Re: [pfSense Support] 0.70.2 ???

2005-07-17 Thread Bill Marquette
Try http://www.pfsense.com/downloads/pfSense-Full-Update-0.70.2.tgz
and another useful URL :)  http://www.pfsense.com/downloads/

On 7/17/05, David Strout [EMAIL PROTECTED] wrote:
 I saw the post on the BLOG about ver 0.70.2 
 but can seem to find it on the updates link or in
 the downloads directory at http://www.pfsense.com/
 
 Am I missing something???
 
 --
 David L. Strout
 Engineering Systems Plus, LLC
 
 
 
 
 -
 To unsubscribe, e-mail: [EMAIL PROTECTED]
 For additional commands, e-mail: [EMAIL PROTECTED]
 





Re: [pfSense Support] Re: [BULK] AW: [pfSense Support] carp array

2005-07-18 Thread Bill Marquette
Yikes...why aren't you using proxy arp?  At any rate, carp will work
for that too - it'll be somewhat noisy, but'll work just fine.  In
fact...what the hell I recommend it, there, I said it...;-P

--Bill

On 7/18/05, ijez [EMAIL PROTECTED] wrote:
 Hi,
 
 
 1. config all your public IPs as CARP-IPs, so the pfsense will answer them 
 on wan
 
 
 Sorry to ask, it is possible for me to do this for replacing IP Aliases? 
 currently i'm have to manually edit config.xml to include all those Public IP 
 that i have under shellcmd so that my WAN interfaces will answer to all my 
 public IP and port forward to my server on DMZ with private IP set ( 
 192.168.0.x )
 
 Please shed me some light on this and thanks in advances,
 
 
 Regards,
 
 
 
 
 





Re: [pfSense Support] round robin on inbound nat

2005-07-21 Thread Bill Marquette
On 7/21/05, alan walters [EMAIL PROTECTED] wrote:
  
  
 
 I would like to try and test an inbound round robin to our test web servers.

This isn't currently a feature, it's being worked on.

 
 Would it be possible to put a shell command In to do this. 
 

Please tell me if you figure something out that's easier than me writing code.

   
 
 If so would this sync across a carp array. 
 

Not at this time.

   
 
 Look forward to your replies 
 
   
  
 





Re: [pfSense Support] traffic shaper queues scheduler options

2005-07-25 Thread Bill Marquette
Use the EZ-Shaper wizard.  It will do exactly what you want.

--Bill

On 7/24/05, Xtian [EMAIL PROTECTED] wrote:
 
 Hi,
 
 I have done my best to read the FAQs, documentation, and mailing list
 archives for both pfSense and Monowall, and have not found any information on
 this, hence I am asking here. If I overlooked something, please point me
 to the information. Thanks!
 
 pfSense has no documentation for the traffic shaper. Since the traffic shaper
 is significantly different than that of Monowall's, the Monowall
 documentation (which is also non-existent, but there is one example in their
 mailing list archives on how to prioritize ACKs) doesn't directly apply.
 
 Specifically, in Firewall: Shaper: Queues: Edit, what do the following fields
 or check boxes in the Scheduler options section mean:
 
 This is a parent queue of HFSC/CBQ
 Upperlimit: [field] [field] [field]
 Real time: [field] [field] [field]
 Link share: [field] [field] [field]
 
 How are they to be set?
 
 If I were to be more specific: I wish to prioritize interactive SSH traffic
 above all else (such that FTP, bittorrent, etc., do not create such massive
 lag in my SSH sessions.)
 
 If you tell me about the Scheduler options I am sure I can figure it out on
 my own, but if you want I would also be glad for information specific to the
 SSH question.
 
 Perhaps this could be added to the pfSense documentation? Or tutorials? I
 think that besides firewalling and routing, traffic shaping must be the most
 used feature in pfSense. Documentation would be highly welcome.
 
 Thanks,
 
 -Christian
 
 





Re: [pfSense Support] traffic shaper queues scheduler options

2005-07-25 Thread Bill Marquette
On 7/25/05, Christian Rohrmeier [EMAIL PROTECTED] wrote:
 I haven't found that to be true. It doesn't create any rules for SSH.
 pfSense has a wide selection of games and P2P software that it will make
 rules and queues for, but not SSH, unless I overlooked something.
 Certainly trying to SSH whilst FTPing a large suffered from the same
 massive lag as always.

SSH sets the TOS lowdelay bit on all its ACKs, so non-bulk SSH should
by default go into the ACK queue.  Any chance you were saturating your
downstream with ACKs, which would force SSH and FTP to then compete
within the same queue?

 I would still like to know what the 6 fields in the traffic shaper
 scheduler are for though!

I'll update the code with comments, in the meantime, from the pf.conf man page:
 The hfsc scheduler supports some additional options:

 realtime _sc_
 The minimum required bandwidth for the queue.

 upperlimit _sc_
 The maximum allowed bandwidth for the queue.

 linkshare _sc_
 The bandwidth share of a backlogged queue.

 sc is an acronym for service curve.

 The format for service curve specifications is (m1, d, m2).  m2 controls
 the bandwidth assigned to the queue.  m1 and d are optional and can be
 used to control the initial bandwidth assignment.  For the first d mil-
 liseconds the queue gets the bandwidth given as m1, afterwards the value
 given in m2.

The boxes correspond to m1, d, m2 in that order (except m1 and d are
not optional with pfsense).
--Bill


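The (m1, d, m2) notation Bill quotes from pf.conf is easier to reason about once the three boxes are turned into a function of time. The model below is an added example by the editor, not pfSense or pf code: a service curve promises rate m1 for the first d milliseconds a queue is backlogged and m2 afterwards, so the cumulative service by time t is the area under that two-piece curve. Units (m1/m2 in kbit/s, d in ms) and the two sanity checks in check_queues (realtime never above upperlimit, realtime guarantees summing to no more than the link) are the editor's reading of the man page text above, not pf's own validation; the two queues at the bottom are a constructed illustration of the interactive-versus-bulk split Christian asked about.

```python
"""HFSC service curves as pfSense's shaper exposes them: three boxes per
curve, (m1, d, m2). Added example by the editor, not pfSense or pf code.
Units are an assumption: m1/m2 in kbit/s, d in milliseconds."""
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class ServiceCurve:
    m1: float  # kbit/s granted during the first d milliseconds of backlog
    d: float   # milliseconds
    m2: float  # kbit/s granted after d milliseconds

    def rate_at(self, t_ms: float) -> float:
        """Rate the curve promises t_ms after the queue became backlogged."""
        return self.m1 if t_ms < self.d else self.m2

    def service(self, t_ms: float) -> float:
        """Cumulative kbit promised by time t_ms (area under the curve)."""
        if t_ms <= self.d:
            return self.m1 * t_ms / 1000.0
        return (self.m1 * self.d + self.m2 * (t_ms - self.d)) / 1000.0


@dataclass(frozen=True)
class HfscQueue:
    name: str
    realtime: Optional[ServiceCurve] = None    # minimum guaranteed
    linkshare: Optional[ServiceCurve] = None   # share of leftover when backlogged
    upperlimit: Optional[ServiceCurve] = None  # hard ceiling


def check_queues(queues: Sequence[HfscQueue], link_kbps: float,
                 sample_ms: Sequence[float] = (0, 10, 100, 1000, 10000)) -> List[str]:
    """Sanity checks before committing the rules. The rules (realtime never
    above upperlimit at any sampled time, realtime m2 values summing to no
    more than the link) are the editor's assumptions, not pf's validation."""
    problems = []
    rt_total = 0.0
    for q in queues:
        if q.realtime:
            rt_total += q.realtime.m2
        if q.realtime and q.upperlimit:
            for t in sample_ms:
                if q.realtime.service(t) > q.upperlimit.service(t) + 1e-9:
                    problems.append(f"{q.name}: realtime exceeds upperlimit at {t} ms")
                    break
    if rt_total > link_kbps:
        problems.append(
            f"realtime guarantees ({rt_total:g} kbit/s) exceed link ({link_kbps:g} kbit/s)")
    return problems


# Constructed example: an interactive queue that may burst for 200 ms and
# then settles to a modest floor, next to a bulk queue with only a share.
INTERACTIVE = HfscQueue("qInteractive",
                        realtime=ServiceCurve(m1=256, d=200, m2=64),
                        linkshare=ServiceCurve(m1=0, d=0, m2=128),
                        upperlimit=ServiceCurve(m1=512, d=200, m2=512))
BULK = HfscQueue("qBulk", linkshare=ServiceCurve(m1=0, d=0, m2=384))
LINK_KBPS = 512  # assumed upstream capacity for the example
```

Running check_queues([INTERACTIVE, BULK], LINK_KBPS) returns an empty list; a queue whose realtime curve sits above its upperlimit, or whose realtime guarantees add up to more than the link, comes back with a message naming it.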


Re: [pfSense Support] 0.71.2 on WRAP

2005-07-29 Thread Bill Marquette
On 7/29/05, Scott Ullrich [EMAIL PROTECTED] wrote:
 On 7/29/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
  - I created a Virtual IP using the same IP address as my WAN interface,
  trying to get the router to accept (or redirect) ICMP (I want my system
  pingable). I failed in doing that.
   (1) How do I make my router pingable from the outside world?
   (2) In making that change above, I wasn't able to remove the
  interface. The error always said that that VIP was in use by a NAT rule. In
  order to remove it, I needed to remove all my NAT rules, delete the VIP,
  and re-enter all the NAT rules by hand. Painful!
 
 I'll let Bill chime in here but to get ICMP working you need to allow
 the protocol in the interface rules.

Hrm, I'll check this out.  I've got a code change that I need to
commit for this stuff anyway.  The VIP code does check to see if
you've used the VIP in a NAT entry (probably cause the only reason you
need a VIP is if you don't use the interface address in your NAT), I
don't see that changing.  I can probably easily add code to not allow
a VIP that is the same IP as the interface address though.

--Bill




Re: [pfSense Support] concurrent captive portal users

2005-08-02 Thread Bill Marquette
On 8/2/05, Paul Taylor [EMAIL PROTECTED] wrote:
 
 Woops - I was trying to paste this in after like so: when I accidentally
 sent the email...  :)
 
 Last 50 captive portal log entries
 Aug 2 13:44:33 LOGIN: pault, 00:50:da:b2:42:36, 192.168.1.254
 Aug 2 13:45:29 LOGIN: pault, 00:10:4b:76:91:4e, 192.168.1.253
 Aug 2 14:01:34 DISCONNECT: pault, 00:10:4b:76:91:4e, 192.168.1.253
 Aug 2 14:01:51 CONCURRENT LOGIN - TERMINATING: pault, 00:50:da:b2:42:36,
 192.168.1.254
 Aug 2 14:01:51 LOGIN: pault, 00:10:4b:76:91:4e, 192.168.1.253
 Aug 2 14:01:55 CONCURRENT LOGIN - TERMINATING: pault, 00:10:4b:76:91:4e,
 192.168.1.253
 Aug 2 14:01:55 LOGIN: pault, 00:50:da:b2:42:36, 192.168.1.254
 Aug 2 14:02:24 CONCURRENT LOGIN - TERMINATING: pault, 00:50:da:b2:42:36,
 192.168.1.254
 Aug 2 14:02:24 LOGIN: pault, 00:10:4b:76:91:4e, 192.168.1.253
 Aug 2 14:02:38 CONCURRENT LOGIN - TERMINATING: pault, 00:10:4b:76:91:4e,
 192.168.1.253
 Aug 2 14:02:38 LOGIN: pault, 00:50:da:b2:42:36, 192.168.1.254
 
 Note that I kicked the pault user at 14:01:34, then tried logging in as
 pault at 14:01:51 (after saving the code onto Monowall).  It kicked the
 other login of pault out (the .254 user) and then logged me in (.253).
 Then, we went back and forth logged each other out...  What fun!

You might also make the behaviour configurable - say, _not_ logging
the existing user out, or giving an option asking first.

--Bill


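The back-and-forth in Paul's log is easy to spot by eye once, but if the behaviour stays as it is (new login kicks the old one), the same pattern is what you would want an alert on: one account, two MACs, terminating each other in quick succession. The script below is an added example by the editor, not pfSense code. It parses the line format from the posted log (the mail client wrapped two of the lines; they are joined here) and flags a user whose sessions were force-terminated several times inside a short window. Syslog lines carry no year, so 2005 is assumed.

```python
"""Spot a captive-portal 'concurrent login' ping-pong in the log Paul
posted. Added example by the editor, not pfSense code. The line format is
taken from the posted log; the year is assumed since syslog omits it."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, List, NamedTuple, Optional

LOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<kind>LOGIN|DISCONNECT|CONCURRENT LOGIN - TERMINATING): "
    r"(?P<user>[^,]+), (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}), (?P<ip>[\d.]+)$"
)
ASSUMED_YEAR = 2005
TERMINATED = "CONCURRENT LOGIN - TERMINATING"


class Event(NamedTuple):
    when: datetime
    kind: str
    user: str
    mac: str
    ip: str


def parse_line(line: str) -> Optional[Event]:
    """One log line -> Event, or None for lines in another format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    when = datetime.strptime(f"{ASSUMED_YEAR} {m['mon']} {m['day']} {m['time']}",
                             "%Y %b %d %H:%M:%S")
    return Event(when, m["kind"], m["user"], m["mac"], m["ip"])


def find_flapping(lines: Iterable[str], window_s: int = 120,
                  min_terminations: int = 3) -> Dict[str, dict]:
    """Users force-terminated at least min_terminations times within
    window_s seconds, with the MACs that were fighting over the account."""
    by_user: Dict[str, List[Event]] = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev.kind == TERMINATED:
            by_user[ev.user].append(ev)
    flagged = {}
    for user, evs in by_user.items():
        evs.sort()
        for i in range(len(evs)):
            j = i
            while j + 1 < len(evs) and (evs[j + 1].when - evs[i].when).total_seconds() <= window_s:
                j += 1
            if j - i + 1 >= min_terminations:
                flagged[user] = {
                    "terminations": j - i + 1,
                    "macs": sorted({e.mac for e in evs[i:j + 1]}),
                    "span_s": int((evs[j].when - evs[i].when).total_seconds()),
                }
                break
    return flagged


# The log lines from Paul's message, wrapped lines joined.
SAMPLE_LOG = [
    "Aug 2 13:44:33 LOGIN: pault, 00:50:da:b2:42:36, 192.168.1.254",
    "Aug 2 13:45:29 LOGIN: pault, 00:10:4b:76:91:4e, 192.168.1.253",
    "Aug 2 14:01:34 DISCONNECT: pault, 00:10:4b:76:91:4e, 192.168.1.253",
    "Aug 2 14:01:51 CONCURRENT LOGIN - TERMINATING: pault, 00:50:da:b2:42:36, 192.168.1.254",
    "Aug 2 14:01:51 LOGIN: pault, 00:10:4b:76:91:4e, 192.168.1.253",
    "Aug 2 14:01:55 CONCURRENT LOGIN - TERMINATING: pault, 00:10:4b:76:91:4e, 192.168.1.253",
    "Aug 2 14:01:55 LOGIN: pault, 00:50:da:b2:42:36, 192.168.1.254",
    "Aug 2 14:02:24 CONCURRENT LOGIN - TERMINATING: pault, 00:50:da:b2:42:36, 192.168.1.254",
    "Aug 2 14:02:24 LOGIN: pault, 00:10:4b:76:91:4e, 192.168.1.253",
    "Aug 2 14:02:38 CONCURRENT LOGIN - TERMINATING: pault, 00:10:4b:76:91:4e, 192.168.1.253",
    "Aug 2 14:02:38 LOGIN: pault, 00:50:da:b2:42:36, 192.168.1.254",
]
```

On the posted log, find_flapping(SAMPLE_LOG) reports pault with four terminations spanning 47 seconds across two MACs, which is exactly the fight Paul describes; the thresholds are the knobs to tune once the behaviour Bill suggests (not kicking the existing user, or asking first) is configurable.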


Re: [pfSense Support] Enable 'routed'

2005-08-02 Thread Bill Marquette
On 8/2/05, Scott Muller [EMAIL PROTECTED] wrote:
 Is it possible to enable the Routing daemon (routed). Our pfsense box
 sits on a network that uses rip v2. I have manually started
 
 /sbin/routed -q   (-q means listen only)
 
 from the shell prompt but need an integrated way to do this, or is there
 a recommended alternative way to get this going.

You can use shellcmd for this
(http://m0n0.ch/wall/list/?action=show_msg&actionargs[]=135&actionargs[]=62)

--Bill




Re: [pfSense Support] Two ISP configuration

2005-08-03 Thread Bill Marquette
It sure does :)  I had an ISP failure last night, quite annoying :) 
I've now got a duplicate of all my rules with different gateways
setup.  I enable/disable the rules depending on which ISP I need/want
the traffic to head out at that time.  Can't wait 'til this weekend so
we can make all that automatic instead of manually doing it :)

So, yes to answer the unasked question...the people that know how to
fix this are getting annoyed by it too so it _will_ be fixed.  It's
not just a feature that we think would be cool so we're putting it in,
it's going to work because we want it to work for ourselves too :)

--Bill

On 8/3/05, alan walters [EMAIL PROTECTED] wrote:
 Configure opt 1 with publicips and set gateway to (LMDS).
 Configure wan the same way with yourdchp setting.
 
 Now on the lan use advanced outbound nat and 1 to nat to configure the 
 clients to there respective gateway.
 
 Nofailover but dual WAN works
 
 -Original Message-
 From: Charrua [mailto:[EMAIL PROTECTED]
 Sent: 03 August 2005 21:45
 To: Scott Ullrich
 Cc: support@pfsense.com
 Subject: Re: [pfSense Support] Two ISP configuration
 
 Great ! Thanks for your prompt reply.
 Right now I'm trying version 0.73.2.
 
 Could you please give me a hint on how to accomplish each point ?
 
 Thanks in advance,
 Andrés
 
 - Original Message -
 From: Scott Ullrich [EMAIL PROTECTED]
 To: Charrua [EMAIL PROTECTED]
 Cc: support@pfsense.com
 Sent: Wednesday, August 03, 2005 5:36 PM
 Subject: Re: [pfSense Support] Two ISP configuration
 
 
 On 8/3/05, Charrua [EMAIL PROTECTED] wrote:
  Hi
 
  I have two Internet connections from two different ISPs. Connection A is
  ADSL, connection B is another kind of broadband connection (LMDS). In
  the
  ADSL link I have 1 public ip which changes dynamically, and in the B
  connection I have 28 fixed public IP's that I can use. Each of them come
  into my network through a standard Ethernet 10BaseT connection.
 
  I would like to have the following configuration:
 
   1. A few users will be assigned public IPs (belonging to the B
  connection).
 
 This is doable.
 
  2. The rest of the users will be assigned private IPs, and their traffic
  will go out using NAT
 
 Should be ok.
 
  3. I want to route some of the users which have private IPs through
  conection A (ADSL) and other users having private IPs through the B
  connection (kind of static balance of the traffic).
 
 No load balancing available yet.   Its scheduled for the weekend.
 
  4. If there is no Internet connectivity through the B connection, I want
  that all the users with private IPs, be automatically routed through the
  A
  (ADSL) link.
 
 Not doable until after this weekend.
 
 Scott
 
 
 
 
 
 
 
 





Re: [pfSense Support] FreeRadius Package - slight security issue

2005-08-05 Thread Bill Marquette
On 8/5/05, Paul Taylor [EMAIL PROTECTED] wrote:
 While looking through the config.xml file to see if I could spot anything
 unusual (to help me fix the last issue I posted about), I noticed the
 FreeRadius config... 
 
 The problem that I saw is that the passwords are stored in clear text.  I
 would think that the passwords should be at least base64encoded for storage,
 so at least they would be as secure as the locally managed passwords, native
 to pfSense and Monowall. 

Actually, base64encoding would still be less secure (and as an
application auditor, wouldn't provide more than another 10 seconds of
delay in retrieving them) than local passwords which are one way
hashed.  I don't know anything about the FreeRadius package so I can't
comment directly on what it requires or what the passwords it stores
in our config.xml are supposed to resemble.

It's an issue, I don't know how to fix it at this point as I've never
even looked at that part of code.

--Bill




Re: [pfSense Support] FreeRadius Package - slight security issue

2005-08-05 Thread Bill Marquette
On 8/5/05, Paul Taylor [EMAIL PROTECTED] wrote:
 Bill,
 
 Well, yes, I realize that base64encoding doesn't provide much in the
 way of security...  But it's better than the data being completely in the
 clear...  I have some encryption/decryption code around here somewhere that
 could probably be used, but of course the key would have to be in the code,
 where it could be seen, so even that doesn't provide great security...

And I disagree.  base64encoding provides zero security.  Obscuring the
data is no excuse for real protection.  If we can protect it the right
way (a one way hash), we will.  Anything less than a one-way hash
means it's reversible, passwords shouldn't be reversible in any way
shape or form - I'd rather have glaring plaintext passwords reminding
me to do something about them than something that at first glance
passes muster.  I'll personally back out any commit that does a
half-ass job at it (not that I expect anyone to make such a commit).

Don't hand out your config.xml and you'll be fine.

--Bill




Re: [pfSense Support] FreeRadius Package - slight security issue

2005-08-05 Thread Bill Marquette
Get a privacy screen for your monitor.  Or get a mirror for the
monitor so you can see the corporate spies.  Or retrieve the config
file via status.php which will sanitize the passwords.  Masking the
passwords w/ base64 doesn't solve the problem and we will _NOT_
implement a half assed solution.

--Bill

On 8/5/05, Paul Taylor [EMAIL PROTECTED] wrote:
 
 Bill,
 
 Sure, if someone gets a hold of the config.xml file, no amount of
 base64encoding will stop them from getting a password.. But, if someone is
 in the same room with you looking over your shoulder while you are looking
 through the config.xml file, there is no need to give them a clear view of
 usernames and passwords.
 
 In a corporate environment, people can walk by your office or cube any
 time...  We have found ourselves in this very situation more than once...
 Having passwords in a file that we were working on in clear text, when
 someone unexpectedly dropped by..  In our situation, we are pretty
 out-of-the-way, but in most corporate environments, that just isn't the
 case...  People are crammed in cubes right next to each other, and they
 might not even be doing related jobs.
 
 Paul
 
 
 -Original Message-
 From: Bill Marquette [mailto:[EMAIL PROTECTED]
 Sent: Friday, August 05, 2005 11:17 AM
 To: Paul Taylor
 Cc: support@pfsense.com
 Subject: Re: [pfSense Support] FreeRadius Package - slight security issue
 
 On 8/5/05, Paul Taylor [EMAIL PROTECTED] wrote:
  Bill,
 
  Well, yes, I realize that base64encoding doesn't provide much in
 the
  way of security...  But it's better than the data being completely in the
  clear...  I have some encryption/decryption code around here somewhere
 that
  could probably be used, but of course the key would have to be in the
 code,
  where it could be seen, so even that doesn't provide great security...
 
 And I disagree.  base64encoding provides zero security.  Obscuring the
 data is no excuse for real protection.  If we can protect it the right
 way (a one way hash), we will.  Anything less than a one-way hash
 means it's reversible, passwords shouldn't be reversible in any way
 shape or form - I'd rather have glaring plaintext passwords reminding
 me to do something about them than something that at first glance
 passes muster.  I'll personally back out any commit that does a
 half-ass job at it (not that I expect anyone to make such a commit).
 
 Don't hand out your config.xml and you'll be fine.
 
 --Bill



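Bill's point in this thread, that base64 adds zero protection and that anything short of a one-way hash is reversible, is worth seeing side by side. The code below is an added example by the editor, not the FreeRADIUS package's code and not pfSense's local-password code: obscure_b64/recover_b64 show the proposed "masking" undone in one call, and hash_password/verify_password show the alternative Bill wants, a salted PBKDF2-SHA256 digest checked with a constant-time compare. The storage format string and the iteration count are assumptions. One caveat the thread does not reach: a RADIUS server can check a PAP password against a hash like this, but CHAP and MS-CHAP need the server to hold the plaintext (or, for MS-CHAP, the NT hash), so whether the FreeRADIUS package can move to one-way hashes depends on which methods it has to serve.

```python
"""base64 'masking' versus a salted one-way hash for stored credentials.
Added example by the editor; not the FreeRADIUS package's code, and it says
nothing about what that package actually requires."""
import base64
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000   # assumed; tune to the box's CPU budget
ALGO = "pbkdf2_sha256"  # assumed label for the storage format


def obscure_b64(password: str) -> str:
    """What the thread proposes: not encryption, just a different alphabet."""
    return base64.b64encode(password.encode()).decode()


def recover_b64(masked: str) -> str:
    """Anyone holding the config file reverses the 'masking' in one call."""
    return base64.b64decode(masked).decode()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """One-way: a fresh random salt per password, then PBKDF2-HMAC-SHA256.
    Stored as algo$iterations$salt_b64$digest_b64 (format is an assumption)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "$".join([ALGO, str(ITERATIONS),
                     base64.b64encode(salt).decode(),
                     base64.b64encode(digest).decode()])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time.
    A base64-masked value is not in this format and is rejected outright."""
    try:
        algo, iters, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != ALGO:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iters))
    return hmac.compare_digest(candidate, expected)
```

Two hashes of the same password differ because of the salt, and nothing in the stored string lets a reader recover the password; that is the difference between "reminds me to fix it" and "passes muster at first glance" that Bill is drawing.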


Re: [pfSense Support] load balancer

2005-08-08 Thread Bill Marquette
You won't find one until that work is complete. How it should work is
not how it currently works - it's a functioning work in progress.

--Bill

On 8/8/05, alan walters [EMAIL PROTECTED] wrote:
  
  
 
 Just looking for a quick blah on how the incoming load balancer should
 work




Re: [pfSense Support] ISO problems ... still

2005-08-11 Thread Bill Marquette
Hrm..I've got a GX110 sitting on my desk here that I installed FreeBSD
on just fine.  If I can dig up another HD, I'll try the install on it.

--Bill

On 8/11/05, Wesley Joyce [EMAIL PROTECTED] wrote:
 I'm in the same boat as well on Dell GX 110's.  I have followed the 'upgrade
 solution' of installing 0.68.x and upgrading from there.
 
  -Original Message-
  From: William Pflaumer [mailto:[EMAIL PROTECTED]
  Sent: Thursday, August 11, 2005 7:11 AM
  To: David Strout
  Cc: support@pfsense.com
  Subject: RE: [pfSense Support] ISO problems ... still
 
  David and List,
  I,too have not been able to do a harddrive install on my Dell Dimension
  XPS
  R300 since V 0.63 or so.(Last version that the installer functioned
  properly)
  That version had a bug with DHCP Client on the WAN Interface. I get Kernel
  Page Faults about 50% of the install will all later LiveCDs. I don't have
  specific errors, but I tried about 6 different Live CDs versions. I tried
  Bios tweaks (NO sound, NO power Management, NO USB), different memory (Ran
  Extensive memory tests),different HD,CDROM Drives, Use known good 3Com
  3c905b
  from my Monowall PC. As a New Version comes out and fails to install, I
  try
  different things (place HD and CDROM Drive on the Same IDE Channel or
  delete
  the Partition with DELPART), the list goes on and on. I tried the install
  on
  a Toshiba 300mhz Celeron and I get ATA IDENTITY issues.
 
  Someone will probably suggest install that earlier version ( I believe it
  was
  0.63) and do a manual update from there, but the way this product is
  evolving
  that idea probable will not work. I really like this firewall (been using
  Monowall since pb27) but I just cannot get this SOB to install. The
  feature I
  am waiting to see is DANSGUARDIAN WebFilter with Squid Transparent Proxy.
 
  I can post the specific errors that I receive if need be (no time to do it
  now)
 
  Thanks for this great Product,
 
  Bill
 
  -Original Message-
  From: David Strout [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, August 10, 2005 12:59 PM
  To: support@pfsense.com
  Subject: [pfSense Support] ISO problems ... still
 
  Anyone,
 
  I have tried burning all of the version 0.73.x
  ISOs, and still the problem of when you launch the
  /FreeSBIE/scripts/install.sh script it hangs on
  the Waiting for Backend ANSI screen.
  Additionally, a couple of mesages pop up on the
  bottom of the screen ... xl0 link changed state to
  DOWN & xl0 link state changed to UP.
 
  BTW ... xl0 is configured for the WAN interface on
  the ISO boot up and pre-config.
 
  I'm at a loss ... tried a few BIOS tweaks and
  nothing seems to help.  I'm wondering if anyone
  else is experiencing the same symptoms.
 
  BTW2 ... tried two different PC's: a Dell
  GX260 & a generic PC running an AMD Athlon 700MHz
 
  I have had no problems w/ prior versions (0.68.x),
  but this issue crept up in/or about the 0.73.0
  version.
 
  Any ideas ?
 
  --
  David L. Strout
  Engineering Systems Plus, LLC
 
 
 
 
 
 
 
 
 
 
 





Re: [pfSense Support] Ping issue

2005-08-12 Thread Bill Marquette
On 8/12/05, Chris Buechler [EMAIL PROTECTED] wrote:
 On 8/12/05, Bill Marquette [EMAIL PROTECTED] wrote:
  Let me guess, the hosts initiating the PING are running Windows?  I'm
  pretty sure we've recently fixed this bug.  Care to try it?
 
 
 With ipfilter 3.x (and hence m0n0wall) it doesn't matter if the hosts
 are Windows or not.  It isn't even as smart as PF's behavior prior to
 that latest patch.  Just doesn't work from multiple sources behind NAT
 no matter what.

Ahhh, didn't realize IPFilter still sucked that hard.  I've never used
it with NAT.  I thought it at least knew about the ICMPID though.

 But yes, should be completely fixed here.

:)  The patch for those that care (it's commited in OpenBSD now I think) is
http://marc.theaimsgroup.com/?l=openbsd-pf&m=112316815028454&w=2
and see
http://marc.theaimsgroup.com/?l=openbsd-pf&m=112299265510286&w=2
for an explanation of what the patch actually does.

The patch has been in since at least the hackathon, so all versions
newer than .74 should have this fixed.

--Bill


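The failure Bill and Chris are describing comes down to how the NAT keys ICMP state. An echo request has no ports; the only demultiplexing field in the reply is the Identifier, so a NAT that leaves it untouched and keys state on (destination, id) alone cannot tell two internal hosts apart once they use the same id. The toy model below is an added example by the editor, not pf's or IPFilter's code; it contrasts that naive table with one that allocates a unique external Identifier per internal flow and maps replies back. The assumption that every Windows host picks the same Identifier (512 here) is the editor's, made to reproduce the "multiple Windows hosts behind NAT" case in the thread.

```python
"""Why several hosts behind one NAT can break ping: echo replies carry no
ports, only an Identifier, so the NAT must key state on it and rewrite it.
Added example by the editor, a toy model, not pf's or IPFilter's code.
Assumption: every Windows host uses the same Identifier (512 here)."""
from typing import Dict, Optional, Tuple

Flow = Tuple[str, int]  # (internal host, original Identifier)


class NaiveNat:
    """Keeps the Identifier as-is; state keyed on (dst, id) only."""

    def __init__(self, external_ip: str):
        self.ext = external_ip
        self.state: Dict[Tuple[str, int], str] = {}  # (dst_ip, id) -> src_ip

    def outbound(self, src_ip: str, dst_ip: str, icmp_id: int) -> Tuple[str, str, int]:
        self.state[(dst_ip, icmp_id)] = src_ip  # silently overwrites the first host
        return (self.ext, dst_ip, icmp_id)

    def inbound(self, src_ip: str, icmp_id: int) -> Optional[Flow]:
        """Reply from src_ip: which internal flow does it reach?"""
        host = self.state.get((src_ip, icmp_id))
        return None if host is None else (host, icmp_id)


class IdRewritingNat:
    """Allocates a unique external Identifier per (host, dst, id) flow."""

    def __init__(self, external_ip: str, first_id: int = 1):
        self.ext = external_ip
        self.next_id = first_id
        self.out: Dict[Tuple[str, str, int], int] = {}   # (src, dst, id) -> ext_id
        self.back: Dict[Tuple[str, int], Flow] = {}      # (dst, ext_id) -> (src, id)

    def outbound(self, src_ip: str, dst_ip: str, icmp_id: int) -> Tuple[str, str, int]:
        key = (src_ip, dst_ip, icmp_id)
        if key not in self.out:
            ext_id = self.next_id
            self.next_id = (self.next_id + 1) % 65536  # 16-bit field, wrap around
            self.out[key] = ext_id
            self.back[(dst_ip, ext_id)] = (src_ip, icmp_id)
        return (self.ext, dst_ip, self.out[key])

    def inbound(self, src_ip: str, ext_id: int) -> Optional[Flow]:
        """Reply from src_ip with the rewritten id: map back to (host, original id)."""
        return self.back.get((src_ip, ext_id))


def simulate(nat) -> Tuple[Optional[Flow], Optional[Flow]]:
    """Two Windows boxes ping the same target with Identifier 512, then the
    target answers both. Returns where each host's reply is delivered."""
    host_a, host_b, target = "192.168.1.10", "192.168.1.11", "198.51.100.1"
    _, _, id_a = nat.outbound(host_a, target, 512)
    _, _, id_b = nat.outbound(host_b, target, 512)
    return nat.inbound(target, id_a), nat.inbound(target, id_b)
```

With NaiveNat both replies land on the second host, so the first host's ping times out; with IdRewritingNat each reply is mapped back to the host that sent the request, which is the behaviour the linked pf patch provides.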


Re: [pfSense Support] pfSense on complex Network

2005-08-16 Thread Bill Marquette
No.  Use the new Virtual IP screen to create virtual IPs that are
either proxy arp or other depending on whether those IPs are routed
to the physical subnet the box is on or to it directly.

--Bill

On 8/15/05, Paulus Edwin Prasetya [EMAIL PROTECTED] wrote:
 So, it is really because of realtek, so I cannot NAT using
 xxx.xxx.148.11 or other on the wan with IP xxx.xxx.148.10?
 
 Ted Crow wrote:
  For my production unit, I have a SuperMicro 5013 server with 2 LOB
  Intel Gigabit LAN/WAN interfaces and a PCI/64 Intel Quad Fast
  Ethernet for my OPT interfaces.  Works great with top notch throughput.
  (IIRC, I've been using this hw since 0.49)
 
  I pretty much gave up on Realtek a couple years ago, and now avoid
  systems with built in Realtek NICs.  A while back I did a test with 11
  Intel NICs in one pfSense box and it worked /flawlessly/.  So, probably
  needless to say, I highly recommend Intel NICs.  In general practice, I
  put 3Com NICs third on my list right behind Broadcom.
 
  *Ted Crow*
  /MCP/W2K/
  Information Technology Manager
  *Tuttle Services, Inc.*
  (419) 228-6262 x 247
 
 
  
  *From:* David Strout [mailto:[EMAIL PROTECTED]
  *Sent:* Monday, August 15, 2005 1:54 PM
  *To:* [EMAIL PROTECTED]; [EMAIL PROTECTED]
  *Cc:* [EMAIL PROTECTED]; support@pfsense.com
  *Subject:* Re: Re: [pfSense Support] pfSense on complex Network
 
  I have an old Dell Precision w/ PCI-X slots and use the Intel
  (PCI/PCI-X) quad 10/100/1000 card (I have two working flawlessly w/
  0.74.8) that's my recommendation - stick w/ intel on many/multi homed
  (more than 2-3 NICs) boxes.
  --
  David L. Strout
  Engineering Systems Plus, LLC
 
 
  - Original Message -
  *Subject: *Re: [pfSense Support] pfSense on complex Network
  *From: [EMAIL PROTECTED]
  *To: [EMAIL PROTECTED]
  *Date: *08-15-2005 1:43 pm
 
 
  On 8/15/05, Scott Ullrich [EMAIL PROTECTED] wrote:
On 8/15/05, Paulus Edwin Prasetya [EMAIL PROTECTED] wrote:
 Hi,

   !  I'm new to this list, any one can help me?

 I am setup a quite complex gateway using pfSense
 the box contain 6 NIC all using RealTek (rl0-rl5)
   
Are you sure that all 6 Realtek NICS function correctly in the
machine? That's a lot of NICS and RealTeks at that (read: I would
use better nics such as intel/3com).
 
  I wouldn't even recommend 3Com - I've had tons of problems with
  them. Absolutely agreed though that Realtek suck *ss. Expect poor
  performance.
 
  --Bill
 
 
 
 





Re: [pfSense Support] Port Forward failing

2005-08-16 Thread Bill Marquette
On 8/16/05, Howard Virag [EMAIL PROTECTED] wrote:
 Hello,
 
 This is likely not strictly (or loosely) a pfSense problem.
 
 Can someone venture a guess as to why simple port forwarding is failing for 
 me?
 
 In short, It works to my Linux PC, an older AMD 800 MHz machine, but
 port forwards to my Sun Sparc Ultra 2 fail regardless of port.

Interesting...hows routing on the U2 set up?  Is the default gateway
the same as the AMD?  Hows the ARP table look - is it similar to the
AMD box?  I'm kind of assuming that the AMD and U2 are on the same
network ;)

 I am using  pfSense, 0.74.4,  behind an Actiontec GT704 set
 up as a transparent bridge after having used a simpler DSL Paradyne
 modem weeks ago successfully  with IPCop. I recall that all worked
 nicely before.

PPPOE on the pfSense?  I'm not completely following your network setup here.

 Any suggestions on what to look at?
 With previous posts in mind, I do have a mix of 3Com and a cheap new
 Realtek card. Will using these cards make any difference for a small
 home network?

Performance issues mainly.  The NICs work, just don't expect 100Mbit
out of them (with exception to 3com which can just have weird
issues).

--Bill




Re: [pfSense Support] Alert about pf rules syntax errors... again...

2005-08-17 Thread Bill Marquette
I've had coworkers report the same issue.  The solution was to remove
the entire IPSEC section in the XML file (actually, if you know
exactly what to remove, you don't need to, but this is the easier more
generic way describing the fix).  At some point in one of the versions
right after the hackathon we accidentally set an empty tunnel in
memory which got saved to the config file.

Maybe in the next release we can update config file versions and clear
any blank tunnel fields (if someone can send me a known bad config
file exhibiting this behaviour).

--Bill

On 8/17/05, Scott Ullrich [EMAIL PROTECTED] wrote:
 The problem is the previous version had a parser bug and I bet money
 your ipsec profiles are now corrupted.   I had to readd my ipsec
 connections after the version in question (cannot recall which version
 it was).
 
 The web gui's job is to enforce data but if it becomes corrupted then
 it gets rather hard to enforce, no?
 
 Scott
 
 
 On 8/17/05, Randy B [EMAIL PROTECTED] wrote:
  Scott Ullrich wrote:
   I just tested the latest vpn.inc with my home firewall that has 4+
   ipsec links and it works fine.I'll be releasing a new version
   soon.  Please be on the lookout for it and give it a try.
  
   Scott
 
  I'm still showing this issue in 0.77.  My last fix was to comment out a
  large swath of /etc/inc/filter.inc, but I tried to be a bit more
  pragmatic about it this time, and realized that I came to the precise
  same conclusions that M. Kohn came to.  There needs to be some catch,
  some hook in vpn_ipsec.php (line 36 where the empty definition is
  created), filter.inc (see previously submitted patch), or vpn.inc.
  Something somewhere either has to stop making the empty tunnel or
  everything else has to be changed to be able to deal with it.
 
  Scott - you said a change to filter.inc is not the correct fix, and to
  make it in /etc/inc/vpn.inc.  Why would that be?  AFAICT, vpn.inc just
  sets up defined tunnels - very little error control in it.  The
  specified code chunk in filter.inc (starting ~2093) seems to be the
  flawed one - it just happily chews right over definitions, uncaring
  whether they're empty or not.  Shouldn't a process that's generating
  system commands be a bit more concerned about whether or not it's
  putting out proper syntax?
 
  RB
 
 
 
 
 



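Bill's proposed fix, a config-version bump that clears any blank tunnel entries, is a small XML transform. The script below is an added example by the editor, not pfSense's own config-upgrade code: it loads a config.xml, drops every <tunnel> under <ipsec> that has no children or only empty ones, and reports how many it removed, so it can be run before the rule generator ever sees the empty definition. The element names in the constructed sample follow the m0n0wall-style layout and are an assumption; back the real file up before rewriting it.

```python
"""Strip blank <tunnel> entries from the <ipsec> section of a config.xml,
the empty tunnel Bill describes. Added example by the editor, not pfSense's
config-upgrade code; element names are assumed from the m0n0wall-style
layout. Back the file up before writing the result back."""
import xml.etree.ElementTree as ET
from typing import Tuple


def _is_blank(tunnel: ET.Element) -> bool:
    """A tunnel is blank when it has no children, or every child is a leaf
    with no text. A child that itself has children counts as content."""
    return all(len(child) == 0 and (child.text or "").strip() == "" for child in tunnel)


def strip_empty_tunnels(xml_text: str) -> Tuple[str, int]:
    """Return (cleaned xml, number of tunnels removed)."""
    root = ET.fromstring(xml_text)
    removed = 0
    ipsec = root.find("ipsec")
    if ipsec is not None:
        for tunnel in list(ipsec.findall("tunnel")):  # copy: we mutate ipsec
            if _is_blank(tunnel):
                ipsec.remove(tunnel)
                removed += 1
    return ET.tostring(root, encoding="unicode"), removed


def tunnel_count(xml_text: str) -> int:
    """Number of <tunnel> entries left under <ipsec>."""
    return len(ET.fromstring(xml_text).findall("./ipsec/tunnel"))


# Constructed sample: one real tunnel, one self-closing blank, one with
# only empty leaves (the shape a half-saved GUI entry can leave behind).
SAMPLE_CONFIG = """<pfsense>
  <ipsec>
    <tunnel>
      <remote-gateway>203.0.113.9</remote-gateway>
      <local-subnet><type>lan</type></local-subnet>
      <remote-subnet>10.9.0.0/24</remote-subnet>
    </tunnel>
    <tunnel/>
    <tunnel>
      <remote-gateway></remote-gateway>
      <remote-subnet> </remote-subnet>
    </tunnel>
  </ipsec>
</pfsense>"""
```

The check is deliberately structural rather than tied to one field name, so a tunnel with a real <remote-gateway> but a missing subnet is kept for a human to look at instead of being silently dropped; the count returned is what a config-version upgrade step would log.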


Re: [pfSense Support] 0.78 on WRAP 1E board

2005-08-20 Thread Bill Marquette
What SSH client are you using?  Is it configured for 'keyboard-interactive' ?

--Bill

On 8/20/05, Giorgio Ducci [EMAIL PROTECTED] wrote:
 Hi,
 I installed the last embedded release 0.78 on a WRAP 1E board and
 now all the minor webgui problems related to status==interfaces are
 ok. Wonderful!! After that I tried to connect by SSH to pfsense after,
 of course, having enabled it in System==advanced but I cannot log in:
 it says ...no further authentication methods available..I also
 disabled the firewall to be sure that some rule would not interfere but
 disabled the firewall to be sure tha some rule would not interfere but
 no chances. Should I do something else to enable the ssh or the
 problem is elsewhere? Has someone else the same problem with embedded
 release?
 cheers
 Giorgio
 
 





Re: [pfSense Support] Virtual IPs not working

2005-08-22 Thread Bill Marquette
On 8/22/05, Bastian Schern [EMAIL PROTECTED] wrote:
 Hi,
SNIP
 I'm using pfSense Version 0.79.2 and my Virtual IPs are not functional.
 It's not possible to ping any Virtual Interface. Most important thing is
 to get the external IPs back to work. Because all of them should be
 forwarded to Webserver, Mailserver, ...

Expected behaviour.  ProxyARP doesn't create another IP address on the
firewall, it just replies to the upstream router with an arp reply
when queried for that IP.

As has been suggested, do a 1:1 NAT, or Port Forward the ICMP to the
appropriate server (rules permitting).  Alternately, use CARP - it'll
create an interface with that IP so the firewall will respond (rules
permitting).

--Bill




Re: [pfSense Support] Virtual IPs not working

2005-08-23 Thread Bill Marquette
Bastian Schern, you probably already know this, but your email is busted.

--Bill

On 8/22/05, Mail Delivery System [EMAIL PROTECTED] wrote:
 This is the Postfix program at host server19.greatnet.de.
 
 I'm sorry to have to inform you that your message could not be
 be delivered to one or more recipients. It's attached below.
 
 For further assistance, please send mail to postmaster
 
 If you do so, please include this problem report. You can
 delete your own text from the attached returned message.
 
 The Postfix program
 
 [EMAIL PROTECTED] (expanded from [EMAIL PROTECTED]): delivery
 temporarily suspended: connect to kundt.homeip.net[213.191.40.68]:
 Connection timed out
 
 
 Final-Recipient: rfc822; [EMAIL PROTECTED]
 Original-Recipient: rfc822; [EMAIL PROTECTED]
 Action: failed
 Status: 4.0.0
 Diagnostic-Code: X-Postfix; delivery temporarily suspended: connect to
 kundt.homeip.net[213.191.40.68]: Connection timed out
 
 
 
 -- Forwarded message --
 From: Bill Marquette [EMAIL PROTECTED]
 To: Bastian Schern [EMAIL PROTECTED]
 Date: Mon, 22 Aug 2005 18:18:24 -0500
 Subject: Re: [pfSense Support] Virtual IPs not working
 On 8/22/05, Bastian Schern [EMAIL PROTECTED] wrote:
  Okay I believe you, but what can I do to solve my Problem with my three
  LAN subnets: 192.168.0.0/24 (main), 192.168.3.0/24 and 192.168.101.0/24.
  All of them are located on the same physical interface and in this
  moment it is not possible to join the subnets.
  Is there a way to handle that configuration?
 
 If ping is a big issue (I can understand), use CARP instead of ProxyARP.
 
 --Bill
 
 





[pfSense Support] .79 issues

2005-08-23 Thread Bill Marquette
There was a nasty bug in .79 that partially reverted the config file
version.  This left a config file that had newer syntax and an older
version number.  Upgrading past .79 w/out taking some corrective
measure will break your system.  Again, if you installed or upgraded
to .79 and plan on using anything newer, please read.

Two issues in particular affect those that are on .79 and plan to
upgrade.  During boot, we check to see if the config file version is
older than what we claim is current.  If it is, we upgrade it.

One of the upgrade steps encrypts the (already encrypted) password in
the xml file leaving you with a system you couldn't access (there are
a couple workarounds that I'll mention shortly).  The other somewhat
damaging item I've had mixed reports on are irreversible issues with
the DHCP config; if you don't use the dhcp server you will be fine. 
Disabling the server and re-enabling it is not enough to fix it if you
are using DHCP.

This issue _only_ affects people that upgraded/installed .79 and then
upgraded to anything above it (.79.2 is currently the only thing above
it).  There was about a three hour window where .79 was the most recent
version, so I expect very few people actually got affected.

Workarounds:
This is for those that upgraded to .79.  We now version every change
that happens on your pfSense box.  They are available via the
Diagnostics menu, choose Backup/Restore then click Remote.  You'll see
a list of all the times your configuration changed and at a minimum
where in the firewall the change was made (still working on exact
change details).
You should see the Current entry showing as "Upgraded config version
level from 1.9 to 1.1" or similar.  Clicking on the + (plus) symbol
on the line below will restore the previous configuration file.  Then
upgrade to .79.2 w/out rebooting.  .79.2 will correctly upgrade your
configuration file to version 2.0 w/out destroying anything.

For those that installed .79 and wish to upgrade.  If you aren't using
the DHCP server, the only item that should affect you is the password.
Upgrade to .79.2 and use menu option number 3 from the shell (Reset
webGUI password).

If you are using the DHCP server, be thankful this is a new install. 
Hopefully you've installed before and have an old config laying
around.  If not, you'll be reconfiguring from scratch, there's not
much we can do.  You can try disabling/reenabling the DHCP server
after upgrading to .79.2.  I've had one report of that works and one
of that didn't work - if it doesn't work, reinstall.

--Bill

PS. For those wondering... 1.10 == 1.1 I apparently failed floating point 101!

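As an added illustration of the two failure modes in this post, and not pfSense code: the PS explains the version regression (as floats, 1.10 equals 1.1, so a 1.9 config looks newer than a 1.10 one), and the password step re-encrypted an already encrypted value. The config layout, the step list and the `$1$` hash check below are assumptions made for the example; only the version numbers come from the thread.

```python
"""Added example, not pfSense code: why a numeric config version can
compare as "older" than it is, and how to make upgrade steps safe to
re-run.  The config layout, the step list and the $1$ hash check are
constructed for illustration; only the version numbers are from the
thread."""
import hashlib
import re
import xml.etree.ElementTree as ET

# Constructed sample: newer syntax (hashed password) but an old version
# number, which is the state .79 left behind.
SAMPLE_CONFIG = """<pfsense>
  <version>1.9</version>
  <system>
    <password>$1$abcdefgh$0123456789abcdefghijkl</password>
  </system>
</pfsense>"""

# Same config as it would look before any hashing step ran.
PLAINTEXT_CONFIG = SAMPLE_CONFIG.replace(
    "$1$abcdefgh$0123456789abcdefghijkl", "pfsense")


def float_versions_collide(a, b):
    """The bug: compared as floats, '1.10' and '1.1' are equal, so a
    1.9 config looks newer than a 1.10 one."""
    return float(a) == float(b)


def parse_version(v):
    """Compare component-wise instead: (1, 10) > (1, 9) > (1, 1)."""
    return tuple(int(part) for part in v.split("."))


# MD5-crypt shape: $1$<salt up to 8>$<22 chars>.  Constructed check; real
# code would key on whatever marker the stored format actually uses.
MD5_CRYPT = re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")


def is_already_hashed(pw):
    return bool(MD5_CRYPT.match(pw))


def fake_md5_crypt(plain):
    """Stand-in for crypt(3) so the demo runs anywhere (not secure)."""
    digest = hashlib.md5(plain.encode()).hexdigest()[:22]
    return "$1$constrct$" + digest


def step_hash_password(root):
    """Upgrade step that must be idempotent: hash only if still plain.
    Running it twice must not double-encrypt, which is what locked
    .79 users out.  Returns True when it changed something."""
    el = root.find("./system/password")
    if el is None or is_already_hashed(el.text or ""):
        return False
    el.text = fake_md5_crypt(el.text or "")
    return True


def step_noop(root):
    """Placeholder for the 2.0 schema change; nothing to do here."""
    return False


# (target version, step) in ascending order; constructed list.
UPGRADE_STEPS = [
    ("1.10", step_hash_password),
    ("2.0", step_noop),
]


def upgrade_config(xml_text):
    """Apply every step whose target is strictly newer than the stored
    version; return (final version, list of steps that changed data)."""
    root = ET.fromstring(xml_text)
    ver_el = root.find("version")
    stored = parse_version(ver_el.text)
    applied = []
    for target, step in UPGRADE_STEPS:
        if parse_version(target) <= stored:
            continue            # already at or past this step
        if step(root):
            applied.append(target)
        ver_el.text = target
    return ver_el.text, applied


if __name__ == "__main__":
    print(float_versions_collide("1.10", "1.1"))   # True: the bug
    print(upgrade_config(SAMPLE_CONFIG))            # ('2.0', [])
    print(upgrade_config(PLAINTEXT_CONFIG))         # ('2.0', ['1.10'])
```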



Re: [pfSense Support] wireless card on lan

2005-08-23 Thread Bill Marquette
On 8/23/05, Scott Ullrich [EMAIL PROTECTED] wrote:
 I'll check it out.  I really need to rip out the interfaces crap and
 redo it completely.  But no time and a feature freeze.  GRR.

Yeah, I think this work is slated for 2.x / next hackathon or
something.  The right way to do this requires a significant redesign
for how interfaces work in pfSense.  In the meantime it sounds like
Scott will fix up the remaining screens to at least allow for the same
info.

--Bill




Re: [pfSense Support] Upgrade from m0n0 to pfSense?

2005-08-23 Thread Bill Marquette
On 8/23/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
   As a test, I tried to create a rule to send all VNC traffic over the
   OPT1 WAN interface, but it always used the default WAN interface.
  
   I must be missing something.  How can this be done when the second WAN
   interface has a static IP?
 
  Possibly, possibly not. Check /tmp/rules.debug for the rule that
  you're adding and please post it here to see if the gateway portion is
  being added correctly for the rule in question.
 
 # NAT Inbound Redircts
 ...
 rdr on xl2 proto tcp from any to  port 5900 -> 192.168.1.230 port 5900
 rdr on xl1 proto tcp from any to  port 5900 -> 192.168.1.230 port 5900
 
 # User-defined rules follow
 ...
 pass in quick on $WANII proto tcp from any to { 192.168.1.230 } port =
 5900 keep state  label USER_RULE: NAT Allow VNC to buzz via WAN2
 ...

That's inbound.  The multi-wan code we're talking about is outbound. 
By default inbound traffic to an IP will return out the
interface/gateway it came in on (as long as you have a gateway setup
in the interface config).  It's up to the user to get the inbound
traffic on the right link, via DNS, or IP, or whatever other trick.

--Bill




Re: [pfSense Support] captive portal

2005-08-25 Thread Bill Marquette
I noticed this behaviour this morning.  https didn't work, http sent
me to the login page, but ping worked (usually) and I could SSH
through the firewall.  Oddly, last night after I setup CP, it worked
as intended.

--Bill

On 8/23/05, Tobias Frank [EMAIL PROTECTED] wrote:
 Hello,
 
 when trying to use the captive portal on 0.79 there is a strange thing.
 The following ports work without authentication:
 MySQL, smtp, ping, ssh, name. Others I didn't check.
 m0n0wall (1.2b9) doesn't show this behaviour.
 Is this a bug or a feature?
 
 here's my configuration
 
  212.x.x.x          192.168.0.x/24          192.168.1.x/24
        --------            ------            -----------
  -----| Router |----------| FW |----------| pfsense |-----
        --------            ------            -----------
                  (WAN - 192.168.0.129)   (LAN - 192.168.1.1)
 
 I didn't check the checkbox "block private networks" because one of the
 Mail-Servers has a private ip-address (192.168.99.x)
 
 Another feature of m0n0wall which I think is very useful is the
 Reauthentication in the current beta version.
 So accounting works well for our use. Is it planned to integrate this
 feature in a future pfsense version?
 
 Greetings from Munich
 
 Tobias Frank
 
 





Re: [pfSense Support] Running multiple routed subnets on LAN interface

2005-08-25 Thread Bill Marquette
iy yi yi...I can't ever begin to remember what bugs lurked back that
far.  Any chance you can upgrade to current?  We're fixing stuff left
and right, I'm not going to go back through the last three months
changelogs to see if we've already fixed whatever might be affecting
you (if anything).  If it's still affecting you on something recent
(preferably .80 at a minimum) we can take a look.

--Bill

PS. I agree with John, we need a network diagram.  If you don't have
Visio, please use Dia (http://www.gnome.org/projects/dia/)

On 8/25/05, Ted Crow [EMAIL PROTECTED] wrote:
 I am (still) running pfSense 70.4 and I am in the process of adding a
 routed subnet to my LAN.
 
 I don't have any trouble seeing the remote LAN from my core LAN, nor any
 trouble seeing the core LAN from the remote LAN.  But, my remote LAN
 gets no responses from devices on any other interface on the firewall.
 
 The routing appears to be correct as far as I can tell using
 traceroute/ping.  I can ping machines on the remote LAN from the
 firewall, and the firewall from the remote network.  The firewall
 appears to be black-holing the remote LAN traffic.
 
 -- From REMOTE LAN --
 Tracing the route to xx.xx.xx.xx (public)
 
   1   1 ms   1 ms   1 ms   172.16.11.1   --- New Remote (172.16.11/24)
   2   4 ms   4 ms   4 ms   172.16.0.2    --- Internal Router (172.16.0/23)
   3   5 ms   5 ms   5 ms   172.16.0.1    --- pfSense Firewall (172.16.0/23)
   4   *      *      *                    --- should be Gateway Router (public)
   5   *      *      *                    --- should be ISP Router (public)
   ...                                    --- on to oblivion
 
 I do have a LAN rule explicitly allowing the remote subnet to have full
 access to any^3.
 
 Any ideas?  Or do I just need to get the latest version of pfSense on
 the box?
 
 Ted Crow
 MCP/W2K
 Information Technology Manager
 Tuttle Services, Inc.
 (419) 228-6262 x 247
 
 





Re: [pfSense Support] Outgoing load balancing problem

2005-08-30 Thread Bill Marquette
0.81 contained a number of load balancer fixes.

--Bill

On 8/30/05, Holger Bauer [EMAIL PROTECTED] wrote:
 It can be done the way you describe it and I have this setup at home in my
 test environment (however, I use different subnets on my wans, but it
 should work with your setup too as far as I know). If properly
 configured you should see the 2 wans used round robin. In my setup this
 means if I traceroute to internet testtarget1.com I can see the traffic
 going out wan1. Tracerouting testtarget2 shows the route going out via
 wan2. If you always trace the same target it will most probably stay at
 the same wan for some time as the connections are sticky to the wan
 it went out the first time unless the states for that connection are
 gone because of closing the connection or statetable-timeout removes
 it. (I'm not sure if the latest changes to the loadbalancer to work
 this way are in 0.80.4 already or if you have to upgrade some files
 first. At some point the loadbalancer only worked for more than one
 client as a client's IP was mapped to one of the wans, but I lost track
 here, check cvs-trac for further info ;-). You should upgrade to the
 latest image after it becomes available. With this one you don't need
 the manual NAT setup any more and also enabling advanced outbound NAT
 should create correct rules for the loadbalancer by default.
 
 The monitor IP can be any IP you want to check through this wan. Of course
 it should be a high availability IP as the connection will be assumed
 broken if it doesn't get an answer from this and the wan will be
 removed from the round robin pool. Monitoring doesn't work at the moment
 as far as I know, so at the moment it isn't used anyway.
 
 The problem with the non-editable list is known already, thanks for reporting.
 
 Holger
 
 -Original Message-
 From: Daniel Solsona [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, 30 August 2005 09:49
 To: support@pfsense.com
 Subject: [pfSense Support] Outgoing load balancing problem
 
 I have a soekris 4501 with 0.80.4 and I was trying outgoing load balancing.
 I've read the wiki document and I can get it to work atm.
 I have just done a quick test to try it, will try to do a better one when I
 have more time. Actually I tried:
 
 Lan on eth0 with ip 192.168.1.1
 Linux client on lan with ip 192.168.1.10 and gateway 192.168.1.1
 Wan on eth1 with ip 192.168.50.199
 On wan I've two adsl routers connected to a switch. Ip for adsl1 is
 192.168.50.240 and ip for adsl2 is 192.168.50.80
 
 I go to services and create the load balancer pool.
 At this point I've a question about ip monitor, does it need to be an
 internet ip? the adsl router ip?
 I add the 2 adsl gateway ips to the pool.
 Probably at this point there is a bug in 0.80.4 when you try to edit an
 outgoing load balancer pool. You click on edit and you don't get all the info
 from the pool, just the name, description and type of pool, but the list is
 empty.
 After that I go to nat and enable advanced outbound nat. And then change the
 firewall rule to the new gateway pool.
 When I try to see if it works, I do a traceroute to google and it goes to the
 first adsl router (192.168.50.80) but if I unplug the adsl router it doesn't
 change to the other router.
 So the question, can it be done this way or do I need to make two wan adapters
 and put the routers on different ethernets?
 
 Thanks for the help


Re: [pfSense Support] WARNING: R/W mount of denied. File system is not clean - run fsck

2005-08-30 Thread Bill Marquette
Interestingly the WRAP image is supposed to be mounted read-only
anyway. Only /cf should normally get mounted r/w and then only
for changes.

--Bill

On 8/30/05, Fleming, John (ZeroChaos) [EMAIL PROTECTED] wrote:
 Just an FYI this is why you see the error message. You should only be
 worried if you see it twice.
 
 # Mount all. If it fails run a fsck.
 /sbin/mount -a || /sbin/fsck -y && /sbin/mount -a || /sbin/fsck -y
 
 The error message you've seen came from the first /sbin/mount -a. fsck
 then cleaned all the file systems (fsck -a).
 Had the file system been dirty after that you would have seen the error
 again, but that would mean something was really hosed as in Bad hard
 drive or some kind of storage communications error (flash, IDE or SCSI
 write error).
 
 -Original Message-
 From: Tomas Hodan [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, August 30, 2005 2:10 PM
 To: support@pfsense.com
 Subject: [pfSense Support] WARNING: R/W mount of denied. Filesystem is
 not clean - run fsck
 
 hi,
 I installed pfsense to CF card, booted once, repowered wrap and on next
 boot I got lot of messages like: WARNING: R/W mount of denied. Filesystem is
 not clean - run fsck
 should not pfsense be able to handle such situations? or I'm doing
 something wrong
 regards,
 tomas


Re: [pfSense Support] 81.4 load balance + carp

2005-08-31 Thread Bill Marquette
Hmmm, that's a seriously high interrupt load. How much traffic
goes through this box? What type of NICs and CPU do the boxes
have?

--Bill

On 8/31/05, Rodolfo Vardelli [EMAIL PROTECTED] wrote:
 second part.
 Now backup is completely frozen, here top:
 
 last pid:   737;  load averages:  0.97,  0.43,  0.17    up 0+00:02:51  11:30:33
 25 processes:  5 running, 20 sleeping
 CPU states:  0.3% user,  0.3% nice, 10.2% system, 77.2% interrupt, 11.9% idle
 Mem: 13M Active, 7404K Inact, 10M Wired, 24K Cache, 9200K Buf, 87M Free
 Swap:
 
   PID USERNAME  THR PRI NICE   SIZE    RES STATE    TIME   WCPU COMMAND
   668 root        1   8   10 10856K  9588K ppwait   0:04  0.00% php
   663 root        1  76    0  2264K  1516K RUN      0:01  0.00% top
   540 root        1  76    0  1292K   868K select   0:01  0.00% syslogd
   657 root        1   8    0  1580K  1228K wait     0:00  0.00% login
   662 root        1  20    0  2616K  2000K pause    0:00  0.00% tcsh
   297 root        1 -58    0  3656K  1748K bpf      0:00  0.00% tcpdump
   543 root        1  76    0  3480K  1960K RUN      0:00  0.00% mini_httpd
   554 root        1   8    0  1620K  1120K wait     0:00  0.00% sh
   641 root        1   8    0  1300K   984K nanslp   0:00  0.00% cron
   299 root        1  -8    0  1188K   688K piperd   0:00  0.00% logger
   658 root        1   8    0  1624K  1092K wait     0:00  0.00% sh
   659 root        1   8    0  1632K  1160K wait     0:00  0.00% sh
   298 _pflogd     1 -58    0  1536K  1180K bpf      0:00  0.00% pflogd
   669 root        1  -8    0  3484K  2012K piperd   0:00  0.00% mini_httpd
   295 root        1   4    0  1472K  1136K sbwait   0:00  0.00% pflogd
   667 root        1   8    0  1168K   480K nanslp   0:00  0.00% sleep
   656 root        1   8    0   228K   124K nanslp   0:00  0.00% check_reload_st
   547 nobody      1 132    0  1320K   940K select   0:00  0.00% dnsmasq
 
 no answer from serial console. It answers to ping.
 Here the last message arrived at syslog server:
 Aug 31 11:29:40 192.168.9.32 kernel:
 webgui doesn't answer.
 nothing else
 
 regards, Rodolfo


Re: [pfSense Support] Outgoing Load Balancer and policy based routing

2005-09-02 Thread Bill Marquette
I don't believe slb is fully integrated into the outbound load
balancer. If you don't have a load balanced server you probably
won't see anything in the logs at this time.

--Bill

On 9/2/05, Daniel Solsona [EMAIL PROTECTED] wrote:
 Well, awesome job guys for the work on the outbound load balancer and of course
 on the pfsense project itself. I'm using 0.82.4 on a soekris 4501 and I've tried
 the load balancer with two adsl lines on the same wan. It works really well,
 fast change between the two gateways. I don't know if it's an error or
 something not done yet, but on the log page, the load balancer is clear all
 the time. Is that part only for the server load balancer? or should it have
 something about the outgoing load balancer too?
 And I've been playing with policy based routing too, having pop3, smtp going
 across one ADSL and http going on the other one. It works really well too.
 Thx for the work



Re: [pfSense Support] Soekris Net4801

2005-09-05 Thread Bill Marquette
Not all CF cards are created equal. Some are better than others.

http://www.m0n0.ch/bsd/#knownprobs
http://lists.soekris.com/pipermail/soekris-tech/2004-October/022017.html
--Bill

PS. Scott, note the "especially Lexar" in the m0n0 page? Wasn't
it Lexar cards we were trying to use at the hackathon that gave us
mixed results?

On 9/5/05, Leuchter, Lars [EMAIL PROTECTED] wrote:
 Hi Scott
 Do you refer to the
   set flash=primary
   reboot
 ??
 If so, it doesn't work, at least when using a 512MB Flash-Card.
 Is there another hack how to make this possible ?
 Thanks
 Lars
 
 -Original Message-
 From: Scott Ullrich [mailto:[EMAIL PROTECTED]]
 Sent: Sunday, 4 September 2005 15:24
 To: Leuchter, Lars
 Cc: support@pfsense.com
 Subject: Re: [pfSense Support] Soekris Net4801
 
 Change your compact flash to primary in the BIOS.
 There is a blog entry for this as well.
 
 Scott
 
 On 9/4/05, Leuchter, Lars [EMAIL PROTECTED] wrote:
  Hi all,
  I am trying to get the latest embedded image to work on a Soekris
  Net4801, however, after I have written the image to flash-card and
  boot it up, I do get the following error message :
 
  sio0 at port 0x3f8-0x3ff irq 4 flags 0x10 on isa0
  sio0: type 16550A, console
  sio1 at port 0x2f8-0x2ff irq 3 on isa0
  sio1: type 16550A
  Timecounters tick every 1.000 msec
  Fast IPsec: Initialized Security Association Processing.
  ad1: 497MB SAMSUNG CF/ATA 04/05/06 at ata0-slave PIO4
  Trying to mount root from ufs:/dev/ad0a
 
  Manual root filesystem specification:
    fstype:device  Mount device using filesystem fstype
                   eg. ufs:da0s1a
    ?              List valid disk boot devices
    empty line     Abort manual input
 
  mountroot
 
  Any idea ?
  Thanks
  Lars


Re: [pfSense Support] Multiple WANs

2005-09-06 Thread Bill Marquette
Technically, we do put the interface in the rule when it's
created. But I can guarantee we'll only snag the first one.
So, while you can enter the same IP multiple times in a pool
(artificially creating a ratio based round robin) I'd be willing to bet
that we don't correctly support this on one device.

--Bill

On 9/5/05, Scott Ullrich [EMAIL PROTECTED] wrote:
 On 9/5/05, Holger Bauer [EMAIL PROTECTED] wrote:
  using the same gateway for both wans won't work as you can't specify
  rules for this I think. the rules are applied to a gateway and with
  both gateways the same... :-/ you might have to come up with a
  workaround like having a nated router in front of one connection to use
  this as gateway on one wan and put the pfsense in the dmz of this
  router.
 
 You *possibly* could create a load balancing pool with 1 device in it.
 Select this as your gateway from the rules. Again, haven't tested
 this so I'm not sure if it will work or not.
 
 Scott


Re: [pfSense Support] pfsense and static IPs through PPPoE

2005-09-09 Thread Bill Marquette
Yup, I have SBC's static offering. With the Cayman router that
comes with that offering you can terminate PPPOE on the modem and allow
for the 5 addresses to be used on the ethernet side with pfSense.
You then have the option of bridging those IPs to inside (or DMZ) and
putting real addresses on your machines, or doing a 1 to 1 NAT.
The other option is to terminate PPPOE on the pfSense box - you still
get the option to do 1 to 1 NAT, but you lose the bridging option (I
think, I haven't tried that setup, can't see how it would work though).

I've done both setups, started with terminating PPPOE on the pfSense
box, moved to terminating on the router so I could work on CARP and am
back to terminating on pfSense because my Cayman died.

--Bill

On 9/9/05, Darin [EMAIL PROTECTED] wrote:
 I have DSL with 5 static IPs through SBC. I've also been a FreeBSD user
 for a few years now, and currently have a firewall up and running on 4.11
 The 5 statics are actually a /29 block, and the IP info is passed down
 through the PPP session. In order to use the statics on other machines,
 I have to use the nat functions in the PPP daemon and assign a public IP
 to a private IP. Here is an example from my ppp.conf on how this is done:
 
   nat enable yes
   nat same_ports yes
   nat addr 192.168.1.5 1.2.3.4
   nat addr 192.168.1.6 1.2.3.5
 
 This is the only way I was able to assign those public IPs to another
 box. I could not get it to work using natd.
 Will pfsense be able to do this? I installed 82.4 on a test machine
 just to get a feel for the interface and didn't really see any provision
 for it. Any idea how something like this would work?
 
 Thanks for your time.
 
 Darin


Re: [pfSense Support] pfsense and static IPs through PPPoE

2005-09-09 Thread Bill Marquette
Right now I'm running on a borrows 5100a which bridges the PPPOE
only. Works fine. I don't know anything about the 5360, is
it terminating the PPPOE, or is bridging the PPPOE?

--Bill

On 9/9/05, Darin [EMAIL PROTECTED] wrote:
 What if you don't have the Cayman router anymore? I'm just using a
 standard Speedstream 5360 modem that has no routing or firewall
 capabilities.

Re: [pfSense Support] pfsense and static IPs through PPPoE

2005-09-09 Thread Bill Marquette
Give 'er a shot. Should work like a charm. Just put your
[EMAIL PROTECTED] username in the WAN config for PPPOE and
watch it fly. You'll need to do some playing with Virtual IPs
so you can handle the 1 to 1 NATs, but shouldn't take too long of
poking through the interface to figure it out.

--Bill

On 9/9/05, Darin [EMAIL PROTECTED] wrote:
 It's just a bridge. It's a pretty old modem with very basic functions.
 About 3-4 years old.
 http://www.chipweb.de/dsl/index.php?menu=2id2=33
 
 Darin


Re: [pfSense Support] SS with Putty don`t work

2005-09-10 Thread Bill Marquette
Username 'admin' works too.

--Bill

On 9/10/05, Scott Ullrich [EMAIL PROTECTED] wrote:
 Use the username root and the pfsense webConfigurator password.
 
 On 9/10/05, Robo.K. [EMAIL PROTECTED] wrote:
  When I use PUTTY for Windows and I'm trying to access pfsense via SSH,
  Putty asks me for a user name and for a password, but then the Putty
  window dismisses.
  This occurs on all versions of PFSENSE.
  Where is the problem?
  Thanx.


Re: [pfSense Support] Plan author of TrafficShaper some expanation of use the traffic shaper?

2005-09-10 Thread Bill Marquette
I'm still somewhat working on the shaper and since I've taken about a
much needed 2 month break from it, I'm going to have to do a little
re-education.

Here's a little info right from the pf.conf man page:

     The hfsc scheduler supports some additional options:

     realtime _sc_    The minimum required bandwidth for the queue.
     upperlimit _sc_  The maximum allowed bandwidth for the queue.
     linkshare _sc_   The bandwidth share of a backlogged queue.

     _sc_ is an acronym for service curve.

     The format for service curve specifications is (m1, d, m2).  m2
     controls the bandwidth assigned to the queue.  m1 and d are optional
     and can be used to control the initial bandwidth assignment.  For
     the first d milliseconds the queue gets the bandwidth given as m1,
     afterwards the value given in m2.

In some cases percentages were easier or more right to enter, in
other cases the KB values were the right thing to do...the decision
for each had nothing to do with what valid values for those fields
were, but what my experience showed as useful.

--Bill
On 9/10/05, Robo.K. [EMAIL PROTECTED] wrote:
 Plan author of TrafficShaper some explanation of use of the traffic shaper?
 Because one thing is the theory of HFSC and another thing is filling the boxes
 Upperlimit, Real time, Link share, Parent queue ...?
 There http://wiki.pfsense.com/wikka.php?wakka=HFSCBandwidthShapingNotes
 is some explanation, but not complete.
 In the boxes Upperlimit, Realtime, Link share three values are used,
 once percents and once Kbit/s... What is it for? What is what?
 Can anybody explain this in more detail?
 
 Thank you.
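To put the (m1, d, m2) definition quoted above into numbers, an added example that is not pfSense or pf code: it evaluates a service curve over time and sanity-checks a queue tree whose boxes, as Bill describes, take percentages in some places and Kbit/s in others. The queue names, rates and check messages are constructed for the example.

```python
"""Added example, not pfSense or pf code: evaluate an HFSC service curve
(m1, d, m2) as the pf.conf excerpt describes it, and sanity-check a queue
tree whose boxes mix percentages and Kbit/s.  The tree, rates and
messages are constructed; pfctl's own validation is not reproduced."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ServiceCurve:
    """(m1, d, m2): m1 Kbit/s for the first d ms, then m2 Kbit/s.
    m1 and d are optional; without them the curve is a flat m2."""
    m2: float
    m1: Optional[float] = None
    d: float = 0.0

    def rate_at(self, t_ms: float) -> float:
        """Instantaneous rate the curve grants at time t_ms."""
        if self.m1 is not None and t_ms < self.d:
            return self.m1
        return self.m2

    def service_by(self, t_ms: float) -> float:
        """Cumulative Kbit a continuously backlogged queue has been
        granted by t_ms: the area under the two-slope curve."""
        if self.m1 is None:
            return self.m2 * t_ms / 1000.0
        if t_ms <= self.d:
            return self.m1 * t_ms / 1000.0
        return (self.m1 * self.d + self.m2 * (t_ms - self.d)) / 1000.0


def to_kbps(value: str, parent_kbps: Optional[float]) -> float:
    """Parse a shaper box: '20%' of the parent, '1Mb', '512Kb', or a bare
    number taken as Kbit/s."""
    v = value.strip().lower()
    if v.endswith("%"):
        if parent_kbps is None:
            raise ValueError("a percentage needs a parent bandwidth")
        return parent_kbps * float(v[:-1]) / 100.0
    if v.endswith("mb"):
        return float(v[:-2]) * 1000.0
    if v.endswith("kb"):
        return float(v[:-2])
    return float(v)


@dataclass
class Queue:
    name: str
    bandwidth: str                      # e.g. "1000Kb" or "10%"
    realtime: Optional[ServiceCurve] = None
    upperlimit: Optional[ServiceCurve] = None
    children: List["Queue"] = field(default_factory=list)


def check_tree(q: Queue, parent_kbps: Optional[float] = None,
               problems: Optional[List[str]] = None) -> List[str]:
    """Collect the misconfigurations a shaper page should refuse to save:
    blank/zero bandwidth, an upperlimit above the queue's own bandwidth,
    and children whose bandwidth or realtime guarantees exceed the parent."""
    if problems is None:
        problems = []
    bw = to_kbps(q.bandwidth, parent_kbps)
    if bw <= 0:
        problems.append(f"{q.name}: bandwidth is {q.bandwidth!r}")
    if q.upperlimit and q.upperlimit.m2 > bw:
        problems.append(f"{q.name}: upperlimit m2 {q.upperlimit.m2:g} "
                        f"exceeds bandwidth {bw:g}")
    child_bw = realtime_bw = 0.0
    for c in q.children:
        check_tree(c, bw, problems)
        child_bw += to_kbps(c.bandwidth, bw)
        if c.realtime:
            realtime_bw += c.realtime.m2
    if child_bw > bw:
        problems.append(f"{q.name}: children allocate {child_bw:g} of "
                        f"{bw:g} Kbit/s")
    if realtime_bw > bw:
        problems.append(f"{q.name}: children guarantee {realtime_bw:g} "
                        f"realtime of {bw:g} Kbit/s")
    return problems


# Constructed 1 Mbit/s uplink: ACKs get a 400 Kbit/s burst for 100 ms and
# then a 100 Kbit/s guarantee; the bulk queues together claim 110%.
SAMPLE_ROOT = Queue("qWANRoot", "1000Kb", children=[
    Queue("qACK", "10%", realtime=ServiceCurve(m2=100, m1=400, d=100)),
    Queue("qDefault", "60%"),
    Queue("qP2P", "40%", upperlimit=ServiceCurve(m2=500)),
])

if __name__ == "__main__":
    ack = SAMPLE_ROOT.children[0].realtime
    print([ack.service_by(t) for t in (50, 100, 200)])   # [20.0, 40.0, 50.0]
    for p in check_tree(SAMPLE_ROOT):
        print(p)
```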





Re: [pfSense Support] Slow response from graphical menu of Pfsense

2005-09-10 Thread Bill Marquette
Are you using traffic shaping and filling the downstream queue?

--Bill

On 9/10/05, Robo.K. [EMAIL PROTECTED] wrote:
 Why is the response from the menu of PF so slow? Time is from 3 to 5 seconds
 on a 100TX 3COM card, full duplex, in the PFsense drop-down menu.
 In Metallic the responses are even slower.
 Classic view is faster. Acceptable.





Re: [pfSense Support] Re: [pfSense-discussion] L3 load balancer

2005-09-12 Thread Bill Marquette
On 9/12/05, Tom Müller-Kortkamp [EMAIL PROTECTED] wrote:
 What about pound as LB? It works great on several sites! (http://www.apsis.ch/pound/)

One of the requirements was that we didn't proxy the traffic. It
appears that pound proxies the traffic. Feel free to make a
package for this.

--Bill



Re: [pfSense Support] pfsense on mac mini?

2005-09-13 Thread Bill Marquette
Tier 2 platform, don't even bother with it until it's a Tier 1 platform unless you like fixing things.
http://www.freebsd.org/platforms/ppc.html

I'd also like to point out that we've had nothing but issues with usb
keyboards and that's all that currently works in the PPC port.
Wait another year and a half or so and it won't matter.

--Bill

On 9/12/05, dny [EMAIL PROTECTED] wrote:
 btw. I read somewhere, FreeBSD does run on Mac; I even saw the screenshots...


Re: [pfSense Support] FW: Cosmetic Bug in Trafficshaper?

2005-09-13 Thread Bill Marquette
ack, I'll poke at this shortly. I had some interesting
experiences with the bandwidth fields when writing the wizard.
They shouldn't be needed - realtime/upperlimit/linkshare are supposed
to be better. What I found was that bandwidth is needed so that
pfctl doesn't bitch about bandwidth being over allocated (also, it
seemed like it stomped on the queue even though I'd set upperlimit to a
reasonable setting).

--Bill

On 9/13/05, Ben Browning [EMAIL PROTECTED] wrote:
 I installed pfSense a few days ago using pfSense-LiveCD-0.84.iso (the
 version from 09/11/05). I've observed this bug also. After examining the
 source of the file firewall_shaper_queues_edit.php I came to the
 following conclusion:

 * When using HFSC, the bandwidth input box doesn't appear.
 * Because of this, when you press the save button on any HFSC queue, it
   clears the bandwidth value of that queue in the config xml file.
 * Thus, anytime you press save on a HFSC queue, the bandwidth field
   gets blanked.

 This is more than just a cosmetic bug. If you ever edit the root
 queues, their bandwidth gets set to 0. This bandwidth value is used
 when calculating the maximum available bandwidth to give out to the
 other queues. So, if I create a queue called qSSHUp under my qWANRoot
 (which we'll pretend I have saved since running the wizard, and it now
 shows up blank in the bandwidth field) and tell qSSHUp to guarantee a
 realtime bandwidth of 32Kb, the traffic shaping rules won't load. It
 will complain that there isn't that much bandwidth available to give
 out.

 To fix this, on line 202 of firewall_shaper_queues_edit.php I changed:

 <?php if ($schedulertype == "cbq"): ?>

 to

 <?php if ($schedulertype == "cbq" or $schedulertype == "hfsc"): ?>

 This has solved my disappearing bandwidth-field issue, and now allows
 me to modify rules and have them load successfully.


Re: [pfSense Support] Understand log entry

2005-09-15 Thread Bill Marquette
On 9/15/05, Mojo Jojo [EMAIL PROTECTED] wrote:
 So, if I am reading you right, this is something I should mostly
 ignore and not worry about too much?

Mostly, don't worry about it too much. I'd keep an eye on them as
it's possible it's part of a stealth scan. But I wouldn't put too
much weight in them if it's just onesy-twosy type stuff.

--Bill


Re: [pfSense Support] Problems in Traffic shaper in 0.84.6 are outlive, but even more.

2005-09-16 Thread Bill Marquette
On 9/16/05, Robo.K. [EMAIL PROTECTED] wrote:

 Version 0.84.6

 1./ In the traffic shaper there is still the problem described here -
 http://marc.theaimsgroup.com/?l=pfsense-support&m=112662324102230&w=2

Fixed in CVS, must have missed the 0.84.6 release.

 2./ In Queues the three boxes for speed - min/max/shared - aren't
 displayed.

Not sure what you're asking for here? Is this a bug, or a feature request?

 3./ In the logs are these messages:

 php: : There were error(s) loading the rules:
 /tmp/rules.debug:22: queue qWANRoot has no parent
 /tmp/rules.debug:22: errors in queue definition
 /tmp/rules.debug:23: queue qWANdef has no parent
 /tmp/rules.debug:23: errors in queue definition
 /tmp/rules.debug:24: queue qLANRoot has no parent
 /tmp/rules.debug:24: errors in queue definition
 /tmp/rules.debug:25: queue qLANdef has no parent
 /tmp/rules.debug:25: errors in queue definition
 /tmp/rules.debug:26: queue qLANacks has no parent
 /tmp/rules.debug:26


Fixed in CVS.
http://cvstrac.pfsense.com/tktview?tn=515

When reporting bugs, please tell us how you got there, errors with no
detail don't help much. In this case, you had to have changed
something as the wizard creates clean, parseable rules by
default. I understand the traffic shaper stuff is somewhat
touchy, but we need details.

--Bill
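Both the bandwidth-field bug Ben Browning describes above (a root queue whose bandwidth was blanked to 0, so pfctl refuses a child's 32Kb realtime guarantee) and the "queue ... has no parent" errors in this thread are structural defects in the queue tree that can be caught before the ruleset is handed to pfctl. The validator below is an added example written for this page, not pfSense or pfctl code; the queue names and bandwidth figures are constructed to resemble what the EZ Shaper wizard produces, and the rules it enforces (every non-root queue names an existing parent, a root queue needs non-zero bandwidth, the children's bandwidth and realtime sums must fit in the parent's bandwidth, realtime must not exceed upperlimit) are a simplification of pfctl's checks, not a reimplementation of them.

```python
"""Sanity-check a pf/ALTQ HFSC queue tree before handing it to pfctl.

Added example for this thread, not pfSense code. Queue names and figures
below are constructed to resemble what the EZ Shaper wizard generates.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# pf accepts b/Kb/Mb/Gb suffixes on bandwidth values (decimal multipliers).
UNITS = {"b": 1, "Kb": 1_000, "Mb": 1_000_000, "Gb": 1_000_000_000}


def parse_bandwidth(text: str) -> int:
    """'32Kb' -> 32000 bits/s; a bare number is bits/s; '' (a blanked GUI
    field) counts as 0, which is what the form bug in the thread produced.
    Percent values, also legal in pf, are out of scope for this example."""
    text = text.strip()
    if not text:
        return 0
    if text.endswith("%"):
        raise ValueError("resolve percent values against the parent first")
    for suffix in ("Gb", "Mb", "Kb", "b"):
        if text.endswith(suffix):
            return int(float(text[: -len(suffix)]) * UNITS[suffix])
    return int(float(text))


@dataclass
class Queue:
    name: str
    bandwidth: str                  # the GUI "bandwidth" field, e.g. "512Kb"
    parent: Optional[str] = None    # None for an interface root queue
    realtime: str = "0"             # HFSC guaranteed rate
    upperlimit: Optional[str] = None


def validate(queues: List[Queue]) -> List[str]:
    """Return pfctl-style messages; an empty list means the tree is consistent."""
    errors: List[str] = []
    by_name: Dict[str, Queue] = {q.name: q for q in queues}
    children: Dict[str, List[Queue]] = {}

    for q in queues:
        if q.parent is None:
            continue
        if q.parent not in by_name:
            errors.append(f"queue {q.name} has no parent")  # the rules.debug error
        else:
            children.setdefault(q.parent, []).append(q)

    for q in queues:
        if q.parent is None and parse_bandwidth(q.bandwidth) == 0:
            errors.append(f"queue {q.name}: root bandwidth is 0 (field blanked?)")
        if q.upperlimit is not None and parse_bandwidth(q.realtime) > parse_bandwidth(q.upperlimit):
            errors.append(f"queue {q.name}: realtime exceeds upperlimit")

    for parent_name, kids in children.items():
        available = parse_bandwidth(by_name[parent_name].bandwidth)
        for attr in ("bandwidth", "realtime"):
            requested = sum(parse_bandwidth(getattr(k, attr)) for k in kids)
            if requested > available:
                errors.append(
                    f"queue {parent_name}: children's {attr} {requested} b/s "
                    f"exceeds parent's {available} b/s"
                )
    return errors


def wizard_tree() -> List[Queue]:
    """Constructed tree using the queue names that appear in the thread."""
    return [
        Queue("qWANRoot", "512Kb"),
        Queue("qWANdef", "256Kb", parent="qWANRoot"),
        Queue("qWANacks", "128Kb", parent="qWANRoot", realtime="64Kb"),
        Queue("qLANRoot", "10Mb"),
        Queue("qLANdef", "5Mb", parent="qLANRoot"),
        Queue("qLANacks", "1Mb", parent="qLANRoot"),
    ]


def scenario_ok() -> List[str]:
    return validate(wizard_tree())


def scenario_blanked_root() -> List[str]:
    """Save qWANRoot through the buggy HFSC form, then add the 32Kb realtime queue."""
    tree = wizard_tree()
    tree[0].bandwidth = ""
    tree.append(Queue("qSSHUp", "32Kb", parent="qWANRoot", realtime="32Kb"))
    return validate(tree)


def scenario_orphan() -> List[str]:
    """Root queue missing from the generated rules: its children lose their parent."""
    return validate([q for q in wizard_tree() if q.name != "qLANRoot"])


if __name__ == "__main__":
    for label, fn in (("ok", scenario_ok), ("blanked root", scenario_blanked_root),
                      ("orphan", scenario_orphan)):
        print(f"{label}: {fn() or ['loads cleanly']}")
```

Running the three scenarios reproduces the thread: the intact wizard tree passes, blanking qWANRoot's bandwidth makes every child allocation (including the 32Kb realtime guarantee) exceed the parent's 0 b/s, and dropping a root queue yields one "has no parent" message per orphaned child, mirroring the /tmp/rules.debug lines quoted above.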


Re: [pfSense Support] Relatively long ping to Pfsense on local direct connection.

2005-09-16 Thread Bill Marquette
On 9/16/05, Robo.K. [EMAIL PROTECTED] wrote:

 Version 0.84.6

 If I have connected a computer /Celeron 2.4GHz, 256MB RAM, 100Mbps 3COM
 TX interface/ directly to the test computer via crossover cable, or both
 are in some switch, the ping response time is from below 1ms to 9-10 ms
 and about 700-900 ms if I go to the menu, for example Traffic shaper.
 Is it normal?

Maybe. Are you transferring data when the ping times
increase? More work is upcoming on the shaper to address some of
the local lan to local firewall speed issues (it's due to what's being
queued).

 Monowall is much faster.

Bad comparison any more (and you don't explain what you mean
anyway). We have some significant technology differences from
m0n0 these days.

--Bill


Re: [pfSense Support] PFSTAT doesn't work. How does PFSTAT work?

2005-09-16 Thread Bill Marquette
Please create a ticket, this has been reported before.

--Bill

On 9/16/05, Robo.K. [EMAIL PROTECTED] wrote:

 0.84.6

 After an attempt to configure PFSTAT, after saving the options there I
 get a screen with error messages:

$value = 
$_POST['location0'];$value = $_POST['counters0'];$value = 
$_POST['color0'];$value = $_POST['appearance0'];$value = 
$_POST['location1'];$value = $_POST['counters1'];$value = 
$_POST['color1'];$value = $_POST['appearance1'];$value = 
$_POST['location2'];$value = $_POST['counters2'];$value = 
$_POST['color2'];$value = $_POST['appearance2'];$value = 
$_POST['location3'];$value = $_POST['counters3'];$value = 
$_POST['color3'];$value = $_POST['appearance3'];$value = 
$_POST['location4'];$value = $_POST['counters4'];$value = 
$_POST['color4'];$value = $_POST['appearance4'];$value = 
$_POST['location5'];$value = $_POST['counters5'];$value = 
$_POST['color5'];$value = $_POST['appearance5'];$value = 
$_POST['location6'];$value = $_POST['counters6'];$value = 
$_POST['color6'];$value = $_POST['appearance6'];$value = 
$_POST['location7'];$value = $_POST['counters7'];$value = 
$_POST['color7'];$value = $_POST['appearance7'];$value = 
$_POST['location8'];$value = $_POST['counters8'];$value = 
$_POST['color8'];$value = $_POST['appearance8'];$value = 
$_POST['location9'];$value = $_POST['counters9'];$value = 
$_POST['color9'];$value = $_POST['appearance9'];$value = 
$_POST['location10'];$value = $_POST['counters10'];$value = 
$_POST['color10'];$value = $_POST['appearance10'];$value = 
$_POST['location11'];$value = $_POST['counters11'];$value = 
$_POST['color11'];$value = $_POST['appearance11'];$value = 

$_POST['location12'];$value = $_POST['counters12'];$value = 
$_POST['color12'];$value = $_POST['appearance12'];$value = 
$_POST['location13'];$value = $_POST['counters13'];$value = 
$_POST['color13'];$value = $_POST['appearance13'];$value = 
$_POST['location14'];$value = $_POST['counters14'];$value = 
$_POST['color14'];$value = $_POST['appearance14'];$value = 
$_POST['location15'];$value = $_POST['counters15'];$value = 
$_POST['color15'];$value = $_POST['appearance15'];$value = 
$_POST['location16'];$value = $_POST['counters16'];$value = 
$_POST['color16'];$value = $_POST['appearance16'];$value = 
$_POST['location17'];$value = $_POST['counters17'];$value = 
$_POST['color17'];$value = $_POST['appearance17'];$value = 
$_POST['location18'];$value = $_POST['counters18'];$value = 
$_POST['color18'];$value = $_POST['appearance18'];$value = 
$_POST['location19'];$value = $_POST['counters19'];$value = 
$_POST['color19'];$value = $_POST['appearance19'];$value = 
$_POST['location20'];$value = $_POST['counters20'];$value = 
$_POST['color20'];$value = $_POST['appearance20'];$value = 
$_POST['location21'];$value = $_POST['counters21'];$value = 
$_POST['color21'];$value = $_POST['appearance21'];$value = 
$_POST['location22'];$value = $_POST['counters22'];$value = 
$_POST['color22'];$value = $_POST['appearance22'];$value = 
$_POST['location23'];$value = $_POST['counters23'];$value = 
$_POST['color23'];$value = $_POST['appearance23'];$value = 
$_POST['location24'];$value = $_POST['counters24'];$value = 
$_POST['color24'];$value = $_POST['appearance24'];$value = 
$_POST['location25'];$value = $_POST['counters25'];$value = 
$_POST['color25'];$value = $_POST['appearance25'];$value = 
$_POST['location26'];$value = $_POST['counters26'];$value = 
$_POST['color26'];$value = $_POST['appearance26'];$value = 
$_POST['location27'];$value = $_POST['counters27'];$value = 
$_POST['color27'];$value = $_POST['appearance27'];$value = 
$_POST['location28'];$value = $_POST['counters28'];$value = 
$_POST['color28'];$value = $_POST['appearance28'];$value = 
$_POST['location29'];$value = $_POST['counters29'];$value = 
$_POST['color29'];$value = $_POST['appearance29'];$value = 
$_POST['location30'];$value = $_POST['counters30'];$value = 
$_POST['color30'];$value = $_POST['appearance30'];$value = 
$_POST['location31'];$value = $_POST['counters31'];$value = 
$_POST['color31'];$value = $_POST['appearance31'];$value = 
$_POST['location32'];$value = $_POST['counters32'];$value = 
$_POST['color32'];$value = $_POST['appearance32'];$value = 
$_POST['location33'];$value = $_POST['counters33'];$value = 
$_POST['color33'];$value = $_POST['appearance33'];$value = 
$_POST['location34'];$value = $_POST['counters34'];$value = 
$_POST['color34'];$value = $_POST['appearance34'];$value = 
$_POST['location35'];$value = $_POST['counters35'];$value = 
$_POST['color35'];$value = $_POST['appearance35'];$value = 
$_POST['location36'];$value = $_POST['counters36'];$value = 
$_POST['color36'];$value = $_POST['appearance36'];$value = 
$_POST['location37'];$value = $_POST['counters37'];$value = 
$_POST['color37'];$value = $_POST['appearance37'];$value = 
$_POST['location38'];$value = $_POST['counters38'];$value = 
$_POST['color38'];$value = $_POST['appearance38'];$value = 
$_POST['location39'];$value = $_POST['counters39'];$value = 
$_POST['color39'];$value = 

Re: [pfSense Support] Relatively long ping to Pfsense on local direct connection.

2005-09-16 Thread Bill Marquette
On 9/16/05, Robo.K. [EMAIL PROTECTED] wrote:
 I know that the kernel in monowall 4.xx is faster than 5.xx used in
 PFSENSE. But from this

For the archives. pfSense uses FreeBSD 6, not FreeBSD 5.

--Bill


Re: [pfSense Support] 0.84.6 errors

2005-09-16 Thread Bill Marquette
Oddly, the upgrade should have moved that setting to the right
place. :-/ I'll look into this a little more as this
shouldn't have bitten you.

--Bill

On 9/16/05, Damien Dupertuis [EMAIL PROTECTED] wrote:
 It is done, thank you...

 --- Scott Ullrich [EMAIL PROTECTED] wrote:
  Rerun the EZ Shaper Wizard. We moved the scheduler location so it can
  be sync'd properly.

  Scott

  On 9/16/05, Damien Dupertuis [EMAIL PROTECTED] wrote:
   Hello,

   I just upgraded from 0.84 to 0.84.6 and the system gives me this:

   php: : There were error(s) loading the rules:
   /tmp/rules.debug:13: no scheduler specified!
   /tmp/rules.debug:14: no scheduler specified!
   /tmp/rules.debug:16: queue qWANRoot has no parent
   /tmp/rules.debug:16: errors in queue definition
   /tmp/rules.debug:17: syntax error
   /tmp/rules.debug:18: queue qLANRoot has no parent
   /tmp/rules.debug:18: errors in queue definition
   /tmp/rules.debug:19: syntax error
   /tmp/rules.debug:20: syntax error
   /tmp/rules.debug:21: syntax error
   /tmp/rules.debug:22: syntax error
   /tm

   Is it useful for you if I post the errors or not??? I'm interested in
   helping but not in bothering... ;-)

   regards...

   Damien


Re: [pfSense Support] Dhcp server

2005-09-16 Thread Bill Marquette
This works for me, can you try your update_file.sh again? 

# update_file.sh /usr/local/www/services_dhcp_edit.php
trying to fetch latest /usr/local/www/services_dhcp_edit.php
#

--Bill

On 9/16/05, Damien Dupertuis [EMAIL PROTECTED] wrote:
 Okay,

 I've done it but it didn't work... here is what I got:

 $ update_file.sh /usr/local/www/services_dhcp_edit.php
 Status: 404
 Content-type: text/html
 X-Powered-By: PHP/4.3.10

 No input file specified.
 trying to fetch latest /usr/local/www/services_dhcp_edit.php
 Status: 404
 Content-type: text/html
 X-Powered-By: PHP/4.3.10

 No input file specified.

 --- Scott Ullrich [EMAIL PROTECTED] wrote:
  I just committed a change. Hopefully this will fix your problem.
  From a shell do:

  update_file.sh /usr/local/www/services_dhcp_edit.php

  Scott

  On 9/16/05, Damien Dupertuis [EMAIL PROTECTED] wrote:
   Hello,

   I love the ability to add a static mapping to a mac address in the
   dhcp server but I saw that the only way to actually make it work is
   by rebooting pfsense every time you add an address... otherwise even
   if you ask for a new address (client side), the dhcp doesn't give you
   the static one you just configured...

   Maybe a future task for your already huge to do list?

   regards...

   Damien


Re: [pfSense Support] Dhcp server

2005-09-17 Thread Bill Marquette
Doh, we thought you were talking about a different setting. Should be fixed in the latest services_dhcp_edit.php

--Bill

On 9/17/05, Damien Dupertuis [EMAIL PROTECTED] wrote:
 Hello,

 I tried again this morning with a new nic... the same problem is here
 again... the address in dhcp lease has the priority over the static
 mapping.

 regards..

 Damien



Re: [pfSense Support] Access ADSL modem on WAN port

2005-09-17 Thread Bill Marquette
You might be able to create a proxy arp address on that interface
(virtual IPs screen) and then create an outbound nat that matches your
dsl modems IP address and source it from the proxy arp address.

--Bill

On 9/17/05, Jeroen Geusebroek [EMAIL PROTECTED] wrote:
 Hi,

 I have a DSL modem with a web interface from which I can get the status
 etc. It only reacts to an IP address in the same subnet (10.0.0.0/24).
 Pfsense gets an IP using DHCP, but it is in a different range than the
 DSL modem (while being on the same interface).

 Is it possible to have 2 IPs on the WAN side? DHCP & static 10.0.0.0/24?
 I've tried using virtual ip addresses but that doesn't seem to work,
 unless I'm doing something wrong.

 The ideal situation would be to have 2 ip addresses and tell outbound
 NAT to use IP address X for 10.0.0.0/24 and IP address Y for the rest
 of the internet.

 Is this possible with pfsense?

 --
 Jeroen
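One way to lay out the outbound NAT Bill describes, as an added example that is neither pfSense's generated ruleset nor part of the thread. The interface and address names are assumptions: em0 is the WAN interface holding the DHCP lease, 192.168.1.0/24 is the LAN, the modem answers on 10.0.0.1, and 10.0.0.2 is an unused address in the modem's subnet configured as a proxy ARP virtual IP on em0 in pfSense:

```pf
# Added example, not pfSense output. Assumed: em0 = WAN (DHCP lease),
# 192.168.1.0/24 = LAN, modem at 10.0.0.1, 10.0.0.2 = proxy ARP VIP on em0.
# pf applies the first matching nat rule, so the modem-specific rule must
# come before the catch-all that sources everything else from the DHCP
# address; swapping them sends modem traffic out with the wrong source.
nat on em0 from 192.168.1.0/24 to 10.0.0.0/24 -> 10.0.0.2
nat on em0 from 192.168.1.0/24 to any -> (em0)
```

The modem replies to 10.0.0.2; because pfSense answers ARP for that address on em0 (that is what the proxy ARP VIP does), the reply reaches the firewall and pf reverses the translation through its state entry. A proxy ARP VIP is never bound to the interface itself, so this only helps hosts behind the firewall: the firewall's own traffic still leaves with the DHCP address and the modem will not answer it.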


Re: [pfSense Support] 2 ADSL and load balancing

2005-09-18 Thread Bill Marquette
One of the two PPPOE connections will need to be terminated on a router unless I missed a major change recently.

--Bill

On 9/18/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 hello

 I read the archives and found 2 posts in relation with my question :

 http://www.mail-archive.com/support@pfsense.com/msg00326.html
 http://www.mail-archive.com/support@pfsense.com/msg00084.html

 Both were posted a month ago and it seems a lot of changes have been
 made since then. so... I would like to know if the features for 2 ADSL
 and / or load balancing are now OK ?

 In my case I have :

            ___________
           |           |
           |           |- ADSL1 (pppoe1)
 LAN ------| IPSens    |- ADSL2 (pppoe2)
           |           |
           |           |- SL
           |___________|

 I would like to have :
 - some protocols have to go through ADSL1,
 - all requests from an IP in LAN area network on SL,
 - all other requests have to go through ADSL2.

 Is it now possible without adding a router (as said in one of the
 previous mentioned posts) ?

 Thanks for answering.

 Melanie



Re: [pfSense Support] Argg! My PfSense just died!

2005-09-19 Thread Bill Marquette
On 9/19/05, Mojo Jojo [EMAIL PROTECTED] wrote:
 Any idea why my Pf died in the middle of running? I didn't do an
 upgrade, it was a system running on a fresh install of 0.84 days
 before. Also, besides the booting problem, I am wondering why it just
 stopped working which is what caused me to reboot it in the first
 place. Thanks for any insight on this..

We've had reports on the IRC channel of this happening after a power hit, or other crash too.

--Bill


Re: [pfSense Support] Dual Wan with PPPOE and Static isp

2005-09-20 Thread Bill Marquette
On 9/20/05, raphael [EMAIL PROTECTED] wrote:
 Has anyone already tested and validated the dual wan using pppoe on the
 first link?

Yes, that's my configuration at home. PPPOE on WAN and DHCP
(cable) on OPT1. LAN is my internal network (gee imagine that)
and OPT2 is my DMZ. 
 BTW, I downgraded my wrap to the latest stable 0.70.4 version as I
 don't want to have errors on the web interface :)

Well, I suspect this is the problem. .70.4 is ancient, you should
upgrade to the .84 series - I can't count the number of multi wan fixes
that went in between .70.4 and .84 (heck, we had a hackathon in between
there!)

What errors on the web interface are you referring to?

--Bill


Re: [pfSense Support] Load balancing-aggregate more WAN connections

2005-09-22 Thread Bill Marquette
Nope, it's not possible to aggregate a single TCP flow over multiple
connections.  With load balancing you can at least get as many TCP
flows as you have WAN links going at full speed, but you won't get a
single flow at the speed of all connections.

--Bill

On 9/22/05, Robo.K. [EMAIL PROTECTED] wrote:

 Hi, is possible with PFSENSE load balancing features make aggregation with 2
 or more connections to Internet from various ISP /or some ISP, dont matter/,
 no only failover or load balancing?
 Thanx.
 Bop.





Re: [pfSense Support] sockets over pfsense nat very slow

2005-09-25 Thread Bill Marquette
On 9/25/05, Jeroen Hermans [EMAIL PROTECTED] wrote:
 I have the following situation at a site:

 - 1 pfsense box connected to the internet and lan (194.1.1.41)
 - lan behind pfsense box (nat) (194.1.1.0/24)
 - proxy (squid) box in lan (194.1.1.31)
 - a few clients in the lan

 The last few weeks internet was really slow. I first started to look
 at the squid configuration, but i found out that when i did a telnet
 hostnameontheinternet 80 on the squid-box, that too was really slow
 (about 5 seconds till the socket was open). So i suspected that there
 was not (primarily) something wrong with the squid config. The
 strange thing is that when i open the same connection twice on the
 squid-box (telnet port 80), the first time it takes about 5 seconds
 till i get a connection to the host. The second time it works in
 about 0,1 second. Now, pfsense has its own ssh-shell, so i tried the
 same test on the pfsense-box. But there the socket to the
 internethost opens fast the first time. My conclusion is that the
 delay happens on the pfsense box (nat?). I can resolve all hostnames
 and ip-addresses (forward and reverse) without any delay on the
 pfsense and squid-box.
 The firewall is completely open btw (lan, wan and pptp).
 I hope someone can give me pointers to what the problem can be.
 Thanks a lot in advance,

Hmmm...slow the first time and fast the second possibly sounds like an
issue in DNS resolution somewhere.  Are you using pfSense as your DNS
server for the LAN?  Can you telnet to any host via IP address and see
if the results differ?  How about telneting through the pfSense box
from a machine other than the squid box (you changed two things when
you tested from the pfSense box, not one).

--Bill



Re: [pfSense Support] dual WAN failover

2005-09-25 Thread Bill Marquette
On 9/25/05, Matt Fanady [EMAIL PROTECTED] wrote:



 Hello,

 I've got a PC with 3 identical NIC's in it.  I have a landline internet
 connection and a satellite internet connection.  I would like to use PFsense
 to use the landline when it's up, and then fail over to the satellite if the
 landline goes down.  So far, I have added my static IP address for the opt1
 interface and included the gateway for that internet connection.  Can
 someone push me in the right direction for the next step?

In short, multi-wan failover isn't supported at this time

http://wiki.pfsense.com/wikka.php?wakka=ReleaseTimeline
Show Stoppers for release version 1
 SLBD outgoing LB monitoring

What I do is have an identical set of rules for the second wan already
configured but disabled and ready to go.  It's annoying, but we're
just not there yet.

--Bill

PS. if you haven't found it yet,
http://wiki.pfsense.com/wikka.php?wakka=OutgoingLoadBalancing
is useful.



Re: [pfSense Support] sockets over pfsense nat very slow

2005-09-25 Thread Bill Marquette
On 9/25/05, Jeroen Hermans [EMAIL PROTECTED] wrote:
 Hmmm...slow the first time and fast the second possibly sounds like an
 issue in DNS resolution somewhere.  Are you using pfSense as your DNS
 server for the LAN?  Can you telnet to any host via IP address and see
 if the results differ?
 Indeed, you are right. At first i suspected the dns being faulty. I
 am using the pfsense box as a dns-server, but i am also using another
 machine in the subnet as a secondary dns-server (need it for non-dhcp
 addresses). The point is that when i resolve the ip-addresses and
 hostnames, the dns seems to be working (on both the dns-servers). So
 i tried to telnet to ip-addresses. The very same problem occurred
 (first telnet is slow, the second is fast).

That's really strange.  About all I can offer is that none of my
pfSense installs work that way.

--Bill



Re: [pfSense Support] Argg! My PfSense just died!

2005-09-25 Thread Bill Marquette
On 9/25/05, Mojo Jojo [EMAIL PROTECTED] wrote:
 
 Ever heard of CARP?  We have that you know.
 

 Yes, it's one of the reasons I chose your product over others.. However, I
 was going to set it up in case of unplanned failure of hardware or software.
 In this case, I am basically planning on failure because that's exactly
 what's happening AND it's consistent.

I plan on my machines failing, so I run carp...if I didn't plan on
them failing, I wouldn't :)  With that said, yes it shouldn't be
hanging or locking up on you.  But if it does, it's likely to be an OS
bug that we can't fix.  I don't know what more to tell you - none of
my pfSense boxes randomly hang, from time to time I've seen a kernel
panic - but even that's cleaned up a lot as the FreeBSD betas have
stabilized.

 This is sort of like putting a UPS battery on a server because the power
 goes out every two or three days. The UPS is a good idea but it's a better
 idea to fix the real problem.

Erm, sometimes you can't fix the power company...actually, I've never
been able to fix the power company.

--Bill



Re: [pfSense Support] wrap 85.2

2005-09-26 Thread Bill Marquette
Oddly I haven't seen this on my wrap installs :-/

There was a broken commit of /etc/filter.inc that would have exhibited
this behavior on a wrap, but that didn't make it into 0.85.2 (just
confirmed on one of my installs)

Warning: touch(): Unable to create file /filter_dirty makes me think
we missed a global $g somewhere.

--Bill


On 9/26/05, Scott Ullrich [EMAIL PROTECTED] wrote:
 This is not correct.   WRAP's should be running on a memory mounted /tmp/

 What does /etc/platform say? If it does not say wrap, please change
 it and reboot.

 Scott


 On 9/26/05, Rodolfo Vardelli [EMAIL PROTECTED] wrote:
  I have just upgrade from 84.6 to 85.2 (on wrap),
  modifying a firewall rule I got this error
 
  Warning: touch(): Unable to create file /filter_dirty because Read-only
  file system in /etc/inc/filter.inc on line 57
 
  regards
  Rodolfo
 
 
 







Re: [pfSense Support] wrap 85.2

2005-09-26 Thread Bill Marquette
N...don't do that :)  I split the shaper code off into another
file, you will break if you simply follow this.

/etc/rc.conf_mount_rw
touch /etc/inc/shaper.inc
/etc/rc.conf_mount_ro
update_file.sh /etc/inc/shaper.inc
update_file.sh /etc/inc/filter.inc

--Bill

On 9/26/05, Scott Ullrich [EMAIL PROTECTED] wrote:
 update_file.sh /etc/inc/filter.inc

 On 9/26/05, Rodolfo Vardelli [EMAIL PROTECTED] wrote:
  Scott Ullrich wrote:
 
  Where? So I can fix on my board
 
  regards
  Rodolfo
 
   Yep, there was a small typo in filter.inc.   It's fixed now.
  
   Scott
  
  



Re: [pfSense Support] Interesting failure

2005-09-27 Thread Bill Marquette
Probably not when certain people split a dozen or so functions out
into their own file :)  0.85.4 has all the latest fixes.  At this
time, there isn't much patched post 0.85.4 (unless you try running
ipv6 tunneling :)), I'd recommend moving to it.

--Bill

On 9/27/05, Dan Swartzendruber [EMAIL PROTECTED] wrote:
 At 11:56 PM 9/26/2005, you wrote:
 This file was introduced after 0.85.2.  Are you sure you didn't update
 filter.inc ?

 i probably did.  i think i was trying to pick up a bugfix.  probably
 not a good idea.








Re: [pfSense Support] 050.2 CARP won't go Master or Backup

2005-09-27 Thread Bill Marquette
Only problems I've had with carp recently weren't actually due to
carp, but the dhcp daemon.  There's a hold down timer somewhere that
won't let it come up as primary for 300 or 360 seconds (my bet is
there are two different timeouts, a 60 second timeout and a 300 second
one).  So if you're running a highly available DHCP server on your
pfSense box, keep this in mind - don't reboot both within about 10
minutes of each other for now.

--Bill

On 9/27/05, Holger Bauer [EMAIL PROTECTED] wrote:
 I have a working carp config at home. Have failed over several times the last 
 days, with 0.85.2 and 0.85.4 no session was dropped (I even was tunnelling 
 from a client behind the carpmachines to the office). DNS and DHCP is 
 configured for failover as well. I haven't seen any issues so far. Anybody 
 else seeing having problems? Strange.

 Holger



 -----Original Message-----
 From: Frimmel, Ivan (ISS South Africa) [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, 27 September 2005 11:47
 To: support@pfsense.com
 Subject: RE: [pfSense Support] 050.2 CARP won't go Master or Backup


 HI

 Yes .. 085.2 .. 085.4 does the same too. Enable / disable does not work ... 
 goes to init always. 0.85 worked.. did an upgrade to 085.2 it stopped 
 working. I deleted all carp entries and re-setup from scratch. I will try 
 update_file.sh and let you know results.

 Tx
 Ivan


 -Original Message-
 From: Holger Bauer [mailto:[EMAIL PROTECTED]
 Sent: Monday, September 26, 2005 10:55 AM
 To: support@pfsense.com
 Subject: AW: [pfSense Support] 050.2 CARP won't go Master or Backup

 0.50.2? I guess you are talking about 0.85.2, if not upgrade! ;-)

 I only have experienced such problems if the carpinterfaces didn't match the 
 real ip/subnet-range of the real interface the carp interface is running on. 
 Another thing to try is to manually disable and enable CARP at 
 Status > CARP (failover) in the webgui. If it's working after that there might 
 be a problem bringing up everything in the right order.

 There also have been some changes to CARP lately. You might want to run 
 update_file.sh -all from the shell to grab the latest changes.

 Holger



 -----Original Message-----
 From: Frimmel, Ivan (ISS South Africa) [mailto:[EMAIL PROTECTED]
 Sent: Monday, 26 September 2005 09:34
 To: support@pfsense.com
 Subject: [pfSense Support] 050.2 CARP won't go Master or Backup


 HI

 I have Carp running successfully on 0.50. Upgraded yesterday to 050.2
 and CARP absolutely refuses to start. OPT1 is up. PPPoE is UP. CARP goes
 to INIT and does not ever go master or backup.

 I deleted all CARP configs and recreated everything from scratch. On
 both boxes CARP will not start. Hitting Disable / enable makes it go
 from disable to INIT.. but never starts. Even tried doing everything
 with the second box physically turned off. No difference.

 Any ideas?
 Tx
 Ivan.





Re: [pfSense Support] 050.2 CARP won't go Master or Backup

2005-09-27 Thread Bill Marquette
On 9/27/05, Frimmel, Ivan (ISS South Africa) [EMAIL PROTECTED] wrote:
 HI

 PPPoe is on WAN .. CARP is on LAN with carp sync on OPT1.

 OK so you guys are going to laugh at me. I do feel stupid. As a fault finding 
 procedure and just to get connectivity back I halted router2, which is UTP 
 crossed over connected to router 1 on OPT1. So OPT1 (carp sync) is down. (no 
 link since you need both nic up to have link). CARP will NOT come up without 
 link on OPT1. My suggestion in terms of best practice is to have a switch on 
 OPT(sync) when using CARP. It has wasted a lot of my time and it IS my fault 
 cause I was cheap just using cross over cable.
 Tx all ..

Hrm...I'll have to test this out at home :-/  At work everything is
always plugged into a switch (the machines are miles apart), but at
home I'm using a crossover cable for the dedicated sync network.  But
I didn't think that CARP would stay down forever if the sync interface
was down :-/

--Bill




Re: [pfSense Support] 85.2 traffic Shapper TOS error

2005-09-27 Thread Bill Marquette
Are both supposed to be selected?  I suspect for this to work we'll
need to convert those to the hex values and do a bitwise AND on them. 
I trust you'll be able to test any changes we make?

--Bill

On 9/27/05, William Armstrong [EMAIL PROTECTED] wrote:
 The error is not in the TF wizard..

 I tried to clone the rule for MS-RDP (port 3389) to another service,
 RADMIN (port 4899), but when I select TOS low delay and throughput
 for this rule I get this error, and if I do not select them it works fine.


 2005/9/27, Scott Ullrich [EMAIL PROTECTED]:
  This just came up moments ago   Rerun the ez-shaper wizard.
 
  Scott.
 
  On 9/27/05, William Armstrong [EMAIL PROTECTED] wrote:
   I get this error when I include a manual rule for the service Radmin
  
   php: : There were error(s) loading the rules: /tmp/rules.debug:115:
   syntax error /tmp/rules.debug:116: syntax error /tmp/rules.debug:117:
   syntax error /tmp/rules.debug:118: syntax error pfctl: Syntax error in
   config file: pf rules not loaded - The line in question reads [115]:
   pass in on xl0 proto tcp from 10.0.1.0/24 to any port 4899 tos
   lowdelay,throughput keep state tag qOthersDownH
  
  
   --
   -=-=-=-=-=-=-=-=-=-
   William David Armstrong
   Bio Systems Security.
   ICQ 10253747 MSN [EMAIL PROTECTED]
   --
   Nobody is born knowing everything.
   But everything can be learned;
   And mainly because everything can be taught. By Bio.
   --
  
 
 






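The fix Bill sketches above, as an added example that is not pfSense code: pf accepts a single operand after `tos`, so two checked TOS boxes have to be folded into one byte before the rule is written out. The bit values are the RFC 791 TOS bits; the rule template, the function names and the flag names `lowdelay`/`throughput`/`reliability` used as dictionary keys are my own choices for this illustration.

```python
"""Build the single 'tos' operand pf expects from a set of TOS flag names.

Added example, not pfSense's own code.  The bit values are the RFC 791
Type-of-Service bits; the rule template mirrors the failing line quoted in
the thread but is otherwise an assumption of this example."""

# RFC 791 Type-of-Service bits (bits 3..5 of the TOS byte).
TOS_BITS = {
    "lowdelay": 0x10,
    "throughput": 0x08,
    "reliability": 0x04,
}


def tos_value(flags):
    """OR the named flags into one integer.

    Unknown names raise ValueError so a typo in a rule editor does not
    silently become 'tos 0'.
    """
    value = 0
    for name in flags:
        if name not in TOS_BITS:
            raise ValueError("unknown TOS flag: %r" % (name,))
        value |= TOS_BITS[name]
    return value


def tos_clause(flags):
    """Return the pf rule fragment for the flags, or '' when none are set.

    One flag is emitted by name (pf knows 'lowdelay' etc.); a combination
    is emitted as one hex byte, which is the form pfctl parses.
    """
    flags = list(flags)
    if not flags:
        return ""
    if len(flags) == 1:
        return "tos %s" % flags[0]
    return "tos 0x%02x" % tos_value(flags)


def has_tos(tos_byte, flag):
    """Bitwise AND test: does a captured TOS byte carry the given flag?"""
    return (tos_byte & TOS_BITS[flag]) != 0


def build_rule(iface, src, dport, flags, queue):
    """Assemble a pass rule shaped like the one in the thread, with a
    single tos operand.  Hypothetical template for this example."""
    parts = ["pass in on", iface, "proto tcp from", src,
             "to any port", str(dport)]
    clause = tos_clause(flags)
    if clause:
        parts.append(clause)
    parts += ["keep state tag", queue]
    return " ".join(parts)


if __name__ == "__main__":
    print(build_rule("xl0", "10.0.1.0/24", 4899,
                     ["lowdelay", "throughput"], "qOthersDownH"))
```

Run it and the offending line from the thread comes out as `... port 4899 tos 0x18 keep state tag qOthersDownH`, which pfctl will load; `has_tos` is the same AND test applied in the other direction, to a TOS byte seen on the wire.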


Re: [pfSense Support] unexpected dhcp lease

2005-09-28 Thread Bill Marquette
Are these two logical networks on the same physical network?  I'm
noticing the request came in on both fxp0 and xl0 - that seems kinda
odd.

Sep 28 14:35:03 dhcpd: DHCPREQUEST for 192.168.2.254 (192.168.2.4)
from 00:12:79:ad:c6:fc (TRC-dc5100) via fxp0: wrong network.
Sep 28 14:35:03 dhcpd: DHCPREQUEST for 192.168.2.254 (192.168.2.4)
from 00:12:79:ad:c6:fc (TRC-dc5100) via xl0

--Bill

On 9/28/05, Imre Ispanovits [EMAIL PROTECTED] wrote:
 Hi,

 I have a problem with pfSense's dhcp server since 0.85.x (I guess it wasn't
 an issue in 0.84.6).
 I have two lan interfaces and both serve as dhcp servers, of course not
 overlapping.
 My problem is that on lan2 (opt2 - xl0) a dynamic ip address is always issued
 despite it shouldn't be, because only fixed leases are expected. This is the
 only address I have to configure for the dhcp server's range. What's more
 strange, for that mac address (00:12:79:ad:c6:fc) a fixed lease is reserved
 on the other (fxp0) interface, which as I see in the logs is offered once,
 but the other address is picked up.
 This never happened on the other interface.

  In syslog I have:
 
 Sep 28 14:35:04 last message repeated 2 times
 Sep 28 14:35:03 kernel: arp: 192.168.2.254 is on xl0 but got reply from 
 00:12:79:ad:c6:fc on fxp0
 Sep 28 14:34:49 last message repeated 5 times
 Sep 28 14:34:36 dhcpd: send_packet: Invalid argument
 
 and in dhcp logs:
 
 Sep 28 14:35:03 dhcpd: DHCPNAK on 192.168.2.254 to 00:12:79:ad:c6:fc via fxp0
 Sep 28 14:35:03 dhcpd: DHCPREQUEST for 192.168.2.254 (192.168.2.4) from 
 00:12:79:ad:c6:fc (TRC-dc5100) via fxp0: wrong network.
 Sep 28 14:35:03 dhcpd: DHCPACK on 192.168.2.254 to 00:12:79:ad:c6:fc 
 (TRC-dc5100) via xl0
 Sep 28 14:35:03 dhcpd: DHCPREQUEST for 192.168.2.254 (192.168.2.4) from 
 00:12:79:ad:c6:fc (TRC-dc5100) via xl0
 Sep 28 14:35:03 dhcpd: DHCPOFFER on 192.168.0.22 to 00:12:79:ad:c6:fc via fxp0
 Sep 28 14:35:03 dhcpd: DHCPDISCOVER from 00:12:79:ad:c6:fc via fxp0
 Sep 28 14:35:03 dhcpd: DHCPOFFER on 192.168.2.254 to 00:12:79:ad:c6:fc 
 (TRC-dc5100) via xl0
 Sep 28 14:35:03 dhcpd: DHCPDISCOVER from 00:12:79:ad:c6:fc via xl0
 Sep 28 14:34:51 dhcpd: DHCPRELEASE of 192.168.2.254 from 00:12:79:ad:c6:fc 
 via fxp0 (found)
 Sep 28 14:34:51 dhcpd: DHCPRELEASE of 192.168.2.254 from 00:12:79:ad:c6:fc 
 (TRC-dc5100) via xl0 (found)
 Sep 28 14:34:49 dhcpd: send_packet: Invalid argument
 Sep 28 14:34:49 dhcpd: DHCPACK on 192.168.2.254 to 00:12:79:ad:c6:fc 
 (TRC-dc5100) via fxp0
 Sep 28 14:34:49 dhcpd: DHCPREQUEST for 192.168.2.254 from 00:12:79:ad:c6:fc 
 (TRC-dc5100) via fxp0
 Sep 28 14:34:49 dhcpd: send_packet: Invalid argument
 ##
 My two lan interfaces are as below:
 <interfaces>
   <lan>
     <if>fxp0</if>
     <ipaddr>192.168.0.3</ipaddr>
     <subnet>24</subnet>
     <media/>
     <mediaopt/>
     <bridge/>
     <bandwidth>100</bandwidth>
     <bandwidthtype>Mb</bandwidthtype>
   </lan>
   <opt2>
     <descr>LAN2</descr>
     <if>xl0</if>
     <bridge/>
     <enable/>
     <bandwidth>100</bandwidth>
     <bandwidthtype>Mb</bandwidthtype>
     <ipaddr>192.168.2.4</ipaddr>
     <subnet>24</subnet>
     <gateway/>
     <spoofmac/>
     <mtu/>
   </opt2>
 </interfaces>

 and dhcp servers :
 <dhcpd>
   <lan>
     <range>
       <from>192.168.0.250</from>
       <to>192.168.0.250</to>
     </range>
     <defaultleasetime/>
     <maxleasetime/>
     <denyunknown/>
     <failover_peerip/>
     <gateway/>
     <staticmap>
       <mac>00:14:c2:0b:95:49</mac>
       <ipaddr>192.168.0.21</ipaddr>
       <descr>lvc-felsorec</descr>
     </staticmap>
     <staticmap>
       <mac>00:08:02:d8:1f:eb</mac>
       <ipaddr>192.168.0.130</ipaddr>
       <descr>I.I. nc6000</descr>
     </staticmap>
     <staticmap>
       <mac>00:12:79:ad:c6:fc</mac>
       <ipaddr>192.168.0.22</ipaddr>
       <descr>dc5100 teszt</descr>
     </staticmap>
     <staticarp/>
     <enable/>
     <dnsserver>192.168.1.5</dnsserver>
     <dnsserver>192.168.1.1</dnsserver>
   </lan>
   <opt2>
     <range>
       <from>192.168.2.254</from>
       <to>192.168.2.254</to>
     </range>
     <defaultleasetime/>
     <maxleasetime/>
     <failover_peerip/>
 

Re: [pfSense Support] 1:1 NAT loopback

2005-09-29 Thread Bill Marquette
Well, it's not supposed to work.  I'm still not sure how it was made
to work in this fashion.  But, I can offer one suggestion on a way
that it might work.  On the outbound NAT screen, you'll need to create
a NAT bound to the LAN interface NATing everything from LAN destined
for LAN to the LAN IP on your firewall.  The problem you're seeing is
that the firewall is redirecting you to the server, but the reply
traffic from the server is getting sent to your workstations real IP.

--Bill

On 9/28/05, Simon SZE-To [EMAIL PROTECTED] wrote:
 Hello,

  I read the thread from Aug 26 and found that some pfSense users were able to
  access a 1:1 NATted service from the LAN segment, but when I tried it today
  it failed.

  My testing environment:
  - the public IP xx.xx.xx.46 1:1 NAT to 10.0.138.9
  - proxy ARP the xx.xx.xx.46
  - allow any to any access to xx.xx.xx.46 in firewall rule
  - my workstation IP is 10.0.138.130
  - pfSense's IP is xx.xx.xx.42

  I did the following steps:
  - telnet xx.xx.xx.46 110 (of course I have a POP3 service listening)
  - I got connection failed after around 20 sec
  - the states got the following 2 lines:
  self tcp 10.0.138.130:1941 -> xx.xx.xx.42:51404 -> xx.xx.xx.46:110   SYN_SENT:CLOSED
  self tcp xx.xx.xx.46:110 <- 10.0.138.130:1941   CLOSED:SYN_SENT


  Thanks!

  Simon SZE-To






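Bill's explanation of why the reply goes astray, as an added example (not pfSense code): a small model of the packet flow with and without the extra `nat on LAN` rule. The addresses are placeholders in the spirit of the thread (`198.51.100.46` stands in for xx.xx.xx.46, `10.0.138.1` is an assumed LAN address for the firewall), and the model deliberately ignores the WAN-side outbound NAT that shows up as xx.xx.xx.42:51404 in the state lines; it only asks one question, which host the server's SYN/ACK is addressed to and whether the client's TCP stack will accept it.

```python
"""Why 1:1 NAT 'loopback' from the LAN needs a second NAT on the LAN side.

Added example, not pfSense code.  Addresses are placeholders (the public
address is from the RFC 5737 documentation range; FW_LAN is assumed).
Forwarding model: a host on the LAN subnet hands a packet directly to any
other LAN host at layer 2, and everything else goes via the firewall."""

import ipaddress

LAN_NET = ipaddress.ip_network("10.0.138.0/24")
FW_LAN = "10.0.138.1"       # assumed LAN address of the pfSense box
PUBLIC = "198.51.100.46"    # stands in for xx.xx.xx.46 (1:1 mapped address)
SERVER = "10.0.138.9"
CLIENT = "10.0.138.130"


def on_lan(ip):
    return ipaddress.ip_address(ip) in LAN_NET


class Firewall:
    """1:1 inbound redirect plus an optional 'nat on LAN' (reflect=True).

    States are keyed the way pf keys them, on the translated tuple, so a
    reply can be matched back to the tuple the client expects."""

    def __init__(self, reflect):
        self.reflect = reflect
        self.states = {}        # (reply src, reply dst) -> (client, dialled dst)

    def forward(self, src, dst):
        """Client -> firewall.  Apply the 1:1 redirect, then the optional
        source NAT, record the state and return the packet as sent on."""
        orig = (src, dst)
        if dst == PUBLIC:
            dst = SERVER                       # rdr half of the 1:1 mapping
        if self.reflect and on_lan(src) and on_lan(dst):
            src = FW_LAN                       # nat on LAN: hide the client
        self.states[(dst, src)] = orig
        return src, dst

    def reverse(self, src, dst):
        """Server -> firewall.  Look the state up and undo both translations;
        None means pf has no state and would drop the packet."""
        orig = self.states.get((src, dst))
        if orig is None:
            return None
        client, dialled = orig
        return dialled, client                 # reply now 'from' PUBLIC


def reply_path(src, dst):
    """Same-subnet traffic never passes the firewall unless the firewall
    itself is the destination."""
    if dst == FW_LAN or not on_lan(dst):
        return "firewall"
    return "direct"


def connect(reflect):
    """One SYN / SYN-ACK exchange.  Returns the (src, dst) the client sees
    on the reply, or None if the reply is dropped on the way."""
    fw = Firewall(reflect)
    s_src, s_dst = fw.forward(CLIENT, PUBLIC)
    r_src, r_dst = s_dst, s_src                # server answers what it saw
    if reply_path(r_src, r_dst) == "firewall":
        return fw.reverse(r_src, r_dst)
    return r_src, r_dst


def client_accepts(reply):
    """A TCP stack only matches a SYN-ACK whose source is the address it
    dialled; a SYN-ACK straight from SERVER is ignored and the SYN times out."""
    return reply is not None and reply[0] == PUBLIC


if __name__ == "__main__":
    for reflect in (False, True):
        reply = connect(reflect)
        print("nat on LAN:", reflect, "reply seen by client:", reply,
              "accepted:", client_accepts(reply))
```

Without the LAN-side NAT the server answers the workstation directly with its own address as source, so the workstation never sees a reply from the address it dialled and the state sits in SYN_SENT until it times out, which is the roughly 20 second failure Simon reports. With it, the reply is addressed to the firewall, the state matches and both translations are undone.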

Re: [pfSense Support] 802.11q vlans

2005-09-29 Thread Bill Marquette
Is the switch port configured for tagging, or did you configure it to
allow vlans 1-4 to talk to port 2?  The VLAN setup in pfSense utilises
802.1q tagging, enabling vlans on a port doesn't necessarily configure
that port for tagged frames.

--Bill

On 9/29/05, alan walters [EMAIL PROTECTED] wrote:
 This might be off topic but I am flummoxed by the problem so I thought I
 would ask.

 Configuration

 Pfsense

 Lan - with 3 vlans and lan as parent.

 Switch with vlan 1 through to 4 enabled

 Port 2 is setup on switch with all vlans and is plugged into lan on pfsense.

 Then the other ports are allocated to individual vlans.

 The communications across vlans looks fine on the switch itself (traffic
 seems to only flow within members of the vlans)

 The switch is a 3com 3300xm

 Lan
  |
  |
 Port2 on switch ---- port 4 on switch, vlan 3 ---- win XP
  |
  |
 port 3 on switch, vlan 2
  |
  |
 WinXP


Re: [pfSense Support] import monowall xml files

2005-09-29 Thread Bill Marquette
This used to work, but our config has significantly diverged from
m0n0.  I suspect if you used a config from where we forked it'd
probably work, but assuming m0n0 changed _anything_ in their config
file since then, it's unlikely to convert over.  I think we're at the
point where either someone needs to make it work, or the restore
function rejects a m0n0 config.

--Bill

On 9/29/05, Jonathan Woodard [EMAIL PROTECTED] wrote:
 i know this has probably been answered in previous posts but i didn't
 see them. i'm wondering if / how i can move my monowall xml file over to
 pfsense. i tried to just restore, thinking that i had seen a previous
 post saying it was ok,  it but killed everything and i had to
 re-install. i would love to try pfsense and most likely will when i have
 more time. i just really hoped that all my configurations are not lost
 when moving over. thanks and i apologize if i wasn't detailed enough.




Re: [pfSense Support] 802.11q vlans

2005-09-29 Thread Bill Marquette
On 9/29/05, Dan Swartzendruber [EMAIL PROTECTED] wrote:
 i assumed he had all that correct, since he said
 he could see the traffic going into the pfsense
 port.  i was going to ask the same question,
 myself.  this has to be a config problem, as i'm using this exact same setup.

I agree, which is why I asked the obvious question :)  Not everyone
realizes that marking a port with multiple vlans doesn't mean that
it's a tagged port, just that the machine on that port can see and
talk to each of the vlans (untagged).  That of course would require
pfSense to support real interface aliases - which we don't (and I'm
not yet convinced is required)

--Bill


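The distinction Bill draws between a port that is a member of several VLANs and a port that sends tagged frames, as an added example that is not pfSense code: a minimal 802.1Q frame parser. A pfSense VLAN interface only receives frames that arrive with a tag carrying its VID; frames the switch sends untagged look like `UNTAGGED` below and land on the parent interface instead. The sample frames, MAC addresses and the fake IPv4 payload are constructed here, not captured.

```python
"""Parse the start of an Ethernet frame and report any 802.1Q tag.

Added example, not pfSense code.  Frames are constructed in this file."""

import struct

ETHERTYPE_VLAN = 0x8100    # 802.1Q TPID
ETHERTYPE_IPV4 = 0x0800


def parse_frame(frame):
    """Return a dict with dst, src (hex), vid/pcp (or None when untagged),
    the payload ethertype and the payload bytes."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vid = pcp = None
    offset = 14
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp = tci >> 13            # 3-bit priority code point
        vid = tci & 0x0FFF         # 12-bit VLAN ID
        offset = 18
    return {
        "dst": dst.hex(), "src": src.hex(),
        "vid": vid, "pcp": pcp,
        "ethertype": ethertype, "payload": frame[offset:],
    }


def tag_frame(dst, src, vid, ethertype, payload, pcp=0):
    """Build an 802.1Q-tagged frame: the inverse of parse_frame."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return dst + src + struct.pack("!HHH", ETHERTYPE_VLAN, tci, ethertype) + payload


def vlan_iface_accepts(frame, iface_vid):
    """Would a VLAN subinterface configured for iface_vid see this frame?
    Untagged frames belong to the parent interface, so the answer is no
    no matter which VLANs the switch port is a member of."""
    return parse_frame(frame)["vid"] == iface_vid


# Constructed sample data (not captured traffic).
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
IP_STUB = b"\x45\x00" + b"\x00" * 18            # first 20 bytes of a fake IPv4 header
TAGGED_V3 = tag_frame(DST, SRC, 3, ETHERTYPE_IPV4, IP_STUB)
UNTAGGED = DST + SRC + struct.pack("!H", ETHERTYPE_IPV4) + IP_STUB

if __name__ == "__main__":
    for label, frame in (("tagged vlan 3", TAGGED_V3), ("untagged", UNTAGGED)):
        info = parse_frame(frame)
        print(label, "vid:", info["vid"], "seen by vlan3 iface:",
              vlan_iface_accepts(frame, 3))
```

Running this against a real capture from the pfSense side (a tcpdump on the parent interface) is the quick way to settle the question in the thread: if the frames from the 3Com port show no `0x8100` ethertype, the port is untagged and the VLAN interfaces will never match.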


Re: [pfSense Support] Traffic shaping. Parent Queue

2005-09-29 Thread Bill Marquette
Wrong.  A parent queue denotes a child queue.  Create 4 queues and
assign your rules to the two child queues.  Better yet, use the
ezshaper wizard, it's there so you don't have to try and figure out
how it all works.

--Bill

On 9/29/05, Audun Brekke [EMAIL PROTECTED] wrote:
 There seems to be an error in the traffic shaping.

 When I set the queues manually it is not possible to set the parent queue.

 I can set the queue to be parent in the webui, but the queue doesn't seem to
 be updated.

 I get an error like:

 php: : There were error(s) loading the rules: /tmp/rules.debug:16: queue
 MaxDownload has no parent /tmp/rules.debug:16: errors in queue definition
 /tmp/rules.debug:17: queue MaxUpload has no parent /tmp/rules.debug:17:
 errors in queue definition pfctl: Syntax error in config file: pf rules not
 loaded - The line in question reads [16]: queue MaxDownload bandwidth 4100Kb
 cbq

 There is no change in the config file if I set or unset the "this is the
 parent queue" in the webui.

 A line like this should be added in the config files when the "this is the
 parent queue" is selected:

 altq on xl0 cbq queue { MaxDownload }

 -Audum-

 --
  No virus found in this outgoing message.
  Checked by AVG Anti-Virus.
  Version: 7.0.344 / Virus Database: 267.11.9/115 - Release Date: 29.09.2005





Re: [pfSense Support] Questions about Load Balancing

2005-09-29 Thread Bill Marquette
Not unique, we just don't have an easy way to implement ratio based
load balancing at this time.  BTW, it'd be connection based anyway,
not true bandwidth balancing.  I'd recommend putting some clients on
one connection, some on the other and manually balance the links using
rules.

--Bill

On 9/29/05, Wesley K. Joyce [EMAIL PROTECTED] wrote:
 Hi Scott, is there a solution to this?  Am I unique in that I have multiple 
 WAN connections of different capacities?

 Anyone have another solution?

 Thanks

 

 From: Scott Ullrich [mailto:[EMAIL PROTECTED]
 Sent: Thu 9/29/2005 7:20 PM
 To: support@pfsense.com
 Subject: Re: [pfSense Support] Questions about Load Balancing



 Load balancing uses round robin.

 Scott


 On 9/29/05, Wesley K. Joyce [EMAIL PROTECTED] wrote:
  Greetings, I have a Squid PROXY server that I want to use two DSL
  connections that I have with.  However, one of them is a 1 megabit
  connection and the other is a 512kbps connections.  Based on what I have
  read on the list, I am concerned that the load balancing algorithm will
  NOT distribute 2/3 and 1/3 of the combined 1.5mbps for the outgoing
  traffic over the two connections respectively.  Am I incorrect in this?
  Will it maximize each connection if they are of difference capacities?
 



Re: [pfSense Support] beep on ready suggestion

2005-09-30 Thread Bill Marquette
http://img.m0n0.ch/docbook-current/faq-hiddenopts.html

I'm assuming beep is in our standard build (I don't have one in front
of me).  Just add:
<shellcmd>/usr/local/bin/beep</shellcmd> to the system tree in config.xml

--Bill

On 9/30/05, Jonathan Woodard [EMAIL PROTECTED] wrote:
 LOL, thanks bill. however, i'm about as dumb as a brick when it comes to
 bsd. i was just hoping that a particular start/stop sequence could be
 added to the pfsense .iso. i'd be happy to help accomplish this if
 someone would point me in the direction or add it and allow me to test
 it. also, i realize that there might be some people who don't like it, i
 would think there needed to be a simple way to disable it if desired.
 thank you very much again for your interest in my idea.




Re: [pfSense Support] IPSecPassThru not working with .86 Wrap?

2005-10-03 Thread Bill Marquette
On 10/3/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 All-

 Today I upgraded my Wrap .84 to .86 via the Mini-Wrap Upgrade file.

 My Cisco VPN (software client on my laptop to connect to my office) no
 longer connects.

 Logs from the pfsense firewall (forwarded to a server via syslog) show that
 ISAKMP is being blocked inbound. With PFSense .84, I never had to have a
 NAT port-forward for UDP/500.

 ==snip===

 Oct  3 14:23:09 192.168.0.1 pf: 39. 806905 rule 146/0(match): block in on
 sis1: 65.215.72.34.500 > 64.142.26.224.500: [|isakmp]

 ==snip===

How bizarre...that's the pre-NAT'd address too.  It's almost like the
outbound NAT rule for this got re-arranged.

Can I see your /tmp/rules.debug?

 Even setting up a port-forward for UDP/500 doesn't work.

Without this of course :)  You would have needed it to create a rule
too...but my bet is that the outbound traffic is getting NATd wrong.

--Bill




Re: [pfSense Support] IPSecPassThru not working with .86 Wrap?

2005-10-03 Thread Bill Marquette
OK, this is now fixed in CVS.  Expect this fix in the next release.

--Bill

On 10/3/05, Scott Ullrich [EMAIL PROTECTED] wrote:
 upgrade.tgz is a safe bet if you have a full install.   upgrade.tgz is
 used by the BSD Installer to have an easy upgrade path although that
 may be slated for removal since it can be somewhat confusing.

 If you care to spend a few minutes to try a few things, it may be very 
 helpful:

 Save a copy of /tmp/rules.debug from the version that does not work
 and downgrade back to 0.84.   Send /tmp/rules.debug from both 0.84 and
 and the version that doesn't work to us so we can inspect it.

 Thanks!

 On 10/3/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
  At 02:28 PM 10/3/2005, Scott Ullrich wrote:
  On 10/3/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
All-
   
Today I upgraded my Wrap .84 to .86 via the Mini-Wrap Upgrade file.
   
My Cisco VPN (software client on my laptop to connect to my office) no
longer connects.
   
Logs from the pfsense firewall (forwarded to a server via syslog) show 
that
ISAKMP is being blocked inbound. With PFSense .84, I never had to have a
NAT port-forward for UDP/500.
   
==snip===
   
    Oct  3 14:23:09 192.168.0.1 pf: 39. 806905 rule 146/0(match): block in
    on
    sis1: 65.215.72.34.500 > 64.142.26.224.500: [|isakmp]
   
==snip===
   
Even setting up a port-forward for UDP/500 doesn't work.
   
Any ideas?
  
  Very interesting.  I looked back through the commits from 0.84 - 0.86
  but I honestly don't see anything that altered the rules except for
  aliases.   How are you allowing the traffic out (from the LAN
  interface I would guess)?
 
  My laptop is on the LAN, and I am allowing all outbound traffic.
 
  I used the upgrade .tgz, is that supported at this time? Or was I jumping
  the gun?
 
  I can try a full install of .86, or go back to a full install of .84. I
  have a small Wrap box I have to take apart whenever I do a full install, so
  I'll take your best hint at the moment. Anything in particular I can post
  here from my rules.debug?
 
 
 
  --
  [EMAIL PROTECTED]
 
 



Re: [pfSense Support] Traffic shaper-rules

2005-10-04 Thread Bill Marquette
Yeah, the bandwidth in the queue screen doesn't really work quite
right :-/  Try setting the upperlimit field.  It's kind of difficult
for me to test some of this stuff out any more - my home network is
under strict change control and I don't have all the equipment needed
to keep a test network for all the parts of pfSense that I work on up
at all times.

If anyones willing to help out, I need another wrap/soekris and an
atheros card w/ or w/out antenna (I have spare u.fl pigtails and
antenna already).  I've got a sick design that should allow me to test
out most if not all features I currently have a hand in supporting and
allow for some future development work w/out impacting my wife (and
thus me, which in turn means you ;-P !).

--Bill

On 10/4/05, Robo.K. [EMAIL PROTECTED] wrote:

 Hi Bill.
 Can you please tell me which item manages the speed to the internet from LAN in
 the traffic shaper after I executed the ez shaper wizard?
 Because if I create a new queue with a defined speed, for example 128kbit, and as
 parent the LAN default queue (1024kbit/s), and a new rule based on this queue, and
 I place this new rule on top of the rules, my speed to the internet is still the max
 I specified in the parent default queue.
 Thank you. Robo.






Re: FW: [pfSense Support] Traffic shaper-rules

2005-10-04 Thread Bill Marquette
On 10/4/05, Robo.K. [EMAIL PROTECTED] wrote:

  Sorry, i am crazy. Now its working. But I don`t know what
 happens. :-}}}

The shaper is stateful.  Changes to it will not impact in-flight
connections, only new.

--Bill




Re: [pfSense Support] Error in traffic shaper in 0.86

2005-10-04 Thread Bill Marquette
Hmmm...was the queue "128klienti,zhlt"???  I don't think commas are
allowed in queue names, I'll have to fix (hrm, or create!) the input
validation on that field.

--Bill

On 10/4/05, Robo.K. [EMAIL PROTECTED] wrote:

 After running ezshaper wizard is all ok.
 When i create new queue 128kbit/s and choose as parent qWANRoot or qLANRoot
 /don`t matter/ and choose RED and ECN and save and apply, then i get in
 news and in system logs message:
 php: : There were error(s) loading the rules: /tmp/rules.debug:32: syntax
 error /tmp/rules.debug:202: syntax error /tmp/rules.debug:220: syntax error
 /tmp/rules.debug:249: syntax error pfctl: Syntax error in config file: pf
 rules not loaded - The line in question reads [32]: queue 128klienti,zhlt
 bandwidth 128Kb priority 5 hfsc ( red ecn )

 System was upgraded from 0.85.6 to 0.86

 Regards
 Robo.







Re: [pfSense Support] 256MB Wrap Image?

2005-10-07 Thread Bill Marquette
Hmmm, maybe I'm missing something here.  What's wrong with the 128M
image?  It fits on my 256M flashes w/out problems.  And seeing as the
WRAPs no longer support packages it's kind of pointless to add more
space to them (I think - but then I'm obviously missing something :))

--Bill

On 10/7/05, Michiel de Jager [EMAIL PROTECTED] wrote:
 Maybe someone can mail it also to me :-)
 Same situation here.

 Michiel


 On Thu, 2005-10-06 at 23:02 -0400, Eric M. Faden wrote:
  Does anyone have a 256MB wrap image they can email me? or
  that I can download from somewhere?  I don't actually have
  a FreeBSD box handy to resize the image.
 
  -Eric
 



Re: [pfSense Support] suggestion for LAN rule menu

2005-10-07 Thread Bill Marquette
On 10/7/05, Dan Swartzendruber [EMAIL PROTECTED] wrote:
 allowable protocol can be tcp/udp, and it add separate rules for tcp and
 udp. cool. unfortunately, you then have to add one manually for icmp
 assuming one wants to be able to ping outside hosts. how about
 tcp/udp/icmp also/instead?

tcp and udp require ports (or any) and icmp requires no ports, so any
would have to be the setting.  I can see more problems than
benefits from that.

--Bill

PS. we actually only add one rule if you choose tcp/udp - pf does the
heavy lifting of making that two rules (which is why 'keep state' is
the only state option you can choose for tcp/udp).


Re: [pfSense Support] suggestion for LAN rule menu

2005-10-07 Thread Bill Marquette
On 10/7/05, Dan Swartzendruber [EMAIL PROTECTED] wrote:
  p.s. the reason i bumped into this was looking at my ntop data, i noticed a
 small amount of non-IP data going out the WAN port.  no idea what - i have a
 windows box (XP) but it should be doing NETBIOS over TCP (or whatever the
 option is), so I thought i'd get rid of that.

Hmmm, interesting.  For the default rule, we allow any protocol out.
 I'm a little surprised to hear non-IP data though as all that
should be going out is IP data.  Does ntop give you any indication of
what the non-IP data is?  I'll try a tcpdump on my home boxen and see
if we're sending something we shouldn't be.

--Bill




Re: [pfSense Support] Traffic shaper question + no parent problem

2005-10-09 Thread Bill Marquette
That's because you added them wrong and I'm not 100% positive the
existing shaper will work in that configuration. Bottom line is
that only the EZ-Shaper output is supported at this time. I'm
working on more shaper changes (stuff that will likely break whatever
custom stuff you do anyway), but I just got an offer on my house so
it's unlikely that work will be anywhere but in my head for another
month or two.

--Bill

On 10/9/05, Szasz Revai Endre [EMAIL PROTECTED] wrote:
  On 10/9/05, Scott Ullrich [EMAIL PROTECTED] wrote:
    Take a look at how the EZ Shaper wizard creates parent queues.

    Either way I have to edit the created configuration manually, or there
    is a possibility to create parent queues with the webconfigurator ?

   Yes, via the webConfigurator.

 Ah, sorry I messed up the question.
 I wanted to ask if there is a possibility to derive more queues from
 the hfsc queue. I tried to keep the traffic shaper rules which the
 wizard created, and add 2 master queues on top of that which would
 represent the whole traffic. Then the internet traffic would be
 derived from these queues.
 http://www.pfsense.com/pastebin/244
 I have also tried creating 2 more parent rules beside the rules which
 the wizard created, but that didn't work either.


Re: [pfSense Support] Traffic shaper question + no parent problem

2005-10-09 Thread Bill Marquette
PS. I'd be willing to answer any intelligent questions on the
code in the meantime from anyone willing to work on making setups like
this work. Hint, most of this will be XML setup in the wizard and
making sure the code in /etc/inc/shaper.inc actually parses a queue
tree with more than 2 levels (parent and child).

--Bill




Re: [pfSense Support] Traffic shaper question + no parent problem

2005-10-09 Thread Bill Marquette
On 10/9/05, Szasz Revai Endre [EMAIL PROTECTED] wrote:
 So it should be possible to create 2 parent queues (overall_lan,
 overall_wan), which under them would contain the actual shaper wizard
 config, or create 2 more separate queues (overall_lan, overall_wan)
 aside from what the shaper wizard created..

It _should_ be :)

 Here's the problem: I have generated a config with the wizard and saved
 it. It worked perfectly, thank you Bill :D
 And aside from that I have created 2 more parent queues, no special
 config (I have set the 100Mb/s bandwidth with 5 priority), and I have
 checked parent queue, and the shaper instantly said this:

 There were error(s) loading the rules:
 /tmp/rules.debug:32: queue overallLAN has no parent
 /tmp/rules.debug:32: errors in queue definition
 /tmp/rules.debug:33: queue overallWAN has no parent
 /tmp/rules.debug:33: errors in queue definition
 pfctl: Syntax error in config file: pf rules not loaded
 - The line in question reads [32]: queue overallLAN bandwidth 100Mb priority 5 hfsc

overallWAN and overallLAN need to be marked as parents. As do
qWANroot and qLANroot. qLAN/WANroot need to then be set as
children of overallWAN and overallLAN. This is, however, where I
suspect you'll run into trouble. I don't recall offhand, how
recursive I made the parent queue detection :) pf does support
this configuration, but our code doesn't do the recursion correctly
(just tested what you are trying). I did take a quick peek at the
code and thought I had a workaround, but it didn't work.

--Bill


Re: [pfSense Support] Sesamie Street on 086.2

2005-10-09 Thread Bill Marquette
So who's gonna make the sesame street one? I'll put that on my son's firewall! ;-P

--Bill

On 10/9/05, Holger Bauer [EMAIL PROTECTED] wrote:
 we can start selling ringtones at some point for $1? lol

 Holger

 -Original Message-
 From: Scott Ullrich [mailto:[EMAIL PROTECTED]]
 Sent: Sunday, 9 October 2005 21:22
 To: support@pfsense.com
 Subject: Re: [pfSense Support] Sesamie Street on 086.2

 I think so. I'm not sure how much effort we should spend on modifying
 the sounds of pfSense. ;)

 Scott

 On 10/9/05, Frimmel, Ivan (ISS South Africa) [EMAIL PROTECTED] wrote:
  2 profiles then ? Loud annoying or Smooth and Neighbour/partner friendly?!
  No seriously .. I think this is one feature that people can roll their
  own with now that the script is there?

  -Original Message-
  From: Scott Ullrich [mailto:[EMAIL PROTECTED]]
  Sent: Sunday, October 09, 2005 9:15 PM
  To: support@pfsense.com
  Subject: Re: [pfSense Support] Sesamie Street on 086.2

  Oh really? I thought that it was kinda loud last night when I
  rebooted the machine at 5 am :)

  Scott

  On 10/9/05, Frimmel, Ivan (ISS South Africa) [EMAIL PROTECTED] wrote:
   On my hands and knees.. it does;) They are amongst other more noisy
   equipment.
   I had to increase pitch to 2400, 2450 and 2500 to get a more noticeable
   noise ;). -p 2500 gives you a very nice audible (annoying?) tone. 200ms
   makes it sound like a cat being pressed in a vice.. not pleasant, but
   effective.
   Tx
   Ivan.

   -Original Message-
   From: Scott Ullrich [mailto:[EMAIL PROTECTED]]
   Sent: Sunday, October 09, 2005 8:46 PM
   To: support@pfsense.com
   Subject: Re: [pfSense Support] Sesamie Street on 086.2

   It should just work. Try running beep.sh from the console.

   Scott

   On 10/9/05, Frimmel, Ivan (ISS South Africa) [EMAIL PROTECTED] wrote:
    I scoured all the webgui pages .. but I don't seem to find a simple
    way to make my router beep on up or down .. is it a shell command that
    I need to add the rc scripts?

    PS: Update_file.sh after 086.2 upgrade and then reset password from
    console fixes the webgui issue for me.



Re: [pfSense Support] Traffic shaper question + no parent problem

2005-10-09 Thread Bill Marquette
On 10/9/05, Szasz Revai Endre [EMAIL PROTECTED] wrote:
 Okay, so I linked the qWanRoot and qLanRoot to the overallWan and
 overallWan respectively, each of them being parent queues (parents
 to the real root queue (hfsc)), but this is the generated config
 (rules.debug):

 altq on fxp1 hfsc queue { qWANRoot }
 altq on fxp0 hfsc queue { qLANRoot }
 queue overallLAN bandwidth 100Mb priority 5 hfsc { qLANRoot }
 queue overallWAN bandwidth 100Mb priority 5 hfsc { qWANRoot }

 the overallLAN, and overallWAN should have been the parent queues
 which are only children to the `real root queue (hfsc)` and nothing
 else.

Yep. You and I are getting the same thing.

 If I were to modify rules.debug by hand, could the system then use
 that? How would I load that configuration up?

pfctl -f /tmp/rules.debug
and
/sbin/pfctl -a {$queue['name']} -f /tmp/{$queue['name']}.rules

on each of the rules files in /tmp.

Any reboots and any webgui change will likely blow your manual configs away.

--Bill
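As an added example (not pfSense's shaper.inc and not code from anyone in this thread): a small Python model of the check Bill describes, which reproduces pfctl's "has no parent" complaint on the quoted rules.debug lines and then emits a correctly nested three-level tree by recursing over parent links; the interface name, queue names and bandwidths are constructed sample values.

```python
"""Added example (not pfSense's /etc/inc/shaper.inc): find the "queue X
has no parent" error from this thread in pf queue lines, and emit a
correctly nested HFSC tree of any depth by recursing over parent links."""
import re
from typing import Dict, List, Optional, Tuple
# Constructed copy of the broken rules.debug quoted in the thread:
# overallLAN/overallWAN are defined but no altq root list names them.
BROKEN_RULES = [
    "altq on fxp1 hfsc queue { qWANRoot }",
    "altq on fxp0 hfsc queue { qLANRoot }",
    "queue overallLAN bandwidth 100Mb priority 5 hfsc { qLANRoot }",
    "queue overallWAN bandwidth 100Mb priority 5 hfsc { qWANRoot }",
]
_CHILD_LIST = re.compile(r"\{\s*([^}]*)\}")  # names inside { a b c }

def find_orphans(lines: List[str]) -> List[str]:
    """`queue NAME` definitions no altq root list or parent queue names."""
    defined, referenced = [], set()
    for line in lines:
        parts = line.split()
        if not parts or parts[0] not in ("altq", "queue"):
            continue  # ignore filter/nat rules, which may also use braces
        if parts[0] == "queue":
            defined.append(parts[1])
        match = _CHILD_LIST.search(line)
        if match:
            referenced.update(match.group(1).split())
    return [name for name in defined if name not in referenced]
# Tree: queue name -> (parent name, or None for top level; rest of the line).
Tree = Dict[str, Tuple[Optional[str], str]]

def _children(tree: Tree, parent: Optional[str]) -> List[str]:
    return [name for name, (p, _) in tree.items() if p == parent]

def unreachable(tree: Tree) -> List[str]:
    """Queues with no chain of parents back to the altq root (bad parent or cycle)."""
    seen: List[str] = []
    def walk(name: str) -> None:  # depth-first, any nesting depth
        seen.append(name)
        for child in _children(tree, name):
            walk(child)
    for root in _children(tree, None):
        walk(root)
    return [name for name in tree if name not in seen]

def emit_hfsc_tree(interface: str, tree: Tree) -> List[str]:
    """Render altq + queue lines, each parent listing its children."""
    if unreachable(tree):
        raise ValueError(f"queues with no path to the root: {unreachable(tree)}")
    roots = _children(tree, None)
    lines = [f"altq on {interface} hfsc queue {{ {' '.join(roots)} }}"]
    def walk(name: str) -> None:
        kids = _children(tree, name)
        line = f"queue {name} {tree[name][1]}"
        if kids:
            line += " { " + " ".join(kids) + " }"
        lines.append(line)
        for kid in kids:
            walk(kid)
    for root in roots:
        walk(root)
    return lines
# Constructed three-level LAN tree: altq -> overallLAN -> qLANRoot -> leaves.
FIXED_LAN_TREE: Tree = {
    "overallLAN": (None, "bandwidth 100Mb priority 5 hfsc"),
    "qLANRoot": ("overallLAN", "bandwidth 100Mb priority 5 hfsc"),
    "qLANdef": ("qLANRoot", "bandwidth 90Mb priority 1 hfsc(default)"),
    "qLANacks": ("qLANRoot", "bandwidth 10Mb priority 7 hfsc"),
}
```

Running `find_orphans(BROKEN_RULES)` names exactly the two queues pfctl rejected, and `find_orphans(emit_hfsc_tree("fxp0", FIXED_LAN_TREE))` is empty because every parent now lists its children.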


Re: [pfSense Support] CF Installation options limitations

2005-10-10 Thread Bill Marquette
On 10/10/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 Hello,

 I've been struggling trying to install pfSense on my system for several
 days now. My system only has 1 IDE channel. I am planning on running off
 of a Compact Flash through an IDE adapter. This way, my system will have
 no moving parts but the Fan on the processor. I have attempted to
 download the CF image file for the WRAP, but that apparently doesn't
 boot because it's missing VGA. Then I tried to

It won't boot, or you never checked the output on COM1? I've got
a handful of boxes with VGA cards in them that boot pfSense off of
flash using the WRAP image just fine.

 install by using a USB CF adapter and CDROM on the IDE channel. I was
 able to boot off of the CD, however it says that it requires 300 MB to
 install. I was trying to do the install on a 256 MB CF. So I'm
 confused as to why the LiveCD install requires so much space compared to
 the CF image for the WRAP. Is it possible to create a Generic PC CF image
 similar to the one that is put out for monowall? I'd prefer not to
 buy another CF card. Also, I think it makes sense to put space
 requirements for hard drive installation on the Hardware FAQ page.

Probably cause it's impossible to buy a HD that is too small for
pfSense? CF isn't HD even if it might look like that to the PC -
nor do you want to use a CF as a HD (read the archives for reasons).

 Am I missing something obvious, or is there no way to
 install pfSense on a 256 MB CF for a Generic PC.

Should be. Read the archives, I know this has been addressed.

 Also, it would be really nice if it could be installed via
 either PXE or boot floppy for systems that don't have a CDROM drive.

Unlikely to happen any time soon, too many other fires, not enough hands.

--Bill



Re: [pfSense Support] Traffic shaper question + no parent problem

2005-10-10 Thread Bill Marquette
On 10/8/05, Szasz Revai Endre [EMAIL PROTECTED] wrote:
 1) Is it possible, in the traffic shaper - to create another parent
 queue (parent to HFSC) - and to add some rules to this queue, so that
 traffic coming and going from specific ip addresses would go through
 this queue (which would have separate bandwidth)?
 My WAN consists of 2 types of speeds: a separate speed for the
 internet and a separate speed to the metropolitan area (which is also
 on the internet, public ip addresses)

                          +--+ Internet (256Kb)
 LAN +--+ PfSense +--+
                          +--+ Metropolitan area (10Mb)

 I wanted the Internet to be traffic shaped and the rest of the
 Metropolitan Area to go through a separate queue (10Mb). If this is
 not possible with the current configuration, just by hand, would there
 be a possibility to do it somehow with routing? For example 2 NICs,
 2 public ips.
I've been thinking a little more about this. Is the MAN part of
your local subnet? IE, if the pfSense WAN interface was on
24.0.0.0/8 is the MAN the same subnet, or is it just something you have
to go through? I think I can make an easy change for local
subnet on the WAN side of the firewall.

--Bill


Re: [pfSense Support] Traffic shaper question + no parent problem

2005-10-10 Thread Bill Marquette
On 10/10/05, Bill Marquette [EMAIL PROTECTED] wrote:
I've been thinking a little more about this. Is the MAN part of
your local subnet? IE, if the pfSense WAN interface was on
24.0.0.0/8 is the MAN the same subnet, or is it just something you have
to go through? I think I can make an easy change for local
subnet on the WAN side of the firewall.

Never mind...I started to implement this and realized it won't work w/out more queues which I don't want to add right now ;)

--Bill


Re: [pfSense Support] UDP consistent translation

2005-10-12 Thread Bill Marquette
On 10/12/05, Kevin Wolf [EMAIL PROTECTED] wrote:
 It seems my problems playing GunZ are related to the fact that pfSense
 doesn't seem to do UDP consistent translation... is there any way around
 this, a hidden option somewhere?  I tested with the tool from this site:
 http://midcom-p2p.sourceforge.net/

 If I enable 1:1, GunZ works, and UDP consistent translation is listed as
 YES in this program.  If I disable 1:1, GunZ does not work, and UDP
 consistent translation is listed as NO.  Some cheaper routers and a
 few Netgear models do not do this, and the game GunZ also refuses to
 work on those... which is why I'm quite sure this is the problem.
 Especially after reading that link.  I don't think I should have to
 enable 1:1 to get this to work, as other routers can do this without
 forcing me to do DMZ or whatever they're closest thing to 1:1 is.  I
 would shutup and just enable 1:1 for this, but I use this game on two
 computers (1 runs the game on 7700, the other on 7750.  7700 is the
 default but I changed the port in the other one, and it shouldn't matter
 as long as you forward the right port to the right pc).  I can't do 1:1
 on two computers with only one public IP address.

Use advanced outbound NAT, it'll allow you to force the source port
to whatever arbitrary port you like.

--Bill




Re: [pfSense Support] Outgoing Load Balancing mini-howto

2005-10-13 Thread Bill Marquette
On 10/13/05, Rajkumar S [EMAIL PROTECTED] wrote:
 Hi,

 I have some clarifications about the Outgoing Load Balancing mini-howto. I 
 assume this is
 about sharing two internet links so that outbound traffic flows to both of 
 them.


 1. visit services -> load balancer
 2. delete any pools that are there that do not work
 3. add a new pool and call it loadbalancetowans or something descriptive
 4. set the description to load balancing from lan -> internet or 
 something descriptive
 5. set the type to gateway
 6. in the monitor ip box, set a box upstream from this router that can be 
 polled (via
tcp socket) to ensure link is up

 What is this monitor ip? If I have two internet connections, which ip can I 
 specify here?

When we get this working, it'll be ICMP monitoring and you'll need to
provide the IP address of something on the other end of your WAN
link to ping to determine link availability.

 7. in the ip box type in the 1st router gateway ip

 I assume this to be the gateway of first internet connection.

yes.

 8. repeat for the second gateway

 Gateway of second internet connection and so on...

yes.

--Bill




Re: [pfSense Support] Outgoing Load Balancing mini-howto

2005-10-13 Thread Bill Marquette
On 10/13/05, Frimmel, Ivan (ISS South Africa) [EMAIL PROTECTED] wrote:
 And does CARP have to be running?

Nothing to do with CARP :)

--Bill




Re: [pfSense Support] Outgoing Load Balancing mini-howto

2005-10-13 Thread Bill Marquette
On 10/13/05, Rajkumar S [EMAIL PROTECTED] wrote:
 Create NAT-Rules for your WAN-POOL

 1. visit firewall -> NAT -> Outbound
 2. enable advanced outbound nat
 3. check the automatically created rules.
 4. create rules for all your internal networks to map to OPT interfaces.. 
 (one rule for
each internal network to each opt-interface in the pool)

 I could not understand this? Which OPT interface?  each internal network ? 
 I have only one.

This is mainly a confirmation that the source addresses for your
internal network(s) will be presented to the internet correctly.  If
it looks right, don't do anything.

 Policy based balancing

 1. Edit a firewall rule on the LAN or Optional interfaces.
 * NOTE! We do not recommend editing the default pass all rule!
 Create a new rule before the default rule for your policy.
 2. Set the gateway to the newly created pool

 Done!.

 It seems the loadbalancer is working. I am able to tcpdump the second gateway 
 and see some

good :)

 packets. But when I traceroute from the lan, all packets goes via the first 
 gateway. Also

State tables.  Wait a while try again.  Eventually you'll get on the
other side of your new 50-50 logic as to which link a new IP flow will
go down.

 can I specify the priority of each gateway. ie I have an 1mbps link and a 
 256kbps, out of
 5 packets 4 must go through 1mbps link and one via 256 kbps.  Also in the 
 wish list is to

Not today.  I think I have this locked out right now, but you can do
ratio based load balancing...put the 1Mbit link in the gateway pool 4
times and the 256K link once - that would have the same effect. 
Again, I believe this isn't currently possible in the UI, if you're
willing to test it, I'll open it up (I have a MUCH larger discrepancy
at home 8Mbit and 384Kbit, so I don't load balance, I send targeted
traffic out each link).

 specify one gateway for some ips. ie dns and smtp server for first isp should 
 always be
 routed via first isp and vice versa.

Policy based routing.  Create a rule for each item you'd like to
direct over a given link.  Remember, we're a first match system, just
place the more specific rules first in your list and it'll match.

--Bill




Re: [pfSense Support] UDP consistent translation

2005-10-13 Thread Bill Marquette
On 10/12/05, Kevin Wolf [EMAIL PROTECTED] wrote:
 I'm sorry, your solution actually worked.  I forgot to move the new rule
 above the default, so it had priority!  D'oh!!!

Good to hear...I was actually about to suggest that you double check that ;)

 Thank you for the help, it was much appreciated :)

Glad to help.

--Bill




Re: [pfSense Support] RE: Wrap upgrading from 0.70.4 to latest version

2005-10-13 Thread Bill Marquette
On 10/13/05, Susanto Leman [EMAIL PROTECTED] wrote:
 Hi,
 Thanks for your reply. The image is with embedded. Because according to
 the tutorial in flash, the image should be with wrap.
 Will it work with my wrap box ? just need to confirm.
 ;-)
 -santo-

The tutorial is probably a hair out of date by now.  At the point it
was created we were still under heavy development and stuff was
changing daily.

--Bill




Re: [pfSense Support] Change mode of Traffic shaper.

2005-10-14 Thread Bill Marquette
On 10/14/05, Robo.K. [EMAIL PROTECTED] wrote:

 Hi,
 I use version 0.86.4 and, after the initial configuration (via wizard) of
 pfsense and choosing the type of traffic shaper, if I want to change the
 type of traffic shaper later, for example from FSC to class based, this
 item in the Advanced menu is missing.
 In earlier versions of pfsense this was possible.
 Is it a bug or ..?

It was removed as it was broken.  Until we can make the existing
shaper rock solid it's not worth my energy trying to debug anything
other than HFSC issues.

--Bill




Re: [pfSense Support] Change mode of Traffic shaper.

2005-10-14 Thread Bill Marquette
On 10/14/05, Robo.K. [EMAIL PROTECTED] wrote:
 Aha! I'll be patient.
 Thank you.

Please be aware that the other schedulers may never come back.  But
until the HFSC scheduler implementation is solid (and queue/rule
changes are straightforward), we won't even look at priq and cbq.  I
am certainly rewriting the code with the thought of being able to
bring them back at some point, but we'll see how portable I can make
it.

--Bill




Re: [pfSense Support] Change mode of Traffic shaper.

2005-10-15 Thread Bill Marquette
On 10/15/05, Robo.K. [EMAIL PROTECTED] wrote:
 Thanks for the notice, because last night I was trying to set up pfsense
 to priq and cbq without success, because manually creating queues in HFSC
 doesn't work at present.
 There is good news, that HFSC is your priority. Good for you! :-}
 And the important question is, will it finally be possible to create more
 parent queues manually?

That's the plan.

--Bill




Re: [pfSense Support] Question about pf and ipfw...

2005-10-16 Thread Bill Marquette
On 10/16/05, Tommaso Di Donato [EMAIL PROTECTED] wrote:
 On 10/15/05, Bill Marquette [EMAIL PROTECTED] wrote:
 
  Not sure I follow with the redirection part.  But if I understand
  correctly, yes we can use both ipfw and pf in conjunction for
  different tasks.  This is how our shaper code used to work - define
  the queues in PF and assign the traffic in IPFW.  Our ultimate goal is
  to get IPFW out of the core system altogether and we had done that
  until we found some nasty bugs in CP due to it (just stuff that'll
  take a little longer to work around).

   Thank you for your reply.
  I am trying to run p3scan on pfsense, but it needs a redirection done with
 ipfw... When I am trying to add the rule, I have the following error:

  # ipfw add fwd 127.0.0.1:8110 tcp from 10.0.0.0/24 to any 110
  ipfw: getsockopt(IP_FW_ADD): Invalid argument

  When I am loading ipfw module, I see the following in dmesg:
  ipfw2 (+ipv6) initialized, divert loadable, rule-based forwarding disabled,
 default to accept, logging disabled

  Does this mean that I cannot do forwarding with this ipfw?

Module probably isn't loaded (it's only loaded if CP is in use I
believe).  Any reason you wouldn't just create a port forward for
this?  Seems like what you want to do is forward any traffic from
10.0.0.0/24 destined to port 110 anywhere to localhost on port 8110
(transparent pop3 server? interesting).  This can be done easily in
our GUI, just use a port forward (it was renamed from Inbound NAT to
try and remind people it can be used in either direction).

--Bill




Re: [pfSense Support] Dynamic interfaces pf

2005-10-16 Thread Bill Marquette
On 10/16/05, Eric Masson [EMAIL PROTECTED] wrote:
 Hello,

 I've managed to install and setup ssltunnel-client on my 0.84.6 embedded
 image (should I upgrade to 0.86.4, I didn't find any changelog on the
 website)

 Tunnel goes up, additional routes are triggered by ppp, everything's
 fine 'til this point.

 I can't use ppp0 tunnel as pf drops traffic, the last 2 rules of the
 ruleset deny everything not explicitly allowed.

 So is there a standard way to add an interface and associated rules in
 the web interface or do I have to hack some file to achieve this result
 ?

Look at how OpenVPN works.  Hint, you'll probably end up doing
something along the lines of copying those files and doing a
s/OpenVPN/ssltunnel VPN/ and changing the commands to run it to
whatever brings up your ssltunnel ppp connection.

Depending on how well this works out, we might consider it for
inclusion post 1.0.

--Bill




Re: [pfSense Support] VPN NAT Traversal

2005-10-16 Thread Bill Marquette
On 10/16/05, stephan schneider [EMAIL PROTECTED] wrote:
 Hello Folks,

 i am trying to get a (NATed) connection to an external VPN using
 the cisco vpn client. Unfortunately it just doesn't work -
 no connection. I added the port 500 (isakmp) and allowed ESP to pass
 the firewall. But I think there's more to do to get NAT-Traversal
 to work :-(

 According to
 http://kerneltrap.org/node/2948
 it is necessary to set up the rule:
 nat on $ext_if inet proto { tcp, udp } from $internal port = 500 to any
 -> ($ext_if:0) port 500

 How can this rule be set using the GUI?

This is enabled by default unless you use advanced outbound NAT.
Make sure:
Firewall -> NAT -> Outbound: Enable IPSec passthru
is checked.

 I am using pfsense-0.86.4.

Should be working in 0.86.4, I did introduce a bug a version or two
back that broke IPSec passthru, but I believe the fix for that made it
into 86.4 (hard to say, my boxes are usually running some Frankenstein
version).  If you send in your /tmp/rules.debug, I'd be willing to
take a quick peek and make sure the NAT rule is correct.

--Bill



