[pfSense Support] Asked, but never answered - IPSec / VPN ??
Probably answered, but can't locate the specifics ..

1. can you run 3DES/MD5 tunnels wo/ hardware crypto accelerators?
2. can you build a tunnel on two different phase12 encryption/hash(s) ... or do they have to match?

eg: I build tunnel this way ...

phase1 Blowfish / SHA1 / PSK
phase2 ESP / Blowfish / SHA1

Could I build it this way ...

phase1 Blowfish / SHA1 / PSK
phase2 ESP / 3DES / MD5

Please excuse my ignorance ... !
RE: [pfSense Support] ipsec more info
Ok I have made a bit of progress with this one. I have set up a vpn by editing the xml file in the vpn section.

The local vpn is configured like so

The remote subnet becomes 0.0.0.0/0.

At the remote end I made an outbound nat rule for my local subnet and added firewall rules to allow those out my remote LAN.

The traceroute to www.google.ie completes in a lot fewer hops than it would via our route, 14 instead of 22. I checked the firewall on the remote end and it seems to be gatewaying the traffic as well.

The problem seems to now be that out of the fourteen hops on the new route 9 of them seem to time out.

Would love some insight into this. I am now going to look into the static route bit as well, and see if trying to tie the gateway down better helps.

I believe one of two issues would now apply. Either the nat on the far end is causing a problem, or something that I just don't understand.

Regards
alan

> I think there's somebody doing this with m0n0wall. I recall it being discussed on the list in the past. I believe how they accomplished it was adding a site to site VPN, then adding a static route on the LAN for 0.0.0.0/0 (i.e. everything; this route wasn't possible in the GUI without changing the code, not sure if that's been changed here or not) pointing to the other end LAN side of the VPN tunnel.
>
> I could be way off on that though, it's been a while. Worth a shot at least, might also want to google with site:m0n0.ch to see if you come up with anything.

> Is it possible to route all traffic from opt1 across an ipsec vpn.
Re: [pfSense Support] ipsec more info
I would like to help with this but I have to admit that this is a new prospect for me. Let me know how it turns out and it would be nice if we could document this behavior.

On 8/3/05, alan walters [EMAIL PROTECTED] wrote:
> Ok I have made a bit of progress with this one. I have set up a vpn by editing the xml file in the vpn section.
>
> The local vpn is configured like so
>
> The remote subnet becomes 0.0.0.0/0.
>
> At the remote end I made an outbound nat rule for my local subnet and added firewall rules to allow those out my remote LAN.
>
> The traceroute to www.google.ie completes in a lot fewer hops than it would via our route, 14 instead of 22. I checked the firewall on the remote end and it seems to be gatewaying the traffic as well.
>
> The problem seems to now be that out of the fourteen hops on the new route 9 of them seem to time out.
>
> Would love some insight into this. I am now going to look into the static route bit as well, and see if trying to tie the gateway down better helps.
>
> I believe one of two issues would now apply. Either the nat on the far end is causing a problem, or something that I just don't understand.
>
> Regards
> alan
>
> > I think there's somebody doing this with m0n0wall. I recall it being discussed on the list in the past. I believe how they accomplished it was adding a site to site VPN, then adding a static route on the LAN for 0.0.0.0/0 (i.e. everything; this route wasn't possible in the GUI without changing the code, not sure if that's been changed here or not) pointing to the other end LAN side of the VPN tunnel.
> >
> > I could be way off on that though, it's been a while. Worth a shot at least, might also want to google with site:m0n0.ch to see if you come up with anything.
>
> > Is it possible to route all traffic from opt1 across an ipsec vpn.
[pfSense Support] Problem with pfSense on EPIA with DiskOnModule
Hi all,

I'm trying to get pfSense working on my EPIA setup with the following configuration:

* EPIA PD1 (C3 1Ghz Nehemiah, dual LAN connection, Mini-ITX)
* 512MB DDR SDRAM (KingMax)
* PQI DiskOnModule (256MB Capacity)
* Morex Procase/Cubid 2677 Mini-ITX case with 60W PSU
* Intel i82559 NIC (PCI card)

I used this image = pfSense-Embedded-0.73-megs.bin.gz (Dated : 04-Aug-2005 00:31, 28.2MB)

And used Manuel Kasper's physdiskwrite tool to write the image onto the 256MB DOM in Win2k Pro SP4. That was OK, until when I tried to boot with it... The following is what appears :

FreeBSD/i386 bootstrap loader, Revision 1.1
([EMAIL PROTECTED], Sun Jul 31 22:20:50 UTC 2005)
Loading /boot/defaults/loader.conf
/boot/kernel/kernel text=0x523f93 data=0x7f48c+0x43c20 \ \
Hit [Enter] to boot immediately, or any other key for command prompt.
Booting [/boot/kernel/kernel]...
/boot/kernel/acpi.ko text=0x409fc data=0x2060+0x1090 syms=[0x4+0x7680+0x4+0x9ddd] \

At this point, it just hangs. I previously used the same system for M0n0Wall ver 1.1, and it worked fine.

I currently have two Cable ISP connections which I want to use pfSense on. (consolidate two routers into one with pfSense's multi-WAN capability).

Can anyone help or explain what the above means?

Regards
-Stmok
[pfSense Support] Multi-WAN capabilities...
I've seen somewhere the multi-WAN works with DHCP on both WANs now, but will it work with PPPoE on one interface and DHCP on the other?

If so, is this a failover situation by default (where one interface can be designated as a primary), or for load balancing only?

At home I have both cable (DHCP) and DSL (PPPoE). My DSL is actually DSL Lite (256 down, 128 up) and really only there for backup purposes.

Paul
Re: [pfSense Support] Multi-WAN capabilities...
On 8/3/05, Paul Taylor [EMAIL PROTECTED] wrote:
> I've seen somewhere the multi-WAN works with DHCP on both WANs now, but will it work with PPPoE on one interface and DHCP on the other?
>
> If so, is this a failover situation by default (where one interface can be designated as a primary), or for load balancing only?

Use the PPPoE connection on the wan interface and the other dhcp connection on an optional interface.

Load balancing won't be done until after this weekend.

Scott
Re: [pfSense Support] Problem with pfSense on EPIA with DiskOnModule
The embedded images do not have VGA :)

Install from the ISO to the DoC.

Scott

On 8/3/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> Hi all,
>
> I'm trying to get pfSense working on my EPIA setup with the following configuration:
>
> * EPIA PD1 (C3 1Ghz Nehemiah, dual LAN connection, Mini-ITX)
> * 512MB DDR SDRAM (KingMax)
> * PQI DiskOnModule (256MB Capacity)
> * Morex Procase/Cubid 2677 Mini-ITX case with 60W PSU
> * Intel i82559 NIC (PCI card)
>
> I used this image = pfSense-Embedded-0.73-megs.bin.gz (Dated : 04-Aug-2005 00:31, 28.2MB)
>
> And used Manuel Kasper's physdiskwrite tool to write the image onto the 256MB DOM in Win2k Pro SP4. That was OK, until when I tried to boot with it... The following is what appears :
>
> FreeBSD/i386 bootstrap loader, Revision 1.1
> ([EMAIL PROTECTED], Sun Jul 31 22:20:50 UTC 2005)
> Loading /boot/defaults/loader.conf
> /boot/kernel/kernel text=0x523f93 data=0x7f48c+0x43c20 \ \
> Hit [Enter] to boot immediately, or any other key for command prompt.
> Booting [/boot/kernel/kernel]...
> /boot/kernel/acpi.ko text=0x409fc data=0x2060+0x1090 syms=[0x4+0x7680+0x4+0x9ddd] \
>
> At this point, it just hangs. I previously used the same system for M0n0Wall ver 1.1, and it worked fine.
>
> I currently have two Cable ISP connections which I want to use pfSense on. (consolidate two routers into one with pfSense's multi-WAN capability).
>
> Can anyone help or explain what the above means?
>
> Regards
> -Stmok
[pfSense Support] Two ISP configuration
Hi

I have two Internet connections from two different ISPs. Connection "A" is ADSL, connection "B" is another kind of broadband connection (LMDS). In the ADSL link I have 1 public ip which changes dynamically, and in the "B" connection I have 28 fixed public IP's that I can use. Each of them come into my network through a standard Ethernet 10BaseT connection.

I would like to have the following configuration:

1. A few users will be assigned public IPs (belonging to the "B" connection).
2. The rest of the users will be assigned private IPs, and their traffic will go out using NAT
3. I want to route some of the users which have private IPs through connection "A" (ADSL) and other users having private IPs through the "B" connection (kind of static balance of the traffic).
4. If there is no Internet connectivity through the "B" connection, I want that all the users with private IPs, be automatically routed through the "A" (ADSL) link.

Is it possible to carry out this configuration using pfSense ?

Thanks and best regards,
Andrés
Re: [pfSense Support] Two ISP configuration
On 8/3/05, Charrua [EMAIL PROTECTED] wrote:
> Hi
>
> I have two Internet connections from two different ISPs. Connection A is ADSL, connection B is another kind of broadband connection (LMDS). In the ADSL link I have 1 public ip which changes dynamically, and in the B connection I have 28 fixed public IP's that I can use. Each of them come into my network through a standard Ethernet 10BaseT connection.
>
> I would like to have the following configuration:
>
> 1. A few users will be assigned public IPs (belonging to the B connection).

This is doable.

> 2. The rest of the users will be assigned private IPs, and their traffic will go out using NAT

Should be ok.

> 3. I want to route some of the users which have private IPs through connection A (ADSL) and other users having private IPs through the B connection (kind of static balance of the traffic).

No load balancing available yet. It's scheduled for the weekend.

> 4. If there is no Internet connectivity through the B connection, I want that all the users with private IPs, be automatically routed through the A (ADSL) link.

Not doable until after this weekend.

Scott
Re: [pfSense Support] USB Keyboard on 73.2
On 8/2/05, Paul Taylor [EMAIL PROTECTED] wrote:
> I'm still getting the same problem with the USB keyboard on the GX280 with the new build 73.2 from last night…

I verified with Scott this afternoon that I'm seeing the same thing on a GX280. I'm even using a USB - PS/2 adapter with a PS/2 keyboard because I couldn't find a USB keyboard anywhere.

I'm downloading the iso of FreeBSD 6.0 beta 1 to see if it exhibits the same behavior. Will find out more tomorrow.

-cmb
RE: [pfSense Support] USB Keyboard on 73.2
Chris,

Thanks for looking into this for me! Since this has been slowing us down, I went back to our desktop support group and asked if they had any GX270s left. They had one, so we swapped our GX280 for it... Unfortunately, we now know why they still had it.. Looks like the floppy drive doesn't work and the hard drive is dead. So, we may be swapping this back for the GX280 soon if we can't get a new drive tomorrow.

Paul

-----Original Message-----
From: Chris Buechler [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 03, 2005 5:46 PM
To: Paul Taylor
Cc: support@pfsense.com
Subject: Re: [pfSense Support] USB Keyboard on 73.2

On 8/2/05, Paul Taylor [EMAIL PROTECTED] wrote:
> I'm still getting the same problem with the USB keyboard on the GX280 with the new build 73.2 from last night...

I verified with Scott this afternoon that I'm seeing the same thing on a GX280. I'm even using a USB - PS/2 adapter with a PS/2 keyboard because I couldn't find a USB keyboard anywhere.

I'm downloading the iso of FreeBSD 6.0 beta 1 to see if it exhibits the same behavior. Will find out more tomorrow.

-cmb
Re: [pfSense Support] Two ISP configuration
It sure does :) I had an ISP failure last night, quite annoying :) I've now got a duplicate of all my rules with different gateways setup. I enable/disable the rules depending on which ISP I need/want the traffic to head out at that time. Can't wait 'til this weekend so we can make all that automatic instead of manually doing it :)

So, yes to answer the unasked question...the people that know how to fix this are getting annoyed by it too so it _will_ be fixed. It's not just a feature that we think would be cool so we're putting it in, it's going to work because we want it to work for ourselves too :)

--Bill

On 8/3/05, alan walters [EMAIL PROTECTED] wrote:
> Configure opt 1 with public ips and set gateway to (LMDS). Configure wan the same way with your dhcp setting. Now on the lan use advanced outbound nat and 1 to nat to configure the clients to their respective gateway.
>
> No failover but dual WAN works
>
> -----Original Message-----
> From: Charrua [mailto:[EMAIL PROTECTED]
> Sent: 03 August 2005 21:45
> To: Scott Ullrich
> Cc: support@pfsense.com
> Subject: Re: [pfSense Support] Two ISP configuration
>
> Great ! Thanks for your prompt reply. Right now I'm trying version 0.73.2. Could you please give me a hint on how to accomplish each point ?
>
> Thanks in advance,
> Andrés
>
> ----- Original Message -----
> From: Scott Ullrich [EMAIL PROTECTED]
> To: Charrua [EMAIL PROTECTED]
> Cc: support@pfsense.com
> Sent: Wednesday, August 03, 2005 5:36 PM
> Subject: Re: [pfSense Support] Two ISP configuration
>
> On 8/3/05, Charrua [EMAIL PROTECTED] wrote:
> > Hi
> >
> > I have two Internet connections from two different ISPs. Connection A is ADSL, connection B is another kind of broadband connection (LMDS). In the ADSL link I have 1 public ip which changes dynamically, and in the B connection I have 28 fixed public IP's that I can use. Each of them come into my network through a standard Ethernet 10BaseT connection.
> >
> > I would like to have the following configuration:
> >
> > 1. A few users will be assigned public IPs (belonging to the B connection).
>
> This is doable.
>
> > 2. The rest of the users will be assigned private IPs, and their traffic will go out using NAT
>
> Should be ok.
>
> > 3. I want to route some of the users which have private IPs through connection A (ADSL) and other users having private IPs through the B connection (kind of static balance of the traffic).
>
> No load balancing available yet. It's scheduled for the weekend.
>
> > 4. If there is no Internet connectivity through the B connection, I want that all the users with private IPs, be automatically routed through the A (ADSL) link.
>
> Not doable until after this weekend.
>
> Scott
Re: [pfSense Support] NATed interface to bridged interface
On 8/3/05, Simon SZE-To [EMAIL PROTECTED] wrote:
> Hello,
>
> I'm using m0n0wall and due to the issue between ipnat and bridging ( http://www.m0n0.ch/wall/docbook/faq-bridge.html ), I can't access servers under bridged OPT1 from LAN. I would like to know is this issue on pfSense too?

hard telling. might be, might not be. at this stage of the game, best we can offer is try it, and let us know.

-cmb
Re: [pfSense Support] vpn ipsec
On 8/1/05, Scott Ullrich [EMAIL PROTECTED] wrote:
> > [kernel: tl0: tx underrun -- increasing tx threshold to 512 bytes]
> > [kernel: tl0: tx underrun -- increasing tx threshold to 768 bytes]
> > [kernel: tl0: tx underrun -- increasing tx threshold to 1024 bytes]
> > [kernel: xl0: transmission error: 90]
> > [kernel: xl0: tx underrun, increasing tx start threshold to 120 bytes]
>
> I get these as well. It's something since the interface changes in FreeBSD behind the scenes. This is on my list of things to ping the FreeBSD lists with closer to final 6 release if it persists. It doesn't seem to harm anything, however.

these underruns are normal on many NIC drivers, since 5.x IIRC, maybe 4.x did it too, I don't recall for sure. The tx threshold starts low, and as traffic increases, the threshold is increased if need be. The transmission errors are caused by the tx underruns. It's perfectly normal, and will happen after every reboot.

dug that info up on google quite a while ago. found this explanation with a quick search today.

--
The NIC starts transmitting a packet before the whole packet has been copied to the NIC's memory. If it takes too long for the rest of the packet to get onto the NIC, a bit won't be there when its time for transmission comes. This is called an underrun. The driver then raises the threshold for how much of the packet has to be on the NIC before transmission starts.
--

-cmb
Re: [pfSense Support] vpn ipsec
Or you could think of this as self tuning. From everything I can gather it seems normal.

Scott

On 8/4/05, Chris Buechler [EMAIL PROTECTED] wrote:
> On 8/1/05, Scott Ullrich [EMAIL PROTECTED] wrote:
> > > [kernel: tl0: tx underrun -- increasing tx threshold to 512 bytes]
> > > [kernel: tl0: tx underrun -- increasing tx threshold to 768 bytes]
> > > [kernel: tl0: tx underrun -- increasing tx threshold to 1024 bytes]
> > > [kernel: xl0: transmission error: 90]
> > > [kernel: xl0: tx underrun, increasing tx start threshold to 120 bytes]
> >
> > I get these as well. It's something since the interface changes in FreeBSD behind the scenes. This is on my list of things to ping the FreeBSD lists with closer to final 6 release if it persists. It doesn't seem to harm anything, however.
>
> these underruns are normal on many NIC drivers, since 5.x IIRC, maybe 4.x did it too, I don't recall for sure. The tx threshold starts low, and as traffic increases, the threshold is increased if need be. The transmission errors are caused by the tx underruns. It's perfectly normal, and will happen after every reboot.
>
> dug that info up on google quite a while ago. found this explanation with a quick search today.
>
> --
> The NIC starts transmitting a packet before the whole packet has been copied to the NIC's memory. If it takes too long for the rest of the packet to get onto the NIC, a bit won't be there when its time for transmission comes. This is called an underrun. The driver then raises the threshold for how much of the packet has to be on the NIC before transmission starts.
> --
>
> -cmb