Re: [pfSense Support] openvpn: client side uses address pool ip rather than subnet ip
On Thu, Jan 20, 2011 at 4:09 PM, mayak-cq wrote:
> My Lord,
>
> You're a genius!
>
> Nuking the interface declaration solves it!!
>
> Intermediate solution yes, but a solution nonetheless!

Amen!

Scott

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] Snapshot Build Logs
On Wed, Dec 15, 2010 at 2:33 PM, Yehuda Katz wrote:
> Is there a reason the i386 build log uses EST and the AMD64 log uses UTC?
> - Yehuda

Is there a reason? No. I just fixed it, however.

In this day and age a lot of us have gotten used to GMT and didn't even think twice about it.

Scott
Re: HA: Re: HA: Re: [pfSense Support] 2.0 - don't work Ipsec!
On Wed, Dec 15, 2010 at 12:11 PM, Moshe Katz wrote:
> And the other side of the
> coin: http://bsd.slashdot.org/story/10/12/15/1524202/BSD-Coder-Denies-Adding-FBI-Backdoor
> Moshe

Here is more information on this situation.

http://maycontaintracesofbolts.blogspot.com/2010/12/openbsd-ipsec-backdoor-allegations.html

pfSense will match DES's offer for anyone that can prove that this backdoor exists. Otherwise our official stance on the issue is that it's a bit preposterous at best.

Scott
Re: [pfSense Support] SSD partition alignment in 2.0
On Mon, Aug 16, 2010 at 2:03 PM, Scott Ullrich wrote:
> That is a good question. The 2.0 installer uses pc-sysinstaller
> which I am not entirely sure if it takes into account this or not.

Sorry, I meant 2.1 here, not 2.0.

> However I am looking at adding this utility to the pc-sysinstaller
> which might help out here:
> http://lulf.geeknest.org/blog/freebsd/Using_4k_sector_drives/
>
> Scott
Re: [pfSense Support] SSD partition alignment in 2.0
On Sat, Aug 7, 2010 at 1:07 PM, David Burgess wrote:
> Is the 2.0 installer aware of 4k sector discs, and does it align its
> partitions accordingly?
>
> I realize better SSD controllers have minimized the effects of
> partition boundary misalignment, but I still prefer to introduce as
> little entropy as possible. Call me teutonic.

That is a good question. The 2.0 installer uses pc-sysinstaller which I am not entirely sure if it takes into account this or not.

However I am looking at adding this utility to the pc-sysinstaller which might help out here:
http://lulf.geeknest.org/blog/freebsd/Using_4k_sector_drives/

Scott
Re: [pfSense Support] no packages for 2.0
On Mon, Apr 19, 2010 at 3:31 PM, David Burgess wrote:
> On Mon, Apr 19, 2010 at 1:29 PM, Jim Pingle wrote:
>
> > It's probably looking for a package file that doesn't exist. Did this
> > ever work before?
>
> It's the first time I've tried PFS on 64-bit.
>
> > I'm not sure if there are any 64-bit packages setup in the repo yet.
>
> That's possible, and unfortunate.

That is correct, I have not finished adding all of the 64 bit packages and there are still a few math bugs in the base pfSense system when using amd64 versions of pfSense.

Scott
Re: [pfSense Support] 1.2.3: dnsmasq and mac os x 10.6 snow leopard
On Mon, Mar 1, 2010 at 2:38 AM, Aarno Aukia wrote:
> Hello,
>
> I just found out my new mac os x 10.6 snow leopard machine seems to
> have problems with DNS TTL 0, dnsmasqs default TTL for local entries
> (http://www.mac-forums.com/forums/os-x-operating-system/164649-snow-leopard-keeps-dropping-dns.html#post912124).
> Adding " --local-ttl 1" to the dnsmasq $args in /etc/inc/services.inc
> (around line 634 on this 1.2.3-rc3 nanobsd) seems to work out the
> issues, although I'll keep testing it for some more time...

That does not make any sense to me. I have quite a number of Macs and do not see this issue.

Scott
Re: [pfSense Support] 1.2 to 1.2.3 upgrade
On Fri, Feb 19, 2010 at 10:01 AM, wrote:
> Please call me 416 479 0606

Pardon us but who is supposed to call you?

Scott
Re: [pfSense Support] How to forward protocol 41
On Thu, Feb 11, 2010 at 8:37 PM, Nathan Eisenberg wrote:
> I'd argue that it is the role of the user to advocate for desired features,
> regardless of what price was paid for the software. The fact that IPv6
> support doesn't seem to be finished yet is an issue that gains significance
> every day. While it could probably have been phrased in a more polite way, and
> possibly with more research behind it,

With these requirements a majority of the open source projects would never have releases. Almost everyone that contributes to the project are volunteers. There is no way we can dictate how a volunteer spends their time. This goes for pfSense and a lot of open source projects. Heck even a recent study showed that a majority of Linux kernel commits are now sponsored in some fashion by companies.

I am not arguing that open source is commercialized I am trying to emphasize that it is a scratch your itch type of deal. Either you get paid for XYZ company to do their work or you are scratching an itch somewhere that you feel the need. There are very few people that just come along and say your user base demands are my priority. Most of the cutting edge features in pfSense have come from a developer scratching an itch or a commercial support customer sponsoring the development time.

> I do understand the sentiment, though. I too would like to see more
> resources go towards completing IPv6 support in PFSense. I am relieved to
> see and hear that efforts are being made to address real IPv6 support, but
> the day when it is done cannot come soon enough.

See above.

> I have native IPv6 transport today to all of my facilities. The time of
> 'IPv6 is coming' has passed; we have moved into 'IPv6 to the last mile
> provider and consumer is coming', and with Comcast starting last mile IPv6
> betas, it's looking like we're talking about sooner, rather than later.

That's pretty cutting edge in terms of American internet and you are lightyears ahead of us.

Last I heard Youtube just came online and a huge spike of traffic was seen on the IPV6 backbone in America. That goes to show how little IPV6 is used overall in the USA still. It's unfortunate but it's the truth in the USA. I would love to have native IPV6 connectivity from my local carrier and I applaud Comcast for taking that important first step in terms of cable modem subscribers.

Scott
Re: [pfSense Support] OpenBGPd package on 1.2.3-release
On Fri, Jan 29, 2010 at 11:03 AM, Aarno Aukia wrote:
> Thanks for committing,

Committed. Thanks for submitting.

Scott
Re: [pfSense Support] OpenBGPd package on 1.2.3-release
On Thu, Jan 28, 2010 at 10:57 AM, Aarno Aukia wrote:
> Hello,
>
> bgpd is started twice when booting on 1.2.3-release with the newest
> package. I suspect once from /usr/local/pkg/openbgpd.inc and once from
> /usr/local/etc/rc.d/bgpd.sh ? When commenting out the exec("bgpd") in
> /usr/local/pkg/openbgpd.inc it is only started once. Should the check
> is_openbgpd_running() also be added to /usr/local/etc/rc.d/bgpd.sh or
> is there a more favorable way ?

Sounds reasonable.

> In addition I discovered support for tcp-md5sig, which only works for
> openbgpd-configurations made with the assistant. I'll try to hack
> something up for parsing the "raw config" and generating a
> bgpdsetkey.conf. Any suggestions there ?

No suggestions at the moment but I would appreciate anything you can send over in form of patches. Have been super busy lately and not enough time to go around unfortunately.

Scott
Re: [pfSense Support] 1:1 NAT - bind actual external IP to an optional interface?
On Sat, Jan 9, 2010 at 5:39 PM, Chris Buechler wrote:
> Yes but:
> http://forum.pfsense.org/index.php/topic,21606.0.html

That and the fact that our snapshot server is up and down (currently DOWN) due to bad hardware. It will be swapped out in the next coming days.

Scott
Re: [pfSense Support] which image?
On Tue, Jan 5, 2010 at 11:02 AM, David Newman wrote:
> Greetings. I'd welcome recommendations for which pfSense image to
> install on this system, which currently runs OpenBSD:
>
> Nexcom 1563
> VIA 667-MHz CPU
> 512 Mbytes RAM
> 512-Mbyte disk-on-chip (not CF) storage
> 3 x 100Base-T Ethernet
>
> OpenBSD sees the DOC storage as a regular IDE drive.
>
> For pfSense, I *think* I want the 512-Mbyte embedded image, but am
> unsure about what changes, if any, the installation requires. (The docs
> for installing/upgrading the embedded images seem oriented toward CF
> cards and I don't know if installing to them differs from disks.)

It depends on if you have VGA or not. If you have VGA you will want the Full Installation ISO. If not then you will want the NanoBSD image.

Scott
Re: [pfSense Support] Virtual IP ProxyARP vs. CARP
On Wed, Dec 16, 2009 at 7:14 PM, Trevor Benson wrote:
> I noticed that when creating a CARP virtual that it requires it to be
> attached to an interface with the same network. However when creating a
> proxy arp, it does not have this requirement. Wouldn't it be logical to
> allow them to have the same validation check? I am currently using proxy arp
> virtuals on a pair of failover pfSense 1.2.3 systems, so if firewall A fails
> I will need to manually create the Proxy ARP's on B. I know I can download
> the config.xml and modify the entries to perform as expected, and will once I
> get a chance to test it outside of business hours, however if Proxy ARP is
> allowed, I do not see the reason to deny this from CARP.

It is more of a kernel limitation than anything. CARP will panic (or at least used to prior to FreeBSD 7.2) under many circumstances so we have to have more input validation.

Scott
[pfSense Support] Watch Chris and myself on FLOSS Weekly Live at 4:30 PM EDT
http://live.twit.tv

Scott
Re: [pfSense Support] Disable plugin via ssh
On Mon, Dec 14, 2009 at 4:07 PM, Glenn Kelley wrote:
> We have a plugin that is acting up quite a bit suddenly (snort)
> on reboot the system works for a few minutes - but then nothing
>
> We cannot gain access to the web interface @ all.
>
> Does anyone know how to disable a plugin via ssh ?
>
> We get ssh access for about 4 minutes on a reboot - then it appears memory is
> gone
> :-(
>
> box has 3GB of ram

SSH into the box. Option #8 for shell, then run:

rm /usr/local/etc/rc.d/snort*
shutdown -r now

Scott
Re: [pfSense Support] NanoBSD on WRAP
On Sun, Dec 13, 2009 at 7:49 PM, Ugo Bellavance wrote:
> Hi,
>
> http://doc.pfsense.org/index.php/NanoBSD_on_WRAP
>
> Has someone done the first step what would be kind enough to put the
> resulting image available for download? I worked a few hours on this before
> discovering that article, and I don't have much time to setup a separate
> freebsd/pfsense box to do the changes.

If we were to do this then nobody would read the page and they would then complain later down the road when they finally learn the limitations of the image.

Scott
Re: [pfSense Support] OpenBGPD status page
On Fri, Dec 11, 2009 at 7:26 PM, Evgeny Yurchenko wrote:
> I know it is cosmetic but it is easy to fix, please do it.
>
> 1) Status has two "OpenBGPD Routing" sections, one of them should be renamed
> to "Forwarding" as it shows fib not rib.
> 2) "OpenBGPD IP" section returns error
>
> missing argument:
> valid commands/args:
> bgp
>
> it happens because there is not "bgpctl show ip" command, we have to use
> "bgpctl show ip bgp"
>
> Fix for both issues:
> --- openbgpd_status.php.20091211.bak 2009-12-10 11:26:10.0 -0500 > +++ openbgpd_status.php 2009-12-11 19:20:28.83700 -0500 > @@ -140,10 +140,10 @@ > defCmdT("OpenBGPD Summary","bgpctl show summary"); defCmdT("OpenBGPD > Interfaces","bgpctl show interfaces"); defCmdT("OpenBGPD Routing","bgpctl > show rib"); -defCmdT("OpenBGPD Routing","bgpctl show fib"); > +defCmdT("OpenBGPD Forwarding","bgpctl show fib"); defCmdT("OpenBGPD > Network","bgpctl show network"); defCmdT("OpenBGPD Nexthops","bgpctl show > nexthop"); -defCmdT("OpenBGPD IP","bgpctl show ip"); +defCmdT("OpenBGPD > IP","bgpctl show ip bgp"); defCmdT("OpenBGPD Neighbors","bgpctl show > neighbor"); > ?>

Thanks, all of the submissions have been committed.

Scott
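Review bot: In the last changed line the section title stays "OpenBGPD IP" although the command becomes "bgpctl show ip bgp"; consider renaming the title too (for example "OpenBGPD IP BGP"), the same way the first change renames the second "OpenBGPD Routing" entry to "OpenBGPD Forwarding", so that every heading on the status page names the bgpctl view it displays. The file timestamps in the ---/+++ header also look truncated ("11:26:10.0", "19:20:28.83700"), so the patch is better regenerated from a clean checkout than applied from this mail.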
Re: [pfSense Support] pfSense 1.2.3 release now available!
On Fri, Dec 11, 2009 at 1:22 PM, Oliver Hansen wrote:
> Sorry if I'm missing it somewhere but is there a changelog between 1.2.3-RC3
> and 1.2.3-RELEASE? The notes in the blog post seem to reference anything
> that changed since 1.2.2.

Complete list of changes is here:
https://rcs.pfsense.org/projects/pfsense/repos/mainline/logs/RELENG_1_2

Scott
Re: [pfSense Support] Issue upgrading from 1.2.3-RC3 to RELEASE
On Thu, Dec 10, 2009 at 7:12 PM, Chris Buechler wrote:
> I don't believe there were any changes between RC3 and release though?
> It's been a while since the image size changed.

Yes, there were a couple NanoBSD fixes. One in particular was on Thu Sep 10 18:50:55 2009 -0400

Scott
Re: [pfSense Support] Issue upgrading from 1.2.3-RC3 to RELEASE
On Thu, Dec 10, 2009 at 7:04 PM, mitch wrote:
> Same error I'm afraid, status at top says something went wrong updating the
> fstab entry,
>
> Log still reports same error message.

Please see my response here:
http://forum.pfsense.org/index.php/topic,20347.msg108712.html#msg108712

In a nutshell, NanoBSD had many many changes up until a month or two ago. You will need to reflash.

Scott
Re: [pfSense Support] 1.2.3-RC3 PPPoE
On Thu, Dec 10, 2009 at 6:54 PM, RB wrote:
> Well, for posterity's sake then: if you have trouble in
> pfSense/FreeBSD with traffic not passing through an Intel 10/100 NIC
> (fxp), particularly when return/inbound packets aren't showing up in
> mpd or another user-level program, turn off TCP Offload. For that
> matter, any troubleshooting "weird" with inexplicably lost traffic
> should involve explicitly turning off ToE.

We will make note of it in the release notes, thanks

Scott
Re: [pfSense Support] 1.2.3-RC3 PPPoE
On Thu, Dec 10, 2009 at 1:21 PM, RB wrote:
> On Thu, Dec 10, 2009 at 10:29, Tim Dressel wrote:
>> For me the issue was exactly like you are describing. Can connect and
>> everything appears OK, but just zero traffic flow. Nothing useful in logs.
>> Then all of a sudden it would start passing traffic, but then get sketchy
>> and eventually stop again. Something like a simple ping from LAN to WAN
>> would fail 20% of the time,,, but ping of the interfaces was always fine.
>> I moved to the GT giganics and all my pfsense boxen are bullet proof.
>
> Tom's explanation is plausible, even probable - thanks Tom! For me
> there is no traffic flow at all, return traffic is just being silently
> dropped between fxp3 and ng0. Unfortunately, I can't change to GbE
> NICs, or I would; this particular system is "embedded" in the sense
> that it's a repurposed appliance with no external PCI slots, so it has
> what it has.
>
> I'll try turning off ToE in a few hours and report the results. If
> all goes well, I'd hope the 1.2.3 final version picks up the noted
> stable/7 change.

Sorry, but we have missed the boat on that. Release announcement is forthcoming.

Scott
Re: [pfSense Support] Re: PFsense + Load Balance + Squid
On Fri, Dec 4, 2009 at 3:58 PM, Rafael Cristian wrote:
> Thank you.
> But is version 2.0 now is available

Yes, but it is alpha-alpha (soon to be alpha): http://snapshots.pfsense.org/

Scott
Re: [pfSense Support] PFSense advocacy
On Wed, Dec 2, 2009 at 4:26 PM, Ron García-Vidal wrote:
> I realize this is a support forum, so if there is a better place to post
> this, I will take it there.
>
> So, I'm trying to get a pfsense box in the shop because I've enjoyed working
> with it on my own setup. The boss is fairly open-minded and open to a
> healthy discussion on the topic, but in the end, he wants to know why this
> would be preferable to a Cisco solution.
>
> Since I've never worked extensively with Cisco, can someone give me a few
> salient points to throw at him. I already used the cost argument, he wants
> more.

Commercial support should help put Boss's worries at bay: https://portal.pfsense.org/

Between this, the mailing list and forum you are covered.

Scott
Re: [pfSense Support] Migrate from Embedded
On Tue, Nov 24, 2009 at 6:59 PM, Joseph L. Casale wrote:
> I have a machine that was setup as embedded but now we need packages
> functional so I need to migrate it to install based. Given it's the very
> same server, can I simply restore the xml config from the embedded install
> w/o issue?

Extremely short answer: Yep.

Scott
Re: [pfSense Support] throughput, haproxy
On Sat, Nov 21, 2009 at 6:12 AM, Lenny wrote:
> Scott,
>
> Does it have to be 1.2.3? Because I have 1.2.2 installed right now.
> Should I upgrade before that?

yes, we are moving on to 1.2.3 shortly and 1.2.2 is fading into the sunset.

Scott
Re: [pfSense Support] throughput, haproxy
On Thu, Nov 19, 2009 at 12:35 PM, Scott Ullrich wrote:
> OK, give me a bit to get it ready. Should be back to you in a couple hours.

Lenny,

First of all make sure you backup your configuration and have installation media handy (just in case).

Run this from a shell (option 8):

fetch -o /boot/kernel/ http://cvs.pfsense.org/~sullrich/7-yandex/kernel.gz

Then reboot the firewall and let me know how it goes.

Scott
Re: [pfSense Support] throughput, haproxy
On Thu, Nov 19, 2009 at 12:07 PM, Lenny wrote:
> I sure would.
> Thanks.

OK, give me a bit to get it ready. Should be back to you in a couple hours.

Scott
Re: [pfSense Support] throughput, haproxy
On Thu, Nov 19, 2009 at 2:27 AM, Lenny wrote:
>
> # iperf -c 2.2.2.11 -t 1200 -i 10 -w 75000
>
> Client connecting to 2.2.2.11, TCP port 5001
> TCP window size: 73.5 KByte (WARNING: requested 73.2 KByte)
>
> [ 3] local 1.1.1.1 port 14852 connected with 2.2.2.11 port 5001
> [ ID] Interval       Transfer     Bandwidth
> [ 3]  0.0-10.0 sec   746 MBytes   626 Mbits/sec
> [ ID] Interval       Transfer     Bandwidth
> [ 3] 10.0-20.0 sec   762 MBytes   639 Mbits/sec
> [ ID] Interval       Transfer     Bandwidth
> [ 3] 20.0-30.0 sec   765 MBytes   642 Mbits/sec
> [ ID] Interval       Transfer     Bandwidth
> [ 3] 30.0-40.0 sec   776 MBytes   651 Mbits/sec
> [ ID] Interval       Transfer     Bandwidth
> [ 3] 40.0-50.0 sec   772 MBytes   648 Mbits/sec
> [ ID] Interval       Transfer     Bandwidth
> [ 3] 50.0-60.0 sec   776 MBytes   651 Mbits/sec
> [ ID] Interval       Transfer     Bandwidth
> [ 3] 60.0-70.0 sec   768 MBytes   644 Mbits/sec
>
> I found my old results of iperf and this was the command I executed:
>
> iperf -c server-ip -t 60 -M 500
>
> I always got 300-400Mb/s, even with firewall off. And I could never get more
> than 85kpps.
> Unfortunately, I can't run these tests now, as the server is in production.
>
> Thanks,
> Lenny.

Would you like to test a kernel with the Yandex driver? 1.2.3-* does not have the yandex driver included.

Scott
Re: [pfSense Support] PFI w/ floppy
On Thu, Nov 12, 2009 at 7:34 PM, Joseph L. Casale wrote:
> Does the PFI work with a floppy? I tried it, but saw a read error for the
> floppy but I am sure there is nothing wrong with the floppy, is it just not
> supported?

It should work if it is formatted as MS-DOS. Or at least it did previously. Flash drive is a better solution if you can swing it.

Scott
Re: [pfSense Support] where is the support? is bank holiday in usa?
On Thu, Nov 12, 2009 at 6:08 PM, luismi wrote:
> As far as I see right now in the web: live support is offline

Looks online here: https://portal.pfsense.org/

Scott
Re: [pfSense Support] varnish proxy in pfsense?
On Wed, Nov 11, 2009 at 10:21 AM, Rainer Duffner wrote:
> varnish also works in 32bit FreeBSD.
> At least for test-purposes, it did for me.
> You have to limit the amount of RAM it grabs, though, or it will crash
> immediately.

Even with enough memory it can cause a deadlock on FreeBSD... been there, done that.. Not fun.

Scott
Re: [pfSense Support] varnish proxy in pfsense?
On Wed, Nov 11, 2009 at 9:57 AM, Paul Mansfield wrote:
> I'd be very interested if there was a project to add varnish reverse proxy
> to pfsense. It claims to be both linux and freebsd compatible.
>
> http://varnish.projects.linpro.no/
>
> One could of course hack it in manually but having it as even the simplest
> package would be nice.

Two problems with that (I am a varnish user @ work).

1. It requires a 64 bit OS (pfSense is 32 bit currently)
2. It requires a compiler (CC, Make, etc).

The compiler bit could be handled with FreeBSD ports but the 64 bit part is a sticking point ATM.

But I agree, varnish is the goods and it would be nice to see it in packages one day.

Scott
Re: [pfSense Support] throughput, haproxy
On Tue, Nov 10, 2009 at 1:50 AM, Lenny wrote:
> Lenny wrote:
>
> Scott Ullrich wrote:
>
> On Mon, Nov 9, 2009 at 3:45 PM, Scott Ullrich wrote:
>
> Contact me off list. I have a kernel I need you to test.
>
> In the meantime, please try increasing these sysctl's:
>
> pfSense:~# sysctl -a | grep rx_processing_limit
> dev.em.0.rx_processing_limit: 100
> dev.em.1.rx_processing_limit: 100
> dev.em.2.rx_processing_limit: 100
> dev.em.3.rx_processing_limit: 100
>
> Try increasing each to 256, then 512, 1024, 2048, etc.
>
> If these do not help contact me for a new kernel.
>
> Scott
>
> Hi Scott,
>
> Actually, I have them set on a 1000 for quite a while now. Before I did that
> I had errors on interfaces. Do you still want me to increase to 2048 and
> more?
>
> Thanks,
>
> Lenny.
>
> At second thought, to get rid of the errors I told you about, I did 2
> things:
> added this to /boot/loader.conf:
> hw.em.rxd="4096"
> hw.em.txd="4096"
>
> and added to /etc/sysctl.conf:
> dev.em.0.rx_processing_limit=1000
> dev.em.1.rx_processing_limit=1000
>
> plus, I changed
> net.inet.ip.intr_queue_maxlen=4096
>
> and added
> kern.ipc.somaxconn=1024
>
> These were the changes I did outside of the WebGUI.
>
> So should I still increase the dev.em.X.rx_processing_limit value?

Also let me know what this sysctl is showing:

net.inet.ip.intr_queue_drops

If it shows >0 then you might want to increase net.inet.ip.intr_queue_maxlen

Scott
Re: [pfSense Support] throughput, haproxy
On Tue, Nov 10, 2009 at 1:50 AM, Lenny wrote:
> At second thought, to get rid of the errors I told you about, I did 2
> things:
> added this to /boot/loader.conf:
> hw.em.rxd="4096"
> hw.em.txd="4096"
>
> and added to /etc/sysctl.conf:
> dev.em.0.rx_processing_limit=1000
> dev.em.1.rx_processing_limit=1000
>
> plus, I changed
> net.inet.ip.intr_queue_maxlen=4096
>
> and added
> kern.ipc.somaxconn=1024
>
> These were the changes I did outside of the WebGUI.
>
> So should I still increase the dev.em.X.rx_processing_limit value?

Yes, give that a try.

My kernel that I have here increased em.txd and em.txr but I was unaware they were able to be set since they are hard coded in the driver?

Scott
Re: [pfSense Support] throughput, haproxy
On Mon, Nov 9, 2009 at 3:45 PM, Scott Ullrich wrote:
> Contact me off list. I have a kernel I need you to test.

In the meantime, please try increasing these sysctl's:

pfSense:~# sysctl -a | grep rx_processing_limit
dev.em.0.rx_processing_limit: 100
dev.em.1.rx_processing_limit: 100
dev.em.2.rx_processing_limit: 100
dev.em.3.rx_processing_limit: 100

Try increasing each to 256, then 512, 1024, 2048, etc.

If these do not help contact me for a new kernel.

Scott
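The tuning steps from this message and from the later reply about net.inet.ip.intr_queue_drops, as an added example that is not part of the original posts: a read-only shell helper that takes `sysctl` output on stdin and prints the next values to try. The function names, the sample input and the choice to double intr_queue_maxlen (and to keep doubling past 2048) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: suggests the next tuning step from
# `sysctl` output ("name: value" lines). It only prints; it changes nothing.

# Constructed sample input modelled on the values quoted in the thread.
sample_sysctl() {
cat <<'EOF'
dev.em.0.rx_processing_limit: 100
dev.em.1.rx_processing_limit: 1000
dev.em.2.rx_processing_limit: 2048
net.inet.ip.intr_queue_maxlen: 4096
net.inet.ip.intr_queue_drops: 17
EOF
}

# Reads sysctl output on stdin, writes "name=value" suggestions on stdout.
suggest_tuning() {
  awk -F': *' '
    # Next rung of the ladder given in the thread (256, 512, 1024, 2048).
    # Assumption: the trailing "etc." means keep doubling beyond 2048.
    function next_limit(cur,   v) {
      v = 256
      while (v <= cur) v *= 2
      return v
    }
    # One suggestion per em(4) interface found in the input.
    $1 ~ /^dev\.em\.[0-9]+\.rx_processing_limit$/ {
      printf "%s=%d\n", $1, next_limit($2 + 0)
    }
    $1 == "net.inet.ip.intr_queue_maxlen" { maxlen = $2 + 0 }
    $1 == "net.inet.ip.intr_queue_drops"  { drops = $2 + 0; seen = 1 }
    END {
      # Only touch the IP input queue when drops are actually being counted.
      # Assumption: "increase" is implemented here as doubling.
      if (seen && drops > 0 && maxlen > 0)
        printf "net.inet.ip.intr_queue_maxlen=%d\n", maxlen * 2
    }
  '
}

# Demonstration on the constructed sample; on a firewall one would pipe
# `sysctl dev.em net.inet.ip` into suggest_tuning instead.
sample_sysctl | suggest_tuning
```

The output is in sysctl.conf form so a chosen line can be reviewed and applied by hand, one step at a time, with interface error counters checked between steps.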
Re: [pfSense Support] throughput, haproxy
On Mon, Nov 9, 2009 at 12:41 AM, Lenny wrote:
> Now I'm totally lost:(
>
> I had this long thread this year on this issue here and eventually the only
> thing the guys could advise me is to buy a newer server. I did. And while I
> do see an improvement in performance (it's about twice it was before) I'm
> still nowhere near what you have.
>
> I realize that your traffic is lab UDP and mine is production TCP, so let's
> say you'd get half of that in production, but then still - you're only on
> 54% CPU. By the way, how come your second NIC is only loading the CPU 4%?
> Shouldn't it be pretty much like the first one? It's what I have.
>
> I'm ready to show you my config/diagrams/whatever, but I need this issue
> resolved.
>
> Please?

Contact me off list. I have a kernel I need you to test.

Scott
Re: [pfSense Support] snort issue w/ memory
On Sun, Nov 8, 2009 at 5:39 PM, Glenn Kelley wrote:
> Any clue how to remove an ip that is blocked w/o having the gui ?
> We uninstalled but still have some IP's blocked -
> Reinstalled - same thing

Try /usr/local/sbin/expiretable -v -t 1 virusprot

Scott
Re: [pfSense Support] snort issue w/ memory
On Sat, Nov 7, 2009 at 9:53 PM, Glenn Kelley wrote:
> No such luck
>
> Scott - if it helps - you guys had us (via paid support) upgrade to the rc
> version due to BGP implementation

BTW: did the error message change after reinstalling the package with my changes?

Scott
Re: [pfSense Support] snort issue w/ memory
On Sat, Nov 7, 2009 at 9:53 PM, Glenn Kelley wrote:
> No such luck
>
> Scott - if it helps - you guys had us (via paid support) upgrade to the rc
> version due to BGP implementation

Thanks, I will forward this to the snort maintainer. Maybe he can help.

Scott
Re: [pfSense Support] snort issue w/ memory
On Fri, Nov 6, 2009 at 10:57 PM, Glenn Kelley wrote:
> Grace and Peace Friends:
> In Snort we are seeing the following:
> Fatal error: Allowed memory size of 33554432 bytes exhausted (tried to
> allocate 74957108 bytes) in /usr/local/pkg/snort.inc on line 1488
> When we attempt to see if there are any ip addresses being blocked.
> This is a bit annoying - any suggestions?

This should be resolved. Reinstall your package 15 minutes after this message (1:05PM EDT Saturday).

Scott
Re: [pfSense Support] why delete captive portal accts on expiry?
On Fri, Oct 9, 2009 at 1:23 PM, Pete Boyd wrote:
> Why are captive portal accounts automatically deleted when they expire?
>
> To my mind, it would be more useful if they were left in place, but expired,
> so that to re-enable them for the admin person was an easy task of just
> choosing a new expiry date.
>
> As it is, when we have a subscriber pay again for their Internet access,
> rather than just paying remotely and telephoning in that they've done so,
> the whole captive portal account has to be re-created which can potentially
> be time consuming communicating username and password effectively.

Inherited from m0n0wall, I suspect. Start a bounty on the Forum if you would like to see it changed in a future version or submit patches.

Scott
Re: [pfSense Support] Strange DNS problem
On Thu, Oct 8, 2009 at 9:00 PM, Philippe LeCavalier wrote:
> Hi Everyone,
>
> As of late, pfsense somehow maps dns entries intended for remote hosts to
> my local samba server. When I try to SSH to a clients network I'm logged
> into my office file server. I'm not sure what else to write here so if you
> think you can help me just ask questions.
>

Please supply more details. This is not really a lot of information to start from.

Scott
Re: [pfSense Support] Block rule creates syntax error
On Thu, Oct 8, 2009 at 6:58 PM, Joseph L. Casale wrote:
> I all of a sudden am getting syntax errors in the logs which I don't recall
> seeing before with respect to a few generic block rules I have on an opt
> interface.
>
> Action: Reject
> Interface: OPT2
> Protocol: Any
> Source: Any
> Destination: LAN Subnet
>
> I use this to block anything destined to the LAN interface? Is this not the
> right way to do this?

Please switch to raw logs and show us the entry text and syntax error from the alert. Sanitize before-hand if you want.

Scott
Re: [pfSense Support] CARP switchover to backup because of high traffic
On Thu, Oct 8, 2009 at 12:51 PM, Evgeny Yurchenko wrote:
> Yes, sorry. It was about 100Mb/s

During heavy load what does this sysctl show?

    sysctl net.inet.ip.intr_queue_drops

Scott
Re: [pfSense Support] CARP switchover to backup because of high traffic
On Thu, Oct 8, 2009 at 11:42 AM, Evgeny Yurchenko wrote:
> Thanks I will. 20 Mbit/s is nothing though...

I agree but you failed to mention how much traffic you are pushing.

Scott
Re: [pfSense Support] CARP switchover to backup because of high traffic
On Thu, Oct 8, 2009 at 11:24 AM, Evgeny Yurchenko wrote:
> Yesterday it happened twice on one of my production firewalls. CPU load was
> less than 10%. Did not pay attention at the moment but according to RRD
> number of states was not unusual - 4-5k. I reproduced it in my lab - only
> test connection, so number of states was less than 100.
> Evgeny.

I would lean toward hardware. We regularly push 20 megabit out one of my CARP clusters and I do not see this behavior. If something is preempting the network stack (CARP) from sending its Heartbeats then it's doing what it is designed to do. Probably not what you want to hear but I would look at the hardware closer, interrupts, etc.

Scott
Re: [pfSense Support] Re: Static routes
On Thu, Oct 8, 2009 at 11:13 AM, Aarno Aukia wrote:
> Replying to myself, sorry.
>
> On Thu, Oct 8, 2009 at 16:21, Aarno Aukia wrote:
>> I would propose to compare the "old" {$g['vardb_path']}/routes.db to
>> the current set of configured static routes and "route delete" the
>> superfluous routes. Any comments/objections ?
>
> On a closer look, all previous static routes are removed if they are
> found in the current routing table. Although I could rewrite that to
> use "route get", why not try to remove all previous routes and
> ignoring failure to do so to achieve the same effect ?
>
> -Aarno
> --
> Aarno Aukia
> Atrila GmbH
> Switzerland

You are probably the first person to run into this, that is why. We will happily accept patches for this considering it's a bug for 1.2.3. However we also need to fix it in 2.0.

Scott
Re: [pfSense Support] pfSense and SpamD
On Tue, Oct 6, 2009 at 1:32 PM, Fabian Abplanalp wrote:
> Is this in any way changeable? If it's a configfile or so...

Unfortunately it is not. I will look into what is required to change once I catch up on a few other outstanding projects.

Scott
Re: [pfSense Support] Problem with apinger
On Tue, Oct 6, 2009 at 9:41 AM, Matthias Niggemeier wrote:
> Any news on this topic? It takes 2-12 hours for my load balancer pools to go
> offline;
> unfortunately I cannot go back to 1.2.2 since some VoIP connections do not
> work with
> 1.2.2.
> Is there a URL that can be geted regularly to restart apinger?

Try a recent snapshot where this should be fixed.

Scott
Re: [pfSense Support] Pfsense 1.2.3 alix 2d13 IDE disk installation problem
On Mon, Oct 5, 2009 at 11:19 AM, ozan ucar wrote:
> to abandon.
>
> Install pfsense embedded image on 4 GB CF disk, how to i resize image.
> I search script for 4 GB resize image , can you send me CF disk resize ( 4
> GB ) script ?

http://snapshots.pfsense.org/FreeBSD_RELENG_7_2/pfSense_RELENG_1_2/nanobsd/pfSense-1.2.3-4g-20091005-1043-nanobsd.img.gz

Scott
Re: [pfSense Support] pfSense and SpamD
On Mon, Oct 5, 2009 at 7:16 AM, Fabian Abplanalp wrote:
> Hi
>
> I'm trying to setup pfSense with SpamD (Greylisting and tarpit). In the
> first setup with the "real" Mailserver behind the NAT it works perfectly,
> but if I setup the forwarding to a server with a "public" IP no mails are
> forwarded. Are there any limitations?

Yeah, I don't think that will work. It's designed to forward to mail exchangers behind the firewall.

Scott
Re: [pfSense Support] One check-box is missing in Rules-Edit-Advanced of 1.2.3-RC3 snapshot
On Wed, Sep 30, 2009 at 5:27 PM, Evgeny Yurchenko wrote:
> Well, I am sorry for confusion... but could you please confirm that this is
> from 2.0 filter.inc, starting at line 1961:
>     if ($type == "pass") {
>         if (isset($rule['allowopts']))
>             $aline['allowopts'] = " allow-opts ";
>         if( isset($rule['source-track']) or
> isset($rule['max-src-nodes']) or isset($rule['max-src-states']) )
>             if($rule['protocol'] == "tcp")
>                 $aline['flags'] = "flags S/SA
> ";

No, I see:

    $cron_item = array();

> PS: I must stop playing with pfSense -(((

Why do you say that?

Scott
Re: [pfSense Support] One check-box is missing in Rules-Edit-Advanced of 1.2.3-RC3 snapshot
On Wed, Sep 30, 2009 at 5:21 PM, Evgeny Yurchenko wrote:
> May I send you screenshot?

It will not do any good. I just downloaded 1.2.2 from:

ftp://reflection.ncsa.uiuc.edu/pub/pfSense/updates/pfSense-Full-Update-1.2.2.tgz

    [su:~/Desktop/pfSense-Full-Update-1.2.2] sullrich% cd usr/local/www/
    [su:usr/local/www] sullrich% cat firewall_rules_edit.php | grep allowopts
    [su:usr/local/www] sullrich%

That option is not in there. You must have mixed and matched code from 2.0 when you were testing something.

Scott
Re: [pfSense Support] 1.2.3-RC2 IPSec SPD is not updated if you disable IPSec tunnel
On Fri, Sep 25, 2009 at 10:39 AM, Evgeny Yurchenko wrote: > Hi all! > > probably it is fixed in the latest snapshots but in 1.2.3-RC2 built on Mon > Aug 31 06:09:28 UTC 2009 it is a problem. > If you disable IPSec tunnel SPD entries for this tunnel are not removed. > I was struck by this problem because I use IPSec tunnels automatically > brought up when primary dedicated links between sites fail/come back up. So > when primary link comes up and the tunnel is disabled by my script SPD > entries are still in place, so no traffic goes over primary link. > I fixed this by > # diff -ru vpn.inc.20090925.bak vpn.inc > --- vpn.inc.20090925.bak 2009-09-25 10:30:24.0 -0400 > +++ vpn.inc 2009-09-25 10:31:49.0 -0400 > @@ -1258,7 +1258,7 @@ > $spdconf = ""; > > /* Delete old SPD policies if there are changes between the old and > new */ > - if(($tunnel != $oldtunnel) && (is_ipaddr($oldgw))) { > + if(($tunnel != $oldtunnel) && (is_ipaddr($oldgw)) || > $tunnel['disabled']) { > $spdconf .= "spddelete {$oldsa}/{$oldsn} " . > "{$oldtunnel['remote-subnet']} any -P out ipsec " . > "{$oldtunnel['p2']['protocol']}/tunnel/{$oldep}-" . > @@ -1278,7 +1278,7 @@ > } > } > } > - > +if (!$tunnel['disabled']){ > /* Create new SPD entries for the new configuration */ > /* zap any existing SA entries beforehand */ > foreach($sad_arr as $sad) { > @@ -1298,7 +1298,7 @@ > "{$sa}/{$sn} any -P in ipsec " . > "{$tunnel['p2']['protocol']}/tunnel/{$rgip}-" . > "{$ep}/unique;\n"; > - > +} > log_error("Reloading IPsec tunnel '{$tunnel['descr']}'. Previous IP > '{$oldgw}', current IP '{$rgip}'. Reloading policy"); > > $now = time(); > > It is not a problem in 1.2-RELEASE Thanks, Commited! Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
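Review bot: In the first vpn.inc hunk the new condition `($tunnel != $oldtunnel) && (is_ipaddr($oldgw)) || $tunnel['disabled']` no longer applies the `is_ipaddr($oldgw)` guard when the tunnel is disabled, because `&&` binds tighter than `||`. The spddelete lines are then built from $oldsa, $oldsn and $oldep even when $oldgw is not a valid address. If the guard should hold in both cases, write it as `is_ipaddr($oldgw) && (($tunnel != $oldtunnel) || $tunnel['disabled'])`; if skipping it is intended, add the explicit parentheses and a comment saying so.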
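Review bot: The `if (!$tunnel['disabled']){` wrapper opened in the second vpn.inc hunk is closed in the third hunk just above `log_error(...)`, so a disabled tunnel still logs "Reloading IPsec tunnel ... Reloading policy" although no new SPD entries are written for it. Either move the closing brace below the log call or log a distinct message for the disabled case. The wrapper is also added at column zero; indent it and its closing brace to match the surrounding block and mark the closing brace with a short comment.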
Re: [pfSense Support] Quad NIC's?
On Tue, Sep 22, 2009 at 8:26 PM, Luke Jaeger wrote:
> Hello,
>
> Are there any known issues with quad NIC cards on a pfSense box?
>
> I'm looking at a Proliant DL360 G3 with an Intel Pro 1000 GT Quad Port
> adapter
>
> http://www.intel.com/products/server/adapters/pro1000gt-quadport/pro1000gt-quadport-overview.htm

Should work well.

Scott
Re: [pfSense Support] interesting traffic is not encapsulated
On Tue, Sep 22, 2009 at 12:46 PM, Evgeny Yurchenko wrote:
> Then sorry Scott, I do not understand your statement: "Traffic on the
> firewall itself prefers the system routing table. Clients behind the
> firewall will prefer the IPSEC tunnel."
> In my case traffic initiated on the firewall itself goes over the tunnel,
> client behind firewall goes over normal routing table/nat while it must go
> over the tunnel. And I've almost broken my head trying to understand why.

Sorry, I meant when you are pinging from the firewall itself. Double check your subnet information. This should work and I know folks running IPSEC on PPPoE hosts.

If you continue to have problems we need more information such as the IPSEC SPD/SAD entries.

Scott
Re: [pfSense Support] interesting traffic is not encapsulated
On Tue, Sep 22, 2009 at 12:39 PM, Evgeny Yurchenko wrote:
> So, it is impossible to use IPSec with PPPoE on WAN?
> Eugene

That would be news to me. It should work fine.

Scott
Re: [pfSense Support] interesting traffic is not encapsulated
On Tue, Sep 22, 2009 at 12:32 PM, Evgeny Yurchenko wrote:
> I know it looks stupid, but...
> 1.2.3-RC1
> LAN=10.29.1.19/24
> WAN(PPPoE)=x.x.x.106
>
> remote LAN=10.29.11.1/24
> remote WAN=x.x.x.225
> Tunnel is up.
>
> When I do from pfSense itself ping -S 10.29.1.19 10.29.11.1 everything goes
> well, ESP packets and ping reply.
> When I do ping 10.29.11.1 from 10.29.1.34 connected to LAN traffic goes
> NATed out of WAN:
> 18:51:33.862273 IP x.x.x.106 > 10.29.11.1: ICMP echo request, id 22499, seq
> 57389, length 40
>
> 10.29.1.0/24[any] 10.29.1.19[any] any
>         in none
>         spid=45 seq=3 pid=4536
>         refcnt=1
> 10.29.11.0/24[any] 10.29.1.0/24[any] any
>         in ipsec
>         esp/tunnel/x.x.x.225-x.x.x.106/unique#16418
>         spid=48 seq=2 pid=4536
>         refcnt=1
> 10.29.1.19[any] 10.29.1.0/24[any] any
>         out none
>         spid=46 seq=1 pid=4536
>         refcnt=1
> 10.29.1.0/24[any] 10.29.11.0/24[any] any
>         out ipsec
>         esp/tunnel/x.x.x.106-x.x.x.225/unique#16417
>         spid=47 seq=0 pid=4536
>         refcnt=1
>
> Pleeease any hint -(

That is normal. Traffic on the firewall itself prefers the system routing table. Clients behind the firewall will prefer the IPSEC tunnel.

Pretty sure that is documented somewhere on the doc site.

Scott
Re: [pfSense Support] Is pfsense.org down?
On Sat, Sep 19, 2009 at 2:58 PM, Jostein Elvaker Haande wrote:
> http://downforeveryoneorjustme.com/pfsense.org

Sorry folks. Our datacenter had a power blip and our UPS battery has died. One of our switches did not reset correctly after the blip. We have moved one of our firewalls and all the switches to Liebert battery backed power so hopefully will not be an issue again.

However we still need a UPS battery (replacement) if anyone has a spare email me sullr...@gmail.com

Thanks

Scott
Re: [pfSense Support] Crazy Session State requirement
On Fri, Sep 18, 2009 at 1:26 PM, Ermal Luçi wrote:
> Activate sticky option on 1.2.3-RC* installations.

http://snapshots.pfsense.org has the RC3 file.

Scott
Re: SV: [pfSense Support] Running out of memory
On Wed, Sep 16, 2009 at 11:42 AM, Oliver Hansen wrote:
>
> a_subscribti...@fiberby.dk wrote:
>>
>> That immediately reduced the memory use from 50% -22%
>> But as you state, it doesn't solve the underlying problem.

Thanks, I just committed a change to prevent this from being a problem.

Scott
Re: [pfSense Support] Problems with installation Developers-2.0
On Wed, Sep 2, 2009 at 4:38 PM, Evgeny Yurchenko wrote:
> Trying to install from pfSense-Developers-2.0-ALPHA-ALPHA-20090901-1924.iso
> on HP DL380 G4. MD5 is correct. Tried to burn another CD. Tried to install
> it in VMWare - result is the same.
> I see lots of errors like:
> ...
> /usr/sbin/clog: ERROR: could not write /var/log/ntpd.log (No space left on
> device)
> /usr/sbin/clog: ERROR: could not write /var/log/relayd.log (No space left on
> device)
> ..done.
> .: Can't open /etc/rc.php_ini_setup: No such file or directory
> Enter full pathname of shell or RETURN for /bin/sh:
> After I hit ENTER and get shell prompt I see that /var has 31M allocated and
> used at 102%
> /etc has 9.4M and 102% used.

Install the default layout with only / ... No need for separate /var/

Scott
Re: [pfSense Support] Help with physdiskwrite
On Wed, Sep 2, 2009 at 2:46 PM, Victor Padro wrote:
> Hello everyone!
>
> I wonder if someone could send me the physdiskwrite EXE, because I
> can't access to the m0n0.ch website, I don't know if it's down or what
> is wrong with it, and I am in the middle of a embedded Pfsense install
> here! ;)
>
> TIA

http://cvs.pfsense.org/~sullrich/physdiskwrite-0.5.2.zip
http://cvs.pfsense.org/~sullrich/physdiskwrite-0.5.2-PhysGUI-bundle.zip

Scott
Re: [pfSense Support] IGMPproxy and Router Alert option
On Tue, Sep 1, 2009 at 12:13 PM, Evgeny Yurchenko wrote:
> If I were to work on it should I install
> http://snapshots.pfsense.org/FreeBSD_RELENG_7_2/pfSense_HEAD/livecd_installer/pfSense-Developers-2.0-ALPHA-ALPHA-20090831-1029.iso.gz
> ? As I understand changes would be done in pfSense, pfSense packages and
> pfSense tools.

Yep, you got it.

Scott
Re: [pfSense Support] IGMPproxy and Router Alert option
On Tue, Sep 1, 2009 at 1:05 AM, Evgeny Yurchenko wrote:
> This is again about igmpproxy.
> As I mentioned earlier to be RFC compliant (RFC 2236 IGMP V2 and 3376 IGMP
> V3) we must send IGMP packets with Router Alert in IP header (RFC 2113).
> It is very easy to code but a problem with pf arises. To be able to send
> these packets we have to add "allow-opts" in pass out quick on 'Upstream
> Interface'.
> I tried to modify \"let out anything from firewall host itself\" rule in
> /etc/inc/filter.inc and it worked.
> Please answer these questions:
> 1) I can't see a way to insert "allow-opts" only for upstream interface at
> the igmpproxy package configuration web-interface. Is there a way?

Not currently.

> 2) Is it wise to add this functionality via another option in
> System->Advanced options (or where)?

Yeah, that might be the best place for it. We need to do it for 2.0 first and take a look at if this is something that can make it into 1.2.3 or not.

> 3) Do we need at all this functionality (Router Alert in IP header)?

I have no idea. Only IGMP users can make that call.

Scott
Re: [pfSense Support] Ticket #1931: NAT reflection bug
On Thu, Aug 27, 2009 at 2:15 PM, David Rees wrote:
> I've recently run into the issue described on ticket #1931 and on the
> forum thread below:
>
> http://cvstrac.pfsense.org/tktview?tn=1931
> http://forum.pfsense.org/index.php/topic,16314.0.html
>
> Even though we only have about 200 port forwards, we have 6 local
> interfaces so we've quickly run into this limitation.
>
> So a couple questions before I go and tackle this issue:
>
> 1. Why the limitation of 1000? Is that more or less arbitrary to keep
> from too many local ports from being used by the inetd nc rules, or
> could it be increased some?

Because of some of the issues you outlined in #2.

> 2. If I write a patch to limit the number of inetd entries below the
> above limit, will it be accepted upstream? We should be able to stop
> the inetd nc port multiplication issue so we will be able to reflect
> up to 1000 ports, but there will still be $num_interfaces *
> $num_portforwards NAT redirect rules generated. If the patch is
> likely to be accepted upstream, I'm more likely to spend time to write
> a 'proper' solution instead of just hacking it. :-)

We will gladly accept changes for this. Thanks!

Scott
Re: [pfSense Support] Load Balancing on vlans
On Thu, Aug 27, 2009 at 11:05 AM, Jesse Vollmar wrote:
> I tried again this morning to change the allow rule on a vlan
> interface to send traffic out on a gateway other than "default" and
> after about five minutes of working like it should, all traffic
> stopped. Hosts on that vlan could no longer ping the gateway of that
> vlan or anything on another network. This is only happening on my vlan
> interfaces (parent interface is LAN).

Sounds like a NIC driver issue. Make sure you are using Intel NICS.

Scott
Re: [pfSense Support] Routing Between VLANs
On Wed, Aug 26, 2009 at 9:29 PM, Jesse Vollmar wrote:
> Okay I deleted that vlan and now there is a system error and the web gui
> doesn't work. I'm on my phone now (no internet from pfsense). The error is
> "xml error: opt cannot occur more than once". I opened a shell and then
> opened config.xml and it has a entry... I don't know how to edit
> this in bsd since my user has read only

I just fixed this bug a few days ago. Run

    /etc/rc.conf_mount_rw
    vi /conf/config.xml

Find the optxxx interfaces and rename it to something like opt200909261213 where as the numbers are basically MMDDHHSS

Might have to sweep the config.xml file and locate any references to that old opt rule and delete them out of the config file. Then run

    rm /tmp/config.cache

Then you should be in good shape. Finally run

    shutdown -r now

Scott
Re: [pfSense Support] 1.2.3-RC1-embedded dhcp relay windows XP broadcast flag
On Wed, Aug 26, 2009 at 11:28 AM, Chris Kleeschulte wrote:
> I can dhcp relay all my hosts except for Windows-based hosts.
> I narrowed the problem down to the Windows machine setting the broadcast
> flag on the dhcp initial request.
> I also know that Microsoft claims this is a problem in Vista, but all my
> hosts are XP and the flag seems to be set there too.
> Tcpdump on the pfsense machine confirms the broadcast flag set. The dhcp
> server (a dnsmasq server) can handle the request, but the pfsense will not
> forward the packet from one subnet to the other, I think. I know broadcast
> is really destined for the local network only and that is the proper way to
> handle it, so it is a hack to force the pfsense to send the request anyway?
> So is the proper way to fix this to hack the registry on all the windows
> machines to nuke out the broadcast flag OR take the easy route and make the
> pfsense/dhcrelay forward the packet anyway?

Fix the problem on the SP3 box(s). But if you know C and can force pfSense to forward the broadcast flag then go for that by modifying isc-dhcp-relay.

Scott
Re: [pfSense Support] IGMP packet out of WAN
On Sun, Aug 23, 2009 at 9:23 PM, Evgeny Yurchenko wrote:
> Gentlemen,
> Please take a look at http://forum.pfsense.org/index.php/topic,16943.15.html
> last post from the6thday.
> It seems after reinstalling igmpproxy package he still has old version
> (which does not have this commit
> https://rcs.pfsense.org/projects/pfsense-tools/repos/mainline/commits/e9921d5342ffa6d15d88a36789c5b03d2249fb3e)
>
> This guy's log:
> Note: RECV V2 member report from 192.168.0.1 to 239.255.255.250 (ip_hl
> 24, data 8)
> Debu: Should insert group 239.255.255.250 (from: 192.168.0.1) to route
> table. Vif Ix : 0
> Debu: No existing route for 239.255.255.250. Create new.
> Debu: No routes in table. Insert at beginning.
> Info: Inserted route table entry for 239.255.255.250 on VIF #0
> Debu: Joining group 239.255.255.250 upstream on IF address 79.238.123.48
> Note: joinMcGroup: 239.255.255.250 on ng0
> Debu:
> Current routing table (Insert Route);
>
> And with this patch it should and like this:
> Note: joinMcGroup: 239.255.255.250 on ng0
> Debu: SENT V2 member report from ... to 239.255.255.250
> Debu:
> Current routing table (Insert Route);
>
> Could somebody please clarify how to get this new version of igmpproxy for
> pfSense-1.2.3-RC1?
> Thanks,
> Eugene.

Upgrade to a recent snapshot.

Scott
Re: [pfSense Support] tcsh problem
On Sat, Aug 22, 2009 at 3:02 PM, Zhu Sha Zang wrote:
> Hi there, what this problem?
>
> Enter an option: 8
>
> tcsh: Cannot open /etc/termcap.
> tcsh: using dumb terminal settings.
> #
>
> I don't change nothing, and this message appear in my two hosts.
>
> Thanks for now.

This has been resolved with the latest snapshots.

Scott
Re: [pfSense Support] IGMP packet out of WAN
On Fri, Aug 21, 2009 at 3:41 AM, Ermal Luçi wrote:
> Send a merge request to mainline. If you do not succeed i will merge
> it manually.

Item has been merged. Thanks!

Scott
Re: [pfSense Support] XMLRPC debugging
On Fri, Aug 21, 2009 at 3:45 PM, Ian Levesque wrote:
> php: /xmlrpc.php: Disallowing CARP sync loop.
>

You have a CARP sync loop. You do not want to do that.

Scott
Re: [pfSense Support] Triple CARP setup
On Tue, Aug 18, 2009 at 10:28 AM, Veiko Kukk wrote:
> How should I configure pfsync if I want to use three machines?
>
> ##
> Synchronize to IP
> Enter the IP address of the firewall you are synchronizing with.
> ##
>
> Should I list there all IP-s I want to sync to? Separated by commas or

No. Put the next cluster member in this box (only one host). On the next host put the next member's IP in creating a chain.

Cluster Primary -> Backup -> Tertiary

Scott
Re: [pfSense Support] OpenBGPD package: excessive } if if neighbor does not belong to a group
On Sun, Aug 16, 2009 at 1:18 AM, Evgeny Yurchenko wrote: > Again me -((( > found one more bug in OpenBGPD. When you add/modify neighbor which does not > belong to any group you get excessive } in bgpd.conf after neighbor{} block. > > # diff -rub openbgpd.inc.20090816.bak openbgpd.inc > --- openbgpd.inc.20090816.bak 2009-08-16 05:09:38.0 + > +++ openbgpd.inc 2009-08-16 05:10:33.0 + > @@ -113,8 +113,6 @@ > $conffile .= " }\n"; > } > } > - if($used_this_item) > - $conffile .= "}\n"; > } > > // OpenBGPD filters Thanks, this one is commited. Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
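Review bot: The removed `if($used_this_item) $conffile .= "}\n";` is the only closing brace written at this nesting level in the visible context, so please confirm that a neighbor which does belong to a group still gets its group block closed elsewhere in openbgpd.inc; the hunk shows only the inner ` }` being emitted. If `$used_this_item` has no other reader after this change, remove its assignment in the same commit so the variable does not linger unused.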
Re: [pfSense Support] OpenBGPD package: impossible to edit group in use but it can easily be deleted
On Sat, Aug 15, 2009 at 7:32 PM, Evgeny Yurchenko wrote: > 1) When a BGP group is in use it is impossible to modify group's parameters. > Click 'Save' gives you "Sorry this group is in use... and can not be > deleted" > Probably it is intended behavior but then we have to change the error > message to "... can not be edited" which is not very logical as the idea > behind using groups is to have some parameters common for all peers > belonging to this group. If you agree with me please delete this check: > > # diff -rub openbgpd_groups.xml.20090815.bak openbgpd_groups.xml > --- openbgpd_groups.xml.20090815.bak 2009-08-15 22:07:13.0 + > +++ openbgpd_groups.xml 2009-08-15 22:41:28.0 + 
> @@ -111,9 +111,4 @@ > > openbgpd_install_conf(); > > - > - $status = check_group_usage($_POST['groupname']); > - if($status != "") > - $input_errors[] = "Sorry this group is in use by > {$status} and cannot be deleted."; > - > > > 2) The group can be easily deleted even if it is in use without any impact > on /usr/local/etc/bgpd.conf which leads to little mess. After that if you > will edit your neighbor then this neighbor will be excluded from this group > and thus probably will loose AS number. I could not find a way how to > prevent this. > Probably we could create some tag in openbgpd_groups.xml like: > > $status = check_group_usage($_POST['groupname']); > if($status != "") > $input_errors[] = "Sorry this group is in use by > {$status} and cannot be deleted."; > > > ... and use it in /usr/local/www/pkg.php before it actually deletes > parameter: > > line 66 if ($a_pkg[$_GET['id']]) { > + if($pkg['custom_php_del_validation'] <> "") { > + $status = > eval($pkg['custom_php_del_validation'] ); > + if ($status != ""){ > + header("Location: pkg.php?xml=" . > $xml); > + exit; > + } > + } > unset($a_pkg[$_GET['id']]); > write_config(); > > ... and it works (it's not deleted) but I can't find a way to tell user > about the error. > > Thanks, > Eugene > > > > - > To unsubscribe, e-mail: support-unsubscr...@pfsense.com > For additional commands, e-mail: support-h...@pfsense.com > > Commercial support available - https://portal.pfsense.org > > Please sign up for a rcs.pfsense.org account and email me the info off-list. It is time for you to have a commit bit to be able to push these changes since you are showing an interest in the BGPD package. Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
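Review bot: The openbgpd_groups.xml hunk deletes the `check_group_usage($_POST['groupname'])` call from the save path, which makes in-use groups editable, but it drops the in-use check altogether instead of moving it to the delete path that item 2 of the same message reports as unprotected. Land the two changes together, so the check is applied on delete at the moment it stops being applied on save, and reword the message only where it still refers to deletion.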
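Review bot: In the proposed pkg.php lines, `$status = eval($pkg['custom_php_del_validation'])` only receives a value when the evaluated snippet ends in a `return`; the tag body shown assigns `$status` and `$input_errors[]` but returns nothing, and eval() yields NULL in that case, which overwrites the `$status` the snippet set. The snippet also reads `$_POST['groupname']` while this delete path is keyed on `$_GET['id']`, so the group name needs to be taken from `$a_pkg[$_GET['id']]` before the check runs. To tell the user about the error, carry the message across the redirect instead of discarding `$input_errors`, and document that the new tag is PHP evaluated from the package XML.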
Re: [pfSense Support] Small remarks about OpenBGPD package
On Sat, Aug 15, 2009 at 11:15 AM, Evgeny Yurchenko wrote:
> I do not know why but your commit put my piece of code in slightly wrong
> place (1 line higher than needed).
> Please correct this. Thanks.

[snip]

Fixed, thanks!
Re: [pfSense Support] 1.2.3-RC1 Web gui logout
On Wed, Aug 12, 2009 at 1:10 PM, David Burgess wrote:
> You could use a different browser for pfsense. It's an inconvenience,
> but probably more convenient than closing all your tabs.

Install the "Web Developer Toolbar" for firefox and then select Miscellaneous -> Clear Private Data -> HTTP Authentication

http://chrispederick.com/work/web-developer/

Scott
Re: [pfSense Support] IGMP packet out of WAN
On Wed, Aug 12, 2009 at 10:57 AM, Scott Ullrich wrote:
> On Tue, Aug 11, 2009 at 8:02 PM, Evgeny Yurchenko wrote:
>>
>> cd /usr/ports/devel/git && make install
>>
>> -- Ends with
>> ===> Configuring for git-1.6.4
>> ===> Building for git-1.6.4
>> GIT_VERSION = 1.6.4
>> * new build flags or prefix
>> ... many compilations here ...
>> http-push.c:14:19: error: expat.h: No such file or directory
>> http-push.c:852: error: expected ';', ',' or ')' before '*' token
>> http-push.c: In function 'lock_remote':
>> http-push.c:936: error: 'XML_Parser' undeclared (first use in this function)
>> http-push.c:936: error: (Each undeclared identifier is reported only once
>> http-push.c:936: error: for each function it appears in.)
>> http-push.c:936: error: expected ';' before 'parser'
>> http-push.c:943: error: 'parser' undeclared (first use in this function)
>> http-push.c:946: error: 'xml_cdata' undeclared (first use in this function)
>> http-push.c: In function 'remote_ls':
>> http-push.c:1179: error: 'XML_Parser' undeclared (first use in this function)
>> http-push.c:1179: error: expected ';' before 'parser'
>> http-push.c:1186: error: 'parser' undeclared (first use in this function)
>> http-push.c:1189: error: 'xml_cdata' undeclared (first use in this function)
>> http-push.c: In function 'locking_available':
>> http-push.c:1262: error: 'XML_Parser' undeclared (first use in this function)
>> http-push.c:1262: error: expected ';' before 'parser'
>> http-push.c:1269: error: 'parser' undeclared (first use in this function)
>> gmake: *** [http-push.o] Error 1
>> *** Error code 1
>>
>> Stop in /usr/ports/devel/git.
>> *** Error code 1
>>
>> Stop in /usr/ports/devel/git.
>>
>> ***sigh*** -(((
>
> Try this:
>
> rm -rf /usr/ports && portsnap extract && cd /usr/ports/devel/git &&
> make install BATCH=yes

OK -- I figured out what was the problem here. Do this and you should be OK:

cd /usr/ports/textproc/expat2 && make depends install
cd /usr/ports/devel/git && make depends install

Ignore what I sent earlier. I have updated the DevWiki page to reflect
these changes.

Scott
Re: [pfSense Support] IGMP packet out of WAN
On Tue, Aug 11, 2009 at 8:02 PM, Evgeny Yurchenko wrote:
>
> cd /usr/ports/devel/git && make install
>
> -- Ends with
> ===> Configuring for git-1.6.4
> ===> Building for git-1.6.4
> GIT_VERSION = 1.6.4
> * new build flags or prefix
> ... many compilations here ...
> http-push.c:14:19: error: expat.h: No such file or directory
> http-push.c:852: error: expected ';', ',' or ')' before '*' token
> http-push.c: In function 'lock_remote':
> http-push.c:936: error: 'XML_Parser' undeclared (first use in this function)
> http-push.c:936: error: (Each undeclared identifier is reported only once
> http-push.c:936: error: for each function it appears in.)
> http-push.c:936: error: expected ';' before 'parser'
> http-push.c:943: error: 'parser' undeclared (first use in this function)
> http-push.c:946: error: 'xml_cdata' undeclared (first use in this function)
> http-push.c: In function 'remote_ls':
> http-push.c:1179: error: 'XML_Parser' undeclared (first use in this function)
> http-push.c:1179: error: expected ';' before 'parser'
> http-push.c:1186: error: 'parser' undeclared (first use in this function)
> http-push.c:1189: error: 'xml_cdata' undeclared (first use in this function)
> http-push.c: In function 'locking_available':
> http-push.c:1262: error: 'XML_Parser' undeclared (first use in this function)
> http-push.c:1262: error: expected ';' before 'parser'
> http-push.c:1269: error: 'parser' undeclared (first use in this function)
> gmake: *** [http-push.o] Error 1
> *** Error code 1
>
> Stop in /usr/ports/devel/git.
> *** Error code 1
>
> Stop in /usr/ports/devel/git.
>
> ***sigh*** -(((

Try this:

rm -rf /usr/ports && portsnap extract && cd /usr/ports/devel/git &&
make install BATCH=yes

Scott
Re: [pfSense Support] IGMP packet out of WAN
On Tue, Aug 11, 2009 at 8:16 AM, Evgeny Yurchenko wrote:
> All my production boxes are 1.2-release so FreeBSD 6.2. But I am planning to
> move to the latest 1.2.3 and I will do it as soon as I find out why my HPs
> hung during high load with 1.2.3-RC1.
> To answer your question - I'd like to make igmpproxy to work on 1.2.3.
> I wish I could build everything by myself but last time I tried to use git
> it errored on me (I posted the errors here). If you could help me to figure
> out how to start using this development environment it would be greatly
> appreciated.

Getting started with our dev environment has become a lot easier in
the last couple weeks. Check out the updated document here:
http://devwiki.pfsense.org/DevelopersBootStrapAndDevIso

Scott
Re: [pfSense Support] Kernelbug on Triple Core Processor
On Sat, Aug 8, 2009 at 2:56 PM, Walter Kugler wrote:
> Hello!
>
> About myself:
> I have no great knowledge about FreeBSD. I use mostly the WebGUI of pfSense,
> but i have some years experience on Debian GNU/Linux, including building a
> custom kernel.
>
> My Problem:
> I have bought a new machine with an AMD Phenom II X3 Processor that has 3
> Cores. I want to use pfSense on it and until now i tried version 1.2.3-RC1.
>
> When booting the default system the kernel hangs after 'SMP: AP CPU#2
> Launched!'
>
> I have already found the exact reason, it's a bug with sched_ule + SMP, take
> a look at:
> http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/120138
>
> My questions now are:
> Is there a version of pfSense (at least in RC-Stage) that includes already
> the patch for this bug?
> If not, i have to compile a patched custom kernel:
> What do i have to do to just recompile the kernel and its modules (not the
> whole world)?
> As far as i understand i need the exact kernel-version and the
> configuration-file that is used for pfSense 1.2.3-RC1. Where do i find these
> things?
>
> Is the developer-installation the complete environment i need to build a
> kernel?
>
> If i know these things i hope that i am able to build a kernel with the
> documentation at http://www.freebsd.org/docs.html.
>
> I hope that you can help me :)

Try a 1.2.3-RC2 snapshot.

http://snapshots.pfsense.org/FreeBSD_RELENG_7_2/pfSense_RELENG_1_2/livecd_installer/pfSense-1.2.3-20090807-2005.iso.gz

Scott
Re: [pfSense Support] Small remarks about OpenBGPD package
On Thu, Aug 6, 2009 at 10:48 AM, Evgeny Yurchenko wrote:
> I'll ask very trivial question but please bear with me as I am new here.
> What does 'commited this' mean? Does it mean that it is in
> http://snapshots.pfsense.org/FreeBSD_RELENG_7_2/pfSense_RELENG_1_2/livecd_installer/pfSense-1.2.3-20090805-0554.iso.gz

It generally takes 4-5 hours for a commit to reach the snapshots. It
might or might not be in there but will be in future snapshots.

> My general question is how these snapshots are related to the content I can
> find on mirrors to download (for example
> http://files.pfsense.org/mirror/downloads/pfSense-1.2.3-RC1-LiveCD-Installer.iso)
> ? Trying to understand production cycle...

You are on the right track... You will want a snapshot to test.

Scott
Re: [pfSense Support] Small remarks about OpenBGPD package
On Wed, Aug 5, 2009 at 12:35 AM, Evgeny Yurchenko wrote: > Hi! > 1) I find it a little bit inconvenient that you can not add a neighbor > when you do not have any group configured. Suppose I want to add just > two neighbors without messing with groups set up. > This small thing solves it: > # diff -rub openbgpd_neighbors.xml.bak openbgpd_neighbors.xml > --- openbgpd_neighbors.xml.bak 2009-07-22 21:31:13.0 + > +++ openbgpd_neighbors.xml 2009-08-05 04:11:06.0 + > @@ -171,6 +171,11 @@ > $counter++; > } > } > + else{ > + $newoptions['option'][0]['name'] = ""; > + $newoptions['option'][0]['value'] = ""; > + $pkg['fields']['field'][2]['options'] = > $newoptions; > + } > > > > > > 2) Cosmetic but may be you would wish to implement it. Neighbors not > belonging to any group not aligned properly: > group "G1" { > remote-as 11 > neighbor 1.1.1.1 { > descr "N1" > announce all > remote-as 1 > } > } > neighbor 2.2.2.2 { > descr "N2" > announce all > holdtime 300 > remote-as 2 > } > > > This small patch > # diff -rub openbgpd.inc.bak openbgpd.inc > --- openbgpd.inc.bak 2009-07-22 21:31:13.0 + > +++ openbgpd.inc 2009-08-05 03:31:14.0 + 
> @@ -103,14 +103,14 @@ > foreach($openbgpd_neighbors as $neighbor) { > $used_this_item = false; > if($neighbor['groupname'] == "") { > - $conffile .= " neighbor {$neighbor['neighbor']} {\n"; > + $conffile .= "neighbor {$neighbor['neighbor']} {\n"; > $conffile .= " descr > \"{$neighbor['descr']}\"\n"; > $used_this_item = true; > foreach($neighbor['row'] as $row) { > $conffile .= " {$row['paramaters']} > {$row['parmvalue']} \n"; > } > if($used_this_item) > - $conffile .= " }\n"; > + $conffile .= "}\n"; > } > } > if($used_this_item) > > makes it more intuitive (at least for me) > group "G1" { > remote-as 11 > neighbor 1.1.1.1 { > descr "N1" > announce all > remote-as 1 > } > } > neighbor 2.2.2.2 { > descr "N2" > announce all > holdtime 300 > remote-as 2 > } > > Eugene Thanks, I commited this. Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
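Review bot: The new else branch in openbgpd_neighbors.xml addresses the group select by position, `$pkg['fields']['field'][2]['options']`, so any reordering or insertion of fields in the XML silently attaches the empty option to a different field. Look the field up by its name instead, or at least add a comment stating that index 2 is the group field and must stay in step with the field list. It is also worth stating in the change description that an empty group name is now a valid, intended value, since the config generator treats `groupname == ""` as a standalone neighbor.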
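Review bot: In the openbgpd.inc hunk, the lines next to the re-indented `neighbor` and `}` strings write `$neighbor['neighbor']`, `$neighbor['descr']` and the `$row` parameter values into bgpd.conf without any validation or escaping, so a description containing a double quote or a line break yields a broken or unintended config. Since this block is being touched anyway, validate the neighbor address and reject or strip quotes and newlines before building `$conffile`. Separately, `$used_this_item` is set to true inside the same `groupname == ""` branch just before `if($used_this_item)`, so that test is always true there and the closing brace can be written unconditionally.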
Re: [pfSense Support] Problem with apinger
On Tue, Aug 4, 2009 at 10:56 AM, Matthias Niggemeier wrote:
> From: Matthias Niggemeier [mailto:m...@thias.de]
> Sent: Tuesday, 4 August 2009 08:47
> To: support@pfsense.com
> Subject: [pfSense Support] Problem with apinger
>
>> Hi there,
>> since the upgrade to 1.2.3-RC2 (July 23) parts of my failoverpools go
>> offline once a day. The system log shows entries like this:
>>
>> apinger: ALARM: 208.67.220.220(208.67.220.220) *** down ***. Loss 0.0%, Delay 75.436ms
>>
>> In this situation, I have to go to load_balancer_pool.php, edit one pool
>> and hit save. After that, everything is fine and online.
>> Is there a workaround for this?
>
> Update:
>
> The sequence before failing is as follows:
>
> Aug 4 15:38:33 apinger: Target "208.67.220.220": Lost packet count mismatch (-7(recently_lost) != 0(really_lost))!
> Aug 4 15:38:33 apinger: Target "208.67.220.220": Received packets buffer: ## #...
> Aug 4 15:38:40 apinger: ALARM: 208.67.220.220(208.67.220.220) *** down ***. Loss 12.0%, Delay 72.620ms
>
> After that apinger does not recover until I go to the pool configuration and
> hit save.

This is a known issue that we are working on. No workarounds exist at present.

Scott
Re: [pfSense Support] BGP status
On Thu, Jul 30, 2009 at 2:19 PM, Chris Flugstad wrote:
> Any word on BGP status. or a simple alternative, until pfsense has BGP
> function?

BGP has existed in system -> packages for 2+ years.

Scott
Re: [pfSense Support] A note about top vs bottom posting -- please read and make sure you bottom post on our lists. Thank you.
On Thu, Jul 30, 2009 at 8:21 AM, Eugen Leitl wrote:
> On Thu, Jul 30, 2009 at 02:08:38PM +0300, Veiko Kukk wrote:
>> This is a good example, why bottom-posting sucks...
>
> God gracious help us. What's wrong with interleaved
> posting?
>
>> Why do i need to scroll past all previous text i read just few seconds
>> ago, following that thread?
>
> Because they're Doing It Wrong(tm).
>
>> If i need to read it, then i could scroll down, but rarely there is need
>> for that.
>
> Thinking does help, at times.
>
> --
> Eugen* Leitl http://leitl.org

I agree with Eugen.

Folks, these are the list's rules. If you do not like it I kindly ask
you to go to the forum and participate there. It's either that or I
will stop reading these lists altogether. Bottom post or do not post
at all. Thanks.

Scott

PS: my kill bit is armed and folks that continue to do so will be
removed from the list. Sorry to be harsh but I have had enough with
this subject. Thanks.
Re: [pfSense Support] A note about top vs bottom posting -- please read and make sure you bottom post on our lists. Thank you.
On Wed, Jul 29, 2009 at 1:54 PM, Curtis LaMasters wrote:
> I actually find that to be annoying to read. However, in the spirit
> of good internetship, I'll oblige. Sorry any problems I may have
> caused. Let me know if I did that correctly.

That looks correct. Unfortunately this is the way mailing lists have
operated for as long as I have remembered.

Scott
Re: [pfSense Support] A note about top vs bottom posting -- please read and make sure you bottom post on our lists. Thank you.
On Wed, Jul 29, 2009 at 1:45 PM, Curtis LaMasters wrote:
> Gotta tell you guys...this is out right frustrating. Is it the fact
> that I'm using Gmail or that by definition, threading in email is
> broken by design. I would have imagined that the Spamassassin mailing
> list would have eaten all Gmail users alive if Gmail were the issue.
>
> Curtis LaMasters
> http://www.curtis-lamasters.com
> http://www.builtnetworks.com
>
> On Wed, Jul 29, 2009 at 12:42 PM, David Burgess wrote:
>> The current is an example of top-posting, in response to your
>> top-post. I don't think you've bottom-posted in this thread yet.
>>
>> db
>>
>> On Wed, Jul 29, 2009 at 11:41 AM, Curtis LaMasters wrote:
>>> To which one?
>>>
>>> Curtis LaMasters
>>> http://www.curtis-lamasters.com
>>> http://www.builtnetworks.com
>>>
>>> On Wed, Jul 29, 2009 at 12:40 PM, David Burgess wrote:
>>>> Yes.
>>>>
>>>> On Wed, Jul 29, 2009 at 11:38 AM, Curtis LaMasters wrote:
>>>>> This is top posting apparently.
>>>>>
>>>>> Curtis LaMasters
>>>>> http://www.curtis-lamasters.com
>>>>> http://www.builtnetworks.com
>>>>>
>>>>> On Wed, Jul 29, 2009 at 12:34 PM, wrote:
>>>>>> On Wed, Jul 29, 2009 at 1:33 PM, Curtis LaMasters wrote:
>>>>>>> And I think the point is being missed. WHY WAS MY MESSAGE VIEWED AS
>>>>>>> TOP POSTED. Ok, I committed my internet crime of YELLING in caps for
>>>>>>> the day. In Gmail, is there a proper way to not top post?
>>>>>>>
>>>>>>> Curtis LaMasters
>>>>>>> http://www.curtis-lamasters.com
>>>>>>> http://www.builtnetworks.com
>>>>>>>
>>>>>>> On Wed, Jul 29, 2009 at 12:28 PM, David Burgess wrote:
>>>>>>> > On Wed, Jul 29, 2009 at 11:25 AM, Curtis LaMasters wrote:
>>>>>>> >> Thanks Scott. I know what top posting is...I just don't know why you
>>>>>>> >> think I did. I hit reply, type my message and go forth. Didn't think
>>>>>>> >> it needed to be any harder than that.
>>>>>>> >
>>>>>>> > It can be a lot harder than that. It's effectively illustrated in the
>>>>>>> > links that Scott provided. A little effort in replying can save a lot
>>>>>>> > of wasted effort in trying to bring oneself up to speed or refresh
>>>>>>> > one's memory on a long thread.
>>>>>>> >
>>>>>>> > db
>>>>>>
>>>>>> flick the scroll wheel to get to the bottom of the post basically.

Hitting reply resulted in the above

A proper bottom post then looks like this:

On Wed, Jul 29, 2009 at 1:45 PM, Curtis LaMasters wrote:
> Gotta tell you guys...this is out right frustrating. Is it the fact
> that I'm using Gmail or that by definition, threading in email is
> broken by design. I would have imagined that the Spamassassin mailing
> list would have eaten all Gmail users alive if Gmail were the issue.

This is a bottom post.

Scott
Re: [pfSense Support] A note about top vs bottom posting -- please read and make sure you bottom post on our lists. Thank you.
On Wed, Jul 29, 2009 at 1:42 PM, Curtis LaMasters wrote:
> On Wed, Jul 29, 2009 at 12:41 PM, David Burgess wrote:
>> On Wed, Jul 29, 2009 at 11:38 AM, Curtis LaMasters wrote:
>>> And this is bottom posting. Correct?
>>
>> Well, I don't think it's top-posting or bottom-posting if you delete
>> all prior content.
>
> How about now? Bottom posting?
>
> Curtis LaMasters
> http://www.curtis-lamasters.com
> http://www.builtnetworks.com

No. This is bottom posting.

Scott
Re: [pfSense Support] A note about top vs bottom posting -- please read and make sure you bottom post on our lists. Thank you.
On Wed, Jul 29, 2009 at 1:31 PM, wrote:
> Unfortunately Gmail top posts by default. So expecting bottom posting to be
> and to remain the default behavior may be an exercise in futility. Proper
> etiquette or not, some people just bang off replies and figure everything is
> a-ok. This being a reason, not an excuse.

I use gmail daily. It's really not that hard and took me less than 2
seconds to trim and bottom post this message.

Scott
Re: [pfSense Support] A note about top vs bottom posting -- please read and make sure you bottom post on our lists. Thank you.
On Wed, Jul 29, 2009 at 1:25 PM, Curtis LaMasters wrote:
> Thanks Scott. I know what top posting is...I just don't know why you
> think I did. I hit reply, type my message and go forth. Didn't think
> it needed to be any harder than that.

I did not think anything -- This is my 1st message to this list in days and days

Scott
[pfSense Support] A note about top vs bottom posting -- please read and make sure you bottom post on our lists. Thank you.
http://www.caliburn.nl/topposting.html
http://idallen.com/topposting.html

Thank you

Scott
Re: [pfSense Support] IGMP packet out of WAN
On Sun, Jul 26, 2009 at 12:42 AM, Evgeny Yurchenko wrote:
> Can somebody please say whether pfSense's kernel was compiled with MROUTING
> option or not?

[pfsense-org:tools/builder_scripts/conf] sullrich% pwd
/Users/sullrich/pfSense_GIT/tools/builder_scripts/conf
[pfsense-org:tools/builder_scripts/conf] sullrich% cat pfSense.7 | grep MROUT
options MROUTING

Yes, it includes it.

Scott
Re: [pfSense Support] OT: web based performance testing
On Sat, Jul 25, 2009 at 4:31 PM, Chris Buechler wrote:
> Saw that, doesn't have latency or loss though. That's the piece that's
> missing from all the options I've seen.

Maybe this will fit the bill. Kinda expensive.

http://www.ookla.com/linequality.php

Scott
Re: [pfSense Support] OT: web based performance testing
On Sat, Jul 25, 2009 at 4:26 PM, Chris Buechler wrote:
> Looking for something, preferably open source but commercial is an
> option, sort of like a host your own private speed test site. The idea
> is when someone connects in via VPN they can easily hit a URL on a
> server across the VPN and click a button to test throughput, latency,
> and loss. The average end user is not highly technical, so something
> like "download this 50 MB test file and ping x.x.x.x" isn't viable. I
> figure someone out there has done something similar in the past.
> Granted there isn't anything you can do about poor connectivity other
> than find a different Internet connection, but at least it's a way to
> tell.
>
> Any ideas much appreciated.

http://www.speedtest.net/mini.php

Scott
Re: [pfSense Support] Patch: Realtek 8102EL support for Dell Mini 10v (1010)
On Fri, Jul 24, 2009 at 2:37 PM, Ingmar Hupp wrote:
> pfSense 1.2.3-RC1. FreeBSD RELENG_7_2 doesn't have support for this as far
> as I can tell (but FreeBSD HEAD [8.0] does as I've just noticed).

Thanks, I have committed this and snapshots should start building them soon.

Scott
Re: [pfSense Support] Patch: Realtek 8102EL support for Dell Mini 10v (1010)
On Fri, Jul 24, 2009 at 1:39 PM, Ingmar Hupp wrote:
> Hi,
>
> seems Dell is using a previously unknown revision of that chip in their Mini
> 10v (1010) netbooks, so here's a patch to add support for that revision.
> This probably should also/instead go to FreeBSD kernel. I've built a pfSense
> iso with this patch and it now recognizes the re0 interface and works fine
> while previously it'd return a "re0: Unknown H/W revision: 0x24c0".
>
> re0: port 0x2000-0x20ff mem
> 0xf051-0xf0510fff,0xf050-0xf050 irq 18 at device 0.0 on pci4
> re0: Using 1 MSI messages
> re0: Chip rev. 0x2480
> re0: MAC rev. 0x0040
[snip]

What version of pfSense were you testing with? 1.2.3-RC1 snapshots
have the latest RELENG_7_2 FreeBSD.

Scott