RE: [pfSense Support] CP Issue
Well I don't have squid running on the interface in question. Squid is running on LAN and I want CP on LAN2.. does that make a difference?

Quick Drawing

WAN DSL DSL2 || | PFSENSE | | SquidCP | | LAN LAN2 | | DefaultLoad Balancing?

-Tim

-Original Message-
From: Chris Buechler [mailto:[EMAIL PROTECTED]
Sent: Monday, April 28, 2008 6:02 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] CP Issue

On Mon, Apr 28, 2008 at 12:48 PM, Tim Dickson [EMAIL PROTECTED] wrote:
> I did state Squid was in there ;) ...
> I have squid setup with defaults (non transparent) on LAN ONLY
> I have lightsquid installed for reporting
>
> So, anything else to try? I'm willing to help the cause if you have any ideas...

Squid can only use the primary WAN at this time (services on localhost strictly obey the system routing table), so it won't load balance regardless. Though route-to rules should bypass Squid and let you load balance, they also bypass CP.

Aside from manually hacking the pf and ipfw rules to figure out what's really going on with ipfw and pf route-to rules, I don't have any suggestions at this point. It is something I'm going to look into eventually.

- To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] CP Issue
On Tue, Apr 29, 2008 at 7:04 PM, Tim Dickson [EMAIL PROTECTED] wrote:
> Well I don't have squid running on the interface in question. Squid is running on LAN and I want CP on LAN2.. does that make a difference?

No, Squid really isn't relevant here, it's the route-to rules and their interaction (or lack thereof) with ipfw.
RE: [pfSense Support] CP Issue
Thanks Chris and Team

-Original Message-
From: Chris Buechler [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 29, 2008 4:07 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] CP Issue

On Tue, Apr 29, 2008 at 7:04 PM, Tim Dickson [EMAIL PROTECTED] wrote:
> Well I don't have squid running on the interface in question. Squid is running on LAN and I want CP on LAN2.. does that make a difference?

No, Squid really isn't relevant here, it's the route-to rules and their interaction (or lack thereof) with ipfw.
RE: [pfSense Support] CP Issue
I did state Squid was in there ;) ...
I have squid setup with defaults (non transparent) on LAN ONLY
I have lightsquid installed for reporting

So, anything else to try? I'm willing to help the cause if you have any ideas...

-Tim

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED]
Sent: Sunday, April 27, 2008 1:47 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] CP Issue

On Sat, Apr 26, 2008 at 3:51 AM, Tim Dickson [EMAIL PROTECTED] wrote:
> Setting up the Rule to put traffic to the interface address out the default gateway did not work
> Setting the gateway to JUST the second WAN (non-loadbalance) failed
> Setting the gateway to DEFAULT worked... (With Squid running)

[snip]

Squid is not compatible with CP. This would have been helpful if you told this up front :)

Scott
Re: [pfSense Support] CP Issue
On Mon, Apr 28, 2008 at 12:48 PM, Tim Dickson [EMAIL PROTECTED] wrote:
> I did state Squid was in there ;) ...
> I have squid setup with defaults (non transparent) on LAN ONLY
> I have lightsquid installed for reporting
>
> So, anything else to try? I'm willing to help the cause if you have any ideas...

Squid can only use the primary WAN at this time (services on localhost strictly obey the system routing table), so it won't load balance regardless. Though route-to rules should bypass Squid and let you load balance, they also bypass CP.

Aside from manually hacking the pf and ipfw rules to figure out what's really going on with ipfw and pf route-to rules, I don't have any suggestions at this point. It is something I'm going to look into eventually.
Re: [pfSense Support] CP Issue
On Sat, Apr 26, 2008 at 3:51 AM, Tim Dickson [EMAIL PROTECTED] wrote:
> Setting up the Rule to put traffic to the interface address out the default gateway did not work
> Setting the gateway to JUST the second WAN (non-loadbalance) failed
> Setting the gateway to DEFAULT worked... (With Squid running)

[snip]

Squid is not compatible with CP. This would have been helpful if you told this up front :)

Scott
Re: [pfSense Support] CP Issue
On Sun, Apr 27, 2008 at 2:47 PM, Scott Ullrich [EMAIL PROTECTED] wrote:
> [snip]
> Squid is not compatible with CP. This would have been helpful if you told this up front :)

That's odd, I've been running it in transparent mode for months, and it works just fine.
Re: [pfSense Support] CP Issue
On Sun, Apr 27, 2008 at 5:45 PM, RB [EMAIL PROTECTED] wrote:
> On Sun, Apr 27, 2008 at 2:47 PM, Scott Ullrich [EMAIL PROTECTED] wrote:
>> [snip]
>> Squid is not compatible with CP. This would have been helpful if you told this up front :)
>
> That's odd, I've been running it in transparent mode for months, and it works just fine.

I think it does work, there might be some caveats though. Does it cause the portal to be bypassed? I've never tried it myself.
Re: [pfSense Support] CP Issue
> I think it does work, there might be some caveats though. Does it cause the portal to be bypassed? I've never tried it myself.

Nope - typical behavior. Clients DHCP, hit the captive portal on the CARP primary, and are allowed through. Post-auth, all port-80 traffic hits the local SQUID, which points at an upstream cache. The only things I've customized are the number of DNS subprocesses, the per-user shaping, and a manual parent cache entry to force _all_ traffic to it, not just what's faster.
Re: [pfSense Support] CP Issue
On Sun, Apr 27, 2008 at 5:57 PM, RB [EMAIL PROTECTED] wrote:
>> I think it does work, there might be some caveats though. Does it cause the portal to be bypassed? I've never tried it myself.
>
> Nope - typical behavior. Clients DHCP, hit the captive portal on the CARP primary, and are allowed through. Post-auth, all port-80 traffic hits the local SQUID, which points at an upstream cache. The only things I've customized are the number of DNS subprocesses, the per-user shaping, and a manual parent cache entry to force _all_ traffic to it, not just what's faster.

Yeah thinking that through further, there shouldn't be any problem with squid and CP. Multi-WAN and CP is a different case since route-to rules cause the portal to be bypassed.
RE: [pfSense Support] CP Issue
Setting up the Rule to put traffic to the interface address out the default gateway did not work
Setting the gateway to JUST the second WAN (non-loadbalance) failed
Setting the gateway to DEFAULT worked... (With Squid running)

Any more ideas? I'd love to keep Load-Balancing! (or is this another area where local services must always use the default route?)

Thanks!
-Tim

PS... sorry about the html, the thread was plaintext until I responded to your email which was html so it carried over, and I forgot to reset :(

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED]
Sent: Thursday, April 24, 2008 10:46 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] CP Issue

On 4/24/08, Tim Dickson [EMAIL PROTECTED] wrote:
> (I'll be back on site tomorrow and will test)
>
> So it would be on the GUEST LAN:
> Proto: TCP
> Source: GuestLan
> Destination: Interface Address ports 8000 and 8001
> Gateway: Default
>
> Or are you saying SOURCE should be the Interface address and port?
> I'll test this tomorrow and post back thanks!

Set the source to any, the interface would be the captive portal interface. Gateway default. Looks good.

Scott

PS: please do not send html emails to public lists.
RE: [pfSense Support] CP Issue
Ah, so I was wondering about that
So do I have to send it out default? Or can I pick, say - DSL2?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Buechler
Sent: Wednesday, April 23, 2008 6:09 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] CP Issue

On Wed, Apr 23, 2008 at 8:24 PM, Tim Dickson [EMAIL PROTECTED] wrote:
> Finally deploying captive portal at one of our new sites. But am coming across a redirect issue I'm hoping you can shed some light on.
>
> BACKGROUND:
> I have 3 Wans setup - WAN, DSL, DSL2
> I have 3 Lans setup - LAN, GUEST, PHONE
> I have load balancing setup with DSL + DSL2 for the GUEST WAN
> I have Failover setup with WAN - DSL - DSL2 for the LAN
> I have squid setup with defaults (non transparent) on LAN ONLY
> I have lightsquid installed for reporting
>
> ISSUE:
> Clients accessing on the GUEST interface are bypassing the Captive Portal for the redirect ports. PORT 80,443
> They are not able to access non-redirect ports (such as 25 etc) because of course they have not authenticated.

Multi-WAN and CP have interoperability issues because any rule specifying a load balancing/failover pool or gateway will bypass CP. There may be a work around, there is a ticket open but I haven't had time to look into it yet.
Re: [pfSense Support] CP Issue
On 4/24/08, Tim Dickson [EMAIL PROTECTED] wrote:
> Ah, so I was wondering about that
> So do I have to send it out default? Or can I pick, say - DSL2?

You can add a rule forcing CP only out the default gateway prior to any load balancing rules which might fix this. Please try this and if it works we'll add these behind the scenes. I believe the ports used for CP are 8000 and 8001.

Scott
RE: [pfSense Support] CP Issue
(I'll be back on site tomorrow and will test)

So it would be on the GUEST LAN:
Proto: TCP
Source: GuestLan
Destination: Interface Address ports 8000 and 8001
Gateway: Default

Or are you saying SOURCE should be the Interface address and port?
I'll test this tomorrow and post back thanks!

-Tim

From: Scott Ullrich [mailto:[EMAIL PROTECTED]
Sent: Thursday, April 24, 2008 9:46 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] CP Issue

On 4/24/08, Tim Dickson [EMAIL PROTECTED] wrote:
> Ah, so I was wondering about that
> So do I have to send it out default? Or can I pick, say - DSL2?

You can add a rule forcing CP only out the default gateway prior to any load balancing rules which might fix this. Please try this and if it works we'll add these behind the scenes. I believe the ports used for CP are 8000 and 8001.

Scott
Re: [pfSense Support] CP Issue
On 4/24/08, Tim Dickson [EMAIL PROTECTED] wrote:
> (I'll be back on site tomorrow and will test)
>
> So it would be on the GUEST LAN:
> Proto: TCP
> Source: GuestLan
> Destination: Interface Address ports 8000 and 8001
> Gateway: Default
>
> Or are you saying SOURCE should be the Interface address and port?
> I'll test this tomorrow and post back thanks!

Set the source to any, the interface would be the captive portal interface. Gateway default. Looks good.

Scott

PS: please do not send html emails to public lists.
Re: [pfSense Support] CP Issue
On Wed, Apr 23, 2008 at 8:24 PM, Tim Dickson [EMAIL PROTECTED] wrote:
> Finally deploying captive portal at one of our new sites. But am coming across a redirect issue I'm hoping you can shed some light on.
>
> BACKGROUND:
> I have 3 Wans setup - WAN, DSL, DSL2
> I have 3 Lans setup - LAN, GUEST, PHONE
> I have load balancing setup with DSL + DSL2 for the GUEST WAN
> I have Failover setup with WAN - DSL - DSL2 for the LAN
> I have squid setup with defaults (non transparent) on LAN ONLY
> I have lightsquid installed for reporting
>
> ISSUE:
> Clients accessing on the GUEST interface are bypassing the Captive Portal for the redirect ports. PORT 80,443
> They are not able to access non-redirect ports (such as 25 etc) because of course they have not authenticated.

Multi-WAN and CP have interoperability issues because any rule specifying a load balancing/failover pool or gateway will bypass CP. There may be a work around, there is a ticket open but I haven't had time to look into it yet.
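
An added example, not part of the thread and not pfSense's own code: a configuration audit for the condition described in the message above, where a firewall rule that names a gateway or pool on the captive portal interface lets traffic bypass CP. The XML is a constructed, simplified excerpt, and its element names and the pool names are assumptions to check against your own config.xml.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified config excerpt (not taken from the thread).
# Element names are assumed to follow pfSense's config.xml layout;
# "FailoverPool" and "LoadBalance" are made-up pool names.
SAMPLE_CONFIG = """
<pfsense>
  <captiveportal><enable/><interface>opt1</interface></captiveportal>
  <filter>
    <rule><interface>lan</interface><descr>LAN failover</descr>
          <gateway>FailoverPool</gateway></rule>
    <rule><interface>opt1</interface><descr>Guest DNS</descr></rule>
    <rule><interface>opt1</interface><descr>Guest load balance</descr>
          <gateway>LoadBalance</gateway></rule>
  </filter>
</pfsense>
"""


def portal_interfaces(root):
    """Return the set of interfaces with captive portal enabled."""
    cp = root.find("captiveportal")
    if cp is None or cp.find("enable") is None:
        return set()
    names = cp.findtext("interface", "").split(",")
    return {n.strip() for n in names if n.strip()}


def rules_bypassing_portal(xml_text):
    """List (position, description, gateway) for every rule on a portal
    interface that sets a gateway, i.e. is policy-routed past CP."""
    root = ET.fromstring(xml_text)
    cp_ifs = portal_interfaces(root)
    findings = []
    for pos, rule in enumerate(root.findall("./filter/rule"), start=1):
        gateway = (rule.findtext("gateway") or "").strip()
        if rule.findtext("interface") in cp_ifs and gateway:
            findings.append((pos, rule.findtext("descr", ""), gateway))
    return findings


if __name__ == "__main__":
    for pos, descr, gateway in rules_bypassing_portal(SAMPLE_CONFIG):
        print(f"rule {pos} ({descr!r}) uses gateway {gateway}: "
              "traffic it matches is not held by the portal")
```
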