Re: [pfSense Support] Happy Birthday Chris
Happy birthday Mr. Chris! From Paris, France!! ;-) A bit late, but better late than never!

On 18 August 2011 at 07:18, Glenn Kelley wrote:

> Happy Birthday Chris

––
-> Grégory Bernard Director <-
---> www.osnet.eu <---
--> Your provider of OpenSource appliances <--
––
OSnetOSnetOSnetOSnetOSnetOSnetOSnetOSnetOSnetO

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] Using Limiters for Bandwidth Guarantees
You should use / have a look at QoS (aka Traffic Shaper). This is how you'll achieve such a task.

On 8 August 2011 at 02:45, Joseph Rotan wrote:

> Hi,
>
> I have a pfsense 2.0 machine with 3 NIC ports: a WAN interface, LAN interface
> and OPT1 interface, and would like to configure it so the bandwidth coming
> from my WAN interface is shared equally on the LAN and OPT1 interface. For
> example, with 2M coming in to my WAN I would like to split it up into 1M to my
> LAN and the other 1M to my OPT1 interface.
>
> At the moment, doing a speed test from the LAN interface I'm getting 1.84M
> download speed and 1.96M upload speed, and from the OPT1 interface I'm getting
> 1.82M download speed and 1.39M upload speed.
>
> Appreciate any assistance to achieve the above bandwidth limit guaranteed.
>
> Thanks
>
> Joseph.
Re: [pfSense Support] install headaches
On 1 August 2011 at 14:54, Bart Grefte wrote:

> Weird...
>
> What about http://forum.pfsense.org/index.php?topic=25413.0;prev_next=prev
> --> "Whew, got it to work now, by not choosing "Packet Mode" during the
> bootblock creation part of the installation."
>
> From: Nick Upson [mailto:n...@telensa.com]
> Sent: Monday 1 August 2011 14:50
> To: support@pfsense.com
> Subject: Re: [pfSense Support] install headaches
>
> On 1 August 2011 13:37, Bart Grefte wrote:
>> Okay.
>>
>> Which type of install did you do, quick/easy or custom? If the 1st, try the
>> 2nd and see how far it gets then.
>
> I've tried both, they run ok and say that it's all installed
>
> --
> Nick Upson (01799 533252)

I would suggest that you use dd to remove whatever is on the first block of your disk, such as:

# dd if=/dev/zero of=/dev/disk1 count=60

or the equivalent for your OS. Then try the install again.
Re: [pfSense Support] Intermitten Wireless
On 26 July 2011 at 19:48, Chris Brennan wrote:

> Greetings! I've got a Netgate m1n1-2d13 firewall device[1] and for the most
> part, it works great (wired that is.) Wireless on the other hand is
> questionable at best. Sometimes it works, sometimes it doesn't. The
> wireless kit is [2]. pfSense 1.2.3-RELEASE sees the card just fine
>
>   ath0: flags=8943 metric 0 mtu 1500
>       ether 90:a4:de:2f:1d:bb
>       inet6 fe80::92a4:deff:fe2f:1dbb%ath0 prefixlen 64 scopeid 0x4
>       media: IEEE 802.11 Wireless Ethernet autoselect mode 11g
>       status: associated
>       ssid "The Realm" channel 1 (2412 Mhz 11g) bssid 90:a4:de:2f:1d:bb
>       authmode WPA privacy MIXED deftxkey 3 AES-CCM 2:128-bit
>       AES-CCM 3:128-bit txpower 31.5 scanvalid 60 bgscan bgscanintvl 300
>       bgscanidle 250 roam:rssi11g 7 roam:rate11g 5 protmode OFF burst
>       -apbridge dtimperiod 1
>
> and a pciconf -lv
>
>   ath0@pci0:0:12:0: class=0x02 card=0x1012185f chip=0x0013168c rev=0x01 hdr=0x00
>       class = network
>       subclass = ethernet
>
> I had my wireless working, my Sony TV was streaming Netflix for days, my
> iPod was able to browse the internet as well as my android phone and
> even my Debian laptop was working. Now, my TV can't associate, if it
> does, it refuses to get an IP address from the DHCP server (which is
> running)
>
>   [ad...@router.xaerolimit.net]/root(7): ps auxf | grep dhcpd
>   dhcpd 24379 0.0 0.8 3156 2040 ?? Is Sun05AM 0:01.56 /usr/local/sbin/dhcpd -user dhcpd -group _dhcp -chroot /var/dhcpd -cf /var/dhcpd/etc/dhcpd.conf vr0
>   root 60213 0.0 0.1 376 256 p0 R+ 10:32PM 0:00.00 grep dhcpd
>   [1.2.3-RELEASE]
>   [ad...@router.xaerolimit.net]/root(8):
>
> My iPod Touch and my Android phone are able to associate and get an IP
> without any issues, but they cannot browse. I've confirmed this by being
> able to browse my LAN from both devices but I am unable to get to
> google.com for example, or anywhere else. I've also confirmed that my TV
> never does get an IP as when trying to connect wirelessly, it is unable
> to get to my local webserver running on the same subnet as the DHCP
> daemon.
>
> So I am unsure what I missed, I'm pretty sure this is a configuration
> issue with the firewall (basic details are below, if more is needed, by
> all means ask).
>
> Interfaces -> OPT2 (Wireless)
>   Check box checked to enable device
>   Description: Wireless
>   Type: DHCP
>   Bridge with: LAN
>   Standard: 802.11g
>   Mode: Access Point
>   802.11g OFDM Protection Mode: Protection mode off
>   SSID: The Realm
>   Transmit Power: 99
>   Channel: Auto (usually ch1 is used)
>   WPA: Enable WPA check box checked
>   PSK: SoMe ReAlLy LoNg PaSs WoRd
>   WPA Mode: Both
>   WPA Key Management Mode: Pre Shared Key
>   Authentication: Open System Authentication
>   WPA Pairwise: AES
>   Key Rotation: 60
>   Master Key Regeneration: 3600
>
> Firewall -> Rules -> Lan
>   Action: Pass
>   Interface: LAN
>   Protocol: Any
>   Source: LAN Subnet
>   Destination: Any
>   Gateway: Default (192.168.0.1)
>   Description: Default LAN -> any
>
> Firewall -> Rules -> Wireless
>   Action: Pass
>   Interface: Wireless
>   Protocol: Any
>   Source: LAN subnet (was any but someone on IRC recommended the
>   change to 'LAN subnet')
>   Destination: Any
>   Gateway: Default (192.168.0.1)
>   Description: Wi-Fi Out
>
> If any other configuration details are required, please let me know and
> I will provide them, but bear in mind, I don't know where/how pfSense
> stores its configuration files. The above data was typed manually from
> the web interface.

Adding a rule such as this one will do you no harm and might help you solve your problem (at least for DHCP):

  Proto  Source   Port  Destination      Port  Gateway  Queue
  UDP    0.0.0.0  68    255.255.255.255  67    *        none

Thanks

> [1] http://store.netgate.com/Netgate-m1n1wall-2D3-2D13-Black-P216.aspx
> [2] http://store.netgate.com/KIT-ALIX-5004MP-DUAL-P190C34.aspx
>
> --
> Chris Brennan
> --
> A: Yes.
> > Q: Are you sure?
> >> A: Because it reverses the logical flow of conversation.
> >>> Q: Why is top posting frowned upon?
> http://xkcd.com/84/ | http://xkcd.com/149/ | http://xkcd.com/549/
> GPG: D5B20C0C (6741 8EE4 6C7D 11FB 8DA8 9E4A EECD 9A84 D5B2 0C0C)
Re: [pfSense Support] Wireless Mini PCIe NIC's with multiple SSID support
On 26 July 2011 at 21:26, Jostein Elvaker Haande wrote:

> Hello everyone,
>
> As the subject implies, I'm looking for a Mini PCIe based network card
> that is supported in pfSense 2.x that also supports multiple SSIDs.
> Are there cards readily available, and if so, are there any
> recommendations?
>
> Thanks in advance.

Hello,

You can use the very good Wistron CM9 from Wistron NeWeb Corp:
http://www.wnc.com.tw/Networking/MP.htm

Generally speaking, any card compatible with the FBSD ath driver will support this feature:
• http://www.freebsd.org/cgi/man.cgi?query=ath&sektion=4

If you are interested, I am reselling it here:
http://www.osnet.eu/fr/content/firewall-alix-2d13
Embedded as an option for an Alix box…

Sincerely yours.

> --
> Yours sincerely Jostein Elvaker Haande
> "A free society is a place where it is safe to be unpopular"
> - Adlai Stevenson
>
> http://tolecnal.net -- tolecnal at tolecnal dot net
[pfSense Support] ESS configuration with pfSense
Hello,

I am planning to build a multi-AP WLAN (ESS). Can this be achieved easily with pfSense? Knowing that we are looking at the classic features of such a network:

1. A couple of APs configured with the same SSID
2. Authentication
3. Security
4. Roaming between APs
5. Communication between stations in the same ESS

The main problem to solve seems to be related to IAPP (Inter Access Point Protocol) aka 802.11f or an equivalent feature. It is not very clear to me at which stage we are with this protocol and its implementation in FBSD / pfSense… and what is actually replacing it…

What would you advise? How would you proceed?

Thanks for your support.
Re: [pfSense Support] Traffic shaping for specific file type
On 16 May 2011 at 08:58, A Mohan Rao wrote:

> u can come on chat (Google chat) i will help u my best...
>
> mohanra...@gmail.com
>
> On Mon, May 16, 2011 at 11:33 AM, Shibashish wrote:
>> On Mon, May 16, 2011 at 10:56 AM, A Mohan Rao wrote:
>>> yes very easy u can use acl its working fine with groups and individual..
>>>
>>> Thanks
>>>
>>> A Mohan Rao
>>> indore
>>> india
>>>
>>> On Mon, May 16, 2011 at 10:53 AM, Shibashish wrote:
>>>> I'm on pfSense 2.0-RC1 (i386) and have been using it as a
>>>> firewall+load-balancer.
>>>>
>>>> Can i do Traffic Shaping for certain file types... like flv and mpg?
>>>>
>>>> I have to serve big sized (~50Mb each) flv and mpg videos but i have a
>>>> limited bandwidth... can i allocate a specific bandwidth like 5Mbps only for
>>>> flv/mpg requests so that the rest of my sites do not get choked.
>>>>
>>>> Thanks.
>>>>
>>>> ShiB.
>>>> while ( ! ( succeed = try() ) );
>>
>> Can you please provide some more (technical) details, steps how to do it, etc.
>>
>> Thanks.
>>
>> ShiB.
>> while ( ! ( succeed = try() ) );

Though this answer might be interesting for the person who asked it, it is totally useless to the mailing list. If everybody acted the same, the mailing list would be filled with 0 answers… Please post your answer on the mailing list.

Thanks.
Re: [pfSense Support] L7 queue seems not to work
On 29 April 2011 at 19:08, bsd wrote:

> On 29 April 2011 at 09:37, bsd wrote:
>
>> Hi,
>>
>> I have created a simple L7 container where I have put SIP and SkypeOut
>> traffic.
>>
>> Then created a Queue called VoIP where this traffic is supposed to end (HFSC
>> with 10% reserved).
>>
>> Then two floating rules to put all traffic (TCP and UDP) in and selected the
>> VoIP L7 container I have created.
>>
>> No traffic seems to go in that queue??
>>
>> Any hints?
>> Is L7 traffic shaping out of order for the time being?
>>
>> Thanks.
>
> May I add that my WLAN and LAN are bridged…
> If this has any impact on the L7 Queuing.
>
> … and that my other queues (non L7) are also working very correctly.
>
> Thx.

And the system tunables have been set correctly…

  net.link.bridge.pfil_member   Set to 0 to disable filtering on the incoming and outgoing member interfaces.   0
  net.link.bridge.pfil_bridge   Set to 1 to enable filtering on the bridge interface.                           1

No one has any feedback on L7 and v.2.0.RC1?
Re: [pfSense Support] L7 queue seems not to work
On 29 April 2011 at 09:37, bsd wrote:

> Hi,
>
> I have created a simple L7 container where I have put SIP and SkypeOut
> traffic.
>
> Then created a Queue called VoIP where this traffic is supposed to end (HFSC
> with 10% reserved).
>
> Then two floating rules to put all traffic (TCP and UDP) in and selected the
> VoIP L7 container I have created.
>
> No traffic seems to go in that queue??
>
> Any hints?
> Is L7 traffic shaping out of order for the time being?
>
> Thanks.

May I add that my WLAN and LAN are bridged…
If this has any impact on the L7 Queuing.

… and that my other queues (non L7) are also working very correctly.

Thx.
[pfSense Support] L7 queue seems not to work
Hi,

I have created a simple L7 container where I have put SIP and SkypeOut traffic.

Then created a Queue called VoIP where this traffic is supposed to end (HFSC with 10% reserved).

Then two floating rules to put all traffic (TCP and UDP) in and selected the VoIP L7 container I have created.

No traffic seems to go in that queue??

Any hints?
Is L7 traffic shaping out of order for the time being?

Thanks.
[pfSense Support] Wireless roaming between AP
Hello,

At some point there were indications that Wireless AP roaming could be achieved - at least it is achievable in FreeBSD - how about setting it up in pfSense?

--> http://blog.pfsense.org/?p=174

Has anyone got any hints on this?

Thanks.
Re: [pfSense Support] pfSense 2.0 IPsec on Mac OS X 10.6
Install the OpenVPN client package on 2.0 - two clicks and you're done! Viscosity is your best bet. So straightforward, your grandma could do it. ;-)

On 11 April 2011 at 18:19, Vick Khera wrote:

> On Mon, Apr 11, 2011 at 11:19 AM, Paul Mather wrote:
>> Has anyone managed to get IPsec for mobile clients working with pfSense 2.0
>> and Mac OS X 10.6? If so, which client are you using on the Mac OS X side?
>> Is anything special needed on the pfSense side?
>
> I *used* to use IPsecuritas but it was always finicky. I finally made the
> switch for all of the roaming clients to OpenVPN using Tunnelblick and
> everything has been much, much more stable. I still use IPsec for my fixed
> end-point tunnels between offices, and that works solidly. All such
> endpoints are pfSense.
>
> Unless you have some hard requirement to use IPSec for your mobile clients,
> give OpenVPN a try.
Re: [pfSense Support] Problem with update 1.2.3 to 2.0-RC1 Alix
On 31 March 2011 at 19:55, Vick Khera wrote:

> On Thu, Mar 31, 2011 at 12:56 PM, bsd wrote:
>> I am kind of stuck with a 1.2.3 to 2.0 upgrade on a 1Gb Alix CF card.
>> I wanted to know how long the upgrade process is supposed to last?
>> … And if there is a way to import a 1.2.3 config in 2.0?
>
> How are you running an upgrade?

I am specifying the path (either using the tar.gz file I have downloaded or using the command line upgrade).

> I have not been able to make 1.2.x
> self upgrade on my WRAP boards. When I moved to 2.0 I upgraded to the
> Alix and just re-wrote the CF card. It is totally a different on-disk
> layout anyhow, so that you can easily self upgrade and revert if
> necessary by choosing the older version to boot.

No problem with 2.0 - I am simply trying to upgrade a 1.2.3 version.

>> I have had no success importing the conf (simple install: LAN, WAN, WLAN,
>> couple of filtering rules, OpenVPN client)…
>>
>> Should I recreate everything from scratch directly in 2.0?
>
> I manually edited my 1.2.3 config file from the WRAP to change the
> interface names

Ok… Why did you do so? Do interface names get handled differently in 2.0 than in 1.2.3?

> and uploaded it into a 2.0 on Alix and was up and
> running as soon as it rebooted (and Comcast decided to let my new MAC
> address get a DHCP public IP). Everything worked just fine, including
> the IPsec tunnels to the offices.

Well, I didn't have that luck… Uploading the config from 1.2.3 to 2.0 simply failed. I guess I might have something wrong with my xml file.

Sincerely yours.
[pfSense Support] Problem with update 1.2.3 to 2.0-RC1 Alix
Hi,

I am kind of stuck with a 1.2.3 to 2.0 upgrade on a 1Gb Alix CF card.
I wanted to know how long the upgrade process is supposed to last?
… And if there is a way to import a 1.2.3 config in 2.0?

I have had no success importing the conf (simple install: LAN, WAN, WLAN, couple of filtering rules, OpenVPN client)…

Should I recreate everything from scratch directly in 2.0?

So far I have been able to:

> File size: 66404492
>
> Fetching file...
> looking up mirror.qubenet.net
> connecting to mirror.qubenet.net:80
> requesting http://mirror.qubenet.net/mirror/pfsense/updates/pfSense-2.0-RC1-1g-i386-20110226-1633-nanobsd-upgrade.img.gz
> remote size / mtime: 66404492 / 1298915320
> /root/firmware.tgz    100% of 63 MB  1113 kBps 00m00s
>
> Fetching MD5...
> looking up mirror.qubenet.net
> connecting to mirror.qubenet.net:80
> requesting http://mirror.qubenet.net/mirror/pfsense/updates/pfSense-2.0-RC1-1g-i386-20110226-1633-nanobsd-upgrade.img.gz.md5
> remote size / mtime: 102 / 1298915320
> /root/firmware.tgz.md5    100% of 102 B    41 kBps
> URL MD5: 8f5a35a4a0dcf01130507b0e3968f895
>
> Downloaded file MD5: 8f5a35a4a0dcf01130507b0e3968f895
>
> MD5 checksum matches.
> NanoBSD upgrade file detected...
>
> One moment please...
> Invoking firmware upgrade.
[pfSense Support] 3G NIC compatible with pfSense ?
Hi,

I wanted to know if you had any idea about 3G / GSM NICs that would be compatible with pfSense?
How is 3G supposed to work with pfSense?

Any pointer / study / comments will be welcome.

Thanks.
Re: [pfSense Support] Difference between IP Alias and Other for VIPs
I have created a table that synthesizes the various possibilities offered by the various types of VIPs… "VIPs dans même sous réseau que l'interface" means VIPs in the same subnet as the interface.

Do you have any comment on this table?

  Type        Services   Forward Traf.   L2    Clustering    VIPs in same subnet as interface   ICMP
  CARP        Yes        Yes             Yes   Yes           Required                           Yes
  Proxy ARP   No         Yes             Yes   No            Not required                       No
  Other       No         Yes             No    No            Not required                       No
  IP Alias    Yes        Yes             No    No            Not required                       Yes

On 17 March 2011 at 13:34, Jim Pingle wrote:

> On 3/17/2011 8:29 AM, bsd wrote:
>> I wanted to know what was the difference between IP Alias and Other in VIPs?
>> What does IP Alias do technically speaking?
>>
>> It is not very clear to me.
>
> IP Alias is just that, an IP Alias in FreeBSD. It is an actual
> additional IP address defined directly on the network card. It can be
> used for anything -- listening for services, port forwards, outbound
> nat, 1:1 nat, etc. It lets you actually address and talk to multiple
> subnets on a single card if the Alias is in a different subnet.
>
> "Other" type VIPs are just placeholders. The work for those is done by
> the upstream gear routing a subnet to an IP on your firewall, and the
> "Other" type VIPs just let you use those IPs for NAT.
>
> Jim
Re: [pfSense Support] Difference between IP Alias and Other for VIPs[solved]
Ooops sorry,

http://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses%3F

On 17 March 2011 at 13:29, bsd wrote:

> Hi,
>
> I wanted to know what was the difference between IP Alias and Other in VIPs?
> What does IP Alias do technically speaking?
>
> It is not very clear to me.
>
> Thanks.
>
> G.B.
[pfSense Support] Difference between IP Alias and Other for VIPs
Hi,

I wanted to know what was the difference between IP Alias and Other in VIPs?
What does IP Alias do technically speaking?

It is not very clear to me.

Thanks.

G.B.
[pfSense Support] System tunables optimization with V.2.0 for Squid
Hello,

I have Squid / SquidGuard installed with version 2.0 of pfSense. There are various posts about "system optimization" for these packages. Most of them are quoted here:

--> kern.ipc.nmbclusters=32768
--> vm.kmem_size="435544320"
--> vm.kmem_size_max="535544320"
--> kern.maxfiles="65536"
--> kern.maxfilesperproc="32768"
--> net.inet.ip.portrange.last="65535"
--> net.inet.tcp.inflight.enable=0
--> net.inet.tcp.hostcache.expire=1

Do these settings look ok?

Most of these parameters used to be set in /boot/loader.conf
With version 2.0 we have access to System >> Advanced >> System Tunables

Should these parameters be set in there? Or should they be set in loader.conf?

Thanks for your answer.
Re: [pfSense Support] Import shared key from XML
On 12 January 2011 at 16:39, Jim Pingle wrote:

> [please don't top post]
> On 1/12/2011 10:13 AM, bsd wrote:
>> On 12 January 2011 at 13:53, Jim Pingle wrote:
>>
>>> On 1/12/2011 5:48 AM, bsd wrote:
>>>> Hello,
>>>>
>>>> I am trying to import a Shared Key from a previous XML file. It looks like
>>>> the key found in the XML file can not be directly copy / pasted in the
>>>> shared key box.
>>>>
>>>> Do you know what I have to "cut out" to make it work?
>>>>
>>>> The key looks similar to this one:
>>>>
>>>> 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
>>>
>>> It's base64 encoded inside of the XML. You could copy/paste it into a
>>> backup of the target router, or if you want the decoded version, go to
>>> Diagnostics > Command, and type in:
>>>
>>> echo base64_decode("LSOtLS[...]");
>>>
>>> Put the contents of the tag inside the quote
>>> marks, not the tags itself. When you press Execute, it should give you
>>> the plain text version you can then copy/paste.
>>
>> Ok,
>>
>> Thanks very much.
>> I didn't manage to get it working with the provided command line, got a
>>
>> Badly placed ()'s.
>>
>> … Anyway I have managed to get it decoded and working ok.
>
> It should have gone in the PHP execute code box, not the command line.
> Sorry for that.
>
> You also should probably generate a new key, seeing as everyone on the
> list (and those that can read the archive) now have a copy of your
> shared key. :-)
>
> If you're on 1.2.3 it's easy to make a new key, just go to Diagnostics >
> Command, and in the shell execute box, type:
> openvpn --genkey --secret /dev/stdout
>
> Then copy/paste that to both boxes. It's probably better from a security
> standpoint to make new shared keys in most cases than to keep importing
> them over and over.
>
> Jim

Don't worry about that, unless you find out which part of the key I have modified before posting it, you have very very little chance to find out my key… ;-)
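As an added example (not code from this thread or from pfSense), a Python script that does offline what Jim's base64_decode() call does on the box: it pulls the base64 string out of a config.xml backup, decodes it, and checks that the decoded text has the layout of an OpenVPN V1 static key, which is the form that belongs in the shared key box. The <shared_key> element name and the surrounding XML layout are assumptions, and the key inside is constructed, not a real secret.

```python
import base64
import re
import xml.etree.ElementTree as ET

BEGIN_MARK = "-----BEGIN OpenVPN Static key V1-----"
END_MARK = "-----END OpenVPN Static key V1-----"
HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")


def _constructed_key() -> str:
    # Constructed, non-secret stand-in with the shape of `openvpn --genkey`
    # output: a comment line, the BEGIN marker, 16 lines of 32 hex digits
    # (2048 bits) and the END marker. Not a real key.
    body = [("%02x" % i) * 16 for i in range(16)]
    lines = ["# 2048 bit OpenVPN static key", BEGIN_MARK] + body + [END_MARK]
    return "\n".join(lines) + "\n"


SAMPLE_KEY = _constructed_key()
SAMPLE_KEY_B64 = base64.b64encode(SAMPLE_KEY.encode("ascii")).decode("ascii")

# Constructed config.xml fragment. The <shared_key> element name and the
# layout around it are assumptions, not copied from a real pfSense backup.
SAMPLE_CONFIG_XML = f"""<pfsense>
  <openvpn>
    <openvpn-client>
      <vpnid>1</vpnid>
      <shared_key>{SAMPLE_KEY_B64}</shared_key>
    </openvpn-client>
  </openvpn>
</pfsense>
"""


def extract_shared_keys(config_xml: str) -> list:
    """Return the decoded text of every <shared_key> element in the backup."""
    root = ET.fromstring(config_xml)
    keys = []
    for elem in root.iter("shared_key"):
        raw = (elem.text or "").strip()
        # validate=True rejects stray characters instead of silently dropping them
        keys.append(base64.b64decode(raw, validate=True).decode("ascii"))
    return keys


def is_valid_static_key(key_text: str) -> bool:
    """True if the text has the layout OpenVPN expects for a V1 static key:
    BEGIN marker, 16 lines of 32 hex digits, END marker (comments ignored)."""
    lines = [line.strip() for line in key_text.splitlines()]
    lines = [line for line in lines if line and not line.startswith("#")]
    if len(lines) != 18 or lines[0] != BEGIN_MARK or lines[-1] != END_MARK:
        return False
    return all(HEX32.match(line) for line in lines[1:-1])


def decoded_key_from_backup(config_xml: str) -> str:
    """Pull the single shared key out of a backup and confirm the decoded
    form (not the base64 form from the XML) is what goes in the key box."""
    keys = extract_shared_keys(config_xml)
    if len(keys) != 1:
        raise ValueError("expected exactly one <shared_key>, found %d" % len(keys))
    if not is_valid_static_key(keys[0]):
        raise ValueError("decoded <shared_key> is not an OpenVPN V1 static key")
    return keys[0]


if __name__ == "__main__":
    print(decoded_key_from_backup(SAMPLE_CONFIG_XML))
```

Pasting the raw base64 string fails the layout check, which is exactly the symptom the thread started with.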
Re: [pfSense Support] Import shared key from XML
Ok,

Thanks very much.
I didn't manage to get it working with the provided command line, got a

Badly placed ()'s.

… Anyway I have managed to get it decoded and working ok.

Thanks.

On 12 January 2011 at 13:53, Jim Pingle wrote:

> On 1/12/2011 5:48 AM, bsd wrote:
>> Hello,
>>
>> I am trying to import a Shared Key from a previous XML file. It looks like
>> the key found in the XML file can not be directly copy / pasted in the
>> shared key box.
>>
>> Do you know what I have to "cut out" to make it work?
>>
>> The key looks similar to this one:
>>
>> 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
>
> It's base64 encoded inside of the XML. You could copy/paste it into a
> backup of the target router, or if you want the decoded version, go to
> Diagnostics > Command, and type in:
>
> echo base64_decode("LSOtLS[...]");
>
> Put the contents of the tag inside the quote
> marks, not the tags itself. When you press Execute, it should give you
> the plain text version you can then copy/paste.
>
> Jim
[pfSense Support] Import shared key from XML
Hello,

I am trying to import a Shared Key from a previous XML file. It looks like the key found in the XML file can not be directly copy / pasted in the shared key box.

Do you know what I have to "cut out" to make it work?

The key looks similar to this one:

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

Thanks for your answer.

Sincerely yours.

G.B.

Grégory Bernard
www.OsNet.eu
PGP ID --> 0x1BA3C2FD
[pfSense Support] Best way of bridging with 2.0
Hello,

I have found this useful post about setting up a bridge in pfSense and have translated it into French:

http://forum.pfsense.org/index.php/topic,20917.0.html
http://www.osnet.eu/fr/content/pfsense-v20-dhcp-et-bridge

I have one more question regarding the way things "should be done" in a specific scenario.

I have a two port Alix box + 1 WLAN. Here is how things are actually set up:

  WAN [82.66.xx.yy : vr1] <---> LAN  [192.168.2.1 : vr0]
                                WLAN [192.168.2.2 : ath0]
                                  |        |
                                   Bridged
                                OPT2 [no IP : Bridge0]

I would like to bridge LAN and WLAN on an OPT interface and still be able to have DHCP working. I would also like to have filtering (firewalling) happening at one point only (for outgoing traffic - internal traffic won't be filtered)?

Is this schema ok? Or should I assign the vr0 interface to the bridge instead?

Thanks.
Re: [pfSense Support] LCD driver for TEAK 3035S
I think we are getting closer to solving this issue… I am putting pressure on the manufacturer of these devices so they can give us more info. I've copied recent messages from the list, hoping this could help them. But at this stage I don't really know what would really help us solve the issue we are facing, so any help from knowledgeable persons would be appreciated. I can then try to pressure them to provide us with the needed info…

Thanks.

On 22 November 2010 at 23:46, Gavin Spurgeon wrote:

>> Try to find out what sort of emulation the screen uses, most likely it
>> will use one of the existing drivers for output.
>
> I have found on the back of the LCD's PCB 'SC2002D rev1' so then found
> (via Google) that it is probably a 'Sunlike Display Tech. Corp' LCD.
> That led me to find this URL @
> http://lists.omnipotent.net/pipermail/lcdproc/2006-August/011029.html
>
> That says:-
>>> According to the SPECs I found google'ing it is driven by a
>>> controller that is compatible to a KS0066, which - another
>>> google'ing round - should be HD44780 compatible.
>>> The hd44780 is supported by LCDproc using various wiring schemes.
>
> I confirmed that the SC2002D is indeed KS0066 compatible via this URL @
> http://www.datasheetarchive.com/SC2002-datasheet.html
> --->
> http://www.datasheetarchive.com/pdf-datasheets/Datasheets-29/DSA-566292.html
>
> The .pdf (Attached) says...
> "BUILT-IN CONTROLLER (KS0066 OR EQUIVALENT)"
>
>> Each driver is specific to a display, most communicate via serial, usb
>> serial or parallel port interfaces.
>
> The LCD on the TEAK3035 is Serial, Detected by pfSense as /dev/cuad1
> not /dev/cua1 as the LCDproc Package assumes. :-(
>
>> You will need to find out if it uses an existing signaling method via the
>> supplier. If it does not use some sort of existing signaling I would
>> press the vendor for providing an lcdproc driver.
>
> I have no idea where to even start with this
>
> But maybe with the info above, Seth are you able to help and point me in
> any other direction that might get this display working?
> i.e. the /dev/cuad1 != /dev/cua1 and so on
>
> --
>
> Gavin Spurgeon.
> AKA Da Geek
>
> --
> "The happiest of people don't necessarily have the best of everything,
> they just make the most of everything that comes along their way.."
Re: [pfSense Support] LCD driver for TEAK 3035S
Hello Gavin,

From my point of view (and as far as I am informed) you will have to build your own LCD driver. As a reseller of this hardware, I was in touch with the manufacturer, and I think you will have to use the provided C program and example (provided with the driver CD) in order to build your own drivers (unless you know the LCD chipset and ref they are using, but it looks like they might be using some not so common HW)…

If you want we can try to sponsor something in order to have it work…?

I'll try to get in touch again with the manufacturer to try to have precise info about the LCD model they are using.

Bye.

On 21 Nov 2010 at 17:15, Gavin Spurgeon wrote:

> Hi List,
>
>>> The Teak 3035 uses the serial port 1 to communicate with the LCM.
>
> I have now got a Teak 3035S from:
> http://linitx.com/viewproduct.php?prodid=12711
>
> The unit is brilliant, but I have the issue with the LCD panel as well.
> I have PF v1.2.3 installed and working brilliantly and I also installed
> the lcdproc package, but this is where the issues started.
>
> The serial port detected by PF is /dev/caud1 and the lcdproc package
> expects the port to be /dev/cau1
> I changed all references in all the files to /dev/caud1 and left the
> driver as pyramid, this got me to a stage where the LCD now just cycles
> with the word 'Initializing...' and then goes blank and restarts the LCD
> and shows 'Initializing...' again and again... but never shows any real info.
> The LCD is a 2 row x 20 column display, but I have no way to find out
> what driver it needs from the list in the lcdproc package...
>
> Can anyone point me in the correct direction, otherwise this is a >£600
> unit that I could replace with a ~£300 (like these units:
> http://linitx.com/viewproduct.php?prodid=12508
> or this unit that has *2* alix 3 NIC units in a 1U chassis for £312.42
> http://linitx.com/viewproduct.php?prodid=12915
> )
>
> I have also tried to contact the manufacturers of the Teak unit @
> http://www.arinfotek.com/product.php?gid=1&pid=52 with no success.
>
> --
> Gavin Spurgeon.
> AKA Da Geek

Grégory Bernard, Director, www.osnet.eu
Re: [pfSense Support] LCD driver for TEAK 3035S
But how can it be detected if it hasn't got the right drivers? Aren't the drivers included in the package I have sent as an attachment? Is only being able to communicate with this serial port enough?

On 10 Nov 2010 at 11:31, Seth Mos wrote:

> On 10-11-2010 10:39, bsd wrote:
>> Hello,
>>
>> I am reselling hardware on my website http://www.osnet.eu/
>>
>> One of my clients has requested to have the ability to use the LCD display
>> for this device.
>>
>> The hardware manufacturer has provided me an application in C which allows
>> communication with the LCD and has added the following information:
>>
>> "About the application, I have attached an application code for your
>> reference. The Teak 3035 uses the serial port 1 to communicate with the
>> LCM. So, there is no need of extra driver, just use the built-in driver.
>> Modify this application to meet your customer's application OR use this code
>> to test the LCM."
>
> There is a LCD proc package, if the serial port is detected by pfSense you
> can successfully configure it by installing the lcdproc package.
>
> Kind regards,
>
> Seth

Grégory Bernard, Director, www.osnet.eu
Re: [pfSense Support] Teak 3035S as a pfSense Unit ?
Hello,

I am reselling the same unit on my website. I am an official pfSense reseller and have tested and validated this unit…
http://www.osnet.eu/en/content/firewall-fwa-3035s

There is also the very good:
http://www.osnet.eu/en/content/firewall-fwa-3035l

You can use either the embedded or the full install.

Sincerely yours.

On 15 Oct 2010 at 00:31, Gavin Spurgeon wrote:

> Hi All,
>
> I have a new project coming on-line in the next week or so that will
> require some new pfSense Hardware going into some DCs here in London.
>
> I have used all sorts of units in the past as pfSense Hardware, but this
> job wants the hardware to "Look The Part" in the words of the customer...
>
> I was thinking of using something like 'Teak 3035S' from LinITX.com
> (http://linitx.com/viewproduct.php?prodid=12711)
>
> Does anyone have any experience of pfSense on the 'Teak 3035S' unit
> or comments about it, Good, Bad, Ugly... and so on?
>
> Any other suggestions for pfSense compatible Rack Mount Hardware (within
> the UK) that "Looks The Part" would also be welcomed...
>
> Thanks all.
>
> --
> Gavin Spurgeon.
> AKA Da Geek

Grégory Bernard, Director, www.osnet.eu
Re: [pfSense Support] power-out and Alix-boards
Hi,

I am a reseller of Alix boxes and one of my clients has also complained about a problem with a power outage and the Alix not rebooting.

When you talk about power outages and Alix boards, I think all kinds of weird things can happen… If you want a more secure environment, don't buy Alix boards, buy higher-end products with a better power supply.

That being said, I have sold more than one hundred Alix boards and had no more than one problem related to a power outage. So I guess that even though power outages can and will happen, most of the time you'll reboot without problem.

My advice: buy a second CF card ready to be plugged in.

Bye //

On 10 Sept 2010 at 04:07, Chris Buechler wrote:

> On Thu, Sep 9, 2010 at 1:28 PM, Michel Servaes wrote:
>>
>> PC Engines ALIX.2 v0.99h
>> 640 KB Base Memory
>> 261120 KB Extended Memory
>>
>> No boot device available, press Enter to continue.
>>
>
> That's a new one. The very few scenarios I've heard of in the past
> were filesystem corruption that it fails to repair with fsck, leaving
> the system unbootable, but it gets well past that, and that's far
> different since it's the boot sector. I can't think of anything but
> hardware problems that could possibly cause that. That makes me wonder
> if you have bad blocks on the CF that hosed your previous boot sector,
> and when you rewrite it, the wear leveling writes to unaffected
> blocks. I really doubt if that's anything other than the CF, maybe a
> few bad cards in the batch you got. With at least tens of thousands of
> ALIX systems out there running pfSense, to be the first to run into
> something is highly unusual.
>
>> I am using the "embedded" version on a 4GB Kingston CF card... (it's
>> not an industrial one...).
>
> That sounds like the same CF cards we use (and seriously abuse) quite
> a bit, we've never had a problem with those. Personally, I wouldn't
> trust either of the cards this happened to, for running in remote
> locations at least.
>
> Most of my systems in production in the field have SanDisk cards in
> them, and most of our resellers ship with SanDisk. My testing and
> development systems get infinitely more abuse than any production
> system though, and they almost all run Kingston cards. There are a few
> different Kingston models though, maybe you have something different
> from the ones we have.
>
>> But when using embedded - I guess I am
>> using read-only, no?
>
> Unless you got in under the hood and changed how things work, yes,
> you're read only. Besides, the boot sector has nothing to do with how
> your partitions are mounted. It could result in partition corruption,
> but that's not what you're seeing.

Gregober - PGP ID 0x1BA3C2FD - bsd @at@ todoo.biz
Re: [pfSense Support] Benchmark tool
On 7 Sept 2010 at 22:14, Chris Buechler wrote:

> On Tue, Sep 7, 2010 at 3:24 PM, bsd wrote:
>>
>> My main question is why, when filtering is enabled, do we lose 75% of the
>> throughput…
>>
>> Are these normal figures or not?
>>
>
> Filtering has vastly more overhead than routing, that's normal.

Ok, so I guess the topic is closed… I'll still analyze things in depth to figure out how to optimize this… if possible.

Thanks for your support.

Gregober - PGP ID 0x1BA3C2FD - bsd @at@ todoo.biz
Re: [pfSense Support] Benchmark tool
Here are the results of the test you asked for:

gregober 21:15:31 ~ -> iperf -c 1.2.3.5
Client connecting to 1.2.3.5, TCP port 5001
TCP window size: 129 KByte (default)
[ 3] local 192.168.10.2 port 60681 connected with 1.2.3.5 port 5001
[ ID] Interval Transfer Bandwidth
[ 3] 0.0-10.0 sec 1.07 GBytes 919 Mbits/sec

Ubuntu 10.04 LTS, freshly baked.

I think this has to be compared to this test:

> WITHOUT PACKET FILTERING ENABLED
> gregober 18:40:12 ~ -> iperf -c 1.2.3.4
>
> Client connecting to 1.2.3.4, TCP port 5001
> TCP window size: 129 KByte (default)
>
> [ 3] local 192.168.1.199 port 53391 connected with 1.2.3.4 port 5001
> [ ID] Interval Transfer Bandwidth
> [ 3] 0.0-10.0 sec 1.03 GBytes 882 Mbits/sec

Results are somewhat similar…

My main question is why, when filtering is enabled, do we lose 75% of the throughput…

Are these normal figures or not?

Thank you.

On 7 Sept 2010 at 11:15, Paul Mansfield wrote:

> On 06/09/10 21:58, bsd wrote:
>> I have made a simple configuration which looks like that:
>>
>> Station_1 <<< WAN >>> pfSense_FW <<< LAN >>> Station_2
>
> it'd be interesting to compare the same hardware running linux; if you
> don't feel like installing, boot a live CD; just ifconfig the
> interfaces, and turn on IP routing and disable any filtering thus:
>
> ifconfig eth0 $WANADDRESS
> ifconfig eth1 $LANADDRESS
> echo 1 > /proc/sys/net/ipv4/ip_forward
> iptables -I FORWARD -j ACCEPT

Gregober - PGP ID 0x1BA3C2FD - bsd @at@ todoo.biz
Re: [pfSense Support] Benchmark tool
Ok, I have followed a couple of pieces of advice found on the forum.

I have made a simple configuration which looks like that:

Station_1 <<< WAN >>> pfSense_FW <<< LAN >>> Station_2
1.2.3.4 <> 1.2.3.5/24 192.168.1.1 <> DHCP

I have been conducting these tests with pfSense 1.2.3.

The hardware I have been testing the solution on is the following:

• Intel® Atom N270 1.6 GHz
• Intel® 945GSE North & ICH7-M South Bridge Chipset
• 512MB DDR2 RAM on board + 1 SODIMM 1024MB Slot
• 5 LAN Ports (4 Gigabit Intel 82574L + 1 FE Intel 82551ER)

I have tried all sorts of things to optimize the settings on the firewall; all in all I have obtained the following results:

WITH PACKET FILTERING ENABLED
gregober 18:24:15 ~ -> iperf -c 1.2.3.4
Client connecting to 1.2.3.4, TCP port 5001
TCP window size: 129 KByte (default)
[ 3] local 192.168.1.199 port 53298 connected with 1.2.3.4 port 5001
[ ID] Interval Transfer Bandwidth
[ 3] 0.0-10.0 sec 257 MBytes 216 Mbits/sec

WITHOUT PACKET FILTERING ENABLED
gregober 18:40:12 ~ -> iperf -c 1.2.3.4
Client connecting to 1.2.3.4, TCP port 5001
TCP window size: 129 KByte (default)
[ 3] local 192.168.1.199 port 53391 connected with 1.2.3.4 port 5001
[ ID] Interval Transfer Bandwidth
[ 3] 0.0-10.0 sec 1.03 GBytes 882 Mbits/sec

This means that when the firewall is enabled, the performance of the firewall is reduced by 75%.

I found this quite surprising because my hardware is very far from being saturated; it is in fact not impacted at all by these tests.

I was wondering if this is normal? Are there any settings I might optimize somewhere?

On 4 Sept 2010 at 18:27, Chris Buechler wrote:

> On Sat, Sep 4, 2010 at 5:58 AM, bsd wrote:
>> Hi,
>>
>> I am looking for a tool (or a configuration setup) that will allow me to
>> benchmark (performance test) a couple of firewalls based on pfSense, and
>> eventually to compare them with other software / hardware solutions.
>>
>> Any idea, clue, link will be highly appreciated.
>>
>
> It depends on what you'll be sending through the firewall in
> production. There's a big difference between different types of
> traffic. Basic test tools include iperf, netperf, and many others.
> That type of test only tells you the maximum achievable single stream
> throughput, though you can customize to some extent. Better to
> replicate an environment similar to what you'll have in production,
> whether web serving, VoIP, web browsing, whatever. There are specific
> tools for most protocols.

Gregober - PGP ID 0x1BA3C2FD - bsd @at@ todoo.biz
[pfSense Support] Benchmark tool
Hi,

I am looking for a tool (or a configuration setup) that will allow me to benchmark (performance test) a couple of firewalls based on pfSense, and eventually to compare them with other software / hardware solutions.

Any idea, clue, link will be highly appreciated.

Thanks

Gregober - PGP ID 0x1BA3C2FD - bsd @at@ todoo.biz
Re: [pfSense Support] Appliance Recommendation for 100 Mbps (DOCSIS 3.0) Service
You can check this: http://www.osnet.eu/en/content/firewall-fwa-3035s

Actually there is a fwa-3035l (not yet sold), which might interest you… I'll send you the specs off list; it runs on low voltage and might suit your needs.

Thanks.

On 1 Sept 2010 at 17:00, Michael Riglin wrote:

> Christmas came early this year, and I am moving to the new DOCSIS 3.0 service
> that is available from my ISP. This new service will provide a 100/5 Mbps
> service which is a nice upgrade from the 15/1 Mbps service that I currently
> have in place. Unfortunately, the reliable ALIX appliances I have used to run
> pfSense will not support the full downstream bandwidth of this new service.
> The ALIX model I currently use is the ALIX2D3 which uses the AMD Geode
> LX800 500 MHz chip and is not quite beefy enough for the full 100 Mbps
> unfortunately.
>
> So, I need to seek out a new ALIX-like appliance to purchase, or I have to
> build a new mini-ITX box to get the full capabilities of the connection.
> Before I research the best custom mini-ITX system build options, I wanted to
> ask the list for any experience-based recommendations on low power
> consumption appliances for purchase that have enough CPU power to support 100
> Mbps and above. (Quality and future-proofing is more important than cost.)
>
> Thanks in advance to anyone who replies.
>
> Best regards,
> Michael
>
> Service link, in case there is an interest:
> http://www.shaw.ca/en-ca/ProductsServices/Internet/Nitro/

Gregober - PGP ID 0x1BA3C2FD - bsd @at@ todoo.biz
[pfSense Support] Larger log files
Hello,

I have configured a couple of devices for clients based on large disks (160 GB or 250 GB). I would like to know if it is possible to increase the size of the "clog" limit for log rotation… or if it is possible to entirely remove the clog system and get back to the newsyslog log rotation principle…

I am asking that because, for legal purposes, some of these clients have to keep a minimum of 1 or 2 years of log archive.

Thanks for your support.

Gregober - PGP ID 0x1BA3C2FD - bsd @at@ todoo.biz
Re: [pfSense Support] Problem with install (size of partition)
Looks like the problem was related to a BIOS setting. I have changed the setting of disk detection from "AUTO" to "LBA" and this has allowed me to boot on the disk.

One more question:

With the disk I am using, FBSD seems to have two possibilities for the partition table size (or at least, depending on the boot, it sometimes offers me the 1st option and other times the second one):

1. 30401 cylinders | 255 heads | 63 sectors
2. 484521 cylinders | 16 heads | 63 sectors

Global disk size is 250GB (LBA 488397168)

Can I use either of the above? What will be the consequences?

Thanks.

On 24 June 2010 at 22:42, bsd wrote:

> Hi,
>
> I am trying to install pfSense on a new device with a SATA disk.
>
> I am trying to install a Toshiba HD on an appliance, the Toshiba is a
> MK2565GSX of 250GB described
> here: http://www3.toshiba.co.jp/storage/english/spec/hdd25/65.htm#spec02
>
> Disk geometry is detected by FBSD as 484521 cylinders / 16 heads / 63 sectors.
>
> If I use a FBSD installer, the proposed init is as follows:
>
> Offset  Size       End        Name   PType  Desc     Subtype  Flags
> 0       63         62         -      12     unused   0
> 63      488397105  488397167  ad1s1  8      freebsd  165
>
> Or, from what I am seeing, the pfSense install wishes to install:
>
> < 1: 232.88G (63-488397168) id=165 >
>
> If I follow this path, I end up with the following error:
>
> ad1: FAILURE - READ_DMA48 status=51 error=10
> LBA=18446744073709551553
>
> The problem is that FBSD offers to stop at 488397167, not 488397168!!
>
> I am afraid this might be the source of my problem…
>
> Isn't there a calculation problem somewhere in the pfSense installer?
> Or am I wrong somewhere?
>
> What would be your advice?
> Is there any way for me to correct the 488397168 into 488397167?
>
> Any idea what is precisely going wrong?
>
> Thank you very much.
>
> Gregober - PGP ID 0x1BA3C2FD - bsd @at@ todoo.biz

Gregober - PGP ID 0x1BA3C2FD - bsd @at@ todoo.biz
[pfSense Support] Problem with install (size of partition)
Hi,

I am trying to install pfSense on a new device with a SATA disk.

I am trying to install a Toshiba HD on an appliance, the Toshiba is a MK2565GSX of 250GB described here: http://www3.toshiba.co.jp/storage/english/spec/hdd25/65.htm#spec02

Disk geometry is detected by FBSD as 484521 cylinders / 16 heads / 63 sectors.

If I use a FBSD installer, the proposed init is as follows:

Offset  Size       End        Name   PType  Desc     Subtype  Flags
0       63         62         -      12     unused   0
63      488397105  488397167  ad1s1  8      freebsd  165

Or, from what I am seeing, the pfSense install wishes to install:

< 1: 232.88G (63-488397168) id=165 >

If I follow this path, I end up with the following error:

ad1: FAILURE - READ_DMA48 status=51 error=10
LBA=18446744073709551553

The problem is that FBSD offers to stop at 488397167, not 488397168!!

I am afraid this might be the source of my problem…

Isn't there a calculation problem somewhere in the pfSense installer? Or am I wrong somewhere?

What would be your advice? Is there any way for me to correct the 488397168 into 488397167?

Any idea what is precisely going wrong?

Thank you very much.

Gregober - PGP ID 0x1BA3C2FD - bsd @at@ todoo.biz
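A worked check of the numbers in the two "size of partition" posts above (added here as an example; it is not code from the thread or from pfSense, and it assumes 512-byte sectors plus the figures quoted in the posts): it derives the sector count from both CHS geometries FreeBSD offered, shows that bsdlabel's inclusive End 488397167 and the installer's "63-488397168" describe the same slice, and reads the READ_DMA48 LBA as a wrapped 64-bit value.

```python
"""Partition-bound arithmetic for the 250GB disk discussed in the thread.

All numbers are the ones quoted in the posts (constructed input, nothing
is read from real hardware); 512-byte sectors are assumed.
"""
import math

SECTOR_BYTES = 512
LBA_SECTORS = 488397168  # "Global disk size is 250GB (LBA 488397168)"

# The two CHS geometries FreeBSD alternately reported for the disk.
GEOMETRIES = {
    "255h/63s": (30401, 255, 63),
    "16h/63s": (484521, 16, 63),
}

# The error line from the post: LBA printed as an unsigned 64-bit number.
ERROR_LBA_RAW = 18446744073709551553


def chs_sector_count(cylinders: int, heads: int, sectors: int) -> int:
    """Sectors addressable through a CHS geometry (C * H * S)."""
    return cylinders * heads * sectors


def geometry_report(lba_total: int) -> dict:
    """Per geometry: addressable sectors and how many LBAs fall past the last
    whole cylinder (those are simply unreachable through that geometry)."""
    report = {}
    for name, (c, h, s) in GEOMETRIES.items():
        n = chs_sector_count(c, h, s)
        report[name] = {"sectors": n, "unreachable": lba_total - n}
    return report


def partition_bounds(start: int, size: int) -> dict:
    """Both conventions for one slice: bsdlabel prints the last sector
    (inclusive), the installer's "start-end" prints one past it."""
    return {
        "start": start,
        "size": size,
        "last_sector": start + size - 1,  # bsdlabel "End" column
        "exclusive_end": start + size,    # installer "63-488397168"
    }


def size_gib_truncated(sectors: int) -> float:
    """Slice size in GiB, truncated to two decimals the way the
    installer's "232.88G" display rounds down."""
    gib = sectors * SECTOR_BYTES / 1024 ** 3
    return math.floor(gib * 100) / 100


def decode_error_lba(raw: int) -> int:
    """Reinterpret a 64-bit unsigned LBA as signed two's complement, which
    exposes a wrapped negative offset behind a huge printed value."""
    return raw - 2 ** 64 if raw >= 2 ** 63 else raw


def analyze() -> dict:
    """Tie the three observations from the thread together."""
    slice1 = partition_bounds(63, LBA_SECTORS - 63)  # 63-sector offset, rest of disk
    return {
        "geometries": geometry_report(LBA_SECTORS),
        "slice": slice1,
        "slice_gib": size_gib_truncated(slice1["size"]),
        # -63: the failing request sits 63 sectors *before* LBA 0, the same
        # magnitude as the slice offset, i.e. an address computed from a wrong base
        "error_lba": decode_error_lba(ERROR_LBA_RAW),
    }


if __name__ == "__main__":
    for key, value in analyze().items():
        print(f"{key}: {value}")
```

Both bounds name the same 488397105-sector slice, so the "167 vs 168" difference is only a convention; the 16h/63s geometry covers the disk exactly while 255h/63s leaves the last partial cylinder unaddressed.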
Re: [pfSense Support] Guide for package deployment | architecture of pfSense
Thank you very much for these answers. The book is great, and I use it on a regular basis. It would be nice to include a little section in a future release of the book that describes the architecture of pfSense relative to FBSD.

Thanks.

On 2 June 2010 at 06:45, Chris Buechler wrote:

> On Mon, May 31, 2010 at 3:23 AM, bsd wrote:
>> Hello,
>>
>> I am looking for a guide or an answer that could help me to understand how
>> pfSense is architected in terms of directories (FreeBSD level)…
>>
>> The goal of this question is to be able to solve various problems related to
>> the deployment of a package on a pfSense box.
>>
>> - rc.conf equivalent on pfSense (with implementation examples)
>
> There isn't one.
>
>> - guidelines of the architecture (for embedded and Live install)
>> - specification related to the architecture (specific mechanism)
>> - highlight of differences between 1.2.3 and 2.0 architecture
>>
>
> And there really isn't anything on the above either, short of reading
> the source.
>
> The dev info that is available is here:
> http://doc.pfsense.org/index.php/Category:Development
> http://devwiki.pfsense.org - though there is a lot of outdated info
> there, check the last revision, if it's 2 years or more ago it's
> probably not accurate

Gregober - PGP ID 0x1BA3C2FD - bsd @at@ todoo.biz
[pfSense Support] Guide for package deployment | architecture of pfSense
Hello,

I am looking for a guide or an answer that could help me to understand how pfSense is architected in terms of directories (FreeBSD level)…

The goal of this question is to be able to solve various problems related to the deployment of a package on a pfSense box.

- rc.conf equivalent on pfSense (with implementation examples)
- guidelines of the architecture (for embedded and Live install)
- specification related to the architecture (specific mechanism)
- highlight of differences between 1.2.3 and 2.0 architecture

Thank you very much.

Gregober - PGP ID 0x1BA3C2FD - bsd @at@ todoo.biz
Re: [pfSense Support] Shell escape during LiveCD install
For anyone that might be interested:

The problem turned out to be an initialization problem related to FreeBSD not being able to wipe out a partition created with a Mac (EFI). This is really a Macintosh problem.

Solution is:

1. Use Disk Utility and erase the disk
2. Format a "free space" partition using DOS Label

Once you have done that you can then start using your disk properly and install whatever you want on it.

Thx.

On 19 March 2010 at 15:29, bsd wrote:

> Hello,
>
> I am bumping into an install problem due to the bsdlabel command not being able
> to be completed during the install.
> One solution might be to change the bsdlabel command…
>
> My question is:
>
> - Is there a way to escape the install procedure to issue a shell command and
> get back to the install?
> - If so what am I supposed to do?
>
> If not,
>
> - Where are the install scripts located on the LiveCD? Especially the one
> containing the
>
>> # bsdlabel -B -r -w ad0s1 auto
>
> that I would like to change to
>
> # bsdlabel -

Gregober - PGP ID 0x1BA3C2FD - bsd @at@ todoo.biz
[pfSense Support] Shell escape during LiveCD install
Hello,

I am bumping into an install problem due to the bsdlabel command not being able to be completed during the install. One solution might be to change the bsdlabel command…

My question is:

- Is there a way to escape the install procedure to issue a shell command and get back to the install?
- If so what am I supposed to do?

If not,

- Where are the install scripts located on the LiveCD? Especially the one containing the

> # bsdlabel -B -r -w ad0s1 auto

that I would like to change to

# bsdlabel -Bw ad0s1

Thanks for your support.

Gregober - PGP ID 0x1BA3C2FD - bsd @at@ todoo.biz
[pfSense Support] Parameter to modify PPTP inactivity timeout
Hello,

Can someone let me know if there is a way to reset the default timeout for PPTP on pfSense. It looks like the default timeout is set to something like 5 min and I'd like to set a much longer period.

Which file / config parameter should I modify?

Thanks.

Gregober - PGP ID 0x1BA3C2FD - bsd @at@ todoo.biz
[pfSense Support] Squid Guard with Alix box 1.2.3 embedded
Hello,

I wanted to know if it was OK to install the SquidGuard package with an embedded version of pfSense working on NanoBSD? I plan to deploy it on an Alix board…

As the system is mounted RO… I am not certain this will be the best setting. Will this still be OK, or do you have any other suggestion?

What is your advice?

Thanks.

Gregober - PGP ID 0x1BA3C2FD - bsd @at@ todoo.biz
[pfSense Support] How to set timeout option in PPTP
Hello,

One of my clients is asking me how to tune the timeout parameters in PPTP. When a client stays idle for a certain amount of time, the server disconnects automatically… He would like to be able to tune that parameter…

Any idea??

Thanks.

Gregober - PGP ID 0x1BA3C2FD - bsd @at@ todoo.biz
[pfSense Support] Support for EP80579 Intel Tolapai proc
Hello,

We have been provided with an embedded appliance that includes the latest EP80579 (Tolapai), and the default tests we have made showed that the processor is not recognized yet by the default kernel.

Do you know if there is any plan to add this proc to the list of supported HW?

From my various reading there is a good support Howto for this proc provided by Intel here: http://downloadmirror.intel.com/17283/eng/320152.pdf

How and when will pfSense allow support for this hardware? It really looks promising.

Thanks for your info / support.

More info here about that proc: http://www.intel.com/design/intarch/ep80579/index.htm?iid=ipp_embed+proc_EP80579_proc

Gregober - PGP ID 0x1BA3C2FD - bsd @at@ todoo.biz
[pfSense Support] Switching to serial console during the boot
Hello,

I am working on setting up a couple of high-end firewalls based on Advantech hardware: http://www.osnet.eu/en/content/opensource-firewall-fwa-3140

Everything goes well if we use the embedded version of the OS: info is displayed correctly on the console during the boot, and afterwards, when the pfSense menu is displayed, the user can input data at any stage.

If I install a full version, then I only have info up to a certain point (early boot of the OS); after that, nothing is displayed on the console port… but everything is mapped to the VGA port, which is located inside the firewall on these devices… I have to completely open the box to access the VGA port. Furthermore, it is very annoying for customers not to have full console access as this is the best emergency solution to use.

Would you please let me know which file(s) I have to copy from the embedded version to the full version in order to have the same console behavior on a full install?

Thank you very much.

Gregober - PGP ID 0x1BA3C2FD - bsd @at@ todoo.biz
Re: [pfSense Support] Pfsense 1.2.3 alix 2d13 IDE disk installation problem
This is really a weird setting! You are using a board that has been created and designed to work with Compact Flash. I think it is a bit "strange" to try to use it with an IDE drive.

I would suggest that you use an embedded image as described here: http://blog.pfsense.org/?p=472

Then you can decompress the image (make sure you grab an image with the right size: 1Go - 2Go - 4Go) and simply use dd to write the image to your CF card:

    # gunzip pfSense-1.2.3-1g-20090928-1005-nanobsd.img.gz
    # cat pfSense-1.2.3-1g-20090928-1005-nanobsd.img | dd of=/dev/disk1 bs=16k

After that all you have to do is put the card in your Alix 2d13 and boot… If you want to see the output, just connect to the card using the serial port. And that's it. I don't see why you are trying to use an IDE drive with this kind of hardware… ?

Bye

On 4 Oct 2009 at 18:36, ozan ucar wrote:

> Hi everyone,
>
> I have an alix 2d13 onboard. I need to install pfsense 1.2.3 on an IDE disk. http://forum.pfsense.org/index.php/topic,13509.0.html
>
> I'm installing: I change config.xml for the NIC LAN/WAN and edit /etc/fstab and replace all disk names with ad0. When the system boots, an error message:
> - http://www.cehturkiye.com/hpdiskerror.bmp
> - http://www.cehturkiye.com/hperrordisk2.bmp
> - http://www.cehturkiye.com/error.txt
>
> What should I do?

Grégory Bernard
www.OsNet.eu
PGP ID --> 0x1BA3C2FD
Re: [pfSense Support] Version Clarification and Routing Issue
Thanks, that worked. Is the OAN preferred over static routes, because either way I have to add a manual entry? Do you also happen to know why all my external trace routes resolve to the firewall and not the host?

-Phil

On Jul 23, 2009, at 12:34 PM, Chris Buechler wrote:

> On Thu, Jul 23, 2009 at 1:24 PM, bsd...@gmail.com wrote:
>> hi, first, i am a little confused at the versions of pfsense. currently i'm running pfsense 1.2.3-RC1 built back in April of 09. it's not clear to me where the 1.2.3 branch stands or what is the latest version of 1.2.3 that i should be running.
>
> Stick with RC1 until there's an official RC2.
>
>> secondly, my pfsense (1.2.3-RC1) has RIP enabled and has several routers behind it also using RIP. all network traffic works correctly on the LAN but i'm not able to ping out to the internet from the routers unless i add static routes on pfsense. it appears that pfsense is getting the advertised routes via RIP as i can see them in the routing table.
>
> When you add static routes it adjusts the auto generated NAT rules. You need to manually define outbound NAT with dynamic routing.
[pfSense Support] Version Clarification and Routing Issue
hi,

first, i am a little confused at the versions of pfsense. currently i'm running pfsense 1.2.3-RC1 built back in April of 09. it's not clear to me where the 1.2.3 branch stands or what is the latest version of 1.2.3 that i should be running.

secondly, my pfsense (1.2.3-RC1) has RIP enabled and has several routers behind it also using RIP. all network traffic works correctly on the LAN but i'm not able to ping out to the internet from the routers unless i add static routes on pfsense. it appears that pfsense is getting the advertised routes via RIP as i can see them in the routing table.

any information is greatly appreciated.

thanks,
phil
[pfSense Support] Filtering streaming - peer to peer - instant messaging
Hello,

I am about to answer a public tender and am looking for a reliable open-source filtering solution. I need to filter layers 3 and 4 of the TCP/IP stack (TCP and application layer), especially for streams such as peer to peer - IM - streaming - virus.

I was wondering if pfSense could do this kind of packet inspection work and how (from my reading it looks like the answer is "no"). Maybe there are some third party solutions that could be incorporated and used… If not I would be interested in a pointer to another open-source project with similar facilities.

Any experience feedback is also very welcome.

Thanks for your support.

Gregober ---> PGP ID --> 0x1BA3C2FD bsd @at@ todoo.biz
Re: [pfSense Support] Zabbix Agent package on 1.2.1
Last minute update! Since yesterday and the release of zabbix-1.6_1,1, the problems described here under have been patched and corrected. The only problem is if you activate the "jabber media type" in the options. So this is quite good news.

On 7 Jan 2009 at 12:12, bsd wrote:

> Hi folks,
>
> Still one day behind (jet lag from Paris, France)… Anyway I am using Zabbix in production on FreeBSD servers (6.3p7 - 6.4p1 - 7.0p7) since a couple of months… and I have a very precise overview of what's working and what's broken.
>
> The main problem with zabbix (server and client) is that the startup script does not work correctly; in fact the process stays in memory (shared memory) without being removed on "stop". This can be easily seen using commands such as these:
>
>     # /usr/local/etc/rc.d/zabbix_agentd start
>     # /usr/local/etc/rc.d/zabbix_agentd status
>     # /usr/local/etc/rc.d/zabbix_agentd stop
>     # /usr/local/etc/rc.d/zabbix_agentd status
>
> This will quite obviously start and stop zabbix with a little check between the two to see if everything is ok. The second status will show no processes, but if you try to start it again, well, it simply won't!! Took me a while to realize why; in fact the process is still loaded in shared memory. You can check that with this command:
>
>     # ipcs
>     Message Queues:
>     T     ID     KEY        MODE        OWNER  GROUP
>
>     Shared Memory:
>     T     ID     KEY        MODE        OWNER  GROUP
>     m 131073 2052509788 --rw-rw-rw- zabbix zabbix
>
>     Semaphores:
>     T     ID     KEY        MODE        OWNER  GROUP
>     s 196611 2052509788 --rw-rw-rw- zabbix zabbix
>
> To make a clean "stop" just issue these commands:
>
>     # ipcrm -S 2052509788
>     # ipcrm -M 2052509788
>     # ipcs
>
> The numbers following the -S and -M have to be taken from the output of the "ipcs" command. "ipcs" should show you no process at all now. You will then be able to start it properly.
>
> A bit of tuning then to increase the shared memory (generally needed in the first place)…
>
>     # sysctl -w kern.ipc.shmall=16384
>
> This is the unfortunate way of running zabbix (client & server) on FreeBSD.
>
> Beside these startup / memory related problems, I have had no particular problem with any aspect of the product… Tuning is needed to suit your precise needs, but this is done in a much easier way than on any other product I have tested (including: Nagios, Hobbit)… The details / analysis obtained with zabbix are quite impressive. I would really love to see hobbit on PFSense…
>
> I don't know if this will be corrected anytime soon; I have warned the person in charge of the port, but so far nothing has been done (I am unfortunately not good enough to dig in the code and correct these problems)…
>
> Sincerely yours.
>
> On 6 Jan 2009 at 20:20, Gary Buckmaster wrote:
>
>> Is there anyone here who is actually using Zabbix in production and monitoring FreeBSD boxes with it? I know it looks like a shiny toy, but I'm telling you that the reality is far less. The monitoring is limited at best for linux, and almost completely unusable without major customization for FreeBSD. I agree that having a nice centralized monitoring system to use with pfSense would be nice, but our extensive experience evaluating Zabbix led us to the conclusion that it's not ready for prime time.
>
> Gregober ---> PGP ID --> 0x1BA3C2FD bsd @at@ todoo.biz

Gregober ---> PGP ID --> 0x1BA3C2FD bsd @at@ todoo.biz
[pfSense Support] Secondary IP range for WAN & LAN
Hello,

I have requested and obtained from my hosting company a new range of public IPs. How can I configure pfSense to use these, knowing that they will be routed on the same physical cable as my previous IPs (WAN if)? In other words the WAN interface will have to have two IPs… and my firewall is configured as a "transparent" filtering bridge. This means that the IPs will also have to be available on the LAN if.

Any clue on how to realize that will be welcome.

Thanks for your support.

Gregober ---> PGP ID --> 0x1BA3C2FD bsd @at@ todoo.biz
Re: [pfSense Support] Zabbix Agent package on 1.2.1
Hi folks,

Still one day behind (jet lag from Paris, France)… Anyway I am using Zabbix in production on FreeBSD servers (6.3p7 - 6.4p1 - 7.0p7) since a couple of months… and I have a very precise overview of what's working and what's broken.

The main problem with zabbix (server and client) is that the startup script does not work correctly; in fact the process stays in memory (shared memory) without being removed on "stop". This can be easily seen using commands such as these:

    # /usr/local/etc/rc.d/zabbix_agentd start
    # /usr/local/etc/rc.d/zabbix_agentd status
    # /usr/local/etc/rc.d/zabbix_agentd stop
    # /usr/local/etc/rc.d/zabbix_agentd status

This will quite obviously start and stop zabbix with a little check between the two to see if everything is ok. The second status will show no processes, but if you try to start it again, well, it simply won't!! Took me a while to realize why; in fact the process is still loaded in shared memory. You can check that with this command:

    # ipcs
    Message Queues:
    T     ID     KEY        MODE        OWNER  GROUP

    Shared Memory:
    T     ID     KEY        MODE        OWNER  GROUP
    m 131073 2052509788 --rw-rw-rw- zabbix zabbix

    Semaphores:
    T     ID     KEY        MODE        OWNER  GROUP
    s 196611 2052509788 --rw-rw-rw- zabbix zabbix

To make a clean "stop" just issue these commands:

    # ipcrm -S 2052509788
    # ipcrm -M 2052509788
    # ipcs

The numbers following the -S and -M have to be taken from the output of the "ipcs" command. "ipcs" should show you no process at all now. You will then be able to start it properly.

A bit of tuning then to increase the shared memory (generally needed in the first place)…

    # sysctl -w kern.ipc.shmall=16384

This is the unfortunate way of running zabbix (client & server) on FreeBSD.

Beside these startup / memory related problems, I have had no particular problem with any aspect of the product… Tuning is needed to suit your precise needs, but this is done in a much easier way than on any other product I have tested (including: Nagios, Hobbit)… The details / analysis obtained with zabbix are quite impressive. I would really love to see hobbit on PFSense…

I don't know if this will be corrected anytime soon; I have warned the person in charge of the port, but so far nothing has been done (I am unfortunately not good enough to dig in the code and correct these problems)…

Sincerely yours.

On 6 Jan 2009 at 20:20, Gary Buckmaster wrote:

> Is there anyone here who is actually using Zabbix in production and monitoring FreeBSD boxes with it? I know it looks like a shiny toy, but I'm telling you that the reality is far less. The monitoring is limited at best for linux, and almost completely unusable without major customization for FreeBSD. I agree that having a nice centralized monitoring system to use with pfSense would be nice, but our extensive experience evaluating Zabbix led us to the conclusion that it's not ready for prime time.

Gregober ---> PGP ID --> 0x1BA3C2FD bsd @at@ todoo.biz
Re: [pfSense Support] NAT Reflection States
ahh, i see now.

On Nov 18, 2008, at 5:35 PM, Scott Ullrich wrote:

> On Tue, Nov 18, 2008 at 6:32 PM, Dimitri Rodis <[EMAIL PROTECTED]> wrote:
>> How long will pfSense hold onto the states required to maintain a tcp connection/udp "session", and can this be changed? It seems like connections on my network that are utilizing NAT reflection are timing out extremely fast (like 20 seconds or less). The firewall optimization is set to "conservative." This is only a guess, but it's the only thing that I can think of that makes sense based on the behavior I'm experiencing. (RDP sessions timing out and constantly reconnecting, and uploading changes to websites via sharepoint server extensions are all timing out, long transfers between mail servers as well).
>
> From /etc/inc/filter.inc:
>
>     if($config['system']['reflectiontimeout'])
>         $reflectiontimeout = $config['system']['reflectiontimeout'];
>     else
>         $reflectiontimeout = "2000";
>
> You can set an override with
>
> Scott
Re: [pfSense Support] NAT Reflection States
go to 'systems', 'advanced functions', and check out: Firewall Optimization Options. you can change the timing there. i'm not sure as to the exact timing. i believe this has to do with freebsd's implementation of tcp/ip??

-phil

On Nov 18, 2008, at 5:32 PM, Dimitri Rodis wrote:

> How long will pfSense hold onto the states required to maintain a tcp connection/udp "session", and can this be changed? It seems like connections on my network that are utilizing NAT reflection are timing out extremely fast (like 20 seconds or less). The firewall optimization is set to "conservative." This is only a guess, but it's the only thing that I can think of that makes sense based on the behavior I'm experiencing. (RDP sessions timing out and constantly reconnecting, and uploading changes to websites via sharepoint server extensions are all timing out, long transfers between mail servers as well).
>
> Dimitri Rodis
> Integrita Systems LLC
[pfSense Support] WAN / LAN configuration public IPs no NAT
Hello folks,

I plan to use pfSense as a firewall on my hosting facility and maybe use some advanced functions later on. For the moment my concern is to get things up and working.

I have a /28 network that has been given to me and another one on a different class of IPs. Today it is working with a Sonicwall that I am planning to replace with a pfSense device. My concern is to configure the interfaces correctly to filter and have the best performance possible.

My network is as follows:

    network:   87.89.20.96/28
    netmask:   255.255.255.240
    broadcast: 87.89.20.111
    gateway:   87.89.20.110 or 109

On the same ethernet link (from my ISP) a new range of IPs has been attributed to me: 212.211.152.0/28

    network:   212.211.152.0
    netmask:   255.255.255.240
    broadcast: 212.211.152.15
    gateway:   212.211.152.1

My question is how I should configure my pfSense device to use that properly. I don't want to NAT anything, just filter packets to my servers that will be using "public IPs".

Thanks for your support.

Gregober ---> PGP ID --> 0x1BA3C2FD bsd @at@ todoo.biz
Re: [pfSense Support] syslogd stuck at 100% cpu
Which is probably why I haven't seen it since upgrading :)

-Phil G

On Oct 28, 2008, at 11:03 AM, "Scott Ullrich" <[EMAIL PROTECTED]> wrote:

> On 10/28/08, Ian Levesque <[EMAIL PROTECTED]> wrote:
>> Hello,
>>
>> I'm running 1.2.1-RC1 (built on Sat Sep 13 03:53:42 EDT 2008). After about 10 days of uptime, I noticed that logs were becoming stale. It turns out that all logging functionality stopped yesterday evening. In dmesg, the last messages are:
>>
>>     pid 20276 (clog), uid 0: exited on signal 11 (core dumped)
>>     pid 20281 (clog), uid 0: exited on signal 11 (core dumped)
>>
>> I then noticed that the syslogd process is using 100% CPU:
>>
>>     USER PID %CPU %MEM  VSZ  RSS TT STAT STARTED    TIME       COMMAND
>>     root 217 100.0  0.1 3236 1096 ?? Rs   16Oct08 1083:50.92 /usr/sbin/syslogd -ss -f /var/etc/syslog.conf
>>
>> I tried to hup the proc but it wouldn't die, so I had to kill it and restart syslogd by hand. Any ideas on how to troubleshoot the cause of this further?
>>
>> Cheers,
>> Ian
>
> This is fixed in 1.2.1.
>
> Scott
Re: [pfSense Support] syslogd stuck at 100% cpu
Not that this helps but I have seen what you describe only while running in a VMware environment.

-Phil G

On Oct 28, 2008, at 10:45 AM, Ian Levesque <[EMAIL PROTECTED]> wrote:

> Hello,
>
> I'm running 1.2.1-RC1 (built on Sat Sep 13 03:53:42 EDT 2008). After about 10 days of uptime, I noticed that logs were becoming stale. It turns out that all logging functionality stopped yesterday evening. In dmesg, the last messages are:
>
>     pid 20276 (clog), uid 0: exited on signal 11 (core dumped)
>     pid 20281 (clog), uid 0: exited on signal 11 (core dumped)
>
> I then noticed that the syslogd process is using 100% CPU:
>
>     USER PID %CPU %MEM  VSZ  RSS TT STAT STARTED    TIME       COMMAND
>     root 217 100.0  0.1 3236 1096 ?? Rs   16Oct08 1083:50.92 /usr/sbin/syslogd -ss -f /var/etc/syslog.conf
>
> I tried to hup the proc but it wouldn't die, so I had to kill it and restart syslogd by hand. Any ideas on how to troubleshoot the cause of this further?
>
> Cheers,
> Ian
Re: [pfSense Support] OpenVPN super-slow upload speeds
Too bad it's for v10.5 only.

-Phil G

On Oct 25, 2008, at 3:41 PM, Paul M <[EMAIL PROTECTED]> wrote:

>> on OpenVPN from home - using Tunnelblick on my DSL (6mbit down 768 up).
>
> OT: we've started switching Mac OSX users to viscosity, much nicer/easier to use - a proper OSX application instead of a simple GUI to the openvpn executable. It will also import tunnelblick settings too. It does have a programming error whereby if you entered anything into X509 settings for CA use, it doesn't disable them if you switch to a shared key.
Re: [pfSense Support] OpenVPN super-slow upload speeds
here's a thought, you could setup iperf on your src machine and pfsense. then ssh into the pfsense box and see what speeds you're actually getting. that way you will at least know if it's openvpn or not.

-phil

On Oct 24, 2008, at 4:29 PM, JJB wrote:

>> Your architecture is somewhat unclear - do I correctly surmise that you have a pfSense server *somewhere* on a 3/3 connection, and that several users connect to it via OpenVPN?
>
> two pfsense servers using CARP for failover with a shared vip connected to a 3/3 pipe (two t1 lines bonded). Also a 10/1 dsl line. We have about 20 OpenVpn users, but rarely are all 20 connected, usually more like 3-5. I don't believe it is related to our ISP (AT&T managed internet services), or to my ISP at home (ATT DSL) or to the other complaining user's ISP (Comcast Business Class 2.5mbit upstream supposedly).
>
> Does anyone here know what Paul was talking about with PMTU in pfsense and where the setting is? Is this just an "allow ICMP on this interface" setting?
>
> - Joel
Re: [pfSense Support] Ipsec over LAN
yes, there are reasons and it must be encrypted.

thanks,
-phil

On Oct 14, 2008, at 5:11 PM, Gary Buckmaster wrote:

> Is there a particular reason you need this traffic to be encapsulated? At first blush, this would seem to be a pretty standard routing problem, easily solvable with static routes. Unless there's some very specific reason for needing the encryption.
>
> -Gary
>
> BSD Wiz wrote:
>> it's on my corporate network, both wan interfaces of the pfsense box are on the same private ip subnet. we built 2 labs using pfsense and now we want to connect the two labs. i haven't had any luck getting them to work yet... the reason i've asked the question is because i have several site to site vpn's over the internet up and running and never had any problems with them but i can't get this lan setup to work. so if i know it should work i'll keep playing with it.
>>
>> thanks,
>> -phil
>>
>> On Oct 14, 2008, at 4:30 PM, Chris Buechler wrote:
>>> On Tue, Oct 14, 2008 at 2:59 PM, BSD Wiz <[EMAIL PROTECTED]> wrote:
>>>> To be clear, both boxes' lans are different subnets of course but the WANs are on the same subnets.
>>>
>>> If they're on the same ISP with privately addressed WANs that will work, if they allow routing between customers. If it's two different ISPs you aren't going to be able to connect them with private WAN IPs since they aren't routable across the Internet.
Re: [pfSense Support] Ipsec over LAN
it's on my corporate network, both wan interfaces of the pfsense box are on the same private ip subnet. we built 2 labs using pfsense and now we want to connect the two labs. i haven't had any luck getting them to work yet... the reason i've asked the question is because i have several site to site vpn's over the internet up and running and never had any problems with them but i can't get this lan setup to work. so if i know it should work i'll keep playing with it.

thanks,
-phil

On Oct 14, 2008, at 4:30 PM, Chris Buechler wrote:

> On Tue, Oct 14, 2008 at 2:59 PM, BSD Wiz <[EMAIL PROTECTED]> wrote:
>> To be clear, both boxes' lans are different subnets of course but the WANs are on the same subnets.
>
> If they're on the same ISP with privately addressed WANs that will work, if they allow routing between customers. If it's two different ISPs you aren't going to be able to connect them with private WAN IPs since they aren't routable across the Internet.
Re: [pfSense Support] Ipsec over LAN
So you're saying that the wan interfaces on the boxes need diff subnets?

-Phil G

On Oct 14, 2008, at 1:49 PM, "Scott Ullrich" <[EMAIL PROTECTED]> wrote:

> On Tue, Oct 14, 2008 at 2:46 PM, BSD Wiz <[EMAIL PROTECTED]> wrote:
>> With 1.2 is it possible to connect two pfsense boxes on the same subnet via an ipsec tunnel? Both boxes' wan interfaces are private ip's.
>
> No, need different subnets.
>
> Scott
Re: [pfSense Support] Ipsec over LAN
To be clear, both boxes' lans are different subnets of course but the WANs are on the same subnets.

-Phil G

On Oct 14, 2008, at 1:49 PM, "Scott Ullrich" <[EMAIL PROTECTED]> wrote:

> On Tue, Oct 14, 2008 at 2:46 PM, BSD Wiz <[EMAIL PROTECTED]> wrote:
>> With 1.2 is it possible to connect two pfsense boxes on the same subnet via an ipsec tunnel? Both boxes' wan interfaces are private ip's.
>
> No, need different subnets.
>
> Scott
[pfSense Support] Ipsec over LAN
With 1.2 is it possible to connect two pfsense boxes on the same subnet via an ipsec tunnel? Both boxes' wan interfaces are private ip's.

Thanks
-Phil
Re: [pfSense Support] can't get to specific site(subaru.com)
i really appreciate your willingness to help me resolve this issue. i just found the culprit. it is the wireless access point that these machines are connecting to. it's a netgear wpn824 (rangemax). when i plug directly into the router or another switch on my network i can access the sites with no problems.

thanks,
-phil

On Oct 9, 2008, at 8:03 PM, Chris Buechler wrote:

> On Thu, Oct 9, 2008 at 8:44 PM, BSD Wiz <[EMAIL PROTECTED]> wrote:
>> so you're telling me that 3 host machines on my network running mac OS 10.4 and 10.5 tcp/ip stack is messed up?
>
> That would appear to be the case, yes. You have to have some sort of non-default settings on those hosts, most of our developers are Mac users and would have run into this long ago.
>
> If you can send me some capture files I'll take a look at what's happening on the wire. I'll need one for your inside interface and one for outside. Open two SSH sessions and run:
>
>     tcpdump -ni fxp0 -s 0 -w /tmp/wan.pcap host 1.2.3.4
>
> replacing fxp0 with your real WAN interface, and 1.2.3.4 with the public IP of the website you're having issues reaching. cisco.com is probably a better one as it has a 1 day TTL and subaru.com has a 5 minute TTL, at least on the responses I'm getting. Hence there's a chance subaru.com will resolve to a different IP at some point during the capture whereas cisco.com won't.
>
> second tcpdump is the same as above, substituting fxp0 with your LAN interface, and call that file lan.pcap. Then try to access the site from a couple problem machines about 5 times or so, waiting about 30 seconds between. When done, ctrl-c on both the tcpdumps. Then download both those files on the Diagnostics -> Command page and email to me offlist.
Re: [pfSense Support] can't get to specific site(subaru.com)
so you're telling me that 3 host machines on my network running mac OS 10.4 and 10.5 tcp/ip stack is messed up?

On Oct 9, 2008, at 7:26 PM, Ermal Luçi wrote:

> On Fri, Oct 10, 2008 at 2:01 AM, BSD Wiz <[EMAIL PROTECTED]> wrote:
>> going back a few weeks ago when i posted my issues getting to subaru.com.. i came across another site that i could not get to behind pfsense (cisco.com). i installed squid proxy and then i was able to get to subaru.com and cisco.com
>>
>> to refresh your memory, there are no rules blocking traffic on port 80, i'm on a cable modem, when on a shell on the firewall i can always telnet over port 80 to subaru.com but i cannot from my client machines. the client sends a syn but never receives the syn/ack from the firewall. however, the firewall does in fact get the syn/ack back from the webserver.
>>
>> finally to my question, what are your thoughts as to why the proxy being installed solved my issue?
>>
>> best,
>> -phil
>
> Its simple, as i said in a previous post problems might arise:
> 1- tcp mss
> 2- timestamps not handled correctly
> 3- sacks not handled properly by the receiving host
> 4- tcp options not correctly set by your host
> ...
> Basically any part of a tcp header the pf checks for a state. Now with squid that works cause the connection to the site is made directly from pfSense which does know how to handle its own packets. Mostly you seem to need more elaborate scrub rules for your hosts which i suspect are having problems with path mtu discovery (a guess).
>
> --
> Ermal
[pfSense Support] can't get to specific site(subaru.com)
going back a few weeks ago when i posted my issues getting to subaru.com.. i came across another site that i could not get to behind pfsense (cisco.com). i installed squid proxy and then i was able to get to subaru.com and cisco.com

to refresh your memory, there are no rules blocking traffic on port 80, i'm on a cable modem, when on a shell on the firewall i can always telnet over port 80 to subaru.com but i cannot from my client machines. the client sends a syn but never receives the syn/ack from the firewall. however, the firewall does in fact get the syn/ack back from the webserver.

finally to my question, what are your thoughts as to why the proxy being installed solved my issue?

best,
-phil
Re: [pfSense Support] multiple remote desktop connections/nat
That is the approach I will take. Thanks

-Phil G

On Oct 8, 2008, at 3:01 PM, "Michael Schuh" <[EMAIL PROTECTED]> wrote:

> If you can use different ports your chances are good.
>
>     say User A connects to ExternalIP:3389  -> forwarded to Host A:3389
>     say User B connects to ExternalIP:13389 -> forwarded to Host B:3389
>
> It's possible through the port-forward tab in NAT Rules
>
> cheers
> michael
>
> 2008/10/8 BSD Wiz <[EMAIL PROTECTED]>
>> Damn, I was afraid of that.
>>
>> -Phil G
>>
>> On Oct 8, 2008, at 2:36 PM, RB <[EMAIL PROTECTED]> wrote:
>>>> so user A can connect to host A behind pfsense box via port 3389 and user B can connect to host B via port 3389 behind the pfsense firewall and so on and so forth. what should be my approach?
>>>
>>> Install a Terminal Services Gateway. pfSense does not do policy-NAT, i.e. port-forwarding based on external source address.
>
> --
> Michael Schuh
Re: [pfSense Support] multiple remote desktop connections/nat
Damn, I was afraid of that.

-Phil G

On Oct 8, 2008, at 2:36 PM, RB <[EMAIL PROTECTED]> wrote:

>> so user A can connect to host A behind pfsense box via port 3389 and user B can connect to host B via port 3389 behind the pfsense firewall and so on and so forth. what should be my approach?
>
> Install a Terminal Services Gateway. pfSense does not do policy-NAT, i.e. port-forwarding based on external source address.
Re: [pfSense Support] any comment or need to worry about the recent TCP/IP DoS found by Outpost24?
Sorry, didn't mean to come off like an a-hole.

-Phil G

On Oct 3, 2008, at 10:43 AM, "Vivek Khera" <[EMAIL PROTECTED]> wrote:

> On Fri, Oct 3, 2008 at 11:06 AM, BSD Wiz <[EMAIL PROTECTED]> wrote:
>> And how could the dev team implement a fix if we don't know the specifics of the exploit? This will be something that the FreeBSD dev team will need to fix and I'm sure they will ASAP.
>
> So, I need to know everything you know or don't know to ask if you might know something?
Re: [pfSense Support] any comment or need to worry about the recent TCP/IP DoS found by Outpost24?
And how could the dev team implement a fix if we don't know the specifics of the exploit? This will be something that the FreeBSD dev team will need to fix and I'm sure they will ASAP.

-Phil G

On Oct 3, 2008, at 9:57 AM, "Vivek Khera" <[EMAIL PROTECTED]> wrote:

> I've read a lot about how Windows and Linux are vulnerable, but not much info regarding FreeBSD. Does anyone know how worried we should be? Any comment on possible corrective measures being implemented by the dev team?
Re: [pfSense Support] any comment or need to worry about the recent TCP/IP DoS found by Outpost24?
Yes, according to Robert Lee all versions of BSD including FreeBSD are affected. And they say going to IPv6 makes it even more vulnerable.

-Phil G

On Oct 3, 2008, at 9:57 AM, "Vivek Khera" <[EMAIL PROTECTED]> wrote:

> I've read a lot about how Windows and Linux are vulnerable, but not much info regarding FreeBSD. Does anyone know how worried we should be? Any comment on possible corrective measures being implemented by the dev team?
Re: [pfSense Support] Can't connect to subaru.com on port 80
The traffic is passed in from the WAN but the LAN interface never sends it out to my host.

-Phil G

On Oct 2, 2008, at 12:13 PM, Tim Nelson <[EMAIL PROTECTED]> wrote:

> Also, I assume your tcpdump was on the LAN interface, aka the network your client box is connected to? Run a tcpdump on the WAN and see what hits it...
>
> Tim Nelson
> Systems/Network Engineer
> Rockbochs Inc.
> (218)727-4332 x105
>
> ----- "Paul Mansfield" <[EMAIL PROTECTED]> wrote:
>> BSD Wiz wrote:
>>> Yep. Tcpdump. Traffic doesn't come back from fw.
>>>
>>> -Phil G
>>
>> so, the firewall is passing the traffic, web server responds but the originating computer never sees that response??!!
Re: [pfSense Support] Can't connect to subaru.com on port 80
No, the firewall does not pass the traffic.

-Phil G

On Oct 2, 2008, at 12:12 PM, Paul Mansfield <[EMAIL PROTECTED]> wrote:

> BSD Wiz wrote:
>> Yep. Tcpdump. Traffic doesn't come back from fw.
>>
>> -Phil G
>
> so, the firewall is passing the traffic, web server responds but the originating computer never sees that response??!!
Re: [pfSense Support] Can't connect to subaru.com on port 80
Yep. Tcpdump. Traffic doesn't come back from fw.

-Phil G

On Oct 2, 2008, at 11:10 AM, Sean Cavanaugh <[EMAIL PROTECTED]> wrote:

> have you run wireshark between the firewall and the system to see if it is actually entering the LAN traffic and might just be the mac screwing up?
>
>> From: [EMAIL PROTECTED]
>> To: support@pfsense.com
>> Date: Thu, 2 Oct 2008 10:53:31 -0500
>> Subject: Re: [pfSense Support] Can't connect to subaru.com on port 80
>>
>> This is a cable modem, and it works if I directly connect to my modem.
>>
>> -Phil G
>>
>> On Oct 2, 2008, at 10:45 AM, "Ermal Luçi" <[EMAIL PROTECTED]> wrote:
>>
>>> Open /etc/inc/filter.inc and search for pppoeclient:
>>> after 4 lines of that enter this
>>>
>>>     set iface enable tcpmssfix
>>>
>>> and retry connecting the pppoe and see if that fixes the problem.
>>> I was having the same problems with mail.yahoo/hotmail/msn messenger and some other sites on one installation and that fixed it.
>>> I think it's worth a try.
>>>
>>> Other than that it might be a timestamp handling issue on the client stack that is failing to open the site.
>>>
>>> On Thu, Oct 2, 2008 at 6:38 AM, BSD Wiz <[EMAIL PROTECTED]> wrote:
>>>> i know, i just want to check out the new wrx's and sti!!
>>>>
>>>> tried messing with the mtu without any luck.
>>>>
>>>> ok, here is tcpdump running on my pfsense firewall (unixbox.gnet). you can see my request to subaru.com and then the reply comes to the firewall but never gets passed to my computer. what's weird is the reset.
>>>>
>>>>     23:30:04.664256 IP UNIXBOX.gnet.49796 > subaru.com.http: S 1787975612:1787975612(0) win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 2090781090 0,sackOK,eol>
>>>>     23:30:04.710299 IP subaru.com.http > UNIXBOX.gnet.49796: S 2731372884:2731372884(0) ack 1787975613 win 4380 <mss 1460,nop,wscale 0,nop,nop,timestamp 311872670 2090781090,sackOK,eol>
>>>>     23:30:05.321055 IP 12.120.5.14.http > UNIXBOX.gnet.49740: R 2533320030:2533320030(0) ack 10685623 win 0
>>>>     23:30:07.420107 IP UNIXBOX.gnet.49796 > subaru.com.http: S 1787975612:1787975612(0) win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 2090781095 0,sackOK,eol>
>>>>
>>>> so in search of what the ip of the reset flag is i pointed my browser to it.
>>>>
>>>> so they are behind some type of load balancer but wtf??
>>>>
>>>> On Oct 1, 2008, at 11:30 PM, Bill Marquette wrote:
>>>>
>>>>> On Wed, Oct 1, 2008 at 11:12 PM, Chris Buechler <[EMAIL PROTECTED]> wrote:
>>>>>> On Wed, Oct 1, 2008 at 11:55 PM, BSD Wiz <[EMAIL PROTECTED]> wrote:
>>>>>>> yep, i looked at it using tcpdump. i just see syn packets going out the door, i never get any syn-acks back.
>>>>>>>
>>>>>>>     22:50:47.417326 IP unixbox.gnet.49330 > subaru.com.http: S 3917131801:3917131801(0) win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 2090776378 0,sackOK,eol>
>>>>>>
>>>>>> Have you tried lowering MTU on your WAN, or just on the problem machine? Doing it on the WAN will MSS clamp everything, so if this is limited to one machine I wouldn't do that. With the 1460 MSS that shows and likely 1500 MTU end to end, that should not be a problem. It's worth a shot though.
>>>>>
>>>>> Wouldn't explain no syn/ack's coming back. This would seem more like an upstream routing (or firewalling) issue to me. That, or a conspiracy against BSD Wiz and his desire to look at new cars.
>>>>>
>>>>> --Bill
>>>
>>> --
>>> Ermal
Re: [pfSense Support] Can't connect to subaru.com on port 80
This is a cable modem, and it works if I directly connect to my modem.

-Phil G

On Oct 2, 2008, at 10:45 AM, "Ermal Luçi" <[EMAIL PROTECTED]> wrote:

> Open /etc/inc/filter.inc and search for pppoeclient:
> after 4 lines of that enter this
>
>     set iface enable tcpmssfix
>
> and retry connecting the pppoe and see if that fixes the problem.
> I was having the same problems with mail.yahoo/hotmail/msn messenger and some other sites on one installation and that fixed it.
> I think it's worth a try.
>
> Other than that it might be a timestamp handling issue on the client stack that is failing to open the site.
>
> On Thu, Oct 2, 2008 at 6:38 AM, BSD Wiz <[EMAIL PROTECTED]> wrote:
>> i know, i just want to check out the new wrx's and sti!!
>>
>> tried messing with the mtu without any luck.
>>
>> ok, here is tcpdump running on my pfsense firewall (unixbox.gnet). you can see my request to subaru.com and then the reply comes to the firewall but never gets passed to my computer. what's weird is the reset.
>>
>>     23:30:04.664256 IP UNIXBOX.gnet.49796 > subaru.com.http: S 1787975612:1787975612(0) win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 2090781090 0,sackOK,eol>
>>     23:30:04.710299 IP subaru.com.http > UNIXBOX.gnet.49796: S 2731372884:2731372884(0) ack 1787975613 win 4380 <mss 1460,nop,wscale 0,nop,nop,timestamp 311872670 2090781090,sackOK,eol>
>>     23:30:05.321055 IP 12.120.5.14.http > UNIXBOX.gnet.49740: R 2533320030:2533320030(0) ack 10685623 win 0
>>     23:30:07.420107 IP UNIXBOX.gnet.49796 > subaru.com.http: S 1787975612:1787975612(0) win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 2090781095 0,sackOK,eol>
>>
>> so in search of what the ip of the reset flag is i pointed my browser to it.
>>
>> so they are behind some type of load balancer but wtf??
>>
>> On Oct 1, 2008, at 11:30 PM, Bill Marquette wrote:
>>
>>> On Wed, Oct 1, 2008 at 11:12 PM, Chris Buechler <[EMAIL PROTECTED]> wrote:
>>>> On Wed, Oct 1, 2008 at 11:55 PM, BSD Wiz <[EMAIL PROTECTED]> wrote:
>>>>> yep, i looked at it using tcpdump. i just see syn packets going out the door, i never get any syn-acks back.
>>>>>
>>>>>     22:50:47.417326 IP unixbox.gnet.49330 > subaru.com.http: S 3917131801:3917131801(0) win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 2090776378 0,sackOK,eol>
>>>>
>>>> Have you tried lowering MTU on your WAN, or just on the problem machine? Doing it on the WAN will MSS clamp everything, so if this is limited to one machine I wouldn't do that. With the 1460 MSS that shows and likely 1500 MTU end to end, that should not be a problem. It's worth a shot though.
>>>
>>> Wouldn't explain no syn/ack's coming back. This would seem more like an upstream routing (or firewalling) issue to me. That, or a conspiracy against BSD Wiz and his desire to look at new cars.
>>>
>>> --Bill
>
> --
> Ermal
Re: [pfSense Support] Can't connect to subaru.com on port 80
I never get a response from the firewall therefore I cannot connect via telnet over port 80. Telneting to the site from the de works but not from the client machine.

-Phil G

On Oct 2, 2008, at 4:14 AM, Paul Mansfield <[EMAIL PROTECTED]> wrote:

> try doing "telnet subaru.com 80", then "GET / HTTP/1.0" and hit return a few times. if you get a partial response which hangs part way, MTU should be suspected.
Re: [pfSense Support] Can't connect to subaru.com on port 80
No, there are not any drops in the logs.

-Phil G

On Oct 2, 2008, at 1:02 AM, "Chris Buechler" <[EMAIL PROTECTED]> wrote:

> On Thu, Oct 2, 2008 at 12:38 AM, BSD Wiz <[EMAIL PROTECTED]> wrote:
>> i know, i just want to check out the new wrx's and sti!!
>>
>> tried messing with the mtu without any luck.
>>
>> ok, here is tcpdump running on my pfsense firewall (unixbox.gnet). you can see my request to subaru.com and then the reply comes to the firewall but never gets passed to my computer. what's weird is the reset.
>>
>>     23:30:04.664256 IP UNIXBOX.gnet.49796 > subaru.com.http: S 1787975612:1787975612(0) win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 2090781090 0,sackOK,eol>
>>     23:30:04.710299 IP subaru.com.http > UNIXBOX.gnet.49796: S 2731372884:2731372884(0) ack 1787975613 win 4380 <mss 1460,nop,wscale 0,nop,nop,timestamp 311872670 2090781090,sackOK,eol>
>
> There's your missing SYN ACK. (Bill was right btw, I overlooked the fact that there's no way this could be frame size related given you weren't getting the SYN ACK which will be small)
>
> Seeing drops in your firewall logs?
>
>>     23:30:05.321055 IP 12.120.5.14.http > UNIXBOX.gnet.49740: R 2533320030:2533320030(0) ack 10685623 win 0
>
> This is part of a different connection, without more context it's hard to say for sure what that is, but RST ACK should be a response to a SYN saying "port closed". Of course that port isn't really closed, so it makes me wonder if there's some TCP related bug or configuration issue on one or both ends making it reject the connection.
Re: [pfSense Support] Can't connect to subaru.com on port 80
i know, i just want to check out the new wrx's and sti!!

tried messing with the mtu without any luck.

ok, here is tcpdump running on my pfsense firewall (unixbox.gnet). you can see my request to subaru.com and then the reply comes to the firewall but never gets passed to my computer. what's weird is the reset.

    23:30:04.664256 IP UNIXBOX.gnet.49796 > subaru.com.http: S 1787975612:1787975612(0) win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 2090781090 0,sackOK,eol>
    23:30:04.710299 IP subaru.com.http > UNIXBOX.gnet.49796: S 2731372884:2731372884(0) ack 1787975613 win 4380 <mss 1460,nop,wscale 0,nop,nop,timestamp 311872670 2090781090,sackOK,eol>
    23:30:05.321055 IP 12.120.5.14.http > UNIXBOX.gnet.49740: R 2533320030:2533320030(0) ack 10685623 win 0
    23:30:07.420107 IP UNIXBOX.gnet.49796 > subaru.com.http: S 1787975612:1787975612(0) win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 2090781095 0,sackOK,eol>

so in search of what the ip of the reset flag is i pointed my browser to it.

[attachment: Picture 3.png]

so they are behind some type of load balancer but wtf??

On Oct 1, 2008, at 11:30 PM, Bill Marquette wrote:

> On Wed, Oct 1, 2008 at 11:12 PM, Chris Buechler <[EMAIL PROTECTED]> wrote:
>> On Wed, Oct 1, 2008 at 11:55 PM, BSD Wiz <[EMAIL PROTECTED]> wrote:
>>> yep, i looked at it using tcpdump. i just see syn packets going out the door, i never get any syn-acks back.
>>>
>>>     22:50:47.417326 IP unixbox.gnet.49330 > subaru.com.http: S 3917131801:3917131801(0) win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 2090776378 0,sackOK,eol>
>>
>> Have you tried lowering MTU on your WAN, or just on the problem machine? Doing it on the WAN will MSS clamp everything, so if this is limited to one machine I wouldn't do that. With the 1460 MSS that shows and likely 1500 MTU end to end, that should not be a problem. It's worth a shot though.
>
> Wouldn't explain no syn/ack's coming back. This would seem more like an upstream routing (or firewalling) issue to me. That, or a conspiracy against BSD Wiz and his desire to look at new cars.
>
> --Bill
Re: [pfSense Support] Can't connect to subaru.com on port 80
yep, i looked at it using tcpdump. i just see syn packets going out the door, i never get any syn-acks back.

    22:50:47.417326 IP unixbox.gnet.49330 > subaru.com.http: S 3917131801:3917131801(0) win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 2090776378 0,sackOK,eol>
    22:50:50.029787 IP unixbox.gnet.49330 > subaru.com.http: S 3917131801:3917131801(0) win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 2090776383 0,sackOK,eol>
    22:50:53.030621 IP unixbox.gnet.49330 > subaru.com.http: S 3917131801:3917131801(0) win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 2090776389 0,sackOK,eol>
    22:50:56.031286 IP unixbox.gnet.49330 > subaru.com.http: S 3917131801:3917131801(0) win 65535
    22:50:59.031963 IP unixbox.gnet.49330 > subaru.com.http: S 3917131801:3917131801(0) win 65535
    22:51:02.032747 IP unixbox.gnet.49330 > subaru.com.http: S 3917131801:3917131801(0) win 65535
    22:51:08.034028 IP unixbox.gnet.49330 > subaru.com.http: S 3917131801:3917131801(0) win 65535
    22:51:20.036611 IP unixbox.gnet.49330 > subaru.com.http: S 3917131801:3917131801(0) win 65535
    22:51:44.041918 IP unixbox.gnet.49330 > subaru.com.http: S 3917131801:3917131801(0) win 65535

On Oct 1, 2008, at 10:39 PM, Chris Buechler wrote:

> On Wed, Oct 1, 2008 at 11:18 PM, BSD Wiz <[EMAIL PROTECTED]> wrote:
>> yeah, 1.2 doesn't work either. the problem does in fact appear to only affect certain hosts as other machines on my network can reach the site. specifically, an iphone and freebsd server.
>
> time to break out Wireshark and/or tcpdump.
Re: [pfSense Support] Can't connect to subaru.com on port 80
no, macs, 10.4 and 10.5 tried it on both, neither works.

-phil

On Oct 1, 2008, at 10:27 PM, Scott Ullrich wrote:

> On Wed, Oct 1, 2008 at 11:18 PM, BSD Wiz <[EMAIL PROTECTED]> wrote:
>> yeah, 1.2 doesn't work either. the problem does in fact appear to only affect certain hosts as other machines on my network can reach the site. specifically, an iphone and freebsd server.
>
> Is the client vista? If so, try disabling IPV6.
>
> Scott
Re: [pfSense Support] Can't connect to subaru.com on port 80
yeah, 1.2 doesn't work either. the problem does in fact appear to only affect certain hosts as other machines on my network can reach the site. specifically, an iphone and freebsd server.

-phil

On Oct 1, 2008, at 10:04 PM, Chris Buechler wrote:

> On Wed, Oct 1, 2008 at 9:23 PM, BSD Wiz <[EMAIL PROTECTED]> wrote:
>> do you guys think i should revert back to version 1.2 and test it?
>
> I would say there isn't a good chance that would change anything, but someone seems to be reporting a similar problem on the forum that reportedly didn't exist in 1.2.
> http://forum.pfsense.org/index.php/topic,11847.0.html
>
> Different symptom, it sounds like it could be the same cause though, blackholing packets > X bytes. It could also be entirely unrelated.
>
> You can downgrade to 1.2 using the full update file for 1.2 release.
Re: [pfSense Support] Can't connect to subaru.com on port 80
do you guys think i should revert back to version 1.2 and test it?

-phil

On Oct 1, 2008, at 6:59 PM, Chris Buechler wrote:

> On Wed, Oct 1, 2008 at 7:00 PM, Tim Nelson <[EMAIL PROTECTED]> wrote:
>> Are you blocking any ICMP traffic? PMTU (MTU path discovery) relies on ICMP to automagically determine the proper MTU... On nearly all of my installations, I'm blocking EVERYTHING including ICMP on the WAN and PMTU still works fine. Maybe you have it blocked elsewhere?
>
> pf's state keeping allows any associated reply traffic, which includes the requisite traffic for PMTUD.
Re: [pfSense Support] Can't connect to subaru.com on port 80
no luck with the any any rule either. same thing. this is really strange. i'll keep poking around. thanks again gents.

-phil

On Oct 1, 2008, at 6:15 PM, Tim Nelson wrote:

> Turn logging on for your last rule on your LAN that drops all otherwise specified traffic. Your logs should show something useful... Or, for "gits and shiggles" put a nice big "Allow all traffic all protocols all ports from anywhere to anywhere" rule on your LAN to see if your connectivity to subaru.com changes... and of course don't forget to remove it when you're done... :-)
>
> Tim Nelson
> Systems/Network Engineer
> Rockbochs Inc.
> (218)727-4332 x105
>
> ----- "BSD Wiz" wrote:
>> sure, but i'm not filtering traffic on port 80 by IP and all www traffic seems to work fine. please let me know if you prefer this in another format.
>> this has me stumped...
>>
>> thanks!
>> -phil
>>
>> here's the WAN Rules;
>>
Re: [pfSense Support] Can't connect to subaru.com on port 80
looks normal.

    tcp 67.202.194.73:80 <- 172.16.0.25:49657       SYN_SENT:ESTABLISHED
    tcp 172.16.0.25:49657 -> 24.183.138.36:59156 -> 67.202.194.73:80       ESTABLISHED:SYN_SENT

there, now you all know my public ip :)

-phil

On Oct 1, 2008, at 6:30 PM, Curtis LaMasters wrote:

> What happens in your state table when users on the lan try to go to the site?
>
> Curtis LaMasters
> http://www.curtis-lamasters.com
> http://www.builtnetworks.com
>
> On Wed, Oct 1, 2008 at 6:29 PM, BSD Wiz <[EMAIL PROTECTED]> wrote:
>> i can only telnet to port 80 from the pfsense box. i cannot telnet from my machines on the lan. if i try and ping subaru.com it resolves to 67.202.194.73 but it seems that they drop ICMP traffic.
>>
>> thanks,
>> -phil
>>
>> On Oct 1, 2008, at 6:24 PM, Curtis LaMasters wrote:
>>> Can you telnet to port 80 to subaru.com? What IP do you get if you ping it. I get 67.202.194.73.
>>>
>>> Curtis LaMasters
>>> http://www.curtis-lamasters.com
>>> http://www.builtnetworks.com
>>>
>>> On Wed, Oct 1, 2008 at 6:19 PM, Tim Nelson <[EMAIL PROTECTED]> wrote:
>>>> And a big 'Sorry' to the list for not removing that huge chunk of XML from my reply... :-(
>>>>
>>>> Tim Nelson
>>>> Systems/Network Engineer
>>>> Rockbochs Inc.
>>>> (218)727-4332 x105
>>>>
>>>> ----- "Tim Nelson" wrote:
>>>>> Turn logging on for your last rule on your LAN that drops all otherwise specified traffic. Your logs should show something useful...
>>>>> Or, for "gits and shiggles" put a nice big "Allow all traffic all protocols all ports from anywhere to anywhere" rule on your LAN to see if your connectivity to subaru.com changes... and of course don't forget to remove it when you're done... :-)
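A reading note on the two pfctl lines above, then a worked check. In pfctl -ss output the pair of TCP states is printed in the order of the two hosts on that line, so ESTABLISHED:SYN_SENT on the "->" entry and SYN_SENT:ESTABLISHED on the "<-" entry are the same state seen from both sides: pf has processed the client's SYN and the server's SYN-ACK but has never seen the client's final ACK. A SYN that gets no answer at all shows SYN_SENT:CLOSED, and a finished handshake ESTABLISHED:ESTABLISHED. So the state table agrees with the capture in the earlier message: the reply did reach the firewall, and the open question is whether it left on the LAN side, which only a capture on that interface settles. The script below, added here and not part of the thread, makes that two-interface comparison repeatable. It parses tcpdump's text output from the WAN and LAN sides and reports the hop at which the handshake stalls. The WAN sample is the capture posted in the thread; the LAN sample, the hostname macbook.gnet, the client port on that side and the interface names em0/em1 are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies a stalled TCP handshake
# from tcpdump text captured on the WAN and LAN sides of the firewall.
#
# Live use on the firewall (not run here), assuming em0 = WAN, em1 = LAN:
#   tcpdump -ni em0 host 67.202.194.73 and port 80 > /tmp/wan.txt
#   tcpdump -ni em1 host 67.202.194.73 and port 80 > /tmp/lan.txt
#   pfctl -ss | grep 67.202.194.73
# With -n the server endpoint prints as 67.202.194.73.80; pass that string
# to handshake_summary instead of subaru.com.http. Matching is done on the
# server endpoint because NAT rewrites the client port between the two sides.

# WAN sample: the capture posted in the thread (TCP options reconstructed).
WAN_SAMPLE='23:30:04.664256 IP UNIXBOX.gnet.49796 > subaru.com.http: S 1787975612:1787975612(0) win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 2090781090 0,sackOK,eol>
23:30:04.710299 IP subaru.com.http > UNIXBOX.gnet.49796: S 2731372884:2731372884(0) ack 1787975613 win 4380 <mss 1460,nop,wscale 0,nop,nop,timestamp 311872670 2090781090,sackOK,eol>
23:30:05.321055 IP 12.120.5.14.http > UNIXBOX.gnet.49740: R 2533320030:2533320030(0) ack 10685623 win 0
23:30:07.420107 IP UNIXBOX.gnet.49796 > subaru.com.http: S 1787975612:1787975612(0) win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 2090781095 0,sackOK,eol>'

# LAN sample: CONSTRUCTED for this example. The client's SYNs (pre-NAT port
# 49234) leave, and no SYN-ACK is ever forwarded back to it.
LAN_SAMPLE='23:30:04.664101 IP macbook.gnet.49234 > subaru.com.http: S 1787975612:1787975612(0) win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 2090781090 0,sackOK,eol>
23:30:07.419980 IP macbook.gnet.49234 > subaru.com.http: S 1787975612:1787975612(0) win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 2090781095 0,sackOK,eol>'

# handshake_summary SERVER_ENDPOINT < capture
# For one server endpoint in old-style tcpdump output (flags field right
# after "dst:"), count SYNs sent to it, SYN-ACKs received from it and bare
# ACKs sent to it. Lines for other endpoints, such as the RST from
# 12.120.5.14 on a different connection, are ignored.
handshake_summary() {
    awk -v srv="$1" '
        $2 == "IP" && $5 == (srv ":") && $6 == "S" && $8 != "ack" { syn++ }
        $2 == "IP" && $3 == srv        && $6 == "S" && $8 == "ack" { synack++ }
        $2 == "IP" && $5 == (srv ":") && $6 == "."                 { ack++ }
        END { printf "syn=%d synack=%d ack=%d\n", syn + 0, synack + 0, ack + 0 }'
}

# field NAME "syn=2 synack=1 ack=0" -> value of NAME
field() {
    printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s/^$1=//p"
}

# diagnose WAN_SUMMARY LAN_SUMMARY -> where the handshake stalls, checked in
# the order the thread walked through it.
diagnose() {
    wan_syn=$(field syn "$1")
    wan_synack=$(field synack "$1")
    lan_synack=$(field synack "$2")
    if [ "$wan_syn" -eq 0 ]; then
        echo "no SYN left via WAN: outbound rule or NAT problem"
    elif [ "$wan_synack" -eq 0 ]; then
        echo "SYN left, no SYN-ACK returned: upstream routing or remote filtering"
    elif [ "$lan_synack" -eq 0 ]; then
        echo "SYN-ACK reached WAN but not LAN: firewall dropped or mis-NATed the reply"
    else
        echo "SYN-ACK reached LAN: suspect the client host or its stack"
    fi
}

wan=$(printf '%s\n' "$WAN_SAMPLE" | handshake_summary subaru.com.http)
lan=$(printf '%s\n' "$LAN_SAMPLE" | handshake_summary subaru.com.http)
echo "WAN: $wan"
echo "LAN: $lan"
diagnose "$wan" "$lan"
```

When the verdict is "reached WAN but not LAN", the next things to look at on the firewall are the state's interface binding and the reply-to/route-to handling for that state; when it is "no SYN-ACK returned", the firewall is out of the picture and the question moves upstream, which is the case Bill argued for before the second capture showed the SYN-ACK.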
Re: [pfSense Support] Can't connect to subaru.com on port 80
already did. if i plug directly into my cable modem i can get there.. plus i can telnet from the pfsense box to subaru.com over port 80.

-phil

On Oct 1, 2008, at 6:30 PM, [EMAIL PROTECTED] wrote:

> Check with your upstream provider, to make sure they are not blocking it.. Or you can check yourself by bypassing the firewall.
>
> Adam
>
> BSD Wiz wrote:
>> logging is already turned on for the drop all rule. it doesn't show anything getting blocked when i go to subaru.com. let me try the any to any rule.
>>
>> thanks!
>> -phil
>>
>> On Oct 1, 2008, at 6:19 PM, Tim Nelson wrote:
>>> And a big 'Sorry' to the list for not removing that huge chunk of XML from my reply... :-(
>>>
>>> Tim Nelson
>>> Systems/Network Engineer
>>> Rockbochs Inc.
>>> (218)727-4332 x105
>>>
>>> ----- "Tim Nelson" wrote:
>>>> Turn logging on for your last rule on your LAN that drops all otherwise specified traffic. Your logs should show something useful...
>>>> Or, for "gits and shiggles" put a nice big "Allow all traffic all protocols all ports from anywhere to anywhere" rule on your LAN to see if your connectivity to subaru.com changes... and of course don't forget to remove it when you're done... :-)
Re: [pfSense Support] Can't connect to subaru.com on port 80
i can only telnet to port 80 from the pfsense box. i cannot telnet from my machines on the lan. if i try and ping subaru.com it resolves to 67.202.194.73 but it seems that they drop ICMP traffic.

thanks,
-phil

On Oct 1, 2008, at 6:24 PM, Curtis LaMasters wrote:

> Can you telnet to port 80 to subaru.com? What IP do you get if you ping it. I get 67.202.194.73.
>
> Curtis LaMasters
> http://www.curtis-lamasters.com
> http://www.builtnetworks.com
>
> On Wed, Oct 1, 2008 at 6:19 PM, Tim Nelson <[EMAIL PROTECTED]> wrote:
>> And a big 'Sorry' to the list for not removing that huge chunk of XML from my reply... :-(
>>
>> Tim Nelson
>> Systems/Network Engineer
>> Rockbochs Inc.
>> (218)727-4332 x105
>>
>> ----- "Tim Nelson" wrote:
>>> Turn logging on for your last rule on your LAN that drops all otherwise specified traffic. Your logs should show something useful...
>>> Or, for "gits and shiggles" put a nice big "Allow all traffic all protocols all ports from anywhere to anywhere" rule on your LAN to see if your connectivity to subaru.com changes... and of course don't forget to remove it when you're done... :-)
Re: [pfSense Support] Can't connect to subaru.com on port 80
logging is already turned on for the drop all rule. it doesn't show anything getting blocked when i go to subaru.com. let me try the any to any rule.

thanks!
-phil

On Oct 1, 2008, at 6:19 PM, Tim Nelson wrote:

> And a big 'Sorry' to the list for not removing that huge chunk of XML from my reply... :-(
>
> Tim Nelson
> Systems/Network Engineer
> Rockbochs Inc.
> (218)727-4332 x105
>
> ----- "Tim Nelson" wrote:
>> Turn logging on for your last rule on your LAN that drops all otherwise specified traffic. Your logs should show something useful...
>> Or, for "gits and shiggles" put a nice big "Allow all traffic all protocols all ports from anywhere to anywhere" rule on your LAN to see if your connectivity to subaru.com changes... and of course don't forget to remove it when you're done... :-)
Re: [pfSense Support] Can't connect to subaru.com on port 80
yes, i block ICMP inbound at the WAN.

-phil

On Oct 1, 2008, at 6:00 PM, Tim Nelson wrote:

> Are you blocking any ICMP traffic? PMTU (MTU path discovery) relies on ICMP to automagically determine the proper MTU... On nearly all of my installations, I'm blocking EVERYTHING including ICMP on the WAN and PMTU still works fine. Maybe you have it blocked elsewhere?
>
> Just a thought...
>
> Tim Nelson
> Systems/Network Engineer
> Rockbochs Inc.
> (218)727-4332 x105
>
> ----- "Tim Dickson" <[EMAIL PROTECTED]> wrote:
>> I had this same issue with fedex.com a while back
>> Adjusted mtu, did a fresh install, never could find a solution... one day it started working again. (weird thing was half our clients could connect and half could not.)
>> -Tim
>>
>> -----Original Message-----
>> From: Tim Nelson [mailto:[EMAIL PROTECTED]]
>> Sent: Wednesday, October 01, 2008 3:46 PM
>> To: support@pfsense.com
>> Subject: Re: [pfSense Support] Can't connect to subaru.com on port 80
>>
>> It may be helpful to see your rulesets on your LAN and WAN interfaces... or paste the pertinent XML from your config file..
>>
>> Tim Nelson
>> Systems/Network Engineer
>> Rockbochs Inc.
>> (218)727-4332 x105
>>
>> ----- "BSD Wiz" <[EMAIL PROTECTED]> wrote:
>>> i'm connected via cable modem, mtu is set to 1500.
>>>
>>> thanks
>>> -phil
>>>
>>> On Oct 1, 2008, at 5:23 PM, Chris Buechler wrote:
>>>> On Wed, Oct 1, 2008 at 6:18 PM, BSD Wiz <[EMAIL PROTECTED]> wrote:
>>>>> pfSense 1.2.1 RC1 only add-on package installed is iperf. I have rules to allow traffic out on port 80 and 443. I have also (just to be sure) allowed *ALL* traffic out from my static ip on my macbook. Problem is I can't get to the site subaru.com. I don't see anything in the logs and I've never had a problem getting to any other site. If I telnet from the pfsense firewall to subaru.com on port 80 it gets connected. If i try that from my machine (laptop macbook) it times out. am i missing something or what?
>>>>
>>>> We don't like Subaru. ;)
>>>>
>>>> kidding
>>>>
>>>> sounds like a MTU issue, try lowering your MTU on WAN if you have PPPoE.
Re: [pfSense Support] Can't connect to subaru.com on port 80
so i'm not the only one. i tried fedex just for kicks and it works :) weird...

-phil

On Oct 1, 2008, at 5:56 PM, Tim Dickson wrote:

> I had this same issue with fedex.com a while back
> Adjusted mtu, did a fresh install, never could find a solution... one day it started working again. (weird thing was half our clients could connect and half could not.)
> -Tim
>
> -----Original Message-----
> From: Tim Nelson [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, October 01, 2008 3:46 PM
> To: support@pfsense.com
> Subject: Re: [pfSense Support] Can't connect to subaru.com on port 80
>
> It may be helpful to see your rulesets on your LAN and WAN interfaces... or paste the pertinent XML from your config file..
>
> Tim Nelson
> Systems/Network Engineer
> Rockbochs Inc.
> (218)727-4332 x105
>
> ----- "BSD Wiz" <[EMAIL PROTECTED]> wrote:
>> i'm connected via cable modem, mtu is set to 1500.
>>
>> thanks
>> -phil
>>
>> On Oct 1, 2008, at 5:23 PM, Chris Buechler wrote:
>>> On Wed, Oct 1, 2008 at 6:18 PM, BSD Wiz <[EMAIL PROTECTED]> wrote:
>>>> pfSense 1.2.1 RC1 only add-on package installed is iperf. I have rules to allow traffic out on port 80 and 443. I have also (just to be sure) allowed *ALL* traffic out from my static ip on my macbook. Problem is I can't get to the site subaru.com. I don't see anything in the logs and I've never had a problem getting to any other site. If I telnet from the pfsense firewall to subaru.com on port 80 it gets connected. If i try that from my machine (laptop macbook) it times out. am i missing something or what?
>>>
>>> We don't like Subaru. ;)
>>>
>>> kidding
>>>
>>> sounds like a MTU issue, try lowering your MTU on WAN if you have PPPoE.
Re: [pfSense Support] Can't connect to subaru.com on port 80
i'm connected via cable modem, mtu is set to 1500.

thanks
-phil

On Oct 1, 2008, at 5:23 PM, Chris Buechler wrote:

> On Wed, Oct 1, 2008 at 6:18 PM, BSD Wiz <[EMAIL PROTECTED]> wrote:
>> pfSense 1.2.1 RC1 only add-on package installed is iperf. I have rules to allow traffic out on port 80 and 443. I have also (just to be sure) allowed *ALL* traffic out from my static ip on my macbook. Problem is I can't get to the site subaru.com. I don't see anything in the logs and I've never had a problem getting to any other site. If I telnet from the pfsense firewall to subaru.com on port 80 it gets connected. If i try that from my machine (laptop macbook) it times out. am i missing something or what?
>
> We don't like Subaru. ;)
>
> kidding
>
> sounds like a MTU issue, try lowering your MTU on WAN if you have PPPoE.
[pfSense Support] Can't connect to subaru.com on port 80
pfSense 1.2.1 RC1, only add-on package installed is iperf.

I have rules to allow traffic out on port 80 and 443. I have also (just to be sure) allowed *ALL* traffic out from my static ip on my macbook. Problem is I can't get to the site subaru.com. I don't see anything in the logs and I've never had a problem getting to any other site.

If I telnet from the pfsense firewall to subaru.com on port 80 it gets connected. If i try that from my machine (laptop macbook) it times out.

am i missing something or what?

thanks guys.

-phil
Re: [pfSense Support] ipv6 possibility
Amen.

-phil

On Sep 24, 2008, at 5:22 PM, RB wrote:

>> As Pfsense is derived from Monowall and monowall has recently, in the 1.3beta12, incorporated ipv6, I was wondering how difficult it is going to be to port the changes in monowall to pfsense?
>
> This question comes back up every few months, and every time I wonder: what is the justification case for IPv6? Aside from those home hackers that are desperate for a full 128 bits of addressing to route the twelve devices on their network (never mind my public wifi network that eats an entire /17 with all its churn), where are the potential users? Who has put off rolling out pfSense or a similar platform because it didn't implement IPv6? What about the fact that for the huge majority of users, the magical IPv6 land of ponies and sugar cakes will end at their border unless they tunnel it out to some 3rd-party provider? Yes, some ISPs are starting to offer v6 connectivity, but those are few and far between.
>
> I'm not against IPv6, I just disagree with the periodic Slashdot-induced handwaving 'emergency'. We've been "on the cusp" of "an addressing crisis" for years, and the fact that someone has slapped a ruler on the current allocation trend and come up with a number of days under 1000 doesn't really cause me concern. Who can present a reasonable case for adoption before the current 2-3 year timeline?
>
> RB
Re: [pfSense Support] rule not working correctly
Yep, I see that. My bad. Thanks! -Phil G

On Sep 8, 2008, at 9:56 AM, Angelo Turetta <[EMAIL PROTECTED]> wrote:
> BSD Wiz wrote:
> > Yep, that is how I created the rule, on the WAN interface, and so far so good. I've made about 20 calls and none of them failed so we're looking good... thanks!
>
> Oh, yes. That was the advice I gave you in my message 4 days ago, but you instead chose 1:1 NAT. :)
>
> Angelo.
Re: [pfSense Support] rule not working correctly
Yep, that is how I created the rule, on the WAN interface, and so far so good. I've made about 20 calls and none of them failed so we're looking good... thanks! -phil

On Sep 6, 2008, at 7:20 PM, Bill Marquette wrote:
> On Sat, Sep 6, 2008 at 3:52 PM, BSD Wiz <[EMAIL PROTECTED]> wrote:
> > I should enable static NAT on the interface that my VoIP router is on, which is my DMZ, correct?
>
> Nope, on your WAN interface. You'll put in a rule that is specific to your VoIP provider and check the 'static nat' box. That will force a static translation for anything destined to your provider.
>
> --Bill
Re: [pfSense Support] rule not working correctly
I should enable static NAT on the interface that my VoIP router is on, which is my DMZ, correct? Thanks,

On Sep 6, 2008, at 3:35 PM, Scott Ullrich wrote:
> On Sat, Sep 6, 2008 at 4:23 PM, BSD Wiz <[EMAIL PROTECTED]> wrote:
> > After doing considerable research with tcpdump on my WAN interface and DMZ interface I see that the traffic is indeed passing but my phone is not ringing sometimes. I have no idea why this is happening but it appears that pfSense is doing its job correctly. So, Lingo sucks and I'm looking for recommendations on a new VoIP provider for my home.
>
> Try enabling static port on advanced outbound NAT or your LAN interface. The forum has a lot of information regarding this.
>
> Scott
Re: [pfSense Support] rule not working correctly
After doing considerable research with tcpdump on my WAN interface and DMZ interface I see that the traffic is indeed passing but my phone is not ringing sometimes. I have no idea why this is happening but it appears that pfSense is doing its job correctly. So, Lingo sucks and I'm looking for recommendations on a new VoIP provider for my home. Thanks! -phil

On Sep 5, 2008, at 10:43 PM, Bill Marquette wrote:
> I think you're dancing all around the solution :) You need an inbound NAT or port forward for UDP ports 1-65535 pointing to 10.0.0.1. Alternately, a 1:1 NAT using YOUR external IP, not the IP of the service (i.e. 216.181.136.7 in your example below should be whatever your external IP is, not that of Lingo). The internal is still 10.0.0.1 (assuming that's your internal machine doing Lingo VoIP).
>
> --Bill
>
> On Fri, Sep 5, 2008 at 9:17 PM, BSD Wiz <[EMAIL PROTECTED]> wrote:
> > Man O man, still getting blocked. Tried calling my VoIP phone from my cell phone and the traffic was blocked again by the default drop-all rule. Below is the log entry of the blocked traffic:
> >
> > WAN 216.181.136.7:5065 xx.xx.xx.xx:63792
> >
> > This after allowing source 216.181.136.7 through my WAN interface destined for any port and also creating a 1:1 entry as follows:
> >
> > Interface  External IP       Internal IP  Description
> > WAN        216.181.136.7/32  10.0.0.1/32  Allow Incoming VoIP
> >
> > WTF, shouldn't that be allowed through? Thanks gents. -phil
> >
> > On Sep 5, 2008, at 8:12 AM, Paul Mansfield wrote:
> > > BSD Wiz wrote:
> > > > Ah, I don't have any 1:1 NAT entries or static routes for this firewall issue. So when the traffic hits the WAN interface perhaps it's not always finding its way to the VoIP box in the DMZ? I have added a 1:1 mapping as follows:
> > > >
> > > > Interface  External IP       Internal IP  Description
> > > > WAN        216.181.136.7/32  10.0.0.1/32  VoIP Box
> > > >
> > > > where 10.0.0.1/32 is the IP of the DMZ interface. Should that be sufficient? I can see why some of the traffic was not making it through since I only had a rule to allow traffic from 216.181.136.7 but no port forwarding, static routes or 1:1 NAT entries.
> > >
> > > Seems reasonable to me; you should know if it's working by testing. Use tcpdump on the firewall, on each interface in turn, to see traffic flow... use "tcpdump -ln port XXX" to limit the amount of traffic you sniff.
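The thread's three fixes (a UDP port forward, a 1:1 NAT entry whose external address is the firewall's own, and "static port" on the outbound NAT rule) all come down to how pf translates a packet before it filters it. The following is an added example, not pfSense code and not from any poster: a small model of pf's NAT-then-filter pipeline covering only the pieces the thread turned on. 216.181.136.7 and 10.0.0.1 are the provider and VoIP box as posted; 203.0.113.5 is an assumed stand-in for the firewall's WAN address, which the thread redacts as xx.xx.xx.xx. Running it shows why the 1:1 entry with the provider's address as "External IP" could never deliver the call (binat only rewrites packets addressed to that external IP) and that the same entry rewrites the VoIP box's outbound source address to the provider's, so its packets leave the WAN spoofing the provider.

```python
# Added example: a model of pf's NAT-then-filter order as pfSense configures it.
# Not pfSense code.  WAN_IP is an assumed stand-in for the redacted WAN address.
from dataclasses import dataclass, replace
from typing import Optional, Tuple

PROVIDER = "216.181.136.7"   # the provider host from the blocked-log entry
VOIP_BOX = "10.0.0.1"        # the VoIP device on the DMZ
WAN_IP = "203.0.113.5"       # assumed stand-in for the firewall's own WAN address


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Config:
    # 1:1 NAT entry as (external IP, internal IP); pf renders it as
    #   binat on $wan from <internal> to any -> <external>
    one_to_one: Optional[Tuple[str, str]] = None
    # Port forward as (proto, low port, high port, internal IP); pf renders it as
    #   rdr on $wan proto <proto> from any to $wan_ip port <low>:<high> -> <internal>
    port_forward: Optional[Tuple[str, int, int, str]] = None
    # "static port" on the outbound NAT rule keeps the source port unchanged
    static_port: bool = False
    # The WAN pass rule from the thread: allow from the provider to any port
    pass_protos: Tuple[str, ...] = ("tcp", "udp")


def inbound(pkt: Packet, cfg: Config) -> Tuple[str, str]:
    """A packet arriving on WAN: translate first, then filter.
    Returns (verdict, destination address after NAT)."""
    # binat only rewrites packets addressed to the *external* side of the entry,
    # so an entry whose external IP is the provider's address never matches.
    if cfg.one_to_one and pkt.dst == cfg.one_to_one[0]:
        pkt = replace(pkt, dst=cfg.one_to_one[1])
    # rdr rewrites packets addressed to our own WAN IP within the port range.
    if cfg.port_forward:
        proto, low, high, internal = cfg.port_forward
        if pkt.proto == proto and pkt.dst == WAN_IP and low <= pkt.dport <= high:
            pkt = replace(pkt, dst=internal)
    # pf filters the translated packet; anything unmatched hits default deny.
    if pkt.src == PROVIDER and pkt.proto in cfg.pass_protos:
        return "pass", pkt.dst
    return "block", pkt.dst


def reaches_voip_box(pkt: Packet, cfg: Config) -> bool:
    """True only if the packet is passed *and* was translated to the VoIP box."""
    verdict, dst = inbound(pkt, cfg)
    return verdict == "pass" and dst == VOIP_BOX


def outbound(pkt: Packet, cfg: Config, ephemeral: int = 54321) -> Packet:
    """A packet from the VoIP box leaving WAN: binat wins, else outbound NAT.
    `ephemeral` stands in for the random port pf picks without static port."""
    if cfg.one_to_one and pkt.src == cfg.one_to_one[1]:
        return replace(pkt, src=cfg.one_to_one[0])
    sport = pkt.sport if cfg.static_port else ephemeral
    return replace(pkt, src=WAN_IP, sport=sport)


# Constructed packets: the blocked entry from the thread (provider:5065 -> us:63792)
# and a SIP REGISTER from the box to the provider.
INVITE = Packet("udp", PROVIDER, 5065, WAN_IP, 63792)
REGISTER = Packet("udp", VOIP_BOX, 5060, PROVIDER, 5060)

WRONG_1TO1 = Config(one_to_one=(PROVIDER, VOIP_BOX))   # external IP = provider's IP
RIGHT_1TO1 = Config(one_to_one=(WAN_IP, VOIP_BOX))     # external IP = our own
UDP_FORWARD = Config(port_forward=("udp", 1, 65535, VOIP_BOX), static_port=True)

if __name__ == "__main__":
    cases = [("pass rule only", Config()), ("wrong 1:1", WRONG_1TO1),
             ("correct 1:1", RIGHT_1TO1), ("UDP forward + static port", UDP_FORWARD)]
    for name, cfg in cases:
        out = outbound(REGISTER, cfg)
        print(f"{name:26} inbound -> {inbound(INVITE, cfg)}  "
              f"outbound source -> {out.src}:{out.sport}")
```

With only the pass rule, the provider's packet is passed but its destination is still the firewall's own WAN address, so it never reaches the phone; the model does not try to reproduce pfSense's log line, only where the packet ends up after translation. The tcpdump check Paul suggests is still the way to confirm any of this on a real box: watch the WAN and DMZ interfaces in turn and see whether the translated packet shows up on the DMZ side.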
Re: [pfSense Support] rule not working correctly
Even when I port forward ports 1024-65535 to my Lingo device it still occasionally blocks the traffic. I have the rule set up on my WAN interface and also on the NAT/port forward. I wonder if it is something specific to the VoIP traffic and the way pfSense is handling it?? -phil

On Sep 5, 2008, at 10:43 PM, Bill Marquette wrote:
> I think you're dancing all around the solution :) You need an inbound NAT or port forward for UDP ports 1-65535 pointing to 10.0.0.1. Alternately, a 1:1 NAT using YOUR external IP, not the IP of the service (i.e. 216.181.136.7 in your example below should be whatever your external IP is, not that of Lingo). The internal is still 10.0.0.1 (assuming that's your internal machine doing Lingo VoIP).
>
> --Bill
Re: [pfSense Support] rule not working correctly
Yeah, seems like the port forward option is working as it should. I don't know why I didn't set it up this way to begin with. + as you already pointed out I had the 1:1 rule messed up.. Thanks, -phil

On Sep 5, 2008, at 10:43 PM, Bill Marquette wrote:
> I think you're dancing all around the solution :) You need an inbound NAT or port forward for UDP ports 1-65535 pointing to 10.0.0.1. Alternately, a 1:1 NAT using YOUR external IP, not the IP of the service (i.e. 216.181.136.7 in your example below should be whatever your external IP is, not that of Lingo). The internal is still 10.0.0.1 (assuming that's your internal machine doing Lingo VoIP).
>
> --Bill
Re: [pfSense Support] rule not working correctly
Sounds good. I'm going to give the port forward option a shot. Thanks, -phil

On Sep 5, 2008, at 10:43 PM, Bill Marquette wrote:
> I think you're dancing all around the solution :) You need an inbound NAT or port forward for UDP ports 1-65535 pointing to 10.0.0.1. Alternately, a 1:1 NAT using YOUR external IP, not the IP of the service (i.e. 216.181.136.7 in your example below should be whatever your external IP is, not that of Lingo). The internal is still 10.0.0.1 (assuming that's your internal machine doing Lingo VoIP).
>
> --Bill