Re: [pfSense Support] pfSense 0.76.2: No rdr rule for Squid Transparent Proxy

2005-08-16 Thread Albert Miles Enabe
I think it is actually a BUG in the script
/etc/inc/filter.inc that checks for the squid process
at boot time which will return FALSE because no
package is loaded during this time yet. See the
/etc/rc script for the loading sequence. 

The /etc/rc.bootup script that initializes the pf
rules is called before executing rc.d items. Please
see the /etc/rc script.

As a solution, the if(is_process_running(squid))
at line no. 1134 of the file /etc/inc/filter.inc must
be commented out.

Cheers!


--- Bachman Kharazmi [EMAIL PROTECTED] wrote:

 When the squid package has installed properly without any errors type:
 # pfctl -sr | grep rdr
 if that returns a rule and trans.proxy still doesn't work (make sure
 the squid process is running) then I would suggest you read the squid
 logs to find out why it doesn't cache.
 
 /bkw
 
 
 On 8/16/05, Albert Miles Enabe [EMAIL PROTECTED] wrote:
  Hi!
  
  The rdr (nat) rule for squid transparent proxy is
  missing on pfsense 0.76.2 which causes transparent
  proxying NOT to function properly. The corresponding
  pass rules are present however.
  
  The problem is corrected by commenting out line# 1134
  of /etc/inc/filter.inc:
  
  if (is_package_installed(squid) == 1)
  //if (is_process_running(squid))
  
  Could it be because this function was called at the
  time when squid has not fully loaded itself? If this
  is the case, then it would be better if the rc loader
  for squid be given enough time to sleep for a while
  before exiting.
  
  Thanks.
  
  Miles
  
  
 

-
  To unsubscribe, e-mail:
 [EMAIL PROTECTED]
  For additional commands, e-mail:
 [EMAIL PROTECTED]
  
  
 
 
 -- 
 ##
 BKW - Bachman Kharazmi
 bahkha AT gmail DOT com
 uin: #24089491
 SWEDEN
 ##
 

 
 








Re: [pfSense Support] pfSense on complex Network

2005-08-16 Thread Bill Marquette
No.  Use the new Virtual IP screen to create virtual IPs that are
either proxy arp or other depending on whether those IPs are routed
to the physical subnet the box is on or to it directly.

--Bill

On 8/15/05, Paulus Edwin Prasetya [EMAIL PROTECTED] wrote:
 So, it is really because of realtek, so I cannot NAT using
 xxx.xxx.148.11 or other on the wan with IP xxx.xxx.148.10?
 
 Ted Crow wrote:
  For my production unit, I have a SuperMicro 5013 server with 2 LOB
  Intel Gigabit LAN/WAN interfaces and a PCI/64 Intel Quad Fast
  Ethernet for my OPT interfaces.  Works great with top notch throughput.
  (IIRC, I've been using this hw since 0.49)
 
  I pretty much gave up on Realtek a couple years ago, and now avoid
  systems with built in Realtek NICs.  A while back I did a test with 11
  Intel NICs in one pfSense box and it worked /flawlessly/.  So, probably
  needless to say, I highly recommend Intel NICs.  In general practice, I
  put 3Com NICs third on my list right behind Broadcom.
 
  *Ted Crow*
  /MCP/W2K/
  Information Technology Manager
  *Tuttle Services, Inc.*
  (419) 228-6262 x 247
 
 
  
  *From:* David Strout [mailto:[EMAIL PROTECTED]
  *Sent:* Monday, August 15, 2005 1:54 PM
  *To:* [EMAIL PROTECTED]; [EMAIL PROTECTED]
  *Cc:* [EMAIL PROTECTED]; support@pfsense.com
  *Subject:* Re: Re: [pfSense Support] pfSense on complex Network
 
  I have an old Dell Precision w/ PCI-X slots and use the Intel
  (PCI/PCI-X) quad 10/100/1000 card (I have two working flawlessly w/
  0.74.8) that's my recommendation - stick w/ intel on many/multi homed
  (more than 2-3 NICs) boxes.
  --
  David L. Strout
  Engineering Systems Plus, LLC
 
 
  - Original Message -
  *Subject: *Re: [pfSense Support] pfSense on complex Network
  *From: [EMAIL PROTECTED]
  *To: [EMAIL PROTECTED]
  *Date: *08-15-2005 1:43 pm
 
 
  On 8/15/05, Scott Ullrich [EMAIL PROTECTED] wrote:
On 8/15/05, Paulus Edwin Prasetya [EMAIL PROTECTED] wrote:
 Hi,

   !  I'm new to this list, any one can help me?

 I am setup a quite complex gateway using pfSense
 the box contain 6 NIC all using RealTek (rl0-rl5)
   
Are you sure that all 6 Realtek NICS function correctly in the
machine? That's a lot of NICS and RealTeks at that (read: I would
use better nics such as intel/3com).
 
  I wouldn't even recommend 3Com - I've had more tons of problems with
  them. Absolutely agreed though that Realtek suck *ss. Expect poor
  performance.
 
  --Bill
 



Re: [pfSense Support] pfSense 0.76.2: No rdr rule for Squid Transparent Proxy

2005-08-16 Thread Scott Ullrich
The solution here is to set the filter dirty flag in the squid startup
script.  This will force the rules to be reloaded and then squid will
be running.

I'll take care of it shortly.

Scott


On 8/16/05, Bill Marquette [EMAIL PROTECTED] wrote:
 Albert, can you file a ticket on this at http://cvstrac.pfsense.com/ ?
 I'd rather not delay boot until squid is up, but I suppose that's open
 for debate.  Without looking at the code, I'm wondering if we're even
 starting up squid before the filter.
 Can you insert a sleep(); statement before the is_process_running
 statement and tell us how long you have to sleep for to get reliable
 results? Also, what speed hardware is this on?  Thanks
 
 --Bill
 



Re: [pfSense Support] Port Forward failing

2005-08-16 Thread Bill Marquette
On 8/16/05, Howard Virag [EMAIL PROTECTED] wrote:
 Hello,
 
 This is likely not strictly (or loosely) a pfSense problem.
 
 Can someone venture a guess as to why simple port forwarding is failing for me?
 
 In short, It works to my Linux PC, an older AMD 800 MHz machine, but
 port forwards to my Sun Sparc Ultra 2 fail regardless of port.

Interesting...how's routing on the U2 set up?  Is the default gateway
the same as the AMD?  How's the ARP table look - is it similar to the
AMD box?  I'm kind of assuming that the AMD and U2 are on the same
network ;)

 I am using  pfSense, 0.74.4,  behind an Actiontec GT704 set
 up as a transparent bridge after having used a simpler DSL Paradyne
 modem weeks ago successfully  with IPCop. I recall that all worked
 nicely before.

PPPOE on the pfSense?  I'm not completely following your network setup here.

 Any suggestions on what to look at?
 With previous posts in mind, I do have a mix of 3Com and a cheap new
 Realtek card. Will using these cards make any difference for a small
 home network?

Performance issues mainly.  The NICs work, just don't expect 100Mbit
out of them (with exception to 3com which can just have weird
issues).

--Bill




RE: [pfSense Support] wondering ipsec

2005-08-16 Thread Roy Walker
0.77 is up and both IPSEC and PPTP VPN is working.  I am not having any 
problems with external access through the rules or NAT.
 
Roy

-Original Message- 
From: alan walters [mailto:[EMAIL PROTECTED] 
Sent: Tue 8/16/2005 4:55 PM 
To: Scott Ullrich 
Cc: support@pfsense.com 
Subject: RE: [pfSense Support] wondering ipsec



Just a note had major trouble with state table on 0.76.8 
ICMP worked but tcp and udp failed to go out the firewall 

Back on 0.74.xx for a while I think 

 -Original Message- 
 From: Scott Ullrich [mailto:[EMAIL PROTECTED] 
 Sent: 16 August 2005 20:40 
 To: alan walters 
 Cc: support@pfsense.com 
 Subject: Re: [pfSense Support] wondering ipsec 
 
 It should be gone on 0.76.8. 
 
 Scott 
 
 On 8/16/05, alan walters [EMAIL PROTECTED] wrote: 
  
  
  
  Just wondering if we think we have hit the ipsec bug off 
 



Re: [pfSense Support] pfSense 0.76.2: No rdr rule for Squid Transparent Proxy

2005-08-16 Thread Albert Miles Enabe
No need to file a ticket. Thanks for the swift action.
I'll wait till next release then.

Also, I am concerned of the Squid process dying for
any reason and the rdr rule for transparent proxying
is still in effect. This will block http traffic to
the internet. Any solution for this?

Thanks again.

Miles

--- Scott Ullrich [EMAIL PROTECTED] wrote:

 The solution here is to set the filter dirty flag in the squid startup
 script.  This will force the rules to be reloaded and then squid will
 be running.
 
 I'll take care of it shortly.
 
 Scott
 
 
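The states discussed in this thread (Squid running with no rdr rule loaded, and an rdr rule still loaded after Squid has died) can be told apart by comparing the process state with the loaded translation rules. The script below is an added example, not part of the thread and not pfSense code; the function names, the port 3128 default and the sample rule lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not pfSense code. PROXY_PORT (3128, the usual Squid port)
# and the function names are assumptions made for this sketch.
PROXY_PORT="${PROXY_PORT:-3128}"

# Constructed sample of translation rules in pfctl output style.
SAMPLE_RULES='nat on rl0 inet from 192.168.1.0/24 to any -> (rl0) round-robin
rdr on rl1 inet proto tcp from any to any port = http -> 127.0.0.1 port 3128'

# has_proxy_rdr RULES: succeeds if some rdr rule sends HTTP to PROXY_PORT.
has_proxy_rdr() {
    printf '%s\n' "$1" | awk -v p="$PROXY_PORT" '
        $1 == "rdr" {
            n = index($0, "->")
            if (!n) next
            match_side  = substr($0, 1, n - 1) " "   # traffic the rule matches
            target_side = substr($0, n) " "          # where it is redirected
            if (match_side ~ /port (= )?(80|http|www) / &&
                target_side ~ ("port " p " ")) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# proxy_state RUNNING(0|1) RULES: prints one word describing the combination.
proxy_state() {
    running="$1"
    if has_proxy_rdr "$2"; then rdr=1; else rdr=0; fi
    case "$running$rdr" in
        11) echo ok ;;          # redirect loaded and Squid is there to answer
        01) echo blackhole ;;   # redirect loaded, Squid dead: HTTP is dropped
        10) echo unproxied ;;   # Squid up, no redirect: traffic skips the proxy
        00) echo idle ;;        # neither present
    esac
}

# check_live: same classification from the running system.
# rdr rules are translation rules, so they are listed by "pfctl -sn".
check_live() {
    if pgrep -x squid >/dev/null 2>&1; then r=1; else r=0; fi
    proxy_state "$r" "$(pfctl -sn 2>/dev/null)"
}

# Run "sh script.sh live" on the firewall; without arguments nothing is probed.
if [ "${1:-}" = "live" ]; then check_live; fi
```

Run from cron or a monitoring agent, a `blackhole` or `unproxied` result is the signal to reload the filter rules or restart Squid.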



RE: [pfSense Support] ISO problems ... still

2005-08-16 Thread Dimitri Rodis
Nope, still a no go unless the CDROM is on the same channel... 


Dimitri Rodis
Integrita Systems LLC

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 16, 2005 9:12 AM
To: Dimitri Rodis
Cc: Wesley Joyce; support@pfsense.com
Subject: Re: [pfSense Support] ISO problems ... still

Try the latest version that I posted last night.

On 8/16/05, Dimitri Rodis [EMAIL PROTECTED] wrote:
 Any news on the issue with the installer? (Moving the CDROM to be on 
 the same channel as the hard drive, etc.)
 
 
 Dimitri Rodis
 Integrita Systems LLC
 
 -Original Message-
 From: Scott Ullrich [mailto:[EMAIL PROTECTED]
 Sent: Thursday, August 11, 2005 3:05 PM
 To: Dimitri Rodis
 Cc: Wesley Joyce; support@pfsense.com
 Subject: Re: [pfSense Support] ISO problems ... still
 
 On 8/11/05, Dimitri Rodis [EMAIL PROTECTED] wrote:
  Yup, that did it.
 
  All I did was move the CDROM from Secondary Master to Primary Slave 
  and the install went right thru. This was on 0.73.8.
 
 Okay thanks.  Let me see if this can help us narrow down the problem.
 
 Scott





Re: [pfSense Support] Alert about pf rules syntax errors... again...

2005-08-16 Thread Randy B

Scott Ullrich wrote:

I just tested the latest vpn.inc with my home firewall that has 4+
ipsec links and it works fine.  I'll be releasing a new version
soon.  Please be on the lookout for it and give it a try.

Scott


I'm still showing this issue in 0.77.  My last fix was to comment out a 
large swath of /etc/inc/filter.inc, but I tried to be a bit more 
pragmatic about it this time, and realized that I came to the precise 
same conclusions that M. Kohn came to.  There needs to be some catch, 
some hook in vpn_ipsec.php (line 36 where the empty definition is 
created), filter.inc (see previously submitted patch), or vpn.inc. 
Something somewhere either has to stop making the empty tunnel or 
everything else has to be changed to be able to deal with it.


Scott - you said a change to filter.inc is not the correct fix, and to 
make it in /etc/inc/vpn.inc.  Why would that be?  AFAICT, vpn.inc just 
sets up defined tunnels - very little error control in it.  The 
specified code chunk in filter.inc (starting ~2093) seems to be the 
flawed one - it just happily chews right over definitions, uncaring 
whether they're empty or not.  Shouldn't a process that's generating 
system commands be a bit more concerned about whether or not it's 
putting out proper syntax?


RB
