Re: [pfSense Support] Can't get basic routing to work.

2006-08-04 Thread Jan Zorz

A. Jones wrote:

This is why I'm so confused...
There is no reason why it should not work.

Is there a way for me to see what the system is doing to the 
individual packets?
The scenario, exactly as you described, works for me very well without 
NAT-ing the public IP-s behind the firewall.


Do as Scott told you to do. Enable Advanced Outbound NAT rules and delete 
the one used for your public network and/or add correct incoming rules 
on the WAN interface to accept the traffic.


On the other hand, you can always use this:

/usr/sbin/tcpdump -n -e -ttt -i pflog0

This will give you a pretty clear idea of what's wrong.

/jan

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
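The tcpdump command above prints one line per packet that pf logged, with the matching rule number, action, direction and interface in front of the usual src > dst summary. The following parser is an added example, not part of the original thread: it reads that output (a constructed sample is embedded, with `em0` as WAN and `em1` as LAN, both assumed interface names) and tallies blocked packets by interface, direction, rule and destination, which is the quickest way to see which rule is dropping traffic you expected to pass.

```python
import re
from collections import Counter

# Prefix that tcpdump -n -e prints for pflog0 frames: rule number, action,
# direction, interface, then "src > dst:" (IPv4 addresses may carry .port).
PFLOG_RE = re.compile(
    r"^\S+ rule (?P<rule>\d+)/\d+\(\w+\): "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<iface>\S+): "
    r"(?P<src>\S+) > (?P<dst>\S+):"
)

# Constructed sample capture (not real traffic): a scanner probing the WAN
# (em0) and a LAN host (em1) reaching a server on 198.51.100.10.
SAMPLE_PFLOG = """\
00:00:00.000000 rule 5/0(match): block in on em0: 203.0.113.7.40512 > 198.51.100.10.22: Flags [S], length 0
00:00:01.204311 rule 5/0(match): block in on em0: 203.0.113.7.40513 > 198.51.100.10.23: Flags [S], length 0
00:00:00.000912 rule 12/0(match): pass out on em1: 192.0.2.5.51000 > 198.51.100.10.21: Flags [S], length 0
00:00:03.500000 rule 5/0(match): block in on em0: 203.0.113.9 > 198.51.100.10: ICMP echo request, id 1, seq 1, length 64
00:00:00.010000 rule 7/0(match): block out on em1: 192.0.2.5.51001 > 198.51.100.10.21: Flags [S], length 0
"""

def split_host_port(addr):
    """'198.51.100.10.22' -> ('198.51.100.10', 22); ICMP lines carry no port."""
    parts = addr.split(".")
    if len(parts) == 5 and parts[4].isdigit():
        return ".".join(parts[:4]), int(parts[4])
    return addr, None

def parse_line(line):
    """Return a dict for one pflog line, or None if it is not a pflog record."""
    m = PFLOG_RE.match(line.strip())
    if not m:
        return None
    src, sport = split_host_port(m["src"])
    dst, dport = split_host_port(m["dst"])
    return {"rule": int(m["rule"]), "action": m["action"], "dir": m["dir"],
            "iface": m["iface"], "src": src, "sport": sport,
            "dst": dst, "dport": dport}

def summarize_blocks(text):
    """Count blocked packets keyed by (iface, direction, rule, dst, dport).

    A counter dominated by one rule and one destination port points straight
    at the rule that is dropping the traffic you expected to pass."""
    counts = Counter()
    for line in text.splitlines():
        e = parse_line(line)
        if e and e["action"] == "block":
            counts[(e["iface"], e["dir"], e["rule"], e["dst"], e["dport"])] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize_blocks(SAMPLE_PFLOG).most_common():
        iface, direction, rule, dst, dport = key
        print(f"{n:4d} block {direction} on {iface} rule {rule} -> {dst}:{dport}")
```

To use it on a live box, pipe the tcpdump output into the script instead of `SAMPLE_PFLOG`; the rule number it reports is the one shown by `pfctl -vvsr`.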



Re: [pfSense Support] Editing firewall rules outside of the GUI

2006-09-13 Thread Jan Zorz
On Wednesday 13 of September 2006 00:01, Scott Ullrich wrote:
> On 9/12/06, Fuchs, Martin <[EMAIL PROTECTED]> wrote:
> > But nevertheless, you can filter packets outgoing to the internet...
> >
> > Bill, is there a consideration to make rules for packets going into the
> > firewall ?
>
> There have been many threads about this subject.   Please refer to the
> archives.
>
> In the meantime Jan Z was working on support for this but I don't
> believe his patch was quite done.

Hi gang...

I'm still working on this, but I was away from the computer for a month or so 
(illness). Now I'm up&running and back to work :)

I'm running my patches on our production firewall, and so far - so good. 

These patches add a drop-down menu to the rule creation/edit menu, so you can 
choose whether the rule impacts IN or OUT traffic on the interface. 

I'll try to do some tests that Bill requested and keep everybody concerned 
posted.

/jan





Re: [pfSense Support] Dying connections, possibly high load

2006-11-27 Thread Jan Zorz


Try to use "device polling" in "Advanced" configuration (bottom of the 
page)


Intel suxx for high volume traffic, unless device polling is used.

Maybe this could help...

/jan

Daniel Orcutt wrote:

Hello,

I currently have PFSense sitting between my private LAN and my DMZ

My FTP Server is located in the DMZ and I have 6 IP Cameras on my 
private LAN that all record to the FTP Server.  However, after a 
number of days of recording they are suddenly unable to connect to the 
FTP Server and the only resolution I have found is to reboot PFSense.  
My initial thoughts were that maybe it was too high of a load or 
possibly that resetting the states would help, but it didn't.  The 
firewall handles a very large amount of traffic and connections as 
well as a large number of rules, routing and NATs, but this is the 
only issue I have seen so far.  Any ideas?


I am running the latest 1.01 version on decent hardware (decent for a 
firewall).  Thanks a ton,


-Daniel








Re: [pfSense Support] Dying connections, possibly high load

2006-11-27 Thread Jan Zorz

Scott Ullrich wrote:

I don't think "intel sucks".  I do believe there are a number of
issues that have been addressed in FreeBSD 6.2 RC1.

I forgot to clarify, "Intel processor" sucks as architecture for that 
kind of task.  Simply, interrupts, interrupts, interrupts.


/jan




[pfSense Support] Captive portal and CARP

2007-08-15 Thread Jan Zorz

Hi gang.

I have two pfsense firewalls, fw1 and fw2, 10 VLAN interfaces and CARP 
addresses in between. Everything works fine, until I enable Captive 
portal on one of the interfaces.
The first sign of trouble is that all CARP interfaces on the primary fw (fw1) 
go to backup mode and fw2 becomes master. Then, if I disable CARP on 
fw2, fw1 goes to master mode (all interfaces). When I re-enable CARP on 
the secondary firewall, all CARP interfaces go to backup, except the 
interface where Captive portal is enabled on fw1. This interface is 
suddenly in master mode on both firewalls.


I entered IP of that interface on fw2 into Captive portal "Allowed IP 
addresses", added MAC of that interface into "Passthrough MAC" in 
Captive portal configuration, I added "allow any->any" rule on that 
interface on fw1, but no luck.


Any idea? My first thought is that CARP packets get blocked on fw1, but 
no quick idea why...


And, even if this starts to work, what would happen if fw1 dies and CARP 
on fw2 takes over? Is there any possibility to have a "synchronized 
Captive portal" on both fw's?


Thank you, Jan Zorz.




[pfSense Support] multi interface traffic shaper.

2007-08-15 Thread Jan Zorz

Hi gang (again).

I already posted this question on forum, but no replies, so I'm trying 
my luck here.


I went through the traffic shaper wizard and created limited bandwidth rules 
between the WAN and LAN interface and assigned all priorities and a bandwidth 
limit of 1/10 of the WAN's actual speed. Now I would like to add the same rules 
and limit between the newly created OPT1 interface and WAN.


Any quick tips, tricks or links, how to do that in any way?

If no idea, any tips just how to limit bandwidth between OPT1 and WAN to 
1/10 of actual WAN speed?


Thank you, Jan Zorz




Re: [pfSense Support] multi interface traffic shaper.

2007-08-29 Thread Jan Zorz

sai wrote:

Traffic shaper currently only works with 1 WAN interface

sai
  

Hi.

I understand that (and I have only 1 WAN interface). I would like the shaper 
to work between 1 WAN and multiple LAN interfaces in the same manner.


/jan


On 8/15/07, Jan Zorz <[EMAIL PROTECTED]> wrote:
  

Hi gang (again).

I already posted this question on forum, but no replies, so I'm trying
my luck here.

I went through the traffic shaper wizard and created limited bandwidth rules
between the WAN and LAN interface and assigned all priorities and a bandwidth
limit of 1/10 of the WAN's actual speed. Now I would like to add the same rules
and limit between the newly created OPT1 interface and WAN.

Any quick tips, tricks or links, how to do that in any way?

If no idea, any tips just how to limit bandwidth between OPT1 and WAN to
1/10 of actual WAN speed?

Thank you, Jan Zorz







  






Re: [pfSense Support] blocking to destination ports

2008-04-10 Thread Jan Zorz
Don't bother with this. I ran through a small flame-war with Scott about 
this, wrote my own patches for pfsense that were working flawlessly on 
1.0.1 and were applying rules on out-traffic, but political persuasion on 
the devs' side prevented those patches from being implemented...


Too bad, from my point of view.

Don't start that all over again, just learn to live with in-only rules.

/jan

Randy Schultz wrote:

Hiya,

We are running 1.2-RELEASE with a bridge across OPT1 and OPT2.  Is there any 
way to block to destination ports?  I have found blocking from source ports 
but cannot find anything that allows me to block traffic to a port.  Have I 
just overlooked something?

--
 Randy([EMAIL PROTECTED])  765.983.1283 <*>

Love with your heart, think with your head;  not the other way around.








Re: [pfSense Support] IPv6

2008-08-06 Thread Jan Zorz


Currently none of the developers has an IPv6 network with which to do 
testing. 
An IPv6 lab network can be very easily set up, if you know how to do it. No 
expensive hardware involved, just a bunch of BSD and Linux boxes, some 
IPv6 daemons and a tunnel to an IPv6 broker, if there is no native IPv6 
connectivity.


How hard can it be?

/jan






Re: [pfSense Support] IPv6

2008-08-07 Thread Jan Zorz




How hard can it be?




Maybe if m0n0wall takes the lead a little softer ;-)... 
http://m0n0.ch/wall/ has basic ipv6 support since a few weeks.



True :)

What I see from the changes, only basic tunneling is implemented. What we 
need is also a stateless autoconfiguration daemon (radvd), stateful 
autoconfig support (dhcpv6), full graphical config support (interface 
IP-s, rule definitions, etc...), OSPFv6, DNS "tip or trick daemon" 
(totd) and pTRTd as v6 to v4 "translator"...


That would suffice for a start of even thinking of the idea of using 
pfsense (or m0n0wall) in an ipv6 environment as a router :)


I have several networks on dual-stack, some of them even on v6 only, and 
I think development on ipv6 in the firewall area should be quicker. A lot 
quicker. I don't want to sound like a clairvoyant, but the 10.10.2010 date 
predicted as the v.4 dead-end is near.


/jan




Re: [pfSense Support] IPv6

2008-08-07 Thread Jan Zorz




but instead of waiting, i decided to make a "Tunnelrouter" inside my 
private Network with this services. Therefore i can play with v6 
without waiting for miracles ;-) (but for graphical IPv6 
Firewall-Rules will still Checkpoint products be the Choice)



That's perfectly correct...

But, I can't imagine migrating servers to dual-stack and adding  
record to DNS, relying on "tunnelrouter" inside my network. We have 
possibility to do native IPv6 routing, we have allocated /32 of IP's 
from RIPE, so WTF?


The only thing that I can imagine now is completely parallel new linux 
based dual firewall setup for native IPv6 access and IPv6 firewalling 
(in parallel with redundant pfsense v4 setup).


How much nonsense one can take?

/jan




Re: [pfSense Support] ipv6 possibility

2008-09-25 Thread Jan Zorz



"an addressing crisis" for years, and the fact that someone has
slapped a ruler on the current allocation trend and come up with a
number of days under 1000 doesn't really cause me concern.  Who can
present a reasonable case for adoption before the current 2-3 year
timeline?



Do you realize how long hardware deployment takes? Right now
we're driving at a nearby brick wall with a floored pedal.

It's going to hurt, a lot.

  
Couldn't agree more. Bravo! As Randy Bush would say, we are on a train 
that is soon to be a train wreck. But we at least know that we're gonna 
crash, so we can fasten our seatbelts and hurry up a bit to finish with 
dessert. Imagine all those people on the Titanic who were never able to 
finish their dessert...


I suggest we take our heads out of the sand and start deploying IPv6 stuff.

Personally I don't like the idea of two separate firewalls, pfsense for 
IPv4 and whatever else for IPv6. But, sadly, this is what I am doing now.


/jan






Re: [pfSense Support] ipv6 possibility

2008-09-25 Thread Jan Zorz

Paul Mansfield wrote:

Eugen Leitl wrote:
  

I have a small business with a /24. In order for me to make money
I will soon have to order another /24. And then another.



there's also the problem of getting globally routable PI space - you
need a /23 to ensure your prefix isn't discarded by some ISPs, but
getting a /23 these days is very difficult without very good
justification - we found it easier to team up with an ISP to make use of
their /22 for load-balancing and failover!

  
Yup, you got that right... but after the Pakistan Telekom -> Youtube fsck-up 
even /23 announcements are not safe anymore and are filtered out by some IX-es 
and ISP-s.


/jan




Re: [pfSense Support] ipv6 possibility

2008-09-25 Thread Jan Zorz



RB wrote:

I suggest we take our heads out of the sand and start deploying IPv6 stuff.



It is regrettable you consider asking for a valid business case for
accelerating a largely hobbyist project to be sticking one's head in
the sand.
  
I meant this one widely. Much more widely and on a larger scale. Not just 
the pfsense project; until the "magic" date 10.10.2010 we are supposed to 
have a critical mass of IPv6 deployment done, this is the only way we 
can go through this transition process with as little pain as possible.


"Is there gonna be IPv6 as main protocol?" - this is not a question 
anymore. There are no other ways. At RIPE meetings I spoke with a lot of 
exchange providers and Europe's largest ISP-s, and the common idea I got 
from these guys was "hey, we must grow as a company; when there is no 
more IPv4 available, we are ready to make a switch to v6. We calculate 
that it is far too expensive for an ISP to maintain dual-stack for a long 
time."


So, an ISP will not break any part of its contract with you by providing you IPv6 
only access. That being said, on the other hand we know that 
translation mechanisms are total crap. NAT-PT is deprecated by IETF, 
maybe there is a little hope for SIIT (ptrtd), which does translation on 
the 3rd level and does not try to translate IP headers from v4 to v6, which is 
nonsense.


How can we get away with this, possibly with as little mess as possible?

Content providers, hosting providers, everybody that is providing any 
sort of content *must* deploy dual-stack and start serving content on 
both protocols. Ideally, if everybody would do that, there would be no 
need for any rubbish translation devices...


That's why I chose to run two gateways, pfsense as brilliant v4 firewall 
and one linux box with v6 stuff and firewall on it, providing access for 
dual-stack servers in the system. That's the only way we can test our 
applications and you would be surprised, the v6 network is not dead and 
silent, there is increasing amount of traffic going on...


Google is preparing their site to go dual stack; for now they are 
testing on http://ipv6.google.com/ . I spoke with Lorenzo, the main guy @ 
google for this stuff, and they are still experiencing some problems with 
dual-stack. So, if google is experiencing problems and is testing and 
developing two years ahead, why would that not be a good example for 
everybody in the internet business?


I hope I answered most of your questions.

Regards, /jan
  

Personally I don't like the idea of two separate firewalls, pfsense for IPv4
and whatever else for IPv6. But, sadly, this is what I am doing now.



Yet you still do not answer the question - what value is v6 providing
you now?  Would you mind sharing what made you make the agreeably
painful decision to run two separate gateways?


RB


  





Re: [pfSense Support] ipv6 possibility

2008-09-27 Thread Jan Zorz

Beat Siegenthaler wrote:

RB wrote:

  

This question comes back up every few months, and every time I wonder:
what is the justification case for IPv6?  



Maybe it's the simple argument:
Jump on the Train!!!
Hype or not, IPv6 is coming. Let the "we get out of IP's" yells beside
this time.

It's like talking about how a cellular does not need a camera.
Or that cameras with more than 5 Megapixels are never needed.
Or "640k are enough". Take it or leave it as a Customer. But: Take it or
disappear as a Manufacturer.

I love pfSense!!

But I play around with IPv6 because I want to have an advance.

If there is suddenly another project that has IPv6 and it is similar to
pfSense: Bye Bye faithfulness. Many good products were made this way...


Last Point:

The energy we put into NAT, overlapping Networks, strange VPN's in legacy
v4 is enormous. Many of these Problems are nonexistent with v6.
And a Firewall would be again what it ever was:
A routing device where I can enforce who, what, when, why can talk to
some other Node


  

Amen.

/jan




Re: [pfSense Support] ipv6 possibility

2008-09-28 Thread Jan Zorz



Chris Bagnall wrote:

Availability is a major constraint. At least for Scott and myself,
neither of us have an option to even get IPv6 connectivity on a
residential grade connection.



Obviously I don't know where Scott and yourself are based, but that's kinda... 
shocking, for want of a better way of putting it. Are there no *DSL providers 
in your neck of the woods that'll offer an IP6-compatible connection?

And we keep being told how far behind the rest of the world the UK is for 
broadband ;-)
  
You have strong proponents inside British Telecom for IPv6 stuff... 
AFAIK BT ran their core network on experimental IOS releases just to have 
dual stack for 2 years. Now they have implemented official releases, as Cisco 
put the IPv6 stack into the stable branch :)


You English types are quite advanced in that area :)

/jan




[pfSense Support] redundant DHCP issues in 1.2.3-RC1

2009-05-26 Thread Jan Zorz

Hi.

We set up redundant pfsense firewalls and everything used to work fine, 
until we upgraded them from 1.2.2 to 1.2.3-RC1.


With this upgrade failover DHCP (redundant) stopped working. Previously 
DHCPd on both machines were talking to each other, updating the DHCP 
leases.


After the upgrade, things seemed to work fine, but after 3 days DHCP refused 
to offer any new IP's with the message in the log "peer holds all free leases".


Any ideas, why this behaviour started to show after 1.2.3-RC1 upgrade?

Thnx, Jan Zorz

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org



Re: [pfSense Support] How to forward protocol 41

2010-02-11 Thread Jan Zorz

Mikel,

You have two options:

1. configure your cron on the linux box to ping6 some IPv6 address out there 
to keep the tunnel up.
2. Bang the bell very hard to wake up pfSense developers, so they 
finally deploy IPv6 mechanisms at last.


I liked PfSense a lot, but I moved to Mikrotik devices. They have IPv6 
(and a lot of v6 mechanisms, like ospf-v3 and others) fully deployed.


/jan

Mikel Jimenez wrote:

Hi!

I have a Linux box with an ipv6 tunnel with the hurricane tunnel broker. 
The tunnel works fine and all the clients of my LAN surf 
ip6.google.com (I have configured radvd).


The problem is that the connections from the internet stop at the 
pfsense. If I listen on the WAN interface I can see IP protocol 41 
(ipv6ipv4).


My question is, how can I forward protocol 41 to my Linux box, which has 
the tunnel configured? I don't see the option in the NAT section to 
forward IP protocol 41.


I think that what I want is this (iptables): iptables -t nat -A 
PREROUTING -i wan -p 41 -j DNAT --to 192.168.1.100 (linux box)


How can I accomplish this in pfSense?

Thanks



