Re: [pfSense] USB3 to ethernet adaptor
On 2-5-2016 at 15:57, WebDawg wrote:
> On May 2, 2016 1:56 AM, "Frans Meulenbroeks" wrote:
>>
>> Hi,
>>
>> Has anyone experience using USB3 to ethernet adapters? I need an extra
>> interface but my HW (Intel NUC) does not have room for another card.
>> Anything recommendable?
>>
>> Best regards, Frans.
>
> If you can skip the USB stuff and enable vlans... in my opinion it is worth
> it.

A relatively simple HP Procurve 1810 supports VLANs and gives you another few ports you can use as a WAN.

Cheers,
Seth

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] IPV6 WAN/LAN routing
On 20-4-2016 at 18:38, Olivier Mascia wrote:
> Dear all,
>
> I must be tired or something but I have a strange thing with IPv6 on a new
> box I just set up.
>
> Have a x:y:z:d800::/56 routed to me.
> WAN is static IPv6 on x:y:z:d800::1/64, gateway is
> x:y:z:d800::::: (not a nice one but that is what they gave
> me).
> LAN is static IPv6 on x:y:z:d801::1/64, no gateway as usual for LAN interface.
>
> From a host on the LAN side, at x:y:z:d801::100 (or any other), I can reach
> pf LAN interface on x:y:z:d801::1, I can also reach pf WAN interface on
> x:y:z:d800::1, but I can't get a packet to go further.
>
> Yet, from pf itself, I can reach (ping for instance) www.google.com (IPv6)
> from WAN interface, but not from LAN interface.
>
> I would have thought "ok I miss a pass rule on the LAN interface", but there
> is one. This by far is not my first pfSense box, and they all have various
> kinds of IPv6 links. Not that I couldn't be awfully wrong somewhere. So what
> obvious detail am I overlooking here? If you have any idea?

Do you have radvd configured (from the DHCP6 settings) so that clients on the LAN can find the gateway? Or is the client statically configured?

If you only do DHCP6d on pfSense but no RADVD, no clients will end up with a route.

Kind regards,
Seth
Re: [pfSense] 2.2.6 and IPv6 RA
On 22-1-2016 at 8:53, Antonio Prado wrote:
> Hi,
>
> on a fresh installed box, IPv4 configured on 2 NICs (WAN and LAN), IPv6
> not configured, pfSense starts advertising itself as IPv6 gateway on LAN
> using its link-local address (fe80::/64).
>
> That's not the correct behavior I guess.
>
> Is it a bug?

No, that sounds about right, it advertises itself as the gateway.

You can safely run RA on the LAN even without a public prefix; this works fine in combination with static addressing as well. Some devices only allow you to set a static address but not the gateway, so they will pick it up from RA.

I think you'll find that the RA has no options set for auto configuration.

Cheers
Re: [pfSense] 2.2.6 and IPv6 RA
On 22-1-2016 at 12:15, Antonio Prado wrote:
> On 1/22/16 11:02 AM, Seth Mos wrote:
>>> on a fresh installed box, IPv4 configured on 2 NICs (WAN and LAN), IPv6
>>> not configured, pfSense starts advertising itself as IPv6 gateway on LAN
>>> using its link-local address (fe80::/64).
>>>
>>> That's not the correct behavior I guess.
>>>
>>> Is it a bug?
>>
>> No, that sounds about right, it advertises itself as the gateway.
>
> well, let me disagree.
> when a router (pfSense) has RA disabled (as previously stated in my
> message), it simply should not, per RFC 4861.
>
> in other words, nevertheless pfSense 2.2.6 has no IPv6 configured (i.e.
> no v6 address on interfaces, RA disabled), it advertises itself as IPv6 gw.

Is your LAN interface not configured for IPv6 with address fe80::1:1? It should be, it's in the default config, unless you disable it.

Regards,
Seth
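A check for the point made in this RA thread and in the IPv6 WAN/LAN routing reply above (a client only gets an IPv6 default route from a router advertisement, and that route points at the router's link-local address, fe80::1:1 on a default pfSense LAN). This is an added example, not code from any of the posts or from pfSense: it reads the FreeBSD `netstat -rn -f inet6` output of a LAN client and the `ifconfig` output of the pfSense LAN interface. All sample output is constructed; the interface names and the fe80::1:1 address are assumptions, and Linux `ip -6 route` output has a different layout and is not handled.

```shell
#!/bin/sh
# Added example: does a LAN client have an IPv6 default route, and does it
# point at a link-local address the router actually holds?  Samples are
# constructed.  On a real client:   netstat -rn -f inet6 | v6_default_gw
# On the pfSense box:               ifconfig em1 | router_has_lladdr "<gateway>"

# Constructed 'netstat -rn -f inet6' from a client that received an RA.
CLIENT_WITH_RA='Routing tables

Internet6:
Destination                       Gateway                       Flags     Netif Expire
::/96                             ::1                           UGRS        lo0
default                           fe80::1:1%em0                 UG          em0
::1                               link#3                        UH          lo0
fe80::%em0/64                     link#1                        U           em0'

# Constructed output from a client that only got a DHCPv6 address (no RA).
CLIENT_NO_RA='Routing tables

Internet6:
Destination                       Gateway                       Flags     Netif Expire
::/96                             ::1                           UGRS        lo0
::1                               link#3                        UH          lo0
fe80::%em0/64                     link#1                        U           em0'

# Constructed 'ifconfig em1' from the pfSense LAN side (fe80::1:1 assumed).
ROUTER_LAN='em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet6 fe80::1:1%em1 prefixlen 64 scopeid 0x2
        inet6 2001:db8:0:d801::1 prefixlen 64'

# v6_default_gw: read the routing table on stdin, print the default gateway
# without its %scope suffix; prints nothing when there is no default route.
v6_default_gw() {
    awk '$1 == "default" { sub(/%.*/, "", $2); print $2; exit }'
}

# v6_gw_kind <gateway>: classify what the client learned.
#   link-local = what an RA produces; global = static or DHCP-supplied gateway;
#   none = no default route at all (the DHCP6-without-RADVD case).
v6_gw_kind() {
    case "$1" in
        '')     echo none ;;
        fe80:*) echo link-local ;;
        *)      echo global ;;
    esac
}

# router_has_lladdr <addr>: read the router's ifconfig on stdin; succeed if
# <addr> is one of its inet6 addresses (scope suffix ignored).
router_has_lladdr() {
    awk -v a="$1" '$1 == "inet6" { sub(/%.*/, "", $2); if ($2 == a) f = 1 } END { exit !f }'
}

gw=$(printf '%s\n' "$CLIENT_WITH_RA" | v6_default_gw)
echo "client default gateway: ${gw:-none} ($(v6_gw_kind "$gw"))"
if printf '%s\n' "$ROUTER_LAN" | router_has_lladdr "$gw"; then
    echo "gateway is an address on the pfSense LAN interface"
fi
```

If `v6_default_gw` prints nothing on a client that does have a DHCPv6 address, that is the "DHCP6d but no RADVD" situation from the routing thread; if it prints a global address, the client was configured statically or by some other means and RA is not in play.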
Re: [pfSense] Slow speed on 100Base TX full duplex.
On 11-1-2016 at 14:46, Muhammad Yousuf Khan wrote:
> em0@pci0:4:0:0: class=0x02 card=0x15d9 chip=0x10968086 rev=0x01 hdr=0x00
>     class = network
>     subclass = ethernet
> em1@pci0:4:0:1: class=0x02 card=0x15d9 chip=0x10968086 rev=0x01 hdr=0x00
>     class = network
>     subclass = ethernet
>
> We had a switch in b/w pfSense and the Colo uplink. We even removed that switch
> and directly plugged the cable into the pfSense interface, but are still getting the
> same low bandwidth.
>
> Is it a good idea to install two new interfaces of 100Mbps and set them to
> Auto instead of making it static 100Base TX full duplex out of Gig
> interfaces?
>
> Any help will be highly appreciated.

Only set the interface hard if the other side does that as well. You can set it to 100 Mbit full duplex, but if the other side does not force it to the same value it will autonegotiate from the ISP or switch to half duplex. Overruns and runts galore.

If you put an unmanaged switch in between you will get this. If the ISP switch is set to auto it will do the same thing.

So just leave it on auto; setting interfaces hard shouldn't be needed anymore since we left Nortel gear behind in the year 2000.

Cheers,
Seth
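A way to confirm the duplex mismatch described above before touching the media setting. This is an added example, not from the post: a hard-set full-duplex port whose peer fell back to half duplex never sees collisions itself; what it sees is a steady stream of runts and CRC errors on input, so the check is "media is forced" combined with "input errors are a noticeable fraction of input packets". The `ifconfig` and `netstat -I` samples are constructed, and the 0.1% error threshold is an assumption; tune it for your link.

```shell
#!/bin/sh
# Added example: flag a probable duplex mismatch from FreeBSD 'ifconfig <if>'
# and 'netstat -I <if>' output.  Real use:
#   duplex_check "$(ifconfig em0)" "$(netstat -I em0)"
# All sample output below is constructed; the 0.1% threshold is an assumption.

# Constructed output for a port forced to 100baseTX full duplex whose peer
# ended up at half duplex (2.5% input errors).
FORCED_IFCONFIG='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:25:90:12:34:56
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
        media: Ethernet 100baseTX <full-duplex>
        status: active'
FORCED_NETSTAT='Name    Mtu Network       Address              Ipkts Ierrs Idrop    Opkts Oerrs  Coll
em0    1500 <Link#1>      00:25:90:12:34:56  1000000 25000     0   987654     0     0
em0       - 192.0.2.0/24  192.0.2.10          975000     -     -   987650     -     -'

# Constructed output for the same port left on autoselect.
AUTO_IFCONFIG='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:25:90:12:34:56
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active'
AUTO_NETSTAT='Name    Mtu Network       Address              Ipkts Ierrs Idrop    Opkts Oerrs  Coll
em0    1500 <Link#1>      00:25:90:12:34:56  1000000     3     0   987654     0     0'

# media_forced: read ifconfig output on stdin; succeed only if a media line
# exists and is not autoselect.
media_forced() {
    awk '/media:/ { m = $0 } END { if (m == "" || m ~ /autoselect/) exit 1; exit 0 }'
}

# ierr_ratio: read 'netstat -I <if>' on stdin; print Ierrs/Ipkts from the
# <Link#N> line (the per-address lines carry "-" in those columns).
ierr_ratio() {
    awk '$3 ~ /^<Link#/ { if ($5 > 0) printf "%.4f\n", $6 / $5; else print "0.0000"; exit }'
}

# duplex_check "<ifconfig output>" "<netstat -I output>"
# prints: mismatch-suspected | forced-media | error-rate | ok
duplex_check() {
    if printf '%s\n' "$1" | media_forced; then forced=1; else forced=0; fi
    ratio=$(printf '%s\n' "$2" | ierr_ratio)
    high=$(awk -v r="$ratio" 'BEGIN { if (r > 0.001) print 1; else print 0 }')
    if [ "$forced" -eq 1 ] && [ "$high" -eq 1 ]; then echo mismatch-suspected
    elif [ "$forced" -eq 1 ]; then echo forced-media
    elif [ "$high" -eq 1 ]; then echo error-rate
    else echo ok
    fi
}

echo "forced port:     $(duplex_check "$FORCED_IFCONFIG" "$FORCED_NETSTAT")"
echo "autoselect port: $(duplex_check "$AUTO_IFCONFIG" "$AUTO_NETSTAT")"
```

"forced-media" on its own is only a warning that the port cannot negotiate; "error-rate" without forced media points at cabling or the peer rather than duplex.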
[pfSense] pfSense 2.1.5 crashing
Hi,

Just a heads up, this week we have had multiple 2.1.5 firewalls on different hardware in different locations crashing hard and rebooting. These firewalls had been running for over a year before they rebooted, with no rule changes lately.

Anybody else seeing these hard crashes with respect to 2.1.5?

I've uploaded the crash reports, but I don't have a crash report handy at this moment.

Kind regards,
Seth
[pfSense] Large amount of tunnels failing on 2.2.4 upgraded from 2.1.5
Hi,

We attempted an upgrade from 2.1.5 to 2.2.4 today and it backfired entirely, requiring a reinstall of both nodes to get back to a working situation. We did make config backups beforehand, but rolling back is a bit painful in this regard.

We have about 300 IPsec tunnels with Draytek Vigor (2820/2850) routers. Of the 300 tunnels, just 2 managed to come online immediately, and never more than about 10 in half an hour. This was taking way too long and meanwhile the phone was getting hammered.

What appeared to be happening is that these routers are too aggressive, triggering the DoS protection in charon. Some tunnels were establishing but triggering DPD and falling off again. We disabled DPD entirely, but alas, this was not enough to get anywhere fast.

After searching some more I see that strongswan.conf has options for the SA table size, as well as an option for disabling the DoS protection. Unfortunately, none of these are listed in the UI.

The dos_protection is enabled per default, something which racoon never had. It does however need adjusting, or disabling above n tunnels. And the cookie settings need adjusting for the larger amount of tunnels too.

Do the ikesa_table_size = 32 and ikesa_table_segments = 4 need adjusting too?

The init_limit_half_open = 1000 needs to be twice the number of tunnels for successful negotiation. So this default should be good for 500 tunnels. Although if there are multiple attempts I could see people running out.

Another thing I hit on the way was the initial phase 1 negotiation timing out. For Linux the default is 165 seconds, but I have no idea what the defaults for FreeBSD are.

Apart from the issues with IPsec I didn't appear to have any other issues relating to firewall rules or CARP, so it was a success in that respect.

Still a shame that we missed 2600 calls just this morning because the network broke.

Kind regards,
Seth Mos
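The charon options named in the post, sized for a given peer count, as an added example that is not from the post and not pfSense's generated configuration. It applies the post's rule of thumb (init_limit_half_open at least twice the number of tunnels) and adds a small checker that reads an existing strongswan.conf and reports whether that rule holds. The hash-table sizing, the cookie_threshold choice and the assumption that a hand-edited strongswan.conf survives on your pfSense version are this example's own; verify the last one before relying on it.

```shell
#!/bin/sh
# Added example, not from the post or from pfSense: size the charon options
# the post names for a given number of IPsec peers.  Rule of thumb from the
# post: init_limit_half_open >= 2 x tunnels.  Table sizing and the
# cookie_threshold value are assumptions of this example.

# charon_stanza <tunnels> [dos_protection yes|no]: print a charon { } block.
charon_stanza() {
    tunnels=$1
    dos=${2:-yes}
    half_open=$((tunnels * 2))
    # IKE_SA hash table: power-of-two bucket count >= peers (assumed sizing)
    size=32
    while [ "$size" -lt "$tunnels" ]; do size=$((size * 2)); done
    cat <<EOF
charon {
    # leave "yes" unless every peer is a known device that retries too hard
    dos_protection = $dos
    # half-open IKE_SAs tolerated before further IKE_SA_INITs are dropped
    init_limit_half_open = $half_open
    # half-open count at which cookies are demanded (assumed: one per peer)
    cookie_threshold = $tunnels
    ikesa_table_size = $size
    ikesa_table_segments = 4
}
EOF
}

# charon_check <tunnels>: read a strongswan.conf on stdin and print
# ok | too-low | unset for init_limit_half_open against the 2 x peers rule.
charon_check() {
    want=$(($1 * 2))
    have=$(awk -F'=' '/^[ \t]*#/ { next }
                      $1 ~ /init_limit_half_open/ { gsub(/[ \t]/, "", $2); print $2; exit }')
    if [ -z "$have" ]; then echo unset
    elif [ "$have" -ge "$want" ]; then echo ok
    else echo too-low
    fi
}

charon_stanza 300
echo "check for 300 peers: $(charon_stanza 300 | charon_check 300)"
echo "check for 600 peers: $(charon_stanza 300 | charon_check 600)"
```

Run `charon_check <peers> < /path/to/strongswan.conf` against the file the box actually loads; "unset" means the strongSwan default applies, whatever that is on the version installed.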
Re: [pfSense] Connect pfSense as client to a Hotel WLAN?
On 30-7-2015 at 8:55, Chris Buechler wrote:
> On Wed, Jul 29, 2015 at 7:59 PM, Ray r...@renegade.zapto.org wrote:
>> Hi,
>>
>> I run pfSense on a few ALIX boxes, usually as tunnel end and as access point. When I can plug one of these machines into any (wired) network, I have easy access to my home network through the private WLAN the ALIX provides. This works beautifully.
>>
>> I travel a lot and today hotels only provide WLAN access. Ethernet ports in hotel rooms are relics of the past.

You have a few choices here too; the term "travel router" has become a lot more common than before. The cheapest are ~30-40 euro. However, these are single radio, multiple SSID operation. This is bad as it has a large impact on the RF bandwidth: you double the amount of RF space you use with this method. Hotels and other networks really don't appreciate this.

The current crown goes to the Dlink DIR510L, which is a dual band travel router with dual radios (dual band) and a 4Ah battery for charging phones or operating on it. This you can attach to the wireless over 2.4GHz and connect your laptop/iPad/phone to the hotspot router over 5GHz and not impact the lackluster 2.4GHz band. Excellent for sticking to a window where you do have reception in some of the concrete bunkers that we call hotel rooms. Also works well for RVs (campers) when mounted on a stick or inside the roof window to get above all those aluminium boxes on wheels.

I've considered building a package for pfSense to perform this travel router scenario to make it easier to do without requiring logging into pfSense itself. I never got round to it. I've found the wireless client support to be lacking in some respects during the 2.1 cycle; it might be quite a bit different now since I last tried this. In my case it started flapping the wireless link and cycling with DHCP requests. It was less than optimal :)

Cheers,
Seth
Re: [pfSense] Access Point Recommendations?
On 23-7-2015 at 17:46, Karl Fife wrote:
> Your point about having a one-off solution is a great one. Installing a single UniFi AP would be unnecessarily complex.

In a pinch I use the Linksys E2500 or EA2700 dual band wireless access points. Set a static IP, disable the DHCP server and connect the cable to the LAN ports. That's handy for connecting the Xbox in the living room. I mounted it behind the TV using one of the VESA mount screw holes for hanging it off, and route the wires through the base of the TV. Excellent wireless signal in the room. You get 3 free switch ports on location as well, for just ~40 euros.

> The TP-Link TL-WA801nd is a BGN-only device. Do you (or anyone) have a preferred stand-alone AC access point?

If anyone is going to deploy anything new then BGN is not a valid solution anymore. I see way too many issues with channel overlap in 2.4GHz, especially in densely populated areas. The record so far is 38 SSIDs from a table at a cafe in Barcelona, Spain. Then there was the genius that installed all APs on the same channel; don't do that :(

At work we use the Ubiquiti UniFi Pro access points, about 20 of them. One of them is a repeater with a wireless backhaul (over 5GHz). We have a Debian VM for the controller, which is handy as well. All wireless traffic is put on a separate VLAN, and that works as intended; pfSense routes it out to the internet. I've also not found any issues so far with the IPv6 support on any of the devices attached to the wireless, it works.

The roaming is also quite good; I have no dropping 3CX soft phone calls whilst roaming through the building.

Cheers,
Seth
Re: [pfSense] Pfsense + Cloudflare
On 30-4-2015 at 16:02, Roy Sandbergen - Webguru wrote:
> Hi All,
>
> Does anyone have his site behind pfSense and Cloudflare? I have the problem that my pfSense only sees the IP addresses of the Cloudflare servers, not the original IP of the client. Does anyone have a solution for that problem? I cannot find a solution online for pfSense 2.2 in combination with Cloudflare.

That's how Cloudflare works; it's basically a great Varnish (proxy) box, so yes, you will only see the Cloudflare servers. If you want any meaningful address information you need to look at the headers that the proxy service provides you.

Regards,
Seth
Re: [pfSense] 2.2-RELEASE now available!
Sorry to reply to myself here, but 2.2 in combination with the Intel X540-2 card isn't very stable. The card keeps dropping the PHY, which is fine on 2.1.5. I've just reverted and reinstalled 2.1.5 with a backup config.

Although the nmbclusters change did make the 2nd port of the ix card power on, it eventually hung the network after half an hour or so. Due diligence.

Regards,
Seth

On 26-1-2015 at 11:12, Seth Mos wrote:
> On 24-1-2015 at 3:24, Chris Buechler wrote:
>> Details on the blog: https://blog.pfsense.org/?p=1546
>
> 2 upgrades done so far, one had a different architecture autoupdate URL, that one updated from AMD64 to i386, please don't do that.
>
> Also, I have issues with the Intel X540-2 10G card now, it's throwing a few errors. Port 0 goes into a flapping state while port 1 never comes up.
>
> [zone: mbuf_jumbo_9k] kern.ipc.nmbjumbo9 limit reached
> ix1: Could not setup receive structures
>
> That didn't happen on 2.1.5 at all, apparently the limits have changed. In FreeBSD 10 these changes need to go into loader.conf during boot, different from before.
>
> https://pleiades.ucsc.edu/hyades/FreeBSD_Network_Tuning
>
> kern.ipc.nmbclusters=262144
> kern.ipc.nmbjumbop=262144
> kern.ipc.nmbjumbo9=65536
> kern.ipc.nmbjumbo16=32768
>
> Regards,
> Seth
Re: [pfSense] 2.2-RELEASE now available!
On 24-1-2015 at 3:24, Chris Buechler wrote:
> Details on the blog: https://blog.pfsense.org/?p=1546

2 upgrades done so far, one had a different architecture autoupdate URL, that one updated from AMD64 to i386, please don't do that.

Also, I have issues with the Intel X540-2 10G card now, it's throwing a few errors. Port 0 goes into a flapping state while port 1 never comes up.

[zone: mbuf_jumbo_9k] kern.ipc.nmbjumbo9 limit reached
ix1: Could not setup receive structures

That didn't happen on 2.1.5 at all, apparently the limits have changed. In FreeBSD 10 these changes need to go into loader.conf during boot, different from before.

https://pleiades.ucsc.edu/hyades/FreeBSD_Network_Tuning

kern.ipc.nmbclusters=262144
kern.ipc.nmbjumbop=262144
kern.ipc.nmbjumbo9=65536
kern.ipc.nmbjumbo16=32768

Regards,
Seth
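The loader tunables from this message and the follow-up above, written in a way that can be re-run without duplicating lines. This is an added example and not from the thread or from pfSense: the values are the ones quoted, but the choice of /boot/loader.conf.local as the target (on the assumption that pfSense regenerates /boot/loader.conf itself and leaves loader.conf.local alone) and the helper functions are this example's own. Loader tunables only take effect at the next boot, which is why the last function compares the file against the running kernel.

```shell
#!/bin/sh
# Added example, not from the thread: write the mbuf tunables quoted in it
# idempotently.  On pfSense pass /boot/loader.conf.local as $1 (assumption:
# loader.conf itself is regenerated by pfSense).  Values apply at next boot.

# set_tunable <file> <key> <value>: replace the key's line or append one;
# other lines and their order are preserved.
set_tunable() {
    file=$1 key=$2 value=$3
    [ -f "$file" ] || : > "$file"
    if awk -F'=' -v k="$key" '$1 == k { f = 1 } END { exit !f }' "$file"; then
        tmp="$file.tmp.$$"
        awk -F'=' -v k="$key" -v v="$value" '$1 == k { print k "=" v; next } { print }' "$file" > "$tmp" &&
            mv "$tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_tunable <file> <key>: print the configured value, nothing if absent.
get_tunable() {
    awk -F'=' -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# mbuf_tunables <file>: the four values from the thread, for the ix(4) card.
mbuf_tunables() {
    set_tunable "$1" kern.ipc.nmbclusters 262144
    set_tunable "$1" kern.ipc.nmbjumbop 262144
    set_tunable "$1" kern.ipc.nmbjumbo9 65536
    set_tunable "$1" kern.ipc.nmbjumbo16 32768
}

# check_running <file> <key>: match | pending (reboot needed) | unknown
# (no such sysctl on this host, e.g. not FreeBSD)
check_running() {
    want=$(get_tunable "$1" "$2")
    live=$(sysctl -n "$2" 2>/dev/null) || { echo unknown; return 0; }
    if [ "$want" = "$live" ]; then echo match; else echo pending; fi
}

# Demo against a scratch file; give the real path as $1 on the firewall.
target=${1:-$(mktemp)}
mbuf_tunables "$target"
cat "$target"
echo "nmbjumbo9: $(check_running "$target" kern.ipc.nmbjumbo9)"
```

After a reboot every key should report "match"; a "pending" result means the file was read but a different value is still live, so the file that was edited is not the one the loader consulted.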
Re: [pfSense] Road Warrior open vpn
On 22-1-2015 at 10:18, A Mohan Rao wrote:
> someone more ..

Are you sure that the devices on the LAN are using the same gateway as the pfSense machine? Could be asymmetric routing.

Regards,
Seth
Re: [pfSense] Road Warrior open vpn
On 21-1-2015 at 11:30, A Mohan Rao wrote:
> Hello,
>
> successfully configured Road Warrior OpenVPN, also the VPN client is connected from a remote area but not able to access the server end LAN or servers.

Add firewall allow rules on the OpenVPN Server interface.

> Thanks
> Mohan
Re: [pfSense] 4 Byte ASN
On 8-1-2015 at 17:24, Adam Thompson wrote:
> On 15-01-08 10:02 AM, Seth Mos wrote:
>> To clarify this a bit better. You speak BGP to your ISP from each pfSense node and generally use CARP as the router address on the internal side. You still need to exchange routes between both pfSense nodes. The moment CARP fails over you drop your BGP session anyhow, so both pfSense nodes need the routing tables (unless you use default only).
>
> Uh... https://doc.pfsense.org/index.php/OpenBGPD_package says it better than I can.
>
> Note that there have been a ton of bug-fixes relating to "set nexthop" and CARP in the last year or so, which don't appear to have made it into the FreeBSD port yet.
>
> I run a pair of BGP routers using CARP to an upstream peer who only wants to configure a single IP address and a single session. Works OK in practice under OpenBSD, not sure how well the pfSense package (FreeBSD port) handles it.

Yep, that's a good reason to use CARP, but you might drop some traffic on reconfiguration depending on the amount of routes you have.

Regards,
Seth
Re: [pfSense] 4 Byte ASN
On 8-1-2015 at 17:22, Bryant Zimmerman wrote:
> *From*: Seth Mos seth@dds.nl
> *Sent*: Thursday, January 8, 2015 11:02 AM
> *To*: list@lists.pfsense.org
> *Subject*: Re: [pfSense] 4 Byte ASN
>
>> On 8-1-2015 at 16:52, Jim Thompson wrote:
>>> On Jan 8, 2015, at 9:23 AM, Seth Mos seth@dds.nl wrote:
>>>> You do not want to use CARP with BGP in any situation. Each node needs its own session with the remote BGP peer. You need to use iBGP between the nodes instead.
>>>
>>> We run a pair of c2758s behind each link and CARP between these, announcing the routes out via BGP. (Technically this occurs on a different pair (R200) boxes that play the role of router (one per link).)
>>
>> To clarify this a bit better. You speak BGP to your ISP from each pfSense node and generally use CARP as the router address on the internal side. You still need to exchange routes between both pfSense nodes. The moment CARP fails over you drop your BGP session anyhow, so both pfSense nodes need the routing tables (unless you use default only).
>>
>> Regards,
>> Seth
>
> What my current design is: 3 routers in a CARP stack at each location. A single fiber link. We have a fiber VLAN between the locations. I was thinking of BGP announcing from the CARP stack; in the event of a router failure the next unit in line should take on the load for the firewall and BGP. We don't want to drop existing connections if possible. Now I know if a connection goes down hard we may drop while it switches over to the alternate site. I just don't want to drop due to an internal router failure.
>
> Am I approaching this the wrong way?

You will drop the BGP session because only one pfSense node will have a connected session from the openbgpd. A virtual IP is nice, but that only applies for traffic traveling through the firewall, not a process running *ON* the firewall.

Depending on whether you do default, customer only or full routing, both pfSense nodes need the same routing table. Since openbgpd takes care of inserting routes into the routing table, this needs to happen on both nodes.

If you bind openbgpd to the CARP address, node B will set up a new session on failover, exchange routes and install routes, during which time you will drop traffic with destination unreachable. Hopefully the remote peer has soft-reconfiguration inbound.

Cheers,
Seth
Re: [pfSense] 4 Byte ASN
On 8-1-2015 at 15:28, Bryant Zimmerman wrote:
> We are working on getting our own ASN with ARIN so we can get our own blocks of addresses. We are doing this because we are using multiple ISPs and want to announce our own addresses, for better failover.

It's so much nicer than multi-WAN, I don't regret it in the least.

> We are currently using pfSense boxes with CARP at both our locations.
>
> -- Will the open BGP package available for pfSense work correctly with 4 Byte ASNs?

Yes

> -- Does CARP function correctly with Open BGP for failover?

You do not want to use CARP with BGP in any situation. Each node needs its own session with the remote BGP peer. You need to use iBGP between the nodes instead.

Regards,
Seth
Re: [pfSense] 4 Byte ASN
On 8-1-2015 at 16:52, Jim Thompson wrote:
> On Jan 8, 2015, at 9:23 AM, Seth Mos seth@dds.nl wrote:
>> You do not want to use CARP with BGP in any situation. Each node needs its own session with the remote BGP peer. You need to use iBGP between the nodes instead.
>
> We run a pair of c2758s behind each link and CARP between these, announcing the routes out via BGP. (Technically this occurs on a different pair (R200) boxes that play the role of router (one per link).)

To clarify this a bit better. You speak BGP to your ISP from each pfSense node and generally use CARP as the router address on the internal side. You still need to exchange routes between both pfSense nodes. The moment CARP fails over you drop your BGP session anyhow, so both pfSense nodes need the routing tables (unless you use default only).

Regards,
Seth
Re: [pfSense] APU and SSD: full install or NanoBSD
On 30-10-2014 at 16:33, Jim Thompson wrote:
> On Oct 30, 2014, at 9:28 AM, Jeppe Øland jol...@gmail.com wrote:
>> 3 year old Kingston SSDs are not like new Kingston SSDs.
>
> Agreed.
>
>> On the other hand, I tend to distrust manufacturers that shipped completely unreliable drives without any thought. Kingston/OCZ/Crucial are all in this boat for me.
>
> I'm sure I've been burned at least as badly by these, and others, and I still buy from them.
>
> Samsung 840s are the darling of the "cheap, fast SSD" and they turn out to suck, too:
> http://www.pcper.com/news/Storage/Samsung-Germany-acknowledges-840-Basic-performance-slow-down-promises-fix

We have about 70 Dell Optiplex desktops that have a Samsung 830 in them that appear to be doing fine. None has failed yet.

We also have 300 cash registers running the Intel 320 series 80GB and so far 3 have failed in 8MB mode, even though they do have the correct firmware. It's basically the way it tells you something went wrong.

We are very picky about our Intel SSD models; only a few have power protection circuits. Basically only the models with the in-house Intel controller have this (X25-M, Intel 320, Intel S3500/S3700).

We did have 1 OCZ Vertex 2 that predictably died just after the 1st year in a developer's laptop; that was a train wreck waiting to happen, and it did.

Another production box is a 12 disk RAID 6 (~2TB) with 300GB Intel 320 series; it's been fine on a light write workload (70/30).

Cheers,
Seth

___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] LAN: IPv6 static configuration
On 10-10-2014 at 3:51, Erik Anderson wrote:
> Any thoughts on this? Unfortunately, all of the examples and documentation I can find on IPv6 configuration with pfSense are geared towards consumer-class circuits using DHCP-PD, and I've not found anything about proper static configuration.

Well, mine is proper static configuration since I started, but I've not run into this case. However, do keep in mind that I configured all this in the 2.1 development cycle and never tried this on 2.1 RELEASE or later.

My setup is 2 sequential CARP clusters complete with ip4 and ip6 configuration including ip6 CARP addresses. I have never run into this issue before.

What you might want to check on the firewall is the routing. I've seen a few cases where any changes to the gateways after 2.1.1 result in all sorts of hilarious behaviour except properly adding and removing routes. I was also not amused when this broke my HE.net tunnel at home; tunneled interfaces after 2.1.1 are apparently very different gateway-wise now. The end result being that I can't properly switch gateways now when you have 2 tunnels and NPt.

So check your routing with netstat -r before and after changing and see if you lost your default gateway.

Regards,
Seth

> Again, I thought this would be simple, but at least during my first attempt at configuration, I ran into major issues.
>
> Thank you all!
> -Erik
>
> On Wed, Oct 8, 2014 at 2:19 PM, Erik Anderson erike...@gmail.com wrote:
>> Good afternoon-
>>
>> This is in regards to pfsense-2.1.4-RELEASE. This morning my ISP (finally) turned on IPv6 on our circuit. They assigned a /126 P2P link for the WAN and are routing a /48 to us. I have the WAN interface configured without issue, and am able to ping6 from the router itself to external addresses.
>>
>> The problem arose when I added the static IPv6 configuration to my LAN interface. I chose an arbitrary /64 subnet for the LAN and assigned an IP to the interface. When I applied this configuration, *all* traffic to and through the router (both v4 and v6) stopped. I couldn't ping the v4 address of the router, etc. I ended up having to attach to the serial console and restore a previous config file in order to restore connectivity.
>>
>> My questions are:
>>
>> 1) How was adding v6 addressing information to the LAN interface able to affect v4 traffic?
>> 2) How can I add static v6 configuration to the LAN interface successfully?
>>
>> This all seemed like it should be a very simple task, but apparently I'm missing something.
>>
>> Thank you!
>> -Erik
Re: [pfSense] v2.1.5: OpenVPN + IPv6. Any success?
On 16-9-2014 at 6:32, Erik Anderson wrote:
> I recently got IPv6 turned up on my Comcast cable circuit. They're delegating a /60 to my router. I have successfully configured interface t racking on the LAN interface and that is working great.
>
> Next, I'd like to get the OpenVPN server configured to enable v6 communication with mobile VPN clients. Has anyone had success with this?
>
> When configuring the LAN interface, it is set to track the WAN interface, and I can set a prefix ID to provide a unique subnet to LAN clients. As far as I've seen, there's no equivalent configuration available for OpenVPN, correct?
>
> Sure, I could probably pick an arbitrary subnet from the block delegated to me and assign IPs from that to OpenVPN clients, but what happens if my delegated block changes? Then everything breaks. I'm not certain that Comcast will always assign the same block.

Good question, I never envisioned it this way but it does make sense. Using an arbitrary subnet is your best solution for now. I have ~40 dual stacked laptops hanging off my OpenVPN with the Viscosity client on Windows.

> Is there a graceful way to handle this situation?

What you need isn't in 2.1.5 and it needs to be made. So no, I'm afraid. The same method we built for other interfaces could be applied to OpenVPN server interfaces, so it's not too different. Probably about 2 days to build and a day to test.

Cheers,
Seth
[pfSense] Upgrade from 2.1 to 2.1.3 RA misses subnet
Hi,

Maybe it was just my install, but when I upgraded from 2.1 to 2.1.3 the RADVD settings changed. I did not explicitly set up a subnet to announce for radvd; it previously just picked up the interface subnet.

I was wondering where my IPv6 went off to.

Kind regards,
Seth
[pfSense] Problems with gateways on IPv6 Tunnels?
Hi,

I just upgraded to 2.1.3 at home and tried to switch my IPv6 default gateway around. Unfortunately, when I try to set my HE.net tunnel gateway as the default it throws an error that the gateway address is not in the interface subnet.

I've set the prefix length in both the GIF interface settings and the OPT4 interface settings to /120. Unfortunately it still throws that error.

Strangely enough the gateway status widget and status page tell me the gateway is reachable fine and with proper response time. This makes no sense.

Anybody else seeing this?

Kind regards,
Seth
Re: [pfSense] ICMPv6 filtering recommendations with pfSense?
On 21-5-2014 9:11, Olivier Mascia wrote:
> On 14 May 2014 at 03:37, Chris Buechler c...@pfsense.com wrote:
>>>> IMO, I agree that it's best to let ICMP flow free on IPv6. ICMP has had a bad reputation for a long time, and it's mostly undeserved in recent times.
>>>>
>>>> Jim
>>>
>>> How should I interpret the code you pointed to? That pfSense does let ICMPv6 flow freely (at least most of it deemed to be required for IPv6 correct behavior) by default, and it then is not dropped by the default block rule?
>>
>> The ICMPv6 traffic that's considered required for things to function properly is automatically allowed.
>
> Excellent. Thanks!

The rules should automatically allow ICMP6 echo, packet too big and neighbor discovery on the link-local addresses so that basic functionality works. IIRC ICMP6 echo is not allowed from the internet using the GUA addresses, but ND, RA and RS are, for normal operation.

The rules are specifically higher in the ruleset to prevent accidentally blocking (and breaking) your IPv6 internet.

To be fair, we could make the RA and RS rules a bit more fine grained for ICMP6, but those would apply to the link-local scope and are of limited reachability (at least not from the internet). We already toggle a sysctl if we want to accept a RS for a given interface, so that would be of limited use.

Regards,
Seth
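The ICMPv6 minimum the reply above describes, written out as pf rules, plus a small lint that reports which of those types a given ruleset fails to pass before its block rule. This is an added example and not pfSense's own generated ruleset: the type selection follows the reply (echo, packet too big, neighbour discovery, RA/RS) together with the error types RFC 4890 says must not be dropped; the echo restriction to the interface's own network and the interface name are assumptions of this example. Check any real ruleset with `pfctl -nf` before loading it.

```shell
#!/bin/sh
# Added example, not pfSense's ruleset: the ICMPv6 a pf ruleset has to pass
# ahead of its block rule, and a lint that reports what a pf.conf leaves out.
# Echo restriction and interface name are assumptions of this example.

# icmp6_rules <interface>: print the baseline rules for one interface.
icmp6_rules() {
    case "$1" in
        ''|*[!A-Za-z0-9_.]*) echo "icmp6_rules: bad interface name: $1" >&2; return 1 ;;
    esac
    cat <<EOF
# Neighbour discovery runs between global as well as link-local addresses,
# so it gets no source/destination restriction.  "quick": must win over the block.
pass in quick on $1 inet6 proto ipv6-icmp icmp6-type { neighbrsol, neighbradv } keep state
# Router solicitation/advertisement: link-local (or unspecified, before an
# address exists) to link-local or multicast only.
pass in quick on $1 inet6 proto ipv6-icmp from { fe80::/10, ::/128 } to { fe80::/10, ff02::/16 } icmp6-type { routersol, routeradv } keep state
# Errors that path MTU discovery and fast failure depend on, from anywhere.
pass in quick on $1 inet6 proto ipv6-icmp icmp6-type { toobig, unreach, timex, paramprob } keep state
# Echo to this box's own addresses from its own network only (assumption).
pass in quick on $1 inet6 proto ipv6-icmp from ($1:network) to ($1) icmp6-type { echoreq, echorep } keep state
block in log on $1 inet6
EOF
}

# icmp6_lint: read a pf.conf on stdin; print each required type that no
# effective pass rule covers.  A pass rule counts if it is "quick" or if it
# comes after the last block rule (pf is last-match unless quick).
icmp6_lint() {
    awk '
    BEGIN { n = split("neighbrsol neighbradv routersol routeradv toobig", req, " ") }
    /^[ \t]*#/ { next }
    /^[ \t]*block/ { lastblock = NR }
    /^[ \t]*pass/ && /ipv6-icmp/ {
        for (i = 1; i <= n; i++)
            if (index($0, req[i])) {
                if ($0 ~ /[ \t]quick[ \t]/) covered[req[i]] = 1
                else lastpass[req[i]] = NR
            }
    }
    END {
        for (i = 1; i <= n; i++)
            if (!covered[req[i]] && !(lastpass[req[i]] > lastblock)) print req[i]
    }'
}

icmp6_rules em1
echo "missing from generated set: $(icmp6_rules em1 | icmp6_lint | tr '\n' ' ')"
```

Run the lint as `icmp6_lint < /tmp/rules.debug` (or whichever file holds the loaded ruleset); an empty result means every required type is passed either with "quick" or after the last block, which is the ordering point the reply makes. The lint matches type names only, so a ruleset written with numeric ICMPv6 types will show up as uncovered even when it is fine.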
Re: [pfSense] vzw uml290
On 18-4-2014 0:49, Ryan Coleman wrote:
> I've found many devices do not honor this.

+1

There is an AT command to reset the device, but this has the unfortunate side effect that it can cause FreeBSD to kernel panic. I noticed this when I was working on the 3G support.

Regards,
Seth

> On Apr 17, 2014, at 2:40 PM, Vick Khera vi...@khera.org wrote:
>> On Thu, Apr 17, 2014 at 1:23 PM, Oliver Hansen oliver.han...@gmail.com wrote:
>>> Hi Vick,
>>>
>>> I don't think I have much information for you but I have seen those similar logs before. I don't use mine as a backup but as a mobile router for events and only a couple of times a year. Usually in my experience it has been when there is not a strong signal that I see these problems. Because yours has worked just fine in the same place this may not be the cause.
>>
>> I managed to get someone to physically unplug and re-insert the device. Once I re-saved the PPP config, it connected immediately. Clearly the usbcontrol power_off/power_on was not sufficient. I hope this is not a regular occurrence :(
Re: [pfSense] pfSense 2.1.2 is released
On 15-4-2014 7:41, Chris Buechler wrote:
> On Sun, Apr 13, 2014 at 7:33 AM, Doug Lytle supp...@drdos.info wrote:
>> Jim Thompson wrote:
>>> pfSense release 2.1.2 is now available. pfSense release 2.1.2 follows less than a week after pfSense release 2.1.1, and is primarily a security release.
>>
>> Okay, I've just upgraded from 2.1.1 to 2.1.2, now I notice that my firewall logs are being spammed with IPV6 ICMP notifications.
>
> The "now I notice" being the key part there. Nothing related to that's changed. If you don't check "Allow IPv6" under System > Advanced, you have a block all rule on IPv6 with logging. Things on your LAN will have link local addresses and spew multicast stuff. Probably want to configure some block rules for v6 with no logging.

To be extra clear here, if you check "Allow IPv6", it won't automatically allow IPv6 traffic, it just means you can now create rules for IPv6 traffic instead of the default IPv6 deny all.

Also, IIRC, when "Allow IPv6" is checked the default deny rule will log IPv6 as it will IPv4. And if you don't check "Allow IPv6" it will silently drop IPv6 traffic as it did previously.

Also, if you've been using the 2.1 snapshots in 2012 and 2013 the config will have had that setting enabled, which corresponds with your firewall logs. Maybe you have an upgraded config. 2.1-RELEASE and later do *not* set that on upgrade though; it was primarily for people tracking the snapshots at the time.

Kind regards,
Seth
Re: [pfSense] Remote office redundancy
On 9-4-2014 16:50, Vick Khera wrote:
> I just dug up this old thread to implement IPsec and OpenVPN failover coming to my main office from a remote location. The main office already has a gateway group for the two different ISPs, so my first step is to set up a dynamic DNS for it. This is where I get stuck... the RFC2136 client portion of the dynamic DNS configurator does not let me monitor the failover group -- only LAN, WAN, and WAN2. The DynDNS client config does offer the gateway group. Is this a limitation of the RFC2136 client or just an oversight in the UI?

Uhm, yeah, oversight on my part when I built this. Also, I didn't have an RFC2136 server to talk to. So instead of adding something broken I didn't add it at all.

> Presuming I get past this part, on my remote clients, I just configure IPsec and OpenVPN to use this dynamic host name as the end point and then it just works to failover automatically when WAN goes down and fails over to WAN2 at the office? Is it really that simple?

Should be.

> Running pfSense 2.1 (waiting for 2.1.2 to hit before upgrading to minimize downtime.)
Re: [pfSense] IPSEC bug in 2.1
On 12-12-2013 10:48, Jon Gerdes wrote:
>> There exists an IPSEC bug in pfSense 2.1
>> When the router's modem is restarted, the IPSEC tunnel fails to come back up.

The problem exists if you have IPsec tunnels with the hostname, the reload process fails to reload the firewall filters so IPsec never negotiates.

Edit /etc/rc.newipsecdns and add the line:

filter_configure();

near the end, this causes firewall rules to reload properly.

We had this issue too on 2 separate clusters with about 300 tunnels.

Kind regards,
Seth

>> This bug is documented in the following places by numerous people:
>> https://redmine.pfsense.org/issues/3321
>> http://forum.pfsense.org/index.php/topic,69235.0.html
>> http://forum.pfsense.org/index.php/topic,68776.0.html
>> http://forum.pfsense.org/index.php/topic,67929.0.html
>> http://forum.pfsense.org/index.php/topic,67625.0.html
>>
>> Regards,
>> Christian Borchert
>
> Christian
>
> I run an awful lot of IPSEC tunnels and I generally don't get the problem you describe in your trouble ticket which is not the same as the fault that is barely described in the first forum posting you link. The rest are TL;DR for me.
>
> Please try disabling DPD at both ends and set the address that you ping to any address other than those on the other end's router - that address doesn't even have to exist, it just has to be within the remote subnet but not one that is bound to the router doing the IPSEC.
>
> Incidentally your report in Redmine does not describe what the other end actually is - is it another pfSense box or something else?
>
> Cheers
> Jon
Re: [pfSense] naive suggestion: conform to US laws
On 11-10-2013 11:57, Adrian Zaugg wrote:
> Dear all
>
> After having read the whole NSA thread on this list, it came up to my mind that the pfsense web GUI could declare itself conform to US laws upon the point when there are known backdoors included or otherwise the code was compromised on pressure of governmental authorities. It would be the sign for the users to review the code and maybe to fork an earlier version and host it in a free country, where the protection of personal data is a common sense and national security is not so much an issue.

? And which country would that be? I mean the British MI4? tapped the Belgian telecom network for over a year to listen in on the EU politicians...

I don't see the point in this. I've been a developer since November 2005 and since that time I have never seen any evidence that this is the case.

Not to downplay the trust issue, it is always good to do a background check on what we put into pfSense (which we do). Pretty much everything we have in pfSense is checked into the version control system. Even in the beginnings (0.83) with CVS. Even our builder scripts are in an RCS system, and it verifies all checksums on external (mostly FreeBSD ports) software we download for the build.

The most realistic way to get a backdoor in pfSense would have to come from an upstream source. And FreeBSD generally has this properly in order and a security team that acts properly.

The way most intelligence agencies these days perform wire tapping is by getting a switch mirror port at an internet exchange. Even fiber optics can be tapped without too much problems. In .NL all large ISPs have a mandatory wiretap in place that stores datetime stamped headers of the internet traffic for discovery purposes from the authorities. The best part of this, it is paid for by the customers, since the ISP needs to pay for the system and storage.

Regards,
Seth
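The post above says the pfSense builder verifies checksums on every external distfile before it goes into a build. The block below is an added example of that kind of gate, written for this page; it is not the pfSense builder script and the manifest format it reads is an assumption (the FreeBSD ports distinfo style, `SHA256 (file) = hex` and `SIZE (file) = bytes`). A file is accepted only when it is listed, its size matches and its SHA-256 matches; unlisted files in the download directory are reported as well, since a stray tarball nobody vouched for is exactly how an upstream compromise gets in. The sample files and manifest are constructed inside `demo()`.

```python
"""Verify downloaded build inputs against a checksum manifest.

Added example, not pfSense's builder. Manifest format assumed: FreeBSD
ports distinfo style (SHA256 and SIZE lines; TIMESTAMP lines ignored).
"""
import hashlib
import os
import re
import tempfile

ENTRY_RE = re.compile(r"^(SHA256|SIZE) \((.+)\) = (\S+)$")


def parse_distinfo(text):
    """Return {filename: {"SHA256": lowercase hex, "SIZE": int}}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("TIMESTAMP"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"malformed distinfo line: {line!r}")
        kind, name, value = m.groups()
        entries.setdefault(name, {})[kind] = (
            int(value) if kind == "SIZE" else value.lower())
    return entries


def sha256_of(path):
    """Stream the file so large tarballs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_distfiles(distdir, distinfo_text):
    """Return (ok, problems). ok is True only when every listed file is
    present with the right size and hash and nothing unlisted is in distdir."""
    expected = parse_distinfo(distinfo_text)
    problems = []
    for name, want in expected.items():
        path = os.path.join(distdir, name)
        if not os.path.isfile(path):
            problems.append(f"{name}: missing")
            continue
        if "SHA256" not in want:
            problems.append(f"{name}: no SHA256 in manifest")
            continue
        if "SIZE" in want and os.path.getsize(path) != want["SIZE"]:
            problems.append(f"{name}: size mismatch")
            continue  # a truncated or padded file will not hash right anyway
        if sha256_of(path) != want["SHA256"]:
            problems.append(f"{name}: SHA256 mismatch")
    # Anything in the directory that the manifest does not vouch for.
    for name in sorted(os.listdir(distdir)):
        if name not in expected:
            problems.append(f"{name}: not in manifest")
    return (not problems), problems


def demo():
    """Constructed fixture: one good file, one same-size tamper, one stray."""
    good = b"pretend this is port-1.0.tar.gz\n"
    other = b"pretend this is other-2.3.tar.gz\n"
    tampered = other[:-1] + b"!"  # same length, different content
    distinfo = (
        "TIMESTAMP = 1380000000\n"
        f"SHA256 (port-1.0.tar.gz) = {hashlib.sha256(good).hexdigest()}\n"
        f"SIZE (port-1.0.tar.gz) = {len(good)}\n"
        f"SHA256 (other-2.3.tar.gz) = {hashlib.sha256(other).hexdigest()}\n"
        f"SIZE (other-2.3.tar.gz) = {len(other)}\n"
    )
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("port-1.0.tar.gz", good),
                           ("other-2.3.tar.gz", tampered),
                           ("stray.tar.gz", b"?")):
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        return verify_distfiles(d, distinfo)


if __name__ == "__main__":
    ok, problems = demo()
    print("ok" if ok else "\n".join(problems))
```

The size check runs before the hash so a partial download is reported as such rather than as a bare hash mismatch; the unlisted-file check is the part most home-grown scripts forget.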
Re: [pfSense] RRD traffic lost after 2.0.3 - 2.1
On 7-10-2013 21:23, petes-li...@thegoldenear.org wrote:
>> What you can try is dumping the old 2.0 config with RRD data, and then restore that after upgrade. Try that. It should also retrigger a config upgrade at that point and upgrade the databases.
>
> Thanks for your suggestion. I tried backing up just RRD data and restoring that, and a complete config backup including RRD data and restoring that, neither of which caused the issue to fix itself. Obviously this is all post-upgrade, having already upgraded 2.0.3 to 2.1. Have you any more suggestions please?

No, you need to supply the 2.0 config with RRD data, otherwise it won't work. The 2.1 config is of no use as it considers the data to already be upgraded. You should have a full backup from before you started the upgrade, right?

Alternatively you can try this: go to the command prompt page and execute:

include("shaper.inc");
include("upgrade_config.inc");
include("rrd.inc");
upgrade_080_to_081();

Make sure to backup beforehand.

Kind regards,
Seth

>> No idea why it isn't doing that for you. I only know of issues on nanobsd.
>
> I'm seeing this on the 7 upgrades I've done so far. Thanks
Re: [pfSense] RRD traffic lost after 2.0.3 - 2.1
On 1-10-2013 9:47, petes-li...@thegoldenear.org wrote:
> Hi. After upgrading 2.0.3 to 2.1.0 on an x86 full install, RRD Graphs - Traffic says "There has been an error creating the graphs. Please check your system logs for further details."
>
> This is from the log:
> php: rc.bootup: The command '/usr/bin/nice -n20 /usr/local/bin/rrdtool update /var/db/rrd/ovpns1-packets.rrd N:U:U:U:U:U:U:U:U' returned exit code '1', the output was 'ERROR: expected 4 data source readings (got 8) from N:U:U:U:U:U:U:U:U'

That means the RRD database was not upgraded during boot. It should have 8 fields now, instead of 4.

What you can try is dumping the old 2.0 config with RRD data, and then restore that after upgrade. Try that. It should also retrigger a config upgrade at that point and upgrade the databases.

No idea why it isn't doing that for you. I only know of issues on nanobsd.

Cheers,
Seth
Re: [pfSense] RRD traffic lost after 2.0.3 - 2.1
On 1-10-2013 11:45, petes-li...@thegoldenear.org wrote:
> Additionally, I'm now seeing this in the log:
> php: /status_rrd_graph_img.php: Failed to create graph with error code 1, the error is: ERROR: No DS called 'inpass6' in '/var/db/rrd/wan-traffic.rrd'
> /usr/bin/nice -n20 /usr/local/bin/rrdtool graph /tmp/wan-traffic.rrd-day.png --start 1380526543 --end 1380612943 --step 300 --vertical-label bits/sec --color SHADEA#ee --color SHADEB#ee --title `hostname` - WAN :: Traffic - 1 day - 5 minutes average --height 200 --width 620 DEF:wan-in_bytes_pass=/var/db/rrd/wan-traffic.rrd:inpass:AVERAGE:step=300 DEF:wan-out_bytes_pass=/var/db/rrd/wan-traffic.rrd:outpass:AVERAGE:step=300 DEF:wan-in_bytes_block=/var/db/rrd/wan-traffic.rrd:inblock:AVERAGE:step=300 DEF:wan-out_bytes_block=/var/db/rrd/wan-traffic.rrd:outblock:AVERAGE:step=300 DEF:wan-in6_bytes_pass=/var/db/rrd/wan-traffic.rrd:inpass6:AVERAGE:step=300 DEF:wan-out6_bytes_pass=/var/db/rrd/wan-traffic.rrd:outpass6:AVERAGE:step=300 DEF:wan-in6_bytes_block=/var/db/rrd/wan-traffic.rrd:inblock6:AVERAGE:step=300 DEF:wan-out6_bytes_block=/var/d

Correct, you are requesting fields that are not in the RRD file, because it wasn't upgraded.

Regards,
Seth
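Both errors in this thread (`expected 4 data source readings (got 8)` and `No DS called 'inpass6'`) come from the same condition: the traffic RRD still has the 2.0 layout of four data sources while 2.1 writes and graphs eight. The block below is an added example, not pfSense code, that makes the check explicit: it parses the text `rrdtool info` prints (assumption: the `ds[NAME].type = "..."` line format of rrdtool 1.x) and reports which of the eight data sources named in the DEF: statements above are missing, plus whether a given `rrdtool update` value string fits the file. The `rrdtool info` output embedded in `OLD_INFO` is constructed to look like a not-upgraded `wan-traffic.rrd`; `check_file()` runs the real tool and needs `rrdtool` on PATH.

```python
"""Check whether a pfSense traffic RRD carries the 2.1 (8 data source) layout.

Added example, not pfSense code. Parses `rrdtool info` output (assumed
rrdtool 1.x format) instead of the binary file.
"""
import re
import subprocess

# 2.1 traffic RRD layout, taken from the DEF: statements in the log line
# above: four IPv4 counters, then the IPv6 ones the upgrade appends.
# Other RRD types (e.g. the -packets files) use different names; pass
# your own list as `expected` for those.
EXPECTED_DS = ("inpass", "outpass", "inblock", "outblock",
               "inpass6", "outpass6", "inblock6", "outblock6")

DS_LINE = re.compile(r'^ds\[([^\]]+)\]\.type\s*=\s*"?([A-Z]+)"?', re.M)


def data_sources(info_text):
    """DS names declared in `rrdtool info` output, in file order."""
    return [m.group(1) for m in DS_LINE.finditer(info_text)]


def missing_data_sources(info_text, expected=EXPECTED_DS):
    """Expected DS names the file does not have; empty means upgraded."""
    present = set(data_sources(info_text))
    return [ds for ds in expected if ds not in present]


def update_string_fits(info_text, update):
    """True if an `rrdtool update` value string (e.g. 'N:U:U:U:U') carries
    exactly one reading per DS. This is the check rrdtool itself fails
    with 'expected 4 data source readings (got 8)'."""
    readings = update.split(":")[1:]  # drop the leading timestamp ('N')
    return len(readings) == len(data_sources(info_text))


def check_file(path, expected=EXPECTED_DS):
    """Run `rrdtool info` on a real file (requires rrdtool on PATH)."""
    out = subprocess.run(["rrdtool", "info", path], check=True,
                         capture_output=True, text=True).stdout
    return missing_data_sources(out, expected)


# Constructed sample: what `rrdtool info` prints for a 2.0-era traffic RRD.
OLD_INFO = """\
filename = "/var/db/rrd/wan-traffic.rrd"
rrd_version = "0003"
step = 60
ds[inpass].type = "COUNTER"
ds[inpass].minimal_heartbeat = 120
ds[outpass].type = "COUNTER"
ds[outpass].minimal_heartbeat = 120
ds[inblock].type = "COUNTER"
ds[inblock].minimal_heartbeat = 120
ds[outblock].type = "COUNTER"
ds[outblock].minimal_heartbeat = 120
"""

if __name__ == "__main__":
    print("missing DS:", missing_data_sources(OLD_INFO))
    print("8-field update fits:",
          update_string_fits(OLD_INFO, "N:U:U:U:U:U:U:U:U"))
```

Run `check_file("/var/db/rrd/wan-traffic.rrd")` over each `*-traffic.rrd` before and after trying the config-restore route in this thread; an empty list means the upgrade took.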
Re: [pfSense] IPv6 - Subnetting/Routing with HE?
On 27-9-2013 18:13, Adam Thompson wrote:
> I firmly agree with previous posts that outline why this allocation policy is suboptimal. However, I do *not* want to be renumbering my IPv6 hosts down the road simply because I wanted to be the most efficient guy on the block. Nor do I want to be the guy who can't run protocol XYZ because I didn't use /64s.

Wait, what? Renumbering in IPv6 is different from IPv4 how?

I had to renumber my IPv4 connections 6 times in the past decade, and I mean in the globally routed way, not the internal LAN. Now the size here is a fair bit of external servers, and those have public addresses, firewall rules and/or NAT mappings. Then there is the host config etc.

I finally bit the bullet and signed up for PI space with an ASN and hopefully that's that. In retrospect, I should have done that ages ago. It would have saved the company tons of money in labor. You see, cheaping out with the smaller plans seemed like a good idea (cheap multiwan) but it turns out to be far more expensive in the long run with migration.

Renumbering is cumbersome but it's really no different now than it was before. For all that it matters, I expect this not to happen so much with IPv6, because the default /48 allocation is so much larger. It's easy to do some aggregated routing without ending up with /29's everywhere. An IPv4 /24 was effectively 254 hosts, until you wanted to do routing and the effective number of hosts goes downhill very fast from there.

I had to renumber twice in IPv4 alone because I got a larger netblock. This because you needed to provide a reasonable requirement, and you can't get larger without a decent motivation and actually using those addresses.

I think the default IPv6 size of /48 is well chosen.

The moral is: if your company is Multiwan and has about 100 desktops, apply for an ASN and get BGP connections. It is the right business decision.

Regards,
Seth
Re: [pfSense] IPv6 - Subnetting/Routing with HE?
On 30-9-2013 10:53, Chris Bagnall wrote:
> On 30/9/13 7:56 am, Seth Mos wrote:
>> I finally bit the bullet and signed up for PI space with an ASN and hopefully that's that.
>
> Worth mentioning here that no more IPv4 PI ranges will be allocated - at least not within RIPE jurisdiction (conservation rules kicked in when we started on the last /8). Other RIRs might be different.

On that note: this is a last call to people in the US to get one before they are stuck in a hard place. We got ours just in time before the last /8 policy in RIPE land.

Like the whole IPv6 migration, better plan ahead than get stuck between a rock and a hard place.

Cheers,
Seth
Re: [pfSense] 2.1 on WRAP
On 20-9-2013 9:45, Odette Nsaka wrote:
> First of all, thanks to the developers for the new fantastic 2.1 release.
>
> I've been using Alix by PC Engines (WRAP's successor) successfully for a long time. I was just wondering about PC Engines not releasing new versions of Alix. And it seems to me they are going to be soon too old for next pfSense releases. So I was asking:
> - the system requirement will be enough so the development of pfSense will continue for a reasonable amount of time on Alix?
> - Has the new successor for our dear grandma Alix already been designed? Or a suggested platform for embedded solutions?

The main limitation here is RAM, if your Alix has 256 MB it should be fine really. The forwarding rate is limited to about 70 mbit, so if you need more only the newer Soekris 6500 series would work.

Kind regards,
Seth
Re: [pfSense] Optimal Setup
On 19-9-2013 11:52, Joseph W. Joshua wrote:
> Hello all,
>
> Currently, my internet comes in through a linksys router, in which I have set up the above rules. However, we would like to introduce a proxy server, and also internet use monitoring and banning of excessive users.

Squid with LDAP or NTLM auth works well, block default outbound 80 and 443 so people actually use the proxy server. Find out that Silverlight does not work with authenticated proxy servers. (Really MS?) It does stop some malware in its tracks though.

> I have tried setting up pfSense as follows:
> --el0 as LAN Interface (192.168.0.1)
> --el1 as WAN Interface (ISP IP)
> --My laptop pointed to 192.168.0.1 as Router and DNS
> --The pfSense installation has internet access, but my laptop cannot get online.
>
> What could I be doing wrong?

Make sure that the private networks rule is not active on your WAN. Am I safe to assume that you are not using the linksys in front of the pfSense WAN and the public IP terminates on pfSense directly? Asymmetric routing doesn't work, and overlapping subnets do not either.

Regards,
Seth
Re: [pfSense] 2.1 on WRAP
On 19-9-2013 15:22, Ugo Bellavance wrote:
> Hi,
>
> My old PC Engines WRAP is still surviving, and I'd like to install 2.1 on it. Are these instructions still valid for 2.1?
> https://doc.pfsense.org/index.php/NanoBSD_on_WRAP
>
> Anyone built a WRAP-compatible image for 2.1?

There is a nasty RRD file upgrade bug that might affect you. When upgrading on embedded the temporary files are not removed causing /tmp to fill up. The fix was easy, but you need a re-done image for nanoBSD. Not sure if that is planned yet.

Cheers,
Seth
Re: [pfSense] captive portal with sms for registration
On 18-9-2013 10:54, budi wibowo wrote:
> Hi
>
> have situation like this:
> - user register via web portal and password sent via sms
>
> any module in pfsense for this? as i used before the captive portal not have registration page

Not impossible to do if there is a 3G dongle connected to pfSense. You can send SMS with those via the control port. It's not standard functionality though.

Cheers,
Seth
Re: [pfSense] pfSense and Cable Modem Throughput
On 12-9-2013 19:16, Bas van Dieren wrote:
> Greetings,
>
> Most cable providers rate limit only when there are too many states at high speeds. It could be a combination of the two. I know at least 2 cable providers who rate limit (drop packets) when you have over 5k of sessions at 1Gbit speed and don't if the speed is at 100mbit. Try setting the speed and duplex to 100mbit full duplex and see how it goes with a lot of states.

That reminds me of the Arris cable modems in .nl where eMule or torrent traffic with an upload over 1 mbit (of 2) would cause the actual voip port to fail and be unable to call. Intriguing failure; before that one was acknowledged, they ended up rolling out the Motorola Surfboard. So even though the cable modem is effectively a bridge, it did actually keep state causing hard to diagnose failures and issues.

Also, maybe just a strange thought, but did you check the pfSense LAN port as well? It could be either port causing the issues, since all traffic flows through it. Although IRQ conflicts should really be gone by now, you might try seating the card in a different slot (if that is possible).

Cheers,
Seth
Re: [pfSense] pfSense and Cable Modem Throughput
On 12-9-2013 17:28, Adam Piasecki wrote:
> First I'm almost certain this is a cable modem/provider problem. We have a 20mb ethernet circuit that works fine with the same pfSense. We upgraded to a 100/10mb cable modem, when we put this on the WAN of the pfsense, we are getting major packet loss during peak times, and speed test sites that won't even load. Non-peak times we get no packet loss, good speed tests (50+mb)
>
> The problem I'm having is that when we take the pfSense out and plug a PC directly into the cable modem, the speedtests look fine and the dropped packets go away. Both during peak times and non-peak. My thought is the number of packets going over the cable modem with the pfSense is a lot greater than just one PC doing a speedtest, and the cable modem can't handle it. We have about 100 clients behind the pfSense trying to access the internet during peak times. The traffic graphs on pfSense only indicate we are doing 5-10mbs download and 1-5 upload, so we are nowhere near maxing out the cable modem bandwidth wise.
>
> I've checked wan ethernet settings 1gig full duplex, no collisions or errors on the pfSense side. I don't see any problems in the log, we are not doing any traffic shaping. The cable modem provider says if you plug a PC into the modem and you get a good speed test, then it's your firewall. I tend to agree with him, but the firewall works fine with the 20mb Ethernet circuit, and it also works fine during non-peak times when not many users are on.
>
> Has anyone run into a problem like this before, or have any tips to prove what could be the problem.

Try a different cable, no really. Gigabit ethernet can be picky, also try a longer one.

Cheers,
Seth
Re: [pfSense] insert a pfsense box to handle high network load (botnet attack)
On 6-9-2013 2:56, Roberto Nunnari wrote:
> Hi all.
>
> I have a problem with my home internet connection.

Aha!

> My vdsl router gets on the wan interface about 40-50 requests per second on port 80 and when I configure it so that it forwards that traffic to my web server, the router can't bear the load and freezes after a few seconds. All that traffic is not normal.. it's a botnet attack.. on my server I have scripts that examine the logs and add the violator IPs as DROP in iptables. After a week, this morning I counted over 140'000 unique IP DROP entries! The server seems to face the attack well.. but when the load is so high, the vdsl router just freezes.

It's running out of ram, all 8MB of it.

> So, I thought I may configure the vdsl router as a bridge and put a pfsense box in between the bridge and my home network.

Sane choice.

> Apart from the fact that yet I don't know how the router will behave when configured as a bridge (will it bear the network load? what will

Yes, it will work fine, it does not need to maintain any state that consumes memory for forwarding traffic.

> happen to the four lan ports? only one will be left active?), I would

That depends entirely on the software in the modem, often all 4 stay active, but you can only build one pppoe session.

> like to know how should I configure the pfsense box.. I mean.. would it be enough to just move the configuration from the vdsl router to the pfsense box? The vdsl router is now configured with PPPoE over PTM (POTS).. would it be fine if I configure pfsense as PPPoE on the wan interface?

Just PPPoE is fine.

Regards,
Seth
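The original poster mentions scripts that examine the web server logs and add violator IPs as DROP rules. The block below is an added example of that kind of blocker, written for this page; it is not the poster's script and not pfSense code. It reads access-log lines in the Apache/nginx "combined" format (an assumption; the post does not say which server), flags a source on either of two criteria, a burst of more than `max_requests` hits inside any `window_s` seconds or more than `max_errors` 4xx responses (the signature of path probing), and emits the `pfctl` lines to load the result into a pf table on the pfSense box described in the thread, or the `iptables` equivalents for the server. Networks on the allow list are never flagged, so a mis-set threshold cannot lock out your own office or monitoring. The table name `botnet`, the thresholds and the log lines in `SAMPLE_LOG` are all constructed for the example.

```python
"""Flag abusive web clients from access-log lines and emit block commands.

Added example, not the poster's script nor pfSense code. Log format
assumed: Apache/nginx 'combined'. Table name 'botnet' is an assumption.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# client ident user [timestamp] "request" status ...  (combined format)
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (address, timestamp, request, status) or None for junk lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, request, status = m.groups()
    try:
        return (ipaddress.ip_address(ip), datetime.strptime(ts, TS_FMT),
                request, int(status))
    except ValueError:  # unparsable address or timestamp
        return None


def offenders(lines, max_requests=20, window_s=10, max_errors=5, allow=()):
    """Addresses to block, sorted. A source is flagged when it makes more
    than max_requests hits within any window_s seconds, or more than
    max_errors 4xx responses. Sources inside `allow` are never flagged."""
    allow_nets = [ipaddress.ip_network(a) for a in allow]
    recent = defaultdict(deque)  # per source: timestamps inside the window
    errors = defaultdict(int)    # per source: 4xx responses seen
    flagged = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        addr, when, _request, status = parsed
        if any(addr in net for net in allow_nets):
            continue
        window = recent[addr]
        window.append(when)
        while (when - window[0]).total_seconds() > window_s:
            window.popleft()  # slide the window forward
        if len(window) > max_requests:
            flagged.add(addr)
        if 400 <= status < 500:
            errors[addr] += 1
            if errors[addr] > max_errors:
                flagged.add(addr)
    return sorted(flagged, key=lambda a: (a.version, int(a)))


def pf_commands(addrs, table="botnet"):
    """Load the addresses into a pf table; pair it with a rule such as
    'block in quick on $wan from <botnet> to any' on the pfSense box."""
    return [f"pfctl -t {table} -T add {a}" for a in addrs]


def iptables_commands(addrs):
    """Equivalent for the Linux web server the post describes."""
    return [f"iptables -I INPUT -s {a} -j DROP" for a in addrs]


def _line(ip, second, path="/", status=200):
    """Constructed 'combined' log line inside one minute of 6 Sep 2013."""
    return (f'{ip} - - [06/Sep/2013:02:56:{second:02d} +0200] '
            f'"GET {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"')


# Constructed sample: one source bursting 25 hits in 9 seconds, one probing
# six non-existent paths, two ordinary clients, one line of garbage.
SAMPLE_LOG = (
    [_line("203.0.113.7", s // 3) for s in range(25)]
    + [_line("192.0.2.99", s * 9, f"/wp-login{s}.php", 404) for s in range(6)]
    + [_line("198.51.100.2", s * 20, "/index.html") for s in range(3)]
    + [_line("192.0.2.5", 5, "/robots.txt")]
    + ["not a log line at all"]
)

if __name__ == "__main__":
    bad = offenders(SAMPLE_LOG, allow=["198.51.100.0/24"])
    print("\n".join(pf_commands(bad)))
```

A per-source rate check only catches the noisy members of a botnet; with 140,000 distinct sources each sending a handful of requests, the 4xx criterion (or a match on the request line) does most of the work, which is why both are kept.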
Re: [pfSense] A unique problem requires a unique solution. PFsense behind shorewall
On 5-9-2013 13:09, Asim Ahmed Khan wrote:
> Hi,
>
> Let me first briefly explain my setup. I have redundant internet links from two ISPs. Before pfsense, I was using two gateway boxes. One for each internet link. Each box is CentOS, with Shorewall + Squid. I have certain rules imposed on each box. Each box has two NICs, one for public IP from ISP, and one for LAN. Now to implement failover and a few other things, I set up a pfsense box. Now the network is like: both gateway boxes' public interfaces have been reconfigured on a different subnet which is being shared by pfsense's local NIC. i.e. both old gateways get internet from pfsense instead of the ISPs.
>
> Now what I need to do (or at least know if possible), is to be able to see who from my LAN is consuming most bandwidth. pfsense provides bandwidthd for that. But the problem is, pfsense only sees the two clients connecting to it and those are the public interfaces of the gateway boxes. So I can't get the real picture. Is there any way pfsense can see who actually is sending requests to pfsense through the public interface of the gateway?

Maybe I'm mistaken here, but the shorewall devices are behind your pfSense firewall and they perform NAT making only those 2 addresses visible. If that is the case you need to set up static routes on pfSense and drop the NAT on the gateway boxes.

I'm not understanding too well why you don't put everything into one box, or maybe add carp for failover. This seems very convoluted.

Regards,
Seth
Re: [pfSense] Dibbler-client PD under PfSense
On 29-5-2013 10:13, Slawomir Kosowski wrote:
> Thanks for your reply. Following the advice, we've configured WAN in SLAAC, and then tried to do track interface on LAN, but there was no interface in the roll-down menu. Not sure why (probably done something wrong - what?). Isn't it caused by function get_configured_interface_with_descr() - line 1863 in interfaces.php?

Normally on 2.1, you select DHCP6 on the WAN interface and select the correct prefix size provided by the ISP. Then, you can set the LAN interface to track the WAN interface and enter 0 for the prefix ID. This should automatically configure the LAN interface and set up RA and a DHCP6 service on the LAN for hosts.

If the prefix size from the ISP is large enough the DHCP6 service should automatically configure internal DHCP-PD as well for downstream routers. The Wide dhcp6c client should just work.

Regards,
Seth

> We've tried to use DHCPv6-PD to get our PD from the ISP and uncommented lines 1768 to 1784 in interfaces.php, however, our ISP provides a 10 byte-long DUID which was not compatible (not sure how it goes with RFC 3315). Maybe it's due to our ISP's configuration, but they're using Cisco to deliver IPv6. Anyway, we've only managed to get dibbler-client to run with that, so this is why we compiled it to run on PfSense. We're always keen on seeing a simpler solution. Working in limited time with open-source is sometimes hectic ...
>
> BTW: any news about: http://forum.pfsense.org/index.php?topic=40186.0 ?
>
> Best
> Slawomir Kosowski
Re: [pfSense] pfSense as a datacentre router (was: dual ISP BGP)
On 29-5-2013 11:05, Chris Bagnall wrote:
> On 29/5/13 9:39 am, Eugen Leitl wrote:
>> Which hardware are you using? If you're pushing 5 GBit/s you might be running into hardware limitations. There was a thread about it on nanog a week or two ago.
>
> I'm quite impressed Mikrotik hardware is able to sustain 5Gbps with full BGP tables from multiple transits to be honest.
>
> Is anyone using pfSense's BGP package with 2.1 and v6 support? Given our usage in this case is a great deal less than 5Gbps, I'm seriously considering giving it a try - it would certainly make management a lot easier, and mean they wouldn't need to call me every time they want to change a VLAN config :-) But v6 is a requirement. I couldn't in all good conscience deploy something that isn't v6 capable these days.

It works for me. Keep "Listen on IP" blank (a v4 here causes issues), fill in Router IP. Add both networks, v4 and v6, in the networks rows. Configure the IPv4 and IPv6 neighbors.

In the neighbor config, configure the remote neighbor v6 address and then add a row for Remote AS with the remote AS. Add a row Local Address, fill in the local v6 address here.

It's been connected dual stack here for about 7 weeks now, but it's a test box not passing traffic.

Cheers,
Seth
Re: [pfSense] Remote office redundancy
On 23-5-2013 17:17, Peter Milazzo wrote:
> Hi All,
>
> I have a remote office running version 2.0.3 with a T1 that has been stable for years and recently added a Cable connection on a second WAN port for faster web browsing etc... both connections are set up for failover. There is also an IPsec tunnel that is configured to connect this office with our main office for VOIP calls between offices and access to servers, etc...
>
> My questions are, do I need to set up a second IPsec tunnel for the cable connection (which I believe you can't do) if it fails over and what will the routing look like? Is there a better way to set this up to accomplish the redundancies?

In 2.1 you can make the IPsec endpoint a gateway group for failover. If you also create a dynamic DNS entry with that same failover group the remote can automatically reconfigure if needed. I currently use this on 1 site with 2.1.

Regards,
Seth
Re: [pfSense] Need advise or best practice for pfsense NAT
On 22-5-2013 6:27, Makara wrote:
> Hi List,
>
> We are using pfsense for NAT purposes, around 1000 concurrent customers and the bandwidth is around 500MBPS. We have the problem that the pfsense gets stuck every 1 or 2 weeks.
>
> HW: Dell Optiplex 7010
> OS: Pfsense 2.0-RC3 (we downgraded from the latest version because it has too many problems)

When pushing that much traffic with that amount of customers I recommend purchasing 2 real servers with Intel network cards and ECC memory and setting up a carp cluster.

Regards,
Seth
Re: [pfSense] SOHO Router for VPN to pfSense
On 29-4-2013 16:01, j...@millican.us wrote:
> On 4/29/2013 9:35 AM, j...@millican.us wrote:
>> Hello,
>>
>> Thank You,
>> JohnM
>
> Forgot to add that I have been looking at the Buffalo WZR-300HP. Any opinions?

We almost exclusively use Draytek Vigor routers with IPsec tunnels and pfSense. We use Dell PowerEdge R310 servers as the endpoint.

We have about 300 tunnels, we always had the Draytek Vigor 2800VGI model, but are now moving forward with the Draytek Vigor 2850 model, it is an ADSL/VDSL combo modem, supports 3G/4G via USB stick (we use the Huawei E392) and also Ethernet WAN using port 4 of the gigabit LAN ports. It's a very versatile model.

Regards,
Seth
Re: [pfSense] Shell Logout time
On 26-4-2013 10:48, Odhiambo Washington wrote:
> I am using ShellGuard as the ssh client. My ssh sessions don't time out with other hosts except my pfSense box. My pfSense box is connected to the same switch as my workstation PC so I am lost as to what causes these timeouts.
>
> BTW, I think it's just with this 2.0.3 box I am seeing the timeouts.

If you have state killing activated and/or are connecting to the external address of the pfSense box this could cause it. If you have NAT reflection enabled and/or a NAT forward you are connecting through (interface set to any) this could cause it too.

Cheers,
Seth

> On 26 April 2013 11:32, Espen F. Johansen pfse...@gmail.com wrote:
>> Try turning on tcp-keepalive in your ssh client, this fixes it for putty f.ex.
>>
>> Espen F. Johansen
>> Sent with AquaMail for Android http://www.aqua-mail.com
>>
>> On 25. april 2013 21:57:23 Jerome Alet jerome.a...@univ-nc.nc wrote:
>>> Hi,
>>>
>>> On Thu, Apr 25, 2013 at 12:37:36PM -0400, Jim Pingle wrote:
>>>> On 4/25/2013 11:20 AM, Odhiambo Washington wrote:
>>>>> Whenever I am logged into my pfSense box via SSH, I always get logged out within some time, even when I am running something. Where can I change that timeout value?
>>>>
>>>> As others have mentioned there is no timeout value. pfSense will leave active connections open, even if idle, for 24 hours at least. A WAN getting disconnected would flush its states, or there could be something else involved cutting them off.
>>>
>>> I've noticed the very same problem when connecting through ssh directly from my PC to our slave pfSense in our cluster of two: automatic disconnect from the slave after maybe one minute or even less. If I first connect to the master pfSense from my PC, then from there to the slave, there's no disconnection. I've never noticed such a problem when connecting to the master.
>>>
>>> bye
>>> --
>>> Jérôme Alet - jerome.a...@univ-nc.nc - Direction du Système d'Information
>>> Université de la Nouvelle-Calédonie - BPR4 - 98851 NOUMEA CEDEX
>>> Tél : +687 290081 Fax : +687 254829
Re: [pfSense] Dandy pfSense appliance
On 24-4-2013 20:18, Chris Bagnall wrote:
> On 24/4/13 7:05 pm, Mathieu Simon wrote:
>> Depends what you think about high specs: many 1 GE ports or even 10 GE, lots of cores etc?
> FWIW, we've been using the ALIX boards for several years, and despite their apparently low spec, they'll happily route an FTTC 80Mbps/20Mbps connection without breaking too much of a sweat.

+1, 60/6 Ziggo cable internet.

> Also worth mentioning that in my experience, WiFi is best done with a separate access point (or access points). It enables you to position it in the best location for signal dispersion, which might not be the same location as your internet connection's ingress.

+1. I use 2 Linksys E3000 units with DHCP disabled as a 4-port Gigabit switch with AP. One in the living room, and another upstairs. 5 GHz doesn't get through concrete ceilings very well, but the speed is excellent.

Cheers, Seth
Re: [pfSense] Dandy pfSense appliance
On 25-4-2013 10:30, Odhiambo Washington wrote:
> What I meant with high specs has to do with CPU, disk storage and RAM. Why? For instance, in the particular case I went to address, there was a DDoS issue. Some app installed on one of the computers on that LAN was sending millions of HTTP GET requests to www.ffssc.net. In just about 5 minutes, my squid log file had grown to 50MB! If this was a small appliance, I am thinking it would have given up on service in no time. So high specs for me means something like 256MB or more storage, 1GHz+ CPU and, say, 1GB+ RAM - but still small enough in size to fit into my backpack. That would be my Swiss Knife for network troubleshooting when needed.

Find a nice Intel Atom board with dual gigabit NICs; VLANs are optional, but it should at least suffice for a quick replacement. We recommend Intel SSD drives; these have failed the least for me, at least. A 40GB thingy should suffice for pfSense easily. There are quite a few smallish portable cases for the mini-ITX boards.

Cheers, Seth
Re: [pfSense] Dandy pfSense appliance
On 25-4-2013 10:42, Odhiambo Washington wrote:
> Hi Seth, any pointers to these Intel Atom boards with dual NICs? Gigabit or otherwise, I think I am looking for something like that.

I see the Lexcom Brik with 4x LAN. Or a Lanner LEC2055 http://www.lannerinc.com/DM/LEC-2055_DM.pdf We use a FW7535 at work, and it's been fine so far. It has 1GB of RAM and a laptop disk.

Cheers, Seth
Re: [pfSense] Dandy pfSense appliance
On 25-4-2013 11:39, Odhiambo Washington wrote:
> Hi Seth, did you install pfSense (or another OS) on these? I am looking for how to connect the display :)

pfSense 2.1 with serial console.
Re: [pfSense] help
On 24-4-2013 18:24, Chris Bagnall wrote:
> Some ISPs that are particularly stingy with IPs and bad at routing have been doing this. I might be missing something, but it does seem like a pretty awful, and at best very temporary, 'solution' to the IPv4 shortage. I must admit if I were the OP, I'd probably be looking for a new DSL provider. Roll on widespread v6 adoption and NAT64 for access to the 'legacy internet' :-)

It looks like 464XLAT is one of the better things that has come forth; however, it needs to be implemented on the client. Till that time, DNS64 and NAT64 will have to do. And it ain't pretty. Dual stack if you can, folks! The water is fine!

Cheers, Seth
Re: [pfSense] native IPv6 static
On 2-4-2013 23:58, Fuchs, Martin wrote:
> I have an installation in Suisse with native IPv6 with a /48 net. It needs to be configured with static IPv6 on the WAN interface; I too can ping the external WAN IPv6 address.

The ISP should have set up a static route for the delegated /48 to the external WAN address, just like routed subnets in IPv4 (with a /30 uplink). Some of the ISPs will route the delegated /48 network per default to WANprefix::2, which should be your WAN address. Other ISPs use the 1st all-zeros prefix from the /48 for the WAN and route to PDprefix::2, which should be your WAN address. The drawback of this is that you can never use the all-zeros prefix on your LAN, which is a shame because it is shorter to write.

For the LANs you set up static routing, DHCPv6 and RA just like you would previously. It is not required to route both IPv4 and IPv6 in the same pfSense install (dual stack), but it is the most common. Since IPv6 is an entirely new and different network you can set up different CARP clusters for IPv4 and IPv6; we actually have some of those installs still working today within the pfSense project as part of the early deployment. People should be thinking of this as migrating off IPX ;)

Kind regards, Seth
Re: [pfSense] pfsense reload config.xml problems
On 27-3-2013 2:43, Simon tiong wrote:
> Dear all, I am Simon from Malaysia. I faced an error, where I manually edited the config.xml, and my concern is to do this without any firewall reboot being needed. Basically I changed the IP address for my LAN interface from 10.2.28.1 to 10.10.10.1. I have run: 1) rm /tmp/config.cache 2) /etc/rc.reload_all The commands above should refresh and reload all firewall configuration. But I found that the new IP does not update on the dashboard widget, although it does change inside the LAN configuration, under interfaces.php.

This is exactly why it is not supported. I'd say edit and save the LAN interface and see if that fixes it without a reboot.

Regards, Seth
Re: [pfSense] HA and bgp
On 20-3-2013 0:29, Zach Underwood wrote:
> I am setting up a pair of pfSense servers in front of a web hosting setup. I have two firewalls, two network switches (layer 3 stacked), and two ISP links using BGP. I plan on using OSPF on the network switches to pass the routing tables to pfSense. The way I am thinking of doing it is this way https://docs.google.com/drawings/d/1AE-Uif6n0qrFxnDp6JkxUPaYEwVZJoa69pnCMAIW-4E/edit?usp=sharing . Is this the best way or is there a better way?

Indeed, it looks right from here. The situation will be as follows: you set up iBGP or OSPF between the 2 pfSense hosts. Be careful with OSPF that you don't accidentally export internal routes to BGP. Each pfSense node should have 1 session with a BGP peer but a shared LAN CARP address. You should never tie the BGP session to a CARP address, and often that isn't even possible because you get an unrouteable /30 uplink anyhow.

- If a pfSense node fails, internal BGP/OSPF will re-route the traffic out the other pipe.
- If a BGP session drops, internal BGP/OSPF will re-route the traffic.
- LAN hosts always use the CARP address as the gateway.
- You cannot do stateful firewalling on the pfSense nodes; traffic is inherently asymmetric when using BGP (e.g. traffic goes out BGP1 but returns on BGP2).

Regards, Seth
Re: [pfSense] Blocking Websites
On 1-3-2013 22:44, Kevin Hayes wrote:
> Hello, I am trying something that I thought would be fairly simple but is turning out to be more confusing than I had hoped. We have several computers that are considered critical and I would like to block the internet except for a short list of approved websites that may be accessed from those desktops. What would be the easiest suggestion on how to do this? I've been looking at pfBlocker and it seems by its description to do what I need; I found where I can block whole countries but not specific sites on specific IP addresses.

A proxy server is well suited for this purpose. Block outbound traffic and set up a transparent proxy. If that's not possible, a manually configured proxy also works; the trick is to make sure they can't access 80 and 443 without going through the proxy. That's what a firewall rule on the LAN accomplishes. It's a good policy in larger corporate networks to block outbound traffic per default. You have very granular controls on what people can access through the proxy, because it also accomplishes this for HTTPS.

Regards, Seth
Re: [pfSense] firewall rules: destination host or network
On 18-9-2012 8:23, Vieri wrote:
> Hi, I'm having trouble understanding a very simple concept. Suppose I have several interfaces, e.g. lan, wan, dmz, corp2. Most public IP addresses are in 'wan' but some may be accessible through 'corp2'. Let's say I would like to add a firewall rule for a specific destination. I can create an alias or specify a network or single host, but how do I apply a rule from lan to a specific host in wan? E.g. lan single host 10.215.144.48/32 can access 8.8.8.8/32 through 'corp2' but cannot access 8.8.8.8/32 through 'wan'. Should that be done only through static routing?

Firewall rules are top down. Make an allow rule for that single host and a block rule below that.

Cheers
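The two answers above (block outbound per default and only allow the proxy; allow one host and put the block rule below it) both rest on the same evaluation model: pfSense LAN rules are matched top down, the first matching rule wins (pfSense generates its pf rules with "quick"), and traffic that matches nothing is blocked by default. The toy evaluator below is an added example, not pfSense code and not from either thread; the LAN subnet, the proxy address 10.0.0.5:3128 and the DNS server 10.0.0.53 are assumed values chosen to illustrate both policies.

```python
"""Added example (not pfSense code): a toy first-match packet filter that mirrors
how pfSense evaluates LAN rules top-down. The LAN subnet, proxy host and DNS
server addresses below are assumed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Address, IPv4Network
from typing import Optional

ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                     # "pass" or "block"
    src: IPv4Network = ANY
    dst: IPv4Network = ANY
    proto: Optional[str] = None     # None matches any protocol
    dport: Optional[int] = None     # None matches any destination port

    def matches(self, src: IPv4Address, dst: IPv4Address, proto: str, dport: int) -> bool:
        return (src in self.src and dst in self.dst
                and (self.proto is None or self.proto == proto)
                and (self.dport is None or self.dport == dport))


def evaluate(rules, src, dst, proto="tcp", dport=0) -> str:
    """Return the action of the first matching rule; unmatched traffic is
    blocked, which is pfSense's implicit default deny."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if rule.matches(s, d, proto, dport):
            return rule.action
    return "block"


# Vieri's case: one LAN host may reach 8.8.8.8, the rest of the LAN may not.
LAN = ip_network("10.215.144.0/24")          # assumed LAN subnet
GOOGLE_DNS = ip_network("8.8.8.8/32")
single_host_rules = [
    Rule("pass", ip_network("10.215.144.48/32"), GOOGLE_DNS),
    Rule("block", LAN, GOOGLE_DNS),
    Rule("pass", LAN, ANY),                  # everything else as before
]
# Same rules with the block rule moved above the pass rule: the single host
# now never reaches its pass rule, which is the "top down" point.
wrong_order = [single_host_rules[1], single_host_rules[0], single_host_rules[2]]

# Kevin's case: default deny on the LAN, only the proxy (and DNS) reachable,
# so ports 80/443 cannot be reached except through the proxy.
PROXY = ip_network("10.0.0.5/32")            # assumed proxy host
DNS = ip_network("10.0.0.53/32")             # assumed internal resolver
proxy_only_rules = [
    Rule("pass", LAN, PROXY, "tcp", 3128),
    Rule("pass", LAN, DNS, "udp", 53),
    # no trailing "pass LAN to any": unmatched traffic hits the default deny
]

if __name__ == "__main__":
    print(evaluate(single_host_rules, "10.215.144.48", "8.8.8.8"))      # pass
    print(evaluate(single_host_rules, "10.215.144.50", "8.8.8.8"))      # block
    print(evaluate(wrong_order, "10.215.144.48", "8.8.8.8"))            # block
    print(evaluate(proxy_only_rules, "10.215.144.10", "203.0.113.10", "tcp", 443))  # block
    print(evaluate(proxy_only_rules, "10.215.144.10", "10.0.0.5", "tcp", 3128))     # pass
```

The proxy-only list deliberately has no final pass rule: with a default-deny LAN, the only way to the web is the proxy, which is where the per-site allow list then lives, for HTTPS as well as HTTP.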
Re: [pfSense] pfSense 2.0.1-RELEASE, Restoring partial config.xml does not work
Good news. Support for just that and a few other items has been included in pfSense 2.1.

Regards, Seth

Stefan Baur newsgroups.ma...@stefanbaur.de wrote:
> On 23.07.2012 15:10, Oliver Hansen wrote:
>> Hi Stefan, I can't be sure but I think I have run into this before. Have you tried uploading a config with ONLY those parts that you want to change? I think it is intended to be restored from a backup that only contained those parts.
> While it indeed does work that way, it doesn't really make sense to me. If I cannot import selected sections from a full config.xml, what would the select menu be good for? And if I only have a partial config, say, I saved the aliases, then obviously I would want to restore the aliases from it and not the (non-existent) firewall rules. IMO, this is a bug that needs to be fixed. -Stefan
Re: [pfSense] wan interface losing ip address
On 18-7-2012 0:30, b...@bitrate.net wrote:
> Jul 17 07:55:30 gw1 kernel: ue0: link state changed to DOWN
> Jul 17 07:55:30 gw1 kernel: ue0: link state changed to UP

I see a few occasions of your ethernet link flapping; could be a modem rebooting or something else, a bad cable maybe. Although it should really recover from this when the link is back. I've noticed similar behaviour with DHCP on wireless. I have not managed to debug that further.

Regards, Seth
Re: [pfSense] Forwarding Protocol 41 for 1:1 IP Addresses
Good question,

On 27 Jun 2012, at 20:53, Yehuda Katz wrote:
> I would like to add a HE IPv6 tunnel to two of my servers without adding a tunnel for the whole network. I was looking at adding an option for each 1:1 to forward protocol 41 just for that public IP (maybe a checkbox on the 1:1 create/edit page). Is there any reason this would not work?

Theoretically not impossible. A port forward might be a better match though; rdr is a forward, binat is a 1:1, and I don't think binat allows for protocol selection. If I understand the code correctly, a rule would look something like:

rdr on {$natif} proto ipv6 from any to {$dstaddr} -> {$target}
binat on {$natif} proto 41 from {$endpoint} to {$dstaddr}

Perhaps; patches accepted.

Cheers, Seth
Re: [pfSense] Possible bug in gateway monitoring in 2.1 snapshot (Sat Jun 16 08:16:08 EDT 2012)
Hi,

On 22 Jun 2012, at 04:30, Moshe Katz wrote:
> On Wed, Jun 20, 2012 at 4:50 PM, Jerome Alet jerome.a...@univ-nc.nc wrote:
>> Hi there, while playing with gateways and monitoring alternative IP addresses, I've noticed a problem. When you add an alternative IP address to monitor, a static route is added between the gateway address and the address to monitor. But when you delete this alternative IP address, click on save and then on apply changes, the static route is not removed, as can be seen with netstat -nr.

This is a clear bug; it's supposed to delete the route to that host. Is this a v4 or v6 monitor IP? I could see the delete command failing for IPv6 here.

Cheers, Seth

> I opened an issue in the pfSense Redmine to track this: http://redmine.pfsense.com/issues/2513
> Moshe -- Moshe Katz -- mo...@ymkatz.net -- +1(301)867-3732
Re: [pfSense] Question about failover setup
On 20-6-2012 5:34, Jerome Alet wrote:
> Hi, On Tue, Jun 19, 2012 at 08:35:38AM +0200, Seth Mos wrote:
>> On 18-6-2012 23:26, Jerome Alet wrote:
>>> So now that I'm trying to replicate the OpenBSD configuration on my pfSense 2.1 boxes, I'm wondering if I really need 3 distinct IP addresses on each VLAN and what the consequences are of using only one on the carp interface?
>> For pfSense you definitely need 3 addresses per VLAN.
> Thanks for your answer. No, maybe a stupid question... Is it mandatory that all three addresses are in the same subnet, or is it possible to have the virtual one in a different subnet than the two real ones (still all three would be on the same VLAN, but on different subnets)?

Mandatory; how would the pfSense firewall itself reach the internet for DNS and updates? It can't source everything from the CARP VIP. Although theoretically the traffic going through the firewall should be unaffected, it's a crapshoot that generally does not work too well. We hope that the CARP overhaul that is included in FreeBSD 9 will help us in this case, but we can't guarantee that it will work this way either.

Regards, Seth
Re: [pfSense] Question about failover setup
On 18-6-2012 23:26, Jerome Alet wrote:
> Hi there, so now that I'm trying to replicate the OpenBSD configuration on my pfSense 2.1 boxes, I'm wondering if I really need 3 distinct IP addresses on each VLAN and what the consequences are of using only one on the carp interface?

For pfSense you definitely need 3 addresses per VLAN. You cannot set it up without. Maybe the OpenBSD cluster used carpdev, which FreeBSD does not have.

Cheers, Seth
Re: [pfSense] CARP with public IP's and managed GW
Not with bridging, no.

Cheers, Seth

On 12 Jun 2012, at 23:55, bsd wrote:
> Hello, I have an ISP which is providing me a block of public IPs (/27) and a GW (managed GW inside the given block). Generally, in order to filter in such a situation, I create a bridge on the WAN and filter on the bridged interface. I wanted to know if it was possible to use CARP in such a situation and how to proceed? Sincerely yours, G.B.
> Grégory Bernard, Director - www.osnet.eu - Your provider of OpenSource appliances
Re: [pfSense] High interrupt load on LAGG with LACP
On 5-6-2012 3:53, Glenn Kelley wrote:
> Good to know. For us we just need 100-300mbps in the sky (literally 300 foot up a tower).

The Soekris net6501 may be a good fit; it can do PoE, IIRC. It's a 600-1.6GHz Intel Atom. I've benchmarked the faster Intel Atom 1.8 dual core in a Lanner Inc FW7535 at 220mbit full duplex.

Cheers, Seth
[pfSense] HEADSUP: 2.1 snaps currently broken
Under investigation, please hold off. More later. Seth
Re: [pfSense] Duplicate icmp echo
Hi,

On 1 Jun 2012, at 23:03, David Miller wrote:
> I have pfSense 2.0.1-release, built Mon Dec 12 17:53:52 EST 2011, running on a Soekris 6501. The WAN port is seeing duplicate icmp echo requests, and it happens bi-directionally: tcpdump run on the pfSense box shows duplicate incoming packets. This only happens on the WAN port. Where do I look for why this is occurring?

I have seen this occurring in multiple places, but often wireless or something else with large buffers. The latency doesn't seem too bad though.

Cheers, Seth
Re: [pfSense] modern hardware selection
On 29-5-2012 15:50, Vick Khera wrote:
> Also, I have three IPsec VPNs connecting to other data centers and the main office, which need to push at peak 40Mbps for a couple of hours a day during backups.

I use Dell PowerEdge 860 servers with a Core i3 3.2GHz and I can flatten my 100mbit pipe with it over IPsec.

Cheers, Seth
Re: [pfSense] OpenVPN: offsite configuration
Hi,

To make sure things stay working as they are, I have a hostname in the remote access list so that even if the main office needs to relocate (DR) I can still access the remote machine. I also ship routers with a DynDNS name that every now and then will turn up an RFC1918 IP, but I can still see where the host came from. It has served me well over the years.

Cheers, Seth
typed on a tiny touchscreen, why exactly?

Gavin Will gavin.w...@exterity.com wrote:
> I have shipped pfSense boxes before. What I do is set up remote access to the web configurator (only allowing the source address of our main office) and then post the box. If the WAN is DHCP then you are all set: get a person at the remote office to do a "what is my IP" or http://forum.pfsense.org/ip.php and get them to tell you the remote IP. Connect up via https://remoteip. The only issue would be if it is PPPoE or static, but in theory you should know this before the service is live and can preconfigure. By the nature of OpenVPN you have a client and a server. The client IP can be dynamic, so you can configure OpenVPN before shipping and it will connect as soon as it has a public IP. Gavin
> -----Original Message----- From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of runi...@gmail.com Sent: 25 April 2012 08:54 To: pfSense support and discussion Subject: [pfSense] OpenVPN: offsite configuration
>> I'm new to pfSense and OpenVPN but my questions cross both products. Is it conceivable to ship a pfSense system to a remote office location and have the onsite systems tech set the public IP address using some simple instructions? Can OpenVPN be configured in such a way that the same shipped system, as above, be pre-configured as a client with the OpenVPN server (PSK) address pre-set so that once the public IP address is added the VPN connection will come up? Once again, the pfSense system will be shipped to a remote office with an inexperienced local technician required to install it on the internet.
>> I am hoping to do as much of the configuration before shipping as possible, to minimize what the technical guy at the remote site will have to do to bring the office online. I hope these questions make sense to the group. Thanks, R
Re: [pfSense] pfSense product support lifecycle?
On 24-4-2012 9:13, Stefan Baur wrote:
> Hi list, the thing is, I rolled out 2.0.1 (upgrading from 1.2.3) between November 2011 and February 2012, IIRC. I'd prefer to stay on 2.0.1 for a while, as I don't need the IPv6 features of 2.1 just yet. I'm just wondering how long after June 6, 2012 it will be safe to do so.

Well, we currently only really support the last one. The product mostly evolves through repetition. There are a lot of other fixes unrelated to IPv6 in 2.1 that you'll find which you will probably like. Of course we don't immediately drop the old release the moment a new one arrives, but nearly all effort goes into the latest one.

Regards, Seth
Re: [pfSense] IPv6 configuration in a delegated /64
On 23-4-2012 9:53, bsd wrote:
> On 23 Apr 2012, at 07:38, Seth Mos wrote:
> So do you think I could manage to have full IPv6 support on the LAN by using DHCPv6 on the WAN? How would you manage to achieve this?

If you want to use DHCP6, select it on the WAN and select a prefix delegation size. The smallest prefix delegation you can request is /64, which is length 0. If this is set to None, pfSense will only request an address, not a prefix. You can configure the LAN interface as Track Interface for IPv6 and it should automatically configure the LAN interface appropriately.

Regards, Seth
Re: [pfSense] Upgrade 2.0.1 to 2.1
On 23-4-2012 11:02, Eugen Leitl wrote:
> On Sun, Apr 22, 2012 at 10:54:51PM -0400, Chris Buechler wrote:
>> On Sun, Apr 22, 2012 at 10:47 PM, Drew Lehman dleh...@digitatech.com wrote:
>>> Apparently the Git option is no longer valid to upgrade 2.0.1 to 2.1 since so much has changed. Does anyone know if there is an upgrade image someplace, or do I need to back up the settings and wipe it all?
>> There are snapshots. http://forum.pfsense.org/index.php/topic,47540.0.html
> Is it realistic to expect 2.1 with full IPv6 support by 6th June?

Define "full". If you want to get onto the IPv6 internet, then yes, most of the things work. Static IPv6, DHCP6, PPPoE+DHCP6, 6to4 (tunnel), 6rd (tunnel, limitations) and 6in4 (tunnel). Those are confirmed working. Theoretically PPTP with DHCP6 should work, but I don't have access to it.

Basic firewalling is not an issue; if you run packages you'll find that almost none support it yet. This is partly outside of our control.

CARP clusters work as long as you use static addressing and do not advertise the router. We cannot yet advertise the CARP addresses, which is required for that. If you have CARP and you want to serve clients with this, the only workaround currently is running a router advertisement only on the master and not on the backup. This will be fixed before 2.1-RELEASE.

On the server side it's a bit less: the PPPoE server and PPTP server don't support it. Pushed off for 2.2. The OpenVPN server works, as does the Windows client. Both Viscosity and Tunnelblick don't support it yet either. IPsec works for both IPv4 and IPv6 tunnels.

I've attached a PDF that might help. We hope to release 2.1 before June 6th still.

Cheers, Seth

[Attachment: pfSense IPv6 Status.pdf]
Re: [pfSense] Upgrade 2.0.1 to 2.1
On 23-4-2012 14:30, Chris Bagnall wrote:
> Are there any plans to incorporate something like NAT64 (or another 4-to-6 translation method) to allow v6-only networks?

Yes, for 2.2 at its earliest. There is a patch for pf in OpenBSD in circulation, but that's not useful right now. http://redmine.pfsense.org/issues/2358

Any NAT that translates from one address family to another is a huge pain, since any sort of handle to it is obscured. It combines with DNS64, which translates A records into crafted records; you can probably see where this is going from here. Then another NAT64 gateway downstream puts it back on the IPv4 internet. It doesn't make for a good medium. And you still have double NAT. So with that in mind I'd rather have CGN/LSN double NAT for IPv4 in the future and a clean IPv6 path. NAT444 is already convoluted, and with NAT64 it only gets worse from there. It might change in the future.

I now have an IPv6-only internet at work and it's barely useful at all. I mean, pfSense works fine with it, and I can do auto firmware updates just like normal. But that's because we have our infrastructure online on both IPv4 and IPv6. People that only have IPv6 will run into things like gitsync not working, which is a pain because I now can't check out code on the box I'm developing on. I've contacted GitHub but their response is lukewarm at best. A lot of companies seem to be in the position that this somehow is not an issue for them.

If you operate a website and only have it reachable through IPv4 you _are_ going to run into people that only have IPv6 and thus cannot reach your website. I'm using GitHub here because that's what the pfSense project uses, and lots of people check out the tree using the gitsync playback in pfSense. Also useful to know is that GitHub does have issues working through DNS64 and NAT64. So much for that.

In the meantime I've set up a haproxy instance in the DC that listens on github.iserv.nl, which has both v4 and v6 and talks to github.com over v4. That way people can still gitsync. Obviously I can't do that for every website.

Cheers, Seth
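The "crafted records" Seth refers to are AAAA records that DNS64 synthesises by embedding the IPv4 address of an A record into the NAT64 prefix (RFC 6052); the NAT64 gateway later pulls that IPv4 address back out of the destination, which is where the double translation and the obscured handle come from. The script below is an added example, not code from the thread, pfSense or pf. It implements the RFC 6052 embedding for all defined prefix lengths (the "u" octet at bits 64-71 must stay zero, so short prefixes split the IPv4 address around it), the reverse extraction a translator performs, and the DNS64 policy of synthesising only when a name has no AAAA of its own. The zone data is constructed from RFC 5737 and RFC 3849 documentation addresses; the non-well-known prefixes are the ones from RFC 6052's own examples.

```python
"""Added example (not pfSense or pf code): DNS64 AAAA synthesis and the NAT64
IPv4 extraction that undoes it, per RFC 6052. Zone data and prefixes below
are constructed sample values."""
from ipaddress import IPv4Address, IPv6Address, IPv6Network

WELL_KNOWN = IPv6Network("64:ff9b::/96")   # RFC 6052 well-known NAT64 prefix
VALID_PLENS = (32, 40, 48, 56, 64, 96)


def embed_ipv4(prefix: IPv6Network, v4: IPv4Address) -> IPv6Address:
    """Place the 32 IPv4 bits into the IPv6 prefix (RFC 6052 section 2.2).
    For prefixes shorter than /96 the address is split: the bits that fit
    before bit 64 go there, the rest start at bit 72, leaving octet 64-71 zero."""
    plen = prefix.prefixlen
    if plen not in VALID_PLENS:
        raise ValueError("NAT64 prefix must be /32, /40, /48, /56, /64 or /96")
    base = int(prefix.network_address)
    v = int(v4)
    if plen == 96:
        return IPv6Address(base | v)
    n = 64 - plen                       # IPv4 bits that fit before the u octet
    high = v >> (32 - n)                # placed at bits [plen, 64)
    low = v & ((1 << (32 - n)) - 1)     # placed from bit 72 onwards
    return IPv6Address(base | (high << 64) | (low << (24 + n)))


def extract_ipv4(prefix: IPv6Network, v6: IPv6Address) -> IPv4Address:
    """Inverse of embed_ipv4: what the NAT64 translator does to recover the
    real IPv4 destination from a synthesised address."""
    if v6 not in prefix:
        raise ValueError(f"{v6} is not inside NAT64 prefix {prefix}")
    plen = prefix.prefixlen
    a = int(v6)
    if plen == 96:
        return IPv4Address(a & 0xFFFFFFFF)
    n = 64 - plen
    high = (a >> 64) & ((1 << n) - 1)
    low = (a >> (24 + n)) & ((1 << (32 - n)) - 1)
    return IPv4Address((high << (32 - n)) | low)


def dns64_answer(name: str, zone: dict, prefix: IPv6Network = WELL_KNOWN) -> list:
    """DNS64 policy: return real AAAA records when the name has them; only a
    name with A records and no AAAA gets synthesised AAAA records."""
    rrs = zone.get(name, {})
    if rrs.get("AAAA"):
        return [IPv6Address(x) for x in rrs["AAAA"]]
    return [embed_ipv4(prefix, IPv4Address(x)) for x in rrs.get("A", [])]


# Constructed sample zone (documentation addresses only).
ZONE = {
    "dual.example.net": {"A": ["192.0.2.10"], "AAAA": ["2001:db8::10"]},
    "v4only.example.net": {"A": ["192.0.2.33"]},
}

if __name__ == "__main__":
    for host in ZONE:
        print(host, [str(a) for a in dns64_answer(host, ZONE)])
    synth = dns64_answer("v4only.example.net", ZONE)[0]
    print("NAT64 sends", synth, "to", extract_ipv4(WELL_KNOWN, synth))
```

Running it shows the dual-stack name answered with its genuine AAAA and the IPv4-only name answered with 64:ff9b::c000:221, which the gateway maps back to 192.0.2.33. Note what this cannot fix: a client that connects to an IPv4 literal never asks DNS, so DNS64 never sees it, which is why the thread points at 464XLAT on the client as the better option.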
Re: [pfSense] Pfsense Ipad / Iphone - Android - Smartphone App
On 23-4-2012 16:28, justino garcia wrote:
> Hi group, I noticed Checkpoint, Cisco, SonicWall, and a bunch of other firewalls have an app for smartphones and tablets. Any idea for pfSense, IPsec/SSL VPN app? I would like a simple setup for VPN. Thanks.

There is an OpenVPN app in the works for Android 4.0 devices, but it's not finished yet.

Regards, Seth
Re: [pfSense] IPv6 configuration in a delegated /64
Hi,

On 22 Apr 2012, at 22:03, bsd wrote:
> Hello my friends, my ISP is providing a full /64 network which looks similar to 2a01:e35:2436:7e20::/64

That's the limitation you get with Free.fr; they only subnet a single /64. That means it's impossible to put an IPv6 router behind it. They don't give you the option anywhere to request more than 1 single /64, which is downright silly. Even 6to4 gives you a /48 per default, and most Dutch ISPs are giving you a /48 or /56. The smallest I've seen so far is /60, which at least gives you 16 networks so you can easily place a router behind your connection.

> By activating DHCP6 on my WAN I have an IPv6 attributed immediately... but on the WAN interface!

Yeah, there is no going around that, and NPt won't help you either, because you don't have a prefix to translate. If you have a public IPv4 address, or if their CPE allows for it, request a tunnel from HE.net. Although that is probably not the answer you wanted. If the CPE has a bridge mode you could configure the WAN in pfSense and configure the delegated /64 on your LAN. Theoretically.

Cheers, Seth
Re: [pfSense] IPv6 configuration in a delegated /64
Hi,

On 23 Apr 2012, at 00:38, bsd wrote:
>> If the CPE has a bridge mode you could configure the WAN in pfSense and configure the delegated /64 on your LAN. Theoretically.
> The CPE has a bridge mode (which I have been using for a very long time for IPv4); it allows me to have the IPv4 WAN address on my WAN interface of pfSense. I have configured the /64 on my WLAN, but this doesn't really seem to work...

Make sure to configure the WAN for 6rd, which is what Free.fr uses. Enter their prefix and their tunnel broker address and you should be able to configure the 6rd prefix on your LAN interface, and that should work, really. AFAICT they do not use DHCP6 on the WAN, but I could be mistaken. Unless they do both 6rd and DHCP6 simultaneously, which is not impossible.

Regards, Seth
Re: [pfSense] issues with 2.1 snapshot
On 3-4-2012 8:33, Brian Henson wrote:
> Yes, I have it set to managed. I pulled the branch down when I was on 2.0 RC3 and got it working, but this is a fresh install of 2.0 upgraded to 2.0.1.

Don't you mean 2.1? IPv6 support is only available there. In 2.0 the global IPv6 disable flag would drop all IPv6 traffic.

Regards, Seth

> On Tue, Apr 3, 2012 at 2:33 AM, Seth Mos seth@dds.nl wrote:
>> On 3-4-2012 8:20, Brian Henson wrote:
>>> I have checked the /64 and the WAN is on the WAN and the LAN is set up right. Files and info requested are below. I had this set up perfectly before; it's just not wanting to work now.
>> Yeah, your config file and configuration check out. I wasn't aware that this setup worked previously. I see that your network is set to managed, is that correct? We only just switched out rtadvd for radvd and don't know all the possible error messages it can throw. And more importantly, for what reason.
>> Regards, Seth
Re: [pfSense] Snapshots are back
On 23-3-2012 11:47, Eugen Leitl wrote:
> On Thu, Mar 22, 2012 at 09:48:54PM -0400, Jim Pingle wrote:
>> FYI - 2.1 snapshots are going again. http://snapshots.pfsense.org/
> Great. How stable are they? Useful for limited production?

There are a couple of tickets open, a bunch related to IPv6 and some others. There are issues if you are running CARP with IPv6 or CP, and CARP is currently moving entirely, so hold off on that. For home use with DHCP-PD, static IPv6 or IPv6 tunnels they work fine.

Regards, Seth
Re: [pfSense] Parallel setup for testing/migration
On 23 Mar 2012, at 19:08, Ugo Bellavance wrote:
> Hi, during my Checkpoint to pfSense transition, I'll have, during a few days, two ISPs active at the same time at the office. The firewall is the only router of the organisation, but has several networks attached to it. Would it be possible to have the two firewalls active at the same time and migrate my services one by one? It doesn't matter if I can't migrate all of my services without interruptions, but if I could test a few things on the new setup before the cutover, it would be nice.

Sure; take care of asymmetric routing, which breaks traffic, but if you have the free external public addresses in place it should be as simple as changing the LAN hosts' gateway to the new firewall. This can frequently go very wrong though; do take care of asymmetric routing or IP conflicts.

Rebuild the entire network with VMs in ESX, vswitches and all, then bring up VMs on various vswitches for testing: ping, TCP, UDP etc. I rebuilt my entire production work network in ESX, CARP and all, so I can perform upgrade testing. Fire is bad, m'kay.

Cheers, Seth
Re: [pfSense] pfSense error, maybe hard drive?
On 21-3-2012 18:08, Adam Piasecki wrote:
> What hard drive is recommended for pfSense? Or can someone tell me what you're running?

Any IDE or SATA drive should do. If you really want an SSD drive I recommend the Intel 320 series SSD drives. These have a capacitor inside, which means they will survive a power failure gracefully.

We have 12 of those in a RAID 6 (LSI SAS HBA, external enclosure), and another few in a RAID 10 (Dell R610). We also have another 10 or so in various laptops and desktops and have had zero issues yet. We are planning to upgrade about 35 more desktops with the 120GB variant and 350 cash registers with the 80GB variant.

We have about 70 Dell Optiplex 790 desktops which ship with the Samsung 830 series SSD drives, which appear to work well too.

For reference, I have a Corsair P256 (Samsung OEM SSD) which is still working well in my laptop. That's, from the looks of it, from July 2009, so it's now over 2 years old.

Regards,
Seth
Re: [pfSense] pfSense error, maybe hard drive?
On 21-3-2012 18:40, Jeppe Øland wrote:
>> I deployed about a dozen Kingston 64G SSDs about a year and a half ago (in laptops and desktops) and I've seen about a quarter of them fail with different symptoms in each case. Garbage
>
> Totally agree. I have gone through 2 Kingston 4GB industrial SSDs so far - and it didn't take long either. They fail fast! (Now I'm using the 3rd one with an embedded install ... it seems to stay alive when nobody is writing to it).

The dirty little secret from Kingston is that they do not manufacture anything themselves. The situation with SD/CF and microSD cards is horrific. You can easily end up with cards without proper production information, indicating it's either from a test production run-up or overtime production. Neither of which you want.

http://www.bunniestudios.com/blog/?page_id=1022

The Intel drives are a bit more coherent since they take a far different approach to manufacturing: they have used either their own 10-channel controller design (X25-M/320 series) or the Marvell controller (520 series). They coupled that with their own joint-venture IMFT flash. That is a very tightly coupled process.

Samsung does it very similarly. The PB22J was an own design and memory, as were the 430 and 830 series. Which is probably the biggest reason for its success with the large OEMs like Dell and Apple.

Regards,
Seth
Re: [pfSense] icmp best practices
Hi,

On 19 Mar 2012, at 19:16, Adam Thompson wrote:
> Denying ICMP is mainly only useful in the Security By Obscurity model. There are many valid reasons to allow ICMP, especially from the inside, and in my opinion we all may as well get used to allowing it, since blocking ICMPv6 will effectively not be possible.

In 2.1 we allow echo for link-local always on all interfaces. It is also impossible to block a few other ICMPv6 types in 2.1 because it would cause general network issues. We don't allow echo requests for global addresses per default though.

But blocking ICMPv6 outright is bad, m'kay. It never worked properly in v4 either. I have a rather large LAN but I have a blanket ICMP allow rule as well. If your network is larger than a few nets it's not worth the effort. I do have ICMPv6 block echo rules for incoming traffic though. But that's about it.

Cheers,
Seth

> -Adam
>
> Ugo Bellavance <u...@lubik.ca> wrote:
>> Hi,
>>
>> The system I inherited denies all ICMP requests by default, even internally. Is that a good idea? I think that echo/reply should at least be allowed internally.
>>
>> Opinions?
>>
>> Thanks,
>> Ugo
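The policy Seth describes (Neighbor Discovery and a few other ICMPv6 types always pass, echo on link-local always passes, echo requests to global addresses from the WAN do not, and a blanket allow from the inside) can be written down in pf.conf terms. The ruleset below is an added example for this page, not the rules pfSense generates from its GUI; the interface names and the 2001:db8:1::/64 LAN prefix are assumptions.

```pf
# Added example in pf.conf syntax; not rules generated by pfSense.
# Interface names and the LAN prefix are assumptions.
wan_if   = "em0"
lan_if   = "em1"
lan_net6 = "2001:db8:1::/64"

# Neighbor Discovery (router/neighbor solicitation and advertisement) must
# pass on every interface, or IPv6 cannot resolve link-layer addresses or
# learn its gateway. Hosts discard these messages unless the hop limit is
# 255, so they cannot have been forwarded from off-link; no address
# restriction is needed here.
pass quick inet6 proto ipv6-icmp icmp6-type { routersol, routeradv, neighbrsol, neighbradv }

# Error messages must reach global addresses from anywhere: without
# "packet too big", path MTU discovery fails and large transfers stall.
pass in quick on $wan_if inet6 proto ipv6-icmp to $lan_net6 \
    icmp6-type { toobig, unreach, timex, paramprob }

# Echo on link-local is always allowed (on-link diagnostics).
pass quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 \
    icmp6-type { echoreq, echorep }

# Echo requests from the WAN to global LAN addresses are dropped, matching
# the "no echo to global addresses by default" behaviour described above.
block in quick on $wan_if inet6 proto ipv6-icmp to $lan_net6 icmp6-type echoreq

# From the inside a blanket ICMPv6 allow is simpler than enumerating types.
pass in quick on $lan_if inet6 proto ipv6-icmp from $lan_net6 to any
```

RFC 4890 is the reference list of ICMPv6 types a firewall must not drop; the first two rules above are the minimum from it. Check a candidate ruleset with `pfctl -nf /path/to/pf.conf` before loading it.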
Re: [pfSense] schrappen
On 10-2-2012 12:08, Michel Servaes wrote:
> Good afternoon,
>
> Could you please remove this mail address from the mailing list.
>
> Kind regards,
> ___
> List mailing list
> List@lists.pfsense.org
> http://lists.pfsense.org/mailman/listinfo/list

I suggest you use the link above to unsubscribe.

Kind regards,
Seth
Re: [pfSense] Request for help: Seeking pfSense user with access to 6RD IPv6 WAN
On 1-2-2012 16:41, Chris Bagnall wrote:
> On 1/2/12 2:15 pm, Seth Mos wrote:
>> I am seeking a user(s) that has access to a 6RD IPv6 connection so we can test our development 6RD code.
>
> Out of curiosity (and this is more aimed at ISPs than end users), is implementing the various IPv6 'workarounds' - for want of a better word - actually any easier/cheaper than just implementing proper native IPv6?

There are just so many factors here. Let me see if I can explain some of it. The short summary: no, it's cheaper to deploy native than it is to implement workarounds. Except for:

- You are an ISP and you didn't put IPv6 as a hard demand on the equipment you purchased in 2008. Buying a new 120K euro core router is not an option; you only make x euros profit per year per user. If they call the helpdesk once it's gone.
- The vendor sold the equipment in 2008 promising a firmware update supporting IPv6 soon. Now 4 years later the vendor still hasn't shipped firmware.
- Vendors asking for new licenses for IPv6 to get feature parity to actually deploy to users. Seems really stupid, but it happens. It's not something that should be licensed, that's stupid.
- The 2008 equipment has the features and the licenses but they encountered a show-stopping bug that brings the chassis to its knees, and it's so ingrained in the hardware that it can't be solved except for forklift upgrades.
- Backend systems for deployment, provisioning and billing don't support it; this is pretty much true at the larger ISPs where these are very heavily integrated.
- Time to deploy using 6RD is just very fast from an ISP standpoint. Considering the first impact in Europe might be somewhere this summer, this is another factor. It's basically ISP-controlled 6to4 with added smarts.

> I can't help but think that if half the effort that has gone into developing workarounds had gone into native IPv6 implementation, we'd (as an industry) be a lot further on than we are.

Yes we would, like starting in 2002 instead of waiting until next year. Whenever that is. And now we need it this summer for real and it sucks, because that just got you 5 months and a hard deadline. To be fair, I only started the IPv6 work in pfSense in December 2010, that's over a year ago and I'm finally getting round to this. We did have DHCP-PD in summer 2011, which is an actual native solution, and static addressing in February 2011.

6RD is fast to deploy because you can bring up a big 6RD broker on your huge-ass chassis with multiple 10GE pipes. Each client enables the 6RD knob and presto, they can use a /60 (in the case of Swisscom) on their own router. Everything in between can be ignored from the ISP standpoint. Swisscom communicated with me that this platform will be here for the next 5 years. Which I don't believe, because they will run out of their public IPv4 allocation way before then and that stops 6RD from working IIRC.

Tunneling is still one of the more native connections. You get good throughput because the tunnel goes over the same pipe as your v4 path. And you have control of where it terminates.

The current CPE situation is absolutely quite horrid right now. The amount of support in stuff they still sell is almost nonexistent. Some support IPv6 in the 100~200 euro models but no such luck in the 35 euro devices everybody ships with the DSL subscription they just got.

As far as workarounds go, 6RD is not bad. It's quite usable. Some other dynamic tunneling options are highly disapproved of, like 6to4 or Teredo. Sure those work too, but any sort of performance guarantees can't be given for those.

Regards,
Seth
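Two points in the message above follow directly from how 6RD maps addresses: a /28 6RD prefix plus the customer's 32 IPv4 bits gives the /60 Swisscom hands out, and because the delegated prefix is computed from the customer's public IPv4 address, 6RD needs every CE to hold an address in the domain's IPv4 space. The Python below is an added worked example of that mapping (RFC 5969), not pfSense's 6RD implementation; every ISP parameter and address in it is constructed for illustration.

```python
# Added example of the RFC 5969 6RD address mapping; not pfSense code.
# All 6RD prefixes, IPv4MaskLen values and addresses used here are assumptions.
import ipaddress


def sixrd_delegated_prefix(sixrd_prefix: str, ipv4_mask_len: int,
                           customer_ipv4: str) -> ipaddress.IPv6Network:
    """6rdPrefix || (customer IPv4 with its first ipv4_mask_len bits removed).

    A /28 6RD prefix with IPv4MaskLen 0 yields a /60 per customer, which is
    the Swisscom case from the thread; a /32 prefix yields a /64.
    """
    net6 = ipaddress.IPv6Network(sixrd_prefix)
    ip4 = int(ipaddress.IPv4Address(customer_ipv4))
    low_bits = 32 - ipv4_mask_len
    suffix = ip4 & ((1 << low_bits) - 1)   # drop the IPv4 bits common to the whole domain
    delegated_len = net6.prefixlen + low_bits
    if delegated_len > 64:
        raise ValueError("6RD prefix plus IPv4 bits exceed /64; no subnet bits would remain")
    addr = int(net6.network_address) | (suffix << (128 - delegated_len))
    return ipaddress.IPv6Network((addr, delegated_len))


def sixrd_embedded_ipv4(sixrd_prefix: str, ipv4_mask_len: int,
                        domain_ipv4: str, dst: str) -> ipaddress.IPv4Address:
    """Recover the CE IPv4 address embedded in a 6RD destination address.

    A CE tunnels a packet straight to this address when dst lies inside the
    6RD domain instead of via the border relay: the "smarts" over plain 6to4.
    domain_ipv4 supplies the high-order IPv4 bits shared by the whole domain
    (any address in it, such as the CE's own WAN address, will do).
    """
    net6 = ipaddress.IPv6Network(sixrd_prefix)
    dst6 = ipaddress.IPv6Address(dst)
    if dst6 not in net6:
        raise ValueError(f"{dst} is outside the 6RD domain {sixrd_prefix}")
    low_bits = 32 - ipv4_mask_len
    shift = 128 - net6.prefixlen - low_bits
    suffix = (int(dst6) >> shift) & ((1 << low_bits) - 1)
    high = int(ipaddress.IPv4Address(domain_ipv4)) & ~((1 << low_bits) - 1)
    return ipaddress.IPv4Address(high | suffix)


def sixrd_border_relay_ipv6(sixrd_prefix: str, ipv4_mask_len: int,
                            br_ipv4: str) -> ipaddress.IPv6Address:
    """The BR's IPv6 address is formed the same way with the remaining bits
    zero; the CE installs it as its default IPv6 next hop over the tunnel."""
    return sixrd_delegated_prefix(sixrd_prefix, ipv4_mask_len, br_ipv4).network_address


if __name__ == "__main__":
    # Constructed ISP parameters: a /28 6RD prefix, full 32 IPv4 bits embedded.
    print(sixrd_delegated_prefix("2001:db0::/28", 0, "198.51.100.7"))   # 2001:dbc:6336:4070::/60
    print(sixrd_embedded_ipv4("2001:db0::/28", 0, "198.51.100.7",
                              "2001:dbc:6336:4071::1"))                  # 198.51.100.7
    print(sixrd_border_relay_ipv6("2001:db0::/28", 0, "198.51.100.1"))  # 2001:dbc:6336:4010::
```

Passing a non-zero IPv4MaskLen shows the trade-off an ISP makes: each bit of IPv4 it can declare common to the domain buys the customer one more subnet bit, but the delegated prefix is still tied to the customer's IPv4 address, so a CE moved behind carrier NAT ends up with a prefix that belongs to the shared address, which is the failure Seth anticipates.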
Re: [pfSense] IPv6 and v2.1
Quoting Oliver Schad <ad...@automatic-server.com>:
> Hello,
>
> can somebody estimate when version 2.1 with IPv6 support will be released? One month, 6 months, 1 year?

If all goes according to plan, somewhere this spring. Which sounds vague but should be before May and definitely before World IPv6 Day.

You can install a pfSense 2.1 snapshot from http://files.pfsense.org/jimp/ipv6/ That is the last IPv6 snapshot we made and it's in relatively large use by people that needed IPv6 support. I have at least 3 CARP clusters in active production with IPv6 on this version.

2.1 is mostly a 2.0 with IPv6 support though; don't expect as big a leap as 1.2.3 to 2.0 was.

> I would like to use the IPv6 stuff and don't like the idea to patch v2.0.1 manually.

We have the snapshots for that.

Regards,
Seth
Re: [pfSense] rrd error
On 24-1-2012 11:19, İhsan Doğan wrote:
> Hi,
>
> I'm running the NanoBSD version of pfSense, Version 2.0.1. This system was upgraded from 1.2.3 through 2.0.

The initial 2.0 did not correctly upgrade the RRD files from 1.2.3. A fix is in 2.0.1 so that upgrades from 1.2.3 work. However, if you have already upgraded from 1.2.3 to 2.0 you will need to reset the RRD data or attempt to upgrade the files manually when on 2.0.1.

Please see ticket http://redmine.pfsense.org/issues/1758 for the manual upgrade instructions if you are now on 2.0.1.

Regards,
Seth

> When I try to access the traffic graph page, I'm getting this error in the system log:
>
> php: /status_rrd_graph_img.php: Failed to create graph with error code 1, the error is: ERROR: No DS called 'inpass' in '/var/db/rrd/wan-traffic.rrd'/usr/bin/nice -n20 /usr/local/bin/rrdtool graph /tmp/wan-traffic.rrd-4year.png --start 1200910447 --end 1327400047 --vertical-label bits/sec --color SHADEA#ee --color SHADEB#ee --title `hostname` - WAN :: Traffic - 4 years - 1 day average --height 200 --width 620 DEF:wan-in_bytes_pass=/var/db/rrd/wan-traffic.rrd:inpass:AVERAGE DEF:wan-out_bytes_pass=/var/db/rrd/wan-traffic.rrd:outpass:AVERAGE DEF:wan-in_bytes_block=/var/db/rrd/wan-traffic.rrd:inblock:AVERAGE DEF:wan-out_bytes_block=/var/db/rrd/wan-traffic.rrd:outblock:AVERAGE CDEF:wan-in_bits_pass=wan-in_bytes_pass,8,* CDEF:wan-out_bits_pass=wan-out_bytes_pass,8,* CDEF:wan-in_bits_block=wan-in_bytes_block,8,* CDEF:wan-out_bits_block=wan-out_bytes_block,8,* CDEF:wan-in_bytes=wan-in_bytes_pass,wan-in_bytes_block,+ CDEF:wan-out_bytes=wan-out_bytes_pass,wan-out_bytes_block,+
>
> How can I fix this?
>
> Ihsan
Re: [pfSense] Soekris 6501 installation question
Hi,

On 23 Jan 2012, at 18:21, David Miller wrote:
> "Is it plugged in" questions are welcome, I'm probably missing something about that simple. It's my first time with a Soekris, and first time trying to boot pfSense off the memstick image. The Soekris was set to 19200. I tried 9600 on it as well (boot, ctrl-P, set ConSpeed=9600, reboot) to no avail. Also 115200.

The Soekris or ALIX is either 19200 or 38400 stock; we are still using 9600,n,8,1 for all our embedded builds.

If this is a memstick image you should not expect serial output IIRC. Only the NanoBSD images have serial; the NanoBSD images with VGA even have VGA instead. Maybe I've missed something, but I believe this is the case.

Regards,
Seth
Re: [pfSense] Fatal trap 12 page fault
Hi,

On 4-1-2012 12:53, Hiren Joshi wrote:
> And another one:
> http://sysops2.moonfruit.com/communities/4/004/009/843/874/images/4560450091_525x290.jpg
> http://sysops2.moonfruit.com/communities/4/004/009/843/874/images/4560450095_525x291.jpg
> http://sysops2.moonfruit.com/communities/4/004/009/843/874/images/4560450097_525x294.jpg
>
> We're not upgrading to pfSense 2.0 and will change the memory over soon...

A bit late to chip in here, but is there a clogged fan or a busted capacitor? That was a huge issue in a lot of computer equipment produced in 2007. I've seen a number of random crashes caused by faulty power supplies too. RAM is always the most obvious, but consider the other options; the good news is that you can easily replace the entire firewall by just restoring a config file on another machine.

Regards,
Seth

> Thanks for all the pointers so far.
>
> Josh.
>
> -----Original Message-----
> From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of Russell Howe
> Sent: 03 January 2012 17:44
> To: list@lists.pfsense.org
> Subject: Re: [pfSense] Fatal trap 12 page fault
>
>> On 02/01/12 06:45, Russell Howe wrote:
>>> I've managed to get screen captures of two crashes, with backtraces:
>>>
>>> Crash #1
>>> http://sysops2.moonfruit.com/communities/4/004/009/843/874/images/4560312285.png
>>> http://sysops2.moonfruit.com/communities/4/004/009/843/874/images/4560312283.png
>>>
>>> Crash #2
>>> http://sysops2.moonfruit.com/communities/4/004/009/843/874/images/4560312282.png
>>> http://sysops2.moonfruit.com/communities/4/004/009/843/874/images/4560312286.png
>>> http://sysops2.moonfruit.com/communities/4/004/009/843/874/images/4560312287.png
>>>
>>> Any ideas as to what might be going on? I've also seen the secondary node reboot when it takes over the CARP addresses, although that doesn't happen every time. I assume it's crashing but I'm not prepared to put the debug kernel on both nodes at the same time.
>>
>> We had another occurrence:
>> http://sysops2.moonfruit.com/communities/4/004/009/843/874/images/4560367903.png
>> http://sysops2.moonfruit.com/communities/4/004/009/843/874/images/4560367904.png
>>
>> We ran memtest for a few hours on this machine back in October when we first began to have these resets and it came back clean, although I know some memory errors can be quite hard to reproduce with memtest. Still, new RAM is on order so we'll see if that makes any difference. We're also going to try an upgrade to 2.0.x
Re: [pfSense] relayd fails to start after 2.0.1 upgrade
On 27-12-2011 9:31, Andrew Mitchell wrote:

<lbpool/>
<lbaction/>
<lbprotocol/>

It's these tags that cause it.

Regards,
Seth
Re: [pfSense] particular site not working
Hi,

On 17 Dec 2011, at 05:19, Guruprasad R wrote:
> action taken:
> - I disabled transparent proxy and configured 3128 as my proxy port in the browser as well as pfSense
> - I stopped the squid/squidguard services
> - I tried different browsers from different systems behind the firewall, but all in vain
>
> observation:
> - I could ping bsnl.co.in which responds back with its static IP.

Set the MTU to something like 1400 and try again; it could be that there is an MTU issue along the way causing larger packets to fail.

Does a telnet to the host on port 80 connect? If so, that's likely the issue.

Regards,
Seth
Re: [pfSense] Blackberry Playbook VPN and Connecting up to PFSense
On 12-12-2011 16:35, Gavin Will wrote:
> Hi there,
>
> Curious if anyone has set up a VPN for a Blackberry Playbook to connect to a pfSense box. Playbook supports many commercial devices such as Juniper / Cisco. The only option I feel I can use is Generic IKEv2 VPN Server. Is pfSense classed as such a thing? I would presume it can handle IKEv2 IPsec.

The current IPsec daemon in pfSense only supports IKE version 1.

Regards,
Seth
Re: [pfSense] Silly question - using a PC + pfsense + dual ethernet NIC + wlan PCI card as wifi router
On 8-12-2011 9:21, Chris Buechler wrote:
> Though that'd be pretty ugly too given the 11 Mb limit of USB 1.x you'd find on such a box, aside from the fact USB NICs tend to be ugly in general driver-wise, and I can't recall seeing a USB wifi card whose chipset supported hostap mode.

Ralink USB chipsets do work, but they default to 1Mbit unless you force them to use 54Mbit. I've used them as wireless access points in a pinch but they fell over in about a day of use.

> Maybe the OP's best bet is getting a WRT54G off ebay (can be had for ~$20 USD shipped in the US at least, generally cheaper than any wifi NIC you're going to find), and use it for wifi only.

Considering that the placement of your WiFi antenna is pretty critical for good coverage, I second this. Getting an old WiFi router on the cheap is easy; some people even give you their old one, you might even have one lying around. Disable the DHCP server on it, plug the cable into the LAN port and you get a 4-port switch as a bonus.

I have mine in the living room below the TV. This makes WiFi in the living room excellent (where I use it most) and I use the extra ports for the media player and Xbox.

Regards,
Seth
Re: [pfSense] Silly question - using a PC + pfsense + dual ethernet NIC + wlan PCI card as wifi router
Hi,

On 8 Dec 2011, at 18:07, ernst wrote:
> How expensive is your electricity? When you look at it from a 1-2 year total cost of ownership of keeping that old PC running 24/7, you are (eventually) further ahead to buy one of those embedded computers (ALIX / Soekris) or that shiny new router at Best Buy.

Experience has taught me that the shiny new router at the store will likely drop long-lasting idle connections like SSH or IRC because they run out of memory. And not provide the coverage you need^W want (e.g. backyard, upstairs, garage, bedroom, etc.).

Prices have been going down steadily for all flash chips, so for the same money you would get more memory. That's not the goal of the manufacturers; instead, they make the same model for less. So we still get routers with 4 or 8 MB RAM and they still need to actively prune connections to stop the thing from running out of memory.

And an expensive router with WiFi is roughly 70 to 120 euros. An ALIX 2D3 is about 100 euros. This nets me more (general) processing power and 256MB of RAM and a couple of USB2 ports. It also uses just 5 Watts idle or so. I'm still using the same ALIX I got over 3 years ago.

I have since replaced the WiFi access points multiple times. From 11b to 11g, then to 11n dual band. Going to dual band was the single largest leap forward; 2.4 GHz is getting way too crowded. 200KB/s on a 2.4GHz 11n network is a clear indicator that something is up.

I also need 2 wireless access points so I have reception upstairs, which is a pretty common issue for most of us. So 2 cheap wireless routers off eBay will net you far better coverage and speed than 1 expensive router.

Cheers,
Seth
Re: [pfSense] Forwarding stopped between two local networks.
Hi,

On 8 Dec 2011, at 18:27, Joshua Schmidlkofer wrote:
> Yesterday, for no discernible reason, new connections ceased, in one direction between two local subnets. I have two interfaces, alc0 to 10.2.0.0/16 (BuildingA), and re2 to 10.3.0.0/16 (BuildingB). My pfSense box is a single box, with multiple internet uplinks, and is the default gateway for both networks. We have no filtering between 10.3.0.0 and 10.2.0.0. They are in another building and connected to us via high speed wireless. At some point yesterday, 10.3.0.0 stopped being able to initiate connections to hosts on 10.2.0.0. BuildingA may create new connections to BuildingB without incident. BuildingB may not connect to BuildingA at all. The packets enter pfSense, I can't get them to log at all, tcpdump shows them. Once in, they never come out. There is no log of them going anywhere. They simply cease.

Added a firewall rule with a gateway for policy routing without making an exception rule for the directly connected building A? You need to make sure that there is a rule without a gateway to building A, and vice versa. This is one of the fixes in 2.0.1.

Cheers,
Seth
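The failure mode Seth is pointing at (a pass rule that carries a gateway also captures traffic for directly connected subnets, so the packets are handed to the ISP and never come back) and the fix (a gateway-less rule for the local networks above it) look like this in pf.conf. This is an added example for this page, not the poster's configuration or pfSense's generated rules; the two subnets and interface names come from the message, the WAN interface and gateway address are assumptions.

```pf
# Added example in pf.conf syntax; not the thread's ruleset or pfSense output.
# Subnets and LAN interface names are from the thread; em0 and the gateway
# address are assumptions.
bldg_a_if  = "alc0"            # 10.2.0.0/16, building A
bldg_b_if  = "re2"             # 10.3.0.0/16, building B
wan1_gw    = "203.0.113.1"     # assumed upstream gateway reachable via em0
local_nets = "{ 10.2.0.0/16, 10.3.0.0/16 }"

# Local-to-local traffic must hit a rule WITHOUT route-to, placed first.
# pf's route-to sends the packet to the named gateway even when the
# destination is directly connected, so without these two rules building
# B's new connections to A would leave via em0 and vanish upstream.
pass in quick on $bldg_b_if from 10.3.0.0/16 to $local_nets
pass in quick on $bldg_a_if from 10.2.0.0/16 to $local_nets

# Only what is left, Internet-bound traffic, is policy-routed.
pass in quick on $bldg_b_if route-to (em0 $wan1_gw) from 10.3.0.0/16 to any
pass in quick on $bldg_a_if route-to (em0 $wan1_gw) from 10.2.0.0/16 to any
```

In the pfSense rule editor the equivalent is a pass rule on each building's interface with the other local subnets as destination and the gateway left at default, ordered above the rule that selects a WAN gateway; rules are evaluated top to bottom and the first `quick` match wins. The symptom the poster describes, packets visible in tcpdump on the way in but never leaving on any LAN interface, is what a wrongly applied route-to produces, so `pfctl -sr` on the running ruleset, checked for a `route-to` rule that matches local destinations before any plain pass rule, is the quickest confirmation.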
Re: [pfSense] Ipad Road Warrior + VPN (secure connection) to my home network??
Hi,

On 8 Dec 2011, at 22:55, justino garcia wrote:
> I want to gain secure (VPN) access on the road, to my home network from my iPad. Anyone setup pfSense for this, or do you recommend something else (OpenVPN and iPad support???)

The built-in IPsec client in the iPad works with pfSense mobile IPsec VPN on 2.0. That's how we use it at work. You will need to create a local user on pfSense in the user manager and assign the xauth attribute. Then in the IPsec VPN you can create a mobile IPsec policy.

Cheers,
Seth
Re: [pfSense] Any suggestions on how filter in pfSense for SQL Injections?
Hi,

On 7 Dec 2011, at 00:26, Chuck Mariotti wrote:
> At our datacenter we managed to not get hit. However, I guess I would like to ask for suggestions on how to stop this type of attack at the pfSense firewall and what/how to implement something that would allow us to manage such attacks.

There is no magic button that filters out SQL injection attacks; without it tools like phpMyAdmin would also instantly fail to work. These send SQL queries via the web too, in plain text, since they're supposed to do that.

This is an application issue where people forgot or just never considered input validation. The Snort approach is not guaranteed to prevent this since people can be very crafty. It's hard to get right.

Just make sure that your web apps are kept up to date. Ask your vendors about SQL injection attacks, demand this in writing facing penalties, and install the next update they release shortly afterwards.

And if you have a datacenter you had better have a really good box to make sure that none of your HTTP traffic takes a hit from being processed through Snort. Some other IDSes note the event, then block. Which can still leave you with a broken database if they succeed on the first shot. It also just blocks an IP, which is easily circumventable. One can wish for the world.

Regards,
Seth
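The point Seth makes, that SQL injection is fixed in the application and that a pattern match in front of the web server is not a guarantee, is easy to show side by side. The Python below is an added example for this page, not anything from the thread or from pfSense: a login query built by string formatting next to the same query with bound parameters, run against a constructed in-memory SQLite table, plus a naive signature of the kind an IDS rule would carry, to show that a slightly different payload walks past it while the parameterised query stays safe.

```python
# Added example; not from the thread or from pfSense. The users table and the
# payloads below are constructed for illustration.
import re
import sqlite3

SAMPLE_USERS = [("alice", "hunter2", "admin"), ("bob", "s3cret", "user")]


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database standing in for a web application's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> list:
    """Query assembled by string formatting: user input is parsed as SQL."""
    sql = (f"SELECT name, role FROM users "
           f"WHERE name = '{name}' AND password = '{password}'")
    return conn.execute(sql).fetchall()


def login_safe(conn: sqlite3.Connection, name: str, password: str) -> list:
    """Parameterised query: input is bound as data and never parsed as SQL."""
    sql = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchall()


# A signature in the spirit of an IDS rule: it knows the textbook tautology.
NAIVE_SIGNATURE = re.compile(r"'\s*or\s*'1'\s*=\s*'1", re.IGNORECASE)


def ids_blocks(value: str) -> bool:
    """True if the signature would have dropped this request parameter."""
    return bool(NAIVE_SIGNATURE.search(value))


if __name__ == "__main__":
    db = make_db()
    textbook = "' OR '1'='1"        # caught by the signature, works against the vulnerable query
    crafty = "' OR 2>1 --"          # same effect, not caught: a comment swallows the password clause
    for payload in (textbook, crafty):
        print(f"{payload!r:16} blocked={ids_blocks(payload)} "
              f"vulnerable={len(login_vulnerable(db, payload, payload))} rows "
              f"safe={len(login_safe(db, payload, payload))} rows")
```

The interesting line of output is the second one: the signature misses the variant, the formatted query still returns every user, and the parameterised query returns nothing, which is exactly why the fix belongs in the application rather than in a box that only sees the HTTP traffic.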
Re: [pfSense] 3G USB Modem installation on PFSENSE
Hi,

On 4 Dec 2011, at 20:51, Oliver Hansen wrote:
> There are actually quite a few modems that work with pfSense 2.0. It's not plug and play but if you follow the documentation it's not too hard to set up. I don't know if your specific modem is supported but I suggest looking at the documentation: http://doc.pfsense.org/index.php/Known_Working_3G-4G_Modems

One issue is that they don't come online when booting after a power failure. A warm reboot or a save on the WAN interface fixes it. I added a ticket for it.

Regards,
Seth
Re: [pfSense] Replacing CheckPoint Firewall-1 with pfSense
On 23-11-2011 19:34, Ugo Bellavance wrote:
> Hi,
>
> We're thinking about replacing our CheckPoint Firewall-1 by pfSense. We are using only those features on Firewall-1 (R65):
>
> - Security (default deny on everything)

Delete the LAN - any rule on the LAN interface and you are good to go. The rest is default deny.

> - NAT (inbound (for internet-facing hosts) and outbound (selective, workstations go out through a proxy, other selected hosts are NAT'd based on destination host and port(s))

Well, you can assign multiple VIPs on the WAN and create manual outbound NAT rules to tie different LAN hosts to different external addresses. This is aside from things like 1:1 NAT.

> - We do have some security rules defined in their SmartDefense, but it is a nightmare to configure without having many false positives. I'm pretty sure we could go without or simply add Snort to pfSense

Unfamiliar with that. I scrapped a WatchGuard Firebox years ago before UTM was a common thing.

> We had a project of roaming users VPN but it's on the ice right now. We

We use OpenVPN. Install the client exporter package; it includes a Windows client and config files for 2 Macintosh clients. Do you need the AD auth as well? I am using it against a RADIUS server though.

> are using SSH tunnels to connect home users' PCs to the corporate network and we will need a solution for the few corporate laptops to connect to the corporate network. However, I guess that with all the options available in pfSense regarding VPN, I don't think this would be a problem.

IPsec VPNs are commonly used for site-to-site tunnels. OpenVPN tunnels can work too.

> - Our Firewall-1 version is not supported anymore so we have to upgrade anyway

+2 WatchGuard Fireboxes.

> - Service contracts are a lot cheaper

Is it a service contract if they take 8 months to fix an issue?

> - We would have to pay extra $$ for a redundant setup (CARP pfSense is free)

Getting gigabit: we have a new shiny model you can buy for some randomly generated 5-figure price.

> - Server load balancing can be used for simple HA setups

Inbound as well as outbound if you have multi-WAN.

> - DHCP server on the firewall (no need for DHCP relay)

These can be made redundant too; that's what I have had here for the past few years.

> - Other interesting packages

OpenVPN client exporter is very popular.

> We are thinking about running a redundant (CARP) setup with one pfSense on our VMWare cluster, and one on a physical, separate machine.

Don't. Either do both in a VM or both physical. I tried and it burned. For ~1k euro you get a Dell R310 with 6 gig NICs.

> 1- NAT Reflection - We don't have a split-DNS setup. CheckPoint does seem to manage NAT Reflection perfectly.

For 1:1 NAT you need to add port forwards on top of your 1:1 and it will work.

> 2- Ease to migrate the configuration to pfSense - I would set a pfSense VM in parallel and start migrating all the rules manually, but I'm scared about missing some or seeing a situation where the Firewall-1 can do it and not pfSense.

You will need to write one to convert various bits of config to the pfSense XML format.

> 3- Backups. Are automated backups (of the config, at least) possible even w/o a service contract?

Some use SSH/rsync with public keys. If you have a support contract you can use the ACB package. It comes with the subscription.

Regards,
Seth