Re: [pfSense] Strange problem after auto update

2012-11-05 Thread Mikey van der Worp
Hi,

According to the details it looks like ICMP echo is blocked. Does it do the 
same pinging to google etc?

Sincerely yours, 

Mikey van der Worp 
--
Utelisys Communications B.V.


On 5 Nov 2012 at 04:23, Jerome Alet jerome.a...@univ-nc.nc wrote:

> Hi,
>
> We've got two pfsense 2.1-BETA0 snapshots running on AMD64 as a failover
> cluster. Each of these two Dell R610 has two Intel quad ports Gigabit
> Ethernet (igb) and one (integrated) Broadcom (bce) quad ports Gigabit
> Ethernet cards.
>
> Both were running 8.3-RELEASE-p4 #1: Thu Sep 27 14:06:33 EDT 2012 just
> fine.
>
> This morning, I've updated the slave to 8.3-RELEASE-p4 #1: Sat Nov  3
> 16:04:02 EDT 2012. Fortunately I haven't updated the master for now.
>
> Since this upgrade, all syslog from the slave host logs to our central
> syslog server as the CARP VIP address of the LAN. Before, it went to the
> central syslog server as its own LAN address, just like the master
> host. This is a really big change and I don't really understand why it
> would happen or even be a good idea.
>
> Finally, the slave host does seem to have big connectivity problems,
> causing at least DNS to fail :
>
> One of our DNS server's IP address is 10.10.0.3, on the LAN.
>
> The master's IP address is 10.10.3.252, the slave is 10.10.3.253 and the
> CARP virtual IP is 10.10.3.254. The network mask is 255.255.252.0
>
> Now here's a ping from our DNS server to the slave :
>
> awa:~ # ping pfsense2
> PING pfsense2-intra.univ-nc.nc (10.10.3.253) 56(84) bytes of data.
> 64 bytes from pfsense2-intra.univ-nc.nc (10.10.3.253): icmp_seq=1 ttl=64 time=0.267 ms
> 64 bytes from pfsense2-intra.univ-nc.nc (10.10.3.253): icmp_seq=2 ttl=64 time=0.205 ms
> 64 bytes from pfsense2-intra.univ-nc.nc (10.10.3.253): icmp_seq=3 ttl=64 time=0.215 ms
> 64 bytes from pfsense2-intra.univ-nc.nc (10.10.3.253): icmp_seq=4 ttl=64 time=0.243 ms
>
> --- pfsense2-intra.univ-nc.nc ping statistics ---
> 4 packets transmitted, 4 received, 0% packet loss, time 3012ms
> rtt min/avg/max/mdev = 0.205/0.232/0.267/0.028 ms
>
> The other way around, from the slave to DNS :
>
> [2.1-BETA0][r...@pfsense2.univ-nc.nc]/etc(13): ping 10.10.0.3
> PING 10.10.0.3 (10.10.0.3): 56 data bytes
> ^C
> --- 10.10.0.3 ping statistics ---
> 9 packets transmitted, 0 packets received, 100.0% packet loss
>
> So this way all packets are lost, but traceroute works fine :
>
> [2.1-BETA0][r...@pfsense2.univ-nc.nc]/etc(20): traceroute -n 10.10.0.3
> traceroute to 10.10.0.3 (10.10.0.3), 64 hops max, 52 byte packets
> 1  10.10.0.3  0.276 ms  0.308 ms  0.221 ms
>
> If I do a full restore (I did a full backup before the slave update),
> then all works fine again.
>
> Any idea of what could be wrong with our setup ?
>
> Thanks so much in advance
>
> --
> Jérôme Alet - jerome.a...@univ-nc.nc - Direction du Système d'Information
>  Université de la Nouvelle-Calédonie - BPR4 - 98851 NOUMEA CEDEX
>   Tél : +687 290081  Fax : +687 254829
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


[pfSense] Bandwidth limiter

2012-11-05 Thread Jeremy Martijn
Good morning,

I have a question regarding the bandwidth limiter on pfsense.
I'm going to describe the current situation and what I have done so far.

I want to limit every user on the network to a 20Mbit/s down/10Mbit/s upload 
speed and the whole network should have a 100Mbit/s download and upload speed.

Limiter made Limit_In at 20Mbit/s and Limit_Out on 10Mbit/s.

Firewall Rule on the LAN, with  Interface LAN, Protocol TCP/UDP, Source type 
LAN subnet and In/Out set to Limit_Out and Limit_In.

When I do a speedtest I get the 20/10 speed as I have configured it, but what 
I'm unsure about is whether this speed is now set per user or for the LAN 
subnet. What will happen if more users connect to the LAN subnet?

And if I want to limit the whole bandwidth speed of the pipe to 100Mbit/s, how 
would I need to make a rule for that?

Uplink is 100Mbit/s
Speed per user 20Mbit/s download 10Mbit/s upload on LAN subnet.

Thanks in advance.

Sincerely yours,

Jeremy Martijn


Re: [pfSense] Bandwidth limiter

2012-11-05 Thread Vassilis V.


Jeremy Martijn wrote on 05.11.2012 12:42:
> Good morning,
>
> I have a question regarding the bandwidth limiter on pfsense.
>
> I'm going to describe the current situation and what I have done so far.
>
> I want to limit every user on the network to a 20Mbit/s down/10Mbit/s
> upload speed and the whole network should have a 100Mbit/s download and
> upload speed.
>
> Limiter made Limit_In at 20Mbit/s and Limit_Out on 10Mbit/s.
>
> Firewall Rule on the LAN, with  Interface LAN, Protocol TCP/UDP, Source
> type LAN subnet and In/Out set to Limit_Out and Limit_In.
>
> When I do a speedtest I get the 20/10 speed as I have configured it, but
> what I'm unsure about is whether this speed is now set per user or for the
> LAN subnet. What will happen if more users connect to the LAN subnet?
>
> And if I want to limit the whole bandwidth speed of the pipe to
> 100Mbit/s, how would I need to make a rule for that?
>
> Uplink is 100Mbit/s
>
> Speed per user 20Mbit/s download 10Mbit/s upload on LAN subnet.
>
> Thanks in advance.
>
> Sincerely yours,
>
> Jeremy Martijn
 


Hi Jeremy

for the per-user limiter, check the Mask setting:

If 'source' or 'destination' is chosen, a dynamic pipe with the
bandwidth, delay, packet loss and queue size given above will be created
for each source/destination IP address encountered, respectively. This
makes it possible to easily specify bandwidth limits per host.

If you want to limit the whole subnet too, I guess you would need to
make a different rule at a higher priority.

Hope it helps!
Vassilis
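
The Mask behaviour quoted in the reply above, as an added example that is not part of the original post and is not pfSense or dummynet code: a small Python model of which pipe each flow lands in under mask none, source and destination, and the ceiling that results. The function names, the sample addresses and the way the subnet-wide cap is applied are assumptions made for illustration.

```python
"""Model of the limiter 'Mask' semantics quoted above (illustration only,
not pfSense or dummynet code). Rates are in Mbit/s."""
from collections import defaultdict

MASK_FIELD = {"none": None, "source": 0, "destination": 1}


def pipe_loads(flows, mask):
    """Group flows into pipes.

    flows: iterable of (src_ip, dst_ip, offered_mbit)
    mask:  'none' -> one shared pipe; 'source' / 'destination' -> one
           dynamic pipe per source / destination address encountered.
    Returns {pipe_key: offered Mbit/s landing in that pipe}.
    """
    field = MASK_FIELD[mask]
    loads = defaultdict(int)
    for flow in flows:
        key = "shared" if field is None else flow[field]
        loads[key] += flow[2]
    return dict(loads)


def delivered(flows, mask, pipe_mbit):
    """Each pipe forwards at most pipe_mbit of what lands in it."""
    return {k: min(v, pipe_mbit) for k, v in pipe_loads(flows, mask).items()}


def total(flows, mask, pipe_mbit, aggregate_mbit=None):
    """Combined throughput, optionally capped by a second, unmasked limit.

    Assumption: the subnet-wide limit applies to the sum of all pipes.
    """
    combined = sum(delivered(flows, mask, pipe_mbit).values())
    return combined if aggregate_mbit is None else min(combined, aggregate_mbit)


# Constructed sample: three LAN hosts uploading (src is the LAN host).
UPLOADS = [
    ("192.168.1.11", "198.51.100.7", 30),
    ("192.168.1.12", "198.51.100.7", 4),
    ("192.168.1.13", "203.0.113.9", 25),
]
# Constructed sample: eight LAN hosts each pulling 25 Mbit/s (dst is the LAN host).
DOWNLOADS = [("198.51.100.7", f"192.168.1.{n}", 25) for n in range(11, 19)]

if __name__ == "__main__":
    for mask in ("none", "source", "destination"):
        print("upload, 10 Mbit/s pipe, mask", mask, "->", delivered(UPLOADS, mask, 10))
    print("download, per host:", total(DOWNLOADS, "destination", 20))
    print("download, with 100 Mbit/s cap:", total(DOWNLOADS, "destination", 20, 100))
```

With mask destination applied to the upload sample, the two hosts talking to the same remote server share one pipe, so the mask has to be taken on the side of the flow where the LAN host sits. Eight hosts at 20 Mbit/s each add up to 160 Mbit/s, which is why a separate limit is needed to hold the subnet to the 100 Mbit/s uplink.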




[pfSense] More than one MAC address on one phys.ethernet interface

2012-11-05 Thread David Brodski
Hi,

my ISP gives me one global IP per computer (mac address / dhcp) attached to my 
cable modem. When I use pfsense as firewall, I can only get one IP since it 
only has one wan interface. I do not know the IP addresses before, they are not 
static IPs.
Is there a way to do that in pfsense without adding another ethernet card? I 
already found similar topics, but they are quite old and the links are not 
working (http://www.mail-archive.com/support@pfsense.com/msg02096.html).
It seems that either I need the kernel module ng_ether.ko or change some scripts 
since I can not add a bridge to my interfaces.
If I run ngctl list I'll get unnamed interfaces and the real interfaces re0 
and re1 are not in the list, similar to 
http://forum.pfsense.org/index.php/topic,36722.msg189344.html . The solution 
they describe is missing some steps or I just do not get it :-D.
I also tried 
http://www.daemonforums.org/showpost.php?s=3301fb2839be371ede93676af845f86b&p=19494&postcount=12
 but the line ngctl mkpeer ngeth0: bridge lower link0 gives me an error 
(probably the missing ng_ether.ko).

Is there a way to get that kind of configuration? 

This is the first time working with BSD so don't be too harsh :-)

Thanks for the help,
David



Re: [pfSense] More than one MAC address on one phys.ethernet interface

2012-11-05 Thread Ermal Luçi
you have to attach the interface yourself to netgraph.

ngctl ether $iface -iirc

After that you can continue renaming the interface etc...
But you will have issues with restart of pfSense.

There was never something pushing this to be implemented.


On Mon, Nov 5, 2012 at 2:16 PM, David Brodski da...@brodski.eu wrote:

> Hi,
>
> my ISP gives me one global IP per computer (mac address / dhcp) attached
> to my cable modem. When I use pfsense as firewall, I can only get one IP
> since it only has one wan interface. I do not know the IP addresses before,
> they are not static IPs.
> Is there a way to do that in pfsense without adding another ethernet card?
> I already found similar topics, but they are quite old and the links are not
> working (http://www.mail-archive.com/support@pfsense.com/msg02096.html).
> It seems that either I need the kernel module ng_ether.ko or change some
> scripts since I can not add a bridge to my interfaces.
> If I run ngctl list I'll get unnamed interfaces and the real interfaces
> re0 and re1 are not in the list, similar to
> http://forum.pfsense.org/index.php/topic,36722.msg189344.html . The
> solution they describe is missing some steps or I just do not get it :-D.
> I also tried
> http://www.daemonforums.org/showpost.php?s=3301fb2839be371ede93676af845f86b&p=19494&postcount=12
> but the line ngctl mkpeer ngeth0: bridge lower link0 gives me an error
> (probably the missing ng_ether.ko).
>
> Is there a way to get that kind of configuration?
>
> This is the first time working with BSD so don't be too harsh :-)
>
> Thanks for the help,
> David





-- 
Ermal


Re: [pfSense] Strange problem after auto update

2012-11-05 Thread jerome alet
Hi,

 
> From: Mikey van der Worp mvdw...@utelisys.com
> Sent: Mon Nov 05 15:29:04 NCT 2012
> To: pfSense support and discussion list@lists.pfsense.org
> Subject: Re: [pfSense] Strange problem after auto update
>
> According to the details it looks like ICMP echo is blocked. Does it do the
> same pinging to google etc?

Sorry, forgot to add that I don't see any rejected packet in our central 
syslog server, for any of these two pfSense boxes.

As far as pinging google is concerned, DNS doesn't work either, so I don't 
think ICMP echo is particular, I mentioned this to expose the connectivity 
problem.

BTW since our DNS server is on the LAN interface, and the default rule in 
pfSense (IIRC) is to allow all from LAN (and we kept this default rule active), 
the DNS queries should just work, and they don't.

What is strange though is that both the web interface and the ssh server work, 
even when connecting from LAN.

Could this be a misconfiguration on our part, being exposed only because of the 
update ? 

Thanks in advance for any hint

-- 
Jerome Alet

 


Re: [pfSense] Strange problem after auto update

2012-11-05 Thread Jerome Alet
Me, again :-)

I've noticed something that might be helpful...

When I have upgraded the slave member of my pfSense cluster, the version
number of the configuration file changes from 9.0 to 9.1

So I've got two members of the cluster with different versions, since
I've not upgraded the master yet, and I'm not sure I want to do it
before knowing the source of my problem.

So master is still in 9.0 and slave is in 9.1.

Could this be the cause of my problem ? I mean, when the master tries to
sync its configuration to the slave, doesn't it break the slave's
configuration ?

Is the proper way to upgrade by upgrading the master first ???

Does this mean that if I upgrade the master now, all will be fine again
?

Thanks (again) in advance for any answer.

--
Jérôme Alet - jerome.a...@univ-nc.nc - Direction du Système d'Information
  Université de la Nouvelle-Calédonie - BPR4 - 98851 NOUMEA CEDEX
   Tél : +687 290081  Fax : +687 254829


Re: [pfSense] More than one MAC address on one phys.ethernet interface

2012-11-05 Thread David Brodski
Thank you for the reply, but it is not working.

If I try to use the commands from
http://www.daemonforums.org/showpost.php?s=192d3b485d84462d3982051f5959b35a&p=19494&postcount=12

ngctl mkpeer . eiface hook ether - works
ifconfig ngeth0 up - works

[2.0.1-RELEASE][admin@pfsense.localdomain]/root(5): ngctl mkpeer ngeth0: bridge lower link0
ngctl: send msg: Protocol family not supported

and that is where it does not work anymore.

If I try your command:

[2.0.1-RELEASE][admin@pfsense.localdomain]/root(2): ngctl ether re0 -iirc
ngctl: ether: unknown command

Any idea what went wrong?

Thanks,
David

General information:
re0 is the external interface, ngeth0 is created after the first command.
I can assign another mac to ngeth0 but of course I can not send any data.

[2.0.1-RELEASE][admin@pfsense.localdomain]/root(8): ngctl list
There are 5 total nodes:
  Name: <unnamed>   Type: socket  ID: 0010   Num hooks: 0
  Name: <unnamed>   Type: socket  ID: 000f   Num hooks: 0
  Name: ngctl31879  Type: socket  ID: 002e   Num hooks: 0
  Name: ngeth0      Type: eiface  ID: 002a   Num hooks: 0
  Name: fwe0        Type: ether   ID: 0001   Num hooks: 0


[2.0.1-RELEASE][admin@pfsense.localdomain]/root(7): ifconfig
fwe0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 02:00:00:00:00:00
        ch 1 dma -1
fwip0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        lladdr 0.0.0.0.0.0.0.0.a.2.ff.fe.0.0.0.0
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=389b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC>
        ether 00:03:1d:03:e8:1c
        inet6 fe80::203:1dff:fe03:e81c%re0 prefixlen 64 scopeid 0x3
        inet 83.XXX.XXX.XX netmask 0xfe00 broadcast 83.XXX.XXX.255
        nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
re1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=389b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC>
        ether 00:03:1d:03:e8:1d
        inet 192.168.140.2 netmask 0xff00 broadcast 192.168.140.255
        inet6 fe80::203:1dff:fe03:e81d%re1 prefixlen 64 scopeid 0x4
        nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet 127.0.0.1 netmask 0xff00
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
        nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
pfsync0: flags=0<> metric 0 mtu 1460
        syncpeer: 224.0.0.240 maxupd: 128 syncok: 1
pflog0: flags=100<PROMISC> metric 0 mtu 33200
enc0: flags=0<> metric 0 mtu 1536
ngeth0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:00:00:00:00:00
        inet6 fe80::203:1dff:fe03:e81c%ngeth0 prefixlen 64 scopeid 0xa
        nd6 options=3<PERFORMNUD,ACCEPT_RTADV>


On 05.11.2012 16:56, Ermal Luçi wrote:
> you have to attach the interface yourself to netgraph.
>
> ngctl ether $iface -iirc
>
> After that you can continue renaming the interface etc...
> But you will have issues with restart of pfSense.
>
> There was never something pushing this to be implemented.
>
>
> On Mon, Nov 5, 2012 at 2:16 PM, David Brodski da...@brodski.eu wrote:
>
>> Hi,
>>
>> my ISP gives me one global IP per computer (mac address / dhcp)
>> attached to my cable modem. When I use pfsense as firewall, I can
>> only get one IP since it only has one wan interface. I do not know
>> the IP addresses before, they are not static IPs.
>> Is there a way to do that in pfsense without adding another
>> ethernet card? I already found similar topics, but they are quite
>> old and the links are not working
>> (http://www.mail-archive.com/support@pfsense.com/msg02096.html).
>> It seems that either I need the kernel module ng_ether.ko or change
>> some scripts since I can not add a bridge to my interfaces.
>> If I run ngctl list I'll get unnamed interfaces and the real
>> interfaces re0 and re1 are not in the list, similar to
>> http://forum.pfsense.org/index.php/topic,36722.msg189344.html .
>> The solution they describe is missing some steps or I just do not
>> get it :-D.
>> I also tried
>> http://www.daemonforums.org/showpost.php?s=3301fb2839be371ede93676af845f86b&p=19494&postcount=12
>> but the line ngctl mkpeer ngeth0: bridge lower link0 gives me an
>> error (probably the missing ng_ether.ko).
>>
>> Is there a way to get that kind of configuration?
>>
>> This is the first time working with BSD so don't be too harsh :-)
>>
>> Thanks for the help,
>> David
 

Re: [pfSense] More than one MAC address on one phys.ethernet interface

2012-11-05 Thread Chris Buechler
On Mon, Nov 5, 2012 at 2:31 PM, David Brodski da...@brodski.eu wrote:
> Thank you for the reply, but it is not working.


There's about 0 chance of that working without source code hacking.
You'll need one NIC per IP to do that easily. I'd suggest a real,
proper static IP assignment rather than that mess that no packaged
firewall solution can properly support without one NIC per IP if your
ISP can offer anything different.


Re: [pfSense] More than one MAC address on one phys.ethernet interface

2012-11-05 Thread Michael Schuh
2012/11/6 Chris Buechler c...@pfsense.org:
> On Mon, Nov 5, 2012 at 2:31 PM, David Brodski da...@brodski.eu wrote:
>> Thank you for the reply, but it is not working.
>
> There's about 0 chance of that working without source code hacking.
> You'll need one NIC per IP to do that easily. I'd suggest a real,
> proper static IP assignment rather than that mess that no packaged
> firewall solution can properly support without one NIC per IP if your
> ISP can offer anything different.

Just an idea (thoughts not fully replayed to end):
Put some further Nics (as much as macs needed - would be difficult if
you like to have 16 or more IP's - lol) into  the pfSense box.
Configure Proxy Arp - you have to manually add a line to
/boot/loader.conf  and into the config as shell cmd.
iirc it was 'net.link.ether.inet.proxyall=1' for loader.conf
and sysctl net.link.ether.inet.proxyall=1 as shell cmd.

So you will get the different IP's onto those nics.
Forward all traffic to (over) those nics to the default gw assigned by your ISP.
this, may be will, not work cause of the Bootp/dhcp-requests if you
have the local dhcp service enabled.
Not fully sure, but if so dhc-relay can may be help.

And for completeness, it's not the securest solution - if it should work.

M.

-- 
= = =  http://michael-schuh.net/  = = =
Projektmanagement - IT-Consulting - Professional Services IT
Michael Schuh
Postfach 10 21 52
66021 Saarbrücken
phone: 0681/8319664
@: m i c h a e l . s c h u h @ g m a i l . c o m

= = =  Ust-ID:  DE251072318  = = =


Re: [pfSense] More than one MAC address on one phys.ethernet interface

2012-11-05 Thread Michael Schuh
2012/11/6 Michael Schuh michael.sc...@gmail.com:
> 2012/11/6 Chris Buechler c...@pfsense.org:
>> On Mon, Nov 5, 2012 at 2:31 PM, David Brodski da...@brodski.eu wrote:
>>> Thank you for the reply, but it is not working.
>>
>> There's about 0 chance of that working without source code hacking.
>> You'll need one NIC per IP to do that easily. I'd suggest a real,
>> proper static IP assignment rather than that mess that no packaged
>> firewall solution can properly support without one NIC per IP if your
>> ISP can offer anything different.

> Just an idea (thoughts not fully replayed to end):
> Put some further Nics (as much as macs needed - would be difficult if
> you like to have 16 or more IP's - lol) into  the pfSense box.
> Configure Proxy Arp - you have to manually add a line to
> /boot/loader.conf  and into the config as shell cmd.
> iirc it was 'net.link.ether.inet.proxyall=1' for loader.conf
> and sysctl net.link.ether.inet.proxyall=1 as shell cmd.
>
> So you will get the different IP's onto those nics.
> Forward all traffic to (over) those nics to the default gw assigned by your
> ISP.

Sorry not very precise here: the outgoing traffic routed to 0.0.0.0/0.

> this, may be will, not work cause of the Bootp/dhcp-requests if you
> have the local dhcp service enabled.
> Not fully sure, but if so dhc-relay can may be help.
>
> And for completeness, it's not the securest solution - if it should work.
>
> M.


Re: [pfSense] More than one MAC address on one phys.ethernet interface

2012-11-05 Thread Michael Schuh
2012/11/6 Michael Schuh michael.sc...@gmail.com:
> 2012/11/6 Michael Schuh michael.sc...@gmail.com:
>> 2012/11/6 Chris Buechler c...@pfsense.org:
>>> On Mon, Nov 5, 2012 at 2:31 PM, David Brodski da...@brodski.eu wrote:
>>>> Thank you for the reply, but it is not working.
>>>
>>> There's about 0 chance of that working without source code hacking.
>>> You'll need one NIC per IP to do that easily. I'd suggest a real,
>>> proper static IP assignment rather than that mess that no packaged
>>> firewall solution can properly support without one NIC per IP if your
>>> ISP can offer anything different.

>> Just an idea (thoughts not fully replayed to end):
>> Put some further Nics (as much as macs needed - would be difficult if
>> you like to have 16 or more IP's - lol) into  the pfSense box.
>> Configure Proxy Arp - you have to manually add a line to
>> /boot/loader.conf  and into the config as shell cmd.
>> iirc it was 'net.link.ether.inet.proxyall=1' for loader.conf
>> and sysctl net.link.ether.inet.proxyall=1 as shell cmd.
>>
>> So you will get the different IP's onto those nics.
>> Forward all traffic to (over) those nics to the default gw assigned by your
>> ISP.
>
> Sorry not very precise here: the outgoing traffic routed to 0.0.0.0/0.
>
>> this, may be will, not work cause of the Bootp/dhcp-requests if you
>> have the local dhcp service enabled.
>> Not fully sure, but if so dhc-relay can may be help.
>>
>> And for completeness, it's not the securest solution - if it should work.
>>
>> M.

*doh* as I said before - not thought to end:
is it not possible and simpler to put further nics from that pfSense on a switch
connected to the cable modem? The ISP should then give you a netmask
of 32 bits set back?


Re: [pfSense] Strange problem after auto update

2012-11-05 Thread Chris Buechler
On Mon, Nov 5, 2012 at 1:41 PM, Jerome Alet jerome.a...@univ-nc.nc wrote:
> Me, again :-)
>
> I've noticed something that might be helpful...
>
> When I have upgraded the slave member of my pfSense cluster, the version
> number of the configuration file changes from 9.0 to 9.1
>
> So I've got two members of the cluster with different versions, since
> I've not upgraded the master yet, and I'm not sure I want to do it
> before knowing the source of my problem.
>
> So master is still in 9.0 and slave is in 9.1.
>
> Could this be the cause of my problem ? I mean, when the master tries to
> sync its configuration to the slave, doesn't it break the slave's
> configuration ?
>
> Is the proper way to upgrade by upgrading the master first ???
>
> Does this mean that if I upgrade the master now, all will be fine again
> ?

Everything you did was fine as you did it, it's preferable to upgrade
the secondary first, test it by disabling CARP on the primary, and if
successful then upgrade the secondary. Doesn't really matter which
order you do it in, but doing the secondary first makes it easier to
keep traffic off of it should something go wrong with the upgrade (as
the primary will always want to take over CARP, the secondary won't
unless you take the primary down).

You're running into some kind of regression and I'm not exactly sure
what. I have a suspicion it's related to the various problems with
if-bound states, but not sure. You can try either upgrading to a
November 6 or newer snapshot, or just removing the line containing
set state-policy if-bound from /etc/inc/filter.inc and reloading the
filter rules under Status>Filter reload. See if that changes anything.
Keep doing that only on the secondary and don't upgrade the primary
until the secondary is fixed as it's almost certain it'll break too.


Re: [pfSense] Strange problem after auto update

2012-11-05 Thread jerome alet
Hi,

 
> From: Chris Buechler c...@pfsense.org
> Sent: Tue Nov 06 17:17:02 NCT 2012
> To: pfSense support and discussion list@lists.pfsense.org
> Subject: Re: [pfSense] Strange problem after auto update
>
> You're running into some kind of regression and I'm not exactly sure
> what. I have a suspicion it's related to the various problems with
> if-bound states, but not sure. You can try either upgrading to a
> November 6 or newer snapshot, or just removing the line containing
> set state-policy if-bound from /etc/inc/filter.inc and reloading the
> filter rules under Status>Filter reload. See if that changes anything.
> Keep doing that only on the secondary and don't upgrade the primary
> until the secondary is fixed as it's almost certain it'll break too.

Unfortunately I won't be able to test this until Thursday, but I'll let you 
know how it goes.

bye, and thanks a lot for your help

-- 
Jerome Alet