Re: [pfSense] Multi-WAN network access

2013-12-05 Thread Robert Fuller
Make sure you have outbound NAT rules for both WAN and COMCAST. 

- Original Message -

From: Walter Parker walt...@gmail.com 
To: pfSense support and discussion list@lists.pfsense.org 
Sent: Wednesday, December 4, 2013 5:57:41 PM 
Subject: [pfSense] Multi-WAN network access 

Hi, 

I've got a pfSense router with a WAN connection that has 4 interfaces:

WAN - A 200 Mbps connection. This is on a /20 subnet and the other side is the
default route.
LAN - This is a static routed /24 network from the company providing the 200
Mbps WAN connection.
COMCAST - This is a static routed /28 network from Comcast.

I set the WAN interface with a route back to Provider A, and the COMCAST
interface with a route back to the Comcast gateway address. I created two
gateway groups, one with the WAN network as Tier 1 and COMCAST as Tier 2, and
another with COMCAST as Tier 2 and the WAN network as Tier 2. The instructions on
the wiki say firewall rules must be changed to use these groups rather than
the system routing. I tried changing the allow-all rule to use the gateway
group (rather than the default of *), but this didn't seem to route packets out
the COMCAST link when the WAN link was down.

I did a little bit of testing: I used the ping test and was able to ping the
outside world when using WAN as the interface, but when I changed the interface
to COMCAST, I could only ping the Comcast gateway (as if the packets would not
route). From an external host, I was able to do an ICMP ping to the COMCAST
interface, but was not able to do a UDP ping or make a TCP connection.

Questions:

I think I missed a step in the whole "add a firewall rule for the gateway
group" process, which seems more like a solution left as an exercise for the
reader. What do I need to do to get gateway groups working on the firewall?

When using ping, when I pick the interface, does it work like a Cisco, where
the source IP is the interface address and the next hop router would be the
interface's router, in this case the Comcast gateway?

When I have squid running and bound to the LAN interface, I'd like the system
to use whichever WAN/COMCAST interface is currently up and working. I want that
to be the WAN interface unless it is down.

When the WAN interface is down, I'd like to be able to ssh/https to the COMCAST
interface address to see what is going wrong. Can I set up the system to work
like this?


Thank you for any ideas as to what I might have done wrong,


Walter 





-- 
The greatest dangers to liberty lurk in insidious encroachment by men of zeal, 
well-meaning but without understanding. -- Justice Louis D. Brandeis 

___ 
List mailing list 
List@lists.pfsense.org 
http://lists.pfsense.org/mailman/listinfo/list 

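Added example, written for this page and not taken from the thread or from pfSense itself: a small sh script to run on the pfSense box that checks, from the live pf ruleset, the three things Robert's reply and Walter's questions turn on. pfSense compiles the gateway set on a firewall rule into a pf `route-to` naming the failover member currently selected (and rebuilds it when a member goes down), adds `reply-to` to rules that pass traffic in on a non-default WAN so answers leave via that WAN's own gateway (which is what ssh/https to the COMCAST address needs while WAN is down), and, in manual outbound NAT mode, needs one NAT rule per WAN or LAN traffic that fails over leaves with its private source address. The interface names (em0/em1/em2), subnets, gateway addresses and the sample `pfctl -sn` / `pfctl -sr` lines are constructed assumptions standing in for the real ones.

```shell
#!/bin/sh
# Added example (not pfSense code): sanity-check a multi-WAN failover setup from
# the live pf ruleset. On the box, run:  check_multiwan "$(pfctl -sn)" "$(pfctl -sr)"
# Interface names, subnets, gateways and sample rule lines are assumptions.

LAN_IF=em1;     LAN_NET=192.168.1.0/24
WAN_IF=em0;     WAN_GW=203.0.113.1
COMCAST_IF=em2; COMCAST_GW=198.51.100.1

# Constructed `pfctl -sn` output: manual outbound NAT with one rule per WAN.
NAT_RULES='
nat on em0 inet from 192.168.1.0/24 to any -> 203.0.113.10 port 1024:65535
nat on em2 inet from 192.168.1.0/24 to any -> 198.51.100.2 port 1024:65535
'
# Same, with the COMCAST rule missing: LAN traffic that fails over to em2 leaves
# with a 192.168.1.x source and never gets a reply.
NAT_RULES_WAN_ONLY='
nat on em0 inet from 192.168.1.0/24 to any -> 203.0.113.10 port 1024:65535
'
# Constructed `pfctl -sr` output: the LAN allow-all rule with the failover group
# as its gateway (route-to names the member currently selected), plus an HTTPS
# rule on COMCAST whose answers go back out via the COMCAST gateway (reply-to).
FILTER_RULES='
pass in quick on em1 route-to (em0 203.0.113.1) inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE: LAN to any via WAN_FAILOVER"
pass in quick on em2 reply-to (em2 198.51.100.1) inet proto tcp from any to 198.51.100.2 port = https flags S/SA keep state label "USER_RULE: mgmt on COMCAST"
'

# Is there an outbound NAT rule translating NET when it leaves IF?
has_outbound_nat() {   # has_outbound_nat <if> <net> <nat-rules-text>
    printf '%s\n' "$3" | awk -v ifc="$1" -v net="$2" '
        $1 == "nat" && $2 == "on" && $3 == ifc && index($0, " from " net " ") > 0 { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Print the "<if> <gw>" that the LAN pass rule currently policy-routes to
# (empty if the rule has no route-to, i.e. it still follows the system route).
lan_route_to_gw() {   # lan_route_to_gw <lan-if> <filter-rules-text>
    printf '%s\n' "$2" | awk -v ifc="$1" '
        $1 == "pass" && $2 == "in" && $0 ~ (" on " ifc " ") && match($0, /route-to \([^)]*\)/) {
            s = substr($0, RSTART, RLENGTH); sub(/^route-to \(/, "", s); sub(/\)$/, "", s)
            print s; exit 0 }'
}

# Does the rule passing PORT in on WAN IF carry reply-to for that interface?
mgmt_has_reply_to() {   # mgmt_has_reply_to <wan-if> <port> <filter-rules-text>
    printf '%s\n' "$3" | awk -v ifc="$1" -v port="$2" '
        $1 == "pass" && $2 == "in" && $0 ~ (" on " ifc " ") &&
        index($0, "reply-to (" ifc " ") > 0 && index($0, "port = " port " ") > 0 { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Run all checks; print one line per finding, return 0 only when every check passes.
check_multiwan() {   # check_multiwan <nat-rules-text> <filter-rules-text>
    ok=0
    for ifc in "$WAN_IF" "$COMCAST_IF"; do
        if has_outbound_nat "$ifc" "$LAN_NET" "$1"; then
            echo "ok:   outbound NAT for $LAN_NET on $ifc"
        else
            echo "FAIL: no outbound NAT for $LAN_NET on $ifc (LAN traffic leaving $ifc keeps its private source)"
            ok=1
        fi
    done
    gw=$(lan_route_to_gw "$LAN_IF" "$2")
    case "$gw" in
        "$WAN_IF $WAN_GW")         echo "ok:   LAN rule policy-routes via WAN ($gw)" ;;
        "$COMCAST_IF $COMCAST_GW") echo "ok:   LAN rule policy-routes via COMCAST ($gw), so WAN is currently down" ;;
        "")  echo "FAIL: LAN pass rule has no route-to; traffic only follows the system default route"; ok=1 ;;
        *)   echo "FAIL: LAN rule routes via an unknown gateway ($gw)"; ok=1 ;;
    esac
    if mgmt_has_reply_to "$COMCAST_IF" https "$2"; then
        echo "ok:   HTTPS in on $COMCAST_IF answers via its own gateway (reply-to)"
    else
        echo "FAIL: HTTPS in on $COMCAST_IF has no reply-to; replies would chase the default route"
        ok=1
    fi
    return $ok
}

echo "== both WANs NATed =="
check_multiwan "$NAT_RULES" "$FILTER_RULES"
echo "== COMCAST NAT missing (the gap Robert's reply points at) =="
check_multiwan "$NAT_RULES_WAN_ONLY" "$FILTER_RULES" || true
```

With automatic outbound NAT pfSense generates the per-WAN rules itself, so the NAT check only fails in manual mode; the route-to and reply-to checks fail whenever the LAN rule still has its gateway set to the default `*`, or the management rule on the second WAN is missing, which matches the symptoms Walter describes.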


Re: [pfSense] List Digest, Vol 28, Issue 4

2013-12-05 Thread Nenhum_de_Nos

On Thu, December 5, 2013 07:22, Pedro Almeida wrote:
 Hello Matheus,

 I have a problem with this model. My firewall rebooted on its own three times
 in three days. On the screen (ssh) it always shows this message:
 re0: watchdog timeout

I don't have this. All I can see here is:

re0: link state changed to DOWN
re0: link state changed to UP
re0: link state changed to DOWN
re0: link state changed to UP
re0: link state changed to DOWN
re0: link state changed to UP
re0: link state changed to DOWN
re0: link state changed to UP
re0: link state changed to DOWN
re0: link state changed to UP
re0: link state changed to DOWN
re0: link state changed to UP

that may reflect the switch power oscillation :)

 I have two identical appliances, but tested only one. Today I changed the
 appliance and during the day I'll monitor to see if the problem happens again.

I think I dealt with this NIC on some other hardware. Not sure where now; may
be on boxes I no longer have access to.

 Are you Brazilian?

yes :)

 re0: RealTek 8168/8111 B/C/CP/D/DP/E/F PCIe Gigabit Ethernet port 
 0xa800-0xa8ff mem
 0xfdbfb000-0xfdbfbfff,0xfdbfc000-0xfdbf irq 17 at device 0.0 on pci2
 re0: Using 1 MSI-X message
 re0: Chip rev. 0x2c80
 re0: MAC rev. 0x

they look like relatives :)

re0: RealTek 8168/8111 B/C/CP/D/DP/E PCIe Gigabit Ethernet port 0x2000-0x20ff 
mem
0xf0004000-0xf0004fff,0xf000-0xf0003fff irq 16 at device 0.0 on pci1
re0: Using 1 MSI-X message
re0: Chip rev. 0x2c00
re0: MAC rev. 0x
miibus0: MII bus on re0
rgephy0: RTL8169S/8110S/8211 1000BASE-T media interface PHY 1 on miibus0
rgephy0:  none, 10baseT, 10baseT-FDX, 10baseT-FDX-flow, 100baseTX, 
100baseTX-FDX,
100baseTX-FDX-flow, 1000baseT, 1000baseT-master, 1000baseT-FDX, 
1000baseT-FDX-master,
1000baseT-FDX-flow, 1000baseT-FDX-flow-master, auto, auto-flow


but mine seems older.

att,

matheus

 Regards,


 Pedro de Almeida
 Jundiaí-SP
 Brazil







 From: list-requ...@lists.pfsense.org
 Subject: List Digest, Vol 28, Issue 4
 To: list@lists.pfsense.org
 Date: Wed, 4 Dec 2013 12:00:01 -0500


 Message: 1
 Date: Wed, 4 Dec 2013 12:33:07 -0300
 From: Nenhum_de_Nos math...@eternamente.info
 To: list@lists.pfsense.org
 Subject: Re: [pfSense] Who uses a Realtek RTL-8111 based nic without
  problems?
 Message-ID: f04088c98ffe294e09bb751a2b00c289.squir...@arroway.org
 Content-Type: text/plain;charset=UTF-8


 On Wed, December 4, 2013 11:57, Mathieu Simon wrote:
  I have an Intel D510MO board (Atom D510) that I recently tossed 10.0-BETA3,
  now BETA4 on it. It seems this board has the NIC you and others encounter
  issues with:
 
  re0@pci0:1:0:0: class=0x02 card=0xd6158086 chip=0x816810ec rev=0x03
  hdr=0x00
  vendor = 'Realtek Semiconductor Co., Ltd.'
  device = 'RTL8111/8168B PCI Express Gigabit Ethernet controller'
  class  = network
  subclass   = ethernet

 hail,

 I have a similar, if not equal, model (mini itx atom intel board)

 re0@pci0:1:0:0:  class=0x02 card=0xd6258086 chip=0x816810ec rev=0x06 
 hdr=0x00
 vendor = 'Realtek Semiconductor Co., Ltd.'
 device = 'RTL8111/8168B PCI Express Gigabit Ethernet controller'
 class  = network
 subclass   = ethernet

 This is not pfSense, though. FreeBSD 9.0R, as home fileserver since April
 2012. No issues so far that I could say are the NIC/NIC-driver's fault.

 att,

 matheus

 --
 We will call you Cygnus,
 The God of balance you shall be

 A: Because it messes up the order in which people normally read text.
 Q: Why is top-posting such a bad thing?

 http://en.wikipedia.org/wiki/Posting_style






[pfSense] Server Unresponsive

2013-12-05 Thread Information
I have been having a problem with pfSense becoming unresponsive and not
allowing traffic to pass through (most of the time established connections
will continue to work, i.e. I have a site-to-site connection running and
that will still be functional) or allowing access to the web interface. I have 4
pfSense servers (all VMs running on ESXi 5.0) configured in 2 CARP
pairs. One set is configured as a firewall/router and the other set is
configured as a layer three switch. Both pairs are having the same problem
and there is no consistency as to when the problem will happen. Sometimes
it is after a day or two, other times it will be after 10 to 14 days. The
server will respond to ping and this event is not triggering a CARP
fail-over. The console via vSphere is still operational during this time
and I have tried to reboot the server with option 5 (Reboot system), but the
server will hang and never shut down. I have to use VM - Power - Reset in
the vSphere client to restart the server. Once the server comes back
online it will be operating normally again. I started this setup with
2.0.1 (no CARP) and am now currently running 2.1 (with CARP). The problem
started after the upgrade from 2.0.1 to 2.0.2. I implemented CARP after
the upgrade to 2.0.2.

I am currently experiencing this problem with my layer three cluster.


Re: [pfSense] Multi-WAN network access

2013-12-05 Thread Wade Blackwell
Walter, did you get all your questions answered?
  I just set this up (Charter ethernet handoff/AT&T PPPoE) and there are
some nuances in the fw rules and routing that were not so intuitive. Let me
know if you need a hand. I'd be happy to webex and show you what I have.
Hit me off list (wade.blackw...@bablam.com).

  -W






-- 
Wade Blackwell
Solutions Architect
(D) 805.457.8825 X998
(C) 805.400.8485
(S) coc.wadeblackwell