[pfSense] Latency issues with 2.2.5 Release
Good morning list, I recently upgraded to 2.2.5-RELEASE (amd64) on a VMware stack and noticed that my WAN latency shot up by about 100 ms RTT. Nothing else on the box had changed. I reverted to a pre-upgrade snapshot and the latency went back down to 10-12 ms RTT. Anyone seen anything like this with the update to 2.2.5?

-W
Wade Blackwell Solutions Architect (D) 805.457.8825 (C) 805.400.8485 (S) coc.wadeblackwell

___ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] Strange timezone behavior and then full stop
Thanks Steve.

On Aug 26, 2015 9:04 AM, Steve Yates st...@teamits.com wrote:
Wade Blackwell wrote on Wed, Aug 26 2015 at 10:27 am:
Warning: date(): It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected the timezone 'UTC' for now, but please set date.timezone to select your timezone. in /etc/inc/globals.inc on line 64

This is a PHP warning that would show on each page load. Recent PHP versions (5.3+?) require the time zone to be set in php.ini or other PHP-read .ini files. It's just a warning, so it isn't an indicator of a problem in and of itself.
-- Steve Yates ITS, Inc.
[pfSense] Strange timezone behavior and then full stop
Good morning PF group, I have 2.2.4-RELEASE (amd64) running virtually in a vSphere 5.5 environment. I just recently upgraded from 2.2.3. So I woke up to the network down, the console complaining about timezones, and no IP addresses on any of the interfaces. I rolled back configs from the console, sequentially, hoping that would at least restore the interface IPs. Not so. I ended up manually configuring the address local to my workstation and only then was I able to restore the latest full backup and bring the pf back up. Curiously I am missing a day's worth of logs (8/25 is just not there). The error messages I got are below; some of these were displayed at the top of the web UI, and some in the version section of the status page. Anyone seen any strangeness like this?

-W

--begin error funk--
Warning: date(): It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected the timezone 'UTC' for now, but please set date.timezone to select your timezone. in /etc/inc/globals.inc on line 64
Warning: date(): It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected the timezone 'UTC' for now, but please set date.timezone to select your timezone. in /etc/inc/globals.inc on line 64
Warning: Cannot modify header information - headers already sent by (output started at /etc/inc/globals.inc:64) in /usr/local/www/guiconfig.inc on line 48
Warning: Cannot modify header information - headers already sent by (output started at /etc/inc/globals.inc:64) in /usr/local/www/guiconfig.inc on line 49
Warning: Cannot modify header information - headers already sent by (output started at /etc/inc/globals.inc:64) in /usr/local/www/guiconfig.inc on line 50
Warning: Cannot modify header information - headers already sent by (output started at /etc/inc/globals.inc:64) in /usr/local/www/guiconfig.inc on line 51
Warning: Cannot modify header information - headers already sent by (output started at /etc/inc/globals.inc:64) in /usr/local/www/guiconfig.inc on line 52
Warning: Cannot modify header information - headers already sent by (output started at /etc/inc/globals.inc:64) in /usr/local/www/guiconfig.inc on line 55
Warning: session_start(): Cannot send session cache limiter - headers already sent (output started at /etc/inc/globals.inc:64) in /etc/inc/auth.inc on line 1359
Warning: date(): It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected the timezone 'UTC' for now, but please set date.timezone to select your timezone. in /etc/inc/globals.inc on line 64
Warning: date(): It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected the timezone 'UTC' for now, but please set date.timezone to select your timezone. in /etc/inc/globals.inc on line 64
transparent
XML Parsing Error: unexpected parser state
Location: jar:file:///C:/Program%20Files/Mozilla%20Firefox/browser/omni.ja!/chrome/browser/content/browser/aboutNetError.xhtml
Line Number 389, Column 68: <div id="ed_connectionFailure">&connectionFailure.longDesc;</div>
---^
--end error funk--

Wade Blackwell Solutions Architect (D) 805.457.8825 (C) 805.400.8485 (S) coc.wadeblackwell
Re: [pfSense] PF 2.1.5 Release (AMD64) Gateway Monitoring with OSPF
Anyone? Bueller?

Wade Blackwell Solutions Architect (D) 805.457.8825 (C) 805.400.8485 (S) coc.wadeblackwell

On 6 March 2015 at 10:44, Wade Blackwell wa...@bablam.com wrote:
Good morning all, I currently have a PF VM being used as my core L3 device for a small site. No static routes being used, just OSPF. I have two devices in front of the core sending default-information originate with varying weights to prefer the faster connection, one for each carrier. I'd like to be able to add a gateway monitor, on the core, without a kernel route being installed, as it renders the OSPF routes useless. It appears that even if I uncheck default, the kernel route still gets installed. Is this possible? Thanks.
-W
Wade Blackwell Solutions Architect (D) 805.457.8825 (C) 805.400.8485 (S) coc.wadeblackwell
[pfSense] Added ntopng.pbi via command line, how do I add to webui?
Good afternoon all, I added ntopng to my platform via command line and restarted the webconfigurator. I was expecting to see the package show up under Diagnostics, as it did on my other platform where I installed the package via the web UI package installer, but it doesn't. Is there a way to add that? Searches on this topic have been inconclusive. Thanks. The install looked like this:

[2.1.5-RELEASE][r...@firewall.domain.com]/usr/local/pkg(21): pbi_add --no-checksig ntopng-1.1_1-amd64.pbi
Verifying Checksum...OK
Extracting to: /usr/pbi/ntopng-amd64
Adding group: redis
Adding user: redis
Installed: ntopng-1.1_1

-W
Wade Blackwell Solutions Architect (D) 805.457.8825 (C) 805.400.8485 (S) coc.wadeblackwell

___ List mailing list List@lists.pfsense.org https://lists.pfsense.org/mailman/listinfo/list
[pfSense] RRD Graphs on 2.1.4-RELEASE (i386) nano
Good morning List, The RRD graphs on my nano PF just disappeared about two days ago. I now only have allgraphs and throughput on the System tab, whereas I used to have memory, states, CPU etc. The graphs that do show up have no data in them. I seem to recall this happened a few months back just before I upgraded to 2.1.4. Has anyone else experienced this, and is there a workaround? Thanks all.

-W
Wade Blackwell Solutions Architect (D) 805.457.8825 (C) 805.400.8485 (S) coc.wadeblackwell
Re: [pfSense] Racoon high CPU 2.1.3-RELEASE (i386) nanobsd (4g) Netgate
Anyone else seeing behavior like this?

-W
Wade Blackwell Solutions Architect (D) 805.457.8825 (C) 805.400.8485 (S) coc.wadeblackwell

On Mon, Jun 16, 2014 at 8:53 AM, Wade Blackwell wa...@bablam.com wrote:
Good morning, I have PF running on the platform listed above/below. Last week I put racoon in debug mode to diagnose an IPsec tunnel connection issue I'm having with a m0n0wall at a remote location. Since then racoon is taking up all the available CPU. I have unchecked debug mode in the GUI, killed it with a kill -9 and rebooted, and still the same issue. Anyone seen this? What can I provide to the PF team for better insight into what's happening in the kernel/modules? Thanks all.

uname -a
FreeBSD ata-bgw-01.bablam.com 8.3-RELEASE-p16 FreeBSD 8.3-RELEASE-p16 #0: Thu May 1 16:08:49 EDT 2014 root@netgate-8_3-i386.builders.pfsense.org:/usr/obj.i386/usr/pfSensesrc/src/sys/pfSense_wrap.8.i386 i386

Wade Blackwell Solutions Architect (D) 805.457.8825 (C) 805.400.8485 (S) coc.wadeblackwell
Re: [pfSense] Interesting Road Warrior IPsec Behavior with BBZ10
Ryan, good morning. Tweaked, yes; I haven't recreated it from scratch, no. I'll do that and see if it's repeatable. I'm currently dealing with racoon stealing all available CPU and not negotiating any phase 1/2 connections (site to site). The interesting thing is when doing packet captures on the IPsec interface and internal interfaces I don't see any traffic egressing. I have a permit any any rule for IPsec traffic and am accepting ESP and ISAKMP on both WAN interfaces. Thanks for the reply Ryan, I hope you enjoyed your vacation ;-)

-W
Wade Blackwell Solutions Architect (D) 805.457.8825 (C) 805.400.8485 (S) coc.wadeblackwell

On Mon, Jun 16, 2014 at 7:33 PM, Ryan Coleman ryanjc...@me.com wrote:
Since no one has responded to you and I was on vacation when you sent the first message, I will ask the obvious: have you removed the configuration, recreated it and seen it continue?

On Jun 16, 2014, at 12:00, Wade Blackwell wa...@bablam.com wrote:
Anyone?
-W
Wade Blackwell Solutions Architect (D) 805.457.8825 (C) 805.400.8485 (S) coc.wadeblackwell

On Sun, May 25, 2014 at 11:21 AM, Wade Blackwell wa...@bablam.com wrote:
Good morning all, I'm running 2.1.2-RELEASE (i386) nanobsd 4g (Netgate) and the Z10 is running 10.2.1.2228. I used the following link: https://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0. It appeared to work fabulously until I attempted to pass traffic, which I could not. Advanced outbound NAT is being used and the road warrior IPsec subnet is included for both WAN interfaces (dual WAN setup and working). Another very strange side effect is the Z10 is spawning many IPsec sessions; current count is 212. Has anyone seen this behavior? I don't see a route to the road warrior subnet or client IP when the phone is connected (172.31.2./24 is the subnet allocated). Any feedback would be great, thanks so much!
-W
Wade Blackwell Solutions Architect (D) 805.457.8825 (C) 805.400.8485 (S) coc.wadeblackwell
[pfSense] Racoon high CPU 2.1.3-RELEASE (i386) nanobsd (4g) Netgate
Good morning, I have PF running on the platform listed above/below. Last week I put racoon in debug mode to diagnose an IPsec tunnel connection issue I'm having with a m0n0wall at a remote location. Since then racoon is taking up all the available CPU. I have unchecked debug mode in the GUI, killed it with a kill -9 and rebooted, and still the same issue. Anyone seen this? What can I provide to the PF team for better insight into what's happening in the kernel/modules? Thanks all.

uname -a
FreeBSD ata-bgw-01.bablam.com 8.3-RELEASE-p16 FreeBSD 8.3-RELEASE-p16 #0: Thu May 1 16:08:49 EDT 2014 root@netgate-8_3-i386.builders.pfsense.org:/usr/obj.i386/usr/pfSensesrc/src/sys/pfSense_wrap.8.i386 i386

Wade Blackwell Solutions Architect (D) 805.457.8825 (C) 805.400.8485 (S) coc.wadeblackwell
Re: [pfSense] Interesting Road Warrior IPsec Behavior with BBZ10
Anyone?
-W
Wade Blackwell Solutions Architect (D) 805.457.8825 (C) 805.400.8485 (S) coc.wadeblackwell

On Sun, May 25, 2014 at 11:21 AM, Wade Blackwell wa...@bablam.com wrote:
Good morning all, I'm running 2.1.2-RELEASE (i386) nanobsd 4g (Netgate) and the Z10 is running 10.2.1.2228. I used the following link: https://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0. It appeared to work fabulously until I attempted to pass traffic, which I could not. Advanced outbound NAT is being used and the road warrior IPsec subnet is included for both WAN interfaces (dual WAN setup and working). Another very strange side effect is the Z10 is spawning many IPsec sessions; current count is 212. Has anyone seen this behavior? I don't see a route to the road warrior subnet or client IP when the phone is connected (172.31.2./24 is the subnet allocated). Any feedback would be great, thanks so much!
-W
Wade Blackwell Solutions Architect (D) 805.457.8825 (C) 805.400.8485 (S) coc.wadeblackwell
[pfSense] Interesting Road Warrior IPsec Behavior with BBZ10
Good morning all, I'm running 2.1.2-RELEASE (i386) nanobsd 4g (Netgate) and the Z10 is running 10.2.1.2228. I used the following link: https://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0. It appeared to work fabulously until I attempted to pass traffic, which I could not. Advanced outbound NAT is being used and the road warrior IPsec subnet is included for both WAN interfaces (dual WAN setup and working). Another very strange side effect is the Z10 is spawning many IPsec sessions; current count is 212. Has anyone seen this behavior? I don't see a route to the road warrior subnet or client IP when the phone is connected (172.31.2./24 is the subnet allocated). Any feedback would be great, thanks so much!

-W
Wade Blackwell Solutions Architect (D) 805.457.8825 (C) 805.400.8485 (S) coc.wadeblackwell
Re: [pfSense] 802.1q dhcp and pf 2.1 and esxi 5.0
Good morning all from the very dry Central Coast of California. So, still struggling with PF on ESXi 5.1 and Charter DHCP responses never being received. Mark, I did confirm the cheap SMB switch I have doesn't support DHCP snooping. Sean, I did confirm that CDP was disabled on the Charter side. I made 3 changes one at a time and I was hoping that one of them would effect a change; no such luck. Changes in order:
- moved from a standard virtual switch (ESXi 5.1) to a distributed virtual switch
- changed the interface type in PF to VMXNET2 from e1000
- finally tried trunking all the way down to the OS, creating VLAN interfaces on the PF (not sure why I thought more abstraction from the hardware would be better)

So all that said, I can still see a lot of layer 2 activity on the interface, gratuitous ARPs and DHCP requests and offers being bandied about, but I never do see my responses come back. I see them head out never to return. Anyone else seeing this issue (with any provider) with PF in software? I'm fairly remote and AT&T PPPoE is fine for backup but it's painfully slow for VoIP and everyday use. Any suggestions would be fabulous. Thanks all.

-W
Wade Blackwell Solutions Architect (D) 805.457.8825 (C) 805.400.8485 (S) coc.wadeblackwell

On Wed, Oct 30, 2013 at 4:54 PM, Sean Cavanaugh millenia2...@hotmail.com wrote:
Make sure to set "no cdp enable" on the port that's going to your cable modem. A lot of cable companies will shut down connections that broadcast those by default so as not to broadcast the networks together. I had the same issue with my Comcast connection until I found out about the CDP issue.
-Sean

From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of Wade Blackwell
Sent: Saturday, October 26, 2013 4:00 PM
To: list@lists.pfsense.org; supp...@pfsense.org
Subject: [pfSense] 802.1q dhcp and pf 2.1 and esxi 5.0

Good afternoon all, I have 2.1-RELEASE (amd64) running on ESXi 5.0 with a Cisco managed L2 switch (SG200-26) in between ESXi and the Charter cable modem. I see my DHCP discovers go out (broadcast); I never see any DHCP traffic come back. Charter's been out a few times; they did determine that they see my discover and they respond, though I don't see the reply. With a dedicated interface they can get an address off the modem. ASCII art below:

charter cable modem--g24 cisco vlan 5---esxi vlan5--pf em0

I've tried this dedicating a vNIC to a standalone vSwitch with no 802.1q and I've tried 802.1q on the ESXi side. The cable modem port is always an access port in VLAN 5. STP has been disabled on the Charter modem port. Every port has PortFast enabled and the MAC timers have been cranked down to the minimum, 10 seconds I believe. I've captured traffic from VLAN 5 and g24 (cable modem port) and seen the same thing: DHCP discovers go out, nothing comes back. I'm thinking there has to be a handful of folks on this list who have dealt with this and succeeded. Any advice would be fabulous; I'd like to keep my L3 in software if I can. Thanks so much.
-W
-- Wade Blackwell Solutions Architect (D) 805.457.8825 X998 (C) 805.400.8485 (S) coc.wadeblackwell
Re: [pfSense] 802.1q dhcp and pf 2.1 and esxi 5.0
Adam, thanks so much. I've performed steps 1-4 and 6. My current setup is limited to a single physical interface, so I have to use 802.1q tagging for all my pf interfaces. This works great with a dedicated NIC into the Charter modem.

Wade Blackwell Solutions Architect (D) 805.457.8825 (C) 805.400.8485 (S) coc.wadeblackwell

On Sat, Mar 22, 2014 at 11:20 AM, Adam Thompson athom...@athompso.net wrote:
On 14-03-22 01:09 PM, Wade Blackwell wrote:
Good morning all from the very dry Central Coast of California. So, still struggling with PF on ESXi 5.1 and Charter DHCP responses never being received. Mark, I did confirm the cheap SMB switch I have doesn't support DHCP snooping. Sean, I did confirm that CDP was disabled on the Charter side. I made 3 changes one at a time and I was hoping that one of them would effect a change; no such luck. Changes in order:
- moved from a standard virtual switch (ESXi 5.1) to a distributed virtual switch
- changed the interface type in PF to VMXNET2 from e1000
- finally tried trunking all the way down to the OS, creating VLAN interfaces on the PF (not sure why I thought more abstraction from the hardware would be better)

So all that said, I can still see a lot of layer 2 activity on the interface, gratuitous ARPs and DHCP requests and offers being bandied about, but I never do see my responses come back. I see them head out never to return. Anyone else seeing this issue (with any provider) with PF in software? I'm fairly remote and AT&T PPPoE is fine for backup but it's painfully slow for VoIP and everyday use. Any suggestions would be fabulous. Thanks all.

On Wed, Oct 30, 2013 at 4:54 PM, Sean Cavanaugh millenia2...@hotmail.com wrote:
Make sure to set "no cdp enable" on the port that's going to your cable modem. A lot of cable companies will shut down connections that broadcast those by default so as not to broadcast the networks together. I had the same issue with my Comcast connection until I found out about the CDP issue.

From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of Wade Blackwell
Sent: Saturday, October 26, 2013 4:00 PM
To: list@lists.pfsense.org; supp...@pfsense.org
Subject: [pfSense] 802.1q dhcp and pf 2.1 and esxi 5.0

I have 2.1-RELEASE (amd64) running on ESXi 5.0 with a Cisco managed L2 switch (SG200-26) in between ESXi and the Charter cable modem. I see my DHCP discovers go out (broadcast); I never see any DHCP traffic come back. Charter's been out a few times; they did determine that they see my discover and they respond, though I don't see the reply. With a dedicated interface they can get an address off the modem. ASCII art below:

charter cable modem--g24 cisco vlan 5---esxi vlan5--pf em0

I've tried this dedicating a vNIC to a standalone vSwitch with no 802.1q and I've tried 802.1q on the ESXi side. The cable modem port is always an access port in VLAN 5. STP has been disabled on the Charter modem port. Every port has PortFast enabled and the MAC timers have been cranked down to the minimum, 10 seconds I believe. I've captured traffic from VLAN 5 and g24 (cable modem port) and seen the same thing: DHCP discovers go out, nothing comes back. I'm thinking there has to be a handful of folks on this list who have dealt with this and succeeded. Any advice would be fabulous; I'd like to keep my L3 in software if I can. Thanks so much.

Start over from first principles, then.
1. Plug a laptop or PC directly into the Charter modem. Verify that it gets a DHCP-assigned IP.
2. Run the pfSense LiveCD or USB image on that same hardware. Verify that it gets a DHCP-assigned IP.
3. Repeat with a different NIC (use another PC/laptop if necessary); maybe Charter limits the # of distinct MAC addresses the modem will learn (my local cableco does this). Rebooting the modem is usually sufficient to clear that, but some carriers require a call to tech support.
4. Connect a dedicated pNIC on the ESXi box to the cable modem; create a dedicated vSwitch and a dedicated VMkernel port set to DHCP; verify it gets a DHCP-assigned IP.
5. Remove the VMkernel port and create a vNIC; assign that to the pfSense VM. Verify it gets a DHCP-assigned IP.
6. You can also try hardcoding the MAC address of the vNIC to be the same as one of the previously-functional NICs, if it's a #-of-MAC-addresses problem.
7. Lastly, do all this again through the switch.

Yes, that's a fair bit of work, but it should show you 100% conclusively where the problem lies. I'm betting the problem will either manifest at step #2 or at step #7.
-- -Adam Thompson athom...@athompso.net
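Every step of the procedure above comes down to the same check on the wire: for each DHCP DISCOVER that leaves the interface, does an OFFER carrying the same transaction ID ever come back, and for each REQUEST, an ACK? The script below is an added example (mine, not code from the list or from pfSense) that does that bookkeeping over raw BOOTP/DHCP UDP payloads. The packets in SAMPLE are constructed inside the script with made-up MAC addresses and transaction IDs; to run it on real traffic you would extract the UDP port 67/68 payloads from a pfSense packet capture with a pcap library and pass them to audit().

```python
"""Pair DHCP DISCOVER/OFFER and REQUEST/ACK by transaction ID.

Added example for the DHCP troubleshooting thread; not code from pfSense or
from the list. Input is a list of raw BOOTP/DHCP UDP payloads (bytes).
"""
import struct
from collections import defaultdict

# DHCP message types carried in option 53 (RFC 2132)
DHCP_DISCOVER, DHCP_OFFER, DHCP_REQUEST, DHCP_ACK = 1, 2, 3, 5
BOOTREQUEST, BOOTREPLY = 1, 2
MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the options field


def build_dhcp(op, xid, msg_type, chaddr):
    """Build a minimal 236-byte BOOTP header plus a one-option DHCP option
    block. Used only to construct sample data; a real capture supplies the
    payloads instead."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        op, 1, 6, 0,              # op, htype=Ethernet, hlen=6, hops
        xid, 0, 0x8000,           # xid, secs, flags (broadcast bit set)
        b"\0" * 4, b"\0" * 4,     # ciaddr, yiaddr
        b"\0" * 4, b"\0" * 4,     # siaddr, giaddr
        chaddr.ljust(16, b"\0"),  # chaddr, padded to 16 bytes
        b"\0" * 64, b"\0" * 128,  # sname, file
    )
    options = MAGIC_COOKIE + bytes([53, 1, msg_type]) + b"\xff"
    return header + options


def parse_dhcp(payload):
    """Return (op, xid, chaddr, msg_type) or None if this is not DHCP."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", payload[:8])
    chaddr = payload[28:28 + hlen]
    msg_type = None
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0xff:          # end option
            break
        if code == 0:             # pad option has no length byte
            i += 1
            continue
        length = payload[i + 1]
        if code == 53 and length == 1:
            msg_type = payload[i + 2]
        i += 2 + length
    return op, xid, chaddr, msg_type


def audit(payloads):
    """Group packets by xid and report transactions whose reply never showed
    up. Returns a sorted list of (xid_hex, client_mac, status)."""
    types_by_xid = defaultdict(set)
    mac_by_xid = {}
    for p in payloads:
        parsed = parse_dhcp(p)
        if parsed is None:
            continue
        _op, xid, chaddr, msg_type = parsed
        types_by_xid[xid].add(msg_type)
        mac_by_xid.setdefault(xid, chaddr)

    report = []
    for xid in sorted(types_by_xid):
        types = types_by_xid[xid]
        if DHCP_DISCOVER in types and DHCP_OFFER not in types:
            status = "no OFFER seen for DISCOVER"
        elif DHCP_REQUEST in types and DHCP_ACK not in types:
            status = "no ACK seen for REQUEST"
        else:
            status = "ok"
        report.append((f"{xid:08x}", mac_by_xid[xid].hex(":"), status))
    return report


# Constructed sample traffic (not a real capture): one healthy lease and one
# client whose DISCOVERs go out twice and never get an OFFER back.
MAC_OK = bytes.fromhex("000c29aabb01")
MAC_SILENT = bytes.fromhex("000c29aabb02")
SAMPLE = [
    build_dhcp(BOOTREQUEST, 0x1001, DHCP_DISCOVER, MAC_OK),
    build_dhcp(BOOTREPLY,   0x1001, DHCP_OFFER,    MAC_OK),
    build_dhcp(BOOTREQUEST, 0x1001, DHCP_REQUEST,  MAC_OK),
    build_dhcp(BOOTREPLY,   0x1001, DHCP_ACK,      MAC_OK),
    build_dhcp(BOOTREQUEST, 0x2002, DHCP_DISCOVER, MAC_SILENT),
    build_dhcp(BOOTREQUEST, 0x2002, DHCP_DISCOVER, MAC_SILENT),  # retransmit
]

if __name__ == "__main__":
    for xid, mac, status in audit(SAMPLE):
        print(f"xid {xid} client {mac}: {status}")
```

Matching on the transaction ID rather than on the client MAC matters at step 6 of Adam's list: once a vNIC is given the MAC of a previously working NIC, a reply addressed to that MAC could belong to either host, but the xid still ties it to the specific DISCOVER.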
Re: [pfSense] multi-WAN in pfsense 2.1
Imran, good morning. Have you read this document yet? https://doc.pfsense.org/index.php/Multi-WAN_2.0 It will load balance over two links evenly or use one as a standby; the behavior can be configured.

Wade Blackwell Solutions Architect (D) 805.457.8825 (C) 805.400.8485 (S) coc.wadeblackwell

On Thu, Jan 2, 2014 at 9:43 PM, R. Imran Lodhi rilo...@hotmail.com wrote:
Dear All, I am a new user of pfSense ver 2.1. I would like to know if anyone is using a two-WAN setup with the new version; if yes, kindly share with me. If one is down the other will take over, meaning the 2nd one will only be used when the first is not working.
Regards, Imran
Re: [pfSense] Multi-WAN network access
Walter, did you get all your questions answered? I just set this up (Charter Ethernet handoff/AT&T PPPoE) and there are some nuances in the FW rules and routing that were not so intuitive. Let me know if you need a hand. I'd be happy to WebEx and show you what I have. Hit me off list (wade.blackw...@bablam.com).

-W

On Wed, Dec 4, 2013 at 2:57 PM, Walter Parker walt...@gmail.com wrote:
Hi, I've got a pfSense router with a WAN connection that has 4 interfaces:
WAN - A 200 Mbps connection. This is on a /20 subnet and the other side is the default route.
LAN - This is a static routed /24 network from the company providing the 200 Mbps WAN connection.
COMCAST - This is a static routed /28 network from Comcast.

I set the WAN interface with a route back to Provider A, and the COMCAST interface with a route back to the Comcast gateway address. I created two gateway groups, one that has the WAN network as Tier 1 and COMCAST as Tier 2, and another that has COMCAST as Tier 2 and the WAN network as Tier 2. The instructions on the wiki say firewall rules must be added/changed to use these groups rather than the system routing. I tried changing the allow-all rule to use the gateway group (rather than the default of *), but this didn't seem to route packets out the COMCAST link when the WAN link was down.

I did a little bit of testing: I used the ping test and was able to ping the outside world when using WAN as the interface, but when I changed the interface to COMCAST, I could only ping the Comcast gateway (as if the packets would not route). From an external host, I was able to do an ICMP ping to the COMCAST interface, but was not able to do a UDP ping or make a TCP connection.

Questions:
1. I think I missed a step in the whole "add a firewall rule for the gateway group" process, which seems more like a solution left as an exercise for the reader. What do I need to do to get gateway groups working on the firewall?
2. When using ping, when I pick the interface, does it work like a Cisco, where the source IP is the interface address and the next hop router would be the interface's router, in this case the Comcast gateway?
3. When I have squid running and bound to the LAN interface, I'd like the system to use whichever WAN/COMCAST interface is currently up and working. I want that to be the WAN interface unless it is down.
4. When the WAN interface is down, I'd like to be able to ssh/https to the COMCAST interface address to see what is going wrong. Can I set up the system to work like this?

Thank you for any ideas as to what I might have done wrong,
Walter
-- The greatest dangers to liberty lurk in insidious encroachment by men of zeal, well-meaning but without understanding. -- Justice Louis D. Brandeis

-- Wade Blackwell Solutions Architect (D) 805.457.8825 X998 (C) 805.400.8485 (S) coc.wadeblackwell
[pfSense] Unwanted/Unexpected Traffic Redirect for DMZ Web Host
Good afternoon all, I have a PFsense host running 2.1-RELEASE (amd64). I'm running multi-WAN (which seems to be working fine). The issue I'm having is PF is redirecting traffic to a TCP port I use for management when I'm attempting to access the WordPress/Apache installation I have on a DMZ host. The DMZ host is 172.31.4.11, Apache running on 80/443. Strangely, the DMZ host's web services work as expected from the outside world. If a host anywhere on the /16 attached to this PFsense host attempts to access said DMZ host, they are redirected to TCP 4230 (mgmt port). I've tried enabling and disabling reflection and that made no difference. Any ideas would be appreciated; let me know what additional information I can provide to the group for root cause analysis. Thanks all.

-W
-- Wade Blackwell www.cupofcompassion.com
[pfSense] 802.1q dhcp and pf 2.1 and esxi 5.0
Good afternoon all, I have 2.1-RELEASE (amd64) running on ESXi 5.0 with a Cisco managed L2 switch (SG200-26) in between ESXi and the Charter cable modem. I see my DHCP discovers go out (broadcast); I never see any DHCP traffic come back. Charter's been out a few times; they did determine that they see my discover and they respond, though I don't see the reply. With a dedicated interface they can get an address off the modem. ASCII art below:

charter cable modem--g24 cisco vlan 5---esxi vlan5--pf em0

I've tried this dedicating a vNIC to a standalone vSwitch with no 802.1q and I've tried 802.1q on the ESXi side. The cable modem port is always an access port in VLAN 5. STP has been disabled on the Charter modem port. Every port has PortFast enabled and the MAC timers have been cranked down to the minimum, 10 seconds I believe. I've captured traffic from VLAN 5 and g24 (cable modem port) and seen the same thing: DHCP discovers go out, nothing comes back. I'm thinking there has to be a handful of folks on this list who have dealt with this and succeeded. Any advice would be fabulous; I'd like to keep my L3 in software if I can. Thanks so much.

-W
-- Wade Blackwell Solutions Architect (D) 805.457.8825 X998 (C) 805.400.8485 (S) coc.wadeblackwell
[pfSense] racoon killing CPU, reboot to fix, lasts from 10 min to 4 hours
Good afternoon folks, I have the following PF version: 2.1-BETA1 (i386) built on Tue Feb 19 08:35:54 EST 2013, FreeBSD 8.3-RELEASE-p5 (https://172.31.0.1:4230/index.php#). It's running on an AMD Athlon single core 950 MHz. It supports a SOHO; when PF is behaving it's plenty to support this small office. The issue I am having is racoon will randomly spike, stealing all the CPU, and the tunnels stay down during this event. There is enough CPU stolen in this process that the physical links on the PF flap. Has anyone seen this? What other information would be useful in determining a root cause? Thanks everyone.

-W
-- Wade Blackwell (C) - 805.400.8485 (D) - 805.457.8825 X998 (S) - CoC.WadeBlackwell Looking for a Cloud, Security or network engineer? http://www.bablam.com/WadeBlackwell_Current.doc
[pfSense] Header Checksum 0x0000 over IPsec VPNs
Good afternoon all, So I have 3 sites in a full mesh IPsec VPN. 2 of those sites are PF 2.1-BETA0 (Nov 1) and the other is m0n0wall 1.33. The tunnel that is currently affected traverses one PF and the m0n0. I have disabled hardware checksum offload, hardware TCP segmentation offload and hardware large receive offload. I'm seeing a high number of the 0x checksums (50+ percent) and I believe this is causing an AD domain join to fail over the VPN. No traffic filtering over the tunnels or on the interfaces where these hosts live; wide open between one another. Packet capture attached, any insight would be fabulous. Thanks all.

-- Wade Blackwell Cell - 805.400.8485 Desk - 805.457.8825 X998 Looking for a Cloud, Security or network engineer? http://www.bablam.com/WadeBlackwell_Current.doc

domain-join.pcap (attachment, binary data)
Re: [pfSense] Header Checksum 0x0000 over IPsec VPNs
Thanks Chris, I'll check it out.

Wade Blackwell Solutions Architect (D) 805.457.8825 X998 (C) 805.400.8485

On Dec 3, 2012, at 6:03 PM, Chris Buechler c...@pfsense.org wrote:
On Mon, Dec 3, 2012 at 5:57 PM, Wade Blackwell w...@bablam.com wrote:
Good afternoon all, So I have 3 sites in a full mesh IPsec VPN. 2 of those sites are PF 2.1-BETA0 (Nov 1) and the other is m0n0wall 1.33. The tunnel that is currently affected traverses one PF and the m0n0. I have disabled hardware checksum offload, hardware TCP segmentation offload and hardware large receive offload. I'm seeing a high number of the 0x checksums (50+ percent) and I believe this is causing an AD domain join to fail over the VPN. No traffic filtering over the tunnels or on the interfaces where these hosts live; wide open between one another. Packet capture attached, any insight would be fabulous. Thanks all.

The direction that has null checksums is normal for hardware checksum offloading being enabled; from that capture it's not actually disabled. I suspect that's not a problem at all. It's far more likely you're having issues because of large packets not getting through. Enabling MSS clamping on the VPN traffic (System > Advanced in pfSense; impossible to do in m0n0wall, but as long as it's only one endpoint that may be OK) will work around such scenarios. If that's not it, my next guess is Windows firewall, or an AD DNS problem.
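Chris's point that a zero IP header checksum in the transmitting direction is what checksum offload looks like in a capture can be checked directly rather than eyeballed. The block below is an added example (mine, not pfSense or m0n0wall code) that recomputes the RFC 1071 header checksum for each IPv4 header and labels it "ok", "zero" (field left empty for the NIC to fill in) or "bad" (the header really is corrupted). The headers are constructed inline with made-up addresses; on a real capture you would feed it the first IHL*4 bytes of each IP packet.

```python
"""Classify IPv4 header checksums as seen in a packet capture.

Added example for the IPsec checksum thread; not code from pfSense or
m0n0wall. A header whose stored checksum is 0x0000 on the sending host is
the signature of TX checksum offload, not of corruption.
"""
import socket
import struct


def ipv4_checksum(header):
    """RFC 1071 ones-complement sum over the bytes given. The caller zeroes
    the checksum field before calling this to compute a fresh value."""
    if len(header) % 2:
        header += b"\0"
    words = struct.unpack("!%dH" % (len(header) // 2), header)
    total = sum(words)
    while total >> 16:                       # fold carries back in
        total = (total & 0xffff) + (total >> 16)
    return (~total) & 0xffff


def build_ipv4(src, dst, payload_len, proto=6, ttl=64, checksum=None):
    """Build a 20-byte IPv4 header (sample data only). checksum=None fills
    in the correct value; checksum=0 mimics a packet captured on the sending
    host before the NIC computed it under TX checksum offload."""
    total_len = 20 + payload_len
    fields = [0x45, 0, total_len, 0x1234, 0x4000, ttl, proto]  # DF bit set
    head = struct.pack("!BBHHHBB", *fields)
    tail = socket.inet_aton(src) + socket.inet_aton(dst)
    if checksum is None:
        checksum = ipv4_checksum(head + b"\0\0" + tail)
    return head + struct.pack("!H", checksum) + tail


def classify_checksum(header):
    """Return 'ok', 'zero' or 'bad' for one IPv4 header."""
    ihl = (header[0] & 0x0f) * 4
    header = header[:ihl]
    stored = struct.unpack("!H", header[10:12])[0]
    expected = ipv4_checksum(header[:10] + b"\0\0" + header[12:])
    if stored == expected:
        return "ok"
    if stored == 0:
        return "zero"        # typical of TX offload on the capturing host
    return "bad"


def summarize(headers):
    """Count each classification. A capture full of 'zero' in one direction
    only points at offload; 'bad' is what actual corruption looks like."""
    counts = {"ok": 0, "zero": 0, "bad": 0}
    for h in headers:
        counts[classify_checksum(h)] += 1
    return counts


# Constructed sample headers (made-up addresses, not from the thread's pcap).
GOOD = build_ipv4("172.31.4.11", "10.0.0.5", 100)
OFFLOADED = build_ipv4("172.31.4.11", "10.0.0.5", 100, checksum=0)
# Take a correct header and change the TTL without recomputing: a real error.
CORRUPT = bytearray(GOOD)
CORRUPT[8] = 63
CORRUPT = bytes(CORRUPT)

SAMPLE = [GOOD, OFFLOADED, OFFLOADED, CORRUPT]

if __name__ == "__main__":
    for h in SAMPLE:
        print(classify_checksum(h))
    print(summarize(SAMPLE))
```

A high "zero" count in only one direction of a capture taken on the firewall itself is therefore expected and says nothing about the path; whether large packets survive the tunnel is a separate question, which is what the MSS clamping suggestion above addresses.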
Re: [pfSense] M0n0wall to PFsense IPsec Tunnel drops every hour, Phase1 config change brings it back
Chris, good morning. Yes, it was 3600 on the m0n0. I changed it to 5000 for phases 1/2 on both sides to see if that makes a difference. My understanding is that the smaller lifetime in phases 1/2 would be negotiated by ISAKMP and thus not an issue to have different values on each end or one blank?

-W

On Tue, Jan 3, 2012 at 11:12 PM, Chris Buechler c...@pfsense.org wrote:
On Tue, Jan 3, 2012 at 8:02 PM, Wade Blackwell w...@bablam.com wrote:
Good evening all, I have an IPsec tunnel between a M0n0wall (1.33) and a pair of virtualized PFsense boxen running 2.0-RELEASE (amd64). I've never seen this issue in an IPsec implementation before. Short history: before I went to a virtualized pair of PF boxes running CARP this tunnel would stay up for .5 to a couple of days. Once I changed to the CARP/VM setup, about an hour is all I get. To bring the tunnel back up all I have to do is go into the m0n0 and change phase 1 to another setting and change it back to the original setting, and the tunnel comes back for an hour. I can also change any Phase 1 setting on both ends and the tunnel comes up, again only for about an hour. Anyone seen anything like this?

My first guess is 3600 is your lifetime on phase 2? And maybe it's not the same on both sides? That's one common cause. Not enough info there to tell you much more; check the SAs on both sides and see how those match up. Logs could be telling if there are any.

-- Wade Blackwell C - 805.400.8485 D - 805.457.8825 S - CoC.WadeBlackwell www.upcycle-consulting.com
[pfSense] M0n0wall to PFsense IPsec Tunnel drops every hour, Phase1 config change brings it back
Good evening all, I have an IPsec tunnel between a M0n0wall (1.33) and a pair of virtualized PFsense boxen running 2.0-RELEASE (amd64). I've never seen this issue in an IPsec implementation before. Short history: before I went to a virtualized pair of PF boxes running CARP this tunnel would stay up for .5 to a couple of days. Once I changed to the CARP/VM setup, about an hour is all I get. To bring the tunnel back up all I have to do is go into the m0n0 and change phase 1 to another setting and change it back to the original setting, and the tunnel comes back for an hour. I can also change any Phase 1 setting on both ends and the tunnel comes up, again only for about an hour. Anyone seen anything like this?

-- Wade Blackwell Cell - 805.400.8485 Desk - 805.457.8825 X998 Skype - CoC.WadeBlackwell http://www.upcycle-consulting.com/