Re: [pfSense-discussion] pfsense on a flash drive

2011-05-12 Thread Scott Ullrich
On Thu, May 12, 2011 at 8:38 PM, Muhammad Panji sumodi...@gmail.com wrote:
 Dear All,
 Anyone has experience installing and using pfSense from a flash drive / thumb
 drive? How is the performance compared to using a hard drive? Thank you
 regards,

For the most part there is no difference in performance.   The
firewall runs mostly from resident RAM once the operating system is
loaded.

The bootup might take a few seconds longer than from a hard drive, but once
the OS is booted there is no difference in speed unless you are running
something like Squid (which we disallow on flash drives).

Scott

-
To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com
For additional commands, e-mail: discussion-h...@pfsense.com

Commercial support available - https://portal.pfsense.org



Re: [pfSense-discussion] And so it ends...

2011-02-03 Thread Scott Ullrich
On Thu, Feb 3, 2011 at 9:54 AM, Eugen Leitl eu...@leitl.org wrote:

 I have a hunch IPv6 deployment will pick up considerably
 1-2 years from now.

 - Forwarded message from Scott Howard sc...@doc.net.au -

 From: Scott Howard sc...@doc.net.au
 Date: Thu, 3 Feb 2011 06:35:57 -0800
 To: na...@nanog.org
 Subject: And so it ends...

 102/8   AfriNIC    2011-02    whois.afrinic.net ALLOCATED
 103/8   APNIC      2011-02    whois.apnic.net   ALLOCATED
 104/8   ARIN       2011-02    whois.arin.net    ALLOCATED
 179/8   LACNIC     2011-02    whois.lacnic.net  ALLOCATED
 185/8   RIPE NCC   2011-02    whois.ripe.net    ALLOCATED


Check out http://forum.pfsense.org/index.php/board,52.0.html

Scott




Re: [pfSense-discussion] PfSense localization

2011-01-04 Thread Scott Ullrich
On Tue, Jan 4, 2011 at 5:07 AM, William David Armstrong
biosyst...@gmail.com wrote:

 I can help for  translate  in Brazilian Portuguese

http://pootle.pfsense.org.br:8080/docs/resources.html

Scott




Re: [pfSense-discussion] PfSense localization

2011-01-04 Thread Scott Ullrich
On Tue, Jan 4, 2011 at 10:40 AM,  st41...@st41ker.net wrote:

 Thank you.
 It's good to know that.
 But is there is some prognosis on the 2.0 release date?

Yep, when it's done.

Scott




Re: [pfSense-discussion] Re: Low end, cool CPE.

2010-11-12 Thread Scott Ullrich
On Fri, Nov 12, 2010 at 5:51 PM, Nathan Eisenberg
nat...@atlasnetworks.us wrote:
[snip]
 But still - no IPv6 support (though a 3rd-party patch is now available to 
 beat it in, it's not up to par yet, and it's not in 'stable').  :(

The work Seth is doing will be in 2.1 sometime next year.  He has made
a lot of progress in a very short amount of time.

Scott




Re: [pfSense-discussion] pfSense router/firewall in a Vmware ESXi guest for other guests

2010-10-02 Thread Scott Ullrich
On Sat, Oct 2, 2010 at 2:27 PM, Adam Thompson athom...@c3a.ca wrote:
 It works, but performance is, in my experience, poor.  Don't use trunking
 (802.3ad / LACP) and VLANs together, or inter-vlan routing slows down
 drastically.  This appears to be a VMWare problem, not a pfSense problem.
 I recommend creating one virtual Ethernet device per network, and in fact
 mapping each virtual switch (or vlan) to a physical NIC on the host.
 Basically, keep the networking as simple as possible, don't get fancy like
 I did.

Was this with 4.0 or 4.1?   4.1 seems to have drastically improved across
the board in terms of I/O in general.

Scott




Re: [pfSense-discussion] pfSense 2.0 will do FreeBSD 8.1?

2010-07-28 Thread Scott Ullrich
On Wed, Jul 28, 2010 at 10:11 AM, Eugen Leitl eu...@leitl.org wrote:

 Thanks.

 Is boot from zfs root an install option?


No, the installer does not have ZFS support, and we will not see ZFS support
until 2.1 at the earliest, when work on the new installer picks up steam.

Scott


Re: [pfSense-discussion] port to freescale 8349e

2010-06-18 Thread Scott Ullrich
On Fri, Jun 18, 2010 at 12:42 PM, Zied Fakhfakh zyd...@gnet.tn wrote:

 On 06/07/2010 05:07 PM, Zied Fakhfakh wrote:

 Hi,

 I'm planning to port/build pfsense on freescale 8349e powerpc based
 system.
 http://www.freescale.com/webapp/sps/site/prod_summary.jsp?code=MPC8349E
 It holds the e300 powerPC processor.

  Hi again,

 I have Linux up and running on that board. Can I cross-build pfSense from
 Linux?


Not to my knowledge but then again I have never tried.

Sorry I do not have more information but I would suggest building this on
FreeBSD first.

Scott


Re: [pfSense-discussion] any chances to see pfsense on GuruPlug Plus?

2010-02-25 Thread Scott Ullrich
On Thu, Feb 25, 2010 at 1:05 PM, Paul Mansfield
it-admin-pfse...@taptu.comwrote:

 I asked them if there was a UK distributor, and they responded promptly
 with
 http://www.newit.co.uk/shop/products.php?cat=11

 dual ethernet for less than £100 (US$150) seems quite a good deal.


For about the same price why not purchase an Alix board?

Just curious.

Scott


Re: [pfSense-discussion] pfSense book now available for purchase

2009-11-04 Thread Scott Ullrich
On Wed, Nov 4, 2009 at 12:13 PM, cl...@pfsense
pfse...@mail-fwd.archie.dk wrote:
 Can't wait for the electronic version  :-)

I believe only commercial support customers will have access to the
electronic version.

And folks, please respect the authors and do not pirate it.  kthanks

Scott




Re: [pfSense-discussion] IPsec and OPT

2009-11-03 Thread Scott Ullrich
On Tue, Nov 3, 2009 at 7:45 AM, Eugen Leitl eu...@leitl.org wrote:

 Anyone has a working IPsec config with a virtual OPT device (VIP or similar)
 you could share?

 I've made a tunnel (one end is transparent bridge, terminated on
 WAN), but can't route between networks. I'll move on to OpenVPN
 (UDP port forwarded behind NAT and terminated on a LAN box)
 shortly, but I need to get IPsec working as well.

It requires static-routes to ensure that the traffic goes back out the
OPT interface IIRC.

Scott




Re: [pfSense-discussion] BGP to get Internet

2009-10-29 Thread Scott Ullrich
On Thu, Oct 29, 2009 at 9:32 PM, Evgeny Yurchenko evg.yu...@rogers.com wrote:
 I thought you corrected .php to exclude Gateway input field. So I just
 modify config.xml and never go to gui to modify WAN interface, right?

Yep, that box's WAN IP never changes.

Scott




Re: [pfSense-discussion] Is there a 1.2.2 change log?

2009-10-16 Thread Scott Ullrich
On Fri, Oct 16, 2009 at 4:38 PM, Marty Nelson mnel...@transdyn.com wrote:
 Hey everyone.  I'm running 1.2.1 and was wondering if there was a change log
 available?  I poked around the pfSense site as well as the forums and I
 either blindly missed it, or it's not obvious.  :)

Please see http://blog.pfsense.org/?p=497 -- there is a link towards the end.

Scott




Re: [pfSense-discussion] fully redundant dual-WAN setup

2009-08-11 Thread Scott Ullrich
On Tue, Aug 11, 2009 at 5:03 AM, Veiko Kukkveiko.k...@krediidipank.ee wrote:
 I have tried dual wan and dual machine setup with no success. Dual wan
 pfsense only works with single machine. carp also works, but both carp
 *and* dual wan together does not work!
 And seems there are very few who care about pfsense failover ability,
 probably most people use single machine and single wan setups.

Bt.  Nice assumptions there.   I run both CARP and Dual Wan at my
primary location and it works fine.   If you want help you need to go
into details of your setup etc.   If its configured correctly it
absolutely works great.

Scott




Re: [pfSense-discussion] xen aware pfsense.

2009-01-27 Thread Scott Ullrich
On Tue, Jan 27, 2009 at 10:15 PM, pfsense sense pfse...@kavadas.org wrote:
 i'm not suggesting pfsense be run inside a VM, i am suggesting pfsense
 provide VM functionality
 i'm fully aware the VM's shortcomings, i manage a 14TB ESX cluster
 let me say that again...

 i am suggesting pfsense provide VM functionality cloud -- pfsense --
 os -- service

It certainly is an intriguing idea.   This tweet caught my attention
earlier today:
http://twitter.com/Taggerz/statuses/1152928366

Scott




Re: [pfSense-discussion] pfSense as VDSL Router

2008-11-03 Thread Scott Ullrich
On Mon, Nov 3, 2008 at 11:41 AM, Eugen Leitl [EMAIL PROTECTED] wrote:

 FYI: http://www.heise.de/netze/pfSense-als-VDSL-Router--/artikel/116739 
 /kraut

 (Notice that IP-TV needs IGMP support which is apparently not
 in pfSense kernel? Here's a thread, which says the problem
 is an IGMP proxy http://forum.pfsense.org/index.php/topic,4491.0/all.html )

 In case it's a bounty issue I'm willing to chip in with an additional $50.

 --
 Eugen* Leitl leitl http://leitl.org
 ______________________________________________________________
 ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
 8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE




I just added options MROUTING to the kernel.  It will appear in the
next snapshot.   Have fun!

Scott




Re: [pfSense-discussion] We have received your email and someone will be responding shortly.

2008-09-11 Thread Scott Ullrich
[EMAIL PROTECTED] removed from mailing list
discussion@pfsense.com
Sorry about the noise folks!

Scott


On Thu, Sep 11, 2008 at 10:45 AM, [EMAIL PROTECTED] wrote:

 We have received your email and someone will be responding shortly.

Please do not respond to this email -- it is automatically generated
 just to immediately confirm receipt of your communications

Thank-you.





Re: [pfSense-discussion] DNS resolver test

2008-07-22 Thread Scott Ullrich
On Tue, Jul 22, 2008 at 2:32 PM, Eugen Leitl [EMAIL PROTECTED] wrote:

 http://www.provos.org/index.php?/pages/dnstest.html

 DNS Resolver Test

 For secure name resolution, it is important that your DNS resolver uses 
 random source ports. The box below will tell you if there is something you 
 need to worry about.

 Your DNS Resolver needs to be updated.

 If the box says that you are using random ports, there is nothing to worry 
 about. If it shows a red border, your resolver does not use completely random 
 source ports. This could imply a security problem; see the following CERT 
 advisory. However, some resolvers have implemented countermeasures that do 
 not solely rely on random source ports.

 There is a little bit more information about this security problem on Dan 
 Kaminsky's blog.

 Should we be getting worried now?

If anyone is worried, then update their dnsmasq.

http://blog.pfsense.org/?p=210

Scott
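A way to measure from the inside what the provos.org page tests from the outside, as an added example that is not part of this thread or of pfSense: capture the firewall's outbound DNS queries with tcpdump and judge whether the UDP source ports look random rather than fixed or counting up. The interface name, the two captures (constructed, not real traffic) and the thresholds in the verdict are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or the pfSense project: judge whether a
# resolver randomises the UDP source port of its outbound queries. For real
# use, capture on the firewall's WAN interface (em0 is an assumption):
#   tcpdump -n -l -i em0 'udp dst port 53' > queries.txt
# and run:  extract_source_ports < queries.txt | port_randomness_verdict

# Constructed capture (not real traffic): a resolver picking a fresh random port.
sample_random_ports() {
    cat <<'EOF'
12:00:00.000001 IP 192.0.2.10.53011 > 198.51.100.1.53: 1+ A? a.example. (26)
12:00:00.000002 IP 192.0.2.10.17422 > 198.51.100.1.53: 2+ A? b.example. (26)
12:00:00.000003 IP 192.0.2.10.61900 > 198.51.100.1.53: 3+ A? c.example. (26)
12:00:00.000004 IP 192.0.2.10.40731 > 198.51.100.1.53: 4+ A? d.example. (26)
12:00:00.000005 IP 192.0.2.10.9125 > 198.51.100.1.53: 5+ A? e.example. (26)
12:00:00.000006 IP 192.0.2.10.58380 > 198.51.100.1.53: 6+ A? f.example. (26)
12:00:00.000007 IP 192.0.2.10.25006 > 198.51.100.1.53: 7+ A? g.example. (26)
12:00:00.000008 IP 192.0.2.10.33817 > 198.51.100.1.53: 8+ A? h.example. (26)
12:00:00.000009 IP 192.0.2.10.49244 > 198.51.100.1.53: 9+ A? i.example. (26)
12:00:00.000010 IP 192.0.2.10.11562 > 198.51.100.1.53: 10+ A? j.example. (26)
EOF
}

# Constructed capture: an old resolver walking its source port up by one per query.
sample_sequential_ports() {
    i=0
    while [ $i -lt 10 ]; do
        printf '12:00:01.%06d IP 192.0.2.10.%d > 198.51.100.1.53: %d+ A? x%d.example. (27)\n' \
            "$i" $((32768 + i)) $((11 + i)) "$i"
        i=$((i + 1))
    done
}

# Pull the UDP source port out of tcpdump's "IP a.b.c.d.PORT > ..." lines.
extract_source_ports() {
    awk '$2 == "IP" { n = split($3, f, "."); print f[n] }'
}

# Reads one port per line on stdin; prints "random", "predictable" or
# "insufficient" (fewer than 8 samples tells you nothing either way).
port_randomness_verdict() {
    awk '
    { p[NR] = $1 + 0; seen[$1] = 1 }
    END {
        n = NR
        if (n < 8) { print "insufficient"; exit }
        uniq = 0; for (k in seen) uniq++
        lo = 65536; hi = 0; steps = 0
        for (i = 1; i <= n; i++) {
            if (p[i] < lo) lo = p[i]
            if (p[i] > hi) hi = p[i]
            # A fixed port repeats; a counter moves by +1 between queries.
            if (i > 1 && (p[i] - p[i-1] == 1 || p[i] == p[i-1])) steps++
        }
        # Heavy reuse, many +1 steps or a narrow range all mean the port is guessable.
        if (uniq < n * 0.9 || steps > n / 4 || hi - lo < 1024) print "predictable"
        else print "random"
    }'
}

printf 'random-port resolver:     %s\n' "$(sample_random_ports | extract_source_ports | port_randomness_verdict)"
printf 'sequential-port resolver: %s\n' "$(sample_sequential_ports | extract_source_ports | port_randomness_verdict)"
```

A resolver that passes this check can still be spoofed if the attacker can observe the port (same L2 segment, compromised upstream), so the result is a necessary condition, not proof of safety; upgrading dnsmasq as Scott suggests is still the fix.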


[pfSense-discussion] 1.2.1-BETA snapshots now available!

2008-07-06 Thread Scott Ullrich
Please see http://blog.pfsense.org/?p=207 for more information.

Thanks!


Re: [pfSense-discussion] Used ALIX or Soekris?

2008-06-27 Thread Scott Ullrich
On Fri, Jun 27, 2008 at 3:37 PM, Andrew Burnette [EMAIL PROTECTED] wrote:
 I had similar thoughts a while back. doesn't always work out the way you
 think. (e.g. toyota prius, while a politically and technologically needed
 car, actually saves no energy over its lifespan due to the enormous amount
 of front end manufacturing cost and material used).

 Here's what I did.

 took single board athlon desktop. Underclocked it as low as the FSB would go
 on motherboard, and lowered the CPU and ram voltages to near minimum. Stuck
 in a laptop hard drive (3.5-2.5 adapter about $5) and an 80% efficient small
 as heck power supply with 3 intel nic cards in the PCI slots.

 cut power consumption by 1/2 over same setup with original PS running full
 speed. Still doesn't break a sweat at 20Mbps symmetrical and 6k
 connections..

 Might try the same. pull CPU number 2, lower the FSB and so on. Big diff is
 the power supplies. Most are *lousy* (under 50% efficient) at light loads.
 You can find the energy star designated ones (80%+ efficient across broad
 operating range) for $40 and up at places like newegg.com (seasonic is one
 of the efficient brands I'm told, and they are quiet, as less heat loss,
 therefore less fan needed)

 Hope that helps.  best of luck.
 andy

Great ideas, thanks for sharing!!

Scott


Re: [pfSense-discussion] clog size

2008-04-14 Thread Scott Ullrich
On 4/14/08, Paul M [EMAIL PROTECTED] wrote:
 RB wrote:
   I've had a request to increase logging duration on systems that have
   no access to an external syslog server, so am making the necessary
   changes to maintain much larger ring-log files.  Incredibly larger -


 what we've done is to make a few tweaks and install syslog-ng

  1/ change the system include file so that it starts syslog with -b
  127.0.0.1 so that it doesn't bind to an external IP.

  2/ add some lines to /etc/rc.conf.local to make a restart of syslog also
  bind only to localhost:
  syslogd_enable="YES"
  syslogd_flags="-s -f /var/etc/syslog.conf -b 127.0.0.1"

  3/ install syslog-ng and write config so that it does full logging to
  local file system as well as copying to a main log server

  3a/ pkg_add -r syslog-ng
  3b/ config file is /usr/local/etc/syslog-ng/syslog-ng.conf
  (if interested, I can provide ours after sanitisation)
  3c/ make syslog-ng listen on, say, the sync interface or lan.

  4/ add some lines to /etc/rc.conf.local to make sure that syslog-ng
  starts up

  5/ use the pfsense gui to tell it to log to the syslog-ng IP address

  this works for us, and the key thing is that apart from having to fix
  the /etc/inc/system.inc file when upgrading pfsense (I offered the
  diffs/patch, I think it might have been accepted), you don't have to
  bend the system too far as you don't have to hack any other part of pfsense.

I have commited some code to help with this:
http://cvs.pfsense.org/cgi-bin/cvsweb.cgi/pfSense/usr/local/www/guiconfig.inc?rev=1.90.2.50;content-type=text%2Fx-cvsweb-markup

Scott
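A syslog-ng.conf for step 3 of the procedure quoted above, as an added example (not Paul's sanitised config, which he offered separately, and not shipped by pfSense). The addresses are assumptions: 10.0.250.1 is the firewall's sync-interface address, 192.0.2.50 the central log server. One caveat on step 2 that a practitioner will want: a single `-s` only makes syslogd ignore remote messages, it still opens the UDP socket; `-ss` opens no network socket at all, which is the stronger setting if syslogd is not expected to receive anything.

```conf
# Added example syslog-ng.conf (syslog-ng 2.x syntax); not part of pfSense.
options { create_dirs(yes); keep_hostname(yes); use_dns(no); };

# Listen only on the sync/LAN address so the collector is never reachable from
# the WAN side; still add a pf rule that limits 514/udp to the hosts meant to log here.
source s_udp { udp(ip("10.0.250.1") port(514)); };

# Full-fidelity local copy, one file per host and day, instead of the small
# ring-log buffers the webGUI shows.
destination d_disk { file("/var/log/syslog-ng/$HOST/$YEAR-$MONTH-$DAY.log"); };

# Forward to the central server over TCP so bursts are not silently dropped
# the way they are with UDP.
destination d_central { tcp("192.0.2.50" port(514)); };

log { source(s_udp); destination(d_disk); destination(d_central); };
```

Step 5 then points the webGUI's remote-syslog setting at 10.0.250.1, and the local syslogd, bound to 127.0.0.1 by step 2, never accepts anything from the network itself.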


Re: [pfSense-discussion] BUG? Access to bandwidhtd without password

2008-03-18 Thread Scott Ullrich
On 3/18/08, Cristiano Deana [EMAIL PROTECTED] wrote:
 Hi,

  pfSense 1.2, I installed the bandwidthd package. If I access
  https://my.pfsense/bandwithd/ there is no request for a password.
  Do you think this is right?

That is correct.  Firewall off the port to only trusted hosts.

Scott
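One way to do what Scott describes, in pf.conf syntax, as an added example that pfSense does not generate itself: the bandwidthd pages are served on the webGUI port (443 in the URL quoted above), so restrict that port on the LAN to a short list of admin hosts and drop everyone else. The interface name and addresses are assumptions; in the 1.2 webGUI the equivalent is a LAN pass rule from an alias of admin hosts to the LAN address on 443 placed above a block rule for the same port.

```conf
# Added example, not a pfSense-generated rule set. em0 and the addresses are assumptions.
lan_if = "em0"
table <admin_hosts> { 192.168.1.10, 192.168.1.11 }

# Admin hosts may reach the webGUI (and with it the unauthenticated bandwidthd
# pages); the block rule below catches every other LAN host and logs the attempt.
pass in quick on $lan_if proto tcp from <admin_hosts> to ($lan_if) port { 80, 443 } keep state
block in log quick on $lan_if proto tcp from any to ($lan_if) port { 80, 443 }
```

Because the block rule is `quick`, order matters: it must come after the pass rule, otherwise the admin hosts are locked out of the GUI as well.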


Re: [pfSense-discussion] freebsd 6.2 ports archive

2008-03-13 Thread Scott Ullrich
On 3/13/08, Paul M [EMAIL PROTECTED] wrote:
 Hi,
  I was looking for the syslog-ng package to install on my pfsense boxes,
  and discovered that the main freebsd site no longer has the ports for
  that release - only 6.3.

  I found the ftp.de.freebsd.org site still had it, so I did an evil hack
  to the hosts file thus:
  213.83.42.56    ftp.freebsd.org

  and I was able to pkg_add -r syslog-ng.

  anyway, my point is that anyone wanting to play with pfsense1.2 release
  and needs access to the ports might want to consider maintaining their
  own archive of the freebsd downloads otherwise they'll lose out!

  or, perhaps, should pfsense.org website keep a mirror for this purpose?

We are working on it: http://blog.pfsense.org/?p=179

Scott


[pfSense-discussion] Mirror finder

2008-03-13 Thread Scott Ullrich
Thanks everyone (20+) of you for notifying us of the mirror problems.
It is now resolved.

Scott


Re: [pfSense-discussion] 1.2RC5 or release

2008-02-11 Thread Scott Ullrich
On Feb 11, 2008 9:15 AM, Chris Buechler [EMAIL PROTECTED] wrote:
 We'll probably skip RC5 as an official release even though the snapshots
 are labeled as such right now.

Yeah. no plans to release 1.2-RC5 except in its current snapshot form.
 I changed the version so we can identify new issues beyond RC4 if
they happen to come up (which so far we have been pretty good except
for IPSEC reports).

Scott


Re: [pfSense-discussion] bogons update issue

2008-02-03 Thread Scott Ullrich
On 2/3/08, Jan Hoevers [EMAIL PROTECTED] wrote:
 I'm running the embedded version of pfSense on a Soekris 4801.
 Today (3 Feb 2008) I upgraded to 1.2-RC4 and it caught my eye that the
 bogons file (/etc/bogons) dated back to October 2007.

 I consider bogons filtering important, so I decided not to wait for the
 next automatic update, but instead I ran the update script
 (/etc/rc.bogons_update.sh) manually.
 That did not work and, although I'm not exactly a shell script expert, I
 decided to have a look into it. I got the script running by working
 around two problems:

 1. The script starts with sleeping a random interval. This caused it to
 abort with a 'od: command not found' message. Apparently the od command
 is missing on the embedded platform, and I worked around this by
 commenting out the random interval sleep.

Thanks, just fixed this.

 2. On previous versions the bogons file was fetched from cymru.com, but
 on RC4 the script tries to get it from a pfSense server. The file is
 however missing on that pfSense server. I worked around this by copying
 the old cymru url back from RC3.

 Although my bogons update script is working now, I believe I didn't
 choose the best possible solution for both problems.
 I hope someone of the development team finds time to look into this
 before the next release.

Hrm.  Thanks for the heads up.  We'll get this correct ASAP.

Scott
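A refresh script that sidesteps both problems reported above, as an added example that is not the project's /etc/rc.bogons_update.sh: the jitter comes from awk rather than od(1), which is absent on the embedded image, and the downloaded list is checked before pf is asked to load it, so an HTML error page from a missing file on the server (the second problem above) can never replace the working bogons table. BOGON_URL (the Cymru non-aggregated list), the file and table names and the selftest samples are assumptions.

```shell
#!/bin/sh
# Added example, not pfSense's rc.bogons_update.sh. URL, paths and the
# table name are assumptions.
BOGON_URL="${BOGON_URL:-https://www.team-cymru.org/Services/Bogons/bogon-bn-nonagg.txt}"
BOGON_FILE="${BOGON_FILE:-/etc/bogons}"
BOGON_TABLE="${BOGON_TABLE:-bogons}"

# Jitter in [0, max) without od(1): awk's rand() seeded from the clock and PID.
random_delay_seconds() {
    seed=$(( $(date +%s) + $$ ))
    awk -v seed="$seed" -v max="$1" 'BEGIN { srand(seed); print int(rand() * max) }'
}

# Accept only a non-empty file made of comments, blank lines and IPv4 prefixes,
# with at least one prefix. An HTML error page, a redirect body or a truncated
# download fails here instead of being loaded into pf.
validate_bogons_file() {
    [ -s "$1" ] || return 1
    grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}/[0-9]{1,2}$' "$1" || return 1
    ! grep -Evq '^(#.*|[0-9]{1,3}(\.[0-9]{1,3}){3}/[0-9]{1,2}[[:space:]]*)?$' "$1"
}

# Download to a temp file, validate, replace atomically, then reload the table.
update_bogons() {
    tmp="$(mktemp "${BOGON_FILE}.XXXXXX")" || return 1
    sleep "$(random_delay_seconds 900)"      # spread load on the upstream server
    if fetch -q -o "$tmp" "$BOGON_URL" && validate_bogons_file "$tmp"; then
        mv "$tmp" "$BOGON_FILE"              # never leave a partial list in place
        pfctl -t "$BOGON_TABLE" -T replace -f "$BOGON_FILE"
    else
        rm -f "$tmp"
        echo "bogons update failed; keeping the existing $BOGON_FILE" >&2
        return 1
    fi
}

# Constructed samples (not real downloads) exercising the validator.
selftest() {
    good="$(mktemp "${TMPDIR:-/tmp}/bogons.XXXXXX")"
    bad="$(mktemp "${TMPDIR:-/tmp}/bogons.XXXXXX")"
    printf '# constructed sample\n0.0.0.0/8\n10.0.0.0/8\n\n' > "$good"
    printf '<html><body>403 Forbidden</body></html>\n' > "$bad"
    validate_bogons_file "$good" && ! validate_bogons_file "$bad"
    rc=$?
    rm -f "$good" "$bad"
    return $rc
}

if selftest; then
    echo "validator self-test: ok"
fi

# Only refresh for real when invoked as "bogons.sh run", e.g. from cron.
if [ "${1:-}" = "run" ]; then
    update_bogons
fi
```

Loading the list into pf with `pfctl -t bogons -T replace` keeps the table in place on a failed download, which is the behaviour you want from a filter that blocks traffic by default.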


Re: [pfSense-discussion] lagg + carp: carp not sending multicast via lagg interface

2008-01-23 Thread Scott Ullrich
On 1/23/08, Fabio C Flores [EMAIL PROTECTED] wrote:
 And how can I find out if 1.2-RC4 uses that freebsd fix?

http://pfsense.com/cgi-bin/cvsweb.cgi/tools/patches/RELENG_6_2/if_lagg.diff

... Is what we use.  Feel free to send a new patch if it does not
include the needed bits.

Scott


Re: [pfSense-discussion] (DUP!) duplicated packets when pinging internal server

2008-01-22 Thread Scott Ullrich
I bet it is being caused by your usage of LAGG.  Unfortunately you are
on your own on this one as LAGG is not supported as of yet.

On Jan 22, 2008 2:03 PM, Fabio C Flores [EMAIL PROTECTED] wrote:
 # ping 10.0.2.10
 PING 10.0.2.10 (10.0.2.10): 56 data bytes
 64 bytes from 10.0.2.10: icmp_seq=0 ttl=64 time=0.208 ms
 64 bytes from 10.0.2.10: icmp_seq=0 ttl=63 time=0.328 ms (DUP!)
 64 bytes from 10.0.2.10: icmp_seq=1 ttl=64 time=0.110 ms
 64 bytes from 10.0.2.10: icmp_seq=1 ttl=63 time=0.230 ms (DUP!)
 ^C
 --- 10.0.2.10 ping statistics ---
 2 packets transmitted, 2 packets received, +2 duplicates, 0% packet loss
 round-trip min/avg/max/stddev = 0.110/0.219/0.328/0.077 ms


 

 # ifconfig
 em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
 options=b<RXCSUM,TXCSUM,VLAN_MTU>
 inet 10.0.2.2 netmask 0x broadcast 10.0.255.255
 inet6 fe80::215:17ff:fe51:3f2e%em0 prefixlen 64 scopeid 0x1
 ether 00:15:17:51:3f:2e
 media: Ethernet autoselect (1000baseTX <full-duplex>)
 status: active
 lagg: laggdev lagg0
 em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
 options=b<RXCSUM,TXCSUM,VLAN_MTU>
 inet 192.168.0.221 netmask 0x broadcast 192.168.255.255
 inet6 fe80::215:17ff:fe51:3f2f%em1 prefixlen 64 scopeid 0x2
 ether 00:15:17:51:3f:2f
 media: Ethernet autoselect (100baseTX <full-duplex>)
 status: active
 bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
 options=1b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING>
 inet 10.1.0.2 netmask 0xff00 broadcast 10.1.0.255
 inet6 fe80::21c:23ff:fee1:f846%bge0 prefixlen 64 scopeid 0x3
 ether 00:1c:23:e1:f8:46
 media: Ethernet autoselect (1000baseTX <full-duplex>)
 status: active
 bge1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
 options=1b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING>
 inet 10.0.2.5 netmask 0x broadcast 10.0.255.255
 inet6 fe80::21c:23ff:fee1:f847%bge1 prefixlen 64 scopeid 0x4
 ether 00:15:17:51:3f:2e
 media: Ethernet autoselect (1000baseTX <full-duplex>)
 status: active
 lagg: laggdev lagg0
 pfsync0: flags=41<UP,RUNNING> mtu 1348
 pfsync: syncdev: bge0 syncpeer: 224.0.0.240 maxupd: 128
 enc0: flags=0<> mtu 1536
 pflog0: flags=100<PROMISC> mtu 33208
 lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
 inet 127.0.0.1 netmask 0xff00
 inet6 ::1 prefixlen 128
 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x8
 carp0: flags=49<UP,LOOPBACK,RUNNING> mtu 1500
 inet 192.168.0.223 netmask 0xff00
 carp: MASTER vhid 11 advbase 1 advskew 100
 carp1: flags=49<UP,LOOPBACK,RUNNING> mtu 1500
 inet 10.0.2.3 netmask 0x
 carp: MASTER vhid 12 advbase 1 advskew 100
 tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
 inet6 fe80::215:17ff:fe51:3f2e%tun0 prefixlen 64 scopeid 0xb
 inet 192.168.66.1 --> 192.168.66.2 netmask 0x
 Opened by PID 370
 lagg0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
 inet 10.0.2.7 netmask 0x broadcast 10.0.255.255
 inet6 fe80::215:17ff:fe51:3f2e%lagg0 prefixlen 64 scopeid 0xc
 ether 00:15:17:51:3f:2e
 media: Ethernet autoselect
 status: active
 lagg: laggproto failover
 laggport: bge1 flags=4<ACTIVE>
 laggport: em0 flags=5<MASTER,ACTIVE>

 -

 # netstat -nr
 Routing tables

 Internet:
 Destination        Gateway            Flags    Refs      Use  Netif Expire
 default            192.168.0.1        UGS         0        0    em1
 10/16              link#12            UCS         0        2  lagg0
 10.0.1.205         00:16:ec:9b:c8:dc  UHLW        1       33  lagg0   1165
 10.0.2.3           10.0.2.3           UH          0        0  carp1
 10.0.2.6           00:15:17:51:4a:16  UHLW        1     2664  lagg0    234
 10.0.2.10          00:19:b9:eb:62:7d  UHLW        1     1447  lagg0   1151
 10.1/24            link#3             UC          0        0   bge0
 10.1.0.1           00:1c:23:e1:f7:d1  UHLW        1     5294   bge0   1127
 127.0.0.1          127.0.0.1          UH          0        0    lo0
 192.168.0/16       link#2             UC          0        1    em1
 192.168.0.1        00:17:9a:58:20:3f  UHLW        2     1771    em1    918
 192.168.0.2        00:16:3e:31:80:07  UHLW        1        1    em1    925
 192.168.0.102      00:15:00:00:12:1f  UHLW        1        0    em1    972
 192.168.0.223      192.168.0.223      UH          0        0  carp0
 192.168.66         192.168.66.2       UGS         0        6   tun0
 192.168.66.2       192.168.66.1       UH          1        0   tun0




[pfSense-discussion] #pfSensechat has been opened

2008-01-10 Thread Scott Ullrich
All,
We have opened a new FreeNode pfSense chat room that is meant for off topic
discussions for like minded people (pfSensers).

Please join us and chat with like minded folks!

#pfSenseCHAT on FreeNode.

Scott


Re: [pfSense-discussion] Dynamic remote endpoints (IPsec)

2008-01-02 Thread Scott Ullrich
On Jan 2, 2008 6:10 PM, Dennis Karlsson [EMAIL PROTECTED] wrote:
 Hi

 In the current beta of m0n0wall they've included the possibility to use
 a host name as destination gateway address. Will this be included in the
 1.2 release?

No.  1.2 is frozen.

It is already in RELENG_1 and HEAD so should arrive in 1.3.

Scott


Re: [pfSense-discussion] Looking for a push in the right direction for VoIP/Cisco 7971 phones

2008-01-02 Thread Scott Ullrich
On 1/2/08, patrickm [EMAIL PROTECTED] wrote:
 Hi all,

 I'm in charge of replacing our Cisco PIX firewall with one that will allow
 us to use VPN, and a bunch of my other sysadmin friends have suggested
 using pfsense.  Everything was super easy to set up initially, and now I
 want to get our Cisco 7971 SIP VoIP phones working behind NAT.

 I was wondering if anyone had to do something similar, or if anyone has a
 link or links to some helpful resources that will push me in the right
 direction.

 Thanks in advance!

Visit Firewall, NAT, Outbound.  Enable Advanced Outbound NAT.

Edit the auto-created LAN rule, check static-port.  Save.

It should work okay now.

Scott
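What the webGUI steps above produce, in pf.conf terms, as an added example that is not a rule pfSense generated. The GUI's static-port checkbox applies to the whole LAN rule, which turns off pf's source-port rewriting for every outbound connection from the LAN; the version below scopes it to the phones' SIP and RTP traffic only, since that is the traffic that breaks without it, and lets everything else keep randomised source ports. Interface names, the phone addresses and the RTP range (Cisco's usual 16384-32767) are assumptions.

```conf
# Added example in pf.conf syntax, not a pfSense-generated rule set.
# Assumptions: WAN is em1, the phones are the listed LAN hosts.
wan_if  = "em1"
lan_net = "192.168.1.0/24"
phones  = "{ 192.168.1.50, 192.168.1.51 }"   # or a dedicated voice VLAN's subnet

# nat rules are first-match: the phone-specific rules must come before the catch-all.
# SIP signalling keeps its source port so the registrar sees the port the phone expects.
nat on $wan_if proto udp from $phones port 5060 to any -> ($wan_if) static-port
# RTP media likewise; 16384:32767 is the assumed phone-side RTP range.
nat on $wan_if proto udp from $phones port 16384:32767 to any -> ($wan_if) static-port
# Everything else from the LAN gets pf's normal randomised source port.
nat on $wan_if from $lan_net to any -> ($wan_if)
```

In the 1.2 webGUI the same shape is three Advanced Outbound NAT entries in that order: two for the phones with static-port checked, then the auto-created LAN rule left unchecked.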


Re: [pfSense-discussion] Simple patch for Dynamic DNS.

2007-12-05 Thread Scott Ullrich
On 12/5/07, Ben Timby [EMAIL PROTECTED] wrote:
 I have attached two patches.

 dyndns-HEAD.patch
 dyndns-RELENG_1.patch

 both patch two files:

 usr/local/www/services_dyndns.php
 etc/inc/services.inc


Thanks!  I will check into these this evening.

Scott


Re: [pfSense-discussion] Support NTLM

2007-12-05 Thread Scott Ullrich
On 12/5/07, Jose Augusto [EMAIL PROTECTED] wrote:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1

 Hello,
  I need help.
  I have a firewall running on Linux, and I want to change the firewall to
  pfSense as fast as possible, but is authentication with NTLM (Active
  Directory) possible in pfSense? In Squid?

I believe the feature is in place but has not been finished.

Scott
PS: No, I have no plan to finish it.  Patches accepted.


Re: [pfSense-discussion] Simple patch for Dynamic DNS.

2007-12-01 Thread Scott Ullrich
On 11/27/07, Ben Timby [EMAIL PROTECTED] wrote:
 I set up the Dynamic DNS feature today, however, I needed to be able
 to specify my DNS server address.

 The attached patch adds a field to the services_dyndns.php form.
 This field if provided will be written to the nscommands file (in
 services.inc) as

 server value\n

 This allows you to update an arbitrary DNS server. If not provided,
 the server line is omitted and the default behavior occurs.

 I hope this is useful to others. I pulled these two files from CVS so
 this patch should apply to head.

 At least this guy seems to have the same issue as I did.

 http://forum.pfsense.org/index.php?PHPSESSID=859b4334957ebc787b1cc945c4329c92topic=3525.0



Hello!  Can you please provide RELENG_1 and HEAD diffs for this?

Scott


Re: [pfSense-discussion] multiwan ftp proxy

2007-11-19 Thread Scott Ullrich
On Nov 19, 2007 1:50 PM, Bill Marquette [EMAIL PROTECTED] wrote:
 Assuming I ftp at home (don't recall the last time I intentionally did
 that!) then ftp works just fine via the primary wan as Chris mentions.
  I think I did have to create a rule for traffic destined to 127.0.0.1
 to use the default gateway instead of a load balance pool.  Don't
 recall if that's still needed or not but it's still in my ruleset:
   *   LAN net   *   127.0.0.1   *   *   Use routing table for loopback traffic

1.3 now creates these hidden rules so for 1.2 you still need to permit
the traffic without a gateway assigned.  This is covered in
http://devwiki.pfsense.org/FTPTroubleShooting

Scott


Re: [pfSense-discussion] php: : Not installing nat reflection rules for a port range > 500 (1.2-RC2)

2007-11-09 Thread Scott Ullrich
You most likely have a port range defined.

Scott


On Nov 9, 2007 2:26 AM, Tortise [EMAIL PROTECTED] wrote:
 Hi Team

 I added a rule for MS TS access to 3389, I get logged php: : Not installing
 nat reflection rules for a port range > 500 and the connection does not
 seem to be created.

 I cannot however find a port range > 500 and the port added is a single
 port.

 Can anyone advise me on this please?

 Kind regards

 David

 PS on reviewing all my rules it seems that UDP NAT entries may have been
 erroneously automatically entered in rules as TCP rules?




Re: [pfSense-discussion] Captive portal could not deterimine clients MAC address

2007-09-05 Thread Scott Ullrich
On 9/5/07, Nick Buraglio [EMAIL PROTECTED] wrote:
 What wireless AP are you using?

 nb

I answered him here:

http://forum.pfsense.org/index.php/topic,5999.msg35459.html#msg35459

Tunge2, please stop cross posting between the forum and the mailing list.

Scott


Re: [pfSense-discussion] Firmware

2007-08-25 Thread Scott Ullrich
No.  Nothing will change from this perspective.  Please visit our blog,
where we describe how this will help the project.

Scott


On 8/25/07, Mike [EMAIL PROTECTED] wrote:
 With the recent move to paid support for pfsense and monowall, will this
 signify the end of the firmware upgrades, package availability, and this
 discussion list for those that don't cough up the money?



Re: [pfSense-discussion] 1.2-RC2 released

2007-08-21 Thread Scott Ullrich
On Tue, 21 Aug 2007 17:48:24 +0200, [EMAIL PROTECTED]
[EMAIL PROTECTED] wrote:
 Just one question, from a pfSense newbie:

 where can I download the 1.2RC2 update?

 Best regards

http://www.pfsense.com/mirror.php?section=updates/pfSense-Full-And-Embedded-Update-1.2-RC2.tgz

Scott


Re: [pfSense-discussion] atmel avr port of pfsense?

2007-07-31 Thread Scott Ullrich
On 7/31/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
[snip]
 This looks like a job for NetBSD!

Good luck porting pfSense to Net!  :)

Scott


Re: [pfSense-discussion] atmel avr port of pfsense?

2007-07-31 Thread Scott Ullrich
On 7/31/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 Most of the steps should be the same for NetBSD as they are for FreeBSD since 
 they share a lot of commonalities.

Not quite.  You will find a lot of items that rely on netgraph such as
PPTP, PPPoE, etc.

Scott


Re: [pfSense-discussion] Package installation / removal problem ?

2007-07-17 Thread Scott Ullrich

Dashboard is still very much a work in progress and has a few issues.

Scott


On 7/17/07, Daniele Guazzoni [EMAIL PROTECTED] wrote:

Small correction: only dashboard stalls

Daniele Guazzoni wrote:
 I'm running 1.2-BETA-2-TESTING-SNAPSHOT-07-05-2007 and it stalls on
 adding and removing packages.
 Known issue ?


 regards


 -
 Daniele Guazzoni
 Senior Network Engineer, CCNP, CCNA


 Linux and AMD-x86_64 or do you still with Windows and Intel ?






Re: [pfSense-discussion] Sun Fire X2100 M2 questions

2007-06-21 Thread Scott Ullrich

On 6/21/07, Bill Marquette [EMAIL PROTECTED] wrote:

On 6/20/07, Eugen Leitl [EMAIL PROTECTED] wrote:
 nfe won't be there in 1.3, correct? I can survive with
 just two interfaces (WAN and LAN) for a while, but I do need
 at least DMZ rather soon. When they say I should stay
 away from http://snapshots.pfsense.com/FreeBSD7/
 I presume it's for a good reason, right?

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/current-stable.html



It looks like the 7 tree is now frozen for release and all merges
require re@ approval, so I suspect we'll see a release in the coming
months, which will be very exciting on many fronts.

Scott


Re: [pfSense-discussion] Problems mit DynDNS Update

2007-06-20 Thread Scott Ullrich

Try a recent snapshot.

On 6/20/07, Fabian Steiner [EMAIL PROTECTED] wrote:

Hello!

We are using PfSense 1.2_BETA and are experiencing some serious problems
concerning DynDNS updates. Sometimes they are performed (obviously without
adding additional options, e.g. wildcard=ON) and sometimes they don't work at
all.

In 1.0.1 system.log shows the following output after the box received a 24h
force disconnect:

[...]
Jun 19 07:19:51 pfsense mpd: [pppoe] IFACE: Up event
Jun 19 07:19:54 pfsense check_reload_status: rc.newwanip starting
Jun 19 07:20:01 pfsense php: : Informational: DHClient
spawned /etc/rc.newwanip and the new ip is wan - 84.145.68.218.
Jun 19 07:20:01 pfsense php: : Creating rrd update script
Jun 19 07:20:01 pfsense php: : Creating rrd graph index
Jun 19 07:20:06 pfsense php: : Resyncing configuration for all packages.
Jun 19 07:20:06 pfsense check_reload_status: reloading filter
Jun 19 07:20:14 pfsense check_reload_status: updating dyndns
Jun 19 07:20:19 pfsense php: : DynDns: Running updatedns()
[...]

1.2_BETA, however, prints out the following:

[...]
Jun 20 16:49:18 eros mpd: [pppoe] IFACE: Up event
Jun 20 16:49:20 eros check_reload_status: rc.newwanip starting
Jun 20 16:56:21 eros dnsmasq[9490]: reading /var/dhcpd/var/db/dhcpd.leases
Jun 20 16:59:01 eros dnsmasq[9490]: reading /var/dhcpd/var/db/dhcpd.leases
Jun 20 18:41:08 eros dnsmasq[9490]: reading /var/dhcpd/var/db/dhcpd.leases
Jun 20 20:36:07 eros dnsmasq[9490]: reading /var/dhcpd/var/db/dhcpd.leases
Jun 20 20:41:07 eros dnsmasq[9490]: reading /var/dhcpd/var/db/dhcpd.leases
[...]

Therefore I must run /etc/rc.dyndns.update manually in order to have my WAN IP
updated.

Maybe check_reload_status is responsible because of that failure, but I can
not find its source code.

Regards,
Fabian



Re: [pfSense-discussion] RAID

2007-06-15 Thread Scott Ullrich

On 6/15/07, Eugen Leitl [EMAIL PROTECTED] wrote:


There's no SATA soft-RAID support planned in the pfsense install, right?


RAID 1 is supported if two disks are present.


Re: [pfSense-discussion] openbsd 10gb stuff

2007-06-04 Thread Scott Ullrich

One of the 10% patches has already been ported and is in our tree.   We
are seeing up to a 33% improvement in performance on some machines
such as the Soekris 266.  Stay tuned, Chris plans on blogging about the
improvements soon.

Scott


On 6/4/07, Jure Pečar [EMAIL PROTECTED] wrote:


Just saw this on undeadly.org:

http://www.openbsd.org/papers/cuug2007/mgp1.html

How does it affect freebsd/pf and when/if can we expect some of this work in 
pfsense?

--

Jure Pečar
http://jure.pecar.org



Re: [pfSense-discussion] MiniUPnPd security risks

2007-04-25 Thread Scott Ullrich

On 4/25/07, DarkFoon [EMAIL PROTECTED] wrote:



I'm considering installing the UPnP daemon on some home/home office boxes,
and I'm curious what the security issues are.
From my own (simple) analysis, the worst that could happen is a malicious
application could ask for many, many (almost all?) of the ports above 1024
to be routed to a machine, and that an external attacker might be able to
use all the port forwards to control said malicious program from the
internet and perhaps wreak havoc on the LAN net and maybe even the pfSense
box (with a keylogger and sniff the pw for the pfSense admin).

This is assuming I don't use the custom rules that I can specify. (which I
could use to mitigate some of the damage)


Your analysis is dead on.   Any application can open its own ports.
However our package allows limiting of source IPs that can use UPnP
to open ports.   So you could lock this down to 1-2 IPs, etc.

Scott
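
Added example for the exchange above (not pfSense or MiniUPnPd code): the SOAP request any LAN process can send to an Internet Gateway Device to open a port, and an offline audit of the mappings a gateway reports back. It assumes the standard WANIPConnection:1 service; the allowlist of LAN hosts and the GetGenericPortMappingEntry responses are constructed sample data, not captured traffic.

```python
# Added example (not pfSense or MiniUPnPd code): what a LAN application sends to an
# IGD to open a port, and an offline audit of the mappings a gateway reports.
# Assumptions: the standard WANIPConnection:1 service, a hypothetical allowlist of
# LAN hosts, and constructed GetGenericPortMappingEntry responses as sample data.
import xml.etree.ElementTree as ET

SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
ENVELOPE = ('<?xml version="1.0"?>'
            '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
            '<s:Body>{body}</s:Body></s:Envelope>')

def _mapping_args(ext_port, proto, int_port, int_client, desc, lease):
    # Argument set shared by AddPortMapping and GetGenericPortMappingEntry.
    return ('<NewRemoteHost></NewRemoteHost>'
            f'<NewExternalPort>{ext_port}</NewExternalPort>'
            f'<NewProtocol>{proto}</NewProtocol>'
            f'<NewInternalPort>{int_port}</NewInternalPort>'
            f'<NewInternalClient>{int_client}</NewInternalClient>'
            '<NewEnabled>1</NewEnabled>'
            f'<NewPortMappingDescription>{desc}</NewPortMappingDescription>'
            f'<NewLeaseDuration>{lease}</NewLeaseDuration>')

def add_port_mapping_request(ext_port, proto, int_port, int_client, desc, lease=0):
    """SOAP body any process on the LAN can POST to the IGD control URL.
    Nothing in it is authenticated; the daemon only sees the sender's source IP,
    which is why restricting the allowed source IPs is the control that matters."""
    body = (f'<u:AddPortMapping xmlns:u="{SERVICE}">'
            + _mapping_args(ext_port, proto, int_port, int_client, desc, lease)
            + '</u:AddPortMapping>')
    return ENVELOPE.format(body=body)

def sample_entry_response(ext_port, proto, int_port, int_client, desc, lease):
    """Constructed GetGenericPortMappingEntry response (sample data, not captured)."""
    body = (f'<u:GetGenericPortMappingEntryResponse xmlns:u="{SERVICE}">'
            + _mapping_args(ext_port, proto, int_port, int_client, desc, lease)
            + '</u:GetGenericPortMappingEntryResponse>')
    return ENVELOPE.format(body=body)

def parse_mapping_entry(xml_text):
    """Turn one GetGenericPortMappingEntry response into a dict."""
    root = ET.fromstring(xml_text)
    resp = root.find(f".//{{{SERVICE}}}GetGenericPortMappingEntryResponse")
    if resp is None:
        raise ValueError("not a GetGenericPortMappingEntry response")
    f = {child.tag: (child.text or "").strip() for child in resp}
    return {"ext_port": int(f["NewExternalPort"]), "proto": f["NewProtocol"],
            "int_port": int(f["NewInternalPort"]), "client": f["NewInternalClient"],
            "desc": f["NewPortMappingDescription"], "lease": int(f["NewLeaseDuration"])}

def audit(mappings, allowed_clients, max_per_client=10):
    """Flag mappings a home/office admin would not expect; returns (what, reason)."""
    findings, per_client = [], {}
    for m in mappings:
        per_client[m["client"]] = per_client.get(m["client"], 0) + 1
        if m["client"] not in allowed_clients:
            findings.append((m, "internal client not in the UPnP allowlist"))
        if m["lease"] == 0:
            findings.append((m, "permanent mapping (lease 0), outlives the app"))
        if m["int_port"] < 1024:
            findings.append((m, "forwards to a privileged port on the LAN host"))
    for client, n in per_client.items():
        if n > max_per_client:   # the 'grab every port above 1024' scenario
            findings.append((client, f"{n} mappings: possible port hoarding"))
    return findings

SAMPLE_RESPONSES = [   # constructed sample data
    sample_entry_response(6881, "TCP", 6881, "192.168.1.20", "BitTorrent", 3600),
    sample_entry_response(3389, "TCP", 3389, "192.168.1.77", "rdp", 0),
    sample_entry_response(4444, "TCP", 22, "192.168.1.77", "svc", 0),
]
```

Run audit(parsed, {"192.168.1.20"}) over the parsed sample responses and the two mappings from 192.168.1.77 are flagged three ways: not on the allowlist, permanent, and (for the third) pointing at a privileged port. On a live gateway the same parser works on the responses to GetGenericPortMappingEntry with an increasing NewPortMappingIndex.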


Re: [pfSense-discussion] Patch submittal deadline?

2007-04-22 Thread Scott Ullrich

RELENG_1 and -HEAD would be fine.

We are past RELENG_1_2 deadline.

Scott


On 4/22/07, Kyle Mott [EMAIL PROTECTED] wrote:

Do you care if the diffs/patches are from a February 1.0.1 snapshot, or
would you prefer them from a 1.2-BETA snapshot?


-Kyle

Scott Ullrich wrote:
 On 4/15/07, Kyle Mott [EMAIL PROTECTED] wrote:
 Is there a deadline for submitting a patch to be included in the base
 release? I'm still working on my EtherChannel port, but I've still got a
 few things to work out. Will I still be able to get it in to the next
 release (I assume 1.2), and/or 1.0.1 if I submit it soon (within the
 week)?

 Unfortunately 1.2 is frozen now.   We can get it into 1.3 and the
 snapshots after 1.2 is released.

 Scott



Re: [pfSense-discussion] Patch submittal deadline?

2007-04-15 Thread Scott Ullrich

On 4/15/07, Kyle Mott [EMAIL PROTECTED] wrote:

Is there a deadline for submitting a patch to be included in the base
release? I'm still working on my EtherChannel port, but I've still got a
few things to work out. Will I still be able to get it in to the next
release (I assume 1.2), and/or 1.0.1 if I submit it soon (within the week)?


Unfortunately 1.2 is frozen now.   We can get it into 1.3 and the
snapshots after 1.2 is released.

Scott


Re: [pfSense-discussion] 16 instance of Snort running ???

2007-04-10 Thread Scott Ullrich

On 4/10/07, Daniele Guazzoni [EMAIL PROTECTED] wrote:

I upgraded to 1.0.1-SNAPSHOT-03-27-2007, running with the snort package 
installed.
Before the upgrade everything was ok, now I have 16 instances of snort running 
and crashing regularly.

Known problem ?


Yes.

Uninstall and reinstall the package.

Scott


Re: [pfSense-discussion] routing everything though an IPsec tunnel

2007-03-30 Thread Scott Ullrich

On 3/30/07, Eugen Leitl [EMAIL PROTECTED] wrote:


What I really like about pfsense/m0n0 is that it allows you
to build IPsec tunnels between firewalls. This is rather important,
because I happen to live in a country where ISPs are required to
spy on their customers by law (storing all connection info,
and allowing tapping on demand). By presenting the ISP only
a VPN tunnel all they can do is only do traffic analysis.

Since I have a few IP numbers out of my /24 I'm not using yet
I'd like to build a VPN tunnel (pfsense to pfsense) to one or
several public IPs at my hoster.


I vaguely recall someone putting 0.0.0.0 into the remote subnet field
in IPSEC and it set the default gateway to the IPSEC tunnel.  This is
all from memory and it was around version 0.80 so details are faint.
If I recall Alan from the UK was the person working with it.  Maybe he
can chime in.

Scott


Re: [pfSense-discussion] Box hangs because of PHP ?

2007-03-22 Thread Scott Ullrich

Technically, now that the images are 128 megabytes, it's possible.  We
just never spent the time to make it work correctly.

On 3/22/07, Eugen Leitl [EMAIL PROTECTED] wrote:

On Thu, Mar 22, 2007 at 12:20:12PM -0400, Scott Ullrich wrote:

 Is there a way to upgrade 1.0.1 embedded remotely?

 Embedded unfortunately not.

Is this a principal (technology) limitation, or something
which can be tackled by a bounty?

--
Eugen* Leitl http://leitl.org
__
ICBM: 48.07100, 11.36820http://www.ativel.com
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFGAq4QdbAkQ4sp9r4RArBkAJ98WbDCftiALlLZMIREAzGCscvg3gCgjHdp
VFaLY+VRxoJFBysqWNen1vM=
=I2Mh
-----END PGP SIGNATURE-----




Re: [pfSense-discussion] freebsd ports vs pfsense ports

2007-02-28 Thread Scott Ullrich

On 2/28/07, Paul [EMAIL PROTECTED] wrote:

Working on mpd, I saw that there's a pfSense ports directory in
/home/pfsense/tools

I need to port some custom packages to pfSense, so how do I tell the
build scripts to use my own port instead of the freebsd ones, or shall I
just copy them to /usr/ports?


We have done this previously by hand, but soon I will be altering
FreeSBIE to automatically build the pfPorts tree so that the FreeBSD 7
and other architectures' binaries get updated when we build an image.
Unfortunately I do not have a timeframe as of yet.

Scott


Re: [pfSense-discussion] m0n0wall to PFSense

2007-02-15 Thread Scott Ullrich

On 2/15/07, Salcido, Cesar [EMAIL PROTECTED] wrote:



If I were to install PFSense on my Nokia P020 m0n0wall currently installed
could I use my existing config.xml with PFSense?


Please see 
http://faq.pfsense.com/index.php?action=artikel&cat=4&id=89&artlang=en&highlight=m0n0wall%20config


Re: [pfSense-discussion] Searched Google but nada

2007-02-14 Thread Scott Ullrich

On 2/14/07, Chris Godwin [EMAIL PROTECTED] wrote:

I'm getting a sync error. Both boxes are running 1.0.1 on a hacomm i386
box.


I have added additional code to the XMLRPC sync area to hopefully tell
us what is going on.   Upgrade to a new snapshot an hour from now
(around 9pm EST).

http://snapshots.pfsense.com/FreeBSD6/RELENG_1/updates/

Scott


Re: [pfSense-discussion] about manage a lot of pfsense in one console interface

2007-01-18 Thread Scott Ullrich

No, this unfortunately will not work as outlined; PF and IPF are a
little too different.  But you can use one of our anchors in the
rules file to insert and remove rules from cron more easily than with IPF.

On 1/18/07, Sjaak Nabuurs [EMAIL PROTECTED] wrote:

Cristian


Maybe this is a suggestion in your direction.
I've no idea if it can be used in pfSense.


http://wiki.m0n0.ch/wikka.php?wakka=PoorMansTimeBasedRules

Good luck


Sjaak


Cristian Mata wrote:


Hi, I actually have a problem: we have 43 sites with pfSense (in an IPsec
VPN). Is there anything to monitor them all in a single console? Because
monitoring them one by one is very complex.

In addition, do you have any tool to apply rules to a lot of pfSense boxes at
the same time?

Thanks


Cristian


Re: [pfSense-discussion] about manage a lot of pfsense in one console interface

2007-01-18 Thread Scott Ullrich

On 1/18/07, Cristian Mata [EMAIL PROTECTED] wrote:

Thanks Scott, which is the name of the rules file? Because on my FreeBSD I have
pf.conf, but in pfSense... are the rules in the XML file?

Thanks in advance.



Look at /tmp/rules.debug

Scott


Re: [pfSense-discussion] Source based redirection

2007-01-16 Thread Scott Ullrich

Nobody is working on it to my knowledge.

Scott


On 1/16/07, Adam Van Ornum [EMAIL PROTECTED] wrote:


Is anyone working on source based redirection?  I checked in the forums and
one guy had been working on it supposedly but apparently he disappeared.
Its a feature I need and I might try doing it myself if no one else is
actively working on it.




Re: [pfSense-discussion] VideoConference problems

2007-01-08 Thread Scott Ullrich

Same situation that VoIP folks run into.   Create an advanced outbound
NAT rule for this particular port, move it to the top and be sure to
enable the static port option for the rule in question.

Also search the forum for "static port"; it's discussed about once a
week at least.

Scott

On 1/8/07, Carlos Julio Sánchez [ACC-SIS]
[EMAIL PROTECTED] wrote:

Hi!

Can anybody help me? I connect from my home, without pfSense, to a
videoconference device, but when I try to connect from work, with the pfSense
firewall, I don't have video or sound.

Does anybody know why?


Carlos J. Sánchez
Redes y Telecomunicaciones
[EMAIL PROTECTED]
www.americancallcenter.com
Av. Fco. de Orellana 111 Edif. WTC Torre B Of. 812
Guayaquil, Ecuador
Tel. +593 (4) 263-0750 – Ext. 5140
Fax. +593 (4) 263-0764


Re: [pfSense-discussion] VideoConference problems

2007-01-08 Thread Scott Ullrich

Show a screenshot of the rules summary page (the page where you can
add/edit/delete advanced outbound NAT items).   Also show a screenshot
of the actual item's settings as well.

On 1/8/07, Carlos Julio Sánchez [ACC-SIS]
[EMAIL PROTECTED] wrote:

Hi!

I created the advanced outbound NAT, but my NetMeeting machine behind
pfSense doesn't have video or sound yet.

I was reading the forum, but it said the same as below.

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED]
Sent: Monday, January 08, 2007 12:19 PM
To: discussion@pfsense.com
Subject: Re: [pfSense-discussion] VideoConference problems

Same situation that VoIP folks run into.   Create an advanced outbound
NAT rule for this particular port, move it to the top and be sure to
enable the static port option for the rule in question.

Also search the forum for static port, it's discussed about once a
week at least.

Scott

Re: [pfSense-discussion] VideoConference problems

2007-01-08 Thread Scott Ullrich

You need to define the port in question as well.

Scott


On 1/8/07, Carlos Julio Sánchez [ACC-SIS]
[EMAIL PROTECTED] wrote:

Here I send the screenshots, please inform me if I have configured anything
wrong.


Thanks!

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED]
Sent: Monday, January 08, 2007 3:24 PM
To: discussion@pfsense.com
Subject: Re: [pfSense-discussion] VideoConference problems

Show a screenshot of the rules summary page (the page where you can
add/edit/delete advanced outbound NAT items).   Also show a screenshot
of the actual item's settings as well.

Re: [pfSense-discussion] VideoConference problems

2007-01-08 Thread Scott Ullrich

No, you do not want source port, you want destination port.


On 1/8/07, Carlos Julio Sánchez [ACC-SIS]
[EMAIL PROTECTED] wrote:

Hi, I send the screenshots with port 1720 of NetMeeting.

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED]
Sent: Monday, January 08, 2007 3:59 PM
To: discussion@pfsense.com
Subject: Re: [pfSense-discussion] VideoConference problems

You need to define the port in question as well.

Scott


Re: [pfSense-discussion] Memory issue

2006-12-28 Thread Scott Ullrich

FreeBSD will buffer as much RAM as you give it, IIRC.  What you really
should monitor is top from a shell if you are this worried.   I would
not be worried at all until memory is in the 90%+ range.

Scott


On 12/28/06, Jack Mayhew [EMAIL PROTECTED] wrote:

I'm seeing the same thing (ver 1.0.1 - though I originally installed
Snort while running an earlier version)- removed Snort a few months ago
(not sure what version I was running when I removed it - upgraded
since), but it is still showing up in Top (state is bpf).  Memory use
was up to 78%, dropped to 32% after I killed the process using Command.
However, a few minutes later, it was back (in Top) in the bpf state
again, and memory usage was back up to 68%!  Seems like an issue with
the removal process? Doesn't ever seem to bring the system down, but I
will probably do a reinstall as well (pretty painless with the CD and
saved config)...

Other than that, running like a top on an old HP Vectra 733MHz PIII box
with a CF card, and an Intel dual NIC card in addition to the on board
NIC (a 3Com).  I forget how much memory it has, but dmesg claims around
190 Meg total.  Been rock solid (been up now for 22 days, due to our
power being out for several hours back then, but other than that, it has
never gone down unless I told it to!).  I had been using m0n0wall on a
Soekris 4501, which had been working flawlessly, but switched to pfSense
to check out the packages, and maybe CARP eventually. Thanks for a great
piece of work!

Regards,
Jack Mayhew

Mike Johnson- Southwestech Computers wrote:
 Thanks. I am leaning towards that as well. Not the fix I was looking
 for, but it is what has to be done... quick and dirty. Thanks Holger




 Holger Bauer wrote:
 I recommend a reinstall. Backup your config.xml without package settings
 (it's an option at Diagnostics > Backup/Restore).

 Holger
 -Original Message-
 From: Mike Johnson- Southwestech Computers
 [mailto:[EMAIL PROTECTED] Sent: Thursday, December 28, 2006 5:49 PM
 To: discussion@pfsense.com
 Subject: Re: [pfSense-discussion] Memory issue




Re: [pfSense-discussion] Known PFsense Limits?

2006-12-15 Thread Scott Ullrich

On 12/15/06, Odette [EMAIL PROTECTED] wrote:

FYI, I've successfully substituted Linux-iptables with pfSense on a Soekris
net4801 using 5 eth ports and everything has been running fine for more than
30 days.

About the rule translation nightmare: aliases and rule optimization permitted
me to convert the 1000 lines into about 50 rules. Great!
I think it would be a great enhancement to be able to define aliases of
aliases to reduce the ruleset management complexity further.


Yes, agreed.  I would also like to see this in a future version.


Thanks again to everybody involved in pfSense development and support!


Glad that it worked out for you.

Scott
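
Added example for the "aliases of aliases" wish above (not pfSense code; 1.x aliases do not nest): what a resolver for nested aliases has to do before the result can become a pf table, namely follow references, reject cycles and unknown names, and collapse duplicate or overlapping entries. It assumes members are IPv4/IPv6 hosts, CIDR networks or other alias names (no hostnames); the alias set is constructed sample data.

```python
# Added example (not pfSense code): resolving "aliases of aliases" into flat pf
# tables. Assumptions: members are IPv4/IPv6 hosts, CIDR networks, or the names of
# other aliases (no hostnames); SAMPLE_ALIASES below is constructed sample data.
import ipaddress
import re

ALIAS_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

class AliasError(ValueError):
    """Raised for unknown references, bad members and reference cycles."""

def _fmt(net):
    # Render /32 and /128 as plain addresses, the way a pf table usually lists hosts.
    return str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)

def _leaves(name, aliases, stack):
    if name in stack:
        raise AliasError("cycle: " + " -> ".join(stack + [name]))
    if name not in aliases:
        raise AliasError(f"unknown alias {name!r}")
    nets = []
    for member in aliases[name]:
        if member in aliases:                       # nested alias: recurse
            nets.extend(_leaves(member, aliases, stack + [name]))
        else:
            try:
                nets.append(ipaddress.ip_network(member, strict=False))
            except ValueError as exc:
                raise AliasError(f"{name}: bad member {member!r}") from exc
    return nets

def resolve_alias(name, aliases):
    """Flatten an alias (which may reference other aliases) into the minimal
    sorted list of networks: duplicates and entries inside a wider network are
    dropped, and adjacent hosts are merged into a CIDR."""
    nets = _leaves(name, aliases, [])
    result = []
    for version in (4, 6):            # collapse_addresses cannot mix v4 and v6
        same = [n for n in nets if n.version == version]
        result.extend(ipaddress.collapse_addresses(same))
    return [_fmt(n) for n in result]

def pf_table(name, aliases):
    """Emit the pf 'table' line a rules file would carry for the alias."""
    if not ALIAS_NAME.match(name):
        raise AliasError(f"invalid table name {name!r}")
    return f"table <{name}> {{ {', '.join(resolve_alias(name, aliases))} }}"

def check_aliases(aliases):
    """Validate every alias; returns {name: error message or None}."""
    report = {}
    for name in aliases:
        try:
            resolve_alias(name, aliases)
            report[name] = None
        except AliasError as exc:
            report[name] = str(exc)
    return report

SAMPLE_ALIASES = {                     # constructed sample data
    "web_srv": ["192.168.10.10", "192.168.10.21"],
    "db_srv": ["192.168.20.5", "2001:db8::5"],
    "dmz_hosts": ["web_srv", "db_srv", "192.168.10.0/24"],   # web_srv lies in the /24
    "loop_a": ["loop_b"],
    "loop_b": ["loop_a"],
    "broken": ["no_such_alias"],
}
```

check_aliases() is the piece worth running before a filter reload: a cycle or a typo in one alias should be reported as such rather than surfacing later as a pfctl parse error, and resolving dmz_hosts shows why collapsing matters (the two web servers vanish into the /24 instead of appearing three times).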


Re: [pfSense-discussion] FTP Server Logging

2006-12-13 Thread Scott Ullrich

The only way to do this is turn off the FTP helper and port forward 21
and the dynamic port range defined on the FTP server.

Scott


On 12/13/06, Ben Flores [EMAIL PROTECTED] wrote:

Is there a way to pass the original external source IP to the internal server? 
The only IP that shows in the logs of the ftp server is that of the firewall. 
TIA

Ben









Re: [pfSense-discussion] help me

2006-11-23 Thread Scott Ullrich

You need to reinstall.

Scott


On 11/23/06, Carlos Julio Sánchez [ACC-SIS]
[EMAIL PROTECTED] wrote:

Hi!

I upgraded pfSense RC2 to release 1.0.1 and I have an error in the banner
that says: [filter load] there were error(s) loading the rules: pfctl:
DIOCSETSTATUSIF the line in question reads [DIOCSTATUSIF]

Anybody knows why?




Re: [pfSense-discussion] NAT on tun0 used with OpenVPN

2006-11-14 Thread Scott Ullrich

On 11/13/06, Stefan Tunsch [EMAIL PROTECTED] wrote:

The problem is that push route options need to be established on both sides
of the tunnel.
If I establish them only on one side, routing does not happen.

Can you please confirm for me that there is no way to route traffic from a local
network through the OpenVPN client on pfSense and back if push options
aren't established on both sides?


Let me preface by saying I don't know much of anything about OpenVPN
but after speaking with the author of the OpenVPN GUI code, here is
his reply:

Can you please confirm for me that there is no way to route traffic from a
local network through the OpenVPN client on pfSense and back if push
options aren't established on both sides?

To route traffic from a local network through the OpenVPN client, you
can use a simple route in custom commands, for example. To push a
route through the OpenVPN server, well, just push it, it should work as
long as your client accepts pushes.

Scott


Re: [pfSense-discussion] NAT on tun0 used with OpenVPN

2006-11-13 Thread Scott Ullrich

On 11/13/06, Stefan Tunsch [EMAIL PROTECTED] wrote:

I have seen several posts in the forum stating that tun or tap interfaces
should not be assigned to an interface of pfSense.
That any/any firewall rules are automatically created when the OpenVPN client
establishes a connection.
And that no traffic will flow if static routes weren't defined on BOTH
sides of the tunnel.

This poses a problem for me. I have a centralized server infrastructure
where an OpenVPN server is running.
This server serves connections for different offices.


Route push options.   Look in the forum where this is also talked about.


If I have to set up static routes on the server to each of these offices,
the first problem I have is that several of them are using the same network
settings. In this scenario, I have to either make sure each office uses a
different network or this will not work.

It sounds strange not to be able to establish outbound natting on the
tunnel.

Not being able to establish firewall rules to control who gets access to the
tunnel also sounds weird.


This was a known problem going into 1.0.   We cannot make everyone
happy overnight.

Scott


Re: [pfSense-discussion] purpose of VLAN on LAN interface?

2006-11-08 Thread Scott Ullrich

http://en.wikipedia.org/wiki/Vlan

On 11/8/06, Jonathan Horne [EMAIL PROTECTED] wrote:

i was wondering, what exactly is the purpose of the VLAN support on the LAN
interface?  can someone give me a quick example of how, why or where this
might be used?

thanks,
jonathan



Re: [pfSense-discussion] Hotspot accounting software

2006-11-08 Thread Scott Ullrich

On 11/8/06, Jason Brunk [EMAIL PROTECTED] wrote:

I built something awhile back.  This was my setup.

1.  multiple captive portals at different locations
2.  a freeradius server for authentication
3.  mod to freeradius to use mysql for storing info instead of flat text
files
4.  an entry into the access points to allow access to my central site.
5.  users tried to get online, went to a page that said please sign up, they
paid their couple bucks
6.  the corresponding records were added into the mysql db and they could
then login
7.  a customer interface was designed to take the mac addresses of each
location and create a corresponding Location Profile when a customer logged
in.  They could see how much time they had purchased, how much was used, how
much was left, as well as a log history to show how much time was used at
what location and when.

I can dig it up again if anyone is interested?


What is it written in?


Re: [pfSense-discussion] Hotspot accounting software

2006-11-08 Thread Scott Ullrich

On 11/8/06, Jason Brunk [EMAIL PROTECTED] wrote:

Never used one before.  Could be done I suppose.  Any suggestions on a good
one?  I will give it a shot.


Give http://asp2php.naken.cc/ a try.

Scott


Re: [pfSense-discussion] dnsmasq config file support

2006-10-18 Thread Scott Ullrich

On 10/18/06, Josh Stompro [EMAIL PROTECTED] wrote:

I have come across a few situations where I have wanted to be able to
add wildcard dns entries to a pfsense box.  Dnsmasq does support this
through its config file, dnsmasq.conf, with an entry like this:
address=/proxy.dns.net/192.168.1.1
or on the command line:
-A, --address=/domain/ipaddr    Return ipaddr for all hosts in
specified domains.
-A /proxy.dns.net/192.168.1.1


This would return 192.168.1.1 for every request for *.proxy.dns.net.

The reason I would find this useful is so that users behind a pfsense
firewall that are not using reflection can use a dns based rewriting
proxy that is inside the firewall from inside the firewall.  See
http://www.usefulutilities.com/support/rewrite.html for a description of
that type of proxy.

The situation in our case is that we use our ISP's dns servers for the
entries that the world can access, so we have a wildcard dns entry
setup with them, which points to the external address of a pfsense box,
which forwards it to an internal server.  The url rewriting works fine
from a remote location, but from inside the firewall dnsmasq passes the
long dns names to the external dns server,
proquest.com.proxy.example.com gets translated to the external ip
address, which doesn't work from inside the firewall.

I think the setup would be very similar to the
/usr/local/www/services_dnsmasq_domainoverride_edit.php setup, since it
could just add a command line argument.

Is this something that would be considered for inclusion?
Thanks


Absolutely.  If you want to provide diff -rub format patches, we will commit.

Scott
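
Added example for the request above (not pfSense or dnsmasq code): a model of how dnsmasq's address=/domain/ip override answers queries, so the split-horizon case in the request can be checked offline. A name matches an override if it is the domain or any name beneath it, and the longest matching domain wins; anything unmatched is forwarded upstream, which is exactly the path that hands proquest.com.proxy.example.com to the ISP's wildcard today. The config fragment is constructed; only address= lines are modelled.

```python
# Added example (not pfSense or dnsmasq code): how dnsmasq's 'address=/domain/ip'
# override resolves names. Assumptions: SAMPLE_CONF is a constructed fragment and
# only 'address=' directives are modelled (no 'server=' or hosts-file entries).
def parse_address_overrides(conf_text):
    """Return [(domain, ip), ...] from address=/d1/d2/.../ip lines.
    An empty ip (address=/d/) means dnsmasq answers NXDOMAIN; '#' matches any name.
    dnsmasq only treats whole lines starting with '#' as comments."""
    rules = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or not line.startswith("address="):
            continue
        parts = line[len("address="):].split("/")   # '/d1/d2/ip' -> ['', 'd1', 'd2', 'ip']
        if len(parts) < 3 or parts[0] != "":
            raise ValueError(f"malformed directive: {raw!r}")
        ip = parts[-1]
        for domain in parts[1:-1]:
            rules.append((domain.lower().strip("."), ip))
    return rules

def lookup(name, rules):
    """Answer a query the way the override does: the longest matching domain
    (the name itself or any parent) wins. None means 'forward upstream';
    an empty string means NXDOMAIN."""
    name = name.lower().strip(".")
    best = None
    for domain, ip in rules:
        if domain == "#":
            depth = 0
        elif name == domain or name.endswith("." + domain):
            depth = len(domain)
        else:
            continue
        if best is None or depth > best[0]:
            best = (depth, ip)
    return best[1] if best else None

def cmdline_args(rules):
    """The equivalent command-line form, one --address per domain."""
    return [f"--address=/{d}/{ip}" for d, ip in rules]

SAMPLE_CONF = """\
# constructed sample dnsmasq.conf fragment
address=/proxy.example.com/192.168.1.1
address=/special.proxy.example.com/192.168.1.2
address=/ads.example.net/tracker.example/0.0.0.0
address=/blocked.example/
"""
```

With the sample rules, proquest.com.proxy.example.com resolves to 192.168.1.1 inside the firewall, a name under special.proxy.example.com takes the more specific override, and notproxy.example.com is untouched because the match is on label boundaries, not on a string suffix.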


Re: [pfSense-discussion] IDS yet?

2006-10-05 Thread Scott Ullrich

On 10/5/06, Chris Godwin [EMAIL PROTECTED] wrote:

Am I correct about Snort being able to block as well as detect? Isn't
this IDS/IPS, not just IDS.


It is a delayed IDS.   Generally an IPS hooks into the network stack
directly and does not allow the traffic to pass through until it's
scanned.

This is the opposite of that, where a packet may be let through and
then a block rule is added 50ms later, etc.

Scott
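
Added example for the reply above and for the later question about seeing the attack type rather than just the IP (not pfSense or Snort code): a parser for Snort's alert_fast line format, a syslog-style line carrying the signature, and the after-the-fact block list that a delayed IDS pushes into a pf table once the triggering packet has already been forwarded. The alert lines are constructed samples; the table name snort2c and the home-network prefixes are illustrative assumptions.

```python
# Added example (not pfSense or Snort code): parsing Snort "fast" alert lines to get
# the signature behind each blocked IP and deriving the after-the-fact block list
# a package like this one pushes into a pf table.
# Assumptions: the alert lines are constructed samples; the pf table name 'snort2c'
# and the home-network prefixes are illustrative.
import re

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>[^\s:]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[^\s:]+)(?::(?P<dport>\d+))?\s*$"
)

def parse_alert(line):
    """One alert_fast line -> dict, or None if it is not an alert line."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("gid", "sid", "rev", "prio"):
        d[k] = int(d[k])
    for k in ("sport", "dport"):          # absent for ICMP and portscan events
        d[k] = int(d[k]) if d[k] is not None else None
    return d

def to_syslog(alert):
    """A syslog line that carries the attack detail, not only the source IP."""
    return (f"snort[{alert['gid']}:{alert['sid']}]: {alert['msg']} "
            f"(prio {alert['prio']}) {alert['proto']} {alert['src']} -> {alert['dst']}")

def block_candidates(alerts, min_priority=2, home_nets=()):
    """Sources to block, with the signatures that got them there.
    Priority 1 is the most severe, so alerts with prio > min_priority are ignored;
    sources inside home_nets are never blocked (a whitelist). The packet that
    raised each alert has already been forwarded: this is the delayed block
    described above, not inline prevention."""
    blocks = {}
    for a in alerts:
        if a["prio"] > min_priority or a["src"].startswith(tuple(home_nets)):
            continue
        sigs = blocks.setdefault(a["src"], [])
        if (a["sid"], a["msg"]) not in sigs:
            sigs.append((a["sid"], a["msg"]))
    return blocks

def pfctl_commands(blocks, table="snort2c"):
    """pf table additions for the block list (table name is an assumption)."""
    return [f"pfctl -t {table} -T add {ip}" for ip in sorted(blocks)]

SAMPLE_ALERTS = [   # constructed sample lines in Snort alert_fast format
    "10/05-09:12:43.101234  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] "
    "[Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.9:1434 -> 198.51.100.4:1434",
    "10/05-09:12:44.220011  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] "
    "[Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.9:1434 -> 198.51.100.4:1434",
    "10/05-09:13:01.000500  [**] [122:1:0] (portscan) TCP Portscan [**] "
    "[Priority: 3] {PROTO:255} 203.0.113.77 -> 198.51.100.4",
    "10/05-09:13:05.000000  [**] [1:384:5] ICMP PING [**] "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.15 -> 198.51.100.4",
    "not an alert line",
]
```

The priority threshold is the knob that decides how much noise turns into table entries: at min_priority=2 only the worm source is added, at 3 the portscanner joins it, and the LAN host that sent the ICMP ping is skipped either way because it falls inside home_nets.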


Re: [pfSense-discussion] IDS yet?

2006-10-05 Thread Scott Ullrich

On 10/5/06, Jason J. Ellingson [EMAIL PROTECTED] wrote:

Snort is kicking some great arse!  I'm really loving it.

Any way to get it to syslog?  I see a lot of MS-SQL worms and such and
would (for giggles) like to see all the snort alerts.

System logs only shows the attacking IP and not what kind of attack.

Who is the sponsor for Snort, I want to buy them a beer!

PS: I'm using ac mode.  ac-std uses all the system RAM (512MB).


I will look into adding a syslog mechanism.

Scott


Re: [pfSense-discussion] IDS yet?

2006-10-04 Thread Scott Ullrich

Snort requires 1.0-RC3.

On 10/4/06, Donald Pulsipher [EMAIL PROTECTED] wrote:


I tried to install the snort package but get an error. This was on my Soekris 
embedded box with the embedded version 1.0-RC1a.

Here is the output :
-
Installation of snort FAILED!
Downloading package configuration file... failed!

Installation aborted.

Installation halted.
-

Do I need to do something to the installed embedded version to allow it to 
install packages? Or am I SOL because it's embedded?

-Don

On Wed, 4 Oct 2006 11:07:15 -0500, Bill Marquette [EMAIL PROTECTED] wrote:
 On 10/4/06, Holger Bauer [EMAIL PROTECTED] wrote:
 No, it sees everything. For example running at my WAN though nearly
 everything is blocked it detects portscans too and will block this IP (if
 enabled) so it can't start a bruteforce against my open ports. If you are
 lucky it will even block the intruder before it reaches open ports on your
 system for example :-)


 To be fair, ONLY stateless signatures (or signatures of attacks that
 only need one packet to do the damage) and the port scan engine can
 make any kind of detection on traffic blocked at the firewall.  But
 hey, who really cares that someone is trying some uber attack against
 you if there's nothing listening?  If you want to know that, I'm
 afraid you need a honeypot.

 --Bill




Re: [pfSense-discussion] IDS yet?

2006-10-04 Thread Scott Ullrich

SH.   Don't tell anyone this. ;)

Scott


On 10/4/06, Donald Pulsipher [EMAIL PROTECTED] wrote:


The /pkg_mgr.php and related files are still in the www directory, I just 
pointed to them in my url.

If I upgrade to RC3, is there an easy way to change the embedded image to 
support packages ? Otherwise I could always just compile and install snort 
myself I guess.

Thanks for your replies.

BTW, pfSense completely rocks. I love it. I've been running it on Soekris 
hardware for about 2 years now. The only feature I was waiting for was IDS.

-Don

On Wed, 4 Oct 2006 12:00:51 -0500, Bill Marquette [EMAIL PROTECTED] wrote:
 On 10/4/06, Donald Pulsipher [EMAIL PROTECTED] wrote:

 I tried to install the snort package but get an error. This was on my
 Soekris embedded box with the embedded version 1.0-RC1a.

 Two problems here.
 1. RC1 is ancient, the snort package only works on RC3 and above
 2. Embedded doesn't support packages, either we still had that in RC1
 (unlikely) or you've bypassed those checks somehow

 --Bill




Re: [pfSense-discussion] add support for per-user bandwidth limitation

2006-10-04 Thread Scott Ullrich

This is not feasible.  Dummynet (which is what is used on the CP) is
not compatible with PF due to a rdr bug of some sort.

The problem has been brought up on the FreeBSD lists but nobody is
interested in fixing it.

Scott


On 10/4/06, Jan-Patrick Perisse [EMAIL PROTECTED] wrote:

Jonathan De Graeve has implemented this nice feature and they are
working on monowall 1.23b1. Has anyone tried or is willing to implement
them into pfsense captive portal?
If someone can show me the way on that, I am willing to help and maybe
to do all the job.

At the time, I am using m0n0wall for that, but I miss the other
functionalities of pfSense.

--

AEON TECHNOLOGIES
(21) 2705-3139
http://www.aeon.com.br







Re: [pfSense-discussion] FTP Helper on WAN - bug?

2006-10-03 Thread Scott Ullrich

On 10/3/06, Peter Allgeyer [EMAIL PROTECTED] wrote:

On Tuesday, 03.10.2006, 09:09 -0400, Scott Ullrich wrote:
 I am telling you how to solve your problem now, not long term.  I
 agree that the FTP system is a mess.
Ok, fine, how? At the moment I start ftpsesame by hand after
booting up the firewall (which gladly isn't so often).


With the afterfilterchangeshellcmd command.  It is run every time a
filter change occurs as the last item.  So you can override *ANYTHING*
the system does including launching your own scripts or launching a
custom ftpsesame process.


 Sounds good.  If you want to submit patches, feel free.  I am focused
 on getting on 1.0 out the door then I plan on taking a vacation for a
 bit but will be happy to review a patch.
So I'll wish you happy holidays.

BTW: It was a question to all devs here. Anyone else? I'm especially
looking for a solution to point 3). Maybe someone might know a good way
to implement this.


I cannot think of any way to cleanly solve this problem.   In addition
the entire FTP situation has me a little burned out at this point.  I
just want to get 1.0 out the door, relax a bit then revisit the
problem for a future version.

However, don't let me distract you from trying.  If you can figure out
a solution I am all ears.

Scott


Re: [pfSense-discussion] FTP Helper on WAN - bug?

2006-10-03 Thread Scott Ullrich

On 10/3/06, Peter Allgeyer [EMAIL PROTECTED] wrote:

Hi Scott, hi Bill!

On Tuesday, 03.10.2006, 10:05 -0400, Scott Ullrich wrote:

 With the afterfilterchangeshellcmd command.  It is run every time a
 filter change occurs as the last item.  So you can override *ANYTHING*
 the system does including launching your own scripts or launching a
 custom ftpsesame process.
No, as I told you already, the system_start_ftp_helpers() is launched
_after_ filter_configure_sync in /etc/rc.bootup. And ftpsesame is killed
by killall in system_start_ftp_helpers() after being started in
filter_configure_sync :-( So, you can see, that the
afterfilterchangeshellcmd command isn't any solution for that problem.
When I'm posting lines of source code, you can believe me that I have
bravely taken a look at it ;-)


Yes, but the filter reloads yet again on final bootup, and it is the
final thing to run, and you could work your magic at this point.


OK, I'll write my own code, since I'm experienced enough. I wanted a
clean solution for all users, but that's apparently not the goal here.
People will further cry at the forum that ftp isn't working. I do know
the reason why and now you know too.


The goal here is to satisfy 99% of the users, which we have done.   If
someone really wants a FTP server on their dmz, then they can open up
the port range that is required by the FTP server.


 I cannot think of any way to cleanly solve this problem.   In addition
 the entire FTP situation has me a little burned out at this point.  I
 just want to get 1.0 out the door, relax a bit then revisit the
 problem for a future version.
Yes FTP is a shame. But it's used in many places and the solution isn't
to tell people not to use it (though I'm of the same opinion as Bill is,
don't use bad protocols over a FW). And think of the other badly
designed (in the case of firewalls) protocols like SIP, PPTP, many
meeting/collaboration protocols ...

BTW: I do love the way the netfilter connection tracking modules in
linux are solving that problem and don't know any reason why that code
isn't adapted by the pf devs. There must be any reason for not using
such an API. I'll have to search why. Maybe you can give me a link.


Maybe because it's Linux?  FreeBSD != Linux, but I am sure you know this.


 However, don't let me distract you from trying.  If you can figure out
 a solution I am all ears.
I'll try to find one that will fit 99.999% of all users. Point 3) isn't
solved and I do not know how, but give me some time.


See above, DMZ's should simply punch the port range open on the firewall.

Scott


Re: [pfSense-discussion] IDS yet?

2006-10-03 Thread Scott Ullrich

On 9/20/06, Scott Ullrich [EMAIL PROTECTED] wrote:

There is no IDS package with no intention on creating one.  We are
waiting for you all to step up to the plate.


I somewhat lied about this.  For some reason after seeing your post
something clicked in my head and I spent a good 35 hours on a IDS
package.

Upgrade to 1.0-RC3a and you will now find Snort in our packages area.

Scott
PS: it appears that I also have a sponsor for the package.  Will post
more information once I secure the funds.


Re: [pfSense-discussion] FTP Helper on WAN - bug?

2006-10-02 Thread Scott Ullrich

You want to use:

 o afterfilterchangeshellcmd

http://pfsense.blogspot.com/2005/06/new-xml-system-tag-introduced.html

Scott




On 10/2/06, Peter Allgeyer [EMAIL PROTECTED] wrote:

On Sunday, 01.10.2006, 19:33 -0400, Scott Ullrich wrote:
 We already run ftp-sesame for bridged interfaces.

And yes, you are killing any running ftpsesame processes at
system_start_ftp_helpers() in config.inc line 1338ff. This makes it
impossible to keep it running while started through shellcmd. Do you
think, that we can safely put it in front of starting a new ftpsesame
process on line 1372?. BTW: That's a good starting point to think about
why it has to be killed anyway. Maybe because that function is called by
reload_all_sync(). I'm not sure, but that would be reasonable.

Possibly it makes sense to not use killall and instead to keep the PID
of ftpsesame in /var/run, for killing only those processes started by
system_start_ftp_helpers().

BR, PIT
--
Peter Allgeyer (Dipl.-Inform. Univ.)
Protec.t Informationstechnologie

http://www.protec-t.de

Phone  +49 (0) 8623-919825
Fax+49 (0) 8623-919826
Mobile +49 (0) 173-2139076


---
 copyleft(c) by |   _-_ Linux: The OS people choose without
 Peter Allgeyer | 0(o_o)0   $200,000,000 of persuasion.   -- Mike Coleman
---oOO--(_)--OOo---
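The PID-file approach proposed in the message above, as an added example that is not pfSense's code and not from the thread: a start/stop pair that records the PID of each helper it launches and on stop signals only that PID, so a copy of the same binary started by hand survives where "killall" would take it down too. The run directory under TMPDIR (instead of /var/run), the helper names and the use of an arbitrary command in place of the real ftpsesame or pftpx command line are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not pfSense code): manage FTP helper processes through
# PID files so that stopping the helpers this script started never
# touches a copy of the same binary launched by hand, which is exactly
# what "killall ftpsesame" would do. Assumptions for the demo: the
# command passed to start_helper stands in for the real ftpsesame/pftpx
# command line, and PID files live under TMPDIR rather than /var/run.
RUN_DIR="${RUN_DIR:-${TMPDIR:-/tmp}/ftphelper-demo.$$}"

# start_helper NAME CMD [ARGS...]: launch CMD in the background and record
# its PID in NAME.pid; a second call while it is still alive is a no-op.
start_helper() {
    name="$1"; shift
    mkdir -p "$RUN_DIR"
    pidfile="$RUN_DIR/$name.pid"
    if [ -f "$pidfile" ] && kill -0 "$(cat "$pidfile")" 2>/dev/null; then
        return 0
    fi
    "$@" &
    echo "$!" > "$pidfile"
}

# stop_helper NAME: terminate only the PID recorded in NAME.pid, reap it,
# and remove the PID file. Unknown or stale names are ignored.
stop_helper() {
    pidfile="$RUN_DIR/$1.pid"
    [ -f "$pidfile" ] || return 0
    pid="$(cat "$pidfile")"
    if kill -0 "$pid" 2>/dev/null; then
        kill "$pid"
        wait "$pid" 2>/dev/null || true   # reap it if it was our child
    fi
    rm -f "$pidfile"
}

# helper_running NAME: succeed if the recorded PID is still alive.
helper_running() {
    pidfile="$RUN_DIR/$1.pid"
    [ -f "$pidfile" ] && kill -0 "$(cat "$pidfile")" 2>/dev/null
}

# list_helpers: one "NAME PID" line per PID file, e.g. for a status page.
list_helpers() {
    for f in "$RUN_DIR"/*.pid; do
        [ -f "$f" ] || continue
        n="${f##*/}"; n="${n%.pid}"
        printf '%s %s\n' "$n" "$(cat "$f")"
    done
}
```

Calling stop_helper before start_helper for each interface is what makes a filter reload idempotent: the helper started by the reload is replaced, and anything started outside the script (a hand-launched ftpsesame with its own -p source address, for instance) is left alone because its PID is never recorded.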





Re: [pfSense-discussion] FTP Helper on WAN - bug?

2006-10-01 Thread Scott Ullrich

On 10/1/06, Peter Allgeyer [EMAIL PROTECTED] wrote:

Hi all!

I do know of that problem since RC1 (possibly the first version I tried
it). It hasn't been fixed in 1.0-SNAPSHOT-09-27-06. Since there are some
tweaks with it I wanted to discuss about it before writing a bug report.

The main problem is, that it seems, that the FTP-Helper for the WAN
interface is never started. The second one, that it isn't possible to
give the FTP-Helper another source IP-address than that of the interface
it's enabled for.

The FTP-Helper (pftpx) is started from system_start_ftp_helpers() in
config.inc line 1363ff. It first builds an array to work with. That
array contains only the LAN and the OPT interfaces, not WAN interfaces.
In a loop over that array ($iflist) the FTP-Helper is started if
$disableftpproxy isn't set for the interface. If no IP address is bound
to the interface, ftpsesame is used. Correct me if I'm wrong, but that
can only happen, if the interface is the WAN interface.

To sum up: In system_start_ftp_helpers() the FTP-Helper isn't started
for the WAN interface.


Yes it is, it is started out of the NAT redirect section.  Here is an example:

proxy 597  0.0  0.1   656   232  ??  Ss   18Sep06   0:11.64
/usr/local/sbin/pftpx -f 10.0.0.180 -b XXX..81.16 -c 21 -g 21

Pftpx listens on the external address, port 21 and forwards (in this
case) all ftp related items it sees to 10.0.0.180.


I searched further and found some code in filter_nat_rules_generate(),
in filter.inc, line 529ff.

Here, the nat-anchor is defined firstly, then the anchor for redirects.
Next the same as above: An array is build to work with (w/o an entry for
the WAN interface) and in a loop the redirection rules for the
FTP-Helper are created (line 713ff).

In 818ff the FTP-Helper is started for interfaces with port-forwarding
which don't have $disableftpproxy set. If the FTP-server isn't
configured with port forwarding on the WAN interface (because it has a
routable address), the FTP-Helper isn't started for it.

Now my question: is this correct? How am I able to connect to my public
routable FTP-server in the DMZ and do FTP data connections to it?

The second item is a problem with our (bad) network design: Between the
internet router and the FW there is a private transfer net
(10.0.0.0/24). Therefore our FW has a private external (WAN) IP address.
The hosts in the DMZ are fully routable and do have a public IP address,
so the pfsense box has one too. Internal IP addresses are private ones.
To make ftp work from inside to outside, I have to start the FTP-helper
with a public reachable IP address as source IP, but pfsense launches
the FTP-Helper with the WAN IP address as source. What I want to do is
launching the FTP-Helper with my own proxy source IP (that from the DMZ
interface in my case). pftpx gives me the following option for that:

-p address
 Proxy source address.  The proxy will use this as the
 source address to connect to servers.

So is it possible to configure another source IP for pftpx anywhere in
pfsense? A hidden option for that seldom case (maybe it's also an
advantage in case of virtual IPs - carp for example) would be fine.


Use shellcmd.

Scott


Re: [pfSense-discussion] FTP Helper on WAN - bug?

2006-10-01 Thread Scott Ullrich

Use CARP.

On 10/1/06, Peter Allgeyer [EMAIL PROTECTED] wrote:

Hi Scott!

On Sunday, 01.10.2006, 21:09 +0200, Peter Allgeyer wrote:
 But that only works with port forwarding, right? What about an FTP
 server listening on 62.13.14.55 instead of 10.0.0.180? Ok, I can try to
 configure a redirection rule (port forwarding) for that. Does it also
 work for more than one FTP-server?

 Iface  Ext IPExt Port  Nat IP   Local Port
 WAN62.13.14.55   2162.13.14.55  21
 WAN62.13.14.56   2162.13.14.56  21
 WAN62.13.14.57   2162.13.14.57  21

 Have to test this, but don't think that it'll work, because the
 FTP-Helper always tries to listen to 127.0.0.1:21. You'll get a bind
 failed: port or address already in use.

The right error message is:
pftpx: bind failed: Can't assign requested address

pftpx has to bind a listener on Ext IP. A virtual IP isn't enough in
this case.

Bad thing ...

Anyone knows a solution for that problem?

BR, PIT


---
 copyleft(c) by |   stab_val(stab)-str_nok = 1; /* what a
 Peter Allgeyer |   _-_ wonderful hack! */   -- Larry Wall in stab.c
| 0(o_o)0   from the perl source code
---oOO--(_)--OOo---





Re: [pfSense-discussion] FTP Helper on WAN - bug?

2006-10-01 Thread Scott Ullrich

We already run ftp-sesame for bridged interfaces.

Scott


On 10/1/06, Peter Allgeyer [EMAIL PROTECTED] wrote:

Hi Scott!

No, CARP isn't the answer (I saw your posting in the FAQ already). We
are using CARP for HA already (and that IMHO should be the only reason
for anyone to use CARP at all).

The right answer is: use ftpsesame

From http://www.sentia.org/projects/ftpsesame/:
--- schnipp---
In general, ftpsesame is a good choice to run on a firewall in front of
multiple FTP servers, where no NAT is involved.

ftp-proxy(8) is usually the best choice when users behind NAT need to
access FTP servers on the Internet. [...]
--- schnapp---

The solution is to use ftpsesame where NAT isn't needed. Is there any
good way to find out when this is the case? Would drop down list with an
explanation -- like the one from above? -- on interfaces_wan.php be
enough? We could call it:

--- schnipp---
FTP Helper
[x] Enable userland FTP-Proxy application
   | use ftpsesame
   v use ftp-proxy

Note:
In general, ftpsesame is a good choice to run on a firewall in front of
(multiple) FTP server(s), where no NAT is involved.

ftp-proxy is usually the best choice when the FTP server lies behind a
NAT device. You'll need to configure port forwarding for that.
--- schnapp---

I'll take some time tomorrow to test ftpsesame on our productive system.

BR, PIT


---
 copyleft(c) by |   _-_ World domination. Fast (By Linus Torvalds)
 Peter Allgeyer | 0(o_o)0
---oOO--(_)--OOo---





Re: [pfSense-discussion] Tutorial - configuring the captive portal with the integrated user manager

2006-09-28 Thread Scott Ullrich

On 9/28/06, Richard Davis [EMAIL PROTECTED] wrote:



I was looking at the pfSense tutorial section and tried to connect to
configuring the captive portal with the integrated user manager .
All I got was dead links.  Does anybody know if this is a good tutorial and
if it is where can I get it?


The tutorials are flash based.


Re: [pfSense-discussion] Nat reflection

2006-09-20 Thread Scott Ullrich

On 9/20/06, Chris Godwin [EMAIL PROTECTED] wrote:

I have several 1:1 nat mappings (replacing a pix). How do I get nat
reflection to work. There's a check box that disables it but I do not
have it checked. Also I've noticed that there is a note under the
checkbox that say it only works for portforward type items. Is there I
way I can create my own nat reflection rules?



Reflection is covered here:

http://faq.pfsense.com/index.php?action=artikel&cat=8&id=29&artlang=en&highlight=reflection

It's not supported for 1:1 but you may be able to wrap port forwards
on top of the 1:1 to achieve what you are looking for.


Re: [pfSense-discussion] Proxy arp

2006-09-18 Thread Scott Ullrich

On 9/18/06, Chris Godwin [EMAIL PROTECTED] wrote:


I cannot get proxy arp to work, nor can I get VIP's to work as type other.
Carp vip's work but when I add more than a few I get a kernel panic. Can
anyone point me in the right direction to posts either here or in the forum
on this issue so that I may get it resolved?


Reset arp cache on crisco gear, etc.


Re: [pfSense-discussion] Proxy arp

2006-09-18 Thread Scott Ullrich

On 9/18/06, Chris Godwin [EMAIL PROTECTED] wrote:

Really? I just downloaded the newest RC2 today. I'll try it. What
constitutes a invalid configuration?


No, you need a newer snapshot:

http://www.pfsense.com/~sullrich/1.0-SNAPSHOT-09-12-06/

Not reusing the vhid, adding an ip that is outside of the subnet of
the real interface ip's, etc.

Scott


Re: [pfSense-discussion] Proxy arp

2006-09-18 Thread Scott Ullrich

On 9/18/06, Chris Godwin [EMAIL PROTECTED] wrote:

Still get a panic after trying to add more than 4 vips. Then my box gets
thrown into an infinite fsck and panic. Took single user mode to
recover.


It really shouldn't.  What are the IP's that you are adding and what
adv skew, vhid, did you use?   If I can duplicate the problem I can
get a trace and send it over to the CARP developers.

Scott


Re: [pfSense-discussion] OpenVPN auth-ldap plugin?

2006-09-07 Thread Scott Ullrich

On 9/7/06, Nathan Osborne [EMAIL PROTECTED] wrote:

The auth-ldap plugin for OpenVPN looks very interesting.  Has anyone taken a
look at this for inclusion in pfSense?  Authentication against Active
Directory seems like a key feature that could help OpenVPN to replace PPTP
once and for all.

http://dpw.threerings.net/projects/openvpn-auth-ldap/

From the site:
The OpenVPN Auth-LDAP Plugin implements username/password authentication
via LDAP for OpenVPN 2.x. It also includes some integration with the OpenBSD
packet filter, supporting adding and removing VPN clients from PF tables.


It has been tossed around a few times but nobody has done the work.
If someone is interested in adding support for this please do so and
provide patches and I'll be happy to commit.

Scott


Re: [pfSense-discussion] Dynamic DNS - no password encryption

2006-08-29 Thread Scott Ullrich

On 8/29/06, DarkFoon [EMAIL PROTECTED] wrote:

I was looking through my XML configuration recently, and I noticed that my
Dynamic DNS password is not encrypted like the PFsense password is.
It seems to me that this is a rather important password and should be
encrypted (if possible).


http://faq.pfsense.com/index.php?action=artikel&cat=1&id=37&artlang=en&highlight=encrypted

Refer to mailing list history for juicy flame wars.  We are not going
there again.


Re: [pfSense-discussion] FreeBSD LSI Logic fixes for VMware

2006-08-18 Thread Scott Ullrich

On 8/16/06, Dmitry Sorokin [EMAIL PROTECTED] wrote:

I'm not sure how you did that, but ESX Server doesn't support IDE Hard Drives
(neither physical nor virtual). So your VM with IDE Virtual disk just wouldn't
run on ESX Server (it's not FreeBSD related, just any OS).
Maybe you moved the VM to GSX or VMware Server?


Please test http://www.pfsense.com/~sullrich/pfSense-RC2f-ESX.iso

I've just verified that it works on ESX 3.

Scott


Re: [pfSense-discussion] Hamachi and PFSense

2006-08-18 Thread Scott Ullrich

On 8/18/06, Chris Godwin [EMAIL PROTECTED] wrote:





Hello All,



My name is Chris. I use Hamachi which is supposed to be a zero conf vpn
solution. I am having this problem: when creating a 1:1 bimap from my wan's
interface to my local pc I can use hamachi fine… I can connect to the
hamachi server and then create dynamic tunnels to the hosts in my hamachi
network. If I open a ping to one of these hosts the requests go out and come
back in with no problem. If I disable the bimap while pinging, the pings
still come through. If I disconnect and reconnect hamachi after the bimap
has been deleted the hosts become unreachable yet I still can login to
hamachi's server and see the host list. I tried enabling the magick option
in hamachi to specify the port however that doesn't work. Has anyone
experienced this?


Please see the Hamachi thread in the forum.


Re: [pfSense-discussion] source-hash and sticky-address in pf pools

2006-08-17 Thread Scott Ullrich

On 8/17/06, Raja Subramanian [EMAIL PROTECTED] wrote:

Hi,

I have a pfSense box with 5 wan links, 1 wan and 1 dmz and
the load balancing and policy based routing in pfSense is
simply fantastic.

The one missing feature that I would like to see, is the ability to
specify the source-hash or sticky-address option in pf pools.
With this, I would be able to load balance troublesome websites
and protocols (eg. pptp) instead of pushing them all through the
default gateway.

I noticed that Bill M's pf sticky patches to slbd got included circa
Beta2.  Will we be able to use this feature anytime soon?


Simply touch /var/etc/use_pf_pool__stickyaddr


From vsvc_rules.c:

vsvc_rules.c:   if(fexist("/var/etc/use_pf_pool__stickyaddr") == 1) {


Scott


Re: [pfSense-discussion] source-hash and sticky-address in pf pools

2006-08-17 Thread Scott Ullrich

On 8/17/06, Bill Marquette [EMAIL PROTECTED] wrote:

slbd isn't used for gateway balancing, just for monitoring the
gateways.  The sticky patches that Scott committed (not me) were for
server load balancing.


My apologies, I thought he was talking about incoming load balancing.


Re: [pfSense-discussion] source-hash and sticky-address in pf pools

2006-08-17 Thread Scott Ullrich

On 8/17/06, Heath Henderson [EMAIL PROTECTED] wrote:

Thanks,  I might hit you up for that script when I get to it.

I have a DSL/Cable modem setup(2 WAN) 1 DMZ and 1 LAN. I am getting ready to
setup.  I haven't worked with this before, and the routing tables are a bit
confusing the first time through.  I think I have the basics though.


Please share the script.  It may be something we can turn into a
package depending on how it looks and works, etc.


Re: [pfSense-discussion] Problem with ipsec

2006-08-09 Thread Scott Ullrich

On 8/9/06, Carlos Julio Sánchez [ACC-SIS]
[EMAIL PROTECTED] wrote:





Hello!

anybody can help me please?



I have an error when I set up vpn with ipsec, my computer A have pfsense and
my computer B have Centos(Linux)



In the ipsec logs I have:

racoon: ERROR: failed to get sainfo.

racoon: ERROR: failed to get sainfo.

racoon: ERROR: failed to pre-process packet.

racoon: INFO: purging ISAKMP-SA
spi=00bc15f02e56a4a5:69e1cebf2efd8757.

racoon: INFO: purged ISAKMP-SA
spi=00bc15f02e56a4a5:69e1cebf2efd8757.

racoon: INFO: ISAKMP-SA deleted xxx.xxx.xxx.xxx [500]- xxx.xxx.xxx.xxx [500]
spi:00bc15f02e56a4a5:69e1cebf2efd8757



in the logs of computer B I have:



Aug  9 16:15:08 actibts1 racoon: NOTIFY: couldn't find the proper pskey, try
to get one by the peer's address.

Aug  9 16:15:08 actibts1 racoon: INFO: ISAKMP-SA established
xxx.xxx.xxx.xxx[500]-xxx.xxx.xxx.xxx[500]
spi:00bc15f02e56a4a5:69e1cebf2efd8757

Aug  9 16:15:09 actibts1 racoon: INFO: initiate new phase 2 negotiation:
xxx.xxx.xxx.xxx[0]<=>xxx.xxx.xxx.xxx[0]

Aug  9 16:15:39 actibts1 racoon: INFO: IPsec-SA expired: AH/Transport
xxx.xxx.xxx.xxx->xxx.xxx.xxx.xxx spi=35812955(0x222765b)

Aug  9 16:15:39 actibts1 racoon: WARNING: the expire message is received but
the handler has not been established.

Aug  9 16:15:39 actibts1 racoon: ERROR: xxx.xxx.xxx.xxx give up to get
IPsec-SA due to time up to wait.


Double check your phase 2 settings on both hosts.  There is a mismatch
somewhere.

Scott


Re: [pfSense-discussion] ipv6 stuff

2006-08-07 Thread Scott Ullrich

On 8/3/06, Nick Buraglio [EMAIL PROTECTED] wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Is there an easy way to get the pfsense gui to see a gif interface that
I create manually?  I'm working on some v6 stuff via a public v6
delegation (and a tunnel) and want to be able to use the gui of the rule
generation if possible.  If not I can probably manipulate the pf rules
manually or just swap out temporarily to a plain jane freebsd box while
I work on it.


Edit /etc/inc/util.inc and search for get_interface_list

Once you locate this portion remove:

'gif',

Then resave the file and you should be all set.   You can now assign
the gif interface to a pfSense interface if you wish.

Scott


Re: [pfSense-discussion] xorp

2006-08-02 Thread Scott Ullrich

On 3/6/06, Scott Ullrich [EMAIL PROTECTED] wrote:

You would need to start from ground 0 with this.   Its meant to be a
router and does not have PF, etc.   Nor does it have CARP, nor does it
have insert another feature here.

XORP is a great project but to integrate it would mean to start over
and lose 99% of the features that make pfSense great IMHO.


Well I have learned that XORP may work with pfSense.  We may consider
this for down the road after all.

Scott
PS: anyone with XORP experience, please get in touch with me.


Re: [pfSense-discussion] Limiting access through table virusprot

2006-07-27 Thread Scott Ullrich

On 7/26/06, Peter Allgeyer [EMAIL PROTECTED] wrote:
[snip]

There's another table for sshlockout, but it's not referenced anywhere
in a ruleset. Don't know, if useful for anything, nor if it's a stub
already for a general solution to SSH brute force attacks.


This works with our ssh lockout utility that was broken up until a few
weeks ago.  If someone tries to login via SSH and enters a wrong
password that person should immediately be blocked from ssh.

Scott
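An added example, not the pfSense ssh lockout utility and not code from the thread: the detection half of such a lockout, run over constructed auth-log lines, producing the pfctl table additions that would feed the <sshlockout> table named above. The sample log lines are constructed, and the THRESHOLD variable is an assumption (set it to 1 for the block-on-first-wrong-password behaviour Scott describes; it defaults to 3 here so the sample shows one address above and one below the line).

```shell
#!/bin/sh
# Added example, not pfSense's sshlockout utility: count failed sshd
# logins per source address in auth log lines and print the pfctl
# command that would add each offender to the <sshlockout> pf table.
# THRESHOLD (assumed, default 3) is the number of failures that earns a
# lockout; with THRESHOLD=1 the first wrong password is enough.
THRESHOLD="${THRESHOLD:-3}"

# sshlockout_candidates < authlog: one IP per line that failed THRESHOLD
# or more times. Matches OpenSSH's "Failed password/publickey for ... from
# <ip> port <n>" lines, including the "invalid user" variant.
sshlockout_candidates() {
    awk -v limit="$THRESHOLD" '
        /sshd\[[0-9]+\]: Failed (password|publickey) for/ {
            # the source address is the field right after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i+1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= limit) print ip }
    ' | sort
}

# sshlockout_commands < authlog: the pfctl lines a lockout script would run
# (printed rather than executed so the demo runs without pf or root).
sshlockout_commands() {
    sshlockout_candidates | while read -r ip; do
        printf 'pfctl -t sshlockout -T add %s\n' "$ip"
    done
}

# Constructed sample log lines (documentation addresses, not real traffic):
# 203.0.113.7 fails three times, 198.51.100.4 once, 192.0.2.10 succeeds.
SAMPLE_LOG='Jul 26 10:00:01 fw sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jul 26 10:00:03 fw sshd[1203]: Failed password for root from 203.0.113.7 port 51023 ssh2
Jul 26 10:00:05 fw sshd[1205]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Jul 26 10:00:09 fw sshd[1207]: Failed password for admin from 198.51.100.4 port 40000 ssh2
Jul 26 10:00:12 fw sshd[1209]: Accepted publickey for admin from 192.0.2.10 port 40100 ssh2'

# Demo: print the pfctl commands for the sample log.
printf '%s\n' "$SAMPLE_LOG" | sshlockout_commands
```

Populating the table is only half of it: an address in <sshlockout> is blocked only if a rule references the table (for example "block in quick proto tcp from <sshlockout> to any port 22"), so the observation in the quoted message that the table is not referenced anywhere in the ruleset is worth checking on the running box with "pfctl -sr | grep sshlockout" before relying on the lockout.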

