Re: [pfSense-discussion] happy IPv6 day
On Wed, Jun 8, 2011 at 6:57 PM, Chris Buechler cbuech...@gmail.com wrote:
> On Wed, Jun 8, 2011 at 9:40 AM, Eugen Leitl eu...@leitl.org wrote:
>> This being the World IPv6 day, I enabled IPv6 on three pfSense instances, using the excellent http://iserv.nl/files/pfsense/ipv6/ (thanks, Seth!) without problems.
>
> Works nicely indeed. Lots of pieces remaining to complete but what's there works great. I was hoping we'd have IPv6 live at our main datacenter in time for today but the ISP doesn't have it fully available as of yet and we're not going to bother with a tunnel when we'll have native soon, but we'll have it up there in the near future.

Actually I take that back, it was fixed today. Firewalls are all good, haven't had a chance to get it up on the servers yet though.

-
To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com
For additional commands, e-mail: discussion-h...@pfsense.com
Commercial support available - https://portal.pfsense.org
Re: [pfSense-discussion] Problems with CARP VIP and layer 3 switch
On Sun, Apr 17, 2011 at 10:25 PM, Vinicius Coque vco...@gmail.com wrote:
> Now I understand the problem. I'll keep track of the bug on redmine.

I would definitely check the problem on the switch too as in a CARP setup it shouldn't have problems with MACs that switch between ports quickly. That bug in and of itself isn't the problem, the nature of CARP means that switch issue will potentially cause other issues for you in the future.
Re: [pfSense-discussion] Problems with CARP VIP and layer 3 switch
On Fri, Apr 15, 2011 at 4:14 PM, Vinicius Coque vco...@gmail.com wrote:
>> What does the CARP status show, and what do the logs show for CARP?
>
> CARP Status
>
> pfSense master:
> vip1 172.16.0.39 MASTER
>
> pfSense backup:
> vip1 172.16.0.39 BACKUP
>
> System logs:
>
> pfSense master:
> Apr 15 17:08:08 utm-teste1 syslogd: kernel boot file is /boot/kernel/kernel
> Apr 15 20:08:32 utm-teste1 check_reload_status: syncing firewall
> Apr 15 17:08:32 utm-teste1 php: : Beginning XMLRPC sync to https://10.10.0.2:5081.
> Apr 15 17:08:33 utm-teste1 php: : XMLRPC sync successfully completed with https://10.10.0.2:5081.
> Apr 15 17:08:33 utm-teste1 php: : Beginning XMLRPC sync to https://10.10.0.2:5081.
> Apr 15 17:08:33 utm-teste1 php: : XMLRPC sync successfully completed with https://10.10.0.2:5081.
> Apr 15 17:08:35 utm-teste1 php: : Filter sync successfully completed with https://10.10.0.2:5081.
>
> pfSense backup:
> Apr 15 17:08:12 utm-teste2 syslogd: kernel boot file is /boot/kernel/kernel
> Apr 15 17:08:32 utm-teste2 check_reload_status: syncing firewall
> Apr 15 17:08:32 utm-teste2 kernel: vip1: link state changed to DOWN
> Apr 15 17:08:32 utm-teste2 kernel: vip1: INIT -> MASTER (preempting)
> Apr 15 17:08:32 utm-teste2 kernel: vip1: link state changed to UP
> Apr 15 17:08:32 utm-teste2 kernel: vip1: MASTER -> BACKUP (more frequent advertisement received)

That looks like a consequence of:
http://redmine.pfsense.org/issues/1433
plus something on your switch(es). The MAC will move in the switch's CAM table from the primary's port to the secondary's when the secondary switches from master to backup even though it's for a fraction of a second, but should immediately move back on the switch when the master picks back up. There's something on the switch that isn't behaving correctly for MACs that quickly change ports, which is ultimately the actual problem, though that CARP switch shouldn't happen during a config change which exacerbates the issue.
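The sub-second MASTER/BACKUP bounce in the backup node's log above is the kind of event worth catching automatically, because a VIP that flaps on every config sync also moves the CARP MAC between switch ports each time. The script below is an added example for this thread, not pfSense code: it parses the kernel's "vip: OLD -> NEW (reason)" transition lines and reports any VIP that held MASTER for only a few seconds before falling back to BACKUP. The sample lines are constructed, modelled on the backup node's log; syslog lines carry no year, so one is assumed.

```python
"""Detect short-lived CARP MASTER episodes in pfSense/FreeBSD syslog output.

Added example, not pfSense code. Assumes the FreeBSD carp(4) log format
"<host> kernel: <vip>: <OLD> -> <NEW> (<reason>)" and a syslog year of 2011.
"""
import re
from datetime import datetime

CARP_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<vip>\w+): (?P<old>[A-Z]+) -> (?P<new>[A-Z]+)(?: \((?P<reason>[^)]*)\))?"
)


def parse_transitions(lines, year=2011):
    """Return CARP state transitions in log order; lines that are not CARP transitions are ignored."""
    events = []
    for line in lines:
        match = CARP_RE.match(line)
        if not match:
            continue
        stamp = datetime.strptime(f"{year} {match.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append({
            "time": stamp,
            "host": match.group("host"),
            "vip": match.group("vip"),
            "old": match.group("old"),
            "new": match.group("new"),
            "reason": match.group("reason") or "",
        })
    return events


def find_flaps(events, window_seconds=5):
    """Flag (host, vip) pairs that went MASTER and back to BACKUP within window_seconds.

    A transition to MASTER that is not followed by BACKUP inside the window is a
    normal failover and is not reported.
    """
    became_master = {}  # (host, vip) -> time it last became MASTER
    flaps = []
    for event in events:
        key = (event["host"], event["vip"])
        if event["new"] == "MASTER":
            became_master[key] = event["time"]
        elif event["new"] == "BACKUP" and key in became_master:
            held = (event["time"] - became_master.pop(key)).total_seconds()
            if held <= window_seconds:
                flaps.append({
                    "host": event["host"],
                    "vip": event["vip"],
                    "held_seconds": held,
                    "reason": event["reason"],
                })
    return flaps


# Constructed sample: the backup node's log from the thread, plus one later
# transition ("master timed out" is an assumed reason string) that is a real
# failover and must not be flagged.
SAMPLE_LOG = [
    "Apr 15 17:08:12 utm-teste2 syslogd: kernel boot file is /boot/kernel/kernel",
    "Apr 15 17:08:32 utm-teste2 check_reload_status: syncing firewall",
    "Apr 15 17:08:32 utm-teste2 kernel: vip1: link state changed to DOWN",
    "Apr 15 17:08:32 utm-teste2 kernel: vip1: INIT -> MASTER (preempting)",
    "Apr 15 17:08:32 utm-teste2 kernel: vip1: link state changed to UP",
    "Apr 15 17:08:32 utm-teste2 kernel: vip1: MASTER -> BACKUP (more frequent advertisement received)",
    "Apr 15 21:30:07 utm-teste2 kernel: vip1: BACKUP -> MASTER (master timed out)",
]

if __name__ == "__main__":
    for flap in find_flaps(parse_transitions(SAMPLE_LOG)):
        print(f"{flap['host']} {flap['vip']}: held MASTER for {flap['held_seconds']:.0f}s ({flap['reason']})")
```

Run against a syslog export from both cluster members; a flap reported on the backup during every "syncing firewall" event is the redmine bug above, while flaps at other times point at lost advertisements on the sync path or at the switch.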
Re: [pfSense-discussion] Problems with CARP VIP and layer 3 switch
On Wed, Apr 13, 2011 at 10:32 PM, Vinicius Coque vco...@gmail.com wrote:
> Hi
>
> I have two pfSense machines configured as cluster using carp, they are both connected to a layer 3 switch. There are about 10 different subnets configured on that and each client machine under these subnets use the switch as its default gateway, and then it routes the traffic.
>
>      10.10.0.2            10.10.0.3
>    -----------          -----------
>   |  pfSense  |--------|  pfSense  |   VIP 10.10.0.1
>    -----------          -----------
>          \                 /
>           \               /
>            ---------------
>           |    switch     |
>            ---------------
>           /               \
>          /                 \
>    10.10.1.0/24        10.10.2.0/24
>
> The problem is that every time a configuration is changed, I can access the VIP with no problem from the same subnet of the pfSense machine (10.10.0.0/24), but for any other subnet the VIP becomes unreachable. Some kind of routing issue it seems.

Check the routing table on the firewall when it doesn't work and verify it.
[pfSense-discussion] 2.0-RC1 now available!
http://blog.pfsense.org/?p=585
Re: [pfSense-discussion] Considering Switching to Pfsense
On Wed, Feb 9, 2011 at 5:41 PM, Tony Zakula tonyzak...@gmail.com wrote:
> We have a 5mb line, is a quad core processor with 4gb of ram overkill?

Way, way overkill, that's closer suited to a 5 Gb connection than 5 Mb. Not that that's a problem, you can get by with a whole lot less hardware if needed though.
Re: [pfSense-discussion] DreamPlug
On Wed, Feb 2, 2011 at 4:43 AM, Cédric Jeanneret pfse...@tengu.ch wrote:
> Hello,
>
> Just wondering if anyone has already used pfsense on such material:
> http://www.newit.co.uk/shop/proddetail.php?prod=DreamPlug
>
> There are some other computer plugs, like
> http://www.globalscaletechnologies.com/t-guruplugdetails.aspx

Those are not x86, they're not a compatible architecture at this time.
Re: [pfSense-discussion] PfSense localization
On Mon, Jan 3, 2011 at 4:36 PM, st41ker st41...@st41ker.net wrote:
> Hello,
>
> PfSense is a very popular project and it is used around the globe. So I can say that it is an international product. But when I look at localization I see that it's not so good for international usage. Hardcoded English is everywhere. I know that there is nothing wrong with that but that is a huge blank space for modern open-source software, since almost every product of this type supports localization or at least gives the community the ability to localize it. I know that there are people who will help in translating PfSense but developers should help from their end also: templates, localization string usage etc. Is that so hard to implement?

2.0 already has gettext on the entire web interface, and all of inc is in a git clone that wasn't finished quickly enough to be merged for 2.0 release but will be shortly after its release I expect. It was a *huge* amount of work. Bluepex, who sells a rebranded and translated version in Brazil, had a few staff members on that for many weeks (not full time but putting in a lot of hours) to get it finished. More will come on that later, including seeking people willing to help translate.
Re: [pfSense-discussion] Re: ARIN space not accepted
On Sat, Dec 11, 2010 at 11:23 AM, Gé Weijers g...@weijers.org wrote:
> [...]
>
> That means, prior to end of Q1, the bogon list will be:
>
> 0/8
> 10/8
> 127/8
> 172.16/12
> 192.168/16
> 224/3
>
> There's a number of special-use ranges that are not in this list, but which should not occur as (source) addresses on the internet. So if you're manually configuring a list and are sufficiently paranoid refer to RFC5735 and use these additional ones:
>
> 192.0.0/24 (future-use special purpose)
> 192.0.2/24 (TEST-NET-1)
> 198.18/15 (benchmark testing of interconnect devices)
> 198.51.100/24 (TEST-NET-2)
> 203.0.113/24 (TEST-NET-3)
>
> You should filter these source addresses as well:
>
> 169.254/16 (link-local addresses)
> 192.88.99/24 (6to4 anycast, not a valid *source* address)

The bogons list we use is from Cymru, it includes all of the above with the exception of 6to4 anycast.
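The ranges above make a short, fixed source-address filter once the IANA free pool is gone, and it is easy to verify a log or a packet capture against them. The script below is an added example for this thread, not pfSense code or the Cymru feed: it builds a longest-prefix table from exactly the prefixes named in the message (the six remaining bogons plus the RFC 5735 special-use, link-local and 6to4 anycast ranges), classifies a source address against it, and runs that over a few constructed log lines. The log line format and the sample addresses are constructed for the example; IPv4 only, since the thread's list is IPv4 only.

```python
"""Flag packets whose source address falls in a bogon or special-use range.

Added example, not pfSense code. Prefixes are the ones listed in the thread;
the log format and sample lines below are constructed.
"""
import ipaddress
import re

# Bogon list as given in the thread for the period after IANA's pool is exhausted.
BOGONS = {
    "0.0.0.0/8": "this network",
    "10.0.0.0/8": "RFC 1918 private",
    "127.0.0.0/8": "loopback",
    "172.16.0.0/12": "RFC 1918 private",
    "192.168.0.0/16": "RFC 1918 private",
    "224.0.0.0/3": "multicast and reserved",
}

# Additional RFC 5735 ranges the thread says should never appear as a source.
SPECIAL_USE = {
    "192.0.0.0/24": "future-use special purpose",
    "192.0.2.0/24": "TEST-NET-1",
    "198.18.0.0/15": "benchmark testing",
    "198.51.100.0/24": "TEST-NET-2",
    "203.0.113.0/24": "TEST-NET-3",
    "169.254.0.0/16": "link-local",
    "192.88.99.0/24": "6to4 anycast",
}


def build_table(*range_sets):
    """Parse dotted prefixes into ip_network objects, most specific prefix first."""
    table = []
    for ranges in range_sets:
        for prefix, label in ranges.items():
            table.append((ipaddress.ip_network(prefix), label))
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


TABLE = build_table(BOGONS, SPECIAL_USE)


def classify_source(addr):
    """Return the label of the range addr falls in, or None if it looks routable."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        raise ValueError("this table covers IPv4 only")
    for net, label in TABLE:
        if ip in net:
            return label
    return None


# Constructed line format: "<timestamp> <interface> <src> -> <dst> <proto/port>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<iface>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+)")


def flag_bogon_sources(lines):
    """Return (src, label) for every parsable line whose source is in the table."""
    flagged = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not in the expected format; skip rather than guess
        label = classify_source(match.group("src"))
        if label is not None:
            flagged.append((match.group("src"), label))
    return flagged


# Constructed sample of inbound WAN traffic; 203.0.113.9 is a TEST-NET-3 stand-in
# for the firewall's own public address.
SAMPLE_LOG = [
    "2011-06-08T09:40:01Z em0 198.51.100.7 -> 203.0.113.9 tcp/443",
    "2011-06-08T09:40:02Z em0 8.8.8.8 -> 203.0.113.9 udp/53",
    "2011-06-08T09:40:03Z em0 192.88.99.1 -> 203.0.113.9 proto/41",
    "2011-06-08T09:40:04Z em0 169.254.10.20 -> 203.0.113.9 tcp/80",
    "2011-06-08T09:40:05Z em0 198.19.255.254 -> 203.0.113.9 tcp/22",
]

if __name__ == "__main__":
    for src, label in flag_bogon_sources(SAMPLE_LOG):
        print(f"drop {src}: {label}")
```

The table is sorted longest prefix first so that a more specific entry wins if the list is ever extended with overlapping prefixes; the prefixes in the thread are disjoint, so order does not change the result for them.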
Re: [pfSense-discussion] country blocking for single address
On Fri, Nov 26, 2010 at 12:34 PM, Adam Thompson athom...@athompso.net wrote:
> The specific country involved might take far less than that; accuracy also matters. For example, I can block about 80% of Africa with less than ten rules. Blocking 100% of Africa takes hundreds of entries.
>
> I do recall there was a way previously discussed on-list to import huge aliases; unfortunately, I *think* it consisted of download (backup) config.xml, edit it programmatically, then upload (restore) it.

You don't want to do that with 20K+ entries in 1.2.x, the XML parser in 1.2.x is too slow. The countryblock package handles basically the same functionality automatically in a way that doesn't slow things down.

> I also think there are enhancement requests still open for 2.0 to make this easier, but of course I can't find them right now...

Nothing still open as it's already done.
Re: [pfSense-discussion] pfSense router/firewall in a Vmware ESXi guest for other guests
On Thu, Oct 7, 2010 at 3:43 PM, Eugen Leitl eu...@leitl.org wrote:
> On Sat, Oct 02, 2010 at 03:53:54PM -0400, Chris Buechler wrote:
>> That's not the normal experience from what I've seen, sounds specific to something in particular you're doing. I believe every environment I've seen that routes between VLANs within ESX handles the VLANs entirely at the ESX level, with one vswitch per VLAN and the firewall connected to the individual vswitches, maybe that's the difference. Running inside of VMware isn't nearly as fast as running on equivalent bare metal, but most of the time you don't need that kind of performance, 300 Mbps is easily achievable with e1000 NICs and moderately new (anything with VT) server hardware. I've been on dozens
>
> Chris, how much memory do you recommend for a pfSense ESXi instance, which handles 4 guests (one IP address each), 100 MBit/s switched setup? Do I need 1+ GByte, or can I risk allocating just 512 MBytes to the guest?

It depends. Virtual sizing no diff from physical. Depends on simultaneous connections, what packages and configurations they use, etc. I use 128 MB RAM and 2 GB disks on most of my test and dev boxes, they're mostly pretty basic though.
Re: [pfSense-discussion] pfSense router/firewall in a Vmware ESXi guest for other guests
On Sat, Oct 2, 2010 at 2:44 PM, Adam Thompson athom...@c3a.ca wrote:
> This started with 4.0, I have upgraded to 4.1 but haven't specifically tested performance since. Routing from one VLAN to another entirely inside VMware is still slow, however. AFAIK this is somehow related to interrupt handling and/or mitigation.
>
> The bad news is that since upgrading to 4.1, the pfSense guest occasionally loses ALL network interrupts for about 15 minutes at a time - this happens at least once or twice a week. It starts slowly, performance is merely degraded, then nothing, then slowly returns to normal - whole event takes ~15min.
>
> Traffic arriving at or leaving the VMWare HOST shows normal performance levels, it's only traffic within the host that seems slow: SMB traffic across the pfSense router, no NAT involved, one pass-all pf rule, runs between 10Mbit/sec and 100Mbit/sec. I also see lots of TCP badness if I run a sniffer on either end - dup acks, dup pkts, and missing packets.

That's not the normal experience from what I've seen, sounds specific to something in particular you're doing. I believe every environment I've seen that routes between VLANs within ESX handles the VLANs entirely at the ESX level, with one vswitch per VLAN and the firewall connected to the individual vswitches, maybe that's the difference. Running inside of VMware isn't nearly as fast as running on equivalent bare metal, but most of the time you don't need that kind of performance, 300 Mbps is easily achievable with e1000 NICs and moderately new (anything with VT) server hardware. I've been on dozens of such systems personally this year alone, across numerous different customer environments. It's a common setup, and works well including for routing between VLANs.

I know at least a couple setups that route backups between VLANs, maxes out the system at a bit over 300 Mbps, but runs fine every night and the resulting performance degradation for the other interfaces while the firewall VM is pegged isn't an issue in that environment (everything else still works fine). We have customers who run their entire colo environments in vSphere including firewalls, setting the edge CARP pair so the two never get vmotioned to the same host for proper redundancy.

To answer the original question, there are numerous environments running that way with great results. Very solid performance and reliability. ESX and ESXi are equivalent, any mentions of ESX here could be ESXi just the same (and many of the environments I'm referring to are ESXi).
[pfSense-discussion] training session at EuroBSDCon
For those who don't follow the blog, a reminder on our upcoming training session at EuroBSDCon.

http://blog.pfsense.org/?p=568
Re: [pfSense-discussion] IPSEC routing hack, and CARP, leading to arpresolve can't allocate route errors
On Wed, Sep 1, 2010 at 12:23 PM, Paul Mansfield it-admin-pfse...@taptu.com wrote:
> if you recall, to make your pfsense firewall itself be able to talk to a remote site over an IPSEC tunnel, you need to add a hack which is a static route to remote network via the LAN address
>
> if you have a firewall cluster and you use the CARP address of the LAN, it does work, but it *seems* to cause the following errors to appear in system log:
>
> Sep 1 15:40:01 kernel: arpresolve: can't allocate route for 10.1.2.254
>
> the 10.1.2.254 is the CARP ip on the LAN
>
> I can make these go away by using the IP of the firewall's LAN but that kind of defeats part of the purpose of having a cluster and carp!
>
> Apart from this being a distraction/nuisance, is this something to worry about?

No, just happens when the system tries to ARP its own CARP IPs. Only cosmetic.
Re: [pfSense-discussion] article: Millions of Home Routers at Risk
On Mon, Aug 2, 2010 at 3:53 AM, LM asturlui...@gmail.com wrote:
> What is the status of this? A patch is going to be released or what?

I'll put up a blog post later - the gist of it is use a strong password and you're fine. The protection we added simply protects from gross negligence (or future vulnerabilities in the web interface, of which none are known), there is no patch to fix anything as nothing in our code is a problem.
Re: [pfSense-discussion] Hints on no firewall and bridge
On Sun, Jul 4, 2010 at 5:46 AM, Tonix (Antonio Nati) to...@interazioni.it wrote:
> First question.
>
> We are planning to use PFsense as frontend gateway routing to customers subnets, and in such architecture, we could use pfsense as pure routing device, except we want to protect the LAN network. Does the disable firewall option exclude completely any NAT or filtering rules, without any possibility to protect the LAN interface?

Yes.

> Second question.
>
> We may have one frontend Internet link doubled on two FE switches (using redundant switches and spanning tree features), so if one FE switch fails, we can have the connection on the other FE switch. Apart of using a master/slave couple of fw, we are evaluating if to bridge two interfaces, for each FW, placed on both FE switches.
>
> Link ---+--- SW1 --- em0 (pf1-em0)
>         |
>         +--- SW2 --- em1 (pf1-em1 bridged to em0)
>
> In such a case, the bridging feature on PFsense, can handle the trick? In case of SW1 failure, can states open on interface em0 work also on interface em1-bridged-to em-0?

Never tried anything like that on a single system, it works with two systems using CARP (with proper STP or a devd script to up/down the bridge accordingly). Not sure if the states would failover correctly with one system.
Re: [pfSense-discussion] 2.0 on a two-NIC system
On Mon, Jun 7, 2010 at 7:50 AM, Eugen Leitl eu...@leitl.org wrote:
> I've managed to resurrect my oldish VIA C3 dual mini-ITX upgrading them to 2.0beta. Is there a way to get them to run as a failover cluster in 2.0, despite having only two physical NICs? This wasn't possible in 1.3.

Yes, and it's always been possible. It's not recommended with any version for security and performance reasons, but will work fine.
Re: [pfSense-discussion] modified nanoBSD 1.2.3 image for WRAP?
On Mon, Mar 8, 2010 at 5:59 PM, Jim Pingle li...@pingle.org wrote:
> On 3/8/2010 5:51 PM, David Rees wrote:
>> I've seen same or similar behavior on an ALIX box with a fairly large ruleset and decent number of VPNs. We could never get all the VPNs to come up properly and we eventually ended up with a corrupted configuration file while we were trying to disable/enable various VPNs (which takes a LONG time on ALIX hardware and is very tedious). Ended up dropping the config file into a more powerful machine and it works fine. I'm guessing that there is some sort of race condition somewhere in at least a couple places.
>
> How many VPNs? I've had as many as 9 IPsec tunnels going between ALIX boxes on 1.2.3 and never had any issues.

I know of one embedded box that's running 200+ OpenVPN servers (making for a very large config), on a VIA that's only marginally faster than an ALIX, and performs great. Most very large configs are running on much, much faster hardware than an ALIX though, just by the nature of what those boxes have to push.
Re: [pfSense-discussion] broadcom BCM5722 only running at 100M not 1G
On Mon, Feb 1, 2010 at 8:03 AM, Paul Mansfield it-admin-pfse...@taptu.com wrote:
> after complaint about slowness between our lan and dmz, I traced it to a firewall interface on our pfsense 1.2.3 firewall, a Dell R300 with onboard broadcom bcm5722
>
> FreeBSD fwa.xxx.yyy 7.2-RELEASE-p5 FreeBSD 7.2-RELEASE-p5 #0: Sun Dec 6 23:20:31 EST 2009 sullr...@freebsd_7.2_pfsense_1.2.3_snaps.pfsense.org:/usr/obj.pfSense/usr/pfSensesrc/src/sys/pfSense_SMP.7 i386
>
> a bit of googling came up with this
> http://groups.google.com/group/mailing.freebsd.current/browse_thread/thread/4b42a0fa82125473?pli=1
>
> I bounced the interface as suggested and it didn't help, and swapped the cable, also no joy.
>
> this firewall is one of a clustered pair, the 2ndry is identical hardware and its bge0 is running fine at 1000baseT. the cisco switch they're both plugged into doesn't suggest any errors.
>
> stuff reported in dmesg...
>
> bge0: Broadcom BCM5722 A0, ASIC rev. 0xa200 mem 0xdfdf-0xdfdf irq 16 at device 0.0 on pci1
> brgphy0: BCM5722 10/100/1000baseTX PHY PHY 1 on miibus0
> brgphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, 1000baseT, 1000baseT-FDX, auto
>
> any suggestions please?

Sure you're using CAT5e or better cables and not just CAT5? That's the most common cause when I run into things like that.
Re: [pfSense-discussion] Ping
On Wed, Jan 6, 2010 at 5:18 AM, cl...@pfsense pfse...@mail-fwd.archie.dk wrote:
> I wonder: Has there really been no activity on this list since Dec 21 or has my feed been cut ?

This list isn't very active, the support list is much more active, and the forum far more active than both the lists combined. And the auto-reply loop person has been unsubscribed, sorry for the noise. :)
Re: [pfSense-discussion] two /24 on a WAN
On Sun, Dec 20, 2009 at 5:27 PM, Eugen Leitl eu...@leitl.org wrote:
> I see there are no multiple fields for subnets in the WAN interface. My ISP doles out networks as /24 as the largest chunk. Does this mean I can't add a second subnet in the pfSense GUI and have to use the command line, or do it in FreeBSD?

That can be handled entirely in the GUI. Exactly how depends on your ISP and what they're willing to do, and that's not a simple, short discussion. There are 5 pages in the book (http://pfsense.org/book) covering the various ways of handling multiple public IPs and multiple public IP subnets.
Re: [pfSense-discussion] Traffic shaping VOIP on low bandwidth connections?
On Mon, Dec 14, 2009 at 11:12 PM, Joe Lagreca lagr...@gmail.com wrote:
> I have a T-1 (1.54mb symmetrical) for our data connection. Whenever there is a big download filling the pipe, the inbound voice chops. When I set the inbound traffic to 1450kb (tested all the way down to 1000kb), I got VERY bad results. Audio was VERY choppy inbound, and ping latency to the internal interface of the firewall would jump from 1ms to 700ms.
>
> I was told you can't effectively rate limit the inbound traffic,

Wrong.

> so I set the inbound bandwidth to 5,000 kb. The outbound is set to 1450kb. It sounds much better, but I still have chops when a big download is initiated.

Because of the above excessive limit. You can't do anything once traffic is on your downstream, but limiting on the download side delays traffic after it gets to you, causing TCP's congestion control to slow down the connection, and hence not overfill your downstream.
[pfSense-discussion] pfSense 1.2.3 release now available!
Details here: http://blog.pfsense.org/?p=531
Re: [pfSense-discussion] optimal way for a colo setup
On Mon, Nov 9, 2009 at 8:09 AM, Eugen Leitl eu...@leitl.org wrote:
>> generally prefer getting a smaller WAN block and having the larger internal block routed to you, then you can use a combination of NAT
>
> So you have a small address space just for the firewalls WANs and other stuff, and get the networks handled to you? Using which protocol, BGP?

No routing protocols. The routing is done upstream by the provider.

> So how does the layout look like WAN and LAN side? Which addresses do the hosts on the LAN side have, private IPs (e.g. 10.x.x.x)?

You can have some interfaces with private, some with public, all private, all public, whatever you want to use.
Re: [pfSense-discussion] pfSense book now available for purchase
On Wed, Nov 4, 2009 at 12:17 PM, Scott Ullrich sullr...@gmail.com wrote:
> On Wed, Nov 4, 2009 at 12:13 PM, cl...@pfsense pfse...@mail-fwd.archie.dk wrote:
>> Can't wait for the electronic version :-)
>
> I believe only commercial support customers will have access to the electronic version.

I think - not completely sure yet on this - that at least one of our hardware resellers will be selling individual electronic copies. The publisher is working on that.

> For those who have a support or reseller subscription, you can grab it here after logging in:
> https://portal.pfsense.org/book/pfSense-book.pdf
>
> And folks, please respect the authors and do not pirate it. kthanks

Indeed.
Re: [pfSense-discussion] Rebecca L. Bowman/CHMCA is out of the office.
On Thu, Oct 29, 2009 at 5:38 PM, iggd...@gmail.com wrote:
> I'd like you all to know that unlike Ms. Bowman I will be in the office or at least available more or less at all times. I kind of live on the internet. Thanks.

That was confidential!! ;)

On a serious note, I wish people would configure their mail servers to only send out of office replies when they are expressly listed in the to or cc lines.
Re: [pfSense-discussion] long upgrade of 1.2.3RC3full on ALIX
On Thu, Oct 15, 2009 at 4:59 AM, Eugen Leitl eu...@leitl.org wrote:
> On Thu, Oct 15, 2009 at 10:10:59AM +0200, Eugen Leitl wrote:
>> I've updated 1.2.3RC3 on a SunFire X2100 M2 yesterday without a hitch. Same upgrade on ALIX takes now about an hour. What's the name of the upgrade process? bsdtar isn't running according to ps -aux
>
> Update: the system crashed, and had to be rebooted manually. It shows version 1.2.2 again. I can upload the tarball manually to /root :
>
> pfsense:~# md5 /root/pfSense-Full-Update-1.2.3-RC3.tgz
> MD5 (/root/pfSense-Full-Update-1.2.3-RC3.tgz) = 3f5fe57bb12d376a2817ecc5bc8e601e
>
> Is there a way to start the update manually, without the web interface?

Console upgrade.
Re: [pfSense-discussion] layer 4-7 load balancing
On Mon, Aug 24, 2009 at 8:45 PM, Aristedes Maniatis a...@ish.com.au wrote:
> I've since discovered that our application server doesn't need sessions to be bound to a particular httpd front-end. So 3 and 4 are not actually required (although SSL offloading would be convenient simply to reduce the number of IP addresses we have to configure on each web server). That leaves 5. How flexible is pfSense's dead host detection? Instead of a ping check can we substitute an arbitrary http check (at a minimum to check for a 200 response, but ideally we want to perform a regex check to find specific content on a page)? Or alternatively since we already have nagios performing these checks can we use that to notify pfsense to perform a failover?

Some of that functionality does exist in relayd, but the implementation in 2.0 hasn't been finished and currently has a number of issues. I'll email you off list on taking this on as a project, we'll find a solution that will meet your needs.
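The check asked for above (HTTP 200 plus a regex on the body, instead of ping) is worth spelling out, because a backend that answers 200 with a maintenance page passes a status-only check and still gets traffic. The script below is an added example for this thread, not pfSense's or relayd's code: a content-aware probe that treats a refused connection, a timeout, a non-200 status or a body that fails the regex as "down", applied to a pool of backends. The /health path, the "status: OK" marker and the three stub servers are constructed for the example.

```python
"""Content-aware HTTP health check for load-balancer backends.

Added example, not pfSense or relayd code. Assumes backends expose a page
(here /health, constructed) whose body carries a marker when the app is up.
"""
import http.client
import re
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


def evaluate_response(status, body, pattern=None):
    """Healthy means HTTP 200 and, when a pattern is given, a body match."""
    if status != 200:
        return False
    return pattern is None or re.search(pattern, body) is not None


def check_backend(host, port, path="/", pattern=None, timeout=2.0):
    """Probe one backend; a refused connection, timeout or bad reply counts as down."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"User-Agent": "lb-healthcheck"})
        resp = conn.getresponse()
        body = resp.read(65536).decode("utf-8", "replace")  # bound what we read
        return evaluate_response(resp.status, body, pattern)
    except (OSError, http.client.HTTPException):
        return False
    finally:
        conn.close()


def select_healthy(backends, path="/", pattern=None):
    """Return the (host, port) pairs that pass the check, in the given order."""
    return [b for b in backends if check_backend(b[0], b[1], path, pattern)]


def start_stub_backend(status, body):
    """Start a constructed local web server that answers every GET the same way."""
    payload = body.encode()

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(status)
            self.send_header("Content-Type", "text/html")
            self.send_header("Content-Length", str(len(payload)))
            self.end_headers()
            self.wfile.write(payload)

        def log_message(self, *args):
            pass  # keep the demo quiet

    server = ThreadingHTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    stubs = [
        start_stub_backend(200, "<html>app status: OK</html>"),
        start_stub_backend(200, "<html>maintenance page</html>"),  # 200, but not serving
        start_stub_backend(503, "<html>overloaded</html>"),
    ]
    backends = [("127.0.0.1", port) for _, port in stubs]
    print("healthy:", select_healthy(backends, "/health", r"status: OK"))
    for server, _ in stubs:
        server.shutdown()
        server.server_close()
```

The probe reads at most 64 KiB of body and uses a short timeout, so a slow or verbose backend cannot stall the checker; a scheduler would run select_healthy on an interval and feed the result to whatever steers traffic.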
Re: [pfSense-discussion] layer 4-7 load balancing
On Thu, Aug 20, 2009 at 10:16 PM, Aristedes Maniatis a...@ish.com.au wrote:
> Is anyone using pfSense to perform load balancing (and failover) for two or more web servers in a redundant configuration?

Yes, lots, but in more generic setups.

> Bonus points for being able to also perform SSL offloading. Our application server uses HTTP cookies to maintain sessions, so it is important that the load balancer be able to maintain connection to a specific web server for the life of the cookie.

The session stickiness is based on firewall states, which isn't going to guarantee that it's tied to that server for the life of the cookie. Current stable versions don't provide the kind of functionality you require for that.
Re: [pfSense-discussion] Very odd issue - Transparent Firewall - 2 Locations
On Thu, Jul 16, 2009 at 3:22 AM, Angus Jordan angus.jor...@gmail.com wrote:
> Hi again,
>
> I've attached the logs directly from the /var/log/filter.log. These show up at exactly the same time the download stops...

What happens if you lower the MTU on the server to 1450?
Re: [pfSense-discussion] Very odd issue - Transparent Firewall - 2 Locations
On Thu, Jul 16, 2009 at 4:01 AM, Angus Jordan angus.jor...@gmail.com wrote:
> I had configured the servers behind the pfsense bridge with the gateway pointing directly at the pfsense firewall. When I modified the gateway on the servers to use the real upstream gateway, all is normal.

Ah yeah, that'll do it. Logs were strange (not now that I know what you were doing), only showing 1500 byte frames getting blocked, and from your earlier description that mostly emails with attachments were having issues, seemed maybe a smaller MTU would fix things.
Re: [pfSense-discussion] dhcp relay | failover
On Sat, Jul 11, 2009 at 4:14 AM, Zied Fakhfakh zyd...@gnet.tn wrote:
> Hi,
>
> I have a dhcp relay on pfsense to a dhcpd at, let's say, 192.168.2.1. There's a failover dhcpd server at 192.168.2.2 (without floating IP). is there anyway pfsense can handle that ?

Manually change the relay. There's a feature request open for multiple server IPs.
Re: [pfSense-discussion] euroBSDcon
On Wed, May 27, 2009 at 8:26 AM, Paul Mansfield it-admin-pfse...@taptu.com wrote:
> http://www.ukuug.org/events/eurobsdcon2009/
>
> anyone going?

I submitted a talk on pfSense, if it gets accepted I'll be there. We've submitted to 5 BSD conferences over the past 4 years and haven't been rejected yet, so probably a good chance I'll be there. Should know for sure in about a month.

> and more to the point, anyone interested in a beer :-)

Definitely, if I'll be there.
Re: [pfSense-discussion] High latency on downloads with shaping
On Fri, May 8, 2009 at 5:59 PM, Joe Lagreca j...@bignetonline.com wrote: I'm having a STRANGE problem when our traffic shaper is turned on. Normal. Limitation of the 1.2.x shaper. Treats no differently than Internet-bound pings.
Re: [pfSense-discussion] High latency on downloads with shaping
On Fri, May 8, 2009 at 6:21 PM, Joe Lagreca j...@bignetonline.com wrote: Why only on the download portion of the test and not the upload portion? If I switch to pfsense 1.0.1 can I avoid these limitations/problems? No. The shaper in 1.0.x is slightly worse, and 1.0.x is riddled with problems. Though mostly edge cases, and a ton of people still run it, even including yours truly on the firewall in front of our hosting servers until it died last week, *don't* do that.
Re: [pfSense-discussion] High latency on downloads with shaping
On Fri, May 8, 2009 at 7:04 PM, Joe Lagreca j...@bignetonline.com wrote: The problem is the high latency is wreaking havoc with our VOIP PBX. That's irrelevant, ICMP is queued differently from your VoIP traffic.
Re: [pfSense-discussion] HSRP log messages on BRIDGE0
On Mon, Apr 27, 2009 at 5:45 PM, Angus Jordan angus.jor...@gmail.com wrote: Hi there, We have a pfSense 1.2.2 box setup in a transparent firewall configuration (ie. LAN is bridged to WAN). This works just fine, but the colocation where this box is sitting is broadcasting HSRP (UDP port 1985) over the network, and our pfSense box is picking it up and logging it every 3 seconds. I have disabled the logging on the WAN interface just fine, but it still logs messages on interface BRIDGE0 which is not an interface that I can add firewall rules to at all. Strange, filtering on bridges themselves is forced to disabled. What did you do to get it to stop logging on the WAN?
[pfSense-discussion] 1.2.3-RC1 released!
Info here: http://blog.pfsense.org/?p=428
Re: [pfSense-discussion] Cannot Save changes in /tmp/rules.debug
On Sat, Apr 11, 2009 at 11:52 AM, RI 1 / ipv6.or.id risna...@ipv6.or.id wrote: Hello Chris, Yes, changing PF rules. GUI doesn't seem to work, I already set allow all for all interfaces. It works fine, you're seeing something else like out of state traffic or asymmetrically routed traffic. If you want to allow all, disable the filter under System - Advanced. Might be pfSense creates a new interface called bridge0 which does not yet have any rules defined. There is no filtering on bridge interfaces.
Re: [pfSense-discussion] OT: simple SMTP relay daemon?
On Fri, Apr 10, 2009 at 1:52 AM, David Rees dree...@gmail.com wrote: On Thu, Apr 9, 2009 at 8:07 PM, Chris Buechler c...@pfsense.org wrote: I'm looking for something simple to do nothing but accept SMTP mail from a defined list of hosts allowed to relay and push it off to another SMTP server (using gmail, so must be with auth and TLS). Must run on FreeBSD. Any full blown MTA is out of the question, too complex. I suspect something out there does just what I'm after, but all I'm finding are MTAs or simple apps that don't accept SMTP over the network. Browsing the mail ports in FreeBSD didn't help, though I could have missed something. Anyone have any suggestions? Although it is a full blown MTA, Postfix is lightweight, simple to configure and reliable. Lightweight for a full blown MTA, but not lightweight. Postfix is what I started trying actually, but too many missing libraries and other difficulties in getting it running on a pfSense box without a decent amount of effort. I suspect there's a tiny, simple daemon somewhere that will do this without a lot of fuss, I just can't find it. I'd probably turn it into a pfSense package and slap a simple GUI on it. It would essentially be a proxy from SMTP to authenticated SMTP, relaying for SMTP clients on the LAN subnet that don't support authentication. Or as a single point for sending mail from your LAN if you don't have an internal mail server. One of those things I wouldn't run on *my* firewall (that's a server's job), but desired by some and not entirely unreasonable.
Re: [pfSense-discussion] Cannot Save changes in /tmp/rules.debug
On Fri, Apr 10, 2009 at 9:00 PM, RI 1 / ipv6.or.id risna...@ipv6.or.id wrote: Hi, I just started working with pfSense lately. Why can't I save any changes made to the /tmp/rules.debug file, since the web interface firewall doesn't seem to work? It always goes back after a while to the default deny rule, or after the box is restarted. Not sure if I understand what you're saying, but it sounds like you're making manual changes to the PF ruleset. You can't do that, all the rules must be entered in the GUI.
Re: [pfSense-discussion] OT: simple SMTP relay daemon?
On Thu, Apr 9, 2009 at 11:46 PM, RB aoz@gmail.com wrote: On Thu, Apr 9, 2009 at 21:07, Chris Buechler c...@pfsense.org wrote: I'm looking for something simple to do nothing but accept SMTP mail from a defined list of hosts allowed to relay and push it off to another SMTP server (using gmail, so must be with auth and TLS). Must run on FreeBSD. Any full blown MTA is out of the question, too complex. I suspect something out there does just what I'm after, but all I'm finding are MTAs or simple apps that don't accept SMTP over the network. Browsing the mail ports in FreeBSD didn't help, though I could have missed something. What about http://esmtp.sourceforge.net or nullmailer? The addition of the relaying capability does definitely limit the choices. Saw both of those, though from what I can see neither one of them will accept SMTP over the network, they're local only. If I'm mistaken, let me know.
Re: [pfSense-discussion] pfSense / Free BSD CPU kern.cp_time Jams in some environments
On Sat, Apr 4, 2009 at 4:50 PM, Tortise tort...@paradise.net.nz wrote: Hi Is anyone else getting this? It is occurring if you get either 1) a divide by zero error on the index page for CPU Usage or 2) an indication the CPU is always on 0% use, which it shouldn't be for long! It seems to occur 1.2.2 onwards and on some motherboards and not others. Should be 1.2.1 onwards, there are no FreeBSD differences from 1.2.1 to 1.2.2. 1.2.3 also exhibits the same behavior on these 440BX systems, though our calculation has changed so you can never get a divide by 0, it just returns 0% when these counters are wrong. I checked a wide range of hardware and I don't have anything that exhibits this, but I don't have any 440BX systems either, which seems to be what this is limited to, and not all of them at that or we would have heard about it quite some time ago I'm sure.
Re: [pfSense-discussion] extending LAN private network
On Fri, Apr 3, 2009 at 3:34 PM, David Rees dree...@gmail.com wrote: On Fri, Apr 3, 2009 at 7:48 AM, Paul Mansfield it-admin-pfse...@taptu.com wrote: use vlans, a managed switch, and use 192.168.x.0/24 for each vlan. for bonus points, use NAC and dynamic vlans to allow only approved devices and put them on the right network. (we do something similar, vlan N is 192.168.N/24. it's bad practise to use vlan1 so we start at 2) I'm fairly new to VLANs - why is it bad practice to use vlan1? Security reasons. Vulnerable to VLAN hopping/dropping in some circumstances.
Re: [pfSense-discussion] VPN Tunnel Dual WAN failover
On Thu, Mar 5, 2009 at 10:03 PM, Chris Buechler c...@pfsense.org wrote: On Wed, Mar 4, 2009 at 7:30 AM, Mark Slatem nitro...@gmail.com wrote: Chris, Will version 2 support this natively by any chance? Just need a package for OSPF, which could be added on 1.2.x and 2.0. That's a project I want to take on in the next few months. And may require some policy routing from localhost capabilities in some circumstances, that part should be doable in 2.0 already.
Re: [pfSense-discussion] VPN Tunnel Dual WAN failover
On Wed, Mar 4, 2009 at 7:30 AM, Mark Slatem nitro...@gmail.com wrote: Thanks for all advice. I recall attempting to add a static route to the openvpn server endpoint ip, but it still did not work for me. Then you aren't doing something right.
Re: [pfSense-discussion] VPN Tunnel Dual WAN failover
On Tue, Mar 3, 2009 at 6:57 PM, Mark Slatem nitro...@gmail.com wrote: Hi all. I have about 50 Alix embedded firewalls running at branches. All the branches connect to a central pfsense at our data centre via an openvpn tunnel. This solution works absolutely beautifully and allows all the branches to be on one private network. The problem is some of the branches are in locations where the ADSL links have intermittent connectivity problems and can go down for extended periods. We have countered this by putting down 3G routers at these branches and having a Dual Wan with load balancing pools for failover. This works well and when one link goes down the traffic is routed via the other link. However this does not work for the openvpn tunnel that refuses to establish down the secondary WAN link, I have tried and tried but can not get it to work. You have to add a static route to direct the traffic. Manual failover works fine with appropriate routes. Automatic failover would require configuration of a routing protocol. None of the existing supported ones are a good fit, though we'll likely see OSPF support at some point in the not too distant future.
Re: [pfSense-discussion] 1.2.2 CPU Division by zero error in index.php
On Sat, Feb 28, 2009 at 4:02 PM, Tortise tort...@paradise.net.nz wrote: Hi In the index.php page CPU usage value I am getting: Warning: Division by zero in /usr/local/www/includes/functions.inc.php on line 66 0% This is with the embedded image on a CF, Pentium 400, 756M RAM. Run this from Diagnostics - Command and post the output: sysctl -n kern.cp_time
Re: [pfSense-discussion] xen aware pfsense.
On Tue, Jan 27, 2009 at 10:15 PM, pfsense sense pfse...@kavadas.org wrote: I'm not suggesting pfsense be run inside a VM, I am suggesting pfsense provide VM functionality Refer back to my earlier post.
Re: [pfSense-discussion] FreeNAS
On Sat, Jan 24, 2009 at 5:13 AM, Eugen Leitl eu...@leitl.org wrote: IIRC one developer (Chris?) mentioned a number of different pfSense possible flavors, Yes. including a NAS appliance. but no to that part. :) That's one thing that probably won't ever be added, at least not by any of our existing developers.
Re: [pfSense-discussion] Load Balance Cannot Do Logins on forums , webmails , etc ,etc
On Thu, Jan 22, 2009 at 3:27 AM, John Dakos [ Enovation Technologies ] gda...@enovation.gr wrote: Hi Ron, and thanks for the reply. Look, I turn ON the sticky connections and for 30 seconds everything is working, but until 30 seconds I have no Internet. Don't use sticky connections. It's broken in FreeBSD.
[pfSense-discussion] 1.2.2 released
see http://blog.pfsense.org/?p=351
Re: [pfSense-discussion] single interface operation
On Sun, Jan 4, 2009 at 8:36 PM, Jure Pečar pega...@nerv.eu.org wrote: Hello, would it be possible to use pfsense on a platform with a single nic, where wan,lan,opt are all vlans? With managed switch, of course. Yes.
Re: [pfSense-discussion] Load balancer using carp interfaces?
On Fri, Dec 19, 2008 at 10:11 AM, Veiko Kukk veiko.k...@krediidipank.ee wrote: Hi! I wonder if there are some good reasons why it's not possible to choose CARP interfaces (virtual IPs) for load balancer pools? Because you use only the physical interfaces, the CARP VIPs just go with the physical interface.
Re: [pfSense-discussion] Load balancer using carp interfaces?
On Fri, Dec 19, 2008 at 11:09 AM, Paul Mansfield it-admin-pfse...@taptu.com wrote: Veiko Kukk wrote: Hi! I wonder if there are some good reasons why it's not possible to choose CARP interfaces (virtual IPs) for load balancer pools? If not, then why can't I select carpx interfaces for ISP failover load balancer pool? Please fix it or help me how to fix that in my installation. Huh, you can. Create a pool of actual servers with internal IPs and ports, then create the virtual external service listening on the CARP IP with a specific port. That's correct, though for server load balancing. He's talking about multi-WAN it seems.
[pfSense-discussion] Network Perimeter Redundancy with pfSense session at DCBSDCon
info here: http://blog.pfsense.org/?p=334
Re: [pfSense-discussion] PHP uses 100% CPU on 1.2 and 1.2.1-RC2
On Mon, Dec 1, 2008 at 11:21 PM, Roland Giesler wrote: So I removed all the routes except one, just to test if all else is ok, but found that on both release 1.2 and 1.2.1-RC2, PHP steadily increased when I save a change until it hits 100% usage on one CPU. Then, if I click something else, the second CPU gets a PHP process that also goes to 100%. Why would this be happening? Any packages installed? I could see Dashboard causing something like that. There could be something very, very unusual about your configuration (the one minus 9499 of the 9500 static routes) that's hitting a bug no one has seen before. That's not very likely unless you're hitting a package bug.
Re: [pfSense-discussion] a pair of transparent bridges gotcha
On Sun, Oct 5, 2008 at 5:17 AM, Eugen Leitl wrote: I presume this is the same problem as http://forum.pfsense.org/index.php?topic=11531.msg63655 That person bought a support contract and we helped him resolve that, his firewall rules weren't setup properly to allow the DNS traffic. My WAN IPs were from a public /24, my LAN IPs 10.0.0.0/24. With that setup all DNS requests from behind the transparent bridge would time out. I put some random IPs from the public /24 on LAN (different from WAN ones, since that is something FreeBSD doesn't like). This sounds like your LAN rule was still set to allow source of the LAN subnet.
Re: [pfSense-discussion] a pair of transparent bridges gotcha
On Sat, Oct 4, 2008 at 4:58 PM, Eugen Leitl wrote: I have a pair of pfsense 1.2.1-RC1 working in a poor man's failover (a parallel pair of transparent bridges). Had a problem with DNS lookup blockage, the problem is that LAN was on a different subnet. Put them on the same network (different from WAN) and things work now. LAN was on a different subnet from what? I guess you're bridging an OPT interface?
Re: [pfSense-discussion] a pair of transparent bridges gotcha
On Sat, Oct 4, 2008 at 5:18 PM, Eugen Leitl wrote: On Sat, Oct 04, 2008 at 05:13:27PM -0400, Chris Buechler wrote: LAN was on a different subnet from what? LAN was a different subnet from WAN (in transparent bridge this shouldn't matter, and it doesn't, with the exception of DNS). Now I'm just as confused. :) You mentioned the problem is that LAN was on a different subnet. Put them on the same network (different from WAN) - what does them refer to then? When bridging, the subnet in use on the member interfaces is irrelevant. It won't affect behavior of filtering. There are some caveats when bridging LAN, like I would recommend disabling the webGUI antilockout rule.
Re: [pfSense-discussion] can't filter on transparent bridge
On Sat, Sep 13, 2008 at 8:46 AM, Eugen Leitl wrote: I can't get a 1.2.1-RC1 full with two NICs (VIA mini ITX) to filter traffic using http://pfsense.trendchiller.com/transparent_firewall.pdf No rules either in WAN or LAN, so the bridge must block everything -- but doesn't. No change when I define explicit blocking rules for everything. There are some default rules on LAN, like the anti-lockout rule that could be passing the traffic. You can disable that on the Advanced page. That's the only one I can think of offhand that would pass traffic, though LAN is a bit special in 1.2x and there could be something else I'm not thinking of offhand. Note the enable filtering bridge checkbox does nothing in 1.2.1 and should have done nothing in 1.2. In 1.2, turning that on actually can create some weird problems with filtering in some circumstances. That's a holdover from the way m0n0wall does things, and should have been removed when we switched to if_bridge. If you're running bridging on 1.2, I recommend leaving that disabled. It adds rules to the bridge itself, when the bridge should never have rules. The member interfaces get rules added, and you want to filter on both the member interfaces and not the bridge itself.
Re: [pfSense-discussion] hardware
On Thu, Jul 31, 2008 at 1:44 AM, Mark Dueck wrote: Throughput will be minimal. From 512Kbps to 2Mbps max. I guess my biggest concern is stability. I have lab tested the Soekris 4801 with openVPN to have throughput of up to 3MB/s, so it should be fine for these locations, but I'm just a little unsure of a 'business critical' decision and wanted some input. I would probably go with ALIX hardware for such a deployment. I get the ALIX hardware I use from netgate.com and would recommend them. That'll push about 75 Mb of throughput, and about 10-12 Mb of VPN traffic based on numbers I have heard from others. I haven't had a chance to test max throughput on any of mine yet, they're definitely more than adequate for what you're looking to do and give you a good deal of scalability for the future.
Re: [pfSense-discussion] DNS resolver test
On Tue, Jul 22, 2008 at 2:32 PM, Eugen Leitl wrote: http://www.provos.org/index.php?/pages/dnstest.html DNS Resolver Test For secure name resolution, it is important that your DNS resolver uses random source ports. The box below will tell you if there is something you need to worry about. Your DNS Resolver needs to be updated. I'll put a new blog post up later today with in-depth info now that the cat's out of the bag on this. In short: - the dnsmasq update is good, but not related to this at all - dnsmasq doesn't issue recursive queries, so you don't have to update it. - if you're using the DNS forwarder on pfSense, whether or not you're vulnerable depends on what servers it relies on for answering queries. Unless you specify otherwise, this is your ISP. - if your recursive servers are behind pfSense doing NAT with a default NAT configuration, you're fine even *without* patching your DNS servers. Note this is only true if pfSense is the *only* thing doing NAT - see thread yesterday on one of the lists where someone who was double NATing was blaming pfSense for something that some commercial box was doing wrong when pfSense was behaving fine. - if you're using the DNS server package on pfSense, it's djbdns, and it never was vulnerable to this. What you're likely seeing above (though you've left out details) is your ISP hasn't fixed their DNS servers. If your ISP is still vulnerable, switch to OpenDNS and you're fine.
Re: [pfSense-discussion] DNS resolver test
On Tue, Jul 22, 2008 at 4:48 PM, Chris Buechler wrote: - if your recursive servers are behind pfSense doing NAT with a default NAT configuration, you're fine even *without* patching your DNS servers. Scratch that part depending on your DNS server - if it uses a single static source port for all queries like I've confirmed in BIND and Windows Server 2003 DNS (both unpatched), no rewriting is going to help. The quad tuple (source and dest IP and port) used to maintain UDP state in pf won't change for any given single external server - so while it *will* rewrite the source port to something random, that same state will be used for subsequent queries so all the traffic to that one particular server will always appear from the same source port. But at least unlike Cisco, Checkpoint, and many others, pf and pfSense won't degrade your patched DNS server to leave you vulnerable. Blog post with recommendations depending on your DNS setup forthcoming.
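A constructed model of the pf state behaviour described in the two messages above (added example, not pfSense or pf code): one UDP state per 4-tuple, so a resolver with a static source port gets exactly one rewritten port per upstream server, while a resolver that already randomizes keeps its entropy through the NAT. The addresses, the RNG seed and the 90% threshold in the check are assumptions.

```python
import random

# Constructed model of the pf/pfSense NAT behaviour discussed in the thread.
# Added illustration only, not pfSense or pf code; addresses and seed are
# assumed values.

EPHEMERAL_LOW, EPHEMERAL_HIGH = 1024, 65535


class NatStateTable:
    """Stateful NAT keyed on the UDP 4-tuple (src IP, src port, dst IP, dst port).

    The first packet of a tuple creates a state that records the rewritten
    source port; every later packet matching the same tuple reuses that port.
    """

    def __init__(self, wan_ip, rng):
        self.wan_ip = wan_ip
        self.rng = rng
        self.states = {}  # 4-tuple -> rewritten source port

    def translate(self, src_ip, src_port, dst_ip, dst_port):
        key = (src_ip, src_port, dst_ip, dst_port)
        port = self.states.get(key)
        if port is None:
            # New state: the source port is rewritten to a random high port.
            port = self.rng.randint(EPHEMERAL_LOW, EPHEMERAL_HIGH)
            self.states[key] = port
        return self.wan_ip, port, dst_ip, dst_port


def static_port_resolver(rng):
    """Unpatched resolver: every outbound query leaves from the same port."""
    return 53


def random_port_resolver(rng):
    """Patched resolver: a fresh ephemeral source port for each query."""
    return rng.randint(EPHEMERAL_LOW, EPHEMERAL_HIGH)


def external_ports_seen(choose_port, n_queries, server_ip="192.0.2.53", seed=1):
    """Source ports the authoritative server at server_ip observes for
    n_queries sent by a resolver at 10.0.0.10 behind the modelled NAT."""
    rng = random.Random(seed)
    nat = NatStateTable("198.51.100.1", rng)
    seen = set()
    for _ in range(n_queries):
        _, ext_port, _, _ = nat.translate("10.0.0.10", choose_port(rng), server_ip, 53)
        seen.add(ext_port)
    return seen


def ports_per_server(choose_port, servers, n_queries_each, seed=1):
    """Distinct external ports seen by each of several upstream servers.

    The static-port resolver does get a different rewritten port per server
    (a new tuple, so a new state), but still only one port per server."""
    rng = random.Random(seed)
    nat = NatStateTable("198.51.100.1", rng)
    result = {server: set() for server in servers}
    for server in servers:
        for _ in range(n_queries_each):
            _, ext_port, _, _ = nat.translate("10.0.0.10", choose_port(rng), server, 53)
            result[server].add(ext_port)
    return result


def randomization_effective(ports, n_queries, min_ratio=0.9):
    """Crude version of the check the provos.org page performs: queries to one
    server should not keep reusing a small set of source ports."""
    return len(ports) >= min_ratio * n_queries


if __name__ == "__main__":
    for name, fn in (("static port", static_port_resolver),
                     ("random port", random_port_resolver)):
        ports = external_ports_seen(fn, 200)
        verdict = "OK" if randomization_effective(ports, 200) else "predictable behind NAT"
        print(f"{name} resolver: {len(ports)} distinct external ports -> {verdict}")
```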
Re: [pfSense-discussion] Captive Portal on pfsense
On Wed, Jul 16, 2008 at 11:22 PM, Bill Marquette wrote: Considering that you are talking about the Linux variant of the WRT54G, I think it's safe to say that Chris probably assumed you were not running the stock Linksys firmware on it. Actually that is what I meant - you can do as David Rees mentioned in this thread and run the WRTs with stock firmware as just a bridged AP. I run one at home that way. The stock firmware bridges the AP to the switch ports. Just don't use the WAN port and disable DHCP server and you have a bridged AP.
Re: [pfSense-discussion] Captive Portal on pfsense
On Thu, Jul 17, 2008 at 7:02 PM, Jim Thompson wrote: I'm happy to respond more fully to this: A) off-list, Jim, I'd encourage you to keep it on-list, a number of us have learned quite a bit from sharing of your expertise over the years. It may not be precisely on-topic for this list, but it's completely appropriate.
Re: [pfSense-discussion] Re: Nessus : Change in the Plugin Feed Policy (Reminder)
On Wed, Jun 11, 2008 at 12:50 PM, Paul Mansfield wrote: now non-free for any commercial usage, I was wondering if anyone's looked at the alternatives? I've been a Nessus user since its very early days, been roughly 7 years now I believe. I've had a Nessus Direct Feed subscription for about a year, and I'll maintain it. The plugins are what makes the scanner, and the additional audit checks they used to offer subscribers only were adequate to justify the relatively small cost for my purposes. I won't speak specifically to any of the open source alternatives as I haven't tried them. I do believe Nessus provides significantly better coverage with its plugins, and the cost is 5% or less of what most competitive vendors charge. It takes a significant amount of resources to develop the thousands of plugins Nessus has, and they typically add 100-200 plugins every week (I follow their plugin RSS feed). I very seriously doubt if any of the competitive open source offerings are adding even remotely that much just because of the time involved in putting out that amount of work. Given that Nessus went closed source because the community and numerous companies selling Nessus-based appliances were contributing virtually nothing, I don't see any similar projects getting the vast community support that would be required to put together a truly competitive plugin set. Given the price and the value, and my lack of any free time, I personally don't have any interest in looking at alternatives. I am also very curious of the experiences of others though.
Re: [pfSense-discussion] SIP Phones and SIPROXD
Lee is a commercial support customer and we helped him offlist with this. There was a problem with the siproxd package, it should now work. Lee confirmed he now has two phones working simultaneously, so this must be working now. If you have installed the package previously, uninstall it first. Then replace /etc/inc/filter.inc with this one: http://cvstrac.pfsense.org/fileview?f=pfSense/etc/inc/filter.inc&v=1.1092 and reinstall the package. Then configure it, save your changes, and it should work. With it you should be able to connect multiple phones on one public IP. This is good news - one more limitation knocked out! Thanks to Lee for providing access to the system and testing our changes.
Re: Fw: [pfSense-discussion] I Cannot Uploading Files
On Mon, May 26, 2008 at 7:08 AM, John Dakos [ Enovation Technologies ] wrote: Thank you SAI, but I have a problem with this configuration. This configuration works with NAT, and I don't want NAT because I have 200 public IPs on a Cisco router, and I want all clients to go out with these public IPs. Any idea how to do that? I hear with static routes. You need a public IP on the WAN side, then need to route the public subnet from wherever it's coming from to that WAN IP, disable NAT on pfSense, and setup that public subnet on the LAN interface. Or if you only have one subnet, a bridge setup might be better.
Re: [pfSense-discussion] disappearing httpd
On Wed, Apr 30, 2008 at 11:52 PM, RB wrote: Anyone have a situation where they're switching WAN types and somehow /usr/local/sbin/lighttpd just disappears? Can't say that I've seen that. You can restart it at the console menu for future reference. Anything relevant in the logs?
Re: [pfSense-discussion] disappearing httpd
On Thu, May 1, 2008 at 12:08 AM, RB wrote: Can't say that I've seen that. You can restart it at the console menu for future reference. Anything relevant in the logs? Nothing at all, and no restarting - the binary is *gone*, as in deleted. Oh wow! Definitely haven't heard of that. It dying isn't unheard of, though it's very unusual. It disappearing, that's a new one on me. I would question hardware, maybe a bad drive or flaky controller. Maybe a FreeBSD driver quirk specific to something related to your disks, though that's highly unlikely. The console upgrade is how I would recover if this happened to me, even upgrading to the same version as is currently running will work. If it's something you can reliably replicate, please let us know how. There is no code anywhere in pfSense to delete the lighty binary so it's nearly impossible it would be a pfSense bug.
Re: [pfSense-discussion] pfsense on alix, slow to access via WAN
Joe Lagreca wrote: I am running pfSense on an Alix system 2c3. When accessing via the LAN everything works great. However when I try to access it via the WAN, it's very slow, and will time out. This is NOT a bandwidth issue. Sometimes the pages will load, but look as if the css file didn't load. Has anyone run into this problem before? Only on a box where the state table was exhausted, doesn't sound like that's likely to be the case in your circumstance.
Re: [pfSense-discussion] Detailled syslog format.
Hi I'm trying to do some analysing on the raw log format sent to syslog: snip check out pflog. http://www.openbsd.org/faq/pf/logging.html http://www.google.com/search?q=pflog quite a bit of stuff available. for the underlying ruleset you're running, see status.php.
Re: [pfSense-discussion] Traffic shaper bug ?
Jan Hoevers wrote: While not unwilling to donate to projects, this bounty thing is not for me because of a strict open source policy. Again, is there any estimate for 1.3? This is 100% completely open source. The source ported to RELENG_1_2 is even in the public CVS server in its own branch. It's just the images including it are not publicly available. It was back ported as a thanks to those who contributed. You could figure out what it is in CVS and sync a 1.2 install with that code. The latest info on the 1.3 release is on http://blog.pfsense.org as always. Scroll down a couple posts.
Re: [pfSense-discussion] RELENG_1 library linking (was: Traffic shaper bug ?)
RB wrote: I understand, and have tangled some of the terminology. My ticket was about HEAD, but the library breakage seems to have seeped from HEAD to 1.3 (RELENG_1). Because all the binaries in RELENG_1 and HEAD are for FreeBSD 7.0. You can't go from 1.2 to 1.3 just by pulling the files from CVS, and that'll be true of most if not all different CVS tags. As I know the rest of us are, I'm time constrained and just wish I had a quick way to pull up a running copy of recent development work and see what neat things have been done lately, as well as help test/develop/validate them. To me, following your 'Building pfSense' document is a tedious amount of buildup when I just want to fiddle with some of the PHP or script some back-end functionality. That's what snapshots are for, when 1.3 is ready for wider consumption, snapshots will be available. You won't be able to run 1.3 until that point, and that'll happen soon enough. HEAD should also be testable at that point, with a cvssync from a RELENG_1 install.
[pfSense-discussion] Registration open for pfSense training at BSDCan!
Please see the following post for more information. http://blog.pfsense.org/?p=182 Hope to see you there! Chris
Re: [pfSense-discussion] Traffic shaper bug ?
Ermal Luçi wrote: Expected behaviour. Since ALTQ shapes on outgoing that shapes everything that goes through the interface where the shaper is enabled. For 1.2, it should be noted. For 1.3, Ermal has done a nice job completely rewriting the traffic shaper to accommodate these kinds of situations and more. The traffic shaper in 1.2 only works properly with two interface setups (LAN and WAN).
Re: [pfSense-discussion] Sorry guys
[EMAIL PROTECTED] wrote: Gentlemen! I'm sorry to have started this Return Receipt storm. Chris Buechler complained to me in private and asked me to turn off RR when writing to this forum, which I will of course do my utmost to remember in the future. I half expected a read receipt to pop up when I clicked on this message. ;) Thanks. If someone wants to tell me how to strip that off messages with ezmlm, I'll gladly do it, but I don't have time or care enough to look into how.
Re: [pfSense-discussion] 2 WAN
Jose Augusto wrote: Look at this http://pfsense.blogspot.com/2005/05/captive-portal-and-traffic-shaping-to.html That's outdated info. Traffic shaper does not work properly with more than two interfaces (LAN + WAN) in 1.2. That's already fixed in 1.3.
Re: [pfSense-discussion] CD-ROM + floppy
DarkFoon wrote: Yes, just the config is kept on the floppy. This means that the RRD graphs don't save across reboots, right? And packages can't be installed. (well that's sort of obvious...) Correct on both counts.
Re: [pfSense-discussion] CD-ROM + floppy
DarkFoon wrote: Does pfSense 1.2 still support booting from CD-ROM and storing the config (and possibly other data) on a floppy disk? Yes, just the config is kept on the floppy. USB flash drives are also supported, and recommended over floppies.
Re: [pfSense-discussion] 1.2RC5 or release
Ronald L. Rosson Jr. wrote: On Feb 11, 2008, at 1:08 PM, Scott Dale wrote: http://forum.pfsense.org/index.php/topic,7313.0/topicseen.html This brought back my dashboard without a re-install. Thanks, that's good to know. Those who use the dashboard on 1.2, keep in mind it's experimental and can blow things up, it's not considered stable on 1.2.
Re: [pfSense-discussion] 1.2RC5 or release
Paul M wrote: Hi, given the number of minor bug fixes, will we be seeing a 1.2RC5 variant sometime, or is the next step a full release? We'll probably skip RC5 as an official release even though the snapshots are labeled as such right now.
Re: [pfSense-discussion] bogons update issue
Jan Hoevers wrote: 2. On previous versions the bogons file was fetched from cymru.com, but on RC4 the script tries to get it from a pfSense server. The file is however missing on that pfSense server. I worked around this by copying the old cymru url back from RC3. Thanks for catching that, there was a typo in the URL. I fixed it, and put the file in the typo location as well so the existing installs will work also.
Re: [pfSense-discussion] HOW MUCH TRUST ON PFSENSE ?
Jure Pečar wrote: Since everyone is just singing praises, I'll add some things to look for ;) Besides running it at home we run it on three production locations, which are two server rooms and one fast growing wireless LAN. First bad experience: it is really touchy about the quality of your CD burner and blank CDs. This mostly shows as mysterious crashes and kernel panics during boot or later during install. It took us some time to figure that out.

I know a very small percentage of people have issues of this nature. On dozens of different systems I have used, I've never personally seen it, and the vast majority of users have never seen it.

Second bad experience: 1.0.1 leaves hw.ata.wc enabled by default (didn't check 1.2), which ended up with one toasted fs after a power failure. Fortunately config.xml was backed up :)

1.2 has that disabled, and also fixed some other issues that caused file system and/or configuration corruption. 1.2 beta/RC has been the recommended version for months now for this reason and others. Unfortunately we can't release 1.0 bug fix updates because we didn't tag that release in CVS; 1.2 will receive interim bug fix updates as necessary to address issues of this nature.

Third bad experience: once it's up it works rock solid, but there is a kernel panic every now and then during boot or during shutdown. Again, this is 1.0.1, haven't looked at 1.2.

1.2 should be better in that area, but those are likely FreeBSD issues specific to your hardware. If it's something you can replicate with 1.2, it might be worthwhile to install the developer kernel with debugging tools (an option during the install now), and get a back trace. Start a new thread if you want to investigate in the future.
For the original poster: The only really common issue going from a test environment into production, when replacing an existing firewall (which is common to any network device, not pfSense-specific) is ARP caches - your perimeter router, or your ISP's router (depending on the type of connection you have) has an ARP cache with your existing firewall's MAC address. When you change the firewall, it can take several hours for that cache entry to time out and recognize the new system. On Cisco routers, the ARP cache timeout is 4 hours by default. You may need cooperation from your ISP if you don't have access to that router. If you do have access to the router, you can just power cycle it. Cable and DSL modems commonly require a power cycle to pick up a replaced system. Aside from that, which is common to any firewall migration regardless of software, we haven't seen any widespread issues with going from testing to production.
Re: RES: [pfSense-discussion] Problems to use PPTP/GRE traffic to connect in a server - Please advice.
Luciano Areal wrote: Hi Bill! The pfSense box is in front of the PPTP server. In other words, it will act as the main gateway, and the PPTP server will be on the LAN. Clients will access it from WAN, passing through the pfSense box. I just did what you said. Removed all rules from NAT and firewall using PPTP/GRE, and activated that option (Redirect incoming PPTP connections to:). I also installed the Frickin PPTP proxy package on the system, and did a bind of this software on the WAN port. Last I checked, the Frickin package is broken. Haven't had a chance to verify more recently, but I'm almost positive it isn't going to work. It won't break anything, it just isn't going to do anything. You likely don't need that when running a server accepting inbound connections anyway, that's more for multiple outbound sessions to the same external server.
Re: [pfSense-discussion] 1.2-RC3 released!
Paul M wrote: meanwhile, I noticed many of the mirrors are not doing too well so I reported them. Some of the update mirrors are no good either... in fact the downloads are pretty slow. The mirrors are all fine. Many only sync once a day, so as it says in the release announcement it will be 24 hours before they all have the files. All but one have them as of now. Speed-wise, it depends on where you are and what mirror you're using. In the US, the untouchable.net and NCSA mirrors are very fast from several different ISPs I routinely use. I've been able to pull more than 10 Mb from them. Some of the others, especially in Asia, are very slow from here, but that's normal for servers that are extremely far away in parts of the world that don't have exceptional connectivity to the rest of the world. If you use a server that's geographically close to you, you should have no issues at all. Paul, you appear to be in the UK, I think we have a UK mirror that will be online later today which should be faster for you. Though I would guess the other mirrors in Europe are probably not bad from the UK.
[pfSense-discussion] 1.2-RC3 released!
http://blog.pfsense.org/?p=152
Re: [pfSense-discussion] IPsec tunnel to a transparent bridge
Eugen Leitl wrote: I used to have a nice pre-shared key IPsec tunnel between two m0n0walls/pfSenses, running in NAT. Worked very nicely. However, I now have a transparent bridge with a public /24 network, and whenever I activate the tunnel I no longer can ping any host on the network (the firewall included) from inside my home firewall (NATted). Is there a trick to it, or does this configuration simply not work? In a transparent bridge setup, the gateway of the hosts on the bridge isn't going to be pfsense, it'll be something on the outside interface. If you have a routed subnet setup on an OPT interface this will work fine.
Re: [pfSense-discussion] web interface gone after upgrade to 1.0.2
Daniele Guazzoni wrote: I just upgraded from 1.0.1 to 1.0.2 with pfSense-1.0.2-Full-Embedded-Update.tgz and although the firewall is functional I cannot access the webconfigurator. Any idea how to fix it? There is no 1.0.2, so I'm not sure which version you're using. For embedded upgrades to work you can't use the 1.2 RC2 Full-Embedded image. Only the embedded image from here will work right (bug that's been fixed): http://snapshots.pfsense.org/FreeBSD6/RELENG_1_2/updates/ There's a decent chance if you tried upgrading to 1.2RC2 using the Full-Embedded image, it blew up your install (it was causing a kernel panic, and/or other issues). I'd start with reflashing to 1.2RC2, or a RELENG_1_2 snapshot.
Re: [pfSense-discussion] Via LAN drivers
Adam Van Ornum wrote: I've been looking into a Via C7 based system to run pfSense on and so far all of the systems seem to have either Realtek or Via based LAN chipsets. Several people have mentioned before that the Realtek chipsets are not very well supported at this time and I'm wondering how well the Via chipsets are supported. They're supported fine, the problem is there are bunches of no name manufacturers putting out junk cards based on the Realtek chipset because it's cheap. Many of them make flaky hardware, hence it's gotten a bad name. People tend to pull stuff out of their junk hardware pile and throw it together to make a firewall, or buy whatever is cheapest on eBay, and hence end up using this flaky hardware. I have several embedded devices with Realtek NICs and they're perfectly reliable (see our recommended vendors page on the website, they're from companies listed there). They aren't as fast as Intel cards, mostly noticeable only on the gigabit cards or very slow CPUs (1 GHz VIA with Realtek 10/100 cards will do 100 Mb wire speed no problem), but they work fine. Specifically, are VLANs supported on the Via chipsets? Check the man page for the driver used by the specific chipset you're talking about.
Re: [pfSense-discussion] Cacti Template
Ronald L. Rosson Jr. wrote: Has anyone come across or developed a template for pfSense firewalls to be polled by a Cacti server? Any information is helpful. Haven't heard of any, it would be nice to see.
Re: [pfSense-discussion] ALIX shipping soon
Eugen Leitl wrote: I see on http://pcengines.ch/order1.php?c=2 that ALIX (e.g. alix2c3) is ETA 20071020. http://blog.pfsense.org/ sez snip ... Does anyone know how well AMD Geode LX does accelerated IPsec on FreeBSD? As far as we know at this time, it's not yet supported.
Re: [pfSense-discussion] commercial support
Eugen Leitl wrote: I see there's commercial support for pfSense, starting at about 300 EUR/year. Are there proper invoices for that? I can't tell. $300 USD actually. Yes, we can send you a proper invoice, or you can pay via credit card online and we'll send you the typical email receipt. Email me offlist if you'd like further info. thanks, Chris
[pfSense-discussion] 1.2-RC2 released
http://pfsense.blogspot.com/2007/08/12-rc2.html Please test! This may be the last RC before 1.2 is released.
Re: [pfSense-discussion] SNAT / masquerading
Eugen Leitl wrote: I have a somewhat strange setup (thanks to our provider) which looks like this:
LAN* - bge0 - 192.168.0.1
WAN* - bge1 - 10.0.2.6
OPT1 (DMZ) - vlan0 - 62.245.148.129
Yes, the WAN is really 10.0.2.6/30, and the gateway is 10.0.2.5. The provider rewrites the traffic so it appears to come from their own address space. I don't see the point, but that's what they use. What I need to do is rewrite the traffic from LAN which is currently exiting through WAN and is rewritten on the part of the provider to emerge from one of the addresses from our /26 network space. The operative words are SNAT and masquerading, but I haven't been able to see examples of such rewriting rules for pfSense. Any pointers? Advanced Outbound NAT.
Re: [pfSense-discussion] atmel avr port of pfsense?
Paul M wrote: http://www.linuxdevices.com/news/NS2837651365.html 32MB of SDRAM and 16MB of flash, expandable via an SD-card slot. Aside from the fact that those two numbers alone mean it's far from compatible, it's not an x86 system, it's RISC. It won't run m0n0wall either.
Re: [pfSense-discussion] Start other processes inside pfSense?
Roland Giesler wrote: Is it possible to start a VMware or Xen client inside pfSense? No. VMware doesn't support FreeBSD as a host, and Xen is still questionable on FreeBSD I believe.
Re: [pfSense-discussion] network layout
Bill Marquette wrote: Low end switches have a tendency to not have enough RAM or CPU to handle a high volume MAC spoofing attack and will usually end up turning into a hub under this kind of attack, rendering your VLANs useless. Any switch's CAM table can be overflowed by directly connected users, but good switches won't fully turn into a hub in that scenario. Good switches keep one CAM table per VLAN, and in the case of overflow, only the overflowed VLAN turns into a hub and only on the ports it's configured. I know Cisco switches do this properly, from personal experimentation and reading other sources that confirm the same. I can't vouch one way or another for any other switch vendors. I have no doubt some (maybe many) switches behave exactly as Bill described, and it's difficult for most people to perform the type of testing required to validate a VLAN switch config and determine what bad things can be done to said config. Be careful with VLANs, but also don't be completely averse to using them. Whether or not to trust them, and for what particular usage, will vary depending on your environment and level of risk tolerance.
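The shared-versus-per-VLAN CAM table distinction made in the reply above, as an added toy model (not code from the list or from pfSense): a forwarding table with LRU eviction is filled from one VLAN, and the model shows whether a host on an untouched VLAN keeps getting unicast delivery or gets flooded. The tiny capacity, the two VLANs, their ports and all MAC addresses are constructed for the example.

```python
from collections import OrderedDict

# Constructed toy model, not pfSense or any switch vendor's code. The table
# capacity is deliberately tiny so the overflow behaviour is easy to see.


class Switch:
    """CAM (MAC) table with LRU eviction, shared across VLANs or kept per VLAN."""

    def __init__(self, capacity, per_vlan):
        self.capacity = capacity
        self.per_vlan = per_vlan
        self.tables = {}  # table key -> OrderedDict(mac -> port)

    def _table(self, vlan):
        key = vlan if self.per_vlan else "shared"
        return self.tables.setdefault(key, OrderedDict())

    def learn(self, vlan, mac, port):
        """Learn a frame's source MAC; a full table evicts its oldest entry."""
        table = self._table(vlan)
        if mac in table:
            table.move_to_end(mac)
        elif len(table) >= self.capacity:
            table.popitem(last=False)
        table[mac] = port

    def forward(self, vlan, dst_mac, vlan_ports):
        """Ports a frame for dst_mac leaves on: one if known, else the whole VLAN."""
        table = self._table(vlan)
        if dst_mac in table:
            return {table[dst_mac]}
        return set(vlan_ports)  # unknown destination: flood (hub behaviour)


VLAN10_PORTS = {1, 2, 3}
VLAN20_PORTS = {5, 6}
HOST10 = "00:00:00:00:10:01"  # constructed: legitimate host on VLAN 10, port 2
HOST20 = "00:00:00:00:20:01"  # constructed: legitimate host on VLAN 20, port 5


def simulate(per_vlan):
    """Learn both hosts, then let VLAN 10 churn through far more source MACs
    than the table holds. Returns (vlan10_flooded, vlan20_flooded)."""
    sw = Switch(capacity=8, per_vlan=per_vlan)
    sw.learn(10, HOST10, port=2)
    sw.learn(20, HOST20, port=5)
    for i in range(64):  # constructed churn of source MACs seen on VLAN 10
        sw.learn(10, f"02:00:00:00:10:{i:02x}", port=1)
    vlan10_flooded = len(sw.forward(10, HOST10, VLAN10_PORTS)) > 1
    vlan20_flooded = len(sw.forward(20, HOST20, VLAN20_PORTS)) > 1
    return vlan10_flooded, vlan20_flooded


if __name__ == "__main__":
    for mode in (False, True):
        v10, v20 = simulate(per_vlan=mode)
        print(f"per-VLAN tables={mode}: VLAN 10 flooded={v10}, VLAN 20 flooded={v20}")
```

With one shared table both VLANs lose their learned hosts and flood; with per-VLAN tables only VLAN 10, the VLAN whose table overflowed, floods, which is the isolation property the reply describes.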
Re: [pfSense-discussion] MiniUPnPd security risks
DarkFoon wrote: I'm considering installing the UPnP daemon on some home/home office boxes, and I'm curious what the security issues are. From my own (simple) analysis, the worst that could happen is a malicious application could ask for many, many (almost all?) of the ports above 1024 to be routed to a machine, and that an external attacker might be able to use all the port forwards to control said malicious program from the internet and perhaps wreak havoc on the LAN net and maybe even the pfSense box (with a keylogger and sniff the pw for the pfSense admin). As Scott said, you're right on. In a home environment, I wouldn't hesitate much to enable it if it's useful for a certain application. I've never heard of any malware that exploits UPnP, nor have I heard stories of any attackers using it. It's much more likely they would use outbound channels to tunnel things back in, like using SSH for example. There are so many ways to contact or control a PC inside your network, or tunnel back into your network without actually opening ports into your network, that it adds little risk. If an outsider can execute arbitrary things inside your network as required to exploit UPnP, you're owned regardless of whether or not you have UPnP enabled.