Re: [pfSense Support] Error in cvstrac when trying to display filter.inc
On 7/4/06, Angelo Turetta <[EMAIL PROTECTED]> wrote:
> I get an error viewing this page
> http://cvstrac.pfsense.com/rlog?f=pfSense/etc/inc/filter.inc
> Note that replacing 'filter.inc' with any other file (e.g. system.inc) works as expected.

Thanks, looking into it now. That's certainly a weird one!

--Bill

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] RE: Static DHCP Mapping - am I missing something?
On 7/6/06, Steve Harman <[EMAIL PROTECTED]> wrote:
> Hi Holger. It's a shame if this isn't how pfSense handles static mapping of DHCP-assigned IPs. IPCop (and DHCPd AFAIK) allows IPs within the DHCP range to be statically assigned to specific H/W addresses. Moving an IP out of the DHCP range to provide "static" service would of course solve the problem, but then we'd lose the benefits of having it dynamically allocated in the first place! (gateway & DNS details etc)
>
> Steve

You aren't moving it out of the DHCP range, you're moving it out of the DYNAMIC range. FWIW, I don't think ISC DHCPD (which is what we use) actually appreciates having static leases in the dynamic range. Given this subnet statement:

    subnet 192.168.1.0 netmask 255.255.255.0 {
        pool {
            range 192.168.1.128 192.168.1.191;
        }
        option routers 192.168.1.1;
        option domain-name-servers 192.168.1.1;
    }

and I have three statics at .1.10, .1.11, and .1.15. The file parses fine and loads w/out errors. If I add a static at .1.129, dhcpd gives me grief about .1.11 and .1.15 (why not .1.10 I dunno):

    dhcpd: lease 192.168.1.15: no subnet.
    dhcpd: lease 192.168.1.11: no subnet.

Give us a config that does what you want and ISC DHCPD v3 doesn't bitch about and we can consider this. Until then, my preliminary tests make me believe that the daemon won't do it.

--Bill
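An added check, not pfSense or ISC code, that makes Bill's point testable against a dhcpd.conf: it parses the subnet/pool/range and host/fixed-address statements of the kind quoted above and flags any static host whose address falls inside a dynamic range. The parser covers only those statements, and the host entries and MAC addresses are constructed sample data.

```python
"""Flag ISC dhcpd static hosts whose fixed-address lies in a dynamic pool.

Added example for the thread above, not pfSense or ISC code. The parser
handles only the subnet/pool/range and host/fixed-address statements that
the message quotes (assumption), not the full dhcpd.conf grammar.
"""
import ipaddress
import re

# Constructed sample: the subnet statement from the message, the three
# statics at .10/.11/.15 that load cleanly, a fourth at .129 that sits
# inside the dynamic range, and one in no declared subnet. MACs are made up.
SAMPLE_CONF = """
subnet 192.168.1.0 netmask 255.255.255.0 {
    pool {
        range 192.168.1.128 192.168.1.191;
    }
    option routers 192.168.1.1;
    option domain-name-servers 192.168.1.1;
}
host printer  { hardware ethernet 00:11:22:33:44:10; fixed-address 192.168.1.10; }
host fileserv { hardware ethernet 00:11:22:33:44:11; fixed-address 192.168.1.11; }
host camera   { hardware ethernet 00:11:22:33:44:15; fixed-address 192.168.1.15; }
host laptop   { hardware ethernet 00:11:22:33:44:81; fixed-address 192.168.1.129; }
host remote   { hardware ethernet 00:11:22:33:44:99; fixed-address 10.9.9.9; }
"""

SUBNET_RE = re.compile(r"\bsubnet\s+(\S+)\s+netmask\s+(\S+)\s*\{")
RANGE_RE = re.compile(r"\brange\s+(?:dynamic-bootp\s+)?(\S+?)(?:\s+(\S+?))?\s*;")
HOST_RE = re.compile(r"\bhost\s+(\S+)\s*\{(.*?)\}", re.S)
FIXED_RE = re.compile(r"\bfixed-address\s+([^;]+);")


def _block(text, open_brace):
    """Return the text between the brace at open_brace and its matching '}'."""
    depth = 0
    for i in range(open_brace, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_brace + 1:i]
    raise ValueError("unbalanced braces in dhcpd.conf")


def parse_subnets(conf):
    """Return [(network, [(first, last), ...])] for every subnet block."""
    subnets = []
    for m in SUBNET_RE.finditer(conf):
        net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        body = _block(conf, m.end() - 1)
        ranges = []
        for r in RANGE_RE.finditer(body):       # pools nest inside the subnet
            first = ipaddress.ip_address(r.group(1))
            last = ipaddress.ip_address(r.group(2) or r.group(1))
            ranges.append((first, last))
        subnets.append((net, ranges))
    return subnets


def parse_fixed_hosts(conf):
    """Return {hostname: [fixed addresses]} for every host block."""
    hosts = {}
    for m in HOST_RE.finditer(conf):
        addrs = []
        for f in FIXED_RE.finditer(m.group(2)):
            addrs.extend(ipaddress.ip_address(a.strip()) for a in f.group(1).split(","))
        hosts[m.group(1)] = addrs
    return hosts


def check_static_leases(conf):
    """Classify every fixed-address as 'ok', 'in-dynamic-range' or 'no-subnet'.

    'in-dynamic-range' is the case the message says dhcpd objects to;
    'no-subnet' is a static that no declared subnet covers at all.
    """
    subnets = parse_subnets(conf)
    report = {}
    for name, addrs in parse_fixed_hosts(conf).items():
        report[name] = {}
        for addr in addrs:
            status = "no-subnet"
            for net, ranges in subnets:
                if addr in net:
                    inside = any(lo <= addr <= hi for lo, hi in ranges)
                    status = "in-dynamic-range" if inside else "ok"
                    break
            report[name][str(addr)] = status
    return report


if __name__ == "__main__":
    for host, result in check_static_leases(SAMPLE_CONF).items():
        for addr, status in result.items():
            print(f"{host:10s} {addr:16s} {status}")
```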
Re: [pfSense Support] How to install upnp in pfsense
On 7/6/06, Scott Ullrich <[EMAIL PROTECTED]> wrote:
> On 7/6/06, Pedro Paulo de Magalhaes Oliveira Junior <[EMAIL PROTECTED]> wrote:
> > Is there interest that we make a UPnP?
>
> I have 0 interest in it but if someone wants to do the work, go for it.

I'd like to see someone do it... I think at least two of us have looked at it and produced packages that didn't quite work. So there's some amount of work already done on this if someone wishes to pick it up. There was a bounty for this at one point, dunno if it's still valid.

http://forum.pfsense.org/index.php?topic=551.0

--Bill
Re: [pfSense Support] denial of service attack
On 7/6/06, Jeremy Rempel <[EMAIL PROTECTED]> wrote:
> I work for a school division and our portal is being hosted behind a pfsense box. Over the holiday weekend we were bombarded by a denial of service attack from all over the world, mostly Asia and Russia. To get our portal up and reliable again, I blocked access to most of Asia, Russia, and other networks that were aggressively attacking our site. Is there a feature or add-on module that can recognize and protect our site from aggressive attacks?

Depends on what you're trying to protect against. Care to describe the attack in more detail?

--Bill
Re: [pfSense Support] denial of service attack
A DoS attack is anything which denies service. This could be as simple as a backhoe going through your fiber drop :) Or it could be as nasty as someone knowing that a single CGI query will eat 30 seconds of CPU on your web server; sending that every couple of seconds would effectively deny service to others attempting to use your site. What you describe is just one type of DoS attack.

--Bill

On 7/6/06, Ryan L. Rodrigue <[EMAIL PROTECTED]> wrote:
> Just trying to clarify what a DOS (Denial of Service) Attack is. A DOS attack is a flood of malicious TCP packets, such as SYN or ACK Floods, usually with a spoofed (fake) IP address. When the router tries to reply, it times out eventually, but many more have come in in the meantime. It is a means of eating up all of the resources within a router, rendering it basically useless. [It is very difficult to stop due to the fact the packets are intended for the router, not requiring to be passed.] [I think]
>
> I think this is what you are talking about. If not, please feel free to correct me.
>
> Ryan
> "Even a stopped clock is right twice a day."
>
> -----Original Message-----
> From: Chris Buechler [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, July 06, 2006 3:47 PM
> To: support@pfsense.com
> Subject: Re: [pfSense Support] denial of service attack
>
> Jeremy Rempel wrote:
> > We were getting thousands of requests per second from various hosts
> > for files that didn't exist on the apache webserver. I will try
> > setting up the synproxy and see if that helps. Can someone point me
> > to info on setting up synproxy?
>
> If it's legit HTTP requests, your firewall can't further differentiate between the "good" and the "bad". It isn't at all aware of your web server, other than it knows to let TCP 80 to it. You could (I believe, no pfS GUI handy ATM and I don't recall 100% for sure) limit the number of states per source IP in your firewall rules, if you're getting thousands from a single host. If it's just a few requests from many thousands of hosts, you're out of luck there.
>
> For an attack like this, you really need either something on the web server itself, or a reverse proxy between your firewall and web server.
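An added example, not from the thread or from pfSense: detection logic run over constructed Apache access-log lines that separates the two cases Chris describes, a few hosts sending thousands of requests for missing files (where a per-source state limit at the firewall can bite) versus a few requests each from many hosts (which only the web server or a reverse proxy can judge). The thresholds, addresses and log lines are assumptions.

```python
"""Spot the 404 flood Jeremy describes in an Apache access log.

Added example for the thread above, not pfSense or Apache code. Requests are
bucketed per second, 404s are counted per source, and each second is marked
with the sources a per-source limit would catch and whether the rest of the
404 traffic is spread thinly over many sources. Thresholds are assumptions.
"""
import re
from collections import Counter, defaultdict

# Constructed sample in Apache "common" log format: one hammering host, three
# low-rate hosts asking for a file that does not exist, one legitimate hit,
# and one more low-rate 404 a second later.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Jul/2006:02:15:01 -0500] "GET /cgi-bin/xx1 HTTP/1.0" 404 289
203.0.113.7 - - [04/Jul/2006:02:15:01 -0500] "GET /cgi-bin/xx2 HTTP/1.0" 404 289
203.0.113.7 - - [04/Jul/2006:02:15:01 -0500] "GET /cgi-bin/xx3 HTTP/1.0" 404 289
203.0.113.7 - - [04/Jul/2006:02:15:01 -0500] "GET /cgi-bin/xx4 HTTP/1.0" 404 289
198.51.100.21 - - [04/Jul/2006:02:15:01 -0500] "GET /nothere.php HTTP/1.1" 404 289
198.51.100.22 - - [04/Jul/2006:02:15:01 -0500] "GET /nothere.php HTTP/1.1" 404 289
198.51.100.23 - - [04/Jul/2006:02:15:01 -0500] "GET /nothere.php HTTP/1.1" 404 289
192.0.2.10 - - [04/Jul/2006:02:15:01 -0500] "GET /index.html HTTP/1.1" 200 5120
198.51.100.24 - - [04/Jul/2006:02:15:02 -0500] "GET /nothere.php HTTP/1.1" 404 289
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return (source_ip, timestamp_to_the_second, status) or None for junk."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Apache's timestamp already has one-second granularity; keep it whole.
    return m.group("ip"), m.group("ts"), int(m.group("status"))


def not_found_per_second(lines):
    """{second: Counter(source_ip -> number of 404s)} over the given lines."""
    buckets = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, status = parsed
        if status == 404:
            buckets[ts][ip] += 1
    return buckets


def classify(buckets, per_source_limit=3, distributed_sources=3):
    """Per second: sources at or over per_source_limit 404s ("heavy", the ones
    a per-source state limit would catch) and whether the remaining sources
    number at least distributed_sources (a spread-out flood the firewall
    cannot tell from legitimate traffic).

    Returns {second: {"heavy": [ips], "distributed": bool}}.
    """
    verdict = {}
    for ts, counter in buckets.items():
        heavy = sorted(ip for ip, n in counter.items() if n >= per_source_limit)
        light = [ip for ip in counter if ip not in heavy]
        verdict[ts] = {"heavy": heavy,
                       "distributed": len(light) >= distributed_sources}
    return verdict


if __name__ == "__main__":
    result = classify(not_found_per_second(SAMPLE_LOG.splitlines()))
    for ts, v in sorted(result.items()):
        print(ts, "| per-source limit would catch:", v["heavy"] or "nothing",
              "| distributed low-rate 404s:", v["distributed"])
```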
Re: [pfSense Support] Advice on multi-port Gig ITX or ATX system?
On 7/7/06, Robert Carr <[EMAIL PROTECTED]> wrote:
> I don't know how much better the performance will be, but OpenBSD developers have repeatedly suggested using Gig-E interfaces. Larger on-card buffers means fewer interrupts. Fewer interrupts means more work done handling packets.

Obviously you'll have bus limitations, you've acknowledged that, but gig cards will increase the PPS rates on slower systems due to their buffers - that may or may not actually improve performance ;)

--Bill
Re: [pfSense Support] Second Annual pfSense Hackathon - Call for Donations
One of our newer servers also takes PC3200 ECC memory. I believe these work:
http://www.newegg.com/Product/ProductList.asp?N=2010170147+1052308477+1052407862+1052507867+1052607868&Submit=ENE&SubCategory=147
or two of "KTH-DL385 1G" kits would bring this box up to 3G (and allow us to make some pretty decent use of the faster proc). Contact Chris and myself if there's interest in providing this.

Thanks
--Bill
Re: [pfSense Support] WAN failover - under consideration?
On 7/10/06, Alastair Stevens <[EMAIL PROTECTED]> wrote:
> Dear Scott (and other developers)
>
> As I mentioned the other day, we're very interested in WAN failover capability, and it appears that there are others who would also like this functionality. I'm interested to know whether this feature is under consideration for future releases of pfSense, or how hard it would be to implement. It would seem to be within reach, given the existing WAN load balancing feature.
>
> Would this feature be a candidate for a 'bounty'? The company I'm working for is very open to exploring this possibility, and would likely be willing to offer payment in order to accelerate the development of the WAN failover feature. We're purely exploring possibilities here, so I'd be interested in your thoughts.

It's certainly of interest and something I've spent some amount of time working on. With Holger being at the upcoming hackathon, I'm hoping he'll set up an environment for us to do this work on (I certainly don't have a setup for it at home). As I'm already interested in doing it and waiting on the hackathon to work on it, I don't know that a bounty per se is necessary, but a donation to the cause in the name of WAN Failover would be useful. Holger and I have numerous travel expenses (he's coming over to the States from Germany) that we'd love to offset. At some point in the next few days I'll put up a blog entry as to what I'm planning on working on if anyone is interested in donating to a specific item.

--Bill
Re: [pfSense Support] WAN failover - under consideration?
On 7/10/06, Bill Marquette <[EMAIL PROTECTED]> wrote:
> At some point in the next few days I'll put up a blog entry as to what I'm planning on working on if anyone is interested in donating to a specific item.

http://hitormiss.ucsecurity.com/index.php/2006/07/10/pfsense-hackathon-2006-plans/

--Bill
Re: [pfSense Support] ftpsesame
http://www.google.com/search?q=ftpsesame&start=0&ie=utf-8&oe=utf-8&client=firefox-a&rls=org.mozilla:en-US:official

--Bill

On 7/12/06, Tunge2 <[EMAIL PROTECTED]> wrote:
> What is ftpsesame for a process/application? And why is it showing up in our log files? Our rl2 interface is disabled, so why is the process listening on that interface? Is it possible to disable/remove it, and what is the purpose of the process?
>
> 2006-07-11 12:38:00 Daemon.Notice Jul 11 12:37:50 ftpsesame[869]: listening on rl2, filter 'tcp and port 21', snaplen 500
>
> 1.0-RC1 built on Fri Jun 16 01:10:36 UTC 2006
Re: [pfSense Support] Fwd: pppoe on OPT port
On 7/12/06, Tunge2 <[EMAIL PROTECTED]> wrote:
> I've downloaded the cvs files, uploaded them to our (test) PFsense machine and selected PPPoE on the OPT port. I know the files are still under development. The errors that we are getting if we select PPPoE on the OPT port are:
>
> The following input errors were detected:
> The field 'IP address' is required.
> The field 'Subnet bit count' is required.
>
> And by the option "PPPoE configuration" it goes automatically to PPPoA?

And with that act, you've just entered the realm of unsupported. We do NOT support anything in HEAD, it's a completely self-supported branch (and running a hodge podge of HEAD/RELENG_1 is just going to get you chasing your tail).

--Bill
Re: [pfSense Support] IPSEC questions
On 7/12/06, Quirino Santilli <[EMAIL PROTECTED]> wrote:
> Hi guys, my head is crashing again with the connection problem between my pfSense branch office firewall and my main Microsoft ISA 2004 through IPSEC. Yesterday in the Microsoft docs I found information about establishing an IPSEC connection between ISA 2004 and smoothwall, a Linux based firewall with a Freeswan implementation. The first thing I noticed in this howto is that on the smoothwall side the 'Compression' checkbox in the IPSEC policies is not flagged. In pfSense there are no settings regarding the 3des compression, but debugging pfSense's SA Proposal I noticed the '3des-cbc' value. So the questions are:
>
> 1) does pfSense use a compressed 3des ipsec policy?

Looks like this is in my racoon.conf:

    compression_algorithm deflate;

> 2) is it possible to deactivate it?

Not at this time.

> 3) does pfSense automatically understand that the other side is offering a non compressed 3des policy?

Not sure, I think so. You can try removing the compression line from /var/etc/racoon.conf and rerunning racoon with this command:

    pkill -9 racoon && /usr/local/sbin/racoon -f /var/etc/racoon.conf

Use Diagnostics->Edit File and Diagnostics->Command if you aren't comfortable with a unix shell.

--Bill
Re: [pfSense Support] CARP - battle of the firewalls
Spanning tree port lockout will nail you pretty hard with CARP. Make sure your switch ports (if managed switches) are in port fast. Also, make sure that you haven't inadvertently turned on port security and limited the port to a single MAC (each CARP VHID uses a MAC along with the physical interface's MAC).

--Bill

On 7/14/06, Royce Mitchell III <[EMAIL PROTECTED]> wrote:
> Alastair Stevens wrote:
> > Hi again
> >
> > We're gradually getting closer to our desired setup: 2 pfSense boxes with CARP failover, each with multiple LAN interfaces and load-balanced dual WANs. This is obviously quite a complex setup, and getting it all working at once seems elusive - but we're almost there!
> >
> > At the moment, the biggest problem is still CARP. When firewall B is brought up, it tries to become "master" for both LAN interfaces, whilst remaining "backup" for the WANs. This is at the same time that firewall A is "master" for everything, as it should be. So the CARP failover just isn't working - the machines seem to be fighting each other to become master, which breaks things.
> >
> > I have checked the settings, and consulted the list, multiple times, but can't get to the bottom of this. Any more ideas on why CARP is behaving so erratically?
> >
> > The machines are both running RC1 + SNAPSHOT_07_06_2006, as suggested by Scott earlier, and they have a dedicated crossover link for the pfsync traffic.
> >
> > Regards
> > Alastair
>
> I have an almost identical setup, except I'm not carping my WAN2, only WAN and LAN. When firewall A reboots it many times will only get one of the carps. When I reboot B that clears it up for me. However, I have only rarely experienced a problem with B taking over upon boot up.
Re: [pfSense Support] load balancer
Fails in what way? You mean, when a WAN goes down you get disconnected (to be expected)?

--Bill

On 7/14/06, Tunge2 <[EMAIL PROTECTED]> wrote:
> hello,
>
> We installed the load balancer on our PFsense RELENG_1_SNAPSHOT-07-09-2006 machine. The load balance seems to work great for web traffic (if we shut down the WAN connection, OPT takes it over nicely :) that's a fantastic function, keep up the great work). But if I try to build up any SSH or telnet connection, to an internal or an external host, it fails. The log files are not showing anything useful.
>
> Greetings
Re: [pfSense Support] CARP - battle of the firewalls
On 7/14/06, Royce Mitchell III <[EMAIL PROTECTED]> wrote:
> ever see any of the packets in question ), would it be advisable to give each carp interface a dedicated switch, or is it safe for example, to hook both LAN interfaces to the aforementioned D-Link, which is a 24-port gigabit unmanaged switch which all my servers are plugged into?

Given your setup and the fact that you still have a single point of failure on the WAN side of your firewall, I'd probably plug both firewalls into your most reliable switch. Trying to split them may end up in some rather goofy network issues anyway in failover scenarios.

--Bill
Re: FW: [pfSense Support] load balancer
I'll need to see your rules before too much more. For the SSH to 192.168.1.1, it sounds like you need a non-load balanced rule to handle that in front of your (guessing here) "from LAN to world use load balancer" rule.

--Bill

On 7/17/06, Tunge2 <[EMAIL PROTECTED]> wrote:
> It is not possible to build up any connection (except web traffic) even when the WAN and OPT connections are connected to the Internet. When I start for example the program Putty I get the message "unable to open connection to 192.168.1.1 (I tried several different IP addresses) Network error connection refused". If I remove the load balance option from PFsense all traffic goes well (SSH, telnet). I don't get any messages in the log file.
>
> > -----Original Message-----
> > From: Bill Marquette [mailto:[EMAIL PROTECTED]]
> > Sent: Saturday, 15 July 2006 0:36
> > To: support@pfsense.com
> > Subject: Re: [pfSense Support] load balancer
> >
> > Fails in what way? You mean, when a WAN goes down you get disconnected (to be expected)?
> >
> > --Bill
Re: [pfSense Support] CARP - battle of the firewalls
On 7/17/06, Alastair Stevens <[EMAIL PROTECTED]> wrote:
> Hi - well this sounds interesting, though not very encouraging! The whole thing is set up on a test bench at the moment, and as it happens, we are using *different* types of switches on different interfaces. The LANs are using 24-port Netgears, and the WANs are using cheapo D-Link consumer switches temporarily. All but one are unmanaged, though I think we'll be using the managed ones in the production setup. This looks like a tricky one to diagnose - maybe it will all 'just work' in production? :-)

CARP is a multicast protocol and uses a multicast MAC address. The cheap switches _should_ handle it fine. With that said, I've only run it on high end Ciscos, Nortels, a Netgear (consumer grade) and whatever is built into my cable modem and, when I had it, DSL modem. On the Ciscos and Nortels, I've certainly run it 'cross switch where each firewall interface was on a different interface; it works (be careful with the Nortels, we ran into code bugs with them). Not sure what more I can suggest, it sounds like you've got a pretty basic setup and it's still not working properly :-/

--Bill
Re: [pfSense Support] USB Cdrom install is not working
On 7/17/06, Charles Sprickman <[EMAIL PROTECTED]> wrote:
> On Mon, 17 Jul 2006, Chris Buechler wrote:
> > I have a couple, but no USB CD-ROM drives. :/ Last I checked, they cost way more than I'd be willing to spend on one.
>
> Unless I'm confused, you can make any old CD-ROM a USB CD-ROM by purchasing a 5 1/4" case with a USB->IDE adapter. You can find them for under $40 on Newegg...

Yep, that's how I got mine (and then I flashed it and killed it) :)

--Bill
Re: FW: [pfSense Support] load balancer
On 7/18/06, Tunge2 <[EMAIL PROTECTED]> wrote:
> The LAN interface rules are:
>
> Proto    Source   Port      Destination  Port  Gateway       Description
> TCP/UDP  LAN net  22 (SSH)  *            *     *             SSH LAN
> *        LAN net  *         *            *     Load Balance  Default LAN -> any
>
> I've tried to add rules to the WAN and OPT interfaces also but that didn't work. It is not only the 192.168.1.1 that doesn't work, 194.109.21.4 also doesn't work.

What version are you running? Also in System->Advanced, is NAT Reflection checked or unchecked? Also, do you allow SSH in to the firewall from the WAN? This sounds suspiciously like the NAT Reflection bug I fixed before RC1.

--Bill
Re: [pfSense Support] SSH direct shell access
On 7/18/06, Alastair Stevens <[EMAIL PROTECTED]> wrote:
> Hi - I've seen that you can disable the *console* menu, but is it possible to disable the menu for remote SSH connections, so that we get straight to a shell? We'd like to be able to run a remote command from a script, for testing and failure simulation purposes. Or does anyone know another trick for getting through the menu and reaching a shell automagically?

Use authorized keys and forced commands (the forced command could be a script that evaluates $SSH_COMMAND and runs it).

--Bill
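An added example of the forced-command approach Bill suggests, not pfSense code: sshd exposes the command the client asked for in the SSH_ORIGINAL_COMMAND environment variable, and the wrapper runs it only when it matches a short allow list, so a scripted test key gets past the menu without being handed a general shell. The allowed command lines, program paths, interpreter path and the authorized_keys line in the docstring are assumptions.

```python
#!/usr/local/bin/python
"""Allow-listing forced-command wrapper for an authorized_keys entry.

Added example for the thread above, not pfSense code. sshd passes the
client's requested command in SSH_ORIGINAL_COMMAND; this wrapper runs it
only if it matches one of a few fixed command lines. Assumed install line
(key material elided):
  command="/usr/local/bin/sshwrap.py",no-pty,no-port-forwarding ssh-rsa AAAA...
"""
import os
import shlex
import sys

# Exact argv the test key may request -> program actually executed.
# Entries and paths are assumptions; tailor them to the tests you script.
ALLOWED = {
    ("ifconfig", "-a"): ["/sbin/ifconfig", "-a"],
    ("carp", "status"): ["/sbin/ifconfig", "carp0"],   # assumed CARP interface name
    ("pfctl", "-si"): ["/sbin/pfctl", "-si"],
}


def authorize(original_command):
    """Map the requested command line to an allowed argv, or None to refuse.

    The request is split with shlex so that extra arguments, shell
    metacharacters, quoting tricks, an unterminated quote or an empty
    request all fail closed instead of reaching a shell.
    """
    if not original_command:
        return None
    try:
        tokens = tuple(shlex.split(original_command))
    except ValueError:            # e.g. no closing quotation
        return None
    hit = ALLOWED.get(tokens)
    return list(hit) if hit else None


def main():
    argv = authorize(os.environ.get("SSH_ORIGINAL_COMMAND", ""))
    if argv is None:
        sys.stderr.write("command not permitted for this key\n")
        return 1
    # execv runs the program directly (no shell), replacing this wrapper.
    os.execv(argv[0], argv)


if __name__ == "__main__":
    sys.exit(main())
```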
Re: [pfSense Support] Multiple Admins
On 7/19/06, Raja Subramanian <[EMAIL PROTECTED]> wrote:
> Is there some place where we can peek at the new/exciting features in the dev tree that are yet to make their way into public releases? Are the official features webpage
> http://www.pfsense.com/index.php?id=26
> and the wiki
> http://wiki.pfsense.com/wikka.php?wakka=IdeasThatAreGoodButNotReadyQuiteYet
> http://wiki.pfsense.com/wikka.php?wakka=RequestedFeatures
> where I should be looking?

It's a bit of a cop-out, but cvstrac is a good place to keep on top of changes.

--Bill
Re: [pfSense Support] Reset rules after firmware update?
On 7/20/06, Tim Dickson <[EMAIL PROTECTED]> wrote:
> It may not be... All I was saying is if you back up your config beforehand, then after you update, if your rules are deleted you can upload your config and all is back to normal. Except now you are on the newer firmware. (I would actually redownload a new ISO and do a fresh install... (verifying the ISO). I have yet to experience this on a full PFSENSE install, maybe someone else here has more info)
>
> My 2 cents
> -Tim

I've never seen this on my full installs either (although admittedly lately my only full installs run HEAD). Firmware upgrades reboot the machine on completion and config.xml is read on boot; I can't see any reason for rules to not load on boot.

--Bill
Re: [pfSense Support] BigPond WAN - bpalogin not starting
Fixed, thanks for the tip! I've requested an MFC on this, so it should show up in RELENG_1 shortly.

--Bill

On 7/20/06, Günter Müller <[EMAIL PROTECTED]> wrote:
> Reply to myself ...
>
> After further digging around and getting a better understanding of the code I now realise that interfaces.inc is not the right file to patch as suggested in my previous post below.
>
> This problem is related to Bug Ticket #702, which is flagged as fixed, but appears to be still broken or again.
>
> I have followed the instructions in Forum Topic 181 and FAQ 1089
> http://forum.pfsense.org/index.php?topic=181.0
> http://faq.pfsense.org/index.php?sid=10900&lang=en&action=artikel&cat=10&id=100&artlang=en
>
> Still no luck! I had a look at /etc/inc/interfaces.inc and can confirm that the code to create the bpalogin.conf file and start bpalogin is there in the function interfaces_wan_bigpond_configure. I found that this function should be called from /etc/rc.newwanip. After studying the syslog messages closely, I found that $interface is not set correctly in rc.newwanip. An examination of the code has revealed the following bug:
>
> Lines 40-48:
>
>     if($argument <> "") {
>         $curwanip = find_interface_ip($$argument);
>         $interface = convert_real_interface_to_friendly_interface_name($$argument);
>         if($curwanip == "")
>             $curwanip = get_current_wan_address();
>     } else {
>         $curwanip = get_current_wan_address();
>         $interface = "wan";
>     }
>
> Note the $$argument on lines 41 & 42! Changing these to $argument has fixed the problem!! BPAlogin starts up correctly now.
>
> Regards,
>
> Günter.
>
> From: Günter Müller [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, 20 July 2006 15:27
> To: support@pfsense.com
> Subject: [pfSense Support] BigPond WAN - bpalogin not starting
>
> Hi,
>
> I'm a newbie to pfSense (using 1.0rc1) and am trying to get a BigPond Cable WAN connection working. I have selected BigPond for the WAN connection and entered the username, password, etc. correctly. I successfully get a Bigpond DHCP address, but bpalogin does not fire up!
>
> I have checked in /var/etc, /etc and /usr/local/etc, but have not found a bpalogin.conf file that should have been created by the webConfigurator.
>
> Hence I have manually created the file in /var/etc (and /usr/local/etc) and started bpalogin from the shell prompt, which worked and I now can get out to the 'Net.
>
> A search of the mail archives for "BigPond" pointed me to the file /etc/inc/interfaces.inc. I managed to debug the file and found that the code for Bigpond was incomplete. I added a couple of lines and it is working for me now.
>
> Below is a diff of interfaces.inc and interfaces.inc.bak:
>
>     808,809d807
>     < $curwanip = get_current_wan_address();
>     < interfaces_wan_bigpond_configure($curwanip);
>
> I hope this fix can make its way into future releases of pfsense and be of help to other BigPond users with the same problem.
>
> Regards,
>
> Günter Müller
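Review bot: the two lines added to interfaces.inc at 808,809 (`$curwanip = get_current_wan_address();` and `interfaces_wan_bigpond_configure($curwanip);`) patch the symptom rather than the cause; the follow-up earlier in this same message traces the failure to `$$argument` on lines 41 and 42 of /etc/rc.newwanip, which is what keeps the existing call path from ever reaching interfaces_wan_bigpond_configure(). Prefer the one-character rc.newwanip fix and drop this hunk, otherwise bpalogin gets configured from both places once rc.newwanip sets $interface correctly.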
Re: [pfSense Support] BigPond WAN - bpalogin not starting
Merge From Current :)

--Bill

On 7/20/06, Günter Müller <[EMAIL PROTECTED]> wrote:
> Bill,
>
> This issue has been logged as bug ticket #1047 too ... I assume MFC means Main Feature Change?!
>
> I don't know too much about PHP code but from the debug messages to syslog I could see that $$argument was not recognised as valid syntax for variable references. That is why I logged it as a bug instead of a feature request.
>
> Just my 2 cents ...
>
> Günter.
>
> -----Original Message-----
> From: Bill Marquette [mailto:[EMAIL PROTECTED]]
> Sent: Friday, 21 July 2006 10:51
> To: support@pfsense.com
> Subject: Re: [pfSense Support] BigPond WAN - bpalogin not starting
>
> Fixed, thanks for the tip! I've requested an MFC on this, so it should show up in RELENG_1 shortly.
>
> --Bill
Re: [pfSense Support] Question
On 7/24/06, Stéphane Karges <[EMAIL PROTECTED]> wrote:
> Hello All,
>
> Does anyone know a solution for using the outgoing load balancer only in case one connection is down? I want to use connection WAN and, if this connection is down, redirect everything to OPT, and the reverse. Is it possible?

Not yet, that's work in progress as we speak. I expect that work to be complete today actually - but it won't show up in an official release for some time.

--Bill
Re: [pfSense Support] Question
On 7/24/06, Stéphane Karges <[EMAIL PROTECTED]> wrote:
> Thanks Bill,
>
> Tell me when it's OK in a test version, I can run a test for you if you want! And tell me how to?

It's not going to be in a release version (in any format) for some time. It's in our CVS tree however, so anyone willing to sync to HEAD (and deal with that minefield) is welcome to test it out, although you need to be able to fix any problems that arise yourself; HEAD is self-supported.

--Bill
Re: [pfSense Support] pfsense 1.0!!??!?!?!?
When we've confirmed that it works. You will want to install the full update or reinstall (in fact, anyone that's used cvs_sync.sh should).

--Bill

On 7/26/06, Tunge2 <[EMAIL PROTECTED]> wrote:
> When is RC2 available? If I run the cvs update, does the version number change to RC2?
>
> 2006/7/25, Rob Terhaar <[EMAIL PROTECTED]>:
> > cvs_sync.sh on RELENG_1 now says
> > This utility is no longer supported.
> >
> > http://cvstrac.pfsense.com/chngview?cn=13445
> >
> > Does this mean that 1.0 is here!!!
Re: [pfSense Support] pfsense 1.0!!??!?!?!?
On 7/26/06, Scott Ullrich <[EMAIL PROTECTED]> wrote:
> On 7/26/06, Rob Terhaar <[EMAIL PROTECTED]> wrote:
> > I'm curious, what sort of things have been found wrong with cvs_sync.sh in RELENG_1? Personally, I've been doing cvs_sync.sh on one of my routers at the office here for a couple months with no issues. But I'd like to know what to watch out for?
> >
> > ...but I'll definitely be installing the full RC2 update when it's released :D
>
> #1. Numerous people claiming to cvs_sync.sh releng_1 but end up on -HEAD
> #2. If we commit something to the cvs repo to build an iso and test and someone syncs in between, etc... We commit a bad patch and a dozen people get it and break their systems.

Also, cvs_sync.sh doesn't sync FreeBSD, so you're left with systems that claim they're running current code, but aren't. Nope, cvs_sync.sh is gone for now; we've got new build servers that have the disk space and capacity to release snapshots more frequently.

--Bill
Re: [pfSense Support] Pfsense and Netbios problem
RFC1918 or bogon filter on wan most likely.

--Bill

On 7/26/06, Pedro Paulo de Magalhaes Oliveira Junior <[EMAIL PROTECTED]> wrote:
> VTIBOX is equipment of the ISP that provides NAT. The PPTP server is outside DSL in another city. The firewall is full OPEN.
>
> -----Original Message-----
> From: Holger Bauer [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, 26 July 2006 15:27
> To: support@pfsense.com
> Subject: RE: [pfSense Support] Pfsense and Netbios problem
>
> Where does the client connect to? To the VTIBOX? And why do you have this kind of setup? This is most likely a firewall rules issue. Check the firewall logs for blocks and what rule is causing them.
>
> Holger
>
> -----Original Message-----
> From: Pedro Paulo de Magalhaes Oliveira Junior [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, July 26, 2006 8:18 PM
> To: support@pfsense.com
> Subject: [pfSense Support] Pfsense and Netbios problem
>
> ADSL --- VTIBOX (wan DHCP -- lan 192.168.3.10) --- PFSENSE (Wan 192.168.3.11, lan 192.168.1.10) --- CLIENTS (192.168.1.X)
>
> The clients connect to a PPTP Server (201.134.218.98) in order to use NETBIOS resources. When the client types \\192.168.2.25 there is no connection. If we remove pfsense all goes fine.
Re: [pfSense Support] Problem with Intel PRO/100 82562GT Network Adapter
Post full dmesg please. Thanks

--Bill

On 7/27/06, Carlos Silva <[EMAIL PROTECTED]> wrote:
Hi Scott.

There is no sound device on my machine. And I can't find pnp or Plug and Play entries in the BIOS Setup.

I have two onboard network adapters.
1) Intel PRO/100 82562GT.
2) Broadcom Gigabit BCM5721KFBG.

freebsd# ifconfig -l
bge0 lo0

I don't have a PS2 port. Only USB.

freebsd# dmesg | grep -E "USB|hub"
uhci0: port 0x1800-0x181f at device 29.0 on pci0
usb0: on uhci0
uhub0: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhci1: port 0x3000-0x301f irq 19 at device 29.1 on pci0
usb1: on uhci1
uhub1: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhci2: port 0x3020-0x303f irq 18 at device 29.2 on pci0
usb2: on uhci2
uhub2: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhci3: port 0x3040-0x305f irq 16 at device 29.3 on pci0
usb3: on uhci3
uhub3: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
ehci0: mem 0xd04c-0xd04c03ff irq 23 at device 29.7 on pci0
usb4: on ehci0
uhub4: Intel EHCI root hub, class 9/0, rev 2.00/1.00, addr 1

Any ideas? I want to push the server through the window. :-) LOL

Thanks,
Carlos Silva
MAIL: casmedia at gmail dot com
MSN: casmedia at terra dot com dot br

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 27, 2006 12:47
To: support@pfsense.com
Subject: Re: [pfSense Support] Problem with Intel PRO/100 82562GT Network Adapter

On 7/27/06, Carlos Silva <[EMAIL PROTECTED]> wrote:
> Hello All.
>
> I have a problem with pfsense and the Intel Pro/100 Network Adapter (82562GT).
>
> Pfsense does not find the device, and does not bring up the fxp(4) driver.
>
> I made tests with another system (Linux) with success on the same Network Adapter.
>
> How to use pfsense with the Intel PRO/100 adapter?
>
> Thanks,
>
> Carlos Silva
>
> MAIL: casmedia at gmail dot com
>
> MSN: casmedia at terra dot com dot br

Sounds like hardware issues. Not sure exactly what but I would try out all of the A+ stuff such as disabling pnp, etc.

FWIW my firewall uses fxp and they work fine:

# ifconfig -l
fxp0 xl0 fxp1

Scott
Re: [pfSense Support] Max. outbound PPTP sessions currently limited to 1
On 7/27/06, David Strout <[EMAIL PROTECTED]> wrote:
http://forum.pfsense.org/index.php/topic,1383.0.html

I am baffled by the above post on the forum. Like it or not pfS devs ... PPTP is here to stay and has its place in networking. I am not a big supporter of it personally and I am fully aware of its inherent risks and vulnerabilities. But I find it very unprofessional to state (paraphrase from SUllrich), "I think it should go away, I don't like it and therefore I will not make it work right on pfSense". I realize that you are hard at work on other things and most likely have a full plate with hackathon, but it seems you might find a more constructive method of addressing this ISSUE. I can't name ONE "enterprise" FW that does not support multiple PPTP sessions outbound (if so desired), and since one of the goals of pfS that I have read many times on the board and lists is to make an enterprise class FW ... maybe someone could start addressing the issue with some constructive dialogue or maybe a few pointers on where someone from outside the core dev team might start in getting this to work w/ OpenBSD's PF. This is one of the only downfalls of this project ... the holier-than-thou attitude from the core dev team. This is a GREAT product of many hours of arduous labor from ALL, dev team and project contributors alike ... but open-source also means open to suggestions and other lines of thinking. With that said .. where would someone start on getting multiple PPTP sessions working???

Step 1: Find someone that cares
Step 2: Convince them to do your bidding
Step 3: Convince Theo that PPTP support needs to be in the kernel (actually...that should be step one cause you'll never find someone to do it otherwise)
Step 4: Since 3 will never actually happen, find someone that can figure out how to do this in userland
Step 5: Wait for it to be ported to FreeBSD
Step 6: Wait for us to bring it into a release

Talk to you in never years.

--Bill
Re: [pfSense Support] jitter? ... it's the fiber again!
On 7/28/06, Jure Pečar <[EMAIL PROTECTED]> wrote:
On Fri, 28 Jul 2006 16:08:51 +0200 "Espen Johansen" <[EMAIL PROTECTED]> wrote:
> The only time I have seen behaviour like this is when either the nic
> or the cable has issues, when everything stopped it was the card
> trying to autosense half duplex because of a bad cable. Maybe you
> should have a look at your nics, and possibly the cable and or
> switch. Another example is the 3c905B that drops to half duplex when
> loaded with 70mbit + over a period (30sec or more).

Yup, you are right.

We have a primary pfsense (dual xeon, gbit fiber intel nics) and a secondary one (p4, 100mbit copper intel nics) and when I failed over the traffic to the second one, it started to work as it should.

When was the last time those fiber ends were cleaned? :) For that matter, was it unplugged to replace the linux install? If so, it probably got dirty at that point - fiber is extremely touchy (and I've troubleshot more than my fair share of dirty fiber issues).

--Bill
Re: [pfSense Support] 64 MB Warning!!! Don't use systems with less than 128 MB RAM !
On 7/27/06, Tim Roberts <[EMAIL PROTECTED]> wrote:
Amen. Found out only after buying 10 wrap 2cs with 64mb :) Now they're just office APs :(

Life is moderately better with the changes we made in CVS - it'll be in RC2. _BUT_ I think it's safe to say that 64M machines are last on our list for getting attention. I have two that were donated so I have incentive to make it work - but frankly if it becomes too difficult I'll drop OpenBSD on them (I use them as pure APs only anyway - the end goal to get roaming working in FreeBSD's hostapd).

--Bill
Re: [pfSense Support] 1.0 RC2
Works here on 6.0.2800.1106.xpsp2.050301-1526CO SP1; Q822925; Q837009; Q867801; Q903235

--Bill

On 8/1/06, macafee <[EMAIL PROTECTED]> wrote:
My IE Browser version is 6.0.2900.2180.xpsp_sp2_rtm.040803-2158
The IE ERROR IS "Line:324 Char:1 Error:Object expected Code:0 URL:http://mypfsenseip/firewall_rules_edit.php?if=wan"
Maybe the php web has some problem!

[EMAIL PROTECTED]
2006-08-02

- Original Message -
From: Scott Ullrich
To: support
Sent: 2006-08-01, 21:07:13
Subject: Re: [pfSense Support] 1.0 RC2

>On 8/1/06, macafee wrote:
>>
>> I tested the 1.0RC2 just now! I found the advance button in the
>> "firewall->rules" gives an error! I can't open the advance option! Why? BTW: I use
>> the IE6 Browser!
>
>Try using FireFox. Report back if they work. Also, if FireFox
>works and IE doesn't please report the error IE is reporting to you.
>
>Scott
Re: [pfSense Support] cant reset password
On 8/2/06, Nick Smith <[EMAIL PROTECTED]> wrote: Im getting this error when trying to reset the admin password via the console: Error: cannon determine root pwd in sync_webgui_passwords(). Effectively locking me out of the firewall. Is there anyway to correct this? I was hoping to upgrade to RC2, but need to get this fixed first, I am running RC1. Not with that error message you aren't. That came from HEAD. Please reinstall. Thanks --Bill - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] cant reset password
On 8/2/06, Bill Marquette <[EMAIL PROTECTED]> wrote: Not with that error message you aren't. That came from HEAD. Please reinstall. Thanks PS. for those still wondering why cvs_sync.sh is gone...here you go. --Bill - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] cant reset password
On 8/2/06, Nick Smith <[EMAIL PROTECTED]> wrote: Bill Marquette wrote: > On 8/2/06, Bill Marquette <[EMAIL PROTECTED]> wrote: >> Not with that error message you aren't. That came from HEAD. Please >> reinstall. Thanks > > PS. for those still wondering why cvs_sync.sh is gone...here you go. > > --Bill > > - > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > Guess I'll get to try out RC2 anyway ;-) :) Sorry for the bad news...but really, it's good news anyway. A clean install of RC2 is likely to be more stable than an upgrade from RC1 (not that this should be unstable in any way - we haven't made any config file changes). --Bill - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] Trouble accessing console via serial connection
On 8/3/06, Jonathan Wanak <[EMAIL PROTECTED]> wrote: Hi, I'm trying to get the serial console to work. I'm running pfSense RC2, on the hard drive on a PII Dell Optiplex, connected to my Windows XP machine with a null modem cable. Connection settings are 9600/8/N/1/HW handshaking. I have verified 2-way communication between the firewall box and the XP machine ('echo "xx" > ttyxx' appears in HT; 'more ttyxx' displays text typed into HT), and disconnected the keyboard, mouse, and monitor from the router. Here's my problem: I see the pfSense boot-up and shut-down messages in HyperTerminal. However, once I get to the line "Bootup complete" I can't seem to do anything. I was expecting to see the main console screen at this point, but nothing further appears. When I reboot via the web configurator, I see the shutdown messages in HyperTerminal. I've tried TTY, VT100, ANSI, and auto emulation modes. I've also tried playing around with the flow control settings, but haven't seen any difference. I'm guessing I have some kind of terminal misconfiguration, but don't know where to go from here. Any help would be greatly appreciated. Interesting, didn't know the PC image would display anything on serial during boot. In the System->Advanced menu, there's an option to spawn the console on serial. --Bill - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] Bridged Multi-Wan Load Balancing Failover
On 8/4/06, Nick Smith <[EMAIL PROTECTED]> wrote: Gary Buckmaster wrote: > Scott Ullrich wrote: >> On 8/3/06, Gary Buckmaster <[EMAIL PROTECTED]> wrote: >>> Aren't those Opteron based? If so, then you're out of luck, because >>> pfSense is currently not an x64 platform. >> >> Opterons will run just fine on 32 bit as well as 64 bit. One of our >> builder servers is a dual Opteron. >> >> Scott >> >> - >> To unsubscribe, e-mail: [EMAIL PROTECTED] >> For additional commands, e-mail: [EMAIL PROTECTED] >> > My mistake. String me up. > - > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > What about a sparc64? like a sun u2? will it run on that? Wrong architecture. FreeBSD does run on these machines though, feel free to attempt to bootstrap our build (you'll need to recompile the binaries we have in our CVS tree for sparc64 of course). No reason it can't run on there, we're just not going to provide a build for it. Besides, you'll save enough in power costs by not running that Ultra2 in a year or two to buy a decent low VIA based machine. --Bill - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] Can't get basic routing to work.
On 8/4/06, A. Jones <[EMAIL PROTECTED]> wrote: I have a whole subnet, routing is what I need. The computers also MUST have public IP addresses assigned to their interfaces. That will also screw me over when one of the subnets needs to talk to the other subnet using public IPs http://faq.pfsense.com/index.php?action=artikel&cat=8&id=29&artlang=en I also would have to get my ISP to change the routing to my network as the routing currently is xxx.xxx.xx1.001 modem xxx.xxx.xx1.002 WAN xxx.xxx.xx2.001 LAN xxx.xxx.xx2.002 Computer xxx.xxx.xx2.003 Computer xxx.xxx.xx2.004 Computer xxx.xxx.xx2.005 Computer and the static route is xxx.xxx.xx2.xxx/26 xxx.xxx.xx1.002 so there are no "extra" IPs on the outside with which to do 1:1 to begin with. Actually, for this you use the "other" virtual IP type. But that's beside the point since you have a requirement for public IPs on the actual machines. Enabling advanced outbound nat, then deleting the rules _should_ be the way you need this to work. I assume you put rules in on the WAN interface to allow the traffic?? :) --Bill - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] Can't get basic routing to work.
Not for inbound traffic it isn't.

--Bill

On 8/4/06, A. Jones <[EMAIL PROTECTED]> wrote:
The original rule on the firewall is already good for that.

>From: "Bill Marquette" <[EMAIL PROTECTED]>
>Reply-To: support@pfsense.com
>To: support@pfsense.com
>Subject: Re: [pfSense Support] Can't get basic routing to work.
>Date: Fri, 4 Aug 2006 16:32:28 -0500
>
>On 8/4/06, A. Jones <[EMAIL PROTECTED]> wrote:
>>I have a whole subnet, routing is what I need.
>>The computers also MUST have public IP addresses assigned to their
>>interfaces.
>>That will also screw me over when one of the subnets needs to talk to the
>>other subnet using public IPs
>>http://faq.pfsense.com/index.php?action=artikel&cat=8&id=29&artlang=en
>>
>>I also would have to get my ISP to change the routing to my network as the
>>routing currently is
>>
>>xxx.xxx.xx1.001 modem
>>xxx.xxx.xx1.002 WAN
>>
>>xxx.xxx.xx2.001 LAN
>>xxx.xxx.xx2.002 Computer
>>xxx.xxx.xx2.003 Computer
>>xxx.xxx.xx2.004 Computer
>>xxx.xxx.xx2.005 Computer
>>
>>and the static route is xxx.xxx.xx2.xxx/26 xxx.xxx.xx1.002
>>so there are no "extra" IPs on the outside with which to do 1:1 to begin
>>with.
>
>Actually, for this you use the "other" virtual IP type. But that's
>beside the point since you have a requirement for public IPs on the
>actual machines. Enabling advanced outbound nat, then deleting the
>rules _should_ be the way you need this to work. I assume you put
>rules in on the WAN interface to allow the traffic?? :)
>
>--Bill
Re: [pfSense Support] Can't get basic routing to work.
On 8/4/06, A. Jones <[EMAIL PROTECTED]> wrote: When you send (initiate) a packet out on port abc, and it is allowed through, the firewall opens up a "hole" (which is stored in the state table) that allows a response from the IP the packet was sent to on the return port specified in the packet. You use inbound rules (WAN->LAN) when you want to allow sessions to be initiated from the internet/untrusted interface. As long as the default "allow all" outbound rule is in place, you can do things like ping and browse the web with no problem from the LAN side. Considering I'm one of the developers, I certainly hope I understand the concepts of a stateful inspection firewall. :) The only example I saw of what was broken was an outside in traceroute. I think it's fair for me to assume that you may not have had rules allowing it into your network. But when I turn off NAT, the packets originate from my LAN subnet and the packets go for a wild ride into nothingness AIYA Hopefully, I'll have this fixed by tomorrow morning Thanks for everyone's help!!! It was much appreciated!!! Glad to hear it was upstream. --Bill - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
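Bill's one-line diagnosis in the Netbios thread above ("RFC1918 or bogon filter on wan most likely") and the state-table explanation in this thread both come down to the order in which a pf-based firewall evaluates a packet. The block below is an added Python model of that order, not pfSense code: the state table is consulted first, then the block-private-networks option on WAN, then user rules in first-match order (pfSense-generated rules carry pf's quick keyword), then default deny. The addresses, ports and rule set are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# RFC 1918 ranges; pfSense's "Block private networks" option on WAN drops
# packets whose source address falls in one of these.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrives on: "lan" or "wan"
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    iface: str                      # interface the rule is evaluated on, inbound direction
    action: str                     # "pass" or "block"
    dport: Optional[int] = None     # None matches any destination port
    dst_net: Optional[str] = None   # None matches any destination address

    def matches(self, p: Packet) -> bool:
        if p.iface != self.iface:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.dst_net is not None and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst_net):
            return False
        return True


class StatefulFilter:
    """Toy model of pf as pfSense drives it (hypothetical, for illustration)."""

    def __init__(self, rules: List[Rule], block_private_on_wan: bool = True):
        self.rules = rules
        self.block_private_on_wan = block_private_on_wan
        # Each state entry is the 5-tuple of the packet that opened the session.
        self.states: Set[Tuple[str, str, int, str, int]] = set()

    @staticmethod
    def _key(p: Packet):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p: Packet):
        # A reply has source and destination swapped relative to the opening packet.
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def filter(self, p: Packet) -> str:
        # 1. Replies to a session in the state table pass without consulting the rules:
        #    this is the "hole" the original poster describes.
        if self._reverse_key(p) in self.states:
            return "pass (state)"
        # 2. The block-private-networks option on WAN is checked before user rules,
        #    so a pass rule on WAN cannot rescue an RFC 1918 source.
        if (p.iface == "wan" and self.block_private_on_wan
                and any(ipaddress.ip_address(p.src) in n for n in RFC1918)):
            return "block (private network on wan)"
        # 3. First matching user rule wins.
        for r in self.rules:
            if r.matches(p):
                if r.action == "pass":
                    self.states.add(self._key(p))   # remember the session for its replies
                    return "pass (rule)"
                return "block (rule)"
        # 4. No rule matched: pfSense's default deny.
        return "block (default deny)"


def demo(block_private_on_wan: bool = True) -> List[str]:
    """Run four constructed packets through the model and return the verdicts."""
    fw = StatefulFilter([Rule("lan", "pass"), Rule("wan", "pass", dport=139)], block_private_on_wan)
    outbound = Packet("lan", "tcp", "192.168.1.50", 40000, "8.8.8.8", 80)        # LAN host browsing
    reply = Packet("wan", "tcp", "8.8.8.8", 80, "192.168.1.50", 40000)           # its answer
    probe = Packet("wan", "udp", "203.0.113.9", 53000, "192.168.1.50", 33434)    # outside-in traceroute
    netbios = Packet("wan", "tcp", "192.168.2.25", 50000, "192.168.1.50", 139)   # private source on WAN
    return [fw.filter(p) for p in (outbound, reply, probe, netbios)]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

With the private-network block enabled, the NetBIOS packet from 192.168.2.25 is dropped even though a pass rule for port 139 exists on WAN; with it disabled, the same packet passes by rule. The outside-in traceroute probe is blocked by default deny because nothing opened a state for it, which is Bill's point about needing WAN rules for traffic that is initiated from outside.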
Re: [pfSense Support] If ISC DHCP is not providing RFC 2136 updates what is?
On 8/9/06, Scott Ullrich <[EMAIL PROTECTED]> wrote: On 8/9/06, Robert Mortimer <[EMAIL PROTECTED]> wrote: > Flash of understanding > > Updates are tied into DHCP CLIENT to update changes to pfsense's interfaces > Updates are not tried into DHCPD to update information on leases issued > > Sorry for the confusion. I may have a look at the php to see if I can add > the required DHCPD config options. Well, that is not good to hear as FreeBSD switched away from ISC's dhcp client recently to OpenBSD's. So if this feature is tied to that paticular binary then I hate to say we are going to need to axe this feature for 1.0. We use nsupdate to update the upstream dns server when our WAN IP changes. Nothing to worry about here. --Bill - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] L2TP VPN?
On 8/10/06, Tommaso Di Donato <[EMAIL PROTECTED]> wrote: Hi all! I've just installed RC2, and I've seen there is the demon l2tpd.. is it working? I know there is not a menu section, but is it possible to use it? Thank you! Tom The code for that is only in HEAD. --Bill - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] If ISC DHCP is not providing RFC 2136 updates what is?
On 8/10/06, Robert Mortimer <[EMAIL PROTECTED]> wrote: I've had a quick look at the OpenBSD docs and they indicate it runs dhclient-script in the same way as ISC's dhc client so all should be OK can anyone tell me where the file containing the function services_dhcpd_configure() and it's friends lives? I have greped /usr/local/www with no luck. I must admit I am more used to finding php/httpd files under Linux/apache. I think it's in /etc/inc/services.inc - most of our non-GUI related code is in /etc/inc. --Bill - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] If ISC DHCP is not providing RFC 2136 updates what is?
On 8/10/06, Reuel ben Yisrael <[EMAIL PROTECTED]> wrote: Bill Marquette wrote: > > I think it's in /etc/inc/services.inc - most of our non-GUI related > code is in /etc/inc. > > --Bill Where is the code that generates /tmp/rules.debug? I want to help find the alias bug. "the alias bug" ? I didn't see any alias bugs in this thread, what are you talking about? --Bill - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] If ISC DHCP is not providing RFC 2136 updates what is?
On 8/10/06, Reuel ben Yisrael <[EMAIL PROTECTED]> wrote:
Bill Marquette wrote:
> On 8/10/06, Reuel ben Yisrael <[EMAIL PROTECTED]> wrote:
>
>> Bill Marquette wrote:
>>
>> >
>> > I think it's in /etc/inc/services.inc - most of our non-GUI related
>> > code is in /etc/inc.
>> >
>> > --Bill
>>
>> Where is the code that generates /tmp/rules.debug? I want to help find
>> the alias bug.
>
>
> "the alias bug" ? I didn't see any alias bugs in this thread, what
> are you talking about?
>
> --Bill

Sorry, something I discovered working with hoba last night. I have narrowed down where the bug is now, and should have a patch today hopefully - basically if you use aliases for port #'s and the internal port != external port on an inbound port forward, the generated rule is missing the internal port #.

Here's the problematic code in filter.inc:

    /* if item is an alias, expand */
    if(alias_expand($rule['local-port']))
        $localport = "";
    else
        $localport = " port {$rule['local-port']}";

Like I said I will attempt to fix it and submit a patch - hopefully today.

Thanks, please don't hijack threads, it's confusing. Also, please create a ticket on cvstrac for this so we can track it there. Thanks.

--Bill
Re: [pfSense Support] alias bug
On 8/10/06, Reuel ben Yisrael <[EMAIL PROTECTED]> wrote: On 8/10/06, Reuel ben Yisrael <[EMAIL PROTECTED]> wrote: > Bill Marquette wrote: > > > On 8/10/06, Reuel ben Yisrael <[EMAIL PROTECTED]> wrote: > > > >> Bill Marquette wrote: > >> > >> > > >> > I think it's in /etc/inc/services.inc - most of our non-GUI related > >> > code is in /etc/inc. > >> > > >> > --Bill > >> > >> Where is the code that generates /tmp/rules.debug? I want to help find > >> the alias bug. > > > > > > "the alias bug" ? I didn't see any alias bugs in this thread, what > > are you talking about? > > > > --Bill > > Sorry, something I discovered working with hoba last night. I have > narrowed down where the bug is now, and should have a patch today > hopefully - basically if you use aliases for port #'s and the internal > port != external port on an inbound port forward, the generated rule is > missing the internal port #. > > Here's the problematic code in filter.inc: > > /* if item is an alias, expand */ > if(alias_expand($rule['local-port'])) > $localport = ""; > else > $localport = " port {$rule['local-port']}"; > > Like I said I will attempt to fix it and submit a patch - hopefully > today. > Thanks, please don't hijack threads, it's confusing. Also, please > create a ticket on cvstrac for this so we can track it there. Thanks. > > --Bill hoba created ticket # 1066 for me. I created 1068 without realizing it. My patch on 1068 adds some missing port #'s, but doesn't fix the broken reflection. 1066 is for reflection. These are related issues, but I'm less concerned about reflection than about port aliases working properly in port forwards. Creating a ticket to address this issue specifically is fine. Thanks --Bill - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
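The filter.inc fragment quoted in this thread drops the target port whenever local-port is an alias, and pf then keeps the original destination port in the redirect, so a forward from external 8080 to internal 80 silently becomes 8080 to 8080. The block below is an added Python model of that rule builder, not pfSense's filter.inc and not the patch on ticket 1068: the buggy branch mirrors the quoted logic, and the fixed branch expands the alias instead. The alias table, the alias_expand stand-in and the pf rule text are constructed for the demonstration; pf's redirect target accepts a single port or a range, so a multi-port alias becomes one rdr rule per external/internal port pair.

```python
from typing import Dict, List, Optional

# Constructed stand-in for the port aliases pfSense keeps in config.xml.
ALIASES: Dict[str, List[str]] = {
    "web_ext": ["8080"],
    "web_int": ["80"],
    "mail_ext": ["2525", "2587"],
    "mail_int": ["25", "587"],
}

# A port-forward entry reduced to the fields the builder needs.
PortForward = Dict[str, str]

WEB_FORWARD: PortForward = {"interface": "em0", "protocol": "tcp", "external": "198.51.100.10",
                            "port": "web_ext", "local-port": "web_int", "target": "10.0.0.5"}
MAIL_FORWARD: PortForward = {"interface": "em0", "protocol": "tcp", "external": "198.51.100.10",
                             "port": "mail_ext", "local-port": "mail_int", "target": "10.0.0.5"}
PLAIN_FORWARD: PortForward = {"interface": "em0", "protocol": "tcp", "external": "198.51.100.10",
                              "port": "22", "local-port": "2222", "target": "10.0.0.5"}


def alias_expand(value: str, aliases: Dict[str, List[str]] = ALIASES) -> Optional[List[str]]:
    """Hypothetical counterpart of pfSense's alias_expand(): ports for an alias, None otherwise."""
    return aliases.get(value)


def expand_ports(value: str) -> List[str]:
    """A literal port is its own one-element list."""
    ports = alias_expand(value)
    return ports if ports is not None else [value]


def _head(rule: PortForward) -> str:
    return f"rdr on {rule['interface']} proto {rule['protocol']} from any to {rule['external']}"


def rdr_rule_buggy(rule: PortForward) -> str:
    """Mirror of the quoted filter.inc logic: an alias in local-port yields an empty port clause."""
    if alias_expand(rule["local-port"]):
        localport = ""                                   # the defect: alias silently dropped
    else:
        localport = f" port {rule['local-port']}"
    ext = " ".join(expand_ports(rule["port"]))           # pf list syntax is fine in the match part
    return f"{_head(rule)} port {{ {ext} }} -> {rule['target']}{localport}"


def rdr_rules_fixed(rule: PortForward) -> List[str]:
    """Expand the internal-port alias instead of dropping it.

    When internal and external ports are the same value, no target port is
    emitted and pf keeps the original destination port. Otherwise one rdr
    rule is emitted per external/internal pair, because the redirect target
    takes a single port (or a range), not a list.
    """
    ext = expand_ports(rule["port"])
    if rule["local-port"] == rule["port"]:
        return [f"{_head(rule)} port {{ {' '.join(ext)} }} -> {rule['target']}"]
    loc = expand_ports(rule["local-port"])
    if len(ext) != len(loc):
        raise ValueError("external and internal port aliases must have the same number of entries")
    return [f"{_head(rule)} port {e} -> {rule['target']} port {l}" for e, l in zip(ext, loc)]


if __name__ == "__main__":
    print("buggy:", rdr_rule_buggy(WEB_FORWARD))
    for line in rdr_rules_fixed(WEB_FORWARD) + rdr_rules_fixed(MAIL_FORWARD):
        print("fixed:", line)
```

Comparing the two outputs for WEB_FORWARD shows the symptom reported above: the buggy rule ends at the target host, so pf redirects 8080 to 8080 on the internal machine, while the fixed rule carries "port 80". Checking /tmp/rules.debug for rdr lines whose target lacks a port clause is the quick way to confirm whether a running box is affected.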
Re: [pfSense Support] Updateing to HEAD
On 8/11/06, Robert Mortimer <[EMAIL PROTECTED]> wrote: I want to check my changes against a running version of HEAD. I have a running RC2 for development. What is the best way to update to HEAD now cvs_sync.sh is no more? Should I just nuke the box and install the developer edition? If so is cvs_sync still on the developer CD? Best is to install dev edition. cvs_sync isn't disabled in HEAD, only in RELENG_1 --Bill - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] install PFsense on USB keydrive
On 8/12/06, Samer Chaer <[EMAIL PROTECTED]> wrote: Dear Sirs, I want to install PFsense 1RC2 on a 256MB USB KEYDRIVE is that possible? Shall I use the same menu option 98 from the LiveCD? Thanks, Samer Why don't you try it and report back? --Bill - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] Squid package
On 8/12/06, Samer Chaer <[EMAIL PROTECTED]> wrote: Dear Sirs, Where to download the squid package for PFsense, is there any documentation about installing it and running it? As you've been told on IRC, you need to be running a Full Install. The LiveCD is basically for demo purposes. --Bill - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] DNS - Problems
The DNS override only works for items querying pfsense, not for pfsense itself. It and the daemon that does the DNS overriding (dnsmasq) use resolv.conf which should be populated with your ISP's DNS servers. You appear to have a bit of a catch-22. Since you have a FULL resolver internal to your network, let it do the internet resolving and point the pfsense box at it for DNS.

--Bill

On 8/16/06, Fuchs, Martin <[EMAIL PROTECTED]> wrote:
Hi all!

I'm at the end of my DNS-understanding of pfSense ;-) Ok, not that bad, but:

I got a Domain-Controller that hosts a DNS-Server in my LAN for my local domain. This DC forwards unknown DNS-requests to my pfSense, which gets the DNS from my ISP. In pfSense I have configured the DNS-Forwarder so that it resolves DNS-requests from the DC. In General-Setup I have set my internal DNS and activated the option "Allow DNS server list to be overridden by DHCP/PPP on WAN".

Now when I look at ARP-tables or the routing table pfSense does not resolve my hostnames (which are hosted on my DC) but shows "localhost" for all hosts except some ISP addresses. Seems logical to me at all, but at another location it works without these localhost-problems, it is resolved correctly...

I also would like to have my IPs / localhosts ;-) resolved correctly and for that already entered an override domain in pfSense's DNS-forwarder for my local domain by domainname (xyz.xyz). It does not work... even if I ping my DC from pfSense's shell with the fqdn it tells me "ping: cannot resolve server.xyz.xyz: Unknown host" (btw. how can I nslookup under BSD? [command unknown]).

When I disable the checkbox "Allow DNS server list to be overridden..." it works well, it resolves my hosts and everything, but what happens with the DNS-forwarder in the pfsense? Does it redirect all DNS-requests to my DC by now? How is DNS-traffic handled then? I want to resolve DNS-traffic over my ISP's DNS-servers, not the root DNS servers as I suppose happens when I disable this option?

I'm a bit irritated because at another location it works, but not at mine... What's the clue? Looking forward to some hints! Thanks in advance...

Martin
Re: [pfSense Support] port forwarding problem while using dual-wan with same ISP/gateway
No reason this shouldn't work. --Bill On 8/17/06, Raja Subramanian <[EMAIL PROTECTED]> wrote: I'm sorry if this is common knowledge, I did not get anywhere by trawling the forum and mailing list archives. I have a dual wan setup (WAN, OPT1), my ISP has provided me two public IP addresses in the same subnet and both have the same ISP gateway. I have an internal web server on my LAN that needs to be accessible through both the wan links. I have setup the WAN and OPT1 interfaces in pfSense. WAN contains the default route. Port forwarding is working perfectly on WAN, but OPT1 stops forwarding packets after a few minutes. Tcpdump shows the packets entering OPT1, but the corresponding packets are not leaving the LAN interface. Before I start spending more time on troubleshooting this, I would like to know if dual wan with same isp gateway for port forwarding is a workable setup. Or should I put nat routers infront of pfSense and provide each wan link a different gateway? Please note that I'm not running outgoing load balancing on this setup. Thanks for any help! - Raja - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] Developer CD
On 8/18/06, Scott Ullrich <[EMAIL PROTECTED]> wrote: On 8/18/06, Robert Mortimer <[EMAIL PROTECTED]> wrote: > Developer CD Questions > > Is there fuller documentation on the use of the pfSense or similar > development setups around? > > More specifically > > 1) Is the developer CD supposed to provide a jail for development or is > development done on a base install with the jail/change root used to rebuild > the CD? No, there are no jails or chroots on the development iso. > 2) I am having no luck with exporting variables - do I need to install bash? > > I'm afraid I am used to web development or application development so the > distro development is a bit of a learning curve. You should use the standard shell... sh, tcsh, etc.. Bash will not work with FreeBSD's builder system. tcsh is probably the friendliest shell. setenv FOO myvalue to set an environment variable in tcsh. --Bill - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] Help with openbgpd 3.9 installation
On 8/23/06, bablam <[EMAIL PROTECTED]> wrote: Good afternoon all, I have just removed openbgpd 3.7_2 from my pfsense box and installed 3.9. When I attempt to run bgpd I get the following error; /libexec/ld-elf.so.1: Shared object "libc.so.7" not found, required by "bgpd" How can I install that object? Thanks all. If I had to guess, I'd say that you installed a FreeBSD 7 package...just a wild ass guess, I don't plan on logging into any of my machines to check libc versions, sorry. --Bill - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] BGP troubleshooting with Openbgp
I'd post this on freebsd-net or an openbgp mailing list (is there one?)... OpenBSD which develops openbgp has fixed numerous bugs since OpenBSD 3.7 released, I'd be willing to bet that OpenBSD 3.9 w/ OpenBGP 3.9 (if we consider the version of OpenBGP to be the same as the OS it was developed on) works "better" (for some definition of better which may or may not be yours).

--Bill

On 8/23/06, bablam <[EMAIL PROTECTED]> wrote:
Good afternoon,

The issue is dropped neighborships between IBGP peers every 1-2 minutes. One host is a PFsense (FC1) firewall running openbgp package version 3.7_2 (not sure what the actual version is) and the other a Fedora Core 5 box running Quagga 0.98.6. The configs and debugs are below, anyone seen weirdness like this before? This is not a complex config, looks like an undocumented feature.

Thanks all.
Wade B

--- openbgp config ---
#macros
peer2="192.168.12.130"
myip="192.168.12.129"

neighbor $peer2 {
        remote-as 65001
        announce all
        holdtime 6
}

# networks we announce
network 192.168.15.0/30
network 0.0.0.0/0

--- bgpd config ---
router bgp 65001
 bgp router-id 192.168.12.130
 bgp log-neighbor-changes
 network 192.168.11.0/25
 network 192.168.11.128/25
 network 192.168.12.0/25
 network 192.168.12.128/25    <-- this prefix has been removed and the issue remains
 timers bgp 2 6
 neighbor 192.168.12.129 remote-as 65001

--- openbgp debug ---
bgpd -dv
peer2 = "192.168.12.130"
myip = "192.168.12.129"
startup
route decision engine ready
listening on 192.168.12.129
session engine ready
neighbor 192.168.12.130: state change None -> Idle, reason: None
neighbor 192.168.12.130: state change Idle -> Connect, reason: Start
neighbor 192.168.12.130: state change Connect -> OpenSent, reason: Connection opened
neighbor 192.168.12.130: state change OpenSent -> Active, reason: Connection closed
neighbor 192.168.12.130: state change Active -> OpenSent, reason: Connection opened
neighbor 192.168.12.130: state change OpenSent -> OpenConfirm, reason: OPEN message received
neighbor 192.168.12.130: state change OpenConfirm -> Established, reason: KEEPALIVE message received
neighbor 192.168.12.130 (AS65001) update 192.168.11.0/25/134726144 192.168.12.130
neighbor 192.168.12.130 (AS65001) update 192.168.12.128/25/134726272 192.168.12.130
neighbor 192.168.12.130 (AS65001) update 192.168.12.0/25/134726272 192.168.12.130
neighbor 192.168.12.130 (AS65001) update 192.168.11.128/25/134726272 192.168.12.130
nexthop 192.168.12.130 now valid: directly connected
neighbor 192.168.12.130: state change Established -> Idle, reason: HoldTimer expired
Connection attempt from neighbor 192.168.12.130 while session is in state Idle
neighbor 192.168.12.130: state change Idle -> Connect, reason: Start
neighbor 192.168.12.130: state change Connect -> OpenSent, reason: Connection opened
neighbor 192.168.12.130: state change OpenSent -> OpenConfirm, reason: OPEN message received
neighbor 192.168.12.130: state change OpenConfirm -> Established, reason: KEEPALIVE message received
neighbor 192.168.12.130 (AS65001) update 192.168.11.0/25/134726144 192.168.12.130
neighbor 192.168.12.130 (AS65001) update 192.168.12.128/25/134726272 192.168.12.130
neighbor 192.168.12.130 (AS65001) update 192.168.12.0/25/134726272 192.168.12.130
neighbor 192.168.12.130 (AS65001) update 192.168.11.128/25/134726272 192.168.12.130
nexthop 192.168.12.130 now valid: directly connected
neighbor 192.168.12.130: state change Established -> Idle, reason: ConnectRetryTimer expired
Connection attempt from neighbor 192.168.12.130 while session is in state Idle
neighbor 192.168.12.130: state change Idle -> Connect, reason: Start
neighbor 192.168.12.130: state change Connect -> OpenSent, reason: Connection opened
neighbor 192.168.12.130: state change OpenSent -> OpenConfirm, reason: OPEN message received
neighbor 192.168.12.130: state change OpenConfirm -> Established, reason: KEEPALIVE message received
neighbor 192.168.12.130 (AS65001) update 192.168.11.0/25/134726144 192.168.12.130
neighbor 192.168.12.130 (AS65001) update 192.168.12.128/25/134726272 192.168.12.130
neighbor 192.168.12.130 (AS65001) update 192.168.12.0/25/134726272 192.168.12.130
neighbor 192.168.12.130 (AS65001) update 192.168.11.128/25/134726272 192.168.12.130
nexthop 192.168.12.130 now valid: directly connected
neighbor 192.168.12.130: state change Established -> Idle, reason: ConnectRetryTimer expired
Connection attempt from neighbor 192.168.12.130 while session is in state Idle
neighbor 192.168.12.130: state change Idle -> Connect, reason: Start
neighbor 192.168.12.130: state c
Re: [pfSense Support] CARP Load balance
On 8/24/06, Robert Mortimer <[EMAIL PROTECTED]> wrote:
> > On 8/24/06, Robert Mortimer <[EMAIL PROTECTED]> wrote:
> > > I have 2 ADSL lines, each with its own pfSense box.
> > >
> > > I have set up CARP to provide a common LAN address shared between the two boxes.
> > >
> > > Should this configuration load balance? At the moment the traffic graphs seem to have all traffic going out of the master address until failover.
> >
> > CARP load balancing is not supported in 1.0.
>
> No problem. Is it in HEAD or are you looking for volunteers? I'm still

Nope, we removed that functionality because it doesn't work worth a damn. I don't expect to see it in the tree again. You might be better served with a CARP cluster with TWO WANs, not a CARP cluster with one WAN on each node. --Bill
Re: [pfSense Support] CARP Load balance
On 8/25/06, Robert Mortimer <[EMAIL PROTECTED]> wrote:
> CARP is the simple way to balance across this setup. Is there a way to use the load balancer on the CARP NIC instead? All examples seem to have a one-box solution.

Is the ADSL PPPoE? If so, does the PPPoE terminate on the DSL modem, or the pfSense box? If the modem, you might be in luck. The next question is, do you have one IP or multiple on the WANs? You may have stumbled on the single legitimate use of CARP load balancing... We've only disabled the ability to turn on arpbalancing from the GUI. If you really need it, in the backend you can edit /conf/config.xml and add on to the block

You'll want to reboot after making that change. This naturally isn't supported, but if you understand how CARP balancing works, it's still configurable. --Bill
Re: [pfSense Support] CARP Load balance
On 8/25/06, Robert Mortimer <[EMAIL PROTECTED]> wrote:
> > You'll want to reboot after making that change. This naturally isn't supported, but if you understand how carp balancing works, it's still configurable.
>
> This is the case outlined in the docs.

Yeah, see, the problem is that most people would (and do) configure it w/out understanding what it does and then complain that they randomly have packet or connection loss. Most people would, and have, tried to use it to load balance FIREWALLS, not network connections. If you have any suggestions on how to re-enable this w/out also making the support of its incorrect usage a nightmare, we're all ears (hint: putting a description next to the checkbox won't cut it ;)) --Bill
Re: [pfSense Support] vpnc - client for cisco3000 VPN Concentrator
Not sure how FAST_IPSEC solves this problem, but FWIW it's already enabled in the pfSense kernel. Why doesn't the built-in IPsec work for you (if it's due to the Cisco proprietary goo on the other end then no need to answer)? --Bill

On 8/30/06, Alvaro Pietrobono <[EMAIL PROTECTED]> wrote:
> Hi, I compiled vpnc on a running FreeBSD 6.0 and then copied it to pfSense. The binary and libraries are OK, but when I run vpnc this error occurs:
>
>     socket(SOCK_RAW): Protocol not supported
>
> In a Google search I found this: "The problem lies in that vpnc is opening a raw socket to get its ESP packets. However when you enable ESP in the kernel, the kernel is already taking those packets, so you get the SOCK_RAW error as vpnc cannot get ESP packets because the kernel is handling them. FAST_IPSEC will solve the problem." Is it possible in pfSense? Thanks ~Alvaro
Re: [pfSense Support] Oddness
Where's this log coming from? The NLB boxes, or the pfSense box? --Bill

On 8/30/06, Scott Williamson <[EMAIL PROTECTED]> wrote:
> Example of the log:
>
>     Aug 30 14:19:16 Grey_Skull 172.16.50.102:3292 172.16.50.109:443 TCP
Re: [pfSense Support] Intel PWLA8494MT support with latest update of RC2
On 9/1/06, Pierre Frisch <[EMAIL PROTECTED]> wrote:
> What is the support status of the Intel PWLA8494MT? I had it working with a special build sent by Bill Marquette including Intel driver 6.0.5. However this has disappeared from the latest update. Is it going to come back with the next one?

The driver had to be manually backported and kept up to date. As there was a bounty for this and I had a few minutes spare I created the patch. However, the bounty was never paid and I don't have the time to keep this updated (particularly when someone reported issues with it), so we removed the patch.

> I also have a problem with interface numbering. The system board has two interfaces that are numbered em0 and em1; the PWLA8494MT has four. When the PWLA8494MT is recognized it becomes em0-em3 and the on-board ones become em4-em5. This is quite annoying as it destroys the setup each time. Is there a way to fix those? i.e. keep the numbering stable.

PCI bus ordering, nothing we can do about it, sorry. --Bill
Re: [pfSense Support] Intel PWLA8494MT support with latest update of RC2
On 9/1/06, Pierre Frisch <[EMAIL PROTECTED]> wrote:
> Hi Bill, How much was the bounty?

Not sure...probably only $50 or so. The thread was removed from the forum at some point.

> I guess I don't understand the problem. Why did the driver have to be backported for each version? How is pfSense built? Is this a problem with FreeBSD or with pfSense?

The issue is that the driver I imported was from Intel's website - it had "issues" although it appeared to work...mostly. For whatever reason (I didn't look), on the last build we did, the patch no longer cleanly applied and I didn't really have much interest in making it continue to work. FreeBSD has officially imported this driver into RELENG_6, however pfSense runs on RELENG_6_1 and there have been significant enough changes to FreeBSD RELENG_6 that the backport will take some time. I'm still willing to work on this - outside of pfSense (i.e. it won't make it into 1.0 at this point..we haven't had any official release candidates with it in) if there's someone willing to pay me something for the time spent on it (and maintaining it). Else, it'll be in our next major release when we've upgraded our tree to the latest FreeBSD builds (don't expect 1.1 to release for 6-12 months as we get HEAD stable again) --Bill
Re: [pfSense Support] Intel PWLA8494MT support with latest update of RC2
On 9/1/06, Pierre Frisch <[EMAIL PROTECTED]> wrote:
> If all it takes is $50 I would be happy to oblige; the board did cost me $500 and it is worthless without a driver.

Understood, they aren't cheap boards. To be clear, what I'm offering is to provide a replacement kernel (that can be uploaded as a firmware image) for 1.0 and any major future RCs (such as RC3) that we release for 1.0. At the point where we release an official version all personal support for this kernel will cease. As I haven't looked at the amount of work required to backport the imported driver I can't make a guarantee on it just yet, but I do happen to have a relatively open evening tonight.

> That being said there are very few 4-port cards and I could not get hold of one of the "old" ones that are supported so this may become a

Understood here also, I can no longer get the older MT boards myself, only the newer boards. Caused me quite a bit of pain as I had to backport the driver in OpenBSD also or be hosed until my next upgrade cycle in 9 months.

> problem very rapidly, well before the 12 month time frame of 1.1. It may be necessary to reconsider the problem but I do not know the issue so it is hard for me to contribute on that topic. I understand the problem of RELENG_6_1 and RELENG_6; apparently FreeBSD is releasing RELENG_6_2 in October, maybe we should consider a 1.0.1 with an updated kernel?

That might happen, we'll see. There are no firm plans for post 1.0 at this point. --Bill
Re: [pfSense Support] pfsense snapshot 09-03-06 embedded
On 9/4/06, Craig FALCONER <[EMAIL PROTECTED]> wrote:
> Why not call them 1.0-SNAPSHOT-2006-09-03? At least they'll sort correctly in a listing. Or are we really talking about the 8th and 9th of March 2006? It proves that pfSense is a global programme, when date representation issues arise :)

And when people spell program wrong ;-P *ducks* --Bill
Re: [pfSense Support] CARP Load balance
Robert has about the _only_ legitimate use for this feature. And an interesting network layout to boot. I suspect we don't allow for duplicate VHIDs though, which would be required to make this work. Other than that, in his case, I'd expect that this should more or less "do the right thing" - as long as he isn't planning on handling inbound traffic :) --Bill

On 9/5/06, Holger Bauer <[EMAIL PROTECTED]> wrote:
> We already had this feature in earlier releases but dropped it due to it not working correctly and machines crashing. Maybe things have changed a bit since we were running something between alpha and beta of FreeBSD in those days. However, it's not considered a good solution even by the developers of CARP. I think the CARP tutorial at pfsense.com still explains this option, as it was not updated after that item had gone. Holger
>
> > -----Original Message-----
> > From: Robert Mortimer [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, September 05, 2006 11:14 AM
> > To: support@pfsense.com
> > Subject: RE: [pfSense Support] CARP Load balance
> >
> > > > On 8/25/06, Robert Mortimer <[EMAIL PROTECTED]> wrote:
> > > > > You'll want to reboot after making that change. This naturally isn't supported, but if you understand how carp balancing works, it's still configurable.
> > > >
> > > > This is the case outlined in the Docs
> > >
> > > Yeah, see, the problem is that most people would (and do) configure it w/out understanding what it does and then complain that they randomly have packet or connection loss. Most people would and have tried to use it to load balance FIREWALLS, not network connections. If you have any suggestions on how to re-enable this w/out also making the support of its incorrect usage a nightmare, we're all ears (hint: putting a description next to the checkbox won't cut it ;))
> > >
> > > --Bill
> >
> > Had a further look at the docs. To load balance across 2 machines requires 2 pairs of carp interfaces, each pair skewed to a different box. Further pfSense hacking will be required to get this going.
> >
> > From man page --
> >
> > In order to set up an ARP balanced virtual host, it is necessary to configure one virtual host for each physical host which would respond to ARP requests and thus handle the traffic. In the following example, two virtual hosts are configured on two hosts to provide balancing and failover for the IP address 192.168.1.10.
> >
> > First the carp interfaces on Host A are configured. The advskew of 100 on the second virtual host means that its advertisements will be sent out slightly less frequently.
> >
> >     # ifconfig carp0 create
> >     # ifconfig carp0 vhid 1 pass mekmitasdigoat 192.168.1.10 \
> >         netmask 255.255.255.0
> >     # ifconfig carp1 create
> >     # ifconfig carp1 vhid 2 advskew 100 pass mekmitasdigoat \
> >         192.168.1.10 netmask 255.255.255.0
> >
> > The configuration for host B is identical, except the skew is on virtual host 1 rather than virtual host 2.
> >
> >     # ifconfig carp0 create
> >     # ifconfig carp0 vhid 1 advskew 100 pass mekmitasdigoat \
> >         192.168.1.10 netmask 255.255.255.0
> >     # ifconfig carp1 create
> >     # ifconfig carp1 vhid 2 pass mekmitasdigoat 192.168.1.10 \
> >         netmask 255.255.255.0
> >
> > Finally, the ARP balancing feature must be enabled on both hosts:
> >
> >     # sysctl net.inet.carp.arpbalance=1
> >
> > I will let you know how I get on
> >
> > Rob
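The carp(4) recipe quoted above, generalised: the script below is an added example (not from the thread, the man page or the pfSense tree) that emits the ifconfig and sysctl commands for any one of N hosts sharing a single ARP-balanced address, so the pattern behind the two-host recipe is explicit. Host k is master (no advskew) for vhid k and backup (advskew 100, the man page's value) for every other vhid. Assumed: interface names carp0..carp(N-1), that the printed commands are run as root on each host, and the 192.168.1.10 / mekmitasdigoat values in the checks, which are taken from the man page excerpt.

```shell
#!/bin/sh
# Added example: generalises the two-host carp(4) recipe quoted above to
# N hosts. Not from the list thread, the carp(4) man page or pfSense.
# Host k (1..N) is master for vhid k (no advskew) and backup for every
# other vhid (advskew 100, the man page's value), so with all hosts up
# each physical host answers ARP for exactly one vhid, and a dead host's
# vhid fails over to the others. Interface names carp0..carp(N-1) and
# running the output as root are assumptions of this script.
#
# Usage: carp_arpbalance_cmds HOST_INDEX NUM_HOSTS ADDRESS NETMASK PASSWORD
# Prints the commands for that host; it does not run them.

carp_arpbalance_cmds() {
    host="$1" n="$2" addr="$3" mask="$4" pass="$5"
    [ "$host" -ge 1 ] && [ "$host" -le "$n" ] || return 1
    vhid=1
    while [ "$vhid" -le "$n" ]; do
        dev="carp$((vhid - 1))"
        if [ "$vhid" -eq "$host" ]; then
            skew=""             # master for our own vhid
        else
            skew=" advskew 100" # backup for the other hosts' vhids
        fi
        printf 'ifconfig %s create\n' "$dev"
        printf 'ifconfig %s vhid %s%s pass %s %s netmask %s\n' \
            "$dev" "$vhid" "$skew" "$pass" "$addr" "$mask"
        vhid=$((vhid + 1))
    done
    # Same on every host; without it the vhids are plain failover only.
    printf 'sysctl net.inet.carp.arpbalance=1\n'
}

# Sanity check for a generated set: how many vhids this host masters.
# Must be exactly 1, or two hosts would answer ARP for the same vhid.
master_count() {
    carp_arpbalance_cmds "$@" | grep -c 'vhid [0-9]* pass'
}

if [ $# -eq 5 ]; then
    carp_arpbalance_cmds "$@"
fi
```

With arpbalance on, a LAN client's ARP request for 192.168.1.10 is answered by only one of the vhids, chosen by hashing the requesting address, so clients are spread across the hosts while each vhid still fails over. That only decides which host a LAN client sends to; it changes nothing about where traffic arriving from outside lands, which is the inbound caveat Bill raises above.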
Re: [pfSense Support] Intel PWLA8494MT support with latest update of RC2
I'm currently working on updating our patches against RELENG_6. That branch should be locked shortly pending the tagging of RELENG_6_2 - we'd like to be able to start building that branch shortly after release (there are no plans to delay the 1.0 release for this). It shouldn't take me more than a day or two (work is eating up a lot of my hacking time right now) to retool our build/patch system - at that point I can send a test kernel your way. --Bill

On 9/1/06, Pierre Frisch <[EMAIL PROTECTED]> wrote:
> Let me know your conclusions and we will talk. Pierre
>
> On 1-Sep-06, at 4:17 PM, Bill Marquette wrote:
> > > If all it takes is $50 I would be happy to oblige; the board did cost me $500 and it is worthless without a driver.
> >
> > Understood, they aren't cheap boards. To be clear, what I'm offering is to provide a replacement kernel (that can be uploaded as a firmware image) for 1.0 and any major future RCs (such as RC3) that we release for 1.0. At the point where we release an official version all personal support for this kernel will cease. As I haven't looked at the amount of work required to backport the imported driver I can't make a guarantee on it just yet, but I do happen to have a relatively open evening tonight.
Re: [pfSense Support] CARP Load balance
On 9/6/06, Robert Mortimer <[EMAIL PROTECTED]> wrote:
> I accept that I have an unusual layout. In some ways it was based on the CARP documentation so it is not a great surprise that it includes "about the _only_ legitimate use for this feature". I am OK with the fact that what I am doing is unsupported and may require me to do the odd hack each time I upgrade.

I'd like to see that your change doesn't adversely affect the more normal use case for CARP and we can consider importing it. Obviously we've added measures to prevent duplicate VHIDs in the system - it's needed for arpbalance to work. If you can come up with a way to keep the two mutually exclusive (i.e., allow multiple VHIDs if arpbalance is enabled and the CARP IP is the same on both VHIDs) and test the hell out of it to ensure that you don't run into any CARP related kernel panics I'd be interested in considering its integration.

> If you wish I can do the following: document the setup including the hack to get it to work (in case anyone else wants to achieve the same).

The documentation would be good if you are interested in making this a little more bulletproof so people can't easily shoot themselves in the foot.

> PS I am already trying to find time to submit my changes for local RFC 2136 updates from the pfSense DHCP server to HEAD (the changes I did against RC2 failed miserably when applied to HEAD and as you know the window is closed for inclusion in 1.0).

lol, yeah, it's a right pain to backport from HEAD to RELENG_1 these days. --Bill
Re: [pfSense Support] Intel PWLA8494MT support with latest update of RC2
On 9/6/06, Pierre Frisch <[EMAIL PROTECTED]> wrote:
> So if I understand correctly you are porting pfSense to 6.2 instead of backporting the driver? That looks like a fabulous solution and quite a bit more sustainable for the future.

Exactly. And it takes the risk out of a backport (which looked like it may end up being rather tedious). It also means that anyone can build a RELENG_6 based image for any and all new hardware in RELENG_6 that isn't in the branch we're tracking for 1.0. There is some risk of stuff not working quite right of course, but that's why we're not changing to RELENG_6_2 this late in the release cycle. --Bill
Re: [pfSense Support] pfsense, core-duo support?
On 9/9/06, Robert Carr <[EMAIL PROTECTED]> wrote:
> I realize pfSense isn't SMP-capable, but would it run on a Core Duo (or Core Solo) processor? Or are these processors totally unsupported for now?

If FreeBSD 6.1 runs on it, pfSense should be able to. --Bill
Re: [pfSense Support] Editing firewall rules outside of the GUI
On 9/12/06, Doug Poland <[EMAIL PROTECTED]> wrote:
> On Tue, September 12, 2006 13:20, Scott Ullrich wrote:
> > On 9/12/06, Doug Poland <[EMAIL PROTECTED]> wrote:
> > > Can I edit the firewall rules outside the GUI? If so, what are the implications? Am I missing something?
> >
> > Considering that the proxy servers and such live on the LAN, you need to create a rule on the LAN interface. All traffic is processed incoming to the interface.
> >
> > For example, at work we block a lot of media sites and such (itunes streaming) so we create our block rules on the LAN interface.
>
> Hi Scott, thanks for the response. My rule is on the LAN interface, but the rule I created still comes after the default rule to "let out anything from firewall host itself". I can supply a rule list to clarify if necessary.

We filter inbound to the firewall. You really want your rules where the packet is first seen (in your case, it sounds like that is on your LAN interface), not where they exit your network. The default allow out policy assumes that whatever has made it into the firewall is good to go (which is why we don't have directions on rules).

> Does the fact that I'm running on Beta 4 have anything to do with this?

Probably not, but it's ancient and you'll regret not upgrading :) --Bill
Re: [pfSense Support] Editing firewall rules outside of the GUI
On 9/12/06, Fuchs, Martin <[EMAIL PROTECTED]> wrote:
> But nevertheless, you can filter packets outgoing to the internet...

Uhhh, no you can't. pfSense filters inbound only.

> Bill, is there a consideration to make rules for packets going into the firewall?

This is the behaviour we follow already. --Bill
Re: [pfSense Support] PPTP password check too strict
On 9/13/06, Jesse Peterson <[EMAIL PROTECTED]> wrote:
> On line 67 of vpn_pptp_users_edit.php of pfSense RC2 the preg_match() to check for a valid password is too strict for my use. I circumvented it by backup/manual edit of config/restoring the config. Specifically I needed an exclamation point in a password that was disallowed by that line. Any chance of that getting changed? It would appear that since /var/etc/mpd-vpn/mpd.secret has the password in quotes, the password field should be quite flexible?

Care to give us a valid regexp? --Bill
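One answer to "care to give us a valid regexp?", as an added example rather than anything from the thread or the pfSense tree: start from what the consumer of the value can take. The password lands in a double-quoted field of mpd.secret, so the check below rejects only the characters that could end or escape such a field (double quote, backslash, newline) plus non-printable or non-ASCII bytes, and accepts everything else, '!' included. That mpd treats exactly those characters as special is an assumption made here, not taken from mpd's documentation; the equivalent PCRE for the PHP side is given as a constant at the end.

```shell
#!/bin/sh
# Added example, not from the thread or pfSense: a candidate replacement
# for the over-strict PPTP password check. The password ends up as a
# double-quoted field in mpd.secret, so the check below rejects only what
# could break that field (the double quote, the backslash, a newline) and
# anything non-printable or non-ASCII, and accepts everything else,
# '!' included. That mpd treats exactly those characters as special is an
# assumption made here, not taken from mpd's documentation.

# 0 for an acceptable password, 1 otherwise.
valid_pptp_password() {
    pw="$1"
    nl='
'
    [ -n "$pw" ] || return 1
    case "$pw" in
        *\"*|*\\*|*"$nl"*) return 1 ;;   # would end or escape the quoted field
    esac
    # Anything outside 0x20-0x7e (C locale) is a control or non-ASCII byte.
    if printf '%s' "$pw" | LC_ALL=C grep -q '[^ -~]'; then
        return 1
    fi
    return 0
}

# The same rule as a PCRE for the PHP side's preg_match(): one or more
# printable ASCII characters, excluding 0x22 (") and 0x5c (\).
PPTP_PASSWORD_RE='/^[\x20\x21\x23-\x5b\x5d-\x7e]+$/'

if [ $# -eq 1 ]; then
    if valid_pptp_password "$1"; then echo accepted; else echo rejected; fi
fi
```

The point of the design is that the allowed set is derived from the storage format, so it is easy to argue about: if mpd's quoting turns out to permit escaped quotes, the exclusions shrink and the regexp changes in exactly one place.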
Re: [pfSense Support] Interface ip alias
For now use one of the virtual IP types in the Firewall menu. --Bill

On 9/15/06, Augusto Jobim Badaraco <[EMAIL PROTECTED]> wrote:
> How can I create an alias IP like I have on my actual servers, like ifconfig_vr0_alias... ?
Re: [pfSense Support] Firewall on WRAP
On 9/16/06, BW <[EMAIL PROTECTED]> wrote:
> Hi all, I have a WRAP 2C with 1 ethernet port and 1 wireless card. I have it set with WAN on the ethernet port and LAN on wireless, and configured it as a transparent firewall. I have one computer connected to the WAN port, then wireless serial servers connected to the LAN. Now I can ping from the pfSense box to all clients on both WAN and LAN and can ping from all clients to the pf box, but I cannot get any client to ping through to the WAN port from LAN and vice versa. I have rules on both WAN and LAN to pass from any to any. But as soon as I disable the firewall everything works. Can someone please help me set these rules properly? I am running RC2a.

Do you have Filtering Bridge checked in System->Advanced? Also, if you are just bridging, I think (not positive, my machine is still running B4 and there were known bugs with this in it) you have to turn off NAT in Firewall->NAT->Outbound NAT. Enable advanced NAT, click save, delete the rule that gets auto created, save again and apply. --Bill
Re: [pfSense Support] 1.0 RC2
On 9/18/06, Volker Kuhlmann <[EMAIL PROTECTED]> wrote:
> I didn't yet test, but does the shaper wizard now check the correct interfaces for SQF(?) capability?

There was no code change there. SQF? --Bill
Re: [pfSense Support] Dynamic Rule
On 9/18/06, Heath Henderson <[EMAIL PROTECTED]> wrote:
> I have a user who sits outside of our office network. I need to open up a port for them to access Filemaker through. I want to eventually get a VPN set up, but he has a Mac and I am not certain of how well the VPN will work with X.4 right now. I don't really have time to get this set up. I thought I would see about opening the ports up for him. He is on a dynamic DSL connection. He travels frequently. What is involved in setting up a script which can be run every minute which will check a dynDNS name and insert the correct IP # into the rule I have set up for him to access this port through the firewall? I have this successfully working on a Linux box with a hosts.allow script running and inserting the correct IP # so he can ssh into a server remotely. Thanks -- Heath Henderson --

You could always try OpenVPN. I know of at least one person using pfSense using it with OSX. --Bill
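For the script Heath describes (a periodic check of a DynDNS name feeding the firewall rule), here is an added example that is not part of the thread or of pfSense. It uses a pf table instead of rewriting rule text: the rule references the table and the cron job only swaps the table's contents, which pf applies atomically. Assumed names are the table remote_user, the cache file /var/db/remote_user.ip, host(1) for resolution, and a hand-added rule such as `pass in quick on $wan_if proto tcp from <remote_user> to $filemaker port 5003` (pfSense 1.0's GUI would not generate it). The host(1) output in the checks is constructed.

```shell
#!/bin/sh
# Added example (not from the thread or from pfSense): keep a roaming
# user's current address in a pf table from cron, so the firewall rule
# never has to be rewritten. Assumptions: a pf table named remote_user,
# a hand-added rule that references it, e.g.
#   pass in quick on $wan_if proto tcp from <remote_user> to $filemaker port 5003
# (pfSense 1.0's GUI does not generate table-based rules), host(1) for
# resolution, and a cache file so pfctl is only called on a change.
# Cron line, every minute: * * * * * /usr/local/bin/dyndns_table.sh user.dyndns.example

TABLE=remote_user
CACHE=/var/db/remote_user.ip

# Extract the first A record from host(1) output ("name has address A.B.C.D").
# Fails (status 1, no output) when there is none, so NXDOMAIN or a DNS
# outage leaves the table untouched instead of emptying it.
parse_host_output() {
    printf '%s\n' "$1" | awk '$2 == "has" && $3 == "address" { print $4; found = 1; exit }
        END { exit !found }'
}

# Accept only a dotted quad with each octet in 0-255; a DNS answer is
# untrusted input before it reaches pfctl.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*) return 1 ;;
    esac
    printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i == "" || $i > 255) exit 1 }'
}

# 0 when the table must change: the new address is valid and differs
# from what was last pushed.
needs_update() {
    cached="$1" new="$2"
    valid_ipv4 "$new" || return 1
    [ "$cached" != "$new" ]
}

# The only function that touches DNS and pf; not exercised by the checks.
update_table() {
    name="$1"
    new=$(parse_host_output "$(host -t A "$name")") || return 1
    cached=$(cat "$CACHE" 2>/dev/null)
    needs_update "$cached" "$new" || return 0
    # -T replace swaps the whole table for the new address in one step,
    # so the old address is dropped at the moment the new one is added.
    pfctl -t "$TABLE" -T replace "$new" && printf '%s\n' "$new" > "$CACHE"
}

if [ $# -eq 1 ]; then
    update_table "$1"
fi
```

Two things worth noting about the design: a failed or empty lookup is treated as "no change", never as "remove access", so a DNS hiccup cannot lock the user out mid-session or, worse, be used to flush the table; and because the rule itself never changes, a reload of the main ruleset is not needed, which is what makes a once-a-minute cron job cheap.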
Re: [pfSense Support] Dynamic Rule
On 9/18/06, Heath Henderson <[EMAIL PROTECTED]> wrote:
> Thanks, I am going to go the SSH route first. I will have access to set up VPN in about 2 months. I just don't have the time currently, and this person's system is in California and I am not. I haven't set up the ssh tunnel before, so if anyone has any pointers. I want to make this as secure as possible on my end. He only has to get into our Filemaker server so limited remote access is where I will be going.

Hence the suggestion to use OpenVPN. It's a simple setup on the pfSense side and I don't think on the OSX side it gets much easier than using the OSX client at http://www.tunnelblick.net/ --Bill
Re: [pfSense Support] Load balancer problem
On 9/19/06, Heath Henderson <[EMAIL PROTECTED]> wrote:
> This is probably a question which doesn't require an answer, but I am a little leery about updating to http://www.pfsense.com/~sullrich/1.0-SNAPSHOT-09-18-06/ . I was curious how to go about the update. I see two files which look like they might be the update files. One is Pfsense.img and the other is fullupdate. Please advise. I haven't done any updates yet. We have RC2 built Aug 1 of 2006. No updates have yet been applied.

Hmm, there is a README in the same directory that explains quite a bit. --Bill
Re: [pfSense Support] net to net
On 9/21/06, Rob Terhaar <[EMAIL PROTECTED]> wrote:
> Yes, pfSense can do dual WAN. No, you can not add the bandwidth from two ISPs to increase your total bandwidth.

Correct, not for a single transfer. Use a multi-threaded download manager and you might actually get load balanced across both links, thus doubling your download. --Bill

> Dual WANs are for load-balance and fail-over for internal users.
>
> On 9/21/06, Gerente Técnico ERP <[EMAIL PROTECTED]> wrote:
> > Thank you, help. I do not write English perfectly. Excuse me.
> >
> > I have IPCop 1.4.11, it is an excellent tool, but I need to change to pfSense.
> >
> > I have two sites in two different cities.
> >
> > At city one the LAN network is Windows XP, 2000 Pro, and one IPCop connected to city two by VPN; the LAN at city two is Windows XP and Server 2003.
> >
> > The computers on the LAN at site one connect to the Windows 2003 server on the network at site two via Windows Terminal Services.
> >
> > Reasons why I must change:
> >
> > The computer does not see the network at my site.
> > Terminal Services does not run correctly with remote printers.
> > IPCop does not do dual WAN.
> >
> > I need to install two ADSL connections from different ISPs at the sites, to improve the communication channel and to have greater speed.
> >
> > Please help me with a step-by-step manual for configuring this scenario.
> >
> > José Alirio Yepes Molina.
> > Dist-Plex S.A. C. I.
> > Gerente Técnico ERP
> > Calle 122 # 9 – 35 Piso 5
> > Tel: (571)6122888 ext. 301
> > Fax: (571)6122217
> > [EMAIL PROTECTED]
> > www.moduart.com
> > http://connector.moduart.com
Re: [pfSense Support] 1.0 RC2
On 9/22/06, Volker Kuhlmann <[EMAIL PROTECTED]> wrote:
> > > I didn't yet test, but does the shaper wizard now check the correct interfaces for SQF(?) capability?
> >
> > There was no code change there.
> >
> > SQF?
>
> Yep, spelt "A L T Q" :)
>
> In beta4 I had to comment this out in traffic_shaper_wizard.xml:
>
>     /* Check to see if ALTQ can even be used */
>     /* This check checks the wrong interfaces.
>     if(!is_altq_capable($config['interfaces']['wan']['if']) or
>        !is_altq_capable($config['interfaces']['lan']['if'])) {
>         $message="Either your LAN or WAN interface doesn't support ALTQ. The wizard cannot continue.";
>         header("Location: /wizard.php?xml=traffic_shaper_wizard.xml&stepid=7&message={$message}");
>     }
>     */
>
> A check like this is in the wrong place here - it must be after the interfaces for shaping have been selected. If it is before, one can't select interfaces other than LAN and WAN for shaping - e.g. DMZ.

That check still exists. Please submit a patch. --Bill
Re: [pfSense Support] OpenVPN Clients and FW ACL's
I think you misread. --Bill

On 9/24/06, Rob Terhaar <[EMAIL PROTECTED]> wrote:
> so just to make sure I understand what's going on... there were VPN firewall controls in pfSense for a bit, but now after the 9-21 snapshots this ability is out?
>
> On 9/24/06, Scott Ullrich <[EMAIL PROTECTED]> wrote:
> > Same situation with IPSEC, there is not fine control of traffic yet. We cannot give you everything in one release, what else would we have to look forward to releasing in the future? :)
> >
> > Scott
Re: [pfSense Support] Office hours type setup.
no. The OpenBSD pf list (don't recall if it's on misc@ or the pf list) has some comments on how to implement this. --Bill

On 9/24/06, SDamron <[EMAIL PROTECTED]> wrote:
> Just out of curiosity, would this be the place to start to implement something like this?
>
>     DIOCXCOMMIT struct pfioc_trans *io
>         Atomically switch a vector of inactive rulesets to the active rulesets. This call is implemented as a standard two-phase commit, which will either fail for all rulesets or completely succeed. All tickets need to be valid. This ioctl returns EBUSY if another process is concurrently updating some of the same rulesets.
>
> Thanks.
>
> On 9/24/06, SDamron <[EMAIL PROTECTED]> wrote:
> > That would be nice. I am a user of CheckPoint at work, and the ability to do that type of thing is there. It would be a very nice addition to pfSense.
> >
> > On 9/24/06, Fuchs, Martin <[EMAIL PROTECTED]> wrote:
> > > Not until now...
> > >
> > > Perhaps in a future release...
> > >
> > > -----Original Message-----
> > > From: SDamron [mailto:[EMAIL PROTECTED]]
> > > Sent: Sunday, 24 September 2006 02:22
> > > To: support@pfsense.com
> > > Subject: [pfSense Support] Office hours type setup.
> > >
> > > I would like to do an "Office Hours" type setup on pfSense. Is this type of functionality available? That is to say, I want to be able to limit certain computers' ability to surf based on an 8am to 3pm type of limit.
> > >
> > > Thanks.
> > >
> > > Scott
> > >
> > > --
> > > A morning without coffee is like something without something else.
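An added example, not from the thread or from pfSense, of the kind of approach Bill points at: an office-hours restriction built from what pf and cron already provide, rather than the DIOCXCOMMIT ioctl quoted above. The restriction rules live in a pf anchor; cron loads the anchor when the window opens and flushes it when the window closes, and the main ruleset is never reloaded. Assumed: the anchor name officehours, the rule file path /usr/local/etc/pf.officehours.conf, an `anchor officehours` line in the main ruleset placed before the LAN pass rules (on pfSense 1.0 that means editing the generated rules by hand), and the interface em1 and host addresses used in the checks.

```shell
#!/bin/sh
# Added example (not from the thread or from pfSense): an "office hours"
# restriction built from what pf and cron already provide, rather than
# the DIOCXCOMMIT ioctl quoted above. The restriction rules live in a pf
# anchor; cron loads them when the window opens and flushes them when it
# closes. Assumptions: anchor name "officehours", the rule file path
# below, and an "anchor officehours" line in the main ruleset placed
# before the LAN pass rules (on pfSense 1.0 that means editing the
# generated rules by hand). Interface and host names are parameters.

ANCHOR=officehours
RULES=/usr/local/etc/pf.officehours.conf

# Rule text for the restricted hosts: drop their web traffic at the LAN
# ingress (the interface where pfSense filters) while the anchor is loaded.
officehours_rules() {
    lan_if="$1"; shift
    for h in "$@"; do
        printf 'block in quick on %s inet proto tcp from %s to any port { 80, 443 }\n' "$lan_if" "$h"
    done
}

# HH:MM -> minutes since midnight, for window comparisons.
to_minutes() {
    printf '%s\n' "$1" | awk -F: '{ print $1 * 60 + $2 }'
}

# 0 when NOW (HH:MM) lies inside [START, END).
in_window() {
    now=$(to_minutes "$1"); start=$(to_minutes "$2"); end=$(to_minutes "$3")
    [ "$now" -ge "$start" ] && [ "$now" -lt "$end" ]
}

# Crontab entries that drive the anchor: load at 08:00, flush at 15:00,
# weekdays only. Printed, not installed.
crontab_lines() {
    printf '0 8 * * 1-5 /sbin/pfctl -a %s -f %s\n' "$ANCHOR" "$RULES"
    printf '0 15 * * 1-5 /sbin/pfctl -a %s -F rules\n' "$ANCHOR"
}

# Reconcile the anchor with the clock on demand (e.g. from rc at boot, so
# a reboot at 10:00 does not leave the anchor empty until 08:00 next day).
apply_now() {
    if in_window "$(date +%H:%M)" 08:00 15:00; then
        pfctl -a "$ANCHOR" -f "$RULES"
    else
        pfctl -a "$ANCHOR" -F rules
    fi
}

case "$1" in
    rules)   shift; officehours_rules "$@" ;;
    crontab) crontab_lines ;;
    apply)   apply_now ;;
esac
```

Loading the block rules does not cut connections that are already open: pf keeps evaluating those against existing state, so if the schedule must also end sessions that were started before 08:00, the cron entry that loads the anchor should additionally kill the hosts' states with pfctl -k. The apply_now reconciliation is what keeps a reboot inside the window from silently disabling the restriction until the next cron edge.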
Re: [pfSense Support] file server
On 9/25/06, Marc Boisis-Delavaud <[EMAIL PROTECTED]> wrote:
> Günter Müller wrote:
> > Enable SSH (System->Advanced) on pfSense and you will have scp and sftp access ...
>
> I'm sorry but scp and sftp don't work.

Did you turn it on? --Bill
Re: [pfSense Support] Developer Edition bootstrap error
http://www.freesbie.org/cvs.html might be of help. --Bill

On 9/25/06, Fuchs, Martin <[EMAIL PROTECTED]> wrote:
> After pressing "enter" it shows:
>
>     cvs [login aborted]: connect to cvs.freesbie.org(83.149.156.188):2401 failed: Operation timed out
>
> any idea? Martin
>
> From: Gertjan Kroeb
> Sent: Fri 22.09.2006 08:21
> To: support@pfsense.com
> Subject: Re: [pfSense Support] Developer Edition bootstrap error
>
> > When building, the /home/pfsense/tools/builder_scripts/cvsup_current synchronises the freesbie files first. Call cvsup_current manually to see what happens. Check disk size ... Gertjan
> >
> > ----- Original Message -----
> > From: "Fuchs, Martin" <[EMAIL PROTECTED]>
> > To:
> > Sent: Thursday, September 21, 2006 11:46 PM
> > Subject: [pfSense Support] Developer Edition bootstrap error
> >
> > > Hi all! What can I do if my developer edition tells me that the image cannot be built and it cannot "cd to /home/pfsense/freesbie2"? Thanks in advance... Martin
Re: [pfSense Support] OpenVPN Clients and FW ACL's
On 9/25/06, Rob Terhaar <[EMAIL PROTECTED]> wrote:
> not sure if this is going to be helpful- but after an update to the 9-22 snapshot and a reboot this morning on our pfSense, users were complaining that they were able to do anything on the VPN connection after they were authenticated via OpenVPN. I set up an allow-all rule on the TUN interface, then disabled it, and everything worked fine.

Just a guess...probably related to: http://cvstrac.pfsense.com/chngview?cn=14456 --Bill
Re: [pfSense Support] OpenVPN Clients and FW ACL's
On 9/25/06, Rob Terhaar <[EMAIL PROTECTED]> wrote:
> actually i saw this just after i installed the 9-6 snapshot that included the openvpn/openssl security fix. same symptoms, and same fix. at the time i figured i was just being retarded about something, or that the problem was exacerbated by the fact that my pfsense had been upgraded repeatedly since beta 3. Since then, i've done a fresh install to the 9-4 snapshot, and am now running the 9-22 snapshot. so either i'm retarded- or there's an issue somewhere ;)
>
> On 9/25/06, Bill Marquette <[EMAIL PROTECTED]> wrote:
>> Just a guess...probably related to:
>> http://cvstrac.pfsense.com/chngview?cn=14456
>>
>> --Bill

So, it's working now? What did you do to fix it? FYI, the change I posted was marked Sept 22.

--Bill
Re: [pfSense Support] Kaiomy ethernet board
On 9/25/06, Roberto Greiner <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I'm trying to install pfSense (1.0rc2) on a machine, but one of the boards, despite being identified during installation, does not seem to work. The leds show no signal of traffic, and a ping to the gateway gets no answer, neither from other machines on the same network (it's not a firewall issue, I've checked). All I know about the board is that it's from a brand named 'Kaiomy', and pfSense labeled it as fwe0. Does somebody know if this board can be brought to work?

That's the Firewire network driver. The BUGS section of its man page is kind of interesting.

BUGS
     This driver emulates Ethernet in a very adhoc way and it does not reserve a stream channel using an isochronous manager. Note that this driver uses a protocol which is very different from RFC 2734 (IPv4 over IEEE 1394).

I wouldn't be the least bit surprised if this card doesn't work all that well. BTW, are you sure that the Kaiomy really is the fwe interface? :) Seems like it's probably your firewire card (assuming you have one) not the Kaiomy NIC.

--Bill
Re: [pfSense Support] YAOI (yet another openvpn issue)
On 9/26/06, Jonathan Horne <[EMAIL PROTECTED]> wrote:
>> On 9/26/06, Rob Terhaar <[EMAIL PROTECTED]> wrote:
>>> On 9/26/06, Jonathan Horne <[EMAIL PROTECTED]> wrote:
>>>> i know there has been a million threads about openvpn lately, so its time to throw mine into the mix too.
>>>>
>>>> i have 2 sites, with an ipsec tunnel between them. site 1 is 192.168.125.0/26 and site 2 is 192.168.125.64/26. both sites are just a simple single pfsense box (no carp or redundants or anything fancy. the ipsec vpn works great, and any host at any site can connect to any other host.
>>>>
>>>> site 2 has the openvpn on it, and i can connect in fine with windows xp from the internet. once connected, i can connect to any host at site2 with no problems. my issue, is that i cannot traverse the ipsec vpn to hosts at site1.
>>>>
>>>> anyone have any ideas where i can begin to troubleshoot this issue?
>>>
>>> are you pushing the additional ipsec routes to your openvpn clients via the pfsense custom options field? (see the note in the wiki docs on how to do this)
>>
>> And is the OpenVPN range part of the IPSec tunnel?
>>
>> --Bill
>
> if i understand your question correctly, no sir, my openvpn range is separate. 192.168.125.128/26.
>
> thank you,
> jonathan

Then the IPSec definition doesn't match and the traffic won't be forwarded over the tunnel.

--Bill
Re: [pfSense Support] Correct rules for DMZ? opt1
Does your DMZ interface actually have an address? The destination field is curiously empty in your screenshot.

--Bill

On 9/26/06, Michael Schuh <[EMAIL PROTECTED]> wrote:
> Hi, it's me again. now i have a completely different error, if it is one. i configured the rules for the DMZ interface (opt1) so that the DMZ-Subnet is allowed to access the DMZ-Address on any ports; the result is shown in the attached image. an equivalent config for lan does the right thing (lan_image)...
>
> thanks for your help.
>
> regards
> michael
Re: [pfSense Support] Routing and VPN tunnels
On 9/26/06, Rob Evers <[EMAIL PROTECTED]> wrote:
> Hi All,
>
> I have a problem with routing and IPSEC VPN tunnels, attached is a picture of the setup. There is a firewall cluster in the main office, the firewalls in the branch offices all connect through IPSEC with the main office. So A <-> B is an IPSEC tunnel and A <-> C is an IPSEC tunnel, this all works, I can reach the LAN of the main firewall from the clients and the other way around, so far no surprises. What I want is that clients from the branches can reach each other, so communication between the LAN from B to C. What routing entries should I set up to make this happen? And is this possible at all?

Create more tunnel definitions containing the other office networks or do a full mesh and allow B and C to talk direct.

--Bill
Re: [pfSense Support] YAOI (yet another openvpn issue)
On 9/26/06, Rob Terhaar <[EMAIL PROTECTED]> wrote:
> On 9/26/06, Jonathan Horne <[EMAIL PROTECTED]> wrote:
>> i know there has been a million threads about openvpn lately, so its time to throw mine into the mix too.
>>
>> i have 2 sites, with an ipsec tunnel between them. site 1 is 192.168.125.0/26 and site 2 is 192.168.125.64/26. both sites are just a simple single pfsense box (no carp or redundants or anything fancy. the ipsec vpn works great, and any host at any site can connect to any other host.
>>
>> site 2 has the openvpn on it, and i can connect in fine with windows xp from the internet. once connected, i can connect to any host at site2 with no problems. my issue, is that i cannot traverse the ipsec vpn to hosts at site1.
>>
>> anyone have any ideas where i can begin to troubleshoot this issue?
>
> are you pushing the additional ipsec routes to your openvpn clients via the pfsense custom options field? (see the note in the wiki docs on how to do this)

And is the OpenVPN range part of the IPSec tunnel?

--Bill
Re: [pfSense Support] YAOI (yet another openvpn issue)
On 9/26/06, Jonathan Horne <[EMAIL PROTECTED]> wrote:
>> On 9/26/06, Jonathan Horne <[EMAIL PROTECTED]> wrote:
>>>> On 9/26/06, Rob Terhaar <[EMAIL PROTECTED]> wrote:
>>>>> On 9/26/06, Jonathan Horne <[EMAIL PROTECTED]> wrote:
>>>>>> i know there has been a million threads about openvpn lately, so its time to throw mine into the mix too.
>>>>>>
>>>>>> i have 2 sites, with an ipsec tunnel between them. site 1 is 192.168.125.0/26 and site 2 is 192.168.125.64/26. both sites are just a simple single pfsense box (no carp or redundants or anything fancy. the ipsec vpn works great, and any host at any site can connect to any other host.
>>>>>>
>>>>>> site 2 has the openvpn on it, and i can connect in fine with windows xp from the internet. once connected, i can connect to any host at site2 with no problems. my issue, is that i cannot traverse the ipsec vpn to hosts at site1.
>>>>>>
>>>>>> anyone have any ideas where i can begin to troubleshoot this issue?
>>>>>
>>>>> are you pushing the additional ipsec routes to your openvpn clients via the pfsense custom options field? (see the note in the wiki docs on how to do this)
>>>>
>>>> And is the OpenVPN range part of the IPSec tunnel?
>>>>
>>>> --Bill
>>>
>>> if i understand your question correctly, no sir, my openvpn range is separate. 192.168.125.128/26.
>>>
>>> thank you,
>>> jonathan
>>
>> Then the IPSec definition doesn't match and the traffic won't be forwarded over the tunnel.
>>
>> --Bill
>
> ah, i can see how that would be a problem. where do i need to go in the gui to fix this?

We don't have an obvious way to add another network to a tunnel. However, you can create another tunnel with the same endpoints and the new network in it. It's a little duplication, but it does work.

--Bill
Re: [pfSense Support] YAOI (yet another openvpn issue) [Resolved]
On 9/26/06, Jonathan Horne <[EMAIL PROTECTED]> wrote:
> thank you bill. rather than creating a new vpn tunnel, i just changed the vpn subnet to 192.168.125.112/28 (technically within the 192.168.125.64/26 footprint). this has caused vpn clients to be able to traverse to my 192.168.125.0/26 site1 now. my only inconvenience was that i had to move my site2 dhcp scope a bit, which really isn't a big deal at all.

That would certainly be the other way of doing it :)

--Bill
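The policy-match failure Bill describes (a source outside the tunnel's local network is never forwarded over IPsec) and the two fixes from this thread, a duplicate phase 2 for the VPN range versus renumbering the range into site 2's block, as an added example that is not from the list or from pfSense. The Phase2 class, the site 1 host address and the DHCP pool bounds are constructed assumptions:

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network, summarize_address_range


@dataclass(frozen=True)
class Phase2:
    """One IPsec phase 2 (tunnel) definition: local <-> remote traffic is encrypted."""
    name: str
    local: IPv4Network
    remote: IPv4Network

    def carries(self, src: str, dst: str) -> bool:
        # Policy match requires the source in local AND the destination in remote;
        # anything else is handled by ordinary routing and never enters the SA.
        return ip_address(src) in self.local and ip_address(dst) in self.remote


def matching_tunnel(tunnels, src, dst):
    """First tunnel that carries src -> dst, or None."""
    return next((t for t in tunnels if t.carries(src, dst)), None)


# Networks from the thread. Site 2 hosts the OpenVPN server and the tunnel to site 1.
SITE1 = ip_network("192.168.125.0/26")
SITE2 = ip_network("192.168.125.64/26")
OVPN_SEPARATE = ip_network("192.168.125.128/26")   # outside the tunnel definition
OVPN_INSIDE = ip_network("192.168.125.112/28")     # renumbered into site 2's block
SITE2_TUNNELS = [Phase2("site2-site1", SITE2, SITE1)]


def client_reaches_site1(tunnels, client_ip, site1_host="192.168.125.10"):
    """site1_host is a constructed sample address inside 192.168.125.0/26."""
    return matching_tunnel(tunnels, client_ip, site1_host) is not None


def add_tunnel_for(tunnels, new_local):
    """Option 1: a second phase 2 with the same endpoints and the VPN range as local."""
    return tunnels + [Phase2("ovpn-site1", new_local, SITE1)]


def fits_existing_tunnel(client_range, tunnel):
    """Option 2: the VPN range is a sub-block of a network already in the tunnel."""
    return client_range.subnet_of(tunnel.local)


def dhcp_pool_conflicts(pool_start, pool_end, client_range):
    """Caveat for option 2: the carved-out block must be excluded from the DHCP pool."""
    pool = summarize_address_range(ip_address(pool_start), ip_address(pool_end))
    return any(net.overlaps(client_range) for net in pool)
```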
Re: [pfSense Support] Re: Solved :howt to remove access Controls from squid?
What does that have to do with the topic of this thread?

--Bill

On 9/27/06, Augusto Jobim Badaraco <[EMAIL PROTECTED]> wrote:
> Hi ...
>
> How can i use the spamassassin solution of Pfsense with my actual Postfix Server?
>
> Thanks
Re: [pfSense Support] Alert! Virus spreading through pfSense-support list
Maybe gmail is the virus ;-P

--Bill

On 9/26/06, Scott Ullrich <[EMAIL PROTECTED]> wrote:
> On 9/26/06, SDamron <[EMAIL PROTECTED]> wrote:
>> I really don't care...I do not use that OS that they are written for...and I use GMail :o)
>
> Ditto here on gmail. Not only that I deinstalled that VML exploit weeks ago and scanned my computers and no viruses exist. I would say your ISP's virus checker is acting up?
>
> Scott
Re: [pfSense Support] User management
On 9/27/06, Roberto Greiner <[EMAIL PROTECTED]> wrote:
> There is a feature in monowall that I can't seem to locate in pfSense, which is 'User Management'. Is it not available? (I'm using 1.0rc2).

That didn't appear in m0n0 until after we'd branched for 1.0.

--Bill
Re: [pfSense Support] pf optimisation
Yep. The good news is that we already bind rules to interfaces so skip steps should work pretty darn good :) We may consider doing the -oo optimization when FreeBSD imports a newer version of PF.

--Bill

On 9/27/06, Peter Curran <[EMAIL PROTECTED]> wrote:
> Guys
>
> Interesting article (1st of 3) by Daniel Hartmeier (developer of pf) on undeadly today. see
> http://www.undeadly.org/cgi?action=article&sid=20060927091645&mode=flat
>
> Not suggesting there is a problem with pfsense, but it makes an interesting read and may offer some potential things to think about in future work on pfsense.
>
> Cheers
> Peter
Re: [pfSense Support] pfsense on a PowerEdge 850?
On 9/27/06, Oscar Rylin <[EMAIL PROTECTED]> wrote:
> We've got it running on a 1850 at the office (gigabit pipe; we've been able to push about 600Mbps, but that's probably because we can't find anything better to push against! ;-) )

What type of CPU load while hitting 600Mbit? Using the builtin broadcom cards, or something else? Also, what version of pfSense (I assume pfSense ;-P)? Have you done any iperf style testing to see how hard you can drive the box?

Thanks

--Bill
Re: [pfSense Support] IPSEC Client Gateway Support
On 9/28/06, Matthew Grooms <[EMAIL PROTECTED]> wrote:
> All,
>
> I had recently been contacted by a user that was attempting to use my free 2K/XP IPSEC client with pfsense. The racoon key daemon was tripping up over a modecfg exchange that wasn't supported by the version of ipsec-tools installed. My reference gateway platform is FreeBSD so I think he assumed that most options supported by ipsec-tools and FreeBSD would be available in pfsense. I wasn't sure, so I thought I would post a question to the list.

I think we pretty much support everything that FreeBSD 6.1 supports. It'd be interesting to know what mode(s) were being requested that we don't allow though.

> What IPSEC features does pfsense support via its web config interface and are there plans to support the more advanced IPSEC client access feature of racoon? The ipsec-tools project is about to branch for a 0.7 release which contains a lot of new stuff. Mostly, the changes are related to dynamic client configuration and enhanced user authentication support. There is also an updated NAT Traversal patch available for FreeBSD that works with FAST_IPSEC as well as the KAME IPSEC stack.

Yep, Scott has been somewhat involved in recent threads regarding NAT-T. We don't currently support it and it's yet to be determined if that patch will make it into our 1.0 release as we had some reports of IPSEC issues after applying the patch (which may or may not have been related to the patch unfortunately).

--Bill