Re: [pfSense] Diagnosing DNS Resolver SERVFAIL issues
Is the pfSense set to forward DNS requests? Maybe the ISP on the VPN side is blocking DNS requests that leave their network to a third-party DNS server? I have seen that before, over the years.

--
Steve Yates
ITS, Inc.

-----Original Message-----
From: List <list-boun...@lists.pfsense.org> On Behalf Of Antonio
Sent: Thursday, May 24, 2018 11:41 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] Diagnosing DNS Resolver SERVFAIL issues

Hi,

I've been happily using the "Outgoing Network Interfaces" set to my VPN interface to prevent DNS leaks and it's been working pretty well until today, when all of a sudden it stopped resolving DNS requests. In fact:

[fri may25, 03:04 ][user@1:~]nslookup www.google.com
Server:         192.168.2.1
Address:        192.168.2.1#53

** server can't find www.google.com: SERVFAIL

192.168.2.1 is my pfSense box hooked to a DSL modem. As soon as I set "Outgoing Network Interfaces" to my WAN, then it all works again. However, this means that although my traffic is carried through the VPN, the DNS Resolver is routing requests via the ISP instead of the VPN. I don't understand how all of a sudden the VPN server stopped allowing DNS requests to be passed from my pfSense machine. Does this seem plausible and how do you think I can diagnose this? There is no way I can get unbound to work unless I set "Outgoing Network Interfaces" to WAN. This was not the case until yesterday.

Any clues?

Thanks

--
Respect your privacy and that of others, don't give your data to big corporations. Use alternatives like Signal (https://whispersystems.org/) for your messaging or Diaspora* (https://joindiaspora.com/) for your social networking.

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
[pfSense] Custom pass entries for Suricata for all rules, for inline mode
I know Bill (bmeeks) hangs out in the web forums but since they're offline, does anyone know if it is possible to allow an IP for Suricata when it's in Inline mode? I see lots of examples like:

pass ip 1.2.3.4 any <> any any (msg:"pass all traffic from/to 1.2.3.4"; sid:10;)

...but I gather that is tied to the specific rule/sid? The use case is it seems to be triggering on our Nagios monitoring of our web servers and I'd like to just whitelist our office IPs rather than trying to manage a bunch of rules.

(for those unaware, Pass Lists will be removed from Inline mode:
https://webcache.googleusercontent.com/search?q=cache:VUgCeE4j3yQJ:https://forum.pfsense.org/index.php%3Ftopic%3D135331.0+=1=en=clnk=us=firefox-b-1-ab
https://webcache.googleusercontent.com/search?q=cache:6eT7PljragcJ:https://forum.pfsense.org/index.php%3Ftopic%3D145257.0+=4=en=clnk=us=firefox-b-1 )

Thanks,

Steve Yates
ITS, Inc.
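An added illustration, not code from the thread, from Suricata or from pfSense: a small Python checker for the address syntax used in pass rules like the one above. It parses a one-line rule, honours the bidirectional `<>` operator and `!`/`[...]` address lists, and reports whether a given source/destination pair would be passed, so a whitelist rule can be sanity-checked before it goes into the inline engine. The office networks and SID in the usage section are constructed sample values.

```python
"""Check whether a Suricata 'pass' rule covers a given source/destination pair.

Added example (not from the mailing-list thread, Suricata or pfSense): a
parser for the address-spec syntax used in rule headers (single IP, CIDR,
'!' negation, '[a,b,!c]' lists, 'any'). Nested brackets are not supported.
"""
import ipaddress
import re

# action proto src sport dir dst dport (options)
_RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\[[^\]]*\]|\S+)\s+(?P<sport>\[[^\]]*\]|\S+)\s+"
    r"(?P<dir>->|<>)\s+"
    r"(?P<dst>\[[^\]]*\]|\S+)\s+(?P<dport>\[[^\]]*\]|\S+)\s*"
    r"\((?P<opts>.*)\)\s*$"
)


def address_matches(spec, ip):
    """True if `ip` falls inside the Suricata address spec `spec`."""
    spec = spec.strip()
    addr = ipaddress.ip_address(ip)
    if spec.lower() == "any":
        return True
    if spec.startswith("!"):
        return not address_matches(spec[1:], ip)
    if spec.startswith("[") and spec.endswith("]"):
        members = [m.strip() for m in spec[1:-1].split(",") if m.strip()]
        positives = [m for m in members if not m.startswith("!")]
        negatives = [m[1:] for m in members if m.startswith("!")]
        # Negated entries carve exceptions out of the positive entries; a
        # list made only of negations means "everything except these".
        in_positive = not positives or any(address_matches(m, ip) for m in positives)
        in_negative = any(address_matches(m, ip) for m in negatives)
        return in_positive and not in_negative
    # Plain host or CIDR; strict=False tolerates host bits set in a CIDR.
    return addr in ipaddress.ip_network(spec, strict=False)


def parse_rule(rule):
    """Split a one-line Suricata rule into header fields and an options dict."""
    m = _RULE_RE.match(rule.strip())
    if not m:
        raise ValueError("unparseable rule: %r" % rule)
    fields = m.groupdict()
    opts = {}
    for item in fields.pop("opts").split(";"):
        if ":" in item:
            key, val = item.split(":", 1)
            opts[key.strip()] = val.strip().strip('"')
        elif item.strip():
            opts[item.strip()] = True  # flag-style keyword without a value
    fields["opts"] = opts
    return fields


def rule_passes(rule, src_ip, dst_ip):
    """True if the rule is a pass rule whose header matches src_ip -> dst_ip.

    Ports are ignored (the whitelist rules in question use 'any'); the '<>'
    operator is honoured by testing both directions.
    """
    r = parse_rule(rule)
    if r["action"] != "pass":
        return False
    forward = address_matches(r["src"], src_ip) and address_matches(r["dst"], dst_ip)
    if r["dir"] == "->":
        return forward
    reverse = address_matches(r["src"], dst_ip) and address_matches(r["dst"], src_ip)
    return forward or reverse


def office_pass_rule(networks, sid, msg="pass monitoring traffic from/to office"):
    """Build one bidirectional pass rule covering every listed office network."""
    for n in networks:
        ipaddress.ip_network(n, strict=False)  # fail early on a typo
    spec = networks[0] if len(networks) == 1 else "[" + ",".join(networks) + "]"
    return 'pass ip %s any <> any any (msg:"%s"; sid:%d; rev:1;)' % (spec, msg, sid)


if __name__ == "__main__":
    # The example rule quoted in the thread.
    page_rule = 'pass ip 1.2.3.4 any <> any any (msg:"pass all traffic from/to 1.2.3.4"; sid:10;)'
    print(rule_passes(page_rule, "1.2.3.4", "203.0.113.5"))    # True
    print(rule_passes(page_rule, "203.0.113.5", "1.2.3.4"))    # True, because of '<>'
    # Constructed office networks and SID (hypothetical values).
    office = office_pass_rule(["192.0.2.0/24", "198.51.100.10"], 1000001)
    print(office)
    print(rule_passes(office, "192.0.2.44", "203.0.113.80"))   # True
```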
Re: [pfSense] Syntax error in rules.debug for lagg0 (WAN) after upgrade to 2.4.3_1
Finally found https://redmine.pfsense.org/issues/8518 which is this bug (the extra incomplete gateway line). Fix seems to be to delete/comment out three lines in /etc/inc/filter.inc:

https://redmine.pfsense.org/projects/pfsense/repository/revisions/c9159949e06cc91f6931bf2326672df7cad706f4/diff/src/etc/inc/filter.inc?utf8=%E2%9C%93=inline

A poster on that report says "When I try and add an IPv6 IP Alias VIP the error seems to appear" which would explain why we didn't see it on other 2.4.3_1 updates that have only IPv4 VIPs.

I did try changing off the LAGG to just the one interface on WAN and that had the same symptom with the interface in the message.

--
Steve Yates
ITS, Inc.

-----Original Message-----
From: Steve Yates
Sent: Wednesday, May 23, 2018 10:34 PM
To: 'pfSense Support and Discussion Mailing List' <list@lists.pfsense.org>
Subject: Syntax error in rules.debug for lagg0 (WAN) after upgrade to 2.4.3_1

After upgrading our HA routers from 2.4.2_1 to 2.4.3_1, every few minutes they are logging:

There were error(s) loading the rules: /tmp/rules.debug:242: syntax error - The line in question reads [242]: pass out route-to ( lagg0 64.79.96.145 ) from to !/ tracker 105913 keep state allow-opts label "let out anything from firewall host itself"

64.79.96.145 is our WAN gateway. We have the WAN configured to use a one-interface LAGG to allow sharing CARP states if we ever use a different router with a different interface name.

Searching /tmp/rules.debug for "lagg0" I see three lines at the top of the output:

pass out route-to ( lagg0 64.79.96.145 ) from 64.79.96.149 to !64.79.96.144/29 tracker 105911 keep state allow-opts label "let out anything from firewall host itself"
pass out route-to ( lagg0 64.79.96.145 ) from 64.79.96.150 to !64.79.96.144/29 tracker 105912 keep state allow-opts label "let out anything from firewall host itself"
pass out route-to ( lagg0 64.79.96.145 ) from to !/ tracker 105913 keep state allow-opts label "let out anything from firewall host itself"

.149 is the WAN IP, .150 the CARP shared IP. Given the first two are there, I'm not sure what the third is supposed to be?

Re-applying the firewall rules does not clear it, though it does appear to trigger it (presumably due to the rules reload).

Suggestions?

Steve Yates
ITS, Inc.
Re: [pfSense] Syntax error in rules.debug for lagg0 (WAN) after upgrade to 2.4.3_1
I found Suricata won't start, and I'm guessing the error Suricata is logging when it terminates (leaving its .pid file behind),

"23/5/2018 -- 22:42:18 - -- [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - alert-pf: Could not validate pf table: snort2c, module init failed."

...is related to this...?

--
Steve Yates
ITS, Inc.

-----Original Message-----
From: Steve Yates
Sent: Wednesday, May 23, 2018 10:34 PM
To: 'pfSense Support and Discussion Mailing List' <list@lists.pfsense.org>
Subject: Syntax error in rules.debug for lagg0 (WAN) after upgrade to 2.4.3_1

After upgrading our HA routers from 2.4.2_1 to 2.4.3_1, every few minutes they are logging:

There were error(s) loading the rules: /tmp/rules.debug:242: syntax error - The line in question reads [242]: pass out route-to ( lagg0 64.79.96.145 ) from to !/ tracker 105913 keep state allow-opts label "let out anything from firewall host itself"

64.79.96.145 is our WAN gateway. We have the WAN configured to use a one-interface LAGG to allow sharing CARP states if we ever use a different router with a different interface name.

Searching /tmp/rules.debug for "lagg0" I see three lines at the top of the output:

pass out route-to ( lagg0 64.79.96.145 ) from 64.79.96.149 to !64.79.96.144/29 tracker 105911 keep state allow-opts label "let out anything from firewall host itself"
pass out route-to ( lagg0 64.79.96.145 ) from 64.79.96.150 to !64.79.96.144/29 tracker 105912 keep state allow-opts label "let out anything from firewall host itself"
pass out route-to ( lagg0 64.79.96.145 ) from to !/ tracker 105913 keep state allow-opts label "let out anything from firewall host itself"

.149 is the WAN IP, .150 the CARP shared IP. Given the first two are there, I'm not sure what the third is supposed to be?

Re-applying the firewall rules does not clear it, though it does appear to trigger it (presumably due to the rules reload).

Suggestions?

Steve Yates
ITS, Inc.
[pfSense] Syntax error in rules.debug for lagg0 (WAN) after upgrade to 2.4.3_1
After upgrading our HA routers from 2.4.2_1 to 2.4.3_1, every few minutes they are logging:

There were error(s) loading the rules: /tmp/rules.debug:242: syntax error - The line in question reads [242]: pass out route-to ( lagg0 64.79.96.145 ) from to !/ tracker 105913 keep state allow-opts label "let out anything from firewall host itself"

64.79.96.145 is our WAN gateway. We have the WAN configured to use a one-interface LAGG to allow sharing CARP states if we ever use a different router with a different interface name.

Searching /tmp/rules.debug for "lagg0" I see three lines at the top of the output:

pass out route-to ( lagg0 64.79.96.145 ) from 64.79.96.149 to !64.79.96.144/29 tracker 105911 keep state allow-opts label "let out anything from firewall host itself"
pass out route-to ( lagg0 64.79.96.145 ) from 64.79.96.150 to !64.79.96.144/29 tracker 105912 keep state allow-opts label "let out anything from firewall host itself"
pass out route-to ( lagg0 64.79.96.145 ) from to !/ tracker 105913 keep state allow-opts label "let out anything from firewall host itself"

.149 is the WAN IP, .150 the CARP shared IP. Given the first two are there, I'm not sure what the third is supposed to be?

Re-applying the firewall rules does not clear it, though it does appear to trigger it (presumably due to the rules reload).

Suggestions?

Steve Yates
ITS, Inc.
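An added example, not part of the thread or of pfSense, that lints generated pf rules for exactly this symptom: route-to rules whose source or destination token is empty or not a valid address (the "from to !/" line above), reported with their tracker id so the bad rule can be traced back to the VIP that produced it before pfctl rejects the whole ruleset. The three sample lines are the ones quoted in the post; pass a path to read a real /tmp/rules.debug instead.

```python
"""Lint pf 'route-to' rules for empty or malformed source/destination tokens.

Added example, not part of the thread or of pfSense: given the text of
/tmp/rules.debug it reports route-to lines that pfctl would reject (such as
'from to !/') together with their tracker id, and groups the sources seen per
(interface, gateway) so an unexpected extra rule stands out.
"""
import ipaddress
import re
import sys

# pass out route-to ( <iface> <gw> ) from <src> to <dst> tracker <id> ...
_ROUTE_TO_RE = re.compile(
    r"^pass out route-to \(\s*(?P<iface>\S+)\s+(?P<gw>\S+)\s*\)\s+"
    r"from\s+(?P<src>\S*)\s*to\s+(?P<dst>\S*)\s*tracker\s+(?P<tracker>\d+)"
)

# The three rules quoted in the thread; the third one is the broken line.
SAMPLE_RULES = """\
pass out route-to ( lagg0 64.79.96.145 ) from 64.79.96.149 to !64.79.96.144/29 tracker 105911 keep state allow-opts label "let out anything from firewall host itself"
pass out route-to ( lagg0 64.79.96.145 ) from 64.79.96.150 to !64.79.96.144/29 tracker 105912 keep state allow-opts label "let out anything from firewall host itself"
pass out route-to ( lagg0 64.79.96.145 ) from to !/ tracker 105913 keep state allow-opts label "let out anything from firewall host itself"
"""


def address_token_ok(token):
    """A from/to token must be 'any', '(self)', a host or a CIDR, optionally negated."""
    if not token:
        return False
    body = token[1:] if token.startswith("!") else token
    if body in ("any", "(self)"):
        return True
    try:
        ipaddress.ip_network(body, strict=False)
    except ValueError:
        return False
    return True


def lint_route_to_rules(text):
    """Return a list of (lineno, tracker, problem) for malformed route-to rules."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = _ROUTE_TO_RE.match(line.strip())
        if not m:
            continue
        problems = []
        if not address_token_ok(m.group("src")):
            problems.append("bad source %r" % m.group("src"))
        if not address_token_ok(m.group("dst")):
            problems.append("bad destination %r" % m.group("dst"))
        if problems:
            findings.append((lineno, int(m.group("tracker")), "; ".join(problems)))
    return findings


def route_to_sources(text):
    """Map (interface, gateway) -> list of source tokens, one per route-to rule."""
    groups = {}
    for line in text.splitlines():
        m = _ROUTE_TO_RE.match(line.strip())
        if m:
            key = (m.group("iface"), m.group("gw"))
            groups.setdefault(key, []).append(m.group("src"))
    return groups


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    for lineno, tracker, problem in lint_route_to_rules(text):
        print("line %d (tracker %d): %s" % (lineno, tracker, problem))
    for (iface, gw), sources in route_to_sources(text).items():
        print("%s via %s: sources %s" % (iface, gw, sources))
```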
Re: [pfSense] Upgrades to 2.4.3.x failing after updating metadata
FWIW I upgraded our SG-4860 pair and saw the same behavior, fails after the metadata update. I waited 5 minutes and it did not restart and saw no indication in the system log it was going to, or upgrading.

--
Steve Yates
ITS, Inc.

-----Original Message-----
From: Steve Yates
Sent: Wednesday, May 16, 2018 9:14 AM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: RE: [pfSense] Upgrades to 2.4.3.x failing after updating metadata

Huh, I should remember to look there first. So used to this list.

The "sort of scary" part is comments like "Same thing here. The page reported the upgrade had failed. We waited about two minutes and the page refreshed and we logged in. The upgrade had worked after all." Like it's running in the background despite the failure? And I ran it a second time during this? That's what "KPA" posted last night: "The WebGUI upgrade still seems to suffer from the same problem as it did a while ago which is that it gets disconnected from the real upgrade run and reports a failure when the upgrade is actually running successfully in the background."

--
Steve Yates
ITS, Inc.

-----Original Message-----
From: List <list-boun...@lists.pfsense.org> On Behalf Of John Kline
Sent: Tuesday, May 15, 2018 10:29 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] Upgrades to 2.4.3.x failing after updating metadata

Many of us are seeing this.
See: https://forum.pfsense.org/index.php?topic=147853.0

On Tuesday, May 15, 2018, 7:53 PM, Steve Yates <st...@teamits.com> wrote:

I upgraded two routers from 2.4.2 to 2.4.3 and today to 2.4.3_1. One is an SG-3100 and one is a PC. On both, both times, the upgrade almost immediately fails, but if I try again it works. I click the pending-update icon on the dashboard to go to System Update and it detects the update. I start and I get:

">>> Updating repositories metadata... done.
2.4.3_1 version of pfSense is available"

Then a red bar at the top of the page, "System update failed!"

If I click the already-highlighted System Update tab again, confirm the update, it then immediately installs.

Is anyone else seeing this?

--
Steve Yates
ITS, Inc.
Re: [pfSense] Bandwidth Mismatch between pfSense and Data Center Provider...
I don't have a straight answer for you, but are you sure the DC is counting all traffic and not just HTTP/SMTP/etc? I would think they are, but...

Something that may help...the Firewall/Rules page tracks data usage in the States column. I'm assuming from when it was last booted. Perhaps make an allow rule for each server and/or service and see what is tracked?

--
Steve Yates
ITS, Inc.

-----Original Message-----
From: List <list-boun...@lists.pfsense.org> On Behalf Of Chuck Mariotti
Sent: Wednesday, May 23, 2018 12:57 PM
To: list@lists.pfsense.org
Subject: [pfSense] Bandwidth Mismatch between pfSense and Data Center Provider...

We've run into a data overage situation at a datacenter... We get charged a premium per GB over 500GB (yes I know, stupid). Their reporting system seems to indicate significantly less data usage vs pfSense's RRD reporting... their billing system seems to be indicating overage similar to their reporting... Uploads seem to be growing significantly. Any idea why the pfSense box seems to be counting differently than the datacenter's metrics? We need to track down where this usage is happening, but I know users have only grown ~5% over that same period of time.

Here are stats for each month:

                                January               February            March               April               May (to 23rd)
Datacenter (Upload/Download):   618.95GB/76.01GB      365.25/47.15GB      799.92/79.81GB      801.67/105.01GB     581.57/76.26GB
pfSense RRD (Upload/Download):  1372.41GiB/148.91GiB  1388.65/149.60GiB   1697.71/152.24GiB   1706.53/200.86GiB   1177.95/139.55GiB

Any suggestions how or why there is a mismatch?

Regards,
Chuck
Re: [pfSense] How could I block messages trying to pass as from my net?
The "EHLO 190.6.79.98" greeting is not looked at by the firewall so that can be ignored. Can you enable logging on the rule allowing port 25, and verify where the packets are actually coming from? In most cases we set our clients up with our spam filter and the inbound port 25 rule allows connections only from the spam filter server IP ranges...

--
Steve Yates
ITS, Inc.

-----Original Message-----
From: List <list-boun...@lists.pfsense.org> On Behalf Of Alberto José García Fumero
Sent: Friday, May 18, 2018 11:52 AM
To: list@lists.pfsense.org
Subject: Re: [pfSense] How could I block messages trying to pass as from my net?

On Fri, 18-05-2018 at 16:24 +0000, Steve Yates wrote:
> I think your rule should work. Are you sure there is not
> another rule above that one in the list of rules, that allows the
> inbound connection? In other words the block rule has to be above
> the rule allowing traffic on port 25 to your mail server.
>
> --
>
> Steve Yates
> ITS, Inc.
>

That rule is the third in the WAN section, after the one blocking RFC 1918 networks and the one blocking bogon networks.

Could I create a rule saying, for instance: "reject packets originating (apparently!) from the WAN address and directed to my WAN address"? (as they are trying to forge identity) Should that work?

--
M.Sc. Alberto García Fumero
Linux user 97 138, registered 10/12/1998
http://interese.cubava.cu
It is not the hours you put into your work that count, but the work you put into those hours.
Re: [pfSense] How could I block messages trying to pass as from my net?
I think your rule should work. Are you sure there is not another rule above that one in the list of rules, that allows the inbound connection? In other words the block rule has to be above the rule allowing traffic on port 25 to your mail server.

--
Steve Yates
ITS, Inc.

-----Original Message-----
From: List <list-boun...@lists.pfsense.org> On Behalf Of Alberto José García Fumero
Sent: Friday, May 18, 2018 9:42 AM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] How could I block messages trying to pass as from my net?

Hi all.

I use pfSense 2.2.1. Of course I know it would be very convenient to upgrade, but right now it isn't possible.

I'm trying to block spam (for instance, from 185.234.217.232). As far as I know, it's trying to pass as a message from my very net:

Transcript of session follows.

From: Mail Delivery System <mailer-dae...@partagas.ettpartagas.co.cu>
To: Postmaster <postmas...@ettpartagas.co.cu>
Subject: Postfix SMTP server: errors from unknown[185.234.217.232]
Date: Fri, 18 May 2018 10:10:39 -0400 (CDT)

Out: 220 partagas.ettpartagas.co.cu ESMTP Partagas
In:  EHLO 190.6.79.98
Out: 250-partagas.ettpartagas.co.cu
Out: 250-PIPELINING
Out: 250-SIZE 1524
Out: 250-ETRN
Out: 250-STARTTLS
Out: 250-ENHANCEDSTATUSCODES
Out: 250-8BITMIME
Out: 250 DSN
In:  AUTH LOGIN
Out: 503 5.5.1 Error: authentication not enabled

Session aborted, reason: lost connection

For other details, see the local mail logfile

but the MTA correctly rejects it as a fake.

I have created an alias list (rechaza) in the menu Firewall/Aliases, where I put all the addresses known to be spammers, and tried to reject them with the rule in Firewall/Rules/WAN:

Action: Block
Interface: WAN
TCP/IP version: IPv4
Protocol: TCP
Source: (single host or alias) rechaza
Destination: 190.6.79.98
Destination port range: any

but I cannot stop the spam right in the WAN interface. How could I create a convenient rule?

TIA,
Fumero

--
M.Sc. Alberto García Fumero
Linux user 97 138, registered 10/12/1998
http://interese.cubava.cu
It is not the hours you put into your work that count, but the work you put into those hours.
Re: [pfSense] Upgrades to 2.4.3.x failing after updating metadata
I've used the console in the recent past...there was something around the 2.3.3 upgrade where you had to switch it to the development branch and back again to get it to work: https://forum.pfsense.org/index.php?topic=125873.msg695386#msg695386

Overall seems like the GUI should work...

--
Steve Yates
ITS, Inc.

-----Original Message-----
From: List <list-boun...@lists.pfsense.org> On Behalf Of WebDawg
Sent: Wednesday, May 16, 2018 9:50 AM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] Upgrades to 2.4.3.x failing after updating metadata

I upgrade via the console now. Not to say that the GUI is broken, but I must have been a victim of when it was. I have seen what kpa is talking about in that forum thread too. It is why I always ssh in and update from console.

On Wed, May 16, 2018 at 10:13 AM, Steve Yates <st...@teamits.com> wrote:
> Huh, I should remember to look there first. So used to this list.
>
> The "sort of scary" part is comments like "Same thing here. The page
> reported the upgrade had failed. We waited about two minutes and the page
> refreshed and we logged in. The upgrade had worked after all." Like it's
> running in the background despite the failure? And I ran it a second time
> during this? That's what "KPA" posted last night: "The WebGUI upgrade still
> seems to suffer from the same problem as it did a while ago which is that it
> gets disconnected from the real upgrade run and reports a failure when the
> upgrade is actually running successfully in the background."
>
> --
>
> Steve Yates
> ITS, Inc.
>
> -----Original Message-----
> From: List <list-boun...@lists.pfsense.org> On Behalf Of John Kline
> Sent: Tuesday, May 15, 2018 10:29 PM
> To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
> Subject: Re: [pfSense] Upgrades to 2.4.3.x failing after updating metadata
>
> Many of us are seeing this.
> See: https://forum.pfsense.org/index.php?topic=147853.0
>
> On Tuesday, May 15, 2018, 7:53 PM, Steve Yates <st...@teamits.com> wrote:
>
> I upgraded two routers from 2.4.2 to 2.4.3 and today to 2.4.3_1. One is an
> SG-3100 and one is a PC. On both, both times, the upgrade almost immediately
> fails, but if I try again it works. I click the pending-update icon on the
> dashboard to go to System Update and it detects the update. I start and I
> get:
>
> ">>> Updating repositories metadata... done.
> 2.4.3_1 version of pfSense is available"
>
> Then a red bar at the top of the page, "System update failed!"
>
> If I click the already-highlighted System Update tab again, confirm the
> update, it then immediately installs.
>
> Is anyone else seeing this?
>
> --
>
> Steve Yates
> ITS, Inc.
Re: [pfSense] Upgrades to 2.4.3.x failing after updating metadata
Huh, I should remember to look there first. So used to this list.

The "sort of scary" part is comments like "Same thing here. The page reported the upgrade had failed. We waited about two minutes and the page refreshed and we logged in. The upgrade had worked after all." Like it's running in the background despite the failure? And I ran it a second time during this? That's what "KPA" posted last night: "The WebGUI upgrade still seems to suffer from the same problem as it did a while ago which is that it gets disconnected from the real upgrade run and reports a failure when the upgrade is actually running successfully in the background."

--
Steve Yates
ITS, Inc.

-----Original Message-----
From: List <list-boun...@lists.pfsense.org> On Behalf Of John Kline
Sent: Tuesday, May 15, 2018 10:29 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] Upgrades to 2.4.3.x failing after updating metadata

Many of us are seeing this.
See: https://forum.pfsense.org/index.php?topic=147853.0

On Tuesday, May 15, 2018, 7:53 PM, Steve Yates <st...@teamits.com> wrote:

I upgraded two routers from 2.4.2 to 2.4.3 and today to 2.4.3_1. One is an SG-3100 and one is a PC. On both, both times, the upgrade almost immediately fails, but if I try again it works. I click the pending-update icon on the dashboard to go to System Update and it detects the update. I start and I get:

">>> Updating repositories metadata... done.
2.4.3_1 version of pfSense is available"

Then a red bar at the top of the page, "System update failed!"

If I click the already-highlighted System Update tab again, confirm the update, it then immediately installs.

Is anyone else seeing this?

--
Steve Yates
ITS, Inc.
[pfSense] Upgrades to 2.4.3.x failing after updating metadata
I upgraded two routers from 2.4.2 to 2.4.3 and today to 2.4.3_1. One is an SG-3100 and one is a PC. On both, both times, the upgrade almost immediately fails, but if I try again it works. I click the pending-update icon on the dashboard to go to System Update and it detects the update. I start and I get:

">>> Updating repositories metadata... done.
2.4.3_1 version of pfSense is available"

Then a red bar at the top of the page, "System update failed!"

If I click the already-highlighted System Update tab again, confirm the update, it then immediately installs.

Is anyone else seeing this?

--
Steve Yates
ITS, Inc.
Re: [pfSense] Firewall rules on OpenVPN interface
What is the purpose of the VPN? For instance if you are only accessing one remote network you could set up a rule to allow only the remote subnet.

Blocking private subnets would block 10.x.x.x, 192.168.x.x, etc. Blocking bogons blocks unassigned IP ranges that shouldn't have traffic yet.

--
Steve Yates
ITS, Inc.

-----Original Message-----
From: List <list-boun...@lists.pfsense.org> On Behalf Of Antonio
Sent: Sunday, May 6, 2018 4:34 AM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] Firewall rules on OpenVPN interface

Hi,

I was wondering if the "*Block private networks and loopback addresses*" and "*Block bogon networks*" should be ticked for the interface I have created for my OpenVPN client? Do I need to allow incoming requests on that interface? I copied the configuration from the internet to connect to my VPN provider but it gave no detail around these options. You would expect the link to be secure and I guess the only risk is if the VPN provider sends requests to my internal network?

Thanks

--
Respect your privacy and that of others, don't give your data to big corporations. Use alternatives like Signal (https://whispersystems.org/) for your messaging or Diaspora* (https://joindiaspora.com/) for your social networking.
Re: [pfSense] DNS configurazione under VPN
I'm not sure I understand how a web page can tell where DNS responses to the OS are coming from, but I suspect what you may want is the DNS Resolver checkbox for "Enable Forwarding Mode" which will force pfSense to forward the query on, rather than try to resolve the query against the root servers. Then it would use your OpenDNS servers, and where those servers are is up to OpenDNS. I assume they're big enough to have them worldwide...?

--
Steve Yates
ITS, Inc.

-----Original Message-----
From: List <list-boun...@lists.pfsense.org> On Behalf Of Antonio
Sent: Thursday, May 3, 2018 2:29 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] DNS configurazione under VPN

Hi folks,

I'm trying to understand why I get DNS leaks. I am connecting to a VPN Italian server from the UK and when I go to www.dnsleaktest.com, the main page says I'm connecting from Italy but then, when I do the advanced or standard tests, these say I'm located in the UK.

I have:

2.4.3-RELEASE (amd64)
built on Mon Mar 26 18:02:04 CDT 2018
FreeBSD 11.1-RELEASE-p7

Installed on a mini PC that is connected via WAN on a DSL modem (set up in pass-through mode, not router mode).

pfSense is acting as a DNS Resolver even though I have OpenDNS set in the GENERAL tab (I believe these are not being used because I'm connected via DNS Resolver). Would it be best to configure pfSense as DNS Forwarder? Although I'm not sure that this is going to resolve my DNS leak problem. All clients are configured with a DNS set to the IP of the pfSense machine.

Any suggestions on what is the best way to configure DNS on pfSense where occasionally I fire up my OpenVPN connection?

Many thanks

--
Respect your privacy and that of others, don't give your data to big corporations. Use alternatives like Signal (https://whispersystems.org/) for your messaging or Diaspora* (https://joindiaspora.com/) for your social networking.
Re: [pfSense] DNS over TLS config for pfSense 2.2.6
Wild guess, but did you try it in 2.4.x?

--
Steve Yates
ITS, Inc.

-----Original Message-----
From: List <list-boun...@lists.pfsense.org> On Behalf Of Bryan D.
Sent: Wednesday, April 4, 2018 8:01 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] DNS over TLS config for pfSense 2.2.6

Re: https://www.netgate.com/blog/dns-over-tls-with-pfsense.html

---

Applying the suggested "Custom Options" to the Unbound/DNS Resolver configuration in pfSense 2.2.6 does not work, with logs indicating that "forward-ssl-upstream" is invalid.

I tried various incantations using "server:ssl-upstream: yes" with and without "ssl-port: 853" and, although the unbound service would then run, a DNS/host query always indicated that no hosts were found.

Does anyone know a configuration that will work with pfSense 2.2.6?
Re: [pfSense] Nat between vlans
Wouldn't it be easier to just create a firewall rule to allow the Guest VLAN to the printer IP:port? It would be the same thing...they can only access that IP:port?

--
Steve Yates
ITS, Inc.

-----Original Message-----
From: List <list-boun...@lists.pfsense.org> On Behalf Of Yilmaz Bilgili
Sent: Friday, March 30, 2018 10:33 AM
To: list@lists.pfsense.org
Subject: [pfSense] Nat between vlans

Dear all,

I have a multi vlan setup and I want to give access to my printer on corp vlan from guest vlan. There is no access from guest vlan to corp vlan at the moment (and will never be). Can I use an IP address from guest vlan and nat it to printer's IP address on the corp network? My box is an up to date 2.4.2.

Thanks in advance.

Best regards.
Re: [pfSense] Failed to Configure OpenVPN to Work With LAN Clients.
It looks like you are obfuscating/hiding the IP addresses. The two networks need two different subnets, and the OpenVPN network between them needs a third subnet. Did you add firewall rules to and from the OpenVPN interface? Overall, we followed the steps in the pfSense/Netgate "book" (https://portal.pfsense.org/docs/book/, you get access if you bought from Netgate as I recall) and didn't have any issues setting up OpenVPN on IPv4. -- Steve Yates ITS, Inc. -Original Message- From: List <list-boun...@lists.pfsense.org> On Behalf Of Fadhili Ngalawa Sent: Friday, March 23, 2018 9:30 AM To: list@lists.pfsense.org Subject: [pfSense] Failed to Configure OpenVPN to Work With LAN Clients. Hello fellow Pfsense Users, I have tried and failed many times to configure OpenVPN using Pfsense to work in this situation I will explain below. In my office we have a financial information system that should be accessed only using a network IP addresses of 192.168.200.0 which is only used by Finance Department. Based on this condition, I reserved a subnet 192.168.200.32/27 and configured VPN server using Pfsense to use this local address using CIDR as required. The local address of the whole LAN is 192.168.192.0/20. When a user connects to Pfsense server using the Public IP, it gives IP address to VPN users as required . But the problem comes users can not connect to the Financial Information System server 192.168.200.10 or access any server that is in the LAN. But it works when I put any other full address let's say 192.168.0.1/24 as the VPN server clients IP released addresses. I tried to add firewall rules, it still failed but based on the time allocated for this task, I could not experiment more so I chose Endian Firewall to finalize the work. I really need to use Pfsense server because it is our gateway server, and it will spare the IP address used by Endian VPN for now. Based on the explanations above, I kindly request for your help on this. Thanks in advance. 
Re: [pfSense] Port forwards don't work on one machine
I would think "exposed host" is what I am calling DMZ, from your description. If you have a firewall rule you can set it to log traffic (pass or block I believe). Under Status/System Logs/Settings there is a checkbox to log packets blocked by the default block rule.

--
Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Marco
Sent: Monday, February 12, 2018 3:10 PM
To: list@lists.pfsense.org
Subject: Re: [pfSense] Port forwards don't work on one machine

On Mon, 12 Feb 2018 20:45:55 +0000
Steve Yates <st...@teamits.com> wrote:

> Just to double check the config, so the pfSense router is set as the
> DMZ of the ISP router?

No clue if the ISP device has a concept of DMZ. I configured it as “Exposed Host”, so all communication is actually forwarded to the pfSense box. I've set up numerous of those devices in different locations and that was always sufficient.

> Have you tried deleting the rule and re-adding?

On the ISP device? No, not yet. I guess tomorrow I'll clear the ISP device's config and also start off with a vanilla pfSense config.

I'm not really used to debugging with pfSense, especially the logging features. What's the best way to check if that packet is blocked by pfSense somehow? I tried Status → System Logs → Firewall → Normal View → Advanced Log Filter. I checked “Block”, then entered Port: 8000 and “Apply Filter” and it shows “No logs to disply”. That means that the packet is not blocked by an implicit or explicit firewall rule, right?

Marco
Re: [pfSense] Port forwards don't work on one machine
Just to double check the config, so the pfSense router is set as the DMZ of the ISP router? Have you tried deleting the rule and re-adding?

--
Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Marco
Sent: Sunday, February 11, 2018 1:13 PM
To: list@lists.pfsense.org
Subject: [pfSense] Port forwards don't work on one machine

Hi,

I have set up port forwarding multiple times in the past and it has always worked. But I now have a machine that fails to forward a port. No clue why. Maybe I'm missing the obvious here.

My network: Internet -> ISP provided “NAT device” -> pfSense (2.4.2-RELEASE-p1)

For debugging purposes I simplified the setup, turned off IDS, pfBlockerNG, used IPs instead of aliases.

1) The port forward from the WAN to 10.0.30.21 is set up. https://i.imgur.com/V8vlN1Z.png

2) A corresponding WAN rule is created as well: https://i.imgur.com/N7ulwha.png

On another machine this already is enough to get it working. But not on this one. Nmap shows “filtered”.

3) Confirming the port 8000 is actually open on 10.0.30.21: https://i.imgur.com/KcaSP6T.png Yes, it is.

4) Now testing from the external IP: https://i.imgur.com/QnWQuIO.png Nope! Again using an external service: https://i.imgur.com/v4KaivE.png No, James!

5) States: https://i.imgur.com/Rf1kjbf.png

6) Packet capture: https://i.imgur.com/xT3qFXW.png

I read: https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

> Common Problems
>
> 1. NAT and firewall rules not correctly added (see How can I forward ports
> with pfSense?)

I guess it's all correct, works on another machine.

> Hint: Do NOT set a source port

not set

> 2. Firewall enabled on client machine

nope

> 3. Client machine is not using pfSense as its default gateway

pfSense is the default gateway

> 4. Client machine not actually listening on the port being forwarded

It is, see https://i.imgur.com/KcaSP6T.png

> 5. ISP or something upstream of pfSense is blocking the port being forwarded

I guess the states table and packet capture should be empty if that's the case, right?

> 6. Trying to test from inside the local network, need to test from an outside
> machine

Tested both, see https://i.imgur.com/QnWQuIO.png https://i.imgur.com/v4KaivE.png

> 7. Incorrect or missing Virtual IP configuration for additional public IP
> addresses

No clue, haven't configured anything virtual.

> 8. The pfSense router is not the border router. If there is something else
> between pfSense and the ISP, the port forwards and associated rules must be
> replicated there.

True, pfSense is not the border router, ISP provided “NAT gateway” is. Device is configured to forward everything to the pfSense box, though.

> 9. Forwarding ports to a server behind a Captive Portal. An IP bypass must be
> added both to and from the server's IP in order for a port forward to work
> behind a Captive Portal.

nope

> 10. If this is on a WAN that is not the default gateway, make sure there is a
> gateway chosen on this WAN interface, or the firewall rules for the port
> forward would not reply back via the correct gateway.

WAN is default gateway

> 11. If this is on a WAN that is not the default gateway, ensure the traffic
> for the port forward is NOT passed in via Floating Rules or an Interface
> Group. Only rules present on the WAN's interface tab under Firewall Rules
> will have the reply-to keyword to ensure the traffic responds properly via
> the expected gateway.

didn't configure floating rules

> 12. If this is on a WAN that is not the default gateway, make sure the
> firewall rule(s) allowing the traffic in do not have the box checked to
> disable reply-to.

not the case

> 13. If this is on a WAN that is not the default gateway, make sure the master
> reply-to disable switch is not checked under System > Advanced, on the
> Firewall/NAT tab.

not the case

> 14. WAN rules should NOT have a gateway set, so make sure that the rules for
> the port forward do NOT have a gateway configured on the actual rule.

see https://i.imgur.com/N7ulwha.png

> 15. If the traffic appears to be forwarding in to an unexpected device, it
> may be happening due to UPnP. Check Status > UPnP to see if an internal
> service has configured a port forward unexpectedly. If so, disable UPnP on
> either that device or on the firewall.

UPnP is not used

I guess I'm missing the obvious here, since port forwards are rather straightforward in pfSense and have never given me troubles in the past. A nudge in the right direction is appreciated.

Marco
Re: [pfSense] Bug found: Remote Logging Options and IPv6
There is a bug tracker at https://redmine.pfsense.org/projects/pfsense

--
Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Christoph Haas
Sent: Tuesday, February 6, 2018 8:11 AM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] Bug found: Remote Logging Options and IPv6

Dear list,

I dare say that I have found a bug in version 2.4.2-RELEASE (amd64). When setting up syslog forwarding in the "Remote Logging Options" I can choose IPv6 as "IP Protocol", but when I save, the field switches back to IPv4 and logging to the given IPv6 address fails. Should I report that somewhere?

Kind regards
Christoph
Re: [pfSense] Error in NAT --> Port Forward --> Edit
This came up on this list in October with 2.4 and 2.4.1, but with Outbound NAT rules. I don't have a saved email with a posted solution...? If you export/save your config file does it have odd characters in it?

--
Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of David Kleiner
Sent: Thursday, January 11, 2018 10:57 AM
To: list@lists.pfsense.org
Subject: [pfSense] Error in NAT --> Port Forward --> Edit

Folks,

I am all of a sudden unable to edit or add new port forwards in my firewall. The exact error message is:

- Invalid characters detected "00". Please remove invalid characters and save again.

This comes up when I try to either edit an existing rule or add a new port forward rule. I am running 2.4.2_1. Any thoughts or recommendations?

--
David Kleiner
Apogee Research
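One way to act on Steve's question above (does the exported config contain odd characters?), added here as an example and not code from the thread or from pfSense: scan a saved config.xml for ASCII control characters, which the pfSense GUI refuses to save and XML parsers reject, and report the line, column and nearest element for each one. The sample config is constructed, and reading the "00" in David's error as the hex value of a NUL byte is my assumption.

```python
"""Locate control characters in an exported pfSense config.xml (added example).

Assumption: the "00" in the GUI error is the hex value of the offending byte
(a NUL). Control characters are illegal in XML 1.0, so the scan runs over the
raw text rather than over a parsed tree, which would fail on the first one.
"""
import re
import xml.etree.ElementTree as ET

# Everything in the C0 control range except tab, LF and CR, plus DEL.
CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")
# An opening tag; used only to name the element nearest before a finding.
OPEN_TAG = re.compile(r"<([A-Za-z_][\w.\-]*)[^>]*>")

# Constructed sample: a cut-down backup with a NUL byte inside one port
# forward's description, the kind of byte that would trip the GUI check.
SAMPLE_CONFIG = (
    '<?xml version="1.0"?>\n'
    "<pfsense>\n"
    "  <nat>\n"
    "    <rule>\n"
    "      <interface>wan</interface>\n"
    "      <protocol>tcp</protocol>\n"
    "      <target>10.0.30.21</target>\n"
    "      <local-port>8000</local-port>\n"
    "      <descr>Web server\x00 forward</descr>\n"
    "    </rule>\n"
    "  </nat>\n"
    "</pfsense>\n"
)


def find_control_chars(raw):
    """Return one dict per control character found: 1-based line and column,
    the hex value of the character, and the nearest preceding opening tag."""
    findings = []
    for m in CONTROL_CHARS.finditer(raw):
        pos = m.start()
        line = raw.count("\n", 0, pos) + 1
        col = pos - raw.rfind("\n", 0, pos)  # rfind is -1 on line 1, still 1-based
        tag = "?"
        for t in OPEN_TAG.finditer(raw, 0, pos):
            tag = t.group(1)  # keep the last opening tag before pos
        findings.append({"line": line, "col": col,
                         "hex": f"{ord(m.group()):02x}", "tag": tag})
    return findings


def strip_control_chars(raw):
    """Return the text with the offending characters removed, after proving
    the result is well-formed XML by parsing it (raises if it is not)."""
    cleaned = CONTROL_CHARS.sub("", raw)
    ET.fromstring(cleaned)
    return cleaned


def descr_after_cleanup(raw):
    """Parse the cleaned config and return the first NAT rule's description."""
    return ET.fromstring(strip_control_chars(raw)).findtext("nat/rule/descr")


if __name__ == "__main__":
    for f in find_control_chars(SAMPLE_CONFIG):
        print(f"line {f['line']} col {f['col']}: byte 0x{f['hex']} inside <{f['tag']}>")
    print("description after cleanup:", descr_after_cleanup(SAMPLE_CONFIG))
```

Run it against a real backup with `find_control_chars(open("config.xml", encoding="utf-8").read())`; fix the reported field in the GUI rather than restoring a hand-edited file unless you have a tested restore path.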
Re: [pfSense] 'Kernel memory leaking' Intel processor design flaw forces Linux, Windows redesign • The Register - patch to pfsense?
I'm not a developer but I would think it's dependent on FreeBSD releasing the update, plus testing by pfSense/Netgate. However, I would think there's not much concern with PCs running pfSense, since raw code would not normally be running on the pfSense box...?

--
Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero Volotinen
Sent: Wednesday, January 3, 2018 10:47 AM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] 'Kernel memory leaking' Intel processor design flaw forces Linux, Windows redesign • The Register - patch to pfsense?

https://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/

Is there a patch soon available for the pfSense kernel?
Re: [pfSense] Slow/impossible updates to 2.4?
Check to see if your DNS is running properly. If it isn't, the DNS timeouts will take forever. I had that happen once after an update.

--
Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of David C. Jenner
Sent: Tuesday, December 26, 2017 10:10 PM
To: list@lists.pfsense.org
Subject: [pfSense] Slow/impossible updates to 2.4?

I updated successfully to 2.4. Then I tried to update to 2.4.2. It took many minutes for System/Update/System Update to get to the point of asking me to confirm the update. Then the update was excruciatingly slow; it took 1/2 hour or more. It finally succeeded.

Now I am trying to update to 2.4.2_p1. Again it takes many minutes to get to the request for confirming the update. After confirming, it takes many minutes for an error "System update failed!" to appear, and Updating System says:

done.
2.4.2_1 version of pfSense is available.

All this is on an SG-2440:

Version 2.4.2-RELEASE (amd64)
built on Mon Nov 20 09:10:42 CST 2017
FreeBSD 11.1-RELEASE-p4
CPU Type Intel(R) Atom(TM) CPU C2358 @ 1.74GHz
2 CPUs: 1 package(s) x 2 core(s)
AES-NI CPU Crypto: Yes (active)

The current installation of 2.4.2 appears to be running OK. What is the problem with updating?

Thanks,
Dave
Re: [pfSense] SSH Bruteforce
I think you're looking for the Suricata or Snort packages for detecting malicious traffic at pfSense.

--
Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Daniel
Sent: Wednesday, December 20, 2017 4:53 AM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] SSH Bruteforce

Hi there,

does anyone know how to prevent SSH brute-force attacks in my network? I wanted to have a firewall which counts SSH connections from the same IP and, when it reaches the defined limit, the IP will be blocked. I know I can change the SSH port but I also want to know if there is an option to limit such kinds of attacks.

Cheers
Daniel
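What Daniel asks for, counting failures per source address and flagging a source once it passes a limit inside a time window, is the logic an IDS rule or a rate-limited firewall rule applies inline. The example below is added here and is not from the thread or from any pfSense package: it runs that same sliding-window check offline over sshd syslog lines, so a threshold can be tuned against real logs before any automatic blocking is switched on. The log lines are constructed; the message format is OpenSSH's standard "Failed password" line, and the year (absent from syslog timestamps) is assumed.

```python
"""Sliding-window SSH brute-force detection over sshd log lines (added example).

Each source IP keeps a deque of recent failure timestamps; when THRESHOLD
failures fall inside WINDOW_SECONDS the source is flagged once, at the time of
the failure that crossed the line. Successful logins and unrelated lines are
ignored. Assumption: year 2017, since syslog timestamps carry no year.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Standard OpenSSH failure message, as forwarded by syslog.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)

# Constructed sample: one source hammering the firewall, one legitimate user
# mistyping a password twice, and one successful key login in between.
SAMPLE_LOG = """\
Dec 20 04:50:01 fw sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Dec 20 04:50:09 fw sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Dec 20 04:50:17 fw sshd[1205]: Failed password for invalid user test from 203.0.113.7 port 51041 ssh2
Dec 20 04:50:26 fw sshd[1207]: Failed password for root from 203.0.113.7 port 51055 ssh2
Dec 20 04:50:31 fw sshd[1209]: Accepted publickey for daniel from 10.0.0.5 port 40122 ssh2
Dec 20 04:50:34 fw sshd[1211]: Failed password for root from 203.0.113.7 port 51060 ssh2
Dec 20 04:51:40 fw sshd[1213]: Failed password for root from 203.0.113.7 port 51077 ssh2
Dec 20 04:52:03 fw sshd[1215]: Failed password for daniel from 198.51.100.9 port 42210 ssh2
Dec 20 04:55:12 fw sshd[1220]: Failed password for daniel from 198.51.100.9 port 42231 ssh2
""".splitlines()


def parse_ts(text, year=2017):
    """Syslog timestamps lack a year; assume one so they become datetimes."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {ip: {"failures", "users", "flagged_at"}} for every source
    with at least one failed password; flagged_at is None if the source
    never reached `threshold` failures within `window_seconds`."""
    recent = defaultdict(deque)
    stats = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and non-sshd noise are not counted
        ts, ip = parse_ts(m.group("ts")), m.group("ip")
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()  # drop failures that aged out of the window
        entry = stats.setdefault(ip, {"failures": 0, "users": set(),
                                      "flagged_at": None})
        entry["failures"] += 1
        entry["users"].add(m.group("user"))
        if entry["flagged_at"] is None and len(window) >= threshold:
            entry["flagged_at"] = ts
    return stats


def block_list(stats):
    """Sources that crossed the threshold, sorted for stable output."""
    return sorted(ip for ip, e in stats.items() if e["flagged_at"] is not None)


if __name__ == "__main__":
    results = detect_bruteforce(SAMPLE_LOG)
    for ip, e in results.items():
        state = f"flagged at {e['flagged_at']:%H:%M:%S}" if e["flagged_at"] else "below threshold"
        print(f"{ip}: {e['failures']} failures, users {sorted(e['users'])}, {state}")
    print("block list:", block_list(results))
```

The window matters as much as the count: the sixth failure from 203.0.113.7 arrives after the earlier five have aged out, so on its own it would not trigger anything, while the two failures from 198.51.100.9 three minutes apart stay well under the limit. Feeding `block_list()` into a firewall alias is the natural next step once the numbers look right.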
Re: [pfSense] pfsense crashing
I had been following that one since we had been using limiters and had the "pfsync_undefer_state" issue, though thankfully no crashes. Post #44 on that page has a workaround.

--
Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero Volotinen
Sent: Monday, December 18, 2017 6:03 AM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] pfsense crashing

this long standing issue: https://redmine.pfsense.org/issues/4310 :(

Eero

2017-12-18 10:07 GMT+02:00 Eero Volotinen <eero.voloti...@iki.fi>:

> looks like turning pfsync from on to off resolved this issue.
>
> --
> Eero
>
> 2017-12-17 20:11 GMT+02:00 Joseph L. Casale <jcas...@activenetwerx.com>:
>
>> -----Original Message-----
>> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero
>> Volotinen
>> Sent: Sunday, December 17, 2017 11:02 AM
>> To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
>> Subject: Re: [pfSense] pfsense crashing
>>
>> > Need to test that tomorrow. Just wondering how to attach remote debugger
>> > or
>> > similar to get root cause of crash.
>>
>> Page 13 in the SG-8860 manual.
Re: [pfSense] DHCPv6 working but no gateway
Apparently pfSense 2.4.2 fixed a bug with RA not working on the SG-3100 router model: https://forum.pfsense.org/index.php?topic=139953.0

--
Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Steve Yates
Sent: Friday, December 8, 2017 12:13 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] DHCPv6 working but no gateway

I set up a couple of 3100s at a client and their branch office, with OpenVPN connecting them together. With the LAN set to "track interface" IPv6 addresses are acquired and DHCPv6 is working. RA doesn't seem to be working since Windows PCs don't get a gateway. I know I picked modes Managed or Assisted. If I set a static IP in that range with a gateway I can get out, so IPv6 is routing. If I configure the VPN for IPv6 I can even ping across the VPN to the other router.

My understanding was if RA was enabled and everything at defaults/blank it should "just work"...am I missing something that needs configuring? I did try putting in a subnet, even though the RA page says that's not necessary.

Thanks,

Steve Yates
ITS, Inc.
Re: [pfSense] pfsense ha issues
I get the actual LAN IP back from a traceroute also so that's normal. In the sense of "that's the router handling the packet" that makes sense. Do you get packet loss if you ping out from the pfSense?

Steve

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero Volotinen
Sent: Tuesday, December 12, 2017 2:01 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] pfsense ha issues

Well, I did traceroute 8.8.8.8 and that shows traffic via 192.168.1.7 which is the primary firewall LAN address. DHCP gives default route to 192.168.1.1 which is the CARP VIP.

I get only continuous packet loss to the internet, not to the .1 (VIP) or .7 addresses, and CARP status is stable (i.e. the primary firewall is master on all CARP addresses).

Eero

2017-12-12 21:55 GMT+02:00 Steve Yates <st...@teamits.com>:

> They aren't swapping master/backup are they? If you turn off one of the
> two what happens?
>
> Not sure how you're determining traffic going to the .7 IP...? The
> gateway on a device on the LAN should be .1 (the "CARP" LAN IP).
>
> Are you getting packet loss if you ping the .1 address? The .7 address?
> Or just out to the Internet?
>
> --
>
> Steve Yates
> ITS, Inc.
>
> -----Original Message-----
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero
> Volotinen
> Sent: Tuesday, December 12, 2017 1:03 PM
> To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
> Subject: [pfSense] pfsense ha issues
>
> Hi,
>
> installed pfsense ha system on office. it works, but experiencing about 25%
> packet loss. any idea why? switch issue? failover works fine.
>
> VIP lan gw ip is .1 but looks like traffic is going to .7 ip (normal ip of
> fw) even dhcp offers .1 as gw. is this normal?
>
> Eero
Re: [pfSense] pfsense ha issues
They aren't swapping master/backup are they? If you turn off one of the two what happens?

Not sure how you're determining traffic going to the .7 IP...? The gateway on a device on the LAN should be .1 (the "CARP" LAN IP).

Are you getting packet loss if you ping the .1 address? The .7 address? Or just out to the Internet?

--
Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero Volotinen
Sent: Tuesday, December 12, 2017 1:03 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] pfsense ha issues

Hi,

installed a pfSense HA system at the office. It works, but we are experiencing about 25% packet loss. Any idea why? Switch issue? Failover works fine.

The VIP LAN gateway IP is .1, but it looks like traffic is going to the .7 IP (normal IP of the fw) even though DHCP offers .1 as the gateway. Is this normal?

Eero
[pfSense] DHCPv6 working but no gateway
I set up a couple of 3100s at a client and their branch office, with OpenVPN connecting them together. With the LAN set to "track interface" IPv6 addresses are acquired and DHCPv6 is working. RA doesn't seem to be working since Windows PCs don't get a gateway. I know I picked modes Managed or Assisted. If I set a static IP in that range with a gateway I can get out, so IPv6 is routing. If I configure the VPN for IPv6 I can even ping across the VPN to the other router.

My understanding was if RA was enabled and everything at defaults/blank it should "just work"...am I missing something that needs configuring? I did try putting in a subnet, even though the RA page says that's not necessary.

Thanks,

Steve Yates
ITS, Inc.
Re: [pfSense] 2.3.5 to 2.4.2 on SG-2440 failed accessing repository
Ah, I misread your message, sorry. Per the other posters, check to see if your DNS resolver or forwarder service is running. At one point I had DNS stop working during an upgrade and it caused problems. I want to say it was when updating the second (primary) router, because the DNS on the other took its 2 seconds to time out after every request.

--
Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Pete Boyd
Sent: Monday, December 4, 2017 2:29 PM
To: list@lists.pfsense.org
Subject: Re: [pfSense] 2.3.5 to 2.4.2 on SG-2440 failed accessing repository

On 04/12/2017 20:11, Steve Yates wrote:
> If you ssh to the device and pick the option to update from its console menu,
> does it update there?

No, those package repository errors are what I'm seeing when doing that. I tried swapping to different repositories in the GUI, trying update from console, back and forth, as described in the page you linked to, but that hasn't helped; each time it has the same repository errors.

--
Pete Boyd
Open Plan IT - http://openplanit.co.uk
The Golden Ear - http://thegoldenear.org
Re: [pfSense] 2.3.5 to 2.4.2 on SG-2440 failed accessing repository
That sounds like what I saw a couple of times now. If you ssh to the device and pick the option to update from its console menu, does it update there? Also see:

https://forum.pfsense.org/index.php?topic=135078.msg739919#msg739919

...in which I linked to:

https://forum.pfsense.org/index.php?topic=125873.msg695386#msg695386

--
Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Pete Boyd
Sent: Monday, December 4, 2017 1:19 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] 2.3.5 to 2.4.2 on SG-2440 failed accessing repository

Hi.

I upgraded a production SG-2440 running pfSense 64-bit 2.3.5 to 2.4.2 using the web GUI. There were no packages installed. It appeared to update OK, and rebooted afterwards. However it came back as version 2.3.5 and now says it's on the latest version, despite going to the update page and re-saving.

Choosing "Update from console" gives the following:

Updating pfSense-core repository catalogue...
pkg-static: Repository pfSense-core load error: access repo file(/var/db/pkg/repo-pfSense-core.sqlite) failed: No such file or directory
pkg-static: https://firmware.netgate.com/pkg/pfSense_factory-v2_4_2_amd64-core/meta.txz: No address record
repository pfSense-core has no meta file, using default settings
pkg-static: https://firmware.netgate.com/pkg/pfSense_factory-v2_4_2_amd64-core/packagesite.txz: No address record
Unable to update repository pfSense-core
Updating pfSense repository catalogue...
pkg-static: Repository pfSense load error: access repo file(/var/db/pkg/repo-pfSense.sqlite) failed: No such file or directory
pkg-static: https://firmware.netgate.com/pkg/pfSense_factory-v2_4_2_amd64-pfSense_factory-v2_4_2/meta.txz: No address record
repository pfSense has no meta file, using default settings
pkg-static: https://firmware.netgate.com/pkg/pfSense_factory-v2_4_2_amd64-pfSense_factory-v2_4_2/packagesite.txz: No address record
Unable to update repository pfSense
Error updating repositories!

If I run "pkg update -f" I get this error:

Shared object "libssl.so.8" not found, required by "pkg"

These commands give the same repository error messages as above:

pkg-static update -f
pkg-static upgrade -f

I don't have physical access to the device. So far, ostensibly, it appears to be running OK; I'm VPN'd in. Has anyone any ideas that might help please?

Thanks

--
Pete Boyd
Open Plan IT - http://openplanit.co.uk
The Golden Ear - http://thegoldenear.org
Re: [pfSense] single pfsense to ha conversion
I don't think it would qualify as "simple" since it involves setting up an additional interface on each as well as the CARP virtual IPs. If you're asking about linking your old router to a new router, the routers have to use the same hardware interface (NIC) names in order to sync firewall states (em0 to igb0 won't sync).

--
Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero Volotinen
Sent: Saturday, December 2, 2017 11:04 AM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] single pfsense to ha conversion

Hi List,

I just bought two SG-8860 Netgate devices and am planning to convert the old unit to an HA solution. Is there a simple way to convert the units to HA with a bit of editing of the XML backup?

--
Eero
Re: [pfSense] pfsense 2.3 -> 2.4 upgrade?
In System/Update/Update Settings I think you can choose a 2.3 branch...? I haven't had any issues with installing the upgrade, but in two cases after the GUI updated the repository for 2.4 it wouldn't proceed with the upgrade, and I had to connect via SSH and run the update at the console/shell, where it installed fine.

--
Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero Volotinen
Sent: Friday, December 1, 2017 2:08 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] pfsense 2.3 -> 2.4 upgrade?

In-place upgrade from 2.3 to 2.4 looks fragile. Is there a way to upgrade the system to the latest 2.3.* series without reinstalling? The online upgrade wants to update to 2.4.2.

Eero

1.12.2017 16.27 "Alberto Moreno" <ports...@gmail.com> wrote:

> The last version from 2.3.x is 2.3.5 u can stick with latter u can test
> 2.4.2 upgrade.
>
>
> On Sun, Nov 26, 2017 at 4:04 AM, Eero Volotinen <eero.voloti...@iki.fi>
> wrote:
>
> > just planning to upgrade my sg-8860 from pfsense 2.3 to 2.4. is there any
> > known issues?
> >
> > it's not so complex setup, but running as our hq main firewall. so, some
> > ipsec and openvpn connections are running against it.
> >
Re: [pfSense] Using LAGG interfaces with CARP to allow future router replacements
Thanks for the assist/validation. It is a bit awkward to set up because one can’t put an active NIC into a LAGG so there’s a bit of round robin to get igb0 into a LAGG and assigned to WAN again. But it does work as long as one has a spare interface. I think it’d be difficult if not impossible to configure remotely but we can config a replacement router and take it to the data center. Once I did it here and could export the config, it was much easier to just edit the to-be-replaced router’s config file and paste in the LAGG section and update the interface names, and it gets set up all at once upon restore.

--
Steve Yates
ITS, Inc.

From: Adam Thompson [mailto:athom...@athompso.net]
Sent: Wednesday, November 29, 2017 3:03 PM
To: Steve Yates <st...@teamits.com>
Subject: RE: [pfSense] Using LAGG interfaces with CARP to allow future router replacements

Yeah, in theory that should work. I've never needed to care *that* much about downtime, so haven't tested it.

-Adam

On November 29, 2017 1:42:29 PM CST, Steve Yates <st...@teamits.com> wrote:

OK thanks for the observations. Fortunately the 4860 has a bunch of ports but dedicating one to a management port would seem to require 4 in our case, instead of 3. My thought would be that in the future we could edit a saved config file to change interface names and just restore it to the new hardware, and have it sync states with the LAGGs. Hopefully that’s not going to happen for many years, but…

--
Steve Yates
ITS, Inc.

From: Adam Thompson [mailto:athom...@athompso.net]
Sent: Tuesday, November 28, 2017 5:29 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>; Steve Yates <st...@teamits.com>
Subject: Re: [pfSense] Using LAGG interfaces with CARP to allow future router replacements

Yes, there's downtime to set up LAGs. So this won't help avoid all downtime.

Since the SG-2440 just went EOL, I would expect the SG-4860 will also go EOL soon, perhaps next quarter (Q1’18).

There is a small performance hit. It's not large - certainly not large enough that I ever cared to measure it. Unless you are pinning the CPU regularly, I expect it would be undetectable.

There is a much bigger hit in complexity, since you still can't set up LAGs during initial setup, necessitating a dedicated mgmt interface to avoid certain types of "oops, oh shit" problems.

-Adam

On November 28, 2017 5:08:48 PM CST, Steve Yates <st...@teamits.com> wrote:

We had two routers set up using CARP and unfortunately had some issues with them, and currently have a temporary router in place. We will be replacing the temp router with a SG-4860 1U HA; however that unfortunately has different interface names, so state sync won't work, and the cutover won't be transparent. I understand from https://doc.pfsense.org/index.php/Redundant_Firewalls_Upgrade_Guide#pfSense_2.2.x_and_pfsync that using LAGGs can work around this.

My question is, is it worth setting up LAGGs just to allow for future proofing to have the state sync working on disparate devices if we ever replace a router down the road? Is there any sort of performance penalty or significant complexity?

Note we have five CARP interfaces, IPv4 and IPv6 for WAN and LAN, and a LAN IPv4 on a second subnet. So as a first run-through on LAGGs, it seems like we would need at least four LAGGs for the WAN and LAN interfaces (we can ignore the secondary LAN for this purpose)? So we would set up four LAGG interfaces using Failover (?) with one interface each, and have WAN and LAN use those?

Avoiding downtime would be really nice, but I don't think we can get around that at this point (for this router replacement) since LAGGs apparently can't be set on an interface that is in use already and thus there would be downtime to set up LAGGs on our temp router anyway.

--
Steve Yates
ITS, Inc.

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
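To make concrete the two points Steve raises in this thread and in the earlier "single pfsense to ha conversion" reply (pfsync only matches states between peers whose interface names are identical, and a one-member failover LAGG gives each role a name that does not depend on the NIC driver), here is an added example, not pfSense code and not anything posted to the list, that rewrites a saved config backup: it renames physical NICs, wraps each assigned role in a laggN, and compares the interface names of two peers. The config.xml element layout it relies on (`<interfaces><wan><if>`, `<laggs><lagg>` with `<members>`, `<laggif>`, `<proto>`) and the sample backup are assumptions to be checked against a real export before anything is restored.

```python
"""Prepare a pfSense config backup for new hardware with LAGG-wrapped roles
(added example, not pfSense code).

Assumed config.xml layout:
  <interfaces><wan><if>em0</if>...</wan><lan>...</lan></interfaces>
  <laggs><lagg><members>em0</members><laggif>lagg0</laggif><proto>failover</proto></lagg></laggs>
Verify both against your own export before restoring an edited file.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the to-be-replaced router's backup, em* NICs, three
# roles (WAN, LAN and a SYNC interface for pfsync/CARP).
OLD_CONFIG = (
    "<pfsense>\n"
    "  <interfaces>\n"
    "    <wan><if>em0</if><descr>WAN</descr></wan>\n"
    "    <lan><if>em1</if><descr>LAN</descr></lan>\n"
    "    <opt1><if>em2</if><descr>SYNC</descr></opt1>\n"
    "  </interfaces>\n"
    "</pfsense>\n"
)


def rename_physical(config_xml, mapping):
    """Replace physical NIC names per `mapping` (e.g. em0 -> igb0), both in
    <if> assignments and inside any existing LAGG <members> lists."""
    root = ET.fromstring(config_xml)
    for el in root.iter("if"):
        if el.text in mapping:
            el.text = mapping[el.text]
    for el in root.iter("members"):
        el.text = " ".join(mapping.get(m, m) for m in (el.text or "").split())
    return ET.tostring(root, encoding="unicode")


def wrap_in_laggs(config_xml, roles=("wan", "lan")):
    """Turn the NIC assigned to each role into a single-member failover LAGG
    and point the role at laggN instead, adding a <laggs> section if needed."""
    root = ET.fromstring(config_xml)
    interfaces = root.find("interfaces")
    laggs = root.find("laggs")
    if laggs is None:
        laggs = ET.SubElement(root, "laggs")
    start = len(laggs.findall("lagg"))  # do not collide with existing laggN
    for n, role in enumerate(roles, start=start):
        if_el = interfaces.find(f"{role}/if")
        physical = if_el.text
        lagg = ET.SubElement(laggs, "lagg")
        ET.SubElement(lagg, "members").text = physical
        ET.SubElement(lagg, "descr").text = f"{role.upper()} on {physical}"
        ET.SubElement(lagg, "laggif").text = f"lagg{n}"
        ET.SubElement(lagg, "proto").text = "failover"
        if_el.text = f"lagg{n}"  # the role now follows the lagg, not the NIC
    return ET.tostring(root, encoding="unicode")


def interface_names(config_xml):
    """{role: interface name} as pfsync sees it, e.g. {"wan": "lagg0", ...}."""
    root = ET.fromstring(config_xml)
    return {iface.tag: iface.findtext("if") for iface in root.find("interfaces")}


def lagg_members(config_xml):
    """{laggif: members} for every LAGG defined in the config."""
    root = ET.fromstring(config_xml)
    return {l.findtext("laggif"): l.findtext("members") for l in root.iter("lagg")}


def can_sync_states(config_a, config_b):
    """pfsync ties states to interface names, so both peers must agree on
    every role's name (em0 on one side and igb0 on the other will not sync)."""
    return interface_names(config_a) == interface_names(config_b)


if __name__ == "__main__":
    new_hw = rename_physical(OLD_CONFIG, {"em0": "igb0", "em1": "igb1", "em2": "igb2"})
    print("bare rename syncs states:", can_sync_states(OLD_CONFIG, new_hw))
    roles = ("wan", "lan", "opt1")
    old_lagg, new_lagg = wrap_in_laggs(OLD_CONFIG, roles), wrap_in_laggs(new_hw, roles)
    print("after LAGG wrap:", interface_names(new_lagg), lagg_members(new_lagg))
    print("LAGG-wrapped peers sync states:", can_sync_states(old_lagg, new_lagg))
```

The bare rename is what a straight hardware swap gives you and is exactly the case that does not sync; wrapping both peers produces identical `lagg0`/`lagg1`/`lagg2` names while the underlying NICs differ, which is the property the Redundant Firewalls upgrade guide linked in the thread relies on.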
Re: [pfSense] pfSense can get to Internet but LAN cannot
1) we're not using NAT

2) ...which means this is the answer because the router on the WAN side doesn't know to route that subnet back to the pfSense.

D'oh! Adding a manual NAT rule lets it work.

--
Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Holger Bauer
Sent: Thursday, November 30, 2017 4:19 PM
To: pfSense support and discussion <list@lists.pfsense.org>
Subject: Re: [pfSense] pfSense can get to Internet but LAN cannot

Hi Steve,

Any chance outbound NAT got messed up when setting up CARP? Check the settings there and check Diag > States to see if NAT works.

Holger

On 30.11.2017 10:43 PM, "Steve Yates" <st...@teamits.com> wrote:

Short version: a PC on the LAN cannot ping the router's gateway, though the router can ping it and get to the Internet. Routing table looks OK, default firewall rule isn't blocking packets (rule to allow LAN to any is in place), and it's not a private IP address. Looking for suggestions?

We are replacing two routers using CARP with two 4860s. I edited the saved configuration files to add two LAGGs, and changed the interfaces to match the new hardware. As I said ping/traceroute/nslookup from the pfSense to the Internet works fine. Route table shows the proper gateway IP as the default. We have tried changing off the LAGGs, no difference. A traceroute from the PC shows the pfSense router LAN IP as expected but not the gateway which is the next hop. It's as if the routing isn't sending packets out the WAN?

I have rebooted the routers, and disabled CARP and disconnected the second router (and changed the PC gateway accordingly). Changing the PC to an IP on the WAN side and plugging it into the gateway router works fine to get past the gateway.

--
Steve Yates
ITS, Inc.
Re: [pfSense] pfSense can get to Internet but LAN cannot
A couple clarifications...the ping from LAN to the WAN gateway is timing out, not saying "unreachable" or something like that. I can ping the router's WAN IP (and CARP WAN IP) from the LAN, as allowed by firewall rule.

--
Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Steve Yates
Sent: Thursday, November 30, 2017 3:44 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] pfSense can get to Internet but LAN cannot

Short version: a PC on the LAN cannot ping the router's gateway, though the router can ping it and get to the Internet. Routing table looks OK, default firewall rule isn't blocking packets (rule to allow LAN to any is in place), and it's not a private IP address. Looking for suggestions?

We are replacing two routers using CARP with two 4860s. I edited the saved configuration files to add two LAGGs, and changed the interfaces to match the new hardware. As I said ping/traceroute/nslookup from the pfSense to the Internet works fine. Route table shows the proper gateway IP as the default. We have tried changing off the LAGGs, no difference.

A traceroute from the PC shows the pfSense router LAN IP as expected but not the gateway which is the next hop. It's as if the routing isn't sending packets out the WAN? I have rebooted the routers, and disabled CARP and disconnected the second router (and changed the PC gateway accordingly).

Changing the PC to an IP on the WAN side and plugging it into the gateway router works fine to get past the gateway.

--
Steve Yates
ITS, Inc.
[pfSense] pfSense can get to Internet but LAN cannot
Short version: a PC on the LAN cannot ping the router's gateway, though the router can ping it and get to the Internet. Routing table looks OK, default firewall rule isn't blocking packets (rule to allow LAN to any is in place), and it's not a private IP address. Looking for suggestions?

We are replacing two routers using CARP with two 4860s. I edited the saved configuration files to add two LAGGs, and changed the interfaces to match the new hardware. As I said ping/traceroute/nslookup from the pfSense to the Internet works fine. Route table shows the proper gateway IP as the default. We have tried changing off the LAGGs, no difference.

A traceroute from the PC shows the pfSense router LAN IP as expected but not the gateway which is the next hop. It's as if the routing isn't sending packets out the WAN? I have rebooted the routers, and disabled CARP and disconnected the second router (and changed the PC gateway accordingly).

Changing the PC to an IP on the WAN side and plugging it into the gateway router works fine to get past the gateway.

--
Steve Yates
ITS, Inc.
Re: [pfSense] pfsense 2.3 -> 2.4 upgrade?
It would help if someone updated the pfSense doc page to clarify that, then, since I asked that question on this list in July and got a different answer than yours.

https://doc.pfsense.org/index.php/Upgrade_Guide#Packages

--
Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Ryan Coleman
Sent: Wednesday, November 29, 2017 1:54 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] pfsense 2.3 -> 2.4 upgrade?

Anything that isn't a maintenance release (2.x.y … the "y" here) should be considered a major release. macOS 10.11 is a major release. 10.11.1 is not.

— Ryan

> On Nov 29, 2017, at 1:37 PM, Steve Yates <st...@teamits.com> wrote:
>
> Does it work if you uninstall haproxy first? I know pfSense recommends uninstalling packages for "major" version upgrades but (per my past thread here) I would think point versions are minor upgrades.
>
> --
>
> Steve Yates
> ITS, Inc.
>
> -----Original Message-----
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero Volotinen
> Sent: Wednesday, November 29, 2017 12:02 PM
> To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
> Subject: Re: [pfSense] pfsense 2.3 -> 2.4 upgrade?
>
> yes. looks like very similar problem :)
>
> Eero
>
> 2017-11-29 18:59 GMT+02:00 Tom Müller-Kortkamp <tmu...@kommunity.net>:
>
>> Did you have any packages installed?
>> I filed this bug 2 days ago:
>> https://redmine.pfsense.org/issues/8135
>>
>>> On 29.11.2017 at 00:11, Steve Yates <st...@teamits.com> wrote:
>>>
>>> https://redmine.pfsense.org/ is the bug tracker.
>>> https://www.netgate.com/support/contact-support.html for tech support.
>>>
>>> --
>>>
>>> Steve Yates
>>> ITS, Inc.
>>>
>>> -----Original Message-----
>>> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero Volotinen
>>> Sent: Monday, November 27, 2017 12:37 AM
>>> To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>; j...@netgate.com
>>> Subject: Re: [pfSense] pfsense 2.3 -> 2.4 upgrade?
>>>
>>> Hi,
>>>
>>> Looks like "online" upgrade (2.3.5 -> 2.4.2) trashes sg-8860 unit to "non-working state". (ie. ssl libraries missing and so on)
>>>
>>> Where can I file a critical bug ticket? :D
>>>
>>> --
>>> Eero
>>>
>>> 2017-11-26 19:53 GMT+02:00 Daniel <dan...@linux-nerd.de>:
>>>
>>>> I updated 3 firewalls, all without any problems.
>>>>
>>>> On 26.11.17, 13:04, "List on behalf of Eero Volotinen" <list-boun...@lists.pfsense.org on behalf of eero.voloti...@iki.fi> wrote:
>>>>
>>>> just planning to upgrade my sg-8860 from pfsense 2.3 to 2.4. are there any known issues?
>>>>
>>>> it's not such a complex setup, but running as our hq main firewall. so, some ipsec and openvpn connections are running against it.
Re: [pfSense] pfsense 2.3 -> 2.4 upgrade?
Does it work if you uninstall haproxy first? I know pfSense recommends uninstalling packages for "major" version upgrades but (per my past thread here) I would think point versions are minor upgrades.

--
Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero Volotinen
Sent: Wednesday, November 29, 2017 12:02 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] pfsense 2.3 -> 2.4 upgrade?

yes. looks like very similar problem :)

Eero

2017-11-29 18:59 GMT+02:00 Tom Müller-Kortkamp <tmu...@kommunity.net>:

> Did you have any packages installed?
> I filed this bug 2 days ago:
> https://redmine.pfsense.org/issues/8135
>
>> On 29.11.2017 at 00:11, Steve Yates <st...@teamits.com> wrote:
>>
>> https://redmine.pfsense.org/ is the bug tracker.
>> https://www.netgate.com/support/contact-support.html for tech support.
>>
>> --
>>
>> Steve Yates
>> ITS, Inc.
>>
>> -----Original Message-----
>> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero Volotinen
>> Sent: Monday, November 27, 2017 12:37 AM
>> To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>; j...@netgate.com
>> Subject: Re: [pfSense] pfsense 2.3 -> 2.4 upgrade?
>>
>> Hi,
>>
>> Looks like "online" upgrade (2.3.5 -> 2.4.2) trashes sg-8860 unit to "non-working state". (ie. ssl libraries missing and so on)
>>
>> Where can I file a critical bug ticket? :D
>>
>> --
>> Eero
>>
>> 2017-11-26 19:53 GMT+02:00 Daniel <dan...@linux-nerd.de>:
>>
>>> I updated 3 firewalls, all without any problems.
>>>
>>> On 26.11.17, 13:04, "List on behalf of Eero Volotinen" <list-boun...@lists.pfsense.org on behalf of eero.voloti...@iki.fi> wrote:
>>>
>>> just planning to upgrade my sg-8860 from pfsense 2.3 to 2.4. are there any known issues?
>>>
>>> it's not such a complex setup, but running as our hq main firewall. so, some ipsec and openvpn connections are running against it.
Re: [pfSense] pfSense 2.4.2 release
They emailed partners, since we got an email yesterday afternoon. It just came out since I upgraded a router to 2.4.1 overnight Monday night.

--
Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Ryan Coleman
Sent: Wednesday, November 22, 2017 10:50 AM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] pfSense 2.4.2 release

Tis. And it works. I'm surprised I didn't get a notification.

> On Nov 22, 2017, at 3:30 AM, Doug Lytle <supp...@drdos.info> wrote:
>
> I just noted that it's out.
>
> pfSense 2.4.2
> <https://www.netgate.com/blog/pfsense-2-4-2-release-now-available.html>
>
> Doug
Re: [pfSense] pfSense 2.4 consistently crashes daily
Any chance it had a 32 bit install and you manually upgraded to 64? I believe pfSense recommends a wipe and reinstall in that case.

--
Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Liwei
Sent: Wednesday, November 22, 2017 8:08 AM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] pfSense 2.4 consistently crashes daily

On Tue, 21 Nov 2017 at 01:08 WebDawg <webd...@gmail.com> wrote:

> It should work though. A great many people virtualize pfSense:
>
> https://doc.pfsense.org/index.php/PfSense_on_VMware_vSphere_/_ESXi
>
> Here is some more information:
>
> https://doc.pfsense.org/index.php/VirtIO_Driver_Support
> https://doc.pfsense.org/index.php/Lost_Traffic_/_Packets_Disappear
> https://doc.pfsense.org/index.php/Virtualizing_pfSense_on_Proxmox
>
> I know what it is like to ask for support and see people stop helping because something is virtualized. I have seen bad code fail in virtualization situations only to hear 'do not virtualize'.
>
> From what I know, BSD has trouble with NIC interfaces and such. Do you have any limiters or QOS installed? I would take a look at the NIC interfaces first. Can you actively monitor the log to look for errors once the VM is booted?
>
> I virtualized pfSense on proxmox about a year ago and BSD hated the cpu timers and such. I would get so many issues from it until I figured it out but everything was plain as day in the kernel messages that were outputted.
>
> There is an ova file available via the gold subscription:
>
> https://doc.pfsense.org/index.php/VMware_Appliance
>
> You need to get more information for me to help further. It would be great to get a copy of some logs.
>
> Here is a XenServer thread:
> https://forum.pfsense.org/index.php?topic=88467
>
> Last time I virtualized the big deal was hvm nic vs pvhvm NIC. You could do limiters on one (I think hvm) but the NIC's become CPU bound because of how HVM works. I could only push like 10-30 mbits out of an i3 processor.
>
> I do not know if this has been solved, or if it is solvable. pfSense follows FreeBSD so most of the fixes for this come from FreeBSD, though pfSense had/has some of its own kernel hacks.

Hi Vick, thanks for the assistance, nonetheless!

Hi WebDawg,

Yeah, I guessed as much that the problem should be on my side, because something this fatal should already be widely reported.

I don't have any limiters or QoS set. I've set up logging of the serial port so at least I know what are the events leading up to the crash. Nothing interesting though, it just... happens.

How do I set up log monitoring? My guess is I'll probably have to turn on remote syslog and log over. Will set up when I get the chance.

The odd thing is this is a 7+ years old setup (but we did do a fresh install of 2.3 when we upgraded hardware 1+ years ago), and we never had any serious issues. In fact it was purring along nicely on 2.3 since it was first installed, until we upgraded to 2.4. I'm pretty confident of the hardware since it is only a year old, the other VMs are not having any issues, and reverting to 2.3 works fine.

Thus based on a hunch I decided to remove a couple of bridge interfaces (bridging our oVPN tap interfaces to the main and private LANs) when I sent my first email to the list. The crashes haven't occurred since then for 2 days. I'm not sure if it is a coincidence or not, but it does seem like my configuration may be triggering some bug. Or I may have mis-configured something.

I'll continue to iterate things around to narrow down the problem, but given that I have to wait a few days after each change to be sure on whether it crashes or not, any suggestion is very welcome!

Warm regards,
Liwei

--
Clear Skies,
Liwei
Co-Founder, CTO
TinyMOS <http://tinymos.com/> <https://www.facebook.com/thetinymos/> <https://www.instagram.com/thetinymos/> <https://twitter.com/thetinymos>
21 Heng Mui Keng Terrace, Level 1 The Hangar, Singapore 119613
Re: [pfSense] pfsense ipv6 not working
Ah yes, System/Advanced/Networking, Allow IPv6.

--
Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Daniel
Sent: Tuesday, November 21, 2017 12:42 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] pfsense ipv6 not working

You also need to enable it in the Settings.. tick the IPv6 box.

On 21.11.17, 19:38, "List on behalf of Steve Yates" <list-boun...@lists.pfsense.org on behalf of st...@teamits.com> wrote:

    Starting at the top level, do you have a firewall rule allowing ICMP for IPv6?

    --
    Steve Yates
    ITS, Inc.

    -----Original Message-----
    From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero Volotinen
    Sent: Monday, November 20, 2017 1:01 PM
    To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
    Subject: [pfSense] pfsense ipv6 not working

    Hi List,

    Running ipv6 with dhcpv6 from isp and it works on my laptop without pfsense, but on pfsense shell, I cannot even ping other network addresses than gw:

        ping6 fe80::208:20ff:fe4e:1c1b
        PING6(56=40+8+8 bytes) fe80::ae1f:6bff:fe43:a993%igb3 --> fe80::208:20ff:fe4e:1c1b
        16 bytes from fe80::208:20ff:fe4e:1c1b%igb3, icmp_seq=0 hlim=64 time=0.573 ms
        16 bytes from fe80::208:20ff:fe4e:1c1b%igb3, icmp_seq=2 hlim=64 time=0.578 ms
        16 bytes from fe80::208:20ff:fe4e:1c1b%igb3, icmp_seq=3 hlim=64 time=0.518 ms

    and when trying to ping google:

        ping6 2a00:1450:4001:820::200e
        PING6(56=40+8+8 bytes) fe80::ae1f:6bff:fe43:a993%igb3 --> 2a00:1450:4001:820::200e
        ^C
        --- 2a00:1450:4001:820::200e ping6 statistics ---
        7 packets transmitted, 0 packets received, 100.0% packet loss

    Wan configuration is using DHCPv6
Re: [pfSense] pfsense ipv6 not working
Starting at the top level, do you have a firewall rule allowing ICMP for IPv6?

--
Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero Volotinen
Sent: Monday, November 20, 2017 1:01 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] pfsense ipv6 not working

Hi List,

Running ipv6 with dhcpv6 from isp and it works on my laptop without pfsense, but on pfsense shell, I cannot even ping other network addresses than gw:

    ping6 fe80::208:20ff:fe4e:1c1b
    PING6(56=40+8+8 bytes) fe80::ae1f:6bff:fe43:a993%igb3 --> fe80::208:20ff:fe4e:1c1b
    16 bytes from fe80::208:20ff:fe4e:1c1b%igb3, icmp_seq=0 hlim=64 time=0.573 ms
    16 bytes from fe80::208:20ff:fe4e:1c1b%igb3, icmp_seq=2 hlim=64 time=0.578 ms
    16 bytes from fe80::208:20ff:fe4e:1c1b%igb3, icmp_seq=3 hlim=64 time=0.518 ms

and when trying to ping google:

    ping6 2a00:1450:4001:820::200e
    PING6(56=40+8+8 bytes) fe80::ae1f:6bff:fe43:a993%igb3 --> 2a00:1450:4001:820::200e
    ^C
    --- 2a00:1450:4001:820::200e ping6 statistics ---
    7 packets transmitted, 0 packets received, 100.0% packet loss

Wan configuration is using DHCPv6

--
Eero
Re: [pfSense] Packetloss
I don't have a specific answer but if you know the setting you can try the System > Advanced, System Tunables page.

--
Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Daniel
Sent: Thursday, November 16, 2017 6:36 AM
To: pfSense support and discussion <list@lists.pfsense.org>
Subject: [pfSense] Packetloss

Hi there,

as some of you guys know I had a lot of packet loss. It is/was because the WAN interface runs full of traffic. Normal behaviour is that no packets get dropped. They get queued as I understand it, and the ping RTT increases extremely.

It seems I need to increase the TCP buffer size. Is there any way in Pfsense to increase the buffer size?

Cheers
Daniel
Re: [pfSense] FreeNAS Jail Connection
Try turning on logging of the default block rules to see if it is in fact being blocked. Alternatively, if you add firewall rules allowing all traffic to/from the NAS does it work?

--
Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Travis Hansen
Sent: Saturday, November 11, 2017 11:09 AM
To: PfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] FreeNAS Jail Connection

I cannot get pfSense to 'talk' to a jail running on a FreeNAS machine. If I recall correctly a while back I did some tcpdumps in the jail and saw both incoming and outgoing icmp traffic but pfSense seems to ignore/throw it away or something. I know I'm not the only one who's seen this because someone on the #freenas mentioned they had the same thing.

Anyone have any ideas on how it might be resolved?

Travis
hansentravisghan...@yahoo.com
Re: [pfSense] CARP Demotion Not Working
Are you using the "enter persistent maintenance mode" here? I'm trying to remember when I looked at this a couple years ago but overall if we shut down node A, node B takes over, and when A boots up it becomes Master again. However if I enter maintenance mode first (forcing B to Master) then B stays as Master after A comes up again.

I have seen the occasional situation where we exit maintenance mode and the IPv6 CARP WAN IP ends up with *both* routers showing as Master, but at that point I restart node B and it clears out (we have CARP IPs for two LANs and a WAN, and both IPv4 and IPv6, on two virtualized routers).

--
Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Andrew Kester
Sent: Friday, November 3, 2017 10:49 AM
To: list@lists.pfsense.org
Subject: Re: [pfSense] CARP Demotion Not Working

An update on this, if the master node is rebooted during a failure, the secondary node takes over correctly and remains the master as would be expected. This makes me think that the priority is set correctly but the second node for some reason isn't honoring the advskew set by the master correctly.

To illustrate what I mean:

    -------------------------------------------------------------------------
    | Node A | Node B |
    -------------------------------------------------------------------------
    | M  M   | B  B   | Normal, Node A is master on all CARP IP's
    | M  X   | B  M   | Failure, incorrect though. Node B should be master.
    | -  -   | M  M   | Node A Offline, B takes over as master correctly
    | B  X   | M  M   | After restart, correct behavior. Node B is master.
    -------------------------------------------------------------------------
    M - Master
    X - Down
    B - Backup

I've also run through the CARP troubleshooting guide here to no avail.
https://doc.pfsense.org/index.php/CARP_Configuration_Troubleshooting

Let me know if you need more information or clarification, I'm not sure the best way to illustrate / communicate my problem.

---
Thanks,

Andrew Kester
The Storehouse
https://sthse.co

On 11/1/17 3:30 PM, Andrew Kester wrote:
> Hi List,
>
> I'm having an issue with CARP preempt. I have two pfSense machines running 2.4.1-RELEASE. CARP fails over all individual IPs correctly, but doesn't preempt correctly in the case of a single failure.
>
> On both machines, I've checked that net.inet.carp.preempt is enabled. The master appears to be detecting the demotion, as it sets net.inet.carp.demotion to 240 during a failure, but ifconfig still reports advskew as 0.
>
> I'm not 100% sure if that number should update, or if the demotion number is added to the advskew reported by ifconfig.
>
> Relevant sysctl, ifconfig, and log output taken from the master firewall during a failure is attached.
>
> Any help is greatly appreciated!
>
> ---
> Thanks,
>
> Andrew Kester
> The Storehouse
> https://sthse.co
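A small model of the CARP election rule the thread is arguing about, added here as an example (not pfSense or FreeBSD code). It follows FreeBSD's ip_carp.c as I read it: a node advertises advskew plus the host-wide demotion counter, capped at 240, while ifconfig keeps showing the configured advskew; a backup with preempt on that hears a slower advertisement takes over. The node names, the 0/100 skews and the 240 demotion value are the thread's; the election logic is my paraphrase and tie-breaks between identical schedules are not modelled.

```python
"""Model of the CARP master election discussed above.

Added example, not pfSense or FreeBSD code. Rules as I read them in FreeBSD's
ip_carp.c: each advertisement carries advbase and (advskew + demotion) capped
at CARP_MAXSKEW; only a MASTER advertises; a BACKUP with net.inet.carp.preempt
set that hears a slower advertisement becomes MASTER; a MASTER that hears a
faster one steps down. Ties (identical schedules) are not modelled.
"""
from __future__ import annotations

from dataclasses import dataclass

CARP_MAXSKEW = 240  # cap on advskew + demotion; also the link-down demotion seen in the thread


@dataclass
class CarpNode:
    name: str
    advskew: int            # per-VHID setting; this is the value ifconfig prints
    state: str = "BACKUP"
    advbase: int = 1        # seconds between advertisements
    demotion: int = 0       # net.inet.carp.demotion: host-wide, not per VHID
    preempt: bool = True    # net.inet.carp.preempt

    def effective_skew(self) -> int:
        """Skew actually put on the wire: advskew is not rewritten, demotion is added to it."""
        return min(self.advskew + self.demotion, CARP_MAXSKEW)

    def schedule(self) -> tuple[int, int]:
        """Advertisement interval as (sec, usec); a smaller tuple is a more eager node."""
        return (self.advbase, self.effective_skew() * 1_000_000 // 256)


def hear(listener: CarpNode, sender: CarpNode) -> str:
    """Update `listener` after hearing one advertisement from `sender`; returns the new state."""
    if sender.state != "MASTER":
        return listener.state       # backups do not advertise, so there is nothing to hear
    mine, theirs = listener.schedule(), sender.schedule()
    if listener.state == "BACKUP" and listener.preempt and mine < theirs:
        listener.state = "MASTER"   # the current master advertises slower than we would
    elif listener.state == "MASTER" and theirs < mine:
        listener.state = "BACKUP"   # a more eager master is advertising
    return listener.state


def advertisement_round(a: CarpNode, b: CarpNode) -> dict[str, str]:
    """Let the nodes hear each other twice (enough to settle) and report the states."""
    for _ in range(2):
        hear(a, b)
        hear(b, a)
    return {a.name: a.state, b.name: b.state}


def link_failure_on_master(demotion: int) -> dict[str, str]:
    """Node A (skew 0) is MASTER, Node B (skew 100) is BACKUP; one of A's links fails.

    With A demoted by 240, A's effective skew (240) is worse than B's (100), so B
    should preempt on every VHID, not only the one whose link dropped.
    """
    a = CarpNode("A", advskew=0, state="MASTER", demotion=demotion)
    b = CarpNode("B", advskew=100)
    return advertisement_round(a, b)


def master_rejoins(preempt_on_a: bool) -> dict[str, str]:
    """Node A comes back after a reboot while B is MASTER; with preempt, A takes over again."""
    a = CarpNode("A", advskew=0, preempt=preempt_on_a)
    b = CarpNode("B", advskew=100, state="MASTER")
    return advertisement_round(a, b)


if __name__ == "__main__":
    print("A demoted by 240:", link_failure_on_master(240))   # B should be MASTER
    print("no demotion:     ", link_failure_on_master(0))     # A stays MASTER
    print("A rejoins:       ", master_rejoins(True))          # A preempts B
```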
Re: [pfSense] malformed packets
I saw your question but didn't see an answer... Have you considered Suricata or Snort to see if they can detect and block off the traffic?

--
Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of mad.scientist.at.la...@tutanota.com
Sent: Friday, October 20, 2017 7:24 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] malformed packets

Is there any way I can block malformed packets and drop them rather than being used for a ddos attack? This is related to LEGAL torrents, i.e. copyleft etc. Even running deluge there is a storm of malformed packets with spoofed ip addrs, which then makes my machine send out many, many malformed packets to people who didn't even send them. Gee, I thought doing a ddos on people was illegal, not that it matters in most countries.
Re: [pfSense] CARP Interface does not sync
A few thoughts...

When upgrading, pfSense recommends upgrading the backup router first.

For the states to sync the interfaces have to have the same names, i.e. same NICs in both.

An XML sync error is usually seen when saving changes on the primary router and it tries to connect to the backup. That's different than the interfaces not syncing state.

Ensure you're using the username "admin" to sync...even though there is a field for the username in the CARP sync settings, pfSense apparently uses a hardcoded "admin" instead and ignores the field.

Are you using Suricata or any other packages?

--
Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Daniel
Sent: Monday, October 30, 2017 7:33 AM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] CARP Interface does not sync

Hi there,

I run 2 Pfsense boxes which are connected directly on the Sync interface. Pf1 version is 2.4.1 and pf2 version is 2.4.0.

I created CARP interfaces now which are not synced to pf1 automatically. I get some XML errors (Syntax Error in XML).

Is there any way to start the Sync process manually to check logs or so?

Cheers
Daniel
Re: [pfSense] openvpn restarts when running on secondary node and sync updates comes from primary
We also get that message logged at the daily rule update for Suricata. I think it just happens when pfSense senses certain types of updates... :-/

--
Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eugenio Modesti
Sent: Thursday, October 19, 2017 6:21 AM
To: list@lists.pfsense.org
Subject: [pfSense] openvpn restarts when running on secondary node and sync updates comes from primary

Hi,

I've got two pfsense boxes with HA. The openvpn server is listening on a CARP ip. I assigned the vpn to an interface to set up specific rules and add it to an existing interface group.

Everything works when running on the primary node. When I put the master in maintenance the secondary takes over correctly and openvpn clients reconnect to that node. Everything continues to work as expected.

The problem is that every time I modify something on the primary the secondary restarts all the packages, dropping the vpn connections. The first time I noticed while assigning interfaces, but it triggers on every update (alias, rules).

In the log I see something like:

    /rc.newwanip: pfSense package system has detected an IP change or dynamic WAN reconnection - 192.168.11.129 -> 192.168.11.129 - Restarting packages.

Why is it restarting even if there was no ip change? Is there a reason to not check if $oldip != $curwanip?

    // rc.newwanip
    function restart_packages() {
        global $oldip, $curwanip, $g;

        /* restart packages */
        log_error("{$g['product_name']} package system has detected an IP change or dynamic WAN reconnection - $oldip -> $curwanip - Restarting packages.");
        send_event("service reload packages");
    }

thanks,
Eugenio
Re: [pfSense] HTTP/HTTPS filtering with Pfsense+Squid+Squidguard for cell phones
Lurking on by...if you ever want traffic stats by IP address, without a proxy, check out the BandwidthD package.

https://doc.pfsense.org/index.php/How_can_I_monitor_bandwidth_usage

--
Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Adam Cage
Sent: Wednesday, October 11, 2017 3:06 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] HTTP/HTTPS filtering with Pfsense+Squid+Squidguard for cell phones

... Squid also let me have web traffic statistics with its logs.
Re: [pfSense] pfSense virtualisation
What Lars wrote.

https://doc.pfsense.org/index.php/VirtIO_Driver_Support
https://forum.pfsense.org/index.php?topic=88467.0

YMMV...with Virtuozzo 7 (KVM) I found VirtIO worked but I could not get the Intel or Realtek drivers to pass traffic. The opposite of Virtuozzo 6 as I recall. Also perhaps specific to Virtuozzo was that I had to use some special startup parameters to get pfSense to install and boot.

--
Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Lars Wuerfel
Sent: Wednesday, October 11, 2017 8:38 AM
To: list@lists.pfsense.org
Subject: Re: [pfSense] pfSense virtualisation

Hi Daniel,

On 10/10/2017 09:51 PM, Daniel wrote:
> Hi there,
>
> I'm thinking about removing my 2 hardware firewalls and virtualizing them with KVM on different host servers.

I have several pfSense instances running on KVM/QEMU for two years now successfully, but no HA at the moment.

I had to "Disable hardware checksum offload", "Disable hardware TCP segmentation offload" and "Disable Large Receive Offloading", otherwise the performance is very poor.

HTH
Lars
Re: [pfSense] Every so often I am seeing "[zone: pf frag entries] PF frag entries limit reached" on my monitor attached to my pfsense box.
Not having run into this I searched out of curiosity. Suggests fixing the issue rather than upping the limit:
https://forum.pfsense.org/index.php?topic=92495.0

and https://forum.pfsense.org/index.php?topic=109601.0 mentions "MSS clamping may be required to reduce the effective MTU of the VPN" from https://doc.pfsense.org/index.php/IPsec_Troubleshooting#Packet_Loss_with_Certain_Protocols.

--
Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Hillie Sample
Sent: Monday, October 2, 2017 3:57 PM
To: list@lists.pfsense.org
Subject: [pfSense] Every so often I am seeing "[zone: pf frag entries] PF frag entries limit reached" on my monitor attached to my pfsense box.

Every so often I am seeing "[zone: pf frag entries] PF frag entries limit reached" on my monitor attached to my pfsense box.

I increased System > Advanced, Firewall & NAT tab, "Firewall Maximum Fragment Entries" to 8192 from the default value of 5000 (Thanks Jim Pingle for the tip). I rebooted and unfortunately I am still having the message appear every so often.

Should I increase the limit even higher? Memory, CPU and swap use is all very low.

    2.3.4-RELEASE-p1 (amd64)
    built on Fri Jul 14 14:52:43 CDT 2017
    FreeBSD 10.3-RELEASE-p19
    Intel(R) Core(TM) i5-2500 CPU @ 3.30GHz
    Current: 3300 MHz, Max: 3301 MHz
    4 CPUs: 1 package(s) x 4 core(s)
    4GB Ram

I am using openvpn.

Any advice/suggestions appreciated.

Thanks,
Hillie
Re: [pfSense] Open ports between subnets
Do you have the option to block private networks on both interfaces turned off?

--
Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Antonio
Sent: Saturday, September 30, 2017 7:05 PM
To: list@lists.pfsense.org
Subject: [pfSense] Open ports between subnets

Hi,

I have a media app called EMBY on my android phone (running Android 7.1) connected via the pfsense wifi network (192.168.3.x). It should try to connect to my server on the wired LAN at 192.168.2.X but doesn't appear to do so for some reason.

I inspected firewall logs and it says that packets from 192.168.3.7 (phone) to 192.168.3.1 are blocked. It's almost as if the packets couldn't get past the WIFI gateway into the 192.168.2.X subnet even though I have a rule set up in the wifi that:

a) allows a PASS for IPV4* packets with source "LAN net" to destination * -> "Default allow LAN to any rule"
b) allows IPV4 from 192.168.3.X any port to 192.168.2.2 any port

There must be something that I am missing but can't get my head around it.

Note that the DHCP server on pfsense is assigning 192.168.3.7 to the phone as default via MAC address identification so it's not a DHCP problem.

Any clues on what I could be missing? Why are the packets getting blocked at 192.168.3.x? In the logs, there appear to be a lot of requests from random ports on the mobile device to port 53.

Note that I have another device on the wifi network (a little Adafruit ESP device logging temperature) that is not having these problems and is getting to the server no problem.

I hope you guys can help me work out what is wrong.

Thanks
Antonio

--
Respect your privacy and that of others, don't give your data to big corporations. Use alternatives like Signal (https://whispersystems.org/) for your messaging or Diaspora* (https://joindiaspora.com/) for your social networking.
Re: [pfSense] Multi-WAN and HA. Established connections through a not default gateway are broken when I disable CARP in the master unit.
So you have both dual WAN and CARP?

--
Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of dayer
Sent: Wednesday, September 27, 2017 2:43 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] Multi-WAN and HA. Established connections through a not default gateway are broken when I disable CARP in the master unit.

2017-09-27 20:29 GMT+02:00 Steve Yates <st...@teamits.com>:
> I'm not sure if I am following you correctly, but the WAN CARP IP has
> to be the same on both routers. So router1 has a WAN of a.a.a.a and CARP of
> a.a.a.b, and router2 has a WAN of a.a.a.c and CARP of a.a.a.b. Same thing
> with the LAN IPs.
>
> --
>
> Steve Yates
> ITS, Inc.
>
> -Original Message-
>> If I had to guess: Are you using a CARP address for outbound NAT? If
>> not then the connections *will* break on failover.
>
> Thanks for your reply, Jon :)
>
> Yes, I'm using CARP addresses from each WAN for outbound NAT:
> - WLAN1 CARP, for WLAN1
> - WLAN2 CARP, for WLAN2
>
> In addition, when the *new* master unit routes the established
> traffic, it continues doing the previous NAT according to the state
> synchronised from the previous master. So it continues doing outbound
> NAT with the WLAN2 CARP address, but trying to route through WLAN1.
> This proves that the new master unit has the synchronised states, but
> it tries to route the established connections according to the routing table
> and not to the firewall rules.

Hi Steve!

Exactly. It doesn't matter, I know this behavior is somewhat difficult to explain.

In my example, according to the diagram from [1]:

PC:
- LAN: 192.168.2.1
- GW: 192.168.2.10

Pfsense1:
- LAN: 192.168.2.11
- LAN CARP: 192.168.2.10
- WAN1: 192.168.56.11
- WAN1 CARP: 192.168.56.10
- GW1: 192.168.56.1 (default)
- WAN2: 192.168.57.11
- WAN2 CARP: 192.168.57.10
- GW2: 192.168.57.1

Pfsense2:
- LAN: 192.168.2.12
- LAN CARP: 192.168.2.10
- WAN1: 192.168.56.12
- WAN1 CARP: 192.168.56.10
- GW1: 192.168.56.1 (default)
- WAN2: 192.168.57.12
- WAN2 CARP: 192.168.57.10
- GW2: 192.168.57.1

Outbound NAT settings, something like:
- LAN→WAN1→WAN1 CARP
- LAN→WAN2→WAN2 CARP

Initially (Pfsense1 master; Pfsense2 backup; traffic from LAN is routed through GW2 according to a firewall rule):

SSH from PC → LAN → WAN2 (NAT with WAN2 CARP) → GW2

If I disable CARP in Pfsense1, Pfsense2 is the new master and:
- The *established* connections take this path (wrong): PC → LAN → WAN1 (WAN2 CARP) → GW1
- The *new* connections take this path (right): PC → LAN → WAN2 (WAN2 CARP) → GW2

Regards,

[1]: https://forum.pfsense.org/index.php?topic=136739.msg749477#msg749477
Re: [pfSense] Multi-WAN and HA. Established connections through a not default gateway are broken when I disable CARP in the master unit.
I'm not sure if I am following you correctly, but the WAN CARP IP has to be the same on both routers. So router1 has a WAN of a.a.a.a and CARP of a.a.a.b, and router2 has a WAN of a.a.a.c and CARP of a.a.a.b. Same thing with the LAN IPs.

--
Steve Yates
ITS, Inc.

-Original Message-
> If I had to guess: Are you using a CARP address for outbound NAT? If
> not then the connections *will* break on failover.

Thanks for your reply, Jon :)

Yes, I'm using CARP addresses from each WAN for outbound NAT:
- WLAN1 CARP, for WLAN1
- WLAN2 CARP, for WLAN2

In addition, when the *new* master unit routes the established traffic, it continues doing the previous NAT according to the state synchronised from the previous master. So it continues doing outbound NAT with the WLAN2 CARP address, but trying to route through WLAN1. This proves that the new master unit has the synchronised states, but it tries to route the established connections according to the routing table and not to the firewall rules.
Re: [pfSense] IPv6?
IPv6 has multiple configuration protocols and I'm not sure I have my head around them all either. Generally speaking, addressing is handled by a router because it's supposed to be handing out an address assigned by an upstream router, so IPs are assigned geographically, making large router tables unnecessary. IPv6 doesn't have NAT so every PC gets a public IP and the firewall blocks traffic to/from the outside world. So in your case pfSense should be getting an IPv6 from Comcast, and requesting a subnet from Comcast to assign to PCs on your LAN.

So if your goal is to have a private IPv6 range on your LAN you should probably give up on that and just disable IPv6 on pfSense and you're done. That way PCs can use the Windows domain controller for DNS.

Windows has DHCP for IPv6 but the short version is it won't work...as I vaguely recall, the spec is something like: because it's not a router, it can only assign a /128 address and mask, so no PC can talk to other PCs on the LAN. IPv6s would have to be entered on the PCs manually, or let them get IPv6 from pfSense...but then you're back to needing DNS to point to the Windows server.

--
Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Michael Munger
Sent: Wednesday, September 20, 2017 11:48 AM
To: list <list@lists.pfsense.org>
Subject: [pfSense] IPv6?

TL;DR - I think pfSense should be blocking DHCP6 requests (or responding directly), but I am still getting my ISP's IPv6 address for DNS on machines behind the pfSense firewall. This causes lookup problems since their DNS server is not reliable. I suspect I have a bad config in my pfSense firewall (user error), and need guidance on how to resolve this.

Background:
I have severe problems with IPv6. Most of the IPv6 requests time out, forcing anything that is IPv6 enabled to fall back to IPv4. There's nothing wrong with IPv4, but the timeout is supremely annoying.

NOTE: I understand there is a difference between pfSense and DHCP requests from a client machine. My IPv6 skills are not as strong as my IPv4 skills, so my solution has been to disable IPv6 on any machine that has a problem. But that's a bandaid, and not a good solution.

Symptoms:
I seem to be getting a DNS server of 2603:3001:3805:10f0:223:7dff:fe3b:73ac, which is my ISP's DNS server (Comcast). I cannot figure out where this is coming from. It appears to be coming from Comcast, THROUGH pfSense. How is this DHCP request traversing pfSense to the WAN?

I have a local Windows server, with an fe80:: address, which is a DNS server also. Not sure why this is not being set as DNS via DHCP6 (different issue).

What I want:
I need to stop the timeouts by controlling where the lookups go (which servers are getting served in the DHCP6 requests), which cause the network to bottleneck and requests to take forever. Is there an IPv6 guide / tutorial that I have been unable to find with Google?

I would like to be able to configure pfSense to ignore / block any upstream DNS servers when DHCP6 requests go out. Or, in the alternative, control where they go so I can point them at either my Windows DNS or a bind9 server (or even the resolver in pfSense). Perhaps pfSense is forwarding the requests upstream instead of responding itself?

--
Michael Munger, dCAP, MCPS, MCNPS, MBSS
High Powered Help, Inc.
Microsoft Certified Professional
Microsoft Certified Small Business Specialist
Digium Certified Asterisk Professional
mich...@highpoweredhelp.com
Re: [pfSense] bandwithd
For what it's worth we installed this package yesterday and had no issues. All we did was Enable BandwidthD, and set "Subnet(s) for Statistics Collection" to LAN. I noticed the package installation does have a warning at the end that no one is maintaining bandwidthd (the FreeBSD package, I think) anymore.

--
Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Daniel
Sent: Tuesday, August 22, 2017 5:15 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] bandwithd

Hi there,

I installed BandwidthD through the Package Manager. After setting up BandwidthD I got an error when I try to access BandwidthD:

Fatal error: Call to undefined function read_package_configurationfile() in /usr/local/www/guiconfig.inc on line 1053

Call Stack:
0. 226984 1. {main}() /usr/local/www/diag_bandwidthd.php:0
0.0243 3592344 2. add_package_tabs() /usr/local/www/diag_bandwidthd.php:29

PHP ERROR: Type: 1, File: /usr/local/www/guiconfig.inc, Line: 1053, Message: Call to undefined function read_package_configurationfile()

Is there any known issue? I am looking for an issue to count traffic for each IP.

--
Regards
Daniel
Re: [pfSense] Routing Vlan
On the interface(s) is "Block private networks" checked?

--
Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of WolfSec-Support
Sent: Thursday, August 17, 2017 3:31 AM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] Routing Vlan

Hi,

- does the test client .50.20 have the .50.1 as standard gateway?
- does the L3 switch know in its routing table that the 192.168.0.0/24 network is behind .50.2?
- check the pfSense NAT setup - maybe NAT on pfSense causes this? try to disable NAT here for a test
- also check routes on pfSense

BR
Stephan

2017-08-17 0:00 GMT+02:00 Getzan Avila <get...@gmail.com>:
> Hi List,
>
> I will appreciate all your help.
>
> I'm setting up a VLAN scenario with an L3 switch, creating a VLAN50 (Voice)
> with IP 192.168.50.1 in the switch. The pfSense LAN is 192.168.0.1 and
> the pfSense VLAN50 IP is 192.168.50.2. I can ping the host in the VLAN50
> and vice versa. But when I tried to access the server in the LAN, IP
> 192.168.0.201, I received this error:
>
> VLAN50 udp 192.168.50.20:9301 -> 192.168.0.201:9300 NO_TRAFFIC:SINGLE 1.207 K / 0 165 KiB / 0 B
>
> I set up in the firewall on the LAN interface accept all IPv4 traffic for the
> VLAN50 and the same for VLAN50 to LAN.
>
> Thanks in advance.
>
> regards
>
> Getzan
Re: [pfSense] 2.3.2 upgrade only offers 2.3.3_1
What happens if you try the fix from my "Update to 2.3.4(_1) fails (Not Found)" thread?

"https://forum.pfsense.org/index.php?topic=125873.msg695386#msg695386
I did that procedure as stated (switch to dev, check for update via SSH, cancel, switch to stable) and the update installs now."

I am wondering if the update check is not always picking up newer update info for some reason.

To answer your question, I know I've skipped revisions before. I am fairly certain I've skipped minor versions also.

--
Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Brian Candler
Sent: Friday, July 28, 2017 3:43 AM
To: pfSense support and discussion <list@lists.pfsense.org>
Subject: [pfSense] 2.3.2 upgrade only offers 2.3.3_1

I have an instance of 2.3.2, and when I ask for system updates it only tells me that 2.3.3_1 is available - whereas I know 2.3.4_1 has been released.

Is that expected? That is, do I need to go stepwise to 2.3.3_1, reboot, and then upgrade again? Or should I have been offered the direct upgrade?
Re: [pfSense] Update to 2.3.4(_1) fails (Not Found)
FWIW, I just updated two others from 2.3.3_1 to 2.3.4_1 without this issue.

--
Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Steve Yates
Sent: Tuesday, July 25, 2017 5:35 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] Update to 2.3.4(_1) fails (Not Found)

I tried again today and it failed. I found this post
https://forum.pfsense.org/index.php?topic=134042.0
which referred to:
https://forum.pfsense.org/index.php?topic=125873.msg695386#msg695386

I did that procedure as stated (switch to dev, check for update via SSH, cancel, switch to stable) and the update installs now. Log shows:

[1/75] Fetching pfSense-rc-2.3.4_1.txz: . done

Looks like it was maybe stuck looking for 2.3.4 and should have been looking for 2.3.4_1?

--
Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Steve Yates
Sent: Monday, July 24, 2017 12:39 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] Update to 2.3.4(_1) fails (Not Found)

This happened last week so I thought I'd wait a bit and try again. I'm updating from 2.3.3_1 to 2.3.4_1.

Error:
pkg: https://pkg.pfsense.org/pfSense_v2_3_4_amd64-core/All/pfSense-rc-2.3.4.txz: Not Found
Re: [pfSense] Update to 2.3.4(_1) fails (Not Found)
I tried again today and it failed. I found this post
https://forum.pfsense.org/index.php?topic=134042.0
which referred to:
https://forum.pfsense.org/index.php?topic=125873.msg695386#msg695386

I did that procedure as stated (switch to dev, check for update via SSH, cancel, switch to stable) and the update installs now. Log shows:

[1/75] Fetching pfSense-rc-2.3.4_1.txz: . done

Looks like it was maybe stuck looking for 2.3.4 and should have been looking for 2.3.4_1?

--
Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Steve Yates
Sent: Monday, July 24, 2017 12:39 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] Update to 2.3.4(_1) fails (Not Found)

This happened last week so I thought I'd wait a bit and try again. I'm updating from 2.3.3_1 to 2.3.4_1.

Error:
pkg: https://pkg.pfsense.org/pfSense_v2_3_4_amd64-core/All/pfSense-rc-2.3.4.txz: Not Found

Remembering earlier conversations, pfSense uses an SRV record for downloading, so:

; <<>> DiG 9.10.3-P4 <<>> srv _https._tcp.pkg.pfsense.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54700
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;_https._tcp.pkg.pfsense.org. IN SRV

;; ANSWER SECTION:
_https._tcp.pkg.pfsense.org. 60 IN SRV 10 10 443 files00.netgate.com.
_https._tcp.pkg.pfsense.org. 60 IN SRV 10 10 443 files01.netgate.com.

;; ADDITIONAL SECTION:
files00.netgate.com. 3471 IN A 162.208.119.41
files00.netgate.com. 3471 IN 2610:1c1:0:6::41
files01.netgate.com. 3231 IN A 162.208.119.40
files01.netgate.com. 3231 IN 2610:1c1:0:6::40

However https://files00.netgate.com/pfSense_v2_3_4_amd64-core/All/pfSense-rc-2.3.4.txz shows a 404 error? https://files00.netgate.com/pfSense_v2_3_4_amd64-core/All/ does not list that file...it lists several 2.3.4_1 files.

Should a version upgrade go from 2.3.3_1 to 2.3.4 and then to 2.3.4_1, which is what I recall from earlier upgrades? Or straight to 2.3.4_1, in which case the upgrader seems to be looking for an old file...?

Update Settings is using the Stable (Default) branch. Log shows:

>>> Updating repositories metadata...
Updating pfSense-core repository catalogue...
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
pfSense repository is up to date.
All repositories are up to date.
>>> Unlocking package pfSense-kernel-pfSense... done.
>>> Downloading upgrade packages...
Updating pfSense-core repository catalogue...
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
pfSense repository is up to date.
All repositories are up to date.
Checking for upgrades (129 candidates): .. done
Processing candidates (129 candidates): . done
The following 76 package(s) will be affected (of 0 checked):

Installed packages to be UPGRADED:
(...long list...)

Installed packages to be REINSTALLED:
(...15 packages...)

Number of packages to be upgraded: 61
Number of packages to be reinstalled: 15

The process will require 1 MiB more space.
68 MiB to be downloaded.
pkg: https://pkg.pfsense.org/pfSense_v2_3_4_amd64-core/All/pfSense-rc-2.3.4.txz: Not Found
>>> Locking package pfSense-kernel-pfSense... done.
Failed

--
Steve Yates
ITS, Inc.
Re: [pfSense] Update to 2.3.4(_1) fails (Not Found)
Hmm, OK, if my theory is correct those will see the patch OK, but it is the 2.3.4 file that is missing. I had just started updating from 2.3.3 but saw that 2.3.4_1 was coming out shortly and thought I'd do them together (well, in sequence, but one set of reboots) like I have in the past. So I have one I can do from 2.3.4 but not until out of hours.

--
Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Doug Lytle
Sent: Tuesday, July 25, 2017 2:28 PM
To: pfSense <list@lists.pfsense.org>
Subject: Re: [pfSense] Update to 2.3.4(_1) fails (Not Found)

>>> Hmm, has anyone been able to upgrade from 2.3.x or earlier to 2.3.4_1 since
>>> its release Thursday? Or perhaps everyone on this list was on 2.3.4
>>> already... :)

All of my systems are currently 2.3.4, I'll be doing updates tonight when I get home

Doug
Re: [pfSense] Update to 2.3.4(_1) fails (Not Found)
Hmm, has anyone been able to upgrade from 2.3.x or earlier to 2.3.4_1 since its release Thursday? Or perhaps everyone on this list was on 2.3.4 already... :)

--
Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Steve Yates
Sent: Monday, July 24, 2017 12:39 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] Update to 2.3.4(_1) fails (Not Found)

This happened last week so I thought I'd wait a bit and try again. I'm updating from 2.3.3_1 to 2.3.4_1.

Error:
pkg: https://pkg.pfsense.org/pfSense_v2_3_4_amd64-core/All/pfSense-rc-2.3.4.txz: Not Found

Remembering earlier conversations, pfSense uses an SRV record for downloading, so:

; <<>> DiG 9.10.3-P4 <<>> srv _https._tcp.pkg.pfsense.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54700
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;_https._tcp.pkg.pfsense.org. IN SRV

;; ANSWER SECTION:
_https._tcp.pkg.pfsense.org. 60 IN SRV 10 10 443 files00.netgate.com.
_https._tcp.pkg.pfsense.org. 60 IN SRV 10 10 443 files01.netgate.com.

;; ADDITIONAL SECTION:
files00.netgate.com. 3471 IN A 162.208.119.41
files00.netgate.com. 3471 IN 2610:1c1:0:6::41
files01.netgate.com. 3231 IN A 162.208.119.40
files01.netgate.com. 3231 IN 2610:1c1:0:6::40

However https://files00.netgate.com/pfSense_v2_3_4_amd64-core/All/pfSense-rc-2.3.4.txz shows a 404 error? https://files00.netgate.com/pfSense_v2_3_4_amd64-core/All/ does not list that file...it lists several 2.3.4_1 files.

Should a version upgrade go from 2.3.3_1 to 2.3.4 and then to 2.3.4_1, which is what I recall from earlier upgrades? Or straight to 2.3.4_1, in which case the upgrader seems to be looking for an old file...?

Update Settings is using the Stable (Default) branch. Log shows:

>>> Updating repositories metadata...
Updating pfSense-core repository catalogue...
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
pfSense repository is up to date.
All repositories are up to date.
>>> Unlocking package pfSense-kernel-pfSense... done.
>>> Downloading upgrade packages...
Updating pfSense-core repository catalogue...
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
pfSense repository is up to date.
All repositories are up to date.
Checking for upgrades (129 candidates): .. done
Processing candidates (129 candidates): . done
The following 76 package(s) will be affected (of 0 checked):

Installed packages to be UPGRADED:
(...long list...)

Installed packages to be REINSTALLED:
(...15 packages...)

Number of packages to be upgraded: 61
Number of packages to be reinstalled: 15

The process will require 1 MiB more space.
68 MiB to be downloaded.
pkg: https://pkg.pfsense.org/pfSense_v2_3_4_amd64-core/All/pfSense-rc-2.3.4.txz: Not Found
>>> Locking package pfSense-kernel-pfSense... done.
Failed

--
Steve Yates
ITS, Inc.
[pfSense] Update to 2.3.4(_1) fails (Not Found)
This happened last week so I thought I'd wait a bit and try again. I'm updating from 2.3.3_1 to 2.3.4_1.

Error:
pkg: https://pkg.pfsense.org/pfSense_v2_3_4_amd64-core/All/pfSense-rc-2.3.4.txz: Not Found

Remembering earlier conversations, pfSense uses an SRV record for downloading, so:

; <<>> DiG 9.10.3-P4 <<>> srv _https._tcp.pkg.pfsense.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54700
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;_https._tcp.pkg.pfsense.org. IN SRV

;; ANSWER SECTION:
_https._tcp.pkg.pfsense.org. 60 IN SRV 10 10 443 files00.netgate.com.
_https._tcp.pkg.pfsense.org. 60 IN SRV 10 10 443 files01.netgate.com.

;; ADDITIONAL SECTION:
files00.netgate.com. 3471 IN A 162.208.119.41
files00.netgate.com. 3471 IN 2610:1c1:0:6::41
files01.netgate.com. 3231 IN A 162.208.119.40
files01.netgate.com. 3231 IN 2610:1c1:0:6::40

However https://files00.netgate.com/pfSense_v2_3_4_amd64-core/All/pfSense-rc-2.3.4.txz shows a 404 error? https://files00.netgate.com/pfSense_v2_3_4_amd64-core/All/ does not list that file...it lists several 2.3.4_1 files.

Should a version upgrade go from 2.3.3_1 to 2.3.4 and then to 2.3.4_1, which is what I recall from earlier upgrades? Or straight to 2.3.4_1, in which case the upgrader seems to be looking for an old file...?

Update Settings is using the Stable (Default) branch. Log shows:

>>> Updating repositories metadata...
Updating pfSense-core repository catalogue...
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
pfSense repository is up to date.
All repositories are up to date.
>>> Unlocking package pfSense-kernel-pfSense... done.
>>> Downloading upgrade packages...
Updating pfSense-core repository catalogue...
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
pfSense repository is up to date.
All repositories are up to date.
Checking for upgrades (129 candidates): .. done
Processing candidates (129 candidates): . done
The following 76 package(s) will be affected (of 0 checked):

Installed packages to be UPGRADED:
(...long list...)

Installed packages to be REINSTALLED:
(...15 packages...)

Number of packages to be upgraded: 61
Number of packages to be reinstalled: 15

The process will require 1 MiB more space.
68 MiB to be downloaded.
pkg: https://pkg.pfsense.org/pfSense_v2_3_4_amd64-core/All/pfSense-rc-2.3.4.txz: Not Found
>>> Locking package pfSense-kernel-pfSense... done.
Failed

--
Steve Yates
ITS, Inc.
Re: [pfSense] Upgrading versions - uninstall packages?
Ah, I see, thanks. I read right over that word I guess!

--
Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of J. Hellenthal
Sent: Thursday, July 20, 2017 6:26 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] Upgrading versions - uninstall packages?

Ah, that makes sense. Major upgrade I wasn't considering for this, but I'd consider major in this case to be from 1.x to 2.x to 3.x, as x=minor in accordance with FreeBSD development. Hope that clears that up.

Major.Minor.Revision_PatchLevel

--
Onward!,
Jason Hellenthal,
Systems & Network Admin,
Mobile: 0x9CA0BD58,
JJH48-ARIN

On Jul 20, 2017, at 17:02, Steve Yates <st...@teamits.com> wrote:

I figured they were probably harmless but this may be my first time upgrading with pfBlockerNG installed.

https://doc.pfsense.org/index.php/Upgrade_Guide#Packages

To save a click, the entire section's text:

"It is always safest to remove packages before upgrading to a new major release. Packages will be reinstalled afterward, but are frequently a source of problems. To ensure a smooth upgrade, note the installed packages, remove them, perform the upgrade, and then reinstall whichever packages are necessary."

--
Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of J. Hellenthal
Sent: Thursday, July 20, 2017 4:54 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] Upgrading versions - uninstall packages?

I for one have not had to do this thus far. But those pfB messages are harmless and more of an alert that you will need to reload the IP tables afterwards, but that's trivial.

Keep in mind that I have not done that upgrade yet in a test environment before a maintenance window I have on Saturday.

Curious, do you have a link of where it states to remove those? I'd like to review the reason why as I can't see anything other than they just don't want you to block IP comm to the update servers.

--
Onward!,
Jason Hellenthal,
Systems & Network Admin,
Mobile: 0x9CA0BD58,
JJH48-ARIN

On Jul 20, 2017, at 16:27, Steve Yates <st...@teamits.com> wrote:

I started to upgrade from 2.3.3_1 to 2.3.4_1 today and as instructed by the docs I uninstalled Suricata and pfBlockerNG first. I immediately got a flood of alerts like "Unresolvable source alias 'pfB_GeoIPUSv4' for rule ...". Those are of course popular packages. Do you all normally uninstall and reinstall either or both of those two packages during version upgrades?

Thanks,

Steve Yates
ITS, Inc.
Re: [pfSense] Upgrading versions - uninstall packages?
I figured they were probably harmless but this may be my first time upgrading with pfBlockerNG installed.

https://doc.pfsense.org/index.php/Upgrade_Guide#Packages

To save a click, the entire section's text:

"It is always safest to remove packages before upgrading to a new major release. Packages will be reinstalled afterward, but are frequently a source of problems. To ensure a smooth upgrade, note the installed packages, remove them, perform the upgrade, and then reinstall whichever packages are necessary."

--
Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of J. Hellenthal
Sent: Thursday, July 20, 2017 4:54 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] Upgrading versions - uninstall packages?

I for one have not had to do this thus far. But those pfB messages are harmless and more of an alert that you will need to reload the IP tables afterwards, but that's trivial.

Keep in mind that I have not done that upgrade yet in a test environment before a maintenance window I have on Saturday.

Curious, do you have a link of where it states to remove those? I'd like to review the reason why as I can't see anything other than they just don't want you to block IP comm to the update servers.

--
Onward!,
Jason Hellenthal,
Systems & Network Admin,
Mobile: 0x9CA0BD58,
JJH48-ARIN

On Jul 20, 2017, at 16:27, Steve Yates <st...@teamits.com> wrote:

I started to upgrade from 2.3.3_1 to 2.3.4_1 today and as instructed by the docs I uninstalled Suricata and pfBlockerNG first. I immediately got a flood of alerts like "Unresolvable source alias 'pfB_GeoIPUSv4' for rule ...". Those are of course popular packages. Do you all normally uninstall and reinstall either or both of those two packages during version upgrades?

Thanks,

Steve Yates
ITS, Inc.
[pfSense] Upgrading versions - uninstall packages?
I started to upgrade from 2.3.3_1 to 2.3.4_1 today and as instructed by the docs I uninstalled Suricata and pfBlockerNG first. I immediately got a flood of alerts like "Unresolvable source alias 'pfB_GeoIPUSv4' for rule ...". Those are of course popular packages. Do you all normally uninstall and reinstall either or both of those two packages during version upgrades?

Thanks,

Steve Yates
ITS, Inc.
Re: [pfSense] 2.3.4-RELEASE (amd64) - Kernel Panics
Are you running limiters in an HA configuration by chance? There's a known issue there. (https://forum.pfsense.org/index.php?topic=87541.new;topicseen#new)

--
Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of WebDawg
Sent: Wednesday, July 12, 2017 8:44 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] 2.3.4-RELEASE (amd64) - Kernel Panics

Hello,

I just upgraded 2.3.something to 2.3.4 and immediately upon reboot experienced kernel panics/crash dumps over and over. The system would cycle over and over. I stopped the process thinking I had a bad RAID but upon a fresh install of 2.3.4 I experienced the same thing, except this time the system rebooted 2 times with the panics:

<118>Synchronizing user settings...

Fatal trap 12: page fault while in kernel mode
cpuid = 4; apic id = 04
fault virtual address = 0x0
fault code = supervisor read data, page not present
instruction pointer = 0x20:0x80d716ee
stack pointer = 0x28:0xfe0467c5ea00
frame pointer = 0x28:0xfe0467c5ea20
code segment = base 0x0, limit 0xf, type 0x1b
= DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 12 (swi1: pfsync)

And then fixed itself. I proceeded to reboot it a few times with no more panics. I submitted a crash dump to pfSense but has anyone seen this on x64 Intel hardware?
Re: [pfSense] MBR restore
Restoring the config will install packages on the new device, also, as I recall.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of WebDawg
Sent: Friday, June 30, 2017 10:15 AM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] MBR restore

To pile on. The config is manually editable also. In fact sometimes you have to edit it when moving to new hardware because the interface names are not the same. It is by far the best way to move a pfsense install...

On Fri, Jun 30, 2017 at 10:35 AM, Steve Yates <st...@teamits.com> wrote:
> If you can log into the old one, use Diagnostics/Backup & Restore to
> download the config. Restore it to the new one and it will prompt to remap
> the interfaces (WAN=em0, etc).
>
> Searching, it looks like the file on disk is /conf/config.xml?
>
> --
>
> Steve Yates
> ITS, Inc.
>
> -----Original Message-----
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Nicola
> Ferrari (#554252)
> Sent: Friday, June 30, 2017 9:31 AM
> To: list@lists.pfsense.org
> Subject: Re: [pfSense] MBR restore
>
> On 30/06/2017 16:20, Steve Yates wrote:
> > Even if the config wasn't exported (the original died) it might be
> > faster to copy the file off the drive from wherever it lives?
>
> Thanks Steve for your suggestion.
> I'm not an expert in pfSense.. What file(s) do we need to transfer from
> the original install, to restore config in a new one?
>
> N
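WebDawg's point about editing the config when the NIC names differ on the new hardware can be done before the restore rather than through the interface-assignment prompt. The script below is an added example (not pfSense code and not part of the thread): it rewrites the <if> element under each logical interface in <interfaces> according to an old-name/new-name mapping, refuses a mapping that puts two old NICs on one new NIC, and reports, without touching them, any other <if> that still names an old NIC (VLAN parents, bridges, laggs), because derived names such as em1_vlan10 would need their <vlanif> rewritten as well. The config fragment is constructed; the em0-to-igb0 style of rename is an assumed scenario.

```python
"""Remap physical NIC names in a pfSense config.xml before restoring it on
different hardware (e.g. em0/em1/em2 on the old box become igb0/igb1/igb2 on
the new one). Added example, not pfSense code; SAMPLE_CONFIG is a constructed
fragment. Only <interfaces>/*/<if> is rewritten; any other <if> that matches
the mapping is reported as a leftover so it can be handled by hand.
"""
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <wan><enable/><if>em0</if><ipaddr>dhcp</ipaddr></wan>
    <lan><enable/><if>em1</if><ipaddr>192.168.2.1</ipaddr><subnet>24</subnet></lan>
    <opt1><enable/><if>em2</if><descr>DMZ</descr></opt1>
  </interfaces>
  <vlans>
    <vlan><if>em1</if><tag>10</tag><vlanif>em1_vlan10</vlanif></vlan>
  </vlans>
</pfsense>"""


def mapping_is_injective(mapping):
    """Two old NICs must never be mapped onto the same new NIC."""
    return len(set(mapping.values())) == len(mapping)


def remap_interfaces(config_xml, mapping):
    """Rewrite <interfaces>/*/<if> per mapping (old name -> new name).

    Returns (new config.xml text, leftovers), where leftovers is a list of
    (parent element tag, old NIC name) for <if> elements outside <interfaces>
    that still reference a NIC in the mapping and were deliberately left alone.
    """
    if not mapping_is_injective(mapping):
        raise ValueError("two interfaces mapped to the same NIC")
    root = ET.fromstring(config_xml)
    # ElementTree has no parent pointers; build a child -> parent map once.
    parents = {child: parent for parent in root.iter() for child in parent}
    handled = set()
    ifaces = root.find("interfaces")
    if ifaces is not None:
        for logical in ifaces:  # wan, lan, opt1, ...
            ifnode = logical.find("if")
            if ifnode is not None and ifnode.text in mapping:
                ifnode.text = mapping[ifnode.text]
                handled.add(ifnode)
    leftovers = [(parents[n].tag, n.text) for n in root.iter("if")
                 if n not in handled and n.text in mapping]
    return ET.tostring(root, encoding="unicode"), leftovers


def assigned_nic(config_xml, logical_name):
    """The physical NIC currently assigned to a logical interface (wan, lan, opt1...)."""
    return ET.fromstring(config_xml).findtext(f"interfaces/{logical_name}/if")


if __name__ == "__main__":
    new_xml, left = remap_interfaces(SAMPLE_CONFIG, {"em0": "igb0", "em1": "igb1", "em2": "igb2"})
    for name in ("wan", "lan", "opt1"):
        print(name, "->", assigned_nic(new_xml, name))
    for tag, old in left:
        print(f"left alone: <{tag}> still references {old}; fix by hand")
```

Check the leftovers list before restoring: a VLAN whose parent still says em1 will not come up on a box that only has igb1.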
Re: [pfSense] MBR restore
If you can log into the old one, use Diagnostics/Backup & Restore to download the config. Restore it to the new one and it will prompt to remap the interfaces (WAN=em0, etc).

Searching, it looks like the file on disk is /conf/config.xml?

-- 
Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Nicola Ferrari (#554252)
Sent: Friday, June 30, 2017 9:31 AM
To: list@lists.pfsense.org
Subject: Re: [pfSense] MBR restore

On 30/06/2017 16:20, Steve Yates wrote:
> Even if the config wasn't exported (the original died) it might be faster to
> copy the file off the drive from wherever it lives?

Thanks Steve for your suggestion.
I'm not an expert in pfSense.. What file(s) do we need to transfer from the original install, to restore config in a new one?

N
Re: [pfSense] MBR restore
Agreed that is likely the easiest way. Installation is fast and config restore trivial. Even if the config wasn't exported (the original died) it might be faster to copy the file off the drive from wherever it lives?

-- 
Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Kostas Backas
Sent: Friday, June 30, 2017 6:17 AM
To: list@lists.pfsense.org; pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] MBR restore

Maybe install a fresh version and restore a backup?

Kostas

Sent from my iPhone

From: List <list-boun...@lists.pfsense.org> on behalf of Nicola Ferrari (#554252) <nick-li...@posteo.eu>
Sent: Friday, June 30, 2017 2:02:47 PM
To: list@lists.pfsense.org
Subject: [pfSense] MBR restore

Hi guys!
I'm writing here since one of my colleagues had to move a pfsense install to new hardware, so imaged the pfsense using clonezilla but forgot to enable the option to save the MBR also.
So, after restoring the image, pfSense is no longer able to boot.
What's the best way to restore the MBR on an existing and already-configured pfSense install?

Thanks to everybody!
Nick
Re: [pfSense] bulk update of multiple aliases & rules
On the off chance they're coming from another pfSense, perhaps export the configs and copy/paste.

-- 
Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Lee Damon
Sent: Thursday, June 29, 2017 4:17 PM
To: list@lists.pfsense.org
Subject: [pfSense] bulk update of multiple aliases & rules

I need to add roughly 200 aliases and 100 rules to a new (redundant) firewall set. They're currently set up so any alias or rule added to one via the GUI shows up on the other one automagically. However, instead of sitting there and manually creating every alias and every rule I would really like to do a bulk update. I'm reasonably sure the alias-url option is "one alias with lots of entries" as opposed to "lots of aliases" so I'm looking for alternatives.

Any suggestions on easy and reliable methods of doing mass updates like this?

thanks,
nomad
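For the "lots of aliases" case, generating the <alias> entries and merging them into an exported config.xml for restore is the bulk route Steve's copy/paste suggestion points at. The script below is an added example (not pfSense code and not part of the thread): it reads a simple CSV of aliases, rejects names and entries pfSense would refuse, skips names that already exist in the config, and appends the valid ones under <aliases>. Assumptions: the name rule enforced here (letters, digits and underscore only) is the one the pfSense GUI applies, pfSense also rejects names that collide with interface names and reserved words (not known to this script), and a new alias only needs name, type, address and descr to load. The CSV and config fragment are constructed.

```python
"""Generate pfSense <alias> entries in bulk from a CSV and merge them into the
<aliases> section of an exported config.xml, for restore through
Diagnostics / Backup & Restore. Added example, not pfSense code; SAMPLE_CSV
and SAMPLE_CONFIG are constructed. Alias types handled: host, network, port.
"""
import csv
import io
import ipaddress
import re
import xml.etree.ElementTree as ET

# Assumed to match the GUI's alias name check: letters, digits, underscore.
NAME_RE = re.compile(r"^[A-Za-z0-9_]+$")
# Host aliases may hold FQDNs as well as IPs.
HOST_RE = re.compile(r"^[A-Za-z0-9.-]+$")

# Constructed input: name,type,descr,space-separated entries
SAMPLE_CSV = """name,type,descr,entries
WebServers,host,public web tier,10.1.2.12 10.1.2.13
Office_Nets,network,office subnets,192.168.2.0/24 192.168.3.0/24
Mgmt_Ports,port,management ports,22 443 8443
bad name,host,has a space,10.0.0.1
Broken_Net,network,not a cidr,192.168.4.0/33
"""

SAMPLE_CONFIG = """<pfsense><aliases>
  <alias><name>WebServers</name><type>host</type><address>10.1.2.12</address><descr>existing</descr></alias>
</aliases></pfsense>"""


def valid_entry(alias_type, value):
    """Is one entry acceptable for an alias of this type?"""
    try:
        if alias_type == "network":
            ipaddress.ip_network(value, strict=True)
            return True
        if alias_type == "host":
            try:
                ipaddress.ip_address(value)
                return True
            except ValueError:
                return bool(HOST_RE.match(value))
        if alias_type == "port":
            parts = value.split(":")  # "443" or "1024:65535"
            return 1 <= len(parts) <= 2 and all(
                p.isdigit() and 1 <= int(p) <= 65535 for p in parts)
    except ValueError:
        return False
    return False


def existing_alias_names(config_xml):
    return {a.findtext("name") for a in ET.fromstring(config_xml).iter("alias")}


def parse_alias_csv(text, existing_names):
    """Return (aliases to add, [(name, reason)] rejected)."""
    good, rejected = [], []
    seen = set(existing_names)
    for row in csv.DictReader(io.StringIO(text)):
        name, atype = row["name"].strip(), row["type"].strip()
        entries = row["entries"].split()
        if not NAME_RE.match(name):
            rejected.append((name, "invalid characters in name"))
        elif name in seen:
            rejected.append((name, "duplicate of an existing alias"))
        elif atype not in ("host", "network", "port"):
            rejected.append((name, f"unsupported type {atype}"))
        elif not entries or not all(valid_entry(atype, e) for e in entries):
            rejected.append((name, "malformed entry"))
        else:
            seen.add(name)
            good.append({"name": name, "type": atype,
                         "descr": row["descr"].strip(), "entries": entries})
    return good, rejected


def merge_aliases(config_xml, aliases):
    """Append <alias> elements under <aliases>; returns the new config text."""
    root = ET.fromstring(config_xml)
    section = root.find("aliases")
    if section is None:
        section = ET.SubElement(root, "aliases")
    for a in aliases:
        node = ET.SubElement(section, "alias")
        ET.SubElement(node, "name").text = a["name"]
        ET.SubElement(node, "type").text = a["type"]
        ET.SubElement(node, "address").text = " ".join(a["entries"])  # space-separated, as pfSense stores it
        ET.SubElement(node, "descr").text = a["descr"]
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    good, rejected = parse_alias_csv(SAMPLE_CSV, existing_alias_names(SAMPLE_CONFIG))
    for name, reason in rejected:
        print(f"skipped {name!r}: {reason}")
    print(merge_aliases(SAMPLE_CONFIG, good))
```

Restore the merged file on one node and let XMLRPC sync carry the aliases to the other; keep the rejected list, since a single bad alias name in the restored config is harder to find than a line in a CSV.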
Re: [pfSense] Network interruption on pfSense Firewall
>> Can you try to set disable hardware offloading in pfsense advanced.

> What would that do?

In Xen, at least, it's basically necessary to get usable throughput from VirtIO adapters. It also solved a slew of false positives in our Suricata setup on our previous virtualization, and I want to say on at least one physical server also since we have it disabled there. Worst case it uses a bit more CPU and you can turn it back on pretty easily.

https://doc.pfsense.org/index.php/Lost_Traffic_/_Packets_Disappear
https://doc.pfsense.org/index.php/Tuning_and_Troubleshooting_Network_Cards#TSO.2FLRO
(https://doc.pfsense.org/index.php/VirtIO_Driver_Support
Xen/KVM networking will not work using default hypervisor settings!: https://forum.pfsense.org/index.php?topic=88467.0)

-- 
Steve Yates
ITS, Inc.
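To see what the "disable hardware offloading" checkboxes actually change, it helps to read the option flags ifconfig reports for the NIC before and after. The snippet below is an added example (not pfSense code and not part of the thread): a POSIX sh function that pulls the offload-related flags out of `ifconfig <if>` output and a second one that prints the FreeBSD ifconfig command which turns off exactly those features. The sample output for a hypothetical VirtIO interface vtnet0 is constructed; the flag names (RXCSUM, TXCSUM, TSO4/TSO6, LRO and their IPv6 variants) and the corresponding ifconfig switches are FreeBSD's.

```shell
#!/bin/sh
# Added example (not from the pfSense project): list the NIC offload features
# that are enabled, from `ifconfig <if>` output, and build the ifconfig command
# that disables them. SAMPLE is constructed output for a hypothetical vtnet0.

SAMPLE='vtnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=6c07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
	ether 00:16:3e:00:00:01
	inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255'

# enabled_offload "<ifconfig output>": print enabled offload options, one per line.
enabled_offload() {
  printf '%s\n' "$1" \
    | sed -n 's/.*options=[0-9a-f]*<\(.*\)>.*/\1/p' \
    | tr ',' '\n' \
    | grep -E '^(RXCSUM|TXCSUM|RXCSUM_IPV6|TXCSUM_IPV6|TSO4|TSO6|LRO)$' || true
}

# disable_command <ifname> "<ifconfig output>": the ifconfig invocation that
# turns off every offload feature currently enabled (FreeBSD switch names).
disable_command() {
  ifname=$1
  flags=''
  for opt in $(enabled_offload "$2"); do
    case $opt in
      RXCSUM)      flags="$flags -rxcsum" ;;
      TXCSUM)      flags="$flags -txcsum" ;;
      RXCSUM_IPV6) flags="$flags -rxcsum6" ;;
      TXCSUM_IPV6) flags="$flags -txcsum6" ;;
      TSO4|TSO6)   case " $flags " in *" -tso "*) ;; *) flags="$flags -tso" ;; esac ;;
      LRO)         flags="$flags -lro" ;;
    esac
  done
  if [ -n "$flags" ]; then
    printf 'ifconfig %s%s\n' "$ifname" "$flags"
  fi
}

enabled_offload "$SAMPLE"
disable_command vtnet0 "$SAMPLE"
```

On a live pfSense box replace `"$SAMPLE"` with `"$(ifconfig vtnet0)"`; the printed command is what the GUI setting amounts to per interface, and running ifconfig again afterwards confirms the flags are gone.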
Re: [pfSense] Restoring at remote location before deployment
We did something similar when setting up our data center routers. Added a public subnet on the LAN side of our own pfSense, NATted to the Internet. It works because of the NAT so the public IPs don't leave our office. The data center routers had another public subnet on their LAN side (since we have a /25 block routed to us), so as I recall there were a few routing configuration changes to ensure traffic for those IPs was routed back inside our office and didn't go out to the Internet. But for just one public IP that isn't necessary. So I suppose a workaround would be to put the WAN gateway IP in your own pfSense and the new router would talk to it.

-- 
Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Mark Wiater
Sent: Thursday, May 18, 2017 8:27 AM
To: list@lists.pfsense.org
Subject: Re: [pfSense] Restoring at remote location before deployment

On 5/17/2017 3:44 PM, Steven Spencer wrote:
> All,
>
> When restoring a configuration for a site, we often do so from the home
> office and then deploy after we are sure hardware is working as
> expected. That means that we are restoring a backup and then on reboot,
> there is no active WAN (because the WAN IP is set for the remote
> location on restore)

I do the same, build up the system in the home office for testing.

I've created a separate environment within the home office that allows for the unit under test to hit the internet after getting natted to the home office's IP addresses.
Re: [pfSense] How To install MySQL on Pfsense 2.4
Supposedly one can just install FreeBSD packages (https://doc.pfsense.org/index.php/Installing_FreeBSD_Packages) along with manually installing any dependencies, but as the page says it "may break the firewall."

-- 
Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Sean Cavanaugh
Sent: Tuesday, May 16, 2017 4:59 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] How To install MySQL on Pfsense 2.4

Best practice is to run as few services as possible on a firewall to reduce the possible attack footprint. The more services you run on the firewall, the more vulnerable it becomes to being broken into. That is why the recommendation to virtualize the box and at least logically partition the services away from affecting the firewall.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of rai...@ultra-secure.de
Sent: Tuesday, May 16, 2017 8:04 AM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] How To install MySQL on Pfsense 2.4

On 2017-05-16 13:30, Sean Cavanaugh wrote:
> The only sane way to do this on a single box would be by installing a
> hypervisor on the server (such as VMware ESXi) and running pfsense as
> a virtual machine within it as well as a second virtual machine to
> host any other non-firewall related applications (MySQL, FreeRADIUS).
>
> There is obviously going to be a performance hit from sharing the
> resources but should be minimal if all you are doing is hosting a user
> database and RADIUS server for pfSense.

While it may not be the most clever idea, technically it should be possible, right?

I'm not too familiar with the inner workings of pfSense - but I assume there is a partition or directory in the installation that (provided pfSense is installed on a HD and not a read-only medium) persists data over reboots.

One would need to start it with that directory as dbdir.

It's possible to run Snort, haproxy. So, why not MySQL?

OP will have to learn how to create packages, and store the configuration: https://doc.pfsense.org/index.php/Developing_Packages
Re: [pfSense] incomplete update to 2.3.4, no route to host
They're missing the DNS record for pkg.pfsense.org. Per the SOA ad...@netgate.com is the contact; I've bcc'd this there.

-- 
Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Stefan Fuhrmann
Sent: Thursday, May 11, 2017 11:18 AM
To: list@lists.pfsense.org
Subject: [pfSense] incomplete update to 2.3.4, no route to host

Hello all,

I did an update via console and there are some packages open:

Enter an option: 13

>>> Updating repositories metadata...
Updating pfSense-core repository catalogue...
pkg: Repository pfSense-core load error: access repo file(/var/db/pkg/repo-pfSense-core.sqlite) failed: No such file or directory
pkg: https://pkg.pfsense.org/pfSense_v2_3_4_i386-core/meta.txz: No route to host
repository pfSense-core has no meta file, using default settings
pkg: https://pkg.pfsense.org/pfSense_v2_3_4_i386-core/packagesite.txz: No route to host
Unable to update repository pfSense-core
Updating pfSense repository catalogue...
pkg: Repository pfSense load error: access repo file(/var/db/pkg/repo-pfSense.sqlite) failed: No such file or directory
pkg: https://pkg.pfsense.org/pfSense_v2_3_4_i386-pfSense_v2_3_4/meta.txz: No route to host
repository pfSense has no meta file, using default settings
pkg: https://pkg.pfsense.org/pfSense_v2_3_4_i386-pfSense_v2_3_4/packagesite.txz: No route to host
Unable to update repository pfSense
Error updating repositories!

*** Welcome to pfSense 2.3.4-RELEASE (i386 full-install) on border ***

a dig shows:

; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45499
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;pkg.pfsense.org.		IN	A

;; AUTHORITY SECTION:
pfsense.org.		300	IN	SOA	ns1.netgate.com. admin.netgate.com. 201608310 3600 7200 1209600 3600

;; Query time: 193 msec
;; SERVER: 10.100.100.10#53(10.100.100.10)
;; WHEN: Thu May 11 18:09:16 CEST 2017
;; MSG SIZE  rcvd: 101

There is no such host pkg.pfsense.org and I can not find any pfSense-core.sqlite on the system.

Can someone help?

Tia
Stefan
[pfSense] Traffic shaping setup for one IP
Goal: limit traffic from one LAN server to a certain remote IP:port for an rsync connection. Have that traffic be lower priority and perhaps have a bandwidth limit, although the docs say ALTQ can't set limits and to use limiters. All other traffic can be "normal" or equal.

If I run the shaping wizard choosing HFSC and one random thing to limit, then it creates a floating rule I can use as a sample to create a new one for the target IP:port. I get that part.

On the page to edit the created queue qOthersLow, what is the Bandwidth percentage (default 5%) used for? Especially, given there are max and min bandwidth rows right below that? In my case I'm fine with the rsync using up to 60% of the outgoing bandwidth as long as it's a lower priority (minimum 1%). Do I set Bandwidth to 60%? Or set Bandwidth to 1% and Max Bandwidth For Queue to m1=60%?

Thanks,

Steve Yates
ITS, Inc.
Re: [pfSense] Limiter on LAN side not applying to NATted connection
https://doc.pfsense.org/index.php/Limiters#Known_limitations

"On pfSense 2.2 and 2.3, limiters cannot be used on firewall rules residing on interfaces where NAT applies. This limits their use to LAN-type interfaces only, and not WANs, in most circumstances. This has been fixed on pfSense 2.4. Bug #4326"

-- 
Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of WebDawg
Sent: Wednesday, April 19, 2017 2:33 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] Limiter on LAN side not applying to NATted connection

On Wed, Apr 19, 2017 at 2:46 PM, Steve Yates <st...@teamits.com> wrote:
> I suppose. From the states/traffic recorded next to each rule, it
> looks like the WAN firewall rule applies and the LAN firewall rule does
> not. Per the docs WAN side limiters will work (again?) in pfSense 2.4 but
> not 2.2-2.3.
>
> --
>
> Steve Yates
> ITS, Inc.
>
>
> Steve,
>
> Is this an ingress vs egress question?
>
> http://pfsensesetup.com/egress-filtering-with-pfsense/
>
> That is if you are trying to limit something 'in' you would need to put the
> rule on the WAN side?
>

I do not know about the docs but since it is a single TCP stream in will not just the WAN rule apply? What docs are you talking about? I would figure limiters would work on any interface.
Re: [pfSense] Limiter on LAN side not applying to NATted connection
I suppose. From the states/traffic recorded next to each rule, it looks like the WAN firewall rule applies and the LAN firewall rule does not. Per the docs WAN side limiters will work (again?) in pfSense 2.4 but not 2.2-2.3.

-- 
Steve Yates
ITS, Inc.

Steve,

Is this an ingress vs egress question?

http://pfsensesetup.com/egress-filtering-with-pfsense/

That is if you are trying to limit something 'in' you would need to put the rule on the WAN side?
[pfSense] Limiter on LAN side not applying to NATted connection
I understand it's ideal to have limiters on the sending end. It's a long story but I'm trying to set them on the receiving end of an rsync copy. I understand in 2.2-2.3 one should have them on the LAN interface. This is on 2.3.3_1.

In this scenario the remote server is x.x.x.x and the LAN computer is 10.1.2.12:22, and we have a NAT rule forwarding port to 22.

Firewall rule:
IPv4 TCP/UDP  x.x.x.x  *  10.1.2.12  22 (SSH)

Two limiters are set on in/out.

This firewall rule shows zero traffic in or out. No other firewall rules show traffic from * to LAN.

Diagnostics/States shows:
LAN  tcp  x.x.x.x:46098 -> 10.1.2.12:22
(and shows traffic)

Is the rule+limiter not being applied because the port is NATted to 22? Or because the NAT happens on the WAN side and the LAN rule isn't even used?

Thanks,

Steve Yates
ITS, Inc.
Re: [pfSense] IPv6 (CARP and DHCPv6 failover)
Yes we don't have any DHCP in our CARP environment.

-- 
Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of hamid ashraf
Sent: Thursday, March 23, 2017 6:01 AM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] IPv6 (CARP and DHCPv6 failover)

Dear Steve,

Thanks for taking time to see my email. Yes you can say I have two issues but both are inter-related in my case. As CARP does not advertise itself as Gateway in case of DHCPv6 and in my case I have configured DHCPv6 which is not replicated to backup firewall and in case master goes down...in vain.

So you are using static assignment in your case for IPv6?

Regards
Hamid
Re: [pfSense] IPv6 (CARP and DHCPv6 failover)
Interesting...we have not seen that problem with IPv6 and CARP. I just looked and the backup is showing Backup for all IPs. I do occasionally see, like after our 2.3.2 to 2.3.3_1 upgrade, that one IP gets stuck as Master on the backup after the primary is updated and restarts. I am fairly certain it was an IPv4 address though, and is not a new issue. Restarting fixes it.

Hamid, are you saying you have two issues, that IPv6 is not being synced and that DHCPv6 is not being synced? We aren't using DHCPv6 but have not seen any issues with IPv6 and CARP. IPv6 connectivity shouldn't be related to whether DHCPv6 is running, as long as the PCs have addresses...?

-- 
Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Jochen Becker
Sent: Wednesday, March 22, 2017 1:25 PM
To: hamid ashraf <moonlight20082...@yahoo.com>; pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] IPv6 (CARP and DHCPv6 failover)

Hi Hamid,

can you check whether your IPv6 CARP Addresses are in a good condition after 10-15 minutes of uptime?

I have a problem with multiple setups where CARPv6 changes to dual master after 10 minutes. IPv6 connectivity is nearly impossible with that setup. However IPv4 and CARP with v4 are working as they should.

Those problems appeared shortly after the update to 2.3.3p1.

See also the forum post: https://forum.pfsense.org/index.php?topic=127342.0

Cheers
Jochen

On 22.03.2017 19:16, hamid ashraf wrote:
> Hi,
>
> I have 2 pfsense FW 2.3.3 p1 version, one is Master and Second is Backup.
> CARP configured between both firewalls for IPv4 and all the configurations
> are successfully syncing. When I configured the DHCPv6 on master firewall,
> that configuration didn't replicate to the backup one and everything works
> perfectly from outside to inside and vice versa on master. When firewall
> failover IPv6 connectivity is gone. My questions:
>
> 1. Does pfsense not support IPv6 Failover?
> 2. Does pfsense not support DHCPv6 failover as I observed nothing has
> been synced to backup firewall, related to DHCPv6?
> 3. Please suggest a design to get IPv6, IPv4 working together in failover with
> DHCPv6 synced between them and if the firewall failover it should be seamless.
> Diagram attached for your reference.
Re: [pfSense] Netgate Firmware
Note despite the thread subject, the affected models are:

SG-2220
SG-2440
SG-4860
SG-8860
SG-4860-1U
SG-8860-1U

However, what is the symptom? We have a handful of these in service at various clients but have not noticed any issues that we're aware of.

-- 
Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Jon Gerdes
Sent: Tuesday, March 21, 2017 12:57 PM
To: list@lists.pfsense.org
Subject: Re: [pfSense] Netgate Firmware

Topic: SG-2440 bios upgrade: https://forum.pfsense.org/index.php?topic=127418.msg703237#msg703237

On Mon, 2017-03-20 at 19:49 -0500, Richard A. Relph wrote:
> OK, now you guys have me curious…
>
> I have a Netgate SG-2440 purchased directly from Netgate. I've
> received no emails. I don't frequent the forums. But I am aware of an
> "alleged" chip issue, which I believe my unit is susceptible to.
>
> Can someone provide a link to a relevant forum thread?
>
> Thanks,
> Richard
Re: [pfSense] Client doesn't work if there are multiple network interfaces
I am not sure I understand the configuration, however, if you forward a port via NAT, pfSense should default to adding a matching firewall rule for it. If you are trying to access the WAN IP from inside the LAN, you will need to enable NAT reflection. You will also need firewall rules allowing traffic between interfaces.

-- 
Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Manh Nguyen Tien
Sent: Saturday, March 11, 2017 4:19 AM
To: list@lists.pfsense.org
Subject: [pfSense] Client doesn't work if there are multiple network interfaces

Hello everyone.

I've been stuck for a couple of days setting up a network using virtual machines. Could anyone give me some suggestions?

I couldn't access my application if the box has multiple network interfaces. It has one interface (virtualbox internal network) to connect to pfSense box. Another interface is for bridged adapter so my computer can talk to it via LAN. My application port can't be reached through pfSense although I forward it correctly.

I check with another box having only one net interface to pfSense and it runs without problems. My client can connect to the service using pfSense's IP and forwarded port.

The real production network has the same schema, only app server stays behind pfsense for public clients and it also needs LAN network to communicate with other LAN only servers.

So I have some questions:

Q1: Do I need to force all the machines to communicate via pfSense router only?
Q2: If multiple network interfaces do cause problems, what can I do to investigate more?

Or maybe someone could share experiences about deploying on Linode.com with a resembling architecture (public app servers with pfSense, Linode's private LAN for databases), I would very much appreciate that.

Thank you in advance.
Manh.
Re: [pfSense] small problem with squid
If I'm following, you're using a public IP:port. Did you set up NAT Reflection? (System/Advanced/Firewall & NAT)

-- 
Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Steve Berg
Sent: Monday, February 13, 2017 3:45 PM
To: list@lists.pfsense.org
Subject: [pfSense] small problem with squid

Just set up a new pfsense box, my own hardware running the latest release, 2.3.2-RELEASE-p1. So far it's been pretty smooth but I just ran into one glitch I can't quite figure out.

I've got two NAT rules that redirect incoming ports 80xx and 80xy to two different web servers internal to my network. My external IP is resolved using DynDNS and everything works nicely from my iPad when I'm off the local network. But using the same hostname:port when I'm connected to the WiFi I get no response and the squid Real Time page shows a "TCP_DENIED/403" entry for one of the systems, and "TCP_MISS_ABORTED/000" for the other.

Using the local IP when on the WiFi works as expected and I see

13.02.2017 15:43:00 10.x.x.x TCP_MISS/200 http://10.x.x.x/path/to/webpage - 10.x.x.x

I'm fairly new to pfsense and squid so I've probably missed something simple but I'd appreciate a tip or pointer to where to go to fix this issue.
Re: [pfSense] SG-1000 and VPN
> It currently does 21 Mbps IPsec (aes-gcm-128), in a lab environment, because
> there is no driver for the crypto core (yet).
> OpenVPN is slightly slower (19 Mbps).

Thanks. That is probably sufficient for most applications since one or both ends is likely limited by Internet upload speed anyway.

-- 
Steve Yates
ITS, Inc.
Re: [pfSense] PFsense 2.3.2-P1 dies
That's interesting, we had a drive that kept dropping out and we couldn't figure out why as all tests passed. We replaced the drive and then found the "Hard disk standby time" setting was set. Turned that off and it's been fine. That setting has been my suspicion... At the time the console would show a stream of errors that pointed to the drive, don't recall them now of course.

-- 
Steve Yates
ITS, Inc.

-----Original Message-----

I had an issue at one point with hard disks dropping out because of the idle time set on my Western Digital drives. You say you just upgraded. From what version? I did not see it until v2.
Re: [pfSense] SG-1000 and VPN
That's what I'm trying to ask, if the SG-1000 would work for that.

-- 
Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of A Mohan Rao
Sent: Tuesday, January 24, 2017 11:41 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] SG-1000 and VPN

better u can use site to site vpn is best solution.

On Wed, Jan 25, 2017 at 11:08 AM, WebDawg <webd...@gmail.com> wrote:
> On Tue, Jan 17, 2017 at 10:16 AM, Steve Yates <st...@teamits.com> wrote:
>
> > We have a client who wants to set up one remote user (in a fixed
> > location) with a hardware VPN connection back to the office. The
> > office has about 5 active PCs at any given time. This would be the
> > only VPN user.
> >
> > Has anyone used one of the new micro SG-1000 units with a
> > VPN yet? Either as a remote site or as a SOHO router + VPN host?
> > Just wondering how the ARM CPU would stack up. The specs say 200k
> > active (non-VPN) connections...
[pfSense] SG-1000 and VPN
We have a client who wants to set up one remote user (in a fixed location) with a hardware VPN connection back to the office. The office has about 5 active PCs at any given time. This would be the only VPN user.

Has anyone used one of the new micro SG-1000 units with a VPN yet? Either as a remote site or as a SOHO router + VPN host? Just wondering how the ARM CPU would stack up. The specs say 200k active (non-VPN) connections...

-- 
Steve Yates
ITS, Inc.
Re: [pfSense] Aliases grouping
2.2 and earlier colored the field/text box background red if it would take an alias, as I recall. Looks like that was removed with the new GUI in 2.3? If you start typing it will "autocomplete" with matching aliases.

Agreed, the Firewall/Aliases/Edit page should probably say that we can type in an alias.

-- 
Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Luc Paulin
Sent: Wednesday, December 7, 2016 1:56 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] Aliases grouping

Great .. thanx all ... At first it's not obvious that we can enter "name" in those boxes.
Re: [pfSense] pfsense + carp + ha
System/High Availability Sync page shows checkboxes for what to sync.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero Volotinen
Sent: Wednesday, November 16, 2016 1:05 AM
To: pfSense Support and Discussion Mailing List
Subject: Re: [pfSense] pfsense + carp + ha

ok. does it also sync all settings like ipsec and openvpn keys?

Eero
Re: [pfSense] pfsense + carp + ha
Any hardware should work fine. They recommend a separate NIC/port for the sync traffic since if syncing states there can be a lot of traffic (if not syncing state there is probably very little). I don't think it needs to be identical hardware but the rules would need to copy over so it would need the same ports.

One gotcha that caught me...under "System/High Availability Sync/Configuration Synchronization Settings (XMLRPC Sync)" there is a "Remote System Username" field. That field is ignored, and "admin" is always used.

-- 
Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero Volotinen
Sent: Tuesday, November 15, 2016 2:20 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] pfsense + carp + ha

Hi List,

What are requirements for pfsense ha clustering? does any of x86 hardware work with ha? does hardware need to be identical?
Re: [pfSense] rules cleanup and approval process
Not sure. Router restart?

-- 
Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Luc Paulin
Sent: Friday, October 21, 2016 11:08 AM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] rules cleanup and approval process

hoo yeah .. sorry I didn't pay enough attention to that column...

So when do those numbers get reset? How can I manually reset those numbers?

-- 
!
( o o )
--oOO(_)OOo--
Luc Paulin
email: paulinster(at)gmail.com
Skype: paulinster

2016-10-21 10:35 GMT-04:00 Steve Yates <st...@teamits.com>:
> The Rules page logs traffic for the rule, in bytes, in the
> States column. You can also set allow rules to log traffic but that
> will be a lot of log entries.
>
> --
>
> Steve Yates
> ITS, Inc.
>
> -----Original Message-----
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Luc
> Paulin
> Sent: Friday, October 21, 2016 9:27 AM
> To: pfSense Support and Discussion Mailing List
> <list@lists.pfsense.org>
> Subject: [pfSense] rules cleanup and approval process
>
> Hi,
> I am in the final stage to review pfsense and I was wondering if
> there's a way to do the following
>
> 1. Is there a way to enable an approval process. For example let's say I
> added rule ABC, then in order that the rules can be applied, the change
> must be approved by someone else.
> 2. How can we know which rule is mostly used and which are unused? Is
> there some kind of way to create a report of the top 10 least used rules?
>
> Thanx for your help
>
> -Luc
Re: [pfSense] rules cleanup and approval process
The Rules page logs traffic for the rule, in bytes, in the States column. You can also set allow rules to log traffic but that will be a lot of log entries.

--
Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Luc Paulin
Sent: Friday, October 21, 2016 9:27 AM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] rules cleanup and approval process

Hi,
I am in the final stage of reviewing pfSense and I was wondering if there's a way to do the following:

1. Is there a way to enable an approval process? For example, let's say I added rule ABC; then, in order for the rule to be applied, the change must be approved by someone else.
2. How can we know which rules are mostly used and which are unused? Is there some kind of way to create a report of the top 10 least-used rules?

Thanks for your help

-Luc
Re: [pfSense] pfsync_undefer_state: unable to find deferred state
I thought I'd post again to see if anyone has an idea of how to fix "pfsync_undefer_state: unable to find deferred state"? I found an August blog post http://phil.lavin.me.uk/2016/08/solved-pfsense-pfsync_undefer_state-unable-to-find-deferred-state/ which says to turn off HA state syncing completely. I haven't gone that far but did check "No pfSync" on the firewall rule per the below, to no avail.

--
Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Steve Yates
Sent: Friday, July 8, 2016 4:30 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] pfsync_undefer_state: unable to find deferred state

I found thread https://forum.pfsense.org/index.php?topic=87541.60 ...and posted there but it's old and references 2.1.x and 2.2.x versions. After upgrading from 2.2.6 to 2.3.1_5 we get a long spew of this logged during a Limiter-limited rsync each night (it also shows on the console screen):

Jul 8 02:47:36 kernel defer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred state
Jul 8 02:47:36 kernel _undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_und efer_state: unable to find deferred statepf
Jul 8 02:47:36 kernel ync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_ undefer_state: unable to find deferred stat

It continues while traffic that triggers the limiter rule is in effect and ends immediately upon the traffic's end.

The Limiter setup is only using Firewall\Traffic Shaper\Limiters:

LimitBackupUpLAN   50Mbit/s   Overnight [Mon - Sun / 0:00-6:45]
                   15Mbit/s   Day
LimitBackupUpLAN   50Mbit/s   Overnight
                   15Mbit/s   Day

The limiter is on a rule on the LAN interface, with "In / Out pipe" set. It only matches one IP. Neither checking "No pfSync" nor setting "State type" to None seems to have any effect. I think that's the equivalent of what they mentioned in the [forum.pfsense.org] thread... 'uncheck the flag "State Type" to "NO pfsync".'

I can duplicate this at will... in this case an "rsync --dry-run" is plenty. It doesn't seem to have any effect on traffic since the copy works fine; it appears to just be a logging issue.

--
Steve Yates
ITS, Inc.
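The spew above is a logging problem rather than a traffic problem, but a burst of thousands of identical kernel messages is exactly what drowns a real alert in the same log window. The script below is an added example (not from the thread or from pfSense itself) showing how a log monitor can collapse that spew into one summary per second and flag the bursts, while counting every copy even where the syslog record boundary cut the message mid-word. The log format, the overnight limiter window (0:00-6:45) and the sample records are assumptions modelled on the shape of the messages quoted above; the sample log is constructed, not the author's real log.

```python
import re
from collections import Counter

# pfSense writes kernel messages to the system log as "<Mon> <day> <HH:MM:SS> kernel <text>"
# (format assumed from the records quoted in the thread).
RECORD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) kernel (?P<text>.*)$"
)

# The pfsync message is emitted without a newline, so one syslog record carries many copies
# run together, and the record boundary can cut the function name ("defer_state:",
# "ync_undefer_state:", "pfsync_ undefer_state"). Matching on the message body, and allowing
# the final word to be truncated to "stat", counts every copy however the prefix was cut.
MSG_RE = re.compile(r"unable to find deferred stat")


def parse_kernel_records(log_text):
    """Yield (timestamp, text) for each kernel record in a syslog extract."""
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            yield m.group("ts"), m.group("text")


def count_undefer(log_text):
    """Map each timestamp (one-second resolution) to the number of undefer copies it carries."""
    counts = Counter()
    for ts, text in parse_kernel_records(log_text):
        n = len(MSG_RE.findall(text))
        if n:
            counts[ts] += n
    return counts


def in_overnight_window(ts, start=(0, 0), end=(6, 45)):
    """True if the record's HH:MM falls inside the limiter's overnight schedule (assumed 0:00-6:45)."""
    hh, mm = ts.split()[-1].split(":")[:2]
    return start <= (int(hh), int(mm)) <= end


def summarize(log_text, per_second_threshold=5):
    """Collapse the spew to one summary: total copies, distinct seconds, burst seconds, schedule match."""
    counts = count_undefer(log_text)
    seconds = sorted(counts)
    return {
        "total": sum(counts.values()),
        "seconds": len(seconds),
        "bursts": [ts for ts in seconds if counts[ts] >= per_second_threshold],
        "all_in_window": all(in_overnight_window(ts) for ts in seconds),
    }


# Constructed sample, modelled on the shape of the spew quoted above (not the author's real log).
_UNIT = "pfsync_undefer_state: unable to find deferred state"
SAMPLE_LOG = "\n".join([
    "Jul 8 02:47:36 kernel defer_state: unable to find deferred state" + _UNIT,
    "Jul 8 02:47:36 kernel _undefer_state: unable to find deferred state" + _UNIT * 5
    + "pfsync_und efer_state: unable to find deferred statepf",
    "Jul 8 02:47:37 kernel ync_undefer_state: unable to find deferred state" + _UNIT * 3
    + "pfsync_ undefer_state: unable to find deferred stat",
    "Jul 8 02:50:01 kernel em0: link state changed to UP",  # unrelated record, must not count
])

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Feeding this a real extract of the system log gives a single line per backup run ("N copies over M seconds, all inside the overnight window") instead of the raw spew, which is what you want an alerting rule to key on; a burst outside the limiter's schedule would then stand out as something other than the known rsync trigger.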
Re: [pfSense] Change WAN interface
The Interfaces/(assign) page should have drop-downs to pick the interface.

--
Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Luc Paulin
Sent: Friday, October 14, 2016 1:16 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] Change WAN interface

How can I assign the WAN interface to another interface... Let's say I initially assigned WAN to bge0, but then I need to move WAN to bge3. How can this be done? Looks like we can't delete the assigned WAN interface.
Re: [pfSense] pfsense in ha - sync interface rule disapear
The rules should sync at every rule change (alias, etc.). If states are syncing, those are in real time.

--
Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Luc Paulin
Sent: Thursday, October 13, 2016 12:00 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] pfsense in ha - sync interface rule disapear

I think I am good now... I have deleted the sync interface and then recreated it... All looks good now and the systems are syncing between each other.

One more question, can we change the frequency of the sync? Looks like the default is ~10min.

-Luc

--
!
( o o )
--oOO(_)OOo--
Luc Paulin
email: paulinster(at)gmail.com
Skype: paulinster

2016-10-13 12:13 GMT-04:00 Steve Yates <st...@teamits.com>:
> What version pfSense? We are on 2.3.2 without the latest patch (2.3.2_1), using CARP/sync, since whatever version was in spring 2015, and haven't had this issue.
>
> --
> Steve Yates
> ITS, Inc.
>
> -----Original Message-----
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Luc Paulin
> Sent: Thursday, October 13, 2016 10:11 AM
> To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
> Subject: Re: [pfSense] pfsense in ha - sync interface rule disapear
>
> The rule is disappearing on the slave only...
> Yes, both firewalls' interface descriptions are the same and assigned to the same interface...
>
> -Luc
>
> --
> !
> ( o o )
> --oOO(_)OOo--
> Luc Paulin
> email: paulinster(at)gmail.com
> Skype: paulinster
>
> 2016-10-13 11:00 GMT-04:00 Steve Yates <st...@teamits.com>:
> > Are your rules disappearing on the slave, the master, or both?
> >
> > Brainstorming, do both have the same name for the pfsync interface? Meaning the slave isn't named PFSYNC-SLAVE or something like that?
> >
> > --
> > Steve Yates
> > ITS, Inc.
> >
> > -----Original Message-----
> > From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Luc Paulin
> > Sent: Thursday, October 13, 2016 9:10 AM
> > To: list@lists.pfsense.org
> > Subject: [pfSense] pfsense in ha - sync interface rule disapear
> >
> > Hi Everyone,
> > I am new to pfSense and I have to say that I am very impressed to see all the features available out of the box.
> >
> > I am currently testing it to see how well it works and performs for our environment. We would like to replace our HA Linux firewall running IPTable/fwbuilder scripts. Currently trying to set up the HA but having a hard time making it work properly. I am following the wiki guide (https://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_(CARP)).
> >
> > The issue that I have is that the rule I added on both firewalls to allow the SYNC interface to communicate keeps disappearing on the slave firewall once the connection gets established. So XMLRPC did copy rules from master to slave, but the PFSYNC interface rule disappears, therefore this causes a communication issue afterwards (/rc.filter_synchronize: New alert found: A communications error occurred while attempting XMLRPC sync with username admin https://172.16.199.2:443.)
Re: [pfSense] pfsense in ha - sync interface rule disapear
What version pfSense? We are on 2.3.2 without the latest patch (2.3.2_1), using CARP/sync, since whatever version was in spring 2015, and haven't had this issue.

--
Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Luc Paulin
Sent: Thursday, October 13, 2016 10:11 AM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] pfsense in ha - sync interface rule disapear

The rule is disappearing on the slave only...
Yes, both firewalls' interface descriptions are the same and assigned to the same interface...

-Luc

--
!
( o o )
--oOO(_)OOo--
Luc Paulin
email: paulinster(at)gmail.com
Skype: paulinster

2016-10-13 11:00 GMT-04:00 Steve Yates <st...@teamits.com>:
> Are your rules disappearing on the slave, the master, or both?
>
> Brainstorming, do both have the same name for the pfsync interface? Meaning the slave isn't named PFSYNC-SLAVE or something like that?
>
> --
> Steve Yates
> ITS, Inc.
>
> -----Original Message-----
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Luc Paulin
> Sent: Thursday, October 13, 2016 9:10 AM
> To: list@lists.pfsense.org
> Subject: [pfSense] pfsense in ha - sync interface rule disapear
>
> Hi Everyone,
> I am new to pfSense and I have to say that I am very impressed to see all the features available out of the box.
>
> I am currently testing it to see how well it works and performs for our environment. We would like to replace our HA Linux firewall running IPTable/fwbuilder scripts. Currently trying to set up the HA but having a hard time making it work properly. I am following the wiki guide (https://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_(CARP)).
>
> The issue that I have is that the rule I added on both firewalls to allow the SYNC interface to communicate keeps disappearing on the slave firewall once the connection gets established. So XMLRPC did copy rules from master to slave, but the PFSYNC interface rule disappears, therefore this causes a communication issue afterwards (/rc.filter_synchronize: New alert found: A communications error occurred while attempting XMLRPC sync with username admin https://172.16.199.2:443.)
Re: [pfSense] pfsense in ha - sync interface rule disapear
Are your rules disappearing on the slave, the master, or both?

Brainstorming, do both have the same name for the pfsync interface? Meaning the slave isn't named PFSYNC-SLAVE or something like that?

--
Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Luc Paulin
Sent: Thursday, October 13, 2016 9:10 AM
To: list@lists.pfsense.org
Subject: [pfSense] pfsense in ha - sync interface rule disapear

Hi Everyone,
I am new to pfSense and I have to say that I am very impressed to see all the features available out of the box.

I am currently testing it to see how well it works and performs for our environment. We would like to replace our HA Linux firewall running IPTable/fwbuilder scripts. Currently trying to set up the HA but having a hard time making it work properly. I am following the wiki guide (https://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_(CARP)).

The issue that I have is that the rule I added on both firewalls to allow the SYNC interface to communicate keeps disappearing on the slave firewall once the connection gets established. So XMLRPC did copy rules from master to slave, but the PFSYNC interface rule disappears, therefore this causes a communication issue afterwards (/rc.filter_synchronize: New alert found: A communications error occurred while attempting XMLRPC sync with username admin https://172.16.199.2:443.)
Re: [pfSense] pfSense 2.3.2-p1 RELEASE Now Available
I'm curious if you removed all packages before upgrading? The instructions recommend that. We usually have done so and not had an issue. The packages we've used have a setting to keep settings, for instance Suricata's "Settings will not be removed during package deinstallation" and pfBlockerNG's "Keep settings."

I have run into an issue at one point where the DNS service on the pfSense wasn't working, so DNS requests were failing or timing out, causing lots of issues during downloading. I didn't pay too much attention at the time, since it was solved quickly, but if DNS isn't working that could be an issue. In other words, if DNS is running then 127.0.0.1 will always be the first DNS server used.

--
Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Holger Bauer
Sent: Friday, October 7, 2016 7:58 AM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] pfSense 2.3.2-p1 RELEASE Now Available

I found an older post to the list regarding the same issues with a different version; however, this solution worked for me on my test system just fine:

Run from the console (ssh or local console) option 8 to go to the shell. Then enter the following commands:

pkg clean
pkg update
pkg upgrade
reboot

After that the system came up fine with the new release. I'll try that on some production systems this evening.

Regards
Holger

2016-10-07 14:51 GMT+02:00 Pete Boyd <petes-li...@thegoldenear.org>:
> Same for me, failure first time on a full install:
>
> Fetching pfSense-kernel-pfSense-2.3.2_1.txz: . done
> pkg: https://pkg.pfsense.org/pfSense_v2_3_2_i386-core/All/pfSense-kernel-pfSense-2.3.2_1.txz: Operation timed out
> >>> Locking package pfSense-kernel-pfSense... done.
> Failed
>
> --
> Pete Boyd
>
> Open Plan IT - http://openplanit.co.uk
> The Golden Ear - http://thegoldenear.org