RE: [pfSense Support] Incorrect System Log Order/Logging Bug?
2011/7/13 Jim Pingle <li...@pingle.org>:
> On 7/9/2011 9:17 PM, Dimitri Rodis wrote:
>> The system is and has been set to -8 (I am Pacific Daylight Time, USA), and hasn't been re/booted since the first boot on that build, and I have reported this issue back in RC1 and it still appears to be an issue. It almost looks as if check_reload_status (among a couple of others that haven't shown up in the log yet) specifically always logs with the wrong timestamp.
>
> Are you actually using the GMT +/- zone or a named zone such as America/Los_Angeles? http://www.timeanddate.com/worldclock/ ;-)

See screen snip below.

[screenshot image001.png not reproduced in the archive]
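The question above about "GMT +/-" versus a named zone points at a well-known trap: the Etc/GMT+N zone names, like POSIX TZ strings such as PST8PDT, count hours west of Greenwich, so "Etc/GMT-8" is UTC+08:00 and US Pacific standard time is spelled "Etc/GMT+8". The following script is an added example, not code from the thread or from pfSense; it parses those fixed-offset spellings without touching system tzdata and shows what a UTC timestamp would look like in a log under each of them. DST rules are deliberately not modelled, and the sample timestamp is constructed.

```python
"""Work out the UTC offset a fixed-offset time zone spelling really means.

Added example, not from the thread.  Etc/GMT+N zones and POSIX TZ strings
("PST8PDT") count hours WEST of Greenwich, so "Etc/GMT-8" is UTC+08:00 and
US Pacific standard time is "Etc/GMT+8".  Nothing here reads system tzdata,
so the checks run anywhere; DST rules are not modelled (use a named IANA
zone such as America/Los_Angeles when you need DST).
"""
import re
from datetime import datetime, timedelta, timezone

_ETC_RE = re.compile(r"^Etc/GMT(?:([+-])(\d{1,2}))?$")
# POSIX: <std name><offset>[<dst name>[...]]; offset = hours[:minutes] west of UTC.
_POSIX_RE = re.compile(r"^([A-Za-z]{3,})([+-]?\d{1,2})(?::(\d{2}))?(?:[A-Za-z]{3,}.*)?$")


def utc_offset_minutes(zone: str) -> int:
    """Standard-time offset from UTC in minutes, ISO sign (UTC-08:00 -> -480)."""
    m = _ETC_RE.match(zone)
    if m:
        sign, hours = m.groups()
        if sign is None:                      # plain "Etc/GMT"
            return 0
        # Etc/GMT+8 means 8 hours west of Greenwich, i.e. UTC-08:00: flip the sign.
        return -int(hours) * 60 if sign == "+" else int(hours) * 60
    m = _POSIX_RE.match(zone)
    if m:
        _, hours, minutes = m.groups()
        sign = -1 if hours.startswith("-") else 1
        west = sign * (abs(int(hours)) * 60 + int(minutes or 0))  # positive = west of UTC
        return -west
    raise ValueError(f"not a fixed-offset zone spelling: {zone!r}")


def etc_zone_for(iso_hours: int) -> str:
    """The Etc/GMT spelling that yields a given ISO offset, e.g. -8 -> 'Etc/GMT+8'."""
    if iso_hours == 0:
        return "Etc/GMT"
    return f"Etc/GMT{'+' if iso_hours < 0 else '-'}{abs(iso_hours)}"


def skew_hours(zone: str, wanted_iso_hours: int) -> float:
    """How far (hours) log timestamps under `zone` land from the offset you wanted."""
    return (utc_offset_minutes(zone) - wanted_iso_hours * 60) / 60


def localize(utc_iso: str, zone: str) -> str:
    """Render a naive ISO-8601 UTC timestamp the way a log line would show it under `zone`."""
    utc_ts = datetime.fromisoformat(utc_iso).replace(tzinfo=timezone.utc)
    tz = timezone(timedelta(minutes=utc_offset_minutes(zone)))
    return utc_ts.astimezone(tz).strftime("%Y-%m-%d %H:%M:%S %z")


if __name__ == "__main__":
    sample = "2011-07-08T22:12:29"          # constructed UTC timestamp
    for zone in ("Etc/GMT-8", "Etc/GMT+8", "PST8PDT"):
        print(f"{zone:10} -> {localize(sample, zone)}  (skew vs UTC-8: {skew_hours(zone, -8):+.0f} h)")
```

Run as-is it prints the same UTC instant under the three spellings; the 16-hour gap between "Etc/GMT-8" and "Etc/GMT+8" is the sign inversion. For incident correlation the safer choice is a named zone with DST, and checking `date` on the box against an external clock before trusting any log timestamp.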
[pfSense Support] Incorrect System Log Order/Logging Bug?
2.0-RC3 (i386) built on Mon Jun 27 13:31:27 EDT 2011

Can anyone else confirm what appears to be either a bug in the logging with respect to the timestamps or a bug in the sorting of the log entries? (I don't know which.) I have my log set to show newest on top, and the log is mostly in order, but notice how there are some entries in the middle of this screenshot that are newer than everything else. (The problem is that Jul 8 15:12:29 has not yet happened in my time zone; it is only shortly after 10 AM here.)

[screenshot image001.png not reproduced in the archive]

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com
[pfSense Support] NAT Reflection Broken in recent builds
Just put a new FW in production a day and a half/two days ago (it was a few days old from a fresh flash to CF: pfSense-2.0-RC1-2g-i386-20110519-1115-nanobsd.img) and I got the following message in a browser when folks were trying to hit sites hosted internally using NAT reflection:

nc: getaddrinfo: hostname nor servname provided, or not known

So yesterday I went ahead and told the thing to just upgrade to the latest build hoping that the problem would be resolved (the latest build showed RC2, yay), but it was not fixed, so I have reverted to my previous CF card, which has the following build, in which reflection seems to work properly for me (except for reflection on 1:1, which has always been flaky for me, but the websites/SMTP servers work flawlessly):

2.0-RC1 (i386) built on Mon Mar 14 17:33:11 EDT 2011

I can still potentially access anything on the newer build for debugging/troubleshooting purposes if someone needs it, since I have a spare unit that I can boot the CF on.

Thanks,

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com
RE: [pfSense Support] COM-port Watchguard Firebox X500 with 2.0-RC1
> Do you know if this is a special Firebox problem or a more general one? AFAIR FreeBSD supports the Realtek 8139C+ since version 5.2 or so. Should this driver still have problems with this chip, or is this a problem only on this special machine?
>
> Thanks
> Markus

The support has been present, but that doesn't mean the support is flawless. The problem is with the 8139C+ chip. I wouldn't be surprised if the problems with the re driver have something to do with the way the console is behaving. In my experience, the console once again begins to respond (for a while, anyway) if I get the re driver to watchdog timeout on the Firebox (strange, right?). You wouldn't think they are related, but I have made this happen a number of times this way, so it looks more like a correlation than a coincidence to me.

I have resigned myself to putting it aside until I can get a hardware sample to Pyun. I don't think the support for 8139C+ will ever be 100% (I'd take 99%) until this happens.

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com

---
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com
Commercial support available - https://portal.pfsense.org
RE: [pfSense Support] COM-port Watchguard Firebox X500 with 2.0-RC1
>> Executing rc.d items...
>> Starting /usr/local/etc/rc.d/*.sh...done.
>> Bootup complete
>>
>> ... and now we should see the login command shell.
>
> And what happens if you press return a couple of times at this point?
>
> -jim

I hate to break it to you guys, but this has been an issue for quite a while in the 2.0 builds (8-9 months now). Not quite sure what started it happening, but I did experience this behavior way back then, and still do when I try the builds on it every now and then. Even if you get the console to work, you are still going to get watchdog timeouts on the NICs of this unit, which is something that I have been working with the driver maintainer on for quite some time in order to try and fix.

Ideally, if someone in South Korea can donate a device (or someone that can send a device to South Korea) with a Realtek 8139C+ chip on it (like a Firebox X500, X700, X1000, or X2500), that is what it's going to take to fix the Realtek driver problem.

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com
[pfSense Support] Incorrect Sort on 2.0-RC1
2.0-RC1 (i386) built on Mon Mar 14 17:33:11 EDT 2011

Log sorting is set to newest first; however, the log sort is randomly incorrect (see screen snippet). I didn't see anything in redmine, thought I would check here first.

[screenshot image001.png not reproduced in the archive]

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com
[pfSense Support] Traffic that is explicitly allowed occasionally blocked
2.0-BETA5 (i386) built on Mon Feb 21 15:43:32 EST 2011

[screenshot image001.png not reproduced in the archive]

I am seeing the above occur maybe once a day or once every other day, but the source IP address is in an alias that is a list of aliases (and that list contains my mail server aliases). Whenever I see this, I manually try to telnet to the same IP on port 25 and the traffic is passed, yet the mail server shows a failed connection attempt in the logs which coincides with the firewall log as above.

I have a rule that explicitly allows port tcp/25 as a destination from my inbound mail servers alias group, and then there is a rule right beneath that rule that explicitly blocks outbound SMTP from all IP addresses on the subnet, and I have logging turned on for that rule. So, the rule beneath the one that should be triggered is being triggered instead. Is there a bug/race condition in rule evaluation?

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com
RE: [pfSense Support] Traffic that is explicitly allowed occasionally blocked
> No, those are RSTs and FINs coming after the state is closed, expected behavior.
> http://doc.pfsense.org/index.php/Logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection,_why%3F

Ok, but unless I'm misunderstanding, I am not logging packets blocked by the default rule, so why would this be logged? And how do I know which rule was applied to this traffic, like in the screenshot above?

[screenshot image001.png not reproduced in the archive]
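The explanation quoted above (blocked RSTs and FINs are the tail of a session whose state pf has already dropped) can be turned into a triage check: a blocked TCP packet that carries no SYN, for a connection the firewall earlier passed in either direction, is stale-state noise, whereas a blocked SYN is a real refused connection attempt. The script below is an added example, not code from the thread or from pfSense; the log lines are constructed in a simplified form (not pfSense's real log format), so `parse()` has to be adapted to whatever your logs look like.

```python
"""Separate 'blocked' log entries that are the tail of a closed TCP session
from genuine rule hits.

Added example, not from the thread.  A blocked TCP packet with no SYN, whose
connection (either direction) was earlier passed, is classified as the tail
of a closed state rather than a rule problem.  The log format and addresses
are constructed for the example; this is not pfSense's real log format.
"""
from typing import List, Tuple

# Constructed sample, oldest first.  TCP flags use pf's letters:
# S=SYN A=ACK F=FIN R=RST P=PSH; "-" means no flags (non-TCP).
SAMPLE_LOG = """\
Jul  8 10:05:01 pass  tcp 203.0.113.5:41234 -> 192.0.2.10:25 S
Jul  8 10:05:01 pass  tcp 192.0.2.10:25 -> 203.0.113.5:41234 SA
Jul  8 10:05:03 block tcp 203.0.113.5:41234 -> 192.0.2.10:25 FA
Jul  8 10:05:03 block tcp 192.0.2.10:25 -> 203.0.113.5:41234 R
Jul  8 10:06:10 block tcp 198.51.100.7:52000 -> 192.0.2.10:25 S
Jul  8 10:06:12 block udp 198.51.100.9:5353 -> 192.0.2.10:5353 -
"""

Entry = Tuple[str, str, str, str, str, str]   # (ts, action, proto, src, dst, flags)


def parse(log: str) -> List[Entry]:
    """Parse the constructed 'Mon D HH:MM:SS action proto src -> dst flags' lines."""
    entries = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 9 or parts[6] != "->":
            continue                              # skip anything not in the expected shape
        mon, day, hms, action, proto, src, _, dst, flags = parts
        entries.append((f"{mon} {day} {hms}", action, proto, src, dst, flags))
    return entries


def classify(entries: List[Entry]) -> List[Tuple[Entry, str]]:
    """Label every 'block' entry; 'pass' entries only feed the known-connection set."""
    passed = set()
    verdicts = []
    for e in entries:
        _, action, proto, src, dst, flags = e
        if action == "pass":
            passed.add((src, dst))
            continue
        if proto != "tcp":
            verdict = "non-tcp-block"
        elif "S" in flags and "A" not in flags:
            verdict = "new-connection-blocked"      # a real connection attempt was refused
        elif (src, dst) in passed or (dst, src) in passed:
            # No SYN and the connection was allowed earlier: pf has already dropped
            # the state, so this RST/FIN/ACK is the tail of a closed session.
            verdict = "closed-state-tail" if ("R" in flags or "F" in flags) else "out-of-state-ack"
        else:
            verdict = "no-matching-pass"            # mid-stream packet with no history
        verdicts.append((e, verdict))
    return verdicts


def needs_attention(log: str) -> List[Entry]:
    """Blocked entries a rule review should look at: everything except closed-state tails."""
    return [e for e, v in classify(parse(log)) if v != "closed-state-tail"]


if __name__ == "__main__":
    for entry, verdict in classify(parse(SAMPLE_LOG)):
        print(f"{entry[0]}  {entry[3]} -> {entry[4]} [{entry[5]}]  {verdict}")
```

The check only works where the pass rule is logged as well as the block rule; on pfSense a pass rule logs nothing unless logging is enabled on it, so without that the stale tail and a genuine mid-stream block look the same.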
RE: [pfSense Support] pfSense 2.0, upgrade to this morning's snap problem
> On Mon, Jan 24, 2011 at 7:42 PM, Dimitri Rodis <dimit...@integritasystems.com> wrote:
>> After an upgrade to this morning's snap, I received the following after the upgrade/reboot (it's what's on my PuTTY atm):
>>
>> Syncing OpenVPN settings...done.
>> Starting syslog...done.
>> Configuring firewall..done.
>> Starting PFLOG...done.
>> Setting up gateway monitors...done.
>> Synchronizing user settings...done.
>> Starting webConfigurator...done.
>> Configuring CRON...done.
>> Starting OpenNTP time client...done.
>> Starting DHCP service...done.
>> Starting DNS forwarder...done.
>> Configuring firewall..done.
>>
>> kernel trap 12 with interrupts disabled
>>
>> Fatal trap 12: page fault while in kernel mode
>> cpuid = 0; apic id = 00
>> fault virtual address   = 0x8
>> fault code              = supervisor read, page not present
>> instruction pointer     = 0x20:0xc094d130
>> stack pointer           = 0x28:0xc27d1b84
>> frame pointer           = 0x28:0xc27d1ba4
>> code segment            = base 0x0, limit 0xf, type 0x1b
>>                         = DPL 0, pres 1, def32 1, gran 1
>> processor eflags        = resume, IOPL = 0
>> current process         = 11 (swi4: clock)
>> trap number             = 12
>> panic: page fault
>> cpuid = 0
>> Uptime: 25s
>> Cannot dump. Device not defined or unavailable.
>> Automatic reboot in 15 seconds - press a key on the console to abort
>> -- Press a key on the console to reboot,
>> -- or switch off the system now.
>
> If you have a bridge setup please upgrade to the 2nd next snapshot.
>
> --
> Ermal

I did have ports bridged on this device, yes. For some reason, the device would still not boot even if I booted back to the original slice using the boot menu on the console. I ended up having to reflash my CF card and then it booted (but the config is still default). Then again, I don't know that I rebooted ever since I configured the bridge.

Thanks Ermal.
[pfSense Support] Traffic Graph accurate--but not the host list
pfSense 2.0, most recent builds

When I go to Status / Traffic Graph, the graph is correct but the list of hosts is not. I don't know if there's something I'm not doing, but here's what I did to test it:

Put a Windows machine (my laptop) on the LAN interface, and plug the WAN into my internal network. I connected to my file server from the laptop, and copied 10 GB of data from the file server to the laptop. When I did, the graph showed 98Mb of traffic fairly consistently, but the host list never showed more than a few kb of traffic for my laptop, and on the WAN side it never showed the file server's IP address at all.

It almost looks like the host list is only looking at traffic directed to pfSense itself, as opposed to through that particular interface. Anyone else confirm?

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com
[pfSense Support] pfSense 2.0, upgrade to this morning's snap problem
After an upgrade to this morning's snap, I received the following after the upgrade/reboot (it's what's on my PuTTY atm):

Syncing OpenVPN settings...done.
Starting syslog...done.
Configuring firewall..done.
Starting PFLOG...done.
Setting up gateway monitors...done.
Synchronizing user settings...done.
Starting webConfigurator...done.
Configuring CRON...done.
Starting OpenNTP time client...done.
Starting DHCP service...done.
Starting DNS forwarder...done.
Configuring firewall..done.

kernel trap 12 with interrupts disabled

Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0x8
fault code              = supervisor read, page not present
instruction pointer     = 0x20:0xc094d130
stack pointer           = 0x28:0xc27d1b84
frame pointer           = 0x28:0xc27d1ba4
code segment            = base 0x0, limit 0xf, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = resume, IOPL = 0
current process         = 11 (swi4: clock)
trap number             = 12
panic: page fault
cpuid = 0
Uptime: 25s
Cannot dump. Device not defined or unavailable.
Automatic reboot in 15 seconds - press a key on the console to abort
-- Press a key on the console to reboot,
-- or switch off the system now.
[pfSense Support] Bootup Complete - but no console
Running latest build of 2.0 on a Firebox X500 (just flashed 2 hours ago), totally clean. The box boots up and works fine; assigned LAN and WAN interfaces, no problem. The box responds to console input until you get to "Bootup complete", and you never get the console menu. Webconfigurator works; if you ssh in to the box and log in, you get the console menu, but you never get it on the COM console, and the COM console does not respond to keyboard input of any kind. But that's the only thing that doesn't work; the box seems to be usable besides this. Odd... Any reasons why this might be?

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com
[pfSense Support] Alias Renaming Issue
pfSense 2.0-BETA5 (i386) built on Wed Jan 19 12:45:14 EST 2011

I created a NAT rule with a linked firewall rule using a port alias that I called OWA_PORTS. After creating the rule I decided to rename the port alias to PORTS_WEBSERVER. When I did, the alias was renamed in the NAT rule properly, but it was not updated in the linked firewall rule, and now in the log I see:

php: : filter_generate_address: OWA_PORTS is not a valid source port.

Opening up the NAT rule and just hitting save again did cause the firewall rule to update (as a workaround), but you first have to notice that your stuff doesn't work ;)

Anyone else see this?

Dimitri Rodis
http://www.integritasystems.com
[pfSense Support] 1:1 NAT Entry issue - Bug or mistake?
pfSense 2.0-BETA5 (i386) built on Wed Jan 19 12:45:14 EST 2011

When I try to use an alias in the Internal IP field (suppose the alias was ) I receive the following error upon saving (or trying to save):

The following input errors were detected: is not a valid internal IP address

I know in 2.0 you could not use aliases in the 1:1 fields, but in this version the boxes are RED, implying that aliases are allowed. I don't know if this is a bug or just a mistake (in formatting the fields RED), but in any event it looks like something needs to be fixed or changed. I did not try using an alias in the External Subnet IP field, although it is RED also.

Anyone else see this?

Dimitri Rodis
http://www.integritasystems.com
RE: [pfSense Support] 1:1 NAT Entry issue - Bug or mistake?
> On Thu, Jan 20, 2011 at 9:28 PM, Dimitri Rodis <dimit...@integritasystems.com> wrote:
>> pfSense 2.0-BETA5 (i386) built on Wed Jan 19 12:45:14 EST 2011
>>
>> When I try to use an alias in the Internal IP field (suppose the alias was ) I receive the following error upon saving (or trying to save):
>>
>> The following input errors were detected: is not a valid internal IP address
>>
>> I know in 2.0 you could not use aliases in the 1:1 fields, but in this version the boxes are RED, implying that aliases are allowed. I don't know if this is a bug or just a mistake (in formatting the fields RED), but in any event it looks like something needs to be fixed or changed. I did not try using an alias in the External Subnet IP field, although it is RED also.
>
> That's correct, the fields shouldn't be red though, I just fixed that. Aliases aren't supported in binat in pf.

Even if binat doesn't support them, they could theoretically be resolved via code prior to updating the rules in 2.1 :)
RE: [pfSense Support] Testing 2.0 - What is the upgrade and downgrade process for Daily snapshots?
> Hi Everyone,
>
> Just loaded a nanobsd image of pfSense 2.0 onto a CF card for an Alix board. I have only used v1.2.3 in the past and I never used the internet to upgrade it. In fact, I am under the impression that v1.2.3 is the latest and there are no upgrades to it. I am wondering if there is a nice and easy way of upgrading 2.0 to the new daily snapshots or to downgrade a day or two back?
>
> Thanks,

When you flash an image appropriate to the size of the CF you are using, there are two partitions that are flashed (slices). When you upgrade, it upgrades the slice you aren't using with the new version, and if that doesn't work, you can use the GUI to boot off of the old slice. Very nice and easy.

Dimitri
RE: [pfSense Support] CARP IP/Hyper-V/Hyper-V R2
> On Mon, Nov 15, 2010 at 9:57 PM, Evgeny Yurchenko <evg.yu...@rogers.com> wrote:
>> I do not know a lot about Hyper-V, but in VMware, for instance, you can block frames with 'faked' MAC addresses. Probably you hit the same problem, as CARP packets have MAC addresses that are 'not real' but specifically crafted.
>
> I'm sure that's exactly the problem, something in Hyper-V changed to block/break that. Better to ask on a Microsoft forum why you can no longer use two MAC addresses on the same host.

For what it's worth, I figured this out a few days back thanks to Evgeny's hint. On the virtual NICs on the virtual machine itself in Hyper-V R2, there is a checkbox labeled "Allow MAC Address Spoofing" (or something close to that). Checking that box allows the CARP addresses to work fine.
RE: [pfSense Support] CARP IP/Hyper-V/Hyper-V R2
> On 10-11-15 09:22 PM, Dimitri Rodis wrote:
>> I recently migrated a pfSense virtual machine (version 1.2.2) that was running flawlessly on Hyper-V (first release) with 2 additional CARP IP addresses on the WAN interface for about 16 months. Over the weekend, I migrated that virtual machine over to a Hyper-V R2 machine, and all was well except that the 2 additional CARP IPs do not respond to traffic (although traffic to/from/in/out of the WAN's actual IP works fine). After rebooting nearly every piece of equipment between the servers and the ISP, the only thing that made the CARP IPs work again was migrating the virtual machine back to the original Hyper-V (non-R2) host.
>>
>> Any ideas on why CARP IPs wouldn't work on Hyper-V R2? Is there something since 1.2.2 that might change this?
>>
>> Thanks,
>>
>> Dimitri Rodis
>> Integrita Systems LLC
>> http://www.integritasystems.com
>
> I do not know a lot about Hyper-V, but in VMware, for instance, you can block frames with 'faked' MAC addresses. Probably you hit the same problem, as CARP packets have MAC addresses that are 'not real' but specifically crafted. Weird thing though in your e-mail is that you mention only one virtual machine... do you use CARP IPs with one pfSense? If yes, then why would you need such a setup?
>
> Evgeny.

I have several public IPs from the ISP, and need to use each of them for different purposes (SSL/TCP-443 for different sites/services). I use CARP addresses for the rest of the IPs I've been given; then if I get the opportunity to add redundancy, they are already set up that way.

Obviously the point is that the additional CARP addresses don't seem to function at all when pfSense is run under Hyper-V R2 as opposed to Hyper-V R1, and I am hoping to resolve that issue so that the old server can be formatted and upgraded and added to the cluster. FWIW, both hosts are Dell PowerEdge 2900s *identically* configured, with the only exception currently being the amount of RAM,
[pfSense Support] CARP IP/Hyper-V/Hyper-V R2
I recently migrated a pfSense virtual machine (version 1.2.2) that was running flawlessly on Hyper-V (first release) with 2 additional CARP IP addresses on the WAN interface for about 16 months. Over the weekend, I migrated that virtual machine over to a Hyper-V R2 machine, and all was well except that the 2 additional CARP IPs do not respond to traffic (although traffic to/from/in/out of the WAN's actual IP works fine). After rebooting nearly every piece of equipment between the servers and the ISP, the only thing that made the CARP IPs work again was migrating the virtual machine back to the original Hyper-V (non-R2) host.

Any ideas on why CARP IPs wouldn't work on Hyper-V R2? Is there something since 1.2.2 that might change this?

Thanks,

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com
RE: [pfSense Support] CARP and NAT problems
If the port forwards are on the WAN addresses themselves, to my knowledge they will not fail over. My understanding is that all addresses (and port forwards) that you intend to survive a failover must be on CARP addresses.

Dimitri Rodis
Integrita Systems LLC

-----Original Message-----
From: Justin The Cynical [mailto:cyni...@penguinness.org]
Sent: Sunday, May 30, 2010 10:56 PM
To: support@pfsense.com
Subject: [pfSense Support] CARP and NAT problems

Greetings.

I finally set up a failover box for CARP. And so far, everything seems to be working fine, with one minor detail.

WAN IP range: .65 - .96
.66 - .68 are set up as CARP
.65 and .69 are the WAN interfaces
Port forwards on .65 and .69

The problem: When this was a single machine, I had port forwards set up on all the IPs, and everything was peachy. However, now with multiple machines, the port forwards on the WAN interfaces will work depending on the machine that is active.

Take a port forward from .65 to internal address (master)
Take a port forward from .69 to internal address (backup)

The port forward to .65 works, but the .69 does not. If the machines fail over (.69 becomes the active machine), the forward for .69 works, but the .65 does not. When .65 comes back up as the active box, the forward on .69 stops working.

And since I don't have the WAN addresses as a VIP, this also breaks AON for the mentioned IPs. Last time I looked, I was told that the WAN addresses were useable for IB/OB NAT, but it appears this is not the case, or I'm missing something.

Any suggestions on where to look or any words of wisdom?

Thank you,
Justin
RE: [pfSense Support] Wierd CARP problem
> On Thu, Apr 22, 2010 at 7:51 PM, Dimitri Rodis <dimit...@integritasystems.com> wrote:
>> I would really like to see this work reliably at some point. From what I can tell, this problem is not limited to just Fireboxes; it is on pretty much all NICs that have RTL8139C+ chips on them.
>
> There is something specific about the Fireboxes (and some other scenarios), but the re(4) driver isn't always that problematic. I have at least two boxes that function normally even under heavy load with such cards.

Yes, the re(4) driver is considered stable, but it depends on which Realtek chip you're talking about. The RTL8139C+ chip specifically has (and has had) this problem since 6.x from what I can tell, and there were/are apparently a number of things that were causing timeouts. A good portion of those issues have been fixed by Pyun over the last couple of years (which have reduced the occurrence of timeouts with RTL8139C+ chips; this I can personally attest to), but there are some other undiscovered cases where they still occur.

I am also willing to put more time into testing/fixing it, but when the maintainer of the driver itself cries uncle, I'm not going to twist his arm unless I have something that makes sense for him to change (and I am out of ideas). What he believes is that there is some undocumented change (or bug) in that chip that we wouldn't have any hope of fixing without an engineer from Realtek. So, if anyone has any connections, the entire FreeBSD-Realtek-RTL8139C+-using community would likely thank you... profusely, even :)
RE: [pfSense Support] Wierd CARP problem
> On Mon, Apr 19, 2010 at 6:56 PM, Hans Maes <h...@bitnet.be> wrote:
>> Although it is definitely related to the type of NICs in the Watchguard boards, I'm still not completely convinced this is 100% a hardware problem, since the Watchguard Linux OS seems to work just fine on it. Sounds more like a FreeBSD driver problem to me, and therefore not directly related to pfSense.
>
> It's not a hardware problem any more than the countless workarounds already in the Realtek drivers for hardware bugs are hardware problems; it's likely just yet another quirk in a different implementation of the same chipset that isn't worked around in FreeBSD.

It's most likely a hardware quirk with a software workaround that doesn't exist in FreeBSD (7.2 at least). I have put in quite a bit of time into getting this to work, along with Pyun YongHyeon, the current maintainer of the Realtek driver(s) in FreeBSD. He has sent me several patches and has had me set several other options, and I repeatedly flashed new pfSense builds and tested the changes (he and I were at this for about a month). While his initial changes made a big difference and greatly reduced the watchdog timeouts, we could never completely eliminate them. Before I became involved, the problem was much, much worse than it is today. However, Pyun ran out of ideas and needed to move on to other things (understandably). We were working against 8 prior to its release.

I would really like to see this work reliably at some point. From what I can tell, this problem is not limited to just Fireboxes; it is on pretty much all NICs that have RTL8139C+ chips on them.

>> Has anyone tested pfSense 2.0 on these Fireboxes? Since it is based on a newer version of FreeBSD, maybe an updated NIC driver solves these issues?
>
> If anyone has any interest in putting in the time to help get it fixed, that's where I would start, and post any problems to the freebsd-net list. 2.0 is based on RELENG_8, what will become 8.1.
RE: [pfSense Support] Redirect to Captive Portal is not working
Stupid question: the pfSense box is (still) the gateway address for your network, right?

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com

-----Original Message-----
From: apiase...@midatlanticbb.com [mailto:apiase...@midatlanticbb.com]
Sent: Thursday, June 11, 2009 5:42 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Redirect to Captive Portal is not working

Try another PC? I've seen issues where pop-up blockers, all kinds of anti-whatever stuff, will prevent it. After all, you're being redirected to a page you didn't type in. I would think a reinstall would have fixed any issue with the software being corrupt.

Adam

Atkins, Dwane P wrote:
> We are experiencing an issue where the redirection has stopped working for Captive Portal. We have a series of pfSense devices set up the same way and this one just decided to stop. Yesterday, we upgraded to 1.2.3 RC1 to see if that corrected the issue. I also removed and reinstalled all the CP pages. Neither fixed the issue. Does anyone have anything we can look at on the device? We can http into both inside and outside interfaces with no issues. We do get a DHCP address served from the pfSense device. Any help would be appreciated.
>
> Dwane
RE: [pfSense Support] Re: Can't get more than 15kpps.
My understanding is that the Giant lock is gone from the FreeBSD network stack in 8: http://unix.derkeiler.com/Mailing-Lists/FreeBSD/arch/2009-04/msg00075.html

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com

-----Original Message-----
From: Bill Marquette [mailto:bill.marque...@gmail.com]
Sent: Wednesday, May 13, 2009 4:13 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Re: Can't get more than 15kpps.

On Wed, May 13, 2009 at 10:25 AM, Bill McIlhargey Jr <b...@mcilhargey.com> wrote:
> Sounds like overkill for pfSense! :D
>
> Message sent from my iPhone
> Bill McIlhargey Jr
> COMPUTERONIX, LLC
> 978.500.5936
> supp...@compute-ronix.com
> www.compute-ronix.com

It's only overkill if you don't need the horsepower... with that said, pfSense isn't going to scale anywhere near linearly given PF being under the Giant lock, although it will scale a bit with more cores.

--Bill
RE: [pfSense Support] Captive Portal Question
I'm drafting a reply. Be done shortly.

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com

-----Original Message-----
From: Tim Dressel [mailto:tjdres...@gmail.com]
Sent: Friday, May 08, 2009 11:11 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Captive Portal Question

I agree completely. What we were using it for is all our wired clients and wireless *were* on the same internal LAN. The captive portal was enabled on the LAN interface. All wired clients had mac-bypass entries, and the wireless clients had to get past the captive portal. What I'm thinking is that I will have to investigate some sort of rogue detection, or maybe network access protection for the wired clients, and then completely separate the wireless traffic on another interface.

I'm still interested though in anyone out there with large numbers of mac-bypass entries. Any takers?

Cheers,

P.S. Chris/pfSense team, I am consistently impressed by this product. You guys do very good work, and my team and I appreciate your efforts immensely. The coding is important, but the community support is above and beyond!

On Fri, May 8, 2009 at 10:25 PM, RB <aoz@gmail.com> wrote:
> On Fri, May 8, 2009 at 22:06, Tim Dressel <tjdres...@gmail.com> wrote:
>> Finally, I'd appreciate any feedback out there on installs with counts on mac bypass entries topping a 1000 count. I am considering tying together several of my networks and would like to know what the upper end on the captive portal looks like.
>
> The captive portal's default configuration is to filter users by MAC address. The main difference between that and what you're doing is that the MAC entries are made dynamically each time a user logs in. That said, I have run a pair of Dell 2660s (dual 2GHz, 2GB) in that default configuration over a high-churn environment with several thousand unique clients per day with no ill effect.
>
> My concern was not whether pfSense could handle the number of entries, but mainly administrative overhead. Maintaining a list of even 100 MACs is terribly cumbersome, especially considering how trivial MAC-only authentication is to bypass. Additionally, some of pfSense's GUI components just don't scale well - there are some diagnostic pages (DHCP status, CP status, ARP tables, etc.) that I've just become accustomed to not using if the client count is over a couple hundred.
>
> Check your system's RRD graphs during the slowdown - if your states, queues, or CPU aren't pegged, pfSense is likely not the culprit.
RE: [pfSense Support] Captive Portal Question
We use the switches in a client's executive office suite buildings. We needed a way to provide internet access on a per suite basis, and we needed to provide public addresses on an as-needed basis (if they had a mail server, for example). We had a previous solution in place, but it was about 8-9 years old, and required manual intervention when tenants move from suite to suite (which happens a lot in these buildings).

So our new (15 month old at this point) setup has 3 vlans on the switches: private unauthenticated, private authenticated, and public authenticated. (private and public refer to the address spaces in use on the vlans). As part of that setup, we use mac-based authentication on the HP switches. So, a client (aka tenant) can be plugged into any port on the switch, and the FreeRADIUS package from pfSense can provide authentication and VLAN assignments to the switch, and the switch will use the RADIUS information to put them on the correct VLAN automatically. For any client that does not authenticate, the switch throws them on the private unauthenticated vlan, and then the client cannot get on the internet without authenticating with the pfsense captive portal (the custom captive portal page pretty much says hey, you aren't getting on the internet unless you pay the landlord more $$. If you want access, call up xxx and give them this mac address: xx:xx:xx:xx:xx:xx). If their mac address is present in FreeRADIUS, then they get put on whatever vlan is assigned them from the vlan box. The private authenticated vlan is a private address space vlan that is NATted to the internet, and the public authenticated vlan is directly on the internet.

In order to keep clients from seeing each other on the private authenticated vlan (basically this vlan is for tenants that have a single pc with no router), we add the following to each client entry in the Additional RADIUS Options box:

    HP-Nas-Filter-Rule = permit in ip from any to 172.20.1.1,
    HP-Nas-Filter-Rule += deny in ip from any to 172.20.1.0/24,
    HP-Nas-Filter-Rule += permit in ip from any to 0.0.0.0/0

This permits the clients to talk to the gateway and the rest of the internet, but not to any other machine on the same subnet.

I don't know how much of this applies to your setup, but to sum up this solution, unauthenticated clients get put on a vlan that can't get on the internet (they can, but are stopped by a custom captive portal page from pfSense that tells them what to do), and authenticated clients get put on vlans that can freely access the internet. In your case, you might just need to use FreeRADIUS along with some switch ACLs (in the Additional RADIUS Options box) to allow/limit/prevent internet access.

Hopefully that made some sense. It's a bit tough to describe without seeing it! :)

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com

-----Original Message-----
From: Tim Dressel [mailto:tjdres...@gmail.com]
Sent: Friday, May 08, 2009 9:07 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Captive Portal Question

Hi folks,

Just an update. I built a new machine from the ground up today. Took a backup from the old machine, and just copied and pasted the 300+ mac-bypass entries into the new config file. Everything is working well, and as expected.

I'm interested though Dimitri on the switch issue. I'm connected entirely to new managed HP 2848's and 2510G-48's and I have great LAN performance. Are you doing something directly with your switches as far as authentication goes, or did you just include the switches for completeness?

Finally, I'd appreciate any feedback out there on installs with counts on mac bypass entries topping a 1000 count. I am considering tying together several of my networks and would like to know what the upper end on the captive portal looks like.

Thanks!

On Fri, May 8, 2009 at 1:33 AM, Dimitri Rodis dimit...@integritasystems.com wrote:

We have a pfSense setup with the FreeRADIUS package that authenticates folks that plug in to HP 3500yl and 2626 switches-- the set up is for a few executive office suite buildings that are linked together by fiber and all share a single 10Mb symmetric connection to the internet. 0 problems for about 15 months now--still running on 1.2-release. If you have some good managed switches, that's the way to do it IMHO.

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com

-----Original Message-----
From: RB [mailto:aoz@gmail.com]
Sent: Thursday, May 07, 2009 3:16 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Captive Portal Question

On Thu, May 7, 2009 at 15:55, Tim Dressel tjdres...@gmail.com wrote:

1. What is the limitation on the number of mac-bypass entries? And is what I am seeing expected with 300 entries?

I'm sure someone will chime in with the precise ipfw limitation, but this is mostly going to be dependent on your system's performance specs - memory CPU.

2. If I
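A first-match evaluation of the HP-Nas-Filter-Rule ACL from Dimitri's post above, as an added example that is not code from pfSense, FreeRADIUS, HP or the poster. It parses the three attribute lines exactly as typed into the Additional RADIUS Options box, applies them in order to a few destination addresses, and shows why the order matters for client isolation. The rule grammar handled (only the "permit|deny in ip from any to <dst>" form the post uses), the implicit deny at the end of the ACL, and the 172.20.1.57 tenant address are assumptions made for the example.

```python
"""Added example: first-match evaluation of the HP-Nas-Filter-Rule ACL
quoted in the post (not pfSense, FreeRADIUS or HP code).

Only the rule subset the post uses is supported:
    <permit|deny> in ip from any to <ip-or-cidr>
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed: the three attribute lines from the post, in the FreeRADIUS
# users-file syntax used by the "Additional RADIUS Options" box.
RADIUS_OPTIONS = """\
HP-Nas-Filter-Rule = permit in ip from any to 172.20.1.1,
HP-Nas-Filter-Rule += deny in ip from any to 172.20.1.0/24,
HP-Nas-Filter-Rule += permit in ip from any to 0.0.0.0/0
"""


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    dst: ipaddress.IPv4Network      # destination prefix (a bare host is /32)


def parse_rules(text: str) -> list[Rule]:
    """Extract the HP-Nas-Filter-Rule values, in order, from users-file lines."""
    rules: list[Rule] = []
    for raw in text.splitlines():
        line = raw.strip().rstrip(",")
        if not line.startswith("HP-Nas-Filter-Rule"):
            continue
        # Both "=" and "+=" leave the rule text to the right of the first "=".
        _, value = line.split("=", 1)
        words = value.strip().split()
        if (len(words) != 7 or words[0] not in ("permit", "deny")
                or words[1:6] != ["in", "ip", "from", "any", "to"]):
            raise ValueError(f"unsupported rule syntax: {value.strip()}")
        rules.append(Rule(words[0], ipaddress.IPv4Network(words[6], strict=False)))
    return rules


def is_permitted(rules: list[Rule], dst: str) -> bool:
    """First matching rule wins.  Assumption: an unmatched packet is denied,
    as with the implicit deny at the end of most switch ACLs."""
    addr = ipaddress.IPv4Address(dst)
    for rule in rules:
        if addr in rule.dst:
            return rule.action == "permit"
    return False


def isolation_report(rules: list[Rule], targets: list[str]) -> dict[str, bool]:
    """Map each destination to whether the ACL lets the tenant reach it."""
    return {t: is_permitted(rules, t) for t in targets}


if __name__ == "__main__":
    acl = parse_rules(RADIUS_OPTIONS)
    # Gateway (permitted), another tenant on the /24 (denied), internet (permitted).
    print(isolation_report(acl, ["172.20.1.1", "172.20.1.57", "8.8.8.8"]))
    # Swapping the first two rules would cut the tenant off from its own gateway.
    swapped = [acl[1], acl[0], acl[2]]
    print(isolation_report(swapped, ["172.20.1.1"]))
```

The gateway permit has to come before the subnet deny because the gateway sits inside the denied /24; evaluating the rules in the reverse order blocks the tenant's default route, which is the usual way an isolation ACL like this gets broken when it is copied between entries.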
RE: [pfSense Support] Captive Portal Question
We have a pfSense setup with the FreeRADIUS package that authenticates folks that plug in to HP 3500yl and 2626 switches-- the set up is for a few executive office suite buildings that are linked together by fiber and all share a single 10Mb symmetric connection to the internet. 0 problems for about 15 months now--still running on 1.2-release. If you have some good managed switches, that's the way to do it IMHO.

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com

-----Original Message-----
From: RB [mailto:aoz@gmail.com]
Sent: Thursday, May 07, 2009 3:16 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Captive Portal Question

On Thu, May 7, 2009 at 15:55, Tim Dressel tjdres...@gmail.com wrote:

1. What is the limitation on the number of mac-bypass entries? And is what I am seeing expected with 300 entries?

I'm sure someone will chime in with the precise ipfw limitation, but this is mostly going to be dependent on your system's performance specs - memory CPU.

2. If I should not be doing this with 300 clients, is anyone using another FOSS product to do MAC authenticated control outbound from their firewall?

Possibly, but [as I hope you know] MAC filtering only keeps honest people honest, it is in no way any form of authentication. At that number of unique users, you may be better served by setting up an actual RADIUS server to do proper authentication and AAA instead of manually maintaining tables.
RE: [pfSense Support] Attention Firebox X Series Users - Testing Needed
Currently, we have a couple of people (including myself just Monday) that were able to reproduce watchdog timeouts on these units, although they seem to be significantly reduced relative to previous builds. I am still working with Pyun to try and get the issue resolved. Of course, we won't know that it's fully resolved without people willing to beat these units up after patches make their way into builds, so the more people we have, the better.

Folks interested in trying to narrow the remaining issues down should follow (and post) on the forum, here: http://forum.pfsense.org/index.php/topic,15669.0.html

Thanks,

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com

-----Original Message-----
From: Joshua Schmidlkofer [mailto:joshl...@gmail.com]
Sent: Tuesday, April 28, 2009 8:23 PM
To: support@pfsense.com; j...@pax2cargo.com
Subject: Re: [pfSense Support] Attention Firebox X Series Users - Testing Needed

On 4/18/09 11:17 AM, Dimitri Rodis wrote:

Attention Firebox X500/700/1000 Users using pfSense:

Watchdog timeouts gettin' you down? Thinkin' about throwin' that old Firebox into the fireplace? Don't do that just yet!

Thanks to the pfSense devs, along with Pyun YongHyeon, the maintainer for the FreeBSD Realtek network driver, it appears that we may have solved the issue with the watchdog timeouts on the Realtek 8139C+ chips that are used in these units. For the past couple of days, I have worked with Pyun, and yesterday Pyun sent me a patch, and that patch was committed to the 1.2.3 snapshot builds, as well as to the 2.0 alpha snapshot builds by the pfSense devs, and is part of any snapshot build as of yesterday (4/17) at 2pm Eastern time, or later.

Snapshot builds can be downloaded from http://snapshots.pfsense.org/FreeBSD7/RELENG_1_2/ or http://snapshots.pfsense.org/FreeBSD7/HEAD/

I have been testing a build with this patch since yesterday, and have yet to see a single watchdog timeout on my interfaces - and no modifications to loader.conf have been made. This is a default install - no special options have been set anywhere.

If at all possible, please try to install a recent snapshot build on your firebox units (those of you that have them) and test this patch. If you do still receive watchdog timeouts, please let me know either on this list, or off-list. Either way, please try to detail what you were doing when the watchdog timeout occurred so that we can try to reproduce it, and Pyun can fix it.

Thanks to all that have helped, and thanks to those that are willing to test!

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com

HOT! We are so looking into this. We have 5 watchguards which we can use for this project, and I hate the idea of them collecting dust. Count us IN!
RE: [pfSense Support] Attention Firebox X Series Users - Testing Needed
Unfortunately, they aren't completely gone. I've been able to consistently get watchdog timeouts on 1.2.3 since Monday (including the official RC1 released yesterday) by simply browsing the web interface on the LAN side (I usually use re2) using Internet Explorer 7 (All I ever do is just click between options in the GUI, and I get them after 10-15 clicks). The patch that was put in definitely helped, though (a lot). I'm still working with Pyun (the maintainer of the FreeBSD Realtek driver) on a solution.

I do have yet to reproduce watchdog timeouts on 2.0, however, although one person has reported that 2.0 gives him timeouts (see http://forum.pfsense.org/index.php?topic=15669). I don't yet have an explanation as to why I get timeouts in 1.2.3 and not in 2.0, but I'm working on figuring out why.

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com

-----Original Message-----
From: Tim Nelson [mailto:tnel...@fudnet.net]
Sent: Thursday, April 23, 2009 7:43 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Attention Firebox X Series Users - Testing Needed

Well, I threw the latest 1.2.3-RC1 on a CF card and booted up my X500. I've been passing all sorts of traffic through it (WAN and OPT1 bridge) with no pauses in traffic or watchdog timeouts. My traffic has been anything from netperf tests TCP and UDP, raw FTP traffic, random web browsing, and some very heavy bittorrent traffic (Latest Ubuntu released today :-) ). In fact, I've run some of those tests concurrently. Thus far, after saturating the 100mbit link through the bridge for nearly 4 hours, I've yet to see a problem. I can post any additional information you need, just let me know.

This X500 is 100% stock with the exception of the CF card. The 64MB CF was a bit small so it was replaced with a Sandisk 256MB I had lying around.

Out of curiosity, what is the largest DIMM these units will accept? They come with 256MB which seems a bit light. I'd like to throw a 1GB stick in if possible.

--Tim

Dimitri Rodis wrote:

Attention Firebox X500/700/1000 Users using pfSense:

Watchdog timeouts gettin' you down? Thinkin' about throwin' that old Firebox into the fireplace? Don't do that just yet!

Thanks to the pfSense devs, along with Pyun YongHyeon, the maintainer for the FreeBSD Realtek network driver, it appears that we may have solved the issue with the watchdog timeouts on the Realtek 8139C+ chips that are used in these units. For the past couple of days, I have worked with Pyun, and yesterday Pyun sent me a patch, and that patch was committed to the 1.2.3 snapshot builds, as well as to the 2.0 alpha snapshot builds by the pfSense devs, and is part of any snapshot build as of yesterday (4/17) at 2pm Eastern time, or later.

Snapshot builds can be downloaded from http://snapshots.pfsense.org/FreeBSD7/RELENG_1_2/ or http://snapshots.pfsense.org/FreeBSD7/HEAD/

I have been testing a build with this patch since yesterday, and have yet to see a single watchdog timeout on my interfaces - and no modifications to loader.conf have been made. This is a default install - no special options have been set anywhere.

If at all possible, please try to install a recent snapshot build on your firebox units (those of you that have them) and test this patch. If you do still receive watchdog timeouts, please let me know either on this list, or off-list. Either way, please try to detail what you were doing when the watchdog timeout occurred so that we can try to reproduce it, and Pyun can fix it.

Thanks to all that have helped, and thanks to those that are willing to test!

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com
RE: [pfSense Support] 1.2.3-RC1 released!
Tim,

See http://forum.pfsense.org/index.php?topic=15669 if you have issues with the Firebox. I'm collecting as much data as I can from those that are having issues.

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com

-----Original Message-----
From: Tim Nelson [mailto:tnel...@fudnet.net]
Sent: Wednesday, April 22, 2009 8:37 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] 1.2.3-RC1 released!

THANK YOU!!! Running to test on a system or two including my Firebox X500

--Tim

Chris Buechler wrote:

Info here: http://blog.pfsense.org/?p=428
RE: [pfSense Support] Can captive portal authenticate based on windows login
Microsoft Internet Security and Acceleration Server (ISA Server), and you need to have AD. I've used it, but only in this particular case. I do not know of anything in the open source world that works reliably specifically the way you want it to. (That is not to say that nothing exists, I just may not know about it). With respect to ISA, there is a client installation (aka Firewall Client) that is required to make the authentication transparent--without it, it would work just like pfSense would-- with RADIUS against AD, and the user would have to enter credentials manually.

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com

-----Original Message-----
From: Ryan [mailto:radiote...@aaremail.com]
Sent: Tuesday, April 21, 2009 11:50 AM
To: support@pfsense.com
Subject: RE: [pfSense Support] Can captive portal authenticate based on windows login

Without seeing the CP screen, automatically logging them in with Windows credentials, no. You can authenticate them on the CP screen with RADIUS using their Windows credentials to IAS on a Windows Server DC (if you're using AD).

I kinda thought that was the case. Thank you for your help Chris. Do you know of anything that might do this?
RE: [pfSense Support] Can captive portal authenticate based on windows login
Single Sign-on (aka one set of credentials) is one thing, the captive portal's ability to automatically _receive_ (and authenticate) the credentials from the requesting client/browser is another. Unless I'm misunderstanding, Ryan wants to get rid of the username/password prompt from the captive portal, and have the current windows logon credentials automatically pass to the captive portal, which is currently not possible with pfSense-- ISA Server is the only thing I know of that does this.

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com

-----Original Message-----
From: Jim Pingle [mailto:li...@pingle.org]
Sent: Tuesday, April 21, 2009 1:18 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Can captive portal authenticate based on windows login

Ryan wrote:

Without seeing the CP screen, automatically logging them in with Windows credentials, no. You can authenticate them on the CP screen with RADIUS using their Windows credentials to IAS on a Windows Server DC (if you're using AD).

I kinda thought that was the case. Thank you for your help Chris. Do you know of anything that might do this?

I don't know if the Captive Portal can be coerced to support LDAP or Kerberos, but I have heard of people achieving a single sign-on type setup with Squid that way.

Jim
RE: [pfSense Support] Can captive portal authenticate based on windows login
Not to get too far OT, but whenever I have a machine that doesn't have the ISA firewall client, I get credential prompts with ISA (when it's configured for specific user/group access lists, etc).

From the Firewall Client for ISA Server Download: http://www.microsoft.com/downloads/details.aspx?FamilyID=05C2C932-B15A-4990-B525-66380743DA89&displaylang=en

...Firewall Client sends user information transparently with each request, enabling you to create a firewall policy on the ISA Server computer with rules that use the authentication credentials presented by the client.

I'd use pfSense any day of the week over ISA, even if it meant they had to use credential prompts. Bottom line: if eliminating credential prompts is an absolute must, ISA can do it for sure. pfSense, not yet ;)

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com

-----Original Message-----
From: cbuech...@gmail.com [mailto:cbuech...@gmail.com] On Behalf Of Chris Buechler
Sent: Tuesday, April 21, 2009 3:35 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Can captive portal authenticate based on windows login

On Tue, Apr 21, 2009 at 3:46 PM, Dimitri Rodis dimit...@integritasystems.com wrote:

Microsoft Internet Security and Acceleration Server (ISA Server), and you need to have AD. I've used it, but only in this particular case. I do not know of anything in the open source world that works reliably specifically the way you want it to. (That is not to say that nothing exists, I just may not know about it). With respect to ISA, there is a client installation (aka Firewall Client) that is required to make the authentication transparent--without it, it would work just like pfSense would-- with RADIUS against AD, and the user would have to enter credentials manually.

Not exactly, so long as you're using IE it'll pass through credentials automatically. The firewall client is so you don't have to configure all your applications to use a proxy, it automatically picks up any traffic not destined to your internal networks (as defined in ISA) and pushes it through the proxy. Works well in the environments I use it.

ISA is a good proxy. I personally don't like it as a perimeter firewall, and it can be buggy (2006 is much better than 2004 and 2000, though still quirky at times), but its proxy functionality in a Windows environment is great. The reverse proxy is also nice if you use OWA and/or OMA with Exchange.
[pfSense Support] Attention Firebox X Series Users - Testing Needed
Attention Firebox X500/700/1000 Users using pfSense:

Watchdog timeouts gettin' you down? Thinkin' about throwin' that old Firebox into the fireplace? Don't do that just yet!

Thanks to the pfSense devs, along with Pyun YongHyeon, the maintainer for the FreeBSD Realtek network driver, it appears that we may have solved the issue with the watchdog timeouts on the Realtek 8139C+ chips that are used in these units. For the past couple of days, I have worked with Pyun, and yesterday Pyun sent me a patch, and that patch was committed to the 1.2.3 snapshot builds, as well as to the 2.0 alpha snapshot builds by the pfSense devs, and is part of any snapshot build as of yesterday (4/17) at 2pm Eastern time, or later.

Snapshot builds can be downloaded from http://snapshots.pfsense.org/FreeBSD7/RELENG_1_2/ or http://snapshots.pfsense.org/FreeBSD7/HEAD/

I have been testing a build with this patch since yesterday, and have yet to see a single watchdog timeout on my interfaces - and no modifications to loader.conf have been made. This is a default install - no special options have been set anywhere.

If at all possible, please try to install a recent snapshot build on your firebox units (those of you that have them) and test this patch. If you do still receive watchdog timeouts, please let me know either on this list, or off-list. Either way, please try to detail what you were doing when the watchdog timeout occurred so that we can try to reproduce it, and Pyun can fix it.

Thanks to all that have helped, and thanks to those that are willing to test!

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com
RE: [pfSense Support] Attention Firebox X Series Users - Testing Needed
Forum link: http://forum.pfsense.org/index.php/topic,15669.0.html

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com

-----Original Message-----
From: cbuech...@gmail.com [mailto:cbuech...@gmail.com] On Behalf Of Chris Buechler
Sent: Saturday, April 18, 2009 11:33 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Attention Firebox X Series Users - Testing Needed

On Sat, Apr 18, 2009 at 2:17 PM, Dimitri Rodis dimit...@integritasystems.com wrote:

Attention Firebox X500/700/1000 Users using pfSense:

Glad to hear that looks like it fixes it. There's at least one thread on the forum reporting this issue as well, might want to post to those threads too to give those folks a heads up.

Watchdog timeouts getting you down? Thinkin' about throwin' that old Firebox into the fireplace? Don't do that just yet!

Thanks to the pfSense devs, along with Pyun YongHyeon, the maintainer for the FreeBSD Realtek network driver, it appears that we may have solved the issue with the watchdog timeouts on the Realtek 8139C+ chips that are used in these units. For the past couple of days, I have worked with Pyun, and yesterday Pyun sent me a patch, and that patch was committed to the 1.2.3 snapshot builds, as well as to the 2.0 alpha snapshot builds by the pfSense devs, and is part of any snapshot build as of yesterday (4/17) at 2pm Eastern time, or later.

Snapshot builds can be downloaded from http://snapshots.pfsense.org/FreeBSD7/RELENG_1_2/ or http://snapshots.pfsense.org/FreeBSD7/HEAD/

I have been testing a build with this patch since yesterday, and have yet to see a single watchdog timeout on my interfaces and no modifications to loader.conf have been made. This is a default install, no special options have been set anywhere.

If at all possible, please try to install a recent snapshot build on your firebox units (those of you that have them) and test this patch. If you do still receive watchdog timeouts, please let me know either on this list, or off-list. Either way, please try to detail what you were doing when the watchdog timeout occurred so that we can try to reproduce it, and Pyun can fix it.

Thanks to all that have helped, and thanks to those that are willing to test!

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com
RE: [pfSense Support] VMware ESXi - Protect all VM's with pfSense VM in Bridge Mode - HELP!
There is a promiscuous mode on the vSwitches. That setting might need to be adjusted.

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com

-----Original Message-----
From: Tim Nelson [mailto:tnel...@fudnet.net]
Sent: Thursday, April 16, 2009 9:01 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] VMware ESXi - Protect all VM's with pfSense VM in Bridge Mode - HELP!

Apparently I wasn't missing anything. I rebooted the pfSense VM and walked away for a while and now all is well. I suspect an ARP or other layer two issue after introducing the bridge and moving the VM nics over to vSwitch1.

Thanks for all your help! :-)

--Tim

On Thu, 16 Apr 2009 10:42:24 -0500, Tim Nelson tnel...@fudnet.net wrote:

Greetings all-

I've got a beefy machine running VMware ESXi with a handful of hosts. I'd like to protect those hosts with a pfSense VM in bridge mode. Here is my vSwitch configuration:

vSwitch0
 -vmnic0 (Physical NIC 0)
 -OUTSIDE_FW (VM Port Group)
  *TBRIDGE (pfSense WAN)
 -VMkernel Port (Management Network)

vSwitch1
 -vmnic1 (Physical NIC 1 - Unplugged)
 -INSIDE_FW (VM Port Group)
  *TBRIDGE (pfSense LAN - Bridged to WAN)
  *VM_1
  *VM_2
  *VM_etc...

I've setup ALLOW ALL from ALL to ALL protocol ALL rules on both interfaces and also enabled promiscuous mode on the vSwitches. However, I'm not getting any traffic flowing. It's incredibly bizarre. What am I missing?

--Tim
RE: [pfSense Support] Possible Outbound NAT Bug in 1.2.3 Snapshot?
I put that in also-- like I said it didn't take effect until I rebooted. If the rule wasn't there, it wouldn't matter how many times I rebooted :)

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com

-----Original Message-----
From: Kimmo Paasiala [mailto:kpaas...@gmail.com]
Sent: Friday, April 10, 2009 9:00 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Possible Outbound NAT Bug in 1.2.3 Snapshot?

I think you're missing a firewall rule on LAN interface that would do the actual policy routing to the cable connection for http(s). Remember that outbound nat rules do not say where the traffic should go but rather how it should be natted when it goes out via the specified interface after routing decision is made. Hope this helps.
RE: [pfSense Support] CARP Bug in 1.2.3
I think this is more obscure than you think-- this is on a snapshot build, so how many people have 1) run a 1.2.3 snapshot, 2) _had_ a redundant CARP config, and then 3) removed the redundant member and 4) added some Outbound NAT rules and interface rules (which is what finally triggered the XMLRPC sync, and thus the error)? My guess is that people with redundant configs are probably not testing snapshot builds (or even production builds) in this manner. I don't know if this happens on previous builds, and you are probably going to say that the code hasn't changed, and that's very likely to be true if you say so--I'm just saying I think the bug is present, but obscure. Obviously if it happens it's easy enough to fix by downloading the config, deleting the duped sections and uploading the config again, but I would tend to think there's a bug in there somewhere, because like I said, I didn't dupe the section myself.

Dimitri Rodis
Integrita Systems LLC

-----Original Message-----
From: Scott Ullrich [mailto:sullr...@gmail.com]
Sent: Thursday, April 09, 2009 8:15 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] CARP Bug in 1.2.3

On Wed, Apr 8, 2009 at 11:31 PM, Dimitri Rodis dimit...@integritasystems.com wrote:

Currently running: 1.2.3-RC1 built on Wed Apr 1 16:59:10 EDT 2009

Changed the CARP config-- had a redundant member that I removed, so I shut pfsync off. However, I kept getting messages along the top that XMLRPC sync was failing. I checked, and it was disabled--so, I unchecked absolutely everything and saved and rebooted, but the errors persisted. I think I found the problem. I downloaded my config file and had a look. Check out the following section:

    <installedpackages>
      <carpsettings>
        <config>
          <pfsyncenabled/>
          <pfsyncinterface>opt3</pfsyncinterface>
          <pfsyncpeerip/>
          <synchronizerules/>
          <synchronizeschedules/>
          <synchronizealiases/>
          <synchronizenat/>
          <synchronizeipsec/>
          <synchronizewol/>
          <synchronizestaticroutes/>
          <synchronizelb/>
          <synchronizevirtualip/>
          <synchronizetrafficshaper/>
          <synchronizednsforwarder/>
          <synchronizetoip/>
          <password/>
        </config>
        <config>
          <pfsyncenabled>on</pfsyncenabled>
          <pfsyncinterface>opt3</pfsyncinterface>
          <pfsyncpeerip/>
          <synchronizerules>on</synchronizerules>
          <synchronizeschedules>on</synchronizeschedules>
          <synchronizealiases>on</synchronizealiases>
          <synchronizenat>on</synchronizenat>
          <synchronizeipsec>on</synchronizeipsec>
          <synchronizewol>on</synchronizewol>
          <synchronizestaticroutes>on</synchronizestaticroutes>
          <synchronizelb>on</synchronizelb>
          <synchronizevirtualip>on</synchronizevirtualip>
          <synchronizetrafficshaper>on</synchronizetrafficshaper>
          <synchronizednsforwarder/>
          <synchronizetoip>172.19.0.2</synchronizetoip>
          <password>xx</password>
        </config>
        <config>
          <pfsyncenabled>on</pfsyncenabled>
          <pfsyncinterface>opt3</pfsyncinterface>
          <pfsyncpeerip/>
          <synchronizerules>on</synchronizerules>
          <synchronizeschedules>on</synchronizeschedules>
          <synchronizealiases>on</synchronizealiases>
          <synchronizenat>on</synchronizenat>
          <synchronizeipsec>on</synchronizeipsec>
          <synchronizewol>on</synchronizewol>
          <synchronizestaticroutes>on</synchronizestaticroutes>
          <synchronizelb>on</synchronizelb>
          <synchronizevirtualip>on</synchronizevirtualip>
          <synchronizetrafficshaper>on</synchronizetrafficshaper>
          <synchronizednsforwarder>on</synchronizednsforwarder>
          <synchronizetoip>172.19.0.3</synchronizetoip>
          <password>x</password>
        </config>
      </carpsettings>
    </installedpackages>

Shouldn't <config></config> only be in there once? Looks like it added another <config></config> section each time I tried to change/save it, and it's only using the last one. Bug or user error?

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com

Doubt it's a bug or we would be seeing a lot more of this.

Scott
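To illustrate the duplicated <config> sections discussed in this thread, here is an added Python example (not pfSense code) that loads a pfSense-style config.xml, counts the <config> copies under installedpackages/carpsettings, reports which copy is live on the assumption Dimitri's post makes (the last copy is the one in use), and strips the stale copies the way he did by hand. The embedded config is a constructed, trimmed-down version of the section quoted above; the surrounding <pfsense> root element and the tag names beyond those the post shows are assumptions.

```python
"""Added example (not pfSense code): find and remove repeated <config>
children under <installedpackages><carpsettings> in a pfSense-style
config.xml, the symptom described in the thread above.

Assumption (taken from the post): when several copies exist, the last one
is the one actually in effect.
"""
import xml.etree.ElementTree as ET

CARP_PATH = "installedpackages/carpsettings"

# Constructed: a trimmed version of the carpsettings section quoted in the
# thread.  Copy 1 is the "everything unchecked" state the GUI showed; copies
# 2 and 3 still have sync enabled and point at sync peers.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <installedpackages>
    <carpsettings>
      <config>
        <pfsyncenabled/>
        <pfsyncinterface>opt3</pfsyncinterface>
        <synchronizetoip/>
        <password/>
      </config>
      <config>
        <pfsyncenabled>on</pfsyncenabled>
        <pfsyncinterface>opt3</pfsyncinterface>
        <synchronizetoip>172.19.0.2</synchronizetoip>
        <password>xx</password>
      </config>
      <config>
        <pfsyncenabled>on</pfsyncenabled>
        <pfsyncinterface>opt3</pfsyncinterface>
        <synchronizetoip>172.19.0.3</synchronizetoip>
        <password>x</password>
      </config>
    </carpsettings>
  </installedpackages>
</pfsense>
"""


def config_copies(xml_text: str) -> list:
    """Return every <config> child of carpsettings, in document order."""
    root = ET.fromstring(xml_text)
    parent = root.find(CARP_PATH)
    return [] if parent is None else parent.findall("config")


def summarize(xml_text: str) -> dict:
    """Describe the copies: how many, what the live (last) one syncs to,
    and which stale sync targets the earlier copies still carry."""
    copies = config_copies(xml_text)
    live = copies[-1] if copies else None
    return {
        "copies": len(copies),
        "live_sync_enabled": (live.findtext("pfsyncenabled") or "") == "on"
        if live is not None else False,
        "live_sync_target": live.findtext("synchronizetoip") or ""
        if live is not None else None,
        "stale_sync_targets": [c.findtext("synchronizetoip") or "" for c in copies[:-1]],
    }


def dedupe(xml_text: str) -> str:
    """Return the config with only the last <config> copy kept, which is the
    manual fix the poster describes (download, delete the dupes, upload)."""
    root = ET.fromstring(xml_text)
    parent = root.find(CARP_PATH)
    if parent is not None:
        for stale in parent.findall("config")[:-1]:
            parent.remove(stale)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(summarize(SAMPLE_CONFIG))
    print(summarize(dedupe(SAMPLE_CONFIG)))
```

Run against the constructed sample, the report shows three copies with the live one still syncing to 172.19.0.3, even though the first copy is the fully unchecked state the GUI displayed, which is consistent with the XMLRPC sync errors persisting after everything was disabled. The same check is a cheap thing to run over a downloaded config.xml before restoring it, since a repeated section is easy to miss in a long file.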
RE: [pfSense Support] CARP Bug in 1.2.3
The snapshot I'm using is dated April 1.. that's a couple of days after the hackathon, I believe. Any idea when the xmlparse.inc from HEAD was removed?

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com

-----Original Message-----
From: Scott Ullrich [mailto:sullr...@gmail.com]
Sent: Thursday, April 09, 2009 10:17 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] CARP Bug in 1.2.3

On Thu, Apr 9, 2009 at 12:37 PM, Dimitri Rodis dimit...@integritasystems.com wrote:

I think this is more obscure than you think-- this is on a snapshot build, so how many people have 1) run a 1.2.3 snapshot, 2) _had_ a redundant CARP config, and then 3) removed the redundant member and 4) added some Outbound NAT rules and interface rules (which is what finally triggered the XMLRPC sync, and thus the error)? My guess is that people with redundant configs are probably not testing snapshot builds (or even production builds) in this manner. I don't know if this happens on previous builds, and you are probably going to say that the code hasn't changed, and that's very likely to be true if you say so--I'm just saying I think the bug is present, but obscure. Obviously if it happens it's easy enough to fix by downloading the config, deleting the duped sections and uploading the config again, but I would tend to think there's a bug in there somewhere, because like I said, I didn't dupe the section myself.

My guess would be that you installed a snapshot that contained xmlparse.inc from HEAD. Right around the hackathon time this was included but has since been removed.

Scott
RE: [pfSense Support] CARP Bug in 1.2.3
Good deal. I'll go to a later snapshot then. Are upgrades between snapshots on embedded working at the moment, or should I just reflash?

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com

-----Original Message-----
From: Scott Ullrich [mailto:sullr...@gmail.com]
Sent: Thursday, April 09, 2009 11:37 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] CARP Bug in 1.2.3

On Thu, Apr 9, 2009 at 1:57 PM, Dimitri Rodis dimit...@integritasystems.com wrote:

The snapshot I'm using is dated April 1.. that's a couple of days after the hackathon, I believe. Any idea when the xmlparse.inc from HEAD was removed?

You were affected then. It was removed for causing various problems such as these.

Scott
[pfSense Support] Possible Outbound NAT Bug in 1.2.3 Snapshot?
Currently running: 1.2.3-RC1 built on Wed Apr 1 16:59:10 EDT 2009

In addition to a fiber connection at this particular location, there is also a second connection brought in via a cable modem. The fiber connection is intended to serve the incoming connections to web servers, mail servers, etc. The second cable modem connection is intended for web browsing and other misc traffic, so as to not bog down the fiber so much. So, I added an outbound NAT so that traffic originating from the LAN side destined to port 80 would use the interface address of the cable connection.

Initially, this did not work as expected-- until I rebooted pfSense. Web traffic did pass, but it was not NATting to the correct address--I verified by browsing to http://www.whatismyip.com, and until I rebooted pfSense, it did not report the correct address. So, I tried it again with port 443 (whatismyip supports SSL :). Sure enough, it reported the old IP address until I rebooted pfSense again.

I don't remember having this problem before--why would I need to reboot for this to take effect? And yes, I did completely close the browser so that an existing state wouldn't be reused.

Bug or user error?

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com
[pfSense Support] CARP Bug in 1.2.3
Currently running: 1.2.3-RC1 built on Wed Apr 1 16:59:10 EDT 2009

Changed the CARP config-- had a redundant member that I removed, so I shut pfsync off. However, I kept getting messages along the top that XMLRPC sync was failing. I checked, and it was disabled--so, I unchecked absolutely everything and saved and rebooted, but the errors persisted. I think I found the problem. I downloaded my config file and had a look. Check out the following section:

<installedpackages>
  <carpsettings>
    <config>
      <pfsyncenabled/>
      <pfsyncinterface>opt3</pfsyncinterface>
      <pfsyncpeerip/>
      <synchronizerules/>
      <synchronizeschedules/>
      <synchronizealiases/>
      <synchronizenat/>
      <synchronizeipsec/>
      <synchronizewol/>
      <synchronizestaticroutes/>
      <synchronizelb/>
      <synchronizevirtualip/>
      <synchronizetrafficshaper/>
      <synchronizednsforwarder/>
      <synchronizetoip/>
      <password/>
    </config>
    <config>
      <pfsyncenabled>on</pfsyncenabled>
      <pfsyncinterface>opt3</pfsyncinterface>
      <pfsyncpeerip/>
      <synchronizerules>on</synchronizerules>
      <synchronizeschedules>on</synchronizeschedules>
      <synchronizealiases>on</synchronizealiases>
      <synchronizenat>on</synchronizenat>
      <synchronizeipsec>on</synchronizeipsec>
      <synchronizewol>on</synchronizewol>
      <synchronizestaticroutes>on</synchronizestaticroutes>
      <synchronizelb>on</synchronizelb>
      <synchronizevirtualip>on</synchronizevirtualip>
      <synchronizetrafficshaper>on</synchronizetrafficshaper>
      <synchronizednsforwarder/>
      <synchronizetoip>172.19.0.2</synchronizetoip>
      <password>xx</password>
    </config>
    <config>
      <pfsyncenabled>on</pfsyncenabled>
      <pfsyncinterface>opt3</pfsyncinterface>
      <pfsyncpeerip/>
      <synchronizerules>on</synchronizerules>
      <synchronizeschedules>on</synchronizeschedules>
      <synchronizealiases>on</synchronizealiases>
      <synchronizenat>on</synchronizenat>
      <synchronizeipsec>on</synchronizeipsec>
      <synchronizewol>on</synchronizewol>
      <synchronizestaticroutes>on</synchronizestaticroutes>
      <synchronizelb>on</synchronizelb>
      <synchronizevirtualip>on</synchronizevirtualip>
      <synchronizetrafficshaper>on</synchronizetrafficshaper>
      <synchronizednsforwarder>on</synchronizednsforwarder>
      <synchronizetoip>172.19.0.3</synchronizetoip>
      <password>x</password>
    </config>
  </carpsettings>
</installedpackages>

Shouldn't <config></config> only be in there once? Looks like it added another <config></config> section each time I tried to change/save it, and it's only using the last one. Bug or user error?

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com
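A small checker for the situation described in this post, written as an added example (it is not pfSense code and not part of the thread): it loads a config.xml, counts the <config> blocks under installedpackages/carpsettings, reports the last one (which, as the poster observed, is the block actually in effect) and can write the file back with the stale copies removed. The embedded XML is a constructed, trimmed version of the config posted above; the sync password is stored in cleartext in config.xml, which is why it is worth redacting before posting a config anywhere.

```python
"""Detect and strip duplicated <config> blocks under installedpackages/carpsettings
in a pfSense 1.2.x config.xml.

Added example, not pfSense's own code.  Observed behaviour from the thread: pfSense
reads the last <config> block, so that one is reported as "effective"; earlier copies
are dead but can still trip the XMLRPC sync checks.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample: a trimmed version of the config excerpt in the post.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <installedpackages>
    <carpsettings>
      <config>
        <pfsyncenabled/>
        <pfsyncinterface>opt3</pfsyncinterface>
        <synchronizetoip/>
        <password/>
      </config>
      <config>
        <pfsyncenabled>on</pfsyncenabled>
        <pfsyncinterface>opt3</pfsyncinterface>
        <synchronizetoip>172.19.0.2</synchronizetoip>
        <password>xx</password>
      </config>
      <config>
        <pfsyncenabled>on</pfsyncenabled>
        <pfsyncinterface>opt3</pfsyncinterface>
        <synchronizetoip>172.19.0.3</synchronizetoip>
        <password>x</password>
      </config>
    </carpsettings>
  </installedpackages>
</pfsense>
"""

CARP_PATH = "installedpackages/carpsettings"
SECRET_TAGS = {"password"}


def config_blocks(root: ET.Element) -> List[ET.Element]:
    """All direct <config> children of the carpsettings section (empty if absent)."""
    section = root.find(CARP_PATH)
    return [] if section is None else section.findall("config")


def block_to_dict(block: ET.Element) -> Dict[str, str]:
    """Flatten one <config> block; empty elements (<x/>) map to "" so unchecked
    boxes stay visible in the output."""
    return {child.tag: (child.text or "") for child in block}


def count_blocks(xml_text: str) -> int:
    return len(config_blocks(ET.fromstring(xml_text)))


def effective_settings(xml_text: str) -> Dict[str, str]:
    """Settings pfSense actually uses: those of the last <config> block."""
    blocks = config_blocks(ET.fromstring(xml_text))
    return block_to_dict(blocks[-1]) if blocks else {}


def dedupe(xml_text: str) -> str:
    """Return the XML with every <config> block but the last one removed."""
    root = ET.fromstring(xml_text)
    section = root.find(CARP_PATH)
    if section is not None:
        for stale in section.findall("config")[:-1]:
            section.remove(stale)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    n = count_blocks(SAMPLE_CONFIG)
    print(f"{n} <config> block(s) under {CARP_PATH}")
    if n > 1:
        print("duplicates found; the effective (last) block is:")
        for tag, value in effective_settings(SAMPLE_CONFIG).items():
            shown = "<redacted>" if tag in SECRET_TAGS and value else repr(value)
            print(f"  {tag} = {shown}")
        cleaned = dedupe(SAMPLE_CONFIG)
        print(f"after dedupe: {count_blocks(cleaned)} block(s)")
```

Run it against a downloaded config.xml by replacing SAMPLE_CONFIG with the file contents; the deduped XML can then be uploaded back through the restore page, which is the manual fix the thread describes.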
RE: [pfSense Support] Possible Outbound NAT Bug in 1.2.3 Snapshot?
Nope, using embedded.

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com

-----Original Message-----
From: cbuech...@gmail.com [mailto:cbuech...@gmail.com] On Behalf Of Chris Buechler
Sent: Wednesday, April 08, 2009 8:30 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Possible Outbound NAT Bug in 1.2.3 Snapshot?

On Wed, Apr 8, 2009 at 11:12 PM, Dimitri Rodis dimit...@integritasystems.com wrote:

> Currently running: 1.2.3-RC1 built on Wed Apr 1 16:59:10 EDT 2009
>
> In addition to a fiber connection at this particular location, there is also a second connection brought in via a cable modem. The fiber connection is intended to serve the incoming connections to web servers, mail servers, etc. The second cable modem connection is intended for web browsing and other misc traffic, so as to not bog down the fiber so much. So, I added an outbound NAT so that traffic originating from the LAN side destined to port 80 would use the interface address of the cable connection.
>
> Initially, this did not work as expected-- until I rebooted pfSense. Web traffic did pass, but it was not NATting to the correct address--I verified by browsing to http://www.whatismyip.com, and until I rebooted pfSense, it did not report the correct address. So, I tried it again with port 443 (whatismyip supports SSL :). Sure enough, it reported the old IP address until I rebooted pfSense again.
>
> I don't remember having this problem before--why would I need to reboot for this to take effect? And yes, I did completely close the browser so that an existing state wouldn't be reused.
>
> Bug?

Unlikely, Outbound NAT hasn't changed in a long time. Any packages installed?
RE: [pfSense Support] AW: Firebox X series w/ 1.2 and 1.2.2 issue
So I put on 1.2.3 snapshot from earlier today, and threw the box into production. Didn't see a single watchdog timeout... browsed around in the web interface with Firefox, no problem. Downloaded a few files, watched people hit websites, etc. No problem. Then I whip open Internet Explorer and navigate to carp_status.php and the very second I hit that page, wouldn't you know:

 0) Logout (SSH only)
 1) Assign Interfaces
 2) Set LAN IP address
 3) Reset webConfigurator password
 4) Reset to factory defaults
 5) Reboot system
 6) Halt system
 7) Ping host
 8) Shell
 9) PFtop
10) Filter Logs
11) Restart webConfigurator
12) pfSense PHP shell
13) Upgrade from console
14) Enable Secure Shell (sshd)

Enter an option: re2: watchdog timeout
re2: watchdog timeout
re2: watchdog timeout
re2: watchdog timeout
re2: watchdog timeout
re2: watchdog timeout
re2: watchdog timeout

DOH!

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com

-----Original Message-----
From: Dimitri Rodis [mailto:dimit...@integritasystems.com]
Sent: Tuesday, March 31, 2009 9:55 PM
To: support@pfsense.com
Subject: RE: [pfSense Support] AW: Firebox X series w/ 1.2 and 1.2.2 issue

Woohoo! Didn't know you guys got this put in.. I'll test tomorrow or Thursday as time permits.

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com

-----Original Message-----
From: cbuech...@gmail.com [mailto:cbuech...@gmail.com] On Behalf Of Chris Buechler
Sent: Tuesday, March 31, 2009 8:49 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] AW: Firebox X series w/ 1.2 and 1.2.2 issue

On Tue, Mar 31, 2009 at 11:37 PM, Tim Nelson tnel...@rockbochs.com wrote:

> I've just acquired an X500 unit and after throwing boatloads of traffic through it, I haven't seen a single watchdog timeout. Two ports are connected to a switch and a third port to a workstation. I can send you any information on my config if you'd like for testing/comparison.

What version are you running on it?

1.2.3 snapshots as of this past Sunday have re(4) and rl(4) from FreeBSD 8-CURRENT per recommendations of the FreeBSD developer who maintains that code. It may not be an issue with snapshots since Sunday. Those who are seeing watchdog timeouts on re or rl cards should try a 1.2.3 snapshot.
[pfSense Support] RE: Load Balancer Using TCP
Given the log, I would say that they are set for TCP and not ICMP. On some versions of pfSense, I have noticed that the option box reverts to TCP from ICMP when you edit the service a second (or subsequent) time. Have another look--betcha it's set to TCP. Also, you might want to post what version of pfSense you are using :)

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com

From: Nathan Eisenberg [mailto:nat...@atlasnetworks.us]
Sent: Wednesday, April 01, 2009 9:10 PM
To: support@pfsense.com
Subject: [pfSense Support] Load Balancer Using TCP

Hello,

I have a load balancer with two web servers behind it. The web servers are to be monitored via ICMP. However, the servers frequently flap, and I see this message in the load balancer log:

Apr 1 21:06:57 slbd[56826]: TCP poll succeeded for 192.168.20.61:80, marking service UP
Apr 1 21:06:52 slbd[56826]: Service servicename changed status, reloading filter policy
Apr 1 21:06:52 slbd[56826]: TCP poll failed for 192.168.20.61:80, marking service DOWN

What's going on? :(

Best Regards
Nathan Eisenberg
Sr. Systems Administrator
Atlas Networks, LLC
supp...@atlasnetworks.us
http://support.atlasnetworks.us/portal
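The slbd log lines above carry two facts the reply relies on: which poll type is actually being used per target, and how often the service changes state. As an added example (not from the thread or from pfSense), the script below parses lines in that format, reports the poll protocol seen for each monitored target, counts state changes and flags targets that flap more than a set number of times inside a time window. The log excerpt is constructed around the lines in the post; the window and threshold are arbitrary.

```python
"""Parse pfSense 1.2 slbd log lines, report poll protocol per target and flag flapping.

Added example, not pfSense code.  Log lines are constructed in the slbd format quoted
in the thread; the flap window (60 s) and threshold (more than 2 state changes) are
illustrative values.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Set

# Constructed log sample (syslog timestamps have no year).
SAMPLE_LOG = """\
Apr 1 21:06:52 slbd[56826]: TCP poll failed for 192.168.20.61:80, marking service DOWN
Apr 1 21:06:52 slbd[56826]: Service servicename changed status, reloading filter policy
Apr 1 21:06:57 slbd[56826]: TCP poll succeeded for 192.168.20.61:80, marking service UP
Apr 1 21:07:22 slbd[56826]: TCP poll failed for 192.168.20.61:80, marking service DOWN
Apr 1 21:07:27 slbd[56826]: TCP poll succeeded for 192.168.20.61:80, marking service UP
Apr 1 21:07:30 slbd[56826]: ICMP poll succeeded for 192.168.20.62, marking service UP
"""


class Poll(NamedTuple):
    ts: datetime
    proto: str
    target: str
    state: str


POLL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) slbd\[\d+\]: "
    r"(?P<proto>TCP|ICMP) poll (?:succeeded|failed) for (?P<target>\S+), "
    r"marking service (?P<state>UP|DOWN)$"
)


def parse_polls(text: str) -> List[Poll]:
    """Keep only the poll result lines; 'changed status' lines are skipped."""
    polls = []
    for line in text.splitlines():
        m = POLL_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # year defaults to 1900
        polls.append(Poll(ts, m.group("proto"), m.group("target"), m.group("state")))
    return polls


def protocols_used(polls: List[Poll]) -> Dict[str, Set[str]]:
    """Which poll protocol(s) slbd really used per target (the reply's point)."""
    out: Dict[str, Set[str]] = defaultdict(set)
    for p in polls:
        out[p.target].add(p.proto)
    return dict(out)


def _change_times(polls: List[Poll]) -> Dict[str, List[datetime]]:
    last: Dict[str, str] = {}
    changes: Dict[str, List[datetime]] = defaultdict(list)
    for p in polls:
        if p.target in last and last[p.target] != p.state:
            changes[p.target].append(p.ts)
        last[p.target] = p.state
        changes.setdefault(p.target, [])
    return dict(changes)


def state_changes(polls: List[Poll]) -> Dict[str, int]:
    """Number of UP<->DOWN transitions per target after its first observed state."""
    return {t: len(times) for t, times in _change_times(polls).items()}


def flapping(polls: List[Poll], window: timedelta = timedelta(seconds=60),
             max_changes: int = 2) -> List[str]:
    """Targets with more than max_changes transitions inside any sliding window."""
    flappers = []
    for target, times in _change_times(polls).items():
        for i, start in enumerate(times):
            if sum(1 for t in times[i:] if t - start <= window) > max_changes:
                flappers.append(target)
                break
    return sorted(flappers)


if __name__ == "__main__":
    polls = parse_polls(SAMPLE_LOG)
    print("protocols:", protocols_used(polls))
    print("state changes:", state_changes(polls))
    print("flapping:", flapping(polls))
```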
RE: [pfSense Support] AW: Firebox X series w/ 1.2 and 1.2.2 issue
What version are you currently running? I have seen watchdog timeouts with 1.2 and 1.2.2. I have 2 units in a CARP cluster, and 5 of the interfaces are being used (2 WANs, although 1 of the WANs was not configured for the test, 2 LANs, and 1 dedicated sync interface). I have made various modifications to /boot/loader.conf which have reduced the watchdog timeouts, but they still show up. The behavior gets really weird when I have both units operating in a cluster.. Anyway, I think it might show up when you use more than 2 interfaces. Initial testing with just a LAN/WAN setup didn't appear to really have any issues.. then I added a second LAN and a dedicated sync interface for CARP and threw it into production, and it lasted about 10 minutes before it melted down with watchdog timeouts.

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com

-----Original Message-----
From: Tim Nelson [mailto:tnel...@rockbochs.com]
Sent: Tuesday, March 31, 2009 8:38 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] AW: Firebox X series w/ 1.2 and 1.2.2 issue

I've just acquired an X500 unit and after throwing boatloads of traffic through it, I haven't seen a single watchdog timeout. Two ports are connected to a switch and a third port to a workstation. I can send you any information on my config if you'd like for testing/comparison.

Tim Nelson
Systems/Network Support
Rockbochs Inc.
(218)727-4332 x105

-----Original Message-----
From: Andrew Cotter [mailto:andrew.cot...@somersetcapital.com]
Sent: Friday, March 20, 2009 12:35 PM
To: support@pfsense.com
Subject: RE: [pfSense Support] AW: Firebox X series w/ 1.2 and 1.2.2 issue

From: Dimitri Rodis [mailto:dimit...@integritasystems.com]
Sent: Friday, March 20, 2009 18:27
To: support@pfsense.com
Subject: [pfSense Support] Firebox X series w/ 1.2 and 1.2.2 issue

> So, I have a pair of firebox x700 units that I have put new CF cards in. I have tried both 1.2-RELEASE and 1.2.2 (both embedded), and both behave the same way. On the serial console, I will see the following:
>
> re4: watchdog timeout
> re4: watchdog timeout
> etc
>
> If I change the LAN interface to re1, the same thing happens, except on the serial console I will see:
>
> re1: watchdog timeout
> re1: watchdog timeout
> ...etc

I had a similar issue while I was working on a few X500/700 whatever boxes last week. I know people suggest that various low end switches produce this error, but I had no switch in the mix. I was going direct to a desktop and was getting it. It was a home made looking cable. As soon as I plugged in one of our prefab cables it went away. Try and switch out the ethernet cable. Let us know. I have 5 of these boxes in the corner of my office. 3 of which I am planning on deploying in the next two weeks.

Andrew
RE: [pfSense Support] AW: Firebox X series w/ 1.2 and 1.2.2 issue
Woohoo! Didn't know you guys got this put in.. I'll test tomorrow or Thursday as time permits.

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com

-----Original Message-----
From: cbuech...@gmail.com [mailto:cbuech...@gmail.com] On Behalf Of Chris Buechler
Sent: Tuesday, March 31, 2009 8:49 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] AW: Firebox X series w/ 1.2 and 1.2.2 issue

On Tue, Mar 31, 2009 at 11:37 PM, Tim Nelson tnel...@rockbochs.com wrote:

> I've just acquired an X500 unit and after throwing boatloads of traffic through it, I haven't seen a single watchdog timeout. Two ports are connected to a switch and a third port to a workstation. I can send you any information on my config if you'd like for testing/comparison.

What version are you running on it?

1.2.3 snapshots as of this past Sunday have re(4) and rl(4) from FreeBSD 8-CURRENT per recommendations of the FreeBSD developer who maintains that code. It may not be an issue with snapshots since Sunday. Those who are seeing watchdog timeouts on re or rl cards should try a 1.2.3 snapshot.
RE: [pfSense Support] ACPI/APIC in loader.conf - watchdog timeouts
So, the hint.apic.0.disabled=1 seems to have _significantly_ reduced the watchdog timeouts, but they are not completely gone, and the ones that are happening now seem to happen somewhat randomly. Browsing through the GUI does not seem to cause issues any more. I will continue with the SMP kernel testing tomorrow.

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com

-----Original Message-----
From: cbuech...@gmail.com [mailto:cbuech...@gmail.com] On Behalf Of Chris Buechler
Sent: Monday, March 23, 2009 6:05 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] ACPI/APIC in loader.conf - watchdog timeouts

On Mon, Mar 23, 2009 at 1:02 AM, Dimitri Rodis dimit...@integritasystems.com wrote:

> Do you think this has any potential relevance to the firebox watchdog timeouts? Obviously I am going to test it and simply observe the results-- not too hard to reproduce the issue.

It could.

> Also, there was a suggestion that using an SMP kernel would alleviate the issue also. Given that this is a single core P3, I don't know what difference it will make (obviously the kernel locking mechanisms are different), but is there a way to easily swap the kernel on embedded with an SMP version (if it isn't already--I don't know what the default is for an embedded image since there isn't an installer)?

Mount it rw (run /etc/rc.conf_mount_rw) and copy over the kernel from a full install. Then switch back to ro with /etc/rc.conf_mount_ro and reboot.
[pfSense Support] ACPI/APIC in loader.conf - watchdog timeouts
So I just came across this little tidbit while searching for potential solutions to the re: watchdog timeout issue on the firebox installs that I have pfSense running on. Some folks suggest that the problem is due to an interrupt storm which can result in a partial/total system hang. While doing further research, I found this:

http://www.freebsd.org/doc/en/books/handbook/acpi-debug.html

Specifically:

--
11.16.3.3 System Hangs (temporary or permanent)

Most system hangs are a result of lost interrupts or an interrupt storm. Chipsets have a lot of problems based on how the BIOS configures interrupts before boot, correctness of the APIC (MADT) table, and routing of the System Control Interrupt (SCI).

Interrupt storms can be distinguished from lost interrupts by checking the output of vmstat -i and looking at the line that has acpi0. If the counter is increasing at more than a couple per second, you have an interrupt storm. If the system appears hung, try breaking to DDB (CTRL+ALT+ESC on console) and type show interrupts.

Your best hope when dealing with interrupt problems is to try disabling APIC support with hint.apic.0.disabled="1" in loader.conf.
--

hint.apic.0.disabled=1? I thought it was hint.acpi.0.disabled=1 (see http://doc.pfsense.org/index.php/Booting_Options, and also the forum posts regarding firebox installs). Is there a typo here or are these two totally different things? I have not tried the hint.apic.0.disabled=1 yet, but I plan to tomorrow. Also, are the double quotes of particular importance? Some docs show them there, others don't.

Any info appreciated.. I think these old end of life firebox x series units would be great for pfSense, provided we can get the watchdog timeouts to go away (and a specially sized sticker that can cover up the Firebox X logo :)

Dimitri Rodis
Integrita Systems LLC
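The handbook passage quoted in the post gives a concrete test for an interrupt storm: the acpi0 counter in vmstat -i rising by more than a couple per second. As an added example (not from the thread, the handbook or FreeBSD), the script below applies that rule to two vmstat -i snapshots taken a known number of seconds apart, so the judgement is made on a measured rate rather than on the cumulative "rate" column. The two snapshots are constructed; the acpi0 jump of 4000 interrupts in 10 s is the storm case, and the threshold of 2/s is the handbook's "couple per second".

```python
"""Rate-check vmstat -i snapshots for an acpi0 interrupt storm (FreeBSD).

Added example, not FreeBSD or pfSense code.  Take two `vmstat -i` snapshots
N seconds apart (e.g. `vmstat -i > a; sleep 10; vmstat -i > b`) and feed both
to acpi_rate()/is_interrupt_storm().  The snapshots below are constructed.
"""
import re
from typing import Dict

# Constructed snapshot at t=0 s.
SNAPSHOT_T0 = """\
interrupt                          total       rate
irq0: clk                        1234567       1000
irq9: acpi0                        10000          8
irq11: re0 re1                     55000         44
irq14: ata0                         3000          2
Total                            1302567       1054
"""

# Constructed snapshot 10 s later: acpi0 +4000 (400/s), re0 +440 (44/s).
SNAPSHOT_T10 = """\
interrupt                          total       rate
irq0: clk                        1244567       1000
irq9: acpi0                        14000         11
irq11: re0 re1                     55440         44
irq14: ata0                         3020          2
Total                            1317027       1057
"""

# "<name>  <total>  <rate>"; the name may contain spaces (e.g. "irq11: re0 re1").
LINE_RE = re.compile(r"^(?P<name>\S.*?)\s+(?P<total>\d+)\s+(?P<rate>\d+)\s*$")


def parse_vmstat(text: str) -> Dict[str, int]:
    """Map each interrupt source name to its cumulative total; skip the Total line."""
    totals: Dict[str, int] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("name") == "Total":
            continue
        totals[m.group("name")] = int(m.group("total"))
    return totals


def rates(before: Dict[str, int], after: Dict[str, int], seconds: float) -> Dict[str, float]:
    """Interrupts per second over the interval, for sources present in both snapshots."""
    if seconds <= 0:
        raise ValueError("interval must be positive")
    return {k: (after[k] - before[k]) / seconds for k in after if k in before}


def acpi_rate(before_text: str, after_text: str, seconds: float) -> float:
    """Measured acpi0 interrupt rate; raises if vmstat shows no acpi0 line."""
    r = rates(parse_vmstat(before_text), parse_vmstat(after_text), seconds)
    acpi = [v for k, v in r.items() if k.endswith("acpi0")]
    if not acpi:
        raise ValueError("no acpi0 line in vmstat -i output")
    return acpi[0]


def is_interrupt_storm(before_text: str, after_text: str, seconds: float,
                       threshold: float = 2.0) -> bool:
    """Handbook rule: more than a couple of acpi0 interrupts per second is a storm."""
    return acpi_rate(before_text, after_text, seconds) > threshold


if __name__ == "__main__":
    r = acpi_rate(SNAPSHOT_T0, SNAPSHOT_T10, 10)
    verdict = "interrupt storm" if is_interrupt_storm(SNAPSHOT_T0, SNAPSHOT_T10, 10) else "normal"
    print(f"acpi0: {r:.1f} interrupts/s -> {verdict}")
```

A NIC line such as re0 legitimately runs far above 2/s under load, which is why the check is keyed to acpi0 only; the generic rates() table is still useful for spotting a NIC whose counter stops moving while the watchdog fires.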
RE: [pfSense Support] ACPI/APIC in loader.conf - watchdog timeouts
Do you think this has any potential relevance to the firebox watchdog timeouts? Obviously I am going to test it and simply observe the results-- not too hard to reproduce the issue.

Also, there was a suggestion that using an SMP kernel would alleviate the issue also. Given that this is a single core P3, I don't know what difference it will make (obviously the kernel locking mechanisms are different), but is there a way to easily swap the kernel on embedded with an SMP version (if it isn't already--I don't know what the default is for an embedded image since there isn't an installer)? Doing a full install on these fireboxes is pretty tough and requires some soldering (I believe) to get a keyboard header working, not to mention that you have to get the board completely out of the chassis to fit a video card on it.

Thanks Chris..

Dimitri Rodis
Integrita Systems LLC

-----Original Message-----
From: cbuech...@gmail.com [mailto:cbuech...@gmail.com] On Behalf Of Chris Buechler
Sent: Sunday, March 22, 2009 9:44 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] ACPI/APIC in loader.conf - watchdog timeouts

On Mon, Mar 23, 2009 at 12:38 AM, Dimitri Rodis dimit...@integritasystems.com wrote:

> hint.apic.0.disabled=1? I thought it was hint.acpi.0.disabled=1 (see http://doc.pfsense.org/index.php/Booting_Options, and also the forum posts regarding firebox installs)

APIC and ACPI are entirely different things. APIC is another one that can cause problems on some systems.

http://en.wikipedia.org/wiki/Advanced_Programmable_Interrupt_Controller
http://en.wikipedia.org/wiki/Advanced_Configuration_and_Power_Interface
RE: [pfSense Support] AW: Firebox X series w/ 1.2 and 1.2.2 issue
Switched the cables a few times now. 3 different pre-fab cables (different colors even!).

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com

-----Original Message-----
From: Andrew Cotter [mailto:andrew.cot...@somersetcapital.com]
Sent: Friday, March 20, 2009 12:35 PM
To: support@pfsense.com
Subject: RE: [pfSense Support] AW: Firebox X series w/ 1.2 and 1.2.2 issue

From: Dimitri Rodis [mailto:dimit...@integritasystems.com]
Sent: Friday, March 20, 2009 18:27
To: support@pfsense.com
Subject: [pfSense Support] Firebox X series w/ 1.2 and 1.2.2 issue

> So, I have a pair of firebox x700 units that I have put new CF cards in. I have tried both 1.2-RELEASE and 1.2.2 (both embedded), and both behave the same way. On the serial console, I will see the following:
>
> re4: watchdog timeout
> re4: watchdog timeout
> etc
>
> If I change the LAN interface to re1, the same thing happens, except on the serial console I will see:
>
> re1: watchdog timeout
> re1: watchdog timeout
> ...etc

I had a similar issue while I was working on a few X500/700 whatever boxes last week. I know people suggest that various low end switches produce this error, but I had no switch in the mix. I was going direct to a desktop and was getting it. It was a home made looking cable. As soon as I plugged in one of our prefab cables it went away. Try and switch out the ethernet cable. Let us know. I have 5 of these boxes in the corner of my office. 3 of which I am planning on deploying in the next two weeks.

Andrew
RE: [pfSense Support] Existing pfSense 1.2.2, adding redundant member
It looked that easy-- just wanted to be sure before messing with a production set up!

Thanks,

Dimitri Rodis
Integrita Systems LLC

-----Original Message-----
From: Paul Mansfield [mailto:it-admin-pfse...@taptu.com]
Sent: Wednesday, March 18, 2009 4:45 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Existing pfSense 1.2.2, adding redundant member

Dimitri Rodis wrote:

> So, what is the procedure for adding a redundant member to a single pfSense 1.2.2 install? All IPs used in the rules are already CARP addresses on all interfaces being used--WAN, LAN, and OPT1. There are another 3 interfaces-- one of them will be dedicated to sync (of course). I've seen the FAQs, and did some forum searches, but all of them discuss new installs, not adding redundancy down the line (at least I couldn't find it if so).

If you already set up the IPs as CARP, it should be fairly easy. Just bring up another machine on unused IPs (WAN and LAN) and enable CARP on it; you will preferably want a spare interface for sync, then set up replication push on the master.
[pfSense Support] LCDProc Package on Embedded
Just installed 1.2-RELEASE embedded on an old FireBox x500. I read in the forums that someone wrote an LCDProc package for this. Of course, you can't do packages on the embedded platform. I found this link in the forums http://forum.pfsense.org/index.php/topic,12995.0.html which tells you how to make pfSense think it's a full install, but my question is this: does anyone know if the LCDProc package really needs rw access once it's installed? In other words, can I reverse this safely after LCDProc is installed? Or should I just leave it rw?

    echo "/dev/ufs/pfSense / ufs rw 1 1" > /etc/fstab; echo "/dev/ufs/pfSenseCfg /cf ufs rw 1 1" >> /etc/fstab

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com
RE: [pfSense Support] Exchange RPC/HTTPS outbound client
https://www.testexchangeconnectivity.com/ is your friend when it comes to troubleshooting RPC over HTTP(S) and ActiveSync issues. We are using RPC/HTTPS on a few pfSense setups. I have categorically never found pfSense to be the problem when troubleshooting issues with Exchange-- but I have also categorically never used squid in one of these setups either.

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com

-----Original Message-----
From: RB [mailto:aoz@gmail.com]
Sent: Monday, February 09, 2009 7:16 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Exchange RPC/HTTPS outbound client

On Mon, Feb 9, 2009 at 19:46, Joseph L. Casale jcas...@activenetwerx.com wrote:

> I am using 1.2-RELEASE and have a client that needs to connect to an Exchange Server via RPC/HTTPS that I know to be in working order. This client cannot connect when behind pfSense but can access OWA on this server. Are there any known issues? I couldn't find anything that suggested any additional config.

pfSense by default does not employ any application-layer logic and would not interfere with typical HTTPS (tcp/443) traffic. If, however, you have installed the Squid package or have some other proxy intercepting the traffic, it's most likely silently dropping methods it's not configured for.
RE: [pfSense Support] Packages with pfSense embedded not an option - very sad
Re-do what you did, but create a 2GB partition and try again. Leave the other 6GB unused. I had this problem with an older PC and an actual 20GB hard drive-- from what I understand, it has to do with the IDE-CF adapters and how well they support LBA/DMA modes, etc.

Dimitri Rodis
Integrita Systems LLC

-----Original Message-----
From: Chuck Mariotti [mailto:cmario...@xunity.com]
Sent: Monday, January 26, 2009 9:40 AM
To: support@pfsense.com
Subject: RE: [pfSense Support] Packages with pfSense embedded not an option - very sad

I have gone out and purchased a SanDisk 8GB CF Card. Using VMWare Workstation, mounted the CF as physical drive. Booted off CD, ran install to disk option, all defaults to install to CF (chose Embedded Kernel). Shut down, installed into ALIX, boot only comes up with the following:

PfSense
Default: F1

Can't do anything from there.

Redid the above, followed the http://forum.pfsense.org/index.php?topic=12973.msg72095 (steps 1 to 14), this is of course for a CF HDD Microdrive. Specifically the da0s1a to ad0s1a entries in fstab. Still get the same thing:

PfSense
Default: F1

Any ideas on how to solve this?

Regards,
Chuck

-----Original Message-----
From: cbuech...@gmail.com [mailto:cbuech...@gmail.com] On Behalf Of Chris Buechler
Sent: Thursday, January 22, 2009 10:30 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Packages with pfSense embedded not an option - very sad

On Thu, Jan 22, 2009 at 10:18 PM, Morgan Reed morgan.s.r...@gmail.com wrote:

> Wear leveling is your friend. If your CF card is significantly larger than the data stored on it you'll get longer life out of it.

Definitely seems to be the case, even when using half the CF.

> Catch is getting it installed on the 4GB CF first, I've done this once using a random CF-IDE adapter, disabling DMA in BIOS and from the loader prompt so that it'll actually work (most CF-IDE adapters aren't built in such a way that they allow the CF card to negotiate DMA like an HDD would), install ran fine, modified loader.conf to ensure DMA is turned off, it did seem to work but it took a good 20 mins to boot, so I'm not sure what the other differences are between a full and an embedded system.

If you choose the embedded kernel during install, it should boot no problem. It includes disabling DMA, enabling serial console, etc.

In the not too distant future we'll likely be distributing a new embedded 1.2.x, essentially a full install img for various size cards. It upgrades reliably (though pretty slowly, that doesn't really matter), and packages work fine. It'll be equivalent to installing it from iso yourself, just easier. It's easy to install to CF using a USB CF writer and VMware USB redirection.
RE: [pfSense Support] Outbound NAT to Virt. IP issues. Maybe it's the config, maybe it's VMWare ESXi?
What kind of Virtual IP are you using? If you are using CARP addresses (which is what I'm using), make sure your subnet mask actually matches your WAN interface subnet mask.

Dimitri Rodis
Integrita Systems LLC

-----Original Message-----
From: Jason Lixfeld [mailto:jason-lists.pfse...@lixfeld.ca]
Sent: Monday, December 22, 2008 8:04 AM
To: support@pfsense.com
Subject: [pfSense Support] Outbound NAT to Virt. IP issues. Maybe it's the config, maybe it's VMWare ESXi?

Hello, and happy holidays!

I have an ESXi server installed with the 1.2.1-RC2 VM upgraded to RC4 up and running. Everything has been working as expected, but then I tried to set up outbound NAT to a virtual IP and everything stopped:

I've configured a Virtual IP on the WAN side which is on the same subnet as the WAN interface itself. I have an outbound NAT rule set up to NAT all outbound connections to the Virtual IP. I also have the outbound NAT set for Manual Outbound NAT rule generation (Advanced Outbound NAT (AON)).

From the WAN side, I see the MAC for both the virtual IP and the physical WAN interface IP but I can't ping the Virtual IP; however I can ping the physical WAN interface IP, no problem. As soon as I set outbound NAT to Automatic Outbound NAT rule generation, traffic works again (albeit I still can't ping the virtual IP, but at that point, it's moot).

I checked the pfSense firewall rules and verified that it's configured to pass ICMP from any to any on the WAN interface and the LAN interface has a rule to allow IP from any to any, so by all accounts this should be working.

I'm not sure if it's something in pfSense that I'm doing wrong, or if it's a VMWare issue. The fact that I can see the MAC Address on the WAN side seems to indicate that ESXi is doing what it's supposed to. I haven't seen any indication that ESXi doesn't want to pass traffic for a virtual MAC address while I've been looking over its configuration, so I'm at a loss and I'm wondering if anyone has any insight.

Just for completeness, here's the ARP table from a 3550 I have on the WAN side to verify it sees the MAC address and ARP, etc. I've also included the ifconfig from the pfSense shell.

switch#show arp | i Vlan5
Internet  aaa.bbb.ccc.215    -   000b.5f33.6100  ARPA   Vlan5
Internet  aaa.bbb.ccc.209    0   0013.5f1e.93c0  ARPA   Vlan5
Internet  aaa.bbb.ccc.211   16   000c.291b.3c6f  ARPA   Vlan5
Internet  aaa.bbb.ccc.210   17   0000.5e00.0101  ARPA   Vlan5

switch#show mac-address-table | i Fa0/1
   5    0000.5e00.0101    DYNAMIC     Fa0/1
   5    000c.291b.3c6f    DYNAMIC     Fa0/1

.215 is the 3550 I'm using to verify the WAN side.
.209 is the default gateway for the pfSense box that leads to the intermaweb.
.210 is the virtual IP.
.211 is the physical IP.

switch#ping aaa.bbb.ccc.209

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to aaa.bbb.ccc.209, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

switch#ping aaa.bbb.ccc.211

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to aaa.bbb.ccc.211, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

switch#ping aaa.bbb.ccc.210

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to aaa.bbb.ccc.210, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
switch#

# ifconfig
le0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 00:0c:29:1b:3c:65
        inet 10.1.11.1 netmask 0xffffff00 broadcast 10.1.11.255
        inet6 fe80::20c:29ff:fe1b:3c65%le0 prefixlen 64 scopeid 0x1
        media: Ethernet autoselect
        status: active
le1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 00:0c:29:1b:3c:6f
        inet6 fe80::20c:29ff:fe1b:3c6f%le1 prefixlen 64 scopeid 0x2
        inet aaa.bbb.ccc.211 netmask 0xfffffff0 broadcast aaa.bbb.ccc.223
        media: Ethernet autoselect
        status: active
le2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 00:0c:29:1b:3c:79
        inet 10.255.255.1 netmask 0xffffff00 broadcast 10.255.255.255
        inet6 fe80::20c:29ff:fe1b:3c79%le2 prefixlen 64 scopeid 0x3
        media: Ethernet autoselect
        status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> metric 0 mtu 1500
pfsync0: flags=41<UP,RUNNING> metric 0 mtu 1460
        pfsync: syncdev: lo0 syncpeer: 224.0.0.240 maxupd: 128
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
enc0: flags=0<> metric 0 mtu 1536
pflog0: flags=100<PROMISC> metric 0 mtu 33204
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        inet6 fe80::20c:29ff:fe1b:3c65%tun0 prefixlen 64 scopeid 0x9
        inet 192.0.2.1 --> 192.0.2.2 netmask 0xffffffff
        Opened
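The reply's check, a CARP VIP's mask must match the mask of the interface it sits on, is easy to automate against a downloaded config.xml. The script below is an added example (not from the thread and not pfSense code): it reads the static interface addresses, then walks the virtual IPs and reports CARP entries whose subnet bits differ from the parent interface or whose address lies outside its subnet, and lists non-CARP entries separately, since Proxy ARP and Other VIPs are not bound by the firewall itself and will not answer a ping. Element names (interfaces/wan/ipaddr and subnet; virtualip/vip/mode, interface, subnet, subnet_bits) follow the pfSense config.xml layout as I know it and the sample config is constructed, with 203.0.113.0/24 standing in for the masked aaa.bbb.ccc addresses.

```python
"""Check pfSense virtual IPs against their parent interface's subnet.

Added example, not pfSense code.  Element names are assumed to follow the
config.xml layout (<interfaces><wan><ipaddr>/<subnet>, <virtualip><vip>...);
the sample config is constructed.
"""
import ipaddress
import xml.etree.ElementTree as ET
from typing import Dict, List

SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <wan><if>le1</if><ipaddr>203.0.113.211</ipaddr><subnet>28</subnet></wan>
    <lan><if>le0</if><ipaddr>10.1.11.1</ipaddr><subnet>24</subnet></lan>
    <opt1><if>le2</if><ipaddr>dhcp</ipaddr></opt1>
  </interfaces>
  <virtualip>
    <vip><mode>carp</mode><interface>wan</interface><subnet>203.0.113.210</subnet>
         <subnet_bits>24</subnet_bits><vhid>1</vhid><descr>mask typo</descr></vip>
    <vip><mode>carp</mode><interface>wan</interface><subnet>203.0.113.212</subnet>
         <subnet_bits>28</subnet_bits><vhid>2</vhid><descr>correct</descr></vip>
    <vip><mode>carp</mode><interface>wan</interface><subnet>198.51.100.5</subnet>
         <subnet_bits>28</subnet_bits><vhid>3</vhid><descr>outside WAN subnet</descr></vip>
    <vip><mode>proxyarp</mode><interface>wan</interface><subnet>203.0.113.213</subnet>
         <subnet_bits>32</subnet_bits><descr>NAT-only address</descr></vip>
    <vip><mode>carp</mode><interface>opt1</interface><subnet>10.9.9.9</subnet>
         <subnet_bits>24</subnet_bits><vhid>4</vhid><descr>dhcp parent</descr></vip>
  </virtualip>
</pfsense>
"""

Network = ipaddress.IPv4Network


def interface_networks(root: ET.Element) -> Dict[str, Network]:
    """Static interface networks keyed by config name (wan, lan, opt1, ...).
    Interfaces without a static address (dhcp/pppoe/none) are left out."""
    nets: Dict[str, Network] = {}
    for iface in root.find("interfaces") or []:
        ip, bits = iface.findtext("ipaddr"), iface.findtext("subnet")
        if ip and bits and ip not in ("dhcp", "pppoe", "none"):
            nets[iface.tag] = ipaddress.ip_network(f"{ip}/{bits}", strict=False)
    return nets


def check_vips(xml_text: str) -> List[str]:
    """One finding per problem, as 'address: explanation' strings."""
    root = ET.fromstring(xml_text)
    nets = interface_networks(root)
    findings: List[str] = []
    vips = root.find("virtualip")
    for vip in ([] if vips is None else vips.findall("vip")):
        mode = vip.findtext("mode") or "?"
        iface = vip.findtext("interface") or "?"
        addr = vip.findtext("subnet") or "?"
        bits = int(vip.findtext("subnet_bits") or 32)
        net = nets.get(iface)
        if net is None:
            findings.append(f"{addr}: interface {iface} has no static address to compare against")
            continue
        if mode != "carp":
            # Proxy ARP / Other VIPs are usable for NAT but the firewall does not
            # bind them, so they never answer ping; that is expected, not a bug.
            findings.append(f"{addr}: {mode} VIP is not bound by the firewall, will not answer ping")
            continue
        if ipaddress.ip_address(addr) not in net:
            findings.append(f"{addr}: not inside {iface} subnet {net}")
        if bits != net.prefixlen:
            findings.append(f"{addr}: CARP mask /{bits} does not match {iface} mask /{net.prefixlen}")
    return findings


def problem_addresses(xml_text: str) -> List[str]:
    """Sorted, de-duplicated list of VIP addresses that have at least one finding."""
    return sorted({f.split(":", 1)[0] for f in check_vips(xml_text)})


if __name__ == "__main__":
    for line in check_vips(SAMPLE_CONFIG):
        print(line)
```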
RE: [pfSense Support] Dell Hardware Monitoring - pfSense 1.2 Final
OpenManage Server Administrator is what you're looking for.

Dimitri Rodis
Integrita Systems LLC

From: Curtis LaMasters [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 09, 2008 11:16 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Dell Hardware Monitoring - pfSense 1.2 Final

No problem, I'm on the phone with Dell support now for which ISO/tool to download. Thanks.

Curtis LaMasters
http://www.curtis-lamasters.com
http://www.builtnetworks.com

On Tue, Dec 9, 2008 at 1:12 PM, Chris Buechler [EMAIL PROTECTED] wrote:

On Tue, Dec 9, 2008 at 2:05 PM, Curtis LaMasters [EMAIL PROTECTED] wrote:

I'm just trying to minimize failover/failback and downtime. If I knew it was a memory module, hard drive or fan, I could have one ordered and ready to go all in one big swoop.

You can tell if it's a hard drive by looking at the lights on the drive sleds, they'll go orange on a dead disk. Aside from that, it's probably a bad power supply, fan, or RAM, and you have to get into the diag software to tell unfortunately.

- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] Commercial support available - https://portal.pfsense.org

smime.p7s Description: S/MIME cryptographic signature
[pfSense Support] DNS Forwarder/Authoritative DNS Server
On one of my networks, I have 4 Windows server domain controllers that run DNS for Active Directory on this network in particular. On the services_dnsmasq.php page in pfSense, the bottom section allows you to specify authoritative DNS servers for domains that are not part of the internet (or to override for the purpose of split-brain DNS).

Let's say that this particular domain is internaldomain.local. There are 4 authoritative DNS servers for this zone - however, the interface on this page only allows you to add one:

The following input errors were detected:
* A override already exists for this domain.

Is there a way that I can specify multiple DNS servers for a particular domain suffix? You should be able to, IMO.

Thanks,

Dimitri Rodis
Integrita Systems LLC
RE: [pfSense Support] Bridge + Captive Portal
The HP implementation on the procurve line places you on a temp vlan until you authenticate. Once you do, your port membership changes.

Besides that, if you want to make use of the public IPs, why not set up 1:1 NAT mappings for all of your public IPs and then just set your DHCP pool on your LAN interface to use the corresponding private IPs? That way, you can use all your public IPs, and each client will have one-- I've never used 1:1 in conjunction with captive portal, though, so what I just said may or may not work.

Dimitri Rodis
Integrita Systems LLC

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Buechler
Sent: Wednesday, November 19, 2008 12:10 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Bridge + Captive Portal

On Wed, Nov 19, 2008 at 1:58 AM, Olivier Nicole [EMAIL PROTECTED] wrote:

Hi Dimitri,

Thanks for the clues, I will look at what I can do with the switch.

Is there a particular reason you are trying to do a captive portal using a bridge setup vs NAT?

We have the right amount of public IP available (only a class C, but for around 150 users, that's plenty enough), so no reason to NAT.

I have been running a bridged firewall (FreeBSD + ipf) for ages (since FreeBSD 4.0 maybe), it is working smoothly, it is invisible (obscurity is not security, but it contributes to security), it simplifies routing (one less hop) and in case of problem, it can be replaced with an Ethernet cable. That's among the reasons why I like bridged firewall.

All valid, but a captive portal implementation by definition cannot be transparent. It has to redirect hosts to an IP on one of its interfaces to serve the portal content. I'd just use a /30 on the WAN, and your public IP block on the LAN, disable NAT, enable captive portal, and you're set. You can still have the "remove the firewall" option by adding your LAN IP on the upstream router if necessary, and removing the firewall.
[pfSense Support] NAT Reflection States
How long will pfSense hold onto the states required to maintain a tcp connection/udp session, and can this be changed? It seems like connections on my network that are utilizing NAT reflection are timing out extremely fast (like 20 seconds or less). The firewall optimization is set to conservative. This is only a guess, but it's the only thing that I can think of that makes sense based on the behavior I'm experiencing. (RDP sessions timing out and constantly reconnecting, and uploading changes to websites via sharepoint server extensions are all timing out, long transfers between mail servers as well).

Dimitri Rodis
Integrita Systems LLC
RE: [pfSense Support] Bridge + Captive Portal
Olivier,

Depending on the switches that you have (like the HP procurves), you can make those switches serve up a captive portal before traffic can be sent to any other MAC address. I know that this isn't a pfSense answer, but depending on the equipment that you have, you may be able to accomplish it.

Is there a particular reason you are trying to do a captive portal using a bridge setup vs NAT?

Dimitri Rodis
Integrita Systems LLC

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Buechler
Sent: Tuesday, November 18, 2008 12:34 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Bridge + Captive Portal

On Mon, Nov 17, 2008 at 11:15 PM, Olivier Nicole [EMAIL PROTECTED] wrote:

Hi,

Sorry to bug, but the question is of some importance to me as I have to select and implement a solution. Can pfSense use bridge and captive portal at the same time?

No, at least not that I'm aware of. It needs an IP to serve the portal content, and accessing it could be problematic in a bridged environment.
RE: [pfSense Support] NAT Reflection States
Thanks, Scott.

Dimitri Rodis
Integrita Systems LLC

-----Original Message-----
From: Scott Ullrich [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 18, 2008 3:36 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] NAT Reflection States

On Tue, Nov 18, 2008 at 6:32 PM, Dimitri Rodis [EMAIL PROTECTED] wrote:

How long will pfSense hold onto the states required to maintain a tcp connection/udp session, and can this be changed? It seems like connections on my network that are utilizing NAT reflection are timing out extremely fast (like 20 seconds or less). The firewall optimization is set to conservative. This is only a guess, but it's the only thing that I can think of that makes sense based on the behavior I'm experiencing. (RDP sessions timing out and constantly reconnecting, and uploading changes to websites via sharepoint server extensions are all timing out, long transfers between mail servers as well).

From /etc/inc/filter.inc:

	if($config['system']['reflectiontimeout'])
		$reflectiontimeout = $config['system']['reflectiontimeout'];
	else
		$reflectiontimeout = 2000;

You can set an override with <system><reflectiontimeout>

Scott
RE: [pfSense Support] NAT Reflection States
That's milliseconds, correct?

Dimitri Rodis
Integrita Systems LLC

-----Original Message-----
From: Dimitri Rodis [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 18, 2008 3:38 PM
To: support@pfsense.com
Subject: RE: [pfSense Support] NAT Reflection States

Thanks, Scott.

Dimitri Rodis
Integrita Systems LLC

-----Original Message-----
From: Scott Ullrich [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 18, 2008 3:36 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] NAT Reflection States

On Tue, Nov 18, 2008 at 6:32 PM, Dimitri Rodis [EMAIL PROTECTED] wrote:

How long will pfSense hold onto the states required to maintain a tcp connection/udp session, and can this be changed? It seems like connections on my network that are utilizing NAT reflection are timing out extremely fast (like 20 seconds or less). The firewall optimization is set to conservative. This is only a guess, but it's the only thing that I can think of that makes sense based on the behavior I'm experiencing. (RDP sessions timing out and constantly reconnecting, and uploading changes to websites via sharepoint server extensions are all timing out, long transfers between mail servers as well).

From /etc/inc/filter.inc:

	if($config['system']['reflectiontimeout'])
		$reflectiontimeout = $config['system']['reflectiontimeout'];
	else
		$reflectiontimeout = 2000;

You can set an override with <system><reflectiontimeout>

Scott
RE: [pfSense Support] NAT Reflection States
Check this out:

http://cvstrac.pfsense.com/chngview?cn=18706

Comment: Default to nat-reflection inactivity of 2000 which is roughly 33 minutes.

lol, 2000=33 minutes? Can't be. I have an RDP session open to another server in the building here and it's timed out at least 6 times since you emailed me last.

Dimitri Rodis
Integrita Systems LLC

-----Original Message-----
From: Scott Ullrich [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 18, 2008 3:44 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] NAT Reflection States

On Tue, Nov 18, 2008 at 6:40 PM, Dimitri Rodis [EMAIL PROTECTED] wrote:

That's milliseconds, correct?

I believe that is seconds, actually (whatever the default nc uses -- netcat).

Scott
RE: [pfSense Support] NAT Reflection States
the -w param is in seconds according to http://www.securityforest.com/wiki/index.php/Netcat_-_Basic_Overview

Any other ideas as to why connections would be dropping/timing out like this?

Dimitri Rodis
Integrita Systems LLC

-----Original Message-----
From: Dimitri Rodis [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 18, 2008 3:52 PM
To: support@pfsense.com
Subject: RE: [pfSense Support] NAT Reflection States

Check this out:

http://cvstrac.pfsense.com/chngview?cn=18706

Comment: Default to nat-reflection inactivity of 2000 which is roughly 33 minutes.

lol, 2000=33 minutes? Can't be. I have an RDP session open to another server in the building here and it's timed out at least 6 times since you emailed me last.

Dimitri Rodis
Integrita Systems LLC

-----Original Message-----
From: Scott Ullrich [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 18, 2008 3:44 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] NAT Reflection States

On Tue, Nov 18, 2008 at 6:40 PM, Dimitri Rodis [EMAIL PROTECTED] wrote:

That's milliseconds, correct?

I believe that is seconds, actually (whatever the default nc uses -- netcat).

Scott
RE: [pfSense Support] NAT Reflection States
I am using 1.2-RELEASE built on Sun Feb 24 17:04:58 EST 2008 so it isn't an RC thing.

Dimitri Rodis
Integrita Systems LLC

-----Original Message-----
From: digger [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 18, 2008 4:04 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] NAT Reflection States

I have the same issue with reflection and SSH. The session closes after about 20 seconds. I am using 1.2.1-RC1 built on Thu Oct 16 07:20:59 EDT 2008

Not a huge issue as I can connect directly to the internal IP in the DMZ but it would be nice.

Regards,
Digger.

Dimitri Rodis wrote:

the -w param is in seconds according to http://www.securityforest.com/wiki/index.php/Netcat_-_Basic_Overview

Any other ideas as to why connections would be dropping/timing out like this?

Dimitri Rodis
Integrita Systems LLC

-----Original Message-----
From: Dimitri Rodis [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 18, 2008 3:52 PM
To: support@pfsense.com
Subject: RE: [pfSense Support] NAT Reflection States

Check this out:

http://cvstrac.pfsense.com/chngview?cn=18706

Comment: Default to nat-reflection inactivity of 2000 which is roughly 33 minutes.

lol, 2000=33 minutes? Can't be. I have an RDP session open to another server in the building here and it's timed out at least 6 times since you emailed me last.

Dimitri Rodis
Integrita Systems LLC

-----Original Message-----
From: Scott Ullrich [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 18, 2008 3:44 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] NAT Reflection States

On Tue, Nov 18, 2008 at 6:40 PM, Dimitri Rodis [EMAIL PROTECTED] wrote:

That's milliseconds, correct?

I believe that is seconds, actually (whatever the default nc uses -- netcat).

Scott
RE: [pfSense Support] NAT Reflection States
There are a ton of lines that look like this:

19004	stream	tcp	nowait/0	nobody	/usr/bin/nc	nc -w 20

I guess we found the culprit then? Why is it using 20 as opposed to 2000?

Dimitri Rodis
Integrita Systems LLC

-----Original Message-----
From: Scott Ullrich [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 18, 2008 4:07 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] NAT Reflection States

On Tue, Nov 18, 2008 at 7:04 PM, digger [EMAIL PROTECTED] wrote:

I have the same issue with reflection and SSH. The session closes after about 20 seconds. I am using 1.2.1-RC1 built on Thu Oct 16 07:20:59 EDT 2008

Not a huge issue as I can connect directly to the internal IP in the DMZ but it would be nice.

What does /var/etc/inetd.conf look like? Do you see the timeouts defined?

Scott
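An added example, not from the thread and not pfSense code, that does the audit Scott asks for above in one pass: parse the NAT-reflection entries pfSense 1.2 writes to /var/etc/inetd.conf, pull the `-w` value out of each `nc` invocation, and list every entry whose timeout is shorter than the `reflectiontimeout` the firewall is supposed to be using. The inetd.conf lines, the 192.168.1.x targets and the 2000 s expectation are constructed assumptions for the example; point it at the real file with `python reflection_audit.py < /var/etc/inetd.conf`.

```python
"""
Audit the NAT-reflection entries pfSense 1.2 writes to /var/etc/inetd.conf.

In that release each reflected port is an inetd service that spawns
'nc -w <timeout> <internal-ip> <port>'. nc's -w is in seconds and, per
nc(1), also applies to idle connections, so '-w 20' drops an idle session
after about 20 s whatever the pf state timeouts say.

Example code, not pfSense's own. The inetd.conf lines below are constructed
to match the format shown in the thread, with placeholder targets.
"""
import re
import sys
from typing import Iterable, List, NamedTuple, Optional

# Constructed sample: two entries carrying the 20 s value, one at 2000 s.
SAMPLE_INETD_CONF = """\
19000\tstream\ttcp\tnowait/0\tnobody\t/usr/bin/nc\tnc -w 20 192.168.1.10 80
19001\tstream\ttcp\tnowait/0\tnobody\t/usr/bin/nc\tnc -w 20 192.168.1.10 443
19004\tstream\ttcp\tnowait/0\tnobody\t/usr/bin/nc\tnc -w 2000 192.168.1.20 3389
# lines that are not reflection entries are ignored
"""


class ReflectEntry(NamedTuple):
    listen_port: int
    proto: str
    timeout_s: Optional[int]   # value of nc -w, None if absent
    target_ip: str
    target_port: int


_ENTRY = re.compile(
    r"^(?P<port>\d+)\s+stream\s+(?P<proto>tcp|udp)\s+nowait(?:/\d+)?\s+\S+\s+"
    r"/usr/bin/nc\s+nc\s+(?P<args>.+)$"
)
_TIMEOUT = re.compile(r"(?:^|\s)-w\s*(\d+)(?=\s|$)")
_TARGET = re.compile(r"(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$")


def parse_inetd_reflection(text: str) -> List[ReflectEntry]:
    """Return the NAT-reflection services found in inetd.conf text."""
    found: List[ReflectEntry] = []
    for line in text.splitlines():
        m = _ENTRY.match(line.strip())
        if not m:
            continue
        args = m["args"]
        t = _TIMEOUT.search(args)
        tgt = _TARGET.search(args)
        if not tgt:
            continue   # nc line without an ip/port target; nothing to reflect
        found.append(ReflectEntry(int(m["port"]), m["proto"],
                                  int(t.group(1)) if t else None,
                                  tgt.group(1), int(tgt.group(2))))
    return found


def short_timeouts(entries: Iterable[ReflectEntry], expected_s: int) -> List[ReflectEntry]:
    """Entries whose nc -w is missing or shorter than the configured reflectiontimeout."""
    return [e for e in entries if e.timeout_s is None or e.timeout_s < expected_s]


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INETD_CONF
    for e in short_timeouts(parse_inetd_reflection(text), 2000):
        print(f"port {e.listen_port}/{e.proto} -> {e.target_ip}:{e.target_port}: nc -w {e.timeout_s}")
```

Two things worth remembering while reading the output: the idle-timeout behaviour of `-w` is what makes a quiet RDP or SSH session die at the 20 s mark, and because every reflected connection is proxied through `nc` on the firewall, the internal server sees the connection coming from the firewall's own address rather than from the real client, so its logs and any source-IP based access control on it cannot tell reflected clients apart.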
[pfSense Support] Force Speed/Duplex on NIC
What's the preferred method of forcing a NIC to 100Mb Full Duplex using pfSense? The only things I've managed to come across in my searches are "why would you want to do that" and "your NIC is b0rk3d, switch the cable."

The ISP (Cox) requires that interfaces plugged into their Atrica units be hard set to 100 Full (for good reason). And yes, personally I've seen Intel 1000T Server adapters auto negotiate with these Atrica units randomly to either 100 half or 10 half, so the standard auto-detect isn't going to cut it for this unit. (Cox uses these units in a metro SONET ring in Las Vegas).

I would rather not have to go get some junk 8 port managed switch just to force a speed/duplex if it's possible to do in the pfSense config.

Dimitri Rodis
Integrita Systems LLC
RE: [pfSense Support] Captive Portal enabling Ethernet Port Traffic
If you want to authenticate machines connecting to switch ports, install the FreeRADIUS package. I added some interface options to the package earlier this year that should allow you to use it for mac-based authentication and vlan assignment for switches that support it. I use it in a couple different places and it works quite well for us.

Dimitri Rodis
Integrita Systems LLC

-----Original Message-----
From: Tim Nelson [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 11, 2008 3:43 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Captive Portal enabling Ethernet Port Traffic

If you want per port (on your switch) based authentication, you may want to look at 802.1x with RADIUS. If you'd like to do per IP authentication, pfSense will work nicely.

Tim Nelson
Systems/Network Engineer
Rockbochs Inc.
(218)727-4332 x105

----- Chris Flugstad [EMAIL PROTECTED] wrote:

So I have a need that I'm not sure if Pfsense is currently doing. I want to have a captive portal, but once auth'd that the ethernet port that was used to go through the captive portal, be enabled. Well, I guess it would already be enabled, since it got through, but more or less that the port had full access. Each port will go to different rooms in a hotel. Any ideas would be appreciated.

-Topher
RE: [pfSense Support] pfSense 1.2-RELEASE: Performance Issue?
Ted,

I had a similar issue with a 10Mb symmetric Cox fiber connection in Las Vegas. For some reason, their equipment didn't like the Broadcom NIC in the system I had. Fortunately, there was another NIC in the system (Intel) that worked just fine. When I performed a bandwidth test using the Broadcom, I got barely over 2Mb. Using the Intel, I got 9.5Mb. What kind of NICs are in your pfSense box?

Dimitri Rodis
Integrita Systems LLC

-----Original Message-----
From: Ted Crow [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 30, 2008 1:03 PM
To: support@pfsense.com
Subject: [pfSense Support] pfSense 1.2-RELEASE: Performance Issue?

I'm running 1.2-RELEASE and we recently upgraded from 10mbps DSL to a metro fiber link and we were seeing a pretty significant performance hit across the firewall, especially outbound. In troubleshooting this, my provider has disabled all limiting on their end and the connection is basically a wide open FDX 100Mbps link. This *really* made the performance drop noticeable.

Simple Diagram:

  | Fiber Switch |---| Cisco 2801 |---| Firewall |-- Multiple LANs
                                           |
                                      | DMZ Switch |-- DMZ Hosts

A laptop directly connected to the fiber switch can pump 80Mbps to many points on the Internet. Behind my router it only hits 45-60Mbps probably because the router was never intended to be used at this speed (before the speed was bumped to 100mbps there was no significant performance drop). Behind the pfSense box, however, averages around 20-25Mbps to the Internet. LAN to DMZ Hosts are around 55-60Mbps.

The box is pretty beefy - a SuperServer 5015M-MF+B, Xeon 3040 with 1GB DDR2 and six Intel 1Gbps ports. I'd be a little surprised if the hardware has anything to do with it. CPU and RAM usage have never exceeded 10%. I tried enabling polling but that made no difference. I've disabled the traffic shaper and removed most of my packages to get where I am now and I've run out of ideas.

Anyone?

Ted Crow
Information Technology Manager
Tuttle Services, Inc.
RE: [pfSense Support] Intel Pro 1000 VT
Adam,

This may sound strange, but you might want to load linux and vmware server on the machine, and run pfSense virtualized until the hardware support comes for your NICs. We run pfSense virtualized on Dell PE1800s, PE2900s, and PE2950 servers all the time.

Dimitri Rodis
Integrita Systems LLC

From: Adam Costello [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 15, 2008 7:47 AM
To: support@pfsense.com
Subject: RE: [pfSense Support] Intel Pro 1000 VT

Hi Sean,

Sorry didn't put this in the message below, the Broadcom (NetXtreme BCM5722) is actually the embedded NIC so I can't replace :( Is my only option a custom build (if I can find the FreeBSD drivers for it)?

Cheers
Adam

From: Sean Cavanaugh [mailto:[EMAIL PROTECTED]
Sent: 15 May 2008 15:09
To: support@pfsense.com
Subject: RE: [pfSense Support] Intel Pro 1000 VT

From: [EMAIL PROTECTED]
To: support@pfsense.com
Date: Thu, 15 May 2008 09:50:17 +0100
Subject: RE: [pfSense Support] Intel Pro 1000 VT

I originally thought the problem was that the Intel was not working and the Broadcom was, however my recent findings have led me to believe neither were working originally :( I've had a look at the supported hardware list for FreeBSD 7 and it doesn't appear in there. I'm quite worried that there is no way round this problem.

Cheers
Adam

If the hardware is not on the supported hardware list, they will NOT work with pfSense. You will have to get another NIC for the server.
RE: [pfSense Support] 1.2 package add-on missing
1. Did you install pfSense to the hard drive? (You need to for packages)
2. Yes.. Go to the interfaces page and add it.

Dimitri Rodis
Integrita Systems LLC

From: Paul Peziol [mailto:[EMAIL PROTECTED]
Sent: Monday, May 05, 2008 8:41 AM
To: support@pfsense.com
Subject: [pfSense Support] 1.2 package add-on missing

Not sure if it's a bug or something in my installation but the new version appears to not have a choice to add packages and the firmware update page seems to be out of line. If it's an installation issue I will re-install it.

2nd question: I have 3 NIC's. I only setup 2 of them on the initial setup. Is there a way to add the 2nd optional one after the fact?

Paul
[pfSense Support] 3-way CARP
Is it possible to have a 3-way CARP setup? I can't seem to find mention of anyone having one up and running, so I just thought I would check to see if there was any reason it wouldn't work... I do see that you have to set up a peer IP, so in a 3 way setup what would you put there?

Reason being - I have a site with 3 beefy physical machines running VMware, and I would like to have a pfSense node on each physical machine. Any special considerations? (other than the dedicated interface for pfsync?) If it's not possible, then I'll just stick with 2.

Any comments/suggestions appreciated!

Thanks,

Dimitri Rodis
Integrita Systems LLC
RE: [pfSense Support] 3-way CARP
So really the peer IP option is there for folks who don't have a dedicated interface, so that the pfsync traffic doesn't flood the network, is that right?

So, in a 3-way config, do you always have to make configuration changes on the master? Or can they be made on any of them?

Dimitri Rodis
Integrita Systems LLC

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Buechler
Sent: Thursday, April 17, 2008 5:10 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] 3-way CARP

On Thu, Apr 17, 2008 at 7:46 PM, Dimitri Rodis [EMAIL PROTECTED] wrote:

Is it possible to have a 3-way CARP setup? I can't seem to find mention of anyone having one up and running, so I just thought I would check to see if there was any reason it wouldn't work...

Yeah, you can. The only catch is with config replication - the primary replicates to the secondary which has to replicate to the tertiary. That's something Scott has discussed changing for 1.3, but I'm not sure if that'll happen or not.

I do see that you have to set up a peer IP, so in a 3 way setup what would you put there?

That's only if you don't want to use multicast, that's an optional field.
RE: [pfSense Support] 3-way CARP
One last thing: Is there currently any way to *not* assign an IP directly to the WAN interface in a CARP config? Since the IPs assigned directly to the WAN can't be used in a failover situation (if I understand correctly), I would like to not have to use an extra public static IP to set up each CARP member.

I was thinking that *maybe* if I just assigned an IP from a private address range to the WAN interface (obviously NOT an address I'm using internally on the LAN side), but actually used the correct subnet mask and gateway address for my public subnet, maybe it would work if I changed AON to NOT use the default IP on the WAN. Does that make sense?

If there is currently no way, maybe a feature could be added such that you could choose one of the CARP IPs to be the default IP on the WAN interface to achieve this and have the rules work. Would that make sense? Of course, this might be moot if there's a way to do it already..

Thanks guys..

Dimitri Rodis
Integrita Systems LLC

-----Original Message-----
From: Chris Buechler [mailto:[EMAIL PROTECTED]
Sent: Thursday, April 17, 2008 5:32 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] 3-way CARP

On Thu, Apr 17, 2008 at 8:24 PM, Dimitri Rodis [EMAIL PROTECTED] wrote:

So really the peer IP option is there for folks who don't have a dedicated interface, so that the pfsync traffic doesn't flood the network, is that right?

No, it's more for networks with switches that don't play nicely with multicast traffic.

So, in a 3-way config, do you always have to make configuration changes on the master? Or can they be made on any of them?

You always have to make changes on the master. Any changes made on any other machine will be overwritten.
[pfSense Support] pfsync/FreeRADIUS
Is there a way to make the FreeRADIUS (or just generally package) information sync between two pfSense boxes? I have 2 different customers that need radius - 1 of them I can use CARP, but the other has 2 different sites.

Scenario 1: Customer with 2 office buildings providing internet access to tenants. We currently have 2 pfSense boxes in place, 1 for NAT and FreeRADIUS (to mac authenticate tenants and auto-assign them to the appropriate VLANs), and 1 just as a filtering bridge between the public segment (where we assign people that need to have public static IP addresses) and the internet. I would like to set up a secondary pfSense NAT box, perhaps even in a CARP config, but I would very much like for the FreeRADIUS info to sync between them.

Scenario 2: 2 real estate offices, VPN'd together. Each location has good wireless APs (proxim). We want to mac authenticate each of the agents' laptops (so when they leave we can just deactivate their mac) against FreeRADIUS, and we would like to replicate the FreeRADIUS account information to the other office. Already have 2 pfsense boxes, but 1 is at 1 office and 1 is at the other.

Is there currently a way to make either (or both) of the above scenarios work using pfSense? If not, if someone can give me a bump in the right direction, maybe I can add it to the FreeRADIUS package and send that change to coreteam also.

Thanks,

Dimitri Rodis
Integrita Systems LLC
[pfSense Support] DHCP on WAN
Any workaround for getting DHCP to work on the WAN interface? Dimitri Rodis Integrita Systems LLC
[pfSense Support] WRAP Bandwidth
Would a WRAP board be capable of NATting and Shaping a 10 megabit symmetric connection without choking? Dimitri Rodis Integrita Systems LLC
RE: [pfSense Support] Captive Portal
If I made the modifications to display the mac/client IP on the default captive portal page, would you commit it and make it the default captive portal page? I would just throw a couple of lines right beneath the login button that say:

Client MAC: xx:xx:xx:xx:xx:xx
Client IP: xxx.xxx.xxx.xxx

Dimitri Rodis
Integrita Systems LLC

-----Original Message-----
From: Chris Buechler [mailto:[EMAIL PROTECTED]
Sent: Saturday, March 22, 2008 6:41 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Captive Portal

Dimitri Rodis wrote:

If I wanted to display a user's IP address AND MAC address on the captive portal page, does anyone have a code snippet that would do that on the pfSense captive portal page? Is this possible?

I suggest opening a feature request ticket on cvstrac.pfsense.org, and/or starting a bounty. Somebody would probably be willing to pick this up for relatively cheap.
[pfSense Support] Captive Portal
If I wanted to display a user's IP address AND MAC address on the captive portal page, does anyone have a code snippet that would do that on the pfSense captive portal page? Is this possible?

Basically, I want to make it really easy for someone to call us and have us provision them for access, and if I am able to display that information on the Captive Portal, I can just have them read it to me as opposed to trying to step them through all of the hoops to get the mac address.

Thanks,

Dimitri Rodis
Integrita Systems LLC
RE: [pfSense Support] DHCP Server Issues
Yes, when I disable OLSR the problem goes away because the subnet mask is no longer a dropdown when Enable OLSR is unchecked-- rather, it inherits the subnet mask from the interface that the server is bound to. In other words, when you enable OLSR, the subnet mask becomes a dropdown box (with 1-32 as options) and the setting does not stick, it always reverts to /32.

Again, the only reason I even checked the box was to get a DHCP Server on the WAN (which doesn't appear to work anyway). So I guess there's a bug and a feature request both :)

Any quick workarounds that I can use to get the WAN tab to show up (and DHCP to work) on the WAN side? I will submit the feature request shortly.

Dimitri Rodis
Integrita Systems LLC

-----Original Message-----
From: Chris Buechler [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 19, 2008 10:42 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] DHCP Server Issues

Dimitri Rodis wrote:

Two things I've noticed in pfSense 1.2 release:

1. The subnet mask in the scope settings for DHCP keeps reverting back to 32. At one point, the DHCP server would not start until I went through all of my DHCP scopes (3 interfaces) and reset the subnet masks appropriately. It seems to stick in the config file, but the GUI is not picking the setting back up out of the config - so if someone just goes to say, change the DNS server field and hits save, all of a sudden your mask gets changed to a /32.

That must be OLSR related, I've never seen nor heard of that. I don't know that anybody is actually using OLSR. If you disable OLSR does that stop?

2. I enabled OLSR (but did not bind it to any of the interfaces because I don't actually **need** OLSR) because I need a DHCP Server on my WAN interface. I noticed in the php code for the DHCP pages that enabling OLSR would turn on DHCP for the WAN interface. However, DHCP is not binding to the WAN interface according to the DHCP log - it is only binding to my OPT1 and OPT2 interfaces. (There are 4 interfaces in the machine total).

This might be related to other OLSR issues. We haven't had a DHCP server bug in years, so I can only assume that's likely the case. We don't let DHCP run on WAN for obvious reasons, though maybe we need a hidden config option to allow this since it is useful in some circumstances. Can you submit a feature request ticket at http://cvstrac.pfsense.org ?
RE: [pfSense Support] DHCP Server Issues
The ticket is 1679. I don't know if I classified it correctly -- I don't know if you guys wanted to consider it a bug or a feature request, but really it's both. I wanted to point this out so one of the dev gods can look at it with this in mind and change it if necessary. I do need DHCP on the WAN, so if there's a quick workaround that anyone knows of, that would be great.

Thanks,

Dimitri Rodis
Integrita Systems LLC

-----Original Message-----
From: Chris Buechler [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 19, 2008 10:42 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] DHCP Server Issues

Dimitri Rodis wrote:
> Two things I've noticed in pfSense 1.2 release:
>
> 1. The subnet mask in the scope settings for DHCP keeps reverting back to 32. At one point, the DHCP server would not start until I went through all of my DHCP scopes (3 interfaces) and reset the subnet masks appropriately. It seems to stick in the config file, but the GUI is not picking the setting back up out of the config -- so if someone just goes to, say, change the DNS server field and hits save, all of a sudden your mask gets changed to a /32.

That must be OLSR related, I've never seen nor heard of that. I don't know that anybody is actually using OLSR. If you disable OLSR does that stop?

> 2. I enabled OLSR (but did not bind it to any of the interfaces because I don't actually **need** OLSR) because I need a DHCP Server on my WAN interface. I noticed in the php code for the DHCP pages that enabling OLSR would turn on DHCP for the WAN interface. However, DHCP is not binding to the WAN interface according to the DHCP log -- it is only binding to my OPT1 and OPT2 interfaces. (There are 4 interfaces in the machine total).

This might be related to other OLSR issues. We haven't had a DHCP server bug in years, so I can only assume that's likely the case. We don't let DHCP run on WAN for obvious reasons, though maybe we need a hidden config option to allow this since it is useful in some circumstances. Can you submit a feature request ticket at http://cvstrac.pfsense.org ?
RE: [pfSense Support] FreeRADIUS Package
Is there a better place to post/email this stuff? I don't seem to be getting much in the way of responses. I have some nice additions to the FreeRADIUS package that I want to submit, but I would like to add the logging support before I do. Trying to contribute!

Thanks,

Dimitri Rodis
Integrita Systems LLC

-----Original Message-----
From: Dimitri Rodis [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 04, 2008 2:55 PM
To: support@pfsense.com
Subject: RE: [pfSense Support] FreeRADIUS Package

Any hints on how to add logging support? I would really like to add this feature to the package, but I haven't been able to find any information. I've looked at practically every .xml file in http://cvs.pfsense.com/cgi-bin/cvsweb.cgi/tools/packages/ , and I haven't found a package with logging support yet. I've also looked at the CoreGUI docs at http://devwiki.pfsense.org/CoreGUI , but there is no mention of adding logging support anywhere. Can anyone provide some docs/input on how to do this? Having to ssh into the pfSense box and tail -f /var/log/radius.log is a pain, and I would rather just go to a web based log.

Also, when using a textarea widget, is there a way to preserve the carriage returns in the data when it is subsequently received? It isn't affecting any of the functionality that I've added; it would just be nice if it would preserve the formatting so that when the data for that field is subsequently retrieved, it looks the same way it did when I put it in. Again, I didn't see anything in the CoreGUI docs that says whether or not this is possible.

Thanks,

Dimitri Rodis
Integrita Systems LLC

-----Original Message-----
From: Dimitri Rodis
Sent: Thursday, February 14, 2008 2:45 PM
To: support@pfsense.com
Subject: RE: [pfSense Support] FreeRADIUS Package

I installed Squid (per Martin, to see the syntax for some of the XML), but when I go to the Package Logs page, I get:

No packages with logging facilities are currently installed.

Also, would you happen to know the options you guys would want me to use with diff using cygwin so I can send up my changes so far? (I did the VLAN support already, figured I'd send that up now and then follow up with the logging stuff).

Thanks,

Dimitri Rodis
Integrita Systems LLC

-----Original Message-----
From: Scott Ullrich [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 14, 2008 10:24 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] FreeRADIUS Package

On 2/11/08, Dimitri Rodis [EMAIL PROTECTED] wrote:
> The FreeRadius log seems to be located at /var/log/radius.log. According to the current package, there is no logging set up in the package, so you basically have to ssh into pfSense to look at the log. What's involved in web enabling the FreeRADIUS log? (looked in the forums, didn't find much.) Does it take something more than just adding a reference to the location of the log in the .xml file somewhere?

I believe the squid package makes usage of this. Cannot recall 100% but I do know one of our packages has this implemented; that should be a good guide.

Scott
RE: [pfSense Support] FreeRADIUS Package
The pfSense log viewer is broken?

Dimitri Rodis
Integrita Systems LLC

-----Original Message-----
From: Scott Ullrich [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 06, 2008 1:02 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] FreeRADIUS Package

On 3/6/08, Dimitri Rodis [EMAIL PROTECTED] wrote:
> Is there a better place to post/email this stuff? I don't seem to be getting much in the way of responses. I have some nice additions to the FreeRADIUS package that I want to submit, but I would like to add the logging support before I do. Trying to contribute!

I would imagine that is broken and you will need to roll your own log viewer.

Scott
RE: [pfSense Support] Dual-wan Setup issue (Yes, I've read a few Dual-Wan HOWTO docs AND I've rebuilt the router)
You need to use Manual Outbound NAT, and add a rule above the default rule that has the source address of your machine, destination * *, and then select the address of your WAN2 interface.

Dimitri Rodis
Integrita Systems LLC

From: Michael Richardson [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 04, 2008 4:54 PM
To: support@pfsense.com
Subject: [pfSense Support] Dual-wan Setup issue (Yes, I've read a few Dual-Wan HOWTO docs AND I've rebuilt the router)

First let me say that I love PF and am using it enough that I'm considering the standard support contract, but I'm not quite there yet so I still need community support.

I've got a dual-wan setup and I want to cause traffic between an internal machine and an external machine to occur over WAN2 (I could use source or destination as criteria). Both public IPs would share a gateway so I've put a NAT device on WAN2 and connected the modem to it so now both WAN ports are on different subnets. (more)

With the appropriate LAN rule in place, traffic doesn't flow UNLESS I start a packet capture on WAN2 (I found this while trying to troubleshoot). Why would this be? Anyone got the time and know-how to help me troubleshoot this?

Here's my setup. Hope the art comes through decently. The reason for the SpeedStream device is because otherwise both WAN interfaces would have the same gateway IP and I read that is unacceptable for a dual-wan config.

  Cable Modem 1 -- WAN 67.x.x.12 --\
                                    pfSense 1.2 -- LAN 192.168.1.0
  Cable Modem 2 -- SpeedStream 2601 (NAT, 192.168.0.1) -- WAN2 192.168.0.2 --/

I want to be sure that traffic FROM 192.168.1.22 or traffic TO 78.x.x.10 goes through WAN2 (I can use source, destination, or both).

Outbound NAT is set to Automatic and has only the default LAN rule in place.

I have added a LAN rule, but instead of trying to communicate what it is and confirm it's right, I think it would be faster if someone could tell me what it should be (at least one of the options), and I'll just use that.

ANYthing else I haven't mentioned, I likely don't know about and need pointed out.

Thanks in advance, and I'm loving 1.2. The upgrade was flawless.

Mike
[pfSense Support] CARP Documentation
Several recent forum posts regarding CARP refer to the following page:

http://doc.pfsense.org/index.php/Setting_up_CARP_with_pfSense

When I go to that page, it says:

There is currently no text in this page, you can search for this page title (http://doc.pfsense.org/index.php/Special:Search/Setting_up_CARP_with_pfSense) in other pages or edit this page (http://doc.pfsense.org/index.php?title=Setting_up_CARP_with_pfSense&action=edit).

Where'd the CARP doc go?

Dimitri Rodis
Integrita Systems LLC
[pfSense Support] Outbound NAT Problem, 1.2-RELEASE
Got an issue with Outbound NAT. I have 2 interfaces, LAN and WAN. WAN has an IP assigned to its interface, as well as an additional 4 virtual IPs for a total of 5 IP addresses which are used in various inbound NAT rules. I have turned on manual outbound NAT, as I need my outgoing SMTP traffic to always come from a particular IP. My outbound NAT page looks like this (obviously with real IP addresses as opposed to .x.x.):

Interface  Source         Source Port  Destination  Destination Port  NAT Address  NAT Port  Static Port
WAN        192.x.x.11/32  *            *            25                209.x.x.62   *         NO
WAN        192.x.x.6/32   *            *            25                209.x.x.62   *         NO
WAN        192.x.x.5/32   *            *            25                209.x.x.62   *         NO
WAN        192.x.x.0/24   *            *            *                 *            *         NO

The top 3 items are mail servers, and I want those to always use a particular IP address when communicating with the outside world (which seems to work just fine). The problem comes with rule #4 -- none of my internal machines are able to communicate with the outside world (and #4 is the auto generated rule). I told the rule to use the interface address of the WAN for the NAT Address, but there doesn't seem to be any difference between interface address and any in the rule selection (which looks wrong to me), as the resulting rule looks exactly the same (bug?). When I specifically choose one of the virtual IPs, rule #4 THEN looks like this:

WAN        192.x.x.0/24   *            *            *                 209.x.x.61   *         NO

... and then my internal machines are able to communicate to the outside world. The interface address is 209.x.x.55 -- so when I choose interface address, shouldn't the rule be:

WAN        192.x.x.0/24   *            *            *                 209.x.x.55   *         NO

Or maybe

WAN        192.x.x.0/24   *            *            *                 (WAN)        *         NO

?? Or am I doing something wrong?

Congrats on a great release, by the way. :)

Dimitri Rodis
Integrita Systems LLC
RE: [pfSense Support] FreeRADIUS Package
I installed Squid (per Martin, to see the syntax for some of the XML), but when I go to the Package Logs page, I get:

No packages with logging facilities are currently installed.

Also, would you happen to know the options you guys would want me to use with diff using cygwin so I can send up my changes so far? (I did the VLAN support already, figured I'd send that up now and then follow up with the logging stuff).

Thanks,

Dimitri Rodis
Integrita Systems LLC
2990 S Durango Drive
Las Vegas, NV 89117
P: 702.896.7207
F: 702.228.0208
C: 702.296.4217
[EMAIL PROTECTED]

-----Original Message-----
From: Scott Ullrich [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 14, 2008 10:24 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] FreeRADIUS Package

On 2/11/08, Dimitri Rodis [EMAIL PROTECTED] wrote:
> The FreeRadius log seems to be located at /var/log/radius.log. According to the current package, there is no logging set up in the package, so you basically have to ssh into pfSense to look at the log. What's involved in web enabling the FreeRADIUS log? (looked in the forums, didn't find much.) Does it take something more than just adding a reference to the location of the log in the .xml file somewhere?

I believe the squid package makes usage of this. Cannot recall 100% but I do know one of our packages has this implemented; that should be a good guide.

Scott
[pfSense Support] FreeRADIUS Package
Where would I go if I wanted to grab the source of the FreeRADIUS package and potentially add some features? I am looking to add some support for additional parameters to return to radius clients -- for example, I am setting up a network for a couple of office buildings, and they purchased two HP 3500yl switches. I would like to be able to provision tenants for NATted internet access, or provision them for direct internet access based on the mac based authentication scheme that the hp switches have. It is possible to dynamically assign clients to a particular VLAN on those switches via a radius server based on the response from the radius server -- so, since we are already using pfSense out there, I figure that maybe I can look into adding support for some of these additional radius user/client options in the FreeRADIUS package and contribute them back.

Bill, I think you are the maintainer of that package?

Dimitri Rodis
Integrita Systems LLC
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
RE: [pfSense Support] FreeRADIUS Package
Once I have changes made, how should I go about getting these changes into a pfSense install to test before I send any patches up? Should I be using the dev iso?

Dimitri Rodis
Integrita Systems LLC

-----Original Message-----
From: Scott Ullrich [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 11, 2008 2:38 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] FreeRADIUS Package

On 2/11/08, Dimitri Rodis [EMAIL PROTECTED] wrote:
> Where would I go if I wanted to grab the source of the FreeRADIUS package and potentially add some features?

http://cvs.pfsense.com/cgi-bin/cvsweb.cgi/tools/packages/

> I am looking to add some support for additional parameters to return to radius clients -- for example, I am setting up a network for a couple of office buildings, and they purchased two HP 3500yl switches. I would like to be able to provision tenants for NATted internet access, or provision them for direct internet access based on the mac based authentication scheme that the hp switches have. It is possible to dynamically assign clients to a particular VLAN on those switches via a radius server based on the response from the radius server -- so, since we are already using pfSense out there, I figure that maybe I can look into adding support for some of these additional radius user/client options in the FreeRADIUS package and contribute them back.

http://cvs.pfsense.com/cgi-bin/cvsweb.cgi/tools/packages/freeradius.inc
http://cvs.pfsense.com/cgi-bin/cvsweb.cgi/tools/packages/freeradius.xml
http://cvs.pfsense.com/cgi-bin/cvsweb.cgi/tools/packages/freeradiusclients.xml
http://cvs.pfsense.com/cgi-bin/cvsweb.cgi/tools/packages/freeradiussettings.xml

Looking forward to seeing your updates,

Scott
RE: [pfSense Support] FreeRADIUS Package
The FreeRadius log seems to be located at /var/log/radius.log. According to the current package, there is no logging set up in the package, so you basically have to ssh into pfSense to look at the log. What's involved in web enabling the FreeRADIUS log? (looked in the forums, didn't find much.) Does it take something more than just adding a reference to the location of the log in the .xml file somewhere?

Dimitri Rodis
Integrita Systems LLC

-----Original Message-----
From: Dimitri Rodis [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 11, 2008 4:29 PM
To: support@pfsense.com
Subject: RE: [pfSense Support] FreeRADIUS Package

Yep, got it figured out. I just ssh'd into the pfSense install and ftp'd the files out, made the changes, and ftp'd them back into /usr/local/pkg... I just made what I think are the appropriate mods to the files, just need to test them with the switches and make sure everything works as expected. Once they do, I'll send them up.

Thanks--

Dimitri Rodis
Integrita Systems LLC

-----Original Message-----
From: Fuchs, Martin [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 11, 2008 3:52 PM
To: support@pfsense.com
Subject: AW: [pfSense Support] FreeRADIUS Package

Or just replace the changed files in your pfsense-install (using putty or WinSCP when using windows). The files are mostly placed under /usr/local/xxx (have a look there). Try your changes and fix all errors... then send your patches using diff -rub to [EMAIL PROTECTED] :-)

Martin

-----Original Message-----
From: Scott Ullrich [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 12, 2008 00:26
To: support@pfsense.com
Subject: Re: [pfSense Support] FreeRADIUS Package

On 2/11/08, Dimitri Rodis [EMAIL PROTECTED] wrote:
> Once I have changes made, how should I go about getting these changes into a pfSense install to test before I send any patches up? Should I be using the dev iso?

Look in the packages area on the forum where there is a good howto.

Scott
RE: [pfSense Support] FreeRADIUS Package
Yep, got it figured out. I just ssh'd into the pfSense install and ftp'd the files out, made the changes, and ftp'd them back into /usr/local/pkg... I just made what I think are the appropriate mods to the files, just need to test them with the switches and make sure everything works as expected. Once they do, I'll send them up.

Thanks--

Dimitri Rodis
Integrita Systems LLC

-----Original Message-----
From: Fuchs, Martin [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 11, 2008 3:52 PM
To: support@pfsense.com
Subject: AW: [pfSense Support] FreeRADIUS Package

Or just replace the changed files in your pfsense-install (using putty or WinSCP when using windows). The files are mostly placed under /usr/local/xxx (have a look there). Try your changes and fix all errors... then send your patches using diff -rub to [EMAIL PROTECTED] :-)

Martin

-----Original Message-----
From: Scott Ullrich [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 12, 2008 00:26
To: support@pfsense.com
Subject: Re: [pfSense Support] FreeRADIUS Package

On 2/11/08, Dimitri Rodis [EMAIL PROTECTED] wrote:
> Once I have changes made, how should I go about getting these changes into a pfSense install to test before I send any patches up? Should I be using the dev iso?

Look in the packages area on the forum where there is a good howto.

Scott
RE: [pfSense Support] Multiple servers behind NAT'd firewall
Angelo, pfSense specifically has a feature known as NAT reflection which allows this to be possible, mainly because split horizon DNS is not always a reasonable solution. In the case of the person who started this thread, he has approx 700 email domains across various servers behind a NAT -- so when someone from one domain on one server tries to email another person within the same system (but on different servers), SMTP won't connect because the MX record resolves to a public IP (as it should). I have the exact same issue myself, with the exception that the number of domains I have to deal with is probably 30-40 somewhere. So in these cases, what would you choose? ;)

Dimitri Rodis
Integrita Systems LLC

-----Original Message-----
From: Angelo Turetta [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 07, 2008 1:09 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Multiple servers behind NAT'd firewall

Trave Harmon wrote:
> Mine is on but it still doesn't work. Is there a way to verify at the command prompt level if it is working?
>
> -----Original Message-----
> From: Dimitri Rodis [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, February 06, 2008 8:10 PM
>
> Maybe I'm off the mark by saying this, but I think NAT reflection should be ON by default -- can't think of any security risks associated with it really, since the machine you are trying to hit is presumably already behind the same NAT as you are.. That would solve any future issues, anyway..

Wait a minute, historically the BSD stack (or at least the FreeBSD implementation) has always been unable to do NAT on a single interface. To be more clear, it's not possible to rewrite a packet and have it leave the stack back on the same interface from which it came in the first place.

Please read http://www.openbsd.org/faq/pf/rdr.html#reflect (see: Redirection and Reflection).

So, reflection rules work great if the LAN hosts need to access the NAT-ed hosts on a DMZ, but not on a single internal LAN (or, in my example, for reciprocal access by the DMZ hosts).

In your case the solution is 'Split-Horizon DNS'. Put the addresses of all the MX servers in a single dns zone, and configure the servers themselves to receive resolution for that zone from an internal DNS which will hand out internal IPs.

Angelo Turetta
RE: [pfSense Support] Multiple servers behind NAT'd firewall
Maybe I'm off the mark by saying this, but I think NAT reflection should be ON by default -- can't think of any security risks associated with it really, since the machine you are trying to hit is presumably already behind the same NAT as you are.. That would solve any future issues, anyway..

Dimitri Rodis
Integrita Systems LLC

-----Original Message-----
From: Scott Ullrich [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 06, 2008 12:31 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Multiple servers behind NAT'd firewall

On Feb 6, 2008 3:29 PM, Sean Cavanaugh [EMAIL PROTECTED] wrote:
> you have internal NAT reflection turned off?
>
> -Sean

Toggle System - Advanced - Disable Reflection

This question is coming up weekly now. How can we (the developers) make this situation more clear?

Scott
[pfSense Support] Rule Question
In pfSense, is there a way to have a rule affect only those people in a certain range of IP addresses (as in, a range that you can't use a subnet mask to match)? For example, a typical setup of ours is to have an internal subnet of, say, 192.168.99.0/24. The DHCP Range that we usually use (DHCP server isn't running on pfSense) is 192.168.99.100 thru 192.168.99.199. What I would like to do is block outbound SMTP on only the machines that have a dynamically assigned address. Is it possible to create a single rule in pfSense to accomplish this?

Thanks--

Dimitri Rodis
Integrita Systems LLC
RE: [pfSense Support] Rule Question
So in other words, add an alias that contains something like:

192.168.99.100/32
192.168.99.101/32
...
192.168.99.127/32
192.168.99.128/26 (this should handle 128--191)
192.168.99.192/32
192.168.99.193/32
..
192.168.99.199/32

(or some variant of this if I get fancier with the subnet mask)

Am I understanding correctly?

Dimitri Rodis
Integrita Systems LLC

-----Original Message-----
From: Bill Marquette [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 29, 2007 3:14 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Rule Question

Yes. You'll need to create a subnet alias - say dynamicip - and populate it with the addresses (you can use cidr blocks here to reduce the number of entries you need in the alias) that are dynamic, then create a rule that uses the alias as the source address.

--Bill

On Nov 29, 2007 4:53 PM, Dimitri Rodis [EMAIL PROTECTED] wrote:
> In pfSense, is there a way to have a rule affect only those people in a certain range of IP addresses (as in, a range that you can't use a subnet mask to match)? For example, a typical setup of ours is to have an internal subnet of, say, 192.168.99.0/24. The DHCP Range that we usually use (DHCP server isn't running on pfSense) is 192.168.99.100 thru 192.168.99.199. What I would like to do is block outbound SMTP on only the machines that have a dynamically assigned address. Is it possible to create a single rule in pfSense to accomplish this?
>
> Thanks--
>
> Dimitri Rodis
> Integrita Systems LLC
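The exchange above amounts to carving a DHCP pool that is not subnet-aligned into CIDR blocks an alias can hold. Below is an added example (mine, not code from the thread or from pfSense) that computes the minimal block list for the 192.168.99.100-199 pool quoted in the thread, reproduces Dimitri's hand-built list, and checks that each alias matches exactly the 100 dynamic addresses and nothing else in the /24. The function names and the `MANUAL_ALIAS` constant are my own constructions.

```python
"""Added example: minimal CIDR cover of a DHCP pool for a firewall alias.

Not part of the mailing-list thread; the range, subnet and hand-built list
come from the messages above, the helper names are mine.
"""
from __future__ import annotations

import ipaddress

# Values quoted in the thread: the /24 and the non-aligned DHCP pool inside it.
SUBNET = "192.168.99.0/24"
POOL_FIRST = "192.168.99.100"
POOL_LAST = "192.168.99.199"

# Dimitri's proposed alias, expanded: /32 entries for .100-.127, a /26 for
# .128-.191, then /32 entries for .192-.199 (constructed from his message).
MANUAL_ALIAS = (
    [f"192.168.99.{i}/32" for i in range(100, 128)]
    + ["192.168.99.128/26"]
    + [f"192.168.99.{i}/32" for i in range(192, 200)]
)


def range_to_cidrs(first: str, last: str) -> list[str]:
    """Return the minimal list of CIDR blocks covering first..last inclusive.

    summarize_address_range() greedily emits the largest aligned block that
    starts at the current address and does not overshoot `last`.
    """
    start = ipaddress.ip_address(first)
    end = ipaddress.ip_address(last)
    return [str(net) for net in ipaddress.summarize_address_range(start, end)]


def alias_matches(cidrs: list[str], host: str) -> bool:
    """True if `host` falls inside any block of the alias (first match wins,
    the same way a firewall evaluates an alias of networks)."""
    ip = ipaddress.ip_address(host)
    return any(ip in ipaddress.ip_network(block, strict=False) for block in cidrs)


def verify_alias(cidrs: list[str], first: str, last: str, subnet: str) -> tuple[int, int]:
    """Walk every address of `subnet` and count how many the alias matches
    inside the intended pool and how many outside it.

    Returns (inside, outside); a correct alias gives (pool size, 0), so an
    `outside` of anything but 0 means the rule would hit static hosts too.
    """
    lo = int(ipaddress.ip_address(first))
    hi = int(ipaddress.ip_address(last))
    inside = outside = 0
    for ip in ipaddress.ip_network(subnet):
        if alias_matches(cidrs, str(ip)):
            if lo <= int(ip) <= hi:
                inside += 1
            else:
                outside += 1
    return inside, outside


if __name__ == "__main__":
    minimal = range_to_cidrs(POOL_FIRST, POOL_LAST)
    print("minimal alias:", minimal)
    print("minimal alias coverage (inside, outside):",
          verify_alias(minimal, POOL_FIRST, POOL_LAST, SUBNET))
    print("manual alias entries:", len(MANUAL_ALIAS),
          "coverage:", verify_alias(MANUAL_ALIAS, POOL_FIRST, POOL_LAST, SUBNET))
```

Both aliases cover exactly the 100 pool addresses; the difference is that the minimal cover needs five entries (a /30, a /29, a /28, the /26 and a final /29) where the hand-built list needs 37. The `verify_alias` sweep is the check worth keeping around: when the pool boundaries change, it catches an alias that silently spills onto the statically addressed servers the SMTP block was meant to exempt.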
RE: [pfSense Support] Traffic shaper, asterisk and IAX (port 4569)
The *wizard* doesn't include IAX traffic, but pfSense will still do what you want. All that you have to do is add rules to put the traffic into the appropriate queues on the shaper rules page.

Dimitri Rodis
Integrita Systems LLC

-----Original Message-----
From: news [mailto:[EMAIL PROTECTED]] On Behalf Of Ugo Bellavance
Sent: Tuesday, October 30, 2007 7:55 PM
To: support@pfsense.com
Subject: [pfSense Support] Traffic shaper, asterisk and IAX (port 4569)

Hi,

I use asterisk behind PfSense, and I configured the traffic shaper accordingly. I can see that it prioritizes SIP and RTP traffic. Is there a reason why IAX traffic (UDP/4569) is not included in there?

Regards,

Ugo
RE: [pfSense Support] Re: pfsense, procurve 2626 3 vlans
Glad to hear it's resolved. Just FYI, the Dell switches are a little weird with the VLAN configs -- they aren't as easy to configure for tagged/untagged VLANs as the Procurves are IMO. There is a setting on each port on the Dells called PVID (which stands for Primary VLAN ID), and basically that is how you change a port's untagged membership to a VLAN. Then on an entirely separate page, you can set up the tagged ports. Very unfriendly and confusing compared to the HPs.

Dimitri Rodis
Integrita Systems LLC

-----Original Message-----
From: news [mailto:[EMAIL PROTECTED]] On Behalf Of Ugo Bellavance
Sent: Wednesday, October 24, 2007 10:35 PM
To: support@pfsense.com
Subject: [pfSense Support] Re: pfsense, procurve 2626 3 vlans

Ugo Bellavance wrote:
> Dimitri Rodis wrote:
>> What device did you connect? If a machine (.120) is able to communicate with pfSense (.1), then I would say there is a problem with this mystery device, and not your setup. What IP address did you assign to your LAN interface on vlan#3? (You only mentioned LAN2).
>
> 192.168.2.1 is the LAN interface address. It's my usual setup at home, WAN - DHCP, LAN - 192.168.2.1. 192.168.2.120 was a laptop that I connected to a port in vlan3.
>
> Thanks a lot Dimitri.

Ok, nevermind, I got it working. I don't know exactly what was the problem, but it is all working now on the procurve switch and the crappy Dell is going back to Dell. I'll try to write an article in my blog about that to help other people.

Thanks all for all your help!

Regards,

Ugo
RE: [pfSense Support] pfsense, procurve 2626 3 vlans
Don't tag the ports unless the NICs that are plugged into those ports actually support VLAN tagging, AND are configured to use the appropriate tags. For the regular PCs/devices (or any device which doesn't support tagging, or isn't configured for tagging) that are plugged into those ports, the ports should be members of the appropriate VLAN, but *untagged*.

Dimitri Rodis
Integrita Systems LLC

-----Original Message-----
From: news [mailto:[EMAIL PROTECTED]] On Behalf Of Ugo Bellavance
Sent: Tuesday, October 23, 2007 12:52 PM
To: support@pfsense.com
Subject: [pfSense Support] pfsense, procurve 2626 3 vlans

Hi,

We currently have a setup working, without vlans. In fact, I tried to make it work with vlans, w/o success. We decided to replace the Dell 2724 switch because it looks unreliable. I just received 2 HP Procurve 2626. They are managed 10/100 switches with 1000T ports. Why 2? To have a cold standby.

http://www.tek-tips.com/viewthread.cfm?qid=1043852

Desired situation:

The Pfsense has only 2 NICs and I can't fit more there. We want to have internet ports and firewalls' WAN interfaces (we will have 2 PfSense, with CARP) connected to one VLAN (vlan2). We will connect LAN1 servers in vlan3 and Lan2 servers in vlan4. The goal is to prevent communication between Lan1 and Lan2, while still allowing connection from/to internet to those 2 Lans, individually. So the LAN NIC would be part of vlan3 and vlan4.

Vlan1 is 10.100.0.0/24 and vlan2 is 192.168.100.0/24

Here is the current config of the new switch:

vlan 1
   name DEFAULT_VLAN
   untagged 4-5,7-26
   ip address dhcp-bootp
   no untagged 1-3,6
   exit
vlan 2
   name Inet_Ports
   untagged 1-3,6
   exit
vlan 3
   name Lan1
   tagged 4-5,7-14
   exit
vlan 4
   name Lan2
   tagged 18-23
   exit

I have configured vlans as such in pfsense:

Interface  Vlan Tag
bge1       3
bge1       4
bge0       2

My Pfsense interface assignments are such:

LAN: bge1 (connected in port 4)
WAN: bge0 (connected in port 3)
Lan2: Vlan4 on bge

Right now this setup is working with the Dell switch, but lan2 is not accessible. One difference on the dell switch: on all vlans, I've set the member ports as 'tagged'.

Where are my mistakes?

According to this: http://www.boosten.org/content/view/52/34/, it may look as if the LAN interface should be VLAN3 and LAN2 should be VLAN4, but I think that pfsense needs 2 real interfaces to work, right?

I'm looking forward to suggestions/corrections. The setup is in a datacenter and is currently running production servers, so I can't put everything down for a long time. My first aim will be to restore the working config (Inet/LAN1 only working) and then I'll try to make lan2 work too.

I know that there are situations where a pfsense needs to be rebooted when we change something. Is it when we create a vlan in Interfaces:vlan or when we assign a vlan to an interface?

Regards,

Ugo
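Dimitri's advice above boils down to one question per port: which VLAN does a device that knows nothing about tags actually land in? The following is an added example of mine (not code from the thread, from HP or from pfSense) that parses the ProCurve-style `vlan N ... exit` blocks quoted in Ugo's message, expands the port ranges into a per-port membership map, and lists the ports where a given VLAN is reachable only with tagged frames. The config string is a copy of the one in the message; the function names are my own.

```python
"""Added example: per-port VLAN membership from a ProCurve-style config.

Not part of the thread. SWITCH_CONFIG is the configuration quoted above;
the parser and check functions are my own and handle only the `vlan`,
`tagged`, `untagged` and `no untagged` statements seen there.
"""
from __future__ import annotations

import re
from collections import defaultdict

SWITCH_CONFIG = """
vlan 1
   name DEFAULT_VLAN
   untagged 4-5,7-26
   ip address dhcp-bootp
   no untagged 1-3,6
   exit
vlan 2
   name Inet_Ports
   untagged 1-3,6
   exit
vlan 3
   name Lan1
   tagged 4-5,7-14
   exit
vlan 4
   name Lan2
   tagged 18-23
   exit
"""


def expand_ports(spec: str) -> list[int]:
    """'4-5,7-9' -> [4, 5, 7, 8, 9]; a bare number is a range of one."""
    ports: list[int] = []
    for part in spec.split(","):
        first, _, last = part.partition("-")
        ports.extend(range(int(first), int(last or first) + 1))
    return ports


def parse_vlans(config: str) -> dict[int, dict[int, str]]:
    """Return {port: {vlan_id: 'tagged' | 'untagged'}} for the config text."""
    membership: dict[int, dict[int, str]] = defaultdict(dict)
    vlan: int | None = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"vlan (\d+)", line):
            vlan = int(m.group(1))          # enter a vlan block
        elif vlan is None or line == "exit":
            continue                        # outside any block, or leaving one
        elif m := re.fullmatch(r"no untagged (\S+)", line):
            for port in expand_ports(m.group(1)):
                if membership[port].get(vlan) == "untagged":
                    del membership[port][vlan]
        elif m := re.fullmatch(r"(tagged|untagged) (\S+)", line):
            for port in expand_ports(m.group(2)):
                membership[port][vlan] = m.group(1)
        # 'name ...', 'ip address ...' and anything else carry no membership
    return dict(membership)


def untagged_vlan(membership: dict[int, dict[int, str]], port: int) -> int | None:
    """The VLAN a tag-unaware device on `port` is placed in, or None if
    the port has no untagged membership at all."""
    for vlan_id, mode in membership.get(port, {}).items():
        if mode == "untagged":
            return vlan_id
    return None


def tagged_only_ports(membership: dict[int, dict[int, str]], vlan_id: int) -> list[int]:
    """Ports that reach `vlan_id` only with 802.1Q-tagged frames.

    A PC, printer or other device that does not send tags on one of these
    ports ends up in whatever VLAN is untagged there (VLAN 1 in the config
    above), not in `vlan_id`: exactly the situation Dimitri warns about.
    """
    return sorted(
        port for port, modes in membership.items()
        if modes.get(vlan_id) == "tagged" and untagged_vlan(membership, port) != vlan_id
    )


if __name__ == "__main__":
    members = parse_vlans(SWITCH_CONFIG)
    for vid in (3, 4):
        print(f"VLAN {vid} is tagged-only on ports: {tagged_only_ports(members, vid)}")
    print("a tag-unaware host on port 4 lands in VLAN", untagged_vlan(members, 4))
```

Run against the quoted config, every Lan1 port (4-5, 7-14) and every Lan2 port (18-23) comes back as tagged-only, and an untagged host on any of them lands in VLAN 1. For the pfSense uplink that is the intended arrangement, since its `bge1` VLAN interfaces send tagged frames; for the servers on the other ports it is the condition to fix by making them untagged members of Lan1 or Lan2 instead.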
RE: [pfSense Support] Re: pfsense, procurve 2626 3 vlans
The only ports that should be tagged are devices that are configured for tagging. Just so you understand what that means exactly, the Ethernet frame is actually modified by the switch, and a tag is added which actually increases the size of the Ethernet frame. If the device (be it a switch, network card in a PC, network printer, etc) isn't expecting this tag in the Ethernet frame, it thinks the packet is corrupt/malformed. If you want both switches to recognize the same VLANs, then you either have to configure the switches for GVRP, or you have to manually add the VLANs (and their appropriate tag numbers) to each switch and then designate a port which tags all the VLANS so that the switches are both able to determine which packets go to which VLANs on both switches. That being said, I would say that the pfSense box should probably be tagged (assuming it has been configured to do so, AND you have NICs that support it properly under FreeBSD), and all of the others should NOT be tagged (excluding any connections to VLAN capable switches). Dimitri Rodis Integrita Systems LLC -Original Message- From: news [mailto:[EMAIL PROTECTED] On Behalf Of Ugo Bellavance Sent: Tuesday, October 23, 2007 2:25 PM To: support@pfsense.com Subject: [pfSense Support] Re: pfsense, procurve 2626 3 vlans Dimitri Rodis wrote: Don't tag the ports unless the NICs that are plugged into those ports actually support VLAN tagging, AND are configured to use the appropriate tags. For the regular PCs/devices (or any device which doesn't support tagging, or isn't configured for tagging) that are plugged into those ports, the ports should be members of the appropriate VLAN, but *untagged*. Ok, so only the ports in which my pfsenses' LAN interface are connected should be tagged? 
Dimitri Rodis
Integrita Systems LLC

-----Original Message-----
From: news [mailto:[EMAIL PROTECTED]] On Behalf Of Ugo Bellavance
Sent: Tuesday, October 23, 2007 12:52 PM
To: support@pfsense.com
Subject: [pfSense Support] pfsense, procurve 2626 3 vlans

Hi,

We currently have a setup working, without vlans. In fact, I tried to make it work with vlans, w/o success. We decided to replace the Dell 2724 switch because it looks unreliable. I just received 2 HP Procurve 2626. They are managed 10/100 switches with 1000T ports. Why 2? To have a cold standby. http://www.tek-tips.com/viewthread.cfm?qid=1043852

Desired situation:

The Pfsense has only 2 NICs and I can't fit more there. We want to have internet ports and firewalls' WAN interfaces (we will have 2 PfSense, with CARP) connected to one VLAN (vlan2). We will connect LAN1 servers in vlan3 and Lan2 servers in vlan4. The goal is to prevent communication between Lan1 and Lan2, while still allowing connection from/to internet to those 2 Lans, individually. So the LAN NIC would be part of vlan3 and vlan4.

Vlan1 is 10.100.0.0/24 and vlan2 is 192.168.100.0/24

Here is the current config of the new switch:

vlan 1
   name DEFAULT_VLAN
   untagged 4-5,7-26
   ip address dhcp-bootp
   no untagged 1-3,6
   exit
vlan 2
   name Inet_Ports
   untagged 1-3,6
   exit
vlan 3
   name Lan1
   tagged 4-5,7-14
   exit
vlan 4
   name Lan2
   tagged 18-23
   exit

I have configured vlans as such in pfsense:

Interface   Vlan Tag
bge1        3
bge1        4
bge0        2

My Pfsense interface assignments are such:

LAN:  bge1 (connected in port 4)
WAN:  bge0 (connected in port 3)
Lan2: Vlan4 on bge

Right now this setup is working with the Dell switch, but lan2 is not accessible. One difference on the Dell switch: on all vlans, I've set the member ports as 'tagged'.

Where are my mistakes? According to this: http://www.boosten.org/content/view/52/34/, it may look as if the LAN interface should be VLAN3 and LAN2 should be VLAN4, but I think that pfsense needs 2 real interfaces to work, right?

I'm looking forward to suggestions/corrections. The setup is in a datacenter and is currently running production servers, so I can't put everything down for a long time. My first aim will be to restore the working config (Inet/LAN1 only working) and then I'll try to make lan2 work too.

I know that there are situations where a pfsense needs to be rebooted when we change something. Is it when we create a vlan in Interfaces:vlan or when we assign a vlan to an interface?

Regards,

Ugo
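To make Dimitri's rule ("only ports with tagging-aware devices should be tagged") checkable against the config Ugo posted, here is an added example that is not from the thread, from pfSense or from HP: it parses the ProCurve-style `vlan`/`tagged`/`untagged` blocks quoted above and lists every port that receives tagged VLANs without being a known 802.1Q trunk. The config string is a constructed copy of the one in the mail, and the assumption that port 4 (the pfSense LAN NIC bge1) is the only tagging device comes from Ugo's interface assignments.

```python
# Constructed copy of the ProCurve 2626 running config quoted in the thread.
SWITCH_CONFIG = """
vlan 1
   name DEFAULT_VLAN
   untagged 4-5,7-26
   ip address dhcp-bootp
   no untagged 1-3,6
   exit
vlan 2
   name Inet_Ports
   untagged 1-3,6
   exit
vlan 3
   name Lan1
   tagged 4-5,7-14
   exit
vlan 4
   name Lan2
   tagged 18-23
   exit
"""
def expand_ports(spec):
    """ProCurve port list '4-5,7-14' -> {4, 5, 7, 8, ..., 14}."""
    return {p for part in spec.split(",") for lo, _, hi in [part.partition("-")]
            for p in range(int(lo), int(hi or lo) + 1)}

def parse_vlans(text):
    """Return {vlan_id: {'name': str, 'tagged': set(ports), 'untagged': set(ports)}}."""
    vlans, cur = {}, None
    for words in (line.split() for line in text.splitlines() if line.strip()):
        if words[0] == "vlan":
            cur = vlans.setdefault(int(words[1]), {"name": "", "tagged": set(), "untagged": set()})
        elif words[0] == "name":
            cur["name"] = words[1]
        elif words[0] in ("tagged", "untagged"):      # membership lines
            cur[words[0]] |= expand_ports(words[1])
        elif words[:2] == ["no", "untagged"]:         # explicit removal from the VLAN
            cur["untagged"] -= expand_ports(words[2])
    return vlans

def tagged_ports_without_trunk(vlans, trunk_ports):
    """Ports carrying tagged VLANs that are not known 802.1Q-aware devices -> {port: [vlan ids]}."""
    suspect = {}
    for vid, v in vlans.items():
        for port in v["tagged"] - set(trunk_ports):
            suspect.setdefault(port, []).append(vid)
    return {p: sorted(vids) for p, vids in sorted(suspect.items())}

# Port 4 carries the pfSense LAN NIC (bge1) in the thread; it is the only device that tags.
SUSPECT = tagged_ports_without_trunk(parse_vlans(SWITCH_CONFIG), {4})
```

On this config the check flags ports 5 and 7-14 (tagged for VLAN 3) and 18-23 (tagged for VLAN 4): servers on those ports that do not tag would only see VLAN 1 or nothing at all, which matches the "lan2 is not accessible" symptom, so those ports should be untagged members of their VLAN instead.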
