Re: [pfSense Support] how to add the wifi
On Thu, Sep 1, 2011 at 08:31, Ryan Rodrigue wrote:
> There is not a 100% definite answer to this. What I do is open the ports I need (80 for http, 25 for smtp, etc.) and then put a block all rule below these. This usually works for 99% of the bit torrent traffic. The problem is that PFsense blocks based on ports, bit torrent can be intelligent and change ports. You could also do the traffic shaper and put bit torrent in a very low speed queue, but I have never tried that.

pfSense 2.0 has the capability to categorize traffic at "layer 7", but even that isn't foolproof against bittorrent.

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] MAC ADDRESS
On Thu, Sep 1, 2011 at 08:19, suresh suresh wrote:
> how to block the bit torrent in pfsense 1.2.3

Don't hijack threads. We know you want to know how to block bittorrent in 1.2.3; wait until someone answers your question in the thread you already posted for that.
Re: [pfSense Support] how to add the wifi
On Thu, Sep 1, 2011 at 08:12, suresh suresh wrote:
> No,.. i don't have wifi card. if i configure the wifi router, that goes to the different network. like am pfsense using 192.18.7.10 in wifi connected system shows ip 192.168.1.1 at that time i can't take print or scan both will come on 7.1 series. how to solve this problem.

It appears that you want pfSense to be the router with the Linksys as a simple wireless access point. Just connect one of your Linksys LAN ports to the LAN port on your pfSense system and turn off the DHCP and DNS servers on the Linksys. You should also configure the Linksys to have an IP in the same address range (192.168.7.0/24) as the pfSense box so you can connect to it.

> and also more question how to block the bit torrent.

You've already asked this question here once, and I specifically ignored it because I'm not interested in it - someone else may answer the question. Blocking bittorrent isn't trivial, nor is it useful in my opinion.

> am using pfsense 1.2.3.

You REALLY should use one of the 2.0 release candidates. Version 1.2.3 is supported, but unless you have a serious reason to stick with it, 2.0 is equally stable and has far better features.
Re: [pfSense Support] how to add the wifi
On Thu, Sep 1, 2011 at 07:48, suresh suresh wrote:
> Hi All,
> how to add the wifi in pfsense. i am having the linksys home router. how to setup wifi in the pf sense. please help me.

Do you have a wifi card in your pfSense machine? Are you wanting it to be a wireless client or an access point?
Re: [pfSense Support] DHCP Static Mapping
On Wed, Aug 31, 2011 at 11:20, Ivanildo Galvão - IT Services wrote:
> How do the machines that have IP with the MAC set to "Services: DHCP: Edit static mapping" in the DHCP console, also get information from the Gateway and DNS Server?

That's provided by the DHCP server, same as to everyone else. Having a static mapping for a system only means that it gets a consistent address when it requests one; all the rest of the settings DHCP provides still come through.
Re: [pfSense Support] Disabling the GUI?
On Sat, Jul 23, 2011 at 14:07, William Jimenez wrote:
> Is there a way to disable the GUI on pfsense to increase performance, and then re-enable it when needed?

What performance loss are you seeing? You could disable the httpd, but if it's sitting idle (not being actively administered) I doubt you are going to see much if any improvement.
Re: [pfSense Support] VPNC, xauth, pfsense 2.0
On Tue, Jul 19, 2011 at 17:35, wrote:
> This hasn't come up in a while. Back in 09 there was a discussion of VPNC support on pfsense.
>
> IIRC (and I probably don't) VPNC support had a dependence on xauth, which is a feature in 2.0. Does that mean that pfsense 2.0 has a chance of supporting VPNC or any of the Cisco-centric IPSec extensions?

See the following thread for the latest discussion. OS X centered, and I've not been able to test it yet, but vpnc and Snow Leopard's ipsec client are looking for the same thing.

http://www.mail-archive.com/support@pfsense.com/msg21955.html
Re: [pfSense Support] pfSense 2.0 IPsec on Mac OS X 10.6
I'm actually pretty interested in the fact that on the surface it looks like 2.0 can support the OS X 10.6 native Cisco VPN client out of the box. Has anyone had any success doing so? OpenVPN and Viscosity/Tunnelblick are nice, but not having to pay $9/client and not installing additional software is even more so. Going to try testing this week.

RB

On Mon, Apr 11, 2011 at 14:02, bsd wrote:
> Install the open VPN client package on 2.0 - two clicks and you're done !
> Viscosity is your best bet.
>
> So straightforward, your grandma could do It.
>
> ;-)
>
> On 11 Apr 2011 at 18:19, Vick Khera wrote:
>
>> On Mon, Apr 11, 2011 at 11:19 AM, Paul Mather wrote:
>> Has anyone managed to get IPsec for mobile clients working with pfSense 2.0 and Mac OS X 10.6? If so, which client are you using on the Mac OS X side? Is anything special needed on the pfSense side?
>>
>> I *used* to use IPsecuritas but it was always finicky. I finally made the switch for all of the roaming clients to OpenVPN using Tunnelblick and everything has been much, much more stable. I still use IPsec for my fixed end-point tunnels between offices, and that works solidly. All such endpoints are pfSense.
>>
>> Unless you have some hard requirement to use IPSec for your mobile clients, give OpenVPN a try.
>
> --
> Grégory Bernard, Director
> www.osnet.eu
> Your provider of OpenSource appliances
Re: [pfSense Support] pfsense site down?
On Sat, Mar 26, 2011 at 07:14, Nebojsa Djordjevic wrote:
> I'm trying to access http://pfsense.com/ for some time, but I'm getting connection reset messages. Anyone else having the same problems?

Both messages you sent came through, and both the pfsense.com and pfsense.org domains are up from my perspective.
Re: [pfSense Support] User with limited privileges
On Fri, Feb 25, 2011 at 05:53, Carlos Vicente wrote:
> My question is: is there a way of creating a user, without elevated privileges, to give access only to the reports of LightSquid. I don't want any client to have access to the other features of pfSense.

No, not in pfSense 1.2.3. Multi-user authentication and user-specific privileges were introduced in 2.0 and have worked quite well for nearly as long as the 2.0 development has been going on.
Re: [pfSense Support] Enclosure recommendations for a Mini ITX Motherboard
On Thu, Oct 14, 2010 at 12:22, Mehma Sarja wrote:
> I researched an earlier post of "SUPERMICRO MBD-X7SPE-H-O Mini ITX Intel Atom" board and it looks like a good option. Albeit a bit expensive. It can handle 4 GB RAM. So the question is what kinds of enclosures are good for this form-factor? I'll probably go with a laptop drive. The enclosures at my local Fry's all look pretty flimsy and crappy.

I'm a big fan of the Jetway barebones cases. I have this [1] one, but didn't need huge amounts of processing power. They also produce an Atom-based one [2] that is awfully similar processor-wise and uses standard RAM (not notebook). The main thing that brought me to them was their full-height PCI slots - the number of drive channels didn't count much as I'm just running on a SATA-to-CF adapter anyway. The only problem I had was that the PCI slots are *just* barely large enough; my 4-port FXP card almost didn't fit.

The Atom Jetway, 512M of memory, a SATA/CF adapter and a 4GB CF card all together cost about as much as that motherboard by itself. Is there any specific reason you need 4GB of memory?

[1] http://www.newegg.com/Product/Product.aspx?Item=N82E16856107059
[2] http://www.newegg.com/Product/Product.aspx?item=N82E16856107036
Re: [pfSense Support] DDNS updates not working
On Wed, Oct 6, 2010 at 16:27, RB wrote:
> Just switched over to bridged mode on the modem and am doing PPPoE directly from the WAN interface (all simple defaults save user/pw).

Any ideas on this? I'm seeing pretty conclusively that on my end, even with the dynamic IP terminated on the pfSense box, it's not sensing changes and updating accordingly. If need be I'll just start running a DynDNS updater on another machine, but would rather have all my network dependencies in one location.
Re: [pfSense Support] DDNS updates not working
On Wed, Oct 6, 2010 at 08:31, Chris Buechler wrote:
> There isn't one that updates your IP. That's kicked off from whichever process renews your WAN IP, which depends on what kind of WAN it is. What kind of WAN is it?

Just switched over to bridged mode on the modem and am doing PPPoE directly from the WAN interface (all simple defaults save user/pw). Verified the IP was correct, then unplugged the phone side of the modem to simulate a WAN failure, waited several seconds until pfSense identified it as down, then plugged back in. The pfSense box correctly identified it as offline, but once it brought itself back online, DDNS didn't update and hasn't for 60 minutes.
Re: [pfSense Support] DDNS updates not working
On Wed, Oct 6, 2010 at 08:31, Chris Buechler wrote:
>> So far as I can tell, the cron job for updating the DDNS entries isn't being run.
>
> There isn't one that updates your IP. That's kicked off from whichever process renews your WAN IP, which depends on what kind of WAN it is. What kind of WAN is it?

Curious - there's a cron job set for 01:01 that runs /etc/rc.dyndns.update, which seems to be calling the right functions. Not as often as I'd thought at first glance, but enough for my purposes.

If it's kicked off from renewal of the WAN, that's my problem - it's a static RFC1918 IP. Reason being that I'm using VDSL and must therefore use the telco's hardware since there's none available to directly attach to pfSense. I'll look at seeing if I can set the modem into bridge mode so I can use PPPoE from the pfSense box, but if need be I'll submit a bug/feature request to have "polled" DDNS updates.

Thoughts?
[pfSense Support] DDNS updates not working
I've noticed this for a while (at least the last two months) and just had never bothered to jump in and say anything. Currently on the 2.0-BETA4 embedded platform, image dated 2010/09/20 22:40:28.

So far as I can tell, the cron job for updating the DDNS entries isn't being run. When I visit the page hours after my IP has changed, the cached IP shows in red (recognizing that it's out of date), but I have to manually edit/save the entry for it to be updated. I've not dug into it any farther than this, but has anyone noticed this? Using DynDNS (static) and an IP that randomly changes every 1-7 days.
Re: [pfSense Support] OpenNTP offset & sync
On Tue, Sep 7, 2010 at 20:05, Chris Buechler wrote:
> While it generally works, openntpd tends to do stupid things at times and has a number of limitations. We've been discussing alternatives recently; looks like we'll switch back to the stock ntpd for 2.0. One time guru FreeBSD developer who is a pfSense user switched his out to the stock ntpd at his day job, a HFT company, where timing is extremely crucial. You may want to consider the same; though you'd have to manually hack it in, it's not a whole lot of effort if you know FreeBSD.

Being one of those that espoused the move, I'd love to know what things those are, for my own edification. Foolishness is only terminal if not cured.
Re: [pfSense Support] question on blocks SSH connections
On Thu, Aug 12, 2010 at 16:29, Cinaed Simson wrote:
> Hi - suppose the office LAN has one open outbound port - say IMAP on port 143.
>
> I go home and configure my Linux desktop to run a SSH server on port 143.
>
> Now I return to the office and attempt to connect to my machine at home via port 143.
>
> Can pfsense be configured to stop the outbound SSH connection on port 143?

It's just a war of escalation. You can do layer-7 filtering to pick off basic abuses like this, but what if someone's really determined and writes an IMAP-based transport for their shell? The standard IMAP port supports switching to an encrypted mode post-connection. My personal favorite was the shell that used a custom SMTP transport layer - that one was nasty. Don't forget IP-over-DNS either. :)

Pretty much any port you allow out (or even SSL websites) raw will have this problem and you'll never reach 100% closure. You can approximate 100% with application proxies that monitor for and cut off aberrant behavior, but they'll never be perfect.
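The "basic abuse" the reply says layer-7 filtering can pick off is a server on a well-known port speaking a protocol other than the one that port is for. The following is an added illustration of that check, not code from the list or from pfSense: it compares the first bytes a server sends back against the greeting expected on the destination port and flags the flow when they disagree. The port table, the fingerprint list and the sample flows are all constructed for this example; the last sample flow also shows the limit the reply points out, since once an IMAP session upgrades to TLS the detector has only the plaintext greeting to go on.

```python
import re

# Greeting the *server* is expected to send first on each monitored outbound port.
# Keyed by destination port; constructed for this example from the RFC greetings.
EXPECTED_SERVER_BANNER = {
    143: re.compile(rb"^\* (OK|PREAUTH|BYE)\b"),  # IMAP greeting (RFC 3501)
    25: re.compile(rb"^220[ -]"),                 # SMTP greeting (RFC 5321)
    21: re.compile(rb"^220[ -]"),                 # FTP greeting (RFC 959)
    22: re.compile(rb"^SSH-2\.0-"),               # SSH identification string (RFC 4253)
}

# Fingerprints used only to name what the server actually spoke when the
# expectation for the port fails.
KNOWN_BANNERS = [
    ("ssh", re.compile(rb"^SSH-\d\.\d-")),
    ("imap", re.compile(rb"^\* (OK|PREAUTH|BYE)\b")),
    ("smtp/ftp", re.compile(rb"^220[ -]")),
    ("http", re.compile(rb"^HTTP/1\.[01] \d{3}")),
]


def identify_banner(first_bytes: bytes) -> str:
    """Name the protocol behind a server's opening bytes, or 'unknown'."""
    for name, pattern in KNOWN_BANNERS:
        if pattern.match(first_bytes):
            return name
    return "unknown"


def classify_flow(dst_port: int, server_first_bytes: bytes):
    """Return (verdict, detail): 'ok', 'mismatch', or 'unmonitored' for ports without an expectation."""
    expected = EXPECTED_SERVER_BANNER.get(dst_port)
    if expected is None:
        return "unmonitored", f"no banner expectation for port {dst_port}"
    if expected.match(server_first_bytes):
        return "ok", f"port {dst_port} greeting matches its protocol"
    spoke = identify_banner(server_first_bytes)
    return "mismatch", f"port {dst_port} did not greet as expected; server spoke {spoke}"


# Constructed sample flows: what a firewall would have captured as the first
# server-to-client bytes of each outbound connection.
SAMPLE_FLOWS = [
    # Legitimate IMAP. The greeting advertises STARTTLS; after the upgrade the
    # rest of the session is ciphertext and this greeting check sees nothing more.
    {"client": "10.0.0.5", "server": "203.0.113.10", "dst_port": 143,
     "server_first": b"* OK [CAPABILITY IMAP4rev1 STARTTLS] IMAP server ready\r\n"},
    # SSH daemon answering on the IMAP port: the case from the question.
    {"client": "10.0.0.7", "server": "198.51.100.20", "dst_port": 143,
     "server_first": b"SSH-2.0-OpenSSH_5.3\r\n"},
    {"client": "10.0.0.7", "server": "198.51.100.20", "dst_port": 25,
     "server_first": b"220 mail.example.net ESMTP\r\n"},
    # A web server parked on 143 also trips the check.
    {"client": "10.0.0.9", "server": "198.51.100.30", "dst_port": 143,
     "server_first": b"HTTP/1.1 200 OK\r\n"},
    # No expectation is configured for 8080, so it is reported as unmonitored.
    {"client": "10.0.0.9", "server": "203.0.113.40", "dst_port": 8080,
     "server_first": b"HTTP/1.1 200 OK\r\n"},
]


def audit_flows(flows):
    """Return one alert line per flow whose server spoke the wrong protocol for the port."""
    alerts = []
    for flow in flows:
        verdict, detail = classify_flow(flow["dst_port"], flow["server_first"])
        if verdict == "mismatch":
            alerts.append(f"{flow['client']} -> {flow['server']}:{flow['dst_port']}: {detail}")
    return alerts


if __name__ == "__main__":
    for line in audit_flows(SAMPLE_FLOWS):
        print(line)
```

The check is deliberately one-directional: it only needs the server's greeting, which is the part of the exchange a firewall sees before any encryption starts, and that is exactly why it catches an SSH daemon on 143 while an IMAP-wrapped transport that sends a proper `* OK` first sails through.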
Re: [pfSense Support] Generating graphs
On Fri, Apr 9, 2010 at 07:35, wrote:
> I have been running several tests with large downloads using DAP for the past few weeks.

The only concern I would have is whether you're testing one site at a time or multiple. Many sites I encounter have an upstream bandwidth slower than my downstream. Test a series of downloads from kernel.org or a known-fast bittorrent.

> I am not only worried that I might not be getting my full capacity but also internally troubleshooting my LAN is made more difficult.

There are several other things that *could* be wrong, but given the attached graph it seems pretty clear your WAN is definitely the bottleneck. The flat tops of your peaks pretty clearly indicate you're maxing out at 512kb/s in both directions, with occasional higher bursts. Wouldn't surprise me if your ISP sold you '1Mb/s up & down' and split it across the two.
Re: [pfSense Support] port 80 -> 443
On Fri, Jan 8, 2010 at 17:07, Michel Servaes wrote:
> I don't really like port 80 at all on an IIS server...

Please forgive my IIS ignorance (and this has gone far afield from pfSense), but what's the difference? Unless you're doing client certificates, random clients are still free to connect, whether encrypted or not. I happen to see just as many scans for servers on 443 as I do on 80, so you're not going to avoid random discovery either. Is there something intrinsically less secure about IIS running clear HTTP versus HTTP over SSL (content notwithstanding)?
Re: [pfSense Support] port 80 -> 443
On Fri, Jan 8, 2010 at 15:03, Michel Servaes wrote:
> Also, the machine is acting as a Secure Gateway for Citrix - so I don't want to tamper a lot on a (for the rest) working config...
> I just want to avoid the obligation to let my users type 'https' :-)

The problem is that 'https' doesn't just specify the port, it also tells the browser whether it needs to negotiate SSL/TLS or not. If a browser is pointed at http://something, it's not going to expect the SSL negotiation and your user will see garbage. The proper way to do this is to have a minimal service running on port 80 providing 302's for every request to https://. This is trivial to do in Apache, and I'd be surprised if it wasn't trivial in IIS.

RB
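The "minimal service on port 80 that redirects every request to https://" described above, written out as an added example in Python's standard library (this is not the list's, Apache's or IIS's code). The host names are assumptions for the example. The one detail worth getting right in such a redirector is where the target host comes from: it is taken from the client's Host header only when that header names one of the sites being served, and otherwise falls back to the canonical name, so the redirector cannot be turned into an open redirect by a forged Host header or an absolute URL in the request line.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit, urlunsplit

# Assumed names for this example; the real deployment substitutes its own.
CANONICAL_HOST = "gateway.example.com"
ALLOWED_HOSTS = {"gateway.example.com", "www.example.com"}


def redirect_target(host_header, request_path):
    """Build the https:// URL a plain-HTTP request should be sent to.

    The Host header is honoured only if it is one of our own names (port suffix
    stripped); anything else is replaced by the canonical host so the service
    never redirects users to a third-party site.  Only the path and query of the
    request are kept, so an absolute-form request line cannot smuggle in a host.
    """
    host = (host_header or "").split(":", 1)[0].strip().lower()
    if host not in ALLOWED_HOSTS:
        host = CANONICAL_HOST
    parts = urlsplit(request_path or "/")
    return urlunsplit(("https", host, parts.path or "/", parts.query, ""))


class RedirectHandler(BaseHTTPRequestHandler):
    """Answer every request with a redirect to the HTTPS equivalent."""

    def _redirect(self):
        target = redirect_target(self.headers.get("Host"), self.path)
        # 301 tells browsers to remember the redirect; the thread's 302 works the same way.
        self.send_response(301)
        self.send_header("Location", target)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = _redirect
    do_HEAD = _redirect

    def do_POST(self):
        # A POST body sent over plain HTTP is already exposed; don't pretend to accept it.
        self._redirect()

    def log_message(self, fmt, *args):
        # Keep the listener quiet; the real server on 443 does the logging.
        pass


def serve(bind="0.0.0.0", port=80):
    """Run the redirect-only listener (binding to 80 needs root)."""
    HTTPServer((bind, port), RedirectHandler).serve_forever()


if __name__ == "__main__":
    serve()
```

Run it as a separate listener on port 80 while the real site stays on 443; pairing it with an HSTS header on the HTTPS side means returning browsers skip the plaintext hop entirely after the first visit.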
Re: [pfSense Support] 1.2.3-RC3 PPPoE
On 2009-12-10, Scott Ullrich wrote:
>> I'll try turning off ToE in a few hours and report the results. If all goes well, I'd hope the 1.2.3 final version picks up the noted stable/7 change.

This was the fix - thanks, Tom, for identifying such an edge case and linking it to your bug!

> Sorry, but we have missed the boat on that. Release announcement is forthcoming.

Well, for posterity's sake then: if you have trouble in pfSense/FreeBSD with traffic not passing through an Intel 10/100 NIC (fxp), particularly when return/inbound packets aren't showing up in mpd or another user-level program, turn off TCP Offload. For that matter, any troubleshooting of "weird", inexplicably lost traffic should involve explicitly turning off ToE.
Re: [pfSense Support] 1.2.3-RC3 PPPoE
On Thu, Dec 10, 2009 at 10:29, Tim Dressel wrote:
> For me the issue was exactly like you are describing. Can connect and everything appears OK, but just zero traffic flow. Nothing useful in logs. Then all of a sudden it would start passing traffic, but then get sketchy and eventually stop again. Something like a simple ping from LAN to WAN would fail 20% of the time... but ping of the interfaces was always fine. I moved to the GT giganics and all my pfsense boxen are bullet proof.

Tom's explanation is plausible, even probable - thanks Tom! For me there is no traffic flow at all; return traffic is just being silently dropped between fxp3 and ng0. Unfortunately, I can't change to GbE NICs, or I would; this particular system is "embedded" in the sense that it's a repurposed appliance with no external PCI slots, so it has what it has.

I'll try turning off ToE in a few hours and report the results. If all goes well, I'd hope the 1.2.3 final version picks up the noted stable/7 change.
Re: [pfSense Support] 1.2.3-RC3 PPPoE
On Wed, Dec 9, 2009 at 07:38, RB wrote:
> I made a special trip - log attached. A check of my tcpdump monitoring actually indicates that while ng0 does not see return traffic, the physical interface (actually fxp3) does. It's also indicating that the return packets are 2 bytes larger than it expects (86B versus 84B for ICMP to 4.2.2.2).

I spent several hours last night trying to dig into this, and am coming up empty-handed. I can't explain the 2B tcpdump artifact, but the issue remains that although return traffic is coming in, ng0 is not passing it back. Tried disabling filtering to no avail, but I noticed that 'pfctl -sa' still showed rules configured - does 'Disable Filtering' not perform a flush? I'll try a reboot, but have little confidence that will make a positive difference at this point.

"Something" changed with mpd between 1.2.3-RC1 and 1.2.3-RC3 to the extent that it no longer works for my ADSL provider. I don't know if it was a change within mpd itself, the removal of the ng_* modules, or something completely different, but pfSense is not currently a viable router for me.
Re: [pfSense Support] 1.2.3-RC3 PPPoE
On 2009-12-09, Jim Pingle wrote:
> Are you sure that your DSL link is solid and noise-free? I have seen cases where routers would sign on but could not pass traffic and it turned out to be a weak DSL signal. Does this same line work with any other router?

It works with the same physical setup and 1.2.3-RC1 but not 1.2.3-RC3.

> As Ermal said, posting the full log might help, even if you don't see anything out of the ordinary. Some other info that would be helpful would be the output of "ifconfig -a" and "netstat -rn" while connected. Perhaps also a traceroute to the next hop and DNS servers.

I made a special trip - log attached. A check of my tcpdump monitoring actually indicates that while ng0 does not see return traffic, the physical interface (actually fxp3) does. It's also indicating that the return packets are 2 bytes larger than it expects (86B versus 84B for ICMP to 4.2.2.2).

(attachment: mpd.log, binary data)
Re: [pfSense Support] 1.2.3-RC3 PPPoE
On Wed, Dec 9, 2009 at 01:34, Ermal Luçi wrote:
> Please provide logs of mpd and explain more what you are trying to do and how you are trying to achieve it!

What I'm trying to achieve is awfully simple - with a fresh install of 1.2.3-RC3, I'm plugging a dumb Speedport ADSL modem in to one ethernet port (fxp1) and a switch into the other (fxp0). After configuring pfSense with the right PPPoE credentials and _nothing else_, the WAN interface comes up with a valid IP from my ISP and proper-looking MPD logs (I'm running it from the CLI to be certain). However, pinging my next hop or issuing requests to the outside DNS servers results in outbound traffic with no returns (monitoring with "tcpdump -s0 -vni " on fxp1 and ng0). With 1.2.3-RC1, traffic flows smoothly.

I don't have logs with me because the system is down, inaccessible due to this.
[pfSense Support] 1.2.3-RC3 PPPoE
I've been fighting a losing battle with an update from 1.2.3-RC1 to 1.2.3-RC3 and am at the end of my options. This also exhibits in the 2.0-ALPHA-ALPHA 8.0-based snapshot I grabbed two days ago.

With both an upgrade and a fresh install, when I configure a simple LAN + PPPoE WAN, the WAN negotiates and comes up with an appropriate address, but does not get return traffic. I'm able to see outbound traffic on both the physical interface and the generated ng0 interface, but nothing returns.

Last time I ran into something like this it was the tcpmssfix/ng_tcpmss.ko stuff (http://forum.pfsense.org/index.php/topic,17644.0.html). Although not precisely the same (mpd isn't dying), I saw the same thing then - packets pass outbound but the returns get dropped somewhere.

Suggestions? A fresh 1.2.3-RC1 install does not exhibit this behavior.
Re: [pfSense Support] Strange DNS problem
On Thu, Oct 8, 2009 at 19:42, Philippe LeCavalier wrote:
> Like I said, I don't know what other info to supply. When I ssh to a client's network pfsense redirects me to my local server. The strangest thing to me is that even when I use the public IP it does that. If it were just the FQDN I wouldn't really care but this is a true problem for me and I really don't know where to start troubleshooting this.

This doesn't help with the IP redirection bit, but dnsmasq returns its own IP for queries it can't answer (mis-typed domains, usually). I've noticed this with pfSense when I type in a hostname too quickly and end up hitting the external interface of my pfSense box.
Re: [pfSense Support] Could not unlock lock.
2009/9/1 "Alexandre F. Guimarães":
> Version
> 1.2.3-RC2
> built on Sun Aug 30 11:37:03 UTC 2009
>
> This Server is used only for Captive Portal Authentication. These messages are appearing on Syslog page (diag_logs.php).

It likely means that the portal process cannot lock the session state file. This could be because the disk is full, or there's a stuck signon that's holding it locked, or some process that had it locked died unexpectedly, etc. If people are actually able to sign in, then something is probably slowing down the authentication process and causing waiting clients to time out - last I checked, the CP only handles one sign-in at a time.
Re: [pfSense Support] dynamic load balancing
On Thu, Aug 20, 2009 at 03:58, Paul Mansfield wrote:
> could you force squid + transparent proxying to record traffic usage and use some clever squid configs and cron to change behaviour?

That assumes that nearly all of your traffic is HTTP; perhaps valid for some users, but completely not so for technical users.
Re: [pfSense Support] 1.2.3-RC1 Web gui logout
On Wed, Aug 12, 2009 at 10:15, Joseph L. Casale wrote:
> Silly question, where the heck is the logout button?

There isn't one in the 1.2 series since it uses HTTP authentication.
Re: SV: [pfSense Support] dhcp and arp list errors
On Tue, Jun 9, 2009 at 13:53, wrote:
> I've found one malfunctioning device that was sending 1000pps out on the dhcp protocol. I shut it off..
> The error is still there. Is there any way I can reset the dhcpd.leases file?

Restart your DHCP service; it will take quite a while with that large a lease file, but should clean it up to only the active leases. A much quicker alternative is to stop DHCP, remove the file, and restart it, but that resets everyone's lease and will grant them all new addresses.
Re: [pfSense Support] dhcp and arp list errors
On Tue, Jun 9, 2009 at 10:03, wrote:
> I'm running 1.2.2 on this:
> Super X7SBi (http://www.supermicro.com/products/system/1U/5015/SYS-5015B-MF.cfm)
> Xeon Dual Core
> 1Gb Ram
> 80Gb sata harddrive
>
> I recently upgraded from 1.2, and haven't had this problem before.
> I have a memory usage of 20%

I agree with Jim's statement on the large DHCP pool - could you tell us how many clients you have on this?
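Two things in this thread can be answered offline from the lease file itself: what "clean it up to only the active leases" amounts to (the reply two messages up), and how many clients the pool actually holds (the question just above). The following is an added example, not pfSense's or ISC dhcpd's own code: it parses the `lease ... { ... }` blocks that dhcpd appends to `dhcpd.leases`, keeps only the most recent block per address (dhcpd appends rather than rewrites, so a chatty client leaves many stale blocks behind), drops expired or freed leases, and reports counts before and after. The lease text and the clock value are constructed for the example.

```python
import re
from datetime import datetime, timezone

# One "lease <ip> { ... }" block; dhcpd never nests braces inside a lease block.
LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
# The fields we care about, one per line, terminated by ';'.
FIELD_RE = re.compile(r"^\s*(starts|ends|binding state|hardware ethernet)\s+(.*?);\s*$", re.M)


def parse_lease_time(value):
    """dhcpd writes times as 'W YYYY/MM/DD HH:MM:SS' in UTC, or the word 'never'."""
    if value == "never":
        return None
    _weekday, date, clock = value.split()
    return datetime.strptime(f"{date} {clock}", "%Y/%m/%d %H:%M:%S").replace(tzinfo=timezone.utc)


def parse_leases(text):
    """Return {ip: record} keeping the *last* block seen for each IP, which is the current one."""
    leases = {}
    for match in LEASE_RE.finditer(text):
        ip, body = match.group(1), match.group(2)
        fields = dict(FIELD_RE.findall(body))
        leases[ip] = {
            "ip": ip,
            "starts": parse_lease_time(fields["starts"]) if "starts" in fields else None,
            "ends": parse_lease_time(fields["ends"]) if "ends" in fields else None,
            "state": fields.get("binding state", "active"),
            "mac": fields.get("hardware ethernet"),
            "raw": match.group(0),
        }
    return leases


def active_leases(text, now):
    """Current leases that are in the active state and have not yet expired."""
    keep = []
    for rec in parse_leases(text).values():
        if rec["state"] != "active":
            continue
        if rec["ends"] is not None and rec["ends"] <= now:
            continue
        keep.append(rec)
    return sorted(keep, key=lambda r: r["ip"])


def lease_stats(text, now):
    """Counts a list admin would ask for: raw blocks, distinct addresses, live clients."""
    return {
        "blocks": len(LEASE_RE.findall(text)),
        "addresses": len(parse_leases(text)),
        "active": len(active_leases(text, now)),
    }


def prune(text, now):
    """Rewrite the file contents down to the live leases only (what a dhcpd restart achieves)."""
    return "\n".join(rec["raw"] for rec in active_leases(text, now)) + "\n"


# Constructed sample: .50 renews once (two blocks), .51 has expired, .52 was released.
SAMPLE_LEASES = """\
# constructed sample in dhcpd.leases format
lease 192.168.1.50 {
  starts 2 2009/06/09 10:00:00;
  ends 2 2009/06/09 12:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
}
lease 192.168.1.51 {
  starts 2 2009/06/09 10:05:00;
  ends 2 2009/06/09 10:10:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:66;
}
lease 192.168.1.50 {
  starts 2 2009/06/09 11:00:00;
  ends 2 2009/06/09 13:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
}
lease 192.168.1.52 {
  starts 2 2009/06/09 09:00:00;
  ends 2 2009/06/09 14:00:00;
  binding state free;
  hardware ethernet 00:11:22:33:44:77;
}
"""
NOW = datetime(2009, 6, 9, 11, 30, tzinfo=timezone.utc)  # constructed "current time"

if __name__ == "__main__":
    print(lease_stats(SAMPLE_LEASES, NOW))
    print(prune(SAMPLE_LEASES, NOW))
```

Against a real file, run `lease_stats` first: a blocks count far above the addresses count is the signature of the flooding client described in the thread, and the active count is the answer to "how many clients". Writing the pruned output back should only ever be done with dhcpd stopped, which is why letting dhcpd do the rewrite on restart is the safer route the reply recommends.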
Re: [pfSense Support] arm arch?
On Wed, May 27, 2009 at 10:58, David Burgess wrote:
> I didn't see any discussion on the forums or in the archives of porting pfsense to the arm architecture. Is this on the horizon? Would it be a complicated project?

Yes, but not directly because of pfSense. The underlying FreeBSD treats ARM as a tier-2 platform and does not provide any direct support for it (binaries, security updates, etc.). This would place the onus of supporting the platform on the pfSense team, and given their current bandwidth wouldn't be very workable.
Re: [pfSense Support] Snort Updates - How to stop one in progress?
On Tue, May 19, 2009 at 11:47, Chuck Mariotti wrote:
> Navigated to the snort tabs, so now it's trying to run a huge update (never been updated before) and has brought the network to its knees. How can I stop the update that's already been started?

Quick answer: ssh + kill
Re: [pfSense Support] RE: T1 Saturating - Windows update kills the connection... ??
On Wed, May 13, 2009 at 09:53, Chuck Mariotti wrote:
> I used cheapo DLink 10/100 Network cards to build the server. But I'm doubting that would be the cause. The only other oddity is that I threw a little DLink 8 Port Gigabit Switch between the router and firewall, simply because I didn't have a crossover cable available at the time.

Presumably the rtl8139 chipset? I don't know how [if?] those have improved in recent versions of BSD, but they used to drag my pfSense box to its knees with software interrupts. Check your system's RRD graphs (specifically the utilization & interrupt numbers on the 'system' tab). MTU mismatch could cause a problem, but the DLink is my bet right now.
Re: [pfSense Support] syslog-ng config to record events from fws
On Wed, May 13, 2009 at 03:02, luismi wrote:
> PF

You do, of course, realize that 99.9% of the people that offer help on this list are not paid to do so and that by copping an attitude you've pretty much blown your chances of getting help?
Re: [pfSense Support] syslog-ng config to record events from fws
On Tue, May 12, 2009 at 10:59, luismi wrote:
> Hi, well, I was looking for something more complex.

http://catb.org/~esr/faqs/smart-questions.html#beprecise

Ask a nebulous question, you get a nebulous answer. If you wanted a specific configuration, say so.
Re: [pfSense Support] Captive Portal Question
On Sat, May 9, 2009 at 00:10, Tim Dressel wrote:
> I'm still interested though in anyone out there with large numbers of
> mac-bypass entries. Any takers?

At the risk of redundancy, that was rather the point. Other than the interface of your manually entering them (which is not critical to the actual operation), the captive portal in its standard configuration makes a mac-bypass entry for every client.
Re: [pfSense Support] Captive Portal Question
On Fri, May 8, 2009 at 22:06, Tim Dressel wrote:
> Finally, I'd appreciate any feedback out there on installs with counts
> on mac bypass entries topping a 1000 count. I am considering tying
> together several of my networks and would like to know what the upper
> end on the captive portal looks like.

The captive portal's default configuration is to filter users by MAC address. The main difference between that and what you're doing is that the MAC entries are made dynamically each time a user logs in. That said, I have run a pair of Dell 2660s (dual 2GHz, 2GB) in that default configuration over a high-churn environment with several thousand unique clients per day with no ill effect.

My concern was not whether pfSense could handle the number of entries, but mainly administrative overhead. Maintaining a list of even 100 MACs is terribly cumbersome, especially considering how trivial MAC-only authentication is to bypass. Additionally, some of pfSense's GUI components just don't scale well - there are some diagnostic pages (DHCP status, CP status, ARP tables, etc.) that I've just become accustomed to not using if the client count is over a couple hundred.

Check your system's RRD graphs during the slowdown - if your states, queues, or CPU aren't pegged, pfSense is likely not the culprit.
Re: [pfSense Support] Captive Portal Question
On Thu, May 7, 2009 at 15:55, Tim Dressel wrote:
> 1. What is the limitation on the number of mac-bypass entries? And is
> what I am seeing expected with 300 entries?

I'm sure someone will chime in with the precise ipfw limitation, but this is mostly going to be dependent on your system's performance specs - memory & CPU.

> 2. If I should not be doing this with 300 clients, is anyone using
> another FOSS product to do MAC authenticated control outbound from
> their firewall?

Possibly, but [as I hope you know] MAC filtering only keeps honest people honest, it is in no way any form of authentication. At that number of unique users, you may be better served by setting up an actual RADIUS server to do proper authentication and AAA instead of manually maintaining tables.
Re: [pfSense Support] vmware appliance using onboard wifi as an interface
On Sat, Apr 18, 2009 at 09:05, Sean Cavanaugh wrote:
> KVM and Xen only work on CPUs that have the para-virtualization extensions.
> If yer using older hardware, you HAVE to use either bare metal or a standard
> virtualizer like VMWare

In a word: no. I haven't tried virtualizing PCI devices on non-HVM hardware, but they both run just fine sans acceleration on standard hardware - KVM because it's built on QEMU and Xen because HVM is just a recent addition.
Re: [pfSense Support] vmware appliance using onboard wifi as an interface
On Fri, Apr 17, 2009 at 14:02, Sean Cavanaugh wrote:
> I really wish it would virtualize wireless cards like that as I could get
> rid of my access point at home and just add a card into my system.

Both KVM and Xen allow you to directly map a PCI slot into a client's namespace. Right now I'm running pfSense as a VM under KVM and have both a physical Ethernet port and a HiFN card mapped directly to it. With VMWare, VirtualBox, and most other virtualization managers (as Sean noted) it'll present as a generic Ethernet interface with no WiFi extensions, you'll have to use the host to manage the actual wireless association.
Re: [pfSense Support] RE: [SPAM] RE: [pfSense Support] RE: [SPAM] RE: [pfSense Support] RE: [SPAM] Re: [pfSense Support] RE: [SPAM] Re: [pfSense Support] website browsing
On Wed, Apr 15, 2009 at 08:00, Christopher M. Iarocci wrote:
> This is really off topic for this list, but it sounds to me like
> whatever computer is using that IP is probably also running a firewall
> that is blocking everything, even ICMP. At this point, you could narrow
> down which machine it was using a managed switch if you have one. You
> could also visit the machines and manually look at their IP addresses.
> The other option (and one I'd choose) is to block all traffic from
> 192.168.1.147 at the firewall and see who comes to you to complain about
> not being able to get on the internet.

Don't forget that DHCP and ARP information are often enough to clearly identify a given machine. If you're using the DHCP server, look in the lease information page or /var/dhcpd/var/db/dhcpd.leases for the machine's lease and the name it provided at negotiation.
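As an added example (not code from the thread or from pfSense), here is a small parser for the ISC dhcpd.leases format that pulls out the current lease for an IP such as the one discussed above, so the MAC and the client-supplied hostname can be checked against ARP before anyone walks the floor. The lease records are constructed sample data; the file can carry several records for one IP, and the parser keeps the last one, which is the current one.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample in dhcpd.leases syntax (not taken from the thread). The
# daemon appends a record every time a lease is issued or renewed, so the same
# IP may appear several times; the *last* record for an IP is the current one.
SAMPLE_LEASES = r'''
# The format of this file is documented in the dhcpd.leases(5) manual page.
lease 192.168.1.147 {
  starts 3 2009/04/15 10:00:00;
  ends 3 2009/04/15 12:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "old-laptop";
}
lease 192.168.1.150 {
  starts 3 2009/04/15 10:05:00;
  ends 3 2009/04/15 12:05:00;
  binding state active;
  hardware ethernet 00:aa:bb:cc:dd:ee;
}
lease 192.168.1.147 {
  starts 3 2009/04/15 12:30:00;
  ends 3 2009/04/15 14:30:00;
  binding state active;
  hardware ethernet 66:77:88:99:aa:bb;
  uid "\001fw\210\231\252\273";
  client-hostname "WS-FINANCE-07";
}
'''


@dataclass
class Lease:
    ip: str
    mac: Optional[str] = None
    hostname: Optional[str] = None   # supplied by the client itself: informative, not authoritative
    state: Optional[str] = None
    ends: Optional[str] = None


LEASE_OPEN = re.compile(r'^\s*lease\s+(\d{1,3}(?:\.\d{1,3}){3})\s*\{\s*$')
FIELD = re.compile(r'^\s*(hardware ethernet|client-hostname|binding state|ends)\s+(.*?)\s*;\s*$')


def parse_leases(text: str) -> Dict[str, Lease]:
    """Return the most recent lease record for every IP in a dhcpd.leases file."""
    leases: Dict[str, Lease] = {}
    current: Optional[Lease] = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            continue
        if current is None:
            m = LEASE_OPEN.match(line)
            if m:
                current = Lease(ip=m.group(1))
            continue                       # ignore anything outside a lease block
        if stripped == '}':
            leases[current.ip] = current   # a later record replaces an earlier one
            current = None
            continue
        m = FIELD.match(line)
        if not m:
            continue                       # uid, cltt, starts etc. are not needed here
        key, value = m.group(1), m.group(2)
        if key == 'hardware ethernet':
            current.mac = value.lower()
        elif key == 'client-hostname':
            current.hostname = value.strip('"')
        elif key == 'binding state':
            current.state = value
        elif key == 'ends':
            current.ends = value
    return leases


def find_client(text: str, ip: str) -> Optional[Lease]:
    """Look up the current lease for one IP (the one you are about to block)."""
    return parse_leases(text).get(ip)


if __name__ == "__main__":
    # On a pfSense box you would read /var/dhcpd/var/db/dhcpd.leases instead.
    print(find_client(SAMPLE_LEASES, "192.168.1.147"))
```

The MAC from the lease is the value worth cross-checking against the ARP table; the hostname is whatever the client chose to send.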
Re: [pfSense Support] Re: Can't get more than 15kpps.
On Mon, Apr 13, 2009 at 06:53, Lenny wrote:
> OpenBSD scares me a bit:)

It shouldn't, really. The initial installer dialog is awful, but once you get past it and get stuff running, it's about as smooth and seamless as any good BSD setup. For that matter, neither pf nor iptables should be scary. Like OpenBSD, they both start looking difficult but if you actually take the time to sit down and work with them you'll usually find that they "just work" the way a network admin thinks they should. Too often toolkits wrapped around them end up making them more complex than they really need to be. Don't know if pf has a similarly verbose set of documentation, but this [http://iptables-tutorial.frozentux.net/iptables-tutorial.html] piece for iptables was immensely useful for pushing me over the edge from being an iptables user to understanding iptables.

> Regarding the iptables stuff, weird as it may sound - the CEO said that it
> would be enough as far as he concerns.
> Will something like Endian do the job?

No idea, never used it. I was one of those Rainer mentioned that tried a _lot_ of tools (including commercial solutions like PIX) before coming back to pfSense. I actually found pfSense by way of m0n0, I was looking for something like it that was a bit beefier and did (at the time) HA setups.

As for whether you need a GUI, that's completely up to you. My CLI curve has a dip in the middle - small and huge things I want to do without a GUI, but moderate loads (like daily/weekly rule changes) make clicky-happy tools somewhat more requisite. Most DIY setups won't have the nice reporting tools and extended feature-sets that polished distros like pfSense do, but in your case your need for performance may well outstrip the need for those.

RB
Re: [pfSense Support] csico vpn client and pfsense
On Fri, Apr 10, 2009 at 07:18, Mikel Jimenez Fernandez wrote:
> I only have client mode access possibility, and my question is if it is
> possible to configure this on pfsense a nat vpn traffic through ipsec
> interface for all the hosts of my LAN.

In a word, 'no'. The Cisco concentrator's default client (not tunnel) configuration is by design incompatible with vanilla IPSEC implementations. It pushes a lot of policy and configuration down to the client, not the least of which is a default setting that forces all traffic through the tunnel (preventing LAN communication) and forcefully disconnects the client if the kernel routing table changes. There is one piece of software available (vpnc) that will allow you to break those restrictions and route as you please, but it's not packaged for pfSense. Be careful if you pursue this route - it's pretty noticeable and some companies will terminate you for doing it.
Re: [pfSense Support] Very weak wireless signal using an atheros chipset
On Fri, Apr 10, 2009 at 07:44, Markus Golser wrote:
> I tried almost everything now still no success :(
> I think somehow the antennas are not used and that's why my signal is weak

Don't place the AP as close as it is in the picture for testing; depending on the lobe shape of your antennas, testing right next to the AP will not give good results. A reasonable distance is usually 3-5m. Also ensure the U.FL connectors at the card itself are firmly and snugly attached - they have a positive 'snap' connection that will not work [well] unless fully engaged.

Less likely (but equally important) ensure your antennas are rated for 2.4GHz operation. If you purchased the hardware as a package deal or normally do your own RF hardware, this is not a probable cause.

The hostap drivers will always use one or more of the antennas, the only options are to use them in varying levels of diversity.
RE: [pfSense Support] First Embedded System
I pretend to know what I'm doing in the embedded space, and ALIX seems to be in the sweet spot of price & performance right now. The line's breadth is a nice bonus, supporting everything I need short of a [real] PCI-E slot. I'd probably go for one of the VIA Nano-ITX boards for a storage system, but ALIX fits nicely in the network space.

Given current flash prices and reliability, there's also little reason to limit yourself to pfSense's embedded image unless you won't need to install packages or need to push the longevity envelope of your flash. YMMV.

-Original Message-
From: Joseph L. Casale
Sent: Wednesday, April 08, 2009 10:13
To: 'support@pfsense.com'
Subject: [pfSense Support] First Embedded System

I am about to order hardware to make my first embedded system and am thinking of an ALIX.2D3 as it covers port wise all that I need. This will function for a very small lan <10 clients, are there any opinions anyone can share about possibly better choices or more reliable setups?

Thanks for any points!
jlc
Re: [pfSense Support] Filtering by URL or regexp
On Tue, Mar 31, 2009 at 10:38, luismi wrote:
> Is it possible to create rules to match URLs or regex expressions?
> I would like to provide access just to *.foobar.com but I don't know the
> IPs used for that domain :-/

The problem with IP filtering by DNS entry is that you tie your critical filtering path to an external, nondeterministic lookup. There is no guarantee you will get a DNS query back in a reasonable timeframe. You're also at best issuing a DNS query per-connection and at worst issuing one per packet. Yes, there are caches, but those only partially mitigate the issue.

Filtering at a higher protocol level (e.g. with an HTTP proxy like squid) allows much better control over what users access. You don't have control over other protocols (vpn, bt, etc.), but if you're seriously worried about such, you could also implement 'positive controls' (default deny, add rules for what users may access) or configure your users' DNS server to block queries for that domain.
Re: [pfSense Support] Internet at the lake? Rogers MobileInternetStick (Rocket) with pfSense?
On Fri, Mar 27, 2009 at 14:39, Tortise wrote:
> "Actually the best 3G router option I've found is an Alix 6b2. It has
> a miniPCI Express slot you can use for the cellular connection (no
> miniPCI solutions exist AFAIK) /"
>
> Would the Dell 3G Mini PCI Express modules used in their notebooks work?

Probably, but I have no idea what the actual chipset is. The 6b2's Express slot is USB-only (remember that Mini PCI Express is either PCI-E or USB-2.0), so you'd have to make sure that you get a card that supports the USB side. That said, I seem to have seen a lot more USB-based than PCI based mP-E cards, so your chances are good.
Re: [pfSense Support] Internet at the lake? Rogers Mobile InternetStick (Rocket) with pfSense?
On Fri, Mar 27, 2009 at 08:45, Chuck Mariotti wrote:
> Well, I do happen to have an Alix 6b2 here... my question is, what software
> are you running to allow you to use 3G? pfSense? If so, what miniPCI Express
> slot card are you using exactly? I assume this means I could throw on a HUGE
> antenna?! All I have to do is put in a SIM and it goes type of thing? Acts
> like a regular WAN port...?
>
> More info PLEASE!

Unfortunately, the project died on the vine before I could get a miniPCI-E card purchased (was using the sierra 595 with the G3G and the sierra 860 on a laptop), but Sierra Wireless cards all work quite well. Generally speaking (as has been noted here), they appear as USB serial devices that you use as a PPP device and dial a short ("*99#" for US AT&T) number. We were using OpenWRT, in which the 'comgt' package provides sane defaults for most 3G setups, including EVDO. Since OpenWRT is packaged for x86, there's no reason it won't run on the 6b2; of course, there's also no reason you shouldn't be able to use pfSense as well. All you need is a card that comes up as a USB serial device (some require special drivers and don't work very well), and you should be able to run PPP on your platform of choice.
Re: [pfSense Support] Internet at the lake? Rogers Mobile InternetStick (Rocket) with pfSense?
On Fri, Mar 27, 2009 at 01:18, Tortise wrote:
> Check out the Linksys wrt54g3g which I use with a 3G XU870, (cheap 2nd hand)
> works well for portable Internet connections for a
> battery of wireless notebooks. It runs from 12V so car battery power is also
> an option.

Actually the best 3G router option I've found is an Alix 6b2. It has a miniPCI Express slot you can use for the cellular connection (no miniPCI solutions exist AFAIK) and an LX800 with 256MB of memory. $113 for the board, $10 for the case, and $??? for a card and continued connectivity.

I also thought the wrt54g3g would be nice and have actually spent a considerable amount of time working with it and getting better support for it into OpenWRT. For the price, the hardware is anemic compared to the 6b2. Their implementation of a TI cardbus on the mipsel architecture is buggy to say the least, and added to the rather awful "open source" releases they made it's been impossible to get a 2.6-series linux kernel running on it. It is one of the two remaining piles of Broadcom fail that force *WRT to continue to support 2.4-series kernels. Linksys' releases are generically okay, but largely just pay lip service to the open source concept. Once you start digging into model-specific features (like the G3G cardbus or the AG310's SIP interface) you run into a brick wall of binary lumps that "happened" to get shipped with the release instead of the source you were looking for.
Re: [pfSense Support] plugins for a detailed log
On Tue, Mar 17, 2009 at 02:00, Fabio Palladino wrote:
> Are there plugins for a detailed log?
> With the ability to query by date, protocol, source, etc. ..

Basically, no. It wouldn't be too hard to create and I'm sure you can convince someone to do it, but generally speaking most people that are really serious about log analysis and monitoring send their logs to an external system and analyze them there.
Re: [pfSense Support] Re: Can't get more than 15kpps.
On Sun, Mar 8, 2009 at 13:17, Chris Buechler wrote:
> Based on what I've seen in the FreeBSD list threads describing this
> problem, it doesn't help. In the FreeBSD 4.x days polling was better
> than it's been in 5.x through 7.x.

You and I were likely reading the same threads, but from what I read even though interrupt mitigation has largely made it unnecessary, polling still has a place. I definitely see overwhelming anecdotes that polling doesn't help when trying to push from 400k to 700k-1m PPS.
Re: [pfSense Support] Re: Can't get more than 15kpps.
On Sun, Mar 8, 2009 at 12:49, Chris Buechler wrote:
>> I do realize it might be a problem with FreeBSD rather than pfSense,
>> especially that I saw a couple of related posts on the net(without
>> solution).
>
> There's no "might be", it is.

I don't know why, but I don't see anyone in this thread (including myself) suggesting enabling device polling. That generally seems to be the interweb solution to taskq lock with high PPS.
Re: [pfSense Support] pfSense to use with production web server
On Wed, Mar 4, 2009 at 09:30, Vick Khera wrote:
> What threats are you defending against? The firewall will not protect
> you against application flaws such as cross site scripting and SQL
> injection attacks.

I agree, but given the context and content (no disrespect intended either), I'm not sure Raleigh knows what he's looking for or what he's defending against.

Raleigh: the most basic form of firewalling today is precisely what you stated - packet filtering. Firewalls in this category (pfSense included) filter at OSI layers 2-4, meaning they don't get any deeper into the packet than IP and port number. This defends against basic attacks & reconnaissance including some DoS, address spoofing, port scanning, and so on. pfSense also adds load balancing, VPN termination, and other border services as well.

If, as Ben & Vick have asked, you are interested in application-level filtering (SQL injection, XSS, and other "layer 7" attacks), you'll need to look at something more like a reverse proxy running mod_security - pfSense does not offer application-level filters.

RB
Re: [pfSense Support] Need help regarding the initial configuration of pfsense
On Wed, Feb 25, 2009 at 08:41, Sumesh T A wrote:
> It is static

So, presuming all other routing is normal (you've not set up any static routes, no address space conflicts, etc.), can you ping an external IP, like 4.2.2.2?
Re: [pfSense Support] Need help regarding the initial configuration of pfsense
On Wed, Feb 25, 2009 at 08:24, Sumesh T A wrote:
> No i am unable to get connected to internet. I can ping my WAN IP. I
> cannot ping my gateway of WAN network

What is your WAN configuration - static, DHCP, PPP, or something else?
Re: [pfSense Support] Need help regarding the initial configuration of pfsense
On Wed, Feb 25, 2009 at 08:16, Sumesh T A wrote:
> Curtis I have tried all these even before i sent this query to the support
> forum.
> There are no hardware issues.

Every network is a little different, but generally speaking pfSense is one of the most trivial firewalls to set up: you plug it in, install the software, put your LAN on the LAN interface and your WAN on the WAN interface. After that, NAT "just works".
Re: [pfSense Support] MAC Filtering
On Fri, Feb 20, 2009 at 07:13, Gary Buckmaster wrote:
> pfSense does not do firewalling based on MAC address.

Actually, it does, if indirectly. Use the captive portal. More than likely it fits your use case anyway, but can also be used to enter static lists of allowed MAC addresses that do not go through the captive page. L2-attached users will have MAC entries automatically created & destroyed for them by the login process if you do not check the "Disable MAC filtering" box in the CP configuration page.
Re: [pfSense Support] pfsync vs contrackd
Slicing and dicing to get context:

On Thu, Feb 19, 2009 at 12:26, mikel wrote:
> I think that contrackd doesn't do this
>
> On Thu, 19 Feb 2009 13:13:00 -0600, Bill Marquette
> wrote:
>> All 255 protocols. If it's in state, it's sync'd.

At the expense of addressing a fallacy on the wrong list, in short: it does. Both conntrackd and pfsync handle any state the host kernel tracks.
Re: [pfSense Support] pfSense state question
On Thu, Feb 19, 2009 at 09:30, apiase...@midatlanticbb.com wrote:
> icmp 192.168.10.255:54864 <- 192.168.10.11 0:0
> icmp 192.168.10.11:54864 -> 192.168.10.255 0:0
> icmp 192.168.10.255:60489 <- 192.168.10.11 0:0
> icmp 192.168.10.11:60489 -> 192.168.10.255 0:0
> I've discovered that this device is a Linksys access point that is going
> nuts for some reason. I will fix that, but was wondering why pfSense is
> responding to an IP that isn't in any of its subnets.

Doesn't necessarily look like pfSense is responding, it looks like the Linksys is broadcasting discovery packets - UPnP, Bonjour, etc.
Re: [pfSense Support] pfsync vs contrackd
On Thu, Feb 19, 2009 at 09:06, Chris Buechler wrote:
> For one, you're not likely to find any Linux users here, at least not any
> that are intimately familiar with Linux firewalls.

Preferring to hand-roll my own rule sets and knowing the iptables packet stack nearly by heart, I'd say I am familiar with Linux firewalls, but originally chose not to respond since this is not a question about pfSense, but about OS selection. Even so, I choose pfSense for nearly all of my "software" firewall needs.

Pick your OS and use the tools available for it. There are far more reasons to choose BSD versus Linux, and firewall state-sharing is only a very small sub-item. Since it seems you and your employer's focus is almost purely Linux, you'd probably be better off sticking to what you know rather than introducing something new based solely on some esoteric technical reason.
Re: [pfSense Support] Re: hard drive install failure
On Wed, Feb 18, 2009 at 09:27, Nick Upson wrote:
> anyone?

Most probably didn't respond because your description of the problem seemed pretty obvious that you have a hard drive failure. pfSense uses modern FreeBSD under the hood, and there's no reason a 320GB drive would be "too large". If the drive works anywhere else, it might be cause for concern with pfSense; otherwise, installing on the smaller (more importantly, different) drive didn't prove anything.
Re: [pfSense Support] Re: policy rules with proxy and multiwan
On Tue, Feb 17, 2009 at 08:01, Federico Konig wrote:
> I agree with you but what i need is the cisco's "policy". I need only for a
> few pcs to use the X gateway, others use the Y gateway and the rest use a
> balance pool Z.

Due to the way proxying works, your request is simply not possible, not with pfSense, nor with any other non-DPI router. Even with DPI, success would be dubious due to the need to add some header (like X-Forwarded-For) to indicate the client source. The connections will always appear to be sourced from the proxy, and unless you hack DPI into pfSense, it will not be aware of what client originated what request through the proxy.

If you insist on applying the same rules whether by proxy or by IP, you could kludge something together on your proxy (assuming it's a readily-configurable UNIX box running squid) with IP aliases and tcp_outgoing_address, but such a solution would be such a hack, and so utterly unmaintainable, that I'm unwilling to outline it. A more tenable solution would be to either not proxy the clients that need the dedicated gateway or to set up a dedicated proxy instance for those gateways.
Re: [pfSense Support] Re: policy rules with proxy and multiwan
On Mon, Feb 16, 2009 at 07:57, Federico Konig wrote:
> Nobody answers?

It was unclear whether you meant "policy" in the Cisco sense (route source X via gateway Y) or "policy" in the sense of applying access policies - like who may connect to what site on what port. Either way, a firewall that doesn't do "deep packet inspection" (L7 filtering) cannot distinguish what client issued what request to a proxy - if there is any policy to be applied, it must be done at the proxy level and not at the firewall level.
RE: [pfSense Support] Issues with upgrade to pfsense version 1.2.2
Don't know if it's changed in the 1.2.2 and 1.2.3 releases, but in 1.2-RELEASE the CP wasn't very well suited for high-volume concurrent logins. Each client spawns its own thread that tries to gain an exclusive lock on the flat file that enumerates sessions, then linearly searches that for a match before appending its own. The catch is when another client holds the lock - the script uses homegrown locking and instead of blocking (as most good lock implementations do), each client sleeps for 10 seconds before retrying. Add a few hundred concurrent logins and your typical CP client's impatient tendency to clickclickclick or hit refresh a few dozen times, and the whole thing snowballs into deadlock.

Depending on your CP timeout, you probably never encountered the rush you did this morning, since most clients would have still had a live session.

-Original Message-
From: Atkins, Dwane P
Sent: Thursday, February 12, 2009 13:05
To: support@pfsense.com
Subject: [pfSense Support] Issues with upgrade to pfsense version 1.2.2

We upgraded to pfSense version 1.2.2 today around 0530. It seems to have upgraded just fine and personnel started logging into the CaptivePortal and I tested it as well and it worked as expected. However, around 11:30 when I was doing a follow-up, I went to the CaptivePortal area to see how many folks we had logged on and it was locked up. I managed to move some logs over to my desktop prior to a reboot. Is there anything we can do to prevent this from happening again? Is this saying my upgrade did not upgrade properly? I used the firmware upgrade option and did make sure the checksum was OK prior to upgrading. Any ideas?

I would also like to see how I make change requests? I would like to see about inserting an intermediate certificate into the next update. Currently, we take a pem file, copy it to /var/etc/ and call it mycert.pem. We then put the following entry in the /etc/inc/system.inc

$lighty_config .= "ssl.ca-file = \"/var/etc/mycert.pem\"\n\n";

When upgrading, it sure would provide a warm fuzzy to have some percentage counter or verbose text of what is going on during the upgrade. All one sees is the system will reboot when completed.

I would appreciate anyone's help in the first matter.

Dwane
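As an added illustration (not code from the thread or from pfSense), here is a discrete-event model of the two locking behaviours RB describes: a blocking lock on the session file versus the sleep-ten-seconds-and-retry scheme, with an optional "refresh" storm where impatient clients issue a second request. The 50 ms hold time, the client counts and the 30 s patience are constructed assumptions; the point is the scale of the difference, not the exact numbers.

```python
import heapq
from dataclasses import dataclass
from typing import Optional

# Constructed parameters (not from the original post): how long one login holds
# the exclusive lock (lock + linear scan of the session file + append), and the
# fixed sleep the post says each client takes before re-checking a held lock.
HOLD_SECONDS = 0.05
RETRY_SLEEP = 10.0


@dataclass
class Result:
    finished: int      # logins completed before the horizon
    pending: int       # requests still sleeping/retrying at the horizon
    elapsed: float     # time at which the last completed login finished
    retries: int       # sleep-and-retry cycles spent by all requests


def blocking_lock(n_clients: int, hold: float = HOLD_SECONDS) -> Result:
    """A blocking lock queues the waiters: one login completes per `hold`."""
    return Result(finished=n_clients, pending=0, elapsed=n_clients * hold, retries=0)


def sleep_retry(n_clients: int, hold: float = HOLD_SECONDS,
                sleep: float = RETRY_SLEEP, spacing: float = 0.0,
                patience: Optional[float] = None,
                horizon: float = 3600.0) -> Result:
    """Sleep-and-retry lock, modelled on the post's description of the CP.

    Client i arrives at i * spacing. A client that finds the lock held sleeps
    `sleep` seconds and tries again, so once a burst collides, at most one
    login completes per `sleep` interval. If `patience` is set, each original
    request that has waited at least that long issues one duplicate request
    (the user hitting refresh) that competes for the same lock. The run stops
    at `horizon` and reports the backlog left at that point.
    """
    # heap entries: (time, seq, client_id, arrival_time, is_duplicate)
    events = [(i * spacing, i, i, i * spacing, False) for i in range(n_clients)]
    heapq.heapify(events)
    seq = n_clients
    refreshed = set()
    lock_free_at = 0.0
    res = Result(finished=0, pending=0, elapsed=0.0, retries=0)
    while events:
        t, _, cid, arrival, is_dup = heapq.heappop(events)
        if t > horizon:
            res.pending = 1 + len(events)
            break
        if t >= lock_free_at:                   # lock is free: take it, scan, append
            lock_free_at = t + hold
            res.elapsed = lock_free_at
            res.finished += 1
            continue
        res.retries += 1                        # lock held: sleep and come back
        if (patience is not None and not is_dup and cid not in refreshed
                and t - arrival >= patience):
            refreshed.add(cid)                  # the user hits refresh once
            seq += 1
            heapq.heappush(events, (t, seq, cid, t, True))
        seq += 1
        heapq.heappush(events, (t + sleep, seq, cid, arrival, is_dup))
    return res


if __name__ == "__main__":
    print("blocking, 300 clients at once   :", blocking_lock(300))
    print("sleep/retry, 300 clients at once:", sleep_retry(300))
    print("sleep/retry, 300 spaced 0.1 s   :", sleep_retry(300, spacing=0.1))
    print("sleep/retry + refresh after 30 s:", sleep_retry(300, patience=30.0))
```

With 300 simultaneous logins the blocking lock clears the queue in 15 seconds, the sleep-and-retry scheme needs about 50 minutes, and a single refresh per waiting user roughly doubles the backlog, which is the snowball the post describes.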
Re: [pfSense Support] PPPoE and PAT
On Wed, Feb 11, 2009 at 15:28, Chris Buechler wrote:
> On Wed, Feb 11, 2009 at 5:01 PM, Brian-Paul Carline
> wrote:
>> I'm writing to ask if anybody else has experienced the inability to use PAT
>> through to a DMZ server(s) with a PPPoE configured WAN interface.
>>
>
> Works fine, you're misconfiguring something. See
> http://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

Ditto - running complex multi-DMZ test configurations with "PAT" between those and the ADSL WAN with zero issues. No problem deleting rules from the GUI either.
Re: [pfSense Support] Pfsense 1.2 Alix VPN
On Mon, Feb 9, 2009 at 20:24, Chris Buechler wrote:
> On Mon, Feb 9, 2009 at 10:05 PM, Jeremy Bennett wrote:
>> RB,
>>
>> Thank you for review. I typically use PPTP cause it is quick and easy, and
>> supported natively by Mac OS X and Windows.
>>
>> Do you have a favorite OpenVPN client for OS X?

I hear good things about Viscosity, and even as a non-free app it's quite tempting at $9. Inasmuch, I too use tunnelblick.
Re: [pfSense Support] Exchange RPC/HTTPS outbound client
On Mon, Feb 9, 2009 at 19:46, Joseph L. Casale wrote:
> I am using 1.2-RELEASE and have a client that needs to connect to an Exchange Server via RPC/HTTPS that I know to be in working order. This client cannot connect when behind pfsense but can access owa on this server.
>
> Are there any known issues, I couldn't find anything that suggested any additional config?

pfSense by default does not employ any application-layer logic and would not interfere with typical HTTPS (tcp/443) traffic. If, however, you have installed the Squid package or have some other proxy intercepting the traffic, it's most likely silently dropping methods it's not configured for.
Re: [pfSense Support] Pfsense 1.2 Alix VPN
On Mon, Feb 9, 2009 at 19:01, Jeremy Bennett wrote:
> 4) Assign an address of 10.0.0.X on the same subnet as everything else to the LAN port (making sure that it doesn't conflict with anything else)
>
> 5) Turn on the PPTP VPN server with another 10.0.0.X address (making sure that it doesn't conflict with anything else)
>
> 6) Create a firewall rule to pass all traffic on PPTP server to same subnet
>
> 6) Forward all traffic on port 1723 to the PFsense/Alix box.
>
> 7) connect the LAN port to the network.
>
> Am I leaving anything out? Should I disable anything else? Is this crazy?

Typical VPN-on-a-stick configuration, but I can't imagine why anyone would elect to use PPTP over OpenVPN.
Re: [pfSense Support] VLANs/802.1q Trunking
On Mon, Feb 9, 2009 at 02:17, Aarno Aukia wrote:
> You need to configure the interface on the 2950 to your pfsense box as a trunk to send and receive tagged packets.
> e.g.:
>
> Interface fastethernet0/6
> switchport mode trunk
> switchport trunk encapsulation dot1q

Ditto, but make sure that if you're tagging packets on the laptop as well to set it as a trunking interface also. By using "switchport access", you're telling the switch to drop tagged packets and place any untagged ones on VLAN 101. This is right for end-point ports - it is unwise to allow your client devices to freely tag however they see fit.
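The access-versus-trunk behaviour in the reply above (an access port drops tagged frames and puts untagged ones on its VLAN; a trunk honours the tag) is modelled below as an added example; it is not pfSense or Cisco code. It decodes the 802.1Q tag from raw Ethernet frames and applies the ingress rule of a hypothetical switch port, following the reply's description (tagged frames on an access port are dropped outright; VID 0 is treated as untagged, as most switches do). The Port model, the sample MAC addresses and the sample frames are all constructed for the illustration.

```python
import struct
from dataclasses import dataclass
from typing import FrozenSet, Optional

DOT1Q_TPID = 0x8100  # EtherType value that announces an 802.1Q tag


@dataclass
class Frame:
    dst: bytes
    src: bytes
    vid: Optional[int]  # None when the frame carries no tag at all
    pcp: int
    ethertype: int
    payload: bytes


def parse_frame(raw: bytes) -> Frame:
    """Decode an Ethernet II frame, peeling off a single 802.1Q tag if present."""
    if len(raw) < 14:
        raise ValueError("short frame")
    dst, src = raw[:6], raw[6:12]
    (etype,) = struct.unpack("!H", raw[12:14])
    if etype != DOT1Q_TPID:
        return Frame(dst, src, None, 0, etype, raw[14:])
    if len(raw) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", raw[14:18])
    # TCI layout: 3 bits PCP, 1 bit DEI, 12 bits VID
    return Frame(dst, src, tci & 0x0FFF, tci >> 13, inner_type, raw[18:])


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Inverse of parse_frame; used here only to construct sample frames."""
    if vid is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    tci = (pcp << 13) | (vid & 0x0FFF)
    return dst + src + struct.pack("!HHH", DOT1Q_TPID, tci, ethertype) + payload


@dataclass
class Port:
    """Hypothetical switch-port model mirroring the IOS 'switchport' settings."""
    mode: str                               # "access" or "trunk"
    access_vlan: int = 1                    # switchport access vlan N
    native_vlan: int = 1                    # switchport trunk native vlan N
    allowed: FrozenSet[int] = frozenset()   # trunk allowed VLANs; empty = all


def ingress_vlan(port: Port, frame: Frame) -> Optional[int]:
    """VLAN the switch files the frame under on ingress, or None if it is dropped."""
    if frame.vid == 0xFFF:
        return None  # reserved VID, never valid on the wire
    untagged = frame.vid is None or frame.vid == 0  # VID 0 = priority tag only
    if port.mode == "access":
        # The sender's tag is not trusted: untagged traffic lands on the access
        # VLAN and tagged traffic is dropped, so a client cannot pick its VLAN.
        return port.access_vlan if untagged else None
    if port.mode == "trunk":
        if untagged:
            return port.native_vlan
        if port.allowed and frame.vid not in port.allowed:
            return None
        return frame.vid
    raise ValueError(f"unknown port mode {port.mode!r}")


# Constructed sample traffic: a client that tags its own frames for VLAN 200.
CLIENT = bytes.fromhex("001122334455")
GATEWAY = bytes.fromhex("665544332211")
IPV4 = 0x0800
UNTAGGED = build_frame(GATEWAY, CLIENT, IPV4, b"\x45" + b"\x00" * 19)
SELF_TAGGED_200 = build_frame(GATEWAY, CLIENT, IPV4, b"\x45" + b"\x00" * 19, vid=200, pcp=5)

ACCESS_101 = Port("access", access_vlan=101)
TRUNK = Port("trunk", native_vlan=1, allowed=frozenset({101, 200}))


def demo() -> dict:
    """Where each sample frame ends up on each port type (None = dropped)."""
    return {
        "access/untagged": ingress_vlan(ACCESS_101, parse_frame(UNTAGGED)),
        "access/tagged200": ingress_vlan(ACCESS_101, parse_frame(SELF_TAGGED_200)),
        "trunk/untagged": ingress_vlan(TRUNK, parse_frame(UNTAGGED)),
        "trunk/tagged200": ingress_vlan(TRUNK, parse_frame(SELF_TAGGED_200)),
    }
```

The demo shows why the laptop in the thread must sit on a trunk port to have its tags honoured, and why end-station ports are left in access mode: on ACCESS_101 the self-tagged frame is dropped, on the trunk it is forwarded on VLAN 200.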
Re: [pfSense Support] Traffic shaping of "Transmission" bittorrent
On Tue, Feb 3, 2009 at 16:35, Thomas Elsgaard wrote:
> I have just configured pfSense to do traffic shaping in our network, and I hoped that the "p2pcatchall" could detect the p2p traffic from the linux transmission p2p client, but unfortunately this traffic is going into the default queue..
>
> By looking in the wireshark traces, it's really hard to detect the p2p traffic :-(

Yes, it is. There aren't many options to "defeat" the many mechanisms p2p uses to bypass restrictions short of enacting very strict controls. If you can clearly define what traffic should not be shaped, you'll be better off, but generally speaking it's impossible to fully control p2p without going to a deny-all stance.
Re: [pfSense Support] DNS forwarder or proxy question
On Mon, Feb 2, 2009 at 15:15, Steve Spencer wrote:
> The only problem I had was that the ssh to the proprietary accounting box returned the login immediately, followed by the password, and then it sat for 2 minutes or more before it returned screens. I noticed on the Astaro box, that there was a DNS proxy in place for this machine, I assume because it had the same issue.
>
> I do have identd being rejected to that server, but have tried dropping it and also allowing it through with no change. I believe the issue is DNS related, as when I finally am able to get ssh'ed into the proprietary accounting box, I'm not able to nslookup the ip of the firewall (I can do this and return the reverse when the old firewall is in place).

It definitely is a DNS issue - the most basic fix would be to edit the SSH configuration on the accounting box and set (or add) 'UseDNS No', assuming it uses OpenSSH. This prevents the SSH server from performing a reverse-lookup on every authenticated client to perform logging and ACL checks by DNS instead of by IP. I tend to prefer doing so myself, as DNS information is transient by nature and adds another point of failure. If you don't want to disable that, you need to ensure that whatever DNS resolver the accounting server uses is able to return reverse-lookups for the IP range from which you will be SSHing to it. To use pfSense as a resolver, make sure that the accounting server can reach it on UDP/53, and make sure pfSense's resolver is set to something that will answer PTR queries for the SSH source range (presumably your LAN).

RB
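Setting 'UseDNS no' sounds like a one-line edit, but sshd_config has two traps that bite when the change is scripted: a commented default ('#UseDNS yes') is not a setting, and anything placed after the first 'Match' line applies only to that block, so a directive appended at the end of the file silently does nothing globally. The following is an added example, not from the thread or from OpenSSH: a small idempotent editor that sets a keyword exactly once in the global section, leaves Match blocks alone, and a reader that reports the value sshd would actually apply. The sample sshd_config is constructed.

```python
import re
from typing import List, Optional, Tuple

_MATCH_RE = re.compile(r"^\s*Match\b", re.IGNORECASE)


def _directive_re(key: str) -> "re.Pattern":
    # sshd keywords are case-insensitive; keyword and argument may be
    # separated by whitespace or by a single '='
    return re.compile(rf"^\s*{re.escape(key)}\s*(?:=|\s)\s*(?P<value>\S+)", re.IGNORECASE)


def _split_global(config_text: str) -> Tuple[List[str], List[str]]:
    """Split sshd_config into (global lines, everything from the first Match on)."""
    lines = config_text.splitlines()
    for i, line in enumerate(lines):
        if _MATCH_RE.match(line):
            return lines[:i], lines[i:]
    return lines, []


def active_option(config_text: str, key: str) -> Optional[str]:
    """Value sshd applies globally for `key` (first active line wins), or None if unset."""
    pattern = _directive_re(key)
    for line in _split_global(config_text)[0]:
        m = pattern.match(line)
        if m:
            return m.group("value")
    return None


def set_sshd_option(config_text: str, key: str, value: str) -> str:
    """Return config_text with `key value` set exactly once in the global section.

    An existing active directive is rewritten in place and later duplicates
    dropped (sshd honours only the first occurrence); a commented-out default
    such as '#UseDNS yes' is left untouched; and when the keyword is absent the
    new line goes in before the first 'Match' block, never after it.
    """
    global_part, match_part = _split_global(config_text)
    pattern = _directive_re(key)
    new_global: List[str] = []
    done = False
    for line in global_part:
        if pattern.match(line):
            if not done:
                new_global.append(f"{key} {value}")
                done = True
            continue
        new_global.append(line)
    if not done:
        new_global.append(f"{key} {value}")
    return "\n".join(new_global + match_part) + "\n"


# Constructed sample: the shipped default is only a comment, and a Match block follows.
SAMPLE_SSHD_CONFIG = """\
# constructed sample sshd_config
Port 22
#UseDNS yes
PermitRootLogin no

Match User backup
    UseDNS yes
    PasswordAuthentication no
"""

if __name__ == "__main__":
    print(set_sshd_option(SAMPLE_SSHD_CONFIG, "UseDNS", "no"))
```

Run it against a copy of the real file, diff, then reload sshd; the active_option() check is the quick way to confirm the directive landed in the global section rather than inside a Match block.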
Re: [pfSense Support] DMZ to LAN access
On Fri, Jan 9, 2009 at 08:31, Chris Buechler wrote:
> You rarely want to NAT between internal interfaces.

Ditto. The only "internal" NAT I have is when traversing from a trusted VLAN to an untrusted one (open wireless) to mask the systems. If your routing (primarily on the clients) is configured properly, the only thing you should have to do to enable DMZ->LAN is set an 'allow' rule for the specific traffic.
Re: [pfSense Support] Really need some help
On Wed, Jan 7, 2009 at 10:07, Atkins, Dwane P wrote:
> We have 1.2 RC2 installed on a Dell server. Periodically, it locks up solid. You can web into it, but when you go to see how many users there are on the Captive Portal, it locks up. It will show you the number of users but will not display the list.

I've encountered this issue when I have a large number of live users, also with the DHCP page. The pages in question aren't designed to scale well over 1000 users and could probably use a revamp.
Re: [pfSense Support] Can't get more than 15kpps.
On Sun, Dec 21, 2008 at 11:21, Lenny wrote:
> actually, they couldn't download higher than 30Mbs or so from each client (although they said they have the line for it), so they initiated about 6 of those connections. Does this help in any way?

Unfortunately not - it's inconclusive without knowing what their retry rates were. The fact that they got up to 30Mbps seems to indicate that's not the issue, as most ARP issues like this I've seen have limited speeds down to tens of Kbps.

> I know for sure that my ISP routed the network. Should I not bother with the proxyarp solution?

If you can try it, it's definitely worth trying. I personally don't _think_ that's the issue, but if I were in your situation would try it anyway since it shouldn't hurt.
Re: [pfSense Support] Can't get more than 15kpps.
On Sun, Dec 21, 2008 at 10:34, Michael Schuh wrote:
> Oh not to understand as "its limit the packets per second", but you get not all the time answers from the isps-gateway, because it need proxyarp.

So your particular ISP expected to see the L2 addresses for your public IPs - they didn't route your subnet to you. You probably never saw unsolicited inbound L3 traffic, but if return packets came back before their ARP cache associating the L3 address to your pfSense's L2 address timed out, you'd see the packets. Add TCP retries on top of that, and you see intermittent but slow traffic.

It's possible Lenny is seeing this, but since he's seeing as much traffic as he is (15kpps), I find it less probable. Plausible, but individual streams would likely be much less than the 170Mbps he's quoting. It's easily checked for - a packet capture on the test clients looking for high retransmits will either prove or disprove the issue.

RB
Re: [pfSense Support] Can't get more than 15kpps.
On Sun, Dec 21, 2008 at 01:00, Lenny wrote:
> actually, the blank spaces in RRD during the load made me believe it was a firewall issue for sure.
> Regarding the CPU, I only used the RRD graphs. But you're probably right, I should use top.

The gaps in the graph only indicate that no (or invalid) data is being gathered at those points. That could be something broken with the RRD process, an overloaded system, or something else entirely. Regardless, unless watching top shows otherwise, your system just doesn't seem sufficiently loaded to be the bottleneck.

> How do I setup a WAN monitoring IP through webconfig if I don't use a load balancer feature?

The use_rrd_gateway option has never had a GUI setup and is independent of WAN balancing. That's partly by design, as only a small handful of users really need to change that, and it indicates so little. By default, pfSense monitors the RTT of ICMP pings to your default gateway to generate the "Quality" RRD graph, but if you can't reach it via ICMP or need to reach farther up your supplier chain, you can add that attribute (as outlined by the linked posting) by directly editing config.xml.

> I noticed that at home (I use pfsense 1.2), I never setup a monitoring IP and the quality graphs work fine.
> Can it be a bug in 1.2.1, and I must set it through config.xml?

I doubt it's a bug, it's more likely that your box can't ping its gateway. Regardless, this feature is largely cosmetic - it [typically] shows the latency of lowest-priority packets across a single link and could only indicate part of a larger problem.

I can't speak to the proxy-arp bit, but don't see how that particular configuration (or lack thereof) would so steeply limit PPS.
Re: [pfSense Support] Can't get more than 15kpps.
On Sat, Dec 20, 2008 at 15:45, Lenny wrote:
> Another weird thing I noticed is that when looking at RRD graphs I suddenly see a blank space, like this:
>
> -- -- . And it shows on all the graphs at the same time.
>
> I've also noticed that it's about the same time as the load kills the website. Must be related.

Other than this tenuous link, I don't see any indication in your notes above that make me think your pfSense box is the limitation. The only question I have is whether your measurement of the CPU load is sufficiently accurate - I'd recommend watching 'top -S -o cpu -s 1' during the events.

> Quality graphs are not showing. They did in the 1.2 version.

Have you set the WAN monitoring IP at some point and can't reach it? It's not a critical issue, but check this link for the config.xml change: http://www.mail-archive.com/support@pfsense.com/msg11368.html
Re: [pfSense Support] Squid with auto AD (2003) authentication
On Tue, Dec 9, 2008 at 00:21, Wayne Langdon wrote:
> Has anyone setup pfsense / squid to automatically authenticate Windows users based on their domain login rather than prompting them to enter this when attempting to use the proxy?

Looks like the ntlm_auth binary is included in the package (/usr/local/libexec/squid/ntlm_auth), but you'll have to roll your own custom config segment to set up SPNEGO authentication and the associated ACLs.

RB
Re: [pfSense Support] Sizing for Throughput up to 6Gbit/s
On Fri, Dec 5, 2008 at 09:59, Curtis Maurand wrote:
> the last time I checked out the guts of a Cisco PIX, I found that it was nothing more than commodity PC hardware with an Intel processor.

I can't speak to the PPS, but the above statement depends on the model. The 515 series was a single-processor Pentium MMX or Celeron, whereas the 525 & 535 had two 370 sockets, one of which was filled with a Cisco-custom coprocessor, the other a PIII <= 1GHz. The 535 could hit 1.6Gbps; no PPS numbers posted, but comes out to ~140Kpps @ 1500 bytes.
Re: [pfSense Support] Load-balancing internal net
On Fri, Dec 5, 2008 at 08:31, rgreiner wrote:
> could somebody point me to a document on how I could deploy pfSense with a load balance/failover config, considering 2 pfsense boxes? I'm not interested in a dual WAN config, because our backbone already handles that transparently (OSPF/BGP). What I would like to have is 2 pfSense boxes load-balancing/failing-over as gateways for my LAN (private IPs) to the WAN (public IP) gateway address. Is this possible? Is there any documentation available?

Yes - there's a whole subsection of the forum dedicated to this: CARP. There's also a flash video tutorial, but I haven't the time to seek it out ATM.

It's pretty simple - you set up your two boxes with two separate LAN IPs, set them to synchronize (paying special attention to the CARP sync options), then configure a virtual IP between them on the LAN segment. Set clients' default route as the virtual IP (via DHCP or statically), and away you go. You can even get cute and float a virtual WAN IP between them as well (with the same CARP ID) and set up an advanced outbound NAT for the LAN subnet, translating to the virtual IP. WAN fails with the LAN, and away you go.

RB
Re: [pfSense Support] Sizing for Throughput up to 6Gbit/s
On Fri, Dec 5, 2008 at 06:52, Tim Korves wrote:
> we're searching for a reliable hardware basis to use as a pfSense firewall with a maximum concurrent throughput of 6 Gigabits / second.

Four questions to start:
- If 6Gbps is the peak, what do you expect the sustained throughput to be?
- Is 6Gbps unidirectional or duplex?
- How many peak/sustained states do you expect?
- What kind of functionality are you expecting to use (firewall only, captive portal, bridging, etc.)

As long as you are "just" firewalling, your throughput will be more dependent on your bus speeds than anything; *BSD is pretty efficient at shuffling packets.

> - 2x Intel Xeon QuadCore Processors

Probably overkill if you aren't proxying, using the portal, or doing lots of load-balancing/multiwan.

> - 4 or 8 GB of RAM

Dependent on the number of concurrent states you expect. There's a good bit of historical traffic on the list explaining how to size your memory for the number of states you expect; future versions (2.0) will attempt to auto-tune that for you.

> - QuadPort Intel Pro 1000 Ethernet NICs (PCIe x4)

I've not found the Quads to be particularly cost-effective on port density: seeing ~$150 for dual-port and ~$400 for quads. Unless your PCI-E slots are at a premium, you're probably better off spreading your ports across more buses (lanes). That said, remember a single PCI-E lane can /theoretically/ handle 2Gbps duplex. If you intend to use LACP or EtherChannel, remember that 2.0-ALPHA is the only release that has a GUI configurator for that.

> - RAID 1 of SAS or SATA HDDs via 3Ware RAID Controller

HDD choice is going to be really insignificant unless you're doing enormous amounts of logging. Spend as little as you can while getting the highest reliability you can (high MTBF); I personally wouldn't spend over the RAID card that typically comes with server setups, even if it'll only do 0 & 1.

My ideal pfSense system would have an externally-accessible CF slot for the base OS and use the drive buses only if I need logging.
Re: [pfSense Support] Policy Routing and Re-Direct Question
On Wed, Dec 3, 2008 at 09:09, Vaughn L. Reid III wrote:
> I'm asking this to see if it is feasible to set up a traditional proxy server/content filter in a way to avoid having to configure proxy settings

Ditto Gary's statement. Even though you want to keep proxying off of the router, it's worth noting that the squid package offers a transparent proxy configuration. I've been using that with an ultra-minimal setup (no caching) pointed at an upstream content filter for just over a year with zero issues. The upstream proxy solely serves that network and averages 40GB/day, but has seen as much as 3x that with no ill effect.

pfSense: Dell PE2650, 2xP-IV @ 1.8GHz

RB
Re: [pfSense Support] Re: VLAN for dummies
On Sun, Nov 30, 2008 at 00:59, Cozma Szabi wrote:
> Is there a description about these cards in the pfsense wiki? I found them on the homepage of FreeBSD.

That's where you should find them - pfSense is just a UI on top of FreeBSD and doesn't have the need or resources to specify their own HCL.
Re: [pfSense Support] vlan editing & status information
> 1/ change the message to say it DOES need rebooting

The necessity of rebooting depends on your particular hardware; some drivers don't need to be reloaded to enable VLANs.

> 2/ add, to the interface status page, information about the current vlan tag?

You mention telling if there's a problem. Your particular request isn't technically difficult, but what problem are you trying to address?
Re: [pfSense Support] VLAN for dummies
On Tue, Nov 25, 2008 at 14:47, Cozma Szabi wrote:
> Thank you for the answer, I will try it out tomorrow.
> You mean that I have to enable the parent interface and leave all the fields empty?

Do as you wish; it likely needs to be at least enabled, but that's the equivalent of Cisco's 'native' VLAN.
Re: [pfSense Support] VLAN for dummies
On Tue, Nov 25, 2008 at 14:13, Cozma Szabi wrote:
> I cannot find what I have to set on the parent card, or what I must check on VLAN interfaces.

Unlike Cisco equipment, you don't have to set anything on the parent interface, VLAN tagging is turned on by default. If you read the link, you will be shown the steps necessary to set up 802.1q VLAN interfaces. Here's a preview, it's dead simple:
- Interfaces->(assign)->VLAN
- "+" -> fill out parent interface & tag number
- wash, rinse, repeat

Once configured, they appear as ethernet interfaces, there is no difference between them and the parent physical interfaces. You can click on the Interfaces->(assign) page and it will show you that particular interfaces are VLAN children of others, but that's about the only differentiation you will see.
Re: [pfSense Support] VLAN for dummies
> The description from the wiki is not helpful.
> Do you know a general description how VLAN is working in pfsense?

What is unhelpful about this document? http://doc.pfsense.org/index.php/HOWTO_setup_vlans_with_pfSense
Re: Re: [pfSense Support] Force Speed/Duplex on NIC
> Recommended reading:
> http://www.sun.com/blueprints/0704/817-7526.pdf

It's funny because Sun cards were some of the original ones to induce the nightmare. I gauge both my peers' age and their susceptibility to the "ghost in the machine" by this one.

RB
Re: [pfSense Support] pfsense 1.2.1 dude
On Fri, Oct 31, 2008 at 16:40, JJB wrote:
> If I was able to read and understand the source, I would probably be contributing to it.

It really doesn't take that much, you don't even have to be a programmer per se. Reading source code may speed up the process, but identifying replicable errors is probably one of the biggest time consumers, and anyone can do that.

> Isn't there usually an oversight process in which source commits are reviewed by someone before being accepted? Otherwise someone could be putting back doors or spy-code into the source code?

Usually projects have commits limited to a small group; once you're in, though, few have code audits. Stuff gets caught (if ever) by end-users or random chance.

> If I worked for an alphabet soup agency, I would certainly ***love*** to be involved in open source development!

That's often speculated, but unless the exploit were extraordinarily clever in nature, the potential social damage a TLA would take for subverting a public project _and_ getting caught is immense. Risk v. return, it's easier to just get a warrantless wiretap, as often as not.

> With closed source software there is a level of accountability - if something like that was discovered the company's reputation would suffer, there could even be lawsuits, loss of revenue, etc.

Bah. I've worked for companies with closed software, and what goes on behind closed doors is worse than what happens in the open. Faking reports, outright lies, etc. Reputations never suffer, marketing adds another glossy & blames it on a "glitch with their supplier in India". Someone too insignificant to matter gets their head on a platter, and the company continues to make mad gobs of money.

> My understanding (perhaps ignorant) is that there is some kind of process in most group-effort open source projects, especially of this importance to screen code before it is committed to cvs or svn or whatever version tracking software is used.

See above comment; seldom, if ever, do any projects institute code audits after a member's breaking-in period.

RB
Re: [pfSense Support] [OT] Fyrewall - Rebranded Spanish pfSense?
> They do mention being pfSense-based. "The Fyrewall is a free software based on FreeBSD, on pfsense framework" - from google translate.

You beat me to the translation... Looking at their live demo (yes, they have one running in a VM) it most certainly is re-branded pfSense, 1.2 by the looks of it (head /etc/inc/globals.inc, uname -a). Looks like they just have a tarball they lay down (www_novo.tar) in /usr/local/www, and they have quite a few coredumps there too...

Definitely Portuguese, BTW.
Re: [pfSense Support] OpenVPN super-slow upload speeds
On Fri, Oct 24, 2008 at 09:16, JJB wrote:
> I, and some of our users are getting very slow, modem like upload speeds on OpenVPN from home - using Tunnelblick on my DSL (6mbit down 768 up). Download speed is OK - about 560kbps. The WAN link I am connected to is 3mbit in both directions. This might be a mac-only issue, not sure, I haven't heard any complaints from Windows OpenVPN users.

I use Tunnelblick with no issue, and I know several of the devs primarily use Macs as well. Your architecture is somewhat unclear - do I correctly surmise that you have a pfSense server *somewhere* on a 3/3 connection, and that several users connect to it via OpenVPN? Depending on who your individual providers are, they could well be throttling encrypted, off-port outbound (upload) traffic; I know Rogers did [does?], effectively killing VPN use. Your long ping time below is definitely indicative of link saturation (tunnel or otherwise), be that done on purpose by the ISP or not.
Re: [pfSense Support] multipe remote desktop connections/nat
> so user A can connect to host A behind pfsense box via port 3389 and user B can connect to host B via port 3389 behind the pfsense firewall and so on and so forth.
>
> what should be my approach?

Install a Terminal Services Gateway. pfSense does not do policy-NAT, i.e. port-forwarding based on external source address.
Re: [pfSense Support] Combining olsr and policy based routing
> Does this mean that rules with a gateway field to an inactive interface are simply ignored?

No, you set their gateway as your failover WAN connection. If you set certain traffic to route through an individual gateway by IP, it will not pass if that interface dies. Rather, you want to set up two WAN failover groups, one primary->secondary and the other from secondary->primary. Set rules for the traffic you want going out the secondary with a gateway of 2ndto1st (or whatever you call it), and a default rule with the gateway of 1stto2nd. There's a good MultiWAN document at http://doc.pfsense.org/index.php/MultiWanVersion1.2 that explains all this - highly recommend reading it before trying to solve already-addressed problems.

RB
Re: [pfSense Support] Combining olsr and policy based routing
On Wed, Oct 1, 2008 at 00:15, Erwan David wrote:
> On a multi-wan installation, I'd like to combine policy based routing (ie send web connections through ADSL with high download bandwidth, and VPNs through slower but more reliable SDSL), and OLSR to ensure everything goes through the remaining link if one of them (probably the ADSL one) is down.
>
> Is it possible to do so?

AFAIK, you don't even need OLSR to do so; just set up a multi-WAN environment with the appropriate fail-over rules and you should be good to go. I have a somewhat similar setup where certain bits (particular IP destinations) are carved off and sent through the secondary link and everyone else goes through the primary. Should the primary link fail, everyone is automatically shuffled off to the secondary. Policy routing does what we need.
Re: [pfSense Support] PFsense on P4 Hyperthreading
On Mon, Sep 29, 2008 at 12:47, Vivek Khera wrote:
> If you don't have multiple users, that is a non-issue, IIRC. Who logs into your pfsense?

No one. :) Even so, I've found it best to err on the side of caution. As I stated, the only benefit I see from it is hardware-assisted preemption; some workloads benefit from it, but the majority seem not to. Surprisingly enough, John the Ripper is one of those workloads that seems to be able to squeeze an extra percent or three out of an HT processor.
Re: [pfSense Support] PFsense on P4 Hyperthreading
On Mon, Sep 29, 2008 at 10:03, Bill Marquette wrote:
> HyperThreading or not though - the FreeBSD SMP scheduler isn't exactly optimized for HTT.

Did FBSD ever post a 'fix' for the HT cache vuln? I've been under the impression ever since that HT on server systems was a Bad Idea and just disabled HT globally, both for that and the fact that it's just hardware-assisted preemption.

RB
Re: [pfSense Support] PFSENSE in production 1.2
> By default does pfsense go in stealth and hide the HOP (pfsense ip wan) or will it show on traceroutes?

Absolutely shows up; the primary function is as a L3 router. You can configure it as a 'transparent' bridge, but you obviously won't get NAT that way.

> Any feedback on pfsense in production environment. I have 1.2 on the new machine ready to go.

Not sure what anyone else will say, but 1.2.1 has been in testing for two months and may be about to be released - for a new system it may behoove you to start there, since 1.2 won't be much developed since 1.2.1 & 1.3 move to 7.0 as their base OS. That said, I have 3 systems running 1.2 in public-facing production capacity with 130+ days' uptime and zero issues; they just work.
Re: [pfSense Support] importing from multiple iptables ... BOUNTY $100
On Tue, Sep 23, 2008 at 10:29, Glenn Kelley wrote:
> sorry - did not mean to sound Ape-ish :-)
>
> I am pretty easy to get along with - or so I hope.

I was a tad harsh; I just think there are better ways to deal with spam and attackers than blanket deny rules for whole regions. Some admins, however, are [forced to be] in emergency mode and don't have the luxury of more esoteric solutions and need a right-now fix, in which case the approach would be more acceptable.

> I thought snort was in there as a package - but sure enough - it's not. Seems it dropped out.

My checks concur; maybe it'll re-enter with 1.3. I think the ideal setup with SnortSAM would be to get a package for it rolled for pfSense; you then would need 'samtool' (not built by default when building SnortSAM) on your system that's centrally collecting the logs, and write a short shell script to use it and the logs to execute blocks. None of it really requires Snort anyway, just the [pretty simple] daemon running on pfSense, maybe a short configuration screen setting up secrets and what IPs can access it. For those in a hurry, 'pkg_add -r snortsam' would get you a long way there.

RB
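The "short script to use the logs to execute blocks" in the reply above has one part that deserves care before any blocking tool is wired in: deciding which sources actually qualify. As an added example (not from the thread, SnortSAM or pfSense), the following parses Snort's alert_fast log format, counts alerts per source address at or above a chosen priority, and returns only sources that cross a threshold and are outside the operator's own networks, so a misclassified or spoofed alert cannot lock the operator out. The alert lines, SIDs (local rule range) and addresses are constructed; the hand-off to samtool is deliberately left out, since its invocation is not shown in the thread.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, Iterable, Optional, Tuple

# Snort "alert_fast" line layout. IPv4 only, which is what this thread is about.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

# Constructed sample alerts: one external brute-forcer, one single hit, a low-priority
# ICMP sweep, an internal host that must never be blocked, and one junk line.
SAMPLE_ALERTS = [
    "09/23-10:31:02.118467  [**] [1:1000001:1] LOCAL SSH brute force [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.7:51234 -> 192.0.2.10:22",
    "09/23-10:31:05.002910  [**] [1:1000001:1] LOCAL SSH brute force [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.7:51240 -> 192.0.2.10:22",
    "09/23-10:31:09.771003  [**] [1:1000002:2] LOCAL web scanner UA [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:51302 -> 192.0.2.11:80",
    "09/23-10:32:41.000120  [**] [1:1000002:2] LOCAL web scanner UA [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.20:40001 -> 192.0.2.11:80",
    "09/23-10:33:00.500000  [**] [1:1000003:1] LOCAL ICMP sweep [**] [Priority: 3] {ICMP} 203.0.113.9 -> 192.0.2.10",
    "09/23-10:33:01.500000  [**] [1:1000003:1] LOCAL ICMP sweep [**] [Priority: 3] {ICMP} 203.0.113.9 -> 192.0.2.11",
    "09/23-10:33:02.500000  [**] [1:1000003:1] LOCAL ICMP sweep [**] [Priority: 3] {ICMP} 203.0.113.9 -> 192.0.2.12",
    "09/23-10:34:10.100000  [**] [1:1000001:1] LOCAL SSH brute force [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.1.5:33000 -> 192.0.2.10:22",
    "09/23-10:34:11.100000  [**] [1:1000001:1] LOCAL SSH brute force [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.1.5:33001 -> 192.0.2.10:22",
    "09/23-10:34:12.100000  [**] [1:1000001:1] LOCAL SSH brute force [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.1.5:33002 -> 192.0.2.10:22",
    "this line is not an alert and must be skipped",
]

# Networks that are never block candidates: own LANs and loopback (assumed layout).
DEFAULT_EXEMPT = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")


def parse_alert(line: str) -> Optional[dict]:
    """Fields of one alert_fast line, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["priority"] = int(fields.pop("prio"))
    fields["sid"] = int(fields["sid"])
    return fields


def block_candidates(lines: Iterable[str], threshold: int = 3, max_priority: int = 2,
                     exempt: Tuple[str, ...] = DEFAULT_EXEMPT) -> Tuple[Dict[str, int], int]:
    """Sources with >= threshold alerts of priority <= max_priority, plus the junk-line count.

    Priority 1 is the most severe in Snort, so max_priority=2 keeps only the
    two highest classes. Sources inside `exempt` are dropped before counting.
    """
    nets = [ipaddress.ip_network(n) for n in exempt]
    hits: Counter = Counter()
    unparsed = 0
    for line in lines:
        if not line.strip():
            continue
        alert = parse_alert(line)
        if alert is None:
            unparsed += 1  # keep a count: a format change would otherwise silently stop blocking
            continue
        if alert["priority"] > max_priority:
            continue
        try:
            src = ipaddress.ip_address(alert["src"])
        except ValueError:
            unparsed += 1
            continue
        if any(src in net for net in nets):
            continue
        hits[alert["src"]] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}, unparsed


if __name__ == "__main__":
    print(block_candidates(SAMPLE_ALERTS))
```

On the sample data only 203.0.113.7 qualifies: 198.51.100.20 is a single hit, 203.0.113.9 only triggers priority-3 rules, and 192.168.1.5 is exempt however many alerts it raises. Whatever issues the block (samtool, a pf table, a GUI alias) should consume this list rather than the raw log.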