Re: [pfSense Support] Traffic Shaper ?

2011-08-31 Thread Ermal Luçi
On Wed, Aug 31, 2011 at 12:38 AM, Nicolas Roussi
 wrote:
> Hi, i am running 1.2.3 and I need some ideas on how to limit and prioritize 
> traffic
> This is the setup
>
> internet <---10Mbps--->MainFirewall 
> (NAT)<---1000Mbps--->pfSense(NAT)<1000Mbps--->1600 wireless clients
>                                                    |
>                                                    |
>                                                 servers
>
> Besides the double NATing, first I would like to make sure that traffic that 
> goes to the Internet only uses 2MBps.
> Second, I would like to block everything except 80,443,548, 25 and a few 
> other services (I can do that in the firewall settings)
> Third, from those services, I would like to give priority and full bandwidth 
> to AFP (548) then to web and then the rest.
>
> Is this possible?

I would suggest upgrading to 2.0 because it is easier to achieve this
configuration.
You would limit your traffic with limiters and apply your priority
policy through traffic shaper queues.
>
> Any help is greatly appreciated.
>
> Thanks
> -
> To unsubscribe, e-mail: support-unsubscr...@pfsense.com
> For additional commands, e-mail: support-h...@pfsense.com
>
> Commercial support available - https://portal.pfsense.org
>
>



-- 
Ermal




Re: [pfSense Support] Logout button - captive portal

2011-07-18 Thread Ermal Luçi
On Mon, Jul 18, 2011 at 8:41 AM, Raimund Sacherer
 wrote:
> Hello,
>
> wouldn't it be possible to send some javascript back which does, at least, 
> deactivate/hide the button and say something like "You have been 
> disconnected, have a nice day", waiting a second or two, and then kill 
> everything?
>

You can create a custom logout page for this.
The problem with embedding such javascripts in default pages is they
cannot be generalized.

> best
> Ray
>
> - Original Message -
> From: "Chris Buechler" 
> To: support@pfsense.com
> Sent: Sunday, July 17, 2011 5:21:26 AM
> Subject: Re: [pfSense Support] Logout button - captive portal
>
> On Fri, Jul 15, 2011 at 2:59 PM, Atkins, Dwane P  wrote:
>> Good afternoon all.
>>
>>
>>
>> We use the following version and it has been rather stable.
>>
>>
>>
>> 1.2.3-RELEASE
>> built on Sun Dec 6 23:21:36 EST 2009
>>
>>
>>
>> My issue is when authenticate, you can do whatever you have been authorized.
>>  But when you have completed and click the logout button, it just sits
>> there.  You can click it and click it and it will not go away.  However, I
>> did notice that I was logged out from the pfsense box which is a good
>> thing.
>>
>>
>>
>> How do we get the button to disappear or to possibly show something that
>> will state that you have been disconnected.
>>
>
> Yeah what you're seeing there is it fully disconnects the user. When
> you're logged out, the portal kills all your states to ensure you're
> cut off from Internet access, cutting off their HTTP session to the
> logout window in the process (there is no possible way in the
> underlying software to kill the host's states with the exception of
> one to keep the logout window alive). There currently aren't any
> alternatives there.
>
>
>
>
>



-- 
Ermal




Re: [pfSense Support] Re: unknown cause of limited throughput

2011-07-14 Thread Ermal Luçi
On Thu, Jul 14, 2011 at 8:26 AM, David Burgess  wrote:
> 2.0-RC3 (amd64)
> built on Tue Jul 12 21:23:55 EDT 2011
>
> On Tue, Jul 5, 2011 at 11:52 PM, David Burgess  wrote:
>
>> I hope that's not too confusing. To summarize, any two machines, real
>> or virtual, get iperf results near wire speed when on the same L2
>> network. Any two machines on different (routed) networks see iperf
>> speeds between 320 and 550, which is expected due to the limitations
>> of the router. The exception is rip. Of my three virtual hosts, which
>> all live on the same ESXi server, only rip is seeing very slow iperf
>> speeds (and similar nfs speeds) when acting as server to routed hosts.
>
> I did some more testing and was surprised by the results. I created a
> new virtual server "chunk" running Ubuntu Server 10.10 and expected
> that because it was now the same version OS as my other servers, it
> would now exhibit normal routed network speeds. But I was wrong. Chunk
> consistently serves iperf at 12.8 Mbps to a routed client.
>
> Intrigued, I moved chunk to a different local vlan/network and tested
> again. The result:
>
> iperf client   vlan    server              vlan   result
> ren    real    85    chunk     virtual    250  380 Mbps  routed
> ren    real    85    chunk     virtual    240  12.8 Mbps  routed
> mule real    85    chunk     virtual    250  380 Mbps  routed
> mule real    85    chunk     virtual    240  12.8 Mbps  routed
> ren   real    85     mule       real      240   16.8 Mbps  routed
>
> So it's not the server, it's the vlan or something related to it.
> vlan85 is my LAN, and the only firewall rule on that interface is a
> PASS all rule. There is no floating rule that should touch any of this
> as far as I can tell.
>
> The only thing that distinguishes vlan 240 from the other vlans I'm
> testing (besides being slower) is that the hosts on this vlan have
> publicly routable IP addresses, while the hosts on every other vlan
> are 192.168.x.x addresses. There is no NAT occurring between local
> networks.
>
> I've now ruled out virtualization and OS as being the cause of this,
> and that leaves pfsense and the switch. The switch is not slow where
> the router is not involved, so unless I've misjudged, this is a
> pfsense problem.
>
> Any ideas?
>

Try to tune these sysctls:
net.isr.numthreads: 1
net.isr.bindthreads: 0
net.isr.direct: 1
net.isr.direct_force: 1

The latest pfSense ships with net.isr.direct disabled and
net.isr.bindthreads enabled.
It creates isr threads for each cpu it finds.

Possibly you can try the above values and see if they improve your problem.

> db
>
>
>



-- 
Ermal




Re: [pfSense Support] Strange TCP connection behavior 2.0 RC2 (+3)

2011-06-30 Thread Ermal Luçi
On Thu, Jun 30, 2011 at 11:16 AM, William Salt
 wrote:
> Attached is the ifconfig, sysctl and pfcrl results from each
> firewall/router.
> If someone could look at them and suggest anything, i would be
> eternally grateful! :)
> Has anyone got a similar config they could possibly share? (1gb link, 132ms
> RTT)

Looking at your state table I see that the maximum amount of data you have in
transit is 65K on average, and
only a few states have 262K in transit.

This may suggest that your application buffers are set at this limit,
and this needs to be tuned on the application machine and not on pfSense.

>
> Regards
> Will
>
> On Wed, Jun 29, 2011 at 6:14 PM, Chase Bolt  wrote:
>>
>> On Wed, Jun 29, 2011 at 5:16 AM, William Salt
>>  wrote:
>>>
>>> Hi all, thanks for the input.
>>> We have now swapped the cards to em card at both ends, instead of igb at
>>> one end, and em at the other. We are now seeing near gig speeds in both
>>> directions. Before, we saw very different speeds in each direction.
>>> We have now managed to reach around 860-900mbps each way with the
>>> following values in our sysctl.conf:
>>>
>>> kern.ipc.maxsockbuf=20971520
>>> net.inet.tcp.recvbuf_max=20971520
>>> net.inet.tcp.sendbuf_max=20971520
>>> net.inet.tcp.recvbuf_inc=524288
>>> net.inet.tcp.sendbuf_inc=524288
>>> However, even though we can reach around the upper threshold of the
>>> connection, we are seeing the boxes crash, or tcp performance hit the
>>> maximum 860-900mbps then drop, and stick at around 8mbps, until a reboot.
>>>
>>> I might add that we are running 32bit (i386) RC3 at both ends, with 6gb
>>> of RAM (probably a lot less in the OS, need to upgrade to x64)
>>> When I replicated these settings on two fresh boxes beyond the routers at
>>> either end, I saw no performance increase...
>>> Regards
>>> Will
>>
>> Well that makes me uneasy about igb cards... I also have igb cards in my
>> pfsense boxes waiting to upgrade to 2.0 final so I can start using them in
>> production.
>>
>> Thanks,
>> Chase Bolt
>
>



-- 
Ermal
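Two of Ermal's diagnostics on this page lend themselves to a mechanical check: the net.isr values he suggests trying in the "limited throughput" thread, and the observation here that a 65K in-flight ceiling points at application socket buffers rather than at pfSense. The script below is an added example, not code from the list or from pfSense. It parses a constructed `sysctl -a` style dump (FreeBSD prints `name: value`; `name=value` as in sysctl.conf is accepted too), reports which net.isr knobs differ from the suggested values, and works out the bandwidth-delay product of the 1 Gbps / 132 ms path in this thread to judge whether the posted socket buffer ceilings are big enough and what throughput a 64K window would cap a single connection at. The sample dump, the function names and the choice of which knobs to compare are my own.

```python
"""Check FreeBSD/pfSense network sysctls against the advice given in this thread."""
import re

# Constructed sample of `sysctl -a` output, mirroring what Ermal says the
# current pfSense ships with (direct dispatch off, thread binding on), plus the
# socket buffer values William posted.
SAMPLE_SYSCTL_DUMP = """\
net.isr.numthreads: 2
net.isr.bindthreads: 1
net.isr.direct: 0
net.isr.direct_force: 0
kern.ipc.maxsockbuf: 20971520
net.inet.tcp.recvbuf_max: 20971520
net.inet.tcp.sendbuf_max: 20971520
net.inet.tcp.recvbuf_inc: 524288
net.inet.tcp.sendbuf_inc: 524288
"""

# The net.isr values Ermal suggested trying for the routed-throughput problem.
SUGGESTED_ISR = {
    "net.isr.numthreads": 1,
    "net.isr.bindthreads": 0,
    "net.isr.direct": 1,
    "net.isr.direct_force": 1,
}

# Socket buffer ceilings that bound how much a single TCP stream can keep in flight.
BUFFER_CEILINGS = (
    "kern.ipc.maxsockbuf",
    "net.inet.tcp.recvbuf_max",
    "net.inet.tcp.sendbuf_max",
)


def parse_sysctl_dump(text):
    """Parse "name: value" (sysctl -a) or "name=value" (sysctl.conf) lines into
    a dict of name -> int. Lines whose value is not an integer are skipped."""
    values = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([\w.]+)\s*[:=]\s*(-?\d+)\s*$", line)
        if m:
            values[m.group(1)] = int(m.group(2))
    return values


def isr_deviations(values, suggested=SUGGESTED_ISR):
    """Return {name: (current, suggested)} for every suggested knob that is
    present in the dump but set to a different value."""
    return {
        name: (values[name], want)
        for name, want in suggested.items()
        if name in values and values[name] != want
    }


def bdp_bytes(rate_bps, rtt_seconds):
    """Bandwidth-delay product: bytes that must be in flight to fill the path."""
    return int(rate_bps * rtt_seconds / 8)


def window_limited_rate_bps(window_bytes, rtt_seconds):
    """Throughput ceiling for a sender that can keep at most window_bytes in flight."""
    return window_bytes * 8 / rtt_seconds


def buffer_report(values, rate_bps, rtt_seconds, ceilings=BUFFER_CEILINGS):
    """Compare each configured buffer ceiling with the path's BDP.
    Returns (bdp, {name: (configured_bytes, is_large_enough)})."""
    need = bdp_bytes(rate_bps, rtt_seconds)
    report = {name: (values[name], values[name] >= need)
              for name in ceilings if name in values}
    return need, report


def main():
    values = parse_sysctl_dump(SAMPLE_SYSCTL_DUMP)
    for name, (cur, want) in isr_deviations(values).items():
        print(f"{name}: currently {cur}, suggested {want}")
    need, report = buffer_report(values, 1_000_000_000, 0.132)
    print(f"BDP for 1 Gbps at 132 ms RTT: {need} bytes")
    for name, (cur, ok) in report.items():
        print(f"{name}={cur}: {'ok' if ok else 'too small'}")
    # A 65535-byte in-flight limit on this path caps a single stream well below 1 Gbps.
    print(f"64K window ceiling: {window_limited_rate_bps(65535, 0.132) / 1e6:.1f} Mbps")


if __name__ == "__main__":
    main()
```

The BDP comes out at 16.5 MB, so the 20 MB ceilings in the posted sysctl.conf are sufficient on the pfSense side; a stream that never has more than 65K in flight, on the other hand, cannot exceed about 4 Mbps at 132 ms no matter how the router is tuned, which is why the limit has to be raised on the application host. On FreeBSD 8 the net.isr thread-count and binding knobs are loader tunables (set in /boot/loader.conf and applied at boot), while the direct dispatch ones can be changed at runtime.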




Re: [pfSense Support] Strange TCP connection behavior 2.0 RC2 (+3)

2011-06-29 Thread Ermal Luçi
On Wed, Jun 29, 2011 at 2:16 PM, William Salt
 wrote:
> Hi all, thanks for the input.
> We have now swapped the cards to em card at both ends, instead of igb at one
> end, and em at the other. We are now seeing near gig speeds in both
> directions. Before, we saw very different speeds in each direction.
> We have now managed to reach around 860-900mbps each way with the following
> values in our sysctl.conf:
>
> kern.ipc.maxsockbuf=20971520
> net.inet.tcp.recvbuf_max=20971520
> net.inet.tcp.sendbuf_max=20971520
> net.inet.tcp.recvbuf_inc=524288
> net.inet.tcp.sendbuf_inc=524288
> However, even though we can reach around the upper threshold of the
> connection, we are seeing the boxes crash, or tcp performance hit the
> maximum 860-900mbps then drop, and stick at around 8mbps, until a reboot.
>
> I might add that we are running 32bit (i386) RC3 at both ends, with 6gb of
> RAM (probably a lot less in the OS, need to upgrade to x64)
> When I replicated these settings on two fresh boxes beyond the routers at
> either end, I saw no performance increase...
> Regards
> Will
>

Can you please give the back traces from the crashes?
Also can you gather statistics:
pfctl -vvsa
ifconfig -a
sysctl -a

from the box


> On Tue, Jun 28, 2011 at 3:34 PM, Eugen Leitl  wrote:
>>
>> - Forwarded message from Rhys Rhaven  -
>>
>> From: Rhys Rhaven 
>> Date: Tue, 28 Jun 2011 09:30:06 -0500
>> To: na...@nanog.org
>> Subject: Re: [pfSense Support] Strange TCP connection behavior 2.0 RC2
>> (+3)
>> Organization: Rhaven Industrys
>> User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US;
>>        rv:1.9.2.17) Gecko/20110516 Lightning/1.0b2 Thunderbird/3.1.10
>>
>> Obviously not helping if you are trying to tune standard TCP, but I
>> lament that protocols like Tsunami are not in wider use.
>> http://tsunami-udp.sourceforge.net/ Short of it, a TCP control channel
>> takes care of error checking and resends while the data channel is a UDP
>> stream, specifically built to max out LFNs.
>>
>> On 06/28/2011 03:52 AM, Eugen Leitl wrote:
>> > - Forwarded message from William Salt 
>> > -
>> >
>> > From: William Salt 
>> > Date: Tue, 28 Jun 2011 08:03:25 +0100
>> > To: support@pfsense.com
>> > Subject: [pfSense Support] Strange TCP connection behavior 2.0 RC2 (+3)
>> > Reply-To: support@pfsense.com
>> >
>> > Hi All,
>> >          For the last couple of months i have been pulling my hair out
>> > trying to solve this problem.
>> > We have a 1Gbps transatlantic link from the UK to the US, which has
>> > successfully passed the RFC2544 test.
>> >
>> > At either end, we have a media converter, and a supermicro server with
>> > an
>> > intel quad port NIC running pfsense 2 (RC2 at one end RC3 at the other)
>> > and
>> > the IGB driver on the quad port.
>> >
>> > We can pass 1gbps either way with UDP. However we are experiencing very
>> > strange issues with tcp connections.
>> >
>> > With window scaling enabled, and a max socket buffer set to 16MB, we see
>> > no
>> > difference.
>> > Even disabling window scaling and setting the window to 16MB makes no
>> > difference.
>> >
>> > Each TCP connection starts very slowly, and will max out at around
>> > 190mbps,
>> > taking nearly 2 minutes to climb to this speed before *plateauing*.
>> >
>> > We have to initiate many (5+) connections to saturate the link with tcp
>> > connections with iperf.
>> >
>> > Real world tests transferring files, max out at 100mbps, using multiple
>> > connections.
>> >
>> > I have followed guides like this:
>> > http://www.psc.edu/networking/projects/tcptune/#FreeBSD
>> >
>> > With no luck, and have tweaked, disabled, and enabled nearly every
>> > relevant
>> > sysctl parameter with no luck.
>> >
>> > Can anyone shed some light on this?
>> >
>> > I am now doubting the IGB driver, and am looking to swap out the cards
>> > as a
>> > last ditch effort.
>> > However, we have tried different hardware (L3 switches, media converters
>> > +
>> > laptops etc), and the symptoms still persist...
>> > The only constant is freebsd 8.1 - pfsense (or 8.2 for our production
>> > systems).
>> > I have tried the freebsd net mailinglist, but im hoping you lot can help
>> > me!
>> >
>> > Cheers in advance
>> > Will
>> >
>> > - End forwarded message -
>>
>>
>> - End forwarded message -
>> --
>> Eugen* Leitl leitl http://leitl.org
>> __
>> ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
>> 8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
>>
>>
>
>



-- 
Ermal


Re: [pfSense Support] Test-Upgrade from 1.2.3 to 2.0RC3 Alix

2011-06-24 Thread Ermal Luçi
On Fri, Jun 24, 2011 at 1:27 PM, Klaus Lichtenwalder
 wrote:
> Hi all,
>
> I'm running pfSense 2.0RC3 (embedded) as a virtual instance to test
> importing my old config into the new system. Real target will be my alix
> board. I manually edited the interface section to account for the
> different network names and of course network topology.
> Loading the config file works fine, but after the reboot I get:
>
>
> Warning: ksort() expects parameter 1 to be array, null given in
> /etc/inc/certs.inc on line 359
>
> Warning: ksort() expects parameter 1 to be array, null given in
> /etc/inc/certs.inc on line 359
>
> Warning: ksort() expects parameter 1 to be array, null given in
> /etc/inc/certs.inc on line 359
> ..

I just put some more error checking in the code.
Please test with the latest snapshots tomorrow.

Also, if it happens again, it would be useful to have your certificate
section from the XML, even in private e-mails.

>
>  ** WARNING **
>
>  Configuration could not be validated. A previous configuration was
> restored.
>
> Anything I could check for?
> Klaus
> --
> 
>  Klaus Lichtenwalder, Dipl. Inform.,  http://www.lichtenwalder.name
>  PGP Key fingerprint: BF52 72FA 1F5A 1E29 C0F8  498C C4C6 633C 2821 97DA
>
>



-- 
Ermal




Re: [pfSense Support] psSense , AD, Kerberos, FreeBSD, Samba,Squid,SquidGuard

2011-06-23 Thread Ermal Luçi
On Thu, Jun 23, 2011 at 10:30 AM, Younes EL AMRAOUI wrote:

>
> Hi,
>
> I'm trying to set up Kerberos on my FreeBSD (command line of pfSense) to
> specify NTLM users of AD of Windows Server.
> The problem is that I don't know how to install it and configure it?Any
> documentation please??
>
>
You can try something like
http://siphon9.net/loune/2007/10/simple-lightweight-ntlm-in-php/?
It needs some adaptation for pfSense (FreeBSD),
or you are looking at something completely different.


> Regards,
> --
> Younes EL AMRAOUI
>
> *Engineering Student at ESIREM.*
> *Computer Science Engineering School.*
> *+33629153757*
> *Dijon ,FRANCE .*
>
>
>
>


-- 
Ermal


Re: [pfSense Support] supported auth protocols

2011-06-22 Thread Ermal Luçi
On Wed, Jun 22, 2011 at 2:40 PM, Roberto Nunnari
 wrote:
> Chris Buechler wrote:
>>
>> On Wed, Jun 22, 2011 at 3:19 AM, Roberto Nunnari
>>  wrote:
>>>
>>> Ok, thank you.
>>> Now I have a couple of important tasks that will take me off from this,
>>> but
>>> I hope I'll be back here in three-four weeks.
>>>
>>
>> There will also be a developer mailing list available in the near
>> future, as soon as I have a chance to take down this server and bring
>> up the new one, you'll see an email to this list with info then. You
>> can follow up there then with any additional questions (or here in the
>> mean time).

Take a look at http://svn.php.net/viewvc/pecl/radius/trunk/examples/
>
> Great!
> Best regards.
> Robi
>
>
>
>



-- 
Ermal




Re: [pfSense Support] No-IP and static IP

2011-06-13 Thread Ermal Luçi
On Mon, Jun 13, 2011 at 6:33 PM, J. Echter
 wrote:
> Hi,
>
> is there a possibility to have pfsense force to sync with no-ip.com to
> avoid messages like this:
>
> Your free host bla.blubb, will expire
> in 14 days due to account inactivity.

It will do a forced update every 25 days.
>
> bla.blubb was last  updated on  2011-04-28 02:06:47. Free Dynamic DNS
> hosts must be updated via our website or dynamic update client every 60 days
> to prevent them from being removed from our system.
>
> thanks.
>
> juergen.
>
>
>



-- 
Ermal




Re: [pfSense Support] l7 blocking

2011-06-06 Thread Ermal Luçi
On Mon, Jun 6, 2011 at 12:34 PM, Martin Månsson  wrote:

>  Dear Users
>
>
>
> I have been trying to block p2p traffic, as its killing the internet line.
>
> I have recently asked a question if there was a way to get snort to block
> only that one traffic type and not the entire ip
>
> I was told to try layer 7 blocking which I now have.
>
>
>
> I have no problem blocking http, ftp or vnc, but bittorrent isn’t blocking
> only if I enable bittorrent AND http to block then I can’t get bittorrent
> peer connections
>
> And I really would like my users to be able to do a http request J
>
>
>

If bittorrent is using encryption then you have to create a regex yourself to
detect it.
L7 will only catch the unencrypted bittorrent as it is today.


>  Im using 2.0 r2
>
>
>
> Best regards
>
> *Martin Månsson*
> IT-supporter, University Library of Southern Denmark
>
> Tel.
>
> +45 6550 2709
>
> Fax
>
> +45 6315 0095
>
> Email
>
> m...@bib.sdu.dk
>
> Addr.
>
> Campusvej 55, DK-5230 Odense M, Denmark
>
>
>
>  --
>
> *Campusvej 55 · DK-5230   Odense M · Denmark · Tel. +45 6550 1000 ·
> www.sdu.dk*
>
>
>



-- 
Ermal


Re: [pfSense Support] Traffic shaping for specific file type

2011-05-17 Thread Ermal Luçi
On Tue, May 17, 2011 at 2:10 AM, A Mohan Rao  wrote:
> ok
>
> On Mon, May 16, 2011 at 9:03 PM, Michel Servaes  wrote:
>>
 u can come on chat Google chat)  i will help u my best..  .

 mohanra...@gmail.com


>>> Though this answer might be interesting for the person who has asked It.
>>> It is totally useless to the mailing list.
>>>
>>>
>>> If everybody acted the same, mailing list would be filled with 0 answer…
>>>
>>> Please post your answer on the mailing list.
>>>
>>>
>>> Thanks.
>>>
>>
>> Yes, I was thinking the very same thing here... I am not going to use
>> bandwidth throttling right now - but I would love to know a bit on a howto
>> described right here :-)
>> It's like learning using it in every possible aspect...

You can try with layer7 shaper.
I am not sure if there is a regex there for this or you would have to
write one yourself.

But that is your best bet.


>>
>>
>
>



-- 
Ermal




Re: [pfSense Support] L7 queue seems not to work

2011-05-04 Thread Ermal Luçi
On Wed, May 4, 2011 at 4:47 PM, Vaughn L. Reid III
 wrote:
>
>
> On 4/29/2011 4:49 PM, bsd wrote:
>>
>> Le 29 avr. 2011 à 19:08, bsd a écrit :
>>
>>> Le 29 avr. 2011 à 09:37, bsd a écrit :
>>>
 Hi,

 I have created a simple L7 container where I have put SIP and SkypeOut
 traffic.

 Then created a Queue called VoIP where this traffic is supposed to end
 (HFSC with 10% reserved).

 Then two floating rule to put all traffic (TCP and UDP) in and selected
 the VoIP L7 container I have created.


 No traffic seems to go in that queue ??

 Any hints ?
 Is L7 traffic shaping out of order for the time being?


 Thanks.
>>>
>>> May I add that my WLAN and LAN are bridged …
>>> If this has any impact on the L7 Queuing.
>>>
>>> … and that my other queue (non L7) are also working very correctly.
>>>
>>>
>>> Thx.
>>
>> And the system tunables have been set correctly…
>>
>> net.link.bridge.pfil_member     Set to 0 to disable filtering on the
>> incoming and outgoing member interfaces.   0
>> net.link.bridge.pfil_bridge     Set to 1 to enable filtering on the bridge
>> interface    1
>>
>>
>> No one has any feedback on L7 that and v.2.0.RC1 ?
>
> Here is some feedback on my experience with the L7 filter:
>
> With this morning's snapshot (05/04/2011 approximately 06:00 EST was the
> time I initiated a snapshot update), I have experienced the L7 filter
> significantly slowing web traffic on a system containing Squid and
> Squidguard once there were more than a couple of users sending traffic
> through the firewall.  Disabling the firewall rule passing traffic to the L7
> filter eliminated the bottleneck.   Hardware is a Core 2 Duo Processor, 4
> Gigs memory, Supermicro Server Board, Intel Server NIC's.  Also, no other
> traffic shaping other than a single L7 filter rule to block peer-to-peer
> traffic was enabled.
>

I would recommend putting a firewall rule to send traffic to layer 7
on the outgoing side when squid is in place,
or just filter TCP 80/443 through squid and the rest
through layer 7 with rules on the LAN side.


>
>

-- 
Ermal




Re: [pfSense Support] L7 queue seems not to work

2011-05-02 Thread Ermal Luçi
On Sat, Apr 30, 2011 at 5:30 AM, Chris Buechler  wrote:
> On Fri, Apr 29, 2011 at 4:49 PM, bsd  wrote:
>>
>> No one has any feedback on L7 that and v.2.0.RC1 ?
>>
>
> It doesn't work. At least apparently unless manually compiled. There
> is a ticket open on it.
>
Try snapshots from tomorrow and see if it works.
I put a fix in just now about this.

-- 
Ermal




Re: [pfSense Support] GRE help needed

2011-04-20 Thread Ermal Luçi
On Wed, Apr 20, 2011 at 5:40 PM, Adam Thompson  wrote:
> Trying to setup GRE tunnel between two pfSense boxes (both running 2.0RC1).
>
> FW “A” is a single pfSense box.
>
> FW “B” is a pfSense HA cluster.
>
> No NAT exists between their WAN interfaces; both have public IP addresses.
>
>
>
> On “A”:
>
> Interfaces→(assign)→GRE, create GRE tunnel with
>
>     Parent: WAN
>
>     Remote: B’s WAN VIP
>
>     GRE local: 10.0.0.1
>
>     GRE remote: 10.0.0.2/24
>
> Interfaces→(assign)→Interface assignments,
>
>     Created OPT1 on GRE
>
> Interfaces→OPT1
>
>     Type: static

Just put type none here and that is all you need.

>
>     MAC/MTU/MSS: blank
>
>     IP Address: 10.0.0.1/24
>
>     Gateway: none
>
>     Private network blocking: both OFF
>
> Firewall→Rules→OPT1
>
>     Create new allow-all rule for testing.
>
>
>
> On “B”, almost the same thing except the Parent interface is WAN VIP and the
> GRE local/remote #s are reverse.  OPT1 is configured as 10.0.0.2/24.
>
>
>
> With the GRE tunnel created but OPT1 not yet assigned an IP address,
> netstat(1) shows a local link route for 10.0.0.1 & 10.0.0.2.  After I create
> OPT1 and assign it an IP address, the route vanishes!
>
>
>
> Am I doing something really obviously wrong here?
>
>
>
> (I’m trying to use GRE so I can run a routing protocol; apparently OSPF and
> IPSec tunnels don’t really work together in pfSense.)
>
>
>
> Thanks,
>
> -Adam Thompson
>
> athom...@athompso.net
>
>



-- 
Ermal


Re: [pfSense Support] Wireless roaming between AP

2011-04-20 Thread Ermal Luçi
On Wed, Apr 20, 2011 at 7:31 PM, bsd  wrote:
> Hello,
>
> At some point there were indication that Wireless AP roaming could be 
> achieved - at least It is achievable in FreeBSD - how about setting It up in 
> pfSense ?
>
> --> http://blog.pfsense.org/?p=174
>
> Has anyone got any hints on this ?
>

IIRC you just need a RADIUS server to handle the re-authentication.
It's being used in at least one setup like this.

>
> Thanks.
>
> ––
> -> Grégory Bernard Director <-
> ---> www.osnet.eu <---
> --> Your provider of OpenSource appliances <--
> ––
> OSnetOSnetOSnetOSnetOSnetOSnetOSnetOSnetOSnetO
>
>
>
>



-- 
Ermal




Re: [pfSense Support] 2.0RC1 - PPTP client disconnect kills all IPsec VPNs

2011-04-04 Thread Ermal Luçi
On Mon, Apr 4, 2011 at 12:52 AM, David Rees  wrote:
> On Sat, Apr 2, 2011 at 12:19 AM, Chris Buechler  wrote:
>> On Thu, Mar 31, 2011 at 5:05 PM, David Rees  wrote:
>>> I posted this on the forum[1] but didn't get any responses, so am trying 
>>> here.
>>>
>>> On 2.0-RC1 (amd64) built on Tue Mar 22 21:02:19 EDT 2011
>>>
>>> When a PPTP user connects and then disconnects, all IPsec VPNs go down
>>> shortly afterwards.
>>>
>>> In the logs, we see that the pptp user logs out - shortly afterwards
>>> the DPD kicks in on the VPNs, but fails to bring the VPNs back up.
>>> Disabling/enabling an IPsec VPN brings them all back up.
>>>
>>> We don't use PPTP much so it's the first time we've seen it.  We're
>>> planning on going back to the official RC1 in the mean time.  Known
>>> issue?  Anyone using both PPTP server and IPsec VPNs NOT seeing this
>>> issue?  What's your setup like?
>>
>> Can't replicate, I connected and disconnected PPTP about 30 times to a
>> system with a few IPsec connections all with DPD and had 0 issues with
>> any of them. Typical basic PPTP setup and site to site IPsec. See if
>> you can narrow it down more, or if there's something specific about
>> your setup that's pertinent.
>
> Thanks for the response - I'll try to narrow down our config in a test
> bed to try to duplicate situation.
>

Can you try the suggestion posted here
http://forum.pfsense.org/index.php/topic,34853.0.html?

> Only "special" settings are that it's a dual-WAN setup with multiple
> VLANs and use IPsec, OpenVPN and PPTP VPN. connections...
>
> -Dave
>
>
>



-- 
Ermal




Re: AW: [pfSense Support] Re: Intel Gigabit - em0: Watchdog Timeout

2011-03-05 Thread Ermal Luçi
On Sat, Mar 5, 2011 at 4:44 AM, Kevin Tollison  wrote:
> Very similar setup here D510 4GB RAM using amd64 version. This box gave 
> trouble first. The HDD was a standard 160GB 3.5" SATA.  I have since 
> installed a 40GB Intel SSD
>
> The other is a D525 2GB RAM and a 40GB Intel SSD using the i386 version.
>
> The 64 is a factory default and stays up a while, but still stops at some 
> point. The i386 only last a few minutes with the production config.
> --
It's certainly a driver or hardware issue.
Re-initializing your controller makes traffic flow again.
Please give me access to the box again so I can finish the diagnosis,
or try upgrading the BIOS.


> Kevin Tollison
>
> Sent from my Blackberry
>
> -Original Message-
> From: Mehma Sarja 
> Date: Fri, 04 Mar 2011 19:22:50
> To: 
> Reply-To: support@pfsense.com
> Subject: Re: AW: [pfSense Support] Re: Intel Gigabit - em0: Watchdog Timeout
> On 3/4/11 7:09 PM, Kevin Tollison wrote:
>>
>> 2 B5 was good until a month or so ago. Are you using any vlans?  I am 
>> beginning to think it may be in vlans.
>
> Don't use vlans. I tried upgrading with and without my packages (snort,
> country block, DNS blacklist, rate and notes) - same effect. I thought
> maybe it is FBSD 7.3 - but it does not make any logical sense for an
> earlier release to support the nics and ssd (I am on a TORQX ssd) and
> not a later release. Then I started suspecting the ssd.
>
> Cuz, here is an observation, I had to reboot a few times for the BIOS to
> see the drive. My config is simple - 32 gb SSD, 4 GB RAM, D510 MB. No
> other devices. I am booting off an external USB DVD drive. I can get the
> drive to be seen if I pull the power plug. This MB has IPMI and suspect
> that other cpu is humming at power off. Have not logged into the IPMI
> processor.
>
> Mehma
>
>
>



-- 
Ermal




Re: [pfSense Support] Multiwan failover

2011-02-09 Thread Ermal Luçi
On Wed, Feb 9, 2011 at 3:29 PM, Mark Wiater  wrote:
> On 2/9/2011 9:12 AM,  Ermal Luçi said:
>> On Wed, Feb 9, 2011 at 11:50 AM, Mark Wiater  
>> wrote:
>
>>> So... In the issue, Ermal indicates that it's taken care of in 2.0 in 
>>> another way. I think I missed what that other way is. Because if the 
>>> interface that holds my default route goes down, lots of traffic doesn't end 
>>> up hitting the internet unless it sources from an internal network and I've 
>>> got a policy route in pf.
>>
>> It will be taken care of by pf(4) policy routing. In pfSense there are
>> enhancements in the kernel to support that.
> When my WAN interface, the default route goes down, things like squid and 
> dnsmasq stop working for me, and I have multiple DNS entries in the general 
> setup using the different gateways.
>
>>> Is a dynamic default route change out of the question? What is the other 
>>> way to affect the same behavior in 2.0?
>> Not that it's out of the question, but the way things work right now
>> it's not the best option, and the pf(4) fix works quite OK.
>> On 2.0 you can even run without a default gateway, from what I have tested.
> In my experience, there are things that don't work from the firewall itself 
> and that can cause somewhat significant problems. How does dns forwarder 
> traffic or squid traffic know where to go if the default route is not 
> functioning? Is there a configuration in pf that I'm missing?
>
> It sounds like I'm missing some fundamental configuration concept to make it 
> work as well and as reliably as you have. I thought I looked everywhere for 
> the right way to configure multiwan but maybe I've missed it? Got any 
> pointers?

Please upgrade to a snapshot from the 9th of February or later and just test it again.
You would only need a gateway pool on the floating rules + AON to
make that work.
But please let's continue this on the forum.

>> Though for later releases this might be revisited, it's low priority for 
>> now.
>
> Thanks Ermal
>
> Mark



-- 
Ermal




Re: [pfSense Support] Multiwan failover

2011-02-09 Thread Ermal Luçi
On Wed, Feb 9, 2011 at 11:50 AM, Mark Wiater  wrote:
> Good day everyone,
>
> I was hoping to open or reopen a discussion about how pfSense reacts to a 
> gateway failure in a multiwan configuration. I think there was an attempt to 
> address this in http://redmine.pfsense.org/issues/880.
>
> I use both 1.2 and 2.0.
>
> I'm an advocate for changing the default route to a valid wan interface in 
> the event that the interface holding the default route fails monitoring.
>
> I work with a couple of other firewall brands, coincidentally also Freebsd 
> based, that do support default route changes based on reachability and it 
> works very very well. Users don't even know what's happened. And isn't that 
> the point of having multiwan (at least one of the points).
>
> So... In the issue, Ermal indicates that it's taken care of in 2.0 in another 
> way. I think I missed what that other way is. Because if the interface that 
> holds my default route goes down, lots of traffic doesn't end up hitting the 
> internet unless it sources from an internal network and I've got a policy 
> route in pf.
>

It will be taken care of by pf(4) policy routing. In pfSense there are
enhancements in the kernel to support that.

> Is a dynamic default route change out of the question? What is the other way 
> to affect the same behavior in 2.0?

Not that it's out of the question, but the way things work right now
it's not the best option, and the pf(4) fix works quite OK.
On 2.0 you can even run without a default gateway, from what I have tested.

Though for later releases this might be revisited, it's low priority for now.

>
> Thanks
>
> Mark



-- 
Ermal




Re: [pfSense Support] pfSense 2.0, upgrade to this morning's snap problem

2011-01-25 Thread Ermal Luçi
On Mon, Jan 24, 2011 at 7:42 PM, Dimitri Rodis
 wrote:
> After an upgrade to this morning’s snap, I received the following after the
> upgrade/reboot (it’s what’s on my PuTTY atm):
>
>
>
> Syncing OpenVPN settings...done.
>
> Starting syslog...done.
>
> Configuring firewall..done.
>
> Starting PFLOG...done.
>
> Setting up gateway monitors...done.
>
> Synchronizing user settings...done.
>
> Starting webConfigurator...done.
>
> Configuring CRON...done.
>
> Starting OpenNTP time client...done.
>
> Starting DHCP service...done.
>
> Starting DNS forwarder...done.
>
> Configuring firewall..done.
>
> kernel trap 12 with interrupts disabled
>
>
>
>
>
> Fatal trap 12: page fault while in kernel mode
>
> cpuid = 0; apic id = 00
>
> fault virtual address   = 0x8
>
> fault code  = supervisor read, page not present
>
> instruction pointer = 0x20:0xc094d130
>
> stack pointer   = 0x28:0xc27d1b84
>
> frame pointer   = 0x28:0xc27d1ba4
>
> code segment    = base 0x0, limit 0xf, type 0x1b
>
>     = DPL 0, pres 1, def32 1, gran 1
>
> processor eflags    = resume, IOPL = 0
>
> current process = 11 (swi4: clock)
>
> trap number = 12
>
> panic: page fault
>
> cpuid = 0
>
> Uptime: 25s
>
> Cannot dump. Device not defined or unavailable.
>
> Automatic reboot in 15 seconds - press a key on the console to abort
>
> --> Press a key on the console to reboot,
>
> --> or switch off the system now.
>
>
If you have a bridge setup, please upgrade to the 2nd-next snapshot.


-- 
Ermal




Re: [pfSense Support] Hardware for WAN interface - Frame Relay

2011-01-22 Thread Ermal Luçi
On Sat, Jan 22, 2011 at 4:07 PM, Alberto Mijares  wrote:
> Greetings,
>
> I need a router with a V.35 interface for my frame relay link. I found
> that ctau(4) driver in FreeBSD 8.x may handle this PCI card[1], so my
> question is: does pfSense 2.x support this card, and may it be used as a
> WAN interface? I think so, since pfSense 2.x is based on FreeBSD 8.1
> and keeps all drivers, doesn't it?

You can try to grab the module from a standard FreeBSD ISO and load it in pfSense.
You will have to grab the sconfig utility for this as well, and it is not
supported from the GUI.

Then you can go and do some tests on the PPP page for it.

>
> Anybody using this card as WAN interface?
>
> I need the hardware provider too, by the way.
>
> Thanks in advance.
>
>
> Alberto Mijares
>
>
> [1] http://www.cronyx.ru/hardware/taupci.html



-- 
Ermal




Re: [pfSense Support] 1:1 NAT Entry issue - Bug or mistake?

2011-01-21 Thread Ermal Luçi
On Fri, Jan 21, 2011 at 4:11 AM, Dimitri Rodis
 wrote:
> On Thu, Jan 20, 2011 at 9:28 PM, Dimitri Rodis 
>  wrote:
>> pfSense 2.0-BETA5 (i386) built on Wed Jan 19 12:45:14 EST 2011
>>
>>
>>
>> When I try to use an alias in the Internal IP field (suppose the alias
>> was
>> ) I receive the following error upon saving (or trying to save):
>>
>>
>>
>> The following input errors were detected:
>>
>>      is not a valid internal IP address
>>
>>
>>
>>
>>
>> I know in <2.0 you could not use aliases in the 1:1 fields, but in
>> this version the boxes are RED, implying that aliases are allowed. I
>> don't know if this is a bug or just a mistake (in formatting the
>> fields RED) but in any event it looks like something needs to be fixed
>> or changed. I did not try using an Alias in the External Subnet IP field, 
>> although it is RED also.
>>
>>
>> That's correct, the fields shouldn't be red though, I just fixed that.
>> Aliases aren't supported in binat in pf.
>
> Even if binat doesn't support them, they could theoretically be "resolved" 
> via code prior to updating the rules in 2.1 :)
>
You can put a feature request on redmine.pfsense.org so it does not
get forgotten.



-- 
Ermal




Re: [pfSense Support] NUT pfsense package rewrite

2011-01-13 Thread Ermal Luçi
On Wed, Jan 12, 2011 at 7:52 PM, Grant Joy  wrote:
> Hello,
>
> I am rewriting the pfsense NUT package to work with multiple UPSs.
> Everything is working, except deleting UPSs. I am using pkg.php and the
>  XML tag to create the list of UPSs. What I really
> need is for a PHP function to run when the remove button is clicked (one of
> my functions defined in nut.inc.)
>
> Is there a way to call a function (like the custom_php functions) on delete?
> Am I going to be better off rewriting nut.xml as a /web file?
>
> Thank you,
> Grant Joy
> A-1 Networks
>
Send the code to have an answer; otherwise nobody can help you.




-- 
Ermal




Re: [pfSense Support] pfsense 2.0 BETA5 Can't get PPPoE working!

2011-01-13 Thread Ermal Luçi
On Thu, Jan 13, 2011 at 2:07 AM, Maik Heinelt  wrote:
> On 2011/01/13 9:20, Chris Buechler wrote:
>>
>> On Wed, Jan 12, 2011 at 1:43 PM, Charles N Wyble
>>   wrote:
>>>
>>> Same here. No PPPOE support.
>>>
>> It works fine for the vast majority, there are some edge cases that
>> don't work and we don't know why yet at this point. Send logs, "it
>> doesn't work" isn't helpful.
>>
>>
> Well, if I can help
> We have a PPPoE line for developing & tests.
> I could set up a pfsense 2.0 Beta5 box and give you SSH login to it.
> Then you, or another pfSense developer, can debug it.
>
> I just would like to get it working!
>
> How about that idea?
>
> Maik
>

That can be helpful too.
Please provide the setup and details to me privately so I can have a look.




-- 
Ermal




Re: [pfSense Support] CARP support broken in kernel?

2010-12-10 Thread Ermal Luçi
Can you please try this change:
diff --git a/etc/rc.filter_synchronize b/etc/rc.filter_synchronize
index 0a8316b..7bece74 100755
--- a/etc/rc.filter_synchronize
+++ b/etc/rc.filter_synchronize
@@ -66,7 +66,7 @@ function backup_vip_config_section() {
}
if($section['advbase'] <> "") {
$section_val = intval($section['advbase']);
-   $section_val=$section_val+1;
+   $section_val=$section_val;
if($section_val > 255)
$section_val = 255;
$section['advbase'] = $section_val;
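Review bot: the replacement line `$section_val=$section_val;` is a self-assignment that does nothing, so the hunk should delete the `+1` line outright rather than keep a no-op; the intent (stop bumping advbase by one when backup_vip_config_section() syncs the VIP config to the other node) reads more clearly that way, and the `if($section_val > 255)` clamp that follows is still worth keeping for out-of-range input. A one-line commit message saying why the increment was there would help, since the two ifconfig dumps later in this thread show advbase 2 on one node and advbase 1 on the other.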


I would also like to see some statistics of your interfaces.

On Fri, Dec 10, 2010 at 7:38 PM,   wrote:
> Hello,
>
> It seems like this question should be addressed to the pfSense kernel
> maintainer(s).
>
> I have two firewalls on 2.0-BETA4 with CARP enabled. Until the recent upgrade
> everything worked almost perfectly.
> Now both routers have all CARP devices in MASTER state.
>
> Firewall 1:
> vip6: flags=49 metric 0 mtu 1500
>        inet 192.168.199.1 netmask 0xff00
>        carp: MASTER vhid 6 advbase 2 advskew 100
> vip10: flags=49 metric 0 mtu 1500
>        inet 192.168.0.51 netmask 0xff00
>        carp: MASTER vhid 10 advbase 2 advskew 100
> vip12: flags=49 metric 0 mtu 1500
>        inet 192.168.253.252 netmask 0xff00
>        carp: MASTER vhid 12 advbase 2 advskew 100
>
> #netstat -ssp carp
> carp:
>        92555 packets received (IPv4)
>                14 discarded for bad authentication
>                9 discarded for bad vhid
>        39869 packets sent (IPv4)
>
> Firewall 2:
> vip6: flags=49 metric 0 mtu 1500
>        inet 192.168.199.1 netmask 0xff00
>        carp: MASTER vhid 6 advbase 1 advskew 0
> vip10: flags=49 metric 0 mtu 1500
>        inet 192.168.0.51 netmask 0xff00
>        carp: MASTER vhid 10 advbase 1 advskew 0
> vip12: flags=49 metric 0 mtu 1500
>        inet 192.168.253.252 netmask 0xff00
>        carp: MASTER vhid 12 advbase 1 advskew 0
>
> #netstat -ssp carp
> carp:
>        39184 packets received (IPv4)
>                1 discarded for bad authentication
>                39074 discarded for bad vhid
>        93005 packets sent (IPv4)
>
> Here is a packet dump:
>
> #tcpdump -nvei re0_vlan5 not tcp and not udp
> tcpdump: listening on re0_vlan5, link-type EN10MB (Ethernet), capture size
> 96 bytes
> 20:28:26.227652 00:00:5e:00:01:0a > 01:00:5e:00:00:12, ethertype IPv4
> (0x0800), length 70: (tos 0x10, ttl 255, id 13532, offset 0, flags [DF],
> proto VRRP (112), length 56, bad cksum 0 (->a57a)!)
>    192.168.0.52 > 224.0.0.18: VRRPv2, Advertisement, vrid 10, prio 0,
> authtype #128, intvl 1s, length 36, addrs(7):
> 227.234.177.249,120.162.118.75,40.102.130.17,242.232.0.66,58.203.185.41,64.96.187.4,114.121.226.49
> 20:28:26.723778 00:00:5e:00:01:0a > 01:00:5e:00:00:12, ethertype IPv4
> (0x0800), length 70: (tos 0x10, ttl 255, id 13772, offset 0, flags [DF],
> proto VRRP (112), length 56)
>    192.168.0.53 > 224.0.0.18: VRRPv2, Advertisement, vrid 10, prio 100,
> authtype #128, intvl 2s, length 36, addrs(7):
> 227.234.177.249,120.162.117.92,228.194.169.203,197.128.149.181,204.97.168.247,234.48.188.234,14.68.23.250
> 20:28:27.223192 00:00:5e:00:01:0a > 01:00:5e:00:00:12, ethertype IPv4
> (0x0800), length 70: (tos 0x10, ttl 255, id 57411, offset 0, flags [DF],
> proto VRRP (112), length 56, bad cksum 0 (->fa12)!)
>    192.168.0.52 > 224.0.0.18: VRRPv2, Advertisement, vrid 10, prio 0,
> authtype #128, intvl 1s, length 36, addrs(7):
> 227.234.177.249,120.162.118.76,5.159.71.110,98.90.217.70,117.200.253.191,117.207.179.185,132.131.241.197
> 20:28:28.218741 00:00:5e:00:01:0a > 01:00:5e:00:00:12, ethertype IPv4
> (0x0800), length 70: (tos 0x10, ttl 255, id 26425, offset 0, flags [DF],
> proto VRRP (112), length 56, bad cksum 0 (->731d)!)
>    192.168.0.52 > 224.0.0.18: VRRPv2, Advertisement, vrid 10, prio 0,
> authtype #128, intvl 1s, length 36, addrs(7):
> 227.234.177.249,120.162.118.77,156.42.80.119,212.10.43.254,52.127.252.175,13.193.236.116,250.186.146.126
> 20:28:29.115843 00:00:5e:00:01:0a > 01:00:5e:00:00:12, ethertype IPv4
> (0x0800), length 70: (tos 0x10, ttl 255, id 17830, offset 0, flags [DF],
> proto VRRP (112), length 56)
>    192.168.0.53 > 224.0.0.18: VRRPv2, Advertisement, vrid 10, prio 100,
> authtype #128, intvl 2s, length 36, addrs(7):
> 227.234.177.249,120.162.117.93,134.208.204.108,14.90.209.13,71.169.61.99,222.84.234.186,206.168.118.252
> 20:28:29.214280 00:00:5e:00:01:0a > 01:00:5e:00:00:12, ethertype IPv4
> (0x0800), length 70: (tos 0x10, ttl 255, id 20580, offset 0, flags [DF],
> proto VRRP (112), length 56, bad cksum 0 (->89f2)!)
>    192.168.0.52 > 224.0.0.18: VRRPv2, Advertisement, vrid 10, prio 0,
> authtype #128, intvl 1s, length 36, addrs(7):
> 227.234.177.249,120.162.118.78,152.171.173.48,92.93.224.15,236.101.105.252,83.24.68.20,227.104.66.63
>
>
> Overall picture is the same as it was before t
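Two nodes both reporting MASTER for the same vhid, as in the dumps above, is the CARP split-brain symptom, and the `netstat -ssp carp` counters say why it persists: almost every advertisement Firewall 2 received was discarded for a bad vhid, and a discarded advertisement never takes part in the master election. The script below is an added example, not pfSense code, that parses `ifconfig` and `netstat -ssp carp` output collected from each node and flags dual-MASTER vhids, advbase mismatches between nodes, high rejection rates and any authentication failures. The sample text is constructed from the excerpts quoted in this thread, and the 50% rejection threshold is an assumption.

```python
"""Flag CARP split-brain and advertisement rejection from per-node output.

Added example, not pfSense code. The sample texts are constructed from the
ifconfig and `netstat -ssp carp` excerpts quoted in the thread, and the
BAD_VHID_RATIO threshold is an assumption.
"""
import re

# Constructed samples, abbreviated from the two firewalls in the post.
FW1_IFCONFIG = """\
vip6: flags=49 metric 0 mtu 1500
        inet 192.168.199.1 netmask 0xff00
        carp: MASTER vhid 6 advbase 2 advskew 100
vip10: flags=49 metric 0 mtu 1500
        inet 192.168.0.51 netmask 0xff00
        carp: MASTER vhid 10 advbase 2 advskew 100
vip12: flags=49 metric 0 mtu 1500
        inet 192.168.253.252 netmask 0xff00
        carp: MASTER vhid 12 advbase 2 advskew 100
"""
FW2_IFCONFIG = FW1_IFCONFIG.replace("advbase 2 advskew 100", "advbase 1 advskew 0")
FW1_NETSTAT = """\
carp:
        92555 packets received (IPv4)
                14 discarded for bad authentication
                9 discarded for bad vhid
        39869 packets sent (IPv4)
"""
FW2_NETSTAT = """\
carp:
        39184 packets received (IPv4)
                1 discarded for bad authentication
                39074 discarded for bad vhid
        93005 packets sent (IPv4)
"""

BAD_VHID_RATIO = 0.5  # assumption: rejecting more than half of received advertisements is abnormal

IFACE_LINE = re.compile(r"^(\S+):\s")
CARP_LINE = re.compile(r"carp:\s+(\w+)\s+vhid\s+(\d+)\s+advbase\s+(\d+)\s+advskew\s+(\d+)")
COUNTER_LINE = re.compile(r"^\s+(\d+)\s+(.+?)\s*$")


def parse_carp_ifconfig(text):
    """Return {vhid: {"iface", "state", "advbase", "advskew"}} from ifconfig output."""
    vips, iface = {}, None
    for line in text.splitlines():
        m = IFACE_LINE.match(line)
        if m:                      # an unindented "name:" line starts a new interface
            iface = m.group(1)
            continue
        m = CARP_LINE.search(line)
        if m:
            state, vhid, advbase, advskew = m.groups()
            vips[int(vhid)] = {"iface": iface, "state": state,
                               "advbase": int(advbase), "advskew": int(advskew)}
    return vips


def parse_carp_netstat(text):
    """Return {counter description: value} from `netstat -ssp carp` output."""
    return {m.group(2): int(m.group(1))
            for m in map(COUNTER_LINE.match, text.splitlines()) if m}


def carp_findings(nodes):
    """nodes: {name: (ifconfig_text, netstat_text)} -> list of (kind, subject, detail)."""
    findings = []
    vips = {name: parse_carp_ifconfig(ifc) for name, (ifc, _) in nodes.items()}
    for vhid in sorted(set().union(*(v.keys() for v in vips.values()))):
        # More than one MASTER for a vhid means the nodes are not hearing each other.
        masters = [n for n, v in vips.items() if v.get(vhid, {}).get("state") == "MASTER"]
        if len(masters) > 1:
            findings.append(("split-brain", vhid, f"MASTER on {', '.join(masters)}"))
        # advbase should agree across nodes; advskew is what sets the preference.
        bases = {n: v[vhid]["advbase"] for n, v in vips.items() if vhid in v}
        if len(set(bases.values())) > 1:
            findings.append(("advbase-mismatch", vhid, str(bases)))
    for name, (_, ns) in nodes.items():
        c = parse_carp_netstat(ns)
        received = c.get("packets received (IPv4)", 0)
        bad_vhid = c.get("discarded for bad vhid", 0)
        if received and bad_vhid / received > BAD_VHID_RATIO:
            findings.append(("bad-vhid", name, f"{bad_vhid}/{received} advertisements rejected"))
        bad_auth = c.get("discarded for bad authentication", 0)
        if bad_auth:
            findings.append(("bad-auth", name, f"{bad_auth} rejected for bad authentication"))
    return findings


if __name__ == "__main__":
    nodes = {"fw1": (FW1_IFCONFIG, FW1_NETSTAT), "fw2": (FW2_IFCONFIG, FW2_NETSTAT)}
    for kind, subject, detail in carp_findings(nodes):
        print(f"{kind:17} {subject!s:5} {detail}")
```

Run on the constructed pair it reports split-brain and an advbase mismatch on vhids 6, 10 and 12, a rejection rate above threshold on fw2, and bad-authentication discards on both nodes; on a real pair, feed it the two command outputs and treat any `split-brain` line as an outage, not a warning.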

Re: [pfSense Support] PPTP outbound to another non PF network

2010-11-16 Thread Ermal Luçi
Should be ok on new snapshots and the limitation mentioned in the wiki
should not apply anymore.
Confirming this would help.

-- 
Ermal


Re: [pfSense Support] Lots of processes

2010-11-09 Thread Ermal Luçi
On Tue, Nov 9, 2010 at 9:52 AM, Cyril Jaquier  wrote:
> Hi all,
>
> I noticed today that in the RRD graphs that the number of processes is
> increasing over the time. I have a lot of zombie processes still around:
>
> root     181  0.0  0.0     0     0  ??  ZN   12:35PM   0:01.99 
> root     258  0.0  0.0     0     0  ??  ZN   Fri03PM   0:01.01 
> root     259  0.0  0.0     0     0  ??  ZN   Fri03PM   0:01.00 
> root     378  0.0  0.0     0     0  ??  ZN   Sun08PM   0:01.10 
> root     588  0.0  0.0     0     0  ??  ZN   Sun09PM   0:02.06 
> root     763  0.0  0.0     0     0  ??  ZN   Fri03PM   0:01.24 
> root     778  0.0  0.0     0     0  ??  ZN    2:11PM   0:01.06 
> root     906  0.0  0.0     0     0  ??  ZN   Mon08AM   0:01.88 
> root    1392  0.0  0.0     0     0  ??  ZN   Sun09AM   0:01.79 
> root    1584  0.0  0.0     0     0  ??  ZN   Sat06PM   0:01.07 
> root    1608  0.0  0.0     0     0  ??  ZN   Fri04PM   0:00.78 
> root    1844  0.0  0.0     0     0  ??  ZN    1:09PM   0:00.78 
> root    2262  0.0  0.0     0     0  ??  ZN   Sun09PM   0:02.14 
> root    2354  0.0  0.0     0     0  ??  ZN   Fri04PM   0:01.06 
> root    2532  0.0  0.0     0     0  ??  ZN   Sun09PM   0:02.03 
> root    2704  0.0  0.0     0     0  ??  ZN   Sun10PM   0:02.02 
> root    2857  0.0  0.0     0     0  ??  ZN   Sat06PM   0:01.86 
> root    2997  0.0  0.0     0     0  ??  ZN   Sun10PM   0:02.02 
> root    3141  0.0  0.0     0     0  ??  ZN   Fri03PM   0:01.77 
> root    3777  0.0  0.0     0     0  ??  ZN   Sun08PM   0:01.49 
> root    3986  0.0  0.0     0     0  ??  ZN   Fri04PM   0:01.91 
> root    4046  0.0  0.0     0     0  ??  ZN   Sun08PM   0:02.44 
> root    4060  0.0  0.0     0     0  ??  ZN   Sat06PM   0:01.98 
> root    4087  0.0  0.0     0     0  ??  ZN   Sun10AM   0:01.79 
> root    4303  0.0  0.0     0     0  ??  ZN   Sun09PM   0:02.06 
> root    4638  0.0  0.0     0     0  ??  ZN   12:39PM   0:01.97 
> root    4875  0.0  0.0     0     0  ??  ZN   Sun09PM   0:02.13 
> root    4944  0.0  0.0     0     0  ??  ZN   Sun10AM   0:01.82 
> root    5624  0.0  0.0     0     0  ??  ZN   Sat06PM   0:01.86 
> root    5707  0.0  0.0     0     0  ??  ZN   Sat06PM   0:01.05 
> root    5880  0.0  0.0     0     0  ??  ZN    2:11PM   0:01.06 
> root    5899  0.0  0.0     0     0  ??  ZN   Sat03PM   0:01.96 
> root    6250  0.0  0.0     0     0  ??  ZN   12:37PM   0:01.99 
> root    6280  0.0  0.0     0     0  ??  ZN   Sat06PM   0:01.07 
> root    6797  0.0  0.0     0     0  ??  ZN   Fri03PM   0:02.09 
> root    7041  0.0  0.0     0     0  ??  ZN   Sat06PM   0:01.74 
> root    7420  0.0  0.0     0     0  ??  ZN   Sun11PM   0:02.06 
> root    7718  0.0  0.0     0     0  ??  ZN   Sun01PM   0:00.77 
> root    7789  0.0  0.0     0     0  ??  ZN   Sun01PM   0:01.02 
> root    7866  0.0  0.0     0     0  ??  ZN   Sat03PM   0:01.80 
> root    7888  0.0  0.0     0     0  ??  ZN   Mon08AM   0:01.95 
> root    7975  0.0  0.0     0     0  ??  ZN   Sat01PM   0:01.91 
> root    9161  0.0  0.0     0     0  ??  ZN   Fri03PM   0:01.84 
> root    9165  0.0  0.0     0     0  ??  ZN   Mon08AM   0:01.05 
> root    9261  0.0  0.0     0     0  ??  ZN   12:36PM   0:01.96 
> root    9810  0.0  0.0     0     0  ??  ZN   Sun09PM   0:02.06 
> root   10233  0.0  0.0     0     0  ??  ZN   Sat03PM   0:01.06 
> root   10590  0.0  0.0     0     0  ??  ZN   Fri03PM   0:01.32 
> root   10691  0.0  0.0     0     0  ??  ZN   Sun09PM   0:02.06 
> root   11163  0.0  0.0     0     0  ??  ZN   Fri03PM   0:01.34 
> root   11344  0.0  0.0     0     0  ??  ZN   Sat06PM   0:01.06 
> root   11413  0.0  0.0     0     0  ??  ZN   Sun10AM   0:01.79 
> root   11443  0.0  0.0     0     0  ??  ZN   Sun10PM   0:02.02 
> root   12087  0.0  0.0     0     0  ??  ZN   Mon08AM   0:01.07 
> root   12096  0.0  0.0     0     0  ??  ZN   Fri04PM   0:01.76 
> root   12100  0.0  0.0     0     0  ??  ZN   Sun09PM   0:02.05 
> root   12333  0.0  0.0     0     0  ??  ZN   Mon08AM   0:01.97 
> root   12753  0.0  0.0     0     0  ??  ZN   Fri04PM   0:01.05 
> root   12859  0.0  0.0     0     0  ??  ZN   Sun10AM   0:01.79 
> root   13094  0.0  0.0     0     0  ??  ZN   Sun10PM   0:02.02 
> root   13124  0.0  0.0     0     0  ??  ZN   Sun10AM   0:01.79 
> root   13244  0.0  0.0     0     0  ??  ZN   Fri04PM   0:01.68 
> root   13308  0.0  0.0     0     0  ??  ZN   Sat06PM   0:01.06 
> root   13462  0.0  0.0     0     0  ??  ZN   Sat03PM   0:02.03 
> root   13577  0.0  0.0     0     0  ??  ZN   Fri03PM   0:00.78 
> root   13798  0.0  0.0     0     0  ??  ZN   Sun08PM   0:01.08 
> root   14180  0.0  0.0     0     0  ??  ZN   Sat06PM   0:01.06 
> root   14304  0.0  0.0     0     0  ??  ZN   Sun10AM   0:01.79 
> root   14702  0.0  0.0     0     0  ??  ZN   Sun08PM   0:01.92 
> root   15001  0.0  0.0     0     0  ??  ZN   Fri03PM   0:01.34 
> root   15022  0.0  0.0     0     0  ??  ZN   Sun10PM   0:02.03 
> root   15301  0.0  0.0     0     0  ??  ZN   Sat06PM   0:01.05 
> root   15354  0.0  0.0     0 

Re: [pfSense Support] OpenVPN multi-wan in 2.0 - local port re-use?

2010-10-25 Thread Ermal Luçi
On Mon, Oct 25, 2010 at 6:31 AM, Chris Buechler  wrote:
> On Mon, Oct 25, 2010 at 12:00 AM, Adam Thompson  wrote:
>> Using 2.0 from a few days ago…
>>
>> In the OpenVPN setup, I can (must) choose which interface each OpenVPN
>> server is listening on.  I must also choose a local port number to bind to.
>>
>>
>>
>> If I’m binding a specific port to a specific interface, why can’t I reuse
>> the same port# on another interface?
>>
>> (I tried, the gui complains that the local port is already in use.  Which is
>> true, but – I think – shouldn’t matter if it’s bound to specific
>> interfaces.)
>>
>
> The management interface, which binds to 127.0.0.1, also uses that
> port, which can't be re-used. I'd rather work around that in a
> different fashion in the future, but that's rife with possibilities
> for introducing bugs, and it's not broken, so it's not going to change
> for 2.0.
>

This is not true. The management interface is a unix domain socket now.
And that is only a bug of the web interface!
I thought that Jim fixed that at some point.




-- 
Ermal




Re: [pfSense Support] WAN reply-to under 2.0?

2010-10-19 Thread Ermal Luçi
On Tue, Oct 19, 2010 at 9:28 PM, Adam Thompson  wrote:
> Repeat of the earlier problem under 1.x, I remember Chris saying this
> would be do-able under 2.0 but it still doesn't work for me.  Most
> likely I've forgotten the magic trick required... or I just don't
> understand how WAN reply-to has to be configured under 2.0.
>
> (FYI, Chris' original reply was under the subject "Re: 1:1 multi-homed
> NAT broken?" at 19:10 July 14 2010.)
>
> To recap the scenario:
>
> SBS (yeah, three guesses...)  sits on em0 at 192.168.232.201.
> em2 is outbound to MRNet, BGP feed with ~13K routes (*not* including
> 0.0.0.0/0).
> em3 is outbound to TeraGo, default route.
>
> CARP VIP configured on em3 for 67.226.137.178.
> 1:1 NAT configured to map 192.168.232.201 to 67.226.137.178.
> Firewall rule allowing inbound TCP port 25 to 192.168.232.201.
>
> Inbound mail works for any sender NOT reachable via em2 but breaks for
> any senders reachable via em2.
>
> Example:
> Remote host "R" (130.179.31.46) trying to send me mail.  Attempts TCP
> connection to port 25 @ 67.226.137.178.
> Pfsense receives packet, translates to 192.168.232.201, forwards to SBS.
> SBS replies to packet, so far so good.
> Pfsense receives reply packet and sends it out em2 with the 1:1 NAT
> address, which promptly gets blackholed by the next-hop router.
>
> I've tried adding a policy rule (first rule on em0) that applies to TCP
> packets from SBS with a source port of 25, forcing the packet out via
> TeragoGW (i.e. via em3), but that doesn't work - I suspect because PF is
> already treating this as an "established" connection.
>
> Then I tried adding a Gateway to the original allow-inbound-smtp rule,
> which produced an error message:
> [[
> There were error(s) loading the rules: /tmp/rules.debug:170: direction
> must be explicit with rules that specify routing pfctl: Syntax error in
> config file: pf rules not loaded - The line in question reads [170]:
> pass  $GWTeraGOGW  proto tcp  from any to   $SBS port 25  flags S/SA
> keep state  label "USER_RULE: inbound SMTP to Exchange"
> ]]
>
> I've been experimenting with various combinations of in/out and gateway
> settings, but all I've succeeded in doing so far is breaking ALL smtp
> connections...
>
> Can anyone explain how I use this new feature in 2.0?
>
There is nothing more to do regarding configuration; just
wait for a snapshot build to finish and upgrade to it.

I fixed it just today, because it had some small issue remaining.
That new snapshot should work with your setup without glitches.

> Thanks,
> -Adam Thompson
> athom...@c3a.ca
> (204) 291-7950



-- 
Ermal




Re: [pfSense Support] BGP

2010-09-18 Thread Ermal Luçi
On Sat, Sep 18, 2010 at 12:12 PM, Aarno Aukia  wrote:
> Hello topher,
>
> On Fri, Sep 17, 2010 at 21:49, Chris Flugstad  wrote:
>> I am trying to BGP our core router with our 2 providers and they are asking
>> me if i want a Full Internet routing table, a partial routing table, or just
>> a default route
>>
>> any help?
>>
>> I'm looking at just redundancy and load balancing, but 1 provider is our
>> main connection, the 2nd is for backup or when the 1st is bogged down.
>
> We had full tables on pfsense for almost 2 years, but have now moved
> on to custom openbsd routers for that. Since you only want to use the
Any reason you switched to OpenBSD?

> second provider as fail-over I'd recommend getting default routes only
> and local-pref:ing the first over the second.
>
> Regards,
> Aarno
> --
> Aarno Aukia
> Atrila GmbH
> Switzerland



-- 
Ermal




Re: [pfSense Support] BGP MD5 weird behavior when connection closes

2010-02-05 Thread Ermal Luçi
On Fri, Feb 5, 2010 at 11:22 PM, Evgeny Yurchenko wrote:

> I think it is more FreeBSD's problem than pfSense's but decided anyway to
> post it here as somebody might run into the same issue.
> When we use MD5 TCP signing with OpenBGP package TCP connection termination
> does not go properly which results in BGP password errors on remote cisco
> side and thus problems with reestablishing connection/routing.
>
> So, the normal TCP connection teardown procedure:
> ---FIN--->
> <---ACK---
> <---FIN---
> ---ACK--->
> All these TCP packets must be MD5 signed (correct me if I am wrong). The
> problem is: when pfSense initiates connection termination (you want to clear
> BGP session) the last ACK is not MD5 signed. It makes cisco keep this
> connection active for some time sending FINs as it attempts to close the
> connection.
> If somebody has a clue how to fix this I would be very grateful for
> solution.
>

Try disabling selective ACKs.
It should be net.inet.tcp.sack.enable=0.


> Thanks.
>
> Evgeny.


-- 
Ermal
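RFC 2385 signs every segment of a protected TCP session with an MD5 over the IP pseudo-header, the option-less TCP header with its checksum zeroed, the segment data and the shared key, and carries the digest as TCP option kind 19. The block below is an added example, not pfSense, FreeBSD or OpenBGPD code: it builds signed segments, validates them the way a strict peer does (a segment with no valid option on a signed session is rejected), and replays the FIN/ACK close from the post with the final ACK left unsigned so the rejection the poster saw on the Cisco side is visible. Addresses, ports, sequence numbers and the key are constructed, and the TCP checksum field is left at zero because it is not part of the signed bytes and nothing here touches the wire.

```python
"""RFC 2385 TCP MD5 signature option: sign segments and validate them on receipt.

Added example, not pfSense, FreeBSD or OpenBGPD code. Addresses, ports,
sequence numbers and the key are constructed; the TCP checksum field is left
zero because it is not part of the signed bytes and nothing is transmitted.
"""
import hashlib
import hmac
import socket
import struct

TCP_MD5_KIND = 19          # option kind assigned by RFC 2385
TCP_MD5_LEN = 18           # kind + length + 16-byte digest
NOP = b"\x01"              # option kind 1, used to pad the option list to 4 bytes
FIN, ACK = 0x01, 0x10


def tcp_md5_digest(src_ip, dst_ip, fixed_header, seg_len, payload, key):
    """MD5 over: pseudo-header, option-less header with checksum zeroed, data, key."""
    hdr = bytearray(fixed_header[:20])
    hdr[16:18] = b"\x00\x00"                      # checksum is assumed zero
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, seg_len))
    return hashlib.md5(pseudo + bytes(hdr) + payload + key).digest()


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b"", key=None):
    """Build a TCP segment; when key is given, carry a valid MD5 option padded with NOPs."""
    opt_len = TCP_MD5_LEN + 2 if key is not None else 0   # 18 + two NOPs = 20 bytes
    data_off = (20 + opt_len) // 4
    fixed = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_off << 4, flags, 65535, 0, 0)
    if key is None:
        return fixed + payload
    digest = tcp_md5_digest(src_ip, dst_ip, fixed, 20 + opt_len + len(payload), payload, key)
    return fixed + bytes([TCP_MD5_KIND, TCP_MD5_LEN]) + digest + NOP * 2 + payload


def find_md5_option(segment):
    """Walk the option list and return the carried digest, or None if there is none."""
    end = (segment[12] >> 4) * 4
    i = 20
    while i < end:
        kind = segment[i]
        if kind == 0:                       # end of option list
            break
        if kind == 1:                       # NOP
            i += 1
            continue
        if i + 1 >= end:
            break                           # truncated option
        length = segment[i + 1]
        if length < 2 or i + length > end:
            break                           # malformed length: stop rather than over-read
        if kind == TCP_MD5_KIND and length == TCP_MD5_LEN:
            return bytes(segment[i + 2:i + length])
        i += length
    return None


def verify_segment(src_ip, dst_ip, segment, key):
    """Accept only segments whose MD5 option matches; unsigned segments are rejected."""
    carried = find_md5_option(segment)
    if carried is None:
        return False
    payload = segment[(segment[12] >> 4) * 4:]
    expected = tcp_md5_digest(src_ip, dst_ip, segment, len(segment), payload, key)
    return hmac.compare_digest(carried, expected)   # constant-time comparison


def teardown_exchange(key=b"bgp-secret"):
    """FIN/ACK/FIN/ACK close as in the post; the last ACK is left unsigned on purpose."""
    a, b = "192.0.2.1", "192.0.2.2"                # constructed peer addresses
    segs = [
        ("a->b FIN", a, b, build_segment(a, b, 179, 49152, 1000, 2000, FIN | ACK, key=key)),
        ("b->a ACK", b, a, build_segment(b, a, 49152, 179, 2000, 1001, ACK, key=key)),
        ("b->a FIN", b, a, build_segment(b, a, 49152, 179, 2000, 1001, FIN | ACK, key=key)),
        ("a->b ACK", a, b, build_segment(a, b, 179, 49152, 1001, 2001, ACK)),   # unsigned
    ]
    return [(name, verify_segment(s, d, seg, key)) for name, s, d, seg in segs]


if __name__ == "__main__":
    for name, ok in teardown_exchange():
        print(f"{name}: {'accepted' if ok else 'REJECTED (no valid MD5 option)'}")
```

The validator rejects a segment that carries no option at all, not just one with a wrong digest, which is the behaviour the post describes: the unsigned final ACK is discarded, the peer never sees its FIN acknowledged, and it keeps retransmitting the FIN until the session times out.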


Re: [pfSense Support] OpenBGPd package on 1.2.3-release

2010-02-01 Thread Ermal Luçi
On Fri, Jan 29, 2010 at 5:03 PM, Aarno Aukia  wrote:

> Hello,
>
> On Fri, Jan 29, 2010 at 00:06, Scott Ullrich  wrote:
> > On Thu, Jan 28, 2010 at 10:57 AM, Aarno Aukia 
> wrote:
> >> bgpd is started twice when booting on 1.2.3-release with the newest
> >> package. I suspect once from /usr/local/pkg/openbgpd.inc and once from
> >> /usr/local/etc/rc.d/bgpd.sh ? When commenting out the exec("bgpd") in
> >> /usr/local/pkg/openbgpd.inc it is only started once. Should the check
> >> is_openbgpd_running() also be added to /usr/local/etc/rc.d/bgpd.sh or
> >> is there a more favorable way ?
> >
> > Sounds reasonable.
>
> That would be:
> $ diff -urNp openbgpd.inc.old openbgpd.inc
> --- openbgpd.inc.old2010-01-29 16:53:08.0 +0100
> +++ openbgpd.inc2010-01-29 17:00:55.0 +0100
> @@ -153,7 +153,11 @@ function openbgpd_install_conf() {
>$fd = fopen("/usr/local/etc/rc.d/bgpd.sh","w");
>fwrite($fd, "#!/bin/sh\n\n");
>fwrite($fd, "# This file was created by the pfSense package manager.
>  Do not edit!\n\n");
> -   fwrite($fd, "/usr/local/sbin/bgpd -f /usr/local/etc/bgpd.conf\n");
> +   fwrite($fd, "NUMBGPD=`ps auxw | grep bgpd | grep parent | grep -v
> grep | wc -l | awk '{print \$1}'`\n");
> +   fwrite($fd, "#echo \$NUMBGPD\n");
> +   fwrite($fd, "if [ \$NUMBGPD -lt 0 ] ; then\n");
> +   fwrite($fd, "  /usr/local/sbin/bgpd -f
> /usr/local/etc/bgpd.conf\n");
> +   fwrite($fd, "fi\n");
>fclose($fd);
>exec("chmod a+rx /usr/local/etc/rc.d/bgpd.sh");
>exec("chmod a-rw /usr/local/etc/bgpd.conf");
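Review bot: the guard `if [ \$NUMBGPD -lt 0 ]` can never be true, since a `wc -l` count is never negative, so with this change the rc script would never start bgpd at all; it should test `-eq 0`. The `ps auxw | grep bgpd | grep parent | grep -v grep` pipeline is also brittle (any command line containing both words matches) and a pidfile or `pgrep` check would be safer; the leftover `#echo \$NUMBGPD` debug line should go, and the already-running case needs an `else` branch that reloads the configuration (`bgpctl reload`) rather than exiting silently.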
>
>
This is missing a bgpctl reload in an else?!



> Thanks for committing,
> Aarno
> --
> Aarno Aukia
> Atrila GmbH
> Switzerland


-- 
Ermal


Re: [pfSense Support] 1.2.3-RC3 PPPoE

2009-12-09 Thread Ermal Luçi
On Wed, Dec 9, 2009 at 3:01 PM, RB  wrote:

> On Wed, Dec 9, 2009 at 01:34, Ermal Luçi  wrote:
> > Please provide logs of mpd and explain more what you are trying to do and
> > how you are trying to achieve it!
>
> What I'm trying to achieve is awfully simple - with a fresh install of
> 1.2.3-RC3, I'm plugging a dumb Speedport ADSL modem in to one ethernet
> port (fxp1) and a switch into the other (fxp0).  After configuring
> pfSense with the right PPPoE credentials and _nothing else_, the WAN
> interface comes up with a valid IP from my ISP and proper-looking MPD
> logs (I'm running it from the CLI to be certain).  However, pinging my
> next hop or issuing requests to the outside DNS servers results in
> outbound traffic with no returns (monitoring with "tcpdump -s0 -vni "
> on fxp1 and ng0).  With 1.2.3-RC1, traffic flows smoothly.
>
> I don't have logs with me because the system is down, inaccessible due to
> this.
>
>
Sorry, but without any logging other suggestions would be a jump in a crystal
ball.


-- 
Ermal


Re: [pfSense Support] a pfSense/radius/paypal captive portal solution

2009-12-09 Thread Ermal Luçi
I did not understand your question thoroughly, but if you are asking about
integrating CP with PayPal I think only sponsored work will
achieve this.

On Wed, Dec 9, 2009 at 12:40 PM, Christoph Fahle wrote:

> My dearest PF Sense Support Mailinglist,
>
> I have some things I want to achieve with the help of PF Sense and I am not
> quite sure if this a) make sense and b) is possible with our technical set
> up. Nevertheless I am also looking for somebody that could help us with
> further developing a package for pf sense and open sourcing it, if that
> would help our needs. But anyway, let's get started:
>
> We run a coworking space in Berlin (www.betahaus.de) which hosts around
> 120 coworkers and is running on a pfSense 1.2.2 as the heart of the Wifi
> and LAN infrastructure. We basically only have Wifi APs from Linksys (WRT
> 54 GL) running on OpenWRT. Our users book their plan (weekly, monthly or
> part time desks) via PayPal subscription or by hand (they just pay cash).
>
> To ease up usermanagement and billing issues, we would love to have the
> following features:
>
>
>- a captive portal solution that prompts you to either authenticate or
>sign up for a monthly plan on PayPal or similar if you open your laptop and
>connect to the WLAN.
>- an API that hands over IDs of users that are logged on, e.g. are
>situated inside the coworking space, so that you can check out who is
>present (of course only if they agreed earlier!)
>- an API that hands over some activity data to play around with on our
>external website (e.g. total users online, location of users inside the
>building/access point wise, downstream, upstream, anonymous voip traffic,
>whatever makes sense)
>
> With my limited knowledge it seems that for the first bullet point
> we just need to make a radius server check with PayPal if the user has paid
> his plan and at what schedule he is allowed to work at our coworking space.
> The rest is done by the captive portal function of pfSense, I guess. But
> still I am not an expert and maybe there are smarter ways to conduct what I
> have in mind.
>
> I would be very glad to get some hints into the right direction and would
> be happy if we could get closer to a good solution.
>
> If you happen to be in Berlin anyway, just pass by betahaus at Moritzplatz to
> have a chat about it. We are open all day and serve good coffee... ;)
>
> Cheers
>
> Christoph
>
>
>
>
>
>


-- 
Ermal


Re: [pfSense Support] 1.2.3-RC3 PPPoE

2009-12-09 Thread Ermal Luçi
On Wed, Dec 9, 2009 at 8:58 AM, RB  wrote:

> I've been fighting a losing battle with an update from 1.2.3-RC1 to
> 1.2.3-RC3 and am at the end of my options.  This also exhibits in the
> 2.0-ALPHA-ALPHA 8.0-based snapshot I grabbed two days ago.
>
> With both an upgrade and a fresh install, when I configure a simple
> LAN + PPPoE WAN, the WAN negotiates and comes up with an appropriate
> address, but does not get return traffic.  I'm able to see outbound
> traffic on both the physical interface and the generated ng0
> interface, but nothing returns.  Last time I ran into something like
> this it was the tcpmssfix/ng_tcpmss.ko stuff
> (http://forum.pfsense.org/index.php/topic,17644.0.html).  Although not
> precisely the same (mpd isn't dying), I saw the same thing then -
> packets pass outbound but the returns get dropped somewhere.
>
> Suggestions?  A fresh 1.2.3-RC1 install does not exhibit this behavior.
>
Please provide logs of mpd and explain more what you are trying to do and
how you are trying to achieve it!


-- 
Ermal


Re: [pfSense Support] pfSense and tables?

2009-12-04 Thread Ermal Luçi
On Fri, Dec 4, 2009 at 1:24 PM, J.D. Bronson  wrote:
> Since I came from a 'pf' environment, I had used tables
> to list piles of IPs (CIDRs) that were known spammers and the like.
> Mostly APIC...
>
> Is there any way to setup a table within pfSense?
>
> I would like to be able to upload (or ssh into and create) a table
> and then have pfSense use it for BLOCK purposes.
>
> Thanks!
pfSense has 3 tables already set up to be used for blocking.




The last one is evaluated first in all versions of pfSense.

While the others evaluate first on the upcoming 2.0 version.
On 2.0, aliases are tables, while I cannot recall if this is the same on 1.2.3.

But you should be fine by just adding to the tables mentioned above.


-- 
Ermal




Re: [pfSense Support] download quota

2009-11-24 Thread Ermal Luçi
It should be possible in 2.0 through radius.

On Tue, Nov 24, 2009 at 2:21 PM, ozan ucar  wrote:
> Ohh sorry,
> I misunderstood ;-)
> Pete Boyd yazmış:
>>
>> > Is it possible to set a download quota per captive portal user, or per
>> > IP address, or something, using pfSense 1.2 or 2.0?
>>
>> > For example 20GB total download per month, or until the captive portal
>> > account expires.
>>
>> ozan ucar wrote:
>>>
>>> Install the Fit123 package, go to Status > Fit123 page > click "Captive
>>> Portal Add-On" and the save button.
>>> Then go to the Captive Portal page and set the "per-user bandwidth
>>> restriction" setting, see attached image.
>>
>> Thank you for your explanation, but what I'm looking for is a download total
>> limit (in gigabytes) rather than a bandwidth limit (in kb/s).
>>
>>
>>
>>
>>
>
>
>
>
>



-- 
Ermal




Re: [pfSense Support] lagg (lacp) support 1.2

2009-11-13 Thread Ermal Luçi
I would be interested in bringing support for it to 1.2, since I wrote the
support for bonding in 2.0.
Be aware that it will not be committed to the 1.2 repo; it will be a private
addition to your install.

What is your budget on this, and we can come to an agreement.

On Fri, Nov 13, 2009 at 12:08 AM, Leon Strong  wrote:

>  Hi Team,
>
> I'm at a point here that I'm going to be needing to do some port level
> aggregation due to bandwidth/sub-netting requirements. Currently, it seems
> that the only way to do this reliably in a semi-supportable way would be to
> do "bonding/teaming/lacp" on a linux/bsd box and to virtualise pfSense,
> which I'm not terribly keen on.
>
> What's the possibility of getting bonding into 1.2 - how much work would it
> be, and would there be anyone interested in doing this for a bounty?
>
> Cheers,
>
> Leon.
> --
>
> *Leon Strong *| Technical Engineer
> *DDI:* +64 9 950 2203 *Fax:* +64 9 302 0518
> *Mobile:* +64 21 0202 8870 *Freephone:* 0800 SMX SMX (769 769)
> Level 15, 19 Victoria Street, Auckland, New Zealand | SMX Ltd | smx.co.nz
> [image: SMX | Business Email Specialists]
> The information contained in this email and any attachments is
> confidential. If you are not
> the intended recipient then you must not use, disseminate, distribute or
> copy any information
> contained in this email or any attachments. If you have received this email
> in error or you
> are not the originally intended recipient please contact SMX immediately
> and destroy this email.
>  This email has been scrubbed for your protection by SMX. For more
> information visit smx.co.nz 
>



-- 
Ermal


Re: [pfSense Support] Login with email address + curl don't work in local

2009-10-20 Thread Ermal Luçi
On Tue, Oct 20, 2009 at 10:31 AM, Philippe  wrote:
> This message is the same as:
> http://forum.pfsense.org/index.php/topic,19926.0.html
>
> Hi pfSense users!
>
> I'm new to pfSense and want to customize the captive portal. I want it to do
> a simple thing: users on the LAN are redirected to the captive portal, which
> asks them for their email address. If the address is valid, they are
> logged in; otherwise a message warns them of an invalid email address.
>
> I created login.php, a simple form which auto-posts $PORTAL_REDIRURL$ and
> $PORTAL_ACTION$ (they are not replaced in another php-only page).
>
> It seems that I cannot execute a php script of more than ~200 bytes in
> login.php: the start of it is interpreted, and after a certain point,
> the script content is output as-is in the html source. That's why I split
> the code into 2 php files:
>
> 
>    value="$PORTAL_REDIRURL$">
>
>    value="$PORTAL_ACTION$">
>   
> 
>
> 
>   login_form.submit();
>
> 
>
>
> I want the second file, captiveportal-login.php to ask for the email
> address, and connect as a defined user (ie: guest). I think the better way
> to do this is that the script itself check email address and post to
> $PORTAL_ACTION$.
>
> Here is the simplified code of captiveportal-login.php:
>
> <?php
> if (!isset($_POST["email"]))
> {
>   showLoginForm($portal_action, $portal_redirurl);
>   die();
> }
>
> // Got a mail address
> $email = trim($_POST["email"]);
>
> // If the email is invalid, show a failure message
> if (!validEmail($email))
> {
>   showLoginForm($portal_action, $portal_redirurl, 'The mail you entered is invalid!');
>   die();
> }
>
> // Got a valid email, post user and password to the portal login form
> //*
> echo "server respond: " . Post($portal_action, "auth_user=guest&auth_pass=passw0rd&redirurl=$portal_redirurl&accept=Continue");
> //**
>
> /**
> Validate an email address.
> Provide email address (raw input)
> Returns true if the email address has the email
> address format and the domain exists.
> */
> function validEmail($email)
> {
> [... check email and set result in $isValid]
>    return $isValid;
> }
>
> /**
>  * Shows the login form
>  */
> function showLoginForm($portal_action, $portal_redirurl, $message = "")
> {
> echo '
>   Login
>
>   Please enter your email address to log-in to the portal.
>   ' .  $message . '
>
>   Email address:
>
>   ';
> }
>
> /**
>  * POST content to a page
>  */
> function Post($url, $post)
> {
>   $ch = curl_init($url);
>   curl_setopt ($ch, CURLOPT_POST, 1);
>   curl_setopt ($ch, CURLOPT_POSTFIELDS, $post);
>   // Return the response as a string; without this curl_exec() prints the
>   // body itself and returns true, so the echo above would only show "1"
>   curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
>   $result = curl_exec ($ch);
>   curl_close ($ch);
>   return $result;
> }
> ?>
>
> My problem comes from the Post function: I tried curl, fopen, readfile,
> exec(curl)... It can post to and get the response from an external page, but
> when I try getting $PORTAL_ACTION$ (for me http://1.2.3.4:8000) I get an
> error saying that the destination is unreachable, or a timeout, or simply
> nothing (whereas exec('ls') shows me a result).
>
> Do you think this code is the best way to do email authentication?
> Do you know why curl sucks so much locally?
>
> Thanks for your help !
>

Please do not double post in the forums and here.
There is no 'easy help' you can get for custom modifications.

I would suggest you open a bounty for such things or use
the pfSense customer support for finding a solution.

-- 
Ermal
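The two pieces of Philippe's page that a practitioner would want to get right are the input check and the HTTP helper, so here is an added example of both. It is not code from the post and not pfSense's own code. It assumes a fixed portal URL (the http://1.2.3.4:8000 value quoted in the post, held in a PORTAL_ACTION_URL constant), guest credentials read from a file outside the web root (GUEST_CREDS_FILE is a placeholder path), the function names valid_email and post_form, and a hidden field named redirurl posted by login.php; none of these names come from the original. Reading the credentials from a file matters here because the post reports that part of the page's PHP is being output as-is into the HTML source, and a hardcoded auth_pass in that page would then be readable by every client.

```php
<?php
// Added example for the thread above; not Philippe's code and not part of
// pfSense. Shows strict address validation and a POST helper that reports
// why a request failed instead of returning true/false.

const PORTAL_ACTION_URL = 'http://1.2.3.4:8000/';            // value quoted in the post
const GUEST_CREDS_FILE  = '/path/outside/webroot/guest.ini'; // placeholder path (assumption)

/**
 * True when $email is syntactically valid and, if requested, its domain
 * resolves. filter_var() does the syntax check; the DNS lookup is optional
 * so the check still works on a box without resolver access.
 */
function valid_email(string $email, bool $check_dns = true): bool
{
    $email = trim($email);
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    if (!$check_dns) {
        return true;
    }
    $domain = substr($email, strrpos($email, '@') + 1);
    return checkdnsrr($domain, 'MX') || checkdnsrr($domain, 'A');
}

/**
 * POST $fields to $url and return an array describing the outcome.
 * CURLOPT_RETURNTRANSFER is the option the original Post() lacked: without
 * it curl_exec() prints the body and returns true, so "server respond: 1"
 * is all the caller ever sees. The curl error string is kept because it is
 * what tells "unreachable" apart from "timed out" apart from "refused".
 */
function post_form(string $url, array $fields, int $timeout = 5): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields), // URL-encodes every value
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_CONNECTTIMEOUT => $timeout,
        CURLOPT_TIMEOUT        => $timeout,
        CURLOPT_FOLLOWLOCATION => false, // keep the portal's redirect visible
    ]);
    $body = curl_exec($ch);
    $out = [
        'ok'     => $body !== false,
        'status' => (int) curl_getinfo($ch, CURLINFO_HTTP_CODE),
        'error'  => $body === false ? curl_error($ch) : '',
        'body'   => $body === false ? '' : $body,
    ];
    curl_close($ch);
    return $out;
}

// --- request handling, as a captiveportal-login.php could do it ---

$email    = $_POST['email'] ?? '';
$redirurl = $_POST['redirurl'] ?? ''; // field name is an assumption

// Credentials come from a file outside the web root, never from the page.
$creds = parse_ini_file(GUEST_CREDS_FILE);
if ($creds === false || !isset($creds['user'], $creds['pass'])) {
    http_response_code(500);
    exit('portal not configured');
}

if (!valid_email($email)) {
    http_response_code(400);
    exit('The mail you entered is invalid!');
}

// Only ever POST to the portal this page is configured for; posting to a
// URL taken from the request would let a client make the firewall send the
// guest credentials anywhere.
$r = post_form(PORTAL_ACTION_URL, [
    'auth_user' => $creds['user'],
    'auth_pass' => $creds['pass'],
    'redirurl'  => $redirurl,
    'accept'    => 'Continue',
]);

if (!$r['ok']) {
    // This line is what answers "why does curl fail locally".
    error_log('portal post failed: ' . $r['error']);
    http_response_code(502);
    exit('portal unreachable');
}
echo 'portal answered HTTP ' . $r['status'];
```

One thing the helper does not change: a POST made by this script originates on the firewall itself, not in the user's browser, so before relying on this design check which client address the portal records for such a request.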




Re: [pfSense Support] CARP with captive portal

2009-10-19 Thread Ermal Luçi
On Fri, Oct 16, 2009 at 6:21 PM, Roberto Greiner  wrote:
> Hi,
>
> I'm having trouble making captive portal and CARP work together.
>
> I've set CARP to use the WAN interface for synchronization, and it works
> fine.
>
> Problem is, the moment I enable Captive Portal, the LAN Virtual IP dies out
> (stops pinging), and the whole setup stops working. I've tried adding the
> LAN MAC address of the stations on the "Pass-through MAC" page (added MAC
> address of both servers), but it didn't work. Also tried the same for IP.
> The moment I disable captive portal, CARP immediately works again.
>
> Any ideas of what I should do to make Captive Portal and CARP work together?
Without modification NO.

Please open a bug report on redmine.pfsense.org so I can fix this
for 2.0. Do not forget to assign it to me.

>
> Tks,
>
> Roberto Greiner
>
>
> --
>  -
>               Marcos Roberto Greiner
>
>  Os otimistas acham que estamos no melhor dos mundos
>   Os pessimistas tem medo de que isto seja verdade
>                                 James Branch Cabell
>  -
>
>
>
>



-- 
Ermal




Re: [pfSense Support] One check-box is missing in Rules-Edit-Advanced of 1.2.3-RC3 snapshot

2009-10-01 Thread Ermal Luçi
On Wed, Sep 30, 2009 at 11:48 PM, Evgeny Yurchenko  wrote:
> Scott Ullrich wrote:
>>
>> On Wed, Sep 30, 2009 at 5:27 PM, Evgeny Yurchenko 
>> wrote:
>>
>>>
>>> Well, I am sorry for confusion... but could you please confirm that this
>>> is
>>> from 2.0 filter.inc, starting at line 1961:
>>>                      if ($type == "pass") {
>>>                              if (isset($rule['allowopts']))
>>>                                      $aline['allowopts'] = " allow-opts ";
>>>                              if( isset($rule['source-track']) or isset($rule['max-src-nodes']) or isset($rule['max-src-states']) )
>>>                                      if($rule['protocol'] == "tcp")
>>>                                              $aline['flags'] = "flags S/SA ";
>>>
>>
>> No, I see:
>>
>>                                $cron_item = array();
>>
>>
>>>
>>> PS: I must stop playing with pfSense -(((
>>>
>>
>> Why do you say that?
>>
>> Scott
>>
>
> Because it would be stupid to copy at least two files filter.inc and
> firewall_rules_edit.php from 2.0 to 1.2.2. And I do not recall I modified

Good luck in doing this!

> this part of these files on any of my test boxes, but I do remember I was
> happy when I discovered this check-box... Now I am not sure on which version
> I discovered it first... Mystery...
> firewall_rules_edit.php on my 1.2.2 box is 35773 bytes in size.  On 2.0 it
> is 49332. Ok, may be I am too tired today. Just note for myself: this
> check-box is available starting from 2.0.
>
> Thanks anyway and sorry for this mess.
> Evgeny.
>
>
>
>



-- 
Ermal




Re: [pfSense Support] FTP in a Multi-WAN setup

2009-09-30 Thread Ermal Luçi
On Wed, Sep 30, 2009 at 1:57 PM, Chris Bagnall  wrote:
> Greetings list,
>
> We have a number of pfSense boxes out there, usually with two ADSL 
> connections into each. When we first started down the multi-WAN route, there 
> was an issue with FTP, to which someone had rather helpfully posted a 
> workaround on the forum: insert a rule on the LAN interface as follows:
> TCP      LAN net         *       127.0.0.1       *       *
>
> This works around the issue perfectly, provided the following are true:
> a) the client trying to access a remote FTP server is on the LAN interface
> b) the first WAN interface is up
>
> it does not work on any other interfaces apart from the first LAN interface 
> (even with a similar rule on that interface as follows):
> TCP      OPT1 net        *       127.0.0.1       *       *
>
> Nor does it work if WAN1 is down for whatever reason.
>
> So, a couple of questions for other multi-WAN users if I may:
> 1) is this workaround still necessary in more recent versions of pfSense 
> (>=1.2.3)?
Only 2.0 can help you with this.

> 2) if so, is there any way to work around the two limitations above?
>
> Thanks in advance!
>
> Regards,
>
> Chris
> --
> For full contact details visit http://www.minotaur.it
> This email is made from 100% recycled electrons
>
>
>
>
>



-- 
Ermal




Re: [pfSense Support] Crazy Session State requirement

2009-09-18 Thread Ermal Luçi
On Fri, Sep 18, 2009 at 11:00 PM, Nathan Eisenberg
 wrote:
>> -Original Message-
>> From: Ermal Luçi [mailto:ermal.l...@gmail.com]
>> Sent: Friday, September 18, 2009 10:26 AM
>> To: support@pfsense.com
>> Subject: Re: [pfSense Support] Crazy Session State requirement
>>
>> Activate sticky option on 1.2.3-RC* installations.
>>
>> --
>> Ermal
>
> To confirm - the sticky behavior in 1.2.3-RC3 is different than in 1.2.2?
Well now it works!
Before it had issues.

>
> Is there any documentation on this change that I can take a look at?
>
Actually it is a kernel patch that has been integrated into FreeBSD
and fixes pf(4) behaviour of stickies.
There is not much documentation about that, other than it trying to work
as advertised in the documentation.

For your curiosity
http://svn.freebsd.org/viewvc/base/head/sys/contrib/pf/net/pf.c?view=log
Revision 196372

>
>
>



-- 
Ermal




Re: [pfSense Support] Crazy Session State requirement

2009-09-18 Thread Ermal Luçi
On Fri, Sep 18, 2009 at 7:24 PM, Nathan Eisenberg
 wrote:
> Knee deep in a deployment of a load balanced web application, I’ve run into
> a bizarre requirement.
>
>
>
> I have a HA PFSense cluster with 5 SSL load balanced virtual hosts,
> listening on IPs x.x.x.10-x.x.x.14.  These map back to 3 backend web servers
> serving xxx1.com-xxx5.com.  I’ve used this design many times, and never had
> a problem.
>
>
>
> However, this application has some crazy cookie stuff built in.  Basically,
> a client may connect to xxx1.com, log in, browse some content, and then
> browse to xxx2.com.  Since these are separate load balanced virtual servers,
> the PF state tracking mechanism doesn’t force the client to go to the same
> backend server, which means that the session information is inconsistent and
> the application breaks.
>
>
>
> So, what I suppose I really need is a way of forcing the connection states
> to be per-source IP, rather than per source/dest.  Is this possible?  If
> not, other workaround suggestions would be lovely!
>
>
>
Activate sticky option on 1.2.3-RC* installations.



-- 
Ermal




Re: [pfSense Support] IGMP packet out of WAN

2009-08-21 Thread Ermal Luçi
On Fri, Aug 21, 2009 at 5:40 AM, Evgeny Yurchenko wrote:
> Old story but I can't see any progress here so decided to try to make patch
> by myself though it's not very straightforward for FreeBSD ports...
> Ermal, could you please look at
> https://rcs.pfsense.org/projects/pfsense-tools/repos/Eugene-igmpproxy/commits/169ff1e643cfbcd9ef6958f45b4c095547548603
> and approve? I explained the problem I am trying to solve in Comments to
> this commit.
> If this commit looks ok what should be the next step to make it available
> for install via pfSense' gui?
> Thanks,
> Eugene.
Send a merge request to mainline. If you do not succeed i will merge
it manually.


-- 
Ermal




Re: [pfSense Support] dynamic load balancing

2009-08-20 Thread Ermal Luçi
On Thu, Aug 20, 2009 at 9:45 AM, Chris Buechler wrote:
> On Thu, Aug 20, 2009 at 3:38 AM, Michel Servaes wrote:
>> Hi,
>>
>>
>> I am wondering, if the following would be possible - and how to start with 
>> it.
>> I have this SDSL and ADSL connection - in where our ADSL has a
>> download limit of 25GB/month
>>
>> If one bypasses the 25GB - the connection drops from 10mbits to 64kbits !
>> How can I make pfSense see this, so if this happens the connection
>> switches over to the SDSL connection (being 1mbit, still better than
>> 64kbits).
>>
>>
>> ps. the SDSL connection must be preserved as much as possible - so it
>> only should jump to the SDSL, when the ADSL doesn't go any faster than
>> 64kbits... (or if I can use an internal counter, that checks if the
>> 25GB limit is passed - that's also ok)
>>
>> Would this be possible, and where to start ?
>>
Not easy at all, since you have to handle reboots, wraparounds and
some other things.
I guess it is better to fund pfSense devs to implement this so you
will have it supported on further releases too.

>
> Only if you want to write code or a script of some sort to detect that
> and automatically switch. That's somewhat involved though. No easy way
> to do that.
>




-- 
Ermal




Re: [pfSense Support] IGMP packet out of WAN

2009-08-10 Thread Ermal Luçi
On Fri, Jul 31, 2009 at 7:36 PM, Evgeny
Yurchenko wrote:
>> From: cbuech...@gmail.com [mailto:cbuech...@gmail.com] On
>> Behalf Of Chris Buechler
>>
>> On Thu, Jul 30, 2009 at 8:33 PM, Evgeny
>> Yurchenko wrote:
>> >
>> > The code of igmpproxy is heavily inherited from mrouted and actual
>> > proxying of IGMP packets does not happen. It is not a
>> problem if the mcast
>> > sender on the upstream interface does not care about
>> memberships and just
>> > multicasts always, but if it is a wise sender, or if the sender
>> is located
>> > several routers upstream, then IGMP is needed. So I fixed
>> this small issue for 1.2.2 (I have only this development
>> version). There was another problem with understanding
>> interfaces consisting of more than 3 letters (em1 - ok, bge1
>> - can't start), also fixed. Could somebody validate and put
>> my several lines of code in the repository please? How does it
>> work at all - if somebody found a solution for some problem, what to do?
>> >
>>
>> You can send a patch here (diff -rub please) and I'm sure
>> Ermal will review (he does most of our C work, and did this multicast
>> implementation) and get it committed.
>>
>> Thanks!
>>
> diff -rub original/igmpproxy/work/igmpproxy/src/config.c
> igmpproxy/work/igmpproxy/src/config.c
> --- original/igmpproxy/work/igmpproxy/src/config.c      2009-07-31
> 17:17:16.0 +
> +++ igmpproxy/work/igmpproxy/src/config.c       2009-07-31
> 17:21:28.0 +
> @@ -241,7 +241,7 @@
>     tmpPtr->allowednets = NULL;
>
>     // Make a copy of the token to store the IF name
> -    tmpPtr->name = (char *)malloc( sizeof(char) * strlen(token) );
> +    tmpPtr->name = (char *)malloc( sizeof(char) * strlen(token) + 1 );
>     if(tmpPtr->name == NULL) {
>         log(LOG_ERR, 0, "Out of memory.");
>     }
>
>
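Review bot: the `+ 1` is the right fix (the old `malloc( sizeof(char) * strlen(token) )` left no room for the terminating NUL, so whatever copied `token` into `tmpPtr->name` wrote one byte past the allocation), but the failure path right below it still only logs: `if(tmpPtr->name == NULL) { log(LOG_ERR, 0, "Out of memory."); }` falls through and the function carries on with a NULL name. While touching this spot, return an error (or exit) there, and write the size as `strlen(token) + 1` inside its own parentheses so the intent does not depend on the reader remembering that `*` binds tighter than `+`.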
> diff -rub original/igmpproxy/work/igmpproxy/src/mcgroup.c
> igmpproxy/work/igmpproxy/src/mcgroup.c
> --- original/igmpproxy/work/igmpproxy/src/mcgroup.c     2009-07-31
> 17:17:16.0 +
> +++ igmpproxy/work/igmpproxy/src/mcgroup.c      2009-07-31
> 17:11:00.0 +
> @@ -63,13 +63,18 @@
>     }
>  #else
>     if( setsockopt( UdpSock, IPPROTO_IP,
> -          Cmd == 'j' ? IP_ADD_SOURCE_MEMBERSHIP :
> IP_DROP_SOURCE_MEMBERSHIP,
> +          Cmd == 'j' ? IP_ADD_MEMBERSHIP : IP_DROP_MEMBERSHIP,
>           (void *)&CtlReq, sizeof( CtlReq ) ) )
>     {
>         log( LOG_WARNING, errno, "MRT_%s_MEMBERSHIP failed", Cmd == 'j'
> ? "ADD" : "DROP" );
>         return 1;
>     }
>  #endif
> +    /* We have to send IGMP packet on upstream interface */
> +    if( Cmd == 'j' )
> +       sendIgmp(0, mcastaddr, IGMP_V2_MEMBERSHIP_REPORT, 0, mcastaddr,
> 0);
> +    else
> +        sendIgmp(0, mcastaddr, IGMP_V2_LEAVE_GROUP, 0, mcastaddr, 0);
>
>     return 0;
>  }
>
>
>
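Review bot: changing the `#else` branch from IP_ADD_SOURCE_MEMBERSHIP to IP_ADD_MEMBERSHIP changes the option payload setsockopt expects (struct ip_mreq instead of struct ip_mreq_source), yet the same `CtlReq` is still passed and its declaration is not in the hunk; confirm it is a struct ip_mreq, otherwise the call fails with an invalid argument. The message `"MRT_%s_MEMBERSHIP failed"` now names the wrong option and should read IP_%s_MEMBERSHIP. The two added `sendIgmp` calls differ only in the report type, so fold them into one call using the same `Cmd == 'j' ? ... : ...` form the setsockopt above already uses, and fix the mixed tab/space indentation on the first of them.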
> diff -rub original/igmpproxy/work/igmpproxy/src/rttable.c
> igmpproxy/work/igmpproxy/src/rttable.c
> --- original/igmpproxy/work/igmpproxy/src/rttable.c     2009-07-31
> 17:17:16.0 +
> +++ igmpproxy/work/igmpproxy/src/rttable.c      2009-07-31
> 17:25:18.0 +
> @@ -344,12 +344,8 @@
>                 return 0;
>             }
>         }
> -    }
> -
> -    // Send join message upstream, if the route has no joined flag...
> -    if(croute->upstrState != ROUTESTATE_JOINED) {
> -        // Send Join request upstream
> -        sendJoinLeaveUpstream(croute, 1);
> +        // Send join message upstream
> +       sendIgmp(0, group, IGMP_V2_MEMBERSHIP_REPORT, 0, group, 0);
>     }
>
>     IF_DEBUG logRouteTable("Insert Route");
>
>
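Review bot: dropping the `croute->upstrState != ROUTESTATE_JOINED` guard and the `sendJoinLeaveUpstream(croute, 1)` call loses two things: nothing on this path marks the route as joined upstream any more, so code that later reads `upstrState` (the leave side, for instance) sees a route that was joined but never recorded as such, and a membership report now goes upstream every time this path runs instead of once per route. Note also that the replacement `sendIgmp(...)` sits before the closing brace that the removed `-    }` used to provide, so it now executes inside the preceding block under whatever condition governs that block rather than after it. If sendJoinLeaveUpstream is what was misbehaving, fix it there rather than bypassing it, or at least keep the state update; and the added line is tab-indented while the surrounding code uses spaces.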
Slightly different version committed to the port
(https://rcs.pfsense.org/projects/pfsense-tools/repos/mainline/commits/82204b23ead0d217382d49477bd72a7c0374841f).
Can you test this?


-- 
Ermal




Re: [pfSense Support] OSPF Package!

2009-07-28 Thread Ermal Luçi
2009/7/28 "Alexandre F. Guimarães" :
>
> Does someone know whether an OSPF package exists to install on the pfSense solution?
Check the forums; a guy has posted how to make OSPF run on pfSense.

>
> Thank you all!
>
>
> --
> Alexandre F Guimarães
>
> Dpto Engenharia e Operações
> Tel: 19 3119 2445   /   19 3251 6744
> Divisão LaRCom - Unicamp
> Ignis Tecnologia da Informação e Comunicação Ltda.
>
>
>



-- 
Ermal




Re: [pfSense Support] IGMP packet out of WAN

2009-07-25 Thread Ermal Luçi
On Sat, Jul 25, 2009 at 9:55 PM, Evgeny
Yurchenko wrote:
>> From: Evgeny Yurchenko [mailto:evgeny.yurche...@frontline.ca]
>> Sent: July 25, 2009 3:49 PM
>>
>> > From: Ermal Luçi [mailto:ermal.l...@gmail.com]
>> > Sent: July 25, 2009 11:20 AM
>> >
>> > On Fri, Jul 24, 2009 at 6:19 PM, Evgeny
>> > Yurchenko wrote:
>> > >> From: Evgeny Yurchenko [mailto:evgeny.yurche...@frontline.ca]
>> > >> Sent: July 23, 2009 5:59 PM
>> > >>
>> > >> > From: Evgeny Yurchenko [mailto:evgeny.yurche...@frontline.ca]
>> > >> > Sent: July 23, 2009 12:07 PM
>> > >> >
>> > >> > > From: cbuech...@gmail.com [mailto:cbuech...@gmail.com] On
>> > >> > > Sent: July 23, 2009 11:32 AM
>> > >> > >
>> > >> > > On Thu, Jul 23, 2009 at 11:29 AM, Chris
>> > Buechler
>> > >> > > wrote:
>> > >> > > > On Thu, Jul 23, 2009 at 10:02 AM, Evgeny
>> > >> > > > Yurchenko wrote:
>> > >> > > >>
>> > >> > > >> Thanks for quick report Chris. I am completely new to
>> > >> this stuff
>> > >> > > >> please bear with me. Trying to accomplish 'Clone the
>> > >> > > tools repo at
>> > >> > > >> rcs.pfsense.org' I came to conclusion I need git
>> > >> installed on my
>> > >> > > >> pfSense-dev system. Reading several documents I tried
>> > >> > the following
>> > >> > > >> procedure:
>> > >> > > >> echo "WITHOUT_X11=yo" >> /etc/make.conf portsnap fetch
>> > >> > extract ->
>> > >> > > >> Success cd /usr/ports/devel/git && make BATCH=yo &&
>> > >> make install
>> > >> > > >> BATCH=yo && make clean -> Failure after the next:
>> > >> > > >>
>> > >> > > >
>> > >> > > > No idea.  Try to pkg_add -r git, or you may have to
>> > clone it on
>> > >> > > > another system and copy over the port.
>> > >> > > >
>> > >> > >
>> > >> > > or fetch http://cvs.pfsense.org/~cmb/igmpproxy-port.tgz
>> > >> > >
>> > >> > >
>> > >> >
>> > >>
>> >
>> > >> > >
>> > >> > # pkg_add -r git
>> > >> > Error: FTP Unable to get
>> > >> > ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-7.0-rele
>> > >> ase/Latest/git.tbz: File unavailable (e.g., file not found, no >
>> > >> access)
>> > >> > pkg_add: unable to fetch
>> > >> > 'ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-7.0-rel
>> > >> ease/Latest/git.tbz' by URL
>> > >> >
>> > >> > Fetch from http worked, thank you.
>> > >> >
>> > >> > Eugene
>> > >> >
>> > >>
>> > >> Ok, I managed to fix 'not sending IGMP out of upstream
>> interface'.
>> > >> But igmpproxy sends it only first two times when IGMP
>> received on
>> > >> downstream interface.
>> > >>
>> > >> 17:54:59.158716 IP 192.168.254.1 > 239.142.1.1: igmp v2 report
>> > >> 239.142.1.1
>> > >> 17:55:59.057693 IP 192.168.254.1 > 239.142.1.1: igmp v2 report
>> > >> 239.142.1.1
>> > >>
>> > >> Then further igmp reports for this group received on downstream
>> > >> interface are not sent out of upstream... Though igmpproxy
>> > sees them.
>> > >> Will investigate further.
>> > >>
>> > >> Eugene.
>> > >>
>> > > Ok. This part is done. IGMP is being sent from downstream
>> > to upstream interface.
>> > > Now another problem. When I generate multicast tr

Re: [pfSense Support] IGMP packet out of WAN

2009-07-25 Thread Ermal Luçi
On Fri, Jul 24, 2009 at 6:19 PM, Evgeny
Yurchenko wrote:
>> From: Evgeny Yurchenko [mailto:evgeny.yurche...@frontline.ca]
>> Sent: July 23, 2009 5:59 PM
>>
>> > From: Evgeny Yurchenko [mailto:evgeny.yurche...@frontline.ca]
>> > Sent: July 23, 2009 12:07 PM
>> >
>> > > From: cbuech...@gmail.com [mailto:cbuech...@gmail.com] On
>> > > Sent: July 23, 2009 11:32 AM
>> > >
>> > > On Thu, Jul 23, 2009 at 11:29 AM, Chris Buechler
>> > > wrote:
>> > > > On Thu, Jul 23, 2009 at 10:02 AM, Evgeny
>> > > > Yurchenko wrote:
>> > > >>
>> > > >> Thanks for quick report Chris. I am completely new to
>> this stuff
>> > > >> please bear with me. Trying to accomplish 'Clone the
>> > > tools repo at
>> > > >> rcs.pfsense.org' I came to conclusion I need git
>> installed on my
>> > > >> pfSense-dev system. Reading several documents I tried
>> > the following
>> > > >> procedure:
>> > > >> echo "WITHOUT_X11=yo" >> /etc/make.conf portsnap fetch
>> > extract ->
>> > > >> Success cd /usr/ports/devel/git && make BATCH=yo &&
>> make install
>> > > >> BATCH=yo && make clean -> Failure after the next:
>> > > >>
>> > > >
>> > > > No idea.  Try to pkg_add -r git, or you may have to clone it on
>> > > > another system and copy over the port.
>> > > >
>> > >
>> > > or fetch http://cvs.pfsense.org/~cmb/igmpproxy-port.tgz
>> > >
>> > >
>> >
>> > >
>> > # pkg_add -r git
>> > Error: FTP Unable to get
>> > ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-7.0-rele
>> ase/Latest/git.tbz: File unavailable (e.g., file not found,
>> no > access)
>> > pkg_add: unable to fetch
>> > 'ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-7.0-rel
>> ease/Latest/git.tbz' by URL
>> >
>> > Fetch from http worked, thank you.
>> >
>> > Eugene
>> >
>>
>> Ok, I managed to fix 'not sending IGMP out of upstream
>> interface'. But igmpproxy sends it only first two times when
>> IGMP received on downstream interface.
>>
>> 17:54:59.158716 IP 192.168.254.1 > 239.142.1.1: igmp v2
>> report 239.142.1.1
>> 17:55:59.057693 IP 192.168.254.1 > 239.142.1.1: igmp v2
>> report 239.142.1.1
>>
>> Then further igmp reports for this group received on
>> downstream interface are not sent out of upstream... Though
>> igmpproxy sees them.
>> Will investigate further.
>>
>> Eugene.
>>
> Ok. This part is done. IGMP is being sent from downstream to upstream 
> interface.
> Now another problem. When I generate multicast traffic (with destination IP 
> 239.142.1.1) on WAN this traffic does not go to downstream interface (LAN).
> Has this package ever worked on Linux (as I understand it was initially 
> written on Linux)?
>

http://forum.pfsense.org/index.php/topic,13312.15.html

> Eugene.
>
>
>



-- 
Ermal
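As an added example (not from the thread and not part of igmpproxy), the script below correlates a LAN-side and a WAN-side tcpdump capture in the format shown above and flags groups whose downstream reports stop being re-sent upstream, which is the symptom Eugene describes; the capture lines are constructed, and the 5-second matching window is an assumption.

```python
"""Correlate IGMP membership reports captured on igmpproxy's downstream (LAN)
and upstream (WAN) interfaces and flag groups whose reports stop being
forwarded. Added example for this thread; not igmpproxy code."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# tcpdump line format as it appears in the thread, e.g.
# "17:54:59.158716 IP 192.168.254.1 > 239.142.1.1: igmp v2 report 239.142.1.1"
IGMP_REPORT = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"igmp v2 report (?P<group>[\d.]+)$"
)

# Constructed captures mirroring the symptom: the LAN client keeps reporting
# 239.142.1.1 once a minute, but only the first two reports reappear on the WAN.
DOWNSTREAM_CAPTURE = [
    "17:54:58.901122 IP 192.168.1.2 > 224.0.0.22: igmp v2 report 239.142.1.1",
    "17:55:10.004410 IP 192.168.1.3 > 239.142.1.2: igmp v2 report 239.142.1.2",
    "17:55:58.877301 IP 192.168.1.2 > 224.0.0.22: igmp v2 report 239.142.1.1",
    "17:56:58.910554 IP 192.168.1.2 > 224.0.0.22: igmp v2 report 239.142.1.1",
    "17:57:58.893217 IP 192.168.1.2 > 224.0.0.22: igmp v2 report 239.142.1.1",
]
UPSTREAM_CAPTURE = [
    "17:54:59.158716 IP 192.168.254.1 > 239.142.1.1: igmp v2 report 239.142.1.1",
    "17:55:10.201873 IP 192.168.254.1 > 239.142.1.2: igmp v2 report 239.142.1.2",
    "17:55:59.057693 IP 192.168.254.1 > 239.142.1.1: igmp v2 report 239.142.1.1",
    "17:57:00.012345 IP 192.168.254.1 > 224.0.0.1: igmp query v2",  # not a report
]


def parse_reports(lines):
    """Return (timestamp, source, group) for every IGMP v2 report line.
    Queries and non-IGMP lines are skipped."""
    reports = []
    for line in lines:
        m = IGMP_REPORT.match(line.strip())
        if m:
            ts = datetime.strptime(m.group("ts"), "%H:%M:%S.%f")
            reports.append((ts, m.group("src"), m.group("group")))
    return reports


def forwarding_gaps(downstream_lines, upstream_lines, window=timedelta(seconds=5)):
    """For each report seen downstream, look for a report of the same group on
    the upstream side within `window` after it. The proxy re-sends the report
    with its own upstream address as source, so only group and time are matched,
    and each upstream report is consumed at most once. Timestamps are tcpdump
    wall-clock times within one day, so captures must not span midnight.
    Returns {group: {"downstream": n, "forwarded": n, "missed": [hh:mm:ss...]}}."""
    pending = defaultdict(list)
    for ts, _src, group in parse_reports(upstream_lines):
        pending[group].append(ts)
    result = {}
    for ts, _src, group in parse_reports(downstream_lines):
        entry = result.setdefault(group, {"downstream": 0, "forwarded": 0, "missed": []})
        entry["downstream"] += 1
        match = next((u for u in pending[group] if ts <= u <= ts + window), None)
        if match is None:
            entry["missed"].append(ts.strftime("%H:%M:%S"))
        else:
            pending[group].remove(match)
            entry["forwarded"] += 1
    return result


def stalled_groups(result):
    """Groups for which at least one downstream report was never re-sent upstream."""
    return sorted(g for g, e in result.items() if e["missed"])


if __name__ == "__main__":
    summary = forwarding_gaps(DOWNSTREAM_CAPTURE, UPSTREAM_CAPTURE)
    for group, e in sorted(summary.items()):
        print(f"{group}: {e['downstream']} downstream, {e['forwarded']} forwarded, "
              f"missed at {e['missed'] or 'none'}")
    print("stalled:", stalled_groups(summary))
```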




Re: [pfSense Support] IGMP packet out of WAN

2009-07-20 Thread Ermal Luçi
On Mon, Jul 20, 2009 at 9:02 PM, Evgeny
Yurchenko wrote:
[snip]


> think I'll spend the rest of my life trying to figure out how to install 
> development environment on pfSense unless there is a guide somewhere -)))
I patched the port so later on a new binary will be available for you to test.
Please report back your findings.


-- 
Ermal




Re: [pfSense Support] IGMP packet out of WAN

2009-07-20 Thread Ermal Luçi
Sorry for the late reply, but I have been busy with work.
Read below...

On Sun, Jul 19, 2009 at 2:29 AM, Evgeny
Yurchenko wrote:
>> -Original Message-
>> From: cbuech...@gmail.com [mailto:cbuech...@gmail.com] On
>> Behalf Of Chris Buechler
>> Sent: July 18, 2009 3:50 AM
>> To: support@pfsense.com
>> Subject: Re: [pfSense Support] IGMP packet out of WAN
>>
>> On Mon, Jul 13, 2009 at 6:59 PM, Evgeny
>> Yurchenko wrote:
>> >
>> > No, I can not see in logs. But on LAN I have
>> >
>> > 18:55:24.602839 IP 192.168.1.2 > 224.0.0.22: igmp v2 report
>> > 239.142.1.1
>> >
>> > It does not go out of WAN. And when I disable packet
>> filtering it does go out of WAN.
>> >
>>
>> You're using the IGMP proxy package on 1.2.x I presume?  It's
>> not blocking it if it isn't getting logged (unless you
>> disabled logging on the default rules), but it sounds like it
>> has some sort of impact on the traffic. I spent some time
>> working with that package and never could get it to pass the
>> traffic as it should, though the code it came from in 2.0 did
>> work for me. Haven't had time to go back and look at it further.
>>
>>
>>
> Yes, I use 1.2 release. I am sorry for misinforming you. When I disable
> packet filtering then packet received on LAN goes to WAN which is quite
> expected behaviour, so it is not packet generated by igmpproxy.
> My findings are here. I get in debug mode:
> igmpproxy, Version 0.1 beta2, Build 090427
> Copyright 2005 by Johnny Egeland 
> Distributed under the GNU GENERAL PUBLIC LICENSE, Version 2 - check
> GPL.txt
>
> Debu: Searching for config file at '/tmp/igmpproxy.conf'
> Debu: Config: Quick leave mode enabled.
> Debu: Config: Got a phyint token.
> Debu: Config: IF: Config for interface bge0.
> Debu: Config: IF: Got downstream token.
> Debu: Config: IF: Got ratelimit token '0'.
> Debu: Config: IF: Got threshold token '1'.
> Debu: Config: IF: Got altnet token 224.0.0.0/4.
> Debu: Config: IF: Altnet: Parsed altnet to 224/4.
> Debu: IF name : bge0
> Debu: Next ptr : 0
> Debu: Ratelimit : 0
> Debu: Threshold : 1
> Debu: State : 2
> Debu: Allowednet ptr : 2820c030
> Debu: Config: Got a phyint token.
> Debu: Config: IF: Config for interface bge1.
> Debu: Config: IF: Got upstream token.
> Debu: Config: IF: Got ratelimit token '0'.
> Debu: Config: IF: Got threshold token '1'.
> Debu: Config: IF: Got altnet token 224.0.0.0/4.
> Debu: Config: IF: Altnet: Parsed altnet to 224/4.
> Debu: IF name : bge1
> Debu: Next ptr : 0
> Debu: Ratelimit : 0
> Debu: Threshold : 1
> Debu: State : 1
> Debu: Allowednet ptr : 2820c040
> Debu: Adding Physical Index value of IF 'bge0' is 1
> Debu: buildIfVc: Interface bge0 Addr: 192.168.1.1, Flags: 0x8943,
> Network: 192.168.1/24
> Debu: Adding Physical Index value of IF 'bge1' is 2
> Debu: buildIfVc: Interface bge1 Addr: 192.168.7.171, Flags: 0x8843,
> Network: 192.168.7/24
> Debu: Adding Physical Index value of IF 'lo0' is 6
> Debu: buildIfVc: Interface lo0 Addr: 127.0.0.1, Flags: 0x8049,
> Network: 127/8
> Debu: Found config for bge1
> Note: adding VIF, Ix 0 Fl 0x0 IP 0x0101a8c0 bge0, Threshold: 1,
> Ratelimit: 0
> Debu:         Network for [bge0] : 192.168.1/24
> Note: adding VIF, Ix 1 Fl 0x0 IP 0xab07a8c0 bge1, Threshold: 1,
> Ratelimit: 0
> Debu:         Network for [bge1] : 192.168.7/24
> Debu:         Network for [bge1] : 224/4
> Debu: Got 262144 byte buffer size in 0 iterations
> Debu: Joining all-routers group 224.0.0.2 on vif 192.168.1.1
> Note: joinMcGroup: 224.0.0.2 on bge0
> Debu: SENT Membership query   from 192.168.1.1     to 224.0.0.1
> Debu: Sent membership query from 192.168.1.1 to 224.0.0.1. Delay: 10
> Debu: Created timeout 1 (#0) - delay 10 secs
> Debu: (Id:1, Time:10)
> Debu: Created timeout 2 (#1) - delay 21 secs
> Debu: (Id:1, Time:10)
> Debu: (Id:2, Time:21)
> Debu: Packet from 192.168.1.1: proto: 2 hdrlen: 20 iplen: 8 or 2048
> Note: RECV Membership query   from 192.168.1.1     to 224.0.0.1 (ip_hl
> 20, data 8)
> ^[[5~Debu: About to call timeout 1 (#0)
> Debu: Aging routes in table.
> Debu:
> Current routing table (Age active routes);
> -
>
> Debu: No routes in table...
> Debu:
> ---
>
>
> Then I run small program on my laptop connected to LAN and generating
> IGMP membership reports and indeed igmpproxy sees them:
> Debu: Packet from 192.168.1.2: proto: 2 hdrlen: 20 iplen: 8 or 2048
> Note: RECV V2 member report   from 192.168.1.2     to 224.0.0.22 (ip_hl
> 20, data 8)
> Debu: Should insert group 239.142.1.1 (from: 192.168.1.2) to route
> table. Vif Ix : 0
> Debu: No existing route for 239.142.1.1. Create new.
> Debu: No routes in table. Insert at beginning.
> Info: Inserted route table entry for 239.

Re: [pfSense Support] Re: Patch and ISO: New Feature -- Auto Configuring Interfaces

2009-07-15 Thread Ermal Luçi
Please pretty please do not make distinctions on lan/wan/optif; I have
invested too much time to clean this!
I still think that you are not competent enough to do this in 2.0. Still,
good luck.

On Wed, Jul 15, 2009 at 12:08 AM, Tim A. wrote:
> Chris Buechler wrote:
>
> On Sun, Jul 5, 2009 at 4:23 PM, Tim A. wrote:
>
>
> Attached a patch against 1.2.3-rc2 adding support for auto configuring
> interfaces.
>
>
> That's definitely a nice feature, though only suitable for addition to
> 2.0, so we'll need a patch for 2.0.  The only thing from your
> description that needs to change is the auto-assignment with one
> interface, 2.0 will let you assign only WAN and treat it basically
> like LAN with a default gateway for appliance purposes, so if there is
> only one interface it needs to only assign WAN.
>
> Thanks!
>
>
> Attached a patch against 2.0 adding support for auto configuring interfaces.
> This patch is done with -rub. So, you won't see the white space but note that
> there's a significant block of the original code that should be indented
> with this.
>
> I reworked it to be less clunky and more POLS. Also, I'm learning more about
> pfsense internals and the auto interface feature automatically turns on sshd
> if it kicks in.
> So, no need to worry about the config file.
>
> I'll update the 1.2 patch later with these improvements as well.
>
> By the way. I've started using git, and it's very cool. I created an account
> and added my key to rcs.pfsense.org.
> I tried to push this to the repo but it keeps saying not allowed.
> Are you guys only using that internally?
>
> --- a/etc/inc/config.inc        2009-07-14 16:39:50.0 -0400
> +++ b/etc/inc/config.inc        2009-07-14 14:30:35.0 -0400
> @@ -790,6 +790,12 @@
>
>        $iflist = get_interface_list();
>
> +/* Function flow is based on $key and $auto_assign or the lack thereof */
> +       $key = null;
> +
> +       if ((ereg("cdrom", $g['platform'])) || is_interface_mismatch())
> +               $auto_assign = true;
> +
>        echo <<
>  Valid interfaces are:
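Review bot: `$auto_assign` is only ever assigned inside the `if ((ereg("cdrom", ...)) || is_interface_mismatch())` branch, so on an ordinary boot the later `if ($auto_assign)` tests an undefined variable and relies on PHP's null-to-false coercion (with a notice). Initialise it next to `$key`, e.g. `$key = null; $auto_assign = false;`. The flow comment above it also sits at column 0 while the surrounding code is tab-indented; indent it with the block.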
> @@ -799,7 +805,7 @@
>
>        if(!is_array($iflist)) {
>                echo "No interfaces found!\n";
> -               $iflist = array();
> +               return;
>        } else {
>                foreach ($iflist as $iface => $ifa) {
>                        echo sprintf("% -16s%s%s\t%s\n", $iface, $ifa['mac'],
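Review bot: replacing `$iflist = array();` with `return;` turns the "No interfaces found!" branch into an early exit from the whole assignment routine, which the console message does not say and which skips the VLAN question and everything after it. Either print that interface assignment is being aborted, or check that the caller copes with the function returning without any interface assigned.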
> @@ -807,6 +813,14 @@
>                }
>        }
>
> +       if ($auto_assign) {
> +               echo << +
> +BEGIN MANUAL CONFIGURATION OR WE WILL PROCEED WITH AUTO CONFIGURATION.
> +
> +EOD;
> +       }
> +
>        echo <<
>  Do you want to set up VLANs first?
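Review bot: the new prompt block is printed before the "Do you want to set up VLANs" question instead of next to the countdown it describes, so the user reads "BEGIN MANUAL CONFIGURATION OR WE WILL PROCEED WITH AUTO CONFIGURATION", then a VLAN question, with no timer in sight; move the text into the countdown loop below and lose the capitals. The heredoc opener on the `echo << +` line also looks mangled in the mail; attach the patch rather than pasting it inline so it can be applied as sent.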
> @@ -816,7 +830,54 @@
>  Do you want to set up VLANs now [y|n]?
>  EOD;
>
> -       if (strcasecmp(chop(fgets($fp)), "y") == 0)
> +       if ($auto_assign) {
> +               $timeout=9;             // How long do you want the script
> to wait before moving on (in seconds)
> +               exec("/bin/stty erase " . chr(8));
> +               while(!isset($key)) {
> +                       echo chr(8) . "{$timeout}";
> +                       `/bin/stty -icanon min 0 time 25`;
> +                       $key = trim(`KEY=\`dd count=1 2>/dev/null\`; echo
> \$KEY`);
> +                       `/bin/stty icanon`;
> +                       if ($key == '')
> +                               unset($key);
> +                       // Decrement our timeout value
> +                       $timeout--;
> +                       // If we have reached 0 exit and continue on
> +                       if ($timeout == 0)
> +                               break;
> +               }
> +       } else
> +               $key = chop(fgets($fp));
> +
> +
> +       if (!isset($key)) {     // Auto Assign Interfaces
> +               $optif = array();
> +               $i = $j = 0;
> +               echo "\n\n";
> +               foreach ($iflist as $iface => $ifa) {
> +                       if ($i > 1) {
> +                               $optif[$j] = $iface;
> +                               echo "Assigned OPT" . ($j+1) . " to :
> $optif[$j] \n";
> +                               $i++;
> +                               $j++;
> +                       }
> +                       elseif ($i == 1) {
> +                               $lanif = $iface;
> +                               echo "Assigned LAN to : $lanif \n";
> +                               $i++;
> +                       }
> +                       elseif ($i == 0) {
> +                               $wanif = $iface;
> +                               echo "Assigned WAN to : $wanif \n";
> +                               $i++;
> +                       }
> +               }
> +
> +               $config['system']['enablesshd'] = 'enabled';
> +               $key = 'y';
> +
> +       } else {                //Manually assign interfaces
> +       if (in_array($key, array('y', 'Y')))
>                vlan_setup();
>
>        if (is_array($config['vlans']['vlan']) &&
> count
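Review bot: the auto-assign branch sets `$config['system']['enablesshd'] = 'enabled'` without printing anything, so a box whose unattended console times out comes up with SSH reachable and the administrator is never told; echo a line saying sshd has been enabled alongside the "Assigned WAN to" output and state it in the patch description. Two smaller points in the countdown loop: `stty -icanon min 0 time 25` makes each `dd count=1` read wait 2.5 seconds (VTIME is in tenths of a second), so the counter that starts at 9 actually runs for roughly 22 seconds; and because the read result goes through `trim()` and an empty string triggers `unset($key)`, Enter, Space and Tab do not interrupt the countdown even though the feature description says any keyboard input does.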

Re: [pfSense Support] IGMP packet out of WAN

2009-07-13 Thread Ermal Luçi
Not necessarily.

On Mon, Jul 13, 2009 at 3:43 PM, Evgeny
Yurchenko wrote:
> Hi All!
>
> should the rule
>   pass out quick on bge1 all flags S/SA keep state label "let out
> anything from firewall host itself"
> allow IGMP packets out of the WAN interface? Packets are generated by
> igmpproxy running on pfSense.
> Thanks,
>
> Eugene
>
>
>
>



-- 
Ermal




Re: [pfSense Support] Understanding 2.0

2009-07-07 Thread Ermal Luçi
On Tue, Jul 7, 2009 at 6:27 PM, Tim A. wrote:
> I don't get it. Sure there's a lot of features people want to add. And the
> answer is typically, "2.0".
> But what is the major platform difference for this major revision?
If you are brave, try to do a diff between RELENG_1_2 and master and
you will see what the difference is.
I do not want to count how many things have been fixed.

> I just built HEAD (2.0 on 7_2) and... umm... I like 1.2.3, at least it
> works.
> This is so broken and as far as I can tell, most of it's the same anyway.
> Why not just add new features / fix things on what's already working so well?
>
> I'm trying RELENG_2_0 now, maybe that'll be more encouraging.
>
>
>



-- 
Ermal




Re: [pfSense Support] Patch and ISO: New Feature -- Auto Configuring Interfaces

2009-07-07 Thread Ermal Luçi
On Mon, Jul 6, 2009 at 8:39 PM, Chris Buechler wrote:
> On Mon, Jul 6, 2009 at 8:47 AM, Ermal Luçi wrote:
>>
>> To me this is a hack and not a feature.
>> There is a better way to do this things than kludge things here and
>> there in the code. The right fix was proposed once and not everybody
>> liked the POLA breaking.
>
> I don't recall that discussion (and I'll admit I didn't have time to
> read the patch before I replied).
>
> What do you consider the "right fix", Ermal?

It was the proposal to name all the interfaces with a common name and
and not follow the FreeBSD by-product naming (at least in embedded).
This would give a uniform interface name on different products and
would make at least embedded a no pain installing/running since it
would just boot into the webgui!

>
> POLA = http://en.wikipedia.org/wiki/Principle_of_least_astonishment
>
>
>



-- 
Ermal




Re: [pfSense Support] Patch and ISO: New Feature -- Auto Configuring Interfaces

2009-07-06 Thread Ermal Luçi
On Sun, Jul 5, 2009 at 10:23 PM, Tim A. wrote:
> Attached a patch against 1.2.3-rc2 adding support for auto configuring
> interfaces.
> By enabling sshd in the default config.xml on the Live CD installer, this
> eliminates many headaches for installs:
> No monitor / keyboard / mouse required.
> No console cable required.
> Install to headless boxes that don't even have console ports!
> No more crackin open your box to screw with CF cards and /etc/fstab
> nightmares (for being installed to a /dev/device that no longer exists!).
>
> Just plug-in, turn it on and ssh to the default IP.
>
> This is a link to an ISO built with this patch and my previously submitted
> DHCP Server patch.
> http://techneck.goldenpath.org/pfsense/pfSense_1.2.3-R2_RELENG_7_2_techneck_patches.iso
>
>
> The new code will pause to allow interruption for manual assignment. Any
> keyboard input will interrupt the procedure.
> But if left unattended the code will timeout to begin the automated process.
> The code assigns interfaces in the order they were discovered, LAN, WAN,
> OPT1, OPT2, etc...
> If only one interface exists and is vlan capable, the code will create vlan0
> tagged VLAN1.
> But this will invariably be assigned to WAN as LAN is assigned first and
> obviously the parent NIC is discovered before the vlan0.
> This is appropriate behavior though given the undesirable situation of
> having only 1 NIC, and installation priorities.
> It is appropriate because it is more likely that the typical user is not
> actually prepared to connect to VLANs and his priority is to connect to the
> LAN interface to install and configure his box.
>
> ~Tim
>
> --- config.inc.old      2009-07-05 10:18:55.0 -0400
> +++ config.inc  2009-07-05 11:39:34.0 -0400
> @@ -1285,6 +1285,95 @@
>
>        echo <<
> +Press any key to configure interfaces manually,
> +otherwise we're proceeding with autoconfiguring in:
> +
> +EOD;
> +       $anykey = Array();
> +       for ( $i = 7 ; $i < 14 ; $i++ ) { $anykey[] = chr($i); }
> +       for ( $i = 32 ; $i < 128 ; $i++ ) { $anykey[] = chr($i); }
> +       $anykey[] = chr(27);
> +       $timeout=9;             // How long do you want the script to wait
> before moving on (in seconds)
> +       $key = null;
> +       exec("/bin/stty erase " . chr(8));
> +       while(!in_array($key, $anykey)) {
> +               echo chr(8) . "{$timeout}";
> +               `/bin/stty -icanon min 0 time 25`;
> +               $key = trim(`KEY=\`dd count=1 2>/dev/null\`; echo \$KEY`);
> +               `/bin/stty icanon`;
> +               // Decrement our timeout value
> +               $timeout--;
> +               // If we have reached 0 exit and continue on
> +               if ($timeout == 0)
> +                       break;
> +       }
> +
> +       if(!in_array($key, $anykey)) {  // Auto Assign Interfaces
> +               if(count($iflist) < 2) {        // If less than two NICs,
> auto assign a vlan.
> +                       echo << +
> +Less than two interfaces detected.
> +Proceeding with VLAN autoconfig...
> +
> +EOD;
> +                       $vflist = Array();
> +                       $vlan = Array();
> +
> +                       echo "VLAN Capable interfaces:\n\n";
> +                       if(!is_array($iflist)) {
> +                               echo "No interfaces found! EXITING \n";
> +                               return;
> +                       } else {
> +                               foreach ($iflist as $iface => $ifa) {
> +                                       if (is_jumbo_capable($iface)) {
> +                                               echo sprintf("% -8s%s%s\n",
> $iface, $ifa['mac'],
> +                                                       $ifa['up'] ? "
> (up)" : "");
> +                                               $vflist[] = $iface;
> +                                       }
> +                               }
> +                       }
> +
> +                       if(count($vflist) < 1) {
> +                               echo "No VLAN capable interfaces detected.
> EXITING \n";
> +                               return;
> +                       }
> +                                                               // Create
> VLANs
> +                       echo "\n\n";
> +                       foreach ($vflist as $v => $vface) {
> +                               $vlan['if'] = $vface;
> +                               $vlan['tag'] = 1;
> +                               $config['vlans']['vlan'][] = $vlan;
> +                               $iflist['vlan' . $v] = array();
> +                               echo "Created VLAN interface vlan" . $v . "
> with VLAN tag: 1\n";
> +                       }
> +               }
> +                                                               //
> Assignment
> +               $optif = Array();
> +               $x = $y = 0;
> +               echo "\n\n";
> +               foreach ($iflist as $iface => $ifa) {
> +                       
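Review bot: `$anykey` is built from chr(7)..chr(13), chr(32)..chr(127) and chr(27), but `$key` goes through `trim()` before the `in_array($key, $anykey)` check, so Space, Tab and Enter come back as the empty string and never match; those are exactly the keys people hit at a "Press any key" prompt, so the countdown runs on into auto-assign. Drop the `trim` or test `$key !== ''` instead of the lookup table. Also `stty -icanon min 0 time 25` makes every `dd count=1` read wait 2.5 seconds (VTIME is in tenths of a second), so the 9-step countdown lasts about 22 seconds rather than the 9 the prompt suggests. Lastly, `$iflist['vlan' . $v] = array();` adds an entry with no `mac` or `up` keys, so whatever the (truncated) assignment loop does with `$ifa` for that entry has to tolerate an empty array.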

Re: [pfSense Support] Inbound load balancer performance under heavy load.

2009-06-12 Thread Ermal Luçi
On Fri, Jun 12, 2009 at 6:27 PM, Jose Hernandez wrote:
>
>
> -Original Message-
> From: Ermal Luçi [mailto:ermal.l...@gmail.com]
> Sent: 12 June 2009 12:48
> To: support@pfsense.com
> Subject: Re: [pfSense Support] Inbound load balancer performance under heavy
> load.
>
> Can you please try a later snapshot after 11062009 it seems you had
> problems with sticky-connections!
> Though without analysis I might be completely WRONG.
>
> Ermal
>
>
> On Fri, Jun 12, 2009 at 12:52 PM, Jose Hernandez wrote:
>> It is fine Tebano,
>>
>>
>>
>> I appreciate your answer and as you said there are no other limitations
>> documented nor any other issues I could find anywhere, and I did spend
> some
>> time researching…
>>
>>
>>
>> Regards,
>>
>>
>>
>> Jose Hernandez
>> Software and Systems Senior Engineer
>> VIDZONE DIGITAL MEDIA
>>
>>
>>
>> From: Tebano epaminonda [mailto:l_epa_m_ino...@hotmail.com]
>> Sent: 12 June 2009 11:44
>> To: support@pfsense.com
>> Subject: RE: [pfSense Support] Inbound load balancer performance under
> heavy
>> load.
>>
>>
>>
>>
>>
>> 
>>
>> From: j...@vidzone.tv
>> To: support@pfsense.com
>> Date: Fri, 12 Jun 2009 11:33:54 +0100
>> Subject: RE: [pfSense Support] Inbound load balancer performance under
> heavy
>> load.
>>
>> Thanks for your response, however the limitations on the featured list are
>> not the cause of the problem… I am happy with the load balancer to equally
>> distribute the load, also happy with the firewall not checking for a valid
>> response… but there seems to be any other limitation not listed…
>>
>>
>>
>> Regards,
>>
>>
>>
>> Jose Hernandez
>> Software and Systems Senior Engineer
>> VIDZONE DIGITAL MEDIA
>>
>>
>>
>> -
>>
>>
>>
>> Hi Josè.
>>
>> Sorry for the misunderstanding.
>>
>> I was simply trying to say that there aren't other limitations (that I
> know),
>> except the ones I've pasted you.
>>
>> Probably my answer wasn't really written correctly... sorry!
>>
>> Cheers.
>>
>> Tebano.
>>
>>
>>
>> From: Tebano epaminonda [mailto:l_epa_m_ino...@hotmail.com]
>> Sent: 12 June 2009 11:11
>> To: support@pfsense.com
>> Subject: RE: [pfSense Support] Inbound load balancer performance under
> heavy
>> load.
>>
>>
>>
>>
>>
>> 
>>
>> From: j...@vidzone.tv
>> To: support@pfsense.com
>> Date: Fri, 12 Jun 2009 10:29:03 +0100
>> Subject: [pfSense Support] Inbound load balancer performance under heavy
>> load.
>>
>> Hi,
>>
>>
>>
>> Yesterday we had a service launch, and pfSense inbound load balancer let
> me
>> down big time… We have been using pfSense 1.2-release version installed on
>> Dell PowerEdge R200 and CARP for redundancy for around a year now, it
> proved
>> to work although we never have had a very high load.
>>
>>
>>
>> Yesterday right after we launched the service, we started getting complaints
> of
>> many requests failing from users. After some investigation it was clear
> that
>> the requests were not getting through to our systems!!!
>>
>>
>>
>> The only indication of something going bad was the traffic graph (attached
>> is a screen grab), it was picking up and down as never before… We did some
>> load testing last week and the week before and we were seeing ~100Mbps
>> constant outbound speed, we also have seen in the past ~100Mbps inbound
>> speeds… So I first blamed our IP transit provider, after contacting them,
>> they confirmed to me that no packets were being lost or dropped anywhere
> in
>> their network and that their systems were just fine… so the only other
> thing
>> that could be causing the problem was pfSense… however I couldn’t find any
>> indication of anything going wrong but the traffic graph… memory and
>> processor were fine, states table size, no packets dropped in RRD Graphs,
>> etc…
>>
>>
>>
>> After tweaking many settings in pfSense with no joy, I finally removed the
>> Virtual Server and created a NAT Port Forward to only one of our web
> servers
>> layer at the backend… and that fixed the problem of requests not getting
>> through and the traffic graph was again stable…

Re: [pfSense Support] Inbound load balancer performance under heavy load.

2009-06-12 Thread Ermal Luçi
Can you please try a later snapshot after 11062009 it seems you had
problems with sticky-connections!
Though without analysis I might be completely WRONG.

Ermal


On Fri, Jun 12, 2009 at 12:52 PM, Jose Hernandez wrote:
> It is fine Tebano,
>
>
>
> I appreciate your answer and as you said there are no other limitations
> documented nor any other issues I could find anywhere, and I did spend some
> time researching…
>
>
>
> Regards,
>
>
>
> Jose Hernandez
> Software and Systems Senior Engineer
> VIDZONE DIGITAL MEDIA
>
>
>
> From: Tebano epaminonda [mailto:l_epa_m_ino...@hotmail.com]
> Sent: 12 June 2009 11:44
> To: support@pfsense.com
> Subject: RE: [pfSense Support] Inbound load balancer performance under heavy
> load.
>
>
>
>
>
> 
>
> From: j...@vidzone.tv
> To: support@pfsense.com
> Date: Fri, 12 Jun 2009 11:33:54 +0100
> Subject: RE: [pfSense Support] Inbound load balancer performance under heavy
> load.
>
> Thanks for your response, however the limitations on the featured list are
> not the cause of the problem… I am happy with the load balancer to equally
> distribute the load, also happy with the firewall not checking for a valid
> response… but there seems to be any other limitation not listed…
>
>
>
> Regards,
>
>
>
> Jose Hernandez
> Software and Systems Senior Engineer
> VIDZONE DIGITAL MEDIA
>
>
>
> -
>
>
>
> Hi Josè.
>
> Sorry for the misunderstanding.
>
> I was simply trying to say that there aren't other limitations (that I know),
> except the ones I've pasted you.
>
> Probably my answer wasn't really written correctly... sorry!
>
> Cheers.
>
> Tebano.
>
>
>
> From: Tebano epaminonda [mailto:l_epa_m_ino...@hotmail.com]
> Sent: 12 June 2009 11:11
> To: support@pfsense.com
> Subject: RE: [pfSense Support] Inbound load balancer performance under heavy
> load.
>
>
>
>
>
> 
>
> From: j...@vidzone.tv
> To: support@pfsense.com
> Date: Fri, 12 Jun 2009 10:29:03 +0100
> Subject: [pfSense Support] Inbound load balancer performance under heavy
> load.
>
> Hi,
>
>
>
> Yesterday we had a service launch, and pfSense inbound load balancer let me
> down big time… We have been using pfSense 1.2-release version installed on
> Dell PowerEdge R200 and CARP for redundancy for around a year now, it proved
> to work although we never have had a very high load.
>
>
>
> Yesterday right after we launched the service, we started getting complaints of
> many requests failing from users. After some investigation it was clear that
> the requests were not getting through to our systems!!!
>
>
>
> The only indication of something going bad was the traffic graph (attached
> is a screen grab), it was picking up and down as never before… We did some
> load testing last week and the week before and we were seeing ~100Mbps
> constant outbound speed, we also have seen in the past ~100Mbps inbound
> speeds… So I first blamed our IP transit provider, after contacting them,
> they confirmed to me that no packets were being lost or dropped anywhere in
> their network and that their systems were just fine… so the only other thing
> that could be causing the problem was pfSense… however I couldn’t find any
> indication of anything going wrong but the traffic graph… memory and
> processor were fine, states table size, no packets dropped in RRD Graphs,
> etc…
>
>
>
> After tweaking many settings in pfSense with no joy, I finally removed the
> Virtual Server and created a NAT Port Forward to only one of our web servers
> layer at the backend… and that fixed the problem of requests not getting
> through and the traffic graph was again stable… I wonder if it is there any
> known issue with the inbound load balancer… I think the problem was with the
> number of source IPs or states it had to deal with (after the load balancer
> was removed, the states picked up to ~21, as when load testing we tested
> from a bunch of ~10 IPs…
>
>
>
> The problem is that we do need load balancing, mainly for redundancy of our
> systems at the back end…
>
>
>
> The inbound load balancer that was set up had 3 servers in the pool and, the
> port was HTTPS and TCP monitor was configured
>
>
>
> Is there anything in version 1.2-release that affects the performance of the
> inbound load balancer? Would this performance issues go away if I upgrade to
> the latest stable version, currently 1.2.2?
>
>
>
> We are also thinking of getting commercial support, however we are not sure
> if this will help as we don’t know if pfSense is actually able to take the
> load…
>
>
>
> Can anyone shed some light on these issues we are having?
>
>
>
> Regards,
>
>
>
> Jose Hernandez
>
> Software and Systems Senior Engineer
>
> VIDZONE DIGITAL MEDIA
>
>
>
> GET IN THE VIDZONE™
>
>
>
>
>
>
>

Re: [pfSense Support] pf tagging

2009-04-29 Thread Ermal Luçi
Only 2.0 from the gui

On Wed, Apr 29, 2009 at 1:49 PM, Matias Surdi  wrote:
> Does pfSense 1.2 support pf's packet tagging?
>
>
>
>



-- 
Ermal




Re: [pfSense Support] Can captive portal authenticate based on windows login

2009-04-21 Thread Ermal Luçi
I think you can do it with some simple JavaScript and Ajax.
Or at least that's the way I have seen it done with Squid.

On Tue, Jul 21, 2009 at 11:48 PM, Ryan  wrote:
>
>> -Original Message-
>> From: Dimitri Rodis [mailto:dimit...@integritasystems.com]
>> Sent: Tuesday, April 21, 2009 4:34 PM
>> To: support@pfsense.com
>> Subject: RE: [pfSense Support] Can captive portal
>> authenticate based on windows login
>>
>> Single Sign-on (aka one set of credentials) is one thing, the
>> captive portal's ability to automatically _receive_ (and
>> authenticate) the credentials from the requesting
>> client/browser is another. Unless I'm misunderstanding, Ryan
>> wants to get rid of the username/password prompt from the
>> captive portal, and have the "current" windows logon
>> credentials automatically pass to the captive portal, which
>> is currently not possible with pfSense-- ISA Server is the
>> only thing I know of that does this.
>>
>> Dimitri Rodis
>> Integrita Systems LLC
>> http://www.integritasystems.com
>
> You are correct.  This is exactly what I want to do.
> Ryan Rodrigue
>
>>
>>
>> -Original Message-
>> From: Jim Pingle [mailto:li...@pingle.org]
>> Sent: Tuesday, April 21, 2009 1:18 PM
>> To: support@pfsense.com
>> Subject: Re: [pfSense Support] Can captive portal
>> authenticate based on windows login
>>
>> Ryan wrote:
>> >
>> >> Without seeing the CP screen, automatically logging them in with
>> >> Windows
>> > credentials, no. You can authenticate them on.
>> >> the CP screen with RADIUS using their Windows credentials
>> to IAS on a
>> > Windows Server DC (if you're using AD).
>> >
>> >
>> > I kinda thought that was the case.  Thank you for your help
>> Chris.  Do
>> > you know of anything that might do this?
>>
>> I don't know if the Captive Portal can be coerced to support
>> LDAP or Kerberos, but I have heard of people achieving a
>> single sign-on type setup with Squid that way.
>>
>> Jim
>>
>>
>>
>
>
>
>



-- 
Ermal




Re: [pfSense Support] Filtering by URL or regexp

2009-03-31 Thread Ermal Luçi
It's in 2.0 with the layer7 filter/shaper.

On Tue, Mar 31, 2009 at 7:09 PM, luismi  wrote:
> Hi again,
>
> I am searching with google -I am sorry, I didn't do that before- but the
> idea is to filter directly when I enter a rule without install
> third-party packages like squid.
>
> Is that possible?
> If not, is there any plan to include it in future releases?
>
> El mar, 31-03-2009 a las 17:44 +0100, Michael Schuh escribió:
>> look at squid
>> acl-rules for example
>> you can also generate lists to load in squid
>> for deny or allow...
>>
>>
>> 2009/3/31 luismi 
>>         Is it possible to create rules to match URLs or regex
>>         expressions?
>>         I would like to provide access just to *.foobar.com but I
>>         don't know the
>>         IPs used for that domain :-/
>>
>>
>>
>>
>>
>>
>> --
>> = = =  m  i  c  h  a  e  l  -  s  c  h  u  h  .  n  e  t  = = =
>> Projektmanagement - IT-Consulting - Professional Services IT
>> Michael Schuh
>> Postfach 10 21 52
>> 66021 Saarbrücken
>> phone: 0681/8319664
>> mobil:  0177/9738644
>> @: m i c h a e l . s c h u h @ g m a i l . c o m
>>
>> = = =  Ust-ID:  DE251072318  = = =
>
>
>
>



-- 
Ermal




Re: [pfSense Support] FTP helper timeouts

2009-03-30 Thread Ermal Luçi
On Mon, Mar 30, 2009 at 11:39 AM, Paul M  wrote:
> Joe Laffey wrote:
>>
>> I am transferring about one thousand smaller (1.4Mb) files - SD video
>> frames.
>
> Have you sufficient states enabled in pfsense?
>
>
> I'd suggest switching to using rsync IIWY... however, where you have to use
> ftp then leechftp is quite good as it can be set to only download files
> where the target doesn't exist or is a different size and thus allow
> resuming.
>
>
Well, 2.0 is better in this respect because it has an in-kernel ftp-proxy
which should avoid all problems with FTP.
It even allows redirecting FTP without the need to open firewall ports
on the outside.

-- 
Ermal




Re: Re: [pfSense Support] Re: Can't get more than 15kpps.

2009-03-18 Thread Ermal Luçi
You would have to build a kernel yourself without the em/ixgbe modules
to be able to use the Yandex driver.
Have you ever checked if you have MSI enabled on your motherboard and what
happens if you disable it?

On Wed, Mar 18, 2009 at 4:27 PM,   wrote:
> Also, while searching the net for the "emX taskq" solution, I read that few
> people are successfully running the modified em driver from Yandex.
> This is their README:
> RX queue is being processed w/more than one thread. Use "sysctl
> dev.em.X.rx_kthreads" to alter number of threads.
> TX interrupts have been removed because they're not necessary actually. That's
> why interrupt rate has been reduced twice at least.
> TX queue cleaning moved to separate kthread. em_start uses mtx_trylock
> instead of mtx_lock. That's why em_start locks less.
> + RX queues' priority may be altered through sysctl. System seems to be more
> stable if RX scheduled w/less priority.
> + RX interrupt stays masked if there is no thread ready to catch interrupt.
> The hint reduces context switching under load.
> NOTES:
> 1) do not forget to do "sysctl net.isr.direct=1" if you want to see more
> SMP.
> 2) turn off polling. We didn't touch this part of code yet.
>
> So the question is, should I go for it? Will it help me in any way? I mean,
> if I have 2 Xeon CPUs and Hyper Threading enabled, I can actually divide it
> into 4 threads, right?
> And the biggest question is: will I be able to do it on pfSense and how
> would I go about it?
>
> Thanks,
>
> Lenny.
>
>
> On Mar 16, 2009 5:37pm, Scott Ullrich  wrote:
>> On Mon, Mar 16, 2009 at 7:14 AM, Lenny five2one.le...@gmail.com> wrote:
>> > Hi again,
>> >
>> > So I did replace the server, I have an IBM x336 now instead of the x335. The
>> > NIC is the identical, but not the same.
>> > First of all, Chris, you were absolutely right - it was some sort of a
>> > glitch with the hardware compatibility, as with this server I'm seeing a
>> > completely different behavior. I started seeing interrupt taking some of the
>> > CPU(not too much though - about 8-10% when loaded), and I don't see an emX
>> > taskq at all now.
>> > But the thing is - the problem is still there - I had a relatively high load
>> > this weekend (15kpps is my high load, remember?) and once again I got some
>> > packet loss and a slow response time from the website.
>> >
>> > Couple of things I noticed though:
>> > When it happened, the quality RRD graph showed about 35-40ms spike (from the
>> > usual 1-2). It was that time that I checked the "Disable Hardware Checksum
>> > Offloading" option and it was back to normal within seconds. But I saw it
>> > climb few other times afterwards... So maybe it was just a coincidence.
>> > Also, if I check the interface status when there is normal traffic - there
>> > are no errors(well, no more additional errors), but the minute the load hits
>> > - I start seeing the counters climbing up. On both interfaces, but only on
>> > the "In", the out is "0".
>> >
>> > And one last thing, I was thinking about maybe enforcing the negotiation
>> > through the config.xml. So I went through it and I saw this:
>> >
>> >             em0
>> >
>> >             100
>> >             Mb
>> >
>> >             X.X.X.X
>> >             28
>> >             Y.Y.Y.Y
>> >
>> >             em1
>> >             OPTICAL
>> >
>> >             Z.Z.Z.Z
>> >             29
>> >
>> > Is this normal, I mean regarding the 100Mb bandwidth? I have everything set
>> > to autonegotiation and the interface status shows:
>> > Media 1000baseTX   on both, so I assume I shouldn't touch it.
>> > But the 100Mb confuses me.
>> > Anyhow, this x336 server is a loaner and I have to return it or buy it
>> > within a day or two, so if you have any thoughts at all, please.
>>
>> Now you may be hitting a sysctl limit.   Quoting BillM from prior in
>> this thread:
>>
>> "Check sysctl net.inet.ip.intr_queue_drops and raise
>> net.inet.ip.intr_queue_maxlen if it's non-zero.
>>
>> Also check net.isr.drop.
>>
>> The intel driver has some debugging also under the dev.em sysctl I
>> believe."
>>
>> Scott
>>



-- 
Ermal




Re: [pfSense Support] Time based Load balance ?

2009-03-11 Thread Ermal Luçi
That would be possible only if schedules used pf instead of ipfw.
Nobody has a plan to do so in the near term, AFAIK, so you would have to
convince somebody to implement that.



On Wed, Mar 11, 2009 at 9:34 AM, Liew Toh Seng  wrote:
> Hi,
>
>   I've tried googling around but still not able to find the solution.
> Currently I've two WAN lines, and I want to use schedule to control the WAN
> usage. Let's say 2-4pm will use balance and other times are using one WAN
> line only. I found that I am not able to set schedule when the gateway is
> balance. Is there any other way I can make this work ? CMD line ?
>
> Thanks.
>
>
>



-- 
Ermal




Re: [pfSense Support] Stateful shaping

2009-03-07 Thread Ermal Luçi
On Sat, Mar 7, 2009 at 8:57 AM, Daniel Lloyd  wrote:
> Is it possible to do shaping based on connection properties, such as shaping
> based on bytes transferred?  I am looking to drop http based file transfers
> below normal web browsing, but am thinking this lies a little outside the
> current state of the shaper.  If this already exists, or is planned to be
> included in the future, I would love to hear about it.  Thanks
> -Dan Lloyd
>
I have this on my TODO list as part of the shaper for 2.0.

-- 
Ermal




Re: [pfSense Support] pfsense 1.2.3 problem with vpn ipsec (can ping, but nothing else ?)

2009-01-31 Thread Ermal Luçi
Look at this: http://forum.pfsense.org/index.php/topic,13847.0.html

On Sat, Jan 31, 2009 at 10:37 AM, Michel Servaes  wrote:
> Hi,
>
>
> I've upgraded to the 1.2.3 version on one end, and have a monowall at my
> end... whenever I ping a host over the tunnel, they reply...
> But doing anything else (http, rdp, ...) it simply does nothing at all !
> (eventually, I got a timeout) - but the tunnel is up, and I can ping.
>
> My rules on the firewall are on both ends setup to allow all traffic (since
> both networks are trusted to each other) - any ideas ?
>
>
> The issue why I upgraded to 1.2.3 is somewhat funny... I had a 1.2.1rc1,
> that I wanted to upgrade to 1.2.2 remotely... but it never came up again (so
> I drove over to the company, to do a manual upgrade, but since I had no
> internet at the office, and only my latest revision to test on my home-box,
> I decided to put it on the production server)
>
>
> In my effort in trying to solve this, I removed the tunnel on both sides,
> deleted the rules - and recreated them... on the pfsense I got this when
> making a small change to the new tunnel :
>
> Warning: unlink(/tmp/spd.conf.reload.1233394121.y9DXI8): No such file or
> directory in /etc/inc/vpn.inc on line 1193
>
> kind regards,
> Michel
>
>
>



-- 
Ermal




Re: [pfSense Support] Policy Routing and Re-Direct Question

2008-12-03 Thread Ermal Luçi
On Wed, Dec 3, 2008 at 5:40 PM, Bill Marquette <[EMAIL PROTECTED]> wrote:
> On Wed, Dec 3, 2008 at 10:12 AM, Gary Buckmaster
> <[EMAIL PROTECTED]> wrote:
>> It can be done, although not if the proxy machine is inside your LAN.  It
>> would need to live on a separate network segment (ie: DMZ).  In this case,
>> yes, its possible to redirect outbound traffic for TCP 80 to the proxy
>> machine, do your content filtering and pass it on.  You cannot transparently
>> proxy SSL traffic in this manner however due to the fact that the streams
>> are encrypted.
>
> Well, there are ways to do it, all of them evil :)  Consider it a
> trusted MITM attack.  Wh...outside of commercial proxies however,
> I know of no open source way to automate this (without lots of work on
> the administrator end to set it up).
>

Actually, relayd can do this!

> --Bill
>
>
>



-- 
Ermal




Re: [pfSense Support] manual pf rules

2008-11-25 Thread Ermal Luçi
What you might do is create a WAN interface as PPTP, get the config
files created in /var/etc (IIRC) and move them to /etc or /conf,
then use the link that Scott gave you to run
mpd -d /conf -f mpd.conf pptp[client] (IIRC).
That will work.

Surely after that, configure the WAN interface as the one you need it for.

I have something planned for 2.0 to allow doing this...

On Tue, Nov 25, 2008 at 8:38 PM, mikel <[EMAIL PROTECTED]> wrote:
>
> But this is using openvpn, and I need pptp
>
> On Tue, 25 Nov 2008 14:36:21 -0500, "Scott Ullrich" <[EMAIL PROTECTED]>
> wrote:
>> On Tue, Nov 25, 2008 at 2:34 PM, mikel <[EMAIL PROTECTED]> wrote:
>>>
>>> Please Scott
>>>
>>> The origin of this problem is that I can't configure pptp client with
>> my
>>> ISP in pfsense. Please help me
>>
>> Believe it or not, I did read your original message.   See the URL I
>> posted.
>>
>> Scott
>>
>
>
>
>



-- 
Ermal




Re: [pfSense Support] pfSense on alternate architectures?

2008-10-30 Thread Ermal Luçi
On Thu, Oct 30, 2008 at 6:24 PM, Chris Buechler <[EMAIL PROTECTED]> wrote:
> On Thu, Oct 30, 2008 at 1:10 PM, Tim Nelson <[EMAIL PROTECTED]> wrote:
>> It was my understanding that pfSense was largely x86 dependent with even 
>> x86_64 being unavailable for now. By the message included below by Ermal, 
>> does this mean that alternate architectures can run pfSense if compiled for 
>> that platform? I ask specifically in reference to sparc64. Maybe Ermal can 
>> comment on the possibility of such a possibility? Understandably, it may be 
>> completely impossible due to the endian-ness differences between the arch 
>> types... but I feel I must ask anyways. :-)
>>
>
> I very, very seriously doubt if any alternate architectures would work
> without significant efforts. If Ermal's willing to find out for sure,
> more power to him. To date there hasn't been a compelling reason to
> justify the effort, plus a lack of FreeBSD support. The only tier 1
> (read: fully supported) FreeBSD architectures are x86 and AMD64.
>
Basically, it is possible that it might work, no guarantees of it, and
Chris is right in telling you that it probably won't work.
But trying it does not hurt, and building it for sparc64 is another arch to test.

People who have a clue on how to build pfSense might give some
feedback on what architectures they have tried.


-- 
Ermal




Re: [pfSense Support] pfSense on comtrend 536+ DSL router

2008-10-30 Thread Ermal Luçi
Can you deliver its specs? I would be willing to give you an image for
it if it fits the requirements of pfSense and has one of the supported
FreeBSD archs.

On Thu, Oct 30, 2008 at 2:56 PM, Chris Buechler <[EMAIL PROTECTED]> wrote:
> On Thu, Oct 30, 2008 at 6:55 AM, Matias Surdi <[EMAIL PROTECTED]> wrote:
>> Does anybody know if pfSense would work embedded on a comtrend ADSL2+
>> router?
>>
>
> DSL routers aren't x86 platforms, so no.
>
>
>



-- 
Ermal




Re: [pfSense Support] can't get to specific site(subaru.com)

2008-10-09 Thread Ermal Luçi
On Fri, Oct 10, 2008 at 2:01 AM, BSD Wiz <[EMAIL PROTECTED]> wrote:
> going back a few weeks ago when i posted my issues getting to subaru.com.. i
> came across another site that i could not get to behind pfsense(cisco.com).
> i installed squid proxy and then i was able to get to subaru.com and
> cisco.com
>
> to refresh your memory, there are no rules blocking traffic on port 80, i'm
> on a cable modem, when on a shell on the firewall i can always telnet over
> port 80 to subaru.com but i cannot from my client machines. the client sends
> a syn but never receives the syn/ack from the firewall. however, the
> firewall does in fact get the syn/ack back from the webserver.
>
> finally to my question, what are you thoughts as to why the proxy being
> installed solved my issue?

It's simple. As I said in a previous post, problems might arise from:
1- TCP MSS
2- timestamps not handled correctly
3- SACKs not handled properly by the receiving host
4- TCP options not correctly set by your host
...
Basically any part of a TCP header that pf checks for a state.

Now with squid that works because the connection to the site is made
directly from pfSense, which does know how to handle its own packets.

Mostly you seem to need more elaborate scrub rules for your hosts,
which I suspect are having problems with path MTU discovery (a guess).

>
> best,
>
> -phil
>
>
>



-- 
Ermal




Re: [pfSense Support] Can't connect to subaru.com on port 80

2008-10-02 Thread Ermal Luçi
Open /etc/inc/filter.inc and search for pppoeclient;
4 lines after that, enter this:
set iface enable tcpmssfix

and retry connecting the PPPoE and see if that fixes the problem.
I was having the same problems with mail.yahoo/hotmail/msn messenger
and some other sites on one installation and that fixed it.
I think it's worth a try.

Other than that, it might be a timestamp handling issue on the client
stack that is failing to open the site.

On Thu, Oct 2, 2008 at 6:38 AM, BSD Wiz <[EMAIL PROTECTED]> wrote:
> i know, i just want to check out the new wrx's and sti!!
>
> tried messing with the mtu without any luck.
>
> ok, here is tcpdump running on my pfsense firewall(unixbox.gnet). you can
> see my request to subaru.com and then the reply comes to the firewall but
> never get's passed to my computer. what's weird is the reset.
>
> 23:30:04.664256 IP UNIXBOX.gnet.49796 > subaru.com.http: S
> 1787975612:1787975612(0) win 65535  2090781090 0,sackOK,eol>
> 23:30:04.710299 IP subaru.com.http > UNIXBOX.gnet.49796: S
> 2731372884:2731372884(0) ack 1787975613 win 4380  0,nop,nop,timestamp 311872670 2090781090,sackOK,eol>
> 23:30:05.321055 IP 12.120.5.14.http > UNIXBOX.gnet.49740: R
> 2533320030:2533320030(0) ack 10685623 win 0
> 23:30:07.420107 IP UNIXBOX.gnet.49796 > subaru.com.http: S
> 1787975612:1787975612(0) win 65535  2090781095 0,sackOK,eol>
>
>
>
> so in search of what the ip of the reset flag is i pointed my browser to it.
>
>
>
>
>
>
>
>
> so they are behind some type of load balancer but wtf??
>
>
>
>
> On Oct 1, 2008, at 11:30 PM, Bill Marquette wrote:
>
>> On Wed, Oct 1, 2008 at 11:12 PM, Chris Buechler <[EMAIL PROTECTED]>
>> wrote:
>>>
>>> On Wed, Oct 1, 2008 at 11:55 PM, BSD Wiz <[EMAIL PROTECTED]> wrote:
>>>>
>>>> yep, i looked at it using tcpdump. i just see syn packets going out the
>>>> door, i never get any syn-acks back.
>>>>
>>>> 22:50:47.417326 IP unixbox.gnet.49330 > subaru.com.http: S
>>>> 3917131801:3917131801(0) win 65535 >>> 0,nop,nop,timestamp
>>>> 2090776378 0,sackOK,eol>
>>>>
>>>
>>> Have you tried lowering MTU on your WAN, or just on the problem
>>> machine? Doing it on the WAN will MSS clamp everything, so if this is
>>> limited to one machine I wouldn't do that. With the 1460 MSS that
>>> shows and likely 1500 MTU end to end, that should not be a problem.
>>> It's worth a shot though.
>>
>> Wouldn't explain no syn/ack's coming back.  This would seem more like
>> an upstream routing (or firewalling) issue to me.  That, or a
>> conspiracy against BSD Wiz and his desire to look at new cars.
>>
>> --Bill
>>
>>
>
>
>
>



-- 
Ermal

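The diagnosis both subaru.com replies describe (the firewall sees the server's SYN/ACK, the client never does and resends its SYN, and pf's state matching depends on the TCP options each end uses) can be checked mechanically against a tcpdump capture. This is an added example, not code from the thread or from pfSense; the sample lines are reconstructed from the capture quoted above, with the TCP options filled in as an assumption because the archive stripped them.

```python
"""Flag failed TCP handshakes in tcpdump output taken on the firewall."""
import re
from collections import defaultdict

# Classic tcpdump TCP line: "ts IP src > dst: FLAGS seq:seq(len) [ack N] win W [<opts>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SRFP.]+) "
    r"(?P<seq>\d+):\d+\(\d+\)(?: ack (?P<ack>\d+))? win \d+"
    r"(?: <(?P<opts>[^>]*)>)?"
)

# TCP options the reply lists as things pf inspects when tracking a state.
TRACKED_OPTS = {"mss", "wscale", "timestamp", "sackOK"}

# Constructed sample: the thread's capture, options filled in as an assumption.
SAMPLE_CAPTURE = """\
23:30:04.664256 IP UNIXBOX.gnet.49796 > subaru.com.http: S 1787975612:1787975612(0) win 65535 <mss 1460,nop,wscale 3,nop,nop,timestamp 2090781090 0,sackOK,eol>
23:30:04.710299 IP subaru.com.http > UNIXBOX.gnet.49796: S 2731372884:2731372884(0) ack 1787975613 win 4380 <mss 1460,nop,nop,timestamp 311872670 2090781090,sackOK,eol>
23:30:05.321055 IP 12.120.5.14.http > UNIXBOX.gnet.49740: R 2533320030:2533320030(0) ack 10685623 win 0
23:30:07.420107 IP UNIXBOX.gnet.49796 > subaru.com.http: S 1787975612:1787975612(0) win 65535 <mss 1460,nop,wscale 3,nop,nop,timestamp 2090781095 0,sackOK,eol>
""".splitlines()


def parse_opts(opts):
    """Return the option names in a tcpdump option list, ignoring padding."""
    if not opts:
        return set()
    names = set()
    for tok in opts.split(","):
        tok = tok.strip()
        if tok and tok not in ("nop", "eol"):
            names.add(tok.split()[0])
    return names


def analyze(lines):
    """Group SYN / SYN-ACK / RST lines per client->server flow and judge each."""
    flows = defaultdict(lambda: {
        "syn_isns": [], "synack_seen": False, "rst_seen": False,
        "client_opts": set(), "server_opts": set(),
    })
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        flags = m["flags"].rstrip(".")
        opts = parse_opts(m["opts"])
        if flags == "S" and m["ack"] is None:        # client SYN
            f = flows[(m["src"], m["dst"])]
            f["syn_isns"].append(m["seq"])
            f["client_opts"] |= opts
        elif flags == "S":                            # server SYN/ACK
            f = flows[(m["dst"], m["src"])]
            f["synack_seen"] = True
            f["server_opts"] |= opts
        elif "R" in flags:                            # RST from the server side
            flows[(m["dst"], m["src"])]["rst_seen"] = True

    report = {}
    for (client, server), f in flows.items():
        if not f["syn_isns"]:
            continue                # RST-only flow (another connection): nothing to judge
        # A repeated ISN means the client never got an answer it accepted.
        retrans = len(f["syn_isns"]) - len(set(f["syn_isns"]))
        if retrans and f["synack_seen"]:
            verdict = ("SYN/ACK reached the capture point but the client resent its "
                       "SYN: the reply is not being forwarded (check pf state, "
                       "scrub and MSS handling)")
        elif retrans:
            verdict = "no SYN/ACK observed: look upstream (routing or filtering)"
        elif f["synack_seen"]:
            verdict = "handshake reply seen, no retransmission"
        else:
            verdict = "single SYN, no reply in capture"
        report[f"{client} > {server}"] = {
            "syn_retransmits": retrans,
            "synack_seen": f["synack_seen"],
            "rst_seen": f["rst_seen"],
            # options the client offered that the server did not echo back
            "unechoed_opts": sorted((f["client_opts"] - f["server_opts"]) & TRACKED_OPTS),
            "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    for flow, info in analyze(SAMPLE_CAPTURE).items():
        print(flow)
        for key, value in info.items():
            print(f"  {key}: {value}")
```

On the sample the script separates the reset (a different client port, so a different connection) from the stalled handshake and reports that the SYN/ACK was seen but the SYN was resent anyway.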



Re: [pfSense Support] ipv6 possibility

2008-09-28 Thread Ermal Luçi
On Sat, Sep 27, 2008 at 11:54 PM, Chris Bagnall <[EMAIL PROTECTED]> wrote:
>> Availability is a major constraint. At least for Scott and myself,
>> neither of us have an option to even get IPv6 connectivity on a
>> residential grade connection.
>
> Obviously I don't know where Scott and yourself are based, but that's 
> kinda... shocking, for want of a better way of putting it. Are there no *DSL 
> providers in your neck of the woods that'll offer an IP6-compatible 
> connection?
>
> And we keep being told how far behind the rest of the world the UK is for 
> broadband ;-)
>
> Anyway, back to the original topic, are there any pfSense developers who 
> might have time available to tackle a project of this size and scope? In my 
> experience, time is usually the major limiting factor, especially as I'm sure 
> many developers have full-time jobs that get in the way. ;-)
>
> To put it bluntly, I (and I'm sure others here) need to try and grasp at 
> least a rough idea of the financial implications before we know how far into 
> our pockets we need to dig to fund it.
>
I am interested in this and have the possibility of getting such a
link at a local ISP, though somewhat 'expensive' at present.
Basically this is something that one person can deliver in 4-6
months depending on hours put into development.

But I am definitely interested. The estimation of the cost is
something that needs to be investigated though. Chris in a
previous thread might have given a quick approximation.

Regards,
-- 
Ermal




Re: [pfSense Support] ipv6 possibility

2008-09-25 Thread Ermal Luçi
On Thu, Sep 25, 2008 at 12:28 PM, Paul Mansfield
<[EMAIL PROTECTED]> wrote:
> Eugen Leitl wrote:
>> I have a small business with a /24. In order for me to make money
>> I will soon have to order another /24. And then another.
>
> there's also the problem of getting globally routable PI space - you
> need a /23 to ensure your prefix isn't discarded by some ISPs, but
> getting a /23 these days is very difficult without very good
> justification - we found it easier to team up with an ISP to make use of
> their /22 for load-balancing and failover!
>
Well, you guys want to make money but are trying to push something free!

It just doesn't make sense to me. Really, how about
cooperate/contribute/involve/whatever... your 'business' considers
appropriate to push the products over.

-- 
Ermal

P.S. Sorry couldn't resist.




Re: [pfSense Support] Re: random lock up

2008-09-24 Thread Ermal Luçi
Try an SMP kernel.

On Wed, Sep 24, 2008 at 5:37 PM, Matias Surdi <[EMAIL PROTECTED]> wrote:
> Even more info:
>
> # dmesg
>
>
>

Re: [pfSense Support] pfSense 1.2-RELEASE: Performance Issue?

2008-07-30 Thread Ermal Luçi
On Wed, Jul 30, 2008 at 10:03 PM, Ted Crow <[EMAIL PROTECTED]> wrote:
>
> I'm running 1.2-RELEASE and we recently upgraded from 10mbps DSL to a
> metro fiber link and we were seeing a pretty significant performance hit
> across the firewall, especially outbound.  In troubleshooting this, my
> provider has disabled all limiting on their end and the connection is
> basically a wide open FDX 100Mbps link.  This *really* made the
> performance drop noticeable.
>
> Simple Diagram:
>
>    --   
> | Fiber Switch |---| Cisco 2801 |---| Firewall |--> Multiple LANs
>    --   
>  |
>   --
>   | DMZ Switch |--> DMZ Hosts
>   --
>
> A laptop directly connected to the fiber switch can pump >80Mbps to many
> points on the Internet.  Behind my router it only hits 45-60Mbps
> probably because the router was never intended to be used at this speed
> (before the speed was bumped to 100mbps there was no significant
> performance drop).  Behind the pfSense box, however, averages around
> 20-25Mbps to the Internet.  LAN to DMZ Hosts are around 55-60Mbps.
>
> The box is pretty beefy - a SuperServer 5015M-MF+B, Xeon 3040 with 1GB
> DDR2 and six Intel 1Gbps ports.  I'd be a little surprised if the
> hardware has anything to do with it.  CPU and RAM usage have never
> exceeded 10%.
>
> I tried enabling polling but that made no difference.  I've disabled the
> traffic shaper and removed most of my packages to get where I am now and
> I've run out of ideas.
>
> Anyone?

Search Google for tweaking FreeBSD!
I would start with TCP/UDP buffers. Take a look with sysctl at the
net.inet tree.

>
> Ted Crow
> Information Technology Manager
> Tuttle Services, Inc.
>
>
>



-- 
Ermal




Re: [pfSense Support] Re: PPTP and NAT

2008-07-23 Thread Ermal Luçi
On Wed, Jul 23, 2008 at 1:48 AM, Ugo Bellavance <[EMAIL PROTECTED]> wrote:
> Tim Dickson wrote:
>>
>> Yes
>

Grab a 1.2.1 snapshot after 1 hour or so and test it.

>
>
>



-- 
Ermal




Re: [pfSense Support] Re: PPTP and NAT

2008-07-22 Thread Ermal Luçi
On Tue, Jul 22, 2008 at 12:42 AM, Ugo Bellavance <[EMAIL PROTECTED]> wrote:
> Ugo Bellavance wrote:
>>
>> Hi,
>>
>>Is there a way to make it possible to have computers behind a Natting
>> pfsense to connect to a PPTP server on the net?  More than one concurrent
>> PPTP connection?
>
> I forgot to add that we're using PPTP to connect remotely.  We could
> probably find another way to connect if we would need to make outgoing PPTP
> work.
>

Actually, I have the fix for multiple outgoing PPTP to the same site;
I am just tracing a problem it has with redirecting the PPTP connections.
If you want to test it, I will be happy to supply something.


> Regards,
>
> Ugo
>
>
>
>



-- 
Ermal




Re: [pfSense Support] Tracking a specific user

2008-07-17 Thread Ermal Luçi
On Thu, Jul 17, 2008 at 7:22 AM, Luiz Vaz <[EMAIL PROTECTED]> wrote:
> Hi all,
>
>   there is a better solution: ipfw and pipes.
>   I'm working on a package that simplifies the job, but it is getting harder to
> make it flexible.
>
>   Just load ipfw.ko and dummynet.ko.
>
>   To control everyone in your LAN use this rules:
>
> SUBNET="192.168.1.0/24"
> LIMIT_PIPEIN="250Kbit/s"
> LIMIT_PIPEOUT="250Kbit/s"
> ipfw add pipe 100 ip from ${SUBNET} to any
> ipfw add pipe 200 ip from any to ${SUBNET}
> ipfw pipe 100 config mask src-ip 0x00ff bw ${LIMIT_PIPEOUT}  queue 10
> ipfw pipe 200 config mask dst-ip 0x00ff bw ${LIMIT_PIPEIN} queue 10
>
>   Just change the subnet and limit vars to your own needs.
>   Remember, the limit must be 30% less than the real one.
>
>   If you put the whole band value, like "4Mbit/s" everyone will use this
> upper limit.
>   But if you want up to 15 people using this at the same time without fighting
> with each other about download rate, place the value "250Kbit/s".
>   This will fix a hard limit of around 25KB/s for every machine on your LAN.
>   Remember this: every machine, not every connection.
>
>   The great villain today is p2p.
>   With these settings, no matter how many connections a machine makes, the limit
> will be respected.
>   It's transparent to the user.
>
>   Take a deep look at MASK and SUBNET.
>   My sample uses a subnet with the last OCTET open, and the MASK will match the
> last OCTET too.
>   So the pipes will be dynamically created for every single IP on the LAN,
> from 1 to 254.
>
>   As many pipes can be created as you wish.
>   But the matching sequence is top-down.
>   The first matching pipe takes control.
>
>   Ex.: you wish to unlock one machine and not the others.
>  Place 2 pipes, one before 00100 and one before 00200.
>  Like 00096 and 00097.
>
>Using the "ipfw show" command you will see this:
>
> # ipfw show
> 00096   1979400   342455858 pipe 96 ip from 192.168.1.199 to any
> 00097   2614619  2089783809 pipe 97 ip from any to 192.168.1.199
> 00100  93382187 27428427675 pipe 100 ip from 192.168.1.0/24 to any
> 00200  96107581 63006151656 pipe 200 ip from any to 192.168.1.0/24
> 65535 178815274 89112098498 allow ip from any to any
>
>   The numbers after the pipe id are the byte counts running through the pipe.
>   Using the "ipfw pipe show" command you will see how much the users are
> trying to overflow your rule:
>
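The per-host dummynet limiter Luiz describes above, as an added shell example that is not his package's code, nor pfSense's: it generalises his /24-only mask to any prefix length, applies his 30% headroom rule, and numbers exemption rules below the catch-all pipe rules as his 00096/00097 example does. Function names, the 10-99 exemption range and the use of allow rules (rather than separate pipes) for exempt hosts are this example's own assumptions; the subnet, rates and 192.168.1.199 are his sample values.

```shell
#!/bin/sh
# Added example: not from the post above, Luiz Vaz's package, or pfSense.
# Generates the per-host ipfw/dummynet limiter for any subnet prefix length,
# with exempt hosts ordered ahead of the catch-all pipe rules.
# Assumes ipfw.ko and dummynet.ko are loaded and that rule numbers 10-99,
# 100 and 200 are free (100/200 come from the post; the 10-99 exemption
# range and every function name are this example's own choices).

# Mask covering only the host bits of a prefix: /24 -> 0x000000ff,
# /28 -> 0x0000000f. "mask src-ip" keys dummynet's dynamic queues on the
# masked bits, so a host-bits mask gives one queue, hence one limit, per
# address rather than one shared pipe for the whole subnet.
ipfw_host_mask() {
    prefix=$1
    case $prefix in
        ''|*[!0-9]*) echo "bad prefix length: $prefix" >&2; return 1 ;;
    esac
    [ "$prefix" -le 32 ] || { echo "bad prefix length: $prefix" >&2; return 1; }
    printf '0x%08x\n' $(( (1 << (32 - prefix)) - 1 ))
}

# The post's rule of thumb: configure about 30% below the real link rate.
# Argument and result are integer Kbit/s.
ipfw_safe_kbit() {
    echo $(( $1 * 70 / 100 ))
}

# Print the ipfw commands for SUBNET (CIDR) at OUT_KBIT up / IN_KBIT down
# per host; every further argument is a host exempted from the limit.
ipfw_per_host_rules() {
    subnet=$1; out_kbit=$2; in_kbit=$3
    shift 3
    case $subnet in
        */*) ;;
        *) echo "subnet must be CIDR (a.b.c.d/len): $subnet" >&2; return 1 ;;
    esac
    mask=$(ipfw_host_mask "${subnet#*/}") || return 1

    # Configure the pipes before adding rules that point at them: dummynet
    # drops packets handed to a pipe that has not been configured yet.
    echo "ipfw pipe 100 config mask src-ip $mask bw ${out_kbit}Kbit/s queue 10"
    echo "ipfw pipe 200 config mask dst-ip $mask bw ${in_kbit}Kbit/s queue 10"

    # ipfw evaluates top-down and the first matching pipe rule wins, so
    # exemptions need numbers below 100/200 (the post's 00096/00097 idea).
    # An exempt host simply leaves ipfw via "allow"; pf still filters it,
    # because pfSense's firewall rules live in pf, not in ipfw.
    n=10
    for host in "$@"; do
        if [ "$n" -ge 99 ]; then
            echo "too many exempt hosts for rule numbers below 100" >&2
            return 1
        fi
        echo "ipfw add $n allow ip from $host to any"
        echo "ipfw add $((n + 1)) allow ip from any to $host"
        n=$((n + 2))
    done

    # Catch-all per-host limit for the rest of the subnet.
    echo "ipfw add 100 pipe 100 ip from $subnet to any"
    echo "ipfw add 200 pipe 200 ip from any to $subnet"
}

# Apply the generated rules; with DRY_RUN=1 only print them.
ipfw_apply() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        ipfw_per_host_rules "$@"
    else
        ipfw_per_host_rules "$@" | sh -e
    fi
}

# Demo on the post's numbers: 250 Kbit/s per host on 192.168.1.0/24, with
# 192.168.1.199 unrestricted.  Run as: sh limiter.sh --demo
if [ "${1:-}" = "--demo" ]; then
    echo "# 30% headroom for a 4000 Kbit/s link: $(ipfw_safe_kbit 4000) Kbit/s"
    DRY_RUN=1 ipfw_apply 192.168.1.0/24 250 250 192.168.1.199
fi
```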

Re: [pfSense Support] Re: blocked by many rules?

2008-07-07 Thread Ermal Luçi
On Mon, Jul 7, 2008 at 7:47 AM, sai <[EMAIL PROTECTED]> wrote:
> I tested this and it looks like this is a side effect of the new shaper.
>

What's the wrong side of it?

Ermal

> sai
>
> On 6/19/08, sai <[EMAIL PROTECTED]> wrote:
>> Is this normal? I just opened my log files and clicked on one of the
>>  red icons. I seem to remember that blocked packets only had one
>>  associated rule. I get this:
>>
>>  <10.10.10.10>
>>
>>  The rule that triggered this action is:
>>
>>  @2 block drop in log all label "Default deny rule"
>>  @20 block drop in on ! rl1 inet from 192.168.10.0/24 to any
>>  @21 block drop in inet from 192.168.10.10 to any
>>  @22 block drop in on ! rl2 inet from 11.22.33.0/24 to any
>>  @23 block drop in inet from 11.22.33.215 to any
>>  @24 block drop in on rl0 inet6 from fe80::xx:xx:xx:b767 to any
>>  @25 block drop in on rl1 inet6 from fe80::xx:xx:xx:b766 to any
>>  @26 block drop in on rl2 inet6 from fe80::xx:xx:xx:b765 to any
>>  @27 anchor "spoofing" all
>>  @28 anchor "spoofing" all
>>  @29 block drop in on vr0 inet6 from fe80::xx:xx:xx:ca70 to any
>>
>>  I had Ermal's shaper installed and in use but due to ISP problems got rid of
>> it.
>>
>



-- 
Ermal




Re: [pfSense Support] Re: DHCP ranges

2008-06-23 Thread Ermal Luçi
On Mon, Jun 23, 2008 at 6:39 PM, Matias Surdi <[EMAIL PROTECTED]> wrote:
> Matias Surdi wrote:
>>
>> Reza Ambler wrote:
>>>
>>> Also, is it possible to set DHCP options? I know the new Wyse thin client
>>> v10L looks for certain DHCP options to be configured in order for it to
>>> automatically pull new firm ware. So I was hoping to accomplish this with
>>> our pfSense machines. Would it be possible to set them manually in the
>>> config, or would it be wiped?
>>> Thanks,
>>>
>>> -Original Message-
>>> From: news [mailto:[EMAIL PROTECTED] On Behalf Of Matias Surdi
>>> Sent: Tuesday, June 17, 2008 9:37 AM
>>> To: support@pfsense.com
>>> Subject: [pfSense Support] DHCP ranges
>>>
>>> Is it possible to specify more than one dhcp range?
>>> If not, will it be available in 1.3?
>>>
>>> Sorry for making so much questions, but I'm trying to migrate our
>>> firewalls here, and I've to find work arounds for every feature we need.
>>>
>>> Thanks for your patience.
>>>
>>>
>>
>>
>> I've implemented this feature (although not thoroughly tested).
>>
>> I've attached the corresponding patches to
>>
>>  http://cvstrac.pfsense.org/tktview?tn=1762
>
> Sorry, but with "this feature" I mean the one from the first post (multiple
> ranges).
>

Can you please sync your cvs tarball and redo the patch and not touch
code that is not related to your changes?

Thank you.
-- 
Ermal




Re: [pfSense Support] Building kernel fail on freebsd 7

2008-06-21 Thread Ermal Luçi
Try adding device ucom to the kernel config.

On Sun, Jun 22, 2008 at 12:26 AM, Aziz THRAYA <[EMAIL PROTECTED]> wrote:
> Hi all,
>
>
>
> I am trying to build a customized kernel pfSense_wrap.7 and make embedded pfSense
> 1.3 running on FreeBSD 7. So I edited pfsense_local.sh and
> build_embedded.sh to use FreeBSD 7, RELENG_7_0 and a 500 MB flash disk.
>
> But during the build I have this error:
>
>
>
> --
>
> stage 3.2: building everything
>
> --
>
> cd /usr/obj.pfSense/usr/src/sys/pfSense_wrap.7;
> MAKEOBJDIRPREFIX=/usr/obj.pfSense  MACHINE_ARCH=i386  MACHINE=i386
> CPUTYPE=  GROFF_BIN_PATH=/usr/obj.pfSense/usr/src/tmp/legacy/usr/bin
> GROFF_FONT_PATH=/usr/obj.pfSense/usr/src/tmp/legacy/usr/share/groff_font
> GROFF_TMAC_PATH=/usr/obj.pfSense/usr/src/tmp/legacy/usr/share/tmac
> _SHLIBDIRPREFIX=/usr/obj.pfSense/usr/src/tmp  INSTALL="sh
> /usr/src/tools/install.sh"
> PATH=/usr/obj.pfSense/usr/src/tmp/legacy/usr/sbin:/usr/obj.pfSense/usr/src/tmp/legacy/usr/bin:/usr/obj.pfSense/usr/src/tmp/legacy/usr/games:/usr/obj.pfSense/usr/src/tmp/usr/sbin:/usr/obj.pfSense/usr/src/tmp/usr/bin:/usr/obj.pfSense/usr/src/tmp/usr/games:/sbin:/bin:/usr/sbin:/usr/bin
> make KERNEL=kernel all -DNO_MODULES_OBJ
>
> linking kernel
>
> ubsa.o(.text+0x3e3): In function `ubsa_attach':
>
> : undefined reference to `ucom_attach'
>
> ubsa.o(.text+0x85): In function `ubsa_detach':
>
> : undefined reference to `ucom_detach'
>
> ubsa.o(.text+0x3f5): In function `ubsa_notify':
>
> : undefined reference to `ucom_status_change'
>
> ubsa.o(.data+0xa8): undefined reference to `ucom_devclass'
>
> *** Error code 1
>
>
>
> Stop in /usr/obj.pfSense/usr/src/sys/pfSense_wrap.7.
>
> *** Error code 1
>
>
>
> Stop in /usr/src.
>
> *** Error code 1
>
>
>
> Stop in /usr/src.
>
>
>
> OK, you will tell me to try the default kernel configuration pfSense_wrap.7, but I
> built my customized kernel in FreeBSD 7 (make buildkernel
> KERNCONF=pfSense_wrap.7) and all is OK with a successful build…
>
>
>
> What is the ubsa device in the kernel conf? Can I remove it?
>
> Why was the kernel built successfully manually and not with the script?
>
>
>
> Thank you for your help and sorry for my bad English :)



-- 
Ermal




Re: [pfSense Support] Mod the kernel of embedded_warp.7_0 (pfsense 1.3 alpha )

2008-05-28 Thread Ermal Luçi
On Wed, May 28, 2008 at 11:07 AM, Aziz THRAYA <[EMAIL PROTECTED]> wrote:
> Hi all,
>
>
>
> I have modified some FreeBSD kernels without problems, but modding the pfSense
> kernel is too hard without docs.
>
>
>
> So I want to mod the kernel and make pfSense 1.3 ALPHA embedded, but I haven't
> found any docs except:
>
> http://devwiki.pfsense.org/wikka.php?wakka=BuildingpFSense
>
>
>
> I downloaded and installed "pfSense-7.0-RELENG_1-Developers-LiveCD.iso.gz"
>
> I ran "./cvsup_current"
>
> I modded "/home/pfsense/builder_script/conf/embedded_warp.7_0 kernel"
>
> I ran "./build_embedded.sh" and that makes the pfsense.img
>
> But when I install it I get the pfSense 1.2 testing distribution and the
> webconfigurator doesn't work
>
>

You need to customize pfsense_local.sh and get familiar with the build system.

Ermal

>
> How do I add a package (LCDPROC) to the embedded img?
>
>
>
> Any help please? How do I mod the pfSense kernel?
>
>
>
> Thank you for your help.
>
>
>
>




Re: [pfSense Support] PFsense wan hangs up after 10min

2008-05-21 Thread Ermal Luçi
On Wed, May 21, 2008 at 11:14 PM, Chris Flugstad <[EMAIL PROTECTED]> wrote:
> I am having a similar problem.  Strangely this box, which has been up for
> months, now won't respond to commands.  The web GUI works but then gets slow and
> then stops.  I can ping the box from both WAN and LAN and ssh into it.  If I
> try to do a web restart from the CLI it just sits and does nothing.  If I try
> to do a restart or halt from the CLI, it just sits.  The box doesn't get
> disconnected but is just not responding.  I did an upgrade from the console and
> when I got to log in to the GUI for the 5 minutes it lets me, it said it had
> the newest build.
>
> I have unplugged all connections except WAN and myself on the LAN and it's
> still behaving like this.
>
> Any light shed on this?
>
Any errors reported in the logs?
Can you check with top or ps what is going on?
Are there any coredumps around the machine?
Can you get a tcpdump of packets?

I have seen this behavior under very low RAM devices, like with 64MB,
but on a normal machine it is just weird.

Ermal

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [pfSense Support] Re: atheros / ath driver

2008-05-20 Thread Ermal Luçi
On Tue, May 20, 2008 at 3:06 PM, Beat Siegenthaler
<[EMAIL PROTECTED]> wrote:
> Ermal Luçi wrote:
>
>
>> Are you by any chance running the traffic shaper on the atheros interface?
>> If yes, disabling it does help anyhow?
>
> This makes a very big difference. The mbuf counter does now show a "normal"
> behavior.
>
> 175/350/525 mbufs in use (current/cache/total)
> even with Zattoo and incoming Torrent Load...
>
> ath error counters are still the same, but no more mbuf trouble...
>
> See picture @
> http://forum.pfsense.org/index.php/topic,1007.msg53920.html#msg53920
>
> kind regards, Beat
>

Is it usable now apart from the ath errors?!
Meaning it does not disconnect and there is no weird behaviour.

Ermal




Re: [pfSense Support] Re: atheros / ath driver

2008-05-19 Thread Ermal Luçi
On Mon, May 19, 2008 at 10:02 AM, Simon Gerber <[EMAIL PROTECTED]> wrote:
> Yup, never said it does not run fine, but still, having errors is
> never a good thing.
>
> Interference is very unlikely; apart from a channel 11 WLAN nothing
> emits (have not yet used a spectrometer) in my neighborhood.
> (Am using channel 1).
>
> Gonna try and switch to 5GHz just to see if it improves.
>
> As for athstats, it's only semi useful as the rx buffer overrun seems to
> creep up on many of the pfSense/embedded/atheros users.
>
> Thanks for the input, it always helps.

Are you by any chance running the traffic shaper on the atheros interface?
If yes, disabling it does help anyhow?

Ermal

>
> Regards, Simon
>
> Chris Buechler wrote:
>> On Sun, May 18, 2008 at 9:02 AM, Simon Gerber <[EMAIL PROTECTED]> wrote:
>>> I have the exact same problem.
>>> Updated yesterday to PFsense 1.2 (FreeBSD 6.3) based with the updated
>>> HAL driver but still have tons of "IN" errors.
>>>
>>> ALIX board (latest bios installed) using either CM9 or wlm54abg 200mW as
>>> wireless card with 2 antenna setup. Installed on Microdrive using
>>> embedded kernel but else "writable" setup.
>>>
>>> Played with sysctl settings to no avail.
>>> In errors still here after playing with the following parameters in
>>> almost every combination:
>>>
>>> hw.ath.txbuf: 3000
>>> hw.ath.rxbuf: 6000
>>> dev.ath.0.txantenna: 2
>>> dev.ath.0.rxantenna: 2
>>> dev.ath.0.diversity: 0
>>> dev.ath.0.tpscale: 1
>>> dev.ath.0.tpc: 1
>>>
>>> There is no real "better" settings situation from what I can tell, so I too
>>>  "blame" the problems on the driver or on an issue with the hardware.
>>>
>>
>> It could also be interference, and potentially other things as well.
>> Run "athstats" at a command prompt or the command page and you may get
>> some helpful info. My trusty old pre-1.0 pfSense AP always shows tens
>> of thousands of errors on the ath interface but it works fine. It's
>> one of those things I want to look at closer eventually, but I don't
>> have any problems with it, so it hasn't been a priority.
>
>




Re: [pfSense Support] limited per IP

2008-05-01 Thread Ermal Luçi
Well, do not hope this will ever work.

The problem is pretty simple: there are 2 actions applied to the same
packet while this happens:
1- redirect changes the destination address
2- dummynet, which just keeps the packet according to preconfigured
conditions and then reloops the packet.

I.e. a packet from 192.168.1.1 to www.yahoo.com enters the WAN interface;
in ip_input() it hits a pf rdr rule which changes www.yahoo.com to
www.internal.yahoo.com. After that the packet hits an ipfw dummynet rule
which, after doing its QoS, reloops the packet to ip_input(), which again
sends it to pf, which again hits the rdr rule, which in the case of TCP
drops the packet since a state already exists, or the packet loops in
the stack forever, exhausting it. With UDP this might not happen, but you
also might get a recursion in some cases.

The solution is just 2 flags in the pf tag or 2 new mbuf flags which
state that the packet has already been processed by pf, and all this
would get fixed.

Why I haven't fixed this as of now? Well, it is on the list :S

Greetings,
Ermal


On Thu, May 1, 2008 at 10:30 PM, Scott Ullrich <[EMAIL PROTECTED]> wrote:
> On 5/1/08, Luiz Vaz <[EMAIL PROTECTED]> wrote:
>
>
> > Well,
>  >
>  >   in my tests, "any to any" pipes hung all the time.
>  >   And the "via" setting didn't work well either.
>  >
>  >   The pipe creation order is a problem too.
>  >   The manual doesn't talk about this, but you need to create the pipe before
>  > applying the mask.
>  >   Using the way you are trying, the pipe is created in the first command
>  > and again on the second. This can cause the hang on WAN, because the mask
>  > will be set but the queue won't.
>  >
>  >   Taking a deep look, I saw that with the mask combination used in your script
>  > you are matching the last byte of the WAN client address.
>  >   So a client with address 64.233.167.99 and another with 200.221.2.99 are
>  > matched as the same.
>  >   If you want to fix the bandwidth for an internet address you need to use a
>  > full 0x mask.
>  >   Otherwise, pipes 101 and 102 have src-ip and dst-ip in inverse order.
>  >
>  >   I will rewrite your script using my approach for both LAN and WAN.
>  >
>  >   When it's OK I will send it to you!
>
>  Yes, please do, and I will add the package back and you will make a
>  lot of ppl happy.  Including an angry user from Lake of Egypt.   /me
>  ducks
>
>
>
>
>  Scott
>




Re: [pfSense Support] RRD graphs keep going NaN

2008-04-29 Thread Ermal Luçi
On Tue, Apr 29, 2008 at 7:13 PM, Jeppe Øland <[EMAIL PROTECTED]> wrote:
> If I just run it in the "Diagnostics/Command" field, it doesn't show anything.
>
>  How many are supposed to be running at any one time?!?

Actually you have to run that from ssh since it runs in the background!
Sorry, I forgot to mention that!

Ermal




>  $ ps -efx | grep update
>  34828  ??  SN 0:00.16  /bin/sh /var/db/rrd/updaterrd.sh
>  35228  ??  SN 0:00.00  /bin/sh /var/db/rrd/updaterrd.sh
>  35240  ??  SN 0:00.01  /bin/sh /var/db/rrd/updaterrd.sh
>
>  Regards,
>  -Jeppe
>
>
>
>  On Tue, Apr 29, 2008 at 9:23 AM, Ermal Luçi <[EMAIL PROTECTED]> wrote:
>  > When the issue shows up can you run /var/db/rrd/updaterrd.sh manually
>  >  and tell me the output?
>  >
>  >  Ermal
>  >
>  >
>  >
>  >  On Tue, Apr 29, 2008 at 9:34 AM, Jeppe Øland <[EMAIL PROTECTED]> wrote:
>  >  > After upgrading to 1.2 embedded, the RRD graphs keep getting into a
>  >  >  state where they show nothing, and all the values listed below the
>  >  >  graphs are nan.
>  >  >
>  >  >  I have tried the hack to reset the graphs (delete the RRD files
>  >  >  manually, and run the PHP function to start it again), but that only
>  >  >  makes it work for a little while.
>  >  >
>  >  >  Any known things that can cause this, and any workarounds?
>  >  >
>  >  >  Regards,
>  >  >  -Jeppe
>  >  >
>




Re: [pfSense Support] RRD graphs keep going NaN

2008-04-29 Thread Ermal Luçi
When the issue shows up can you run /var/db/rrd/updaterrd.sh manually
and tell me the output?

Ermal

On Tue, Apr 29, 2008 at 9:34 AM, Jeppe Øland <[EMAIL PROTECTED]> wrote:
> After upgrading to 1.2 embedded, the RRD graphs keep getting into a
>  state where they show nothing, and all the values listed below the
>  graphs are nan.
>
>  I have tried the hack to reset the graphs (delete the RRD files
>  manually, and run the PHP function to start it again), but that only
>  makes it work for a little while.
>
>  Any known things that can cause this, and any workarounds?
>
>  Regards,
>  -Jeppe
>




Re: [pfSense Support] 'maximum new connections / per second' in advaned options

2008-04-18 Thread Ermal Luçi
On Fri, Apr 18, 2008 at 9:53 AM, Yin Gang <[EMAIL PROTECTED]> wrote:
> Hi,
>
>  I've been using pfsense 1.2 as my company's internet sharing router
>  for a few days.
>
>  Yesterday I set a threshold value for the "maximum new connections /
>  per second" on the default LAN rule. I also set some other advanced
>  options mainly to reduce the impact from some p2p download software.
>  Today one guy came to me and said his computer can't reach the internet
>  anymore. After some digging, I found that:
>
>  He has software on his computer which can emit many connections all of
>  a sudden (which exceeded my setting quite a lot), and after that his
>  computer would fail to access the internet. At this time, the pfSense
>  router can ping his computer quite well while the latter can't ping the
>  router. Finally his computer can access the router or the internet again
>  after changing its IP address or restarting the router.
>  That's not a good solution for sure ;-)
>
>  Because the problem could be repeated exactly, I guess that maybe the
>  router has banned the computer's IP address because of that software on
>  it. I think there may be somewhere in the webConfigurator to handle
>  these banning things. But I failed to find any related function
>  page.
>
>  Then I cleared the 'maximum new connections per second' setting and
>  the problem is just gone, no matter how the guy uses that software.
>
>  Of course, I could just increase the threshold value or even tell the guy
>  not to use that software.
>
>  But I still wonder if there is any way for me to view all these banned IP
>  addresses? Is there any way for me to de-ban them? How long would be
>  the banning period?
>

There is no banning; it is just doing what you told it to do: limit the
number of concurrent connections on a configured time basis.
If you still want to keep that setting, read the pf manual here to
configure just that machine's IP to be more tolerant, and be more
aggressive on the time its TCP connections can live on the rule.

Ermal

>  I'm not a bsd expert and just use unix/linux once in a while. Any help
>  would be appreciated.
>
>  --
>  Best Regards,
>  Yin Gang
>




Re: [pfSense Support] blocking to destination ports

2008-04-11 Thread Ermal Luçi
On Fri, Apr 11, 2008 at 9:06 PM, Chris Buechler <[EMAIL PROTECTED]> wrote:
> Ermal Luçi wrote:
>
> > What's wrong with only in rules?!
> >
> > You can do the same blocking as you would do with out and just save
> > your computer from blocking the packet after traversing the whole
> > machine!
> >
> >
>
>  The interface it's blocked on is relatively irrelevant. You can do anything
> with only in rules, but in some circumstances, it's *much* easier to use
> outbound rules because you can accomplish the same thing with far fewer
> rules. One good example is a box with several interfaces where you want to
> use a single egress ruleset for Internet traffic without configuring the
> same ruleset multiple times.
>
>  But isn't this all a moot argument now? Ermal, doesn't your shaper work
> allow in and out filtering in 1.3?

Yes, that's for sure; it allows you to do such things, and I know where
those out or generic rules come in handy.
http://forum.pfsense.org/index.php/topic,2718.180.html
3rd reply in that page or post #182 explains it.

I just have not advertised it since 'in' rules in this case still do the job.

Ermal
>
>
>
>




Re: [pfSense Support] blocking to destination ports

2008-04-11 Thread Ermal Luçi
On Fri, Apr 11, 2008 at 7:33 AM, Jan Zorz <[EMAIL PROTECTED]> wrote:
> Don't bother with this. I ran through a small flame-war with Scott about
> this, wrote my own patches for pfSense, that were working flawlessly on
> 1.0.1 and were applying rules on out-traffic, but political persuasion on
> the devs' side prevented those patches from being implemented...
>
>  Too bad, from my point of view.
>
What's wrong with only in rules?!

You can do the same blocking as you would do with out and just save
your computer from blocking the packet after traversing the whole
machine!

Ermal

>  Don't start that all over again, just learn to live with in-only rules.
>
>  /jan
>
>
>
>  Randy Schultz wrote:
>
> > Hiya,
> >
> > We are running 1.2-RELEASE with a bridge across OPT1 and OPT2.  Is there
> > any way to block to destination ports?  I have found blocking from source
> > ports but cannot find anything that allows me to block traffic to a port.
> > Have I just overlooked something?
> >
> > --
> >  Randy([EMAIL PROTECTED])  765.983.1283 <*>
> >
> > Love with your heart, think with your head;  not the other way around.
> >
> >




Re: [pfSense Support] PPP with Verizon USB Card

2008-03-27 Thread Ermal Luçi
On Fri, Mar 28, 2008 at 12:45 AM, Reza Ambler <[EMAIL PROTECTED]> wrote:
> Hey everyone,
> I just saw a friend of mine using a Verizon Wireless card with wvdial. I
> wanted to know if it is possible to get pfSense to dial a on-demand PPP
> connection to a USB based modem? This would be good in the cases where a
> client has a downed internet connection. We could have a technician show up
> and route everything through a Verizon card while we wait for the ISP to fix
> their issue.
> Any thoughts are appreciated,

Check mpd; it can do this.

> -Reza
>




Re: [pfSense Support] Any chance of pfsense being a port?

2008-03-19 Thread Ermal Luçi
I do not know the reason to have this as a port.

If you have gone to FreeBSD then you know what you are doing.
If you want the simplicity, download pfSense.

Simple as that.

I am not saying that it cannot be a port, but that is too much hassle
getting it built in the first place; I do not want to think about maintaining it.



On Wed, Mar 19, 2008 at 6:23 PM, Chris Buechler <[EMAIL PROTECTED]> wrote:
> Scott Ullrich wrote:
>  > None of us have the time and/or patience to maintain a FreeBSD port.
>  > Since we replace the /etc/rc system with PHP that would hardly be a
>  > good idea.
>  >
>
>  Plus a few kernel patches, a custom kernel config, and it would have to
>  install numerous other ports. It would be a huge effort that may be
>  impossible (I don't know that a port can patch /usr/src and rebuild
>  world and kernel), and it's not a priority. It's unlikely that this will
>  ever happen.
>
>
>
>
>




Re: [pfSense Support] Fatal trap 12 during installation

2008-03-19 Thread Ermal Luçi
On Wed, Mar 19, 2008 at 6:56 PM, Mike Lever <[EMAIL PROTECTED]> wrote:
> Done! Removed them and it works fine. I put the 2 x D-Links into an old P4;
>  it boots up fine!
>
>  So then the problem is the board? The processor?
>
>  Can you suggest a board that you know for certain works with either the
>  dlinks or Intel 4 port cards ?
>
>
Just make sure the board does not share interrupts between PCI slots.
That would mostly take care of it.

Though it is just a suggestion.
>  Regards,
>
>
>  Mike Lever
>
>  Tenacity Films (Pty) Ltd t/a
>  Velocity Films
>
>  (T) +2711-807-0100
>  (F) 086-681-7518
>
>  http://www.velocityfilms.com
>
>
>  CONFIDENTIALITY CAUTION: If you have received this communication in error,
>  please note that it is intended for the addressee only, is privileged and
>  confidential and dissemination or copying prohibited. Please notify us
>  immediately by e-mail and return the original message. Thank you.
>
>
>
> -Original Message-
>  From: Scott Ullrich [mailto:[EMAIL PROTECTED]
>  Sent: 19 Mar 2008 07:55 PM
>  To: support@pfsense.com
>  Subject: Re: [pfSense Support] Fatal trap 12 during installation
>
>
>
> On 3/19/08, Mike Lever <[EMAIL PROTECTED]> wrote:
>  > The last line before the error is:
>  >
>  >  ste0:   on
>  >  pci3
>
>  Try removing one of the dlink 4 port cards.  I get similar panics when
>  trying to use 2 PCI-E 4-port intel gigabit cards as well.
>
>  Scott
>




Re: [pfSense Support] Strange problem

2008-03-18 Thread Ermal Luçi
On Tue, Mar 18, 2008 at 8:08 PM, Curtis Maurand <[EMAIL PROTECTED]> wrote:
>
> No iptables.  It wasn't even installed until 2 minutes ago.  No http proxy
> statements; very generic Gentoo installation on the laptop.  I have not tried
> wget, but I did try telnet to a host on port 80 and the connection hung.  I
> had to do a ^] to get out of it.  I have not tried wget, lynx or curl,
> though they are all installed.
>
> I'll try a tcpdump from the pfsense machine the next time I'm in there and
> see what I find.

Try disabling SACK on the Linux host, or even socket autosizing.

>
> thanks,
>
> Curtis
>
>
> - Original Message -
> From: "RB" <[EMAIL PROTECTED]>
> To: support@pfsense.com
> Sent: Tuesday, March 18, 2008 2:15:34 PM (GMT-0500) America/New_York
> Subject: Re: [pfSense Support] Strange problem
>
>
> On 3/18/08, Curtis Maurand <[EMAIL PROTECTED]> wrote:
> > Like I said, it works fine on the same hardware if I run Windows, but not
> > if I run Linux.  I've used IE and firefox on Windows, IE, firefox, epiphany
> > and konqueror on Linux.  I wish I had a MAC to test with.  :-(
>
> I have one, and it works fine on my various networks.
>
> OS and hardware likely aren't the issue here.  Have you done something
> like 'export http_proxy="http://foobar:8080"' in your profile on the
> Linux box, or set up a port redirect with iptables, or any one of the
> other thousands of ways to muck with your http traffic on   a Linux
> client?  Have you tried using wget, curl, or lynx?
>
> Try the tcpdump from your pfSense system; it'll be the most immediate
> and apparent.  If you see appropriate traffic (which at the moment I
> honestly doubt you will), then there's something really strange with
> your pfSense setup.  Otherwise, you know it's something on the client.
>




Re: [pfSense Support] Squid using RAM disk

2008-03-05 Thread Ermal Luçi
On Wed, Mar 5, 2008 at 8:40 PM, Radio Tech <[EMAIL PROTECTED]> wrote:
> Is there a way to make squid use RAM instead of hard drive for logs and
>  cache?  I can put 8 gigs of ram in a machine.  I could put a hard drive if i
>  really had to, but I would really like to not have to.  If it is possible,
>  can I get some basic instructions on what to do.  Thanks for your help,
>  Ryan.

This is a bad idea.

>
>  Running on
>  Intel Workstation Board S975XBX2
>  Intel Core 2 Duo 2.2 Ghz processor
>  3 ea Intel PCI-express Desktop Gigabit network cards (plus one onboard)
>  (WAN1, WAN2, LAN, SPARE)
>  Transcend 1 gig IDE flash module
>  2 gigs RAM, but can put more if need be.
>  (I know this is overkill for 20 computers on 2 each 6 meg internet
>  connections, but I got a good deal on the parts and really need squid to run
>  fast.  I want to use the Squid Light report utility)
>
>
>
>
>
>




Re: [pfSense Support] Downloading/Uploading IP identification

2008-02-26 Thread Ermal Luçi
Log in to pfSense through ssh.
pkg_add -r rate

then: rate -i {interface_to_monitor} -R (or similar); it should even have
an option to do ranking to show your most hungry host.

If you find it useful, wrap a GUI around it and send patches.

On Tue, Feb 26, 2008 at 4:15 PM, Bosco <[EMAIL PROTECTED]> wrote:
>
>
>
> Hi all,
>
> I am using pfSense solution for a while (about 6 months) - version
> 1.2 with 1 LAN + 3 WANs - and sometimes the Download or Upload traffic goes
> very high.
>
> How do I know who (the LAN IP address) is downloading or uploading -
> any package or command ?
>
> thanks
>
> JBosco
>
>
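The ranking that the `rate -R` suggestion above is after (which LAN host is moving the most bytes in each direction) can be reproduced from any per-packet or per-flow record source. The following is an added illustration, not code from the pfSense project or from the `rate` tool; the LAN prefix 192.168.1.0/24 is an assumed placeholder and the sample records are constructed. It counts only traffic that crosses the LAN boundary, so LAN-to-LAN chatter does not inflate a host's WAN usage:

```python
"""Rank LAN hosts by WAN traffic volume, the way a top-talkers view does.

Added illustration; not part of pfSense or the `rate` package.
Assumptions: LAN is 192.168.1.0/24 (placeholder), records are
(src_ip, dst_ip, byte_count) tuples as one would derive from tcpdump
or a flow export.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")  # assumed LAN subnet (placeholder)

# Constructed sample records: (src, dst, bytes).
SAMPLE = [
    ("192.168.1.10", "203.0.113.5", 1500),
    ("203.0.113.5", "192.168.1.10", 60000),
    ("192.168.1.20", "198.51.100.7", 900000),  # large upload from .20
    ("198.51.100.7", "192.168.1.20", 4000),
    ("192.168.1.30", "192.168.1.10", 50000),   # LAN-to-LAN: not WAN usage
    ("203.0.113.9", "192.168.1.10", 120000),
]


def account(records, lan=LAN):
    """Return {lan_host: {"down": bytes, "up": bytes}}.

    A record counts as 'up' when the source is inside the LAN and the
    destination outside, 'down' for the reverse; records with both ends
    inside (or both outside) the LAN are ignored.
    """
    totals = defaultdict(lambda: {"down": 0, "up": 0})
    for src, dst, size in records:
        src_in = ip_address(src) in lan
        dst_in = ip_address(dst) in lan
        if src_in and not dst_in:
            totals[src]["up"] += size
        elif dst_in and not src_in:
            totals[dst]["down"] += size
    return dict(totals)


def top_talkers(records, direction="total", n=5, lan=LAN):
    """Rank LAN hosts by 'up', 'down' or 'total' bytes, largest first.

    Returns a list of (host, bytes) tuples, at most n entries.
    """
    totals = account(records, lan)

    def volume(item):
        _host, t = item
        if direction == "total":
            return t["up"] + t["down"]
        return t[direction]

    ranked = sorted(totals.items(), key=volume, reverse=True)[:n]
    return [(host, volume((host, t))) for host, t in ranked]


if __name__ == "__main__":
    for label in ("down", "up", "total"):
        print(f"--- top by {label} ---")
        for host, nbytes in top_talkers(SAMPLE, label):
            print(f"{host:16} {nbytes:>10} bytes")
```

On a live box the records would be fed from a capture on the LAN interface; the direction test is what keeps a busy file server talking to other LAN hosts from showing up as the "hungry" WAN consumer.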




Re: [pfSense Support] delay problem when traffic shaper is enabled

2008-02-20 Thread Ermal Luçi
On Wed, Feb 20, 2008 at 9:39 PM, Rossella Mariotti-Jones
<[EMAIL PROTECTED]> wrote:
>
>
>
>
> Hi all, we're running pfsense v. 1.2-rc4 with Snort and for a while we have
> noticed delay problems when the traffic shaper is enabled. Ping times from
> LAN to the gateway vary greatly and often are all over the place, as soon as
> we turn the traffic shaper off and/or disable the wizard ping times seem to
> return to normal (1 – 2ms). Did anybody encounter such problem? Thanks in
> advance.
>
Rossella,

Can you please post your rules.debug, found in /tmp?
There might be some cases that are difficult to reproduce which show
some delay problems with ALTQ.
Please, with that, send info about your network config, the hardware you
are using and the setup of your pfSense.

Thank You,
Ermal
>
>
> ***
>
> Rossella Mariotti-Jones
>
> [EMAIL PROTECTED]
>
>
>
>
>
> Network Analyst, SS - SPIR - IT TAC
>
> desk 503-589-7775 - cell 503-480-4255
>
>
>
>  PRIVILEGED AND CONFIDENTIAL COMMUNICATION   This electronic
> transmission, and any documents attached hereto, may contain confidential
> and/or legally privileged information.  The information is intended only for
> use by the recipient named above.  If you have received this electronic
> message in error, please notify the sender and delete the electronic
> message.  Any disclosure, copying, distribution, or use of the contents of
> information received in error is strictly prohibited.
>
>



