[pfSense Support] Help with IPSec
Hi All,

I need some help with packet loss and high latency inside IPsec tunnels. I'm running pfSense 1.2-BETA-1-TESTING-SNAPSHOT-04-30-07 with two offices connected to the main office. Inside these tunnels I'm always getting 5~10% packet loss and latency of 250~2000ms. The IPsec tunnels are configured as in http://doc.m0n0.ch/handbook/ipsec-tunnels.html. The 3 Internet connections are 512Kbps wireless, with network modules fxp, rl and xl, all using device polling. At the rush hours the traffic goes extremely slow; however, the main site link gets only 60~70% utilization.

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] MTU field
Chris,

Thank you. Sorry for this question!

--
Diego

- Original Message -
From: "Chris Buechler" <[EMAIL PROTECTED]>
To:
Sent: Sunday, April 08, 2007 11:18 PM
Subject: Re: [pfSense Support] MTU field

Scott Ullrich wrote:
> The MTU field on Interfaces page is not working as expected.
> ifconfig -a is always showing mtu=1500 even after reboots.

The value is changed in /tmp/rules.debug. Search for mss in that file. Because it doesn't actually change the MTU, it configures MSS clamping, which is what you want for a firewall.
Re: [pfSense Support] MTU field
I forgot the pfsense version: 1.0.1-SNAPSHOT-03-27-2007 built on Sat Apr 7 13:40:06 EDT 2007

Hi,

The MTU field on Interfaces page is not working as expected. ifconfig -a is always showing mtu=1500 even after reboots.

--
Diego
[pfSense Support] MTU field
Hi,

The MTU field on Interfaces page is not working as expected. ifconfig -a is always showing mtu=1500 even after reboots.

--
Diego
Re: [pfSense Support] bridged interface and "arp: moved..." messages
The webGUI sets this option right now; however, after reboot this setting is lost.

--
Diego

- Original Message -
From: "Scott Ullrich" <[EMAIL PROTECTED]>
To:
Sent: Monday, April 02, 2007 1:30 PM
Subject: Re: [pfSense Support] bridged interface and "arp: moved..." messages

On 4/2/07, Diego Morato <[EMAIL PROTECTED]> wrote:
> Scott,
> The Shared Physical Network option is not setting net.link.ether.inet.log_arp_movement in my box. I check and save, and uncheck and save, and this always stays at 1. I'm using sysctl -a to list the configurations. It only prints 1 -> 0 at the top of the page.

Oops, it was setting sysctl -n net.link.ether.inet.log_arp_wrong_iface=0

I've fixed both of the problems. Please try a snapshot a couple of hours from now.

Scott
Re: [pfSense Support] Help with backup remote office connection
Chris,

Thank you again, I've just configured the solution you described below and it works great. Now I'm getting some problems with the IPsec tunnels: the latency is very high and there is high packet loss. Do I need to configure something to resolve these problems? I'm currently using the xl, rl and fxp modules for the ethernet cards. MTU, device polling and hardware checksum are all default. The connection between end-points is 512Kb/s. The systems are 1.0.1-SNAPSHOT-03-15-2007.

--
Diego

- Original Message -
From: "Chris Buechler" <[EMAIL PROTECTED]>
To:
Sent: Saturday, March 31, 2007 10:48 PM
Subject: Re: [pfSense Support] Help with backup remote office connection

Diego Morato wrote:
> Actually the frame relay router is the default gateway of the LAN, I'm
> thinking of changing this to the pfsense and working with static routes.

I would leave the frame relay router as the default gateway, assuming it's a Cisco router or something with near-equivalent functionality that can do what I describe here. What I would do is put in a route with a higher metric on your router pointing to pfsense. When the frame relay goes down it'll take down the serial interface, which will drop the route that uses the serial int, and it'll fall back to the route with the higher metric, which will be your pfsense box. Note you'll have to do this on the routers on both sides of the frame relay link.

A secondary option possible on Cisco routers would be to set up monitoring to ping the IP on the other end of the frame PVC. If that fails, configure it to change the route to pfsense.

There are two options, I'd try the former first. Your routers are probably a better choice as default gateways because they're in a better position to be able to detect failure of the frame link.
Re: [pfSense Support] IPSec Issue Report
Scott,

Ok. Thank you very much. Each tab on the "Firewall > Rules" page controls the traffic incoming on the corresponding interface.

--
Diego

- Original Message -
From: "Scott Ullrich" <[EMAIL PROTECTED]>
To:
Sent: Thursday, April 05, 2007 1:44 PM
Subject: Re: [pfSense Support] IPSec Issue Report

On 4/5/07, Diego Morato <[EMAIL PROTECTED]> wrote:
> I'm using ipsec to connect three branch offices. There is an issue with the
> firewall described below:
>
> I'm not allowing output traffic from LAN subnet to WAN, so I disabled the
> default LAN rule "Default LAN -> any"; however, disabling this rule causes the
> LAN subnet to not reach the ipsec tunnels. After creating a LAN rule allowing the
> LAN subnet to the other remote LAN subnets, everything goes fine.

Yes, and this is no different from how LAN -> WAN traffic is permitted as well.

> I think the logic of the webgui shows that traffic between remote lan
> subnets through ipsec tunnels is controlled by ipsec rules, but LAN rules are
> affecting this traffic!
> The default ipsec rule "Permit ipsec traffic" is enabled.

Yes. The IPSEC interface is to allow you to control incoming traffic from across the VPN. There is no difference in the way this works vs. filtering traffic out the WAN. We filter on incoming interface.

Scott
[pfSense Support] IPSec Issue Report
I'm using ipsec to connect three branch offices. There is an issue with the firewall described below:

I'm not allowing output traffic from LAN subnet to WAN, so I disabled the default LAN rule "Default LAN -> any"; however, disabling this rule causes the LAN subnet to not reach the ipsec tunnels. After creating a LAN rule allowing the LAN subnet to the other remote LAN subnets, everything goes fine.

I think the logic of the webgui shows that traffic between remote lan subnets through ipsec tunnels is controlled by ipsec rules, but LAN rules are affecting this traffic! The default ipsec rule "Permit ipsec traffic" is enabled.

System: 1.0.1-SNAPSHOT-03-15-2007 built on Fri Mar 23 05:07:13 EDT 2007

--
Diego
Re: [pfSense Support] bridged interface and "arp: moved..." messages
Scott,

The Shared Physical Network option is not setting net.link.ether.inet.log_arp_movement in my box. I check and save, and uncheck and save, and this always stays at 1. I'm using sysctl -a to list the configurations. It only prints 1 -> 0 at the top of the page.

System: 1.0.1-SNAPSHOT-03-15-2007 built on Fri Mar 23 05:07:13 EDT 2007

--
Diego

- Original Message -
From: "Scott Ullrich" <[EMAIL PROTECTED]>
To:
Sent: Sunday, April 01, 2007 12:20 AM
Subject: Re: [pfSense Support] bridged interface and "arp: moved..." messages

On 3/31/07, Charles Sprickman <[EMAIL PROTECTED]> wrote:
> On Sat, 31 Mar 2007, Scott Ullrich wrote:
> Just out of curiosity, what does this setting actually do? Does it move
> the WAN IP to the bridge interface?

No, it sets sysctl -w net.link.ether.inet.log_arp_movement=0. -HEAD has different code which moves the IP to the bridge interface.

[snip]

Scott
Re: [pfSense Support] Help with backup remote office connection
Chris,

Thank you. The routers are Vanguard 6455 that run voice and data channels, and I believe they have the features that you described. Currently I don't have access to them, so I will contact the ISP to implement one of these solutions. Soon I'll post the results!

--
Diego

- Original Message -
From: "Chris Buechler" <[EMAIL PROTECTED]>
To:
Sent: Saturday, March 31, 2007 10:48 PM
Subject: Re: [pfSense Support] Help with backup remote office connection

Diego Morato wrote:
> Actually the frame relay router is the default gateway of the LAN, I'm
> thinking of changing this to the pfsense and working with static routes.

I would leave the frame relay router as the default gateway, assuming it's a Cisco router or something with near-equivalent functionality that can do what I describe here. What I would do is put in a route with a higher metric on your router pointing to pfsense. When the frame relay goes down it'll take down the serial interface, which will drop the route that uses the serial int, and it'll fall back to the route with the higher metric, which will be your pfsense box. Note you'll have to do this on the routers on both sides of the frame relay link.

A secondary option possible on Cisco routers would be to set up monitoring to ping the IP on the other end of the frame PVC. If that fails, configure it to change the route to pfsense.

There are two options, I'd try the former first. Your routers are probably a better choice as default gateways because they're in a better position to be able to detect failure of the frame link.
Re: [pfSense Support] bridged interface and "arp: moved..." messages
Scott,

Ok, I rebooted the firewall and the arp messages continue. After this reboot I went to the webgui, unchecked the Shared Physical Network and clicked Save; the page was reloaded, then I checked the option again and clicked Save. The page was reloaded and at the top of the page appeared this: 1 -> 0

System: 1.0.1-SNAPSHOT-03-15-2007 built on Fri Mar 23 05:07:13 EDT 2007

--
Diego

- Original Message -
From: "Scott Ullrich" <[EMAIL PROTECTED]>
To:
Sent: Saturday, March 31, 2007 7:41 PM
Subject: Re: [pfSense Support] bridged interface and "arp: moved..." messages

Try rebooting the firewall to make sure.

Scott

On 3/31/07, Diego Morato <[EMAIL PROTECTED]> wrote:
> I've checked the shared physical network option and I continue getting arp
> messages from my team.
>
> --
> Diego
>
> - Original Message -
> From: "Scott Ullrich" <[EMAIL PROTECTED]>
> To:
> Sent: Saturday, March 31, 2007 7:14 PM
> Subject: Re: [pfSense Support] bridged interface and "arp: moved..." messages
>
> On 3/31/07, Charles Sprickman <[EMAIL PROTECTED]> wrote:
> > I'm not sure that's going to help - I have no interfaces sharing the same
> > physical network, and the messages are from hosts on the bridged OPT1, not
> > from pfsense itself.
>
> This suppresses that log message.
>
> > In short, the pfsense box seems to be flipping between using the WAN and
> > OPT1 MACs when talking to the bridged hosts.
>
> See above.
>
> > FreeBSD bug?
>
> Doubt it. It sounds to me like a misconfigured network. I have 10+
> teams on my network using LACP and none of our FreeBSD boxen (10+)
> shows these symptoms.
>
> Scott
Re: [pfSense Support] bridged interface and "arp: moved..." messages
I've checked the shared physical network option and I continue getting arp messages from my team.

--
Diego

- Original Message -
From: "Scott Ullrich" <[EMAIL PROTECTED]>
To:
Sent: Saturday, March 31, 2007 7:14 PM
Subject: Re: [pfSense Support] bridged interface and "arp: moved..." messages

On 3/31/07, Charles Sprickman <[EMAIL PROTECTED]> wrote:
> I'm not sure that's going to help - I have no interfaces sharing the same
> physical network, and the messages are from hosts on the bridged OPT1, not
> from pfsense itself.

This suppresses that log message.

> In short, the pfsense box seems to be flipping between using the WAN and
> OPT1 MACs when talking to the bridged hosts.

See above.

> FreeBSD bug?

Doubt it. It sounds to me like a misconfigured network. I have 10+ teams on my network using LACP and none of our FreeBSD boxen (10+) shows these symptoms.

Scott
[pfSense Support] Help with backup remote office connection
Hi,

I have two remote offices connected through frame relay. This frame relay is connected directly to the switches. Now I need to install a backup connection because this frame relay eventually goes down. I installed pfsense in all remote offices, connected to the Internet with cable connections, and configured ipsec tunnels. With this new layout I want frame relay as the primary link with the offices, and when it goes down the ipsec tunnels will be the primary connection. How do I do this, considering the frame relay and pfsense are connected on the LAN and I can't change this?

Actually the frame relay router is the default gateway of the LAN; I'm thinking of changing this to the pfsense and working with static routes. Create a static route saying that to reach the remote offices go through the frame relay router, and delete this route when the frame relay is unavailable. I've tested this but traffic always goes through the ipsec tunnels.

Any help is welcome!

--
Diego
Re: [pfSense Support] bridged interface and "arp: moved..." messages
You are right Charles, shared physical network doesn't apply here. Just to complement, I installed pfsense in a remote office and I'm getting this same problem. In my case this problem occurs because I have a Windows Server using two interfaces as a team; however, it was configured via software. There is a post about it: http://forum.pfsense.org/index.php/topic,4245.0.html

Sorry, I can't help you!

--
Diego

- Original Message -
From: "Charles Sprickman" <[EMAIL PROTECTED]>
To:
Sent: Friday, March 30, 2007 4:19 PM
Subject: Re: [pfSense Support] bridged interface and "arp: moved..." messages

On Fri, 30 Mar 2007, Diego Morato wrote:
> Did you try to check the option 'Shared Physical Network' under System:
> Advanced functions?

I don't think that really applies to my situation, as I'm not using a shared physical network. My understanding is that that option is used when you're overlapping multiple networks (inside + outside) on one nic.

Charles

> --
> Diego
>
> - Original Message -
> From: "Charles Sprickman" <[EMAIL PROTECTED]>
> To:
> Sent: Thursday, March 29, 2007 9:27 PM
> Subject: Re: [pfSense Support] bridged interface and "arp: moved..." messages
>
>> On Wed, 31 Jan 2007, Scott Ullrich wrote:
>>
>>> On 1/31/07, Charles Sprickman <[EMAIL PROTECTED]> wrote:
>>>> Hi all,
>>>>
>>>> I'm running PFSense 1.0.1 with three interfaces: WAN, LAN and then OPT1
>>>> acting as a bridged interface with the WAN. Our DSL provider gives us a
>>>> /29 on the LAN port of their router and I use the first available IP for
>>>> the PFSense WAN IP (which is also used for NAT on the LAN) and the
>>>> remainder of the /29 bridges to OPT1.
>>>>
>>>> On the boxes connected to the bridge interface I periodically get the
>>>> following messages in the logs:
>>>>
>>>> Jan 30 23:45:54 devel2 /kernel: arp: 74.x.x.26 moved from 00:50:ba:52:00:95 to 00:b0:d0:b6:94:3d on fxp0
>>>> Jan 30 23:47:21 devel2 /kernel: arp: 74.x.x.26 moved from 00:b0:d0:b6:94:3d to 00:50:ba:52:00:95 on fxp0
>>>> Jan 31 00:05:48 devel2 /kernel: arp: 74.x.x.26 moved from 00:50:ba:52:00:95 to 00:b0:d0:b6:94:3d on fxp0
>>>>
>>>> The two MAC addresses in question are the WAN and OPT1 interfaces. I've
>>>> seen some discussion of this on the freebsd-stable list, but no real good
>>>> info. WAN is an rl card, OPT1 is an xl if that matters.
>>>>
>>>> Any ideas why the bridged hosts occasionally see the "invisible" MAC
>>>> address of the OPT1 interface?
>>>
>>> It thinks there is some kind of loop somewhere. While I cannot
>>> certify your working environment without a lot more questions and
>>> answers which is beyond this mailing list I can tell you how to squash
>>> this message... System -> Advanced -> Shared Physical Network
>>
>> Sorry for returning to this so late... I think last time I got lost on a
>> tangent of trying to find software to help draw ascii network diagrams and
>> never came back... :)
>>
>> In short, here's the network. Pretty simple, no loops, very common setup
>> for a US SDSL or routed ADSL customer with ISP-provided CPE:
>>
>> [ASCII network diagram, collapsed in the archive: ADSL line with a routed /29 to the ISP router at 74.x.x.25 (network is 74.x.x.24/29); pfsense WAN 74.x.x.26 - 00:50:ba:52:00:95; LAN (192.168.0.1/24 - nat) to a switch with workstations at 192.168.0.2-20; OPT1 (bridged w/WAN, ie: 74.x.x.24/29, 00:b0:d0:b6:94:3d) to a separate switch with servers at 74.x.x.27, 74.x.x.28]
>>>> (these rep
Re: [pfSense Support] L2tpd on pfsense?
Tommy,

You can use PPTP for your Windows clients. And the great difference between PPTP on pfsense and Linux is that you can filter client connections in the webgui. So you will have two layers of security: the first is the password provided to connect to the PPTP server and the second is the firewall filter. There is an option to force 128 bit encryption, and finally you can view the connection history at System Logs: PPTP VPN.

--
Diego

- Original Message -
From: Tommaso Di Donato
To: support@pfsense.com
Sent: Tuesday, March 27, 2007 11:04 AM
Subject: Re: [pfSense Support] L2tpd on pfsense?

mmh, I understand... Is it not possible to help in developing it?

Thank you very much
Tommy

On 3/27/07, Holger Bauer <[EMAIL PROTECTED]> wrote:
> It's already implemented in our HEAD codetree but pretty untested currently. Don't expect this to appear in a release before 2.0 (might change but there is no plan on porting it to the 1.x branch currently).
>
> Holger
>
> From: Tommaso Di Donato [mailto: [EMAIL PROTECTED]]
> Sent: Tuesday, March 27, 2007 9:06 AM
> To: support@pfsense.com
> Subject: [pfSense Support] L2tpd on pfsense?
>
> Hi to all!
> I was looking for something to replace my linux VPN server (currently used for L2TP/ipsec vpns with windows clients), and I've seen that there is something about l2tp vpn in CVS. Am I wrong? Could I ask the status of this feature?
>
> Thank you in advance!
> Best regards
> Tommy
Re: [pfSense Support] IPSec connection problem
Hi again,

Please forget that: the tunnel was established with the network activity and not automatically as I was thinking. Last question: does the IPsec tunnel use compression?

System logs:
Mar 30 14:15:36 racoon: INFO: IPsec-SA established: ESP/Tunnel 200.xx.93.210[0]->201.xxx.20.10[0] spi=211026278(0xc940166)
Mar 30 14:15:36 racoon: INFO: IPsec-SA established: ESP/Tunnel 201.xxx.20.10[0]->200.xx.93.210[0] spi=41172309(0x2743d55)
Mar 30 14:15:35 racoon: INFO: respond new phase 2 negotiation: 200.xx.93.210[500]<=>201.xxx.20.10[500]
Mar 30 14:15:35 racoon: INFO: ISAKMP-SA established 200.xx.93.210[500]-201.xxx.20.10[500] spi:c37181d85b7fa623:2716c4c16889f544
Mar 30 14:15:35 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Mar 30 14:15:35 racoon: INFO: received Vendor ID: DPD
Mar 30 14:15:35 racoon: INFO: begin Aggressive mode.
Mar 30 14:15:35 racoon: INFO: respond new phase 1 negotiation: 200.xx.93.210[500]<=>201.xxx.20.10[500]

--
Diego

- Original Message -
From: "Diego Morato" <[EMAIL PROTECTED]>
To: "Support PfSense"
Sent: Friday, March 30, 2007 2:09 PM
Subject: [pfSense Support] IPSec connection problem

Hi,

I have two pfsense boxes and I'm trying to set up an IPsec tunnel; however, I'm having no success. The two points have static IPs and at first I used the default options of the webgui. After that I followed this doc: http://doc.m0n0.ch/handbook/ipsec-tunnels.html. Is there something that needs to be allowed in Firewall: Rules?

System: 1.0.1-SNAPSHOT-03-15-2007 built on Fri Mar 23 05:07:13 EDT 2007

IPsec logs:
Mar 30 13:57:05 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Mar 30 13:57:05 racoon: INFO: 201.xxx.20.10[500] used as isakmp port (fd=21)
Mar 30 13:57:05 racoon: INFO: fe80::204:acff:fe39:aabf%fxp0[500] used as isakmp port (fd=20)
Mar 30 13:57:05 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Mar 30 13:57:05 racoon: INFO: 192.xxx.1.71[500] used as isakmp port (fd=19)
Mar 30 13:57:05 racoon: INFO: fe80::201:3ff:fec1:9736%xl0[500] used as isakmp port (fd=18)
Mar 30 13:57:05 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Mar 30 13:57:05 racoon: INFO: 200.xxx.4.75[500] used as isakmp port (fd=17)
Mar 30 13:57:05 racoon: INFO: fe80::210:5aff:fea7:c137%xl1[500] used as isakmp port (fd=16)
Mar 30 13:57:05 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Mar 30 13:57:05 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=15)
Mar 30 13:57:05 racoon: INFO: ::1[500] used as isakmp port (fd=14)
Mar 30 13:57:05 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=13)
Mar 30 13:57:05 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
Mar 30 13:57:05 racoon: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)

Thanks

--
Diego
[pfSense Support] IPSec connection problem
Hi,

I have two pfsense boxes and I'm trying to set up an IPsec tunnel; however, I'm having no success. The two points have static IPs and at first I used the default options of the webgui. After that I followed this doc: http://doc.m0n0.ch/handbook/ipsec-tunnels.html. Is there something that needs to be allowed in Firewall: Rules?

System: 1.0.1-SNAPSHOT-03-15-2007 built on Fri Mar 23 05:07:13 EDT 2007

IPsec logs:
Mar 30 13:57:05 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Mar 30 13:57:05 racoon: INFO: 201.xxx.20.10[500] used as isakmp port (fd=21)
Mar 30 13:57:05 racoon: INFO: fe80::204:acff:fe39:aabf%fxp0[500] used as isakmp port (fd=20)
Mar 30 13:57:05 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Mar 30 13:57:05 racoon: INFO: 192.xxx.1.71[500] used as isakmp port (fd=19)
Mar 30 13:57:05 racoon: INFO: fe80::201:3ff:fec1:9736%xl0[500] used as isakmp port (fd=18)
Mar 30 13:57:05 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Mar 30 13:57:05 racoon: INFO: 200.xxx.4.75[500] used as isakmp port (fd=17)
Mar 30 13:57:05 racoon: INFO: fe80::210:5aff:fea7:c137%xl1[500] used as isakmp port (fd=16)
Mar 30 13:57:05 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Mar 30 13:57:05 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=15)
Mar 30 13:57:05 racoon: INFO: ::1[500] used as isakmp port (fd=14)
Mar 30 13:57:05 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=13)
Mar 30 13:57:05 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
Mar 30 13:57:05 racoon: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)

Thanks

--
Diego
Re: [pfSense Support] Log Rotation
Thank you Gary!

--
Diego

- Original Message -
From: "Gary Buckmaster" <[EMAIL PROTECTED]>
To:
Sent: Friday, March 30, 2007 10:32 AM
Subject: Re: [pfSense Support] Log Rotation

Diego Morato wrote:
> Hi All,
>
> I would like to know how pfsense rotates the log files, how many days they are stored and how I configure this. I need to know this because we have auditors that from time to time do audits on these logs. In other systems I rotate the logs monthly and keep them on HD for 24 months.
>
> --
> Diego

Diego,

Currently pfSense uses a round-robin style logging format which will be inappropriate for your auditors' purposes. This will change at some point in the future. In the meantime, I recommend that you configure your pfSense box to log to a remote syslog host where you can control what your logging parameters are.

-Gary
Re: [pfSense Support] bridged interface and "arp: moved..." messages
Did you try to check the option 'Shared Physical Network' under System: Advanced functions?

--
Diego

- Original Message -
From: "Charles Sprickman" <[EMAIL PROTECTED]>
To:
Sent: Thursday, March 29, 2007 9:27 PM
Subject: Re: [pfSense Support] bridged interface and "arp: moved..." messages

On Wed, 31 Jan 2007, Scott Ullrich wrote:
> On 1/31/07, Charles Sprickman <[EMAIL PROTECTED]> wrote:
>> Hi all,
>>
>> I'm running PFSense 1.0.1 with three interfaces: WAN, LAN and then OPT1
>> acting as a bridged interface with the WAN. Our DSL provider gives us a
>> /29 on the LAN port of their router and I use the first available IP for
>> the PFSense WAN IP (which is also used for NAT on the LAN) and the
>> remainder of the /29 bridges to OPT1.
>>
>> On the boxes connected to the bridge interface I periodically get the
>> following messages in the logs:
>>
>> Jan 30 23:45:54 devel2 /kernel: arp: 74.x.x.26 moved from 00:50:ba:52:00:95 to 00:b0:d0:b6:94:3d on fxp0
>> Jan 30 23:47:21 devel2 /kernel: arp: 74.x.x.26 moved from 00:b0:d0:b6:94:3d to 00:50:ba:52:00:95 on fxp0
>> Jan 31 00:05:48 devel2 /kernel: arp: 74.x.x.26 moved from 00:50:ba:52:00:95 to 00:b0:d0:b6:94:3d on fxp0
>>
>> The two MAC addresses in question are the WAN and OPT1 interfaces. I've
>> seen some discussion of this on the freebsd-stable list, but no real good
>> info. WAN is an rl card, OPT1 is an xl if that matters.
>>
>> Any ideas why the bridged hosts occasionally see the "invisible" MAC
>> address of the OPT1 interface?
>
> It thinks there is some kind of loop somewhere. While I cannot
> certify your working environment without a lot more questions and
> answers which is beyond this mailing list I can tell you how to squash
> this message... System -> Advanced -> Shared Physical Network

Sorry for returning to this so late... I think last time I got lost on a tangent of trying to find software to help draw ascii network diagrams and never came back... :)

In short, here's the network. Pretty simple, no loops, very common setup for a US SDSL or routed ADSL customer with ISP-provided CPE:

[ASCII network diagram, collapsed in the archive: ADSL line with a routed /29 to the ISP router at 74.x.x.25 (network is 74.x.x.24/29); pfsense WAN 74.x.x.26 - 00:50:ba:52:00:95; LAN (192.168.0.1/24 - nat) to a switch with workstations at 192.168.0.2-20; OPT1 (bridged w/WAN, ie: 74.x.x.24/29, 00:b0:d0:b6:94:3d) to a separate switch with servers at 74.x.x.27, 74.x.x.28 (these report that 74.x.x.26 is "moving")]

Does that clarify things? There is NO physical connection between the OPT1 and WAN networks, hence no loop.

Thanks,

Charles
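A small detector for the "arp: ... moved from ... to ..." kernel messages that this thread is about, added here as an example; it is not code from the thread or from pfSense. It parses syslog lines in the format Charles quoted, tells a one-off MAC change (a NIC swap) apart from an address that keeps bouncing between MACs, and reports whether the MACs involved are the firewall's own WAN and OPT1 MACs named in the thread. The sample log lines are constructed, using documentation addresses.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines in the format of the "arp: moved" kernel
# messages quoted in the thread. Host addresses are documentation addresses
# (192.0.2.0/24); the two flapping MACs are the WAN/OPT1 MACs from the thread.
SAMPLE_LOG = """\
Jan 30 23:45:54 devel2 /kernel: arp: 192.0.2.26 moved from 00:50:ba:52:00:95 to 00:b0:d0:b6:94:3d on fxp0
Jan 30 23:47:21 devel2 /kernel: arp: 192.0.2.26 moved from 00:b0:d0:b6:94:3d to 00:50:ba:52:00:95 on fxp0
Jan 31 00:05:48 devel2 /kernel: arp: 192.0.2.26 moved from 00:50:ba:52:00:95 to 00:b0:d0:b6:94:3d on fxp0
Jan 31 00:10:02 devel2 /kernel: arp: 192.0.2.40 moved from 00:11:22:33:44:55 to 00:66:77:88:99:aa on fxp0
Jan 31 00:11:00 devel2 sshd[123]: Accepted publickey for admin from 192.0.2.27 port 51022
"""

# The firewall's own interface MACs (from the thread), so a flap can be
# attributed to the pfsense box itself rather than to some other host.
FIREWALL_MACS = {
    "00:50:ba:52:00:95": "WAN",
    "00:b0:d0:b6:94:3d": "OPT1",
}

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
ARP_MOVED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) /kernel: arp: "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) moved from (?P<old>" + MAC + r") "
    r"to (?P<new>" + MAC + r") on (?P<ifc>\S+)$"
)


def parse_arp_moves(text):
    """Extract every 'arp: moved' event from syslog text; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = ARP_MOVED.match(line)
        if m:
            events.append(m.groupdict())
    return events


def classify_moves(events, firewall_macs=FIREWALL_MACS):
    """Per IP, decide whether the address moved once or is flapping.

    A MAC that reappears after the address left it means the IP is bouncing
    between MACs (the symptom in the thread); a single move to a never-seen
    MAC is just a change. Returns {ip: summary dict}."""
    history = defaultdict(list)   # ip -> MAC sequence, oldest first
    ifaces = defaultdict(set)     # ip -> interfaces the reporting host saw it on
    for ev in events:
        seq = history[ev["ip"]]
        if not seq:
            seq.append(ev["old"])
        seq.append(ev["new"])
        ifaces[ev["ip"]].add(ev["ifc"])

    report = {}
    for ip, seq in history.items():
        macs = set(seq)
        # Fewer distinct MACs than entries in the sequence => some MAC came back.
        status = "flapping" if len(macs) < len(seq) else "moved"
        report[ip] = {
            "status": status,
            "transitions": len(seq) - 1,
            "macs": sorted(macs),
            "interfaces": sorted(ifaces[ip]),
            "firewall_interfaces": sorted(
                firewall_macs[m] for m in macs if m in firewall_macs
            ),
        }
    return report


def flapping_ips(report):
    """IPs worth a closer look: those whose MAC keeps bouncing."""
    return sorted(ip for ip, s in report.items() if s["status"] == "flapping")


if __name__ == "__main__":
    rep = classify_moves(parse_arp_moves(SAMPLE_LOG))
    for ip in flapping_ips(rep):
        s = rep[ip]
        print(f"{ip}: {s['transitions']} moves between {s['macs']} "
              f"(firewall interfaces involved: {s['firewall_interfaces'] or 'none'})")
```

The same bouncing pattern is also what ARP spoofing on the bridged segment looks like from a host's point of view, so the flap list is worth feeding to whatever monitors that segment rather than only suppressing the kernel message.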
[pfSense Support] Log Rotation
Hi All,

I would like to know how pfsense rotates the log files, how many days they are stored and how I configure this. I need to know this because we have auditors that from time to time do audits on these logs. In other systems I rotate the logs monthly and keep them on HD for 24 months.

--
Diego
Re: [pfSense Support] Multi-Wan/Load Balancing
gateway 204.xx.20.9
Mar 29 15:19:53 server01 php: : Setting up route with opt1 om xl1 for monitor 200.xx.4.65 on gateway 200.xx.4.65
Mar 29 15:20:22 server01 kernel: fxp0: link state changed to DOWN
Mar 29 15:20:30 server01 slbd[72876]: ICMP poll failed for 204.xx.20.9, marking service DOWN
Mar 29 15:20:30 server01 last message repeated 2 times
Mar 29 15:20:32 server01 slbd[72876]: Service OPT1FailoverWAN changed status, reloading filter policy
Mar 29 15:20:32 server01 slbd[72876]: Service WANFailoverOPT1 changed status, reloading filter policy
Mar 29 15:20:32 server01 slbd[72876]: Service WanBalanceOPT1 changed status, reloading filter policy
Mar 29 15:20:33 server01 check_reload_status: reloading filter
Mar 29 15:20:35 server01 php: : Filter: FTP proxy disabled for interface opt1 - ignoring.
Mar 29 15:20:36 server01 php: : We found 1 valid entries in status file /tmp/WanBalanceOPT1.pool
Mar 29 15:20:36 server01 php: : Setting up route with opt1 om xl1 for monitor 200.xx.4.65 on gateway 200.xx.4.65
Mar 29 15:23:26 server01 kernel: fxp0: link state changed to UP
Mar 29 15:23:27 server01 check_reload_status: rc.linkup starting
Mar 29 15:23:31 server01 slbd[72876]: ICMP poll succeeded for 204.xx.20.9, marking service UP
Mar 29 15:23:31 server01 last message repeated 2 times
Mar 29 15:23:33 server01 slbd[72876]: Service OPT1FailoverWAN changed status, reloading filter policy
Mar 29 15:23:33 server01 slbd[72876]: Service WANFailoverOPT1 changed status, reloading filter policy
Mar 29 15:23:33 server01 slbd[72876]: Service WanBalanceOPT1 changed status, reloading filter policy
Mar 29 15:23:33 server01 check_reload_status: reloading filter
Mar 29 15:23:35 server01 php: : Filter: FTP proxy disabled for interface opt1 - ignoring.
Mar 29 15:23:36 server01 php: : We found 2 valid entries in status file /tmp/WanBalanceOPT1.pool
Mar 29 15:23:36 server01 php: : Setting up route with wan om fxp0 for monitor 204.xx.20.9 on gateway 204.xx.20.9
Mar 29 15:23:36 server01 php: : Setting up route with opt1 om xl1 for monitor 200.xx.4.65 on gateway 200.xx.4.65

Load Balancer:
Pool Name        Type     Servers/Gateways                               Port  Monitor
WanBalanceOPT1   gateway  wan 201.xx.20.9 (balance) opt1 200.xx.4.65
WANFailoverOPT1  gateway  wan 201.xx.20.9 (failover) opt1 200.xx.4.65
OPT1FailoverWAN  gateway  wan 201.xx.20.9 (failover) opt1 200.xx.4.65

Firewall: Rules
Proto    Source        Port  Destination  Port      Gateway
TCP/UDP  192.168.0.77  *     *            80 - 443  WanBalanceOPT1

- Original Message -
From: "Scott Ullrich" <[EMAIL PROTECTED]>
To:
Sent: Thursday, March 29, 2007 1:25 PM
Subject: Re: [pfSense Support] Multi-Wan/Load Balancing

On 3/29/07, Diego Morato <[EMAIL PROTECTED]> wrote:
> Hi All,
>
> I'm following the documentation (http://doc.pfsense.org/index.php/Multi-Wan/Load-Balancing) to set up a Multi-Wan/Load Balancing environment; however, after creating the pool, I'm getting an error when I click on the Apply button:
>
> Warning: unlink(/tmp/Wan1BalanceWan2.pool): No such file or directory in /etc/inc/vslb.inc on line 104
>
> WAN and OPT1 are currently using static IPs. WAN is using the fxp module and OPT1 is using the xl module.

Thanks for the report. It is cosmetic only and should now be fixed.

Scott
Re: [pfSense Support] Multi-Wan/Load Balancing
Ok, thank you. I will test this and report any problems.

Diego

- Original Message -
From: "Scott Ullrich" <[EMAIL PROTECTED]>
To:
Sent: Thursday, March 29, 2007 1:25 PM
Subject: Re: [pfSense Support] Multi-Wan/Load Balancing

On 3/29/07, Diego Morato <[EMAIL PROTECTED]> wrote:
> Hi All,
>
> I'm following the documentation (http://doc.pfsense.org/index.php/Multi-Wan/Load-Balancing) to set up a Multi-Wan/Load Balancing environment; however, after creating the pool, I'm getting an error when I click on the Apply button:
>
> Warning: unlink(/tmp/Wan1BalanceWan2.pool): No such file or directory in /etc/inc/vslb.inc on line 104
>
> WAN and OPT1 are currently using static IPs. WAN is using the fxp module and OPT1 is using the xl module.

Thanks for the report. It is cosmetic only and should now be fixed.

Scott
[pfSense Support] Multi-Wan/Load Balancing
Hi All,

I'm following the documentation (http://doc.pfsense.org/index.php/Multi-Wan/Load-Balancing) to set up a Multi-Wan/Load Balancing environment; however, after creating the pool, I'm getting an error when I click on the Apply button:

Warning: unlink(/tmp/Wan1BalanceWan2.pool): No such file or directory in /etc/inc/vslb.inc on line 104

WAN and OPT1 are currently using static IPs. WAN is using the fxp module and OPT1 is using the xl module.

1.0.1-SNAPSHOT-03-15-2007 built on Fri Mar 23 05:07:13 EDT 2007

--
Diego