Re: [pfSense Support] PPTP not working after update on Tuesday

2011-09-02 Thread Vick Khera
On Thu, Sep 1, 2011 at 1:34 PM, Chris Buechler cbuech...@gmail.com wrote:
 That's from a kernel patch that was in one day's snapshots, it's since
 been reverted. Downgrade to something from the 29th, or early on the
 30th, or upgrade to the one that'll come out in the next few hours.

Just confirming for the posterity of the list that a September 1
snapshot solved this problem for me.

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org



Re: [pfSense Support] packets passed and logged in UI

2011-09-01 Thread Vick Khera
On Wed, Aug 31, 2011 at 12:49 PM, Mario Ciccarelli
ad...@dtlciccarelli.it wrote:
 So I will wait for the stable 2.0, because I have 3 pfSense boxes with 3 IPsec channels
 to each other, far away by many kilometers, and I don't want to have beta problems!
 :-)


You're still better off with 2.0.  The only issue I have (and not
tested against latest releases) is that mobile IPsec clients will not
get replies back from the fixed IPsec endpoint.  For me the easy
workaround was to hard-wire the mobile client's IP, which is a rarely
changing DHCP address, as a fixed endpoint as well.

Everything else works great in 2.0 -- load balance, regular filtering, etc.



[pfSense Support] PPTP not working after update on Tuesday

2011-09-01 Thread Vick Khera
Office firewall has been running 2.0-RC2 from some time in May.  PPTP
was working fine and dandy from iOS devices.  Just click the vpn on
and off you went.

Yesterday I updated the firewall to the latest snapshot of RC3 (Aug 30
18:45:48).  Since then, the PPTP connect succeeds and the pfSense logs
show full success and assignment of the IP address to the client, yet
no traffic will pass.

The only two tools to test on the iOS device are mail and the
browser, and neither makes a connection to the server inside the
office.

The PPTP firewall filter tab has the allow rule.  No other changes
were made to the configuration other than running the upgrade.

If I ping back from the inside host to the assigned IP, it replies
"sendto: Host is down" *immediately*.  Normally pinging a dead IP
takes a while before it responds with that.

Anyone else observing this?  What else can I poke around to find
exactly where it fails?



Re: [pfSense Support] PPTP not working after update on Tuesday

2011-09-01 Thread Vick Khera
On Thu, Sep 1, 2011 at 1:34 PM, Chris Buechler cbuech...@gmail.com wrote:
 That's from a kernel patch that was in one day's snapshots, it's since
 been reverted. Downgrade to something from the 29th, or early on the
 30th, or upgrade to the one that'll come out in the next few hours.


I'll hit up the snapshot server tomorrow early morning when nobody
else is in the office.

Funny how I picked *just* the right time to update :)

Thanks!



Re: [pfSense Support] which version

2011-07-28 Thread Vick Khera
On Thu, Jul 28, 2011 at 6:08 AM, Nick Upson n...@telensa.com wrote:
 a) the stability of 2.0 in production
 b) the ease of transition (hopefully I could just load a 1.2.3 backup into
 the 2.0)


2.0 is great. The *only* fault I have is that IPSec mobile clients are
not able to transport traffic *to* the mobile end.  You have to
configure them as fixed end points.

Everything else I throw at it works: OpenVPN, PPTP, basic firewall
filtering, CARP clusters for virtual IPs, etc.

Loading the 1.2.3 backup mostly works.  We had to manually copy the
bits for the OpenVPN certificates -- for some reason they did not load
in properly.  I think one other thing had to be manually reconfigured,
but it was easy because we still had the old box for comparison.



Re: [pfSense Support] best way to set up extra blacklist only on certain computers

2011-07-13 Thread Vick Khera
On Wed, Jul 13, 2011 at 3:38 PM, Luke Jaeger ad...@pvpa.org wrote:

 docs.pvpa.org redirects to www.google.com/a/pvpa.org


Not directly.  It goes like this:


docs.pvpa.org is an alias for ghs.google.com.
ghs.google.com is an alias for ghs.l.google.com.
ghs.l.google.com has address 72.14.204.121

So you have to be able to hit ghs.l.google.com in order to get the
HTTP redirect to www.google.com/a/pvpa.org.  This is how the chain
looks:

% lwp-request -m HEAD -S http://docs.pvpa.org/
HEAD http://docs.pvpa.org/ --> 302 Found
HEAD http://docs.google.com/a/pvpa.org --> 302 Moved Temporarily
HEAD http://docs.google.com/a/pvpa.org/ --> 302 Moved Temporarily
HEAD https://www.google.com/a/pvpa.org/ServiceLogin?service=writely&passive=1209600&continue=http://docs.google.com/a/pvpa.org/&followup=http://docs.google.com/a/pvpa.org/&ltmpl=homepage --> 200 OK

So you need to allow the IP addresses of each of the named hosts in the chain.

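The point of the reply above is that an allow-list for a site has to cover every host the client is bounced through, not just the first name. The following is an added example, not the poster's own tool: it walks a redirect chain, collects each hostname and resolves it, with the HEAD and DNS lookups injected as callables so it runs offline here against a constructed copy of the docs.pvpa.org chain (the placeholder addresses and the shortened ServiceLogin URL are assumptions).

```python
"""Collect the IP addresses an egress allow-list needs for a site that is
reached through a chain of HTTP redirects.

Added example for the docs.pvpa.org discussion above; not the poster's own
tool.  The HEAD and DNS lookups are injected callables so the logic runs
offline here against a constructed copy of the chain from the thread; for
real use pass functions built on http.client and socket.getaddrinfo.
"""
from typing import Callable, Dict, List, Optional, Set, Tuple
from urllib.parse import urljoin, urlparse

Head = Callable[[str], Tuple[int, Optional[str]]]  # url -> (status, Location)
Resolve = Callable[[str], List[str]]               # hostname -> IPv4 list


def follow_chain(url: str, head: Head, max_hops: int = 10) -> List[str]:
    """Return every URL visited while following 3xx Location headers.

    Raises RuntimeError on a redirect loop or when max_hops is exceeded,
    so a misbehaving site cannot spin the allow-list builder forever."""
    visited = [url]
    for _ in range(max_hops):
        status, location = head(url)
        if not (300 <= status < 400) or not location:
            return visited
        url = urljoin(url, location)  # Location may be relative
        if url in visited:
            raise RuntimeError(f"redirect loop at {url}")
        visited.append(url)
    raise RuntimeError(f"more than {max_hops} redirects from {visited[0]}")


def allowlist_for(url: str, head: Head, resolve: Resolve) -> Dict[str, Set[str]]:
    """Map each hostname in the redirect chain to the addresses it resolves to.

    Every one of these hosts must be reachable, or the client stalls part-way
    through the chain, which is the point made in the thread."""
    hosts: List[str] = []
    for u in follow_chain(url, head):
        h = urlparse(u).hostname
        if h and h not in hosts:
            hosts.append(h)
    return {h: set(resolve(h)) for h in hosts}


# --- constructed offline stand-ins ------------------------------------------
# The redirect chain mirrors the lwp-request output in the thread; the final
# ServiceLogin URL is shortened because only its host matters here.
_FAKE_REDIRECTS = {
    "http://docs.pvpa.org/": (302, "http://docs.google.com/a/pvpa.org"),
    "http://docs.google.com/a/pvpa.org": (302, "/a/pvpa.org/"),
    "http://docs.google.com/a/pvpa.org/": (302, "https://www.google.com/a/pvpa.org/ServiceLogin"),
    "https://www.google.com/a/pvpa.org/ServiceLogin": (200, None),
}
# 72.14.204.121 is the address the thread shows for the CNAME target of
# docs.pvpa.org; the other addresses are documentation-range placeholders.
_FAKE_DNS = {
    "docs.pvpa.org": ["72.14.204.121"],
    "docs.google.com": ["198.51.100.10"],
    "www.google.com": ["198.51.100.20", "198.51.100.21"],
}


def fake_head(url: str) -> Tuple[int, Optional[str]]:
    return _FAKE_REDIRECTS[url]


def fake_resolve(host: str) -> List[str]:
    return _FAKE_DNS.get(host, [])


def demo() -> Dict[str, Set[str]]:
    return allowlist_for("http://docs.pvpa.org/", fake_head, fake_resolve)


if __name__ == "__main__":
    for host, ips in demo().items():
        print(f"{host:20s} {', '.join(sorted(ips))}")
```

The addresses behind these names change over time, so the result is only a snapshot: re-run it on a schedule or keep the hostnames, rather than the addresses, in the allow rule if your firewall can re-resolve them.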


Re: [pfSense Support] Update hang with packages

2011-07-07 Thread Vick Khera
On Wed, Jun 29, 2011 at 8:12 PM, Volker Kuhlmann hid...@paradise.net.nz wrote:
 It seems I might have accidentally grabbed the snapshot though.
 After automatic reboot the GUI sits at "packages are reinstalled in the
 background" forever.

 How can I recover from that?
 The GUI package manager is inaccessible.


In Diagnostics > Backup/Restore there is a button to clear the packages
lock at the bottom of the page.



Re: [pfSense Support] Different Gateway Address ( External )

2011-06-13 Thread Vick Khera
On Mon, Jun 13, 2011 at 4:03 PM, Koray AGAYA insanad...@gmail.com wrote:
 I tested the external gateway IP on 10.0.1.12. I learned the default external
 gateway IP: go to www.whatismyip.com and the result IP is 2.2.2.2. I don't want
 this (2.2.2.2); I want to go out 2.2.2.4 but I could not, because both
 interfaces ( WAN and MAIL ) have the same default gateway. How to make the mail server's
 external gateway IP 2.2.2.4? Please help me.

If it is on the same network, just make it a virtual IP rather than
its own interface.  I'm guessing you want to 1:1 NAT that address to
the internal mail server.



Re: [pfSense Support] IPSEC problem on pfSense 1.2.3

2011-06-02 Thread Vick Khera
On Wed, Jun 1, 2011 at 1:12 PM, Carlos Vicente cjpvice...@gmail.com wrote:
 That's what I thought. Will the version 2.0 support NAT-T and IPSEC VPN
 supported by iPhone and iPad?


I've not tried it with the iPad.  However, the remote site (non
fixed-IP endpoint) VPN with IPsec is not currently working correctly.
The remote will make the IPsec tunnel just fine. The data will flow
from the remote site to the fixed endpoint, but return traffic fails.
I have support tickets open for this, and am awaiting some kind of
fix.



Re: [pfSense Support] IPSEC problem on pfSense 1.2.3

2011-06-01 Thread Vick Khera
On Wed, Jun 1, 2011 at 11:47 AM, Carlos Vicente cjpvice...@gmail.com wrote:

 My pfSense box is behind an ISP modem router, which forwards ports UDP 500
 and UDP 4500 (just in case) to the WAN interface of my box (which is on the
 LAN interface of the router). I use DynDns (on the ISP router) to access my
 pfSense from the internet. On the client side I use the virtual adapter and gave
 it an IP 192.168.13.1 (doesn't overlap the LAN on the pfSense side).


1.2.3 does not support NAT-T, which you would seem to need for this case.
OpenVPN is the way to go.


[pfSense Support] IPSec mobile client not passing traffic back from server

2011-05-04 Thread Vick Khera
My main office location is on static IP that has mobile IPsec clients
enabled.  We were running 1.2.3 successfully.  I upgraded my home
office to pfSense 2.0RC1 and everything still continued to work.  The
home office was set up to VPN the whole LAN.

When we upgraded the office pfSense to 2.0, the mobile client portion
stopped working, in that no traffic will pass.  The logs show
successful negotiation of the tunnel's phase 1 and phase 2.  Once I try
to pass traffic, the main office firewall logs these: "ERROR: no
configuration found for 68.50.28.223." and "ERROR: failed to begin
ipsec sa negotication." over and over.

I have no idea where the "trns_id mismatched:" messages are from.  Both ends
have all the phase 2 encryption algorithms checked as on except DES.

I really don't think it has anything to do with firewall rules,
because the static point-to-point IPsec tunnels from the main office
to the data center work just splendidly with any combination of 1.2.3
and 2.0RC1 software.

The only hint I found was that in redmine I found a note that mobile
clients were not properly supported in ipsec-tools 0.8, which is the
version found on my home office.  The main office (and data center)
are both running a February 26 snapshot with ipsec-tools 0.6.6.  I
wanted to ask here before I go and upgrade the main office to a more
recent snapshot with the newer ipsec-tools.


The home office is running 2.0RC1 built Mon May 2 17:19:57 EDT 2011
The main office is running 2.0RC1 built Sat Feb 26 16:00:14 EST 2011


On my home office firewall:

May 4 10:35:08  racoon: [KCI Main Office (rapiddsl)]: INFO: IPsec-SA established: ESP 68.50.28.223[500]->69.46.251.130[500] spi=10457326(0x9f90ee)
May 4 10:35:08  racoon: [KCI Main Office (rapiddsl)]: INFO: IPsec-SA established: ESP 68.50.28.223[500]->69.46.251.130[500] spi=145364656(0x8aa16b0)
May 4 10:35:08  racoon: [KCI Main Office (rapiddsl)]: INFO: initiate new phase 2 negotiation: 68.50.28.223[500]<=>69.46.251.130[500]
May 4 10:35:07  racoon: [KCI Main Office (rapiddsl)]: INFO: ISAKMP-SA established 68.50.28.223[500]-69.46.251.130[500] spi:f65fa84c8cfe61c9:e816613c9a0d6c33
May 4 10:35:07  racoon: [Self]: [68.50.28.223] INFO: Hashing 68.50.28.223[500] with algo #2
May 4 10:35:07  racoon: [KCI Main Office (rapiddsl)]: [69.46.251.130] INFO: Hashing 69.46.251.130[500] with algo #2
May 4 10:35:07  racoon: INFO: Adding remote and local NAT-D payloads.
May 4 10:35:07  racoon: [KCI Main Office (rapiddsl)]: [69.46.251.130] NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
May 4 10:35:07  racoon: INFO: NAT not detected
May 4 10:35:07  racoon: INFO: NAT-D payload #0 verified
May 4 10:35:07  racoon: [KCI Main Office (rapiddsl)]: [69.46.251.130] INFO: Hashing 69.46.251.130[500] with algo #2
May 4 10:35:07  racoon: INFO: NAT-D payload #-1 verified
May 4 10:35:07  racoon: [Self]: [68.50.28.223] INFO: Hashing 68.50.28.223[500] with algo #2
May 4 10:35:07  racoon: [KCI Main Office (rapiddsl)]: [69.46.251.130] INFO: Selected NAT-T version: RFC 3947
May 4 10:35:07  racoon: INFO: received Vendor ID: DPD
May 4 10:35:07  racoon: INFO: received broken Microsoft ID: FRAGMENTATION
May 4 10:35:07  racoon: INFO: received Vendor ID: RFC 3947
May 4 10:35:07  racoon: INFO: begin Aggressive mode.
May 4 10:35:07  racoon: [KCI Main Office (rapiddsl)]: INFO: initiate new phase 1 negotiation: 68.50.28.223[500]<=>69.46.251.130[500]
May 4 10:35:07  racoon: [KCI Main Office (rapiddsl)]: INFO: IPsec-SA request for 69.46.251.130 queued due to no phase1 found.
May 4 10:35:06  racoon: INFO: unsupported PF_KEY message REGISTER

On the main office firewall:


May 4 10:35:58  racoon: ERROR: failed to begin ipsec sa negotication.
May 4 10:35:58  racoon: ERROR: no configuration found for 68.50.28.223.
May 4 10:35:11  racoon: ERROR: failed to begin ipsec sa negotication.
May 4 10:35:11  racoon: ERROR: no configuration found for 68.50.28.223.
May 4 10:35:08  racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: 192.168.7.0/24[0] 192.168.135.0/24[0] proto=any dir=out
May 4 10:35:08  racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: 192.168.135.0/24[0] 192.168.7.0/24[0] proto=any dir=in
May 4 10:35:08  racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP 69.46.251.130[500]->68.50.28.223[500] spi=145364656(0x8aa16b0)
May 4 10:35:08  racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP 69.46.251.130[500]->68.50.28.223[500] spi=10457326(0x9f90ee)
May 4 10:35:08  racoon: WARNING: trns_id mismatched: my:BLOWFISH peer:3DES
May 4 10:35:08  racoon: WARNING: trns_id mismatched: my:BLOWFISH peer:3DES
May 4 10:35:08  racoon: WARNING: trns_id mismatched: my:BLOWFISH peer:3DES
May 4 10:35:08  racoon: WARNING: trns_id mismatched: my:BLOWFISH peer:3DES
May 4 10:35:08  racoon: WARNING: trns_id mismatched: my:BLOWFISH peer:3DES
May 4 10:35:08  racoon: WARNING: trns_id mismatched: my:BLOWFISH peer:3DES
May 4 10:35:08  racoon: WARNING: trns_id mismatched: 

Re: [pfSense Support] pfSense 2.0 IPsec on Mac OS X 10.6

2011-04-12 Thread Vick Khera
On Mon, Apr 11, 2011 at 4:46 PM, Paul Mather p...@gromit.dlib.vt.edu wrote:

 Plus, I don't know how well-supported OpenVPN is on devices such as the
 iPad and iPhone.  But, in the absence of "it works for me" responses for
 IPsec on Mac OS X, I may just have to try it. :-)


iOS does not have OpenVPN built in. I never looked to see if some app
provides it, but I highly doubt it.

IPsec has been known to work with IPsecuritas.  It is just hit-or-miss.  For
us, it worked for some people but not others, and pretty much everyone here
was using Comcast as their ISP (including the main office).  I think we
determined that consumer-grade Verizon DSL was blocking IPsec for some
bizarre reason, but my memory is fuzzy on the specifics.


Re: [pfSense Support] pfSense 2.0 IPsec on Mac OS X 10.6

2011-04-12 Thread Vick Khera
On Tue, Apr 12, 2011 at 11:21 AM, Vick Khera vi...@khera.org wrote:

 iOS does not have OpenVPN built in. I never looked to see if some app
 provides it, but I highly doubt it.


One more point: the only VPN we've ever succeeded with on iOS devices is the
PPTP client, but that's just not a very secure thing.  I don't think the
Cisco client works with the pfSense IPSec server.


Re: [pfSense Support] pfSense 2.0 IPsec on Mac OS X 10.6

2011-04-12 Thread Vick Khera
On Tue, Apr 12, 2011 at 2:04 PM, Fuchs, Martin martin.fu...@trendchiller.com wrote:

 I have IPSec from my iPhone To pfsense here...
 Have a look at the Forums. It took some Time but now it works...


I found in the forum that it requires pfSense 2.0.  Does that still stand
true?

And do you configure it via pfSense GUI or a manual hack to the racoon
config file?

I don't find a definitive answer on the forum at all, just a bunch of "try
this, try that" and speculation followed by a bunch of "doesn't work for me"
and "works for me, sorta".

The closest I've found is
http://forum.pfsense.org/index.php/topic,24752.msg130558/topicseen.html#msg130558

Is that the current state of the art for iPhone - pfSense VPN?  It seems
to be in conflict with how I want mobile client settings for my road
warrior network VPNs, such as my home office.  I.e., I do not want to have a
virtual address pool for those connections.


Re: [pfSense Support] pfSense 2.0 IPsec on Mac OS X 10.6

2011-04-11 Thread Vick Khera
On Mon, Apr 11, 2011 at 11:19 AM, Paul Mather p...@gromit.dlib.vt.edu wrote:

 Has anyone managed to get IPsec for mobile clients working with pfSense 2.0
 and Mac OS X 10.6?  If so, which client are you using on the Mac OS X side?
  Is anything special needed on the pfSense side?


I *used* to use IPsecuritas but it was always finicky.  I finally made the
switch for all of the roaming clients to OpenVPN using Tunnelblick and
everything has been much, much more stable.  I still use IPsec for my fixed
end-point tunnels between offices, and that works solidly.  All such
endpoints are pfSense.

Unless you have some hard requirement to use IPSec for your mobile clients,
give OpenVPN a try.


Re: [pfSense Support] Problem with update 1.2.3 to 2.0-RC1 Alix

2011-04-01 Thread Vick Khera
On Thu, Mar 31, 2011 at 5:42 PM, bsd b...@todoo.biz wrote:
 I manually edited my 1.2.3 config file from the WRAP to change the
 interface names

 Ok… Why did you do so?
 Do interface names get handled differently in 2.0 than in 1.2.3?


The ALIX and WRAP boards use different network interfaces, and thus
have different names.

I still don't see how you can do a self-upgrade from 1.2.3 to 2.0. I'd
recommend re-flashing the CF card with the raw 2.0 embedded image.



Re: [pfSense Support] Problem with update 1.2.3 to 2.0-RC1 Alix

2011-03-31 Thread Vick Khera
On Thu, Mar 31, 2011 at 12:56 PM, bsd b...@todoo.biz wrote:
 I am kind of stuck with a 1.2.3 to 2.0 upgrade on a 1Gb Alix CF card.
 I wanted to know how long the upgrade process is supposed to last ?
 … And if there is a way to import a 1.2.3 config in 2.0 ?


How are you running an upgrade?  I have not been able to make 1.2.x
self upgrade on my WRAP boards.  When I moved to 2.0 I upgraded to the
Alix and just re-wrote the CF card.  It is totally a different on-disk
layout anyhow, so that you can easily self upgrade and revert if
necessary by choosing the older version to boot.

 I have had no success importing the conf (simple install : LAN, WAN, WLAN, 
 couple of filtering rules, OpenVPN client)…

 Should I recreate everything from scratch directly in 2.0 ?

I manually edited my 1.2.3 config file from the WRAP to change the
interface names and uploaded it into a 2.0 on Alix and was up and
running as soon as it rebooted (and Comcast decided to let my new MAC
address get a DHCP public IP).  Everything worked just fine, including
the IPsec tunnels to the offices.



Re: [pfSense Support] pfSense as subordinate CA

2011-03-23 Thread Vick Khera
On Wed, Mar 23, 2011 at 7:03 AM, Fuchs, Martin martin.fu...@trendchiller.com wrote:
 I’d like to use my Windows 2008R2 CA as the main CA and pfSense as a
 subordinate CA.

 When I import an existing certificate of a subordinate CA, I cannot choose
 this CA when creating new certs with pfSense… (it displays the CA then as
 external)

Not sure I follow the need, but it sounds like you just need to import
the CA certificate into pfSense, then just keep using the windows CA
to issue certificates, and pfSense will authenticate them.  That's
what we do for our 1.2.3 installation -- the CA is on another server.



Re: [pfSense Support] pfSense 2.0 RC1 Nanobsd Problem

2011-03-07 Thread Vick Khera
On Sun, Mar 6, 2011 at 5:05 PM, Bao Ha b...@hacom.net wrote:
 Something happened in BETA5 and it was carried into RC1, up to today
 snapshot: 20110306-0859.


I see this in my embedded BETA5 install at home (I should upgrade soon
to RC1 I suppose...)

I see no significant amount of writing to it.  There are no extra
packages installed and all it does is basic NAT + firewall + IPsec
VPN.  It is a fairly generic CF card too.



Re: [pfSense Support] Restrict a web site access by remote IP address block, gain access by VPN into that block?

2011-02-09 Thread Vick Khera
On Tue, Feb 8, 2011 at 11:50 PM, Chuck Mariotti cmario...@xunity.com wrote:

 Now the client wants to allow a few people access to the web site while at
 home. Unfortunately, password protecting it is not an option. VPN access
 seems to be the only options but I’m wondering what the best approach would
 be.


SSH port forwarding could be applied here as well.


Re: [pfSense Support] Buttons or menu options

2011-02-02 Thread Vick Khera
On Tue, Feb 1, 2011 at 4:07 PM, Atkins, Dwane P atki...@uthscsa.edu wrote:
 The latest was http://10.10.10.10/reboot.php.  I clicked on the reboot menu
 option and it gave me source code.



 Is there a way to stop this?

Stop clicking buttons?  :)

What version are you running, and what did you do to break it?



Re: RE: [pfSense Support] Can't build Regular ISO either

2011-02-01 Thread Vick Khera
On Tue, Feb 1, 2011 at 11:36 AM, Mark Jones mjo...@imagehawk.com wrote:
 Another error is a missing dprintf which appears to come from glibc and is 
 found on linux.  I did have the installer load the linux binary 
 compatibility, but is there some other port I need to load to make dprintf be 
 present?

What specific software are you trying to compile that requires linux
compatibility libraries?  The only modern software that I can think of
to want to run that doesn't build natively on freebsd is apache qpid.

In any case, to build linux binaries, you need to install the full
linux build tool set, usually red hat RPMs of those will suffice. You
can't use the freebsd build tools to build linux binaries.



Re: [pfSense Support] How to build a Developer ISO

2011-01-31 Thread Vick Khera
On Mon, Jan 31, 2011 at 10:52 AM, Mark Jones mjo...@imagehawk.com wrote:
 loading java is a pain on FreeBSD.

Not really.  Download from freebsdfoundation.org, install.  Done.

If you prefer, you may re-build from sources as well once you have a
bootstrapping JDK installed.



Re: [pfSense Support] Does dnsmasq have a problem with hostnames with hyphens?

2011-01-28 Thread Vick Khera
On Thu, Jan 27, 2011 at 2:10 AM, Chris Buechler cbuech...@gmail.com wrote:
 Has nothing to do with the hyphen, it resolves to a private IP, which
 is rejected by default by the DNS rebinding protection. Disable it
 under System > Advanced if you need that to work. More info in a thread
 on the same topic within the past 2-3 days.


If you know the set of domains for which you want the private IPs to
be exposed, I think the better solution is to add the bypass to the DNS
forwarder configuration.  Add the domains with a # as the DNS
server's IP.  I found this to be a better solution for me than
disabling the rebinding protection in System > Advanced.



Re: [pfSense Support] Hardware not supported

2011-01-26 Thread Vick Khera
2011/1/26 İhsan Doğan ih...@dogan.ch:
 Can I build myself an 8.2 kernel and copy it manually to the pfSense
 disk?
 Is the kernel config that is used by pfSense somewhere available?


What specifically is failing on your hardware? It could be just a
matter of replacing a single device driver, or even eliminating one in
the pfSense kernel so that your system will boot.

If it is an ethernet device, one option is to buy a compatible
ethernet PCIe card and install that until pfSense moves to 8.2+.



Re: [pfSense Support] dns forwarder failing on some hostnames

2011-01-19 Thread Vick Khera
On Wed, Jan 19, 2011 at 11:54 AM, Chris Buechler cbuech...@gmail.com wrote:
 You get both if you just use domain overrides for domains where you
 expect private IP responses. Domains in domain overrides are excluded
 since most commonly those return private IPs, generally leaving
 Internet DNS only as where private IP responses are blocked.

Excellent.  I'll do that, as there are only three domain names
involved (or two, if kcilink.com implies int.kcilink.com)

Thanks a bunch!  2.0 is certainly very very nice looking.  I have yet
to investigate many of the new features but the basic upgrade of
uploading my 1.2.3 config file into 2.0 worked splendidly.

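Both this thread and the earlier dnsmasq hyphen thread come down to the same mechanism: rebinding protection drops answers that point into private address space unless the name is covered by a domain override. The following is an added example, not code from the posts, pfSense or dnsmasq: a small model of that filter run over the lookups quoted in the thread, so the empty answer for vk-dev.int.kcilink.com and the working answer for mmfe1.m1e.net can be reproduced side by side. The set of blocked ranges is an assumption.

```python
"""Model of dnsmasq-style DNS rebinding protection with domain overrides.

Added example; not code from the mailing-list posts, pfSense or dnsmasq.
It reproduces the behaviour the threads describe: with rebinding protection
on, the forwarder hands back an empty NOERROR answer for a name whose A
record points into private space, unless the name falls under a configured
domain override.  The blocked ranges are an assumption modelled on what
dnsmasq's --stop-dns-rebind rejects; check the man page of your version.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List

# Ranges treated as "private" for the rebind check (assumed set; see above).
_REBIND_BLOCKED = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")
]


def is_rebind_target(addr: str) -> bool:
    """True if an A record with this address trips rebinding protection."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in _REBIND_BLOCKED)


def under_domain(name: str, domain: str) -> bool:
    """True if name equals domain or is a subdomain of it.

    Case-insensitive; trailing dots ignored; 'notkcilink.com' is not under
    'kcilink.com', which a plain endswith() check would get wrong."""
    n = name.lower().rstrip(".")
    d = domain.lower().rstrip(".")
    return n == d or n.endswith("." + d)


@dataclass
class Forwarder:
    """One DNS forwarder instance with its rebind setting and overrides."""
    rebind_protection: bool = True
    # Domain overrides as entered on the pfSense DNS Forwarder page.  The
    # reply in the thread uses "#" as the server address: forward the
    # domain to the normal upstream servers, but exempt it from the check.
    overrides: Dict[str, str] = field(default_factory=dict)

    def exempt(self, name: str) -> bool:
        return any(under_domain(name, d) for d in self.overrides)

    def filter_answer(self, name: str, upstream: List[str]) -> List[str]:
        """Return the A records a LAN client would actually receive."""
        if not self.rebind_protection or self.exempt(name):
            return list(upstream)
        # No override: if any record is private, the whole answer is
        # dropped, which is what shows up as "status: NOERROR ... ANSWER: 0"
        # in the dig output quoted in the thread.
        if any(is_rebind_target(a) for a in upstream):
            return []
        return list(upstream)


# Constructed sample built from the lookups quoted in the thread.
UPSTREAM_ANSWERS = {
    "vk-dev.int.kcilink.com": ["192.168.7.96"],
    "mmfe1.m1e.net": ["206.112.95.7"],
    "mmfe1-prv.m1e.net": ["192.168.100.7"],
}


def compare() -> Dict[str, tuple]:
    """Answers before and after adding the domain overrides suggested
    in the thread, keyed by hostname: (default, with_overrides)."""
    default = Forwarder()
    fixed = Forwarder(overrides={"int.kcilink.com": "#", "m1e.net": "#"})
    return {
        name: (default.filter_answer(name, recs), fixed.filter_answer(name, recs))
        for name, recs in UPSTREAM_ANSWERS.items()
    }


if __name__ == "__main__":
    for host, (before, after) in compare().items():
        print(f"{host:24s} default={before or 'empty'} override={after}")
```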


[pfSense Support] dns forwarder failing on some hostnames

2011-01-18 Thread Vick Khera
I updated from my 1.2.3 based WRAP box to a 2.0-BETA5 (self-updated
after install to have latest image from around 4am today) ALIX box
earlier this afternoon.  I observe the same behavior from a December
13 firmware (I made the CF card way back then).

Almost everything is working.  I am having some trouble with the DNS
forwarder but only for *some* domains. This did not occur with
1.2.3-RELEASE.

192.168.135.1 is my pfSense LAN address.  The WAN is over Comcast,
which assigns 75.75.75.75 and 75.75.76.76 as the DNS servers.  I have
selected the "allow DHCP to override the DNS servers" option on the
WAN.

It feels like it is eating up any 192.168.0.0/16 IP address returned
for a hostname.

If I look up certain host names, I get back an empty response from the
DNS forwarder, but other DNS servers work just fine:


[lappy]% dig vk-dev.int.kcilink.com

; <<>> DiG 9.6.0-APPLE-P2 <<>> vk-dev.int.kcilink.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7576
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;vk-dev.int.kcilink.com.        IN      A

;; Query time: 43 msec
;; SERVER: 192.168.135.1#53(192.168.135.1)
;; WHEN: Tue Jan 18 16:35:34 2011
;; MSG SIZE  rcvd: 40

[lappy]% dig vk-dev.int.kcilink.com @75.75.75.75

; <<>> DiG 9.6.0-APPLE-P2 <<>> vk-dev.int.kcilink.com @75.75.75.75
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4576
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;vk-dev.int.kcilink.com.        IN      A

;; ANSWER SECTION:
vk-dev.int.kcilink.com. 3089    IN      A       192.168.7.96

;; Query time: 18 msec
;; SERVER: 75.75.75.75#53(75.75.75.75)
;; WHEN: Tue Jan 18 16:35:42 2011
;; MSG SIZE  rcvd: 56



Note below how mmfe1-prv.m1e.net fails but mmfe1.m1e.net does not.
mmfe1-prv.m1e.net should resolve to 192.168.100.7



[lappy]% dig mmfe1.m1e.net

; <<>> DiG 9.6.0-APPLE-P2 <<>> mmfe1.m1e.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10198
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;mmfe1.m1e.net.                 IN      A

;; ANSWER SECTION:
mmfe1.m1e.net.          14299   IN      A       206.112.95.7

;; Query time: 8 msec
;; SERVER: 192.168.135.1#53(192.168.135.1)
;; WHEN: Tue Jan 18 16:38:26 2011
;; MSG SIZE  rcvd: 47

[lappy]% dig mmfe1-prv.m1e.net

; <<>> DiG 9.6.0-APPLE-P2 <<>> mmfe1-prv.m1e.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41805
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;mmfe1-prv.m1e.net.             IN      A

;; Query time: 40 msec
;; SERVER: 192.168.135.1#53(192.168.135.1)
;; WHEN: Tue Jan 18 16:38:34 2011
;; MSG SIZE  rcvd: 35




Seems the only solution is to disable the dns forwarder and renew the
DHCP leases.



Re: [pfSense Support] Squid Log and MAC address

2011-01-06 Thread Vick Khera
2011/1/6 Koray AGAYA insanad...@gmail.com:
 I need the MAC addresses because of the detailed logs for each computer. How can I
 do it? Please help


Force each computer to have a fixed IP address.



Re: [pfSense Support] Automagically changing upload/download speed for trafic shaping

2010-12-10 Thread Vick Khera
On Thu, Dec 9, 2010 at 7:29 PM, Kim C. Callis kim.cal...@gmail.com wrote:
 Because of a Rube Goldberg home network setup, I have to use a CLEAR
 device (claimed to be a 4G device, but only 3G so far) as my WAN


Are you able to get your CLEAR modem to not NAT the real IP address?



Re: [pfSense Support] Block traffic to all but WAN

2010-12-03 Thread Vick Khera
On Fri, Dec 3, 2010 at 5:14 AM, Cyril Jaquier cyril.jaqu...@jaqpot.net wrote:
 I have WAN, LAN, VOIP and several VAP (WLAN0, WLAN1, etc). I would like to
 only allow traffic from VOIP to go through WAN and no other interfaces. I
 didn't find a way to do this easily and the only solution seems to add a
 block rule for every interface's network (except WAN of course). Or did I
 miss something? I'm using pfSense 2.0.

You could set up a policy routing outbound rule on your LAN such that
all traffic from a specific port range is routed via the WAN interface.



Re: [pfSense Support] MAC based Access Control

2010-11-29 Thread Vick Khera
On Mon, Nov 29, 2010 at 8:11 AM, Adam Piasecki
apiase...@midatlanticbb.com wrote:
 I understand it's a false sense of security, but I can see how it would be
 helpful.  Maybe a package can be made with the understanding that it's not
 100% foolproof.


So you have a security feature that works, except when it doesn't.
The problem is there is no way to tell when it is not working, so how
do you deal with it then?



Re: [pfSense Support] inconsistent handling of VPN remote endpoints

2010-11-15 Thread Vick Khera
On Thu, Nov 11, 2010 at 1:26 PM, Jim Pingle li...@pingle.org wrote:
 IPsec does not route, OpenVPN does. That's one fundamental difference
 here. Another is that the policy route exclusion code can find the IPsec


Could you explain the difference in behavior of the static IPsec
endpoints vs. the roaming IPsec endpoints?  I.e., the static ones were
not affected by the default LAN rule to direct traffic into the
failover pool, but the roaming clients were.



[pfSense Support] inconsistent handling of VPN remote endpoints

2010-11-11 Thread Vick Khera
Yesterday I was diving into why I could not connect *to* openvpn
clients from the office, and discovered that having a rule that sends
all LAN traffic to our WAN failover pool was interfering with that
traffic.  Ultimately it dawned on me that this is also the cause that
I cannot originate connections to my home office (running roaming
IPSec) from the main office, and adding rules to route these LANs to
the 'default' gateway before the pool rule allowed such connections to
work.

Now, the curious part of this is that the fixed end-point IPsec remote
offices were never affected by the failover pool rule!  There was
never any problem connecting to my data center via the vpn from the
main office even without my new rules to direct its traffic to the
default gateway.

I think it would be really nice if the VPN endpoints would all behave
like the fixed endpoint IPsec connections so I did not need to add
rules to the LAN filter to avoid the failover pool rule.  Barring
that, it would be really handy to have on the destination drop down
an item for OpenVPN and/or IPSec endpoints, similarly to how there is
one for PPTP clients.

Thanks!

ps, I'm running pfSense 1.2.3 everywhere other than the OpenVPN
clients, which are random laptops running windows, freebsd, or macos.


[pfSense Support] Re: making connections *to* a road-warrior openvpn host

2010-11-09 Thread Vick Khera
On Fri, May 28, 2010 at 5:50 PM, Vick Khera vi...@khera.org wrote:
 That desktop can ssh/http/imap/whatever to any host in the office LAN.

 Any host in the office LAN however cannot ping/ssh/http/whatever to
 that remote IP.

 The only system in the office that can ping the remote is the pfSense
 box itself.


Well, after letting this fester for a long time I finally got around
to really digging into this.  It turns out that at some point we added
a second WAN connection, and put in a load-balancing rule for policy
routing all traffic from the LAN to the fail-over queue.  This pulled
in all traffic destined to the openvpn client that did not already
have a state rule to route it properly.

Ultimately the reply #7 on this thread
http://forum.pfsense.org/index.php?topic=11438.0 of the forum led
me to the solution, which was to add a rule for LAN traffic destined
to the openvpn client addresses to go via default gateway.  This let
the routing table get used, and then the openvpn route worked.

Posting here so others can discover it on the archives.
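The rule-ordering effect described in this post and in the 2010-11-11 "inconsistent handling of VPN remote endpoints" post can be reproduced in a few lines. The block below is an added example, not code from the list or from pfSense: it models the kernel routing table as a longest-prefix match and the LAN policy-routing rules as first-match (the way pfSense evaluates them), and shows that a catch-all "LAN to any via failover pool" rule captures traffic for the OpenVPN client subnet unless a rule without a gateway is placed in front of it. The two tun0 routes are the ones quoted in the 2010-05-28 post; the 192.168.1.0/24 office LAN, the default route and the interface names are constructed assumptions.

```python
import ipaddress

# Routing table: (destination, gateway, interface). The two tun0 entries are
# quoted from the 2010-05-28 post; the other two are constructed for the example.
ROUTES = [
    ("0.0.0.0/0", "203.0.113.1", "em0"),          # constructed default route (WAN)
    ("192.168.1.0/24", "link#2", "em1"),          # constructed office LAN
    ("192.168.60.0/24", "192.168.60.2", "tun0"),  # OpenVPN subnet, from the post
    ("192.168.60.2/32", "192.168.60.1", "tun0"),  # OpenVPN peer, from the post
]

LAN_NET = "192.168.1.0/24"   # assumed office LAN


def route_lookup(dst):
    """Longest-prefix match over ROUTES, as the kernel routing table does."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway, ifname in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, ifname)
    return (best[1], best[2]) if best else None


def lan_rules(with_vpn_exception):
    """LAN rule set, evaluated first-match. gateway=None means no gateway is
    set on the rule, so the routing table decides."""
    rules = []
    if with_vpn_exception:
        # The fix from the post: LAN -> OpenVPN client addresses, default gateway.
        rules.append({"src": LAN_NET, "dst": "192.168.60.0/24", "gateway": None})
    # The original catch-all: everything from LAN into the WAN failover pool.
    rules.append({"src": LAN_NET, "dst": "0.0.0.0/0", "gateway": "failover-pool"})
    return rules


def egress(src, dst, rules):
    """Return (gateway, interface) chosen for a packet src -> dst.
    A policy route returns the gateway group name and None for the interface,
    since the member interface is picked inside the group, not here."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    for rule in rules:
        if s in ipaddress.ip_network(rule["src"]) and d in ipaddress.ip_network(rule["dst"]):
            if rule["gateway"] is not None:
                return (rule["gateway"], None)   # routing table bypassed entirely
            break   # matched a rule with no gateway: fall through to the table
    return route_lookup(dst)


if __name__ == "__main__":
    for flag in (False, True):
        print("vpn exception rule present:", flag,
              "-> 192.168.60.6 goes via", egress("192.168.1.10", "192.168.60.6", lan_rules(flag)))
```

Without the exception rule the packet for 192.168.60.6 is handed to the failover pool and never consults the tun0 route; with it, the rule without a gateway matches first and the routing table sends it down the tunnel. The simulation does not model the automatic policy-route exclusion that Jim Pingle's reply says pfSense applies to static IPsec endpoints, which is why those never needed the extra rule.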


Re: [pfSense Support] QoS for Dummies?

2010-08-31 Thread Vick Khera
On Tue, Aug 31, 2010 at 12:55 AM, Glenn Kelley gl...@typo3usa.com wrote:
 unless something has changed - i never did find a way to do this 100%.
 I had a similar setup for a call center - folks doing collections of all 
 things... anyhow - I had them spring for a 2nd cable modem and setup 2 
 pfsense systems


Our VoIP issues stem from packet loss and delays.  Check the quality
of your line(s) too.  I think the problem is our building -- even
verizon analog lines are craptastical here.  The only reliable link we
have is our backup microwave link :-(


Re: [pfSense Support] Two site2site VPN networks with two home user VPN pools in one pfsense box

2010-08-27 Thread Vick Khera
On Fri, Aug 27, 2010 at 10:16 AM, Llaminku i...@llaminku.nl wrote:
 - I need to setup a pfsense box with two VPN tunnels to two (client)
 networks (site to site). These two networks have an overlapping address
 space. Can this be done?


if the addresses overlap how will the router know over which vpn link
to send the data?  Renumber one of the remote networks.


Re: [pfSense Support] interrupt v kernel usage

2010-08-26 Thread Vick Khera
On Wed, Aug 25, 2010 at 2:20 AM, David Burgess apt@gmail.com wrote:
 Was I wrong to expect a drop in CPU usage with the Intel GBE?


If you had a more beefy CPU, I'm sure the usage would go down.  The
500MHz Geode is a puny processor relatively, so it is spending a lot
more time doing the work than a bigger CPU would take.


Re: [pfSense Support] Ampro ReadyBoard fails to boot - Fixed

2010-08-18 Thread Vick Khera
On Tue, Aug 17, 2010 at 5:20 PM, Cristian Ionescu-Idbohrn
cristian.ionescu-idbo...@axis.com wrote:
 That is, you have a BIOS configuration that is incorrect, and how an OS
 behaves with it is undefined.

 How can one configure borken BIOSes?


You have hardware for two serial ports, and the bios says you have 4.
Garbage configuration.  Garbage results.


Re: [pfSense Support] Ampro ReadyBoard fails to boot - Fixed

2010-08-17 Thread Vick Khera
On Sun, Aug 8, 2010 at 4:46 PM, Gerald A geraldabli...@gmail.com wrote:
 The litmus test would be to try booting another OS, like Windows. If Windows
 boots without hanging, then FreeBSD isn't handling states properly. If
 Windows also hangs in the same circumstances, it might be something that
 needs to be set

I'd say if windows boots then it is a grey area.  That is, you have
a BIOS configuration that is incorrect, and how an OS behaves with it
is undefined.


Re: [pfSense Support] PTPP with Android

2010-08-17 Thread Vick Khera
On Wed, Aug 11, 2010 at 12:24 AM, Joe Laffey j...@laffey.tv wrote:
 I am trying to connect to a pfsense 1.2-RC1 box from an Android (Droid-X)
 phone.

 I set up the PPTP as described in the docs. I have the ips all set right,
 and added the firewall rule.

 When I try to connect, however, it fails, and I am not sure why. Android
 gives no good log of this (that I can find).

Works for me with my Droid Incredible.  Doesn't always stay connected
for a long time, but it does connect using the basic PPTP vpn on the
droid.  I wish they'd add an OpenVPN native client.


Re: [pfSense Support] iPad ssl vpn client

2010-08-05 Thread Vick Khera
On Thu, Aug 5, 2010 at 4:28 AM, Seth Mos seth@dds.nl wrote:
 Viscosity on the Mac works great, but that doesn't apply to iOS.


We just punt and use the PPTP client built-in to iOS.  It is not
really as secure as we'd like but we normally only run ssh or an https
connection over it so that part is double secured.  I'd *love* to see
an OpenVPN client.


Re: [pfSense Support] PFSENSE 2.0

2010-08-02 Thread Vick Khera
none of the devices on which I run embedded even *have* VGA, so I disagree.
 If you have a full system, just run the full release.

On Sat, Jul 31, 2010 at 4:17 AM, Anil Garg garg_art2...@yahoo.com wrote:

 I think VGA with embedded is now major convenience issue.



Re: [pfSense Support] PFSENSE 2.0

2010-07-30 Thread Vick Khera
On Thu, Jul 29, 2010 at 11:54 PM, Anil Garg garg_art2...@yahoo.com wrote:
 I also hadn't
 heard of usb to serial and so will go look for that as well next time I am at
 best buys...

Not so likely to find it there... I get them online from here:
http://www.dealextreme.com/details.dx/sku.5859

They work just great plugged into a FreeBSD and MacOS X host.  I'm
sure they'll work in windows, and likely linux.  I've driven them at
115200 baud with no problems.

Buy a handful at that price! :-)  They are a chinese company and ship
directly from there, but the stuff usually arrives within a week.
I've bought lots of stuff from them.


Re: [pfSense Support] HELP: VPN and Static Routes

2010-06-29 Thread Vick Khera
On Tue, Jun 22, 2010 at 7:22 AM, Public Dump p...@suspiria.net wrote:
 I am using PFSENSE to maintain a site to site VPN between two locations. The
 VPN is PPTP based and PFSENSE is used on one site of the link (passive
 side).

How'd you come to choose PPTP to connect the pair of pfSense routers?
PPTP is really not as secure as the other options. In fact, my
security auditing company recommends running PPTP over a secure
channel like IPSec (makes me laugh to think why one would do that...)

Seems to me the better choice would be IPSec or OpenVPN based tunnels.
I use IPSec and it is 100% rock solid between the fixed endpoints.  I
occasionally get a dropped or hung connection on mobile clients.
OpenVPN clients have been very stable too.


Re: [pfSense Support] Re: CARP ip on different network range

2010-06-03 Thread Vick Khera
On Thu, Jun 3, 2010 at 3:06 PM, Ian Bowers iggd...@gmail.com wrote:
 My comment on patching was more abstract than saying Cisco is more of
 a fire and forget box than BSD.  a BSD box, even as a network
 appliance, is going to have more services listening than a cisco
 router.  Or at least that tends to be the case in practice.  Most


The stock freebsd install listens on basically nothing unless you tell
it to, including ssh.  pfSense is not really a BSD Box either, and
is even more tightly configured.  This argument is a big red herring.


[pfSense Support] making connections *to* a road-warrior openvpn host

2010-05-28 Thread Vick Khera
I have a remote desktop connected in a single-point OpenVPN connection
to my office pfSense 1.2.3.

That desktop can ssh/http/imap/whatever to any host in the office LAN.

Any host in the office LAN however cannot ping/ssh/http/whatever to
that remote IP.

The only system in the office that can ping the remote is the pfSense
box itself.

If I traceroute to the remote box's openvpn address from pfSense, it
shows one hop.  If I traceroute from another box to the remote openvpn
IP, it goes out over the public routers to oblivion.

What do I need to do to make pfSense take packets for this LAN and
shove them down the openvpn tunnel?  The routes seem right.  The
pfsense router is the default route on every machine on the office
LAN.



Relevant route info from pfSense box:

192.168.60.0/24    192.168.60.2       UGS         0    35501   tun0
192.168.60.2       192.168.60.1       UH          1        0   tun0


tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
inet6 fe80::203:47ff:fe73:a243%tun0 prefixlen 64 scopeid 0x8
inet 192.168.60.1 -- 192.168.60.2 netmask 0x
Opened by PID 53938


# ping 192.168.60.6
PING 192.168.60.6 (192.168.60.6): 56 data bytes
64 bytes from 192.168.60.6: icmp_seq=0 ttl=64 time=52.213 ms
64 bytes from 192.168.60.6: icmp_seq=1 ttl=64 time=291.092 ms
^C
--- 192.168.60.6 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 52.213/171.653/291.092/119.439 ms
# traceroute !$
traceroute 192.168.60.6
traceroute to 192.168.60.6 (192.168.60.6), 64 hops max, 40 byte packets
 1  192.168.60.6 (192.168.60.6)  176.333 ms  46.134 ms  21.489 ms



from a MacOS machine on the same LAN as the pfsense:

% ping 192.168.60.6
PING 192.168.60.6 (192.168.60.6): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
% traceroute 192.168.60.6
traceroute to 192.168.60.6 (192.168.60.6), 64 hops max, 52 byte packets
 1  * * *
 2  68.85.138.221 (68.85.138.221)  9.050 ms  10.376 ms  11.246 ms
 3  po-30-ur01.rockville.md.bad.comcast.net (68.87.129.153)  196.578 ms  7.583 ms  9.222 ms
 4  po-60-ur01.chillum.dc.bad.comcast.net (68.87.128.217)  10.244 ms  18.659 ms  9.206 ms
 5  po-30-ur01.michiganave.dc.bad.comcast.net (68.87.128.210)  9.875 ms  8.888 ms  9.482 ms
 6  po-60-ur01.benning.dc.bad.comcast.net (68.87.128.165)  10.743 ms  9.753 ms  9.936 ms
 7  be-30-ar03.capitolhghts.md.bad.comcast.net (68.87.128.174)  10.074 ms  10.757 ms  9.928 ms
 8  * * *
 9  * * *
10  * * *


All the while there is an SSH connection from 192.168.60.6 to this
machine, so clearly it can talk to the remote end just fine somehow.


Re: [pfSense Support] pfsense 1.23 rc3 - ipsec VPN dies randomly, but stays active in the overview

2010-05-21 Thread Vick Khera
On Fri, May 21, 2010 at 4:17 AM, Michel Servaes mic...@mcmc.be wrote:
 PSEC still dies silently from time to time.
 I have to restart racoon each and every now and then... (and I am
 preferring the old IPSEC sa's on all pfsense ends (which are 3 nodes
 now)

Do you have the keepalive ping running, and is it pointing to an IP on
the other end LAN (not the other endpoint router IP)?

I haven't had IPsec break since pfSense 1.2 came out.  I used to get
random drops that required stop/start of ipsec before then.  What
version are you running everywhere?  Oh... hmm. you seem to have one
non-pfSense endpoint.  I don't know if that's your problem then.  My
pfSense endpoints are very stable.


Re: [pfSense Support] upgrading wrap to alix

2010-05-03 Thread Vick Khera
On Sat, May 1, 2010 at 6:26 PM, Jim Pingle li...@pingle.org wrote:
 The ALIX boards can have a few different configurations, some of which
 have USB ports, so you may need to check carefully. The enclosures are
 really cheap though, it would probably be worth getting another given
 the relatively small cost.

true enough... i guess I can get my red case now to make it a real
firewall :-)


 PoE should still work. You will have to change the interfaces in the
 configuration when you restore it on the ALIX. The interfaces on the
 WRAP are sis(4), the ALIX has vr(4).

Thanks for the tip.


[pfSense Support] upgrading wrap to alix

2010-05-01 Thread Vick Khera
Given that running on the WRAP requires some hackery, and does not
support the dual firmware partitions, I'm planning to replace my
current WRAP motherboard with the new ALIX board.  I have the
2-ethernet, 2 miniPCI version of WRAP.  Do I need a new enclosure to
fit the ALIX? They appear to be laid out the same, so I'm guessing
not, but just wanted to see if anyone here knows.  I provide power
using PoE so I'm assuming that will still work.

Thanks!


Re: [pfSense Support] OT: VLAN

2010-03-12 Thread Vick Khera
On Fri, Mar 12, 2010 at 11:13 AM, Michel Servaes mic...@mcmc.be wrote:
 Basically, I have a cable-tv settopbox, that needs a direct WAN

Seriously?  The TV box won't work behind a NAT?  Them's crazy talk!  I
think you'll need some extra cabling here, because you really really
really do not want to cross connect your LAN and your WAN in any way
shape or form, even with a VLAN.


Re: [pfSense Support] OT: VLAN

2010-03-12 Thread Vick Khera
On Fri, Mar 12, 2010 at 12:31 PM, Michel Servaes mic...@mcmc.be wrote:
 The settop box has its own private address range... where my pfsense
 gets a public address, the settop box has a 10.x.x.x address. (while
 my own LAN is 172.16.x.x).
 This way, my provider has its way to track internet-traffic and
 settop-box traffic (since they only count the internet one in our
 monthly limit).

If all you need is for the settop box to have its own WAN IP dedicated
to it for traffic measurement purposes, just do a 1:1 NAT on pfsense,
and leave the rest of your internal network as-is.  No need for
multiple LANs.


Re: [pfSense Support] VPN LAN TO LAN

2010-03-05 Thread Vick Khera
On Wed, Mar 3, 2010 at 9:28 AM, Rafael Cristian Machado de Avila
rcristia...@gmail.com wrote:
 Also not sure what kind of access will be made between the networks. Example
 Active Directory, File Server, administrative applications

This is one of the main uses we make of pfSense.  I have two offices,
a data center, and two home offices all linked together via IPsec VPN
and pfSense at each point.  The offices and data center use fixed
endpoints (fixed IP) and the home offices use client mode.  In
client mode you can only make the connections outbound so if the
IPsec circuit is not up, you cannot force it up from the main office,
for example.  Only a client at the home office can cause it to start
up.  This is easily worked around using appropriate keepalive
settings.

You can control what traffic flows to where via the firewall rules
under the firewall's IPsec tab.  We just leave it open.

Over the vpn hops, we run mostly internal HTTP servers, SIP, ssh, and
IMAP for mail access to the main office.  If you have enough bandwidth
to support what your purpose is, pfSense will not be the bottleneck.
It is rock solid reliable and has been for years.   You will be happy
with it.


Re: [pfSense Support] 1.2.3: dnsmasq and mac os x 10.6 snow leopard

2010-03-01 Thread Vick Khera
On Mon, Mar 1, 2010 at 9:45 AM, Scott Ullrich sullr...@gmail.com wrote:
 That does not make any sense to me.  I have quite a number of Macs and
 do not see this issue.


Ditto.  My entire home network is Macs (5 of them) and I never have
seen any issues with the dns on pfsense.


Re: [pfSense Support] IPSec on 1.2-embedded

2010-02-10 Thread Vick Khera
On Tue, Feb 9, 2010 at 11:19 AM, Gary Buckmaster g...@s4f.com wrote:
  Using 1.2.3 and setting a low DPD value should help this issue, but keep in
 mind that it will still be dead until the DPD value has been reached.

What is this called on the GUI? I don't see anything obvious in the
tunnel configuration page.


Re: [pfSense Support] IPSec on 1.2-embedded

2010-02-10 Thread Vick Khera
On Wed, Feb 10, 2010 at 11:26 AM, Gary Buckmaster g...@s4f.com wrote:
 The field you're looking for is DPD Interval.


Thanks!


Re: [pfSense Support] how does one test for stability?

2010-02-04 Thread Vick Khera
On Thu, Feb 4, 2010 at 11:46 AM, mehma sarja mehmasa...@gmail.com wrote:
 Nagios is complex and the Reconnoiter thing looks weird. Now that I think

TANSTAAFL.  If your requirements involve knowing when things are not
working right, you a) need to know what the baseline of working
properly means, and b) have a means to detect when that baseline is
out of the norm, and c) have a means to notify you of that.  The tools
that do this are not trivial, because the problem is not trivial.  I
really don't think your Control Center software at your prior company
was easy software.

 about it, is there a formal database in a pfsense install? Don't
 know...pkg_info -a shows blank and a find on *.conf does not show a hint of
 a db. The PHPService package could be used to send messages. Remote
 syslogging will get some info - not all.

Not that I'm aware.  I suspect if any package needed a database it'd
install it.  But that just seems wrong, from a moral standpoint, to
have on a firewall. I suppose it would be ok if it were sqlite or
BDB... but never anything that listened to a network socket.


Re: [pfSense Support] how does one test for stability?

2010-02-01 Thread Vick Khera
On Mon, Feb 1, 2010 at 4:50 PM, mehma sarja mehmasa...@gmail.com wrote:
 It would be neat to have a cron job reporting certain parameters conveying
 how a pfsense is running. I use to work at a company managing a hundred and
 a quarter FreeBSD appliances and we had a custom Control Center webpage
 where we could track all machines easily.

Sounds like you'd be interested in investigating something like Nagios
or Reconnoiter (from OmniTI) to collect, sort, and display your
statistics and generate alarms when bad things happen.  Not sure what
kind of plugins are in pfSense for reporting or supporting such
monitoring.


Re: [pfSense Support] Command in Crontab Missing

2010-01-29 Thread Vick Khera
On Fri, Jan 29, 2010 at 2:36 AM, Indrajaya Pitra Perdana
viet...@indo.net.id wrote:

 I try to insert several command in the /etc/crontab file, but after
 sometimes (around 30 days) the command that i manually insert is gone, is
 there something that made the crontab reset as it was before ?
 i use 1.2.2 version , thx before


Pretty much any file you manually edit will go away on reboot.  Any
configuration you want to persist must be done via the GUI.


Re: [pfSense Support] NanoBSD on WRAP

2009-12-14 Thread Vick Khera
On Sun, Dec 13, 2009 at 7:49 PM, Ugo Bellavance u...@lubik.ca wrote:
 and I don't have much time to setup a separate freebsd/pfsense box to do the
 changes.

A quickie VMware or VirtualBox image will do just fine.  Takes about
10 minutes to install a minimal freebsd image. Add a network
interface, and scp the file back and forth from your main machine.

You will need that for any updates you want to apply, so having that
VM sitting around is probably a good thing.


Re: [pfSense Support] Is your embedded pfsense stable?

2009-12-03 Thread Vick Khera
On Thu, Dec 3, 2009 at 1:35 AM, mehma sarja mehmasa...@gmail.com wrote:
 1.2.3-RC3, nanobsd on a Netgate Alix board with 256 MB RAM and a 8GB CF
 card. The firmware and all have been updated.

I installed on a WRAP 2-ethernet system at my home the Nov 3 snapshot
on Nov 3.  I applied the boot sector patch as outlined on the wiki to
let it boot on the WRAP.

So far, it has locked up twice.  The first time I was unable to get
the serial console to respond, nor pings, nothing.   The second time I
was in a hurry (the Boss was in the family room waiting for her laptop
to get to the net) so I just power cycled it.

Right now I suspect it overheated, so I moved stuff around to give
it more air.  If it happens again, I'll dig deeper.


Re: [pfSense Support] Power Question for pfsense

2009-11-30 Thread Vick Khera
I've had my disk get corrupted exactly once in the last several years with
pfSense power failure.  It confused me how it could happen given that the
embedded runs with the disk partition for the config mounted RO.  In
any case, a manual fsck fixed it up, but it was definitely not something The
Boss could have done on her own at home.

At home we get power failures at a ridiculous frequency...


Re: [pfSense Support] CARP and BGP

2009-11-14 Thread Vick Khera
On Sat, Nov 14, 2009 at 4:53 AM, Aarno Aukia aarnoau...@gmail.com wrote:
 We have this running in production, feel free to contact me off-list for
 details.


Can people contribute these sample configurations for how do I X to
the wiki?  Having a lot of recipes on how to accomplish various
scenarios is key to increasing adoption of the platform, and helps the
project community grow and become stronger.


[pfSense Support] anyone proxying to an anonymizing vpn service

2009-11-11 Thread Vick Khera
I'm looking into some privacy VPN services like PublicVPN or
StrongVPN.  They offer OpenVPN based tunneling from the desktop or
from your home router.

What I'd like to do is set up a local proxy or port forward that would
route traffic over such a VPN circuit without having to route *all* of
my traffic over it.  That is, I'd like to configure firefox to use a
local proxy (either socks5 or regular proxy, what have you) that then
uses the privacy forwarding via one of these services.

I've already tried out using tor, and it is just way slow.

Has anyone rigged up their pfsense to have a proxy that directs all of
its traffic out via such an openvpn tunnel?


Re: [pfSense Support] FTP proxy

2009-11-04 Thread Vick Khera
On Wed, Nov 4, 2009 at 3:01 PM, Nathan Eisenberg
nat...@atlasnetworks.us wrote:

 Sorry for bringing this back up – what’s the correct way to implement an FTP 
 server behind a 1:1 NAT and not receive 500 Illegal PORT command?  I don’t 
 care if it uses the proxy, I just want incoming FTP connections to work.  ☺

How many ftp servers do you need to support?  If only one, then ignore
that you have 1:1 NAT and just set up the ftp with the ftp proxy as
per the instructions on the wiki and have it map the ftp port to your
ftp server. This is what I do.  In this configuration, it is just
coincidence that the server has a 1:1 mapping on it.  We advertise the
ftp server as a different hostname so that makes it easier to move its
IP to that of the main firewall IP.


Re: [pfSense Support] NIC choice

2009-11-02 Thread Vick Khera
On Sun, Nov 1, 2009 at 9:12 PM, Ugo Bellavance u...@lubik.ca wrote:
 3com 905 (xl)

I'd put this on your WAN and the intel on the LAN.  3Com have been
well support in FreeBSD (and even in the original 4.2BSD before that)
forever.

For a long while, back in the early early days of PC's running BSD's,
I would only buy 3Com NICs, mostly the 509c (which even had barrel
connectors!) and then the 905's when we moved up to the high-speed
ethernets.


[pfSense Support] PORT command in ftp proxy

2009-10-01 Thread Vick Khera
I'm trying to figure out how to make my ftp service pass the PCI
security compliance (we take credit cards, so need the compliance).  I
have pfSense 1.2.2 running the ftp proxy to my internal box, which is
a FreeBSD 7.2 server running the stock ftpd.

A probe from the outside looks like this:

telnet 66.250.193.115 21
USER anonymous
PASS word
PORT 66,250,193,115,21,178

and it responds

200 PORT command successful.

In fact, it responds successful to connect to any IP and any port.

If I telnet to port 21 from inside the lan to the same freebsd server
and issue a PORT command to any host other than the one from where I
am connecting I get:

500 Illegal PORT range rejected.

The FreeBSD ftpd's PORT command by default is limited to privileged
ports on the same host as is connected to it.

It seems that the PORT command is handled directly by the proxy (which
makes sense).  Is there a way to restrict the proxy to this same
security restriction?  I understand it violates the FTP protocol
technically, but in practice it doesn't break anything other than
abuse attempts.

Short of disabling the ftp service altogether (which would be a hassle
for customers uploading data to us) what can I do to tighten the ftp
proxy?



Relevant section from ftpd man page:

 -R  With this option set, ftpd will revert to historical behavior
     with regard to security checks on user operations and restrictions
     on PORT requests.  Currently, ftpd will only honor PORT
     commands directed to unprivileged ports on the remote user's host
     (which violates the FTP protocol specification but closes some
     security holes).

and from the security scanning company's description:

It is possible to force the FTP server to connect to third parties
hosts, by using the PORT command, aka FTP bounce.

The FTP bounce attack is used for establishing a connection to an
arbitrary machine by exploiting the PORT command. The basis for
successful attacks is in the RFC requirements. The RFC allows the
originating server to specify an arbitrary host and port to establish
a data connection.

This gives an attacker the ability to specify any host and port of
their choosing. If the target host is in a protected network, an
attacker can use FTP bounce to bypass firewall restrictions as well as
have the ability to discreetly perform port scans from the connected
host.
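The restriction the ftpd man page describes is simple to state precisely, and a proxy or front-end that honours it closes the bounce finding the scanner reported. The block below is an added example, not code from the list, from pftpx or from FreeBSD ftpd: it decodes an RFC 959 PORT argument, applies the same two checks ftpd applies by default (data address equals the control-connection peer, port above 1023), and runs that check as detection logic over constructed control-channel log lines. The 66.250.193.115 probe is the one shown in the post; the peer addresses, the other PORT arguments and the "peer=<ip> cmd=<line>" log format are constructed assumptions.

```python
import re

# RFC 959 PORT argument: h1,h2,h3,h4,p1,p2 (four address octets, two port octets)
PORT_ARG_RE = re.compile(
    r"^\s*(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$")


def parse_port_arg(arg):
    """Decode a PORT argument into (ip, port); return None if it is malformed."""
    m = PORT_ARG_RE.match(arg)
    if m is None:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    return ip, port


def check_port_command(arg, control_peer_ip):
    """Apply the restriction FreeBSD ftpd applies by default (see the man page
    excerpt in the post): the data address must be the control connection's
    peer and the port must be unprivileged (> 1023).
    Returns the FTP reply line the server should send."""
    parsed = parse_port_arg(arg)
    if parsed is None:
        return "501 Syntax error in parameters or arguments."
    ip, port = parsed
    if ip != control_peer_ip or port < 1024:
        return "500 Illegal PORT range rejected."
    return "200 PORT command successful."


# Constructed control-channel log lines in an assumed "peer=<ip> cmd=<line>"
# format. The 66.250.193.115 PORT target is the probe quoted in the post.
SAMPLE_LOG = [
    "peer=198.51.100.7 cmd=USER anonymous",
    "peer=198.51.100.7 cmd=PORT 66,250,193,115,21,178",   # third-party target
    "peer=198.51.100.7 cmd=PORT 198,51,100,7,4,1",        # legitimate: own host, port 1025
    "peer=203.0.113.9 cmd=PORT 203,0,113,9,0,22",         # own host but privileged port
    "peer=203.0.113.9 cmd=PORT 192,0,2,10,200,20",        # third-party target
]

LOG_RE = re.compile(r"^peer=(\S+) cmd=PORT (.+)$")


def find_bounce_attempts(lines):
    """Return (peer, target_ip, target_port) for every PORT command that the
    ftpd restriction above would reject, i.e. the ones worth alerting on."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        peer, arg = m.groups()
        parsed = parse_port_arg(arg)
        if parsed is None:
            continue
        if check_port_command(arg, peer).startswith("500"):
            hits.append((peer, parsed[0], parsed[1]))
    return hits


if __name__ == "__main__":
    for hit in find_bounce_attempts(SAMPLE_LOG):
        print("rejected PORT from %s -> %s:%d" % hit)
```

As the man page note says, the check rejects PORT arguments that RFC 959 technically permits; what it gives up is exactly the ability of one client to have the server open data connections to somebody else's host, which is the finding the PCI scan flagged.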


Re: [pfSense Support] PORT command in ftp proxy

2009-10-01 Thread Vick Khera
On Thu, Oct 1, 2009 at 1:25 PM, Chris Buechler cbuech...@gmail.com wrote:
 There's quite a bit of irony in using FTP yet wanting to be PCI compliant.


I suppose to some extent.  However, it is the ideal tool for the job
of collecting large data files from arbitrary customers who do not
have their own servers, and only need to upload a file once ever.

If only sftp had anonymous mode I'd be a happy guy :-)

 But to the point, what exactly is the setup you have here? NAT, public
 IPs routed, bridged? I get dropped when trying an invalid port.


Plain old NAT on the firewall.  There's a hardware load balancer in
front, but it is just doing pass-thru for this IP.




Re: [pfSense Support] PORT command in ftp proxy

2009-10-01 Thread Vick Khera
On Thu, Oct 1, 2009 at 1:41 PM, Evgeny Yurchenko evg.yu...@rogers.com wrote:
 I do not believe pftpx has a setting for this. I would disable ftp-helper on WAN
 and use NAT port-forwarding to your FreeBSD ftp-server (I use pfSense in
 this way).

How portable is this to various ftp clients?  I've done this in the
past but it failed with some ftp clients, as I recall.




Re: [pfSense Support] streaming video (rtsp, mms)

2009-09-22 Thread Vick Khera
On Tue, Sep 22, 2009 at 6:00 AM, Jure Pečar pega...@nerv.eu.org wrote:
 Upon further investigation I learned that these videos use rtsp or mms 
 protocols, which are composed of tcp control channel and udp data channel, 
 initiated by the server. Client requests video via tcp and server starts

Back in the days when I rolled my own proxy based firewall, I recall
using an RTSP proxy service.  I'm sure you could dig one up and then
configure your clients to use it.  Since pfSense is just FreeBSD, you
could probably get away with just installing a pre-built package of it
and manually configuring it... unless of course there is a pfSense
native package.

I don't know about the mms protocol.




Re: [pfSense Support] GBE toe

2009-08-25 Thread Vick Khera
On Tue, Aug 25, 2009 at 3:15 AM, Richard Sperryrich...@wrinklebrain.com wrote:
 Does anyone know of any Gig Ethernet tcp offload cards that are *fairly 
 inexpensive* that work with PF?


That's quite a relative term.  I personally only use the Intel NICs
when I have a choice, and I find them worth every penny.




Re: [pfSense Support] Patch and ISO: New Feature -- Auto Configuring Interfaces

2009-07-06 Thread Vick Khera
On Mon, Jul 6, 2009 at 11:27 AM, Tim A.pfse...@lists.goldenpath.org wrote:
 I missed that episode. POLA?


Principle of Least Astonishment




Re: [pfSense Support] Appliance support

2009-06-23 Thread Vick Khera
On Tue, Jun 23, 2009 at 9:14 AM, Gary
Buckmasterg...@centipedenetworks.com wrote:
 Also, the embedded instances of pfSense don't come out-of-the-box ready
 either.  You still need to attach a serial cable and do the initial
 configuration.  This is as it should be.

Last time I set up an embedded (1.2.2 on my home router) I booted the
device, reset the DHCP lease on my desktop and connected to
192.168.1.1 and configured it by reloading the config file.

No serial port required, even though I do have one hooked up.




Re: [pfSense Support] Attention Firebox X Series Users - Testing Needed

2009-04-24 Thread Vick Khera
On Fri, Apr 24, 2009 at 10:32 AM, Andrew Cotter
andrew.cot...@somersetcapital.com wrote:
 Is there an update path from 1.2.2 to 1.2.3-RC1 embedded?  I only see Full
 images on the mirrors.  I can do a backup/swap CF/restore, but the box I was
 going to test on is 120 miles away.

I have not had a successful embedded in-place upgrade since version
1.0.mumble (or perhaps earlier...)  I always expect I will need to
re-flash, and I always end up having to re-flash if I try the in-place
upgrade.

Your best bet is to try the upgrade via the ssh (or serial) console.

For our remote office which is *very* far away, we usually make a new
CF card with the config pre-loaded on a test box we have here, then
ship it to them for swapping.  This has worked great the last three
major upgrades we did.




Re: [pfSense Support] Dell PRO/1000VT Quad port NIC

2009-04-13 Thread Vick Khera
On Mon, Apr 13, 2009 at 2:04 PM, Chris Buechler c...@pfsense.org wrote:

 I don't have any of the cards myself, but the igb cards should perform
 considerably better than em cards. Whether the driver is unstable in
 combination with one specific piece of hardware (most likely), or one
 particular NIC, or unstable in general I don't know.

Also the igb driver was split off the em driver specifically to make
it easier to support the newer cards Intel is making, and it is actively
maintained by an engineer at Intel with intimate knowledge of both the
cards (with access to the guys who design them) and FreeBSD kernel
guts.

If you're having an issue with one of these cards, post to the freebsd
hardware/hackers lists and you'll certainly hear from him.




Re: [pfSense Support] Internet at the lake? Rogers Mobile Internet Stick (Rocket) with pfSense?

2009-03-26 Thread Vick Khera
On Wed, Mar 25, 2009 at 11:31 PM, Chuck Mariotti cmario...@xunity.com wrote:
 I have the option of staying/working from a home on a the Lake for a number 
 of weeks this summer here in Ontario/Canada. Nice and relaxed. Unfortunately, 
 the only internet access is dialup, which is not acceptable (of course).

I've been pondering building a DIY mobile hot-spot based on a CDMA or
other 3g usb stick + pfSense on an ALIX board.  I could just plug it
into my car and take it along with me wherever I go...

When we were at BSDCon in DC last month, the local wifi provided was
over a shared connection built this way by hand using an OpenBSD
laptop as the gateway to the verizon network via usb stick.  It worked
quite well for the first day :-)

The adapter they had at that time showed itself as a traditional USB
serial port with a modem attached to it.  All they had to do was run
PPP on it to authenticate (not sure if it was PPPoE or just plain
PPP).  If it is PPPoE then I would think pfSense could do it if we
convinced it to talk over the USB serial port rather than a real
ethernet.

Being in a perpetual lack-of-time situation I haven't gotten around
to diving into this project, but I would be interested in hearing if
anyone has gotten pfSense to talk directly to such a modem.  Heck,
that would make for an awesome failover connection at the office, too!




Re: [pfSense Support] Re: Can't get more than 15kpps.

2009-03-23 Thread Vick Khera
On Mon, Mar 23, 2009 at 8:30 AM, Lenny five2one.le...@gmail.com wrote:
 I got offered a Sun Fire X2200 with Opteron Dual Core 2210(that's 1.8GHz).
 Will that do it? (for ~150kpps)

Double check the NICs in that box.  I believe they're broadcom and
nvidia (yes, Sun does a mix and match on the same motherboard!  You
get two of each.)  Also, one of the NICs doubles as the network port
for the service processor, so if you're inclined to use the SP, you'll
need to account for that dual use on the NIC port 1.

I've been extremely happy with my Sun Servers, but I run them for
database boxes with gobs and gobs of RAM, and I only use one intel NIC
each on the X4100 (4x intel NIC) and X4100M2 (2x Intel, 2x nvidia).
FreeBSD support for the nvidia NICs is not as great as for the intels,
and the broadcom quality depends on the exact chipset you have.




Re: [pfSense Support] Massive static route load

2009-03-16 Thread Vick Khera
Add one or two static routes.  Then try exporting the config file but
limit it to the network configuration section (or try other sections if
that isn't it) and look at its format.  Then reproduce that format
using whatever tools you have, then re-upload that file with the added
routes in it.




Re: [pfSense Support] pfSense to use with production web server

2009-03-04 Thread Vick Khera
On Wed, Mar 4, 2009 at 11:22 AM, Raleigh Guevarra death...@yahoo.com wrote:
 With no disrespect to the community, I just need to know the facts after
 reading about firewalls esp packet filtering types of firewall.
 Is it safe and secured to use pfSense infront of a web server in production,
 hosting dozens of websites? Thanks in advance

What threats are you defending against?  The firewall will not protect
you against application flaws such as cross site scripting and SQL
injection attacks.




Re: [pfSense Support] problems trying to sftp/scp pfSense router

2009-01-30 Thread Vick Khera
On Fri, Jan 30, 2009 at 8:41 AM, Jorge Marques Pelizzoni
jorge.pelizz...@gmail.com wrote:
 First of all, congratulations on the great work you've been doing on
 pfSense! Here is my problem: I've enabled ssh on my pfSense 1.2.2
 router and am able to run ssh sessions on it normally. However, when
 it comes to using sftp and scp I receive the following errors after
 typing the password in:

 (sftp) Received message too long 170535466
 (scp) protocol error: unexpected newline


works for me[tm]

I have seen the above similar error about message too long when
ssh'ing to a FreeNAS box but only on first attempt after boot.
FreeNAS is derived from m0n0wall also.  I never see it for pfSense for
scp or sftp or ssh.




Re: [pfSense Support] 1.2.2 TCP Disconnects (sessions)

2009-01-30 Thread Vick Khera
On Fri, Jan 30, 2009 at 3:14 PM, Chris Bagnall li...@minotaur.cc wrote:
 According to the asterisk logs, the phones at the remote sites disconnect and 
 reconnect on an annoyingly regular basis (approximately every 30 minutes). 
 There is no other traffic on the WAN interface apart from the general SIP 
 chatter and RTP traffic during calls. Bandwidth usage is 120kbps at all 
 times, on a connection capable of at least 780kbps in both directions. 
 Running a simple ping test between the two sites for 48 hours shows no packet 
 loss.


I was having an annoyingly similar experience with random connections
from home to office over the VPN after upgrading to 1.2.2.  ssh
connections would randomly die, and IMAP would randomly disconnect and
reconnect.  Over the last week or so it has stopped, and I blame it on
Comcast, not on pfSense.




[pfSense Support] IPsec connection problems

2009-01-16 Thread Vick Khera
I'm running 1.2.1 on both ends of this particular IPsec connection.
One location is my main office and is running the full version, the
other is my home office running embedded on a WRAP based system.  The
office is connected via a local wireless ISP, and the home is on
Comcast.

For the longest time this was perfectly reliable with an occasional
down time when something in between the two sites was down.  Lately,
however the VPN has been going down and seemingly having a very hard
time coming back up.  It was coincidental with upgrading both to
1.2.1.  Neither endpoint has any issues connecting with our datacenter
(also on a WRAP, but running pfsense 1.0.1).  The home office is
configured as a mobile client to all remotes, but the other endpoints
use fixed endpoint configuration between each other.

I sometimes use the IPsec status screen to delete the SAD entries on
the home firewall when it is not connecting.  In either case, when the
connection is down, I see on my home firewall's logs the following:

racoon: [KCI Main Office]: INFO: initiate new phase 2 negotiation:
69.140.125.240[0]<=>66.250.193.115[0]
racoon: ERROR: none message must be encrypted
last message repeated 2 times
racoon: [KCI Main Office]: ERROR: 66.250.193.115 give up to get
IPsec-SA due to time up to wait.


Then it repeats ad nauseam.  The time between the first and last lines
is 30 seconds.

On the office firewall, at the same timestamp corresponding to the
initiate new phase 2 above, I see this:

racoon: ERROR: can't start the quick mode, there is no ISAKMP-SA,
4092e8f7af1c0d41:01da63468e20618c:e359
last message repeated 2 times


Where the number at the end changes every time the initiation starts.

The curious thing is that this goes on and on and then eventually I'll
see an "initiate new phase 1 negotiation" and it suddenly connects.



Right now, I just went into IPsec config on my home firewall, and
disabled the tunnel to the main office.  Then I re-enabled it, and it
connected immediately.  I'm assuming that is because it forced a
re-negotiation of phase 1.

racoon: [KCI Main Office]: INFO: IPsec-SA request for 66.250.193.115
queued due to no phase1 found.
racoon: [KCI Main Office]: INFO: initiate new phase 1 negotiation:
69.140.125.240[500]<=>66.250.193.115[500]
racoon: INFO: begin Aggressive mode.
racoon: INFO: received broken Microsoft ID: FRAGMENTATION
racoon: INFO: received Vendor ID: DPD
racoon: NOTIFY: couldn't find the proper pskey, try to get one by the
peer's address.
racoon: [KCI Main Office]: INFO: ISAKMP-SA established
69.140.125.240[500]-66.250.193.115[500]
spi:f7ba1b8598534661:01bfdab8f0897871
racoon: [KCI Main Office]: INFO: initiate new phase 2 negotiation:
69.140.125.240[500]<=>66.250.193.115[500]
racoon: [KCI Main Office]: INFO: IPsec-SA established: ESP
66.250.193.115[0]->69.140.125.240[0] spi=199244852(0xbe03c34)
racoon: [KCI Main Office]: INFO: IPsec-SA established: ESP
69.140.125.240[0]->66.250.193.115[0] spi=182261056(0xadd1540)

The total time is 1 second.



So I guess my question is: how do I force the IPsec subsystem to
renegotiate at phase 1 rather than phase 2?  Would that be to go in
and delete the SPD entries from the status screen?  The
disable/re-enable hack is painful.

Is anyone else observing such failures to connect?

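An added monitoring example, not from the post or from racoon itself: it replays racoon log lines like the ones above and flags a peer whose phase-2 attempts keep timing out without a fresh ISAKMP-SA behind them, which is the stuck state the post describes and the point at which a phase-1 rekey rather than further phase-2 retries is needed. The sample log is constructed from the quoted lines, and the regexes assume racoon's message wording is as shown in the post.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the racoon lines quoted in the post:
# three phase-2 attempts that time out with no ISAKMP-SA behind them,
# then a phase-1 renegotiation that brings the tunnel up.
SAMPLE_LOG = """\
racoon: [KCI Main Office]: INFO: initiate new phase 2 negotiation: 69.140.125.240[0]<=>66.250.193.115[0]
racoon: ERROR: none message must be encrypted
racoon: [KCI Main Office]: ERROR: 66.250.193.115 give up to get IPsec-SA due to time up to wait.
racoon: [KCI Main Office]: INFO: initiate new phase 2 negotiation: 69.140.125.240[0]<=>66.250.193.115[0]
racoon: ERROR: none message must be encrypted
racoon: [KCI Main Office]: ERROR: 66.250.193.115 give up to get IPsec-SA due to time up to wait.
racoon: [KCI Main Office]: INFO: initiate new phase 2 negotiation: 69.140.125.240[0]<=>66.250.193.115[0]
racoon: ERROR: none message must be encrypted
racoon: [KCI Main Office]: ERROR: 66.250.193.115 give up to get IPsec-SA due to time up to wait.
racoon: [KCI Main Office]: INFO: initiate new phase 1 negotiation: 69.140.125.240[500]<=>66.250.193.115[500]
racoon: [KCI Main Office]: INFO: ISAKMP-SA established 69.140.125.240[500]-66.250.193.115[500] spi:f7ba1b8598534661:01bfdab8f0897871
racoon: [KCI Main Office]: INFO: IPsec-SA established: ESP 66.250.193.115[0]->69.140.125.240[0] spi=199244852(0xbe03c34)
"""

# Message patterns as they appear in the post (assumed stable wording).
GIVE_UP = re.compile(r"ERROR: ([\d.]+) give up to get IPsec-SA")
NOT_ENCRYPTED = re.compile(r"ERROR: none message must be encrypted")
PHASE1_UP = re.compile(r"ISAKMP-SA established [\d.]+\[\d+\]-([\d.]+)\[\d+\]")


def analyze(lines, threshold=3):
    """Replay racoon log lines.  Returns (state, alerts): state maps each
    remote peer to its count of phase-2 give-ups since the last ISAKMP-SA
    with that peer; alerts lists peers that reached `threshold`."""
    state = defaultdict(int)
    unencrypted = 0
    alerts = []
    for line in lines:
        if NOT_ENCRYPTED.search(line):
            unencrypted += 1  # corroborating symptom, reported alongside
            continue
        m = GIVE_UP.search(line)
        if m:
            peer = m.group(1)
            state[peer] += 1
            if state[peer] == threshold:
                alerts.append(
                    f"{peer}: {threshold} phase-2 timeouts with no fresh ISAKMP-SA "
                    f"({unencrypted} 'must be encrypted' errors seen); phase 1 is stale")
            continue
        m = PHASE1_UP.search(line)
        if m:
            state[m.group(1)] = 0  # fresh phase 1 with this peer: clear the backlog
            unencrypted = 0
    return dict(state), alerts


if __name__ == "__main__":
    final_state, found = analyze(SAMPLE_LOG.splitlines())
    for a in found:
        print("ALERT", a)
    print("final state:", final_state)
```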



Re: [pfSense Support] import DHCP static IP mappings

2008-12-05 Thread Vick Khera
On Fri, Dec 5, 2008 at 9:58 AM, Kirk Wight [EMAIL PROTECTED] wrote:
 Hello,
 Is there any way to import or drop in an existing dhcpd.conf to pfSense, to
 avoid having to enter dozens of static IP mappings in the GUI? I've tried
 simply adding my existing mappings to the pfSense /var/dhcpd/etc/dhcpd.conf,
 but they don't show up in the GUI... does the GUI tie in somewhere else?
 Merci,

Add one static map.  Export your config.  Find the section of the
config where you see your static map and update it to add your other
maps from your old conf file, then re-upload the config file.

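A worked version of the add-one, export, edit, re-upload procedure from this post and from the static-route post above, as an added example that is not from the list: it parses ISC dhcpd.conf host blocks and merges them as staticmap entries into an exported config.xml. The element names (dhcpd/lan/staticmap with mac, ipaddr and hostname) are an assumption drawn from a 1.2-era export, so check them against your own exported file as the post advises; both inputs are constructed samples.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs: a fragment of an ISC dhcpd.conf and an exported
# pfSense config.xml that already holds the one static map added by hand
# (the "add one, export, copy its format" step).  Element names are assumed.
DHCPD_CONF = """\
host printer { hardware ethernet 00:11:22:33:44:55; fixed-address 192.168.1.20; }
host nas {
    hardware ethernet aa:bb:cc:dd:ee:ff;
    fixed-address 192.168.1.21;
}
"""

CONFIG_XML = """\
<pfsense>
  <dhcpd>
    <lan>
      <enable/>
      <range><from>192.168.1.100</from><to>192.168.1.199</to></range>
      <staticmap>
        <mac>00:0c:29:12:34:56</mac>
        <ipaddr>192.168.1.10</ipaddr>
      </staticmap>
    </lan>
  </dhcpd>
</pfsense>
"""

HOST_RE = re.compile(r"host\s+(\S+)\s*\{(.*?)\}", re.S)
MAC_RE = re.compile(r"hardware\s+ethernet\s+([0-9a-fA-F:]{17})\s*;")
IP_RE = re.compile(r"fixed-address\s+(\d+\.\d+\.\d+\.\d+)\s*;")


def parse_dhcpd_hosts(conf):
    """Return [(hostname, mac, ip)] for every host block with both fields."""
    hosts = []
    for m in HOST_RE.finditer(conf):
        name, body = m.group(1), m.group(2)
        mac, ip = MAC_RE.search(body), IP_RE.search(body)
        if mac and ip:
            hosts.append((name, mac.group(1).lower(), ip.group(1)))
    return hosts


def merge_static_maps(config_xml, hosts, iface="lan"):
    """Return config XML text with one <staticmap> per host appended under
    <dhcpd><iface>, skipping MACs that are already mapped (idempotent)."""
    root = ET.fromstring(config_xml)
    scope = root.find(f"./dhcpd/{iface}")
    if scope is None:
        raise ValueError(f"no <dhcpd><{iface}> section in config")
    existing = {m.findtext("mac", "").lower() for m in scope.findall("staticmap")}
    for name, mac, ip in hosts:
        if mac in existing:
            continue
        sm = ET.SubElement(scope, "staticmap")
        ET.SubElement(sm, "mac").text = mac
        ET.SubElement(sm, "ipaddr").text = ip
        ET.SubElement(sm, "hostname").text = name  # assumed element; drop if your export lacks it
        existing.add(mac)
    return ET.tostring(root, encoding="unicode")


def static_map_count(config_xml, iface="lan"):
    """Number of <staticmap> entries under <dhcpd><iface>."""
    return len(ET.fromstring(config_xml).findall(f"./dhcpd/{iface}/staticmap"))


if __name__ == "__main__":
    merged = merge_static_maps(CONFIG_XML, parse_dhcpd_hosts(DHCPD_CONF))
    print(merged)
```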



Re: [pfSense Support] lighttpd bug in 1.2

2008-11-11 Thread Vick Khera
 Upgrade to 1.2.1-RC2.   It will be released in the next day or so.

 Scott

 Exactly where should I check for the release? I looked in
 http://snapshots.pfsense.org/FreeBSD7/RELENG_1_2/, and there is one
 version being released every couple of hours, it seems.

You use your time machine to move forward to the next day or so and
look for it then. :-)

The snapshots usually are very safe to use.




Re: [pfSense Support] Multiple WAN ip's, one not working with 1.2.1

2008-10-30 Thread Vick Khera
 thanks a lot, this is the first time in between changing firewall appliance
 or version, I had to reset the ADSL modem itself... didn't realize that
 a modem would be responsible for ARP entries as well...

*All* devices keep an ARP cache, else they'd spend all their time
sending ARP packets back and forth.  These days some smart switches
even keep ARP caches which makes changing devices very entertaining.




Re: [pfSense Support] Great work releasing 1.2.1 RC1

2008-10-28 Thread Vick Khera
On Tue, Oct 28, 2008 at 3:59 PM,  [EMAIL PROTECTED] wrote:
 What will the migration path look like from 1.2 to 1.2.1?

 First Question:
 On an embedded system (Soekris Net5501), will I need to flash the CF
 card from scratch or will I be able to use the firmware 'feature' on the
 GUI?  If the answer is NO, you have to re-flash from scratch, will the
 1.2.1 release allow flashing to future releases?

It failed for me, but I was running a 1.2 RC not final.  I've had
hit-or-miss luck with self-upgrading of the embedded images.  I always
download both the upgrade image and the full flash image as emergency
backup plan B.  This time I needed it, and just re-flashed the CF and
uploaded the configs and was off and running within 10 minutes total.




Re: [pfSense Support] Full install for 1.2.1-RC1 embedded?

2008-10-28 Thread Vick Khera
On Tue, Oct 28, 2008 at 11:25 PM, Craig Silva
[EMAIL PROTECTED] wrote:
 To answer my own question - yes there are docs on this -
 http://devwiki.pfsense.org/FullInstallOnWRAP

 What I really wanted to ask was - how can I create an embedded image to put
 onto a flash card (as opposed to a micro drive) utilizing the embedded
 update?

Umm, you don't?

You download the pfsense-MMDD-HHMM.img file and dd that to your
flash.  You'll end up with something newer than RC1, but that's a good
thing, IMO.  That's what I did on my last re-flash on 9/26.




Re: [pfSense Support] Question on Broadcom Crypto card

2008-10-22 Thread Vick Khera
On Tue, Oct 21, 2008 at 6:11 PM, Wade Blackwell [EMAIL PROTECTED] wrote:

 Good afternoon all,
   I have 1.2 stable installed on an ancient PII-450 (old Netserver). The
 redeeming factor is a Broadcom crypto card. I looked through dmesg and the
 logs and I can't figure out if the system sees the card. What should I see
 in the logs if the card is recognized and properly initialized? Is there a
 widget for it in the webUI anywhere? Thanks.



On the status screen you see when you log into the pfSense GUI, if it
recognizes your card and can use it, it will have a line that reads "Hardware
crypto" right below platform and above uptime.  It will identify the crypto
chip it found.  Usually it is some variant of hifn as those are extremely
popular.  I'm not sure if the broadcom cards use their own chips or the hifn
chips.


Re: [pfSense Support] pfsense 1.2.1 dude

2008-10-20 Thread Vick Khera
On Mon, Oct 20, 2008 at 6:08 AM, Mikel Jimenez [EMAIL PROTECTED] wrote:

 Hello
 Is it secure to put pfsense 1.2.1 in a production environment?


If you're asking random people you don't know if it is secure enough, then
yes, it is secure enough for you.  If you really want to know if it is
secure, you need to do your own testing.


Re: [pfSense Support] pfSense 1.2.1 RC1 Time Zone

2008-10-16 Thread Vick Khera
On Thu, Oct 16, 2008 at 8:54 AM, Atkins, Dwane P [EMAIL PROTECTED] wrote:

 However, when I went back and looked at users who had logged on to the
 Captive Portal, the times were still set at a +5.

Programs read the timezone database when they first need it.  They
never re-read it.  So whatever program is logging your data needs to
be restarted so that it will re-read the timezone file.  Simplest way
to get all such instances is to reboot.
