading at all, or page loads not completing, things of that nature - network connectivity problems. Getting kicked out of a session on a web server isn't a network connectivity problem.

unless he's using load balancing and the stickyness isn't working?
[pfSense Support] 1.2.2 TCP Disconnects (sessions)
At my company we host a large number of dotnet sites and have now been plagued with an issue in our hosting environment. Nearly all of our sites are now reporting periodic disconnects where users viewing the sites who have sessions on the servers (portals, forms, etc) get disconnected from the session and brought right back to the home page. To ME, this does not sound like a firewall issue, however, our first 3 reports of this happened the day after I upgraded from 1.2-RELEASE to 1.2.2. Any ideas? I'll upgrade to 1.2.3 during the next downtime but I don't want to do too much at a time.

Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com
Re: [pfSense Support] 1.2.2 TCP Disconnects (sessions)
No, typical users via the internet. However, I do not have that disabled at this time. Is that an issue?

Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com

On Thu, Jan 29, 2009 at 10:49 PM, Scott Ullrich sullr...@gmail.com wrote: On Thu, Jan 29, 2009 at 11:45 PM, Curtis LaMasters curtislamast...@gmail.com wrote: At my company we host a large number of dotnet sites and have now been plagued with an issue in our hosting environment. Nearly all of our sites are now reporting periodic disconnects where users viewing the sites who have sessions on the servers (portals, forms, etc) get disconnected from the session and brought right back to the home page. To ME, this does not sound like a firewall issue, however, our first 3 reports of this happened the day after I upgraded from 1.2-RELEASE to 1.2.2. Any ideas? I'll upgrade to 1.2.3 during the next downtime but I don't want to do too much at a time.

Are these connections using NAT Reflection? Scott
Re: [pfSense Support] Isolate network traffic
I echo Austin's remark. Private VLANs are really the only way to go unless you do it wirelessly which is probably not the case and would have nothing to do with pfsense.

Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com

On Sun, Jan 25, 2009 at 1:28 AM, Austin G. Smith aus...@digitalson.com wrote: Not sure if this went through last time I sent it: That would be available on your switch, it is called private vlan edge or pve. Cisco smb supports this. low entry cost. U designate the uplink and that's all the connected computers can access if they are a member of the pve. The sge and sfe models support this for sure. Sfe2000, sfe2010, sge2000, sge2010. Put a P on the end for the power over Ethernet version.

Thank you, Austin G. Smith, A+, MCP, MCPS, MCNPS (Network Infrastructure) DigitalSon, I.T. Services www.digitalson.com 678.213.0550 x:101 Office 678.213.0535 Fax Ask me about DigitalSon DataLocker - the affordable, secure backup solution!

-Original Message- From: Paul [mailto:joyride...@gmail.com] Sent: Sunday, January 25, 2009 1:32 AM To: support@pfsense.com Subject: [pfSense Support] Isolate network traffic

Not real familiar on how to accomplish this. Is there an easy way to isolate network traffic so that any computer connected can only pass traffic to the router and internet but not any other computer on the network. i.e. Infected computers cannot infect other computers on the network. paul
Re: [pfSense Support] Bandwidth problems/collisions/packet loss
I've seen this a few times on Cisco switches; telnet to the switch and look at the interface that is connected to the pfSense box (show int fastethernet 0/#) and see if it is running at full or half duplex. If it's half, then manually set the interface to full duplex with the following commands...

    conf t
    int fastethernet 0/$
    duplex full
    speed 100

You may need to power cycle the pfSense box but it should fix the issue. Ensure that you save the config on the Cisco switch with write memory. Sorry for the simplicity, I don't know what level of Cisco you are...

Curtis LaMasters
http://www.curtis-lamasters.com
http://www.builtnetworks.com

On Thu, Jan 15, 2009 at 10:09 PM, Ugo Bellavance u...@lubik.ca wrote:

Hi,

I'm trying to troubleshoot a problem on a PfSense 1.2-RELEASE, running on a P4 1.4, Hard-drive install, 1 GB RAM. WAN is vr0 and Lan (vlan0, vlan1 and vlan2) is on fxp0. WAN is auto-sense, and ends up 100baseTX (half-duplex, I guess) and fxp0 is 100basetx full-duplex. vr0 is connected directly into the ISP's equipment, which is a Cisco switch.

It's running BandwidthD and traffic shaping. It is connected to 100-mbps link from an ISP, capped at 30 mbps. Average traffic in a day is 4.23mbps down, 2.44 mbps, historical maximum of 13.86 up and 9.62 down (not simultaneously). The cpu usage averages 34%, memory usage 30%. Most CPU usage seems to be coming from interrupt: 21.69% average. System : 6.86, nice : 2.36, User 2.21.

They're experiencing performance problems since they upgraded from 15 mbps to 30 mbps. I tried forcing vr0 to be full-duplex, but the connection dropped, I had to reboot the firewall (I wasn't on site). For an uptime of 11h, it currently reads 0/86 in/out errors, and 1699614 collisions. That doesn't sound right. The number of collisions is increasing continuously.

Any suggestions of what to check next would be appreciated.

Thanks,
Ugo
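The counter check discussed in this thread can be scripted on the firewall side. The following is an added example, not part of the original messages: it reads FreeBSD `netstat -i` output and flags interfaces whose collision count suggests half duplex or a duplex mismatch. The function names, the 1% threshold and all sample counters except vr0's errors and collisions are assumptions made for the illustration.

```shell
#!/bin/sh
# Flag interfaces whose collision counters point at half duplex or a duplex
# mismatch, using FreeBSD `netstat -i` output.

# Constructed sample in the `netstat -i` layout. Only vr0's 86 output errors
# and 1699614 collisions come from the thread; everything else is made up.
sample_netstat() {
cat <<'EOF'
Name    Mtu Network       Address              Ipkts Ierrs    Opkts Oerrs  Coll
vr0    1500 <Link#1>      00:00:5e:00:53:01 21400000     0 18900000    86 1699614
vr0    1500 198.51.100.0/ 198.51.100.10       310000     -   295000     -     -
fxp0   1500 <Link#2>      00:00:5e:00:53:02 19100000     0 21800000     0     0
lo0   16384 <Link#3>                             1200     0     1200     0     0
EOF
}

# check_duplex [threshold_percent]   (hypothetical helper, default 1)
# Reads netstat -i output on stdin and prints one line per link-level row:
#   <name> <collisions> <collisions as % of Opkts> <verdict>
# Counters are read from the right-hand end of each row, so a row with an
# empty Address column (lo0 above) is still parsed correctly.
check_duplex() {
    awk -v limit="${1:-1}" '
        $3 !~ /^<Link#/ { next }      # skip the header and per-address rows
        {
            coll = $NF; opkts = $(NF - 2)
            pct = (opkts > 0) ? 100 * coll / opkts : 0
            # A full-duplex link never counts collisions. The percentage
            # cut-off between the other two verdicts is an assumed threshold.
            if (coll == 0)        verdict = "ok"
            else if (pct < limit) verdict = "half-duplex"
            else                  verdict = "suspect-mismatch"
            printf "%s %d %.1f %s\n", $1, coll, pct, verdict
        }'
}

# On the firewall itself: netstat -i | check_duplex
sample_netstat | check_duplex
```

Run it twice a few minutes apart: a full-duplex link should show no collisions at all, so a count that keeps growing means the port is still operating at half duplex.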
Re: [pfSense Support] DMZ to LAN access
No manual configuration needed, actually I would not recommend that at all. I was referring to using the SSH console to review your raw logs for quicker diagnosis if it indeed was a firewall rule issue.

Curtis LaMasters
http://www.curtis-lamasters.com
http://www.builtnetworks.com

On Fri, Jan 9, 2009 at 2:15 AM, Peter Todorov pmi...@gmail.com wrote:

Curtis,

I am not so familiar with pfsense architecture to do SSH login and manual rewriting of conf files. I have NAT, yes it is AON because I have dual WAN configuration. I have only NAT between external and internal interfaces. I added some rules to both interfaces at the top just for test that have * * * * * * and * * * * * *. Still I got no ping from DMZ to LAN.

Chris,

Do I need to enable NAT between DMZ and LAN?

Thanks,
Peter

On Thu, Jan 8, 2009 at 11:36 PM, Chris Buechler c...@pfsense.org wrote:

2009/1/8 Curtis LaMasters curtislamast...@gmail.com:

Sounds like a NAT issue. Manually configure our outbound NAT or tell it not to NAT.

Not necessary. Traffic between internal interfaces isn't NATed unless you enable AON and configure it to do so. The firewall rules on the DMZ interface don't allow pings most likely.

--
Honesty is not a vice
Re: [pfSense Support] Zabbix Agent package on 1.2.1
Just curious, what does Zabbix do that Nagios does not?

Curtis LaMasters
http://www.curtis-lamasters.com
http://www.builtnetworks.com

On Tue, Jan 6, 2009 at 12:48 PM, Nathan Eisenberg nat...@atlasnetworks.us wrote:

Tim,

Zabbix does support SNMP checks and TCP/IP via zabbix-server originated pings and port checks.

-Original Message-
From: Tim Nelson [mailto:tnel...@rockbochs.com]
Sent: Tuesday, January 06, 2009 10:45 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Zabbix Agent package on 1.2.1

Thank you all for the responses! I thought that the Zabbix Agent package may be out of date but it did list it as being 'up to par' with version 1.2.1 of pfSense in the packages page. Apparently it is incorrect.

Well, back to the drawing board. Checking to see if Zabbix supports plain TCP/UDP port monitoring, content checking, and SNMP polling...

OT I've been using JFFNMS for quite some time as a monitoring solution. It works well as long as you don't mind running PHP4 and MySQL4 on an older box. The latest version has some serious issues (Google jffnms admin structure not found) which haven't been fixed and the project is nearly dead. It's time to move on... /OT

Tim Nelson
Systems/Network Support
Rockbochs Inc.
(218)727-4332 x105

- Nathan Eisenberg nat...@atlasnetworks.us wrote:

Throwing my hat in the ring here - we have several zabbix servers deployed in production. It is very good; it is easy to set it up to get emails on disk failures, raid rebuilds, individual fan failures; pretty much anything you might want to hear about. Plus having anything else you can imagine on a graph is pretty nice.

-Original Message-
From: Paul Mansfield [mailto:it-admin-pfse...@taptu.com]
Sent: Tuesday, January 06, 2009 10:34 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Zabbix Agent package on 1.2.1

Tim Nelson wrote:

I've recently tried installing the Zabbix Agent package on a fresh 1.2.1 installation and it appears to have some 'issues'. Namely, one issue. It doesn't install at all. The output from the installation session:

we too would be interested in this, as we're trialling zabbix in place of cacti and nagios
Re: [pfSense Support] Zabbix Agent package on 1.2.1
The graphing I can understand but with NRPE/NSCA on Linux and possibly BSD systems, you really aren't limited to network/ping/SNMP checks unless I'm missing something about Zabbix. Initiating research now. :)

Curtis LaMasters
http://www.curtis-lamasters.com
http://www.builtnetworks.com

On Tue, Jan 6, 2009 at 1:15 PM, Tim Nelson tnel...@rockbochs.com wrote:

Part of the intrigue for me was a nice consolidated interface for everything. With Nagios, you still really need Cacti to make it fully functional. Plus, the zabbix-agent allows for an even wider scope of monitoring versus plain old network/ping/snmp checks. I've tried the Nagios/Cacti route and just didn't like it.

- Curtis LaMasters wrote:

Just curious, what does Zabbix do that Nagios does not?

Curtis LaMasters
http://www.curtis-lamasters.com
http://www.builtnetworks.com

On Tue, Jan 6, 2009 at 12:48 PM, Nathan Eisenberg nat...@atlasnetworks.us wrote:

Tim,

Zabbix does support SNMP checks and TCP/IP via zabbix-server originated pings and port checks.

-Original Message-
From: Tim Nelson [mailto:tnel...@rockbochs.com]
Sent: Tuesday, January 06, 2009 10:45 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Zabbix Agent package on 1.2.1

Thank you all for the responses! I thought that the Zabbix Agent package may be out of date but it did list it as being 'up to par' with version 1.2.1 of pfSense in the packages page. Apparently it is incorrect.

Well, back to the drawing board. Checking to see if Zabbix supports plain TCP/UDP port monitoring, content checking, and SNMP polling...

OT I've been using JFFNMS for quite some time as a monitoring solution. It works well as long as you don't mind running PHP4 and MySQL4 on an older box. The latest version has some serious issues (Google jffnms admin structure not found) which haven't been fixed and the project is nearly dead. It's time to move on... /OT

Tim Nelson
Systems/Network Support
Rockbochs Inc.
(218)727-4332 x105

- Nathan Eisenberg nat...@atlasnetworks.us wrote:

Throwing my hat in the ring here - we have several zabbix servers deployed in production. It is very good; it is easy to set it up to get emails on disk failures, raid rebuilds, individual fan failures; pretty much anything you might want to hear about. Plus having anything else you can imagine on a graph is pretty nice.

-Original Message-
From: Paul Mansfield [mailto:it-admin-pfse...@taptu.com]
Sent: Tuesday, January 06, 2009 10:34 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Zabbix Agent package on 1.2.1

Tim Nelson wrote:

I've recently tried installing the Zabbix Agent package on a fresh 1.2.1 installation and it appears to have some 'issues'. Namely, one issue. It doesn't install at all. The output from the installation session:

we too would be interested in this, as we're trialling zabbix in place of cacti and nagios
Re: [pfSense Support] Dell Hardware Monitoring - pfSense 1.2 Final
Yes, all of the flashing lights and LCD displays are obvious but in this case I just used hard drive as an example and the Dell 1750's don't have LCD displays. A quick reboot into the Dell Diagnostic software gave me a memory log error about a correctable issue. I easily cleared the log out and rebooted into pfSense. I monitor all of our servers' hardware with Nagios so I was trying to figure out if FreeBSD supported any of the Dell tools, SNMP or otherwise.

Thanks,
Curtis LaMasters
http://www.curtis-lamasters.com
http://www.builtnetworks.com

On Tue, Dec 16, 2008 at 4:46 AM, Paul Mansfield it-admin-pfse...@taptu.com wrote:

Chris Bagnall wrote:

The flashing amber lights on the Dell servers typically indicate a hardware issue...

Might be worth mentioning that a number of the Dell rackmount server range have a flashing blue or amber light that indicates... nothing. You can switch it between off/steady/flashing using a button on the front (usually marked i - one assumes for info). There's an identical light at the back of the machine which follows the same pattern. It's designed to make it easier to work out which machine you're connecting cables to in a densely populated rack, and for something so simple, it's very useful.

there's also a light on each drive bay which can indicate a fault, or can be made to flash under user control?
[pfSense Support] Dell Hardware Monitoring - pfSense 1.2 Final
I have a flashing amber light on one of my Dell 1750 firewalls (they are failover so I'm not terribly worried). What would be the best way to go about monitoring these devices? How do I figure out what is currently wrong without booting into the Dell management software? I do have a Nagios box on the network if that would help.

Curtis LaMasters
http://www.curtis-lamasters.com
http://www.builtnetworks.com
Re: [pfSense Support] Dell Hardware Monitoring - pfSense 1.2 Final
I'm just trying to minimize failover/failback and downtime. If I knew it was a memory module, hard drive or fan, I could have one ordered and ready to go all in one big swoop.

Curtis LaMasters
http://www.curtis-lamasters.com
http://www.builtnetworks.com

On Tue, Dec 9, 2008 at 12:56 PM, Tim Nelson [EMAIL PROTECTED] wrote:

The flashing amber lights on the Dell servers typically indicate a hardware issue... Unless your box has a nice little LCD like the 26xx, or 29xx series, you'll probably have to run the Dell diagnostics. On my 2650s, they scroll the error code across the LCD.

A note aside... you have a failover box available in case this box dies... but you don't want to take the box down on purpose to boot the OM software? I'm confused... :-) Wouldn't you want a controlled failure of the primary hardware instead of a random failure where the failover process could get botched? Just my $0.02 USD...

Tim Nelson
Systems/Network Support
Rockbochs Inc.
(218)727-4332 x105

- Curtis LaMasters wrote:

I have a flashing amber light on one of my Dell 1750 firewalls (they are failover so I'm not terribly worried). What would be the best way to go about monitoring these devices? How do I figure out what is currently wrong without booting into the Dell management software? I do have a Nagios box on the network if that would help.

Curtis LaMasters
http://www.curtis-lamasters.com
http://www.builtnetworks.com
Re: [pfSense Support] Dell Hardware Monitoring - pfSense 1.2 Final
No problem, I'm on the phone with Dell support now for which ISO/tool to download. Thanks.

Curtis LaMasters
http://www.curtis-lamasters.com
http://www.builtnetworks.com

On Tue, Dec 9, 2008 at 1:12 PM, Chris Buechler [EMAIL PROTECTED] wrote:

On Tue, Dec 9, 2008 at 2:05 PM, Curtis LaMasters [EMAIL PROTECTED] wrote:

I'm just trying to minimize failover/failback and downtime. If I knew it was a memory module, hard drive or fan, I could have one ordered and ready to go all in one big swoop.

You can tell if it's a hard drive by looking at the lights on the drive sleds, they'll go orange on a dead disk. Aside from that, it's probably a bad power supply, fan, or RAM, and you have to get into the diag software to tell unfortunately.
Re: Re: [pfSense Support] pptp help!!
Just to make sure, have you tried setting the WAN type to PPPoE? I've done this with a number of Qwest DSL circuits in the US with great success.

Curtis LaMasters
http://www.curtis-lamasters.com
http://www.builtnetworks.com

On Tue, Nov 25, 2008 at 4:11 PM, mikel [EMAIL PROTECTED] wrote:

In native English... this is my problem:
http://osdir.com/ml/security.firewalls.pfsense.user/2006-08/msg00046.html

Why is that so strange?

On Tue, 25 Nov 2008 16:29:03 -0500, Scott Ullrich [EMAIL PROTECTED] wrote:

On Tue, Nov 25, 2008 at 4:22 PM, mikel [EMAIL PROTECTED] wrote:

OK, so please explain to me the purpose of the pptp wan interface. In a practical/real-life scenario please.

Exactly what you want it to be, but it expects the IP address to be handed out via DHCP.

Scott