[pfSense Support] wireless card on lan
Seems that if you put a wireless card in the lan there is no option to make it a hostap, only bss and ibss. Also, other features that are available in opt wireless interfaces are missing.
[pfSense Support] wireless bridges
Just a note of thanks to the pfsense team. We deployed a test of a three way bridge the other day.

      WAN
     |   |
    LAN  OPT1

All bridged to WAN. Made allow all rules and then a few rules to minimise access to web interface and ssh. All is roses.

20 clients running on a test with two ATH radios. All looks great. Signal is excellent. Packet loss is less than 0.5% across the subnet. All running 802.11B on two channels. Clients can roam from channel to channel almost seamlessly with the clients we use. Max range on a client is 5 km with about 2.5 Mbit of throughput. Total throughput on the wrap board with multiple clients was close to its limit of about 20 Mbit/s.

Just a note for anyone out there hoping to use this configuration, as I know it is common in wireless circles. Look forward to some more tuning options for long range links and pfsense will have succeeded in all the goals I hoped that it could achieve. WELL DONE
Re: [pfSense Support] Virtual IPs not working
Bastian Schern, you probably already know this, but your email is busted.

--Bill

On 8/22/05, Mail Delivery System [EMAIL PROTECTED] wrote:

This is the Postfix program at host server19.greatnet.de.

I'm sorry to have to inform you that your message could not be be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster

If you do so, please include this problem report. You can delete your own text from the attached returned message.

The Postfix program

[EMAIL PROTECTED] (expanded from [EMAIL PROTECTED]): delivery temporarily suspended: connect to kundt.homeip.net[213.191.40.68]: Connection timed out

Final-Recipient: rfc822; [EMAIL PROTECTED]
Original-Recipient: rfc822; [EMAIL PROTECTED]
Action: failed
Status: 4.0.0
Diagnostic-Code: X-Postfix; delivery temporarily suspended: connect to kundt.homeip.net[213.191.40.68]: Connection timed out

-- Forwarded message --
From: Bill Marquette [EMAIL PROTECTED]
To: Bastian Schern [EMAIL PROTECTED]
Date: Mon, 22 Aug 2005 18:18:24 -0500
Subject: Re: [pfSense Support] Virtual IPs not working

On 8/22/05, Bastian Schern [EMAIL PROTECTED] wrote:

Okay I believe you, but what can I do to solve my Problem with my three LAN subnets: 192.168.0.0/24 (main), 192.168.3.0/24 and 192.168.101.0/24. All of them are located on the same physical interface and in this moment it is not possible to join the subnets. Is there a way to handle that configuration?

If ping is a big issue (I can understand), use CARP instead of ProxyARP.

--Bill
[pfSense Support] .79 issues
There was a nasty bug in .79 that partially reverted the config file version. This left a config file that had newer syntax and an older version number. Upgrading past .79 w/out taking some corrective measure will break your system. Again, if you installed or upgraded to .79 and plan on using anything newer, please read.

Two issues in particular affect those that are on .79 and plan to upgrade. During boot, we check to see if the config file version is older than what we claim is current. If it is, we upgrade it. One of the upgrade steps encrypts the (already encrypted) password in the xml file leaving you with a system you couldn't access (there are a couple workarounds that I'll mention shortly). The other somewhat damaging item I've had mixed reports on are irreversible issues with the DHCP config; if you don't use the dhcp server you will be fine. Disabling the server and re-enabling it is not enough to fix it if you are using DHCP.

This issue _only_ affects people that upgraded/installed .79 and then upgraded to anything above it (.79.2 is currently the only thing above it). There was about a three hour window where .79 was the most recent version, so I expect very few people actually got affected.

Workarounds:

This is for those that upgraded to .79. We now version every change that happens on your pfSense box. They are available via the Diagnostics menu, choose Backup/Restore then click Remote. You'll see a list of all the times your configuration changed and at a minimum where in the firewall the change was made (still working on exact change details). You should see the Current entry showing as "Upgraded config version level from 1.9 to 1.1" or similar. Clicking on the + (plus) symbol on the line below will restore the previous configuration file. Then upgrade to .79.2 w/out rebooting. .79.2 will correctly upgrade your configuration file to version 2.0 w/out destroying anything.

For those that installed .79 and wish to upgrade: If you aren't using the DHCP server, the only item that should affect you is the password. Upgrade to .79.2 and use menu option number 3 from the shell (Reset webGUI password). If you are using the DHCP server, be thankful this is a new install. Hopefully you've installed before and have an old config laying around. If not, you'll be reconfiguring from scratch, there's not much we can do. You can try disabling/reenabling the DHCP server after upgrading to .79.2. I've had one report that it works and one that it didn't work - if it doesn't work, reinstall.

--Bill

PS. For those wondering... 1.10 == 1.1 I apparently failed floating point 101!
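The boot-time version check described in this message, and the `1.10 == 1.1` remark in its postscript, as an added Python illustration (not pfSense's code). The upgrade chain, the step that hashes the password and the SHA-256 stand-in are constructed assumptions; only the version numbers 1.9, 1.10 and 2.0 come from the message.

```python
import hashlib

def parse_version(text):
    """Split a dotted config version such as '1.10' into integer parts."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted version: {text!r}")
    return tuple(int(p) for p in parts)

def older_as_float(a, b):
    """Fragile check: versions treated as floating-point numbers."""
    return float(a) < float(b)

def older_as_tuple(a, b):
    """Component-wise check, so that 1.9 < 1.10 < 2.0."""
    return parse_version(a) < parse_version(b)

def hash_password(value):
    # Stand-in for the real password transform (SHA-256 is an assumption).
    return hashlib.sha256(value.encode()).hexdigest()

def step_hash_password(cfg):
    # Not idempotent: running it twice hashes the stored hash again.
    cfg["password"] = hash_password(cfg["password"])

def step_other(cfg):
    cfg["steps_run"] = cfg.get("steps_run", 0) + 1

# Constructed upgrade chain: (version reached, step to run). Which version
# hashes the password is an assumption made for this illustration.
UPGRADE_STEPS = [
    ("1.5", step_hash_password),
    ("1.9", step_other),
    ("1.10", step_other),
    ("2.0", step_other),
]

def upgrade(cfg, older):
    """Run each step whose target is newer than cfg['version'] per `older`."""
    applied = []
    for target, step in UPGRADE_STEPS:
        if older(cfg["version"], target):
            step(cfg)
            cfg["version"] = target
            applied.append(target)
    return applied

def run_case(older):
    """Start from a config already at 1.10 whose password is already hashed."""
    stored = hash_password("constructed-example-password")
    cfg = {"version": "1.10", "password": stored}
    applied = upgrade(cfg, older)
    return applied, cfg["password"] == stored

if __name__ == "__main__":
    print("float('1.10') == float('1.1'):", float("1.10") == float("1.1"))
    print("float compare:", run_case(older_as_float))
    print("tuple compare:", run_case(older_as_tuple))
```

With the float comparison the config at 1.10 looks older than 1.5, so the password step runs a second time; the component-wise comparison applies only the 2.0 step.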
[pfSense Support] Upgrade from m0n0 to pfSense?
Hi, is it possible to upgrade from a CF-Card Version of m0n0wall to pfSense? pfSense seems to be more reasonable to me, due to need of two PPPoE Connections... Regards, Tim
Re: [pfSense Support] Upgrade from m0n0 to pfSense?
Hi Holger,

I could not have multiwan work here. Tried with OPT1 and OPT2 for wan, can you have some example of configuration?

Thanks
Moacyr

- Original Message -
From: Holger Bauer [EMAIL PROTECTED]
To: support@pfsense.com; [EMAIL PROTECTED]
Sent: Tuesday, August 23, 2005 9:15 AM
Subject: Re: [pfSense Support] Upgrade from m0n0 to pfSense?

Hi,

first: pfSense isn't able to do 2 pppoe at the moment. A workaround is to use a router in front of the second wan of the pfsense and set the pfsense's second wan ip as dmz in this router.

second: if you want to use loadbalancing I have to disappoint you too. It needs some work still but should be implemented soon. multiwan however works (sending out traffic type a via wan1 and type b via wan2).

third: I think nobody has tested uploading a pfsense-image to the m0n0 webgui. It might be possible if you raise the php-upload-size of the m0n0 first to accept the larger image and if you have enough room to upload it. there will be a much smaller cf-image with one of the next versions, so you might just want to wait for that.

Holger
[pfSense Support] DNS Forwarder question
Currently you can only specify an IP address for entries. Some clients (such as my belkin network KVM) don't pass a client name. Others (such as my Series 2 TiVo) pass a less than useful one (in this case, the serial number.) Is there some reason this field couldn't take a name? Maybe generate a CNAME entry instead of an A entry? Or am I on drugs here?
Re: [pfSense Support] Upgrade from m0n0 to pfSense?
I did this with 0.74 and 0.76 but no success. I have one LAN and three WAN.

put gateway in the OPT1 and OPT2 interfaces
created nat outbound for lan via WAN OPT1 and OPT2
created rules for http for each interface

by now reading again the post of multi-wan in the blogspot I have doubt about the rules. I can have outgoing http for X machines via WAN and other rule for Y machines via OPT1? I will test this again.

Thanks
Moacyr

- Original Message -
From: Holger Bauer [EMAIL PROTECTED]
To: Moacyr Leite da Silva [EMAIL PROTECTED]; support@pfsense.com
Sent: Tuesday, August 23, 2005 10:11 AM
Subject: Re: [pfSense Support] Upgrade from m0n0 to pfSense?

http://pfsense.blogspot.com/2005/06/multi-wan.html
Re: [pfSense Support] ISO ?
Thanks for the input but one more ?

When I kick off the installer from the console menu in the way you specify ... it looks like it is installing FreeBSD/DragonflyBSD and not pfSense, and also another point is that there is no provisioning for making a swap partition/slice as there had been in previous installs.

Was the installer rewritten? Do I have to setup a swap slice or is it done automatically now?

Thanks!
--
David L. Strout
Engineering Systems Plus, LLC

- Original Message -
Subject: Re: [pfSense Support] ISO ?
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED];support@pfsense.com
Date: 08-23-2005 9:32 am

I would suggest doing it the following way:

1. Boot the LiveCD
2. Assign Interfaces at bootup (you'll be asked)
3. Config your settings for basic connectivity from the WebGui and make your WAN work (the settings will be used for the installation and you'll be able to run the online-update at the end of the installation process)
4. Enter installer from the shell menu (at the menu item prompt, not going to shell) including the online-update if you wish to do so

Holger

-----Original Message-----
From: David Strout [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 23 August 2005 15:25
To: support@pfsense.com
Subject: [pfSense Support] ISO ?

Everyone,

On the newest version of the ISO (0.79.2) it produces the same error as I've been getting on previous ISOs ... (Waiting for Backend). But in doing as the pfSense website indicates, "Run 'installer' from the menu", I get a new setup/install.

My ? is: are we to run installer from the menu or are we to go into the shell and run the {/FreeSBIE/scripts/installer.sh} script? I'm a little confused, but it looks like the installer from the menu is for installing F-BSD/DF-BSD, and the {FreeSBIE/scripts/installer.sh} script is for installing pfSense. Is this right?

Just looking for some clarification on the PROPER procedure for installing pfSense to the HDD.

Thanks all !!!
--
David L. Strout
Engineering Systems Plus, LLC
Re: [pfSense Support] wireless card on lan
I'll check it out. I really need to rip out the interfaces crap and redo it completely. But no time and a feature freeze. GRR.

On 8/23/05, alan walters [EMAIL PROTECTED] wrote:

Seems that if you put a wireless card in the lan there is no option to make it a hostap only bss and ibss. Also other features that are available in opt wireless interfaces are missing.
Re: [pfSense Support] captive portal
On 8/23/05, Tobias Frank [EMAIL PROTECTED] wrote:

Hello, when trying to use the captive portal on 0.79 there is a strange thing. Following ports work without authentication: MySQL, smtp, ping, ssh, name. Others I didn't check. m0n0wall (1.2b9) doesn't show this behaviour. Is this a bug or a feature?

That's rather strange. It's not doing that here. Can you send me your config.xml to [EMAIL PROTECTED] (remove the passwords).

Here's my configuration:

    212.x.x.x    192.168.0.x / 24    192.168.1.x / 24
    -| Router |--| FW |--| pfsense |-
    (WAN - 192.168.0.129) (LAN - 192.168.1.1)

I didn't check the checkbox block private networks because one of the Mail-Servers has a private ip-address (192.168.99.x)

Another feature of m0n0wall which I think is very useful is the Reauthentication in current beta version. So accounting works good for our use. Is it planned to integrate this feature in a future pfsense version?

I thought we were pretty much in sync. I'll take a look at it.

Scott
Re: [pfSense Support] wireless card on lan
On 8/23/05, Scott Ullrich [EMAIL PROTECTED] wrote:

I'll check it out. I really need to rip out the interfaces crap and redo it completely. But no time and a feature freeze. GRR.

Yeah, I think this work is slated for 2.x / next hackathon or something. The right way to do this requires a significant redesign for how interfaces work in pfSense. In the meantime it sounds like Scott will fix up the remaining screens to at least allow for the same info.

--Bill
Re: [pfSense Support] Upgrade from m0n0 to pfSense?
On 8/23/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

As a test, I tried to create a rule to send all VNC traffic over the OPT1 WAN interface, but it always used the default WAN interface. I must be missing something. How can this be done when the second WAN interface has a static IP?

Possibly, possibly not. Check /tmp/rules.debug for the rule that you're adding and please post it here to see if the gateway portion is being added correctly for the rule in question.

    # NAT Inbound Redircts
    ...
    rdr on xl2 proto tcp from any to port 5900 -> 192.168.1.230 port 5900
    rdr on xl1 proto tcp from any to port 5900 -> 192.168.1.230 port 5900
    # User-defined rules follow
    ...
    pass in quick on $WANII proto tcp from any to { 192.168.1.230 } port = 5900 keep state label "USER_RULE: NAT Allow VNC to buzz via WAN2"
    ...

That's inbound. The multi-wan code we're talking about is outbound. By default inbound traffic to an IP will return out the interface/gateway it came in on (as long as you have a gateway setup in the interface config). It's up to the user to get the inbound traffic on the right link, via DNS, or IP, or whatever other trick.

--Bill
Re: [pfSense Support] Upgrade from m0n0 to pfSense?
Crud, that explains a lot... I at least think that I have the outbound NAT entries setup for WAN and OPT1:

    nat on xl2 from 192.168.1.0/24 to any -> (xl2)
    nat on xl1 from 192.168.1.0/24 to any -> (xl1)

I seem to be stuck trying to create an outbound rule. Everything I try says "pass in" in the User-defined rules section of rules.debug. :(
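One way to run the check suggested in this thread (looking in /tmp/rules.debug for the gateway portion of a rule), as an added Python example that is not pfSense's own code. It assumes the gateway of a policy-routed rule appears as pf's `route-to ( interface gateway )` clause on a `pass in` rule for the LAN side; the sample lines, the `$LAN` macro name and the 192.0.2.1 gateway are constructed.

```python
import re

# Constructed sample in the style of the rules quoted in the thread. The
# route-to line, the $LAN macro and the gateway address are assumptions.
SAMPLE_RULES = '''\
# User-defined rules follow
pass in quick on $WANII proto tcp from any to { 192.168.1.230 } port = 5900 keep state label "USER_RULE: NAT Allow VNC to buzz via WAN2"
pass in quick on $LAN route-to ( xl1 192.0.2.1 ) proto tcp from 192.168.1.0/24 to any port = 5900 keep state label "USER_RULE: VNC out via WAN2"
pass in quick on $LAN proto tcp from 192.168.1.0/24 to any port = 80 keep state label "USER_RULE: HTTP out"
nat on xl1 from 192.168.1.0/24 to any -> (xl1)
'''

HEAD_RE = re.compile(r'^(pass|block)\s+(in|out)\b.*?\bon\s+(\S+)')
ROUTE_RE = re.compile(r'\broute-to\s+\(\s*(\S+)\s+(\S+)\s*\)')
LABEL_RE = re.compile(r'label\s+"([^"]*)"')

def parse_rule(line):
    """Return the fields of a pass/block rule, or None for other lines."""
    line = line.strip()
    head = HEAD_RE.match(line)
    if not head:
        return None  # comment, nat/rdr line, or syntax this sketch skips
    route = ROUTE_RE.search(line)
    label = LABEL_RE.search(line)
    return {
        "action": head.group(1),
        "direction": head.group(2),
        "iface": head.group(3),
        "gateway": route.groups() if route else None,
        "label": label.group(1) if label else "",
    }

def policy_routing_report(text, lan_iface="$LAN"):
    """Classify each USER_RULE: (label, kind, gateway).

    kind is 'not-lan' for rules on another interface (such rules match
    traffic arriving there, not LAN traffic leaving), 'routed' for LAN
    rules carrying a route-to gateway, 'default-route' for LAN rules
    without one.
    """
    report = []
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule is None or not rule["label"].startswith("USER_RULE"):
            continue
        if rule["iface"] != lan_iface:
            kind = "not-lan"
        elif rule["gateway"]:
            kind = "routed"
        else:
            kind = "default-route"
        report.append((rule["label"], kind, rule["gateway"]))
    return report

if __name__ == "__main__":
    for label, kind, gateway in policy_routing_report(SAMPLE_RULES):
        print(f"{kind:14} {gateway or '-'}  {label}")
```

A `pass in` rule on the LAN interface is evaluated when the client's packet enters the firewall, which is where pf applies `route-to` for traffic that will leave through a WAN.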
[pfSense Support] Anyone using failover DHCP?
If so, you need to do an update for a file I just committed. From the shell type:

    update_file.sh /etc/inc/services.inc

Now reboot each firewall.

Scott
Re: [pfSense Support] Multiple LAN Subnets on one Interface (was: Virtual IPs not working)
That config is a bit weird but doable with some changes.

I would suggest making LAN1 and LAN2 separate interfaces (if they are not already, from the line to the switch it seems to be one and virtual ips won't work for different subnets on the same nic) and different networks: Connect LAN1 to the one switch and LAN2 to the other one. Traffic between LAN1 and LAN2 will pass the firewall anyway, even if on the same switch with these subnets but you would get rid of some annoying Layer2-syslog-messages you should already see. Create Rules for LAN1 and LAN2 to allow traffic in any direction with any protocol to make them able to talk to each other.

Your Clients are all in LAN2 but some have as gateway the LAN1 IP of the pfsense. This won't work and I wonder if an OS is accepting that config anyway. Do we have a typo here?

Create virtual IPs on your WAN interface to accept the /28 subnet on the same nic. I would suggest doing it with CARP as this way you can add a failover system easily later. However, you'll see some broadcast traffic derived from that configuration but it won't hurt. Then use Firewall > NAT > port forward to forward traffic from the different wan ips to the servers in LAN1. Use Advanced Outbound NAT at Firewall > NAT > Outbound to make the servers map to the virtual IPs on the WAN-Interface.

If you have further problems come to the irc-channel ##pfsense at freenode. There are some people (including me) that are able to help you.

To clarify CARP/ProxyARP/Other:
CARP are virtual IPs that can be shared between systems (it's a fake layer2 mac that can be handed over). You can build a failover system with that.
ProxyARP is if you need fake MAC address replies on an interface to make another network device send traffic to a virtual ip to that interface.
Other is meant for IPs that come to your interface without the need to do layer2-magic to make it come to you.

Holger

-----Original Message-----
From: Bastian Schern [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 24 August 2005 00:10
To: support@pfsense.com
Subject: [pfSense Support] Multiple LAN Subnets on one Interface (was: Virtual IPs not working)

Hello,

in the meantime I already fixed some Problems around the old Topic (Virtual IPs not working). So I will describe my open Problem more detailed. This is a draft of my network configuration:

WAN: 213.xxx.xxx.64/28
LAN1: 192.168.0.0/24
LAN2: 192.168.3.0/24

[ASCII network diagram; the connecting lines did not survive. Labels in order of appearance:]
pfSense FW: WAN 213.xxx.xxx.66; LAN1,LAN2 192.168.0.1 and 192.168.3.1
Switch
Mailserver: LAN 192.168.0.2, WAN 213.xxx.xxx.68
Switch
SIP Server: LAN 192.168.0.3, WAN 213.xxx.xxx.67
PC 1: IP 192.168.3.21, Mask 255.255.255.0, GW 192.168.0.1
PC 2: IP 192.168.3.22, Mask 255.255.255.0, GW 192.168.0.1
PC 3: IP 192.168.3.23, Mask 255.255.255.0, GW 192.168.3.1

It is important that all PCs can connect to the Server and other way around. There are three types of virtual IPs: Proxy ARP, CARP, Other. Which one is the right for my configuration and where are the differences.

Regards
Bastian
[pfSense Support] Attention users with ISO installation problems
Please try 0.79.4 and report back if you have had problems with previous LiveCD's. Thanks!
Re: [pfSense Support] Attention users with ISO installation problems
Scott Ullrich wrote:

Please try 0.79.4 and report back if you have had problems with previous LiveCD's.

I have just done update (0.79.2 -> 0.79.4), and the first thing I noticed is that you lose all states in the table after the update reboot (ie: all connections broken - http, IPSec, etc.). To get it running, I simply disabled IPSec and re-enabled it again ... voila, all was well (tunnels, shaping, etc.).

P.S. This is a many times updated 0.68.x install. I have not tried the 0.79.2.iso as of yet.