Re: [pfSense Support] RE: Load Balancer Using TCP
On Thu, Apr 2, 2009 at 12:22 AM, Nathan Eisenberg nat...@atlasnetworks.us wrote:
> Here's what ends up in slbd.conf when I save my config:
>
> servicename:\
>         :poolname=poolname:\
>         :vip=x.x.x.x:\
>         :vip-port=80:\
>         :sitedown=x.x.x.x:\
>         :sitedown-port=80:\
>         :method=round-robin:\
>         :services=2:\
>         :service-port=80:\
>         :0=192.168.20.61:\
>         :1=192.168.20.62:\
>         :tcppoll:send=:expect=:
>
> Why is it using TCPPoll if I have it set to use ICMP in the gui?

That was a bug, and strangely you're the first to notice. I've always used TCP for server load balancing configurations and suspect everyone else must as well (well, they are whether or not they realize it).

I just committed a fix, it'll be in 1.2.3 snapshots built at least 2 hours from now or you can manually apply this diff.
https://rcs.pfsense.org/projects/pfsense/repos/mainline/commits/d38805bc18a69dda3b33ca3a193420ff656d33dd

There is another issue where TCP is always selected when you edit an existing pool, haven't fixed that yet but will.

To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com
Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] RE: Load Balancer Using TCP
On Sat, Apr 4, 2009 at 9:06 PM, Chris Buechler c...@pfsense.org wrote:
> There is another issue where TCP is always selected when you edit an existing pool, haven't fixed that yet but will.

Just fixed, diff here.
https://rcs.pfsense.org/projects/pfsense/repos/mainline/commits/fe4df9b7b635cea04eb409a328f0a44c43768b0a
Re: [pfSense Support] MultiWan , not quite sure whats wrong
On Tue, Apr 7, 2009 at 8:34 AM, Chris Flugstad ch...@cascadelink.com wrote:
> So I have 2 WANs
> 100.100.100.4 DSL
> 216.127.123.4 Wireless back to Colo
>
> When the Wireless backhaul is disconnected or down, anything else on its subnet is not accessible over the other WAN. It's as if it only thinks it can access it through that WAN and not through the other. Maybe this isn't the case. I noticed this when I was using the wireless for something else and our phones went down. Service is provided to them on the same subnet as the backhaul, and although they CAN get to their server via the DSL, they weren't for some reason. Even after adding a firewall rule to send ANY packet on IP of phone to GW DSL line, it still wouldn't. Creepy? I'll play more with it tomorrow.
>
> Not a problem, as I can just plug back in the wireless, but just a thought as to why this was happening, and to avoid it in the situation the wireless goes down, God forbid.

Probably one of two things:
1) Existing state out the wireless that doesn't get closed when it fails and no new connection is attempted.
2) Traffic proxied through something on the firewall (ex: siproxd), which will always obey the system routing table.
Re: [pfSense Support] Possible Outbound NAT Bug in 1.2.3 Snapshot?
On Wed, Apr 8, 2009 at 11:12 PM, Dimitri Rodis dimit...@integritasystems.com wrote:
> Currently running: 1.2.3-RC1 built on Wed Apr 1 16:59:10 EDT 2009
>
> In addition to a fiber connection at this particular location, there is also a second connection brought in via a cable modem. The fiber connection is intended to serve the incoming connections to web servers, mail servers, etc. The second cablemodem connection is intended for web browsing and other misc traffic, as to not bog down the fiber so much.
>
> So, I added an outbound NAT so that traffic originating from the LAN side destined to port 80 would use the interface address of the cable connection. Initially, this did not work as expected-- until I rebooted pfSense. Web traffic did pass, but it was not NATTing to the correct address--I verified by browsing to http://www.whatismyip.com, and until I rebooted pfSense, it did not report the correct address. So, I tried it again with port 443 (whatismyip supports SSL :). Sure enough, it reported the old IP address until I rebooted pfSense again.
>
> I don't remember having this problem before--why would I need to reboot for this to take effect? And yes, I did completely close the browser so that an existing state wouldn't be reused. Bug?

Unlikely, Outbound NAT hasn't changed in a long time. Any packages installed?
Re: [pfSense Support] CARP Bug in 1.2.3
On Thu, Apr 9, 2009 at 7:00 PM, Dimitri Rodis dimit...@integritasystems.com wrote:
> Good deal. I'll go to a later snapshot then. Are upgrades between snapshots on embedded working at the moment, or should I just reflash?

Yeah you got hit with the xmlparse.inc issue that was in snapshots for a couple days. I know CARP is fine in 1.2.3 outside of those couple days, I've setup 3 CARP pairs on 1.2.3 in the past 2 weeks.

Reflash, and either redo your config from scratch or manually remove anything that's out of whack.
Re: [pfSense Support] upgrading a certain snapshot
On Fri, Apr 10, 2009 at 2:47 PM, Atkins, Dwane P atki...@uthscsa.edu wrote:
> We are trying to do a test upgrade using the snapshot, pfSense-1.2.3-20090407-1035.img.gz. It took over 1 hour and 10 minutes and the upgrade still had not completed. The current version of the device is 1.2-RELEASE built on Thu Apr 10 21:08:03 EDT 2008.

You need to use the full update file. You can go straight from 1.2 to 1.2.3.
Re: [pfSense Support] feature request: VPNC
On Sat, Apr 11, 2009 at 6:53 AM, Mikel Jimenez Fernandez mi...@irontec.com wrote:
> Hello
>
> I found that is a port for freebsd of vpnc cisco client.
> http://www.freebsdsoftware.org/security/vpnc.html
> http://www.unix-ag.uni-kl.de/~massar/vpnc/
>
> This is useful when you want to connect your firewall in client mode.
>
> I install vpnc in pfsense 1.2.2 with pkg_add -r vpnc. I don't test it but I think that it works OK.

Last I looked at it (though it's been years) it didn't work at all unless you used a kernel with no in-kernel IPsec, meaning the only way it would work is to break all other IPsec capabilities of the system.
Re: [pfSense Support] First Embedded System
On Sun, Apr 12, 2009 at 4:12 PM, Rainer Duffner rai...@ultra-secure.de wrote:
> That's a bit of a problem. I always re-flash to update.

That won't be necessary for much longer. The next generation of embedded (based on nanobsd) will be available in 1.2.x and 2.0 releases sometime in the next couple months. Primarily for two reasons - fixing upgrades for good, and cross-architecture compatibility. Details to come.

> But most security-vulnerabilities in FreeBSD don't concern parts that are in pfSense. E.g. all the local exploits don't really apply.

Yeah there haven't been any FreeBSD issues in the history of this project that necessitated a security update release.
Re: [pfSense Support] Re: Can't get more than 15kpps.
On Mon, Apr 13, 2009 at 6:13 AM, Lenny five2one.le...@gmail.com wrote:
> Hi guys, first of all, thanks for all the support!
> Anyway, unfortunately, after all the hell I've been through with this, our CEO is not interested in buying a new server:(

heh.. How about sorry, but there is no other option? Maybe quote some big commercial firewalls adequately sized to handle that traffic. They'll come in at 10* or more the cost of a new server box and see if that changes his tune.

> But let's put all the smart decisions aside as I have to figure out what can I replace it with. The first thing I thought about was m0n0wall, as I want to stay as close to pfSense and FreeBSD as possible. So the question is: will the x335 server with 2x3.06GHZ Xeons be enough for my traffic? To remind you, I have to handle around 150kpps, which is about 300Mb. From my first look at this distro I saw that it doesn't have SMP, shell access and it defaults to 3 states, which is impossible to change unless you rebuild the whole thing from scratch.

Yeah that's going to be the primary issue there.

> I was looking at 1.25, because as I understand it's built on FreeBSD 4, which should be faster.

And even if you went as far as recompiling the kernel and making a custom image, I suspect you're not going to get that kind of traffic through it still. On the high end hardware, the newer FreeBSD versions are as fast or possibly faster in some scenarios. On low end, single proc hardware, 4.x is considerably faster.

> If I stand no chance with dealing with such traffic via m0n0wall, is there anything you could advise that would actually run on this old machine?

It's more of a hardware limit than a software limit. If you disable the packet filter I'm sure you can push your traffic load through the hardware you have. Probably defeats the purpose though.

Been a couple years since I've tested, but last I ran any tests, there was minimal difference between FreeBSD 7.x and Linux 2.6.x. OpenBSD is considerably slower than FreeBSD.

Bottom line - it's highly unlikely you're going to push the kind of load you need through that box no matter what you're running on it. PCI-e or 10 Gb NICs would perform better, but in the former case I'm pretty sure your server doesn't have PCI-e slots, and in the latter, it would be cheaper to buy a new server than 10 Gb NICs.
Re: [pfSense Support] Dell PRO/1000VT Quad port NIC
On Mon, Apr 13, 2009 at 11:35 AM, Mikel Jimenez Fernandez mi...@irontec.com wrote:
> Hello Tim
>
> I have not good experiences good igb driver... My experience was with http://www.intel.com/Products/Server/Adapters/Gb-ET-Dual-Port/Gb-ET-Dual-Port-overview.htm that uses 82576.
>
> IMHO better choose one that is supported by FreeBSD 7.0 and uses em driver

I don't have any of the cards myself, but the igb cards should perform considerably better than em cards. Whether the driver is unstable in combination with one specific piece of hardware (most likely), or one particular NIC, or unstable in general I don't know.
Re: [pfSense Support] upgrading a certain snapshot
On Mon, Apr 13, 2009 at 12:16 PM, Atkins, Dwane P atki...@uthscsa.edu wrote:
> I am guessing I can do this with a firmware upgrade? I am not going on about 10 minutes. Can someone please give me an idea of how long this upgrade should take?

Depends on the specifics of your hardware, shouldn't take more than 10-20 minutes at most on a hard drive install.

> I am using the following to upgrade per our latest conversation. pfSense-Full-Update-1.2.3-20090407-1323.tgz. If I click on anything, I get a display of a hard drive stating that an upgrade is in progress and the system will reboot once completed.

That's the correct file. Try the console upgrade via SSH, pasting in the snapshot URL.
Re: [pfSense Support] RE: [SPAM] Re: [pfSense Support] website browsing
On Mon, Apr 13, 2009 at 1:28 PM, Gary Buckmaster g...@centipedenetworks.com wrote:
> This is not the way to do this as the configuration will not survive reboots. You can set the MTU on the interface configuration page for your WAN interface in the webGUI. I would encourage you to check that out.

In addition, it won't affect traffic through the firewall if you set it via ifconfig. Setting it on the WAN page as Gary instructed will enable MSS clamping for traffic through the firewall.
Re: [pfSense Support] RE: [SPAM] [pfSense Support] RE: [SPAM] RE: [pfSense Support] RE: [SPAM] RE: [pfSense Support] RE: [SPAM] Re: [pfSense Support] RE: [SPAM] Re: [pfSense Support] website browsin
On Thu, Apr 16, 2009 at 7:50 AM, Juan Rivera jriv...@americancableco.com wrote:
> hey this is getting worse we can't even get to the home page now we have to hit refresh over and over so we can get to the home page its running really slow I think just like dial up lol well I don't know what else to do I called our provider and they said everything seems to be good I connected a lap straight on the router and it loaded in 17 milliseconds any setting on the fire wall could be wrong or you think the computer where pfSense is installed it's not good enough the specs are 700 mhz 512 of ram and 100 mb/s nick cards let me know what you guys think

That's adequate unless you have a 50+ Mb Internet connection. (depends on the NICs, with good NICs you can push 100 Mb wire speed through a box of that spec).

Your state table exhausted? With that much RAM you can easily bump it to 10 (under System -> Advanced)
Re: [pfSense Support] Reboot on virtual IP
On Fri, Apr 17, 2009 at 12:42 AM, Tim Dressel tjdres...@gmail.com wrote:
> Hi folks,
>
> We've been playing around at work with binding multiple IP's to the WAN interface so that we can port forward the same ports from different IP's to different services on the LAN side.
>
> Has anyone ever seen when you add a second virtual IP, and then create the NAT on the second (also creating the rule at the same time) for PFSense to hard crash and reboot?

Using CARP VIPs? CARP can be finicky, if you don't do things exactly a certain way, it'll panic. The system should prevent all of those things though, most were fixed in 1.2 RCs and earlier, though if you're using VLANs there's another fix in 1.2.1 for some scenarios. Should be impossible to panic with CARP on the latest version if you're doing everything through the GUI.
Re: [pfSense Support] Firewall rules keep failing
On Fri, Apr 17, 2009 at 4:15 AM, Graeme Evans graeme.ev...@kcssolutions.co.uk wrote:
> Situation: I have a simple PFSense setup with a single PFsense 1.2.2 computer, 1 WAN interface, and 2 Local interfaces - one named LAN (10.0.0.0/24), and the other is Workshop (10.0.1.0/24). We have all sorts of computers including infected PC's connected to our Workshop interface so there are firewall rules setup only to allow internet access from both Local interfaces and on the workshop interface some simple rules allowing things like FTP access to our fileserver on the LAN interface. We want no other access between subnets. We also have squid installed in transparent mode listening on the Workshop interface only, lightsquid,

If you uninstall squid does it change? If traffic isn't getting logged and you have logging on all your firewall rules, squid has to be picking it up. There are a number of potential consequences of the squid packages, this may be one.
Re: [pfSense Support] Firewall rules keep failing
On Fri, Apr 17, 2009 at 4:15 AM, Graeme Evans graeme.ev...@kcssolutions.co.uk wrote:
> PS: anyone know why the registration system on the pfsense forum won't send activation emails - so I can't register?

Oh, and I looked for your email address on the forum and it isn't there. If you let me know offlist what you registered under I can manually activate you.

Between the mailing lists and forum email, our mail server sends out a ton of mail, we tend to get wrongly blocked as spammers quite a bit. Unfortunately backscatter is an issue, with people trying to spam the mailing list from spoofed addresses which then get the you are not subscribed and cannot post bounce back, which I'm sure contributes to the occasional blocking. There isn't a good alternative.
Re: [pfSense Support] Reboot on virtual IP
On Sat, Apr 18, 2009 at 1:07 PM, Tim Dressel tjdres...@gmail.com wrote:
> I had zero luck with this in the last few days. Here are some more details:
>
> Internet -- PFSense -- procurve managed switch
>
> I have tried three different computers, an old P3 based IBM desktop with 512MB on a flash disk and a hard disk, a newer P4 2.8 IBM thinkstation with 1gb ram and a hard disk, and an older IBM @server dual P3 1.13 with 2gb ram and 6 disks in a raid 5 array. I have tried Intel Pro 100's, and Intel Pro 1000 (fx and em), and 3COM 3c905b's.
>
> After I wiped and reloaded, at least I didn't get the reboot anymore, but on all the pieces of hardware with no difference in nic's, I can add the Virtual IP's, create the NAT and the rules, but the only port forwards that work are on the main WAN IP. I've tried rebooting firewall, rebooting devices that are being pointed to on the LAN side, but no joy.
>
> I ended up giving up last night and put up a linux firewall, did the exact same thing using the same hardware, and it just worked. I've got 1 IP on the outside, and two virtuals, port forwards all over the place, and its happy.
>
> I would prefer to use PFsense because I am convinced its a better firewall than just about anything out there, but I can't seem to get around this issue. Its easily repeatable, so if someone wants to help me I can do any sort of troubleshooting you suggest.

tcpdump on WAN to see what's really happening. My first guess is an upstream ARP cache causing difficulties. Reboot any upstream modems/routers/etc. that you can get your hands on. If you're using proxy ARP VIPs, try CARP instead.
Re: [pfSense Support] Attention Firebox X Series Users - Testing Needed
On Sat, Apr 18, 2009 at 2:17 PM, Dimitri Rodis dimit...@integritasystems.com wrote:
> Attention Firebox X500/700/1000 Users using pfSense:

Glad to hear that looks like it fixes it. There's at least one thread on the forum reporting this issue as well, might want to post to those threads too to give those folks a heads up.

> Watchdog timeouts getting' you down? Thinkin' about throwin' that old Firebox in to the fireplace? Don't do that just yet! :)
>
> Thanks to the pfSense devs, along with Pyun YongHyeon, the maintainer for the FreeBSD Realtek network driver, it appears that we may have solved the issue with the watchdog timeouts on the Realtek 8139C+ chips that are used in these units.
>
> For the past couple of days, I have worked with Pyun, and yesterday Pyun sent me a patch, and that patch was committed to the 1.2.3 snapshot builds, as well as to the 2.0 alpha snapshot builds by the pfSense devs, and is part of any snapshot build as of yesterday (4/17) at 2pm Eastern time, or later. Snapshot builds can be downloaded from http://snapshots.pfsense.org/FreeBSD7/RELENG_1_2/ or http://snapshots.pfsense.org/FreeBSD7/HEAD/
>
> I have been testing a build with this patch since yesterday, and have yet to see a single watchdog timeout on my interfaces-and no modifications to loader.conf have been made. This is a default install-no special options have been set anywhere.
>
> If at all possible, please try to install a recent snapshot build on your firebox units (those of you that have them) and test this patch. If you do still receive watchdog timeouts, please let me know either on this list, or off-list. Either way, please try to detail what you were doing when the watchdog timeout occurred so that we can try to reproduce it, and Pyun can fix it.
>
> Thanks to all that have helped, and thanks to those that are willing to test!
>
> Dimitri Rodis
> Integrita Systems LLC
> http://www.integritasystems.com
Re: [pfSense Support] Reboot on virtual IP
On Sat, Apr 18, 2009 at 2:33 PM, Tim Dressel tjdres...@gmail.com wrote:
> There is definitely an upstream router, and I have physical access to it but not console. I can power it off and on again, but it tends to make the service provider unhappy. I do have a good working relationship with the service provider though. Is there something I can ask him to change on the router (it's a brand new cisco) so that I sound intelligent when I speak to him?

Run clear arp

> Can I use the fact that my linux firewall works properly to defend PFsense by pointing the finger at a config issue on that upstream router?

It's not config, it's ARP cache. When you swap it out, you have to wait 4 hours on a Cisco, clear ARP, or reboot the router.
Re: [pfSense Support] Can captive portal authenticate based on windows login
On Tue, Apr 21, 2009 at 1:27 PM, Ryan L. Rodrigue radiote...@aaremail.com wrote:
> First. Thanks for making the best router software in the world.
>
> Second. I've searched, but I can't quite figure it out. I would like to use captive portal. What I want is to have certain users based on windows username and passwords automatically authenticate without seeing the captive portal screen. If the user is unknown, then have them redirected to supply alternate credentials. I was hoping maybe I could do this with a radius server. Any help or suggestions are greatly appreciated. I hope I am clean in what I am asking for. I am not very familiar with radius and captive portal. Thank you.

Without seeing the CP screen, automatically logging them in with Windows credentials, no. You can authenticate them on the CP screen with RADIUS using their Windows credentials to IAS on a Windows Server DC (if you're using AD).
Re: [pfSense Support] Can captive portal authenticate based on windows login
On Tue, Apr 21, 2009 at 3:46 PM, Dimitri Rodis dimit...@integritasystems.com wrote:
> Microsoft Internet Security and Acceleration Server (ISA Server), and you need to have AD. I've used it, but only in this particular case. I do not know of anything in the open source world that works reliably specifically the way you want it to. (That is not to say that nothing exists, I just may not know about it). With respect to ISA, there is a client installation (aka Firewall Client) that is required to make the authentication transparent--without it, it would work just like pfSense would-- with RADIUS against AD, and the user would have to enter credentials manually.

Not exactly, so long as you're using IE it'll pass through credentials automatically. The firewall client is so you don't have to configure all your applications to use a proxy, it automatically picks up any traffic not destined to your internal networks (as defined in ISA) and pushes it through the proxy. Works well in the environments I use it.

ISA is a good proxy. I personally don't like it as a perimeter firewall, and it can be buggy (2006 is much better than 2004 and 2000, though still quirky at times), but its proxy functionality in a Windows environment is great. The reverse proxy is also nice if you use OWA and/or OMA with Exchange.
[pfSense Support] 1.2.3-RC1 released!
Info here: http://blog.pfsense.org/?p=428
Re: [pfSense Support] bridging 2 networks with pfsense+openvpn
You don't *have* to have two subnets, you can bridge OpenVPN, but it's a bit convoluted, not documented well (yet), and generally I don't recommend it. You rarely want broadcast traffic traversing a VPN.

On Wed, Apr 22, 2009 at 6:22 PM, Brian Josefsen josef...@sjovedyr.dk wrote:
> Hi
>
> I have 2 pfsense boxes, one embedded on each side of the atlantic ocean. They connect fine, but i can't contact any of the other side, both side have the pfsense as a primary gw.
>
> network 192.168.1.0/24
> Box local is 192.168.1.241
> Box remote is 192.168.1.242
>
> I can only reach the other box with a ssh login to one of the boxes and use ssh to the other box's ipaddress on the tun adapter.
>
> Do I need fw rules, or am I missing some commands?
>
> --
> Med venlig hilsen / Best regards
> Brian Josefsen
Re: [pfSense Support] Attention Firebox X Series Users - Testing Needed
On Fri, Apr 24, 2009 at 10:32 AM, Andrew Cotter andrew.cot...@somersetcapital.com wrote:
> Is there an update path from 1.2.2 to 1.2.3-RC1 embedded?

Not a guaranteed reliable one. You can grab an embedded update file off the snapshot server but it may blow up. That'll be resolved with the new embedded that's on the way, including a 1.2.x release, though post-1.2.3.
Re: [pfSense Support] PPTP Hangs at Verifying Username and Password
On Fri, May 1, 2009 at 5:16 PM, Marty Nelson mnel...@transdyn.com wrote:
> I'm sitting behind another pfSense box version 1.2.2

If you have the PPTP server enabled, you need to either:
1) disable it
2) http://doc.pfsense.org/index.php/Connect_to_a_remote_PPTP_server_when_you_have_the_pfSense_PPTP_server_enabled
Re: [pfSense Support] draft 802.11n and pfsense
On Tue, May 5, 2009 at 2:22 PM, Markus Golser elmar...@googlemail.com wrote:
> Hi
>
> I'm wondering if there is a draft 802.11n mini pciE card that works nice on pfsense 1.2.2

http://doc.pfsense.org/index.php/Is_802.11n_wireless_supported
Re: [pfSense Support] gre tunnel support
On Thu, May 7, 2009 at 5:21 AM, Mikel Jimenez mi...@irontec.com wrote:
> Hi
>
> Is possible to make a GRE tunnel between two pfSenses without using IPsec?

Not with nor without, until 2.0.
Re: [pfSense Support] network interface mismatch
On Mon, May 11, 2009 at 10:19 AM, Pete Boyd petes-li...@thegoldenear.org wrote:
> Is there anything that can be done instead of replacing one of the 3Com cards?

Sounds like a driver issue of some sort, trying 1.2.3 which has a newer FreeBSD base may make it work.
Re: [pfSense Support] Problem with pftpx - device busy
On Tue, Apr 21, 2009 at 7:43 AM, Peter Allgeyer allge...@web.de wrote:
> Hi,
>
> I just encountered a problem with pftpx. We have a FTP-Server in the DMZ-Zone. Entering ftp://ftp.server.ip from inside in the browser (for example, command line ftp is the same) shows no listing. Reloading the website several times and when suddenly the listing appears. Testing the same from outside works just fine.
>
> I've found the following lines in /var/log/system.log (there are many of them):
>
> Apr 21 13:34:36 pf01 pftpx[5446]: #23 pf operation failed: Device busy
> Apr 21 13:34:36 pf01 pftpx[5446]: #23 pf operation failed: Device busy
>
> And sometimes even:
>
> Apr 21 13:41:51 pf01 ftpsesame[4680]: #60 filter_allow failed: Device busy
> Apr 21 13:41:51 pf01 ftpsesame[4680]: #60 filter_allow failed: Device busy
> Apr 21 13:41:51 pf01 ftpsesame[4680]: #60 filter_allow failed: Device busy
> Apr 21 13:41:51 pf01 ftpsesame[4680]: #60 filter_allow failed: Device busy
>
> Manually stopping/starting of pftpx doesn't help.

One of our developers is seeing this too now, though I haven't and this list post is the only Google hit on that error message (don't you hate seeing that...). Not sure of the issue yet, we're looking at it.
Re: [pfSense Support] RE: T1 Saturating - Windows update kills the connection... ??
On Wed, May 13, 2009 at 2:47 AM, Chuck Mariotti cmario...@xunity.com wrote:
> To clarify further... In this situation, we are downgrading to a T1 (1.5Mbit/1.5Mbit) connection from a new service provider. The current connection is 3Mbit/3Mbit, works, but is insanely expensive (way more than twice the price). Locked into a service agreement. Switching will basically save enough money to not have to lay a person off... So it's pretty important that this works acceptably.
>
> During this new firewall installation, someone decided to run Windows Updates on four computers. Previously, this would not have choked the network, but with the new firewall (and new T1), it is choking it. Choking it dead. The four machines appear to contend for connectivity but after a few minutes, a couple of them just stall, one slows way down to a crawl and another still keeps going (slower). Trying to browse the web on another computer is pretty much impossible. It's all bogged down.
>
> I have removed the dual WAN situation from the puzzle. Restored Factory Defaults and set up pfSense with a single IP and default rules. It is still doing this.
>
> Unfortunately, I'm really not sure if this saturation is exactly what I should be expecting... I've never really had this slow a network nor have I had the need to bog it down, so I've never run into this. Unfortunately, this isn't acceptable so I need to find a solution. I would have thought that pfSense would be able to evenly distribute the requests and dataflow.
>
> I did replace the pfSense box with a cheapo DD-wrt router, just to see if the same results happen. And they did... 1.5Mbit cap maxed out... crawling updates, unable to browse the web.

Slowing down considerably when under full load is normal, slowing to the point that sites don't load anymore when you're just running a few Windows updates is definitely not. Sounds like there's something wrong with the T1, or the CPE it's plugged into, whatever has your CSU/DSU.
Re: [pfSense Support] bsnmpd eating cpu
On Fri, May 15, 2009 at 9:53 AM, Jure Pečar pega...@nerv.eu.org wrote: On Mon, 9 Feb 2009 13:41:30 +0100 Jure Pečar pega...@nerv.eu.org wrote: On Mon, 9 Feb 2009 10:37:27 +0100 Jure Pečar pega...@nerv.eu.org wrote: Hello, On 1.2-release running on two machines in carp failover mode, we notice bsnmpd eating all available cpu all the time. I found out that if I disable MibII snmp module, bsnmpd stops consuming CPU resources. Does this give any ideas? Interesting, no reply to this. Let me ask differently: does any of you who use snmp to get info from pfsense notice increase in cpu usage when bsnmpd is started? Never seen anything like that. Sounds like some sort of bsnmpd or FreeBSD problem. If you find a solution, let us know.
Re: [pfSense Support] pfSense 1.2-Release - 1.2.3-RC1 upgrade, FTP problem
On Mon, May 18, 2009 at 6:01 AM, Android Andrew[:] andr...@oberon.pfi.lt wrote: Sorry for previous letter with bad subject.. Hello all! We have faced the following problem: after the upgrade of pfSense from 1.2-Release to 1.2.3-RC1, the access from the internal LAN1 network to FTP-server, located in DMZ, ceased functioning (in both modes: active/passive) (via the LAN2 network). The scheme of access: LAN1 -- Router (pfSense-box) --LAN2 -- NAT (black-box) -- FTP-server. We are allowed to authorise on ftp-server, but fail to get the directory listing. Turning on/off of the FTP-helper does not solve the problem. After downgrade to 1.2-Release, the access to the same FTP functions successfully. What is the difference between the pfSense releases (1.2-Release vs. 1.2.3-RC1) when working with FTP? There aren't any that I'm aware of. Can you send me a backup of your configuration offlist?
Re: [pfSense Support] Pfsense + Postfix (Relay)
On Tue, May 19, 2009 at 10:56 AM, Jean Carlos Coelho jean.lis...@gmail.com wrote: Hi all.. a question.. It is possible to install postfix in pfsense 1.2.2 only for mail relay ? Not easily, I've tried before, there are a ton of libraries and other misc. things not included in pfSense that it wants. It was way more trouble than it was worth. I posted here asking about a light weight daemon, other than a full blown MTA, to use as a simple relay and no one knew of anything. OpenSMTPD may be a solution for this in the future.
Re: [pfSense Support] Pfsense + Postfix (Relay)
On Wed, May 20, 2009 at 5:02 AM, Paul Mansfield it-admin-pfse...@taptu.com wrote: has anyone considered a transparent redirection of SMTP to a specific SMTP relay, so that (e.g.) captive portal clients on wifi hotspot can't send email without some level of control. You can do that now with a port forward on any address on LAN for TCP 25.
Re: [pfSense Support] wrong boot device after generic install
On Wed, May 20, 2009 at 8:54 PM, David Burgess apt@gmail.com wrote: Hi all, I'm new to pfsense and a real novice with FreeBSD, so go easy on me ;) I used the live CD of pfsense 1.2.3-RC1 to install to a hard drive for use in a soekris net5501. When I boot while attached to the serial console it appears that it can't find the root filesystem, and I'm left with something like this (reconstructed from dmesg): Trying to mount root from ufs:/dev/ad10s1a Trying to mount root from ufs:/dev/ad10s1a Manual root filesystem specification: fstype:device Mount device using filesystem fstype eg. ufs:da0s1a ? List valid disk boot devices empty line Abort manual input mountroot ufs:ad1s1a Trying to mount root from ufs:ad1s1a So after entering the correct device it continues to boot properly. I guess the device has changed names between install in one machine and boot in another. After some searching I see that the time to edit /etc/fstab would have been during the install, but that's water under the bridge. I tried editing /etc/fstab at the console with vi but it's telling me it's a read-only file. I don't want to mess things up too badly, so I'm wondering where to go from here. Is there a quick fix for this or am I better off reinstalling and making the change from the installer? Just edit it with vi and exit with :x! to override the ro.
Re: [pfSense Support] Which pfSense version should I install?
On Wed, May 20, 2009 at 9:45 PM, Jonathan Wanak jlwa...@yahoo.com wrote: Hi everyone, I'm about to update a remote pfSense installation I last worked on back in version 1.0.2. I'm using a PII desktop with 128MB RAM and 3 NICs. The box runs 2 LANs (public and private), utilizes Captive Portal, connects to the Internet through HughesNet satellite, and uses VPN to provide private network access to certain machines on the public side. My question is: Assuming it will be a year before I can update this installation again, which is the best version to install, version 1.2.2 or 1.2.3 RC1? Should I upgrade or perform a fresh install? Upgrade is fine. For what you're doing, version shouldn't really matter, either/or is fine.
Re: [pfSense Support] openssh flaw
On Thu, May 21, 2009 at 3:37 PM, David Burgess apt@gmail.com wrote: http://linux.slashdot.org/article.pl?sid=09/05/21/1824220from=rss What versions run in pfsense? Is this something we should be concerned about? This is 6+ month old news, and it's lame, not sure why it's getting so much attention. It's basically impossible to exploit in the real world, aside from scenarios where you have an automatic reconnect on a scripted session, or something of that nature, that will reconnect a few hundred thousand times. It'll take 11,000+ connection killing attempts to get 14 bits, and requires MITM which further greatly reduces the possibility of exploit. info here: http://www.openssh.com/txt/cbc.adv FreeBSD may put out a security advisory, though I suspect if it hasn't been done yet it won't be. This isn't some OMG the sky is falling!!1!1 issue. To mitigate: if your SSH sessions are getting dropped, don't reconnect over 11,000 times. Don't think anyone's going to do that. With that said, Scott just committed a change to disable CBC.
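As an added example (not part of the original thread and not the pfSense commit it mentions), here is one way to check whether an sshd_config still leaves CBC-mode ciphers in play, which is what the change in the reply above turns off. The sample configurations, the function names and the KNOWN_CBC reference list are constructed for illustration; the '+', '-' and '^' list prefixes are handled as newer OpenSSH releases define them.

```python
import fnmatch
import re

# CBC-mode cipher names that OpenSSH releases have shipped
# (reference list assembled for this example).
KNOWN_CBC = [
    "3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc",
    "blowfish-cbc", "cast128-cbc", "rijndael-cbc@lysator.liu.se",
]

# keyword, then whitespace or a single '=', then the value
_DIRECTIVE = re.compile(r"^\s*([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.*?)\s*$")


def global_ciphers_value(config_text):
    """Return the value of the first global Ciphers directive, or None.

    sshd uses the first value it obtains for a keyword, and the global
    section ends where the first Match block begins.
    """
    for raw in config_text.splitlines():
        m = _DIRECTIVE.match(raw.split("#", 1)[0])
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip('"')
        if keyword == "match":
            break
        if keyword == "ciphers" and value:
            return value
    return None


def audit_ciphers(config_text):
    """Classify the Ciphers setting and list the CBC ciphers it leaves in play.

    Returns (mode, cbc) where mode is one of:
      "defaults"  no directive, the build's default list applies
      "explicit"  a full list was given; cbc = CBC names in that list
      "add"       '+' or '^' prefix; cbc = CBC names added to the defaults
      "remove"    '-' prefix; cbc = known CBC names the patterns do NOT remove
    """
    value = global_ciphers_value(config_text)
    if value is None:
        return ("defaults", [])
    prefix = value[0] if value[0] in "+-^" else ""
    names = [n.strip() for n in value[len(prefix):].split(",") if n.strip()]
    if prefix == "-":
        left = [c for c in KNOWN_CBC
                if not any(fnmatch.fnmatchcase(c, p) for p in names)]
        return ("remove", left)
    cbc = [n for n in names if fnmatch.fnmatchcase(n, "*-cbc*")]
    return ("add" if prefix else "explicit", cbc)


# Constructed sample configurations (not taken from any real host).
SAMPLES = {
    "cbc_listed": "Port 22\nCiphers aes128-ctr,aes256-cbc,3des-cbc\n",
    # The second Ciphers line is ignored: the first value wins.
    "ctr_only": "# hardened\nCiphers aes128-ctr,aes192-ctr,aes256-ctr\n"
                "Ciphers aes128-cbc\n",
    "no_directive": "Port 22\nMatch User backup\n    ForceCommand /bin/true\n",
    # The wildcard misses the one CBC name that does not end in '-cbc'.
    "removal": "Ciphers -*-cbc\n",
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        mode, cbc = audit_ciphers(text)
        print(f"{label:13} mode={mode:9} cbc={cbc}")
```

A "defaults" result is not a pass or a fail by itself: the default cipher list depends on the OpenSSH version installed, so it has to be checked against that build.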
Re: [pfSense Support] dyndns on multiWAN
On Tue, May 26, 2009 at 12:29 AM, David Burgess apt@gmail.com wrote: Hi, I see the question in the archives, but no answer. What would be the correct way to set up dynamic DNS on a multiwan setup? You can't until 2.0. Only WAN is supported.
Re: [pfSense Support] arm arch?
On Thu, May 28, 2009 at 1:40 PM, Tim Nelson tnel...@rockbochs.com wrote: In regards to alternate arch's, wouldn't something like ARM or MIPS provide better PPS rates than x86(_64)? No difference due to the architecture. There are some higher end MIPS platforms that are equivalent to big $ gear from Cisco, Juniper, et al. but they're also considerably more expensive than your typical x86 server class box, and it's more about ASICs than being a MIPS platform. We may see support for hardware along those lines at some point in the future.
Re: [pfSense Support] Snort running and update problem
On Sat, May 30, 2009 at 7:30 AM, ozan ucar m...@ozanucar.com wrote: Hello All, I have pfsense 1.2.2 and install snort. Snort success installation but don't update. Oinkmaster code have, i go to snort update page an error Snort success installation but don't update. Snort changed around their website earlier this week and broke some things, now it's fixed but it changed how we have to pull the rules. We're working on a package update, in the mean time you can't update rules.
Re: [pfSense Support] Multiwan suggestions before v. 2.0 ...
On Sun, May 31, 2009 at 7:03 AM, Tebano epaminonda l_epa_m_ino...@hotmail.com wrote: Hi all. I've read that complete multiwan support will be available only with 2.0 version of pfsense, but I'd like to know if You've some suggestion for doing something similar, also using many pfsense instead of single one, or something else. I have no idea what you're talking about. There is complete multi-WAN support in 1.2.x. What are you wanting to accomplish?
Re: [pfSense Support] Can I install packages if my Pfsense is offline
On Mon, Jun 1, 2009 at 10:24 PM, Rakthum_NetworkTelecom_IP#1 rakthu...@advanceagro.com wrote: Hello all My Pfsense is offline but I want to install some packages. How can I do? You can't. It has to download the package list and the packages themselves.
Re: [pfSense Support] Multiwan suggestions before v. 2.0 ...
On Mon, Jun 1, 2009 at 3:59 AM, Tebano epaminonda l_epa_m_ino...@hotmail.com wrote: Sorry, Guys. I was discussing of limitation reported into the features of: Inbound Load Balancing What exactly are you referring to?
Re: [pfSense Support] Does it matter which interface I specify for static routes?
On Tue, Jun 2, 2009 at 5:54 AM, Steve Harman steve.har...@envisional.com wrote: Hi! We have four internal NICs on our pfSense box; “LAN” , “LAN2”, “LAN3” and “LAN4”. I need to setup a static route for a remotely hosted network at our parent company’s office so any traffic destined for that network is directed towards our site-to-site VPN concentrator / gateway box sitting on “LAN3”. My question is this; when creating static routes for a remote network, say 10.0.19.0 in System Static Routes I’m asked to specify the “Interface” from a pulldown menu. If I specify “LAN” as my Interface does that mean the static route is only in effect for traffic on the LAN interface? (and not LAN2, LAN3 and LAN4). No, only use one route, the interface is where that router and subnet are reachable and applies to everything.
Re: [pfSense Support] Does it matter which interface I specify for static routes?
On Tue, Jun 2, 2009 at 4:24 PM, Evgeny Yurchenko evgeny.yurche...@frontline.ca wrote: May I ask why pfSense web-interface has this option? It needs to know for NAT rule generation and other purposes. It's a hold over from m0n0wall, it could figure it out without specifying.
Re: [pfSense Support] running pfsense on soekris net5501
On Tue, Jun 2, 2009 at 5:50 PM, Joseph Wagner lawn.dart.de...@gmail.com wrote: Has anyone been able to get pfsense to run properly on a Soekris net5501 embedded pc? Lots of people. I've installed the embedded image into my board and everything works fine except I can't get any traffic to go through the WAN port. I am able to access the webconfigurator from the LAN port and ping things from the LAN port fine. I've tried switching which ports pfsense uses, different network setups, firewall rules, changing cables, you name it. I still can't get the WAN port to ping my DSL gateway or contact anything else. Power cycle your DSL modem. And/or try MAC spoofing whatever you had plugged in before. Sounds like an ISP issue, one or both of those may resolve it.
Re: [pfSense Support] running pfsense on soekris net5501
On Tue, Jun 2, 2009 at 6:01 PM, Victor Padro vpa...@gmail.com wrote: Sometimes you have to uncheck the Block private networks and the Block bogon networks boxes on the WAN interface page, have you already done that? You never have to uncheck that for access out to the Internet. Those only affect traffic initiated from the WAN side, not egress from internal networks.
Re: [pfSense Support] running pfsense on soekris net5501
On Tue, Jun 2, 2009 at 7:02 PM, Tim Nelson tnel...@rockbochs.com wrote: Quickly looking at the previous posts, I don't see where you've specified what type of connection you're setting your WAN to. Is it PPPoE? Static? DHCP? Etc? And also, is it on a private subnet? Same subnet as your LAN?
Re: [pfSense Support] keep alive
On Wed, Jun 3, 2009 at 12:00 PM, Paul Cockings p...@cytringan.co.uk wrote: Hello list, I have an annoyance that is driving me bonkers. I have a Windows XP client, a pfsense 1.2.2 configured as a transparent firewall, development webserver (FreeBSD 7.2) When I'm using SSH (Putty) or MySQL (SQLyog) to the webserver after a short time the connection 'freezes'/'drops'. In putty i can cure this by adding keep alive = 5 seconds. In SQLyog i'm not sure the option exists. I think the problem is caused by the pfsense box. I'd be grateful of any ideas on how I might cure the 'dropped sessions' preferably by changing something with the pfsense box rather than finding a way to do more keep alives. Increase state timeouts, either per-rule or globally, but don't go overboard. You shouldn't rely on inactive TCP connections staying open for a long period ( 1 day at most) regardless of what's between the hosts.
Re: [pfSense Support] Does it matter which interface I specify forstatic routes?
On Wed, Jun 3, 2009 at 9:29 AM, Evgeny Yurchenko evgeny.yurche...@frontline.ca wrote: from my experience failover has higher priority than static route as it is implemented by means of pf rules. Yes, that is true. Static routes direct traffic initiated by the firewall to the appropriate WAN, and direct traffic that does not specify a gateway, but other than that they have no impact on load balancing or failover. If you specify a pool in your rules, that overrides any routing configuration.
Re: [pfSense Support] Feature Requests
On Fri, Jun 5, 2009 at 4:33 PM, Curtis Maurand cmaur...@xyonet.com wrote: Where can we make feature requests? http://redmine.pfsense.org with many still at http://cvstrac.pfsense.org as we haven't converted everything over yet. I also can't seem to find any decent documentation on the atrocious way it handles virtual IP addresses. What I would rather see is virtual interfaces. http://doc.pfsense.org/index.php?title=What_are_Virtual_IP_Addresses%3F The way they're handled is perfectly fine. We're open to suggestions, or better yet, your code that does it better.
Re: [pfSense Support] Recommended pfSense Hardware ( UK ~£100) ?
On Sun, Jun 7, 2009 at 2:00 AM, Volker Kuhlmann hid...@paradise.net.nz wrote: On Tue 02 Jun 2009 02:35:55 NZST +1200, David Burgess wrote: Have a look at these. http://www.soekris.com/lan16x1.htm The 2-port card is low profile Yes, sure. But how do you connect one of those to an ALIX board? You can't on the ALIX.2, but the ALIX.1 will work. Only one onboard NIC on the ALIX.1 but with a 4 port NIC it gives you an option for 5. Yawarra sells them that way. http://www.yawarra.com.au/hw-alix1.php
Re: [pfSense Support] LAN Drivers RTL8111D on INTEL
On Mon, Jun 8, 2009 at 8:34 PM, Federico Castro A. fcastro1...@racsa.co.cr wrote: Hi everyone. I'm trying to setup an INTEL DG41TY board with 3 LAN cards. One integrated RTL8111D and two D-Link 520 TX PCI. The D-Links are setup without a problem but the Realtek doesn't come up when I boot with the CD ver 1.2.2 Is there a way to add the driver for that card? No. Try 1.2.3, the newer FreeBSD might include the driver. http://snapshots.pfsense.org
Re: [pfSense Support] Multiwan suggestions before v. 2.0 ...
On Wed, Jun 10, 2009 at 10:03 AM, Tebano epaminonda l_epa_m_ino...@hotmail.com wrote: I've 2 isp with 2 different IP and routers. So I've configured 2 pfsense in load balance and with carp between them (internal and external, so I always have a single IP to manage with routes and nats). All works perfectly, if all ISP are working, or if I detach the WAN2-isp connection. But if I try to detach the first one, no-one is able to connect to the external of pfsense; the same pfsenses aren't able to connect to the internet. I see (correctly!), into the load balance status that only half of monitored IP are reachable, but if I try to traceroute them, or something else, connection fails. You have something wrong with your policy routing rules, or something. Traffic from the firewall itself will not follow those rules, and will be down when your WAN is down. Generally that's no big deal as nothing is initiated from the firewall other than traffic that you direct appropriately via static routes (DNS servers).
Re: [pfSense Support] Multiwan suggestions before v. 2.0 ...
On Thu, Jun 11, 2009 at 2:34 AM, Webmaster Megastar webmas...@megastar.fr wrote: There is a bug when you want to setup multiwan + load balancing + carp. The development team is aware of this. Ermal committed a kernel patch to pf that should resolve this. It's only in 8 builds at the moment, it will make its way into 1.2.3.
Re: [pfSense Support] Multiwan suggestions before v. 2.0 ...
2009/6/11 Webmaster Megastar webmas...@megastar.fr: Can you give us an idea of when it will be available in snapshots released to public ? Anything from 20090612 and newer should work (there aren't any yet, they'll be there eventually). Please test and report back.
Re: [pfSense Support] blocking RFC1918 and bogons on 2nd WAN
On Fri, Jun 12, 2009 at 9:10 AM, Paul Mansfield it-admin-pfse...@taptu.com wrote: suppose we have two WAN ports and have turned on the automatic RFC1918 and bogon blocking; you can see the grey-ed out rules on WAN1 interface. what's the best way to also do this on WAN2? in particular, how to put the list of RFC1918 and bogons into the rule so that their values are updated automatically? you can't for bogons until 2.0. for RFC1918 you can create an alias and add the rule manually.
Re: [pfSense Support] Inbound load balancer performance under heavy load.
On Fri, Jun 12, 2009 at 5:29 AM, Jose Hernandez j...@vidzone.tv wrote: Hi, Yesterday we had a service launch, and pfSense inbound load balancer let me down big time… We have been using pfSense 1.2-release version installed on Dell PowerEdge R200 and CARP for redundancy for around a year now, it proved to work although we never have had a very high load. For reasons outside our code base, your FreeBSD 6.2-based version is better for server load balancing than anything based on newer FreeBSD versions. There are regressions we found recently in 7.0 through 7.2, though Ermal may have fixed those, they are not issues in 6.2 to begin with so I would recommend against upgrading especially since Ermal's changes haven't been widely tested yet and this is a production system. It's very hard to say what might be impacting you here, without getting into the system.
Re: [pfSense Support] Outbound mail multi-wan
On Sat, Jun 13, 2009 at 3:07 PM, JJBonephat...@earthlink.net wrote: Hello, pfsense 1.22 we have a mail server: mail.domain.com We have two wan links WAN_ATT (T1) and WAN (covad DSL) reverse DNS is configured for the ATT link for mail.domain.com and for the covad link as mail01.domain.com is there some way to enable the mail server to open smtp connections over either link as mail.domain.com without failing reverse and or forward lookups? (some more strict email servers do both now). Reverse DNS can be the same on both. For forward lookups that's not possible, and there isn't any way for your mail server to know which pipe it's going out to be able to change its hostname. Very few servers check that forward and reverse matches, most just check for existence of PTR or that PTR matches EHLO. I'd keep it on one WAN, but have PTR on the second so you can fail over. That'll suffice for nearly all mail servers. Also, is there a way to force the server to always use either the ATT or Covad link to send mail? Yes, setup your rules on the interface with the mail server accordingly.
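The three receiver-side checks named in the reply above (PTR exists, PTR matches EHLO, forward lookup confirms the reverse), evaluated for both WAN addresses, as an added example that is not part of the original thread. The IP addresses, the A record assumed for mail01.domain.com, the StaticDNS stand-in and all function names are constructed for illustration; only the two hostnames come from the post.

```python
import ipaddress


def _host(name):
    """Normalise a DNS name for comparison."""
    return name.rstrip(".").lower()


def _ip(addr):
    """Normalise an IP address string."""
    return str(ipaddress.ip_address(addr))


class StaticDNS:
    """In-memory stand-in for DNS holding PTR and A records (constructed data)."""

    def __init__(self, ptr, a):
        self.ptr = {_ip(k): _host(v) for k, v in ptr.items()}
        self.a = {_host(k): {_ip(x) for x in v} for k, v in a.items()}

    def reverse(self, ip):
        return self.ptr.get(_ip(ip))

    def forward(self, host):
        return self.a.get(_host(host), set())


def receiver_view(dns, client_ip, ehlo):
    """What a receiving MTA can establish about a connecting client."""
    ptr = dns.reverse(client_ip)
    return {
        "ptr_exists": ptr is not None,
        "ptr_matches_ehlo": ptr is not None and ptr == _host(ehlo),
        "forward_confirms_reverse":
            ptr is not None and _ip(client_ip) in dns.forward(ptr),
    }


# Constructed addresses from the documentation ranges.
ATT_IP, COVAD_IP = "192.0.2.25", "198.51.100.25"
EHLO = "mail.domain.com"  # the server announces one name on either link

# As described in the question: a different PTR name on each link.
# The A record for mail01.domain.com is an assumption of this example.
AS_POSTED = StaticDNS(
    ptr={ATT_IP: "mail.domain.com", COVAD_IP: "mail01.domain.com"},
    a={"mail.domain.com": [ATT_IP], "mail01.domain.com": [COVAD_IP]},
)

# As suggested in the reply: the same PTR name on both links,
# with the forward record still pointing at one address.
SAME_PTR = StaticDNS(
    ptr={ATT_IP: "mail.domain.com", COVAD_IP: "mail.domain.com"},
    a={"mail.domain.com": [ATT_IP]},
)


def compare():
    """Return {scenario: {link: checks}} for both setups and both links."""
    setups = {"as_posted": AS_POSTED, "same_ptr": SAME_PTR}
    links = {"att": ATT_IP, "covad": COVAD_IP}
    return {
        name: {link: receiver_view(dns, ip, EHLO) for link, ip in links.items()}
        for name, dns in setups.items()
    }


if __name__ == "__main__":
    for scenario, per_link in compare().items():
        for link, checks in per_link.items():
            print(f"{scenario:10} {link:6} {checks}")
```

With the same PTR on both links, mail sent over the second link passes the two checks the reply calls common and fails only the strict forward-confirms-reverse check.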
Re: [pfSense Support] Outbound mail multi-wan
On Tue, Jun 16, 2009 at 1:37 PM, JJBonephat...@earthlink.net wrote: Yes, setup your rules on the interface with the mail server accordingly. I don't know how to set up pfsense to bind the mail server to the ATT network interface instead of the Covad, can someone provide me with details of how this would be done? It doesn't look like static routes would work since the mail server needs to talk to an unlimited # of machines on the internet. Just add a firewall rule matching traffic from the mail server and select the appropriate gateway or failover pool.
Re: [pfSense Support] forum vs mailing list
On Wed, Jun 17, 2009 at 1:38 PM, JJBonephat...@earthlink.net wrote: Hello, I didn't realize there is also a pfsense forum and that they are not connected. Which is the best place to post technical questions about configuration? Whichever you prefer. Some people like the forum format better, others mailing lists.
Re: [pfSense Support] Outbound mail multi-wan
On Wed, Jun 17, 2009 at 2:47 PM, JJBonephat...@earthlink.net wrote: We've tried this 10 different ways, so far it has not worked. Current Config is two pfsense 1.22 firewalls with CARP two WAN connections (not load balanced or failover) (covad att), with a DMZ interface where our mail and other internet servers live. I want the mail server to only make SMTP connections using the ATT interface, but it defaults to using the WAN interface (on the Covad). We route all generic traffic over the covad 10mb wan link (the default) and for server-to-server traffic (such as Iron Mountain backups we route to a specific ip block or address over the ATT interface. It is obvious how to do this with a static route when you have a specific address or block to communicate with, but to say all traffic 'from this DMZ address to anywhere' should be transmitted via the ATT link is not working. You should really never use static routes with multi-WAN, other than directing traffic initiated by the firewall (which should only be your DNS servers). Make sure your rules are in the right order, first match wins.
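A simplified model of the "first match wins" behaviour from the reply above, as an added example that is not pfSense code and not from the original thread. It shows how a broad rule placed above the mail server's gateway rule sends SMTP out the default link, and includes a small check for rules that can never take effect. The addresses, gateway names, rule descriptions and the Rule structure are all hypothetical.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One pass rule on the DMZ interface (simplified, hypothetical model)."""
    descr: str
    src: str                       # source network in CIDR form
    proto: str = "any"
    dport: Optional[int] = None    # None matches any destination port
    gateway: Optional[str] = None  # None = follow the routing table


def select_gateway(rules, src_ip, proto, dport, default_gw):
    """Return (gateway, rule description) for the first rule that matches."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if ip not in ipaddress.ip_network(r.src):
            continue
        if r.proto != "any" and r.proto != proto:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return (r.gateway or default_gw, r.descr)
    return (None, "no rule matched")


def _covers(a, b):
    """True when every packet rule b can match is also matched by rule a."""
    net_a, net_b = ipaddress.ip_network(a.src), ipaddress.ip_network(b.src)
    return (net_a.version == net_b.version
            and net_b.subnet_of(net_a)
            and a.proto in ("any", b.proto)
            and (a.dport is None or a.dport == b.dport))


def shadowed(rules):
    """List (rule, earlier rule) pairs where the earlier rule always wins
    and would pick a different gateway, so the later rule never applies."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if _covers(earlier, later) and earlier.gateway != later.gateway:
                found.append((later.descr, earlier.descr))
                break
    return found


# Constructed rule sets: DMZ 10.0.50.0/24, mail server 10.0.50.25.
ALLOW_DMZ = Rule("DMZ to any", "10.0.50.0/24")
MAIL_ATT = Rule("mail SMTP via ATT", "10.0.50.25/32", "tcp", 25, "ATT_GW")

WRONG_ORDER = [ALLOW_DMZ, MAIL_ATT]   # broad rule first: mail rule never hit
RIGHT_ORDER = [MAIL_ATT, ALLOW_DMZ]   # specific rule first

if __name__ == "__main__":
    for label, rules in (("wrong", WRONG_ORDER), ("right", RIGHT_ORDER)):
        gw = select_gateway(rules, "10.0.50.25", "tcp", 25, "COVAD_GW")
        print(label, "smtp ->", gw, "shadowed:", shadowed(rules))
```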
Re: [pfSense Support] Nfsen - Netflow: 2 new possibly packages for pfsense?
On Fri, Jun 19, 2009 at 1:00 PM, Tebano epaminonda l_epa_m_ino...@hotmail.com wrote: Hi all. I'm exploring features embedded into pfsense, and I was looking to interesting features as RRD graphics of system activities. I've read on RRD also improvements introduced from the use of packages: NfSen - Netflow. Do You think will be this packages ported in pfsense in the future? Never in the base system as it requires Perl. If there are any NetFlow tools that don't require Perl, we would like to have something of that nature in the base system, but I've looked and come up empty. It's a possibility for a package in the future.
Re: [pfSense Support] Interface stops routing to WAN
On Mon, Jun 22, 2009 at 1:42 PM, Joe Laffey j...@laffey.tv wrote: While I forgot to look when it happened, this was one of my thoughts, as well. But then I thought to myself, wouldn't this cause connections from the LAN to the WAN to fail as well? Or is the state table subdivided equally between the interfaces, and not shared, or something? That was the first thing that came to mind for me as well, but if new connections on other interfaces work, and connections from that interface to LAN work, that isn't it. Existing connections would continue to function. You can check state history under Status - RRD graphs. If it recurs, time to break out tcpdump and see what's really happening. There are any number of possibilities. If the traffic is getting NATed to a VIP, it could be related to that.
Re: [pfSense Support] Dynamic DNS won't update
On Mon, Jun 22, 2009 at 5:33 PM, Bjoern Heller mailingli...@hellercom.de wrote: Hello, I'm running pfSense 1.2.3 RC1 on standard PC hardware, and everything runs perfect except the DynDNS updater. The new IP isn't sent to dyndns.org... If I manually click on the Save button in the Dynamic DNS menu the IP is updated. When I click on Monitor it gives the following error: There were error(s) loading the rules: /tmp/rules.debug:134: syntax error/tmp/rules.debug:135: syntax error pfctl: Syntax error in config file: pf rules not loaded - The line in question reads [134]: rdr on proto tcp from any to any port = 1723 - 127.0.0.1... You have a broken package of some sort installed. Frickin PPTP maybe?
Re: [pfSense Support] Appliance support
On Tue, Jun 23, 2009 at 9:38 AM, Vick Khera vi...@khera.org wrote: Last time I set up an embedded (1.2.2 on my home router) I booted the device, reset the DHCP lease on my desktop and connected to 192.168.1.1 and configured it by reloading the config file. No serial port required, even though I do have one hooked up. Depends on what hardware you're using. Up to 1.2.2, the default was for WRAP/4801, with sis0 as LAN and sis1 as WAN in the default config. That's changed to vr0/vr1 in 1.2.3.
Re: [pfSense Support] vpn pass thru problem
On Thu, Jun 25, 2009 at 1:39 AM, Guruprasad-Baysoft g...@baysoft.in wrote: i had pfsense 1.2.2 and vpn not configured. I was connecting outside vpn servers from my laptop thru vpn client and no issues. After upgrading pfsense to 1.2.3RC1, i am unable to connect to outside vpn servers from my laptop vpn client which is behind the pfsense box. What kind of VPN?
Re: [pfSense Support] Cvstrac-Bug 1932 patch
On Wed, Jun 24, 2009 at 8:22 AM, Aarno Aukia aarnoau...@gmail.com wrote: Hi, Attached a patch against 1.2.3-rc1 fixing http://cvstrac.pfsense.com/tktview?tn=1932, which was opened by a co-worker of mine while I was on vacation. Let me know if the patch fails against cvs/git. I'll have to update my test box to rc2 now anyway... It did apply cleanly to RELENG_1_2 and was committed. Thanks! https://rcs.pfsense.org/projects/pfsense/repos/mainline/commits/991ad577d6f9fa48268c0d3a13912cc8714a0b70 Have you tested 2.0 to see if this is also an issue there? That code is considerably different. IMHO there should be a link from cvstrac to redmine to facilitate the migration/adoption of redmine ;) Yeah...we're getting there. ;) We're getting some other things out of the way before focusing on that effort in the near future.
Re: [pfSense Support] vpn pass thru problem
On Thu, Jun 25, 2009 at 1:59 AM, Guruprasad-Baysoft g...@baysoft.in wrote: I am using safenet softremote LT client software. My customer sent the security policy editor config file. So i just imported that in my safenet vpn client software and using. Hence i do not know what is the remote vpn server i am connecting to. My doubt is whether i need to explicitly configure anything in my pfsense firewall to allow the outgoing ipsec traffic? That depends. Usually, yes, just add appropriate rules (the default LAN rule suffices). By default we don't rewrite the source port on UDP 500 traffic because it frequently breaks IPsec, but that can cause other difficulties in less common scenarios. If it's using NAT-T that won't be related. Hard to say what you might be seeing, the NAT behavior hasn't changed since the original 1.2 release so I doubt if it's related to what version you're running, maybe a change was made to the remote end. What is the error you're seeing, or the exact problem?
Re: [pfSense Support] PFSense 1.2.3RC1 / Problems with IPSEC and AES256
On Tue, May 26, 2009 at 5:42 AM, Benjamin Fromme benjamin.fro...@login-online.de wrote:
> Hi List, we have several tunnels between some pfsense 1.2.2 boxes. For phase 2 we have configured AES256 as the only encryption algorithm and everything works fine. Now we upgrade one of the boxes to pfsense 1.2.3RC1 and all tunnels on this box are broken. The 1.2.2 boxes show the tunnel as working, on the 1.2.3RC1 box we see the following in the logs:

The newer ipsec-tools doesn't like the syntax that used to work, I committed a fix a couple days ago for this. Any snapshots with today's date or newer should work.
Re: [pfSense Support] Multiple WANs on a Single Bridge
On Thu, Jun 25, 2009 at 3:43 PM, Joseph Hardeman jharde...@colocube.com wrote:
> Hi Everyone, I have been trying to figure out how to setup multiple wan networks on a single bridge. For instance:
> 111.111.111.111/25 - em0/bridge0/opt1 - internal servers
> 222.222.222.222/25 - em0/bridge0/opt1 - internal servers

Nothing to it, if what you really need is a bridge. If the gateway IP is outside the firewall, it's no different to use two subnets than it is one. If the gateway IP isn't outside the firewall, you don't need bridging, you need a routed public IP subnet on an OPT interface.
Re: [pfSense Support] PFSense 1.2.3RC1 / Problems with IPSEC and AES256
On Thu, Jun 25, 2009 at 6:27 AM, Ho Sy Tan hosy...@gmail.com wrote:
> I run pfSense-1.2.3-RC1 (FreeBSD 7.1), IPSec with IKE P2 AES 256, it works fine.

That's with the older ipsec-tools version. The latest one wants different syntax.
Re: [pfSense Support] Traffic Shapping : High priority on particular port
On Mon, Jun 29, 2009 at 1:58 PM, Bastien DARMON bdar...@horus-df.com wrote:
> Hello, Is there a way, in pfsense, to give the highest priority over the rest of the traffic to an application running on a particular port?

You can shape this just like anything else, with the caveat that it falls into the group of all traffic between LAN and WAN. Sounds like that's fine for this purpose. Just setup the queues as desired and add a rule to put that traffic into the appropriate queue.
Re: [pfSense Support] Statically-defined DHCP clients with dynamic addressing not entered into DNS
On Mon, Jun 29, 2009 at 3:57 PM, Ian Levesque i...@crystal.harvard.edu wrote:
> On Jun 26, 2009, at 2:00 PM, Ian Levesque wrote:
>> We're running DHCP and DNS on a pair of CARPed pfSense 1.2.1 boxen. Other than the fact that they don't sync DHCP entries, it's been working OK for us. However, we've currently got them configured to assign static IPs to specific MACs, and that's becoming difficult to manage. We'd prefer to add an entry for each host's MAC and a hostname, but omit the IP address assignment. While we can do this currently - said hosts do receive an IP address in the dynamic pool - the hosts' hostname fails to be assigned in DNS. Remember, statically-assigned IP hosts (hence, hosts added to /etc/hosts) DO get added to DNS.
>
> I'm surprised that nobody seems to have DHCP/DNS configured with your clients allocated IP addresses from a dynamic pool. This seems like a pretty simple use case.

Not sure of the cause, but you can probably find the answer by looking into dnsmasq and dhcpd. Those configs are in /var/etc/
Re: [pfSense Support] NAT+IPsec
On Thu, Jul 2, 2009 at 10:36 AM, Evgeny Yurchenko evgeny.yurche...@frontline.ca wrote:
> Hello. setup:
> my LAN---192.168.8.0/24 pfSense 1.1.1.1/24 2.2.2.2/24 FW 198.x.x.0/24---remote LAN
> I am asked to create Ipsec tunnel between 'my LAN' and 'remote LAN' but these remote guys say that they can not accept local 192.168.x.x net, they need public . Is it possible to make this NAT happen at pfSense:
> 1) when packet comes to LAN destined to 198.x.x.0/24 the source IP 192.168.8.x to be modified to 172.20.y.y and forwarded to this tunnel.
> 2) when traffic comes from the tunnel destined to 172.20.y.y its destination IP to be modified to 192.168.8.x

No, because unfortunately it's not possible to do that in FreeBSD. It's possible with OpenVPN, but not likely something the remote end supports.
[pfSense Support] Re: Patch and ISO: New Feature -- Auto Configuring Interfaces
On Sun, Jul 5, 2009 at 4:23 PM, Tim A. pfse...@lists.goldenpath.org wrote:
> Attached a patch against 1.2.3-rc2 adding support for auto configuring interfaces.

That's definitely a nice feature, though only suitable for addition to 2.0, so we'll need a patch for 2.0. The only thing from your description that needs to change is the auto-assignment with one interface, 2.0 will let you assign only WAN and treat it basically like LAN with a default gateway for appliance purposes, so if there is only one interface it needs to only assign WAN. Thanks!
Re: [pfSense Support] Patch and ISO: New Feature -- Auto Configuring Interfaces
On Mon, Jul 6, 2009 at 8:47 AM, Ermal Luçi ermal.l...@gmail.com wrote:
> To me this is a hack and not a feature. There is a better way to do these things than kludge things here and there in the code. The right fix was proposed once and not everybody liked the POLA breaking.

I don't recall that discussion (and I'll admit I didn't have time to read the patch before I replied). What do you consider the right fix, Ermal?

POLA = http://en.wikipedia.org/wiki/Principle_of_least_astonishment
Re: [pfSense Support] Patch and ISO: New Feature -- Auto Configuring Interfaces
On Tue, Jul 7, 2009 at 4:26 AM, Ermal Luçi ermal.l...@gmail.com wrote:
> On Mon, Jul 6, 2009 at 8:39 PM, Chris Buechler c...@pfsense.org wrote:
>> On Mon, Jul 6, 2009 at 8:47 AM, Ermal Luçi ermal.l...@gmail.com wrote:
>>> To me this is a hack and not a feature. There is a better way to do these things than kludge things here and there in the code. The right fix was proposed once and not everybody liked the POLA breaking.
>>
>> I don't recall that discussion (and I'll admit I didn't have time to read the patch before I replied). What do you consider the right fix, Ermal?
>
> It was the proposal to name all the interfaces with a common name and not following the FreeBSD by product naming(at least in embedded). This would give a uniform interface name on different products and would make at least embedded a no pain installing/running since it would just boot into the webgui!

Oh, I don't know if that's a good approach, that definitely changes to something that people aren't accustomed to. I don't have any objection to the approach Tim has mentioned here, auto-assigning if the assignment prompt times out. The challenge is doing it in a predictable manner so you don't have to guess what to plug in where. Maybe it auto-assigns the interface with link as LAN, and we instruct users to boot up when using auto-assignment with only LAN plugged in. Then it's easy to know what WAN is if you only have two NICs. If you have more than that, you can check the assignments after getting into the GUI on LAN.
Re: [pfSense Support] PPTP erro 619
On Fri, Jul 10, 2009 at 8:13 PM, Chris Flugstad ch...@cascadelink.com wrote:
> False alarm Still broken :(

Reset the state table on the firewall the client is behind and try again.
Re: [pfSense Support] 1.2.3RC1 embedded: wireless communication with Nokia N97 stops after a few KB but the connection desn't drop
On Sun, Jul 12, 2009 at 1:21 PM, Angelo nglrossi...@gmail.com wrote:
> Hi, I have a weird wireless connection issue with my new Nokia N97, hope someone can help me.

You won't find a solution here, it's a wireless driver issue of some sort and that would have to get fixed upstream in FreeBSD. There aren't any FreeBSD developers interested in fixing wireless issues in 7.x, but once we get wireless working on 8 we hope to be able to get the attention of the appropriate FreeBSD developers to get the wireless issues resolved (if they aren't already). We'll post here, and to the blog when that's available, we'd appreciate the help of those who can replicate problems at that point.
[pfSense Support] Fwd: [FreeBSD-Announce] Announcing EuroBSCon 2009
I will be presenting on pfSense at EuroBSDCon. info here: http://blog.pfsense.org/?p=481 and below

-- Forwarded message --
From: Robert Watson rwat...@freebsd.org
Date: Mon, Jul 13, 2009 at 9:18 AM
Subject: [FreeBSD-Announce] Announcing EuroBSCon 2009
To: annou...@freebsd.org

EuroBSDcon 2009
Friday 18th - Sunday 20th September, University of Cambridge, UK

A day of tutorials followed by 2 days of conference talks covering a wide variety of BSD related topics. This is the European BSD Community's annual event to meet, share and interact across the projects and between friends.

This year's line up features...
* ISC and *BSD
* OpenBSD malloc
* How FreeBSD finds oil
* NetBSD's LVM
* faster packets in OpenBSD
* Wireless Mesh networks
* Kirk McKusick's FreeBSD Guide
* and more,

The full talk list and schedule: http://2009.euroBSDcon.org

Discounted Early Bird registration runs until 2nd September. Book your place now at http://2009.euroBSDcon.org

Final programme may be subject to alteration. EuroBSDcon is a not for profit event open to everyone so please help spread the word online and offline.

Thanks for reading! If you're interested to read this far, you can sign up for future announcements about EuroBSDcons by sending an email to eurobsdcon-announce-subscr...@lists.ukuug.org . Your address will only be used to contact you about European BSD events.

EuroBSDcon 2009 : September 18-20th, Cambridge, England. http://www.ukuug.org/events/eurobsdcon2009/

EuroBSDcon is grateful to our sponsors; Premier Sponsor iXsystems.com, and The FreeBSD Foundation, NetApp and Google.
Re: [pfSense Support] IGMP packet out of WAN
On Mon, Jul 13, 2009 at 9:43 AM, Evgeny Yurchenko evgeny.yurche...@frontline.ca wrote:
> Hi All! should the rule
> pass out quick on bge1 all flags S/SA keep state label "let out anything from firewall host itself"
> allow IGMP packets out of WAN interface? Packets are generated by igmpproxy running at pfSense.

Not sure what Ermal is referring to, that should pass multicast too. Are you seeing it blocked in the firewall logs?
Re: [pfSense Support] Re: Patch and ISO: New Feature -- Auto Configuring Interfaces
On Tue, Jul 14, 2009 at 6:08 PM, Tim A. pfse...@lists.goldenpath.org wrote:
> I tried to push this to the repo but it keeps saying not allowed. Are you guys only using that internally?

You can only push to your own clones unless you're an authorized committer, we don't let just anybody push changes into official repos (and other branches like RELENG_1_2 for 1.2.3 are much more restricted than mainline/2.0). Scott will get you setup so you can push this to mainline. Thanks!
[pfSense Support] Next generation of pfSense embedded now available
For those who don't follow the blog: http://blog.pfsense.org/?p=472
Re: [pfSense Support] Next generation of pfSense embedded now available
On Tue, Jul 14, 2009 at 9:51 PM, Nenhum_de_Nos matheus...@gmail.com wrote:
> great news. just one question though. I use tinybsd for this embedded stuff, is there any way to shrink this image (any way I can do myself, not the project do for me) to fit 128MB cf I already have ?

Not easily. You can't fit it twice into 128 MB, you'd have to do some serious hacking on the build tools to remove the second partition. A 512 MB CF is under $20 USD, vs. countless hours of effort to create something that fits on a smaller card. Save yourself a ton of headaches and get a new card.
Re: [pfSense Support] Filtering streaming - peer to peer - instant messaging
On Wed, Jul 15, 2009 at 8:48 AM, bsdb...@todoo.biz wrote:
> Hello, I am about to answer a public tender and am looking for a reliable open-source filtering solution. I need to filter layer 3 and 4 of TCP/IP stack (TCP and Application layer) specially for stream such as Peer to Peer - IM - Streaming - Virus.

You have your layers wrong. L3 (IPs) and L4 (protocol, TCP, UDP, GRE, ESP, etc.) are fully supported. I presume you mean higher layers, identifying what traffic is based on the actual payload rather than L3/4 header. 2.0 does have some application intelligence but that's not an option for immediate use. There aren't any similar open source options that do have that kind of functionality unless you build it yourself.
Re: [pfSense Support] Re: Patch and ISO: New Feature -- Auto Configuring Interfaces
On Wed, Jul 15, 2009 at 3:39 AM, Ermal Luçi ermal.l...@gmail.com wrote:
> Please pretty please do not make distinctions on lan/wan/optif i have invested too much time to clean this!

I don't see anything that treats LAN/WAN/OPT improperly. When auto-assigning interfaces, you don't have a choice but to assign first to WAN, then to LAN, then to OPT. I agree we need to stay away from treating interfaces differently, but I don't see anything here that's improper, there is no other way to assign interfaces. If you have 1 interface, it must be WAN, if you have two, they must be LAN and WAN. You can do whatever you want with those two interfaces once you're in the GUI, but there are no other options in the interface assignment. It functions no differently from the console interface assignment. If I'm missing something else in the code let me know.
Re: [pfSense Support] Web Interface Pages - Save Button
On Wed, Jul 15, 2009 at 11:15 PM, Tim Nelson tnel...@fudnet.net wrote:
> Hello fellow pfSensers! I've been quietly annoyed with a minor 'issue' in pfSense for some time now and finally thought I'd bring it to light to see if it's just me or if anyone else has the same problem. I love my keyboard. It's one of those nice old IBM 'clickey' units that just feels great to type on. I find I rarely use my mouse unless absolutely required. When I'm using the pfSense web interface, to add/modify a firewall rule for example, I can tab my way around the page adding details where appropriate. Yay. UNTIL, I want to save the page. I tab over to the 'Save' button, hit enter, and NOTHING HAPPENS.

You can use the usual way to click a selected button with the keyboard - space bar. Or create a clone at rcs.pfsense.org and change every single page to save on enter and request a merge.
Re: [pfSense Support] Web Interface Pages - Save Button
On Wed, Jul 15, 2009 at 11:25 PM, Tim Nelson tnel...@fudnet.net wrote:
> Chris Buechler wrote:
>> On Wed, Jul 15, 2009 at 11:15 PM, Tim Nelson tnel...@fudnet.net wrote:
>>> Hello fellow pfSensers! I've been quietly annoyed with a minor 'issue' in pfSense for some time now and finally thought I'd bring it to light to see if it's just me or if anyone else has the same problem. I love my keyboard. It's one of those nice old IBM 'clickey' units that just feels great to type on. I find I rarely use my mouse unless absolutely required. When I'm using the pfSense web interface, to add/modify a firewall rule for example, I can tab my way around the page adding details where appropriate. Yay. UNTIL, I want to save the page. I tab over to the 'Save' button, hit enter, and NOTHING HAPPENS.
>>
>> You can use the usual way to click a selected button with the keyboard - space bar. Or create a clone at rcs.pfsense.org and change every single page to save on enter and request a merge.
>
> Space bar eh? Boy that sounds counter intuitive... :-)

Not specific to anything we do, that's been the standard for pressing a highlighted button for a very long time.
Re: [pfSense Support] 1.2.3RC1 embedded: wireless communication with Nokia N97 stops after a few KB but the connection desn't drop
On Thu, Jul 16, 2009 at 4:26 AM, Paul Mit-admin-pfse...@taptu.com wrote:
> Angelo wrote:
>> I have a weird wireless connection issue with my new Nokia N97, hope ...
>> Yesterday I bought a Nokia N97 and as soon as I came back home I started playing with it. I joined my wireless network and typed the PSK and the
>
> Hi Angelo, there's definitely something odd in the latest Nokias; my sister-in-law has a Nokia N96 and a Netgear DG834GT wireless/router/adsl. the wireless router works with every other device I have - dual-boot winXP linux laptop, nokia tablet, nokia e65, but I get exactly the same problem as you described with the N96, it's been reported by many http://www.google.co.uk/search?q=n96+wireless+dg834gt I tried reflashing the nokia with the latest *generic* firmware instead of the slightly crippled and dated T-Mobile version, but it didn't work.

Ah, maybe I was quick on the trigger to blame FreeBSD, sounds like it's just a buggy device in general since there are widespread problems with other APs as well.
Re: [pfSense Support] IGMP packet out of WAN
On Mon, Jul 13, 2009 at 6:59 PM, Evgeny Yurchenko evgeny.yurche...@frontline.ca wrote:
> No, I can not see in logs. But on LAN I have
> 18:55:24.602839 IP 192.168.1.2 > 224.0.0.22: igmp v2 report 239.142.1.1
> It does not go out of WAN. And when I disable packet filtering it does go out of WAN.

You're using the IGMP proxy package on 1.2.x I presume? It's not blocking it if it isn't getting logged (unless you disabled logging on the default rules), but it sounds like it has some sort of impact on the traffic. I spent some time working with that package and never could get it to pass the traffic as it should, though the code it came from in 2.0 did work for me. Haven't had time to go back and look at it further.
Re: [pfSense Support] Hardware Configuration
On Mon, Jul 20, 2009 at 4:47 AM, Caroline Stekke caroline.ste...@univ-rennes1.fr wrote:
> Hi ! I have installed PfSense on two servers DELL. I have on these servers a network card of 4 ports GBE. I have a problem with this card, because FreeBSD or PfSense, I don't know where is the problem can't recognize these ports. So my servers don't have ports. This is my network card configuration :
> dual embedded broadcom 5709
> 4 ports GBE
> I have learnt on a forum, that I have to install a driver bge? But, in FreeBSD it's not really easy to install. So, I just want to know if you have already met this problem ? And of course, if you have perhaps a solution for me.

If it's a newer card it may only be supported in 1.2.3-RC1 (FreeBSD 7.1), or possibly only in FreeBSD 7.2, which you can find in 1.2.3 snapshots at http://snapshots.pfsense.org
Re: [pfSense Support] Hardware Configuration
On Mon, Jul 20, 2009 at 5:09 AM, Caroline Stekke caroline.ste...@univ-rennes1.fr wrote:
> Thank you for your attention But I have installed this version : 1.2.3-RC1 with FreeBSD 7.1 So for you my newer card, just can work with FreeBSD 7.2 ?

I don't know, but it's possible.
Re: [pfSense Support] Hardware Configuration
On Mon, Jul 20, 2009 at 5:17 AM, Caroline Stekke caroline.ste...@univ-rennes1.fr wrote:
> Ok, And did you know what is the procedure to compile the driver bge myself.

The bge driver is there already. If the NICs aren't detected, they aren't supported by the bge driver in that particular FreeBSD version.
Re: [pfSense Support] Re: odd sip firewall issue
On Tue, Jul 21, 2009 at 11:25 AM, R. Th. Bootsvand...@gmail.com wrote:
> Chris Buechler wrote:
>> On Sun, Jul 19, 2009 at 5:44 PM, R. Th. Bootsvand...@gmail.com wrote:
>>> Hello All, I have an asterisk server which is hooked up to 3 providers. With all 3 of them I have no problems connecting to my numbers, however only with 2 of them I am able to receive calls on the numbers.
>>
>> I suspect #2 here. http://doc.pfsense.org/index.php/VoIP_Configuration
>
> Hello Chris, I have upgraded to 1.2.3-RC1 and set the state table optimization to conservative, but I am still seeing the the same things happening. Any other ideas on this?

Tried option #1 in that doc?
Re: [pfSense Support] IGMP packet out of WAN
On Wed, Jul 22, 2009 at 9:37 PM, Evgeny Yurchenko evgeny.yurche...@frontline.ca wrote:
> Suddenly I discovered pfSense-development distribution which has compiler (yes, I was that stupid that had not paid attention that there were such thing). Now I'd like to play with igmpproxy package. Where do I download source code from? I tried to pick it up from ftp.freebsd.org/pub/FreeBSD/ports/igmpproxy-src-0.1-beta2.tar.gz and it gives me tons of errors when make. Any hint on reading about approach I should take or brief advice would be greatly appreciated.

Clone the tools repo at rcs.pfsense.org and see pfPorts/igmpproxy/

Build it just like any port, just need to run 'make' in that directory.
Re: [pfSense Support] IGMP packet out of WAN
On Thu, Jul 23, 2009 at 11:29 AM, Chris Buechler c...@pfsense.org wrote:
> On Thu, Jul 23, 2009 at 10:02 AM, Evgeny Yurchenko evgeny.yurche...@frontline.ca wrote:
>> Thanks for quick report Chris. I am completely new to this stuff please bear with me. Trying to accomplish 'Clone the tools repo at rcs.pfsense.org' I came to conclusion I need git installed on my pfSense-dev system. Reading several documents I tried the following procedure: echo WITHOUT_X11=yo /etc/make.conf portsnap fetch extract - Success cd /usr/ports/devel/git make BATCH=yo make install BATCH=yo make clean - Failure after the next:
>
> No idea. Try to pkg_add -r git, or you may have to clone it on another system and copy over the port.

or fetch http://cvs.pfsense.org/~cmb/igmpproxy-port.tgz
Re: [pfSense Support] IGMP packet out of WAN
On Thu, Jul 23, 2009 at 12:32 PM, Evgeny Yurchenko evgeny.yurche...@frontline.ca wrote:
> Well.. I installed http://files.pfsense.org/mirror/downloads/pfSense-Developers-1.2.2.iso.gz and it gave me 7.0. My systems run 1.2-RELEASE as I have some issues with 1.2.2

So you've been testing the package on 1.2-release? That's definitely not going to work. What issues do you have with 1.2.2?
Re: [pfSense Support] IGMP packet out of WAN
On Thu, Jul 23, 2009 at 12:49 PM, Evgeny Yurchenko evgeny.yurche...@frontline.ca wrote:
> No, I've been testing igmpproxy on 1.2.2 and if it will work I'll have to build one FW on 1.2.2.

Oh, that binary I put up a URL for was built on 7.1, you should be trying at least 1.2.3-RC1 for that.

> One big issue with 1.2.2 at some point it just hangs on our HP DL380 G3. Hangs means it is routing/firewalling but I can not manage it neither using ssh nor http. It accepts connections but no login prompt or http answer. Remote syslog does not show anything. 1.2 works perfectly on the same (literally) hardware.

Hardware-specific FreeBSD issue. Might want to try 1.2.3-RC1 (7.1) or current 1.2.3 snapshots (7.2) as they seem to fix a number of hardware-specific regressions that existed in 7.0.
Re: [pfSense Support] Version Clarification and Routing Issue
On Thu, Jul 23, 2009 at 1:24 PM, bsd...@gmail.com bsd...@gmail.com wrote:
> hi, first, i am a little confused at the versions of pfsense. currently i'm running pfsense 1.2.3-RC1 built back in April of 09. it's not clear to me where the 1.2.3 branch stands or what is the latest version of 1.2.3 that i should be running.

Stick with RC1 until there's an official RC2.

> secondly, my pfsense(1.2.3-RC1) has RIP enabled and has several routers behind it also using RIP. all network traffic works correctly on the LAN but i'm not able to ping out to the internet from the routers unless i add static routes on pfsense. it appears that pfsense is getting the advertised routes via RIP as i can see them in the routing table.

When you add static routes it adjusts the auto generated NAT rules. You need to manually define outbound NAT with dynamic routing.
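An added example, not part of the thread and not pfSense code: a Python check for the situation in the reply above, listing internal networks that are routed but would have no outbound NAT source entry. The route listing format, interface names and addresses are constructed, and the rule that automatic outbound NAT covers connected and static-route networks but not RIP-learned ones is modeled only from the reply's description.

```python
import ipaddress

# Constructed, simplified route listing (not real netstat output):
# destination, next hop, how the route was learned, interface.
SAMPLE_ROUTES = """
192.168.1.0/24   link         connected  em1
203.0.113.0/24   link         connected  em0
10.30.0.0/24     192.168.1.4  static     em1
10.10.0.0/24     192.168.1.2  rip        em1
10.10.1.0/24     192.168.1.2  rip        em1
172.16.40.0/22   192.168.1.3  rip        em1
"""

WAN_IF = "em0"  # assumed WAN interface name for this sample


def parse_routes(text):
    """Turn the constructed listing into a list of route dicts."""
    routes = []
    for line in text.strip().splitlines():
        dest, gateway, origin, iface = line.split()
        routes.append({
            "net": ipaddress.ip_network(dest),
            "gw": gateway,
            "origin": origin,
            "if": iface,
        })
    return routes


def automatic_nat_sources(routes, wan_if=WAN_IF):
    """Source networks automatic outbound NAT is assumed to cover:
    internal connected subnets plus static-route networks, and nothing
    learned from a routing daemon (the behaviour the reply describes)."""
    return [r["net"] for r in routes
            if r["if"] != wan_if and r["origin"] in ("connected", "static")]


def uncovered_networks(routes, nat_sources, wan_if=WAN_IF):
    """Internal routed networks that no NAT source entry contains.
    Hosts there reach the LAN but leave the WAN un-NATed."""
    missing = []
    for r in routes:
        if r["if"] == wan_if:
            continue
        if not any(r["net"].subnet_of(src) for src in nat_sources):
            missing.append(r["net"])
    return missing


def suggested_manual_sources(missing):
    """Merge adjacent networks into the fewest exact source entries.
    collapse_addresses never widens the covered range, so the manual
    rules translate only what is actually routed."""
    return list(ipaddress.collapse_addresses(missing))


if __name__ == "__main__":
    routes = parse_routes(SAMPLE_ROUTES)
    auto = automatic_nat_sources(routes)
    missing = uncovered_networks(routes, auto)
    print("covered by automatic NAT:", [str(n) for n in auto])
    print("routed but not NATed:   ", [str(n) for n in missing])
    print("manual sources to add:  ",
          [str(n) for n in suggested_manual_sources(missing)])
```
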