don’t
know, just tell us what kind of switch(es) are involved.
Lastly, what does your PBX have to do with any of this?
-Adam Thompson
athom...@athompso.net
From: Austin G. Smith [mailto:aus...@digitalcompass.com]
Sent: Tuesday, September 06, 2011
. Most
likely, you’ll have to wait for pfSense 2.2, which might be based on FreeBSD
9.1 – whenever that happens. Since FreeBSD 9 is already in beta, I doubt
support for that chip will be added before release.
-Adam Thompson
athom...@athompso.net
(204) 291-7950 - direct
(204) 489-6515
“ipservices” you’re good to run OSPF. If it also says
in “k9” you’re able to use encryption (but you won’t want to, as the CPU is
very slow).
-Adam Thompson
athom...@athompso.net
From: David Miller [mailto:davi...@gmail.com]
Sent: Thursday, Aug
to any other interpretation...
Regardless, you've clarified the situation now, thank you.
-Adam Thompson
athom...@athompso.net
"This Is Just A Test, Please Ignore The Peanut Panicking Over In The
Gallery. Thank You For Your Cooperation."
-
he CPU could be running slower, or IOAT could be disabled or something
like that in 32-bit mode. I'm only talking about a single data point
here.
Still hoping I misunderstood you anyway,
-Adam Thompson
athom...@athompso.net
---
n… not exactly suitable
for daily use! That means that during installation of pfSense 2.0, your SSD
should release all blocks, which will still help somewhat.
-Adam Thompson
athom...@athompso.net
(204) 291-7950 - direct
(204) 489-6515 - fax
I've been accepting ~ 13k routes inbound advertising nothing. So that part
works, too.
Now you just need confirmation from someone who does both!
-Adam Thompson
Nathan Eisenberg wrote:
>> Does 2.x have BGP support ?
>> We have 2 providers that we wish to connect to via BG
speeds in
excess of 10MBps, it might work as is. No idea what magic AT command
would do so, however - I haven't used serial links (never mind Hayes
command-set modems!) in quite a long while now.
-Adam Thompson
athom...@athompso.net
(204) 291-7950 - dir
snapshot in the very
near future.
I don't think fixing mpd5 could fix the kernel overflow problem suggested
elsewhere, however, so I suggest you not try to use this in a multilink
setup for now.
-Adam Thompson
athom...@athompso.net
-
Although unlikely, that could be symptomatic of bad RAM. Still amazes me that
no-one seems to see the necessity for ECC RAM in networking gear.
It's unlikely that such a problem would cause such an isolated, specific
symptom, however.
-Adam
Volker Kuhlmann wrote:
>I've had this happen sev
, so allowing ESXi to split the VLANs into
multiple vNICs was much, much faster than allowing the VLAN tags to
propagate through to the VM.
-Adam Thompson
athom...@athompso.net
> -Original Message-
> From: David Burgess [mailto:apt@gmail.com]
> Sent: Thursday, July 14, 2011 0
> running 1.2.2 and 1.2.3. This may not work with the 2.x series. It
> is untested there... ***CAVEAT***
This has been discussed here before. Any 1.x scripts that require
authentication will not work with 2.x. For a simple example of exactly
this, see
http://doc.pfsens
t
>something like speedtest.speakeasy.net. Walk through the "traffic
>shaper wizard" specifying that VoIP gets top priority, whether that's
>the internal IP address (or alias) of your VoIP ATA, Asterisk server or
>VoIP telephone.
>
>Good luck
>-Karl
>
>
>
, or PaloAlto.
Is there anything that simple that I can do under pfSense?
Thanks,
-Adam Thompson
athom...@athompso.net
t DHCP on a
separate server instead. (I spent about 20 minutes looking at the source
and decided I didn't feel like re-designing it from the ground up,
especially when so many other things make assumptions about the way DHCP
works now.)
Good lu
I'm wondering if I'm seeing something closely-related: I also have a VIP (CARP)
setup where IPSec will not work properly. I never thought to examine the
actual IPs that closely, though... I'll see if I can replicate the problem
tomorrow.
-Adam
Joshua Schmidlkofer wrote:
>Dear Support,
>
>
"other" network. I just make sure I never learn a default route
from the secondary network - if my primary GW goes down, I should retain
connectivity to the other ~13,000 subnets, but I should lose my route to
the commercial internet. So far, I think it works... not
> Has anyone had any success in setting up a wireless N AP? According to
> the 2.0-RC1 record of tests on wireless cards, only the Marvell 802.11n
> card works, but the only n card I could find of theirs is mini-PCIe.
> Does anyone have any success to report for other n cards, or any success
> in u
This is a frequently asked question both here and elsewhere, including
squid-specific forums.
The question arises from an imperfect understanding of IP networking. One of
the cornerstones of IP is the decoupling of data-link and network layers.
There is no inherent requirement in IP to even h
here?
(I’m trying to use GRE so I can run a routing protocol; apparently OSPF and
IPSec tunnels don’t really work together in pfSense.)
Thanks,
-Adam Thompson
athom...@athompso.net
up for static LAG and .1Q tagging, so would not normally have any
network connectivity until I configured pfSense to match.
-Adam Thompson
athom...@athompso.net
_itself_over
> _IPsec_VPN%3F
...I forgot to search the *website*. Duh.
That needs some updating for 2.0; who maintains the website? i.e. should
I use redmine for submitting updated docs, or is there a better process?
-Adam
something like this
before…
Could someone please jog my memory on exactly what I need to add?
(BTW: running 2.0RC1, where that makes a difference)
-Adam Thompson
athom...@athompso.net
installing the SNMPd package for pfSense.
-Adam Thompson
athom...@athompso.net
[Yes, I know I top-posted. Trying to figure out how to turn that off in
Outlook right now...]
-Original Message-
From: John Busch [mailto:jbusch...@gmail.com]
Sent: Friday, April 15, 2011 10:13
To: support
ore than one pfSense install, but this is the first time it’s taking _this_
long – typical is about 60-120 seconds of CPU processing while doing apparently
nothing.
Thoughts? Any way to debug what php is doing that takes so long?
Thanks,
-Adam Thompson
athom...@athompso.net
> -Original Message-
> From: Fuchs, Martin [mailto:martin.fu...@trendchiller.com]
> Sent: Tuesday, March 29, 2011 09:30
> To: support@pfsense.com
> Subject: AW: [pfSense Support] www.pfsense.org down?
>
> > FWIW, I used to sell a lot of HP ProCurve gear; the only switches
> of
> > theirs I
> The one that failed is a 1800-24G, cheapest managed 24 port gig
> switch
> they make. I bought a E2510G-24 to replace it, will use the 1800-
> 24G
> replacement somewhere less critical. Though I know our customers
> have
> at least 10 of those in production networks and this is the first
> one
>
> Was earlier, switch flaked out. Go figure we replace an ancient
> Cat2924 which are ticking timebombs to fail with a brand new HP
> managed gigabit switch and it flakes out within a month..
I'd really like to know, was this one of the old ProCurve models, or one
of the old 3Com/H3C models?
Th
t have not
reached their max lease time?
Thank you,
Dwane
From: Adam Thompson [mailto:athom...@athompso.net]
Sent: Wednesday, March 23, 2011 12:47 PM
To: support@pfsense.com
Subject: RE: [pfSense Support] RE: Release all unused DHCP leases.
Could you explain, please what you mean by ‘r
Could you explain, please what you mean by ‘release all unused DHCP addresses’?
Once you’ve changed DHCP server parameters, nothing actually changes until the
client next renews its lease, so what I think you’re after… is an automatic
process that takes up to 2*previous-max-lease-time. You cou
> The way those in general work (not sure on Fortigate specifically)
> is they MITM HTTPS as a proxy, you have to install a certificate
> on all the clients that it uses so they trust the forged certs
> it provides to the internal clients. There are two HTTPS
> connections, one from client to the f
> From: James Bensley [mailto:jwbens...@gmail.com]
> Sent: Tuesday, March 22, 2011 13:36
> To: support@pfsense.com
> Subject: Re: [pfSense Support] can't block https://facebook.com via
> firefox
>
> I don't believe you can filter https traffic can you?
> I know squid won't cache it, it can't, it's en
I don't doubt that Seth _has_ had success using one technique and not
another, but I would also like to know what kind of "state" he's talking
about.
Using the curl functions from inside PHP _should_ be equivalent to
invoking curl(1) from the command-line. There may be some difference in
defau
Yes. Many clients will automatically ask for longer lease times than your
default.
-Adam
From: Atkins, Dwane P [mailto:atki...@uthscsa.edu]
Sent: Tuesday, March 15, 2011 10:36
To: 'support@pfsense.com'
Subject: [pfSense Support] RE: DHCP server settings
I am not trying to spam mail,
DHCP lease as long
as they keep getting DHCPACKs – it sounds like this might be what you’re
experiencing. The only solution is – usually – to reboot the device. If you
have Win95/98 clients, you may have to use regedit to make it forget its old
lease.
-Adam Thompson
athom...@athompso.net
I don't know
if this is still a problem for them. OTOH, Meru networks tend to be
faster than usual; I remember reading somewhere that these two aspects
were directly linked.
-Adam Thompson
athom...@athompso.net
-
To unsu
> > Am I missing something obvious?
>
> http://doc.pfsense.org/index.php/Why_can't_I_query_SNMP,_use_syslog
> ,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPse
> c_VPN%3F
OK, it was pretty obvious :-)
Does OpenVPN have any similar issues? If not, this might be a reason to
fina
communicate with the remote firewall and servers behind it.
Am I missing something obvious?
I assumed IPSec was set up correctly since every host *behind* the pfSense
boxen works fine…
Thanks,
-Adam Thompson
athom...@athompso.net
ios where
fast convergence is required, but it can be tweaked for that purpose if
needed.
4) Redundant tunnels - see comments re IPSec above. Other tunnel
protocols still need a routing protocol to handle the equal-cost paths so
the kernel doesn't go insane... like OSPF or BGP.
As I sa
I think the OP was referring to running two subnets concurrently on the
same wire, something I often have to do for various reasons, sometimes to
solve co-existence issues while renumbering a network. I have no idea how
to accomplish this in pfSense; apparently I haven't had to do this since I
Thank you for the suggestion, but none of those packages work as-is.
The “simplest” solution would appear to be: include ipmi(4) in the kernel… I’m
quite familiar with OpenBSD, but not so much with FreeBSD – and definitely not
familiar enough with it to want to attempt recompiling my own kernel
ect: Re: [pfSense Support] Swap
>
> If I understood correctly James tried to expand existing swap and
> somehow he can not do it by merging existing and new partitions.
>
> On 10.11.2010 19:47, Adam Thompson wrote:
> > Why not just add the necessary line to /etc/fstab, and le
Why not just add the necessary line to /etc/fstab, and let the boot-time
rc scripts mount it like usual?
(Note: I _am_ running 2.0, this might be a useless suggestion under 1.x, I
don't know.)
The discussion of adding swap in the FreeBSD docs mentioned only covers
adding auxiliary swap *files*,
Ermal/Jim/Chris,
Please note that bug #958 is still an issue for me, it does _not_ appear
to be resolved according to my testing. (Sorry to say...)
http://redmine.pfsense.org/issues/958
Thanks,
-Adam
apparently optional).
I just can't _find_ the XML and PHP code in question right now...
(And yes, I know, I should post a patch for the OpenBGPD mods I did - I
will, Real Soon Now.)
-Adam Thompson
athom...@c3a.ca
*bump*
Ermal, this still doesn't work for me.
How should I setup the rule?
(I need to force all inbound-NAT'd connections to reply via the NAT
session, *not* via the system routing table.)
On Tue, 2010-10-19 at 21:43 +0100, Ermal Luçi wrote:
> On Tue, Oct 19, 2010 at 9:28 PM,
at least the block allocation... iSCSI hides all of those
details, as it merely exposes one large chunk of disk blocks to the
client.
-Adam Thompson
athom...@c3a.ca
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
?
(I tried, the gui complains that the local port is already in use. Which is
true, but – I think – shouldn’t matter if it’s bound to specific interfaces.)
Thanks,
-Adam Thompson
athom...@c3a.ca
(204) 291-7950
1372 but any packets with payload larger than 1368 don’t make it through.
(Using “ping -f -l 1368 192.168.232.1” works, 1369-1372 doesn’t, 1373+
complains [correctly] about DF bit being set.)
Workarounds?
Am I doing something wrong?
Thanks,
-Adam Thompson
athom...@c3a.ca
all I've succeeded on doing so far is breaking ALL smtp
connections...
Can anyone explain how I use this new feature in 2.0?
Thanks,
-Adam Thompson
athom...@c3a.ca
(204) 291-7950
Chris/anyone,
Does the TinyDNS package work correctly under 2.0BETA4?
Thanks,
-Adam Thompson
athom...@c3a.ca
It’s perhaps overkill for many scenarios, but if you’re truly trying for
no-single-point-of-failure, buy UPSes from two different vendors, ideally using
two different technologies. I’ve seen matched pairs of UPSes knocked out by
the same power event, and more commonly I’ve seen matched sets of
Yeah, oops. :-)
LOL - I'm sitting in a Microsoft conference geared to large telecom
operators providing HDTV programming, and they announced that IPv6 is
*not* on their roadmap because "we haven't heard from customers that
address exhaustion is a significant problem". Given that AT&T is the
as 10.10.9.0/24,
OPT2 as 10.10.10.0/24, and OPT3 as 10.10.11.0/24.
Not sure if that's the level of example you're looking for or not...
-Adam Thompson
athom...@c3a.ca
From: Chris Flugstad [ch...@cascadelink.com]
Sent: October-04-10 18:32
To: suppor
nding a truly random number, as
there are many real-world constraints, but I believe there are more constraints
on the 64-bit number than the 80-bit number, which would skew the model towards
being even easier to find the IPv4 address...
-Adam Thompson
Chief Architect, C3A Inc.
athom...@c3a.ca
> The low-end Cisco ASA 5505 requires VLAN configuration since it is
> just a switch.
> The Cisco ASA 5510 has four Ethernet ports. If you need more, just
> use VLAN.
> Perhaps, Cisco is expecting a firewalled network to use managed
> switches. Is it best practice? Why is there a resistance to VLAN
the switch through a 4x V-in-LAG trunk. I
haven't had time to isolate the problem yet, although I observed slightly
better performance when I let VMWare handle the VLAN tagging instead of
pfSense (i.e. created 4 untagged virtual e1000 NICs instead of 1 tagged
vnic).
'd probably see disk I/O in that case. You aren't in
the middle of re-mirroring a geom(8) RAID1 set, are you?
-Adam Thompson
athom...@athompso.net
> -Original Message-
> From: Fabian Abplanalp [mailto:fabian.abplan...@bug.ch]
> Sent: Saturday, July 31, 2010 15:55
> To
mbers: the dual-1GHz-PIII could sustain between 200-300Mbit/sec between
the two 1Gb ports (untagged). The VM can only sustain about 10-20Mbit/sec
between the same two VLANs.
I haven't yet attempted to dedicate one port in VMware to each VLAN in order to
completely remove tagging.
-
So... does that mean I can't accomplish this with 1.2.x at all? I tried 2.0 on
a spare server, but OpenBGPd didn't seem to inject routes into the kernel at
all so I didn't pursue it very far.
-Adam Thompson
Chief Technical Architect, C3A Inc.
athom...@c3a.ca
(204) 272-9628 /
Sorry, that looks like my fault - the patch I sent inline with my last message
accidentally included a change that I hadn't actually tested yet... and if Jim
applied it as-is, well, that's the error you get.
Oops.
-Adam Thompson
Chief Technical Architect, C3A Inc.
athom...@c3a.ca
_summary($rrd, $lastmonth, $start, 720*60);
+$lastmonth = fetch_rrd_summary($rrd, $lastmonth, $start, "86400");
-function fetch_rrd_summary($rrd, $start, $end, $resolution=(60*60)) {
+function fetch_rrd_summary($rrd, $start, $end, $resolution="3600") {
$traffic = array();
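Review bot: the new `$lastmonth = fetch_rrd_summary(...)` call passes "86400", while the truncated line above it passed 720*60, which is 43200, so the resolution value doubles rather than only changing form; if a one-day step is intended, say so in the commit message, otherwise use 43200. Both new values ("86400" in the call, "3600" in the default) are also quoted strings where the old ones were integer expressions; unless the code that consumes $resolution needs a string, plain integers 86400 and 3600 would keep the parameter's type unchanged.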
servations from July
5th (included below).
-Adam Thompson
Chief Technical Architect, C3A Inc.
athom...@c3a.ca
(204) 272-9628 / fax: (204) 272-8291
> -Original Message-
> From: David Burgess [mailto:apt@gmail.com]
> Sent: Monday, July 05, 2010 6:18 AM
> To: support@pfs
I realize this is a corner case that probably isn't (ever?) often tested. Is
there a way to limit binat to only affecting one public interface?
-Adam Thompson
Chief Technical Architect, C3A Inc.
athom...@c3a.ca
(204) 272-9628 / fax: (204) 272-8291
This sounds like a use for 1:1 NAT, instead of port forwarding.
-Adam Thompson
Chief Technical Architect, C3A Inc.
athom...@c3a.ca
(204) 272-9628 / fax: (204) 272-8291
> -Original Message-
> From: Lluis [mailto:ll...@jad.es]
> Sent: Tuesday, July 13, 2010 6:41 AM
>
utes to their mail servers pointing back out vlan1 (WAN), but obviously that
approach doesn’t scale (and I have to know in advance their outbound mail
relay’s IP address!).
Any assistance appreciated!
-Adam Thompson
Chief Technical Architect, C3A Inc.
athom...@c3a.ca
(204) 272-9628 / fax: (204) 272-8291
> Give it a try and see if it's still accurate.
>
> Jim
Finally got back to the office and tried it - but the numbers do not seem to
match up. Don't know why yet, won't have time to diagnose until tomorrow or
the weekend. (In fact, the pkg, the command line, and my ISP'
is unhelpful on this
subject.)
-Adam Thompson
Chief Technical Architect, C3A Inc.
athom...@c3a.ca
(204) 272-9628 / fax: (204) 272-8291
UI if we can
> confirm
> that the results are indeed accurate.
Well, I can tell you that the numbers returned matched up exactly with what my
ISP wants to bill me for :-)
-Adam Thompson
Chief Technical Architect, C3A Inc.
athom...@c3a.ca
(204) 272-9628 / fax: (204) 272-8291
Thank you very much! I never know how to extract the raw data from rrdlogs,
now I know it's actually not that hard.
(BTW: the AWK is fine, although you can omit the cut(1) stage in the pipe
simply by having awk add up $2 and $3 instead of $1 and $2.)
-Adam Thompson
Chief Technical Arch
those
graphs but I can't find it now (and I might be remembering something else
altogether - who knows).
Is there a way to get this information?
Thanks,
-Adam Thompson
Chief Technical Architect, C3A Inc.
athom...@c3a.ca
(204) 272-9628 / fax: (204) 272-8291
This just keeps getting better :-)
Just after I sent the last message, I tried a traceroute that showed packets
going the wrong way. To my surprise (not), the kernel routing table was once
again emptied of all BGP routes.
# netstat -rn | wc -l ; bgpctl show fib | wc -l
8
I added a simple "custom_options" field to /usr/local/pkg/openbgpd.xml and the
corresponding code to /usr/local/pkb/openbgpd.inc - although the modifications
are trivial, is there a correct way to submit a patch? (BTW: the $config
mechanism, coupled with the XML description files, looks quite s
Well, I'm seeing something similar but even odder.
The kernel route for the local subnet *appears* to be intact, but various
diagnostic tools seem to disagree on that.
The pfSense GUI page Diagnostics->Routes shows a fairly small IPv4 routing
table (20 routes including host routes for the LAN sub
Yes, it's the next-hop router on OPT1. It's also my BGP peer.
-Adam
--Original Message--
From: Chris Buechler
To: support list, pfSense
ReplyTo: support list, pfSense
Subject: Re: [pfSense Support] BGP & ARP problems
Sent: Jun 17, 2010 15:46
On Thu, Jun 17, 2010 at
to fix it? I probably won't be
able to reboot until several hours from now.
Thanks,
-Adam Thompson
Chief Technical Architect, C3A Inc.
athom...@c3a.ca
(204) 272-9628 / fax: (204) 272-8291
(Going from memory here...)
Check the "Block RFC1918 addresses" checkbox on the Interface configuration
pages. It should be set on WAN but not OPT1 or LAN.
-Adam Thompson
Sent from my BlackBerry device on the Rogers Wirele
in the rent. Obviously I'd rather divert traffic that way if
it's headed for an academic/research destination! (Yes, this is quite a
similar situation to the fellow from South Africa last week, but I already know
I can use BGP.)
Thank you,
-Adam Thompson
Chief Technical Architect, C3A Inc.
athom...@c3a.ca
(204) 272-9628 x6004 / fax: (204) 272-8291
78 matches