Re: [pfSense Support] pfSense 2.0 IPSec-VPN with Certs

2011-08-10 Thread Fuchs, Martin
Hi !

ASN.1 and the remote CA Cert made it work :)

Thanks !

From: Dan Candea [mailto:dan.can...@quah.ro]
Sent: Tuesday, 9 August 2011 14:21
To: support@pfsense.com
Subject: Re: [pfSense Support] pfSense 2.0 IPSec-VPN with Certs

On 03.08.2011 14:46, Fuchs, Martin wrote:
Hi !

Does anyone have mutual-RSA-IPSec VPN working with 2.0 ?
All settings I tried do not work, I always get errors:

racoon: ERROR: failed to get subjectAltName
racoon: ERROR:
racoon: ERROR: no peer's CERT payload found.

These errors are away as soon as I use PSKs, so I think it must have something 
to do with the generated certs...

Any ideas ?

Regards,

Martin

I've generated a CA and use it to make certificate for server and users.
software from shrew.net as a client

remote anonymous
{
ph1id 1;
exchange_mode aggressive;
my_identifier asn1dn ;
peers_identifier asn1dn ;
ike_frag on;
generate_policy = unique;
initial_contact = off;
nat_traversal = on;
certificate_type x509 "cert-1.crt" "cert-1.key";
ca_type x509 "ca-1.crt";
dpd_delay = 10;
dpd_maxfail = 5;
support_proxy on;
proposal_check claim;
passive on;

proposal
{
authentication_method xauth_rsa_server;
encryption_algorithm 3des;
hash_algorithm sha1;
dh_group 2;
lifetime time 28800 secs;
}
}

--

Dan Cândea

Does God Play Dice?
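
As an added illustration (not code from the thread or from pfSense), the sketch below parses a racoon remote block like the one quoted above and flags the two things the reported fix changed: identifier types other than asn1dn, and a missing ca_type CA certificate. The sample configs are constructed, and the rule that non-DN identifiers are matched against the certificate's subjectAltName is an assumption based on the error text.

```python
import re

# Constructed sample, modelled on the remote block quoted in the thread.
WORKING = """
remote anonymous
{
    exchange_mode aggressive;
    my_identifier asn1dn ;
    peers_identifier asn1dn ;
    generate_policy = unique;
    certificate_type x509 "cert-1.crt" "cert-1.key";
    ca_type x509 "ca-1.crt";
    proposal
    {
        authentication_method xauth_rsa_server;
    }
}
"""

# Constructed counter-example: certificate auth, non-DN identifiers, no CA.
FAILING = """
remote 192.0.2.10   # documentation address
{
    my_identifier address;
    peers_identifier fqdn "peer.example.test";
    certificate_type x509 "cert-1.crt" "cert-1.key";
    proposal
    {
        authentication_method rsasig;
    }
}
"""

TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')


def tokenize(text):
    """Drop '#' comments and the '=' that pfSense writes after some keys."""
    text = re.sub(r"#.*", "", text)
    return [t for t in TOKEN.findall(text) if t != "="]


def parse_block(tokens, pos=0):
    """Parse 'key args;' statements and nested '{ }' blocks from pos."""
    directives, blocks, words = {}, [], []
    while pos < len(tokens):
        tok = tokens[pos]
        pos += 1
        if tok == ";":
            if words:
                directives[words[0]] = [w.strip('"') for w in words[1:]]
            words = []
        elif tok == "{":
            inner, pos = parse_block(tokens, pos)
            blocks.append((words, inner))
            words = []
        elif tok == "}":
            break
        else:
            words.append(tok)
    return {"directives": directives, "blocks": blocks}, pos


def check_remote(body):
    """Return (directive, message) findings for one remote section."""
    d = body["directives"]
    methods = [(inner["directives"].get("authentication_method") or [""])[0]
               for header, inner in body["blocks"] if header == ["proposal"]]
    if not any("rsa" in m for m in methods):
        return []  # PSK-only proposals: certificates are never consulted
    findings = []
    for key in ("my_identifier", "peers_identifier"):
        if key in d:
            id_type = d[key][0] if d[key] else "address"
            if id_type != "asn1dn":  # assumption: checked against the SAN
                findings.append((key, f"type '{id_type}' needs a matching "
                                      "subjectAltName in the certificate"))
    if "certificate_type" not in d:
        findings.append(("certificate_type", "no local certificate and key"))
    if "ca_type" not in d:
        findings.append(("ca_type", "no CA certificate to verify the peer"))
    return findings


def lint(text):
    """Map each remote section's name to its list of findings."""
    top, _ = parse_block(tokenize(text))
    return {" ".join(h[1:]): check_remote(b)
            for h, b in top["blocks"] if h[:1] == ["remote"]}


if __name__ == "__main__":
    for sample in (WORKING, FAILING):
        for name, findings in lint(sample).items():
            print(name, "->", findings or "ok")
```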


Re: [pfSense Support] pfSense 2.0 IPSec-VPN with Certs

2011-08-09 Thread Dan Candea

On 03.08.2011 14:46, Fuchs, Martin wrote:


Hi !

Does anyone have mutual-RSA-IPSec VPN working with 2.0 ?

All settings I tried do not work, I always get errors:

racoon: ERROR: failed to get subjectAltName

racoon: ERROR:

racoon: ERROR: no peer's CERT payload found.

These errors are away as soon as I use PSKs, so I think it must have 
something to do with the generated certs...


Any ideas ?

Regards,

Martin



I've generated a CA and use it to make certificate for server and users.
software from shrew.net as a client

remote anonymous
{
ph1id 1;
exchange_mode aggressive;
my_identifier asn1dn ;
peers_identifier asn1dn ;
ike_frag on;
generate_policy = unique;
initial_contact = off;
nat_traversal = on;
certificate_type x509 "cert-1.crt" "cert-1.key";
ca_type x509 "ca-1.crt";
dpd_delay = 10;
dpd_maxfail = 5;
support_proxy on;
proposal_check claim;
passive on;

proposal
{
authentication_method xauth_rsa_server;
encryption_algorithm 3des;
hash_algorithm sha1;
dh_group 2;
lifetime time 28800 secs;
}
}


--
Dan Cândea
Does God Play Dice?



[pfSense Support] pfSense 2.0 IPSec-VPN with Certs

2011-08-03 Thread Fuchs, Martin
Hi !

Does anyone have mutual-RSA-IPSec VPN working with 2.0 ?
All settings I tried do not work, I always get errors:

racoon: ERROR: failed to get subjectAltName
racoon: ERROR:
racoon: ERROR: no peer's CERT payload found.

These errors are away as soon as I use PSKs, so I think it must have something 
to do with the generated certs...

Any ideas ?

Regards,

Martin


[pfSense Support] pfSense 2.0 RC1 and igb0 LRO disabling

2011-06-09 Thread Simon Dick
From a quick look the sysctls most people suggest disabling to fix the
slow LRO on igb cards aren't present in 2.0's igb driver, anyone got
the right options to use to get them working at a proper speed again?

Thanks

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org



[pfSense Support] Pfsense 2.0 dyndns

2011-06-01 Thread Fuchs, Martin
Hi !
Do we know about any dyndns issues ?
I have some systems where sometimes dyndns does not update, the client shows it 
in red, but does not update ?
Shouldn't this be done when it's printed in red ?
Only manually saving or reconnect triggers the update of dyndns...
Any ideas ?

Regards,
Martin



[pfSense Support] pfSense 2.0 RC1 IPv6 build with DHCP-PD support

2011-05-11 Thread Seth Mos
Hi,

Here are preliminary images that have IPv6 enabled and also support
DHCP-PD for the WAN.

I am in need of someone that has a DHCP WAN where they also provide
DHCP-PD for IPv6.

This is by no means a production image, my suggestion is to try this as
a LiveCD and get back to me if it works for your ISP if they provide
native IPv6.

Select the correct "Delegated Prefix Length" from the dropdown on the
WAN interface if it is set to DHCP. Select a network Prefix ID on the
LAN interface for automatic setup of the LAN interface.

If it doesn't work for native IPv6 with DHCP-PD I'd like to know.

http://iserv.nl/files/pfsense/ipv6/rc1/

These builds have a newer ISC DHCP server integrated that hopefully
doesn't implode with a leases database.

The kernel is patched to allow for Router advertisements on the WAN so
that a default route to the internet exists.

Kind regards,

Seth




RE: [pfSense Support] pfSense 2.0-RC1 installation problem

2011-04-28 Thread Adam Van Ornum



From: madhu_sek...@mahindrasatyam.com
To: support@pfsense.com
Date: Fri, 29 Apr 2011 05:02:12 +
Subject: [pfSense Support] pfSense 2.0-RC1 installation problem










Dear Support Team
 
Greetings.
 
I have downloaded pfSense-2.0-RC1-i386-20110226-1530.iso and tried to install 
it in Virtual PC. After selecting LAN and WAN interfaces and while formatting 
the hard drive it is giving the following error.
And installation is not completing properly. Can you help me in this regard.
 
 
 
   

 
 
Regards
Madhu Sekhar
 
 






DISCLAIMER:

This email (including any attachments) is intended for the sole use of the 
intended recipient/s and may contain material that is CONFIDENTIAL AND PRIVATE 
COMPANY INFORMATION. Any review or reliance by others or copying or 
distribution or forwarding of any or
 all of the contents in this message is STRICTLY PROHIBITED. If you are not the 
intended recipient, please contact the sender by email and delete all copies; 
your cooperation in this regard is appreciated.





I don't know anything specific about this problem, but I have always had lots 
of problems running *BSD or Linux in Virtual PC, especially *BSDs.  I would 
recommend trying Virtual Box...it seems to work much better with *nix-like 
systems.

[pfSense Support] pfSense 2.0-RC1 installation problem

2011-04-28 Thread Madhu_Sekhar
Dear Support Team

Greetings.

I have downloaded pfSense-2.0-RC1-i386-20110226-1530.iso and tried to install 
it in Virtual PC. After selecting LAN and WAN interfaces and while formatting 
the hard drive it is giving the following error.
And installation is not completing properly. Can you help me in this regard.





Regards
Madhu Sekhar






Re: [pfSense Support] pfSense 2.0 IPsec on Mac OS X 10.6

2011-04-12 Thread Fuchs, Martin
That's strange, my config works with NAT-T too, but i never had problems with 
non-natted, natted or any other  network. 

On 12.04.2011 at 21:46, "Paul Mather" wrote:

> On Apr 12, 2011, at 3:17 PM, Vick Khera wrote:
> 
>> On Tue, Apr 12, 2011 at 2:04 PM, Fuchs, Martin 
>>  wrote:
>> I have IPSec from my iPhone To pfsense here...
>> Have a look at the Forums. It took some Time but now it works...
>> 
>> I found in the forum that it requires pfSense 2.0.  Does that still stand 
>> true?
>> 
>> And do you configure it via pfSense GUI or a manual hack to the racoon 
>> config file?
>> 
>> I don't find a definitive answer on the forum at all, just a bunch of try 
>> this try that and speculation followed by a bunch of "doesn't work for me" 
>> and "works for me, sorta".
>> 
>> The closest I've found is 
>> http://forum.pfsense.org/index.php/topic,24752.msg130558/topicseen.html#msg130558
>> 
>> Is that the current "state of the art" for iPhone -> pfSense VPN?  It seems 
>> to be in conflict with how I want mobile client settings for my "road 
>> warrior" network VPNs, such as my home office.  Ie, I do not want to have a 
>> virtual address pool for those connections.
> 
> 
> I have used pfSense 2.0 to set up an IPsec VPN usable from an iPod Touch, 
> which I believe uses the same client as the iPhone and iPad.  I used pretty 
> much the setup from the link you give above.  In my case, my Phase 2 has 
> "Local Network" of type "Network" and the address is that of my pfSense LAN 
> (whereas the forum post uses Local Network Type "None").  (I actually have 
> two Phase 2 entries, the one just described and another that is the same 
> except the address is 10.0.0.0/24, to allow VPN access to that private 
> network reachable from the pfSense LAN.)
> 
> I did all configuration via the pfSense GUI.  The setup routes all traffic 
> for the network behind the pfSense gateway (172.23.23.0/24 and 10.0.0.0/24) 
> over the IPsec VPN; other traffic goes out as per normal.  Split DNS works, 
> and private DNS hostnames are resolved correctly.
> 
> The VPN works fine when NAT-T is in use.  (The same config doesn't work for 
> my office Mac, which is not behind a NAT.)
> 
> I also tried the L2TP server in pfSense 2.0 today with the Mac OS X L2TP VPN 
> client but couldn't even get it to connect. :-(
> 
> Cheers,
> 
> Paul.
> 
> 
> 



Re: [pfSense Support] pfSense 2.0 IPsec on Mac OS X 10.6

2011-04-12 Thread Fuchs, Martin
I use 2.0 and configure via GUI only, no hacks.
The only Problem is the users privilege  as a local user - Admin works for me 
so far, but a ticket is already opened. The local user is for xauth.

On 12.04.2011 at 21:18, "Vick Khera" <vi...@khera.org> wrote:

On Tue, Apr 12, 2011 at 2:04 PM, Fuchs, Martin 
<martin.fu...@trendchiller.com>
 wrote:
I have IPSec from my iPhone To pfsense here...
Have a look at the Forums. It took some Time but now it works...

I found in the forum that it requires pfSense 2.0.  Does that still stand true?

And do you configure it via pfSense GUI or a manual hack to the racoon config 
file?

I don't find a definitive answer on the forum at all, just a bunch of try this 
try that and speculation followed by a bunch of "doesn't work for me" and 
"works for me, sorta".

The closest I've found is 

 
http://forum.pfsense.org/index.php/topic,24752.msg130558/topicseen.html#msg130558

Is that the current "state of the art" for iPhone -> pfSense VPN?  It seems to 
be in conflict with how I want mobile client settings for my "road warrior" 
network VPNs, such as my home office.  Ie, I do not want to have a virtual 
address pool for those connections.




Re: [pfSense Support] pfSense 2.0 IPsec on Mac OS X 10.6

2011-04-12 Thread Paul Mather
On Apr 12, 2011, at 3:17 PM, Vick Khera wrote:

> On Tue, Apr 12, 2011 at 2:04 PM, Fuchs, Martin 
>  wrote:
> I have IPSec from my iPhone To pfsense here...
> Have a look at the Forums. It took some Time but now it works...
> 
> I found in the forum that it requires pfSense 2.0.  Does that still stand 
> true?
> 
> And do you configure it via pfSense GUI or a manual hack to the racoon config 
> file?
> 
> I don't find a definitive answer on the forum at all, just a bunch of try 
> this try that and speculation followed by a bunch of "doesn't work for me" 
> and "works for me, sorta".
> 
> The closest I've found is 
> http://forum.pfsense.org/index.php/topic,24752.msg130558/topicseen.html#msg130558
> 
> Is that the current "state of the art" for iPhone -> pfSense VPN?  It seems 
> to be in conflict with how I want mobile client settings for my "road 
> warrior" network VPNs, such as my home office.  Ie, I do not want to have a 
> virtual address pool for those connections.


I have used pfSense 2.0 to set up an IPsec VPN usable from an iPod Touch, 
which I believe uses the same client as the iPhone and iPad.  I used pretty 
much the setup from the link you give above.  In my case, my Phase 2 has "Local 
Network" of type "Network" and the address is that of my pfSense LAN (whereas 
the forum post uses Local Network Type "None").  (I actually have two Phase 2 
entries, the one just described and another that is the same except the address 
is 10.0.0.0/24, to allow VPN access to that private network reachable from the 
pfSense LAN.)

I did all configuration via the pfSense GUI.  The setup routes all traffic for 
the network behind the pfSense gateway (172.23.23.0/24 and 10.0.0.0/24) over 
the IPsec VPN; other traffic goes out as per normal.  Split DNS works, and 
private DNS hostnames are resolved correctly.

The VPN works fine when NAT-T is in use.  (The same config doesn't work for my 
office Mac, which is not behind a NAT.)

I also tried the L2TP server in pfSense 2.0 today with the Mac OS X L2TP VPN 
client but couldn't even get it to connect. :-(

Cheers,

Paul.






Re: [pfSense Support] pfSense 2.0 IPsec on Mac OS X 10.6

2011-04-12 Thread Vick Khera
On Tue, Apr 12, 2011 at 2:04 PM, Fuchs, Martin <
martin.fu...@trendchiller.com> wrote:

> I have IPSec from my iPhone To pfsense here...
> Have a look at the Forums. It took some Time but now it works...
>

I found in the forum that it requires pfSense 2.0.  Does that still stand
true?

And do you configure it via pfSense GUI or a manual hack to the racoon
config file?

I don't find a definitive answer on the forum at all, just a bunch of try
this try that and speculation followed by a bunch of "doesn't work for me"
and "works for me, sorta".

The closest I've found is
http://forum.pfsense.org/index.php/topic,24752.msg130558/topicseen.html#msg130558

Is that the current "state of the art" for iPhone -> pfSense VPN?  It seems
to be in conflict with how I want mobile client settings for my "road
warrior" network VPNs, such as my home office.  Ie, I do not want to have a
virtual address pool for those connections.


Re: [pfSense Support] pfSense 2.0 IPsec on Mac OS X 10.6

2011-04-12 Thread Fuchs, Martin
I have IPSec from my iPhone To pfsense here...
Have a look at the Forums. It took some Time but now it works...

On 12.04.2011 at 17:24, "Vick Khera" <vi...@khera.org> wrote:

On Tue, Apr 12, 2011 at 11:21 AM, Vick Khera 
<vi...@khera.org> wrote:
iOS does not have OpenVPN built in. I never looked to see if some app provides 
it, but I highly doubt it.

one more point... the only VPN we've ever succeeded with iOS devices is the 
PPTP client, but that's just not a very secure thing.  I don't think the Cisco 
client works with pfSense IPSec server.



Re: [pfSense Support] pfSense 2.0 IPsec on Mac OS X 10.6

2011-04-12 Thread J. Echter
On 12.04.2011 17:21, Vick Khera wrote:
> On Mon, Apr 11, 2011 at 4:46 PM, Paul Mather wrote:
>
>> Plus, I don't know how well-supported OpenVPN is on devices such as the
>> iPad and iPhone.  But, in the absence of "it works for me" responses for
>> IPsec on Mac OS X, I may just have to try it. :-)
>
> iOS does not have OpenVPN built in. I never looked to see if some app
> provides it, but I highly doubt it.
>
> IPsec has been known to work with IPsecuritas.  It is just hit-or miss.  For
> us, it worked for some people but not others, and pretty much everyone here
> was using Comcast as their ISP (including the main office).  I think we
> determined that consumer-grade Verizon DSL was blocking IPsec for some
> bizarre reason, but my memory is fuzzy on the specifics.
>
For a jailbroken iPhone you can have an OpenVPN client. I don't know if
there's one for a non-jailbroken one.




Re: [pfSense Support] pfSense 2.0 IPsec on Mac OS X 10.6

2011-04-12 Thread Tom Müller-Kortkamp

On 12.04.2011 at 17:21, Vick Khera wrote:

> On Mon, Apr 11, 2011 at 4:46 PM, Paul Mather  wrote:
> Plus, I don't know how well-supported OpenVPN is on devices such as the iPad 
> and iPhone.  But, in the absence of "it works for me" responses for IPsec on 
> Mac OS X, I may just have to try it. :-)
> 
> iOS does not have OpenVPN built in. I never looked to see if some app 
> provides it, but I highly doubt it.
> 
> IPsec has been known to work with IPsecuritas.  It is just hit-or miss.  For 
> us, it worked for some people but not others, and pretty much everyone here 
> was using Comcast as their ISP (including the main office).  I think we 
> determined that consumer-grade Verizon DSL was blocking IPsec for some 
> bizarre reason, but my memory is fuzzy on the specifics.

OpenVPN will not be available in appstore as it is GPL and this licence is not 
compatible with iOS (see the discussion about vlc in iOS). So maybe that's why 
nobody is willing to migrate it to iOS.




Re: [pfSense Support] pfSense 2.0 IPsec on Mac OS X 10.6

2011-04-12 Thread Vick Khera
On Tue, Apr 12, 2011 at 11:21 AM, Vick Khera  wrote:

> iOS does not have OpenVPN built in. I never looked to see if some app
> provides it, but I highly doubt it.
>

one more point... the only VPN we've ever succeeded with iOS devices is the
PPTP client, but that's just not a very secure thing.  I don't think the
Cisco client works with pfSense IPSec server.


Re: [pfSense Support] pfSense 2.0 IPsec on Mac OS X 10.6

2011-04-12 Thread Vick Khera
On Mon, Apr 11, 2011 at 4:46 PM, Paul Mather wrote:

> Plus, I don't know how well-supported OpenVPN is on devices such as the
> iPad and iPhone.  But, in the absence of "it works for me" responses for
> IPsec on Mac OS X, I may just have to try it. :-)


iOS does not have OpenVPN built in. I never looked to see if some app
provides it, but I highly doubt it.

IPsec has been known to work with IPsecuritas.  It is just hit-or miss.  For
us, it worked for some people but not others, and pretty much everyone here
was using Comcast as their ISP (including the main office).  I think we
determined that consumer-grade Verizon DSL was blocking IPsec for some
bizarre reason, but my memory is fuzzy on the specifics.


Re: [pfSense Support] pfSense 2.0 IPsec on Mac OS X 10.6

2011-04-12 Thread Paul Mather
On Apr 11, 2011, at 4:07 PM, RB wrote:

> I'm actually pretty interested in the fact that on the surface it
> looks like 2.0 can support the OS X 10.6 native Cisco VPN client out
> of the box.  Has anyone had any success doing so?  OpenVPN and
> Viscosity/Tunnelblick are nice, but not having to pay $9/client and
> not installing additional software is even more so.


The latter aspect is what motivates me to try and get IPsec working fully. :-)

I have had some success with the built-in Cisco IPSec client, with problems 
documented here: http://www.mail-archive.com/support@pfsense.com/msg21912.html. 
 I am using Mutual PSK + Xauth with AES-256 and SHA-1 in my Phase 1 proposal.  
I have two Phase 2 entries: one for each private network behind the pfSense 
gateway.  In the mode-cfg section of the Mobile Clients section I provide a 
private DNS default domain and DNS server to clients.  This split DNS appears 
to work well.  I've been able to connect from Mac OS X 10.6 systems and 
iPhones/iPod Touches.

Unfortunately, the setup only appears to work properly when clients are 
connecting from behind a NAT (i.e., when IPsec NAT-T is being used).  I'm new 
to pfSense, so I'm not sure whether the problem lies with my configuration or 
with the Mac OS X client side. :-(

> Going to try testing this week.

I'd be very interested in hearing if you manage to get non NAT-T connections 
working.

Cheers,

Paul.






Re: [pfSense Support] pfSense 2.0 IPsec on Mac OS X 10.6

2011-04-11 Thread Seth Mos
On 11-4-2011 22:46, Paul Mather wrote:
> On Apr 11, 2011, at 12:19 PM, Vick Khera wrote:
> 
> Funnily enough, I had tried OpenVPN in this environment quite a while
> ago (not with pfSense, though) but gave up because I couldn't get
> Tunnelblick working smoothly.  I don't remember exactly what problems I
> was having, but I think routing and private DNS resolution seem to ring
> a bell.  Has the Tunnelblick client improved in the last two years or so?

Viscosity works really well for me. No issues resuming from sleeping or
hibernating either. Split DNS works fine too.

> I figured folks would suggest using OpenVPN instead of IPsec. :-)  I had
> hoped to avoid doing that because I want to minimise the amount of
> third-party client software I need to deploy.  Plus, I don't know how
> well-supported OpenVPN is on devices such as the iPad and iPhone.  But,

There is no support for OpenVPN on the idevices. Blame apple for not
including tun tap support in their ios. My suggestion would be to
contact Apple on getting that supported.

Regards,

Seth




Re: [pfSense Support] pfSense 2.0 IPsec on Mac OS X 10.6

2011-04-11 Thread RB
I'm actually pretty interested in the fact that on the surface it
looks like 2.0 can support the OS X 10.6 native Cisco VPN client out
of the box.  Has anyone had any success doing so?  OpenVPN and
Viscosity/Tunnelblick are nice, but not having to pay $9/client and
not installing additional software is even more so.

Going to try testing this week.


RB

On Mon, Apr 11, 2011 at 14:02, bsd  wrote:
> Install the open VPN client package on 2.0 - two clicks and you're done !
> Viscosity is your best bet.
>
> So straightforward, your grandma could do It.
>
> ;-)
>
>
> On 11 Apr. 2011 at 18:19, Vick Khera wrote:
>
>> On Mon, Apr 11, 2011 at 11:19 AM, Paul Mather  
>> wrote:
>> Has anyone managed to get IPsec for mobile clients working with pfSense 2.0 
>> and Mac OS X 10.6?  If so, which client are you using on the Mac OS X side?  
>> Is anything special needed on the pfSense side?
>>
>> I *used* to use IPsecuritas but it was always finicky.  I finally made the 
>> switch for all of the roaming clients to OpenVPN using Tunnelblick and 
>> everything has been much, much more stable.  I still use IPsec for my fixed 
>> end-point tunnels between offices, and that works solidly.  All such 
>> endpoints are pfSense.
>>
>> Unless you have some hard requirement to use IPSec for your mobile clients, 
>> give OpenVPN a try.
>>
>>
>
>
> ––
> -> Grégory Bernard Director <-
> ---> www.osnet.eu <---
> --> Your provider of OpenSource appliances <--
> ––
> OSnetOSnetOSnetOSnetOSnetOSnetOSnetOSnetOSnetO
>
>



Re: [pfSense Support] pfSense 2.0 IPsec on Mac OS X 10.6

2011-04-11 Thread Paul Mather
On Apr 11, 2011, at 12:19 PM, Vick Khera wrote:

> On Mon, Apr 11, 2011 at 11:19 AM, Paul Mather  wrote:
> Has anyone managed to get IPsec for mobile clients working with pfSense 2.0 
> and Mac OS X 10.6?  If so, which client are you using on the Mac OS X side?  
> Is anything special needed on the pfSense side?
> 
> I *used* to use IPsecuritas but it was always finicky.  I finally made the 
> switch for all of the roaming clients to OpenVPN using Tunnelblick and 
> everything has been much, much more stable.  I still use IPsec for my fixed 
> end-point tunnels between offices, and that works solidly.  All such 
> endpoints are pfSense.
> 
> Unless you have some hard requirement to use IPSec for your mobile clients, 
> give OpenVPN a try.


Funnily enough, I had tried OpenVPN in this environment quite a while ago (not 
with pfSense, though) but gave up because I couldn't get Tunnelblick working 
smoothly.  I don't remember exactly what problems I was having, but I think 
routing and private DNS resolution seem to ring a bell.  Has the Tunnelblick 
client improved in the last two years or so?

I figured folks would suggest using OpenVPN instead of IPsec. :-)  I had hoped 
to avoid doing that because I want to minimise the amount of third-party client 
software I need to deploy.  Plus, I don't know how well-supported OpenVPN is on 
devices such as the iPad and iPhone.  But, in the absence of "it works for me" 
responses for IPsec on Mac OS X, I may just have to try it. :-)

Cheers,

Paul.




Re: [pfSense Support] pfSense 2.0 IPsec on Mac OS X 10.6

2011-04-11 Thread bsd
Install the open VPN client package on 2.0 - two clicks and you're done ! 
Viscosity is your best bet. 

So straightforward, your grandma could do It. 

;-)


On 11 Apr. 2011 at 18:19, Vick Khera wrote:

> On Mon, Apr 11, 2011 at 11:19 AM, Paul Mather  wrote:
> Has anyone managed to get IPsec for mobile clients working with pfSense 2.0 
> and Mac OS X 10.6?  If so, which client are you using on the Mac OS X side?  
> Is anything special needed on the pfSense side?
> 
> I *used* to use IPsecuritas but it was always finicky.  I finally made the 
> switch for all of the roaming clients to OpenVPN using Tunnelblick and 
> everything has been much, much more stable.  I still use IPsec for my fixed 
> end-point tunnels between offices, and that works solidly.  All such 
> endpoints are pfSense.
> 
> Unless you have some hard requirement to use IPSec for your mobile clients, 
> give OpenVPN a try.
> 
> 


––
-> Grégory Bernard Director <-
---> www.osnet.eu <---
--> Your provider of OpenSource appliances <--
––
OSnetOSnetOSnetOSnetOSnetOSnetOSnetOSnetOSnetO





Re: [pfSense Support] pfSense 2.0 IPsec on Mac OS X 10.6

2011-04-11 Thread Vick Khera
On Mon, Apr 11, 2011 at 11:19 AM, Paul Mather wrote:

> Has anyone managed to get IPsec for mobile clients working with pfSense 2.0
> and Mac OS X 10.6?  If so, which client are you using on the Mac OS X side?
>  Is anything special needed on the pfSense side?
>

I *used* to use IPsecuritas but it was always finicky.  I finally made the
switch for all of the roaming clients to OpenVPN using Tunnelblick and
everything has been much, much more stable.  I still use IPsec for my fixed
end-point tunnels between offices, and that works solidly.  All such
endpoints are pfSense.

Unless you have some hard requirement to use IPSec for your mobile clients,
give OpenVPN a try.


Re: [pfSense Support] pfSense 2.0 IPsec on Mac OS X 10.6

2011-04-11 Thread Mike McLaughlin
I'm very happily using OpenVPN with Viscosity and TunnelBlick (clients) on
many Mac 10.5-10.7 machines. I'm currently using 1.2.3 at the perimeter and
a 2.0 box to manage my certs (which I hope to roll over to the perimeter box
once we upgrade for the sake of being able to download the pre-loaded
installers in 2.0). The only issues I've hit at all are related to the
crappy Samba implementation in 10.6 and below. The test 10.7 machines are a
dream.

The users love how transparent and easy the VPN is.

Mike McLaughlin


On Mon, Apr 11, 2011 at 8:19 AM, Paul Mather wrote:

> I believe my previous message on this topic (
> http://www.mail-archive.com/support@pfsense.com/msg21912.html) may have
> been a victim of tl;dr.  So, in hope of better success, I will restate my
> problem in a more positive light:
>
> Has anyone managed to get IPsec for mobile clients working with pfSense 2.0
> and Mac OS X 10.6?  If so, which client are you using on the Mac OS X side?
>  Is anything special needed on the pfSense side?
>
> I have tried both the built-in Cisco IPSec client and also IPSecuritas on
> Mac OS X, with mixed results.  Usually the IPsec VPN will only work via
> NAT-T.  For the non-NAT-T case, the VPN doesn't appear to be able to route
> traffic, and just keeps accumulating SAD entries and losing SPD entries on
> the pfSense side.
>
> I haven't tried L2TP---can anyone report success using the built-in L2TP
> client in Mac OS X 10.5 onwards?
>
> (I have tried updating my pfSense installation via the 2.0 nightly builds,
> but to no avail.  It still doesn't work.)
>
> Any help is gratefully appreciated.
>
> Cheers,
>
> Paul.
>
>


[pfSense Support] pfSense 2.0 IPsec on Mac OS X 10.6

2011-04-11 Thread Paul Mather
I believe my previous message on this topic 
(http://www.mail-archive.com/support@pfsense.com/msg21912.html) may have been a 
victim of tl;dr.  So, in hope of better success, I will restate my problem in a 
more positive light:

Has anyone managed to get IPsec for mobile clients working with pfSense 2.0 and 
Mac OS X 10.6?  If so, which client are you using on the Mac OS X side?  Is 
anything special needed on the pfSense side?

I have tried both the built-in Cisco IPSec client and also IPSecuritas on Mac 
OS X, with mixed results.  Usually the IPsec VPN will only work via NAT-T.  For 
the non-NAT-T case, the VPN doesn't appear to be able to route traffic, and 
just keeps accumulating SAD entries and losing SPD entries on the pfSense side.

I haven't tried L2TP---can anyone report success using the built-in L2TP client 
in Mac OS X 10.5 onwards?

(I have tried updating my pfSense installation via the 2.0 nightly builds, but 
to no avail.  It still doesn't work.)

Any help is gratefully appreciated.

Cheers,

Paul.





[pfSense Support] PfSense 2.0 multi-wan : pb with locally initiated connexions

2011-03-19 Thread Fred
Hello,

  I use PfSense 1.2 since 2-3 years with good results on 2 WAN access,
and I recently tried to use the 2.0beta5 image to be able to use
Multi-WAN setup with PPPOE modems (starting with 2), following
"Multi-Wan on a Stick" model described in the book.
  I had some difficulties as load balancing/failover setup has changed
between 1.2 version and new 2.0 (but I need 2.0 for multi-PPPOE WAN),
but it almost works. I've noticed 2 problems I can't find solution on
the web :


* local services, as ntpd daemon, but also a ping initiated from
PfSense's console, don't work : for example :

[2.0-BETA5][root@alix.mynet]/root(1): ping www.pfsense.org
PING pfsense.org (69.64.6.21): 56 data bytes
ping: sendto: No route to host
ping: sendto: No route to host

There is no default gateway, and I didn't find a way to set it up in a
multi-wan configuration : how can I do this ?


* most LAN to Internet connexions work (http, pop, smtp, ssh,
  openvpn...), but I've noticed a very strange problem : I can't use
  X11-forward ssh connection, it blocks :

$ ssh -vv -Y  rxvt
...
debug1: Sending command: rxvt
debug1: client_input_channel_open: ctype x11 rchan 4 win 65536 max 16384
debug1: client_request_x11: request from 127.0.0.1 54400
debug1: channel 1: new [x11]
debug1: confirm x11

And then the connection is blocked. If I use a path through another WAN
(with "classical" PfSense 1.2 mono-WAN), it works well.
  I'm puzzled, I don't understand what can do this ?!


  Thanks for your help,
Fred.





Re: [pfSense Support] pfSense 2.0 RC1 Nanobsd Problem

2011-03-07 Thread Vick Khera
On Sun, Mar 6, 2011 at 5:05 PM, Bao Ha  wrote:
> Something happened in BETA5 and it was carried into RC1, up to today
> snapshot: 20110306-0859.
>

I see this in my embedded BETA5 install at home (I should upgrade soon
to RC1 I suppose...)

I see no significant amount of writing to it.  There are no extra
packages installed and all it does is basic NAT + firewall + IPsec
VPN.  It is a fairly generic CF card too.




Re: [pfSense Support] pfSense 2.0 RC1 Nanobsd Problem

2011-03-07 Thread Bao Ha
Hi Seth,

On Mon, Mar 7, 2011 at 12:05 AM, Seth Mos  wrote:

> On 6-3-2011 23:26, Bao Ha wrote:
>
>  Hi Bart,
>>
>> Thanks for the note.
>>
>> According to the forum, it should not be a problem. :-(
>>
>
> It is not.


I have had three systems with corrupted flash memory: two with the Kingston
4GB Elite Pro, one with a 4GB flash drive.

>
>
>  When we first got the reports of corrupted CFs, we just overnighted new
>> ones. Then, those died shortly, within a week or two. We replaced a
>> complete system: systemboard, memory and CF.
>>
>
> Why are you shipping cheap CF cards without wear levelling?
>

We used to offer a choice of CF or DOM. The DOM has industrial-strength
wear-leveling. It was also better since in the early days, our systemboards
choked on DMA with faster CF cards. Nobody wants DOM!

I did not rule out that Kingston's quality may have dropped significantly.
If that is the case, I'll switch to a different brand name.

> I have run a full install on a Lexar 1GB CF for over 4 years before the CF
> card died.
>
> I've also run into the "CF without wear levelling" issue. Get a proper CF
> card.
>

We have been shipping more than a thousand systems with Kingston CF since
2006 with no corrupted flash memory.

Whatever killed the two Kingston Elite Pro 4GB CFs within two weeks will
also kill a DOM or industrial CF, maybe not in weeks or months, but probably
within a year.

Bao



> Regards,
> Seth
>
>
>
>


-- 
Best Regards.
Bao C. Ha
Hacom - Embedded Systems and Appliances
http://www.hacom.net
voice: (714) 564-9932


Re: [pfSense Support] pfSense 2.0 RC1 Nanobsd Problem

2011-03-07 Thread Seth Mos

On 6-3-2011 23:26, Bao Ha wrote:

> Hi Bart,
>
> Thanks for the note.
>
> According to the forum, it should not be a problem. :-(

It is not.

> When we first got the reports of corrupted CFs, we just overnighted new
> ones. Then, those died shortly, within a week or two. We replaced a
> complete system: systemboard, memory and CF.

Why are you shipping cheap CF cards without wear levelling?

I have run a full install on a Lexar 1GB CF for over 4 years before the 
CF card died.


I've also run into the "CF without wear levelling" issue. Get a proper 
CF card.


Regards,
Seth




Re: [pfSense Support] pfSense 2.0 RC1 Nanobsd Problem

2011-03-06 Thread Nenhum_de_Nos

On Sun, March 6, 2011 19:26, Bao Ha wrote:
> Hi Bart,
>
> Thanks for the note.
>
> According to the forum, it should not be a problem. :-(
>
> Unfortunately, mounting RW without NOATIME will pounce on the compact
> flash
> everytime a READ is made. It will kill the CF sooner or later.
>
> When we first got the reports of corrupted CFs, we just overnighted new
> ones. Then, those died shortly, within a week or two. We replaced a
> complete
> system: systemboard, memory and CF.
>
> I am loosing my hair and sleeps, thinking one of our most reliable systems
> being shipped since 2006 is having compatibility issues with pfSense 2.0.
>
> I am hoping that this is the real cause. And I can stop a flood of support
> issues.

I see this in a 4g nano image, but is no problem as I use microdrive. so,
in case when this be corrected, how can I make it this way ?

is the nano image the best for a microdrive soekris ? I want the full pc
install just using serial instead of vga.

thanks,

matheus

-- 
We will call you cygnus,
The God of balance you shall be

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

http://en.wikipedia.org/wiki/Posting_style




RE: [pfSense Support] pfSense 2.0 RC1 Nanobsd Problem

2011-03-06 Thread Bart Grefte
Hi Bao,

You're welcome :)

I've read that, but not sure if that is actually true in all cases.

Wow, that is fast! I doubt pfSense writes so much in that time the CF-cards
start dying, although I might be wrong.

Could be the (lack of?) quality of the CF-cards combined with that problem
that is causing them to fail so fast. (This is just me thinking out loud.)

Out of curiosity, why ship systems with an OS that is still beta? Well, RC1
now, but still

Not sure if this will help, but maybe adding /etc/rc.conf_mount_ro to a
script that runs during boot-up will do some good. It's the command to mount
read-only.

I still have to add that one and /etc/rc.conf_mount_rw to the script that
makes an IPv6 tunnel on my pfSense v1.2.3 system, since the script needs to
write something during the boot of pfSense when the script is started but
can't do that because of RO filesystem

Hope this problem will be solved soon!

With regards,

Bart

From: Bao Ha [mailto:b...@hacom.net]
Sent: Sunday, 6 March 2011 23:26
To: support@pfsense.com
Subject: Re: [pfSense Support] pfSense 2.0 RC1 Nanobsd Problem

 

Hi Bart,

 

Thanks for the note.

 

According to the forum, it should not be a problem. :-(

 

Unfortunately, mounting RW without NOATIME will pounce on the compact flash
everytime a READ is made. It will kill the CF sooner or later.

 

When we first got the reports of corrupted CFs, we just overnighted new
ones. Then, those died shortly, within a week or two. We replaced a complete
system: systemboard, memory and CF.

 

I am loosing my hair and sleeps, thinking one of our most reliable systems
being shipped since 2006 is having compatibility issues with pfSense 2.0.

 

I am hoping that this is the real cause. And I can stop a flood of support
issues.

 

Bao

On Sun, Mar 6, 2011 at 2:12 PM, Bart Grefte  wrote:

Someone already made a bugreport  <http://redmine.pfsense.org/issues/1279>
http://redmine.pfsense.org/issues/1279  ;)

 

 

  _  

From: Bao Ha [mailto:b...@hacom.net]
Sent: Sunday, 6 March 2011 23:06
To: customersupp...@pfsense.org
CC: support@pfsense.com
Subject: [pfSense Support] pfSense 2.0 RC1 Nanobsd Problem

 

Something happened in BETA5 and it was carried into RC1, up to today
snapshot: 20110306-0859.


The file system in nanobsd version is now mounted fully RW, see the
following "mount" command:

...

[2.0-RC1][admin@pfHacom.localdomain]/root(1): mount
/dev/ufs/pfsense0 on / (ufs, local)
devfs on /dev (devfs, local)
/dev/md0 on /tmp (ufs, local)
/dev/md1 on /var (ufs, local)
/dev/ufs/cf on /cf (ufs, local)
devfs on /var/dhcpd/dev (devfs, local)

...

I believe they are supposed to be mounted read-only or at least RW with
NOATIME.

We have had at least two systems running pfSense 2.0 BETA5 and RC1 RMAed
back with suspected hardware problems, causing corruption of compact flash
memory. We think the "root" cause of this problem is due to the filesystems
mounted fully RW in the compact flash.

We plan to distribute the following temporary fix to our customers who want
to run pfSense 2.0:

...

[2.0-RC1][admin@pfHacom.localdomain]/root(1): cat /usr/local/etc/rc.d/hacom.sh
#!/bin/sh

# hacom.sh - BCH 3/6/2011
#   Temporary fix to mount the filesystem Read-Only to avoid destroying flash memory

PLATFORM=`/bin/cat /etc/platform`

if [ "$PLATFORM" = "nanobsd" ]; then
    /sbin/mount -u -oro /; /sbin/mount -u -onoatime /cf
fi

...

 

Appreciate if someone look into this problem.

 

I have also CCed this message to support@pfsense.com to notify others
currently using pfSense 2.0 RC1 nanobsd version of the danger to flash
memory.

 

Thanks.

Bao

-- 
Best Regards.
Bao C. Ha
Hacom - Embedded Systems and Appliances
http://www.hacom.net 
voice: (714) 564-9932




-- 
Best Regards.
Bao C. Ha
Hacom - Embedded Systems and Appliances
http://www.hacom.net 
voice: (714) 564-9932



Re: [pfSense Support] pfSense 2.0 RC1 Nanobsd Problem

2011-03-06 Thread Bao Ha
Hi Bart,

Thanks for the note.

According to the forum, it should not be a problem. :-(

Unfortunately, mounting RW without NOATIME will pounce on the compact flash
every time a READ is made. It will kill the CF sooner or later.

When we first got the reports of corrupted CFs, we just overnighted new
ones. Then, those died shortly, within a week or two. We replaced a complete
system: systemboard, memory and CF.

I am losing my hair and sleep, thinking one of our most reliable systems
being shipped since 2006 is having compatibility issues with pfSense 2.0.

I am hoping that this is the real cause. And I can stop a flood of support
issues.

Bao

On Sun, Mar 6, 2011 at 2:12 PM, Bart Grefte  wrote:

>  Someone already made a bugreport http://redmine.pfsense.org/issues/1279
>  ;)
>
>
>
>
>  --
>
> *From:* Bao Ha [mailto:b...@hacom.net]
> *Sent:* Sunday, 6 March 2011 23:06
> *To:* customersupp...@pfsense.org
> *CC:* support@pfsense.com
> *Subject:* [pfSense Support] pfSense 2.0 RC1 Nanobsd Problem
>
>
>
> Something happened in BETA5 and it was carried into RC1, up to today
> snapshot: 20110306-0859.
>
> The file system in nanobsd version is now mounted fully RW, see the
> following "mount" command:
>
> ...
>
> [2.0-RC1][admin@pfHacom.localdomain]/root(1): mount
> /dev/ufs/pfsense0 on / (ufs, local)
> devfs on /dev (devfs, local)
> /dev/md0 on /tmp (ufs, local)
> /dev/md1 on /var (ufs, local)
> /dev/ufs/cf on /cf (ufs, local)
> devfs on /var/dhcpd/dev (devfs, local)
>
> ...
>
> I believe they are supposed to be mounted read-only or at least RW with
> NOATIME.
>
> We have had at least two systems running pfSense 2.0 BETA5 and RC1 RMAed
> back with suspected hardware problems, causing corruption of compact flash
> memory. We think the "root" cause of this problem is due to the filesystems
> mounted fully RW in the compact flash.
>
> We plan to distribute the following temporary fix to our customers who want
> to run pfSense 2.0:
>
> ...
>
> [2.0-RC1][admin@pfHacom.localdomain]/root(1): cat /usr/local/etc/rc.d/hacom.sh
> #!/bin/sh
>
> # hacom.sh - BCH 3/6/2011
> #   Temporary fix to mount the filesystem Read-Only to avoid destroying flash memory
>
> PLATFORM=`/bin/cat /etc/platform`
>
> if [ "$PLATFORM" = "nanobsd" ]; then
>     /sbin/mount -u -oro /; /sbin/mount -u -onoatime /cf
> fi
>
> ...
>
>
>
> Appreciate if someone look into this problem.
>
>
>
> I have also CCed this message to support@pfsense.com to notify others
> currently using pfSense 2.0 RC1 nanobsd version of the danger to flash
> memory.
>
>
>
> Thanks.
>
> Bao
>
> --
> Best Regards.
> Bao C. Ha
> Hacom - Embedded Systems and Appliances
> http://www.hacom.net
> voice: (714) 564-9932
>



-- 
Best Regards.
Bao C. Ha
Hacom - Embedded Systems and Appliances
http://www.hacom.net
voice: (714) 564-9932


RE: [pfSense Support] pfSense 2.0 RC1 Nanobsd Problem

2011-03-06 Thread Bart Grefte
Someone already made a bugreport  <http://redmine.pfsense.org/issues/1279>
http://redmine.pfsense.org/issues/1279  ;)

 

 

  _  

From: Bao Ha [mailto:b...@hacom.net]
Sent: Sunday, 6 March 2011 23:06
To: customersupp...@pfsense.org
CC: support@pfsense.com
Subject: [pfSense Support] pfSense 2.0 RC1 Nanobsd Problem

 

Something happened in BETA5 and it was carried into RC1, up to today
snapshot: 20110306-0859.


The file system in nanobsd version is now mounted fully RW, see the
following "mount" command:

...

[2.0-RC1][admin@pfHacom.localdomain]/root(1): mount
/dev/ufs/pfsense0 on / (ufs, local)
devfs on /dev (devfs, local)
/dev/md0 on /tmp (ufs, local)
/dev/md1 on /var (ufs, local)
/dev/ufs/cf on /cf (ufs, local)
devfs on /var/dhcpd/dev (devfs, local)

...

I believe they are supposed to be mounted read-only or at least RW with
NOATIME.

We have had at least two systems running pfSense 2.0 BETA5 and RC1 RMAed
back with suspected hardware problems, causing corruption of compact flash
memory. We think the "root" cause of this problem is due to the filesystems
mounted fully RW in the compact flash.

We plan to distribute the following temporary fix to our customers who want
to run pfSense 2.0:

...

[2.0-RC1][admin@pfHacom.localdomain]/root(1): cat /usr/local/etc/rc.d/hacom.sh
#!/bin/sh

# hacom.sh - BCH 3/6/2011
#   Temporary fix to mount the filesystem Read-Only to avoid destroying flash memory

PLATFORM=`/bin/cat /etc/platform`

if [ "$PLATFORM" = "nanobsd" ]; then
    /sbin/mount -u -oro /; /sbin/mount -u -onoatime /cf
fi

...

 

Appreciate if someone look into this problem.

 

I have also CCed this message to support@pfsense.com to notify others
currently using pfSense 2.0 RC1 nanobsd version of the danger to flash
memory.

 

Thanks.

Bao

-- 
Best Regards.
Bao C. Ha
Hacom - Embedded Systems and Appliances
http://www.hacom.net 
voice: (714) 564-9932



[pfSense Support] pfSense 2.0 RC1 Nanobsd Problem

2011-03-06 Thread Bao Ha
Something happened in BETA5 and it was carried into RC1, up to today
snapshot: 20110306-0859.

The file system in nanobsd version is now mounted fully RW, see the
following "mount" command:
...
[2.0-RC1][admin@pfHacom.localdomain]/root(1): mount
/dev/ufs/pfsense0 on / (ufs, local)
devfs on /dev (devfs, local)
/dev/md0 on /tmp (ufs, local)
/dev/md1 on /var (ufs, local)
/dev/ufs/cf on /cf (ufs, local)
devfs on /var/dhcpd/dev (devfs, local)
...

I believe they are supposed to be mounted read-only or at least RW with
NOATIME.

We have had at least two systems running pfSense 2.0 BETA5 and RC1 RMAed
back with suspected hardware problems, causing corruption of compact flash
memory. We think the "root" cause of this problem is due to the filesystems
mounted fully RW in the compact flash.

We plan to distribute the following temporary fix to our customers who want
to run pfSense 2.0:
...
[2.0-RC1][admin@pfHacom.localdomain]/root(1): cat /usr/local/etc/rc.d/hacom.sh
#!/bin/sh

# hacom.sh - BCH 3/6/2011
#   Temporary fix to mount the filesystem Read-Only to avoid destroying flash memory

PLATFORM=`/bin/cat /etc/platform`

if [ "$PLATFORM" = "nanobsd" ]; then
    /sbin/mount -u -oro /; /sbin/mount -u -onoatime /cf
fi

...

Appreciate if someone look into this problem.

I have also CCed this message to support@pfsense.com to notify others
currently using pfSense 2.0 RC1 nanobsd version of the danger to flash
memory.

Thanks.
Bao
-- 
Best Regards.
Bao C. Ha
Hacom - Embedded Systems and Appliances
http://www.hacom.net
voice: (714) 564-9932
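
The check described in the message above (UFS file systems on the flash card that are writable and still updating access times), as an added example that is not part of the original post or of pfSense. The function names and the second sample are constructed here, and the script assumes FreeBSD's `mount` lists `read-only` and `noatime` in the parenthesised option list.

```shell
#!/bin/sh
# Added example (not from the original post): classify FreeBSD `mount` output
# to find UFS file systems on flash that are writable with atime updates on.

# Mount table as quoted in the post (2.0-RC1 nanobsd).
SAMPLE_BEFORE='/dev/ufs/pfsense0 on / (ufs, local)
devfs on /dev (devfs, local)
/dev/md0 on /tmp (ufs, local)
/dev/md1 on /var (ufs, local)
/dev/ufs/cf on /cf (ufs, local)
devfs on /var/dhcpd/dev (devfs, local)'

# Constructed sample: the same table as it is assumed to look after the
# workaround from the post (mount -u -oro / and mount -u -onoatime /cf).
SAMPLE_AFTER='/dev/ufs/pfsense0 on / (ufs, local, read-only)
devfs on /dev (devfs, local)
/dev/md0 on /tmp (ufs, local)
/dev/md1 on /var (ufs, local)
/dev/ufs/cf on /cf (ufs, local, noatime)
devfs on /var/dhcpd/dev (devfs, local)'

# Reads `mount` output on stdin and prints "<mountpoint> <state>" for every
# UFS file system that lives on real media. States:
#   ro          mounted read-only, no writes reach the flash
#   rw-noatime  writable, but reads do not trigger access-time writes
#   rw-atime    writable and every read may cause an inode update
classify_mounts() {
    awk '
    {
        # Line format: <device> on <mountpoint> (<fstype>, <option>, ...)
        p = index($0, " (")
        if (p == 0) next
        head = substr($0, 1, p - 1)
        opts = substr($0, p + 2)
        sub(/\)[ \t]*$/, "", opts)
        sep = index(head, " on ")
        if (sep == 0) next
        dev = substr(head, 1, sep - 1)
        mnt = substr(head, sep + 4)
        n = split(opts, f, /, */)
        if (f[1] != "ufs") next            # devfs and friends never hit flash
        if (dev ~ /^\/dev\/md[0-9]/) next  # md(4) memory disks live in RAM
        ro = 0; noatime = 0
        for (i = 2; i <= n; i++) {
            if (f[i] == "read-only") ro = 1
            if (f[i] == "noatime") noatime = 1
        }
        if (ro) state = "ro"
        else if (noatime) state = "rw-noatime"
        else state = "rw-atime"
        print mnt, state
    }'
}

# Reads `mount` output on stdin and prints how many file systems are rw-atime.
count_at_risk() {
    classify_mounts | awk '$NF == "rw-atime" { n++ } END { print n + 0 }'
}

echo "mount table from the post:"
printf '%s\n' "$SAMPLE_BEFORE" | classify_mounts
echo "at risk: $(printf '%s\n' "$SAMPLE_BEFORE" | count_at_risk)"
echo "after the workaround (constructed):"
printf '%s\n' "$SAMPLE_AFTER" | classify_mounts
echo "at risk: $(printf '%s\n' "$SAMPLE_AFTER" | count_at_risk)"
```

On a live system, `mount | classify_mounts` gives the same report for the running box.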


[pfSense Support] pfSense 2.0 & Dashboard-Widgets (CPU)

2011-03-04 Thread Fuchs, Martin
Hi !

After an upgrade from 1.2.3 to 2.0 RC1 I'm missing the 
dashboard-cpu-usage-widget...
I have an error in my Dashboard which tells me that the files are missing :(

Will this widget be updated or is it suspended ?

Regards,

martin


[pfSense Support] pfSense 2.0 free radius command line

2011-02-20 Thread - Dickie Bradford -
I am looking to upgrade to 2.0 soon and wanted to find out if there is a 
way to add / remove users to captive portal / free radius via command 
line so that I can automate this task?


Thnx in advance :-)

--
Dickie Bradford
Never-Enuff Internet
D12 Networks
P.O.Box 426
Colver, Pa 15927-0426
http://www.Never-Enuff.net
http://www.D12Networks.com
Toll Free: 1-800-647-3145
Local: 814-569-1934

The man who sais it cannot be done, should not interupt
the man who is trying to do it!





Re: [pfSense Support] pfSense 2.0 : 512MB images have no use anymore ?

2011-02-08 Thread Chris Buechler
On Sun, Feb 6, 2011 at 2:19 PM, Michel Servaes  wrote:
> Hi,
>
> Have posted it on the forum too, I think that the 512MB images have no use
> anymore.
> Yesterday I tried to update to the latest snapshot, but it told me that the
> file was corrupted.
>
> When checking into SSH, I saw that only 43MB was free on the CF card. (this
> can't store a 63MB image obviously). I have not a single package installed.
>

The image sizes are fluctuating quite a bit while debug options are
added/removed, etc. The final release should be small enough to
function on 512 MB.




[pfSense Support] pfSense 2.0 : 512MB images have no use anymore ?

2011-02-06 Thread Michel Servaes

Hi,

Have posted it on the forum too, I think that the 512MB images have no 
use anymore.
Yesterday I tried to update to the latest snapshot, but it told me that 
the file was corrupted.


When checking into SSH, I saw that only 43MB was free on the CF card. 
(this can't store a 63MB image obviously). I have not a single package 
installed.


Today, I reflashed a 4GB cf-card with a 1GB image - this seems to give 
me enough space for the near future :) (I now have 217MB free on one 
slice of the CF card).



Kind regards,
Michel



ps. I have a question about the Slices... how does it perform a choice 
to the other slice, if one of the parts is not working... let's say 
slice1 does not respond, or reboots for an unknown reason, will it 
automatically choose slice2 ?? (or does one have to be on the console to 
make that choice ?)






RE: [pfSense Support] pfSense 2.0, upgrade to this morning's snap problem

2011-01-25 Thread Dimitri Rodis
On Mon, Jan 24, 2011 at 7:42 PM, Dimitri Rodis  
wrote:
> After an upgrade to this morning's snap, I received the following
> after the upgrade/reboot (it's what's on my PuTTY atm):
>
>
>
> Syncing OpenVPN settings...done.
>
> Starting syslog...done.
>
> Configuring firewall..done.
>
> Starting PFLOG...done.
>
> Setting up gateway monitors...done.
>
> Synchronizing user settings...done.
>
> Starting webConfigurator...done.
>
> Configuring CRON...done.
>
> Starting OpenNTP time client...done.
>
> Starting DHCP service...done.
>
> Starting DNS forwarder...done.
>
> Configuring firewall..done.
>
> kernel trap 12 with interrupts disabled
>
>
>
>
>
> Fatal trap 12: page fault while in kernel mode
>
> cpuid = 0; apic id = 00
>
> fault virtual address   = 0x8
>
> fault code  = supervisor read, page not present
>
> instruction pointer = 0x20:0xc094d130
>
> stack pointer   = 0x28:0xc27d1b84
>
> frame pointer   = 0x28:0xc27d1ba4
>
> code segment= base 0x0, limit 0xf, type 0x1b
>
> = DPL 0, pres 1, def32 1, gran 1
>
> processor eflags= resume, IOPL = 0
>
> current process = 11 (swi4: clock)
>
> trap number = 12
>
> panic: page fault
>
> cpuid = 0
>
> Uptime: 25s
>
> Cannot dump. Device not defined or unavailable.
>
> Automatic reboot in 15 seconds - press a key on the console to abort
>
> --> Press a key on the console to reboot,
>
> --> or switch off the system now.
>
>
>If you have a bridge setup please upgrade to the 2nd next snapshot.
>
>
>--
>Ermal

I did have ports bridged on this device, yes. For some reason, the device would 
still not boot even if I booted back to the original slice using the boot menu 
on the console---I ended up having to reflash my CF card and then it booted 
(but the config is still default). Then again, I don't know that I rebooted 
ever since I configured the bridge

Thanks Ermal.





Re: [pfSense Support] pfSense 2.0, upgrade to this morning's snap problem

2011-01-25 Thread Ermal Luçi
On Mon, Jan 24, 2011 at 7:42 PM, Dimitri Rodis
 wrote:
> After an upgrade to this morning’s snap, I received the following after the
> upgrade/reboot (it’s what’s on my PuTTY atm):
>
>
>
> Syncing OpenVPN settings...done.
>
> Starting syslog...done.
>
> Configuring firewall..done.
>
> Starting PFLOG...done.
>
> Setting up gateway monitors...done.
>
> Synchronizing user settings...done.
>
> Starting webConfigurator...done.
>
> Configuring CRON...done.
>
> Starting OpenNTP time client...done.
>
> Starting DHCP service...done.
>
> Starting DNS forwarder...done.
>
> Configuring firewall..done.
>
> kernel trap 12 with interrupts disabled
>
>
>
>
>
> Fatal trap 12: page fault while in kernel mode
>
> cpuid = 0; apic id = 00
>
> fault virtual address   = 0x8
>
> fault code  = supervisor read, page not present
>
> instruction pointer = 0x20:0xc094d130
>
> stack pointer   = 0x28:0xc27d1b84
>
> frame pointer   = 0x28:0xc27d1ba4
>
> code segment    = base 0x0, limit 0xf, type 0x1b
>
>     = DPL 0, pres 1, def32 1, gran 1
>
> processor eflags    = resume, IOPL = 0
>
> current process = 11 (swi4: clock)
>
> trap number = 12
>
> panic: page fault
>
> cpuid = 0
>
> Uptime: 25s
>
> Cannot dump. Device not defined or unavailable.
>
> Automatic reboot in 15 seconds - press a key on the console to abort
>
> --> Press a key on the console to reboot,
>
> --> or switch off the system now.
>
>
If you have a bridge setup please upgrade to the 2nd next snapshot.


-- 
Ermal




Re: [pfSense Support] pfSense 2.0, upgrade to this morning's snap problem

2011-01-24 Thread David Burgess
On Mon, Jan 24, 2011 at 11:42 AM, Dimitri Rodis
 wrote:
> After an upgrade to this morning’s snap, I received the following after the
> upgrade/reboot (it’s what’s on my PuTTY atm):

This looks a lot like what's being discussed here, although I don't
see the em driver implicated in your output:

http://forum.pfsense.org/index.php/topic,31721.0.html

db




[pfSense Support] pfSense 2.0, upgrade to this morning's snap problem

2011-01-24 Thread Dimitri Rodis
After an upgrade to this morning's snap, I received the following after the 
upgrade/reboot (it's what's on my PuTTY atm):

Syncing OpenVPN settings...done.
Starting syslog...done.
Configuring firewall..done.
Starting PFLOG...done.
Setting up gateway monitors...done.
Synchronizing user settings...done.
Starting webConfigurator...done.
Configuring CRON...done.
Starting OpenNTP time client...done.
Starting DHCP service...done.
Starting DNS forwarder...done.
Configuring firewall..done.
kernel trap 12 with interrupts disabled


Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0x8
fault code              = supervisor read, page not present
instruction pointer     = 0x20:0xc094d130
stack pointer           = 0x28:0xc27d1b84
frame pointer           = 0x28:0xc27d1ba4
code segment            = base 0x0, limit 0xf, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = resume, IOPL = 0
current process         = 11 (swi4: clock)
trap number             = 12
panic: page fault
cpuid = 0
Uptime: 25s
Cannot dump. Device not defined or unavailable.
Automatic reboot in 15 seconds - press a key on the console to abort
--> Press a key on the console to reboot,
--> or switch off the system now.



Re: [pfSense Support] pfsense 2.0 BETA5 Can't get PPPoE working!

2011-01-13 Thread Maik Heinelt

On 2011/01/14 2:50, Chris Buechler wrote:

> On Wed, Jan 12, 2011 at 8:07 PM, Maik Heinelt  wrote:
>> Well, if I can help
>> We have a PPPoE line for developing & tests.
>> I could setup a pfsense 2.0 Beta5 box and make you ssh login to it.
>> Then you, or other pfsense developer can debug it.
>
> That would be ideal, was going to ask for that but generally you can't
> get Internet access to a box that can't connect to the Internet. :) If
> you have another means of getting it on the Internet, that'd be great.
> Contact Ermal off list with info.
>
> Alternatively, for others who can't provide such access, getting a
> pcap of the PPPoE attempts would be helpful, the logs aren't showing
> much in this case. Running:
> tcpdump -i xx0 -s 0 -w /tmp/pppoe.pcap
>
> where xx0 is your physical WAN interface (em0, re0, whatever it may
> be). Let that run for a few minutes and hit ctrl-c to break out, then
> go to Diagnostics>Command and paste /tmp/pppoe.pcap in the file
> download box, and email that file to me and/or Ermal off list.


Chris,
I will prepare a pfsense box, today and if you would like to debug it, I 
would appreciate it.
We have more than one Internet line here, so I'm able to share the box 
on one Internet connection via SSH and connect it to our spare one.
But I would like to be in the office, while you are on that machine. 
Just to be sure, weird things are going on, there! ;)


If you are interested, I will send you the connecting data on your 
personal email account.


Maik

Re: [pfSense Support] pfsense 2.0 BETA5 Can't get PPPoE working!

2011-01-13 Thread Chris Buechler
On Wed, Jan 12, 2011 at 8:07 PM, Maik Heinelt  wrote:
>
> Well, if I can help
> We have a PPPoE line for developing & tests.
> I could setup a pfsense 2.0 Beta5 box and make you ssh login to it.
> Then you, or other pfsense developer can debug it.
>

That would be ideal, was going to ask for that but generally you can't
get Internet access to a box that can't connect to the Internet. :) If
you have another means of getting it on the Internet, that'd be great.
Contact Ermal off list with info.

Alternatively, for others who can't provide such access, getting a
pcap of the PPPoE attempts would be helpful, the logs aren't showing
much in this case. Running:
tcpdump -i xx0 -s 0 -w /tmp/pppoe.pcap

where xx0 is your physical WAN interface (em0, re0, whatever it may
be). Let that run for a few minutes and hit ctrl-c to break out, then
go to Diagnostics>Command and paste /tmp/pppoe.pcap in the file
download box, and email that file to me and/or Ermal off list.




Re: [pfSense Support] pfsense 2.0 BETA5 Can't get PPPoE working!

2011-01-13 Thread Ermal Luçi
On Thu, Jan 13, 2011 at 2:07 AM, Maik Heinelt  wrote:
> On 2011/01/13 9:20, Chris Buechler wrote:
>>
>> On Wed, Jan 12, 2011 at 1:43 PM, Charles N Wyble
>>   wrote:
>>>
>>> Same here. No PPPOE support.
>>>
>> It works fine for the vast majority, there are some edge cases that
>> don't work and we don't know why yet at this point. Send logs, "it
>> doesn't work" isn't helpful.
>>
>>
> Well, if I can help
> We have a PPPoE line for developing & tests.
> I could setup a pfsense 2.0 Beta5 box and make you ssh login to it.
> Then you, or other pfsense developer can debug it.
>
> I just would like to make it working!
>
> How about that idea?
>
> Maik
>

That can be helpful too.
Please provide the setup and details to me privately so i can give a look.

>



-- 
Ermal




Re: [pfSense Support] pfsense 2.0 BETA5 Can't get PPPoE working!

2011-01-12 Thread Maik Heinelt

On 2011/01/13 9:20, Chris Buechler wrote:

> On Wed, Jan 12, 2011 at 1:43 PM, Charles N Wyble
>   wrote:
>> Same here. No PPPOE support.
>
> It works fine for the vast majority, there are some edge cases that
> don't work and we don't know why yet at this point. Send logs, "it
> doesn't work" isn't helpful.


Well, if I can help
We have a PPPoE line for developing & tests.
I could setup a pfsense 2.0 Beta5 box and make you ssh login to it.
Then you, or other pfsense developer can debug it.

I just would like to make it working!

How about that idea?

Maik

Re: [pfSense Support] pfsense 2.0 BETA5 Can't get PPPoE working!

2011-01-12 Thread Maik Heinelt

On 2011/01/13 9:20, Chris Buechler wrote:

> On Wed, Jan 12, 2011 at 1:43 PM, Charles N Wyble
>   wrote:
>> Same here. No PPPOE support.
>
> It works fine for the vast majority, there are some edge cases that
> don't work and we don't know why yet at this point. Send logs, "it
> doesn't work" isn't helpful.


You might not have noticed, but I already sent logs in my second mail!

Maik

Re: [pfSense Support] pfsense 2.0 BETA5 Can't get PPPoE working!

2011-01-12 Thread Chris Buechler
On Wed, Jan 12, 2011 at 1:43 PM, Charles N Wyble
 wrote:
>
> Same here. No PPPOE support.
>

It works fine for the vast majority, there are some edge cases that
don't work and we don't know why yet at this point. Send logs, "it
doesn't work" isn't helpful.




Re: [pfSense Support] pfsense 2.0 BETA5 Can't get PPPoE working!

2011-01-12 Thread Maik Heinelt

On 2011/01/13 3:43, Charles N Wyble wrote:

> On 01/12/2011 12:30 AM, Maik Heinelt wrote:
>> On 2011/01/12 17:22, Chris Buechler wrote:
>>> On Wed, Jan 12, 2011 at 3:18 AM, Maik Heinelt wrote:
>>>> These days, I want to give version 2.0 a try, but it doesn't really
>>>> work for me.
>
> Same here. No PPPOE support.
>
>>>> Till now, we used pfsense 1.2.3 and our PPPoE configuration worked
>>>> without any trouble.
>
> Same here.
>
>>>> But if I set up pfsense 2.0 Beta 5 with exactly the same settings, I'm
>>>> always not able to reach the internet.
>
> Yep.
>
>>>> The interface page in pfsense always shows a "down" mark for both,
>>>> Status and PPPoE.
>
> Same here.
>
>>>> Also if I click the "Connect" button, a short time later, it shows "up"
>>>> and after reloading the page, it changes back to "down".
>
> Same.
>
> --
> Charles N Wyble (char...@knownelement.com)
> Systems craftsman for the stars
> http://www.knownelement.com
> Mobile: 626 539 4344
> Office: 310 929 8793


Good to hear I'm not the only one with this problem.
But it would be better if someone could help to solve this problem.
We would like to use pfsense 2.0 for VPN usage, but without working
PPPoE functionality, pfsense is not usable for us and any other person
with a PPPoE connection.

Maik

Re: [pfSense Support] pfsense 2.0 BETA5 Can't get PPPoE working!

2011-01-12 Thread Charles N Wyble

On 01/12/2011 12:30 AM, Maik Heinelt wrote:
> On 2011/01/12 17:22, Chris Buechler wrote:
>> On Wed, Jan 12, 2011 at 3:18 AM, Maik Heinelt 
>> wrote:
>>> These days, I want to give version 2.0 a try, but it doesn't really
>>> work for me.

Same here. No PPPOE support.

>>>
>>> Till now, we used pfsense 1.2.3 and our PPPoE configuration worked
>>> without
>>> any trouble.

Same here.

>>> But if I set up pfsense 2.0 Beta 5 with exactly the same settings, I'm
>>> always not able to reach the internet.

Yep.


>>>
>>> The interface page in pfsense always shows a "down" mark for both,
>>> Status and PPPoE.

Same here.

>>> Also if I click the "Connect" button, a short time later, it shows "up"
>>> and after reloading the page, it changes back to "down".

Same.


--
Charles N Wyble (char...@knownelement.com)
Systems craftsman for the stars
http://www.knownelement.com
Mobile: 626 539 4344
Office: 310 929 8793



Re: [pfSense Support] pfsense 2.0 BETA5 Can't get PPPoE working!

2011-01-12 Thread Maik Heinelt

On 2011/01/12 17:22, Chris Buechler wrote:

> On Wed, Jan 12, 2011 at 3:18 AM, Maik Heinelt wrote:
>> These days, I want to give version 2.0 a try, but it doesn't really work for
>> me.
>>
>> Till now, we used pfsense 1.2.3 and our PPPoE configuration worked without
>> any trouble.
>> But if I set up pfsense 2.0 Beta 5 with exactly the same settings, I'm always
>> not able to reach the internet.
>>
>> The interface page in pfsense always shows a "down" mark for both, Status and
>> PPPoE.
>> Also if I click the "Connect" button, a short time later, it shows "up" and
>> after reloading the page, it changes back to "down".
>>
>> I'm sure I use the correct configuration for our ISP.
>>
>> Any hint?
>
> What do your mpd logs show?



Here are my PPP logs:

Jan 1 09:13:56 ppp: [wan_link0] LCP: Down event
Jan 1 09:13:56 ppp: [wan_link0] Link: reconnection attempt 50 in 3 seconds
Jan 1 09:13:59 ppp: [wan_link0] Link: reconnection attempt 50
Jan 1 09:13:59 ppp: [wan_link0] PPPoE: Connecting to 'OCN'
Jan 1 09:14:08 ppp: [wan_link0] PPPoE connection timeout after 9 seconds
Jan 1 09:14:08 ppp: [wan_link0] Link: DOWN event
Jan 1 09:14:08 ppp: [wan_link0] LCP: Down event
Jan 1 09:14:08 ppp: [wan_link0] Link: reconnection attempt 51 in 1 seconds
Jan 1 09:14:09 ppp: [wan_link0] Link: reconnection attempt 51
Jan 1 09:14:09 ppp: [wan_link0] PPPoE: Connecting to 'OCN'
Jan 1 09:14:18 ppp: [wan_link0] PPPoE connection timeout after 9 seconds
Jan 1 09:14:18 ppp: [wan_link0] Link: DOWN event
Jan 1 09:14:18 ppp: [wan_link0] LCP: Down event
Jan 1 09:14:18 ppp: [wan_link0] Link: reconnection attempt 52 in 2 seconds
Jan 1 09:14:20 ppp: [wan_link0] Link: reconnection attempt 52
Jan 1 09:14:20 ppp: [wan_link0] PPPoE: Connecting to 'OCN'
Jan 1 09:14:29 ppp: [wan_link0] PPPoE connection timeout after 9 seconds
Jan 1 09:14:29 ppp: [wan_link0] Link: DOWN event
Jan 1 09:14:29 ppp: [wan_link0] LCP: Down event
Jan 1 09:14:29 ppp: [wan_link0] Link: reconnection attempt 53 in 1 seconds
Jan 1 09:14:30 ppp: [wan_link0] Link: reconnection attempt 53

The cable is connected (I just unplugged the cable from the other router and
plugged it into the WAN port of pfsense 2.0).

The WAN port is configured on VR1, which is the middle port on our alix board.

Thanks

Maik
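The PPP log in the message above, summarised per reconnection attempt; this is an added example, not code from the thread, pfSense or mpd. The sample input is constructed in the format of the quoted log, and the success markers (`PPPoE: connection successful`, `Link: UP event`) are assumptions about what a working session logs, since the thread shows only failures.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the format of the PPP log quoted above, including
# records that a mail client hard-wrapped onto a second line.
SAMPLE_LOG = """\
Jan 1 09:13:56 ppp: [wan_link0] LCP: Down event
Jan 1 09:13:56 ppp: [wan_link0] Link: reconnection attempt 50 in 3
seconds

Jan 1 09:13:59 ppp: [wan_link0] Link: reconnection attempt 50
Jan 1 09:13:59 ppp: [wan_link0] PPPoE: Connecting to 'OCN'
Jan 1 09:14:08 ppp: [wan_link0] PPPoE connection timeout after 9 seconds
Jan 1 09:14:08 ppp: [wan_link0] Link: DOWN event
Jan 1 09:14:08 ppp: [wan_link0] LCP: Down event
Jan 1 09:14:08 ppp: [wan_link0] Link: reconnection attempt 51 in 1
seconds

Jan 1 09:14:09 ppp: [wan_link0] Link: reconnection attempt 51
Jan 1 09:14:09 ppp: [wan_link0] PPPoE: Connecting to 'OCN'
Jan 1 09:14:18 ppp: [wan_link0] PPPoE connection timeout after 9 seconds
Jan 1 09:14:18 ppp: [wan_link0] Link: DOWN event
Jan 1 09:14:18 ppp: [wan_link0] LCP: Down event
Jan 1 09:14:20 ppp: [wan_link0] Link: reconnection attempt 52
"""

RECORD = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+ppp:\s+"
    r"\[(?P<link>[^\]]+)\]\s+(?P<msg>.*)$"
)
ATTEMPT = re.compile(r"^Link: reconnection attempt (\d+)$")   # start of a try
CONNECTING = re.compile(r"^PPPoE: Connecting to '(.*)'$")
TIMEOUT = re.compile(r"^PPPoE connection timeout after (\d+) seconds$")
# Assumed success markers; they do not appear anywhere in the thread.
SUCCESS = ("PPPoE: connection successful", "Link: UP event")


@dataclass
class Attempt:
    number: int
    link: str
    started: str
    service: Optional[str] = None
    outcome: str = "incomplete"          # no verdict line seen yet
    timeout_secs: Optional[int] = None


def unwrap(text: str) -> List[re.Match]:
    """Rejoin records that were hard-wrapped in transit, then parse them."""
    joined: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if RECORD.match(line) or not joined:
            joined.append(line)
        else:                            # continuation of the previous record
            joined[-1] += " " + line
    return [m for m in map(RECORD.match, joined) if m]


def classify(text: str) -> List[Attempt]:
    """Group records by reconnection attempt and note where each one stopped."""
    attempts: List[Attempt] = []
    current: Dict[str, Attempt] = {}     # link name -> attempt in progress
    for m in unwrap(text):
        link, msg = m["link"], m["msg"]
        started = ATTEMPT.match(msg)
        if started:
            current[link] = Attempt(int(started[1]), link, m["ts"])
            attempts.append(current[link])
            continue
        att = current.get(link)
        if att is None:
            continue                     # lines before the first attempt marker
        if (c := CONNECTING.match(msg)):
            att.service = c[1]
        elif (t := TIMEOUT.match(msg)):
            att.outcome, att.timeout_secs = "pppoe-timeout", int(t[1])
        elif msg in SUCCESS:
            att.outcome = "connected"
    return attempts


def summarise(attempts: List[Attempt]) -> dict:
    """Count outcomes; flag the case where no finished attempt got past the
    PPPoE connect step."""
    finished = [a for a in attempts if a.outcome != "incomplete"]
    return {
        "counts": dict(Counter(a.outcome for a in attempts)),
        "never_past_connect": bool(finished)
        and all(a.outcome == "pppoe-timeout" for a in finished),
        "services": sorted({a.service for a in attempts if a.service}),
    }


if __name__ == "__main__":
    for a in classify(SAMPLE_LOG):
        print(a)
    print(summarise(classify(SAMPLE_LOG)))
```

On this input every finished attempt ends in a PPPoE connection timeout and none gets as far as LCP negotiation or authentication, which points at the PPPoE connect step on the WAN link rather than at credentials.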

Re: [pfSense Support] pfsense 2.0 BETA5 Can't get PPPoE working!

2011-01-12 Thread Chris Buechler
On Wed, Jan 12, 2011 at 3:18 AM, Maik Heinelt  wrote:
> These days, I want to give version 2.0 a try, but it doesn't really work for
> me.
>
> Till now, we used pfsense 1.2.3 and our PPPoE configuration worked without
> any trouble.
> But if I set up pfsense 2.0 Beta 5 with exactly the same settings, I'm always
> not able to reach the internet.
>
> The interface page in pfsense always shows a "down" mark for both, Status and
> PPPoE.
> Also if I click the "Connect" button, a short time later, it shows "up" and
> after reloading the page, it changes back to "down".
>
> I'm sure, I use correct configuration for our ISP.
>
> Any hint?
>

What do your mpd logs show?




[pfSense Support] pfsense 2.0 BETA5 Can't get PPPoE working!

2011-01-12 Thread Maik Heinelt
These days, I want to give version 2.0 a try, but it doesn't really work
for me.

Till now, we used pfsense 1.2.3 and our PPPoE configuration worked
without any trouble.
But if I set up pfsense 2.0 Beta 5 with exactly the same settings, I'm
always not able to reach the internet.

The interface page in pfsense always shows a "down" mark for both, Status
and PPPoE.
Also if I click the "Connect" button, a short time later, it shows "up"
and after reloading the page, it changes back to "down".


I'm sure, I use correct configuration for our ISP.

Any hint?


Thanks

Maik


Re: [pfSense Support] pfSense 2.0 BETA4 : IPv6?

2010-12-23 Thread Sean Cavanaugh

Update:

I have IPv6 successfully running up to the pfsense box and I can ping out as
far as the Server IPv6 address but cannot get anything beyond that.

"Destination Net Unreachable"

I will dig deeper into it this afternoon.






Re: [pfSense Support] pfSense 2.0 BETA4 : IPv6?

2010-12-23 Thread Sean Cavanaugh
-Original Message-
From: Seth Mos

Sent: Thursday, December 23, 2010 8:13 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] pfSense 2.0 BETA4 : IPv6?

Hi Sean,

On 23-12-2010 14:01, Sean Cavanaugh wrote:

>-Original Message-

From: Sean Cavanaugh Sent: Wednesday, December 22, 2010 7:39 PM To:
support@pfsense.com Subject: Re: [pfSense Support] pfSense 2.0 BETA4 :
IPv6?



Verified with wireshark that the DHCPv6 requests are going out but I am
not seeing any response from pfsense for them. DHCP Log shows (blanked
out part of address):

Dec 23 07:18:36 dhcpd: Listening on Socket/14/em1/2001:470:7:XXXx::/64
Dec 23 07:18:36 dhcpd: Sending on Socket/14/em1/2001:470:7:::/64


Thanks for helping out with this, I've had a heck of a time
troubleshooting this in my test setup and had been unable to verify its
operation.

I do have rtadvd configured to tell the hosts to use "managed" e.g. dhcp
for ipv6 configuration, but it always falls back to autoconfig.


and no other DHCPv6 entries


I think I need to add other firewall rules for traffic to leave the
pfsense box, specifically for dhcp v6.

I am not sure what rules I exactly need for that. What I have not tried
yet is disabling pf using "pf -d". Maybe that dhcp succeeds without pf
in between.

I think that dhcp v6 uses port 567 but I'm unsure.

Your help in troubleshooting is greatly appreciated.

Regards,

Seth

--
--

I did realize that by default there is a LAN rule to allow all IPv4 out.
I created an equivalent IPv6 rule and BAM I got DHCP to work. Now I am just
verifying the rest of the setup.






Re: [pfSense Support] pfSense 2.0 BETA4 : IPv6?

2010-12-23 Thread Seth Mos

Hi Sean,

On 23-12-2010 14:01, Sean Cavanaugh wrote:

>-Original Message-

From: Sean Cavanaugh Sent: Wednesday, December 22, 2010 7:39 PM To:
support@pfsense.com Subject: Re: [pfSense Support] pfSense 2.0 BETA4 :
IPv6?



Verified with wireshark that the DHCPv6 requests are going out but I am
not seeing any response from pfsense for them. DHCP Log shows (blanked
out part of address):

Dec 23 07:18:36 dhcpd: Listening on Socket/14/em1/2001:470:7:XXXx::/64
Dec 23 07:18:36 dhcpd: Sending on Socket/14/em1/2001:470:7:::/64


Thanks for helping out with this, I've had a heck of a time
troubleshooting this in my test setup and had been unable to verify its
operation.


I do have rtadvd configured to tell the hosts to use "managed" e.g. dhcp 
for ipv6 configuration, but it always falls back to autoconfig.



and no other DHCPv6 entries


I think I need to add other firewall rules for traffic to leave the 
pfsense box, specifically for dhcp v6.


I am not sure what rules I exactly need for that. What I have not tried 
yet is disabling pf using "pf -d". Maybe that dhcp succeeds without pf 
in between.


I think that dhcp v6 uses port 567 but I'm unsure.

Your help in troubleshooting is greatly appreciated.

Regards,

Seth




Re: [pfSense Support] pfSense 2.0 BETA4 : IPv6?

2010-12-23 Thread Sean Cavanaugh
>-Original Message-
From: Sean Cavanaugh Sent: Wednesday, December 22, 2010 7:39 PM To: 
support@pfsense.com Subject: Re: [pfSense Support] pfSense 2.0 BETA4 : 
IPv6?
That helped out a lot. Now I am at the point where it is fully set up but
I cannot seem to get any response from the DHCPv6 server. I am installing
wireshark on another comp to make sure my desktop is even sending out the
requests.


Verified with wireshark that the DHCPv6 requests are going out but I am not 
seeing any response from pfsense for them. DHCP Log shows (blanked out part 
of address):


Dec 23 07:18:36 dhcpd: Listening on Socket/14/em1/2001:470:7:XXXx::/64
Dec 23 07:18:36 dhcpd: Sending on Socket/14/em1/2001:470:7:::/64

and no other DHCPv6 entries

em1 is my LAN connection 






Re: [pfSense Support] pfSense 2.0 BETA4 : IPv6?

2010-12-22 Thread Sean Cavanaugh
That helped out a lot. Now I am at the point where it is fully set up but I
cannot seem to get any response from the DHCPv6 server. I am installing
wireshark on another comp to make sure my desktop is even sending out the
requests.








Re: [pfSense Support] pfSense 2.0 BETA4 : IPv6?

2010-12-22 Thread Seth Mos

On 21-12-2010 22:50, Sean Cavanaugh wrote:

ok. I got past the gitsync by hitting enter and letting it actually
continue.

now after the sync I get the nice error
"Parse error: syntax error, unexpected T_SL in /etc/inc/vslb.inc on line 291"


Oops, my bad. I merged up with the current 2.0 code and I botched the
merge. Fixed.



this shows up in both console mode and in the web interface as well as
shuts down all firewall services.


I also noticed that lighty and apinger are still the wrong versions and 
don't include ipv6.


To replace lighty and apinger.
cd /usr/local/sbin
fetch http://iserv.nl/files/pfsense/apinger
fetch http://iserv.nl/files/pfsense/lighttpd
cd /usr/local/lib/lighttpd
fetch http://iserv.nl/files/pfsense/lighty.so.tgz
tar -xzf lighty.so.tgz

restart webconfigurator using option 11.

Regards,

Seth




Re: [pfSense Support] pfSense 2.0 BETA4 : IPv6?

2010-12-21 Thread Sean Cavanaugh
ok. I got past the gitsync by hitting enter and letting it actually
continue.


now after the sync I get the nice error
"Parse error: syntax error, unexpected T_SL in /etc/inc/vslb.inc on line 291"


this shows up in both console mode and in the web interface as well as shuts 
down all firewall services.


completed on snapshot of 2.0-BETA4 from yesterday 






Re: [pfSense Support] pfSense 2.0 BETA4 : IPv6?

2010-12-21 Thread Sean Cavanaugh

To me it looks like I never download the git repository info to begin with

-
Or alternatively you may enter a custom RCS branch URL (HTTP).


http://gitweb.pfsense.org/pfsense/pfSense-smos.git



NOTE: http://gitweb.pfsense.org/pfsense/pfSense-smos.git was not found.







Re: [pfSense Support] pfSense 2.0 BETA4 : IPv6?

2010-12-21 Thread Sean Cavanaugh
>-Original Message- 
From: Seth Mos Sent: Tuesday, December 21, 2010 3:02 AM To: 
support@pfsense.com Subject: Re: [pfSense Support] pfSense 2.0 BETA4 : 
IPv6?

On 21-12-2010 1:52, Sean Cavanaugh wrote:


after that, it asks if I want to sync with master which doesn’t do
anything.


It says press enter if done. Press enter. ;-)

The procedure for entering custom urls is that you enter it the 1st time, 
accept and then press enter to signal it to start.


After that it should promptly start syncing.

Regards,

Seth



That’s my point. It doesn’t look like it does a sync at all as I am missing
some of the pages like DHCPv6.
When I hit enter, it is done immediately with what looks like no attempt at
all to sync.






Re: [pfSense Support] pfSense 2.0 BETA4 : IPv6?

2010-12-21 Thread Seth Mos

On 21-12-2010 1:52, Sean Cavanaugh wrote:


after that, it asks if I want to sync with master which doesn’t do
anything.


It says press enter if done. Press enter. ;-)

The procedure for entering custom urls is that you enter it the 1st 
time, accept and then press enter to signal it to start.


After that it should promptly start syncing.

Regards,

Seth




Re: [pfSense Support] pfSense 2.0 BETA4 : IPv6?

2010-12-20 Thread Sean Cavanaugh


That's just telling you it's not one of the official URLs, just tell it 
yes.


after that, it asks if I want to sync with master which doesn’t do anything.

-
Or alternatively you may enter a custom RCS branch URL (HTTP).


http://gitweb.pfsense.org/pfsense/pfSense-smos.git



NOTE: http://gitweb.pfsense.org/pfsense/pfSense-smos.git was not found.

Is this a custom GIT URL? [y]? y
Checkout which branch [master]?

Add a custom RCS branch URL (HTTP) to merge in or press enter if done.




--





Re: [pfSense Support] pfSense 2.0 BETA4 : IPv6?

2010-12-20 Thread Chris Buechler
On Mon, Dec 20, 2010 at 6:53 PM, Sean Cavanaugh
 wrote:
> >-Original Message-
>>
>> From: Seth Mos
>> Sent: Monday, December 20, 2010 2:37 PM
>> To: support@pfsense.com
>> Subject: Re: [pfSense Support] pfSense 2.0 BETA4 : IPv6?
>>
>> There is a post in the forum, to my git branch and instructions for
>> support on 2.0 BETA
>>
>> http://iserv.nl/files/pfsense/ipv6/
>
>
> following these instructions, I am unable to download the .git file to start
> the sync.
>
> 
> Current repository is http://gitweb.pfsense.org/pfsense/mainline.git
>
> Please select which branch you would like to sync against:
>
> master   2.0 development branch
> RELENG_1_2       1.2* release branch
> build_commit     The commit originally used to build the image
>
> Or alternatively you may enter a custom RCS branch URL (HTTP).
>
>> http://gitweb.pfsense.org/pfsense/pfSense-smos.git
>
>
> NOTE: http://gitweb.pfsense.org/pfsense/pfSense-smos.git was not found.
>
> Is this a custom GIT URL? [y]?

That's just telling you it's not one of the official URLs, just tell it yes.




Re: [pfSense Support] pfSense 2.0 BETA4 : IPv6?

2010-12-20 Thread Sean Cavanaugh
>-Original Message-

From: Seth Mos
Sent: Monday, December 20, 2010 2:37 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] pfSense 2.0 BETA4 : IPv6?

There is a post in the forum, to my git branch and instructions for support 
on 2.0 BETA


http://iserv.nl/files/pfsense/ipv6/



following these instructions, I am unable to download the .git file to start 
the sync.



Current repository is http://gitweb.pfsense.org/pfsense/mainline.git

Please select which branch you would like to sync against:

master   2.0 development branch
RELENG_1_2   1.2* release branch
build_commit The commit originally used to build the image

Or alternatively you may enter a custom RCS branch URL (HTTP).


http://gitweb.pfsense.org/pfsense/pfSense-smos.git



NOTE: http://gitweb.pfsense.org/pfsense/pfSense-smos.git was not found.

Is this a custom GIT URL? [y]?
--- 






Re: [pfSense Support] pfSense 2.0 BETA4 : IPv6?

2010-12-20 Thread Seth Mos
There is a post in the forum, to my git branch and instructions for support on 
2.0 BETA

http://iserv.nl/files/pfsense/ipv6/

I'm currently using it in production on a carp cluster and appears to work fine 
for basic firewalling.

Regards,

Seth

On 20 Dec 2010, at 20:19, Bart Grefte wrote:

> IPv6 support does not get in pfSense till v2.1
> pfSense itself does not offer support (yet), the underlying OS (FreeBSD 7.2
> in my case) does :) ->
> I managed to get an IPv6 tunnel working in pfSense 1.2.3, while the clients
> hooked up to my network can use that tunnel.
> 
> 
> Bart
> 
> -Original Message-
> From: Xavier Beaudouin [mailto:k...@oav.net]
> Sent: Monday, 20 December 2010 18:45
> To: support
> Subject: [pfSense Support] pfSense 2.0 BETA4 : IPv6?
> 
> Hi there,
> 
> I have updated my gateway from m0n0wall to pfSense 2.0 BETA4 to make a better
> and faster gateway (moved from a wrap to an amd 4020e)... But I saw that
> Beta 2.0 should have IPv6 support but no luck, I didn't find it...
> 
> Cheers and happy xmas.
> 
> Xavier





RE: [pfSense Support] pfSense 2.0 BETA4 : IPv6?

2010-12-20 Thread Bart Grefte
IPv6 support does not get in pfSense till v2.1
pfSense itself does not offer support (yet), the underlying OS (FreeBSD 7.2
in my case) does :) ->
I managed to get an IPv6 tunnel working in pfSense 1.2.3, while the clients
hooked up to my network can use that tunnel.


Bart

-Original Message-
From: Xavier Beaudouin [mailto:k...@oav.net]
Sent: Monday, 20 December 2010 18:45
To: support
Subject: [pfSense Support] pfSense 2.0 BETA4 : IPv6?

Hi there,

I have updated my gateway from m0n0wall to pfSense 2.0 BETA4 to make a better
and faster gateway (moved from a wrap to an amd 4020e)... But I saw that
Beta 2.0 should have IPv6 support but no luck, I didn't find it...

Cheers and happy xmas.

Xavier



[pfSense Support] pfSense 2.0 BETA4 : IPv6?

2010-12-20 Thread Xavier Beaudouin
Hi there,

I have updated my gateway from m0n0wall to pfSense 2.0 BETA4 to make a better
and faster gateway (moved from a wrap to an amd 4020e)... But I saw that
Beta 2.0 should have IPv6 support but no luck, I didn't find it...

Cheers and happy xmas.

Xavier



[pfSense Support] Pfsense 2.0 beta 4 + open vpn client export utility TAB missing

2010-12-05 Thread justino garcia
I don't see the client export utility tab. I installed the package, but don't
see the tab??

Any ideas

-- 
Justin
IT-TECH


Re: [pfSense Support] Pfsense 2.0 - WAN_PPPoE_static ?

2010-12-03 Thread Kevin Tollison
Not sure what you are requesting. I do static PPPoE all the time. The carrier 
assigns a static to your login.  It has nothing to do with a router function 
unless I am missing something. 
--Original Message--
From: drova...@kaluga-gov.ru
To: support@pfsense.com
ReplyTo: support@pfsense.com
Subject: [pfSense Support] Pfsense 2.0 - WAN_PPPoE_static ?
Sent: Dec 3, 2010 4:26 AM


Is a WAN_PPPoE static IP address planned in the new version?

Please, make it!



Roman.





--
Kevin Tollison

Sent from my Blackberry




[pfSense Support] Pfsense 2.0 - WAN_PPPoE_static ?

2010-12-03 Thread drovalev

Is a WAN_PPPoE static IP address planned in the new version?

Please, make it!



Roman.





Re: [pfSense Support] PFSENSE 2.0

2010-11-21 Thread Jeppe Øland
Resurrecting an old thread.

I just tried installing pfSense 2.0 embedded on a new box. It's not
working and of course I don't have a serial port on any PC around me.
Guess what I DO have ... VGA and a keyboard.

Are there any plans to get VGA support added soon-ish?

Regards,
-Jeppe




Re: [pfSense Support] [pfSense 2.0] Queue not available in rules editor

2010-11-10 Thread Cyril Jaquier

I'm playing a bit with the traffic shaper and noticed that if I edit a
firewall rule, only "none" is available for "Ackqueue/Queue". In the
rule summary, the queues are displayed (e.g. "qACK/qOthersLow"). Thus if
I try to edit a rule generated by the traffic shaper wizard, the queues
are lost.



Fixed on:

2.0-BETA4 (i386)
built on Wed Nov 10 00:37:42 EST 2010
FreeBSD 8.1-RELEASE-p1

Thank you :-)

Regards,
Cyril




Re: [pfSense Support] [pfSense 2.0] Queue not available in rules editor

2010-11-06 Thread Kevin Tollison
I noticed that a week or so ago and posted it in the forums with no response. I 
know it worked correctly 2-3 weeks ago. All the queues seem to get built, but 
nothing shows in the Queue view in the shaper or firewall rules. It also seems 
traffic only makes it to the default queue when you look at Queue Status. 

I also found an error in my system logs related to it. Look for my post in 2.0 
Feedback called Traffic Shaper Broken IIRC. 


--Original Message--
From: Cyril Jaquier
To: support@pfsense.com
ReplyTo: support@pfsense.com
Subject: [pfSense Support] [pfSense 2.0] Queue not available in rules editor
Sent: Nov 6, 2010 1:36 PM


Hi all,

First of all, I'm a new pfSense user since Friday and really like it so
far :-) Thanks to all developers and contributors.

I'm playing a bit with the traffic shaper and noticed that if I edit a
firewall rule, only "none" is available for "Ackqueue/Queue". In the
rule summary, the queues are displayed (e.g. "qACK/qOthersLow"). Thus if
I try to edit a rule generated by the traffic shaper wizard, the queues
are lost.

Am I doing something wrong? Should I report this bug?

Version: 2.0-BETA4 (i386) built on Thu Nov 4 18:55:36 EDT 2010
System: Alix board
Scheduler type for the queues: PRIQ

Thank you.

Cyril Jaquier





--
Kevin Tollison

Sent from my Blackberry

[pfSense Support] [pfSense 2.0] Queue not available in rules editor

2010-11-06 Thread Cyril Jaquier

Hi all,

First of all, I'm a new pfSense user since Friday and really like it so
far :-) Thanks to all developers and contributors.

I'm playing a bit with the traffic shaper and noticed that if I edit a
firewall rule, only "none" is available for "Ackqueue/Queue". In the
rule summary, the queues are displayed (e.g. "qACK/qOthersLow"). Thus if
I try to edit a rule generated by the traffic shaper wizard, the queues
are lost.

Am I doing something wrong? Should I report this bug?

Version: 2.0-BETA4 (i386) built on Thu Nov 4 18:55:36 EDT 2010
System: Alix board
Scheduler type for the queues: PRIQ

Thank you.

Cyril Jaquier





[pfSense Support] pfsense 2.0 beta4 ntop help

2010-11-05 Thread Gokhan Mollamehmetoglu

Hi,
I have installed ntop on my pfsense 2.0-beta4. pfsense cannot start the
ntop service after installation. I tried to start the ntop service at the
command prompt, and it gives me the following error.


/libexec/ld-elf.so.1: Shared object "libGeoIP.so.5" not found, required by "ntop"





Re: [pfSense Support] pfSense 2.0 and SpamAssassin

2010-10-21 Thread James Bensley
On 21 October 2010 15:07, Paul Mansfield  wrote:
>
> argh, sorry, I didn't see the "2.0" bit... don't know which version it
> uses, but the same would apply, use pkg_add and if needed set the env
> var so it can find the package repository.
>
> but I would advise grabbing the appropriate version of freebsd and using
> that as a build platform rather than kludging pfsense install?

Sadly, no SA build available in the repos (well, no spamd & spamc
anyway, I think the perl scripts were there though)

-- 
Regards,
James.

http://www.jamesbensley.co.cc/

There are 10 kinds of people in the world; Those who understand
Vigesimal, and J others...?




Re: [pfSense Support] pfSense 2.0 and SpamAssassin

2010-10-21 Thread Paul Mansfield

argh, sorry, I didn't see the "2.0" bit... don't know which version it
uses, but the same would apply, use pkg_add and if needed set the env
var so it can find the package repository.

but I would advise grabbing the appropriate version of freebsd and using
that as a build platform rather than kludging pfsense install?




Re: [pfSense Support] pfSense 2.0 and SpamAssassin

2010-10-21 Thread Paul Mansfield
On 21/10/10 14:23, James Bensley wrote:
> If anyone comes across this on the archives, due to the lack of a
> compiler et al. I found no way to achieve compiling SA on pfSense

pfsense is based on freebsd 7.2, get a copy here...

ftp://ftp.freebsd.org/pub/FreeBSD/releases/i386/7.2-RELEASE/


you can, if you're masochistic, use "pkg_add -r" to download and install
packages, having set your environment appropriately, e.g. in tcsh

setenv PACKAGESITE ftp://ftp-archive.freebsd.org/pub/FreeBSD-Archive/old-releases/i386/7.2-RELEASE/packages/Latest/






Re: [pfSense Support] pfSense 2.0 and SpamAssassin

2010-10-21 Thread James Bensley
If anyone comes across this on the archives, due to the lack of a
compiler et al. I found no way to achieve compiling SA on pfSense
(probably could have compiled it on a FreeBSD box and moved everything
over but that seems too arse-about-tit to me). I have virtualized
pfSense on a CentOS box and run Exim and SA on the host machine, I
didn't find a way around this but I'm all ears for future reference if
anyone does find a way to achieve this :)

-- 
Regards,
James.

http://www.jamesbensley.co.cc/

There are 10 kinds of people in the world; Those who understand
Vigesimal, and J others...?




Re: [pfSense Support] pfSense 2.0 and SpamAssassin

2010-10-18 Thread James Bensley
So, one step at a time is always a good approach, and I am falling
down at the first step ;)

It's proving awkward to even compile Spam Assassin so I can try it in a
jail as pfSense doesn't have the 'make' command in it, it shows up in
the FreeBSD ports but I can't compile the source without 'make'
itself (which seems silly including a command which requires you to
have it already built before you can build it? And also why not
include 'make' anyway, it seems like such a trivial command to have?)

So, has anyone got any pointers as to how I can tackle this?

-- 
Regards,
James.

http://www.jamesbensley.co.cc/

There are 10 kinds of people in the world; Those who understand
Vigesimal, and J others...?




Re: [pfSense Support] pfSense 2.0 and SpamAssassin

2010-10-14 Thread Seth Mos

On 13-10-2010 23:55, James Bensley wrote:

Thank you to all for your input.

I think running two VMs on top of the host OS (although it would be
nice) is too much overhead for my liking given the spec of the box. I
like the sound of jailctl, I will give this a go and report back my
findings ;)


Approach it not from the overhead part, but from the flexible part.

If, at some point, they require another server solution that wasn't 
available before you can setup a new VM instead.


Since your budget is 0 to begin with that might not be such a bad 
starting point.


VMs also allow for easy updates, upgrades and snapshots. That is, a 
firmware/software update gone wrong can easily be rolled back.


I've had a few awful experiences with home built all in one linux 
machines. And upgrades then tended to break everything at once. Joy.


Depends on the person, skills and luck involved of course.

My all in one wonder is a Dell Optiplex 755 with a C2D 2.33Ghz and 8GB 
ram. A rather modest ESX machine if I say so myself. It runs ESXi 3.5 still.


Regards,

Seth




Re: [pfSense Support] pfSense 2.0 and SpamAssassin

2010-10-14 Thread Seth Mos

Hi,


Yeah if you can run VMware ESXi on the box and then run whatever VMs you
need, that's a good solution. Or you can look at the jailctl package and
run a full jail for spamassassin and whatever else you want to throw on it.


This is in production at one site at least, an all in one wonder with VMs.

The ESX box has just 1 network plug to the outside network, it runs 2 
VMs for a carp setup and a virtual switch network where the server VMs run.


It's done so perfectly well for over a year now. The carp is there so 
that firmware upgrades don't break connectivity.


Regards,

Seth




Re: [pfSense Support] pfSense 2.0 and SpamAssassin

2010-10-13 Thread Chris Buechler
On Wed, Oct 13, 2010 at 10:41 PM, Gordon Russell
 wrote:
>
> Why cobble together a VM scenario to do that, when there is packaged, simple,
> free software to achieve his ends? I don't know that a VM'ed scenario would be
> any less resource intensive than untangle. It would certainly be a more
> challenging "learning experience" for one to set up though.

Yes it would definitely require a lot more expertise, but it is a way
to get more out of the same hardware if it's not a screaming fast box
and that hardware is the only option. You can scale down the resources
Untangle can have at the ESX level and if you're only pushing mail
through it that won't have any noticeable performance impact on the
environment. If you don't have that expertise or the time to get it,
getting that expertise at the $0 budget likely isn't going to happen.

Jails are a much faster, lower overhead, means of virtualization if
you want to go the DIY route to build the anti-spam setup yourself.




Re: [pfSense Support] pfSense 2.0 and SpamAssassin

2010-10-13 Thread James Bensley
Thank you to all for your input.

I think running two VMs on top of the host OS (although it would be
nice) is too much overhead for my liking given the spec of the box. I
like the sound of jailctl, I will give this a go and report back my
findings ;)

-- 
Regards,
James.

http://www.jamesbensley.co.cc/

There are 10 kinds of people in the world; Those who understand
Vigesimal, and J others...?




Re: [pfSense Support] pfSense 2.0 and SpamAssassin

2010-10-13 Thread Gordon Russell

- "Chris Buechler"  wrote:

> On Wed, Oct 13, 2010 at 9:20 PM, Gordon Russell
>  wrote:
> >
> > The base version of untangle is free
> 
> Aside from the hardware, with its considerable bloat, the hardware
> available may not be able to accommodate that scenario. Though if the
> hardware can run ESXi, putting it on a VM to do only spam (assuming
> that's possible, I'm not entirely sure), and only directing mail
> through it without putting it inline, should make that a non-factor.
> Then even if it is extremely slow it won't really matter.
> 

 I was just suggesting to the OP that there is free software out there to 
achieve his goals -- which is more of a UTM than pure firewall scenario. In the 
OP's words he needs to:
 
 "run pfSense, SpamAssassin, ClamAV, Squid and squidGuard to filter all traffic 
in and out bound"

Why cobble together a VM scenario to do that, when there is packaged, simple, 
free software to achieve his ends? I don't know that a VM'ed scenario would be any 
less resource intensive than untangle. It would certainly be a more challenging 
"learning experience" for one to set up though.
PFsense is a great firewall platform, and Chris you do a great job with it.. 
I'm not knocking it in any way, just suggesting to the OP that another platform 
may be better suited to his needs (and experience level).




Re: [pfSense Support] pfSense 2.0 and SpamAssassin

2010-10-13 Thread Chris Buechler
On Wed, Oct 13, 2010 at 9:20 PM, Gordon Russell
 wrote:
>
> The base version of untangle is free

Aside from the hardware, with its considerable bloat, the hardware
available may not be able to accommodate that scenario. Though if the
hardware can run ESXi, putting it on a VM to do only spam (assuming
that's possible, I'm not entirely sure), and only directing mail
through it without putting it inline, should make that a non-factor.
Then even if it is extremely slow it won't really matter.




Re: [pfSense Support] pfSense 2.0 and SpamAssassin

2010-10-13 Thread Gordon Russell

- Original Message -
From: "James Bensley" 
To: support@pfsense.com
Sent: Wednesday, October 13, 2010 3:10:00 PM
Subject: Re: [pfSense Support] pfSense 2.0 and SpamAssassin

On 13 October 2010 19:30, Gordon Russell  wrote:
> You may want to look at untangle then.
>
> http://www.untangle.com

I have seen that before but sadly this isn't an option either, we are
a non-profit and although they do discounted prices my budget is
£0.00.. That's why I previously mentioned that I didn't have another
box I could separate these services over, the box we are running
pfSense on was a greatly appreciated donation.

The base version of untangle is free and will do everything you are looking for.




Re: [pfSense Support] pfSense 2.0 and SpamAssassin

2010-10-13 Thread Scott Lambert
On Wed, Oct 13, 2010 at 08:38:38PM +0200, Chris Buechler wrote:
> 
> On Oct 13, 2010, at 7:37 PM, James Bensley wrote:
> 
> >Hi List,
> >
> >I would like to put Spam Assassin on a pfSense 2.0 box and I see that
> >here (http://www.pfsense.com/packages/pkg_config.xml) it is listed as
> >a package to install but doesn't show up in my package list on my 2.0
> >box, is this the package list for 1.2.3 perhaps?
> 
> LONG before that (that's the 6.x package list, about 5-6 years ago).  
> That package never worked, was started and not even remotely close to  
> functional. You're in for a whole lot of work if you want to finish  
> that. The code is still in git though, knock yourself out.
> 
> But I would never run that on a firewall regardless with its security  
> track record.

How about putting that stuff in a jail on the pfSense box?

-- 
Scott Lambert    KC5MLE    Unix SysAdmin
lamb...@lambertfam.org





Re: [pfSense Support] pfSense 2.0 and SpamAssassin

2010-10-13 Thread Chris Buechler


On Oct 13, 2010, at 9:10 PM, James Bensley wrote:



*scratches head* I could virtualise /both/ pfSense and SA on the same
box as separate VMs??!?...again I'd rather not...or would I? Noodle
baker!



Yeah if you can run VMware ESXi on the box and then run whatever VMs  
you need, that's a good solution. Or you can look at the jailctl  
package and run a full jail for spamassassin and whatever else you  
want to throw on it.






Re: [pfSense Support] pfSense 2.0 and SpamAssassin

2010-10-13 Thread James Bensley
On 13 October 2010 19:30, Gordon Russell  wrote:
> You may want to look at untangle then.
>
> http://www.untangle.com

I have seen that before but sadly this isn't an option either, we are
a non-profit and although they do discounted prices my budget is
£0.00.. That's why I previously mentioned that I didn't have another
box I could separate these services over, the box we are running
pfSense on was a greatly appreciated donation.

On 13 October 2010 19:38, Chris Buechler  wrote:
> But I would never run that on a firewall regardless with its security track
> record.

I see, this wasn't something I was aware of, I had contemplated
running it as a virtual machine on the pfSense box and given your
comments on security this might possibly elude such security flaws
however I am unaware of any security flaws (because I'm new to spam
assassin and need to do some homework first!) but I don't think I like
the idea of running a VM on top of pfSense I would rather run SA along
side it on the same box.

*scratches head* I could virtualise /both/ pfSense and SA on the same
box as separate VMs??!?...again I'd rather not...or would I? Noodle
baker!

-- 
Regards,
James.

http://www.jamesbensley.co.cc/

There are 10 kinds of people in the world; Those who understand
Vigesimal, and J others...?




Re: [pfSense Support] pfSense 2.0 and SpamAssassin

2010-10-13 Thread Chris Buechler


On Oct 13, 2010, at 7:37 PM, James Bensley wrote:


Hi List,

I would like to put Spam Assassin on a pfSense 2.0 box and I see that
here (http://www.pfsense.com/packages/pkg_config.xml) it is listed as
a package to install but doesn't show up in my package list on my 2.0
box, is this the package list for 1.2.3 perhaps?


LONG before that (that's the 6.x package list, about 5-6 years ago).  
That package never worked, was started and not even remotely close to  
functional. You're in for a whole lot of work if you want to finish  
that. The code is still in git though, knock yourself out.


But I would never run that on a firewall regardless with its security  
track record.






Re: [pfSense Support] pfSense 2.0 and SpamAssassin

2010-10-13 Thread Gordon Russell

- Original Message -
From: "James Bensley" 
To: support@pfsense.com
Sent: Wednesday, October 13, 2010 2:22:00 PM
Subject: Re: [pfSense Support] pfSense 2.0 and SpamAssassin

On 13 October 2010 19:00, Jim Pingle  wrote:
> You'd be better off installing SpamAssassin on a box that isn't a secure
> firewall. :-)

Sadly this isn't an option for me, I'm setting up a network edge box to
run pfSense, SpamAssassin, ClamAV, Squid and squidGuard to filter all
traffic in and out bound and I have no other boxes to achieve this
with so I'm going for an all in wonder :)

-- 
Regards,
James.

http://www.jamesbensley.co.cc/

There are 10 kinds of people in the world; Those who understand
Vigesimal, and J others...?


You may want to look at untangle then.

http://www.untangle.com




Re: [pfSense Support] pfSense 2.0 and SpamAssassin

2010-10-13 Thread James Bensley
On 13 October 2010 19:00, Jim Pingle  wrote:
> You'd be better off installing SpamAssassin on a box that isn't a secure
> firewall. :-)

Sadly this isn't an option for me, I'm setting up a network edge box to
run pfSense, SpamAssassin, ClamAV, Squid and squidGuard to filter all
traffic in and out bound and I have no other boxes to achieve this
with so I'm going for an all in wonder :)

-- 
Regards,
James.

http://www.jamesbensley.co.cc/

There are 10 kinds of people in the world; Those who understand
Vigesimal, and J others...?




Re: [pfSense Support] pfSense 2.0 and SpamAssassin

2010-10-13 Thread Jim Pingle
On 10/13/2010 1:37 PM, James Bensley wrote:
> Hi List,
> 
> I would like to put Spam Assassin on a pfSense 2.0 box and I see that
> here (http://www.pfsense.com/packages/pkg_config.xml) it is listed as
> a package to install but doesn't show up in my package list on my 2.0
> box, is this the package list for 1.2.3 perhaps? If so, is there any
> intention of making a package for it or am I better off just
> installing Spam Assassin onto my pfSense box manually?
> 
> Any tips or points would be greatly appreciated :)

You'd be better off installing SpamAssassin on a box that isn't a secure
firewall. :-)

Jim




[pfSense Support] pfSense 2.0 and SpamAssassin

2010-10-13 Thread James Bensley
Hi List,

I would like to put Spam Assassin on a pfSense 2.0 box and I see that
here (http://www.pfsense.com/packages/pkg_config.xml) it is listed as
a package to install but doesn't show up in my package list on my 2.0
box, is this the package list for 1.2.3 perhaps? If so, is there any
intention of making a package for it or am I better off just
installing Spam Assassin onto my pfSense box manually?

Any tips or points would be greatly appreciated :)

-- 
Regards,
James.

http://www.jamesbensley.co.cc/

There are 10 kinds of people in the world; Those who understand
Vigesimal, and J others...?




Re: [pfSense Support] pfSense 2.0: L7 container and floating rules

2010-09-14 Thread Tonix (Antonio Nati)

 Is there another place where to ask such questions?

Regards,

Tonino

On 09/09/2010 11:20, Tonix (Antonio Nati) wrote:

I'm trying to understand better these two new features:

L7 layer

I cannot see where these container can be created, and if they
apply only to shaping or if they can be used for rules.
Apart the entry in Rules -> Advanced features, I do not see any
other menu where create/modify/delete L7 containers.
Is it possible to have a better understanding of this feature?

Floating rules.

As far as I understand, potentially this is very useful, but with
a lot of limits.
From my point of view, having more "public" sublans on different
interfaces, this is the place where to place rules for permitting
POP, SMTP, HTTP, etc, going to a single sublan, permitting WAN and
all other public sublan to access those services (and writing each
rule once only, instead of one time for each interface).
But, in this way, I cannot give customers control of floating IP,
as these rules are not bound to a specific interface.
Am I missing something?

Thinking out loud... Would have been better to have a different way to
implement such feature?

For each interface (from the FW point of view):

* zone for outgoing rules (what it is permitted from the
  rest of the world)
* zone for incoming rules (what is permitted from this sublan)

All "outgoing" zones should be evaluated before "incoming" zones.
For a total control, before the "outgoing" zone, there could
be another "deny" zone, where to deny "only" incoming packets,
despite of other interfaces permissions.

Thanks for any help/consideration.

Tonino

--

 in...@zioniInterazioni di Antonio Nati
http://www.interazioni.it   to...@interazioni.it




--

in...@zioniInterazioni di Antonio Nati
   http://www.interazioni.it  to...@interazioni.it




[pfSense Support] pfSense 2.0: L7 container and floating rules

2010-09-09 Thread Tonix (Antonio Nati)

 I'm trying to understand better these two new features:

L7 layer

   I cannot see where these container can be created, and if they apply
   only to shaping or if they can be used for rules.
   Apart from the entry in Rules -> Advanced features, I do not see any
   other menu where create/modify/delete L7 containers.
   Is it possible to have a better understanding of this feature?

Floating rules.

   As far as I understand, potentially this is very useful, but with a
   lot of limits.
   From my point of view, having more "public" sublans on different
   interfaces, this is the place where to place rules for permitting
   POP, SMTP, HTTP, etc, going to a single sublan, permitting WAN and
   all other public sublan to access those services (and writing each
   rule once only, instead of one time for each interface).
   But, in this way, I cannot give customers control of floating IP, as
   these rules are not bound to a specific interface.
   Am I missing something?

   Thinking out loud... Would have been better to have a different way to
   implement such feature?

   For each interface (from the FW point of view):

   * zone for outgoing rules (what it is permitted from the
 rest of the world)
   * zone for incoming rules (what is permitted from this sublan)

   All "outgoing" zones should be evaluated before "incoming" zones.
   For a total control, before the "outgoing" zone, there could be
   another "deny" zone, where to deny "only" incoming packets,
   despite of other interfaces permissions.

Thanks for any help/consideration.

Tonino

--

in...@zioniInterazioni di Antonio Nati
   http://www.interazioni.it  to...@interazioni.it




Re: [pfSense Support] PFsense 2.0 roadmap

2010-09-08 Thread Jim Pingle
On 9/8/2010 1:42 PM, Tonix (Antonio Nati) wrote:
>> http://redmine.pfsense.org/projects/pfsense/roadmap
>  Thanks... I see no dates at all.

Correct. No dates. It will be ready when it's ready. :)

> About 2.0, I see no documentation around. Is there a list where to ask
> for 2.0 features explained?
> I see a lot of new things, sometimes hard to understand.

The doc wiki has a lot of information, but I do need to update some of
the articles.

On every screen in 2.0 there is a help link (?). It takes you to the
wiki page that has information about the feature or section you are using.

You can get a list of 2.0-specific articles here:
http://doc.pfsense.org/index.php/Category:2.0

There is info on 2.0 in more pages than that, but those tend to be for
the new features or things that didn't exist yet in 1.2.x.

Jim



