RE: [pfSense Support] Incorrect System Log Order/Logging Bug?
>2011/7/13 Jim Pingle <li...@pingle.org>:
>On 7/9/2011 9:17 PM, Dimitri Rodis wrote:
>> The system is and has been set to -8 (I am Pacific Daylight Time, USA), and
>> hasn't been re/booted since the first boot on that build--and I have
>> reported this issue back in RC1 and it still appears to be an issue. It
>> almost looks as if the check_reload_status (among a couple of others that
>> haven't shown up in the log yet) specifically always logs with the wrong
>> timestamp.
>Are you actually using the GMT +/- zone or a named zone such as
>America/Los_Angeles?
>
>http://www.timeanddate.com/worldclock/
>
>;-)

See screen snip below.

[attached screenshot: image001.png]
RE: [pfSense Support] Incorrect System Log Order/Logging Bug?
>On Fri, Jul 8, 2011 at 4:26 PM, Vick Khera wrote:
>> On Fri, Jul 8, 2011 at 1:06 PM, Dimitri Rodis wrote:
>>>
>>> I have my log set to show newest on top, and the log is "mostly" in
>>> order, but notice how there are some entries that are in the middle
>>> of this screenshot that are "newer" than everything else. (The
>>> problem is that Jul 8 15:12:29 has not yet happened in my time zone,
>>> it is only shortly after 10AM here..)
>>
>> What's your offset to GMT? I'll guess +5. If the process started
>> before the timezone was set, then you will see stuff like this. Same
>> if you alter the timezone after the process is started.
>> They do not re-read the timezone file ever.
>>
>
>This. If you want everything to be on the right timezone you have to reboot
>after setting it (or restart the services individually), that's always been
>the case. The logs show in the order they were logged, with the timestamp of
>the process doing the logging.
>

The system is and has been set to -8 (I am Pacific Daylight Time, USA), and hasn't been re/booted since the first boot on that build--and I have reported this issue back in RC1 and it still appears to be an issue. It almost looks as if the check_reload_status (among a couple of others that haven't shown up in the log yet) specifically always logs with the wrong timestamp.

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com
Commercial support available - https://portal.pfsense.org
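The thread above explains the symptom: syslog writes lines in arrival order, but a process that started before the timezone was changed keeps stamping with its old offset, so its entries look "newer" than everything around them. The following is an added example (not from the list or from pfSense) that parses syslog-style lines of the form the thread describes and reports which process is logging ahead of the clock and which entries therefore appear out of order; the log lines, hostname and the reference time NOW are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# BSD syslog line: "Mon  D HH:MM:SS host proc[pid]: message" (pid is optional).
LOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<proc>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# Constructed sample, in the order syslogd wrote it (oldest first). The box is
# at roughly 10:15 local time; check_reload_status stamps about five hours ahead.
SAMPLE_LOG = """\
Jul  8 10:02:11 firewall php: /status_services.php: Starting OpenVPN
Jul  8 15:07:02 firewall check_reload_status: Reloading filter
Jul  8 10:03:40 firewall dhcpd: DHCPACK on 192.0.2.20 to 00:11:22:33:44:55
Jul  8 15:12:29 firewall check_reload_status: Syncing firewall
Jul  8 10:09:55 firewall sshd[1234]: Accepted publickey for admin from 192.0.2.5
""".splitlines()

# Constructed: the local wall-clock time at which the log was read.
NOW = datetime(2011, 7, 8, 10, 15, 0)


def parse_line(line, year):
    """Return (timestamp, process, message) or None if the line is not syslog-shaped.
    Syslog omits the year, so the caller supplies it."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']} {year}", "%b %d %H:%M:%S %Y")
    return ts, m["proc"], m["msg"]


def find_skewed_processes(lines, now, tolerance=timedelta(minutes=5)):
    """Map each process whose stamps lie in the future (beyond `tolerance` past `now`)
    to its apparent offset in whole hours. The most recent offending entry is the
    closest to the true offset, so the maximum per process is reported."""
    ahead = defaultdict(list)
    for line in lines:
        parsed = parse_line(line, now.year)
        if parsed is None:
            continue
        ts, proc, _ = parsed
        if ts > now + tolerance:
            ahead[proc].append((ts - now).total_seconds() / 3600)
    return {proc: round(max(hours)) for proc, hours in ahead.items()}


def out_of_order_entries(lines, now, tolerance=timedelta(minutes=5)):
    """Indices of lines whose timestamp is earlier than the preceding line's by more
    than `tolerance`. In a log written in arrival order this only happens when some
    writer stamps with a different offset, which is the symptom in the thread."""
    flagged, prev = [], None
    for idx, line in enumerate(lines):
        parsed = parse_line(line, now.year)
        if parsed is None:
            continue
        ts = parsed[0]
        if prev is not None and ts < prev - tolerance:
            flagged.append(idx)
        prev = ts
    return flagged


if __name__ == "__main__":
    print("skewed:", find_skewed_processes(SAMPLE_LOG, NOW))
    print("out of order:", out_of_order_entries(SAMPLE_LOG, NOW))
```

The per-process result points at which daemon needs restarting (or the box rebooting) after a timezone change, as the replies above recommend.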
[pfSense Support] Incorrect System Log Order/Logging Bug?
2.0-RC3 (i386) built on Mon Jun 27 13:31:27 EDT 2011

Can anyone else confirm what appears to be either a bug in the logging with respect to the timestamps or a bug in the sorting of the log entries? (I don't know which)

I have my log set to show newest on top, and the log is "mostly" in order, but notice how there are some entries that are in the middle of this screenshot that are "newer" than everything else. (The problem is that Jul 8 15:12:29 has not yet happened in my time zone, it is only shortly after 10AM here..)

[attached screenshot: image001.png]

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com
[pfSense Support] NAT Reflection Broken in recent builds
Just put a new FW in production a day and a half/two days ago (it was a few days old from a fresh flash to CF.. pfSense-2.0-RC1-2g-i386-20110519-1115-nanobsd.img) and I got the following message in a browser when folks were trying to hit sites hosted internally using NAT reflection: nc: getaddrinfo: hostname nor servname provided, or not known So yesterday I went ahead and told the thing to just upgrade to the latest build hoping that the problem would be resolved (the latest build showed RC2-yay), but it was not fixed, so I have reverted to my previous CF card which has the following build in which reflection seems to work properly for me (except for reflection on 1:1 which has always been flaky for me, but the websites/SMTP servers work flawlessly) 2.0-RC1 (i386) built on Mon Mar 14 17:33:11 EDT 2011 I can still potentially access anything on the newer build for debugging/troubleshooting purposes if someone needs it since I have a spare unit that I can boot the CF on.. Thanks, Dimitri Rodis Integrita Systems LLC http://www.integritasystems.com
RE: [pfSense Support] COM-port Watchguard Firebox X500 with 2.0-RC1
>Do you know if this is a special Firebox problem or a more general one?
>AFAIR FreeBSD supports the Realtek 8139C+ since version 5.2 or so.
>Should this driver still have problems with this chip or is this a problem
>only on this special machine?
>
>Thanks
>Markus

The support has been present, but that doesn't mean the support is flawless. The problem is with the 8139C+ chip. I wouldn't be surprised if the problems with the re driver have something to do with the way the console is behaving. In my experience, the console once again begins to respond (for awhile anyway) if I get the re driver to watchdog timeout on the firebox (strange, right?). You wouldn't think they are related, but I have made this happen a number of times this way so it looks more like a correlation than a coincidence to me.

I have resigned myself to putting it aside until I can get a hardware sample to Pyun. I don't think the support for 8139C+ will ever be 100% (I'd take 99%) until this happens.

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com
RE: [pfSense Support] COM-port Watchguard Firebox X500 with 2.0-RC1
>>> Executing rc.d items...
>>> Starting /usr/local/etc/rc.d/*.sh...done.
>>> Bootup complete
>>
>> ... and now we should see the login command shell.
>
>And what happens if you press return a couple of times at this point?
>
>-jim

I hate to break it to you guys, but this has been an issue for quite a while in the 2.0 builds (8-9 months now). Not quite sure what started it happening, but I did experience this behavior way back then, and still do when I try the builds on it every now and then. Even if you get the console to work, you are still going to get watchdog timeouts on the NICs of this unit, which is something that I have been working with the driver maintainer on for quite some time in order to try and fix. Ideally, if someone in South Korea can donate a device (or someone that can send a device to South Korea) with a Realtek 8139C+ chip on it (like a Firebox X500, X700, X1000, or X2500) that is what it's going to take to fix the Realtek driver problem.

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com
[pfSense Support] Incorrect Sort on 2.0-RC1
2.0-RC1 (i386) built on Mon Mar 14 17:33:11 EDT 2011

Log sorting is set to newest first, however, the log sort is "randomly incorrect" (see screen snippet). I didn't see anything in redmine, thought I would check here first..

[attached screenshot: image001.png]

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com
RE: [pfSense Support] Traffic that is explicitly allowed occasionally blocked
>No, those are RSTs and FINs coming after the state is closed, expected
>behavior.
>http://doc.pfsense.org/index.php/Logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection,_why%3F

Ok, but unless I'm misunderstanding, I am not logging packets blocked by the default rule, so why would this be logged? And how do I know which rule was applied to this traffic like in the screenshot above?

[attached screenshot: image001.png]
[pfSense Support] Traffic that is explicitly allowed occasionally blocked
2.0-BETA5 (i386) built on Mon Feb 21 15:43:32 EST 2011

I am seeing the above occur maybe once a day or once every other day, but the source IP address is in an alias that is a list of aliases (and that list contains my mail server aliases). Whenever I see this, I manually try to telnet to the same IP on port 25 and the traffic is passed, yet the mail server shows a failed connection attempt in the logs which coincides with the firewall log as above.

I have a rule that explicitly allows port tcp/25 as a destination from my inbound mail servers alias group, and then there is a rule right beneath that rule that explicitly blocks outbound SMTP from all IP addresses on the subnet, and I have logging turned on for that rule. So, the rule beneath the one that should be triggered is being triggered instead. Is there a Bug/Race condition in rule evaluation??

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com
RE: [pfSense Support] pfSense 2.0, upgrade to this morning's snap problem
On Mon, Jan 24, 2011 at 7:42 PM, Dimitri Rodis wrote:
> After an upgrade to this morning's snap, I received the following
> after the upgrade/reboot (it's what's on my PuTTY atm):
>
> > Syncing OpenVPN settings...done.
> > Starting syslog...done.
> > Configuring firewall..done.
> > Starting PFLOG...done.
> > Setting up gateway monitors...done.
> > Synchronizing user settings...done.
> > Starting webConfigurator...done.
> > Configuring CRON...done.
> > Starting OpenNTP time client...done.
> > Starting DHCP service...done.
> > Starting DNS forwarder...done.
> > Configuring firewall..done.
> > kernel trap 12 with interrupts disabled
> >
> > Fatal trap 12: page fault while in kernel mode
> > cpuid = 0; apic id = 00
> > fault virtual address = 0x8
> > fault code = supervisor read, page not present
> > instruction pointer = 0x20:0xc094d130
> > stack pointer = 0x28:0xc27d1b84
> > frame pointer = 0x28:0xc27d1ba4
> > code segment= base 0x0, limit 0xf, type 0x1b
> > = DPL 0, pres 1, def32 1, gran 1
> > processor eflags= resume, IOPL = 0
> > current process = 11 (swi4: clock)
> > trap number = 12
> > panic: page fault
> > cpuid = 0
> > Uptime: 25s
> > Cannot dump. Device not defined or unavailable.
> > Automatic reboot in 15 seconds - press a key on the console to abort
> > --> Press a key on the console to reboot,
> > --> or switch off the system now.
>
>If you have a bridge setup please upgrade to the 2nd next snapshot.
>
>--
>Ermal

I did have ports bridged on this device, yes. For some reason, the device would still not boot even if I booted back to the original slice using the boot menu on the console---I ended up having to reflash my CF card and then it booted (but the config is still default). Then again, I don't know that I rebooted ever since I configured the bridge.

Thanks Ermal.
[pfSense Support] pfSense 2.0, upgrade to this morning's snap problem
After an upgrade to this morning's snap, I received the following after the upgrade/reboot (it's what's on my PuTTY atm):

Syncing OpenVPN settings...done.
Starting syslog...done.
Configuring firewall..done.
Starting PFLOG...done.
Setting up gateway monitors...done.
Synchronizing user settings...done.
Starting webConfigurator...done.
Configuring CRON...done.
Starting OpenNTP time client...done.
Starting DHCP service...done.
Starting DNS forwarder...done.
Configuring firewall..done.
kernel trap 12 with interrupts disabled

Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address = 0x8
fault code = supervisor read, page not present
instruction pointer = 0x20:0xc094d130
stack pointer = 0x28:0xc27d1b84
frame pointer = 0x28:0xc27d1ba4
code segment= base 0x0, limit 0xf, type 0x1b
= DPL 0, pres 1, def32 1, gran 1
processor eflags= resume, IOPL = 0
current process = 11 (swi4: clock)
trap number = 12
panic: page fault
cpuid = 0
Uptime: 25s
Cannot dump. Device not defined or unavailable.
Automatic reboot in 15 seconds - press a key on the console to abort
--> Press a key on the console to reboot,
--> or switch off the system now.
[pfSense Support] Traffic Graph accurate--but not the host list
pfSense 2.0, most recent builds When I go to status/traffic graph, the graph is correct but the list of hosts is not. I don't know if there's something I'm not doing, but here's what I did to test it: Put a windows machine (my laptop) on the LAN interface, and plug the WAN into my internal network. I connected to my file server from the laptop, and copied 10 GB of data from the file server to the laptop. When I did, the graph showed 98Mb of traffic fairly consistently, but the host list never showed more than a few kb of traffic for my laptop, and on the WAN side it never showed the file server's ip address at all. It almost looks like the host list is only looking at traffic directed to pfSense itself as opposed to through that particular interface. Anyone else confirm? Dimitri Rodis Integrita Systems LLC http://www.integritasystems.com
[pfSense Support] Bootup Complete - but no console
Running latest build of 2.0 on a Firebox x500 (just flashed 2 hours ago), totally clean. The box boots up and works fine--assigned LAN and WAN interfaces, no problem. The box responds to console input until you get to "Bootup complete", and you never get the console menu. Webconfigurator works-- if you ssh in to the box and log in, you get the console menu-- but you never get it on the COM console, and the COM console does not respond to keyboard input of any kind, but that's the only thing that doesn't work, the box seems to be usable besides this. Odd... Any reasons why this might be?

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com
[pfSense Support] Alias Renaming Issue
pfSense 2.0-BETA5 (i386) built on Wed Jan 19 12:45:14 EST 2011

I created a NAT rule with a linked firewall rule using a port alias that I called OWA_PORTS. After creating the rule I decided to rename the port alias to PORTS_WEBSERVER. When I did, the alias was renamed in the NAT rule properly, but it was not updated in the linked firewall rule, and now in the log I see:

php: : filter_generate_address: OWA_PORTS is not a valid source port.

Opening up the NAT rule and just hitting "save" again did cause the firewall rule to update (as a workaround)--but you first have to notice that your stuff doesn't work ;)

Anyone else see this?

Dimitri Rodis
http://www.integritasystems.com
RE: [pfSense Support] 1:1 NAT Entry issue - Bug or mistake?
On Thu, Jan 20, 2011 at 9:28 PM, Dimitri Rodis wrote:
> pfSense 2.0-BETA5 (i386) built on Wed Jan 19 12:45:14 EST 2011
>
> When I try to use an alias in the Internal IP field (suppose the alias
> was ) I receive the following error upon saving (or trying to save):
>
> The following input errors were detected:
> is not a valid internal IP address
>
> I know in <2.0 you could not use aliases in the 1:1 fields, but in
> this version the boxes are RED, implying that aliases are allowed. I
> don't know if this is a bug or just a mistake (in formatting the
> fields RED) but in any event it looks like something needs to be fixed
> or changed. I did not try using an Alias in the External Subnet IP field,
> although it is RED also.
>
>That's correct, the fields shouldn't be red though, I just fixed that.
>Aliases aren't supported in binat in pf.

Even if binat doesn't support them, they could theoretically be "resolved" via code prior to updating the rules in 2.1 :)
[pfSense Support] 1:1 NAT Entry issue - Bug or mistake?
pfSense 2.0-BETA5 (i386) built on Wed Jan 19 12:45:14 EST 2011 When I try to use an alias in the Internal IP field (suppose the alias was ) I receive the following error upon saving (or trying to save): The following input errors were detected: is not a valid internal IP address I know in <2.0 you could not use aliases in the 1:1 fields, but in this version the boxes are RED, implying that aliases are allowed. I don't know if this is a bug or just a mistake (in formatting the fields RED) but in any event it looks like something needs to be fixed or changed. I did not try using an Alias in the External Subnet IP field, although it is RED also. Anyone else see this? Dimitri Rodis http://www.integritasystems.com
RE: [pfSense Support] Testing 2.0 - What is the upgrade and downgrade process for Daily snapshots?
>Hi Everyone,
>
>Just loaded a nanobsd image of pfSense 2.0 onto a CF card for Alix board. I
>have only used v1.2.3 in the past and I never used the internet to upgrade it.
>In fact, I am under the impression that v1.2.3 is the latest and there are no
>upgrades to it.
>
>I am wondering if there is a nice and easy way of upgrading 2.0 to the new
>daily snapshots or to downgrade a day or two back?
>
>Thanks,

When you flash an image appropriate to the size of the CF you are using, there are two partitions that are flashed (slices). When you upgrade, it upgrades the slice you aren't using with the new version, and if that doesn't work, you can use the gui to boot off of the old slice. Very nice and easy.

Dimitri
[pfSense Support] pfSense Beta 5 - upgrade/reboot issue
The last 3-4 upgrades that I've done using nano are not automatically rebooting after the upgrade is complete, even though it says it is on the console (and last night I left it to see if it eventually would, and it did not and I logged in this morning). The following is literally a cut and paste from the console window (other than the ip address).

---
Broadcast Message from r...@firewall2.integritasystems.com
(no tty) at 16:31 PST...

NanoBSD Firmware upgrade is complete. Rebooting in 10 seconds.

Message from sysl...@firewall2 at Jan 12 10:05:37 ...
firewall2 php: /index.php: Successful webConfigurator login for user 'admin' from x.x.x.x
---

Using the console option to reboot does nothing. I have to drop to shell and issue shutdown -r now before it reboots. This is a 2g nano image that has been upgraded several times since beta 4 (I have pretty much been upgrading it every day for testing), and it has done this since Monday. FreeRADIUS is the only package installed and there is really no config to speak of as this is just for testing.

Dimitri
RE: [pfSense Support] 2.0 B5 Update Breaks Web GUI - 08-Jan-2011 15:37
>Hi,
>
>I upgraded 2.0 B5 last night and it seems to have broken the web Gui. All my
>tunnels are up and the command line works fine.
>
>Thanks,
>
>--
>Mark Street, D.C., RHCE
>Chief Technology Officer
>Alliance Medical Center
>(707) 433-5494

If you reboot does the WebGUI start working again?

Dimitri
RE: [pfSense Support] CARP IP/Hyper-V/Hyper-V R2
>On Mon, Nov 15, 2010 at 9:57 PM, Evgeny Yurchenko wrote:
>>
>> I do not know a lot about Hyper-v but in VMWare for instance you can
>> block frames with 'faked' mac-addresses. Probably you hit the same
>> problem as CARP-packets have MAC-addresses 'not real' but specifically crafted.
>
>I'm sure that's exactly the problem, something in hyper-v changed to block/break that. Better to ask on a Microsoft forum why you can no longer use two MAC addresses on the same host.
>

For what it's worth, I figured this out a few days back thanks to Evgeny's hint. On the virtual NICs on the Virtual Machine itself in Hyper-V R2, there is a checkbox labeled "Allow MAC Address Spoofing" (or something close to that). Checking that box allows the CARP addresses to work fine.
RE: [pfSense Support] CARP IP/Hyper-V/Hyper-V R2
On 10-11-15 09:22 PM, Dimitri Rodis wrote:

I recently migrated a pfSense virtual machine (version 1.2.2) that was running flawlessly on Hyper-V (first release) with 2 additional CARP IP addresses on the WAN interface for about 16 months. Over the weekend, I migrated that virtual machine over to a Hyper-V R2 machine, and all was well except that the 2 additional CARP IPs do not respond to traffic (although traffic to/from/in/out of the WAN's actual IP works fine). After rebooting nearly every piece of equipment between the servers and the ISP, the only thing that made the CARP IPs work again was migrating the virtual machine back to the original Hyper-V (non-R2) host.

Any ideas on why CARP IPs wouldn't work on Hyper-V R2? Is there something since 1.2.2 that might change this?

Thanks,
Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com

I do not know a lot about Hyper-v but in VMWare for instance you can block frames with 'faked' mac-addresses. Probably you hit the same problem as CARP-packets have MAC-addresses 'not real' but specifically crafted. Weird thing though in your e-mail is that you mention only one virtual machine... do you use CARP-IPs with one pfSense? if yes then why would you need such set up?

Evgeny.

I have several public IPs from the ISP, and need to use each of them for different purposes (SSL/TCP-443 for different sites & services). I use CARP addresses for the rest of the IPs I've been given-then if I get the opportunity to add redundancy, they are already set up that way. Obviously the point is that the additional CARP addresses don't seem to function at all when pfSense is run under Hyper-V R2 as opposed to Hyper-V R1, and I am hoping to resolve that issue so that the old server can be formatted and upgraded and added to the cluster.. FWIW, both hosts are Dell PowerEdge 2900s *identically* configured, with the only exception currently being the amount of RAM,
[pfSense Support] CARP IP/Hyper-V/Hyper-V R2
I recently migrated a pfSense virtual machine (version 1.2.2) that was running flawlessly on Hyper-V (first release) with 2 additional CARP IP addresses on the WAN interface for about 16 months. Over the weekend, I migrated that virtual machine over to a Hyper-V R2 machine, and all was well except that the 2 additional CARP IPs do not respond to traffic (although traffic to/from/in/out of the WAN's actual IP works fine). After rebooting nearly every piece of equipment between the servers and the ISP, the only thing that made the CARP IPs work again was migrating the virtual machine back to the original Hyper-V (non-R2) host.

Any ideas on why CARP IPs wouldn't work on Hyper-V R2? Is there something since 1.2.2 that might change this?

Thanks,
Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com
RE: [pfSense Support] CARP and NAT problems
If the port forwards are on the WAN addresses themselves, to my knowledge they will not fail over. My understanding is that all "addresses" (and port forwards) that you intend to survive a failover must be on CARP addresses.

Dimitri Rodis
Integrita Systems LLC

-Original Message-
From: Justin The Cynical [mailto:cyni...@penguinness.org]
Sent: Sunday, May 30, 2010 10:56 PM
To: support@pfsense.com
Subject: [pfSense Support] CARP and NAT problems

Greetings.

I finally set up a failover box for CARP. And so far, everything seems to be working fine, with one minor detail.

WAN IP range: .65 - .96
.66 - .68 are setup as CARP
.65 and .69 are the WAN interfaces
Port forwards on .65 and .69

The problem: When this was a single machine, I had port forwards set up on all the IP's, and everything was peachy. However, now with multiple machines, the port forwards on the WAN interfaces will work, depending on the machine that is active.

Take a port forward from .65 to internal address (master)
Take a port forward from .69 to internal address (backup)

The port forward to .65 works, but the .69 does not. If the machines failover (.69 becomes the active machine), the forward for .69 works, but the .65 does not. When .65 comes back up as the active box, the forward on .69 stops working. And since I don't have the WAN addresses as a VIP, this also breaks AON for the mentioned IP's.

Last time I looked, I was told that the WAN addresses were usable for IB/OB NAT, but it appears this is not the case, or I'm missing something.

Any suggestions on where to look or any words of wisdom?

Thank you,
Justin
RE: [pfSense Support] Wierd CARP problem
On Thu, Apr 22, 2010 at 7:51 PM, Dimitri Rodis wrote:
>>
>> I would really like to see this work reliably at some point. From what I can
>> tell, this problem is not limited to just Fireboxes, it is on pretty much
>> all NICs that have RTL8139C+ chips on them.
>>
>
>There is something specific about the Fireboxes (and some other
>scenarios), but the re(4) driver isn't always that problematic. I have
>at least two boxes that function normally even under heavy load with
>such cards.

Yes, the re(4) driver is considered stable-- but it depends on which Realtek chip you're talking about. The RTL8139C+ chip specifically has (and has had) this problem since 6.x from what I can tell, and there were/are apparently a number of things that were causing timeouts. A good portion of those issues have been fixed by Pyun over the last couple of years (which have reduced the occurrence of timeouts with RTL8139C+ chips--this I can personally attest to), but there are some other "undiscovered" cases where they still occur. I am also willing to put more time into testing/fixing it, but when the maintainer of the driver itself cries uncle, I'm not going to twist his arm unless I have something that makes sense for him to change (and I am out of ideas). What he believes is that there is some undocumented change (or bug) in that chip that we wouldn't have any hope of fixing without an engineer from Realtek. So, if anyone has any connections, the entire "FreeBSD-Realtek-RTL8139C+-using" community would likely thank you. Profusely even :)
RE: [pfSense Support] Wierd CARP problem
>On Mon, Apr 19, 2010 at 6:56 PM, Hans Maes wrote:
>>
>> Although it is definitely related to the type of NIC's in the watchguard
>> boards, I'm still not completely convinced this is 100% a hardware problem
>> since the Watchguard Linux OS seems to work just fine on it. Sounds more
>> like a FreeBSD driver problem to me, and therefore not directly related to
>> pfsense.
>>
>
>It's not a hardware problem any more than the countless workarounds
>already in the Realtek drivers for hardware bugs are hardware
>problems, it's likely just yet another quirk in a different
>implementation of the same chipset that isn't worked around in
>FreeBSD. It's most likely a hardware quirk with a software work around
>that doesn't exist in FreeBSD (7.2 at least).

I have put in quite a bit of time into getting this to work, along with Pyun YongHyeon, the current maintainer of the Realtek driver(s) in FreeBSD. He has sent me several patches and has had me set several other options, and I repeatedly flashed new pfSense builds and tested the changes (he and I were at this for about a month). While his initial changes made a big difference and greatly reduced the watchdog timeouts, we could never completely eliminate them. Before I became involved, the problem was much, much worse than it is today. However, Pyun ran out of ideas and needed to move on to other things (understandably). We were working against 8 prior to its release.

I would really like to see this work reliably at some point. From what I can tell, this problem is not limited to just Fireboxes, it is on pretty much all NICs that have RTL8139C+ chips on them.

>
>> Has anyone tested pfsense 2.0 on these fireboxes ?
>> Since it is based on a newer version of FreeBSD, maybe an updated NIC driver
>> solves these issues ?
>>
>
>If anyone has any interest in putting in the time to help get it
>fixed, that's where I would start, and post any problems to the
>freebsd-net list. 2.0 is based on RELENG_8, what will become 8.1.
RE: [pfSense Support] Redirect to Captive Portal is not working
Stupid question--- the pfSense box is (still) the gateway address for your network, right?

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com

-Original Message-
From: apiase...@midatlanticbb.com [mailto:apiase...@midatlanticbb.com]
Sent: Thursday, June 11, 2009 5:42 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Redirect to Captive Portal is not working

Try another PC? I've seen issues where pop-up blockers, all kinds of Anti-whatever stuff, will prevent it. After all, you're being redirected to a page you didn't type in.. I would think a reinstall would have fixed any issue with the software being corrupt.

Adam

Atkins, Dwane P wrote:
>
> We are experiencing an issue where the redirection has stopped working
> for Captive Portal. WE have a series of pfsense devices set up the
> same way and this one just decided to stop.
>
> Yesterday, we upgraded to 1.2.3 RC1 to see if that corrected the
> issue. I also removed and reinstalled all the CP pages. Neither
> fixed the issue.
>
> Does anyone have anything we can look at on the device? We can http
> into both inside and outside interfaces with no issues. We do get a
> DHCP address served from the pfSense device.
>
> Any help would be appreciated.
>
> Dwane
RE: [pfSense Support] Re: Can't get more than 15kpps.
My understanding is that Giant lock is gone from the FreeBSD network stack in 8:
http://unix.derkeiler.com/Mailing-Lists/FreeBSD/arch/2009-04/msg00075.html

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com

-Original Message-
From: Bill Marquette [mailto:bill.marque...@gmail.com]
Sent: Wednesday, May 13, 2009 4:13 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Re: Can't get more than 15kpps.

On Wed, May 13, 2009 at 10:25 AM, Bill McIlhargey Jr wrote:
> Sounds like over kill for pfsense! :D
>
> Message sent from my iPhone
>
> Bill McIlhargey Jr
> COMPUTERONIX, LLC
> 978.500.5936
> supp...@compute-ronix.com
> www.compute-ronix.com

It's only overkill if you don't need the horsepower...with that said, pfSense isn't going to scale anywhere near linearly given PF being under the Giant lock, although it will scale a bit with more cores.

--Bill
RE: [pfSense Support] Captive Portal Question
We use the switches in a client's executive office suite buildings. We needed a way to provide internet access on a per-suite basis, and we needed to provide public addresses on an as-needed basis (if they had a mail server, for example). We had a previous solution in place, but it was about 8-9 years old, and required manual intervention when tenants move from suite to suite (which happens a lot in these buildings).

So our new (15-month-old at this point) setup has 3 vlans on the switches: "private unauthenticated", "private authenticated", and "public authenticated". ("private" and "public" refer to the address spaces in use on the vlans). As part of that setup, we use mac-based authentication on the HP switches. So, a client (aka tenant) can be plugged into any port on the switch, and the FreeRADIUS package from pfSense can provide authentication and VLAN assignments to the switch, and the switch will use the RADIUS information to put them on the correct VLAN automatically. For any client that does not authenticate, the switch throws them on the "private unauthenticated" vlan, and then the client cannot get on the internet without authenticating with the pfsense captive portal (the custom captive portal page pretty much says "hey, you aren't getting on the internet unless you pay the landlord more $$. If you want access, call up xxx and give them this mac address: xx:xx:xx:xx:xx:xx"). If their mac address is present in FreeRADIUS, then they get put on whatever vlan is assigned them from the vlan box. The "private authenticated" vlan is a private address space vlan that is NATted to the internet, and the "public authenticated" vlan is directly on the internet.

In order to keep clients from seeing each other on the "private authenticated" vlan (basically this vlan is for tenants that have a single pc with no router), we add the following to each client entry in the "Additional RADIUS Options" box:

HP-Nas-Filter-Rule = "permit in ip from any to 172.20.1.1",
HP-Nas-Filter-Rule += "deny in ip from any to 172.20.1.0/24",
HP-Nas-Filter-Rule += "permit in ip from any to 0.0.0.0/0"

This permits the clients to talk to the gateway and the rest of the internet, but not to any other machine on the same subnet.

I don't know how much of this applies to your setup, but to sum up this solution, unauthenticated clients get put on a vlan that can't get on the internet (they can, but are "stopped" by a custom captive portal page from pfSense that tells them what to do), and authenticated clients get put on vlans that can freely access the internet. In your case, you might just need to use FreeRADIUS along with some switch ACLs (in the "Additional RADIUS Options" box) to allow/limit/prevent internet access.

Hopefully that made some sense. It's a bit tough to describe without seeing it! :)

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com

-Original Message-
From: Tim Dressel [mailto:tjdres...@gmail.com]
Sent: Friday, May 08, 2009 9:07 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Captive Portal Question

Hi folks,

Just an update. I built a new machine from the ground up today. Took a backup from the old machine, and just copied and pasted the 300+ mac-bypass entries into the new config file. Everything is working well, and as expected.

I'm interested though Dimitri on the switch issue. I'm connected entirely to new managed HP 2848's and 2510G-48's and I have great LAN performance. Are you doing something directly with your switches as far as authentication goes, or did you just include the switches for completeness?

Finally, I'd appreciate any feedback out there on installs with counts on mac bypass entries topping a 1000 count. I am considering tying together several of my networks and would like to know what the upper end on the captive portal looks like.

Thanks!

On Fri, May 8, 2009 at 1:33 AM, Dimitri Rodis wrote:
> We have a pfSense setup with the FreeRADIUS package that authenticates folks
> that plug in to HP 3500yl and 2626 switches-- the set up is for a few
> executive office suite buildings that are linked together by fiber and all
> share a single 10Mb symmetric connection to the internet. 0 problems for
> about 15 months now--still running on 1.2-release. If you have some good
> managed switches, that's the way to do it IMHO.
>
> Dimitri Rodis
> Integrita Systems LLC
> http://www.integritasystems.com
>
> -Original Message-
> From: RB [mailto:aoz@gmail.com]
> Sent: Thursday, May 07, 2009 3:16 PM
> To: support@pfsense.com
> Subject: Re: [pfSense Support] Captive Portal Question
>
> On Thu, May 7, 2009 at 15:55, Tim Dressel wrote:
>> 1.
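As an added illustration (not code from the thread, FreeRADIUS or HP), the following simulates the first-match evaluation a switch applies to the three HP-Nas-Filter-Rule lines above and shows that putting the subnet deny ahead of the gateway permit would cut a tenant off from its gateway. The parser only understands the `permit|deny in ip from any to <dst>` shape used in the post, and the destination addresses tested are constructed.

```python
"""First-match check for the HP-Nas-Filter-Rule list in the post above.

Added example, not code from the original thread, FreeRADIUS or HP. The
parser only understands the 'permit|deny in ip from any to <dst>' shape
used in the post; the destination addresses tested below are constructed.
"""
import ipaddress

# The three rules exactly as the post puts them in each tenant's
# "Additional RADIUS Options" box (the RADIUS attribute wrapper dropped).
TENANT_RULES = [
    "permit in ip from any to 172.20.1.1",
    "deny in ip from any to 172.20.1.0/24",
    "permit in ip from any to 0.0.0.0/0",
]

# The same three rules with the gateway permit after the subnet deny: a
# mistake that still "looks right" but blocks the gateway, because the
# broader deny matches first.
MISORDERED_RULES = [TENANT_RULES[1], TENANT_RULES[0], TENANT_RULES[2]]


def parse_rule(rule):
    """'deny in ip from any to 172.20.1.0/24' -> ('deny', IPv4Network)."""
    parts = rule.split()
    if len(parts) != 7 or parts[1:6] != ["in", "ip", "from", "any", "to"]:
        raise ValueError(f"unsupported rule shape: {rule!r}")
    action = parts[0]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in rule: {rule!r}")
    # A bare host address becomes a /32; strict=False tolerates host bits.
    return action, ipaddress.ip_network(parts[6], strict=False)


def evaluate(rules, dst):
    """Return 'permit' or 'deny' for an inbound packet to destination dst.

    Rules are tried top to bottom and the first destination match wins;
    a packet matching nothing falls through to an implicit deny.
    """
    addr = ipaddress.ip_address(dst)
    for rule in rules:
        action, net = parse_rule(rule)
        if addr in net:
            return action
    return "deny"


def isolation_report(rules, gateway, subnet, sample_internet_host):
    """Summarise whether a rule list gives the isolation the post wants:
    gateway reachable, other hosts on the subnet not, the internet reachable.
    """
    net = ipaddress.ip_network(subnet)
    # Pick a neighbour on the subnet that is not the gateway address.
    neighbour = next(h for h in net.hosts() if str(h) != gateway)
    return {
        "gateway": evaluate(rules, gateway),
        "neighbour": evaluate(rules, str(neighbour)),
        "internet": evaluate(rules, sample_internet_host),
    }


def is_isolated(rules, gateway, subnet, sample_internet_host):
    """True when the report matches the intended permit/deny/permit pattern."""
    report = isolation_report(rules, gateway, subnet, sample_internet_host)
    return report == {"gateway": "permit", "neighbour": "deny", "internet": "permit"}


if __name__ == "__main__":
    # 198.51.100.10 is a documentation address standing in for "the internet".
    for name, rules in (("as posted", TENANT_RULES), ("misordered", MISORDERED_RULES)):
        print(name, isolation_report(rules, "172.20.1.1", "172.20.1.0/24", "198.51.100.10"))
```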
RE: [pfSense Support] Captive Portal Question
I'm drafting a reply. Be done shortly.

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com

-Original Message-
From: Tim Dressel [mailto:tjdres...@gmail.com]
Sent: Friday, May 08, 2009 11:11 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Captive Portal Question

I agree completely. What we were using it for is all our wired clients and wireless *were* on the same internal lan. The captive portal was enabled on the LAN interface. All wired clients had mac-bypass entries, and the wireless clients had to get past the captive portal. What I'm thinking is that I will have to investigate some sort of rogue detection, or maybe network access protection for the wired clients, and then completely separate the wireless traffic on another interface.

I'm still interested though in anyone out there with large numbers of mac-bypass entries. Any takers?

Cheers,

P.S. Chris/PFsense team, I am consistently impressed by this product. You guys do very good work, and my team and I appreciate your efforts immensely. The coding is important, but the community support is above and beyond!

On Fri, May 8, 2009 at 10:25 PM, RB wrote:
> On Fri, May 8, 2009 at 22:06, Tim Dressel wrote:
>> Finally, I'd appreciate any feedback out there on installs with counts
>> on mac bypass entries topping a 1000 count. I am considering tying
>> together several of my networks and would like to know what the upper
>> end on the captive portal looks like.
>
> The captive portal's default configuration is to filter users by MAC
> address. The main difference between that and what you're doing is
> that the MAC entries are made dynamically each time a user logs in.
> That said, I have run a pair of Dell 2660s (dual 2GHz, 2GB) in that
> default configuration over a high-churn environment with several
> thousand unique clients per day with no ill effect.
>
> My concern was not whether pfSense could handle the number of entries,
> but mainly administrative overhead. Maintaining a list of even 100
> MACs is terribly cumbersome, especially considering how trivial
> MAC-only authentication is to bypass. Additionally, some of pfSense's
> GUI components just don't scale well - there are some diagnostic pages
> (DHCP status, CP status, ARP tables, etc.) that I've just become
> accustomed to not using if the client count is over a couple hundred.
>
> Check your system's RRD graphs during the slowdown - if your states,
> queues, or CPU aren't pegged, pfSense is likely not the culprit.
RE: [pfSense Support] Captive Portal Question
We have a pfSense setup with the FreeRADIUS package that authenticates folks that plug in to HP 3500yl and 2626 switches-- the set up is for a few executive office suite buildings that are linked together by fiber and all share a single 10Mb symmetric connection to the internet. 0 problems for about 15 months now--still running on 1.2-release. If you have some good managed switches, that's the way to do it IMHO.

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com

-Original Message-
From: RB [mailto:aoz@gmail.com]
Sent: Thursday, May 07, 2009 3:16 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Captive Portal Question

On Thu, May 7, 2009 at 15:55, Tim Dressel wrote:
> 1. What is the limitation on the number of mac-bypass entries? And is
> what I am seeing expected with 300 entries?

I'm sure someone will chime in with the precise ipfw limitation, but this is mostly going to be dependent on your system's performance specs - memory & CPU.

> 2. If I should not be doing this with 300 clients, is anyone using
> another FOSS product to do MAC authenticated control outbound from
> their firewall?

Possibly, but [as I hope you know] MAC filtering only keeps honest people honest, it is in no way any form of authentication. At that number of unique users, you may be better served by setting up an actual RADIUS server to do proper authentication and AAA instead of manually maintaining tables.
RE: [pfSense Support] Attention Firebox X Series Users - Testing Needed
Currently, we have a couple of people (including myself just Monday) that were able to reproduce watchdog timeouts on these units, although they seem to be significantly reduced relative to previous builds. I am still working with Pyun to try and get the issue resolved. Of course, we won't know that it's fully resolved without people willing to beat these units up after patches make their way into builds, so the more people we have, the better. Folks interested in trying to narrow the remaining issues down should follow (and post) on the forum, here: http://forum.pfsense.org/index.php/topic,15669.0.html

Thanks,

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com

-Original Message-
From: Joshua Schmidlkofer [mailto:joshl...@gmail.com]
Sent: Tuesday, April 28, 2009 8:23 PM
To: support@pfsense.com; j...@pax2cargo.com
Subject: Re: [pfSense Support] Attention Firebox X Series Users - Testing Needed

On 4/18/09 11:17 AM, Dimitri Rodis wrote:
> Attention Firebox X500/700/1000 Users using pfSense:
>
> Watchdog timeouts getting you down? Thinkin' about throwin' that old
> Firebox in to the fireplace? Don't do that just yet!
>
> Thanks to the pfSense devs, along with Pyun YongHyeon, the maintainer for
> the FreeBSD Realtek network driver, it appears that we may have solved the
> issue with the watchdog timeouts on the Realtek 8139C+ chips that are used
> in these units. For the past couple of days, I have worked with Pyun, and
> yesterday Pyun sent me a patch, and that patch was committed to the 1.2.3
> snapshot builds, as well as to the 2.0 alpha snapshot builds by the pfSense
> devs, and is part of any snapshot build as of yesterday (4/17) at 2pm
> Eastern time, or later.
>
> Snapshot builds can be downloaded from
> http://snapshots.pfsense.org/FreeBSD7/RELENG_1_2/
> or
> http://snapshots.pfsense.org/FreeBSD7/HEAD/
>
> I have been testing a build with this patch since yesterday, and have yet to
> see a single watchdog timeout on my interfaces--and no modifications to
> loader.conf have been made. This is a default install--no special options
> have been set anywhere.
>
> If at all possible, please try to install a recent snapshot build on your
> firebox units (those of you that have them) and test this patch. If you do
> still receive watchdog timeouts, please let me know either on this list, or
> off-list. Either way, please try to detail what you were doing when the
> watchdog timeout occurred so that we can try to reproduce it, and Pyun can
> fix it.
>
> Thanks to all that have helped, and thanks to those that are willing to
> test!
>
> Dimitri Rodis
> Integrita Systems LLC
> http://www.integritasystems.com

HOT! We are so looking into this. We have 5 watchguards which we can use for this project, and I hate the idea of them collecting dust. Count us IN!
RE: [pfSense Support] Attention Firebox X Series Users - Testing Needed
Unfortunately, they aren't completely gone. I've been able to consistently get watchdog timeouts on 1.2.3 since Monday (including the official RC1 released yesterday) by simply browsing the web interface on the LAN side (I usually use re2) using Internet Explorer 7 (all I ever do is just click between options in the GUI, and I get them after 10-15 clicks). The patch that was put in definitely helped, though (a lot). I'm still working with Pyun (the maintainer of the FreeBSD Realtek driver) on a solution.

I have yet to reproduce watchdog timeouts on 2.0, however, although one person has reported that 2.0 gives him timeouts (see http://forum.pfsense.org/index.php?topic=15669). I don't yet have an explanation as to why I get timeouts in 1.2.3 and not in 2.0, but I'm working on figuring out why.

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com

-Original Message-
From: Tim Nelson [mailto:tnel...@fudnet.net]
Sent: Thursday, April 23, 2009 7:43 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Attention Firebox X Series Users - Testing Needed

Well, I threw the latest 1.2.3-RC1 on a CF card and booted up my X500. I've been passing all sorts of traffic through it (WAN and OPT1 bridge) with no pauses in traffic or watchdog timeouts. My traffic has been anything from netperf tests TCP and UDP, raw FTP traffic, random web browsing, and some very heavy bittorrent traffic (latest Ubuntu released today :-) ). In fact, I've run some of those tests concurrently. Thus far, after saturating the 100mbit link through the bridge for nearly 4 hours, I've yet to see a problem. I can post any additional information you need, just let me know.

This X500 is 100% stock with the exception of the CF card. The 64MB CF was a bit small so it was replaced with a Sandisk 256MB I had lying around.

Out of curiosity, what is the largest DIMM these units will accept? They come with 256MB which seems a bit light. I'd like to throw a 1GB stick in if possible.

--Tim

Dimitri Rodis wrote:
> Attention Firebox X500/700/1000 Users using pfSense:
>
> Watchdog timeouts getting you down? Thinkin' about throwin' that old
> Firebox in to the fireplace? Don't do that just yet!
>
> Thanks to the pfSense devs, along with Pyun YongHyeon, the maintainer
> for the FreeBSD Realtek network driver, it appears that we may have
> solved the issue with the watchdog timeouts on the Realtek 8139C+ chips
> that are used in these units. For the past couple of days, I have worked
> with Pyun, and yesterday Pyun sent me a patch, and that patch was
> committed to the 1.2.3 snapshot builds, as well as to the 2.0 alpha
> snapshot builds by the pfSense devs, and is part of any snapshot build
> as of yesterday (4/17) at 2pm Eastern time, or later.
>
> Snapshot builds can be downloaded from
> http://snapshots.pfsense.org/FreeBSD7/RELENG_1_2/
> or
> http://snapshots.pfsense.org/FreeBSD7/HEAD/
>
> I have been testing a build with this patch since yesterday, and have
> yet to see a single watchdog timeout on my interfaces--and no
> modifications to loader.conf have been made. This is a default
> install--no special options have been set anywhere.
>
> If at all possible, please try to install a recent snapshot build on
> your firebox units (those of you that have them) and test this patch.
> If you do still receive watchdog timeouts, please let me know either on
> this list, or off-list. Either way, please try to detail what you were
> doing when the watchdog timeout occurred so that we can try to reproduce
> it, and Pyun can fix it.
>
> Thanks to all that have helped, and thanks to those that are willing to
> test!
>
> Dimitri Rodis
> Integrita Systems LLC
> http://www.integritasystems.com
RE: [pfSense Support] 1.2.3-RC1 released!
Tim,

See http://forum.pfsense.org/index.php?topic=15669 if you have issues with the Firebox. I'm collecting as much data as I can from those that are having issues.

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com

-Original Message-
From: Tim Nelson [mailto:tnel...@fudnet.net]
Sent: Wednesday, April 22, 2009 8:37 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] 1.2.3-RC1 released!

THANK YOU!!!

--Tim

Chris Buechler wrote:
> Info here: http://blog.pfsense.org/?p=428
RE: [pfSense Support] Can captive portal authenticate based on windows login
Not to get too far OT, but whenever I have a machine that doesn't have the ISA firewall client, I get credential prompts with ISA (when it's configured for specific user/group access lists, etc).

From the Firewall Client for ISA Server Download:
http://www.microsoft.com/downloads/details.aspx?FamilyID=05C2C932-B15A-4990-B525-66380743DA89&displaylang=en

"...Firewall Client sends user information transparently with each request, enabling you to create a firewall policy on the ISA Server computer with rules that use the authentication credentials presented by the client."

I'd use pfSense any day of the week over ISA, even if it meant they had to use credential prompts. Bottom line: if eliminating credential prompts is an absolute must, ISA can do it for sure. pfSense, not yet ;)

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com

-Original Message-
From: cbuech...@gmail.com [mailto:cbuech...@gmail.com] On Behalf Of Chris Buechler
Sent: Tuesday, April 21, 2009 3:35 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Can captive portal authenticate based on windows login

On Tue, Apr 21, 2009 at 3:46 PM, Dimitri Rodis wrote:
> Microsoft Internet Security and Acceleration Server (ISA Server), and you
> need to have AD.
>
> I've used it, but only in this particular case. I do not know of anything in
> the open source world that works reliably specifically the way you want it
> to. (That is not to say that nothing exists, I just may not know about it).
> With respect to ISA, there is a client installation (aka Firewall Client)
> that is required to make the authentication transparent--without it, it
> would work just like pfSense would-- with RADIUS against AD, and the user
> would have to enter credentials manually.
>

Not exactly, so long as you're using IE it'll pass through credentials automatically. The firewall client is so you don't have to configure all your applications to use a proxy, it automatically picks up any traffic not destined to your internal networks (as defined in ISA) and pushes it through the proxy. Works well in the environments I use it.

ISA is a good proxy. I personally don't like it as a perimeter firewall, and it can be buggy (2006 is much better than 2004 and 2000, though still quirky at times), but its proxy functionality in a Windows environment is great. The reverse proxy is also nice if you use OWA and/or OMA with Exchange.
RE: [pfSense Support] Can captive portal authenticate based on windows login
Single Sign-on (aka one set of credentials) is one thing, the captive portal's ability to automatically _receive_ (and authenticate) the credentials from the requesting client/browser is another. Unless I'm misunderstanding, Ryan wants to get rid of the username/password prompt from the captive portal, and have the "current" windows logon credentials automatically pass to the captive portal, which is currently not possible with pfSense-- ISA Server is the only thing I know of that does this.

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com

-Original Message-
From: Jim Pingle [mailto:li...@pingle.org]
Sent: Tuesday, April 21, 2009 1:18 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Can captive portal authenticate based on windows login

Ryan wrote:
>> Without seeing the CP screen, automatically logging them in with Windows
>> credentials, no. You can authenticate them on the CP screen with RADIUS
>> using their Windows credentials to IAS on a Windows Server DC (if you're
>> using AD).
>
> I kinda thought that was the case. Thank you for your help Chris. Do you
> know of anything that might do this?

I don't know if the Captive Portal can be coerced to support LDAP or Kerberos, but I have heard of people achieving a single sign-on type setup with Squid that way.

Jim
RE: [pfSense Support] Can captive portal authenticate based on windows login
Microsoft Internet Security and Acceleration Server (ISA Server), and you need to have AD.

I've used it, but only in this particular case. I do not know of anything in the open source world that works reliably specifically the way you want it to. (That is not to say that nothing exists, I just may not know about it). With respect to ISA, there is a client installation (aka Firewall Client) that is required to make the authentication transparent--without it, it would work just like pfSense would-- with RADIUS against AD, and the user would have to enter credentials manually.

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com

-Original Message-
From: Ryan [mailto:radiote...@aaremail.com]
Sent: Tuesday, April 21, 2009 11:50 AM
To: support@pfsense.com
Subject: RE: [pfSense Support] Can captive portal authenticate based on windows login

> Without seeing the CP screen, automatically logging them in with Windows
> credentials, no. You can authenticate them on the CP screen with RADIUS
> using their Windows credentials to IAS on a Windows Server DC (if you're
> using AD).

I kinda thought that was the case. Thank you for your help Chris. Do you know of anything that might do this?
RE: [pfSense Support] Attention Firebox X Series Users - Testing Needed
Forum link: http://forum.pfsense.org/index.php/topic,15669.0.html

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com

-Original Message-
From: cbuech...@gmail.com [mailto:cbuech...@gmail.com] On Behalf Of Chris Buechler
Sent: Saturday, April 18, 2009 11:33 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Attention Firebox X Series Users - Testing Needed

On Sat, Apr 18, 2009 at 2:17 PM, Dimitri Rodis wrote:
> Attention Firebox X500/700/1000 Users using pfSense:
>

Glad to hear that looks like it fixes it. There's at least one thread on the forum reporting this issue as well, might want to post to those threads too to give those folks a heads up.

> Watchdog timeouts getting you down? Thinkin' about throwin' that old
> Firebox in to the fireplace? Don't do that just yet!
>
> Thanks to the pfSense devs, along with Pyun YongHyeon, the maintainer for
> the FreeBSD Realtek network driver, it appears that we may have solved the
> issue with the watchdog timeouts on the Realtek 8139C+ chips that are used
> in these units. For the past couple of days, I have worked with Pyun, and
> yesterday Pyun sent me a patch, and that patch was committed to the 1.2.3
> snapshot builds, as well as to the 2.0 alpha snapshot builds by the pfSense
> devs, and is part of any snapshot build as of yesterday (4/17) at 2pm
> Eastern time, or later.
>
> Snapshot builds can be downloaded from
> http://snapshots.pfsense.org/FreeBSD7/RELENG_1_2/
> or
> http://snapshots.pfsense.org/FreeBSD7/HEAD/
>
> I have been testing a build with this patch since yesterday, and have yet to
> see a single watchdog timeout on my interfaces--and no modifications to
> loader.conf have been made. This is a default install--no special options
> have been set anywhere.
>
> If at all possible, please try to install a recent snapshot build on your
> firebox units (those of you that have them) and test this patch. If you do
> still receive watchdog timeouts, please let me know either on this list, or
> off-list. Either way, please try to detail what you were doing when the
> watchdog timeout occurred so that we can try to reproduce it, and Pyun can
> fix it.
>
> Thanks to all that have helped, and thanks to those that are willing to
> test!
>
> Dimitri Rodis
> Integrita Systems LLC
> http://www.integritasystems.com
[pfSense Support] Attention Firebox X Series Users - Testing Needed
Attention Firebox X500/700/1000 Users using pfSense:

Watchdog timeouts getting you down? Thinkin' about throwin' that old Firebox in to the fireplace? Don't do that just yet!

Thanks to the pfSense devs, along with Pyun YongHyeon, the maintainer for the FreeBSD Realtek network driver, it appears that we may have solved the issue with the watchdog timeouts on the Realtek 8139C+ chips that are used in these units. For the past couple of days, I have worked with Pyun, and yesterday Pyun sent me a patch, and that patch was committed to the 1.2.3 snapshot builds, as well as to the 2.0 alpha snapshot builds by the pfSense devs, and is part of any snapshot build as of yesterday (4/17) at 2pm Eastern time, or later.

Snapshot builds can be downloaded from
http://snapshots.pfsense.org/FreeBSD7/RELENG_1_2/
or
http://snapshots.pfsense.org/FreeBSD7/HEAD/

I have been testing a build with this patch since yesterday, and have yet to see a single watchdog timeout on my interfaces--and no modifications to loader.conf have been made. This is a default install--no special options have been set anywhere.

If at all possible, please try to install a recent snapshot build on your firebox units (those of you that have them) and test this patch. If you do still receive watchdog timeouts, please let me know either on this list, or off-list. Either way, please try to detail what you were doing when the watchdog timeout occurred so that we can try to reproduce it, and Pyun can fix it.

Thanks to all that have helped, and thanks to those that are willing to test!

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com
RE: [pfSense Support] VMware ESXi - Protect all VM's with pfSense VM in Bridge Mode - HELP!
There is a promiscuous mode on the vSwitches. That setting might need to be adjusted.

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com

-Original Message-
From: Tim Nelson [mailto:tnel...@fudnet.net]
Sent: Thursday, April 16, 2009 9:01 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] VMware ESXi - Protect all VM's with pfSense VM in Bridge Mode - HELP!

Apparently I wasn't missing anything. I rebooted the pfSense VM and walked away for a while and now all is well. I suspect an ARP or other layer two issue after introducing the bridge and moving the VM nics over to vSwitch1. Thanks for all your help! :-)

--Tim

On Thu, 16 Apr 2009 10:42:24 -0500, Tim Nelson wrote:
> Greetings all-
>
> I've got a beefy machine running VMware ESXi with a handful of hosts. I'd
> like to protect those hosts with a pfSense VM in bridge mode. Here is my
> vSwitch configuration:
>
> vSwitch0
> -vmnic0 (Physical NIC 0)
> -OUTSIDE_FW (VM Port Group)
>    *TBRIDGE (pfSense WAN)
> -VMkernel Port (Management Network)
>
> vSwitch1
> -vmnic1 (Physical NIC 1 - Unplugged)
> -INSIDE_FW (VM Port Group)
>    *TBRIDGE (pfSense LAN - Bridged to WAN)
>    *VM_1
>    *VM_2
>    *VM_etc...
>
> I've setup "ALLOW ALL from ALL to ALL protocol ALL" rules on both
> interfaces and also enabled promiscuous mode on the vSwitches. However, I'm
> not getting any traffic flowing. It's incredibly bizarre.
>
> What am I missing?
>
> --Tim
RE: [pfSense Support] Possible Outbound NAT Bug in 1.2.3 Snapshot?
I put that in also-- like I said it didn't take effect until I rebooted. If the rule wasn't there, it wouldn't matter how many times I rebooted :)

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com

-Original Message-
From: Kimmo Paasiala [mailto:kpaas...@gmail.com]
Sent: Friday, April 10, 2009 9:00 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Possible Outbound NAT Bug in 1.2.3 Snapshot?

I think you're missing a firewall rule on LAN interface that would do the actual policy routing to the cable connection for http(s). Remember that outbound nat rules do not say where the traffic should go but rather how it should be natted when it goes out via the specified interface after routing decision is made.

Hope this helps.
RE: [pfSense Support] CARP Bug in 1.2.3
Good deal. I'll go to a later snapshot then. Are upgrades between snapshots on embedded working at the moment, or should I just reflash?

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com

-Original Message-
From: Scott Ullrich [mailto:sullr...@gmail.com]
Sent: Thursday, April 09, 2009 11:37 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] CARP Bug in 1.2.3

On Thu, Apr 9, 2009 at 1:57 PM, Dimitri Rodis wrote:
> The snapshot I'm using is dated April 1.. that's a couple of days after the
> hackathon, I believe. Any idea when the xmlparse.inc from HEAD was removed?

You were affected then. It was removed for causing various problems such as these.

Scott
RE: [pfSense Support] CARP Bug in 1.2.3
The snapshot I'm using is dated April 1.. that's a couple of days after the hackathon, I believe. Any idea when the xmlparse.inc from HEAD was removed?

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com

-Original Message-
From: Scott Ullrich [mailto:sullr...@gmail.com]
Sent: Thursday, April 09, 2009 10:17 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] CARP Bug in 1.2.3

On Thu, Apr 9, 2009 at 12:37 PM, Dimitri Rodis wrote:
> I think this is more obscure than you think-- this is on a snapshot build,
> so how many people have 1) run a 1.2.3 snapshot, 2) _had_ a redundant CARP
> config, and then 3) removed the redundant member and 4) added some Outbound
> NAT rules and interface rules (which is what finally triggered the XMLRPC
> sync, and thus the error)?
>
> My guess is that people with redundant configs are probably not testing
> snapshot builds (or even production builds) in this manner. I don't know if
> this happens on previous builds, and you are probably going to say that the
> code hasn't changed, and that's very likely to be true if you say so--I'm
> just saying I think the bug is present, but obscure.
>
> Obviously if it happens it's easy enough to fix by downloading the config,
> deleting the duped sections and uploading the config again, but I would tend
> to think there's a bug in there somewhere, because like I said, I didn't
> dupe the section myself.

My guess would be that you installed a snapshot that contained xmlparse.inc from HEAD. Right around the hackathon time this was included but has since been removed.

Scott
RE: [pfSense Support] CARP Bug in 1.2.3
I think this is more obscure than you think-- this is on a snapshot build, so how many people have 1) run a 1.2.3 snapshot, 2) _had_ a redundant CARP config, and then 3) removed the redundant member and 4) added some Outbound NAT rules and interface rules (which is what finally triggered the XMLRPC sync, and thus the error)?

My guess is that people with redundant configs are probably not testing snapshot builds (or even production builds) in this manner. I don't know if this happens on previous builds, and you are probably going to say that the code hasn't changed, and that's very likely to be true if you say so--I'm just saying I think the bug is present, but obscure.

Obviously if it happens it's easy enough to fix by downloading the config, deleting the duped sections and uploading the config again, but I would tend to think there's a bug in there somewhere, because like I said, I didn't dupe the section myself.

Dimitri Rodis
Integrita Systems LLC

-Original Message-
From: Scott Ullrich [mailto:sullr...@gmail.com]
Sent: Thursday, April 09, 2009 8:15 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] CARP Bug in 1.2.3

On Wed, Apr 8, 2009 at 11:31 PM, Dimitri Rodis wrote:
> Currently running:
>
> 1.2.3-RC1
> built on Wed Apr 1 16:59:10 EDT 2009
>
> Changed the CARP config-- had a redundant member that I removed, so I shut
> pfsync off. However, I kept getting messages along the top that XMLRPC sync
> was failing. I checked, and it was disabled--so, I unchecked absolutely
> everything and saved and rebooted, but the errors persisted.
>
> I think I found the problem. I downloaded my config file and had a look.
> Check out the following section:
>
> [config excerpt: the element names were not preserved by the archive, only the values]
>
> opt3
>
> on
> opt3
> on on on on on on
> on on on
> on
> 172.19.0.2
> xx
>
> on
> opt3
> on on on on on on
> on on on
> on
> on
> 172.19.0.3
> x
>
> Shouldn't only be in there once? Looks like it added
> another section it each time I tried to change/save it,
> and it's only using the last one.
>
> Bug or user error?
>
> Dimitri Rodis
> Integrita Systems LLC
> http://www.integritasystems.com

Doubt it's a bug or we would be seeing a lot more of this.

Scott
RE: [pfSense Support] Possible Outbound NAT Bug in 1.2.3 Snapshot?
Nope, using embedded.

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com

-----Original Message-----
From: cbuech...@gmail.com [mailto:cbuech...@gmail.com] On Behalf Of Chris Buechler
Sent: Wednesday, April 08, 2009 8:30 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Possible Outbound NAT Bug in 1.2.3 Snapshot?

On Wed, Apr 8, 2009 at 11:12 PM, Dimitri Rodis wrote:
> Currently running:
>
> 1.2.3-RC1
> built on Wed Apr 1 16:59:10 EDT 2009
>
> In addition to a fiber connection at this particular location, there is also a second connection brought in via a cable modem. The fiber connection is intended to serve the incoming connections to web servers, mail servers, etc. The second cablemodem connection is intended for web browsing and other misc traffic, as to not bog down the fiber so much.
>
> So, I added an outbound NAT so that traffic originating from the LAN side destined to port 80 would use the interface address of the cable connection. Initially, this did not work as expected-- until I rebooted pfSense. Web traffic did pass, but it was not NATTing to the correct address--I verified by browsing to http://www.whatismyip.com, and until I rebooted pfSense, it did not report the correct address. So, I tried it again with port 443 (whatismyip supports SSL :). Sure enough, it reported the old IP address until I rebooted pfSense again.
>
> I don't remember having this problem before--why would I need to reboot for this to take effect? And yes, I did completely close the browser so that an existing state wouldn't be reused.
>
> Bug?

Unlikely, Outbound NAT hasn't changed in a long time. Any packages installed?
[pfSense Support] CARP Bug in 1.2.3
Currently running:

1.2.3-RC1
built on Wed Apr 1 16:59:10 EDT 2009

Changed the CARP config-- had a redundant member that I removed, so I shut pfsync off. However, I kept getting messages along the top that XMLRPC sync was failing. I checked, and it was disabled--so, I unchecked absolutely everything and saved and rebooted, but the errors persisted.

I think I found the problem. I downloaded my config file and had a look. Check out the following section:

opt3 on opt3 on on on on on on on on on on 172.19.0.2 xx on opt3 on on on on on on on on on on on 172.19.0.3 x

Shouldn't only be in there once? Looks like it added another section each time I tried to change/save it, and it's only using the last one.

Bug or user error?

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com
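The symptom in this thread (a section saved twice in config.xml, with only the last copy taking effect) can be checked for before re-uploading a hand-edited config. The script below is an added example, not pfSense code: the sample document is constructed, and its section name `syncsettings` and field names are placeholders rather than pfSense's real schema; only the interface name and the two sync IPs come from the thread.

```python
"""Detect, and optionally collapse, duplicated top-level sections in a
pfSense-style config.xml. Added example; the XML below is constructed."""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample: the same section written twice by a buggy save,
# the copies differing only in the sync peer address.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <system><hostname>fw1</hostname></system>
  <syncsettings>
    <pfsyncinterface>opt3</pfsyncinterface>
    <synctoip>172.19.0.2</synctoip>
  </syncsettings>
  <syncsettings>
    <pfsyncinterface>opt3</pfsyncinterface>
    <synctoip>172.19.0.3</synctoip>
  </syncsettings>
</pfsense>
"""


def duplicate_sections(root):
    """Return {tag: count} for each direct child tag that occurs more than once."""
    counts = Counter(child.tag for child in root)
    return {tag: n for tag, n in counts.items() if n > 1}


def effective_section(root, tag):
    """A dict-style parse keeps only the last element of a given tag, which is
    why the thread saw 'only the last one' being used. Return that element."""
    last = None
    for child in root:
        if child.tag == tag:
            last = child
    return last


def check_config(xml_text):
    """Report duplicated top-level sections and which copy would take effect."""
    root = ET.fromstring(xml_text)
    report = {}
    for tag, n in duplicate_sections(root).items():
        winner = effective_section(root, tag)
        report[tag] = {"count": n, "effective_synctoip": winner.findtext("synctoip")}
    return report


def collapse_duplicates(xml_text):
    """Keep only the last copy of each duplicated section (the copy the firewall
    was already using) and return (new_xml, number_of_copies_removed)."""
    root = ET.fromstring(xml_text)
    removed = 0
    for tag in duplicate_sections(root):
        copies = [child for child in root if child.tag == tag]
        for extra in copies[:-1]:
            root.remove(extra)
            removed += 1
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    print(check_config(SAMPLE_CONFIG))
    fixed, n = collapse_duplicates(SAMPLE_CONFIG)
    print(f"removed {n} duplicate section(s); remaining: {check_config(fixed)}")
```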
[pfSense Support] Possible Outbound NAT Bug in 1.2.3 Snapshot?
Currently running:

1.2.3-RC1
built on Wed Apr 1 16:59:10 EDT 2009

In addition to a fiber connection at this particular location, there is also a second connection brought in via a cable modem. The fiber connection is intended to serve the incoming connections to web servers, mail servers, etc. The second cablemodem connection is intended for web browsing and other misc traffic, as to not bog down the fiber so much.

So, I added an outbound NAT so that traffic originating from the LAN side destined to port 80 would use the interface address of the cable connection. Initially, this did not work as expected-- until I rebooted pfSense. Web traffic did pass, but it was not NATTing to the correct address--I verified by browsing to http://www.whatismyip.com, and until I rebooted pfSense, it did not report the correct address. So, I tried it again with port 443 (whatismyip supports SSL :). Sure enough, it reported the old IP address until I rebooted pfSense again.

I don't remember having this problem before--why would I need to reboot for this to take effect? And yes, I did completely close the browser so that an existing state wouldn't be reused.

Bug or user error?

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com
RE: [pfSense Support] pfSense gets RFC1918 address on WAN interface after reboot
The easiest way to see if it's something from the ISP's side is to boot up your pfSense with the WAN plugged into a switch _all by itself_, or boot up with a loopback adapter plugged into the WAN port. If it boots up and doesn't get an IP when it's set up like this, then it's something from the ISP.

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com

From: Karl Fife [mailto:karlf...@gmail.com]
Sent: Friday, April 03, 2009 10:51 PM
To: support@pfsense.com
Subject: [pfSense Support] pfSense gets RFC1918 address on WAN interface after reboot

pfSense consistently has a 10.0.1.x address on the WAN interface after reboot (DHCP client). pfSense WAN interface gets REAL public IP address only after explicit release/renew event. This happens every time. To the users it manifests as 'it doesn't work' after a reboot without administrator intervention.

Does anyone have any idea what could be going on here?

I configured pfSense as a 10.2/16 not a 10./8 because I routinely create PPTP tunnels to other 10.x /16 networks thinking that this configuration would give me proper routing. Perhaps that is not incorrect, and perhaps I have broken something by choosing 10.2 /16 instead of 10. /8.

I originally assumed that someone in my ISP's network had a rogue DHCP server occasionally filling my WAN interface's DHCP requests. Evidence against this theory is that pfSense only gets this 'bad' address on reboot, and it seems to happen 100% of the time, and I can NEVER replicate the problem with release/renew NOR can I replicate the problem with a modem-attached windows host even by trying hard (many times) to be issued a bad address by aforementioned theoretical ROGUE DHCP server.

A higher-up tech at my ISP mumbled some stuff about BSD DHCPD being known to issue addresses to itself if dhcpd is not configured 100% properly. I found this idea somewhat absurd because the 10.0.1.x address is not even in my subnet (10.2.x.x/16), neither do I see any noise about the DHCP transaction in the System Log. ALTHOUGH dhcpd IS configured to allocate leases between ..1.254 and ..1.1--so at least it's got the third octet right if indeed there's something wrong related to /16 vs /8 on a 10. network.

By the way, this happens with 1.2-Release AND with 1.2.2 (embedded on Soekris 5501).

Anybody know what's going on? Any help or pointers are MUCH appreciated!

Thank you!

-Karl Fife
[pfSense Support] RE: Load Balancer Using TCP
Given the log, I would say that they are set for TCP and not ICMP. On some versions of pfSense, I have noticed that the option box reverts to TCP from ICMP when you edit the service a second (or subsequent) time. Have another look--betcha it's set to TCP. Also, you might want to post what version of pfSense you are using :)

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com

From: Nathan Eisenberg [mailto:nat...@atlasnetworks.us]
Sent: Wednesday, April 01, 2009 9:10 PM
To: support@pfsense.com
Subject: [pfSense Support] Load Balancer Using TCP

Hello,

I have a load balancer with two web servers behind it. The web servers are to be monitored via ICMP. However, the servers frequently flap, and I see this message in the load balancer log:

Apr 1 21:06:57 slbd[56826]: TCP poll succeeded for 192.168.20.61:80, marking service UP
Apr 1 21:06:52 slbd[56826]: Service servicename changed status, reloading filter policy
Apr 1 21:06:52 slbd[56826]: TCP poll failed for 192.168.20.61:80, marking service DOWN

What's going on? :(

Best Regards
Nathan Eisenberg
Sr. Systems Administrator
Atlas Networks, LLC
supp...@atlasnetworks.us
http://support.atlasnetworks.us/portal
RE: [pfSense Support] AW: Firebox X series w/ 1.2 and 1.2.2 issue
So I put on 1.2.3 snapshot from earlier today, and threw the box into production. Didn't see a single watchdog timeout... browsed around in the web interface with Firefox, no problem. Downloaded a few files, watched people hit websites, etc. No problem. Then I whip open Internet Explorer and navigate to carp_status.php and the very second I hit that page, wouldn't you know:

0) Logout (SSH only)
1) Assign Interfaces
2) Set LAN IP address
3) Reset webConfigurator password
4) Reset to factory defaults
5) Reboot system
6) Halt system
7) Ping host
8) Shell
9) PFtop
10) Filter Logs
11) Restart webConfigurator
12) pfSense PHP shell
13) Upgrade from console
14) Enable Secure Shell (sshd)

Enter an option: re2: watchdog timeout
re2: watchdog timeout
re2: watchdog timeout
re2: watchdog timeout
re2: watchdog timeout
re2: watchdog timeout
re2: watchdog timeout

DOH!

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com

-----Original Message-----
From: Dimitri Rodis [mailto:dimit...@integritasystems.com]
Sent: Tuesday, March 31, 2009 9:55 PM
To: support@pfsense.com
Subject: RE: [pfSense Support] AW: Firebox X series w/ 1.2 and 1.2.2 issue

Woohoo! Didn't know you guys got this put in.. I'll test tomorrow or Thursday as time permits.

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com

-----Original Message-----
From: cbuech...@gmail.com [mailto:cbuech...@gmail.com] On Behalf Of Chris Buechler
Sent: Tuesday, March 31, 2009 8:49 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] AW: Firebox X series w/ 1.2 and 1.2.2 issue

On Tue, Mar 31, 2009 at 11:37 PM, Tim Nelson wrote:
> I've just acquired an X500 unit and after throwing boatloads of traffic through it, I haven't seen a single watchdog timeout. Two ports are connected to a switch and a third port to a workstation. I can send you any information on my config if you'd like for testing/comparison.
>

What version are you running on it?

1.2.3 snapshots as of this past Sunday have re(4) and rl(4) from FreeBSD 8-CURRENT per recommendations of the FreeBSD developer who maintains that code. It may not be an issue with snapshots since Sunday. Those who are seeing watchdog timeouts on re or rl cards should try a 1.2.3 snapshot.
RE: [pfSense Support] AW: Firebox X series w/ 1.2 and 1.2.2 issue
Woohoo! Didn't know you guys got this put in.. I'll test tomorrow or Thursday as time permits.

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com

-----Original Message-----
From: cbuech...@gmail.com [mailto:cbuech...@gmail.com] On Behalf Of Chris Buechler
Sent: Tuesday, March 31, 2009 8:49 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] AW: Firebox X series w/ 1.2 and 1.2.2 issue

On Tue, Mar 31, 2009 at 11:37 PM, Tim Nelson wrote:
> I've just acquired an X500 unit and after throwing boatloads of traffic through it, I haven't seen a single watchdog timeout. Two ports are connected to a switch and a third port to a workstation. I can send you any information on my config if you'd like for testing/comparison.
>

What version are you running on it?

1.2.3 snapshots as of this past Sunday have re(4) and rl(4) from FreeBSD 8-CURRENT per recommendations of the FreeBSD developer who maintains that code. It may not be an issue with snapshots since Sunday. Those who are seeing watchdog timeouts on re or rl cards should try a 1.2.3 snapshot.
RE: [pfSense Support] AW: Firebox X series w/ 1.2 and 1.2.2 issue
What version are you currently running? I have seen watchdog timeouts with 1.2 and 1.2.2. I have 2 units in a CARP cluster, and 5 of the interfaces are being used (2 WANs, although 1 of the WANs was not configured for the test, 2 LANs, and 1 dedicated sync interface). I have made various modifications to /boot/loader.conf which have reduced the watchdog timeouts, but they still show up. The behavior gets really weird when I have both units operating in a cluster..

Anyway, I think it might show up when you use more than 2 interfaces. Initial testing with just a LAN/WAN setup didn't appear to really have any issues.. then I added a second LAN and a dedicated sync interface for CARP and threw it into production, and it lasted about 10 minutes before it melted down with watchdog timeouts.

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com

-----Original Message-----
From: Tim Nelson [mailto:tnel...@rockbochs.com]
Sent: Tuesday, March 31, 2009 8:38 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] AW: Firebox X series w/ 1.2 and 1.2.2 issue

I've just acquired an X500 unit and after throwing boatloads of traffic through it, I haven't seen a single watchdog timeout. Two ports are connected to a switch and a third port to a workstation. I can send you any information on my config if you'd like for testing/comparison.

Tim Nelson
Systems/Network Support
Rockbochs Inc.
(218)727-4332 x105

> -----Original Message-----
> From: Andrew Cotter [mailto:andrew.cot...@somersetcapital.com]
> Sent: Friday, March 20, 2009 12:35 PM
> To: support@pfsense.com
> Subject: RE: [pfSense Support] AW: Firebox X series w/ 1.2 and 1.2.2 issue
>
> >From: Dimitri Rodis [mailto:dimit...@integritasystems.com]
> >Sent: Friday, 20 March 2009 18:27
> >To: support@pfsense.com
> >Subject: [pfSense Support] Firebox X series w/ 1.2 and 1.2.2 issue
> >
> > So, I have a pair of firebox x700 units that I have put new CF cards in. I have tried both 1.2-RELEASE and 1.2.2 (both embedded), and both behave the same way.
> >
> > On the serial console, I will see the following:
> > re4: watchdog timeout
> > re4: watchdog timeout
> > etc
> >
> > If I change the LAN interface to re1, the same thing happens, except on the serial console I will see:
> > re1: watchdog timeout
> > re1: watchdog timeout
> > ...etc
>
> I had a similar issue while I was working on a few X500/700 whatever boxes last week. I know people suggest that various low end switches produce this error, but I had no switch in the mix.
>
> I was going direct to a desktop and was getting it. It was a home made looking cable. As soon as I plugged in one of our prefab cables it went away. Try and switch out the ethernet cable.
>
> Let us know. I have 5 of these boxes in the corner of my office. 3 of which I am planning on deploying in the next two weeks.
>
> Andrew
RE: [pfSense Support] Router supporting multiple WAN IP Addresses.
The feature you are looking for is Virtual IPs (or CARP IPs).

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com

-----Original Message-----
From: Kipton Moravec [mailto:k...@kdream.com]
Sent: Sunday, March 29, 2009 9:08 PM
To: support@pfsense.com
Subject: [pfSense Support] Router supporting multiple WAN IP Addresses.

Forgive me if this is a stupid question, as I am new to this, but I have a DSL line with 5 static IP addresses. I want to use one WAN port to filter all 5 IP Addresses. I can not figure out how to set up the WAN port to accept address XXX.XXX.XXX.109 - XXX.XXX.XXX.113.

Right now I only have use for three of the static addresses. I have two computers that need to be seen at a static address for their function, and I want the router to shut off all ports that are not necessary for their operation. The third is a more typical NAT translation that it appears PF Sense was made for.

Do I need a different Ethernet card for each WAN IP Address? I have 6 cards as it is already, I do not have PCI slots for more.

What topic do I look up? Where do I find the documentation for this?

Thanks,
Kip

--
Kipton Moravec AE5IB .- . . .. -...
== Four Way Test
Is it the Truth?
Is it Fair to all concerned?
Will it build Goodwill and Better Friendships?
Will it be Beneficial to all concerned?
- Herbert J Taylor (1932)
RE: [pfSense Support] ACPI/APIC in loader.conf - watchdog timeouts
So, the hint.apic.0.disabled=1 seems to have _significantly_ reduced the watchdog timeouts, but they are not completely gone, and the ones that are happening now seem to happen somewhat randomly. Browsing through the GUI does not seem to cause issues any more. I will continue with the SMP kernel testing tomorrow.

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com

-----Original Message-----
From: cbuech...@gmail.com [mailto:cbuech...@gmail.com] On Behalf Of Chris Buechler
Sent: Monday, March 23, 2009 6:05 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] ACPI/APIC in loader.conf - watchdog timeouts

On Mon, Mar 23, 2009 at 1:02 AM, Dimitri Rodis wrote:
> Do you think this has any potential relevance to the firebox watchdog timeouts? Obviously I am going to test it and simply observe the results-- not too hard to reproduce the issue.
>

It could.

> Also, there was a suggestion that using an SMP kernel would alleviate the issue also. Given that this is a single core P3, I don't know what difference it will make (obviously the kernel locking mechanisms are different), but is there a way to easily swap the kernel on embedded with an SMP version (if it isn't already--I don't know what the default is for an embedded image since there isn't an "installer")?

Mount it rw (run /etc/rc.conf_mount_rw) and copy over the kernel from a full install. Then switch back to ro with /etc/rc.conf_mount_ro and reboot.
RE: [pfSense Support] ACPI/APIC in loader.conf - watchdog timeouts
Do you think this has any potential relevance to the firebox watchdog timeouts? Obviously I am going to test it and simply observe the results-- not too hard to reproduce the issue.

Also, there was a suggestion that using an SMP kernel would alleviate the issue also. Given that this is a single core P3, I don't know what difference it will make (obviously the kernel locking mechanisms are different), but is there a way to easily swap the kernel on embedded with an SMP version (if it isn't already--I don't know what the default is for an embedded image since there isn't an "installer")? Doing a full install on these fireboxes is pretty tough and requires some soldering (I believe) to get a keyboard header working, not to mention that you have to get the board completely out of the chassis to fit a video card on it.

Thanks Chris..

Dimitri Rodis
Integrita Systems LLC

-----Original Message-----
From: cbuech...@gmail.com [mailto:cbuech...@gmail.com] On Behalf Of Chris Buechler
Sent: Sunday, March 22, 2009 9:44 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] ACPI/APIC in loader.conf - watchdog timeouts

On Mon, Mar 23, 2009 at 12:38 AM, Dimitri Rodis wrote:
>
> hint.apic.0.disabled=1? I thought it was hint.acpi.0.disabled=1 (see http://doc.pfsense.org/index.php/Booting_Options, and also the forum posts regarding firebox installs)
>

APIC and ACPI are entirely different things. APIC is another one that can cause problems on some systems.

http://en.wikipedia.org/wiki/Advanced_Programmable_Interrupt_Controller
http://en.wikipedia.org/wiki/Advanced_Configuration_and_Power_Interface
[pfSense Support] ACPI/APIC in loader.conf - watchdog timeouts
So I just came across this little tidbit while searching for potential solutions to the re: watchdog timeout issue on the firebox installs that I have pfSense running on. Some folks suggest that the problem is due to an interrupt storm which can result in a partial/total system hang. While doing further research, I found this:

http://www.freebsd.org/doc/en/books/handbook/acpi-debug.html

Specifically:

--
11.16.3.3 System Hangs (temporary or permanent)

Most system hangs are a result of lost interrupts or an interrupt storm. Chipsets have a lot of problems based on how the BIOS configures interrupts before boot, correctness of the APIC (MADT) table, and routing of the System Control Interrupt (SCI).

Interrupt storms can be distinguished from lost interrupts by checking the output of vmstat -i and looking at the line that has acpi0. If the counter is increasing at more than a couple per second, you have an interrupt storm. If the system appears hung, try breaking to DDB (CTRL+ALT+ESC on console) and type show interrupts.

Your best hope when dealing with interrupt problems is to try disabling APIC support with hint.apic.0.disabled="1" in loader.conf.
--

hint.apic.0.disabled=1? I thought it was hint.acpi.0.disabled=1 (see http://doc.pfsense.org/index.php/Booting_Options, and also the forum posts regarding firebox installs)

Is there a typo here or are these two totally different things? I have not tried the hint.apic.0.disabled=1 yet, but I plan to tomorrow. Also, are the double quotes of particular importance? Some docs show them there, others don't.

Any info appreciated.. I think these old end of life firebox x series units would be great for pfSense, provided we can get the watchdog timeouts to go away (and a specially sized sticker that can cover up the Firebox X logo :)

Dimitri Rodis
Integrita Systems LLC
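The handbook's test quoted above (watch the acpi0 counter in `vmstat -i` and call it a storm if it grows by more than a couple per second) can be automated from two snapshots taken a known interval apart. This is an added example, not part of the thread: the two snapshots are constructed, assume FreeBSD's whitespace-separated `interrupt / total / rate` columns, and the 5-second interval and the threshold of 2 interrupts per second are assumptions.

```python
"""Detect an interrupt storm on acpi0 from two vmstat -i snapshots.
Added example; the snapshots below are constructed, not captured."""

# Constructed sample: two `vmstat -i` snapshots taken 5 seconds apart.
# The acpi0 counter jumps by 3500 while re4 barely moves.
SNAPSHOT_A = """interrupt                          total       rate
irq0: clk                         100011589        999
irq9: acpi0                                6          0
irq16: re0                             54321          0
irq19: re4                              1234          0
Total                              100067150       1000
"""
SNAPSHOT_B = """interrupt                          total       rate
irq0: clk                         100016589        999
irq9: acpi0                             3506        700
irq16: re0                             54999          0
irq19: re4                              1240          0
Total                              100076334       1001
"""
INTERVAL_SECONDS = 5          # assumed time between the two samples
STORM_THRESHOLD = 2.0         # "more than a couple per second" from the handbook text


def parse_vmstat_i(text):
    """Map each interrupt source name (e.g. 'irq9: acpi0') to its total count.
    Header and 'Total' lines are skipped; the last two columns are total and rate."""
    totals = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] in ("interrupt", "Total"):
            continue
        name = " ".join(parts[:-2])
        totals[name] = int(parts[-2])
    return totals


def interrupt_rates(before, after, seconds):
    """Per-source interrupts per second between two snapshots."""
    a, b = parse_vmstat_i(before), parse_vmstat_i(after)
    return {name: (b[name] - a[name]) / seconds for name in a if name in b}


def find_source(rates, device):
    """Return the rate for the source whose name ends with `device` (e.g. 'acpi0')."""
    for name, rate in rates.items():
        if name.split()[-1] == device:
            return rate
    return None


def acpi_interrupt_storm(before, after, seconds, threshold=STORM_THRESHOLD):
    """True when acpi0 grew faster than `threshold` interrupts/second."""
    rate = find_source(interrupt_rates(before, after, seconds), "acpi0")
    return rate is not None and rate > threshold


if __name__ == "__main__":
    rates = interrupt_rates(SNAPSHOT_A, SNAPSHOT_B, INTERVAL_SECONDS)
    for name, rate in sorted(rates.items()):
        print(f"{name:<20} {rate:8.1f} /s")
    print("acpi0 interrupt storm:",
          acpi_interrupt_storm(SNAPSHOT_A, SNAPSHOT_B, INTERVAL_SECONDS))
```

On a live box, capture `vmstat -i` twice with a sleep in between and pass the two outputs in place of the constructed snapshots.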
RE: [pfSense Support] AW: Firebox X series w/ 1.2 and 1.2.2 issue
Switched the cables a few times now. 3 different pre-fab cables (different colors even!).

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com

-----Original Message-----
From: Andrew Cotter [mailto:andrew.cot...@somersetcapital.com]
Sent: Friday, March 20, 2009 12:35 PM
To: support@pfsense.com
Subject: RE: [pfSense Support] AW: Firebox X series w/ 1.2 and 1.2.2 issue

>From: Dimitri Rodis [mailto:dimit...@integritasystems.com]
>Sent: Friday, 20 March 2009 18:27
>To: support@pfsense.com
>Subject: [pfSense Support] Firebox X series w/ 1.2 and 1.2.2 issue
>
> So, I have a pair of firebox x700 units that I have put new CF cards in. I have tried both 1.2-RELEASE and 1.2.2 (both embedded), and both behave the same way.
>
> On the serial console, I will see the following:
> re4: watchdog timeout
> re4: watchdog timeout
> etc
>
> If I change the LAN interface to re1, the same thing happens, except on the serial console I will see:
> re1: watchdog timeout
> re1: watchdog timeout
> ...etc

I had a similar issue while I was working on a few X500/700 whatever boxes last week. I know people suggest that various low end switches produce this error, but I had no switch in the mix.

I was going direct to a desktop and was getting it. It was a home made looking cable. As soon as I plugged in one of our prefab cables it went away. Try and switch out the ethernet cable.

Let us know. I have 5 of these boxes in the corner of my office. 3 of which I am planning on deploying in the next two weeks.

Andrew
RE: [pfSense Support] Existing pfSense 1.2.2, adding redundant member
It looked that easy-- just wanted to be sure before messing with a production set up!

Thanks,

Dimitri Rodis
Integrita Systems LLC

-----Original Message-----
From: Paul Mansfield [mailto:it-admin-pfse...@taptu.com]
Sent: Wednesday, March 18, 2009 4:45 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Existing pfSense 1.2.2, adding redundant member

Dimitri Rodis wrote:
> So, what is the procedure for adding a redundant member to a single pfSense 1.2.2 install? All IPs used in the rules are already CARP addresses on all interfaces being used--WAN, LAN, and OPT1. There are another 3 interfaces-- one of them will be dedicated to sync (of course). I've seen the FAQs, and did some forum searches, but all of them discuss new installs, not adding redundancy down the line (at least I couldn't find it if so).

if you already set up the IPs as carp, it should be fairly easy. just bring up another machine on unused IPs (wan and lan) and enable carp on it, will preferably want a spare interface for sync, then set up replication push on the master.
[pfSense Support] Existing pfSense 1.2.2, adding redundant member
So, what is the procedure for adding a redundant member to a single pfSense 1.2.2 install? All IPs used in the rules are already CARP addresses on all interfaces being used--WAN, LAN, and OPT1. There are another 3 interfaces-- one of them will be dedicated to sync (of course). I've seen the FAQs, and did some forum searches, but all of them discuss new installs, not adding redundancy down the line (at least I couldn't find it if so).

Thanks,

Dimitri Rodis
Integrita Systems LLC
[pfSense Support] LCDProc Package on Embedded
Just installed 1.2-RELEASE embedded on an old FireBox x500. I read in the forums that someone wrote an LCDProc package for this. Of course, you can't do packages on the embedded platform. I found this link in the forums http://forum.pfsense.org/index.php/topic,12995.0.html which tells you how to make pfsense think it's a full install, but my question is this: does anyone know if the LCDProc package really needs rw access once it's installed? In other words, can I reverse this safely after LCDProc installed? Or should I just leave it rw?

echo "/dev/ufs/pfSense / ufs rw 1 1" > /etc/fstab; echo "/dev/ufs/pfSenseCfg /cf ufs rw 1 1" >> /etc/fstab

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com
RE: [pfSense Support] Exchange RPC/HTTPS outbound client
https://www.testexchangeconnectivity.com/ is your friend when it comes to troubleshooting RPC over HTTP(S) and ActiveSync issues. We are using RPC/HTTPS on a few pfSense setups. I have categorically never found pfSense to be the problem when troubleshooting issues with Exchange-- but I have also categorically never used squid in one of these setups either.

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com

-----Original Message-----
From: RB [mailto:aoz@gmail.com]
Sent: Monday, February 09, 2009 7:16 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Exchange RPC/HTTPS outbound client

On Mon, Feb 9, 2009 at 19:46, Joseph L. Casale wrote:
> I am using 1.2-RELEASE and have a client that needs to connect to an Exchange Server via RPC/HTTPS that I know to be in working order. This client cannot connect when behind pfsense but can access owa on this server.
>
> Are there any known issues, I couldn't find anything that suggested any additional config?

pfSense by default does not employ any application-layer logic and would not interfere with typical HTTPS (tcp/443) traffic. If, however, you have installed the Squid package or have some other proxy intercepting the traffic, it's most likely silently dropping methods it's not configured for.
RE: [pfSense Support] Packages with pfSense embedded not an option - very sad
Re-do what you did, but create a 2GB partition and try again. Leave the other 6GB unused. I had this problem with an older PC and an actual 20GB hard drive-- from what I understand, it has to do with the IDE-->CF adapters and how well they support LBA/DMA modes, etc.

Dimitri Rodis
Integrita Systems LLC

-----Original Message-----
From: Chuck Mariotti [mailto:cmario...@xunity.com]
Sent: Monday, January 26, 2009 9:40 AM
To: support@pfsense.com
Subject: RE: [pfSense Support] Packages with pfSense embedded not an option - very sad

I have gone out and purchased a SanDisk 8GB CF Card. Using VMWare Workstation, mounted the CF as physical drive. Booted off CD, ran install to disk option, all defaults to install to CF (chose Embedded Kernel). Shut down, installed into ALIX, boot only comes up with the following:

PfSense
Default: F1

Can't do anything from there.

Redid the above, followed the http://forum.pfsense.org/index.php?topic=12973.msg72095 (steps 1 to 14), this is of course for a CF HDD Microdrive. Specifically the da0s1a to ad0s1a entries in fstab. Still get the same thing:

PfSense
Default: F1

Any ideas on how to solve this?

Regards,
Chuck

-----Original Message-----
From: cbuech...@gmail.com [mailto:cbuech...@gmail.com] On Behalf Of Chris Buechler
Sent: Thursday, January 22, 2009 10:30 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Packages with pfSense embedded not an option - very sad

On Thu, Jan 22, 2009 at 10:18 PM, Morgan Reed wrote:
>
> Wear leveling is your friend. If your CF card is significantly larger than the data stored on it you'll get longer life out of it.
>

Definitely seems to be the case, even when using half the CF.

> Catch is getting it installed on the 4GB CF first, I've done this once using a random CF->IDE adapter, disabling DMA in BIOS and from the loader prompt so that it'll actually work (most CF->IDE adapters aren't built in such a way that they allow the CF card to negotiate DMA like an HDD would), install ran fine, modified loader.conf to ensure DMA is turned off, it did seem to work but it took a good 20 mins to boot, so I'm not sure what the other differences are between a full and an embedded system.
>

If you choose the embedded kernel during install, it should boot no problem. It includes disabling DMA, enabling serial console, etc.

In the not too distant future we'll likely be distributing a new embedded 1.2.x, essentially a full install img for various size cards. It upgrades reliably (though pretty slowly, that doesn't really matter), and packages work fine. It'll be equivalent to installing it from iso yourself, just easier. It's easy to install to CF using a USB CF writer and VMware USB redirection.
RE: [pfSense Support] Outbound NAT to Virt. IP issues. Maybe it's the config, maybe it's VMWare ESXi?
What kind of Virtual IP are you using? If you are using CARP addresses (which is what I'm using), make sure your subnet mask actually matches your WAN interface subnet mask.

Dimitri Rodis
Integrita Systems LLC

-----Original Message-----
From: Jason Lixfeld [mailto:jason-lists.pfse...@lixfeld.ca]
Sent: Monday, December 22, 2008 8:04 AM
To: support@pfsense.com
Subject: [pfSense Support] Outbound NAT to Virt. IP issues. Maybe it's the config, maybe it's VMWare ESXi?

Hello, and happy holidays!

I have an ESXi server installed with the 1.2.1-RC2 VM upgraded to RC4 up and running. Everything has been working as expected, but then I tried to setup outbound NAT to a virtual IP and everything stopped:

I've configured a Virtual IP on the WAN side which is on the same subnet as the WAN interface itself. I have an outbound NAT rule set up to nat all outbound connections to the Virtual IP. I also have the outbound NAT set for Manual Outbound NAT rule generation (Advanced Outbound NAT (AON)).

From the WAN side, I see the MAC for both the virtual IP and the physical WAN interface IP but I can't ping the Virtual IP however I can ping the physical WAN interface IP, no problem. As soon as I set outbound NAT to Automatic Outbound NAT rule generation, traffic works again (albeit I still can't ping the virtual IP, but at that point, it's moot).

I checked the pfSense firewall rules and verified that it's configured to pass ICMP from any to any on the WAN interface and the LAN interface has a rule to allow IP from any to any, so by all accounts this should be working.

I'm not sure if it's something in pfSense that I'm doing wrong, or if it's a VMWare issue. The fact that I can see the MAC Address on the WAN side seems to indicate that ESXi is doing what it's supposed to. I haven't seen any indication that ESXi doesn't want to pass traffic for a virtual MAC address while I've been looking over its configuration, so I'm at a loss and I'm wondering if anyone has any insight.

Just for completeness, here's the ARP table from a 3550 I have on the WAN side to verify it sees the MAC address and ARP, etc. I've also included the ifconfig from the pfSense shell.

switch>show arp | i Vlan5
Internet  aaa.bbb.ccc.215           -   000b.5f33.6100  ARPA   Vlan5
Internet  aaa.bbb.ccc.209           0   0013.5f1e.93c0  ARPA   Vlan5
Internet  aaa.bbb.ccc.211          16   000c.291b.3c6f  ARPA   Vlan5
Internet  aaa.bbb.ccc.210          17   0000.5e00.0101  ARPA   Vlan5

switch>show mac-address-table | i Fa0/1
   5    0000.5e00.0101    DYNAMIC     Fa0/1
   5    000c.291b.3c6f    DYNAMIC     Fa0/1

.215 is the 3550 I'm using to verify the WAN side.
.209 is the default gateway for the pfSense box that leads to the intermaweb.
.210 is the virtual IP.
.211 is the physical IP.

switch>ping aaa.bbb.ccc.209
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to aaa.bbb.ccc.209, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

switch>ping aaa.bbb.ccc.211
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to aaa.bbb.ccc.211, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

switch>ping aaa.bbb.ccc.210
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to aaa.bbb.ccc.210, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
switch>

# ifconfig
le0: flags=8843 metric 0 mtu 1500
        options=8
        ether 00:0c:29:1b:3c:65
        inet 10.1.11.1 netmask 0xffffff00 broadcast 10.1.11.255
        inet6 fe80::20c:29ff:fe1b:3c65%le0 prefixlen 64 scopeid 0x1
        media: Ethernet autoselect
        status: active
le1: flags=8943 metric 0 mtu 1500
        options=8
        ether 00:0c:29:1b:3c:6f
        inet6 fe80::20c:29ff:fe1b:3c6f%le1 prefixlen 64 scopeid 0x2
        inet aaa.bbb.ccc.211 netmask 0xfffffff0 broadcast aaa.bbb.ccc.223
        media: Ethernet autoselect
        status: active
le2: flags=8843 metric 0 mtu 1500
        options=8
        ether 00:0c:29:1b:3c:79
        inet 10.255.255.1 netmask 0xffffff00 broadcast 10.255.255.255
        inet6 fe80::20c:29ff:fe1b:3c79%le2 prefixlen 64 scopeid 0x3
        media: Ethernet autoselect
        status: active
plip0: flags=108810 metric 0 mtu 1500
pfsync0: flags=41 metric 0 mtu 1460
        pfsync: syncdev: lo0 syncpeer: 224.0.0.240 maxupd: 128
lo0: flags=8049 metric 0 mtu 16384
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
enc0: flags=0<> metric 0 mtu 1536
pflog0: flags=100 metric 0 mtu 33204
tun0: flags=8051 metric 0 mtu 1500
        inet6 fe80::20c:29ff:fe1b:3c65%tun0 prefixlen 64 scopeid 0x9
        inet 192.0.2.1 --> 192.0.2.2 netmask 0xffffffff
        Opened by PID 334
carp0: flags=49 metric 0 mtu 1500
        inet aaa.bbb.ccc.210 netmask 0xfffffff0
        carp: MASTER vhid 1
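A small check for the CARP symptom in this thread, added here as an example; it is not part of the original messages and not pfSense code. Given the WAN interface address and mask, the VIP and its mask, and the VHID, it verifies the two things Dimitri's reply asks about (the VIP mask matches the interface mask, the VIP sits in the interface's subnet) and returns the virtual MAC the upstream switch's ARP table should show for that VHID. The addresses are constructed stand-ins (192.0.2.0/24 documentation space) for the masked aaa.bbb.ccc block in the post.

```python
"""Sanity checks for a CARP virtual IP on a pfSense WAN (added example).

Not code from the thread or from pfSense. Masks may be given dotted or in
FreeBSD ifconfig's hex form (0xfffffff0). CARP answers ARP for a VIP with
the reserved virtual MAC 00:00:5e:00:01:<vhid>, so the expected MAC can be
compared against the switch's 'show arp' output.
"""
import ipaddress


def parse_netmask(mask: str) -> ipaddress.IPv4Address:
    """Accept '255.255.255.240' or FreeBSD's hex form '0xfffffff0'."""
    mask = mask.strip().lower()
    if mask.startswith("0x"):
        value = int(mask, 16)
        if not 0 <= value <= 0xFFFFFFFF:
            raise ValueError(f"netmask out of range: {mask}")
        return ipaddress.IPv4Address(value)
    return ipaddress.IPv4Address(mask)


def prefix_len(mask: ipaddress.IPv4Address) -> int:
    """Contiguous netmask -> prefix length; non-contiguous masks are rejected."""
    bits = int(mask)
    ones = bin(bits).count("1")
    if bits != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous netmask: {mask}")
    return ones


def carp_virtual_mac(vhid: int, cisco: bool = False) -> str:
    """Virtual MAC a CARP VHID uses: 00:00:5e:00:01:<vhid>.

    cisco=True returns IOS's dotted form (0000.5e00.0101) for comparing
    against 'show arp' / 'show mac-address-table' output.
    """
    if not 1 <= vhid <= 255:
        raise ValueError("vhid must be 1..255")
    raw = f"00005e0001{vhid:02x}"
    if cisco:
        return ".".join(raw[i:i + 4] for i in range(0, 12, 4))
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2))


def check_carp_vip(if_addr: str, if_mask: str, vip_addr: str, vip_mask: str, vhid: int) -> dict:
    """Return {'ok', 'problems', 'subnet', 'expected_mac'} for one WAN-side CARP VIP."""
    if_plen = prefix_len(parse_netmask(if_mask))
    if_net = ipaddress.IPv4Network(f"{if_addr}/{if_plen}", strict=False)
    vip_plen = prefix_len(parse_netmask(vip_mask))
    vip = ipaddress.IPv4Address(vip_addr)

    problems = []
    if vip_plen != if_net.prefixlen:
        problems.append(f"VIP mask /{vip_plen} does not match interface mask /{if_net.prefixlen}")
    if vip not in if_net:
        problems.append(f"VIP {vip} is outside the interface subnet {if_net}")
    elif vip in (if_net.network_address, if_net.broadcast_address):
        problems.append(f"VIP {vip} is the network or broadcast address of {if_net}")
    if vip == ipaddress.IPv4Address(if_addr):
        problems.append("VIP is the same address as the interface itself")

    return {
        "ok": not problems,
        "problems": problems,
        "subnet": str(if_net),
        "expected_mac": carp_virtual_mac(vhid),
    }


if __name__ == "__main__":
    # Constructed stand-in for the thread's layout: WAN .211/28, VIP .210/28, vhid 1.
    print(check_carp_vip("192.0.2.211", "0xfffffff0", "192.0.2.210", "0xfffffff0", vhid=1))
    # The same VIP entered with a /24 mask by mistake is flagged.
    print(check_carp_vip("192.0.2.211", "0xfffffff0", "192.0.2.210", "255.255.255.0", vhid=1))
```

If the check passes but the VIP still does not answer, compare `expected_mac` (or `carp_virtual_mac(vhid, cisco=True)`) with the entry the switch holds for the VIP: a matching entry says ARP is fine and the problem is above layer 2.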
[pfSense Support] RE: DNS Forwarder/Authoritative DNS Server
No love?

Dimitri Rodis
Integrita Systems LLC

From: Dimitri Rodis [mailto:dimit...@integritasystems.com]
Sent: Tuesday, December 02, 2008 9:36 AM
To: support@pfsense.com
Subject: [pfSense Support] DNS Forwarder/Authoritative DNS Server

On one of my networks, I have 4 Windows server domain controllers that run DNS for Active Directory on this network in particular. On the services_dnsmasq.php page in pfSense, the bottom section allows you to specify authoritative DNS servers for domains that are not part of the internet (or to override for the purpose of split-brain DNS). Let's say that this particular domain is internaldomain.local. There are 4 authoritative DNS servers for this zone-however, the interface on this page only allows you to add one:

  The following input errors were detected:
  * A override already exists for this domain.

Is there a way that I can specify multiple DNS servers for a particular domain suffix? You should be able to, IMO.

Thanks,
Dimitri Rodis
Integrita Systems LLC
RE: [pfSense Support] Dell Hardware Monitoring - pfSense 1.2 Final
OpenManage Server Administrator is what you're looking for.

Dimitri Rodis
Integrita Systems LLC

From: Curtis LaMasters
Sent: Tuesday, December 09, 2008 11:16 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Dell Hardware Monitoring - pfSense 1.2 Final

No problem, I'm on the phone with Dell support now for which ISO/tool to download. Thanks.

Curtis LaMasters
http://www.curtis-lamasters.com
http://www.builtnetworks.com

On Tue, Dec 9, 2008 at 1:12 PM, Chris Buechler wrote:
> On Tue, Dec 9, 2008 at 2:05 PM, Curtis LaMasters wrote:
> > I'm just trying to minimize failover/failback and downtime. If I knew it
> > was a memory module, hard drive or fan, I could have one ordered and ready
> > to go all in one big swoop.
>
> You can tell if it's a hard drive by looking at the lights on the drive
> sleds, they'll go orange on a dead disk. Aside from that, it's probably a
> bad power supply, fan, or RAM, and you have to get into the diag software
> to tell unfortunately.
[pfSense Support] DNS Forwarder/Authoritative DNS Server
On one of my networks, I have 4 Windows server domain controllers that run DNS for Active Directory on this network in particular. On the services_dnsmasq.php page in pfSense, the bottom section allows you to specify authoritative DNS servers for domains that are not part of the internet (or to override for the purpose of split-brain DNS). Let's say that this particular domain is internaldomain.local. There are 4 authoritative DNS servers for this zone-however, the interface on this page only allows you to add one:

  The following input errors were detected:
  * A override already exists for this domain.

Is there a way that I can specify multiple DNS servers for a particular domain suffix? You should be able to, IMO.

Thanks,
Dimitri Rodis
Integrita Systems LLC
RE: [pfSense Support] Bridge + Captive Portal
The HP implementation on the procurve line places you on a temp vlan until you authenticate. Once you do, your port membership changes.

Besides that, if you want to make use of the public IPs, why not set up 1:1 NAT mappings for all of your public IPs and then just set your DHCP pool on your LAN interface to use the corresponding private IPs? That way, you can "use" all your public IPs, and each client will have one-- I've never used 1:1 in conjunction with captive portal, though, so what I just said may or may not work.

Dimitri Rodis
Integrita Systems LLC

-----Original Message-----
From: Chris Buechler
Sent: Wednesday, November 19, 2008 12:10 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Bridge + Captive Portal

On Wed, Nov 19, 2008 at 1:58 AM, Olivier Nicole wrote:
> Hi Dimitri,
>
> Thanks for the clues, I will look at what I can do with the switch.
>
>> Is there a particular reason you are trying to do a captive portal using a
>> bridge setup vs NAT?
>
> We have the right amount of public IP available (only a class C, but
> for around 150 users, that's plenty enough), so no reason to NAT.
>
> I have been running a bridged firewall (FreeBSD + ipf) for ages (since
> FreeBSD 4.0 maybe), it is working smoothly, it is invisible (obscurity
> is not security, but it contributes to security), it simplifies
> routing (one less hop) and in case of problem, it can be replaced with
> an Ethernet cable. That's among the reasons why I like bridged
> firewall.
>

All valid, but a captive portal implementation by definition cannot be transparent. It has to redirect hosts to an IP on one of its interfaces to serve the portal content.

I'd just use a /30 on the WAN, and your public IP block on the LAN, disable NAT, enable captive portal, and you're set. You can still have the "remove the firewall" option by adding your LAN IP on the upstream router if necessary, and removing the firewall.
RE: [pfSense Support] NAT Reflection States
There are a ton of lines that look like this:

19004 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20

I guess we found the culprit then? Why is it using 20 as opposed to 2000?

Dimitri Rodis
Integrita Systems LLC

-----Original Message-----
From: Scott Ullrich
Sent: Tuesday, November 18, 2008 4:07 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] NAT Reflection States

On Tue, Nov 18, 2008 at 7:04 PM, digger wrote:
> I have the same issue with reflection and SSH. The session closes after
> about 20 seconds.
>
> I am using 1.2.1-RC1 built on Thu Oct 16 07:20:59 EDT 2008
>
> Not a huge issue as I can connect directly to the internal IP in the DMZ but
> it would be nice.

What does /var/etc/inetd.conf look like? Do you see the timeouts defined?

Scott
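An audit of the inetd entries quoted above, added as an example; it is not code from pfSense or from the posters. As this thread shows, pfSense 1.2 implements NAT reflection by writing one /var/etc/inetd.conf line per reflected port that hands the connection to nc with "-w <seconds>" as the idle timeout, while filter.inc defaults reflectiontimeout to 2000. The script parses lines in that shape, extracts the -w value (seconds, as Scott says), and flags entries that are missing it or far below the timeout you expect, which is the 20-versus-2000 mismatch found here. SAMPLE_INETD is constructed; its target host/port columns are placeholders that were not in the quoted line.

```python
"""Audit the nc-based NAT-reflection entries in a pfSense 1.2 inetd.conf (added example).

Not pfSense code. Each generated line has inetd's usual shape:
    <port> stream tcp nowait/0 nobody /usr/bin/nc nc -w <seconds> <host> <port>
FreeBSD nc's -w closes a connection that has been idle for that many seconds,
so a small value tears down long-lived RDP/SSH sessions that go through reflection.
"""
import re
import shlex

# Constructed sample in the shape of pfSense's generated /var/etc/inetd.conf.
# The host/port columns are placeholders, not values from the thread.
SAMPLE_INETD = """\
# generated sample
19004 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.0.2.10 3389
19005 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.0.2.11 443
19006 stream tcp nowait/0 nobody /usr/bin/nc nc -w 2000 192.0.2.12 22
19007 stream tcp nowait/0 nobody /usr/bin/nc nc 192.0.2.13 25
"""

# service  socktype  proto  wait[/max]  user  program  args...
INETD_LINE = re.compile(
    r"^(?P<port>\d+)\s+stream\s+tcp\s+(?P<wait>\S+)\s+(?P<user>\S+)\s+(?P<prog>\S+)\s+(?P<args>.+)$"
)


def parse_reflection_lines(text: str) -> list:
    """Return one dict per nc-based inetd line: listen port, user, -w timeout (s), target."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = INETD_LINE.match(line)
        if not m or not m.group("prog").endswith("/nc"):
            continue
        # inetd passes the first word of args as argv[0] ("nc"); drop it.
        argv = shlex.split(m.group("args"))[1:]
        timeout = None
        target = []
        i = 0
        while i < len(argv):
            if argv[i] == "-w" and i + 1 < len(argv):
                try:
                    timeout = int(argv[i + 1])
                except ValueError:
                    timeout = None  # malformed value: treat as no timeout set
                i += 2
            else:
                target.append(argv[i])
                i += 1
        entries.append({
            "line": lineno,
            "listen_port": int(m.group("port")),
            "user": m.group("user"),
            "timeout_s": timeout,
            "target": " ".join(target),
        })
    return entries


def audit(entries: list, expected_s: int = 2000, min_fraction: float = 0.5) -> list:
    """Entries whose nc idle timeout is absent or below min_fraction of expected_s."""
    return [
        e for e in entries
        if e["timeout_s"] is None or e["timeout_s"] < expected_s * min_fraction
    ]


if __name__ == "__main__":
    found = parse_reflection_lines(SAMPLE_INETD)
    for e in audit(found):
        print(f"line {e['line']}: port {e['listen_port']} -> {e['target']}: "
              f"-w {e['timeout_s']} (expected about 2000 s)")
```

On a live box, feed it the real file (`parse_reflection_lines(open("/var/etc/inetd.conf").read())`) and pass the reflectiontimeout you configured as `expected_s`; any entry it lists is one whose reflected sessions will drop after that many idle seconds.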
RE: [pfSense Support] NAT Reflection States
I am using 1.2-RELEASE built on Sun Feb 24 17:04:58 EST 2008 so it isn't an RC thing.

Dimitri Rodis
Integrita Systems LLC

-----Original Message-----
From: digger
Sent: Tuesday, November 18, 2008 4:04 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] NAT Reflection States

I have the same issue with reflection and SSH. The session closes after about 20 seconds.

I am using 1.2.1-RC1 built on Thu Oct 16 07:20:59 EDT 2008

Not a huge issue as I can connect directly to the internal IP in the DMZ but it would be nice.

Regards,
Digger.

Dimitri Rodis wrote:
> the -w param is in seconds according to
> http://www.securityforest.com/wiki/index.php/Netcat_-_Basic_Overview
>
> Any other ideas as to why connections would be dropping/timing out like
> this?
>
> Dimitri Rodis
> Integrita Systems LLC
>
> -----Original Message-----
> From: Dimitri Rodis
> Sent: Tuesday, November 18, 2008 3:52 PM
> To: support@pfsense.com
> Subject: RE: [pfSense Support] NAT Reflection States
>
> Check this out: http://cvstrac.pfsense.com/chngview?cn=18706
>
> "Comment: Default to nat-reflection inactivity of 2000 which is roughly 33
> minutes."
>
> lol, 2000=33 minutes? Can't be. I have an RDP session open to another server
> in the building here and it's timed out at least 6 times since you emailed
> me last.
>
> Dimitri Rodis
> Integrita Systems LLC
>
> -----Original Message-----
> From: Scott Ullrich
> Sent: Tuesday, November 18, 2008 3:44 PM
> To: support@pfsense.com
> Subject: Re: [pfSense Support] NAT Reflection States
>
> On Tue, Nov 18, 2008 at 6:40 PM, Dimitri Rodis wrote:
>
>> That's milliseconds, correct?
>>
>
> I believe that is seconds, actually (whatever the default nc uses --
> netcat).
>
> Scott
RE: [pfSense Support] NAT Reflection States
the -w param is in seconds according to http://www.securityforest.com/wiki/index.php/Netcat_-_Basic_Overview

Any other ideas as to why connections would be dropping/timing out like this?

Dimitri Rodis
Integrita Systems LLC

-----Original Message-----
From: Dimitri Rodis
Sent: Tuesday, November 18, 2008 3:52 PM
To: support@pfsense.com
Subject: RE: [pfSense Support] NAT Reflection States

Check this out: http://cvstrac.pfsense.com/chngview?cn=18706

"Comment: Default to nat-reflection inactivity of 2000 which is roughly 33 minutes."

lol, 2000=33 minutes? Can't be. I have an RDP session open to another server in the building here and it's timed out at least 6 times since you emailed me last.

Dimitri Rodis
Integrita Systems LLC

-----Original Message-----
From: Scott Ullrich
Sent: Tuesday, November 18, 2008 3:44 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] NAT Reflection States

On Tue, Nov 18, 2008 at 6:40 PM, Dimitri Rodis wrote:
> That's milliseconds, correct?

I believe that is seconds, actually (whatever the default nc uses -- netcat).

Scott
RE: [pfSense Support] NAT Reflection States
Check this out: http://cvstrac.pfsense.com/chngview?cn=18706

"Comment: Default to nat-reflection inactivity of 2000 which is roughly 33 minutes."

lol, 2000=33 minutes? Can't be. I have an RDP session open to another server in the building here and it's timed out at least 6 times since you emailed me last.

Dimitri Rodis
Integrita Systems LLC

-----Original Message-----
From: Scott Ullrich
Sent: Tuesday, November 18, 2008 3:44 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] NAT Reflection States

On Tue, Nov 18, 2008 at 6:40 PM, Dimitri Rodis wrote:
> That's milliseconds, correct?

I believe that is seconds, actually (whatever the default nc uses -- netcat).

Scott
RE: [pfSense Support] NAT Reflection States
That's milliseconds, correct?

Dimitri Rodis
Integrita Systems LLC

-----Original Message-----
From: Dimitri Rodis
Sent: Tuesday, November 18, 2008 3:38 PM
To: support@pfsense.com
Subject: RE: [pfSense Support] NAT Reflection States

Thanks, Scott.

Dimitri Rodis
Integrita Systems LLC

-----Original Message-----
From: Scott Ullrich
Sent: Tuesday, November 18, 2008 3:36 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] NAT Reflection States

On Tue, Nov 18, 2008 at 6:32 PM, Dimitri Rodis wrote:
> How long will pfSense hold onto the states required to maintain a tcp
> connection/udp "session", and can this be changed?
>
> It seems like connections on my network that are utilizing NAT reflection
> are timing out extremely fast (like 20 seconds or less). The firewall
> optimization is set to "conservative."
>
> This is only a guess, but it's the only thing that I can think of that makes
> sense based on the behavior I'm experiencing. (RDP sessions timing out and
> constantly reconnecting, and uploading changes to websites via sharepoint
> server extensions are all timing out, long transfers between mail servers as
> well).
>

From /etc/inc/filter.inc:

    if($config['system']['reflectiontimeout'])
        $reflectiontimeout = $config['system']['reflectiontimeout'];
    else
        $reflectiontimeout = "2000";

You can set an override with

Scott
RE: [pfSense Support] NAT Reflection States
Thanks, Scott.

Dimitri Rodis
Integrita Systems LLC

-----Original Message-----
From: Scott Ullrich
Sent: Tuesday, November 18, 2008 3:36 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] NAT Reflection States

On Tue, Nov 18, 2008 at 6:32 PM, Dimitri Rodis wrote:
> How long will pfSense hold onto the states required to maintain a tcp
> connection/udp "session", and can this be changed?
>
> It seems like connections on my network that are utilizing NAT reflection
> are timing out extremely fast (like 20 seconds or less). The firewall
> optimization is set to "conservative."
>
> This is only a guess, but it's the only thing that I can think of that makes
> sense based on the behavior I'm experiencing. (RDP sessions timing out and
> constantly reconnecting, and uploading changes to websites via sharepoint
> server extensions are all timing out, long transfers between mail servers as
> well).
>

From /etc/inc/filter.inc:

    if($config['system']['reflectiontimeout'])
        $reflectiontimeout = $config['system']['reflectiontimeout'];
    else
        $reflectiontimeout = "2000";

You can set an override with

Scott
RE: [pfSense Support] Bridge + Captive Portal
Olivier,

Depending on the switches that you have, (like the HP procurves), you can make those switches serve up a captive portal before traffic can be sent to any other MAC address. I know that this isn't a pfSense "answer," but depending on the equipment that you have, you may be able to accomplish it.

Is there a particular reason you are trying to do a captive portal using a bridge setup vs NAT?

Dimitri Rodis
Integrita Systems LLC

-----Original Message-----
From: Chris Buechler
Sent: Tuesday, November 18, 2008 12:34 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Bridge + Captive Portal

On Mon, Nov 17, 2008 at 11:15 PM, Olivier Nicole wrote:
> Hi,
>
> Sorry to bug, but the question is of some importance to me as I have
> to select and implement a solution.
>
> Can pfSense use bridge and captive portal at the same time?

No, at least not that I'm aware of. It needs an IP to serve the portal content, and accessing it could be problematic in a bridged environment.
[pfSense Support] NAT Reflection States
How long will pfSense hold onto the states required to maintain a tcp connection/udp "session", and can this be changed?

It seems like connections on my network that are utilizing NAT reflection are timing out extremely fast (like 20 seconds or less). The firewall optimization is set to "conservative."

This is only a guess, but it's the only thing that I can think of that makes sense based on the behavior I'm experiencing. (RDP sessions timing out and constantly reconnecting, and uploading changes to websites via sharepoint server extensions are all timing out, long transfers between mail servers as well).

Dimitri Rodis
Integrita Systems LLC
[pfSense Support] Force Speed/Duplex on NIC
What's the preferred method of forcing a NIC to 100Mb Full Duplex using pfSense? The only things I've managed to come across in my searches is "why would you want to do that" and "your NIC is b0rk3d" and "switch the cable."

The ISP (Cox) requires that interfaces plugged into their Atrica units be hard set to 100 Full (for good reason). And yes, personally I've seen Intel 1000T Server adapters auto negotiate with these Atrica units randomly to either 100 half or 10 half, so the standard auto-detect isn't going to cut it for this unit. (Cox uses these units in a metro SONET ring in Las Vegas).

I would rather not have to go get some junk 8 port managed switch just to force a speed/duplex if it's possible to do in the pfSense config.

Dimitri Rodis
Integrita Systems LLC
RE: [pfSense Support] Captive Portal enabling Ethernet Port Traffic
If you want to authenticate machines connecting to switch ports, install the FreeRADIUS package. I added some interface options to the package earlier this year that should allow you to use it for mac-based authentication and vlan assignment for switches that support it. I use it in a couple different places and it works quite well for us.

Dimitri Rodis
Integrita Systems LLC

-----Original Message-----
From: Tim Nelson
Sent: Thursday, September 11, 2008 3:43 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Captive Portal enabling Ethernet Port Traffic

If you want per port (on your switch) based authentication, you may want to look at 802.1x with RADIUS. If you'd like to do per IP "authentication", pfSense will work nicely.

Tim Nelson
Systems/Network Engineer
Rockbochs Inc.
(218)727-4332 x105

----- "Chris Flugstad" wrote:
> So I have a need that I'm not sure if Pfsense is currently doing. I
> want to have a captive portal, but once auth'd that the ethernet port
> that was used to go through the captive portal, be enabled. Well, I
> guess it would already be enabled, since it got through, but more or
> less that the port had full access. Each port will go to different
> rooms in a hotel.
>
> Any ideas would be appreciated.
>
> -Topher
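What the MAC-based authentication and VLAN assignment described above looks like on the RADIUS side, as an added example; this is not the pfSense FreeRADIUS package's code. It generates FreeRADIUS `users`-file stanzas carrying the RFC 3580 tunnel attributes a switch acts on to move an authenticated port into a VLAN (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = "<vlan>"). Assumptions, stated as such: the switch sends the client MAC as both User-Name and User-Password (the usual MAC-auth behaviour; MAC_STYLE selects the exact format, which differs between switch vendors), and FreeRADIUS 2.x syntax (Cleartext-Password). MAC_TABLE is constructed sample data.

```python
"""Generate FreeRADIUS `users` stanzas for MAC-based port auth with VLAN assignment (added example).

Not pfSense package code. Assumptions: the switch presents the MAC as both
User-Name and User-Password; FreeRADIUS 2.x check-item syntax. FreeRADIUS
reads `users` top-down and stops at the first matching entry, so a MAC
must appear exactly once.
"""
MAC_STYLE = "colon"  # assumption: username format the switch sends; "colon", "dash" or "bare"

# Constructed inventory of permitted devices: MAC (any common notation) -> VLAN
MAC_TABLE = [
    ("00:11:22:AA:BB:01", 10),
    ("00-11-22-aa-bb-02", 20),
    ("0011.22aa.bb03", 10),
]

HEX = "0123456789abcdef"


def normalize_mac(mac: str, style: str = MAC_STYLE) -> str:
    """Accept colon, dash, Cisco-dotted or bare MACs; emit one canonical lowercase form."""
    lowered = mac.lower()
    hexdigits = "".join(c for c in lowered if c in HEX)
    # Any alphanumeric that is not a hex digit, or a wrong digit count, is a malformed MAC.
    if len(hexdigits) != 12 or any(c.isalnum() and c not in HEX for c in lowered):
        raise ValueError(f"malformed MAC: {mac!r}")
    pairs = [hexdigits[i:i + 2] for i in range(0, 12, 2)]
    if style == "colon":
        return ":".join(pairs)
    if style == "dash":
        return "-".join(pairs)
    if style == "bare":
        return hexdigits
    raise ValueError(f"unknown MAC style: {style}")


def users_entry(mac: str, vlan: int) -> str:
    """One `users` stanza: MAC as the user, MAC as its password, VLAN in the reply items."""
    if not 1 <= vlan <= 4094:
        raise ValueError(f"VLAN out of range: {vlan}")
    user = normalize_mac(mac)
    return "\n".join([
        f'{user}\tCleartext-Password := "{user}"',
        "\tTunnel-Type = VLAN,",
        "\tTunnel-Medium-Type = IEEE-802,",
        f'\tTunnel-Private-Group-Id = "{vlan}"',
    ])


def build_users_file(table) -> str:
    """Render all stanzas; a duplicate MAC is an error because only its first entry would ever match."""
    seen = set()
    stanzas = []
    for mac, vlan in table:
        user = normalize_mac(mac)
        if user in seen:
            raise ValueError(f"duplicate MAC in table: {user}")
        seen.add(user)
        stanzas.append(users_entry(mac, vlan))
    return "\n\n".join(stanzas) + "\n"


if __name__ == "__main__":
    print(build_users_file(MAC_TABLE), end="")
```

Deactivating a device, as in the leaving-agent case Dimitri mentions elsewhere, is removing its row from the table and regenerating the file; the switch then gets Access-Reject for that MAC and the port stays in its unauthenticated VLAN.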
RE: [pfSense Support] pfSense 1.2-RELEASE: Performance Issue?
Ted,

I had a similar issue with 10Mb symmetric Cox fiber connection in Las Vegas. For some reason, their equipment didn't like the BroadCom NIC in the system I had. Fortunately, there was another NIC in the system (Intel) that worked just fine. When I performed a bandwidth test using the BroadCom, I got barely over 2Mb. Using the Intel, I got 9.5Mb.

What kind of NICs are in your pfSense box?

Dimitri Rodis
Integrita Systems LLC

-----Original Message-----
From: Ted Crow
Sent: Wednesday, July 30, 2008 1:03 PM
To: support@pfsense.com
Subject: [pfSense Support] pfSense 1.2-RELEASE: Performance Issue?

I'm running 1.2-RELEASE and we recently upgraded from 10mbps DSL to a metro fiber link and we were seeing a pretty significant performance hit across the firewall, especially outbound. In troubleshooting this, my provider has disabled all limiting on their end and the connection is basically a wide open FDX 100Mbps link. This *really* made the performance drop noticeable.

Simple Diagram:

 --------------     ------------     ----------
| Fiber Switch |---| Cisco 2801 |---| Firewall |--> Multiple LANs
 --------------     ------------     ----------
                                          |
                                    ------------
                                   | DMZ Switch |--> DMZ Hosts
                                    ------------

A laptop directly connected to the fiber switch can pump >80Mbps to many points on the Internet. Behind my router it only hits 45-60Mbps probably because the router was never intended to be used at this speed (before the speed was bumped to 100mbps there was no significant performance drop). Behind the pfSense box, however, averages around 20-25Mbps to the Internet. LAN to DMZ Hosts are around 55-60Mbps.

The box is pretty beefy - a SuperServer 5015M-MF+B, Xeon 3040 with 1GB DDR2 and six Intel 1Gbps ports. I'd be a little surprised if the hardware has anything to do with it. CPU and RAM usage have never exceeded 10%. I tried enabling polling but that made no difference. I've disabled the traffic shaper and removed most of my packages to get where I am now and I've run out of ideas.

Anyone?

Ted Crow
Information Technology Manager
Tuttle Services, Inc.
RE: [pfSense Support] Intel Pro 1000 VT
Adam,

This may sound strange, but you might want to load linux and vmware server on the machine, and run pfSense virtualized until the hardware support comes for your NICs. We run pfSense virtualized on Dell PE1800s, PE2900s, and PE2950 servers all the time.

Dimitri Rodis
Integrita Systems LLC

From: Adam Costello
Sent: Thursday, May 15, 2008 7:47 AM
To: support@pfsense.com
Subject: RE: [pfSense Support] Intel Pro 1000 VT

Hi Sean,

Sorry didn't put this in the message below, the Broadcom (NetXtreme BCM5722) is actually the embedded NIC so I can't replace :(

Is my only option a custom build (if I can find the FreeBSD drivers for it)?

Cheers
Adam

From: Sean Cavanaugh
Sent: 15 May 2008 15:09
To: support@pfsense.com
Subject: RE: [pfSense Support] Intel Pro 1000 VT

> To: support@pfsense.com
> Date: Thu, 15 May 2008 09:50:17 +0100
> Subject: RE: [pfSense Support] Intel Pro 1000 VT
>
> I originally thought the problem was that the Intel was not working and the
> Broadcom was, however with my recent findings have led me to believe neither
> were working originally :(
>
> I've had a look at the supported hardware list for FreeBSD 7 and it doesn't
> appear in there. I'm quite worried that there is no way round this problem.
>
> Cheers
>
> Adam

If the hardware is not on the supported hardware list, they will NOT work with pfSense. You will have to get another NIC for the server.
RE: [pfSense Support] 1.2 package add-on missing
1. Did you install pfSense to the hard drive? (You need to for packages)
2. Yes.. Go to the interfaces page and add it.

Dimitri Rodis
Integrita Systems LLC

From: Paul Peziol
Sent: Monday, May 05, 2008 8:41 AM
To: support@pfsense.com
Subject: [pfSense Support] 1.2 package add-on missing

Not sure if it's a bug or something in my installation but the new version appears to not have a choice to add packages and the firmware update page seems to be out of line. If it's an installation issue I will re-install it.

2nd question: I have 3 NIC's. I only setup 2 of them on the initial setup. Is there a way to add the 2nd optional one after the fact?

Paul
RE: [pfSense Support] 3-way CARP
One last thing: Is there currently any way to *not* assign an IP directly to the WAN interface in a CARP config? Since the IPs assigned directly to the WAN can't be used in a failover situation (if I understand correctly), I would like to not have to use an extra public static IP to set up each CARP member.

I was thinking that *maybe* if I just assigned an IP from a private address range to the WAN interface (obviously NOT an address I'm using internally on the LAN side), but actually used the correct subnet mask and gateway address for my public subnet, maybe it would work if I changed AON to NOT use the "default" IP on the WAN. Does that make sense?

If there is currently no way, maybe a feature could be added such that you could choose one of the CARP IPs to be the "default" IP on the WAN interface to achieve this and have the rules work. Would that make sense? Of course, this might be moot if there's a way to do it already..

Thanks guys..

Dimitri Rodis
Integrita Systems LLC

-----Original Message-----
From: Chris Buechler
Sent: Thursday, April 17, 2008 5:32 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] 3-way CARP

On Thu, Apr 17, 2008 at 8:24 PM, Dimitri Rodis wrote:
> So really the peer IP option is there for folks who don't have a
> dedicated interface, so that the pfsync traffic doesn't flood the
> network, is that right?
>

No, it's more for networks with switches that don't play nicely with multicast traffic.

> So, in a 3-way config, do you always have to make configuration changes
> on the "master"? Or can they be made on any of them?
>

you always have to make changes on the master. any changes made on any other machine will be overwritten.
RE: [pfSense Support] 3-way CARP
So really the peer IP option is there for folks who don't have a dedicated interface, so that the pfsync traffic doesn't flood the network, is that right?

So, in a 3-way config, do you always have to make configuration changes on the "master"? Or can they be made on any of them?

Dimitri Rodis
Integrita Systems LLC

-----Original Message-----
From: Chris Buechler
Sent: Thursday, April 17, 2008 5:10 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] 3-way CARP

On Thu, Apr 17, 2008 at 7:46 PM, Dimitri Rodis wrote:
>
> Is it possible to have a 3-way CARP setup? I can't seem to find mention of
> anyone having one up and running, so I just thought I would check to see if
> there was any reason it wouldn't work...
>

Yeah, you can. The only "catch" is with config replication - the primary replicates to the secondary which has to replicate to the tertiary. That's something Scott has discussed changing for 1.3, but I'm not sure if that'll happen or not.

> I do see that you have to set up a "peer IP," so in a 3 way setup what would
> you put there?
>

That's only if you don't want to use multicast, that's an optional field.
[pfSense Support] 3-way CARP
Is it possible to have a 3-way CARP setup? I can't seem to find mention of anyone having one up and running, so I just thought I would check to see if there was any reason it wouldn't work...

I do see that you have to set up a "peer IP," so in a 3 way setup what would you put there?

Reason being-I have a site with 3 beefy physical machines running VMware, and I would like to have a pfSense "node" on each physical machine. Any special considerations? (other than the dedicated interface for pfsync?)

If it's not possible, then I'll just stick with 2.

Any comments/suggestions appreciated!

Thanks,
Dimitri Rodis
Integrita Systems LLC
[pfSense Support] pfsync/FreeRADIUS
Is there a way to make the FreeRADIUS (or just generally package) information sync between two pfSense boxes? I have 2 different customers that need radius -- 1 of them I can use CARP, but the other has 2 different sites.

Scenario 1: Customer with 2 office buildings providing internet access to tenants. We currently have 2 pfSense boxes in place, 1 for NAT and FreeRADIUS (to mac authenticate tenants and auto-assign them to the appropriate VLANs), and 1 just as a filtering bridge between the "public" segment (where we assign people that need to have public static IP addresses) and the internet. I would like to set up a secondary pfSense NAT box, perhaps even in a CARP config, but I would very much like for the FreeRADIUS info to sync between them.

Scenario 2: 2 real estate offices, VPN'd together. Each location has good wireless APs (proxim). We want to mac authenticate each of the agents' laptops (so when they leave we can just deactivate their mac) against FreeRADIUS, and we would like to replicate the FreeRADIUS account information to the other office. Already have 2 pfsense boxes, but 1 is at 1 office and 1 is at the other.

Is there currently a way to make either (or both) of the above scenarios work using pfSense? If not, if someone can give me a bump in the right direction, maybe I can add it to the FreeRADIUS package and send that change to coreteam also.

Thanks,

Dimitri Rodis
Integrita Systems LLC
RE: [pfSense Support] Routing MSN
Advanced Outbound NAT is what you're looking for. I don't know what the ports are, but Advanced Outbound NAT is your friend.

Dimitri Rodis
Integrita Systems LLC

-----Original Message-----
From: Mike Lever [mailto:[EMAIL PROTECTED]]
Sent: Saturday, April 05, 2008 1:45 PM
To: support@pfsense.com
Subject: [pfSense Support] Routing MSN

Hi,

Been having problems the last few days with users on my LAN not being able to login to MSN messenger. I have been fiddling around on my firewall but unsure what I affected to make this change.

How can I route all my MSN traffic through a specific WAN port? I have 5 various types and would like to direct it through one of them.

Regards,

Mike Lever
Tenacity Films (Pty) Ltd t/a Velocity Films
(T) +2711-807-0100
(F) 086-681-7518
http://www.velocityfilms.com

CONFIDENTIALITY CAUTION: If you have received this communication in error, please note that it is intended for the addressee only, is privileged and confidential and dissemination or copying prohibited. Please notify us immediately by e-mail and return the original message. Thank you.
RE: [pfSense Support] pfSense as a VM
That's weird that it would work with Xen and not with Virtual Iron -- do you happen to remember what version of Xen?

Dimitri Rodis
Integrita Systems LLC

From: Curtis LaMasters [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 02, 2008 4:51 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] pfSense as a VM

I have had it running on VMware, MS Virtual Server and XenSource. I have not used it in production but in lab it has worked flawlessly.

Curtis

On Wed, Apr 2, 2008 at 5:36 PM, Dimitri Rodis <[EMAIL PROTECTED]> wrote:

Anyone have any luck running pfSense as a VM on:

Virtual Iron? (no luck for me -- v4.2, won't boot)
Xen? (haven't tried, but Virtual Iron is based on Xen, so I think this is a no-go also)
Hyper-V? (Tried with Beta and with latest RC -- won't boot)

I am only able to get it to boot up and be used with MS Virtual Server and with VMware (all editions). I know that this would qualify as more of a FreeBSD issue, but I figured more people would probably have tried to use pfSense in a VM as opposed to the full blown FreeBSD -- at least for me, I tend to run it as a VM 95% of the time using either MS VS or VMware internally and for customers.

Any feedback appreciated..

Thanks--

Dimitri Rodis
Integrita Systems LLC

--
Curtis LaMasters
http://www.curtis-lamasters.com
http://www.builtnetworks.com
[pfSense Support] pfSense as a VM
Anyone have any luck running pfSense as a VM on:

Virtual Iron? (no luck for me -- v4.2, won't boot)
Xen? (haven't tried, but Virtual Iron is based on Xen, so I think this is a no-go also)
Hyper-V? (Tried with Beta and with latest RC -- won't boot)

I am only able to get it to boot up and be used with MS Virtual Server and with VMware (all editions). I know that this would qualify as more of a FreeBSD issue, but I figured more people would probably have tried to use pfSense in a VM as opposed to the full blown FreeBSD -- at least for me, I tend to run it as a VM 95% of the time using either MS VS or VMware internally and for customers.

Any feedback appreciated..

Thanks--

Dimitri Rodis
Integrita Systems LLC
[pfSense Support] WRAP Bandwidth
Would a WRAP board be capable of NATting and Shaping a 10 megabit symmetric connection without choking? Dimitri Rodis Integrita Systems LLC
[pfSense Support] DHCP on WAN
Any workaround for getting DHCP to work on the WAN interface? Dimitri Rodis Integrita Systems LLC
RE: [pfSense Support] Captive Portal
Email just sent to [EMAIL PROTECTED] with the captive portal changes. I also emailed some freeradius package changes to coreteam back on 3/19. Were those committed?

Thanks,

Dimitri Rodis
Integrita Systems LLC

-----Original Message-----
From: Chris Buechler [mailto:[EMAIL PROTECTED]]
Sent: Sunday, March 23, 2008 7:03 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Captive Portal

Dimitri Rodis wrote:
> If I made the modifications to display the mac/client IP on the
> "default" captive portal page, would you commit it and make it the
> default captive portal page? I would just throw a couple of lines right
> beneath the login button that say:
> Client MAC: xx:xx:xx:xx:xx:xx
> Client IP: xxx.xxx.xxx.xxx
>

Sure, that's a worthwhile addition to the default page. If you send it to coreteam@ someone will get it committed.
RE: [pfSense Support] Captive Portal
If I made the modifications to display the mac/client IP on the "default" captive portal page, would you commit it and make it the default captive portal page? I would just throw a couple of lines right beneath the login button that say:

Client MAC: xx:xx:xx:xx:xx:xx
Client IP: xxx.xxx.xxx.xxx

Dimitri Rodis
Integrita Systems LLC

-----Original Message-----
From: Chris Buechler [mailto:[EMAIL PROTECTED]]
Sent: Saturday, March 22, 2008 6:41 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Captive Portal

Dimitri Rodis wrote:
>
> If I wanted to display a user's IP address AND MAC address on the
> captive portal page, does anyone have a code snippet that would do
> that on the pfSense captive portal page? Is this possible?
>

I suggest opening a feature request ticket on cvstrac.pfsense.org, and/or starting a bounty. Somebody would probably be willing to pick this up for relatively cheap.
[pfSense Support] Captive Portal
If I wanted to display a user's IP address AND MAC address on the captive portal page, does anyone have a code snippet that would do that on the pfSense captive portal page? Is this possible?

Basically, I want to make it really easy for someone to call us and have us provision them for access, and if I am able to display that information on the Captive Portal, I can just have them read it to me as opposed to trying to step them through all of the hoops to get the mac address.

Thanks,

Dimitri Rodis
Integrita Systems LLC
RE: [pfSense Support] DHCP Server Issues
The ticket is 1679. I don't know if I classified it correctly-- I don't know if you guys wanted to consider it a bug or a feature req, but really it's both. I wanted to point this out so one of the dev gods can look at it with this in mind and change it if necessary.

I do need DHCP on the WAN so if there's a quick workaround that anyone knows of, that would be great.

Thanks,

Dimitri Rodis
Integrita Systems LLC

-----Original Message-----
From: Chris Buechler [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 19, 2008 10:42 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] DHCP Server Issues

Dimitri Rodis wrote:
>
> Two things I've noticed in pfSense 1.2 release:
>
> 1. The subnet mask in the scope settings for DHCP keeps reverting back
> to "32". At one point, the DHCP server would not start until I went
> through all of my DHCP scopes (3 interfaces) and reset the subnet
> masks appropriately. It seems to stick in the config file, but the GUI
> is not picking the setting back up out of the config-so if someone
> just goes to say, change the DNS server field and hits save, all of a
> sudden your mask gets changed to a /32.
>

That must be OLSR related, I've never seen nor heard of that. I don't know that anybody is actually using OLSR. If you disable OLSR does that stop?

> 2. I enabled OLSR (but did not bind it to any of the interfaces
> because I don't actually **need** OLSR) because I need a DHCP Server
> on my WAN interface. I noticed in the php code for the DHCP pages that
> enabling OLSR would "turn on" DHCP for the WAN interface. However,
> DHCP is not binding to the WAN interface according to the DHCP log-it
> is only binding to my OPT1 and OPT2 interfaces. (There are 4
> interfaces in the machine total).
>

This might be related to other OLSR issues. We haven't had a DHCP server bug in years, so I can only assume that's likely the case.

We don't let DHCP run on WAN for obvious reasons, though maybe we need a hidden config option to allow this since it is useful in some circumstances. Can you submit a feature request ticket at http://cvstrac.pfsense.org ?
RE: [pfSense Support] DHCP Server Issues
Yes, when I disable OLSR the problem goes away because the subnet mask is no longer a dropdown when "Enable OLSR" is unchecked-- rather, it inherits the subnet mask from the interface that the server is bound to. In other words, when you enable OLSR, the subnet mask becomes a dropdown box (with 1-32 as options) and the setting does not stick, it always reverts to /32. Again, the only reason I even checked the box was to get a DHCP Server on the WAN (which doesn't appear to work anyway). So I guess there's a "bug" and a "feature request" both :)

Any quick workarounds that I can use to get the WAN tab to show up (and DHCP to work) on the WAN side? I will submit the feature request shortly.

Dimitri Rodis
Integrita Systems LLC

-----Original Message-----
From: Chris Buechler [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 19, 2008 10:42 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] DHCP Server Issues

Dimitri Rodis wrote:
>
> Two things I've noticed in pfSense 1.2 release:
>
> 1. The subnet mask in the scope settings for DHCP keeps reverting back
> to "32". At one point, the DHCP server would not start until I went
> through all of my DHCP scopes (3 interfaces) and reset the subnet
> masks appropriately. It seems to stick in the config file, but the GUI
> is not picking the setting back up out of the config-so if someone
> just goes to say, change the DNS server field and hits save, all of a
> sudden your mask gets changed to a /32.
>

That must be OLSR related, I've never seen nor heard of that. I don't know that anybody is actually using OLSR. If you disable OLSR does that stop?

> 2. I enabled OLSR (but did not bind it to any of the interfaces
> because I don't actually **need** OLSR) because I need a DHCP Server
> on my WAN interface. I noticed in the php code for the DHCP pages that
> enabling OLSR would "turn on" DHCP for the WAN interface. However,
> DHCP is not binding to the WAN interface according to the DHCP log-it
> is only binding to my OPT1 and OPT2 interfaces. (There are 4
> interfaces in the machine total).
>

This might be related to other OLSR issues. We haven't had a DHCP server bug in years, so I can only assume that's likely the case.

We don't let DHCP run on WAN for obvious reasons, though maybe we need a hidden config option to allow this since it is useful in some circumstances. Can you submit a feature request ticket at http://cvstrac.pfsense.org ?
[pfSense Support] DHCP Server Issues
Two things I've noticed in pfSense 1.2 release:

1. The subnet mask in the scope settings for DHCP keeps reverting back to "32". At one point, the DHCP server would not start until I went through all of my DHCP scopes (3 interfaces) and reset the subnet masks appropriately. It seems to stick in the config file, but the GUI is not picking the setting back up out of the config -- so if someone just goes to say, change the DNS server field and hits save, all of a sudden your mask gets changed to a /32.

2. I enabled OLSR (but did not bind it to any of the interfaces because I don't actually *need* OLSR) because I need a DHCP Server on my WAN interface. I noticed in the php code for the DHCP pages that enabling OLSR would "turn on" DHCP for the WAN interface. However, DHCP is not binding to the WAN interface according to the DHCP log -- it is only binding to my OPT1 and OPT2 interfaces. (There are 4 interfaces in the machine total).

Bugs? Confirmation?

Dimitri Rodis
Integrita Systems LLC
RE: [pfSense Support] FreeRADIUS Package
The pfSense log viewer is broken?

Dimitri Rodis
Integrita Systems LLC

-----Original Message-----
From: Scott Ullrich [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 06, 2008 1:02 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] FreeRADIUS Package

On 3/6/08, Dimitri Rodis <[EMAIL PROTECTED]> wrote:
> Is there a better place to post/email this stuff? I don't seem to be
> getting much in the way of responses. I have some nice additions to the
> FreeRADIUS package that I want to submit, but I would like to add the
> logging support before I do.
>
> Trying to contribute!

I would imagine that is broken and you will need to roll your own log viewer.

Scott
RE: [pfSense Support] FreeRADIUS Package
Is there a better place to post/email this stuff? I don't seem to be getting much in the way of responses. I have some nice additions to the FreeRADIUS package that I want to submit, but I would like to add the logging support before I do.

Trying to contribute!

Thanks,

Dimitri Rodis
Integrita Systems LLC

-----Original Message-----
From: Dimitri Rodis [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 04, 2008 2:55 PM
To: support@pfsense.com
Subject: RE: [pfSense Support] FreeRADIUS Package

Any hints on how to add logging support? I would really like to add this feature to the package, but I haven't been able to find any information. I've looked at practically every .xml file in http://cvs.pfsense.com/cgi-bin/cvsweb.cgi/tools/packages/ , and I haven't found a package with logging support yet. I've also looked at the CoreGUI docs at http://devwiki.pfsense.org/CoreGUI , but there is no mention of adding logging support anywhere. Can anyone provide some docs/input on how to do this? Having to ssh into the pfSense box and tail -f /var/log/radius.log is a pain, and I would rather just go to a web based log.

Also, when using a textarea widget, is there a way to preserve the carriage returns in the data when it is subsequently received? It isn't affecting any of the functionality that I've added, it would just be nice if it would preserve the formatting so that when the data for that field is subsequently retrieved, it looks the same way it did when I put it in. Again, I didn't see anything in the CoreGUI docs that says whether or not this is possible.

Thanks,

Dimitri Rodis
Integrita Systems LLC

-----Original Message-----
From: Dimitri Rodis
Sent: Thursday, February 14, 2008 2:45 PM
To: support@pfsense.com
Subject: RE: [pfSense Support] FreeRADIUS Package

I installed Squid (per Martin to see the syntax for some of the XML), but when I go to the Package Logs page, I get: "No packages with logging facilities are currently installed."

Also, would you happen to know the options you guys would want me to use with "diff" using cygwin so I can send up my changes so far? (I did the VLAN support already, figured I'd send that up now and then follow up with the logging stuff).

Thanks,

Dimitri Rodis
Integrita Systems LLC

-----Original Message-----
From: Scott Ullrich [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 14, 2008 10:24 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] FreeRADIUS Package

On 2/11/08, Dimitri Rodis <[EMAIL PROTECTED]> wrote:
> The FreeRadius log seems to be located at /var/log/radius.log. According to the current package, there is no logging set up in the package, so you basically have to ssh into pfSense to look at the log.
>
> What's involved in "web enabling" the FreeRADIUS log? (looked in the forums, didn't find much.) Does it take something more than just adding a reference to the location of the log in the .xml file somewhere?

I believe the squid package makes usage of this. Cannot recall 100% but I do know one of our packages has this implemented that should be a good guide.

Scott
[pfSense Support] CARP Documentation
Several recent forum posts regarding CARP refer to the following page:

http://doc.pfsense.org/index.php/Setting_up_CARP_with_pfSense

When I go to that page, it says:

"There is currently no text in this page, you can search for this page title <http://doc.pfsense.org/index.php/Special:Search/Setting_up_CARP_with_pfSense> in other pages or edit this page <http://doc.pfsense.org/index.php?title=Setting_up_CARP_with_pfSense&action=edit>."

Where'd the CARP doc go?

Dimitri Rodis
Integrita Systems LLC
RE: [pfSense Support] Dual-wan Setup issue (Yes, I've read a few Dual-Wan HOWTO docs AND I've rebuilt the router)
You need to use Manual Outbound NAT, and add a rule above the default rule that has the source address of your machine, destination * *, and then select the address of your WAN2 interface.

Dimitri Rodis
Integrita Systems LLC

From: Michael Richardson [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 04, 2008 4:54 PM
To: support@pfsense.com
Subject: [pfSense Support] Dual-wan Setup issue (Yes, I've read a few Dual-Wan HOWTO docs AND I've rebuilt the router)

First let me say that I love PF and am using it enough that I'm considering the standard support contract, but I'm not quite there yet so I still need community support.

I've got a dual-wan setup and I want to cause traffic between an internal machine, and external machine to occur over WAN2 (I could use source or destination as criteria). Both public IPs would share a gateway so I've put a NAT device on WAN2 and connected the modem to it so now both WAN ports are on different subnets. (more)

With the appropriate LAN rule in place, traffic doesn't flow UNLESS I start a packet capture on WAN2 (I found this while trying to troubleshoot). Why would this be? Anyone got the time and know-how to help me troubleshoot this?

Here's my setup. Hope the art comes through decently. The reason for the SpeedStream device is because otherwise both WAN interfaces would have the same gateway IP and I read that is unacceptable for a dual-wan config.

                   Cable Modem 1
                         |
    +--------------------+--------------------+
    | WAN  67.x.x.12                          |
    |                "pfSense 1.2"            |
    | LAN  192.168.1.0                        |
    | WAN2 192.168.0.2                        |
    +--------------------+--------------------+
                         |
    +--------------------+--------------------+
    | 192.168.0.1   "SpeedStream 2601" for NAT |
    +--------------------+--------------------+
                         |
                   Cable Modem 2

I want to be sure that traffic FROM 192.168.1.22 or traffic TO 78.x.x.10 goes through WAN2 (I can use source, destination, or both).

Outbound NAT is set to Automatic and has only the default LAN rule in place.

I have added a LAN rule, but instead of trying to communicate what it is and confirm it's right, I think it would be faster if someone could tell me what it should be (at least one of the options), and I'll just use that.

ANYthing else I haven't mentioned, I likely don't know about and need pointed out.

Thanks in advance, and I'm loving 1.2. The upgrade was flawless.

Mike
RE: [pfSense Support] FreeRADIUS Package
Any hints on how to add logging support? I would really like to add this feature to the package, but I haven't been able to find any information. I've looked at practically every .xml file in http://cvs.pfsense.com/cgi-bin/cvsweb.cgi/tools/packages/ , and I haven't found a package with logging support yet. I've also looked at the CoreGUI docs at http://devwiki.pfsense.org/CoreGUI , but there is no mention of adding logging support anywhere. Can anyone provide some docs/input on how to do this? Having to ssh into the pfSense box and tail -f /var/log/radius.log is a pain, and I would rather just go to a web based log.

Also, when using a textarea widget, is there a way to preserve the carriage returns in the data when it is subsequently received? It isn't affecting any of the functionality that I've added, it would just be nice if it would preserve the formatting so that when the data for that field is subsequently retrieved, it looks the same way it did when I put it in. Again, I didn't see anything in the CoreGUI docs that says whether or not this is possible.

Thanks,

Dimitri Rodis
Integrita Systems LLC

-----Original Message-----
From: Dimitri Rodis
Sent: Thursday, February 14, 2008 2:45 PM
To: support@pfsense.com
Subject: RE: [pfSense Support] FreeRADIUS Package

I installed Squid (per Martin to see the syntax for some of the XML), but when I go to the Package Logs page, I get: "No packages with logging facilities are currently installed."

Also, would you happen to know the options you guys would want me to use with "diff" using cygwin so I can send up my changes so far? (I did the VLAN support already, figured I'd send that up now and then follow up with the logging stuff).

Thanks,

Dimitri Rodis
Integrita Systems LLC

-----Original Message-----
From: Scott Ullrich [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 14, 2008 10:24 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] FreeRADIUS Package

On 2/11/08, Dimitri Rodis <[EMAIL PROTECTED]> wrote:
> The FreeRadius log seems to be located at /var/log/radius.log. According to the current package, there is no logging set up in the package, so you basically have to ssh into pfSense to look at the log.
>
> What's involved in "web enabling" the FreeRADIUS log? (looked in the forums, didn't find much.) Does it take something more than just adding a reference to the location of the log in the .xml file somewhere?

I believe the squid package makes usage of this. Cannot recall 100% but I do know one of our packages has this implemented that should be a good guide.

Scott
[pfSense Support] Outbound NAT Problem, 1.2-RELEASE
Got an issue with Outbound NAT. I have 2 interfaces, LAN and WAN. WAN has an IP assigned to its interface, as well as an additional 4 virtual IPs for a total of 5 IP addresses which are used in various inbound NAT rules. I have turned on manual outbound NAT, as I need my outgoing SMTP traffic to always come from a particular IP. My outbound NAT page looks like this (obviously with real IP addresses as opposed to .x.x.):

Interface  Source         Source Port  Destination  Destination Port  NAT Address  NAT Port  Static Port
WAN        192.x.x.11/32  *            *            25                209.x.x.62   *         NO
WAN        192.x.x.6/32   *            *            25                209.x.x.62   *         NO
WAN        192.x.x.5/32   *            *            25                209.x.x.62   *         NO
WAN        192.x.x.0/24   *            *            *                 *            *         NO

The top 3 items are mail servers, and I want those to always use a particular IP address when communicating with the outside world (which seems to work just fine). The problem comes with rule #4-- none of my internal machines are able to communicate with the outside world (and #4 is the "auto generated rule"). I told the rule to use the "interface address" of the WAN for the NAT Address, but there doesn't seem to be any difference between "interface address" and "any" in the rule selection (which looks wrong to me), as the resulting rule looks exactly the same (bug?). When I specifically choose one of the virtual IPs, rule #4 THEN looks like this:

WAN        192.x.x.0/24   *            *            *                 209.x.x.61   *         NO

... and then my internal machines are able to communicate to the outside world. The interface address is 209.x.x.55-- so when I choose "interface address," shouldn't the rule be:

WAN        192.x.x.0/24   *            *            *                 209.x.x.55   *         NO

Or maybe

WAN        192.x.x.0/24   *            *            *                 (WAN)        *         NO

?? Or am I doing something wrong?

Congrats on a great release, by the way. :)

Dimitri Rodis
Integrita Systems LLC
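Both the dual-WAN answer above ("add a rule above the default rule") and this outbound NAT table depend on the same property of pf's nat rules: the first matching rule decides the translation and later rules are never consulted for that packet. The model below, an added example rather than pfSense or pf code, walks the post's ruleset through that logic on constructed packets and adds a check for rules that an earlier, broader rule shadows. The addresses are constructed stand-ins for the redacted 192.x.x.x / 209.x.x.x values, and the "rule with no translation address" case is a hypothesis about what the non-working "any"/"interface address" entry did (the packet leaving with its private source untranslated), not something the thread confirms.

```python
"""
First-match outbound NAT evaluation, modeled in plain Python.

Added example, not pfSense or pf code.  Addresses are constructed stand-ins
for the redacted values in the post; the "no translation address" case is a
hypothesis about the failing catch-all rule, not confirmed by the thread.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional

# Constructed stand-ins for the addresses in the post.
WAN_IF_ADDR = "203.0.113.55"   # WAN interface address ("209.x.x.55")
SMTP_VIP = "203.0.113.62"      # virtual IP the mail servers must egress from ("209.x.x.62")
LAN_NET = "192.168.10.0/24"    # internal network ("192.x.x.0/24")
MAIL_SERVERS = ["192.168.10.11", "192.168.10.6", "192.168.10.5"]

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class NatRule:
    interface: str
    source: IPv4Network
    dst_port: Optional[int]             # None stands for "*"
    nat_address: Optional[IPv4Address]  # None models a rule with no usable translation address
    static_port: bool = False


def rule(src: str, dst_port: Optional[int], nat: Optional[str], iface: str = "WAN") -> NatRule:
    return NatRule(iface, ip_network(src), dst_port, ip_address(nat) if nat else None)


def first_match(rules: List[NatRule], iface: str, src: IPv4Address, dst_port: int) -> Optional[NatRule]:
    """pf-style evaluation: the first nat rule whose interface, source network
    and destination port all match decides the translation; later rules are
    never consulted for that packet."""
    for r in rules:
        if r.interface == iface and src in r.source and r.dst_port in (None, dst_port):
            return r
    return None


def translate_src(rules: List[NatRule], src: str, dst_port: int, iface: str = "WAN") -> Optional[str]:
    """Translated source address as a string, or None when the packet would
    leave untranslated (no match, or the matching rule has no address)."""
    r = first_match(rules, iface, ip_address(src), dst_port)
    return str(r.nat_address) if r and r.nat_address else None


def reaches_internet(rules: List[NatRule], src: str, dst_port: int) -> bool:
    """An untranslated RFC 1918 source is not routable by the upstream, which
    is the failure the post describes for the catch-all rule (modeled, not confirmed)."""
    effective = ip_address(translate_src(rules, src, dst_port) or src)
    return not any(effective in n for n in RFC1918)


def shadowed_rules(rules: List[NatRule]) -> List[int]:
    """Indices of rules that can never match because an earlier rule on the
    same interface covers their source network and destination port.  This is
    why a host-specific rule has to sit above the default rule."""
    out = []
    for i, r in enumerate(rules):
        if any(e.interface == r.interface and r.source.subnet_of(e.source)
               and e.dst_port in (None, r.dst_port) for e in rules[:i]):
            out.append(i)
    return out


# Rule sets mirroring the post's table: specific SMTP rules first, then the catch-all.
MAIL_RULES = [rule(f"{m}/32", 25, SMTP_VIP) for m in MAIL_SERVERS]
GOOD_ORDER = MAIL_RULES + [rule(LAN_NET, None, WAN_IF_ADDR)]
# Catch-all placed first: the SMTP rules are shadowed and never apply.
BAD_ORDER = [rule(LAN_NET, None, WAN_IF_ADDR)] + MAIL_RULES
# Catch-all with no translation address: everything but the mail servers leaves untranslated.
BROKEN_CATCHALL = MAIL_RULES + [rule(LAN_NET, None, None)]

if __name__ == "__main__":
    print(translate_src(GOOD_ORDER, "192.168.10.11", 25))          # 203.0.113.62
    print(translate_src(GOOD_ORDER, "192.168.10.50", 80))          # 203.0.113.55
    print(shadowed_rules(BAD_ORDER))                               # [1, 2, 3]
    print(reaches_internet(BROKEN_CATCHALL, "192.168.10.50", 80))  # False
```

Run as a script it prints the three cases: with the post's ordering the mail servers egress from the SMTP virtual IP on port 25 and from the interface address otherwise, a catch-all moved to the top shadows the three host rules entirely, and a catch-all that translates to nothing sends workstation traffic out with a private source. `shadowed_rules` is the check worth running on any hand-built manual outbound NAT table before saving it.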