[pfSense-discussion] IPv6 needed, IPv4 exhaustion - was Re: [pfSense-discussion] Re: Low end, cool CPE.

2010-11-18 Thread Paul Mansfield
On 12/11/10 13:43, Eugen Leitl wrote:
 - IPv6 support, native or tunnel to tunnelbroker.net type thing.
...
 The point is: We've been asking for IPv6 for too long.  That's just
 one bit in a packet header.  We need to start asking for the features we
 expect, which is a lot more than that bit.

Leo Vegoda of IANA said on 13th Nov that a new block, 105/8, was
recently released to AfriNIC, with previous allocations this year being

1/8
14/8
27/8
31/8
36/8
42/8
49/8
50/8
101/8
105/8
107/8
176/8
177/8
181/8
223/8


leaving only 11 unallocated /8's. so, that means none left by this time
next year.

oh, and it means people should check their bogon filter updaters are
working!

-
To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com
For additional commands, e-mail: discussion-h...@pfsense.com

Commercial support available - https://portal.pfsense.org



[pfSense-discussion] IPSEC routing hack, and CARP, leading to arpresolve can't allocate route errors

2010-09-01 Thread Paul Mansfield

if you recall, to make your pfsense firewall itself be able to talk to a
remote site over an IPSEC tunnel, you need to add a hack which is a
static route to remote network via the LAN address

if you have a firewall cluster and you use the CARP address of the LAN,
it does work, but it *seems* to cause the following errors to appear in
system log:

Sep 1 15:40:01  kernel: arpresolve: can't allocate route for 10.1.2.254

the 10.1.2.254 is the CARP ip on the LAN

I can make these go away by using the IP of the firewall's LAN but that
kind of defeats part of the purpose of having a cluster and carp!

Apart from this being a distraction/nuisance, is this something to worry
about?

thanks
Paul




Re: [pfSense-discussion] filling network with meaningful traffic

2010-03-18 Thread Paul Mansfield
put up some linux mirrors with a web service on each IP - use https and
that way you won't be asked to use named virtual hosts as that doesn't
work with https




Re: [pfSense-discussion] any chances to see pfsense on GuruPlug Plus?

2010-02-25 Thread Paul Mansfield
I asked them if there was a UK distributor, and they responded promptly
with
http://www.newit.co.uk/shop/products.php?cat=11

dual ethernet for less than £100 (US$150) seems quite a good deal.





Re: [pfSense-discussion] broadcom BCM5722 only running at 100M not 1G

2010-02-03 Thread Paul Mansfield
well, I simply swapped round the firewall's connections to the switch -
both have just a 1m cable direct to the cisco 3560e

the primary firewall is now connecting at 1Gb/s

and strangely the secondary is still at 1G, so I have no idea what the
problem was.

tis a pity that Dell use broadcom on-board and not intel.

oh well.




Re: [pfSense-discussion] broadcom BCM5722 only running at 100M not 1G

2010-02-02 Thread Paul Mansfield
On 01/02/10 18:54, Chris Buechler wrote:
 Sure you're using CAT5e or better cables and not just CAT5? That's the
 most common cause when I run into things like that.

thanks for the idea, but all our cables are cat6, and it's only a 1m
cable directly from back of server into the switch so no patching or
joins or anything to interfere





Re: [pfSense-discussion] broadcom BCM5722 only running at 100M not 1G

2010-02-02 Thread Paul Mansfield
On 02/02/10 12:19, Alexander Norman wrote:
 Try a firmware upgrade or downgrade.
 The broadcom firmware has been a bit shaky.
 
 The easiest way to do it is to install for example windows 2008 server
 (30 day evaluation) and do a firmware upgrade through it.

I had a horrible feeling you were going to suggest installing windows.

well, fortunately I bought a spare Dell disk caddy specifically for
building a multi-boot utility disk for these sort of tasks. I'm going to
have some spare R300 servers soon anyway so I can get set up on one of
those first before I wreck our firewall :-)

I've a few other last resort ideas to try before yours, but thanks
very much and if anything else occurs to anyone I'm willing to listen to
anything even if it seems silly.





[pfSense-discussion] broadcom BCM5722 only running at 100M not 1G

2010-02-01 Thread Paul Mansfield
after a complaint about slowness between our lan and dmz, I traced it to a
firewall interface on our pfsense 1.2.3 firewall, a Dell R300 with
onboard broadcom bcm5722

FreeBSD fwa.xxx.yyy 7.2-RELEASE-p5 FreeBSD 7.2-RELEASE-p5 #0: Sun Dec  6
23:20:31 EST 2009
sullr...@freebsd_7.2_pfsense_1.2.3_snaps.pfsense.org:/usr/obj.pfSense/usr/pfSensesrc/src/sys/pfSense_SMP.7
 i386


a bit of googling came up with this
http://groups.google.com/group/mailing.freebsd.current/browse_thread/thread/4b42a0fa82125473?pli=1

I bounced the interface as suggested and it didn't help, and swapped the
cable, also no joy.

this firewall is one of a clustered pair, the 2ndry is identical
hardware and its bge0 is running fine at 1000baseT. the cisco switch
they're both plugged into doesn't suggest any errors.

stuff reported in dmesg...

bge0: Broadcom BCM5722 A0, ASIC rev. 0xa200 mem 0xdfdf-0xdfdf
irq 16 at device 0.0 on pci1

brgphy0: BCM5722 10/100/1000baseTX PHY PHY 1 on miibus0

brgphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, 1000baseT,
1000baseT-FDX, auto


any suggestions please?
Paul




Re: [pfSense-discussion] broadcom BCM5722 only running at 100M not 1G

2010-02-01 Thread Paul Mansfield
On 01/02/10 13:03, Paul Mansfield wrote:
 I bounced the interface as suggested and it didn't help, and swapped the
 cable, also no joy.

oh. and a reboot didn't fix it either.
;-(

# dmesg | egrep -i 'broadcom|bcm|bgr|bge|ukp|mii|phy'
bge0: Broadcom BCM5722 A0, ASIC rev. 0xa200 mem 0xdfdf-0xdfdf
irq 16 at device 0.0 on pci1
miibus0: MII bus on bge0
brgphy0: BCM5722 10/100/1000baseTX PHY PHY 1 on miibus0
brgphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, 1000baseT,
1000baseT-FDX, auto
bge0: Ethernet address: 00:22:19:7a:42:ae
bge0: [ITHREAD]
bge1: Broadcom BCM5722 A0, ASIC rev. 0xa200 mem 0xdfef-0xdfef
irq 17 at device 0.0 on pci2
miibus1: MII bus on bge1
brgphy1: BCM5722 10/100/1000baseTX PHY PHY 1 on miibus1
brgphy1:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, 1000baseT,
1000baseT-FDX, auto
bge1: Ethernet address: 00:22:19:7a:42:af
bge1: [ITHREAD]
(mpt0:vol0:1): Physical (mpt0:0:1:0), Pass-thru (mpt0:1:0:0)
(mpt0:vol0:0): Physical (mpt0:0:9:0), Pass-thru (mpt0:1:1:0)
bge1: link state changed to UP
bge0: link state changed to UP





Re: [pfSense-discussion] openvpn and mac osx 10.6

2010-02-01 Thread Paul Mansfield
On 27/01/10 12:27, Paul Mansfield wrote:
 On 26/01/10 16:01, Paul Mansfield wrote:
 On 26/01/10 15:39, Nate Davis wrote:

BTW, Nate, were you using tun or tap?

a test shows that using tap/bridging kicks off the mac's dhcp client and
that successfully sets up DNS.

I think we're going to end up building a non-pfsense (linux) box for
this as it'll be easier and we can use a lot of openvpn options that
require too much messing with custom fields in pfsense.





Re: [pfSense-discussion] openvpn and mac osx 10.6

2010-01-27 Thread Paul Mansfield
On 26/01/10 18:19, Chris Buechler wrote:
 On Tue, Jan 26, 2010 at 10:23 AM, Paul Mansfield
 it-admin-pfse...@taptu.com wrote:

 we had openvpn working with osx 10.5 with a bit of bodging to get DNS to
 work, but 10.6.2 seems to have quite a few DNS quirks that prevent
 resolver from being set

 we've had to fiddle with the macs to add a new network location/profile
 called vpn which has manual DNS settings; it's made harder by the
 inconsistent way that apple airport connections are set.

 so I was wondering whether anyone had a better fix, or even a way to
 make it work seamlessly?


we're using tunnelblick which is a wrapper round openvpn with some
scripts; the build we're trying, I'm told, has a very up to date version
of ovpn.





Re: [pfSense-discussion] openvpn and mac osx 10.6

2010-01-27 Thread Paul Mansfield
On 26/01/10 16:01, Paul Mansfield wrote:
 On 26/01/10 15:39, Nate Davis wrote:
 Paul,

 We are using http://www.viscosityvpn.com/ as the OpenVPN Client for the Macs
 on our network, and it has worked like a dream. I can resolve items by
 name over the vpn and such. We were using tunnelblick for quite a while, but 
 this paid product was the way to go in our environment. We are running 
 10.6.2 clients.

 
 hmm, interesting, so I suspect it's the tunnelblick helper app we're
 using that's failing to work. we did have one guy use viscosity and like
 it, but up till recently there wasn't anyone who was complaining of
 problems, but now I've got a real problem with a couple of non-technical
 users, unfortunately they're the ones who most need a roaming VPN
 solution :-(
 
 thanks very much for the feedback!

My colleague tried viscosity and found that it didn't make a difference
either

I'd like to add I have tried shared key and x509 methods, and in both
cases using tunnelblick I have to put the route commands in as the Mac
ignores it.

I am using udp, but on a non-standard port for testing; here's the
generated configuration on the pfsense 1.2.3 server.

writepid /var/run/openvpn_server43.pid
#user nobody
#group nobody
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
dev tun
proto udp
cipher BF-CBC
up /etc/rc.filter_configure
down /etc/rc.filter_configure
client-to-client
server w.x.y.z 255.255.255.0
client-config-dir /var/etc/openvpn_csc
lport 
push "dhcp-option DOMAIN example.com"
push "dhcp-option DNS a.b.c.d"
push "dhcp-option DNS a.b.e.f"
push "dhcp-option WINS a.b.c.d"
push "dhcp-option NTP a.b.c.d"
push "dhcp-option NTP a.b.e.f"
push "dhcp-option DISABLE-NBT"
ca /var/etc/openvpn_server43.ca
cert /var/etc/openvpn_server43.cert
key /var/etc/openvpn_server43.key
dh /var/etc/openvpn_server43.dh
comp-lzo
# pick up per-client options
client-config-dir /var/etc/ccd
# keep detailed log and status
status /var/log/full/openvpn_server43.status
log /var/log/full/openvpn_server43.log





Re: [pfSense-discussion] getting your feet wet with BGP

2009-12-17 Thread Paul Mansfield
On 16/12/09 14:55, Eugen Leitl wrote:
 On Tue, Dec 15, 2009 at 07:52:06PM +0100, Aarno Aukia wrote:
 offer that option (it doesn't). Becoming a LIR at the current
 juncture is prohibitive because of fees alone. 

and becoming an LIR doesn't guarantee you'll get an allocation of IPs either

 I already have a /24 PI. It's not nearly exhausted yet, though by the
 time it will getting IPv4 space will be more than slightly difficult. I'm
 looking into IPv6 seriously right now. Have a tunnel and a subnet

there are some of the larger ISPs who won't accept something as small as
a /24, to be pretty sure of being globally routable you need a /23 or
larger space.

that reminds me, we've not had a good discussion about pfSense and ipv6
for a while :-)




[pfSense-discussion] pfSense in TechRepublic article

2009-12-09 Thread Paul Mansfield
http://blogs.techrepublic.com.com/opensource/?p=1110tag=nl.e102




[pfSense-discussion] openvpn 2.1 rc20 out now

2009-10-08 Thread Paul Mansfield

http://www.openvpn.net/index.php/open-source/downloads.html

just thought people might want to upgrade, the RCs have been good for 
me, especially for vista users where you don't have to do the external 
route stuff.


perhaps openvpn 2.1 will be released in time to make it into pfSense 1.3 
and 2.0 releases?





Re: [pfSense-discussion] jetway jnc92 - was Re: [pfSense-discussion] commercial ALIX pfsense routers

2009-10-05 Thread Paul Mansfield

On 05/10/09 11:34, Eugen Leitl wrote:


I typically use 2-4 GByte Transcend IDE SSD (DoM) dongles.


the closest I can come to that would be a CF card in a CF-IDE adaptor.



Thanks for the assembly pictures -- what kind of case is this?


'fraid I can't say, I bought it long ago and it was used as a multimedia 
computer for a while*. the only problem I have is that the PSU is long 
and thin, a bit like a zero-U PSU and not a cube like the one that the
case used before (about half the volume like a shrunken normal PC PSU).


I didn't use the original PSU as it's quite old, not very efficient, and 
somewhat noisy* (hence stopped using as a media PC).








Re: [pfSense-discussion] commercial ALIX pfsense routers

2009-10-02 Thread Paul Mansfield

On 01/10/09 14:42, Eugen Leitl wrote:

On Thu, Oct 01, 2009 at 02:08:32PM +0100, Paul Mansfield wrote:


You might want to have a look at Linitx, they do m0n0wall kits and
speaking to one of the guys who works there, they are happy to do a
pfSense embeded version on request.

http://linitx.com/viewcategory.php?catid=178pp=176,178



I've just ordered a Jetway JNC92-330LF miniITX board from them, they do
a triple Intel-gigabit-NIC daughter board, and a dual-slot PCI riser.


Do you have a pointer to the triple Intel GBit NIC daughter board?
I can't find it in their shop.


first result for linitx.com triple intel on google :-D

http://linitx.com/viewproduct.php?prodid=12576

The UPS man delivered my parcel a few minutes ago so if people want I am 
happy to post a picture or two and run some benchmarks when I've had a 
chance to play.



I'm not sure whether a VIA crypto engine wouldn't outperform the Atom.
Apparentely, next-generation Intel and AMD chips will support e.g. AES
directly in hardware. Don't know what took them so long.


yeah, you'd have thunk it. maybe intel have shares in Rainbow Technologies?

P.




[pfSense-discussion] OT: freebsd8 vs ubuntu 9.10

2009-09-30 Thread Paul Mansfield

http://www.linuxtoday.com/infrastructure/2009092801435NWCYSW

thought it might be interesting albeit off topic





Re: [pfSense-discussion] High latency on downloads with shaping

2009-05-14 Thread Paul Mansfield
Joe Lagreca wrote:
 This seems odd, as I run pfsense at other locations without problems
 with their VOIP.  So I'm wondering why the issue at this location.

 get a separate WAN circuit for your VOIP connections if they're that
 important?


presumably your VOIP phones are on their own VLAN, and you have
sufficient switch capacity?




Re: [pfSense-discussion] High latency on downloads with shaping

2009-05-13 Thread Paul Mansfield
Joe Lagreca wrote:
 But then you are in a catch 22, because without the shaper, VOIP will
 surely be choppy.

get a separate WAN circuit for your VOIP connections if they're that
important?




Re: [pfSense-discussion] VOIP traffic shaping problems

2009-01-26 Thread Paul Mansfield
Joe Lagreca wrote:
 Symptoms:  When I download a large file and max our download speed,


do you have VOIP network on a separate interface on your firewall (a
necessity for call security anyway)? are you using decent switches with
a high packet rate?




Re: [pfSense-discussion] Secure LAN and WLAN setup

2009-01-26 Thread Paul Mansfield
David Nordin wrote:
 This might most likely come out as noise in here and wasted internetbits ;)
 
 I would like to create a pretty much maximum secure networkstructure for


you probably want to read a primer about networking and security before
you get bogged down in looking at any one product - whether checkpoint,
pfsense, cisco etc.

the Cheswick and Bellovin book
http://tinyurl.com/b3j22j
is well worth reading, if a little dated

Paul




Re: [pfSense-discussion] atom + US15W pico ITX board

2008-12-23 Thread Paul Mansfield
Eugen Leitl wrote:
 I presume you're talking firewall, have you considered
 VIA Nano? The performance is slightly on top of Atom,
 and Atom doesn't have the RNG and the crypto built-in.

yes, firewalling for minimal power.

if you have any pointers to nano motherboards with suitable network
interfaces I'd be interested

cheers
Paul




Re: [pfSense-discussion] centralized management with distributed pfsense installations

2008-12-22 Thread Paul Mansfield
Jason Dixon wrote:
 This is something I've been thinking about quite a bit lately.  I'd like
 to see something modular that could potentially be used on any PF-based
 system.  If there are others interested in this (or already working on
 it), please contact me.


A nice feature I'd like would be to make the configuration selectively
exportable/importable, in particular the aliases, so that it'd be easier
to keep things consistent.

It'd then be possible to expand the feature into having a master pfsense
node selectively push configuration sections to slaves.




[pfSense-discussion] atom + US15W pico ITX board

2008-12-22 Thread Paul Mansfield

we've been a close observer of low-power CPUs and chipsets, because a
lot of our costs are colocation fees which are mainly about power.

In theory Poulsbo/US15W is much more efficient than the usual atom +
desktop chipset, but it's not particularly common... then I came across this:

http://www.igologic.com/products/Product.aspx?ProductID=78


is anyone else considering these type of devices?




Re: [pfSense-discussion] Load balancer using carp interfaces?

2008-12-19 Thread Paul Mansfield
Veiko Kukk wrote:
 Hi!
 
 I wonder if there are some good reasons why i'ts not possible to choose
 CARP interfaces (virtual IP-s) for load balancer pools?
 If not, then why can't I select carpx interfaces for ISP failover load
 balancer pool?
 Please fix it or help me how to fix that in my installation.

huh, you can. create a pool of actual servers with internal IPs & ports,
then create the virtual external service listening on the carp IP with
specific port.




Re: [pfSense-discussion] pfSense 1.2.1-RC2 now available

2008-11-21 Thread Paul Mansfield
Chris Buechler wrote:
 More info: http://blog.pfsense.org/?p=284
 

woo! congrats to devs and support for all their hard work.





Re: [pfSense-discussion] SLC or MLC flash for full install

2008-10-23 Thread Paul Mansfield
Eugen Leitl wrote:
 Have any of you made especially good/bad experiences wtith either
 SLC or MLC CF? Any vendors to recommend, or to stay away from?

in theory SLC is going to be more reliable, speed probably doesn't matter.

avoid small vendors and ebay as there's a huge number of counterfeit and
dodgy cards around!


Re: [pfSense-discussion] openVPN routing

2008-09-22 Thread Paul Mansfield
Mark Dueck wrote:
 I am having some problems getting openVPN to route a properly from site
 to site.  I had it working perfectly in between, but now nothing seems
 to make a difference to make it work.


what does netstat -rn say


[pfSense-discussion] solwise - UK seller of wifi kit - Re: [pfSense-discussion] Setup advice wanted, devices for public library

2008-08-06 Thread Paul Mansfield

802.11 mini PCI cards:
http://www.netgate.com/index.php?cPath=27_86


I've been quite happy with service from solwise for miniPCI adaptors and 
various wifi accessories.


I bought one of these and fitted a spare intel 2915abg minipci card:
http://www.solwise.co.uk/wireless-pci-slot.htm

I can only use it in ad-hoc mode so it's wep only, and then that 
interface is heavily filtered but allows openvpn access.



Paul



Re: [pfSense-discussion] Used ALIX or Soekris?

2008-06-25 Thread Paul Mansfield

Adam Van Ornum wrote:
Does anyone have any ALIX or Soekris kits that they don't need any 
more?  I'm currently running pfSense on a dual P3 system at home and its 
way over-powered for what I need and I would like to get something that 



one of those new Intel Atom CPU motherboards would be worth looking at too.


Re: [pfSense-discussion] Used ALIX or Soekris?

2008-06-25 Thread Paul Mansfield

Eugen Leitl wrote:

On Wed, Jun 25, 2008 at 11:28:12AM +0100, Paul Mansfield wrote:


one of those new Intel Atom CPU motherboards would be worth looking at too.


Anyone aware of an affordable system with Nano or at least a C7, with
decent (Intel would be best, but beggars can't be choosers) NICs onboard?

Mini-ITX would be best. But any small brick or 19 1U form factor
ok, too.


http://www.tranquilpc-shop.co.uk/acatalog/T2e_atom_cd.html
http://www.tranquilpc-shop.co.uk/acatalog/T7Atom.html
?


[pfSense-discussion] Re: Nessus : Change in the Plugin Feed Policy (Reminder)

2008-06-11 Thread Paul Mansfield


now non-free for any commercial usage, I was wondering if anyone's
looked at the alternatives?


http://www.openvas.org/
http://www.lbtechservices.com/projects/sussen/


 Original Message 
Tenable Subscriptions wrote:
(You are receiving this email because you are using or used a Nessus 
plugin feed in the past)


Dear Nessus User,

Tenable announced on May 14th 2008 an important licensing change to the 
plugin subscriptions that will affect you as of July 31st, 2008. Please 
read  the original announcement which has been attached to this email 
for your convenience.


If you have further questions, please contact us at 
[EMAIL PROTECTED] or visit us at http://www.nessus.org/


Thank you,

Tenable Network Security
http://www.tenablesecurity.com


Re: [pfSense-discussion] clog size

2008-04-14 Thread Paul M
RB wrote:
 I've had a request to increase logging duration on systems that have
 no access to an external syslog server, so am making the necessary
 changes to maintain much larger ring-log files.  Incredibly larger -

what we've done is to make a few tweaks and install syslog-ng

1/ change the system include file so that it starts syslog with -b
127.0.0.1 so that it doesn't bind to an external IP.

2/ add some lines to /etc/rc.conf.local to make a restart of syslog also
bind only to localhost:
syslogd_enable="YES"
syslogd_flags="-s -f /var/etc/syslog.conf -b 127.0.0.1"

3/ install syslog-ng and write config so that it does full logging to
local file system as well as copying to a main log server

3a/ pkg_add -r syslog-ng
3b/ config file is /usr/local/etc/syslog-ng/syslog-ng.conf
(if interested, I can provide ours after sanitisation)
3c/ make syslog-ng listen on, say, the sync interface or lan.

4/ add some lines to /etc/rc.conf.local to make sure that syslog-ng
starts up

5/ use the pfsense gui to tell it to log to the syslog-ng IP address

this works for us, and the key thing is that apart from having to fix
the /etc/inc/system.inc file when upgrading pfsense (I offered the
diffs/patch, I think it might have been accepted), you don't have to
bend the system too far as you don't have to hack any other part of pfsense.


HTH
Paul
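The steps above, as an added example written for this archive and not
taken from the post: a small sh script that generates the rc.conf.local
lines (steps 2 and 4) and a syslog-ng.conf that keeps a full local log
per host and forwards a copy to a central server (steps 3b/3c). The
listen address 10.1.2.254 and the log host 192.0.2.10 are assumptions,
as is the /var/log/full path; the system.inc patch from step 1 is not
covered, and nothing is written to the real filesystem unless the
script is run with the argument "install".

```sh
#!/bin/sh
# Added example, not from the post: writes the files for steps 2, 3b and 4.
# Assumed (not in the post): syslog-ng listens on LAN IP 10.1.2.254 and
# forwards to a central log host at 192.0.2.10; the system.inc patch from
# step 1 is not covered here.
LISTEN_IP="${LISTEN_IP:-10.1.2.254}"
LOGHOST="${LOGHOST:-192.0.2.10}"
DESTDIR="${DESTDIR:-}"   # set to a scratch directory to preview the files

# Steps 2 and 4: the base syslogd stays on loopback only, and the port's
# rc script (/usr/local/etc/rc.d/syslog-ng) is enabled via syslog_ng_enable.
gen_rc_conf_local() {
    cat <<'EOF'
syslogd_enable="YES"
syslogd_flags="-s -f /var/etc/syslog.conf -b 127.0.0.1"
syslog_ng_enable="YES"
EOF
}

# Step 3b/3c: full local log per sending host plus a copy to the central
# server.  $1 = IP to bind (sync or LAN interface), $2 = central log host.
gen_syslog_ng_conf() {
    cat <<EOF
options { chain_hostnames(off); use_dns(no); keep_hostname(yes); };
source s_net { udp(ip($1) port(514)); };
destination d_local {
    file("/var/log/full/\$HOST/\$YEAR\$MONTH\$DAY.log" create_dirs(yes) perm(0640));
};
destination d_central { udp("$2" port(514)); };
log { source(s_net); destination(d_local); destination(d_central); };
EOF
}

install_files() {
    mkdir -p "$DESTDIR/etc" "$DESTDIR/usr/local/etc/syslog-ng"
    gen_rc_conf_local >> "$DESTDIR/etc/rc.conf.local"
    gen_syslog_ng_conf "$LISTEN_IP" "$LOGHOST" \
        > "$DESTDIR/usr/local/etc/syslog-ng/syslog-ng.conf"
    echo "wrote $DESTDIR/etc/rc.conf.local and $DESTDIR/usr/local/etc/syslog-ng/syslog-ng.conf"
}

# Only touch the filesystem when explicitly asked, so sourcing is harmless.
if [ "${1:-}" = "install" ]; then
    install_files
fi
```

Running it as `DESTDIR=/tmp/preview sh setup-syslog-ng.sh install` lets
you read the generated files before doing it for real; after that,
step 5 (pointing the pfSense GUI at the syslog-ng IP) is still done by
hand. Binding the udp() source to the sync or LAN address rather than
0.0.0.0 is what keeps the listener off the WAN side.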


Re: [pfSense-discussion] clog size

2008-04-14 Thread Paul M
Scott Ullrich wrote:
 On 4/14/08, Scott Ullrich [EMAIL PROTECTED] wrote:
 I have commited some code to help with this:
  
 http://cvs.pfsense.org/cgi-bin/cvsweb.cgi/pfSense/usr/local/www/guiconfig.inc?rev=1.90.2.50;content-type=text%2Fx-cvsweb-markup
 
 Woops, wrong URL:
 http://cvs.pfsense.org/cgi-bin/cvsweb.cgi/pfSense/usr/local/www/guiconfig.inc?rev=1.90.2.49;content-type=text%2Fx-cvsweb-markup

if clog is turned off, does it then use tail -N and look at a normal
log file instead of using clog to view?


Re: [pfSense-discussion] ARP traffic causing routers to hang - single ARP cache with both LAN and WAN ARP entries?

2008-04-03 Thread Paul M
Tortise wrote:
 kernel: arp: unknown hardware address format (0x)
 kernel: arp: unknown hardware address format (0xdd1f)
 kernel: arp: 192.168.0.7 is on em1 but got reply from 00:00:cd:1c:14:1a on em0
 kernel: arp: 192.168.0.7 is on em1 but got reply from 00:09:bf:55:71:b0 on em0

could it be you have two machines accidentally set up with the same IP -
perhaps broken DHCP? if you've got managed switches, can you check their
arp tables to see where those mac addresses live?

are you using vlans, and if so could you have accidentally joined them?
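An added example, not from the thread, for telling those two hypotheses
apart from the log alone: a sh/awk filter that groups the kernel's
"arp: X is on A but got reply from MAC on B" messages by IP. Several
distinct MACs answering for one address points at a duplicate IP (bad
DHCP, a cloned host); one MAC consistently seen on the wrong interface
points at the segments being bridged or a VLAN having been joined. The
sample lines are constructed from the ones quoted above; the
timestamps, the hostname "fw" and the 192.168.0.9 line are made up.

```sh
#!/bin/sh
# Added example, not from the thread: groups FreeBSD kernel
# "arp: X is on A but got reply from MAC on B" messages by IP so that a
# duplicate address (several MACs) can be told from a wrong-interface
# reply (one MAC, segments bridged or VLAN joined).

# Constructed sample modelled on the lines quoted in the thread; the
# timestamps, hostname and 192.168.0.9 line are made up.
SAMPLE_LOG='Apr  3 10:00:01 fw kernel: arp: 192.168.0.7 is on em1 but got reply from 00:00:cd:1c:14:1a on em0
Apr  3 10:00:02 fw kernel: arp: 192.168.0.7 is on em1 but got reply from 00:09:bf:55:71:b0 on em0
Apr  3 10:00:03 fw kernel: arp: 192.168.0.9 is on em1 but got reply from 00:09:bf:55:71:b0 on em0
Apr  3 10:00:04 fw kernel: arp: unknown hardware address format (0xdd1f)'

# Reads syslog lines on stdin and prints one line per affected IP:
#   <ip> <expected-if>-><seen-if> <distinct-mac-count> <macs...> <verdict>
# Fields are indexed from the end of the line so any syslog prefix works.
arp_conflicts() {
    awk '/ arp: [0-9.]+ is on [a-z0-9]+ but got reply from [0-9a-f:]+ on [a-z0-9]+$/ {
        ip = $(NF-10); want = $(NF-7); mac = $(NF-2); got = $NF
        if (index(macs[ip], " " mac " ") == 0) { macs[ip] = macs[ip] " " mac " "; n[ip]++ }
        ifs[ip] = want "->" got
    }
    END {
        for (ip in n) {
            list = macs[ip]
            gsub(/  +/, " ", list); sub(/^ /, "", list); sub(/ $/, "", list)
            verdict = (n[ip] > 1) ? "DUPLICATE-IP?" : "WRONG-INTERFACE"
            printf "%s %s %d %s %s\n", ip, ifs[ip], n[ip], list, verdict
        }
    }' | sort
}

# On a real box:  grep 'arp:' /var/log/system.log | arp_conflicts
printf '%s\n' "$SAMPLE_LOG" | arp_conflicts
```

The MACs it prints are the ones to look up in the switches' tables, as
suggested above; the "unknown hardware address format" lines carry no
address and are ignored.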



[pfSense-discussion] freebsd 6.2 ports archive

2008-03-13 Thread Paul M
Hi,
I was looking for the syslog-ng package to install on my pfsense boxes,
and discovered that the main freebsd site no longer has the ports for
that release - only 6.3.

I found the ftp.de.freebsd.org site still had it, so I did an evil hack
to the hosts file thus:
213.83.42.56    ftp.freebsd.org

and I was able to pkg_add -r syslog-ng.

anyway, my point is that anyone wanting to play with pfsense1.2 release
and needs access to the ports might want to consider maintaining their
own archive of the freebsd downloads otherwise they'll lose out!

or, perhaps, should pfsense.org website keep a mirror for this purpose?

Paul



Re: [pfSense-discussion] freebsd 6.2 ports archive

2008-03-13 Thread Paul M
Scott Ullrich wrote:

  or, perhaps, should pfsense.org website keep a mirror for this purpose?
 
 We are working on it: http://blog.pfsense.org/?p=179

freebsd is nice in that the paths to the files are the same on each
mirror, so hacking the hosts file made it work with no changes; the
equivalent path was this:

ftp://ftp.de.freebsd.org/pub/FreeBSD/releases/i386/6.2-RELEASE/

a bit of wget -r should suffice?


Re: [pfSense-discussion] pfSense / Time Service

2008-03-06 Thread Paul M
RB wrote:
 No, really - I asked you once in private, now I ask you again in

I too have asked him privately. I suspect he's using Lotus Notes or
something equally horrible which cannot be configured sanely!

Can the list admin get the mail system changed to strip the recipient
request headers out?

 public: please turn off your foolish Outlook receipts.  It is
 ridiculous that we have to wade through your mail client's automated
 spew that just tells us you received/read a given message. Most of us
 really don't care (or actively dislike it), and you clutter stuff up
 by not being a good list citizen.
 
 On 3/5/08, Ryan Neily [EMAIL PROTECTED] wrote:
 Return Receipt

 Your document: [pfSense-discussion] pfSense / Time Service




Re: [pfSense-discussion] pfSense / Time Service

2008-03-06 Thread Paul M
Eugen Leitl wrote:
 On Thu, Mar 06, 2008 at 02:53:19PM +, Paul M wrote:
 RB wrote:
 Bwa ha ha!  Delicious, delicious irony!  I knew it was inevitable
 since Ryan had to read the thread at least once more before fixing
 things, but it was worth it to see this one come in.
 has he fixed things?
 
 Just forward his spam to [EMAIL PROTECTED] and [EMAIL PROTECTED]
 with full headers. 
 
 If anyone on this list would start doing it, maybe his admins
 would wise up, and LART him.

shame SLTP never made it to a proper RFC
http://buffy.sighup.org.uk/hfiles/aeds.html



Re: [pfSense-discussion] suggestions for a decent hardware

2008-03-04 Thread Paul M
has anyone tried installing freebsd/pfSense on an AppleTV? you'd need a
vlan-aware switch to expand the number of network ports, but it's
compact, low power, commodity hardware... in the meanwhile I've asked
http://www.appletvhacks.net/



[pfSense-discussion] internal load balancer doesn't return traffic to originator

2008-02-11 Thread Paul M

scenario: two machines, on (A) 10.x.x.11 and (B) 10.x.x.12 run web
servers on port 1024 which are made available to the world via public IP
on port 80 by a pfsense firewall (F) (1.2RC4) running a load balancer.
the internal IP of the firewall is 10.x.x.254.

an application which runs on the 10.x.x.11,12 and others wishes to
connect to the web server pool.

nat reflection doesn't work, so we thought we could run a load balancer
on the firewall's internal IP address. however, this doesn't work.

using tcpdump on A, we see the firewall connecting to the web and the
packets being returned normally, everything OK.

using tcpdump on F, we can see the packets arrive on the firewall
heading for 10.x.x.254:80, and go off to the web server on port 1024,
and come back to the firewall. the firewall doesn't then send the
packets back to the host which originated the connection.

firewall logs indicate the connection is being permitted from A to A, no
indication of anything being refused!


is what we are trying to do sensible, i.e. to use a load balancer on the
*inside* of our network to allow callbacks to a webapp to be made resilient?

thanks
Paul


[pfSense-discussion] prioritising ACKs

2008-02-05 Thread Paul M
I came across this, an interesting idea for improving throughput, works
on openBSD, wondering if it can be done on pfsense/freebsd?

http://www.benzedrine.cx/ackpri.html


thanks


Re: [pfSense-discussion] bogons update issue

2008-02-04 Thread Paul M
Jan Hoevers wrote:
 I'm running the embedded version of pfSense on a Soekris 4801.
 
 1. The script starts with sleeping a random interval. This caused it to
 abort with a 'od: command not found' message. Apparently the od command
 is missing on the embedded platform, and I worked around this by
 commenting out the random interval sleep.


hmm, yes, the non-embedded 1.2rc4 suffers this too... as a quick hack I
just created a /bin/od script which does echo 10. Scott's fix to the
URL allowed the rest to work.





Re: [pfSense-discussion] which VPN client?

2008-01-24 Thread Paul M
Ronald L. Rosson Jr. wrote:
 On my linux box, I can set my resolv.conf to the office's resolver (we
 have internal DNS which points everything to rfc1918 addresses) and it
 all works just fine!
 On OSX boxes, I can change resolv.conf but it doesn't seem to take
 effect  :-(
 I have found this script and it works without any issue for OSX and
 tunnelblick.
 
 http://openvpn.net/archive/openvpn-users/2006-10/msg00120.html

thanks for that, I shall give it a go.


Re: [pfSense-discussion] which VPN client?

2008-01-18 Thread Paul M
one last thing, has anyone made the openvpn client automatically fix the
DNS resolver settings on the client?

I can't get this to work  :-(
so people working from home have to know IP addresses


On my linux box, I can set my resolv.conf to the office's resolver (we
have internal DNS which points everything to rfc1918 addresses) and it
all works just fine!
On OSX boxes, I can change resolv.conf but it doesn't seem to take
effect  :-(


thanks again
Paul


Re: [pfSense-discussion] which VPN client?

2008-01-17 Thread Paul M
Curtis LaMasters wrote:
 Paul,
 
 I am using the OpenVPN GUI v1.0.3 from the link below and I have also
 included a copy of my client side configuration file on the Vista laptop.

OK, well, I (reluctantly) booted up vista on my computer which didn't
have OV installed so that I could do it from scratch, and followed the
instructions to the letter... and basically it worked (once I remembered
that my linux box at home was using it, and killed that connection!)

So, I conclude that it's something wrong with my colleague's vista
install! And, with relief, I can shutdown my vista install again,
shudder quietly, and boot linux! :-D

Oh, one thing.. each openvpn user has a dedicated OV daemon (different
port) on the vpn server, so that I can have very tight control over what
they're doing.

 ##c:/program files/openvpn/config/vpn.domain.com.ovpn
 float
 client

I don't have either of the above two lines in the config(s), either on
the linux box or vista box, didn't stop it working though.


 dev tun
 dev-node openvpn
 proto tcp-client
 remote xx.xx.xx.xx 1194

each user has an ifconfig line thus:

ifconfig 10.xx.yy.2 10.xx.yy.1

 route-method exe

I've also got:
route-delay 2

as recommended elsewhere

 persist-tun
 persist-key

yup

 ca ca.crt
 cert client1.crt
 key client1.key
 ns-cert-type server
 tls-client

am using shared key, each user has their own key, each openvpn daemon is
thus specific to each user

 comp-lzo

yup, need same setting at both ends

 ping 10

I'm using this:
keepalive 10 60
instead of ping.

 pull

not using pull

 verb 4

have verb 3 which is sufficiently detailed

 
 http://www.openvpn.se/files/install_packages/openvpn-2.0.9-gui-1.0.3-install.exe

I'll double-check my colleague's install.

thanks again


Re: [pfSense-discussion] which VPN client?

2008-01-17 Thread Paul M
Paul M wrote:
 I am using the OpenVPN GUI v1.0.3 from the link below and I have also


I checked my colleague's version and he was running the older stable
release, got him to upgrade and also got openvpn to delete and re-add
the tunnel interface, and it now works (not sure which action solved it)

thanks for taking time to discuss this with me!

Paul


Re: [pfSense-discussion] which VPN client?

2008-01-16 Thread Paul M
Curtis LaMasters wrote:
 Paul,
 
 Sorry to keep nagging on this one, but, are you using the OpenVPN gui or

no, I'm very glad to have your help.

 the normal version?  And what version of the software are you using?

my colleague is using the openvpngui as downloaded from
http://openvpn.se/ which comes with an openvpn binary.


hmm, that's quite an old version of the openvpn binary, isn't it?



Re: [pfSense-discussion] HOW MUCH TRUST ON PFSENSE ?

2007-12-24 Thread Paul M
Bill Marquette wrote:
 or others that could make use of mechanisms like dynamic allocation of port.
 That could cause you problems potentially.  But would be no different
 in any other firewall that didn't already understand your protocol.  I
 regularly force vendors to redesign their applications to not use
 dynamic ports at work, it's a stupid design and really, there's zero
 reason to do it (other than sheer laziness on the developers side - or
 pissy legacy reasons when it comes to FTP, which is still not a good
 excuse IMO).

java RMI being one major PITA!

we've developers working from home and trying to get their openvpn
connections working was a massive PITA.

<rant>
developers being developers seem to think that security considerations
can be swept aside to let them do whatever they need to do.

</rant>


Re: [pfSense-discussion] HOW MUCH TRUST ON PFSENSE ?

2007-12-20 Thread Paul M
Paolo Gentili wrote:
  your thoughts or experiences about  how much trust can i have on pfsense


we've got seven boxes doing pfsense - three pairs of 1U servers as
firewall clusters protecting public facing web services, and one acting
as a VPN concentrator for road warriors. we rely on carp and the load
balancer to give resilience.

when one machine threw a disk, it took less than half an hour to
restore functionality.

all are 1.2RC3, some began as 1.2rc2.

we considered Astaro during early eval, but it would have been expensive
to have so many boxes, so we'd have had to compromise on the design of
our network, pfsense has thus made it possible to adopt a much more
flexible solution.

Paul




Re: [pfSense-discussion] Beginner's Tutorial

2007-12-17 Thread Paul M
jason whitt wrote:
 download iso burn to cd install set interfaces go to lan ip address
 login with default login admin/pfsense go from there.

I'd add, if you've got an existing network with its own DHCP server,
don't plug in the LAN port until you've fully installed pfsense and
disabled its DHCP server!



Re: [pfSense-discussion] 1.2-RC3 released!

2007-11-08 Thread Paul M
David Bottrill wrote:
 Paul M wrote:
 
 p.s .any chance of an upgrade image for those of us who installed it on
 a regular x86 server?

 Go to the downloads page and click on updates you need:

d'oh, I was looking in the main download area. thanks.

meanwhile, I noticed many of the mirrors are not doing too well so I
reported them

 
 pfSense-Full-Update-1.2-RC3.tgz
 
 I installed this earlier today and it upgraded my system without any issues.

thanks for that feedback.


Re: [pfSense-discussion] Via LAN drivers

2007-10-29 Thread Paul M
sai wrote:
 Realtek and Via ethernet interfaces are supported and are used by many
 on this list, but the hardware and the drivers are not as good as the
 Intel ethernet.

especially realtek's! We have a machine or two with realtek giga, and
they simply cannot achieve anything like theoretical maximum gigabit
throughput - just google for realtek performance problem or similar.

so why are they so popular? very cheap to embed, and most people don't
know the difference when they buy their desktop PC.


Re: [pfSense-discussion] Cacti Template

2007-10-25 Thread Paul M
Ronald L. Rosson Jr. wrote:
 Has anyone come across or developed a template for pfsense firewalls to
 be polled by a Cacti server. Any information is helpful.

dunno about cacti, but I got munin (node) to work quite happily using
freebsd ports, so if there's a cacti in the freebsd port, you might try
that.


Re: [pfSense-discussion] noob question

2007-09-19 Thread Paul M
Zied Fakhfakh wrote:
 Hello everybody,
 
 I'm just starting with pfSense, and I have a couple of questions
 
 - is there any logout button from the web interface ?

it uses basic authentication, so you have to close browser (FYI, it's a
long running bug/issue with firefox/mozilla to be able to forget the
password and thus logout). I guess somebody might like to rewrite it to
use cookies and thus have a logout function if they really cared?

 - how can I install third party software, like squid, on pfSense

it's freebsd based so you can use 'ports'. I installed munin from ports
and it works pretty well.


Re: [pfSense-discussion] any plans to implement smtp spam filter/ clam av?

2007-09-19 Thread Paul M
ryn jackson wrote:
 just wanted to know if there were any plans to implement an smtp proxy 
 package that could do spam filtering and email greylisting/blacklisting. act 
 as a tarpit etc.
 
 also possibly clamav as well?
 

could you not install these from freebsd ports?


Re: [pfSense-discussion] full instalation on 4 GB SSD

2007-08-29 Thread Paul M
Eugen Leitl wrote:
 I was thinking a real 2.5 SSD would have a MTBF comparable to a
 real hard drive (SanDisk claims 2 Mh MTBF, can't find any such
 for Hama SSD, which is a bargain at about 100 EUR for 4 GByte,
 which probably already answers my question).


I think that proper ssd units designed to replace a regular magnetic
hard drive have to have very sophisticated wear-levelling algorithms,
and probably have an intermediate store for written data, e.g. some
battery-backed SRAM or non-wearable memory.


By ensuring you mount the drive noatime and async you can reduce the number
of writes; mounting everything except /var/log as read-only would enforce no
writing. Perhaps putting /var/log into a ram disk, rotating logs frequently
and rsyncing them to flash would help too. However, this is speculation on my
part as I've never created my own unix/linux flash based system (although I
do have a zaurus, but rely on the distro creators to solve the problem!).

BTW I've seen very few reports of people having problems with the
microdrive in their zauruses which take the 4 or 6GB drives, but people
who've replaced their microdrives with CF cards report early failures!

Paul


Re: [pfSense-discussion] transient network drops

2007-08-29 Thread Paul M
Eugen Leitl wrote:

  wan-pfsense-lan
  |
  switch1--diverse hosts
 
 what's interesting is that I have transient outages to *some* IPs
 (it could be just one IP, actually). I can still ping that IP locally

is your switch manageable? can you turn logging on it? can you look up
the mac of the missing host (also check arp table on pfsense)?



Re: [pfSense-discussion] transient network drops

2007-08-29 Thread Paul M
Eugen Leitl wrote:
 On Wed, Aug 29, 2007 at 02:33:45PM +0100, Paul M wrote:
 Eugen Leitl wrote:

  wan-pfsense-lan
  |
  switch1--diverse hosts

 what's interesting is that I have transient outages to *some* IPs
 (it could be just one IP, actually). I can still ping that IP locally
 is your switch manageable? can you turn logging on it? can you look up
 
 The gateway switch is a Netgear GS724T, the second switch is HP ProCurve.
 Logging, as in redirecting traffic to a sniffer port, and capture
 all traffic there?

logging, as in getting the managed switch to send syslog messages to a
server and seeing if it reports any errors. I don't know procurves, but
in cisco it's fairly straight forward... add this to config for example:

logging facility local5
logging 10.0.0.2

 The hoster advised doing an mtr, which I will do once the host
 drops offline again.

yeah, also check arp table on the disappearing host


Re: [pfSense-discussion] acx100 and 1.2 beta

2007-08-07 Thread Paul M
Marius Schrecker wrote:
 Hi,
 
   I'm currently running 1.0.1 (developer) with the acx100 native driver
 from kewl.org which I compiled using the recommended patch.  Works okay,
 but I remember it being quite a bit of work.
 
 What's the status on this driver in 1.2? Will it be built-in, or easier to
 compile, or is there a procedure for using ndiswrapper for this.


I guess the only way to find out is to try the live CD version!



[pfSense-discussion] wiki signups

2007-07-26 Thread Paul M
is there any chance of the wiki allowing signups again, or having a
login created for me (mailme offlist pls)

whilst the documentation on pfsense is quite good there's some useful
notes on it in the wiki which could do with some small updates

BTW, I am a newcomer to pfsense, tried the 1.2 first beta and didn't get
on with it as it would crash/kernel panic all the time, but then tried
rc1 and it's pretty good, only crashed once (when I was changing virtual
IPs)

thanks

Paul


Re: [pfSense-discussion] PPPoE server mods

2007-03-28 Thread Paul


There's a provider-friendly mpd out there which I'm planning to 
integrate into pfsense. It's compatible with mpd, but has some ISP-grade 
features included.


this sounds good, am i guessing this is the first step. are there any
areas that you think i might be able to assist you.
  

Yes, I'm doing some work on this side already.

i felt that the issue with altq and queues was you need a new parent
queue each time you add a new user this makes it far more complicated
than the dummynet method where you can still have different classes
  
I'm under the impression that pfsense uses the HFSC classifier. In an 
ISP grade server you would reserve more resources to higher-paying 
customers by using different classes. Then in each class the customers 
would be able to use their allocated bandwidth without interference from 
customers in the lower or higher classes. Traffic will be borrowed only 
if one class is not using its resources. You would have a 2 level 
limiter, where each ng channel is limited to the maximum up/down rate of 
the customer and then a second limiter where you allocate more resources 
where needed.


Example:
5 customers with 640k contract
5 customers with 2M contract
If every customer is equal to the others, they will all go at the same 
speed, but if you put the 10 customers in 1 class and the 5 customers in 
another class and then give different speeds to each of them you'll be 
able to keep the 640k customers at say 500k and the 2Mega customers at 
say 1.5M.


Hope this explanation makes sense.

well my knowledge here is somewhat useful as our practical experience
with pfsense is from 0.20 
  

This is good to know ;-)

i was under the understanding that altq did not work well with multiple
interfaces or is this just an issue with the pfsense implementation
  
I have no idea. My guess is that you need the max speed limiter on ng 
and then a set of queues on the wan interface. Perhaps some packet 
tagging can take place so that packets go to their queue.

this is the primary area that i would like to see worked on the
termination of aaa well is a real enterprise class thing and pfsense is
so close with ipsec openvpn and pppoe and pptp terminations integrated
well it would be fantastic.
  
One more thing will be needed for full AAA and this is a port of the 
bpfinet and tcp_mss modules from bsd5 to 6. I'm not fluent enough with 
the bsd kernel to do it myself


Btw all docs can be found here: http://www.foggy.ru/soft/mpd/

Paul.
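The two-level layout described in this reply (a guaranteed rate per customer inside a per-contract class, the class lending its share to the other one when idle), as an added example that is not pfSense's or mpd's code: a small sh generator for the pf.conf ALTQ/HFSC fragment, with the admission check a practitioner wants before loading it. Interface name, uplink rate, per-class rates and the tag names are assumed values.

```shell
#!/bin/sh
# Added example, not pfSense's rules generator: emit a two-level ALTQ/HFSC
# layout for a 640k class and a 2M class of PPPoE customers, and refuse one
# whose guaranteed rates oversubscribe the uplink.  All numbers are assumed.

# Per-class policy in Kb: guaranteed rate per customer and the contract ceiling.
class_guarantee() { case "$1" in c640) echo 500 ;; c2m) echo 1500 ;; *) return 1 ;; esac; }
class_ceiling()   { case "$1" in c640) echo 640 ;; c2m) echo 2048 ;; *) return 1 ;; esac; }

# total_realtime <class> <count>: Kb that HFSC must be able to guarantee to the class.
total_realtime() {
    g=$(class_guarantee "$1") || return 1
    echo $(( g * $2 ))
}

# emit_class <class> <count>: the interior class queue plus one leaf per customer.
# Leaves carry the realtime guarantee and an upperlimit at the contract rate;
# the interior queue only has linkshare, so an idle class lends its bandwidth.
emit_class() {
    cls=$1 n=$2
    g=$(class_guarantee "$cls"); c=$(class_ceiling "$cls"); rt=$(total_realtime "$cls" "$n")
    kids=""; i=1
    while [ "$i" -le "$n" ]; do
        kids="${kids:+$kids, }${cls}_$i"
        i=$((i + 1))
    done
    printf 'queue %s bandwidth %sKb hfsc(linkshare %sKb) { %s }\n' "$cls" "$rt" "$rt" "$kids"
    i=1
    while [ "$i" -le "$n" ]; do
        printf 'queue %s_%s bandwidth %sKb hfsc(realtime %sKb upperlimit %sKb)\n' "$cls" "$i" "$g" "$g" "$c"
        i=$((i + 1))
    done
}

# gen_hfsc_queues <wan_if> <link_kb> <n_c640> <n_c2m>
# Prints a pf.conf fragment on stdout; returns 1 if the guarantees do not fit.
gen_hfsc_queues() {
    wan=$1 link=$2 n640=$3 n2m=$4
    rt640=$(total_realtime c640 "$n640"); rt2m=$(total_realtime c2m "$n2m")
    # HFSC cannot honour realtime curves that add up to the whole link or more,
    # and the mandatory default queue needs some bandwidth of its own.
    if [ $(( rt640 + rt2m )) -ge "$link" ]; then
        echo "error: guaranteed ${rt640}+${rt2m}Kb leaves nothing of the ${link}Kb uplink" >&2
        return 1
    fi
    printf 'altq on %s hfsc bandwidth %sKb queue { std, c640, c2m }\n' "$wan" "$link"
    # ALTQ requires exactly one default queue; untagged traffic lands here.
    printf 'queue std bandwidth %sKb hfsc(default)\n' $(( link - rt640 - rt2m ))
    emit_class c640 "$n640"
    emit_class c2m "$n2m"
    # A session's packets are tagged on its ng interface (by the up-script, for
    # instance) and the tag selects the customer's leaf queue on the way out.
    for cls in c640 c2m; do
        case $cls in c640) n=$n640 ;; *) n=$n2m ;; esac
        i=1
        while [ "$i" -le "$n" ]; do
            printf 'pass out on %s tagged %s_%s queue %s_%s\n' "$wan" "$cls" "$i" "$cls" "$i"
            i=$((i + 1))
        done
    done
}
```

Which leaf a given session gets tagged into is where a RADIUS Filter-Id would come in; the generator only builds the queues and the tag-to-queue rules.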


Re: [pfSense-discussion] PPPoE server mods

2007-03-23 Thread Paul

Alan Walters wrote:


i personally feel that time would be better spent on queuing to assist
with sorting out dummynet and ipfilter queues as mpd already has
integration here.

There's a provider-friendly mpd out there which I'm planning to 
integrate into pfsense. It's compatible with mpd, but has some ISP-grade 
features included.


and class based queues are great with this. personally a dont this altq
is up to the task of managing lots of queues for lots of cbq but is
great for service based queuing.

the modded mpd (as well as the normal one) has provisions to call 
scripts and/or insert rules directly in ipfw. But pfsense is PF based 
and has HFSC (?) scheduler. This is a superior way to handle traffic and 
allows you to have different classes of users (allocating more traffic 
to higher paying users and moving abusers to a slow queue)... hence 
being able to respect different minimum service rates on the same 
machine (as opposed to slowing down each user to the same speed).


However, the pfsense rules generator is much more complex than what is 
needed to a normal ISP hence my request for help on this side. I don't 
want to break things like carp etc.


Next move would be to attach each ng interface to a separate queue 
depending on the Filter-Id returned from the radius. This requires a 
patched mpd which I'm trying to substitute to the real one (it compiles 
cleanly under FreeBSD 5.x but requires some kernel modules and these are 
not yet ported to 6.x).


There's some code to be written before we can see this happen :-(

Paul.


Re: [pfSense-discussion] PPPoE server mods

2007-03-16 Thread Paul
I am including this patch here as it might be interesting for others and 
because I would like some comments on it: It's against RELENG_1 but can 
easily be adapted to HEAD.


The patch enables an inetd process which will show the currently logged 
pppoe users. This can be easily hacked into freeradius so that double 
logins can be checked for.


Modifications are for filter.inc (running the secondary inetd server, 
separated from the one for FTP running on localhost). I'm not sure if 
this is the best place, but since the other inetd server is started 
here... I placed it in the same file.


3 scripts are included. One generic for login and logout users + 2 
adaptations for the mpd daemon. They should be set executable before they 
will be used by mpd.


Everything runs nicely on my production/test system.

If anybody is interested in the freeradius checkrad modification that is 
compatible with the following patch, please ask and I'll post it.


The next step is to redirect each ng interface to a specific queue and 
set the speed on this queue according to the user (via radius issued 
filter-id). This requires a modified mpd (this is easy) but I would like 
some hints on how to modify the current queue discipline. It seems that 
any modification can easily break the magic shaper wizard stuff. Any 
help in this area will be greatly appreciated.


Paul.

Patch follows:

 cut here 
diff -NrU 3 /usr/jails/pfsense/home/pfsense/pfSense/etc/inc/filter.inc 
pfSense/etc/inc/filter.inc
--- /usr/jails/pfsense/home/pfsense/pfSense/etc/inc/filter.incFri 
Feb 23 21:38:59 2007

+++ pfSense/etc/inc/filter.incSun Feb 25 20:24:45 2007
@@ -799,6 +799,15 @@
$natrules .= rdr on \$wan proto ipv6 from any to any - 
{$config['diag']['ipv6nat']['ipaddr']}\n;

}

+$inetd_fd = fopen(/var/etc/inetd-static.conf, w );
+fwrite( $inetd_fd, 
pppoedusers\tstream\ttcp\tnowait\tnobody\t/usr/local/bin/loguser.sh\tloguser.sh 
who\n ) ;

+fclose($inetd_fd);
+$helpers = trim(exec(/bin/ps ax | /usr/bin/grep inetd | 
/usr/bin/grep -v grep | /usr/bin/grep inetd-static));

+if(!$helpers)
+mwexec(/usr/sbin/inetd -wW -R 0 /var/etc/inetd-static.conf);
+else
+mwexec(/usr/bin/killall -HUP inetd);
+
if(file_exists(/var/etc/inetd.conf))
mwexec(rm /var/etc/inetd.conf);
touch(/var/etc/inetd.conf);
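Review bot: the new inetd instance started with `mwexec(/usr/sbin/inetd -wW -R 0 /var/etc/inetd-static.conf)` has no `-a` bind address, unlike the existing one further down that is started with `-a 127.0.0.1`, so the pppoedusers listener and the list of logged-in usernames it returns are reachable on every interface, WAN included, unless the generated ruleset blocks it. Bind it to the address the RADIUS server uses to reach this box and add a matching filter rule, and reconsider `-R 0`, which removes inetd's per-minute invocation limit for an unauthenticated service. The `ps ax | grep inetd | grep -v grep | grep inetd-static` probe also matches any process whose arguments mention inetd-static; a pidfile would be more robust, and a comment should say that `killall -HUP inetd` also reloads the localhost instance (harmless, but intended).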
@@ -1100,7 +1109,6 @@
mwexec(/usr/sbin/inetd -wW -R 0 -a 127.0.0.1 
/var/etc/inetd.conf);

else
mwexec(/usr/bin/killall -HUP inetd);
-
}
}
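Review bot: this hunk only removes a blank line before the closing brace, so drop it to keep the patch limited to functional changes; the useful part here is the context line `mwexec(/usr/sbin/inetd -wW -R 0 -a 127.0.0.1 /var/etc/inetd.conf)`, which shows the explicit bind address the new static inetd in the previous hunk should mirror.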

diff -NrU 3 /usr/jails/pfsense/home/pfsense/pfSense/etc/inc/vpn.inc 
pfSense/etc/inc/vpn.inc
--- /usr/jails/pfsense/home/pfsense/pfSense/etc/inc/vpn.incThu Feb  
8 23:03:23 2007

+++ pfSense/etc/inc/vpn.incSun Feb 25 19:09:13 2007
@@ -895,6 +895,8 @@
new -i {$ngif} pppoe{$i} pppoe{$i}
{$isssue_ip_type}
load pppoe_standart
+set iface up-script /usr/local/bin/loginuser.sh
+set iface down-script /usr/local/bin/logoutuser.sh

EOD;
}
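Review bot: the `set iface up-script /usr/local/bin/loginuser.sh` and `down-script` lines hard-code paths to scripts that nothing in the patch makes executable (a diff carries no file modes), so on a fresh install every session would silently go unrecorded and the RADIUS check would see no users. Either `chmod 0755` them in the install step or have vpn.inc test `is_executable()` on both paths before emitting these lines, and say so in the patch description.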
@@ -1019,4 +1021,4 @@
return 0;
}

-?
\ No newline at end of file
+?
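Review bot: this hunk only adds the missing newline after the closing tag; it is harmless but will refuse to apply against a tree where the file already ends in a newline, so keep it as a separate whitespace commit or drop it.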
diff -NrU 3 /usr/jails/pfsense/home/pfsense/pfSense/etc/services 
pfSense/etc/services
--- /usr/jails/pfsense/home/pfsense/pfSense/etc/servicesSat Jan 28 
01:20:26 2006

+++ pfSense/etc/servicesSun Feb 25 19:12:06 2007
@@ -4107,3 +4107,4 @@
wnn6_Tw22321/tcp  #Wnn6 (Taiwanse input)
wnn6_Kr22305/tcp  #Wnn6 (Korean input)
wnn6_DS26208/tcp  #Wnn6 (Dserver)
+pppoedusers 9200/tcp   # custom PG for logged in users
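Review bot: the comment `# custom PG for logged in users` does not say what the service is or which component owns it; name the script and the purpose (the PPPoE logged-in user list served for the RADIUS checker) so nobody reuses 9200/tcp later. Since inetd resolves `pppoedusers` through this file, the services change must be installed before the filter.inc change starts the new inetd, otherwise inetd logs an unknown-service error and the listener never comes up.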
diff -NrU 3 
/usr/jails/pfsense/home/pfsense/pfSense/usr/local/bin/loginuser.sh 
pfSense/usr/local/bin/loginuser.sh
--- 
/usr/jails/pfsense/home/pfsense/pfSense/usr/local/bin/loginuser.sh
Thu Jan  1 01:00:00 1970

+++ pfSense/usr/local/bin/loginuser.shSun Feb 25 18:36:29 2007
@@ -0,0 +1,17 @@
+#!/bin/sh
+# MPD adaptation script for loguser.sh
+# will call loguser.sh with the proper parameters
+
+loguser=/usr/local/bin/loguser.sh
+
+# grab parametres from commandline
+user=$5
+iface=$1
+clientip=$4
+
+if [ -z $user ] ; then
+echo Usage: loginuser.sh iface proto local-ip 
remote-ip auth-name

+exit ;
+fi
+
+$loguser login $user $iface $clientip
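Review bot: `user=$5` is the auth-name supplied by the PPPoE peer, so it is untrusted input, yet it is tested with an unquoted `[ -z $user ]` and passed on as unquoted `$loguser login $user $iface $clientip` (if the quotes were stripped by the mailer, ignore that part). Whitespace or shell metacharacters in the name would shift or split the arguments loguser.sh receives; quote every expansion (`[ -z "$user" ]`, `"$loguser" login "$user" "$iface" "$clientip"`) and reject names outside the character set the RADIUS policy allows before they reach the shell. The usage branch also does `exit ;`, which returns 0 and hides the misuse from mpd; use `exit 1`.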
diff -NrU 3 
/usr/jails/pfsense/home/pfsense/pfSense/usr/local/bin/logoutuser.sh 
pfSense/usr/local/bin/logoutuser.sh
--- 
/usr/jails/pfsense/home/pfsense/pfSense/usr/local/bin/logoutuser.sh
Thu Jan  1 01:00:00 1970

+++ pfSense/usr/local/bin/logoutuser.shSun Feb 25 18:36:57 2007
@@ -0,0 +1,17 @@
+#!/bin/sh
+# MPD adaptation script for loguser.sh
+# will call loguser.sh with the proper parameters
+
+loguser=/usr/local/bin/loguser.sh
+
+# grab parametres from commandline
+user=$3
+iface=$1
+clientip=
+
+if [ -z $user ] ; then
+echo Usage: logoutuser.sh iface proto auth-name
+exit ;
+fi
+
+$loguser logout $user $iface $clientip
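Review bot: `clientip=` is deliberately empty here, but because the final `$loguser logout $user $iface $clientip` expands it unquoted, loguser.sh receives three arguments on logout and four on login, so its positional parameters differ between the two paths. Pass an explicit placeholder such as `clientip=-` and quote the expansions so the argument count is stable, and use `exit 1` in the usage branch as suggested for loginuser.sh.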
diff -NrU 3 
/usr/jails/pfsense/home/pfsense/pfSense/usr/local/bin/loguser.sh 
pfSense/usr/local/bin

[pfSense-discussion] PPPoE server mods

2007-02-28 Thread Paul

Hi,

I hacked a quick mod for mpd/pppoe server to allow me to use pfsense 
as an access concentrator for dial-up users (via ethernet).


Pfsense was perfectly capable of allowing access via pppoe / radius but 
was missing a way for the radius server to check if a particular user 
was still logged in.
This is necessary because if the access server loses connection/resets 
etc, the radius server will contain active sessions that are stale. If 
the user tries to login (via another access server for example), the 
login will be denied because of the stale session.


One way to prevent this is to have the radius server check the old 
access server. If the server cannot be accessed or the session is not 
active, the old session will be removed and a new session will be created.


There're different ways to check if a user is logged in (snmp being one, 
telnet etc being the others), but an easy way is to make a simple 
server on a known port. Telnetting to this port shows currently logged 
users.


My mod does exactly this:
   -) provides iface-up and iface-down scripts for mpd to keep track of 
the currently logged users.
   -) modifies filter.inc, vpn_pppoe.php and the mpd config generation 
script.
   -) provides a simple inetd-based server to list the users (separated 
from the inetd running on localhost for the nat reflection helpers).
   -) provides a script for freeradius to check if a particular user is 
logged on the access server.


I have not provided this via a separate package because I want it to 
work on the embedded platform.


I would like to know if these mods are interesting and could be included 
in the pfsense code ?

Also, what is the best way to provide them (I have a patch-set ready). ?

Paul.
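The session-tracking part of that design (up-script records a login, down-script a logout, and a "who" listing for the RADIUS side to test against), as an added example that is independent of the patch and its loguser.sh: a minimal sh session table, with the input check a practitioner would want before a peer-supplied username reaches the shell. The state file path is an assumed value.

```shell
#!/bin/sh
# Added example, independent of the patch's loguser.sh: a minimal session
# table for a PPPoE access concentrator.  mpd's up-script would call
# session_login, its down-script session_logout, and an inetd-served "who"
# returns session_who so a RADIUS checkrad-style probe can tell whether a
# user still has a live session (and so whether an old record is stale).
# Assumption (hypothetical): the state file path below; one line per session.

SESSIONS="${SESSIONS:-/tmp/pppoe-sessions.$$}"

# Usernames arrive from the PPPoE peer as the RADIUS auth-name, so treat
# them as untrusted: accept a conservative character set only, before a
# name is written to the table or placed on any command line.
valid_name() {
    case "$1" in
        ''|*[!A-Za-z0-9._@-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# session_login <user> <iface> <clientip>: record a new session.  An
# interrupted session never ran the down-script, so any entry still holding
# this interface is stale and is dropped first.
session_login() {
    valid_name "$1" || return 1
    if [ -f "$SESSIONS" ]; then
        awk -v i="$2" '$2 != i' "$SESSIONS" > "$SESSIONS.tmp" && mv "$SESSIONS.tmp" "$SESSIONS"
    fi
    printf '%s %s %s %s\n' "$1" "$2" "${3:--}" "$(date +%s)" >> "$SESSIONS"
}

# session_logout <user> <iface>: drop that user's entry for that interface.
session_logout() {
    valid_name "$1" || return 1
    [ -f "$SESSIONS" ] || return 0
    awk -v u="$1" -v i="$2" '!($1 == u && $2 == i)' "$SESSIONS" > "$SESSIONS.tmp" &&
        mv "$SESSIONS.tmp" "$SESSIONS"
}

# session_who: the listing an inetd "who" service would return.
session_who() {
    [ -f "$SESSIONS" ] && cat "$SESSIONS"
    return 0
}

# session_active <user>: exit status 0 if the user has any live session.
session_active() {
    valid_name "$1" || return 1
    [ -f "$SESSIONS" ] || return 1
    awk -v u="$1" '$1 == u { found = 1 } END { exit !found }' "$SESSIONS"
}
```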


[pfSense-discussion] freebsd ports vs pfsense ports

2007-02-28 Thread Paul
Working on mpd, I saw that there's a pfSense ports directory in 
/home/pfsense/tools


I need to port some custom packages to pfSense, so how do I tell the 
build scripts to use my own port instead of the freebsd ones, or shall I 
just copy them to /usr/ports?


Paul.


Re: [pfSense-discussion] PPPoE server mods

2007-02-28 Thread Paul

Scott Ullrich wrote:
http://wiki.pfsense.com/wikka.php?wakka=SubmittingPatches describes 
the process.

I'll clean up my patch and submit it. Thank you for answering.

Paul.


[pfSense-discussion] Developer bootstrap errors

2007-02-24 Thread Paul

Hi All,

I'm trying to get started with pfsense development (my goal is to make 
it an isp-grade access server).


I am trying to get the developer cd boot-strapped but so far had no luck 
with each of the ISO versions I could find (including 1.0release and the 
latest builds from 02-23-2007).


The problem is the same: the initial dev_bootstrap.sh fails with an 
error on the enc device during kernel configuration (I guess there's a 
patch for the IPSEC shaping), logs attached at the end for clarity.


As a work-around I try to call cvsup_current (in /home/pftools/.: 
with sh ./cvsup_current) and it runs properly (cvs update and some 
patches that succeed) until I come to some failed patches.


My question is: How do I get pfsense to build properly (i.e. RELENG_6_1) 
so that I can make my first modifications on a reasonably stable tree 
before moving to head?


Thank you for helping!

Paul

PS: Here are the attached logs:

 Initial dev_bootstrap.sh errors (with clean install):  
-

 Building world for i386 architecture 
 Rebuilding the temporary build tree
 stage 1.1: legacy release compatibility shims
 stage 1.2: bootstrap tools
 stage 2.1: cleaning up the object tree
 stage 2.2: rebuilding the object tree
 stage 2.3: build tools
 stage 3: cross tools
 stage 4.1: building includes
 stage 4.2: building libraries
 stage 4.3: make dependencies
 stage 4.4: building everything
 Building kernel for i386 architecture 
 Kernel build for pfSense.6 started on Sat Feb 24 08:59:35 UTC 2007
 stage 1: configuring the kernel
Something went wrong, check errors!
Log saved on /usr/obj.pfSense/home/pfsense/freesbie2/.tmp_buildkernel
*** Signal 15

Stop in /home/pfsense/freesbie2.
No matching processes were found


# tail -n 30 /usr/obj.pfSense/home/pfsense/freesbie2/.tmp_buildkernel

--
 Kernel build for pfSense.6 started on Sat Feb 24 08:59:35 UTC 2007
--
=== pfSense.6
mkdir -p /usr/obj.pfSense/usr/src/sys

--
 stage 1: configuring the kernel
--
cd /usr/src/sys/i386/conf;  
PATH=/usr/obj.pfSense/usr/src/tmp/legacy/usr/sbin:/usr/obj.pfSense/usr/src/tmp/legacy/usr/bin:/usr/obj.pfSense/usr/src/tmp/legacy/usr/games:/usr/obj.pfSense/usr/src/tmp/usr/sbin:/usr/obj.pfSense/usr/src/tmp/usr/bin:/usr/obj.pfSense/usr/src/tmp/usr/games:/sbin:/bin:/usr/sbin:/usr/bin  
config  -d /usr/obj.pfSense/usr/src/sys/pfSense.6  
/home/pfsense/tools/builder_scripts/conf/pfSense.6

config: Error: device enc is unknown
config: 1 errors
*** Error code 1

Stop in /usr/src.
*** Error code 1

Stop in /usr/src.





RE: [pfSense-discussion] Re: Newbie Q: security of php on perimeter firewall

2005-11-28 Thread Paul M. Impellizzeri
Is there any way we can reboot the mail server now? It is running at 100% cpu
but they are services that should normally be running. I think we need to
shake it out.

Paul

From: Scott Ullrich [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 28, 2005 1:27 PM
To: discussion@pfsense.com
Subject: Re: [pfSense-discussion] Re: Newbie Q: security of php on perimeter firewall

There are still a few other small ones. In particular with the status queues
screen + fast cgi. When we kill pfctl somehow its signal is being passed up
and killing off the fast-cgi handler.

Woops.

On 11/28/05, Bill Marquette [EMAIL PROTECTED] wrote:
 On 11/28/05, Lists [EMAIL PROTECTED] wrote:
  well hell maybe i should do devel work for pfsense cause ive already
  migrated my build to lighttpd :) then when browsing the cvs trees
  noticed it was in there

 We had some problems with lighty when we first imported it - firmware
 upgrades didn't work on embedded due to a bug in their handling of
 large POSTs. That's been fixed in a recent release, so we're moving
 back (that was the only bug that I know of, but it was kinda big ;-P)

 --Bill
