Re: [pfSense] IPSec log comments

2016-07-28 Thread Chris Buechler
On Thu, Jul 28, 2016 at 11:19 AM, Paul Galati  wrote:
> I noted installed packages
> I backed up my configuration xml, 2.2.4
> I replaced hard disk with SSD
> Installed fresh 32-bit 2.3.2
> Installed packages
> imported config
>
> The 3 OpenVPN clients logged back in with no problem and tunneled VoIP phones
> logged back in as well.  My guest network was unable to reach the internet
> until I added a line to rules.  Not quite sure why it worked with 2.2.4 but
> did not in 2.3.2.  Nonetheless, the pass !LAN statement worked.  The only
> thing I am noticing so far is that when I change any preference in the
> dashboard, the traffic graphs fall back to only showing the WAN traffic.
> Resetting the traffic graph prefs works until I change a different dashboard
> pref.
>
> More important is the IPsec log file.  The only IPsec config is the
> mobile client.  Here is what I am seeing in the log when no one is
> connected.
>
> Jul 28 12:01:08 charon 14[CFG] vici client 891 disconnected
> Jul 28 12:01:08 charon 14[CFG] vici client 891 requests: list-sas
> Jul 28 12:01:08 charon 10[CFG] vici client 891 registered for: list-sa
> Jul 28 12:01:08 charon 14[CFG] vici client 891 connected
> Jul 28 12:01:02 charon 08[CFG] vici client 890 disconnected
> Jul 28 12:01:02 charon 08[CFG] vici client 890 requests: list-sas
> Jul 28 12:01:02 charon 08[CFG] vici client 890 registered for: list-sa
> Jul 28 12:01:02 charon 14[CFG] vici client 890 connected
> Jul 28 12:00:51 charon 14[CFG] vici client 889 disconnected
> Jul 28 12:00:51 charon 08[CFG] vici client 889 requests: list-sas
> Jul 28 12:00:51 charon 08[CFG] vici client 889 registered for: list-sa
> Jul 28 12:00:51 charon 08[CFG] vici client 889 connected
> Jul 28 12:00:44 charon 08[CFG] vici client 888 disconnected
> Jul 28 12:00:44 charon 09[CFG] vici client 888 requests: list-sas
> Jul 28 12:00:44 charon 12[CFG] vici client 888 registered for: list-sa
> Jul 28 12:00:44 charon 12[CFG] vici client 888 connected
> Jul 28 12:00:28 charon 12[CFG] vici client 887 disconnected
> Jul 28 12:00:28 charon 09[CFG] vici client 887 requests: list-sas
> Jul 28 12:00:28 charon 09[CFG] vici client 887 registered for: list-sa
> Jul 28 12:00:28 charon 07[CFG] vici client 887 connected
>
> What might be generating these log messages?

The IPsec status page and dashboard widget, when your logging level is
higher than default.
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] CARP/DHCP

2016-07-28 Thread Chris Buechler
On Thu, Jul 28, 2016 at 8:10 AM, scorpions floripa wrote:
> Good Morning
>
> The DHCP server on the secondary CARP member is also distributing IPs while
> the master is active. Anyone know how to solve this?
>

It's not a problem, that's how it's supposed to work.


Re: [pfSense] yesterday update to 2.3.2 has not worked - these machines now can not update any more

2016-07-27 Thread Chris Buechler
On Wed, Jul 27, 2016 at 8:53 AM, WolfSec-Support  wrote:
> Hi Jim
>
> Many thanks for your hint.
> Well it is still not working.
>
> See:
>
> Updating repositories metadata...
> Updating pfSense-core repository catalogue...
> pfSense-core repository is up-to-date.
> Updating pfSense repository catalogue...
> Fetching meta.txz: . done
> Fetching packagesite.txz: ... done
> pkg:
> https://pkg.pfsense.org/pfSense_v2_3_2_amd64-pfSense_v2_3_2/packagesite.txz:
> Operation timed out
> Unable to update repository pfSense
>
> Maybe something else was broken in the update process?
>

No, there were some server issues at that time which caused some
timeouts like you got there. It's been fixed since this morning
shortly after your message here, give it another shot and I'm sure
it'll be fine.


Re: [pfSense] Lightning strike

2016-07-26 Thread Chris Buechler
On Tue, Jul 26, 2016 at 7:43 PM, Volker Kuhlmann  wrote:
> On Tue 26 Jul 2016 09:41:37 NZST +1200, Karl Fife wrote:
>
>> Interesting how it failed: The fried port 'simply' broke
>> connectivity for the interface's LAN segment.  Everything else
>> continued to work.  I kinda didn't believe the report that Internet
>> was out for the one LAN, since the other was not.
>
> I don't think this is that unusual or surprising. You get the same
> effect if you plug in a real POTS line into an Ethernet port...
>
>>  After some
>> testing, I found the system would not come up after reboot because
>> it had gone into port reassignment mode since the config made
>> reference to a non-existent interface.
>
> I find this really really annoying of pfsense! Especially for headless
> systems. Hey, why run with only one interface and some functionality
> missing when one can run with functionality of zero point zero instead?
>

Because any fall back there is potentially unsafe. Say you have
igb0-igb5, and igb2 dies. Now your igb3 is igb2, igb4 is igb3, etc.
Any assumptions you make about what's correct are potentially
dangerous, and likely to be wrong. We've had discussions around that
in greater depth multiple times over the years. Any way you do it has
edge case bugs, is dangerous and/or wouldn't be right anyway.
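To make the argument in the reply concrete, here is an added simulation (not pfSense code) of what a "shift everything down one slot" fallback would do to the six-port box described above; the port names, cabling and role names are constructed for the illustration.

```python
"""Why a firewall must not guess when an assigned NIC disappears.

Models the scenario from the reply: six igb ports, igb2's hardware dies,
the kernel renumbers the survivors, and the stored config still refers to
devices by name. Constructed example, not pfSense code.
"""
from typing import Dict, List, Tuple

# Constructed: what each physical port is cabled to.
WIRING: Dict[str, str] = {
    "port0": "ISP uplink", "port1": "office LAN", "port2": "DMZ servers",
    "port3": "guest wifi", "port4": "management", "port5": "VoIP",
}
ALL_PORTS: List[str] = list(WIRING)

# Constructed config: firewall role -> kernel device name, the way an
# assignment is stored (by name, not by physical slot).
CONFIG: Dict[str, str] = {
    "wan": "igb0", "lan": "igb1", "dmz": "igb2",
    "guest": "igb3", "mgmt": "igb4", "voip": "igb5",
}


def enumerate_devices(working_ports: List[str]) -> Dict[str, str]:
    """Model the kernel probe: surviving ports are named igb0.. in order, so a
    dead port shifts every later port down one slot (igb3 becomes igb2, ...)."""
    return {f"igb{i}": port for i, port in enumerate(working_ports)}


def roles_to_networks(config: Dict[str, str], devices: Dict[str, str]) -> Dict[str, str]:
    """Which physical network each configured role really attaches to if the
    device names are trusted as-is ("nothing" when the name no longer exists)."""
    return {role: WIRING.get(devices.get(dev, ""), "nothing") for role, dev in config.items()}


def unsafe_fallback(config: Dict[str, str], working_ports: List[str]) -> List[Tuple[str, str, str]]:
    """The tempting shortcut: boot with the stale config on renumbered devices.
    Returns (role, intended network, actual network) for every role whose
    rules would end up applied to the wrong wire."""
    intended = roles_to_networks(config, enumerate_devices(ALL_PORTS))
    actual = roles_to_networks(config, enumerate_devices(working_ports))
    return [(r, intended[r], actual[r]) for r in config if intended[r] != actual[r]]


def safe_boot(config: Dict[str, str], working_ports: List[str]) -> Tuple[str, List[str]]:
    """Fail closed: if any assigned device name is absent, refuse to apply the
    config and drop into interface reassignment instead of guessing."""
    devices = enumerate_devices(working_ports)
    missing = sorted(dev for dev in config.values() if dev not in devices)
    return ("reassign", missing) if missing else ("run", [])


if __name__ == "__main__":
    survivors = [p for p in ALL_PORTS if p != "port2"]   # igb2's hardware died
    for role, want, got in unsafe_fallback(CONFIG, survivors):
        print(f"{role}: rules written for {want!r} would now apply to {got!r}")
    # Note the name reported missing is igb5, not igb2: the config alone
    # cannot tell which port actually failed, which is why guessing is unsafe.
    print(safe_boot(CONFIG, survivors))
```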


[pfSense] 2.3.2-RELEASE Now Available!

2016-07-25 Thread Chris Buechler
We are happy to announce the release of pfSense® software version 2.3.2!

This is a maintenance release in the 2.3.x series, bringing a number
of bug fixes. You can find all the details on the blog.

https://blog.pfsense.org/?p=2108

Re: [pfSense] PFS 2.3.1-RELEASE-p5 and Cisco 5520 IPSEC

2016-07-15 Thread Chris Buechler
On Fri, Jul 15, 2016 at 2:08 PM, Marc R. Meshurle Jr.  wrote:
> x.x.x.x is the pfSense and y.y.y.y is the Cisco
>
> Jul 16 00:05:54 charon: 11[IKE]  deleting IKE_SA con2000[673] between x.x.x.x[x.x.x.x]...y.y.y.y[y.y.y.y]
> Jul 16 00:05:54 charon: 11[IKE]  received DELETE for IKE_SA con2000[673]
> Jul 16 00:05:54 charon: 11[ENC]  parsed INFORMATIONAL_V1 request 303027 [ HASH D ]
> Jul 16 00:05:54 charon: 11[NET]  received packet: from y.y.y.y[500] to x.x.x.x[500] (84 bytes)
> Jul 16 00:05:54 charon: 05[IKE]  received NO_PROPOSAL_CHOSEN error notify
> Jul 16 00:05:54 charon: 05[ENC]  parsed INFORMATIONAL_V1 request 1608868438 [ HASH N(NO_PROP) ]

No proposal means something doesn't match in your config. The ASA is
sending that, it might be logging something more useful as to why it's
sending NO_PROP. No way to tell anything other than "config doesn't
match" from the logs on that side. It's a mismatch in P1.


Re: [pfSense] PFS 2.3.1-RELEASE-p5 and Cisco 5520 IPSEC

2016-07-15 Thread Chris Buechler
On Fri, Jul 15, 2016 at 11:32 AM, Marc R. Meshurle Jr. wrote:
> I'm having an issue connecting to a Cisco ASA5520 with IPSEC. The vendor with 
> the Cisco states that Phase 1 is good, but dropping out on Phase 2. We've 
> matched the Phase 2 proposals up and it still fails on the Phase 2 side. I've 
> tried every combination of SA protocols and none stay connected.
>
> Any thoughts?
>

What do your IPsec logs show?


Re: [pfSense] connect more than 255 clients + server ppoe

2016-07-12 Thread Chris Buechler
On Tue, Jul 12, 2016 at 3:12 PM, sp1b0t  wrote:
> Hello
>
> Can you connect more than 255 clients to a pfSense PPPoE server?
>

Not without hacking the source, though that should work if you do so.
No limitation in the underlying mpd that runs the PPPoE server, people
apparently run thousands of simultaneous users with it on stock
FreeBSD.


Re: [pfSense] 2 server ppoe on the same interface

2016-07-12 Thread Chris Buechler
On Tue, Jul 12, 2016 at 3:10 PM, sp1b0t  wrote:
> Hi.
> Can you create 2 PPPoE servers on the same interface?

No. Wouldn't be possible to differentiate which should answer.


Re: [pfSense] 502 Bad Gateway

2016-07-08 Thread Chris Buechler
On Thu, Jul 7, 2016 at 1:16 PM, Bill Arlofski  wrote:
> On 07/07/2016 08:09 AM, Jon Gerdes wrote:
>> Bill
>>
>> I may be off target here but the IPsec widget used to cause the php-fpm
>> daemon to die after a few days.
>>
>> I haven't looked into it since but removing that widget fixed it for me
>> on two pfSenses.
>>
>> Cheers
>> Jon
>
> Hi Jon,
>
> Hmmm, I do have the IPsec widget on my dashboard, so this is at least
> somewhere to start. :)
>
> I guess I will remove it the next time this happens and see if there is any
> change.
>
> Do you know if this is a known (and reported) issue?
>

It's worth trying at least. The case I had where that problem was
replicable was worked around in 2.3.1_5 on this ticket.
https://redmine.pfsense.org/issues/6318

There may be a related issue still outstanding from that, as the root
cause is still an issue. The timeout works around it where I saw it,
though that system does still have an occasional 502. I just pushed
that out to 2.4.0 since we're rolling a 2.3.2 soon, but it will be
looked at. If removing the widget does fix the issue, then you know
it's a remaining symptom of #6318. It's not an easily replicable
issue, most people aren't seeing it.


Re: [pfSense] DMZ not working since upgrade 2.3

2016-06-30 Thread Chris Buechler
On Wed, Jun 29, 2016 at 8:27 AM, Jean-Laurent Ivars wrote:
> Hello Piba (and anyone else…)
>
> Sorry for not having answered before…
>
> To answer your questions, firstly, I’m not in a datacenter, only a client’s
> offices with different ISPs.
>
> I agree with you double NAT is bad but you can’t always get rid of it… and you
> should know that on one of my WAN connections I was technically able to make a
> bridge and I thought the problem was the same with this connection but in
> fact, my fault, bad setting, so with this connection everything is working!
>
> So I stay with my third connection which is not working (double NAT) and only
> with this one, I can see traffic but it’s not working, so I gave a try with
> the flag you requested to try to give more information to understand what
> happens…
>
> From outside to port 2223, which is where the SSH daemon is listening on the
> pfSense, from the OVH connection (double NAT) = not working
>
> [2.3.1-RELEASE][r...@pfsense.concorde-pereire.loc]/root: tcpdump -en -i re0 port 2223
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on re0, link-type EN10MB (Ethernet), capture size 65535 bytes
> 14:42:56.509422 a4:b1:e9:f7:13:e8 > 00:0d:b9:33:7c:6c, ethertype IPv4 (0x0800), length 66: 62.210.139.211.49236 > 192.168.101.254.2223: Flags [S], seq 2309097405, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
> 14:42:56.509584 00:0d:b9:33:7c:6c > 24:95:04:fb:ae:90, ethertype IPv4 (0x0800), length 66: 192.168.101.254.2223 > 62.210.139.211.49236: Flags [S.], seq 3034279515, ack 2309097406, win 65228, options [mss 1460,nop,wscale 7,sackOK,eol], length 0
> 14:42:59.509726 00:0d:b9:33:7c:6c > 24:95:04:fb:ae:90, ethertype IPv4 (0x0800), length 66: 192.168.101.254.2223 > 62.210.139.211.49236: Flags [S.], seq 3034279515, ack 2309097406, win 65228, options [mss 1460,nop,wscale 7,sackOK,eol], length 0
> 14:42:59.529210 a4:b1:e9:f7:13:e8 > 00:0d:b9:33:7c:6c, ethertype IPv4 (0x0800), length 66: 62.210.139.211.49236 > 192.168.101.254.2223: Flags [S], seq 2309097405, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
>
>
> From outside to port 2223, which is where the SSH daemon is listening on the
> pfSense, from the SFR connection (double NAT) = working
>
> [2.3.1-RELEASE][r...@pfsense.concorde-pereire.loc]/root: tcpdump -en -i re0 port 2223
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on re0, link-type EN10MB (Ethernet), capture size 65535 bytes
> 14:43:47.280639 24:95:04:fb:ae:90 > 00:0d:b9:33:7c:6c, ethertype IPv4 (0x0800), length 66: 62.210.139.211.49239 > 192.168.101.254.2223: Flags [S], seq 2327707324, win 9652, options [mss 1460,wscale 3,sackOK,eol], length 0
> 14:43:47.280797 00:0d:b9:33:7c:6c > 24:95:04:fb:ae:90, ethertype IPv4 (0x0800), length 66: 192.168.101.254.2223 > 62.210.139.211.49239: Flags [S.], seq 3881093896, ack 2327707325, win 65228, options [mss 1460,nop,wscale 7,sackOK,eol], length 0
> 14:43:47.311955 24:95:04:fb:ae:90 > 00:0d:b9:33:7c:6c, ethertype IPv4 (0x0800), length 60: 62.210.139.211.49239 > 192.168.101.254.2223: Flags [.], ack 1, win 32850, length 0
> 14:43:47.322754 24:95:04:fb:ae:90 > 00:0d:b9:33:7c:6c, ethertype IPv4 (0x0800), length 82: 62.210.139.211.49239 > 192.168.101.254.2223: Flags [P.], seq 1:29, ack 1, win 32850, length 28
> 14:43:47.322883 00:0d:b9:33:7c:6c > 24:95:04:fb:ae:90, ethertype IPv4 (0x0800), length 54: 192.168.101.254.2223 > 62.210.139.211.49239: Flags [.], ack 29, win 513, length 0
> 14:43:47.343017 00:0d:b9:33:7c:6c > 24:95:04:fb:ae:90, ethertype IPv4 (0x0800), length 75: 192.168.101.254.2223 > 62.210.139.211.49239: Flags [P.], seq 1:22, ack 29, win 513, length 21
>
>
> In the light of these new details, I can see that the pfSense is trying to
> respond to the bad MAC address (the working connection’s one)! And that is the
> reason it’s not working! So I had a look at the interface settings and I
> noticed that the MAC address it tries to reply to is the one selected here in
> the menu list; I have two since I have two gateways for one interface in the
> same private network space…
>
> First I want to thank you for helping me clarify what was going wrong (for the
> second pfSense installation it’s a bad coincidence, the problem is with the
> modem configuration which is defective)
>
> So my question now is: How can I set both gateways to have the same
> priority or at least make the system answer to the address that initiated the
> connection?
>

Don't put two WANs on one interface, the reply-to rules can't properly
handle return routing in that case. Use another NIC or a VLAN for one
of them.
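As an added example (not pfSense's code), a small checker for the symptom Jean-Laurent found in his captures: it parses the `tcpdump -en` lines quoted above and flags any SYN-ACK whose destination MAC is not the MAC the matching SYN arrived from, which is what two gateways on one interface produce.

```python
"""Spot a SYN-ACK leaving toward the wrong MAC in a 'tcpdump -en' capture.

Added example, not pfSense code. The sample captures are the two quoted in
the post, joined back onto one line per packet. For every client SYN the
checker remembers the source MAC; the firewall's SYN-ACK must go back to
that same MAC, otherwise the reply is handed to the other gateway and the
client never sees it.
"""
import re
from typing import Dict, List, Tuple

# tcpdump -en: time, src MAC > dst MAC, ethertype, src IP.port > dst IP.port: Flags [..]
PKT_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<smac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) > "
    r"(?P<dmac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}), ethertype IPv4 \(0x0800\), length \d+: "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

Flow = Tuple[str, str, str, str]          # (src ip, src port, dst ip, dst port)


def parse(line: str) -> Dict[str, str]:
    """Split one tcpdump -en IPv4/TCP line into its named fields."""
    m = PKT_RE.match(line)
    if not m:
        raise ValueError(f"not a tcpdump -en IPv4 line: {line[:40]}...")
    return m.groupdict()


def check_return_path(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """One finding per SYN-ACK: (flow, MAC the SYN came from, MAC the SYN-ACK
    was sent to, verdict). SYN-ACKs for unseen SYNs are skipped."""
    syn_mac: Dict[Flow, str] = {}
    findings = []
    for p in map(parse, lines):
        flow: Flow = (p["src"], p["sport"], p["dst"], p["dport"])
        if p["flags"] == "S":                      # client SYN: remember its L2 source
            syn_mac[flow] = p["smac"]
        elif p["flags"] == "S.":                   # our SYN-ACK: look up the reversed tuple
            reverse: Flow = (p["dst"], p["dport"], p["src"], p["sport"])
            came_from = syn_mac.get(reverse)
            if came_from is None:
                continue
            verdict = "ok" if came_from == p["dmac"] else "reply to wrong MAC"
            findings.append(("%s:%s -> %s:%s" % reverse, came_from, p["dmac"], verdict))
    return findings


# Capture from the OVH (non-working) connection, as quoted in the post.
BROKEN_CAPTURE = [
    "14:42:56.509422 a4:b1:e9:f7:13:e8 > 00:0d:b9:33:7c:6c, ethertype IPv4 (0x0800), length 66: 62.210.139.211.49236 > 192.168.101.254.2223: Flags [S], seq 2309097405, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0",
    "14:42:56.509584 00:0d:b9:33:7c:6c > 24:95:04:fb:ae:90, ethertype IPv4 (0x0800), length 66: 192.168.101.254.2223 > 62.210.139.211.49236: Flags [S.], seq 3034279515, ack 2309097406, win 65228, options [mss 1460,nop,wscale 7,sackOK,eol], length 0",
    "14:42:59.509726 00:0d:b9:33:7c:6c > 24:95:04:fb:ae:90, ethertype IPv4 (0x0800), length 66: 192.168.101.254.2223 > 62.210.139.211.49236: Flags [S.], seq 3034279515, ack 2309097406, win 65228, options [mss 1460,nop,wscale 7,sackOK,eol], length 0",
    "14:42:59.529210 a4:b1:e9:f7:13:e8 > 00:0d:b9:33:7c:6c, ethertype IPv4 (0x0800), length 66: 62.210.139.211.49236 > 192.168.101.254.2223: Flags [S], seq 2309097405, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0",
]

# Capture from the SFR (working) connection, first three packets as quoted.
WORKING_CAPTURE = [
    "14:43:47.280639 24:95:04:fb:ae:90 > 00:0d:b9:33:7c:6c, ethertype IPv4 (0x0800), length 66: 62.210.139.211.49239 > 192.168.101.254.2223: Flags [S], seq 2327707324, win 9652, options [mss 1460,wscale 3,sackOK,eol], length 0",
    "14:43:47.280797 00:0d:b9:33:7c:6c > 24:95:04:fb:ae:90, ethertype IPv4 (0x0800), length 66: 192.168.101.254.2223 > 62.210.139.211.49239: Flags [S.], seq 3881093896, ack 2327707325, win 65228, options [mss 1460,nop,wscale 7,sackOK,eol], length 0",
    "14:43:47.311955 24:95:04:fb:ae:90 > 00:0d:b9:33:7c:6c, ethertype IPv4 (0x0800), length 60: 62.210.139.211.49239 > 192.168.101.254.2223: Flags [.], ack 1, win 32850, length 0",
]

if __name__ == "__main__":
    for name, capture in (("OVH", BROKEN_CAPTURE), ("SFR", WORKING_CAPTURE)):
        for flow, syn_from, synack_to, verdict in check_return_path(capture):
            print(f"{name}: {flow}  SYN from {syn_from}, SYN-ACK to {synack_to}: {verdict}")
```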

Re: [pfSense] Setup DNS question

2016-06-25 Thread Chris Buechler
On Fri, Jun 24, 2016 at 5:35 PM, Richard A. Relph  wrote:
> Brand new pfSense user here… setting up a VMWare system after upgrading it to 
> 2.3.1_5, doing a reset to factory config, and restarting the web configurator.
> I get to this point:
>
>
> and what I want to say is have this pfSense instance have all LAN DNS queries 
> go to the DNS servers configured here. Ignore the DNS servers requested by 
> LAN clients, and ignore DNS servers specified from the WAN DHCP server.
>
> So I filled in the 2 boxes with the DNS server IP addresses, unchecked the 
> Override DNS box, and then went to Services > DNS Resolver and enabled DNS 
> Query Forwarding as described.
>
> No dice… no DNS queries succeed. Uncheck the DNS Query Forwarding box and DNS 
> works fine.
>
> What am I misunderstanding?

Your DNS servers probably don't support DNSSEC. Disable DNSSEC and
it'll probably work.

Re: [pfSense] CPU Utilization on landing page

2016-06-25 Thread Chris Buechler
On Fri, Jun 24, 2016 at 12:46 PM, Karl Fife  wrote:
> Scaling down the update frequency on the traffic graphs seems to
> meaningfully reduce utilization.  Many other widgets don't appear to
> have settings for their poll intervals.   Are there other settings hidden
> away to reduce the update frequency (to prolong the suitability of older
> hardware)?
>

Most don't. Might be worthwhile to add (pull requests welcome).

> I know that old routers have to meet their makers eventually, but I hate to
> do so only because dashboard starts causing real-time applications to fall
> over.
>

It took you 5 instances of the dashboard to reach 70% CPU, how many
duplicate dashboards do you want to run? :) Running one or two
instances of the dashboard on your system won't have any noticeable
impact unless you're already running way too close to the top end
capacity of the hardware.


Re: [pfSense] PCI/PCIe crypto cards?

2016-06-25 Thread Chris Buechler
On Fri, Jun 24, 2016 at 6:15 PM, Cheyenne Deal  wrote:
> Is there a list of working crypto cards for x86 and 64bit PC versions of
> pfsense 2.3 release line?

https://www.freebsd.org/releases/10.3R/hardware.html#crypto-accel

Though AES-NI is your best bet at this point.


Re: [pfSense] Traffic Limiter name change

2016-06-25 Thread Chris Buechler
On Fri, Jun 24, 2016 at 1:01 PM, Karl Fife  wrote:
> We've entered the wonderful world of the traffic limiters. Specifically, we
> put FACEBOOK subnets through a comparatively skinny pipe.  This is done to
> make it JUST a bit too painful to look at kitten photos, but perfectly
> suitable to look at CompetitorCo's facebook page for legitimate business
> purposes. We're still collecting empirical data on how much it dissuades
> personal use, but it doesn't seem to create tension the way that explicit
> blocking would.
>
> The issue:
>
> in <=2.2 if an in-use limiter is renamed, the system will yell at you.  IMO,
> that's good.
>

That's not true actually. No input_errors there when renaming a
limiter. You can't delete one that's in use. 2.3 is the same in that
regard.

There is a bug ticket open on updating firewall rules when a limiter
is renamed (or preventing renaming) to avoid removal of limiters from
rules when renamed. That's no diff than it's ever been though.


Re: [pfSense] CPU Utilization on landing page

2016-06-23 Thread Chris Buechler
On Thu, Jun 23, 2016 at 11:55 AM, Karl Fife  wrote:
> Ever since upgrading to 2.3, I notice that the CPU utilization is uncommonly
> high when a browser is pointed at the Status / Dashboard.
>
> Naturally, this is the php-fpm process.  Each instance of php-fpm runs at
> between 8 and 40% of my 1.8GHz Atom (dual core, HT).  With four or five
> dashboard windows open I can burn 70% of the CPU on the idle box.   Doing
> the same on <= 2.2 barely registers additional utilization.
>

Many more things dynamically update than before, and do so more often.
Opening up 5 dashboard instances basically turns the box into a
relatively busy web server, doing probably a few dozen requests per
second depending on which all widgets are enabled. Yes that will chew
some CPU on an old Atom.


Re: [pfSense] IPSEC Issue

2016-06-01 Thread Chris Buechler
On Tue, May 31, 2016 at 2:46 AM, Daniel Eschner wrote:
> Hi There,
>
> For some days I have been getting a couple of errors:
>
> May 31 09:42:40 gw01 charon: 08[KNL]  unable to query SAD entry with SPI c6bce4d4: No such file or directory (2)
> May 31 09:42:49 gw01 charon: 08[KNL]  unable to query SAD entry with SPI c6bce4d4: No such file or directory (2)
> May 31 09:42:56 gw01 charon: 10[KNL]  unable to query SAD entry with SPI c6bce4d4: No such file or directory (2)
> May 31 09:43:12 gw01 charon: 10[KNL]  unable to query SAD entry with SPI c6bce4d4: No such file or directory (2)
> May 31 09:43:29 gw01 charon: 13[KNL]  unable to query SAD entry with SPI c6bce4d4: No such file or directory (2)
> May 31 09:43:45 gw01 charon: 10[KNL]  unable to query SAD entry with SPI c6bce4d4: No such file or directory (2)
> May 31 09:43:57 gw01 charon: 05[KNL]  unable to query SAD entry with SPI c6bce4d4: No such file or directory (2)
> May 31 09:44:14 gw01 charon: 16[KNL]  unable to query SAD entry with SPI c6bce4d4: No such file or directory (2)
> May 31 09:44:30 gw01 charon: 09[KNL]  unable to query SAD entry with SPI c6bce4d4: No such file or directory (2)
> May 31 09:44:30 gw01 charon: 09[KNL]  unable to query SAD entry with SPI ccc89c04: No such file or directory (2)
> May 31 09:44:46 gw01 charon: 09[KNL]  unable to query SAD entry with SPI c6bce4d4: No such file or directory (2)
> May 31 09:44:46 gw01 charon: 09[KNL]  unable to query SAD entry with SPI ccc89c04: No such file or directory (2)
>
> I looked around and just found „It's a bug which is fixed in the current
> version“.
> OK, I use the current version but it doesn't seem fixed :-(
>

Those log lines in particular weren't the bug you found. Those are
normal under a variety of circumstances, usually when the OS deletes
an SA and then strongswan gets something that wants to delete it
again. Just something that happened along with whatever that issue
was.

If you aren't actually having any problems, that's safe to ignore. If
you are having problems, more log context and a description of the
issue will be necessary.
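The replies in this thread, in the "IPSec log comments" thread (vici client chatter from the status page and dashboard widget) and in the Cisco 5520 thread (NO_PROPOSAL_CHOSEN as a Phase 1 mismatch) together amount to a small triage rule set for charon's log. Here it is written out as an added example (not pfSense or strongSwan code), run over the lines quoted in those posts:

```python
"""Triage of the charon (strongSwan) log lines quoted in the threads above.

Added example, not pfSense or strongSwan code. The rules encode what the
replies say: CFG 'vici client' chatter is the IPsec status page and
dashboard widget polling at a raised log level, 'unable to query SAD entry'
is normal when the OS already removed the SA, and NO_PROPOSAL_CHOSEN from
the peer is a Phase 1 mismatch. Sample lines are the posts' lines, re-joined.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

# charon prefixes every message with "<thread>[<subsystem>] <text>"; the
# syslog prefix in front of it may or may not carry a colon after "charon".
CHARON_RE = re.compile(
    r"charon:?\s+(?P<thread>\d{2})\[(?P<subsys>[A-Z]+)\]\s+(?P<msg>.*)$")

# (subsystems, message pattern, verdict, explanation), checked in order.
RULES = [
    ({"CFG"},
     re.compile(r"vici client \d+ (connected|disconnected|requests: list-sas?|registered for: list-sas?)"),
     "gui-poll",
     "IPsec status page or dashboard widget polling over vici; only logged above the default level"),
    ({"KNL"},
     re.compile(r"unable to query SAD entry with SPI [0-9a-f]+: No such file or directory"),
     "benign",
     "the OS already removed the SA before charon queried it; ignore unless tunnels misbehave"),
    ({"IKE"},
     re.compile(r"received NO_PROPOSAL_CHOSEN error notify"),
     "phase1-mismatch",
     "the peer rejected every Phase 1 proposal; compare P1 settings and read the peer's log"),
    ({"IKE"},
     re.compile(r"received DELETE for IKE_SA|deleting IKE_SA"),
     "sa-teardown",
     "IKE_SA removed; expected right after NO_PROPOSAL_CHOSEN"),
    ({"NET", "ENC"},
     re.compile(r"."),
     "wire-detail",
     "packet receive / payload decode detail; context for the IKE lines next to it"),
]


def classify(line: str) -> Optional[Dict[str, str]]:
    """Subsystem, verdict and explanation for one charon line; None if the
    line is not charon output at all."""
    m = CHARON_RE.search(line)
    if not m:
        return None
    subsys, msg = m.group("subsys"), m.group("msg")
    for subsystems, pattern, verdict, why in RULES:
        if subsys in subsystems and pattern.search(msg):
            return {"subsys": subsys, "verdict": verdict, "why": why, "msg": msg}
    return {"subsys": subsys, "verdict": "unclassified", "why": "review manually", "msg": msg}


def triage(lines: List[str]) -> Counter:
    """Verdict counts, so the actionable entries stand out from the noise."""
    return Counter(c["verdict"] for c in map(classify, lines) if c)


def actionable(lines: List[str]) -> List[Dict[str, str]]:
    """Only the entries that need a human: mismatches and anything unknown."""
    return [c for c in map(classify, lines)
            if c and c["verdict"] in ("phase1-mismatch", "unclassified")]


# Lines quoted in the three threads, each joined back onto a single line.
SAMPLE_LOG = [
    "Jul 28 12:01:08 charon 14[CFG] vici client 891 disconnected",
    "Jul 28 12:01:08 charon 14[CFG] vici client 891 requests: list-sas",
    "Jul 28 12:01:08 charon 10[CFG] vici client 891 registered for: list-sa",
    "Jul 28 12:01:08 charon 14[CFG] vici client 891 connected",
    "Jul 16 00:05:54 charon: 11[IKE]  deleting IKE_SA con2000[673] between x.x.x.x[x.x.x.x]...y.y.y.y[y.y.y.y]",
    "Jul 16 00:05:54 charon: 11[IKE]  received DELETE for IKE_SA con2000[673]",
    "Jul 16 00:05:54 charon: 11[ENC]  parsed INFORMATIONAL_V1 request 303027 [ HASH D ]",
    "Jul 16 00:05:54 charon: 11[NET]  received packet: from y.y.y.y[500] to x.x.x.x[500] (84 bytes)",
    "Jul 16 00:05:54 charon: 05[IKE]  received NO_PROPOSAL_CHOSEN error notify",
    "May 31 09:42:40 gw01 charon: 08[KNL]  unable to query SAD entry with SPI c6bce4d4: No such file or directory (2)",
    "May 31 09:44:30 gw01 charon: 09[KNL]  unable to query SAD entry with SPI ccc89c04: No such file or directory (2)",
]

if __name__ == "__main__":
    for verdict, n in triage(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {verdict}")
    for entry in actionable(SAMPLE_LOG):
        print("ACTION:", entry["msg"], "->", entry["why"])
```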

Re: [pfSense] Turning UDP broadcast into a unicast on anotherinterface

2016-06-01 Thread Chris Buechler
On Wed, Jun 1, 2016 at 8:00 AM, Jason Pyeron  wrote:
>> -Original Message-
>> From: On Behalf Of Jim Thompson
>> Sent: Tuesday, October 02, 2012 19:24
>> Subject: [pfSense] Turning UDP broadcast into a unicast on another
> interface
>>
>> Without writing a small program?  No, I can't think of a way.
>
> Before I go and write such a program, does anyone think this is currently
> supported as a pf rule?
>

Possibly via rdr (port forward), though can't say that I've tried it.
Interface LAN, proto src and dst matching the traffic in question,
target IP being the destination IP.


Re: [pfSense] Strange fe80::1:1 link-local address on LAN interface

2016-05-27 Thread Chris Buechler
On Thu, May 26, 2016 at 6:03 AM, Olivier Mascia  wrote:
> LAN Interface (lan, igb0)
> Status            up
> MAC Address       00:08:a2:09:58:96
> IPv4 Address      10.32.0.1
> Subnet mask IPv4  255.255.0.0
> IPv6 Link Local   fe80::1:1%igb0  (???)
> IPv6 Address      2a02:578:4d07::1
> Subnet mask IPv6  64
> MTU               1500
> Media             1000baseT
>
> I do not understand where this fe80::1:1 comes from, it clearly isn't derived
> from the MAC.
>

That's your link-local gateway IP, it exists on every interface that
obtains its IP via PD. It's common to use that as a gateway IP in that
case. It also provides an easy IP to use to hit the GUI.


> Indeed workstations on the LAN capture fe80::1:1 for their default gateway 
> and even pinging that IP from a workstation doesn't work:
>
> ping6 fe80::1:1
> PING6(56=40+8+8 bytes) fe80::aa20:66ff:fe21:7c8e%en2 --> fe80::1:1
> ping6: sendmsg: No route to host

You need an interface scope when pinging link local. For instance on a
Linux host whose connected NIC is wlan0, this is pinging the gateway
IP on a PD-configured interface.

$ ping6 fe80::1:1%wlan0
PING fe80::1:1%wlan0(fe80::1:1) 56 data bytes
64 bytes from fe80::1:1: icmp_seq=1 ttl=64 time=3.01 ms
64 bytes from fe80::1:1: icmp_seq=2 ttl=64 time=3.20 ms
64 bytes from fe80::1:1: icmp_seq=3 ttl=64 time=3.49 ms
^C
--- fe80::1:1%wlan0 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 3.010/3.235/3.493/0.209 ms
$ ip -6 neighbor
fe80::1:1 dev wlan0 lladdr 00:08:a2:09:3b:b4 router REACHABLE

Or on a Mac where en0 is the interface.

$ ping6 fe80::1:1%en0
PING6(56=40+8+8 bytes) fe80::426c:8fff:fe2c:d08%en0 --> fe80::1:1%en0
16 bytes from fe80::1:1%en0, icmp_seq=0 hlim=64 time=0.225 ms
16 bytes from fe80::1:1%en0, icmp_seq=1 hlim=64 time=0.252 ms
^C
--- fe80::1:1%en0 ping6 statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.225/0.238/0.252/0.014 ms

$ ndp -an
Neighbor        Linklayer Address  Netif Expire    St Flgs Prbs
fe80::1:1%en0   0:8:a2:9:3b:b4     en0   7s        R  R


> So I could get rid of it and get there a proper link-local address?
>

There's nothing improper about it, it's fine as-is.


Re: [pfSense] USB hard drive on SG-2220

2016-05-27 Thread Chris Buechler
On Fri, May 27, 2016 at 10:00 PM, Walter Parker  wrote:
> Hi,
>
> I just plugged a small WDC USB 2.0 hard drive into my pfSense firewall as
> an external, second drive and everything booted:
> da1 at umass-sim1 bus 1 scbus7 target 0 lun 0
> da1:  Fixed Direct Access SCSI device
> da1: 40.000MB/s transfers
> da1: 238475MB (488397168 512 byte sectors)
> da1: quirks=0x2
>
> But when I tried to plug in a Seagate 2TB or 4TB drive (USB 3.0), the
> system crashes with a power outage and doesn't restart (even after a power
> cycle). It appears as if it doesn't post because the network indicators
> never start flashing and the console never shows any output.
>
> When plugged into a full sized desktop/server running FreeBSD 10.3, it
> shows:
>
> da0 at umass-sim0 bus 0 scbus8 target 0 lun 0
> da0:  Fixed Direct Access SPC-4 SCSI device
> da0: Serial Number XXX
> da0: 400.000MB/s transfers
> da0: 3815447MB (7814037167 512 byte sectors)
> da0: quirks=0x2
>
> My first guess would be that the first drive takes less power than the
> second. My second guess would be that there is some incompatibility between
> the USB 2.0 on the Atom board and the USB 3.0 on the drive (on the full
> FreeBSD machine, the drive is plugged into a USB 3.0 outlet).
>
> If I got a USB drive with an external power supply, could I use a 4TB drive
> on the firewall?
>

There is a recently-discovered issue on those systems with USB devices
that draw power more heavily. If you plug it in before powering up,
it'll be fine, just can't while the system's running. An external
drive with its own power supply should be fine. Anything plugged into
a powered USB hub is fine.


Re: [pfSense] How to manually update 2.3 onwards?

2016-05-25 Thread Chris Buechler
On Tue, May 24, 2016 at 8:08 AM, Pete Boyd  wrote:
> I have a pfSense 2.3.0_1 which has had an issue connecting to
> pfsense.com to check for updates for years. That's not the issue, as far
> as I believe. Perhaps its LAN and WAN are mistakenly the wrong way
> around. It routes between two LANs. Anyway I always update it manually
> by downloading a tgz file.
>
> With 2.3.0_1 it appears to offer no means of manually updating, giving
> these error messages on the System > Update screen [1].
> I see the release notes say "Removed "full update" or "full slice"
> upgrade for systems on 2.3 to later versions" - is this what I am seeing?
>
> How do I manually update pfSense now please?
>

There currently is no means of doing so, the system must be online.

The errors from pkg you posted make it seem like the box is behind a
captive portal maybe, so it's fetching a portal page rather than the
pkg files.


Re: [pfSense] Update 2.3_1 to 2.3.1 failed

2016-05-24 Thread Chris Buechler
On Tue, May 24, 2016 at 6:47 PM, Jeppe Øland  wrote:
> Is the "NanoBSD filesystem is mounted r/w" a temporary thing until you fix
> these issues?
>

No. The issue is some flash media is really slow to rw->ro mount. We
used to carry a forcesync patch to forcefully un-mount it without the
drive saying it was safe to do so. While we never saw any indications
of that causing issues, it was removed because it's unsafe. Since
then, many have had to set permanent rw for that reason, and it got
worse. Being rw doesn't really change anything other than not jumping
through a bunch of mount/remount hoops. The things that get written to
often are still in RAM disk.

Re: [pfSense] Update 2.3_1 to 2.3.1 failed

2016-05-24 Thread Chris Buechler
On Tue, May 24, 2016 at 2:25 PM, WebDawg <webd...@gmail.com> wrote:
> On Tue, May 24, 2016 at 2:18 PM, Chris Buechler <c...@pfsense.com> wrote:
>
>> On Tue, May 24, 2016 at 1:28 PM, WebDawg <webd...@gmail.com> wrote:
>> > On Tue, May 24, 2016 at 11:34 AM, Chris Buechler <c...@pfsense.com>
>> wrote:
>> >
>> >> On Tue, May 24, 2016 at 5:33 AM, OSN | Marian Fischer <m...@osn.de>
>> wrote:
>> >> > Hi list,
>> >> >
>> >> > when I try to update one CARP member from 2.3_1 to the latest update
>> >> (2.3.1) it fails after
>> >> >
>> >> > # snip
>> >> > Updating pfSense-core repository catalogue...
>> >> > Unable to update repository pfSense-core
>> >> > Updating pfSense repository catalogue...
>> >> > # snip
>> >> >
>> >> > the other member did the update well. Both are running on 4GB  CF nano
>> >> install.
>> >> >
>> >> > any solution out there?
>> >>
>> >> Diag>NanoBSD, set to permanent rw, and reboot for good measure. It work
>> >> then?
>> >
>> >
>> > I have a few pfSense devices that I purchased, do I need to set permanent
>> > rw on them for 2.3.1?
>>
>> If you have problems with them, yes. Once upgraded to 2.3.1, they'll
>> be set permanent rw with no option to go ro.
>>
>
>
> So if I already have them up to 2.3.1, I am fine.

Yes.


Re: [pfSense] Update 2.3_1 to 2.3.1 failed

2016-05-24 Thread Chris Buechler
On Tue, May 24, 2016 at 1:28 PM, WebDawg <webd...@gmail.com> wrote:
> On Tue, May 24, 2016 at 11:34 AM, Chris Buechler <c...@pfsense.com> wrote:
>
>> On Tue, May 24, 2016 at 5:33 AM, OSN | Marian Fischer <m...@osn.de> wrote:
>> > Hi list,
>> >
>> > when I try to update one CARP member from 2.3_1 to the latest update
>> (2.3.1) it fails after
>> >
>> > # snip
>> > Updating pfSense-core repository catalogue...
>> > Unable to update repository pfSense-core
>> > Updating pfSense repository catalogue...
>> > # snip
>> >
>> > the other member did the update well. Both are running on 4GB  CF nano
>> install.
>> >
>> > any solution out there?
>>
>> Diag>NanoBSD, set to permanent rw, and reboot for good measure. It work
>> then?
>
>
> I have a few pfSense devices that I purchased, do I need to set permanent
> rw on them for 2.3.1?

If you have problems with them, yes. Once upgraded to 2.3.1, they'll
be set permanent rw with no option to go ro.


Re: [pfSense] Why can't we define a point-to-point OpenVPN using only IPv6?

2016-05-24 Thread Chris Buechler
On Tue, May 24, 2016 at 11:57 AM, Olivier Mascia  wrote:
>> On 24 May 2016 at 17:56, Doug Lytle wrote:
>>
>>> Is the IPv4 requirement something thats planned to be removed in future
>>> releases?
>>>
>>> I don't assume many people have adopted IPv6 yet.
>>
>> Ensuring stable, robust and complete IPv6 (+IPv4) support was and is
>> the primary goal for 2.4
>>
>> IPv6-only was a non-goal so far, so nobody invested time into it yet -
>> but of course, eventually nobody wants to bother with IPv4 anymore :-)
>>
>> Realistically, though, there's more pressing things to work on - like
>> cipher negotiation (so you can upgrade encryption without having to
>> roll out new configs to all your clients), actually *releasing* 2.4, etc.
>
> You're going too far compared to what I asked: I'm not asking for IPv6-only
> support.
> It is just that I need to create an OpenVPN tunnel between two sites
> transporting only IPv6.

He's just quoting a post to the OpenVPN list on said topic. You can
transport only IPv6 across an OpenVPN tunnel, but you'll need an IPv4
tunnel network defined even if you don't use it. Requirement of
OpenVPN.

Re: [pfSense] Update 2.3_1 to 2.3.1 failed

2016-05-24 Thread Chris Buechler
On Tue, May 24, 2016 at 5:33 AM, OSN | Marian Fischer  wrote:
> Hi list,
>
> When I try to update one CARP member from 2.3_1 to the latest update (2.3.1)
> it fails after
>
> # snip
> Updating pfSense-core repository catalogue...
> Unable to update repository pfSense-core
> Updating pfSense repository catalogue...
> # snip
>
> the other member did the update well. Both are running on 4GB CF nano
> install.
>
> any solution out there?

Diag>NanoBSD, set to permanent rw, and reboot for good measure. Does it work then?


Re: [pfSense] 2.3_1 ?

2016-05-05 Thread Chris Buechler
On Thu, May 5, 2016 at 3:11 PM, Bob Gustafson  wrote:
> On 05/05/2016 02:35 PM, Larry Rosenman wrote:
>
>> On 2016-05-05 14:23, Bob Gustafson wrote:
>>>
>>> On 05/05/2016 02:05 PM, Jim Thompson wrote:
>
> On May 5, 2016, at 6:26 AM, Paul Mather 
> wrote:
>
> On May 5, 2016, at 9:13 AM, Vick Khera  wrote:
>
>> On Tue, May 3, 2016 at 11:24 AM, Jeppe Øland  wrote:
>>
>>> Does this update actually work?
>>>
>>> After hitting install and crunching for a while, it showed "firmware
>>> installation failed!" at the top.
>>>
>> I just did the upgrade and it succeeded. However, ntpd was not
>> restarted on
>> either of the two systems upgraded. I had to manually restart ntpd.
>
>
> Same here.  In fact, in my case, ntpd ended up in the stopped state,
> and I had to start it manually.

It's documented that you need to (re)start NTP manually.

>>> I haven't yet upgraded to 2.3+
>>>
>>> My question is whether ntpd is dead on every reboot of pfSense, or
>>> just the one after upgrading?
>>
>> 2.3 to 2.3_1 is NO reboot.
>>
> What does "2.3 to 2.3_1 is NO reboot" mean?
>

That doing the upgrade from 2.3 to 2.3_1 doesn't reboot the system.

Re: [pfSense] 2.3 show stopper -- in most cases openvpn client specific overrides will fail to send proper iroute/push route

2016-05-04 Thread Chris Buechler
On Tue, May 3, 2016 at 5:43 AM, Philipp Tölke  wrote:
> Hi everyone,
>
> just FYI, I also had to un-check "Address Pool" for our vpn with
> "Static-IP-Overrides".
>

You probably should just set it back to net30 as noted in my last post
in this thread.

Re: [pfSense] pf2ad update to pfSense 2.3

2016-05-01 Thread Chris Buechler
On Sun, May 1, 2016 at 3:01 AM, Odhiambo Washington  wrote:
> But he doesn't force anyone to install this. I see no reason to ban him
> from posting or even the forum. Open Source was for the willing, IIRC.
>

Not saying he can't do it. He can't use our resources to promote it,
for the reasons I posted earlier in the thread.


Re: [pfSense] pf2ad update to pfSense 2.3

2016-05-01 Thread Chris Buechler
On Sun, May 1, 2016 at 1:58 AM, Luiz Gustavo S. Costa
<luizgust...@luizgustavo.pro.br> wrote:
> 2016-05-01 3:35 GMT-03:00 Chris Buechler <c...@pfsense.com>:
>
>> people's systems. He's been told again to not post about this to our
>> lists or forum, next time it's a ban.
>
> that is ... do not talk about it any more or you will be banned!!!
>
> 8-o
>

We're not real keen on allowing people to promote dangerous, insecure
third party things. You're welcome to contribute to the official
package, and then you're welcome to talk about it on our sites and
lists. There's no reason for that to be a separate package anyway. I'm
not saying you can't do it, you just can't use our resources to
promote it.

We've already seen how this story ends multiple times from other
similar third party packages in the past. A shocking number of people
will execute a shell script as root that they downloaded over HTTP.
The maintainer eventually stops maintaining it, bitrot takes over and
leaves people with broken systems at some point in the future. Then
it's our fault, not because they ran a script from some person on the
Internet.


Re: [pfSense] pf2ad update to pfSense 2.3

2016-05-01 Thread Chris Buechler
On Sun, Apr 17, 2016 at 1:01 PM, WebDawg  wrote:
> On Fri, Apr 15, 2016 at 12:39 PM, Luiz Gustavo S. Costa <
> luizgust...@luizgustavo.pro.br> wrote:
>
>> Hello,
>>
>> Whoever wants to test the pf2ad update to pfSense 2.3 can now
>> apply the script with the following command:
>>
>> fetch -q -o - http://projetos.mundounix.com.br/pfsense/2.3/samba3/pf2ad.sh
>> | sh
>>
>> The code versioning can be followed at:
>>
>> https://gitlab.mundounix.com.br/pfsense/pf2ad
>>
>> I have the support of the crowd with a stipend (paypal) and/or time for
>> coding.
>>
>> More info: http://pf2ad.mundounix.com.br/en/index.html
>>
>> Regards
>>
>> --
>> Luiz Gustavo Costa (Powered by BSD)
>> *+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+
>> ICQ: 2890831 / Gtalk: gustavo@gmail.com
>> Blog: http://www.luizgustavo.pro.br
>> ___
>>
>>
> I never knew about this, any reason it is not in the official packages?

Because Luiz refuses to contribute to the official package. He seems
to want to make people execute a shell script as root downloaded over
the Internet via HTTP without even looking at its contents, adding a
package repo that could break other parts of the system, and
installing packages via HTTP that aren't signed. It's an awful,
insecure hack when it could just be added to the official package
without creating massive security problems and risk of breaking
people's systems. He's been told again to not post about this to our
lists or forum, next time it's a ban.


Re: [pfSense] DNS secondary server on 2.3?

2016-04-28 Thread Chris Buechler
On Thu, Apr 28, 2016 at 10:21 AM, Adam Thompson  wrote:
> OK, I'm lost...  In v2.3, what service, and/or where in the GUI, should I go
> to make pfSense act as a slave (authoritative) DNS server?
>

No such capability. Neither dnsmasq nor unbound are authoritative
servers. The tinydns and BIND packages were removed as they had no
active maintainers.


> On a related note, in Services / DNS Resolver / General Settings, what does
> "DNS Query Forwarding" do?
> There's no description, so I assume if it's *not* set, unbound starts at the
> root servers, and if is *is* set, unbound tries my upstream ISP's servers
> first (based on the system global DNS settings)?
>

Yes, it forwards queries to the defined DNS servers rather than doing
its own recursion.


Re: [pfSense] CARP and both IPv4 and IPv6: do they live together?

2016-04-27 Thread Chris Buechler
On Tue, Apr 26, 2016 at 7:38 AM, Olivier Mascia  wrote:
>> On 26 Apr 2016 at 00:37, Olivier Mascia wrote:
>>
>> It looks like as soon as I bring IPv6 to the party, my secondary starts 
>> thinking it's MASTER instead of BACKUP. Sometimes on the WAN side, sometimes 
>> on the LAN, sometimes both.  Quite hard to describe, I'm still trying to 
>> build up a reproducible test case on my 2.3 cluster.  So out of the blue, 
>> are there known-bugs or other kind of difficulties in having H.A. along with 
>> IPv4 and IPv6?
>
> This stabilized after reboots.
>

My first guess at that issue would have been putting IPv6 IP aliases
on an IPv4 CARP parent or vice versa. Input validation didn't prevent
that until I added it a few days ago for 2.3.1+. But I don't think
that would have changed after reboot. That symptom usually means
ifconfig fails to add the IP on one or the other for some reason,
generally always with IP aliases on CARP parent.

Outside that circumstance, there aren't any caveats to having both
IPv4 and IPv6 CARP, we do it on all our systems internally and have
for over 5 years, and countless others do the same.


> Sure, I'm not helped by the transit provider which does not actually route 
> the /56 prefix to my link (savages!) but merely 'switch' it to me, expecting 
> ARP/NDP from
> each of my connected devices, and me using one dedicated IP of the block as 
> gateway.

That's a mess, make them fix that. It's ugly at a minimum, and will
make many typical uses of IPv6 impossible. No competent ISP will
assign your /56 directly to their router in its entirety.


> Until I thought of the RA!! I have set RA on WAN to Router Only over my 
> defined WAN IPv6 CARP

You don't want RAs enabled on WAN. Your ISP's router is the one
sending RAs in that case (if anything is). You're advertising yourself
on that network as a router for other hosts, which is never what you
want on your WAN.

Re: [pfSense] IPV6 WAN/LAN routing

2016-04-20 Thread Chris Buechler
On Wed, Apr 20, 2016 at 4:53 PM, Olivier Mascia  wrote:
>>> I must be tired or something but I have a strange thing with IPv6 on a new 
>>> box I just setup.
>>>
>>> Have a x:y:z:d800::/56 routed to me.
>>> WAN is static IPv6 on x:y:z:d800::1/64, gateway is 
>>> x:y:z:d800::::: (not a nice one but that is what they gave 
>>> me).
>>> LAN is static IPv6 on x:y:z:d801::1/64, no gateway as usual for LAN 
>>> interface.
>>>
>>> From a host on the LAN side, at x:y:z:d801::100 (or any other), I can reach 
>>> pf LAN interface on x:y:z:d801::1, I can also reach pf WAN interface on 
>>> x:y:z:d800::1, but I can't get a packet to go further.
>>>
>>> Yet, from pf itself, I can reach (ping for instance) www.google.com (IPv6) 
>>> from WAN interface, but not from LAN interface.
>>>
>>> I would have thought "ok I miss a pass rule on the LAN interface", but 
>>> there is one. This by far is not my first pfSense box, and they all have 
>>> various kind of IPv6 links. Not that I couldn't be awfully wrong somewhere. 
>>> So what obvious detail am I overlooking here? If you have any idea?
>>>
>>> This is 2.3-RELEASE by the way. Other boxes (on other networks) are still 
>>> 2.2.x.
>
>
> From some packet captures, something caught my eye, but I'm not sure if this 
> an issue in the hands of my upstream provider or something local to my 
> pfSense box.
> Here are two captures on the WAN of pfSense.
>
> First one, I'm pinging the WAN ip from a very remote location. One clearly
> sees 4 echo requests and 4 echo replies.
>
> 23:32:47.466402 IP6 2a02:578:85a0:101:5cf:576b:9daf:77ca > x:y:z:d800::1: 
> ICMP6, echo request, seq 73, length 40
> 23:32:47.466455 IP6 x:y:z:d800::1 > 2a02:578:85a0:101:5cf:576b:9daf:77ca: 
> ICMP6, echo reply, seq 73, length 40
> 23:32:48.476917 IP6 2a02:578:85a0:101:5cf:576b:9daf:77ca > x:y:z:d800::1: 
> ICMP6, echo request, seq 74, length 40
> 23:32:48.476933 IP6 x:y:z:d800::1 > 2a02:578:85a0:101:5cf:576b:9daf:77ca: 
> ICMP6, echo reply, seq 74, length 40
> 23:32:49.491979 IP6 2a02:578:85a0:101:5cf:576b:9daf:77ca > x:y:z:d800::1: 
> ICMP6, echo request, seq 75, length 40
> 23:32:49.492019 IP6 x:y:z:d800::1 > 2a02:578:85a0:101:5cf:576b:9daf:77ca: 
> ICMP6, echo reply, seq 75, length 40
> 23:32:50.507963 IP6 2a02:578:85a0:101:5cf:576b:9daf:77ca > x:y:z:d800::1: 
> ICMP6, echo request, seq 76, length 40
> 23:32:50.507987 IP6 x:y:z:d800::1 > 2a02:578:85a0:101:5cf:576b:9daf:77ca: 
> ICMP6, echo reply, seq 76, length 40
>
> This time, I'm pinging the LAN ip (x:y:z:d801::1) from the same remote 
> location. No echo requests, only neighbor solicitations from a link-local 
> address fe80...dc78, which I could trace as the upstream router, to 
> ff02::1:ff00:1. But no advertisements on return from the pfSense box.
>
> What looks wrong here?
> The absence of advertisements from pfSense box on these solicitations (I 
> would have an issue with my pfSense setup)?
> Or are these solicitations unexpected (the upstream provider has a setup 
> issue regarding my /56 network)?

They're unexpected. That means your ISP isn't routing that network to
you as they must be for it to be usable inside your network. ISP
issue.


Re: [pfSense] Ambiguous gateway monitoring

2016-04-15 Thread Chris Buechler
On Fri, Apr 15, 2016 at 12:31 PM, Karl Fife  wrote:
> I'm bringing this up in the off chance that it is a bug.  I think it might
> be expected behavior but want to bounce it off a few others.
>
> I have an installation with two fiber uplinks.  Each uplink has an IP on the
> ISP's single WAN subnet (e.g. one single subnet, not a pair of tunnels).
> This is a temporary configuration but in the meantime I observed the
> following.
>
> In this configuration, the gateway monitoring's default settings use a
> single gateway monitoring IP address (their DHCP default gateway).  What I
> observe is that ONE of the two interfaces will have 'unknown/pending'
> gateway status.  Obviously, the gateway monitoring ICMP messages for BOTH
> interfaces are routing via only ONE of the two, leaving other gateway's
> status unknown.
>

The issue isn't gateway monitoring, it's that you can't have the same
subnet on multiple interfaces and can't have multiple WANs with the
same gateway IP. There can only be one ARP cache entry for a given IP
and it will be associated with only a single interface. It's a toss up
as to which will work in that case. It's impossible to communicate
with the same IP on two different NICs.


Re: [pfSense] pfSense 2.3 unresponsive on

2016-04-15 Thread Chris Buechler
On Wed, Apr 13, 2016 at 6:11 PM, Rosen Iliev  wrote:
> Hi guys,
>
> Just upgraded my embedded pfSense to 2.3.
> I have problems getting to the box (web or ssh); it just times out.
> On the web I sometimes get an Nginx 504, sometimes just nothing.
> Eventually I got logged in and tried to check what's going on.
> I opened the Diagnostics->System Activity page and started monitoring the
> network traffic.
>
> There is JavaScript that updates the page content every 2.5 seconds, but the
> actual response in my case was more than 15 sec.
> So I ended up with 20+ pending requests to /diag_system_activity.php.
>
> I don't think that setInterval is a good option here. Especially when you
> don't know how long it will take for the request to complete.
>
> My suggestion is to use setTimeout like this:
>

Yeah that's what 2.2.x and prior used.
https://redmine.pfsense.org/issues/6166

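The two polling strategies discussed in that exchange can be compared without a browser. Below is an added example (not pfSense code, and not the snippet the reporter posted): a small deterministic event-loop stand-in runs both strategies with constructed timings that match the report (poll every 2.5 s, each request takes 15 s to answer) over 60 s of simulated time, and counts how many requests are outstanding at once.

```javascript
// Added example (not pfSense code): a deterministic simulation of the two
// browser polling strategies. Constructed timings: poll every 2.5 s, each
// request takes 15 s to complete, observe 60 s of simulated time.

// Minimal event-loop stand-in; events at the same instant run in scheduling order.
class FakeClock {
  constructor() { this.now = 0; this.seq = 0; this.queue = []; }
  setTimeout(fn, delay) {
    this.queue.push({ at: this.now + delay, seq: this.seq++, fn });
    this.queue.sort((a, b) => a.at - b.at || a.seq - b.seq);
  }
  setInterval(fn, period) {
    // Re-arms unconditionally, exactly like the browser's setInterval.
    const tick = () => { fn(); this.setTimeout(tick, period); };
    this.setTimeout(tick, period);
  }
  runUntil(tEnd) {
    while (this.queue.length && this.queue[0].at <= tEnd) {
      const ev = this.queue.shift();
      this.now = ev.at;
      ev.fn();
    }
    this.now = tEnd;
  }
}

// strategy 'interval': fire a request every period regardless of what is
// still outstanding. strategy 'timeout': arm the next poll only once the
// previous response has arrived, so at most one request is ever in flight.
function simulatePolling(strategy, { period, latency, horizon }) {
  const clock = new FakeClock();
  let pending = 0, maxPending = 0, completed = 0;

  // One simulated XHR: counts as pending until `latency` later.
  const request = (onDone) => {
    pending += 1;
    maxPending = Math.max(maxPending, pending);
    clock.setTimeout(() => { pending -= 1; completed += 1; onDone(); }, latency);
  };

  if (strategy === 'interval') {
    clock.setInterval(() => request(() => {}), period);
  } else if (strategy === 'timeout') {
    const poll = () => request(() => clock.setTimeout(poll, period));
    clock.setTimeout(poll, period);
  } else {
    throw new Error(`unknown strategy: ${strategy}`);
  }

  clock.runUntil(horizon);
  return { maxPending, completed, stillPending: pending };
}

// Stand-alone run: compare both strategies with the numbers from the report.
const pollingParams = { period: 2.5, latency: 15, horizon: 60 };
for (const strategy of ['interval', 'timeout']) {
  console.log(strategy, simulatePolling(strategy, pollingParams));
}
```

With these timings the interval strategy keeps six requests in flight at all times and leaves six unanswered at the end of the window, while the timeout strategy never has more than one outstanding. On a box that is already slow to answer, the first pattern is what turns a sluggish page into a self-inflicted pile of pending requests against the web server.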

Re: [pfSense] Upgrade from 2.2.x to 2.3 - upgrading firmware for almost 7 hours.

2016-04-15 Thread Chris Buechler
On Thu, Apr 14, 2016 at 1:57 PM, WebDawg  wrote:
> On Thu, Apr 14, 2016 at 1:53 PM, J. Echter <
> j.ech...@echter-kuechen-elektro.de> wrote:
>
>> On 14.04.2016 at 19:32, J. Echter wrote:
>> > Hi,
>> >
>> > here, everything works as expected. :)
>> >
>> > But I have an upgrade that has been running for roughly 7 hours...
>> >
>> >
>> > I didn't check full backup before upgrade.
>> >
>> > 7 hours seems long... :)
>> >
>> > Is this still expected behaviour?
>> >
>> > Thanks
>> >
>> > J.
>> > ___
>> > pfSense mailing list
>> > https://lists.pfsense.org/mailman/listinfo/list
>> > Support the project with Gold! https://pfsense.org/gold
>> >
>>
>> Seems normal, I have a reboot mail now :D
>>
>>
> I think I had this problem when I had a bunch of sarge reports and stuff.
> For some reason one of the upgrade steps was to look through the entire FS.

It does an mtree on all the installed files, which can take quite some
time, but it goes through a specific list of files that are installed.
Having a huge number of files on the filesystem could slow it down
some. Hours is really excessive though.


Re: [pfSense] 2.3.1 -> 2.3 ?

2016-04-13 Thread Chris Buechler
On Wed, Apr 13, 2016 at 4:53 AM, Olivier Mascia  wrote:
> Hello,
>
> I had a 2.3 RC installed and (mistakenly) let it auto-upgrade some hours ago. 
> It went straight to some 2.3.1 DEV instead of 2.3 REL as I expected (my 
> mistake). Is there any appropriate way to come back to 2.3 REL other than 
> rebuilding it from scratch?
>

Yes, check here.
https://forum.pfsense.org/index.php?topic=109690.0


Re: [pfSense] vmware tools

2016-04-13 Thread Chris Buechler
On Wed, Apr 13, 2016 at 5:12 AM, Olivier Mascia  wrote:
> Reading this: https://doc.pfsense.org/index.php/Open_VM_Tools_package
> after package installation and reboot,
>
> ps uxawww | grep vmware
>
> gives me this output which differs from the doc.pfsense.org article:
>
> root55265   0.0  0.2  17000  2516  -  S12:04PM  0:00.00 sh -c ps 
> uxawww | grep vmware 2>&1
> root55414   0.0  0.2  18740  2248  -  S12:04PM  0:00.00 grep vmware
> root84296   0.0  0.8 103460  8236  -  S11:37AM  0:00.34 
> /usr/local/bin/vmtoolsd -c /usr/local/share/vmware-tools/tools.conf -p 
> /usr/local/lib/open-vm-tools/plugins/vmsvc
>
> Does /usr/local/bin/vmtoolsd here correspond to /usr/local/sbin/vmware-guestd 
> which the article shows?
> It says "As long as vmware-guestd is shown in the output, it is working."
> Here I have vmtoolsd, not vmware-guestd.
> Merely a matter of older/newer version of this stuff between the article and 
> 2.3.x?
>

Correct, that hadn't been updated for more recent changes in
open-vm-tools. I just updated the page, yours is fine.


Re: [pfSense] 2.3 - webConfigurator Fails

2016-04-13 Thread Chris Buechler
On Wed, Apr 13, 2016 at 5:46 PM, David White  wrote:
> I just upgraded to 2.3, and internet seems to be working fine, but the
> webConfigurator is failing.
>
> pfSense is running on some older x86 hardware. Checking the system.log, I
> see this entry:
>
> php-cgi: rc.bootup: The command '/usr/local/sbin/nginx -c
> /var/etc/nginx-webConfigurator.conf' returned exit code '1', the output was
> 'PANIC: unprotected error in call to Lua API (CPU not supported)'
>

That appears to mean your CPU's lacking CMOV support. You're the first
to run into that. What CPU is it? Must be really ancient to be lacking
CMOV support, something like a Pentium I or AMD K6. Talking CPUs from
the '90s.


> Does this mean that the old hardware I'm running won't support 2.3? Is
> there anyway that I can fix / get around this limitation, or do I simply
> need to roll back and do a clean install of the latest 2.2.x branch?
>
> (At some point, I guess I should just replace this hardware, but I'm trying
> to save money these days...)
>

People throw away much newer hardware than that all the time. :) I'm
sure you can find something better than that for free.


Re: [pfSense] 2.3 show stopper - bind package missing -- don't install if you need bind!

2016-04-13 Thread Chris Buechler
On Wed, Apr 13, 2016 at 5:17 PM, Steve Yates  wrote:
> I should restate/clarify that I was looking at the 
> https://doc.pfsense.org/index.php/2.3_New_Features_and_Changes
> page which mentions the package system changed but doesn't specifically 
> mention the below

Good point, I added that to the list there.


Re: [pfSense] 2.3 show stopper -- in most cases openvpn client specific overrides will fail to send proper iroute/push route

2016-04-13 Thread Chris Buechler
On Wed, Apr 13, 2016 at 6:08 AM, mayak  wrote:
> Hi all,
>
> openvpn will fail on v2.3 if you are using `client specific overrides` where
> `iroute` and `push route` are being used:
>
> if the `tunnel network` is:
> 10.16.52.8/30
>
> and the `advanced section`:
> iroute 172.16.32.0 255.255.255.0;
> push "route 10.0.0.0 255.0.0.0";
> push "route 172.16.0.0 255.240.0.0.0"
>

Sounds like this part of the release notes:

OpenVPN topology change – configuration upgrade code was intended to
set upgraded OpenVPN servers to topology net30, rather than the new
default of topology subnet. This is not working as intended in some
cases, but has been fixed for 2.3.1. In the meantime, editing your
OpenVPN server instance and setting the topology to “net30” there will
accomplish the same thing and fix it.

Re: [pfSense] 2.3 show stopper - bind package missing -- don't install if you need bind!

2016-04-13 Thread Chris Buechler
On Wed, Apr 13, 2016 at 1:48 PM, Steve Yates  wrote:
> The release notes don't mention specific package compatibility

Yes it does.

"Packages

The list of available packages in pfSense 2.3 has been significantly
trimmed.  We have removed packages that have been deprecated upstream,
no longer have an active maintainer, or were never stable. A few have
yet to be converted for Bootstrap and may return if converted. See the
2.3 Removed Packages list for details."


Re: [pfSense] pfSense 2.3 "Secure Connection Failed"

2016-04-12 Thread Chris Buechler
On Tue, Apr 12, 2016 at 4:50 PM, Pete Boyd  wrote:
> What is the change in 2.3.0 that means that Firefox 38 ESR now gives me
> this message when trying to login using the GUI on 2 of 3 systems I have
> upgraded from 2.2.6 so far, via OpenVPN:
>
> "Secure Connection Failed
> The connection to X.X.X.X was interrupted while the page was loading.
> The page you are trying to view cannot be shown because the authenticity
> of the received data could not be verified."
>
> I can get around this with Chrome 49, by choosing Advanced and something
> like 'Login anyway'.
>
> Firefox works fine with one of the systems I've upgraded, the local one.
>

TLSv1.0 was disabled. Firefox 31 and newer all have TLS 1.1 and 1.2
enabled by default, so that shouldn't impact anything. The cipher list
is a bit stronger as well. But it works with everything but old
unsupported IE versions and Windows XP. If it's the same browser and
system that can connect to 1 of 3 but not the other two, there's
something else going on there. Not sure what, haven't heard of that
from anyone else.


Re: [pfSense] Bug? Firewall disable no random connection drop, firewall enable random connection drop

2016-02-12 Thread Chris Buechler
On Wed, Feb 10, 2016 at 3:47 PM, Romain Lapoux
 wrote:
> I don't agree, because how do you explain that everything works correctly when I
> disable only the firewall feature in pfSense?
>

Because stateful firewalls must see both directions of traffic. If
you'd just fix your routing so reply traffic comes back in the same
interface the request left, things would work fine with the firewall
enabled. Given the Linux routing table earlier, you likely need to
check "Bypass firewall rules for traffic on the same interface" under
System>Advanced, Firewall/NAT. That may be enough, depending on
whether routing in other portions of your network is correct to keep
things symmetrical.


On Fri, Feb 12, 2016 at 6:11 PM, Romain Lapoux
 wrote:
> Hi,
>
> I did the same setup with OPNSense 16.1 + Compiled HAProxy 1.6.3 using:
> /sbin/kldload ipfw
...

Good luck with that hot mess.

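The reply above makes the key point: a stateful filter that sees only one direction of a TCP flow will drop packets that a plain router would forward, and "Bypass firewall rules for traffic on the same interface" works around it by not tracking hairpinned traffic at all. Here is an added example (not pfSense or pf code) that models just that part of the behaviour as a toy state table: a state created from a SYN expects to see the SYN/ACK before it accepts further client packets. Addresses, ports, interface name and packet sequences are constructed; pf's real state machine, sequence-number checks and the rule that the bypass option only takes effect when static routes exist are deliberately not modelled.

```javascript
// Added example (not pfSense or pf code): a toy stateful filter that models
// only the behaviour the thread is about. Constructed addresses and packets.

const flowKey = p => `${p.src}:${p.sport}>${p.dst}:${p.dport}`;
const replyKey = p => `${p.dst}:${p.dport}>${p.src}:${p.sport}`;

class ToyStatefulFilter {
  // bypassSameInterface stands in for pfSense's "Bypass firewall rules for
  // traffic on the same interface" (System > Advanced, Firewall/NAT): such
  // traffic is passed without creating or checking state.
  constructor({ enabled = true, bypassSameInterface = false } = {}) {
    this.enabled = enabled;
    this.bypassSameInterface = bypassSameInterface;
    this.states = new Map(); // flowKey -> 'SYN_SENT' | 'ESTABLISHED'
  }

  handle(p) {
    if (!this.enabled) return 'pass';                 // firewall off: plain router
    if (this.bypassSameInterface && p.inIface === p.outIface) return 'pass';

    const fk = flowKey(p), rk = replyKey(p);
    if (this.states.has(rk)) {                        // server -> client direction
      if (p.flags === 'SYN/ACK') this.states.set(rk, 'ESTABLISHED');
      return 'pass';
    }
    if (this.states.has(fk)) {                        // client -> server direction
      if (this.states.get(fk) === 'ESTABLISHED' || p.flags === 'SYN') return 'pass';
      return 'drop';   // handshake reply was never seen: out-of-state packet
    }
    if (p.flags === 'SYN') {                          // new flow: create state
      this.states.set(fk, 'SYN_SENT');
      return 'pass';
    }
    return 'drop';                                    // mid-stream packet without state
  }
}

const runScenario = (filter, packets) => packets.map(p => filter.handle(p));

// Constructed traffic: a client on LAN talks to a server reached through a
// static route on the same LAN interface, so the firewall hairpins the request.
const LAN = 'em1';
const client = '10.0.0.5', server = '10.0.1.8';
const syn    = { src: client, sport: 50000, dst: server, dport: 443, flags: 'SYN',     inIface: LAN, outIface: LAN };
const synack = { src: server, sport: 443, dst: client, dport: 50000, flags: 'SYN/ACK', inIface: LAN, outIface: LAN };
const ack    = { ...syn, flags: 'ACK' };
const data   = { ...syn, flags: 'PSH/ACK' };

const symmetric  = [syn, synack, ack, data];   // firewall sees both directions
const asymmetric = [syn, ack, data];           // reply went straight to the client

function demo() {
  return {
    symmetric:             runScenario(new ToyStatefulFilter(), symmetric),
    asymmetric:            runScenario(new ToyStatefulFilter(), asymmetric),
    asymmetricFirewallOff: runScenario(new ToyStatefulFilter({ enabled: false }), asymmetric),
    asymmetricBypass:      runScenario(new ToyStatefulFilter({ bypassSameInterface: true }), asymmetric),
  };
}

console.log(demo());
```

The asymmetric run shows the reported symptom exactly: the SYN passes, then every later client packet is dropped because the filter never saw the server's half of the handshake, while the same packets pass with the firewall disabled or with same-interface bypass enabled. The durable fix is symmetric routing, so the filter sees both directions and can keep enforcing policy on that traffic.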

Re: [pfSense] Bug? Firewall disable no random connection drop, firewall enable random connection drop

2016-02-10 Thread Chris Buechler
On Sun, Feb 7, 2016 at 12:24 PM, Romain Lapoux
 wrote:
> My last test in conservation optimization, if I upload files with 4 parallel
> connections, it drops each in less than 10 seconds.
> (And doesn't free them on the backend server; they stay ESTABLISHED in netstat.)
>

More than likely because one or more of the hosts involved are dual
homed and you have asymmetric routing.


Re: [pfSense] Suricata sync crashes WebConfigurator, and other issues

2016-01-16 Thread Chris Buechler
On Fri, Jan 15, 2016 at 11:59 PM, Steve Yates  wrote:
> I don't like leaving things not fully stable so I bit the bullet and 
> clicked "Remove Enable/Disable changes in the current Category" so it would 
> at least sync.  To my surprise it did not help, even after doing it on 
> router2 as well.  Then I noticed the CARP sync was also starting to fail.
>
> After thinking about it a bit I restarted router2 and syncing 
> immediately worked again.  That implies something was wrong with the XMLRPC 
> sync that wasn't fixed by restarting webConfigurator and/or PHP-FPM.  Notably 
> there was a config sync fix included in pfSense 2.2.6...
>

That was strictly the upgrade to lighttpd to fix a regression they
introduced in the updated version new in 2.2.5.
http://redmine.lighttpd.net/issues/2670

The fact you're hitting at least one lighttpd crash makes me think
there's some other issue there, though no one else has seen any issues
in 2.2.6, the issue in 2.2.5 wasn't replicable in most cases either.
There's a reason nginx is now the web server in 2.3.

That could be an issue in the Suricata package, given the web server
only crashed once it appears. Since you end up in a situation where
you're stuck until restarting php-fpm, that points to the issue being
in PHP, though an issue in lighttpd could impact PHP.

Not sure offhand whether Suricata is even usable in 2.3, but that
might be worth a shot.

If you want to troubleshoot the sync, maybe the easiest way is to
switch to HTTP temporarily, packet capture the config sync traffic,
follow TCP stream in Wireshark. That's usually telling to at least
narrow it down much more.


Re: [pfSense] 2.2.6-RELEASE Now Available!

2015-12-22 Thread Chris Buechler
On Tue, Dec 22, 2015 at 3:48 AM, Victor Padro <vpa...@gmail.com> wrote:
> Blog's greatest public announcement.
>
> Error establishing a database connection
>

Oops, fixed.


> On Tue, Dec 22, 2015 at 3:04 AM, Chris Buechler <c...@pfsense.com> wrote:
>
>> pfSense® software version 2.2.6 is now available. This release
>> includes a few bug fixes and security updates. You can find all the
>> details in the release announcement on our blog.
>> https://blog.pfsense.org/?p=1971
>>
>> Happy holidays, everyone!
>>
>> Enjoy,
>> Chris
>> ___
>> pfSense mailing list
>> https://lists.pfsense.org/mailman/listinfo/list
>> Support the project with Gold! https://pfsense.org/gold
>
> --
> "Everything that irritates us about others can lead us to an understanding
> of ourselves"
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold

[pfSense] 2.2.6-RELEASE Now Available!

2015-12-22 Thread Chris Buechler
pfSense® software version 2.2.6 is now available. This release
includes a few bug fixes and security updates. You can find all the
details in the release announcement on our blog.
https://blog.pfsense.org/?p=1971

Happy holidays, everyone!

Enjoy,
Chris

Re: [pfSense] CARP / XMLRPC sync problem

2015-12-22 Thread Chris Buechler
On Thu, Dec 17, 2015 at 2:17 AM, Mário Barbosa  wrote:
> Hello everyone,
>
> I'm getting this notice every time I try syncing two pfsense routers.
>
> "An error code was received while attempting XMLRPC sync with username
> admin http://192.168.4.2:80 - Code 6: The requested method didnt return
> an XML_RPC_Response object."
>
>
> More data points:
> * 192.168.4.1 and .2 are the ip addresses of the respective Sync
> interfaces (as per [1])
> * both routers are running the latest release, 2.2.5
> * I have switched back to HTTP on both routers' web UIs (just to
> eliminate any cert validation issues with the default ones).
>

This matches the symptoms of this problem.
https://redmine.pfsense.org/issues/5509

which others have confirmed is fixed in 2.2.6, so that'll probably
work once you upgrade.

Re: [pfSense] HAproxy question

2015-12-12 Thread Chris Buechler
On Fri, Dec 11, 2015 at 9:14 AM, C. R. Oldham  wrote:
> Greetings,
>
> We've recently replaced both our routers with pfSense.  I am using tinc for
> site-to-site VPN and OpenVPN for clients to connect.
>
> Since some of our support engineers often end up onsite with customers, I
> want to enable OpenVPN over TCP port 443--we've noticed that many of our
> customers block outbound UDP, but using the https port works fine.
>
> However, we also have haproxy on our firewall proxying for some web
> applications on port 443. but on a different virtual IP from OpenVPN.  If I
> enable OpenVPN on the TCP port, haproxy stops working, even though they are
> listening on different IPs.
>

One or the other must be bound to *:443 (guessing haproxy since
OpenVPN will only bind to a single IP). You can check that with
'sockstat -4' if you want to pursue that further.

It's probably easiest to just run your OpenVPN on some other port on
localhost, say port 4443. Then add a port forward on WAN to send 443
on the OpenVPN VIP to 127.0.0.1:4443. Then you can also add port
forwards for ports 80, 53, and however many others you want to make
available for additional options.
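The `sockstat -4` check above can be scripted. This is an added example (not code from the thread or from the pfSense project) that parses constructed `sockstat -4 -l` output, finds who holds the wildcard bind on a port, and lists the address-specific binds that collide with it; process names, PIDs and addresses are made up.

```python
# Constructed `sockstat -4 -l` output matching the layout described in the
# thread: haproxy bound to every address on tcp/443, OpenVPN bound to one VIP
# on tcp/443 plus its usual udp/1194. Not captured from a real system.
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     haproxy    2241  5  tcp4   *:443                 *:*
root     openvpn    3120  6  tcp4   203.0.113.10:443      *:*
root     openvpn    3099  5  udp4   203.0.113.11:1194     *:*
root     lighttpd   1512  4  tcp4   *:80                  *:*
root     sshd       1203  3  tcp4   *:22                  *:*
"""


def parse_sockstat(text):
    """Parse sockstat's whitespace-separated columns into one dict per socket."""
    sockets = []
    for line in text.splitlines()[1:]:          # first line is the header
        parts = line.split()
        if len(parts) < 6:
            continue
        user, command, pid, fd, proto, local = parts[:6]
        addr, _, port = local.rpartition(":")   # "*:443" -> ("*", "443")
        if not port.isdigit():                  # e.g. raw sockets shown as "*:*"
            continue
        sockets.append({"command": command, "pid": int(pid), "proto": proto,
                        "addr": addr, "port": int(port)})
    return sockets


def listeners_on(text, port, proto="tcp4"):
    """All sockets on the given proto/port, regardless of bind address."""
    return [s for s in parse_sockstat(text)
            if s["port"] == port and s["proto"] == proto]


def wildcard_conflicts(text, port, proto="tcp4"):
    """Return (wildcard_binders, specific_binders) for one proto/port.

    A socket bound to *:PORT claims the port on every local address, so an
    address-specific bind by another process on the same proto/port is the
    collision the thread describes (haproxy on *:443 versus OpenVPN on a
    single VIP's port 443). A lone listener is not reported."""
    rows = listeners_on(text, port, proto)
    wildcard = sorted({s["command"] for s in rows if s["addr"] == "*"})
    specific = sorted((s["command"], s["addr"]) for s in rows if s["addr"] != "*")
    if len(wildcard) + len(specific) < 2:
        return [], []
    return wildcard, specific


if __name__ == "__main__":
    wild, spec = wildcard_conflicts(SAMPLE_SOCKSTAT, 443)
    for cmd in wild:
        print(f"{cmd} holds *:443 and collides with: {spec}")
```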


Re: [pfSense] Enable bypass for LAN interface IP not working? ver 2.2.5

2015-11-24 Thread Chris Buechler
It's there and it works (from the LAN subnet to the LAN subnet is
skipped). Check the first config entry in /var/etc/ipsec/ipsec.conf.

On Mon, Nov 23, 2015 at 11:08 AM, Nicolas Fabris
 wrote:
> Hi folks! How are you?
>
> Nobody?
>
> Thksss!!!
>
> Lic. Nicolas A. Fabris
> Information Security
> Process and Systems Management
> O.S.P.R.E.R.A.
> OO4312-2500 Ext. 3119
> nicolas.fab...@osprera.org.ar
>
>
> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Nicolas Fabris
> Sent: Thursday, November 19, 2015 12:49 PM
> To: list@lists.pfsense.org
> Subject: [pfSense] Enable bypass for LAN interface IP not working? ver 2.2.5
>
> Hi folks! How are you today?
>
> Having problems after upgrading to 2.2.5 with the Enable bypass for LAN interface
> IP option (VPN, IPsec, Advanced).
>
> When the IPsec tunnel is established I lose ping to the LAN IP of pfSense.
> When the tunnel is not established, ping automatically comes back.
>
> Can somebody give me a hand?
>
> Thks!
>
>
> Lic. Nicolas A. Fabris
> Information Security
> Process and Systems Management
> O.S.P.R.E.R.A.
> * 4312-2500 Ext. 3119
> nicolas.fab...@osprera.org.ar
>

Re: [pfSense] Latency issues with 2.2.25 Release

2015-11-12 Thread Chris Buechler
On Wed, Nov 11, 2015 at 9:47 AM, Wade Blackwell  wrote:
> Good morning list,
>I recently upgraded to *2.2.5-RELEASE * (amd64) on a VMware stack
> and noticed that my Wan latency shot up by about 100ms rtt. Nothing else on
> the box had changed. I reverted to a pre-upgrade snapshot and the latency
> went back down to 10-12 ms rtt. Anyone seen anything like this with the
> update to 2.2.5?
>

Not that I've seen or heard of. Latency as measured by what?


Re: [pfSense] Please support, pdo and mysqli extensions of php on pfsense new release

2015-10-29 Thread Chris Buechler
On Wed, Oct 28, 2015 at 6:35 PM, Ceylan BOZOĞULLARINDAN
 wrote:
> Hello,
>
> I have been working for three days on adding the pdo_mysql and mysqli extensions
> to PHP on pfSense 2.2.4, but I didn't succeed. I need to connect to the database
> using mysqli or pdo instead of mysql. Let me explain what I have tried:
>
> When you run the "pkg search mysqli" command, you see this result:
>
> php5-mysqli-5.4.45   The mysqli shared extension for php
> php55-mysqli-5.5.30  The mysqli shared extension for php
> php56-mysqli-5.6.14  The mysqli shared extension for php
>
> After that, if you attempt to install one of these packages, you will
> encounter some requirements:
>
>
> New packages to be INSTALLED:
> php5-mysqli: 5.4.45
> php5: 5.4.45
>
> But if I install these requirements, I see an error like this:
>
>
> Warning: Illegal string offset 'alias' in /etc/inc/util.inc on line 1401
>
>
> The problem is clear; how can I install or enable the pdo_mysql or mysqli
> extensions of PHP on pfSense 2.2.4 or others (it doesn't matter)?

You can't pkg install anything PHP-related.
https://doc.pfsense.org/index.php/How_do_I_get_PHP_support_for_mysql,_sqlite,_sockets,_etc

Re: [pfSense] Backup/Restore to another router

2015-10-26 Thread Chris Buechler
On Mon, Oct 26, 2015 at 12:26 PM, Edward Holcroft  wrote:
> Hello list
>
> I am setting up my second pfSense box, with a view to eventually replacing
> 20 Peplink Balance routers on my network.
>
> The first one works great and I have IPSec tunnels working between it and
> all the Peplink sites. Now since I am lazy, I was hoping to be able to
> back up the IPSec tunnels on the first one and simply restore them on the
> second and subsequent routers, to save myself some effort. Naturally I
> edited the content of the xml file to match the new router. However, I have
> now noticed that there is an entry for each tunnel called <uniqid> which
> is, well, unique.
>
> Does this mean I have to create each and every tunnel manually? Or can I
> use the existing backup with that same uniqid on a different router?

That's an identifier that only has to be unique to the system it's
running on, so you can use the same ones on different systems. Just
make sure not to duplicate them on the same system.


> Or is
> there some way to generate uniqid's if that's what it requires?
>

It's just the output of PHP's uniqid() if you want to generate them.


Re: [pfSense] Has anybody experiance with installing on Openstack?

2015-10-23 Thread Chris Buechler
On Thu, Oct 22, 2015 at 4:19 PM, WebDawg  wrote:
> On Wed, Oct 21, 2015 at 9:52 PM, Frank Lowe 
> wrote:
>
>> I am trying to do this now. I have pfSense working in Proxmox. I now have
>> an OpenStack cloud controller running compute and neutron (single host). I am
>> now trying to figure out how to
>> have pfSense on the tenant network with an external (OpenStack floating
>> network); this would be the inside interface. All of this is easy, just need
>> to figure out how to link in the WAN interface. Needs to be direct to the
>> Internet.
>>
> I was going to virtualize my instance but there was all this nonsense about
> limiters not working with the Xen network cards.

Limiters have no NIC restrictions. ALTQ/traffic shaper isn't supported
with xn. Every other hypervisor's NIC types support ALTQ.


Re: [pfSense] Problem with a second pfSense in LAN

2015-10-13 Thread Chris Buechler
On Thu, Oct 8, 2015 at 7:31 AM, Lorenzo Milesi  wrote:
> Hi.
> My office pfSense has happily worked with an IPv6 tunnel for months.
> Right now I'm preparing a new server in my lab, and it's running pfSense
> 2.2.4.
> I don't have IPv6 enabled on this new box, nor DHCP of any kind
> (relay/server); nevertheless, when it's running, my client's DHCPv6 goes
> crazy and keeps looping, even if it receives a lease.

That's the behavior of dhcp6c if you configure it to obtain a prefix
delegation, and the DHCP6 server doesn't offer one. Set the PD size to
"none" if you're not handing out PDs.


Re: [pfSense] Unbound DHCP leases refresh

2015-09-17 Thread Chris Buechler
On Thu, Sep 17, 2015 at 6:58 AM, Tom Fanning  wrote:
> Quick question regarding the unbound resolver.
>
> I can't find it documented anywhere how often unbound refreshes the DHCP
> leases table.
>

Instantaneously, normally. There is this situation, though, where it's
not instantaneous: you can have an hour or so delay before it picks up
new names.
https://redmine.pfsense.org/issues/4931

Can restart dhcpleases manually as a workaround in the mean time.


Re: [pfSense] domain override: multiple IPs?

2015-09-14 Thread Chris Buechler
On Mon, Sep 14, 2015 at 5:41 PM, Erik Anderson  wrote:
> Hello all -
>
> We're running 2.2.4.
>
> We have a domain override in our DNS Forwarder for our Active
> Directory domain. Is there any way to provide multiple IP addresses
> for this override? For obvious reasons, I'd like to provide both of
> our domain controller IPs.
>

Add the same domain multiple times.


Re: [pfSense] Why no dnssec in dnsmasq by default?

2015-08-24 Thread Chris Buechler
On Sun, Aug 23, 2015 at 9:28 AM, Adrian Zaugg a...@ente.limmat.ch wrote:

> Adding the three lines
>
> dnssec
> dnssec-check-unsigned
>
> trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
>
> to dnsmasq in pfSense makes dnsmasq DNSSEC aware. Is there a reason why
> there is no tickable box to enable this in the GUI or why it is not
> enabled by default?


Because that was only recently added to dnsmasq, and by the time it
was, we'd switched to Unbound as the default resolver. You can add it
in the advanced options.


Re: [pfSense] GUI performance on an ALIX 2d3

2015-08-13 Thread Chris Buechler
On Thu, Aug 13, 2015 at 4:50 PM, Rainer Duffner rai...@ultra-secure.de wrote:

> Mine is a 2D1 (apparently) and has only 128 MB RAM - which apparently is too
> little these days.
> Since 2.2.4, I get a warning in the GUI - but because I do nothing fancy with
> it, I don’t see any slowdowns.
> Memory-usage and all other parameters seem to be OK, according to the
> dashboard.


It's technically been too little for a number of years, but will work
in limited circumstances. 2.2x is actually a bit better there than
2.1.x and previous because php-fpm is slightly less RAM hungry.


> I just checked - I ordered it at the end of September 2008.
> It’s going to be seven years old in a couple of weeks.
> That’s quite impressive - do you still get firmware-updates for seven year
> old commercial DSL-routers?


Nope. Often not even when backdoors or other serious security issues
are disclosed and they're not nearly that old.

Re: [pfSense] Got an alert after updating to 2.2.4

2015-07-31 Thread Chris Buechler
On Thu, Jul 30, 2015 at 5:34 PM, Rainer Duffner rai...@ultra-secure.de wrote:
> php: rc.bootup: New alert found: pfSense requires at least 128 MB of RAM.
> Expect unusual performance. This platform is not supported.
>
> I have an Alix board:
>
>
> CPU: Geode(TM) Integrated Processor by AMD PCS (431.65-MHz 586-class CPU)
>   Origin = AuthenticAMD  Id = 0x5a2  Family = 0x5  Model = 0xa  Stepping = 2
>   Features=0x88a93d<FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CLFLUSH,MMX>
>   AMD Features=0xc040<MMX+,3DNow!+,3DNow!>
> real memory  = 134217728 (128 MB)
> avail memory = 94752768 (90 MB)
>
> So, is the Alix deprecated?


The 128 MB ones, yes. Have been for a long time. We've stated 256 MB
as the minimum supported since one of the 1.2.x releases, at least 6-7
years ago.

Sure it wasn't showing the same before? Maybe some change in FreeBSD
10.1 made the avail memory less than it was previously. It warns at
less than 101 MB avail (which was generally enough to not warn on
systems with 128 MB real).

If you're running nothing beyond the defaults on a small network, 128
MB might be OK. But forget about running any type of VPN, or much of
anything outside of defaults.


Re: [pfSense] weakness reported by scanner in pfsense

2015-07-30 Thread Chris Buechler
On Thu, Jul 30, 2015 at 12:54 PM, Ted Byers r.ted.by...@gmail.com wrote:
> How do we deal with this:
>
> TCP/IP Initial Sequence Number (ISN) Reuse Weakness


Ask your scanner vendor. That check blindly trusts OS identification
in a case where it's just making a guess at the OS (of OpenBSD 4.0 as
the closest match, but not that close of a match).

It's a false positive.
https://forum.pfsense.org/index.php?topic=88601.0


Re: [pfSense] Connect pfSense as client to a Hotel WLAN?

2015-07-30 Thread Chris Buechler
On Wed, Jul 29, 2015 at 7:59 PM, Ray r...@renegade.zapto.org wrote:
> Hi,
>
> I run pfSense on a few ALIX boxes, usually as tunnel end and as access
> point. When I can plug one of these machines into any (wired) network, I
> have easy access to my home network through the private WLAN the ALIX
> provides.
>
> This works beautifully.
>
> I travel a lot and today hotels only provide WLAN access. Ethernet ports in
> hotel rooms are relics of the past.
>
> I solved this problem by using a Mac to connect to the hotel WLAN and then
> select Share my Internet (WLAN) connection to Ethernet in the Sharing
> control panel. When I then connect the ALIX WAN interface to my Mac using a
> cable, things again work nicely, but I effectively block a Mac as router
> that I would rather carry around.
>
> My thought was to throw a second ALIX box at the problem and make that one
> connect as client to the hotel's WLAN, then plug the two ALIXes together
> with a short cable.
>
> I did try this, hacking the hotel's WLAN details into the WLAN interface
> configuration of the second ALIX (configured to use Infrastructure mode,
> of course), but the WLAN interface always stays down, no matter what I try.
>
> My hope was that the hotel's captive portal mechanism could be fooled to
> give access to my client ALIX from any client computer connected to the AP
> provided by ALIX number 1, but as the client ALIX's WLAN is always down, I
> didn't even make it to this point.
>
>
> Did anyone here successfully do this (and share some insights)?


Definitely doable. I've done it in about every combination imaginable.
ALIX or similar hardware with a wifi card, a pfSense VM on a laptop
with a LTE card via USB passthrough, same for wifi USB. Ethernet
bridged to a VM on a laptop. Some ugly combinations of those where
multiple layers of NAT were necessary before the traffic left my
equipment, but was fine as a temporary hack.

For connecting to captive portal networks, everything behind it will
look like one device as far as their network is concerned, as you're
NATing everything to the same source IP and MAC.

How do you have the wireless interface configured for standard and
channel? What wireless card are you using?


Re: [pfSense] DHCP Relay attaching to wrong interface

2015-07-30 Thread Chris Buechler
On Sat, Jul 25, 2015 at 8:06 AM, Juan Bernhard j...@inti.gob.ar wrote:
> Hi list, first I want to congratulate all pfSense developers for this
> magnificent piece of software.
>
> I think I found a simple bug:
> I'm configuring a pfSense on a single server to replace a Cisco 2821 and an
> ASA 5520, and at the moment almost everything is working great.
> But... I'm having trouble with the DHCP relay. I have 2 real interface
> configurations, one on the internet side and the other on the inside, with 8
> VLANs in there. I configured DHCP relay to listen on some VLAN interfaces, but
> it also attaches to the LAN interface (the one without VLAN tag), giving 2
> DHCP servers responding on the same collision domain.


At some point ages ago, if you didn't specify the interface where the
target server resides in the list, it wouldn't work. Has nothing to do
with it being a VLAN parent, that's just where your target DHCP server
resides or is reachable. That no longer appears to be necessary. It
won't relay requests out the same interface they came in on, so it
should have no functional difference. Regardless, shouldn't be
specified now.

Ticket, and commit that removes it.
https://redmine.pfsense.org/issues/4908
https://github.com/pfsense/pfsense/commit/97613114b5b74c334609d7fcd79c94741b111793

If you could help verify, please replace your /etc/inc/services.inc
file with this:
https://raw.githubusercontent.com/pfsense/pfsense/RELENG_2_2/etc/inc/services.inc

Then just click Save under Services > DHCP Relay.

I have tested it in VLAN and non-VLAN circumstances, and it works.
Additional confirmation appreciated.


Re: [pfSense] Problem with load vpn status

2015-07-30 Thread Chris Buechler
On Wed, Jul 29, 2015 at 2:18 PM, Edward Josette Ortega Salas
edward.jose...@gmail.com wrote:
> Hi!
>
> Yes, it was quick:
>
> - For setkey -D it took:  0.253u 0.276s 0:31.37 1.6% 93+178k 0+0io 0pf+0w
> - And for setkey -DP:  0.017u 0.008s 0:00.02 50.0% 204+408k 0+0io 0pf+0w
>
>
> And... we are talking about 157 VPNs, so what can we do about this delay? Do
> you need another parse code or additional information to solve this?


That's not the part that it's parsing on that page, it's an XML
version of 'ipsec statusall'. Try applying this patch:
https://files.pfsense.org/jimp/patches/ss-keep-smp_status.diff

and then load the page, and grab the file /tmp/smp_status.xml. Can
email that to me offlist.


Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?

2015-07-24 Thread Chris Buechler
On Fri, Jul 24, 2015 at 3:51 PM, Ted Byers r.ted.by...@gmail.com wrote:
> I have checked our installation of our website (a classic protected LAN
> with a DMZ formed by two pfSense machines serving as our inner and outer
> firewall, and one machine in the DMZ and the rest behind the inner
> firewall) using a PCI scanner.
>
> The PCI scan identified two vulnerabilities WRT our pfSense machines.
>
> First, the scanner complains that TLS1 is supported and we need to restrict
> it to TLS1.2.  We modified the configuration of lighttpd to use TLS1.2, but
> that did not make the complaint go away, so is there anything else that
> uses TLS that we need to reconfigure to use only TLS1.2?

That's one where maybe you can disregard compatibility concerns and
only allow TLS 1.2. We're a bit more conservative for compatibility
reasons where there isn't a significant security risk (though TLSv1
probably will get disabled in 2.3-REL). Update the code in
/etc/inc/system.inc to generate the lighttpd config as you desire (and
captiveportal.inc if you're using CP).

> Second, it appears that ssh-server on pfSense is version 6.6 and it would
> be good if we can upgrade that to 6.9 or better (well, if there is better -
> the scan only complains about the version if earlier than 6.9)


In that case your scanner is stupid, and you can't fix stupid
applies. We use the SSH version used in the base FreeBSD version,
which is 6.6 for 10.1. That's perfectly fine. You can't reasonably
upgrade it, and there is no point at all in trying.

Re: upgrading, which you should do as there are legit security reasons
your scanner is blind to (though best to wait a few hours and you can
go to 2.2.4), details here:
https://doc.pfsense.org/index.php/Upgrade_Guide


Re: [pfSense] 2.1.4-RELEASE to 2.2.3 problems

2015-07-21 Thread Chris Buechler
On Tue, Jul 21, 2015 at 2:39 PM, Zach Underwood zunder1...@gmail.com wrote:
> Last night/this morning we upgraded pfSense from 2.1.4 to 2.2.3
>
> We are having problems with ssh and siproxd. We are unable to ssh to the
> box and ssh on the service tab will not start.


Is this nanobsd or a full install?

Try to run /usr/sbin/sshd from a command prompt, what output do you get?


> Here is the crash report
> Crash report begins.  Anonymous machine information:
>
> i386
> 10.1-RELEASE-p13
> FreeBSD 10.1-RELEASE-p13 #0 c77d1b2(releng/10.1)-dirty: Tue Jun 23 17:02:27
> CDT 2015 root@pfs22-i386-builder
> :/usr/obj.i386/usr/pfSensesrc/src/sys/pfSense_SMP.10
>
> Crash report details:
>
> PHP Errors:
> [21-Jul-2015 02:12:45 America/New_York] PHP Fatal error:  Call to undefined
> function is_service_running() in /usr/local/pkg/siproxd.inc on line 67

That's a different line number from the current package. Guessing that
was maybe from an older package version that was there before package
reinstall. Is it still occurring, or was that just during the
post-upgrade reboot?


Re: [pfSense] Any update on 2.2.4?

2015-07-17 Thread Chris Buechler
On Thu, Jul 16, 2015 at 4:22 PM, Ryan Coleman ryan.cole...@cwis.biz wrote:
> For those of us with IPsec needs: is there an update on the release of 2.2.4?
> I’m avoiding upgrading my secondary firewall because I cannot afford to lose
> some basic VPN functionality.


Right now we're working through some of the last IPsec test scenarios
to verify functionality. A few other things still target 2.2.4, most
of which are either fixed and awaiting testing completion, or can be
pushed out. Looking to release by end of month.

If you're in an affected IPsec circumstance, I'd run a 2.2.4 snapshot
at this point. Or just replace /etc/inc/vpn.inc with the latest.
https://github.com/pfsense/pfsense/blob/RELENG_2_2/etc/inc/vpn.inc

Then hit Save under VPN > IPsec and it'll be applied. Might want to
stop/start IPsec service (not restart) after doing so to make sure
changes are applied and everything previous is definitely gone.


> —
> Ryan

Re: [pfSense] Issue with Layer 7

2015-07-14 Thread Chris Buechler
On Tue, Jul 14, 2015 at 5:20 AM, Joy pj.netfil...@gmail.com wrote:
> Hi,
> I am using the latest version of pfSense, 2.2.3, after upgrading from 2.1.5.
> In 2.1.5 my layer 7 filtering was working perfectly, while enabling the
> same in 2.2.3 does not allow traffic to go outside. Please let me know what
> could be the solution for the same.


It has issues on 2.2.x versions.
https://redmine.pfsense.org/issues/4276


Re: [pfSense] Cannot Spoof MAC

2015-07-11 Thread Chris Buechler
On Sat, Jul 11, 2015 at 10:13 AM, Doug Lytle supp...@drdos.info wrote:
> Everyone,
>
> I talked a small automotive shop into replacing their aging pfSense computer
> with a GA-J1900N-D3V.  They purchased an all-in-one unit from mini-box.com
>
> http://www.mini-box.com/SYS-M350-Gigabyte-J1900N-D3V-picoPSU-90-60W
> http://www.gigabyte.com/products/product-page.aspx?pid=4918#ov
>
> I got it loaded up, restored their 2.2.3 config from the old system and took
> it over after work the following day.  I ended up spending over an hour
> trying to get that little system to pick up a DHCP address from their Comcast
> router.
>
> I finally gave up and put the old system back in.
>
> Working on it today, I've tracked it down to pfSense not being able to spoof
> their MAC address.  When trying to spoof any address, I get the below (ISC
> DHCP logs)


Is it link cycling on that NIC? What type of NIC is it? There are
certain NICs that get weird and start link cycling with MAC spoofing
(possibly plus DHCP client). If that's the case it's not that it's not
accepting the lease, it is, but then loses link and regains it, which
triggers another DHCP request as part of the linkup process, which
cycles link again, rinse and repeat.


Re: [pfSense] Upgrade 2.2.2-2.2.3 and OpenVPN Client Export Utility

2015-07-06 Thread Chris Buechler
On Fri, Jul 3, 2015 at 3:16 AM, Микаел Бак mikael@yandex.ru wrote:
> Hi list,
>
> I run pfSense nanobsd (1g) on an old PC Engines ALIX board with 256MB RAM.
>
> After upgrading to v2.2.3 my only installed package, OpenVPN Client Export
> Utility, and its dependencies disappeared.
>
> I tried to reinstall it, but no success.
>
> From the syslog:
> kernel: tar: Error opening archive: Failed to open
> '/usr/local/pkg/openvpn-client-export-2.3.6.tgz'
> php: rc.bootup: Successfully installed package: OpenVPN Client Export
> Utility.
> php: rc.bootup: Finished installing package OpenVPN Client Export Utility
> [snip]
> php: rc.bootup: Finished reinstalling all packages.
> php-fpm[83412]: /pkg_mgr_install.php: Beginning package installation for
> OpenVPN Client Export Utility .
> [snip]
> php-fpm[83412]: /pkg_mgr_install.php: Failed to install package: OpenVPN
> Client Export Utility.


What's logged in the snipped part?

Re: [pfSense] Loading pfSense on Netgate 1U rack mount server c2758

2015-07-02 Thread Chris Buechler
On Thu, Jul 2, 2015 at 1:31 PM, Paul Upson pmup...@thewestmoreland.org wrote:
> I recently purchased this device and am now trying to load pfSense onto it
> using a USB stick. Each time the load fails with the following error:
> Mounting from cd9660:/dev/iso9660/PFSENSE fails with error 19. I found a
> post that said to add the command set kern.cam.boot_delay=1 but it
> doesn't change the result. I need a resolution soon.


Don't think we've ever tried using a CD to load those. It should work,
but maybe something with the media or drive it's not happy with. The
memstick is your best bet, write that out to a USB flash drive, boot
from it and do the install.


Re: [pfSense] Internal Clock Broke

2015-06-29 Thread Chris Buechler
On Sat, Jun 27, 2015 at 7:27 PM, Ryan Clough ryan.clo...@dsic.com wrote:
> Check your Timezone on the System::General Settings page. After I upgraded
> it had been reset to Africa/Abidjan.

2.2.3 got updated tz data. That's what would happen if you were using
a timezone that's no longer included in the tz data. The system would
likely be on GMT in that circumstance. When browsing to that page,
it'd just show you the first in the list as there wouldn't be a
matching one to get selected. Do you know what zone you were on
previously?


Re: [pfSense] Dashboard Source

2015-06-11 Thread Chris Buechler
On Thu, Jun 11, 2015 at 12:10 PM, Mehma Sarja mehmasa...@gmail.com wrote:
> Hi all,
>
> If available open source, can someone point me to the source directory for
> the pfs dashboard?


For 2.2.x:
https://github.com/pfsense/pfsense/tree/RELENG_2_2/usr/local/www


Re: [pfSense] IPv6 Router Advertisement DNS

2015-06-04 Thread Chris Buechler
On Wed, Jun 3, 2015 at 4:19 AM, İhsan Doğan ih...@dogan.ch wrote:
> Hi,
>
> I'm running IPv6 on my LAN interface and I'm experiencing some
> weird IPv6 Router Advertisement issues. When I look at the Router
> Advertisement Daemon configuration, only the prefix and the DNS
> domain should be sent:
>
> # Automatically Generated, do not edit
> # Generated config for dhcp6 delegation from wan on lan
> interface em0 {
>         AdvSendAdvert on;
>         MinRtrAdvInterval 3;
>         MaxRtrAdvInterval 10;
>         AdvLinkMTU 1500;
>         AdvOtherConfigFlag on;
>         prefix 2a02:168:9800::/64 {
>                 AdvOnLink on;
>                 AdvAutonomous on;
>                 AdvRouterAddr on;
>         };
>         DNSSL lan.dogan.ch { }


It's not setting RDNSS, so it's not from radvd. You have DHCPv6
enabled, are you assigning DNS via it?

Re: [pfSense] Remote syslog logging keeps stopping

2015-05-11 Thread Chris Buechler
On Mon, May 4, 2015 at 1:25 AM, Volker Kuhlmann
list0...@paradise.net.nz wrote:
> I noticed that after a re-install of 2.2.2 (with sections of config file
> from 2.1.5 and several reboots) syslog to remote was not sending any
> data.
>
> The settings at
> https://fw.site/diag_logs_settings.php
> were all correct (Remote Syslog Servers, IP address) and just saving the
> page sends syslog data from pfsense to a remote host.
>
> Now there is no syslog data again. Saving the above page as is makes it
> flow out again.
>
> I conclude that under some condition(s) pfsense stops sending syslog
> data to a remote host. What might those conditions be, and where do I
> start looking?
>
> The last line logged is
>   ...T02:57:57.142885+12:00 xx syslogd: sendto: Operation not permitted

Does local logging stop as well in this circumstance? The operation
not permitted from syslog is often because of something blocking the
traffic, like Snort with block offenders is a common one. But that
should only stop remote logging. And a kick of syslogd shouldn't be
enough to change that.


Re: [pfSense] 1 of 8 phase2 tunnel will not come up

2015-04-29 Thread Chris Buechler
On Wed, Apr 29, 2015 at 1:22 PM, Christoph Hanle
christoph.ha...@leinpfad.de wrote:
> On 28/04/15 22:34, Christoph Hanle wrote:
>> Hi,
>> we are getting crazy with one tunnel
>> our system pfSense 2.2 failover cluster
>> other side a bigger Juniper.
>> VPN with 6 tunnels was up.
>> the 7th tunnel (10.2.2.55) fails.
>> the afterwards created 8th tunnel is OK again.
>
> Problem is gone, don't ask why.

My guess is this:
https://redmine.pfsense.org/issues/4665

It might not be, but the symptom seems like it could match.

If you see a similar symptom, check the output of ipsec statusall
for the reqid values. They should be unique for each P2. If any of
them are duplicated, that's #4665.
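The reqid check described above, as an added example that is not code from the thread or from the pfSense project: it parses constructed `ipsec statusall` output and reports any reqid shared by two different P2s. The connection names, addresses and SPIs are made up; only the CHILD_SA line format (`conn{n}:  INSTALLED, TUNNEL, reqid N, ...`) follows strongSwan's.

```python
import re
from collections import defaultdict

# Constructed sample of `ipsec statusall` output (not captured from a real
# pfSense box). con1000 has a rekeyed CHILD_SA pair sharing reqid 1 (normal);
# con1001 and con1002 are distinct P2s that both carry reqid 2 (the symptom).
SAMPLE_STATUSALL = """\
Security Associations (3 up, 0 connecting):
     con1000[4]: ESTABLISHED 25 minutes ago, 203.0.113.10[203.0.113.10]...198.51.100.20[198.51.100.20]
     con1000{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c1a2b3c4_i d5e6f7a8_o
     con1000{1}:   10.2.1.0/24 === 10.9.0.0/24
     con1000{5}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: 0badcafe_i 1badf00d_o
     con1000{5}:   10.2.1.0/24 === 10.9.0.0/24
     con1001{2}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: 11223344_i 55667788_o
     con1001{2}:   10.2.2.0/24 === 10.9.0.0/24
     con1002{3}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: aabbccdd_i eeff0011_o
     con1002{3}:   10.2.2.55/32 === 10.9.0.0/24
"""

# One CHILD_SA status line: "<conn>{<child>}:  <STATE>, <MODE>, reqid <N>, ..."
# The IKE_SA line uses [..] and the traffic-selector line has no state word,
# so neither matches.
CHILD_SA_RE = re.compile(
    r"^\s*(?P<conn>[^\s{]+)\{(?P<child>\d+)\}:\s+(?P<state>[A-Z_]+),\s*"
    r"(?P<mode>[A-Z_]+),\s*reqid\s+(?P<reqid>\d+)"
)


def parse_child_sas(statusall_text):
    """Return one dict per CHILD_SA (P2) line: conn, child id, state, reqid."""
    sas = []
    for line in statusall_text.splitlines():
        m = CHILD_SA_RE.match(line)
        if m:
            sas.append({
                "conn": m.group("conn"),
                "child": int(m.group("child")),
                "state": m.group("state"),
                "reqid": int(m.group("reqid")),
            })
    return sas


def find_duplicate_reqids(statusall_text):
    """Map each reqid used by two or more *different* connections to the
    sorted list of connection names sharing it.

    Two CHILD_SAs of the same connection with one reqid (con1000{1} and
    con1000{5} above) are not a fault: strongSwan keeps the reqid across a
    rekey, so old and new briefly coexist. Only distinct P2s on one reqid
    match the #4665 symptom."""
    conns_by_reqid = defaultdict(set)
    for sa in parse_child_sas(statusall_text):
        conns_by_reqid[sa["reqid"]].add(sa["conn"])
    return {reqid: sorted(conns)
            for reqid, conns in conns_by_reqid.items() if len(conns) > 1}


if __name__ == "__main__":
    dups = find_duplicate_reqids(SAMPLE_STATUSALL)
    if not dups:
        print("all reqids unique per P2")
    for reqid, conns in sorted(dups.items()):
        print(f"reqid {reqid} shared by {', '.join(conns)}")
```

On a live box the same function can be fed `subprocess.check_output(["ipsec", "statusall"], text=True)`.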


Re: [pfSense] pf(4) relative performance: opinions?

2015-04-12 Thread Chris Buechler
On Sat, Apr 11, 2015 at 10:14 PM, Jim Thompson j...@netgate.com wrote:

> George Neville-Neil and I presented a paper at AsiaBSDcon last month.  Slides
> and paper are attached.

Attachments exceeded the list's size limit and somehow got dropped in
approving the post, they're available here:
https://files.pfsense.org/papers/netperf.pdf
https://files.pfsense.org/papers/netperf-talk.pdf


Re: [pfSense] testing email

2015-04-08 Thread Chris Buechler
This should be fixed. mailer-daemon@ ended up as a list member in
mailman, AFAICT from day one of this list, but in the past few days
ended up being spoofed to send a couple viruses to the list. Those
messages bounced for a number of people, and mailman can't
differentiate between what type of bounce it is.

The bounce counter was reset for everyone, so you can disregard any
messages you received along those lines.

Mailman was set up to block a number of risky file attachment types
(exe, scr, etc.), but I hadn't noticed the functionality that actually
applies that extension block list wasn't enabled. It is now.

Sorry for the noise, should be all good now.



On Wed, Apr 8, 2015 at 12:42 PM, Jeremy Porter
jpor...@electricsheepfencing.com wrote:
> We are having some problem with apparent bounces, this is a test.  No
> need to reply.
> I'll announce when everything is back to normal.
>
> Thanks
> Jeremy Porter



Re: [pfSense] Odd problem with the Bing website

2015-04-02 Thread Chris Buechler
On Thu, Apr 2, 2015 at 8:05 PM, Peder Rovelstad provels...@comcast.net wrote:
 Looks like this is probably Snort associated.  Same symptom on another site
 just now traffic from Akamai.  I'll figure it out.  Thanks for reading.


That would add up. Where nothing replies to traceroute like you were
showing, either it's getting completely blocked by the firewall, or
your client never sends the traffic.


Re: [pfSense] GRE between 2 pfsense boxes

2015-03-30 Thread Chris Buechler
On Mon, Mar 30, 2015 at 6:40 AM, Adam Thompson athom...@athompso.net wrote:
 OpenVPN is good at getting unicast IP traffic from A to B, but it's difficult 
 to, say, run OSPF over it.

There are reasons, but that's not one of them. Lots of people run OSPF
over OpenVPN.


Re: [pfSense] 2.2.1 Site-to-Site IPsec VPN Connection Instability

2015-03-26 Thread Chris Buechler
On Mon, Mar 23, 2015 at 9:34 AM, Christopher CUSE cc...@ccuse.com wrote:

 On 03/23/2015 03:03 PM, mayak wrote:

 On 03/22/2015 12:38 AM, Bryan D. wrote:

 We've had a pfSense-to-pfSense always on IPsec VPN connecting 2 offices
 since 2008 (pfSense 1.2 IIRC) and it's:
 - been ultra reliable (if VPN is down, suspect ISP issue or pfSense box
 failure)
 - it's been quick to connect (about 1 second, almost unnoticeable)
 - it's worked across numerous upgrades without issue (nice!)

 Beginning with pfSense v2, we added multiple P2s at each end (still same
 reliability, etc.).

 One of the offices has had its hardware updated and its pfSense updated
 to 2.2 then 2.2.1 (after testing to see whether we seemed to be affected by
 the multiple P2 issue noted in the upgrade page -- we're OK on that one).
 This connection has continued to work with the same characteristics as
 before.  The 2.2.1 system is 64-bit and the other end is v2.1.5 32-bit

 We recently added a second site-to-site IPsec VPN, essentially the same
 as the existing one except both sides are pfSense v2.2.1 (but other end is
 32-bit) and stronger algorithms are being used and P1 is set to v2
 (supposedly avoiding any multiple P2 issues).

 snip

 i have to say that i am also experiencing this. i'm in the process of
 installing smokeping to prove connectivity is good between the public ip
 endpoints between various vpns.

 will report back with those results.

 thanks

 m


 just got dropped again -- fourth time in last few hours -- something is
 definitely wrong.

 upgraded all my pfsenses to 2.2.1 over the weekend.


Go to System > Advanced, System Tunables, and add a new tunable there.
Name net.key.preferred_oldsa, value 0, then save and apply changes.
That have any impact on things?


Re: [pfSense] 2.2.1 serial console menu different on some boxes

2015-03-24 Thread Chris Buechler
On Tue, Mar 24, 2015 at 8:27 AM, Vick Khera vi...@khera.org wrote:

 On two of my firewalls upgraded to 2.2.1, I see three options in
 Advanced > Admin Access menu serial communications menu:

 Serial Terminal: [checkbox] Enables the first serial port with 115200/8/N/1 by
 default, or another speed selectable below. Note: This will redirect the
 console output and messages to the serial port. You can still access the
 console menu from the internal video card/keyboard. A null modem serial
 cable or adapter is required to use the serial console.
 Serial Speed: 115200 / 57600 / 38400 / 19200 / 14400 / 9600 bps
 Allows selection of different speeds for the serial console port.
 Primary Console: Serial Console / VGA Console
 Select the preferred console if multiple consoles are present. The
 preferred console will show pfSense boot script output. All consoles
 display OS boot messages, console messages, and the console menu.

 but on others I see:

 Serial Speed: 115200 / 57600 / 38400 / 19200 / 14400 / 9600 bps
 Allows selection of different speeds for the serial console port.
 Primary Console: Serial Console / VGA Console
 Select the preferred console if multiple consoles are present. The
 preferred console will show pfSense boot script output. All consoles
 display OS boot messages, console messages, and the console menu.


 The latter is running the netgate firmware, being a netgate box.  This box
 configuration for /etc/ttys and loader.conf does seem to be as if the
 checkbox is turned on.

 Is this intentional?


Yes. The systems we ship pre-installed which run from a serial console have
$g['enableserial_force'] = true, which makes that checkbox not appear so
you can't disable the serial console on systems that only have a serial
console.

Re: [pfSense] ipsec and multi-wan

2015-03-23 Thread Chris Buechler
On Thu, Mar 19, 2015 at 12:48 PM, Gregory K Shenaut
gkshen...@ucdavis.edu wrote:
 Hi, I have a system with two sites. One of the sites has two WAN connections, 
 the other one. I have an IPSEC tunnel passing all traffic between the two 
 sites. I'm having some difficulty with site-to-site access. I can ping 
 anything in either site from either site, but can't do much of anything else. 
 For example, I can't open web pages across the tunnel: sometime I get 
 nothing, sometimes a hundred or so characters then nothing else. When I try 
 to transfer lots of data across the tunnel, typically I get some initial 
 data, again a hundred or so characters, then it hangs, and, frequently, the 
 tunnel itself goes down and I have to wait for it to re-establish itself.


Almost certainly needing MSS clamping. Advanced settings tab, check
that box there. Then start new connections (may want to kill states
just to make really sure), and things will probably work.


 I've tried all sorts of things, and I believe that there may be a problem in 
 routing due to the dual-WAN setup on one of the sites. I'm not entirely 
 certain, but it's possible the problem began when I set up dual-WAN.

 I'm on pfsense 2.2.1.

 There is a sentence in the documentation at 
 https://doc.pfsense.org/index.php/VPN_Capability_IPsec under Prerequisites:

 If pfSense is not the default gateway on the LAN where it is installed, 
 static routes must be added to the default gateway, pointing the remote VPN 
 subnet to the IP address on pfSense in the LAN subnet.


Is that actually the case? VPN is on a separate box from the default
gateway on the LAN?


 I've tried adding various static routes based on my understanding of that 
 sentence, but they haven't helped, which is why I'm asking this question.

 First, preliminary question: when you make a change to the System > Static 
 Routes web page and apply it, it seems like sometimes older
 routes aren't deleted. Is it necessary to reboot every time you change the 
 static routes to make sure that you get rid of ones you deleted or
 deactivated?

Never necessary to reboot. Where are you seeing they're still there?
Routes being there after you deleted the static route is generally
indicative of something else adding them back, like a dynamic routing
protocol, or them being in an OpenVPN client or server, or similar.


Re: [pfSense] 2.2.1 Site-to-Site IPsec VPN Connection Instability

2015-03-23 Thread Chris Buechler
There's nothing to go on to offer any worthwhile suggestions. IPsec
logs best place to start.

On Mon, Mar 23, 2015 at 6:02 PM, Bryan D. pfse...@derman.com wrote:
 FWIW, since my original report, I've noticed some other things:

 - since it's not yet deployed, the v2.2.1 (at both ends) site-to-site IPsec 
 VPN has only 1 laptop and 1 wireless access point on the LAN and virtually 
 nothing else happening on the WAN (it's tied to a cable modem)

 - the condition, when I did the original report, was that the laptop was 
 sleeping -- it's a Mac with network wake-up configured and, in that mode, 
 they constantly bring the port up 'n down (hundreds of times per day, each, 
 according to switches at this office)

 - I needed to make some changes to that laptop so I had someone bring it over 
 here ... and that significantly changed the VPN up-ness behavior:

   + now the VPN is _much_ more likely to be up when I attempt to use it 
 (i.e., with no LAN-to-LAN non-pfSense traffic, assuming there is some 
 generated by the VPN mechanisms, themselves), but ... wait for it ...

   + if I ping the pfSense at the other end and the VPN connection _is_ alive, 
 it'll stay alive as long as I continue the once-a-second pinging (from a 
 non-pfSense system on the LAN) ...

   + however, if I kill the ping, wait 2 or 3 minutes then ping it again, 
 it'll be down ... i.e., the pinging activity seems to stimulate a connection 
 failure once the pinging stops (this seems to be a consistent behavior) ...

   + or maybe what I'm seeing is the norm -- i.e., that, as soon as there's 
 a lull in Lan-to-Lan traffic for a short time, the connection drops (even 
 though the config includes DPD and ping'd host at each end)

 e.g.:
 [surprise, it's up]
 __
 /Users/admin  (2015-03-23 @ 15:26:05)
 root # ping 172.16.22.1
 PING 172.16.22.1 (172.16.22.1): 56 data bytes
 64 bytes from 172.16.22.1: icmp_seq=0 ttl=63 time=26.280 ms
 64 bytes from 172.16.22.1: icmp_seq=1 ttl=63 time=17.740 ms
 64 bytes from 172.16.22.1: icmp_seq=2 ttl=63 time=18.134 ms
 ^C
 --- 172.16.22.1 ping statistics ---
 3 packets transmitted, 3 packets received, 0.0% packet loss
 round-trip min/avg/max/stddev = 17.740/20.718/26.280/3.936 ms


 [now wait about 2.5 minutes ... and it's down]
 __
 /Users/admin  (2015-03-23 @ 15:26:12)
 root # ping 172.16.22.1
 PING 172.16.22.1 (172.16.22.1): 56 data bytes
 Request timeout for icmp_seq 0
 Request timeout for icmp_seq 1
 ... snip'd
 Request timeout for icmp_seq 95
 Request timeout for icmp_seq 96
 Request timeout for icmp_seq 97
 64 bytes from 172.16.22.1: icmp_seq=98 ttl=63 time=15.365 ms
 64 bytes from 172.16.22.1: icmp_seq=99 ttl=63 time=14.927 ms
 64 bytes from 172.16.22.1: icmp_seq=100 ttl=63 time=13.905 ms
 64 bytes from 172.16.22.1: icmp_seq=101 ttl=63 time=15.105 ms
 64 bytes from 172.16.22.1: icmp_seq=102 ttl=63 time=17.298 ms
 64 bytes from 172.16.22.1: icmp_seq=103 ttl=63 time=18.674 ms
 64 bytes from 172.16.22.1: icmp_seq=104 ttl=63 time=16.015 ms
 64 bytes from 172.16.22.1: icmp_seq=105 ttl=63 time=15.246 ms
 64 bytes from 172.16.22.1: icmp_seq=106 ttl=63 time=15.009 ms
 64 bytes from 172.16.22.1: icmp_seq=107 ttl=63 time=15.953 ms
 64 bytes from 172.16.22.1: icmp_seq=108 ttl=63 time=17.085 ms
 64 bytes from 172.16.22.1: icmp_seq=109 ttl=63 time=21.631 ms
 64 bytes from 172.16.22.1: icmp_seq=110 ttl=63 time=16.873 ms
 64 bytes from 172.16.22.1: icmp_seq=111 ttl=63 time=16.639 ms
 64 bytes from 172.16.22.1: icmp_seq=112 ttl=63 time=15.385 ms
 ^C
 --- 172.16.22.1 ping statistics ---
 113 packets transmitted, 15 packets received, 86.7% packet loss
 round-trip min/avg/max/stddev = 13.905/16.341/21.631/1.823 ms

 __
 /Users/admin  (2015-03-23 @ 15:30:21)
 root #



Re: [pfSense] 2.2.1-RELEASE sudo issues?

2015-03-17 Thread Chris Buechler
On Tue, Mar 17, 2015 at 3:48 PM, Manojav Sridhar mano...@manojav.com wrote:
 Just upgraded my pfsense to 2.2.1-RELEASE,

 [2.2.1-RELEASE][user@host]/usr/lib: sudo
 Shared object libintl.so.9 not found, required by sudo

 Can't seem to find the libintl.so.9, this breaks the sudo package. Anyone else
 run into this?

This 32 or 64 bit? Not seeing it on 64, haven't had a chance to try 32 yet.


[pfSense] 2.2.1-RELEASE now available

2015-03-17 Thread Chris Buechler
Since I know a number of you don't necessarily watch the blog and may
not be on the announcements list. 2.2.1-RELEASE is now available.
You'll find the details in the release notes on the blog.
https://blog.pfsense.org/?p=1661


Re: [pfSense] default firewall rules

2015-02-26 Thread Chris Buechler


On 2/26/2015 6:19 PM, Randy Bush wrote:

could someone whack me with a clue bat as to why the default install has
filters for rfc1918 space yet does not filter being an open dns resolver
on the wan?  and there is a check-box for the former and not the latter
(that i could see/understand).


Nothing at all is allowed on WAN by default, hence there is no open DNS 
resolver by default. dnsmasq binds to *:53 by default, so if you do open 
up your WAN rules excessively, you'll have an open resolver open to the 
Internet. You can control interface bindings in its configuration. In 
2.2, we switched to Unbound by default (for new configurations only, 
dnsmasq still used if you upgraded), which is better in that regard 
since it has ACLs limiting recursion, which we automatically populate 
with your internal subnets.


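An added illustration of the recursion ACLs the reply refers to, written by hand here rather than taken from pfSense's generated Unbound configuration (which populates the equivalent entries itself): the open setting that would turn an exposed port 53 into a public resolver, beside an access-control set that recurses only for internal subnets. The interface addresses and subnets are constructed.

```conf
server:
    # Bind only to inside-facing addresses; nothing listens on the WAN IP.
    interface: 127.0.0.1
    interface: 192.168.1.1          # LAN address (constructed)

    # Open resolver: anyone who can reach port 53 may recurse. Never ship this.
    # access-control: 0.0.0.0/0 allow

    # Recursion only for the internal subnets; everyone else is refused.
    # Unbound refuses unlisted sources by default; spelled out here for clarity.
    access-control: 127.0.0.0/8 allow
    access-control: ::1/128 allow
    access-control: 192.168.1.0/24 allow
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse
```

The ACLs are a second layer, not a substitute for the WAN rules: with nothing passed on WAN the resolver is unreachable from outside regardless, and the ACLs only matter once a rule opens port 53.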


Re: [pfSense] no stable ipsec connection after upgrade to 2.2

2015-02-25 Thread Chris Buechler
On Wed, Feb 25, 2015 at 9:02 AM, compdoc comp...@hotrodpc.com wrote:

  peer client ID returned doesn't match my proposal

 I have two ipsec tunnels and after the upgrade, for one tunnel I had to
 change the 'Peer identifier' on my side to use the IP address it was
 seeing.
 Been working great since.


Especially since NAT is involved on at least one side judging by the logs,
yes it's almost certainly that same circumstance. The ID wasn't actually
matched before, but racoon would fall back to the source IP it was
receiving traffic from, where strongSwan requires an exact match.
https://doc.pfsense.org/index.php/Upgrade_Guide#Stricter_Phase_1_Identifier_Validation

Re: [pfSense] pfsense 2.2 Strongswan rekeying issues

2015-02-24 Thread Chris Buechler
On Tue, Feb 24, 2015 at 8:02 AM, Brian Candler b.cand...@pobox.com wrote:

 We appear to have the same problem here after upgrading a box from pfSense
 2.1.5 to 2.2.  The other side is a Cisco ASA5505.

 X.X.X.219 = pfSense, internal subnet 10.19.0.0/16
 Y.Y.Y.155 = Cisco, internal subnet 10.26.0.0/16

 Here is the log we get from the Cisco:

 2015 Feb 24 13:20:03 Group = X.X.X.219, IP = X.X.X.219, Error: dynamic map
 SYSTEM_DEFAULT_CRYPTO_MAP: * to any not permitted.
 2015 Feb 24 13:20:03 Group = X.X.X.219, IP = X.X.X.219, Rejecting IPSec
 tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0
 local proxy 10.26.0.0/255.255.0.0/0/0 on interface outside
 2015 Feb 24 13:20:03 Group = X.X.X.219, IP = X.X.X.219, QM FSM error (P2
 struct 0xcc9648f8, mess id 0x4c6e71f9)!
 2015 Feb 24 13:20:03 Group = X.X.X.219, IP = X.X.X.219, Removing peer from
 correlator table failed, no match!

 From this, it looks pretty clear that the phase 2 request from pfSense is
 wrong: it is requesting 0.0.0.0/0 - 10.26.0.0/16, instead of
 10.19.0.0/16 - 10.26.0.0/16

 Here is the log from the pfSense side:

 Feb 24 13:20:03 charon: 08[IKE] received INVALID_ID_INFORMATION error notify
 Feb 24 13:20:03 charon: 08[IKE] con1000|42 received INVALID_ID_INFORMATION error notify
 Feb 24 13:20:03 charon: 08[ENC] parsed INFORMATIONAL_V1 request 3283507075 [ HASH N(INVAL_ID) ]
 Feb 24 13:20:03 charon: 08[NET] received packet: from Y.Y.Y.155[500] to X.X.X.219[500] (260 bytes)
 Feb 24 13:20:03 charon: 08[NET] sending packet: from X.X.X.219[500] to Y.Y.Y.155[500] (204 bytes)
 Feb 24 13:20:03 charon: 08[ENC] generating QUICK_MODE request 1282306553 [ HASH SA No ID ID ]
 Feb 24 13:20:03 charon: 14[KNL] creating acquire job for policy X.X.X.219/32|/0 === Y.Y.Y.155/32|/0 with reqid {1}


That's this:
https://redmine.pfsense.org/issues/4178

disabling Unity on the Advanced tab, followed by a manual stop and start
(not just restart) of strongswan may resolve that. There was one person
reporting that wasn't adequate, the plugin had to be not loaded at all, not
just disabled like that. I haven't yet had a chance to try to duplicate
that circumstance.

Re: [pfSense] How do I stop noise to logs

2015-02-23 Thread Chris Buechler
On Mon, Feb 23, 2015 at 10:48 AM, Tim Hogan t...@hoganzoo.com wrote:

 Ed,

 I have version 2.1.46.30093 installed on my NAS which is newer than the
 link below.  I have also discovered buried under the noise being created by
 the NAS that I have one other device also generating the same type of
 traffic, just not as often.  This other device was my Samsung Tablet and I
 found that if I turned off the media discovery service on the tablet that
 the traffic stopped.  I have disabled media sharing on the NAS but the
 traffic is still being generated.

 My point here is not to fix broken implementations that various vendors
 put in place but instead my feeling that I should be able to have some
 control over the built-in rules and prevent logging if I so desire.


Logging on that rule is controlled by whether you log for the default deny.
Status > System logs, Settings tab.

Re: [pfSense] Suddenly getting pfi_table_update errors

2015-02-17 Thread Chris Buechler
On Tue, Feb 17, 2015 at 10:22 PM, Bryan D. pfse...@derman.com wrote:
 I have a relatively low-traffic pfSense 2.1.5 i386 setup on a system with 1.5 
 GB of memory that always shows 50% used.

 This setup has normally been reliable but, since upgrading to 2.1.5, today is 
 the 4th time I've run into a problem after making changes to some aliases.  
 For some reason that I've been unable to see much pattern to, pfSense will 
 suddenly report a rash of errors similar to:
 ---
 [ There were error(s) loading the rules: pfctl: DIOCADDRULE: Invalid argument 
 - The line in question reads [0]: ]
 ---
 and/or an error indicating that it can't allocate memory (but there's over 
 50% reported as being available).


 When this happens, the following kind of error will occur during the reboot 
 while first configuring the firewall ...
 ---
 pfi_table_update cannot set x new addresses into table blah: x
 ---
 where blah varies, even with the same config being rebooted, and seems to 
 be either an interface name or self.  The error continues to recur with a 
 considerable blocking pause (up to 10's of seconds) each time it 
 (apparently) attempts a reload.


It sounds like something in 32 bit isn't happy with very large table
sizes. Can't say we've tried large tables on 32 bit, nor do I know of
others who have offhand. Where there is a need for large table sizes,
you're almost always running 64 bit hardware and the 64 bit version.
Is that not a 64 bit CPU? If it is, reinstalling with 64 bit and
restoring your backup should be a quick, proven solution.

If you wouldn't mind sharing your aliases, email that portion of your
config to me off-list.


Re: [pfSense] OpenVPN (pfSense 2.1.5-RELEASE) - VoIP Phone Issues

2015-02-17 Thread Chris Buechler
On Tue, Feb 17, 2015 at 9:50 PM, Chuck Mariotti cmario...@xunity.com wrote:
 I have 4 Yealink T46G phones, 3 on one network (problematic), 1 on a
 separate network… all phones are OpenVPNing into pfSense box at datacenter…
 then using a phone system through the OpenVPN connection.

 The problematic location keeps having issues with phones not receiving calls
 or making calls… as well as call quality issues. Rebooting the phones solves
 the problems.

 The OpenVPN logs contain a number of TLS Errors (TLS keys are out of sync)…
 as well as Auth/Decrypt errors (packet HMAC authentication failed). Logs are
 below.

Think you forgot the logs. That should be enough of a summary to have
a good idea though.

What's the firewall/router/NAT device on the network where the 3
phones reside? That sounds like what could happen with a NAT device
that doesn't handle UDP well. Some consumer-grade routers and some NAT
implementations built into DSL/cable modems can have problems handling
long-lived UDP connections especially where multiple devices are being
NATed out to a single destination IP and port.

Re: [pfSense] OpenVPN (pfSense 2.1.5-RELEASE) - VoIP Phone Issues

2015-02-17 Thread Chris Buechler
On Tue, Feb 17, 2015 at 11:13 PM, Chuck Mariotti cmario...@xunity.com wrote:
Think you forgot the logs. That should be enough of a summary to have a good 
idea though.

What's the firewall/router/NAT device on the network where the 3 phones 
reside? That sounds like what could happen with a NAT device that doesn't 
handle UDP well. Some consumer-grade routers and some NAT implementations 
built into DSL/cable modems can have problems handling long-lived UDP 
connections especially where multiple devices are being NATed out to a single 
destination IP and port.

 And here is the log below... argh.
 The devices are behind a 256Mbit cable modem... Any suggestions on how to 
 resolve if that is the case? 3rd party router?

 Feb 17 22:35:49 openvpn[78847]: Phone-Ext213/172.172.172.66:1086 
 send_push_reply(): safe_cap=940
 Feb 17 22:35:47 openvpn[78847]: MULTI_sva: pool returned IPv4=10.9.12.14, 
 IPv6=(Not enabled)
 Feb 17 22:35:47 openvpn[78847]: 172.172.172.66:1086 [Phone-Ext213] Peer 
 Connection Initiated with [AF_INET]172.172.172.66:1086
 Feb 17 19:50:44 openvpn[78847]: Phone-Ext212/172.172.172.66:1194 
 send_push_reply(): safe_cap=940
 Feb 17 19:50:42 openvpn[78847]: Phone-Ext212/172.172.172.66:1194 MULTI_sva: 
 pool returned IPv4=10.9.12.18, IPv6=(Not enabled)
 Feb 17 19:50:42 openvpn[78847]: 172.172.172.66:1194 [Phone-Ext212] Peer 
 Connection Initiated with [AF_INET]172.172.172.66:1194
 Feb 17 19:49:39 openvpn[78847]: Phone-Ext211/172.172.172.66:1194 TLS Error: 
 local/remote TLS keys are out of sync: [AF_INET]172.172.172.66:1194 [0]
 Feb 17 19:49:37 openvpn[78847]: Phone-Ext212/172.172.172.66:1086 TLS Auth 
 Error: TLS object CN attempted to change from 'Phone-Ext212' to 
 'Phone-Ext211' -- tunnel disabled
 Feb 17 19:49:37 openvpn[78847]: Phone-Ext211/172.172.172.66:1194 TLS Auth 
 Error: TLS object CN attempted to change from 'Phone-Ext211' to 
 'Phone-Ext212' -- tunnel disabled

That's definitely the cable modem's NAT getting confused. If you can
get the phones to randomize their source ports on their OpenVPN
traffic, that might resolve. I'm not sure if that's possible on those
phones. In stock OpenVPN, specifying lport 0 in the config will make
it choose a random port. I'm not sure if that's configurable for the
Yealink phones though. We disable that automatically in our OpenVPN
client export for Yealink because they didn't support it at least up
until recently.

If you can change the modem to bridge mode to pass through the public
IP to a router of some sort that will properly handle that
circumstance, it'll resolve that. That might be hit or miss with
consumer-grade routers. A completely default pfSense config will work
fine in that circumstance, as it'll randomize the source ports on its
own so the phones don't have to.
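An added way to spot the NAT behaviour diagnosed above in an OpenVPN server log, not code from the thread or from pfSense: a public ip:port that the log associates with more than one client certificate over time is the signature of the modem reusing a source port for several phones, and the TLS errors cluster on the same public IP. The log lines it runs against are constructed in the format of the quoted log.

```shell
#!/bin/sh
# Added example, not from the post: spot the NAT symptom described above in
# OpenVPN server logs. When one public ip:port is mapped to different client
# certificates over time, the upstream NAT is reusing a port for several phones.
# The log lines below are constructed in the format of the quoted log.

# Reads OpenVPN log lines on stdin; prints each remote ip:port that was
# associated with more than one client CN, with the CNs in order of appearance.
shared_endpoints() {
    awk '
    # Field 5 is "CN/ip:port" on lines logged for an established client.
    $5 ~ /\// {
        split($5, parts, "/"); cn = parts[1]; ep = parts[2]
        if (!((ep SUBSEP cn) in seen)) {
            seen[ep SUBSEP cn] = 1
            count[ep]++
            names[ep] = names[ep] " " cn
        }
    }
    END {
        for (ep in count)
            if (count[ep] > 1)
                printf "%s shared by %d client certs:%s\n", ep, count[ep], names[ep]
    }' | sort
}

# Count the TLS errors that accompany the port reuse, per remote public IP.
tls_errors_by_ip() {
    awk '
    /TLS keys are out of sync/ || /CN attempted to change/ {
        split($5, parts, "/"); split(parts[2], ep, ":"); errs[ep[1]]++
    }
    END { for (ip in errs) printf "%s %d\n", ip, errs[ip] }' | sort
}

# Constructed sample: three phones behind one NAT (172.172.172.66) sharing
# two source ports, plus one unrelated client that is mapped cleanly.
SAMPLE_LOG=$(cat <<'EOF'
Feb 17 19:49:37 openvpn[78847]: Phone-Ext212/172.172.172.66:1086 TLS Auth Error: TLS object CN attempted to change from 'Phone-Ext212' to 'Phone-Ext211' -- tunnel disabled
Feb 17 19:49:37 openvpn[78847]: Phone-Ext211/172.172.172.66:1194 TLS Auth Error: TLS object CN attempted to change from 'Phone-Ext211' to 'Phone-Ext212' -- tunnel disabled
Feb 17 19:49:39 openvpn[78847]: Phone-Ext211/172.172.172.66:1194 TLS Error: local/remote TLS keys are out of sync: [AF_INET]172.172.172.66:1194 [0]
Feb 17 19:50:42 openvpn[78847]: 172.172.172.66:1194 [Phone-Ext212] Peer Connection Initiated with [AF_INET]172.172.172.66:1194
Feb 17 19:50:44 openvpn[78847]: Phone-Ext212/172.172.172.66:1194 send_push_reply(): safe_cap=940
Feb 17 22:35:49 openvpn[78847]: Phone-Ext213/172.172.172.66:1086 send_push_reply(): safe_cap=940
Feb 17 22:40:01 openvpn[78847]: Laptop-Alice/198.51.100.7:41022 send_push_reply(): safe_cap=940
EOF
)

# On a real box: shared_endpoints < /var/log/openvpn.log
printf '%s\n' "$SAMPLE_LOG" | shared_endpoints
printf '%s\n' "$SAMPLE_LOG" | tls_errors_by_ip
```

A single client that reconnects from a new port is normal and is not reported; only an endpoint reused across different certificates is, which is what distinguishes a confused NAT from an ordinary reconnect.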


Re: [pfSense] pfsense 2.2 Strongswan rekeying issues

2015-02-15 Thread Chris Buechler
On Sun, Feb 15, 2015 at 12:37 PM, Mark Relf mark.r...@4slgroup.com wrote:

   Hi all,

  We are experiencing a number of issues with IPSEC tunnels rekeying.  We
 see the following in the IPSEC log :

   Feb 15 17:30:45 4slgbmernfw01 charon: 13[IKE] con1000|1080 received
 INVALID_ID_INFORMATION error notify

 Feb 15 17:30:50 4slgbmernfw01 charon: 14[IKE] con1000|1080 received
 INVALID_ID_INFORMATION error notify

 Feb 15 17:30:54 4slgbmernfw01 charon: 09[IKE] con1000|1080 received
 INVALID_ID_INFORMATION error notify

 Feb 15 17:30:59 4slgbmernfw01 charon: 09[IKE] con1000|1080 received
 INVALID_ID_INFORMATION error notify

 Feb 15 17:31:04 4slgbmernfw01 charon: 15[IKE] con1000|1080 received
 INVALID_ID_INFORMATION error notify


  This is not always for the same connection but does happen frequently
 and has made release 2.2 almost unusable for us.

  We have to issue ipsec down con xxx and ipsec up con xxx to reset the
 tunnel.

  I have had a brief look at the strongswan website and they seem to be
 indicating an issue and have a patch.

  Has this/when will this patch be incorporated into pfsense (strongswan
 issue819 seems to be a close match)


One of our community members opened that strongswan 819 ticket when it's at
least a mix of two completely different problems, and not a good
description of what might be happening there. I can't seem to find a
replicable circumstance that produces that issue.

Do you have multiple phase 2 entries on a single phase 1? What is the
remote endpoint you're connecting to? The only confirmed issue where I'm
aware of a specific cause is a problem in the Cisco Unity plugin that can
be triggered when rekeying with certain configurations in place on the
Cisco end.

Re: [pfSense] Unbound error in 2.2

2015-02-03 Thread Chris Buechler
That's what you would end up with if you have 2.1.x's dhcpleases binary
running on 2.2, and I can't think of any other circumstance that would
cause something along those lines. The former version didn't have the -u
flag for unbound. Shouldn't be any way for that to occur short of manual
modifications though. Check that file.

# file /usr/local/sbin/dhcpleases
/usr/local/sbin/dhcpleases: ELF 64-bit LSB executable, x86-64, version 1
(FreeBSD), dynamically linked (uses shared libs), for FreeBSD 10.1, stripped

That's what you should see, FreeBSD 10.1.

Where the 2.1x shows:
# file /usr/local/sbin/dhcpleases
/usr/local/sbin/dhcpleases: ELF 64-bit LSB executable, x86-64, version 1
(FreeBSD), dynamically linked (uses shared libs), for FreeBSD 8.3, stripped



On Tue, Feb 3, 2015 at 7:50 AM, Brian Caouette bri...@dlois.com wrote:


 Last 50 system log entries
 Feb 3 08:19:42 check_reload_status: Reloading filter
 Feb 3 08:19:41 php-fpm[69134]: /pkg_edit.php: Reloading Squid for configuration sync
 Feb 3 08:19:33 php-fpm[69134]: /pkg_edit.php: [Squid] - Squid_resync function call pr:1 bp: rpc:no
 Feb 3 08:19:33 check_reload_status: Syncing firewall
 Feb 3 07:57:26 php-fpm[60269]: /services_unbound_advanced.php: The command '/usr/local/sbin/dhcpleases -l /var/dhcpd/var/db/dhcpd.leases -d dlois.com -p /var/run/unbound.pid -u /var/unbound/dhcpleases_entries.conf -h /var/etc/hosts' returned exit code '2', the output was 'dhcpleases: illegal option -- u Wrong number of arguments given.: No such file or directory'
 Feb 3 07:57:20 check_reload_status: Syncing firewall
 Feb 3 07:55:54 check_reload_status: Reloading filter
 Feb 3 07:55:53 php-fpm[18170]: /pkg_edit.php: Reloading Squid for configuration sync
 Feb 3 07:55:53 check_reload_status: Syncing firewall
 Feb 3 07:55:44 php-fpm[18170]: /pkg_edit.php: [Squid] - Squid_resync function call pr:1 bp: rpc:no
 Feb 3 07:54:40 syslogd: kernel boot file is /boot/kernel/kernel

 Sent from my iPad

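The `file` check above, turned into a reusable test as an added example (not from the post or from pfSense): it pulls the "for FreeBSD X.Y" stamp out of `file` output and compares its major version with what `uname -r` reports, so the same check works for any binary left behind by an older release. The two `file` output lines are constructed after the ones quoted in the reply.

```shell
#!/bin/sh
# Added example, not from the post: check that a binary was built for the
# FreeBSD release the box is running, generalising the `file` check above
# to any binary. The sample `file` output lines are constructed.

# Print the FreeBSD release a binary was linked for, from `file` output on stdin.
binary_target_release() {
    sed -n 's/.*for FreeBSD \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# $1 = `file` output for the binary, $2 = running release as `uname -r` prints it.
# Returns 0 when the major versions match, 1 on a mismatch, 2 when no FreeBSD
# stamp was found in the `file` output.
check_binary_release() {
    built=$(printf '%s\n' "$1" | binary_target_release)
    running=${2%%-*}           # strip -RELEASE-pN
    [ -n "$built" ] || return 2
    [ "${built%%.*}" = "${running%%.*}" ]
}

# Constructed after the reply: what a 2.2 box should show, and what 2.1.x shows.
SAMPLE_22='/usr/local/sbin/dhcpleases: ELF 64-bit LSB executable, x86-64, version 1 (FreeBSD), dynamically linked (uses shared libs), for FreeBSD 10.1, stripped'
SAMPLE_21='/usr/local/sbin/dhcpleases: ELF 64-bit LSB executable, x86-64, version 1 (FreeBSD), dynamically linked (uses shared libs), for FreeBSD 8.3, stripped'

# On a real box: check_binary_release "$(file /usr/local/sbin/dhcpleases)" "$(uname -r)"
check_binary_release "$SAMPLE_21" "10.1-RELEASE-p6" || echo "stale 2.1.x binary on a 2.2 (FreeBSD 10.1) system"
```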

Re: [pfSense] 2.2-RELEASE now available!

2015-01-29 Thread Chris Buechler
Hey Seth,

On Mon, Jan 26, 2015 at 8:38 AM, Seth Mos seth@dds.nl wrote:
 Sorry to reply to myself here, but 2.2 in combination with the Intel
 X540-2 card isn't very stable. The card keeps dropping the Phy which is
 fine on 2.1.5.


That's surprising, we've seen much better results on our systems with
ix cards, and I know of one system where they push near 2 Gbps across
tens to hundreds of thousands of simultaneous connections through ix
and have had great results where with 2.1.5 they were at times hitting
the limit of what pf could push. They have a good deal of head room to
spare now.

You using any of those cards on stock FreeBSD? I think most of the
Intel 10G cards we have are X520 rather than 540, which might be the
difference.

 [zone: mbuf_jumbo_9k] kern.ipc.nmbjumbo9 limit reached
 ix1: Could not setup receive structures

 That didn't happen on 2.1.5 at all, apparently the limits have changed.

 In FreeBSD 10 these changes need to go into loader.conf during boot,
 different from before.
 https://pleiades.ucsc.edu/hyades/FreeBSD_Network_Tuning

 kern.ipc.nmbclusters=262144
 kern.ipc.nmbjumbop=262144
 kern.ipc.nmbjumbo9=65536
 kern.ipc.nmbjumbo16=32768


Some of that does like higher limits in 10.x. Though some of that
actually isn't much different from 8.x/2.1.5, like I'm surprised you
were getting by with  262144 mbufs. We've taken to gnn@'s million
packet march as they referred to it at a past employer of his, and
recommended nmbclusters=100 in the NIC tuning guide.
https://doc.pfsense.org/index.php/Tuning_and_Troubleshooting_Network_Cards#Intel_ix.284.29_Cards

We've seen some bad behavior with low-ish nmbclusters on ix NICs which
are similar to what you describe, I'm curious if things would be fine
if you bumped nmbclusters to 1 million. You have a test setup where
you could try that on the specific hardware you're using?


Re: [pfSense] Problem upgrading pfSense on Sun Fire x4100

2015-01-29 Thread Chris Buechler
On Wed, Jan 28, 2015 at 6:37 AM, Toni Garcia toni.gar...@sistel.es wrote:

 well, no kernel crash ?


 no kernel crash after upgrade


 answering myself, seems to be this problem:

 https://redmine.pfsense.org/issues/3749


It's definitely not that problem, that was specific to 2.2 alpha snapshots
6+ months ago only. The change you linked is in 2.2.

It sounds like the problem with limiters and HA, since you mentioned you
are using limiters.
https://redmine.pfsense.org/issues/4310

Removing the limiters will work around, otherwise we'll get that fixed in
2.2.1 which will follow before long.

Re: [pfSense] 2.2-RELEASE now available!

2015-01-29 Thread Chris Buechler
On Mon, Jan 26, 2015 at 6:26 AM, Doug Lytle supp...@drdos.info wrote:
 I've also noted this morning that the 3 systems I've upgraded, all of them 
 have lost their limiter rules.

 I've read the release notes, nothing that I saw stated they'd be removed.


Limiters won't be removed. Check your config history,
Diag > Backup/restore, Config History tab. Hopefully you still have a
revision there pre-upgrade. Use the diff functionality there to see
where that changed. By "lost their limiter rules", what specifically
do you mean? The limiters are gone from Firewall > Traffic Shaper,
Limiters? The rules that were using them are gone? Their specification
in the rule that was there is now missing?

