[pfSense-discussion] HEADS UP: this mailing list has moved
The mailing list has moved to l...@lists.pfsense.org. This list server is being decommissioned. Your email address on this list has been subscribed to the new list, and you will receive a welcome message on that list shortly. The old support@ and discussion@ emails will bounce. Feel free to continue existing threads, but you'll have to change the To address to l...@lists.pfsense.org.

Chris

-
To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com
For additional commands, e-mail: discussion-h...@pfsense.com

Commercial support available - https://portal.pfsense.org

Re: [pfSense-discussion] happy IPv6 day
On Wed, Jun 8, 2011 at 6:57 PM, Chris Buechler wrote:
> On Wed, Jun 8, 2011 at 9:40 AM, Eugen Leitl wrote:
>>
>> This being the World IPv6 day, I enabled IPv6 on three pfSense
>> instances, using the excellent http://iserv.nl/files/pfsense/ipv6/
>> (thanks, Seth!) without problems.
>>
>
> Works nicely indeed. Lots of pieces remaining to complete but what's
> there works great. I was hoping we'd have IPv6 live at our main
> datacenter in time for today but the ISP doesn't have it fully
> available as of yet and we're not going to bother with a tunnel when
> we'll have native soon, but we'll have it up there in the near future.
>

Actually I take that back, it was fixed today. Firewalls are all good, haven't had a chance to get it up on the servers yet though.

Re: [pfSense-discussion] happy IPv6 day
On Wed, Jun 8, 2011 at 9:40 AM, Eugen Leitl wrote:
>
> This being the World IPv6 day, I enabled IPv6 on three pfSense
> instances, using the excellent http://iserv.nl/files/pfsense/ipv6/
> (thanks, Seth!) without problems.
>

Works nicely indeed. Lots of pieces remaining to complete but what's there works great. I was hoping we'd have IPv6 live at our main datacenter in time for today but the ISP doesn't have it fully available as of yet and we're not going to bother with a tunnel when we'll have native soon, but we'll have it up there in the near future.

Re: [pfSense-discussion] pfSense comment packetpushers.net
On Wed, May 25, 2011 at 11:59 AM, BSDwiz wrote:
>
> Guys,
> I was listening to a packetpushers.net podcast regarding the topic of
> firewalls and decided to chime in. I thought you may have some thoughts or
> opinions to add. Basically, I mentioned pfSense and was not very happy with
> his (Greg Ferro) response. If you get a minute, check out this guy's
> reasoning behind not using pfSense.

It's a reasonable response - I've heard much worse, and things that have no basis in reality, from the likes of enterprise consultants such as Greg (I've been following his blog for a long time and listen to a few of the packetpushers podcasts). He's much more sensible in general than a lot of Cisco fan boys I've encountered.

Reasonable response to the extent that it's possible to get in and screw with things, install additional software, etc., and in some environments that's unacceptable. In others it's a huge, huge plus; there are countless examples of people being able to meet the specific requirements in their environment only because it's an open platform that can be easily modified or added to. In those instances they simply could never meet the ideal requirements of their environment on a closed platform, as you're never going to get Cisco, Juniper, etc. to add a feature or do custom development for you - at best it may go into some request queue and you may see it years down the road. With an open platform you can do it yourself, or hire us to do it and have what you're looking for in a matter of days or weeks depending on the scope; that's how several of us make a full time living working on the project.

The type of customers Greg does work for probably don't need anything a closed platform can't provide, and feel better about a big name on the product, regardless of cost and lack of flexibility. That lack of flexibility is viewed as a plus by some. Regardless of open or closed, there's no one product that best suits every network.

Re: [pfSense-discussion] Problems with CARP VIP and layer 3 switch
On Sun, Apr 17, 2011 at 10:25 PM, Vinicius Coque wrote:
>
> Now I understand the problem. I'll keep track of the bug on redmine.
>

I would definitely check the problem on the switch too, as in a CARP setup it shouldn't have problems with MACs that switch between ports quickly. That bug in and of itself isn't the problem; the nature of CARP means that switch issue will potentially cause other issues for you in the future.

Re: [pfSense-discussion] Problems with CARP VIP and layer 3 switch
On Fri, Apr 15, 2011 at 4:14 PM, Vinicius Coque wrote:
>>
>> What does the CARP status show, and what do the logs show for CARP?
>>
>
>
> CARP Status
> pfSense master:
>
> vip1 172.16.0.39 MASTER
>
> pfSense backup:
>
> vip1 172.16.0.39 BACKUP
>
>
> System logs:
>
> pfSense master:
>
> Apr 15 17:08:08 utm-teste1 syslogd: kernel boot file is /boot/kernel/kernel
> Apr 15 20:08:32 utm-teste1 check_reload_status: syncing firewall
> Apr 15 17:08:32 utm-teste1 php: : Beginning XMLRPC sync to https://10.10.0.2:5081.
> Apr 15 17:08:33 utm-teste1 php: : XMLRPC sync successfully completed with https://10.10.0.2:5081.
> Apr 15 17:08:33 utm-teste1 php: : Beginning XMLRPC sync to https://10.10.0.2:5081.
> Apr 15 17:08:33 utm-teste1 php: : XMLRPC sync successfully completed with https://10.10.0.2:5081.
> Apr 15 17:08:35 utm-teste1 php: : Filter sync successfully completed with https://10.10.0.2:5081.
>
> pfSense backup:
>
> Apr 15 17:08:12 utm-teste2 syslogd: kernel boot file is /boot/kernel/kernel
> Apr 15 17:08:32 utm-teste2 check_reload_status: syncing firewall
> Apr 15 17:08:32 utm-teste2 kernel: vip1: link state changed to DOWN
> Apr 15 17:08:32 utm-teste2 kernel: vip1: INIT -> MASTER (preempting)
> Apr 15 17:08:32 utm-teste2 kernel: vip1: link state changed to UP
> Apr 15 17:08:32 utm-teste2 kernel: vip1: MASTER -> BACKUP (more frequent advertisement received)

That looks like a consequence of:
http://redmine.pfsense.org/issues/1433

plus something on your switch(es). The MAC will move in the switch's CAM table from the primary's port to the secondary's when the secondary switches from master to backup even though it's for a fraction of a second, but should immediately move back on the switch when the master picks back up. There's something on the switch that isn't behaving correctly for MACs that quickly change ports, which is ultimately the actual problem, though that CARP switch shouldn't happen during a config change, which exacerbates the issue.

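The backup node's log above shows the pattern Chris describes: right after a config sync, vip1 claims MASTER and drops back to BACKUP within the same second, which is enough to move the CARP MAC across switch ports. The following is an added example, not code from the thread or from pfSense, that pulls such sub-second blips out of a syslog extract and flags whether a config sync preceded them, so they can be correlated with the switch's CAM table behaviour. It assumes the line layout seen above (BSD syslog stamp, host, `kernel:` prefix, `vip: OLD -> NEW (reason)` and `check_reload_status: syncing firewall`); the sample log is constructed in that shape rather than copied from the poster's box.

```python
import re
from datetime import datetime

# Constructed sample in the shape of the "pfSense backup" lines quoted in the thread.
SAMPLE_LOG = """\
Apr 15 17:08:12 utm-teste2 syslogd: kernel boot file is /boot/kernel/kernel
Apr 15 17:08:32 utm-teste2 check_reload_status: syncing firewall
Apr 15 17:08:32 utm-teste2 kernel: vip1: link state changed to DOWN
Apr 15 17:08:32 utm-teste2 kernel: vip1: INIT -> MASTER (preempting)
Apr 15 17:08:32 utm-teste2 kernel: vip1: link state changed to UP
Apr 15 17:08:32 utm-teste2 kernel: vip1: MASTER -> BACKUP (more frequent advertisement received)
"""

# BSD syslog prefix: "Mon DD HH:MM:SS host " (day may be space-padded to two columns)
STAMP = r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
SYNC_RE = re.compile(STAMP + r"check_reload_status: syncing firewall")
TRANSITION_RE = re.compile(
    STAMP + r"kernel: (?P<vip>[^:\s]+): (?P<old>INIT|MASTER|BACKUP) -> "
    r"(?P<new>INIT|MASTER|BACKUP)(?: \((?P<reason>[^)]*)\))?"
)


def _stamp(ts):
    # syslog stamps carry no year; only differences between stamps matter here,
    # and 2000 is a leap year so a "Feb 29" line still parses
    return datetime.strptime("2000 " + ts, "%Y %b %d %H:%M:%S")


def parse_events(text):
    """Return config-sync and CARP state-change events, in file order; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = SYNC_RE.match(line)
        if m:
            events.append({"kind": "sync", "host": m["host"], "time": _stamp(m["ts"])})
            continue
        m = TRANSITION_RE.match(line)
        if m:
            d = m.groupdict()
            events.append({"kind": "transition", "host": d["host"], "vip": d["vip"],
                           "old": d["old"], "new": d["new"], "reason": d["reason"] or "",
                           "time": _stamp(d["ts"])})
    return events


def find_flaps(text, window_seconds=2.0):
    """One record per VIP that claimed MASTER and lost it again within window_seconds.

    Each record says how long MASTER was held, the reason the kernel gave for the
    drop, and whether a config sync on the same host happened inside the window
    (the redmine #1433 symptom: a CARP switch triggered by a config change).
    """
    last_sync = {}   # host -> time of its most recent config sync
    claimed = {}     # (host, vip) -> time the VIP went MASTER
    flaps = []
    for ev in parse_events(text):
        if ev["kind"] == "sync":
            last_sync[ev["host"]] = ev["time"]
            continue
        key = (ev["host"], ev["vip"])
        if ev["new"] == "MASTER":
            claimed[key] = ev["time"]
        elif ev["old"] == "MASTER" and key in claimed:
            held = (ev["time"] - claimed.pop(key)).total_seconds()
            if held <= window_seconds:
                sync = last_sync.get(ev["host"])
                flaps.append({
                    "host": ev["host"], "vip": ev["vip"], "held_seconds": held,
                    "reason": ev["reason"],
                    "after_config_sync": sync is not None
                    and (ev["time"] - sync).total_seconds() <= window_seconds,
                })
    return flaps


if __name__ == "__main__":
    for f in find_flaps(SAMPLE_LOG):
        print(f"{f['host']} {f['vip']}: MASTER held {f['held_seconds']:.1f}s, "
              f"dropped because '{f['reason']}', after config sync: {f['after_config_sync']}")
```

Run it against a `clog` dump of the system log from the node that should be BACKUP; every flap it reports is a moment the switch saw the VIP's MAC on the secondary's port, so a burst of them lining up with reachability complaints from other subnets points at the switch's handling of fast MAC moves rather than at the firewalls.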
Re: [pfSense-discussion] Problems with CARP VIP and layer 3 switch
On Thu, Apr 14, 2011 at 5:57 AM, Vinicius Coque wrote:
>
> I don't think it is a routing issue because I can access the VIP and
> the pfSense lan IP from other subnets. When I change some
> configuration on cluster just the VIP goes down, while the lan IP of
> the pfSense boxes (10.10.0.2 and 10.10.0.3) are still available.
>

What does the CARP status show, and what do the logs show for CARP?

Re: [pfSense-discussion] Problems with CARP VIP and layer 3 switch
On Wed, Apr 13, 2011 at 10:32 PM, Vinicius Coque wrote:
> Hi
>
> I have two pfSense machines configured as cluster using carp, they are
> both connected to a layer 3 switch. There are about 10 different
> subnets configured on that and each client machine under these subnets
> use the switch as its default gateway, and then it routes the traffic.
>
>   10.10.0.2     10.10.0.3
>   ---------     ---------
>  | pfSense | - | pfSense |
>   ---------     ---------
>        VIP 10.10.0.1
>          \       /
>           \     /
>           --------
>          | switch |
>           --------
>           /      \
>          /        \
>   10.10.1.0/24  10.10.2.0/24
>
> The problem is that every time a configuration is changed, I can
> access the VIP with no problem from the same subnet of the pfSense
> machine (10.10.0.0/24), but for any other subnet the VIP becomes
> unreachable.
>

Some kind of routing issue it seems. Check the routing table on the firewall when it doesn't work and verify it.

Re: [pfSense-discussion] VPN IPSEC
On Mon, Mar 21, 2011 at 11:35 PM, Vinicius Coque wrote:
> Hi
>
> I have an IPSEC tunnel configured to connect the network 170.60.x.x,
> on side A, with network 189.19.x.x on side B.
>
> LAN          Server A      INTERNET      Server B
> 10.0.0.0/8   189.19.x.x                  170.60.x.x
>
> The tunnel connection is established and the traffic between servers
> go through the tunnel with no problems, the problem is when the
> traffic came from LAN. Since the tunnel network is configured to my
> WAN address range, SPD table doesn't have my lan network 10.0.0.0/8
> configured, then traffic from lan to 170.60.x.x goes through wan
> interface instead of enc0.
>
> I know that is possible to do it using NAT on enc0 interface, but I
> tried to configure this many ways without success.
>
> Anybody knows how to make it work on pfSense, or if it is possible to do?
>

It's not possible because of the way the processing in the kernel functions in FreeBSD: traffic won't hit the SPD after NAT is applied, so traffic that gets NATed to your public IPs, even if they're the local end of your IPsec, won't hit IPsec. That's true of tunnel mode, but not transport mode. Transport mode may be an option.

[pfSense-discussion] 2.0-RC1 now available!
http://blog.pfsense.org/?p=585

Re: [pfSense-discussion] Considering Switching to Pfsense
On Wed, Feb 9, 2011 at 5:41 PM, Tony Zakula wrote:
>
> We have a 5mb line, is a quad core processor with 4gb of ram overkill?
>

Way, way overkill, that's closer suited to a 5 Gb connection than 5 Mb. Not that that's a problem, you can get by with a whole lot less hardware if needed though.

Re: [pfSense-discussion] DreamPlug
On Wed, Feb 2, 2011 at 4:43 AM, Cédric Jeanneret wrote:
> Hello,
>
> Just wondering if anyone has already used pfsense on such material:
> http://www.newit.co.uk/shop/proddetail.php?prod=DreamPlug
>
> There are some other "computer plugs", like
> http://www.globalscaletechnologies.com/t-guruplugdetails.aspx
>

Those are not x86, they're not a compatible architecture at this time.

Re: [pfSense-discussion] PfSense localization
On Mon, Jan 3, 2011 at 4:36 PM, st41ker wrote:
> Hello,
>
> PfSense is a very popular project and it is used around the globe. So I can say
> that it is an international wide product.
> But when I look at localization I see that it's not so good for
> international usage.
> Hardcoded english is everywhere. I know that there is nothing wrong with
> that but that is a huge blank space for a modern opensource software since
> almost every product of such type is supporting localization and at
> least gives the community the ability to localize it.
>
> I know that there are people that will help in translating PfSense but
> developers should help from their end also: templates, localization string
> usage etc.
>
> Is that so hard to implement?
>

2.0 already has gettext on the entire web interface, and all of inc is in a git clone that wasn't finished quickly enough to be merged for 2.0 release but will be shortly after its release I expect. It was a *huge* amount of work. Bluepex, who sells a rebranded and translated version in Brazil, had a few staff members on that for many weeks (not full time but putting in a lot of hours) to get it finished. More will come on that later, including seeking people willing to help translate.

Re: [pfSense-discussion] Re: ARIN space not accepted
On Sat, Dec 11, 2010 at 11:23 AM, Gé Weijers wrote:
>
>
>> [...] That means, prior to end of Q1, the bogon list will be:
>>
>> 0/8
>> 10/8
>> 127/8
>> 172.16/12
>> 192.168/16
>> 224/3
>
> There's a number of special-use ranges that are not in this list, but which
> should not occur as (source) addresses on the internet. So if you're
> manually configuring a list and are sufficiently paranoid refer to RFC5735
> and use these additional ones:
>
>
> 192.0.0/24 (future-use special purpose)
> 192.0.2/24 (TEST-NET-1)
> 198.18/15 (benchmark testing of interconnect devices)
> 198.51.100/24 (TEST-NET-2)
> 203.0.113/24 (TEST-NET-3)
>
> You should filter these source addresses as well:
>
> 169.254/16 (link-local addresses)
> 192.88.99/24 (6to4 anycast, not a valid *source* address)
>

The bogons list we use is from Cymru, it includes all of the above with the exception of 6to4 anycast.

Re: [pfSense-discussion] Re: ARIN space not accepted
On Sat, Dec 4, 2010 at 4:13 PM, Nathan Eisenberg wrote:
>> -----Original Message-----
>> From: Scott Ullrich [mailto:sullr...@gmail.com]
>> Sent: Saturday, December 04, 2010 11:47 AM
>> To: discussion@pfsense.com
>> Subject: Re: [pfSense-discussion] Re: ARIN space not accepted
>>
>> On Sat, Dec 4, 2010 at 7:26 AM, Eugen Leitl wrote:
>> > ----- Forwarded message from Leo Bicknell -----
>> >
>> > From: Leo Bicknell
>> > Date: Fri, 3 Dec 2010 14:24:16 -0800
>> > To: na...@nanog.org
>> > Subject: Re: ARIN space not accepted
>> > Organization: United Federation of Planets
>> >
>> > In a message written on Fri, Dec 03, 2010 at 04:13:58PM -0600, Jack Bates wrote:
>> >> The first takers in a space are hit the hardest. Rementioning here is
>> >> important. Do a google search and find any pages still mentioning
>> >> blocking the range. Contact them and ask them to update. Then you have
>> >> to start the long list with others. It's recommended you setup a server
>> >> with 2 IP addresses, one in the range, one outside the range, so that
>> >> people can check against them both to verify that the problem is with
>> >> the range itself. I've seen some networks that run automatic probes from
>> >> both ranges and compare the results, automatically sending emails to
>> >> whois contacts concerning the problem.
>> >
>> > For those not paying attention, the current bogon list should be:
>> >
>> > 0/8
>> > 10/8
>> > 39/8
>> > 102/8
>> > 103/8
>> > 104/8
>> > 106/8
>> > 127/8
>> > 172.16/12
>> > 179/8
>> > 185/8
>> > 192.168/16
>> > 224/3
>> >
>> > It is speculated that no later than Q1, two more /8's will be allocated,
>> > triggering a policy that will give the remaining 5 /8's out to the
>> > RIR's. That means, prior to end of Q1, the bogon list will be:
>> >
>> > 0/8
>> > 10/8
>> > 127/8
>> > 172.16/12
>> > 192.168/16
>> > 224/3
>> >
>> > I'd suggest it would be good if folks updated to that now, to prevent
>> > these sorts of problems. I promise, this time it is the last update
>> > you'll need to do. :)
>> >
>> > --
>> > Leo Bicknell - bickn...@ufp.org - CCIE 3440
>> > PGP keys at http://www.ufp.org/~bicknell/
>> >
>> >
>> >
>> > ----- End forwarded message -----
>>
>> Anyone needing to update their bogons can run this from a command
>> prompt (shell - option #8):
>>
>> /etc/rc.update_bogons.sh now
>> exit
>>
>> Scott
>>
>> -
>> To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com
>> For additional commands, e-mail: discussion-h...@pfsense.com
>>
>> Commercial support available - https://portal.pfsense.org
>>
>>
>>
> How often is this automatically done?
>

On the first of every month, which is plenty between assignment and actual use.

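Leo's two lists above and Gé's RFC 5735 additions in the later reply are written in the `172.16/12` shorthand, and the whole thread is about what happens when a filter built from a stale list keeps blocking space that has since been allocated. As an added example (not code from the thread, from pfSense or from Team Cymru), the block below parses that shorthand into CIDR networks and checks source addresses against a list, showing the complaint directly: an address in 39/8 is a bogon under the old list and routable under the new one, so a firewall that does not refresh its list drops legitimate traffic. The list texts are constructed from the posts; the one-prefix-per-line, `#`-comment layout is an assumption made for this example, not a description of the Cymru feed format.

```python
import ipaddress

# Constructed from Leo Bicknell's post: the list before the last /8s were handed out.
OLD_BOGONS = """\
# pre-exhaustion bogon list (Dec 2010)
0/8
10/8
39/8
102/8
103/8
104/8
106/8
127/8
172.16/12
179/8
185/8
192.168/16
224/3
"""

# Constructed from Leo's post-Q1 list plus the RFC 5735 ranges Gé Weijers suggested.
NEW_BOGONS = """\
# bogon list once the remaining /8s are allocated
0/8
10/8
127/8
172.16/12
192.168/16
224/3
# RFC 5735 special-use ranges that should never appear as a source address
192.0.0/24
192.0.2/24
198.18/15
198.51.100/24
203.0.113/24
169.254/16
192.88.99/24
"""


def normalize_prefix(token):
    """Expand shorthand such as '172.16/12' or '224/3' into a full CIDR string."""
    addr, _, plen = token.partition("/")
    octets = addr.split(".")
    if len(octets) > 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        raise ValueError(f"bad prefix: {token!r}")
    octets += ["0"] * (4 - len(octets))          # missing trailing octets are zero
    return ".".join(octets) + "/" + (plen or "32")  # a bare address is a host route


def parse_bogon_list(text):
    """Read one prefix per line, ignoring blank lines and '#' comments."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            # strict=False tolerates host bits set in a hand-written prefix
            nets.append(ipaddress.ip_network(normalize_prefix(line), strict=False))
    return nets


def match_bogon(addr, nets):
    """Return the most specific bogon network containing addr, or None if it is routable."""
    ip = ipaddress.ip_address(addr)
    hits = [n for n in nets if ip in n]
    return max(hits, key=lambda n: n.prefixlen) if hits else None


def audit_sources(addrs, nets):
    """Map each candidate source address to the bogon net it falls in (None if clean)."""
    return {a: match_bogon(a, nets) for a in addrs}


if __name__ == "__main__":
    old, new = parse_bogon_list(OLD_BOGONS), parse_bogon_list(NEW_BOGONS)
    for a in ["39.1.1.1", "10.1.2.3", "198.18.5.5", "8.8.8.8"]:
        print(f"{a:12} old list: {str(match_bogon(a, old)):14} new list: {match_bogon(a, new)}")
```

The point to take from the `39.1.1.1` row is that the only difference between "blocked" and "allowed" is which list the firewall loaded, which is why the monthly `rc.update_bogons.sh` run (or the manual `now` invocation Scott posted) matters more than the rule itself.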
Re: [pfSense-discussion] country blocking for single address
On Fri, Nov 26, 2010 at 12:34 PM, Adam Thompson wrote:
> The specific country involved might take far less than that; accuracy also
> matters.
> For example, I can block about 80% of Africa with less than ten rules.
> Blocking 100% of Africa takes hundreds of entries.
>
> I do recall there was a way previously discussed on-list to import huge
> aliases; unfortunately, I *think* it consisted of download (backup)
> config.xml, edit it programmatically, then upload (restore) it.

You don't want to do that with 20K+ entries in 1.2.x, the XML parser in 1.2.x is too slow. The countryblock package handles basically the same functionality automatically in a way that doesn't slow things down.

> I also
> think there are enhancement requests still open for 2.0 to make this
> easier, but of course I can't find them right now...
>

Nothing still open as it's already done.

Re: [pfSense-discussion] Dell PowerEdge 750
On Tue, Oct 26, 2010 at 3:59 PM, Eugen Leitl wrote:
>
> It would probably still beat my 4x NIC 1.6 GHz dual-core Atoms
> (about Pentium 3 level of performance)

You'd be surprised - a dual core Atom is considerably faster than a P3 at pushing packets, depending on NICs and the specific board. The better embedded firewall boards with Atoms can push around 500 Mbps. A PE750 would be faster, though takes ~8-9 times as much power.

Re: [pfSense-discussion] pfSense router/firewall in a Vmware ESXi guest for other guests
On Thu, Oct 7, 2010 at 3:43 PM, Eugen Leitl wrote:
> On Sat, Oct 02, 2010 at 03:53:54PM -0400, Chris Buechler wrote:
>
>> That's not the normal experience from what I've seen, sounds specific
>> to something in particular you're doing. I believe every environment
>> I've seen that routes between VLANs within ESX handles the VLANs
>> entirely at the ESX level, with one vswitch per VLAN and the firewall
>> connected to the individual vswitches, maybe that's the difference.
>>
>> Running inside of VMware isn't nearly as fast as running on equivalent
>> bare metal, but most of the time you don't need that kind of
>> performance, 300 Mbps is easily achievable with e1000 NICs and
>> moderately new (anything with VT) server hardware. I've been on dozens
>
> Chris, how much memory do you recommend for a pfSense ESXi instance,
> which handles 4 guests (one IP address each), 100 MBit/s switched
> setup? Do I need 1+ GByte, or can I risk allocating just 512
> MBytes to the guest?
>

"It depends". Virtual sizing is no different from physical. Depends on simultaneous connections, what packages and configurations they use, etc. I use 128 MB RAM and 2 GB disks on most of my test and dev boxes, they're mostly pretty basic though.

Re: [pfSense-discussion] pfSense router/firewall in a Vmware ESXi guest for other guests
On Sat, Oct 2, 2010 at 2:44 PM, Adam Thompson wrote:
> This started with 4.0, I have upgraded to 4.1 but haven't specifically
> tested performance since. Routing from one VLAN to another entirely
> inside VMware is still slow, however. AFAIK this is somehow related to
> interrupt handling and/or mitigation. The bad news is that since
> upgrading to 4.1, the pfSense guest occasionally loses ALL network
> interrupts for about 15 minutes at a time - this happens at least once or
> twice a week. It starts slowly, performance is merely degraded, then
> nothing, then slowly returns to normal - whole event takes ~15min.
>
> Traffic arriving at or leaving the VMWare HOST shows normal performance
> levels, it's only traffic within the host that seems slow: SMB traffic
> across the pfSense router, no NAT involved, one pass-all pf rule, runs
> between 10Mbit/sec and 100Mbit/sec. I also see lots of TCP badness if I
> run a sniffer on either end - dup acks, dup pkts, and missing packets.
>

That's not the normal experience from what I've seen, sounds specific to something in particular you're doing. I believe every environment I've seen that routes between VLANs within ESX handles the VLANs entirely at the ESX level, with one vswitch per VLAN and the firewall connected to the individual vswitches, maybe that's the difference.

Running inside of VMware isn't nearly as fast as running on equivalent bare metal, but most of the time you don't need that kind of performance, 300 Mbps is easily achievable with e1000 NICs and moderately new (anything with VT) server hardware. I've been on dozens of such systems personally this year alone, across numerous different customer environments. It's a common setup, and works well including for routing between VLANs. I know at least a couple setups that route backups between VLANs, maxes out the system at a bit over 300 Mbps, but runs fine every night and the resulting performance degradation for the other interfaces while the firewall VM is pegged isn't an issue in that environment (everything else still works fine). We have customers who run their entire colo environments in vSphere including firewalls, setting the edge CARP pair so the two never get vmotioned to the same host for proper redundancy.

To answer the original question, there are numerous environments running that way with great results. Very solid performance and reliability. ESX and ESXi are equivalent, any mentions of ESX here could be ESXi just the same (and many of the environments I'm referring to are ESXi).

[pfSense-discussion] training session at EuroBSDCon
For those who don't follow the blog, a reminder on our upcoming training session at EuroBSDCon.
http://blog.pfsense.org/?p=568

[pfSense-discussion] NYCBSDCon 2010
For those who don't follow the blog:
http://blog.pfsense.org/?p=565

Re: [pfSense-discussion] IPSEC routing hack, and CARP, leading to "arpresolve can't allocate route" errors
On Wed, Sep 1, 2010 at 12:23 PM, Paul Mansfield wrote:
>
> if you recall, to make your pfsense firewall itself be able to talk to a
> remote site over an IPSEC tunnel, you need to add a hack which is a
> static route to remote network via the LAN address
>
> if you have a firewall cluster and you use the CARP address of the LAN,
> it does work, but it *seems* to cause the following errors to appear in
> system log:
>
> Sep 1 15:40:01 kernel: arpresolve: can't allocate route for 10.1.2.254
>
> the 10.1.2.254 is the CARP ip on the LAN
>
> I can make these go away by using the IP of the firewall's LAN but that
> kind of defeats part of the purpose of having a cluster and carp!
>
> Apart from this being a distraction/nuisance, is this something to worry
> about?
>

No, just happens when the system tries to ARP its own CARP IPs. Only cosmetic.

Re: [pfSense-discussion] article: Millions of Home Routers at Risk
On Mon, Aug 2, 2010 at 3:53 AM, LM wrote:
> What is the status of this?
> A patch is going to be released or what?
>

I'll put up a blog post later - the gist of it is use a strong password and you're fine. The protection we added simply protects from gross negligence (or future vulnerabilities in the web interface, of which none are known); there is no patch to fix anything as nothing in our code is a problem.

Re: [pfSense-discussion] ipfw and dummynet on 1.2.3
On Mon, Jul 26, 2010 at 6:57 AM, Matias wrote:
> Hi,
>
> I've read on the forums that using ipfw and dummynet for traffic shaping
> breaks pf rdr rules, but those posts seem to be quite old.
>
> Does someone know if the problem still exists?

Yes. There's a FreeBSD PR on it. We have it fixed in our version of 8.1 though (2.0); limiters use dummynet and they don't break rdr that I've seen.

Re: [pfSense-discussion] Hints on "no firewall" and bridge
On Sun, Jul 4, 2010 at 5:46 AM, Tonix (Antonio Nati) wrote:
> First question.
> We are planning to use PFsense as frontend gateway routing to customers
> subnets, and in such architecture, we could use pfsense as pure routing
> device, except we want to protect the "LAN" network.
> Does the "disable firewall" option exclude completely any NAT or filtering
> rules, without any possibility to protect the LAN interface?
>

Yes.

> Second question.
> We may have one frontend Internet link doubled on two FE switches (using
> redundant switches and spanning tree features), so if one FE switch fails,
> we can have the connection on the other FE switch.
>
> Apart from using a master/slave couple of fw, we are evaluating whether to bridge
> two interfaces, for each FW, placed on both FE switches.
>
> Link --->
>           ---> SW1 > em0 (pf1-em0)
>           ---> SW2 > em1 (pf1-em1 bridged to em0)
>
> In such a case, the bridging feature on PFsense, can handle the trick? In
> case of SW1 failure, can states open on interface em0 work also on interface
> em1-bridged-to em-0?
>

Never tried anything like that on a single system; it works with two systems using CARP (with proper STP or a devd script to up/down the bridge accordingly). Not sure if the states would failover correctly with one system.

Re: [pfSense-discussion] 2.0 on a two-NIC system
On Mon, Jun 7, 2010 at 7:50 AM, Eugen Leitl wrote:
>
> I've managed to resurrect my oldish VIA C3 dual mini-ITX
> upgrading them to 2.0beta. Is there a way to get them to
> run as a failover cluster in 2.0, despite having only two
> physical NICs? This wasn't possible in 1.3.
>

Yes, and it's always been possible. It's not recommended with any version for security and performance reasons, but will work fine.

Re: [pfSense-discussion] override routes on WAN
On Sun, May 2, 2010 at 2:30 PM, Scott Lambert wrote:
> On Sun, May 02, 2010 at 01:03:50PM +0200, Eugen Leitl wrote:
>> I'm attempting to simulate a production network 88.198.238.112/28
>> with gateway 88.198.238.113 on the OPT1 interface (set to 88.198.238.113)
>> but I'm too dense to figure out how to override the default route, which sends
>> the packet to WAN.
>>
>> I obviously need to do something along the lines of
>> route add -net 88.198.238.112/28 88.198.238.113
>
> No, I believe you have what you want simply by specifying the IP and
> netmask on the OPT1 interface. If there is a subnet other than
> 88.198.248.112/28 which you want to speak to across the OPT1 interface,
> you may want to specify the gateway, on the OPT1 interface, of the
> router which knows how to speak to that other subnet. Then you would
> add a static route.
>

Exactly that. If you have OPT1 configured with that subnet, and traffic to that destination subnet is going out WAN, then you probably haven't enabled OPT1, or have its IP info wrong, or maybe don't have that NIC plugged in.

Re: [pfSense-discussion] Hardware acceleration for pfSense vmware VM?
On Fri, Mar 26, 2010 at 3:02 AM, Philippe Lang wrote:
> Hi,
>
> Has anyone tried using a Soekris VPN acceleration board with a pfSense
> appliance running as a vmware VM?
>

Can't, VMware won't pass that through. Besides, on any recent server, you're better off avoiding the PCI bus and doing the crypto on the CPU without a card; it will actually slow it down to use a PCI crypto card.

Re: [pfSense-discussion] modified nanoBSD 1.2.3 image for WRAP?
On Mon, Mar 8, 2010 at 5:59 PM, Jim Pingle wrote:
> On 3/8/2010 5:51 PM, David Rees wrote:
>> I've seen same or similar behavior on an ALIX box with a fairly large
>> ruleset and decent number of VPNs.
>>
>> We could never get all the VPNs to come up properly and we eventually
>> ended up with a corrupted configuration file while we were trying to
>> disable/enable various VPNs (which takes a LONG time on ALIX hardware
>> and is very tedious).
>>
>> Ended up dropping the config file into a more powerful machine and it
>> works fine.
>>
>> I'm guessing that there is some sort of race condition somewhere in at
>> least a couple places.
>
> How many VPNs? I've had as many as 9 IPsec tunnels going between ALIX
> boxes on 1.2.3 and never had any issues.
>

I know of one embedded box that's running 200+ OpenVPN servers (making for a very large config), on a VIA that's only marginally faster than an ALIX, and performs great. Most very large configs are running on much, much faster hardware than an ALIX though, just by the nature of what those boxes have to push.

Re: [pfSense-discussion] broadcom BCM5722 only running at 100M not 1G
On Mon, Feb 1, 2010 at 8:03 AM, Paul Mansfield wrote:
> after complaint about slowness between our lan and dmz, I traced it to a
> firewall interface on our pfsense 1.2.3 firewall, a Dell R300 with
> onboard broadcom bcm5722
>
> FreeBSD fwa.xxx.yyy 7.2-RELEASE-p5 FreeBSD 7.2-RELEASE-p5 #0: Sun Dec 6
> 23:20:31 EST 2009
> sullr...@freebsd_7.2_pfsense_1.2.3_snaps.pfsense.org:/usr/obj.pfSense/usr/pfSensesrc/src/sys/pfSense_SMP.7
> i386
>
> a bit of googling came up with this
> http://groups.google.com/group/mailing.freebsd.current/browse_thread/thread/4b42a0fa82125473?pli=1
>
> I bounced the interface as suggested and it didn't help, and swapped the
> cable, also no joy.
>
> this firewall is one of a clustered pair, the 2ndry is identical
> hardware and its bge0 is running fine at 1000baseT. the cisco switch
> they're both plugged into doesn't suggest any errors.
>
> stuff reported in dmesg...
>
> bge0: mem 0xdfdf-0xdfdf
> irq 16 at device 0.0 on pci1
>
> brgphy0: PHY 1 on miibus0
>
> brgphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, 1000baseT,
> 1000baseT-FDX, auto
>
> any suggestions please?

Sure you're using CAT5e or better cables and not just CAT5? That's the most common cause when I run into things like that.
Re: [pfSense-discussion] openvpn and mac osx 10.6
On Tue, Jan 26, 2010 at 10:23 AM, Paul Mansfield wrote:
>
> we had openvpn working with osx 10.5 with a bit of bodging to get DNS to
> work, but 10.6.2 seems to have quite a few DNS quirks that prevent
> resolver from being set
>
> we've had to fiddle with the macs to add a new network location/profile
> called "vpn" which has manual DNS settings; it's made harder by the
> inconsistent way that apple airport connections are set.
>
> so I was wondering whether anyone had a better fix, or even a way to
> make it work seamlessly?
>
You sure that's not a problem with the client? What client are you using?
Re: [pfSense-discussion] Ping
On Wed, Jan 6, 2010 at 5:18 AM, cl...@pfsense wrote:
>
> I wonder: Has there really been no activity on this list since Dec 21 or has
> my feed been cut ?
>
This list isn't very active, the support list is much more active, and the forum far more active than both the lists combined. And the auto-reply loop person has been unsubscribed, sorry for the noise. :)
Re: [pfSense-discussion] two /24 on a WAN
On Sun, Dec 20, 2009 at 5:27 PM, Eugen Leitl wrote:
>
> I see there are no multiple fields for subnets in the WAN interface.
> My ISP doles out networks as /24 as the largest chunk. Does this mean
> I can't add a second subnet in the pfSense GUI and have to use the
> command line, or do it in FreeBSD?
>
That can be handled entirely in the GUI. Exactly how depends on your ISP and what they're willing to do, and that's not a simple, short discussion. There are 5 pages in the book (http://pfsense.org/book) covering the various ways of handling multiple public IPs and multiple public IP subnets.
Re: [pfSense-discussion] Traffic shaping VOIP on low bandwidth connections?
On Mon, Dec 14, 2009 at 11:12 PM, Joe Lagreca wrote:
> I have a T-1 (1.54mb symmetrical) for our data connection. Whenever
> there is a big download filling the pipe, the inbound voice chops.
>
> When I set the inbound traffic to 1450kb (tested all the way down to
> 1000kb), I got VERY bad results. Audio was VERY choppy inbound, and
> ping latency to the internal interface of the firewall would jump from
> 1ms to 700ms.
>
> I was told you can't effectively rate limit the inbound traffic,

Wrong.

> so I
> set the inbound bandwidth to 5,000 kb. The outbound is set to 1450kb.
> It sounds much better, but I still have chops when a big download is
> initiated.
>
Because of the above excessive limit. You can't do anything once traffic is on your downstream, but limiting on the download side delays traffic after it gets to you, causing TCP's congestion control to slow down the connection, and hence not overfill your downstream.
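The download-side limiting described in that reply, as an added example in raw pf ALTQ syntax (FreeBSD); this is not pfSense's generated ruleset and not from the thread. It assumes em1 is the LAN interface, 192.168.1.10 is the PBX (a constructed placeholder), and the T-1 line rate of 1.54 Mb/s from the post.

```pf
# Weak setting: 5000Kb on a 1.54Mb line. The LAN-facing queue can never
# fill, so the firewall delays or drops nothing, TCP never backs off, and the
# ISP's downstream stays saturated with voice queued behind the bulk download.
#   altq on em1 hfsc bandwidth 5000Kb queue { qVoIP, qDefault }

# Corrected setting: a little under the line rate, so the bottleneck moves
# from the ISP's downstream to this queue, where TCP's congestion control
# reacts to the delay and slows the download.
altq on em1 hfsc bandwidth 1400Kb queue { qVoIP, qDefault }
queue qVoIP    bandwidth 256Kb  hfsc(realtime 256Kb)   # guaranteed share for voice
queue qDefault bandwidth 1144Kb hfsc(default)          # everything else, downloads included

# "Out on em1" is traffic the firewall sends toward the LAN, i.e. inbound
# from the Internet. Voice to the PBX goes to the realtime queue; all other
# traffic falls into the default queue.
pass out quick on em1 proto udp from any to 192.168.1.10 queue qVoIP
```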
[pfSense-discussion] pfSense 1.2.3 release now available!
Details here: http://blog.pfsense.org/?p=531
Re: [pfSense-discussion] optimal way for a colo setup
On Mon, Nov 9, 2009 at 8:09 AM, Eugen Leitl wrote:
>
>> generally prefer getting a smaller WAN block and having the larger
>> internal block routed to you, then you can use a combination of NAT
>
> So you have a small address space just for the firewalls WANs and
> other stuff, and get the networks handled to you? Using which protocol,
> BGP?
>
No routing protocols. The routing is done upstream by the provider.

> So how does the layout look like WAN and LAN side? Which addresses
> do the hosts on the LAN side have, private IPs (e.g. 10.x.x.x)?
>
You can have some interfaces with private, some with public, all private, all public, whatever you want to use.
Re: [pfSense-discussion] optimal way for a colo setup
On Mon, Nov 9, 2009 at 7:17 AM, Eugen Leitl wrote:
>
> I've built a 1.2.3RC3 box on the aforementioned Supermicro
> dual-core Atom box with an Intel dual-port server NIC
> and a 2 GByte Transcend DoM (some 200 EUR the Supermicro
> kit, 35 EUR memory, and 100 EUR the dual-port Intel
> NIC, the DoM is some 20-30 EUR IIRC).
>
> All four NICs (onboard Realteks and Intel) are apparently
> fully functional.
> The box is reasonably quiet, and probably not underventilated
> if it's not sandwiched between two other rackmounts (it
> does have enough fan headers on the motherboard to rectify
> that potential problem, though no fan mounts; hotglue would
> probably do).
>
> I've assigned WAN and LAN to the Intel NIC, and will use
> the Realteks for pfsync, redundancy and the like.
>
> Now the question, assuming I have a /24 network on WAN, what is
> the optimal routing setup if I want to go carp+pfsync
> eventually fully redundant? I'm currently running two
> mini-ITX C3 boxes in a poor man's failover setup, both
> as transparent bridges, with one disabled through STP
> or other loop-detection feature.
>
> So what do I do with my /24? Private IP space behind
> LAN, and 1:1 for every address? (That would be pretty
> difficult to recover from should my firewall die, right
> now every box has public IPs and can be fully routed
> even though then directly exposed to the hostile
> Internet).
>
Lots of options there; they're discussed in depth in the book. I generally prefer getting a smaller WAN block and having the larger internal block routed to you, then you can use a combination of NAT and routed public IPs as needed, and easily add additional IP space in the future if needed.

I don't like bridging in a serious colo environment, because of the complications possible with relying on STP, or hacks on the firewall.

I would never set up the network with a design consideration that you can use it if the firewalls fail; that's why you have redundant firewalls.
Re: [pfSense-discussion] pfSense book now available for purchase
On Wed, Nov 4, 2009 at 12:17 PM, Scott Ullrich wrote:
> On Wed, Nov 4, 2009 at 12:13 PM, cl...@pfsense wrote:
>> Can't wait for the electronic version :-)
>
> I believe only commercial support customers will have access to the
> electronic version.
>
I think - not completely sure yet on this - that at least one of our hardware resellers will be selling individual electronic copies. The publisher is working on that.

For those who have a support or reseller subscription, you can grab it here after logging in: https://portal.pfsense.org/book/pfSense-book.pdf

> And folks, please respect the authors and do not pirate it. kthanks
>
Indeed.
Re: [pfSense-discussion] Rebecca L. Bowman/CHMCA is out of the office.
On Thu, Oct 29, 2009 at 5:38 PM, wrote:
> I'd like you all to know that unlike Ms. Bowman I will be in the office or
> at least available more or less at all times. I kind of live on the
> internet. Thanks.
>
That was confidential!! ;)

On a serious note, I wish people would configure their mail servers to only send out of office replies when they are expressly listed in the to or cc lines.
Re: [pfSense-discussion] long upgrade of 1.2.3RC3full on ALIX
On Thu, Oct 15, 2009 at 7:40 AM, Jim Pingle wrote:
>
> I have seen a similar problem when installing some packages. It seems to
> particularly dislike having system libraries overwritten underneath it.
> Installing the packages would cause the system to sig11 and lots of
> processes would die. The same task on a normal PC full install worked fine.
>
He's actually running a full install on CF though, which is interesting. We thought those problems were embedded specific somehow, doesn't appear that's the case.
Re: [pfSense-discussion] long upgrade of 1.2.3RC3full on ALIX
On Thu, Oct 15, 2009 at 4:59 AM, Eugen Leitl wrote:
> On Thu, Oct 15, 2009 at 10:10:59AM +0200, Eugen Leitl wrote:
>>
>> I've updated 1.2.3RC3 on a SunFire X2100 M2 yesterday without
>> a hitch. Same upgrade on ALIX takes now about an hour. What's
>> the name of the upgrade process? bsdtar isn't running according
>> to ps -aux
>
> Update: the system crashed, and had to be rebooted manually.
> It shows version 1.2.2 again.
>
> I can upload the tarball manually to /root :
>
> pfsense:~# md5 /root/pfSense-Full-Update-1.2.3-RC3.tgz
> MD5 (/root/pfSense-Full-Update-1.2.3-RC3.tgz) =
> 3f5fe57bb12d376a2817ecc5bc8e601e
>
> Is there a way to start the update manually, without
> the web interface?

Console upgrade.
Re: [pfSense-discussion] layer 4-7 load balancing
On Mon, Aug 24, 2009 at 8:45 PM, Aristedes Maniatis wrote:
> I've since discovered that our application server doesn't need sessions to
> be bound to a particular httpd front-end. So 3 & 4 are not actually required
> (although SSL offloading would be convenient simply to reduce the number of
> IP addresses we have to configure on each web server).
>
> That leaves 5. How flexible is pfSense's dead host detection? Instead of a
> ping check can we substitute an arbitrary http check (at a minimum to check
> for a 200 response, but ideally we want to perform a regex check to find
> specific content on a page)? Or alternatively since we already have nagios
> performing these checks can we use that to notify pfsense to perform a
> failover?

Some of that functionality does exist in relayd, but the implementation in 2.0 hasn't been finished and currently has a number of issues. I'll email you off list on taking this on as a project, we'll find a solution that will meet your needs.
Re: [pfSense-discussion] layer 4-7 load balancing
On Thu, Aug 20, 2009 at 10:16 PM, Aristedes Maniatis wrote:
> Is anyone using pfSense to perform load balancing (and failover) for two or
> more web servers in a redundant configuration?

Yes, lots, but in more generic setups.

> Bonus points for being able
> to also perform SSL offloading. Our application server uses HTTP cookies to
> maintain sessions, so it is important that the load balancer be able to
> maintain connection to a specific web server for the life of the cookie.
>
The session stickiness is based on firewall states, which isn't going to guarantee that it's tied to that server for the life of the cookie. Current stable versions don't provide the kind of functionality you require for that.
Re: [pfSense-discussion] fully redundant dual-WAN setup
in case the other replies weren't enough:

On Tue, Aug 11, 2009 at 5:03 AM, Veiko Kukk wrote:
>
> I have tried dual wan and dual machine setup with no success. Dual wan
> pfsense only works with single machine.

Wrong.

> carp also works, but both carp
> *and* dual wan together does not work!

Wrong.

> And seems there are very few who care about pfsense failover ability,
> probably most people use single machine and single wan setups.
>
Wrong. Probably a slight majority (something > 50%) don't use either (and are home users), but that minority that does is a very large number of installs. The bulk of the installs I work with use CARP, multi-WAN, or both. The majority of our developers maintain mission critical production environments with both.
Re: [pfSense-discussion] Sudden climb of CPU usage with no change of usage.
On Sat, Aug 8, 2009 at 4:14 PM, cl...@pfsense wrote:
> See attached
>
> Can anyone explain what have happened to my CPU usage over the last
> week.
> The firewall has been running for approx 2 months and the usage have not
> changed.
>
> I noticed this as my ip-phone started to have drop outs.
>
Unlikely that's related, but hard to say.

> I just rebooted and things looks normal again.
>
That cleared out indications of what was happening. There have been 3-4 reports of RRD graph data gathering causing this (from people who rebooted and stopped its occurrence and any ability for us to track it down), but nothing any of the developers has ever seen or been able to replicate. If it comes back, email me offlist before doing anything else, I'd like to get in to the system and see what's happening.
Re: [pfSense-discussion] fully redundant dual-WAN setup
On Fri, Aug 7, 2009 at 5:41 AM, Eugen Leitl wrote:
>
> Is any of you running pfSense in a fully redundant hosting setting?
> Care to share your setup?
>
I've done numerous designs and deployments like this for customers, it's one of the more common things we do.

You might find my DCBSDCon 2009 presentation helpful. It covered network perimeter redundancy in general, and showed a specific design that's modeled after the most common hosting/colo environment redundant setups. http://www.youtube.com/watch?v=aElQidbWUxA

I'm scared to watch it personally. :) But others have said it's pretty good.

I'd stay away from bridging if you can avoid it. Get a /29 on your WAN side and a separate public block for the inside (if you don't want to NAT), with the provider routing the inside subnet to a CARP VIP on WAN.

For the second drop, that depends on how they have it setup. Whether they can offer BGP, or if that even makes sense, is NIC bonding a possibility, what are any other potential routing options, etc... That's mostly provider-dependent. Lot more to it than I have time to cover. (though I'd be glad to work with you one on one with the design and setup, see the link in the footer for commercial support)

ESX or ESXi are good choices for testing, and it's not unheard of to run your entire hosting/colo infrastructure including firewalls in ESX or ESXi. It can make sense in some scenarios. I typically don't.
Re: [pfSense-discussion] Very odd issue - Transparent Firewall - 2 Locations
On Thu, Jul 16, 2009 at 4:01 AM, Angus Jordan wrote:
>
> I had configured the servers behind the pfsense bridge with the
> gateway pointing directly at the pfsense firewall. When I modified the
> gateway on the servers to use the real upstream gateway, all is
> normal.
>
Ah yeah, that'll do it. Logs were strange (not now that I know what you were doing), only showing 1500 byte frames getting blocked, and from your earlier description that mostly emails with attachments were having issues, seemed maybe a smaller MTU would fix things.
Re: [pfSense-discussion] Very odd issue - Transparent Firewall - 2 Locations
On Thu, Jul 16, 2009 at 3:22 AM, Angus Jordan wrote:
> Hi again,
>
> I've attached the logs directly from the /var/log/filter.log. These
> show up at exactly the same time the download stops...
>
What happens if you lower the MTU on the server to 1450?
Re: [pfSense-discussion] Very odd issue - Transparent Firewall - 2 Locations
On Thu, Jul 16, 2009 at 3:06 AM, Angus Jordan wrote:
> Hi Chris,
>
>> Make sure you're using e1000 interfaces. Also might want to try
>> "disable checksum offload" under System -> Advanced.
>
> Both of these options are selected, same symptoms..although it does
> take much longer for the problem to creep up.
>
> Unfortunately this is mainly affecting outbound email, the connections
> just seem to time out. More-so when there are attachments, but also
> sometimes even without attachments..
>
Paste some of the firewall logs you're seeing, raw logs from status.php.
Re: [pfSense-discussion] Very odd issue - Transparent Firewall - 2 Locations
On Wed, Jul 15, 2009 at 6:57 PM, Angus Jordan wrote:
> Hi Greg,
>
> Yes, the pfSense does show blocks in on the wan interface. I wish I
> could send them to you, but for some reason since you sent this email
> the issue seems to have stopped...but it will be back, I know that.
>
> One thing that I failed to mention in my earlier email is that both of
> these pfSense firewalls are running inside of VMWare Server (1.0.9) on
> top of Debian hosts. I know this is not the cause of the issue though,
> since these problems existed before we virtualized the firewall at one
> of the sites...

Make sure you're using e1000 interfaces. Also might want to try "disable checksum offload" under System -> Advanced.
[pfSense-discussion] Next generation of pfSense embedded now available
For those who don't follow the blog: http://blog.pfsense.org/?p=472
[pfSense-discussion] Fwd: [FreeBSD-Announce] Announcing EuroBSCon 2009
I will be presenting on pfSense at EuroBSDCon. Info here: http://blog.pfsense.org/?p=481 and below

-- Forwarded message --
From: Robert Watson
Date: Mon, Jul 13, 2009 at 9:18 AM
Subject: [FreeBSD-Announce] Announcing EuroBSCon 2009
To: annou...@freebsd.org

EuroBSDcon 2009
Friday 18th - Sunday 20th September, University of Cambridge, UK

A day of tutorials followed by 2 days of conference talks covering a wide variety of BSD related topics. This is the European BSD Community's annual event to meet, share and interact across the projects and between friends.

This year's line up features...
* ISC and *BSD
* OpenBSD malloc
* How FreeBSD finds oil
* NetBSD's LVM
* faster packets in OpenBSD
* Wireless Mesh networks
* Kirk McKusick's FreeBSD Guide
* and more

The full talk list and schedule: http://2009.euroBSDcon.org

Discounted Early Bird registration runs until 2nd September. Book your place now at http://2009.euroBSDcon.org

Final programme may be subject to alteration.

EuroBSDcon is a not for profit event open to everyone so please help spread the word online and offline.

Thanks for reading! If you're interested to read this far, you can sign up for future announcements about EuroBSDcons by sending an email to eurobsdcon-announce-subscr...@lists.ukuug.org . Your address will only be used to contact you about European BSD events.

EuroBSDcon 2009 : September 18-20th, Cambridge, England. http://www.ukuug.org/events/eurobsdcon2009/

EuroBSDcon is grateful to our sponsors; Premier Sponsor iXsystems.com, and The FreeBSD Foundation, NetApp and Google.

___
freebsd-annou...@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-announce
To unsubscribe, send any mail to "freebsd-announce-unsubscr...@freebsd.org"
Re: [pfSense-discussion] dhcp relay | failover
On Sat, Jul 11, 2009 at 4:14 AM, Zied Fakhfakh wrote:
> Hi,
>
> I have a dhcp relay on pfsense to a dhcpd at, let's say, 192.168.2.1.
>
> There's a failover dhcpd server at 192.168.2.2 (without floating IP).
>
> is there any way pfsense can handle that ?
>
Manually change the relay. There's a feature request open for multiple server IPs.
Re: [pfSense-discussion] euroBSDcon
On Wed, May 27, 2009 at 8:26 AM, Paul Mansfield wrote:
> http://www.ukuug.org/events/eurobsdcon2009/
>
> anyone going? and more to the point, anyone interested in a beer :-)
>
I am now officially going to be at EuroBSDCon. The schedule isn't finished yet, but my talk on pfSense has been accepted. Anyone else?

I haven't been to EuroBSDCon before, but if it's anything like BSDCan and DCBSDCon there will be ample opportunities for drinking. :) Usually official social events at bars, but if there aren't any such things we can setup a pfSense meetup somewhere.
Re: [pfSense-discussion] euroBSDcon
On Wed, May 27, 2009 at 8:26 AM, Paul Mansfield wrote:
> http://www.ukuug.org/events/eurobsdcon2009/
>
> anyone going?

I submitted a talk on pfSense, if it gets accepted I'll be there. We've submitted to 5 BSD conferences over the past 4 years and haven't been rejected yet, so probably a good chance I'll be there. Should know for sure in about a month.

> and more to the point, anyone interested in a beer :-)
>
Definitely, if I'll be there.
Re: [pfSense-discussion] High latency on downloads with shaping
On Fri, May 8, 2009 at 7:04 PM, Joe Lagreca wrote:
> The problem is the high latency is wreaking havoc with our VOIP PBX.

That's irrelevant, ICMP is queued differently from your VoIP traffic.
Re: [pfSense-discussion] High latency on downloads with shaping
On Fri, May 8, 2009 at 6:21 PM, Joe Lagreca wrote:
> Why only on the download portion of the test and not the upload portion?
>
> If I switch to pfsense 1.0.1 can I avoid these limitations/problems?
>
No. The shaper in 1.0.x is slightly worse, and 1.0.x is riddled with problems. Though mostly edge cases, and a ton of people still run it, even including yours truly on the firewall in front of our hosting servers until it died last week, *don't* do that.
Re: [pfSense-discussion] High latency on downloads with shaping
On Fri, May 8, 2009 at 5:59 PM, Joe Lagreca wrote:
> I'm having a STRANGE problem when our traffic shaper is turned on.

Normal. Limitation of the 1.2.x shaper. Treats no differently than Internet-bound pings.
Re: [pfSense-discussion] QoS / multiple network interfaces
On Mon, May 4, 2009 at 12:40 PM, cl...@pfsense wrote:
> Ahhh, that's why I didn't find it
>
Realized it wasn't out there and added it. ;)
Re: [pfSense-discussion] QoS / multiple network interfaces
On Mon, May 4, 2009 at 7:55 AM, cl...@pfsense wrote:
> Hi
>
> I have VOIP on eth3, LAN on eth2 and wan on eth0
>
> I have setup QoS using the shaping wizard and as result two rules exist
>
> VOIP -> WAN
> WAN -> VOIP
>
> However when I (using LAN) uploaded a huge (3G) file this weekend I
> noticed very poor quality on the VOIP in terms of long delays etc.
>
> My question is: Does my traffic shaper work when competing traffic runs
> LAN <-> WAN and voip VOIP <-> WAN ?
>
http://doc.pfsense.org/index.php/Does_the_traffic_shaper_work_with_more_than_2_interfaces
Re: [pfSense-discussion] HSRP log messages on BRIDGE0
On Mon, Apr 27, 2009 at 5:45 PM, Angus Jordan wrote:
> Hi there,
>
> We have a pfSense 1.2.2 box setup in a transparent firewall
> configuration (ie. LAN is bridged to WAN). This works just fine, but
> the colocation where this box is sitting is broadcasting HSRP (UDP
> port 1985) over the network, and our pfSense box is picking it up and
> logging it every 3 seconds.
>
> I have disabled the logging on the WAN interface just fine, but it
> still logs messages on interface "BRIDGE0" which is not an interface
> that I can add firewall rules to at all.
>
Strange, filtering on bridges themselves is forced to disabled. What did you do to get it to stop logging on the WAN?
[pfSense-discussion] 1.2.3-RC1 released!
Info here: http://blog.pfsense.org/?p=428
Re: [pfSense-discussion] Cannot Save changes in /tmp/rules.debug
On Sat, Apr 11, 2009 at 11:52 AM, RI 1 / ipv6.or.id wrote:
> Hallo Chris,
>
> Yes, changing PF Rules.
> GUI doesn't seem to work, I already set allow all for all interface.

It works fine, you're seeing something else like out of state traffic or asymmetrically routed traffic. If you want to allow all, disable the filter under System -> Advanced.

> Might be PFSense creates new interface called bridge 0 which does not yet
> have any rule defined.

There is no filtering on bridge interfaces.
Re: [pfSense-discussion] Cannot Save changes in /tmp/rules.debug
On Fri, Apr 10, 2009 at 9:00 PM, RI 1 / ipv6.or.id wrote:
> Hi,
>
> I just worked with PFSense lately.
> Why can't I save any changes made to /tmp/rules.debug file due to web
> interface firewall doesn't seem to work ?
> It's always after a while back to block "default deny rule" or after the box
> restarted.

Not sure if I understand what you're saying, but it sounds like you're making manual changes to the PF ruleset. You can't do that, all the rules must be entered in the GUI.
Re: [pfSense-discussion] OT: simple SMTP relay daemon?
On Fri, Apr 10, 2009 at 8:33 AM, Curtis LaMasters wrote:
> I don't know if it works on FreeBSD but busybox has an SMTP engine.
>
That receives SMTP over the network? Looks like it includes ssmtp which appears to send from the local system only.
Re: [pfSense-discussion] OT: simple SMTP relay daemon?
On Fri, Apr 10, 2009 at 1:52 AM, David Rees wrote:
> On Thu, Apr 9, 2009 at 8:07 PM, Chris Buechler wrote:
>> I'm looking for something simple to do nothing but accept SMTP mail
>> from a defined list of hosts allowed to relay and push it off to
>> another SMTP server (using gmail, so must be with auth and TLS). Must
>> run on FreeBSD. Any full blown MTA is out of the question, too
>> complex. I suspect something out there does just what I'm after, but
>> all I'm finding are MTAs or simple apps that don't accept SMTP over
>> the network. Browsing the mail ports in FreeBSD didn't help, though I
>> could have missed something.
>>
>> Anyone have any suggestions?
>
> Although it is a full blown MTA, Postfix is lightweight, simple to
> configure and reliable.
>
Lightweight for a full blown MTA, but not lightweight. Postfix is what I started trying actually, but too many missing libraries and other difficulties in getting it running on a pfSense box without a decent amount of effort.

I suspect there's a tiny, simple daemon somewhere that will do this without a lot of fuss, I just can't find it. I'd probably turn it into a pfSense package and slap a simple GUI on it. It would essentially be a proxy from SMTP to authenticated SMTP, relaying for SMTP clients on the LAN subnet that don't support authentication. Or as a single point for sending mail from your LAN if you don't have an internal mail server. One of those things I wouldn't run on *my* firewall (that's a server's job), but desired by some and not entirely unreasonable.
Re: [pfSense-discussion] OT: simple SMTP relay daemon?
On Fri, Apr 10, 2009 at 12:20 AM, RB wrote:
> On Thu, Apr 9, 2009 at 21:58, Chris Buechler wrote:
>> Saw both of those, though from what I can see neither one of them will
>> accept SMTP over the network, they're local only. If I'm mistaken, let
>> me know.
>
> My check was cursory, I only mentioned them because they both have the
> word 'relay' in some package manager's description. Like you, I see
> nothing that simply proxies mail without a large amount of overhead.
>

Thanks for the confirmation. Doesn't seem like an unusual thing to want...
Re: [pfSense-discussion] OT: simple SMTP relay daemon?
On Thu, Apr 9, 2009 at 11:46 PM, RB wrote:
> On Thu, Apr 9, 2009 at 21:07, Chris Buechler wrote:
>> I'm looking for something simple to do nothing but accept SMTP mail
>> from a defined list of hosts allowed to relay and push it off to
>> another SMTP server (using gmail, so must be with auth and TLS). Must
>> run on FreeBSD. Any full blown MTA is out of the question, too
>> complex. I suspect something out there does just what I'm after, but
>> all I'm finding are MTAs or simple apps that don't accept SMTP over
>> the network. Browsing the mail ports in FreeBSD didn't help, though I
>> could have missed something.
>
> What about http://esmtp.sourceforge.net or nullmailer? The addition
> of the relaying capability does definitely limit the choices.
>

Saw both of those, though from what I can see neither one of them will accept SMTP over the network, they're local only. If I'm mistaken, let me know.
[pfSense-discussion] OT: simple SMTP relay daemon?
I'm looking for something simple to do nothing but accept SMTP mail from a defined list of hosts allowed to relay and push it off to another SMTP server (using gmail, so must be with auth and TLS). Must run on FreeBSD. Any full blown MTA is out of the question, too complex. I suspect something out there does just what I'm after, but all I'm finding are MTAs or simple apps that don't accept SMTP over the network. Browsing the mail ports in FreeBSD didn't help, though I could have missed something.

Anyone have any suggestions?

thanks,
Chris
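A minimal version of the relay asked for here, and described in the follow-up as "a proxy from SMTP to authenticated SMTP": plain SMTP in from an allow-list of LAN hosts, STARTTLS plus AUTH out to the upstream submission server. This is an added Python example, not pfSense code and not any of the daemons named in the thread. The allowed network, upstream host, port, credentials and the listener port 2525 are placeholders (assumptions) to replace.

```python
import ipaddress
import smtplib
import socketserver
import ssl

# Assumptions: which LAN hosts may relay, and where mail goes afterwards.
ALLOWED_RELAY_NETS = [ipaddress.ip_network("192.168.1.0/24")]
UPSTREAM = {"host": "smtp.example.com", "port": 587,          # placeholder
            "user": "relay@example.com", "password": "app-password"}


def may_relay(peer_ip, allowed=ALLOWED_RELAY_NETS):
    """True only if the client's IP is inside a permitted source network."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in allowed)


class RelaySession:
    """Server-side SMTP state machine, independent of any socket: feed() takes
    one client line and returns the reply (None while inside DATA). A complete
    message is handed to deliver(sender, rcpts, data)."""

    def __init__(self, peer_ip, deliver, allowed=ALLOWED_RELAY_NETS):
        self.allowed_peer = may_relay(peer_ip, allowed)
        self.deliver = deliver
        self.in_data = False
        self.reset()

    def reset(self):
        self.sender, self.rcpts, self.lines = None, [], []

    def feed(self, line):
        if self.in_data:
            if line != ".":
                # undo RFC 5321 dot-stuffing on the way in
                self.lines.append(line[1:] if line.startswith("..") else line)
                return None
            self.in_data = False
            msg = "\r\n".join(self.lines) + "\r\n"
            sender, rcpts = self.sender, self.rcpts
            self.reset()
            try:
                self.deliver(sender, rcpts, msg)
            except (smtplib.SMTPException, OSError) as exc:
                return "451 4.4.1 upstream delivery failed: %s" % exc
            return "250 2.0.0 queued"
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 relay"
        if verb == "MAIL":
            if not self.allowed_peer:   # ACL enforced before any envelope exists
                return "550 5.7.1 relaying denied for your address"
            self.sender = arg.partition(":")[2].strip()
            return "250 2.1.0 ok"
        if verb == "RCPT":
            if self.sender is None:
                return "503 5.5.1 MAIL first"
            self.rcpts.append(arg.partition(":")[2].strip())
            return "250 2.1.5 ok"
        if verb == "DATA":
            if not self.rcpts:
                return "503 5.5.1 RCPT first"
            self.in_data = True
            return "354 end data with <CR><LF>.<CR><LF>"
        if verb == "RSET":
            self.reset()
            return "250 2.0.0 ok"
        if verb == "QUIT":
            return "221 2.0.0 bye"
        return "502 5.5.2 command not implemented"


def deliver_upstream(sender, rcpts, data, upstream=UPSTREAM):
    """Push one message to the upstream submission port: STARTTLS with
    certificate verification, then AUTH, then the collected envelope."""
    ctx = ssl.create_default_context()
    with smtplib.SMTP(upstream["host"], upstream["port"], timeout=30) as smtp:
        smtp.starttls(context=ctx)
        smtp.login(upstream["user"], upstream["password"])
        smtp.sendmail(sender, rcpts, data.encode("utf-8"))


class Handler(socketserver.StreamRequestHandler):
    def handle(self):
        session = RelaySession(self.client_address[0], deliver_upstream)
        self.wfile.write(b"220 relay ESMTP\r\n")
        for raw in self.rfile:
            reply = session.feed(raw.decode("utf-8", "replace").rstrip("\r\n"))
            if reply:
                self.wfile.write((reply + "\r\n").encode())
                if reply.startswith("221"):
                    break


if __name__ == "__main__":
    # Listener address and port are assumptions; bind it to the LAN side only.
    with socketserver.ThreadingTCPServer(("0.0.0.0", 2525), Handler) as srv:
        srv.serve_forever()
```

The session object is kept free of sockets so the relay check and the command sequence can be exercised offline. Two points matter for the use described in the thread: the source check fires at MAIL FROM, so an unlisted host cannot even open an envelope, and `ssl.create_default_context()` verifies the upstream certificate, so the credentials are not handed to whatever answers on port 587. This is a proxy, not an MTA: there is no queue, and a failed upstream delivery comes back to the client as a 451 so the client retries.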
Re: [pfSense-discussion] pfSense / Free BSD CPU kern.cp_time Jams in some environments
On Sat, Apr 4, 2009 at 4:50 PM, Tortise wrote:
> Hi
>
> Is anyone else getting this?
>
> It is occurring if you get either a
>
> 1) divide by zero error on the index page for CPU Usage or
> 2) an indication the CPU is always on 0% use, which it shouldn't be for long!
>
> It seems to occur 1.2.2 onwards and on some motherboards and not others.
>

Should be 1.2.1 onwards, there are no FreeBSD differences from 1.2.1 to 1.2.2. 1.2.3 also exhibits the same behavior on these 440BX systems, though our calculation has changed so you can never get a divide by 0, it just returns 0% when these counters are wrong. I checked a wide range of hardware and I don't have anything that exhibits this, but I don't have any 440BX systems either, which seems to be what this is limited to, and not all of them at that or we would have heard about it quite some time ago I'm sure.
Re: [pfSense-discussion] extending LAN private network
On Fri, Apr 3, 2009 at 3:34 PM, David Rees wrote:
> On Fri, Apr 3, 2009 at 7:48 AM, Paul Mansfield
> wrote:
>> use vlans, a managed switch, and use 192.168.x.0/24 for each vlan. for
>> bonus points, use NAC and dynamic vlans to allow only approved devices
>> and put them on the right network.
>>
>> (we do something similar, vlan N is 192.168.N/24. it's bad practise to
>> use vlan1 so we start at 2)
>
> I'm fairly new to VLANs - why is it bad practice to use vlan1?
>

Security reasons. Vulnerable to VLAN hopping/dropping in some circumstances.
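To make the "why not VLAN 1" answer concrete, here is an added Python example (not pfSense code, not from anyone in the thread) that walks the 802.1Q/802.1ad tag stack of a raw Ethernet frame and classifies it. It rests on the well-known mechanics of VLAN hopping by double tagging: a switch sends the trunk's native VLAN untagged, so it strips an outer tag that matches the native VLAN (VLAN 1 by default on most switches) and the next switch forwards on whatever inner tag the sender chose. The native VLAN number and the sample frames built by `build_frame` are assumptions constructed for the example.

```python
import struct

TPID_8021Q = 0x8100   # customer VLAN tag
TPID_8021AD = 0x88A8  # service (QinQ) tag
NATIVE_VLAN = 1       # assumption: switch left at its default native VLAN


def parse_vlan_stack(frame):
    """Return (list_of_vlan_ids, final_ethertype) for a raw Ethernet frame.
    Walks every stacked tag after the 12-byte dst/src header."""
    offset, vlans = 12, []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame")
        ethertype = struct.unpack_from("!H", frame, offset)[0]
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            return vlans, ethertype
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        vlans.append(tci & 0x0FFF)   # low 12 bits of the TCI are the VID
        offset += 4


def classify(frame, native_vlan=NATIVE_VLAN):
    """Label a frame by what a switch would do with its tag stack."""
    vlans, _ = parse_vlan_stack(frame)
    if not vlans:
        # untagged frames land in the native VLAN: with VLAN 1 as native,
        # anything plugged into an access port is already "in" VLAN 1
        return "untagged:native-vlan-%d" % native_vlan
    if len(vlans) > 1:
        if vlans[0] == native_vlan:
            # outer tag stripped as native, inner tag decides the destination
            return "double-tagged:hop-to-vlan-%d" % vlans[1]
        return "double-tagged:qinq"
    if vlans[0] == native_vlan:
        return "tagged:native-vlan-%d" % native_vlan
    return "tagged:vlan-%d" % vlans[0]


def build_frame(vlans, payload=b"\x45" + b"\x00" * 19):
    """Construct a sample frame: dst, src, zero or more 802.1Q tags, IPv4."""
    hdr = bytes.fromhex("ffffffffffff") + bytes.fromhex("0200c0ffee01")
    tags = b"".join(struct.pack("!HH", TPID_8021Q, vid) for vid in vlans)
    return hdr + tags + struct.pack("!H", 0x0800) + payload
```

Fed frames captured on a trunk, `classify` separates legitimate QinQ from the hop case, and it also shows why starting at VLAN 2 on its own is only half the fix: the usual mitigation is to move the native VLAN of every trunk to an otherwise unused ID (or tag the native VLAN) and to keep no access ports in it, so that an outer tag of 1 is never stripped.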
Re: [pfSense-discussion] VPN Tunnel Dual WAN failover
On Thu, Mar 5, 2009 at 10:03 PM, Chris Buechler wrote:
> On Wed, Mar 4, 2009 at 7:30 AM, Mark Slatem wrote:
>>
>> Chris, Will version 2 support this natively by any chance?
>>
>
> Just need a package for OSPF, which could be added on 1.2.x and 2.0.
> That's a project I want to take on in the next few months.
>

And may require some policy routing from localhost capabilities in some circumstances, that part should be doable in 2.0 already.
Re: [pfSense-discussion] VPN Tunnel Dual WAN failover
On Wed, Mar 4, 2009 at 7:30 AM, Mark Slatem wrote:
>
> Chris, Will version 2 support this natively by any chance?
>

Just need a package for OSPF, which could be added on 1.2.x and 2.0. That's a project I want to take on in the next few months.
Re: [pfSense-discussion] VPN Tunnel Dual WAN failover
On Wed, Mar 4, 2009 at 7:30 AM, Mark Slatem wrote:
> Thanks for all advice.
>
> I recall attempting to add a static route to the openvpn server endpoint ip,
> but it still did not work for me.

Then you aren't doing something right.
Re: [pfSense-discussion] VPN Tunnel Dual WAN failover
On Tue, Mar 3, 2009 at 6:57 PM, Mark Slatem wrote:
> Hi all.
>
> I have about 50 Alix embedded firewalls running at branches. All the
> branches connect to a central pfsense at our data centre via an openvpn
> tunnel. This solution works absolutely beautifully and allows all the
> branches to be on one private network. The problem is some of the branches
> are in locations where the ADSL links have intermittent connectivity problems
> and can go down for extended periods. We have countered this by putting down
> 3G routers at these branches and having a Dual Wan with load balancing pools
> for failover. This works well and when one link goes down the traffic is
> routed via the other link. However this does not work for the openvpn tunnel
> that refuses to establish down the secondary WAN link, I have tried and
> tried but can not get it to work.
>

You have to add a static route to direct the traffic. Manual failover works fine with appropriate routes. Automatic failover would require configuration of a routing protocol. None of the existing supported ones are a good fit, though we'll likely see OSPF support at some point in the not too distant future.
Re: [pfSense-discussion] 1.2.2 CPU Division by zero error in index.php
On Sat, Feb 28, 2009 at 4:02 PM, Tortise wrote:
> Hi
>
> In the index.php page CPU usage value I am getting:
>
> Warning: Division by zero in /usr/local/www/includes/functions.inc.php on
> line 66 0%
>
> This is with the embedded image on a CF, Pentium 400, 756M RAM.
>

Run this from Diagnostics -> Command and post the output:

sysctl -n kern.cp_time
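This report and the later "CPU kern.cp_time jams" thread come down to one calculation: the dashboard figure is the change in the non-idle columns of `kern.cp_time` (user, nice, system, interrupt, idle ticks) between two samples, divided by the change in the total. Here it is as an added Python example, not the PHP in pfSense's functions.inc.php, with the guard described in the other thread: counters that do not advance give 0% rather than a division by zero. Reading the live counters assumes a FreeBSD `sysctl` on the PATH; the sample values are constructed.

```python
import subprocess

# column order of kern.cp_time on FreeBSD
CP_USER, CP_NICE, CP_SYS, CP_INTR, CP_IDLE = range(5)


def parse_cp_time(text):
    """Parse the output of `sysctl -n kern.cp_time` into five integers."""
    fields = text.split()
    if len(fields) != 5:
        raise ValueError("expected 5 counters, got %r" % text)
    return tuple(int(f) for f in fields)


def cpu_usage_percent(before, after):
    """Percent of ticks spent non-idle between two samples.

    Returns 0 when the counters did not move (or moved backwards), which is
    the symptom reported on the 440BX boards: a stuck tick counter shows as
    a flat 0% instead of raising a division-by-zero warning."""
    deltas = [a - b for a, b in zip(after, before)]
    total = sum(deltas)
    if total <= 0 or any(d < 0 for d in deltas):
        return 0
    busy = total - deltas[CP_IDLE]
    return round(100 * busy / total)


def counters_advancing(before, after):
    """The check to run when the dashboard sits at 0%: True only if the
    kernel's tick counters actually moved between the two samples."""
    return sum(after) > sum(before)


def read_cp_time():
    """Read the live counters (FreeBSD/pfSense only; assumes sysctl on PATH)."""
    out = subprocess.check_output(["sysctl", "-n", "kern.cp_time"], text=True)
    return parse_cp_time(out)


if __name__ == "__main__":
    import time
    first = read_cp_time()
    time.sleep(1)
    second = read_cp_time()
    print("counters advancing:", counters_advancing(first, second))
    print("cpu usage: %d%%" % cpu_usage_percent(first, second))
```

Two samples a second apart that give `counters_advancing` False on an otherwise working box is the stuck-counter case the thread is about; the percentage function then returns 0 by design, so a constant 0% on the dashboard means "no data", not "idle".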
Re: [pfSense-discussion] xen aware pfsense.
On Tue, Jan 27, 2009 at 10:15 PM, pfsense sense wrote:
> i'm not suggesting pfsense be run inside a VM, i am suggesting pfsense
> provide VM functionality

Refer back to my earlier post.
Re: [pfSense-discussion] xen aware pfsense.
On Tue, Jan 27, 2009 at 7:42 PM, pfsense sense wrote:
> has anyone considered the possibility of integrating xen with pfsense ?
>

It's ok in some circumstances, bad in others. The primary difficulty is lack of FreeBSD dom0 Xen support.
Re: [pfSense-discussion] FreeNAS
On Sat, Jan 24, 2009 at 5:13 AM, Eugen Leitl wrote:
>
> IIRC one developer (Chris?) mentioned a number of different pfSense
> possible flavors,

Yes.

> including a NAS appliance.

but no to that part. :) That's one thing that probably won't ever be added, at least not by any of our existing developers.
Re: [pfSense-discussion] PPTP user passwords unencrypted in config file?
On Thu, Jan 22, 2009 at 3:23 PM, jason whitt wrote:
> i was going through my config file the other day and noticed that when using
> pptp against local users the users passwords are stored in clear text in the
> config file.
> Is it possible to encrypt them?
>

No, and never will be for reasons explained here:

http://doc.pfsense.org/index.php/Why_are_some_passwords_stored_in_plaintext_in_config.xml%3F
Re: [pfSense-discussion] Load Balance Cannot Do Logins on forums , webmails , etc ,etc
On Thu, Jan 22, 2009 at 3:27 AM, John Dakos [ Enovation Technologies ] wrote:
> hi Ron and thanks for reply
>
> look , i turn ON the sticky connections and for 30 seconds everything is
> working.
>
> but until 30 seconds i have no Internet
>

Don't use sticky connections. It's broken in FreeBSD.
Re: [pfSense-discussion] start on safe mode
On Mon, Jan 19, 2009 at 3:18 AM, Zied Fakhfakh wrote:
> Hi,
>
> I need to start pfSense, always on SAFE MODE, can someone point me to a good
> documentation ?
>

What do you mean by "safe mode"?
[pfSense-discussion] 1.2.2 released
see http://blog.pfsense.org/?p=351
Re: [pfSense-discussion] single interface operation
On Sun, Jan 4, 2009 at 8:36 PM, Jure Pečar wrote:
>
> Hello,
>
> would it be possible to use pfsense on a platform with a single nic, where
> wan,lan,opt are all vlans? With managed switch, of course.
>

Yes.
[pfSense-discussion] 1.2.1 released!
see http://blog.pfsense.org/?p=340
Re: [pfSense-discussion] Load balancer using carp interfaces?
On Fri, Dec 19, 2008 at 11:09 AM, Paul Mansfield wrote:
> Veiko Kukk wrote:
>> Hi!
>>
>> I wonder if there are some good reasons why it's not possible to choose
>> CARP interfaces (virtual IP-s) for load balancer pools?
>> If not, then why can't I select carpx interfaces for ISP failover load
>> balancer pool?
>> Please fix it or help me how to fix that in my installation.
>
> huh, you can. create a pool of actual servers with internal IPs & ports,
> then create the virtual external service "listening" on the carp IP with
> specific port.
>

That's correct, though for server load balancing. He's talking about multi-WAN it seems.
Re: [pfSense-discussion] Load balancer using carp interfaces?
On Fri, Dec 19, 2008 at 10:11 AM, Veiko Kukk wrote:
> Hi!
>
> I wonder if there are some good reasons why it's not possible to choose CARP
> interfaces (virtual IP-s) for load balancer pools?

Because you use only the physical interfaces, the CARP VIPs just go with the physical interface.
[pfSense-discussion] Network Perimeter Redundancy with pfSense session at DCBSDCon
info here: http://blog.pfsense.org/?p=334
Re: [pfSense-discussion] PHP uses 100% CPU on 1.2 and 1.2.1-RC2
On Mon, Dec 1, 2008 at 11:21 PM, Roland Giesler <[EMAIL PROTECTED]> wrote:
>
> So I removed all the routes except one, just to test if all else is
> ok, but found that on both release 1.2 and 1.2.1-RC2, PHP steadily
> increased when I save a change until it hits 100% usage on one CPU.
> Then, if I click something else, the second CPU gets a PHP process
> that also goes to 100%.
>
> Why would this be happening?
>

Any packages installed? I could see Dashboard causing something like that. There could be something very, very unusual about your configuration (the one minus 9499 of the 9500 static routes) that's hitting a bug no one has seen before. That's not very likely unless you're hitting a package bug.
Re: [pfSense-discussion] PHP uses 100% CPU on 1.2 and 1.2.1-RC2
On Mon, Dec 1, 2008 at 11:21 PM, Roland Giesler <[EMAIL PROTECTED]> wrote:
>
> I use 9488 static route entries

m0n0wall and pfSense aren't exactly designed to work with 9500 static routes (is anything? if you need 9500 routes, you need a routing protocol). I'm sure you're the first to even try it. I understand the reasoning, though BGP is certainly more suitable. Such a configuration does make for an interesting test case though - mind emailing me the XML of those static routes off list? That would be interesting to play with, though it will be quite a while before I have time to do so.
[pfSense-discussion] pfSense 1.2.1-RC2 now available
More info: http://blog.pfsense.org/?p=284
Re: [pfSense-discussion] a pair of transparent bridges gotcha
On Sun, Oct 5, 2008 at 5:17 AM, Eugen Leitl <[EMAIL PROTECTED]> wrote:
>
> I presume this is the same problem as
> http://forum.pfsense.org/index.php?topic=11531.msg63655
>

That person bought a support contract and we helped him resolve that, his firewall rules weren't setup properly to allow the DNS traffic.

> My WAN IPs were from a public /24, my LAN IPs 10.0.0.0/24.
> With that setup all DNS requests from behind the transparent
> bridge would time out. I put some random IPs from the public /24
> on LAN (different from WAN ones, since that is something FreeBSD
> doesn't like).
>

This sounds like your LAN rule was still set to allow source of the LAN subnet.
Re: [pfSense-discussion] a pair of transparent bridges gotcha
On Sat, Oct 4, 2008 at 5:18 PM, Eugen Leitl <[EMAIL PROTECTED]> wrote:
> On Sat, Oct 04, 2008 at 05:13:27PM -0400, Chris Buechler wrote:
>
>> LAN was on a different subnet from what?
>
> LAN was a different subnet from WAN (in transparent bridge
> this shouldn't matter, and it doesn't, with the exception of DNS).
>

Now I'm just as confused. :) You mentioned "the problem is that LAN was on a different subnet. Put them on the same network (different from WAN)" - what does "them" refer to then?

When bridging, the subnet in use on the member interfaces is irrelevant. It won't affect behavior of filtering. There are some caveats when bridging LAN, like I would recommend disabling the webGUI antilockout rule.
Re: [pfSense-discussion] a pair of transparent bridges gotcha
On Sat, Oct 4, 2008 at 4:58 PM, Eugen Leitl <[EMAIL PROTECTED]> wrote:
>
> I have a pair of pfsense 1.2.1-RC1 working in a poor man's
> failover (a parallel pair of transparent bridges).
>
> Had a problem with DNS lookup blockage, the problem is that
> LAN was on a different subnet. Put them on the same network
> (different from WAN) and things work now.
>

LAN was on a different subnet from what? I guess you're bridging an OPT interface?
Re: [pfSense-discussion] W.O.L. Security Question
On Tue, Sep 30, 2008 at 2:39 AM, DarkFoon <[EMAIL PROTECTED]> wrote:
> Greetings all,
>
> I recently upgraded my pfsense platform to a new(er) motherboard with an
> integrated NIC with Wake On LAN.
> If I use this as my WAN interface, does it pose any security vulnerability?
> I do not see a way in the BIOS or as a jumper to turn off WOL.
>
> I would normally assume that it would get ignored by pfSense, as all
> unsolicited traffic is, but I want to be sure.
>

The most anyone could do (barring some sort of future exploit in WoL, which is unlikely) is turn on the machine if it's off. The default firewall rules will block the WoL traffic when the machine is on, though even if it didn't you can't wake a machine that's on already.
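To see why "turn the machine on" is the whole of it, here is an added Python example (not pfSense code) that parses a Wake-on-LAN magic packet: six bytes of 0xFF followed by the target MAC repeated sixteen times, optionally followed by a 4- or 6-byte SecureOn password. A NIC scans for that pattern anywhere in the payload and acts on nothing else in the datagram, so the only thing an unsolicited WoL packet from the WAN carries is a MAC address. `build_magic_packet` constructs the sample packets; the MAC addresses used with it are placeholders.

```python
def parse_magic_packet(payload):
    """Return (mac, password) if payload contains a valid magic packet, else None.

    The sync stream may sit anywhere in the UDP payload (NICs search for it),
    so scan for every 0xFF*6 run and test the 96 bytes that follow it."""
    sync = b"\xff" * 6
    idx = payload.find(sync)
    while idx != -1:
        body = payload[idx + 6: idx + 6 + 16 * 6]
        if len(body) == 96 and body == body[:6] * 16:
            mac = body[:6]
            rest = payload[idx + 6 + 96:]
            # SecureOn password is 4 or 6 bytes; anything else is ignored
            password = rest if len(rest) in (4, 6) else b""
            return ":".join("%02x" % b for b in mac), password
        idx = payload.find(sync, idx + 1)
    return None


def build_magic_packet(mac_str, password=b""):
    """Construct a magic packet for a MAC given as aa:bb:cc:dd:ee:ff."""
    mac = bytes.fromhex(mac_str.replace(":", "").replace("-", ""))
    if len(mac) != 6:
        raise ValueError("MAC must be 6 bytes")
    return b"\xff" * 6 + mac * 16 + password
```

Run against a packet capture of UDP port 7 or 9, `parse_magic_packet` tells you which MAC someone tried to wake; with the box already up the packet is dropped by the default WAN rules as the reply says, and the parser shows there is no command or data field for anything beyond the wake.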
Re: [pfSense-discussion] can't filter on transparent bridge
On Sat, Sep 13, 2008 at 8:46 AM, Eugen Leitl <[EMAIL PROTECTED]> wrote:
>
> I can't get an 1.2.1-RC1 full with two NICs (VIA mini ITX) to filter traffic
> using http://pfsense.trendchiller.com/transparent_firewall.pdf
>
> No rules either in WAN or LAN, to the bridge must block
> everything -- but doesn't. No change when I define explicit
> blocking rules for everything.
>

There are some default rules on LAN, like the anti-lockout rule that could be passing the traffic. You can disable that on the Advanced page. That's the only one I can think of offhand that would pass traffic, though LAN is a bit special in 1.2x and there could be something else I'm not thinking of offhand.

Note the "enable filtering bridge" checkbox does nothing in 1.2.1 and should have done nothing in 1.2. In 1.2, turning that on actually can create some weird problems with filtering in some circumstances. That's a hold over from the way m0n0wall does things, and should have been removed when we switched to if_bridge. If you're running bridging on 1.2, I recommend leaving that disabled. It adds rules to the bridge itself, when the bridge should never have rules. The member interfaces get rules added, and you want to filter on both the member interfaces and not the bridge itself.
Re: [pfSense-discussion] weird openVPN behaviour
Mark Dueck wrote:
Hi everyone,

I am troubleshooting a VPN that I'm creating between 2 businesses. I am not sure if it has to do with the VPN, or the actual link instability. The link is a wireless that currently is quite unstable, but traffic can still go through at 100 kbps. Not really usable, but I'm working on making the wireless more stable.

Situation: 2 networks linked via routed openVPN. Wan IP addresses are 172.27.200.x and sites are at 10.20.30.x and 192.168.0.x -- I know that one is not the best, but it's out of my control to change.

Now when I ping from one network to the next, my ping times continuously increase, while at the same time I'm pinging the 172.27.200.x at the other site, and its ping times are normal.

Pinging through VPN:

PING 192.168.0.250 (192.168.0.250) 56(84) bytes of data.
64 bytes from 192.168.0.250: icmp_seq=1 ttl=62 time=839 ms
64 bytes from 192.168.0.250: icmp_seq=2 ttl=62 time=1310 ms
64 bytes from 192.168.0.250: icmp_seq=3 ttl=62 time=1766 ms
64 bytes from 192.168.0.250: icmp_seq=4 ttl=62 time=2206 ms
64 bytes from 192.168.0.250: icmp_seq=5 ttl=62 time=2700 ms
64 bytes from 192.168.0.250: icmp_seq=6 ttl=62 time=3150 ms
64 bytes from 192.168.0.250: icmp_seq=7 ttl=62 time=3651 ms
64 bytes from 192.168.0.250: icmp_seq=8 ttl=62 time=4069 ms
64 bytes from 192.168.0.250: icmp_seq=9 ttl=62 time=4548 ms

it keeps on going up to 17000ms or even more.

Pinging VPN server at other site:

PING 172.27.200.2 (172.27.200.2): 56 data bytes
64 bytes from 172.27.200.2: icmp_seq=0 ttl=64 time=136.973 ms
64 bytes from 172.27.200.2: icmp_seq=1 ttl=64 time=5.015 ms
64 bytes from 172.27.200.2: icmp_seq=2 ttl=64 time=9.780 ms
64 bytes from 172.27.200.2: icmp_seq=3 ttl=64 time=7.119 ms
64 bytes from 172.27.200.2: icmp_seq=4 ttl=64 time=15.883 ms
64 bytes from 172.27.200.2: icmp_seq=5 ttl=64 time=5.063 ms
64 bytes from 172.27.200.2: icmp_seq=6 ttl=64 time=8.558 ms
64 bytes from 172.27.200.2: icmp_seq=7 ttl=64 time=11.865 ms
64 bytes from 172.27.200.2: icmp_seq=8 ttl=64 time=7.440 ms

These ping times as you can see are almost normal. The wireless has several retries during this time already.

When I scp a file directly to the vpn server, it goes through, but as soon as I do it over the VPN, it dies within 200k of transfers.

Can someone shed some light on this? Is ssl traffic so sensitive to packet loss, or packet sequence that it would cause this?

Are you using TCP or UDP for the OpenVPN connection? If it's TCP this would be expected, tunneling TCP over TCP is problematic when there is packet loss, not related to the encryption protocol. Using UDP it should function no differently than a connection between the same two endpoints outside the OpenVPN tunnel. You shouldn't use TCP in most cases for any VPN, unless it's desirable for reasons like TCP 80 or 443 usually making it through every firewall and proxy.
Re: [pfSense-discussion] hardware
On Thu, Jul 31, 2008 at 1:44 AM, Mark Dueck <[EMAIL PROTECTED]> wrote:
>
> Throughput will be minimal. From 512Kbps to 2Mbps max. I guess my biggest
> concern is stability. I have lab tested the Soekris 4801 with openVPN to
> have throughput of up to 3MB/s, so it should be fine for these locations,
> but I'm just a little unsure of a 'business critical' decision and wanted
> some input.
>

I would probably go with ALIX hardware for such a deployment. I get the ALIX hardware I use from netgate.com and would recommend them. That'll push about 75 Mb of throughput, and about 10-12 Mb of VPN traffic based on numbers I have heard from others. I haven't had a chance to test max throughput on any of mine yet, they're definitely more than adequate for what you're looking to do and give you a good deal of scalability for the future.
Re: [pfSense-discussion] hardware
On Thu, Jul 31, 2008 at 12:35 AM, Mark Dueck <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I got an opportunity today to provide a business with 5 locations with a
> VPN solution. My intention is to use pfSense with openVPN, but I'm not
> sure of the hardware. Should I go with a Soekris board, or a minibox?
> Or go for the cheapest Dell rack mount server?
>

What kind of Internet throughput and VPN throughput is required?

See also: http://www.pfsense.org/index.php?option=com_content&task=view&id=52&Itemid=49
Re: [pfSense-discussion] DNS resolver test
I encourage everyone to read this post and ensure they are protected.

http://blog.pfsense.org/?p=220

In short: there is nothing to update on pfSense itself, however you may wish to make some configuration changes as detailed in the post.