Re: [pfSense Support] Test-Upgrade from 1.2.3 to 2.0RC3 Alix

2011-06-25 Thread Evgeny Yurchenko

On Jun 25, 2011, at 3:01 PM, Klaus Lichtenwalder wrote:

> On 25.06.2011 20:52, Evgeny Yurchenko wrote:
>> 
>> On Jun 25, 2011, at 2:06 PM, Klaus Lichtenwalder wrote:
>> 
> >>> On 24.06.2011 14:11, Ermal Luçi wrote:
>>>>> ..
>>>> 
>>>> I just put some more error checking in the code.
>>>> Please test with latest snapshots of tomorrow.
>>>> 
>>>> Also would be useful if it happens again to have your certificate
>>>> section from the xml
>>>> even in private e-mails.
>>>> 
>>> 
>>> Ermal,
>>> 
>>> I don't know whether this is the newest you meant, but up to now there's
>>> no other image than: pfSense-2.0-RC3-1g-i386-20110624-1747-nanobsd.img
>>> 
>>> I restored my config and got the following, different result:
>>> 
> [...]
> 
>>> 
>>> ---
>> By old config you mean config from 1.2.3?
>> 
>> 
> Correct. I just want to take my old config without too much hassle, as
> probably regenerating manually would be. And from the list I gather that
> people are able to do this...
> 
> Klaus
> 
> -- 
ok, ok, we understand -)
You are spamming the list by sending the same message every 5 minutes.


-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org



Re: [pfSense Support] Test-Upgrade from 1.2.3 to 2.0RC3 Alix

2011-06-25 Thread Evgeny Yurchenko

On Jun 25, 2011, at 2:06 PM, Klaus Lichtenwalder wrote:

> On 24.06.2011 14:11, Ermal Luçi wrote:
>>> ..
>> 
>> I just put some more error checking in the code.
>> Please test with latest snapshots of tomorrow.
>> 
>> Also would be useful if it happens again to have your certificate
>> section from the xml
>> even in private e-mails.
>> 
> 
> Ermal,
> 
> I don't know whether this is the newest you meant, but up to now there's
> no other image than: pfSense-2.0-RC3-1g-i386-20110624-1747-nanobsd.img
> 
> I restored my config and got the following, different result:
> 
> v cut here 
> Updating configuration
> 
> ** WARNING **
> 
> Configuration could not be validated. A previous configuration was
> restored.
> 
> The failed configuration file has been saved as /conf/config.xml.bad}
> 
> done.
> Cleaning backup cache...done.
> ...
> Synchronizing user settings...
> Warning: Invalid argument supplied for foreach() in /etc/inc/auth.inc on
> line 211
> done.
> Starting webConfigurator...
> 
> ** WARNING **
> 
> Configuration could not be validated. A previous configuration was
> restored.
> 
> The failed configuration file has been saved as /conf/config.xml.bad}
> 
> done.
> 
> Configuring IPsec VPN...
> Warning: Invalid argument supplied for foreach() in /etc/inc/vpn.inc on
> line 274
> done
> Generating RRD graphs...done.
> cut here^^^
> 
> 
> The error in auth.inc seems to remove the admin account, btw. I had to
> restore the Webconfigurator credentials:
> 
>  The webConfigurator admin password and privileges will be reset to
>  the default (which is "pfsense").
>  Do you want to proceed [y|n]?y
> 
>  Warning: Invalid argument supplied for foreach() in /etc/inc/auth.inc
>  on line 196
>  Failed to locate the admin user account! Attempting to restore access.
> 
> 
>  The password for the webConfigurator has been reset and
>  the default username has been set to "admin".
> 
> But to no avail...
> Right now I can't log in...
> 
> Klaus
> 
> ---
By old config you mean config from 1.2.3?





Re: [pfSense Support] CertManager

2011-06-23 Thread Evgeny Yurchenko

On Jun 16, 2011, at 8:36 AM, Fuchs, Martin wrote:

> Hi !
> I have an old cert that was used as the webui cert.
> I replaced this and wanted to delete the old cert, but the certmanager tells 
> me it’s still in use by IPSec Tunnel…
>  
> I have IPSec tunnels but none with certs…
> I already looked into my config in the IPSec-settings but I really cannot 
> find this cert…
>  
> Any idea where to find it or how to get rid of the old cert ?
>  
> Regards,
>  
> martin
Hi,
this should be fixed in the current snapshot. Though you have to edit/save your 
tunnels' phase 1s to get rid of the reference to the 'default' certificate.
Evgeny.

Re: [pfSense Support] Pfsense, OpenVPN and multicast

2011-05-19 Thread Evgeny Yurchenko

On 11-05-18 04:53 PM, Kurt Buff wrote:

On Wed, May 18, 2011 at 13:37, Evgeny Yurchenko wrote:

On 11-05-17 01:38 PM, Kurt Buff wrote:


On Tue, May 17, 2011 at 10:18, wrote:


All,

We have a subnet with a public IP address fronted by a pfsense
(1.2.3R) box with routing and OpenVPN enabled and configured. We're
testing this with a product that uses multicast - the server is in the
network protected by the pfsense box, and there will be one or more
clients connecting to it from the field.. While most network
functionality is present, the multicast traffic is not being seen on
the client.

Does pfsense/OpenVPN support multicast in this kind of arrangement?

We've added in the IGMPProxy package, which so far doesn't seem to be
doing anything for us, though we may not have configured that
correctly.

Thanks,

Kurt


I do not think igmpproxy will be of any use here.
Try routing the multicast IPs/subnet over the tunnel explicitly.
Evgeny.


I'm a complete newb at multicast stuff - never used it before. Since
this traffic will be completely contained over the OpenVPN link,
should I be using (per this link:
http://www.tcpipguide.com/free/t_IPMulticastAddressing.htm) addresses
from the administratively (or locally) scoped range?

Also, what might a route statement look like for multicast - different
than normal unicast routing, or pretty much the same?

Thanks,

Kurt


Don't try to route all multicast addresses (like 224.0.0.0/4); find out what
IP address(es) your application is using and try to route only this
one (these ones). Do not forget to allow it in Rules.
Route statement will look exactly like for 'normal' unicast.
Remember: I never tried that, I just do not see why it will not work -))) I
guess it is worth a try.
Evgeny.



After a buncha research, I found that this is a known issue, with a
hackish workaround. You have to enable tap, vs. tun, and the
directions are here: http://doc.pfsense.org/index.php/OpenVPN_Bridging
- I found it in pfSense, The Definitive Guide.

I haven't tried it yet, so we'll see how it goes.

If that doesn't work, I will probably try the tun/routing approach again.


please keep us posted. I am very curious to see how it goes.
thanks.




Re: [pfSense Support] Pfsense, OpenVPN and multicast

2011-05-18 Thread Evgeny Yurchenko

On 11-05-17 01:38 PM, Kurt Buff wrote:

On Tue, May 17, 2011 at 10:18, wrote:

All,

We have a subnet with a public IP address fronted by a pfsense
(1.2.3R) box with routing and OpenVPN enabled and configured. We're
testing this with a product that uses multicast - the server is in the
network protected by the pfsense box, and there will be one or more
clients connecting to it from the field.. While most network
functionality is present, the multicast traffic is not being seen on
the client.

Does pfsense/OpenVPN support multicast in this kind of arrangement?

We've added in the IGMPProxy package, which so far doesn't seem to be
doing anything for us, though we may not have configured that
correctly.

Thanks,

Kurt


I do not think igmpproxy will be of any use here.
Try routing the multicast IPs/subnet over the tunnel explicitly.
Evgeny.


I'm a complete newb at multicast stuff - never used it before. Since
this traffic will be completely contained over the OpenVPN link,
should I be using (per this link:
http://www.tcpipguide.com/free/t_IPMulticastAddressing.htm) addresses
from the administratively (or locally) scoped range?

Also, what might a route statement look like for multicast - different
than normal unicast routing, or pretty much the same?

Thanks,

Kurt

Don't try to route all multicast addresses (like 224.0.0.0/4); find out what IP address(es) your application is using and 
try to route only this one (these ones). Do not forget to allow it in Rules.

Route statement will look exactly like for 'normal' unicast.
Remember: I never tried that, I just do not see why it will not work -))) I guess 
it is worth a try.
Evgeny.




Re: [pfSense Support] CARP IP Not Registering MAC Address or Switch Disregarding CARP MAC Address -- Maybe???

2011-02-10 Thread Evgeny Yurchenko

On 11-02-10 11:07 AM, Vaughn L. Reid III wrote:



On 2/10/2011 10:42 AM, Vaughn L. Reid III wrote:



On 2/10/2011 9:32 AM, Vaughn L. Reid III wrote:

On 2/10/2011 2:43 AM, Seth Mos wrote:

On 10-2-2011 4:18, Vaughn L. Reid III wrote:






1. All the Master and backup status notifications in the web interface
on both PFSense boxes show the correct status
2. I'll do a packet capture tomorrow and see if the carp-heartbeat shows up

I was unaware that any Carp related traffic passed between any of the
interfaces except the one designated as the synchronization interface. I
need to double-check the multi-cast configuration on the switch tomorrow
also ( I think I have multi-cast enabled on the switch, but need to
confirm that).


Yes, some switches support multicast filtering; I know from experience with HP switches that it works with the 
setting on. So I know they have it implemented correctly. This way not all switch ports get the CARP traffic unless 
they participate in the multicast group. This cuts down on broadcast a lot.


I recommend the HP switches, they have never given me any grief as long as I've worked with them. I even have a 
carp cluster spanning 2 building across the street over a fiber connection. It just works.


If you need a managed switch on a budget I can confirm that the HP Procurve 1810-8G works well. It's web managed, 
supports vlans and basic traffic counters. It is also fanless.


The smallest I have in use on a CARP cluster is a ProCurve 2650 in combination with a 2900-48G. The biggest I have 
is an 8212zl. Do note that the software in the 1810 differs a lot from the other managed switches.


Regards,

Seth




I've run a packet capture and here are the results:

1. Capture shows a bunch of VRRP announcements from the primary firewall to destination 224.0.0.18. The 
destination confirms this is a multicast address, I believe. According to Wikipedia, VRRP and CARP share the same 
protocol number. So, I believe that these are CARP announcements.


2. All the VRRP requests had a vrrp.prio value of 0 with a description of "Priority: 0 (Current Master has stopped 
participating in VRRP)".


3.  Over a 114 second capture, there were no VRRP announcements from the 
secondary firewall.

4.  There were lots of ARP broadcast requests from the secondary firewall asking for who has the IP of the default 
gateway.  There were 0 ARP requests from the primary firewall during the capture period.


5.  There were lots of ICMP pings from both the primary and secondary Pfsense firewalls to the default gateway on 
this WAN interface.  I assume this is from the Load Balance Fail-Over configuration I have enabled for the cluster 
on this interface.


I confirmed that the Master firewall shows itself as Master for all interfaces.  I confirmed that the Secondary 
firewall shows itself as Backup for all interfaces.







I performed a second capture of 3 minutes on malfunctioning WAN and noted identical results for the VRRP/CARP 
packets.  On the second capture, however, I did see ARP requests from both firewalls asking for the MAC of the IP of 
the Default Gateway -- this was different from my item number 4 in the previous post.


I also performed a 3 minute packet capture from one of the known working WAN connections on the cluster.  The VRRP 
packets on that connection showed an origination address of the "Real" IP on primary/Master firewall and a multi-cast 
destination, just like the results from the problem WAN connection.  I also noted that the vrrp.prio value and 
description was the same on the working WAN as on the not-working WAN.


Both the working WAN connection packet capture and the non-Working WAN packet captures show IGMP packets noting the 
entering and leaving of multi-cast groups.







One more thing.  If I unplug the connection that leads to the ISP's black box  from the switch and leave everything 
else in place, pings from the secondary/backup firewall to the CARP start working as expected.


I'm not sure I understand this behavior.  With 2 IP addresses on the same subnet that can communicate with each other 
on the same VLAN of a switch, it seems to me that it shouldn't matter what else I plug into that switch (as long as it 
has a different IP and as long as

Re: [pfSense Support] CARP IP Not Registering MAC Address or Switch Disregarding CARP MAC Address -- Maybe???

2011-02-09 Thread Evgeny Yurchenko




On 2/9/2011 2:35 PM, e...@tm-k.com wrote:

[snip]

Address Learning enabled on the Switch (default setting):

[snip]
Can you briefly explain what 'address learning' is according to D-Link?






On 11-02-09 04:12 PM, Vaughn L. Reid III wrote:

According to page 15 of the reference manual "address learning" is:

Enable or disable MAC address learning for the selected ports. When Enabled, destination and source MAC addresses 
are automatically listed in the forwarding table. When address learning is Disabled, MAC addresses must be manually 
entered into the forwarding table. This is sometimes done for reasons of security or efficiency. See the section on 
Forwarding/Filtering for information on entering MAC addresses into the forwarding table. The default setting is 
Enabled.



One other thing.  I need to note that I have dedicated a CARP interface on each Pfsense box connected to each over via 
a cross-over cable.



Please do not top-post.
So Address Learning should be enabled.
1) Do you see one box as stand-by and the other one as active in the web interface?
2) Connect a laptop instead of the ISP's cable and run a packet capture; you should be able to see a CARP heartbeat 
once a second (multicast MAC + CARP IP in the destination field).


If one pfSense shows Active, the other one shows Stand-by, and on the laptop you see the heartbeat from only one 
(master) pfSense, then you did not mess up the CARP configuration and VLANs on the switch.


Evgeny.
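
Evgeny's check (one heartbeat per second with the multicast MAC as destination, from the master only) and Vaughn's captures in the other message of this thread (packets to 224.0.0.18 that Wireshark decodes as VRRP with "Priority: 0") both come down to the CARP header, which shares IP protocol 112 and the layout of its first bytes with VRRPv2. The following is an added example, not pfSense or FreeBSD code: it builds a constructed CARP advertisement, checks the header checksum, shows the same bytes under the CARP and the VRRP reading, and counts advertising sources per VHID so a capture can be checked for exactly one master. The HMAC field is left as placeholder bytes, since the real value is keyed with the VHID password and covers the advertised addresses, which the example does not reproduce; the IP addresses are constructed.

```python
"""Decode a CARP advertisement (IP protocol 112) as seen in a capture on
the switch, and show why a VRRP dissector reports it as "Priority: 0".

Added example for this thread, not code from pfSense or FreeBSD. The
packet bytes are constructed; the HMAC field holds placeholder bytes.
"""
import struct

CARP_PROTO = 112                        # shared with VRRP: dissectors guess VRRP
CARP_GROUP = "224.0.0.18"               # all-VRRP/CARP-routers multicast group
CARP_GROUP_MAC = "01:00:5e:00:00:12"    # Ethernet multicast MAC for 224.0.0.18

# 36-byte CARP header (ip_carp.h), big-endian:
#   byte 0     version (high nibble) | type (low nibble); 0x21 = CARPv2 advert
#   byte 1     vhid      -- a VRRP dissector labels this "VRID"
#   byte 2     advskew   -- a VRRP dissector labels this "Priority"
#   byte 3     authlen   -- 7 (counter + HMAC in 32-bit words); VRRP "Count IP"
#   byte 4     demotion  -- VRRP "Auth type"
#   byte 5     advbase   -- VRRP "Adver Int"
#   bytes 6-7  Internet checksum over the whole header
#   bytes 8-15 64-bit counter, bytes 16-35 SHA1 HMAC
CARP_HDR = struct.Struct("!BBBBBBH8s20s")


def inet_checksum(data):
    """RFC 1071 one's-complement checksum (the one CARP uses for its header)."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_advert(vhid, advskew, advbase=1, counter=1, hmac=b"\0" * 20):
    """Constructed CARP advertisement with a correct header checksum."""
    body = CARP_HDR.pack(0x21, vhid, advskew, 7, 0, advbase, 0,
                         counter.to_bytes(8, "big"), hmac)
    return body[:6] + struct.pack("!H", inet_checksum(body)) + body[8:]


def parse_advert(pkt):
    """Return the CARP reading and the VRRP misreading of the same bytes."""
    if len(pkt) < CARP_HDR.size:
        raise ValueError("short CARP header")
    (vt, vhid, advskew, authlen, demote, advbase, _cksum,
     counter, _hmac) = CARP_HDR.unpack_from(pkt)
    if vt != 0x21:
        raise ValueError("not a CARPv2 advertisement: first byte 0x%02x" % vt)
    return {
        "vhid": vhid,
        "advskew": advskew,
        "advbase": advbase,
        # the master advertises every advbase + advskew/256 seconds; with the
        # usual master advskew of 0 that is the once-a-second heartbeat
        "interval_s": advbase + advskew / 256.0,
        "checksum_ok": inet_checksum(pkt[:CARP_HDR.size]) == 0,
        "counter": int.from_bytes(counter, "big"),
        "demoted": demote != 0,
        # what a VRRP dissector prints for these bytes; a master with
        # advskew 0 therefore shows up as VRRP "Priority: 0"
        "vrrp_view": {"vrid": vhid, "priority": advskew, "adver_int": advbase},
    }


def summarize_capture(frames):
    """frames: iterable of (src_ip, dst_ip, raw_carp_header).

    Counts valid advertisements per (vhid, source) so the check in the
    thread (exactly one box advertising per VHID) can be read off.
    """
    per_source = {}
    for src, dst, raw in frames:
        if dst != CARP_GROUP:
            continue                          # not sent to the CARP/VRRP group
        info = parse_advert(raw)
        if not info["checksum_ok"]:
            continue                          # corrupt header, ignore
        key = (info["vhid"], src)
        per_source[key] = per_source.get(key, 0) + 1
    return per_source


def masters_per_vhid(frames):
    """Map vhid -> set of advertising sources; more than one means two masters."""
    out = {}
    for (vhid, src), _count in summarize_capture(frames).items():
        out.setdefault(vhid, set()).add(src)
    return out


if __name__ == "__main__":
    # constructed: master 203.0.113.2 advertising VHID 1 for three seconds
    capture = [("203.0.113.2", CARP_GROUP, build_advert(1, 0, counter=n))
               for n in range(3)]
    print(parse_advert(capture[0][2]))
    print(masters_per_vhid(capture))
```

Running the block shows the master's advskew of 0 coming out as VRRP priority 0: that is the dissector's reading of a CARP field, not a sign that the master has resigned. Two sources for the same VHID in masters_per_vhid() is the split case where both boxes believe they are master.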





Re: [pfSense Support] PPTP problems with pfsense

2011-01-22 Thread Evgeny Yurchenko

On 11-01-22 08:18 PM, Chris Buechler wrote:

On Sat, Jan 22, 2011 at 7:37 PM, Evgeny Yurchenko  wrote:

Chris, could you briefly describe what mechanism is used in 2.0 to avoid
this problem?


Ermal enhanced the GRE state tracking in PF so it tracks call ID in
addition to source and destination IP, and tied the GRE states to the
TCP 1723 states in the case of PPTP.


This is really great! Thanks!
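
The mechanism Chris describes (GRE states keyed on the call ID as well as the IP pair, and tied to the TCP 1723 control state) can be shown with a small model. The following is an added example, not pf or pfSense code: it parses the RFC 2637 enhanced GRE header that PPTP uses, then contrasts a tracker that maps inbound GRE by server and public IP only with one that also keys on the client's call ID learned from the control channel and drops the GRE state when that control session closes. Hosts, call IDs and packet bytes are constructed, and both trackers are a simplification of what a NAT/stateful filter does.

```python
"""Model of the PPTP change described for 2.0: GRE states keyed on the PPTP
call ID as well as the IP pair, and tied to the TCP 1723 control state.

Added example, not pf or pfSense code. The trackers are simplified models
of a NAT/stateful filter; hosts, call IDs and packet bytes are constructed.
"""
import struct

GRE_PPTP_PROTO = 0x880B     # enhanced GRE carrying PPP (RFC 2637)
PPTP_CONTROL_PORT = 1723    # control channel the GRE state is tied to


def build_pptp_gre(call_id, payload, seq=None, ack=None):
    """RFC 2637 enhanced GRE header: K set, version 1, optional S and A."""
    flags0 = 0x20 | (0x10 if seq is not None else 0)   # K | S
    flags1 = 0x01 | (0x80 if ack is not None else 0)   # Ver=1 | A
    hdr = struct.pack("!BBHHH", flags0, flags1, GRE_PPTP_PROTO,
                      len(payload), call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr + payload


def parse_pptp_gre(pkt):
    """Return call ID (the receiver's, per RFC 2637), seq, ack and payload."""
    if len(pkt) < 8:
        raise ValueError("short GRE header")
    flags0, flags1, proto, plen, call_id = struct.unpack_from("!BBHHH", pkt)
    if proto != GRE_PPTP_PROTO or (flags1 & 0x07) != 1 or not flags0 & 0x20:
        raise ValueError("not an enhanced GRE (PPTP) packet")
    off, seq, ack = 8, None, None
    if flags0 & 0x10:
        seq = struct.unpack_from("!I", pkt, off)[0]
        off += 4
    if flags1 & 0x80:
        ack = struct.unpack_from("!I", pkt, off)[0]
        off += 4
    return {"call_id": call_id, "seq": seq, "ack": ack,
            "payload": pkt[off:off + plen]}


class PptpNatTracker:
    """Maps server->client GRE back to the internal host behind one public IP.

    track_call_id=False models the old behaviour: one GRE mapping per
    server, so a second client to the same server clobbers the first (a real
    NAT may refuse it instead; either way only one tunnel works).
    track_call_id=True models the 2.0 behaviour: the mapping also carries the
    client's call ID learned from the TCP 1723 control channel and lives only
    as long as that control state.
    """

    def __init__(self, track_call_id):
        self.track_call_id = track_call_id
        self.control = {}   # (internal_ip, server_ip) -> (client_call, server_call)
        self.gre = {}       # gre key -> internal_ip

    def _key(self, server_ip, client_call_id):
        return (server_ip, client_call_id) if self.track_call_id else (server_ip,)

    def control_open(self, internal_ip, server_ip, client_call_id, server_call_id):
        """Outgoing-Call-Request/Reply seen on TCP 1723: learn both call IDs."""
        self.control[(internal_ip, server_ip)] = (client_call_id, server_call_id)
        self.gre[self._key(server_ip, client_call_id)] = internal_ip

    def control_close(self, internal_ip, server_ip):
        """TCP 1723 session ends: its GRE state goes with it."""
        client_call_id, _server_call_id = self.control.pop((internal_ip, server_ip))
        self.gre.pop(self._key(server_ip, client_call_id), None)

    def route_inbound(self, server_ip, pkt):
        """Internal host an inbound (server->client) GRE packet goes to, or None.

        Inbound GRE carries the client's call ID, so with call-ID tracking it
        selects the right host even when several share one public IP.
        """
        call_id = parse_pptp_gre(pkt)["call_id"]
        return self.gre.get(self._key(server_ip, call_id))


def demo():
    """Two internal hosts, one public IP, one PPTP server; returns who gets what."""
    server = "198.51.100.9"
    results = {}
    for name, track in (("legacy", False), ("call_id", True)):
        t = PptpNatTracker(track_call_id=track)
        t.control_open("10.0.0.11", server, client_call_id=100, server_call_id=5001)
        t.control_open("10.0.0.12", server, client_call_id=200, server_call_id=5002)
        to_first = build_pptp_gre(100, b"\xff\x03\xc0\x21", seq=1)    # PPP LCP
        to_second = build_pptp_gre(200, b"\xff\x03\xc0\x21", seq=1)
        results[name] = (t.route_inbound(server, to_first),
                         t.route_inbound(server, to_second))
    return results


if __name__ == "__main__":
    print(demo())   # legacy sends both to 10.0.0.12; call_id keeps them apart
```

The legacy result is the single-tunnel limit Manny ran into with 1.2.3; Chris's first workaround (a distinct public IP per internal host) removes the collision by changing the key's IP half instead of adding the call ID.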




Re: [pfSense Support] PPTP problems with pfsense

2011-01-22 Thread Evgeny Yurchenko

On 11-01-22 07:14 PM, Chris Buechler wrote:

On Sat, Jan 22, 2011 at 6:50 PM, Manny A. Wise  wrote:

I have a client who insists on having 5 PPTP clients behind the new pfSense
1.2.3 I just installed for him...
I explained that, to the best of my knowledge, only one tunnel can be active
at any given time...
Any workaround to solve this problem???

NAT each internal host to its own public IP, or use 2.0.



Does he need all 5 tunnels to the same remote IP?
Chris, could you briefly describe what mechanism is used in 2.0 to avoid this 
problem?
Thanks.







Re: [pfSense Support] User Interface changes after adding many interfaces

2010-12-29 Thread Evgeny Yurchenko

On 10-12-29 12:57 PM, Charles N Wyble wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Ah. It switches in firefox but not in Chrome. Should I file a bug?


You are using 1.2.3, right? As I recall it was already fixed long time ago.




Re: [pfSense Support] pfSense and adsl

2010-12-17 Thread Evgeny Yurchenko

On 10-12-17 04:59 PM, David Bottrill wrote:

On 17 Dec 2010, at 21:45, Michel Servaes wrote:


On 18/12/10 10:16, Evgeny Yurchenko wrote:

my only concern now is PPPoA... But I need public IP on pfSense for sure
to do port-forwarding.

Not really; if you can ask the modem to port-forward to the pfsense box,
you can then ask pfSense to port-forward to the final destination.

So the public IP stays on the modem's WAN interface, you burn a small
private network for the connection between the modem's LAN and pfSense's
WAN (using DHCP so that pfSense gets the modem's sense of DNS
providers), and provide ordinary services over pfSense's LAN.

This means you end up with double-NAT, which isn't ideal in a busy
environment, but is stable enough for quieter locations.



You could do that, but then you would have to disable the private address 
filtering on the WAN side, of course!

I'm in the UK and I use a Draytek Vigor 120 router that out of the box will 
work as an ADSL modem.
It autodetects your ADSL settings and performs PPPoE to PPPoA authentication so I 
simply configure the WAN port on pfSense for PPPoE and use my ISP ADSL userid 
and password.

This works a treat and I get my Internet IP address on PFSense, in fact I have 
a netblock from my ISP so I just add Proxy ARP Virtual address entries on 
PFSense for the additional IP addresses and 1:1 NAT rules to map my additional 
external IP addresses to devices on my internal networks.

Hope that helps

David


That would be ideal for me. The site is in the UK -) I am wondering if my modem can 
do the same stuff.
Gentlemen, I understand the double-NAT thing and can certainly configure that, but the simpler the better; I'd prefer to 
have the public IP (range) on the pfSense box.

Thanks all for ideas! Now I have more hopes that it'll work.
Evgeny.

   






Re: [pfSense Support] pfSense and adsl

2010-12-17 Thread Evgeny Yurchenko

On 10-12-17 02:54 PM, Michel Servaes wrote:


Can I reconfigure the Netgear in 'bridge' mode so I get the public IP on the pfSense WAN? What would be the WAN type on pfSense 
(DHCP? static? PPPoE?)?

Or if you can answer more generally: what is the general pfSense setup if you get a 
DSL line from the ISP?
Thanks.



Can't tell for Netgear, but I have 5 locations with a DSL line and either a 
SpeedTouch router or a Sagem router 3436.
I configure PPPoE on pfSense and the routers go bridged automatically... I do however remove all settings from the 
PPPoE login at the SpeedTouch or Sagem boxes to make sure that during a reboot of pfSense they won't go connecting.


I need pfSense to get the public IP adress, as I am using IPSEC in between (and 
I don't like to use IPSEC NAT-T).

That said, I can only tell for PPPoE - don't know how PPPoA should be done...


Kind regards,
Michel


Thanks David and Michel,
my only concern now is PPPoA... But I need public IP on pfSense for sure to do 
port-forwarding.
Evgeny.





[pfSense Support] pfSense and adsl

2010-12-17 Thread Evgeny Yurchenko

Hi list,
I've never worked with DSL devices so the question might seem stupid.
Nevertheless...
Right now a Netgear DG834 does PPPoA with the ISP, having 192.168.0.1 on LAN and a public IP 
on WAN.
How would I introduce pfSense to firewall LAN from WAN here?
Can I reconfigure the Netgear in 'bridge' mode so I get the public IP on the pfSense WAN? What would be the WAN type on pfSense (DHCP? 
static? PPPoE?)?

Or if you can answer more generally: what is the general pfSense setup if you get a 
DSL line from the ISP?
Thanks.

Evgeny.




Re: HA: Re: HA: Re: [pfSense Support] 2.0 - don't work Ipsec!

2010-12-13 Thread Evgeny Yurchenko

On 10-12-13 02:14 AM, drova...@kaluga-gov.ru wrote:

[snip]
Now ipsec does not work!
[snip]

Wrong. It does work. -)




Re: HA: Re: [pfSense Support] 2.0 - don't work Ipsec!

2010-12-11 Thread Evgeny Yurchenko

On 10-12-11 06:28 AM, drova...@kaluga-gov.ru wrote:

Hi, pfSense does not send or receive IPsec messages to/from the remote gateway!

[snip]

Just do tcpdump on WAN and see whether you receive anything from remote site on 
port 500.
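
A way to act on the tcpdump advice above, as an added example that is not pfSense or racoon code: decode the fixed ISAKMP header (RFC 2408 section 3.1) of what arrives on and leaves UDP 500, then count phase 1 messages per peer and direction. The addresses and packets are constructed, and the verdict strings are a heuristic reading of the counts rather than a racoon diagnosis. One caveat for the racoon.conf posted elsewhere in this thread: in aggressive mode with pre-shared keys the responder's authentication hash is sent in the clear in the second message, which allows an offline dictionary attack on the PSK, so main mode is preferable wherever both ends support it.

```python
"""Classify IKEv1 (ISAKMP) traffic on UDP 500: does anything arrive from the
remote site, and do we answer it?

Added example, not pfSense or racoon code. Header layout per RFC 2408
section 3.1; packets and addresses are constructed and the verdicts are a
heuristic reading of the counts.
"""
import struct

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")    # 28-byte fixed header
EXCHANGE_TYPES = {
    2: "main mode (identity protection)",
    4: "aggressive mode",
    5: "informational",
    32: "quick mode",
    33: "new group mode",
}
PHASE1_EXCHANGES = (2, 4)
NO_COOKIE = b"\0" * 8


def build_isakmp(icookie, rcookie, exchange, body=b"", flags=0, msg_id=0):
    """Constructed IKEv1 message: header (next payload = SA) plus opaque body."""
    return ISAKMP_HDR.pack(icookie, rcookie, 1, 0x10, exchange, flags,
                           msg_id, ISAKMP_HDR.size + len(body)) + body


def parse_isakmp(data):
    """Decode the fixed ISAKMP header; raises ValueError if it is not IKEv1."""
    if len(data) < ISAKMP_HDR.size:
        raise ValueError("short ISAKMP header")
    (icookie, rcookie, _next_payload, version, exchange,
     flags, msg_id, length) = ISAKMP_HDR.unpack_from(data)
    if version >> 4 != 1:
        raise ValueError("not IKEv1 (major version %d)" % (version >> 4))
    return {
        "initiator_cookie": icookie.hex(),
        "responder_cookie": rcookie.hex(),
        "exchange_type": exchange,
        "exchange": EXCHANGE_TYPES.get(exchange, "other (%d)" % exchange),
        "phase1": exchange in PHASE1_EXCHANGES,
        # responder cookie still zero: the initiator's opening message
        "opening_message": rcookie == NO_COOKIE,
        "encrypted": bool(flags & 0x01),
        "msg_id": msg_id,
        "length_ok": length == len(data),
    }


def summarize(records, local_ips):
    """records: (src_ip, dst_ip, udp_payload) taken from a capture on UDP 500.

    Counts phase 1 messages per peer in each direction and attaches a
    heuristic verdict mirroring the tcpdump check from the thread.
    """
    peers = {}
    for src, dst, data in records:
        try:
            hdr = parse_isakmp(data)
        except ValueError:
            continue                      # not IKE, or truncated
        if not hdr["phase1"]:
            continue
        outbound = src in local_ips
        peer = dst if outbound else src
        p = peers.setdefault(peer, {"out": 0, "in": 0, "modes": set()})
        p["out" if outbound else "in"] += 1
        p["modes"].add(hdr["exchange"])
    for p in peers.values():
        if p["in"] == 0:
            p["verdict"] = ("nothing from the peer on UDP 500: remote side, "
                            "path or upstream filtering")
        elif p["out"] == 0:
            p["verdict"] = ("peer sends, we never answer: listener address "
                            "or WAN rule on this side")
        else:
            p["verdict"] = ("both sides talk: compare proposals and "
                            "identifiers in the racoon log")
    return peers


if __name__ == "__main__":
    me, peer = "203.0.113.7", "198.51.100.2"          # constructed addresses
    opening = build_isakmp(b"\x11" * 8, NO_COOKIE, 4, body=b"\0" * 4)
    reply = build_isakmp(b"\x11" * 8, b"\x22" * 8, 4, body=b"\0" * 4)
    print(summarize([(me, peer, opening)], {me}))
    print(summarize([(me, peer, opening), (peer, me, reply)], {me}))
```

Feed it the UDP payloads from a capture filtered on port 500 (NAT-T on 4500 carries the same header after a 4-byte non-ESP marker); a peer with only outbound opening messages is the case where nothing comes back, which is what the tcpdump suggestion above is meant to establish before anything in racoon.conf is touched.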






Re: HA: Re: [pfSense Support] 2.0 - don't work Ipsec!

2010-12-11 Thread Evgeny Yurchenko

On 10-12-11 06:46 AM, st41...@st41ker.net wrote:

Hi,

JFYI: you must use only those cryptographic services/algorithms which
have been certified by "ФСБ" (the FSB) and/or "ФСТЭК" (FSTEC) (I'm not sure how it sounds
in English).
It seems like Blowfish is under question in your case.

Hi,
just curious, can private company or a person use something that is not 
certified by FSB?
Evgeny.




Re: [pfSense Support] 2.0 - don't work Ipsec!

2010-12-10 Thread Evgeny Yurchenko

On 10-12-10 01:40 AM, drova...@kaluga-gov.ru wrote:

Hi,

LAN net - 192.168.8.0/24 -- This is pfsense 2.0 -- 172.20.20.0/24
                                                   172.20.21.0/24
                            0.0.0.0/0              172.20.22.0/24
                                                   172.20.24.0/24
...

The firewall on the IPsec interface is fully open.

Why is IPsec phase 1 not established?

P.S. With this configuration everything works on pfSense 1.2 and m0n0wall!

Please help!


my racoon.conf:

# This file is automatically generated. Do not edit
path pre_shared_key "/var/etc/psk.txt";

path certificate  "/var/etc";


listen
{
 adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
 isakmp 192.168.180.33 [500];
 isakmp_natt 192.168.180.33 [4500];
 isakmp 192.168.180.1 [500];
 isakmp_natt 192.168.180.1 [4500];
 isakmp 10.221.40.6 [500];
 isakmp_natt 10.221.40.6 [4500];
}


remote 192.186.180.38
{
 ph1id 1;
 exchange_mode aggressive;
 my_identifier address 192.168.180.33;
 peers_identifier address 192.186.180.38;
 ike_frag on;
 generate_policy = off;
 initial_contact = on;
 nat_traversal = off;


 dpd_delay = 10;
 dpd_maxfail = 5;
 support_proxy on;
 proposal_check obey;


 proposal
 {
 authentication_method pre_shared_key;
 encryption_algorithm 3des;
 hash_algorithm sha1;
 dh_group 2;
 lifetime time 3600 secs;
 }
}

remote 192.186.180.39
{
 ph1id 2;
 exchange_mode aggressive;
 my_identifier address 192.168.180.33;
 peers_identifier address 192.186.180.39;
 ike_frag on;
 generate_policy = off;
 initial_contact = on;
 nat_traversal = on;


 dpd_delay = 10;
 dpd_maxfail = 5;
 support_proxy on;
 proposal_check obey;


 proposal
 {
 authentication_method pre_shared_key;
 encryption_algorithm 3des;
 hash_algorithm sha1;
 dh_group 2;
 lifetime time 3600 secs;
 }
}

..


sainfo subnet 0.0.0.0/0 any subnet 172.20.22.0/24 any
{
 remoteid 1;
 encryption_algorithm blowfish 256, blowfish 248, blowfish 240,
blowfish 232, blowfish 224, blowfish 216, blowfish 208, blowfish 200,
blowfish 192, blowfish 184, blowfish 176, blowfish 168, blowfish 160,
blowfish 152, blowfish 144, blowfish 136, blowfish 128;
 authentication_algorithm hmac_sha1;
 pfs_group 2;
 lifetime time 3600 secs;
 compression_algorithm deflate;
}

sainfo subnet 0.0.0.0/0 any subnet 172.20.20.0/24 any
{
 remoteid 2;
 encryption_algorithm aes 256, aes 192, aes 128;
 authentication_algorithm hmac_sha1;
 pfs_group 2;
 lifetime time 3600 secs;
 compression_algorithm deflate;
}

...

racoon.log


racoon: INFO: @(#)ipsec-tools 0.7.3 (http://ipsec-tools.sourceforge.net)
Dec 10 08:55:02 racoon: INFO: @(#)This product linked OpenSSL 0.9.8n 24
Mar 2010 (http://www.openssl.org/)
Dec 10 08:55:02 racoon: INFO: Reading configuration from
"/var/etc/racoon.conf"
Dec 10 08:55:02 racoon: [Self]: INFO: 10.221.40.6[4500] used as isakmp
port (fd=16)
Dec 10 08:55:02 racoon: INFO: 10.221.40.6[4500] used for NAT-T
Dec 10 08:55:02 racoon: [Self]: INFO: 10.221.40.6[500] used as isakmp
port (fd=17)
Dec 10 08:55:02 racoon: INFO: 10.221.40.6[500] used for NAT-T
Dec 10 08:55:02 racoon: INFO: 192.168.180.1[4500] used as isakmp port
(fd=18)
Dec 10 08:55:02 racoon: INFO: 192.168.180.1[4500] used for NAT-T
Dec 10 08:55:02 racoon: INFO: 192.168.180.1[500] used as isakmp port
(fd=19)
Dec 10 08:55:02 racoon: INFO: 192.168.180.1[500] used for NAT-T
Dec 10 08:55:02 racoon: [Self]: INFO: 192.168.180.33[4500] used as 
isakmp
port (fd=20)
Dec 10 08:55:02 racoon: INFO: 192.168.180.33[4500] used for NAT-T
Dec 10 08:55:02 racoon: [Self]: INFO: 192.168.180.33[500] used as isakmp
port (fd=21)
Dec 10 08:55:02 racoon: INFO: 192.168.180.33[500] used for NAT-T
Dec 10 08:55:02 racoon: INFO: uns

Re: [pfSense Support] Firewall Rule for another network

2010-12-10 Thread Evgeny Yurchenko

On 10-12-10 01:21 AM, Maik Heinelt wrote:

On 2010/12/10 13:56, Evgeny Yurchenko wrote:

On 10-12-09 11:54 PM, Maik Heinelt wrote:

On 2010/12/10 13:26, Evgeny Yurchenko wrote:

On 10-12-09 11:07 PM, Maik Heinelt wrote:

pfSense is our internet router (192.168.144.10)

The L3 switch between the two networks A and B is configured to 
send all requests for network A (192.168.144.0) to the pfSense router.

Before we used pfSense, we had a working CentreCom Router.

Maik
..
Heinelt Maik | Software Developer
Maik Heinelt (ハイネルト マイク)
2-2-22 Fuji, Ichinomiya, Aichi Prefecture
Vega Systems Co., Ltd. (株式会社 ベガシステムズ)
TEL: 0586-71-3903 FAX: 0586-71-4071
http://www.vegasystems.com
Skype ID: daliose
..
DISCLAIMER: This information is confidential and is intended only 
for the use of the individual or entity named above. If the reader 
of this message is not the intended recipient, please disregard 
and destroy this email and its content. Thank you


On 2010/12/10 13:04, Evgeny Yurchenko wrote:

On 10-12-09 11:01 PM, Maik Heinelt wrote:

Sorry for the confusion.
We have L3 switch between network A and B.
This switch has the IP 192.168.144.112 in network A and the IP 
192.168.11.1 in network B.
Any request for network B (192.168.11.0) from 192.168.144.0 
network is routed to 192.168.144.112.


I can reach from A network to B network, but not backward.

Maik


And where is pfSense here?

please do not top-post.

So, we have

 Network A ------ 192.168.144.112 switch 192.168.11.1 ------ Network B
 192.168.144.0/24         |                                  192.168.11.0/24
       |                  |                                        |
        \--- 192.168.144.10 pfsense 192.168.11.x ------------------/

and hosts from A forward packets to pfSense when sending to B, while 
hosts from B always forward packets to the switch.

Right?
The ideal solution is to get rid of asymmetric routing; if you want to 
filter traffic, just make hosts in B use pfSense when sending to A.
If it is not possible then what Chris proposed does not work, 
because pfSense has network B on one of its interfaces, thus you 
can't create a static route to Network B.

Try in the rule allowing A to B setting StateType to None.

Try in the rule allowing A to B set StateType to None.


You are almost right with our network configuration.
Network A 192.168.144.0/24 is using pfSense on 192.168.144.10 as 
internet router.
Network B 192.168.11.0/24 is using its own router for internet 
connection.
Only in case of requests to network A from B will it use the L3 
switch between the two networks.
So all clients in network B are using the 192.168.11.xx internet 
router as gateway.


So it isn't possible to use pfSense in network B as default.

If I set the rule allowing A to B with StateType set to None, I 
cannot connect to network B (192.168.11.0/24) at all.


Maik

Ok then, if pfSense does not have 192.168.11.0/24 at all then just 
create static route on pfSense. 192.168.11.0/24 route via 
192.168.144.112 and enable option Chris mentioned. Should work.

Evgeny.


Static route is set:
Interface   Network           Gateway
LAN         192.168.11.0/32   192.168.144.112

Static route filtering: *Bypass firewall rules for traffic on the same 
interface* is checked.
But if I try to reach a 192.168.144.0/24 IP from the 192.168.11.0/24 
network, I cannot connect.

From the 144.0 network to 11.0 it works very well.

Maik


Can you do a tcpdump on the Network A interface?
like tcpdump -ni net 192.168.11.0/24
You should see two instances of every packet coming back to 192.168.11.0/24.
Evgeny



Re: [pfSense Support] Firewall Rule for another network

2010-12-09 Thread Evgeny Yurchenko

On 10-12-09 11:54 PM, Maik Heinelt wrote:

On 2010/12/10 13:26, Evgeny Yurchenko wrote:

On 10-12-09 11:07 PM, Maik Heinelt wrote:

pfSense is our internet router (192.168.144.10)

The L3 switch between the two networks A and B is configured to 
send all requests for network A (192.168.144.0) to the pfSense router.

Before we used pfSense, we had a working CentreCom Router.

Maik


On 2010/12/10 13:04, Evgeny Yurchenko wrote:

On 10-12-09 11:01 PM, Maik Heinelt wrote:

Sorry for the confusion.
We have L3 switch between network A and B.
This switch has the IP 192.168.144.112 in network A and the IP 
192.168.11.1 in network B.
Any request for network B (192.168.11.0) from 192.168.144.0 
network is routed to 192.168.144.112.


I can reach from A network to B network, but not backward.

Maik


And where is pfSense here?

please do not top-post.

So, we have

 Network A ------ 192.168.144.112 switch 192.168.11.1 ------ Network B
 192.168.144.0/24         |                                  192.168.11.0/24
       |                  |                                        |
        \--- 192.168.144.10 pfsense 192.168.11.x ------------------/

and hosts from A forward packets to pfSense when sending to B, while 
hosts from B always forward packets to the switch.

Right?
The ideal solution is to get rid of asymmetric routing; if you want to 
filter traffic, just make hosts in B use pfSense when sending to A.
If it is not possible then what Chris proposed does not work, because 
pfSense has network B on one of its interfaces, thus you can't create 
a static route to Network B.

Try in the rule allowing A to B setting StateType to None.


You are almost right with our network configuration.
Network A 192.168.144.0/24 is using pfsense on 192.168.144.10 as 
internet router.
Network B 192.168.11.0/24 is using its own router for internet 
connection.
Only in case of requests to network A from B it will use the L3 switch 
in between the both networks.
So all clients in network B are using the 192.168.11.xx internet 
router as gateway.


So it isn't possible to use pfsense in network B as default.

If I set the rule allowing A to B with settings StateType to None, I 
cannot connect to network B (192.168.11.0/24) at all.


Maik

OK then, if pfSense does not have 192.168.11.0/24 on any interface at all, 
then just create a static route on pfSense: 192.168.11.0/24 via 
192.168.144.112, and enable the option Chris mentioned. Should work.

Evgeny.


-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org



Re: [pfSense Support] Firewall Rule for another network

2010-12-09 Thread Evgeny Yurchenko

On 10-12-09 11:07 PM, Maik Heinelt wrote:

pfSense is our internet router (192.168.144.10)

The L3 switch in between the 2 networks A. and B. is configured to 
send all request for network A (192.168.144.0) to the pfsense router.

Before we used pfSense, we had a working CentreCom Router.

Maik


On 2010/12/10 13:04, Evgeny Yurchenko wrote:

On 10-12-09 11:01 PM, Maik Heinelt wrote:

Sorry for the confusion.
We have L3 switch between network A and B.
This switch has the IP 192.168.144.112 in network A and the IP 
192.168.11.1 in network B.
Any request for network B (192.168.11.0) from 192.168.144.0 network 
is routed to 192.168.144.112.


I can reach from A network to B network, but not backward.

Maik


And where is pfSense here?

please do not top-post.

So, we have

Network A ---192.168.144.112 switch 192.168.11.1--- Network B
192.168.144.0/24   |                                |  192.168.11.0/24
                   |                                |
                   \---192.168.144.10 pfsense 192.168.11.x---/

and hosts from A forward packets to pfSense when sending to B, while 
hosts from B always forward packets to the switch.

Right?
The ideal solution is to get rid of the asymmetric routing; if you want to 
filter traffic, just make the hosts in B use pfSense when sending to A.
If that is not possible, then what Chris proposed does not work, because 
pfSense has network B on one of its interfaces, so you can't create a 
static route to network B.

Try setting State Type to None in the rule allowing A to B.






Re: [pfSense Support] Firewall Rule for another network

2010-12-09 Thread Evgeny Yurchenko

On 10-12-09 11:01 PM, Maik Heinelt wrote:

Sorry for the confusion.
We have L3 switch between network A and B.
This switch has the IP 192.168.144.112 in network A and the IP 
192.168.11.1 in network B.
Any request for network B (192.168.11.0) from 192.168.144.0 network is 
routed to 192.168.144.112.


I can reach from A network to B network, but not backward.

Maik


And where is pfSense here?




Re: [pfSense Support] Firewall Rule for another network

2010-12-09 Thread Evgeny Yurchenko

On 10-12-09 08:42 PM, Maik Heinelt wrote:


We have 2 networks in our company with pfSense 1.2.3.

A. 192.168.144.0/24
B. 192.168.11.0/24

The gateway for network B is 192.168.144.112
So I had set up a static route for network B to its gateway.
From network A to B it works as expected, but if I try reach from 
network B to network A,

I'm not able to connect.
Firewall rule to pass traffic from network 192.168.11.0/24 to 
192.168.144.0/24 is set, but if I check the firewall logs in pfSense,

it still is blocking traffic between B and A.
RIP in pfSense is also activated.

Any hint?


Maik



It does not make sense:
B. 192.168.11.0/24
The gateway for network B is 192.168.144.112

Can you run simultaneous tcpdumps on both interfaces and try to reach A 
from B?

Evgeny




Re: [pfSense Support] NATed SMTP server shows WAN IP

2010-12-05 Thread Evgeny Yurchenko

On 10-12-06 01:13 AM, el caballo wrote:

HI Guys!

I have a mailserver that is setup to be NATed to a Private IP and 
configured to have its own Public IP. The Public IP is a Virtual IP 
(Proxe ARP). And on the Firewall: NAT: Outbound, AON is selected. It 
is working correctly with one thing seem to be wrong. We are able to 
connect to the SMTP servers Public IP but it seem to be connecting to 
outside SMTP servers using the Firewall WAN IP and not the specified 
SMTP IP on the Virtual IP. Please let me know if there is something 
that I missed, or how I can enable it to send emails out using its 
assigned Public IP. The pfSense version I'm using is 1.2.3-RELEASE. 
Many thanks !



Make sure in "Outbound NAT" the rule with the source IP of your 
SMTP-server is located higher than all other general rules.

Evgeny.


Re: [pfSense Support] IPSec VPN Question

2010-12-05 Thread Evgeny Yurchenko

On 10-12-05 06:22 PM, Alex Threlfall wrote:

Hi All,

Doing some testing here, and this might not be the best place to ask
but thought I'd start off here!

I'm running a pair of pfSense 2.0 Beta 4 LiveCD's back to back with
a pair of WAN connections between them via x-over cat5's. Fairly normal
hardware, HP DL360 G3's with a Dual Port Intel FXP Card (onboard BGE is lan)

I'm trying to prove that I can run two IPSec VPN's between the
boxes, to provide some fault tolerance, however I can only get the VPN's to
link up on the WAN interface, despite specifying on both boxes that the
second VPN should be on OPT1 (or WAN1 which I've named it).

Can anyone shed any light on this behaviour, I have firewall rules
allowing all traffic on both interfaces and the IPSec Interface, private
networks turned off etc.

Cheers!

If you are trying to connect the same two subnets by two different IPSec 
tunnels then I am afraid it is impossible. I can't see a way they can 
run simultaneously, regardless of pfSense version. It is probably possible 
in 2.0 to bring up a backup IPSec tunnel if the primary fails; I am not sure 
about that, as I do not have much experience with 2.0.
Evgeny.




Re: [pfSense Support] RFC1918 on WAN

2010-12-04 Thread Evgeny Yurchenko

On 10-12-04 04:26 PM, David Burgess wrote:

My WAN is mlppp with a static public IP address. pfSense is 2.0 beta4.

Out of curiosity I disabled the check box on the WAN config page to
block private networks. I then created an alias for RFC1918 and
loopback addresses and manually created a logging reject rule at the
top of the WAN rules for this alias. To my surprise the rule started
logging packets at a rate of around 4/minute, suggesting that my ISP
is not dropping these as prescribed in the RFC.

Before I bring this to their attention, I wanted to ask the list a
couple related questions:

1. Is there any reason for an ISP to forward these packets? AFAIK, my
ISP does no NATing ever, and every customer gets only publicly
routable IP addresses from them.

2. Is there a chance that my logs are misrepresenting, like maybe
these packets came from an internal interface, even though the log
shows they are from the WAN?

Here's a snippet from the Firewall Log page to illustrate what I'm seeing.

Dec 4 14:18:44  WAN 192.168.0.2:57198 69.165.225.177:57815  UDP 
block
Dec 4 14:17:30  WAN 172.16.36.144:58728   69.165.225.177:40730  TCP:R 
block
Dec 4 14:17:10  WAN 172.16.36.144:58661   69.165.225.177:40730  TCP:R 
block
Dec 4 14:17:09  WAN 192.168.0.2:22836 69.165.225.177:57815  UDP 
block
Dec 4 14:17:06  WAN 192.168.0.2:22836 69.165.225.177:57815  UDP 
block
Dec 4 14:15:17  WAN 192.168.9.10:5050569.165.225.177:49615  UDP 
block
Dec 4 14:14:41  WAN 192.168.230.178:56200 69.165.225.177:13945  TCP:R

I would suggest running tcpdump. This way you will know for sure where these 
packets are coming from.

Evgeny.
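As an added illustration (not David's or pfSense's code), here is a parser for the log lines David posted that tallies WAN-side hits from RFC 1918 and loopback sources, the same check his alias rule makes before tcpdump confirms where the packets really enter. It assumes the column layout shown above and restores the space that is missing in one line of the snippet.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, Optional

# The ranges David's alias covers: RFC 1918 private space plus loopback.
NON_ROUTABLE = {
    "rfc1918": [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")],
    "loopback": [ipaddress.ip_network("127.0.0.0/8")],
}

# Sample input: the seven lines from the message above. The 192.168.9.10 line
# lost the space between source port and destination in the archive and is
# restored here; the final line is truncated in the original and kept that way.
SAMPLE_LOG = """\
Dec 4 14:18:44  WAN 192.168.0.2:57198 69.165.225.177:57815  UDP block
Dec 4 14:17:30  WAN 172.16.36.144:58728 69.165.225.177:40730  TCP:R block
Dec 4 14:17:10  WAN 172.16.36.144:58661 69.165.225.177:40730  TCP:R block
Dec 4 14:17:09  WAN 192.168.0.2:22836 69.165.225.177:57815  UDP block
Dec 4 14:17:06  WAN 192.168.0.2:22836 69.165.225.177:57815  UDP block
Dec 4 14:15:17  WAN 192.168.9.10:50505 69.165.225.177:49615  UDP block
Dec 4 14:14:41  WAN 192.168.230.178:56200 69.165.225.177:13945  TCP:R
"""

# Columns: timestamp, interface, src:port, dst:port, proto[:tcpflags], [action]
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<iface>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<proto>[A-Z]+)(?::(?P<tcpflags>\S+))?(?:\s+(?P<action>\w+))?\s*$"
)


def classify(ip: str) -> str:
    """Return 'rfc1918', 'loopback' or 'public' for a dotted-quad address."""
    addr = ipaddress.ip_address(ip)
    for name, nets in NON_ROUTABLE.items():
        if any(addr in net for net in nets):
            return name
    return "public"


def parse_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Parse one firewall-log line; None when the line does not fit the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["src_class"] = classify(rec["src"])
    return rec


def wan_bogon_hits(log: str) -> Counter:
    """Per-source count of WAN-side packets whose source is RFC 1918 or loopback.

    Only the interface column is trusted here, which is exactly the doubt David
    raises; the count tells you what to look for in a tcpdump on the WAN side.
    """
    hits: Counter = Counter()
    for line in log.splitlines():
        rec = parse_line(line)
        if rec and rec["iface"] == "WAN" and rec["src_class"] != "public":
            hits[rec["src"]] += 1
    return hits


if __name__ == "__main__":
    for src, n in wan_bogon_hits(SAMPLE_LOG).most_common():
        print(f"{src:<18} {classify(src):<9} {n} packet(s)")
```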




Re: [pfSense Support] Firewall rule problem

2010-12-03 Thread Evgeny Yurchenko

On 10-12-03 03:43 PM, Wakefield, Thad M. wrote:

Can you send me .pcap file with this packet please? Once I saw similar
problem when IP header had additional options. The packet just did not
follow my rule and that is it!
Thanks.

While capturing the packet for you, I discovered the problem. This traffic is 
asymmetrical. This packet is a syn/ack packet. Since the pfsense doesn't see 
the syn packet, I assume it blocks the packet when configured to keep state. Is 
there an easy pfsense solution for asymmetrical traffic? Is a solution to 
manually edit the pf rules file to allow the traffic out the bge0 interface?

You can't create rules for outgoing traffic using the web interface. You can 
disable filtering altogether, but probably that is not what you want.
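For both Maik's thread above (hosts in B reply through the switch, so pfSense sees only one direction of each connection) and Thad's SYN/ACK here, the following is an added model, not pf or pfSense code, of how pf's first-match "quick" evaluation plus its state table treats a packet whose SYN the firewall never saw. Rule numbers, interfaces and addresses are taken from Thad's log; the "flags S/SA" semantics and the direction-independent state key follow pf's documented behaviour, and "no state" corresponds to pfSense's State Type None.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out", relative to the firewall
    iface: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # TCP flags set on the packet: "S" = SYN, "SA" = SYN/ACK


@dataclass
class Rule:
    number: int
    action: str                      # "pass" or "block"
    direction: str                   # "in", "out" or "any"
    iface: Optional[str] = None      # None matches every interface
    src: Optional[str] = None
    sport: Optional[int] = None
    flag_spec: Optional[str] = None  # pf "flags S/SA": of the flags in the mask (SA),
                                     # exactly those listed before the slash must be set
    keep_state: bool = False
    label: str = ""

    def matches(self, p: Packet) -> bool:
        if self.direction != "any" and self.direction != p.direction:
            return False
        if self.iface is not None and self.iface != p.iface:
            return False
        if self.src is not None and self.src != p.src:
            return False
        if self.sport is not None and self.sport != p.sport:
            return False
        if self.flag_spec is not None:
            want, mask = self.flag_spec.split("/")
            if {f for f in p.flags if f in mask} != set(want):
                return False
        return True


Verdict = Tuple[str, Optional[int]]  # (action, matching rule number; None = state matched)


class StateFirewall:
    """Every rule on the page is 'quick', so the first match decides, after the
    state table has been consulted (as pf does)."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.states: Set[frozenset] = set()

    @staticmethod
    def _key(p: Packet) -> frozenset:
        # Direction-independent so the reply half of a connection finds the state.
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def evaluate(self, p: Packet) -> Verdict:
        if self._key(p) in self.states:
            return ("pass", None)
        for r in self.rules:
            if r.matches(p):
                if r.action == "pass" and r.keep_state:
                    self.states.add(self._key(p))
                return (r.action, r.number)
        return ("pass", None)  # pf's implicit default; never reached with @251/@252 present


def page_rules(keep_state: bool) -> List[Rule]:
    # The pfSense 1.2.3 ruleset from Thad's log. With "keep state" the generated
    # @191 carries "flags S/SA"; with "no state" it does not (see the second listing).
    return [
        Rule(191, "pass", "in", "vlan2", "10.0.150.250", 1321,
             "S/SA" if keep_state else None, keep_state, "USER_RULE"),
        Rule(251, "block", "in", label="Default deny rule"),
        Rule(252, "block", "out", label="Default deny rule"),
    ]


def stray_synack(keep_state: bool) -> Tuple[Verdict, Optional[Verdict]]:
    """The logged packet: a SYN/ACK whose SYN pfSense never saw (asymmetric path).
    Returns the ingress verdict and, if forwarded, the egress verdict on bge0."""
    fw = StateFirewall(page_rules(keep_state))
    pkt_in = Packet("in", "vlan2", "10.0.150.250", 1321, "192.76.4.8", 53145, "SA")
    v_in = fw.evaluate(pkt_in)
    if v_in[0] != "pass":
        return v_in, None
    pkt_out = Packet("out", "bge0", "10.0.150.250", 1321, "192.76.4.8", 53145, "SA")
    return v_in, fw.evaluate(pkt_out)


def symmetric_handshake() -> Tuple[Verdict, Verdict, Verdict]:
    """Same ruleset when pfSense does see the SYN: the state carries the rest."""
    fw = StateFirewall(page_rules(keep_state=True))
    syn_in = Packet("in", "vlan2", "10.0.150.250", 1321, "192.76.4.8", 53145, "S")
    syn_out = Packet("out", "bge0", "10.0.150.250", 1321, "192.76.4.8", 53145, "S")
    synack_in = Packet("in", "bge0", "192.76.4.8", 53145, "10.0.150.250", 1321, "SA")
    return fw.evaluate(syn_in), fw.evaluate(syn_out), fw.evaluate(synack_in)


if __name__ == "__main__":
    print("keep state, SYN/ACK first:", stray_synack(True))    # (('block', 251), None)
    print("no state,   SYN/ACK first:", stray_synack(False))   # (('pass', 191), ('block', 252))
    print("keep state, SYN seen:     ", symmetric_handshake())  # every step passes
```

The two stray_synack results reproduce the two log excerpts: with keep state the SYN/ACK fails "flags S/SA" and falls through to @251, and with no state it passes in but, having created no state, is caught by @252 on the way out.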






RE: [pfSense Support] Firewall rule problem

2010-12-03 Thread EVGENY YURCHENKO
--- On Fri, 12/3/10, Wakefield, Thad M.  wrote:

> From: Wakefield, Thad M. 
> Subject: RE: [pfSense Support] Firewall rule problem
> To: "support@pfsense.com" 
> Date: Friday, December 3, 2010, 2:35 PM
> Original Message-
> > From: Evgeny Yurchenko [mailto:evg.yu...@rogers.com]
> > Sent: Friday, December 03, 2010 12:57 PM
> > To: support@pfsense.com
> > Subject: Re: [pfSense Support] Firewall rule problem
> > 
> > On 10-12-03 12:51 PM, Wakefield, Thad M. wrote:
> > > I have a problem with the firewall rules with pfSense 1.2.3-RELEASE.
> > >
> > > The firewall is blocking the traffic from 10.0.150.250.1321 unless state
> > > is not kept. Of course without the state the traffic is then blocked on
> > > the egress port. Below is the log and firewall rules for both cases. The
> > > results are the same if the source address is changed to any. Any
> > > suggestions on how to resolve this would be greatly appreciated.
> > >
> > >
> > > With keep state:
> > > Dec  3 10:00:14 192.76.18.8 pf: 039505 rule 251/0(match): block in on
> > > vlan2: (tos 0x0, ttl 127, id 19405, offset 0, flags [DF], proto TCP (6),
> > > length 52) 10.0.150.250.1321 > 192.76.4.8.53145: S, cksum 0x0da9
> > > (correct), 4056631626:4056631626(0) ack 323007018 win 8192
> > > <mss 1460,nop,wscale 8,nop,nop,sackOK>
> > >
> > > @191 pass in log quick on vlan2 inet proto tcp from 10.0.150.250 port
> > > = 1321 to any flags S/SA keep state label "USER_RULE"
> > >   [ Evaluations: 24  Packets: 0  Bytes: 0  States: 0 ]
> > > @251 block drop in log quick all label "Default deny rule"
> > >
> > >
> > >
> > > Without keep state:
> > > Dec  3 10:06:01 192.76.18.8 pf: 079950 rule 191/0(match): pass in on
> > > vlan2: (tos 0x0, ttl 127, id 37671, offset 0, flags [DF], proto TCP (6),
> > > length 52) 10.0.150.250.1321 > 192.76.4.8.53145: S, cksum 0xc360
> > > (correct), 4144994380:4144994380(0) ack 411542245 win 8192
> > > <mss 1460,nop,wscale 8,nop,nop,sackOK>
> > > Dec  3 10:06:01 192.76.18.8 pf: 55 rule 252/0(match): block out on
> > > bge0: (tos 0x0, ttl 126, id 19770, offset 0, flags [DF], proto TCP (6),
> > > length 52) 10.0.150.250.1321 > 192.76.4.8.53145: S, cksum 0xc360
> > > (correct), 4144994380:4144994380(0) ack 411542245 win 8192
> > > <mss 1460,nop,wscale 8,nop,nop,sackOK>
> > >
> > > @191 pass in log quick on vlan2 inet proto tcp from 10.0.150.250 port
> > > = 1321 to any no state label "USER_RULE"
> > >   [ Evaluations: 49  Packets: 4  Bytes: 192  States: 0 ]
> > > @252 block drop out log quick all label "Default deny rule"
> > >
> > >
> > >
> > > Thanks
> > >
> > > Thad
> > >
> > When you try to establish this connection probably the state already
> > exists. Can you check it with
> > pfctl -ss | grep 1321
> > If it does exist
> > 
> > 10.0.150.250.1321 > 192.76.4.8.53145
> > 
> > then I think new one will be rejected.
> > 
> > Evgeny.
> > 
> 
> Unfortunately that doesn't appear to be the problem.
> 
> Thanks anyway.
> 
> Thad

Can you send me .pcap file with this packet please? Once I saw similar problem 
when IP header had additional options. The packet just did not follow my rule 
and that is it!
Thanks.




Re: [pfSense Support] PPTP question

2010-12-03 Thread EVGENY YURCHENKO


--- On Fri, 12/3/10, David Miller  wrote:

> From: David Miller 
> Subject: Re: [pfSense Support] PPTP question
> To: support@pfsense.com
> Date: Friday, December 3, 2010, 2:35 PM
> On 12/3/10 2:00 PM, EVGENY YURCHENKO
> wrote:
> 
> 
> [snip]
> 
> >> Thanks Evgeny;
> >> 
> >> When I run tcpdump on the host I'm trying to
> connect to I
> >> see unanswered arp requests for the IP I'm trying
> to connect
> >> from.
> >> 
> >> Is there a proxy arp setting I need to turn
> on?  I
> >> just tried allowing icmp in addition to tcp/udp
> from the
> >> pptp interface to the internal network, but get
> the same arp
> >> requests on the target box.
> >> 
> >> Any hints for using a separate network for my vpn
> client?
> >> 
> >> Thanks,
> >> 
> >> --- David
> > I am a bit confused... Can you post your dump here?
> Plus ifconfig when a PPTP client is connected.
> 
> An ifconfig from the firewall:
> 
> # ifconfig
> fxp0: flags=8943 metric 0 mtu 1500
>     options=2009
>     ether 00:e0:81:02:5d:d6
>     inet 24.39.39.202 netmask 0xfff8 broadcast 24.39.39.207
>     inet6 fe80::2e0:81ff:fe02:5dd6%fxp0 prefixlen 64 scopeid 0x1
>     nd6 options=3
>     media: Ethernet autoselect (100baseTX)
>     status: active
> fxp1: flags=8843 metric 0 mtu 1500
>     options=2009
>     ether 00:e0:81:02:5d:d7
>     inet 172.30.0.1 netmask 0xff00 broadcast 172.30.0.255
>     inet6 fe80::2e0:81ff:fe02:5dd7%fxp1 prefixlen 64 scopeid 0x2
>     nd6 options=3
>     media: Ethernet autoselect (100baseTX)
>     status: active
> [snip]
> vip1: flags=49 metric 0 mtu 1500
>     inet 24.39.39.203 netmask 0xfff8
>     carp: MASTER vhid 1 advbase 1 advskew 0
> pptpd0: flags=88d1 metric 0 mtu 1456
>     inet6 fe80::2e0:81ff:fe02:5dd6%pptpd0 prefixlen 64 scopeid 0xc
>     inet 24.39.39.202 --> 172.30.0.65 netmask 0x
>     nd6 options=3
> pptpd1: flags=8890 metric 0 mtu 1500
> 
> tcpdump run from the target host (172.30.0.203)
> 
> newrogue:~# tcpdump host 172.30.0.65
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
> 13:24:44.980948 IP 172.30.0.65 > 172.30.0.203: ICMP echo request, id 24908, seq 9, length 64
> 13:24:44.985196 arp who-has 172.30.0.65 tell 172.30.0.203
> 13:24:45.983096 IP 172.30.0.65 > 172.30.0.203: ICMP echo request, id 24908, seq 10, length 64
> 13:24:45.986742 arp who-has 172.30.0.65 tell 172.30.0.203
> 13:24:46.990958 IP 172.30.0.65 > 172.30.0.203: ICMP echo request, id 24908, seq 11, length 64
> 13:24:46.994740 arp who-has 172.30.0.65 tell 172.30.0.203
> 
> 
> and an ifconfig on the mac:
> 
> MacBook-Pro-2:~ root# ifconfig ppp0
> ppp0: flags=8051 mtu 1444
>     inet 172.30.0.65 --> 24.39.39.202 netmask 0x
> MacBook-Pro-2:~ root#
> 
> I can ping the internal address of the firewall
> (172.30.0.1) over the VPN, but other targets on that network
> can't arp the remote box to reply.
> 
> Thanks!
> 
> --- David

Interesting and weird. I recall this way worked on 1.2.3. Then I think you must 
try 'subnet different from LAN' option.

Evgeny.




Re: [pfSense Support] PPTP question

2010-12-03 Thread EVGENY YURCHENKO


--- On Fri, 12/3/10, David Miller  wrote:

> From: David Miller 
> Subject: Re: [pfSense Support] PPTP question
> To: support@pfsense.com
> Date: Friday, December 3, 2010, 1:33 PM
> On 12/3/10 12:09 PM, Evgeny Yurchenko
> wrote:
> > On 10-12-03 10:43 AM, David Miller wrote:
> >> Hi All;
> >> 
> >> I'm trying to bring up VPN access to an internal
> network via PPTP.
> >> 
> >> On the firewall (pfsense 2.0 BETA1, built 4/18
> 2010) I enabled 8 PPTP users, setup a remote address of
> 172.30.0.64, used the WAN address for the server address,
> and configured a user.
> >> 
> >> I went to firewall->rules->PPTP and added a
> rule to allow TCP connections from any source/port to any
> dest/port.
> >> 
> >> 
> >> On a mac (snowleopard) I configured the PPTP
> client with the WAN address of the firewall as the server,
> enter the username & password.  I hit connect and
> the mac says it's connected fine.  It's assigned an IP
> address (172.30.0.65)
> >> 
> >> The mac shows this:
> >> 
> >> MacBook-Pro-2:~ root# ifconfig ppp0
> >> ppp0: flags=8051 mtu 1444
> >>     inet 172.30.0.65 --> 24.39.39.202 netmask 0x
> >> MacBook-Pro-2:~ root#
> >> 
> >> and this:
> >> 
> >> MacBook-Pro-2:~ root# netstat -rn
> >> Routing tables
> >> 
> >> Internet:
> >> Destination        Gateway            Flags        Refs      Use   Netif Expire
> >> default            10.0.1.1           UGSc           18       13     en1
> >> default            24.39.39.202       UGScI           0        0    ppp0
> >> 10.0.1/24          link#5             UCS             2        0     en1
> >> 10.0.1.1           0:23:df:d9:8a:93   UHLWI          16     1031     en1    456
> >> 10.0.1.198         127.0.0.1          UHS             0        0     lo0
> >> 10.0.1.255         ff:ff:ff:ff:ff:ff  UHLWbI          0        6     en1
> >> 24.39.39.202       10.0.1.1           UGHS          166      202     en1
> >> 127                127.0.0.1          UCS             0        0     lo0
> >> 127.0.0.1          127.0.0.1          UH              1    18114     lo0
> >> 169.254            link#5             UCS             0        0     en1
> >> 172.30             ppp0               USc             2        0    ppp0
> >> 
> >> The problem is that I can't connect to anything
> else on the internal (172.30.0.0/24) network.  So what
> step did I miss?
> >> 
> >> This isn't exactly where I want to end up. 
> I'd prefer to assign another network to PPTP clients
> (172.30.1.0) and route them to the internal network, but I'm
> taking one step at a time.
> >> 
> >> TIA,
> >> 
> >> --- David
> >> 
> > Do tcpdump on LAN when pinging any LAN-connected
> device from your MAC. Do you see packets?
> > Evgeny.
> 
> Thanks Evgeny;
> 
> When I run tcpdump on the host I'm trying to connect to I
> see unanswered arp requests for the IP I'm trying to connect
> from.
> 
> Is there a proxy arp setting I need to turn on?  I
> just tried allowing icmp in addition to tcp/udp from the
> pptp interface to the internal network, but get the same arp
> requests on the target box.
> 
> Any hints for using a separate network for my vpn client?
> 
> Thanks,
> 
> --- David

I am a bit confused... Can you post your dump here? Plus ifconfig when a PPTP 
client is connected.




Re: [pfSense Support] Firewall rule problem

2010-12-03 Thread Evgeny Yurchenko

On 10-12-03 12:51 PM, Wakefield, Thad M. wrote:

I have a problem with the firewall rules with pfSense 1.2.3-RELEASE.

The firewall is blocking the traffic from 10.0.150.250.1321 unless state is not 
kept. Of course without the state the traffic is then blocked on the egress 
port. Below is the log and firewall rules for both cases. The results are the 
same if the source address is changed to any. Any suggestions on how to resolve 
this would be greatly appreciated.


With keep state:
Dec  3 10:00:14 192.76.18.8 pf: 039505 rule 251/0(match): block in on vlan2: (tos 0x0, 
ttl 127, id 19405, offset 0, flags [DF], proto TCP (6), length 52) 10.0.150.250.1321 > 
192.76.4.8.53145: S, cksum 0x0da9 (correct), 4056631626:4056631626(0) ack 323007018 win 
8192

@191 pass in log quick on vlan2 inet proto tcp from 10.0.150.250 port = 1321 to any flags 
S/SA keep state label "USER_RULE"
  [ Evaluations: 24  Packets: 0  Bytes: 0  States: 0 ]
@251 block drop in log quick all label "Default deny rule"



Without keep state:
Dec  3 10:06:01 192.76.18.8 pf: 079950 rule 191/0(match): pass in on vlan2: (tos 0x0, 
ttl 127, id 37671, offset 0, flags [DF], proto TCP (6), length 52) 10.0.150.250.1321 > 
192.76.4.8.53145: S, cksum 0xc360 (correct), 4144994380:4144994380(0) ack 411542245 win 
8192
Dec  3 10:06:01 192.76.18.8 pf: 55 rule 252/0(match): block out on bge0: (tos 0x0, 
ttl 126, id 19770, offset 0, flags [DF], proto TCP (6), length 52) 10.0.150.250.1321 > 
192.76.4.8.53145: S, cksum 0xc360 (correct), 4144994380:4144994380(0) ack 411542245 win 
8192

@191 pass in log quick on vlan2 inet proto tcp from 10.0.150.250 port = 1321 to any no 
state label "USER_RULE"
  [ Evaluations: 49  Packets: 4  Bytes: 192  States: 0 ]
@252 block drop out log quick all label "Default deny rule"



Thanks

Thad

When you try to establish this connection, probably the state already 
exists. Can you check it with

pfctl -ss | grep 1321
If it does exist

10.0.150.250.1321>  192.76.4.8.53145

then I think new one will be rejected.

Evgeny.




Re: [pfSense Support] PPTP question

2010-12-03 Thread Evgeny Yurchenko

On 10-12-03 10:43 AM, David Miller wrote:

Hi All;

I'm trying to bring up VPN access to an internal network via PPTP.

On the firewall (pfsense 2.0 BETA1, built 4/18 2010) I enabled 8 PPTP 
users, setup a remote address of 172.30.0.64, used the WAN address for 
the server address, and configured a user.


I went to firewall->rules->PPTP and added a rule to allow TCP 
connections from any source/port to any dest/port.



On a mac (snowleopard) I configured the PPTP client with the WAN 
address of the firewall as the server, enter the username & password.  
I hit connect and the mac says it's connected fine.  It's assigned an 
IP address (172.30.0.65)


The mac shows this:

MacBook-Pro-2:~ root# ifconfig ppp0
ppp0: flags=8051 mtu 1444
inet 172.30.0.65 --> 24.39.39.202 netmask 0x
MacBook-Pro-2:~ root#

and this:

MacBook-Pro-2:~ root# netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            10.0.1.1           UGSc           18       13     en1
default            24.39.39.202       UGScI           0        0    ppp0
10.0.1/24          link#5             UCS             2        0     en1
10.0.1.1           0:23:df:d9:8a:93   UHLWI          16     1031     en1    456
10.0.1.198         127.0.0.1          UHS             0        0     lo0
10.0.1.255         ff:ff:ff:ff:ff:ff  UHLWbI          0        6     en1
24.39.39.202       10.0.1.1           UGHS          166      202     en1
127                127.0.0.1          UCS             0        0     lo0
127.0.0.1          127.0.0.1          UH              1    18114     lo0
169.254            link#5             UCS             0        0     en1
172.30             ppp0               USc             2        0    ppp0

The problem is that I can't connect to anything else on the internal 
(172.30.0.0/24) network.  So what step did I miss?


This isn't exactly where I want to end up.  I'd prefer to assign 
another network to PPTP clients (172.30.1.0) and route them to the 
internal network, but I'm taking one step at a time.


TIA,

--- David

Do tcpdump on LAN when pinging any LAN-connected device from your MAC. 
Do you see packets?

Evgeny.




Re: [pfSense Support] pfsense 1.2.3 - ipsec racoon watchdog ?

2010-11-26 Thread Evgeny Yurchenko

On 10-11-26 03:25 PM, Michel Servaes wrote:
Is it possible to have some kind of watchdog installed on the racoon 
service?
I have scheduled a racoon restart at 4am, and this seems to resolve 
the racoon shutdowns that occurred sometimes in the week...


But today, racoon ended in the middle of the day - and as such, the 
printserver could not connect to the remote printers of course...
Some kind of watchdog, that would automatically restart a service (eg. 
racoon in this case), would be some cool solution... the watchdog 
should not retry more than 3 times within 10 minutes or so - as an 
erroneous config could be the base of this of course...


I tried checking the log; and it seems to be appearing after DPD 
detected a dead peer this time... right after that, the printserver 
started mailing errors (so I'm sure it happened right after this in 
the log)


The ip 194.23.45.67 is the main-site
The ip 84.23.45.67 is the client-site... an FVS-318G.

I currently disabled DPD for this tunnel; I have entered "0" for DPD 
(this means disabled - I hope ?)
The FVS-318 on the client site, is also handling DPD - I guess one 
site is enough ?



Looks like DPD worked perfectly: it detected a dead peer.
And it seems that you just stopped receiving anything from the remote end. 
Can you, when it happens the next time, do tcpdump on WAN and see whether 
there is any communication between these sites?


Evgeny.
PS: as far as I know DPD settings should be identical on both sides of 
the tunnel (intervals may differ but both either ON or OFF).





Re: [pfSense Support] FTP problem with virtual ip and proxy

2010-11-24 Thread Evgeny Yurchenko

On 10-11-24 11:08 AM, Lluis wrote:

Hi,

I'm using pfsense 1.2.3, with 1 LAN and 1 WAN, in the WAN I use some 
virtual IP's, and make NAT like this example:


http://chaos.untouchable.net/index.php/PfSense_advanced_outbound_nat_example

...
Please remove this document from the Web if it is in your power, and read 
the normal documentation provided at http://doc.pfsense.org instead.
Regarding your FTP problem, I am totally confused by your description of 
the problem. But generally, if one client connects OK and the other one does 
not (from the same subnet to the same server), then probably it is a 
matter of FTP mode, passive or active; try playing with the ftp-client 
settings.


Evgeny.


Re: [pfSense Support] Desperately Need Help With Wan

2010-11-22 Thread Evgeny Yurchenko

On 10-11-22 04:39 PM, James Bensley wrote:

...

The 2 ZyXel P-660r ADSL modems are in bridged mode passing all ADSL
traffic out their Ethernet interface (my ISP has given me a /29

What exactly did your ISP tell you? To use a /29 with two physical ADSL 
lines? Do you have static address assignment? Sounds a bit unusual to me...


Evgeny.





Re: [pfSense Support] how to prevent spams

2010-11-21 Thread Evgeny Yurchenko

On 10-11-21 02:58 AM, Guruprasad wrote:


I am using PFSense firewall in my office. I have a windows based mail 
server in LAN and all the systems in LAN send mails thru the 
mailserver(icewarp merak mail server). There is no spam problem.


But the moment I allow my branch office people to send/receive mails 
using my local mail server via my ISP allocated static IP ( this is 
configured in pfsense WAN), lots of spam/virus being relayed thru my 
mail server and I could see the same in my mail server Log.


Since many roaming users/branch office people are connected to this 
mail server, how do I find out which remote client is compromised and 
sending this spams using my internal mail server as a relay host.


Secondly, is there any AV package for pfSense which can prevent SMTP, 
POP, FTP, SMB viruses apart from HTTP (I have installed clamAV)?


-guru

I very much hope you allow only authenticated clients to use your SMTP server 
to send e-mails, don't you?

Evgeny


Re: [pfSense Support] how to manage 2 subnets for LAN ?

2010-11-20 Thread Evgeny Yurchenko

On 10-11-20 08:25 PM, Karsten Becker wrote:

On 11/20/2010 09:04 PM, Frédéric Boiteux wrote:

I'm not sure to understand well : in the case I gave, 192.168.1.0/24 and
192.168.2.0/24, the two nets don't share the same broadcast domain
(192.168.1.255 and 192.168.2.255), isn't it ?

 Fred.

I'm also in doubt.

Because your example is exactly why I see the need to have two subnets
on the same interface.

I have one subnet for VoIP phones and one for computers, just to have
the f*cking broadcasting from Windows not bailing onto my phones which
makes them slow and #+?1-up the speech quality. So I need to have both
subnets on the FW interface to reach both the internet.

Regards
Karsten

Regardless of the number of subnets and their masks you configure on *one* 
physical interface, they all belong to one L2 broadcast domain. Thus any 
broadcast packet generated by any host from any subnet will be received 
by all hosts connected to this segment. Let's put it this way: your L3 
broadcast segment differs from your L2 segment in this case, which does 
not prevent broadcast packets from hitting all machines.


Evgeny.




Re: [pfSense Support] CARP IP/Hyper-V/Hyper-V R2

2010-11-16 Thread Evgeny Yurchenko

On 10-11-16 12:19 PM, Dimitri Rodis wrote:


On 10-11-15 09:22 PM, Dimitri Rodis wrote:

I recently migrated a pfSense virtual machine (version 1.2.2) that was 
running flawlessly on Hyper-V (first release) with 2 additional CARP 
IP addresses on the WAN interface for about 16 months. Over the 
weekend, I migrated that virtual machine over to a Hyper-V R2 machine, 
and all was well except that the 2 additional CARP IPs do not respond 
to traffic (although traffic to/from/in/out of the WAN's actual IP 
works fine). After rebooting nearly every piece of equipment between 
the servers and the ISP, the only thing that made the CARP IPs work 
again was migrating the virtual machine back to the original Hyper-V 
(non-R2) host.


Any ideas on why CARP IPs wouldn't work on Hyper-V R2? Is there 
something since 1.2.2 that might change this?


Thanks,

Dimitri Rodis

Integrita Systems LLC

http://www.integritasystems.com

I do not know a lot about Hyper-v but in VMWare for instance you can 
block frames with 'faked' mac-addresses. Probably you hit the same 
problem as CARP-packets have MAC-addresses 'not real' but specifically 
crafted. Weird thing though in your e-mail is that you mention only 
one virtual machine... do you use CARP-IPs with one pfSense? if yes 
then why would you need such set up?


Evgeny.

I have several public IPs from the ISP, and need to use each of them 
for different purposes (SSL/TCP-443 for different sites & services). I 
use CARP addresses for the rest of the IPs I've been given---then if I 
get the opportunity to add redundancy, they are already set up that 
way. Obviously the point is that the additional CARP addresses don't 
seem to function at all when pfSense is run under Hyper-V R2 as 
opposed to Hyper-V R1, and I am hoping to resolve that issue so that 
the old server can be formatted and upgraded and added to the 
cluster. FWIW, both hosts are Dell PowerEdge 2900s **identically** 
configured, with the only exception currently being the amount 
of RAM,


It should be pretty easy to check. Under Hyper-V R2 run tcpdump and see 
whether packets with CARP IPs leave your virtual machine and the physical 
host. If you do not see them coming out of the physical interface, then 
this question should be addressed to the Hyper-V community.


Evgeny.
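The check Evgeny suggests, as an added example that is not code from the thread: it parses constructed tcpdump -e -n output (CARP is IP protocol 112) captured inside the guest and on the physical host, flags advertisements whose source is not the virtual MAC 00:00:5e:00:01:<vhid> that CARP is specified to use, and lists the vhids that never reach the physical interface, which points at the hypervisor's MAC filtering rather than at pfSense. All addresses and frames below are made up.

```python
import re

# CARP (like VRRP) sends its advertisements from a virtual source MAC of
# 00:00:5e:00:01:<vhid>, never from the NIC's burned-in address.  A
# hypervisor that enforces one MAC per virtual NIC treats such frames as
# spoofed and silently drops them, which is the failure mode the thread
# describes.
CARP_MAC_PREFIX = "00:00:5e:00:01:"

# Constructed sample of `tcpdump -e -n ip proto 112` output inside the
# guest (not a real capture).  Frames 1-2 are well-formed advertisements;
# frame 3 was sent with the vNIC's own MAC instead of the virtual MAC;
# frame 4 is an unrelated ARP request.
GUEST_CAPTURE = """\
12:00:01.000101 00:00:5e:00:01:01 > 01:00:5e:00:00:12, ethertype IPv4 (0x0800), length 70: 203.0.113.2 > 224.0.0.18: CARPv2-advertise 36: vhid=1 advbase=1 advskew=0 authlen=7 counter=1
12:00:02.000102 00:00:5e:00:01:02 > 01:00:5e:00:00:12, ethertype IPv4 (0x0800), length 70: 203.0.113.2 > 224.0.0.18: CARPv2-advertise 36: vhid=2 advbase=1 advskew=0 authlen=7 counter=2
12:00:03.000103 00:15:5d:01:02:03 > 01:00:5e:00:00:12, ethertype IPv4 (0x0800), length 70: 203.0.113.2 > 224.0.0.18: CARPv2-advertise 36: vhid=3 advbase=1 advskew=0 authlen=7 counter=3
12:00:04.000104 00:15:5d:01:02:03 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 203.0.113.1 tell 203.0.113.2
"""

# The same window captured on the physical host's uplink (constructed):
# only vhid 1 made it out, so the hypervisor dropped the others.
HOST_CAPTURE = """\
12:00:01.000150 00:00:5e:00:01:01 > 01:00:5e:00:00:12, ethertype IPv4 (0x0800), length 70: 203.0.113.2 > 224.0.0.18: CARPv2-advertise 36: vhid=1 advbase=1 advskew=0 authlen=7 counter=1
"""

ADV_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) > "
    r"(?P<dst>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}), .*?CARPv2-advertise .*?"
    r"vhid=(?P<vhid>\d+) advbase=(?P<advbase>\d+) advskew=(?P<advskew>\d+)"
)


def expected_carp_mac(vhid):
    """Virtual MAC a CARP advertisement for this vhid must be sent from."""
    return CARP_MAC_PREFIX + "%02x" % vhid


def parse_carp_advertisements(capture_text):
    """Extract CARP advertisements from tcpdump -e -n output lines."""
    found = []
    for line in capture_text.splitlines():
        m = ADV_RE.match(line)
        if not m:
            continue  # ARP, TCP, ...: not a CARP advertisement
        found.append({
            "ts": m.group("ts"),
            "src_mac": m.group("src"),
            "vhid": int(m.group("vhid")),
            "advbase": int(m.group("advbase")),
            "advskew": int(m.group("advskew")),
        })
    return found


def audit_carp_frames(capture_text):
    """Tag each advertisement 'ok' when its source MAC is the virtual MAC
    for its vhid, otherwise 'wrong-mac' (a port-security guard would not
    be the culprit for those; the sender is misbehaving)."""
    audited = []
    for adv in parse_carp_advertisements(capture_text):
        want = expected_carp_mac(adv["vhid"])
        adv["status"] = "ok" if adv["src_mac"] == want else "wrong-mac"
        audited.append(adv)
    return audited


def vhids_missing_on_host(guest_capture, host_capture):
    """vhids advertised inside the guest that never show up on the host's
    physical interface: the hypervisor, not pfSense, is dropping them."""
    guest = {a["vhid"] for a in parse_carp_advertisements(guest_capture)}
    host = {a["vhid"] for a in parse_carp_advertisements(host_capture)}
    return sorted(guest - host)


if __name__ == "__main__":
    for adv in audit_carp_frames(GUEST_CAPTURE):
        print(adv["ts"], "vhid", adv["vhid"], adv["src_mac"], adv["status"])
    print("dropped by host:", vhids_missing_on_host(GUEST_CAPTURE, HOST_CAPTURE))
```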


Re: [pfSense Support] CARP IP/Hyper-V/Hyper-V R2

2010-11-15 Thread Evgeny Yurchenko

On 10-11-15 09:22 PM, Dimitri Rodis wrote:


I recently migrated a pfSense virtual machine (version 1.2.2) that was 
running flawlessly on Hyper-V (first release) with 2 additional CARP 
IP addresses on the WAN interface for about 16 months. Over the 
weekend, I migrated that virtual machine over to a Hyper-V R2 machine, 
and all was well except that the 2 additional CARP IPs do not respond 
to traffic (although traffic to/from/in/out of the WAN's actual IP 
works fine). After rebooting nearly every piece of equipment between 
the servers and the ISP, the only thing that made the CARP IPs work 
again was migrating the virtual machine back to the original Hyper-V 
(non-R2) host.


Any ideas on why CARP IPs wouldn't work on Hyper-V R2? Is there 
something since 1.2.2 that might change this?


Thanks,

Dimitri Rodis

Integrita Systems LLC

http://www.integritasystems.com

I do not know a lot about Hyper-V, but in VMware for instance you can 
block frames with 'faked' MAC addresses. Probably you hit the same 
problem, as CARP packets have MAC addresses that are 'not real' but 
specifically crafted. The weird thing though in your e-mail is that you 
mention only one virtual machine... do you use CARP IPs with one pfSense? 
If yes, then why would you need such a setup?


Evgeny.


Re: [pfSense Support] PPTP outbound to another non PF network

2010-11-09 Thread Evgeny Yurchenko

On 10-11-09 07:38 PM, Marc R. Meshurle Jr. wrote:


I have PPTP (RRAS) enabled on my Windows 2003 Active Directory and 
have port 1723 + GRE pointing to that box. Since upgrading to 2.0, 
while INSIDE the PFS network, I cannot connect to another PPTP (non-PFS 
router) VPN. I've tested this from another network and determined 
that it is the PFS box on my network that is causing my outbound PPTP 
hangups. I searched and found that only one outbound PPTP (GRE) 
connection to another network can be initiated at a time from 
inside the PFS network.


Any suggestions? I tried turning off scrubbing and it still does not work. 
All outbound traffic is allowed without restriction.


Marc R. Meshurle, Jr.


I am afraid it is not 'since upgrade to 2.0'; it was always an issue. It 
is impossible (to my knowledge) to have two or more PPTP connections 
to the same remote IP address.




Re: [pfSense Support] Benchmark tool

2010-09-07 Thread EVGENY YURCHENKO
--- On Tue, 9/7/10, bsd  wrote:

> From: bsd 
> Subject: Re: [pfSense Support] Benchmark tool
> To: support@pfsense.com
> Date: Tuesday, September 7, 2010, 3:24 PM
> Here are the results of the test you
> have asked : 
> 
> gregober 21:15:31 ~ -> iperf -c 1.2.3.5
> 
> Client connecting to 1.2.3.5, TCP port 5001
> TCP window size:  129 KByte (default)
> 
> [  3] local 192.168.10.2 port 60681 connected with 1.2.3.5 port 5001
> [ ID] Interval       Transfer     Bandwidth
> [  3]  0.0-10.0 sec  1.07 GBytes   919 Mbits/sec
> 
> Ubuntu 10.04 LTS freshly baked. 
> 
> 
> I think this has to be compared to this test : 
> 
> > WITHOUT PACKET FILTERING ENABLED 
> > gregober 18:40:12 ~ -> iperf -c 1.2.3.4
> >
> 
> > Client connecting to 1.2.3.4, TCP port 5001
> > TCP window size:  129 KByte (default)
> >
> 
> > [  3] local 192.168.1.199 port 53391 connected with 1.2.3.4 port 5001
> > [ ID] Interval       Transfer     Bandwidth
> > [  3]  0.0-10.0 sec  1.03 GBytes   882 Mbits/sec
> 
> Results are somewhat similar…
> 
> My main question is why, when filtering is enabled, do we
> lose 75% of the throughput…
> 
> Are these normal figures or not?
> 
> 
> Thank you. 
> 
You should definitely see CPU load; you mentioned that you did not see anything 
close to CPU saturation. Could you please post top -S with filtering enabled 
and disabled? Thanks.

Evgeny.




Re: [pfSense Support] Mac OS Package Lost

2010-08-27 Thread EVGENY YURCHENKO
> From: Berk Gulenler 
> Subject: [pfSense Support] Mac OS Package Lost
> To: support@pfsense.com
> Date: Friday, August 27, 2010, 7:29 AM
> Hi,
> 
> My pfSense firewall has 3 interfaces: WAN, LAN and DMZ. Mac
> OS computers in my LAN net cannot connect to an external
> site on the net. When I sniff the traffic on both WAN and LAN
> interfaces I see a situation like this:
> 
> MAC -> LAN -> WAN -> SITE (SYN)
> SITE -> WAN x LAN x MAC (SYN ACK)
> 
> I see SYN ACK packets on my WAN interface coming from SITE
> but I don't see them on my LAN interface. Packets are getting
> lost between my WAN and LAN interfaces. Is there any way to
> debug the problem? / Is there anyone having the same
> problem?
> 
> Thanks.
> 
> -- Berk Gulenler
I suppose you are talking about TCP traffic; do the TCP ports in SYN and SYN ACK 
match? What do you see in the logs, why are the SYN ACKs discarded? What about ICMP?

Evgeny.




Re: [pfSense Support] Multi WAN - Failover doubts.

2010-08-10 Thread EVGENY YURCHENKO
--- On Tue, 8/10/10, Benjamin LAUGIER  wrote:

From: Benjamin LAUGIER 
Subject: Re: [pfSense Support] Multi WAN - Failover doubts.
To: support@pfsense.com
Date: Tuesday, August 10, 2010, 1:03 PM

Hi Fabricio,

In fact, the main problem with failover, as far as I know, is that pfSense only 
checks that the physical link is up and that the local gateway is pingable.

I bet you're using DSL connections with local ethernet links to reach each 
gateway.

Sadly, this means that pfSense will only do failover when the local ethernet 
gateways are down, which might never occur, even if the DSL links are down.

Hope this helped.
Benjamin.


You can choose whatever IP you want to monitor link status; just make sure this 
IP is reachable only via this interface.

Evgeny



Re: [pfSense Support] HORRIBLE Speeds with 1.2.3 on PE1950 with Quad Intel (igb)

2010-07-28 Thread Evgeny Yurchenko

 On 28/07/2010 8:31 PM, Gino O'Donnell wrote:

I flew down to our data center recently to decommission our ASA 5510's
replacing them with pfSense 1.2.3. Since then, I have noticed that we aren't
getting anywhere near the speeds that the ASA had been providing.

The average total throughput on the network is ~10MB/s, ~94%+ of which is
non-crypto.

When I initiate test downloads of large files, I start out with a ~3MB/s
speed which decreases rather steeply on a linear scale to ~20KB/s. This is
true of HTTP uploads/downloads and scp uploads/downloads.

Also most of our ~4MB data sets (JSON) get truncated now, making them
unusable for our applications.

I've read a few posts that say setting these to 0 can help with the igb
driver:

dev.igb.1.enable_lro: 0
dev.igb.1.enable_aim: 0

If this is something I should attempt, do I truly need to reboot or can I
set these in the conf and run a sysctl -p without having downtime?

Any other thoughts?

TIA


Machine specs are as follows:

Dell PowerEdge 1950 Gen 3
Dual Intel Xeon Dual Core 5148's @ 2.33GHz 1333FSB
8GB Mem (4 x 2GB PC-4200)
Dual 146GB 15K SAS Drives in RAID 1

Intel PT 1000 Quad Port Gigabit Ethernet


igb0:  port
0xece0-0xecff mem
0xfd0e-0xfd0f,0xfce0-0xfcff,0xfd0dc000-0xfd0d irq 18 at
device 0.0 on pci16
igb0: Using MSIX interrupts with 3 vectors
igb0: [ITHREAD]
igb0: [ITHREAD]
igb0: [ITHREAD]
igb0: Ethernet address: 00:1b:21:
igb1:  port
0xecc0-0xecdf mem
0xfd0a-0xfd0b,0xfcc0-0xfcdf,0xfd0d8000-0xfd0dbfff irq 19 at
device 0.1 on pci16
igb1: Using MSIX interrupts with 3 vectors
igb1: [ITHREAD]
igb1: [ITHREAD]
igb1: [ITHREAD]
igb1: Ethernet address: 00:1b:21
igb2:  port
0xdce0-0xdcff mem
0xfcae-0xfcaf,0xfc80-0xfc9f,0xfcadc000-0xfcad irq 16 at
device 0.0 on pci17
igb2: Using MSIX interrupts with 3 vectors
igb2: [ITHREAD]
igb2: [ITHREAD]
igb2: [ITHREAD]
igb2: Ethernet address: 00:1b:21:
igb3:  port
0xdcc0-0xdcdf mem
0xfcaa-0xfcab,0xfc60-0xfc7f,0xfcad8000-0xfcadbfff irq 17 at
device 0.1 on pci17
igb3: Using MSIX interrupts with 3 vectors
igb3: [ITHREAD]
igb3: [ITHREAD]
igb3: [ITHREAD]
igb3: Ethernet address: 00:1b:21:...



dev.igb.0.%desc: Intel(R) PRO/1000 Network Connection version - 1.4.1
dev.igb.0.%driver: igb
dev.igb.0.%location: slot=0 function=0
dev.igb.0.%pnpinfo: vendor=0x8086 device=0x10d6 subvendor=0x8086
subdevice=0x145a class=0x02
dev.igb.0.%parent: pci16
dev.igb.0.debug: -1
dev.igb.0.stats: -1
dev.igb.0.flow_control: 0
dev.igb.0.enable_lro: 1
dev.igb.0.enable_aim: 1
dev.igb.0.low_latency: 128
dev.igb.0.ave_latency: 450
dev.igb.0.bulk_latency: 1200
dev.igb.0.rx_processing_limit: 100
dev.igb.1.%desc: Intel(R) PRO/1000 Network Connection version - 1.4.1
dev.igb.1.%driver: igb
dev.igb.1.%location: slot=0 function=1
dev.igb.1.%pnpinfo: vendor=0x8086 device=0x10d6 subvendor=0x8086
subdevice=0x145a class=0x02
dev.igb.1.%parent: pci16
dev.igb.1.debug: -1
dev.igb.1.stats: -1
dev.igb.1.flow_control: 0
dev.igb.1.enable_lro: 1
dev.igb.1.enable_aim: 1
dev.igb.1.low_latency: 128
dev.igb.1.ave_latency: 450
dev.igb.1.bulk_latency: 1200
dev.igb.1.rx_processing_limit: 100
dev.igb.2.%desc: Intel(R) PRO/1000 Network Connection version - 1.4.1
dev.igb.2.%driver: igb
dev.igb.2.%location: slot=0 function=0
dev.igb.2.%pnpinfo: vendor=0x8086 device=0x10d6 subvendor=0x8086
subdevice=0x145a class=0x02
dev.igb.2.%parent: pci17
dev.igb.2.debug: -1
dev.igb.2.stats: -1
dev.igb.2.flow_control: 0
dev.igb.2.enable_lro: 1
dev.igb.2.enable_aim: 1
dev.igb.2.low_latency: 128
dev.igb.2.ave_latency: 450
dev.igb.2.bulk_latency: 1200
dev.igb.2.rx_processing_limit: 100
dev.igb.3.%desc: Intel(R) PRO/1000 Network Connection version - 1.4.1
dev.igb.3.%driver: igb
dev.igb.3.%location: slot=0 function=1
dev.igb.3.%pnpinfo: vendor=0x8086 device=0x10d6 subvendor=0x8086
subdevice=0x145a class=0x02
dev.igb.3.%parent: pci17
dev.igb.3.debug: -1
dev.igb.3.stats: -1
dev.igb.3.flow_control: 0
dev.igb.3.enable_lro: 1
dev.igb.3.enable_aim: 1
dev.igb.3.low_latency: 128
dev.igb.3.ave_latency: 450
dev.igb.3.bulk_latency: 1200
dev.igb.3.rx_processing_limit: 100

Juve says a reboot is needed:
http://forum.pfsense.org/index.php/topic,21056.msg108159.html#msg108159





Re: [pfSense Support] pfsense 1.2.3 virtual ip proxy arp

2010-07-13 Thread EVGENY YURCHENKO


From: Lluis 
Subject: [pfSense Support] pfsense 1.2.3 virtual ip proxy arp
To: "'support@pfsense.com'" 
Date: Tuesday, July 13, 2010, 7:41 AM

Hi,

I configured a virtual ip with proxy arp, and now I have to configure a rule to 
outgoing virtual ip traffic. This is the structure:


    le1: WAN (X.X.X.134)  with    VIRTUALIP (X.X.X.135)
                              |
                              |
   le0:       LAN (192.168.0.1)
                              |
                              |
              SERVER (192.168.0.2)

I need to configure that the outgoing traffic on port 25 from the server goes 
out via the virtual IP (X.X.X.135).
The incoming traffic on port 25 from VIRTUALIP is working correctly using NAT, 
and NAT returns via the virtual IP OK.
The problem is when the traffic originates at the SERVER, because the 
outgoing traffic goes via WAN (X.X.X.134).

Has someone any solution?

Thanks.

-- Lluís Serra
www.jad.es

Configure outbound NAT in such a way that if traffic comes from this server, 
the VIP is put as the source. Make sure this NAT rule precedes other NAT rules 
for LAN traffic.

Evgeny.


Re: [pfSense Support] BGP & ARP problems

2010-06-17 Thread Evgeny Yurchenko

Adam Thompson wrote:

So I've got OpenBGPd up and running fine on my pfSense 1.2.3-REL router (the 
GUI makes setting things up so ridiculously simple it's amazing! Thanks, guys!) 
but am now running into a secondary problem of some sort:

arplookup 192.139.69.161 failed: host is not on local network
arpresolve: can't allocate route for 192.139.69.161

where 192.139.69.161 is my BGP peer.  These messages appear several dozen times in a ~15-minute period.  This 
started shortly after I imported BGP routes into the kernel FIB.  BGPd had received ~11000 routes from my 
peer, I had the FIB import flag set to "no" in the GUI, and used "bgpctl fib couple" to 
manually import them.  Everything seemed to work OK, so I switched the flag to "yes", killed and 
restarted bgpd.  (Didn't want to reboot router in the middle of the day.)
Shortly (<2 minutes, I think) thereafter I noticed my routing table shrinking 
from 11k+ to ~270 to ~200 to ... etc.  Noticed these messages in system log.  Ran 
tcpdump on that vlan, noticed traffic inbound FROM that host but absolutely 
nothing going out from the pfSense host.

Any idea a) what I did wrong, and b) what I do to fix it?  I probably won't be 
able to reboot until several hours from now.

Thanks,

-Adam Thompson
 Chief Technical Architect, C3A Inc.
 athom...@c3a.ca
 (204) 272-9628 / fax: (204) 272-8291
  

Did the subnet on the interface 192.139.69.xxx get screwed up?
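An added example, not from the thread, of the check behind Evgeny's question: given the interface's address/mask, the peer address and a model of the kernel FIB (all constructed values), it reports whether the peer is still on-link or whether an imported route more specific than the connected prefix now sends the peer via a gateway, which is consistent with arplookup reporting 'host is not on local network' for a neighbour. The interface address 192.139.69.162/28, the next hops and the FIB contents are assumptions.

```python
import ipaddress

# Constructed example values, not the poster's real addressing: the vlan
# interface is assumed to be 192.139.69.162/28 and the peer 192.139.69.161.
IFACE_ADDR = "192.139.69.162/28"
PEER = "192.139.69.161"

# A FIB is modelled as (prefix, gateway) pairs; gateway None marks a
# directly connected route.  Healthy table: the peer is on-link.
FIB_OK = [
    ("192.139.69.160/28", None),
    ("0.0.0.0/0", "192.139.69.161"),
    ("198.51.100.0/24", "192.139.69.161"),
]

# After a bad FIB import (constructed): a route more specific than the
# connected /28 covers the peer itself and points it at a next hop, so
# the kernel no longer treats the peer as a neighbour and ARP for it
# cannot be resolved.
FIB_BROKEN = FIB_OK + [("192.139.69.161/32", "203.0.113.9")]


def longest_match(fib, ip):
    """Longest-prefix match; returns (network, gateway) or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, gw in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best


def diagnose_peer(iface_addr, peer, fib):
    """Explain why the kernel might refuse to ARP for a BGP peer.  Returns:
      'ok'                    peer is on-link and reached as connected
      'peer-not-in-subnet'    the interface subnet no longer contains the peer
      'no-route'              nothing in the FIB covers the peer at all
      'peer-routed-via:<gw>'  a more specific route sends the peer via gw
    """
    iface = ipaddress.ip_interface(iface_addr)
    if ipaddress.ip_address(peer) not in iface.network:
        return "peer-not-in-subnet"
    match = longest_match(fib, peer)
    if match is None:
        return "no-route"
    if match[1] is not None:
        return "peer-routed-via:%s" % match[1]
    return "ok"


def offending_routes(iface_addr, fib):
    """Gateway routes more specific than the connected prefix, i.e. the
    imported prefixes to filter (or reject from the peer) before coupling
    the FIB again."""
    connected = ipaddress.ip_interface(iface_addr).network
    bad = []
    for prefix, gw in fib:
        net = ipaddress.ip_network(prefix)
        if gw is not None and net.subnet_of(connected):
            bad.append(prefix)
    return bad


if __name__ == "__main__":
    print("healthy:", diagnose_peer(IFACE_ADDR, PEER, FIB_OK))
    print("after import:", diagnose_peer(IFACE_ADDR, PEER, FIB_BROKEN))
    print("routes to filter:", offending_routes(IFACE_ADDR, FIB_BROKEN))
```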





Re: [pfSense Support] passive ftp problem

2010-06-11 Thread Evgeny Yurchenko

Cihan Saglamoz wrote:
A client from somewhere wants to connect to the FTP servers (more than 
one) behind the pfSense.





Cihan SAĞLAMÖZ



On Fri, Jun 11, 2010 at 4:25 PM, Evgeny Yurchenko wrote:


Cihan Saglamoz wrote:

Hi,

Is there a way for allowing passive ftp on pfsense?


I don't want to give permit all ports between 1024 - 65535


Cihan

Does your client behind pfSense want to connect to a public FTP server
somewhere outside?
Or does a client from somewhere outside want to connect to an FTP server
which is sitting behind your pfSense?



Usually you do not need to send an e-mail twice; we receive it after your 
first attempt.
If your server is behind pfSense then it depends on your server 
configuration which ports to open and map to this server. So you 
decide which range is used.





Re: [pfSense Support] passive ftp problem

2010-06-11 Thread Evgeny Yurchenko

Cihan Saglamoz wrote:

Hi,

Is there a way for allowing passive ftp on pfsense?


I don't want to give permit all ports between 1024 - 65535


Cihan
Does your client behind pfSense want to connect to a public FTP server 
somewhere outside?
Or does a client from somewhere outside want to connect to an FTP server which is 
sitting behind your pfSense?





Re: RES: [pfSense Support] Is it possible?

2010-06-08 Thread Evgeny Yurchenko

Michel Servaes wrote:


I understand, but it would be great if I could do a rule that has an 
address like:


login.live.com

but when I try to do this, I receive the error

A valid destination IP address or alias must be specified.

I tried to do a firewall>Aliases but they ask me a valid IP... but
login.live.com change the IP sometimes...
What is your advice?
  

You can't add a DNS name in an IP field!
You should only add IPs in this list - but that would make you have 
to enter dozens and dozens of IPs.


You'd probably be better off using squidguard - but then again, this 
won't stop them from using https!!


I am using the trendmicro worry free solution, which has a built-in URL 
filter based on category... I almost always have to add the 
categories "social networking" and "webmail"... these will block them 
from using facebook and/or hotmail/gmail and the like!!


kind regards,
Michel
BTW 
http://doc.pfsense.org/index.php/Blocking_websites#Using_Firewall_Rules 
has an error I think.
"You can enter a hostname in a network alias, and then apply that alias 
to a block rule. Note the hostname will only be resolved when the filter 
rules are loaded, so you will want to schedule a filter reload with 
cron."!?!?!?





Re: [pfSense Support] Re: CARP ip on different network range

2010-06-01 Thread Evgeny Yurchenko

Matias wrote:

On 01/06/10 17:14, Evgeny Yurchenko wrote:

Matias wrote:

On 01/06/10 17:00, Evgeny Yurchenko wrote:

Matias wrote:

Hi,

I've an internet connection on which my ISP provides a /29 network,
just one IP for my pfSense (1.2.1) box and one IP for their gateway.

I'd like to set up this IP as CARP and have it shared with the second
pfSense box I have, but as far as I understand, in order to have this
IP address as CARP I must set up another two IPs on **the same 
range**

the CARP IP is. But I don't have more real IPs.

What is your recommendation in this situation?


Thanks for your help.


/29 gives you 6 usable IPs.
pfSense-1
pfSense-2
Gateway
and you can configure 3 CARPs.

Evgeny.






Sorry, it is a /30 actually.


Oh. In this case you have to get more public IPs from your provider.






Do you know if with pfSense 2.0 there will be the option to use a 
CARP IP outside the interface(s) network?


To me it just does not make sense - to use IPs on WAN that cannot be 
routed to you by the provider. What for?





Re: [pfSense Support] Re: CARP ip on different network range

2010-06-01 Thread Evgeny Yurchenko

Matias wrote:

On 01/06/10 17:00, Evgeny Yurchenko wrote:

Matias wrote:

Hi,

I've an internet connection on which my ISP provides a /29 network,
just one IP for my pfSense (1.2.1) box and one IP for their gateway.

I'd like to set up this IP as CARP and have it shared with the second
pfSense box I have, but as far as I understand, in order to have this
IP address as CARP I must set up another two IPs on **the same range**
the CARP IP is. But I don't have more real IPs.

What is your recommendation in this situation?


Thanks for your help.


/29 gives you 6 usable IPs.
pfSense-1
pfSense-2
Gateway
and you can configure 3 CARPs.

Evgeny.






Sorry, it is a /30 actually.


Oh. In this case you have to get more public IPs from your provider.





Re: [pfSense Support] CARP ip on different network range

2010-06-01 Thread Evgeny Yurchenko

Matias wrote:

Hi,

I've an internet connection on which my ISP provides a /29 network, 
just one IP for my pfSense (1.2.1) box and one IP for their gateway.


I'd like to set up this IP as CARP and have it shared with the second 
pfSense box I have, but as far as I understand, in order to have this 
IP address as CARP I must set up another two IPs on **the same range** 
the CARP IP is. But I don't have more real IPs.


What is your recommendation in this situation?


Thanks for your help.


/29 gives you 6 usable IPs.
pfSense-1
pfSense-2
Gateway
and you can configure 3 CARPs.

Evgeny.




Re: [pfSense Support] Proxy ARP Trouble

2010-05-27 Thread Evgeny Yurchenko

Yehuda Katz wrote:

On Thu, May 27, 2010 at 1:02 PM, Chris Buechler  wrote:
  

On Thu, May 27, 2010 at 10:30 AM, Yehuda Katz  wrote:


We had Verizon DSL for our primary WAN connection.
Our primary IP (the WAN interface IP) was 71.248.x.114
We had this entry in the Virtual IP list:
Type: Proxy ARP
Interface: WAN
IP Address: Network 71.248.x.112/28

To get that to work, we had to set the WAN interface IP to each of the
virtual IPs (ending with 114), after which we had no trouble.


Yesterday we switched to Verizon FiOS which meant that we got new IPs.
I switched the WAN interface IP to the new address 71.179.x.83
and I switched the entry in Virtual IPs to
Type: Proxy ARP
Interface: WAN
IP Address: Network 71.179.x.80/28

We went through the same procedure, setting the WAN to each IP.
Some time during the night, each of the IPs stopped working.
This morning, we set the WAN interface to each of the IPs and they are
working now, but we have no way of knowing what will happen tonight.

Any ideas?

  

Use CARP VIPs instead.




Maybe someone could point me to a walk-through for that.
The CARP page looks so much more complicated and I have never used it before.


  
http://www.pfsense.org/mirror.php?section=tutorials/carp/carp-cluster-new.htm 
is a very good tutorial.






Re: [pfSense Support] install package

2010-05-26 Thread Evgeny Yurchenko

Gokhan Mollamehmetoglu wrote:

Hi;
When I install a package, an error occurs:
"unable to retrieve package info from www.pfsense.com. Cached data will 
be used"


What version of pfSense? 32 or 64 bit? Can you ping www.pfsense.com from 
this box?

Most probably DNS issues.




Re: [pfSense Support] port forward

2010-05-25 Thread Evgeny Yurchenko

Gökhan Mollamehmetoğlu wrote:

Hi;
I am using pfsense and having a problem.
I want to write a rule as following.

Source --> 192.168.120.0/22 
destination --> any

destination  port 80
to 10.10.0.173 port 80 (port forward a lan network to a lan IP)

  
Currently it is not possible to specify source IP/range in port 
forwarding rules (at least in 1.2.3 version).





Re: [pfSense Support] FTP problems behind 1.2.3 box

2010-05-13 Thread Evgeny Yurchenko

Danny wrote:



On Thu, May 13, 2010 at 4:17 PM, Evgeny Yurchenko wrote:


Danny wrote:



On Thu, May 13, 2010 at 2:50 PM, Evgeny Yurchenko wrote:

   Danny wrote:

   Hi,

   My clients in OPT behind 2xpfsense (Carped), cannot
connect to
   outside ftp servers using active mode. If they switch to
   passive the ftp works fine.

   FTP Userland proxy is disabled in LAN, OPT and WAN and there's
   outbound NAT

   Any ideas?

   -- dpc

   Try enable FTP proxy on your OPT.
   Evgeny.

 


Not working either. Can connect, but cannot retrieve, put or
list directories

Regards.

-- 
dpc


Just tested it - works. Start with a TCP dump on WAN and make sure
you receive SYN packets to some high TCP port from the remote server.

Evgeny.



The clients should specify the firewall as FTP proxy, shouldn't they?

Regards

--
dpc


No.




Re: [pfSense Support] FTP problems behind 1.2.3 box

2010-05-13 Thread Evgeny Yurchenko

Danny wrote:



On Thu, May 13, 2010 at 2:50 PM, Evgeny Yurchenko wrote:


Danny wrote:

Hi,

My clients in OPT behind 2xpfsense (Carped), cannot connect to
outside ftp servers using active mode. If they switch to
passive the ftp works fine.

FTP Userland proxy is disabled in LAN, OPT and WAN and there's
outbound NAT

Any ideas?

-- 
dpc


Try enable FTP proxy on your OPT.
Evgeny.


Not working either. Can connect, but cannot retrieve, put or list 
directories


Regards.

--
dpc
Just tested it - works. Start with a TCP dump on WAN and make sure you 
receive SYN packets to some high TCP port from the remote server.

Evgeny.




Re: [pfSense Support] FTP problems behind 1.2.3 box

2010-05-13 Thread Evgeny Yurchenko

Danny wrote:

Hi,

My clients in OPT behind 2xpfsense (Carped), cannot connect to outside 
ftp servers using active mode. If they switch to passive the ftp works 
fine.


FTP Userland proxy is disabled in LAN, OPT and WAN and there's outbound NAT

Any ideas?

--
dpc

Try enable FTP proxy on your OPT.
Evgeny.




Re: [pfSense Support] Weird behaviour accessing from WAN to LAN using PAT on CARped system

2010-05-06 Thread Evgeny Yurchenko

Danny wrote:

Hi,

I've got two pfSense 1.2.3 boxes (CARPed), and I'm experiencing issues 
accessing from the outside to the inside using PAT (from WAN to OPT2).


I don't think the problem is the rules, because sometimes it works and 
sometimes not.


I tcpdumped the traffic, and it seems it is working, but sometimes not... 
I also parsed the log.


First try: connection dropped
May 6 18:20:19 block em1 TCP 88.215.163.167:55944 192.168.212.171:22


Second try: connection timed out
May 6 18:30:09 pass em1 TCP 88.215.163.167:56122 192.168.212.171:22


Third try: dropped (but the initial prompt was seen)
May 6 18:35:24 block em1 TCP 88.215.163.167:55944 192.168.212.171:22


PAT rules are OK. Access rules OK, but sometimes I see the traffic 
dropped by the default rule, when a couple of rules below there is an 
explicit rule to permit the traffic between WAN and LAN.


PAT for 88.215.163.167 to SSH is 22171 > 192.168.212.171 port 22
Any clue?

(Obviously IPs are fictitious)
--
dpc

Isn't 192.168.212.171 OPT's IP by chance?





Re: [pfSense Support] Add/Change PPTP user accounts from SSH command line.

2010-04-23 Thread Evgeny Yurchenko

Karl Fife wrote:
I am trying to create a 2-factor authentication system for PPTP on 
pfSense, and its feasibility depends upon being able to script the 
addition/deletion/modification of PPTP user accounts.  Can anyone tell 
me what the command-line would be for adding user 'scott' identified 
by the password 'tiger1234'?  What would be the command for removing 
the user 'scott'?


The bigger picture would be that a road-warrior (Instead of carrying 
an RSA, SecurID or Yubikey) would simply call a special telephone 
number (Hosted by our Asterisk PBX) just prior to PPTP connection. The 
call would trigger our Asterisk server to generate a single-use 
password suffix.  The single-use password suffix would be sent to the 
user's known phone number ("something you have") via our SMS gateway, 
or via callback for voice delivery (to eliminate CALLID spoof 
vulnerability).  Asterisk would then look up, and prepend the user's 
'chosen' password to the single-use password ("something you know"), 
and then connect to pfSense to insert the PPTP user account, and 
schedule its subsequent removal.


I may also require the user to record something in their own 
voice to validate "something you are". While not a true third factor, 
this would give a margin of security for detecting unauthorized 
access attempts.


Any CLI help would be appreciated!

Thanks!
-Karl

What's the budget?





Re: [pfSense Support] no packages for 2.0

2010-04-19 Thread Evgeny Yurchenko

David Burgess wrote:

On Mon, Apr 19, 2010 at 2:03 PM, Evgeny Yurchenko  wrote:

  

Can you trace what request is generated by your pfSense when you try to
access list of available packages?



Where would I find that?

db


  

tcpdump -ni  -s0 -wpfSensePkg.cap host 69.64.6.21
Then load pfSensePkg.cap into Wireshark and see (or send it to me off-list).
Evgeny.





Re: [pfSense Support] no packages for 2.0

2010-04-19 Thread Evgeny Yurchenko

David Burgess wrote:

On Mon, Apr 19, 2010 at 1:29 PM, Jim Pingle  wrote:

  

It's probably looking for a package file that doesn't exist. Did this
ever work before?



It's the first time I've tried PFS on 64-bit.

  

I'm not sure if there are any 64-bit packages setup in the repo yet.



That's possible, and unfortunate.

db
  
Apparently there is no proper pkg_config.8.xml.XXX (or 
pkg_config.7.xml.XXX, depending on the FreeBSD version) file for these boxes.

From xmlrpc.php:
    if($params['freebsd_machine'])
        if($params['freebsd_machine'] != "i386")
            $freebsd_machine = "." . $params['freebsd_machine'];

Can you trace what request is generated by your pfSense when you try to 
access list of available packages?

For example my 32-bit system generates:


pfsense.get_pkgs



pkg
all

info


noembedded
name
category
website
version
status
descr
maintainer
required_version
pkginfolink



freebsd_version
7






I think yours inserts the freebsd_machine parameter in its request.

Evgeny.




Re: [pfSense Support] Wierd CARP problem

2010-04-19 Thread Evgeny Yurchenko

Joshua Schmidlkofer wrote:

Does pfSense' log say CARP is moved from Active to Passive?
Evgeny.



Evgeny,

 It appears we are getting some of that: (JAX2)

Apr 19 14:48:13 kernel: carp1: link state changed to DOWN
Apr 19 14:48:13 kernel: carp1: MASTER -> BACKUP (more frequent
advertisement received)
Apr 19 14:48:10 kernel: carp1: link state changed to UP
Apr 19 14:48:07 kernel: carp1: link state changed to DOWN
Apr 19 14:48:07 kernel: carp1: MASTER -> BACKUP (more frequent
advertisement received)
..
Apr 19 14:31:22 kernel: carp1: MASTER -> BACKUP (more frequent
advertisement received)
Apr 19 14:31:14 kernel: carp1: link state changed to UP
Apr 19 14:31:10 kernel: carp1: link state changed to DOWN
Apr 19 14:31:10 kernel: carp1: MASTER -> BACKUP (more frequent
advertisement received)
Apr 19 14:31:07 kernel: carp1: link state changed to UP


 I have just been brought in (again) for this problem, and I now see
another correlation.   I just realized that the timestamps of the
CARP1 UP match a message from JAX1: kernel: re1: watchdog timeout

  Apparently, this may be the source of my problem.

Sincerely,
 Joshua


  
Yes, do not blame your switch, something is wrong with your pfSense 
cluster. Most probably your re1 becomes overloaded with traffic.

Evgeny.
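Added example (it is not code from the thread or from pfSense): a small log correlator in Python that does mechanically what Joshua did by eye, pairing each carp1 "link state changed to UP" on one node with an re1 watchdog timeout on the other node within a few seconds. The sample log is constructed from the lines quoted above; the JAX1 timestamps, the node-name prefix on each line and the year are assumptions.

```python
"""Added example (not from the thread): parse kernel log lines from both
cluster nodes and tie CARP flaps on one node to NIC watchdog timeouts on
the other, the correlation the thread arrives at by eye."""
import re
from collections import namedtuple
from datetime import datetime

Event = namedtuple("Event", "when host kind ifname detail")

LINE_RE = re.compile(
    r"^(?P<host>\S+) (?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) kernel: (?P<msg>.*)$")
CARP_STATE_RE = re.compile(r"^(?P<ifname>carp\d+): (?P<old>\w+) -> (?P<new>\w+)")
CARP_LINK_RE = re.compile(r"^(?P<ifname>carp\d+): link state changed to (?P<state>UP|DOWN)")
WATCHDOG_RE = re.compile(r"^(?P<ifname>[a-z]+\d+): watchdog timeout")

# Constructed sample modelled on the excerpts quoted above. Each line is
# prefixed with the node name; the JAX1 timestamps are assumed to line up
# with the carp1 UP events, as the thread describes.
SAMPLE_LOG = """\
JAX2 Apr 19 14:31:07 kernel: carp1: link state changed to UP
JAX2 Apr 19 14:31:10 kernel: carp1: MASTER -> BACKUP (more frequent advertisement received)
JAX2 Apr 19 14:31:10 kernel: carp1: link state changed to DOWN
JAX2 Apr 19 14:31:14 kernel: carp1: link state changed to UP
JAX2 Apr 19 14:31:22 kernel: carp1: MASTER -> BACKUP (more frequent advertisement received)
JAX1 Apr 19 14:31:07 kernel: re1: watchdog timeout
JAX1 Apr 19 14:31:14 kernel: re1: watchdog timeout
JAX2 Apr 19 14:48:07 kernel: carp1: MASTER -> BACKUP (more frequent advertisement received)
JAX2 Apr 19 14:48:07 kernel: carp1: link state changed to DOWN
JAX2 Apr 19 14:48:10 kernel: carp1: link state changed to UP
JAX1 Apr 19 14:48:10 kernel: re1: watchdog timeout
JAX2 Apr 19 14:48:13 kernel: carp1: MASTER -> BACKUP (more frequent advertisement received)
JAX2 Apr 19 14:48:13 kernel: carp1: link state changed to DOWN
"""


def parse_events(log_text, year=2010):
    """Turn 'HOST Mon DD HH:MM:SS kernel: ...' lines into Events sorted by
    time. syslog lines carry no year, so one is supplied."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        msg = m["msg"]
        if (s := CARP_STATE_RE.match(msg)):
            events.append(Event(when, m["host"], "carp_state", s["ifname"],
                                f"{s['old']}->{s['new']}"))
        elif (l := CARP_LINK_RE.match(msg)):
            events.append(Event(when, m["host"], "carp_link", l["ifname"], l["state"]))
        elif (w := WATCHDOG_RE.match(msg)):
            events.append(Event(when, m["host"], "watchdog", w["ifname"], ""))
    return sorted(events)


def correlate(log_text, window_seconds=5):
    """Count CARP demotions and pair each carp UP with a watchdog timeout
    on a different host that falls within window_seconds of it."""
    events = parse_events(log_text)
    watchdogs = [e for e in events if e.kind == "watchdog"]
    carp_ups = [e for e in events if e.kind == "carp_link" and e.detail == "UP"]
    demotions = [e for e in events
                 if e.kind == "carp_state" and e.detail == "MASTER->BACKUP"]
    pairs = []
    for up in carp_ups:
        near = [wd for wd in watchdogs
                if wd.host != up.host
                and abs((up.when - wd.when).total_seconds()) <= window_seconds]
        if near:
            pairs.append((up, near[0]))
    return {
        "master_to_backup": len(demotions),
        "watchdog_timeouts": len(watchdogs),
        "carp_up_near_watchdog": len(pairs),
        "pairs": pairs,
    }


if __name__ == "__main__":
    result = correlate(SAMPLE_LOG)
    for up, wd in result["pairs"]:
        print(f"{up.host} {up.ifname} UP at {up.when:%H:%M:%S} "
              f"<-> {wd.host} {wd.ifname} watchdog at {wd.when:%H:%M:%S}")
```

Feeding it syslog from both nodes (pfSense's remote syslog output, with the hostname kept) answers "is the flap caused by the NIC?" before anyone blames the switch. "MASTER -> BACKUP (more frequent advertisement received)" on its own only says that a second master appeared on the segment, not why.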





Re: [pfSense Support] Weird CARP problem

2010-04-19 Thread Evgeny Yurchenko

Joshua Schmidlkofer wrote:

I have a site in Jacksonville, FL.   We have two Watchguard Firebox
X700s, with upgraded RAM and a pfSense embedded deployment.

 Since installation we have had WEIRD problems with the VPN.  We
THOUGHT it was the vpn.  However, weeks and work revealed an apparent
switch problem.  Basically, what we've determined is happening is that
our HP 2524 is getting confused and moving the internal CARP address
over to the second firewall.

...

Sincerely,
 Joshua

  

Does pfSense' log say CARP is moved from Active to Passive?
Evgeny.




Re: [pfSense Support] Generating graphs

2010-04-08 Thread Evgeny Yurchenko

innocent.mayu...@pccb.go.tz wrote:

Dear support,

We are using pfsense and with a subscribed bandwidth of 1 Mb up and down.
While monitoring through the RRD Graphs we are not going past 600 bits/s

Kindly advise what we can amend or configure in order to monitor our true
bandwidth usage.
Moreover if there is another utility i could use to monitor the usage
through the Pfsense.

Regards,

Innocent.
  
Try to look at Status->Traffic graph when you are downloading something. 
Does it show something close to the true value?

Evgeny.




[pfSense Support] in config.xml

2010-04-05 Thread Evgeny Yurchenko

Hello,
what meaning do these lines in config.xml have please?
   100
   Mb
I know that for setting up speed and duplex we use  and 
Thanks!
Evgeny.




Re: [pfSense Support] pfsense reset

2010-03-31 Thread Evgeny Yurchenko

Brent Clark wrote:

Hiya

I would like to reset my pfSense to the factory default settings.

How would one set up pfSense via the command line to enable access to the webgui?

Kind Regards
Brent Clark

Connect console or ssh to your pfSense and choose option 4)
pfSense console setup
***
0)  Logout (SSH only)
1)  Assign Interfaces
2)  Set LAN IP address
3)  Reset webConfigurator password
4)  Reset to factory defaults
5)  Reboot system
6)  Halt system
7)  Ping host
8)  Shell
9)  PFtop
10)  Filter Logs
11)  Restart webConfigurator
12)  pfSense Developer Shell
13)  Upgrade from console
14)  Disable Secure Shell (sshd)

Enter an option:





Re: [pfSense Support] MultiWAN Failover via internal networks with WAN as secondary

2010-03-30 Thread Evgeny Yurchenko




Danny wrote:

  
  On Tue, Mar 30, 2010 at 4:56 PM, Evgeny
Yurchenko <evg.yu...@rogers.com>
wrote:
  Danny
wrote:

  I cannot do that, because the main
infrastructure is already built-in.
  
  
I mean 192.168.212.0/24 <http://192.168.212.0/24>
and 172.24.24.0/24 <http://172.24.24.0/24>,
both got ROUTER GW as default router "today".
  
  
I have installed 2xPfsense, plugged in this way
  
    OPT1 in 192.168.212.0/24 <http://192.168.212.0/24>
    OPT2 in 172.24.24.0/24 <http://172.24.24.0/24>
  
    We have leased a WAN Link, (pfSense WAN interface)
  
"Tomorrow" we have to change the default gateway for both networks, to
point to pfsense, Load Balancing with failover, to continue using former
link, and in case the ROUTER GW is down, use the WAN of pfSense as an
alternative
  
  
ROUTER GW, and inet (172.16.0.2), is managed by third parties, that's
the reason I cannot plug directly to pfsense
  
Thank you
Regards
  
  
       
On Tue, Mar 30, 2010 at 4:14 PM, Evgeny Yurchenko <evg.yu...@rogers.com evg.yu...@rogers.com>> wrote:
  
   Evgeny Yurchenko wrote:
  
       Danny wrote:
  
           Hi,
  
           I'm trying to setup this:
  
  
                                                                   
           ___
                      (    )                                          
          (    )
                     ( inet )                                          
        ( inet )
                      ()                                          
          ()
                        |22.22.22.4                                    
           |172.16.0.2
                        |                                              
|
                        |                                              
|
                        |22.22.22.1(WAN)                              
            |172.16.0.1
                 -                                
 172.24.24.12___|__
            --|pfSense x2 |---|
           ROUTER GW  |
            LAN   |___|172.24.24.20 (OPT2) |                  
      ||
                        |                         |                    
           | 192.168.212.20
                        |192.168.212.254(OPT1)    |                    
|
                        |                         |172.24.24.0/24
  
           <http://172.24.24.0/24> <http://172.24.24.0/24>
      |
  
                        |                                              
|
                        |                                              
|
                       
|___|
                                            |
                                            |  192.168.212.0/24
  
           <http://192.168.212.0/24> <http://192.168.212.0/24>
  
                                            |
                 Requirements:
  
                  Connection should always go via ROUTER GW, but
           default gateway for all machines in both   networks should
           be pfsense (OPT1 and OPT2)
                  If 172.24.24.12 is down connection should go via
           pfSense WAN interface
                  If 192.168.212.20 is down connection should go via
           pfSense WAN interface
  
           Interface LAN not used because Failover gateway cannot be
           specified at pfSense 1.2.3 in LAN Interface
  
  
           I'm stuck. I followed the MultiWAN tutorial, but when I
  
           create Failover using gateways to monitor, I see the same
           address for WAN an OPT1 in the pool...
  
           Any ideas
           Thanks
  
  
           --             dpc
  
  
       I am afraid you have a wrong understanding of MultiWAN.
  
   I think you should be doing the following:
  
  
             (    )                         (    )
            ( inet )                       ( inet )
             ()                         ()
               |22.22.22.4                     |172.16.0.2
               |                               |
               |                               |
               |22.22.22.1(WAN)                |172.16.0.1(OPT1)
               |           -       |
                ---|pfSense x2 |---
                           |___|
         172.24.24.20 (LAN) |      |192.168.212.254(OPT2)
  
                            |      |                                  
              |      |
  
      172.24.24.0/24 <http://172.24.24.0/24>
       |
    192.168.212.0/24 <http://192.168.212.0/24>
  
                                      
-
  
  
  
   ---

Re: [pfSense Support] MultiWAN Failover via internal networks with WAN as secondary

2010-03-30 Thread Evgeny Yurchenko

Danny wrote:

I cannot do that, because the main infrastructure is already built-in.

I mean 192.168.212.0/24 <http://192.168.212.0/24> and 172.24.24.0/24 
<http://172.24.24.0/24>, both got ROUTER GW as default router "today".


I have installed 2xPfsense, plugged in this way
 OPT1 in 192.168.212.0/24 <http://192.168.212.0/24>
 OPT2 in 172.24.24.0/24 <http://172.24.24.0/24>
 We have leased a WAN Link, (pfSense WAN interface)

"Tomorrow" we have to change the default gateway for both networks, to 
point to pfsense, Load Balancing with failover, to continue using former 
link, and in case the ROUTER GW is down, use the WAN of pfSense as an 
alternative


ROUTER GW, and inet (172.16.0.2), is managed by third parties, that´s 
the reason I cannot plug directly to pfsense


Thank you
Regards

    

On Tue, Mar 30, 2010 at 4:14 PM, Evgeny Yurchenko 
mailto:evg.yu...@rogers.com>> wrote:


Evgeny Yurchenko wrote:

Danny wrote:

Hi,

I'm trying to setup this:


  
  ___
   ()
 ()
  ( inet )  
 ( inet )
   ()
 ()
 |22.22.22.4  
  |172.16.0.2

 |   |
 |   |
 |22.22.22.1(WAN)
   |172.16.0.1
  -  
172.24.24.12___|__

 --|pfSense x2 |---|
ROUTER GW  |
 LAN   |___|172.24.24.20 (OPT2) |
 ||
 | |  
  | 192.168.212.20

 |192.168.212.254(OPT1)| |
 | |172.24.24.0/24
<http://172.24.24.0/24> <http://172.24.24.0/24>   |
 |   |
 |   |
 |___|
 |
 |  192.168.212.0/24
<http://192.168.212.0/24> <http://192.168.212.0/24>
 |
  Requirements:

   Connection should always go via ROUTER GW, but
default gateway for all machines in both   networks should
be pfsense (OPT1 and OPT2)
   If 172.24.24.12 is down connection should go via
pfSense WAN interface
   If 192.168.212.20 is down connection should go via
pfSense WAN interface

Interface LAN not used because Failover gateway cannot be
specified at pfSense 1.2.3 in LAN Interface

I'm stuck. I followed the MultiWAN tutorial, but when I
create Failover using gateways to monitor, I see the same
address for WAN an OPT1 in the pool...

Any ideas
Thanks


-- 
dpc



I am afraid you have a wrong understanding of MultiWAN.

I think you should be doing the following:


  () ()
 ( inet )   ( inet )
  () ()
|22.22.22.4 |172.16.0.2
|   |
|   |
|22.22.22.1(WAN)|172.16.0.1(OPT1)
|   -   |
 ---|pfSense x2 |---
|___|
  172.24.24.20 (LAN) |  |192.168.212.254(OPT2)

 |  |
 |  |

172.24.24.0/24 <http://172.24.24.0/24>    |
 192.168.212.0/24 <http://192.168.212.0/24>
 -







--
dpc

Please do no

Re: [pfSense Support] MultiWAN Failover via internal networks with WAN as secondary

2010-03-30 Thread Evgeny Yurchenko

Evgeny Yurchenko wrote:

Danny wrote:

Hi,

I'm trying to setup this:


  ___
()  ()
   ( inet )( inet )
()  ()
  |22.22.22.4 
|172.16.0.2

  |   |
  |   |
  |22.22.22.1(WAN)
|172.16.0.1

   -   172.24.24.12___|__
 --|pfSense x2 |---| ROUTER GW  |
 LAN   |___|172.24.24.20 (OPT2) |  ||
  | | | 
192.168.212.20

  |192.168.212.254(OPT1)| |
  | |172.24.24.0/24 
<http://172.24.24.0/24>   |

  |   |
  |   |
  |___|
  |
  |  192.168.212.0/24 
<http://192.168.212.0/24>

  |
   
Requirements:


Connection should always go via ROUTER GW, but default gateway 
for all machines in both   networks should be pfsense (OPT1 and OPT2)
If 172.24.24.12 is down connection should go via pfSense WAN 
interface
If 192.168.212.20 is down connection should go via pfSense WAN 
interface


Interface LAN not used because Failover gateway cannot be specified 
at pfSense 1.2.3 in LAN Interface


I'm stuck. I followed the MultiWAN tutorial, but when I create Failover 
using gateways to monitor, I see the same address for WAN an OPT1 in 
the pool...


Any ideas
Thanks


--
dpc


I am afraid you have a wrong understanding of MultiWAN.


I think you should be doing the following:

   () ()
  ( inet )   ( inet )
   () ()
 |22.22.22.4 |172.16.0.2
 |   |
 |   |
 |22.22.22.1(WAN)|172.16.0.1(OPT1)
 |   -   |
  ---|pfSense x2 |---
 |___|
   172.24.24.20 (LAN) |  |192.168.212.254(OPT2)
  |  |
  |  |

172.24.24.0/24    |  192.168.212.0/24
  -





Re: [pfSense Support] MultiWAN Failover via internal networks with WAN as secondary

2010-03-30 Thread Evgeny Yurchenko

Danny wrote:

Hi,

I'm trying to setup this:


  ___
()  ()
   ( inet )( inet )
()  ()
  |22.22.22.4 |172.16.0.2
  |   |
  |   |
  |22.22.22.1(WAN)|172.16.0.1
   -   172.24.24.12___|__
 --|pfSense x2 |---| ROUTER GW  |
 LAN   |___|172.24.24.20 (OPT2) |  ||
  | | | 
192.168.212.20

  |192.168.212.254(OPT1)| |
  | |172.24.24.0/24 
   |

  |   |
  |   |
  |___|
  |
  |  192.168.212.0/24 


  |



Requirements:

Connection should always go via ROUTER GW, but default gateway 
for all machines in both   networks should be pfsense (OPT1 and OPT2)
If 172.24.24.12 is down connection should go via pfSense WAN 
interface
If 192.168.212.20 is down connection should go via pfSense WAN 
interface


Interface LAN not used because Failover gateway cannot be specified at 
pfSense 1.2.3 in LAN Interface


I'm stuck. I followed the MultiWAN tutorial, but when I create Failover 
using gateways to monitor, I see the same address for WAN an OPT1 in 
the pool...


Any ideas
Thanks


--
dpc


I am afraid you have a wrong understanding of MultiWAN.





Re: [pfSense Support] PPTP Connected?

2010-03-30 Thread Evgeny Yurchenko

Tortise wrote:

Hi
Using  1.2.3-RELEASE (embedded) I have a PPTP server configured and I 
can connect remotely however I still cannot "connect" with anything on 
the LAN.  I think the issue is the IP assigned to remote connections 
is remotely said to be 255.255.255.255 while the LAN is using 
255.255.255.0, the IP address assigned seems OK.  Can someone guide me 
from here?  No Radius or WINS server is involved.




Does IP assigned via PPTP belong to LAN subnet?
Can you give us netstat -rn from the computer connected to this PPTP?





Re: [pfSense Support] NAT behind IPSEC

2010-03-05 Thread Evgeny Yurchenko

Ståle Johnsen wrote:

Hello,
We have a customer who routes their internet through their IT-service 
provider. We need a secure IPsec connection from our internal network 
to the customer's internal network. The other IT-service provider does 
not allow any new RFC1918 into their transport network. So they say we 
have to NAT our internal network or server to an official IP address in 
our firewall/VPN. Is this possible to do behind an IPsec with pfSense? 
If not, we are very happy for any suggestions to solve this. The 
solution has to be IPsec because the nodes we are trying to reach 
on the customer's network are embedded terminals without possibilities 
for OpenVPN etc.


Thanks in advance.

Regards,
Stale Johnsen 
I think it is impossible. 
http://forum.pfsense.org/index.php/topic,14650.0.html

Evgeny




[pfSense Support] Firewall->Rules dropdown list strange behavior

2010-03-03 Thread Evgeny Yurchenko

Hi!
If you have many interfaces (or interfaces with long names) you get a 
dropdown box instead of the tabbed representation in Firewall->Rules.
Yesterday I noticed that only Firefox handles the dropdown Interface box 
properly (neither IE nor Chrome reacted to changes of selection). Not a 
very nice surprise when you are without your laptop at a client's site and 
urgently need to make changes -(


I think the problem is none of these browsers pay attention to onClick=...> handler.
It seems modification below makes it work properly in all browsers. This 
is for 1.2.3-RELEASE.

# diff -ru pfsense-utils.inc.bak pfsense-utils.inc
--- pfsense-utils.inc.bak   2009-12-07 03:12:36.0 +
+++ pfsense-utils.inc   2010-03-03 17:49:33.0 +
@@ -2264,13 +2264,13 @@
   // then show a select item dropdown menubox.
   if($tabcharcount > 82) {
   echo "Currently viewing: ";
-   echo "\n";
+   echo "onChange=\"document.location=this.options[this.selectedIndex].value\">\n";

   foreach ($tab_array as $ta) {
   if($ta[1]=="true")
   $selected = " SELECTED";
   else
   $selected = "";
-   echo "onClick=\"document.location='{$ta[2]}';\"{$selected}>{$ta['0']}\n";
+   echo "onClick=\"document.location='{$ta[2]}';\"{$selected}>{$ta['0']}\n";

   }
   echo "\n";
   }  else {
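Review bot: the per-option onClick handler kept on the last "+" line of the hunk (onClick=\"document.location='{$ta[2]}';\") is now redundant with the onChange handler added to the select on the first "+" line, so navigation has two paths; drop the option-level onClick and let the option carry the URL only in its value attribute, which is what the new onChange reads. As shown here the "-" and "+" option lines read identically, so the hunk does not show what actually changed on the option element (presumably its value); re-send it with the full lines. Also {$ta[2]} is interpolated into a JavaScript string literal and an HTML attribute without escaping, so a tab target containing a single quote, backslash or double quote would break the handler; run it through htmlspecialchars() when it is emitted.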

Thanks,
Evgeny.




Re: [pfSense Support] Slow TCP connection

2010-02-26 Thread Evgeny Yurchenko

Hiren Joshi wrote:

Hi,

I'm running a load of performance tests and I've found that one in every
100 odd TCP connections takes a few seconds to make the initial call.
Once the connection has been established things go quickly but the
initial connection sometimes hangs for a second or two.

Can someone point me in the right direction as to what sort of debugging
I can run or what logs to look at for this?

Thanks,
Josh.
pfsense 1.2-RELEASE.
  

Aren't you running into the maximum number of states?
Do you get tcpdump for this slow TCP connection initiation?
Evgeny.





Re: [pfSense Support] Possible Bug in rule parsing

2010-02-22 Thread Evgeny Yurchenko

Chris Buechler wrote:

On Sun, Feb 21, 2010 at 11:14 PM, Jim Spaloss  wrote:
  

Hello,
I'm not sure if this is the proper place to post a bug, but I couldn't find
the proper place. I'm a long time lurker on the M0n0wall list, but have
begun to use PFSense for some of my more complicated installs. I'm currently
working on setting up a shop for myself.
The Tech Bench has 20 ports, each on its own VLAN and pfSense interface. I
am using a whitelist approach to the rules for the Tech Bench interfaces and
when I add a rule to allow DNS traffic to the pfSense interface address it
works fine on interfaces opt1-opt9. However, when I hit opt10, the rule
stops working and the text "Interface IP address" in the Destination
field of the rule screen is blank. I tried editing the rule and re-saving it
multiple times, but the result is the same. Changing the destination from
the interface address to the subnet instead is a work-around that I am
currently using.



Please send me a full backup of your config off list.
  
I've noticed the same some time ago but never got time to troubleshoot 
it. First of all OPT10 and higher do not appear properly in the web GUI - instead 
of "Interface IP address" you get empty space.
The only incorrect thing I found is in guiconfig.inc function 
print_address($adr):

   if (preg_match("/opt[0-999]ip/", $adr['network'])) {
does not work as "opt0 through opt999". I think it should be replaced with
   if (preg_match("/opt[0-9]{1,3}ip/", $adr['network'])) {


Evgeny.
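Added example, not pfSense code: a Python check that shows why the quoted pattern stops working at OPT10 and exercises the proposed replacement. In PCRE as in Python's re, [0-999] is a character class (the digits 0 to 9, with 9 listed twice), so it matches exactly one digit; opt[0-9]{1,3}ip matches one to three. The address_label() lookup and the iface_labels map are constructed for illustration and are not the real print_address() code; the anchored STRICT_OPT_RE goes one step beyond the fix proposed in the thread.

```python
"""Added example (not pfSense code): why the interface-address regex quoted
above stops at opt9, and a stricter form for the lookup."""
import re

# Pattern quoted from guiconfig.inc print_address() and the fix proposed in
# the thread. Python's re treats these character classes the same way PCRE does.
BUGGY_OPT_RE = re.compile(r"opt[0-999]ip")       # [0-999] == [0-9]: one digit only
FIXED_OPT_RE = re.compile(r"opt[0-9]{1,3}ip")    # one to three digits
# Added here: anchored, so tokens like 'xopt1ipx' or 'opt1ipsec' cannot match.
STRICT_OPT_RE = re.compile(r"^opt[0-9]{1,3}ip$")


def first_missed_opt(pattern, limit=20):
    """Return the lowest N in 1..limit whose 'optNip' token the pattern
    fails to match, or None if it matches all of them."""
    for n in range(1, limit + 1):
        if pattern.search(f"opt{n}ip") is None:
            return n
    return None


def address_label(network, iface_labels):
    """Stand-in for the 'Interface IP address' label in the rule editor:
    map 'lanip', 'wanip' or 'optNip' to a display string. iface_labels is
    a constructed {'opt10': 'TECHBENCH10'} style map of interface names."""
    if network in ("lanip", "wanip"):
        return f"{network[:-2].upper()} address"
    if STRICT_OPT_RE.match(network):
        key = network[:-2]                      # strip the trailing 'ip'
        return f"{iface_labels.get(key, key.upper())} address"
    return network                              # not an interface alias


if __name__ == "__main__":
    print("buggy pattern first misses opt", first_missed_opt(BUGGY_OPT_RE))
    print("fixed pattern first misses opt", first_missed_opt(FIXED_OPT_RE))
    print(address_label("opt10ip", {"opt10": "TECHBENCH10"}))
```

The label is only cosmetic, but the same token is what the rule generator resolves to an address, which is why the rule itself stopped working at opt10 and not just its display.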




Re: [pfSense Support] 1.2 to 1.2.3 upgrade

2010-02-19 Thread Evgeny Yurchenko

Aloysius Lloyd wrote:

Hi All,

Apologies for the inconvenience. Please ignore the email

Thanks,
Lloyd


Did anybody call? just wondering -)




Re: [pfSense Support] VPN Problem

2010-02-16 Thread Evgeny Yurchenko

Abdulrehman wrote:
Thanks for all your help but still the issue is there...here is the 
screen-shot of my outbound NAT rule...please help



On Tue, Feb 16, 2010 at 3:22 AM, Chris Buechler > wrote:


On Mon, Feb 15, 2010 at 4:04 AM, Abdulrehman
mailto:arvagabo...@gmail.com>> wrote:
> I have added a rule at my LAN interface for UDP 500. But still same
> issue...cannot access remote websites...
>

Outbound NAT rule, not firewall rule. Needs to be on WAN.



Try to move your ISAKMP line to the top of the list, enter destination 
port 500, make it static and make non-static other entries in the list.





Re: [pfSense Support] BGP MD5 weird behavior when connection closes

2010-02-10 Thread Evgeny Yurchenko

Ermal Luçi wrote:



On Fri, Feb 5, 2010 at 11:22 PM, Evgeny Yurchenko 
mailto:evg.yu...@rogers.com>> wrote:


I think it is more FreeBSD's problem than pfSense's but decided
anyway to post it here as somebody might run into the same issue.
When we use MD5 TCP signing with OpenBGP package TCP connection
termination does not go properly which results in BGP password
errors on remote cisco side and thus problems with reestablishing
connection/routing.

So, normal tcp connection tearing down procedure:
---FIN--->
<---ACK---
<---FIN---
---ACK--->
All these TCP packets must be MD5 signed (correct me if I am
wrong). The problem is: when pfSense initiates connection
termination (you want to clear BGP session) the last ACK is not
MD5 signed. It makes cisco keep this connection active for some
time sending FINs as it attempts to close the connection.
If somebody has a clue how to fix this I would be very grateful
for solution.


Try disabling selective acks.
should be net.inet.tcp.sack.enable=0

--
Ermal

No luck. The same story.

Evgeny.




[pfSense Support] IPSec on 1.2-embedded

2010-02-09 Thread Evgeny Yurchenko

Hello.
There is Soekris with 1.2-RELEASE-embedded on CF. It has an IPSec tunnel 
to 1.2.3 carp-cluster. When carp-switchover occurs on the cluster the 
tunnel remains active but dead (active to former active node).

1. Will upgrade to pfSense-nano solve this problem?
2. Is it possible to do this upgrade remotely?
Thanks.

Evgeny.




Re: [pfSense Support] BGP MD5 weird behavior when connection closes

2010-02-05 Thread Evgeny Yurchenko

Ermal Luçi wrote:



On Fri, Feb 5, 2010 at 11:22 PM, Evgeny Yurchenko 
mailto:evg.yu...@rogers.com>> wrote:


I think it is more FreeBSD's problem than pfSense's but decided
anyway to post it here as somebody might run into the same issue.
When we use MD5 TCP signing with OpenBGP package TCP connection
termination does not go properly which results in BGP password
errors on remote cisco side and thus problems with reestablishing
connection/routing.

So, normal tcp connection tearing down procedure:
---FIN--->
<---ACK---
<---FIN---
---ACK--->
All these TCP packets must be MD5 signed (correct me if I am
wrong). The problem is: when pfSense initiates connection
termination (you want to clear BGP session) the last ACK is not
MD5 signed. It makes cisco keep this connection active for some
time sending FINs as it attempts to close the connection.
If somebody has a clue how to fix this I would be very grateful
for solution.


Try disabling selective acks.
should be net.inet.tcp.sack.enable=0
--
Ermal

I will but I do not think SACK algorithm is in use here.
Thanks.
Evgeny.




[pfSense Support] BGP MD5 weird behavior when connection closes

2010-02-05 Thread Evgeny Yurchenko
I think it is more FreeBSD's problem than pfSense's but decided anyway 
to post it here as somebody might run into the same issue.
When we use MD5 TCP signing with OpenBGP package TCP connection 
termination does not go properly which results in BGP password errors on 
remote cisco side and thus problems with reestablishing connection/routing.


So, normal tcp connection tearing down procedure:
---FIN--->
<---ACK---
<---FIN---
---ACK--->
All these TCP packets must be MD5 signed (correct me if I am wrong). The 
problem is: when pfSense initiates connection termination (you want to 
clear BGP session) the last ACK is not MD5 signed. It makes cisco keep 
this connection active for some time sending FINs as it attempts to 
close the connection.
If somebody has a clue how to fix this I would be very grateful for 
solution.

Thanks.

Evgeny.
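Added example, not from the thread: a Python parser for bare TCP headers that reports which segments of a teardown lack the TCP-MD5 option (kind 19, RFC 2385), which is the check behind the complaint above. The four-segment exchange and the 16-byte digest are constructed; only the option's presence is tested, since verifying the digest needs the shared key and the IP pseudo-header, which a bare TCP header does not carry.

```python
"""Added example (not from the thread): find the TCP segments of a BGP
session teardown that carry no TCP-MD5 signature option (RFC 2385).
Only option presence is checked; validating the digest needs the shared
key and the IP pseudo-header."""
import struct

FIN, ACK = 0x01, 0x10
TCPOPT_EOL, TCPOPT_NOP, TCPOPT_MD5SIG = 0, 1, 19
TCPOLEN_MD5SIG = 18          # kind (1) + length (1) + 16-byte digest

# Dummy digest for the constructed sample; a real one is MD5 over the
# pseudo-header, the TCP header, the payload and the shared secret.
DUMMY_DIGEST = bytes(range(16))


def build_segment(flags, signed, sport=179, dport=49152, seq=1000, ack=2000):
    """Return a bare TCP header (no IP header, no payload), optionally
    carrying a TCP-MD5 option. Checksum is left at zero: sample data only."""
    options = b""
    if signed:
        options = bytes([TCPOPT_MD5SIG, TCPOLEN_MD5SIG]) + DUMMY_DIGEST
        options += bytes([TCPOPT_EOL]) * (-len(options) % 4)   # pad to 32 bits
    data_offset = (20 + len(options)) // 4
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                         data_offset << 4, flags, 65535, 0, 0)
    return header + options


def tcp_options(segment):
    """Parse the option list of a TCP header into (kind, data) pairs."""
    data_offset = (segment[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset")
    opts, i, found = segment[20:data_offset], 0, []
    while i < len(opts):
        kind = opts[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("truncated or malformed option")
        length = opts[i + 1]
        found.append((kind, bytes(opts[i + 2:i + length])))
        i += length
    return found


def has_md5_signature(segment):
    return any(kind == TCPOPT_MD5SIG and len(data) == 16
               for kind, data in tcp_options(segment))


def flag_names(segment):
    flags = segment[13]
    return "+".join(name for bit, name in ((FIN, "FIN"), (ACK, "ACK")) if flags & bit)


def unsigned_segments(exchange):
    """Given [(direction, segment), ...], list the ones lacking TCP-MD5."""
    return [(i, direction, flag_names(seg))
            for i, (direction, seg) in enumerate(exchange)
            if not has_md5_signature(seg)]


# Constructed teardown matching the symptom in the thread: every segment is
# signed except the final ACK the FreeBSD side sends.
SAMPLE_TEARDOWN = [
    ("pfSense->cisco", build_segment(FIN | ACK, signed=True)),
    ("cisco->pfSense", build_segment(ACK, signed=True)),
    ("cisco->pfSense", build_segment(FIN | ACK, signed=True)),
    ("pfSense->cisco", build_segment(ACK, signed=False)),
]

if __name__ == "__main__":
    for idx, direction, flags in unsigned_segments(SAMPLE_TEARDOWN):
        print(f"segment {idx} {direction} {flags}: no TCP-MD5 option")
```

On a live box the same check is tcpdump -vvni <interface> tcp port 179: the option appears as md5 in each segment's option list, and tcpdump -M <secret> validates the digests, so the one segment without it stands out. That is also why the peer keeps the session half-open: a router configured for MD5 on the session discards an unsigned segment, so the unsigned final ACK is never accepted and the peer retransmits its FIN until it gives up.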




Re: [pfSense Support] Dual Gateways, Dual IPs on the same net

2010-01-17 Thread Evgeny Yurchenko

Mr Gabriel wrote:

If I configure a second virtual IP address on a device, will it always
send packets to the gateway configured, or to its primary gateway?

I do not think Virtual IPs and gateways are somehow related.


For example, two ISPs configured, two firewalls configured, gateway IP's
192.168.1.1 and .2.  

The part about 'two firewalls' is not clear, maybe two Virtual IPs on LAN?

Internal server has IP 192.168.1.100 with gateway
.1. Incoming packets that have been forwarded from outside, (for
instance an SSH session), will be returned to .1 for routing back to the
internet.

If a virtual adapter is configured with ip 192.168.1.101 and a gateway
of .2 will traffic that is destined to 101, always be returned .2???
I am confused here but if you want different servers (.100 and .101) to 
use different ISP you do not have to create virtual IPs. Use policy 
based routing- chose appropriate gateways in rules depending on source 
IP. If you want to route traffic from Internet to your servers using 
different ISP then use NAT port forward with corresponding WAN Interfaces.


Evgeny.






Re: SV: SV: [pfSense Support] virtual ip

2010-01-15 Thread Evgeny Yurchenko

a_subscribti...@fiberby.dk wrote:

But what virtual ip should I choose?
Both 'other' and 'proxy-arp' should be ok but I've never used 'other' 
and I think 'proxy-arp' should definitely work in your case.


Evgeny.




Re: [pfSense Support] port 80 -> 443

2010-01-08 Thread Evgeny Yurchenko

Michel Servaes wrote:

Is there a way to redirect a port 80 (wanside) to 443 (lanside).
Firewall->NAT->Port Forward. And make sure you have correct rule on WAN 
interface.
I can do port translation, but the IIS doesn't seem to accept this way 
of redirection...

IIS should not be aware of this translation at all.
Evgeny.




Re: [pfSense Support] ip range, how to setup a rule for using a different outgoing ip from within that pool

2009-12-27 Thread Evgeny Yurchenko

Michel Servaes wrote:

I have a pool of IP addresses... the gateway is x.y.18.17, and the
ending is x.y.18.22
I have two servers, that use the same outgoing protocol and the first
is working fine, as I have setup a rule to use the default gateway
.18.17 on the WAN side.

But I want to setup the second server to go out on .18.20 for
instance... but setting up rules, will allow me only to choose
"default" or ".18.17" (mind you, that the "default" is a second
network card, used for backup)
I have added virtual ip's (.18.18, .18.19, .18.20, ...), but cannot
choose them for outgoing rules... I'm sure I'm missing something basic
here.

Kind regards,
Michel


  
1. Create a rule on LAN interface with source IP of your second server 
and x.y.18.17 as a gateway. Make sure this rule is above other rules for 
your LAN subnet with default gateway.
2. Go to Outbound NAT, switch to AON and create one rule: 
Interface=interface with x.y.18.17 gateway, Source=IP address of your 
second server, Destination=Any, NAT Address=OneOfYourVirtualIPs 
x.y.18.z. Make sure this rule goes above any other rules for Interface.


Should work. By the way Virtual IPs do not have to be CARP unless you 
have pfSense cluster with at least two boxes.


Evgeny.




Re: [pfSense Support] routed / RIP -- No buffer space available?

2009-12-27 Thread Evgeny Yurchenko

Tim Nelson wrote:

- "Tim Nelson"  wrote:
  

----- "Evgeny Yurchenko"  wrote:


When you restart pfSense does RIP work? What MBUF usage shows? Does 
itcontinuously grow?
Evgeny.

  

RIP works for a little while upon reboot, then after about 30 minutes
or so, stops. The logs say nothing of consequence other than what I've
posted already.

However, upon first boot, MBUF usage is this:  426 /645  and RIP works
fine. Then, later, MBUF usage jumps up and RIP stops working. VERY
odd. And, I know there is no traffic through this box since the other
5 NICs are not connected to anything. Only one is connected to my
management network...

I've been using RIPv2 but for 'gits and shiggles' I'll try RIPv1 and
see if that makes any difference. I'm rather stumped on this one...




Well, for some reason, The system has been online and working properly now for 
nearly 4 days. The only setting that has been changed is going to RIPv1 instead 
of the previously selected RIPv2. Why this makes any difference, I don't know. 
Thanks all for the help. I'll continue to look into the MBUF area as it still 
interests me. :-)

Tim Nelson
Systems/Network Support
Rockbochs Inc.
(218)727-4332 x105
  

Has MBUF been growing since you switched to RIPv1?
Evgeny.





Re: [pfSense Support] please help me

2009-12-27 Thread Evgeny Yurchenko

chetan gohil wrote:

i have not configured any rules in firewall

all lan traffic can go to wan

and all wan traffic can go to lan

there is no any other configuration i did

thanks

Please do not top-post.
You do not have to configure any rules to be able to ping Google's IP 
from pfSense itself. Thus if your internet connection is up and running 
then you have to be able to ping 209.85.225.104. Just go to 
Diagnostics->Ping choose WAN and ping it.

Your tcpdump does not show any attempts to ping.
Evgeny.




Re: [pfSense Support] ip range, how to setup a rule for using a different outgoing ip from within that pool

2009-12-27 Thread Evgeny Yurchenko

Michel Servaes wrote:


Does the book cover my kind of issue... I guess I'd better buy one 
very soon now :-)


If you understood what you were doing you would definitely save lots of 
your time.

Evgeny.





[pfSense Support] sshlockout in 2.0

2009-12-22 Thread Evgeny Yurchenko

Hello,
# uname -a
FreeBSD 2.0-alpha-alpha 7.2-RELEASE-p3 FreeBSD 7.2-RELEASE-p3 #0: Wed 
Aug  5 16:55:16 UTC 2009 
sullr...@releng_2_0__freebsd_7_2-snaps.pfsense.org:/usr/obj.pfSense/usr/pfSensesrc/src/sys/pfSense_SMP.7  
i386


as soon as I connect to pfsense with the second ssh session I get blocked:
# pfctl -t sshlockout -T show
  192.168.7.113

Could somebody please explain this pfSense behavior? If it is done 
intentionally by the developers, then why?

Thanks,
Evgeny.




Re: [pfSense Support] routed / RIP -- No buffer space available?

2009-12-22 Thread Evgeny Yurchenko

Tim Nelson wrote:

- "Evgeny Yurchenko"  wrote:
  

When you restart pfSense does RIP work? What does MBUF usage show? Does it
continuously grow?
Evgeny.




RIP works for a little while upon reboot, then after about 30 minutes or so, 
stops. The logs say nothing of consequence other than what I've posted already.

However, upon first boot, MBUF usage is this:  426 /645  and RIP works fine. 
Then, later, MBUF usage jumps up and RIP stops working. VERY odd. And, I know 
there is no traffic through this box since the other 5 NICs are not connected 
to anything. Only one is connected to my management network...

I've been using RIPv2 but for 'gits and shiggles' I'll try RIPv1 and see if 
that makes any difference. I'm rather stumped on this one...

Tim Nelson
Systems/Network Support
Rockbochs Inc.
(218)727-4332 x105
  

Try
ping 224.0.0.9
from pfSense when there is a problem and right after you reboot.





Re: [pfSense Support] routed / RIP -- No buffer space available?

2009-12-22 Thread Evgeny Yurchenko


Tim Nelson wrote:

- "Tim Nelson"  wrote:
  

- "Tim Nelson"  wrote:


Greetings all-

I've got a system running 1.2-RELEASE embedded in my home lab
  

(haven't


upgraded to 1.2.3 because I don't have a larger CF available
  

yet...).


It's been working fine for quite some time but recently I enabled
  

RIP


on it. The route updates seem to be sent/received properly for
  

awhile,


then my logs start going nuts with errors like this:

routed[1242]: Send mcast sendto(re5, 224.0.0.9.520): No buffer
  

space


available

The Status -> System page shows memory usage at 22% (256MB total)
  

and


disk usage at 57% (256MB CF). So, where else would buffer space be
required that it's not available?

Thanks for any pointers you can lend!

  
Something else I didn't notice before... my MBUF Usage: 5337 /5505 


Does that make a difference?




While my MBUF usage isn't 100%, is it possible that it's high enough to prevent 
routed/RIP from working properly? Is the fix to simply add more RAM to the 
system in question?

Tim Nelson
Systems/Network Support
Rockbochs Inc.
(218)727-4332 x105
  


When you restart pfSense does RIP work? What does MBUF usage show? Does it 
continuously grow?

Evgeny.




[pfSense Support] OpenBGPD status page

2009-12-11 Thread Evgeny Yurchenko

I know it is cosmetic but it is easy to fix, please do it.

1) Status has two "OpenBGPD Routing" sections, one of them should be 
renamed to "Forwarding" as it shows fib not rib.

2) "OpenBGPD IP" section returns error

missing argument:
valid commands/args:
 bgp

It happens because there is no "bgpctl show ip" command; we have to use "bgpctl 
show ip bgp".

Fix for both issues:
--- openbgpd_status.php.20091211.bak2009-12-10 11:26:10.0 -0500
+++ openbgpd_status.php 2009-12-11 19:20:28.83700 -0500
@@ -140,10 +140,10 @@
defCmdT("OpenBGPD Summary","bgpctl show summary"); 
defCmdT("OpenBGPD Interfaces","bgpctl show interfaces"); 
defCmdT("OpenBGPD Routing","bgpctl show rib"); 
-defCmdT("OpenBGPD Routing","bgpctl show fib"); 
+defCmdT("OpenBGPD Forwarding","bgpctl show fib"); 
defCmdT("OpenBGPD Network","bgpctl show network"); 
defCmdT("OpenBGPD Nexthops","bgpctl show nexthop"); 
-defCmdT("OpenBGPD IP","bgpctl show ip"); 
+defCmdT("OpenBGPD IP","bgpctl show ip bgp"); 
defCmdT("OpenBGPD Neighbors","bgpctl show neighbor"); 


?>
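Review bot: Both substitutions match the symptoms described in the message (the `fib` section now gets its own label instead of duplicating "OpenBGPD Routing", and `bgpctl show ip bgp` is the form the quoted "valid commands/args: bgp" error asks for), so the logic looks right; the thing to tidy is the trailing whitespace after every `defCmdT(...);` in the context lines, which will keep showing up in future diffs. While here, the lone `?>` visible after the hunk could be dropped: a closing PHP tag followed by stray whitespace or a newline emits output from an included file.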

Thanks,
Evgeny.





[pfSense Support] OpenBGPD missing bracket

2009-12-11 Thread Evgeny Yurchenko
When you do not specify groups and have more than one neighbor, bgpd.conf is 
missing the right closing bracket and 'descr' does not look:

neighbor 2.2.2.252 {
   descr "left"
   set localpref 50
   remote-as 65444
neighbor 2.2.3.253 {
   descr "right"
   remote-as 65444
}


Could you please fix this?
--- openbgpd.inc.20091211.bak2009-12-10 11:26:10.0 -0500
+++ openbgpd.inc2009-12-11 17:15:09.76300 -0500
@@ -110,7 +110,7 @@
$used_this_item = false;
if($neighbor['groupname'] == "") {
  $conffile .= "neighbor {$neighbor['neighbor']} {\n";
-  $conffile .= "descr \"{$neighbor['descr']}\"\n";
+  $conffile .= "descr \"{$neighbor['descr']}\"\n";
  $setkeycf .= "delete {$openbgpd_conf['listenip']} 
{$neighbor['neighbor']} tcp 0x1000;\n";

  if  ($neighbor['md5sigpass']) {
$setkeycf .= "add {$openbgpd_conf['listenip']} 
{$neighbor['neighbor']} tcp 0x1000 -A tcp-md5 
\"{$neighbor['md5sigpass']}\";\n";
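Review bot: The `-` and `+` lines for `descr` are byte-for-byte identical as shown here, so either this is an indentation-only change that the mail client flattened (worth saying so in the description) or the hunk is a no-op. A second point on that same line: `$neighbor['descr']` is written into bgpd.conf between literal double quotes with no escaping, so a description containing a `"` or a line break would produce a broken config, and the same applies to `$neighbor['md5sigpass']` in the `setkeycf` line below it. Rejecting or escaping those characters where the GUI input is validated would be the safer place to handle it.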

@@ -125,9 +125,9 @@
$conffile .= "{$row['paramaters']} {$row['parmvalue']} \n";
  }
}
+if($used_this_item)
+  $conffile .= "}\n";
  }
-  if($used_this_item)
-$conffile .= "}\n";
}   
   
// OpenBGPD filters
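Review bot: Moving `if($used_this_item) $conffile .= "}\n";` inside the outer loop is what turns the single closing brace after the loop into one per neighbour, which matches the two-neighbour output quoted in the message; and because `$used_this_item = false;` sits at the top of the iteration in the first hunk, the flag is reset per neighbour, so a group member will not get a stray `}`. Two small things: the relocated `if` lost its indentation relative to the surrounding block, and `$row['paramaters']` in the context lines is spelled with an extra `a`; that is fine if the key is spelled the same way where the array is built, but it is worth checking.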


Thanks,
Evgeny.
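As an added illustration of the defect described in this message (not code from the pfSense OpenBGPD package, which is PHP), the following Python model renders bgpd.conf neighbor blocks from a neighbour list two ways: the "buggy" renderer emits one closing brace after the loop, reproducing the unbalanced output quoted above, and the "fixed" renderer closes every block inside the loop and additionally refuses descriptions that would break out of the quoted string. The `Neighbor` dataclass, `validate_neighbor` and the sample neighbour data are constructed for this example; the addresses and AS number are taken from the fragment in the message.

```python
"""Added example: a Python model of the bgpd.conf neighbour-block generator
(not the pfSense package's PHP code).  Sample neighbours are constructed
from the fragment quoted in the message."""

import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Neighbor:
    neighbor: str                 # peer IP address
    remote_as: int
    descr: str = ""
    groupname: str = ""           # empty string: neighbour is not in a group block
    localpref: Optional[int] = None


def _neighbor_body(n: Neighbor) -> str:
    """Lines inside a neighbor block, each indented with a tab."""
    out = f"\tdescr \"{n.descr}\"\n"
    if n.localpref is not None:
        out += f"\tset localpref {n.localpref}\n"
    out += f"\tremote-as {n.remote_as}\n"
    return out


def render_neighbors_buggy(neighbors: List[Neighbor]) -> str:
    """Pre-fix behaviour: the closing brace is emitted once, after the loop,
    so every groupless neighbour except the last is left unclosed."""
    out = ""
    used_this_item = False
    for n in neighbors:
        if n.groupname == "":
            used_this_item = True
            out += f"neighbor {n.neighbor} {{\n" + _neighbor_body(n)
    if used_this_item:
        out += "}\n"
    return out


def validate_neighbor(n: Neighbor) -> None:
    """Reject values that cannot be interpolated safely into bgpd.conf
    (hypothetical check, not part of the package)."""
    ipaddress.ip_address(n.neighbor)          # raises ValueError if not an IP
    if not 0 <= n.remote_as <= 4294967295:
        raise ValueError(f"remote-as out of range: {n.remote_as}")
    if any(c in n.descr for c in '"\n\r'):
        raise ValueError("descr must not contain quotes or line breaks")


def render_neighbors_fixed(neighbors: List[Neighbor]) -> str:
    """Post-fix behaviour: each groupless neighbour block is closed inside
    the loop, and inputs are validated before interpolation."""
    out = ""
    for n in neighbors:
        if n.groupname != "":
            continue                          # group members are rendered elsewhere
        validate_neighbor(n)
        out += f"neighbor {n.neighbor} {{\n" + _neighbor_body(n) + "}\n"
    return out


def braces_balanced(conf: str) -> bool:
    """Cheap sanity check a generator can run before writing the file."""
    return conf.count("{") == conf.count("}")


# Constructed from the sample bgpd.conf fragment in the message.
SAMPLE_NEIGHBORS = [
    Neighbor("2.2.2.252", 65444, descr="left", localpref=50),
    Neighbor("2.2.3.253", 65444, descr="right"),
]

if __name__ == "__main__":
    print("--- buggy (one closing brace for two neighbours) ---")
    print(render_neighbors_buggy(SAMPLE_NEIGHBORS))
    print("--- fixed ---")
    print(render_neighbors_fixed(SAMPLE_NEIGHBORS))
```

Running the script prints the same unbalanced fragment as in the message for the buggy path and a block per neighbour for the fixed one; `braces_balanced` is the kind of check a generator can run before it overwrites the live configuration.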






Re: [pfSense Support] How to ensure packets go out of the IP they came I on?

2009-12-04 Thread Evgeny Yurchenko

Chris Buechler wrote:

On Thu, Dec 3, 2009 at 7:42 PM, Gabriel - IP Guys
 wrote:
  

Dear All,


I have multiple ISP’s connected to my pfSense box, but only the ISP that is
configured as the WAN seems to be able to route traffic. 




That's how it works by default. Not enough info there to tell you what
you have setup that makes it not do that. Post your NAT, rules, and
anything else that may be relevant.
  
By the way, last time I checked, UDP OpenVPN did not work this way. 
The incoming packet comes in on OPTx, the outgoing one comes out of WAN. There was no 
such problem with TCP. Is it a known issue?





Re: [pfSense Support] PFSense advocacy

2009-12-02 Thread Evgeny Yurchenko

Ron García-Vidal wrote:
I realize this is a support forum, so if there is a better place to 
post this, I will take it there.


So, I'm trying to get a pfsense box in the shop because I've enjoyed 
working with it on my own setup.  The boss is fairly open-minded and 
open to a healthy discussion on the topic, but in the end, he wants to 
know why this would be preferable to a Cisco solution.


Since I've never worked extensively with Cisco, can someone give me a 
few salient points to throw at him. I already used the cost argument, 
he wants more.


Thanks.


I think it's better to start with a description of what you expect from 
a 'firewall in the shop'. In what way are you going to use this firewall? What 
functionality/bandwidth do you need?


Evgeny.




Re: [pfSense Support] throughput, haproxy

2009-11-26 Thread Evgeny Yurchenko

Scott Ullrich wrote:

On Thu, Nov 19, 2009 at 12:35 PM, Scott Ullrich  wrote:
  

OK, give me a bit to get it ready.   Should be back to you in a couple hours.



Lenny,

First of all make sure you backup your configuration and have
installation media handy (just in case).

Run this from a shell (option 8):

fetch -o /boot/kernel/ http://cvs.pfsense.org/~sullrich/7-yandex/kernel.gz

Then reboot the firewall and let me know how it goes.

Scott


  

I got very interesting results after moving to new kernel.
From:
[ ID] Interval             Transfer    Bandwidth
[  3] 14090.0-14100.0 sec  799 MBytes  670 Mbits/sec
[ ID] Interval             Transfer    Bandwidth
[  3] 14100.0-14110.0 sec  795 MBytes  667 Mbits/sec

 PID USERNAME PRI NICE   SIZE  RES STATE  C   TIME   WCPU COMMAND
  13 root 171 ki31 0K 8K RUN    1  24.3H 100.00% idle: cpu1
  11 root 171 ki31 0K 8K CPU3   3  24.3H 100.00% idle: cpu3
  39 root -68- 0K 8K CPU2   2 401:49 97.17% em0 taskq
  40 root -68- 0K 8K CPU0   0 401:43 96.68% em1 taskq
  14 root 171 ki31 0K 8K RUN    0  17.7H 11.08% idle: cpu0
  12 root 171 ki31 0K 8K RUN    2  17.7H 10.79% idle: cpu2

To:
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.0 sec  3.66 MBytes  3.07 Mbits/sec
[ ID] Interval       Transfer     Bandwidth
[  3] 10.0-20.0 sec  3.21 MBytes  2.69 Mbits/sec

 PID USERNAME PRI NICE   SIZE  RES STATE  C   TIME   WCPU COMMAND
  11 root 171 ki31 0K 8K RUN    3   5:40 100.00% idle: cpu3
  12 root 171 ki31 0K 8K CPU2   2   5:37 100.00% idle: cpu2
  13 root 171 ki31 0K 8K CPU1   1   5:41 99.17% idle: cpu1
  14 root 171 ki31 0K 8K CPU0   0   5:37 98.78% idle: cpu0
 495 root   40 44808K 18540K accept 1   0:01  0.00% php
  41 root  43- 0K 8K WAIT   2   0:01  0.00% em0_rx_kthread_0
  42 root  43- 0K 8K WAIT   1   0:01  0.00% em0_rx_kthread_1
  46 root  43- 0K 8K WAIT   0   0:00  0.00% em1_rx_kthread_1
  45 root  43- 0K 8K WAIT   3   0:00  0.00% em1_rx_kthread_0


Should I adjust something manually in config?
Evgeny.





Re: [pfSense Support] throughput, haproxy

2009-11-19 Thread Evgeny Yurchenko

Bill Marquette wrote:

I'm not positive if netstat shows a 32 or 64 bit number, but it's
certainly not limited to 9 digits.  Your Ibytes column alone has 10
2,605,426,760.  32 bit will still wrap pretty quick however and is not
suitable for gigabit links.

--Bill
  
Yes, ten digits, sorry. Anyway, we can't get a true picture of bandwidth 
usage by looking at the RRD graphs once the speed is 'after 500Mb/s', is that what 
you are saying?

Thanks.




Re: [pfSense Support] throughput, haproxy

2009-11-19 Thread Evgeny Yurchenko

Lenny wrote:

Evgeny Yurchenko wrote:


Lenny wrote:
I always got 300-400Mb/s, even with firewall off. And I could never 
get more than 85kpps.
Unfortunately, I can't run these tests now, as the server is in 
production.


Thanks, Lenny.
 
Maybe a stupid question, but... How did you measure 85kpps, and how do 
you measure speed and pps in production?

Evgeny.




To tell you the truth I don't remember, as it was a few months ago, 
but I'm attaching the RRD graphs: traffic, packets and throughput. You 
can clearly see the peaks, although as you might know, on the graph 
from previous weeks the numbers actually become a bit smaller than 
they really were. For example, on the traffic graph it says 270Mb was 
a maximum outgoing, when in fact my actual maximum was about 310Mb. I 
would attach some newer graphs, but my next peak is in 2 days.


Just to be clear: at those peaks I had my CPUs at maximum or very near 
that.



Lenny.
Ok. But looking into this 
http://forum.pfsense.org/index.php/topic,20624.0.html and watching my 
own box during the tests performed for you, I see weird things:

[ ID] Interval         Transfer    Bandwidth
[  3] 930.0-940.0 sec  744 MBytes  624 Mbits/sec
[ ID] Interval         Transfer    Bandwidth
[  3] 940.0-950.0 sec  748 MBytes  627 Mbits/sec
[ ID] Interval         Transfer    Bandwidth
[  3] 950.0-960.0 sec  745 MBytes  625 Mbits/sec




But!


So I looked into how these graphs are populated - /var/db/rrd/updaterrd.sh
counter=1
while [ "$counter" -ne 0 ]
do
...
sleep 60
done
So, every 60 seconds you take data by means of '/usr/bin/netstat -nbf 
link -I bge0' and feed it to RRD.


Now let's do /usr/bin/netstat -nbf link -I bge0:
Name    Mtu Network  Address            Ipkts      Ierrs  Ibytes      Opkts      Oerrs  Obytes     Coll
bge0   1500          00:0b:cd:52:5b:41  299767100  0      2605426760  299287128  0      191226159  0


The bytes number has 9 digits, so a wrap will happen after 
receiving/transmitting 999 999 999 bytes; / 60 sec * 8 = 133 333 333 
bits/s, which is approx 130 Mb/s.


I believe RRD can handle wraps through 0, but at some point (speed) 
you'll have two (or even 3-4) wraps.

What am I missing here?

Evgeny.
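The reasoning in this message (a byte counter sampled every 60 seconds by updaterrd.sh, wrapping at 999 999 999 bytes) and Bill Marquette's correction earlier in the thread (the counter is at least 32-bit, ten digits, and still wraps too fast for gigabit links) are both worked through in the following added Python example, which is not code from the thread or from pfSense. It models a counter that wraps modulo a chosen size, derives the rate the way an RRD-style consumer does (difference taken modulo the counter size, which can recover from at most one wrap per interval), and shows what happens at the iperf rates quoted above. The 60-second interval comes from the `sleep 60` in the script quoted above; the assumption that the consumer tolerates exactly one wrap is this example's own.

```python
"""Added example (not from the pfSense list thread): model of the wrapping
interface byte counter that /var/db/rrd/updaterrd.sh samples every 60 s
with `netstat -nbf link -I <if>` and feeds to RRD.

Assumptions made here, not stated on the page:
  * the kernel counter wraps modulo 2**32 (or 2**64 for a 64-bit counter);
  * the consumer recognises at most one wrap between two samples,
    i.e. it takes the delta modulo the counter size.
"""

COUNTER_MOD_32 = 1 << 32
COUNTER_MOD_64 = 1 << 64
SAMPLE_INTERVAL_S = 60          # updaterrd.sh loop: sleep 60


def max_unambiguous_rate_bps(counter_mod: int = COUNTER_MOD_32,
                             interval_s: int = SAMPLE_INTERVAL_S) -> float:
    """Highest bit rate at which the counter advances by less than one full
    wrap between samples.  Above it, a single-wrap-aware reader cannot tell
    how many wraps happened and reports a wrong rate."""
    return counter_mod * 8 / interval_s


def bytes_in_interval(rate_bps: float, interval_s: int = SAMPLE_INTERVAL_S) -> int:
    """Bytes crossing the interface during one sampling interval."""
    return int(rate_bps * interval_s / 8)


def wraps_per_interval(rate_bps: float, counter_mod: int = COUNTER_MOD_32,
                       interval_s: int = SAMPLE_INTERVAL_S) -> int:
    """Number of times the counter wraps during one interval at this rate."""
    return bytes_in_interval(rate_bps, interval_s) // counter_mod


def rate_from_samples(prev: int, cur: int, counter_mod: int = COUNTER_MOD_32,
                      interval_s: int = SAMPLE_INTERVAL_S) -> float:
    """Rate as an RRD-style consumer derives it from two raw samples.
    The modulo handles exactly one wrap (cur < prev); a second wrap inside
    the same interval is invisible and the result is too low."""
    delta = (cur - prev) % counter_mod
    return delta * 8 / interval_s


def measured_rate_bps(true_rate_bps: float, counter_mod: int = COUNTER_MOD_32,
                      interval_s: int = SAMPLE_INTERVAL_S,
                      start_total: int = 0) -> float:
    """Simulate two consecutive samples of a counter driven at true_rate_bps
    and return the rate the consumer would compute from them."""
    prev = start_total % counter_mod
    cur = (start_total + bytes_in_interval(true_rate_bps, interval_s)) % counter_mod
    return rate_from_samples(prev, cur, counter_mod, interval_s)


if __name__ == "__main__":
    print(f"9-digit counter limit : {max_unambiguous_rate_bps(10**9) / 1e6:8.1f} Mbit/s")
    print(f"32-bit counter limit  : {max_unambiguous_rate_bps() / 1e6:8.1f} Mbit/s")
    # Rates taken from the iperf output quoted in the thread (Mbit/s).
    for mbps in (100, 400, 624):
        seen = measured_rate_bps(mbps * 1e6)
        print(f"true {mbps:4d} Mbit/s -> wraps/interval={wraps_per_interval(mbps * 1e6)}, "
              f"RRD sees {seen / 1e6:6.1f} Mbit/s")
    print(f"64-bit counter at 1 Gbit/s: wraps/interval = "
          f"{wraps_per_interval(1e9, COUNTER_MOD_64)}")
```

With a 32-bit counter the single-wrap limit works out to roughly 572 Mbit/s, which is why the graph stays honest at 400 Mbit/s but, at the 624 Mbit/s iperf reading, the counter wraps once more than the consumer can see and the derived rate collapses to about 51 Mbit/s; a 64-bit counter never wraps within a 60-second interval at gigabit rates.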




Re: [pfSense Support] throughput, haproxy

2009-11-19 Thread Evgeny Yurchenko

Lenny wrote:

I always got 300-400Mb/s, even with firewall off. And I could never get more 
than 85kpps.
Unfortunately, I can't run these tests now, as the server is in production.

Thanks, 
Lenny.
  

Maybe a stupid question, but... How did you measure 85kpps, and how do you 
measure speed and pps in production?

Evgeny.





Re: [pfSense Support] CARP and BGP

2009-11-16 Thread Evgeny Yurchenko

Aarno Aukia wrote:

Hello,

On Sat, Nov 14, 2009 at 03:36, Chris Buechler  wrote:
  

On Fri, Nov 13, 2009 at 9:13 PM, Glenn Kelley  wrote:


Am I correct in assuming that CARP and BGP cannot work together - as CARP
pushes private ip addresses ?

  

CARP doesn't push private IPs, not sure what you mean by that, but it
can work just the same as anything with public IPs. Though there are
likely complications related to the BGP package in combination with
CARP. Haven't tried it personally, not sure.



It works fine, you have to configure openbgpd to use the carp-address
using "local-address".
You will still have a short interruption of service until the backup
bgpd resyncs the session, but it is a lot faster than to manually
reconfigure the routers...
We have this running in production, feel free to contact me off-list for details.

Regards,
Aarno
  
Could you explain how it works please? I have no questions about the 
active (CARP) one, but what about the passive? bgpd on the passive one will be 
continuously trying to connect to the peer... using what source IP?

Thanks,
Evgeny.



