AW: [pfSense Support] IPSec crl

2011-08-21 Thread Fuchs, Martin
Hmmm, in larger setups it could be annoying, but perhaps there will be a 
solution one day ;-)

Perhaps to choose one crl, ipsec should use... ?

Regards,

martin

-----Original Message-----
From: Jim Pingle [mailto:li...@pingle.org]
Sent: Wednesday, 17 August 2011 23:55
To: support@pfsense.com
Subject: Re: [pfSense Support] IPSec crl

On 8/17/2011 4:56 PM, Fuchs, Martin wrote:
> Hi,
> Does the IPSec config make use of crl's defined in the certified-Manager ?
> I cannot see any references to used crl in the cert-Manager when a crl
> is defined there, neither can i choose a crl in the IPSec-config.
> This is a Security-Risk i think, that should be fixed  2.0 leaves the
> door or am i mistaken ?

The IPsec config doesn't currently hook into the CRLs from the system.
It's been discussed on the forum a bit.
http://forum.pfsense.org/index.php?topic=35872.0 is the thread I was thinking 
of specifically. The way racoon wants the crl written out and named wasn't very 
easy to work with.

It's not that dangerous to run without a CRL unless you need to revoke access, 
then you can always just switch up the CA and certs for both ends if it's 
custom.

Jim

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional 
commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org




AW: [pfSense Support] Happy Birthday Chris

2011-08-18 Thread Fuchs, Martin
From Germany too ;-)
Have fun and enjoy your day ;-)

Regards,
martin

-----Original Message-----
From: Serg [mailto:serg.dvorian...@gmail.com]
Sent: Thursday, 18 August 2011 13:26
To: support@pfsense.com
Subject: Re: [pfSense Support] Happy Birthday Chris

Happy Birthday Chris!





[pfSense Support] IPSec crl

2011-08-17 Thread Fuchs, Martin
Hi,
Does the IPSec config make use of crl's defined in the certified-Manager ?
I cannot see any references to used crl in the cert-Manager when a crl is
defined there, neither can i choose a crl in the IPSec-config.
This is a Security-Risk i think, that should be fixed  2.0 leaves the door
or am i mistaken ?

Regards, Martin


[pfSense Support] IPSec crl

2011-08-17 Thread Fuchs, Martin


sent while on the go ...




AW: [pfSense Support] pfSense 2.0 IPSec-VPN with Certs

2011-08-10 Thread Fuchs, Martin
Hi !

ASN.1 and the remote CA Cert made it work :)

Thanks !

From: Dan Candea [mailto:dan.can...@quah.ro]
Sent: Tuesday, 9 August 2011 14:21
To: support@pfsense.com
Subject: Re: [pfSense Support] pfSense 2.0 IPSec-VPN with Certs

On 03.08.2011 14:46, Fuchs, Martin wrote:
Hi !

Does anyone have mutual-RSA-IPSec VPN working with 2.0 ?
All settings I tried do not work, I always get errors:

racoon: ERROR: failed to get subjectAltName
racoon: ERROR:
racoon: ERROR: no peer's CERT payload found.

These errors are away as soon as I use PSKs, so I think it must have something 
to do with the generated certs...

Any ideas ?

Regards,

Martin

I've generated a CA and use it to make certificate for server and users.
software from shrew.net as a client

remote anonymous
{
ph1id 1;
exchange_mode aggressive;
my_identifier asn1dn ;
peers_identifier asn1dn ;
ike_frag on;
generate_policy = unique;
initial_contact = off;
nat_traversal = on;
certificate_type x509 "cert-1.crt" "cert-1.key";
ca_type x509 "ca-1.crt";
dpd_delay = 10;
dpd_maxfail = 5;
support_proxy on;
proposal_check claim;
passive on;

proposal
{
authentication_method xauth_rsa_server;
encryption_algorithm 3des;
hash_algorithm sha1;
dh_group 2;
lifetime time 28800 secs;
}
}

--

Dan Cândea

Does God Play Dice?


[pfSense Support] pfSense 2.0 IPSec-VPN with Certs

2011-08-03 Thread Fuchs, Martin
Hi !

Does anyone have mutual-RSA-IPSec VPN working with 2.0 ?
All settings I tried do not work, I always get errors:

racoon: ERROR: failed to get subjectAltName
racoon: ERROR:
racoon: ERROR: no peer's CERT payload found.

These errors are away as soon as I use PSKs, so I think it must have something 
to do with the generated certs...

Any ideas ?

Regards,

Martin


AW: [pfSense Support] To integrate AD users to specific rule groups

2011-07-31 Thread Fuchs, Martin
Hi !

Hmmm, any chance to get this working without installing samba on the 
firewall-system ?
And which squid-version did you use ? the package-provided or 3.x ?

Regards,

Martin

From: Younes EL AMRAOUI [mailto:oun...@gmail.com]
Sent: Monday, 1 August 2011 08:34
To: support@pfsense.com
Subject: Re: [pfSense Support] To integrate AD users to specific rule groups

The version is Samba35
Younes EL AMRAOUI

Engineering Student at ESIREM.
Computer Science Engineering School.

Dijon ,FRANCE .




Re: [pfSense Support] To integrate AD users to specific rule groups

2011-07-31 Thread Fuchs, Martin
Hi !
Which version did you build and which patch did you use ?
Sounds interesting ;-)

Regards,
Martin

sent while on the go ...

On 31.07.2011 at 13:26, "Younes EL AMRAOUI" <oun...@gmail.com> wrote:

Hi,

I have done the same thing that you are searching for, by using 
Samba (nmbd, smbd, winbindd), Squid, Kerberos5. I used NTLM authentication 
because it's more secure than the others like NT Domain (plain text password 
cached with Wireshark ;) ). NTLM is not provided with Squid/pfSense but you can 
patch Squid to use it (what I have done). Another thing is to create a 
precompiled package of Samba that contains ADS support to connect to the 
active directory and install it on your pfSense. I don't see the need of the 
Captive Portal because in my case the authentication into the AD is done by 
opening the session of Windows if this session is in the AD, to surf the 
internet too ;).

Hope this will help ;)



--
Younes EL AMRAOUI

Engineering Student at ESIREM.
Computer Science Engineering School.

Dijon ,FRANCE .




[pfSense Support] AW: snort broken ?

2011-07-08 Thread Fuchs, Martin
Many thanks :)
Just wondered why after my pfsense update snort was gone :)

From: Conrad Brown [mailto:cbr...@radnetworx.com]
Sent: Friday, 8 July 2011 23:55
To: support@pfsense.com
Subject: [pfSense Support] RE: snort broken ?

This post from James might explain that.

http://forum.pfsense.org/index.php/topic,37557.msg199104.html#msg199104

From: Fuchs, Martin [mailto:martin.fu...@trendchiller.com]
Sent: Friday, July 08, 2011 5:49 PM
To: 'support@pfsense.com'
Subject: [pfSense Support] snort broken ?

Hi !

Is anyone able to install snort from the packages selection ?

Regards,

martin


[pfSense Support] snort broken ?

2011-07-08 Thread Fuchs, Martin
Hi !

Is anyone able to install snort from the packages selection ?

Regards,

martin


AW: [pfSense Support] psSense , AD, Kerberos, FreeBSD, Samba,Squid,SquidGuard

2011-06-23 Thread Fuchs, Martin
NTLM is auth against the AD via integrated auth (IE)
Basic is auth via typing username and password...

From: Younes EL AMRAOUI [mailto:oun...@gmail.com]
Sent: Thursday, 23 June 2011 21:22
To: support@pfsense.com
Subject: Re: [pfSense Support] psSense , AD, Kerberos, FreeBSD, 
Samba,Squid,SquidGuard

Thank you for your response.
Yes, it's different from what I'm looking for, but I found a way. Actually there 
is a category in the Squid configuration in the pfSense GUI called Authori ..., in 
this category we can specify our Domain and the method of authorization (LDAP, 
RADIUS, NT Domain). I choose NT Domain, and for now I need to integrate my 
pfSense machine in the AD (Active Directory) of the Windows Server of the 
company to test if it works (I will do this tomorrow). We can test with a 
client in the AD having my pfSense Squid by seeing in the access.log file the 
username of the client machine.
I found that there is an implementation of the squid_raduis_auth package (you can 
check this with pkg_info). RADIUS replaces kerberos and samba, I think!! I'm not 
sure.
I can't find the difference between:
- NTLM (auth_param ntlm program)
AND
- NT Domain (when I choose NT Domain in pfSense's Squid it builds 4 or 5 
lines in squid.conf beginning like this: auth_param basic program ...).
??
What's the difference between the "ntlm" and "basic" options in squid.conf?

May this information help you too, or in the future,

Thanks again
2011/6/23 Ermal Luçi <ermal.l...@gmail.com>

On Thu, Jun 23, 2011 at 10:30 AM, Younes EL AMRAOUI <oun...@gmail.com> wrote:

Hi,

I'm trying to set up Kerberos on my FreeBSD (command line of pfSense) to 
specify NTLM users of AD of Windows Server.
The problem is that I don't know how to install it and configure it? Any 
documentation please??

You can try something like 
http://siphon9.net/loune/2007/10/simple-lightweight-ntlm-in-php/?
It needs some adoption for pfSense(FreeBSD),
Or you are looking at something completely different.

Regards,
--
Younes EL AMRAOUI

Engineering Student at ESIREM.
Computer Science Engineering School.
+33629153757
Dijon ,FRANCE .





--
Ermal



--
Younes EL AMRAOUI

Engineering Student at ESIREM.
Computer Science Engineering School.
+33629153757
Dijon ,FRANCE .




Re: [pfSense Support] Current Production Version

2011-06-17 Thread Fuchs, Martin
It's RC2 atm. It may contain a few bugs though. 
For production I'd recommend 1.2.3 so far, but RC3 will arrive soon.

Regards,
Martin

On 17.06.2011 at 20:00, "Nathan Eisenberg" wrote:

> Apologies for the dumb question...  Is the general consensus that 2.0-RC1 is 
> production ready, or is 1.2.3 still recommended for production deployments?
> 
> Best Regards,
> Nathan Eisenberg
> 
> 
> 
> 




[pfSense Support] CertManager

2011-06-16 Thread Fuchs, Martin
Hi !
I have an old cert that was used as the webui cert.
I replaced this and wanted to delete the old cert, but the certmanager tells me 
it's still in use by IPSec Tunnel...

I have IPSec-Tunnels but no one with certs...
I already looked into my config in the IPSec-settings but I really cannot find 
this cert...

Any idea where to find it or how to get rid of the old cert ?

Regards,

martin


[pfSense Support] Pfsense 2.0 dyndns

2011-06-01 Thread Fuchs, Martin
Hi !
Do we know about any dyndns issues ?
I have some systems where sometimes dyndns does not update, the client shows it 
in red, but does not update ?
Shouldn't this be done when it's printed in red ?
Only manually saving or reconnect triggers the update of dyndns...
Any ideas ?

Regards,
Martin



AW: [pfSense Support] PPTP password issue

2011-04-13 Thread Fuchs, Martin
Did you try playing around with the user privileges in the user manager ?
Iirc there is something like pptp access ?

Regards,

martin

-----Original Message-----
From: Ernst den Broeder [mailto:erns...@gmail.com]
Sent: Wednesday, 13 April 2011 16:32
To: support@pfsense.com
Subject: [pfSense Support] PPTP password issue

Hi.

We are running 2.0-RC1 on our systems.  I recently assigned a PPTP user the 
following password: x2758>A6g924"B

The webConfigurator accepts this password but we cannot get it to authenticate. 
 We tried resetting it in the webConfigurator but in the end we just changed it 
to something different.  I did not play around with it to see which 
character(s) were causing the problem.  We were using Mac OS 10.6 PPTP client.

Assuming the problem wasn't the PPTP client in Mac OS 10.6,  are there 
limitations as to what characters may be used for the password with pfSense?  I 
don't recall any warnings or messages in the pfSense webConfigurator stating 
otherwise.

regards,
Ernst




Re: [pfSense Support] pfSense 2.0 IPsec on Mac OS X 10.6

2011-04-12 Thread Fuchs, Martin
That's strange, my config works with NAT-T too, but i never had problems with 
non-natted, natted or any other  network. 

On 12.04.2011 at 21:46, "Paul Mather" wrote:

> On Apr 12, 2011, at 3:17 PM, Vick Khera wrote:
> 
>> On Tue, Apr 12, 2011 at 2:04 PM, Fuchs, Martin 
>>  wrote:
>> I have IPSec from my iPhone to pfsense here...
>> Have a look at the forums. It took some time but now it works...
>> 
>> I found in the forum that it requires pfSense 2.0.  Does that still stand 
>> true?
>> 
>> And do you configure it via pfSense GUI or a manual hack to the racoon 
>> config file?
>> 
>> I don't find a definitive answer on the forum at all, just a bunch of try 
>> this try that and speculation followed by a bunch of "doesn't work for me" 
>> and "works for me, sorta".
>> 
>> The closest I've found is 
>> http://forum.pfsense.org/index.php/topic,24752.msg130558/topicseen.html#msg130558
>> 
>> Is that the current "state of the art" for iPhone -> pfSense VPN?  It seems 
>> to be in conflict with how I want mobile client settings for my "road 
>> warrior" network VPNs, such as my home office.  Ie, I do not want to have a 
>> virtual address pool for those connections.
> 
> 
> I have used pfSense 2.0 to set up an IPsec VPN usable from an iPod Touch, 
> which I believe uses the same client as the iPhone and iPad.  I used pretty 
> much the setup from the link you give above.  In my case, my Phase 2 has 
> "Local Network" of type "Network" and the address is that of my pfSense LAN 
> (whereas the forum post uses Local Network Type "None").  (I actually have 
> two Phase 2 entries, the one just described and another that is the same 
> except the address is 10.0.0.0/24, to allow VPN access to that private 
> network reachable from the pfSense LAN.)
> 
> I did all configuration via the pfSense GUI.  The setup routes all traffic 
> for the network behind the pfSense gateway (172.23.23.0/24 and 10.0.0.0/24) 
> over the IPsec VPN; other traffic goes out as per normal.  Split DNS works, 
> and private DNS hostnames are resolved correctly.
> 
> The VPN works fine when NAT-T is in use.  (The same config doesn't work for 
> my office Mac, which is not behind a NAT.)
> 
> I also tried the L2TP server in pfSense 2.0 today with the Mac OS X L2TP VPN 
> client but couldn't even get it to connect. :-(
> 
> Cheers,
> 
> Paul.
> 
> 
> 



Re: [pfSense Support] pfSense 2.0 IPsec on Mac OS X 10.6

2011-04-12 Thread Fuchs, Martin
I use 2.0 and configure via GUI only, no hacks.
The only Problem is the users privilege  as a local user - Admin works for me 
so far, but a ticket is already opened. The local user is for xauth.

On 12.04.2011 at 21:18, "Vick Khera" <vi...@khera.org> wrote:

On Tue, Apr 12, 2011 at 2:04 PM, Fuchs, Martin <martin.fu...@trendchiller.com> wrote:
I have IPSec from my iPhone to pfsense here...
Have a look at the forums. It took some time but now it works...

I found in the forum that it requires pfSense 2.0.  Does that still stand true?

And do you configure it via pfSense GUI or a manual hack to the racoon config 
file?

I don't find a definitive answer on the forum at all, just a bunch of try this 
try that and speculation followed by a bunch of "doesn't work for me" and 
"works for me, sorta".

The closest I've found is 
http://forum.pfsense.org/index.php/topic,24752.msg130558/topicseen.html#msg130558

Is that the current "state of the art" for iPhone -> pfSense VPN?  It seems to 
be in conflict with how I want mobile client settings for my "road warrior" 
network VPNs, such as my home office.  Ie, I do not want to have a virtual 
address pool for those connections.




Re: [pfSense Support] pfSense 2.0 IPsec on Mac OS X 10.6

2011-04-12 Thread Fuchs, Martin
I have IPSec from my iPhone to pfsense here...
Have a look at the forums. It took some time but now it works...

On 12.04.2011 at 17:24, "Vick Khera" <vi...@khera.org> wrote:

On Tue, Apr 12, 2011 at 11:21 AM, Vick Khera 
<vi...@khera.org> wrote:
iOS does not have OpenVPN built in. I never looked to see if some app provides 
it, but I highly doubt it.

one more point... the only VPN we've ever succeeded with iOS devices is the 
PPTP client, but that's just not a very secure thing.  I don't think the Cisco 
client works with pfSense IPSec server.



[pfSense Support] german pfSense article on PC-Welt

2011-04-01 Thread Fuchs, Martin
Hi !

There's a German article about pfSense 2.0 RC1 on PC-Welt:

http://www.pcwelt.de/ratgeber/m0n0wall-Fork-pfSense-Firewall-und-Router-mit-Open-Source-1507333.html

regards,

martin


AW: [pfSense Support] www.pfsense.org down?

2011-03-29 Thread Fuchs, Martin
> FWIW, I used to sell a lot of HP ProCurve gear; the only switches of 
> theirs I ever had to return were 1800-series switches (and _one_ 2524, 
> IIRC).  A very small proportion, to be sure, effectively zero warranty 
> service rate compared to Cisco, but relatively speaking... I suspect 
> it has to do with the fanless design being slightly less robust - 
> IMHO, anyway.

1800 or 1810?

We never had any problems with 1800 and 1810 until now... both as 24G models...
And we have a lot of them...




AW: [pfSense Support] pfSense as subordinate CA

2011-03-24 Thread Fuchs, Martin
Well that's not exactly what i want to do...

I want pfsense to be its own subordinate ca that's authenticated by the windows 
ca.
This way it would be possible for me to use the pfsense ca for all ssl issues 
on the pfsense and would not have to use the windows ca for that, but the trust 
would be established, because the windows ca authenticated the pfsense ca.
When I import the ca it seems pfsense cannot use it (because it displays 
external ?)

-----Original Message-----
From: Vick Khera [mailto:vi...@khera.org]
Sent: Wednesday, 23 March 2011 13:35
To: support@pfsense.com
Subject: Re: [pfSense Support] pfSense as subordinate CA

On Wed, Mar 23, 2011 at 7:03 AM, Fuchs, Martin  
wrote:
> I'd like to use my Windows 2008R2 CA as the main CA and pfSense as a 
> subordinate CA.
>
> When I import an existing certificate of a subordinate ca, I cannot 
> choose this ca, when creating new certs with pfsense. (it displays the 
> ca then as
> external)

Not sure I follow the need, but it sounds like you just need to import the CA 
certificate into pfSense, then just keep using the windows CA to issue 
certificates, and pfSense will authenticate them.  That's what we do for our 
1.2.3 installation -- the CA is on another server.




[pfSense Support] pfSense as subordinate CA

2011-03-23 Thread Fuchs, Martin
Hi !

Is it possible to configure pfSense as a subordinate CA ?
I'd like to use my Windows 2008R2 CA as the main CA and pfSense as a 
subordinate CA.
When I import an existing certificate of a subordinate ca, I cannot choose this 
ca, when creating new certs with pfsense... (it displays the ca then as 
external)

Is it generally possible or can pfsense only be its own ca ?

Regards,

martin


[pfSense Support] AW: update bogons

2011-03-18 Thread Fuchs, Martin
Just one question remains: how are updates scheduled in 1.2.3 and how is it 
done in 2.0, even though this is nearly obsolete ?

From: Fuchs, Martin [mailto:martin.fu...@trendchiller.com]
Sent: Friday, 18 March 2011 11:35
To: support@pfsense.com
Subject: [pfSense Support] AW: update bogons

Solved:

by searching the forum:
http://forum.pfsense.org/index.php?topic=21144.0
http://forum.pfsense.org/index.php/topic,13278.0.html


From: Fuchs, Martin [mailto:martin.fu...@trendchiller.com]
Sent: Friday, 18 March 2011 11:08
To: support@pfsense.com
Subject: [pfSense Support] update bogons

Hi !

Today we encountered some problem with pfSense 1.2.3 (in production), because 
of this we were not able to update by now...
We boiled it down to the bogons-filter on the WAN-interface (which is senseless 
by now since all IP-blocks are delivered).
How often is this list updated by default and from where is it updated (just 
for debugging purposes) ?
We now disabled the filtering and all works fine...
The filter blocked a subnet that is delivered since 10/2010, so I was wondering 
how the update frequency might be ;-)

Regards,
martin


[pfSense Support] AW: update bogons

2011-03-18 Thread Fuchs, Martin
Solved:

by searching the forum:
http://forum.pfsense.org/index.php?topic=21144.0
http://forum.pfsense.org/index.php/topic,13278.0.html


From: Fuchs, Martin [mailto:martin.fu...@trendchiller.com]
Sent: Friday, 18 March 2011 11:08
To: support@pfsense.com
Subject: [pfSense Support] update bogons

Hi !

Today we encountered some problem with pfSense 1.2.3 (in production), because 
of this we were not able to update by now...
We boiled it down to the bogons-filter on the WAN-interface (which is senseless 
by now since all IP-blocks are delivered).
How often is this list updated by default and from where is it updated (just 
for debugging purposes) ?
We now disabled the filtering and all works fine...
The filter blocked a subnet that is delivered since 10/2010, so I was wondering 
how the update frequency might be ;-)

Regards,
martin


[pfSense Support] update bogons

2011-03-18 Thread Fuchs, Martin
Hi !

Today we encountered some problem with pfSense 1.2.3 (in production), because 
of this we were not able to update by now...
We boiled it down to the bogons-filter on the WAN-interface (which is senseless 
by now since all IP-blocks are delivered).
How often is this list updated by default and from where is it updated (just 
for debugging purposes) ?
We now disabled the filtering and all works fine...
The filter blocked a subnet that is delivered since 10/2010, so I was wondering 
how the update frequency might be ;-)

Regards,
martin


[pfSense Support] package reinstallation on every reboot

2011-03-04 Thread Fuchs, Martin
Hi !

On 2.0 EVERY reboot my packages are deinstalled and then reinstalled...

Is this intended behavior ? - Why ?

Regards,

martin


AW: [pfSense Support] Re: Intel Gigabit - em0: Watchdog Timeout

2011-03-04 Thread Fuchs, Martin
Same problem here, but seems to work without problems... so far... ;-)

-----Original Message-----
From: Jim Pingle [mailto:li...@pingle.org]
Sent: Friday, 4 March 2011 17:19
To: support@pfsense.com
Cc: Moshe Katz
Subject: Re: [pfSense Support] Re: Intel Gigabit - em0: Watchdog Timeout

On 3/4/2011 11:15 AM, Moshe Katz wrote:
> Does em0 seem to work OK for you otherwise? Just log/console spam?
> 
> I just noticed that it doesn't just make the console useless, it also
> spams the system log, filling that up as well.
> 
> If it operates OK but just has annoying logs, that should hopefully be
> easily solved.
> 
> It appears to be working properly as far as i can tell.  It is just 
> annoying to have in the console and the logs.  I have not run extended 
> tests (very large file transfers, etc.) to make sure of that - it just 
> seems to be working for normal internet, Windows File Sharing, and 
> Printing traffic.  I may be able to run extended tests next week.
> 
> From a curiosity perspective, I would like to find out why this is 
> happening.

We're discussing it and trying to find out the cause of the error being 
printed. Since it's easy to reproduce it should hopefully be easy to know when 
it's fixed.

> Also out of curiosity, when was the driver changed?  I tried searching 
> on rcs.pfsense.org  but search appears to be 
> broken there.

https://rcs.pfsense.org/projects/pfsense-tools/repos/mainline/commits/f7a0d0d634b787fede5b54ec26c625423c12b624

Jim





[pfSense Support] pfSense 2.0 & Dashboard-Widgets (CPU)

2011-03-04 Thread Fuchs, Martin
Hi !

After an upgrade from 1.2.3 to 2.0 RC1 i'm missing the 
dashboard-cpu-usage-widget...
I have an error in my Dashboard which tells me that the files are missing :(

Will this widget be updated or is it suspended ?

Regards,

martin


[pfSense Support] pfsense 1.2.3 ipsec stopping to work after too many unsuccessful connects

2011-02-10 Thread Fuchs, Martin
Hi !

I run pfsense 1.2.3 and use 4 ipsec tunnels with dynamic endpoints.
Everything works fine, but when one endpoint continuously gets a new WAN-IP due 
to numerous reconnects, racoon stops working and has to be started manually...

Can anyone confirm this issue ?

Regards,

martin


[pfSense Support] AW: USB Wifi nic

2011-01-19 Thread Fuchs, Martin
Should work if you pass it by using VMDirectPath

-----Original Message-----
From: Joseph L. Casale [mailto:jcas...@activenetwerx.com]
Sent: Wednesday, 19 January 2011 22:57
To: 'support@pfsense.com'
Subject: [pfSense Support] USB Wifi nic

I have a vm running under esxi 4.1 that I need to pass in a usb wifi dongle. 
It's a dev environment so I am not too worried about the fact 1) it's a vm and 
b) passing the dongle in could be unstable.

Would pfsense work happily with this so long as the chip in the dongle was on 
the HCL and supported AP mode?

Thanks!
jlc




AW: [pfSense Support] Squid traffic management Maximum download size not working

2011-01-07 Thread Fuchs, Martin
:)

From: Shali K.R. [mailto:sh...@vidyaacademy.ac.in]
Sent: Friday, 7 January 2011 11:39
To: support@pfsense.com
Subject: Re: [pfSense Support] Squid traffic management Maximum download size 
not working
Thank you sir its working fine now
On Fri, Jan 7, 2011 at 4:00 PM, Fuchs, Martin <martin.fu...@trendchiller.com> wrote:
Hi !

I found the error, i'll try to fix it as soon as time permits...

Until then please change the following lines

/usr/local/pkg/squid.inc: line 896:
FROM   $conf .= 'reply_body_max_size ' . ($down_limit * 1024) . " allow all\n";
TO     $conf .= 'reply_body_max_size ' . ($down_limit * 1024) . " deny all\n";

Then configure and save again !

Regards,

Martin !
From: Shali K.R. [mailto:sh...@vidyaacademy.ac.in]
Sent: Friday, 7 January 2011 10:17
To: support@pfsense.com
Subject: [pfSense Support] Squid traffic management Maximum download size not 
working

Dear all,

i added 51200 ( 50 MB) in Maximum download size of proxy  page  but its not 
working i checked squid.conf file it shows
reply_body_max_size 52428800 allow all but i can download large files. is there 
any way to configure it properly

--
Thanks & Regards

Shali K R
Server Administrator
Vidya Academy of Science & Technology
Thrissur,Kerala.
Mob:9846303531



--
Thanks & Regards

Shali K R
Server Administrator
Vidya Academy of Science & Technology
Thrissur,Kerala.
Mob:9846303531



AW: [pfSense Support] Squid traffic management Maximum download size not working

2011-01-07 Thread Fuchs, Martin
Hi !

I found the error, i'll try to fix it as soon as time permits...

Until then please change the following lines

/usr/local/pkg/squid.inc: line 896:
FROM   $conf .= 'reply_body_max_size ' . ($down_limit * 1024) . " allow all\n";
TO     $conf .= 'reply_body_max_size ' . ($down_limit * 1024) . " deny all\n";

Then configure and save again !

Regards,

Martin !
From: Shali K.R. [mailto:sh...@vidyaacademy.ac.in]
Sent: Friday, 7 January 2011 10:17
To: support@pfsense.com
Subject: [pfSense Support] Squid traffic management Maximum download size not 
working

Dear all,

i added 51200 ( 50 MB) in Maximum download size of proxy  page  but its not 
working i checked squid.conf file it shows
reply_body_max_size 52428800 allow all but i can download large files. is there 
any way to configure it properly

--
Thanks & Regards

Shali K R
Server Administrator
Vidya Academy of Science & Technology
Thrissur,Kerala.
Mob:9846303531



[pfSense Support] IPSec dies after more reconnects

2010-08-11 Thread Fuchs, Martin
Hi !

I have 3 ipsec tunnels.
One of these endpoints has bad wan-connectivity, so it connects some times  day.
This problem exists since a week.
I had to restart my racoon-service on the central firewall every day, because 
it is stopped there ?

Has anyone a similar problem or is there a watchdog to restart the racoon 
service ?

I'm using pfsense 1.2.3 on all systems.

Regards,

martin


AW: [pfSense Support] OpenVPN and CARP

2010-06-29 Thread Fuchs, Martin
On 23 June 2010 13:01, Fuchs, Martin  wrote:
> Hi !
>
> I already looked up the forums, but i have a problem i cannot solve on 
> my own...
>
> I have two pfSenses with CARP.
>
> Internal LAN-CARP is 10.11.1.1 and external WAN-CARP let's say is
> 12.12.12.12 (gw1.bk), where pfSense_1 WAN is 12.12.12.13 (gw2.bk) and
> pfSense_2 WAN is 12.12.12.14 (gw3.bk).
>
> When I try to connect to gw1 (CARP) it does not respond... my WAN rule 
> allows any on OpenVPN port incoming to WAN-subnet.
>
> I tried to set up two different OpenVPN-Address-pools on both servers 
> for then using load-balancer-mode.
>
> I also tried to set up the same-Address-pool on both servers for CARP-mode.
>
> When I try to connect to gw2 (non-CARP) it works and the back-route 
> works, too (pfSense_1 is CARP-master).
>
> When I try to connect to gw3 (non-CARP) it does connect and the 
> back-route does NOT work (pfSense_2 is CARP-slave), because all 
> traffic is routed to
> 10.11.1.1 (LAN-CARP) which is held by pfSense_1.
>
> Any idea how I can use the WAN-CARP for OpenVPN ?
>
> Or
>
> Any idea how I can tell the LAN-CARP-master to route the pfSense_2 
> OpenVPN traffic to pfSense_2 (without static routes because these 
> replicate via
> CARP) ?

I asked this a while ago and got the following answer:
Works now, put local x.x.x.x in custom options, where x.x.x.x is a CARP IP. You 
will have to manually configure the secondary to match the primary since the 
config doesn't sync on 1.2.x.

---

Neat...
It works :-)
Thanks a lot !
Is there a way to add more than one local ip ?

Regards,

martin






AW: [pfSense Support] IPSec from WAN to DMZ (with racoon on WAN)

2010-06-24 Thread Fuchs, Martin
...

GRE has nothing to do with IPsec.
My suspicion is you haven't disabled NAT for the publicly addressed interface, 
so replies are getting translated to the WAN IP by your outbound NAT.

YEAH !
It works...
Late answer, but thanks a lot... my fault...

Regards,

martin




[pfSense Support] OpenVPN and CARP

2010-06-23 Thread Fuchs, Martin
Hi !

I already looked up the forums, but i have a problem i cannot solve on my own...

I have two pfSenses with CARP.

Internal LAN-CARP is 10.11.1.1 and external WAN-CARP let's say is 12.12.12.12 
(gw1.bk), where pfSense_1 WAN is 12.12.12.13 (gw2.bk) and pfSense_2 WAN is 
12.12.12.14 (gw3.bk).

When I try to connect to gw1 (CARP) it does not respond... my WAN rule allows 
any on OpenVPN port incoming to WAN-subnet.

I tried to set up two different OpenVPN-Address-pools on both servers for then 
using load-balancer-mode.
I also tried to set up the same-Address-pool on both servers for CARP-mode.

When I try to connect to gw2 (non-CARP) it works and the back-route works, too 
(pfSense_1 is CARP-master).
When I try to connect to gw3 (non-CARP) it does connect and the back-route 
does NOT work (pfSense_2 is CARP-slave), because all traffic is routed to 
10.11.1.1 (LAN-CARP) which is held by pfSense_1.

Any idea how I can use the WAN-CARP for OpenVPN ?
Or
Any idea how I can tell the LAN-CARP-master to route the pfSense_2 OpenVPN 
traffic to pfSense_2 (without static routes because these replicate via CARP) ?


Regards,

Martin



[pfSense Support] Nagios/Icinga icons for pfSense

2010-06-19 Thread Fuchs, Martin
Are now available here:
http://pfsense.trendchiller.com/pfSense_nagios_icons.zip

I was so annoyed to not have the pfSense-logo in my status-map...

Regards,

Martin


AW: [pfSense Support] IPSec from WAN to DMZ (with racoon on WAN)

2010-05-26 Thread Fuchs, Martin
On WAN we have 195.22x.234.90 with GW 195.22x.234.89 / 29 mask.
On DMZ we have 195.22x.234.97 /97 (where 22x is the same as our WAN). There is 
nothing natted nor bridged or else, it's all routed.
On LAN we have 10.0.0.0/16 (NATted) and another VPN-Interface owns the 
172.16.100.0/24

On our WAN there runs racoon-service.
We want another IPSec service in the DMZ.
Outbound NAT could be an option, I'll have a look at this...

But this setup could be possible or are there any objections ?

Regards,
martin

From: Trevor Benson [mailto:tben...@a-1networks.com]
Sent: Wednesday, 26 May 2010 17:52
To: support@pfsense.com
Subject: Re: [pfSense Support] IPSec from WAN to DMZ (with racoon on WAN)

Your configuration seems a bit strange.

First is your DMZ on the SAME wan network or is it another block of 
195.x.x.x/29?  Faking your numbers instead of letter replacements might make it 
easier to understand (ie are they both 195.1.2.0/29 or is another 
195.2.3.0/29?).

Are you bridging your DMZ interface to the WAN interface, or are you using port 
forwarding?  If you're using port forwarding you're not really 195.x.x.x/29, you 
have internal addresses and are using NAT in some fashion to pass the traffic.

If you are using an internal DMZ network with NAT, then NAT-T is what you're 
having problems with, I believe they removed the NAT-T support in RC2 or RC3 
because of problems.

pfSense makes custom rules for IPSec 500/4500 when enabled, you might have to 
change automatic outbound nat to manual or Advanced Outbound NAT, where you 
customize your rules.  This way you can ensure the IPSec 500/4500 ports 
configured in the rules are not conflicting with your setup, although again 
answering the above questions will help with tracking down what you are 
actually doing.

--
Trevor Benson
dCAP, LPIC-1, CLA, Network+, MCP, CNA
A1 Networks - Network Engineer
DID (707)703-1041
FAX (707)703-1983






On May 20, 2010, at 11:31 AM, Fuchs, Martin wrote:


Hi !
I've got a question !

We have the following setup:

WAN 195.x.x.x/29 --- WAN pfSense - LAN 10.x.x.x/16
   |
DMZ 195.x.x.x/29

On pfSense WAN there is racoon enabled for IPSec-termination of our teleworkers.

In our DMZ we have another IPSec endpoint, that shall terminate some 
connections of some remote-systems for management purposes.

Now it seems as if the remote endpoint connects to some IP in the DMZ network 
(also official, external IPs), that the remote endpoint gets its IPSec-answers 
from our pfSense WAN, not the DMZ-IP.

Any ideas why this might be so or is it impossible to set it up this way ?
Is GRE filtered out by pfSense on the WAN side if there is IPSec enabled ?

With disabled IPSec on pfSense WAN it works with the connection to the DMZ 
IPSec-endpoint...

Looking forward to answers,

Regards,

martin



[pfSense Support] IPSec from WAN to DMZ (with racoon on WAN)

2010-05-20 Thread Fuchs, Martin
Hi !
I've got a question !

We have the following setup:

WAN 195.x.x.x/29 --- WAN pfSense - LAN 10.x.x.x/16
   |
DMZ 195.x.x.x/29

On pfSense WAN there is racoon enabled for IPSec-termination of our teleworkers.

In our DMZ we have another IPSec endpoint, that shall terminate some 
connections of some remote-systems for management purposes.

Now it seems as if the remote endpoint connects to some IP in the DMZ network 
(also official, external IPs), that the remote endpoint gets its IPSec-answers 
from our pfSense WAN, not the DMZ-IP.

Any ideas why this might be so or is it impossible to set it up this way ?
Is GRE filtered out by pfSense on the WAN side if there is IPSec enabled ?

With disabled IPSec on pfSense WAN it works with the connection to the DMZ 
IPSec-endpoint...

Looking forward to answers,

Regards,

martin


[pfSense Support] racoon binding to separate interfaces

2010-04-29 Thread Fuchs, Martin
Hi !

Is racoon bound to all interfaces by default ?
Is there the possibility to change this (for testing) ?
I try to route ipsec thru pfsense (ipsec endpoint itself(x.x.x.90)) to an 
official ip in the dmz (x.x.x.110).
The other endpoint gets replies from .90, but wants to establish a connection 
to .110.

Any ideas ?

Regards,

martin


AW: [pfSense Support] no packages for 2.0

2010-04-19 Thread Fuchs, Martin
Same here

-Original Message-
From: David Burgess [mailto:apt@gmail.com]
Sent: Monday, 19 April 2010 19:58
To: support
Subject: [pfSense Support] no packages for 2.0

The Available Packages page for 2.0 beta x86_64 full snapshot from
Friday shows no packages, with the warning "Unable to communicate with
www.pfsense.com. Please verify DNS and interface configuration, and
that pfSense has functional Internet connectivity." My DNS works. I
don't see anything related in the forum. Am I doing it wrong?

db





AW: [pfSense Support] About promiscuous mode

2010-01-23 Thread Fuchs, Martin
Well... same phenomenon here...
Useful package, but no idea if the nic really has to be in promiscuous mode

From: Koray AGAYA [mailto:insanad...@gmail.com]
Sent: Saturday, 23 January 2010 20:34
To: support@pfsense.com
Subject: Re: [pfSense Support] About promiscuous mode

Yes I installed rate package !
On Fri, Jan 22, 2010 at 4:09 PM, Fuchs, Martin 
<martin.fu...@trendchiller.com> wrote:
-Original Message-
From: Koray AGAYA [mailto:insanad...@gmail.com]
Sent: Friday, 22 January 2010 14:38
To: support@pfsense.com
Subject: [pfSense Support] About promiscuous mode

Hi,

I use 1.2.3-RELEASE  Pfsense, System log has an error,  I don't
understand What is problem ?

Jan 22 15:29:01 kernel: vge0: promiscuous mode disabled
Jan 22 15:29:01 kernel: vge0: promiscuous mode enabled
Jan 22 15:28:58 kernel: vge0: promiscuous mode disabled
Jan 22 15:28:57 kernel: vge0: promiscuous mode enabled
Jan 22 15:28:54 kernel: vge0: promiscuous mode disabled
Jan 22 15:28:54 kernel: vge0: promiscuous mode enabled
Jan 22 15:28:51 kernel: vge0: promiscuous mode disabled
Jan 22 15:28:51 kernel: vge0: promiscuous mode enabled
Jan 22 15:28:48 kernel: vge0: promiscuous mode disabled
Jan 22 15:28:48 kernel: vge0: promiscuous mode enabled
Jan 22 15:28:45 kernel: vge1: promiscuous mode disabled
Jan 22 15:28:45 kernel: vge1: promiscuous mode enabled
Jan 22 15:28:42 kernel: vge1: promiscuous mode disabled
Jan 22 15:28:41 kernel: vge1: promiscuous mode enabled
Jan 22 15:28:38 kernel: vge1: promiscuous mode disabled
Jan 22 15:28:38 kernel: vge1: promiscuous mode enabled
Jan 22 15:28:35 kernel: vge1: promiscuous mode disabled
Jan 22 15:28:35 kernel: vge1: promiscuous mode enabled
Jan 22 15:28:33 kernel: vge0: promiscuous mode disabled
Jan 22 15:28:33 kernel: vge0: promiscuous mode enabled


---

Do you have the rate package installed ?
Then it's this...




--
-Don't take life seriously, you will never get out of it alive!


AW: [pfSense Support] About promiscuous mode

2010-01-22 Thread Fuchs, Martin
-Original Message-
From: Koray AGAYA [mailto:insanad...@gmail.com]
Sent: Friday, 22 January 2010 14:38
To: support@pfsense.com
Subject: [pfSense Support] About promiscuous mode

Hi,

I use 1.2.3-RELEASE  Pfsense, System log has an error,  I don't
understand What is problem ?

Jan 22 15:29:01 kernel: vge0: promiscuous mode disabled
Jan 22 15:29:01 kernel: vge0: promiscuous mode enabled
Jan 22 15:28:58 kernel: vge0: promiscuous mode disabled
Jan 22 15:28:57 kernel: vge0: promiscuous mode enabled
Jan 22 15:28:54 kernel: vge0: promiscuous mode disabled
Jan 22 15:28:54 kernel: vge0: promiscuous mode enabled
Jan 22 15:28:51 kernel: vge0: promiscuous mode disabled
Jan 22 15:28:51 kernel: vge0: promiscuous mode enabled
Jan 22 15:28:48 kernel: vge0: promiscuous mode disabled
Jan 22 15:28:48 kernel: vge0: promiscuous mode enabled
Jan 22 15:28:45 kernel: vge1: promiscuous mode disabled
Jan 22 15:28:45 kernel: vge1: promiscuous mode enabled
Jan 22 15:28:42 kernel: vge1: promiscuous mode disabled
Jan 22 15:28:41 kernel: vge1: promiscuous mode enabled
Jan 22 15:28:38 kernel: vge1: promiscuous mode disabled
Jan 22 15:28:38 kernel: vge1: promiscuous mode enabled
Jan 22 15:28:35 kernel: vge1: promiscuous mode disabled
Jan 22 15:28:35 kernel: vge1: promiscuous mode enabled
Jan 22 15:28:33 kernel: vge0: promiscuous mode disabled
Jan 22 15:28:33 kernel: vge0: promiscuous mode enabled



---

Do you have the rate package installed ?
Then it's this...
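
Added example, not part of the thread or of pfSense: a log like the one above can be triaged by pairing each "promiscuous mode enabled" line with the next "disabled" line on the same interface. Short, repeated pairs are the pattern the reply attributes to the rate package; an interface that is enabled and never disabled is the case that deserves a look. The sample lines, interface names and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the same format as the log in the thread, newest first.
SAMPLE_LOG = """\
Jan 22 15:29:04 kernel: em1: promiscuous mode enabled
Jan 22 15:29:01 kernel: em0: promiscuous mode disabled
Jan 22 15:29:01 kernel: em0: promiscuous mode enabled
Jan 22 15:28:58 kernel: em0: promiscuous mode disabled
Jan 22 15:28:57 kernel: em0: promiscuous mode enabled
Jan 22 15:28:54 kernel: em0: promiscuous mode disabled
Jan 22 15:28:54 kernel: em0: promiscuous mode enabled
"""

EVENT = re.compile(
    r"^(?P<stamp>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) kernel: "
    r"(?P<iface>\w+): promiscuous mode (?P<state>enabled|disabled)$"
)


def parse_events(text, year=2000):
    """Return (timestamp, interface, enabled) tuples in chronological order.

    Syslog lines carry no year, so one is assumed; only differences matter.
    """
    events = []
    for line in text.splitlines():
        match = EVENT.match(line.strip())
        if match is None:
            continue  # unrelated log line
        stamp = " ".join(match.group("stamp").split())  # "Jan  2" -> "Jan 2"
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((ts, match.group("iface"), match.group("state") == "enabled"))
    # A newest-first listing is flipped before the stable sort, so that an
    # enable/disable pair logged within the same second keeps its real order.
    if len(events) > 1 and events[0][0] > events[-1][0]:
        events.reverse()
    events.sort(key=lambda event: event[0])
    return events


def summarise(events, flap_min_cycles=3, flap_max_seconds=5):
    """Pair enable/disable events per interface and classify the pattern."""
    report = defaultdict(lambda: {"cycles": 0, "longest_s": 0.0, "open_since": None})
    for ts, iface, enabled in events:
        entry = report[iface]
        if enabled:
            if entry["open_since"] is None:
                entry["open_since"] = ts
        elif entry["open_since"] is not None:
            held = (ts - entry["open_since"]).total_seconds()
            entry["cycles"] += 1
            entry["longest_s"] = max(entry["longest_s"], held)
            entry["open_since"] = None
        # A "disabled" with no earlier "enabled" (truncated log) is ignored.

    verdicts = {}
    for iface, entry in report.items():
        if entry["open_since"] is not None:
            verdicts[iface] = "still-promiscuous"  # enabled, never disabled
        elif (entry["cycles"] >= flap_min_cycles
              and entry["longest_s"] <= flap_max_seconds):
            verdicts[iface] = "flapping"  # short repeated captures
        else:
            verdicts[iface] = "occasional"
    return dict(report), verdicts


if __name__ == "__main__":
    stats, verdicts = summarise(parse_events(SAMPLE_LOG))
    for iface in sorted(verdicts):
        print(iface, verdicts[iface], stats[iface]["cycles"], "cycles")
```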




AW: [pfSense Support] do we support ipsec-nat ?

2009-10-27 Thread Fuchs, Martin
On Mon, Oct 26, 2009 at 9:31 AM, Fuchs, Martin
 wrote:
> Hi !
>
> Do we support IPsec-NAT ?
>

-Original Message-
From: cbuech...@gmail.com [mailto:cbuech...@gmail.com] On Behalf Of Chris 
Buechler
Sent: Tuesday, 27 October 2009 00:42
To: support@pfsense.com
Subject: Re: [pfSense Support] do we support ipsec-nat ?

No, PF can't do it. See a recent thread on freebsd-net for details.


Hmmm, that's bad...
So i really have to take a cisco device for this one gateway :-( but our main 
firewall stays pfsense ;-)

Are there any plans to ever support this ?
Do you have the link of the thread ?

Thanks a lot... 
martin





[pfSense Support] do we support ipsec-nat ?

2009-10-26 Thread Fuchs, Martin
Hi !
Do we support IPsec-NAT ?
We had a discussion today about monitoring some clients systems with identical 
client subnets...
Does pfsense support natting ipsec tunnels ? a colleague  told me that for 
example cisco, wg, etc... does a 1:1 nat for translating the remote subnets...

Regards,

martin


AW: [pfSense Support] more users for the webgui (running 1.2.3 rc3)

2009-10-19 Thread Fuchs, Martin
You'll have to wait for 2.0...
It's a feature there...

Regards,

Martin

-Original Message-
From: Michel Servaes [mailto:mic...@mcmc.be]
Sent: Monday, 19 October 2009 11:28
To: support@pfsense.com
Subject: [pfSense Support] more users for the webgui (running 1.2.3 rc3)

Hi,

I am wondering, if it would be possible to add more users to the webgui access ?
Currently I have a monowall & pfsense - and in such, monowall does
allow me to do this...
But the pfSense seems to be missing this function.

What I want to do, is to offer regular users (with a bit of IT
background) access to the captive-portal user administration.
That way, when a "stranger" passes by, we can give him access to our
WLAN. (the WLAN itself, would be handled by a normal Access Point).

Kind regards,
Michel




AW: AW: [pfSense Support] 192.0.2.112

2009-09-29 Thread Fuchs, Martin
-Original Message-
From: Chris Buechler [mailto:cbuech...@gmail.com]
Sent: Tuesday, 29 September 2009 23:05
To: support@pfsense.com
Subject: Re: AW: [pfSense Support] 192.0.2.112

On Tue, Sep 29, 2009 at 4:48 PM, Jeppe Øland  wrote:
>>> > Do you have this 192.x.x.x for WAN at your Status->Interfaces page?
>>> No, it's not :-( that's what irritates me...
>> There is no other option, it had to be on the WAN interface at some
>> point if the firewall registered it. It's impossible for it to just
>> pick some arbitrary IP and register it. Check the system log, it will
>> show what it's registering.
>
> If so, wouldn't the DynDNS option publish the correct IP once it changed 
> again?
>

Yes, the new WAN IP script will re-register, but maybe that's failing
for some reason if the IP changes very quickly. System logs will show.


What also irritates me is that this IP is also used in the interfaces.inc...




AW: AW: [pfSense Support] 192.0.2.112

2009-09-29 Thread Fuchs, Martin
-Original Message-
From: Chris Buechler [mailto:cbuech...@gmail.com]
Sent: Tuesday, 29 September 2009 23:05
To: support@pfsense.com
Subject: Re: AW: [pfSense Support] 192.0.2.112

On Tue, Sep 29, 2009 at 4:48 PM, Jeppe Øland  wrote:
>>> > Do you have this 192.x.x.x for WAN at your Status->Interfaces page?
>>> No, it's not :-( that's what irritates me...
>> There is no other option, it had to be on the WAN interface at some
>> point if the firewall registered it. It's impossible for it to just
>> pick some arbitrary IP and register it. Check the system log, it will
>> show what it's registering.
>
> If so, wouldn't the DynDNS option publish the correct IP once it changed 
> again?
>

Yes, the new WAN IP script will re-register, but maybe that's failing
for some reason if the IP changes very quickly. System logs will show.


I'll have a look again, but i also wonder why the script does not re-register 
the official-wan ip...




AW: AW: [pfSense Support] 192.0.2.112

2009-09-29 Thread Fuchs, Martin
-Original Message-
From: Evgeny Yurchenko [mailto:evg.yu...@rogers.com]
Sent: Tuesday, 29 September 2009 20:09
To: support@pfsense.com
Subject: Re: AW: [pfSense Support] 192.0.2.112

Fuchs, Martin wrote:
> On Tue, Sep 29, 2009 at 1:26 PM, Michel Servaes  wrote:
>   
>> Is 192.0.2.112 not a public range ?
>> 
>
> 192.0.2.0/24 is reserved for documentation/example uses, RFC 3330.
>
> It's not a NATted address on the WAN interface...
>
> It registers this 192.x.x.x IP on dyndns and has a public IP...
> Even after a fresh install...
> I've only seen this on that system...
>
> Sorry,
>
> Martin
>
>   
Do you have this 192.x.x.x for WAN at your Status->Interfaces page?
Eugene


No, it's not :-( that's what irritates me...






AW: [pfSense Support] 192.0.2.112

2009-09-29 Thread Fuchs, Martin
On Tue, Sep 29, 2009 at 1:26 PM, Michel Servaes  wrote:
>
> Is 192.0.2.112 not a public range ?

192.0.2.0/24 is reserved for documentation/example uses, RFC 3330.


It's not a NATted address on the WAN interface...

It registers this 192.x.x.x IP on dyndns and has a public IP...
Even after a fresh install...
I've only seen this on that system...

Sorry,

Martin




[pfSense Support] 192.0.2.112

2009-09-29 Thread Fuchs, Martin
Hi !

A friend of mine has a strange problem: every time he reboots his pfsense his 
dyndns updates with 192.0.2.112

He had this problem with 1.2.2 and now updated to 1.2.3 RC3 and it still 
exists...

Anyone has the same issues ?

Any ideas ?

Regards,

Martin


AW: [pfSense Support] GBE toe

2009-08-25 Thread Fuchs, Martin
I prefer intel... :-)

-Original Message-
From: cbuech...@gmail.com [mailto:cbuech...@gmail.com] On Behalf Of Chris 
Buechler
Sent: Tuesday, 25 August 2009 20:19
To: support@pfsense.com
Subject: Re: [pfSense Support] GBE toe

On Tue, Aug 25, 2009 at 3:15 AM, Richard Sperry wrote:
> Does anyone know of any Gig Ethernet tcp offload cards that are *fairly 
> inexpensive* that work with PF?
>

Every worthwhile server class gig NIC has TCP offload. Intel and
Broadcom the two most widely used.




AW: [pfSense Support] VPN Questions

2009-08-03 Thread Fuchs, Martin
Ahh, yes.. that's correct..., then i have misunderstood the question 
yesterday...
But on this server you can setup your different dns-request-forwardings, etc..

-Original Message-
From: cbuech...@gmail.com [mailto:cbuech...@gmail.com] On Behalf Of Chris 
Buechler
Sent: Tuesday, 4 August 2009 02:25
To: support@pfsense.com
Subject: Re: [pfSense Support] VPN Questions

On Mon, Aug 3, 2009 at 9:55 AM, Joseph L.
Casale wrote:
 You can filter OpenVPN. Short howto is here:
 http://doc.pfsense.org/index.php/VPN_Capability_OpenVPN
>>>
>>> if you're running multiple openVPN servers, how does pfSense know which
>>> tun device is allocated to which server/daemon?
>>>
>>
>>Updated that page.
>
> Chris, does the OpenVPN setup with the DHCP-Opt.: DNS-Domainname and
> DHCP-Opt.: DNS-Server config params mimic the Cisco Split-DNS concept
> where once the client connects, and queries for a host whose FQDN has
> a search domain equal to "DHCP-Opt.: DNS-Domainname" will be redirected
> to the "DHCP-Opt.: DNS-Server" server?
>

DNS queries are done based on the binding order of the interfaces on
the client. The domain name option acts no differently than that same
option from a DHCP server, it doesn't send queries for only that
domain to the defined DNS servers.




AW: [pfSense Support] VPN Questions

2009-08-03 Thread Fuchs, Martin
It is intended to do so...

Regards,

martin

-Original Message-
From: Joseph L. Casale [mailto:jcas...@activenetwerx.com]
Sent: Monday, 3 August 2009 15:55
To: support@pfsense.com
Subject: RE: [pfSense Support] VPN Questions

>>> You can filter OpenVPN. Short howto is here:
>>> http://doc.pfsense.org/index.php/VPN_Capability_OpenVPN
>>
>> if you're running multiple openVPN servers, how does pfSense know which
>> tun device is allocated to which server/daemon?
>>
>
>Updated that page.

Chris, does the OpenVPN setup with the DHCP-Opt.: DNS-Domainname and
DHCP-Opt.: DNS-Server config params mimic the Cisco Split-DNS concept
where once the client connects, and queries for a host whose FQDN has
a search domain equal to "DHCP-Opt.: DNS-Domainname" will be redirected
to the "DHCP-Opt.: DNS-Server" server?

Thanks!
jlc




AW: [pfSense Support] openssh flaw

2009-05-21 Thread Fuchs, Martin
In 1.2.2 (release version) we use OpenSSH_4.5p1

Regards,

Martin

-Original Message-
From: David Burgess [mailto:apt@gmail.com]
Sent: Thursday, 21 May 2009 21:37
To: support
Subject: [pfSense Support] openssh flaw

http://linux.slashdot.org/article.pl?sid=09/05/21/1824220&from=rss

What versions run in pfsense? Is this something we should be concerned about?





AW: [pfSense Support] Attention Firebox X Series Users - Testing Needed

2009-04-23 Thread Fuchs, Martin
As far as i know the fireboxes support single-sided dimms with 512 mb...

1gb is recognized as 512mb only :-(

Regards,

martin

-Original Message-
From: Tim Nelson [mailto:tnel...@fudnet.net]
Sent: Friday, 24 April 2009 04:43
To: support@pfsense.com
Subject: Re: [pfSense Support] Attention Firebox X Series Users - Testing Needed

Well, I threw the latest 1.2.3-RC1 on a CF card and booted up my X500. 
I've been passing all sorts of traffic through it (WAN and OPT1 bridge) 
with no pauses in traffic or watchdog timeouts. My traffic has been 
anything from netperf tests TCP and UDP, raw FTP traffic, random web 
browsing, and some very heavy bittorrent traffic (Latest Ubuntu released 
today :-) ). In fact, I've run some of those tests concurrently.

Thus far, after saturating the 100mbit link through the bridge for 
nearly 4 hours, I've yet to see a problem. I can post any additional 
information you need, just let me know. This X500 is 100% stock with the 
exception of the CF card. The 64MB CF was a bit small so it was replaced 
with a Sandisk 256MB I had lying around.

Out of curiosity, what is the largest DIMM these units will accept? They 
come with 256MB which seems a bit light. I'd like to throw a 1GB stick 
in if possible.

--Tim

Dimitri Rodis wrote:
> Attention Firebox X500/700/1000 Users using pfSense:
>
> Watchdog timeouts gettin' you down? Thinkin' about throwin' that old
> Firebox in to the fireplace? Don't do that just yet! :)
>
> Thanks to the pfSense devs, along with Pyun YongHyeon, the maintainer
> for the FreeBSD Realtek network driver, it appears that we may have
> solved the issue with the watchdog timeouts on the Realtek 8139C+ chips
> that are used in these units. For the past couple of days, I have worked
> with Pyun, and yesterday Pyun sent me a patch, and that patch was
> committed to the 1.2.3 snapshot builds, as well as to the 2.0 alpha
> snapshot builds by the pfSense devs, and is part of any snapshot build
> as of yesterday (4/17) at 2pm Eastern time, or later.
>
> Snapshot builds can be downloaded from
>
> http://snapshots.pfsense.org/FreeBSD7/RELENG_1_2/
>
> or
>
> http://snapshots.pfsense.org/FreeBSD7/HEAD/
>
> I have been testing a build with this patch since yesterday, and have
> yet to see a single watchdog timeout on my interfaces - and no
> modifications to loader.conf have been made. This is a default
> install - no special options have been set anywhere.
>
> If at all possible, please try to install a recent snapshot build on
> your firebox units (those of you that have them) and test this patch.
> If you do still receive watchdog timeouts, please let me know either on
> this list, or off-list. Either way, please try to detail what you were
> doing when the watchdog timeout occurred so that we can try to reproduce
> it, and Pyun can fix it.
>
> Thanks to all that have helped, and thanks to those that are willing to
> test!
>
> Dimitri Rodis
>
> Integrita Systems LLC
>
> http://www.integritasystems.com
>




[pfSense Support] AW: Is there any reason I can't Remote desktop through an ipsec tunnel?

2009-03-30 Thread Fuchs, Martin
Sometimes RDP connection cannot be established, sometimes the connection gets 
stuck...
You can try to lower the MTU on the WAN-side and see if the issue gets 
resolved...
Regards and good luck, martin

From: Marty Nelson [mailto:mnel...@transdyn.com]
Sent: Friday, 27 March 2009 15:43
To: support@pfsense.com
Subject: [pfSense Support] RE: Is there any reason I can't Remote desktop 
through an ipsec tunnel?

That's a good point.  Where would I see if that was an issue?

Thanks,

-Marty

From: Fuchs, Martin [mailto:martin.fu...@trendchiller.com]
Sent: Thursday, March 26, 2009 5:11 PM
To: 'support@pfsense.com'
Subject: [pfSense Support] AW: Is there any reason I can't Remote desktop 
through an ipsec tunnel?

Perhaps some kind of MTU issue ?
RDP often has MTU issues ;-)

Regards,

Martin

From: Marty Nelson [mailto:mnel...@transdyn.com]
Sent: Thursday, 26 March 2009 23:30
To: support@pfsense.com
Subject: [pfSense Support] Is there any reason I can't Remote desktop through 
an ipsec tunnel?

I have an IPSec tunnel connecting my network to one of our customer sites, and 
while I can ping a computer on their network I am unable to remote desktop to.  
Currently all of our customer tunnels are setup to terminate in our DMZ to 
limit access back into our network.  I have a second firewall (monowall) in our 
DMZ that then routes all traffic out through the tunnel.  I've drawn a 
rudimentary layout of how it's setup (see below).

I have the IPsec rules to pass all traffic, and currently I have it setup to 
log all traffic as well.  What's strange is that when I attempt to remote 
desktop to it, I see no traffic relating to that at all.  Nothing passing, 
nothing getting blocked.  Like I said, I can ping the box just fine (and it 
shows up in the log), but I am unable to remote desktop to it and I don't see 
anything getting blocked, or passed.

Hopefully this made sense.  If it's unclear, please let me know and I'll try my 
best to clear it up.

LAN (192.168)---[pfSenseFW]---DMZ (10.100)---[monowall]---[ipsec tunnel to cust 
site]---Cust site

Thanks,

-Marty



[pfSense Support] AW: Is there any reason I can't Remote desktop through an ipsec tunnel?

2009-03-26 Thread Fuchs, Martin
Perhaps some kind of MTU issue ?
RDP often has MTU issues ;-)

Regards,

Martin

From: Marty Nelson [mailto:mnel...@transdyn.com]
Sent: Thursday, 26 March 2009 23:30
To: support@pfsense.com
Subject: [pfSense Support] Is there any reason I can't Remote desktop through 
an ipsec tunnel?

I have an IPSec tunnel connecting my network to one of our customer sites, and 
while I can ping a computer on their network I am unable to remote desktop to.  
Currently all of our customer tunnels are setup to terminate in our DMZ to 
limit access back into our network.  I have a second firewall (monowall) in our 
DMZ that then routes all traffic out through the tunnel.  I've drawn a 
rudimentary layout of how it's setup (see below).

I have the IPsec rules to pass all traffic, and currently I have it setup to 
log all traffic as well.  What's strange is that when I attempt to remote 
desktop to it, I see no traffic relating to that at all.  Nothing passing, 
nothing getting blocked.  Like I said, I can ping the box just fine (and it 
shows up in the log), but I am unable to remote desktop to it and I don't see 
anything getting blocked, or passed.

Hopefully this made sense.  If it's unclear, please let me know and I'll try my 
best to clear it up.

LAN (192.168)---[pfSenseFW]---DMZ (10.100)---[monowall]---[ipsec tunnel to cust 
site]---Cust site

Thanks,

-Marty



[pfSense Support] AW: ACPI/APIC in loader.conf - watchdog timeouts

2009-03-23 Thread Fuchs, Martin
A friend of mine will test this apic.disable with his WG config...
Hope it helps...

Regards,

Martin !

From: Dimitri Rodis [mailto:dimit...@integritasystems.com]
Sent: Monday, 23 March 2009 05:39
To: support@pfsense.com
Subject: [pfSense Support] ACPI/APIC in loader.conf - watchdog timeouts

So I just came across this little tidbit while searching for potential 
solutions to the re: watchdog timeout issue on the firebox installs that I have 
pfSense running on. Some folks suggest that the problem is due to an interrupt 
storm which can result in a partial/total system hang. While doing further 
research, I found this:

http://www.freebsd.org/doc/en/books/handbook/acpi-debug.html

Specifically:
--
11.16.3.3 System Hangs (temporary or permanent)
Most system hangs are a result of lost interrupts or an interrupt storm. 
Chipsets have a lot of problems based on how the BIOS configures interrupts 
before boot, correctness of the APIC (MADT) table, and routing of the System 
Control Interrupt (SCI).
Interrupt storms can be distinguished from lost interrupts by checking the 
output of vmstat -i and looking at the line that has acpi0. If the counter is 
increasing at more than a couple per second, you have an interrupt storm. If 
the system appears hung, try breaking to DDB (CTRL+ALT+ESC on console) and type 
show interrupts.
Your best hope when dealing with interrupt problems is to try disabling APIC 
support with hint.apic.0.disabled="1" in loader.conf.
--

hint.apic.0.disabled=1? I thought it was hint.acpi.0.disabled=1 (see 
http://doc.pfsense.org/index.php/Booting_Options, and also the forum posts 
regarding firebox installs)

Is there a typo here or are these two totally different things? I have not 
tried the hint.apic.0.disabled=1 yet, but I plan to tomorrow. Also, are the 
double quotes of particular importance? Some docs show them there, others don't.

Any info appreciated. I think these old end of life firebox x series units 
would be great for pfSense, provided we can get the watchdog timeouts to go 
away (and a specially sized sticker that can cover up the Firebox X logo :))

Dimitri Rodis
Integrita Systems LLC



AW: AW: [pfSense Support] Squid authentication against AD.

2009-03-14 Thread Fuchs, Martin
Hmmm,... sounds interesting...

-Original Message-
From: Gary Buckmaster [mailto:g...@centipedenetworks.com]
Sent: Friday, March 13, 2009 14:52
To: support@pfsense.com
Subject: Re: AW: [pfSense Support] Squid authentication against AD.

Fuchs, Martin wrote:
>
> Would only be possible with integrated authentication in IE and with 
> squid using it.
>
> Afaik it works with isa and even there only with IE. so. no.
>
> Regards,
>
> Martin
>
> *From:* Wayne Langdon [mailto:wa...@langdon.co.za]
> *Sent:* Friday, March 13, 2009 12:56
> *To:* support@pfsense.com
> *Subject:* [pfSense Support] Squid authentication against AD.
>
> Hi,
>
> Has anyone managed to successfully setup pfsense+squid to authenticate 
> Windows users automatically
> against AD, ie: based on their Windows domain signon and not prompting 
> for user/pass when using proxy?
>
> Any help regarding this will be appreciated.
>
> Thank you,
>
> Wayne.
>
>
>
Martin,

That's actually incorrect. It is entirely possible to use squid+ad 
authentication simply using proxy settings put into the browser, and the 
authentication piece works fine with IE, Firefox, even Opera. The issue 
is getting squid to authenticate to AD and query for group membership. A 
lot of this was stubbed into the squid package, but never completed by 
the author and no one has been interested in finishing it.


-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org






AW: [pfSense Support] Squid authentication against AD.

2009-03-13 Thread Fuchs, Martin
Would only be possible with integrated authentication in IE and with squid 
using it...
Afaik it works with isa and even there only with IE... so... no...
Regards,

Martin

From: Wayne Langdon [mailto:wa...@langdon.co.za]
Sent: Friday, March 13, 2009 12:56
To: support@pfsense.com
Subject: [pfSense Support] Squid authentication against AD.

Hi,

Has anyone managed to successfully setup pfsense+squid to authenticate Windows 
users automatically
against AD, ie: based on their Windows domain signon and not prompting for 
user/pass when using proxy?

Any help regarding this will be appreciated.

Thank you,

Wayne.





AW: [pfSense Support] Re: Can't get more than 15kpps.

2009-03-08 Thread Fuchs, Martin
It depends where most traffic flows...

We have VPN and LAN on one NIC and WAN and DMZ on the other...

It solved that problem...

From: Lenny [mailto:five2one.le...@gmail.com]
Sent: Sunday, March 8, 2009 15:54
To: support@pfsense.com
Subject: Re: [pfSense Support] Re: Can't get more than 15kpps.

Yeah, but I'm already using a Dual NIC - I wrote that.
I only use WAN and OPT1 - they're both on the same card.
On Sun, Mar 8, 2009 at 3:01 PM, Fuchs, Martin <martin.fu...@trendchiller.com> wrote:

We once had a similar problem and solved it by using multiport cards, so when 
the traffic leaves the physical card to be routed to another card there are 
more interrupts generated than when the traffic only is routed between the 
interfaces of one physical card, we used 2-port or 4-port em0 and it works 
really cool, we got our interrupt rate from 100% under heavy load to 12% under 
heavy load by this...



Regards,



Martin



From: Lenny [mailto:five2one.le...@gmail.com]
Sent: Sunday, March 8, 2009 12:57
To: support@pfsense.com
Subject: Re: [pfSense Support] Re: Can't get more than 15kpps.



Guys,

I'm really desperate:(
Last week I replaced the Intel Dual NIC with a new one of the same kind 
(82546GB).
For a week of low load (6kpps on average) I never saw a single error on the 
interfaces, but yesterday came the high load and it happened again.
So I'm totally out of ideas.

The main problem remains: the minute I get high load (about 14-18kpps, 25 
states, 120Mb traffic), the em0 and em1 taskq processes lock on 100% each and 
the website becomes unresponsive or very slow. I also started to see errors on 
the interfaces again. The moment I release some of that load - everything is 
back to normal.
Just to remind you, my hardware is IBM x335 server, 2 x Xeon 3.06GHz CPU, 2GB 
RAM, Intel Dual NIC PCI-X.
By the way, the total CPU load I see at these situations is 40-50%. It's a SMP 
setup, so the taskq processes lock the 2 out of 4 CPUs available.
Should I go on and mess with em drivers? What should I change there if so?

Please, please help!

Lenny.



On Tue, Feb 10, 2009 at 7:49 PM, Lenny <five2one.le...@gmail.com> wrote:



Hi,

apparently my last few emails were only between me and Curtis, so I'm attaching 
them all.



so as far as I understand my problem is either with one of the cables (which 
is less likely, as I see errors on both interfaces), or with the NIC 
itself?

Can anyone confirm that?

Thanks a lot,



Lenny.





Lenny wrote:





I drew you a diagram you asked for: 
http://rapidshare.com/files/195843186/file3.jpg.html

Hope it makes things clearer, and also explains why I'm a bit skeptical about 
the switch/cable issues...

I ran the command you asked me to and these are the results.

seems OK, doesn't it?

2948-cis> show port counters 2/49

Port  Align-Err  FCS-Err    Xmit-Err   Rcv-Err    UnderSize
----- ---------- ---------- ---------- ---------- ---------
 2/49          -          0          0          0         0

Port  Single-Col Multi-Coll Late-Coll  Excess-Col Carri-Sen Runts     Giants
----- ---------- ---------- ---------- ---------- --------- --------- ---------
 2/49          0          0          0          0         0         0         0

Last-Time-Cleared
--------------------------
Mon Aug 4 2008, 09:03:45

2948-cis> show port counters 2/50

Port  Align-Err  FCS-Err    Xmit-Err   Rcv-Err    UnderSize
----- ---------- ---------- ---------- ---------- ---------
 2/50          -          0          0          0         0

Port  Single-Col Multi-Coll Late-Coll  Excess-Col Carri-Sen Runts     Giants
----- ---------- ---------- ---------- ---------- --------- --------- ---------
 2/50          0          0          0          0         0         0         0

Last-Time-Cleared
--------------------------
Mon Aug 4 2008, 09:03:45

Regarding the NICs - the Broadcom NICs are on PCI bus and I had CPU loaded with 
interrupt, so I've never even had a chance to reach this kind of load without 
hitting 80% CPU(even with device polling), on the other hand I don't remember 
the blank spaces on RRD graphs. This is why I'm not throwing the Intel Dual NIC 
out of the equation just yet.

Curtis LaMasters wrote:

A static route should be enough.  If they are both plugged into the same LAN 
you may want to enable the checkbox that says suppress ARP messages.  Do you 
have a little diagram available of this setup?  IP's do not have to be 
included.  I am not versed with CatOS but Google brought me to this 
http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008010e9d5.shtml
 that says you should do "show port counters".  You've tested both Intel and 
Broadcom nic's right?  This would lead me to a switch or cable issue 100%.  Let 
me know what the Cisco switch says

AW: [pfSense Support] Re: Can't get more than 15kpps.

2009-03-08 Thread Fuchs, Martin
We once had a similar problem and solved it by using multiport cards, so when 
the traffic leaves the physical card to be routed to another card there are 
more interrupts generated than when the traffic only is routed between the 
interfaces of one physical card, we used 2-port or 4-port em0 and it works 
really cool, we got our interrupt rate from 100% under heavy load to 12% under 
heavy load by this...

Regards,

Martin

From: Lenny [mailto:five2one.le...@gmail.com]
Sent: Sunday, March 8, 2009 12:57
To: support@pfsense.com
Subject: Re: [pfSense Support] Re: Can't get more than 15kpps.

Guys,

I'm really desperate:(
Last week I replaced the Intel Dual NIC with a new one of the same kind 
(82546GB).
For a week of low load (6kpps on average) I never saw a single error on the 
interfaces, but yesterday came the high load and it happened again.
So I'm totally out of ideas.

The main problem remains: the minute I get high load (about 14-18kpps, 25 
states, 120Mb traffic), the em0 and em1 taskq processes lock on 100% each and 
the website becomes unresponsive or very slow. I also started to see errors on 
the interfaces again. The moment I release some of that load - everything is 
back to normal.
Just to remind you, my hardware is IBM x335 server, 2 x Xeon 3.06GHz CPU, 2GB 
RAM, Intel Dual NIC PCI-X.
By the way, the total CPU load I see at these situations is 40-50%. It's a SMP 
setup, so the taskq processes lock the 2 out of 4 CPUs available.
Should I go on and mess with em drivers? What should I change there if so?

Please, please help!

Lenny.



On Tue, Feb 10, 2009 at 7:49 PM, Lenny <five2one.le...@gmail.com> wrote:



Hi,

apparently my last few emails were only between me and Curtis, so I'm attaching 
them all.



so as far as I understand my problem is either with one of the cables (which 
is less likely, as I see errors on both interfaces), or with the NIC 
itself?

Can anyone confirm that?

Thanks a lot,



Lenny.





Lenny wrote:




I drew you a diagram you asked for: 
http://rapidshare.com/files/195843186/file3.jpg.html

Hope it makes things clearer, and also explains why I'm a bit skeptical about 
the switch/cable issues...

I ran the command you asked me to and these are the results.

seems OK, doesn't it?

2948-cis> show port counters 2/49

Port  Align-Err  FCS-Err    Xmit-Err   Rcv-Err    UnderSize
----- ---------- ---------- ---------- ---------- ---------
 2/49          -          0          0          0         0

Port  Single-Col Multi-Coll Late-Coll  Excess-Col Carri-Sen Runts     Giants
----- ---------- ---------- ---------- ---------- --------- --------- ---------
 2/49          0          0          0          0         0         0         0

Last-Time-Cleared
--------------------------
Mon Aug 4 2008, 09:03:45

2948-cis> show port counters 2/50

Port  Align-Err  FCS-Err    Xmit-Err   Rcv-Err    UnderSize
----- ---------- ---------- ---------- ---------- ---------
 2/50          -          0          0          0         0

Port  Single-Col Multi-Coll Late-Coll  Excess-Col Carri-Sen Runts     Giants
----- ---------- ---------- ---------- ---------- --------- --------- ---------
 2/50          0          0          0          0         0         0         0

Last-Time-Cleared
--------------------------
Mon Aug 4 2008, 09:03:45

Regarding the NICs - the Broadcom NICs are on PCI bus and I had CPU loaded with 
interrupt, so I've never even had a chance to reach this kind of load without 
hitting 80% CPU(even with device polling), on the other hand I don't remember 
the blank spaces on RRD graphs. This is why I'm not throwing the Intel Dual NIC 
out of the equation just yet.

Curtis LaMasters wrote:
A static route should be enough.  If they are both plugged into the same LAN 
you may want to enable the checkbox that says suppress ARP messages.  Do you 
have a little diagram available of this setup?  IP's do not have to be 
included.  I am not versed with CatOS but Google brought me to this 
http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008010e9d5.shtml
 that says you should do "show port counters".  You've tested both Intel and 
Broadcom nic's right?  This would lead me to a switch or cable issue 100%.  Let 
me know what the Cisco switch says.  Do you have anything plugged into LAN?

Curtis LaMasters
http://www.curtis-lamasters.com
http://www.builtnetworks.com

On Sun, Feb 8, 2009 at 3:15 PM, Lenny <five2one.le...@gmail.com> wrote:

another thing I just thought of:

Is it possible I need a VLAN in my configuration or is the static route enough 
for this?





Curtis LaMasters wrote:
I would have to say bad hardware or cable, or speed/duplex issue.  The traffic 
difference is probably due to blocked traffic.  If you have cli access to the 
cisco switch run "show int | i errors" and report the output.

Curtis LaMasters
http://www.curtis-lamasters.com
http://www.builtnetworks.com

On Sun, Feb 8, 2009 at 2:54 PM, Lenny 
mailt

AW: [pfSense Support] what VPN to use

2009-02-06 Thread Fuchs, Martin
Use OpenVPN

We use it here with 10 sites and 100 road-warriors...

Works like a charm :-)

-Original Message-
From: Nick Upson [mailto:nick.up...@gmail.com]
Sent: Friday, February 6, 2009 15:50
To: support@pfsense.com
Subject: [pfSense Support] what VPN to use

Hi,

I'm intending to implement VPN into our network, from various windows
machines at people's houses.
Can anyone recommend a product that will work well with pfsense




AW: [pfSense Support] Squid / swap.state issue

2009-01-31 Thread Fuchs, Martin
Try using the log-rotate-feature...
So every night your swap.state should be compacted...
Are you on the latest pfsense release and the newest squid package ?

Regards,

Martin

-Original Message-
From: Wayne Langdon [mailto:wa...@langdon.co.za]
Sent: Friday, January 30, 2009 05:40
To: support@pfsense.com
Subject: [pfSense Support] Squid / swap.state issue

Hi,

Yesterday I encountered a concerning problem with my pfSense 1.2 box. I 
added a site to my Squid access list to be
blocked which worked perfectly. However shortly thereafter users were 
unable to use the proxy (all sites timed out).
Disabling the proxy worked fine. When I disabled the transparent mode on 
the proxy, they also appeared to be able to browse for a while.
What also appeared strange is that the error was not consistent to all 
users, some could work and some not.

I later found that my swap.state file had suddenly increased to 109gb 
causing my disk to be 100%.

Can anyone advise as to whether they have experienced this and perhaps 
the cause for this as I do need this site blocked but for now
have allowed access to it again.

Thank you in advance,

Wayne.




AW: [pfSense Support] FTP Server in Routed DMZ

2009-01-21 Thread Fuchs, Martin
:-)

For the usernames and passwords, there are no users, it's just me to configure 
the accounts so I hope it's a bit more secure ;-) thanks a lot for your help...

-Original Message-
From: Michael Schuh [mailto:michael.sc...@gmail.com]
Sent: Tuesday, January 20, 2009 01:18
To: support@pfsense.com
Subject: Re: [pfSense Support] FTP Server in Routed DMZ

:-D
> Any objections against active FTP data ?
No. Not really  (i think so), ftp-protocol is ftp-protocol regardless
of the used ports

But objections against some ftp-Server-software *grin*
like proftpd or some others with sporadic but serious bugs.
every time hold an open eye on Bug-Lists and  Security Certs ...

in my own experience, most servers getting defaced
through a buggy ftp-server. first target for hackers,
because many ftp-servers allow anonymous ftp-login or have
weak user accounts or passwords, this in combination with a
buggy ftp-server is really dangerous

but this is eventually off topic for this list

2009/1/20 Fuchs, Martin :
> Hi !
>
> I opened up port 20 for active FTP data from the DMZ now and the upper ports 
> defined in the server for passive FTP data from WAN to DMZ...
>
> It works...
>
> Any objections against active FTP data ?
>
> Regards,
>
> martin
>
> -Original Message-
> From: Michael Schuh [mailto:michael.sc...@gmail.com]
> Sent: Tuesday, January 20, 2009 00:41
> To: support@pfsense.com
> Subject: Re: [pfSense Support] FTP Server in Routed DMZ
>
> Hmm,
> hi martin,
>
> i have made such a config, and i have for me realized, that
> i have 2 options
> a) ftp-Server w/ ftp-proxy on WAN, IIRC this needs special setup in XML-Config
> also result is : i can't use the ftp-proxy on lan interface
> I am not 100% sure but i believe i remember that the activation of
> ftp-proxy on WAN
> is not possible from Browser-User-Interface,
>
> b) open ftp-highrange-ports from wan to ftp-server and you can use
> ftp-proxy for users
> from lan, if you like to do so
>
> i have used option b) because it is no security risk if no other
> services listen on such a port
> on the ftp-server-system, the port on the ftp-servers system is only opened if
> a ftp-user made a transfer. this behavior underlays the
> ftp-protocols features of
> PASV switching. Other words active ftp-transfer or passive. this is
> handled by the ftp-protocol
> between server and each individual client.
> with option b) you are on the secure side that every User ( if it has
> experiences or not)
> can make transfers from and to the ftp-server, regardless of transfer-mode.
> Works all the time.
>
> Special attention is only needed if another Service listen on the ports
> that you must open for ftp-server ( in almost cases not given).
>
> cheers
>
> michael
>
> 2009/1/20 Fuchs, Martin :
>> No problem ;-)
>>
>> Thats the answer i expected...
>>
>> So there is really no way to accomplish this with some kind of FTP-helper 
>> used in pfSense to open up just a few ports... ?
>> I really need the whole portrange for FTP to be opened as defined in the 
>> FTP-server ?
>>
>> Thanks so far for your help ;-)
>>
>> Regards,
>>
>> martin
>>
>> -Original Message-
>> From: Michael Schuh [mailto:michael.sc...@gmail.com]
>> Sent: Tuesday, January 20, 2009 00:27
>> To: support@pfsense.com
>> Subject: Re: [pfSense Support] FTP Server in Routed DMZ
>>
>> Hi,
>>
>> in my possible solution NO, because you use the ftp-server w/o
>> Proxy. Communication goes directly to your ftp-server.
>> Please checkout also the portranges from your ftp-server
>> if it is not an OpenFTPD (used by FreeBSD/OpenBSD). It can differ
>> from the ports that i have described. (sorry i have forgotten to say,
>> that my tips are related to this ftpd).
>>
>> The proxy is needed for the users in your holy internal LAN.
>>
>> 2009/1/20 Fuchs, Martin :
>>> Should the FTP-helper service be activated or deactivated on the 
>>> WAN-Interface ?
>>>
>>> -Original Message-
>>> From: Michael Schuh [mailto:michael.sc...@gmail.com]
>>> Sent: Tuesday, January 20, 2009 00:14
>>> To: support@pfsense.com
>>> Subject: Re: [pfSense Support] FTP Server in Routed DMZ
>>>
>>> Hi,
>>>
>>> solution:
>>> Open the Ports described in man 4 ip IP_PORTRANGE_HIGH
>>> referenced by man ftp-proxy or lookup in sysctl net.inet.ip.portrange
>>> like:
>>> net.inet.ip.portrange.hilast: 65535
>>> net.inet.ip.portrange.hifirst: 4915

AW: [pfSense Support] FTP Server in Routed DMZ

2009-01-19 Thread Fuchs, Martin
Hi !

I opened up port 20 for active FTP data from the DMZ now and the upper ports 
defined in the server for passive FTP data from WAN to DMZ...

It works...

Any objections against active FTP data ?

Regards,

martin

-Original Message-
From: Michael Schuh [mailto:michael.sc...@gmail.com]
Sent: Tuesday, January 20, 2009 00:41
To: support@pfsense.com
Subject: Re: [pfSense Support] FTP Server in Routed DMZ

Hmm,
hi martin,

i have made such a config, and i have for me realized, that
i have 2 options
a) ftp-Server w/ ftp-proxy on WAN, IIRC this needs special setup in XML-Config
also result is : i can't use the ftp-proxy on lan interface
I am not 100% sure but i believe i remember that the activation of
ftp-proxy on WAN
is not possible from Browser-User-Interface,

b) open ftp-highrange-ports from wan to ftp-server and you can use
ftp-proxy for users
from lan, if you like to do so

i have used option b) because it is no security risk if no other
services listen on such a port
on the ftp-server-system, the port on the ftp-servers system is only opened if
a ftp-user made a transfer. this behavior underlays the
ftp-protocols features of
PASV switching. Other words active ftp-transfer or passive. this is
handled by the ftp-protocol
between server and each individual client.
with option b) you are on the secure side that every User ( if it has
experiences or not)
can make transfers from and to the ftp-server, regardless of transfer-mode.
Works all the time.

Special attention is only needed if another Service listen on the ports
that you must open for ftp-server ( in almost cases not given).

cheers

michael

2009/1/20 Fuchs, Martin :
> No problem ;-)
>
> Thats the answer i expected...
>
> So there is really no way to accomplish this with some kind of FTP-helper 
> used in pfSense to open up just a few ports... ?
> I really need the whole portrange for FTP to be opened as defined in the 
> FTP-server ?
>
> Thanks so far for your help ;-)
>
> Regards,
>
> martin
>
> -Original Message-
> From: Michael Schuh [mailto:michael.sc...@gmail.com]
> Sent: Tuesday, January 20, 2009 00:27
> To: support@pfsense.com
> Subject: Re: [pfSense Support] FTP Server in Routed DMZ
>
> Hi,
>
> in my possible solution NO, because you use the ftp-server w/o
> Proxy. Communication goes directly to your ftp-server.
> Please checkout also the portranges from your ftp-server
> if it is not an OpenFTPD (used by FreeBSD/OpenBSD). It can differ
> from the ports that i have described. (sorry i have forgotten to say,
> that my tips are related to this ftpd).
>
> The proxy is needed for the users in your holy internal LAN.
>
> 2009/1/20 Fuchs, Martin :
>> Should the FTP-helper service be activated or deactivated on the 
>> WAN-Interface ?
>>
>> -Original Message-
>> From: Michael Schuh [mailto:michael.sc...@gmail.com]
>> Sent: Tuesday, January 20, 2009 00:14
>> To: support@pfsense.com
>> Subject: Re: [pfSense Support] FTP Server in Routed DMZ
>>
>> Hi,
>>
>> solution:
>> Open the Ports described in man 4 ip IP_PORTRANGE_HIGH
>> referenced by man ftp-proxy or lookup in sysctl net.inet.ip.portrange
>> like:
>> net.inet.ip.portrange.hilast: 65535
>> net.inet.ip.portrange.hifirst: 49152
>> net.inet.ip.portrange.last: 65535
>> net.inet.ip.portrange.first: 49152
>>
>> from WAN to your FTP server and all gets fine.
>>
>> regards
>>
>> michael.
>>
>>
>>
>> 2009/1/20 Fuchs, Martin :
>>> Hi !
>>>
>>> I have set up a FTP server in my DMZ with an official IP address.
>>> From WAN -> DMZ the IPs are routed (no NAT).
>>> I opened up port 21 from WAN -> DMZ for FTP but of course I cannot transfer 
>>> any files.
>>> It seems to require some more ports, so I thought the FTP-helper on the 
>>> WAN-side could be helpful, but this also does not work...
>>>
>>> Does anyone have any idea how to set this up without opening this ton of 
>>> ports FTP requires ?
>>>
>>> I know FTP is not the preferred way, but we need this :-(
>>>
>>> I'd be thankful for every hint...
>>>
>>> Active FTP is not really an option because most FTP-clients live behind NAT 
>>> devices so there's the problem of the data-connection again...
>>>
>>> Regards,
>>>
>>> Martin
>>>

AW: [pfSense Support] FTP Server in Routed DMZ

2009-01-19 Thread Fuchs, Martin
No problem ;-)

Thats the answer i expected...

So there is really no way to accomplish this with some kind of FTP-helper used 
in pfSense to open up just a few ports... ?
I really need the whole portrange for FTP to be opened as defined in the 
FTP-server ?

Thanks so far for your help ;-)

Regards,

martin

-Original Message-
From: Michael Schuh [mailto:michael.sc...@gmail.com]
Sent: Tuesday, January 20, 2009 00:27
To: support@pfsense.com
Subject: Re: [pfSense Support] FTP Server in Routed DMZ

Hi,

in my possible solution NO, because you use the ftp-server w/o
Proxy. Communication goes directly to your ftp-server.
Please checkout also the portranges from your ftp-server
if it is not an OpenFTPD (used by FreeBSD/OpenBSD). It can differ
from the ports that i have described. (sorry i have forgotten to say,
that my tips are related to this ftpd).

The proxy is needed for the users in your holy internal LAN.

2009/1/20 Fuchs, Martin :
> Should the FTP-helper service be activated or deactivated on the 
> WAN-Interface ?
>
> -Original Message-
> From: Michael Schuh [mailto:michael.sc...@gmail.com]
> Sent: Tuesday, January 20, 2009 00:14
> To: support@pfsense.com
> Subject: Re: [pfSense Support] FTP Server in Routed DMZ
>
> Hi,
>
> solution:
> Open the Ports described in man 4 ip IP_PORTRANGE_HIGH
> referenced by man ftp-proxy or lookup in sysctl net.inet.ip.portrange
> like:
> net.inet.ip.portrange.hilast: 65535
> net.inet.ip.portrange.hifirst: 49152
> net.inet.ip.portrange.last: 65535
> net.inet.ip.portrange.first: 49152
>
> from WAN to your FTP server and all gets fine.
>
> regards
>
> michael.
>
>
>
> 2009/1/20 Fuchs, Martin :
>> Hi !
>>
>> I have set up a FTP server in my DMZ with an official IP address.
>> From WAN -> DMZ the IPs are routed (no NAT).
>> I opened up port 21 from WAN -> DMZ for FTP but of course I cannot transfer 
>> any files.
>> It seems to require some more ports, so I thought the FTP-helper on the 
>> WAN-side could be helpful, but this also does not work...
>>
>> Does anyone have any idea how to set this up without opening this ton of 
>> ports FTP requires ?
>>
>> I know FTP is not the preferred way, but we need this :-(
>>
>> I'd be thankful for every hint...
>>
>> Active FTP is not really an option because most FTP-clients live behind NAT 
>> devices so there's the problem of the data-connection again...
>>
>> Regards,
>>
>> Martin
>>
>>
>>
>
>
>
> --
> === m i c h a e l - s c h u h . n e t ===
> Michael Schuh
> Postfach 10 21 52
> 66021 Saarbrücken
> phone: 0681/8319664
> mobil:  0177/9738644
> @: m i c h a e l . s c h u h @ g m a i l . c o m
>
> === Ust-ID: DE251072318 ===
>
>
>



-- 
=== m i c h a e l - s c h u h . n e t ===
Michael Schuh
Postfach 10 21 52
66021 Saarbrücken
phone: 0681/8319664
mobil:  0177/9738644
@: m i c h a e l . s c h u h @ g m a i l . c o m

=== Ust-ID: DE251072318 ===




AW: [pfSense Support] FTP Server in Routed DMZ

2009-01-19 Thread Fuchs, Martin
Should the FTP-helper service be activated or deactivated on the WAN-Interface ?

-Original Message-
From: Michael Schuh [mailto:michael.sc...@gmail.com]
Sent: Tuesday, January 20, 2009 00:14
To: support@pfsense.com
Subject: Re: [pfSense Support] FTP Server in Routed DMZ

Hi,

solution:
Open the Ports described in man 4 ip IP_PORTRANGE_HIGH
referenced by man ftp-proxy or lookup in sysctl net.inet.ip.portrange
like:
net.inet.ip.portrange.hilast: 65535
net.inet.ip.portrange.hifirst: 49152
net.inet.ip.portrange.last: 65535
net.inet.ip.portrange.first: 49152

from WAN to your FTP server and all gets fine.

regards

michael.



2009/1/20 Fuchs, Martin :
> Hi !
>
> I have set up a FTP server in my DMZ with an official IP address.
> From WAN -> DMZ the IPs are routed (no NAT).
> I opened up port 21 from WAN -> DMZ for FTP but of course I cannot transfer 
> any files.
> It seems to require some more ports, so I thought the FTP-helper on the 
> WAN-side could be helpful, but this also does not work...
>
> Does anyone have any idea how to set this up without opening this ton of 
> ports FTP requires ?
>
> I know FTP is not the preferred way, but we need this :-(
>
> I'd be thankful for every hint...
>
> Active FTP is not really an option because most FTP-clients live behind NAT 
> devices so there's the problem of the data-connection again...
>
> Regards,
>
> Martin
>
>
>



-- 
=== m i c h a e l - s c h u h . n e t ===
Michael Schuh
Postfach 10 21 52
66021 Saarbrücken
phone: 0681/8319664
mobil:  0177/9738644
@: m i c h a e l . s c h u h @ g m a i l . c o m

=== Ust-ID: DE251072318 ===
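
The passive-mode port question from this thread, as an added example that is not part of any poster's message: a Python check that reads FTP control-channel replies and reports whether each announced data port falls inside the range the firewall passes to the server. The 49152-65535 range is the one quoted above; the sample replies and the 203.0.113.10 server address are constructed, and the EPSV (229) handling goes beyond the PASV case the thread discusses.

```python
"""Audit FTP control-channel replies against a firewall's passive port range.

Added illustration; the replies in SAMPLE_REPLIES are constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Range quoted in the thread (net.inet.ip.portrange.hifirst .. hilast).
PASSIVE_RANGE = (49152, 65535)

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" as defined in RFC 959.
_PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)
# "229 Entering Extended Passive Mode (|||port|)" as defined in RFC 2428.
_EPSV_RE = re.compile(r"^229 .*?\((.)\1\1(\d{1,5})\1\)")


@dataclass(frozen=True)
class DataEndpoint:
    mode: str             # "PASV" or "EPSV"
    host: Optional[str]   # None for EPSV: data goes to the control-channel host
    port: int


def parse_reply(line: str) -> Optional[DataEndpoint]:
    """Return the data endpoint a 227/229 reply announces, else None."""
    line = line.strip()
    if line.startswith("227 "):
        m = _PASV_RE.match(line)
        if m is None:
            raise ValueError(f"malformed 227 reply: {line!r}")
        nums = [int(g) for g in m.groups()]
        if any(n > 255 for n in nums):
            raise ValueError(f"octet out of range in: {line!r}")
        host = ".".join(str(n) for n in nums[:4])
        # The port is sent as two bytes: high byte first, then low byte.
        return DataEndpoint("PASV", host, nums[4] * 256 + nums[5])
    if line.startswith("229 "):
        m = _EPSV_RE.match(line)
        if m is None:
            raise ValueError(f"malformed 229 reply: {line!r}")
        port = int(m.group(2))
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range in: {line!r}")
        return DataEndpoint("EPSV", None, port)
    return None


def audit(replies: Iterable[str], server_ip: str,
          allowed: Tuple[int, int] = PASSIVE_RANGE) -> List[Tuple[str, int, str]]:
    """Classify every announced data endpoint.

    allowed        port is inside the range opened from WAN to the server
    blocked        port is outside it, so the data connection never completes
    host-mismatch  PASV announces an address other than the server's own,
                   which should not happen in a routed (no NAT) DMZ
    """
    lo, hi = allowed
    findings = []
    for line in replies:
        ep = parse_reply(line)
        if ep is None:
            continue
        if ep.host is not None and ep.host != server_ip:
            verdict = "host-mismatch"
        elif lo <= ep.port <= hi:
            verdict = "allowed"
        else:
            verdict = "blocked"
        findings.append((ep.mode, ep.port, verdict))
    return findings


# Constructed server replies, as they would appear on the port 21 connection.
SAMPLE_REPLIES = [
    "220 Service ready",
    "227 Entering Passive Mode (203,0,113,10,192,10)",   # 192*256+10 = 49162
    "227 Entering Passive Mode (203,0,113,10,4,1)",      # 4*256+1    = 1025
    "229 Entering Extended Passive Mode (|||50000|)",
    "227 Entering Passive Mode (10,100,0,5,200,0)",      # wrong address
]

if __name__ == "__main__":
    for mode, port, verdict in audit(SAMPLE_REPLIES, "203.0.113.10"):
        print(f"{mode:4} port {port:5} -> {verdict}")
```

A "blocked" result reproduces the symptom in the original question: the login on port 21 succeeds, but no file transfer starts. Passing a narrower `allowed` tuple shows what happens when the server's own passive range is wider than the rule on the firewall.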




[pfSense Support] FTP Server in Routed DMZ

2009-01-19 Thread Fuchs, Martin
Hi !

I have set up a FTP server in my DMZ with an official IP address.
From WAN -> DMZ the IPs are routed (no NAT).
I opened up port 21 from WAN -> DMZ for FTP but of course I cannot transfer any 
files.
It seems to require some more ports, so I thought the FTP-helper on the 
WAN-side could be helpful, but this also does not work...

Does anyone have any idea how to set this up without opening this ton of ports 
FTP requires ?

I know FTP is not the preferred way, but we need this :-(

I'd be thankful for every hint...

Active FTP is not really an option because most FTP-clients live behind NAT 
devices so there's the problem of the data-connection again...

Regards,

Martin




AW: AW: [pfSense Support] em0: Watchdog timeout -- resetting

2009-01-05 Thread Fuchs, Martin
That's true, but I know some cases where I used Intel cards 1000 MBit and had 
this problem...
Therefore I said "sometimes this helps..." (even a pfsense-system but with a hp 
switch)
Of course it's better to use autodetect, but it's worth a try...

Regards,

Martin

-Original Message-
From: Paul Mansfield [mailto:it-admin-pfse...@taptu.com]
Sent: Monday, January 5, 2009 12:01
To: support@pfsense.com
Subject: Re: AW: [pfSense Support] em0: Watchdog timeout -- resetting


Fuchs, Martin wrote:
> And perhaps try to set the port speed in pfsense AND the switch, e.g. 
> 1000MBit FD...
> Sometimes this helps, too

Once you start setting port speeds to fix rates and duplex you're going
down a long and slippery slope, it's best to avoid it unless there's a
proven good reason!

> -Original Message-
> From: apiase...@midatlanticbb.com [mailto:apiase...@midatlanticbb.com]
> Can't help with your pfsense problem, but it might help to configure 
> this on your switch.
> 
> "spanning-tree portfast" Configured on your cisco switch will change the 
> port to a forwarding state immediately.

this might help hide the symptom of the interface bouncing but isn't
really a cure




AW: [pfSense Support] em0: Watchdog timeout -- resetting

2009-01-04 Thread Fuchs, Martin
And perhaps try to set the port speed in pfsense AND the switch, e.g. 1000MBit 
FD...
Sometimes this helps, too

Regards,

Martin

-Original Message-
From: apiase...@midatlanticbb.com [mailto:apiase...@midatlanticbb.com]
Sent: Sunday, 4 January 2009 04:17
To: support@pfsense.com
Subject: Re: [pfSense Support] em0: Watchdog timeout -- resetting

Can't help with your pfsense problem, but it might help to configure 
this on your switch.

"spanning-tree portfast" Configured on your cisco switch will change the 
port to a forwarding state immediately.

Nathan Eisenberg wrote:
>
> Hello,
>
>  
>
> I am deploying a new set of firewall boxes using PFSense 1.2.1.  These 
> boxes have 4GB of RAM, Intel Quad Core CPUs, and a PCI-E Intel 4 Port 
> 10/100/1000 NIC (em0-3) in addition to the 2 onboard 10/100/1000 NICs 
> (em4-5).
>
>  
>
> The Intel NIC seems to go to pieces whenever load is passed through 
> it; the two onboard NICs do fine.   Since I'm using a Cisco switch, 
> the port takes about 30 seconds to start forwarding packets after the 
> issue passes.  I've seen this on my home PFSense box, as well 
> (completely different hardware config), but since I'm not using a 
> Cisco switch at home, I don't notice its effects as severely.
>
>  
>
> The error I am seeing is "em0: Watchdog Timeout -- Resetting", which 
> seems to have several root causes.  I have tried disabling ACPI, both 
> in the BIOS, and in the bootloader.  I have disabled all nonessential 
> devices in the BIOS (except USB), and swapped all cables out (they're 
> all brand new CAT6).  The problem occurs if em0 is connected to a 
> switch, or to my laptop via crossover.  After three hours of Googling, 
> I am stumped.
>
>  
>
> Help?
>
>  
>
> dmesg follows (although em0 and em1 have been replaced with em4 and 
> em5 temporarily).
>
>  
>

AW: AW: [pfSense Support] pfsense 1.3

2008-09-21 Thread Fuchs, Martin
You can create the certs in the web-gui and import and export and download 
complete openvpn package with certs and and and...

Everything you can imagine ;-)

-Original Message-
From: Joe Laffey [mailto:[EMAIL PROTECTED]
Sent: Sunday, 21 September 2008 19:24
To: 'support@pfsense.com'
Subject: Re: AW: [pfSense Support] pfsense 1.3

On Sun, 21 Sep 2008, Fuchs, Martin wrote:

> And yes... Certificates will be possible over web :-)

Out of curiosity, what do we mean by certificates over web? Right now we
can paste the certs for the server into the openvpn settings.

Is this referring to the client somehow?

Thanks,

--
Joe Laffey|   Visual Effects for Film and Video
LAFFEY Computer Imaging   | -
St. Louis, MO |   Show Reel http://LAFFEY.tv/?e11845
USA   | -
. |-*- Digital Fusion Plugins -*-
--




AW: [pfSense Support] pfsense 1.3

2008-09-21 Thread Fuchs, Martin
And yes... Certificates will be possible over web :-)

-Original Message-
From: Eugen Leitl [mailto:[EMAIL PROTECTED]
Sent: Sunday, 21 September 2008 14:51
To: support@pfsense.com
Subject: Re: [pfSense Support] pfsense 1.3

On Sun, Sep 21, 2008 at 02:49:05PM +0200, Mikel Jimenez wrote:

> more or less? months? years?

Your guess is as good as mine but I'd expect 1.3 in a year or two.
1.2.1 should be ready in a couple of months.

--
Eugen* Leitl leitl http://leitl.org
__
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE




AW: [pfSense Support] Trouble with NAT states

2008-09-05 Thread Fuchs, Martin
Hi !

We're currently working on this afaik...

Regards,

Martin

-Original Message-
From: Fridtjof Busse [mailto:[EMAIL PROTECTED]
Sent: Friday, 5 September 2008 10:52
To: support@pfsense.com
Subject: [pfSense Support] Trouble with NAT states

Hi,

I'm running pfSense 1.2-RELEASE and have a problem with NAT-states:
My ISP disconnects the PPPoE every 24h and upon reconnect, I get a new
IP address. pfSense reconnects just fine, but the old NAT-states are
still there. Now the applications using those states (mostly keepalive)
cannot communicate any longer, as the mapping is for the old IP-address
and packets are leaving the router with wrong addresses.
Until I remove the state causing the problem, my applications stay
offline. After flushing the states, everything works until the next
reconnect.
I was under the impression this problem was already solved with 1.2.

What is the best way to flush the rules upon reconnect? Custom script
in /usr/local/sbin/ppp-linkup? Or did I miss something in the GUI?

Thanks.
--
Fridtjof Busse




AW: [pfSense Support] Squid Help

2008-08-24 Thread Fuchs, Martin
Have a look at the access control tab...
You can configure it all there...

-Original Message-
From: Ronald L. Rosson Jr. [mailto:[EMAIL PROTECTED]
Sent: Sunday, 24 August 2008 21:24
To: support@pfsense.com
Subject: [pfSense Support] Squid Help

I have recently added squid to my pfsense gateway and have it
configured in transparent mode. One of the things I like to do in
moving forward is that I would like to limit one host on what it can
access through the proxy. I am open to instructions on how this can be
accomplished.

TIA
-Ron
--
Ron Rosson
[EMAIL PROTECTED]
http://blog.oneinsane.net




AW: AW: [pfSense Support] filesystem runs out of space

2008-08-22 Thread Fuchs, Martin
Jep, thanks a lot !

There were no big files...

Just a reboot of the box and the usage was not 94% but 0 %...

Strange, but true ;-)

Regards,

Martin

-Original Message-
From: Chris Buechler [mailto:[EMAIL PROTECTED]
Sent: Friday, 22 August 2008 17:32
To: support@pfsense.com
Subject: Re: AW: [pfSense Support] filesystem runs out of space

On Fri, Aug 22, 2008 at 10:59 AM, David Meireles <[EMAIL PROTECTED]> wrote:
> you can use the switch "-h" (human readable). Also, try the following
> combination, and increase the value at your taste
>
> du -h --max-depth=1
>

Which is the same as du -hd1 that I suggested.  :)




AW: [pfSense Support] filesystem runs out of space

2008-08-22 Thread Fuchs, Martin
Cool !

Thanks a lot !


-Original Message-
From: Chris Buechler [mailto:[EMAIL PROTECTED]
Sent: Friday, 22 August 2008 15:10
To: support@pfsense.com
Subject: Re: [pfSense Support] filesystem runs out of space

On Fri, Aug 22, 2008 at 8:33 AM, Fuchs, Martin
<[EMAIL PROTECTED]> wrote:
> Hi !
>
> At one of my systems I have a strange issue, the file-system runs out of 
> space...
> So is there the possibility to have some "ls" combination or else that can 
> check for the biggest files in the fs instead of having me to search in 
> thousands of directories ?
>

Try 'cd / && du -hd1'  You can drill down into further directories from there.




[pfSense Support] AW: filesystem runs out of space

2008-08-22 Thread Fuchs, Martin
I made a df, it shows:

Filesystem  1K-blocks     Used   Avail Capacity  Mounted on
/dev/da0s1a  30376810 26361244 1585422    94%    /
devfs               1        1       0   100%    /dev
/dev/md0         1710       34    1540     2%    /var/run
devfs               1        1       0   100%    /var/dhcpd/dev
can that be ?

i have NO packages installed...

-Original Message-
From: Fuchs, Martin [mailto:[EMAIL PROTECTED]
Sent: Friday, 22 August 2008 14:34
To: 'support@pfsense.com'
Subject: [pfSense Support] filesystem runs out of space

Hi !

At one of my systems I have a strange issue, the file-system runs out of 
space...
So is there the possibility to have some "ls" combination or else that can 
check for the biggest files in the fs instead of having me to search in 
thousands of directories ?

Thanks,

martin

-Original Message-
From: Paul Mansfield [mailto:[EMAIL PROTECTED]
Sent: Friday, 22 August 2008 13:41
To: support@pfsense.com
Subject: Re: [pfSense Support] OpenVPN firewall rules

Chris Buechler wrote:
> On Thu, Aug 21, 2008 at 12:06 PM, Curtis LaMasters
> <[EMAIL PROTECTED]> wrote:
>> Sure  you can.
>
> Outbound only, traffic coming in over OpenVPN is automatically allowed in 1.2.

thanks, that's what I meant.




[pfSense Support] filesystem runs out of space

2008-08-22 Thread Fuchs, Martin
Hi !

At one of my systems I have a strange issue, the file-system runs out of 
space...
So is there the possibility to have some "ls" combination or else that can 
check for the biggest files in the fs instead of having me to search in 
thousands of directories ?

Thanks,

martin

-Original Message-
From: Paul Mansfield [mailto:[EMAIL PROTECTED]
Sent: Friday, 22 August 2008 13:41
To: support@pfsense.com
Subject: Re: [pfSense Support] OpenVPN firewall rules

Chris Buechler wrote:
> On Thu, Aug 21, 2008 at 12:06 PM, Curtis LaMasters
> <[EMAIL PROTECTED]> wrote:
>> Sure  you can.
>
> Outbound only, traffic coming in over OpenVPN is automatically allowed in 1.2.

thanks, that's what I meant.




AW: AW: [pfSense Support] OpenVPN Server & Client

2008-07-30 Thread Fuchs, Martin
Yepp... i mean the dynamic sourceport option...
try to check it to select a dynamic sourceport so the 1194 port should not be 
in use then...
with ifconfig i have 3 tun interfaces for 3 openvpn instances...

From: David Meireles [EMAIL PROTECTED]
Sent: Wednesday, 30 July 2008 13:05
To: support@pfsense.com
Subject: Re: AW: [pfSense Support] OpenVPN Server & Client

You mean "Dynamic sourceport" option on the client configuration? That
option is not checked, I can try that, but only later, when all the road
warriors go home. But Martin, if you do an ifconfig, how many tun
interfaces do you have?

Fuchs, Martin wrote:
> Hi, David !
>
> I have client and servermode working with pfsense on one system and it
> works like a charm...
> My server is running on UDP/1194 and the clients (2 of them) are
> running on UDP/dynamic port...
>
> no problem with it at all...
>
> Please recheck your config and make sure the OpenVPN services are not
> using the same ports.
> Further check /status.php if there really is only one
> tun-interface... should be one for each service...
>
> which version are you running ?
> you should at least update to *1.2-RELEASE *built on Sun Feb 24
> 17:13:15 EST 2008 ...
>
> good luck,
>
> Martin
> 
> *From:* David Meireles [EMAIL PROTECTED]
> *Sent:* Wednesday, 30 July 2008 12:23
> *To:* support@pfsense.com
> *Subject:* Re: [pfSense Support] OpenVPN Server & Client
>
> Yes, but I want to use a pfsense box to act both as OpenVPN Server and
> OpenVPN Client. For example, the box is now acting as a server,
> although I have the client connection to site X configured, but not
> enabled... If I enable this connection, I immediately lose the Server,
> because both are using the same interface (tun0). Isn't there a way to
> use, maybe, tun0 for server and tun1 for client!?
>
> Paul Mansfield wrote:
> > David Meireles wrote:
> >> noticed I couldn't use the same box for this, because there was only
> >> ONE tun device, and it would be used for whatever service (the openvpn
> >
> >
> > you can have as many openvpn servers running as you like, just give
> > each one its own port. they can each have entirely different
> > configurations, some using shared key. some on x509 cert authentication.
> >




AW: [pfSense Support] OpenVPN Server & Client

2008-07-30 Thread Fuchs, Martin
Hi, David !

I have client and servermode working with pfsense on one system and it works 
like a charm...
My server is running on UDP/1194 and the clients (2 of them) are running on 
UDP/dynamic port...

no problem with it at all...

Please recheck your config and make sure the OpenVPN services are not using the 
same ports.
Further check /status.php if there really is only one 
tun-interface... should be one for each service...

which version are you running ?
you should at least update to 1.2-RELEASE built on Sun Feb 24 17:13:15 EST 2008 
...

good luck,

Martin

From: David Meireles [EMAIL PROTECTED]
Sent: Wednesday, 30 July 2008 12:23
To: support@pfsense.com
Subject: Re: [pfSense Support] OpenVPN Server & Client

Yes, but I want to use a pfsense box to act both as OpenVPN Server and
OpenVPN Client. For example, the box is now acting as a server,
although I have the client connection to site X configured, but not
enabled... If I enable this connection, I immediately lose the Server,
because both are using the same interface (tun0). Isn't there a way to
use, maybe, tun0 for server and tun1 for client!?

Paul Mansfield wrote:
> David Meireles wrote:
>> noticed I couldn't use the same box for this, because there was only
>> ONE tun device, and it would be used for whatever service (the openvpn
>
>
> you can have as many openvpn servers running as you like, just give
> each one its own port. they can each have entirely different
> configurations, some using shared key. some on x509 cert authentication.
>




[pfSense Support] AW: [SPAM] Re: [pfSense Support] OpenVPN::Muitiple Clients

2008-07-22 Thread Fuchs, Martin
Try to add the following to your clients config:

ping 10
ping-restart 60

that should help...

regards and good luck...


martin

-Original Message-
From: Diego A. Gomez [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 22 July 2008 17:20
To: support@pfsense.com
Subject: [SPAM] Re: [pfSense Support] OpenVPN::Muitiple Clients

I see like a timeout problem...

[Finish of client A]

Tue Jul 22 12:07:48 2008 TUN/TAP device tun0 opened
Tue Jul 22 12:07:48 2008 TUN/TAP TX queue length set to 100
Tue Jul 22 12:07:48 2008 ifconfig tun0 10.12.0.6 pointopoint 10.12.0.5 mtu 1500
Tue Jul 22 12:07:48 2008 route add -net 192.168.20.0 netmask
255.255.255.0 gw 10.12.0.5
Tue Jul 22 12:07:48 2008 route add -net 10.20.0.2 netmask
255.255.255.255 gw 10.12.0.5
Tue Jul 22 12:07:48 2008 GID set to nogroup
Tue Jul 22 12:07:48 2008 UID set to nobody
Tue Jul 22 12:07:48 2008 Initialization Sequence Completed

[Then of 1, or 2 minutes... the same client A]

Tue Jul 22 12:09:48 2008 [xxx.xxx.com] Inactivity timeout
(--ping-restart), restarting
Tue Jul 22 12:09:48 2008 TCP/UDP: Closing socket
Tue Jul 22 12:09:48 2008 SIGUSR1[soft,ping-restart] received, process restarting
Tue Jul 22 12:09:48 2008 Restart pause, 2 second(s)
Tue Jul 22 12:09:50 2008 WARNING: No server certificate verification
method has been enabled.  See http://openvpn.net/howto.html#mitm for
more info.
Tue Jul 22 12:09:50 2008 Re-using SSL/TLS context
Tue Jul 22 12:09:50 2008 LZO compression initialized

If I have only 1 client, all work fine.
There aren't bandwidth problems...

Thanks!

--
Diego.-

2008/7/22 Curtis LaMasters <[EMAIL PROTECTED]>:
> Are you getting an error message?  Could you put up your client logs for us
> to see.
>
>
> Curtis LaMasters
> http://www.curtis-lamasters.com
> http://www.builtnetworks.com
>
>



--
Diego.-
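
An added example, not part of the thread: one way to check a client log like the one quoted above for the two things it shows, a tunnel that comes up and is then torn down by the inactivity timeout, and the warning that no server certificate verification is enabled. The function names and the `flap_threshold` parameter are hypothetical; the sample is constructed from the log lines in the post, including the mail-wrapped continuation lines.

```python
import re
from datetime import datetime

# Constructed sample: log lines taken from the post above, with the wrapped
# continuation lines left exactly as the mail client broke them.
SAMPLE_LOG = """\
Tue Jul 22 12:07:48 2008 TUN/TAP device tun0 opened
Tue Jul 22 12:07:48 2008 route add -net 192.168.20.0 netmask
255.255.255.0 gw 10.12.0.5
Tue Jul 22 12:07:48 2008 Initialization Sequence Completed
Tue Jul 22 12:09:48 2008 [xxx.xxx.com] Inactivity timeout
(--ping-restart), restarting
Tue Jul 22 12:09:48 2008 SIGUSR1[soft,ping-restart] received, process restarting
Tue Jul 22 12:09:50 2008 WARNING: No server certificate verification
method has been enabled.  See http://openvpn.net/howto.html#mitm for
more info.
Tue Jul 22 12:09:50 2008 Re-using SSL/TLS context
"""

# OpenVPN's default log prefix, e.g. "Tue Jul 22 12:07:48 2008 ".
TS_RE = re.compile(r"^(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) (.*)$")
TS_FMT = "%a %b %d %H:%M:%S %Y"


def parse_records(text):
    """Return [(datetime, message)], folding wrapped lines into their record."""
    records = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        match = TS_RE.match(line)
        if match:
            stamp = datetime.strptime(match.group(1), TS_FMT)
            records.append([stamp, match.group(2)])
        elif records:
            # No timestamp: continuation of the previous (wrapped) message.
            records[-1][1] += " " + line.strip()
    return [(stamp, msg) for stamp, msg in records]


def analyse(text, flap_threshold=300):
    """Summarise tunnel stability and certificate-verification warnings.

    flap_threshold (hypothetical parameter): a session that ends in an
    inactivity restart sooner than this many seconds counts as flapping.
    """
    report = {
        "sessions": [],                        # uptime in seconds per session
        "no_server_cert_verification": False,  # MITM warning seen in the log
        "flapping": False,
    }
    up_since = None
    for stamp, msg in parse_records(text):
        if "Initialization Sequence Completed" in msg:
            up_since = stamp
        elif "Inactivity timeout (--ping-restart)" in msg:
            if up_since is not None:
                uptime = int((stamp - up_since).total_seconds())
                report["sessions"].append(uptime)
                up_since = None
        elif "No server certificate verification method" in msg:
            report["no_server_cert_verification"] = True
    report["flapping"] = any(s < flap_threshold for s in report["sessions"])
    return report


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for uptime in result["sessions"]:
        print("session dropped by ping-restart after %d s" % uptime)
    if result["no_server_cert_verification"]:
        print("client does not verify the server certificate")
    print("flapping:", result["flapping"])
```

On the sample it reports one session that lasted 120 seconds before the inactivity restart and flags the certificate-verification warning; OpenVPN stops printing that warning once the client config checks the server certificate's role, for example with `remote-cert-tls server` (or `ns-cert-type server` on older releases).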




AW: [pfSense Support] OpenVPN::Muitiple Clients

2008-07-22 Thread Fuchs, Martin
Hi, Diego !

1.) try the Dynamic IP-option for DHCP-clients
2.) use an address pool that is big enough for all users
3.) use different certs and everything for each user
4.) have the Maximum clients option set for enough users

then it should work...

regards,

Martin

From: Diego A. Gomez [EMAIL PROTECTED]
Sent: Tuesday, 22 July 2008 06:18
To: support@pfsense.com
Subject: [pfSense Support] OpenVPN::Muitiple Clients

I have a OpenVPN Server (with PfSense)

I'm using pki-auth.

My problem is that I can't connect 2 users at same time. When user
"A" connects itself, user "B" is disconnected. Both users can't be
connected at same time (both users have different certs). What can be
the problem?

Thanks!

--
Diego.-





AW: [pfSense Support] Selling Net4501 and Net4801

2008-07-11 Thread Fuchs, Martin
No problem... just for clarification ;-)

-Original Message-
From: Anders Dahl [mailto:[EMAIL PROTECTED]
Sent: Friday, 11 July 2008 09:39
To: support@pfsense.com
Subject: SV: [pfSense Support] Selling Net4501 and Net4801

I'm sorry no. It's only net4801 and net4501

net4801: 233 Mhz CPU, 128 Mbyte SDRAM, 3 Ethernet, 1 serial, USB connector,
CF socket, 44 pins IDE connector, 1 Mini-PCI socket, 3.3V PCI connector.

net4501: 133 Mhz CPU, 64 Mbyte SDRAM, 3 Ethernet, 1 Serial, CF socket, 1
Mini-PCI socket, 3.3V PCI connector.

Anders

-Original Message-
From: Fuchs, Martin [mailto:[EMAIL PROTECTED]
Sent: 11 July 2008 09:33
To: 'support@pfsense.com'
Subject: AW: [pfSense Support] Selling Net4501 and Net4801

Net4801-60 ?

Regards,

Martin

-Original Message-
From: Anders Dahl [mailto:[EMAIL PROTECTED]
Sent: Friday, 11 July 2008 09:26
To: support@pfsense.com
Subject: [pfSense Support] Selling Net4501 and Net4801

Hi all

I have some Soekris Net4501 and Net4801 leftover. Since I'm using both
pfsense and monowall, I thought that I would try and sell them here, and
then donate the money to both teams, and thereby give you a chance to
contribute as well...

They come with a CF-card of various sizes, but with no power supply.

The shipping cost will be between 35$ and 45$ depending on the destination.

Is anyone interested?

Kind regards

Anders





AW: [pfSense Support] Selling Net4501 and Net4801

2008-07-11 Thread Fuchs, Martin
Net4801-60 ?

Regards,

Martin

-Original Message-
From: Anders Dahl [mailto:[EMAIL PROTECTED]
Sent: Friday, 11 July 2008 09:26
To: support@pfsense.com
Subject: [pfSense Support] Selling Net4501 and Net4801

Hi all

I have some Soekris Net4501 and Net4801 leftover. Since I'm using both
pfsense and monowall, I thought that I would try and sell them here, and
then donate the money to both teams, and thereby give you a chance to
contribute as well...

They come with a CF-card of various sizes, but with no power supply.

The shipping cost will be between 35$ and 45$ depending on the destination.

Is anyone interested?

Kind regards

Anders





AW: [pfSense Support] SSL VPN

2008-07-08 Thread Fuchs, Martin
Watchguard also has some "SSL-VPN" and I know the sales-man entering the boss' 
office...

But pfSense won...

We use OpenVPN cause the boss looks at the bucks it costs... and that was the 
argument :-)

Try OpenVPN on pfSense... you'll love it...

Only thing with WatchGuard: it uses SSL-VPN via browser... some kind like 
SSL-Explorer...

If your boss likes that, try the SSL-Explorer Community edition...

Regards,

Martin

-Original Message-
From: Michel Servaes [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 8 July 2008 21:57
To: support@pfsense.com
Subject: Re: [pfSense Support] SSL VPN

I totally agree with you, but you know what happens if an external IT
man enters your office, and tells your boss that a solution like Juniper
is better than anything else...
So I am going to use your comments to discourage this kind of use... I
still like to have control of what comes in, and what goes out.

I haven't enabled OpenVPN on my pfSense... I have no knowledge about
OpenVPN.
I only use IPSEC for endpoint to endpoint, and PPTP for mobile
solutions, or collegues who don't have an out-of-the box VPN capable
router at home.

Thank you for your response already ;)



RB wrote:
>> Does pfSense offer an alternative to the Juniper SSL VPN solutions ?
>>
> 
> It is unfortunate that Juniper seems to have somewhat subverted the
> meaning of the phrase "SSL VPN".  IMO, the nomenclature indicates a
> VPN that uses SSL for its authentication and encryption as opposed to,
> say, IKE and ESP.  It has nothing to do with whether the technology is
> browser-based or not.  OpenVPN is a _very_ good SSL VPN implementation
> that requires no GUI components whatsoever, even though there are good
> GUI clients written for it.
>
> Furthermore, the "clientless" VPN solutions reduce the operator's
> control over the endpoints, degrading the overall security of the
> system.  Some solutions attempt mitigating controls, but you can't
> change the fact that you're allowing rather arbitrarily secured
> machines to utilize your resources.  Of course, if you don't plan to
> vet the systems clients will be using (when issuing certificates or
> the like), that doesn't matter much.
> 
>
> That said, pfSense does not offer what you are looking for.  Your best
> bet to implement precisely that would probably be to purchase a
> solution like SSL Explorer (still cheaper than a Juniper) and run it
> on a dedicated machine in a DMZ off of pfSense with limited access in
> & out.
>
>
> RB
>




AW: [pfSense Support] Wanted: Tips for a VLAN capable switch (for home use)

2008-06-12 Thread Fuchs, Martin
get a hp procurve 1800-24g

it's passive (without fans)

it's about 350 $

regards,

Martin

From: Ryan L. Faircloth [EMAIL PROTECTED]
Sent: Thursday, 12 June 2008 04:33
To: support@pfsense.com
Subject: RE: [pfSense Support] Wanted: Tips for a VLAN capable switch (for home use)

I use HP Procurve 2626 switches around 350 on ebay most days

From: Nelson Papel [mailto:[EMAIL PROTECTED]
Sent: Monday, June 09, 2008 2:28 AM
To: support@pfsense.com
Subject: RE: [pfSense Support] Wanted: Tips for a VLAN capable switch (for home 
use)

A Nortel Baystack 450-24, they are dirt cheap on Ebay ($15-30).  I used one for 
a couple years with no faults.

Also the Cisco 2924 and 2950, but those are a bit pricier.


From: Victor Padro [mailto:[EMAIL PROTECTED]
Sent: Monday, June 09, 2008 0:46
To: support@pfsense.com
Subject: Re: [pfSense Support] Wanted: Tips for a VLAN capable switch (for home 
use)

I'm about to buy one myself, cos my old 1900 Catalyst can't handle VLANs 
properly.

Anyone has experienced 3com baseline 2226 switch?

I was even thinking of getting the Linksys SLM2008 for its cheap price, any 
suggestions?



P.S. here in mexico I can't find the HP Procurve switches for less than 560 dls.


Saludos.

Victor.
On Fri, May 30, 2008 at 7:31 AM, Espen Johansen <[EMAIL PROTECTED]> wrote:
Not for those switches they are EOL and you can get it with any cisco login.

On Thu, May 29, 2008 at 11:11 AM, Paul Mansfield <[EMAIL PROTECTED]> wrote:
Espen Johansen wrote:
all. And most of them come with Enterprise Image (if you need the newest image, 
email me offlist and I'll get it for you.

erm, IOS updates are a commercial service from Cisco, so it's probably not a 
wise move to offer this kind of "help" on a public mailing list!






AW: [pfSense Support] Where do I put squid ?

2008-05-11 Thread Fuchs, Martin
Try this:

Add a portforward at interface LAN, external address any (not interface address), 
protocol TCP, external port range 80, NAT IP proxy at OPTx, local port 80. 
Save, apply.

Hope, it works,

Martin
-Original Message-
From: Mike Lever [mailto:[EMAIL PROTECTED]
Sent: Sunday, 11 May 2008 21:57
To: support@pfsense.com
Subject: RE: [pfSense Support] Where do I put squid ?

Thanks David ! Bear in mind that I am using it as a transparent proxy. Surely I 
must set some rules on the firewall to route all http traffic to the squid box 
and back to the pfsense box ?

Mike Lever

Tenacity Films (Pty) Ltd
t/a Velocity Films
(t) +2711-807-0100
(f) +2711-807-1208


-Original Message-
From: "David Meireles" <[EMAIL PROTECTED]>
To: support@pfsense.com
Sent: 08-05-11 21:27
Subject: RE: [pfSense Support] Where do I put squid ?

Ok, on the DHCP Server you have as gateway the squid server, and the
squid server will have as gateway the pfsense IP (that way you won't
need to have 2 interfaces on the squid server, since it's all in the
same subnet). About the rules, use only the squid server to apply the
squid rules, and the rest, leave it on the pfsense (port blocking and
stuff).

Sun, 2008-05-11 at 21:19 +0200, Mike Lever wrote:

> Done that, but where I was battling was setting IP addresses on the pfsense 
> interface (the squid is static) what do I set as the ip address and gateway ? 
> Also how do I configure the firewall rules ? 
> 
> Any ideas there ?
> 
> Mike Lever
> 
> Tenacity Films (Pty) Ltd
> t/a Velocity Films
> (t) +2711-807-0100
> (f) +2711-807-1208
> 
> 
> -Original Message-
> From: "David Meireles" <[EMAIL PROTECTED]>
> To: support@pfsense.com
> Sent: 08-05-11 20:18
> Subject: RE: [pfSense Support] Where do I put squid ?
> 
> Just setup the pfSense DHCP Server to use the squid box as gateway
> address.
> 
> Sun, 2008-05-11 at 15:23 +0200, Mike Lever wrote:
> 
> > Hi Dean , 
> > 
> > Thanks for the feedback, so are you suggesting I only use 1 NIC for the
> > squid box ? as opposed to 2, 1 coming IN from the Pfsense / internal network
> > and 1 going BACK to the Pfsense. 
> > 
> > Regards,
> >  
> > 
> > Mike Lever
> >  
> > Tenacity Films (Pty) Ltd t/a
> > Velocity Films
> >  
> > (T) +2711-807-0100
> > (F) 086-681-7518
> > 
> > http://www.velocityfilms.com
> >  
> > 
> > CONFIDENTIALITY CAUTION: If you have received this communication in error,
> > please note that it is intended for the addressee only, is privileged and
> > confidential and dissemination or copying prohibited. Please notify us
> > immediately by e-mail and return the original message. Thank you.
> >  
> > 
> > -Original Message-
> > From: Dean Larson [mailto:[EMAIL PROTECTED] 
> > Sent: 11 May 2008 01:28 PM
> > To: support@pfsense.com
> > Subject: RE: [pfSense Support] Where do I put squid ?
> > 
> > 
> > i think it would be cool to route http traffic to the squid box, but put a
> > rule just in front of it to allow your squid box to go out the firewall.  for
> > security i would not allow a second nic to go out the squid box onto the
> > internet.  
> > 
> > i myself set up the browsers manually for the squid box.  at another gig i
> > had, we put a file on a server that gave the browser setting: included proxy
> > settings as well as browser bypass for local browsing.  it's been a while,
> > so i'd have to do some digging through my old files.  : i'm a bit brain dead
> > today
> > 
> > 
> > 
> > > From: [EMAIL PROTECTED]
> > > To: support@pfsense.com
> > > Date: Sun, 11 May 2008 10:25:14 +0200
> > > Subject: [pfSense Support] Where do I put squid ? 
> > > 
> > > I've got Pfsense running on one box going out to 5 DSL WAN Ports. I have now
> > > setup a squid box running separately. I would like to run it as a
> > > transparent proxy on my network. How do you suggest I set it up ? 
> > > 
> > > Do I put another NIC in the squid box, then setup a firewall rule to route
> > > all http traffic to the squid box / gateway and then load balance the squid
> > > box's traffic out ? 
> > > 
> > > The Pfsense box IP = 10.0.0.3
> > > Squid IP = 10.0.0.197  
> > > 
> > > Regards,
> > > 
> > > 
> > > Mike Lever
> > > 
> > > Tenacity Films (Pty) Ltd t/a
> > > Velocity Films
> > > 
> > > (T) +2711-807-0100
> > > (F) 086-681-7518
> > > 
> > > http://www.velocityfilms.com
> > > 

AW: [pfSense Support] Squid transparent proxy and Vista

2008-05-04 Thread Fuchs, Martin
Cannot test this due to lack of vista... but why should the mtu not work when 
it works with all other os ?
And the question: does it make sense to enable or disable http pass thru, when 
squid is enabled in transparent mode ?

-Original Message-
From: Xhark [mailto:[EMAIL PROTECTED] 
Sent: Saturday, 3 May 2008 22:08
To: support@pfsense.com
Subject: Re: [pfSense Support] Squid transparent proxy and Vista

change the MTU (lower)
- Original Message - 
From: "Fuchs, Martin" <[EMAIL PROTECTED]>
To: 
Sent: Saturday, May 03, 2008 3:31 PM
Subject: [pfSense Support] Squid transparent proxy and Vista


Hi all !

I have a strange issue:

A friend of mine has Windows Vista. On the pfSense i have enabled squid
in transparent mode and http (TCP/80) switched OFF in firewall-rules
LAN->WAN.

Windows XP has no issues, everything works fine...
Windows Vista tells us to have no internet connection. It detects the
gateway and tells it has no connection to the WWW.

When enabling http (TCP/80) LAN->WAN (and squid in transparent mode)
Vista detects the WWW-connection.

If I understand it right, I do not need http LAN-> WAN if I have squid
in transparent mode (listening on port 80 on LAN pfSense interface),
correct ? Or does it make sense to have tcp/80 allowed/passed thru the
firewall from LAN->WAN if squid transparent is active ?

What do you mean ?

Regards,

Martin


[pfSense Support] Squid transparent proxy and Vista

2008-05-03 Thread Fuchs, Martin
Hi all !

I have a strange issue:

A friend of mine has Windows Vista. On the pfSense i have enabled squid
in transparent mode and http (TCP/80) switched OFF in firewall-rules
LAN->WAN.

Windows XP has no issues, everything works fine...
Windows Vista tells us to have no internet connection. It detects the
gateway and tells it has no connection to the WWW.

When enabling http (TCP/80) LAN->WAN (and squid in transparent mode)
Vista detects the WWW-connection.

If I understand it right, I do not need http LAN-> WAN if I have squid
in transparent mode (listening on port 80 on LAN pfSense interface),
correct ? Or does it make sense to have tcp/80 allowed/passed thru the
firewall from LAN->WAN if squid transparent is active ?

What do you mean ?

Regards,

Martin


AW: [pfSense Support] PPPoE gets disconnected on WAN port

2008-04-16 Thread Fuchs, Martin
I suggest you use Intel NICs... they work very well right out of the box...

-Original Message-
From: Tortise [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, 16 April 2008 21:41
To: support@pfsense.com
Subject: Re: [pfSense Support] PPPoE gets disconnected on WAN port

Also what are you guys respective NIC's brand, model and chip?
Kind regards
David Hingston 


AW: [pfSense Support] Filtering OpenVPN Road Warrior Clients

2008-04-05 Thread Fuchs, Martin
In 1.3 it will be possible…

 

From: Jared B. Griffith [mailto:[EMAIL PROTECTED] 
Sent: Saturday, 5 April 2008 03:38
To: support@pfsense.com
Subject: [pfSense Support] Filtering OpenVPN Road Warrior Clients

 

Is it possible to filter OpenVPN Road Warrior clients on the 1.2 Release?
If not, is it going to be possible and when?

-- 
- Thank you,
- Jared B. Griffith
- Farheap Solutions, Inc.
- Lead Systems Administrator
- California IT Department
- Email - [EMAIL PROTECTED]
- Phone - 949.417.1500 ext. 266
- Cell Phone - 949.910.6542



AW: [pfSense Support] openvpn tunnel using public ip's from 1 side

2008-04-03 Thread Fuchs, Martin
Else... if you want to use this with release 1.2 have a look at 
pfsense.trendchiller.com...

There's an update script... it downloads the patches to your full-install...

Regards,

Martin

-Original Message-
From: Fuchs, Martin [mailto:[EMAIL PROTECTED] 
Sent: Thursday, 3 April 2008 22:43
To: support@pfsense.com
Subject: AW: [pfSense Support] openvpn tunnel using public ip's from 1 side

Fix for this committed to cvs...

RELENG and HEAD

-Original Message-
From: Graham Beneke [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, 2 April 2008 15:47
To: support@pfsense.com
Subject: Re: [pfSense Support] openvpn tunnel using public ip's from 1 side

Curtis LaMasters wrote:
> I know with OpenVPN you can use 'push "redirect-gateway"' but I'm not 
> sure if pfSense can implement this.
> 

You can add any of the valid server OpenVPN config directives into the 
"Custom options" box at the bottom of the GUI page.


-- 
Graham Beneke
Apolix Internet Services
E-Mail/MSN/Jabber: [EMAIL PROTECTED]   Skype: grbeneke
VoIP: 087-750-5696   Cell: 082-432-1873
http://www.apolix.co.za/


AW: [pfSense Support] openvpn tunnel using public ip's from 1 side

2008-04-03 Thread Fuchs, Martin
Fix for this committed to cvs...

RELENG and HEAD

-Original Message-
From: Graham Beneke [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, 2 April 2008 15:47
To: support@pfsense.com
Subject: Re: [pfSense Support] openvpn tunnel using public ip's from 1 side

Curtis LaMasters wrote:
> I know with OpenVPN you can use 'push "redirect-gateway"' but I'm not 
> sure if pfSense can implement this.
> 

You can add any of the valid server OpenVPN config directives into the 
"Custom options" box at the bottom of the GUI page.


-- 
Graham Beneke
Apolix Internet Services
E-Mail/MSN/Jabber: [EMAIL PROTECTED]   Skype: grbeneke
VoIP: 087-750-5696   Cell: 082-432-1873
http://www.apolix.co.za/


AW: AW: [pfSense Support] IP Aliases

2008-03-03 Thread Fuchs, Martin
Well, no... we have a GW: 62.x.56.41 and the IPs 62.xx.56.42-50

I use PArp, sorry, no CARP, but Proxy-Arp and have these IPs possible for 
natting and else...

-Original Message-
From: Paulo Almeida [mailto:[EMAIL PROTECTED] 
Sent: Monday, 3 March 2008 15:42
To: support@pfsense.com
Subject: Re: AW: [pfSense Support] IP Aliases


> With CARP it's working here :-)

Tell me please if your 8 public IPs are in the same
subnet as the real IP of the WAN interface.

In your environment, the IP of the WAN interface is 195.22.21.
and the public IPs are in 195.22.20. Not in the same subnet.
The pfSense manual says that "...the virtual ip addresses fall within
the same subnet of an ip address defined on real interface
(wan, lan, opt1, vlan, etc.)."

So, I think that it is not possible to apply our configuration on
pfSense. Is this correct?

Regards,
Paulo Almeida




-- 
Escola Superior de Enfermagem do Porto
Rua Dr. António Bernardino de Almeida
4200-072 Porto - Portugal
Tel: +351 22 5073500 - Fax: +351 22 5096337
http://portal.esenf.pt



AW: [pfSense Support] IP Aliases

2008-03-03 Thread Fuchs, Martin
With CARP it's working here :-)

Ok, we just have 8 IPs but more should also be suitable...

-Original Message-
From: Paulo Almeida [mailto:[EMAIL PROTECTED] 
Sent: Monday, 3 March 2008 11:44
To: support@pfsense.com
Subject: [pfSense Support] IP Aliases


Hi,

We have a Watchguard Firebox X700 as a Firewall/Gateway for a 10Mb
Synchronous link to internet.
We want to substitute this equipment and we are investigating the
open source solutions.
Our Firefox system has one public IP (195.22.21.218) and our ISP
gives us a block of 14 public IPs (195.22.20.97-195.22.20.110).
Is pfSense capable of IP aliasing on the public interface?
If so, how do we do this on pfSense version 1.2?

Best regards,
Paulo Almeida


-- 
Escola Superior de Enfermagem do Porto
Rua Dr. António Bernardino de Almeida
4200-072 Porto - Portugal
Tel: +351 22 5073500 - Fax: +351 22 5096337
http://portal.esenf.pt



AW: [pfSense Support] IPSEC

2008-02-27 Thread Fuchs, Martin
So then go on and use OpenVPN site-to-site... it works with 2 dynamic
IPs...

Dynamic IPs for IPSec will be in 1.3... 

Regards,

Martin

From: Anil Garg [mailto:[EMAIL PROTECTED] 
Sent: Thursday, 28 February 2008 04:51
To: support@pfsense.com
Subject: [pfSense Support] IPSEC

 

Hey guys - I am a happy camper with pfsense and recently upgraded to 1.2
and have no issues to report so far.

I am trying to hook up two pfsense boxes with IPSEC site to site

It looks like that it needs a public ip address to create a tunnel.  I
could try and get public IP address at one place but it looks like it
still will not work because I need public IP address on both sides.


Have looked at all documents and spent many hours without avail...

Will some of you learned people suggest a way out.. I can only get a
Public IP address at one location and I am happy to do pay for that.
But the second location being a AT&T DSL in San Jose, CA - this is not
an option.

Much appreciate your help and guidance.


Best Regards
Anil Garg





AW: [pfSense Support] FreeRADIUS Package

2008-02-11 Thread Fuchs, Martin
Or just replace the changed files in your pfsense-install (using putty or 
WinSCP when using windows)

The files are mostly placed under /usr/local/xxx (have a look there)

Try your changes and fix all errors... then send your patches using diff -rub to 
[EMAIL PROTECTED]

:-)

Martin

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, 12 February 2008 00:26
To: support@pfsense.com
Subject: Re: [pfSense Support] FreeRADIUS Package

On 2/11/08, Dimitri Rodis <[EMAIL PROTECTED]> wrote:
> Once I have changes made, how should I go about getting these changes
> into a pfSense install to test before I send any patches up? Should I be
> using the dev iso?

Look in the packages area on the forum where there is a good howto.

Scott


AW: [pfSense Support] Wifi NIC

2008-01-24 Thread Fuchs, Martin
Afaik it will be supported in freebsd 7

 

From: Espen Johansen [mailto:[EMAIL PROTECTED] 
Sent: Thursday, 24 January 2008 22:07
To: support@pfsense.com
Subject: Re: [pfSense Support] Wifi NIC

 

As far as I know there are still no MIMO cards supported in FreeBSD.

You might have some luck with project evil (ndisulator) but this is not
supported at all.

-lsf

 

On Jan 17, 2008 1:58 AM, MyStiC <[EMAIL PROTECTED]> wrote:

I have an Airlink 101 MIMO XR PCI and am trying to use it as the WAN.
The first problem is pfSense doesn't show its match as an option, if 
there is a fix for this, I could probably take it from there.  Is
this possible & if so, how.  I'm running the latest & greatest RC4.
