Re: [pfSense] upgrade dual ALIX netgate box?

2014-05-09 Thread b...@todoo.biz

On 8 May 2014 at 21:18, Jim Thompson j...@netgate.com wrote:

 On May 8, 2014, at 12:04 PM, b...@todoo.biz wrote:
 
 Hi, we are French resellers of Alix / APU
 
 
 On 6 May 2014 at 21:16, Vick Khera vi...@khera.org wrote:
 
 I have the dual ALIX RM1U box from netgate which is a bit over 2 years old 
 now (and an older one too!)
 
 Has anyone attempted replacing the ALIX boards with APU2 boards? They 
 appear to use the identical openings and case mounting holes.
 
 This is true. 
 
 PC Engines updated their cases about 9 months ago.   Cases older than this 
 are about 1mm too small.
 
 APU1C comes with an iron plate to be stuck below the APU in order to 
 dissipate the heat. 
 
 Iron?   It’s a heat-conductive pad, with an aluminum plate.
 
 Netgate themselves don't sell such a beast so it made me curious as to 
 why they wouldn't sell a version with the board swapped and instead 
 recommend other devices.
 
 I can’t really tell why NetGate does not resell APU1C 
 
 http://store.netgate.com/APU1C.aspx (board only, 2GB ram)
 http://store.netgate.com/APU1C4.aspx (board only, 4GB ram)
 http://store.netgate.com/NetgateAPU2.aspx  (system, 2GB ram)
 http://store.netgate.com/NetgateAPU2.aspx  (system, 4GB ram)
 
 Currently there is a problem with the mSATA sold by PC Engines which does not 
 support TRIM - this has a limited effect on pfSense where TRIM is not 
 activated by default. That being said, it is not really « normal » for an 
 mSATA device not to support such a function and might reveal some other 
 problems… though so far we have noticed 0 problems on such a device. 
 
 These cards DO support TRIM, but you have to correctly install software on 
 the device to have it be stable.  We are working on a “platform specific 
 release” of pfSense for the APU

I am talking about PC Engines' ref: 

http://www.pcengines.ch/msata16a.htm

As stated : « Currently on shipment hold . Some customer reported problems 
leading to data loss, e.g. with Sophos UTM. We finally managed to duplicate the 
problem. We suspect that it is related to the TRIM function included in modern 
file systems (e.g. Linux EXT4). » 

This ref has a problem with TRIM. 
So you might want to wait for the problem to be solved (which might probably be 
« never ») or find another ref. 

 
 We have updated the firmware of the 10 units we have received so far. 
 We are currently testing the unit with quite good results considering the 
 price. 
 
 Also does anyone know of a crypto accelerator board for the APU2? Or is 
 that even worth the effort for 4 home-office OpenVPN tunnels?
 
 You really don’t need such an item - the processor is strong enough to handle any 
 kind of local VPN (our test shows about 80Mb/s with an OVPN tunnel)… 
 
 We’re testing 67 Mbps using UDP over OpenVPN AES256.   AES-128 is about 
 78Mbps.

That’s the figure that we have also. 

 But “don’t really need” is strong language, and to be clear, I disagree.   My 
 connection from my house is faster than this.

Of course if you operate a 100Mb full duplex line from your home this won’t be 
sufficient… ;-) 

But, to get back to the question « does anyone know of a crypto accelerator 
board for the APU2? » 
— I am not aware of such device for the time being. 

 
 Jim



Your provider of OpenSource Appliances
www.osnet.eu


PGP ID -- 0x1BA3C2FD

___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] Port forwarding from multiple interfaces - reply packets are forwarded through the wrong interface.

2014-05-09 Thread Thierry De Leeuw

Hi

Does anybody have any idea on the issue?

Thanks!

Thierry
On 05/06/2014 05:16 PM, Thierry De Leeuw wrote:

Hi,

I have some trouble setting up port forwarding with multiple interfaces. 
When a connection is initiated from the VPN tunnel (SYN), the SYN/ACK 
is sent from the VPN IP but through the pppoe interface (which is the 
default gw, but I would expect the NAT to take care of that - maybe I 
am wrong?).

I would like that my server is accessible from both pppoe and VPN tunnel.

Here is more info:

_Situation before:_

I had a pppoe interface from my ISP (WAN aka pppoe0), I have an 
interface for my DMZ (where my mail server is located -Orange aka em2 
- range 10.50.1.0/24).

I had an inbound NAT rule
WAN  tcp  src: *  destAddr: WAN address  destPort: 25 
NatIP: mail (ex 10.50.1.1)  NAT port: 25
and the firewall rule that allows traffic from WAN to mail server on 
port 25


This is working fine.

_Current situation:_

ISP WAN and DMZ as before but I have added  an open vpn tunnel to a 
provider that gives me a fixed IP address. The interface (VPNFIXED aka 
vpnc3) address on my firewall is 10.99.10.2, the gateway is 10.99.10.1.


I have added the following rule for port forwarding:
VPNFIXED  tcp  src: *  destAddr: VPNFIXED address  destPort: 25
NatIP: mail (10.50.1.1)  NAT port: 25


and of course the associated firewall rule that allows traffic from 
VPNFIXED towards mail server.


When a SYN packet arrives through the vpnc3 interface (I see from SYN 
209.85.217.181 to 10.99.10.2:25), it is then correctly passed on the 
em2 interface (209.85.217.181 -- 10.50.1.1:25) and the reply from the 
server is, as expected, a SYN/ACK on em2 (10.50.1.1 -- 209.85.217.181).


The problem is that the SYN/ACK is then passed to the pppoe0 
interface instead of the vpnc3 (I see on pppoe SYN/ACK 10.99.10.2 -- 
209.85.217.181). This is strange as it is using the IP address of the 
VPNFIXED.


The routing table has the ISP as default route and 10.99.10.0/24 is 
marked as U and has the right vpnc3 interface.


I am using pfSense 2.1.3-RELEASE (amd64).

Any help would be greatly appreciated !

Thanks in advance!

Thierry





--

Thierry De Leeuw
Avance Consulting SPRLu.

Rue Warandeveld, 29
1120 Neder-Over-Hembeek
Belgium

Mobile: +32 479/470.512
TVA-VAT: BE 0876.491.406


Re: [pfSense] Port forwarding from multiple interfaces - reply packets are forwarded through the wrong interface.

2014-05-09 Thread Jim Pingle
On 5/9/2014 8:02 AM, Thierry De Leeuw wrote:
 I have some trouble setting up port forwarding with multiple interfaces.
 When a connection is initiated from the VPN tunnel (SYN), the SYN/ACK
 is sent from the VPN IP but through the pppoe interface (which is the
 default gw, but I would expect the NAT to take care of that - maybe I
 am wrong?).
 I would like that my server is accessible from both pppoe and VPN tunnel.

The multiple interfaces bit works fine when they're both actually
WANs, but when one is a VPN it doesn't work that way by default.

To get the behavior you want with OpenVPN, where reply-to sends the
packets back the way they came in, you'll need to do the following:

1. Assign/enable the OpenVPN interface from Interfaces > (assign). Set
it to an IP type of 'none'
2. Restart the VPN (edit/save)
3. Move firewall rules from the OpenVPN tab to the new interface tab. No
rules on the OpenVPN tab can match the traffic.

Jim


Re: [pfSense] Port forwarding from multiple interfaces - reply packets are forwarded through the wrong interface.

2014-05-09 Thread Thierry De Leeuw

Hi,

Thanks for your answer. Unfortunately I already have created this 
interface and still it does not work ;-(


Looking at my state table, I have an entry
mail_server:25 - 10.99.10.2:25 (open vpn IP) - 209.85.215.41:53282 (Gmail)

So it looks like, although there is an entry for the connection, the 
orange firewall seems to use the default gateway and WAN interface (the 
one of the ISP) instead of the interface from which the SYN packet 
arrived (but still, the source IP is correctly changed to the IP of the 
VPN interface - so I am sending bogus packets to my ISP).


Is my understanding right in assuming that NAT should make sure it uses 
the same interface as the incoming one (only applying the routing table 
indeed leads to using the pppoe interface which is what I see but not 
what I want)? If not how can I force the outgoing interface to be the 
same as the incoming interface?


Best regards

Thierry


On 05/09/2014 03:22 PM, Jim Pingle wrote:

On 5/9/2014 8:02 AM, Thierry De Leeuw wrote:

I have some trouble setting up port forwarding with multiple interfaces.
When a connection is initiated from the VPN tunnel (SYN), the SYN/ACK
is sent from the VPN IP but through the pppoe interface (which is the
default gw, but I would expect the NAT to take care of that - maybe I
am wrong?).
I would like that my server is accessible from both pppoe and VPN tunnel.

The multiple interfaces bit works fine when they're both actually
WANs, but when one is a VPN it doesn't work that way by default.

To get the behavior you want with OpenVPN, where reply-to sends the
packets back the way they came in, you'll need to do the following:

1. Assign/enable the OpenVPN interface from Interfaces > (assign). Set
it to an IP type of 'none'
2. Restart the VPN (edit/save)
3. Move firewall rules from the OpenVPN tab to the new interface tab. No
rules on the OpenVPN tab can match the traffic.

Jim


--

Thierry De Leeuw
Avance Consulting SPRLu.

Rue Warandeveld, 29
1120 Neder-Over-Hembeek
Belgium

Mobile: +32 479/470.512
TVA-VAT: BE 0876.491.406


[pfSense] Intel Pro/1000 PT Quad Port PCI-e Gigabit Ethernet

2014-05-09 Thread Dave Warren
Anyone have experience with an Intel Pro/1000 PT Quad Port PCI-e Gigabit 
Ethernet Server Adapter EXP19404PT on pfSense?


From wandering the forums it looks like it should be supported in 
pfSense 2, but I can't find any confirmation that it actually works.


Or alternatively, can anyone else recommend a quad port that's available 
at a reasonable price for a small deployment?


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren




Re: [pfSense] Intel Pro/1000 PT Quad Port PCI-e Gigabit Ethernet

2014-05-09 Thread Jason McClung

On 5/9/2014 3:02 PM, Dave Warren wrote:
Anyone have experience with an Intel Pro/1000 PT Quad Port PCI-e 
Gigabit Ethernet Server Adapter EXP19404PT on pfSense?


From wandering the forums it looks like it should be supported in 
pfSense 2, but I can't find any confirmation that it actually works.


Or alternatively, can anyone else recommend a quad port that's 
available at a reasonable price for a small deployment?


I have an Intel Pro/1000PT Quad port (low-profile if that matters) in my 
home pfSense box. I just installed it 2 weeks ago actually (recent cheap 
ebay find).  I have had no issue so far, but I am not a too demanding user.

Check out the FreeBSD 8.3 HCL for supported network cards.
http://www.freebsd.org/releases/8.3R/hardware.html#ETHERNET



Re: [pfSense] Intel Pro/1000 PT Quad Port PCI-e Gigabit Ethernet

2014-05-09 Thread Dave Warren

On 2014-05-09 15:13, Jason McClung wrote:

On 5/9/2014 3:02 PM, Dave Warren wrote:
Anyone have experience with an Intel Pro/1000 PT Quad Port PCI-e 
Gigabit Ethernet Server Adapter EXP19404PT on pfSense?


From wandering the forums it looks like it should be supported in 
pfSense 2, but I can't find any confirmation that it actually works.


Or alternatively, can anyone else recommend a quad port that's 
available at a reasonable price for a small deployment?


I have an Intel Pro/1000PT Quad port (low-profile if that matters) in my 
home pfSense box. I just installed it 2 weeks ago actually (recent 
cheap ebay find).  I have had no issue so far, but I am not a too 
demanding user.

Check out the FreeBSD 8.3 HCL for supported network cards.
http://www.freebsd.org/releases/8.3R/hardware.html#ETHERNET


The one I'm looking at is listed, but I've learned that the HCL isn't 
always reliable as to whether something actually works in the real world :(


I'm looking on eBay as well, it's worth the gamble vs buying new.

Thanks!

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren




Re: [pfSense] Intel Pro/1000 PT Quad Port PCI-e Gigabit Ethernet

2014-05-09 Thread Chris Bagnall
On 9 May 2014, at 23:25, Dave Warren da...@hireahit.com wrote:
 I'm looking on eBay as well, it's worth the gamble vs buying new.

Not pfSense-specific, but I've used quite a few from eBay (both dual and quad 
port cards) in generic FreeBSD installs and not had a problem with them.

As others have said, they're so cheap (by comparison to new prices) on eBay 
that it's a gamble worth taking.

Kind regards,

Chris
-- 
This email is made from 100% recycled electrons



Re: [pfSense] Port forwarding from multiple interfaces - reply packets are forwarded through the wrong interface.

2014-05-09 Thread Chris Buechler
On Fri, May 9, 2014 at 10:15 AM, Thierry De Leeuw thie...@avanco.be wrote:
 Hi,

 Thanks for your answer. Unfortunately I already have created this interface
 and still it does not work ;-(

 Looking at my state table, I have an entry
 mail_server:25 - 10.99.10.2:25 (open vpn IP) - 209.85.215.41:53282 (Gmail)

 So it looks like, although there is an entry for the connection, the orange
 firewall seems to use the default gateway and WAN interface (the one of the
 ISP) instead of the interface from which the SYN packet arrived (but still,
 the source IP is correctly changed to the IP of the VPN interface -
 so I am sending bogus packets to my ISP).

 Is my understanding right in assuming that NAT should make sure it uses the
 same interface as the incoming one (only applying the routing table indeed
 leads to using the pppoe interface which is what I see but not what I want)?
 If not how can I force the outgoing interface to be the same as the incoming
 interface?


Exactly the way Jim noted. You have rules other than the ones on that
specific VPN's interface that are matching, or disabled reply-to
globally or on those rules in particular, if it's not getting routed
back out the VPN.
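As an added illustration of the check that Jim's three steps and this reply imply (example code written for this page, not from the thread or from pfSense itself), the shell function below scans a ruleset in `pfctl -sr` format for pass rules that would accept the forwarded SMTP connection without a `reply-to` option: rules on the `openvpn` interface group (which is where OpenVPN-tab rules land and which is evaluated before the per-interface rules) and rules on the assigned interface that lack reply-to. Any such rule creates the state first, so the SYN/ACK follows the routing table out pppoe0 instead of going back the way it came. The two rulesets are constructed; the interface name `ovpnc3`, the tunnel gateway 10.99.10.1, the WAN gateway 203.0.113.1 and the rule labels are assumptions.

```shell
#!/bin/sh
# Constructed sample of `pfctl -sr` output (not captured from a real firewall).
# ovpnc3, 10.99.10.1, 203.0.113.1 and the labels are assumed values.
# Broken layout: an OpenVPN-tab rule (on the "openvpn" group) matches first
# and carries no reply-to, so the SYN/ACK follows the default route (pppoe0).
BROKEN_RULES='pass in quick on openvpn inet proto tcp from any to 10.50.1.1 port = 25 flags S/SA keep state label "USER_RULE: OpenVPN tab"
pass in quick on ovpnc3 reply-to (ovpnc3 10.99.10.1) inet proto tcp from any to 10.50.1.1 port = 25 flags S/SA keep state label "USER_RULE: VPNFIXED tab"
pass in quick on pppoe0 reply-to (pppoe0 203.0.113.1) inet proto tcp from any to 10.50.1.1 port = 25 flags S/SA keep state label "USER_RULE: WAN tab"'

# Fixed layout: the rule has been moved to the assigned interface tab, so the
# only rule that can match carries reply-to and the answer leaves via ovpnc3.
FIXED_RULES='pass in quick on ovpnc3 reply-to (ovpnc3 10.99.10.1) inet proto tcp from any to 10.50.1.1 port = 25 flags S/SA keep state label "USER_RULE: VPNFIXED tab"
pass in quick on pppoe0 reply-to (pppoe0 203.0.113.1) inet proto tcp from any to 10.50.1.1 port = 25 flags S/SA keep state label "USER_RULE: WAN tab"'

# Print every inbound pass rule (read from stdin) that would accept the
# forwarded connection without reply-to: either on the "openvpn" group or
# on the assigned interface itself.
# Usage: pfctl -sr | find_rules_without_replyto IFACE DST_IP PORT
find_rules_without_replyto() {
  iface="$1"; dst="$2"; port="$3"
  grep -E "^pass in .* on (openvpn|$iface) .* to $dst port = $port( |$)" |
    grep -v 'reply-to' || true
}

# Same check reduced to a count; 0 means every matching rule pins the reply
# path to the VPN interface, which is the state Jim's steps aim for.
count_rules_without_replyto() {
  n=$(find_rules_without_replyto "$@" | grep -c .) || true
  printf '%s\n' "$n"
}

# Stand-alone demonstration against the constructed rulesets.
echo "broken ruleset: $(printf '%s\n' "$BROKEN_RULES" | count_rules_without_replyto ovpnc3 10.50.1.1 25) rule(s) without reply-to"
echo "fixed ruleset:  $(printf '%s\n' "$FIXED_RULES" | count_rules_without_replyto ovpnc3 10.50.1.1 25) rule(s) without reply-to"
```

On a live box the same two greps can be run over `pfctl -sr`; if that output prints service names rather than port numbers, adjust the port pattern accordingly. The order of the rules matters as much as their content: pf evaluates `quick` rules first-match, so an offending group rule placed before the interface rule wins even when the interface rule is correct.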


[pfSense] Annoying Comcast Issue When Changing Hardware

2014-05-09 Thread Aaron C. de Bruyn
Spent about an hour beating my head against the wall with this issue,
hopefully this will save others some time.

We had a stand-alone pfSense router.
We just purchased two machines from ixsystems and were preparing them to be
a failover pair of pfSense routers and then decommission the smaller older
box.

While we were installing the new servers, the HDD in the old firewall died.

We figured we would just get the two new boxes up.

Plugged them into the Comcast modem and configured everything.

Comcast assigned us a /28 a while back and we were using a handful of IPs
to access various internal services over HTTPS.

The /28 looked roughly like:
.1 - router1
.2 - router2
.3 - exchange (CARP)
.4 - remote (CARP)
.5 - VPN (CARP)
.6 - spamfilter (physical machine)
...etc

After everything was configured, I had someone test remotely that they
could access the interface for router1 and router2 remotely.

I then went home to finish up a few config details remotely.

When I got home, I found I could access router1 and router2 as well as the
physical spam filter, but I couldn't access any of the HTTPS services on
the CARP IPs.

I checked my NAT rules about 100 times, looked through firewall logs, and
found nothing.

Finally I connected in to the spam filter (linux box) and ran 'openssl
s_client -connect exchange.example.tld:4433' and noticed it worked
perfectly from a machine on the same WAN segment.   ...but not remotely.

I called Comcast and had them remotely reboot the modem.  Everything
immediately came up and started working perfectly.

Hopefully this will save someone time.  Reboot the brain-damaged Netgear
CPE after swapping hardware around.

-A

Re: [pfSense] Annoying Comcast Issue When Changing Hardware

2014-05-09 Thread compdoc
 I called Comcast and had them remotely reboot the modem.  

Whenever I connect a different network card to my home Comcast modem, I have
to power cycle the modem for it to come up. I think it keys off the MAC address
of the old card, and won't accept the new one until then. I get a new IP
address each time I test firewall builds. Not exactly the same situation,
but something like it.






