Re: [pfSense Support] 1.2.3RC1 embedded: wireless communication with Nokia N97 stops after a few KB but the connection doesn't drop
Angelo wrote:
> I have a weird wireless connection issue with my new Nokia N97, hope ...
> Yesterday I bought a Nokia N97 and as soon as I came back home I started playing with it. I joined my wireless network and typed the PSK and the

Hi Angelo,

there's definitely something odd in the latest Nokias; my sister-in-law has a Nokia N96 and a Netgear DG834GT wireless/router/adsl.

the wireless router works with every other device I have - dual-boot winXP linux laptop, nokia tablet, nokia e65, but I get exactly the same problem as you described with the N96, it's been reported by many: http://www.google.co.uk/search?q=n96+wireless+dg834gt

I tried reflashing the nokia with the latest *generic* firmware instead of the slightly crippled and dated T-Mobile version, but it didn't work.

my guess is that the dg834gt uses a specific atheros wifi chipset and there's some incompatibility with Nokia; I didn't manage to get it working, but since she had an all-you-can-eat data tariff she wasn't too bothered.

Paul

- To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] em0: Watchdog timeout -- resetting
Nathan Eisenberg wrote:
> The error I am seeing is em0: Watchdog Timeout -- Resetting, which seems to have several root causes. I have tried disabling ACPI, both in

we had this, it was very odd, it only started happening when we upgraded the bios on a tyan motherboard to fix other problems, the firewalls had never shown the problem before.

in desperation we tried a fix which we'd only ever previously used for linux - there used to be a problem with the e1000 driver when power saving is enabled in the e1000's eeprom.

the fix worked, and I applied it by booting a linux rescue disk and ran the eeprom fix program that I got from the e1000 sourceforge website; their wiki seems to have disappeared so I can't find the script, so I've placed a copy here:
http://www.zaurus.org.uk/download/scripts/fixeep-82573-dspd.sh

if you have the problem on linux you get "detected tx unit hang" thus:
http://sourceforge.net/tracker/index.php?func=detail&aid=1463045&group_id=42302&atid=447449
Re: [pfSense Support] Openvpn - same client ip with users.
Ezat wrote:
> Thanks Paul, The config looks sane to me.. I've rebooted the device but still no go.

I've compared your config closely with mine, so it has to be the client config. Here's my definitively working client config:

client
log /etc/openvpn/client.log
status /etc/openvpn/client.status
daemon
dev tun3                 # Generate/use tun
proto udp
keepalive 10 60          # Some ping like messages
persist-tun              # Some persist options
persist-key              # Some persist options
resolv-retry infinite
comp-lzo                 # Enable compression
verb 1                   # Log verbosity
# nobind                 # UDP high local port
remote xxx.xxx.xxx 1194  # OpenVPN server

it's important there's no ifconfig line at all.
Re: [pfSense Support] Openvpn - same client ip with users.
Ezat wrote:
> Hey Paul,
> Yeh this has got me baffled. Anyway, I've attached my client log which looks to be okay.. The client I am using is from openvpn.se... v1.0.3 from what the about info states.. Not sure if that is a problem either.

are your users behind the same NAT gateway by any chance?

drop the port 1194 and use nobind?

also drop the tls-client, dev-node, ns-cert-type-server and pull lines just for the moment.

> Here is my client config
>
> #float
> port 1194
> dev tun
> dev-node ovpn
> #proto tcp-client
> remote x.x.x.x 1194
> ping 10
> persist-tun
> persist-key
> tls-client
> ca ezat.crt
> cert ezat.crt
> key ezat.key
> ns-cert-type server
> comp-lzo
> pull
> verb 4
>
> Off to get some shuteye... 2am here in Syd.. Thanks soo muchly for the help.
>
> Ezat
>
> Paul M wrote:
>> Ezat wrote:
>>> Thanks Paul, The config looks sane to me.. I've rebooted the device but still no go.
>>
>> I've compared your config closely with mine, so it has to be the client config. Here's my definitively working client config:
>>
>> client
>> log /etc/openvpn/client.log
>> status /etc/openvpn/client.status
>> daemon
>> dev tun3                 # Generate/use tun
>> proto udp
>> keepalive 10 60          # Some ping like messages
>> persist-tun              # Some persist options
>> persist-key              # Some persist options
>> resolv-retry infinite
>> comp-lzo                 # Enable compression
>> verb 1                   # Log verbosity
>> # nobind                 # UDP high local port
>> remote xxx.xxx.xxx 1194  # OpenVPN server
>>
>> it's important there's no ifconfig line at all.
Re: [pfSense Support] OpenVPN super-slow upload speeds
> on OpenVPN from home - using Tunnelblick on my DSL (6mbit down 768 up).

OT: we've started switching Mac OSX users to viscosity, much nicer/easier to use - a proper OSX application instead of a simple GUI to openvpn executable. It will also import tunnelblick settings too.

It does have a programming error whereby if you entered anything into X509 settings for CA use, it doesn't disable them if you switch to a shared key.
Re: [pfSense Support] Why DHCP and portal logs are limited to 65535 octets?
Xhark wrote:
> It's not configured in conf file ? Possible to syslog loopback 127.0.0.1 with special package ?

future releases will make syslog bind only to 127.0.0.1 so that you can have syslog-ng running in parallel - see my other posts about this.
Re: [pfSense Support] Why DHCP and portal logs are limited to 65535 octets?
[EMAIL PROTECTED] wrote:
> Have you some URL about installation of syslog-ng ? thank you !

search the mailing list?
Re: [pfSense Support] Virtualizing pfSense
> Make Windows Vista more reliable and secure with Windows Vista Service

I thought it was one of those witty tag-lines along Make Vista more
http://www.flickr.com/photos/[EMAIL PROTECTED]/2146586273/
Re: [pfSense Support] Why DHCP and portal logs are limited to 65535 octets?
Gary Buckmaster wrote:
> This is intentional as part of the design of m0n0wall, which pfSense inherited. pfSense uses clog for system logging and all logs are kept in a circular format so as not to consume limited disk space available to embedded systems. The work-around for this is to use a remote syslog.

it's also possible to install syslog-ng which binds to the sync or lan IP, make syslog bind to just 127.0.0.1, then make it remote syslog to that new instance of syslog-ng so that you can keep full files locally and also remote log again to your log server. search the mailing lists for more details.
Re: [pfSense Support] bsdperimeter.com down -- what is the state of commercial support for pfSense?
Timo Schoeler wrote:
> thus Chris Buechler spake:
>> On Fri, May 9, 2008 at 5:32 AM, Timo Schoeler [EMAIL PROTECTED] wrote:
>>> Hi there,
>>> I'm about to sell a bunch of pfSense-based Firewalls to a customer (who wants to run a nice loadbalanced setup). What about commercial support? bsdperimeter.com is down, as it seems to me...
>>
>> Thanks for the heads up, our hosting server rebooted yesterday and all the jails didn't start properly. Thought we got them all, but missed that one. Working now.
>
> Yeah, thought something like this: nmap probed port 80, 443 and another one as /closed/. This is a sign that perfectly fits in your description.
>
> Cheers,

just a thought... is it possible to have pfsense's load balancer system report* when it cannot find any of the hosts in the pool. also, if operating in failover mode, report when the primary has gone down?

*by email?
Re: [pfSense Support] How to tell current OpenVPN clients
Merul Patel wrote:
> If my PHP were worth more than diddly squat I'd be tempted to write something.

sounds like an excuse to learn a bit of php!
Re: [pfSense Support] boot usb without bios support
people have already suggested booting the live CD with the config on USB, so that problem's solved.

try www.bootdisk.com for useful stuff, and I recommend Ultimate Boot CD as a valuable resource.
http://www.ultimatebootcd.com/
Re: [pfSense Support] Pfsense problem..
Daniel Rapp wrote:
> Hi, we have two firewalls running pfsense, they are running version 1.2-rc2 embedded

1.2 release has been out for quite a while and you should strongly consider updating, even though it won't fix your bridging
Re: [pfSense Support] Who has some good numbers to share for load balancing?
Wade Blackwell wrote:
> -intelligent load balancing of TCP services (fail a load balanced node/server out of the pool when the service fails)

the load balancing does detect failed back-ends but only if they cease listening on their TCP sockets, there's no content checking, so you can't detect, for example, a jsp problem where server is b0rked but still doing the http stuff.

otherwise pfSense will fit your needs very well.
Re: [pfSense Support] multiple openvpn clients using shared key?
Paul M wrote:
> to answer my own question, no, you can't use shared key and have multiple clients. OK, so I was being lazy!!! I generated the keys using the instructions here: http://openvpn.net/howto.html#pki
>
> note. I found I had two sets of easy-rsa scripts for making keys, /usr/share/openvpn and also in /usr/share/openvpn/2.0, and the ones in the former caused an unsupported certificate purpose error, I used the scripts in the 2.0 directory and it all worked.
>
> I'm still setting up separate openvpn daemons each with their own CA for the moment.

this approach seems to work fairly well, each person gets their own CA and multiple client certs, so that if someone leaves I simply kill their server, and I don't need to hack around with the config to ensure each person gets an IP unique to them as each openvpn server then has its own net block.

the easy-rsa scripts make generating all the certs and keys really easy.
Re: [pfSense Support] System Time
Curtis LaMasters wrote:
> status.php probably has it somewhere. If not you could issue a command via the GUI in the diagnostic menu.

it does. it would probably be useful to have the system time on the index.php system summary page?

how would you browse to status.php, there doesn't seem to be a link to it from the menus?
Re: AW: [pfSense Support] Filtering OpenVPN Road Warrior Clients
because you can't specify filters on openvpn clients, we simply built a separate box which is a dedicated openvpn server; this also means we can keep our main firewalls locked down better and the openvpn clients come in via a DMZ which gives better tracking.
Re: [pfSense Support] Wanted: Tips for a VLAN capable switch (for home use)
Eugen Leitl wrote:
> I have a Netgear ProSafe GS108T-xy, which is GBit, managed, and fanless. You might have to upgrade the latest firmware, as Netgear consumer stuff is typically buggy in the first generation, and the support sucks.

let me help you... s/first generation//g
Re: [pfSense Support] multiple openvpn clients using shared key?
Paul M wrote:
> Curtis LaMasters wrote:
>> Is this client connected over wireless? That looks like a TKIP replay error and not really anything to do with OpenVPN. To have multiple people connecting with the same key in OpenVPN you will need to use duplicate-cn on the server side under custom options.
>
> no, they're at home on the end of a cable modem or adsl
>
> sorry, I should have said, that log is from the pfsense system logs-openvpn log
>
> to answer my own question, no, you can't use shared key and have multiple clients. OK, so I was being lazy!!! I generated the keys using the instructions here: http://openvpn.net/howto.html#pki
>
> note. I found I had two sets of easy-rsa scripts for making keys, /usr/share/openvpn and also in /usr/share/openvpn/2.0, and the ones in the former caused an unsupported certificate purpose error, I used the scripts in the 2.0 directory and it all worked.
>
> I'm still setting up separate openvpn daemons each with their own CA for the moment.
>
> Paul
Re: [pfSense Support] openvpn tunnel using public ip's from 1 side
Chris Flugstad wrote:
> In my colo, where I have lots of public IPs, and my openvpn server, id like to use these ip's at a remote location on the other end of a vpn

I think you'd have to use a userspace redirection program like jumpgate.
[pfSense Support] multiple openvpn clients using shared key?
I've set up a bunch of openvpn daemons on a separate server, so that each person who connects gets a distinct IP address allowing me to give very fine-grained control over who can access what when connecting remotely. I am using shared keys for simplicity.

I allocated a /29 (block of 8) IPs to each person, so that they could have multiple vpns at the same time, e.g. from multiple machines at home, or one from home and one from their laptop if on the road.

My problem is that the 2nd client connection breaks the first, neither then work at all, and I get a lot of errors like the following appearing

openvpn[77421]: Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #18 / time = (1207153193) Wed Apr 2 16:19:53 2008 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings

Is the problem that I cannot have a multiple-client-one-server scenario when using shared key?

thanks very much

Paul
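Why the second static-key client breaks the first, shown as a simplified model (an added example, not code from the thread or from OpenVPN): each OpenVPN peer numbers its data packets, and the receiver rejects IDs that fall behind its replay window, which is the "bad packet ID (may be a replay)" line above. With a shared --secret the server has exactly one session and therefore one window, so two clients that both start counting at 1 feed the same window and the second client's IDs look like replays of the first's; with per-client TLS sessions each client gets its own window. The window size of 64, the client names and the omission of the timestamp half of the packet ID are assumptions made for the model.

```python
# Simplified model of OpenVPN's packet-ID replay check (constructed example,
# not OpenVPN code). The default size mimics --replay-window 64.


class ReplayWindow:
    """Sliding-window replay protection over monotonically numbered packets.

    An ID is accepted if it is newer than the highest ID seen so far, or if it
    lies inside the window behind that highest ID and has not been seen yet.
    Anything else is what the daemon logs as "bad packet ID (may be a replay)".
    """

    def __init__(self, size=64):
        self.size = size
        self.highest = 0      # highest packet ID accepted so far
        self.seen = set()     # IDs accepted inside the current window

    def accept(self, pid):
        if pid > self.highest:
            self.highest = pid
            self.seen.add(pid)
            # forget IDs that have fallen out of the window
            self.seen = {p for p in self.seen if p > self.highest - self.size}
            return True
        if pid <= self.highest - self.size or pid in self.seen:
            return False      # too old, or already seen: treated as a replay
        self.seen.add(pid)    # late but in-window and new: accepted
        return True


class Client:
    """A peer that numbers its own packets from 1, as every OpenVPN peer does."""

    def __init__(self, name):
        self.name = name
        self.next_pid = 1

    def send(self):
        pid = self.next_pid
        self.next_pid += 1
        return self.name, pid


def run_static_key(clients, rounds):
    """--secret mode: ONE session on the server, so one window for all clients.
    Returns a list of (client, packet_id, accepted) in arrival order."""
    window = ReplayWindow()
    log = []
    for _ in range(rounds):
        for c in clients:
            name, pid = c.send()
            log.append((name, pid, window.accept(pid)))
    return log


def run_tls_sessions(clients, rounds):
    """TLS/PKI mode: the server keeps a separate session, hence a separate
    replay window, per client certificate."""
    windows = {c.name: ReplayWindow() for c in clients}
    log = []
    for _ in range(rounds):
        for c in clients:
            name, pid = c.send()
            log.append((name, pid, windows[name].accept(pid)))
    return log


def rejected(log):
    """(client, packet_id) pairs the server would have logged as replays."""
    return [(name, pid) for name, pid, ok in log if not ok]


if __name__ == "__main__":
    print("static key:", rejected(run_static_key([Client("home-pc"), Client("laptop")], 3)))
    print("per-client TLS:", rejected(run_tls_sessions([Client("home-pc"), Client("laptop")], 3)))
```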
Re: [pfSense Support] Seagate Microdrive 8GB
Michel Servaes wrote:
> microdrive)... but it seems the drive cannot be found with the installer of pfsense. I can however format and install Windows 2003 if I want to (I cancelled the install, since this is not the use I intended it to be on this machine- but this is just to mention that the drive geometry is recognized by other OS - on the same motherboard)

There are microdrives around which have non-standard firmware, designed for mp3 player OEMs, to ensure that people don't buy up the cheap players and rip out the microdrive.
http://www.stevesforums.com/forums/view_topic.php?id=35786&forum_id=52&page=3

Make sure you weren't ripped off by buying the wrong device!
Re: [pfSense Support] unexpected network throughput
Eric Baenen wrote:
> Using scp -c blowfish definitely improved things - went from 60Mbps transfer to 70Mbps and cpu load on the pfSense firewalls varied from 50% to 70%.

interesting, I tried this across our lanex and got 20MB/s default (3des), 24MB using blowfish, and 29MB/s using plain old des. both machines were core2duo, receiving end was laptop (but copying file to /dev/null), sending end big server with core2duo @2.8GHz, so I'm surprised the CPU was playing such a big part.
Re: [pfSense Support] No routing between internal zones
Tim Nelson wrote:
> I'd throw a nice big ALLOW ANY PROTOCOL ANY DESTINATION ANYWHERE AND EVERYWHERE at the top of your rules and see if the problem is fixed. If not, you've got bigger problems. If so, check your rules a bit more carefully.

ouch! don't you come near my firewalls!

if you really really had to, make rules which allow from any of YOUR ip addresses to any, with a protocol/service you can trust (ssh, dns).

quite often these problems are caused because if you have multiple possible routes between networks, and the routing is asymmetric, then stateful inspection will kill things.

using tcpdump -l -n -i interface icmp and ensuring that packets enter/leave on the same interface will help - test all interfaces to make sure the ingress and egress interfaces are correct!
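One way to make the tcpdump check above repeatable (an added example, not something from the thread): run `tcpdump -l -n -i <if> icmp` on each interface, prefix every captured line with the interface name, then pair echo requests with their replies by id/seq and flag each flow whose reply was seen on a different interface than its request, which is exactly the case where stateful inspection drops the return traffic. The sample capture, addresses and interface names below are constructed.

```python
import re

# Constructed sample: lines from "tcpdump -l -n -i <if> icmp" on two interfaces,
# each prefixed with the interface it was captured on (not traffic from the thread).
SAMPLE = """\
em0 12:00:01.000 IP 10.1.0.5 > 10.2.0.9: ICMP echo request, id 100, seq 1, length 64
em0 12:00:01.001 IP 10.2.0.9 > 10.1.0.5: ICMP echo reply, id 100, seq 1, length 64
em0 12:00:02.000 IP 10.1.0.5 > 10.3.0.7: ICMP echo request, id 100, seq 2, length 64
em1 12:00:02.001 IP 10.3.0.7 > 10.1.0.5: ICMP echo reply, id 100, seq 2, length 64
em0 12:00:03.000 IP 10.1.0.5 > 10.4.0.1: ICMP echo request, id 100, seq 3, length 64
"""

# <ifname> <timestamp> IP <src> > <dst>: ICMP echo request|reply, id N, seq M, ...
LINE = re.compile(
    r"^(?P<ifname>\S+)\s+\S+\s+IP\s+(?P<src>[\d.]+)\s+>\s+(?P<dst>[\d.]+):\s+"
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse(text):
    """Yield one dict per parsable ICMP echo line; other lines are ignored."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            p = m.groupdict()
            p["id"], p["seq"] = int(p["id"]), int(p["seq"])
            yield p


def check_symmetry(text):
    """Pair each echo request with its reply by (id, seq).

    Returns {(src, dst, seq): status} where status is
      "ok"         reply seen on the same interface as the request,
      "asymmetric" reply came back on a different interface (the stateful
                   filter on the first interface never sees the return half),
      "no_reply"   request never answered within the capture.
    """
    pending, results = {}, {}
    for p in parse(text):
        key = (p["id"], p["seq"])
        if p["kind"] == "request":
            pending[key] = p
            continue
        req = pending.pop(key, None)
        if req is None:
            continue              # reply without a captured request: ignore
        flow = (req["src"], req["dst"], req["seq"])
        results[flow] = "ok" if req["ifname"] == p["ifname"] else "asymmetric"
    for (_, seq), req in pending.items():
        results[(req["src"], req["dst"], seq)] = "no_reply"
    return results


def problems(text):
    """Only the flows worth looking at, sorted for stable output."""
    return sorted((flow, status) for flow, status in check_symmetry(text).items()
                  if status != "ok")


if __name__ == "__main__":
    for (src, dst, seq), status in problems(SAMPLE):
        print(f"{src} -> {dst} seq {seq}: {status}")
```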
Re: [pfSense Support] Strange problem
Curtis Maurand wrote:
> No iptables. wasn't even installed until 2 minutes ago. No http proxy statements very generic gentoo installation on the laptop. I have not tried wget, but I did try telnet to a host on port 80 and the connection hung. I had to do a ^] to get out of it. I have not tried wget, lynx or curl, though they are all installed.

if telnet hasn't connected, ^] won't have any effect, you'd use ctrl-c to kill it. it sounds as if the TCP connects but doesn't connect.

> I'll try a tcpdump from the pfsense machine the next time I'm in there and see what I find.

could it be an MTU problem - if you're dropping packets over a certain size then the tcp 3WH will complete but no data will flow. try reducing the mtu on the broken box to, say, 1000.
Re: [pfSense Support] Microdrive or CF card
Eugen Leitl wrote:
> Noise: I think the microdrive is next to silent. IIRC reliability is a problem.

I've never heard the microdrive in my zaurus c3100, and I can't remember the last time I heard of one fail!

damn, I've just doomed myself, haven't I?
Re: [pfSense Support] IPSEC
Bryan Derman wrote:
> If curl is available on the development disk (or somewhere) and was installed on the production version, the script could easily be modified

login as root and install it thus?

# curl
curl: Command not found.
# pkg_add -r curl
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-6.2-release/Latest/curl.tbz... Done.
# rehash
# curl -I www.google.com
HTTP/1.1 302 Found
Location: http://www.google.co.uk/
Cache-Control: private
Set-Cookie: PREF=ID=3edd03dd328b5c04:TM=1204632103:LM=1204632103:S=YYPAA8zXB5IAp1wM; expires=Thu, 04-Mar-2010 12:01:43 GMT; path=/; domain=.google.com
Content-Type: text/html
Server: gws
Content-Length: 221
Date: Tue, 04 Mar 2008 12:01:43 GMT
Re: [pfSense Support] Re: Typo in 1.2 Release RRD?
Ugo Bellavance wrote:
> Jason J. Ellingson wrote:
>> I see on my RRD graphs for traffic (haven't looked elsewhere yet)... that the last 6 month graph is showing Nov twice and skipping Feb. At the bottom of the graph, I see: Sep Oct Nov Nov Dec Jan Mar
>> Perhaps just mine doing this? I had this pfSense box offline for about 25 days (mid Jan to mid Feb) to test a different box.
>> - Jason
>
> Same here, 1.2 RELEASE

sorry, but we don't have this. machine started as 1.2rc2, upgraded each time and now on 1.2-release
Re: [pfSense Support] Ping
Anil Garg wrote:
> In my pass-through for PPTP and IPSEC, I had a rule that allowed any...all..any for only TCP IP protocol. I have now changed that to any protocol all the way to the end any. Is this ok on the VPN interfaces like PPTP and IPSEC?

adding rules which permit any-any, even if it's all kinds of icmp, is a bad idea. if you don't know why, you need to read a good book on firewalls etc. here's a good start.
http://preview.tinyurl.com/26fm8z

I don't want to be rude, but in the main, pfsense is a product for people who understand internet security at least in some detail.
[pfSense Support] wrong email addresses on mail list page
http://www.pfsense.org/index.php?option=com_content&task=view&id=66&Itemid=71

the unsubscribe email address is incorrect in the href for support-unsubscribe, it's the same as the subscribe one!

HTH

Paul
Re: [pfSense Support] pfSense Hardware opinion
Nuno Gonçalves wrote:
> DELL PowerEdge R200
> Quad Core Intel® Xeon® X3210, 2.13GHz OR Quad Core Intel® Xeon® X3210, 2.13GHz
> 2 Gigabit nics
> 2GB RAM 667MHz dual rank ECC (2x1GB)
> 160GB SATA 7200rpm

probably far more than you need, though admittedly we are running with pairs of machines of similar specification (because we reduce the number of different types of machines for which to keep spares).

I would opt for low voltage/power xeons, lower clock speed to save power, western digital green power drives as they consume less power and you won't notice the performance hit.

even if you don't care about the environmental impact, your datacentre will thank you for reduced electricity bills and lower heat dissipation!
Re: [pfSense Support] enabling high performance tcp - freebsd
Scott Ullrich wrote:
> On 2/21/08, Paul M [EMAIL PROTECTED] wrote:
>> apparently since kernel 2.6.17 linux auto-tunes, so this advice is a bit out of date... in fact it might be really bad advice because using setsockopt and setting RCVBUF and SNDBUF will actually disable autotuning.
>
> pfSense does not use linux and has absolutely nothing to do with any linux kernels.

yes, I know that, but the referenced article had large sections about linux, and there will be a number of people on this list who use linux who might read the article and go off with out of date information.
Re: [pfSense Support] pfsense crashed out
Ngawang Sangye wrote:
> There were error(s) loading the rules: /tmp/rules.debug:191: rule label too long (max 63 chars) pfctl: Syntax error in config file: pf rules not loaded - The line in question reads [191]:
> pass in quick on $wan proto { tcp udp } from any to { 192.168.2.58 } port = 36239 keep state label USER_RULE: NAT John Doe - taking over from Jane torrent
>
> I have a feeling that the dash character - in the description caused a big problem with the NAT rules list, script. I kept getting this reload error and a lot of things stopped working. Now Pfsense has crashed as I try to remove the entries. Changing the NAT entry didn't change the firewall rule entry that was related.

the overlong tag is a known bug, shorten the text and the problem will go away.
[pfSense Support] syslogd parameters in /etc/inc/system.inc
can the system script be modified, please, to tell syslogd to only bind to localhost?

# diff system.inc.orig system.inc 412c412 $retval = mwexec(/usr/sbin/syslogd -s -f {$g['varetc_path']}/syslog.conf); --- $retval = mwexec(/usr/sbin/syslogd -b 127.0.0.1 -s -f {$g['varetc_path']}/syslog.conf); 415c415 $retval = mwexec(/usr/sbin/syslogd -ss); --- $retval = mwexec(/usr/sbin/syslogd -b 127.0.0.1 -ss);

thanks!

Paul
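Review bot: the 415c415 hunk adds `-b 127.0.0.1` to `syslogd -ss`, but the doubled `-s` already stops syslogd from opening any network socket, so the bind address there changes nothing and can be dropped. The 412c412 hunk is the one that matters: once that socket is pinned to 127.0.0.1, any remote syslog target in syslog.conf has to be reachable from loopback, which is why the syslog-ng relay described elsewhere in this thread is needed; the patch should say so in a comment next to the mwexec call, and the submitter should confirm that logging to the remote log server still arrives after the change, since a silent loss of remote logs is the failure mode to watch for here.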
Re: [pfSense Support] bug report - missing network device still listed as up
Ermal Luçi wrote:
> Can you please open a ticket for this!

done
http://cvstrac.pfsense.com/tktview?tn=1652,6

> On Thu, Feb 14, 2008 at 5:03 PM, Paul M [EMAIL PROTECTED] wrote:
>> Is this a known bug?
>>
>> when you remove a network device from a working configured pfsense 1.2rc4 machine, it still boots up, and the web UI interface summary says the device is up, but has no details (no mac, no IP, etc)
>>
>> we discovered this when one of our firewall servers died, and problem was the PCIX twin-port NIC. luckily we are able to do without that NIC, so we booted the machine without it, using the motherboard's intel twin giga ports for wan lan, and intel e100 for sync.
>>
>> so, devices BGE0 and BGE1 disappeared completely, but the webui still lists interface we called DMZ as being up!
>>
>> Paul
Re: [pfSense Support] syslogd parameters in /etc/inc/system.inc
Scott Ullrich wrote:
> I will look into it. In the future, please see this for submitting patches: http://devwiki.pfsense.org/SubmittingPatches

sorry I stand corrected
[pfSense Support] bug report - missing network device still listed as up
Is this a known bug?

when you remove a network device from a working configured pfsense 1.2rc4 machine, it still boots up, and the web UI interface summary says the device is up, but has no details (no mac, no IP, etc)

we discovered this when one of our firewall servers died, and problem was the PCIX twin-port NIC. luckily we are able to do without that NIC, so we booted the machine without it, using the motherboard's intel twin giga ports for wan lan, and intel e100 for sync.

so, devices BGE0 and BGE1 disappeared completely, but the webui still lists interface we called DMZ as being up!

Paul
[pfSense Support] enabling high performance tcp - freebsd
http://www.psc.edu/networking/projects/tcptune/#FreeBSD

this has some recommendations for setting options in freebsd to improve network performance; I don't know whether it's current wisdom though.

the stuff about linux kernel autotuning is quite interesting, especially where it says to not use setsockopt to change buffering otherwise you break autotuning.
[pfSense Support] 1.2RC5 or release
Hi,

given the number of minor bug fixes, will we be seeing a 1.2RC5 variant sometime, or is the next step a full release?

thanks

Paul
Re: [pfSense Support] BGP status
Royce Mitchell III wrote:
> Is the BGP package for pfsense available, yet? Also, does it play nice with CARP, or is CARP even necessary when you have BGP?

I think CARP is a very different thing - BGP is a way of having multiple circuits to different ISPs to get resilience internet connectivity. CARP is a way of having two devices share an IP.

Or am I missing some clever use of BGP and CARP?
[pfSense Support] carp status page wish
Hi,

would it be possible to have the carp status page also show the carp description field, as at the moment it's not very informative.

AtDhVaAnNkCsE

Paul
Re: [pfSense Support] Multiple servers behind NAT'd firewall
I'm not 100% sure, but I've noticed that if you create a new CARP entry on the WAN, the nat reflection doesn't get set up until you make some other change.
Re: [pfSense Support] router failover
Curtis LaMasters wrote:
> I've been operating in this configuration for 6 months in two locations without a problem. The version upgrade went very nicely as well because I could fail over to the 2nd firewall, do the upgrade and reboot without taking down the network. We are running on Dell 1750's w/ 2Gb ram, dual proc, dual power supplies and 4 NIC's per server (1 wan, 1 lan, 1 sync, 1 future 2nd ISP). Probably the cheapest and most robust solution on the market.

aol we too /aol - three sets of paired-machine firewall clusters.

except we're using commodity Tyan 1U servers with core2duo motherboards with 2GB RAM. the motherboards have dual Intel 1000baseT (em0) and a single Intel 100baseT (fxp), the latter used for sync; some also have twin-port 1000baseT pcix cards for DMZs. I use vlans for the internal network into cisco 3560E's (wire speed gig switch).

when they're not fiddled with they just work. our only problem has been split brain at our colo site, we think because the separate patching to the ISPs routers is filtering traffic which is affecting CARP, we don't get this elsewhere.

we also use pfSense as a VPN termination server, core2quad for number crunching.

so, we're happy. memo to self: look into making another donation.

Paul
Re: [pfSense Support] Fresh Install -- Broken logging
Jack Doyle wrote:
> I've just reinstalled (fresh this time) 1.2-RC4 and logging has, once again, stopped. The last log entry I have anywhere is at 16:22 (it is now 18:28). I just generated some traffic that should be logged and it is not. This includes the system log, firewall log, DHCP log, all of them. Anyways, I can't seem to figure out why this is happening. Please help.

could you start syslogd manually with debug enabled and no-daemon so you can see why it dies?

sorry if this is really obvious, but is /var or /var/log a separate partition, and is it full, or are you seeing errors on the console indicating a disk fault?
Re: [pfSense Support] Re: IPv6
Eugen Leitl wrote:
> On Wed, Jan 30, 2008 at 09:19:21PM +0200, Graham Beneke wrote:
>> While I can appreciate that this is an issue of supply vs demand - I would like to say that I think that it would be in the best interests of the project to aim for at least an IPv6 capable beta release before the end of this year.
>
> That sounds like good advice (I'm not particular to that date). IPv6 support on home and company LAN is already easy, but 6to4 tunnels across WAN is

I would agree that IPv6 shouldn't be left totally on the back burner - at the very least ensure that consideration is given to ipv6 support when any changes are being made - start early and it should be less of a burden!
Re: [pfSense Support] possible bug in filter rule replication
Gary Buckmaster wrote:
> Paul M wrote:
>> I've noticed that if I have a pair of firewalls - master/slave - and have a comment in the filter rules which contains a colon or a fullstop, they are replaced by spaces when the rules are replicated. is this a known bug?
>
> Without looking at the code, I suspect that this is intentional. Colons and other special characters can munge up the rules parsing and I'm guessing there's some input validation code that's cleaning out characters that can cause problems.

well, sounds reasonable, but why don't these punctuations get removed on the master's rule set?
[pfSense Support] minor fix/request: button positions on NAT page compared to rules
on the nat page, the buttons to the right of the nat look like this E + on the rules page, the buttons to the right are E X + maybe I'm being fussy, but could the nat page be changed to suit the rules? thanks! Paul
Re: [pfSense Support] VLAN NIC's
Curtis LaMasters wrote: I agree with Ngawang, Intel is the way to go for a well supported NIC. The pfSense website has a HCL on it for FreeBSD at http://pfsense.com/index.php?id=37. Let us know if you have any issues. Curtis <aol>me too!</aol> however, be warned, if you need jumbo frame support, choose the NIC carefully.
Re: [pfSense Support] VLAN NIC's
Paul Cockings wrote: Many thanks for the quick responses :-) p.s. the twin-port gigabit NIC cards work very well too. oh, yes, I am using PCI-X cards, the single-port ones are modest price, the dual-port ones are quite pricey (GBP110-ish or US$220). I have also used some broadcom twin-port NICs but haven't tested them for vlan, they too are PCI-X and quite expensive - similar to above Paul
Re: [pfSense Support] nat labelling bug?
Chris Buechler wrote: There were error(s) loading the rules: /tmp/rules.debug:149: rule label ... Looks like a missing or incorrect input validation check, can you open a ticket at http://cvstrac.pfsense.org please? done! http://cvstrac.pfsense.com/tktview?tn=1619
Re: [pfSense Support] WG: Why there is no possibility to Filter the Firewallogs per Day/Week/Source IP etc.?
Marco Henggeler wrote: Now without Cert... -Original Message- From: Marco Henggeler Sent: Tuesday, 29 January 2008 11:11 To: 'support@pfsense.com' Subject: WG: Why there is no possibility to Filter the Firewallogs per Day/Week/Source IP etc.? Under Diagnostics: System logs: System there is a possibility to filter the system logfiles. Is there any chance to look at more than 2000 entries in the firewall log? pfsense doesn't keep the full logs, uses circular log files, if you want that you'll have to set up syslog to send logs to other server. I've had a hack at making syslogd bind to one IP on the firewall, making it send logs to a different IP on itself, and installing syslog-ng bound to the other IP... I can get it working but not repeatably... ... pfsense ignores settings in /etc/rc.conf.local and /usr/local/etc/rc.conf.local, so when you reboot everything breaks. paul
Re: [pfSense Support] Alternative Full Install Installation Methods
[EMAIL PROTECTED] wrote: I am trying to do a full install of pfSense onto a CF card. I have could you create a file of the right size, loopback mount it as a file system and install to that, tweak it as much as you want, and then 'dd' it to the CF card?
Re: [pfSense Support] Attempting to install pfSense; gets stuck
Scott Ullrich wrote: That portion of the installer takes quite a while depending on speed of the CF card, etc. Give it a bit longer. I presume the CF card is mounted noatime,async (or whatever it is in freebsd, I am thinking linux here)? I found that async makes a huge difference in speed - I had a flash memory card I thought was broken as it took so long to write, then I remembered to do async and it was so much faster!
Re: [pfSense Support] 1.2rc4 fresh install - waiting for backend
Scott Ullrich wrote: turned blue with a top grey bar saying F10 to refresh and a bar at the bottom saying Waiting for backed. any ideas what to look for? Not sure but please tell us every step of the boot process you take. What assigned interfaces you selected, etc. Also it might help to include a copy of /tmp/installer.log as well. on a suspicion, I decided to md5 the CD that my colleague burned, and it didn't match. burned a fresh disk and now it boots and goes to the assign interfaces stuff which is, I believe, correct; it hangs on starting WAN, but that's to be expected since WAN's not plugged in! so, I think I've wasted your time and apologise profusely! Paul
[pfSense Support] 1.2rc4 fresh install - waiting for backend
we had a test core2duo/1.8G tyan machine running 1.2rc3 which upgraded without a hitch, however, we wanted to use it for something else, so it got wiped. we then tried to install 1.2rc4, booted fine from cdrom, chose option 99 (no network cables being plugged in) and the screen turned blue with a top grey bar saying F10 to refresh and a bar at the bottom saying Waiting for backed. waited and waited, went away to do something more interesting; nothing happened for a couple of hours. now, the machine had previously been set up with mirrored disks on freebsd, so I booted a rescue disk and zeroed the whole disk to ensure the system was clean. tried again and still the same problem. so, tried a different machine, a supermicro core2duo which had been through the same process, as it was to be the backup firewall for the above, same problem. any ideas what to look for? thanks Paul
Re: [pfSense Support] Re: Log problems
Jack Doyle wrote: Yes, I did that with the old version, too, and it stopped logging after a short while. what happens if you kill and restart syslogd? does logging restart, or is the problem upstream?
Re: [pfSense Support] Intermediate CA in pfSense Captive Portal
Richard Sperry wrote: FYI Godaddy has certs for 14.95USD vs verisign, etc at 150ish. Other than making sure the chain is right, I have had no issues. I bought a wildcard ssl cert for not much more than that, so I could use it in all my firewalls as well as mail servers etc.
Re: [pfSense Support] Making a VPN Connection
Ryan Neily wrote: *_Return Receipt_* I emailed the guy to suggest he turn off his auto-acknowledge. sigh. But I wish people wouldn't post to the list with delivery status notifications and html etc etc.
Re: [pfSense Support] log rotation - keeping logs on x86 server as well as pushing via syslog
Scott Ullrich wrote: pfSense does not use newsyslog. It uses clog + syslogd. is there any way, even with a slight kludge, to have regular log files which rotate in a normal way with pfsense? Replace pfSense's syslogd with a stock FreeBSD's syslog and then edit /etc/rc and remove the clog statements. Just remember every time you update you'll have to go through this song and dance. ah, marvellous, thanks. one good thing about pfsense is the steady and not rushed progress, so I don't see this as too much of a problem thanks very much
Re: [pfSense Support] log rotation - keeping logs on x86 server as well as pushing via syslog
Scott Ullrich wrote: Replace pfSense's syslogd with a stock FreeBSD's syslog and then edit /etc/rc and remove the clog statements. Just remember every time you update you'll have to go through this song and dance. might I offer this patch to the /etc/rc file which detects if syslog-ng is installed and doesn't start clog. thanks Paul 151,176c151,172 pkg_info | grep syslog-ng /dev/null if [ $? -ne 0 ] ; then # generate circular logfiles if [ ! $PLATFORM = cdrom ]; then clog -i -s 512144 /var/log/system.log clog -i -s 512144 /var/log/filter.log clog -i -s 65535 /var/log/dhcpd.log clog -i -s 65535 /var/log/vpn.log clog -i -s 65535 /var/log/openvpn.log clog -i -s 65535 /var/log/portalauth.log clog -i -s 65535 /var/log/ipsec.log clog -i -s 65535 /var/log/slbd.log clog -i -s 65535 /var/log/lighttpd.log clog -i -s 65535 /var/log/ntpd.log else clog -i -s 65535 /var/log/system.log clog -i -s 65535 /var/log/filter.log clog -i -s 65535 /var/log/dhcpd.log clog -i -s 65535 /var/log/vpn.log clog -i -s 65535 /var/log/openvpn.log clog -i -s 65535 /var/log/portalauth.log clog -i -s 65535 /var/log/ipsec.log clog -i -s 65535 /var/log/slbd.log clog -i -s 65535 /var/log/ntpd.log fi --- # generate circular logfiles if [ ! 
$PLATFORM = cdrom ]; then clog -i -s 512144 /var/log/system.log clog -i -s 512144 /var/log/filter.log clog -i -s 65535 /var/log/dhcpd.log clog -i -s 65535 /var/log/vpn.log clog -i -s 65535 /var/log/openvpn.log clog -i -s 65535 /var/log/portalauth.log clog -i -s 65535 /var/log/ipsec.log clog -i -s 65535 /var/log/slbd.log clog -i -s 65535 /var/log/lighttpd.log clog -i -s 65535 /var/log/ntpd.log else clog -i -s 65535 /var/log/system.log clog -i -s 65535 /var/log/filter.log clog -i -s 65535 /var/log/dhcpd.log clog -i -s 65535 /var/log/vpn.log clog -i -s 65535 /var/log/openvpn.log clog -i -s 65535 /var/log/portalauth.log clog -i -s 65535 /var/log/ipsec.log clog -i -s 65535 /var/log/slbd.log clog -i -s 65535 /var/log/ntpd.log 185c181 mount_devfs devfs /dev --- mount_devfs devfs /dev 196c192 rm -rf /etc/rc.conf --- rm -rf /etc/rc.conf - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
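Review bot: the package test at the top of the 151,176c151,172 hunk, `pkg_info | grep syslog-ng /dev/null`, carries no redirection operator, so as shown grep searches the file /dev/null instead of its stdin, never matches, and the `$? -ne 0` branch starts clog whether or not syslog-ng is installed; if a `> /dev/null` was lost in the mail, say so, and either way `if ! pkg_info | grep -q syslog-ng; then` expresses the test without the separate `$?` check. The hunk also reads reversed: the side before `---` is the version containing the new test and the side after it is the stock /etc/rc, so `patch` would have to be run with -R; regenerate it with the original file as the first argument (`diff -u /etc/rc.orig /etc/rc`) so it applies directly.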
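Review bot: the last two hunks, 185c181 (`mount_devfs devfs /dev`) and 196c192 (`rm -rf /etc/rc.conf`), show identical text on both sides of `---`, so they are whitespace-only changes (the line-number shift of 4 is just the four lines the first hunk adds); drop them before submitting so the patch touches only the clog block, and regenerate with `diff -b` so stray indentation changes stay out of it.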
[pfSense Support] log rotation - keeping logs on x86 server as well as pushing via syslog
sorry to bring this up again, there was a brief discussion a while back, but I just wanted to clarify. we've got lots of disk space on our firewalls (100+ GB!), so that we don't need to worry about minimising logging, and also so that old logs can be archived at our leisure. however, pfsense rolls the logs over very frequently, and although I've looked at /etc/newsyslog.conf the settings there don't tie in with what's ending up on disk - various file names on disk don't have an equivalent in the file! is there any way, even with a slight kludge, to have regular log files which rotate in a normal way with pfsense? thanks Paul
[pfSense Support] relayd - was Re: [pfSense Support] hoststated
Scott Ullrich wrote: Well now it would be relayd since hoststated has been renamed. I would love to add this for 1.3 but unfortunately a lot of projects are piling up that might prevent me from working on this particular item in time for 1.3. if relayd exists in freebsd ports, I will consider looking into doing some sort of integration, but I must admit to knowing very little about the internals of pfSense (so, maybe this is a chance to learn)! cheers Paul
Re: [pfSense Support] relayd - was Re: [pfSense Support] hoststated
Scott Ullrich wrote: On Dec 20, 2007 6:01 AM, Paul M [EMAIL PROTECTED] wrote: if relayd exists in freebsd ports, I will consider looking into doing I can get it ported over for you very easily. Should not be hard to turn it into a FreeBSD port as well. I just do not have time to do the actual pfSense code conversion at the moment. we currently don't have any freebsd machines apart from the pfsense boxes, but we do have a spare server or two we could play with, so we were thinking of hacking a freebsd box for building packages. so, even if it were the most basic package you could provide, even just a binary we could run on pfsense test box, I'd be very happy to test it and provide feedback and config files etc. thanks very much Paul
Re: [pfSense Support] PPTP VPN
Richard Sperry wrote: Did you change the “use default gateway.” arrggghhh! HTML and advertising! stop the pain!
Re: [pfSense Support] Intel PRO/1000 PT Quad Port Copper PCI-E Support?
Tim Nelson wrote: Does pfSense (any version) support any of Intel's quad port gigabit cards for PCI-E? I'm looking specifically at the PRO/1000PT that uses the 82571GB chipset. The FreeBSD HCL lists this controller but I was hoping to see if anyone had used it successfully on pfSense. Thank you! we're successfully using a dual-port intel giga nic card if that helps. it's an Intel PRO/1000MT - a PCIX part. the boot message indicates it looks like the onboard Intel (em) giga devices - em0 and em1 are on-board, 2 and 3 are the PCIX ones. em0: Intel(R) PRO/1000 Network Connection Version - 6.2.9 port 0x4000-0x403f mem 0xdc18-0xdc19,0xdc10-0xdc13 irq 11 at device 3.0 on pci3 em0: Ethernet address: 00:1b:21:01:24:5a em1: Intel(R) PRO/1000 Network Connection Version - 6.2.9 port 0x4040-0x407f mem 0xdc1a-0xdc1b,0xdc14-0xdc17 irq 10 at device 3.1 on pci3 em1: Ethernet address: 00:1b:21:01:24:5b pcib4: ACPI PCI-PCI bridge irq 11 at device 28.4 on pci0 pci4: ACPI PCI bus on pcib4 em2: Intel(R) PRO/1000 Network Connection Version - 6.2.9 port 0x5000-0x501f mem 0xdc08-0xdc09,0xdc00-0xdc07 irq 10 at device 0.0 on pci4 em2: Ethernet address: 00:e0:81:4a:42:d2 pcib5: ACPI PCI-PCI bridge irq 10 at device 28.5 on pci0 pci5: ACPI PCI bus on pcib5 em3: Intel(R) PRO/1000 Network Connection Version - 6.2.9 port 0x6000-0x601f mem 0xdc28-0xdc29,0xdc20-0xdc27 irq 11 at device 0.0 on pci5 em3: Ethernet address: 00:e0:81:4a:42:d3 uhci0: UHCI (generic) USB controller port 0x3000-0x301f irq 9 at device 29.0 on pci0 HTH Paul
Re: [pfSense Support] OpenVPN Practical Application
Curtis LaMasters wrote: This weekend I've been reading a lot about OpenVPN on pfSense and OpenVPN in general. I guess I still have a few missing parts in my head because I can't connect the dots. Is OpenVPN a viable replacement for the Cisco VPN software and IPSec services on a PIX/ASA or is it not it works very well for us; however, you can't put access control on the pfsense box doing the termination, anyone connecting is essentially connected to the LAN (as a routable network). we simply built a separate pfSense box for vpn and connected it to a DMZ off the main firewall, that way I can have specific access rules for each openvpn user - inbound AND outbound.
Re: [pfSense Support] Symlink gone after power outage
Scott Ullrich wrote: On Nov 23, 2007 7:34 AM, Christian Krützfeldt [EMAIL PROTECTED] wrote: The other day I had an unexpected power outage and then when it was back on pfsense (1.2 RC2) didn't work. It booted fine until the point where it wanted to start pfsense. The hard disk somehow lost the symlink for the directory where the configuration file is stored. I have no idea how that could happen, but all I needed to do is recreate the symlink and after a reboot everything worked fine. The problem obviously is, when this happens the symlink has to be created locally as the server isn't reachable over the network. Since the code that creates the symlink for the configuration folder and all other symlinks is somewhere in there, would it be an option to run this code every time the server boots and simply recreate them every time. I know this won't solve the problem of the symlink disappearing, but it should overcome situations where this happens. Not really an option since we have so many ways of storing config.xml. Hard disk, compact flash, floppy disks, etc. Maybe we need to record where the config.xml resides and restore from that. But I am hesitant to make this change to the 1.2 branch as we are about to release. when I first started using pfsense with rc1, it was so unstable when either configuring CARP or expecting CARP to failover that the machine would crash or lockup and would nearly always lose the config.xml. even RC2 when changing carp interfaces can still crash pfsense, and I would have to manually recover the config.xml. (this is on regular x86 server)... so, if I'm not the only one who gets this problem then maybe the system needs a boot-time config.xml find/recovery/rescue option? Paul
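A boot-time find/recovery check of the kind Paul asks for at the end of the thread above, written here as an added example rather than taken from pfSense or from the list. It assumes the configuration directory is reached through a symlink (the /conf -> /cf/conf layout of a 1.2 full install is an assumption; the link and the candidate directories are passed as arguments so any layout works) and treats a config.xml without a closing </pfsense> tag as truncated, which is what a power cut mid-write tends to leave behind.

```shell
#!/bin/sh
# Added example, not pfSense code: if the symlink that points at the
# configuration directory is missing or dangling, find the newest intact
# config.xml among a list of candidate directories and recreate the link.
# Default paths (/conf -> /cf/conf) are an assumption about pfSense 1.2.

# Print the path of the newest candidate that looks like a complete config:
# a file without the closing </pfsense> tag is treated as truncated and skipped.
# Usage: newest_config DIR...   (exit 1 if nothing usable is found)
newest_config() {
    newest=""
    for d in "$@"; do
        f="$d/config.xml"
        [ -f "$f" ] || continue
        grep -q '</pfsense>' "$f" || continue
        if [ -z "$newest" ] || [ "$f" -nt "$newest" ]; then
            newest="$f"
        fi
    done
    if [ -n "$newest" ]; then
        echo "$newest"
        return 0
    fi
    return 1
}

# Make sure LINK resolves to a directory holding an intact config.xml.
# Returns 0 if it already did or has been repaired, 1 if no config was found
# or LINK is a real directory/file that must not be replaced.
# Usage: restore_conf_link LINK CANDIDATE_DIR...
restore_conf_link() {
    link="$1"; shift
    if [ -f "$link/config.xml" ] && grep -q '</pfsense>' "$link/config.xml"; then
        return 0                        # link resolves and the file is intact
    fi
    cfg=$(newest_config "$@") || return 1
    dir=$(dirname "$cfg")
    [ -L "$link" ] && rm -f "$link"     # drop a dangling link, never a real directory
    [ -e "$link" ] && return 1
    ln -s "$dir" "$link"
}

# Run from an rc script with the real paths, e.g. (assumed pfSense 1.2 layout):
#   restore_conf_link /conf /cf/conf /cf/conf.bak || echo "no usable config.xml"
# With --demo the check runs against a constructed layout in a temp directory.
if [ "${1:-}" = "--demo" ]; then
    t=$(mktemp -d)
    mkdir "$t/good" "$t/truncated"
    printf '<pfsense><system/></pfsense>\n' > "$t/good/config.xml"
    printf '<pfsense><system/>' > "$t/truncated/config.xml"   # cut off mid-write
    restore_conf_link "$t/conf" "$t/truncated" "$t/good" && readlink "$t/conf"
    rm -rf "$t"
fi
```

Running it with --demo links the temp /conf to the "good" directory even though the truncated copy is newer, because the completeness test wins over the timestamp; on the live system the link is only ever touched when it is missing or dangling, so a healthy box is left alone.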
Re: [pfSense Support] Split DNS LAN/DMZ
Volker Kuhlmann wrote: On Thu 22 Nov 2007 17:04:02 NZDT +1300, Jaye Mathisen wrote: Use split-horizon DNS, Sure, how do I do this with pfsense? I can't find any docs about it and the DNS forwarder config page doesn't mention any interfaces (1.2RC3). just use different views? http://www.isc.org/sw/bind/arm95/Bv9ARM.ch06.html#view_statement_grammar
[pfSense Support] haproxy on a pfsense box?
is there a port of haproxy (or equivalent) to run on pfsense, and if so does it work reliably? we previously used pound as a load balancer and it works well, but we need a load balancer which can do more than just detect that there's a tcp listener, in case our web app stops working but still listens to http. thanks Paul
Re: [pfSense Support] suggestion change to UI - locking pages on slave firewalls
Chris Buechler wrote: Scott Ullrich wrote: On 11/20/07, Paul M [EMAIL PROTECTED] wrote: two firewalls, fwa, fwb, fwa is the master and replicated to fwb Could there be added in the UI (advanced options maybe) a flag to indicate that this FW is a slave, and then grey out anything which is This is a great idea but it needs to be further thought out. What if you lose the master firewall and in an emergency you need to change a firewall rule but it is greyed out? just go to advanced and uncheck the slave box. It could allow editing if it has master status. It would have to go further than that as well. If you allow any editing on the secondary, when the primary came back online it would get overwritten with the old config. perhaps when the slave box is unchecked it will *receive* the update from the master but *not load* it - offering a UI request to say there's an update queued from the master firewall, accept? it could even offer a diff to allow you to see what changes you made. A number of issues to address with this, though it's something we'd like to see done eventually. yes, making it foolproof would be tricky, there's probably not much middle ground between a simple edit-lockout and a full blown multi-master system.
Re: [pfSense Support] Re: pfSense with 3 internal VLANs?
Angelo Turetta wrote: Curtis LaMasters wrote: and Firewall myself, however, I'm still having problems with the VLAN config. I would like the LAN interface to be VLAN1. Please let me know if you have any questions, or if I missed something. Curtis, this is quite easy to do. I manage two similar configs with 5 and 7 internal vlans respectively. During the first boot, define the VLANs on top of the physical interface BEFORE you assign your LAN. one gotcha is that, unlike linux where you have a sort of sub-device (e.g. eth0.22 for vlan22), freebsd names the vlan devices sequentially and there's a tag on it, so the vlan0 device will be vlan1, the vlan1 device could be vlan100, the vlan2 device vlan200 etc. once I realised this, getting vlans working was easy. my next trick will be bonding multiple devices together to make a single trunk, and running vlans over that; managed to do this with linux (had to add a simple script to do the final config); don't know enough freebsd to know where to start --paul
Re: [pfSense Support] openvpn Question hope someone can help...
Tom Bishop wrote: I have done a tcpdump, I don't see the return packets... that's the troubling part On Nov 20, 2007 8:13 AM, Paul M [EMAIL PROTECTED] wrote: Tom Bishop wrote: Ok this one has been bugging me for sometime, I'm new to Pfsense could it be a NAT problem - check what outbound rules you have. login to firewall interactively and use tcpdump to check for outbound and return packets. so on the external interface you see packets leaving with the correct source address (that of the firewall and correct UDP port - as per state table), and the destination and port is correct? is there a possibility that you have an openvpn process running on the firewall which is listening on the same ports and thus breaking things? I found a bug whereby deleting an openvpn client config didn't kill the openvpn process - check with ps auxgw | grep open, netstat -an and also ifconfig -a to see if there's a tun device which has the IP address.
[pfSense Support] suggestion change to UI - locking pages on slave firewalls
two firewalls, fwa, fwb, fwa is the master and replicated to fwb I made the mistake of modifying something on fwb, and then of course had to go back and reproduce the changes on fwa. Could there be added in the UI (advanced options maybe) a flag to indicate that this FW is a slave, and then grey out anything which is overwritten by the master. Could it, when the pages are greyed out, put a timestamp at the top to indicate when the changes were last propagated? Just a thought. OK, it's pandering to people who do stupid things, but I'm sure I'm not the only one. thanks Paul
Re: [pfSense Support] openvpn Question hope someone can help...
Tom Bishop wrote: Ok this one has been bugging me for sometime, I'm new to Pfsense (looks nice btw ;) I have been testing several of the firewall products to find one that will meet most of my needs for some work that I need done. One of the issues I have come across is that when I try to fire up an openvpn session through the firewall I don't see any return packets (let me be clear I am talking about an openvpn windows client behind pfsense firewall, connecting to an external server through the firewall, not using the firewall as the client). I am running the firewall in a vm (vmware) and everything appears to work just fine except this. I am using udp for the connection traffic. I have a working openvpn client config that works outside of the firewall just not through it, I have also tried this on several other firewall packages and none of them work. I am familiar with iptables and linux and do a good bit of linux admin work, so if there is something that I can log or look at from the command prompt I'm all game. Thanks in advance... could it be a NAT problem - check what outbound rules you have. login to firewall interactively and use tcpdump to check for outbound and return packets.
Re: [pfSense Support] ping oddness
Joe Laffey wrote: Hi, When I ping www.apple.com at 17.112.152.32 from my pfsense box (from the shell) I am getting rtts of around 500ms. When I ping the same ip (not dnsname) from a box on my DMZ I am getting 50ms rtts. Any clue what is causing this? I tried disabling the traffic shaper, and this had no effect. Note that this is not always the case, in fact it only seems to happen in the evenings. I do not have any time based rules in my firewall. Any thoughts? This is rather strange if you ask me. do you get any packet loss if you ping either your firewall or anything through it? any errors on your switch?
Re: [pfSense Support] tuning incoming load balancer
Bill Marquette wrote: On 9/25/07, Bill Marquette [EMAIL PROTECTED] wrote: no, it says the IP is already in the list and refuses to add it; I guess that javascript could be changed to say are you sure and make it possible. Hmmm, the hackathon is coming up in a couple weeks. I'll take a look at this there (it won't make the 1.2 release). I removed this check. Please test with a snapshot newer than October 19th, 8PM US Eastern time. RC3 definitely allows you to add the same server multiple times in the Load Balancer Pool - Edit page. thanks for that. Paul
Re: [pfSense Support] Default number of states
Bill Marquette wrote: JA: Taking into account the limitations imposed by hardware, what is the maximum packet rate pf can be expected to handle? Daniel Hartmeier: The smallest legal ethernet frame is 84 bytes, which ... not fast enough. But real traffic consists of larger packets on average, which means packet rates of 16000 pps are common, and handled without loss by pf. sorry to revive an old thread, but I've been asked to identify the bottlenecks in our service. how many packets per second, as a guess to the nearest order of magnitude, should an Intel core2duo running at 1.8GHz manage over a gigabit (not jumbo frame) fully non-blocking switch fabric? Would we be able to manage 160,000 pps? thanks, Paul -- Newsflash: following a catastrophic devaluation, 101 in binary is now worth just 5 in decimal - Stob.
Re: [pfSense Support] Problem with Syncing 2 nodes in 1.2-RC2
Jarkka Kivikanta wrote: Fail-over of the virtual ip's work correctly if I create the rules manually. The following error can be found in the MASTER's system log: Nov 6 11:20:32 php: : New alert found: An error code was received while attempting XMLRPC sync with username admin http://192.168.200.1:9090 - Code 2: Invalid return payload: enable debugging to examine incoming payload Nov 6 11:20:32 php: : An error code was received while attempting XMLRPC sync with username admin http://192.168.200.1:9090 - Code 2: Invalid return payload: enable debugging to examine incoming payload it looks as if, simply, in the master's carp configs you've not put the right username and password for the slave into the form! ensure the slave is NOT set to replicate to anything, uncheck all the boxes and leave the IP blank to make sure!
Re: [pfSense Support] NAT'ing on an openVPN interface
Graham Beneke wrote: Hi I have an openVPN connection to a VPN server and I have a single IP from the server. I need to NAT my local subnet before putting the traffic over the VPN. I'm not so clued up on custom config files but it looks like I can do everything that I need to in the advanced NAT gui - except for the fact that the VPN interface is not available as an interface to NAT to. Any suggestions as to how I could achieve this. can you not simply add routes on the vpn server to the network behind the client - there's an option for this.
Re: [pfSense Support] DNS Issues with 1.2 RC2
Robert Goley wrote: based routing. DNS refuses to work. This is because the pfsense machine can I have no answer for you, but an idea to try. run tcpdump -l -n -i xxx udp and port 53 on the firewall for each interface xxx in turn whilst trying to resolve and see if any packets are seen.
Re: [pfSense Support] DNS Issues with 1.2 RC2
Sean Cavanaugh wrote: I personally use OpenDNS for everything since they're outside of what the ISP handles. surely it's easier to simply run your own caching resolvers? that way you can force a cache flush if you're changing your own DNS. the only time either your or my strategy fails is when you have an ISP like NTL in the UK who do udp:53 hijacking (just like they force all web traffic through their proxies, they do similar with DNS!). the only way I found round that was to put my own resolver on a public lan at work on a different port and hack my local bind9 config to resolve off it!
[pfSense Support] openvpn bug when removing configurations.
Bug: removing an openvpn configuration entry does not kill the openvpn daemon triggered by that config. Background: I've built (yet) another pfsense box to act as a vpn server (which will hang off a DMZ so that I can set up distinct access rules for individual vpn users since they'll be coming from different addresses). The DMZ was handled by an existing firewall, which now routes to the VPN client addresses via the vpn appliance, so I removed the openvpn configurations off it. I observed during testing that I couldn't ping the old firewall, traffic was coming in from the vpn IP, but not returning. netstat -rn indicated that there was still a tun device, so I killed off the openvpn daemon and it began to work. Paul
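The checks Paul runs through in the two OpenVPN threads above (`ps auxgw | grep open`, `netstat -an`, `ifconfig -a` for a tun device still holding an address) and the stale-daemon bug in this report, gathered into one script as an added example that is not code from the list or from pfSense. It assumes FreeBSD-style command output, that each instance is started as `openvpn --config <file>`, and that deleting the entry in the GUI removes that file while (per the bug) leaving the daemon running; all three are assumptions, and the sample output below is constructed, not captured from a real box.

```shell
#!/bin/sh
# Added example, not pfSense code: find OpenVPN daemons that outlived their
# configuration.  Every check reads command output as text on stdin, so it can
# be run over the constructed samples below as well as the live system (--live).
# Assumed: FreeBSD-style `ps auxgw`, `ifconfig -a` and `netstat -an` output,
# daemons launched as "openvpn --config <file>", config file removed on delete.

# "pid config" for each openvpn process in `ps auxgw` output.
openvpn_procs() {
    awk '$11 ~ /(^|\/)openvpn$/ {
        cfg = "-"
        for (i = 12; i <= NF; i++) if ($i == "--config") cfg = $(i + 1)
        print $2, cfg
    }'
}

# openvpn processes whose --config file no longer exists: the daemon is still
# running, still owns its tun device and UDP port, but nothing in the current
# configuration accounts for it.
stale_openvpn() {
    openvpn_procs | while read -r pid cfg; do
        if [ "$cfg" = "-" ] || [ ! -e "$cfg" ]; then
            echo "$pid $cfg"
        fi
    done
}

# "iface address" for every tun interface that still carries an IPv4 address,
# from `ifconfig -a` output.
tun_with_addr() {
    awk '
        /^[a-z]+[0-9]+:/ { sub(":", "", $1); iface = $1; next }
        $1 == "inet" && iface ~ /^tun/ { print iface, $2 }
    '
}

# Local UDP ports with an open socket, from `netstat -an` output; a leftover
# daemon keeps its port and can shadow a new instance configured on the same one.
udp_ports() {
    awk '$1 ~ /^udp/ { n = split($4, a, "."); print a[n] }' | sort -un
}

check_live() {
    echo "== openvpn daemons without a config file =="
    ps auxgw | stale_openvpn
    echo "== tun interfaces holding an address =="
    ifconfig -a | tun_with_addr
    echo "== UDP ports in use =="
    netstat -an | udp_ports
}

# Constructed sample output (not captured from a real system).
SAMPLE_PS='USER  PID %CPU %MEM  VSZ  RSS TT STAT STARTED    TIME COMMAND
root 1234  0.0  0.3 4268 1992 ?? Ss   10:02AM 0:00.05 /usr/local/sbin/openvpn --config /var/etc/openvpn_server0.conf
root 1301  0.0  0.3 4268 1992 ?? Ss   10:02AM 0:00.05 /usr/local/sbin/openvpn --config /var/etc/openvpn_client2.conf
root 1400  0.0  0.1 1600  900 p0 R+   10:05AM 0:00.01 grep openvpn'

SAMPLE_IFCONFIG='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        inet 10.8.0.1 --> 10.8.0.2 netmask 0xffffffff
        Opened by PID 1234
tun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        inet 10.9.0.6 --> 10.9.0.5 netmask 0xffffffff
        Opened by PID 1301'

SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.443                  *.*                    LISTEN
udp4       0      0  *.1194                 *.*
udp4       0      0  192.168.1.1.53         *.*
udp4       0      0  *.1195                 *.*'

if [ "${1:-}" = "--live" ]; then
    check_live
else
    echo "== sample: openvpn daemons =="
    printf '%s\n' "$SAMPLE_PS" | openvpn_procs
    echo "== sample: tun interfaces =="
    printf '%s\n' "$SAMPLE_IFCONFIG" | tun_with_addr
    echo "== sample: UDP ports =="
    printf '%s\n' "$SAMPLE_NETSTAT" | udp_ports
fi
```

On the sample data both daemons are reported as stale because neither config path exists on the machine running the script; on a live box a pid listed by stale_openvpn next to a tun interface and a UDP port it still holds is exactly the leftover the bug report describes, and `kill <pid>` followed by a re-run of the same three checks confirms the cleanup.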
Re: [pfSense Support] Multiple User Support
On this idea of multiple users, it would be great if you could have multiple logins for the web interface, and then * make a simple change log against that user * have a field for nat and filter rules which gives a created/last-edited-by and a timestamp, so you can see when a rule was last touched on the subject of the rule base, one thing I liked (I didn't like much about ch*ckp**nt!) rules were the section headers and ability to collapse and expand sections, made managing complex firewall much easier. It also allowed two comment fields, short and long, I used the short one for the user + timestamp feature I mention above. thanks Paul
Re: [pfSense Support] Re: 2 networks on the LAN interface, vlan, trunk?
Ugo Bellavance wrote: Still not working, the arp tables show nothing on the hosts on vlan103. I've tried again, and still no luck. The pfsense can ping the opt1 interface (192.168.10.1), but no hosts on this network. I'm beginning to suspect that the switch there doesn't really support vlans. dell powerconnect 2724. Any ideas? are you setting the switch port to 802.1q encapsulation which is how multiple vlans are carried over a single ether? don't want to be rude but you probably need to read a tutorial on 802.1q and vlans.
Re: [pfSense Support] Re: 2 networks on the LAN interface, vlan, trunk?
Ugo Bellavance wrote: are you setting the switch port to 802.1q encapsulation which is how multiple vlans are carried over a single ether? I had a choice of -not member -member - untag -member - tag for each port erm, I don't know dell switches; in cisco you set the port to be 'access' or 'trunk/802.1q', and if access you say which vlan. BTW, it'd be a Good Thing to set access ports, particularly for a DMZ and non-firewalled lan segments, to be nonegotiate, so that if a host gets compromised the attacker can't turn on trunking on the port and then gain access to all your internal protected vlans! don't want to be rude but you probably need to read a tutorial on 802.1q and vlans. You're not rude, I totally agree. Do you have any links to recommend? sorry, no idea. google? We'll be replacing the dell by a HP 2626 shortly. It should be easier I think (and more reliable). although I was tempted by Dell, the old 'no one got fired for buying cisco' applied; I've found that cisco prices vary enormously, and ended up with some 3560G and 3560E switches, which do a bit of routing as well as being high-spec switches. Paul
[Fwd: Re: [pfSense Support] Dual Wan - Same Gateway]
Bill Marquette wrote:
> You'll need another box to handle the WAN2. Can't have two nics on the same network, nor can you do multi-wan on one nic :)

not even if you set that nic to trunk/802.1q, and used a vlan-aware switch?

> --Bill
>
> On 10/17/07, Michael Richardson [EMAIL PROTECTED] wrote:
> > I've got two 15Mb connections from my ISP, each with its own IP, but both having the same gateway. Should there be any problems with this? I'd like to use 1-1 NAT to direct certain traffic out WAN2. I'd also like to maintain VPN (IPSEC and/or PPTP) tunnels on WAN2. Any special steps I'll need to know/take?
Re: [pfSense Support] Re: ntop hung
Ugo Bellavance wrote:
> ntop is using 100% of one of my 2 CPUs on my pfsense. I tried to
> After rebooting, all came back to normal. ntop using less than 1% cpu and running correctly.

maybe it's just me, but I've never found a version/build of ntop which was stable and didn't have problems when used for high-traffic measurement! I certainly wouldn't want to run ntop on the firewall; I'd set up a mirror port on your internal switch and hang a dedicated NIDS (snort) and NTOP box on that.

When faced with this problem a few years back I tried darkstat instead, but it was pretty primitive at the time; I fixed it up to work a bit better and submitted new code, but not sure it made it in. Darkstat is a lot less resource hungry, and it's a lot smaller.

Paul
Re: [pfSense Support] load balancing for internal and external servers
Bill Marquette wrote:
> You won't be able to test load balancing of virtual servers from inside your network. It's a pf thing and unlikely to ever get resolved.

ah, thanks, I did wonder if that might be the case. I put a machine outside the firewalls on which I put squid as an intermediate fix, and it works well enough for testing.

thanks
Paul
Re: [pfSense Support] load balancing for internal and external servers
Bill Marquette wrote:
> Technically we can make this work if the virtual servers are in a DMZ (all you need is a NAT on the DMZ interface to hide the source address of your test machine). But there's no way to make it work if the test machine is in the same network as the server.

thanks again; the issue will go away somewhat when we move our server farm to a colocation facility, at which point I have to build more firewalls anyway!

> On 10/10/07, Paul M [EMAIL PROTECTED] wrote:
> > Bill Marquette wrote:
> > > You won't be able to test load balancing of virtual servers from inside your network. It's a pf thing and unlikely to ever get resolved.
> >
> > ah, thanks, I did wonder if that might be the case. I put a machine outside the firewalls on which I put squid as an intermediate fix, and it works well enough for testing.
[pfSense Support] load balancing for internal and external servers
Thanks for reading this.

pair of pfsense firewalls with
* external carp IP 1.2.3.4
* internal carp IP 192.168.0.1
with each machine on .2 and .3

the bit that works: we have a couple of web servers, and I created a pool, and a virtual server which listens on the external carp IP, then added the rule permitting traffic. works just fine, I can see the web servers from the outside world.

the bit that doesn't: wanting to test the load balanced pool from inside, I created a virtual server listening on the internal 192.168 address; no rules were required because internal (LAN) traffic is 100% permitted. Using tcpdump I see the tcp connection coming from desktop:highport to 192.168.0.1:80, there's then a conn from 192.168.0.1:highport to webserver:80 which completes, but no traffic goes back to desktop! nothing in the firewall logs indicates dropped traffic!

any clues gratefully received.

thanks
Paul
Re: [pfSense Support] load balancing for internal and external servers
Paul M wrote:
> Thanks for reading this.
>
> pair of pfsense firewalls with
> * external carp IP 1.2.3.4
> * internal carp IP 192.168.0.1
> with each machine on .2 and .3
>
> the bit that works: we have a couple of web servers, and I created a pool, and a virtual server which listens on the external carp IP, then added the rule permitting traffic. works just fine, I can see the web servers from the outside world.
>
> the bit that doesn't: wanting to test the load balanced pool from inside, I created a virtual server listening on the internal 192.168 address; no rules were required because internal (LAN) traffic is 100% permitted. Using tcpdump I see the tcp connection coming from desktop:highport to 192.168.0.1:80, there's then a conn from 192.168.0.1:highport to webserver:80 which completes, but no traffic goes back to desktop! nothing in the firewall logs indicates dropped traffic!
>
> any clues gratefully received.

p.s. I do have the "Bypass firewall rules for traffic on the same interface" option ticked in system-advanced settings
Re: [pfSense Support] 2 networks on the LAN interface, vlan, trunk?
Ugo Bellavance wrote:
> VLAN 101 contains ports that are connected directly to the internet (PfSense WAN port, internet port (it is in colocation), other servers that would be connected directly to the internet (not behind PfSense)).
> VLAN 102 contains ports that are connected to devices in the Subnet1, let's say 10.10.10.0/24.
> VLAN 103 contains ports that are connected to devices in the Subnet2, let's say 192.168.10.0/24.

this seems OK, I think; once you've created vlans you assign the wan and lan ports appropriately, then make vlan103 be say OPT1 (and rename it to LAN2?)

> However, subnet2 is completely isolated. It cannot talk to anyone, nor to the fw, nor the subnet1, nor the internet.

if you manually add static routes to hosts on vlan103, does it work? what are you seeing in the arp tables on the hosts?
Re: [pfSense Support] tuning incoming load balancer
Bill Marquette wrote:
> Yep, again, the load balance itself is performed in kernel. pf itself doesn't really care about icmp unreachables (and that only addresses the issue of Apache going down, not of the whole box crashing).

OK, thanks for that clarification.

BTW, we've been testing with and without the stickiness set, and as far as we can tell 1.2RC2 doesn't actually do the round-robin load balancing, or just does the failover. I'd raise a bug but thought I'd check first.

> > > I suppose the main questions here are how important it is that you ...
>
> We could probably do to the nearest second (I'd suggest that the ..
>
> > I am happy to have a hack at the code and/or be a beta tester for this.
>
> I'll likely hit on this during the hackathon, I'll shoot you an email in mid October.

great! thanks again
Paul
Re: [pfSense Support] Re: jabber and NAT woes
Sean Cavanaugh wrote:
> I have same issue with port forwarding. thought it was a config problem for me. I have SSH on a non-standard port on the WAN side and it is supposed to be forwarding to standard port 22 on the LAN side server. I get a connection established, but no data (not even a logon prompt) and then about 15 seconds later it will finally drop the connection.

what does ssh -v report?
Re: [pfSense Support] Issue with stalling on static route
jamespev wrote:
> works perfectly. So it seems something is happening on the pfsense machine. Shorter transactions seem to be fine, pinging always works.

try ping with a large payload

> If anyone has any ideas I would be very appreciative. I think the users are starting to gather torches and pitchforks...

try reducing the MTU at both ends of the link down to say 1300. is icmp being blocked? that might be breaking MTU path discovery; when that happens you get all sorts of odd effects.
Re: [pfSense Support] Re: jabber and NAT woes
Paul M wrote:
> Sean Cavanaugh wrote:
> > I have same issue with port forwarding. thought it was a config problem for me. I have SSH on a non-standard port on the WAN side and it is supposed to be forwarding to standard port 22 on the LAN side server. I get a connection established, but no data (not even a logon prompt) and then about 15 seconds later it will finally drop the connection.
>
> what does ssh -v report?

p.s. check MTU (reduce to 1300 to test) and blocking of ICMP
Re: [pfSense Support] tuning incoming load balancer
Bill Marquette wrote:
> > Thus I would like to ask 1/ how quickly should pfsense discover one of the units in the pool is dead?
>
> 5 seconds

thanks for that. From my limited testing that's what I observed. I'm told we can live with that. I must admit to being lazy^W overworked, trying to find a usable solution without having to roll a full HA strategy for now ;-)

> > 2/ why didn't pfsense pick up the dead unit when I connected and know to redirect, or at least only fail the once?
>
> Nope. The load balancing is performed by pf which has no concept of dead servers. The actual monitoring is performed in userland and the rules modified based on detection of dead servers.

It'd be nice if it also picked up the icmp dest unreachable, but that might involve a bit of work!

> > 3/ can I tune the timers, can I add weights to favour one server over
>
> Nope. I might be convinced to make the timers a tunable. And I believe someone did try to do ratio style load balancing by adding the same server multiple times (I'm pretty sure the ratio load balancing works, I'm not sure if we actually allow for it in the UI).

no, it says the IP is already in the list and refuses to add it; I guess that javascript could be changed to say "are you sure" and make it possible.

> Well, pfSense is a firewall, not a load balancer. It was easy to add simple load balancing features, going any further would be a significant undertaking and in my opinion would distract from the goals of pfSense.

yes, I agree that trying to add a complex load balancing solution (such as LVS) would detract from pfsense, I am just wondering where a comfortable position would lie; even haproxy or balance might be too much?

> I suppose the main questions here are how important it is that you have more frequent polling (which btw, will increase the load on the web servers since we'll be hitting them more frequently), how important the better load balancing features are to you, and how much you're willing to spend.

I think being able to tune the time would be most practical to the nearest tenth of a second (above, say, 5s could have a granularity of 1s); we're likely to be a high traffic site so it'd represent a negligible impact overall. I am happy to have a hack at the code and/or be a beta tester for this. If we do go fully live with pfsense I anticipate a favourable reception asking senior management to pay for pfsense support, as they were expecting to have to pay for a commercial option!

regards
Paul
Re: [pfSense Support] tuning incoming load balancer
p.s. does the load balancer have any sort of session affinity?
[pfSense Support] tuning incoming load balancer
Hi,

Having successfully used pfsense as a clustered firewall with CARP for external and internal shared IPs, I am trying its load balancing feature to manage a pool of web servers.

So, created a pool with 2 httpd's, and it works. However, when I killed httpd on one box, I got a few errors when connecting from the outside world for about five seconds, and then pfsense failed over to the other box.

Thus I would like to ask
1/ how quickly should pfsense discover one of the units in the pool is dead?
2/ why didn't pfsense pick up the dead unit when I connected and know to redirect, or at least only fail the once?
3/ can I tune the timers, can I add weights to favour one server over another, can I make the load balancer interrogate the web servers to determine their loading and not just that there's a tcp listener?

I am sure I am asking too much of pfsense loadbal, but I just need to get an idea of whether it will be useful initially until I need to go get a fully-featured complex load bal.

thanks very much
Paul
Re: [pfSense Support] DHCP log error
Roberto Greiner wrote:
> As a note. I've installed the latest snapshot (dated 14-Sept.), and the problem repeated itself. The lease appears in the DHCP logs, but not in the DHCP Leases page.

what timeout have you set for dhcp leases?