RE: [pfSense Support] boot usb without bios support

2008-05-06 Thread Michael Richardson
Booting from CD isn't an option? Why are you trying to boot from USB?

From: Ernesto Eduardo Medina Núñez [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, May 06, 2008 3:16 PM
To: support@pfsense.com
Subject: [pfSense Support] boot usb without bios support


Hi, I'm new to BSD and pfsense.
I want to boot pfsense from my usb pen drive but my BIOS is old and can't
boot from a USB drive.

Can somebody help me?

Note: I don't have a Hard Drive nor Floppy Disk, I just have:
- CD-ROM drive
- 1GB USB pen drive with pfsense installed (it works, I tested it on my
  laptop)
- the pfsense cd,
- computer with 3 network cards.
- Celeron processor (333), very old!


-- 
Lalo: Just do it, life is too short 


RE: [pfSense Support] Message repeating in System Log, can't find the reason

2008-03-06 Thread Michael Richardson
I am trying to use DHCP on both, and I think that may be a reasonable
explanation. If I pull a lease by other methods and then plug that info in
as static, would that likely work? I still have a problem with Gateways
though. I can't seem to pull a new IP/Gateway like I used to, by changing my
spoofed MAC and at the moment, both modems are pulling IPs with the same
gateway. Only other solution is the double NAT right (or something a bit
more tricky like 1:1 NAT)?

 

Thanks for the help. I expected this to be a common occurrence, but the
response I've seen (aside from yours) says otherwise.

 


From: Curtis LaMasters [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, March 05, 2008 10:05 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Message repeating in System Log, can't find
the reason

 

Separate interfaces should work.  BSR is nothing more than broadband
services router.  I think Cox uses the AMT / Motorola BSR64000.  Are you
using DHCP on both interfaces?  I may be mistaken but I thought pfSense only
supported 1 DHCP connection on the WAN, the other has to be a static.  Don't
quote me on that though.

Curtis 



RE: [pfSense Support] Message repeating in System Log, can't find the reason

2008-03-06 Thread Michael Richardson
My reasons are two-fold. One is as Chris said, I work from home AND have
servers in the home that need to remain accessible to my hosted servers.

The 2nd is because I do a significant amount of off-site backups in 2
directions so a 2nd line allows me to saturate one with file transfers
without affecting my more casual activities.

I'd like to thank everyone for engaging in this dialog and helping out. I'm
still having the same problem though. My 2nd WAN interface refuses to pull
an IP via DHCP and by testing with the 1st interface, and other devices I
know that the modem is more than happy to hand one out. How do I go about
troubleshooting this?


-----Original Message-----
From: Chris Buechler [mailto:[EMAIL PROTECTED] 
Sent: Thursday, March 06, 2008 2:12 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Message repeating in System Log, can't find
the reason

Anil Garg wrote:
> Now that the broadband is very reliable, why would anyone use more 
> than one WAN at home.  What are the benefits you have seen or desired 
> in multiple dhcp wan at home.

Very reliable depends on your provider, your definition of reliable, 
and even more, your tolerance for downtime. My tolerance for downtime is 
0. I work a significant amount out of my home office, largely on 
servers, routers, firewalls, switches, etc. in remote locations where I 
must have an Internet connection. My primary 15 Mb cable connection is 
down around 4 hours a month on average, and once a year or so for 48+ 
hours straight or longer.

While that's no big deal for your typical residence, it's critical for 
me and *always* happens to me at the worst times. When you have clients 
that rely on you being accessible to assist any time, the money spent on 
the backup DSL connection is well worth it and a relatively 
insignificant cost. When I'm doing something critical after hours, I 
don't want to be stuck driving into the office or elsewhere with a 
working Internet connection at 3 AM to finish the job.



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]






RE: [pfSense Support] Message repeating in System Log, can't find the reason

2008-03-06 Thread Michael Richardson
I'm hoping the log entries below will help because I'm not familiar with
tcpdump yet (spoiled GUI user where packet-capturing is concerned).

 

 


Mar 5 21:34:01 kernel: arpresolve: can't allocate route for 192.168.0.1
Mar 5 21:34:01 kernel: arplookup 192.168.0.1 failed: host is not on local network
Mar 5 21:33:43 dhclient[80556]: bound: renewal in 27102 seconds.
Mar 5 21:33:42 dhclient[80556]: Trying recorded lease 192.168.0.2  -- This looks interesting
Mar 5 21:33:42 dhclient[80556]: No DHCPOFFERS received.
Mar 5 21:33:31 last message repeated 3 times
Mar 5 21:33:12 kernel: arpresolve: can't allocate route for 192.168.0.1
Mar 5 21:33:12 kernel: arplookup 192.168.0.1 failed: host is not on local network
Mar 5 21:33:00 kernel: arpresolve: can't allocate route for 192.168.0.1
Mar 5 21:33:00 kernel: arplookup 192.168.0.1 failed: host is not on local network
Mar 5 21:32:58 dhclient[80556]: DHCPDISCOVER on sk0 to 255.255.255.255 port 67 interval 11
Mar 5 21:32:48 dhclient[80556]: DHCPDISCOVER on sk0 to 255.255.255.255 port 67 interval 10
Mar 5 21:32:43 dhclient[80556]: DHCPDISCOVER on sk0 to 255.255.255.255 port 67 interval 5
Mar 5 21:32:41 dhclient[80556]: DHCPDISCOVER on sk0 to 255.255.255.255 port 67 interval 2
Mar 5 21:32:34 last message repeated 3 times
Mar 5 21:32:28 php: : Not a valid interface action
Mar 5 21:32:28 php: : Processing -
Mar 5 21:32:28 php: : Not a valid interface action
Mar 5 21:32:28 php: : Processing start -
Mar 5 21:32:28 php: : HOTPLUG: Configuring optional interface - opt
Mar 5 21:32:28 php: : DEVD Ethernet attached event for sk0
Mar 5 21:32:28 php: : Processing sk0 - start
Mar 5 21:32:28 check_reload_status: rc.linkup starting
Mar 5 21:32:26 dhclient[80556]: DHCPREQUEST on sk0 to 255.255.255.255 port 67
Mar 5 21:32:26 kernel: sk0: link state changed to UP
Mar 5 21:32:24 kernel: sk0: link state changed to DOWN
Mar 5 21:32:19 syslogd: kernel boot file is /boot/kernel/kernel

 

 

 

-----Original Message-----
From: Chris Buechler [mailto:[EMAIL PROTECTED] 
Sent: Thursday, March 06, 2008 3:27 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Message repeating in System Log, can't find
the reason

Michael Richardson wrote:
> My reasons are two-fold. One is as Chris said, I work from home AND have
> servers in the home that need to remain accessible to my hosted servers.
>
> The 2nd is because I do a significant amount of off-site backups in 2
> directions so a 2nd line allows me to saturate one with file transfers
> without affecting my more casual activities.
>
> I'd like to thank everyone for engaging in this dialog and helping out. I'm
> still having the same problem though. My 2nd WAN interface refuses to pull
> an IP via DHCP and by testing with the 1st interface, and other devices I
> know that the modem is more than happy to hand one out. How do I go about
> troubleshooting this?

tcpdump on the interface and see what's really happening. Also I haven't 
read the entirety of this really long thread, if you've already sent 
logs from dhclient please re-send them.

 



[pfSense Support] Message repeating in System Log, can't find the reason

2008-03-05 Thread Michael Richardson
I'm getting the following 2 messages repeating over and over every 10-30
seconds in my System log (pf 1.2), but NOWHERE in my configuration is
192.168.0.1 mentioned, nor is 192.168.0.0 used in any of our networks. Where
is this coming from and why?

Mar 5 04:38:01 kernel: arpresolve: can't allocate route for 192.168.0.1
Mar 5 04:38:01 kernel: arplookup 192.168.0.1 failed: host is not on local network

 



RE: [pfSense Support] Message repeating in System Log, can't find the reason

2008-03-05 Thread Michael Richardson
Thank you,

 

Both my WAN connections are via COX and I found that WAN2 wasn't pulling an
IP properly but the Gateway did show as 192.168.0.1. When I released the
interface, I stopped getting these messages. I've power cycled the modem and
when I try to renew the lease, I get the same results. Is this a problem at my
end, or do I need to have cox re-provision my modem?

From: Curtis LaMasters [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, March 05, 2008 7:19 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Message repeating in System Log, can't find
the reason

 

Check your ARP table and see if possibly that IP is there.  I'm guessing
it's coming from your ISP's edge device. I see this every now and then with
Cox Cable Modems.

-- 
Curtis LaMasters
http://www.curtis-lamasters.com
http://www.builtnetworks.com 



RE: [pfSense Support] Message repeating in System Log, can't find the reason

2008-03-05 Thread Michael Richardson
I'm using separate interfaces (completely separate nics actually). Could you
educate me on the meaning of BSR?

 

I think I have refined the description of my trouble. I found that my 2nd
cable modem is more than happy to give up an IP to the first interface, or
another machine. I think the following series of entries in my System Log is
key to the problem. Following the next few lines is a complete log from the
point I try to renew the interface, until it settles and begins looping the
aforementioned messages.

 

Trying Recorded lease?

 


Mar 5 21:33:43 dhclient[80556]: bound: renewal in 27102 seconds.
Mar 5 21:33:42 dhclient[80556]: Trying recorded lease 192.168.0.2
Mar 5 21:33:42 dhclient[80556]: No DHCPOFFERS received.

 

 

Complete Log:

 


Mar 5 21:34:01 kernel: arpresolve: can't allocate route for 192.168.0.1
Mar 5 21:34:01 kernel: arplookup 192.168.0.1 failed: host is not on local network
Mar 5 21:33:43 dhclient[80556]: bound: renewal in 27102 seconds.
Mar 5 21:33:42 dhclient[80556]: Trying recorded lease 192.168.0.2
Mar 5 21:33:42 dhclient[80556]: No DHCPOFFERS received.
Mar 5 21:33:31 last message repeated 3 times
Mar 5 21:33:12 kernel: arpresolve: can't allocate route for 192.168.0.1
Mar 5 21:33:12 kernel: arplookup 192.168.0.1 failed: host is not on local network
Mar 5 21:33:00 kernel: arpresolve: can't allocate route for 192.168.0.1
Mar 5 21:33:00 kernel: arplookup 192.168.0.1 failed: host is not on local network
Mar 5 21:32:58 dhclient[80556]: DHCPDISCOVER on sk0 to 255.255.255.255 port 67 interval 11
Mar 5 21:32:48 dhclient[80556]: DHCPDISCOVER on sk0 to 255.255.255.255 port 67 interval 10
Mar 5 21:32:43 dhclient[80556]: DHCPDISCOVER on sk0 to 255.255.255.255 port 67 interval 5
Mar 5 21:32:41 dhclient[80556]: DHCPDISCOVER on sk0 to 255.255.255.255 port 67 interval 2
Mar 5 21:32:34 last message repeated 3 times
Mar 5 21:32:28 php: : Not a valid interface action
Mar 5 21:32:28 php: : Processing -
Mar 5 21:32:28 php: : Not a valid interface action
Mar 5 21:32:28 php: : Processing start -
Mar 5 21:32:28 php: : HOTPLUG: Configuring optional interface - opt
Mar 5 21:32:28 php: : DEVD Ethernet attached event for sk0
Mar 5 21:32:28 php: : Processing sk0 - start
Mar 5 21:32:28 check_reload_status: rc.linkup starting
Mar 5 21:32:26 dhclient[80556]: DHCPREQUEST on sk0 to 255.255.255.255 port 67
Mar 5 21:32:26 kernel: sk0: link state changed to UP
Mar 5 21:32:24 kernel: sk0: link state changed to DOWN
Mar 5 21:32:19 syslogd: kernel boot file is /boot/kernel/kernel

 

 


From: Curtis LaMasters [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, March 05, 2008 7:44 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Message repeating in System Log, can't find
the reason

 

Are you using separate interfaces or VLANs?  If you are connected to the
same BSR with the cable modems it's not going to like the MAC address most
likely.  Also, do you have a switch connected to the cable modems, then the
switch connected to the firewall?  I have found that when using the same BSR
it breaks the second cable modem for some reason.

-- 
Curtis LaMasters
http://www.curtis-lamasters.com
http://www.builtnetworks.com 



[pfSense Support] Dual-wan Setup issue (Yes, I've read a few Dual-Wan HOWTO docs AND I've rebuilt the router)

2008-03-04 Thread Michael Richardson
First let me say that I love PF and am using it enough that I'm considering
the standard support contract, but I'm not quite there yet so I still need
community support.

 

I've got a dual-wan setup and I want to cause traffic between an internal
machine, and external machine to occur over WAN2 (I could use source or
destination as criteria). Both public IPs would share a gateway so I've put
a NAT device on WAN2 and connected the modem to it so now both WAN ports are
on different subnets. (more)

 

With the appropriate LAN rule in place, traffic doesn't flow UNLESS I start
a packet capture on WAN2 (I found this while trying to troubleshoot). Why
would this be? Anyone got the time and know-how to help me troubleshoot
this?

 

Here's my setup. Hope the art comes through decently. The reason for the
SpeedStream device is because otherwise both WAN interfaces would have the
same gateway IP and I read that is unacceptable for a dual-wan config.

 



|   WAN 67.x.x.12   | Cable Modem1

|   |

|   pfSense 1.2|

| LAN 192.168.1.0  |


|   |   |
SpeedStream 2601 for NAT |

|   WAN2   192.168.0.2   |-- | 192.168.0.1
|-- Cable Modem 2




 

I want to be sure that traffic FROM 192.168.1.22 or traffic TO 78.x.x.10
goes through WAN2 (I can use source, destination, or both).

 

Outbound NAT is set to Automatic and has only the default LAN rule in place.
I have added a LAN rule, but instead of trying to communicate what it is and
confirm it's right, I think it would be faster if someone could tell me what
it should be (at least one of the options), and I'll just use that.

 

ANYthing else I haven't mentioned, I likely don't know about and need
pointed out.

 

 

Thanks in advance, and I'm loving 1.2. The upgrade was flawless.

 

Mike



RE: [pfSense Support] Dual-wan Setup issue (Yes, I've read a few Dual-Wan HOWTO docs AND I've rebuilt the router)

2008-03-04 Thread Michael Richardson
So a LAN rule with the gateway for WAN2 selected, AND the outbound-nat rule
are both needed?

 


From: Dimitri Rodis [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, March 04, 2008 6:16 PM
To: support@pfsense.com
Subject: RE: [pfSense Support] Dual-wan Setup issue (Yes, I've read a few
Dual-Wan HOWTO docs AND I've rebuilt the router)

 

You need to use Manual Outbound NAT, and add a rule above the default rule
that has the source address of your machine, destination * *, and then
select the address of your WAN2 interface.

 

Dimitri Rodis

Integrita Systems LLC 

 

From: Michael Richardson [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, March 04, 2008 4:54 PM
To: support@pfsense.com
Subject: [pfSense Support] Dual-wan Setup issue (Yes, I've read a few
Dual-Wan HOWTO docs AND I've rebuilt the router)

 

First let me say that I love PF and am using it enough that I'm considering
the standard support contract, but I'm not quite there yet so I still need
community support.

 

I've got a dual-wan setup and I want to cause traffic between an internal
machine, and external machine to occur over WAN2 (I could use source or
destination as criteria). Both public IPs would share a gateway so I've put
a NAT device on WAN2 and connected the modem to it so now both WAN ports are
on different subnets. (more)

 

With the appropriate LAN rule in place, traffic doesn't flow UNLESS I start
a packet capture on WAN2 (I found this while trying to troubleshoot). Why
would this be? Anyone got the time and know-how to help me troubleshoot
this?

 

Here's my setup. Hope the art comes through decently. The reason for the
SpeedStream device is because otherwise both WAN interfaces would have the
same gateway IP and I read that is unacceptable for a dual-wan config.

 



|   WAN 67.x.x.12   | Cable Modem1

|   |

|   pfSense 1.2|

| LAN 192.168.1.0  |


|   |   |
SpeedStream 2601 for NAT |

|   WAN2   192.168.0.2   |-- | 192.168.0.1
|-- Cable Modem 2




 

I want to be sure that traffic FROM 192.168.1.22 or traffic TO 78.x.x.10
goes through WAN2 (I can use source, destination, or both).

 

Outbound NAT is set to Automatic and has only the default LAN rule in place.
I have added a LAN rule, but instead of trying to communicate what it is and
confirm it's right, I think it would be faster if someone could tell me what
it should be (at least one of the options), and I'll just use that.

 

ANYthing else I haven't mentioned, I likely don't know about and need
pointed out.

 

 

Thanks in advance, and I'm loving 1.2. The upgrade was flawless.

 

Mike



RE: [pfSense Support] Dual-wan Setup issue (Yes, I've read a few Dual-Wan HOWTO docs)

2008-02-28 Thread Michael Richardson
Reinstall from scratch -- Still safe to export/import my config or do you
really mean from scratch ?

-----Original Message-----
From: sai [mailto:[EMAIL PROTECTED] 
Sent: Thursday, February 28, 2008 12:12 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Dual-wan Setup issue (Yes, I've read a few
Dual-Wan HOWTO docs)

the fact that the setup works, but only if you start a packet capture
(using the last option in the pfsense menu?) is something strange.
possibly something wrong in config (maybe routing or gateway?).

a lot of small and hard to catch bugs have been fixed in 1.2RELEASE
and so i would go for a reinstall from scratch.

sai

On 2/28/08, Michael Richardson [EMAIL PROTECTED] wrote:
> I've got a dual-wan setup and I want to cause traffic between an internal
> machine, and external machine to occur over WAN2 (I could use source or
> destination as criteria). Both public IPs would share a gateway so I've put
> a NAT device on WAN2 and connected the modem to it so now both WAN ports are
> on different subnets. (more)
>
> With the appropriate LAN rule in place, traffic doesn't flow UNLESS I start
> a packet capture on WAN2 (I found this while trying to troubleshoot). Why
> would this be? Anyone got the time and know-how to help me troubleshoot
> this?
>
> Here's my setup. Hope the art comes through decently. The reason for the
> SpeedStream device is because otherwise both WAN interfaces would have the
> same gateway IP and I read that is unacceptable for a dual-wan config.
>
> |   WAN 67.x.x.12   | Cable Modem1
> |
> |
> |   pfSense 1.2|
> | LAN 192.168.1.0  |
> |
> |   |   SpeedStream 2601 for NAT |
> |   WAN2   192.168.0.2   |-- | 192.168.0.1
>    |-- Cable Modem 2
>
> I want to be sure that traffic FROM 192.168.1.22 or traffic TO 78.x.x.10
> goes through WAN2 (I can use source, destination, or both).
>
> Outbound NAT is set to Automatic and has only the default LAN rule in place.
> I have added a LAN rule, but instead of trying to communicate what it is and
> confirm it's right, I think it would be faster if someone could tell me what
> it should be (at least one of the options), and I'll just use that.
>
> ANYthing else I haven't mentioned, I likely don't know about and need
> pointed out.
>
> Thanks in advance, and I'm loving 1.2. The upgrade was flawless.
>
> Mike



[pfSense Support] Dual-wan Setup issue (Yes, I've read a few Dual-Wan HOWTO docs)

2008-02-27 Thread Michael Richardson
I've got a dual-wan setup and I want to cause traffic between an internal
machine, and external machine to occur over WAN2 (I could use source or
destination as criteria). Both public IPs would share a gateway so I've put
a NAT device on WAN2 and connected the modem to it so now both WAN ports are
on different subnets. (more)

 

With the appropriate LAN rule in place, traffic doesn't flow UNLESS I start
a packet capture on WAN2 (I found this while trying to troubleshoot). Why
would this be? Anyone got the time and know-how to help me troubleshoot
this?

 

Here's my setup. Hope the art comes through decently. The reason for the
SpeedStream device is because otherwise both WAN interfaces would have the
same gateway IP and I read that is unacceptable for a dual-wan config.

 



|   WAN 67.x.x.12   | Cable Modem1

|   |

|   pfSense 1.2|

| LAN 192.168.1.0  |


|   |   |
SpeedStream 2601 for NAT |

|   WAN2   192.168.0.2   |-- | 192.168.0.1
|-- Cable Modem 2




 

I want to be sure that traffic FROM 192.168.1.22 or traffic TO 78.x.x.10
goes through WAN2 (I can use source, destination, or both).

 

Outbound NAT is set to Automatic and has only the default LAN rule in place.
I have added a LAN rule, but instead of trying to communicate what it is and
confirm it's right, I think it would be faster if someone could tell me what
it should be (at least one of the options), and I'll just use that.

 

ANYthing else I haven't mentioned, I likely don't know about and need
pointed out.

 

 

Thanks in advance, and I'm loving 1.2. The upgrade was flawless.

 

Mike



[pfSense Support] Manually configure (force) link-speed/duplex?

2008-01-30 Thread Michael Richardson
I've got a Realtek nic that is not playing nice with a cable-modem. The
System Log shows the interface is going up and down a couple times per
minute. I intend to replace the NIC (when I'm not 200 miles away), but for
now I'd like to try and force the speed/duplex to see if that will stabilize
it. I found a link that appears to address this, but it's dead. Anyone have
a working link, or information/syntax about how to do this?

 

For what it's worth, the dead link is
http://faq.pfsense.com/index.php?sid=18033lang=enaction=artikelcat=10id=
38artlang=enhighlight=hidden

 

Thank you,

 

Mike (rainabba on Freenode)



[pfSense Support] Upgrade 1.0.1 to 1.2 RC4 from console (2nd appeal)

2008-01-28 Thread Michael Richardson
I was once given a command (or series of commands really) that fetched,
unpacked, and installed (or copied files anyway) that let me do an update
from 1.0.1 to 1.2 RC4, but I've misplaced it. Could someone provide that
again? As best I recall, the output of fetch was piped into tar and the
output of that was directed at /, but I'm not 100% sure and can't afford to
do this wrong :-)

 

Thanks in advance

 



[pfSense Support] XML error: MEDIA at line 47 cannot occur more than once each time I try to change configuration

2008-01-28 Thread Michael Richardson
In /conf/config.xml MEDIA only occurs twice, each instance under a
different interface and neither is on line 47. What's going on?



RE: [pfSense Support] XML error: MEDIA at line 47 cannot occur more than once each time I try to change configuration

2008-01-28 Thread Michael Richardson
Can you tell me how to resolve this?

-----Original Message-----
From: Scott Ullrich [mailto:[EMAIL PROTECTED] 
Sent: Monday, January 28, 2008 7:46 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] XML error: MEDIA at line 47 cannot occur
more than once each time I try to change configuration

On 1/28/08, Michael Richardson [EMAIL PROTECTED] wrote:
> In /conf/config.xml MEDIA only occurs twice, each instance under a
> different interface and neither is on line 47. What's going on?

Looks like at some point you installed a developers version!?

Scott



RE: [pfSense Support] XML error: MEDIA at line 47 cannot occur more than once each time I try to change configuration

2008-01-28 Thread Michael Richardson
On 1.2 RC4 :(

Really no other ideas but to reset? I have sooo much config time in this box
that might make me cry. Really, I'm serious :)

-----Original Message-----
From: Scott Ullrich [mailto:[EMAIL PROTECTED] 
Sent: Monday, January 28, 2008 8:30 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] XML error: MEDIA at line 47 cannot occur
more than once each time I try to change configuration

On 1/28/08, Michael Richardson [EMAIL PROTECTED] wrote:
> The following snippet includes the ONLY instance of media in my entire
> /conf/config.xml file (I removed the other already).
>
> <wan>
> <if>fxp0</if>
> <mtu>1500</mtu>
> <media>100baseTX mediaopt full-duplex</media>
> <bandwidth>100</bandwidth>
> <bandwidthtype>Mb</bandwidthtype>
> <spoofmac>00:18:f3:3e:b2:e7</spoofmac>
> <blockpriv/>
> <blockbogons/>
> <use_rrd_gateway/>
> <disableftpproxy/>
> <ipaddr>dhcp</ipaddr>
> <dhcphostname>azprep.dyndns.info</dhcphostname>
> </wan>
>
> Yet the error remains.
>
> Please advise.
>
> Thanks Scott.

The only thing I can think of is moving to the latest 1.2-RC4.  If
that fails to work reset to factory configuration.

Scott



[pfSense Support] Upgrade 1.0.1 to 1.2 RC4 from console

2008-01-26 Thread Michael Richardson
I was once given a command (or series of commands really) that fetched,
unpacked, and installed (or copied files anyway) that let me do an update
from 1.0.1 to 1.2 RC4, but I've misplaced it. Could someone provide that
again? As best I recall, the output of fetch was piped into tar and the
output of that was directed at /, but I'm not 100% sure and can't afford to
do this wrong :-)

 

Thanks in advance



RE: [pfSense Support] Static Route for IPSEC

2007-10-22 Thread Michael Richardson
So if I create the needed SA's, pfSense will create the routes for me?

-----Original Message-----
From: Bill Marquette [mailto:[EMAIL PROTECTED] 
Sent: Monday, October 22, 2007 6:48 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Static Route for IPSEC

On 10/22/07, Michael Richardson [EMAIL PROTECTED] wrote:
> Perhaps I'm seeing the issue incorrectly then. I have 2 pf boxes at
> different locations. Box A is Class C (192.168.10.0/24), Box B is Class C
> (192.168.1.0/24). A and B are connected via an IPSEC VPN tunnel, but Box B
> also has a tunnel to another VPN terminator. I want to add a static route to
> Box A to get traffic to the VPN terminator via B.
>
> Box A (pf Sense) = 192.168.10.0/24
> Connects to (using IPSEC):
> Box C (pfSense) = 192.168.1.0/24
> Connects to (using IPSEC):
> Router C (unknown brand, managed) = 192.168.3.0/24
>
> I need to get traffic from the network behind Box A to Router C and I
> thought a static route would be the way, but I don't believe the LAN or WAN
> interface is appropriate because the use of IPSEC tunnels. Am I thinking
> about this the wrong way?

yes.  Traffic can't cross the tunnel unless you have a security
association for it.  You'll need to add 192.168.3.0/24 to the A-B and
B-A tunnels. You'll also need to add 192.168.10.0/24 to the B-C and
C-B tunnels.

To make this work in pfSense, just create another tunnel between A and
B with the 192.168.1.0 subnet in it.

--Bill

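The rule quoted in the message above, that a packet only enters a tunnel when a security association's selectors cover both its source and its destination, modelled as an added example (not code from the thread or from pfSense). The gateway labels, the `Tunnel` class and the `walk` helper are hypothetical; the subnets are the ones quoted in the message, and a real IPsec policy lookup also considers protocol and ports.

```python
"""Toy model of policy-based IPsec forwarding across chained tunnels A-B-C.

Added illustration: Tunnel, SITES, mirrored() and walk() are hypothetical
names. The subnets are the ones quoted in the thread.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Gateway label -> LAN that sits behind it.
SITES = {
    "A": ip_network("192.168.10.0/24"),
    "B": ip_network("192.168.1.0/24"),
    "C": ip_network("192.168.3.0/24"),
}


@dataclass(frozen=True)
class Tunnel:
    """One phase-2 entry as configured on gateway `at`, pointing at `peer`."""
    at: str
    peer: str
    local: IPv4Network
    remote: IPv4Network

    def matches(self, src, dst):
        # A packet is tunnelled only if BOTH ends fall inside the selectors.
        return src in self.local and dst in self.remote


def mirrored(a, b, a_side, b_side):
    """Both ends of one tunnel; the selectors are swapped on the peer."""
    return [Tunnel(a, b, a_side, b_side), Tunnel(b, a, b_side, a_side)]


def walk(policies, start, src, dst, max_hops=8):
    """Follow a packet gateway by gateway. Returns (delivered, path)."""
    src, dst = ip_address(src), ip_address(dst)
    here, path = start, [start]
    for _ in range(max_hops):
        if dst in SITES[here]:
            return True, path          # destination LAN is local to this gateway
        peer = next((t.peer for t in policies
                     if t.at == here and t.matches(src, dst)), None)
        if peer is None:
            return False, path         # no SA covers this pair: not tunnelled
        here = peer
        path.append(here)
    return False, path


# Starting point described in the thread: A<->B and B<->C carry only the
# directly attached LANs.
ORIGINAL = (mirrored("A", "B", SITES["A"], SITES["B"])
            + mirrored("B", "C", SITES["B"], SITES["C"]))

# Only the A<->B leg extended to cover 192.168.3.0/24.
ONLY_AB = ORIGINAL + mirrored("A", "B", SITES["A"], SITES["C"])

# Both legs extended: 192.168.3.0/24 on A<->B and 192.168.10.0/24 on B<->C.
FIXED = ONLY_AB + mirrored("B", "C", SITES["A"], SITES["C"])


if __name__ == "__main__":
    for name, pol in (("original", ORIGINAL), ("A-B only", ONLY_AB), ("fixed", FIXED)):
        ok, path = walk(pol, "A", "192.168.10.5", "192.168.3.7")
        print(f"{name:9s} delivered={ok} path={'->'.join(path)}")
```

With only the A-B leg extended the packet reaches B and stops there, which is why the reply asks for entries on both legs.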



Re: Re: [Fwd: Re: [pfSense Support] Dual Wan - Same Gateway]

2007-10-21 Thread Michael Richardson
Upstream box isn't pfSense and does VERY little. Nothing I can do on the
downstream box (pfSense) ?





On Sat, 20 Oct 2007, Bill Marquette ([EMAIL PROTECTED]) wrote:

On 10/20/07, Michael Richardson  wrote:
> One of the primary reasons I wanted a dual-wan configuration was so our 1st
> 15Mb line wasn't saturated with large file transfers, which we do regularly.
> The next reason is for fail-over and/or load-balancing.
>
> That said, I've implemented a NAT device to get the 2nd line on a separate
> gateway (as far as pf is concerned) and tried to setup ipSec on the WAN2,
> but I hadn't previously considered NAT traversal with IPSEC which is now an
> issue. This means that the local pf box doesn't see the remote gateway, it
> sees the NAT'd IP.
>
> I do use advanced outbound NAT to force certain traffic out WAN2. That said,
> how do I get IPSEC working over WAN2 (aside from changing the selected
> interface in the SA)?

Terminate the vpn on the upstream box?

--Bill



[pfSense Support] Static Route for IPSEC

2007-10-21 Thread Michael Richardson
I'd like to create a static route that points to a gateway over an IPSEC
tunnel but there is no IPSEC interface (as there is for PPTP). Can this be
done? How?





RE: [Fwd: Re: [pfSense Support] Dual Wan - Same Gateway]

2007-10-20 Thread Michael Richardson
One of the primary reasons I wanted a dual-wan configuration was so our 1st
15Mb line wasn't saturated with large file transfers, which we do regularly.
The next reason is for fail-over and/or load-balancing.

That said, I've implemented a NAT device to get the 2nd line on a separate
gateway (as far as pf is concerned) and tried to setup ipSec on the WAN2,
but I hadn't previously considered NAT traversal with IPSEC which is now an
issue. This means that the local pf box doesn't see the remote gateway, it
sees the NAT'd IP.

I do use advanced outbound NAT to force certain traffic out WAN2. That said,
how do I get IPSEC working over WAN2 (aside from changing the selected
interface in the SA)?


-----Original Message-----
From: Bill Marquette [mailto:[EMAIL PROTECTED] 
Sent: Thursday, October 18, 2007 9:24 AM
To: support@pfsense.com
Subject: Re: [Fwd: Re: [pfSense Support] Dual Wan - Same Gateway]

On 10/18/07, Paul M [EMAIL PROTECTED] wrote:
> Bill Marquette wrote:
> > You'll need another box to handle the WAN2.  Can't have two nics on
> > the same network, nor can you do multi-wan on one nic :)
>
> not even if you set that nic to trunk/802.1q, and used a vlan-aware
> switch?

I'll correct my terminology.  You need two interfaces...virtual, or
physical.  Not that it helps the original poster any as he still needs
another physical box so his load balancer doesn't have two interfaces
with the same gateway.

--Bill



RE: [pfSense Support] IPSec Tunnels from different WAN Interfaces

2007-08-06 Thread Michael Richardson
Thanks Scott. My routing experience is limited so I've got a question.

Interface: Wan2
Destination Network: 192.168.3.0/24
Gateway: (this a private/public IP? IPSec remote gateway, or the IP of WAN2,
or other)?


-----Original Message-----
From: Scott Ullrich [mailto:[EMAIL PROTECTED] 
Sent: Saturday, August 04, 2007 1:35 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] IPSec Tunnels from different WAN Interfaces

On 8/4/07, Michael Richardson [EMAIL PROTECTED] wrote:
> Bounty needed? Anyone else willing to contribute?

Add a static route for the tunnel on wan #2.  This works fine for me.

Scott



RE: [pfSense Support] IPSec Tunnels from different WAN Interfaces

2007-08-04 Thread Michael Richardson
Bounty needed? Anyone else willing to contribute?

 

  _  

From: Tunge2 [mailto:[EMAIL PROTECTED] 
Sent: Friday, August 03, 2007 5:31 AM
To: support@pfsense.com
Subject: RE: [pfSense Support] IPSec Tunnels from different WAN Interfaces

 

This is a known issue. We are having the same problem.


 

  _  

From: Michael Richardson [mailto:[EMAIL PROTECTED] 
Sent: Friday, August 3, 2007 14:15
To: support@pfsense.com
Subject: [pfSense Support] IPSec Tunnels from different WAN Interfaces

I've found that if I add an IPSec tunnel (already have 2 running) and assign
it to my wan2 interface, all tunnels fail (they stop without error and won't
come back up until I change the new tunnel to use the primary wan
interface). Should this happen? Known issue? Workaround? I purchased our 2nd
line specifically for this purpose so I hope to get this working.

 

I'm running 1.0.1-SNAPSHOT-03-27-2007 built on Sun Apr 8 18:57:04 EDT 2007

 

Thanks in advance.



RE: [pfSense Support] IPSec Tunnels from different WAN Interfaces

2007-08-04 Thread Michael Richardson
Thanks Scott. My routing experience is limited so I've got a question.

Interface: Wan2
Destination Network: 192.168.3.0/24
Gateway: (this a private/public IP? IPSec remote gateway, or the IP of WAN2,
or other)?


-----Original Message-----
From: Scott Ullrich [mailto:[EMAIL PROTECTED] 
Sent: Saturday, August 04, 2007 1:35 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] IPSec Tunnels from different WAN Interfaces

On 8/4/07, Michael Richardson [EMAIL PROTECTED] wrote:




> Bounty needed? Anyone else willing to contribute?

Add a static route for the tunnel on wan #2.  This works fine for me.

Scott




[pfSense Support] IPSec Tunnels from different WAN Interfaces

2007-08-03 Thread Michael Richardson
I've found that if I add an IPSec tunnel (already have 2 running) and assign
it to my wan2 interface, all tunnels fail (they stop without error and won't
come back up until I change the new tunnel to use the primary wan
interface). Should this happen? Known issue? Workaround? I purchased our 2nd
line specifically for this purpose so I hope to get this working.

 

I'm running 1.0.1-SNAPSHOT-03-27-2007 built on Sun Apr 8 18:57:04 EDT 2007

 

Thanks in advance.



RE: [pfSense Support] SNMP Monitoring of pfSense

2007-07-29 Thread Michael Richardson
That attack has restarted from 208.115.223.167 !! 

-----Original Message-----
From: Kelvin Chiang [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 07, 2007 9:12 PM
To: support@pfsense.com
Subject: RE: [pfSense Support] SNMP Monitoring of pfSense

Hi Tim,

Yes, the rrdtool seems to work fine in the graphing, it generates traffic
graphs based on interface (but there is still a graph missing for iflabel0 or
something like this, not sure whether this is an OpenNMS or pfsense problem).
OpenNMS seems to be able to identify it as the source for Trapd, but I
have not tested with any event generation.
However, OpenNMS can only assign a single community string to an IP
address (at least this is what I realized), this means that the community
string you set on your pfsense for both SNMP and Trapd must be using the
same community string.

About Router, I am not too sure what happened. I remember seeing OpenNMS
identifying a Cisco device as a router once before, but it does not
recognize pfsense as a router.

I hope these help. I do not know too much about SNMP and am still in the process
of exploring pfsense SNMP compatibility with various open source NMS;
currently, OpenNMS seems to do the job best.

If it helps... Maybe we can talk more to see how we can generate some
documents regarding pfsense and NMS.

Regards, Kelvin

-----Original Message-----
From: Tim Nelson [mailto:[EMAIL PROTECTED]
Sent: Friday, June 08, 2007 12:01 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] SNMP Monitoring of pfSense


When you say it doesn't recognize it as a router... in what regard? 
OpenNMS applies certain attributes to devices that it believes to be 
routers? Using OpenNMS are you able to poll individual interfaces on 
your box for graphing and logging purposes?

--Tim

Kelvin Chiang wrote:
> Hi Tim,
>
> I do not know much to make any comments on what happened to the SNMP
> daemon on your pfsense. I am using OpenNMS and it seems to work fine,
> except that it does not recognize it as Router. I am using v2c for
> SNMP polling. I have not tested the trapd though.
>
> Regards, Kelvin
>
> -----Original Message-----
> From: Tim Nelson [mailto:[EMAIL PROTECTED]
> Sent: Friday, June 08, 2007 10:35 AM
> To: support@pfsense.com
> Subject: Re: [pfSense Support] SNMP Monitoring of pfSense
>
> Any word?
>
> --Tim
>
> Tim Nelson wrote:
>
> Hello! I would like to monitor traffic totals with SNMP for each of
> my interfaces. I use JFFNMS as my network monitoring system. I enable
> SNMP and set the proper community strings. However, when I poll the
> pfSense box, SNMP does not show the interfaces. Does pfSense use
> nonstandard OIDs? Also, does the SNMP daemon allow for per interface
> monitoring or does it simply provide an aggregate of traffic going
> through the system? Thank you!!!
