Re: [pfSense Support] Firewall security compromised by auxillary programs?

2011-02-04 Thread Sean Cavanaugh
-Original Message-
From: Mark Jones

Sent: Friday, February 04, 2011 2:54 PM
To: support@pfsense.com
Subject: [pfSense Support] Firewall security compromised by auxillary 
programs?


Well, I hear of people running pfSense in a VM, and I wonder how do you 
avoid exposing the host OS to the network?  How can a firewall be run in a 
VM and not leave the host OS hanging out to be attacked?  Or, go the 
other way and put the VM in the FreeBSD used by pfSense since there is plenty 
of excess CPU and memory to do the trick.  Only getting vmware to run on 
pfSense FreeBSD might be difficult (I haven't actually tried it) given the 
very few pieces of FreeBSD that are present in a pfSense environment.


Yes, I agree that having a jabber server on the firewall is less secure than 
not having a jabber server, but I question it being less secure than having 
it on my internal server.  If it is on the pfSense box and becomes 
compromised, the hacker will need pfSense skills to get any further, then 
they will need an additional set of skills to get at my primary servers.  If 
I open the ports that the jabber server uses, then they have access to my 
primary servers via the jabber server software because the firewall is 
permitting connections into and out of the network on those ports.


Admittedly running log digesting software increases the attack surface if 
those programs actually use networking services, but if they are 
self-contained, the attack surface doesn't change.  Adding a website (like 
say the pfSense PHP website interface) increases my exposure as well, but 
yet we do it to facilitate easy configuration.


If this analysis is wrong, please someone point out where it is wrong.  This 
assumes that the jabber server only opens the ports for XMPP and nothing 
else, no management ports etc.






I currently run my pfSense firewall inside VMware Server on a Windows 2003 
box. I set it up with 2 dedicated physical NICs for pfSense for WAN and LAN 
as well as 1 virtual NIC for all other VMs.


the 2 Physical NICs have every protocol/program/connector turned OFF on them 
except the VMware bridge, meaning that as far as windows sees, there's 
nothing on the interface to talk to. aka, by default, the host system has 
ZERO network connectivity for itself.


the Virtual interface is used for a virtual network on the server for all 
other VMs that need network access as well as internet access for the server 
itself.


inside pfSense I have the virtual interface set up as opt1 and put in rules 
so that opt1 and LAN can communicate with each other unhindered. This also means 
that anything on the physical LAN network wanting to talk to the physical 
server host has to pass thru the firewall first, meaning I can put rules in 
place if need be to filter on internal side.



overall this gives my network a single server that handles both my Windows 
file share, FreeBSD hosting servers and my firewall while keeping them all 
properly set up separately on a logical network level and yet physically on 
the same hardware. It is also set up in VMware that if the system crashes, 
the pfSense VM will be rebooted automatically. I have even created a VM with 
snort running that tapped into the same physical interfaces parallel to 
pfSense and has granted me some awesome level packet capture as it will run 
bus speed with only a single interface instead of 2 for physical install 
(you do have to manually disable transmission on the listening interface 
though inside the VM, which varies by OS)


if you have the resources, I would actually recommend use of VMware ESXi as 
the host since it lets you configure virtual switches and gives much tighter 
control over how the VMs and logical systems are configured.



doing it the other way and running jails/VM inside the firewall I feel is a 
really bad idea as nothing should ever be run under a firewall host. you 
could have a glitch and have a jail cause a kernel panic and crash the host.


-Sean 



-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org



Re: [pfSense Support] pfsense and DDOS

2011-02-01 Thread Sean Cavanaugh

sorry for top post.

Some better ISPs have options for rate limiting your connection in the event 
of a DDOS, meaning their systems will take the brunt of the hit and not 
route it to your firewall. this can vary from temporarily offlining you to 
absorb the packet storm or dropping connection attempts after a set pps 
level.


then again, this is also what right sizing your system load to handle and 
making proper systems to handle the load. there has to be some set level at 
which you will just stop trying to stay online and just offline yourself so 
as not to be absorbing useless traffic.


In general I disagree with the idea as some servers/services are harder to 
recover from DDOS attacks than the firewall filling its state table and 
slowly dumping them. I've seen webservers going into full kernel panics 
where a firewall/router taking the hit would have just locked up for a 
minute or so.


In general it should be a multi-staged approach, not a single piece of 
wondergear doing everything.


-Sean

-Original Message- 
From: Charles N Wyble

Sent: Tuesday, February 01, 2011 6:39 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] pfsense and DDOS


On 02/01/2011 11:25 AM, David Burgess wrote:

An article popped up on /. today, and although it's a poorly written
article, some of the ensuing discussion did provoke some thought.

http://it.slashdot.org/story/11/02/01/181200/Firewalls-Make-DDoS-Attacks-Worse


Firewalls do make DDOS attacks worse in front of a large web farm. The
state tables get exhausted very quickly. The various large web farms out
there don't have a firewall in front of them. Just run limited ports.

Of course they also have load balancers, packet sprayers, CDN etc. Not
your typical environment.






So the thing I'm wondering now, is best practice in terms of hardening
pfsense against DDOS.


If it's a well executed DDOS, they can take you out with just a few
thousand pps. Just gotta know how to flood the session/state tables.
Granted with pfsense and an x86 box with lots of ram/cpu you'll probably
be fine for quite a while.

Do some research into the hardware router/firewall vs software based one
(in particular Linux based firewalling/routing) and you'll find all
sorts of material. BSD seems more mature.

-- 
Charles N Wyble (char...@knownelement.com)

Systems craftsman for the stars
http://www.knownelement.com
Mobile: 626 539 4344
Office: 310 929 8793
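
The DDoS thread above turns on the firewall's state table filling up. As an added example (not from the thread or the pfSense project), this sketch measures state-table headroom from two snapshots of `pfctl -si` output and the `states` limit from `pfctl -sm`; the snapshot text, thresholds and function names are constructed for illustration.

```python
import re

# Constructed stand-in for the "State Table" block of `pfctl -si` output.
INFO_TEMPLATE = """\
State Table                          Total             Rate
  current entries                 {current:>8}
  searches                       481220934          458.6/s
  inserts                         {inserts:>8}            7.3/s
  removals                        {removals:>8}            7.3/s
"""

# Two constructed snapshots taken 10 seconds apart during a burst of new states.
SNAP_T0 = INFO_TEMPLATE.format(current=5012, inserts=7712001, removals=7706989)
SNAP_T1 = INFO_TEMPLATE.format(current=9312, inserts=7716801, removals=7707489)

# Constructed stand-in for `pfctl -sm` output (configured limits).
LIMITS = """\
states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
"""


def parse_state_table(info_text):
    """Extract the cumulative State Table counters from `pfctl -si` text."""
    counters = {}
    for key in ("current entries", "inserts", "removals"):
        match = re.search(rf"^\s*{key}\s+(\d+)", info_text, re.MULTILINE)
        if match is None:
            raise ValueError(f"'{key}' not found in pfctl -si output")
        counters[key.split()[0]] = int(match.group(1))
    return counters


def parse_state_limit(limits_text):
    """Extract the hard limit on states from `pfctl -sm` text."""
    match = re.search(r"^states\s+hard limit\s+(\d+)", limits_text, re.MULTILINE)
    if match is None:
        raise ValueError("'states hard limit' not found in pfctl -sm output")
    return int(match.group(1))


def assess(prev_info, curr_info, interval_s, limits_text, warn=0.70, crit=0.90):
    """Compare two snapshots and report fill level, growth and time to full."""
    prev = parse_state_table(prev_info)
    curr = parse_state_table(curr_info)
    limit = parse_state_limit(limits_text)

    used = curr["current"] / limit
    # The Rate column of `pfctl -si` is averaged over the whole time pf has
    # been enabled, so short-term rates are taken from counter deltas instead.
    insert_rate = (curr["inserts"] - prev["inserts"]) / interval_s
    growth = (curr["current"] - prev["current"]) / interval_s
    # Seconds until the table is full at the current growth; None if not growing.
    eta = (limit - curr["current"]) / growth if growth > 0 else None

    if used >= crit:
        level = "critical"
    elif used >= warn:
        level = "warning"
    else:
        level = "ok"
    return {
        "level": level,
        "used": used,
        "new_states_per_s": insert_rate,
        "growth_per_s": growth,
        "eta_seconds": eta,
    }


if __name__ == "__main__":
    print(assess(SNAP_T0, SNAP_T1, 10, LIMITS))
```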



Re: [pfSense Support] pfSense 2.0 BETA4 : IPv6?

2010-12-23 Thread Sean Cavanaugh

Update:

I have IPv6 successfully running up to the pfsense box and I can ping out as 
far as the Server IPv6 address but cannot get anything beyond that.


"Destination Net Unreachable"

I will dig deeper into it this afternoon.






Re: [pfSense Support] pfSense 2.0 BETA4 : IPv6?

2010-12-23 Thread Sean Cavanaugh
-Original Message-
From: Seth Mos

Sent: Thursday, December 23, 2010 8:13 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] pfSense 2.0 BETA4 : IPv6?

Hi Sean,

Op 23-12-2010 14:01, Sean Cavanaugh schreef:

>-Original Message-

From: Sean Cavanaugh Sent: Wednesday, December 22, 2010 7:39 PM To:
support@pfsense.com Subject: Re: [pfSense Support] pfSense 2.0 BETA4 :
IPv6?



Verified with wireshark that the DHCPv6 requests are going out but I am
not seeing any response from pfsense for them. DHCP Log shows (blanked
out part of address):

Dec 23 07:18:36 dhcpd: Listening on Socket/14/em1/2001:470:7:XXXx::/64
Dec 23 07:18:36 dhcpd: Sending on Socket/14/em1/2001:470:7:::/64


Thanks for helping out with this, I've had a heck of a time
troubleshooting this in my test setup and had been unable to verify it's
operation.

I do have rtadvd configured to tell the hosts to use "managed" e.g. dhcp
for ipv6 configuration, but it always falls back to autoconfig.


and no other DHCPv6 entries


I think I need to add other firewall rules for traffic to leave the
pfsense box, specifically for dhcp v6.

I am not sure what rules I exactly need for that. What I have not tried
yet is disabling pf using "pf -d". Maybe that dhcp succeeds without pf
in between.

I think that dhcp v6 uses port 567 but I'm unsure.

Your help in troubleshooting is greatly appreciated.

Regards,

Seth

--
--

I did realize that by default there is a LAN rule to allow all IPv4 out.
I created an equivalent IPv6 rule and BAM I got DHCP to work. now I am just 
verifying the rest of the setup.






Re: [pfSense Support] pfSense 2.0 BETA4 : IPv6?

2010-12-23 Thread Sean Cavanaugh
>-Original Message-
From: Sean Cavanaugh Sent: Wednesday, December 22, 2010 7:39 PM To: 
support@pfsense.com Subject: Re: [pfSense Support] pfSense 2.0 BETA4 : 
IPv6?
that helped out a lot. now I am at the point of where it is fully set up but 
I cannot seem to get any response from the DHCPv6 server. I am installing 
wireshark on another comp to make sure my desktop is even sending out the 
requests.


Verified with wireshark that the DHCPv6 requests are going out but I am not 
seeing any response from pfsense for them. DHCP Log shows (blanked out part 
of address):


Dec 23 07:18:36 dhcpd: Listening on Socket/14/em1/2001:470:7:XXXx::/64
Dec 23 07:18:36 dhcpd: Sending on Socket/14/em1/2001:470:7:::/64

and no other DHCPv6 entries

em1 is my LAN connection 






Re: [pfSense Support] pfSense 2.0 BETA4 : IPv6?

2010-12-22 Thread Sean Cavanaugh
that helped out a lot. now I am at the point of where it is fully set up but I 
cannot seem to get any response from the DHCPv6 server. I am installing 
wireshark on another comp to make sure my desktop is even sending out the 
requests.








Re: [pfSense Support] pfSense 2.0 BETA4 : IPv6?

2010-12-21 Thread Sean Cavanaugh
ok. I got past the gitsync by hitting enter and letting it actually 
continue.


now after the sync I get the nice error
"Parse error: syntax error, unexpected T_SL in /etc/inc/vslb.inc on line 291"


this shows up in both console mode and in the web interface as well as shuts 
down all firewall services.


completed on snapshot of 2.0-BETA4 from yesterday 






Re: [pfSense Support] pfSense 2.0 BETA4 : IPv6?

2010-12-21 Thread Sean Cavanaugh

to me it looks like I never download the git repository info to begin with

-
Or alternatively you may enter a custom RCS branch URL (HTTP).


http://gitweb.pfsense.org/pfsense/pfSense-smos.git



NOTE: http://gitweb.pfsense.org/pfsense/pfSense-smos.git was not found.







Re: [pfSense Support] pfSense 2.0 BETA4 : IPv6?

2010-12-21 Thread Sean Cavanaugh
>-Original Message- 
From: Seth Mos Sent: Tuesday, December 21, 2010 3:02 AM To: 
support@pfsense.com Subject: Re: [pfSense Support] pfSense 2.0 BETA4 : 
IPv6?

Op 21-12-2010 1:52, Sean Cavanaugh schreef:


after that, it asks if I want to sync with master which doesn’t do
anything.


It says press enter if done. Press enter. ;-)

The procedure for entering custom urls is that you enter it the 1st time, 
accept and then press enter to signal it to start.


After that it should promptly start syncing.

Regards,

Seth



that’s my point. It doesn’t look like it does a sync at all as I am missing 
some of the pages like DHCPv6.
when I hit enter, it is done immediately with what looks like no attempt at 
all to sync.






Re: [pfSense Support] pfSense 2.0 BETA4 : IPv6?

2010-12-20 Thread Sean Cavanaugh


That's just telling you it's not one of the official URLs, just tell it 
yes.


after that, it asks if I want to sync with master which doesn’t do anything.

-
Or alternatively you may enter a custom RCS branch URL (HTTP).


http://gitweb.pfsense.org/pfsense/pfSense-smos.git



NOTE: http://gitweb.pfsense.org/pfsense/pfSense-smos.git was not found.

Is this a custom GIT URL? [y]? y
Checkout which branch [master]?

Add a custom RCS branch URL (HTTP) to merge in or press enter if done.




--





Re: [pfSense Support] pfSense 2.0 BETA4 : IPv6?

2010-12-20 Thread Sean Cavanaugh
>-Original Message-

From: Seth Mos
Sent: Monday, December 20, 2010 2:37 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] pfSense 2.0 BETA4 : IPv6?

There is a post in the forum, to my git branch and instructions for support 
on 2.0 BETA


http://iserv.nl/files/pfsense/ipv6/



following these instructions, I am unable to download the .git file to start 
the sync.



Current repository is http://gitweb.pfsense.org/pfsense/mainline.git

Please select which branch you would like to sync against:

master   2.0 development branch
RELENG_1_2   1.2* release branch
build_commit The commit originally used to build the image

Or alternatively you may enter a custom RCS branch URL (HTTP).


http://gitweb.pfsense.org/pfsense/pfSense-smos.git



NOTE: http://gitweb.pfsense.org/pfsense/pfSense-smos.git was not found.

Is this a custom GIT URL? [y]?
--- 






Re: [pfSense Support] Appliance Recommendation for 100 Mbps (DOCSIS 3.0) Service

2010-09-02 Thread Sean Cavanaugh
not pushing appliance shop either but browsing thru their products they did 
have a "GHz edition" of same dual setup


-Original Message- 
From: Duncan Hall

Sent: Thursday, September 02, 2010 6:28 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Appliance Recommendation for 100 Mbps (DOCSIS 
3.0) Service


Looking at the specs I'd say there are 2 Alix boards in that appliance.
According to the hardware sizing document
(http://doc.pfsense.org/index.php/Hardware_requirements) you are going
to need something in excess of 700Mhz to handle the full throughput,
more if you start using VPNs and plugins.

Perhaps something atom based?
http://www.logicsupply.com/products/ps_fw101b

(No I don't work for logic supply).

Regards,

Duncan







On 2/09/2010 7:12 PM, Jonathan Marriott wrote:

This place does a two-in-one unit:

http://www.applianceshop.eu/index.php/firewalls/opnsense/opnsense-pfsense-dual-19-appliance.html

I'm not affiliated with applianceshop.

On 1 September 2010 18:51, Tim Nelson <tnel...@rockbochs.com> wrote:

- "Tonix (Antonio Nati)" <to...@interazioni.it> wrote:
 > Is there any case which can contain two motherboards and two power
 > supplies?
 > It would be nice to have one 1U case with clustered pfsense inside.
 >

Travla makes the T1200 which holds 2x Mini-itx boards with
independent PSUs:

http://www.travla.com/product_d.php?id=16

--Tim




Re: [pfSense Support] Rule / Advanced options / new connections per seconds?

2010-06-27 Thread Sean Cavanaugh

it will block ALL connections from the IP, no matter what service it is for.

--
From: "Jeppe Øland" 
Sent: Sunday, June 27, 2010 3:15 AM
To: 
Subject: [pfSense Support] Rule / Advanced options / new connections per 
seconds?



Hi there,

I have been using the "Max new connections / X seconds" option to
provide anti-hammer support for my SSH server.
Just now, I noticed a few things when I accidentally tripped it:

1) Other rules were affected as well.
   In my case the SSH 4/60 max killed my web server when coming from
the killed IP.
2) The connection didn't come back for 1 hour!
   Is the value in minutes or is something else going on?

This happened on a "few weeks old" 2.0 release, but I think at least
#2 happened on 1.x as well.

Regards,
-Jeppe
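
The behaviour discussed in this thread, as an added example (not from the thread or from pfSense's code): a toy model of a per-source new-connection limit whose offenders go into one shared block table. The 4/60 limit and port 22 come from Jeppe's post; the one-hour table expiry is an assumption chosen to match the lockout he observed, and the class, addresses and events are constructed.

```python
from collections import defaultdict, deque


class RateLimitedFirewall:
    """Toy model: one rate-limited pass rule feeding one shared block table."""

    def __init__(self, limited_port, max_conns, window_s, table_expiry_s):
        self.limited_port = limited_port
        self.max_conns = max_conns
        self.window_s = window_s
        self.table_expiry_s = table_expiry_s  # assumption: entries age out
        self.recent = defaultdict(deque)      # src -> times of new conns to limited_port
        self.blocked = {}                     # src -> time it entered the block table

    def _expire(self, now):
        """Drop block-table entries that are older than the expiry age."""
        expired = [s for s, t in self.blocked.items()
                   if now - t >= self.table_expiry_s]
        for src in expired:
            del self.blocked[src]

    def new_connection(self, src, port, now):
        """Return 'pass' or 'block' for a new connection at time `now` (seconds)."""
        self._expire(now)
        # The block table is checked first and is keyed on source address only,
        # so a listed source is refused on every port, not just the limited one.
        if src in self.blocked:
            return "block"
        if port == self.limited_port:
            times = self.recent[src]
            # Keep only connection times inside the sliding window.
            while times and now - times[0] >= self.window_s:
                times.popleft()
            times.append(now)
            if len(times) > self.max_conns:
                self.blocked[src] = now
                times.clear()
                return "block"
        return "pass"


def replay():
    """Replay constructed events: (time in seconds, source, destination port)."""
    fw = RateLimitedFirewall(limited_port=22, max_conns=4,
                             window_s=60, table_expiry_s=3600)
    a, b = "198.51.100.7", "203.0.113.9"  # constructed documentation addresses
    events = [
        (0, a, 22), (5, a, 22), (10, a, 22), (15, a, 22),  # within 4 per 60 s
        (20, a, 22),    # fifth SSH attempt in the window trips the limit
        (30, a, 80),    # same source, web server: refused as well
        (40, b, 80),    # a different source is unaffected
        (3619, a, 80),  # still listed just under an hour later
        (3620, a, 80),  # entry has aged out, traffic passes again
        (3621, a, 22),  # SSH counter starts fresh
    ]
    return [fw.new_connection(src, port, t) for t, src, port in events]


if __name__ == "__main__":
    print(replay())
```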




RE: [pfSense Support] Generating graphs

2010-04-09 Thread Sean Cavanaugh

> Date: Fri, 9 Apr 2010 16:35:43 +0300
> From: innocent.mayu...@pccb.go.tz
> To: support@pfsense.com
> CC: tnel...@rockbochs.com
> Subject: Re: [pfSense Support] Generating graphs
> 
> Hi Tim,
> 
> I have been running several tests with large downloads using DAP for the
> past few weeks.
> As you can see from the attached RRD Graphs generated by Pfsense i have
> never gone past 600 bits/s
> I am not only worried that i might not be geting my full capacity but also
> internally troubleshooting my LAN is made more difficult.
> The fact that i am not able to isolate if its a LAN problem or my ISP
> problem 
> 


 

do you have any traffic shaping enabled?
I know that i used to have my home cable connection shaped around 16mbit, which 
caused me to remain capped there even after my service was upgraded well above 
that.

 

AKA, do you have the limit with a vanilla configuration?
  

Re: [pfSense Support] add users

2010-02-09 Thread Sean Cavanaugh

Use pfSense 2.0

--
From: "Peter Todorov" 
Sent: Tuesday, February 09, 2010 5:42 AM
To: 
Subject: [pfSense Support] add users


Hi there team,
I was wondering is it possible to add users(different then standard
name ,,admin") for webgui?
Thank you in advance for the answer.
PS - pfsense 1.2

--
honesty is not a vice




RE: [pfSense Support] Old Firebox question

2009-12-03 Thread Sean Cavanaugh


> Date: Thu, 3 Dec 2009 08:18:13 -0800
> From: tjdres...@gmail.com
> To: support@pfsense.com
> Subject: [pfSense Support] Old Firebox question
>
> Hi folks,
>
> In a former life I replaced an overworked Firebox with an IPCop
> installation (this was before I knew about pfSense, all my firewalls
> are now pfSense now).
>
> Anyways... the only thing I miss about that Firebox was this cool
> little graphical traffic graph that updated in real time. On one side
> of the screen they had the external IP and port or protocol, and on
> the other was the internal IP and port/protocol. I've got the rate
> package installed which does a nice job of breaking down the traffic,
> but its not as pretty.
>
> Does anyone know what I'm talking about, and if so, does anyone know
> about a package out there that might replicate this completely
> frivolous non-security related eye-candy?
>
> With regards,
>

personally i get most of that style info from the ntop package. there's also an 
addon widget that adds IP information next to the traffic graph, forgot what 
its called



RE: [pfSense Support] Is your embedded pfsense stable?

2009-12-03 Thread Sean Cavanaugh


>Date: Wed, 2 Dec 2009 22:35:39 -0800
>From: mehmasa...@gmail.com
>To: support@pfsense.com
>Subject: [pfSense Support] Is your embedded pfsense stable?
>
>1.2.3-RC3, nanobsd on a Netgate Alix board with 256 MB RAM and a 8GB CF card.
>The firmware and all have been updated.
>
>Have been playing around with this box as a firewall for the last couple of
>weeks. Then I did the unthinkable and ventured out of my comfort shell.
>Installed DNS Blacklist, Snort and Backup. Well, I can report that Backup runs
>without problems. Initially DNS Blacklist ran but then I installed the dreaded
>pig... Snort.
>
>I had to try a few times for the install to take. Then Snort ran and I got
>even bolder. I turned on a bunch of rules without knowing what they actually
>did. And that did me in. Keeping my eye on the RAM - I reached 84% and then it
>happened. As Snort rules get exercised, memory usage skyrockets and froze my
>little Alix box.
>
>So, my question really is how far can these little machines be pushed? 
>
>Mehma

 
 
you said it yourself, Snort is a pig. it takes a decent amount of RAM to run it 
effectively. i wouldn't run it with anything less than a gig of ram even on a 
dedicated system as it can consume it pretty fast.
 
the Alix board should be more than enough for any of the other plugins or 
services you put on there, Squid might be an exception depending on how you 
configure it.
 
-Sean
  



RE: [pfSense Support] Weird msg in pfsense logs

2009-11-30 Thread Sean Cavanaugh


>can you please make an ASCII drawing of the layout you are talking about? the 
>way you describe it barely makes sense.
> 
>why not have separate interfaces on the router for the 2 ISP connections? or 
>are you using VLAN's on the switch??
>
>Ah, I see why it must be confusing
>
>ISP A ---|
>         |
>         |: 5 Port Mini Switch | -- Pfsense WAN adapter      --| Pf  |
>         |                     | -- Pfsense Optional adapter --| Box |-- LAN interface
>ISP B ---|
>
>This is my FIRST ASCII diagram! So please be nice! And to explain – both my
>ISP come into modems, which both plug into the same switch – The modems do not
>do any NAT and are not the gateways on the LAN. My pfsense box is that.
>Originally, plugged into the same switch I have a fedora box which worked
>perfectly. My pfsense box is a virtual box, which has two dedicated virtual
>NICS which are wired directly to the switch. (Don’t ask how or why, please
>just take my word for it, it works!)
>
>Pfsense is the only setup that has complained about this setup, and if it
>drops packets because of it, I’ve got a real problem, and I’ll have to go back
>to a previous working setup without pfsense.
 
 
 
 
Ok, that makes a lot more sense. you do have 2 interfaces from pfsense, even 
though they are only virtual interfaces. yes, in this case you need to turn on 
the option to ignore ARP requests as was previously stated by someone else.
 
also like was stated, the interface that the packet is assigned will respond 
and other will drop so no worries.   



RE: [pfSense Support] Weird msg in pfsense logs

2009-11-30 Thread Sean Cavanaugh


 

> Date: Mon, 30 Nov 2009 13:37:49 +
> From: gabr...@impactteachers.com
> To: support@pfsense.com
> Subject: RE: [pfSense Support] Weird msg in pfsense logs
> 
> Arrgh! Is this correct behaviour? Basically, I have two ISP connections
> and those connections are plugged into a switch, into which is plugged
> my router - at the moment I have a fedora box, happily connected to both
> ISP's and routing all inbound and outbound connections properly. This
> does not drop packets.
> 
> My last question, if this message comes up, will the packet be received
> on both interfaces? Because I see no reason why a packet that is not
> destined for that interface is being dropped. How can I check if the
> correct interface has not picked up the packet?
> 


can you please make an ASCII drawing of the layout you are talking about? the 
way you describe it barely makes sense.

 

why not have separate interfaces on the router for the 2 ISP connections? or 
are you using VLAN's on the switch?
  

RE: [pfSense Support] Can anyone compare pfsense to zeroshell?

2009-11-18 Thread Sean Cavanaugh

>Date: Tue, 17 Nov 2009 22:37:36 -0800
>From: mehmasa...@gmail.com
>To: support@pfsense.com
>Subject: [pfSense Support] Can anyone compare pfsense to zeroshell?
>
>I am trying to decide between the two.


i would definitely recommend going over the list of features for both products.

 

http://www.zeroshell.net/eng/

http://www.pfsense.org/index.php?option=com_content&task=view&id=40&Itemid=43

 

main things i see:

 

zeroshell is built more for minimal install. I don't see support for adding 
plugins or other options readily available.

zeroshell is a custom linux build from kernel up so you are restricted to their 
developers to maintain security patches

 

pfsense is designed to be more expandable with plugin support (such as snort or 
squid).

pfsense is based directly on FreeBSD and therefore utilizes their security 
updates and leaves more time for core development of the application rather 
than patching the OS

 

-Sean
  

RE: [pfSense Support] Strange DNS problem

2009-10-09 Thread Sean Cavanaugh

 

> Date: Fri, 9 Oct 2009 10:37:12 -0500
> From: supp...@plecavalier.com
> To: support@pfsense.com
> Subject: Re: [pfSense Support] Strange DNS problem
> 
> Quoting supp...@plecavalier.com:
> 
> > Quoting RB :
> >
> >> On Thu, Oct 8, 2009 at 19:42, Philippe LeCavalier
> >>  wrote:
> >>> Like I said I don't know what other info to supply, when I ssh to 
> >>> a clients network pfsense redirects me to my local server. The 
> >>> strangest thing to me is that even when I use the public IP it 
> >>> does that. If it were just the FQDN I wouldn't really care but 
> >>> this is a true problem for me and I really don't know where to 
> >>> start troubleshooting this.
> >>
> >> This doesn't help with the IP redirection bit, but dnsmasq returns its
> >> own IP for queries it can't answer (mis-typed domains, usually). I've
> >> noticed this with pfSense when I type in a hostname too quickly and
> >> end up hitting the external interface of my pfSense box.
> >>
> >> -
> >


refresh my memory, but in one of your earlier emails you said that your SSH 
server was accessible from the internet with no issue?

 

If that's the case I'm wondering if the rule you have set up for that is 
misconfigured and is routing EVERYTHING no matter the source or dest on that 
port to your server. (i.e. it's set to an ANY -> ANY instead of an ANY -> 
SERVER1 for port 22 SSH traffic)
  

Re: [pfSense Support] Firewall Rules for Dynamic Host

2009-08-14 Thread Sean Cavanaugh



--
From: "Tim Nelson" 
Sent: Friday, August 14, 2009 1:47 PM
To: 
Subject: Re: [pfSense Support] Firewall Rules for Dynamic Host


- "Curtis LaMasters"  wrote:

On Fri, Aug 14, 2009 at 12:20 PM, Tim Nelson
wrote:
> Greetings all-
>
> I have a situation where I need to have firewall rules for a
particular host that has a dynamic IP address(PPPoE ADSL).
Unfortunately, getting a static IP is cost prohibitive at this point.
When there is a power outage or after x number of days, the IP address
changes on the connection. My thought was to write a script that would
automagically check for the public IP, and if it is changed, then
update the firewall rule using curl to submit the form and then reload
the rules. Is there a better way to do this or any unforeseen caveats
to doing it the way I described?
>
> Tim Nelson
> Systems/Network Support
> Rockbochs Inc.
> (218)727-4332 x105
>
>
-

Unless I am not understanding this, if you were to just put WAN
Address as the rule destination instead of specifying the actual IP,
it would fix the issue.  Right?

Curtis LaMasters
http://www.curtis-lamasters.com
http://www.builtnetworks.com



In my pre-lunch haze of hunger, I probably wasn't as clear as I should 
have been. :-)


The box running pfSense by default denies all traffic to its protected 
hosts. However, I want to allow traffic from a specific host that has a 
dynamic IP to the protected hosts behind the pfSense box. Since this IP 
changes on occasion, I need a way to update the firewall rules with the 
new IP so it will have proper unrestricted access.


Tim Nelson
Systems/Network Support
Rockbochs Inc.
(218)727-4332 x105



would using something like dyndns at the dynamic IP help any?

-Sean 






Re: [pfSense Support] BGP status

2009-07-30 Thread Sean Cavanaugh



--
From: "Chris Flugstad" 
Sent: Thursday, July 30, 2009 6:18 PM
To: 
Subject: Re: [pfSense Support] BGP status

how did i miss all these packages that were available to install via the 
gui.


that's actually kinda funny considering that's the one main benefit that 
pfSense has over other software firewalls 






RE: [pfSense Support] A note about top vs bottom posting -- please read and make sure you bottom post on our lists. Thank you.

2009-07-29 Thread Sean Cavanaugh

this is top posting

 

 

 

 

 

Above all else, this is just spamming the mailing list and wasted 5 minutes of 
my life reading thru that horrible slew of emails

 

 

 

 

 

this is bottom posting


RE: [pfSense Support] RE: T1 Saturating - Windows update kills the connection... ??

2009-05-14 Thread Sean Cavanaugh

Bill

he USED to have 2 bonded T1's but they reduced to a single T1 connection to 
save money.

-Sean






> Date: Thu, 14 May 2009 07:09:33 -0500
> From: bill.marque...@gmail.com
> To: support@pfsense.com
> Subject: Re: [pfSense Support] RE: T1 Saturating - Windows update kills the   
> connection... ??
> 
> On Wed, May 13, 2009 at 10:58 AM, Scott Ullrich  wrote:
> > On Wed, May 13, 2009 at 11:55 AM, Chris Buechler  wrote:
> >> Slowing down considerably when under full load is normal, slowing to
> >> the point that sites don't load anymore when you're just running a few
> >> Windows updates is definitely not. Sounds like there's something wrong
> >> with the T1, or the CPE it's plugged into, whatever has your CSU/DSU.
> >
> > Agree 100%.   The fact that you can plug any firewall in and duplicate
> > the problem shows it's not firewall related and most likely a circuit
> > issue.  Call your ISP and tell them this.
> 
> Consider that the bandwidth chokepoint for this particular use is
> upstream of you anyway.  Inbound traffic is choked BEFORE it crosses
> the wire - no changes in network infrastructure on your part can fix
> this.  However, with that said, with the traffic shaper you can allow
> for your important sites to be put into a priority queue such that
> they always get priority - the only way to handle this is to throttle
> your connection even further so the smallest chokepoint is actually
> pfSense, not the link itself.
> 
> At any rate, I'd suggest looking closer at how the bandwidth on the 3M
> circuit is allocated - is this a DS3 circuit with a 3M guarantee, or
> is this two T1s bonded?  If the latter, how are they bonded and can
> you get SNMP stats off the interfaces?  My gut tells me that it's
> bonded and what you are seeing is due to some form of CEF forcing a
> given route down one pipe only.
> 
> --Bill
> 
> 


RE: [pfSense Support] RE: T1 Saturating - Windows update kills the connection... ??

2009-05-13 Thread Sean Cavanaugh

WHY would you want to shape your downstream channel? that kind of defeats the 
purpose of having the bandwidth there in the first place.

-Sean


Date: Wed, 13 May 2009 10:21:39 -0700
From: jol...@gmail.com
To: support@pfsense.com
Subject: Re: [pfSense Support] RE: T1 Saturating - Windows update kills the 
connection... ??

> It should just get slower and divide the bandwidth evenly since there are no
> rules to shape it.


That's basically what should happen.
Of course things get all out of whack when the connection isn't symmetric (like 
most consumer connections). On those, you will see severe degradation in speed 
on the fast (download) side if you saturate the slow (upload) side.

I have often seen problems similar to what you are describing when the ISP is 
running a traffic shaper.
I don't know what kind of physical connection you have, but it might be 
something capable of carrying more than 1.5 mbit.
In that case, the ISP will limit you to your allocated bandwidth with a shaper 
on their end. If the shaper is configured incorrectly, you can see dramatic 
changes in speeds when the connection is active.

An easy way to see how bad the problem is would be to ping a server on the 
internet, and then start a download from a fast site while it's running (Like 
grab a kernel from www.kernel.org).
A single PC should *easily* be able to saturate a 1.5 mbit circuit with a 
download. You don't need 4 PCs doing Windows Update. You shouldn't even need to 
use Windows Update at all ... any download should do it.

While the download is running, the ping will go up (say from 20ms to 100ms), 
but with badly configured shapers I have seen it rise to several seconds before 
timing out.

As for the pfSense traffic shaper, there are problems there too. You can easily 
shape your upstream bandwidth since you are in charge of what is being sent. Try 
shaping the downstream side in any significant way, and the connection becomes 
pretty much useless :-(

Regards,
-Jeppe

RE: [pfSense Support] RE: T1 Saturating - Windows update kills the connection... ??

2009-05-13 Thread Sean Cavanaugh

> Date: Wed, 13 May 2009 09:57:32 -0600
> From: aoz@gmail.com
> To: support@pfsense.com
> Subject: Re: [pfSense Support] RE: T1 Saturating - Windows update kills the   
> connection... ??
> 
> On Wed, May 13, 2009 at 09:53, Chuck Mariotti  wrote:
> > I used cheapo DLink 10/100 Network cards to build the server. But I'm 
> > doubting that would be the cause. The only other oddity is that I threw a 
> > little DLink 8 Port Gigabit Switch between the router and firewall, simply 
> > because I didn't have a crossover cable available at the time.
> 
> Presumably the rtl8139 chipset?  I don't know how [if?] those have
> improved in recent versions of BSD, but they used to drag my pfSense
> box to its knees with software interrupts.  Check your system's RRD
> graphs (specifically the utilization & interrupt numbers on the
> 'system' tab).  MTU mismatch could cause a problem, but the DLink is
> my bet right now.
> 


D-Link as a whole are not a good choice. their products vary in reliability. It 
all comes down to what chipset the card is based off of. their Marvell based 
cards run like tanks (under windows, use the Marvell drivers instead of D-Link) 
but the rest seem to be junk overall.
Another choice for cheap very reliable cards I've found are Netgear GA311 ($25 
for a gigabit card) and they support some level of TCP/IP offloading.

-Sean


RE: [pfSense Support] RE: T1 Saturating - Windows update kills the connection... ??

2009-05-13 Thread Sean Cavanaugh

If the business warrants it, you might want to look at techniques to save 
bandwidth overall such as running a Windows Server Update Service internally 
(ports repo for FreeBSD, yum repo if you have linux) so you only have to 
download updates once and all internal systems can get their updates from there.

as for pfSense, I would definitely put traffic shaping on there as well as 
perhaps installing the squid package to cache other web content.
The more you can cache internally, the less you have to tax the internet 
connection.

From: cmario...@xunity.com
To: support@pfsense.com
Date: Wed, 13 May 2009 03:43:31 -0400
Subject: RE: [pfSense Support] RE: T1 Saturating - Windows update kills the 
connection... ??

It did not happen with the other connection. But the previous firewall didn’t
allow me to look at nice graphs and see it maxing out, etc…  It just worked.
It was twice as fast as you said. I hooked up the old connection and it is not
dying with the 4 windows updates… in fact, it’s humming along… Unfortunately,
I don’t have the resources at this time of night to try to get 8 or 12 PC’s
running Windows update so I can try to max out the connection (since it’s
twice the speed as the T1, I need at least twice the computers) to see what
happens.

Yes, it is 1.5/1.5…

I’m not sure how I can make a call that the T1 is at fault exactly. I see the
traffic flowing and it’s capping at 1.5Mbit… if I cancel window update, it
dropped way back down…. SpeedTest.net indicates 1.5/1.5…

I’m kind of stuck…

Chuck



From: Jeppe Øland [mailto:jol...@gmail.com]
Sent: Wednesday, May 13, 2009 3:28 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] RE: T1 Saturating - Windows update kills
the connection... ??

During this new firewall installation, someone decided to run Windows Updates
on four computers. Previously, this would not have choked the network, but
with the new firewall (and new T1), it is choking it. Choking it dead. The
four machines appear to contend for connectivity but after a few minutes, a
couple of them just stall, one slows way down to a crawl and another still
keeps going (slower). Trying to browse the web on another computer is pretty
much impossible. It's all bogged down.

It didn't happen with the old connection right?

(sure it was faster, but Microsoft's servers are way faster than that so it
shouldn't matter)

Sounds like there is a problem with the new connection if you ask me.

Is it a full duplex 1.5/1.5 connection?

Regards,

-Jeppe







Re: [pfSense Support] sipproxd with pfSense on EMBEDDED.

2009-04-22 Thread Sean Cavanaugh
embedded does not use packages as the point of embedded was for CompactFlash 
installs where users will not want active read/writes since it may/will kill 
off the media faster. If you need to use packages, then you need to install 
the full version, preferably on a Hard Drive.


--
From: "Karl Fife" 
Sent: Wednesday, April 22, 2009 4:31 PM
To: 
Subject: [pfSense Support] sipproxd with pfSense on EMBEDDED.


Has anyone here successfully run sipproxd on embedded pfSense?
Reading through the sipproxd how-to docs I don't see any mention of 
embedded, which usually means (and correct me if I'm wrong) the full 
version.


We don't run the full version in many of our locations because of the higher 
expected reliability and low power consumption of embedded, but 
unfortunately (as most are aware) this also means dealing with known 
issues with pfSense and NAT traversal (specifically RTP streams 
successfully traversing NAT when using SIP for VoIP).  We run 1:1 nat on a 
fixed IP, where possible, but of course this is not always possible.


Does anyone have any experience with sipproxd on embedded?

If sipproxd will NOT work on embedded, I would very much like to cast my 
informed vote for a sip proxy rolled into the embedded release of pfSense 
1.3.   I think it would make pfSense a stronger (even obvious) choice as a 
perimeter firewall in many 'long tail' niches as SIP marches steadily 
forward as a preferred protocol in the VoIP world.


-Karl






Re: [pfSense Support] vmware appliance using onboard wifi as an interface

2009-04-18 Thread Sean Cavanaugh
the extended virtualization such as tagging a PCI port to a VM image is only 
available with a para-virtualization CPU


--
From: "RB" 
Sent: Saturday, April 18, 2009 12:25 PM
To: 
Subject: Re: [pfSense Support] vmware appliance using onboard wifi as an 
interface


On Sat, Apr 18, 2009 at 09:05, Sean Cavanaugh wrote:

KVM and Xen only work on CPUs that have the para-virtualization extensions.
If yer using older hardware, you HAVE to use either bare metal or a standard
virtualizer like VMWare


In a word: no.  I haven't tried virtualizing PCI devices on non-HVM
hardware, but they both run just fine sans acceleration on standard
hardware - KVM because it's built on QEMU and Xen because HVM is just
a recent addition.




Re: [pfSense Support] vmware appliance using onboard wifi as an interface

2009-04-18 Thread Sean Cavanaugh
KVM and Xen only work on CPUs that have the para-virtualization extensions. 
If yer using older hardware, you HAVE to use either bare metal or a standard 
virtualizer like VMWare


-Sean


--
From: "RB" 
Sent: Friday, April 17, 2009 7:04 PM
To: 
Subject: Re: [pfSense Support] vmware appliance using onboard wifi as an 
interface


On Fri, Apr 17, 2009 at 14:02, Sean Cavanaugh  
wrote:

I really wish it would virtualize wireless cards like that as I could get
rid of my access point at home and just add a card into my system.


Both KVM and Xen allow you to directly map a PCI slot into a client's
namespace.  Right now I'm running pfSense as a VM under KVM and have
both a physical Ethernet port and a HiFN card mapped directly to it.

With VMWare, VirtualBox, and most other virtualization managers (as
Sean noted) it'll present as a generic Ethernet interface with no WiFi
extensions, you'll have to use the host to manage the actual wireless
association.




Re: [pfSense Support] vmware appliance using onboard wifi as an interface

2009-04-17 Thread Sean Cavanaugh
As far as I know, the virtualization layer runs as a protocol on top of the 
interfaces in your computer. you CAN get pfSense to use the network connection 
over the wireless...but it will not see it as a wireless inside the VM, and 
will treat it as wired instead.
remember that VMWare does not virtualize the hardware itself, but offers 
virtual devices that are hooked into the hardware.

I really wish it would virtualize wireless cards like that as I could get rid 
of my access point at home and just add a card into my system.

-Sean


From: Chris Flugstad 
Sent: Friday, April 17, 2009 3:23 PM
To: support@pfsense.com 
Subject: [pfSense Support] vmware appliance using onboard wifi as an interface


I'm trying to run a vm of pfsense in windows, but be able to use the onboard 
wireless card (atheros chip) as opt1.  anyone successfully done this?  I don't 
need to use the wireless on the windows xp side as i have a ethernet connection 
or a evdo usb device.  Any thoughts or help would rock.

So far i've booted the vmware appliance in vmplayer.  I think i need to edit 
the "computer" in vmserver to allow the wireless as an interface and prolly 
have it "bridge"?

just a thought, i'll try that but thought i'd ask around in here

thanks,

Chris Flugstad
Cascadelink
900 1st ave s, suite 201a
seattle, wa 98134
p: 206.774.3660 | f: 206.577.5066
ch...@cascadelink.com 

[pfSense Support] error in latest snapshot

2009-03-25 Thread Sean Cavanaugh
Installed the following snapshot

1.2.3-PRERELEASE-TESTING-VERSION 
built on Tue Mar 24 23:54:30 EDT 2009  

and it failed to boot with the following message

Trying to mount root from ufs:/dev/da0s1a
/etc/rc: 43: Syntax error: "else" unexpected (expecting "then")


I looked in the code and found the file had the following and it is missing a 
"then" statement

if [ "$hideplatform" = "true" ];
platformbanner="" # hide the platform
else
   platformbanner=" on the '${PLATFORM}' platform"
fi



added the "then" in there and it booted right up


-Sean
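
The fix described in the message above, together with a parse-only check that would have caught the error before boot. This is an added example, not part of the original post or of pfSense's own scripts; the exact placement of `then`, the function names and the temporary file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or the pfSense source tree).
# `sh -n` parses a script without executing it, so a syntax error in an
# rc file can be rejected before the file is installed and booted.

# Fragment as quoted in the post: the "then" after the test is missing.
broken_fragment() {
    cat <<'EOF'
if [ "$hideplatform" = "true" ];
platformbanner="" # hide the platform
else
   platformbanner=" on the '${PLATFORM}' platform"
fi
EOF
}

# Same fragment with "then" added (assumed placement of the poster's fix).
fixed_fragment() {
    cat <<'EOF'
if [ "$hideplatform" = "true" ]; then
   platformbanner="" # hide the platform
else
   platformbanner=" on the '${PLATFORM}' platform"
fi
EOF
}

# syntax_ok FILE: exit status 0 if FILE parses as shell, non-zero otherwise.
syntax_ok() {
    sh -n "$1" 2>/dev/null
}

# install_checked SRC DST: copy SRC over DST only if SRC parses.
# The previous DST is kept as DST.bak so a bad edit can be rolled back.
install_checked() {
    src=$1
    dst=$2
    if ! syntax_ok "$src"; then
        echo "refusing to install $src: shell syntax error" >&2
        return 1
    fi
    if [ -f "$dst" ]; then
        cp -p "$dst" "$dst.bak" || return 1
    fi
    cp "$src" "$dst"
}

# banner_for HIDE PLATFORM: evaluate the fixed fragment and print the banner.
banner_for() {
    hideplatform=$1
    PLATFORM=$2
    eval "$(fixed_fragment)"
    printf '%s' "$platformbanner"
}

# Demo on constructed temporary files.
demo_dir=$(mktemp -d)
broken_fragment > "$demo_dir/rc.broken"
fixed_fragment  > "$demo_dir/rc.fixed"
for f in rc.broken rc.fixed; do
    if syntax_ok "$demo_dir/$f"; then
        echo "$f: parses"
    else
        echo "$f: syntax error"
    fi
done
rm -rf "$demo_dir"
```

A parse-only check catches a missing keyword like this one but not runtime faults, so it complements a test boot rather than replacing it.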

Re: [pfSense Support] Help with NIC Hardwares

2009-03-18 Thread Sean Cavanaugh
I've actually had VERY good results with NetGear GA311 gigabit cards. they 
have TCP/IP offloading too. run like tanks and are pretty inexpensive.


not sure about the pps rating on them though

-Sean


--
From: "Alexandre F. Guimarães" 
Sent: Wednesday, March 18, 2009 9:11 PM
To: 
Subject: [pfSense Support] Help with NIC Hardwares


Hello Pfsensers!

I need some help with brands of NIC to buy, I need Giga ether cards with 
more or less 300kpps (real throughput) only for routing.


What card is the best for this? Intel? 3com? What model?

Can anyone help me?





Re: [pfSense Support] ISA to pfSense or Windows to FreeBSD - FQDN and DNS

2009-03-01 Thread Sean Cavanaugh
I'm assuming the webserver is behind the firewall and he wants to allow people 
on the internet to be able to see it.


From: Abdulrehman 
Sent: Sunday, March 01, 2009 11:06 AM
To: support@pfsense.com 
Subject: Re: [pfSense Support] ISA to pfSense or Windows to FreeBSD - FQDN and 
DNS


No, you do not have to declare FQDN... and why you want to forward port 80 to 
webserver... if your webserver is live then you don't have to do port 
forwarding..

Regards
Abdulrehman


On Sun, Mar 1, 2009 at 10:17 AM, Raleigh Guevarra  wrote:

  Hi, 



  I am currently doing the migration from ISA to pfSense firewall and I have a 
webserver hosting different sites, when trying to duplicate the rules of ISA, I 
noticed  the FQDN of the sites was declared in the firewall rules of ISA (I was 
not the one who setup the ISA server). 



  What does this mean, FQDN in firewall rules?

  Do I really have to declare the FQDN in pfSense, instead of just forward port 
80 to the webserver?

  All domains were set to our own NS servers (NS1 in W2k3 Active Directory, NS2 
in Freebsd), is it safe and wise to use the pfSense gateway as the NS server to 
replace the current NS1 server?



  As you noticed, my ultimate goal is to replace the current windows boxes to 
BSD boxes. Any ideas and info would be greatly appreciated... Thank you in 
advance.



  Raleigh




RE: [pfSense Support] snort and ntop

2008-10-07 Thread Sean Cavanaugh
1.2 or 1.2.1 full install both run snort and/or ntop. embedded image does not 
support packages. Also if the package is marked as broken, then it will not be 
listed in the package list as available for install ( I believe snort was still 
marked as broken, haven't checked in a while)
From: [EMAIL PROTECTED]
To: support@pfsense.com
Date: Mon, 6 Oct 2008 19:40:18 -0400
Subject: Re: [pfSense Support] snort and ntop

hmmm
the 1.2.1 i am running does not perhaps I need a snapshot...
Glenn

On Oct 6, 2008, at 10:09 AM, Curtis LaMasters wrote:

If I'm not mistaken, 1.2.1 will allow this.

Curtis LaMasters
http://www.curtis-lamasters.com
http://www.builtnetworks.com
 

On Sun, Oct 5, 2008 at 11:08 AM, Glenn Kelley <[EMAIL PROTECTED]> wrote:
 Greetings:
 
 I am looking for a version of pfSense that will allow us to run both snort and 
ntop.
 
 Glenn
 
 
 
 



Re: [pfSense Support] PureFTP extension for PfSense

2008-10-06 Thread Sean Cavanaugh
Most people do not and should not run server style services on their 
firewall. if you are just trying to put a few files on the firewall such as 
changing the Captured portal, there are easier ways to get it done than 
setting up an FTP server.


--
From: "ozan ucar" <[EMAIL PROTECTED]>
Sent: Monday, October 06, 2008 3:26 AM
To: 
Subject: [pfSense Support] PureFTP extension for PfSense


Hello ,
I search pureftp extension for pfsense ( 
http://www.pfsense.com/screens/package-pureftp.gif )

Please help me .
Thanks for relation





[pfSense Support] pfSense talked about on linux.com

2008-10-03 Thread Sean Cavanaugh
http://www.linux.com/feature/148624


RE: [pfSense Support] Can't connect to subaru.com on port 80

2008-10-02 Thread Sean Cavanaugh
have you run wireshark between the firewall and the system to see if it is 
actually entering the LAN traffic and might just be the mac screwing up?
> From: [EMAIL PROTECTED]
> To: support@pfsense.com
> Date: Thu, 2 Oct 2008 10:53:31 -0500
> Subject: Re: [pfSense Support] Can't connect to subaru.com on port 80
> 
> This is a cable modem, and it works if I directly connect to my modem.
> 
> -Phil G
> 
> 
> 
> 
> On Oct 2, 2008, at 10:45 AM, "Ermal Luçi" <[EMAIL PROTECTED]> wrote:
> 
> > Open /etc/inc/filter.inc and search for pppoeclient:
> > after 4 line of that enter this
> > set iface enable tcpmssfix
> >
> > and retry connecting the pppoe and see if that fixes the problem.
> > I was having the same problems with mail.yahoo/hotmail/msn messenger
> > and some other sites on one installation and that fixed it.
> > I think its worth a try.
> >
> > Other than that it might be a timestamp handling issue on the client
> > stack that is failing to open the site.
> >
> > On Thu, Oct 2, 2008 at 6:38 AM, BSD Wiz <[EMAIL PROTECTED]> wrote:
> >> i know, i just want to check out the new wrx's and sti!!
> >>
> >> tried messing with the mtu without any luck.
> >>
> >> ok, here is tcpdump running on my pfsense firewall(unixbox.gnet).  
> >> you can
> >> see my request to subaru.com and then the reply comes to the  
> >> firewall but
> >> never get's passed to my computer. what's weird is the reset.
> >>
> >> 23:30:04.664256 IP UNIXBOX.gnet.49796 > subaru.com.http: S
> >> 1787975612:1787975612(0) win 65535  >> 0,nop,nop,timestamp
> >> 2090781090 0,sackOK,eol>
> >> 23:30:04.710299 IP subaru.com.http > UNIXBOX.gnet.49796: S
> >> 2731372884:2731372884(0) ack 1787975613 win 4380  >> 0,nop,nop,timestamp 311872670 2090781090,sackOK,eol>
> >> 23:30:05.321055 IP 12.120.5.14.http > UNIXBOX.gnet.49740: R
> >> 2533320030:2533320030(0) ack 10685623 win 0
> >> 23:30:07.420107 IP UNIXBOX.gnet.49796 > subaru.com.http: S
> >> 1787975612:1787975612(0) win 65535  >> 0,nop,nop,timestamp
> >> 2090781095 0,sackOK,eol>
> >>
> >>
> >>
> >> so in search of what the ip of the reset flag is i pointed my  
> >> browser to it.
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >> so they are behind some type of load balancer but wtf??
> >>
> >>
> >>
> >>
> >> On Oct 1, 2008, at 11:30 PM, Bill Marquette wrote:
> >>
> >>> On Wed, Oct 1, 2008 at 11:12 PM, Chris Buechler  
> >>> <[EMAIL PROTECTED]>
> >>> wrote:
> 
>  On Wed, Oct 1, 2008 at 11:55 PM, BSD Wiz <[EMAIL PROTECTED]> wrote:
> >
> > yep, i looked at it using tcpdump. i just see syn packets going  
> > out the
> > door, i never get any syn-acks back.
> >
> > 22:50:47.417326 IP unixbox.gnet.49330 > subaru.com.http: S
> > 3917131801:3917131801(0) win 65535  > 0,nop,nop,timestamp
> > 2090776378 0,sackOK,eol>
> >
> 
>  Have you tried lowering MTU on your WAN, or just on the problem
>  machine? Doing it on the WAN will MSS clamp everything, so if  
>  this is
>  limited to one machine I wouldn't do that. With the 1460 MSS that
>  shows and likely 1500 MTU end to end, that should not be a problem.
>  It's worth a shot though.
> >>>
> >>> Wouldn't explain no syn/ack's coming back.  This would seem more  
> >>> like
> >>> an upstream routing (or firewalling) issue to me.  That, or a
> >>> conspiracy against BSD Wiz and his desire to look at new cars.
> >>>
> >>> --Bill
> >>>
> >>>
> >>
> >>
> >>
> >>
> >
> >
> >
> > -- 
> > Ermal
> >
> >
> 
> 


Re: [pfSense Support] ipv6 possibility

2008-09-29 Thread Sean Cavanaugh
tunneling IPv6 would just let you forward traffic in IPv4 to an external 
gateway that translates from IPv4 to IPv6. the developers would rather not do 
that in favor of just fully implementing support for pfSense to be able to 
route IPv6 directly without the encapsulation.
Personally, I think that if you just want to tap into IPv6 networks, then a 
tunnel wrapper wouldn't be a bad idea, but as a package only and not part of 
the base install.


From: Leon Strong 
Sent: Monday, September 29, 2008 9:34 PM
To: support@pfsense.com 
Subject: Re: [pfSense Support] ipv6 possibility


I was thinking the same thing, and am still wondering why/how using an ipv6 
"tunnel" would result in a "half assed" implementation.

admittedly, i'm not a pfsense dev, and they can say what they like *shrug*

   

Re: [pfSense Support] ipv6 possibility

2008-09-29 Thread Sean Cavanaugh

technically this can already be done if you use the developers build.

--
From: "Eugen Leitl" <[EMAIL PROTECTED]>
Sent: Monday, September 29, 2008 7:01 AM
To: 
Subject: Re: [pfSense Support] ipv6 possibility


On Mon, Sep 29, 2008 at 11:20:20AM +0100, Paul Mansfield wrote:


I can't make an official commitment, but IPv6 support would probably
help me get employer to take a support contract. As a startup, budgets
are tight, but the prospect of the quality of pfSense along with ipv6
would be a compelling idea!


Here's a thought: make the default pfsense kernel dual-stack capable 
but disable the IPv6 part by default, and don't support it anywhere 
in the PHP/XML config framework. Explicitly mark it as unsupported. 
Null-route all IPv6 support requests.


That way anyone who needs the functionality can hack it manually using
stock FreeBSD configuration tools, yet there would be no support load 
for the developer team.


--
Eugen* Leitl http://leitl.org
__
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE




RE: [pfSense Support] ipv6 possibility

2008-09-25 Thread Sean Cavanaugh
My only input into the matter is that if you NEED ipv6 implemented into pfSense 
that you submit a proposal to the developers through their corporate support 
for development services. They have stated before that from a hobbyist 
development point of view, they do not have access to ipv6 systems to warrant 
them to do it in the near future but would work on it if there was an official 
paid development effort.

In the mean time, pf as a service can run ipv6 and can run dual stacked with 
ipv4 for those that need it.
https://solarflux.org/pf/pf+IPv6.php

in summary, unless someone pays for it or adds it themselves, it won't be added 
anytime soon.

-Sean


RE: [pfSense Support] Vista's DHCP Issues

2008-09-23 Thread Sean Cavanaugh
This is an issue that I honestly have never seen between my firewall and Vista. 
Is this something that was potentially fixed with a Windows update or is 
handled differently in 1.2.1?

-Sean
> Date: Tue, 23 Sep 2008 00:49:13 -0600
> From: [EMAIL PROTECTED]
> To: support@pfsense.com
> Subject: Re: [pfSense Support] Vista's DHCP Issues
> 
> I've had users complain about this, once i show them XP works fine, I 
> tell them to contact Microsoft.
> 
> I haven't had any complaints(That I know of) since I started using 
> pfSense, but it was obvious with other Firewall vendors.
> 
> Adam
> 
> Tim Nelson wrote:
> > I recently ran into an issue where one of our client's laptops would/could 
> > not get an IP address from one of our boxes running pfSense 1.2-RELEASE. 
> > Connecting via wireless or wired made no difference and other machines 
> > could connect just fine without issue. After doing some searching, I've 
> > found that Vista has some "issues" with DHCP. The full Microsoft Article is 
> > here:
> >
> > http://support.microsoft.com/kb/928233/EN-US/
> >
> > In short, Vista needs to have its DHCP broadcast flags modified to use 
> > DHCP on "some routers and some non-Microsoft DHCP servers". I can only 
> > assume it is a problem with Vista and not the underlying DHCPD daemons as I 
> > don't believe any other OS's have this problem currently.
> >
> > Just thought I'd post this to the list as I'm assuming some of you may run 
> > into the same problem at some point.
> >
> > Tim Nelson
> > Systems/Network Engineer
> > Rockbochs Inc.
> > (218)727-4332 x105
> >
> >
> >
> >
> >   
> 
> 


RE: [pfSense Support] 64-bit pfsense

2008-08-20 Thread Sean Cavanaugh
pfSense is based on i386 code so it is only 32-bit. it will run perfectly fine 
on a Dell R200. 
 
-Sean



Date: Wed, 20 Aug 2008 09:56:40 +0400
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [pfSense Support] 64-bit pfsense

Hi all.

I am new to the pfsense list and like to know from your experience about the 
pfsense 1.2 installation on a 64-bit hardware.

We are planning to protect the Data Center (consists of around 40+ RH Servers 
running Apache and MySQL). Intention is to install pfsense on Dell R200 
Servers (very recently brought). I couldn't see a clear information about 
pfsense support for 64-bit hardware. If anybody have experience or any 
pointers about this topic kindly share

TIA
Jose
-- 
Office: +971-4-3671912
Cell: +971-50-9943477

Re: [pfSense Support] cannot update firmware

2008-07-31 Thread Sean Cavanaugh



--
From: "Chris Buechler" <[EMAIL PROTECTED]>
Sent: Thursday, July 31, 2008 6:12 PM
To: 
Subject: Re: [pfSense Support] cannot update firmware


On Thu, Jul 31, 2008 at 9:38 AM, Sean Cavanaugh
<[EMAIL PROTECTED]> wrote:

I have a 1.2-RELEASE setup that runs perfectly fine. I wanted to install
1.2.1 on it to try it out
but I cannot get the system to upgrade the firmware at all. Thru the web
interface i get the usual
hoops about the file not being digitally signed but it takes it and goes on
its merry way of processing it.
I even get the pages all saying "An upgrade is currently in progress. The
firewall will reboot when the operation is complete."

It will just sit there and never do anything more. I have also tried using
the upgrade thru the console which
gets me the following before dumping back to the main menu screen

Broadcast Message from [EMAIL PROTECTED]
(/dev/ttyp0) at 6:01 EDT...

Beginning pfSense upgrade.

/etc/rc.firmware: Cannot fork: Resource temporarily unavailable
/etc/rc.firmware: Cannot fork: Resource temporarily unavailable
/etc/rc.firmware: Cannot fork: Resource temporarily unavailable

further testing shows that this happens no matter what firmware i give it,
even tried 1.2-RELEASE again



A Google of that site:pfsense.org brings back nothing so it's
apparently something no one has seen before.

That makes it sound like too many processes are running which is a bit
strange. Try rebooting it then upgrading.



it looks like I just had a random group of addons that together caused that 
problem. I ended up having to reinstall 1.2-RELEASE and now the firmware 
upgrades work perfectly fine.
For future reference, just uninstalling all the addons and rebooting didn't 
clear out the glitch that was causing it.

now I'm off to try/abuse 1.2.1.

-Sean 






[pfSense Support] cannot update firmware

2008-07-31 Thread Sean Cavanaugh

I have a 1.2-RELEASE setup that runs perfectly fine. I wanted to install 1.2.1 
on it to try it out
but I cannot get the system to upgrade the firmware at all. Thru the web 
interface i get the usual
hoops about the file not being digitally signed but it takes it and goes on its 
merry way of processing it.
I even get the pages all saying "An upgrade is currently in progress. The 
firewall will reboot when the operation is complete."

It will just sit there and never do anything more. I have also tried using the 
upgrade thru the console which
gets me the following before dumping back to the main menu screen
 
Broadcast Message from [EMAIL PROTECTED]
(/dev/ttyp0) at 6:01 EDT...
 
Beginning pfSense upgrade.
 
/etc/rc.firmware: Cannot fork: Resource temporarily unavailable
/etc/rc.firmware: Cannot fork: Resource temporarily unavailable
/etc/rc.firmware: Cannot fork: Resource temporarily unavailable

further testing shows that this happens no matter what firmware i give it, even 
tried 1.2-RELEASE again

so far it looks like i will have to do a full reinstall to get it to 1.2.1.

any insights?

-Sean


[pfSense Support] Removing DHCP Leases

2008-05-28 Thread Sean Cavanaugh
Is there a nice quick way to forcibly remove a DHCP lease for a MAC address?

-Sean

RE: [pfSense Support] Virtualizing pfSense

2008-05-15 Thread Sean Cavanaugh

> From: [EMAIL PROTECTED]
> Date: Thu, 15 May 2008 21:07:04 +0200
> To: support@pfsense.com
> Subject: Re: [pfSense Support] Virtualizing pfSense
> 
> 
> On 15.05.2008 at 20:55, Sean Cavanaugh wrote:
> 
> >
> > for the record, VMWare tools is included in the ports collection
> 
> 
> Well, the port uses the stuff from the mounted iso-image ;-)
> You can't download them separately, AFAIK.
 
like i said, the ISOs are part of VMWare Server

> 
> > and they dont really do anything beyond provide a clock sync  
> > between the virtual image and the host PC
> 
> That's not completely true, IIRC.
> AFAIK, the tools are also helping with memory management (on ESX at  
> least, maybe Server 2.0 gained something here on Server 1.0)

Linux had the memory management as part of its tools package, not BSD. from 
what I've seen, the only things VMWare-tools did was assist with clock sync, 
enable better driver for X and enable copy/paste between the image and 
host/other images. Timer issues can be lessened (never resolved, even with 
VMware tools) by reducing kern.hz to something like 50 or 100 Hz (in 
loader.conf), and installing ntpd. and Xorg has a vmware driver in it now. 
still no copy paste or mouse focus at all.

> 
> > they are almost not worth installing. pfSense has an option to sync  
> > to an NTP server already and i just run an NTP sync program within  
> > my BSD server image.
> >
> 
> 
> IMO, the biggest problem of VMware is clock-syncing.
> Even on "supported" platforms.
> It's a nightmare.
> 
> 
> 
> > but yes VMWare Server does come with the tools ISO's
> >
> > -Sean
> >
> > Make Windows Vista more reliable and secure with Windows Vista  
> > Service Pack 1. Learn more.
> 
> 
> 
> I thought it was one of those witty tag-lines along "Make Vista more  
> reliable  by installing Ubuntu" or so.
> Interestingly, it doesn't say "faster" ;-)))
> 
> 
> cheers,
> Rainer
> -- 
> Rainer Duffner
> CISSP, LPI, MCSE
> [EMAIL PROTECTED]
> 
> 
> 


RE: [pfSense Support] Virtualizing pfSense

2008-05-15 Thread Sean Cavanaugh

> From: [EMAIL PROTECTED]
> Date: Thu, 15 May 2008 20:47:26 +0200
> To: support@pfsense.com
> Subject: Re: [pfSense Support] Virtualizing pfSense
> 
> 
> On 15.05.2008 at 19:24, Sean Cavanaugh wrote:
> 
> >
> >> __
> >> Date: Thu, 15 May 2008 12:05:53 -0400
> >> From: [EMAIL PROTECTED]
> >> To: support@pfsense.com
> >> Subject: [pfSense Support] Virtualizing pfSense
> >>
> >> Good Day All,
> >>
> >> I would like to take a reasonable machine and run some  
> >> virtualization software on it so that I can run both pfSense and a  
> >> copy of a standard workstation image so I can use it for remote  
> >> testing.  The workstation image will not need to run that often  
> >> but I need to make sure it is running in the same type of  
> >> environment as the rest of the internal workstations.
> >>
> >> Can I safely run pfSense and another OS in a virtualized  
> >> environment without compromising security?
> >>
> >> If so can you give me a basic idea of what I need.  Do I need 3  
> >> physical NICs in the machine 1 WAN, 1 LAN, 1 for the workstation  
> >> image.  I will probably use VMWare Workstation 6.0 is there  
> >> anything special I need to do with it, etc.
> >>
> >> Your help is greatly appreciated.  I have pfSense running in a  
> >> number of buildings and it works great but this is just one more  
> >> new twist to it for me.
> >>
> >> Ron.
> >>
> >
> > I currently run this type of setup at home. I have a windows 2003  
> > server with VMWare server 2.0 beta running on it.
> 
> 
> 
> Does VMware Server 2.0 come with VMware Tools for FreeBSD6?
> And how do you install them in pfSense?
> 
> 
> 
> Rainer


for the record, VMWare tools is included in the ports collection and they don't 
really do anything beyond provide a clock sync between the virtual image and 
the host PC which if set up properly won't skew off by enough to really worry 
about anyway. they are almost not worth installing. pfSense has an option to 
sync to an NTP server already and i just run an NTP sync program within my BSD 
server image.

but yes VMWare Server does come with the tools ISO's

-Sean


RE: [pfSense Support] Virtualizing pfSense

2008-05-15 Thread Sean Cavanaugh

>__
>Date: Thu, 15 May 2008 12:05:53 -0400
>From: [EMAIL PROTECTED]
>To: support@pfsense.com
>Subject: [pfSense Support] Virtualizing pfSense
>
>Good Day All,
>
>I would like to take a reasonable machine and run some virtualization software 
>on it so that I can run both pfSense and a copy of a standard workstation 
>image so I can use it for remote testing.  The workstation image will not need 
>to run that often but I need to make sure it is running in the same type of 
>environment as the rest of the internal workstations.
>
>Can I safely run pfSense and another OS in a virtualized environment without 
>compromising security?
>
>If so can you give me a basic idea of what I need.  Do I need 3 physical NICs 
>in the machine 1 WAN, 1 LAN, 1 for the workstation image.  I will probably use 
>VMWare Workstation 6.0 is there anything special I need to do with it, etc.
>
>Your help is greatly appreciated.  I have pfSense running in a number of 
>buildings and it works great but this is just one more new twist to it for me.
>
>Ron.
>

I currently run this type of setup at home. I have a windows 2003 server with 
VMWare server 2.0 beta running on it. The computer has 3 NICs to help segregate 
traffic.
onboard NIC is for Win2k3 network access, NIC card 1 is for WAN use for 
pfSense, NIC card 2 is a gigabit for LAN for pfSense image as well as LAN 
access for my FreeBSD server image. i have all protocols turned off on NIC 
cards 1 and 2 except for the VMWare connector so Win2k3 will only see raw 
traffic on those ports and not do any processing of it. i also turned off the 
VMWare connector to the onboard NIC so i cannot accidentally bind it with a 
virtual image.

security of the system is for the most part no worse than having them all on 
different systems. as long as the host system is treated with more care since 
it controls when those virtual images run, it should not be any more concern 
than normal.








RE: [pfSense Support] Intel Pro 1000 VT

2008-05-15 Thread Sean Cavanaugh

>From: [EMAIL PROTECTED]
>To: support@pfsense.com
>Date: Thu, 15 May 2008 15:47:09 +0100
>Subject: RE: [pfSense Support] Intel Pro 1000 VT
>
>Hi Sean,
>
>Sorry didn’t put this in the message below, the Broadcom (NetXtreme BCM5722) is
>actually the embedded NIC so I can’t replace :(
>
>Is my only option a custom build (if I can find the FreeBSD drivers for it)?
>
>Cheers
>Adam

I was referring to adding in a PCI, PCI-X or PCI-E network card with a 
supported chipset.

pfSense includes all the network drivers from the FreeBSD version it is 
tracking. Currently pfSense-1.2.RELEASE uses FreeBSD 6.2 but there is a testing 
release that is based on 6.3 that I'm seeing referenced more and more to solve 
some hardware related issues. If the chipset manufacturer has made their own 
drivers that work for FreeBSD (HIGHLY unlikely) then a custom build would be 
feasible but a pretty daunting task in of itself.

-Sean







RE: [pfSense Support] Intel Pro 1000 VT

2008-05-15 Thread Sean Cavanaugh


> From: [EMAIL PROTECTED]
> To: support@pfsense.com
> Date: Thu, 15 May 2008 09:50:17 +0100
> Subject: RE: [pfSense Support] Intel Pro 1000 VT
> 
> I originally thought the problem was that the Intel was not working and the
> Broadcom was, however with my recent findings have led me to believe neither
> were working originally :(
> 
> I've had a look at the supported hardware list for FreeBSD 7 and it doesn't
> appear in there. I'm quite worried that there is no way round this problem.
> 
> Cheers
> 
> Adam

If the hardware is not on the supported hardware list, they will NOT work with 
pfSense. You will have to get another NIC for the server.


RE: [pfSense Support] RRD errors

2008-05-14 Thread Sean Cavanaugh

why didn't you go straight to 1.2-RELEASE?


From: [EMAIL PROTECTED]
To: support@pfsense.com
Date: Wed, 14 May 2008 13:55:20 -0700
Subject: [pfSense Support] RRD errors





Good afternoon,


Yesterday I re-imaged my primary PF box with 1.2RC2 and then upgraded 
to 1.2-RELEASE. My RRD graphs are broken and the RRD page says look at the log. 
Upon looking at the logs I see the following;

May 14 13:52:27  php: /status_rrd_graph_img.php: Failed to create graph with 
error code 1, the error is: /libexec/ld-elf.so.1: Shared object "libpng.so.5" 
not found, required by "rrdtool"  

May 14 13:52:27  php: /status_rrd_graph_img.php: Failed to create graph with 
error code 1, the error is: /libexec/ld-elf.so.1: Shared object "libpng.so.5" 
not found, required by "rrdtool"  

May 14 13:52:27  php: /status_rrd_graph_img.php: Failed to create graph with 
error code 1, the error is: /libexec/ld-elf.so.1: Shared object "libpng.so.5" 
not found, required by "rrdtool"  

May 14 13:52:27  php: /status_rrd_graph_img.php: Failed to create graph with 
error code 1, the error is: /libexec/ld-elf.so.1: Shared object "libpng.so.5" 
not found, required by "rrdtool"  

May 14 13:52:26  php: /status_rrd_graph_img.php: Failed to create graph with 
error code 1, the error is: /libexec/ld-elf.so.1: Shared object "libpng.so.5" 
not found, required by "rrdtool"  

May 14 13:52:26  php: /status_rrd_graph_img.php: Failed to create graph with 
error code 1, the error is: /libexec/ld-elf.so.1: Shared object "libpng.so.5" 
not found, required by "rrdtool" 

What can be done? TIA.


-W


Wade Blackwell


"Integrity is often more painful and always more profitable than perception 
management" 





RE: [pfSense Support] Trouble installing on old Dell 6450

2008-03-19 Thread Sean Cavanaugh

> Date: Wed, 19 Mar 2008 16:35:11 -0400
> From: [EMAIL PROTECTED]
> To: support@pfsense.com
> Subject: Re: [pfSense Support] Trouble installing on old Dell 6450
> 
> On 3/19/08, Sean Cavanaugh <[EMAIL PROTECTED]> wrote:
> 
> > I just find it odd that straight FreeBSD will install fine on it but
> > FreeSBIE and pfsense freeze or crash.
> 
> Straight FreeBSD does not use GEOM for labeling the various partitions.
> 
> The two do not operate the same, so there is nothing strange about it.
> 
> Scott
> 
then it makes sense. I will try and see about trying a different drive as I 
don't have another slimline drive but do have normal sized ones.

Sean


RE: [pfSense Support] Trouble installing on old Dell 6450

2008-03-19 Thread Sean Cavanaugh

> Date: Wed, 19 Mar 2008 16:20:59 -0400
> From: [EMAIL PROTECTED]
> To: support@pfsense.com
> Subject: Re: [pfSense Support] Trouble installing on old Dell 6450
> 
> On 3/19/08, Sean Cavanaugh <[EMAIL PROTECTED]> wrote:
> > The system is 32-bit only and I only have required devices enabled. I have
> > tried it with many different configurations of devices turned on or off as
> > well as with ACPI mode on or off. Either its frozen in best case, or Kernel
> > Trap in worst case.
> 
> This will sound strange but try a different cd-rom drive.
> 
> Scott
> 
I just find it odd that straight FreeBSD will install fine on it but FreeSBIE 
and pfsense freeze or crash.

Sean


RE: [pfSense Support] Trouble installing on old Dell 6450

2008-03-19 Thread Sean Cavanaugh

> Date: Mon, 10 Mar 2008 11:14:45 +
> From: [EMAIL PROTECTED]
> To: support@pfsense.com
> Subject: Re: [pfSense Support] Trouble installing on old Dell 6450
> 
> Sean Cavanaugh wrote:
> > FreeSBIE also freezes. it sits at the line "Trying to mount root from
> > cd9660:/dev/iso9660/FreeSBIE"
> > I can scroll back thru the loader but it will not go any farther and I
> > don't see any activity on the CD drive.
> 
> 
> have you got 32bit access enabled in the BIOS? can you check that you
> don't have shared IRQs (disable hardware you don't need, usb, serial,
> parallel) to free up resources?
> 
The system is 32-bit only and I only have required devices enabled. I have 
tried it with many different configurations of devices turned on or off as well 
as with ACPI mode on or off. Either its frozen in best case, or Kernel Trap in 
worst case.


Re: [pfSense Support] Trouble installing on old Dell 6450

2008-03-09 Thread Sean Cavanaugh

--
From: "Chris Buechler" <[EMAIL PROTECTED]>
Sent: Saturday, March 08, 2008 8:54 PM
To: 
Subject: Re: [pfSense Support] Trouble installing on old Dell 6450


Sean Cavanaugh wrote:
I can install FreeBSD on it with zero issue. don't even have to disable 
ACPI.

pfsense freezes right after it sees the raid array as a viable HDD.


Interesting, not what I would have suspected. Can you try booting FreeSBIE 
2.0.1 on that box?  http://www.freesbie.org/downloads.php


I'm guessing it's related to our LiveCD, and that FreeSBIE will exhibit 
exactly the same problem because the pfSense LiveCD is built using 
FreeSBIE's scripts. Either way it would be good to know what happens.



FreeSBIE also freezes. it sits at the line "Trying to mount root from 
cd9660:/dev/iso9660/FreeSBIE"
I can scroll back thru the loader but it will not go any farther and I don't 
see any activity on the CD drive. 






Re: [pfSense Support] Trouble installing on old Dell 6450

2008-03-06 Thread Sean Cavanaugh
I can install FreeBSD on it with zero issue. don't even have to disable 
ACPI.

pfsense freezes right after it sees the raid array as a viable HDD.

-Sean

--
From: "Chris Buechler" <[EMAIL PROTECTED]>
Sent: Thursday, March 06, 2008 2:22 PM
To: 
Subject: Re: [pfSense Support] Trouble installing on old Dell 6450


Sean Cavanaugh wrote:
Has anyone else attempted to install pfsense on a Dell 6450? booting from 
the CD in normal mode it will freeze during hardware lookup and booting 
with ACPI turned off it gets a kernel trap 12 error almost immediately.


Google found a suggestion from someone to enable "OS install mode" in the 
BIOS for the initial install (which limits the accessible RAM), do the 
install, then turn that back off after confirming you can successfully 
boot the install. Someone did get stock FreeBSD installed successfully 
this way.


Also I'd make sure it has the latest BIOS on it, I've seen many various 
pieces of Dell hardware do weird stuff on FreeBSD and/or pfSense with old 
BIOS revisions when they work flawlessly on the latest.







[pfSense Support] Trouble installing on old Dell 6450

2008-03-06 Thread Sean Cavanaugh
Has anyone else attempted to install pfsense on a Dell 6450? booting from the 
CD in normal mode it will freeze during hardware lookup and booting with ACPI 
turned off it gets a kernel trap 12 error almost immediately.

worth a shot. doesn't have to happen.

-Sean

RE: [pfSense Support] Load Balancing further info

2008-03-04 Thread Sean Cavanaugh

load balancing is fairly easy to learn.

first step, the user sends a request (i.e. visiting www.cnn.com)
his computer will forward the request to the gateway (let's assume pfsense set 
up with load balanced WAN connections)
pfsense will then assign the current connection state to a WAN interface. this 
should happen with states spread evenly across all WAN links.
as long as information being transmitted between the user's computer and 
www.cnn.com are part of the same stream, it will use the same connection path 
on the WAN link. if the user goes to www.msnbc.com also, this will start a new 
state connection on the firewall and would theoretically use a different WAN 
link than the first connection to www.cnn.com.

some issues with this is if the state is set to a very short TTL, then the user 
will constantly be setting up new states and will be bouncing all over the WAN 
links. this can make it really bad if they're trying to use encrypted protocols 
as it will not be valid and will more than likely be denied a lot.

if the value is set too high, states will build up on a WAN interface and 
persist longer than need be. they will however be more reliable as encrypted 
protocols will have a nice stable connection.

a misconfiguration in how the states are load balanced will lead to one WAN 
link being more heavily favored than others.

this isn't the BEST explanation but should help some.
 
-Sean

> From: [EMAIL PROTECTED]
> To: support@pfsense.com
> Date: Tue, 4 Mar 2008 16:50:26 +0200
> Subject: [pfSense Support] Load Balancing further info
>
> Hi,
>
> Excuse my ignorance on this one.
>
> I am having a debate with my boss.
>
> Please explain to me the basics of load balancing ?
>
> IP address x is accessing www.cnn.com
>
> It arrives at the load balancer which at that point in time pings a
> pre-determined gateway / IP address. Based on that speed, it will then
> submit the request over that line and wait for the transmission ?
>
> How does it actually decide which WAN port to send the packet ? is it
> constantly pinging on all WAN ports ?
>
> How is a typical webpage broken down into packets ? i.e. how many packets
> are there in a typical page ?
>
> Again apologies for the simple ness...just want to get my head around the
> load balancing / round robin concept.
>
> Lastly, looking at usage on the interfaces. My WAN port is showing quite a
> bit of throughput while my OPT1 and OPT2 aren't. I have setup my system as
> close to the manual as possible but it doesn’t seem to be load balancing
> correctly.
>
> Regards,
>
> Mike Lever
>
> Tenacity Films (Pty) Ltd t/a
> Velocity Films
>
> (T) +2711-807-0100
> (F) 086-681-7518
>
> http://www.velocityfilms.com
>
> CONFIDENTIALITY CAUTION: If you have received this communication in error,
> please note that it is intended for the addressee only, is privileged and
> confidential and dissemination or copying prohibited. Please notify us
> immediately by e-mail and return the original message. Thank you.
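The state-to-WAN behaviour described in the message above, as an added example that is not part of the original thread: a simplified Python model (not pf's or pfSense's actual code) in which new states are handed out round-robin and an expired state forces a fresh assignment. The link names follow the thread; the LAN addresses, `siteN.example` hosts, packet timings and TTL values are constructed.

```python
"""Toy model of per-state WAN selection on a multi-WAN gateway.

Simplified and constructed for illustration: new states are assigned
round-robin, a live state pins its flow to one WAN link, and an idle
state is dropped once state_ttl seconds pass without traffic.
"""
from dataclasses import dataclass, field
from itertools import cycle

WANS = ["WAN", "OPT1", "OPT2"]                   # link names used in the thread
SESSION = ("192.168.1.10", "www.cnn.com", 443)   # constructed long-lived flow


@dataclass
class Gateway:
    wans: list
    state_ttl: float
    states: dict = field(default_factory=dict)   # flow -> (wan, expires_at)
    peak_states: int = 0

    def __post_init__(self):
        self._round_robin = cycle(self.wans)

    def forward(self, flow, now):
        """Return the WAN link used for one packet of `flow` at time `now`."""
        # Drop every state whose idle timer has run out.
        self.states = {f: s for f, s in self.states.items() if s[1] > now}
        if flow in self.states:
            wan = self.states[flow][0]           # existing state: same link
        else:
            wan = next(self._round_robin)        # new state: next link in turn
        self.states[flow] = (wan, now + self.state_ttl)
        self.peak_states = max(self.peak_states, len(self.states))
        return wan


def build_traffic():
    """Constructed traffic: one session sending a packet every 30 s for
    10 rounds, with an unrelated one-packet flow 15 s after each."""
    packets = []
    for i in range(10):
        t = 30 * i
        packets.append((t, SESSION))
        packets.append((t + 15, ("192.168.1.20", f"site{i}.example", 80)))
    return packets


def simulate(state_ttl):
    """Return (links the long session used, peak state-table size)."""
    gw = Gateway(WANS, state_ttl)
    session_links = set()
    for now, flow in build_traffic():
        wan = gw.forward(flow, now)
        if flow == SESSION:
            session_links.add(wan)
    return sorted(session_links), gw.peak_states


if __name__ == "__main__":
    for ttl in (10, 60, 3600):
        links, peak = simulate(ttl)
        print(f"ttl={ttl:>4}s  session used {links}  peak states={peak}")
```

With the 10-second TTL the session's state expires between packets, so the same session leaves through all three links and the remote server sees its source address change; with 3600 seconds it stays on one link while every finished flow's state lingers in the table.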

Re: [pfSense Support] Help Get Games And SW Working Please

2008-02-29 Thread Sean Cavanaugh

are you trying to set the ports up under "rules" or under "NAT" in the menu?

-Sean

--
From: "SD" <[EMAIL PROTECTED]>
Sent: Friday, February 29, 2008 8:15 PM
To: 
Subject: [pfSense Support] Help Get Games And SW Working Please

We recently installed pfSense firewall/routers, now none of my games 
work (BF2, america's army).


My trading software isn't working either.

I tried the static port thing but it didn't help.

Can someone please help.  Thank you.

SD.




RE: [pfSense Support] pfSense Hardware opinion

2008-02-29 Thread Sean Cavanaugh
guestimating high user loads on the systems since you said it's for a 
university. Those servers will do very nicely. pfsense doesn't use up much 
resources. average home user can run a 233MHz system with 128 megs of RAM and 
be good. something like 1k of RAM per state on the firewall. you will prob not 
ever use more than 500 meg on the HDD unless you install packages that do a lot 
of logging.
 
also look over the sizing recommendations on the pfsense website
http://www.pfsense.org/index.php?option=com_content&task=view&id=52&Itemid=49
 
comparatively, those servers look like they should be able to handle a full 
gigabit throughput with high number of states with no issue.
-Sean


Date: Fri, 29 Feb 2008 14:41:01 +
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [pfSense Support] pfSense Hardware opinion

Hi All,

I was wondering of testing pfsense in a production environment like (a 
university).
What do you guys think of this hardware ?

DELL PowerEdge R200
Quad Core Intel® Xeon® X3210,  2.13GHz OR Quad Core Intel® Xeon® X3210,  2.13GHz
2 Gigabit nics
2GB RAM 667MHz dual rank ECC (2x1GB)
160GB SATA 7200rpm

I think that the Harddisk and RAM is more than enough, but what about the 
processor and the hardware
do you ever tried this DELL PowerEdge R200 with pfsense ? Did you find any 
drawbacks ?

Best regards and thanks on your opinion
Nuno

RE: [pfSense Support] Load kernel error

2008-02-28 Thread Sean Cavanaugh
pfSense will run the CD as a LiveCD. it does not do an automated installer. 
When the system is fully up, select Option 99 on the console to initiate the 
HDD installer which will step you thru the partitioning and formatting of the 
HDD. make sure to use the GRUB loader as it avoids some other problems.
 
-Sean



> From: [EMAIL PROTECTED]
> To: support@pfsense.com
> Date: Thu, 28 Feb 2008 20:04:47 +0200
> Subject: RE: [pfSense Support] Load kernel error
>
> Hi Gary,
>
> Thanks for that info. I am using a standard installation not an embedded
> device (I think, I'm working off a standard desktop, HDD, no CF)
>
> I also tried a fresh re-install and it installs fine, then boots up. I
> noticed the problem. The platform is CDROM and obviously disk usage is at
> 100%. So it appears to be working off the CD and not the HDD
>
> During installation, how do I set it to format the HDD and install on the
> hard drive ? I have watched the installation and it is all automated and
> doesn't allow me to set the target installation.
>
> Regards,
>
> Mike Lever
>
> Tenacity Films (Pty) Ltd t/a
> Velocity Films
>
> (T) +2711-807-0100
> (F) 086-681-7518
>
> http://www.velocityfilms.com
>
> CONFIDENTIALITY CAUTION: If you have received this communication in error,
> please note that it is intended for the addressee only, is privileged and
> confidential and dissemination or copying prohibited. Please notify us
> immediately by e-mail and return the original message. Thank you.
>
> -Original Message-
> From: Gary Buckmaster [mailto:[EMAIL PROTECTED]
> Sent: 28 Feb 2008 07:55 PM
> To: support@pfsense.com
> Subject: Re: [pfSense Support] Load kernel error
>
> Can I assume that this is an embedded device you're trying to upgrade?
> If so, this is a reported issue and has been discussed several times on
> this mailing list. Use the shell upgrade method provided or re-flash
> your CF card.
>
> Mike Lever wrote:
> > While trying to upgrade to 1.2 using the webgui update I received an error
> > during the next bootup
> >
> > Loading /boot/defaults/loader.conf
> > Unable to load a kernel !
> > -
> > Cant load 'kernel'
> >
> > It freezes there.. I've tried to reinstall from scratch, the setup runs fine
> > but freezes at the same point in bootup.
> >
> > What did I do wrong and what can I do to correct it ? using the
> > Regards,
> >
> > Mike Lever

RE: [pfSense Support] Setting gateways ?

2008-02-26 Thread Sean Cavanaugh
scratch that. i see rl3 now. what I dont see is the IP address assigned to the 
interface.
 
-Sean


From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Date: Tue, 26 Feb 2008 12:33:42 -0500
Subject: RE: [pfSense Support] Setting gateways ?

i only see rl0, rl1, and rl2 listed as your interfaces. where do you have an 
rl3?
and for the ones listed, they all seem to have correct gateways assigned to 
them.

-Sean


From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Date: Tue, 26 Feb 2008 17:48:30 +0200
Subject: [pfSense Support] Setting gateways ?





Hi,
 
I haven’t had a reply from anyone.. please !! any assistance would greatly be 
appreciated. I know this may seem like a basic question but its bringing my 
network to a halt  !
 
For some reason my rl3 interface has adopted the same gateway as rl0
 
It should be 196.38.235.105, I have set it up statically that way in interfaces 
setup. Where else can I change it or what is causing it to be set that way ? 
 
Regards,
 
 
Mike Lever
 
Tenacity Films (Pty) Ltd t/a
Velocity Films
 
(T) +2711-807-0100
(F) 086-681-7518

http://www.velocityfilms.com
 
 
CONFIDENTIALITY CAUTION: If you have received this communication in error, 
please note that it is intended for the addressee only, is privileged and 
confidential and dissemination or copying prohibited. Please notify us 
immediately by e-mail and return the original message. Thank you.
 
 


Re: [pfSense Support] Squid - storeDiskdInit: msgget: (28) No space left on device

2008-02-23 Thread Sean Cavanaugh
you can install one of the recent snapshots as they are as stable as they 
get. also if you hit any roadblocks and let the devs know about it, they 
will fix it for release.


-Sean

--
From: "Javier Enrique Tiá Marín" <[EMAIL PROTECTED]>
Sent: Friday, February 22, 2008 6:35 PM
To: 
Subject: Re: [pfSense Support] Squid - storeDiskdInit: msgget: (28) No space 
left on device



 I'm just telling you before Scott and the other devs tell you to.
 There have been a huge number of bugfixes and changes since 1.01.


OK, I'm waiting for Final Release 1.2.


 Are you trying to install this package on your own, or as one of the
 supported packages through the GUI?


Supported packages




Re: [pfSense Support] Updated Snort not blocking on alerts

2008-02-12 Thread Sean Cavanaugh
you should upgrade pfSense to 1.2-RC4 as 1.0.1 has a lot of bugs that have 
long since been patched.


--
From: "Brent" <[EMAIL PROTECTED]>
Sent: Tuesday, February 12, 2008 5:14 PM
To: 
Subject: [pfSense Support] Updated Snort not blocking on alerts


I've been running pfsense 1.0.1 built on Sun Oct 29 01:07:16 and using the
version of snort that came with that. I had snort blocking hosts that generate
a snort alert..well that feature doesn't seem to work after upgrading snort to
the latest version snort 2.7.0.1_3 ..is there something I'm missing ? or anyone
got any insight to snort installation / upgrade on pfsense 1.0.1

thanks in advance

--
Brent




RE: [pfSense Support] Strategy for Multiple-Subnet LAN on Single Port

2008-02-07 Thread Sean Cavanaugh
set the LAN interface to use VLANs?
 
-Sean



> Date: Thu, 7 Feb 2008 04:36:40 -0800
> To: support@pfsense.com
> From: [EMAIL PROTECTED]
> Subject: [pfSense Support] Strategy for Multiple-Subnet LAN on Single Port
>
> After searching the archives, the forum and conferring with Mr. Google,
> I've not found anything about the best/correct strategy to use to support
> multiple LAN subnets on a single LAN port.
>
> The Questions
> =============
> - is using address aliases the correct/optimal/best way to create the WAN
> aliases?
>
> - if using address aliases is *not* the best way, what is?
>
> - if using address aliases *is* the best way, I assume that the commands
> should be entered in a /etc/rc script:
>
> * if a /etc/rc script is the right way, what's the rc processing flow
> on FreeBSD ... i.e., usually there's a standard script naming that will
> automatically cause it to get included in the startup processing ... what
> is it on this *NIX?
>
> * if a /etc/rc script isn't the right way, what is (I'm not familiar
> with Perl or php but am very comfortable with shell scripting)?
>
> - are there any problems with the overall approach we're using, here?
>
> TIA
>
> Background Info
> ===============
> Graphically, we have (all addresses are "made up", LAN switches omitted)
> ... view in mono-spaced font:
>
> [ASCII network diagram garbled in the archive. Labels that survive: a LAN
> server with aliased IPs 172.16.1.50 (WAN: domain1.com), 172.16.2.50 (WAN2:
> domain2.com) and 172.16.3.50 (WAN3: domain3.com); a Mac at 172.16.1.100 and
> a PC at 172.16.1.200; pfSense 1.2RC4 with LAN addresses 172.16.1.1,
> 172.16.2.1 and 172.16.3.1; WAN 4.4.8.4 (domain1.com), WAN2 4.4.16.4
> (domain2.com) and WAN3 4.4.32.4 (domain3.com), connected through a switch
> to DSL.]
>
> Being 2 small offices, our pfSense setup and requirements are relatively
> simple:
>
> - we have a single LAN port and 3 WAN ports for 3 DHCP-assigned static
> public IP addresses
>
> - since the DHCP assignment relies on a MAC address, we have the "normal"
> WAN port plus WAN2 and WAN3 (i.e., OPT1 and OPT2)
>
> - Outbound NAT is set to "Automatic outbound NAT rule generation (IPsec
> passthrough)"
>
> - all 3 WANs have ports mapped onto a LAN-resident server that supports
> the web serving for the 3 different domain names via virtual hosts based
> upon IP:port binding using the 3 different subnets (the server's single
> port is aliased to reside on the 3 subnets)
>
> - the WAN port is the only one that sees any "general" LAN-resident
> traffic (i.e., other than the traffic that's mapped to/from the server)
> and the WAN2/WAN3 ports only see/allow traffic that's mapped onto the
> LAN-resident server
>
> - I split our DNS services for private/public address access so NAT
> reflection is not an issue (being a development shop, we have multiple
> internal-only servers as well)
>
> - we have a second basic LAN/WAN-only pfSense at another office with an
> IPSec tunnel running and we have PPTP configured
>
> What's Been Done
>
> What I've done is simply added address aliases on the otherwise
> 172.16.1.1 LAN port via
> ifconfig sk0 alias 172.16.2.1/24
> ifconfig sk0 alias 172.16.3.1/24
> (the Web interface then reports it as the last-added alias)
>
> The only rules are:
>
> - Port Forward: for each of WAN/WAN2/WAN3, allow incoming HTTP/HTTPS ...
> e.g.:
> allow TCP to port 80 on WAN2/4.4.16.4/domain2.com into 172.16.2.50 port 80
>
> - Firewall Rules: for each of WAN/WAN2/WAN3, allow inbound HTTP/HTTPS ...
> e.g.:
> allow TCP from any IP on any port in via
> gateway/WAN2/4.4.16.4/domain2.com to 172.16.2.50 port 80
>
> - Firewall Rules: for each of the LAN subnets, allow all out via the
> mapped WAN/gateway ... e.g.:
> allow any protocol from 172.16.2.0/24 on any port to any destination out
> on any port via gateway/WAN2/4.4.16.4/domain2.com (this could be more
> restrictive for WAN2 & WAN3)
>
> This all seems to work quite well but I need to automate the aliasing, if
> that's the end solution.

RE: [pfSense Support] Multiple servers behind NAT'd firewall

2008-02-06 Thread Sean Cavanaugh
you have "internal NAT reflection" turned off?

-Sean


Date: Wed, 6 Feb 2008 15:03:34 -0500
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [pfSense Support] Multiple servers behind NAT'd firewall




I am having a problem:
 
I have multiple virtual mail servers behind a pfsense firewall. Now on each 
server, I have multiple domains. Now sending to the domain from google or yahoo 
is perfect and out again is perfect but when I send a message from one virtual 
server to another which is hosting the destination domain, it errors out. 
 
Now when I telnet the public IP that the 1st virtual is assigned, it just sits 
there and times out. This is making it impossible to send messages from domain 
to domain within the network. 
 
Any ideas?
 
 
 
 

Re: [pfSense Support] Problem with pfSense-1.2-RC4-Embedded

2008-02-02 Thread Sean Cavanaugh
to double check, did you extract the image before trying to install it? you 
cannot install it as a .gz


-Sean

--
From: "Javier León" <[EMAIL PROTECTED]>
Sent: Saturday, February 02, 2008 3:19 PM
To: 
Subject: [pfSense Support] Problem with pfSense-1.2-RC4-Embedded



Hello!!!

I have problems when I try to install pfSense-1.2-RC4-Embedded.img.gz. We
indicated that the hardware on the install:

FabiaTech, model FX5620

Once installed last 5 minutes and the system is blocked. Why because it
can be?

Javier León Villamayor
IT Technician
New Technologies Department
Ayuntamiento de Daganzo
Telephone: 91 884 52 59 EXT. 633
Mobile: 670335307
[EMAIL PROTECTED]
http://www.ayto-daganzo.org






RE: [pfSense Support] Pfsense public intenet w/ authentication

2008-01-31 Thread Sean Cavanaugh
security wise, remember that more and more programs are using HTTP tunneling to 
get out thru firewalls. this type of traffic cannot really be stopped that well 
without layer 4+ firewalls that look at packet content. you will however block 
most of the joe blow users that will try stuff. also adding in blocks to 
specific sites will help cut down on nefarious activities.
 
-Sean




> Date: Thu, 31 Jan 2008 10:40:23 -0600
> From: [EMAIL PROTECTED]
> To: support@pfsense.com
> Subject: [pfSense Support] Pfsense public intenet w/ authentication
>
> I have a small computer shop and would like to setup free / open access
> point so that clients can use it while in the shop. But I don't want it
> so open that my neighbors are using it for nefarious purposes. Can
> somebody recommend a configuration.
>
> My thoughts:
> Add another nic and a wireless router or access point w/ captive portal
> Add a wireless nic Ad-Hoc w/ captive portal
> Setup up some sort of VLan w/ Access point
>
> Any recommendation on the route I should go? Another route?
>
> And a lazy question (I've not really looked into it) - what is best /
> easiest way to lock this connection down to HTTP only. And will failure
> to log into the captive portal block all traffic or just prevent browsing?
>
> Thanks,
> -Dane

Re: [pfSense Support] 1.2rc4 fresh install - Disable Paging

2008-01-25 Thread Sean Cavanaugh
perhaps that's the log files being written?

I run my system with 256 megs of RAM with heavy bandwidth usage of my 16 mbit 
connection and I barely peak over 35% memory utilization (that's with THOUSANDS 
of states due to bittorrent)

-Sean


From: Anil Garg 
Sent: Friday, January 25, 2008 3:47 PM
To: support@pfsense.com 
Subject: Re: [pfSense Support] 1.2rc4 fresh install - Disable Paging


Ok. I will leave paging on.  I just kind of think its silly that for one user 
at home I still hear my hdd constantly make noise of read-write... But then I 
am not technical enough to know what is causing that..

Thanks for your advice.


- Original Message 
From: Vivek Khera <[EMAIL PROTECTED]>
To: support@pfsense.com
Sent: Friday, January 25, 2008 11:09:37 AM
Subject: Re: [pfSense Support] 1.2rc4 fresh install - Disable Paging



On Jan 25, 2008, at 1:46 PM, Anil Garg wrote:


  I have a machine with 1GB of Ram on which I wish to install pfsense 1.2rc4.

  Does anyone know how to disable paging after installation since we have much 
more memory than we need.

  Essentially, is there a way to run pfsense entirely from ram.



Unless your system needs more than that RAM, you will never hit the swap 
partition.  However, what you're asking is essentially to run your system 
without swap, means that when you *do* need more memory, you would rather the 
system panic than degrade performance.


I'd recommend monitoring if you ever go to swap, and then react to it, rather 
than making the system panic for out of memory.





RE: [pfSense Support] Attempting to install pfSense; gets stuck

2008-01-25 Thread Sean Cavanaugh
are you trying to use VMware to install straight to the CF card? if so, that's 
not how you install to them.
http://doc.pfsense.org/index.php/HOWTO_Install_pfSense#Embedded_.28Compact_Flash.29_Installation
 
-Sean



> From: [EMAIL PROTECTED]
> To: support@pfsense.com
> Date: Fri, 25 Jan 2008 09:00:33 -0800
> Subject: Re: [pfSense Support] Attempting to install pfSense; gets stuck
>
> On Jan 25, 2008, at 3:51 AM, Paul M wrote:
>
> > Scott Ullrich wrote:
> >> That portion of the installer takes quite a while depending on speed
> >> of the CF card, etc. Give it a bit longer.
> >>
> >
> > I presume the CF card is mounted noatime,async (or whatever it is in
> > freebsd, I am thinking linux here)? I found that async makes a huge
> > difference in speed - I had a flash memory card I thought was broken as
> > it took so long to write, then I remembered to do async and it was so
> > much faster!
>
> I did not do anything special. I booted the live CD under vmware and
> everything works great, until it gets stuck.
>
> I tried booting without ACPI and left it running for 11 hours so far,
> and it is STILL stuck.
>
> Any ideas?
>
> -Galen

RE: [pfSense Support] License

2008-01-24 Thread Sean Cavanaugh
technically it already is. if you want elevated support, they charge for it. 
but out of that comes upgrades and feature enhancements of the software for all 
users. also the rewards programs on the forum for adding functionality that is 
being asked for.
 
-Sean



> From: [EMAIL PROTECTED]
> To: support@pfsense.com
> Date: Thu, 24 Jan 2008 10:34:08 -0800
> Subject: [pfSense Support] License
>
> Since this is becoming more of a commercial project, do we have to worry
> about this becoming a pay software?
>
>
> Richard Sperry

Re: [pfSense Support] vista_problem

2008-01-18 Thread Sean Cavanaugh
remember that Vista tries to use IPv6 as the default protocol instead of 
IPv4. double check your network connection settings that they are properly 
configured under vista as it is a little bit more finicky.


-Sean

--
From: "Gary Buckmaster" <[EMAIL PROTECTED]>
Sent: Friday, January 18, 2008 9:31 AM
To: 
Subject: Re: [pfSense Support] vista_problem

Is the Vista machine able to see other devices on the network (ie: inside 
your LAN)?  Is the networking configuration information for the Vista 
machine identical to the XP Pro machine?  What shows up in the pfSense 
firewall logs?  Have you used tcpdump to capture the packet traffic and 
ensure its actually hitting the interfaces?  Whatever problem you are 
having, its either specific to the Vista machine, or your firewall rules.

-Gary

Vino wrote:

Hi,

I have a problem  with windows VISTA  connecting to an Aten KVM switch 
cn6000.  behind   PFsense 1.2rc4   with client tool  or web based


i am running  pfsense in filtered bridge mode

with Vista (vista firewall  disabled or enabled)  and PFsense  set with 
all ports open , source and destination set properly   and using all or 
any protocol setting, there is no connection whatsoever.


with windows XP pro from within the same network it works well

of course disabling PFsense altogether makes it work.

any suggestions?

regards,

Luigi



















Re: [pfSense Support] 802.11x

2008-01-16 Thread Sean Cavanaugh
comcast requires only basic TCP/IP connection. it does not use 802.1x for any 
advanced traffic flow that would affect pfsense.
just put pfsense with DHCP on WAN and that's all you should need to get going.

-Sean


From: Curtis LaMasters 
Sent: Wednesday, January 16, 2008 11:06 PM
To: support@pfsense.com 
Subject: Re: [pfSense Support] 802.11x


I guess I'm failing to put this together... 802.11x is a wireless standard that 
has not yet been defined...and 802.1x is network access control...does Comcast 
require this?

Curtis 

Re: [pfSense Support] 802.11x

2008-01-16 Thread Sean Cavanaugh
I get all 16 mbit of my comcast connection here. if anything pfsense runs 
BETTER than crappy linksys/netgear/dlink/belkin standalone routers for 
broadband connections. windows systems have no issue

-Sean


From: Richard Sperry 
Sent: Wednesday, January 16, 2008 9:04 PM
To: support@pfsense.com 
Subject: [pfSense Support] 802.11x


Does anyone know  if 802.11x is enabled on the WAN?  I have really slow speeds 
on comcrap, and I know this is an issue if you're running windows.


RE: [pfSense Support] Problem during dev_bootstrap and big sound when boot

2008-01-08 Thread Sean Cavanaugh
that's the sound that pfsense uses to let you know audibly that it is fully up. 
it plays the same notes in reverse when its shutting down. VMWare screws it up 
and drags the half second melody into a long drawn out mess. by default, it is 
played thru the PC speaker, not the soundcard hence why VMWare will still play 
it even if the pfsense image does not have a sound card associated with it.
 
-Sean


From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Date: Tue, 8 Jan 2008 23:54:39 +0800
Subject: [pfSense Support] Problem during dev_bootstrap and big sound when boot




Dear all,
 
I already installed the development edition of pfsense on Vmware workstation 6. 
It is almost well, but I still met two problems:
1. During the dev bootstrap process, the script reported the below errors:
  Unknown collection “tools”
  Unknown collection “www”
  
  However, it still download the collection “pfSense”. It looks like that it 
could not download collection “tools” & “www”, do I have another way to get them?
 
2. when booting the development edition on Vmware workstation 6, before the 
console menu showing up, it always send several seconds big sound though I 
remove the sound card in VM setting. Do you have solution for disabling this 
sound?
 
Highly appreciated for any comment, suggestions for the above problems!
 
Have a good day!
 
Best wishes,
Jian
  

RE: [pfSense Support] Virtual Ips

2007-12-26 Thread Sean Cavanaugh
First step, upgrade to latest release, 1.2-RC3 as there have been MANY fixes 
put in since 1.0.1
 
-Sean



> Date: Wed, 26 Dec 2007 09:17:45 -0800
> From: [EMAIL PROTECTED]
> To: support@pfsense.com
> Subject: RE: [pfSense Support] Virtual Ips
>
> I am having the same problem. I have an external IP from Qwest which is
> part of an 8-IP address block. That IP is the "gateway" and the others
> are for my use. So I am trying to assign them to devices on my local
> net.
>
> I set up mine in virtual IP, and created a NAT rule with the option
> selected to also create an associated firewall rule.
>
> I can surf out to the internet just fine but I can not access the device
> through the IP I designated, from the outside going in.
>
> I don't know about you, but I am using pfSense 1.01 and no extra
> services like Squid. One person suggested that Squid was installed and
> was block the entrance from the outside. But that was not the case
> because it is not installed.
>
> So I am in the same boat you are.
>
>
> James Kusler, Information Technology Manager
> PHONE| 509.624.1613 or 800.822.4456 FAX| 509.624.1604
> [EMAIL PROTECTED] | www.sound-tele.com | www.solaxis.com
>
> -Original Message-
> From: Ryan Rodrigue [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, December 26, 2007 9:19 AM
> To: support@pfsense.com
> Subject: [pfSense Support] Virtual Ips
>
> I have a stupid question.. I am trying to set up 2 servers with a separate
> external IP addresses. My wan IP is x.x.x.74 I want to use x.x.x.73 for
> server 1 and x.x.x.72 for server 2. Server 1 is 192.168.1.10 and server 2
> is 192.168.1.11. I think i have to set this up in 1:1 nat, Firewall rules,
> and also in Virtual IPs. Is there anywhere else i need to set this up, It
> doesn't seem to be working. Maybe I have this way off or something else.
> Thanks for your help.

RE: [pfSense Support] Setting up on Soekris NET5501-70 with all features

2007-12-19 Thread Sean Cavanaugh
the full install image is an ISO, meaning CD based install.
the embedded install image has a disk image for putting it on compact flash, 
but that wont let you install any packages once up and running.
 
-Sean



> From: [EMAIL PROTECTED]
> To: support@pfsense.com
> Date: Wed, 19 Dec 2007 14:09:22 -0500
> Subject: RE: [pfSense Support] Setting up on Soekris NET5501-70 with all features
>
>
>
> -Original Message-
> From: Chris Buechler [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, December 19, 2007 1:24 PM
> To: support@pfsense.com
> Subject: Re: [pfSense Support] Setting up on Soekris NET5501-70 with all features
>
> Christopher Iarocci wrote:
> > Is there no way to default it to the serial console before putting the
> > hard drive in the 5501 except this procedure? This means I have to have
> > a piece of hardware with VGA, keyboard and 2 NIC cards that also will
> > connect a SATA II drive. I don't have that sort of hardware laying
> > around that is not in use.
> >
> > I appreciate trying to get around modifying the image, but I really need
> > to do it that way due to the hardware constraints. What I really need is
> > a how-to modify the image to have serial enabled on a full pfsense
> > version. Is it as simple as modifying the default config.xml file in the
> > image?
> >
>
> You can modify config.xml or loader.conf, but you need some way to
> install to the HD and you can't put a CD-ROM on a 5501, so I don't see
> what the problem is with doing it that way.
>
> I was going to install to the hard drive by using my USB to SATA adapter
> hung off another computer the same way I do m0n0wall. Will PFSense boot
> from USB? Maybe I can do it your way if it does. Maybe I am not sure on
> the install procedure and am missing something. You refer to a CDRom. Is
> it not possible to download and put the image on a hard drive without a
> CDRom? Maybe I need to be pointed in the direction of RTFM. I was assuming
> the image could simply be put on a hard drive using physdiskwrite in the
> same manner as m0n0wall.
>
> Chris

Re: [pfSense Support] Checkin 20231

2007-11-28 Thread Sean Cavanaugh
it would never affect fall because DST rolls back at 2am. 2:58, 
1:59,1:00,1:01.

it would only ever catch it once.
spring it could screw up because it skips ahead. 1:59,3:00

fix it and set it to sync at 3 am and there will never be a problem.

--
From: "Chris Buechler" <[EMAIL PROTECTED]>
Sent: Wednesday, November 28, 2007 1:53 PM
To: 
Subject: Re: [pfSense Support] Checkin 20231


Bill Marquette wrote:

You might look at the code a little closer.  It happens on the first
day of the month at 2:01am.  In fall the worst that would happen if it
happens to fall on the same day is the code will run twice.  In
spring, we could potentially miss the run _if_ the time zone change
occurs on the first.



Which doesn't happen in the spring during the next 50 years.
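
The scheduling argument in this thread, as an added example that is not part of the original messages or of pfSense: it counts how many times a wall-clock time occurs on a local date, so a job on the 1st at 02:01 can be compared with one at 03:00 across DST changes. The zone `America/New_York` and the sample dates are assumptions for illustration (the thread names no zone); the 2008-2057 range follows its "next 50 years".

```python
"""Count how often a cron-style wall-clock time occurs on a local date across DST."""
from datetime import datetime, timezone
from zoneinfo import ZoneInfo

# Assumption: the thread never names a zone; US Eastern is used for illustration.
TZ = ZoneInfo("America/New_York")


def occurrences(naive: datetime, tz: ZoneInfo = TZ) -> int:
    """Return 0 if the wall-clock time is skipped, 2 if it repeats, else 1."""
    instants = set()
    for fold in (0, 1):  # fold picks the first or second reading of a repeated time
        utc = naive.replace(tzinfo=tz, fold=fold).astimezone(timezone.utc)
        # A time inside the spring-forward gap does not survive the round trip.
        if utc.astimezone(tz).replace(tzinfo=None) == naive:
            instants.add(utc)
    return len(instants)


def monthly_runs(hour: int, minute: int, first_year: int, last_year: int,
                 tz: ZoneInfo = TZ) -> dict:
    """For a job on the 1st of every month at hour:minute, return the
    (year, month) pairs where it would run 0 or 2 times instead of once."""
    odd = {}
    for year in range(first_year, last_year + 1):
        for month in range(1, 13):
            count = occurrences(datetime(year, month, 1, hour, minute), tz)
            if count != 1:
                odd[(year, month)] = count
    return odd


if __name__ == "__main__":
    # Constructed sample dates: 2009-03-08 and 2009-11-01 are transition days
    # in the assumed zone; 2009-11-01 is also a first-of-month.
    for label, when in [
        ("spring 02:01", datetime(2009, 3, 8, 2, 1)),
        ("spring 03:00", datetime(2009, 3, 8, 3, 0)),
        ("fall   01:30", datetime(2009, 11, 1, 1, 30)),
        ("fall   02:01", datetime(2009, 11, 1, 2, 1)),
    ]:
        print(label, "occurs", occurrences(when), "time(s)")
    print("1st @ 02:01 anomalies:", monthly_runs(2, 1, 2008, 2057))
    print("1st @ 03:00 anomalies:", monthly_runs(3, 0, 2008, 2057))
    print("1st @ 01:30 anomalies:", monthly_runs(1, 30, 2008, 2057))
```

Only the 01:00-01:59 hour repeats on a fall-back day and only 02:00-02:59 is skipped on a spring-forward day, which is why the minute chosen for the job matters as much as the date.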




Re: SV: [pfSense Support] Needed broadband speed OpenVPN

2007-11-26 Thread Sean Cavanaugh
I'm guessing you might want something with at least a 512kbps MINIMUM upload 
speed, more like a 1-5mbps upload depending on what your budget will be.
download speeds only count for internet traffic and most DSL service is more 
than adequate to handle a small office like that.


-sean

--
From: "Leif Nilsson" <[EMAIL PROTECTED]>
Sent: Monday, November 26, 2007 2:32 PM
To: 
Subject: SV: [pfSense Support] Needed broadband speed OpenVPN


Thanks for your answer!

Well the fileserver is domain server for all employees to log on to.
So I think that this will generate some load on the broadband.
To PfSense we will use 2Ghz with 2Gb RAM.

But as I said I'm not sure what kind of speed on the broadband I need.

-Original Message-
From: Chris Buechler [mailto:[EMAIL PROTECTED]
Sent: November 26, 2007 20:04
To: support@pfsense.com
Subject: Re: [pfSense Support] Needed broadband speed OpenVPN

Leif Nilsson wrote:


Hi all!



I have a question what kind of speed you need for OpenVPN tunnels with
clients.

Total employees are on site A 15, site B 10 and site C 5, and approx.
15 employees on different locations with client access.

Most of the traffic will be http, mail, fileserver on site A.



That sounds like pretty minimal load, but you'll have to tell us what
kind of expected throughput you require. If it's less than 5 Mbps or so
sustained, a 300-400 MHz system will be plenty.





Re: [pfSense Support] error /libexec/ld-elf.so.1: squid: Undefined symbol "__sbmaskrune"

2007-11-23 Thread Sean Cavanaugh
upgrade to 1.2-RC3 and install the packages.


From: Nicolas Fabris 
Sent: Friday, November 23, 2007 2:03 PM
To: support@pfsense.com 
Subject: [pfSense Support] error /libexec/ld-elf.so.1: squid: Undefined symbol 
"__sbmaskrune"


 

Folks, after of download bash, mc and squid with pkg_add -rv ***

 

I run  bash, mc, or squid command but always have the same error

 

/libexec/ld-elf.so.1: squid: Undefined symbol "__sbmaskrune"

 

Can someone help me?

 

Thks a lot

 

Ver. 1.0.1

 

 

Lic. Nicolas A. Fabris
Information Security
Processes and Systems Management
O.S.P.R.E.R.A.
Tel. 4312-2500 ext. 3181
[EMAIL PROTECTED]

 

 


Re: [pfSense Support] pfSense 1.01 - Logging Problems

2007-11-20 Thread Sean Cavanaugh
upgrade to latest version, there has been a lot of bugs fixed since 1.0.1 
was released


--
From: "Sally Janghos" <[EMAIL PROTECTED]>
Sent: Tuesday, November 20, 2007 9:17 PM
To: 
Subject: [pfSense Support] pfSense 1.01 - Logging Problems


Hi All,

 I've noticed after running for a week or two my pfSense 1.0.1 box stops 
logging.  It appears the following processes just die off:

  /usr/sbin/tcpdump -l -n -e -ttt -i pflog0
  logger -t pf -p local0.info

 Is this a known issue?  Can anyone help out?

Thanks,
 S.J




RE: [pfSense Support] 1.2RC3 update

2007-11-20 Thread Sean Cavanaugh
If you have an embedded system (running off a CompactFlash card) use the
embedded update. If you are running a full install (i.e, running from HDD
and have packages installed) then use full update.

 

 

-Sean


From: Atkins, Dwane P [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, November 20, 2007 3:51 PM
To: support@pfsense.com
Subject: RE: [pfSense Support] 1.2RC3 update

 

I see it when I go to pfsense.org, I go to download pfsense in the left
window pane, and then under "Upgrading the Previous Version", I click on
updates.  Then I click on a mirrored site, normally the one out of Seattle.


 

Then I see the one that says pfSense-Embedded-Update-1.2-RC3.tgz , not full
and embedded as I stated.  Sorry.  And I also see the one that states, [ ]
pfSense-Full-Update-1.2-RC3.tgz
   

 

Which one do I use if I want to just upgrade my system?  Thanks


Dwane

 

-Original Message-
From: Chris Buechler [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, November 20, 2007 9:40 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] 1.2RC3 update

 

Atkins, Dwane P wrote:

> 
> We are confused as to which is the upgrade we need to do for the 
> latest firmware.  Is it the Full-and-embedded update or is it just the 
> full update?
> 

Where are you seeing a Full-and-embedded file?  There shouldn't be any 
of those around anymore for RC3, it's split into two files. Use the full 
update for full installs, embedded for embedded installs.

 

 


Re: [pfSense Support] Support in 1.3 for nforce ethernet driver?

2007-11-10 Thread Sean Cavanaugh
its not part of FreeBSD 6.2 so I don't see it happening at all until pfSense 
goes to FreeBSD7 next year like Scott said. also 1.2 has been on feature 
freeze anyway due to getting a full release out. There is nothing wrong 
with compiling your own version of pfSense from the developers ISO with the 
driver compiled in the mean time.


-Sean

- Original Message -
From: "Mike Myers" <[EMAIL PROTECTED]>
To: 
Sent: Saturday, November 10, 2007 5:47 PM
Subject: Re: [pfSense Support] Support in 1.3 for nforce ethernet driver?

I expected you'd be moving to freebsd 7 at some point, but is there no 
chance to get it supported in 1.2?


Thanks,
Mike


- Original Message 
From: Scott Ullrich <[EMAIL PROTECTED]>
To: support@pfsense.com
Sent: Saturday, November 10, 2007 2:34:35 PM
Subject: Re: [pfSense Support] Support in 1.3 for nforce ethernet driver?


On Nov 10, 2007 5:29 PM, Mike Myers <[EMAIL PROTECTED]> wrote:

I've had pretty decent with these boards under linux, but pfsense is

my first foray into freebsd territory.  Pfsense supports a ton of
ethernet interfaces, and I was just surprised this didn't work.

Support for these types of NICS are in FREEBSD 7 and will be coming to
pfSense early next year.

Scott




RE: [pfSense Support] Installing new NIC with unsupported drivers

2007-11-09 Thread Sean Cavanaugh
DLink is mostly crap anyway. Experience with and straight from a former
DLink employee. I have had great success with cheap netgear cards though
(have a gigabit with offloading running currently in my firewall). But yes,
stick with approved hardware as its overall easier.

-Sean

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED] 
Sent: Friday, November 09, 2007 4:33 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Installing new NIC with unsupported drivers

On Nov 9, 2007 11:11 AM, Rahav Nathaniel <[EMAIL PROTECTED]> wrote:
> Hello,
>
> Apologies for the cross-post with the forum.pfsense.com but I am
> working under a very urgent deadline to get my box up and running and have
> encountered a major hurdle:
>
>
> I have a D-Link DGE-560T NIC that I'm trying to get working on a new
> pfsense box running 1.2-RC3 .
>
> As per this post:
> http://www.mail-archive.com/support@pfsense.com/msg10873.html
> I have downloaded the Marvell drivers for the DLink.
> (note the user comments on New Egg for why Marvell drivers are better
> than DLinks :
> http://www.newegg.com/Product/Product.aspx?Item=N82E16833127163&Tpk=dlink%2bDGE560T)
>
> First problem I had was that libmbpool.ko was missing and required by
> the driver.
> A kind soul on the pfsense forums gave me a copy for 1.2-RC3 which I
> put in /boot/kernel/
>
> next, executing the command kldload if_myk.ko (the driver) completes
> successfully but the NIC does not come up.
>
> Since I am new to FreeBSD (but not to *nix) can somebody please give me
> advice how to troubleshoot this?
>
> I checked dmsg and saw a Network Controller without a driver assigned to
> it on PCI7. I can assume this is my DLink since all the other NIC's are
> loaded fine.
>
> Please, any advice as to how to trouble shoot this would be greatly
> appreciated.


Why not purchase a NIC that is supported?  They are CHEAP these days.
Pick up a Intel NIC.

Scott




RE: [pfSense Support] VIPs + NAT??

2007-11-08 Thread Sean Cavanaugh
There's an option under System >> Advanced called "Disable NAT Reflection".
Uncheck this option to let you browse internal servers using the external IP
or DNS.

 

-Sean

 


From: Justin Refice [mailto:[EMAIL PROTECTED] 
Sent: Thursday, November 08, 2007 8:38 PM
To: support@pfsense.com
Subject: [pfSense Support] VIPs + NAT??

 

I've got what appears to be simple question, but for the life of me I can't
figure this one out.

I've got a pfsense firewall setup between a local subnet (192.168/16) and my
internet provider.  The provider has given me two subnets 11.22.33.192/29
and 11.22.44.16/28.

The WAN IP is in the larger subnet:  11.22.44.17/28

For any given IP in the above subnets, 1 or more IP's exist in the private
domain.  Eg: 

11.22.33.194 port 25 = 192.168.0.2 port 25
11.22.33.194 port 80 = 192.168.0.3 port 80
11.22.44.17 port 25 = 192.168.0.4 port 25

This is all working fine (yay!).  The problem is that the private subnet
can't access IP's on the public subnet.  So, for example, 192.168.0.2 can
connect to www.google.com just fine.  192.168.0.2 can NOT connect to
11.22.33.194   though...  the packet just gets dropped
somewhere.

I've got the VIP's setup using Proxy ARP, because there are two subnets (And
apparently CARP requires that the IP exist in the same subnet as the WAN
IP). 

Just as a test, I setup a CARP for 11.22.44.18, and the same problem exists.

Basically, it seems like I need to tell the firewall the right rules on the
LAN interface to clear this up... but like I said, I can't figure it out. 

Thanks for any help,  

Justin



RE: [pfSense Support] Diff (1.2-RC3 and 1.3)

2007-11-05 Thread Sean Cavanaugh
Put simply, use the 1.2-RC3 snapshot. It's the most current.

-Sean

-Original Message-
From: DLStrout [mailto:[EMAIL PROTECTED] 
Sent: Monday, November 05, 2007 6:46 PM
To: support@pfsense.com
Subject: [pfSense Support] Diff (1.2-RC3 and 1.3)

Just wondering if there is a difference between
1.2RC3 & 1.3.  If so then where might one find a
feature list or change log.  I looked on the
CVStrack "timeline", and could see anything there
is the release.

Thanks.
--
David L. Strout
Engineering Systems Plus, LLC







RE: [pfSense Support] Best method to upgrade a 1.0 on a wrap

2007-10-31 Thread Sean Cavanaugh
you stated the procedures of how to update the embedded version perfectly, back 
up config, reflash new image, and import config. This is the reason some users 
have been looking at the 4gig solid state "drives" that plug into the IDE 
socket on some of their systems so they can run the full version and not have 
to suffer the restrictions of an embedded style install while not having to run 
a bulky or noisy HDD.
 
here is an example of what I am referring to
http://linitx.com/viewproduct.php?prodid=11281
 
-Sean



> To: support@pfsense.com
> From: [EMAIL PROTECTED]
> Date: Wed, 31 Oct 2007 08:05:05 -0400
> Subject: [pfSense Support] Best method to upgrade a 1.0 on a wrap
>
> Hi,
>
> I'm currently running 1.0-RELEASE (embedded) on a wrap and I was
> wondering what was the best way to upgrade to 1.2-RC2. I tried via the
> web interface and it didn't work, so I guess the only way left is to
> backup my config, write 1.2-RC2 image on the flashcard, then restore my
> config. Is there another way?
>
> Regards,
>
> Ugo

RE: [pfSense Support] Multi Link Router instead of Firewall

2007-10-30 Thread Sean Cavanaugh
it should. in simplest terms, a router passes all, a firewall blocks all. same 
actual packet routing occurs.


Date: Tue, 30 Oct 2007 15:25:42 -0500
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: [pfSense Support] Multi Link Router instead of Firewall

So, it would still load Balance/Failover as a router in that case I assume.
Thanks for the information.

--
Heath
[EMAIL PROTECTED]

From: Sean Cavanaugh <[EMAIL PROTECTED]>
Reply-To:
Date: Tue, 30 Oct 2007 16:08:06 -0400
To:
Subject: RE: [pfSense Support] Multi Link Router instead of Firewall

> Date: Tue, 30 Oct 2007 14:07:13 -0500
> From: [EMAIL PROTECTED]
> To: support@pfsense.com
> Subject: [pfSense Support] Multi Link Router instead of Firewall
>
> Is it possible to setup a Multi WAN (Failover/Load Balance) configuration
> and bypass the Firewall? Basically setting the pf box up as a router and
> using another firewall behind the Pf box to act as a filter?
>
> I noticed an option in the pF interface to do such a thing, but figured I
> better check before I get into it too deep.
>
> Will it still function the same way?
>
> Thanks
>
> --
> Heath Henderson
> [EMAIL PROTECTED]

it will run as a router only if you want it to just fine. only difference is a
"Pass all" rule that's generated.


RE: [pfSense Support] Multi Link Router instead of Firewall

2007-10-30 Thread Sean Cavanaugh


> Date: Tue, 30 Oct 2007 14:07:13 -0500
> From: [EMAIL PROTECTED]
> To: support@pfsense.com
> Subject: [pfSense Support] Multi Link Router instead of Firewall
>
> Is it possible to setup a Multi WAN (Failover/Load Balance) configuration
> and bypass the Firewall? Basically setting the pf box up as a router and
> using another firewall behind the Pf box to act as a filter?
>
> I noticed an option in the pF interface to do such a thing, but figured I
> better check before I get into it too deep.
>
> Will it still function the same way?
>
> Thanks
>
> --
> Heath Henderson
> [EMAIL PROTECTED]

it will run as a router only if you want it to just fine. only difference is a
"Pass all" rule that's generated.

RE: [pfSense Support] rrdtool core dump

2007-10-30 Thread Sean Cavanaugh
 



> Date: Tue, 30 Oct 2007 06:42:09 -0500
> From: [EMAIL PROTECTED]
> To: support@pfsense.com
> Subject: Re: [pfSense Support] rrdtool core dump
>
> Rainer Duffner wrote:
> >
> > On 30.10.2007 at 00:39, Wally Mono wrote:
> >
> >> Rainer,
> >>
> >> Thanks so much for your response.
> >> To be clear, I am running the live cd version, so there is nothing to
> >> re-install. Are you saying just reconfigure from scratch? Would this
> >> imply some sort of corruption in the configuration file?
> >
> > Ah.
> > Can't you just try a newer snapshot? (Yours said to be from August)
> > Just to be sure it isn't fixed already.
> > I know that the devs don't like to debug problems with months-old
> > snapshots
> >
> > I just checked - I'm running an August 8th snapshot on a WRAP and I
> > don't have this problem.
> > I'm too lazy to update regularly (I've got to dismantle the WRAP
> > completely and I don't like to do that too often)
> >
> > cheers,
> > Rainer
>
> So if I understand you correctly, the pfSense-1.2-RC2-Embedded.img.gz on
>
> on the download site today is not the same as the one I downloaded in
> August? That seems a little problematic. Perhaps I COULD contribute
> something to this project in the way of version control advice; put a
> build # on the release! It could be yy.mm.dd.
>
> I'm not sure this is actually how they are released, but I have always
> been a little annoyed and leery of the fact that the timestamp on the
> files in the download area always have the current date. If indeed the
> current RC2 is actually a silently rolling version, some indication
> needs to be placed either on it (my preference) or, at the very least, in
> a readme file called something like AA_VERSION.txt
>
> I will try burning a new copy this weekend. FWIW I have another box
> running the identical version, but not using OPT1(multiwan) and I do not
> have this same problem of the rrdtool crashing.

The build server rebuilds the image every 2 hours incorporating CVS changes
that are going on. after 1.2 release they are already looking at incorporating
a build version into the image name to be able to discern whether your version
is actually out of date. it's an issue with the build server that they are
treating as a low priority until the next full release.
 
to actually see what changes are currently incorporated, check the CVStrac 
website at http://cvstrac.pfsense.com/timeline
 
so in essence, build version issue is old news and will be fixed eventually.
until then, the image on the snapshots server will always be the latest and
greatest even if version name doesn't change.
 
-Sean 
 

RE: [pfSense Support] DNS Issues with 1.2 RC2

2007-10-26 Thread Sean Cavanaugh
I try and stay away from ISPs that do that kind of stuff as much as possible
(even though I use Comcast which got nailed for throttling BitTorrent traffic).
I know some areas don't have an alternative ISP to dump to. If you are using
this for a business service then that is something you might be able to get a
Service Level Agreement worked out with them to unrestrict the ports. Home
users will pretty much always be boned on that front though.
 
-Sean



> Date: Fri, 26 Oct 2007 17:00:21 +0100
> From: [EMAIL PROTECTED]
> To: support@pfsense.com
> Subject: Re: [pfSense Support] DNS Issues with 1.2 RC2
>
> Sean Cavanaugh wrote:
> > I personally use OpenDNS for everything since they're outside of what the
> > ISP handles.
>
> surely it's easier to simply run your own caching resolvers? that way
> you can force a cache flush if you're changing your own DNS.
>
> the only time either your or my strategy fails is when you have an ISP
> like NTL in the UK who do udp:53 hijacking (just like they force all web
> traffic through their proxies, they do similar with DNS!). the only way
> I found round that was to put my own resolver on a public lan at work on
> a different port and hack my local bind9 config to resolve off it!

RE: [pfSense Support] DNS Issues with 1.2 RC2

2007-10-26 Thread Sean Cavanaugh
I personally use OpenDNS for everything since they're outside of what the ISP
handles.
only "downside" is that if it cannot resolve a domain for HTTP, it pulls up 
their search page instead.
 
-Sean




> From: [EMAIL PROTECTED]
> To: support@pfsense.com
> Date: Fri, 26 Oct 2007 09:20:52 -0400
> Subject: Re: [pfSense Support] DNS Issues with 1.2 RC2
>
> I will try this later to see what the result is. Scott's suggestion of using
> a static route worked perfectly. The trouble seemed to come from using OPT1
> and OPT2 DNS servers as the default. The pfsense machine was trying to
> resolve with those DNS servers using the WAN interface. I added entries for
> the LAN section of the firewall rules. This set the correct outbound
> interface for machines on the LAN but did not seem to help the pfsense
> machine itself. If the ISP used on the WAN interface did not have lousy DNS
> servers, I would never have noticed this issue.
>
> Robert
>
> On Friday 26 October 2007 05:36, Paul M wrote:
> > Robert Goley wrote:
> > > based routing. DNS refuses to work. This is because the pfsense machine
> > > can
> >
> > I have no answer for you, but an idea to try.
> >
> > run "tcpdump -l -n -i xxx udp and port 53" on the firewall for each
> > interface xxx in turn whilst trying to resolve and see if any packets
> > are seen.

Re: [pfSense Support] Re: Inbound TCP/53, auto?

2007-10-17 Thread Sean Cavanaugh
if you are running your own internal DNS server to handle the DNS traffic 
then set a rule to forward all TCP/UDP port 53 to the server.


-Sean

- Original Message -
From: "Ugo Bellavance" <[EMAIL PROTECTED]>
To: 
Sent: Wednesday, October 17, 2007 8:27 PM
Subject: [pfSense Support]  Re: Inbound TCP/53, auto?


Vivek Khera wrote:

> On Oct 17, 2007, at 4:16 PM, Ugo Bellavance wrote:
>
>> Are TCP packets automatically accepted by pfsense or should I open
>> TCP/53 at wide?  I query DNS servers directly, I don't use my ISP's DNS
>> servers for many reasons, so I can't just open TCP/53 for these DNS
>> servers.
>
> enable the DNS proxy on pfsense.  it will use the public DNS servers you
> configure.  then point your clients to the pfsense proxy (which DHCP on
> pfsense will do automatically).
>
> end of problem.



No,

as I said we don't use external DNS servers because we have high DNS load 
(between 200 and 500 DNS queries/sec) and we don't want to have any extra 
steps in a DNS query.  We don't want to run more services than necessary 
on pfsense so the dns proxy and DHCP server are off on the pfsense.


Thanks,
Ugo





RE: [pfSense Support] Default number of states

2007-10-16 Thread Sean Cavanaugh
just look at how much total RAM and CPU you are using during high state usage
and adjust accordingly. most likely it is low enough that you can up it to
where you need it to be. just don't run more states than the box can handle. aim
for 80-90% resource utilization at most to find your maximum number of states.
 
-Sean
 



> To: support@pfsense.com
> From: [EMAIL PROTECTED]
> Date: Tue, 16 Oct 2007 08:07:04 -0400
> Subject: [pfSense Support] Default number of states
>
> Hi,
>
> The default number of max states is 10 000. I use a dual core xeon
> with 2 GB ram. Can I increase it considerably? I'm already constantly
> over 10 000 and the heaviest part of the day has yet to come.
>
> I've set it to 25 000 now just to make sure, but since a PIX 501
> guarantees 75 000 concurrent sessions and a 515, 125 000, could I
> increase it a lot more?
>
> Regards,
>
> Ugo

Re: [pfSense Support] jabber and NAT woes

2007-09-26 Thread Sean Cavanaugh
realistically you don't want to do anything not directly kernel related in 
kernel space. that's the reason old windows would Blue Screen when a word 
document loaded incorrectly. kernel should be untouched and as such will 
make for a much more reliable OS, hence why FreeBSD is way more stable than 
linux.


just because you can, doesn't mean you should.

-Sean

- Original Message -
From: "Chris Buechler" <[EMAIL PROTECTED]>
To: 
Sent: Wednesday, September 26, 2007 9:03 PM
Subject: Re: [pfSense Support] jabber and NAT woes


Will Miles wrote:
> The Linux kernel supports doing NAT reflection directly in the kernel,
> which is why it 'just works' with IPCop.  Unfortunately, the FreeBSD
> gurus claim that their NAT system is not capable of doing this within the
> packet filtering framework.  That said, it /is/ possible to trick it into
> behaving this way, and I assembled a patch for my own usage to solve this
> specific problem, but since the experts claim it's not possible there's
> no guarantee it will behave correctly in all circumstances.  I'll see if
> I can get it together over the weekend - I'm still using one of the 1.2
> betas, though, so it'd take me a bit to update it for the RC build.  That
> said, it doesn't remove the proxy-based reflection scheme, so if you're
> interested in the patch you can always go back to whichever model you
> find works best for you.




I don't think anyone's ever said it isn't possible, the things I recall 
reading were more along the lines of not wanting to do it. I don't recall 
the reasoning offhand.


If you have some change that makes it work, it would be interesting to 
see. Please post it.






RE: [pfSense Support] Re: jabber and NAT woes

2007-09-26 Thread Sean Cavanaugh
I have same issue with port forwarding. thought it was a config problem for me. 
I have SSH on a non-standard port on the WAN side and it is supposed to be 
forwarding to standard port 22 on the LAN side server. I get a connection 
established, but no data (not even a logon prompt) and then about 15 seconds 
later it will finally drop the connection.
 
-Sean



> Date: Wed, 26 Sep 2007 12:50:50 +1000
> From: [EMAIL PROTECTED]
> CC: support@pfsense.com
> Subject: [pfSense Support] Re: jabber and NAT woes
>
> I've done a further test. I also get my connection dropped if I use ssh
> and ssh to a public IP address that is port forwarded to a server in the
> LAN.
>
> So I'm guessing this issue is something to do with NAT on pfSense,
> rather than ejabberd.
>
> Any help will be very appreciated.
>
> Geoff Crompton wrote:
> > We've just transitioned from using IPCop 1.4.13 to using pfSense 1.2-RC2.
> > The transition wasn't so bad. However we are having problems with jabber
> > connections now.
> >
> > Our ejabberd (version 1.1.2-6, from the Etch Debian package) runs inside
> > a vserver in our dmz zone. Our domain name jabber.strategicdata.com.au
> > resolves to the IP address on the WAN interface (not a Virtual IP). We
> > have configured NAT rules to port forward the connections to the
> > ejabberd vserver.
>
> --
> Geoff Crompton
> Debian System Administrator
> http://www.strategicdata.com.au
> Phone: +61 3 9340 9000
> Fax: +61 3 9348 2015

RE: [pfSense Support] Sluggish network performance

2007-09-18 Thread Sean Cavanaugh
Upgrade to 1.2-RC2 first and see if that helps. it's based on FreeBSD 6.2 as
opposed to 6.1 that the 1.0 release was on.
 
-Sean
 



> Date: Tue, 18 Sep 2007 08:57:09 -0700
> From: [EMAIL PROTECTED]
> To: support@pfsense.com
> Subject: [pfSense Support] Sluggish network performance
>
> Good morning,
> I am seeing intermittent performance issues, particularly with
> samba traffic, between the LAN and DMZ. The machine PF is running AMD
> Athlon(tm) processor (950.04-MHz 686-class CPU) with a gig of memory.
> The NICS in the box are xl0: 3Com 3c905B-TX, fxp0: Intel 82558
> Pro/100, fxp1:  10/100BaseTX>. PF version is 1.0-RC1. The rulesets on
> the box are almost nothing and the only impacting change is I changed
> the state to 1,000,000 maximum connections (they run a lot of nmap scans
> through the box). I know this is a very general issue and there may not be
> enough good information to diagnose it but has anyone seen
> intermittent sluggish samba performance through PF? If so was PF the
> culprit and what did you do to remedy it? The only errors I saw that
> looked related are below. Thanks.
>
> xl0: tx underrun, increasing tx start threshold to 120 bytes
> dc0: TX underrun -- increasing TX threshold
> dc0: TX underrun -- increasing TX threshold
>
> --
> Wade Blackwell
> "Women don't want to hear what you think, women want to hear what they
> think---in a deeper voice" Bill Cosby
> "Integrity is often more painful and always more profitable than
> perception management"

RE: [pfSense Support] anyone noticed slowdown in RC1 or RC2?

2007-09-05 Thread Sean Cavanaugh


> Date: Tue, 4 Sep 2007 23:13:42 -0400
> From: [EMAIL PROTECTED]
> To: support@pfsense.com
> Subject: Re: [pfSense Support] anyone noticed slowdown in RC1 or RC2?
>
> Jonathan Horne wrote:
> > On Monday 03 September 2007 03:20:00 Chris Buechler wrote:
> >
> >> No clue... I haven't heard back since I emailed him offlist with some
> >> info on his captures. I would definitely be interested in knowing what
> >> caused that to happen, hopefully he'll post back.
> >>
> >> I'm running Vista and don't have this issue.
> >
> > hi chris, does your vista have the ipv6 turned off, or are you running the
> > default setup?
>
> It's completely stock, I haven't made any changes to the default network
> configuration. Still has IPv6 enabled.
>
> I find it odd that FreeBSD is doing that to you. IPv6 has been on by
> default for quite some time, but I've never seen any of my boxes attempt
> v6 prior to v4. Most of mine are running custom kernels that strip out
> anything not used including IPv6, but some are running GENERIC and I
> haven't seen this at all.

If I remember correctly, FreeBSD uses IPv6 and IPv4 protocol stacks separately.
even though v6 is enabled by default, it won't use it unless it gets settings
for it. Vista on the other hand is IPv6 native with technically a backport to
IPv4, so it will try and do network traffic with v6 before v4. Also remember
that Microsoft set their TCP/IP protocol to use a private subnet in case it was
unable to pick up an IP from DHCP (169.254.x.x) and I wouldn't be surprised if
they did the same thing with v6 protocol also. If you're not using v6, you
should remove it or at least disable it on your interfaces.
 
-Sean
