Re: [pfSense Support] Nat traversal and Asterisk

2009-03-16 Thread Chris Buechler
On Mon, Mar 16, 2009 at 7:52 PM, Scott Ullrich  wrote:
>
>  Static port needs to be disabled

Correct, but that's a typo - needs to be enabled.
http://doc.pfsense.org/index.php/Static_Port

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org



Re: [pfSense Support] sip nat

2009-03-18 Thread Chris Buechler
Nearly always, rewriting source port on SIP breaks it so it's not done
by default. Enable AON and it will be.


On Wed, Mar 18, 2009 at 6:11 AM,   wrote:
>
> Hi
>
> I know this issue has been raised before, but I haven't really found a
> satisfying answer, so here I go again...
>
> My problem is related to sip-nat.
>
> I'm running a network with approximately 2000 home users.
> I chose pfsense back in the 1.0.1 days, and am still very satisfied
> with its performance and stability.
> At the moment I have four machines running pfsense.
> One working as router only (disabled the firewall under advanced). - pfsense
> v. 1.2
> Two working as nat-routers for Internet-access. - pfsense v. 1.2
> One working as a nat-router for Audiocodes MP124 sip boxes. - pfsense v.
> 1.0.1
>
> When pfsense 1.2 came out, I upgraded every machine. But quickly I had to
> roll the "sip-router" back to 1.0.1, since it
> stopped rewriting the source port for the MP124 boxes.
>
> My problem is that many customers choose to set up their own sip-boxes on
> the internet-connection, and therefore get connected with one of the routers
> that's running pfsense 1.2. And it just does not rewrite the source port, and
> as a result of that only one sip-box per provider gets connected. As soon as
> I throw them on another vlan, so they get connected to the machine running
> pfsense 1.0.1, it rewrites the ports just fine, and I can have as many boxes
> from the same provider behind one single public ip.
>
> Does anyone have an explanation to this behavior, or even better, a
> solution!?
>
> Kind regards
>
> Anders Dahl



Re: [pfSense Support] RE: 1:1 NAT - Outbound source IP?

2009-03-18 Thread Chris Buechler
On Wed, Mar 18, 2009 at 4:25 PM, Nathan Eisenberg
 wrote:
> Just bumping this question up.
>

Gary answered it yesterday. The only way it doesn't work that way is
if you have some sort of proxy running on the firewall.



Re: [pfSense Support] CARP over Serial?

2009-03-18 Thread Chris Buechler
On Wed, Mar 18, 2009 at 7:55 PM, Nathan Eisenberg
 wrote:
>
> Is there any provision for doing CARP over serial/SLIP, or do I have to have 
> a third Ethernet interface?

No, because it wouldn't work unless you have a 512 Kb Internet pipe or
slower. Serial is *way* too slow to sync states with any modern
broadband connection.



Re: SV: [pfSense Support] sip nat

2009-03-18 Thread Chris Buechler
On Wed, Mar 18, 2009 at 9:44 PM, Chris Flugstad  wrote:
> Also forgot to note, that most phones will register on port 5060.  This
> however behind a NAT won't work if you have more than 1 phone.  You will have
> to statically configure the port differently on each phone OR some phones
> will have a "random" port selection OR sometimes you can select 5061 and it
> will pick a random port.

Or this is what the siproxd package is for, to be able to track
connections on SIP where you can't rewrite the source port. That's
almost always, but evidently there are some scenarios where that works
fine, given the report of the initiator of this thread.



Re: [pfSense Support] Fw: About bridge network interface and rc.conf

2009-03-18 Thread Chris Buechler
Did you not see my previous reply?  Here:
http://thread.gmane.org/gmane.comp.security.firewalls.pfsense.support/16723/focus=16726



Re: [pfSense Support] Nat traversal and Asterisk

2009-03-19 Thread Chris Buechler
On Thu, Mar 19, 2009 at 7:51 AM, k_o_l  wrote:
> Actually I just noticed, it fixed the problem for the asterisk clients but
> broke my Vonage service
>

Doesn't surprise me, you'll need to modify your outbound NAT to not
rewrite source port for traffic going to Vonage.
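
The two outbound NAT behaviours argued over in the "sip nat" thread and in this reply, as an added worked model (not pfSense or pf code): the default policy rewrites the UDP source port, and a "static port" Advanced Outbound NAT rule keeps the LAN port for the destinations it matches. The model keeps a state table keyed on the translated tuple, so it reproduces both observations from the threads: with rewriting, the provider's INVITEs to the port the phone advertised never match a state; with static port, the second phone registering to the same provider from the same public address has nowhere to go. The provider is modelled naively (it trusts the Contact port), and all addresses are made-up documentation ranges.

```python
"""Toy model of what a NAT's source-port policy does to SIP registrations.

Added example, not pfSense or pf code. Models the default policy (rewrite the
UDP source port to a free high port) and a per-destination "static port" rule
that keeps the LAN port. The provider is modelled naively: it sends INVITEs to
the port the phone advertised in its Contact header. Addresses are made up.
"""
import random

WAN_IP = "203.0.113.10"  # assumed public address of the firewall
SIP_PORT = 5060


class NatError(Exception):
    pass


class Nat:
    def __init__(self, static_port_dests=()):
        self.static_port_dests = set(static_port_dests)  # IPs matched by a static-port rule
        self.table = {}  # state: (wan_port, dst_ip, dst_port) -> (lan_ip, lan_port)
        self.rng = random.Random(1)  # fixed seed keeps the example reproducible

    def outbound(self, lan_ip, lan_port, dst_ip, dst_port):
        """Translate an outbound UDP packet and return the WAN source port used."""
        for (wan_port, d_ip, d_port), owner in self.table.items():
            if (d_ip, d_port, owner) == (dst_ip, dst_port, (lan_ip, lan_port)):
                return wan_port  # existing state for this flow
        if dst_ip in self.static_port_dests:
            key = (lan_port, dst_ip, dst_port)
            if key in self.table:  # another LAN host already owns WAN_IP:lan_port to this destination
                raise NatError(f"static-port collision on {WAN_IP}:{lan_port} -> {dst_ip}:{dst_port}, "
                               f"already used by {self.table[key][0]}")
            self.table[key] = (lan_ip, lan_port)
            return lan_port
        for _ in range(1000):  # default policy: any free ephemeral port
            port = self.rng.randint(49152, 65535)
            if (port, dst_ip, dst_port) not in self.table:
                self.table[(port, dst_ip, dst_port)] = (lan_ip, lan_port)
                return port
        raise NatError("no free ports")

    def inbound(self, src_ip, src_port, wan_port):
        """LAN (ip, port) for a packet from src arriving at WAN_IP:wan_port, or None."""
        return self.table.get((wan_port, src_ip, src_port))


def register(nat, phone_ip, provider_ip):
    """A REGISTER from a NAT-unaware phone: returns (port the provider saw,
    port the phone advertised in its Contact header)."""
    return nat.outbound(phone_ip, SIP_PORT, provider_ip, SIP_PORT), SIP_PORT


def invite_reaches_phone(nat, provider_ip, advertised_port):
    """Does an INVITE sent to WAN_IP:advertised_port match a NAT state?"""
    return nat.inbound(provider_ip, SIP_PORT, advertised_port) is not None


def scenario(provider_ip, static_port_dests=()):
    """Two phones register with one provider; report what a user would observe."""
    nat = Nat(static_port_dests)
    seen, advertised = register(nat, "192.168.1.10", provider_ip)
    result = {
        "port_rewritten": seen != advertised,
        "phone1_gets_calls": invite_reaches_phone(nat, provider_ip, advertised),
    }
    try:
        register(nat, "192.168.1.11", provider_ip)
        result["phone2_registers"] = True
    except NatError:
        result["phone2_registers"] = False
    return result


if __name__ == "__main__":
    PROVIDER_A, PROVIDER_B = "198.51.100.5", "198.51.100.7"  # made-up provider addresses
    print("default rewrite            :", scenario(PROVIDER_A))
    print("static port for provider A :", scenario(PROVIDER_A, {PROVIDER_A}))
    print("provider B still rewritten :", scenario(PROVIDER_B, {PROVIDER_A}))
```

The third call shows the per-destination shape of the fix: a static-port rule scoped to one provider leaves every other destination on the default policy. Real providers vary (many honour rport or the REGISTER's source address, which is the "some scenarios where that works fine" above), so treat the model as the failure mode to test for, not a prediction for a given carrier.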



Re: [pfSense Support] Declined:

2009-03-19 Thread Chris Buechler
What, nobody wanted to attend Bill's meeting he sent to the mailing
list?  :)  We gave him some grief about it last night, he said he got
click happy in gmail.



Re: [pfSense Support] packet loss question

2009-03-19 Thread Chris Buechler
On Thu, Mar 19, 2009 at 7:17 PM, Mikel Jimenez Fernandez
 wrote:
> Oh yeah!! thanks
>
> Is this  normal?
>

yes.  google checksum offloading.



Re: [pfSense Support] Re: Can't get more than 15kpps.

2009-03-22 Thread Chris Buechler
On Sun, Mar 22, 2009 at 5:33 PM, Bill Marquette
 wrote:
> I believe so.  The newer "Core" designs have lower Ghz ratings.  Any
> chance you know the models?  I'm not seeing the VTX feature in your
> dmesg, which makes me think it's not a 5xxx series CPU (which would
> get you more throughput).
>

He said it's an IBM x336 server, which would make it an old 800 FSB
Xeon with HT, not even dual core. Roughly a 4-5 year old box.



Re: [pfSense Support] ACPI/APIC in loader.conf - watchdog timeouts

2009-03-22 Thread Chris Buechler
On Mon, Mar 23, 2009 at 12:38 AM, Dimitri Rodis
 wrote:
>
> hint.apic.0.disabled=1? I thought it was hint.acpi.0.disabled=1 (see
> http://doc.pfsense.org/index.php/Booting_Options, and also the forum posts
> regarding firebox installs)
>

APIC and ACPI are entirely different things. APIC is another one that
can cause problems on some systems.

http://en.wikipedia.org/wiki/Advanced_Programmable_Interrupt_Controller
http://en.wikipedia.org/wiki/Advanced_Configuration_and_Power_Interface



Re: [pfSense Support] Multi-WAN with Fail Over

2009-03-23 Thread Chris Buechler
On Mon, Mar 23, 2009 at 11:04 AM, Alexsander Loula  wrote:
> This is my current setup:
>
> I'm not using CARP, only the Load Balance service (pools).
>

Are the gateways the same?  If so, that won't work as it balances by
gateway IP, you need an intermediate NAT device on one.



Re: [pfSense Support] ACPI/APIC in loader.conf - watchdog timeouts

2009-03-23 Thread Chris Buechler
On Mon, Mar 23, 2009 at 1:02 AM, Dimitri Rodis
 wrote:
> Do you think this has any potential relevance to the firebox watchdog
> timeouts? Obviously I am going to test it and simply observe the results--
> not too hard to reproduce the issue.
>

It could.


> Also, there was a suggestion that using an SMP kernel would alleviate the
> issue also. Given that this is a single core P3, I don't know what
> difference it will make (obviously the kernel locking mechanisms are
> different), but is there a way to easily swap the kernel on embedded with an
> SMP version (if it isn't already--I don't know what the default is for an
> embedded image since there isn't an "installer")?

Mount it rw (run /etc/rc.conf_mount_rw) and copy over the kernel from
a full install. Then switch back to ro with /etc/rc.conf_mount_ro and
reboot.



Re: [pfSense Support] Multi-WAN with Fail Over

2009-03-23 Thread Chris Buechler
On Mon, Mar 23, 2009 at 10:13 PM, Chuck Mariotti  wrote:
> Alex, I share your pain. I’m not a pf guru, but I can’t seem to get this
> working either…
>
>
>
> I have managed to get the Load Balancer Status to turn Green/Yellow/Red as
> expected when I unplug a connection. But the internet gets all wonky… as if
> DNS isn’t working, old records seem to work, some pages take forever, etc...
>

You have to add a static route to push one of the DNS servers over the
second WAN.



Re: [pfSense Support] Multi-WAN with Fail Over

2009-03-25 Thread Chris Buechler
On Wed, Mar 25, 2009 at 5:26 AM, Veiko Kukk  wrote:
>
> No, with two identical machines, using CARP for hardware failover, the dual
> WAN failover does not work with pfsense.
>

Works fine, I've set up a number of boxes like that.  You have
something set up wrong.



Re: [pfSense Support] WAN, VLANS on WAN, and RRD Graph Behavior Graph or Feature?

2009-03-25 Thread Chris Buechler
On Wed, Mar 25, 2009 at 9:16 AM, Vaughn L. Reid III
 wrote:
> I have a pfsense router configured with the following WAN setup.  It's
> running 1.2.2.
>
> Wan Physical Interface Contains:
> WAN is mapped to the default untagged interface (I know this isn't a
> completely normal setup with VLANs also on the interface too, but it's a
> legacy setup I've inherited and am not currently able to change)
> WAN2 through WAN5 are mapped to 802.1q VLANS on this same physical interface
>
> With this configuration, I have noticed the following behavior when viewing
> traffic RRD graphs:
> The WAN interface in the RRD page shows the sum of all traffic on the actual
> physical interface, including the VLAN traffic.
> Each WAN interface VLAN shows only the traffic on that VLAN.
>
> Is this a bug, or is this expected behavior?
>

Expected, there is no way to differentiate between tagged and untagged
traffic. It's showing you the traffic that's passing over that
interface, which includes the VLANs assigned as other interfaces. You
shouldn't use the parent interface with VLANs (for reasons completely
unrelated to this, and not product/vendor specific). I would plan to
change that, or just live with the understanding that the parent
interface will always have the sum of all VLAN traffic and that your
network is possibly open to VLAN hopping from tagged to parent
interface.
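
The accounting described above, as an added example (not pfSense or RRD code): a small 802.1Q parser run over constructed frames. A frame is dst(6) src(6) ethertype(2) payload; a tag sits in front of the ethertype as TPID 0x8100 plus a 2-byte TCI whose low 12 bits are the VLAN ID. Counting every frame on the parent interface, tagged or not, gives exactly the "parent equals the sum of the VLANs plus native traffic" behaviour, and the same parser reports frames carrying more than one tag, which is the thing to watch for on a port that mixes native and tagged traffic. MAC addresses and payloads are made up.

```python
"""Per-VLAN byte accounting on a trunk, as an added example (not pfSense code).

A frame is dst(6) src(6) ethertype(2) payload; an 802.1Q tag is inserted
before the ethertype as TPID 0x8100 + TCI(2), and the low 12 bits of the TCI
are the VLAN ID. Everything is counted on the parent interface, tagged or not,
which is why its graph is the sum of all the VLAN graphs plus native traffic.
Frames and MAC addresses below are constructed.
"""
import struct
from collections import Counter

TPID_8021Q = 0x8100
TPID_QINQ = 0x88A8  # service tag used for provider bridging; treated like a tag here


def build_frame(vlan_ids=(), payload_len=100, ethertype=0x0800):
    """Construct a frame with zero or more stacked 802.1Q tags, outermost first."""
    dst = bytes.fromhex("0011223344ff")
    src = bytes.fromhex("00aabbccdd01")
    tags = b"".join(struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) for vid in vlan_ids)
    return dst + src + tags + struct.pack("!H", ethertype) + bytes(payload_len)


def parse_tags(frame):
    """Return (VLAN IDs outermost first, inner ethertype) for one frame."""
    off, vids = 12, []
    while True:
        if off + 2 > len(frame):
            raise ValueError("truncated frame")
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype not in (TPID_8021Q, TPID_QINQ):
            return vids, etype
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        vids.append(tci & 0x0FFF)
        off += 4


def account(frames):
    """Bytes per logical interface: 'parent' counts every frame on the wire,
    'vlanN' frames whose outer tag is N, 'untagged' native frames. Also
    returns how many frames carried more than one tag."""
    counts, stacked = Counter(), 0
    for frame in frames:
        vids, _ = parse_tags(frame)
        counts["parent"] += len(frame)
        if not vids:
            counts["untagged"] += len(frame)
        else:
            counts[f"vlan{vids[0]}"] += len(frame)
            stacked += len(vids) > 1
    return counts, stacked


def sample_trunk():
    """Constructed traffic mix: native, VLAN 10, VLAN 20, and one double-tagged frame."""
    return ([build_frame()] * 3 + [build_frame([10])] * 2
            + [build_frame([20])] + [build_frame([10, 20])])


if __name__ == "__main__":
    counts, stacked = account(sample_trunk())
    for name, total in sorted(counts.items()):
        print(f"{name:10s} {total:6d} bytes")
    print("stacked-tag frames:", stacked)
```

Nothing in the parent's byte counter can separate the native frames from the tagged ones, which is the same reason the graph cannot: the only difference on the wire is the 4-byte tag, and the parent sees both.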



Re: [pfSense Support] Multi-WAN with Fail Over

2009-03-25 Thread Chris Buechler
On Wed, Mar 25, 2009 at 4:15 PM, Alexsander Loula  wrote:
>
> Could you please share your XML config?
>

The boxes don't belong to me, they're those of various support
customers, so no I can't. If you post yours maybe someone will tell
you what's wrong.



Re: [pfSense Support] Internet at the lake? Rogers Mobile Internet Stick (Rocket) with pfSense?

2009-03-26 Thread Chris Buechler
On Thu, Mar 26, 2009 at 10:09 AM, Vick Khera  wrote:
>
> When we were at BSDCon in DC last month, the local wifi provided was
> over a shared connection built this way by hand using an OpenBSD
> laptop as the gateway to the verizon network via usb stick.  It worked
> quite well for the first day :-)
>

The "first day" part is key there.  :)  It fell apart after that.

pfSense doesn't support any 3G devices. The driver support on FreeBSD
in our experience is somewhere between poor and non-existent depending
on the card. The cards with driver support tend to be old ones you
can't get new anymore.

3G requires PPP support as it's functionally virtually identical to a
POTS dial up modem. PPP dial up support may appear in 2.0. 3G drivers
are a bigger problem.

There are some boxes that'll output 3G to Ethernet in some fashion
(router generally), but they aren't cheap.  $200-300 USD if I recall.
That may be the best bet. One caveat though - don't know how it is in
.ca but most providers here in the US will limit you to 5 GB and
charge an exorbitant amount per MB above that.



Re: [pfSense Support] Multi-WAN with Fail Over

2009-03-28 Thread Chris Buechler
On Wed, Mar 25, 2009 at 10:07 PM, Alexsander Loula  wrote:
> This is my config:
>

You're missing a static route for a DNS server on your second WAN,
assuming you use the DNS forwarder on pfSense. You may be using a
monitor IP that doesn't reliably respond to pings when the connection
is up. Your LAN rules route all TCP to the load balancing pool and
every other protocol out WAN2, which may not be your intention. Your
last LAN rule doesn't do anything because it'll never be hit. Your
balance and failover pools are fine.

I don't see any issues other than that. If you're more specific about
how you're testing and what you're seeing, maybe something will be
apparent.



Re: [pfSense Support] OT: PCI Slot Adapter for 2.5" HDD?

2009-03-29 Thread Chris Buechler
On Sun, Mar 29, 2009 at 10:24 AM, Tim Nelson  wrote:
> Greetings pfSense list! I do apologize in advance for the OT nature of this
> post. Since many of you have great experience with
> different hardware platforms, embedded systems, etc I'm hoping someone can
> help me out. I have a 1U server for a personal project with only two hard
> drive bays in front. However, I have two PCI-E slots in the back that are
> unpopulated and two free SATA ports on the motherboard. I'd really like to
> find a PCI slot bracket for mounting a 2.5" laptop HDD or something similar.
>

I haven't done anything exactly like this, but my recipe for things of
this nature on personal projects is misc. spare metal pieces from old
scrap PCs, Dremel to cut up as needed, and JB Weld to slap it all
together. I'd take a piece of metal or something that fits the drive,
cut up and drill in screw holes as needed, and JB Weld it to a slot
cover.

For those who haven't heard of JB Weld, this is what I'm talking about:
http://jbweld.net/index.php
Shockingly they don't mention computer hardware hacking amongst its uses.  :)

I inadvertently bought a half height PCI-e PRO/1000 card for my home
office ESX server (picture showed full height and I didn't read the
details). Rather than going through the hassle of returning it and
waiting, I chopped off part of the slot with the Dremel, cut up a slot
cover to make up the difference, JB Welded the slot cover to the
remaining bit of slot cover on the NIC, and voila - full height NIC in
no time.  :)  That's just one example of my hardware hackery with
scrap parts, a Dremel, and JB Weld. Some of the gear in my home racks
has generic brackets JB Welded to the sides of the equipment rather
than paying an exorbitant amount for the "real" brackets, and they have been
holding considerable weight for years. The stuff is indestructible.

Maybe not the prettiest solution, but I personally enjoy hardware
hacks like that and they've stood the test of time.



Re: [pfSense Support] multiWAN connection / BGP

2009-03-29 Thread Chris Buechler
On Sun, Mar 29, 2009 at 10:38 PM, Glenn Kelley  wrote:
> I am wondering if there is a way to load balance / and provide connectivity
> via 2 or 3 ethernet connections using BGP with PFSense.
>

Sure, if your ISP allows it. Presuming you mean 2 or 3 Internet connections.



Re: [pfSense Support] Question about traffic graphing

2009-03-30 Thread Chris Buechler
On Mon, Mar 30, 2009 at 11:07 AM, Borowicz, Paul
 wrote:
> I'm using Cacti to graph the interfaces on my Pfsense box.  Before I replaced
> the PIX I was graphing, LAN, DMZ, and WAN.  WAN showed all traffic, so I
> used that to estimate my 95th percentile cost.
>
> Now I am graphing, LAN, DMZ, enc0 (ipsec VPN's), and tun0 (openVPN
> clients).  I like the ability to see these granular views.  I assumed that
> WAN would still show all traffic, since it is really the only externally
> accessible interface.  Is this the case, or does the VPN traffic not show up
> on the WAN interface?

That is the case, everything traversing the wire is shown on that
particular interface including your VPNs.



Re: [pfSense Support] FW: Help with dynamic routing configuration

2009-03-30 Thread Chris Buechler
2009/3/30 Elvis Palombizio :
>
> Bottom line is I need to modify the RIP engine to allow it to advertise the
> tunnel interface. Any idea on how to do this?
>

You'll have to modify the source code.



Re: [pfSense Support] Intel Atom Install Trouble

2009-03-30 Thread Chris Buechler
On Mon, Mar 30, 2009 at 4:58 PM, Vaughn L. Reid III
 wrote:
> I have a Intel Atom based board that I'm trying to get pfsense to install
> on.  I can boot fine into safe mode but I get a panic message when I try the
> default boot config.  I can reproduce this from both the pfsense ISO and
> after an actual install onto the hard drive.

Sounds like you've tried the usual. You'll probably have to report it
to a FreeBSD list. See:
http://doc.pfsense.org/index.php/Policy_on_FreeBSD_issues



Re: [pfSense Support] FW: Help with dynamic routing configuration

2009-03-30 Thread Chris Buechler
On Mon, Mar 30, 2009 at 2:26 PM, Elvis Palombizio
 wrote:
> Ok. I assume that the modifications would need to be in the routed.inc file 
> somehow so it could generate the correct GATEWAYS
> file or is it more involved than that?
>

That should be it, but I haven't actually checked the code to verify.



Re: [pfSense Support] Template to connect a Cisco router to PFSense using IPSec

2009-03-31 Thread Chris Buechler
On Tue, Mar 31, 2009 at 10:43 PM, Borowicz, Paul
 wrote:
> I was just collaborating on this for the wiki, here is the link.
> http://doc.pfsense.org/index.php/IPSec_between_pfSense_and_a_Cisco_PIX
>

He's running IOS though, which is different from PIX OS. (Luis is a
support customer who opened a ticket on this with more info)

I'm going to write instructions on IPsec with IOS tomorrow.



Re: [pfSense Support] AW: Firebox X series w/ 1.2 and 1.2.2 issue

2009-03-31 Thread Chris Buechler
On Tue, Mar 31, 2009 at 11:37 PM, Tim Nelson  wrote:
> I've just acquired an X500 unit and after throwing boatloads of traffic 
> through it, I haven't seen a single watchdog timeout. Two ports are connected 
> to a switch and a third port to a workstation. I can send you any information 
> on my config if you'd like for testing/comparison.
>

What version are you running on it?  1.2.3 snapshots as of this past
Sunday have re(4) and rl(4) from FreeBSD 8-CURRENT per recommendations
of the FreeBSD developer who maintains that code. It may not be an
issue with snapshots since Sunday.

Those who are seeing watchdog timeouts on re or rl cards should try a
1.2.3 snapshot.



Re: [pfSense Support] AW: Firebox X series w/ 1.2 and 1.2.2 issue

2009-04-01 Thread Chris Buechler
On Wed, Apr 1, 2009 at 12:17 AM, Tim Nelson  wrote:
>
> D'oh! I performed my testing with (oddly enough) the latest 2.0-ALPHA-ALPHA 
> snapshot. For some reason I don't have the current
> 1.2.2
> available. Well, that makes my previous post a bit useless...
>

Oh, 2.0 has the same patches, so the same comment applies. Right now
they're both using the exact same OS base.



Re: [pfSense Support] Template to connect a Cisco router to PFSense using IPSec

2009-04-01 Thread Chris Buechler
On Wed, Apr 1, 2009 at 8:11 AM, luismi  wrote:
> We have PIX too, but the configuration we received from the previous team
> is, well, I don't have words to tell you how bad it is. :P
>

Hah.  I can imagine. I've cleaned up some unbelievable messes when
converting PIX configs to pfSense for customers.


On Wed, Apr 1, 2009 at 9:33 AM, Borowicz, Paul
 wrote:
> Different PIX versions have different configs.  This worked fine for a 515e.
>

You know which PIX OS version it's running? Be good to add a note to
that wiki page. Looks like 6.x, though 7.x and 8.x IPsec is very close
to the same if not identical.



Re: [pfSense Support] Wireless segregation and integration question

2009-04-01 Thread Chris Buechler
On Mon, Mar 30, 2009 at 11:32 PM, Tim Dressel  wrote:
> Hi folks,
>
> I have inherited about a dozen schools with internet connections
> between 2Mbit and 10Mbit. Each school has a PFSense box (standard PC,
> hard disk, 1GB ram, 3 nics).
>
> Each PFSense is configured as WAN, LAN, and OPT1 where OPT1 has
> connected several unsecured access points to provide wireless service.
> OPT1 is configured with the Captive Portal which authenticates to a
> school specific radius server hosting account information just for
> that school's users. Most resources are located on the LAN (a handful
> of printers, a few NAS boxes, etc), and for devices that regularly
> need wireless access, a MAC address entry is entered on the Captive
> Portal so those users can bypass it on a regular basis (say a teacher
> who lives in a laptop). For students who need wireless, we force them
> to authenticate to the Captive Portal. OPT1 (once authenticated or has
> MAC entry) has access to LAN and to WAN over those wide open access
> points.
>
> I need to deploy a network operating system, so need to tie together
> all schools with site to site VPN. No big deal, I've already put a few
> together on the bench.
>
> What I would like to have is centralized control of wireless at each
> site, and for wireless entering the wired network I would like at
> least some VPN functionality. Because there are several teachers and
> administrators that on a regular basis move from school to school, the
> way we are set up right now is to have to make individual MAC entries
> on each of the Captive Portals on each of the schools that they might
> visit. This is labor intensive and seems kind of lame.
>
> I tried setting up an entire second parallel set of PFSense boxes, and
> did a site to site for all the wireless traffic, and then have a
> single captive portal at one end of the chain of PFSense boxen. This
> addressed the single point to control the MAC entries over the entire
> district. But then to VPN across to the wired network, I will need to
> set up OpenVPN connections on every device that is wireless. Using
> OpenVPN is a bit of a pain (say 100+ devices). I was thinking about
> using PPTP and doing authentication against AD using IAS, which would
> make it easier (i.e. no vpn client install, just use the built-in
> windows VPN dialer), but then all traffic would have to be routed
> across those site to site links to the point where the actual VPN
> connection was physically being made. Keeping in mind some schools are
> only 2Mbit circuits, this could be a pretty terrible end user
> experience depending on which school you were physically located in.
>
> Tonight I was thinking about the possibility of leaving the MAC
> address entries at each schools firewall, and then scripting a MAC
> address entry out to each firewall. This way the clients could VPN in
> at the school they were physically located in, and access the local
> network resources at close to native wireless speed.
>
> So my questions are:
>
> 1. Can you script copying the MAC's across multiple PFSense boxes from
> any location (assuming doing from the wired side of any of the site to
> site vpn'd links).
>

Should be able to do so with curl.


> 2. Is there a better way for me to achieve a uniform wireless
> experience with centralized administrative control?
>

Not really, there may be some sort of centralized management interface
in the future that will accommodate things of this nature, but there
are no definite plans for that.


> 3. The only reason I'm considering PPTP is because of the pain it is
> to generate OpenVPN keys,,, is there an easier way to deal with road
> warriors (like Zerina for IPCop)?
>

In 2.0 yes, in 1.2.x easyrsa is the way to go. Some info here on how
to run it on your firewall, though that's not necessarily the best
place to put it.
http://doc.pfsense.org/index.php/Easyrsa_for_pfSense


> 4. I've read a bit about CARP, but seems to be mostly related to
> multi-wan,,, any chance CARP might fit into this solution?
>

It's for hardware redundancy, and will sync the config to the backup
firewall, but not in the manner you desire.
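
The "script it with curl" answer to question 1, worked out as an added example (not pfSense code): pfSense 1.2 has no management API, so the script drives the same webGUI forms a browser or curl would, once per school, from the wired side of the site-to-site links. Every page and field name here is an assumption taken from the 1.2 webGUI (index.php with usernamefld/passwordfld, services_captiveportal_mac_edit.php with action/mac/descr, the apply button on services_captiveportal_mac.php) and must be checked against the HTML of the version actually deployed; 2.0 adds a CSRF token this script does not send. Hosts, credentials and MACs are made up.

```python
"""Push one Captive Portal MAC pass-through list to several pfSense 1.2 boxes.

Added example, not pfSense code. Drives the 1.2 webGUI forms directly; page
and field names are assumptions to verify against your version's HTML.
Hosts, credentials and MAC addresses below are made up.
"""
import http.cookiejar
import re
import urllib.parse
import urllib.request

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def normalize_mac(mac):
    """Accept 00-11-22-33-44-55, 001122334455 or 00:11:22:33:44:55 and
    return the lower-case colon form the webGUI expects."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def is_valid_mac(mac):
    try:
        return bool(MAC_RE.match(normalize_mac(mac)))
    except ValueError:
        return False


def passthrough_form(mac, descr):
    """Form body for services_captiveportal_mac_edit.php (field names assumed;
    the description is truncated to keep it within the field's length)."""
    return {"action": "pass", "mac": normalize_mac(mac), "descr": descr[:64], "Submit": "Save"}


class Firewall:
    """One pfSense box; the cookie jar carries the webGUI session between posts."""

    def __init__(self, base_url, user, password):
        self.base = base_url.rstrip("/")
        jar = http.cookiejar.CookieJar()
        self.opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
        self.creds = {"usernamefld": user, "passwordfld": password, "login": "Login"}

    def _post(self, page, fields):
        data = urllib.parse.urlencode(fields).encode()
        with self.opener.open(f"{self.base}/{page}", data, timeout=15) as resp:
            return resp.read().decode(errors="replace")

    def login(self):
        body = self._post("index.php", self.creds)
        if "usernamefld" in body:  # the login form came back: bad credentials
            raise RuntimeError(f"login failed on {self.base}")

    def add_passthrough(self, mac, descr):
        self._post("services_captiveportal_mac_edit.php", passthrough_form(mac, descr))

    def apply_changes(self):
        self._post("services_captiveportal_mac.php", {"apply": "Apply changes"})


def sync(firewalls, roaming):
    """Add every (mac, descr) in roaming to every firewall; return a per-host status."""
    status = {}
    for fw in firewalls:
        try:
            fw.login()
            for mac, descr in roaming:
                fw.add_passthrough(mac, descr)
            fw.apply_changes()
            status[fw.base] = "ok"
        except Exception as exc:  # one unreachable school must not stop the rest
            status[fw.base] = f"failed: {exc}"
    return status


if __name__ == "__main__":
    ROAMING = [("00-11-22-33-44-55", "teacher laptop A"), ("001122334466", "admin laptop B")]
    SITES = [Firewall(f"https://10.{n}.0.1", "macsync", "change-me") for n in (1, 2, 3)]
    for host, result in sync(SITES, ROAMING).items():
        print(host, result)
```

Run it over HTTPS with a dedicated webGUI account rather than the admin user, and keep the credential out of the source in anything beyond a test. The webGUI answers an input error (a duplicate MAC, for instance) with a 200 page carrying the message rather than an HTTP error, so a rerun should grep the returned body before trusting "ok". The broader caveat is the one in the question itself: a MAC pass-through entry is trivially spoofed, so it buys convenience, not authentication; the per-user VPN or RADIUS path is what actually identifies the teacher.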



Re: [pfSense Support] Template to connect a Cisco router to PFSense using IPSec

2009-04-01 Thread Chris Buechler
On Mon, Mar 30, 2009 at 4:05 PM, luismi  wrote:
> Is there anyone here, in the list, with a template to configure a Cisco
> router against a pfsense firewall using ipsec?
>

For anyone who runs across this in the archives, here are the instructions:
http://doc.pfsense.org/index.php/IPsec_between_pfSense_and_Cisco_IOS



Re: [pfSense Support] Inbound Source IP Busted

2009-04-03 Thread Chris Buechler
On Fri, Apr 3, 2009 at 12:39 PM, pfsense  wrote:
> I am using 1.2.2 on a box with only a few inbound NATs for
> our mail system. The problem is (this is the case using
> regular port forwarding or 1:1), the source IP shows up at
> the mail system as the LAN IP of the PFSense server instead
> of the actual IP of the sender.
>
> Obviously, our mail system thinks every email message is
> coming from the LAN interface and permits it so it is
> breaking all of our filtering. Any ideas of what I have done
> wrong here? I enabled advanced outbound NAT so I could
> direct traffic to another local subnet but thats pretty much
> it. 3 inbound port forwards, 2 advanced outbound nats.
>

Has to be your NAT config, exactly how is it setup?



Re: [pfSense Support] IPsec VPN times out requires ping to restart

2009-04-04 Thread Chris Buechler
On Fri, Apr 3, 2009 at 3:29 PM, Borowicz, Paul
 wrote:
> I have a problem with a vpn between my pfsense box and an ASA box.  I've
> noticed the same problem between PIX and pfsense.  The VPN works fine, but
> when there is no traffic for awhile it will stop receiving connections.  The
> ASA side will try to send, but the pfsense side will not respond.  If I ping
> across the VPN from the pfsense side the VPN comes back up instantly.
>

What do the logs show on both ends when this happens?  Especially the
pfSense side as it seems the Cisco is sending something it doesn't
like when initiating the connections.



Re: [pfSense Support] RE: Load Balancer Using TCP

2009-04-04 Thread Chris Buechler
On Thu, Apr 2, 2009 at 12:22 AM, Nathan Eisenberg
 wrote:
> Here's what ends up in slbd.conf when I save my config:
>
> servicename:\
>     :poolname=poolname:\
>     :vip=x.x.x.x:\
>     :vip-port=80:\
>     :sitedown=x.x.x.x:\
>     :sitedown-port=80:\
>     :method=round-robin:\
>     :services=2:\
>     :service-port=80:\
>     :0=192.168.20.61:\
>     :1=192.168.20.62:\
>     :tcppoll:send=:expect=:
>
> Why is it using TCPPoll if I have it set to use ICMP in the gui?
>

That was a bug, and strangely you're the first to notice. I've always
used TCP for server load balancing configurations and suspect everyone
else must as well (well, they are whether or not they realize it).

I just committed a fix, it'll be in 1.2.3 snapshots built at least 2
hours from now or you can manually apply this diff.
https://rcs.pfsense.org/projects/pfsense/repos/mainline/commits/d38805bc18a69dda3b33ca3a193420ff656d33dd

There is another issue where TCP is always selected when you edit an
existing pool, haven't fixed that yet but will.
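
The check that would have caught this, as an added example (not pfSense or slbd code): a parser for the termcap-style slbd.conf quoted above, so the generated file can be compared with what the GUI claims. SAMPLE is the record from this thread with its x.x.x.x placeholders replaced by documentation addresses; the only monitor keyword the thread shows is tcppoll, so the monitor check below is simply whether that capability is present.

```python
"""Parse the termcap-style slbd.conf pfSense 1.2 writes and check what it says.

Added example, not pfSense or slbd code. SAMPLE is the record posted in this
thread with placeholder addresses replaced by documentation ranges.
"""

SAMPLE = """\
servicename:\\
    :poolname=poolname:\\
    :vip=203.0.113.10:\\
    :vip-port=80:\\
    :sitedown=203.0.113.11:\\
    :sitedown-port=80:\\
    :method=round-robin:\\
    :services=2:\\
    :service-port=80:\\
    :0=192.168.20.61:\\
    :1=192.168.20.62:\\
    :tcppoll:send=:expect=:
"""


def parse_slbd(text):
    """Return {service_name: {"caps": {key: value}, "flags": {bare capabilities}}}.

    Records are termcap-style: 'name:' followed by ':key=value:' capabilities,
    with a trailing backslash continuing the record onto the next line.
    Only IPv4 values are expected (an IPv6 literal would be split on ':')."""
    records = {}
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        logical.append(buf + line)
        buf = ""
    if buf:
        logical.append(buf)
    for rec in logical:
        name, *fields = rec.split(":")
        caps, flags = {}, set()
        for field in fields:
            if not field:
                continue  # '::' where two continuation lines were joined
            if "=" in field:
                key, value = field.split("=", 1)
                caps[key] = value
            else:
                flags.add(field)
        records[name] = {"caps": caps, "flags": flags}
    return records


def backends(record):
    """The numbered real servers, checked against the declared 'services' count."""
    n = int(record["caps"]["services"])
    servers = [record["caps"][str(i)] for i in range(n)]
    extra = [k for k in record["caps"] if k.isdigit() and int(k) >= n]
    if extra:
        raise ValueError(f"services={n} but extra server entries {extra}")
    return servers


def uses_tcp_poll(record):
    """True when slbd will probe the real servers with a TCP connect
    (the 'tcppoll' capability), whatever the GUI claimed."""
    return "tcppoll" in record["flags"]


if __name__ == "__main__":
    for name, rec in parse_slbd(SAMPLE).items():
        print(name, "vip", rec["caps"]["vip"], "port", rec["caps"]["vip-port"])
        print("  backends:", backends(rec))
        print("  tcp poll:", uses_tcp_poll(rec))
```

Pointed at /var/etc/slbd.conf on the firewall after saving a pool, the same functions answer the question in the thread directly: if the GUI says ICMP and uses_tcp_poll() still returns True, the GUI and the generated config disagree.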



Re: [pfSense Support] RE: Load Balancer Using TCP

2009-04-06 Thread Chris Buechler
On Sat, Apr 4, 2009 at 9:06 PM, Chris Buechler  wrote:
>
> There is another issue where TCP is always selected when you edit an
> existing pool, haven't fixed that yet but will.
>

Just fixed, diff here.
https://rcs.pfsense.org/projects/pfsense/repos/mainline/commits/fe4df9b7b635cea04eb409a328f0a44c43768b0a




Re: [pfSense Support] MultiWan , not quite sure whats wrong

2009-04-07 Thread Chris Buechler
On Tue, Apr 7, 2009 at 8:34 AM, Chris Flugstad  wrote:
> So I have 2 WANs
> 100.100.100.4   DSL
> 216.127.123.4   Wireless back to Colo
>
> When the Wireless backhaul is disconnected or "down", anything else on its
> subnet is not accessible over the other WAN.  It's as if it only thinks it
> can access it through that WAN and not through the other.  Maybe this isn't
> the case.  I noticed this when I was using the wireless for something else
> and our phones went down.  Service is provided to them on the same subnet as
> the backhaul, and although they CAN get to their server via the DSL, they
> weren't for some reason.  Even after adding a firewall rule to send ANY
> packet on IP of phone to GW DSL line, it still wouldn't.  Creepy?  I'll play
> more with it tomorrow.  Not a problem, as I can just plug back in the
> wireless, but just a thought as to why this was happening, and to avoid it
> in the situation the wireless goes down, God forbid.
>

Probably one of two things:
1) Existing state out the wireless that doesn't get closed when it
fails and no new connection is attempted.
2) Traffic proxied through something on the firewall (ex: siproxd),
which will always obey the system routing table.




Re: [pfSense Support] Possible Outbound NAT Bug in 1.2.3 Snapshot?

2009-04-08 Thread Chris Buechler
On Wed, Apr 8, 2009 at 11:12 PM, Dimitri Rodis
 wrote:
> Currently running:
>
> 1.2.3-RC1
> built on Wed Apr 1 16:59:10 EDT 2009
>
> In addition to a fiber connection at this particular location, there is also
> a second connection brought in via a cable modem. The fiber connection is
> intended to serve the incoming connections to web servers, mail servers,
> etc. The second cablemodem connection is intended for web browsing and other
> misc traffic, as to not bog down the fiber so much.
>
> So, I added an outbound NAT so that traffic originating from the LAN side
> destined to port 80 would use the interface address of the cable connection.
> Initially, this did not work as expected-- until I rebooted pfSense. Web
> traffic did pass, but it was not NATTing to the correct address--I verified
> by browsing to http://www.whatismyip.com, and until I rebooted pfSense, it
> did not report the correct address. So, I tried it again with port 443
> (whatismyip supports SSL :). Sure enough, it reported the old IP address
> until I rebooted pfSense again.
>
> I don't remember having this problem before--why would I need to reboot for
> this to take effect? And yes, I did completely close the browser so that an
> existing state wouldn't be reused.
>
> Bug?

Unlikely, Outbound NAT hasn't changed in a long time.

Any packages installed?




Re: [pfSense Support] CARP Bug in 1.2.3

2009-04-09 Thread Chris Buechler
On Thu, Apr 9, 2009 at 7:00 PM, Dimitri Rodis
 wrote:
> Good deal. I'll go to a later snapshot then.
>
> Are upgrades between snapshots on embedded working at the moment, or should
> I just reflash?
>

Yeah you got hit with the xmlparse.inc issue that was in snapshots for
a couple days. I know CARP is fine in 1.2.3 outside of those couple
days, I've setup 3 CARP pairs on 1.2.3 in the past 2 weeks.

Reflash, and either redo your config from scratch or manually remove
anything that's out of whack.




Re: [pfSense Support] upgrading a certain snapshot

2009-04-10 Thread Chris Buechler
On Fri, Apr 10, 2009 at 2:47 PM, Atkins, Dwane P  wrote:
> We are trying to do a test upgrade using the snapshot,
> pfSense-1.2.3-20090407-1035.img.gz.  It took over 1 hour and 10 minutes and
> the upgrade still had not completed.  The current version of the device is
> 1.2-RELEASE
> built on Thu Apr 10 21:08:03 EDT 2008.
>

You need to use the full update file. You can go straight from 1.2 to 1.2.3.




Re: [pfSense Support] feature request: VPNC

2009-04-11 Thread Chris Buechler
On Sat, Apr 11, 2009 at 6:53 AM, Mikel Jimenez Fernandez
 wrote:
> Hello
>
> I found that there is a port for FreeBSD of the vpnc Cisco client.
>
> http://www.freebsdsoftware.org/security/vpnc.html
> http://www.unix-ag.uni-kl.de/~massar/vpnc/
>
> This is useful when you want to connect your firewall in client mode.
>
> I installed vpnc in pfSense 1.2.2 with pkg_add -r vpnc. I haven't tested it but I
> think that it works OK.
>

Last I looked at it (though it's been years) it didn't work at all
unless you used a kernel with no in-kernel IPsec, meaning the only way
it would work is to break all other IPsec capabilities of the system.




Re: [pfSense Support] First Embedded System

2009-04-12 Thread Chris Buechler
On Sun, Apr 12, 2009 at 4:12 PM, Rainer Duffner  wrote:
>
> That's a bit of a problem. I always re-flash to update.

That won't be necessary for much longer. The next generation of
embedded (based on nanobsd) will be available in 1.2.x and 2.0
releases sometime in the next couple months. Primarily for two reasons
- fixing upgrades for good, and cross-architecture compatibility.
Details to come.


> But most security-vulnerabilities in FreeBSD don't concern parts that are in
> pfSense.
> E.g. all the local exploits don't really apply.
>

Yeah there haven't been any FreeBSD issues in the history of this
project that necessitated a security update release.




Re: [pfSense Support] Re: Can't get more than 15kpps.

2009-04-13 Thread Chris Buechler
On Mon, Apr 13, 2009 at 6:13 AM, Lenny  wrote:
> Hi guys,
> first of all, thanks for all the support!
>
> Anyway, unfortunately, after all the hell I've been through with this, our
> CEO is not interested in buying a new server:(

heh..  How about "sorry, but there is no other option"?  Maybe quote
some big commercial firewalls adequately sized to handle that traffic.
They'll come in at 10* or more the cost of a new server box and see if
that changes his tune.


> But let's put all the "smart" decisions aside as I have to figure out what
> can I replace it with.
> The first thing I thought about was m0n0wall, as I want to stay as close to
> pfSense and FreeBSD as possible.
> So the question is: will the x335 server with 2x3.06GHZ Xeons be enough for
> my traffic? To remind you, I have to handle around 150kpps, which is about
> 300Mb.
>
> From my first look at this distro I saw that it doesn't have SMP, shell
> access and it defaults to 3 states, which is impossible to change unless
> you rebuild the whole thing from scratch.

Yeah that's going to be the primary issue there.


> I was looking at 1.25, because as I understand it's built on FreeBSD 4,
> which should be faster.

And even if you went as far as recompiling the kernel and making a
custom image, I suspect you're not going to get that kind of traffic
through it still. On the high end hardware, the newer FreeBSD versions
are as fast or possibly faster in some scenarios. On low end, single
proc hardware, 4.x is considerably faster.


> If I stand no chance with dealing with such traffic via m0n0wall, is there
> anything you could advise that would actually run on this old machine?
>

It's more of a hardware limit than a software limit.

If you disable the packet filter I'm sure you can push your traffic
load through the hardware you have. Probably defeats the purpose
though.

Been a couple years since I've tested, but last I ran any tests, there
was minimal difference between FreeBSD 7.x and Linux 2.6.x. OpenBSD is
considerably slower than FreeBSD. Bottom line - it's highly unlikely
you're going to push the kind of load you need through that box no
matter what you're running on it.

PCI-e or 10 Gb NICs would perform better, but in the former case I'm
pretty sure your server doesn't have PCI-e slots, and in the latter,
it would be cheaper to buy a new server than 10 Gb NICs.




Re: [pfSense Support] Dell PRO/1000VT Quad port NIC

2009-04-13 Thread Chris Buechler
On Mon, Apr 13, 2009 at 11:35 AM, Mikel Jimenez Fernandez
 wrote:
> Hello Tim
>
> I have not had good experiences with the igb driver...
> My experience was with
> http://www.intel.com/Products/Server/Adapters/Gb-ET-Dual-Port/Gb-ET-Dual-Port-overview.htm
> that uses 82576.
>
> IMHO better choose one that is supported by FreeBSD 7.0 and uses the em driver
>

I don't have any of the cards myself, but the igb cards should perform
considerably better than em cards. Whether the driver is unstable in
combination with one specific piece of hardware (most likely), or one
particular NIC, or unstable in general I don't know.




Re: [pfSense Support] upgrading a certain snapshot

2009-04-13 Thread Chris Buechler
On Mon, Apr 13, 2009 at 12:16 PM, Atkins, Dwane P  wrote:
> I am guessing I can do this with a firmware upgrade?  I am not going on about 
> 10 minutes.  Can someone please give me an idea of how long this upgrade 
> should take?
>

Depends on the specifics of your hardware, shouldn't take more than
10-20 minutes at most on a hard drive install.

> I am using the following to upgrade per our latest conversation.  
> pfSense-Full-Update-1.2.3-20090407-1323.tgz.  If I click on anything, I get a 
> display of a hard drive stating that an upgrade is in progress and the system 
> will reboot once completed.
>

That's the correct file. Try the console upgrade via SSH, pasting in
the snapshot URL.




Re: [pfSense Support] RE: [SPAM] Re: [pfSense Support] website browsing

2009-04-13 Thread Chris Buechler
On Mon, Apr 13, 2009 at 1:28 PM, Gary Buckmaster
 wrote:
> This is not the way to do this as the configuration will not survive
> reboots.  You can set the MTU on the interface configuration page for your
> WAN interface in the webGUI.  I would encourage you to check that out.

In addition, it won't affect traffic through the firewall if you set
it via ifconfig. Setting it on the WAN page as Gary instructed will
enable MSS clamping for traffic through the firewall.




Re: [pfSense Support] RE: [SPAM] [pfSense Support] RE: [SPAM] RE: [pfSense Support] RE: [SPAM] RE: [pfSense Support] RE: [SPAM] Re: [pfSense Support] RE: [SPAM] Re: [pfSense Support] website browsin

2009-04-16 Thread Chris Buechler
On Thu, Apr 16, 2009 at 7:50 AM, Juan Rivera
 wrote:
> Hey, this is getting worse. We can't even get to the home page now; we have
> to hit refresh over and over so we can get to the home page. It's running
> really slow, I think just like dial up lol. Well, I don't know what else to
> do. I called our provider and they said everything seems to be good. I
> connected a laptop straight on the router and it loaded in 17 milliseconds.
> Any setting on the firewall could be wrong, or do you think the computer
> where pfSense is installed is not good enough? The specs are 700 MHz,
> 512 of RAM and 100 Mb/s NIC cards. Let me know what you guys think.
>

That's adequate unless you have a 50+ Mb Internet connection. (depends
on the NICs, with good NICs you can push 100 Mb wire speed through a
box of that spec).

Your state table exhausted?  With that much RAM you can easily bump it
to 10 (under System ->Advanced)




Re: [pfSense Support] Reboot on virtual IP

2009-04-17 Thread Chris Buechler
On Fri, Apr 17, 2009 at 12:42 AM, Tim Dressel  wrote:
> Hi folks,
>
> We've been playing around at work with binding multiple IP's to the
> WAN interface so that we can port forward the same ports from
> different IP's to different services on the LAN side.
>
> Has anyone ever seen when you add a second virtual IP, and then create
> the NAT on the second (also creating the rule at the same time) for
> PFSense to hard crash and reboot?

Using CARP VIPs?  CARP can be finicky, if you don't do things exactly
a certain way, it'll panic. The system should prevent all of those
things though, most were fixed in 1.2 RCs and earlier, though if
you're using VLANs there's another fix in 1.2.1 for some scenarios.
Should be impossible to panic with CARP on the latest version if
you're doing everything through the GUI.




Re: [pfSense Support] Firewall rules keep failing

2009-04-17 Thread Chris Buechler
On Fri, Apr 17, 2009 at 4:15 AM, Graeme Evans
 wrote:
>
> Situation:
>
> I have a simple pfSense setup with a single pfSense 1.2.2 computer, 1 WAN
> interface, and 2 local interfaces - one named LAN (10.0.0.0/24), and the
> other is Workshop (10.0.1.0/24).  We have all sorts of computers including
> infected PCs connected to our Workshop interface so there are firewall
> rules set up only to allow internet access from both local interfaces and on
> the Workshop interface some simple rules allowing things like FTP access
> to our fileserver on the LAN interface. We want no other access between
> subnets. We also have squid installed in transparent mode listening on the
> Workshop interface only, lightsquid,

If you uninstall squid does it change?  If traffic isn't getting
logged and you have logging on all your firewall rules, squid has to
be picking it up. There are a number of potential consequences of the
squid packages, this may be one.




Re: [pfSense Support] Firewall rules keep failing

2009-04-17 Thread Chris Buechler
On Fri, Apr 17, 2009 at 4:15 AM, Graeme Evans
 wrote:
>
> PS: anyone know why the registration system on the pfsense forum won’t send
> activation emails – so I can’t register?
>

Oh, and I looked for your email address on the forum and it isn't
there. If you let me know offlist what you registered under I can
manually activate you. Between the mailing lists and forum email, our
mail server sends out a ton of mail, we tend to get wrongly blocked as
spammers quite a bit. Unfortunately backscatter is an issue, with
people trying to spam the mailing list from spoofed addresses which
then get the "you are not subscribed and cannot post" bounce back,
which I'm sure contributes to the occasional blocking. There isn't a
good alternative.




Re: [pfSense Support] Reboot on virtual IP

2009-04-18 Thread Chris Buechler
On Sat, Apr 18, 2009 at 1:07 PM, Tim Dressel  wrote:
> I had zero luck with this in the last few days. Here are some more details:
>
> Internet <--> PFSense <--> procurve managed switch
>
> I have tried three different computers, an old P3 based IBM desktop
> with 512MB on a flash disk and a hard disk, a newer P4 2.8 IBM
> thinkstation with 1gb ram and a hard disk, and an older IBM @server
> dual P3 1.13 with 2gb ram and 6 disks in a raid 5 array.
>
> I have tried Intel Pro 100's, and Intel Pro 1000 (fx and em), and 3COM 
> 3c905b's.
>
> After I wiped and reloaded, at least I didn't get the reboot anymore,
> but on all the pieces of hardware with no difference in nic's, I can
> add the Virtual IP's, create the NAT and the rules, but the only port
> forwards that work are on the main WAN IP. I've tried rebooting
> firewall, rebooting devices that are being pointed to on the LAN side,
> but no joy.
>
> I ended up giving up last night and put up a Linux firewall, did the
> exact same thing using the same hardware, and it just worked. I've got
> 1 IP on the outside, and two virtuals, port forwards all over the
> place, and it's happy.
>
> I would prefer to use pfSense because I am convinced it's a better
> firewall than just about anything out there, but I can't seem to get
> around this issue.
>
> It's easily repeatable, so if someone wants to help me I can do any
> sort of troubleshooting you suggest.
>

tcpdump on WAN to see what's really happening.

My first guess is an upstream ARP cache causing difficulties. Reboot
any upstream modems/routers/etc. that you can get your hands on. If
you're using proxy ARP VIPs, try CARP instead.




Re: [pfSense Support] Attention Firebox X Series Users - Testing Needed

2009-04-18 Thread Chris Buechler
On Sat, Apr 18, 2009 at 2:17 PM, Dimitri Rodis
 wrote:
> Attention Firebox X500/700/1000 Users using pfSense:
>

Glad to hear that looks like it fixes it. There's at least one thread
on the forum reporting this issue as well, might want to post to those
threads too to give those folks a heads up.


>
> Watchdog timeouts getting’ you down? Thinkin’ about throwin’ that old
> Firebox in to the fireplace? Don’t do that just yet! J
>
> Thanks to the pfSense devs, along with Pyun YongHyeon, the maintainer for
> the FreeBSD Realtek network driver, it appears that we may have solved the
> issue with the watchdog timeouts on the Realtek 8139C+ chips that are used
> in these units. For the past couple of days, I have worked with Pyun, and
> yesterday Pyun sent me a patch, and that patch was committed to the 1.2.3
> snapshot builds, as well as to the 2.0 alpha snapshot builds by the pfSense
> devs, and is part of any snapshot build as of yesterday (4/17) at 2pm
> Eastern time, or later.
>
> Snapshot builds can be downloaded from
>
> http://snapshots.pfsense.org/FreeBSD7/RELENG_1_2/
>
> or
>
> http://snapshots.pfsense.org/FreeBSD7/HEAD/
>
> I have been testing a build with this patch since yesterday, and have yet to
> see a single watchdog timeout on my interfaces—and no modifications to
> loader.conf have been made. This is a default install—no special options
> have been set anywhere.
>
> If at all possible, please try to install a recent snapshot build on your
> firebox units (those of you that have them) and test this patch.  If you do
> still receive watchdog timeouts, please let me know either on this list, or
> off-list. Either way, please try to detail what you were doing when the
> watchdog timeout occurred so that we can try to reproduce it, and Pyun can
> fix it.
>
> Thanks to all that have helped, and thanks to those that are willing to
> test!
>
> Dimitri Rodis
>
> Integrita Systems LLC
>
> http://www.integritasystems.com
>




Re: [pfSense Support] Reboot on virtual IP

2009-04-18 Thread Chris Buechler
On Sat, Apr 18, 2009 at 2:33 PM, Tim Dressel  wrote:
>
> There is definitely an upstream router, and I have physical access to
> it but not console. I can power it off and on again, but it tends to
> make the service provider unhappy. I do have a good working
> relationship with the service provider though. Is there something I
> can ask him to change on the router (it's a brand new cisco) so that I
> sound intelligent when I speak to him?
>

Run "clear arp"


> Can I use the fact that my linux firewall works properly to defend
> PFsense by pointing the finger at a config issue on that upstream
> router?
>

It's not config, it's ARP cache. When you swap it out, you have to
wait 4 hours on a Cisco, clear ARP, or reboot the router.




Re: [pfSense Support] Can captive portal authenticate based on windows login

2009-04-21 Thread Chris Buechler
On Tue, Apr 21, 2009 at 1:27 PM, Ryan L. Rodrigue
 wrote:
> First.  Thanks for making the best router software in the world.
>
> Second.   I've searched, but I can't quite figure it out.  I would like to use
> captive portal.  What I want is to have certain users based on Windows
> username and passwords automatically authenticate without seeing the captive
> portal screen.  If the user is unknown, then have them redirected to supply
> alternate credentials.  I was hoping maybe I could do this with a RADIUS
> server.  Any help or suggestions are greatly appreciated.  I hope I am clear
> in what I am asking for.  I am not very familiar with RADIUS and captive
> portal.  Thank you.
>

Without seeing the CP screen, automatically logging them in with
Windows credentials, no. You can authenticate them on the CP screen
with RADIUS using their Windows credentials to IAS on a Windows Server
DC (if you're using AD).




Re: [pfSense Support] Can captive portal authenticate based on windows login

2009-04-21 Thread Chris Buechler
On Tue, Apr 21, 2009 at 3:46 PM, Dimitri Rodis
 wrote:
> Microsoft Internet Security and Acceleration Server (ISA Server), and you
> need to have AD.
>
> I've used it, but only in this particular case. I do not know of anything in
> the open source world that works reliably specifically the way you want it
> to. (That is not to say that nothing exists, I just may not know about it).
> With respect to ISA, there is a client installation (aka Firewall Client)
> that is required to make the authentication transparent--without it, it
> would work just like pfSense would-- with RADIUS against AD, and the user
> would have to enter credentials manually.
>

Not exactly, so long as you're using IE it'll pass through credentials
automatically. The firewall client is so you don't have to configure
all your applications to use a proxy, it automatically picks up any
traffic not destined to your internal networks (as defined in ISA) and
pushes it through the proxy. Works well in the environments I use it.

ISA is a good proxy. I personally don't like it as a perimeter
firewall, and it can be buggy (2006 is much better than 2004 and 2000,
though still quirky at times), but its proxy functionality in a
Windows environment is great. The reverse proxy is also nice if you
use OWA and/or OMA with Exchange.




Re: [pfSense Support] sipproxd with pfSense on EMBEDDED.

2009-04-22 Thread Chris Buechler
On Wed, Apr 22, 2009 at 4:31 PM, Karl Fife  wrote:
> Has anyone here successfully run sipproxd on embedded pfSense?

It's built into 1.2.3.




[pfSense Support] 1.2.3-RC1 released!

2009-04-22 Thread Chris Buechler
Info here: http://blog.pfsense.org/?p=428




Re: [pfSense Support] bridging 2 networks with pfsense+openvpn

2009-04-22 Thread Chris Buechler
You don't *have* to have two subnets, you can bridge OpenVPN, but it's
a bit convoluted, not documented well (yet), and generally I don't
recommend it. You rarely want broadcast traffic traversing a VPN.

On Wed, Apr 22, 2009 at 6:22 PM, Brian Josefsen  wrote:
> Hi
>
> I have 2 pfSense boxes, one embedded on each side of the Atlantic
> Ocean. They connect fine, but I can't contact any of the other side;
> both sides have the pfSense as a primary gw.
>
> network 192.168.1.0/24
> Box local is 192.168.1.241
> Box remote is 192.168.1.242
>
> I can only reach the other box with an ssh login to one of the boxes
> and using ssh to the other box's IP address on the tun adapter.
>
> Do I need fw rules, or am I missing some commands?
>
> --
> Med venlig hilsen / Best regards
> Brian Josefsen




Re: [pfSense Support] Attention Firebox X Series Users - Testing Needed

2009-04-24 Thread Chris Buechler
On Fri, Apr 24, 2009 at 10:32 AM, Andrew Cotter
 wrote:
> Is there an update path from 1.2.2 to 1.2.3-RC1 embedded?

Not a guaranteed reliable one. You can grab an embedded update file
off the snapshot server but it may blow up.

That'll be resolved with the new embedded that's on the way, including
a 1.2.x release, though post-1.2.3.




Re: [pfSense Support] Temporarily blocking hosts

2009-04-25 Thread Chris Buechler
On Sat, Apr 25, 2009 at 5:04 PM, Joshua Schmidlkofer  wrote:
> Support,
>
>  I want to integrate pfSense, or rather, a series of pfSense boxen with
> something like fail2ban.   Is there an interface for temporary rules?   Are
> there faculties for timed operations?   I am thinking of getting a python
> package for my pfSense box and just making a fail2ban server for this
> purpose.  I would look at libssh, make it push keys, etc.   However, is
> there a more structured way to temporarily block hosts besides using pf
> directly?  Mostly, I am lazy, and don't really want to extend the management
> interface, but I do want to add some features.
>

Nothing existing along those lines.

>  I was headed to look up things at the website, but it's down.

Scott and I were at the colo earlier upgrading RAM in the hosting
servers, go figure somebody caught it in the 10 minutes it was down.
:)




Re: [pfSense Support] pfSense based on -STABLE or -CURRENT

2009-04-26 Thread Chris Buechler
On Sun, Apr 26, 2009 at 1:11 PM, Nenhum_de_Nos  wrote:
>
> On Wed, April 22, 2009 13:02, Scott Ullrich wrote:
>> On Wed, Apr 22, 2009 at 9:42 AM, Cristiano Deana
>>  wrote:
>>> Hi,
>>>
>>> i need a pfSense based on 7-STABLE (better) or -CURRENT, to have
>>> working usb support for apple usb2ethernet device.
>>> Is it possible to do? Or can I make a patched and personalized kernel
>>> on pfSense?
>>
>> I will email you off list a link to a FreeBSD 8 version.
>>
>> Scott
>
> no problem to broadcast to me also :)
>

They'll be available soon at http://snapshots.pfsense.org




Re: [pfSense Support] udp load balancing

2009-04-29 Thread Chris Buechler
On Mon, Apr 27, 2009 at 11:55 AM, Paul Mansfield
 wrote:
> is this going to be feature of 1.2.3 or do we need to wait for 1.3?
>

No new features in 1.2.x releases (though a couple came by association
with bug fixes). There isn't a 1.3 anymore, that's 2.0. At a glance,
it doesn't seem to support UDP at the moment, but work on the load
balancer isn't finished yet.




Re: [pfSense Support] PPTP Hangs at "Verifying Username and Password"

2009-05-01 Thread Chris Buechler
On Fri, May 1, 2009 at 5:16 PM, Marty Nelson  wrote:
> I'm sitting behind another pfSense box version 1.2.2
>

If you have the PPTP server enabled, you need to either:
1) disable it
2) http://doc.pfsense.org/index.php/Connect_to_a_remote_PPTP_server_when_you_have_the_pfSense_PPTP_server_enabled




Re: [pfSense Support] draft 802.11n and pfsense

2009-05-05 Thread Chris Buechler
On Tue, May 5, 2009 at 2:22 PM, Markus Golser  wrote:
> Hi I'm wondering if there is a draft 802.11n mini pciE card that works
> nice on pfsense 1.2.2

http://doc.pfsense.org/index.php/Is_802.11n_wireless_supported




Re: [pfSense Support] gre tunnel support

2009-05-07 Thread Chris Buechler
On Thu, May 7, 2009 at 5:21 AM, Mikel Jimenez  wrote:
> Hi
>
> Is it possible to make a GRE tunnel between two pfSenses without using IPsec?
>

Not with nor without, until 2.0.




Re: [pfSense Support] network interface mismatch

2009-05-11 Thread Chris Buechler
On Mon, May 11, 2009 at 10:19 AM, Pete Boyd
 wrote:
> Is there anything that can be done instead of replacing one of the 3Com
> cards?
>

Sounds like a driver issue of some sort, trying 1.2.3 which has a
newer FreeBSD base may make it work.




Re: [pfSense Support] Problem with pftpx - device busy

2009-05-11 Thread Chris Buechler
On Tue, Apr 21, 2009 at 7:43 AM, Peter Allgeyer  wrote:
> Hi,
>
> I just encountered a problem with pftpx. We have an FTP server in the
> DMZ zone. Entering ftp://ftp.server.ip from inside in the browser (for
> example; command-line ftp is the same) shows no listing. After reloading the
> website several times, the listing suddenly appears. Testing the
> same from outside works just fine.
>
> I've found the following lines in /var/log/system.log
> (there are many of them):
> Apr 21 13:34:36 pf01 pftpx[5446]: #23 pf operation failed: Device busy
> Apr 21 13:34:36 pf01 pftpx[5446]: #23 pf operation failed: Device busy
>
> And sometimes even:
> Apr 21 13:41:51 pf01 ftpsesame[4680]: #60 filter_allow failed: Device
> busy
> Apr 21 13:41:51 pf01 ftpsesame[4680]: #60 filter_allow failed: Device
> busy
> Apr 21 13:41:51 pf01 ftpsesame[4680]: #60 filter_allow failed: Device
> busy
> Apr 21 13:41:51 pf01 ftpsesame[4680]: #60 filter_allow failed: Device
> busy
>
>
> Manually stopping/starting of pftpx doesn't help.
>

One of our developers is seeing this too now, though I haven't and
this list post is the only Google hit on that error message (don't you
hate seeing that...). Not sure of the issue yet, we're looking at it.
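As an added example (not from the post and not pfSense code), here is a small parser that runs over syslog lines of the shape quoted above and groups the pf "Device busy" failures by daemon and PID, so that a burst of them can be flagged from the log rather than discovered by reloading directory listings. The log lines inside it are constructed to mirror the ones in the post, and the `flag_bursts` threshold is an arbitrary choice:

```python
"""Aggregate repeated pf 'Device busy' failures from pftpx/ftpsesame in a
BSD syslog file. Added example, not part of the original post; SAMPLE_LOG is
constructed to mirror the lines quoted in the thread."""
import re
from collections import Counter, defaultdict

# Constructed sample of /var/log/system.log lines (same shape as in the post).
SAMPLE_LOG = """\
Apr 21 13:34:36 pf01 pftpx[5446]: #23 pf operation failed: Device busy
Apr 21 13:34:36 pf01 pftpx[5446]: #23 pf operation failed: Device busy
Apr 21 13:35:02 pf01 sshd[601]: Accepted publickey for admin from 192.0.2.10 port 51022 ssh2
Apr 21 13:41:51 pf01 ftpsesame[4680]: #60 filter_allow failed: Device busy
Apr 21 13:41:51 pf01 ftpsesame[4680]: #60 filter_allow failed: Device busy
Apr 21 13:41:51 pf01 ftpsesame[4680]: #60 filter_allow failed: Device busy
Apr 21 13:41:51 pf01 ftpsesame[4680]: #60 filter_allow failed: Device busy
"""

# BSD syslog line: "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
# The FTP helper's failure text: "#<session> <operation> failed: Device busy"
BUSY_RE = re.compile(r"^#(?P<session>\d+) (?P<op>.+?) failed: Device busy$")

def parse_line(line):
    """Return a dict of syslog fields, or None when the line does not parse."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None

def device_busy_events(log_text):
    """Yield (prog, pid, session, op, ts) for each pf 'Device busy' failure."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        b = BUSY_RE.match(rec["msg"])
        if b:
            yield rec["prog"], rec["pid"], b["session"], b["op"], rec["ts"]

def summarize(log_text):
    """Count failures per (program, pid) and record which sessions they hit.

    Returns {(prog, pid): {"count": n, "sessions": [ids], "ops": {op: n}}}.
    """
    out = defaultdict(lambda: {"count": 0, "sessions": set(), "ops": Counter()})
    for prog, pid, session, op, _ in device_busy_events(log_text):
        ent = out[(prog, pid)]
        ent["count"] += 1
        ent["sessions"].add(int(session))
        ent["ops"][op] += 1
    return {k: {"count": v["count"], "sessions": sorted(v["sessions"]),
                "ops": dict(v["ops"])} for k, v in out.items()}

def flag_bursts(log_text, threshold=3):
    """(prog, pid) pairs whose failure count reaches threshold (arbitrary
    default). A burst means the helper repeatedly failed to insert its pf
    rules, so the data connections it should have allowed were never opened."""
    return sorted(k for k, v in summarize(log_text).items()
                  if v["count"] >= threshold)

if __name__ == "__main__":
    for key, ent in summarize(SAMPLE_LOG).items():
        print(key, ent)
    print("bursting:", flag_bursts(SAMPLE_LOG))
```

Pointing this at a real system.log simply means reading the file into `summarize`; unrelated lines (the constructed sshd line above) parse but are ignored because their message does not match `BUSY_RE`.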




Re: [pfSense Support] RE: T1 Saturating - Windows update kills the connection... ??

2009-05-13 Thread Chris Buechler
On Wed, May 13, 2009 at 2:47 AM, Chuck Mariotti  wrote:
> To clarify further...
>
> In this situation, we are downgrading to a T1 (1.5Mbit/1.5Mbit) connection 
> from a new service provider. The current connection is 3Mbit/3Mbit, works, 
> but is insanely expensive (way more than twice the price). Locked into a 
> service agreement. Switching will basically save enough money to not have to 
> lay a person off... So it's pretty important that this works acceptably.
>
> During this new firewall installation, someone decided to run Windows Updates 
> on four computers. Previously, this would not have choked the network, but 
> with the new firewall (and new T1), it is choking it. Choking it dead. The 
> four machines appear to contend for connectivity but after a few minutes, a 
> couple of them just stall, one slows way down to a crawl and another still 
> keeps going (slower). Trying to browse the web on another computer is pretty 
> much impossible. It's all bogged down.
>
> I have removed the dual WAN situation from the puzzle. Restored Factory 
> Defaults and set up pfSense with a single IP and default rules. It is still 
> doing this.
>
> Unfortunately, I'm really not sure if this saturation is exactly what I 
> should be expecting... I've never really had this slow a network nor have I 
> had the need to bog it down, so I've never run into this. Unfortunately, this 
> isn't acceptable so I need to find a solution. I would have thought that 
> pfSense would be able to evenly distribute the requests and dataflow.
>
> I did replace the pfSense box with a cheapo DD-wrt router, just to see if the 
> same results happen. And they did... 1.5Mbit cap maxed out... crawling 
> updates, unable to browse the web.
>

Slowing down considerably when under full load is normal, slowing to
the point that sites don't load anymore when you're just running a few
Windows updates is definitely not. Sounds like there's something wrong
with the T1, or the CPE it's plugged into, whatever has your CSU/DSU.




Re: [pfSense Support] bsnmpd eating cpu

2009-05-16 Thread Chris Buechler
On Fri, May 15, 2009 at 9:53 AM, Jure Pečar  wrote:
> On Mon, 9 Feb 2009 13:41:30 +0100
> Jure Pečar  wrote:
>
>> On Mon, 9 Feb 2009 10:37:27 +0100
>> Jure Pečar  wrote:
>>
>> >
>> > Hello,
>> >
>> > On 1.2-release running on two machines in carp failover mode, we notice 
>> > bsnmpd eating all available cpu all the time.
>>
>> I found out that if I disable MibII snmp module, bsnmpd stops consuming CPU 
>> resources. Does this give any ideas?
>
> Interesting, no reply to this.
>
> Let me ask differently: does any of you who use snmp to get info from pfsense 
> notice increase in cpu usage when bsnmpd is
> started?

Never seen anything like that. Sounds like some sort of bsnmpd or
FreeBSD problem. If you find a solution, let us know.




Re: [pfSense Support] pfSense 1.2-Release -> 1.2.3-RC1 upgrade, FTP problem

2009-05-18 Thread Chris Buechler
On Mon, May 18, 2009 at 6:01 AM, Android Andrew[:]
 wrote:
> Sorry for previous letter with bad subject..
>
> Hello all!
>
> We have faced the following problem:
> after the upgrade of pfSense from 1.2-Release to 1.2.3-RC1, the access from
> the
> internal LAN1 network to FTP-server, located in DMZ, ceased functioning (in
> both
> modes: active/passive) (via the LAN2 network).
>
> The scheme of access:
> LAN1 --> Router (pfSense-box) -->LAN2 --> NAT (black-box) --> FTP-server.
>
> We are allowed to authorise on ftp-server, but fail to get the directory
> listing.
>
> Turning on/off of the FTP-helper does not solve the problem.
> After downgrade to 1.2-Release, the access to the same FTP functions
> successfully.
>
> What is the difference between the pfSense releases (1.2-Release vs.
> 1.2.3-RC1)
> when working with FTP?
>

There aren't any that I'm aware of.

Can you send me a backup of your configuration offlist?




Re: [pfSense Support] Pfsense + Postfix (Relay)

2009-05-19 Thread Chris Buechler
On Tue, May 19, 2009 at 10:56 AM, Jean Carlos Coelho
 wrote:
> Hi all.. a question..
>
>
>   It is possible to install postfix in pfsense 1.2.2 only for mail relay ?
>

Not easily, I've tried before, there are a ton of libraries and other
misc. things not included in pfSense that it wants. It was way more
trouble than it was worth. I posted here asking about a light weight
daemon, other than a full blown MTA, to use as a simple relay and no
one knew of anything.  OpenSMTPD may be a solution for this in the
future.




Re: [pfSense Support] Pfsense + Postfix (Relay)

2009-05-20 Thread Chris Buechler
On Wed, May 20, 2009 at 5:02 AM, Paul Mansfield
 wrote:
> has anyone considered a transparent redirection of SMTP to a specific
> SMTP relay, so that (e.g.) captive portal clients on wifi hotspot can't
> send email without some level of control.
>

You can do that now with a port forward on any address on LAN for TCP 25.




Re: [pfSense Support] wrong boot device after generic install

2009-05-20 Thread Chris Buechler
On Wed, May 20, 2009 at 8:54 PM, David Burgess  wrote:
> Hi all,
>
> I'm new to pfsense and a real novice with FreeBSD, so go easy on me ;)
>
> I used the live CD of pfsense 1.2.3-RC1 to install to a hard drive for
> use in a soekris net5501. When I boot while attached to the serial
> console it appears that it can't find the root filesystem, and I'm
> left with something like this (reconstructed from dmesg):
>
> Trying to mount root from ufs:/dev/ad10s1a
> Trying to mount root from ufs:/dev/ad10s1a
>
>
> Manual root filesystem specification:
>   <fstype>:<device>  Mount <device> using filesystem <fstype>
>                        eg. ufs:da0s1a
>   ?                  List valid disk boot devices
>   <empty line>       Abort manual input
>
> mountroot> ufs:ad1s1a
> Trying to mount root from ufs:ad1s1a
>
> So after entering the correct device it continues to boot properly. I
> guess the device has changed names between install in one machine and
> boot in another. After some searching I see that the time to edit
> /etc/fstab would have been during the install, but that's water under
> the bridge.
>
> I tried editing /etc/fstab at the console with vi but it's telling me
> it's a read-only file. I don't want to mess things up too badly, so
> I'm wondering where to go from here. Is there a quick fix for this or
> am I better off reinstalling and making the change from the installer?
>

Just edit it with vi and exit with :x! to override the ro.




Re: [pfSense Support] Which pfSense version should I install?

2009-05-20 Thread Chris Buechler
On Wed, May 20, 2009 at 9:45 PM, Jonathan Wanak  wrote:
>
> Hi everyone,
>
> I'm about to update a remote pfSense installation I last worked on back in 
> version 1.0.2.  I'm using a PII desktop with 128MB RAM and 3 NICs.  The box 
> runs 2 LANs (public and private), utilizes Captive Portal, connects to the 
> Internet through HughesNet satellite, and uses VPN to provide private 
> network access to certain machines on the public side.
>
> My question is:  Assuming it will be a year before I can update this 
> installation again, which is the best version to install, version 1.2.2 or 
> 1.2.3 RC1?  Should I upgrade or perform a fresh install?
>

Upgrade is fine. For what you're doing, version shouldn't really
matter, either/or is fine.




Re: [pfSense Support] openssh flaw

2009-05-21 Thread Chris Buechler
On Thu, May 21, 2009 at 3:37 PM, David Burgess  wrote:
> http://linux.slashdot.org/article.pl?sid=09/05/21/1824220&from=rss
>
> What versions run in pfsense? Is this something we should be concerned about?
>

This is 6+ month old news, and it's lame, not sure why it's getting so
much attention. It's basically impossible to exploit in the real
world, aside from scenarios where you have an automatic reconnect on a
scripted session, or something of that nature, that will reconnect a
few hundred thousand times. It'll take 11,000+ connection killing
attempts to get 14 bits, and requires MITM which further greatly
reduces the possibility of exploit.

info here:
http://www.openssh.com/txt/cbc.adv

FreeBSD may put out a security advisory, though I suspect if it hasn't
been done yet it won't be. This isn't some "OMG the sky is
falling!!1!1" issue.

To mitigate: if your SSH sessions are getting dropped, don't reconnect
over 11,000 times.  Don't think anyone's going to do that.

With that said, Scott just committed a change to disable CBC.
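As an added example, not pfSense or OpenSSH code and not part of the thread, here is a Python audit of an sshd_config that reports which configured ciphers are CBC modes (the class the advisory linked above covers) and builds a replacement Ciphers line that keeps the configured non-CBC ciphers and adds the CTR modes. The config text is a constructed sample; the cipher names are the standard OpenSSH names of that period:

```python
"""Audit an sshd_config for CBC-mode ciphers and build a replacement Ciphers
line. Added example, not pfSense or OpenSSH code; SAMPLE_CONFIG is constructed."""
import re

# Constructed sshd_config fragment with a commented-out directive and a
# mixed cipher list.
SAMPLE_CONFIG = """\
# sshd_config (constructed sample)
Port 22
Protocol 2
#Ciphers aes256-cbc
Ciphers aes128-cbc,3des-cbc,aes128-ctr,aes256-ctr,blowfish-cbc
PermitRootLogin no
"""

# CTR-mode ciphers available in OpenSSH of the period; not affected by the advisory.
CTR_CIPHERS = ("aes128-ctr", "aes192-ctr", "aes256-ctr")

def cipher_directives(config_text):
    """Values of every active Ciphers directive, in file order.

    sshd uses the first occurrence of a keyword, so index 0 is the one in
    force. Whole-line comments (leading '#') are skipped.
    """
    values = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(?i)^ciphers\s+(\S+)$", line)
        if m:
            values.append(m.group(1))
    return values

def effective_ciphers(config_text):
    """Cipher list sshd would use, or None when no directive is set and the
    compiled-in default (which in this era included CBC modes) applies."""
    values = cipher_directives(config_text)
    return values[0].split(",") if values else None

def is_cbc(cipher):
    """OpenSSH names every CBC-mode cipher with a '-cbc' suffix."""
    return cipher.lower().endswith("-cbc")

def audit(config_text):
    """Return {'explicit': bool, 'cbc': [names], 'recommended': 'Ciphers ...'}.

    'explicit' is False when the file relies on the default list; 'cbc' is
    then empty because the default is not visible in the file, and the
    recommendation is to pin the CTR modes explicitly.
    """
    ciphers = effective_ciphers(config_text)
    explicit = ciphers is not None
    cbc = [c for c in ciphers if is_cbc(c)] if explicit else []
    keep = [c for c in ciphers if not is_cbc(c)] if explicit else []
    for c in CTR_CIPHERS:
        if c not in keep:
            keep.append(c)
    return {"explicit": explicit, "cbc": cbc,
            "recommended": "Ciphers " + ",".join(keep)}

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

The hardened line has the same effect as the change described in the reply: clients that only offer CBC ciphers will no longer negotiate a session, so check what your scripted clients support before applying it.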




Re: [pfSense Support] dyndns on multiWAN

2009-05-25 Thread Chris Buechler
On Tue, May 26, 2009 at 12:29 AM, David Burgess  wrote:
> Hi,
>
> I see the question in the archives, but no answer. What would be the
> correct way to set up dynamic DNS on a multiwan setup?

You can't until 2.0. Only WAN is supported.




Re: [pfSense Support] bsnmpd eating cpu

2009-05-26 Thread Chris Buechler
On Tue, May 26, 2009 at 4:34 AM, Jure Pečar  wrote:
> On Sat, 16 May 2009 21:20:13 -0400
> Chris Buechler  wrote:
>
>> Never seen anything like that. Sounds like some sort of bsnmpd or
>> FreeBSD problem. If you find a solution, let us know.
>
> Googling around reveals two possible problems.
>
> One is the emulation of 64bit counters on 32bit platform. People notice 
> exactly the same behaviour we do: 
> http://unix.derkeiler.com/Mailing-Lists/FreeBSD/current/2008-01/msg00982.html
>
> The other is the combination of openbgpd and bsnmpd on the same machine, which 
> could take a significant amount of memory. We're not hitting that yet, but 
> it's something to watch for: 
> http://www.nabble.com/bsnmpd---BGP-full-view-td21169641.html
>
> Who's the proper person to bribe in order to get this fixed? ;)
>

The FreeBSD bsnmpd maintainer(s), though I'm not sure who that is.




Re: [pfSense Support] arm arch?

2009-05-28 Thread Chris Buechler
On Thu, May 28, 2009 at 1:40 PM, Tim Nelson  wrote:
>
> In regards to alternate archs, wouldn't something like ARM or MIPS provide 
> better PPS rates than x86(_64)?

No difference due to the architecture. There are some higher end MIPS
platforms that are equivalent to big $ gear from Cisco, Juniper, et.
al. but they're also considerably more expensive than your typical x86
server class box, and it's more about ASICs than being a MIPS
platform.

We may see support for hardware along those lines at some point in the future.




Re: [pfSense Support] Snort running and update problem

2009-05-30 Thread Chris Buechler
On Sat, May 30, 2009 at 7:30 AM, ozan ucar  wrote:
> Hello All,
>
> I have pfsense 1.2.2 and installed Snort. Snort installs successfully but doesn't
> update.
> I have an Oinkmaster code; when I go to the Snort update page I get an error "Snort success
> installation but dont update."
>

Snort changed around their website earlier this week and broke some
things, now it's fixed but it changed how we have to pull the rules.
We're working on a package update, in the mean time you can't update
rules.




Re: [pfSense Support] Multiwan suggestions before v. 2.0 ...

2009-05-31 Thread Chris Buechler
On Sun, May 31, 2009 at 7:03 AM, Tebano epaminonda
 wrote:
> Hi all.
> I've read that complete multi-WAN support will be available only with the 2.0
> version of pfSense, but I'd like to know if you have any suggestions for doing
> something similar, also using many pfSense boxes instead of a single one, or
> something else.

I have no idea what you're talking about. There is "complete
multi-WAN" support in 1.2.x. What are you wanting to accomplish?




Re: [pfSense Support] Can I install packages if my Pfsense is offline

2009-06-01 Thread Chris Buechler
On Mon, Jun 1, 2009 at 10:24 PM, Rakthum_Network&Telecom_IP#1
 wrote:
> Hello all
>
> My pfSense is offline but I want to install some packages. How can I
> do that?

You can't. It has to download the package list and the packages themselves.




Re: [pfSense Support] Multiwan suggestions before v. 2.0 ...

2009-06-01 Thread Chris Buechler
On Mon, Jun 1, 2009 at 3:59 AM, Tebano epaminonda
 wrote:
> Sorry, Guys.
> I was discussing the limitation reported in the features of:
>
> Inbound Load Balancing
>

What exactly are you referring to?




Re: [pfSense Support] Does it matter which interface I specify for static routes?

2009-06-02 Thread Chris Buechler
On Tue, Jun 2, 2009 at 5:54 AM, Steve Harman
 wrote:
> Hi!
>
>
>
> We have four internal NICs on our pfSense box; “LAN” , “LAN2”, “LAN3” and
> “LAN4”.
>
>
>
> I need to setup a static route for a remotely hosted network at our parent
> company’s office so any traffic destined for that network is directed
> towards our site-to-site VPN concentrator / gateway box sitting on “LAN3”.
>
>
>
> My question is this; when creating static routes for a remote network, say
> 10.0.19.0 in System > Static Routes I’m asked to specify the “Interface”
> from a pulldown menu.  If I specify “LAN” as my Interface does that mean the
> static route is only in effect for traffic on the LAN interface?  (and not
> LAN2, LAN3 and LAN4).
>

No, only use one route, the interface is where that router and subnet
are reachable and applies to everything.




Re: [pfSense Support] Does it matter which interface I specify for static routes?

2009-06-02 Thread Chris Buechler
On Tue, Jun 2, 2009 at 4:24 PM, Evgeny Yurchenko
 wrote:
> May I ask why pfSense web-interface has this option?

It needs to know for NAT rule generation and other purposes. It's a
hold over from m0n0wall, it could figure it out without specifying.




Re: [pfSense Support] running pfsense on soekris net5501

2009-06-02 Thread Chris Buechler
On Tue, Jun 2, 2009 at 5:50 PM, Joseph Wagner  wrote:
> Has anyone been able to get pfsense to run properly on a Soekris net5501
> embedded pc?
>

Lots of people.


> I've installed the embedded image into my board and everything work fine
> except I can't get any traffic to  go through the WAN port.  I am able to
> access the webconfigurator from the LAN port and ping things from the LAN
> port fine.  I've tried switching which ports pfsense uses, different network
> setups, firewall rules, changing cables, you name it.  I still can't get the
> WAN port to ping my DSL gateway or contact anything else.
>

Power cycle your DSL modem. And/or try MAC spoofing whatever you had
plugged in before. Sounds like an ISP issue, one or both of those may
resolve it.




Re: [pfSense Support] running pfsense on soekris net5501

2009-06-02 Thread Chris Buechler
On Tue, Jun 2, 2009 at 6:01 PM, Victor Padro  wrote:
>
> Sometimes you have to uncheck the Block private networks and the Block bogon
> networks boxes on the WAN interface page, have you already done that?
>

You never have to uncheck that for access out to the Internet. Those
only affect traffic initiated from the WAN side, not egress from
internal networks.




Re: [pfSense Support] running pfsense on soekris net5501

2009-06-02 Thread Chris Buechler
On Tue, Jun 2, 2009 at 7:02 PM, Tim Nelson  wrote:
>
> Quickly looking at the previous posts, I don't see where you've specified 
> what type of connection you're setting your WAN to. Is it PPPoE? Static? 
> DHCP? Etc?
>

And also, is it on a private subnet?  Same subnet as your LAN?




Re: [pfSense Support] keep alive

2009-06-03 Thread Chris Buechler
On Wed, Jun 3, 2009 at 12:00 PM, Paul Cockings  wrote:
> Hello list,
>
> I have an annoyance that is driving me bonkers.  I have a Windows XP client,
> a pfsense 1.2.2 configured as a transparent firewall, and a development webserver
> (FreeBSD 7.2).
>
> When I use SSH (PuTTY) or MySQL (SQLyog) to the webserver, after a short
> time the connection 'freezes'/'drops'.  In PuTTY I can cure this by adding
> keep alive = 5 seconds.  In SQLyog I'm not sure the option exists.
>
> I think the problem is caused by the pfsense box.
>
> I'd be grateful for any ideas on how I might cure the 'dropped sessions',
> preferably by changing something on the pfsense box rather than finding
> ways to do more keep alives.
>

Increase state timeouts, either per-rule or globally, but don't go
overboard. You shouldn't rely on inactive TCP connections staying open
for a long period ( > 1 day at most) regardless of what's between the
hosts.




Re: [pfSense Support] Does it matter which interface I specify forstatic routes?

2009-06-03 Thread Chris Buechler
On Wed, Jun 3, 2009 at 9:29 AM, Evgeny Yurchenko
 wrote:
>
> from my experience failover has higher
> priority than a static route as it is implemented by means of pf rules.
>

Yes, that is true. Static routes direct traffic initiated by the
firewall to the appropriate WAN, and direct traffic that does not
specify a gateway, but other than that they have no impact on load
balancing or failover. If you specify a pool in your rules, that
overrides any routing configuration.




Re: [pfSense Support] Feature Requests

2009-06-05 Thread Chris Buechler
On Fri, Jun 5, 2009 at 4:33 PM, Curtis Maurand  wrote:
> Where can we make feature requests?

http://redmine.pfsense.org

with many still at http://cvstrac.pfsense.org as we haven't converted
everything over yet.

> I also can't seem to find any decent documentation on the atrocious way it 
> handles virtual IP addresses.  What I would rather see is
> virtual interfaces.

http://doc.pfsense.org/index.php?title=What_are_Virtual_IP_Addresses%3F

The way they're handled is perfectly fine. We're open to suggestions,
or better yet, your code that does it better.




Re: [pfSense Support] Recommended pfSense Hardware ( UK ~£100) ?

2009-06-06 Thread Chris Buechler
On Sun, Jun 7, 2009 at 2:00 AM, Volker Kuhlmann wrote:
> On Tue 02 Jun 2009 02:35:55 NZST +1200, David Burgess wrote:
>
>> Have a look at these.  The 2-port card
>> is low profile
>
> Yes, sure. But how do you connect one of those to an ALIX board?
>

You can't on the ALIX.2, but the ALIX.1 will work. Only one onboard
NIC on the ALIX.1 but with a 4 port NIC it gives you an option for 5.
Yawarra sells them that way. http://www.yawarra.com.au/hw-alix1.php




Re: [pfSense Support] LAN Drivers RTL8111D on INTEL

2009-06-08 Thread Chris Buechler
On Mon, Jun 8, 2009 at 8:34 PM, Federico Castro
A. wrote:
>
> Hi everyone.
>
> I'm trying to setup an INTEL DG41TY board with 3 LAN cards.  One integrated
> RTL8111D and two D-Link 520 TX PCI.
>
> The D-Links are setup without a problem but the Realtek doesn't come up when
> I boot with the CD ver 1.2.2
>
> Is there a way to add the driver for that card?

No.  Try 1.2.3, the newer FreeBSD might include the driver.
http://snapshots.pfsense.org




Re: [pfSense Support] Multiwan suggestions before v. 2.0 ...

2009-06-10 Thread Chris Buechler
On Wed, Jun 10, 2009 at 10:03 AM, Tebano
epaminonda wrote:
>
>
> I have 2 ISPs with 2 different IPs and routers.
> So I've configured 2 pfSense boxes in load balance and with CARP between them
> (internal and external, so I always have a single IP to manage with routes
> and NATs).
> All works perfectly if all ISPs are working, or if I detach the WAN2-isp
> connection.
>
> But if I try to detach the first one, no one is able to connect to the
> outside from pfSense;
> the pfSenses themselves aren't able to connect to the internet.
>
> I see (correctly!), in the "load balance" status, that only half of the
> monitored IPs are reachable, but if I try to traceroute them, or something
> else, the connection fails.
>

You have something wrong with your policy routing rules, or something.
Traffic from the firewall itself will not follow those rules, and will
be down when your WAN is down. Generally that's no big deal as nothing
is initiated from the firewall other than traffic that you direct
appropriately via static routes (DNS servers).




Re: [pfSense Support] pfsense related problem

2009-06-10 Thread Chris Buechler
On Thu, Jun 11, 2009 at 2:14 AM, Guruprasad-Baysoft wrote:
> Hi
>
> I am using pfsense 1.2.2 version firewall connected to my broadband. I have
> 2 problems as follows
>
>
>
> 1.   Any mail with attachment or big mail size is not able to be sent
> from any system behind pfsense.
>
> 2.   Few websites are not able to be browsed like yahoo and some bank
> sites.
>
>
>
> Whereas when I connect the network directly to the ADSL modem, removing the
> pfsense system, everything above works fine.
>

Put a lower MTU in under Interfaces-> WAN. 1492 is default for PPPoE,
if your modem is doing the PPPoE you have to set it on the WAN page.
Some people seem to need it lower than that, if 1492 doesn't work
lower it to 1400 and see what happens.




Re: [pfSense Support] Multiwan suggestions before v. 2.0 ...

2009-06-10 Thread Chris Buechler
On Thu, Jun 11, 2009 at 2:34 AM, Webmaster
Megastar wrote:
> There is a bug when you want to setup multiwan + load balancing + carp. The
> development team is aware of this.

Ermal committed a kernel patch to pf that should resolve this. It's
only in 8 builds at the moment, it will make its way into 1.2.3.




Re: [pfSense Support] Multiwan suggestions before v. 2.0 ...

2009-06-12 Thread Chris Buechler
2009/6/11 Webmaster Megastar :
> Can you give us an idea of when it will be available in snapshots released
> to public ?
>

Anything from 20090612 and newer should work (there aren't any yet,
they'll be there eventually). Please test and report back.




Re: [pfSense Support] blocking RFC1918 and bogons on 2nd WAN

2009-06-12 Thread Chris Buechler
On Fri, Jun 12, 2009 at 9:10 AM, Paul
Mansfield wrote:
> suppose we have two WAN ports and have turned on the automatic RFC1918
> and bogon blocking; you can see the grey-ed out rules on WAN1 interface.
>
> what's the best way to also do this on WAN2? in particular, how to put
> the list of RFC1918 and bogons into the rule so that their values are
> updated automatically?
>

You can't for bogons until 2.0.  For RFC1918 you can create an alias
and add the rule manually.




Re: [pfSense Support] Inbound load balancer performance under heavy load.

2009-06-12 Thread Chris Buechler
On Fri, Jun 12, 2009 at 5:29 AM, Jose Hernandez wrote:
> Hi,
>
>
>
> Yesterday we had a service launch, and the pfSense inbound load balancer let me
> down big time… We have been using pfSense 1.2-release version installed on
> Dell PowerEdge R200 and CARP for redundancy for around a year now; it proved
> to work although we never have had a very high load.
>

For reasons outside our code base, your FreeBSD 6.2-based version is
better for server load balancing than anything based on newer FreeBSD
versions. There are regressions we found recently in 7.0 through 7.2,
though Ermal may have fixed those, they are not issues in 6.2 to begin
with so I would recommend against upgrading especially since Ermal's
changes haven't been widely tested yet and this is a production
system.

It's very hard to say what might be impacting you here, without
getting into the system.




Re: [pfSense Support] Outbound mail & multi-wan

2009-06-13 Thread Chris Buechler
On Sat, Jun 13, 2009 at 3:07 PM, JJB wrote:
> Hello,
>
> pfsense 1.22
>
> we have a mail server:
>
> mail.domain.com
>
> We have two wan links
>
> WAN_ATT (T1) and WAN (covad DSL)
>
> reverse DNS is configured for the ATT link for mail.domain.com and for the
> covad link as mail01.domain.com
>
> is there some way to enable the mail server to open smtp connections over
> either link as mail.domain.com without failing  reverse and or forward
> lookups? (some more strict email servers do both now).
>

Reverse DNS can be the same on both. For forward lookups that's not
possible, and there isn't any way for your mail server to know which
pipe it's going out to be able to change its hostname. Very few
servers check that forward and reverse matches, most just check for
existence of PTR or that PTR matches EHLO.

I'd keep it on one WAN, but have PTR on the second so you can fail
over. That'll suffice for nearly all mail servers.

> Also, is there a way to force the server to always use either the ATT or
> Covad link to send mail?
>

Yes, setup your rules on the interface with the mail server accordingly.
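To make the three receiver checks named in the reply concrete, here is an added Python model (not from the thread, and not performing real DNS lookups) of the policies a receiving mail server may apply: PTR exists, PTR matches the EHLO name, and forward-confirmed reverse DNS. The zone data is constructed, with documentation addresses standing in for the two WAN links, both PTRs set to the primary name as the reply suggests, and only the primary link's address in the forward record:

```python
"""Model the PTR checks receiving mail servers apply to a sender on a dual-WAN
link. Added example, not part of the original thread; the DNS data below is
constructed (documentation addresses), not the poster's real zones."""

# Constructed reverse zone: both WAN addresses carry the same PTR, as suggested.
PTR_RECORDS = {
    "198.51.100.10": "mail.example.com",   # stands in for the WAN_ATT (T1) address
    "203.0.113.10": "mail.example.com",    # stands in for the WAN (DSL) address
}
# Constructed forward zone: the hostname resolves only to the primary link.
A_RECORDS = {
    "mail.example.com": ["198.51.100.10"],
}

def lookup_ptr(ip, ptr=PTR_RECORDS):
    """PTR name for ip, or None when no reverse record exists."""
    return ptr.get(ip)

def lookup_a(name, a=A_RECORDS):
    """Addresses the name resolves to (empty list when it does not exist)."""
    return a.get(name.lower(), [])

def ptr_exists(ip, helo):
    """Loosest policy: any PTR at all; the EHLO name is ignored."""
    return lookup_ptr(ip) is not None

def ptr_matches_helo(ip, helo):
    """PTR name must equal the EHLO/HELO hostname the client announced."""
    name = lookup_ptr(ip)
    return name is not None and name.lower() == helo.lower()

def fcrdns(ip, helo):
    """Forward-confirmed reverse DNS: the PTR name must resolve back to ip.
    The EHLO name is not consulted."""
    name = lookup_ptr(ip)
    return name is not None and ip in lookup_a(name)

POLICIES = {
    "ptr_exists": ptr_exists,
    "ptr_matches_helo": ptr_matches_helo,
    "fcrdns": fcrdns,
}

def evaluate(ip, helo):
    """Result of each policy for a connection from ip announcing helo."""
    return {name: check(ip, helo) for name, check in POLICIES.items()}

def links_passing(policy, helo, ips=tuple(PTR_RECORDS)):
    """Which of the WAN addresses a receiver applying `policy` would accept."""
    return [ip for ip in ips if POLICIES[policy](ip, helo)]

if __name__ == "__main__":
    for ip in PTR_RECORDS:
        print(ip, evaluate(ip, "mail.example.com"))
    print("no PTR at all:", evaluate("192.0.2.5", "mail.example.com"))
```

With this data the secondary link passes the two common checks and fails only the strict forward/reverse match, which is the situation the reply describes; adding the second address to the forward record is the zone change that would make the strict check pass on both links.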




Re: [pfSense Support] Outbound mail & multi-wan

2009-06-16 Thread Chris Buechler
On Tue, Jun 16, 2009 at 1:37 PM, JJB wrote:
>> Yes, setup your rules on the interface with the mail server accordingly.
>
> I don't know how to set up pfsense to bind the mail server to the AT&T
> network interface instead of the Covad, can someone provide me with details
> of how this would be done? It doesn't look like static routes would work
> since the mail server needs to talk to an unlimited # of machines on the
> internet.
>

Just add a firewall rule matching traffic from the mail server and
select the appropriate gateway or failover pool.




Re: [pfSense Support] forum vs mailing list

2009-06-17 Thread Chris Buechler
On Wed, Jun 17, 2009 at 1:38 PM, JJB wrote:
> Hello,
>
> I didn't realize there is also a pfsense forum and that they are not
> connected. Which is the best place to post technical questions about
> configuration?

Whichever you prefer. Some people like the forum format better,
others mailing lists.



