[pfSense-discussion] IPv6 needed, IPv4 exhaustion - was Re: [pfSense-discussion] Re: Low end, cool CPE.
On 12/11/10 13:43, Eugen Leitl wrote: - IPv6 support, native or tunnel to tunnelbroker.net type thing. ... The point is: We've been asking for IPv6 for too long. That's just one bit in a packet header. We need to start asking for the features we expect, which is a lot more than that bit. Leo Vegoda of IANA said on 13th Nov that a new block, 105/8, was recently released to AfriNIC, with previous allocations this year being 1/8 14/8 27/8 31/8 36/8 42/8 49/8 50/8 101/8 105/8 107/8 176/8 177/8 181/8 223/8 leaving only 11 unallocated /8's. so, that means none left by this time next year. oh, and it means people should check their bogon filter updaters are working! - To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com For additional commands, e-mail: discussion-h...@pfsense.com Commercial support available - https://portal.pfsense.org
[pfSense-discussion] IPSEC routing hack, and CARP, leading to arpresolve can't allocate route errors
if you recall, to make your pfsense firewall itself be able to talk to a remote site over an IPSEC tunnel, you need to add a hack which is a static route to remote network via the LAN address if you have a firewall cluster and you use the CARP address of the LAN, it does work, but it *seems* to cause the following errors to appear in system log: Sep 1 15:40:01 kernel: arpresolve: can't allocate route for 10.1.2.254 the 10.1.2.254 is the CARP ip on the LAN I can make these go away by using the IP of the firewall's LAN but that kind of defeats part of the purpose of having a cluster and carp! Apart from this being a distraction/nuisance, is this something to worry about?# thanks Paul - To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com For additional commands, e-mail: discussion-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense-discussion] filling network with meaningful traffic
put up some linux mirrors with a web service on each IP - use https and that way you won't be asked to use named virtual hosts as that doesn't work with https - To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com For additional commands, e-mail: discussion-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense-discussion] any chances to see pfsense on GuruPlug Plus?
I asked them if there was a UK distributor, and they responded promptly with http://www.newit.co.uk/shop/products.php?cat=11 dual ethernet for less than £100 (US$150) seems quite a good deal. - To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com For additional commands, e-mail: discussion-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense-discussion] broadcom BCM5722 only running at 100M not 1G
well, I simply swapped round the firewall's connections to the switch - both have just a 1m cable direct to the cisco 3560e the primary firewall is now connecting at 1Gb/s and strangely the secondary is still at 1G, so I have no idea what the problem was. tis a pity that Dell use broadcom on-board and not intel. oh well. - To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com For additional commands, e-mail: discussion-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense-discussion] broadcom BCM5722 only running at 100M not 1G
On 01/02/10 18:54, Chris Buechler wrote: Sure you're using CAT5e or better cables and not just CAT5? That's the most common cause when I run into things like that. thanks for the idea, but all our cables are cat6, and it's only a 1m cable directly from back of server into the switch so no patching or joins or anything to interfere - To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com For additional commands, e-mail: discussion-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense-discussion] broadcom BCM5722 only running at 100M not 1G
On 02/02/10 12:19, Alexander Norman wrote: Try a firmware upgrade or downgrade. The broadcom firmware has been a bit shaky. The easiest way to do it is to install for example windows 2008 server (30 day evaluation) and do a firmware upgrade through it. I had a horrible feeling you were going to suggest installing windows. well, fortunately I bought a spare Dell disk caddy specifically for building a multi-boot utility disk for these sort of tasks. I'm going to have some spare R300 servers soon anyway so I can get set up on one of those first before I wreck our firewall :-) I've a few other last resort ideas to try before your yours, but thanks very much and if anything else occurs to anyone I'm willing to listen to anything even if it seems silly. - To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com For additional commands, e-mail: discussion-h...@pfsense.com Commercial support available - https://portal.pfsense.org
[pfSense-discussion] broadcom BCM5722 only running at 100M not 1G
after complaint about slowness between our lan and dmz, I traced it to a firewall interface on our pfsense 1.2.3 firewall, a Dell R300 with onboard broadcom bcm5722 FreeBSD fwa.xxx.yyy 7.2-RELEASE-p5 FreeBSD 7.2-RELEASE-p5 #0: Sun Dec 6 23:20:31 EST 2009 sullr...@freebsd_7.2_pfsense_1.2.3_snaps.pfsense.org:/usr/obj.pfSense/usr/pfSensesrc/src/sys/pfSense_SMP.7 i386 a bit of googling came up with this http://groups.google.com/group/mailing.freebsd.current/browse_thread/thread/4b42a0fa82125473?pli=1 I bounced the interface as suggested and it didn't help, and swapped the cable, also no joy. this firewall is one of a clustered pair, the 2ndry is identical hardware and its bge0 is running fine at 1000baseT. the cisco switch they're both plugged into doesn't suggest any errors. stuff reported in dmesg... bge0: Broadcom BCM5722 A0, ASIC rev. 0xa200 mem 0xdfdf-0xdfdf irq 16 at device 0.0 on pci1 brgphy0: BCM5722 10/100/1000baseTX PHY PHY 1 on miibus0 brgphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, 1000baseT, 1000baseT-FDX, auto any suggestions please? Paul - To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com For additional commands, e-mail: discussion-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense-discussion] broadcom BCM5722 only running at 100M not 1G
On 01/02/10 13:03, Paul Mansfield wrote: I bounced the interface as suggested and it didn't help, and swapped the cable, also no joy. oh. and a reboot didn't fix it either. ;-( # dmesg | egrep -i broadcom|bcm|bgr|bge|ukp|mii|phy bge0: Broadcom BCM5722 A0, ASIC rev. 0xa200 mem 0xdfdf-0xdfdf irq 16 at device 0.0 on pci1 miibus0: MII bus on bge0 brgphy0: BCM5722 10/100/1000baseTX PHY PHY 1 on miibus0 brgphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, 1000baseT, 1000baseT-FDX, auto bge0: Ethernet address: 00:22:19:7a:42:ae bge0: [ITHREAD] bge1: Broadcom BCM5722 A0, ASIC rev. 0xa200 mem 0xdfef-0xdfef irq 17 at device 0.0 on pci2 miibus1: MII bus on bge1 brgphy1: BCM5722 10/100/1000baseTX PHY PHY 1 on miibus1 brgphy1: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, 1000baseT, 1000baseT-FDX, auto bge1: Ethernet address: 00:22:19:7a:42:af bge1: [ITHREAD] (mpt0:vol0:1): Physical (mpt0:0:1:0), Pass-thru (mpt0:1:0:0) (mpt0:vol0:0): Physical (mpt0:0:9:0), Pass-thru (mpt0:1:1:0) bge1: link state changed to UP bge0: link state changed to UP - To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com For additional commands, e-mail: discussion-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense-discussion] openvpn and mac osx 10.6
On 27/01/10 12:27, Paul Mansfield wrote: On 26/01/10 16:01, Paul Mansfield wrote: On 26/01/10 15:39, Nate Davis wrote: BTW, Nate, were you using tun or tap? a test shows that using tap/bridging kicks off the mac's dhcp client and that successfully sets up DNS. I think we're going to end up building a non-pfsense (linux) box for this as it'll be easier and we can use a lot of openvpn options that require too much messing with custom fields in pfsense. - To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com For additional commands, e-mail: discussion-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense-discussion] openvpn and mac osx 10.6
On 26/01/10 18:19, Chris Buechler wrote: On Tue, Jan 26, 2010 at 10:23 AM, Paul Mansfield it-admin-pfse...@taptu.com wrote: we had openvpn working with osx 10.5 with a bit of bodging to get DNS to work, but 10.6.2 seems to have quite a few DNS quirks that prevent resolver from being set we've had to fiddle with the macs to add a new network location/profile called vpn which has manual DNS settings; it's made harder by the inconsistent way that apple airport connections are set. so I was wondering whether anyone had a better fix, or even a way to make it work seamlessly? we're using tunnelblick which is a wrapper round openvpn with some scripts; the build we're trying, I'm told, has a very up to date version of ovpn. - To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com For additional commands, e-mail: discussion-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense-discussion] openvpn and mac osx 10.6
On 26/01/10 16:01, Paul Mansfield wrote: On 26/01/10 15:39, Nate Davis wrote: Paul, We are using http://www.viscosityvpn.com/ as the OpenVPN Client for the Mac= s on our network, and it has worked like a dream. I can resolve items by name over the vpn and such. We were using tunnelblick for quite a while, but this paid product was the way to go in our environment. We are running 10.6.2 clients. hmm, interesting, so I suspect it's the tunnelblick helper app we're using that's failing to work. we did have one guy use viscosity and like it, but up till recently there wasn't anyone who was complaing of problems, but now I've got a real problem with a couple of non-technical users, unfortunately they're the ones who most need a roaming VPN solution :-( thanks very much for the feedback! My colleague tried viscosity and found that it didn't make a difference either I'd like to add I have tried shared key and x509 methods, and in both cases usign tunnelblick I have to put the route commands in as the Mac ignores it. I am using udp, but on a non-standard port for testing; here's the generated configuration on the pfsense 1.2.3 server. writepid /var/run/openvpn_server43.pid #user nobody #group nobody daemon keepalive 10 60 ping-timer-rem persist-tun persist-key dev tun proto udp cipher BF-CBC up /etc/rc.filter_configure down /etc/rc.filter_configure client-to-client server w.x.y.z 255.255.255.0 client-config-dir /var/etc/openvpn_csc lport push dhcp-option DOMAIN example.com push dhcp-option DNS a.b.c.d push dhcp-option DNS a.b.e.f push dhcp-option WINS a.b.c.d push dhcp-option NTP a.b.c.d push dhcp-option NTP a.b.e.f push dhcp-option DISABLE-NBT ca /var/etc/openvpn_server43.ca cert /var/etc/openvpn_server43.cert key /var/etc/openvpn_server43.key dh /var/etc/openvpn_server43.dh comp-lzo # pick up per-client options client-config-dir /var/etc/ccd # keep detailed log and status status /var/log/full/openvpn_server43.status log /var/log/full/openvpn_server43.log - To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com For additional commands, e-mail: discussion-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense-discussion] getting your feet wet with BGP
On 16/12/09 14:55, Eugen Leitl wrote: On Tue, Dec 15, 2009 at 07:52:06PM +0100, Aarno Aukia wrote: offer that option (it doesn't). Becoming a LIR at the current juncture is prohibitive because of fees alone. and becoming an LIR doesn't guarantee you'll get an allocation of IPs either I already have a /24 PI. It's not nearly exhausted yet, though by the time it will getting IPv4 space will be more than slightly difficult. I'm looking into IPv6 seriously right now. Have a tunnel and a subnet there are some of the larger ISPs who won't accept something as small as a /24, to be pretty sure of being globally routable you need a /23 or larger space. that reminds me, we've not had a good discussion about pfSense and ipv6 for a while :-) - To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com For additional commands, e-mail: discussion-h...@pfsense.com Commercial support available - https://portal.pfsense.org
[pfSense-discussion] pfSense in TechRepublic article
http://blogs.techrepublic.com.com/opensource/?p=1110tag=nl.e102 - To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com For additional commands, e-mail: discussion-h...@pfsense.com Commercial support available - https://portal.pfsense.org
[pfSense-discussion] openvpn 2.1 rc20 out now
http://www.openvpn.net/index.php/open-source/downloads.html just thought people might want to upgrade, the RCs have been good for me, especially for vista users where you don't have to do the external route stuff. perhaps openvpn 2.1 will be released in time to make it into pfSense 1.3 and 2.0 releases? - To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com For additional commands, e-mail: discussion-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense-discussion] jetway jnc92 - was Re: [pfSense-discussion] commercial ALIX pfsense routers
On 05/10/09 11:34, Eugen Leitl wrote: I typically use 2-4 GByte Transcend IDE SSD (DoM) dongles. the closest I can come to that would be a CF card in a CF-IDE adaptor. Thanks for the assembly pictures -- what kind of case is this? 'fraid I can't say, I bought it long ago and it was used as a multimedia computer for a while*. the only problem I have is that the PSU is long and thin, a bit like a zero-U PSU and not a cube like hte one that the case used before (about half the volume like a shrunken normal PC PSU). I didn't use the original PSU as it's quite old, not very efficient, and somewhat noisy* (hence stopped using as a media PC). - To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com For additional commands, e-mail: discussion-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense-discussion] commercial ALIX pfsense routers
On 01/10/09 14:42, Eugen Leitl wrote: On Thu, Oct 01, 2009 at 02:08:32PM +0100, Paul Mansfield wrote: You might want to have a look at Linitx, they do m0n0wall kits and speaking to one of the guys who works there, they are happy to do a pfSense embeded version on request. http://linitx.com/viewcategory.php?catid=178pp=176,178 I've just ordered a Jetway JNC92-330LF miniITX board from them, they do a triple Intel-gigabit-NIC daughter board, and a dual-slot PCI riser. Do you have a pointer to the triple Intel GBit NIC daughter board? I can't find it in their shop. first result for linitx.com triple intel on google :-D http://linitx.com/viewproduct.php?prodid=12576 The UPS man delivered my parcel a few minutes ago so if people want I am happy to post a picture or two and run some benchmarks when I've had a chance to play. I'm not sure whether a VIA crypto engine wouldn't outperform the Atom. Apparentely, next-generation Intel and AMD chips will support e.g. AES directly in hardware. Don't know what took them so long. yeah, you'd have thunk it. maybe intel have shares in Rainbow Technologies? P. - To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com For additional commands, e-mail: discussion-h...@pfsense.com Commercial support available - https://portal.pfsense.org
[pfSense-discussion] OT: freebsd8 vs ubuntu 9.10
http://www.linuxtoday.com/infrastructure/2009092801435NWCYSW thought it might be interesting albeit off topic - To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com For additional commands, e-mail: discussion-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense-discussion] High latency on downloads with shaping
Joe Lagreca wrote: This seems odd, as I run pfsense at other locations without problems with their VOIP. So I'm wondering why the issue at this location. get a separate WAN circuit for your VOIP connections if they're that important? presumably your VOIP phones are on their own VLAN, and you have sufficient switch capacity? - To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com For additional commands, e-mail: discussion-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense-discussion] High latency on downloads with shaping
Joe Lagreca wrote: But then you are in a catch 22, because without the shaper, VOIP will surely be choppy. get a separate WAN circuit for your VOIP connections if they're that important? - To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com For additional commands, e-mail: discussion-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense-discussion] VOIP traffic shaping problems
Joe Lagreca wrote: Symptoms: When I download a large file and max our download speed, do you have VOIP network on a separate interface on your firewall (a necessity for call security anyway)? are you using decent switches with a high packet rate? - To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com For additional commands, e-mail: discussion-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense-discussion] Secure LAN and WLAN setup
David Nordin wrote: This might most likely come out as noise in here and wasted internetbits ;) I would like to create a pretty much maximum secure networkstructure for you probably want to read a primer about networking and security before you get bogged down in looking at any one product - whether checkpoint, pfsense, cisco etc. the Cheswick and Bellovin book http://tinyurl.com/b3j22j is well worth reading, if a little dated Paul - To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com For additional commands, e-mail: discussion-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense-discussion] atom + US15W pico ITX board
Eugen Leitl wrote: I presume you're talking firewall, have you considered VIA Nano? The performance is slightly on top of Atom, and Atom doesn't have the RNG and the crypto built-in. yes, firewalling for minimal power. if you have any pointers to nano motherboards with suitable network interfaces I'd be interested cheers Paul - To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com For additional commands, e-mail: discussion-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense-discussion] centralized management with distributed pfsense installations
Jason Dixon wrote: This is something I've been thinking about quite a bit lately. I'd like to see something modular that could potentially be used on any PF-based system. If there are others interested in this (or already working on it), please contact me. I nice feature I'd like would be to make the configuration selectively exportable/importable, in particular the aliases, so that it'd be easier to keep things consistent. It'd then be possible to expand the feature into having a master pfsense node selectively push configuration sections to slaves. - To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com For additional commands, e-mail: discussion-h...@pfsense.com Commercial support available - https://portal.pfsense.org
[pfSense-discussion] atom + US15W pico ITX board
we've been a close observer of low-power CPUs and chipsets, because a lot of our costs are colocation fees which are mainly about power. In theory Pouslbo/US15W is much more efficient than the usual atom + desktop chipset, but it not particularly common... then I came across this: http://www.igologic.com/products/Product.aspx?ProductID=78 is anyone else considering these type of devices? - To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com For additional commands, e-mail: discussion-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense-discussion] Load balancer using carp interfaces?
Veiko Kukk wrote: Hi! I wonder if there are some good reasons why i'ts not possible to choose CARP interfaces (virtual IP-s) for load balancer pools? If not, then why can't I select carpx interfaces for ISP failover load balancer pool? Please fix it or help me how to fix that in my installation. huh, you can. create a pool of actual servers with internal IPs ports, then create the virtual external service listening on the carp IP with specific port. - To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com For additional commands, e-mail: discussion-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense-discussion] pfSense 1.2.1-RC2 now available
Chris Buechler wrote: More info: http://blog.pfsense.org/?p=284 woo! congrats to devs and support for all their hard work. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] Commercial support available - https://portal.pfsense.org
Re: [pfSense-discussion] SLC or MLC flash for full install
Eugen Leitl wrote: Have any of you made especially good/bad experiences wtith either SLC or MLC CF? Any vendors to recommend, or to stay away from? in theory SLC is going to be more reliable, speed probably doesn't matter. avoid small vendors and ebay as there's a huge number of counterfeit and dodgy cards around!
Re: [pfSense-discussion] openVPN routing
Mark Dueck wrote: I am having some problems getting openVPN to route a properly from site to site. I had it working perfectly in between, but now nothing seems to make a difference to make it work. what does netstat -rn say
[pfSense-discussion] solwise - UK seller of wifi kit - Re: [pfSense-discussion] Setup advice wanted, devices for public library
802.11 mini PCI cards: http://www.netgate.com/index.php?cPath=27_86 I've been quite happy with service from solwise for miniPCI adaptors and various wifi accessories. I bought one of these and fitted a spare intel 2915abg minipci card: http://www.solwise.co.uk/wireless-pci-slot.htm I can only use it in ad-hoc mode so it's wep only, and then that interface is heavily filtered but allows openvpn access. Paul
Re: [pfSense-discussion] Used ALIX or Soekris?
Adam Van Ornum wrote: Does anyone have any ALIX or Soekris kits that they don't need any more? I'm currently running pfSense on a dual P3 system at home and its way over-powered for what I need and I would like to get something that one of those new Intel Atom CPU motherboards would be worth looking at too.
Re: [pfSense-discussion] Used ALIX or Soekris?
Eugen Leitl wrote: On Wed, Jun 25, 2008 at 11:28:12AM +0100, Paul Mansfield wrote: one of those new Intel Atom CPU motherboards would be worth looking at too. Anyone aware of an affordable system with Nano or at least a C7, with decent (Intel would be best, but beggars can't be choosers) NICs onboard? Mini-ITX would be best. But any small brick or 19 1U form factor ok, too. http://www.tranquilpc-shop.co.uk/acatalog/T2e_atom_cd.html http://www.tranquilpc-shop.co.uk/acatalog/T7Atom.html ?
[pfSense-discussion] Re: Nessus : Change in the Plugin Feed Policy (Reminder)
now none-free for any commercial usage, I was wondering if anyone's looked at the alternatives? http://www.openvas.org/ http://www.lbtechservices.com/projects/sussen/ Original Message Tenable Subscriptions wrote: (You are receiving this email because you are using or used a Nessus plugin feed in the past) Dear Nessus User, Tenable announced on May 14th 2008 an important licensing change to the plugin subscriptions that will affect you as of July 31st, 2008. Please read the original announcement which has been attached to this email for your convenience. If you have further questions, please contact us at [EMAIL PROTECTED] or visit us at http://www.nessus.org/ Thank you, Tenable Network Security http://www.tenablesecurity.com