RE: [pfSense Support] Network Device pooling

2005-11-01 Thread Peter Zaitsev
On Tue, 2005-11-01 at 10:43 -0600, Fleming, John (ZeroChaos) wrote:
 Also I wrote when stall happens I can't telnet to port 80 on web server
 host - which means it is not just program causing stall. 
 Are you trying this from the same host as the benchmark program? I
 wonder if a 2nd host would have the same problem.

I did not have an extra host for test. 

I've finally figured out that it looks like the client is running out of local
ports, as increasing ip_local_port_range allowed it to get to a
different point.

Two things confused me here:

1) For some reason it does not fail if the firewall is disabled. Probably
something is different with connection closure.

2) The error code reported by ab is connect timeout. For this kind of
error it should be "Can't assign requested address" or something
similar. I guess it could be that the Apache runtime abstraction library does
not report this error well enough.




 
 -Original Message-
 From: Peter Zaitsev [mailto:[EMAIL PROTECTED] 
 Sent: Monday, October 31, 2005 3:53 PM
 To: support@pfsense.com
 Subject: Re: [pfSense Support] Network Device pooling
 
 On Mon, 2005-10-31 at 16:31 -0500, Scott Ullrich wrote:
  Are we absolutely sure this program works as intended?  Personally I
  wouldn't trust anything like this but smartbits.
 
 Well... 
 
 It works if filtering is disabled on pfSense - this is what worries me.
 If the program were broken it should not work in either case.
 
 Also I wrote when stall happens I can't telnet to port 80 on web server
 host - which means it is not just program causing stall.
 
 If it is protection on the FreeBSD side from too much activity from the same IP
 (i.e. as it limits responses to flood ping) this would be good to know.
 
 I hope this problem is actually something like that - I know there are a
 lot of FreeBSD based routers out there - if it would be broken for real
 workloads something would scream already.
 
 One more interesting thing I noticed: 
 
 Percentage of the requests served within a certain time (ms)
   50%     32
   66%     33
   75%     33
   80%     33
   90%     44
   95%    295
   98%    324
   99%    330
  100%  21285 (longest request)
 
 Even if apache benchmark does not time out it often shows too long a
 response time - (21 sec in this case)
 
 What I've noticed - it can be 3, 9 or 21 secs in this case - This
 really looks like the times at which SYN packets are resent by TCP/IP
 stacks if no reply for the previous one arrives.
 
 
 Doing more experiments I also discovered I can increase the chance of
 passing the benchmark (still not to 100%) if I reduce tcp_fin_timeout and
 increase ip_local_port_range variables on my test driver host.
 
 This still brings the question why the behavior is different with and
 without filtering, but it makes me worry less :)
 
 
  
  Scott
  
  
  On 10/31/05, Peter Zaitsev [EMAIL PROTECTED] wrote:
   On Mon, 2005-10-31 at 16:25 -0500, Scott Ullrich wrote:
apr_poll: The timeout specified has expired (70007)
   
What is the above from?  Your benchmark testing box?
  
   Yes. This is output from apache benchmark program.
  
  
   Benchmarking 111.111.111.158 (be patient)
   Completed 1 requests
   Completed 2 requests
   Completed 3 requests
   apr_poll: The timeout specified has expired (70007)
   Total of 30517 requests completed
  
  
  
   
On 10/31/05, Peter Zaitsev [EMAIL PROTECTED] wrote:
 On Mon, 2005-10-31 at 15:48 -0500, Scott Ullrich wrote:
  Are you viewing the traffic queue status?   This would be
 normal if you are...

 Heh,

 Yes, good guess. These were running in the other window.


 So here is the output for stalled case

 # pfctl -ss | wc -l
51898

 I have number of states set to 100.000 in advanced page so it is
 not
 peak number.


 Note what really surprises me is the number of requests when it
 fails:

 apr_poll: The timeout specified has expired (70007)
 Total of 28217 requests completed

 This number of 28217 is seen so often... Sometimes it is a bit more or
 less but it is very frequently within +/- 100 of it.

 I was asked if I can connect to the remote box when this problem
 happens
 -  yes.  I can SSH to the same box which runs Apache, but I
 can't
 connect to the port 80 when this problem happens.

 So it looks like it does not like to see all these states
 corresponding
 to the same target port number.



 
  Scott
 
 
  On 10/31/05, Peter Zaitsev [EMAIL PROTECTED] wrote:
   On Mon, 2005-10-31 at 14:39 -0500, Scott Ullrich wrote:
On 10/31/05, Fleming, John (ZeroChaos)
 [EMAIL PROTECTED] wrote:
 I wonder if part of the problem is PF isn't seeing the
 TCP tear down. It
 seems a little odd that the max gets hit and nothing
 else gets through.
 I guess it could be the benchmark isn't shutting down
 the session right
 after its down
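
The thread ends up at a client-side explanation: ab opens one TCP connection per request, and the load generator ran out of local ports. The script below is an added example, not code from pfSense or from anyone in the thread. It sizes that ephemeral-port budget: how many ports a `ip_local_port_range` setting provides, what connection rate they sustain when every closed connection holds its port for a while (Little's law, ports busy = rate x hold time), and whether a run that stopped after N requests stopped within a couple of percent of one full port range, which is the fingerprint of a client wrapping around its ports rather than of a firewall fault. The default range is the long-standing Linux default for `net.ipv4.ip_local_port_range` (28233 ports, close to the 28217 the runs kept stopping at); the 60 s hold time and the 2 % tolerance are assumptions to replace with the values configured on your own load generator.

```python
"""Client-side ephemeral port budget for a TCP load generator.

Added example for this thread, not code from pfSense or from the poster.
"""
from __future__ import annotations

import math
import re

# Classic Linux default for net.ipv4.ip_local_port_range (inclusive bounds).
DEFAULT_PORT_RANGE = (32768, 61000)

# Tail of an ab run as quoted in the thread; used here only as sample input.
SAMPLE_AB_TAIL = """\
apr_poll: The timeout specified has expired (70007)
Total of 28217 requests completed
"""

_AB_TOTAL_RE = re.compile(r"Total of (\d+) requests completed")


def ephemeral_port_count(port_range: tuple[int, int] = DEFAULT_PORT_RANGE) -> int:
    """Number of local ports a client can draw from (inclusive range)."""
    lo, hi = port_range
    if not (1 <= lo <= hi <= 65535):
        raise ValueError(f"invalid port range {port_range!r}")
    return hi - lo + 1


def sustainable_connection_rate(port_range: tuple[int, int], hold_seconds: float) -> float:
    """Connections per second the range supports when each port stays busy
    for hold_seconds after close (Little's law: ports busy = rate * hold)."""
    if hold_seconds <= 0:
        raise ValueError("hold_seconds must be positive")
    return ephemeral_port_count(port_range) / hold_seconds


def ports_needed(connections_per_second: float, hold_seconds: float) -> int:
    """Ports that must be available to sustain a given new-connection rate."""
    return math.ceil(connections_per_second * hold_seconds)


def completed_requests_from_ab(output: str) -> int | None:
    """Pull the 'Total of N requests completed' count from ab's abort message."""
    m = _AB_TOTAL_RE.search(output)
    return int(m.group(1)) if m else None


def port_exhaustion_suspected(completed_requests: int,
                              port_range: tuple[int, int] = DEFAULT_PORT_RANGE,
                              tolerance: float = 0.02) -> bool:
    """True when a run stalled within `tolerance` of one full port range, the
    signature of the client wrapping around its ephemeral ports. Only
    meaningful with the range actually configured on the load generator."""
    ports = ephemeral_port_count(port_range)
    return abs(completed_requests - ports) <= tolerance * ports


if __name__ == "__main__":
    n = completed_requests_from_ab(SAMPLE_AB_TAIL)
    print(f"ports in default range: {ephemeral_port_count()}")
    print(f"stalled after {n} requests -> port exhaustion suspected: "
          f"{port_exhaustion_suspected(n)}")
    # 60 s hold time is an assumed value; measure your own client's TIME_WAIT.
    print(f"max new connections/s with a 60 s hold: "
          f"{sustainable_connection_rate(DEFAULT_PORT_RANGE, 60.0):.0f}")
    print(f"ports needed for 1000 conn/s with a 60 s hold: {ports_needed(1000, 60.0)}")
```

The second ab total in the thread (30517) does not match the default range, which is the point of passing the real range: once `ip_local_port_range` has been widened, the check has to be rerun with the new bounds, and a stall that no longer lines up with the port count is worth looking for on the firewall side instead.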

Re: [pfSense Support] Dump states feature

2005-10-31 Thread Peter Zaitsev
On Sun, 2005-10-30 at 17:25 -0500, Scott Ullrich wrote:
 If you want to push 50,000 states do you think this box is enough
 juice?  With that amount of states it seems you want to use much
 better hardware.

Well...  I'm not going to have 50.000 states - I'm just stress testing
to see the limit.

Now I see this number of states takes just a few MB of memory - I never
got the amount of memory used over 15%.

CPU usage in my understanding should grow with the number of packets and
rules - states are secondary. It must be implemented as a hash table with
semi-constant lookup time.

And once again - my problem is not the amount of packets I can pass at this
point but the way it keeps up with high load.



Also this is better hardware than what is included in most firewalls.
For example SonicWall 2040 has an 800MHz x86 CPU, Cisco PIX - a 300MHz
Celeron. They might have some extra hardware offloading but also
have extra features such as deep packet inspection etc.




 
 On 10/30/05, Peter Zaitsev [EMAIL PROTECTED] wrote:
  On Sun, 2005-10-30 at 15:45 -0400, Scott Ullrich wrote:
   If you don't mind me asking, what hardware are you running pfsense on
   for these tests?
 
  This is Dell PowerEdge 750  - 512Mb RAM,  Celeron 2.4Ghz
  2 Intel 1Gbit NICs
 
  This seems to be much better than all firewalls  below 5K$ have :)
 
 
 
 
  -
  To unsubscribe, e-mail: [EMAIL PROTECTED]
  For additional commands, e-mail: [EMAIL PROTECTED]
 
 
 
 





RE: [pfSense Support] Dump states feature

2005-10-31 Thread Peter Zaitsev
On Mon, 2005-10-31 at 11:30 -0600, Fleming, John (ZeroChaos) wrote:

John,

 I didn't see but are you using Nat? If so do things change with Nat
 disabled? Also could you try disabling the Scrub option and seeing if
 that makes a difference?

I'm using bridging - no NAT

What is SCRUB and how do I disable it?






RE: [pfSense Support] Dump states feature

2005-10-31 Thread Peter Zaitsev
On Mon, 2005-10-31 at 11:28 -0600, Fleming, John (ZeroChaos) wrote:
 FYI a PIX 520 (the 300 mhz version) can not handle 50,000 entries in the
 state table. It may on paper, but just because it has enough ram. I want
 to say it starts to have problems at about 35,000, but then again all my
 PIX firewalls were fully loaded with nics (6 10/100 I think).

Right. I guess the number of states is not the only issue - packet rate is another
thing - a state which has a packet passing by once per minute is
different from one which constantly needs attention. The number of rules
is another (I had a single rule in this test).

And I guess a 300MHz CPU is a lot different from the 2.4GHz I have :)


 
 Kind of funny to boot a 520 and hear a video failure beep code.

:)



 
 
 
 -Original Message-
 From: Peter Zaitsev [mailto:[EMAIL PROTECTED] 
 Sent: Monday, October 31, 2005 10:48 AM
 To: support@pfsense.com
 Subject: Re: [pfSense Support] Dump states feature
 
 On Sun, 2005-10-30 at 17:25 -0500, Scott Ullrich wrote:
  If you want to push 50,000 states do you think this box is enough
  juice?  With that amount of states it seems you want to use much
  better hardware.
 
 Well...  I'm not going to have 50.000 states - I'm just stress testing
 to see the limit.
 
 Now I see this number of states takes just a few MB of memory - I never
 got the amount of memory used over 15%.
 
 CPU usage in my understanding should grow with the number of packets and
 rules - states are secondary. It must be implemented as a hash table with
 semi-constant lookup time.
 
 And once again - my problem is not the amount of packets I can pass at this
 point but the way it keeps up with high load.
 
 
 
 Also this is better hardware than what is included in most firewalls.
 For example SonicWall 2040 has an 800MHz x86 CPU, Cisco PIX - a 300MHz
 Celeron. They might have some extra hardware offloading but also
 have extra features such as deep packet inspection etc.
 
 
 
 
  
  On 10/30/05, Peter Zaitsev [EMAIL PROTECTED] wrote:
   On Sun, 2005-10-30 at 15:45 -0400, Scott Ullrich wrote:
If you don't mind me asking, what hardware are you running pfsense
 on
for these tests?
  
   This is Dell PowerEdge 750  - 512Mb RAM,  Celeron 2.4Ghz
   2 Intel 1Gbit NICs
  
   This seems to be much better than all firewalls  below 5K$ have :)
  
  
  
  
  
  
  
  
  
 
 
 
 
 





RE: [pfSense Support] Network Device pooling

2005-10-31 Thread Peter Zaitsev
On Mon, 2005-10-31 at 13:26 -0600, Fleming, John (ZeroChaos) wrote:
 Benchmarking 111.111.111.158 (be patient) Completed 1 requests -
 isn't 10,000 the default limit of the state table? That sure would
 explain a lot.

I boosted it to 100000 of course








Re: [pfSense Support] Locked out in bridging mode

2005-10-31 Thread Peter Zaitsev
On Mon, 2005-10-31 at 15:04 -0500, Scott Ullrich wrote:
 If you do not provide an address on the LAN ip then there is no
 anti-lockout rule.  To get around it, add a lan address.

I have the LAN address at this point set to be the same as the WAN address.

Also see below - pfctl was disabled after I booted and I could not
connect. (I initially tried to add the rule to lock me out) and
after pfctl -e I did not even need the rule.

So I guess something else triggered it.

 
 On 10/31/05, Peter Zaitsev [EMAIL PROTECTED] wrote:
  Hi,
 
  After the tests today  ( I guess I disabled firewall mode for test and
  then enabled it back)  I got locked out of my pfsense box - it is
  inaccessible both from WAN and LAN  (which are bridged and so anti
  lockout rule does not work).
 
  There seems to be no way to operate web interface from console :(
 
 
   Looking more into it - it looks like the problem is I actually
  rebooted the box while firewall was disabled.
 
  This resulted in very interesting effect - I could connect to the box
  behind the firewall but not to the box itself.   - SSH as well as Web
  were dead.
 
  As soon as I did pfctl -e  I could connect :)
 
 
 
 
 
 
 
 
 





Re: [pfSense Support] Locked out in bridging mode

2005-10-31 Thread Peter Zaitsev
On Mon, 2005-10-31 at 15:12 -0500, Scott Ullrich wrote:
 pfctl runs pfctl -f /tmp/rules.debug.  What happens if you run this?

There is no rules.debug  if   you have disabled firewall in advanced
setting and rebooted. 

That was my first surprise :)






[pfSense Support] Traffic shaping broken in 0.90

2005-10-31 Thread Peter Zaitsev
Just upgraded to 0.90 and traffic shaping seems to be broken.

Even after rerunning the wizard I get:

# pfctl -f /tmp/rules.debug
bandwidth for qWANRoot higher than interface
/tmp/rules.debug:17: errors in queue definition
parent qWANRoot not found for qWANdef
/tmp/rules.debug:18: errors in queue definition
bandwidth for qLANRoot higher than interface
/tmp/rules.debug:19: errors in queue definition
parent qLANRoot not found for qLANdef
/tmp/rules.debug:20: errors in queue definition
parent qLANRoot not found for qLANacks
/tmp/rules.debug:21: errors in queue definition
parent qWANRoot not found for qWANacks
/tmp/rules.debug:22: errors in queue definition
parent qWANRoot not found for qOthersUpH
/tmp/rules.debug:23: errors in queue definition
parent qLANRoot not found for qOthersDownH
/tmp/rules.debug:24: errors in queue definition
parent qWANRoot not found for qOthersUpL
/tmp/rules.debug:25: errors in queue definition
parent qLANRoot not found for qOthersDownL
/tmp/rules.debug:26: errors in queue definition
pfctl: Syntax error in config file: pf rules not loaded


First I should note again - this may happen on boot, and the firewall boots
without any filtering at all initially.



What I needed to do to fix this was to go to interfaces and set speeds
for them back again - for some reason my selection for these was lost
again.





Re: [pfSense Support] Locked out in bridging mode

2005-10-31 Thread Peter Zaitsev
On Mon, 2005-10-31 at 15:33 -0500, Scott Ullrich wrote:
 So what you're saying is after disabling the firewall and rebooting pf
 is still enabled?

No.  That is what is the mystery.  The firewall is disabled after I
reboot.  pf is not running but I can't connect to the firewall host
(both SSH and HTTPS).  I can connect to the boxes which are behind the
firewall but not the firewall host itself.

It seems somehow related to the same IP on LAN and WAN interfaces
according to my previous tests. 

 
 On 10/31/05, Peter Zaitsev [EMAIL PROTECTED] wrote:
  On Mon, 2005-10-31 at 15:12 -0500, Scott Ullrich wrote:
   pfctl runs pfctl -f /tmp/rules.debug.  What happens if you run this?
 
  There is no rules.debug  if   you have disabled firewall in advanced
  setting and rebooted.
 
  That was my first surprise :)
 
 
 
 
 
 
 





Re: [pfSense Support] Network Device pooling

2005-10-31 Thread Peter Zaitsev
On Mon, 2005-10-31 at 14:39 -0500, Scott Ullrich wrote:
 On 10/31/05, Fleming, John (ZeroChaos) [EMAIL PROTECTED] wrote:
  I wonder if part of the problem is PF isn't seeing the TCP tear down. It
  seems a little odd that the max gets hit and nothing else gets through.
  I guess it could be the benchmark isn't shutting down the session right
  after its down transferring data, but I would think it would kill the
  benchmark client to have 10K(ish) of open TCP sessions.
 
 One way to determine this would be to run pfctl -ss | wc -l once
 pfSense stops responding?

Very interesting

I tried running this before the problems but it looks strange already:

# pfctl -ss | wc -l
4893
Killed
# pfctl -ss | wc -l
   23245
Killed

There is nothing in dmesg or  system logs. 








RE: [pfSense Support] Network Device pooling

2005-10-31 Thread Peter Zaitsev
On Mon, 2005-10-31 at 13:25 -0600, Fleming, John (ZeroChaos) wrote:



 
 Can you send these while the machine is normal and when the machine is
 choking? (send the output.txt file btw)

Normal:

# cat /tmp/output.txt
Mon Oct 31 07:50:52 PST 2005
564/336/900 mbufs in use (current/cache/total)
555/269/824/17088 mbuf clusters in use (current/cache/total/max)
0/3/4528 sfbufs in use (current/peak/max)
1253K/622K/1875K bytes allocated to network (current/cache/total)
0 requests for sfbufs denied
0 requests for sfbufs delayed
0 requests for I/O initiated by sendfile
0 calls to protocol drain routines
Name    Mtu   Network          Address              Ipkts Ierrs    Opkts Oerrs  Coll
em0    1500  <Link#1>         00:14:22:0a:64:4c  2200575     0  2004248     0     0
em0    1500  fe80:1::214:2    fe80:1::214:22ff:        0     -        4     -     -
em0    1500  111.111.111.152  111.111.111.154       3395     -        0     -     -
em1    1500  <Link#2>         00:14:22:0a:64:4d  2003036     0  2195974     0     0
em1    1500  fe80:2::214:2    fe80:2::214:22ff:        0     -        4     -     -
em1    1500  111.111.111.152  111.111.111.154          0     -     6162     -     -
pfsyn  2020  <Link#3>                                  0     0        0     0     0
lo0   16384  <Link#4>                                  0     0        0     0     0
lo0   16384  127              127.0.0.1                0     -        0     -     -
lo0   16384  ::1/128          ::1                      0     -        0     -     -
lo0   16384  fe80:4::1/64     fe80:4::1                0     -        0     -     -
pflog 33208  <Link#5>                                  0     0        0     0     0
bridg  1500  <Link#6>         ac:de:48:e1:dd:5f  4197981     0  4200265     0     0




Choking:


Mon Oct 31 07:48:44 PST 2005
515/385/900 mbufs in use (current/cache/total)
514/310/824/17088 mbuf clusters in use (current/cache/total/max)
0/3/4528 sfbufs in use (current/peak/max)
1156K/716K/1873K bytes allocated to network (current/cache/total)
0 requests for sfbufs denied
0 requests for sfbufs delayed
0 requests for I/O initiated by sendfile
0 calls to protocol drain routines
Name    Mtu   Network          Address              Ipkts Ierrs    Opkts Oerrs  Coll
em0    1500  <Link#1>         00:14:22:0a:64:4c  2011449     0  1838611     0     0
em0    1500  fe80:1::214:2    fe80:1::214:22ff:        0     -        4     -     -
em0    1500  111.111.111.152  111.111.111.154       2644     -        0     -     -
em1    1500  <Link#2>         00:14:22:0a:64:4d  1835313     0  2007595     0     0
em1    1500  fe80:2::214:2    fe80:2::214:22ff:        0     -        4     -     -
em1    1500  111.111.111.152  111.111.111.154          0     -     5336     -     -
pfsyn  2020  <Link#3>                                  0     0        0     0     0
lo0   16384  <Link#4>                                  0     0        0     0     0
lo0   16384  127              127.0.0.1                0     -        0     -     -
lo0   16384  ::1/128          ::1                      0     -        0     -     -
lo0   16384  fe80:4::1/64     fe80:4::1                0     -        0     -     -
pflog 33208  <Link#5>                                  0     0        0     0     0
bridg  1500  <Link#6>         ac:de:48:e1:dd:5f  3841883     0  3846209     0     0


Some of your advised commands fail:


# sysctl hw.em0.stats=1 >> /tmp/output.txt
sysctl: unknown oid 'hw.em0.stats'
#
# sysctl hw.em1.stats=1 >> /tmp/output.txt
sysctl: unknown oid 'hw.em1.stats'
#
# sysctl hw.em2.stats=1 >> /tmp/output.txt
sysctl: unknown oid 'hw.em2.stats'




 
 Are you able to try this test using routing versus bridging?

I did not try with routing as this is not what I'm going to use.
I however tried doing this with firewall disabled and bridging enabled
which seems to show it is not bridging itself at least. 


 
 
 -Original Message-
 From: Scott Ullrich [mailto:[EMAIL PROTECTED] 
 Sent: Monday, October 31, 2005 1:09 PM
 To: support@pfsense.com
 Subject: Re: [pfSense Support] Network Device pooling
 
 On 10/31/05, Peter Zaitsev [EMAIL PROTECTED] wrote:
  On Mon, 2005-10-31 at 12:03 -0500, Scott Ullrich wrote:
   Please describe the hardware you're using fully.  NICs, etc.   This is
   not normal behavior.
 
  Sure It is Dell Poweredge 750
  512MB RAM,  SATA150 disk, Celeron 2.4Ghz
 
  ACPI APIC Table: DELL   PE750   
  Timecounter i8254 frequency 1193182 Hz quality 0
  CPU: Intel(R) Celeron(R) CPU 2.40GHz (2400.10-MHz 686-class CPU)
Origin = GenuineIntel  Id = 0xf29  Stepping = 9
 
 
  Features=0xbfebfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,DTS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE>
  Features2=0x4400<CNTX-ID,b14>
  real memory  = 536608768 (511 MB)
  avail memory = 515547136 (491 MB)
 
 
 
  NICs are built-in Intel 10/100/1000 NICs:
 
  em0: Intel(R) PRO/1000 Network Connection, Version - 2.1.7 port
  0xece0-0xecff mem 0xfe1e-0xfe1f irq 18 at device 1.0 on pci1
  em0: Ethernet address: 00:14:22:0a:64:4c
  em0:  Speed:N/A  Duplex:N/A
 
 
  It does not look like this is a hardware issue to me, as if I disable
  the firewall it works fine.
 
  I tried turning off scrub

Re: [pfSense Support] Traffic shaping broken in 0.90

2005-10-31 Thread Peter Zaitsev
On Mon, 2005-10-31 at 16:20 -0500, Dan Swartzendruber wrote:
 A
 Why not to set it to 1000Mbit ?  Seriously If you're looking for
 something fail safe  it could be fails safe.
 
 this is not ever going to happen unless there is something 
 misdefined.  very few people need to shape more than 10mb/sec of traffic.

Well... In this case it happened on upgrade. I did set interface
bandwidths previously but they were lost.

Also my idea (possibly very wrong) - it should be impossible to create a
broken rules.debug file from the web interface. If setting bandwidth on an
interface is required - it should be forced in the initial setup wizard
etc.

The thing is, even when such a feature as traffic shaping breaks, no rules are
loaded on reboot at all, leaving you in an interesting state.

This is of course a requirement for stable software which a lot of
newbies can easily use. I know it is alpha yet - but how do you make an
alpha stable without highlighting deficiencies?





Re: [pfSense Support] Locked out in bridging mode

2005-10-31 Thread Peter Zaitsev
On Mon, 2005-10-31 at 16:27 -0500, Scott Ullrich wrote:
 Well for one you're setting the _SAME_ ip on two interfaces, your wan
 and LAN.  Don't do this!   Use a different IP or use a fake ip on
 the LAN such as 192.168.1.1.

Scott,

I guess we're back to the reason why I set it  this way :) 

The fake IP address results in a lot of rules generated which should
apply to LAN but actually do not work because LAN is set to an IP
which no one uses. For example the LAN lockout rule is created very
wrong.

I tried with empty LAN address and this one and both of them normally
work.

I tested benchmark in both configurations and there is the same effect. 




 
 Scott
 
 On 10/31/05, Scott Ullrich [EMAIL PROTECTED] wrote:
  I still don't have any idea what you're trying to do.  Send me your
  config.xml off-list.
 
  Scott
 
 
  On 10/31/05, Peter Zaitsev [EMAIL PROTECTED] wrote:
   On Mon, 2005-10-31 at 15:33 -0500, Scott Ullrich wrote:
So what you're saying is after disabling the firewall and rebooting pf
is still enabled?
  
   No.  That is what is the mystery.  The firewall is disabled after I
   reboot.  pf is not running but  I can't connect to the firewall host
   (both SSH and HTTPS).   I can connect the boxes  which are behind
   firewall but not firewall host itself.
  
   It seems somehow related to the same IP on LAN and WAN interfaces
   according to my previous tests.
  
   
On 10/31/05, Peter Zaitsev [EMAIL PROTECTED] wrote:
 On Mon, 2005-10-31 at 15:12 -0500, Scott Ullrich wrote:
  pfctl runs pfctl -f /tmp/rules.debug.  What happens if you run this?

 There is no rules.debug  if   you have disabled firewall in advanced
 setting and rebooted.

 That was my first surprise :)





   
   
  
  
  
  
 
 
 





Re: [pfSense Support] Network Device pooling

2005-10-31 Thread Peter Zaitsev
On Mon, 2005-10-31 at 16:31 -0500, Scott Ullrich wrote:
 Are we absolutely sure this program works as intended?  Personally I
 wouldn't trust anything like this but smartbits.

Well... 

It works if filtering is disabled on pfSense - this is what worries me.
If the program were broken it should not work in either case.

Also I wrote when stall happens I can't telnet to port 80 on web server
host - which means it is not just program causing stall.

If it is protection on the FreeBSD side from too much activity from the same IP
(i.e. as it limits responses to flood ping) this would be good to know.

I hope this problem is actually something like that - I know there are a
lot of FreeBSD based routers out there - if it would be broken for real
workloads something would scream already.

One more interesting thing I noticed: 

Percentage of the requests served within a certain time (ms)
  50%     32
  66%     33
  75%     33
  80%     33
  90%     44
  95%    295
  98%    324
  99%    330
 100%  21285 (longest request)

Even if apache benchmark does not time out it often shows too long a
response time - (21 sec in this case)

What I've noticed - it can be 3, 9 or 21 secs in this case - This
really looks like the times at which SYN packets are resent by TCP/IP
stacks if no reply for the previous one arrives.

 
Doing more experiments I also discovered I can increase the chance of
passing the benchmark (still not to 100%) if I reduce tcp_fin_timeout and
increase ip_local_port_range variables on my test driver host.

This still brings the question why the behavior is different with and
without filtering, but it makes me worry less :)


 
 Scott
 
 
 On 10/31/05, Peter Zaitsev [EMAIL PROTECTED] wrote:
  On Mon, 2005-10-31 at 16:25 -0500, Scott Ullrich wrote:
   apr_poll: The timeout specified has expired (70007)
  
   What is the above from?  Your benchmark testing box?
 
  Yes. This is output from apache benchmark program.
 
 
  Benchmarking 111.111.111.158 (be patient)
  Completed 1 requests
  Completed 2 requests
  Completed 3 requests
  apr_poll: The timeout specified has expired (70007)
  Total of 30517 requests completed
 
 
 
  
   On 10/31/05, Peter Zaitsev [EMAIL PROTECTED] wrote:
On Mon, 2005-10-31 at 15:48 -0500, Scott Ullrich wrote:
 Are you viewing the traffic queue status?   This would be normal if 
 you are...
   
Heh,
   
Yes, good guess. These were running in the other window.
   
   
So here is the output for stalled case
   
# pfctl -ss | wc -l
   51898
   
I have number of states set to 100.000 in advanced page so it is not
peak number.
   
   
Note what really surprises me is the number of requests when it fails:
   
apr_poll: The timeout specified has expired (70007)
Total of 28217 requests completed
   
This number of 28217 is seen so often... Sometimes it is a bit more or
less but it is very frequently within +/- 100 of it.
   
I was asked if I can connect to the remote box when this problem happens
-  yes.  I can SSH to the same box which runs Apache, but I can't
connect to the port 80 when this problem happens.
   
So it looks like it does not like to see all these states corresponding
to the same target port number.
   
   
   

 Scott


 On 10/31/05, Peter Zaitsev [EMAIL PROTECTED] wrote:
  On Mon, 2005-10-31 at 14:39 -0500, Scott Ullrich wrote:
   On 10/31/05, Fleming, John (ZeroChaos) [EMAIL PROTECTED] wrote:
I wonder if part of the problem is PF isn't seeing the TCP tear 
down. It
seems a little odd that the max gets hit and nothing else gets 
through.
I guess it could be the benchmark isn't shutting down the 
session right
after its down transferring data, but I would think it would 
kill the
benchmark client to have 10K(ish) of open TCP sessions.
  
   One way to determine this would be to run pfctl -ss | wc -l once
   pfSense stops responding?
 
  Very interesting
 
  I tried running this before the problems but it looks strange 
  already:
 
  # pfctl -ss | wc -l
  4893
  Killed
  # pfctl -ss | wc -l
 23245
  Killed
 
  There is nothing in dmesg or  system logs.
 
 
 
 
 
 
 


   
   
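
The 3, 9 and 21 second tail latencies the poster attributes to SYN retransmission are exactly the signal a firewall operator wants to pick out of a benchmark: a dropped SYN (state table full, a rule, or loss anywhere on the path) is retransmitted by the client after an initial retransmission timeout that doubles on every retry, so the connection completes just after 3, 9, 21, 45, ... seconds and the request's own service time is added on top. The script below is an added example, not code from pfSense or from anyone in the thread. It parses ab's percentile table (the one quoted above, reused here as sample input), computes the cumulative retransmit deadlines, and reports which percentiles sit within a service-time window above one of them. The 3 s initial RTO and the 500 ms service-time window are assumptions; older BSD and Linux stacks used a 3 s initial SYN timeout, and the window should be set from the benchmark's own median.

```python
"""Spotting lost SYNs in ab's latency percentiles.

Added example for this thread, not code from pfSense or from the poster.
"""
import re

# Assumed initial SYN retransmission timeout (older BSD and Linux stacks: 3 s).
INITIAL_SYN_RTO_S = 3.0

# Percentile block as quoted in the thread, used here as sample input.
SAMPLE_AB_PERCENTILES = """\
Percentage of the requests served within a certain time (ms)
  50%     32
  66%     33
  75%     33
  80%     33
  90%     44
  95%    295
  98%    324
  99%    330
 100%  21285 (longest request)
"""

_PERCENTILE_RE = re.compile(r"^\s*(\d+)%\s+(\d+)", re.MULTILINE)


def syn_retransmit_deadlines(max_retries=5, initial_rto_s=INITIAL_SYN_RTO_S):
    """Seconds elapsed since the first SYN when the k-th retransmit goes out;
    the RTO doubles after every unanswered SYN."""
    deadlines, elapsed, rto = [], 0.0, initial_rto_s
    for _ in range(max_retries):
        elapsed += rto
        deadlines.append(elapsed)
        rto *= 2
    return deadlines


def syn_retries_implied(latency_ms, service_time_ms=500, **kw):
    """Number of SYN retransmissions a response time implies, or None.

    A latency is attributed to k retransmissions when it exceeds the k-th
    deadline by at most service_time_ms (the time the request itself took)."""
    for k, deadline in enumerate(syn_retransmit_deadlines(**kw), start=1):
        excess = latency_ms - deadline * 1000
        if 0 <= excess <= service_time_ms:
            return k
    return None


def parse_ab_percentiles(text):
    """Map percentile -> milliseconds from ab's percentile table."""
    return {int(p): int(ms) for p, ms in _PERCENTILE_RE.findall(text)}


def flag_syn_loss(percentiles, **kw):
    """Percentiles whose latency looks like a SYN retransmit wait, mapped to
    the number of retransmissions that latency implies."""
    flagged = {}
    for p, ms in percentiles.items():
        k = syn_retries_implied(ms, **kw)
        if k is not None:
            flagged[p] = k
    return flagged


if __name__ == "__main__":
    pct = parse_ab_percentiles(SAMPLE_AB_PERCENTILES)
    print("retransmit deadlines (s):", syn_retransmit_deadlines())
    print("percentiles:", pct)
    print("SYN loss suspected at:", flag_syn_loss(pct))
```

On the sample table only the 100th percentile is flagged, as three retransmissions; the 95th to 99th percentiles (around 300 ms) are not, so they need a different explanation than lost SYNs. A percentile sitting just above a deadline on the client is the moment to compare the firewall's state count and its `pfctl -si` counters against the configured state limit.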

[pfSense Support] Empty LAN IP is broken once again

2005-10-31 Thread Peter Zaitsev
Hi, 

It looks like there is some newly added bug in 0.90 with empty LAN
address (WAN bridging)

# FTP proxy
rdr-anchor pftpx/*
rdr on em1 proto tcp from any to any port 21 -> 127.0.0.1 port 8021


pass in on  em1 proto tcp from /29 to any port 5900:5930  keep state tag
qOthersDownH
pass out on  em0 proto tcp from any to any port 5900:5930  keep state
tag qOthersUpH
pass in on  em0 proto tcp from any to /29 port 5900:5930  keep state tag
qOthersUpH
pass out on  em1 proto tcp from any to /29 port 5900:5930  keep state
tag qOthersDownH


I guess this is part of traffic shaper. 



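
Both breakages reported in these threads, the shaper queues that `pfctl -f /tmp/rules.debug` rejected after the upgrade and the empty LAN address that surfaces as a bare `/29` in the generated rules, are detectable before pf ever sees the file. The script below is an added example, not pfSense's own code. It walks a generated ruleset, flags an address that is missing in front of its prefix length, and rebuilds the shaper queue tree to report a queue whose parent does not exist or whose bandwidth exceeds its parent's, mirroring the messages pfctl prints for those cases. The `altq`/`queue` grammar it understands is the subset visible in the thread (a `bandwidth` value in bits or percent and a `{ children }` list); the sample ruleset is constructed. The authoritative syntax gate remains `pfctl -nf rules.debug`, which parses a ruleset without loading it; the value of a check like this one is that it says why the load would fail and can run before the old rules are flushed.

```python
"""Pre-flight checks for a generated pf ruleset such as /tmp/rules.debug.

Added example, not pfSense code. Flags an empty address leaking into a rule
as a bare "/29" and shaper queues whose parent is missing or whose bandwidth
exceeds the parent's, mirroring the messages pfctl prints for them.
"""
import re

EMPTY_ADDR_RE = re.compile(r"\b(?:from|to)\s+/\d+\b")
ALTQ_RE = re.compile(r"^altq\s+on\s+(\w+)\s+\w+(?:\s+bandwidth\s+(\S+))?.*?\{([^}]*)\}")
QUEUE_RE = re.compile(r"^queue\s+(\w+)(?:\s+on\s+\w+)?\s+bandwidth\s+(\S+)(.*)$")
CHILDREN_RE = re.compile(r"\{([^}]*)\}")
UNITS = {"b": 1, "kb": 1_000, "mb": 1_000_000, "gb": 1_000_000_000}

# Constructed sample shaped like the generated rules quoted in the thread.
SAMPLE_RULES = """\
# shaper root asks for more than the interface was given
altq on em0 hfsc bandwidth 10Mb queue { qWANRoot }
queue qWANRoot bandwidth 100Mb hfsc { qWANdef, qWANacks }
queue qWANdef bandwidth 50% hfsc(default)
queue qWANacks bandwidth 20% priority 7
queue qOrphan bandwidth 1Mb
pass in on em1 proto tcp from /29 to any port 5900:5930 keep state tag qOthersDownH
pass out on em0 proto tcp from any to any port 5900:5930 keep state tag qOthersUpH
"""


def parse_bandwidth(spec, parent_bits):
    """Bandwidth spec ("10Mb", "512Kb", "50%") to bits/s; percent is of the parent."""
    spec = spec.lower()
    if spec.endswith("%"):
        return parent_bits * float(spec[:-1]) / 100.0
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([kmg]?b)", spec)
    if not m:
        raise ValueError(f"unparseable bandwidth {spec!r}")
    return float(m.group(1)) * UNITS[m.group(2)]


def validate_rules(text):
    """Return sorted 'line N: ...' problem strings; empty means nothing found."""
    problems = []   # (line number, message)
    parent_of = {}  # queue name -> parent queue or interface
    bandwidth = {}  # queue or interface -> bits/s, None when unknown
    queues = []     # (line number, name, bandwidth spec, rest of line)
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if EMPTY_ADDR_RE.search(line):
            problems.append((n, f"line {n}: empty address in rule ({line})"))
        m = ALTQ_RE.match(line)
        if m:
            ifname, bw, kids = m.groups()
            # Without an explicit bandwidth pf falls back to the interface's
            # reported link speed, which a NIC showing "Speed:N/A" cannot supply.
            bandwidth[ifname] = parse_bandwidth(bw, 0) if bw else None
            if bw is None:
                problems.append((n, f"line {n}: no bandwidth for interface {ifname}"))
            for kid in kids.replace(",", " ").split():
                parent_of[kid] = ifname
            continue
        m = QUEUE_RE.match(line)
        if m:
            queues.append((n, *m.groups()))
    for _, name, _, rest in queues:
        kids = CHILDREN_RE.search(rest)
        for kid in (kids.group(1).replace(",", " ").split() if kids else []):
            parent_of[kid] = name
    # Resolve bandwidths top-down; a queue waits until its parent is resolved.
    pending = list(queues)
    while pending:
        progress = False
        for item in list(pending):
            n, name, spec, _ = item
            parent = parent_of.get(name)
            if parent is None:
                problems.append((n, f"line {n}: parent not found for {name}"))
            elif parent not in bandwidth:
                continue
            elif bandwidth[parent] is None:
                bandwidth[name] = None
            else:
                bits = parse_bandwidth(spec, bandwidth[parent])
                if bits > bandwidth[parent]:
                    problems.append((n, f"line {n}: bandwidth for {name} higher than {parent}"))
                bandwidth[name] = bits
            pending.remove(item)
            progress = True
        if not progress:  # the rest hang off a parent that itself was rejected
            for n, name, *_ in pending:
                problems.append((n, f"line {n}: parent not found for {name}"))
            break
    return [msg for _, msg in sorted(problems)]


if __name__ == "__main__":
    for problem in validate_rules(SAMPLE_RULES) or ["ruleset looks consistent"]:
        print(problem)
```

The sample produces three findings: the root queue asking for more than its interface, the orphan queue, and the rule with the empty address. A queue whose parent was rejected is reported as "parent not found", which is also what pfctl prints for every child once a root queue fails, so the first finding in line order is the one to fix.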



Re: [pfSense Support] Empty LAN IP is broken once again

2005-10-31 Thread Peter Zaitsev
On Mon, 2005-10-31 at 17:51 -0500, Scott Ullrich wrote:
 After all of the problems from the last couple days its obvious that
 an IP address is required on the LAN interface so I have reinstalled
 the code that prevents someone from not entering an IP address.   The
 shaper is another area that gets broken by this careless move on my
 part.

Heh.  So we're back dead in the water.

An IP is required. The same IP as on WAN leads to trouble. A fake IP leads
to less trouble but still some stuff does not work this way.



 
 Scott
 
 On 10/31/05, Peter Zaitsev [EMAIL PROTECTED] wrote:
  Hi,
 
  It looks like there is some newly added bug in 0.90 with empty LAN
  address (WAN bridging)
 
  # FTP proxy
  rdr-anchor pftpx/*
  rdr on em1 proto tcp from any to any port 21 -> 127.0.0.1 port 8021
 
 
  pass in on  em1 proto tcp from /29 to any port 5900:5930  keep state tag
  qOthersDownH
  pass out on  em0 proto tcp from any to any port 5900:5930  keep state
  tag qOthersUpH
  pass in on  em0 proto tcp from any to /29 port 5900:5930  keep state tag
  qOthersUpH
  pass out on  em1 proto tcp from any to /29 port 5900:5930  keep state
  tag qOthersDownH
 
 
  I guess this is part of traffic shaper.
 
 
 
 
 
 
 





RE: [pfSense Support] Empty LAN IP is broken once again

2005-10-31 Thread Peter Zaitsev
On Tue, 2005-11-01 at 02:42 +0100, Espen Johansen wrote:
 Hi Peter,
 
 I'm sorry, but I for one have had quite enough emails from you by now.
 You have clearly demonstrated that you do not understand enough about
 firewalls, filtering, BSD etc. to use pfSense in its current state.

Thank you.  I guess that is the most helpful answer of all :)


 And I have more than enough emails to read without this mailing list getting
 filled up with unneeded info. It seems some devs have already tried to nicely
 inform you that you are somewhat on the wrong track here.

Wrong track with what ?  Testing pfsense and reporting bugs ?  



 Like comparing an i386 generic OS and HW with a Cisco PIX, I mean come on,
 what on earth are you thinking?

As I mentioned in my emails, firewalls may have hardware acceleration,
which means direct comparison might not be possible. But so which
hardware acceleration does PIX have? Watchguard is an even better case -
as I remember it has very limited if any acceleration.

You mentioned PIX had trouble with 35K sessions on a Celeron 300MHz...
well in this case I should say it has very limited acceleration. A few
years ago I had a software firewall on Linux with a PIII-550 CPU and I had
close to this number of states.

And yes. number of states is not only criteria :) 



 An OS created to do routing and packet filtering running with ASICs is not
 comparable to FreeBSD on i386 at all.

There are certain actions you need to perform to route/filter a packet.
You may compute how many instructions efficient code would take to
route the packet in a fully software solution and use it as a
ballpark.


 I mean a Juniper M40 might have a PII 233Mhz processor and 256 MB RAM. It
 does 40 million pps +++. So then I guess FreeBSD running on a 500Mhz with
 512MB ram should handle twice as much ?!?
 Junos is even derived from freebsd so it _MUST_ be somewhat the same :p
 

Seriously, in this case the main CPU does not really do the main job, it is
mainly for controlling the functions.  I did not have Juniper as an
example - you did. 

If you want to look at Juniper solutions take a look at Netscreen.
The M40 is a router platform (which has some firewalling functions);
this is not the product which would be functionally compared to
pfSense.   NetScreen, SonicWall, Watchguard - these would.  Oh well,
even Linksys at the lower end.

Take a look at NetScreen 25.

http://www.juniper.net/products/glance/nscn_25_50.html

We have 32.000 sessions advertised.

I do not remember which CPU it has but it is some few hundred Mhz.  
On my box I can get some 100.000 sessions with a simple firewall 
and traffic shaping.  

40 million packets per second.  I guess you must be kidding - I'm
speaking about a few thousand, which is well within what the box should
be able to handle.  

Actually, as serious an expert in TCP/IP as you are, you should probably
know you can create very many active sessions with a very limited number
of packets per second :)



 Seriously, you have clearly demonstrated that you do not have a clue about
 what you're doing, even suggesting to put the same IP on two interfaces
 clearly shows me that you do not know the first thing about how things
 work.

Oh yeah.  I did not like that one myself.  Honestly. But it proved to be
the best working configuration.   Note I'm not routing the stuff between
networks - the interfaces are bridged and so the same IP is practically
visible from both interfaces anyway.  


 
 Even thinking about using pfsense in a datacenter to protect your boxes with
 your kind of knowledge is at best a BAD move.

You like to judge people, don't you ? 

 
 Now please sit down and read up on routing, TCP/IP and BSD in general.
 Then learn how the things work from sitting in your own LAB and test things
 (not with ab btw.).

What do you have against ab ?  Just curious ?  Does it represent the
real load - no, but it is a good stress test. I would move on quickly
if this one would work. 


  Then put what you have learned to good use (and NO, that
 does not mean writing another 60 emails to this list). That means test, and
 figure out the problem, and give us a fix/patch. Or at least a detailed
 description of the problem, and how to repeat it. We already know that there
 are many bugs in the system and that performance is not close to what it can
 be.

Knowing that the bugs exist is not the same as knowing what the bugs
are. You probably would not argue most of the bugs reported are
real - well you may judge it as silly actions from me - probably, but
you're targeting the SOHO market - do you guys expect to have Certified
Cisco engineers to use it ? 

I mentioned that but I repeat it for you specially - I reported the bugs
only because there was positive feedback from developers.  If everyone
would be as helpful as you I would probably have used another solution or found
workarounds to have it work for my case. 


 But the goal for 1.0 is to have something that works and gives users a 

Re: [pfSense Support] Traffic shaping broken in 0.90

2005-10-31 Thread Peter Zaitsev
On Mon, 2005-10-31 at 17:14 -0600, Bill Marquette wrote:
 On 10/31/05, Peter Zaitsev [EMAIL PROTECTED] wrote:
  The fact it is not production ready as you put it makes me cautious -
  this is why I go in bridging mode as this way I can bypass firewall
  physically by switching couple of cables which staff at remote facility
  can do for me.
 
 Right, so you use the most untested part of the product, which frankly
 increases the chance that you're going to switch a couple cables.

Well... It looks like there are not many well tested Open Source
products designed for collocation needs such as mine. The ability to operate
in Transparent mode and a decent traffic shaper are the two main reasons I have
chosen pfSense. 

If I'm lucky it will work well for my case, if not I'll have to do
something.  

Someone has to make a move and try to use the feature so it becomes
solid - if everyone would just wait for others to test out the feature
first before starting to use it, it will never be tested. 





Re: [pfSense Support] Dump states feature

2005-10-30 Thread Peter Zaitsev
On Sun, 2005-10-30 at 14:29 -0400, Scott Ullrich wrote:
 With that amount of states it does not surprise me.  You're most
 likely better off doing a pfctl -ss and using grep to find what you're
 looking for.

Yes...  It is however not a total excuse for the web page simply not loading.
It would look like a bug to a normal user :) 






Re: [pfSense Support] Dump states feature

2005-10-30 Thread Peter Zaitsev
On Sun, 2005-10-30 at 15:31 -0400, Scott Ullrich wrote:
 How many users have 50,000 states?  I doubt very many!

Yet

I got to this point just running about 500 requests/sec  in apache
benchmark.  No keepalive. 

Once you get more pfsense installations in data centers I guess it 
will be quite typical.

Why do I think it is especially attractive ?  Well because for home use
you can buy firewall pretty cheap.  The same applies for small business
usage - there are solutions going for below 500$ costing just  a bit
more than decent hardware for pfsense would. 

If you look at higher end firewalls, ie for collocation purposes - you
instantly get to be charged a lot of money.  I've looked at PIX,
Watchguard, SonicWall, Netscreen and few others before going to
pfsense. 

I spoke to the people using them and found it is not exactly problem
free and not paramount in stability. 

You are also forced to get a support/update contract - you will not even get
bug fixes without it, which all gets pretty expensive. 

Finally some people who had some problems with a firewall which could not
be resolved by the vendor ended up selling it on Ebay.   With pfSense
running on commodity hardware it is not the case  - if I'm not happy
with it for some reason I can try a different firewall solution or simply
put OpenBSD or any other OS on it and set it up as a firewall. 

I love flexibility and hate vendor lock-in


 
 Scott
 
 On 10/30/05, Peter Zaitsev [EMAIL PROTECTED] wrote:
  On Sun, 2005-10-30 at 14:29 -0400, Scott Ullrich wrote:
   With that amount of states it does not surprise me.  You're most
   likely better off doing a pfctl -ss and using grep to find what you're
   looking for.
 
  Yes...  It is however not total excuse for web page simply not loading.
  It would look like a bug to normal user :)
 
 
 
 
 
 
 





Re: [pfSense Support] Dump states feature

2005-10-30 Thread Peter Zaitsev
On Sun, 2005-10-30 at 15:45 -0400, Scott Ullrich wrote:
 If you don't mind me asking, what hardware are you running pfsense on
 for these tests?

This is Dell PowerEdge 750  - 512Mb RAM,  Celeron 2.4Ghz 
2 Intel 1Gbit NICs

This seems to be much better than all firewalls  below 5K$ have :)







Re: [pfSense Support] Tests of new version (apache benchmark problem remains)

2005-10-30 Thread Peter Zaitsev
On Sun, 2005-10-30 at 04:08 -0400, Scott Ullrich wrote:
 This is not a release to test.   Wait for OFFICIAL release around monday.

Yes I know it is still RC1 based... 

I just need to ship the box around Monday for installation so I'm
testing each new release, to increase the chance of all my cases being
fixed :)

I hope there is official release in time :)





Re: [pfSense Support] Traffic shaping breaks

2005-10-29 Thread Peter Zaitsev
On Sat, 2005-10-29 at 23:05 -0500, Bill Marquette wrote:
 Fixed.
 
 update_file.sh /usr/local/www/system_advanced.php
 and re-run shaper wizard or add:
 <schedulertype>hfsc</schedulertype>
 to shaper tag in /conf/config.xml and reboot.

Thanks. I actually simply reran the traffic shaper. 

Anyway this possibility of the firewall disabling itself and allowing all
traffic to pass due to an internal error is worrying.

 





[pfSense Support] Pfsense causing problems on high load.

2005-10-28 Thread Peter Zaitsev
Hi,

As I mentioned I'm trying to deploy pfsense for a colocation
environment. 

Today I did some performance tests, using the main type of traffic -
HTTP requests - apache benchmark from my laptop to a Linux server with
only the pfsense firewall in between.

The firewall has 2 Gbit NICs and a Celeron-2.4Ghz CPU, 512M RAM.

I'm testing very basic setup initially - having single rule which allows
traffic from test host to any port on my apache web server. 

What happens with pfsense is:

 0 4 0   41432 460856  344   0   0   0 314   0   0 1859  432 3519  1 11 89
 0 3 0   36736 461816  393   0   0   0 412   0   1 5636  489 10521  1 27 72
 0 4 0   41432 460856  344   0   0   0 315   0   0 4555  432 8495  1 26 73
 0 3 0   36964 461760  402   0   0   0 419   0   1  120  500 305  0  2 98
 0 4 0   41660 460800  344   0   0   0 313   0   0  121  434 303  1  1 98
 0 3 0   36736 461816  398   0   0   0 416   0   0  115  493 294  1  1 98



On my test box:

[EMAIL PROTECTED]:/download /tmp/ab2  -n 10  http://host/
This is ApacheBench, Version 2.0.41-dev $Revision: 1.121.2.12 $
apache-2.0
Copyright (c) 1996 Adam Twiss, Zeus Technology Ltd,
http://www.zeustech.net/
Copyright (c) 1998-2002 The Apache Software Foundation,
http://www.apache.org/

Benchmarking host (be patient)
Completed 1 requests
apr_poll: The timeout specified has expired (70007)
Total of 12327 requests completed

So as you can see it starts well and then it just dies. 

If I simply plug the cable to the test box directly bypassing firewall
it works just great completing the test.

Concurrency Level:  1
Time taken for tests:   107.391084 seconds
Complete requests:  10
Failed requests:0
Write errors:   0
Non-2xx responses:  10
Total transferred:  41290 bytes
HTML transferred:   39310 bytes
Requests per second:931.18 [#/sec] (mean)
Time per request:   1.074 [ms] (mean)
Time per request:   1.074 [ms] (mean, across all concurrent
requests)
Transfer rate:  3754.71 [Kbytes/sec] received


 As you can see it even dies at minimal concurrency level of 1!


I started with limiting number of states in the state table to 10
but tried with 100 as well - still no luck.   Tables get just some
50.000 of states during the test.

Setting lower state timeout does not help.


I tried playing with the state option in the firewall, and none and synproxy did
not seem to work at all - I could not connect to port 80 after I set
these. 

After more tests I can see

1) setting aggressive optimization and 1 states makes it work.
States however go well above 1 so this limit seems to be
misleading.

2) aggressive and 10 states also works. 

3) going to normal optimization causes the box to stop processing after
a certain number of connections. 

4) going to conservative behaves the same way as normal, stopping
responding. 


This looks like a serious issue to me - any advice here ? 


One more strange issue - after I stopped the test and made sure there is
no more traffic on the interface I still see the CPU loaded some 10-15% in
vmstat. top does not let me identify which process takes it:


# vmstat 5
 procs  memory  page   disk   faults  cpu
 r b w   avm    fre  flt  re  pi  po  fr  sr ad2   in   sy  cs us sy id
 1 3 0   39508 459700 1461   0   0   0 1438   0   0 1578 2066 3069 11 11 77
 0 3 0   39508 459700 2115   0   0   0 2080   0  22  174 3278 463 12  6 82
 0 3 0   39272 459756 2126   0   0   0 2095   0  22  179 3288 473 12  6 82
 1 3 0   48280 453448 2458   0   0   0 2110   0  22  175 3508 465 14  7 79
 0 3 0   39272 459756 2140   0   0   0 2418   0  22  177 3314 468 11  6 82





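The posts in this thread describe the state table climbing to some 50,000 entries at about 500 requests/sec with no keepalive, and only the "aggressive" optimization (which expires states sooner) keeping the box responsive. The following Python is an added example, not code from the thread or from pfSense: it applies Little's law (entries in the table = new-connection rate multiplied by the seconds each entry lives) to size a state table, to see how soon a given state limit is reached, and to put the same bound on the benchmark client's ephemeral ports. The per-profile lifetimes, the client port range and the TIME_WAIT value are constructed illustrative assumptions; the real pf timeouts are read with `pfctl -st` on the firewall.

```python
"""State-table sizing for a stateful firewall under short-lived connections.

Added example (not pfSense code, not from the thread).  Lifetime values
below are constructed illustrations; the real pf timeouts come from
`pfctl -st` on the firewall itself.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class StateLifetime:
    """Seconds a finished connection's entry lingers in the state table."""
    name: str
    seconds: float


# Assumed illustrative profiles: the "aggressive" optimization expires
# states sooner than "normal", so fewer of them coexist at a given rate.
NORMAL = StateLifetime("normal", seconds=100.0)
AGGRESSIVE = StateLifetime("aggressive", seconds=30.0)


def steady_state_entries(new_conn_per_sec: float, lifetime: StateLifetime) -> float:
    """Little's law: entries in the table = arrival rate x time each stays."""
    return new_conn_per_sec * lifetime.seconds


def implied_lifetime(observed_entries: float, new_conn_per_sec: float) -> float:
    """Invert Little's law: how long, on average, does each state live if
    `new_conn_per_sec` connections/s keep `observed_entries` in the table?"""
    return observed_entries / new_conn_per_sec


def seconds_until_full(limit: int, new_conn_per_sec: float,
                       lifetime: StateLifetime) -> Optional[float]:
    """Seconds of traffic until the table reaches `limit`, or None if it
    never does (entries expire as fast as they arrive).

    Occupancy grows linearly at the arrival rate until the oldest entries
    start expiring at t = lifetime; if `limit` is hit before that, every
    new connection from then on is dropped by the firewall.
    """
    if steady_state_entries(new_conn_per_sec, lifetime) <= limit:
        return None
    return limit / new_conn_per_sec


def connections_before_stall(limit: int, new_conn_per_sec: float,
                             lifetime: StateLifetime) -> Optional[int]:
    """How many connections complete before the table is full."""
    t = seconds_until_full(limit, new_conn_per_sec, lifetime)
    return None if t is None else int(new_conn_per_sec * t)


def client_max_rate(port_lo: int, port_hi: int, time_wait_seconds: float) -> float:
    """Same law on the benchmark client: one new source port per request,
    each parked in TIME_WAIT afterwards, caps the sustainable rate at
    (number of ephemeral ports) / (TIME_WAIT seconds)."""
    return (port_hi - port_lo + 1) / time_wait_seconds


if __name__ == "__main__":
    rate = 500.0  # requests/second with no keepalive, as in the thread
    print(f"50,000 states at {rate:.0f}/s implies ~{implied_lifetime(50_000, rate):.0f} s per state")
    for limit in (10_000, 20_000, 100_000):
        for profile in (NORMAL, AGGRESSIVE):
            n = connections_before_stall(limit, rate, profile)
            verdict = "never fills" if n is None else f"full after {n} connections"
            print(f"limit={limit:>7} {profile.name:<10} {verdict}")
    # Assumed client values: a 32768-61000 ephemeral range and 60 s TIME_WAIT
    print(f"client ceiling ~{client_max_rate(32768, 61000, 60.0):.0f} new connections/s")
```

The point of the model for a firewall in front of a busy web host: whichever of the state limit or the client's port pool is exhausted first decides where the stall shows up, and with the thread's numbers the implied 100 s average state life is what makes 500 connections/s cost 50,000 entries. Shortening state lifetimes (the "aggressive" profile) or raising the limit both move the crossover; the figures here are for illustration only.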


Re: [pfSense Support] Pfsense causing problems on high load.

2005-10-28 Thread Peter Zaitsev
On Thu, 2005-10-27 at 23:32 -0700, Peter Zaitsev wrote:
 Hi,
 
 As I mentioned I'm trying to deploy pfsense for a colocation
 environment. 

Small followup,

Even aggressive mode does not seem to keep up with traffic well. 

In apache benchmark it works with concurrency=1 but fails with 30, for
example:

Completed 1 requests
Completed 2 requests
apr_poll: The timeout specified has expired (70007)
Total of 28227 requests completed


This behavior is repeatable - I tried rebooting the box etc.

You can also look at VMSTAT at  concurrency 30 vs 1


Concurrency 30:

 2 3 0   43064 460496  114   0   0   0  22   0   0  693  131 543  1 28 71
 procs  memory  page   disk   faults  cpu
 r b w   avm    fre  flt  re  pi  po  fr  sr ad2   in   sy  cs us sy id
 4 4 0   47384 458212  567   0   0   0 439   0  12 1426 2120 541  1 98  0
 1 2 0   36804 462320  436   0   0   0 641   0   9 1342  611 642  3 96  1
 0 3 0   36804 462320  653   0   0   0 636   0  19  388 2217 423  2 22 76
 0 3 0   36804 462320  638   0   0   0 620   0  19  149 2203 401  1  3 96
 1 3 0   42760 460900   94   0   0   0  22   0   0  140  116 329  0  0 99



Concurrency 1:
 1 3 0   36804 462324  649   0   0   0 633   0  19 5668 2213 10362  1 38 61
 0 3 0   36784 462324  638   0   0   0 622   0  19 6401 2204 11948  1 35 63
 0 3 0   36784 462324  638   0   0   0 619   0  19 6120 2204 11277  2 42 56
 0 3 0   36784 462324  638   0   0   0 621   0  19 5843 2203 10882  2 40 58
 2 4 0   42492 460368  526   0   0   0 415   0  12 5752  612 10613  1 36 62
 0 3 0   36784 462324  112   0   0   0 204   0   7 6393 1618 11973  0 35 65
 0 3 0   36784 462320  638   0   0   0 623   0  19 4136 2204 7715  2 27 71
 0 3 0   36784 462320  638   0   0   0 621   0  19 6074 2205 11351  2 37 61
 0 3 0   36784 462320  638   0   0   0 623   0  19 6002 2203 10880  2 36 62
 0 3 0   36804 462320  638   0   0   0 621   0  19 5485 2204 10421  2 28 70
 0 3 0   36784 462320  638   0   0   0 620   0  19 4781 2204 8802  2 29 69
 0 3 0   36804 462320 1131   0   0   0 1119   0  21 5475 2825 10282  5 38 57
 0 3 0   37012 462264  655   0   0   0 635   0  19 5775 2229 10576  1 34 66


As you see, at concurrency 30 cpu usage falls significantly and context
switches become very low.   For the first few seconds the CPU actually does
spike to 100%, and this is why we have some 20.000 requests completed,
and then it dies...

Very interesting however: even with high CPU usage the number of context
switches is nowhere near concurrency=1 








Re: [pfSense Support] Summary of problems in Bridging Mode

2005-10-28 Thread Peter Zaitsev
On Fri, 2005-10-28 at 12:11 -0400, Scott Ullrich wrote:
 All these issues have been fixed.  Please wait until the next version.

Sure.  I'm checking mirrors and your home directory every day for new
stuff to try :)

So what is going to be official way for bridging mode  ? Is it no IP for
LAN or  same as WAN ? 



 On 10/28/05, Peter Zaitsev [EMAIL PROTECTED] wrote:
  Hi,
 
  I've recently tried a number of variants of setting pfsense in Bridging
  mode for my small subnet and I guess here is the state of things as it is
  now.
 
  Scott was going to fix some of these issues but I guess it is good to
  summarize them anyway.
 
  So running in bridging mode you set  111.111.111.154/29 as IP on your
  WAN interface. Your options for LAN are
 
  1)  Set LAN ip empty.
  You're allowed to set IP empty but this breaks a lot of rules in pf
  tables, as lan IP does not exist any more.  And the check does not seem to
  be present.
 
  2) Set lan IP address to be the same as WAN IP.  This is also allowed,
  but it breaks the wan spoof protection rule which does not seem like it can
  be disabled.  I was told  Block traffic from private networks does it
  but by my tests it does not.
 
  3) Set lan IP address to be some fake one, I used 10.25.15.1.
  In this case it is the closest to being functional.  It however does not
  identify LAN subnet right so firewall rules which include lan subnet do
  not work. There are some lesser items such as lockout protection does
  not work and this kind of stuff:
 
  (All these rules have LAN wrong)
 
  nat on em0 from 10.25.15.0/29 port 500 to any port 500 -> (em0) port 500
  nat on em0 from 10.25.15.0/29 to any -> (em0)
  pass in quick on em1 proto udp from any port = 68 to 10.25.15.1 port =
  67 label allow access to DHCP server on LAN
  pass out quick on em1 proto udp from 10.25.15.1 port = 67 to any port =
  68 label allow access to DHCP server on LAN
  block in log quick on em0 from 10.25.15.0/29 to any label WAN spoof
  check
  block in log quick on em0 proto udp from any port = 67 to 10.25.15.0/29
  port = 68 label allow dhcp client out wan
  pass in quick from 10.25.15.0/29 to 10.25.15.1 keep state label
  anti-lockout web rule
 
 
 
 
  How I would expect it to work ?
 
  Leave it empty or set it same as WAN I think one or another should be
  made to work.  Wan spoofing should not be enabled in such case and  LAN
  network should be made identified correctly  for setting firewall
  rules.
 
 
 
 
 
 





Re: [pfSense Support] Summary of problems in Bridging Mode

2005-10-28 Thread Peter Zaitsev
On Fri, 2005-10-28 at 13:05 -0400, Scott Ullrich wrote:
 I think it will work better with a dummy ip.  But it will work
 without a ip as well now.

Hm. Dummy IP looks like the ugliest and the most unintuitive solution. 

Also as I noted it results in a few options breaking - anti lockout and
stuff. 

If you've fixed these to use the WAN IP address in this case instead,  I do
not understand why you need a fake address at all.  

Practically speaking all rules with the fake IP are broken and the functionality
which they are expected to provide does not work.

Well. Anyway I'll just wait for new version and check how it works in
all 3 cases.


 
 Scott
 
 On 10/28/05, Peter Zaitsev [EMAIL PROTECTED] wrote:
  On Fri, 2005-10-28 at 12:11 -0400, Scott Ullrich wrote:
   All these issues have been fixed.  Please wait until the next version.
 
  Sure.  I'm checking mirrors and your home directory every day for new
  stuff to try :)
 
  So what is going to be official way for bridging mode  ? Is it no IP for
  LAN or  same as WAN ?
 
 
 
   On 10/28/05, Peter Zaitsev [EMAIL PROTECTED] wrote:
Hi,
   
I've recently tried a number of variants of setting pfsense in Bridging
mode for my small subnet and I guess here is the state of things as it is
now.
   
Scott was going to fix some of these issues but I guess it is good to
summarize them anyway.
   
So running in bridging mode you set  111.111.111.154/29 as IP on your
WAN interface. Your options for LAN are
   
1)  Set LAN ip empty.
You're allowed to set IP empty but this breaks a lot of rules in pf
tables, as lan IP does not exist any more.  And the check does not seem to
be present.

2) Set lan IP address to be the same as WAN IP.  This is also allowed,
but it breaks the wan spoof protection rule which does not seem like it can
be disabled.  I was told  Block traffic from private networks does it
but by my tests it does not.

3) Set lan IP address to be some fake one, I used 10.25.15.1.
In this case it is the closest to being functional.  It however does not
identify LAN subnet right so firewall rules which include lan subnet do
not work. There are some lesser items such as lockout protection does
not work and this kind of stuff:

(All these rules have LAN wrong)

nat on em0 from 10.25.15.0/29 port 500 to any port 500 -> (em0) port 500
nat on em0 from 10.25.15.0/29 to any -> (em0)
pass in quick on em1 proto udp from any port = 68 to 10.25.15.1 port =
67 label allow access to DHCP server on LAN
pass out quick on em1 proto udp from 10.25.15.1 port = 67 to any port =
68 label allow access to DHCP server on LAN
block in log quick on em0 from 10.25.15.0/29 to any label WAN spoof
check
block in log quick on em0 proto udp from any port = 67 to 10.25.15.0/29
port = 68 label allow dhcp client out wan
pass in quick from 10.25.15.0/29 to 10.25.15.1 keep state label
anti-lockout web rule
   
   
   
   
How I would expect it to work ?
   
Leave it empty or set it same as WAN I think one or another should be
made to work.  Wan spoofing should not be enabled in such case and  LAN
network should be made identified correctly  for setting firewall
rules.
   
   
   
   
  
  
 
 
 
 
 
 





Re: [pfSense Support] Summary of problems in Bridging Mode

2005-10-28 Thread Peter Zaitsev
On Fri, 2005-10-28 at 13:42 -0400, Scott Ullrich wrote:
 On 10/28/05, Peter Zaitsev [EMAIL PROTECTED] wrote:
  On Fri, 2005-10-28 at 13:05 -0400, Scott Ullrich wrote:
   I think it will work better with a dummy ip.  But it will work
   without a ip as well now.
 
  Hm. Dummy IP looks like the ugliest and the most unintuitive solution.
 
  Also as I noted it results in few options breaking - anti lockout and
  stuff.
 
 Which I noted that I fixed.

As I understand you've fixed it by simply not generating this rule... 

For this one it might be the proper solution as in a bridging configuration
you can't easily split LAN and WAN.

There are however some other rules, such as the DHCP enabling rule, which as I
understand should actually remain, enabling access from LAN.

There are a few others which I'm not sure about. Well, you probably know
their purpose the best.  If you're sure they all can simply be dropped
in a bridging configuration that is cool. 

 
  If you've fixed these to use the WAN IP address in this case instead,  I do
  not understand why you need a fake address at all.
 
 Because you cannot add rules to the LAN interface without it?

But the rule will not be functional with a fake IP address - it
typically does not make sense as there are no from/to IPs in the
network - the fake one is not really used anywhere.  So why keep them with a
fake IP, wasting resources, instead of simply removing them if they are not
needed. 

 
  Practically speaking all rules with the fake IP are broken and the functionality
  which they are expected to provide does not work.
 
 If you do not enter an IP on the interface, that is correct.

And if you do, you get nonsense rules for a fake IP which does not
exist :) 







[pfSense Support] Summary of problems in Bridging Mode

2005-10-27 Thread Peter Zaitsev
Hi, 

I've recently tried a number of variants of setting pfsense in Bridging
mode for my small subnet and I guess here is the state of things as it is
now. 

Scott was going to fix some of these issues but I guess it is good to
summarize them anyway. 

So running in bridging mode you set  111.111.111.154/29 as IP on your
WAN interface. Your options for LAN are

1)  Set LAN ip empty. 
You're allowed to set IP empty but this breaks a lot of rules in pf
tables, as lan IP does not exist any more.  And the check does not seem to
be present. 

2) Set lan IP address to be the same as WAN IP.  This is also allowed,
but it breaks the wan spoof protection rule which does not seem like it can
be disabled.  I was told  Block traffic from private networks does it
but by my tests it does not. 

3) Set lan IP address to be some fake one, I used 10.25.15.1. 
In this case it is the closest to being functional.  It however does not
identify LAN subnet right so firewall rules which include lan subnet do
not work. There are some lesser items such as lockout protection does
not work and this kind of stuff:

(All these rules have LAN wrong) 

nat on em0 from 10.25.15.0/29 port 500 to any port 500 -> (em0) port 500
nat on em0 from 10.25.15.0/29 to any -> (em0)
pass in quick on em1 proto udp from any port = 68 to 10.25.15.1 port =
67 label allow access to DHCP server on LAN
pass out quick on em1 proto udp from 10.25.15.1 port = 67 to any port =
68 label allow access to DHCP server on LAN
block in log quick on em0 from 10.25.15.0/29 to any label WAN spoof
check
block in log quick on em0 proto udp from any port = 67 to 10.25.15.0/29
port = 68 label allow dhcp client out wan
pass in quick from 10.25.15.0/29 to 10.25.15.1 keep state label
anti-lockout web rule




How I would expect it to work ? 

Leave it empty or set it same as WAN I think one or another should be
made to work.  Wan spoofing should not be enabled in such case and  LAN
network should be made identified correctly  for setting firewall
rules. 





[pfSense Support] Traffic shaping

2005-10-25 Thread Peter Zaitsev
Hi,

I'm running 0.89.6

I tried to experiment with traffic shaping today.  I'm going to use it for
collocation so my goal is to avoid long traffic spikes, as this is what
I'll need to pay for.  So let's say I have a 100MB connection and I want to
cap it at 15Mbit or something. 

Anyway at this point I just went via the EZ Shaper wizard and only set
bandwidth, leaving the rest as default.  The following rules were
generated:

queue qWANRoot bandwidth 10Kb priority 6 hfsc { qWANdef, qWANacks }
queue qWANdef bandwidth 1% priority 3 hfsc (  default upperlimit(100%
100 90%) linkshare(0% 1000 10%) realtime(10% 1 10%) )
queue qLANRoot bandwidth 10Kb priority 6 hfsc { qLANdef, qLANacks }
queue qLANdef bandwidth 1% priority 3 hfsc (  default upperlimit(100%
100 90%) linkshare(0% 1000 10%) realtime(10% 1 10%) )
queue qLANacks bandwidth 1% priority 6 hfsc (  upperlimit(80% 1 80%)
linkshare(0% 1000 10%) realtime(10% 1 10%) )
queue qWANacks bandwidth 1% priority 6 hfsc (  upperlimit(80% 1 80%)
linkshare(0% 1000 10%) realtime(10% 1 10%) )


I get the error loading these rules, basically in every line: 

hp: /wizard.php: There were error(s) loading the
rules: /tmp/rules.debug:17: queue qWANRoot has no
parent /tmp/rules.debug:17: errors in queue
definition /tmp/rules.debug:18: queue qWANdef has no
parent /tmp/rules.debug:18: errors in queue
definition /tmp/rules.debug:19: queue qLANRoot has no
parent /tmp/rules.debug:19: errors in queue
definition /tmp/rules.debug:20: queue qLANdef has no
parent /tmp/rules.debug:20: errors in queue
definition /tmp/rules.debug:21: queue qLANacks has no parent /tmp/rul


Any help with these ? 





Re: [pfSense Support] Traffic shaping

2005-10-25 Thread Peter Zaitsev
On Tue, 2005-10-25 at 19:52 -0500, Bill Marquette wrote:
 Any 'altq on' lines?  I'll try and duplicate this tonight (or not,
 it's already 8PM and I'm still at work).

Thanks.   It does not seem like there are any.

I actually repeated the wizard and now selected one of the traffic
shaping features. 

It looks like you can't simply continue with Wizard to the end without
setting any shaping - it will create wrong rules. 

Also in remote access services I did not find SSH  - very surprising
omission for FreeBSD based product.  There is VNC, RDP but not SSH. 


 
 --Bill
 
 On 10/25/05, Peter Zaitsev [EMAIL PROTECTED] wrote:
  Hi,
 
  I'm running 0.89.6
 
  I tried to experiment with traffic shaping today.  I'm to use it for
  collocation so my goal is to avoid long traffic spikes, as this is what
  I'll need to pay for.  So lets say I have 100MB connection and I want to
  cap it at 15Mbit  or something.
 
  Anyway at this point I just went via EZ Shaper wizard and only set
  bandwidth leaving all default as rest.  The following rules were
  generated:
 
  queue qWANRoot bandwidth 10Kb priority 6 hfsc { qWANdef, qWANacks }
  queue qWANdef bandwidth 1% priority 3 hfsc (  default upperlimit(100%
  100 90%) linkshare(0% 1000 10%) realtime(10% 1 10%) )
  queue qLANRoot bandwidth 10Kb priority 6 hfsc { qLANdef, qLANacks }
  queue qLANdef bandwidth 1% priority 3 hfsc (  default upperlimit(100%
  100 90%) linkshare(0% 1000 10%) realtime(10% 1 10%) )
  queue qLANacks bandwidth 1% priority 6 hfsc (  upperlimit(80% 1 80%)
  linkshare(0% 1000 10%) realtime(10% 1 10%) )
  queue qWANacks bandwidth 1% priority 6 hfsc (  upperlimit(80% 1 80%)
  linkshare(0% 1000 10%) realtime(10% 1 10%) )
 
 
  I get the error loading these rules, basically in every line:
 
  hp: /wizard.php: There were error(s) loading the
  rules: /tmp/rules.debug:17: queue qWANRoot has no
  parent /tmp/rules.debug:17: errors in queue
  definition /tmp/rules.debug:18: queue qWANdef has no
  parent /tmp/rules.debug:18: errors in queue
  definition /tmp/rules.debug:19: queue qLANRoot has no
  parent /tmp/rules.debug:19: errors in queue
  definition /tmp/rules.debug:20: queue qLANdef has no
  parent /tmp/rules.debug:20: errors in queue
  definition /tmp/rules.debug:21: queue qLANacks has no parent /tmp/rul
 
 
  Any help with these ?
 
 
 
 
 
 



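Bill's question about `altq on` lines is the key to the "has no parent" errors in this thread: in pf, `queue` definitions attach to an `altq on <interface>` root declaration, and when that root is missing pfctl rejects the whole hierarchy one queue at a time. As an added example (not pfSense's or the wizard's code), here is a small Python checker that parses the queue lines, walks the tree from the `altq on` roots and reports exactly the queues that cannot be reached from any root, plus queues that are referenced but never defined. The sample input is the wizard output quoted in the thread, rejoined onto one line per queue; the two `altq on` lines in the fixed version are an assumption about what the wizard should have emitted (15Mb is the cap the poster wanted, em0/em1 are the interface names that appear in the rules elsewhere in the thread).

```python
"""Checker for pf ALTQ queue hierarchies: flags queues that hang off no
`altq on <iface>` root, which pfctl reports as "queue X has no parent".
Added example, not pfSense code.  Sample input is constructed from the
wizard-generated queues quoted in the thread.
"""
import re
from typing import Dict, List, Tuple

ALTQ_RE = re.compile(r"^altq\s+on\s+(\S+)")
QUEUE_RE = re.compile(r"^queue\s+(\S+)")
CHILDREN_RE = re.compile(r"\{([^}]*)\}")


def _children(line: str) -> List[str]:
    """Queue names listed inside a trailing `{ a, b }`, if any."""
    m = CHILDREN_RE.search(line)
    if not m:
        return []
    return [n.strip() for n in m.group(1).split(",") if n.strip()]


def parse_queue_tree(conf: str) -> Tuple[Dict[str, List[str]], Dict[str, List[str]], List[str]]:
    """Return (roots, children, order): roots maps interface -> child queues
    of its `altq on` line, children maps queue name -> its child queues,
    order lists queue names in definition order."""
    roots: Dict[str, List[str]] = {}
    children: Dict[str, List[str]] = {}
    order: List[str] = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        if not line:
            continue
        m = ALTQ_RE.match(line)
        if m:
            roots[m.group(1)] = _children(line)
            continue
        m = QUEUE_RE.match(line)
        if m:
            name = m.group(1)
            order.append(name)
            children[name] = _children(line)
    return roots, children, order


def validate_queues(conf: str) -> List[str]:
    """Errors in pfctl's wording, in definition order; empty list if the
    hierarchy is consistent."""
    roots, children, order = parse_queue_tree(conf)
    errors: List[str] = []
    # Every queue must be reachable from some `altq on` root.
    reachable = set()
    stack = [q for kids in roots.values() for q in kids]
    while stack:
        q = stack.pop()
        if q in reachable:
            continue
        reachable.add(q)
        stack.extend(children.get(q, []))
    for name in order:
        if name not in reachable:
            errors.append(f"queue {name} has no parent")
    # Every referenced child must actually be defined.
    parents = [(f"altq on {i}", k) for i, k in roots.items()]
    parents += [(f"queue {n}", k) for n, k in children.items()]
    for parent, kids in parents:
        for k in kids:
            if k not in children:
                errors.append(f"queue {k} referenced by {parent} is not defined")
    return errors


# Constructed from the wizard output in the thread, one queue per line.
WIZARD_QUEUES = """\
queue qWANRoot bandwidth 10Kb priority 6 hfsc { qWANdef, qWANacks }
queue qWANdef bandwidth 1% priority 3 hfsc ( default upperlimit(100% 100 90%) linkshare(0% 1000 10%) realtime(10% 1 10%) )
queue qLANRoot bandwidth 10Kb priority 6 hfsc { qLANdef, qLANacks }
queue qLANdef bandwidth 1% priority 3 hfsc ( default upperlimit(100% 100 90%) linkshare(0% 1000 10%) realtime(10% 1 10%) )
queue qLANacks bandwidth 1% priority 6 hfsc ( upperlimit(80% 1 80%) linkshare(0% 1000 10%) realtime(10% 1 10%) )
queue qWANacks bandwidth 1% priority 6 hfsc ( upperlimit(80% 1 80%) linkshare(0% 1000 10%) realtime(10% 1 10%) )
"""

# Assumed fix: one altq root per interface, attaching the wizard's root queues.
FIXED_QUEUES = (
    "altq on em0 hfsc bandwidth 15Mb queue { qWANRoot }\n"
    "altq on em1 hfsc bandwidth 15Mb queue { qLANRoot }\n"
    + WIZARD_QUEUES
)

if __name__ == "__main__":
    for label, conf in (("wizard", WIZARD_QUEUES), ("fixed", FIXED_QUEUES)):
        problems = validate_queues(conf)
        print(f"{label}: {'ok' if not problems else ''}")
        for p in problems:
            print("  " + p)
```

Running the checker on the wizard's six queues yields six "has no parent" errors, one per queue, which is the same shape as the pfctl output quoted in the thread; with the two `altq on` roots added, the list is empty. This is a sanity check on the hierarchy only: it does not evaluate bandwidth or the hfsc service-curve parameters, and `pfctl -nf` on the box remains the authority on whether the rules load.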


Re: [pfSense Support] Traffic shaping

2005-10-25 Thread Peter Zaitsev
On Tue, 2005-10-25 at 23:50 -0400, Scott Ullrich wrote:
 http://faq.pfsense.com/index.php?sid=3552&lang=en&action=artikel&cat=10&id=56&artlang=en&highlight=ssh%20traffic%20shaper

Scott, 

I've actually read this (as all the FAQ, but later forgot, sorry)

Actually this FAQ raises more questions than it provides answers:

It already is, a SSH key is an ACK. If you put ssh in, then bulk will
kill all other ssh traffic (interactive).

Last update: 2005-10-18 17:29
Author: Matt Bailey


It is not clear 

- Why is the SSH key an ACK? Does it stand for something? Why is it not named
SSH ? 

To be honest I would think ACK corresponds to IP packets with the ACK
flag.

- So SSH is not in ? (If you put ssh in...)

- What is bulk ?

- Why would it kill all other ssh traffic, and what is that supposed to mean ? 




 
 On 10/25/05, Peter Zaitsev [EMAIL PROTECTED] wrote:
  On Tue, 2005-10-25 at 19:52 -0500, Bill Marquette wrote:
   Any 'altq on' lines?  I'll try and duplicate this tonight (or not,
   it's already 8PM and I'm still at work).
 
  Thanks.   It does not seem like there are any.
 
  I actually repeated the wizard and now selected one of the traffic
  shaping features.
 
  It looks like you can't simply continue with Wizard to the end without
  setting any shaping - it will create wrong rules.
 
  Also in remote access services I did not find SSH  - very surprising
  omission for FreeBSD based product.  There is VNC, RDP but not SSH.
 
 
  
   --Bill
  
   On 10/25/05, Peter Zaitsev [EMAIL PROTECTED] wrote:
Hi,
   
I'm running 0.89.6
   
I tried to experiment with traffic shaping today. I'm going to use it for
colocation, so my goal is to avoid long traffic spikes, as this is what
I'll need to pay for. So let's say I have a 100MB connection and I want to
cap it at 15Mbit or something.

Anyway, at this point I just went through the EZ Shaper wizard and only set
the bandwidth, leaving the rest at defaults. The following rules were
generated:
   
queue qWANRoot bandwidth 10Kb priority 6 hfsc { qWANdef, qWANacks }
queue qWANdef bandwidth 1% priority 3 hfsc ( default upperlimit(100% 100 90%) linkshare(0% 1000 10%) realtime(10% 1 10%) )
queue qLANRoot bandwidth 10Kb priority 6 hfsc { qLANdef, qLANacks }
queue qLANdef bandwidth 1% priority 3 hfsc ( default upperlimit(100% 100 90%) linkshare(0% 1000 10%) realtime(10% 1 10%) )
queue qLANacks bandwidth 1% priority 6 hfsc ( upperlimit(80% 1 80%) linkshare(0% 1000 10%) realtime(10% 1 10%) )
queue qWANacks bandwidth 1% priority 6 hfsc ( upperlimit(80% 1 80%) linkshare(0% 1000 10%) realtime(10% 1 10%) )
   
   
I get errors loading these rules, basically on every line:
   
hp: /wizard.php: There were error(s) loading the
rules: /tmp/rules.debug:17: queue qWANRoot has no
parent /tmp/rules.debug:17: errors in queue
definition /tmp/rules.debug:18: queue qWANdef has no
parent /tmp/rules.debug:18: errors in queue
definition /tmp/rules.debug:19: queue qLANRoot has no
parent /tmp/rules.debug:19: errors in queue
definition /tmp/rules.debug:20: queue qLANdef has no
parent /tmp/rules.debug:20: errors in queue
definition /tmp/rules.debug:21: queue qLANacks has no parent /tmp/rul
   
   
Any help with these ?
   
   


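Editor's note on the "has no parent" errors in the thread above. In ALTQ a queue is only valid if it is a child of another queue or is named in the queue list of an "altq on <interface>" line; the wizard output quoted above contains no "altq on" line at all, so pfctl rejects every queue. The script below is an added example, not pfSense or pf code: it re-implements that parent check, runs it over the six posted lines, and then over the same lines with the two attaching "altq on" lines added. The interface names em0/em1 and the 15Mb cap are assumptions taken from the test setup described in the thread.

```python
"""Added example (not pfSense or pf code): reproduce pfctl's
"queue X has no parent" check on the wizard output, then on a corrected
rule set.  Interface names em0/em1 and the 15Mb cap are assumptions.
"""
import re

# Constructed input: the six wizard-generated lines as posted (no 'altq on').
WIZARD_RULES = """
queue qWANRoot bandwidth 10Kb priority 6 hfsc { qWANdef, qWANacks }
queue qWANdef bandwidth 1% priority 3 hfsc ( default upperlimit(100% 100 90%) linkshare(0% 1000 10%) realtime(10% 1 10%) )
queue qLANRoot bandwidth 10Kb priority 6 hfsc { qLANdef, qLANacks }
queue qLANdef bandwidth 1% priority 3 hfsc ( default upperlimit(100% 100 90%) linkshare(0% 1000 10%) realtime(10% 1 10%) )
queue qLANacks bandwidth 1% priority 6 hfsc ( upperlimit(80% 1 80%) linkshare(0% 1000 10%) realtime(10% 1 10%) )
queue qWANacks bandwidth 1% priority 6 hfsc ( upperlimit(80% 1 80%) linkshare(0% 1000 10%) realtime(10% 1 10%) )
"""

# Constructed fix: attach each root queue to an interface and cap it there.
FIXED_RULES = """
altq on em0 bandwidth 15Mb hfsc queue { qWANRoot }
altq on em1 bandwidth 15Mb hfsc queue { qLANRoot }
""" + WIZARD_RULES

ALTQ_RE = re.compile(r"^altq\s+on\s+(\S+)\s.*?\bqueue\s*\{([^}]*)\}\s*$")
QUEUE_RE = re.compile(r"^queue\s+(\S+)(.*)$")
CHILD_LIST_RE = re.compile(r"\{([^}]*)\}")


def _names(csv):
    return [n.strip() for n in csv.split(",") if n.strip()]


def parse_queues(rules):
    """Return (roots, children): queue names attached by 'altq on' lines,
    and each defined queue's child list (no braces means no children)."""
    roots, children = [], {}
    for line in rules.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ALTQ_RE.match(line)
        if m:
            roots.extend(_names(m.group(2)))
            continue
        m = QUEUE_RE.match(line)
        if m:
            kids = CHILD_LIST_RE.search(m.group(2))
            children[m.group(1)] = _names(kids.group(1)) if kids else []
    return roots, children


def check_queues(rules):
    """Return pfctl-style error strings, or [] when every queue is reachable
    from an interface.  Walks the tree from the attached roots; any defined
    queue not reached that way has no parent."""
    roots, children = parse_queues(rules)
    errors, reachable, stack = [], set(), list(roots)
    while stack:
        q = stack.pop()
        if q in reachable:
            continue
        if q not in children:
            errors.append("queue %s referenced but not defined" % q)
            continue
        reachable.add(q)
        stack.extend(children[q])
    for q in children:
        if q not in reachable:
            errors.append("queue %s has no parent" % q)
    return errors


if __name__ == "__main__":
    for label, rules in (("wizard", WIZARD_RULES), ("fixed", FIXED_RULES)):
        print(label, check_queues(rules) or "OK")
```

Running it prints six "has no parent" errors for the wizard output, one per queue and in the same order pfctl reported them, and "OK" for the version with the two "altq on" lines. The check deliberately mirrors only the parent relationship; bandwidth sanity (a 10Kb root under a 15Mb interface) is a separate question.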

Re: [pfSense Support] Traffic shaping

2005-10-25 Thread Peter Zaitsev
On Wed, 2005-10-26 at 00:28 -0400, Scott Ullrich wrote:
 SSH interactive is keystrokes.  Bulk is SCP and friends.  Feel free to
 spice up the article if you can make it better.

Thanks.  

Let me check if I get it right: SSH interactive forces some socket
option to be set which pushes packets as soon as possible. This is detected
as the ACK flag in IP packets, and such packets are routed with high
priority?

Does it mean, however, that any application which does the same socket setup
will obey the same rule?




 

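Editor's note on the "an SSH key is an ACK" question in the two messages above. In pf, a rule can name two queues, e.g. "queue (qWANdef, qWANacks)"; per pf.conf(5), packets whose IP TOS is lowdelay and TCP ACKs carrying no payload are assigned to the second queue and everything else to the first. OpenSSH of that era set TOS lowdelay on interactive sessions and TOS throughput on non-interactive transfers such as scp, which is why keystrokes land in the ACK queue and bulk copies do not, and any other program that sets the same TOS gets the same treatment. The script below is an added example, not pfSense code; it models that queue selection on constructed sample packets and shows the socket option an application sets to opt in. It assumes the wizard's rules use this two-queue form; no packets are sent.

```python
"""Added example (not pfSense code): pf's 'queue (first, second)' selection
modelled in Python, plus the IP_TOS socket option an application sets to
land in the second (ACK) queue.  Sample packets are constructed.
"""
import socket

IPTOS_LOWDELAY = 0x10    # IP TOS "minimise delay" bit (interactive ssh)
IPTOS_THROUGHPUT = 0x08  # IP TOS "maximise throughput" bit (scp and friends)
TH_ACK = 0x10            # TCP ACK flag
TH_PSH = 0x08            # TCP PSH flag


def assign_queue(queues, proto, tos=0, tcp_flags=0, payload_len=0):
    """Model of pf's two-queue rule: TOS lowdelay or a payload-less TCP ACK
    goes to the second queue, everything else to the first."""
    if len(queues) == 1:
        return queues[0]
    first, second = queues
    if tos & IPTOS_LOWDELAY:
        return second
    if proto == "tcp" and (tcp_flags & TH_ACK) and payload_len == 0:
        return second
    return first


def classify_samples():
    """Constructed sample packets run through the WAN queue pair."""
    queues = ("qWANdef", "qWANacks")
    samples = {
        "ssh keystroke": dict(proto="tcp", tos=IPTOS_LOWDELAY,
                              tcp_flags=TH_ACK | TH_PSH, payload_len=48),
        "scp data":      dict(proto="tcp", tos=IPTOS_THROUGHPUT,
                              tcp_flags=TH_ACK, payload_len=1448),
        "pure tcp ack":  dict(proto="tcp", tos=0, tcp_flags=TH_ACK, payload_len=0),
        "http data":     dict(proto="tcp", tos=0,
                              tcp_flags=TH_ACK | TH_PSH, payload_len=1448),
        "dns query":     dict(proto="udp", tos=0),
    }
    return {name: assign_queue(queues, **p) for name, p in samples.items()}


def tos_after_opt_in(interactive=True):
    """Set IP_TOS on a throwaway UDP socket the way an application opts in
    (lowdelay) or out (throughput), and return what the kernel reports back."""
    tos = IPTOS_LOWDELAY if interactive else IPTOS_THROUGHPUT
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_TOS, tos)
        return s.getsockopt(socket.IPPROTO_IP, socket.IP_TOS)


if __name__ == "__main__":
    for name, queue in classify_samples().items():
        print("%-14s -> %s" % (name, queue))
    print("interactive socket TOS reads back as 0x%02x" % tos_after_opt_in(True))
```

So the answer to the question in the message above is yes: the shaper keys on the TOS bits and the ACK-without-payload pattern, not on ssh itself, and anything that sets IP_TOS to lowdelay is treated the same way as interactive ssh. Pure ACKs from any TCP flow (the http sample) also ride the second queue, which is what keeps downloads fast while the uplink is saturated.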
Re: [pfSense Support] pfsense 0.88

2005-10-24 Thread Peter Zaitsev
On Mon, 2005-10-24 at 10:34 -0400, Chris Buechler wrote:
 I'd agree with Alan's description. 
 for more detail, see:  
 http://doc.m0n0.ch/handbook/examples-filtered-bridge.html  It should 
 work just like that. 


Chris, 

Thanks for writing. I've read it in the FAQ and I was wondering what your
email was about, as this piece simply does not work. I've read it closely at
least 10 times :)

You also might see it is way different from what Alan was advising me...

Unfortunately even Alan's advice does not work. Maybe it was broken in
the newer version - I do not know.


A few things about this document. First it says:


14.3.3. OPT Interface Configuration

Click Interfaces - OPT. Name the interface to your liking (for the
example, we'll use Servers for the name). In the Bridge with box,
select WAN. Click Save.

OPT is not LAN, but what is most important is that it says nothing about
setting an IP address. You do need to set one initially in pfSense to
configure bridging and such, and it is not entirely clear how to unset it
properly.



14.3.4. Enable Filtering Bridge

Go to the System - Advanced page and check the Enable filtering
bridge box. Click Save. 


There is no such setting in pfSense, which makes me wonder if it is
always enabled, so you need to skip this step, or it needs to be changed
somewhere else.


And these are basically the two main points this documentation covers about
bridging - the rest is setting firewall rules. I set an allow-everything
rule right now to test it, which should be good enough.


 
 
 alan walters wrote:
 
 I have a similar configuration where the lan is bridged to the wan.
 I just made a rule to allow access to the wan IP. This is accessible
 from anywhere as the bridge is in place.
 
 Configuration. 
 
 Start with a clean install.
 Setup ip address in wan. Gateway etc.
 Configure firewall rules access wan IP from https and ssh
 Ie: allow all to wan port 443 etc.
 
 Setup allow rules for your other services.
 
 If the block is a private block you will have to turn off
 Block private blocks etc on wan interface.
 
 Disable dhcp server on lan
 
 Save the config. In case it fails.
 
 Then remove ip address from lan and bridge it to wan.
 
 Wait a couple of minutes. Manually restart the box and access the wan ip
 address.
 
   
 
 
 
 



[pfSense Support] bridging troubleshooting (i guess 0.89.2 is broken ?)

2005-10-24 Thread Peter Zaitsev
Hi,

Maybe this one will point out why it works for everyone but not for
me.

As I mentioned, firewall rules fail to load in such a configuration, which
is obviously the problem, but it looks like it is not the only one.

I've replaced the real IP prefix with 111.111.111. in this example.


# ifconfig
em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        options=b<RXCSUM,TXCSUM,VLAN_MTU>
        inet 111.111.111.154 netmask 0xfffffff8 broadcast 111.111.111.159
        inet6 fe80::214:22ff:fe0a:644c%em0 prefixlen 64 scopeid 0x1
        ether 00:14:22:0a:64:4c
        media: Ethernet autoselect (1000baseTX <full-duplex>)
        status: active
em1: flags=8902<BROADCAST,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        options=b<RXCSUM,TXCSUM,VLAN_MTU>
        ether 00:14:22:0a:64:4d
        media: Ethernet autoselect
        status: no carrier
pfsync0: flags=41<UP,RUNNING> mtu 2020
        pfsync: syncdev: lo0 maxupd: 128
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33208
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
bridge0: flags=8041<UP,RUNNING,MULTICAST> mtu 1500
        ether ac:de:48:f6:b9:13
        priority 32768 hellotime 2 fwddelay 15 maxage 20
        member: em0 flags=7<LEARNING,DISCOVER,STP>
                port 1 priority 128 path cost 55 forwarding
        member: em1 flags=7<LEARNING,DISCOVER,STP>
                port 2 priority 128 path cost 55 forwarding


As you can see, em1 for some reason has "no carrier" status. The
funny thing is the cable is there and it worked great before the bridging
configuration.


Now if I do "ifconfig em1 up" the bridge starts to function.

So it looks like we have 2 problems in 0.89.2 in the bridge configuration:

1) The rules are built wrong in case there is no IP on the LAN.
2) The LAN interface is not brought up in the bridging configuration.


Please let me know if more details are needed to troubleshoot these. 







RE: [pfSense Support] pfsense 0.88

2005-10-24 Thread Peter Zaitsev
On Tue, 2005-10-25 at 00:41 +0100, alan walters wrote:
 You should really disable this check and add the rules manually
 afterward.
 

How should I do that? In the FAQ it is written that /tmp/rules.debug is
generated by scripts every few minutes, so it is not the right place to edit.

I've checked config.xml and I did not find any option which would look
like it disables these rules.

In any case we must ask: is it expected to work in bridged mode, and in
this mode should the IP address on LAN be empty? If yes, it is a bug :)


 I use this configuration on wireless hotspots with wireless nics bridged
 to the wan. It works excellent. I only gave so much detail cos I found
 that the wrap boards can be a little funny changing that much and liked
 to be rebooted.
 
 I am sure a pc config would work much better. Without the unplugs and so
 on. I just tested this today, a filtered bridge to a vpn concentrator
 and it works fine.

:( In my case this is a PC but it still has problems for some reason :(






RE: [pfSense Support] bridging troubleshooting (i guess 0.89.2 is broken ?)

2005-10-24 Thread Peter Zaitsev
On Tue, 2005-10-25 at 00:46 +0100, alan walters wrote:
 Could this be an issue with the duplex. Maybe different speeds on the
 lan the wan and switches?

Well... to be honest I do not understand why it would be: "ifconfig
em1 up" brought it up without any problems, so I guess the problem is that it
is not run for some reason, or might be run with wrong parameters or
something.


 
 
 I see the wan is on 1G connections. Is it the same on the wan.
 See if you can checkout an earlier version I was on 0.88 and 0.89.2
 today with no troubles but I was only working on 100mb switches all the
 same with vlans

Actually it is a test environment: I have 3 boxes, with pfSense on the
middle one. One acts as the WAN gateway, the other runs as a server behind the
firewall.

The network is NIC to NIC in both cases - no switches - and as soon as I bring
the interface up it works without problems :(








[pfSense Support] Pfsense in transparent mode

2005-10-23 Thread Peter Zaitsev
Hi, 

I'm still struggling to set up pfSense in transparent mode - to make it
act only as a firewall without doing NAT for me or anything.

I have the network 111.111.111.152/29 assigned to me by the provider;
111.111.111.153 is the gateway.

I set the WAN interface of pfSense to 111.111.111.154 and the
LAN interface to 111.111.111.155 with the same netmask /29 and enabled
bridging for them.

First problem: I was initially allowed to set the LAN and WAN IPs to the
same one (111.111.111.154) - it does not produce any warning or errors;
however, the LAN interface became inaccessible and I had to set the LAN IP
via the pfSense boot menu to fix it.

Second problem: The firewall does not function as expected. I enabled all
ICMP on the WAN interface but I still can't ping even pfSense itself from
external hosts (both interfaces) - however, outgoing ping works.

I also tried to create a TCP/UDP filter to allow all incoming connections -
I still, however, can't connect from the external network to the pfSense web
GUI.

The next step was to try to disable the firewall altogether in the advanced
settings to ensure it would work. This led to

Third problem: With the firewall disabled a strange thing happened. I can
now ping externally and internally, I can even connect to internal
services from outside (of course wide open without filtering) but the
pfSense box became non-existent.

The .154 and .155 IPs respond to pings but they do not respond on any
ports at all. (I tried nmap with no success.)

This last one is the most worrying, as I lost all contact with the pfSense box
and have no idea how to get to its web interface without resetting the
configuration.




P.S. I think it would be nice to include lynx or some other text-based
browser with pfSense so even if you screw up something completely you
can use the web interface from the local console to configure things.











Re: [pfSense Support] pfsense 0.88

2005-10-23 Thread Peter Zaitsev
On Sun, 2005-10-23 at 09:23 -0500, Bill Marquette wrote:
 O
 
  Is there any way I could  have pfsense ip  at .154 and  use .155-158 for
  my applications ?
 
 Yes, configure the pfSense LAN IP to .154 (and configure it for the
 full subnet - you'll need to set the default gateway too) and then
 bridge LAN to WAN.  You'll need rules on the WAN interface to allow
 for remote management of the pfSense box, but that should work just
 fine.

Well,

Both LAN and WAN want their IPs set.

And neither of the configurations seems to work in a decent way.

First, I have to set an IP address on the WAN network, otherwise it complains:

field 'IP address' is required.

I may only set an IP on the WAN network and leave the LAN IP empty and enable
bridging. In this case pfSense, however, becomes unreachable from the LAN
network (should it not be fixed to also require an IP if it is really
required?). In this case I can, however, access the WebGUI from the external
network (I allowed all incoming traffic for tests).

One more bug around it - if I provide an empty LAN address in the
configuration it continues to work... until reboot. Reboot causes the system
to be inaccessible from LAN. This especially worries me, as if a reboot
happens a few months after you've done some changes you might not remember
what they were...


If I set both LAN and WAN to use the same IP address (.154), access from
WAN breaks, even with a firewall which permits everything.

... Went to do some research.

OK. It looks like I got what the problem is. There is a wanspoof rule
which blocks all traffic from the WAN network which comes from IPs which are
set for the LAN network, which seems to be wrong in the case of network
bridging.

Also... I see there is the rule SSHLockout - any way to disable it?
It is to be used in a colocation environment and there are certain hosts
which will need such access.

Thanks.






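Editor's note on the "wanspoof" finding in the message above. In pf, "antispoof for <if>" expands (per pf.conf(5)) to "block drop in on ! <if> inet from <if's network> to any" and "block drop in inet from <if's address> to any": packets claiming to come from an interface's own subnet are dropped when they enter on any other interface. On a routed firewall that is sound, because the LAN subnet can only legitimately arrive on LAN. On a filtered bridge WAN and LAN share the same /29, so the gateway and anything else on the provider side arrive on WAN with a source inside the LAN subnet and are dropped, which is exactly the symptom reported. The script below is an added example, not pfSense code; it assumes the wanspoof rule behaves like pf's antispoof expansion (the exact rule pfSense 0.89 generated is not shown in the thread), uses the anonymised 111.111.111.152/29 from the thread, and 198.51.100.7 as a made-up external client.

```python
"""Added example (not pfSense code): expand 'antispoof for <if>' the way
pf.conf(5) describes and evaluate constructed packets against it, first on
the thread's bridged /29 and then on an ordinary routed LAN for contrast.
"""
import ipaddress


def antispoof_rules(ifname, addr_with_prefix):
    """Expand 'antispoof for <ifname>' into its two block rules."""
    iface = ipaddress.ip_interface(addr_with_prefix)
    return [
        # block drop in on ! <ifname> from <network> to any
        {"not_on": ifname, "src": iface.network},
        # block drop in from <interface address> to any (on every interface)
        {"not_on": None, "src": ipaddress.ip_network(str(iface.ip) + "/32")},
    ]


def is_dropped(rules, in_if, src_ip):
    """True if a packet entering on in_if with source src_ip hits a rule."""
    src = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule["not_on"] is not None and in_if == rule["not_on"]:
            continue  # 'on ! em1' does not apply to packets entering em1
        if src in rule["src"]:
            return True
    return False


def bridge_scenario():
    """LAN em1 = .155/29 bridged to WAN em0; gateway .153; server .157."""
    rules = antispoof_rules("em1", "111.111.111.155/29")
    cases = {
        "gateway .153 in on em0 (WAN)":        ("em0", "111.111.111.153"),
        "internet client in on em0 (WAN)":     ("em0", "198.51.100.7"),
        "server .157 in on em1 (LAN)":         ("em1", "111.111.111.157"),
        "forged .157 in on em0 (WAN)":         ("em0", "111.111.111.157"),
        "forged .155 (LAN addr) in on em1":    ("em1", "111.111.111.155"),
    }
    return {name: is_dropped(rules, *args) for name, args in cases.items()}


def routed_scenario():
    """Same rule on a routed box with a private LAN: only forgeries drop."""
    rules = antispoof_rules("em1", "192.168.1.1/24")
    return {
        "forged 192.168.1.20 in on em0": is_dropped(rules, "em0", "192.168.1.20"),
        "real 192.168.1.20 in on em1":   is_dropped(rules, "em1", "192.168.1.20"),
        "internet client in on em0":     is_dropped(rules, "em0", "198.51.100.7"),
    }


if __name__ == "__main__":
    for scenario in (bridge_scenario, routed_scenario):
        print(scenario.__doc__)
        for name, dropped in scenario().items():
            print("  %-36s %s" % (name, "DROP" if dropped else "pass"))
```

In the bridged case the gateway's own packets are dropped on WAN while an external client passes, so pings and management traffic that traverse the gateway never arrive; in the routed case the same rule drops only the forgery. That is why the rule has to be disabled for a bridge, as Alan says in the thread, and why the replacement has to be explicit rules for the handful of addresses that really are spoofable.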

[pfSense Support] Firmware update bug

2005-10-23 Thread Peter Zaitsev
Hi,

I seem to have found why the following happens for me on the system
firmware check as well as on the packages page:

Warning: raiseerror(PEAR.php): failed to open stream: No such file or
directory in /etc/inc/xmlrpc_client.inc on line 562 Warning:
raiseerror(): Failed opening 'PEAR.php' for inclusion
(include_path='.:/etc/inc:/usr/local/www:/usr/local/captiveportal')
in /etc/inc/xmlrpc_client.inc on line 562 Fatal error: Undefined class
name 'pear' in /etc/inc/xmlrpc_client.inc on line 5


I'm testing pfSense without an Internet connection right now, so I guess
this is why this error only happens for me and is not seen by other
users.





Re: [pfSense Support] pfsense 0.88

2005-10-22 Thread Peter Zaitsev
On Sat, 2005-10-22 at 14:39 -0500, Randy B wrote:


  
  Basically I'm concerned about what if it fails?  - keeping same as
  external IPs would allow me to simply take of pfSense and temporary use
  local firewalls.   It is not great but better than having it down.
 
 After thinking further, I think I'd recommend the NAT, myself - that 
 way, should one of your internal hosts fail, it would be a rather simple 
 operation to map its external IP to another internal host's internal IP.

Right. My point in this case is that if pfSense fails I can't simply remove it
and have my boxes directly available to the internet.

This might sound strange and insecure, but I hope this will not need to
happen; plus, this is a hosting environment - these are Linux boxes which
already do not have much stuff open to the outside, so the risks are not that
high.


 
 You'd either set up a mapping between, say, 192.168.0.1/29 and your 
 external block.  pfSense would then map 192.168.0.1 to your first 
 external up through 192.168.0.8 to your last; you could also do that 
 mapping manually, it's really up to you.  You'd still maintain the 
 internal private IPs, and would probably want to set up your internal 
 DNS to point to them instead of your external ones, but (depending on 
 what firewall rules you set up) will have access to each one of them via 
 their independent external IPs.

Right. I actually thought to use the load balancer for HA purposes - well, if
it works as needed. Also in the worst-case scenario I can simply change the
external address on the box - this is not a big problem as I have a
private interface going.


 
 That, and I too recommend putting up two firewalls and CARPing between 
 them - even with reasonably cheap hardware, you're going to get far 
 greater reliability and easier maintenance than with one really 
 expensive, really good piece of hardware.  If your concern is 
 availability, that, by far, is the way to go.

Right. I guess I will be looking at CARP later on if high availability
does not prove to be enough.

I have a smaller, kind of hobby project which I'm going to use this for, so if
I can fix a problem in half an hour it is already good enough.









[pfSense Support] Upgrading pfsense

2005-10-22 Thread Peter Zaitsev
Hi, 

I see pfsense is moving fast. I got 0.88 yesterday and today 0.89.2 was
available...

This makes me ask a couple of questions:

1) Is there a changelog available somewhere so I could decide if I should
upgrade to the recent version?

2) Firmware upgrade is still broken in 0.89.2, or am I the only person
being so lucky?

Warning: raiseerror(PEAR.php): failed to open stream: No such file or
directory in /etc/inc/xmlrpc_client.inc on line 562 Warning:
raiseerror(): Failed opening 'PEAR.php' for inclusion
(include_path='.:/etc/inc:/usr/local/www:/usr/local/captiveportal')
in /etc/inc/xmlrpc_client.inc on line 562 Fatal error: Undefined class
name 'pear' in /etc/inc/xmlrpc_client.inc on line 5

3) Is there any way to upgrade manually? I got the 0.89.2 LiveCD today
and found out it has no option to upgrade; it can only overwrite the
installed system.

Sorry if these are kind of silly questions, but I found only limited
documentation available on the Internet :(





Re: [pfSense Support] pfsense 0.88

2005-10-22 Thread Peter Zaitsev
On Sat, 2005-10-22 at 19:02 -0500, Bill Marquette wrote:

  
   Then bridge the interfaces.
 
  Any advice how exactly it should work ?
 
 Yep.  Take the WAN interface and bridge it to the LAN interface.  Now
 your internal machines are directly on the internet with pfSense
 transparently filtering them.

Thanks. That sounds great.

I guess I still can use all firewall and traffic shaping functions in
such a case, but I can't do any NAT?


Now I'm trying to figure out how bridging should be set up if I have a
subnet.

Let's say I have 111.111.111.152/29

How do I split it so I keep the largest portion usable for my
applications?

.153 is the gateway

Is there any way I could have the pfSense IP at .154 and use .155-158 for
my applications?

It just looks like I can't use an arbitrary range for LAN but only a full
subnet.

