[pfSense Support] pfsense - carp - windows - mac address issues

2011-08-29 Thread Shibashish
Hi,

I have pfSense Version2.0-RC1 (i386). I have 2 LAN and a WAN interface. On
one of the LAN interface, I have a few Windows servers. The LAN2 carp ip on
pfSense is the default gateway for the LAN2 servers. I have some Linux
servers in the network too. There are issues with Windows servers. The
Windows servers are not getting the correct mac address for the CARP ip. The
arp set is mostly the mac address of real LAN1 or LAN2 interface but never
the mac address of the carp ip. Hence, the Windows servers are not able to
ping the gateway or get into the network. How to get around this problem?

I am on windows 2008 server R2. I also have a couple of layer 2 Cisco 2960G
between them. Thanks.

ShiB.
while ( ! ( succeed = try() ) );


[pfSense Support] Restrict bandwidth for a virtual ip

2011-08-18 Thread Shibashish
Hi,
I have pfSense Version2.0-RC1 (i386) which runs multiple websites and acts
as a load balancer too. I have a website which is eating up all
my bandwidth. I want to restrict that ip to use 10Mbps of my bandwidth and
keep the rest for others. How do I restrict that one ip to not eat all my
bandwidth?

ShiB.
while ( ! ( succeed = try() ) );


Re: [pfSense Support] best practices [SOT?]

2011-08-04 Thread Shibashish
On Thu, Aug 4, 2011 at 5:03 PM, mayak-cq ma...@australsat.com wrote:

 hi all,

 i have deployed pfsense since its earliest versions and it has simply
 proven to be one of the best pieces of software that i have ever used. i
 have had several calls now from clients asking me questions about network
 security in light of articles like this one:

 http://finance.yahoo.com/news/Report-Global-cyberattack-apf-4118716199.html


 and the obvious question is how to protect a network against such an
 attack. assuming that i have configured pfsense correctly and that i have an
 additional firewall on my servers, and that i have tcpwrappers and selinux
 running, what else can one do?

 i am aware of snort, etc, but these attacks appear to be related to
 specially crafted e-mails that infect the workstation (unbeknownst to the
 antivirus) and start accessing and sending files over the wire on legitimate
 ports. other than snort, are they things that i should be doing (most
 notably inbound lan rules) in order to defend against threats?

 many thanks

 m


Fantastic question... even I have the same query and would like to know
more... maybe the experts can throw some light on this. Also, some tips or
best-practice methods in pfSense would be great !


ShiB.
while ( ! ( succeed = try() ) );


Re: [pfSense Support] which version

2011-07-28 Thread Shibashish
On Thu, Jul 28, 2011 at 3:38 PM, Nick Upson n...@telensa.com wrote:

 Hi,

 I'm about to build a replacement firewall for my existing hardware, which
 is running 1.2.3, I see 2.0 is available. would anyone care to comment on
 a) the stability of 2.0 in production
 b) the ease of transition (hopefully I could just load a 1.2.3 backup into
 the 2.0)

 --
 Nick Upson (01799 533252)

 I am on Version 2.0-RC1 (i386)
built on Thu Mar 17 07:27:35 EDT 2011 .

was on version 1.2.3 earlier. 2.0 running from end of April 2011. Running
high volume production website.

ShiB.
while ( ! ( succeed = try() ) );


[pfSense Support] Carp failover time

2011-07-02 Thread Shibashish
Hi,

What is the average time for the carp failover to kick in... i.e. how
much time does it take for the backup to become master and start
serving requests and vice versa? Is the timing parameter configurable?
I have both the WAN and LAN gw as carp ip.

Version2.0-RC1 (i386)
built on Thu Mar 17 07:27:35 EDT 2011

ShiB.
while ( ! ( succeed = try() ) );

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org



Re: [pfSense Support] Diffrent Gateway Adress ( External )

2011-06-14 Thread Shibashish
2011/6/14 Koray AGAYA insanad...@gmail.com

 Thank you for your information

 I added 1:1 NAT section like below I tested same result external gateway
 not changed. Gateway address is 2.2.2.2 What is my mistake ?

   MAIL 2.2.2.4/32 10.0.1.12/32 mail.mems.metu.edu.tr

  On Tue, Jun 14, 2011 at 4:02 AM, Vick Khera vi...@khera.org wrote:

 On Mon, Jun 13, 2011 at 4:03 PM, Koray AGAYA insanad...@gmail.com wrote:
  I tested external gateway IP on 10.0.1.12, I learned default external
  gateway IP, go to www.whatismyip.com and result ip is 2.2.2.2 I don't want
  this (2.2.2.2) I want to go out 2.2.2.4 but I could not. because both
  interfaces (WAN and MAIL) default gateway is same How to make mail server
  external gateway ip is 2.2.2.4 Please help me ?

 If it is on the same network, just make it a virtual IP rather than
 its own interface.  I'm guessing you want to 1:1 NAT that address to
 the internal mail server.





 --
 -Don't take life seriously, you will never get out of it alive!


Mine works...

Firewall: NAT: 1:1

Interface  External IP  Internal IP    Destination IP  Description
WAN        11.22.33.44  192.168.1.122  *               mail server

ShiB.
while ( ! ( succeed = try() ) );


Re: [pfSense Support] pfsense config for failover

2011-06-06 Thread Shibashish
On Sat, Jun 4, 2011 at 10:18 AM, Ahmed Ndaula
anda...@spurtechnologies.com wrote:

 Hello folks,

 Here's the situation I am having;

 Right now I have a functional dual box. I have another with the right side
 not responding. My goal is to have 2 x dual boxes set up for fail-over. What
 would I need to have a successful fail-over configuration?

 I will be grateful getting a response on this issue.


 Best,


 --
 Thanks for setting up your website on our reliable web servers.



 Ndaula Ahmed
 Systems/Network Administrator
 SPUR Technologies
 Off: +256-414-267247
 Mob: +256-702-066343
 Skype: ndaula
 Email: anda...@spurtechnologies.com
 Web: http://www.spurtechnologies.com


 ---
 Managed Networks | IT Infrastructure | Web Development | Web Hosting |
 Training | System Security Cameras



http://www.pfsense.org/mirror.php?section=tutorials/carp/carp-cluster-new.htm
ShiB.
while ( ! ( succeed = try() ) );


[pfSense Support] VIP bandwidth usage monitoring

2011-05-23 Thread Shibashish
Hi,

I am on pfSense 2.0-RC1 (i386). Is there a way to measure or graph the
bandwidth usage of the VIPs or the bandwidth of the Virtual Servers
configured in Load Balancer? I need this because I need to find out which
website(s) are eating up the most bandwidth.

ShiB.
while ( ! ( succeed = try() ) );


[pfSense Support] pFsense... unexpected behaviour

2011-05-17 Thread Shibashish
Hi,

I am running pfSense 2.0-RC1 (i386) as FW + LB. I saw a
weird behavior yesterday on the box, the webconfigurator was working and i
was able to add/change rules as well as load-balancing policies, but the
policies would not take effect, i.e. there was no change in the
traffic behavior although it showed that the configuration was in effect. I
tried to change the lb pool, redirect to different set of backend servers,
still no change. On digging further, i found 2 lines in dmesg ...

WARNING: / was not properly dismounted
WARNING: R/W mount of / denied.  Filesystem is not clean - run fsck

But, I was able to create and rm a file on the file-system. There was no
hard reboot of the server and it had an uptime of 45+ days.

1. Why should the filesystem become dirty... how do i prevent it?
2. Shouldn't the webconfigurator show warnings/errors if this happens?

I rebooted the FW box and things seem ok now.

ShiB.
while ( ! ( succeed = try() ) );


Re: [pfSense Support] pFsense... unexpected behaviour

2011-05-17 Thread Shibashish
On Tue, May 17, 2011 at 1:15 PM, Warren Baker war...@decoy.co.za wrote:


 On Tue, May 17, 2011 at 9:14 AM, Shibashish shi...@gmail.com wrote:

 Hi,

 I am running pfSense 2.0-RC1 (i386) as FW + LB. I saw a
 weird behavior yesterday on the box, the webconfigurator was working and i
 was able to add/change rules as well as load-balancing policies, but the
 policies would not take effect, i.e. there was no change in the
 traffic behavior although it showed that the configuration was in effect. I
 tried to change the lb pool, redirect to different set of backend servers,
 still no change. On digging further, i found 2 lines in dmesg ...



 Remember that there are active sessions which are in the firewall state
 table, these sessions will continue to work regardless of your changes until
 these sessions expired. I am no expert on the server load balancer so I am
 not sure whether states are removed when changes are made to pool (i know
 states are changed when there is a server that is marked as down). So
 someone else will need to answer on that.



*To add, I did flush out all the states, i.e. did a reset states. I missed
writing this.*



 WARNING: / was not properly dismounted
 WARNING: R/W mount of / denied.  Filesystem is not clean - run fsck



 This indicates that there was a hard reboot and the system was not cleanly
 shutdown due to a power failure, OS crash or similar.
 So on the next boot a file system check took place to ensure the
 consistency of the file system which would have fixed any problems
 automatically.

 *Does pfSense do a fsck on reboot/boot... can you/someone please confirm.*




 But, I was able to create and rm a file on the file-system. There was no
 hard reboot of the server and it had an uptime of 45+ days.


 This would then have happened prior to the 45 days.

 *I did a touch and rm after seeing the issue and the log file. The
filesystem was writeable.*




 1. Why should the filesystem become dirty... how do i prevent it?



 Besides a hard reboot from an OS crash, use a UPS to ensure the system is
 up when there is a power failure so that you can at least have time to shut
 it down.

 *The FW is in the datacenter, so the power and ups issue is taken care of.
There might have been a fluctuation in one of the circuits, this cannot be
proved as of now.*



 2. Shouldn't the webconfigurator show warnings/errors if this happens?



 No since fsck fixes the file system on boot. If it didn't or could not fix
 it, the system would not boot and drop you to a shell. You would then have
 to manually fix it.

 *My point was that, shouldn't webconfigurator show a warning/error that fs
is readonly and new config cannot be saved/activated.*


 thanks

 --
 .warren


Thanks a ton Warren.

ShiB.
while ( ! ( succeed = try() ) );


Re: [pfSense Support] Traffic shaping for specific file type

2011-05-16 Thread Shibashish
On Mon, May 16, 2011 at 10:56 AM, A Mohan Rao mohanra...@gmail.com wrote:

 yes very easy u can use acl its working fine with groups and individual..


 Thanks

 A Mohan Rao
 indore
 india

 On Mon, May 16, 2011 at 10:53 AM, Shibashish shi...@gmail.com wrote:

 I'm on pfSense 2.0-RC1 (i386) and have been using it as a
 firewall+load-balancer.

 Can i do Traffic Shaping for certain file type... like flv and mpg?

 I have to serve big sized (~50Mb each) flv and mpg videos but i have a
 limited bandwidth... can i allocate a specific bandwidth like 5Mbps only for
 flv/mpg requests so that rest of my sites do not get choked.

 Thanks.

 ShiB.
 while ( ! ( succeed = try() ) );



Can you please provide some more (technical) details, steps how to do it,
etc.

Thanks.


ShiB.
while ( ! ( succeed = try() ) );


[pfSense Support] Traffic shaping for specific file type

2011-05-15 Thread Shibashish
I'm on pfSense 2.0-RC1 (i386) and have been using it as a
firewall+load-balancer.

Can i do Traffic Shaping for certain file type... like flv and mpg?

I have to serve big sized (~50Mb each) flv and mpg videos but i have a
limited bandwidth... can i allocate a specific bandwidth like 5Mbps only for
flv/mpg requests so that rest of my sites do not get choked.

Thanks.

ShiB.
while ( ! ( succeed = try() ) );


[pfSense Support] Load-balancing on LAN network

2011-05-10 Thread Shibashish
Hi All,

I have a clustered service which needs to be load-balanced on the lan
network. The following setup doesn't work for me.

   --- lan ip 1
load balanced lan vip --- lan ip 2
   --- lan ip 3

Thanks in advance.

ShiB.
while ( ! ( succeed = try() ) );


[pfSense Support] pfSense to use more memory

2011-03-31 Thread Shibashish
My pfSense box says

real memory  = 12884901888 (12288 MB)
avail memory = 2567946240 (2448 MB)

How can i ask pfSense to use more memory? I tried the 64-bit version
but it kept crashing, hence reverted back to 32-bit.

Version 2.0-RC1 (i386)
built on Thu Mar 17 07:27:35 EDT 2011

ShiB.
while ( ! ( succeed = try() ) );




Re: [pfSense Support] pfSense to use more memory

2011-03-31 Thread Shibashish
On Thu, Mar 31, 2011 at 10:50 PM, David Burgess apt@gmail.com wrote:
 On Thu, Mar 31, 2011 at 11:17 AM, Shibashish shi...@gmail.com wrote:
 My pfSense box says

 real memory  = 12884901888 (12288 MB)
 avail memory = 2567946240 (2448 MB)

 How can i ask pfSense to use more memory?

 Use the 64-bit version.

 I tried the 64-bit version
 but it kept crashing, hence reverted back to 32-bit.

 2.0 is in RC. Please provide feedback so we can determine the cause of
 the problem, and either you or the devs can fix it, depending where it
 lies.

 db


Thank you for your reply. Since the pfSense box are in production, I
was not able to debug much on why the 64-bit kept crashing. I'll share
more info in a separate mail about the crash.

ShiB.
while ( ! ( succeed = try() ) );




[pfSense Support] Traffic shaping related

2011-03-28 Thread Shibashish
Hi,

I run a relatively high traffic website on pfSense (Version2.0-RC1
(i386) built on Thu Mar 17 07:27:35 EDT 2011).

During very heavy traffic, I see that my OpenVPN connections or SSH
connections drop or are not able to get through. I'd like to enable
traffic shaping and reserve some bandwidth based on 2 conditions...
first, reserve for VPN users, second, reserve some bandwidth for my
office users, http and openvpn traffic (they connect from a fixed ip).
How do i go about it... what is the best method to shape?

I have checked some of the links...
http://forum.pfsense.org/index.php/topic,33160.0.html
http://forum.pfsense.org/index.php/topic,31184.0.html

Thanks.

ShiB.
while ( ! ( succeed = try() ) );




[pfSense Support] pfSense network throughput issues

2011-03-18 Thread Shibashish
Hi,

I run pfSense as my firewall + load balancer. I run a website which is a
high-traffic website. Sometimes I have 1000 to 2000 concurrent connections
on my sites. Under heavy load, i see that some clients encounter timeouts or
connection drops. Also, i have noticed that during those times, sometime the
sync to firewall2 also doesn't happen and the error is logged.

I have a 15Mbps internet link burstable to 30Mbps which is usually between
10-15Mbps utilization. My State table size is upped to 10. My webserver
is optimized and most of the content is served from CDNs, only dynamic
content comes to me. I tried adding more servers to the farm but doesn't
help.

I have checked the following links...
http://www.pfsense.org/index.php?option=com_content&task=view&id=52&Itemid=49
http://forum.pfsense.org/index.php/topic,14208.0.html

1. What are the steps to not let timeouts happen?
2. Should I change Firewall Optimization Options?
3. How to run a high-volume traffic on pfSense?
4. Is the network getting blocked on the NIC (how to check this)?


Info about the pfSense box

Version 1.2.3-RELEASE
built on Sun Dec 6 23:21:36 EST 2009

State table size 48940/10

Firewall Optimization Options - Normal


Hardware details..

Handle 0x0011, DMI type 8, 9 bytes
Port Connector Information
Internal Reference Designator: J8A1 - NIC 1
Internal Connector Type: None
External Reference Designator: NIC 1
External Connector Type: RJ-45
Port Type: Network Port

Handle 0x0012, DMI type 8, 9 bytes
Port Connector Information
Internal Reference Designator: J8A1 - NIC 2
Internal Connector Type: None
External Reference Designator: NIC 2
External Connector Type: RJ-45
Port Type: Network Port

Handle 0x0013, DMI type 8, 9 bytes
Port Connector Information
Internal Reference Designator: J7A2 - NIC 3
Internal Connector Type: None
External Reference Designator: NIC 3
External Connector Type: RJ-45
Port Type: Network Port

Handle 0x0014, DMI type 8, 9 bytes
Port Connector Information
Internal Reference Designator: J7A2 - NIC 4
Internal Connector Type: None
External Reference Designator: NIC 4
External Connector Type: RJ-45
Port Type: Network Port

Handle 0x0015, DMI type 8, 9 bytes
Port Connector Information
Internal Reference Designator: J6A1 - NIC 5
Internal Connector Type: None
External Reference Designator: NIC 5
External Connector Type: RJ-45
Port Type: Network Port

OR

igb0@pci0:3:0:0:class=0x02 card=0x34f28086 chip=0x10c98086
rev=0x01 hdr=0x00
class  = network
subclass   = ethernet
igb1@pci0:3:0:1:class=0x02 card=0x34f28086 chip=0x10c98086
rev=0x01 hdr=0x00
class  = network
subclass   = ethernet
igb2@pci0:6:0:0:class=0x02 card=0x34f28086 chip=0x10c98086
rev=0x01 hdr=0x00
class  = network
subclass   = ethernet
igb3@pci0:6:0:1:class=0x02 card=0x34f28086 chip=0x10c98086
rev=0x01 hdr=0x00
class  = network
subclass   = ethernet
em0@pci0:12:0:0:class=0x02 card=0x34f28086 chip=0x10d38086
rev=0x00 hdr=0x00
class  = network
subclass   = ethernet

Thanks.

ShiB.
while ( ! ( succeed = try() ) );


[pfSense Support] Traceroute repeating itself

2011-03-09 Thread Shibashish
Following is an output from traceroute...

C:\tracert -d 114.113.93.41

Tracing route to 114.113.93.41 over a maximum of 30 hops

  1     1 ms     1 ms     1 ms  192.168.1.11
  2     1 ms     1 ms     1 ms  11.241.82.161
  3     3 ms     5 ms     6 ms  11.241.80.109
  4     3 ms     3 ms     3 ms  203.17.13.6
  5     4 ms     3 ms     3 ms  59.13.55.149
  6     3 ms     3 ms     3 ms  59.13.55.149
  7    11 ms     6 ms     5 ms  29.64.42.55
  8     6 ms     6 ms     6 ms  114.113.8.4
  9     5 ms     5 ms     5 ms  114.113.87.44
 10     6 ms     6 ms    14 ms  114.113.87.43
 11     5 ms     5 ms     5 ms  114.113.87.44
 12    12 ms     *        6 ms  114.113.87.43
 13    26 ms     8 ms    13 ms  114.113.87.44
 14    25 ms     7 ms     8 ms  114.113.87.43
 15    10 ms     5 ms     5 ms  114.113.87.44
 16    11 ms    17 ms    17 ms  114.113.87.43
 17     8 ms    31 ms     5 ms  114.113.87.44
 18    17 ms    19 ms    16 ms  114.113.87.43
 19    18 ms     6 ms    11 ms  114.113.87.44
 20     6 ms     6 ms    10 ms  114.113.87.43
 21     6 ms     6 ms     6 ms  114.113.87.44
 22     6 ms     6 ms     7 ms  114.113.87.43
 23     6 ms     6 ms     6 ms  114.113.87.44
 24     9 ms    17 ms     8 ms  114.113.87.43
 25    56 ms    64 ms    25 ms  114.113.87.44
 26     9 ms     7 ms    14 ms  114.113.87.43
 27     6 ms    12 ms     6 ms  114.113.87.44
 28     7 ms     7 ms     7 ms  114.113.87.43
 29    16 ms    12 ms    10 ms  114.113.87.44
 30     7 ms     9 ms     8 ms  114.113.87.43

Trace complete.

After the 9th hop, the traffic seems to be coming in/out of the pfsense box,
is this normal... have I configured something wrong?

114.113.87.44 is the real IP of the pfsense firewall
114.113.87.43 is the VRRP IP provided to me by my ISP and is the gateway to
pfsense

Note: all IP are changed for this post.

ShiB.
while ( ! ( succeed = try() ) );


Re: [pfSense Support] Traceroute repeating itself

2011-03-09 Thread Shibashish
My setup...

ISP-WAN1-- FW1 (pfsense)
-- VRRP IP -- LAN
ISP-WAN2-- FW2 (pfsense)

The traceroute is looping between the FW1 and VRRP IP.

ShiB.
while ( ! ( succeed = try() ) );


On Wed, Mar 9, 2011 at 5:47 PM, James Bensley jwbens...@gmail.com wrote:

 I don't quite understand your set up but basically you have a routing loop,
 you need to view and amend your routes if they are static or reconfiguring
 your routing protocol if you're using one.

 --James. (This email was sent from a mobile device)



Re: [pfSense Support] Traceroute repeating itself

2011-03-09 Thread Shibashish
On Wed, Mar 9, 2011 at 6:53 PM, James Bensley jwbens...@gmail.com wrote:

 So WAN1 is on one pfSense box and WAN2 is on another? Also, you
 connect each box to an ISP and to the LAN?

 --
 James.

 http://www.jamesbensley.co.cc/
 There are 10 kinds of people in the world; Those who understand
 Vigesimal, and J others...?


No... ISP gives me 1 connection. The VRRP IP is 114.113.87.43. This VRRP IP
is the gateway to my pfsense boxes. The pfsense boxes get 2 wan ip,
114.113.87.44 & 114.113.87.45.

ShiB.
while ( ! ( succeed = try() ) );


Re: [pfSense Support] Traceroute repeating itself

2011-03-09 Thread Shibashish
114.113.93.41 is an IP from the Routed segment/Server Segment allotted to me
by my ISP.

ShiB.
while ( ! ( succeed = try() ) );


On Wed, Mar 9, 2011 at 8:33 PM, e...@tm-k.com wrote:

  On Wed, Mar 9, 2011 at 6:53 PM, James Bensley jwbens...@gmail.com
 wrote:
 
  So WAN1 is on one pfSense box and WAN2 is on another? Also, you
  connect each box to an ISP and to the LAN?
 
  --
  James.
 
  http://www.jamesbensley.co.cc/
  There are 10 kinds of people in the world; Those who understand
  Vigesimal, and J others...?
 
 
  No... ISP gives me 1 connection. The VRRP IP is 114.113.87.43. This VRRP IP
  is the gateway to my pfsense boxes. The pfsense boxes get 2 wan ip,
  114.113.87.44 & 114.113.87.45.
 
  ShiB.
  while ( ! ( succeed = try() ) );
 
 Where is 114.113.93.41 you are tracing to?






Re: [pfSense Support] Traceroute repeating itself

2011-03-09 Thread Shibashish
On Wed, Mar 9, 2011 at 11:30 PM, Chris Buechler cbuech...@gmail.com wrote:

 On Wed, Mar 9, 2011 at 10:20 AM, Shibashish shi...@gmail.com wrote:
  114.113.93.41 is an IP from the Routed segment/Server Segment allotted to me
  by my ISP.

 If you have a routed subnet that isn't assigned on a local interface,
 and that doesn't have traceroute directed to another host via NAT,
 you'll have a routing loop. It doesn't affect functionality and is
 normal under such circumstances. Forward traceroute to another host
 via 1:1 or port forward entries, or assign the subnet directly to an
 internal interface, and it won't do that. It doesn't have a routing
 table entry for that host as is so it sends it back to its default
 gateway.

 -




 Works the way as you have described... awesome.. thanks man !

 ShiB.
 while ( ! ( succeed = try() ) );
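
The loop Chris Buechler describes in this thread can be reproduced with two forwarding tables and a longest-prefix-match lookup. This is an added example, not part of the original posts: the WAN subnet 114.113.87.40/29 and the routed prefix 114.113.93.0/24 are assumptions (the posts give only single, already-altered addresses), and Router, build_topology, trace and has_routing_loop are hypothetical names.

```python
import ipaddress

CONNECTED = object()            # marker: destination is on an attached network

WAN_NET = "114.113.87.40/29"    # assumption: WAN subnet shared with the ISP
ROUTED_NET = "114.113.93.0/24"  # assumption: routed segment handed out by the ISP
ISP_GW = "114.113.87.43"        # VRRP IP, the firewall's default gateway
FW1 = "114.113.87.44"           # real WAN IP of the pfSense box
TARGET = "114.113.93.41"        # address being traced in the thread

# Hop addresses copied from the traceroute posted in the thread (hops 1-30).
PAGE_HOPS = ["192.168.1.11", "11.241.82.161", "11.241.80.109", "203.17.13.6",
             "59.13.55.149", "59.13.55.149", "29.64.42.55", "114.113.8.4"] \
            + [FW1, ISP_GW] * 11


class Router:
    """Minimal router model: one address and a longest-prefix-match table."""

    def __init__(self, address):
        self.address = address
        self.routes = []

    def add_route(self, prefix, next_hop=CONNECTED):
        self.routes.append((ipaddress.ip_network(prefix), next_hop))

    def lookup(self, dst):
        dst = ipaddress.ip_address(dst)
        matches = [(net, hop) for net, hop in self.routes if dst in net]
        if not matches:
            raise LookupError(f"{self.address} has no route to {dst}")
        # The most specific prefix wins; the default route is the last resort.
        return max(matches, key=lambda m: m[0].prefixlen)[1]


def build_topology(routed_subnet_on_firewall):
    """ISP router plus firewall, with or without the routed subnet assigned."""
    isp = Router(ISP_GW)
    isp.add_route(WAN_NET)
    isp.add_route(ROUTED_NET, FW1)          # ISP routes the segment to the firewall
    fw = Router(FW1)
    fw.add_route(WAN_NET)
    fw.add_route("0.0.0.0/0", ISP_GW)       # default gateway
    if routed_subnet_on_firewall:
        fw.add_route(ROUTED_NET)            # subnet assigned to an internal interface
    return {isp.address: isp, fw.address: fw}


def trace(routers, first_hop, dst, max_hops=30):
    """Return the addresses that would answer successive traceroute probes."""
    hops, current = [], routers[first_hop]
    while len(hops) < max_hops:
        hops.append(current.address)
        next_hop = current.lookup(dst)
        if next_hop is CONNECTED:
            hops.append(dst)                # delivered on an attached network
            break
        current = routers[next_hop]
    return hops


def has_routing_loop(hops):
    """True if an address reappears after a different hop in between."""
    last_seen = {}
    for i, hop in enumerate(hops):
        if hop in last_seen and i - last_seen[hop] > 1:
            return True
        last_seen[hop] = i
    return False


if __name__ == "__main__":
    looping = trace(build_topology(False), FW1, TARGET)
    fixed = trace(build_topology(True), FW1, TARGET)
    print("unassigned subnet:", looping[:6], "... loop =", has_routing_loop(looping))
    print("assigned subnet:  ", fixed, "loop =", has_routing_loop(fixed))
    print("posted traceroute loop =", has_routing_loop(PAGE_HOPS))
```

The same alternation check flags the posted trace from hop 11 onward, while the repeated 59.13.55.149 at hops 5 and 6 is not counted because the two answers are adjacent.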



[pfSense Support] Add p2p link alongwith internet

2011-03-07 Thread Shibashish
Hi,

I have a internet connection (WAN) added to my pfsense box. The LAN network
is 172.16.x.x. The carp ip for sync is 192.168.1.x. Now I want to add a p2p
link to this box which has an ip 192.168.14.x. I have extra ethernet port on
the pfsense box. How do i do this? How can i route traffic to p2p if the
internal hosts want to reach 192.168.14.x.

Thanks.

ShiB.
while ( ! ( succeed = try() ) );


[pfSense Support] Master Backup not in sync - VIP proxy ARP

2011-02-24 Thread Shibashish
I have 2 pfSense box with Carp sync and failover configured. I have 2
Virtual IPs of the type Proxy ARP on the Master FW which do not get sync to
the Backup FW. Is this a feature or a bug? Do i have to add the vip manually
to backup fw server ?

Also, I see that the packages or its configs are not synced, how do i do
this?


ShiB.
while ( ! ( succeed = try() ) );


[pfSense Support] outgoing gw to be vip

2011-01-24 Thread Shibashish
Hi,

I have a mail server running on a vip which is natted to a real-lan ip. I
have added the VIP in load-balancer option and added my lan server as the
virtual-server-pool. But now my outgoing traffic is taking the ip of
firewall as the firewall is its gateway. I want to set the vip as the
outgoing ip for all the mail traffic... how do i change/set this?

Thanks.

ShiB.
while ( ! ( succeed = try() ) );


Re: [pfSense Support] outgoing gw to be vip

2011-01-24 Thread Shibashish
Awesome... this seems to be working !!

ShiB.
while ( ! ( succeed = try() ) );


On Mon, Jan 24, 2011 at 7:14 PM, Seth Mos seth@dds.nl wrote:

 On 24-1-2011 14:39, Shibashish wrote:

  Hi,

 I have a mail server running on a vip which is natted to a real-lan ip.
 I have added the VIP in load-balancer option and added my lan server as
 the virtual-server-pool. But now my outgoing traffic is taking the ip of
 firewall as the firewall is its gateway. I want to set the vip as the
 outgoing ip for all the mail traffic... how do i change/set this?


 Have you tried using 1:1 NAT? That should make the traffic use the correct
 VIP.

 Regards,
 Seth





[pfSense Support] Re: FW rules on load-balanced virtual ip

2011-01-19 Thread Shibashish
On Tue, Jan 18, 2011 at 5:07 PM, Shibashish shi...@gmail.com wrote:

 Hi,

 Can i (how to) write Firewall rules on the Virtual created/added in
 Pfsense? The Virtual Server IP is added for load-balancing purpose.


e.g. webserver runs on 10.10.10.10 port 80, 443
mail server on 10.10.10.11 port 25, 110
vpn on 10.10.10.12 port 1195

So i want to set individual rules for each ip.

Anyone?


[pfSense Support] FW rules on load-balanced virtual ip

2011-01-18 Thread Shibashish
Hi,

Can i (how to) write Firewall rules on the Virtual created/added in Pfsense?
The Virtual Server IP is added for load-balancing purpose.

ShiB.
while ( ! ( succeed = try() ) );


[pfSense Support] Load balancing of LAN hosts

2011-01-18 Thread Shibashish
Hi,

Is it possible to load-balance LAN hosts... any example, any configuration?

I have an application which will connect to multiple databases
(read-operations), hence i need LAN load-balancing. I do understand i can do
it other ways, but is it possible using pfsense?

Thanks.

ShiB.
while ( ! ( succeed = try() ) );


[pfSense Support] Not able to add virtual carp ip on different subnet

2011-01-13 Thread Shibashish
My WAN ip is xx.xx.87.44

I am trying to add a Virtual IP CARP as xx.xx.93.193, but i am not able to.

Sorry, we could not locate an interface with a matching subnet for
xx.xx.93.193/27. Please add an ip in this subnet on a real interface.

I want the carp ip to be used for haproxy without which haproxy doesnt
start. How do i add this? Thanks.

ShiB.
while ( ! ( succeed = try() ) );


Re: [pfSense Support] Not able to add virtual carp ip on different subnet

2011-01-13 Thread Shibashish
xx.xx.87.40/29

ShiB.
while ( ! ( succeed = try() ) );


On Thu, Jan 13, 2011 at 4:06 PM, Warren Baker war...@decoy.co.za wrote:


 On Thu, Jan 13, 2011 at 12:29 PM, Shibashish shi...@gmail.com wrote:

 My WAN ip is xx.xx.87.44

 I am trying to add a Virtual IP CARP as xx.xx.93.193, but i am not able
 to.

 Sorry, we could not locate an interface with a matching subnet for
 xx.xx.93.193/27. Please add an ip in this subnet on a real interface.

 I want the carp ip to be used for haproxy without which haproxy doesnt
 start. How do i add this? Thanks.



 Whats your netmask for your WAN?


 --
 .warren



Re: [pfSense Support] Not able to add virtual carp ip on different subnet

2011-01-13 Thread Shibashish
My ISP has given xx.xx.93.192/27 (32 IPs – 30 Usable IPs excluding Network &
Broadcast)

ShiB.
while ( ! ( succeed = try() ) );


On Thu, Jan 13, 2011 at 4:07 PM, Shibashish shi...@gmail.com wrote:

 xx.xx.87.40/29

 ShiB.
 while ( ! ( succeed = try() ) );



 On Thu, Jan 13, 2011 at 4:06 PM, Warren Baker war...@decoy.co.za wrote:


 On Thu, Jan 13, 2011 at 12:29 PM, Shibashish shi...@gmail.com wrote:

 My WAN ip is xx.xx.87.44

 I am trying to add a Virtual IP CARP as xx.xx.93.193, but i am not able
 to.

 Sorry, we could not locate an interface with a matching subnet for
 xx.xx.93.193/27. Please add an ip in this subnet on a real interface.

 I want the carp ip to be used for haproxy without which haproxy doesnt
 start. How do i add this? Thanks.



 Whats your netmask for your WAN?


 --
 .warren





Re: [pfSense Support] Not able to add virtual carp ip on different subnet

2011-01-13 Thread Shibashish
Thanks for explaining. I wanted to use haproxy and this was not starting.
The reason as someone suggested is that the VIP must be a CARP ip.
http://forum.pfsense.org/index.php?topic=21748.0

I'm on 1.2.3-RELEASE.

ShiB.
while ( ! ( succeed = try() ) );


On Thu, Jan 13, 2011 at 6:38 PM, Jim Pingle li...@pingle.org wrote:

 On 1/13/2011 5:29 AM, Shibashish wrote:
  My WAN ip is xx.xx.87.44
 
  I am trying to add a Virtual IP CARP as xx.xx.93.193, but i am not able
 to.
 
  Sorry, we could not locate an interface with a matching subnet for
  xx.xx.93.193/27. Please add an ip in this subnet on a real interface.
 
  I want the carp ip to be used for haproxy without which haproxy doesnt
  start. How do i add this? Thanks.

 CARP VIPs have to be in the same subnet as an existing IP address on the
 interface.

 On 1.2.x, this means it must be in the same subnet as the WAN IP. On 2.0
 you can also add an IP alias VIP inside of the same subnet as
 x.x.93.193/27 and then you can add a CARP VIP for x.x.93.193/27

 If this is part of a CARP cluster, each unit will need a separate IP
 alias inside of that subnet (the same way they each need an IP in the
 WAN subnet). If it's a standalone unit you may as well use an IP alias
 in place of a CARP VIP.

 Jim
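
The subnet rule Jim Pingle states above, written as a pre-flight check for a two-node cluster. This is an added example, not pfSense code and not from the original thread: the 10.0.x.x addresses are constructed stand-ins for the masked xx.xx values, and check_carp_vip is a hypothetical helper.

```python
import ipaddress


def check_carp_vip(vip_cidr, cluster):
    """Return (node, problem) pairs for a planned CARP VIP.

    cluster maps a node name to the addresses (CIDR form, IP aliases
    included) already configured on the interface that will carry the VIP.
    """
    vip = ipaddress.ip_interface(vip_cidr)
    problems = []
    owners = {}  # per-node address inside the VIP subnet -> node that holds it
    for node, addresses in cluster.items():
        in_subnet = [iface for iface in map(ipaddress.ip_interface, addresses)
                     if iface.network == vip.network]
        if not in_subnet:
            # The case behind the "could not locate an interface with a
            # matching subnet" message quoted in the thread.
            problems.append((node, f"no address in {vip.network}"))
            continue
        for iface in in_subnet:
            if iface.ip == vip.ip:
                problems.append((node, "address equals the VIP"))
            elif iface.ip in owners:
                # Each unit needs its own address in the subnet.
                problems.append((node, f"address shared with {owners[iface.ip]}"))
            else:
                owners[iface.ip] = node
    return problems


# Constructed sample data mirroring the thread: WAN /29, routed /27.
VIP = "10.0.93.193/27"
WAN_ONLY = {"fw1": ["10.0.87.44/29"], "fw2": ["10.0.87.45/29"]}
WITH_ALIASES = {"fw1": ["10.0.87.44/29", "10.0.93.194/27"],
                "fw2": ["10.0.87.45/29", "10.0.93.195/27"]}
SHARED_ALIAS = {"fw1": ["10.0.87.44/29", "10.0.93.194/27"],
                "fw2": ["10.0.87.45/29", "10.0.93.194/27"]}

if __name__ == "__main__":
    for label, cluster in (("WAN only", WAN_ONLY),
                           ("with IP aliases", WITH_ALIASES),
                           ("shared alias", SHARED_ALIAS)):
        print(label, "->", check_carp_vip(VIP, cluster) or "ok")
```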





[pfSense Support] Bandwidth calculation on multiple ip

2011-01-11 Thread Shibashish
I have about 10 ip address which are load-balanced on my pfSense box. I want
to find out the individual bandwidth consumption for each ip, how can i do
this?

Thanks in advance.

ShiB.
while ( ! ( succeed = try() ) );


[pfSense Support] Using_OpenVPN_With_FreeRADIUS

2011-01-07 Thread Shibashish
My openvpn works with keys. I want authentication for the same and using
this doc for reference...
http://doc.pfsense.org/index.php/Using_OpenVPN_With_FreeRADIUS

The doc says to add in... /etc/radius.conf

acct 192.168.1.1:1892 password
auth 192.168.1.1:1893 password

But, in netstat, i see the ports running as..

udp4   0  0 192.168.1.1.1813   *.*
udp4   0  0 192.168.1.1.1812   *.*

radiusd -X shows...

Module: Instantiated radutmp (radutmp)
Listening on authentication 192.168.1.1:1812
Listening on accounting 192.168.1.1:1813
Ready to process requests.


*Should the port nos. be changed in radius.conf?*
I'm not able to get the authentication working.

ShiB.
while ( ! ( succeed = try() ) );


Re: [pfSense Support] freeradius not installing

2011-01-06 Thread Shibashish
# uname -a
FreeBSD fw1.xx.abc.com 7.2-RELEASE-p5 FreeBSD 7.2-RELEASE-p5 #0: Sun Dec  6
23:20:31 EST 2009
sullr...@freebsd_7.2_pfsense_1.2.3_snaps.pfsense.org:/usr/obj.pfSense/usr/pfSensesrc/src/sys/pfSense_SMP.7
 i386

System  Packages 

 freeradius http://www.freeradius.org/ System BETA 1.1.2_1
platform: 1.2.1 No info, check the forum
http://forum.pfsense.org/index.php/board,15.0.html
A free implementation of the RADIUS protocol.

ShiB.
while ( ! ( succeed = try() ) );


On Thu, Jan 6, 2011 at 6:52 PM, Jim Pingle li...@pingle.org wrote:

 On 1/6/2011 8:18 AM, Shibashish wrote:
  Freeradius not installing, can anyone please fix this?
 
  Downloading package configuration file... done.
  Saving updated package information... done.
  Downloading freeradius and its dependencies... done.
  Checking for successful package installation... failed!
 
  Installation aborted.

 We need a lot more detail than that. Are you on 1.2.3 or 2.0? If it's
 2.0, what's the snapshot date? Is it a full install or NanoBSD?

 Jim





[pfSense Support] WAN routing issues with VRRP

2011-01-06 Thread Shibashish
# uname -a
FreeBSD 7.2-RELEASE-p5 FreeBSD 7.2-RELEASE-p5 #0: Sun Dec  6 23:20:31 EST
2009 
sullr...@freebsd_7.2_pfsense_1.2.3_snaps.pfsense.org:/usr/obj.pfSense/usr/pfSensesrc/src/sys/pfSense_SMP.7
 i386

I am able to ping yahoo.com but not able to ping google.com, some sites work
while some sites do not.

My network is like this...

LAN --- FW1 --- VRRP ip (gateway)  real-ip-1 of ISP router
LAN --- FW2  VRRP ip (gateway) --- real ip-2 ISP router

I guess the packets moving out of FW1 with the WAN IP are not being routed
back. How to solve this?

From a Windows host on the LAN, I am able to ping google.com after I force
the Firewall > Rules > LAN > For LAN subnet, use the VRRP IP as the Gateway

ShiB.
while ( ! ( succeed = try() ) );


Re: [pfSense Support] freeradius not installing

2011-01-06 Thread Shibashish
On Thu, Jan 6, 2011 at 7:49 PM, Jim Pingle li...@pingle.org wrote:

 [Please don't top post]
 On 1/6/2011 8:46 AM, Shibashish wrote:
  On Thu, Jan 6, 2011 at 6:52 PM, Jim Pingle li...@pingle.org
  mailto:li...@pingle.org wrote:
 
  On 1/6/2011 8:18 AM, Shibashish wrote:
   Freeradius not installing, can anyone please fix this?
  
   Downloading package configuration file... done.
   Saving updated package information... done.
   Downloading freeradius and its dependencies... done.
   Checking for successful package installation... failed!
  
   Installation aborted.
 
  We need a lot more detail than that. Are you on 1.2.3 or 2.0? If it's
  2.0, what's the snapshot date? Is it a full install or NanoBSD?
 
  Jim
  # uname -a
  FreeBSD fw1.xx.abc.com http://fw1.xx.abc.com 7.2-RELEASE-p5 FreeBSD
  7.2-RELEASE-p5 #0: Sun Dec  6 23:20:31 EST 2009
  sullr...@freebsd_7.2_pfsense_1.2.3_snaps.pfsense.org:
 /usr/obj.pfSense/usr/pfSensesrc/src/sys/pfSense_SMP.7
   i386
 
  System  Packages 
 
  freeradius http://www.freeradius.org/   System  BETA
  1.1.2_1
  platform: 1.2.1   No info, check the forum
  http://forum.pfsense.org/index.php/board,15.0.html  A free
  implementation of the RADIUS protocol.

 I just tried it on a 1.2.3 box and it installed fine for me.

 Jim



Thanks for your email, Jim. The pfSense server is not able to connect to some
sites and hence is not able to download the required packages. I connected
it directly (changed gateway) so now I am able to install.


Re: [pfSense Support] unable to see the slave status ... both are showing master

2010-12-30 Thread Shibashish
The link is
http://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_(CARP)

Both the hosts on the cluster are being shown as Master.
Using pfSense-1.2.3-RELEASE-LiveCD-Installer.iso for installation.
http://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_(CARP)
ShiB.
while ( ! ( succeed = try() ) );


On Thu, Dec 30, 2010 at 8:52 PM, Agnello George agnello.dso...@gmail.com wrote:

 Hi

 We have been trying to set up a master/slave setup of pfSense. We tried
 everything as per the documentation in

 http://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_(CARP2)

 We have almost the same setup as in the link above; however, we are
 not able to see the slave status on the backup firewall. We can see the
 master status on the primary firewall. We can see both servers showing master
 status.

 I am completely new to FreeBSD and especially new to pfSense.

 Thanks if you can guide me through.

 --
 Regards
 Agnello D'souza






Re: [pfSense Support] unable to see the slave status ... both are showing master

2010-12-30 Thread Shibashish
Just to add, I am trying to do a CARP/pfsync redundancy only on the LAN (and
not on WAN).


ShiB.
while ( ! ( succeed = try() ) );


On Thu, Dec 30, 2010 at 11:54 PM, Shibashish shi...@gmail.com wrote:

 The link is
 http://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_(CARP)

 Both the hosts on the cluster are being shown as Master.
 Using pfSense-1.2.3-RELEASE-LiveCD-Installer.iso for installation.
 http://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_(CARP)
 ShiB.
 while ( ! ( succeed = try() ) );



 On Thu, Dec 30, 2010 at 8:52 PM, Agnello George
 agnello.dso...@gmail.com wrote:

 Hi

 We have been trying to set up a master/slave setup of pfSense. We
 tried everything as per the documentation in

 http://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_(CARP2)

 We have almost the same setup as in the link above; however, we are
 not able to see the slave status on the backup firewall. We can see the
 master status on the primary firewall. We can see both servers showing master
 status.

 I am completely new to FreeBSD and especially new to pfSense.

 Thanks if you can guide me through.

 --
 Regards
 Agnello D'souza