[pfSense Support] any comment or need to worry about the recent TCP/IP DoS found by Outpost24?

2008-10-03 Thread Vivek Khera
I've read a lot about how windows and linux are vulnerable, but not
much info regarding FreeBSD.  Does anyone know how worried we should
be?  Any comment on possible corrective measures being implemented by
the dev team?

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [pfSense Support] any comment or need to worry about the recent TCP/IP DoS found by Outpost24?

2008-10-03 Thread Vivek Khera
On Fri, Oct 3, 2008 at 11:06 AM, BSD Wiz [EMAIL PROTECTED] wrote:
 And how could the dev team implement a fix if we don't know the specifics of
 the exploit? This will be something that the freebsd dev team will need to
 fix and I'm sure they will asap.

So, I need to know everything you know or don't know to ask if you
might know something?




Re: [pfSense Support] any comment or need to worry about the recent TCP/IP DoS found by Outpost24?

2008-10-03 Thread Vivek Khera
On Fri, Oct 3, 2008 at 3:02 PM, Chris Buechler [EMAIL PROTECTED] wrote:

 We had a discussion on it on our private developer list a couple days
 ago, end result is there isn't anything we can do without knowing
 more, and even at that nothing we can do until FreeBSD fixes it if it
 is a problem.

Thanks for the info.  I'll keep an eye out on the blog for any news.




Re: [pfSense Support] ipv6 possibility

2008-09-29 Thread Vivek Khera
On Mon, Sep 29, 2008 at 7:22 AM, Sean Cavanaugh
[EMAIL PROTECTED] wrote:
 technically this can already be done if you use the developers build.

or even 1.2.1 RC.  i was pleasantly surprised to see IPv6 info from
the network status pages.

of course, this was after YetAnotherFailedEmbededUpgrade so I had to
re-flash, but that was 99.44% expected to happen by me :-(




Re: [pfSense Support] PFsense on P4 Hyperthreading

2008-09-29 Thread Vivek Khera
On Mon, Sep 29, 2008 at 10:58 AM, Ryan Rodrigue [EMAIL PROTECTED] wrote:
 Will PF sense work with a P4 using hyperthreading?  I know I can disable it in
 the BIOS, but i was just wondering if I could use it.  If I can, in the
 install, should I tell it I have a single CPU or a multi CPU setup?  Thanks
 for the help, Ryan


FreeBSD treats it as multiple CPUs, so use the SMP kernel.




Re: [pfSense Support] Transferring configs

2008-09-29 Thread Vivek Khera
On Mon, Sep 29, 2008 at 12:03 PM, Rainer Duffner [EMAIL PROTECTED] wrote:
 Hi,

 my WRAP died and I finally managed to order an ALIX from PC-Engines.
 But I think I can't find a backup of my config - can I just take the
 config.xml from the old CF card and use the restore-option with that?
 Or can the WARP-CF just be put into the ALIX?
 It's 1.2, IIRC.

Just plug the CF card into the new box.  The software image is identical.




Re: [pfSense Support] PFsense on P4 Hyperthreading

2008-09-29 Thread Vivek Khera
On Mon, Sep 29, 2008 at 11:15 AM, Ryan Rodrigue [EMAIL PROTECTED] wrote:
 Thanks for the super quick reply.  I thought as much, but just wanted to
 confirm.  Is there a limit to the number of processors it supports?  Will a
 dual Xeon quad core (8 processors) work?  i really don't have a need for
 that much, but I was just curious while I have you here.


The most I've ever run FreeBSD on is a dual dual-core AMD64 system
from Sun.  The 4 procs scale nicely, and especially with the AMD
enhanced memory bus it really flies.

I understand from the mailing lists that 8 cores is about the max to
where FreeBSD scales well.  This may be old information, though.




Re: [pfSense Support] PFsense on P4 Hyperthreading

2008-09-29 Thread Vivek Khera
On Mon, Sep 29, 2008 at 2:08 PM, RB [EMAIL PROTECTED] wrote:
 On Mon, Sep 29, 2008 at 10:03, Bill Marquette [EMAIL PROTECTED] wrote:
 HyperThreading or not though - the FreeBSD SMP scheduler isn't exactly
 optimized for HTT.

 Did FBSD ever post a 'fix' for the HT cache vuln?  I've been under the
 impression ever since that HT on server systems was a Bad Idea and
 just disabled HT globally, both for that and the fact that it's just
 hardware-assisted preemption.

If you don't have multiple users, that is a non-issue, IIRC.  Who logs
into your pfsense?




Re: [pfSense Support] strategies for an internet cafe

2008-09-26 Thread Vivek Khera
On Fri, Sep 26, 2008 at 8:45 AM, lartc [EMAIL PROTECTED] wrote:
 hi all,

 i've got a small internet cafe on a lan behind pfsense (soekris net
 4801). works great.

 yesterday (not the first time) someone connected up their laptop, that
 started spewing spam mail.

Just plain disallow direct to port 25 connections.  There's no reason
for it for random client machines.  If they need to use their own ISP
or office mail server, they can use the SMTP submission port, or a
VPN.

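As an added example (not part of the original thread), here is a small sh/awk filter a cafe operator could run over pflog output once a logged block rule for TCP/25 is in place, to see which LAN host is the one trying to send mail directly. The sample lines are constructed and modelled on tcpdump's rendering of a pflog interface; the interface name vr0, the rule numbers and all addresses are assumptions.

```shell
#!/bin/sh
# Constructed sample pflog lines (tcpdump-style) after adding a logged
# "block" rule for TCP/25 on the LAN interface vr0. Addresses are made up.
SAMPLE_PFLOG='12:00:01.000001 rule 7/0(match): block in on vr0: 192.168.1.50.49152 > 203.0.113.10.25: S 1:1(0) win 65535
12:00:01.000002 rule 7/0(match): block in on vr0: 192.168.1.50.49153 > 198.51.100.20.25: S 1:1(0) win 65535
12:00:01.000003 rule 7/0(match): block in on vr0: 192.168.1.50.49154 > 203.0.113.11.25: S 1:1(0) win 65535
12:00:02.000004 rule 9/0(match): pass in on vr0: 192.168.1.51.50000 > 203.0.113.10.587: S 1:1(0) win 65535
12:00:02.000005 rule 7/0(match): block in on vr0: 192.168.1.52.50001 > 203.0.113.12.25: S 1:1(0) win 65535
12:00:03.000006 rule 9/0(match): pass in on vr0: 192.168.1.50.50002 > 203.0.113.10.80: S 1:1(0) win 65535'

# smtp_blocked_by_src: reads pflog lines on stdin, keeps only blocked
# connections whose destination port is 25, and prints "count source_ip"
# sorted with the busiest source first. Submission (587) and web traffic
# pass through the LAN rules and are ignored here.
smtp_blocked_by_src() {
    awk '
        /: block in / {
            # the token before ">" is "src.port", the token after it is "dst.port:"
            for (i = 1; i <= NF; i++) if ($i == ">") { src = $(i-1); dst = $(i+1) }
            n = split(dst, d, ".")          # dst looks like a.b.c.d.port:
            port = d[n]; sub(/:$/, "", port)
            if (port == "25") {
                split(src, s, ".")          # drop the ephemeral source port
                ip = s[1] "." s[2] "." s[3] "." s[4]
                count[ip]++
            }
        }
        END { for (ip in count) print count[ip], ip }' | sort -rn
}

# top_smtp_offender: the single LAN address with the most blocked port-25
# attempts, i.e. the machine to go and look at.
top_smtp_offender() {
    smtp_blocked_by_src | head -n 1 | awk '{ print $2 }'
}

# Run on the constructed sample:
#   printf '%s\n' "$SAMPLE_PFLOG" | smtp_blocked_by_src
```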



Re: [pfSense Support] ipv6 possibility

2008-09-25 Thread Vivek Khera
On Thu, Sep 25, 2008 at 10:51 AM, RB [EMAIL PROTECTED] wrote:
 Personally I don't like the idea of two separate firewalls, pfsense for IPv4
 and whatever else for IPv6. But, sadly, this is what I am doing now.

 Yet you still do not answer the question - what value is v6 providing
 you now?  Would you mind sharing what made you make the agreeably
 painful decision to run two separate gateways?

Either you believe that IPv6 is coming, or you don't.  I fall in the
former camp though there are people who believe IPv6 is not necessary.
I agree that it will be a long time before there are hosts that are
IPv6 that are not also visible via IPv4.  That all being said, it is
important to start gaining experience with IPv6 deployments, and that
pretty much makes it necessary that your firewall support it as well.

In short, there may not be a strong business case to *need* IPv6
today, but it is prudent to start exploring it and gaining the
experience necessary to manage it in preparation for the day when it
is necessary and when the bulk of traffic flows via it.  The sooner
the better, I say.




Re: [pfSense Support] random lock up

2008-09-24 Thread Vivek Khera
On Wed, Sep 24, 2008 at 11:03 AM, Matias Surdi [EMAIL PROTECTED] wrote:

 Hi,

 I'm experiencing random crashes with 1.2; sometimes it happens when saving a
 rule, other times when saving advanced settings. No reply from the pfSense
 box, no ping replies. Nothing. Completely dead.


I'll point at hardware faults.  This is the only reason ever that pfSense
(or FreeBSD in general) has ever crashed or locked up on me to the point it
couldn't be rebooted via software.


Re: [pfSense Support] OpenVPN Tunnel Quality with VoIP Applications

2008-09-18 Thread Vivek Khera

 I've tried both UDP and TCP tunnels with the same result. The setup is
 nothing special, just plain old SIP to an Asterisk box using G.711u codec.

 Any ideas on what I can do to decrease the effect OpenVPN is having on the
 traffic? All suggestions welcome and appreciated!


Is the CPU capable of keeping up with the OpenVPN encryption?  Perhaps you need
more CPU or RAM for your firewall(s).

Another thing to try is a better codec.  I personally use G.729 on all
non-local SIP clients.  It works extremely well on slow long-haul links, and
the G.729 codec license for Asterisk is pretty cheap from Digium.


Re: [pfSense Support] OpenVPN Tunnel Quality with VoIP Applications

2008-09-18 Thread Vivek Khera

 Depending on bandwidth requirements, we may eventually use G.729 but we're
 currently testing in our lab on a completely unloaded 100mbit network.


G.729 also handles higher latency well.  But still, your latency is under
150, which shouldn't affect G.711u so much.


Re: [pfSense Support] nokia n810 vpn?

2008-07-11 Thread Vivek Khera


On Jul 11, 2008, at 5:22 AM, Paul Mansfield wrote:

Openvpn works perfectly for me on the n800; just be sure you have it
start up when you want it to, as it will start up by default.


I discovered this when I didn't realise it was running, and when I  
was actually directly on the network the tunnel would normally  
connect to, it all broke!


Thanks!  I do need to only turn it on when I'm away from one of my  
normal locations since they're all already connected via VPN.  There's  
no end of breakage that happens if you try to set up an IPsec tunnel  
from a device to the same endpoint that the router is tunneling the  
whole LAN... took several days to figure out that problem! :-(


Which OpenVPN software do you run on your n800?  Is it from the maemo  
garage or some other place?  Or did you build it by hand?


Also, were there any unique configs you had to set up for pfSense or  
just the normal OpenVPN setup?






[pfSense Support] nokia n810 vpn?

2008-07-10 Thread Vivek Khera
I just ordered up an N810 for myself, and was wondering if anyone had  
success with the vpn solutions for it.  There is a package for it  
called VPNC (garage: VPNC Maemo Port: Project Info) which is described  
as:


VPN client compatible with Cisco's EasyVPN equipment. Supports IPSec
(ESP) with Mode Configuration and Xauth. Supports only shared-secret
IPSec authentication with Xauth, AES (256, 192, 128), 3DES, 1DES, MD5,
SHA1, DH1/2/5 and IP tunneling.


It looks to me like all the buzzwords are in line with pfSense, but  
wanted to see if anyone had actually gotten it to work with a mobile  
IPsec configuration.





Re: [pfSense Support] monitoring bandwidth usage of individual lan addresses MORE

2008-06-23 Thread Vivek Khera


On Jun 16, 2008, at 6:11 AM, Patrick M. Murray, M.F.A. wrote:

just crap. But my ALIX board has 2 miniPCI slots on it that I have  
yet to mess with. I need something super powerful in regards to  
range, speed, and multicast. And I know you can't throw 2 wireless  
cards in there, so what can the other slot be used for? And what  
miniPCI wireless card would you recommend that I could


I put some Soekris crypto accelerator cards in a few of my older WRAP  
based routers.  Hard to tell if it really speeds up IPSec, but it was  
fun to do :-)






Re: [pfSense Support] Backup of Configuration Script

2008-06-04 Thread Vivek Khera


On Jun 3, 2008, at 11:10 AM, Scott Ullrich wrote:

I manage too many firewalls with pfsense and I'd like to know if
there is a way to automate the backup of the configuration (the XML
config file)!!!


Yes, search the archives.  I have given wget syntax in the past.


And when you find it, add it to the wiki if it is not already there...





Re: [pfSense Support] setting time

2008-05-12 Thread Vivek Khera


On May 10, 2008, at 11:16 AM, Dean Larson wrote:

computer kept near perfect time before under different o/s.  this  
seems real strange.


A long long time ago, in a galaxy far far away, I had a box that ran
100% fine with linux under load.  under FreeBSD and BSD/OS it would
lock up randomly, and the clock would drift several minutes per day.


You likely have faulty hardware.





Re: [pfSense Support] setting time

2008-05-12 Thread Vivek Khera


On May 10, 2008, at 4:13 PM, Chris Buechler wrote:

3) ACPI issues - try disabling ACPI, sometimes it causes time  
keeping issues.


You can also selectively disable the ACPI timer device without turning  
ACPI off entirely.  Add the following to your  /boot/loader.conf file:


debug.acpi.disabled="timer"

You'll see a change at the beginning of your kernel boot messages like  
this:


Timecounter "i8254" frequency 1193182 Hz quality 0
Timecounter "ACPI-fast" frequency 3579545 Hz quality 1000
Timecounter "HPET" frequency 14318180 Hz quality 900


The ACPI-fast line will go away, and the kernel will then be forced  
to choose a different timekeeping method.


You can verify your timekeeper with this command:

sysctl kern.timecounter.hardware

It will list one of the available Timecounter options, such as HPET  
or ACPI-fast. By default, it picks the highest quality timer.




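As an added illustration of the selection rule described above (this is not from the thread), a short sh/awk function that reads boot-message lines of the form shown and reports which timecounter the kernel picks by default, and what it falls back to once a given device is disabled. The sample lines are constructed from the three quoted above; the function and its name are assumptions, not a FreeBSD tool.

```shell
#!/bin/sh
# Constructed sample boot messages, in the shape the kernel prints them
# (device names in double quotes, quality as the last field).
SAMPLE_BOOT='Timecounter "i8254" frequency 1193182 Hz quality 0
Timecounter "ACPI-fast" frequency 3579545 Hz quality 1000
Timecounter "HPET" frequency 14318180 Hz quality 900'

# best_timecounter [excluded]: reads "Timecounter ..." lines on stdin and
# prints the name with the highest quality value, which is what the kernel
# selects by default. Pass a device name as $1 to simulate it having been
# removed from the list, as debug.acpi.disabled="timer" does for ACPI-fast.
best_timecounter() {
    awk -v skip="${1:-}" '
        BEGIN { best = -1 }
        $1 == "Timecounter" {
            name = $2; gsub(/"/, "", name)   # strip the quotes around the name
            q = $NF + 0                       # last field is the quality number
            if (name != skip && q > best) { best = q; pick = name }
        }
        END { if (pick != "") print pick }'
}

# With all three devices present ACPI-fast wins (quality 1000); with it
# disabled the kernel is forced onto the next best, HPET (quality 900):
#   printf '%s\n' "$SAMPLE_BOOT" | best_timecounter
#   printf '%s\n' "$SAMPLE_BOOT" | best_timecounter ACPI-fast
```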



[pfSense Support] brilliant advice from a security audit...

2008-05-07 Thread Vivek Khera

This one is precious:

<quote>
Description:

The remote host appears to be running a PPTP (VPN) service.

This service allows remote users to connect to the internal network
and gain a trusted user role. This service should be protected with a
strong encryption scheme like IPSEC. By default the service leaks out
such information as Server version (PPTP version), Hostname and Vendor
string; this could help an attacker better prepare her next attack.


General solution:

Restrict access to this port from untrusted networks. Make sure only  
encrypted channels are allowed through the PPTP (VPN) connection.

</quote>


Seriously, if the client could use IPSEC why would you need  
PPTP?!??!?!?!?!!??!?!


For those curious, the service doing the scanning is ScanAlert (the  
folks who bring you the HackerSafe seal of approval).






Re: [pfSense Support] Anyone get Wii working with pfSense?

2008-04-29 Thread Vivek Khera

On Apr 29, 2008, at 2:46 PM, Adam Van Ornum wrote:

Does anyone have any ideas that don't include having multiple WAN  
IPs?  :)  I only have one WAN IP and I'm having the same problem as  
the original message poster.  I can connect fine to World and  
Regional games but can't connect to or host Friend games.


Like I said, Works for Mii :-)

I haven't tried any online games yet (just got my first), but friend  
connections work, and i get update notification messages and the  
upgrades download just fine.


I have uPNP enabled, and nothing else specific configured for the Wii  
on the pfSense router.  I have a single LAN and a single WAN port  
hooked up to my cable modem in a mostly default configuration.




Re: [pfSense Support] Anyone get Wii working with pfSense?

2008-04-28 Thread Vivek Khera


On Apr 28, 2008, at 9:16 PM, Tom wrote:

I can connect to Worldwide and Regional events with Mario Kart, but  
I can't connect to Friends.
Nintendo says they are different types of connections so connecting  
to Worldwide and Regional events doesn't necessarily mean connecting  
to Friends should work since Friends are a direct connect between  
systems.


I've tried creating a NAT and forwarding all UDP traffic to the Wii,  
but that didn't make a difference.


When I connect, I get a Nintendo Error:  86420


Works for Mii :-)

Sometimes it takes several days to weeks to complete the pairing with  
some friends, but it does eventually recognize the friend's box.  I  
believe this is a Nintendo issue, not a networking issue on my end.


I do have uPNP enabled on the router since I trust everyone inside  
(basically one winderz box, plus a handful of macs and one kubuntu  
aside from the wii.)







Re: [pfSense Support] DROP database

2008-04-14 Thread Vivek Khera


On Apr 14, 2008, at 3:14 AM, Chris Buechler wrote:

1.2.1 will include some improvements in the upgrade process. Largely
to accommodate 1.2 to 1.3 full install upgrades, though it may help
embedded. We haven't had a chance to work with embedded much yet, not
sure if it's made any difference.


I know I've piped up many times regarding embedded upgrades...

I've been using the FreeNAS software (also in embedded version),  
which is also derived from m0n0wall, and it seems to have a very  
robust upgrade process.  I've upgraded it several times and never had  
a failure.  It seems to in-place reflash the disk image while  
preserving the config file.  I don't know if pfSense can pull this off  
with the larger image size, since it would need to use RAM to store  
image during upgrade.


Of course, my ideal preference would be to have the dual zone  
firmware and a menu to allow one to choose which version to boot.   
Given that CF cards come no smaller than 1-2Gb these days, it seems  
possible to do.


But in any case, I really look forward to safer upgrades for embedded  
release (especially if /etc/ttys doesn't get clobbered like it always  
seems to be).






Re: [pfSense Support] Some basic rules help with IPSEC VPN

2008-04-09 Thread Vivek Khera


On Apr 9, 2008, at 12:38 PM, Paul Cockings wrote:

RULES : IPSEC : TCP SRC:192.168.8.0/24 * DST 192.168.101.0/24 * *
RULES : IPSEC : UDP SRC:192.168.8.0/24 * DST 192.168.101.0/24 * *
RULES : IPSEC : ICMP SRC:192.168.8.0/24 * DST 192.168.101.0/24 * *


For my IPSEC rules, I have just a single rule for allow all traffic of  
all protocols in both directions.  Try that instead of being very  
selective.  Another thing to try is to enable logging of those rules  
and see whether they get matched.






Re: [pfSense Support] More Ethernet ports on a pfsense box

2008-04-09 Thread Vivek Khera


On Apr 9, 2008, at 4:46 PM, Tim Nelson wrote:

pfSense/FreeBSD shows the interface names as hme0-3. I can only  
assume hme stands for Happy Meal Ethernet


man hme on a freebsd 6.3 system tells me this:

NAME
     hme -- Sun Microelectronics STP2002-STQ Ethernet interfaces device driver

HARDWARE
     The hme driver supports the on-board Ethernet interfaces of many Sun
     UltraSPARC workstation and server models.

     Cards supported by the hme driver include:

     o   Sun PCI SunSwift Adapter (``SUNW,hme'')
     o   Sun SBus SunSwift Adapter (``hme'' and ``SUNW,hme'')
     o   Sun PCI Sun100BaseT Adapter 2.0 (``SUNW,hme'')
     o   Sun SBus Sun100BaseT 2.0 (``SUNW,hme'')
     o   Sun PCI Quad FastEthernet Controller (``SUNW,qfe'')
     o   Sun SBus Quad FastEthernet Controller (``SUNW,qfe'')



Re: [pfSense Support] problem with ipsec

2008-02-28 Thread Vivek Khera


On Feb 28, 2008, at 4:07 AM, Christos Pelekis wrote:


Hi,
i have 2 pfsense installs (both have 1.2 release)
I have setup in aggressive mode a vpn channel and it works fine.
But if i change this to main (only this change, all the remain  
config is the same) then i have this errors:


What kind of identity negotiation do you have enabled?  In main mode  
you *must* use 'My IP address' as the identifier.  I'll bet that when  
you had aggressive mode you used a User FQDN with an email address  
or some such.






Re: [pfSense Support] enabling high performance tcp - freebsd

2008-02-22 Thread Vivek Khera


On Feb 22, 2008, at 5:02 AM, Paul M wrote:


Scott Ullrich wrote:

On 2/21/08, Paul M [EMAIL PROTECTED] wrote:
apparently since kernel 2.6.17 linux auto-tunes, so this advice is a bit
out of date... in fact it might be really bad advice because using
setsockopt and setting RCVBUF and SNDBUF will actually disable
autotuning.


pfSense does not use linux and has absolutely nothing to do with any
linux kernels.


yes, I know that, but the referenced article had large sections about
linux, and there will be a number of people on this list who use linux
who might read the article and go off with out of date information.


The bulk of the freebsd settings proposed are also the current
defaults, so there's not much to do there either.






Re: [pfSense Support] Multiple servers behind NAT'd firewall

2008-02-06 Thread Vivek Khera


On Feb 6, 2008, at 3:03 PM, Trave Harmon wrote:

Now when I telnet the public IP that the 1st virtual is assigned, it  
just sits there and times out. This is making it impossible to send  
messages from domain to domain within the network.




configure your servers to bypass the default MX lookup business and  
route the traffic for the given domain directly to the internal IP  
address.  in postfix, this is trivial with a transport map.




Re: [pfSense Support] Does phydiskwrite method work for non-embedded install?

2008-02-04 Thread Vivek Khera


On Feb 4, 2008, at 10:44 AM, Lance Cotton wrote:

Does phydiskwrite work to write the non-embedded image to a  
Microdrive CF device?


there is no non-embedded image.  It is an ISO file which makes a  
bootable CD which can run live, or can install to a hard drive.






[pfSense Support] minor issue with latest upgrade, mostly success.

2008-01-31 Thread Vivek Khera

I upgraded from RC3 to RC4 last night using the snapshots.  Embedded
platform on a WRAP.

I copied the tar file to /tmp then ran option 13 on the console.

After it asked me which kernel to install, it had a failure writing
some .txt to /boot/kernel directory with a complaint of read only file
system.

Then it proceeded to do its work, but within about a few seconds, it
reported something about some processes being killed, and returned to
the menu.  From the shell, I could still see the firmware upgrade
running, so I left it. After a few minutes, it rebooted and I was up
and running 99.44% correct.

I had my usual /etc/ttys file being the wrong one.  I just copied over
my copy of ttys_wrap and did a kill -1 1 and considered it a success.

It seems just fine to me.  This is just on my home LAN, so all I have
is a basic NAT for outbound access.




Re: [pfSense Support] Upgrade 1.0.1 to 1.2 RC4 from console

2008-01-28 Thread Vivek Khera


On Jan 26, 2008, at 5:02 PM, Michael Richardson wrote:

I was once given a command (or series of commands really) that
fetched, unpacked, and installed (or copied files anyway) that let
me do an update from 1.0.1 to 1.2 RC4, but I've misplaced it. Could
someone provide that again? As best I recall, the output of fetch
was piped into tar and the output of that was directed at /, but I'm
not 100% sure and can't afford to do this wrong :)





I believe this is known as option 13 on the console (or ssh login)  
to recent pfSense.


For 1.0.1, download the update tarball (compressed) and put it on /tmp  
on your system, then run the rc.firmware script as follows:


/etc/rc.firmware pfSenseupgrade /tmp/upgradefile.tgz

sit back, cross your fingers, and hope it doesn't croak and kill your
router.  if you're on embedded, this may happen; if you're on full
install, it *should* work.  but in the latter case, just use the
web-based upgrade.




Re: [pfSense Support] config.xml example / avoid serial terminal

2008-01-26 Thread Vivek Khera


On Jan 26, 2008, at 10:32 AM, [EMAIL PROTECTED] wrote:

I am having trouble with this point and would appreciate a example  
configurational file that will allow at least one of the ethernet  
ports to grab an IP via DHCP, or just have a static IP...  
something... anything. The basic problem is that I don't have a  
serial cable anywhere! (I thought I was done with such old  
technologies!)


by default, the LAN answers as 192.168.1.1 so just take a laptop or
other computer, set it to IP 192.168.1.2, and then configure your
box as you see fit.  or you can ssh into it and set the IP that way if
you prefer.


you don't *have* to have the serial port to do the initial config.





Re: [pfSense Support] 1.2rc4 fresh install - Disable Paging

2008-01-25 Thread Vivek Khera


On Jan 25, 2008, at 1:46 PM, Anil Garg wrote:

I have a machine with 1GB of Ram on which I wish to install pfsense  
1.2rc4.


Does anyone know how to disable paging after installation since we  
have much more memory than we need.


Essentially, is there a way to run pfsense entirely from ram.


Unless your system needs more than that RAM, you will never hit the
swap partition.  However, what you're asking is essentially to run
your system without swap, which means that when you *do* need more memory,
you would rather the system panic than degrade performance.


I'd recommend monitoring if you ever go to swap, and then react to it,  
rather than making the system panic for out of memory.




Re: [pfSense Support] 1.2rc4 fresh install - Disable Paging

2008-01-25 Thread Vivek Khera


On Jan 25, 2008, at 3:47 PM, Anil Garg wrote:

Ok. I will leave paging on.  I just kind of think its silly that for
one user at home I still hear my hdd constantly make noise of
read-write... But then I am not technical enough to know what is causing
that..


log in to your box (ssh [EMAIL PROTECTED]) and select option 8.
type pstat -s

it should show 0 pages swap used.

if not, you don't have enough RAM.

my office firewall never hits swap.



Re: [pfSense Support] pfSense support for usb to serial converter

2007-12-18 Thread Vivek Khera

On Dec 17, 2007, at 7:49 PM, Chris Buechler wrote:


on my other (recently setup) BSD system, which is: FreeBSD 6.2-
RELEASE #0: Fri Jan 12 10:40:27 UTC 2007
I see in /usr/src/sys/dev/usb that uftdi.c and usbdevs contain a
definition for this device.


I'm not sure exactly what kernel change would be necessary to add
this. What does it show up as in dmesg on a stock FreeBSD system?


The driver needed depends on the device.  I have one which requires
the uplcom driver loaded (I pull it in as a module in /boot/loader.conf).
Others may require umct, uvscom, or just ucom.  I suppose some might
require some other driver, too.  The man page for ucom lists all the
additional drivers you may need.




Re: [pfSense Support] Facing Problems with IPSec

2007-12-17 Thread Vivek Khera


On Dec 16, 2007, at 9:14 AM, Tim Korves wrote:


I'm facing problems while routing traffic trough an IPSec tunnel.

This is my configuration:

Branch 1  pfSense IPSec server (HQ)  Branch 2
|
|
Branch 3



You need to set up tunnels from branches 1, 2, and 3 to each other to  
make a mesh.  Routing and IPsec are not friends to each other :-(






[pfSense Support] 99.44% successful upgrade to RC3

2007-11-29 Thread Vivek Khera
Wow!  I finally successfully did a firmware update on my embedded  
platform which didn't require a reflash.  I updated from 1.2-RC2 to  
1.2-RC3 downloaded a few minutes ago.  The process I used was:


upload tgz file to /tmp/firmware.tgz
select option 13, and used local file for upgrade
 ... sat nervously watching serial console ...
system rebooted and everything came up.  VPN (3 IPsec tunnels), rules,  
etc.


The *only* thing not right, and this has been reported before but  
never reproduced it seems, is that the /etc/ttys file was for the full  
version.  Thus, there was no menu on the serial port console.  Copying  
over the ttys_wrap file from CVS and kill -1 1 fixed that.



I do notice that there is one funny error on the Firmware screen now:
Just to the left of the Enable Firmware Upload button is this string:


  echo This platform cannot be upgraded. Consider using option 13 from the console.; exit;


and then it lets you click the button anyhow.  (I needed this to make  
the file system writable for updating the ttys file, so I'm glad that  
bug was there).






Re: [pfSense Support] 99.44% successful upgrade to RC3

2007-11-29 Thread Vivek Khera


On Nov 29, 2007, at 12:14 PM, Scott Ullrich wrote:



The *only* thing not right, and this has been reported before but
never reproduced it seems, is that the /etc/ttys file was for the full
version.  Thus, there was no menu on the serial port console.  Copying
over the ttys_wrap file from CVS and kill -1 1 fixed that.


That is strange.  The system executes /tmp/post_upgrade_command which
detects the platform and writes out the tty file.


I know! :-)

It must just be something special to me, as nobody else seems to  
observe this... :-(


PS: I really like the IPsec status summary view.  Much more useful  
than just staring at SAD entries.






Re: [pfSense Support] Upgrading To RC2 on Embedded Platforms

2007-10-31 Thread Vivek Khera


On Oct 30, 2007, at 4:31 PM, Jared B. Griffith wrote:

Is it possible to upgrade to RC2 on the Embedded platforms without  
having to reflash the image?


upgrade from what version?

of late, I've had no end of trouble upgrading embedded without
re-flashing.  i know that the rc2 can't self-upgrade reliably.

Re: [pfSense Support] Upgrading To RC2 on Embedded Platforms

2007-10-31 Thread Vivek Khera


On Oct 31, 2007, at 12:26 PM, Jared B. Griffith wrote:


From version 1.0.1 to 1.2-RC2


i got a 1.0.1 embedded to upgrade once, but i think that was luck.  
you're better off prepping a new CF card and swapping it out.




Re: [pfSense Support] Watchguard X series platform

2007-10-29 Thread Vivek Khera


On Oct 29, 2007, at 11:37 AM, Eugen Leitl wrote:

I'm going to remove the CFs from my twin mini-ITXen, and substitute them


I just replaced the CF adapter thingy from my mini-ITX box and
replaced it with one of these, so upgrades are trivial -- just swap CF
cards from the back of the box.


http://www.e-itx.com/ide-cf-adapter-rear-bracket.html




Re: [pfSense Support] Inbound TCP/53, auto?

2007-10-17 Thread Vivek Khera


On Oct 17, 2007, at 4:16 PM, Ugo Bellavance wrote:

Are TCP packets automatically accepted by pfsense or should I open
TCP/53 at wide?  I query DNS servers directly, I don't use my ISP's  
DNS servers for many reasons, so I can't just open TCP/53 for these  
DNS servers.


enable the DNS proxy on pfsense.  it will use the public DNS servers  
you configure.  then point your clients to the pfsense proxy (which  
DHCP on pfsense will do automatically).


end of problem.

on my office LAN, I have a local DNS server that has a 1:1 mapping on  
pfsense, and for that host, I have allow rules for 53/tcp+udp for DNS  
to work.






Re: [pfSense Support] RIP and routing protocols

2007-10-08 Thread Vivek Khera


On Oct 7, 2007, at 11:37 AM, Gabriel Green wrote:

I just got a new T1 from Sprint in the office.  My other WAN  
connections are SDSL and ADSL from ATT; at my remotes I have IPSEC  
devices capable of running RIP as well.  I was wondering if I even  
need to run *any* routing protocols, and if so, what the advantage  
would be.


do all of your wan's share the same IP addresses?  if not, then no  
need to run any routing.  IPsec doesn't follow any routes -- it just  
follows the endpoints.




Re: [pfSense Support] How to schedule shutdown and box heartbeat

2007-09-24 Thread Vivek Khera


On Sep 22, 2007, at 7:05 AM, tester wrote:


min etc)

This was the command I typed from the shell:

echo shutdown -r now | at xx:yy


why not more simply shutdown -r xx:yy

shutdown has its own timing mechanism.






Re: [pfSense Support] WRAP Support Images

2007-09-14 Thread Vivek Khera


On Sep 13, 2007, at 5:11 AM, Jonathan GF wrote:


Bearing this in mind, will pfSense keep on providing images for WRAP
or will leave that arm?


pfSense's embedded image is not specific to the WRAP.  i doubt that  
just because you can't buy them that they won't keep working for many  
years to come, so I suspect that there will be nothing done to break  
such compatibility...


there are still some shops online that have the boards available...  
just look hard enough :-)






Re: [pfSense Support] LAN / WAN Disconnections continue in 1.2-RC1, Intel Pro/1000GT NICs with 370M RAM

2007-08-29 Thread Vivek Khera


On Aug 29, 2007, at 6:20 AM, Tortise wrote:


we had a lot of problems with linux drivers and the intel giga nics
onboard our tyans; we turned off power management in the intel's  
eeprom.

maybe the same problem affects freebsd?


I've not had any issues with Intel NICs across several dozen FreeBSD  
systems of varying vintage (from the 10/100 fxp devices thru the  
1Gb em devices).  Broadcom NICs on the other hand have been mostly  
nothing but trouble until the most recent FreeBSD releases.






Re: [pfSense Support] LAN / WAN Disconnections continue in 1.2-RC1, Intel Pro/1000GT NICs with 370M

2007-08-27 Thread Vivek Khera


On Aug 27, 2007, at 4:58 AM, Tortise wrote:

That restores the connection.  (I initially did it on the LAN, but  
reconnected the LAN and did the same with the WAN, as soon as  
ifconfig XXX up was run it was up again.)


What does that tell us?



the NIC's don't like each other.  replace one or both of the NICs for  
your pfsense box or your cable modem.  i'd vote to replace the cable  
modem.

Re: [pfSense Support] i just can't succeed in upgrading anymore...

2007-08-27 Thread Vivek Khera


On Aug 26, 2007, at 5:35 PM, David Strout wrote:


Try using the console upgrade method (option 13)
... I had the very issues w/ a Soekris box some
time ago and the console option was the only way I
could get that box to upgrade.


I already tried it as noted in my original message... it also led to  
disk full... 





Re: [pfSense Support] i just can't succeed in upgrading anymore...

2007-08-27 Thread Vivek Khera


On Aug 27, 2007, at 6:27 AM, Eugen Leitl wrote:



We definitely need to get away from fixed partition size on the
embedded. A way to grow the filesystem would seem to be required,
or at least images which can handle larger flash cards (1 GByte CF
is a dime a dozen these days). It's too bad there's no vanilla CF
which can take a real r/w filesystem.


I'd be willing to put up some money to build a dual-flash image  
system.  There would be three physical partitions on the CF card:  
firmware A, firmware B, and config.  To upgrade you upload the  
firmware IMG file to the other partition, click some buttons to tell  
it to boot the new partition, and it does so.  On failure, you click  
buttons (or select via the boot menu) and make it boot the original  
partition.


This could easily fit on even a 512Mb CF card.

Is there interest?  Should I start a bounty?





Re: [pfSense Support] i just can't succeed in upgrading anymore...

2007-08-27 Thread Vivek Khera


On Aug 27, 2007, at 2:51 AM, Eugen Leitl wrote:


Try switching from https to http. There seems a bug which prevents
firmware upgrades via https.



on my home lan, I don't have https enabled for management.  i doubt  
my wife will be snooping on it :-)


thanks for the suggestion.




Re: [pfSense Support] DHCP Static Clients

2007-08-26 Thread Vivek Khera


On Aug 26, 2007, at 4:37 PM, David Strout wrote:


wondering if you can edit the
/var/dhcpd/etc/dhcpd.conf
file directly to delete these 40 entries in
bulk


I'd download the config file via the web interface for the DHCP  
component, edit that, then upload it back.  I wouldn't trust editing  
files directly on the file system to stick across reboot.






[pfSense Support] i just can't succeed in upgrading anymore...

2007-08-26 Thread Vivek Khera
I don't know if my fingers are emitting some radiation that makes it  
fail, but the last three upgrades I've attempted have all ended in  
disaster, requiring a re-flash and restore on my WRAP boxes.


My prior upgrade brought my personal firewall up to the July 29  
snapshot.  This was an upgrade from an early-june snapshot.  This one  
I upgraded by uploading the firmware upgrade file, then running the  
rc.firmware upgrade script.  It ran out of disk space and destroyed  
some key files so it was basically bricked ;-(  I flashed the  
firmware to the July 29 snapshot and went on my business...


Then last night I decided to upgrade this box to RC2.  The web-based  
upgrade seemed to do nothing -- the browser kept timing out or  
getting network disconnects.  It was strange.  So I uploaded the  
firmware to the /tmp MFS partition.  About 80% into the upload, the  
console showed a kmem_malloc panic and rebooted.  So then I uploaded  
the firmware to the /root directory.  I ran the command line upgrade  
from the main menu, but after a while started getting disk full  
errors again.  Since I was still up and running, I tried to move the  
firmware file to /tmp and re-run it, but after the move when I did an  
ls -l the system again rebooted on kmem_malloc panic.   
Unfortunately it scrolled off the history buffer of my console window  
so I don't have the exact message.  Once again, I had to flash the  
firmware and restore.



Last week I upgraded another WRAP which was a late June snapshot to  
bring it to the RC2.  The web-based upgrade seemed to do nothing.  I  
got the "this is not signed" warning, clicked upgrade, and then a few  
minutes later it rebooted with no changes to the system (still  
reported old version.)  So then I tried the manual route of uploading  
the file and running the rc.firmware script.  Again, it gave disk  
full errors, and destroyed the system (the elf loader was corrupted,  
so there was no recovering...)


Anyhow, I know others have successfully upgraded embedded versions,  
but I have not been able to do so for at least the last 4 upgrades  
I've attempted.


Has anyone else experienced similar troubles upgrading embedded pfsense?





Re: [pfSense Support] LAN / WAN Disconnections continue in 1.2-RC1, Intel Pro/1000GT NICs with 370M

2007-08-24 Thread Vivek Khera


On Aug 23, 2007, at 3:15 PM, Tortise wrote:

Why would rebooting pfsense fix that?  Perhaps cause the modem to  
re-negotiate its connection?  Cause the ISP end to wake up?




what if you just force pfsense to bring down and back up your WAN port?

ifconfig XXX down; ifconfig XXX up

where XXX is your wan ethernet device name, such as em1 or fxp1.



Re: [pfSense Support] LAN / WAN Disconnections continue in 1.2-RC1, Intel Pro/1000GT NICs with 370M

2007-08-21 Thread Vivek Khera


On Aug 21, 2007, at 7:31 AM, Tortise wrote:

I am running wireshark - however the connection has yet to  
misbehave whilst doing so.  (Now I know why I kept those old 100M  
hubs!)




Well, perhaps your switch and your NIC don't agree with each other?   
I've had that problem before...




Re: [pfSense Support] 3DES accelerator cards?

2007-08-15 Thread Vivek Khera


On Aug 15, 2007, at 8:15 AM, RB wrote:


That said, if you really want to try it you could always go for a
Soekris 1401 - relatively cheap ($73 apiece for two).  They're about
the cheapest crypto acceleration cards I've seen that were worth
trying.  Then again, unless you're doing bulk crypto (many large
packets) you'll likely see no improvement whatsoever.


I have one sitting here collecting dust.  It caused my Dell box  
running pfsense to lock up regularly (anywhere from 2 to 14 days)  
until we removed it.  However, their miniPCI versions in our WRAP  
boxes have been rock solid.  No idea why it won't work well on the  
dell with exact same software.






Re: [pfSense Support] performance on a PE860

2007-08-10 Thread Vivek Khera


On Aug 10, 2007, at 11:29 AM, jamona perez wrote:

Also, there was a long thread about pfsense on PE 860, how did the  
test finally come up?

and finally which version would be best (was planning to get 1.2RC1)


I've not run pfSense on my 860's but freebsd 6.1 runs just  
wonderfully.  we shove a lot of email through those particular boxes  
with no problems. the network seems sufficient.






Re: [pfSense Support] Programming pfSense to Reboot and Dump LAN / WAN traffic

2007-07-27 Thread Vivek Khera


On Jul 20, 2007, at 3:23 PM, Tortise wrote:

Yes they are already on a LAN with a switch.  I didn't realise  
TCPDump could be run from another machine other than the one being
dumped from.  From what you suggest it can.  I'll study it up and  
see if I can get it to!  (Unless someone here knows the syntax for

this well and can just roll it off?)


I said *hub* not switch.  The switch will isolate the traffic.





Re: [pfSense Support] Beta2

2007-07-26 Thread Vivek Khera


On Jul 23, 2007, at 9:04 PM, Anil garg wrote:

Thanks a ton for taking a moment to respond.  I am just not the HDD  
guy.  I feel besides being silent, flash will perhaps save some  
energy too but I am not that sure.


why not just boot from CD and use a USB stick to save the config?



Re: [pfSense Support] Programming pfSense to Reboot and Dump LAN / WAN traffic

2007-07-20 Thread Vivek Khera


On Jul 19, 2007, at 7:41 PM, Tortise wrote:

1) LAN and WAN traffic dumps to a Centos HDD on the LAN, in an  
attempt to catch the traffic that may be causing pf Sense to

intermittently hang and require rebooting.


connect both systems to a hub and run tcpdump on the other machine  
logging all traffic some place.




2) Somehow setup a cron job to ping the ISP every minute - and  
reboot pfSense if the pings fail for 20 mins.


Buy hardware that's not faulty.  pfsense is *way* more robust than  
what it seems to be for you.  what network interfaces do you have?   
if other than broadcom or intel, switch to intel.





Re: [pfSense Support] Reset Webadmin GUI passwd from ssh command line

2007-07-16 Thread Vivek Khera


On Jul 16, 2007, at 10:30 AM, Lee J. Imber wrote:

Any ideas on how I can reset the webadmin passwd from the command  
line?


when you ssh in, the menu has an option 3.  select that and follow  
the prompts.  don't expect the shell's passwd command to update the  
webgui password.






Re: [pfSense Support] FTP and PFsense

2007-07-13 Thread Vivek Khera


On Jul 10, 2007, at 9:47 AM, The Wells Family wrote:

According to what I have read, setting up a NAT rule to forward the  
ftp port (21) from the WAN to the internal server and then letting  
pfsense create the firewall rules (it created two) and then turning  
on the ftp helper (un-checking it I believe) should get it done.   
But no luck.  I have even tried creating NAT and firewall rules for  
the dynamic ports.  My WAN IP is public and my ISP is very good at  
not blocking anything so I am pretty sure it is not my ISP.





That's how I do it (and how I updated the wiki to do it).  It does  
work.  Try changing your client from passive to active mode or vice  
versa and see if that works any better.


Also, sometimes depending on your pfsense version, you may need to  
reboot to make the ftp proxy settings take effect.




Re: [pfSense Support] Re: RAID monitoring

2007-07-06 Thread Vivek Khera


On Jun 28, 2007, at 1:49 PM, Ugo Bellavance wrote:


About SMS, how would you send it?


We usually send an email as per our cell phone service provider's  
instructions.  In my case [EMAIL PROTECTED]







Re: [pfSense Support] Pfsense 1.01 - Dell PowerEdge 860

2007-07-06 Thread Vivek Khera


On Jun 29, 2007, at 8:53 AM, [EMAIL PROTECTED] wrote:



I'll second this. I tested last week on an 860 just prior to ordering
two more. Everything came up nice and clean. While I can't speak to  
what

it will do under load, it does at least install and not fall over on


I have a pair of 860's in production running FreeBSD 6.1/amd64 as  
high-volume mail servers.  Never a problem, even though they use the  
bge ethernet driver which is known to be less than optimal in that  
release.






Re: [pfSense Support] RAID monitoring

2007-06-28 Thread Vivek Khera


On Jun 28, 2007, at 8:03 AM, Ugo Bellavance wrote:

2- Use a script, using amrstat.  But I'd need a direct ssh access  
and from what I've seen, when I login using ssh, there is a menu  
before having shell access.  Could I create another user that  
wouldn't have a menu?


write a script that runs amrstat, compares to known good output, and  
if not good, sends an SMS to you, or raises an SNMP trap or some kind  
of notification.


set up the script to run hourly (or daily) via cron.  or you can  
script it in php and make it a web-loadable page which is pulled on a  
regular basis from some other host.






Re: [pfSense Support] pfSense Firewall Logs: no ports listed !?

2007-06-19 Thread Vivek Khera


On Jun 17, 2007, at 4:15 PM, Bill Marquette wrote:


Good...I guess :-/  that patch is eliminated then.  So we're down to 6
days, the 5th - 11th of June.  I'll keep digging, there was a change
on the 9th that looked somewhat suspicious to me earlier.


Sorry for jumping in late... catching up on email today.

I have one install with build time: "built on Tue Jun 5 14:45:52 EDT 2007".


That shows the port numbers in the firewall log just fine.

Not sure if you've narrowed it down further yet.





Re: [pfSense Support] VPN through pfSense

2007-05-15 Thread Vivek Khera


On May 14, 2007, at 11:55 PM, Adam Van Ornum wrote:

After monkeying with things for a while this evening I was finally  
able to get things working by unchecking the "Block private  
networks" and "Block bogon networks" boxes on the WAN settings.   
After rechecking those checkboxes it is still working, so it seems  
that something must have gotten messed up when upgrading at some  
point.


my vote is that this was coincidental.  for me, the only thing that  
seems to clear up the failed vpn connect from the 1.2beta line is  
just waiting for time to pass.




[pfSense Support] adventures in upgrading.

2007-05-14 Thread Vivek Khera
Last week I upgraded from a 1.0.1 snapshot release (embedded) to  
1.2beta1 5/9/2007 snapshot using the rc.firmware script.  The upgrade  
installed nicely and everything seemed to work well (aside from  
having to manually fix gettytab and put the ttys_wrap file in place  
of ttys).


However, for some reason after a couple of days, my vpn tunnels back  
to the office running the same snapshot on a full install wouldn't  
stay up nor connect for long without continual rebooting of my home  
firewall.  Another curious thing was that the VPN to my data center  
was working as I could ping, login, etc., but the associations did  
not show up on the GUI nor via setkey -D on the console.  It was most  
peculiar...


So I decided last night to install snapshot 5/11 (built 5/13 it seems).

I tried the new upgrade menu option from the ssh login after  
uploading the firmware to the home directory.  The router continued  
to run for the whole time routing, but the upgrade never seemed to  
complete.  After a while DNS stopped being resolved, and my ssh  
connection was closed, and I couldn't connect to the web interface.


So I ran downstairs, hooked up a serial cable and found that there  
was nothing to see on the console.  Hitting 'ctrl-t' just said "not a  
controlling terminal" and reported a load average of 2.00.


Since it had been over 20 minutes by this time, I pulled the plug and  
rebooted the WRAP box.   On reboot, I could see that it had the  
absolute latest kernel, so the upgrade did apply at least some of  
it.   However, the console menu never showed up.  Luckily I was able  
to connect via ssh and restore the ttys_wrap file into /etc/ttys and  
'kill -1 1' to restore that.  To be safe, I used the rc.firmware  
script to re-install the upgrade.  It finished in a few seconds and  
rebooted.  This time, the ttys file was right, and everything seems  
to be going at 100%.  The VPN to the office is still up.


So I'm not sure if the 5/9 snapshot has issues that caused this  
upgrade problem or the VPN problem, but the 5/11 snap seems pretty  
stable so far on my embedded WRAP.


The 5/9 snapshot has been pretty stable on the full install at the  
office, too.


I'm not upgrading the data center and remote offices until I'm 100%  
safe with 1.2 release ;-) since I can't go fix them as easily.






Re: [pfSense Support] VPN through pfSense

2007-05-14 Thread Vivek Khera


On May 12, 2007, at 4:38 PM, Adam Van Ornum wrote:

I'm running pfSense as my home firewall and I'm having problems  
connecting to my company VPN from my computers at home behind  
pfSense.  The company VPN product is a SonicWall box and I'm using  
the SonicWall VPN Client software.  Anyone have any ideas on how to  
fix this?  A packet capture on the WAN interface on the pfSense box  
sees this:


Given that you're trying to connect to port 500 on the remote, I'll  
guess it is just using IPsec, in which case just configure your  
pfSense to be a mobile IPsec client to the sonicwall and let it do  
all the work for you :-)


Just put in your ID/password and tell it to connect your LAN to the  
remote LAN and see if it works.


But in either case, IPsec passthru should just work with pfSense.  I  
used to do it that way from home too :-)




Re: [pfSense Support] IPSEC Mobile Client

2007-05-08 Thread Vivek Khera


On May 7, 2007, at 5:50 PM, Tim Nelson wrote:

That tutorial is aimed at a site to site link although I used it as  
a basis to configure my pfSense box...


The configuration on the pfsense server is identical for site-to-site  
with non-fixed endpoint of remote, and for site-to-pc with a non-fixed  
pc IP address.  That is, if you get one to work, the other will  
work, presuming your remote IPsec client is not busted.






Re: [pfSense Support] High ping times over IPSec tunnels

2007-04-23 Thread Vivek Khera


On Apr 21, 2007, at 3:27 PM, Mike Lee wrote:

I recently discovered that when my internet pipe (either upload  
or download (2Mb-down/1Mb-Up)) is saturated with traffic, the ping  
time to my remote site pfSense boxes is really high (sometimes  
800-1000ms).  My office uses pfSense (full) and all of my remote  
offices are connected via IPSec VPNs and use pfsense (embedded)  
with WRAP boards.  However, when the internet pipe is saturated and  
the ping times get high to the remote sites, I get average ping  
times when pinging sites that are not on our VPNs (i.e. pinging  
www.google.com I get ~80-100ms ping times).


what's the CPU load on the WRAP boards when this happens?  We have an  
identical situation: full install at main office, and remote  
locations (data centers, home offices, etc.) on WRAPs.  However, I  
put the soekris crypto accelerators into the WRAPs and we never see  
more than about 20ms ping times, even under heavy network loads.  Our  
office system is a P4 with hyperthreading enabled.




Re: [pfSense Support] Recent snapshot on a DELL PowerEdge SC 1425

2007-03-06 Thread Vivek Khera


On Mar 6, 2007, at 3:12 AM, Christian Krützfeldt wrote:


Strange thing is, Monowall has no problem with it.


FreeBSD 4's drivers for NICs are way different... the bge driver  
in 6.x seems to have more timing issues, but then it supports way  
more chipsets.






Re: [pfSense Support] Recent snapshot on a DELL PowerEdge SC 1425

2007-03-05 Thread Vivek Khera


On Mar 5, 2007, at 11:05 AM, Dan Farrell wrote:

Possible tangent (apologies)- I haven't tried any BSD variants on  
the current Dell PowerEdge series, but I have tried Fedora, CentOS,  
and Suse, and had problems with the built-in NIC on all of them.  
Are you using this built-in NIC in your bridge? Are you able to  
have it work alright in pfSense or Monowall at all?


The SC1425's I have use intel NIC's which are extremely well  
supported (by Intel engineers).


A couple of the SC1425's I have are under pretty hefty load sending  
and receiving email on both NIC's.  Never a problem.  I run FreeBSD  
6.1 on them.


What are your two additional NICs?  Are they broadcom? If so, replace  
with Intel and your problems might just magically go away.


The SC1425's are otherwise very stable on FreeBSD 6.1 running the  
amd64 version.  I can't imagine the i386 version to be less stable.






Re: [pfSense Support] DST 2007-ready?

2007-03-02 Thread Vivek Khera


On Mar 1, 2007, at 11:03 PM, stephan peterson wrote:


Vivek,

Here are my results:

# date -r 1175386460 ; date -r 1175486460
Sat Mar 31 19:14:20 CDT 2007
Sun Apr  1 23:01:00 CDT 2007


If it said CST on the first line, you'd have a problem :-)





Re: [pfSense Support] DST 2007-ready?

2007-03-01 Thread Vivek Khera

On Feb 28, 2007, at 11:44 PM, stephan peterson wrote:

What can I do to make sure the new zoneinfo file(s) are being used?  
I'm not sure from LJ's message what to look for.


in the USA, run this command line:

date -r 1175386460 ; date -r 1175486460

you should get something like this on a corrected system:

Sat Mar 31 20:14:20 EDT 2007
Mon Apr  2 00:01:00 EDT 2007

Whereas on an incorrect (ie, older zone file) system you would get:

Sat Mar 31 19:14:20 EST 2007
Mon Apr  2 00:01:00 EDT 2007


If you have any other freebsd system, you can simply copy a working  
/etc/localtime file onto the one on your pfsense box.  my  
understanding is that any unix system using the same zone info  
compiler (pretty much any unix in existence) should produce working  
zone files.




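The two-timestamp check above, as an added example that is not from the list thread: it reproduces the `date -r 1175386460 ; date -r 1175486460` probe with Python's zoneinfo module (Python 3.9+ and a tz database) instead of BSD date(1), and also computes the DST start date under the old and new US rules to show why those two epoch values straddle the change. The function names are my own; the zone names and rule definitions are standard tzdata facts.

```python
"""Check whether a host's zoneinfo data honours the 2007 US DST rules.

Added example (not from the list thread): the same two-timestamp probe the
post runs with `date -r`, done with Python's zoneinfo module so it works on
any host with Python 3.9+ and a tz database. Function names are my own.
"""
from datetime import date, datetime, timedelta
from zoneinfo import ZoneInfo

# Epoch seconds quoted in the post. The first is 2007-04-01 00:14:20 UTC,
# i.e. the evening of Sat 31 Mar 2007 in US Eastern time: after the new
# second-Sunday-of-March DST start but before the old first-Sunday-of-April
# start. The second is 2007-04-02 04:01:00 UTC, when both rule sets agree
# that DST is in effect.
PROBE_BETWEEN_RULES = 1175386460
PROBE_AFTER_BOTH = 1175486460


def us_dst_start(year: int, new_rules: bool = True) -> date:
    """DST start date in the US: second Sunday of March under the rules in
    force from 2007, first Sunday of April under the pre-2007 rules."""
    month, nth = (3, 2) if new_rules else (4, 1)
    first_of_month = date(year, month, 1)
    # weekday(): Monday == 0 ... Sunday == 6
    days_to_sunday = (6 - first_of_month.weekday()) % 7
    first_sunday = first_of_month + timedelta(days=days_to_sunday)
    return first_sunday + timedelta(weeks=nth - 1)


def render(ts: int, tzname: str) -> str:
    """Format an epoch timestamp the way date(1) prints it, e.g.
    'Sat Mar 31 20:14:20 EDT 2007' (day of month space-padded to width 2)."""
    dt = datetime.fromtimestamp(ts, ZoneInfo(tzname))
    return f"{dt:%a %b} {dt.day:2d} {dt:%H:%M:%S %Z %Y}"


def probe_lines(tzname: str = "America/New_York") -> list[str]:
    """The two lines the post's `date -r ... ; date -r ...` pair would print."""
    return [render(PROBE_BETWEEN_RULES, tzname), render(PROBE_AFTER_BOTH, tzname)]


def dst_2007_ready(tzname: str = "America/New_York") -> bool:
    """True when the installed zone data applies the 2007 rules.

    With current data both probes fall in DST (EDT, CDT, ...). With pre-2007
    data the first probe is still standard time, because the old rules would
    not start DST until 1 Apr 2007. Only meaningful for a US zone that
    observes DST; a zone without DST (UTC, America/Phoenix) returns False.
    """
    tz = ZoneInfo(tzname)
    first = datetime.fromtimestamp(PROBE_BETWEEN_RULES, tz)
    second = datetime.fromtimestamp(PROBE_AFTER_BOTH, tz)
    one_hour = timedelta(hours=1)
    return first.dst() == one_hour and second.dst() == one_hour


if __name__ == "__main__":
    zone = "America/New_York"
    print("2007 rules start DST on", us_dst_start(2007, new_rules=True))
    print("old rules would start DST on", us_dst_start(2007, new_rules=False))
    for line in probe_lines(zone):
        print(line)
    print("zone data DST-2007 ready:", dst_2007_ready(zone))
```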


Re: [pfSense Support] DST 2007-ready?

2007-02-26 Thread Vivek Khera


On Feb 23, 2007, at 4:33 PM, Scott Ullrich wrote:


If you are in doubt, update to this month's snapshot which is based on
6.2 and definitely has support for congress's half-brained decision.


When you upgrade an existing system, you still need to ensure  
/etc/localtime is updated by setting your timezone.  The system upgrade  
will only update the /usr/share/zoneinfo zone file data.


I'm not sure how to force the pfSense GUI to update that aside from  
changing the zone to something else, then back.  Or does pfSense not  
use /etc/localtime?







Re: [pfSense Support] supported Hardware?

2007-02-21 Thread Vivek Khera


On Feb 20, 2007, at 11:20 AM, Tim Dickson wrote:


Unless I’ve missed an update along the way… 64bit is not supported.




unless the system in question is an Itanium, the 64-bit normal intel  
systems (Pentium + EM64T, or amd64) are 32-bit backward compatible  
and will boot and run a 32-bit OS just fine.


Chances are there is some issue with the controller chips, and that  
has not much to do with 64-bit capability of said system.






Re: [pfSense Support] PPTP Drops constantly.

2007-02-09 Thread Vivek Khera


On Feb 9, 2007, at 8:17 AM, Andrew Kemp wrote:


I've been experiencing an issue where my connection via PPTP drops
unexpectedly. The connection can't seem to stay connected for more  
than


one of my engineers cannot stay connected to PPTP for more than a few  
minutes at a time.  his home connection is a consumer-level verizon  
DSL line.  IPSec is actively blocked by verizon DSL, it seems.   
customer support tells him to upgrade to a business level service!


our staff on comcast have no issues staying connected with pptp or  
IPsec.


check your ISP...





Re: [pfSense Support] PPTP Drops constantly.

2007-02-09 Thread Vivek Khera


On Feb 9, 2007, at 10:26 AM, Vivek Khera wrote:

one of my engineers cannot stay connected to PPTP for more than a  
few minutes at a time.  his home connection is a consumer-level  
verizon DSL line.  IPSec is actively blocked by verizon DSL, it  
seems.  customer support tells him to upgrade to a business level  
service!


minor correction: the PPTP times out rapidly for him only when we  
have traffic shaping turned on.  if we disable the traffic shaper, his  
PPTP stays up.






Re: [pfSense Support] ftp forwarding

2007-01-04 Thread Vivek Khera


On Jan 3, 2007, at 8:57 PM, nix4me wrote:

I have pfsense setup and i have a ftp server on 192.168.1.102.  I  
set up NAT inbound for the ftp port (2121) and also the passive  
ports (4-40100) to go to 192.168.1.102.  I let the firewall  
rules autogenerate.


http://wiki.pfsense.com/wikka.php?wakka=IncomingFTPHowTo





Re: [pfSense Support] pfsense load balancing question

2006-12-06 Thread Vivek Khera


On Dec 5, 2006, at 4:08 PM, Holger Bauer wrote:


That's the feature that pfSense doesn't have (yet):

  Authoritative DNS & Inbound Load Balance
  * A built-in authoritative DNS server supports MX, NS, A, CNAME, and
    TXT records. (Screenshot...)
  * DNS resolution balances inbound requests among available links.

However you might be able to achieve this with pfSense and an additional
DNS Server doing this for you.


It also detects when one link is down, and makes the DNS server  
respond with the IP of the other line, effecting a failover.  On the  
inside, all boxes see just the primary IP address.  The peplink  
NAT's the other WAN addresses into the WAN addresses of the primary.   
It is an incredibly clever set of features.


Pretty much all of the features this box has can be implemented into  
pfSense I'm sure, it is just a SMOP...



Re: [pfSense Support] Installation problem on DELL PowerEdge SC440

2006-12-04 Thread Vivek Khera


On Dec 4, 2006, at 8:48 AM, Christian Krützfeldt wrote:

First part of the boot is fine, then the option is displayed 0  
Default, 1 ... And shortly after that. It happens:


Fatal trap 19: non-maskable interrupt while in kernel mode



Have you run Dell diagnostics on it?  I run pfSense on an SC400, and  
also have FreeBSD running on an SC430 and about two dozen other Dell  
boxes with no problems.






[pfSense Support] vpn over multiple public IP paths?

2006-11-28 Thread Vivek Khera
We have a VPN using pfsense from our co-lo facility to our main  
office.  The co-lo is at a tier-1 data center and the connection  
there is rock solid.


The office, however, is another story.  We have a comcast link and a  
DSL link, both of which are less reliable than we'd like.  We have a  
load balancer connected to the two, and it both balances and fails  
over the connections as needed which works well for things like  
surfing the web, sending out mail, etc.


However, the VPN is tied to one of the public IP's (currently the  
comcast one).  The pfSense box at the office always sees the same  
public IP as the load balancer uses NAT to translate the other IP's  
from the DSL service.  Is there some way to configure the remote  
pfSense (at my colo) to either use both public IP's at my office as  
endpoints to the same remote network or to failover if one IP is not  
responding?


Something like this:

colo -- +-- office IP-1 --+
        |                 |--- load balancer -- pfSense (sees IP1)
        +-- office IP-2 --+




=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Vivek Khera, Ph.D.    MailerMailer, LLC    Rockville, MD
http://www.MailerMailer.com/ +1-301-869-4449 x806






[pfSense Support] conflicting documentation on embedded flash card size

2006-09-26 Thread Vivek Khera
I'm preparing to do my first flash-based embedded install of pfsense,  
and my recollection from this list is that I need a 128Mb CF card to  
enable it to do updates from the GUI without having to re-flash.  I  
hit the wiki and FAQ's to verify this, and came across some  
conflicting information.


In the http://wiki.pfsense.com/wikka.php?wakka=WhichVersionIsRightForMe  
page, it claims the embedded version requires re-flash.


Also, nowhere did I actually find that I need 128Mb, other than being  
hinted to in the title of this article:  
http://faq.pfsense.org/index.php?action=artikel&cat=4&id=76&artlang=en&highlight=embedded


This page indicates the flash size should be 64Mb:  
http://wiki.pfsense.com/wikka.php?wakka=FlashHowTo


I'll probably just buy a 256Mb CF card since they're under $20  
(unless you want to buy the official Cisco cards which can be had at  
64Mb for a mere $280 !!!) and finding smaller cards is non-trivial at  
this point, but I think the docs should be made consistent and accurate.


Thanks!

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Vivek Khera, Ph.D.            Khera Communications, Inc.
Internet: khera@kciLink.com   Rockville, MD  +1-301-869-4449 x806






Re: [pfSense Support] pfsense, core-duo support?

2006-09-10 Thread Vivek Khera


On Sep 9, 2006, at 3:47 PM, Robert Carr wrote:


I realize pfsense isn't SMP-capable, but would it run
on a core-duo (or core-solo processor)?  Or are these
processors totally unsupported for now?


pfSense surely is SMP capable... it definitely recognizes a P4 with  
hyperthreading and runs in multi-user mode if you enable that via a  
/boot/loader.conf tunable machdep.hyperthreading_allowed=1


I know from personal experience that FreeBSD 6.1 runs extremely well  
on Pentium-D dual core (it is frighteningly fast) in SMP mode but  
that wasn't for pfSense.


With the current bleeding edge new machines, you have to watch out
for the ethernet controllers built-in to the motherboards.  Some of
the latest Broadcom chipsets are not completely supported or may be
suboptimal.  The Intel NICs do tend to work much more reliably.
Also, if you're looking for some of the new SAS controllers for your
disk, they may not be 100% either.






Re: [pfSense Support] Reset rules after firmware update?

2006-07-21 Thread Vivek Khera


On Jul 20, 2006, at 1:56 PM, Bill Marquette wrote:


I've never seen this on my full installs either (although admittedly
lately my only full installs run HEAD).  Firmware upgrades reboot the
machine on completion and config.xml is read on boot, I can't see any
reason for rules to not load on boot.


We've not lost any configs either, and we've been running pfSense  
since last october or so, and have upgraded every release.






Re: [pfSense Support] denial of service attack

2006-07-06 Thread Vivek Khera
On Jul 6, 2006, at 2:23 PM, Jeremy Rempel wrote:


Is there a feature or add-on module that can recognize and protect
our site from aggressive attacks?


I'd like to see something like this too.  I'm not clueful enough to
build it myself.  I've seen DOS "lockouts" on other firewalls,
particularly the FireBox line.



Re: [pfSense Support] PFSense + Poweredge

2006-06-27 Thread Vivek Khera


On Jun 27, 2006, at 5:22 AM, Lee Hetherington wrote:

Im tempted to buy 2x Poweredge 850's with SATA, are their any known  
issues installing onto this, im not sure if SATA on these is  
supported under FreeBSD...


So driving 200 miles is cheaper for you than buying a $150 UPS?!?!?
Man, you must be underpaid.


Anyhow, to answer your question, I run pfSense on a PE SC 400 with a
Dell SATA RAID card (which is basically Adaptec) with no problems.


I've never had problems with FreeBSD not recognizing devices on a  
Dell box. You should be safe.  I know for sure FreeBSD 6.1 recognizes  
the SATA RAID on a PE800.



Re: [pfSense Support] CARP NIC overhead?

2006-06-21 Thread Vivek Khera
On Jun 21, 2006, at 12:08 PM, Steve Harman wrote:


Sorry to bother the list again - Martin; are you able to post the
model number of the Intel multiport NICs you're using please?  Just
to improve my chances of success.


Get the Intel *server* NICs.  These are awesome.  I've had dual-port
ones (no idea the model number) which are extremely fast and stable
in FreeBSD 6.x

Re: [pfSense Support] Dell 1850 Kernel Panic?

2006-05-30 Thread Vivek Khera


On May 30, 2006, at 12:35 PM, [EMAIL PROTECTED]  
[EMAIL PROTECTED] wrote:



Server is a Dell 1850 1u, 2GB RAM, 2x146GB scsi in mirror off Perc 4
card, single 3GHz proc. No bios options nor boot time options off  
the CD

appear to have any effect of import.


FWIW, I have pretty much the identical box, but only 1GB ram running a
production FreeBSD 6.0/amd64 environment for some web and database
services.  Never an issue.


Try running Dell's diagnostics on it.





Re: [pfSense Support] Suggested mini-itx solutions?

2006-05-10 Thread Vivek Khera


On May 10, 2006, at 1:48 PM, Paul Haddad wrote:


2k+ connections and 15Mbps down at the same time.


these boxes have been clocked at  30Mbps and have 128MB of RAM, so  
should be able to handle that many connection states.






Re: [pfSense Support] Serial console on PC?

2006-05-10 Thread Vivek Khera


On May 10, 2006, at 4:26 PM, Brian Neufeld wrote:


Does the serial port console functionality of pfSense work on the
standard PC platform or is this an embedded platform only (i.e.
wrap/soekris) feature?  I tried with a null modem cable and  
couldn't get

it to work...


Did you enable the option in the GUI and reboot, and did you connect
at 9600 baud?


If so, please better define "couldn't get it to work" in terms of
what happened and how that differed from what you expected to happen,
and what exactly you did.






Re: [pfSense Support] Serial console on PC?

2006-05-10 Thread Vivek Khera


On May 10, 2006, at 4:56 PM, Brian Neufeld wrote:


Sorry I was not more clear...  What I wanted to know is if it is even
possible on the PC platform?  I don't want to bang my head against a
wall trying to get something to work that never will...


Yes it is.  Did you do what I stated originally?





[pfSense Support] strange problem with ssh

2006-04-25 Thread Vivek Khera
I have three offices connected via combinations of pfsense and  
m0n0wall.  These all do their IPsec tunnels flawlessly and I've never  
had any errors or problems with those.  I can copy files all day long  
without fail.


However things go south when I hook up my powerbook running OS X 10.4  
into the IPsec using mobile user.  Basically, connected to the  
pfsense remote endpoint everything works.  I can copy large files via  
ssh no problem.  Normal ftp/http file transfer to all three works  
fine too.  The thing that breaks is ssh data transfer from one of the  
m0n0 remotes (both via scp and rsync over ssh).  The remote end just  
closes the connection after some timeout and locally I get a  
"protocol failure" from rsync.  Even doing an "ls -lR" on a big
directory can lock up the ssh terminal session.


Does anyone know of issues that are different with pfSense than m0n0  
regarding the IPsec handling of ssh?  Is it just luck or is something  
explicitly fixed in pfSense.  I'd like to know before I trek out to  
the remote facility to upgrade the server from m0n0 to pfSense.




-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [pfSense Support] Raid disks

2006-04-19 Thread Vivek Khera


On Apr 13, 2006, at 9:59 AM, Guilherme Oliveira wrote:


Well, I'll do it but I don't know how can pfSense be used in corporate
environments if it can't do RAID. And I don't know a better place of a
firewall other than a corporation.


Hardware RAID is your friend.  If you're corporate the cost shouldn't  
be a significant factor.  The 3ware RAID cards are well supported in  
FreeBSD and are known to work well. Check the freebsd mailing lists  
for more recommendations.  My pfSense runs on a Dell SC400 with a  
SATA RAID card from Dell in mirror configuration.






Re: [pfSense Support] Raid disks

2006-04-19 Thread Vivek Khera


On Apr 13, 2006, at 10:33 AM, Guilherme Oliveira wrote:


I think this is a major problem for companies that want a reliable
firewall and is my opinion that pfSense must have gmirror or vinum in
their core. Even if is by a package.


Setting up gmirror is not trivial, especially with a simple installer
like pfSense has.  I suspect you could copy
/boot/kernel/geom_gmirror.ko and /sbin/gmirror from a FreeBSD 6.1 CD
and get it to work, though.






Re: [pfSense Support] boot problems after upgrade, part 2.

2006-04-06 Thread Vivek Khera


On Apr 5, 2006, at 8:35 PM, Scott Ullrich wrote:


Not really.  It almost sounds like RELENG_6 is not in sync with
RELENG_6_0 but my understanding is that RELENG_6_0 is the FreeBSD 6
release tree so thats what we really need to track.


RELENG_6_0 is only gonna get you security fixes over 6.0-RELEASE.   
RELENG_6 is currently what is becoming 6.1-RELEASE and has a *lot* of  
changes relative to 6.0.  They are not in sync at all as they are  
divergent branches of development, and only selected changes are  
ported back over to the RELENG_6_0 branch.


Hopefully they'll tag RELENG_6_1 really soon now...  but for less of  
a moving target 6.0 release is the way to go.


Perhaps the goal for pfSense 1.1 should be to use RELENG_6_1.






Re: [pfSense Support] Re: ntp startup question

2006-04-05 Thread Vivek Khera


On Apr 5, 2006, at 4:01 PM, Randy B wrote:


OpenNTP's only redeeming factors ATM seem to be it's size and
simplicity; I'm not an NTP hero either, but in my short experiments
today, I find it only good enough as far as time quality.  You can't


One of the most important things in forensic analysis of break-ins or
other security breaches is accurate time-stamping of logs.  Don't
fool around with the time synchronization -- the size of the program
matters not, the accuracy is the key.


ISC's ntp is well known and understood and considered very accurate.   
I see no other choice.




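An added illustration of the forensic point above (my own example, not anything from the thread, from pfSense or from either ntp daemon): when one host's clock is off, a naive merge of its syslog with the firewall's puts events in an impossible order, and the only way to repair that after the fact is to know each host's offset. The Python below merges BSD-format syslog lines from two hosts into one timeline, subtracting a per-host offset measured against a trusted clock (for instance with `ntpdate -q` against a known-good server). The log lines, hostnames, addresses and the 47-second skew are all constructed, and every host is assumed to log in UTC; with accurate NTP everywhere the offsets table is simply empty, which is the whole argument for not skimping on time sync.

```python
"""Merge syslog lines from several hosts into one timeline, correcting each
host's timestamps by its measured clock offset.  Added illustration; the
hosts, addresses and offset below are constructed, not real data."""
import re
from datetime import datetime, timedelta, timezone

# BSD syslog format: "Apr  5 16:01:05 host prog[pid]: message" (no year, no zone).
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")


def parse_syslog(line, year, tz=timezone.utc):
    """Parse one BSD syslog line.  The year and zone are not in the line, so
    the caller supplies them (assumption here: every host logs in UTC)."""
    m = SYSLOG_RE.match(line)
    if m is None:
        raise ValueError(f"not a syslog line: {line!r}")
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=tz)
    return ts, m["host"], m["msg"]


def merge_timeline(lines, year, offsets=None):
    """Return events as (true_time, host, msg) sorted by true time.

    offsets maps host -> seconds its clock runs ahead of true time (negative
    means behind), as measured against a trusted reference; hosts not listed
    are taken to be accurate, which is what good NTP buys you."""
    offsets = offsets or {}
    events = []
    for line in lines:
        ts, host, msg = parse_syslog(line, year)
        true_ts = ts - timedelta(seconds=offsets.get(host, 0))
        events.append((true_ts, host, msg))
    events.sort(key=lambda e: e[0])
    return events


# Constructed sample: the firewall ("fw") is NTP-synced; "dbhost" was found
# to be 47 seconds slow.  Each firewall "pass" line is the SYN that precedes
# the corresponding sshd login on dbhost.
LOG_LINES = [
    "Apr  5 16:01:05 fw pf: pass in on fxp0: 203.0.113.9.44121 > 192.0.2.10.22: S",
    "Apr  5 16:00:20 dbhost sshd[1234]: Accepted publickey for root from 203.0.113.9 port 44121 ssh2",
    "Apr  5 16:01:09 fw pf: pass in on fxp0: 203.0.113.9.44130 > 192.0.2.10.22: S",
    "Apr  5 16:00:31 dbhost sshd[1240]: Accepted publickey for root from 203.0.113.9 port 44130 ssh2",
]
CLOCK_OFFSETS = {"dbhost": -47}   # measured, hypothetical value

if __name__ == "__main__":
    for label, offsets in (("naive merge", None), ("offset-corrected", CLOCK_OFFSETS)):
        print(f"== {label} ==")
        for ts, host, msg in merge_timeline(LOG_LINES, 2006, offsets):
            print(ts.strftime("%H:%M:%S"), host, msg)
```

The naive merge shows both logins being accepted before the firewall ever passed the first SYN; with the 47-second correction applied, each SYN precedes its login, which is the order an investigator needs to trust.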


Re: [pfSense Support] hifn errors on console

2006-04-05 Thread Vivek Khera


On Apr 3, 2006, at 12:34 PM, Scott Ullrich wrote:


Sam suggested adding kern.rdntest.verbose=0 to /etc/sysctl.conf.

I've added it to our file so it should show up on the next snapshot.


It just seems curious to me that the FreeBSD driver for hifn would be  
testing randomness of the chip's source, yet doesn't actually make  
use of it via /dev/random  I guess that's something to take up  
with the FreeBSD developers.






Re: [pfSense Support] hifn errors on console

2006-04-03 Thread Vivek Khera


On Apr 3, 2006, at 10:54 AM, Eric W. Bates wrote:


hifn0: rndtest: zeros interval 4 failed (243, 251-373)
hifn0: rndtest: zeros interval 3 failed (717, 542-708)

This started on Pfsense 0.92 and persists after upgrading to BETA-2. I
had no luck with Google.  Can anyone enlighten me?



I see this all the time with a VPN1401 PCI card on my primary office  
firewall running pfsense.  I don't see it at all on a WRAP box with a  
VPN1411 mini-PCI at a remote location running m0n0wall, but I'm not  
sure if that would show up in the logs.


My guess is that the driver in 6.0 is just reporting some issues with
the randomness of the random number generator in the hifn chip...
but it seems very odd that would be the problem considering FreeBSD
doesn't take advantage of the RNG on that chip.



Do you see random lockups of your pfsense box?  Today I pulled the
Soekris card from my main office pfsense box (a Dell PE400SC) since
we would get random lockups (total hardware freeze) anywhere from 3
days to 14 days apart ever since I installed the card.






Re: [pfSense Support] passive ftp out of my DMZ is not working

2006-03-02 Thread Vivek Khera


On Mar 2, 2006, at 2:12 PM, Derrick MacPherson wrote:


Like I said, works fine on the LAN interface, not the DMZ interface.
Perhaps there's something else in the pfsense config i'm missing.

do I have to set a 1:1 NAT for the machines in my non-routable DMZ?


with snapshot 02-20-06 I have found that some remote sites work to  
fetch via ftp (passive or otherwise) while others do not, from my 1:1  
NATted host on my LAN (no DMZ here).  ftp to all hosts works  
flawlessly for other clients that are just normal NATs.


I haven't figured out a pattern yet as to when it works and when it  
doesn't.





