Re: [pfSense Support] Sudden WAN failure/Direct SSH command execution
On Sun 07 Aug 2011 00:37:55 NZST +1200, Arquivos wrote:

> I'm having a problem almost like this. My pf box is running in a VirtualBox VM hosted by Ubuntu Server 10.04 (Lucid). If I start the pfSense VM automatically in Lucid startup, the WAN doesn't talk to the modem. So I have to kill the pfSense VM and start VirtualBox by hand to have communication between WAN and modem. Again, nothing in the logs. If someone could help me too, I'll be pleased.

That looks like a buntu problem to me, where services depending on other services being up get started too early. My guess would be you are parallel-starting all services at boot.

Delay the VB service. Something crude and effective is to add some code to the start script which runs a sleep if the box was up for less than X seconds. Choose appropriate numbers.

Volker

--
Volker Kuhlmann is list0570 with the domain in header.
http://volker.dnsalias.net/
Please do not CC list postings to me.

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com
Commercial support available - https://portal.pfsense.org
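One way to implement the uptime-gated delay the reply above suggests, written here as an added example rather than taken from the list post; it assumes a Linux host with /proc/uptime (the Ubuntu host in the thread), and the 60-second threshold and the wrapped start command are placeholders:

```shell
#!/bin/sh
# Added example: delay a boot-time service start (e.g. the VirtualBox
# autostart script) until the host has been up for at least MIN_UPTIME
# seconds, so it no longer races services it depends on.
# Assumptions: Linux /proc/uptime; MIN_UPTIME and the wrapped command
# are placeholders chosen for this example.

MIN_UPTIME=${MIN_UPTIME:-60}   # seconds the host must have been up

# Seconds since boot as an integer, from the first field of /proc/uptime
# (which reads like "12345.67 45678.90").
host_uptime() {
    cut -d. -f1 /proc/uptime
}

# Print how long to sleep so the start happens at or after the required
# uptime. Arguments: current uptime, required uptime. Prints 0 if no
# delay is needed.
delay_needed() {
    up=$1
    min=$2
    if [ "$up" -lt "$min" ]; then
        echo $((min - up))
    else
        echo 0
    fi
}

# Wrapper for the real start action: sleep first if the box is too young,
# then run the original start command given as arguments.
delayed_start() {
    wait=$(delay_needed "$(host_uptime)" "$MIN_UPTIME")
    if [ "$wait" -gt 0 ]; then
        echo "host up for less than ${MIN_UPTIME}s, delaying start by ${wait}s" >&2
        sleep "$wait"
    fi
    # Placeholder: the init script's original start line goes here,
    # passed in as the remaining arguments.
    "$@"
}

# Only act when invoked as "script --run <start command...>", so that
# sourcing the file merely defines the functions.
if [ "${1:-}" = "--run" ]; then
    shift
    delayed_start "$@"
fi
```

Call it from the service's start script as `delay-start.sh --run <original start command>`; the delay is skipped entirely when the service is restarted later on an already-up host.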
[pfSense Support] squid corrupts content
I've had this happen several times now. Large files end up having single-byte corruptions spread through the file. The problem is related to squid - turning it off makes the corruptions disappear.

squid configured as transparent proxy, no user authentication.

maximum_object_size_in_memory 32 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
cache_dir ufs /local/squid/var/squid/cache 3000 32 256
minimum_object_size 0 KB
maximum_object_size 25 KB
offline_mode off
cache_swap_low 90
cache_swap_high 95

The disk has no reallocated or pending bad sectors and passes smart selftests.

This makes the web cache kind of not very useful :-((

Volker
Re: [pfSense Support] virtualbox ova fails to import
On Thu 14 Jul 2011 01:12:13 NZST +1200, e...@tm-k.com wrote:

> $ md5 pfSense.ova
> MD5 (pfSense.ova) = ff549e509339e8e8316770bc4a47958f

Thanks! Loads fine into virtualbox now.

Turns out I had to turn off the transparent proxy in squid to make the download error disappear. Otherwise each 220MB of pfSense.ova differed by about 6 bytes from the previous. Disk has no pending or reallocated sectors. Not my understanding of transparent cache... :-((

Thanks,

Volker
[pfSense Support] virtualbox ova fails to import
The dev builder image mentioned on
http://devwiki.pfsense.org/DevelopersBootStrapAndDevIso

http://cvs.pfsense.org/~sullrich/pfSenseDevBuilder/pfSense.ova

fails to import into virtualbox. Error is:

Failed to import appliance /local/pfSense/pfSense.ova.
Could not create the clone medium '/local/VirtualBoxVMs/pfSense/pfSense-disk1.vmdk' (VERR_GENERAL_FAILURE).
Result Code: VBOX_E_FILE_ERROR (0x80BB0004)
Component: Appliance
Interface: IAppliance {7b148032-4124-4f46-b56a-b48ac1273f5a}

I have tried with
virtualbox 4.0.4 from openSUSE 11.4 on openSUSE 11.4
virtualbox 4.0.10 from openSUSE tumbleweed on openSUSE 11.4
virtualbox 4.0.10 from oracle on openSUSE 11.4

The result is always the same. After some time the import blows up. Booting a pfSense-2.0-RC1-i386-20110226-1530.iso works fine. There appears to be nothing wrong with my virtualbox, it runs other jobs too.

This gives an access denied:
http://cvs.pfsense.org/~sullrich/pfSenseDevBuilder/pfSenseDevBuilder.ova

This imports just fine:
http://cvs.pfsense.org/~sullrich/pfSense.ova
but doesn't help me.

I'm trying to compile a trivial program for pfsense, and I'd also like to recompile the NUT package for pfsense because the current released version has some driver bit missing for me. What is the best way to compile freebsd software for pfsense? The virtual appliance sounds ideal but has no practical use.

It would probably be wise if you published an MD5 of the file so one could check for download errors.

Thanks for any help,

Volker
Re: [pfSense Support] virtualbox ova fails to import
On Wed 13 Jul 2011 01:28:11 NZST +1200, e...@tm-k.com wrote:

> > http://cvs.pfsense.org/~sullrich/pfSenseDevBuilder/pfSense.ova
> > fails to import into virtualbox.
>
> Just tried, works well on VirtualBox for Mac.

Thanks. There are suggestions of potential problems depending on VB capabilities. What version of virtualbox is this appliance for? Open source or the binary one? Which number?

I downloaded the file 3 times and got 3 different ones. Could someone please post MD5 sums for all those ova files? Thanks.

Then I downloaded the RC3 release ISO for the sole purpose of it having an MD5 sum published, and that didn't match. So some network segment is seriously screwy here.

Volker
Re: [pfSense Support] Update hang with packages
On Thu 30 Jun 2011 12:12:55 NZST +1200, Volker Kuhlmann wrote:

A reboot cleared the "packages are being updated in the background" status, all packages have been installed and I haven't detected any other misbehaviour. So only a minor glitch in the updater.

Thanks,

Volker
[pfSense Support] Update hang with packages
Tried to update a pfsense box from RC1 to RC3, but the mirror I looked at only had pfSense-Full-Update-2.0-RC3-i386-20110627-2101.tgz (for some reason, it was a pfsense.org/ URL) so I manually installed that because the firmware updater only wanted to upgrade to either nothing or the latest snapshot. It seems I might have accidentally grabbed the snapshot though.

After automatic reboot the GUI sits at "packages are reinstalled in the background" forever. How can I recover from that? The GUI package manager is inaccessible.

I noticed ntop now fails with

Thu Jun 30 11:55:11 2011  NOTE: Interface merge enabled by default
Thu Jun 30 11:55:11 2011  Initializing gdbm databases
Thu Jun 30 11:55:11 2011  **ERROR** open of /var/db/ntop/prefsCache.db failed: Can't be writer

`pkg_delete ntop` says not installed because it's a pfsense package, not a freebsd one.

I installed pfsense packages ntop, squid, squidguard, vnstat2, bandwidthd, nut, darkstat and a few others, but none noted as problematic in the pfsense forum. I installed some freebsd packages as well but don't expect any of them to interfere with pfsense: joe, rsync and their dependencies. pkg_info gives a long list but it looks like it's from pfsense packages.

System log gives nothing. Accessing darkstat gives no response now.

Re-installation is an option, but I wanted to report the problem and I'm interested to learn if this is fixable.

Thanks for any suggestions,

Volker
Re: [pfSense Support] Current Production Version
On Sun 19 Jun 2011 14:35:56 NZST +1200, David Burgess wrote:

> The images are labelled RC1, but if you install them they will show up in your dashboard and console as RC2, for several weeks now.

Thanks. Who would have thought that pfSense-2.0-RC1-i386-20110226-1530.iso.gz is RC2 7Jun and not RC1 26Feb... That is one WEIRD versioning scheme.

Volker
Re: [pfSense Support] Current Production Version
On Sun 19 Jun 2011 09:17:40 NZST +1200, Chris Buechler wrote:

> > Strange, my 2.0-RC1-IPv6 (i386) is still at RC1.
>
> You haven't synced in weeks then.

Well, this is a little annoying. I have RC1 too, and I had checked only about a week ago, and there is no newer than RC1 on the servers, apart from daily snapshots. Daily snapshots built unconditionally are not RC (release candidates). I had to set the auto-updater to stable because of lack of a better option, or it would bother me every day with a new release. While running RC1 (installed from scratch) I was kind of assuming stable is defined as RCx before the final release.

http://pfsense.org/ informs everyone "2.0RC1 now available", so one naturally assumes that is the latest RC. Just in case I checked the servers too, but there was never a RCN with N > 1 there. There still isn't.

I am using RC1 in production, and I am really impressed! Wouldn't want to go back to 1.2.3. The problems I had were mainly with packages, and I submitted bug reports where possible.

Thanks everyone!

Volker
[pfSense Support] 2.0 restore config partially?
When restoring the config on 2.0RC1 only partially from a full config backup nothing is restored. I tried with dhcp - select dhcp from the restore drop-down, give it a full config backup previously created (of which I want to restore only the dhcp server part).

Is this expected behaviour?

Thanks,

Volker
Re: [pfSense Support] Enclosure recommendations for a Mini ITX Motherboard
On Wed 17 Nov 2010 22:53:11 NZDT +1300, mehma sarja wrote:

> Disable the fan? How? I'm just curious.

You use a screwdriver to take the case lid off, and if the fan doesn't have a 2- or 3-pin plug to pull off you use a pair of sidecutters to deal with the situation.

Volker
[pfSense Support] /boot/loader.conf.local
I have an AMD K6 mobo which requires ACPI to be off, or network interfaces don't work. (Which I had to find out again a few weeks ago upgrading to 1.2.3, having to take the box out to connect monitor and keyboard.) /boot/loader.conf was overwritten by 1.2.3.

Searching for this I found to put

hint.acpi.0.disabled=1

into /boot/loader.conf.local, which shouldn't be overwritten by system upgrades, and it works as expected. Without a permanent setting like this I can't upgrade pfsense, because after the automatic reboot at the end of the upgrade the box's interfaces won't work.

The really good pfsense book says (p. 70) to put this line into /boot/device.hints, and that this is also not permanent. It does not mention /boot/device.hints.local, if there is such a thing.

What is the recommended way to turn off acpi permanently with pfsense, and is there a reason why /boot/loader.conf.local isn't mentioned in the book?

Thanks,

Volker
Re: [pfSense Support] Microsoft Server 2008 DHCP relay
On Mon 19 Apr 2010 05:17:59 NZST +1200, Tim Dressel wrote:

> Can anyone say from experience whether it's 'within scope' to keep pfSense as the DHCP/DNS? In other words, is it feasible to have 2K8 server turn to pfSense via something like DHCP relay? Never played with DHCP relay.
>
> Hi Tim, We are doing exactly this. I have my Win2008 server acting as DHCP and DNS. I have multiple scopes for each of the connected adapters (pfSense DHCP disabled on all interfaces).

Thanks, obviously letting the 2008box do it all always works (the first law of Microsoft) but that was precisely not the point. The question was explicitly how to keep pfsense as authoritative DNS and DHCP server and how to make the Win2008 use the pfsense master. According to the OP MS is unwilling to cooperate (the second law of Microsoft).

I'd be interested as well in how to keep pfsense authoritative in later MS server OSes. It works with SBS2003.

Thanks,

Volker
Re: [pfSense Support] Recommended pfSense Hardware (UK ~£100) ?
On Tue 02 Jun 2009 02:35:55 NZST +1200, David Burgess wrote:

> Have a look at these.
> http://www.soekris.com/lan16x1.htm
> The 2-port card is low profile

Yes, sure. But how do you connect one of those to an ALIX board?

Thanks,

Volker
Re: [pfSense Support] Recommended pfSense Hardware (UK ~£100) ?
On Mon 01 Jun 2009 14:06:46 NZST +1200, David Burgess wrote:

> soekris.com comes to mind. I use a net5501, but I think some of their less expensive boards might have 4 nics.

Thanks. The 5501 seems to be the only model with 4 NICs. And it's a lot more than the ALIX boards. :(

> Of course there is a variety of pci cards available that provide 2 or 4 nics as well.

Do you mean standard size PCI or mini-PCI? Does anyone have experience with adapters to plug a standard PCI card into a mini-PCI slot, if this direction exists? I have some 4-port PCI cards around.

Thanks for your thoughts,

Volker
Re: [pfSense Support] Recommended pfSense Hardware (UK ~£100) ?
On Sat 14 Feb 2009 02:14:35 NZDT +1300, Gavin Spurgeon wrote:

> These are the units I have had as my 1st choice:-
> http://linitx.com/viewproduct.php?prodid=12346
> ALIX 2C3 + case.

What are my options if I need 4 NICs (not UK, but the options so far have been international)?

Thanks,

Volker
[pfSense Support] 1.2.2 upgrade signature issue
On Sun 28 Dec 2008 15:35:47 NZDT +1300, Chris Buechler wrote:

> http://blog.pfsense.org/?p=284
> I added that info to the 1.2.1 release announcement as well.

Maybe it would be a good idea to also add that to the 1.2.2 release announcement. As 1.2.1 had a life time of 3 weeks, 1.2 stable is still sort of the last stable release, and one gets this nasty warning.

The easiest is to install the pubkey package first, then upload the 1.2.2 upgrade.

Volker
Re: [pfSense Support] Arrgh, zoneinfo no good
On Thu 02 Oct 2008 13:46:55 NZDT +1300, Scott Ullrich wrote:

> fetch -o /usr/share/zoneinfo.tgz http://cvs.pfsense.com/~sullrich/zoneinfo.tgz;

Thanks for the new zones Scott!

As a dirty fix I had transplanted the file from the nearest Linux box because it seemed binary compatible.

Might be a good idea to update the zoneinfo file just before each pfsense release.

Greetings,

Volker
Re: [pfSense Support] Arrgh, zoneinfo no good
On Thu 02 Oct 2008 13:46:55 NZDT +1300, Scott Ullrich wrote:

> fetch -o /usr/share/zoneinfo.tgz http://cvs.pfsense.com/~sullrich/zoneinfo.tgz;

There appears to be a problem with this tar file on some pfsense 1.2-RELEASE boxes (or at least on one of mine). The tar file was created by packing ".", not "*", and so contains paths with a leading "./". One pfsense here is unable to unpack that and installs an empty /etc/localtime. Repacking the tar with the leading "./" removed fixes the problem.

Greetings,

Volker
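A check and repack for the leading-"./" problem described in the post above, added here as an example (not Scott's archive and not pfSense code): it builds a constructed zoneinfo-like tarball packed with ".", counts the "./" entries, and repacks it from the members' names so every path is relative to the archive root. It assumes a tar that supports -c/-t/-x/-z/-C and gzip, and, like the "pack * instead of ." fix in the post, does not pick up top-level dotfiles.

```shell
#!/bin/sh
# Added example: detect tar entries with a leading "./" (what you get from
# "tar -cf - ." ) and repack the archive so members are named relative to
# the archive root, which is what the post says fixed the empty
# /etc/localtime. All file names below are constructed for the example.

# Print the number of entries in a gzipped tar whose path starts with "./"
# (the "./" root entry itself counts). Prints 0 when there are none.
count_dot_slash() {
    tar -tzf "$1" | grep -c '^\./' || true
}

# Repack $1 into $2 with the leading "./" removed: extract into a scratch
# directory and create the new archive from the members by name.
repack_without_dot_slash() {
    in=$1
    out=$2
    work=$(mktemp -d) || return 1
    tar -xzf "$in" -C "$work" || { rm -rf "$work"; return 1; }
    # Pack the members themselves ("*"), not "." - this is the fix the
    # post describes. Top-level dotfiles would not be matched by "*".
    ( cd "$work" && tar -czf - * ) > "$out" || { rm -rf "$work"; return 1; }
    rm -rf "$work"
}

# Build a constructed sample archive that reproduces the problem: a small
# zoneinfo-like tree packed with "." so every member path starts with "./".
make_sample() {
    src=$(mktemp -d) || return 1
    mkdir -p "$src/zoneinfo/Pacific"
    printf 'TZif placeholder, not real zone data\n' > "$src/zoneinfo/Pacific/Auckland"
    ( cd "$src" && tar -czf - . ) > "$1"
    rm -rf "$src"
}

# Stand-alone run: show the before/after listings for the sample archive.
if [ "${1:-}" = "--demo" ]; then
    dir=$(mktemp -d)
    make_sample "$dir/bad.tgz"
    echo "entries with leading ./ before: $(count_dot_slash "$dir/bad.tgz")"
    repack_without_dot_slash "$dir/bad.tgz" "$dir/good.tgz"
    echo "entries with leading ./ after:  $(count_dot_slash "$dir/good.tgz")"
    tar -tzf "$dir/good.tgz"
    rm -rf "$dir"
fi
```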
[pfSense Support] Arrgh, zoneinfo no good
New Zealand, like several other countries and several more countries since, has changed daylight savings rules earlier last year. pfsense's zoneinfo is dated Jan 2007 and out of date by a long shot - I remember Linux distros updating their zoneinfo about mid last year. This means times are now incorrect for the remote syslog (daylight saving started last weekend).

What is the recommended way to update the zone file? There is no system upgrade for 1.2-release that I can see.

Thanks for pointers,

Volker
Re: [pfSense Support] Failover problem
On Wed 30 Apr 2008 17:30:59 NZST +1200, Martin Kruse Jensen wrote:

> BTW a nice-to-have feature: NAT rules that apply to multiple interfaces OR an easy way to copy all NAT rules from one IF to another (creating the necessary firewall rules)

Semi-easy workaround: backup the pfsense configuration. Load the XML file into $EDITOR, then restore.

Volker
Re: [pfSense Support] Split DNS LAN/DMZ
On Thu 22 Nov 2007 17:04:02 NZDT +1300, Jaye Mathisen wrote:

> Use split-horizon DNS,

Sure, how do I do this with pfsense? I can't find any docs about it and the DNS forwarder config page doesn't mention any interfaces (1.2RC3).

> and different DNS servers for the LAN/DMZ hosts?

Hm, setting up a separate DNS server for just 1 or 2 hosts in the DMZ is probably a bit over the top.

Thanks for your help.

Volker
[pfSense Support] Split DNS LAN/DMZ
When using the DNS forwarder with LAN hosts added, it would be desirable to not make all the same information available to the DMZ hosts. In case of using pfsense as an NTP source, LAN and DMZ hosts would need to see a different IP address for time.localnet.site. I don't see how that can be done atm.

Is it a desirable feature? I would find it useful.

Thanks,

Volker
Re: [pfSense Support] More fine-grained DHCP control for PXE booting
On Fri 09 Nov 2007 10:30:39 NZDT +1300, Fuchs, Martin wrote:

> Did you take a look at pfsense.trendchiller.com ? There's something I did for dhcp, too... Try those and report ;-)

There is nothing I can see which deals with the issue I raised, i.e. being able to control PXE boot parameters on a per-host basis. Currently this is only possible on a per-pfsense-interface basis. Or did I miss it?

Thanks,

Volker
[pfSense Support] 1.2RC2 + 3
Thanks for the great work - 1.2RC2 installed flawlessly in the wee hours for me[1] and the update to RC3 worked fine. Restoring the 1.0.1 config file into RC2 worked fine too.

Volker

[1] Installing more RAM somehow caused various users like pf and ssh being unknown afterwards, necessitating a re-install. Perhaps I shut the 1.0.1 release down while the config was still reloading?
[pfSense Support] More fine-grained DHCP control for PXE booting
I have the case where I need to give detailed PXE booting parameters for some LAN hosts identified primarily by their MAC address. The web GUI doesn't allow this, so I hacked up the php code as below. Is this the best way to go about it? Can it be generalised sufficiently to include something like this in the web interface? Thanks, Volker --- /etc/inc/services.inc.orig 2007-04-09 12:01:57.0 +1200 +++ /etc/inc/services.inc 2007-08-07 17:13:12.0 +1200 @@ -285,6 +285,45 @@ if ($sm['ipaddr']) $dhcpdconf .= fixed-address {$sm['ipaddr']};\n; + +// Set up special extended entries for hosts which boot from the network. +// This needs to be manually maintained, and re-patched when pfSense is updated. +// Check that these additional settings are written to the file +// /var/dhcpd/etc/dhcpd.conf +// Note that basic entries for these IP addresses must already exist in the +// DHCP server config. +if ($sm['ipaddr'] == 192.168.1.1 or $sm['ipaddr'] == host1) { + $dhcpdconf .= EOD + option host-name host1; + next-server bootserver; + filename /pxelinux.0; + option root-path /srv/nfsroot,rsize=8192,wsize=8192,acregmin=1800,acregmax=1800,acdirmin=1800,acdirmax=1800; + +EOD; +} +if ($sm['ipaddr'] == 192.168.1.2 or $sm['ipaddr'] == host2) { + $dhcpdconf .= EOD + option host-name host2; + next-server bootserver; + filename /pxelinux.0; + option root-path /srv/nfsroot,rsize=8192,wsize=8192,acregmin=1800,acregmax=1800,acdirmin=1800,acdirmax=1800; + +EOD; +} + + + $dhcpdconf .= }\n; $i++; } -- Volker Kuhlmann is list0570 with the domain in header http://volker.dnsalias.net/ Please do not CC list postings to me. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
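Review bot: the two added `if` blocks in the hunk are copies of each other differing only in the host-name and the address they match, and each condition compares `$sm['ipaddr']` against both an IP address and a bare host name (`host1`, `host2`), so one side of every `or` can never be true for an IP-address field; since the post says the hosts are identified primarily by MAC address, key the extra entries on the static mapping's MAC (or its hostname) instead, and move the per-host values (host-name, next-server, filename, root-path) out of services.inc into the static-mapping entry in the config, which is also what would make this presentable in the web interface and removes the need, which the patch's own comment admits, to re-patch after every pfSense update. Also verify the generated /var/dhcpd/etc/dhcpd.conf as the comment suggests: as the hunk reads here the `filename` and `option root-path` values are unquoted, and dhcpd expects string option values in double quotes (the quotes may simply have been lost in the archive, as they have been elsewhere in the hunk).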
Re: [pfSense Support] DNS Issues with 1.2 RC2
On Sat 27 Oct 2007 05:00:21 NZDT +1300, Paul M wrote:

> surely it's easier to simply run your own caching resolvers? that way you can force a cache flush if you're changing your own DNS.

Nope, not enough. I run pfsense in 2 places (1.0.1 and 1.2beta-some), with caching dns enabled. Several times a day browsers just give a bogus "domain doesn't exist". With a particular banking website I have yet to see a name resolution first time; as it's blowing up in 1s I conclude something, somewhere, doesn't even *try* to resolve. An immediate browser reload is always successful. This with various ISPs' nameservers.

Volker
Re: [pfSense Support] LAN / WAN Disconnections continue in 1.2-RC1, Intel Pro/1000GT NICs with 370M
On Sat 06 Oct 2007 00:09:12 NZDT +1300, Tortise wrote:

> re "Who else would find a cron script useful which checks the connection regularly and takes remedial action (e.g. ifconfig down/up) when necessary?"
>
> See my earlier post where I have detailed one and Chris has pointed out to preserve the cron settings in the xml.

Yes, saw those, thanks. I have put a script here:

http://volker.top.geek.nz/soft/script/pfsense-ifc-check

So far it's only tested on pfSense 1.0.1.

I would like to log the script activity with the pf activity to a remote syslog server, but don't see what mechanism to use for pfSense. Would a guru be so kind and point me in the right direction? Using logger only writes to the system.log ringbuffer.

Thanks,

Volker
Re: [pfSense Support] LAN / WAN Disconnections continue in 1.2-RC1, Intel Pro/1000GT NICs with 370M
Sorry for not joining this discussion earlier. I can confirm I am still every so often having the same issue as Tortise.

> [ifconfig down; ifconfig up] That restores the connection. (I initially did it on the LAN, but reconnected the LAN and did the same with the WAN, as soon as ifconfig XXX up was run it was up again.) What does that tell us?

Damn good question!

> the NIC's don't like each other. replace one or both of the NICs for your pfsense box or your cable modem. i'd vote to replace the cable modem.

Hold it. Packets from the ISP to the pfsense WAN interface may stop, however during these lockups LAN machines can browse the modem's web pages perfectly. If the pfsense WAN and modem Ethernet interfaces don't like each other somewhere close to the hardware level, how come pfsense can communicate with the modem both ways, but not beyond the modem?

I have observed random deadlock problems (packets stop in one direction) between cheap Ethernet cards (think RTL8039 etc) and a lousy Nokia MW1122 adsl modem Ethernet implementation. However, then *all* traffic over that particular cable was dead in one direction, not just some of it.

Other points:

Replacing the modem is out of the question. It's owned by the ISP and user-supplied anything isn't supported.

The ISP upgraded my older surfboard to a newer model (I'd need to dig out the exact model numbers to be specific). This had no influence on the problem at hand, i.e. problem persists with both models.

The ISP is running some kind of NAT scheme between its routers and the cable modem. The Internet global static IP is then on the pfsense WAN interface. Another layer of NAT is done by pfsense.

I talked to someone much more knowledgeable about BSD than me. He suggested the WAN interface down/up approach too, and suggested as cause of the problem outages in the modem/ISP area which are short enough for some interface state to go down, but not long enough for the interface to cause a full re-initialisation. That would be a BSD kernel driver problem to me - bad incoming data shouldn't mean going belly-up.

I can't say this with certainty, but sometimes the problem seems to fix itself again after some minutes, or some hours. That statement is based on LAN hosts having no Internet connection and an assumption that the ISP did not take me offline.

Who else would find a cron script useful which checks the connection regularly and takes remedial action (e.g. ifconfig down/up) when necessary?

Volker
Re: [pfSense Support] DNS forwarder timeouts/failures
On Fri 20 Jul 2007 22:59:12 NZST +1200, Igor Parsadanov wrote:

> If this is a domain environment this will likely slow down domain functions as the XP machines will be asking the ISP server for domain information. I think a better way is to have MS DNS have a forwarder for external lookups setup (right click on dns server in mmc, and select the forwarder tab there you can specify your ISP's dns or even better yet use OPENDNS 208.67.222.222. Then have DHCP assign the MS DNS as the only DNS server.

Thanks Igor. The problem with that setup is that some host names are defined by pfsense, some via dhcp and split dns, some for DMZ hosts. I need the XP machines to have those resolved as well, and that resolution should work for both qualified and unqualified host names. That means pfsense has to be the LAN's name server.

Volker
Re: [pfSense Support] Programming pfSense to Reboot and Dump LAN / WAN traffic
On Fri 20 Jul 2007 11:41:05 NZST +1200, Tortise wrote:

> 2) Somehow setup a cron job to ping the ISP every minute - and reboot pfSense if the pings fail for 20 mins.

I'll do one of those as soon as I get a spare minute. I'll send you a copy.

Volker
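A cron-driven watchdog of the kind discussed in this post and in the "LAN / WAN Disconnections" posts above, added here as an example; it is not Volker's pfsense-ifc-check script and not pfSense code. It probes upstream once per run, keeps a consecutive-failure count in a state file, and only after THRESHOLD misses bounces the WAN interface instead of rebooting (with one-minute cron runs, THRESHOLD=20 matches the "20 mins" above). WAN_IF, PROBE_HOST, THRESHOLD and the state file path are placeholders, and the ping timeout flag is FreeBSD's `-t`.

```shell
#!/bin/sh
# Added example: connectivity watchdog for cron. Count consecutive failed
# probes in a state file; act (ifconfig down/up) only when the count
# reaches THRESHOLD, then start counting afresh so the reset is not
# repeated every minute. Each step is logged with logger.
# Assumptions: placeholder interface, probe host, threshold and state
# file; "ping -t" is FreeBSD's per-run timeout (Linux uses -W).

WAN_IF=${WAN_IF:-fxp0}                  # placeholder WAN interface name
PROBE_HOST=${PROBE_HOST:-192.0.2.1}     # placeholder upstream address (TEST-NET-1)
THRESHOLD=${THRESHOLD:-3}               # failed probes in a row before acting
STATE=${STATE:-/var/run/wan-check.fails}

# One probe: a single echo request with a short timeout.
probe_upstream() {
    ping -c 1 -t 5 "$PROBE_HOST" >/dev/null 2>&1
}

# Current consecutive-failure count from state file $1 (0 if absent/empty).
read_fails() {
    n=$(cat "$1" 2>/dev/null)
    echo "${n:-0}"
}

# Record one probe result ("ok" or "fail") in state file $2 and print the
# new consecutive-failure count. A success resets the count to 0.
record_result() {
    case $1 in
        ok)   n=0 ;;
        fail) n=$(( $(read_fails "$2") + 1 )) ;;
        *)    echo "usage: record_result ok|fail statefile" >&2; return 2 ;;
    esac
    echo "$n" > "$2"
    echo "$n"
}

# True (exit 0) when the count $1 has reached threshold $2.
should_reset() {
    [ "$1" -ge "$2" ]
}

# The remedial action from the thread: bounce the WAN interface.
reset_wan() {
    logger -t wan-check "resetting $WAN_IF after $1 consecutive failed probes"
    ifconfig "$WAN_IF" down && ifconfig "$WAN_IF" up
}

# Cron entry point: one probe, one bookkeeping step, at most one reset.
check_once() {
    if probe_upstream; then
        record_result ok "$STATE" >/dev/null
        return 0
    fi
    fails=$(record_result fail "$STATE")
    logger -t wan-check "probe of $PROBE_HOST failed ($fails/$THRESHOLD)"
    if should_reset "$fails" "$THRESHOLD"; then
        reset_wan "$fails"
        record_result ok "$STATE" >/dev/null
    fi
}

# Only act when invoked with --run, so sourcing the file just defines
# the functions.
if [ "${1:-}" = "--run" ]; then
    check_once
fi
```

As Tortise notes above, on pfSense the cron entry must be preserved in the config XML rather than only in the live crontab, or it is lost on the next config reload.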
[pfSense Support] DNS forwarder timeouts/failures
I have installed pfsense 1.2beta1 built on Mon Apr 30 10:47:18 EDT 2007, LAN with half a dozen XP and a few Linux machines. ADSL.

Primary name server on the general setup tab is fixed to the ISP's name server, secondary name server is set to the MS business server 2003. DHCP server and DNS forwarder are used on pfsense. Client machines are set to use the pfsense firewall as name server.

Frequently name lookups in browsers fail. On page reload in the browser they are always fine. The problem is more pronounced on the XP clients but also exists on the Linux clients.

To check that it isn't the ISP's name server (which has a bad reputation), I configured a name server of another ISP instead. Timeouts occur as frequently.

My analysis of the problem is that pfsense's DNS forwarder's timeouts are too short. How can I increase those?

Thanks for any tips.

Volker
Re: [pfSense Support] pfSense Hanging...
On Tue 05 Jun 2007 14:10:14 NZST +1200, Chris Buechler wrote:

> I'm going to assume cable service in .nz works the same as it does in .us, though that could be a wildly incorrect assumption. If it does, your modem does nothing but bridge between your cable provider's network and whatever you have plugged into the Ethernet port. There is no connection like PPPoE, no username or password, etc. As long as you have sync, it's good.

This is the case.

> If your cable Internet service uses the DOCSIS standard, it's the same as here, and as I describe.

Can't confirm DOCSIS, but chances are yes.

Thanks for your many suggestions, Chris! Next time this occurs I'll go through your list.

> One other thing to try after getting the tcpdump - if you unplug the WAN NIC from the cable modem and plug it back in, without rebooting, does that bring it up?

Is this different to powering down the cablemodem for 20s? If not, it does not bring the WAN connection back to life. Powering down the modem (as in pull the power plug) is the first thing I tried.

Turns out both of us with this problem are in the same country, so same Telco + ISP. Btw there was a scheduled outage in Christchurch last night - for that one half the modem lights were off and it's not the problem this thread is about. The Telco is about as you describe with zero customer support, but I have to say that the ISP's technical help has always been very good (and they know about Linux).

Thanks,

Volker
Re: [pfSense Support] pfSense Hanging...
On Tue 05 Jun 2007 13:10:21 NZST +1200, Scott Ullrich wrote:

> Visit status - Interfaces when this happens. Do you have an IP address assigned?

I would assume so as the WAN interface is configured with a static IP address, but I'll check next time.

Thanks,

Volker
Re: [pfSense Support] pfSense Hanging...
On Tue 05 Jun 2007 12:51:04 NZST +1200, Volker Kuhlmann wrote:

> [..]

When the packets stop going to the ISP there is no indication with the modem lights that anything is wrong. Curiously the RRD graphs keep showing unabated traffic on the WAN interface. There is nothing I can see on the new modem's web pages about how the connection to the ISP is made.

I'd also be interested in a solution to this.

Thanks,

Volker
[pfSense Support] NTP server on multiple interfaces
Is there a reason not to have the NTP daemon running on more than one interface? On Service-OpenNTPD I can select both LAN and DMZ interfaces, although the text says "Select the interface the NTP server will listen on" (singular). But it doesn't seem to cause the ntpd to listen on all the selected ones.

Thanks,

Volker
[pfSense Support] DNS forwarder override
I am using the DHCP server and DNS forwarder for the LAN interface. LAN and DMZ are NATed. To be able to access the domains on the DMZ's server from the LAN, I have put in DNS forwarder overrides for the domains in question, with the local/private IP address of the DMZ server. "Register DHCP leases" and "static mappings" are both ticked.

The overrides appear to be ignored - dig domain.net @pfsense from a box on the LAN returns nxdomain after a long wait.

I think it works with 1.0.1 (can't check right now), is this a bug in 1.2beta1? My ISO file is pfSense-1.2-BETA-1-LiveCD-Installer.iso with file date 18May07.

Thanks,

Volker
Re: [pfSense Support] DNS forwarder override
On Fri 01 Jun 2007 18:49:56 NZST +1200, Volker Kuhlmann wrote:

> The overrides appear to be ignored - dig domain.net @pfsense from a box on the LAN returns nxdomain after a long wait.

Oops my bad, I entered 2 hosts in the domain override section... All working now.

Volker
Re: [pfSense Support] Rules based on hostname/dynamic IP address
On Wed 02 May 2007 01:03:20 NZST +1200, sai wrote:

> Every time a packet comes in that might match the rule, you would have to do a DNS lookup. Not a good idea, as this would REALLY screw up the latency on your firewall.

No, you misunderstood. The rules are static, but one of them is the result of a DNS lookup. The lookup happens once when the rules are loaded. After that a periodic lookup would do me perfectly (independent cron script?), with a rule reload if the IP address changed. I could code this in Linux with little trouble, but am not up to scratch with pf or the pfsense php framework.

Obviously if the IP address changes there is a time delay for the rule to catch up. I don't care in this case. My security can't be worse either: worst case the DNS gets hijacked and some port is open for the wrong IP address (ok it's a DoS, but the system is no worse off). Still better than opening the port for the correct IP, the wrong IP, and everything else in the /8 or /16.

Volker
Re: [pfSense Support] Rules based on hostname/dynamic IP address
Thanks for your answers everyone.

On Mon 23 Apr 2007 03:59:00 NZST +1200, Rob Terhaar wrote:

> don't think this is possible, or a good idea either.

Whether it's a good idea or not depends on what it's being used for. Authentication by IP is a bad idea, restricting who can connect in the first place and proceed to authentication stage is a further line of defence, and in any case no worse than allowing the whole Internet - except for a DoS condition in case of DNS poisoning. That's a tradeoff decision though, and either direction is valid. Or what am I missing? The DNS answer could also be sanity-checked (though not with pfsense) if the possible IP range is known.

Using a VPN effectively integrates the client into the server's network - do I really want that? And is the whole Internet allowed to attempt to be a VPN client? That would be no better than the starting position.

Thanks,

Volker
[pfSense Support] Rules based on hostname/dynamic IP address
What options are there for creating rules with a hostname which resolves to a dynamic IP address? I'd like to allow one host inbound access on a tcp port, but that host doesn't have a static IP. Unless there's a magic mechanism I don't know about, at least part of the rules would have to be reloaded when the host's IP address changes. Doing that wouldn't be a problem, nor would it be a problem if there was a 2h blackout period when the IP changed but the rules weren't reloaded yet.

How could this be achieved with pfsense? I'm not averse to a bit of shell scripting if necessary.

Thanks,

Volker
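The approach discussed in this thread (a periodic lookup from cron, a rule reload only when the address changes, and a sanity check of the DNS answer against the range the host is known to live in) as an added example that is not from the thread or from pfSense. The hostname, the allowed range, the state file, and the assumption that the inbound pass rule references a pf table named dynhost are all made up for the example.

```shell
#!/bin/sh
# Added example (not from the thread or pfSense itself): from cron, resolve a
# dynamic hostname, sanity-check the answer against the range the host is
# known to live in, and only then replace the pf table the inbound rule uses.
# Assumed: the pass rule references a table <dynhost>, e.g.
#   pass in on $wan proto tcp from <dynhost> to $srv port 22
# and the "host" and "pfctl" commands are available on the firewall.
HOST="dyn.example.net"          # assumed: hostname to track
ALLOWED_CIDR="203.0.113.0/24"   # assumed: the only range the host may be in
TABLE="dynhost"                 # assumed: pf table named in the pass rule
STATE="/var/db/dynhost.ip"      # assumed: where the last accepted IP is kept

# Convert a dotted quad to a 32-bit integer.
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Succeed only for a syntactically valid IPv4 address (four octets, 0-255).
valid_ipv4() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    IFS=. read -r a b c d rest <<EOF
$1
EOF
    [ -n "$d" ] && [ -z "$rest" ] && [ "$a" -le 255 ] &&
        [ "$b" -le 255 ] && [ "$c" -le 255 ] && [ "$d" -le 255 ]
}

# Succeed if IP ($1) lies inside CIDR ($2), e.g. in_cidr 203.0.113.9 203.0.113.0/24
in_cidr() {
    net=${2%/*}; bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# decide OLD NEW prints: "reject" (malformed or out-of-range answer, so a
# poisoned reply cannot open the port to an arbitrary address), "keep"
# (unchanged), or "reload" (changed and plausible: update the table).
decide() {
    if ! valid_ipv4 "$2" || ! in_cidr "$2" "$ALLOWED_CIDR"; then echo reject
    elif [ "$2" = "$1" ]; then echo keep
    else echo reload
    fi
}

# Cron entry point: resolve, decide, act.
main() {
    new=$(host -t A "$HOST" 2>/dev/null | awk '/has address/ { print $4; exit }')
    old=$(cat "$STATE" 2>/dev/null)
    case $(decide "$old" "$new") in
        reload) pfctl -t "$TABLE" -T replace "$new" && echo "$new" > "$STATE" ;;
        reject) logger -t dynhost "refusing '$new' for $HOST (outside $ALLOWED_CIDR)" ;;
    esac
}
case ${1:-} in run) main ;; esac   # e.g. */10 * * * * /root/dynhost.sh run
```

A "keep" result does nothing, so the ruleset is only touched when the address actually changes; a "reject" is logged rather than applied, which is the DoS-not-breach tradeoff described above.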
[pfSense Support] APIC problems
I've put pfsense 1.0.1 on a box with K6-2 CPU and 3 NICs. Hardware is nothing special, should work out of the box, but I find that all the network interfaces are dead after boot, and there are watchdog timeouts on the network interfaces. NICs/drivers are rl and vr. When I select "disable APIC" from the bsd boot menu all networking works fine.

How can I make "no APIC" permanent? I didn't find a file to edit for this. What am I missing out on without APIC? There is no APIC-related BIOS setting I could find. Is there something specific I should look for and change?

Thanks for any pointers!

Volker
Re: [pfSense Support] 1.0 RC2
> It is my great pleasure to announce pfSense 1.0-RC2!

Thanks Scott, it goes really well. Some small points:

Something creates /root/.tcshrc (time stamp of about install time). This file contains one byte of white space, and its existence effectively disables /root/.cshrc, which has real content (tcsh reads either .tcshrc or .cshrc).

System-Advanced mentions a firmware updates check under systems-firmware, however that check seems to have disappeared. Remove the comment?

I didn't yet test, but does the shaper wizard now check the correct interfaces for SQF(?) capability? There was no code change there.

Regards,

Volker
[pfSense Support] favicon
I would find it a good idea to copy http://pfsense.com/favicon.ico to /usr/local/www of the pfsense install image. Makes it much easier to see the bookmark for the local pfsense box in the browser.

Volker
Re: [pfSense Support] favicon
> It does so already?
>
> # find /usr/local/www/ -name favicon.ico
> /usr/local/www/favicon.ico
> /usr/local/www/themes/metallic/favicon.ico

Hm - whether it's new since 1.0beta4 or not, it's there now. Thanks Scott!

Volker

Oh and I'd appreciate if

> From: Joham, David J (HP-Boise RD) [EMAIL PROTECTED]
> Subject: Out of Office AutoReply: [Bug 131049] New: new favicon never updated by update favicon
> Date: Tue, 18 Jul 2006 19:41:39 -0600
>
> I'm out of the office until July 19th

refrained from filling my inbox with uninvited rubbish, thanks.
[pfSense Support] RRD graph 48h is 30h
The graph "Analysis for wan - 48h traffic" only covers 30h. Well the axis labelling does, but the plot does seem to match the labelling. Whether the intention was for a 30h or 48h graph, I'd prefer a 48h one.

Volker
Re: [pfSense Support] port forwarding
> Sure :) I want port 443 from my work address to redirect to port 22 on my internal host, but for everyone else I want it to go to 443 on my webserver. I've been meaning to change that behavior for some time now, but it's never annoyed me enough as I've got 5 statics to play with and can work around it. Or I want port 443 to redirect to my honeypot by default except for my friends which can legitimately get there.

Yes, thanks Bill. Enforcing site policy. Enforcing that some clients use port X, when the rest uses whatever. Why have more ports open than necessary - not necessarily a security issue, but a question of avoiding unnecessary support issues.

I can live with the current situation, but that's not saying I like it.

Volker
Re: [pfSense Support] port forwarding
> Still prefer PFSense to doing it all by hand tho :D

Ack! The total number of available firewall applications to bang on a retired PC is pfsense, ipcop, and endian (not counting embedded system stuff). While I reserve judgement on endian, pfsense is a professional construction that beats ipcop hobby-level cr*pola any second[1] - and it's faster than beating $LINUXDISTRO into shape (well after getting used to it). I would much prefer though if it was Linux kernel based - no doubt the BSD folk will disagree ;-))

Volker

[1] ipcop does deal with adsl modem firmware uploads though.
Re: [pfSense Support] port forwarding
> And now only 192.168.40.5 can use that port forward. Am I misunderstanding what you were saying? I understand how it isn't possible to restrict based on the original destination port

Yes that's what I meant - you can't restrict source IPs in connection with original destination port. As soon as a source IP is allowed, it can access on any WAN port for which there is a NAT rule, so you can't force certain source IPs to use certain WAN ports only. Perhaps not major, but I don't like it.

Volker
Re: [pfSense Support] port forwarding
> you can limit that by source IP's on the WAN side. The only thing you need to keep in mind is that NAT applies first, so you're permitting traffic to the private IP and internal port.

Yes, that's exactly what I pointed out to the person trying to set up NAT rules: the NAT is first, so the filter rules have to match the *target* of the NAT, not the source of the NAT (which I was expecting to at first too). A quick hint in the small text of the NAT page would be good, otherwise there is an explicit assumption that the pfsense operator knows internal details of BSD packet routing and filtering.

As a side effect of the NAT-first, you can *NOT* limit access based on the dest port of the incoming packet, as that has already been NATed into oblivion by the time the packet reaches the filter rules. (It's possible to do this with iptables.)

If I am wrong, I don't mind being told how to set it up otherwise.

Volker
Re: [pfSense Support] port forwarding
> I seem to be having difficulty adding a port forward :( from WAN -> lan(192.168.1.3) port 80. The macmini can get to the outside world. Is there any other debugging I can look at?

I had some trouble too, coming from Linux. The thing to keep in mind is that the port forwarding happens before(!) the firewall rules are applied. So, apart from wanting a port forward/NAT rule

    WAN port X -> lan(192.168.1.3) port 80

you also need to insert a firewall rule

    WAN any -> LAN port 80

In this context it is impossible to restrict access to the port forwarding depending on e.g. source IP, because the port forwarding applies unconditionally to everything, and with the firewall rules you have to match against LAN port 80, and can no longer use the WAN port the packet was originally addressed to. Lousy IMHO, but that's how it is.

HTH,

Volker
Re: [pfSense Support] Proper log files?
> That's why you should go for Kiwi (Google it) if you don't have any Linux/BSD hosts present... It will handle all your needs - up to emergency mail if 'things go wrong'...

Yep but it's for winders, no good, no such thing here.

> For security: take the log out of the Gateway/Firewall (pfSense) - when it goes down - you'll know WHY.

All very well, but the choice is a Linux desktop, which when turned off is even less likely to tell me why pfsense went down, and a play web server (also Linux), which doesn't look like a great choice to me either. But the pfsense box has 2GB disk space, 1.93GB free - disk space is a non-issue.

Regards,

Volker
[pfSense Support] Proper log files?
How do I get proper log files? The GUI only displays the last screenful of lines (and not even as many as I've told it to, doesn't seem to want to show more than about 15). Is it possible to save, say the last month, to a file?

The hardware requirements say a big disk and >=128MB RAM. Why? There's never more than 70MB disk used, and it runs fine in 64MB. Ok not lightning fast, but perfectly adequate.

Thanks,

Volker
Re: [pfSense Support] Proper log files?
> Our logging system uses clog which never goes over X size. In order to maintain full logs, etc you need to enable remote syslogging and find an appropriate client to receive the syslogs.

Thanks Scott! Any Linux will do this, and while I agree that for top security a remote syslog setup is necessary, for SOHO setups it's quite overkill. Is there a BSD package that can easily be installed to listen on localhost? Is X configurable upwards by editing some file?

Thanks,

Volker