There was just now a sudden spike in states, ~100x the normal number,
maxing out the system max in just an hour, and causing the system to fail.
With a maxed out state table, of course the system fails to process
traffic. Has anyone seen something like this before, or have any ideas
what
You might try...
(Wait for it)
...AES.
On 12/9/2017 4:02 AM, Eero Volotinen wrote:
Hi,
What are the best IPsec ciphers for AES-NI IPsec acceleration?
Eero
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project
I just applied the newly available 10/9 build. It seems to have fixed
my broken install, by rolling forward.
On 10/9/2017 2:21 PM, Karl Fife wrote:
FYI: Clearly caused by this:
https://forum.pfsense.org/index.php?topic=137682.msg752988#msg752988
--- Snip ---
...we'll get a fix out
l have you back up with less effort than
other solutions.
--- ---
ZFS boot environments could contain this (or any) unforeseen
update/upgrade impact. That's why we run/ran Nano for so long.
On 10/8/2017 1:57 PM, Karl Fife wrote:
Actually, I noticed that resetting to factory defaults, and creating a
simple test config also results in DHCP not starting. Sounds like
something more fundamental was broken in RC. I also notice that my old
Sep 29 image is no longer being offered an update ('on the latest
version') making me
Post update, DHCP service appears to die post update. Is anyone else
seeing this?
I'm seeing it on two separate install locations, both running 2.4RC
*2.4.0-RC* (amd64) built on Sun Oct 08 06:40:54 CDT 2017
both on pcEngines APU2.
Logs say:
rc.bootup: The command '/usr/local/sbin/dhcpd
Someone feel free to challenge me here, or give a +1
In summary: The pfSense UI should not allow users to delete certificates
because admins may be unaware of the implications.
In detail: In OpenVPN, certificates are trusted by way of them being
signed by the CA (i.e. pfSense), that is,
I'm having trouble with NAT'ed traffic through a GRE interface that is
going over an IPsec connection. pfSense itself can get ping replies
from the remote end, but the hosts on the LAN can not. NAT is enabled,
so the source IP for LAN hosts is the local /30 tunnel address. The
irony is that
Is setting the copies=2 option slated to be part of the regular
installer? I recall copies=2 must enabled after-the-fact from the CLI.
Enabling after-the-fact is slightly problematic, because ZFS will only
make multiple copies of NEW blocks written, so in effect the system has
is without
2.1 won't offer an upgrade if the SSD is too small. If you have a 1GB
CF, you will have to flash a larger one.
On 6/7/2017 9:16 PM, Alexandre Paradis wrote:
2.3 support 32 bits, 2.4 doesn't.
Tomer, you should upgrade to the latest version.
On Wed, Jun 7, 2017 at 10:01 PM, Ryan Coleman
Does anyone have experience with the Chelsio T520 series of cards
specifically as it relates to transceiver compatibility?
SFP & SFP+:
We have several applications where we could use these well-supported
cards, some require use of SFP transceivers (not SFP+) such as
1000BASE-LX transceivers.
Can anyone recommend a good mSATA drive (i.e. controller chip) that
supports a full suite of smartctl commands, such as an ATA (hdparm)
secure erase, and self-test? Many have partial support, and it's really
hard to find out what support exists short of bench testing.
Time to do a pcap, and see what's actually happening. Look in the SIP
session description (SDP) and see what IP addresses the client is
telling the other side to communicate with. Divide and conquer.
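The pcap check described above (look at what the SIP client advertises in SDP, then compare it with what the IP header actually says), as an added example that is not code from this thread: a small Python parser that pulls the addresses and ports a SIP endpoint tells its peer to use from the Contact header and the SDP `c=`/`m=` lines, and flags each one that is RFC 1918 space or differs from the IP-layer source of the captured packet. The INVITE below is constructed for the example, as are the addresses and all function names.

```python
import ipaddress
import re

# Constructed sample: a SIP INVITE with an SDP body, as it might be seen in a
# capture on the pfSense WAN side. The phone sits behind NAT at 192.168.1.20
# and advertises that private address; the IP header of the captured packet
# carries the NAT'ed source (203.0.113.5 in this example).
SAMPLE_INVITE = """INVITE sip:2000@sip.example.net SIP/2.0\r
Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776asdhds\r
From: <sip:1000@sip.example.net>;tag=1928301774\r
To: <sip:2000@sip.example.net>\r
Call-ID: a84b4c76e66710\r
CSeq: 314159 INVITE\r
Contact: <sip:1000@192.168.1.20:5060>\r
Content-Type: application/sdp\r
\r
v=0\r
o=- 2890844526 2890842807 IN IP4 192.168.1.20\r
s=-\r
c=IN IP4 192.168.1.20\r
t=0 0\r
m=audio 16384 RTP/AVP 0 8 101\r
a=rtpmap:0 PCMU/8000\r
"""


def split_sip(message):
    """Split a SIP message into a {header-name: [values]} dict and the body."""
    head, _, body = message.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers, body


def parse_sdp(body):
    """Return (session-level c= address, [media dicts]) from an SDP body."""
    session_addr = None
    media = []
    for line in body.splitlines():
        if line.startswith("c="):                # c=<nettype> <addrtype> <address>
            addr = line.split()[-1]
            if media:
                media[-1]["addr"] = addr         # media-level c= overrides session c=
            else:
                session_addr = addr
        elif line.startswith("m="):              # m=<media> <port> <proto> <fmt ...>
            fields = line[2:].split()
            media.append({"kind": fields[0], "port": int(fields[1]), "addr": None})
    for m in media:                              # media without its own c= inherits
        if m["addr"] is None:
            m["addr"] = session_addr
    return session_addr, media


def sdp_findings(message, ip_src):
    """Compare what SIP/SDP advertises with the IP-layer source ip_src.

    One finding per advertised (address, port): whether the address is
    private and whether it matches the packet's actual source."""
    headers, body = split_sip(message)
    _, media = parse_sdp(body)
    advertised = [("sdp %s" % m["kind"], m["addr"], m["port"]) for m in media]
    for contact in headers.get("contact", []):
        match = re.search(r"@([\d.]+)(?::(\d+))?", contact)
        if match:
            advertised.append(("contact", match.group(1), int(match.group(2) or 5060)))
    findings = []
    for where, addr, port in advertised:
        ip = ipaddress.ip_address(addr)
        findings.append({"where": where, "addr": addr, "port": port,
                         "private": ip.is_private,
                         "matches_source": addr == ip_src})
    return findings


if __name__ == "__main__":
    for f in sdp_findings(SAMPLE_INVITE, "203.0.113.5"):
        flag = "" if f["matches_source"] else "  <-- peer will send RTP here"
        print("%-10s %s:%d private=%s%s" % (f["where"], f["addr"], f["port"],
                                            f["private"], flag))
```

A finding whose address is private and does not match the packet source is the classic one-way-audio signature: the far end sends RTP to the address in `c=`, not to the NAT address it received the INVITE from.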
On 3/21/2017 5:42 AM, Martin Fuchs wrote:
what really irritates me is the fact (tried it
I'm in the needless complexity is insecurity camp. Your other
speculations are baseless.
On 2/11/2017 10:18 AM, Matthew Pounsett wrote:
I see that you're in the "NAT is security" camp, which is unfortunately a
misinformed way to approach network security.
I presume your ISP gave you a tunnel network and a public /28, and
you're trying to use the IP's in the /28. Until recently, you had been
binding the tunnel network interfaces directly to your 'wan'.
You should probably be running a second router. The rationale is trust
levels. The first
the config, and restored it to a clean
64-bit image of 2.3.2, and as expected, it 'just worked' with no sysctl
modifications. The upgrade to 2.3.2_1 was also flawless because the old
upgrade URL had been removed from the config.
On 1/25/2017 4:01 PM, Karl Fife wrote:
This is a good theory, becaus
Would you mind sharing a snapshot of your Rangeley-optimized tunables?
IIRC there are un-editable tunables that show on your tunables page that
are not called out in the XML config.
Thanks Vick
On 1/26/2017 9:47 AM, Vick Khera wrote:
On Wed, Jan 25, 2017 at 4:01 PM, Karl Fife <ka
, or is it a community edition installation? If the latter,
Full or Nano?
On 1/25/2017 3:49 PM, Jim Pingle wrote:
On 01/25/2017 01:10 PM, Karl Fife wrote:
The piece that's still missing for me is that there must have been some
change in default system setting for FreeBSD, or some other change
between
the
full version. We will also begin running the full version with 2.4,
(ZFS copies = 2) :-)
On 1/25/2017 1:15 PM, Vick Khera wrote:
On Wed, Jan 25, 2017 at 1:10 PM, Karl Fife <karlf...@gmail.com> wrote:
pfsense 2.2.6 was running without issue on our Supermicro A1SRi-2758F
rangeley
There were changes in the defaults from FreeBSD 9 to 10.
https://pleiades.ucsc.edu/hyades/FreeBSD_Network_Tuning
Could that be it? Old config overwriting new defaults?
-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Karl Fife
Sent: Wednesday, January 25, 2
pfsense 2.2.6 was running without issue on our Supermicro A1SRi-2758F
rangeley board (Intel Atom C2758)
When we upgraded to 2.3.2, the new system failed to boot due to having
insufficient RAM allocated to network memory buffers. We had to
interrupt the boot process increase the value of
Can anyone give a philosophical/design purpose why the general OpenVPN
rules are processed before the interface-specific OpenVPN rules (i.e. an
OpenVPN server bound to an interface). Processing rules from
most-specific to least-specific seems like a more intuitive design
guideline, but I'm
FYI, same circumstances, update is no longer choking on that step.
Thanks
On 10/6/2016 5:16 PM, Karl Fife wrote:
Update is failing over here. Is there perhaps a file missing from a
repo? This is what I'm seeing when I update from the CLI:
...etc...
Fetching php56-5.6.26.txz: .. done
Fetching pfSense-rc-2.3.2_1.txz: . done
Fetching pfSense-kernel-pfSense_wrap-2.3.2_1.txz: . done
pkg:
On 9/8/2016 9:14 PM, Jim Thompson wrote:
On Thu, Sep 8, 2016 at 7:36 PM, Karl Fife <karlf...@gmail.com> wrote:
There is a brand new feature/option in ISC dhcpd 4.3.0 (the DHCP server
version in pfSense 2.3+).
you could say, "Thank you". I drove the old crud out.
I woul
.
Is this in the pipeline? Before making a formal feature request I
thought I'd bounce it off my peers here on the mailing list.
Cheers.
-Karl Fife
https://www.freebsd.org/cgi/man.cgi?query=dhcpd.conf
" ignore-client-uids flag;
If the ignore-client-uids statement is present and has a value of
Functionally related to the implicit auto-lockout rule. Makes sense.
Thanks.
On 8/31/2016 9:49 PM, Jim Pingle wrote:
On 8/31/2016 9:30 PM, Karl Fife wrote:
This suggests the implicit rules are evaluated BEFORE the explicit
rules. Is there a good reason they're evaluated first? I'd expect
If I understand correctly, the actual interface to which the DHCP
service is bound gets an IMPLICIT (hidden) pass rule.
HOWEVER, I have a log rule defined during DHCP activity. I see the
states, and see the LOGS for the DHCP conversations, (wireshark etc),
but the pass rule is not being hit.
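Both rule-order questions in these threads (the hidden DHCP pass rule being evaluated before the user's logging rule, and the OpenVPN group rules running before the interface-specific OpenVPN rules) come down to the same pf mechanic. As an added example that is not code from this thread or from pfSense, here is a small Python evaluator with pf's semantics: the last matching rule wins, except that a matching rule marked `quick` ends evaluation on the spot. pfSense puts `quick` on the rules it generates and on GUI rules, so in practice the first match wins and whatever is loaded first decides. The rulesets, packets, field names and helper names are constructed for the example and are not pf.conf syntax.

```python
from ipaddress import ip_address, ip_network

# Constructed rulesets in the order pf loads them (a simplification of the
# real pfSense ruleset, not pf.conf syntax).
DHCP_RULES = [
    # hidden rule pfSense adds when the DHCP server is enabled on an interface
    {"name": "implicit dhcp pass", "action": "pass", "quick": True,
     "proto": "udp", "dst_port": 67},
    # the user's own logging pass rule from the GUI, loaded after it
    {"name": "user log rule", "action": "pass", "quick": True,
     "proto": "udp", "dst_port": 67, "log": True},
    {"name": "default deny", "action": "block", "quick": False, "log": True},
]

OPENVPN_RULES = [
    # rule on the OpenVPN group tab: pass everything
    {"name": "openvpn group pass any", "action": "pass", "quick": True},
    # stricter rule on the assigned interface (ovpns1) tab: block to the LAN
    {"name": "ovpns1 block to lan", "action": "block", "quick": True,
     "proto": "tcp", "dst": "10.0.0.0/8"},
]


def matches(rule, pkt):
    """True if every field the rule constrains agrees with the packet."""
    if rule.get("proto") and rule["proto"] != pkt["proto"]:
        return False
    if rule.get("src") and ip_address(pkt["src"]) not in ip_network(rule["src"]):
        return False
    if rule.get("dst") and ip_address(pkt["dst"]) not in ip_network(rule["dst"]):
        return False
    if rule.get("dst_port") and rule["dst_port"] != pkt.get("dst_port"):
        return False
    return True


def evaluate(rules, pkt):
    """pf semantics: the last matching rule wins, unless a matching rule is
    marked quick, which stops evaluation immediately. Returns the winner's
    name and the names of the rules that matched along the way."""
    winner, trail = None, []
    for rule in rules:
        if matches(rule, pkt):
            winner = rule["name"]
            trail.append(winner)
            if rule["quick"]:
                break
    return winner, trail


def without_quick(rules, name):
    """Copy of rules with quick cleared on the named rule (a what-if helper)."""
    return [dict(r, quick=False) if r["name"] == name else r for r in rules]


if __name__ == "__main__":
    dhcp = {"proto": "udp", "src": "0.0.0.0", "dst": "255.255.255.255", "dst_port": 67}
    # The hidden rule matches first and is quick: the log rule is never consulted.
    print(evaluate(DHCP_RULES, dhcp))
    # Without quick on the hidden rule, the later user rule would win instead.
    print(evaluate(without_quick(DHCP_RULES, "implicit dhcp pass"), dhcp))
    vpn = {"proto": "tcp", "src": "10.8.0.2", "dst": "10.1.2.3", "dst_port": 445}
    # Group tab is loaded first, so its pass-any swallows the interface block.
    print(evaluate(OPENVPN_RULES, vpn))
```

The practical consequence is that a log or block rule placed on a later tab cannot see traffic a `quick` rule on an earlier tab already passed; to log DHCP hits or restrict one OpenVPN instance, the rule has to live where it is evaluated before the broader match.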
It appears that some of the automatic aliases offered via the GUI when
creating firewall rules can be misleading or incorrect under certain
circumstances.
For example:
If I create an OpenVPN server (say, a remote access type), and assign it
to an interface called, say, VPN_BYOD, I'll see (as
/16/2016 2:19 PM, Karl Fife wrote:
Hey all. I'm trying to get to the bottom of an Ethernet concept:
If an Ethernet switch has no switching/forwarding table entry for a
given MAC, does it flood/broadcast BY DESIGN (e.g. to behave like a
good old-fashioned Ethernet HUB) or is unicast flooding
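To make the flooding behaviour asked about above concrete, here is an added example (not code from this thread) of a minimal learning bridge in Python: it learns the source MAC of every frame on its ingress port, forwards known unicast to exactly one port, and floods broadcast and unknown unicast out every other port, which is the designed behaviour, not a fault. The optional table capacity is included to show the security consequence: once the forwarding table is full a host that cannot be learned keeps being flooded, which is what MAC-flooding attacks rely on. Ports, MACs, the capacity behaviour and all names are constructed for the example; real switches also age entries out, which is omitted here.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningSwitch:
    """Minimal transparent bridge (IEEE 802.1D style learning and forwarding)."""

    def __init__(self, ports, capacity=None):
        self.ports = list(ports)
        self.capacity = capacity      # None = unbounded table (assumption)
        self.table = {}               # MAC -> port (the forwarding database / CAM)
        self.history = []             # (decision, src, dst, in_port, out_ports)

    def learn(self, src, in_port):
        """Record (or refresh) the ingress port of src, if the table has room."""
        if src in self.table or self.capacity is None or len(self.table) < self.capacity:
            self.table[src] = in_port

    def receive(self, in_port, src, dst):
        """Process one frame; return the list of egress ports it is sent out of."""
        self.learn(src, in_port)
        others = [p for p in self.ports if p != in_port]
        if dst == BROADCAST:
            decision, out = "broadcast", others
        elif dst not in self.table:
            # Unknown unicast: flood by design, exactly like a hub would
            decision, out = "flood", others
        elif self.table[dst] == in_port:
            # Destination lives on the port the frame came in on: filter it
            decision, out = "filter", []
        else:
            decision, out = "forward", [self.table[dst]]
        self.history.append((decision, src, dst, in_port, tuple(out)))
        return out


if __name__ == "__main__":
    A, B = "00:00:5e:00:53:01", "00:00:5e:00:53:02"
    sw = LearningSwitch(ports=[1, 2, 3, 4])
    print(sw.receive(1, A, B))   # B unknown: flooded to 2, 3, 4
    print(sw.receive(2, B, A))   # A learned on 1: forwarded to 1 only
    print(sw.receive(1, A, B))   # B learned on 2: forwarded to 2 only

    # Constructed full-table scenario: B can never be learned, so every frame
    # to B keeps reaching every port, including ones an attacker listens on.
    small = LearningSwitch(ports=[1, 2, 3], capacity=1)
    small.receive(1, A, B)
    small.receive(2, B, A)
    print(small.receive(1, A, B), small.history[-1][0])   # [2, 3] flood
```

The takeaway for an analyst looking at a capture: seeing unicast frames for another host on your port is normal right after that host goes quiet or moves, but seeing it continuously points at either a very small or exhausted forwarding table, or at a hub or unmanaged device in the path.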
Makes sense. I was confused, seeing it in the context of analyzing
secure connections to Google subnets. Apparently I'm not "QUIC" enough
on the uptake of the Google's experimental transport layers. :-)
On 8/5/2016 5:41 PM, Jim Pingle wrote:
On 8/5/2016 3:13 PM, Karl Fife w
All of the states in the pfsense states display make sense to me:
e.g. http://www.cs.hofstra.edu/~cscccl/c333/tcp.gif
Maybe I'm having a brain fart, but I'm not finding a good treatise on
the "multiple:multiple" state?
Anyone?
to start
deploying it at customer sites over NetGate hardware.
On Aug 3, 2016, at 10:58 AM, Karl Fife <karlf...@gmail.com> wrote:
+1
You can buy the 'blessed' hardware alone (e.g. CentOS) from netgate for
$300 (2-port) and $350 (4-port). Cheaper than if you buy a
preconfigured pfSense appliance with support. Seems like REALLY
inexpensive insurance to be using vetted hardware that others are also
using. In general,
On 8/1/2016 4:20 PM, Moshe Katz wrote:
You could also use a set of USB over twisted pair adapters, but those
aren't necessarily the most dependable pieces of hardware over long
distances.
Indeed. When something goes wrong, cognitive loads are high, and you
don't want to be dicking around
USB HOST to RS232 adapter
It appears that the new Rangeley-based pfSense certified hardware (2440,
4860) has a mini-USB (client) port for console access.
This "convenience" is ironic for us because I actually prefer RS232,
(because that's the interface everything else uses). As far as I
Over the weekend I did some 32-to-64 bit architecture upgrades on
NanoBSD systems with 64-bit hardware.
The migrations were seamless EXCEPT that in every case, the DNS
forwarder [sic] would fail to work unless selectively un-bound from IPv6
interfaces.
On all of the systems, there was at
On 7/26/2016 8:40 PM, Chris Buechler wrote:
On Tue, Jul 26, 2016 at 7:43 PM, Volker Kuhlmann <hid...@paradise.net.nz> wrote:
On Tue 26 Jul 2016 09:41:37 NZST +1200, Karl Fife wrote:
Interesting how it failed: The fried port 'simply' broke
connectivity for the interface's LAN s
The 6th Ethernet port (em5) on my Lanner fw-7541D died Saturday night
during the electrical storm. Just the one port.
Apparently fried, apparently by an electrical anomaly.
Now, the link light is always on (dimly lit), whether populated or not,
and neither the POST, nor the OS detects the
. Good luck.
-K
On 7/25/2016 2:22 PM, Chris wrote:
Karl Fife wrote:
Are you sure that CIFS is slow because of PPTP? All but the latest
CIFS/SMB protocols are poorly suited for high-latency connections such
as the public Internet (e.g. where you might use VPN). Even under the
best circumstances, many applications don't tolerate it well
DNS Forwarder had a domain override *exception* feature that I don't see in
DNS Resolver. I'm looking for a equivalent/workaround.
Obviously, In both dnsmasq and unbound, I can create a domain override, e.g.
Domain        IP
example.com   10.243.0.1
However, I Don't want the
Ever since upgrading to 2.3, I notice that the CPU utilization is
uncommonly high when a browser is pointed at the Status / Dashboard.
Naturally, this is the php-fpm process. Each instance of php-fpm runs
at between 8 and 40% of my 1.8ghz Atom (dual core, HT). With four or
five dashboard
interface being used, and
if it permanently changes it. I ran into an issue where an application
would randomly quit working. After doing some digging I found that Cisco
AnyConnect had reconfigured the MTU on my wired NIC to 1300, even when the
tunnel was disabled.
On Wed, Jun 15, 2016 at 1:46 PM, Karl
Has anyone had success adjusting MTU on OpenVPN tunnel adapters to deal
with loss amplification across tunnel networks?
By default the MTU on an openVPN adapter(s) are set to 1500, but it
seems that performance in lossy conditions might be dramatically
improved by changing the MTU to
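The "loss amplification" mechanism behind this question, worked through as an added example that is not code from this thread: when an inner packet plus the tunnel's encapsulation overhead no longer fits the path MTU, the outer IPv4 layer fragments it, so one inner packet rides in two wire packets and is lost if either of them is. The Python below computes how many wire packets a full-size inner packet becomes, the resulting effective loss for a given per-packet wire loss, and the largest inner MTU that avoids fragmentation. The 69-byte overhead (20 IP + 8 UDP + 41 for OpenVPN framing) is an assumption chosen for the example; the real figure depends on cipher, HMAC and options, and the model ignores TCP MSS clamping and OpenVPN's own `fragment`/`mssfix` handling.

```python
import math

IP_HEADER = 20                      # outer IPv4 header, bytes
ASSUMED_OVERHEAD = 69               # assumption: 20 IP + 8 UDP + 41 OpenVPN framing


def wire_packets(inner_size, path_mtu, overhead):
    """Number of packets an inner packet of inner_size bytes becomes on the
    wire once encapsulation adds `overhead` bytes. If the result exceeds
    path_mtu, IPv4 fragments it; each fragment carries its own IP header and
    a payload that is a multiple of 8 bytes (except the last)."""
    outer = inner_size + overhead
    if outer <= path_mtu:
        return 1
    per_fragment = ((path_mtu - IP_HEADER) // 8) * 8
    return math.ceil((outer - IP_HEADER) / per_fragment)


def effective_loss(p_wire, n):
    """Probability the inner packet is lost when each of its n wire packets
    is lost independently with probability p_wire."""
    return 1 - (1 - p_wire) ** n


def largest_unfragmented_mtu(path_mtu, overhead):
    """Largest inner packet that still fits in one wire packet."""
    return path_mtu - overhead


def compare(inner_mtus, path_mtu, overhead, p_wire):
    """Map each candidate tunnel MTU to (wire packets for a full-size inner
    packet, effective loss for that packet)."""
    result = {}
    for mtu in inner_mtus:
        n = wire_packets(mtu, path_mtu, overhead)
        result[mtu] = (n, round(effective_loss(p_wire, n), 6))
    return result


if __name__ == "__main__":
    # Constructed scenario: 1 % wire loss on a 1500-byte path.
    print("fits unfragmented up to", largest_unfragmented_mtu(1500, ASSUMED_OVERHEAD))
    for mtu, (n, loss) in compare([1500, 1431, 1400], 1500, ASSUMED_OVERHEAD, 0.01).items():
        print("tunnel MTU %4d -> %d wire packet(s), effective loss %.4f" % (mtu, n, loss))
```

Under these assumptions a 1500-byte tunnel MTU roughly doubles the loss seen by full-size packets (two fragments, either of which can be lost, and the receiver has to reassemble), while anything at or below `path_mtu - overhead` keeps one inner packet per wire packet. Measure the real overhead with a capture before picking a value; the number above is illustrative only.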
With as many rules as an IDS/IPS would evaluate for each packet, it
seems that a multi-threaded option would be an obvious choice,
especially on modern multi-core quasi-embedded systems (e.g.
Rangeley/Atom) with lower absolute clock speeds. Otherwise it seems you
might become effectively CPU
I just upgraded pfSense community edition from 2.2.6 to 2.3 on two
different Lanner FW-7541D's
In both cases the UI reported "Firmware Installation Failed"
thusly: https://imagebin.ca/v/2hkICOAnJnbs
however the unit rebooted, correctly showing the updated version.
The install logs didn't
Of Karl Fife
Sent: Wednesday, May 18, 2016 1:18 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] Soekris Net5501 SSD
Ed, you said it well here: "wear leveling work is in SATA and DOM"
I think this is an important point, because
devices. I’m generally a fan of
the SSDs with metal cases for heat dissipation.
ED.
On 2016, May 17, at 6:09 PM, Karl Fife <karlf...@gmail.com> wrote:
I have about 15 Net5501's OR Lanner FW-7541D's in the field running
embedded/Nano on CF cards. There's not enough space on a 1GB CF to
upgrade to v2.3. Of course I can upgrade to larger CF cards, however
the eventual phase-out of NanoBSD makes me wonder if it's better to
install a SATA SSD
I envision the ideal design to be one in which I can have five or six
(customized) graphs in one view (rather than having only one single
customizable 'default' view). Ideally all of the saved graphs would
visible/rendered together when I go that page, but even if I had some
presets (like an
On 5/2/2016 10:24 AM, Vick Khera wrote:
On Sun, May 1, 2016 at 8:18 PM, Dane Reugger wrote:
I've seen this done with Aruba but not sure it's possible with PfSense but
if it is I would love a guide to get it going.
Use OpenVPN. It doesn't care at all about the NAT.
I've been 'subdividing' some growing networks into multi-lan; guest,
management networks etc.
On every occasion I've observed that it has taken considerable time
(perhaps 10 to 20 minutes) after the DHCP server begins issuing new
leases (to hosts moved from the other interface) before they
I've done this. IIRC It was a PITA.
I'm having trouble finding my notes but my recollection is that the
Cisco nomenclature is different.
Also, the only ciphers and keys I could make work were as follows:
Key exchange v1
Phase 1 Auth
Auth: Mutual PSK
Nego: Main
Phase 1 Prop
AES 128
Sha 1
DH
It appears that pfSense 2.3 and earlier on nanoBSD does not retain its
system clock calibration between reboots.
On certain (certified) systems, this appears to trigger a sequence in
which the offset gets further and further behind, and NTPD tries in vain
to slew the clock, increasing the
6 at 12:31 PM, Karl Fife <karlf...@gmail.com> wrote:
I'm bringing this up in the off chance that it is a bug. I think it
might be expected behavior but want to bounce it off a few others.
I have an installation with two fiber uplinks. Each uplink has an IP on
the ISP's single WAN subnet (e.g. one single subnet, not a pair of
tunnels). This is
Your point about having a one-off solution is a great one. Installing a
single UniFi AP would be unnecessarily complex.
The TP-Link TL-WA801nd is a BGN-only device. Do you (or anyone) have a
preferred stand-alone AC access point?
On 7/22/2015 8:10 PM, Adrian Zaugg wrote:
TP-Link
My specific hardware recommendations are below:
I suspect Geoff's PoE switches did not meet the published requirement
for 802.3at (i.e. more than 15 watts of PoE) rather than being an
idiosyncratic incompatibility.
The irony is that the AVERAGE wattage for AP-AC is actually LESS THAN 15
We've gone all-in with AC in challenging environments (crowded,
congested etc). UniFi AP-AC to be exact. It's awesome.
One trick with UniFi AP-AC (vs AP-PRO) is that UniFi AP-AC *needs*
802.3at PoE PSE. It will APPEAR to work with 802.3af PoE PSE, but it
will choke under even light load.
not, thus it
is good practice to use the smaller netblock to reduce the risk of
conflict when multi-homing, whether it be via VPN or MNO.
On 12/10/2014 12:36 AM, Chris L wrote:
On Dec 9, 2014, at 8:53 PM, Karl Fife karlf...@gmail.com wrote:
In the wild, I'm seeing an increasing number
I agree with you Chris. That's an excellent choice for someone building
out a new network assuming you don't peer with other networks/systems in
that space. Ultimately, it's a crap shoot, and the solution is to use
IPv6 and 6:4 NAT for legacy. Still, if there were a way to easily
invoke
In the wild, I'm seeing an increasing number of crappy consumer/ISP
routers with subnets that conflict with ours (10../8). Comcast appears
to be a common offender, curiously allocating the largest private subnet
to their smallest customers. Of course this breaks VPN due to address
Somehow I overlooked that option. Needless fussing.
Enabling the OpenVPNManager by default seems like it could be a
reasonable option considering that all supported versions of Windows
(Vista/7/8/[10]) require users (even admins) to elevate the OpenVPN
client (and/or create an elevated
I'd like to poll how others have dealt with the issue of non-admin
Windows users running OpenVPN (TUN) for remote access.
If you recall, non-admin users don't have the privilege of inserting
routes, so even though the tunnel is established, it won't be used
without an explicit route.
end users to be able to bring up/down the tunnel, and so auto-starting
as a service proved not workable.
Gordon Russell
Clarke County IT
540 955 5135
- Original Message -
From: Karl Fife karlf...@gmail.com
To: ESF - Electric Sheep Fencing pfSense Support list@lists.pfsense.org
Sent
to me on the 2.1.4 - 2.1.5 upgrade.
On Tue, Sep 9, 2014 at 8:20 AM, Vick Khera vi...@khera.org wrote:
On Mon, Sep 8, 2014 at 8:05 PM, Karl Fife karlf...@gmail.com wrote:
Has anyone else observed that the serial console stops working after a
WebGUI update?
On my ALIX home office router
Has anyone else observed that the serial console stops working after a
WebGUI update?
This has happened consistently with our Lanner FW-7541D's
I can not definitely exclude all other causes, but I observe that all
six have had their console type changed to VGA from Serial, presumably
during
] On Behalf Of Karl Fife
Sent: 16 May 2014 07:55
To: pfSense Support and Discussion Mailing List
Subject: Re: [pfSense] pfSense Routing - VPN's
This is exactly what we do.
We make the hub the OpenVPN server, and the spokes the clients because
the hub IP is static, and we can manage all of the OpenVPN listeners on
one instance.
If your whole network is a /16, and each spoke is a /24, all you need is
a route directive on each of the
The two ends of your MPLS link are on different subnets, so your MPLS
provider will have to route for you. You have to coordinate with them
on that (OR create your own point-to-point tunnel)
For example, YOUR site1 router needs to know that site2's 172.16.11.0/24
subnet is reachable via
What I observe:
When a static mapping is created for a DHCP client, the DNS forwarder
appears to NOT register the mapping (i.e. does not allow DNS resolution)
unless the client is also manually assigned an IP address.
It is my understanding that if the address value is left blank (i.e. if
I'm not quite sure where to start with this one, but ever since we
migrated from version 1.2.3 to 2.0.1, our traffic shaping seems to fail
under many conditions where 1.2.3 'just worked'. The endgame is that
it's fouling up our VoIP telephony.
Essentially, everything's exactly the same as it
If I have a production system running on hardware X, and I want to move
it to hardware Y, is there a way to do so by exporting the configuration
and re-importing it on the other box? It would appear that the answer
is YES and it works 100% perfectly UNLESS the hardware interfaces are
not
... At one
point we did look at making the web interface theme for mobile browsers
a lot more finger-friendly, not sure what happened to that. We had a
mock-up screen with some large icons, one per section, and some JS that
would let you pick the menu entries using those.
I think that's all
Are there any TCP/IP Offload Engine nic's that pfSense can leverage?
A TOE in pfSense could function somewhat like the hardware
packet-forwarding ASICs in the likes of Cisco/Juniper etc, No? If
supported, it seems that a TOE could be an enabling factor for pfSense
in some applications where
...@lists.pfsense.org] On Behalf Of Karl Fife
Sent: Wednesday, 22 February 2012 06:12
To: list@lists.pfsense.org
Subject: [pfSense] Dynamic DNS force update?
Is there a way to force the Dynamic DNS client to post an update?
It would appear that the only way to do this is to change the IP
My question is of course, HOW. How does one change the cached number
without releasing the address on the monitored interface?
-K
On 2/22/2012 11:47 AM, Bob Gustafson wrote:
Change the cached number, then do as Martin Fuchs suggested.
On Wed, 2012-02-22 at 10:02 -0600, Karl Fife wrote:
Hi
1:28 PM, newsgroups.ma...@stefanbaur.de wrote:
On 22.02.2012 19:06, Karl Fife wrote:
My question is of course, HOW. How does one change the cached number
without releasing the address on the monitored interface?
-K
Have a look at the files matching /conf/dyndns* and try editing those.
-Stefan
Is there a way to force the Dynamic DNS client to post an update?
It would appear that the only way to do this is to change the IP address
bound to the monitored interface.
My question very specifically is, is it possible to force an update
WITHOUT changing the interface address?
I have a
80 matches