Re: [pfSense] 2.3.4-RELEASE (amd64) - Kernel Panics

2017-07-17 Thread Juan Pablo
I had the same issue, but it was a problem in PRIO traffic shapers over a
VLAN interface, which triggers a bug.
Best thing to do is re-install and restore config.
No issues on a fresh install.




2017-07-13 12:39 GMT-03:00 WebDawg :

> See, I do not think it is just me.
>
> On Thu, Jul 13, 2017 at 11:12 AM, Moshe Katz  wrote:
>
> > I saw a very similar crash when booting a fresh 2.3.4 install yesterday
> > for the first time.
> > I think it was before I had even configured it for the first time
> > (assigning interfaces and addresses, etc).
> > I rebooted the machine and then it came up fine and is still up with no
> > trouble.
> >
> >
> > Moshe
> >
> > --
> > Moshe Katz
> > -- mo...@ymkatz.net
> > -- +1(301)867-3732
> >
> > On Wed, Jul 12, 2017 at 9:43 PM, WebDawg  wrote:
> >
> > > Hello,
> > >
> > > I just upgraded 2.3.something to 2.3.4 and immediately upon reboot
> > > experienced kernel panics/crash dumps over and over.  The system would
> > > cycle over and over.
> > >
> > > I stopped the process thinking I had a bad raid but upon a fresh
> > > install of 2.3.4 I experienced the same thing, except this time the
> > > system rebooted 2 times with the panics:
> > >
> > > <118>Synchronizing user settings...
> > >
> > >
> > > Fatal trap 12: page fault while in kernel mode
> > > cpuid = 4; apic id = 04
> > > fault virtual address= 0x0
> > > fault code= supervisor read data, page not present
> > > instruction pointer= 0x20:0x80d716ee
> > > stack pointer= 0x28:0xfe0467c5ea00
> > > frame pointer= 0x28:0xfe0467c5ea20
> > > code segment= base 0x0, limit 0xf, type 0x1b
> > > = DPL 0, pres 1, long 1, def32 0, gran 1
> > > processor eflags= interrupt enabled, resume, IOPL = 0
> > > current process= 12 (swi1: pfsync)
> > >
> > > And then fixed itself.  I proceeded to reboot it a few times with no
> > > more panics.
> > >
> > > I submitted a crash dump to pfsense but has anyone seen this on x64
> > > intel hardware?
> > > ___
> > > pfSense mailing list
> > > https://lists.pfsense.org/mailman/listinfo/list
> > > Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] IPSEC with public network as P2 Remote Network: ok from router, not from LAN

2017-03-14 Thread Juan Pablo
I'm running into the same issue. Were you able to troubleshoot it?


2016-05-20 15:44 GMT-03:00 Olivier Mueller :

> Hello, bonjour,
>
> I have some "Simple" IPv4 tunnels (IKEv1) to customers here, 3 are
> already running.  Our LAN: 192.168.1.0/24, WAN IP address 80.254.x.y.
>
> Already working tunnels are having a Phase 2 setup similar to:
> - Local Network: LAN Subnet
>   NAT/BINAT:  Type Network, Address 192.168.10.0/24
> - Remote Network:  Type Network, Address 10.116.0.0/16
>
> I now have to add a new tunnel, but this time and for the first time the
> Remote Network Address is using public IP ranges.  Current phase 2 setup:
> - Local Network:  WAN Subnet - no NAT/BINAT
> - Remote Network:  Type Network, Address 159.16x.y.z/30
>
> IPSEC connection status for Phase 1 and Phase 2 are fine, everything
> works as planned when testing from the router itself (when connected via
> ssh to the pfsense system, I can ping one remote target IP as
> 159.16x.y.7).  But the only issue is that I cannot access the target
> range 159.16x.y.z/30 from our LAN (192.168.1.0/24).
>
> I tried changing the phase 2 settings, but with anything else the tunnel
> will not work.  And if I set "LAN subnet" as NAT/BINAT network, it
> seems to be ignored and will not be saved.
> I also thought about adding a static route, but it's not possible to
> select a tunnel as a gateway, so is it the right place to do this?
>
> So how could I route these packets to 159.16x.y.z/30 over the tunnel
> instead of directly over our gateway?
>
> Any hint would be very welcome as I am not very experienced with ipsec
> topics.  Merci & kind regards, Olivier
>
>
> PS: I originally posted this in the forum under
> https://forum.pfsense.org/index.php?topic=111512.0, so of course I will
> repost any update/solution there too, sorry for any inconvenience.


Re: [pfSense] how does one create a DNS blacklist with about 1000 or so entries?

2016-10-05 Thread Juan Pablo
pfBlockerNG = IPs
squid = http/https
pfBlockerNG under DNSBL options/settings. That's for DNS. *
bind = DNS. *

* You need to use one of those, and 'block' under the root domain the .cn
etc.





2016-09-30 17:08 GMT-03:00 Benjamin E. Nichols :

> Forgive me, but, those aren't DNS Blacklists, they are just CCID IP
> blacklists.
>
> This thread clearly has absolutely nothing to do with DNS blacklists.
>
>
>
>
> On 9/30/2016 2:23 PM, Steve Yates wrote:
>
>> Basically, but doing it directly would avoid dealing with the
>> package.  I guess it's just down to how often the chosen list is updated.
>> And, if it's just via allocation, aren't they done allocating IPv4 blocks...
>>
>> --
>>
>> Steve Yates
>> ITS, Inc.
>>
>> -Original Message-
>> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Vick
>> Khera
>> Sent: Friday, September 30, 2016 2:19 PM
>> To: pfSense Support and Discussion Mailing List 
>> Subject: Re: [pfSense] how does on create a DNS blacklist with aout 1000
>> or so entries?
>>
>> On Fri, Sep 30, 2016 at 12:57 PM, Doug Lytle  wrote:
>>
>>> On 09/30/2016 11:53 AM, Steve Yates wrote:
>>>
>>>> So you could keep your list somewhere else on a web server.
>>>
>>> This is what I do.
>>>
>>> And I grab the list from
>>>
>>> http://www.wizcrafts.net/chinese-iptables-blocklist.html
>>>
>>> Once a month
>>>
>>> Isn't this more or less what pfBlockerNG does for you automatically?
> --
> --
>
> Signed,
>
> Benjamin E. Nichols
> http://www.squidblacklist.org
>
> 1-405-397-1360 - Call Anytime.
>


Re: [pfSense] Slow speed on 100Base TX full duplex.

2016-01-11 Thread Juan Pablo
Use Intel ethernets. Even the cheap ones work as expected.
Also ask them to set ports to 10 half, 10 full, 100 half, reset counters on
each change, you change to the same and see if any works without errors.
Or ask them to set it to auto. Also change cables to something real.

It's swimming with eyes closed with other than Intel cards.
FYI:
https://doc.pfsense.org/index.php/Tuning_and_Troubleshooting_Network_Cards
https://www.pfsense.org/hardware/ at the bottom

sorry.


2016-01-11 10:46 GMT-03:00 Muhammad Yousuf Khan <sir...@gmail.com>:

> em0@pci0:4:0:0: class=0x02 card=0x15d9 chip=0x10968086 rev=0x01
> hdr=0x00
> class  = network
> subclass   = ethernet
> em1@pci0:4:0:1: class=0x02 card=0x15d9 chip=0x10968086 rev=0x01
> hdr=0x00
> class  = network
> subclass   = ethernet
>
> We had a switch in b/w pfSense and Colo uplink. We even removed that switch
> and directly plugged the cable into the pfSense interface, but are still
> getting the same low bandwidth.
>
> Is it a good idea to install two new interfaces of 100Mbps and set them to
> Auto instead of making it static 100Base TX full duplex out of Gig
> Interfaces?
>
> Any help will be highly appreciated.
>
> Thanks,
> Yousuf
>
>
> On Mon, Jan 11, 2016 at 6:03 PM, C. R. Oldham <c...@ncbt.org> wrote:
>
> > Re: pkg_add, try just 'pkg install' instead.
> >
> > Like Juan said, did you get them to try a different cable? Those errors
> > are indicative of a bad Ethernet cable.
> >
> > Also, if the Ethernet chipset is a Realtek, there is a bug in the FreeBSD
> > driver that affects auto negotiation with some switch hardware.
> >
> > --cro
> >
> >
> > > On Jan 11, 2016, at 05:40, Muhammad Yousuf Khan <sir...@gmail.com>
> > > wrote:
> > >
> > > Here you go, yes there are errors in the interfaces. I can not get more
> > > detail as I can not run the command pkg_add; it is saying that command
> > > not found. However I know it's a server board and it has two built-in
> > > LAN. 1 I am using for WAN and For LAN.
> > > here is CPU details.
> > >
> > > Intel(R) Xeon(R) CPU E5440 @ 2.83GHz
> > > 8 CPUs: 2 package(s) x 4 core(s)
> > >
> > > Any guide will be highly appreciated.
> > >
> > > WAN interface (wan, em0)
> > >   Status: up
> > >   MAC address: x
> > >   IPv4 address: xx
> > >   Subnet mask:
> > >   Gateway IPv4: xx
> > >   IPv6 Link Local: xxx
> > >   ISP DNS servers: xxx
> > >   MTU: 1500
> > >   Media: 100baseTX
> > >   In/out packets: 3709795/2014620 (3.06 GB/551.84 MB)
> > >   In/out packets (pass): 3709795/2014620 (3.06 GB/551.84 MB)
> > >   In/out packets (block): 90881/1 (6.59 MB/52 bytes)
> > >   In/out errors: 665/0
> > >   Collisions: 0
> > >
> > > LAN interface (lan, em1)
> > >   Status: up
> > >   MAC address: xx
> > >   IPv4 address:
> > >   Subnet mask IPv4:
> > >   IPv6 Link Local: xxx
> > >   MTU: 1500
> > >   Media: 100baseTX
> > >   In/out packets: 1071425/2719703 (439.25 MB/2.78 GB)
> > >   In/out packets (pass): 1071425/2719703 (439.25 MB/2.78 GB)
> > >   In/out packets (block): 2040/0 (174 KB/0 bytes)
> > >   In/out errors: 2140/0
> > >   Collisions: 0
> > >
> > > On Mon, Jan 11, 2016 at 2:16 PM, Juan Pablo <pablo.localh...@gmail.com>
> > > wrote:
> > >
> > >> Hey, yes usually you should set 10/100/g to see when the link state
> > >> changes, also if the auto protocol is not working or if the cable goes
> > >> bad is easier to troubleshoot, have seen this on co-los worldwide.  In
> > >> any case, setting 10/100 etc shouldn't affect the bandwidth. So the
> > >> question here is: which NIC are you using? Is it supported?
> > >> Do you see any network issue/crc issue, alert/errors, or something
> > >> on the logs? Via the web interface check if there are any errors on the
> > >> interface counters.
> > >> Also: check with ifconfig 'interface name' for crc errors, and the
> > >> advertised speeds, paste here the full output of the problematic
> > >> interface.
> > >>
> > >>
> > >> let us know how it goes.
> > >>
> > >>
> > >> 2016-01-11 3:23 GMT-03:00 Muhammad Yousuf Khan <sir...@gmail.com>:
> > >>
> > >>> I am remotely supporting one of my client who is using pfsense.  i
> > >>> have been using pfsense for years and never face such issue in this
> > >&

Re: [pfSense] state table optimization best options

2015-09-21 Thread Juan Pablo
Hey Zach, what do you mean by make it better? What's the issue?



2015-09-21 16:01 GMT-03:00 Zach Underwood :

> I have set up a pfsense in front of our small ISP. Right now we have at avg
> 55k states open and can peak 150k states. We are using the firewall as a
> default allow. Here is our firewall settings
>
> Firewall Optimization Options=Normal
> Disable Firewall Scrub=checked
> Firewall Maximum States)default=201k
> Static route filtering=checked
>
>
> Are there any settings that we should change to make it better for our
> clients?
>
> --
> Zach Underwood (RHCE,RHCSA,RHCT,UACA)
> greenvilletowers.com
> My website 


[pfSense] postfix+mailscanner on 2.2.4

2015-07-30 Thread Juan Pablo
Hello guys, does anybody know if $subject packages are working on
2.2.4? I have not seen it working since 2.1.5, and would like to hear
about it.

thanks everyone for the effort on making such a beauty as pfSense!


Re: [pfSense] DHCP Relay attaching to wrong interface

2015-07-27 Thread Juan Pablo
Hola Juan!
Don't know if you solved this. What are you trying to achieve here? What's
your WAN interface IP doing there? =)
Can you provide more info, maybe an idea of the topology?

bye,
me

2015-07-25 10:06 GMT-03:00 Juan Bernhard j...@inti.gob.ar:
> Hi list, first I want to congratulate all pfSense developers for this
> magnificent piece of software.
>
> I think I found a simple bug:
> I am configuring a pfSense in a single server to replace a Cisco 2821 and an
> ASA 5520, and at the moment almost everything is working great.
> But... I'm having troubles with the DHCP relay. I have 2 real interface
> configurations, one on the internet side and the other on the inside, with 8
> VLANs in there. I configured DHCP relay to listen to some VLAN interfaces, but
> it also attaches to the LAN interface (the one without VLAN tag), having 2
> DHCP responding servers on the same collision domain.
>
> In shell I can see that dhcrelay is up and the command is wrong:
> [2.2.3-RELEASE][r...@inti1.inti.gob.ar]/root: ps auxww | grep dhc
> root30087   0.0  0.1  20184  9820  -  Ss9:34AM  0:00.05
> /usr/local/sbin/dhcrelay -i bce1_vlan3 -i bce1_vlan10 -i bce1_vlan20 -i
> bce1_vlan33 -i bce1_vlan51 -i bce1 -a -m replace 200.10.161.34
>
> It should not say -i bce; this interface (LAN) is not selected in the DHCP
> relay web configuration.
>
>
>
> Saludos, Juan.