Re: [pfSense] Open VPN configure ( Urgent)

2015-03-22 Thread Steve Yates
Amit Saxena wrote on Sun, Mar 22 2015 at 12:40 pm:

> My pfSense has 2 NICs
> WAN  192.168.1.4
> LAN 192.168.2.1
>
> Client machine
> XP LAN 192.168.2.4
>
> First I created server certificate

If your client PC is on the LAN, to what network are you VPNning on the 
pfSense router?  (if your client PC is on a different network and you are 
trying to get to the LAN, you need a different subnet on the client end 
otherwise packets won't route)

Some pitfalls: wildcard certs don't work.  Real certs don't seem to 
work; it wants to use one created on your pfSense box.  Therefore you must 
export your pfSense's CA (cert. authority) certificate and import it as a 
Trusted Root Certificate on your machine (that's what Windows calls it anyway). 
The IPv4 Tunnel Network needs to be something not used on either end, such as 
10.9.8.0/24.  Add firewall rules to the OpenVPN interface on pfSense.

--

Steve Yates
ITS, Inc.


___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

[pfSense] ARP for CARP

2015-03-18 Thread Steve Yates
I'm testing a setup inside our office that will eventually drop into a 
data center, so for now have our office router (also pfSense) set up with a 
virtual IP (64.79.96.145) and a gateway and static route to direct 
64.79.96.144/29 to the new router's WAN IP of 64.79.96.149.  That setup works 
from within my office, and I can ping 64.79.96.149 and 64.79.96.150 which I 
plan to use as the shared CARP IP.

However when I update the office router's gateway and hence route above 
to use the .150 CARP IP, the office router cannot find the .150 address, and 
pinging .150 yields Destination host unreachable since it doesn't think it 
has anywhere to send the routed traffic.  I noticed our office router does not 
detect an ARP entry for the CARP IP.  Is there a reason and/or a way to force 
that?  Does it take more than a few minutes?  It detects an ARP entry for 
64.79.96.149 just fine.  It also doesn't have an ARP entry for 64.79.96.148 
which is the WAN IP of the second router.

--

Steve Yates
ITS, Inc.




Re: [pfSense] ARP for CARP

2015-03-19 Thread Steve Yates
Steve Yates wrote on Wed, Mar 18 2015 at 7:02 pm:

> and pinging .150 yields Destination host unreachable since it doesn't think it
> has anywhere to send the routed traffic.  I noticed our office router does not
> detect an ARP entry for the CARP IP.

Turns out there was a stray static route defined for that IP block that 
was already being handled by the IP alias I'd attached to the LAN interface.  
Works better now.


Re: [pfSense] Running as a VM, multiple WAN subnets

2015-03-06 Thread Steve Yates
Chris L wrote on Fri, Feb 27 2015 at 12:10 pm:

> Hopefully the provider can just route the additional subnet to your existing
> WAN IP.  Then you don't need to do anything with CARP/HA except make sure
> primary and secondary are both set up to deal with the routed traffic.

I think sleep deprivation gets worse after 40...due to a 1-year-old in my 
case.  After I straightened out some things in my head, the above is what we're 
pursuing with the DC.  It will take a /29 block for the WAN (to get 3 IPs) plus 
a separate block for the LAN side.  I'm also looking at using one of the 
unused IPs from the /29 to provide NAT to a separate network on private IPs.

--
Thanks all,

Steve Yates
ITS, Inc.



Re: [pfSense] CARP sync of skew results in blank Status on backup router, breaking failover

2015-03-25 Thread Steve Yates
Steve Yates wrote on Wed, Mar 25 2015 at 1:22 pm:

> In my other thread, diagnosing why failback only moved back the WAN
> IPs, if the physical host had its network restarted underneath my router VM.

Sorry, had that backwards FWIW; it only moved back the LAN.  Again, not 
a normal situation but I had added IPv6 settings and shortcutted a full 
restart, then chased this issue when I lost access to my testbed despite having 
two routers running.

--

Steve Yates
ITS, Inc.



Re: [pfSense] pfSense 2.2.1 HA setup does not sync states

2015-03-27 Thread Steve Yates
Raimund Sacherer wrote on Fri, Mar 27 2015 at 4:33 am:

> Because I can't believe that what I see (State sync not applying, Gateways not
> correctly showing up in pftop/state diagnostic) is general in 2.2(.1). Others
> would have noticed in Beta/long before me.

States seem to be syncing just fine for me.  Is your firewall log set 
to show packets logged by the default block rule?

--

Steve Yates
ITS, Inc.


Re: [pfSense] newbie question

2015-03-23 Thread Steve Yates
Pol Hallen wrote on Mon, Mar 23 2015 at 5:09 am:

> adsl -- server1 -- WAN pfsense (2 NICs) LAN -- internal lan
>
> (I know that pfsense should be after the adsl modem)
>
> does pfsense run correctly with this configuration?
>
> WAN to server1
> LAN1 to internal lan
>
> or must I add a third NIC and connect LAN1 to server1 and LAN2 to
> internal lan?

Is pfSense running on server1?  Or is server1 supposed to be in a DMZ?  
If pfSense is separate from server1, then yes you will need another NIC.  
Otherwise all Internet traffic will go to server1 and not get to pfSense.

Or, if server1 connects to the Internet directly, and pfSense connects 
to the Internet separately (so they are in parallel), and you have two WAN IP 
addresses, that will work.

--

Steve Yates
ITS, Inc.




Re: [pfSense] Running as a VM, multiple WAN subnets

2015-03-02 Thread Steve Yates

> Using CARP implies that you care about reliability during edge cases and
> partial failures.  If so, then you need to do it right and use 3 IPs where
> you want 1 carp.

I hear you. I guess part of me just dislikes the possibility of wasting 12 or 
18 IPs (6 per subnet) a few years down the road, and yet getting a block of 128 
that might never get used is possible also...  Just wanted to make sure I 
wasn't missing something. 

Steve


Re: [pfSense] Running as a VM, multiple WAN subnets

2015-03-02 Thread Steve Yates
Steve Yates wrote on Mon, Mar 2 2015 at 1:05 am:

> the scenario is: no NAT, multiple public IPs in use on the LAN side
> from two different subnets, and pfSense acting as a firewall.

I received an email directly...to perhaps shorten my example, if we 
have two public subnets 1.1.1.0/28 and 2.2.2.0/28, I would like to use both of 
those subnets on different servers, use pfSense as the firewall, and use CARP.  
Is there a way to do that and minimize the number of IPs used?

The easy/default way it seems to be would be to use 6 public IPs from 
each subnet, 3 for CARP on the WAN side, 3 for CARP on the LAN side, and 
duplicate that for the second subnet.

--

Steve Yates
ITS, Inc.



Re: [pfSense] Running as a VM, multiple WAN subnets

2015-03-02 Thread Steve Yates
Steve Yates wrote on Mon, Mar 2 2015 at 9:09 am:

> I received an email directly...to perhaps shorten my example, if we
> have two public subnets 1.1.1.0/28 and 2.2.2.0/28, I would like to use both of
> those subnets on different servers, use pfSense as the firewall, and use CARP.
> Is there a way to do that and minimize the number of IPs used?

Having had more coffee...by "on different servers" let's assume 8 IPs 
in each subnet would be in use.

I'm trying to plan for a couple years down the road when we need more 
IPs from the data center, to see if it's better to get a larger block now even 
though it won't all be used for a while.

--

Steve Yates
ITS, Inc.



Re: [pfSense] Running as a VM, multiple WAN subnets

2015-02-27 Thread Steve Yates
Steve Yates wrote on Fri, Feb 27 2015 at 12:29 pm:

> Two WAN IP, two LAN IP, and two more for sync.

And reading this, I didn't write what I meant, so to just correct it 
all, 3 WAN, 3 LAN, and 2 for sync.

--

Steve Yates
ITS, Inc.




Re: [pfSense] Running as a VM, multiple WAN subnets

2015-03-01 Thread Steve Yates
Chris L wrote on Fri, Feb 27 2015 at 3:34 pm:

> On Feb 27, 2015, at 12:37 PM, Steve Yates wrote:
>
>> Chris L wrote on Fri, Feb 27 2015 at 12:10 pm:
>>
>>> Hopefully the provider can just route the additional subnet to your
>>> existing WAN IP.  Then you don't need to do anything with CARP/HA
>>> except make sure primary and secondary are both set up to deal with
>>> the routed traffic.
>>
>> Would that require three LAN side public IPs for the two firewalls out
>> of that second subnet also?
>
> It depends on what you want to do with them.
>
> If pfSense just routes them to another IP address, then no.  You only need 3 IPs
> when you have to create a pfSense interface with HA.


It's been a long weekend and I'm missing something that's probably 
obvious...the scenario is: no NAT, multiple public IPs in use on the LAN side 
from two different subnets, and pfSense acting as a firewall.  Subnet 1 would 
need a shared CARP IP and officially two others for WAN on both firewalls (but 
see below) and the same thing duplicated on the LAN side.  The servers on 
subnet 1 would use the CARP LAN IP from subnet 1 as their gateway.  

If subnet 2 is routed by the data center to subnet 1's CARP IP, then 
the way I read the docs it will get to pfSense if I set up an Other virtual IP 
type, correct?  Does pfSense then need to use a public IP Alias from subnet 2 
on its LAN side CARP interface to be the gateway for subnet 2?  Or if I read 
the IP Alias section a few more times, does it mean that it would still need 
the three public IPs for three LAN side aliases (aliases on the two interfaces 
plus a third alias for the CARP LAN interface).


I found this forum thread which points out that, as you suggested in 
another message, using three public IPs on the WAN side (and hopefully the LAN 
side) is apparently not required in v2.2.
https://forum.pfsense.org/index.php?topic=87546.0

However I found another post which says in part, "Without valid IPs on 
both, the secondary will not be able to independently check for updates or 
install packages. There would also be no way to directly manage the secondary 
from a remote location. It couldn't do DNS resolution to a remote DNS server, 
or even sync its clock to a remote time server."
https://forum.pfsense.org/index.php?topic=73584.msg404834#msg404834

...So those are good points.  However does that mean only the second firewall 
would need a WAN side public IP? (presumably the master would use the CARP WAN 
IP for its communication, while it is online.)  Regarding remote management, 
my tentative plan was to VPN to the CARP IP and access the firewalls from the 
LAN side.

--

Steve Yates
ITS, Inc.

Re: [pfSense] CARP authentication requires user admin?

2015-03-18 Thread Steve Yates
Steve Yates wrote on Wed, Mar 18 2015 at 4:49 pm:

> If I enable the HA sync setting for Synchronize Config to IP with the
> backup node's IP, and Remote System Username and Password for the backup,
> I get errors on the master like:
>
> [ An authentication failure occurred while trying to access
> https://10.20.1.102:443 (pfsense.host_firmware_version).]
>
> On the backup, I get a message in the system log that xmlrpc
> authentication failed for user admin but I disabled admin and the web GUI
> uses the username/password I entered as Remote System Username and
> Password on the master.  Is it hard coded to use admin?  Or is the error
> message hard coded to display admin?

Also, it appears to sync the states just fine.


Re: [pfSense] CARP authentication requires user admin?

2015-03-18 Thread Steve Yates
Steve Yates wrote on Wed, Mar 18 2015 at 4:49 pm:

> Is it hard coded to use admin?

Never mind, I reread the docs again.  "Enter admin for the Remote 
System Username (other usernames will not work)."


Re: [pfSense] CARP failover works but it only fails back the LAN

2015-03-23 Thread Steve Yates
I am not sure this is related but it is weird/bad...I got around to 
setting the skew back to 0 for all CARP IPs on router1.  pfSense (2.2.1) syncs 
the change to router2 so those skews change from 101 to 100.  However 
afterwards router1 shows all five as Status of Master, and router2 shows all 
five with a blank Status.  I must edit each of the five, save (without making 
changes) and only once changes are Applied the Status shows as Backup.  That 
sounds like a configuration sync bug?  I did see this when setting the skew 
from 0 to 1 earlier today and passed it off as I was clicking around a lot, but 
it seems to be repeatable.

--
Steve


Steve Yates wrote on Mon, Mar 23 2015 at 2:50 pm:

> Just ran into an odd scenario in my testbed...if pfSense (router1) is in a VM
> (Parallels Cloud/Virtuozzo), and I run "service network restart" on the host for
> that VM, pfSense fails over the WAN interface but does not fail over the LAN
> interface.  At that point external communication is lost because one router is
> handling LAN and one WAN.  It does not seem to recover afterwards until the
> host is restarted (we're also using VLANs on the host level for the pfSense VM
> to use for its interfaces, so that may be a factor in having the host restart).
>
> Per http://www.freebsd.org/cgi/man.cgi?query=carp&sektion=4, if
> net.inet.carp.preempt=1 then the CARP interfaces should fail over together.
> Running "sysctl net.inet.carp" on pfSense shows net.inet.carp.preempt=1.  If I
> reload the CARP status page on router2 quickly, I can see that the WAN and
> LAN interfaces correctly fail over so router2 is Master, however it almost
> immediately reverts so router2 is Master for WAN but router2 is Backup for
> LAN, and router1 is Master for LAN.
>
> How can I ensure they fail back together?
>
> Note that when I simply boot the host for router1, pfSense does fail over and
> back correctly!  So something is making it not fail back on the network restart?
>
> For what it's worth we have IPv4 and IPv6 CARP IPs for WAN, and an IPv4, an
> IPv4 alias, and IPv6 CARP IP for LAN.
>
> I found an OpenBSD (which I know is a different OS, but...) FAQ page on CARP
> that says "By default all carp(4) interfaces are added to the carp group."
> However if I run "ifconfig -v" on pfSense no groups are listed for em0 and em1,
> only lo0, enc0, and ovpns1.  I created a pfSense interface group "carpgroup" for
> LAN and WAN, but had the same symptoms.


[pfSense] Requiring TLS 1.1 for OpenVPN

2015-04-30 Thread Steve Yates
PCI scanning is now failing TLS 1.0 connections.  Is it as simple as 
adding tls-version-min 1.1 (or 1.2) to the OpenVPN: Server/Advanced 
configuration/Advanced text box?

--

Steve Yates
ITS, Inc.




Re: [pfSense] Pfsense + Cloudflare

2015-04-30 Thread Steve Yates
Seth Mos wrote on Thu, Apr 30 2015 at 10:09 am:

> If you want any meaningful address information you need to look at the
> headers that the proxy service provides you.

I was going to point that out (CloudFlare sends the IP in HTTP request 
headers) but that won't help at the firewall/packet level.  At that point 
(theoretically) I suppose CloudFlare would have to have functionality to act as 
a firewall?  And pfSense configured to only allow traffic from it.

--

Steve Yates
ITS, Inc.




Re: [pfSense] IKEv2 agile VPN from Win7/Win8 to pfSense 2.2.2

2015-06-17 Thread Steve Yates
Ermal Luçi wrote on Wed, Jun 17 2015 at 10:22 am:

> On Wed, Jun 17, 2015 at 4:40 PM, Steve Yates st...@teamits.com wrote:
>> OpenVPN requires a self-signed cert.
>
> Can you report the issue with OpenVPN on self-signed cert?

It's been a few months but if I recall correctly, on page 
Services/OpenVPN, while Server Certificate allows others to be chosen, Peer 
Certificate Authority (i.e., pfSense's CA) is a required field.

--

Steve Yates
ITS, Inc.




Re: [pfSense] Suricata alert suppression

2015-07-29 Thread Steve Yates
For posterity, I found references in the web forum that the stream 
rules basically don't work the way IDS is set up on pfSense so should be 
disabled.  I believe the issue is that it looks at the traffic in parallel so 
packets might be processed out of order.

Still not sure why it wasn't honoring the Suppress instruction.

--

Steve Yates
ITS, Inc.


Steve Yates wrote on Mon, Jul 13 2015 at 3:16 pm:

> I got Suricata installed and operating.  I found, oddly, that the highest
> volume of packet errors alerted was to/from Symantec IPs.  I added that
> subnet as trusted but apparently that doesn't take effect unless automatic
> blocking is also enabled.  I have not had much luck having it actually suppress
> the alerts though...  I edited the Suppress rules to use a subnet, which seems
> to be allowed, like so:
>
> #SURICATA STREAM Packet with invalid ack
> suppress gen_id 1, sig_id 2210045, track by_dst, ip 143.127.136.0/24
>
> ...and then disabled and re-enabled Suricata on the WAN interface.  However,
> IPs from within that /24 still show in the Alerts tab?



Re: [pfSense] CARP development testing within our network -- broadcast storm?

2015-07-27 Thread Steve Yates
I'm not sure I follow...the 192.168.50.x subnet would use 192.168.50.1 as its 
gateway and 10.10.10.111 would be the NATted WAN IP.  I don't see how that's a 
problem for other PCs in 10.10.10.x?  Unless 10.10.10.111-113 are in use on it?

This reads like you added the computer and server to the WAN side of pfSense, 
so they would not be using pfSense at all.

You can't connect the networks through pfSense and around it at the same time...

--

Steve Yates
ITS, Inc.



Justin Edmands wrote on Mon, Jul 27 2015 at 3:53 pm:

> I have set up a dual gateway setup that I created to test a future project
> of adding another gateway to our production setup. I added two computers
> next to me connected to a switch and the WAN IPs are IPs from our regular
> subnet. The LAN is a subnet that we don't use normally.
>
> my computer - 10.10.10.58
> random server - 10.10.10.43
>
> devpfsense WAN CARP IP - 10.10.10.111
> devpfsense1 WAN - 10.10.10.112
> devpfsense2 WAN - 10.10.10.113
>
> devpfsense LAN CARP IP - 192.168.50.1
> devpfsense1 LAN - 192.168.50.10
> devpfsense2 LAN - 192.168.50.11
>
> I connect all of this up. CARP works just fine. I edit a few things and
> everything syncs over to the secondary gateway. The problem is that the
> WAN IPs being set are wreaking havoc on my regular network where the
> 10.10.10.XXX IPs reside.
>
> It is as if I am creating some form of a loop or broadcast storm.
>
> Am I supposed to enable something like HSRP or VRRP to tell my regular
> network that these two WAN IPs work together and form 10.10.10.111?


Re: [pfSense] CARP development testing within our network -- broadcast storm?

2015-07-27 Thread Steve Yates
Justin Edmands wrote on Mon, Jul 27 2015 at 4:57 pm:

> These computers in the 10.10.10.XXX lose all access to the internet when I
> plug in the 10.10.10.112 and 10.10.10.113 pfsense boxes.

Can you explain the cabling?  pfSense should just be another device on 
the network at that point, with the LAN computers behind it.

--

Steve Yates
ITS, Inc.




Re: [pfSense] bsd/pfsense equivalent to fail2ban

2015-07-27 Thread Steve Yates
I think you're looking for Snort or Suricata.  Presumably someone would 
have detections for asterisk by now?

--

Steve Yates
ITS, Inc.


mayak wrote on Sat, Jul 25 2015 at 7:31 am:

> hi all,
>
> i have a number of asterisk instances behind pfsense -- 5060 is open to the
> public, and of course, i have incessant attempts to make free calls.
>
> for the moment, i use an iptables rule:
>
> iptables --append local-external --protocol udp -m udp --sport 5060 -m string \
>   --string "SIP/2.0 403 Forbidden" --algo bm --to 66 \
>   -j LOG --log-ip-options --log-prefix "SIP ABUSE: 403: "
>
> which inspects udp packets to discern who is trying to hack. enough errors in
> the log, and the ip gets banned (digging into the packet is the only way to
> correctly eliminate spoofing)




Re: [pfSense] Primer for AP/bridge setup? (based on Re: Access Point Recommendations?)

2015-07-24 Thread Steve Yates
Kenward Vaughan wrote on Fri, Jul 24 2015 at 10:00 am:

> We have a laser printer down the hall to which I attached an old home
> wifi router (don't recall the brand) making it accessible to people.
> Thought it would be nice to have this also bridge to the LAN

Usually devices can be access points, wireless clients, or bridges, but 
not more than one.  I would expect if you connect the printer to the LAN, then 
anyone using the printer would need to connect to the LAN's AP instead of 
directly to the printer.

--

Steve Yates
ITS, Inc.




Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?

2015-07-24 Thread Steve Yates
Ted Byers wrote on Fri, Jul 24 2015 at 3:51 pm:

> First, the scanner complains that TLS1 is supported and we need to restrict
> it to TLS1.2.
>
> Second, it appears that ssh-server on pfsense is version 6.6

Is this an internal scan or external?  Hopefully those aren't exposed 
externally.  If internal, can access be limited to certain IPs?

This probably isn't the forum to discuss, but the TLS 1.0 one is a fun 
one...that will catch Remote Desktop Services, and Vista and below don't 
support TLS 1.1+ period, and Windows 7 with IE10 or earlier don't have TLS 1.1+ 
enabled by default.

--

Steve Yates
ITS, Inc.




Re: [pfSense] Primer for AP/bridge setup? (based on Re: Access Point Recommendations?)

2015-07-24 Thread Steve Yates
Kenward Vaughan wrote on Fri, Jul 24 2015 at 11:00 am:

> I currently use the older router wired to the laserjet because I
> expected it to have more range, and honestly haven't tried setting up a
> printer's wifi connection before.  So it is a standalone system right
> now.  Would that printer work directly with the LAN's AP as a bridge,
> getting its IP address, etc, from there?  I don't want unlimited access
> to it.

If the printer has wireless you can connect the printer to any access 
point.  That is the same as plugging in a cable so that wouldn't limit access.  
However bridging it to the network doesn't limit access either unless the 
bridge has some sort of security set up.  I was just skimming this thread but I 
think to use pfSense you'd have to have the printer on a different subnet or in 
some way have pfSense do the routing so it could have firewall rules set up.

--

Steve Yates
ITS, Inc.




[pfSense] Suricata alert suppression

2015-07-13 Thread Steve Yates
I got Suricata installed and operating.  I found, oddly, that the 
highest volume of packet errors alerted was to/from Symantec IPs.  I added that 
subnet as trusted but apparently that doesn't take effect unless automatic 
blocking is also enabled.  I have not had much luck having it actually suppress 
the alerts though...  I edited the Suppress rules to use a subnet, which seems 
to be allowed, like so:

#SURICATA STREAM Packet with invalid ack
suppress gen_id 1, sig_id 2210045, track by_dst, ip 143.127.136.0/24

...and then disabled and re-enabled Suricata on the WAN interface.  However, 
IPs from within that /24 still show in the Alerts tab?

--

Steve Yates
ITS, Inc.


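An added example (my own code, not from this thread or the Suricata project) that re-implements the threshold.config suppress matching for the rule quoted in this message and in the July 29 follow-up, and checks which constructed alerts it would still leave in the Alerts tab. It assumes the documented track keywords by_src, by_dst and by_either; the sample alerts are constructed.

```python
"""Which alerts does a Suricata threshold.config 'suppress' line actually hide?

Re-implements only the suppress matching rules from threshold.config:
  suppress gen_id <gid>, sig_id <sid>                       (whole signature)
  suppress gen_id <gid>, sig_id <sid>, track by_src|by_dst|by_either, ip <addr|net>
'track by_dst' matches when the alert's *destination* is in the network, so
alerts where that network is the source are still shown.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst|by_either)\s*,\s*ip\s+(\S+))?\s*$"
)

# The rule from the list post, as it would appear in threshold.config.
SAMPLE_CONFIG = """\
#SURICATA STREAM Packet with invalid ack
suppress gen_id 1, sig_id 2210045, track by_dst, ip 143.127.136.0/24
"""


@dataclass(frozen=True)
class Suppress:
    gen_id: int
    sig_id: int
    track: Optional[str]    # None: suppress the signature for all traffic
    net: Optional[Network]


@dataclass(frozen=True)
class Alert:
    gen_id: int
    sig_id: int
    src: str
    dst: str


def parse_threshold_config(text: str) -> List[Suppress]:
    """Parse suppress lines; '#' comments, blank lines and other keywords are skipped."""
    rules: List[Suppress] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = SUPPRESS_RE.match(line) if line else None
        if not m:
            continue
        gen_id, sig_id, track, ip = m.groups()
        net = ipaddress.ip_network(ip, strict=False) if ip else None
        rules.append(Suppress(int(gen_id), int(sig_id), track, net))
    return rules


def is_suppressed(alert: Alert, rules: List[Suppress]) -> bool:
    """True if at least one suppress rule applies to this alert."""
    src, dst = ipaddress.ip_address(alert.src), ipaddress.ip_address(alert.dst)
    for r in rules:
        if (r.gen_id, r.sig_id) != (alert.gen_id, alert.sig_id):
            continue
        if r.track is None:
            return True
        src_hit, dst_hit = src in r.net, dst in r.net
        if (r.track == "by_src" and src_hit) or (r.track == "by_dst" and dst_hit):
            return True
        if r.track == "by_either" and (src_hit or dst_hit):
            return True
    return False


def still_visible(alerts: List[Alert], rules: List[Suppress]) -> List[Alert]:
    """The alerts that would still reach the Alerts tab."""
    return [a for a in alerts if not is_suppressed(a, rules)]


if __name__ == "__main__":
    rules = parse_threshold_config(SAMPLE_CONFIG)
    # Constructed alerts: one towards the /24 (suppressed), one from it (not).
    alerts = [Alert(1, 2210045, "10.20.1.5", "143.127.136.10"),
              Alert(1, 2210045, "143.127.136.10", "10.20.1.5")]
    for a in still_visible(alerts, rules):
        print(f"still alerting: sid {a.sig_id} {a.src} -> {a.dst}")
```

Traffic from the /24 therefore needs a second line with track by_src (or by_either where the installed Suricata accepts it) before it is hidden.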


Re: [pfSense] Help with provider assigning multiple IP addresses over PPPoE

2015-11-15 Thread Steve Yates
> I don't have any trouble adding NAT
> rules that forward the .217 through to my internal network.  

If that works, it sounds like .217 is your IP, and not your gateway as 
they documented.  What is the gateway on your WAN connection?
--

Steve Yates
ITS, Inc.



[pfSense] 2.2.5 upgrade - failed to open openvpn-client-export-2.3.6.tgz

2015-11-09 Thread Steve Yates
Upgraded two routers today from 2.2.1 to 2.2.5.  Both showed this at the end of 
the upgrade (pasting from system log):

Nov 8 14:49:19  php: rc.bootup: Finished reinstalling all packages.
Nov 8 14:49:19  php: rc.bootup: Finished installing package OpenVPN Client Export Utility
Nov 8 14:49:19  php: rc.bootup: Successfully installed package: OpenVPN Client Export Utility.
Nov 8 14:49:19  check_reload_status: Syncing firewall
Nov 8 14:49:18  kernel: tar: Error opening archive: Failed to open '/usr/local/pkg/openvpn-client-export-2.3.6.tgz'
Nov 8 14:49:18  kernel: 100%
Nov 8 14:49:15  kernel:  90% 100%
...
Nov 8 14:48:17  php: rc.bootup: Beginning package installation for OpenVPN Client Export Utility .
Nov 8 14:48:16  php: rc.bootup: Reinstalling package OpenVPN Client Export Utility
Nov 8 14:48:16  php: rc.bootup: Finished uninstalling package OpenVPN Client Export Utility
...
Nov 8 14:47:48  php: rc.bootup: Uninstalling package OpenVPN Client Export Utility
...
Nov 8 14:47:48  php: rc.bootup: List of packages to reinstall: OpenVPN Client Export Utility


1) OpenVPN: Client Export Utility page displays fine?  Install finished per the 
log above...can I ignore the error?

2) System/Packages shows v1.2.20 installed.  Looking at its changelog page, it 
looks like 2.3.6 is the OpenVPN version?


--

Steve Yates
ITS, Inc.




Re: [pfSense] FTP issues on 1:1

2015-07-07 Thread Steve Yates
ED Fochler wrote on Tue, Jul 7 2015 at 1:10 pm:

> FTP is a nasty beast.  There's active, passive, and extended passive
> connections.  You may need a client that does extended passive (epsv?) to work
> properly.  Standard passive will hand back the server's IP & data port over the
> control connection, so unless PFSense is altering the packets as they leave, or
> ProFTPd knows that it needs to respond to that IP range with a masqueraded
> IP, standard passive will get hung up.

http://www.proftpd.org/docs/directives/linked/config_ref_MasqueradeAddress.html

Basically that should hand out the public IP for the passive connection, 
instead of the server's LAN IP.  However (not tested) that may well break 
internal FTP, unless perhaps requests to the WAN IP are reflected back inside.  
I think I would even expect internal FTP users to have to connect via the WAN 
IP also.

--

Steve Yates
ITS, Inc.



Re: [pfSense] FTP issues on 1:1

2015-07-09 Thread Steve Yates
Ryan Coleman wrote on Thu, Jul 9 2015 at 5:24 pm:

> I switched it to port 21 and it's still not working externally, either.

Not sure if you said what FTP client you're using.  FileZilla has some 
debug logging modes that might help narrow down the issue.

--

Steve Yates
ITS, Inc.



Re: [pfSense] FTP issues on 1:1

2015-07-07 Thread Steve Yates
Ryan Coleman wrote on Tue, Jul 7 2015 at 4:48 pm:

> http://www.proftpd.org/docs/directives/linked/config_ref_MasqueradeAddress.html
>
> Yep - I'm using that.
>
> Command:  PORT 10,20,1,49,214,167

Pretty sure this would be IP 10.20.1.49, not the public one...is 
10.20.1.x on your WAN?

--

Steve Yates
ITS, Inc.


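An added example (my own code, not from this thread or ProFTPD) that decodes the PORT line quoted above and the 227/229 replies discussed in the earlier "FTP is a nasty beast" message, and flags a data-connection address that the remote peer cannot reach. The 64.79.96.150 public address in its sample is borrowed from the CARP thread on this page, and the sample lines are constructed.

```python
"""Decode the endpoint an FTP PORT command or PASV/EPSV reply announces.

PORT (client side) and the 227 PASV reply (server side) both carry the
data-connection endpoint as six decimal octets, h1,h2,h3,h4,p1,p2: four
for the IPv4 address and two for the port (high byte, low byte). So
'PORT 10,20,1,49,214,167' announces 10.20.1.49 port 214*256+167 = 54951,
a private address a peer across a 1:1 NAT cannot connect to. A 229 EPSV
reply carries only a port; the address is implicitly the one the control
connection already uses, which is why EPSV survives NAT without
MasqueradeAddress.
"""
import ipaddress
import re
from typing import NamedTuple

_HOSTPORT_RE = re.compile(
    r"(?<!\d)(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})(?!\d)"
)
_EPSV_RE = re.compile(r"\(\|\|\|(\d{1,5})\|\)")


class Endpoint(NamedTuple):
    ip: str
    port: int
    private: bool   # RFC 1918, loopback, link-local, etc. as judged by ipaddress


def decode_hostport(text: str) -> Endpoint:
    """Decode the h1,h2,h3,h4,p1,p2 tuple used by PORT (client) and 227 (server)."""
    m = _HOSTPORT_RE.search(text)
    if not m:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 tuple in {text!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"octet out of range in {text!r}")
    h1, h2, h3, h4, p1, p2 = fields
    addr = ipaddress.IPv4Address(f"{h1}.{h2}.{h3}.{h4}")
    port = (p1 << 8) | p2
    return Endpoint(str(addr), port, addr.is_private)


def decode_epsv(reply: str) -> int:
    """Port from a 229 reply such as '229 Entering Extended Passive Mode (|||50000|)'."""
    m = _EPSV_RE.search(reply)
    if not m:
        raise ValueError(f"no (|||port|) field in {reply!r}")
    port = int(m.group(1))
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range in {reply!r}")
    return port


def check_data_endpoint(line: str, expected_public_ip: str) -> str:
    """Verdict for a PORT line or 227 reply copied from a client log.

    expected_public_ip is the address the remote peer must use (the WAN /
    1:1 NAT address); a private or different address means the data
    connection hangs, as in the thread.
    """
    ep = decode_hostport(line)
    if ep.private:
        return f"{ep.ip}:{ep.port} is a private address; the remote peer cannot connect to it"
    if ep.ip != expected_public_ip:
        return f"{ep.ip}:{ep.port} is not the expected public address {expected_public_ip}"
    return f"{ep.ip}:{ep.port} looks usable"


if __name__ == "__main__":
    # Constructed sample lines: the PORT command from the thread, a PASV reply
    # and an EPSV reply, checked against a public WAN address.
    print(check_data_endpoint("PORT 10,20,1,49,214,167", "64.79.96.150"))
    print(check_data_endpoint("227 Entering Passive Mode (64,79,96,150,195,80).", "64.79.96.150"))
    print("EPSV port", decode_epsv("229 Entering Extended Passive Mode (|||50000|)"))
```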

Re: [pfSense] Unbound DNS Resolver doesn't listen on IP aliases even when selected in settings

2015-11-17 Thread Steve Yates
Paul Mather wrote on Thu, Nov 12 2015 at 1:38 pm:

> Unfortunately, with this configuration, unbound does not listen on the
> IP aliases: it only listens on the primary IP addresses of LAN,
> INTERNAL, and localhost.

I don't have quite the same configuration, but with a CARP shared LAN 
IP, it listens on that alias.  Did you check your firewall log/rules?

--

Steve Yates
ITS, Inc.



Re: [pfSense] Strange timezone behavior and then full stop

2015-08-26 Thread Steve Yates
Wade Blackwell wrote on Wed, Aug 26 2015 at 10:27 am:

> Warning: date(): It is not safe to rely on the system's timezone settings.
> You are *required* to use the date.timezone setting or the
> date_default_timezone_set() function. In case you used any of those methods
> and you are still getting this warning, you most likely misspelled the
> timezone identifier. We selected the timezone 'UTC' for now, but please set
> date.timezone to select your timezone. in /etc/inc/globals.inc on line 64

This is a PHP warning that would show on each page load.  Recent PHP 
versions (5.3+?) require the time zone to be set in php.ini or other PHP-read 
.ini files.  It's just a warning so isn't an indicator of a problem in and of 
itself.

--

Steve Yates
ITS, Inc.




Re: [pfSense] pfSense + AD not resolving DNS

2015-10-01 Thread Steve Yates
> 2.- The WAN network doesn't work. No access to the Internet, whether or not
> using the DNS service in the pfSense box. ping, traceroute, dig directly from
> the pfSense box do not work.

If you can't ping/traceroute by IP address, it's not a DNS issue.

--

Steve Yates
ITS, Inc.




Re: [pfSense] Shutdown Interface?

2015-12-09 Thread Steve Yates
pfse...@douwifi.com wrote on Tue, Dec 8 2015 at 4:41 pm:

>> Doug, what does that link have to do with pfSense and how does it help
>> him configure pfSense.

It has advice and instructions for configuring pfSense to mitigate 
DDOS, with screenshots. :)  Including rate limiting on firewall rules which the 
OP specifically asked about and I'll admit I didn't realize pfSense had.

I couldn't find a "part 2" though...?

>> A quick Googling came up with this:
>> 
>> http://www.wedebugyou.com/2012/11/how-to-prevent-and-mitigate-ddos-part1/


--

Steve Yates
ITS, Inc.



Re: [pfSense] Lost limiter config after upgrade

2015-12-16 Thread Steve Yates
Chris L wrote on Tue, Dec 15 2015 at 1:32 am:

> Yeah there's a difference between the upgrade failing and the upgraded system
> just not working with limiters.
> 
> It seems either traffic just doesn’t flow or limiters don’t limit.
> 
> I am really looking forward to this being fixed. Until then, 2.1.5 rules the 
> roost.

Per that bug report (https://redmine.pfsense.org/issues/4326), it 
sounds like it's only an issue if NAT is being used, correct?  They work if NAT 
is not in use?

--

Steve Yates
ITS, Inc.




Re: [pfSense] Multiple SSIDs

2015-11-24 Thread Steve Yates
Steve Yates wrote on Tue, Nov 24 2015 at 9:28 am:
>   We haven't used wireless with pfSense yet.  The manuals for the
> hardware models don't seem to mention how to set up the optional
> wireless. The doc site suggests not using wireless in pfSense?
> (https://doc.pfsense.org/index.php/Should_I_use_pfSense_as_my_access_point)
> It also says that some cards can handle multiple SSIDs
> (https://doc.pfsense.org/index.php/Wireless_Interfaces).  Does anyone
> know if pfSense's hardware models support multiple SSIDs?
> 
>   The scenario is a client would use pfSense for routing but has a "demo
> room" they would like to keep isolated.  Can we set up a second SSID that
> would connect to that room's network?  Or should we just get an access point
> for that room?
>

Or, for other/future reference, a "guest" SSID that would be isolated 
from the rest.  I'd expect that to be possible as long as it supports multiple 
SSIDs, and just be a matter of the routing setup...

--

Steve Yates
ITS, Inc.





[pfSense] Suricata sync crashes WebConfigurator, and other issues

2016-01-11 Thread Steve Yates
I've been working on implementing Suricata (package 2.1.9.1) on a CARP 
dual router setup, and Suricata is set to sync to router2 as well.  I have 
several issues, the worst of which ends with me unable to connect to router2 
via a browser (and of course sync fails).

1) Agonizingly slow page loads.
I'm trying to enable only certain emerging-web_specific_apps.rules rules. I 
disabled all rules, and am going through and enabling certain ones that apply.  
There are several thousand rules in that category, so it is a big page*.  If I 
enable a rule, sometimes the page reloads in a few seconds. Sometimes it takes 
several minutes.  Sometimes I can enable 20 in a row, fast, and then it slows 
down again.  I don't understand the discrepancy.  It is so slow I can watch the 
table draw if I scroll to the bottom of what's loaded.  While it's loading, 
other pages from the router load fine, e.g. the index.php page loads 
immediately and shows 0% CPU usage, 30% memory usage (it's a 4 CPU VM with 2 GB 
RAM, on a 100 Mbps connection).  Other connections *through* this router are 
normal.

2) I have found that despite two Apply buttons on the "Suricata: Interface WAN 
- Rules: " page it syncs every change to router2 anyway, every time a rule 
is enabled.  It seems slightly faster to turn off syncing but not several 
minutes faster (and then enable it at the end, which immediately syncs).

3) CARP syncs at every Suricata rule enable also, even though Suricata has its 
own sync.  QUESTION: do I need the Suricata sync enabled if the CARP sync is 
enabled?

4) If I disable the CARP configuration sync (leaving state sync enabled) the 
super slow page loads go away for a while.  However they come back so it does 
not 100% fix the problem of the several-minute page loads.

5) Occasionally, clicking on the Enable icon sends me directly to the router's 
index.php page as if something crashed.  I would say it is rare, but just now 
it happened 4 times inside of a few minutes.  It can happen even if I wait a 
couple minutes after the page loads before clicking an Enable icon.  What would 
cause this redirect?  Shouldn't pfSense show an error page if an error is 
happening?

6) I started on pfSense 2.2.5 and upgraded both routers to 2.2.6 since it said 
it fixed some sync issues.  On at least two occasions, with 2.2.6, I start 
getting "unread notice" alerts for sync errors, and can't connect to the web 
GUI on router2.  Connecting to its console and choosing "Restart 
webConfigurator" (option 11) fixes both issues, as if the web browser crashed.

7) I don't know if this is relevant but when each and every CARP sync happens, 
router2 logs the following.  The 192.168.199.1 IP address is in the tunnel 
network for OpenVPN, which is not connected.

Jan 12 00:39:47 php-fpm[26893]: /rc.start_packages: Restarting/Starting 
all packages.
Jan 12 00:39:46 check_reload_status: Starting packages
Jan 12 00:39:46 php-fpm[26893]: /rc.newwanip: pfSense package system 
has detected an IP change or dynamic WAN reconnection - -> 192.168.199.1 - 
Restarting packages.
Jan 12 00:39:46 check_reload_status: Reloading filter
Jan 12 00:39:46 php-fpm[26893]: /rc.newwanip: rc.newwanip: on (IP 
address: 192.168.199.1) (interface: []) (real interface: ovpns1).
Jan 12 00:39:46 php-fpm[26893]: /rc.newwanip: rc.newwanip: Info: 
starting on ovpns1.
Jan 12 00:39:45 check_reload_status: rc.newwanip starting ovpns1
Jan 12 00:39:45 kernel: ovpns1: link state changed to UP
Jan 12 00:39:44 check_reload_status: Reloading filter
Jan 12 00:39:44 kernel: ovpns1: link state changed to DOWN
Jan 12 00:39:44 php-fpm[19360]: /xmlrpc.php: Resyncing OpenVPN 
instances.
Jan 12 00:39:44 php-fpm[19360]: /xmlrpc.php: ROUTING: setting IPv6 
default route to [IPv6 WAN gateway]
Jan 12 00:39:44 php-fpm[19360]: /xmlrpc.php: ROUTING: setting default 
route to [IPv4 WAN gateway]
Jan 12 00:39:44 check_reload_status: Reloading filter
Jan 12 00:39:44 check_reload_status: Syncing firewall




* small JavaScript tip: define a function for document.getElementById like so 
and it will save a lot of repeated text on a page that big:
function x(id) {
// shorthand for document.getElementById(id)
return document.getElementById(id);
}

--

Steve Yates
ITS, Inc.





Re: [pfSense] IPSec nat issue

2016-05-26 Thread Steve Yates
Jumping in midway through, 193.168.1.0/24 belongs to Universite du Luxembourg.  
If that's not you then the other end could be routing packets there.

--

Steve Yates
ITS, Inc.
-Original Message-
> On Wed, May 25, 2016 at 8:54 PM, Lyle <l...@lcrcomputer.net> wrote:
> 
>> The other end has a conflict with our LAN addressing (192.168.1.0/24).  
>> So in phase 2, we setup a Tunnel IPv4 using 193.168.1.0/24
>> 
>> for the local Network.  NAT/BINAT network of 192.168.85.0/24.  Their 
>> remote network is 192.168.75.0/24.


Re: [pfSense] Snort or Suricata

2016-06-13 Thread Steve Yates
See if disabling the stream-events.rules ruleset helps.  The web forum had some 
references about that being incompatible with the pfSense implementation.  If 
memory serves, it's because Snort/Suricata see copies of packets not the actual 
stream so they are often processed out of order.

When I looked a while back it seemed like Snort and Suricata were similar but 
Snort was single thread and Suricata could multi-thread.

https://github.com/Snorby/snorby/wiki/Snort-vs-Suricata-vs-Sagan
http://wiki.aanval.com/wiki/Snort_vs_Suricata

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Daniel Eschner
Sent: Sunday, June 12, 2016 1:57 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] Snort or Suricata

Hi there,

I installed Snort and let it run with Snort Community Rules and ET Rules.
I get tons of false positive alerts.

Maybe Suricata is better? What are the differences?

It seems that only the ET rules have no or very few false positives.

Cheers

Daniel


Re: [pfSense] Snort or Suricata

2016-06-13 Thread Steve Yates
When we first started experimenting with Suricata we had pfSense running on a 
very old PC...XP era probably, and I'd guess 10-15 years old.  When running, 
Suricata did seem OK and not too CPU or RAM intensive but Suricata did simply 
stop working now and again.  That hasn't happened since using newer hardware 
with a faster CPU, though we've also upgraded pfSense since then.  We haven't 
had any such issue elsewhere.

I would expect that higher traffic would definitely benefit from 
multithreading, hence our choice of Suricata over Snort.

The one issue we had with Suricata is on a CARP setup, where the sync would 
fail and crash the web service and/or PHP on the second router.  I had tried to 
disable a lot of rules (some of the rulesets have hundreds) that didn't apply, 
and that took forever since it tried to sync each time.  Later I found all 
those rules were enabled again, and we haven't had the problem lately.  My 
guess is the more individual rules that one disables, the longer it takes to 
sync, and the larger sync info is.  Then at some point something crashed and 
reset the rules to not have any disabled, after which the sync is smaller.

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Karl Fife
Sent: Monday, June 13, 2016 2:12 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] Snort or Suricata

With as many rules as an IDS/IPS would evaluate for each packet, it seems that 
a multi-threaded option would be an obvious choice, especially on modern 
multi-core quasi-embedded systems (e.g. 
Rangely/Atom) with lower absolute clock speeds.  Otherwise it seems you might 
become effectively CPU bound given modern uplinks and applications (e.g. 
captive portal, multi-lan etc), thus introducing jitter and reduced throughput.

Is this consistent with anyone's real-world observation/testing?


On 6/13/2016 9:28 AM, Steve Yates wrote:
> See if disabling the stream-events.rules ruleset helps.  The web forum had 
> some references about that being incompatible with the pfSense 
> implementation.  If memory serves, it's because Snort/Suricata see copies of 
> packets not the actual stream so they are often processed out of order.
>
> When I looked a while back it seemed like Snort and Suricata were similar but 
> Snort was single thread and Suricata could multi-thread.
>
> https://github.com/Snorby/snorby/wiki/Snort-vs-Suricata-vs-Sagan
> http://wiki.aanval.com/wiki/Snort_vs_Suricata
>
> --
>
> Steve Yates
> ITS, Inc.
>
> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Daniel 
> Eschner
> Sent: Sunday, June 12, 2016 1:57 PM
> To: pfSense Support and Discussion Mailing List 
> <list@lists.pfsense.org>
> Subject: [pfSense] Snort or Suricata
>
> Hi there,
>
> I installed Snort and let it run with Snort Community Rules and ET Rules.
> I get tons of false positive alerts.
>
> Maybe Suricata is better? What are the differences?
>
> It seems that only the ET rules have no or very few false positives.
>
> Cheers
>
> Daniel



Re: [pfSense] How to determine supported packages without installing

2016-06-17 Thread Steve Yates
I suspect package compatibility is not maintained on per-pfSense-version basis. 
Meaning, packages worked on 2.x up until the package changes on 2.3, and 
probably will work on into the future until the next breaking change.

https://doc.pfsense.org/index.php/Upgrade_Guide#pfSense_2.3_Upgrade_Guide has 
text:
See Package Port List for a list of packages currently available on 2.3.
Links to -> https://doc.pfsense.org/index.php/Package_Port_List

Also, from the blog entry on the 2.3.1 release:
https://doc.pfsense.org/index.php/2.3_Removed_Packages


--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Bryan D.
Sent: Friday, June 17, 2016 5:18 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] How to determine supported packages without installing

On 2016-Jun-17, at 2:35 PM, compdoc <comp...@hotrodpc.com> wrote:
> I think this is complete:
> <snip'd>

Thanks.  Looks like I can proceed with an update to 2.3.

Regardless, I still think there should be a way to authoritatively determine 
this info via the pfSense web site -- ideally, for all releases, minimally for 
the current release.  Perhaps the generation of such a page could be added to 
the build/release tools?  Alternatively, porting pfSense's packages pages to 
run on the pfSense site could provide the current-release info.


Re: [pfSense] add Blocking in suricata just for some IPs

2016-06-20 Thread Steve Yates
You should be able to go the other direction and set up a pass list 
that allows everything but these IPs.  Remember to add the pass list to the 
interface though.

However if you just enable the alerting and select to not automatically 
block the bad traffic that may be easier.

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Daniel Eschner
Sent: Monday, June 20, 2016 1:28 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] add Blocking in suricata just for some IPs

Hi to everyone,

Is it possible to add blocking mode just to some IPs from a /24 network?
I want to run that in test mode to see how many false positives I will see ;)

Cheers

Daniel




Re: [pfSense] Lost limiter config after upgrade

2016-01-11 Thread Steve Yates
Steve Yates wrote on Tue, Dec 15 2015 at 5:04 pm:
>   Per that bug report (https://redmine.pfsense.org/issues/4326), it 
> sounds like it's only an issue
> if NAT is being used, correct?  They work if NAT is not in use?

To follow up I set up a limiter on our data center router, for one IP 
doing an rsync backup to our office.  No NAT.  No issues yet after a week or 
two.  I didn't use the wizard, though I started it a few times to try to see 
what it was doing.  I just wanted the limiter.  The time of day scheduling is 
great for long running rsyncs since I drop the bandwidth down during the day.

Ugo Bellavance wrote on Tue, Dec 15 2015 at 11:02 pm:
> I had one of 28 mbps and 3 children to set the weight.  Before, it
> prevented traffic from going over 28 mbps.  Now I had to lower the
> parent limiter to 26 because it looks like some traffic goes over the
> 26 mbps.

A couple ideas based on what I read about setting up limiters...

1) did you create two limiters, one for upload and one for download?
2) in the limiter settings, did you pick a Mask setting or leave at None?  Mask 
will create multiple pipes, one per IP address.

I haven't watched the traffic graph that closely to see if it ever goes 
over a little bit.  If you're saying you set it to 28 and sometimes see 35 
Mbps, I am not seeing that.

--

Steve Yates
ITS, Inc.




Re: [pfSense] Slow speed on 100Base TX full duplex.

2016-01-11 Thread Steve Yates
Muhammad Yousuf Khan wrote on Mon, Jan 11 2016 at 12:23 am:

> - iperf speed test for LAN, between is 50Mbps up and down
> - but iperf test on WAN showing 10Mbps down and 5Mbps up.
> - however my client is saying that assigned speed from colo is 100Mbps.

"full duplex" means the card sends and receives at the same time, so 
you normally want that on.

You said the colo port speed is 100 Mbps.  This is not necessarily the 
speed they have allowed for him, or the available bandwidth at the facility.  
If we imagine he is paying for a 50 Mbps connection the Ethernet port speed is 
still going to be 100 because the only choices are 10, 100, 1000, or 10 Gbit.

Likewise, if the colo has a lot of traffic, he may not get a 100 Mbps 
download speed when testing.

--

Steve Yates
ITS, Inc.





Re: [pfSense] Suricata sync crashes WebConfigurator, and other issues

2016-01-15 Thread Steve Yates
I don't like leaving things not fully stable so I bit the bullet and 
clicked "Remove Enable/Disable changes in the current Category" so it would at 
least sync.  To my surprise it did not help, even after doing it on router2 as 
well.  Then I noticed the CARP sync was also starting to fail.

After thinking about it a bit I restarted router2 and syncing 
immediately worked again.  That implies something was wrong with the XMLRPC 
sync that wasn't fixed by restarting webConfigurator and/or PHP-FPM.  Notably 
there was a config sync fix included in pfSense 2.2.6...

I noticed another interesting tidbit.  The first Suricata sync after 
the restart I used a hostname (to router2's LAN IP).  The sync took 4 seconds.  
I then changed to an IP address.  It succeeded but took just shy of 3 minutes.  
Back to the hostname...1 second.  Back to the IP...timeouts and "Code 2: 
Invalid return payload."  At that point I had to restart router2 again.

I can't imagine using a hostname makes any practical difference.  I had 
started with an IP for the Suricata sync because the High Availability Sync 
page says to use an IP.

I did notice that the pfSense config sync triggers a route reload and 
down/up of the OpenVPN interface (which isn't connected), and the OpenVPN 
down/up logs, in order:

/rc.newwanip: rc.newwanip: Info: starting on ovpns1.
/rc.newwanip: rc.newwanip: on (IP address: 192.168.199.1) (interface: []) (real 
interface: ovpns1).
check_reload_status: Reloading filter
php-fpm[49144]: /rc.newwanip: pfSense package system has detected an IP change 
or dynamic WAN reconnection - -> 192.168.199.1 - Restarting packages.
check_reload_status: Starting packages
/rc.start_packages: Restarting/Starting all packages.

...maybe "restarting packages" is interfering with the Suricata sync?

Or possibly the default Suricata sync timeout of 150 seconds needs to 
be a *lot* higher?

--

Steve Yates
ITS, Inc.




Re: [pfSense] Suricata sync crashes WebConfigurator, and other issues

2016-01-15 Thread Steve Yates
Steve Yates wrote on Tue, Jan 12 2016 at 1:25 am:

> 6) I started on pfSense 2.2.5 and upgraded both routers to 2.2.6 since it 
> said it
> fixed some sync issues.  On at least two occasions, with 2.2.6, I start 
> getting
> "unread notice" alerts for sync errors, and can't connect to the web GUI on
> router2.  Connecting to its console and choosing "Restart webConfigurator"
> (option 11) fixes both issues, as if the web browser crashed.

It happened just now and the General log on router2 shows:

Jan 15 18:37:23 kernel: pid 17318 (lighttpd), uid 0: exited on signal 
11 (core dumped)

...however that usually doesn't get logged, and I just see my restart 
("lighttpd[33922]: (log.c.194) server started").

At this point, if I open the Suricata Sync tab, click Save, and within 
a minute or so router2's web GUI crashes again.  Interestingly, the last few 
times if I restart webConfigurator I still can't connect but if I restart 
PHP-FPM I instantly get a 500 - Internal Server Error page. Does that imply a 
PHP problem?

I am thinking it can't handle having most of the rules in 
emerging-web_specific_apps.rules disabled...too many things to update?  A 
memory limit somewhere? (PHP's is 256 MB)

Does anyone know if "Enable all rules in the current Category" will 
reset the rule state back to default, or mark them all enabled (which won't 
help any, if my theory is correct)?  Is there a way to set "Disable all rules 
in the current Category" back to the default but keep any changes?  "Remove 
Enable/Disable changes in the current Category" sounds like it will undo all my 
changes.  :-/

--

Steve Yates
ITS, Inc.







Re: [pfSense] Suricata sync crashes WebConfigurator, and other issues

2016-01-17 Thread Steve Yates
Chris Buechler wrote on Sat, Jan 16 2016 at 2:23 am:

> The fact you're hitting at least one lighttpd crash makes me think
> there's some other issue there, though no one else has seen any issues
> in 2.2.6, the issue in 2.2.5 wasn't replicable in most cases either.
> There's a reason nginx is now the web server in 2.3.
> 
> That could be an issue in the Suricata package, given the web server
> only crashed once it appears. Since you end up in a situation where
> you're stuck until restarting php-fpm, that points to the issue being
> in PHP, though an issue in lighttpd could impact PHP.

If I step back and look at the big picture it kind of got worse over 
time.  It started off that restarting webConfigurator seemed to fix it, at 
least letting me log in to the web GUI and syncing for a while afterwards.  
Then restarting webConfigurator had no effect and restarting PHP-FPM would 
immediately yield an HTTP error (usually 500).  And then Friday night it seemed 
like I had to restart the entire router to get to the web GUI.

Is it conceivable that a temporary problem would survive restarting 
webConfigurator and PHP-FPM?  I don't understand how.  I'd guess Suricata was 
left running but the log says "Restarting/Starting all packages" at every 
firewall sync.

I'd ask if someone with a couple of routers/VMs could install Suricata, 
enable some rule sets, disable all the rules in 
emerging-web_specific_apps.rules and try to duplicate it, but un-disabling them 
didn't fix the problem.  Although I probably had not yet restarted our router2 
at that point either, come to think of it.

It's even weirder that a "successful" sync can be 1-4 seconds or 3 
minutes.  It does make me think the issue is with Suricata, but ideally 
whatever the issue is shouldn't block access to the web GUI.  Luckily I can get 
to the router's console.

Is there a way to get lighttpd to log errors?  I was poking around 
while logged into the console but its log was blank (as I recall now).

> Not sure offhand whether Suricata is even usable in 2.3, but that
> might be worth a shot.

Hmmm, we don't have a long history with packages.  I was kind of 
assuming it would just work with new versions. :)  Will have to test it out 
first.  Usually I don't hurry to upgrade without a reason but I've never had a 
problem upgrading 2.x versions.  That said I read the changelog-in-progress for 
2.3 and it looks like a big overhaul.

--

Steve Yates
ITS, Inc.




Re: [pfSense] Suricata sync crashes WebConfigurator, and other issues

2016-01-18 Thread Steve Yates
> Not sure offhand whether Suricata is even usable in 2.3, but that
> might be worth a shot.

Given that we're using CARP, if we install it on our router2 to test, how long 
would you recommend running router2 on 2.3 and router1 on 2.2.6?  Generally 
I've not waited more than a few minutes between upgrading, though we've usually 
upgraded our office router first and tested there.

Another question...for syncing Suricata, and/or the configuration sync, would 
you recommend using the pfSync interface, or the LAN interface?  Or does it 
matter?  I've tried both and it didn't help my issue...

Steve Yates


Re: [pfSense] Bug? Firewall disable no random connection drop, firewall enable random connection drop

2016-02-12 Thread Steve Yates
Romain Lapoux wrote on Thu, Feb 11 2016 at 4:36 pm:

> I did some tests and it does not work

Since you're listing things, what are your firewall rules for traffic 
to/from the FTP server?

If you create rules allowing all traffic to and from that IP address, 
do FTP connections work?

--

Steve Yates
ITS, Inc.



Re: [pfSense] FTP trouble.

2016-02-11 Thread Steve Yates
J. Echter wrote on Thu, Feb 11 2016 at 1:25 pm:

> But, I can't use it as I get errors like 'no data', error 227 'entering
> passive mode' and so on.

So the FTP client is in your location and the FTP server is somewhere 
on the Internet?  We've not had any issues with that under pfSense 2.x, and 
specifically 2.2.x for Kevin.  I looked at the link he posted and I'm guessing 
you are hitting this:

"Passive mode on the client will require access to random/high ports outbound, 
which could run afoul of a strict outbound ruleset. Environments with a 
security policy that requires strict outbound firewall rules likely would not 
be using FTP anyhow, as it transmits credentials without encryption."

In other words if you are allowing port 21 outbound but blocking outbound ports 
over 1000, that would allow the initial connection and then fail on the data 
connection(s).  The FTP server would tell the client what port to use for the 
data connection but then the client is blocked by the firewall.  Try (in 
Status: System logs: Settings) setting your firewall log to "Log packets 
matched from the default block rules put in the ruleset" and see if that shows 
the block in your firewall log.  And just to over clarify, it is the FTP server 
that tells the client what port to use, so you can't control that unless you 
control the FTP server.


--

Steve Yates
ITS, Inc.
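As an added example (not code from the post or from pfSense), the following Python model shows why a strict outbound ruleset breaks passive FTP: the control connection to port 21 passes, but the data connection goes to whatever port the server's 227 reply announces, and that is what the default block rule logs. The 227 reply, the server address (203.0.113.10) and both rulesets are constructed; rule evaluation is modelled first-match, as pfSense interface rules behave.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)": the server names the data
# endpoint; the client, and the firewall in front of it, cannot choose it.
PASV_RE = re.compile(r"^227[^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


class Rule(NamedTuple):
    """One outbound rule; dst_ip None means any destination."""
    action: str            # "pass" or "block"
    dst_ip: Optional[str]
    port_lo: int
    port_hi: int
    log: bool = False


def parse_pasv(reply: str) -> Optional[Tuple[str, int]]:
    """Decode a 227 reply into (ip, port); None for any other reply."""
    m = PASV_RE.match(reply.strip())
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def evaluate(rules: List[Rule], dst_ip: str, dst_port: int) -> Tuple[str, bool]:
    """First-match evaluation, returning (action, logged).

    Anything no rule matches falls through to the default block rule, which
    logs only when "Log packets matched from the default block rules" is
    enabled; that setting is modelled as on, as the post suggests.
    """
    for r in rules:
        if r.dst_ip is not None and r.dst_ip != dst_ip:
            continue
        if r.port_lo <= dst_port <= r.port_hi:
            return r.action, r.log
    return "block", True


def simulate_passive_session(rules: List[Rule], server_ip: str,
                             pasv_reply: str) -> dict:
    """Model the two outbound connections of one passive-mode transfer.

    The control connection goes to port 21; the data connection goes to the
    endpoint the 227 reply announced. Returns the verdict for each channel
    plus the firewall log lines a blocked connection would produce.
    """
    parsed = parse_pasv(pasv_reply)
    if parsed is None:
        raise ValueError("not a 227 passive-mode reply")
    data_ip, data_port = parsed
    result = {"control": None, "data": None, "data_port": data_port, "log": []}
    for name, ip, port in (("control", server_ip, 21), ("data", data_ip, data_port)):
        action, logged = evaluate(rules, ip, port)
        result[name] = action
        if action == "block" and logged:
            result["log"].append(f"block out {ip}:{port} ({name} channel)")
    return result


# Constructed sample reply: 195*256 + 80 = data port 50000 on 203.0.113.10.
SAMPLE_PASV = "227 Entering Passive Mode (203,0,113,10,195,80)"

# Strict ruleset as described in the post: port 21 allowed, ports over 1000
# blocked and logged. The control channel passes, the data channel does not.
STRICT_RULES = [
    Rule("pass", None, 21, 21),
    Rule("block", None, 1001, 65535, log=True),
]

# Relaxed ruleset: additionally allow the high-port range to this one server.
RELAXED_RULES = [
    Rule("pass", None, 21, 21),
    Rule("pass", "203.0.113.10", 1024, 65535),
]

if __name__ == "__main__":
    for label, rules in (("strict", STRICT_RULES), ("relaxed", RELAXED_RULES)):
        print(label, simulate_passive_session(rules, "203.0.113.10", SAMPLE_PASV))
```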





Re: [pfSense] pfblockerng

2016-01-23 Thread Steve Yates
>>> "Finally, I think that this list, mentioned in the doc, should not be
>>> used: http://feeds.dshield.org/top10-2.txt.  This one should:
>>> http://feeds.dshield.org/block.txt"
>> 
>> The top10-2.txt file has last been updated in July 2015 according to my
>> curl command and is not auto-documented.
>> 
>> http://feeds.dshield.org/block.txt is updated frequently (as of now, its
>> most recent generation is 5 minutes ago), it is auto-documented.
>> 
>> Also, https://www.dshield.org/xml.html states "We offer one blocklist,
>> and one blocklist only (http://www.dshield.org/block.txt)."
> 
> Is anyone using pfblockerng with this list?  Would someone want me to
> try to update the obsolete doc?

We do, though technically we're using a different method to get that 
list.  Unfortunately, for a Google search for "dshield feed pfSense" it's the 
first result, and there are plenty of other pages referencing the other lists.  
I had found the top10-2 list is outdated, but I don't recall where now.  I had 
realized the other method we use wasn't updating and thought it was me but it 
was pulling old Bluetack lists from I-Blocklist, and those lists still exist 
online also but also stopped updating a while back...apparently Bluetack closed 
or something.

Anyway it's confusing for newbies if one never sees the list update, 
and bad if someone thinks they have a working list and aren't protected at all 
after it is months or years old.

Why they wouldn't set up a redirect for 
http://feeds.dshield.org/top10-2.txt to http://feeds.dshield.org/block.txt, or 
take the old list down, is beyond me.

Also note the list is available at https://www.dshield.org/block.txt 
and  https://secure.dshield.org/block.txt either of which are probably better 
to use/list since they use HTTPS.

--

Steve Yates
ITS, Inc.
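As an added example (not code from the post or from pfBlockerNG), here is a Python check that refuses a block list that is undated or has not been regenerated recently, so a feed that silently stopped updating never passes as protection. The feed text is a constructed sample that assumes the block.txt layout: a comment header containing an "updated:" line, then tab-separated rows whose first two columns are the start and end of a netblock; the fetch itself should use one of the HTTPS URLs from the post.

```python
import datetime as dt
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample in the assumed block.txt layout (RFC 5737 documentation
# addresses, not entries from the live feed).
SAMPLE_FEED = """\
#   Recommended Block List (constructed sample, not the live feed)
#   primary URL: https://www.dshield.org/block.txt
#    updated: Sat Jan 23 15:00:00 2016 UTC
#
#    Columns (tab delimited): start, end, subnet, attacks, name, country, email
Start\tEnd\tNetblock\tAttacks\tName\tCountry\temail
192.0.2.0\t192.0.2.255\t24\t1234\tEXAMPLE-NET\tXX\tabuse@example.net
198.51.100.0\t198.51.100.255\t24\t987\tEXAMPLE-NET-2\tXX\tabuse@example.org
"""

# Assumed timestamp format of the "updated:" line, with a trailing " UTC".
UPDATED_FORMAT = "%a %b %d %H:%M:%S %Y"


def parse_block_list(text: str) -> Tuple[Optional[dt.datetime], List[ipaddress.IPv4Network]]:
    """Return (updated timestamp or None, list of networks) from feed text."""
    updated = None
    networks: List[ipaddress.IPv4Network] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            body = line.lstrip("# ").strip()
            if body.lower().startswith("updated:"):
                stamp = body.split(":", 1)[1].strip()
                if stamp.endswith(" UTC"):
                    stamp = stamp[:-4]
                updated = dt.datetime.strptime(stamp, UPDATED_FORMAT)
                updated = updated.replace(tzinfo=dt.timezone.utc)
            continue
        fields = line.split("\t")
        if len(fields) < 2:
            continue
        try:
            start = ipaddress.ip_address(fields[0])
            end = ipaddress.ip_address(fields[1])
            # A start/end pair may need more than one CIDR block to cover it.
            networks.extend(ipaddress.summarize_address_range(start, end))
        except (ValueError, TypeError):
            continue  # the column-header row or a malformed line
    return updated, networks


def is_stale(updated: Optional[dt.datetime], now: dt.datetime,
             max_age: dt.timedelta = dt.timedelta(days=3)) -> bool:
    """A list with no timestamp (like top10-2.txt) or older than max_age is stale."""
    if updated is None:
        return True
    return now - updated > max_age


def check_feed(text: str, now: dt.datetime,
               max_age: dt.timedelta = dt.timedelta(days=3)) -> dict:
    """Parse a feed and decide whether it is safe to load into a block table."""
    updated, networks = parse_block_list(text)
    return {
        "ok": not is_stale(updated, now, max_age) and bool(networks),
        "updated": updated.isoformat() if updated else None,
        "networks": [str(n) for n in networks],
    }


if __name__ == "__main__":
    print(check_feed(SAMPLE_FEED, dt.datetime.now(dt.timezone.utc)))
```

Run against the live feed, today's date makes the constructed sample report stale, which is exactly the condition the check exists to catch.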




Re: [pfSense] Sync problem betweens 2 nodes

2016-04-01 Thread Steve Yates
So the configuration is sync'd successfully, but the next time the sync happens 
the slave loses its rules?

Is the slave also set to sync to the master?  That should not be the case.

My initial problem was there is a field to type a username for syncing but that 
is ignored and pfSense is hardcoded to use "admin"...but it sounds like you get 
a successful sync so that can't be it.

Now I only have issues with the Suricata package sync occasionally causing the 
web GUI (I think PHP-FPM really, which prevents the GUI from working) on the 
slave to stop responding.

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Raphaël RIGNIER
Sent: Friday, April 1, 2016 10:23 AM
To: List@lists.pfsense.org
Subject: [pfSense] Sync problem betweens 2 nodes

Hi community.
I'm trying to sync 2 SG-8860 nodes for high availability.
Release 2.2.6-RELEASE
I've read the doc on HA from portal.pfsense.org but I'm having an issue.

Configuration sync from master to slave is almost working.
But SYNC interface's Firewall rules are cleared on slave each sync attempt.
If I add a temp allow all rule on slave's SYNC interface, as described in the doc, 
it is cleared on the next sync event.
Even if the allow rule is present on master.

I haven't seen anything interesting in log files.

Does someone have an idea?

Thank you.


Re: [pfSense] 2.3 show stopper - bind package missing -- don't install if you need bind!

2016-04-13 Thread Steve Yates
The release blog post led me to the upgrade notes which have:

https://doc.pfsense.org/index.php/Upgrade_Guide#Package_System

"Packages require significant conversion for use on 2.3, currently only the 
most popular and supported packages are present on 2.3, so be aware that some 
packages are not available. See Package Port List for a list of packages 
currently available on 2.3."

https://doc.pfsense.org/index.php/Package_Port_List

--

Steve Yates
ITS, Inc.


-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Jeff H
Sent: Wednesday, April 13, 2016 2:08 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] 2.3 show stopper - bind package missing -- don't install 
if you need bind!

On Wed, Apr 13, 2016 at 11:48 AM, Steve Yates <st...@teamits.com> wrote:

> The release notes don't mention specific package compatibility but a 
> lot of that's third party.  In System: Package Manager does the "platform: 
> 2.2"
> mean the package is compatible with only 2.2?  Or is that because I'm 
> looking at a v2.2 installation?  Is there a package compatibility list 
> for 2.3.x?
>
> --
>
> Steve Yates
> ITS, Inc.


I'm not sure about the listing in Package Manager. For a list of removed 
packages in 2.3 see here:
https://doc.pfsense.org/index.php/2.3_Removed_Packages

Jeff


Re: [pfSense] 2.3 show stopper - bind package missing -- don't install if you need bind!

2016-04-13 Thread Steve Yates
The release notes don't mention specific package compatibility but a lot of 
that's third party.  In System: Package Manager does the "platform: 2.2" mean 
the package is compatible with only 2.2?  Or is that because I'm looking at a 
v2.2 installation?  Is there a package compatibility list for 2.3.x?

--

Steve Yates
ITS, Inc.


-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of mayak
Sent: Wednesday, April 13, 2016 5:17 AM
To: pfSense support and discussion <list@lists.pfsense.org>
Subject: [pfSense] 2.3 show stopper - bind package missing -- don't install if 
you need bind!

hi all,

upgraded to 2.3 and found that the bind package is missing.

my whole network depends on its presence ...

does anyone know when it might be available?

thanks

m
-- 

Markets can remain irrational longer than you can remain solvent.

— John Maynard Keynes


Re: [pfSense] Soeckris Net5501 SSD

2016-05-18 Thread Steve Yates
The Intel S37xx is their data center line right?  We've had some weird stuff in 
Windows and Linux servers get fixed by drive firmware updates.  There have been 
multiple updates since fall 2015.  Weird as in the Intel software in Windows 
showed both drives in a RAID 1 failed, though Windows could still read and 
write to that drive letter.  Based on the Linux errors I suspect the drives 
were temporarily dropping out and/or taking too long to access.

That said, I know you were asking for real world experience, but Intel does 
list reliability and drive write life specs for their SSDs if you open the PDFs 
on their site.  They do list compressed read and write speeds for some drives 
so be careful what table you're reading.

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Karl Fife
Sent: Wednesday, May 18, 2016 1:18 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] Soeckris Net5501 SSD

Ed, you said it well here:  "wear leveling work is in SATA and DOM"

I think this is an important point, because if I understand correctly, there is 
nothing inherent to DOM or SATA to make it more or less suitable to the 
excellent implementations we've seen of over-provisioning, wear-leveling etc. 
in the other storage form factors. 
As you say though, that's where the work is taking place, so if you want it, DOM 
and SATA appear to be the devices to use. Funny how that works, but it appears 
to be market forces only, not technology, which informs this detail.

Thanks too for the info on the Soekris 6501.  I have one in the field, also 
with an mSATA module.  I'm really glad I didn't try to upgrade that in place, 
or I might be talking Ethyl the 60-year-old office manager through 
router-resurrection.  Fun.  You just saved my bacon.  Thanks for that.

In the realm of SSD's I have been using Intel S37xx's as ZFS intent log 
accelerators for as long as they've been available. Great devices.  Some 
installs have seen many terabytes of writes per week for years without issue.  
For a pfSense install, it's an absurd amount of overkill.  
Still, as you say, 'pro grade' SSD's are a mere $50, so 'pro' SSD's start to 
become an economical choice.

In particular, I see the Intel S35x0 ~80GB for $60.  Do you know if the 
reliability is in the same league as the s3700 series?  It would be an easy 
choice given the high cost of downtime in a remote install.  Any experience 
with that series of devices in particular?

Thanks a lot Ed.  Your input was exactly what I was looking for!
-Karl

On 5/18/2016 10:11 AM, ED Fochler wrote:
> Karl,
>   There are numerous other similar answers to be found, but here’s mine:
>
> Get away from CF if you can.  The modern performance and wear leveling work 
> is in sata and DOM, those are better devices.  Abandon the nano-BSD and just 
> find the miscellaneous checkbox to put /tmp and /var in ram.  That’s the bulk 
> of the benefit without the separate distribution.  Although that is seldom 
> necessary any more either.
>
> My Soekris 6501 still doesn’t like the upgrade to PFSense 2.3 on mSata, but 
> I’m running one from a Sata disk on 2.3 just fine.  This problem seems 
> Soekris specific, but my summary is still that sata seems to be where the 
> support is.  And with SSD, I don’t see any benefit to staying away from sata 
> even if you are allergic to spinning disks.  Market forces have made 100GB 
> SSD’s available for less than $50, and that’s some wild over-provisioning for 
> an install that is happy in < 4GB.  You can get a nice Intel or “pro” samsung 
> for a little more if you want more insurance against having to visit those 
> devices.  I’m generally a fan of the SSDs with metal cases for heat 
> dissipation.
>
>   ED.
>
>
>
>
>
>> On 2016, May 17, at 6:09 PM, Karl Fife <karlf...@gmail.com> wrote:
>>
>> I have about 15 Net5501's OR Lanner FW-7541D's in the field running 
>> embedded/Nano on CF cards.  There's not enough space on a 1GB  CF to 
>> upgrade to v2.3.  Of course I can upgrade to larger CF cards, however 
>> the eventual phase-out of NanoBSD makes me wonder if it's better to 
>> install a SATA SSD (or SATA DOM) which would possibly eliminate the 
>> need to re-re-factor storage in the near future (e.g with the release 
>> of v 2.4, and the phase-out of NanoBSD: 
>> https://doc.pfsense.org/index.php/Upgrade_Guide#Planning_for_the_Futu
>> re )
>>
>> Question:
>> I'd like to ask what solid-state storage others are using on non-NanoBSD 
>> installs.  If running the "full" version of pfSense, Is it sufficient 
>> 'simply' to use a quality wear-leveling SATA DOM, or is it recommended to 
>> use something with even better write endurance?  I wouldn't h

[pfSense] IPv6 with Comcast and two pfSense - invalid prefix length, XID mismatch

2016-05-18 Thread Steve Yates
We have an application with a Comcast-provided SMC router and two pfSense 
routers (Comcast <- building <- tenant).  The building router (v2.3.0) gets an 
IPv6 address and can ping out.  However in its DHCP logs I see:

dhcp6c  invalid prefix length 64 + 4 + 64
dhcp6c  XID mismatch (several of these)

Am I correct that "invalid prefix length" means the Comcast router isn't 
delegating a /60 properly?  I have it set:

DHCPv6 Prefix Delegation size   60
Send IPv6 prefix hint   checked

If I ask for a /56 I get "invalid prefix length 64 + 8 + 64."

My second question was going to be about getting IPv6 to the PCs inside the 
tenant router but unless I'm mistaken I need a couple more /64 networks for 
that (what a waste of IPs...I know there's a lot but still...).

Thanks,

Steve Yates
ITS, Inc.

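The two dhcp6c lines above, run through a small log parser as an added example (not from the original post). It assumes the three numbers are printed in the order delegated prefix length, sla-len (subnet-id bits), interface-id length, and that pfSense sets sla-len to 64 minus the configured delegation size; the syslog prefixes in the sample are constructed. On that reading, "64 + 4 + 64" means the upstream handed out a /64 rather than the /60 that was requested.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# dhcp6c logs "invalid prefix length A + B + C" when A + B + C exceeds 128.
# Assumed field order (not stated on the page): A = length of the prefix the
# upstream actually delegated, B = subnet-id (sla-len) bits pfSense wants to
# carve out, C = interface-id length, which is 64 on pfSense.
PD_ERROR = re.compile(r"invalid prefix length (\d+) \+ (\d+) \+ (\d+)")
XID_MISMATCH = "XID mismatch"
IFID_LEN = 64

# Constructed log excerpt: the messages quoted in the post, plus the variant
# seen when a /56 is requested, wrapped in made-up syslog prefixes.
SAMPLE_LOG = """\
May 18 10:01:02 building dhcp6c[2201]: XID mismatch
May 18 10:01:03 building dhcp6c[2201]: invalid prefix length 64 + 4 + 64
May 18 10:05:17 building dhcp6c[2201]: XID mismatch
May 18 10:05:18 building dhcp6c[2201]: invalid prefix length 64 + 8 + 64
"""


@dataclass
class PdDiagnosis:
    delegated_plen: int   # prefix length the upstream actually handed out
    sla_len: int          # subnet-id bits pfSense tried to use
    ifid_len: int         # interface-id bits (64)
    requested_plen: int   # "DHCPv6 Prefix Delegation size" implied by sla_len
    total_bits: int       # delegated_plen + sla_len + ifid_len
    fits: bool            # True when the delegation can be carved as configured
    usable_64s: int       # number of /64 networks inside the delegated block

    def explain(self) -> str:
        if self.fits:
            return (f"delegated /{self.delegated_plen} is compatible with the "
                    f"configured /{self.requested_plen}")
        return (f"upstream delegated a /{self.delegated_plen} but pfSense is "
                f"configured for a /{self.requested_plen}: {self.delegated_plen} + "
                f"{self.sla_len} + {self.ifid_len} = {self.total_bits} > 128, so "
                f"only {self.usable_64s} /64 is available and nothing is left "
                f"to hand to a downstream router")


def diagnose(line: str) -> Optional[PdDiagnosis]:
    """Parse one dhcp6c 'invalid prefix length' line; None for any other line."""
    m = PD_ERROR.search(line)
    if not m:
        return None
    plen, sla, ifid = (int(g) for g in m.groups())
    total = plen + sla + ifid
    return PdDiagnosis(
        delegated_plen=plen, sla_len=sla, ifid_len=ifid,
        requested_plen=ifid - sla,   # assumption: sla-len = 64 - delegation size
        total_bits=total, fits=total <= 128,
        usable_64s=2 ** max(0, IFID_LEN - plen),
    )


def summarize(log: str) -> Dict[str, object]:
    """Walk a dhcp6c log and report XID mismatches and delegation problems."""
    xid = 0
    problems: List[PdDiagnosis] = []
    for line in log.splitlines():
        if XID_MISMATCH in line:
            xid += 1
        d = diagnose(line)
        if d is not None:
            problems.append(d)
    return {"xid_mismatches": xid, "pd_errors": problems}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"XID mismatches: {report['xid_mismatches']}")
    for d in report["pd_errors"]:
        print(d.explain())
```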


Re: [pfSense] Limiter on WAN based on time?

2016-05-24 Thread Steve Yates
The schedules are created under Firewall/Schedules and then can be applied to a 
limiter.  On a limiter you'd need at least two Bandwidth entries, one for each 
schedule (day/night).

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Ryan Coleman
Sent: Tuesday, May 24, 2016 10:00 AM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] Limiter on WAN based on time?

So I’ve tried floating rules (blocks all traffic outside of schedule) and LAN 
rules (limits 24/7 or blocks outside of schedule).

How do I throttle WAN from 9am to 10pm, say, and then open it up after hours? 



Re: [pfSense] IPv6 with Comcast and two pfSense - invalid prefix length, XID mismatch

2016-05-19 Thread Steve Yates
I neglected to mention it but I did find and read many articles on 
Comcast modem support.  As a whole the posts were rather conflicting and 
confused so it seemed that it may or may not work...older posts were more 
likely to say it wasn't working.

We do have a static IPv4 block.  Sadly a few years ago when we tried to 
increase speeds we were down for a time because their other non-SMC modem 
couldn't handle static IPs reliably and they had to scrounge for an SMC box for 
us.  I inferred the techs knew this but Comcast was switching modems anyway.  
So, I'm hesitant to ask for a different one.  :-/  Maybe it is different now.

I don't see anything in the SMC interface about a firmware update.  
It's Comcast branded so I assume their firmware.  Maybe we'd have to call.  It 
has v 3.1.6.57 now.

The SMC does show an IPv6 address, LAN DHCPv6 enabled with a range, and 
has an "External Router Delegated Prefix" section that is empty.  The building 
router gets its IP from that range.  The SMC has a different WAN IPv6 address 
in 2001:558:...::/64.  At the bottom of its Gateway Summary/Network tab I see:

LAN IPv6 Prefixs Delegations    2601:249::::/64

...with the LAN IP range.  (yes, it is spelled "prefixs")

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Moshe Katz
Sent: Wednesday, May 18, 2016 10:10 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] IPv6 with Comcast and two pfSense - invalid prefix 
length, XID mismatch

On Wed, May 18, 2016 at 7:14 PM, Steve Yates <st...@teamits.com> wrote:

> We have an application with a Comcast-provided SMC router and two 
> pfSense routers (Comcast <- building <- tenant).  The building router 
> (v2.3.0) gets an IPv6 address and can ping out.  However in its DHCP logs I 
> see:
>
> dhcp6c  invalid prefix length 64 + 4 + 64
> dhcp6c  XID mismatch (several of these)
>
> Am I correct that "invalid prefix length" means the Comcast router 
> isn't delegating a /60 properly?  I have it set:
>
> DHCPv6 Prefix Delegation size   60
> Send IPv6 prefix hint   checked
>
> If I ask for a /56 I get "invalid prefix length 64 + 8 + 64."
>
> My second question was going to be about getting IPv6 to the PCs 
> inside the tenant router but unless I'm mistaken I need a couple more 
> /64 networks for that (what a waste of IPs...I know there's a lot but 
> still...).
>
> Thanks,
>
> Steve Yates
> ITS, Inc.
>
>

Comcast's support documents claim that "Business IP Gateway" devices (a.k.a. 
your SMC modem/router) are allocated a /56. However, there seem to be 
indications on Comcast's forums and other networking forums that they aren't 
doing that properly on certain models with certain firmware. (One example is
http://forums.businesshelp.comcast.com/t5/IPV6/Dual-Stack-on-SMC-D3GCCR-and-Cisco-DPC3939B/td-p/20504/page/2
from over a year ago, but that could still be an issue now given the speed 
at which these companies release firmware updates.)

Can you check if there is a firmware update for the SMC box?

Is there any way to check in the settings of the SMC box to see what it got 
from Comcast? None of my customers are using that model at the moment, so I 
can't tell you where to look.

If you do not have static IPs from Comcast, your best option is probably to 
replace the Comcast-provided router with a Motorola/Arris Surfboard modem and 
have the building pfSense talk directly to Comcast through that.
However, for some reason that defies all logical explanation, Comcast will not 
let you BYOM if you use static IPs.

Some people (also mentioned in the forum link above) have gotten prefix 
delegation to work by asking Comcast to switch their SMC router for a Netgear 
one.

--
Moshe Katz
-- mo...@ymkatz.net
-- +1(301)867-3732


Re: [pfSense] IPv6 with Comcast and two pfSense - invalid prefix length, XID mismatch

2016-05-19 Thread Steve Yates
Is there a way to force pfSense to do NAT for IPv6?  If so then we could make 
it work.  I understand that's not the point of IPv6 but...

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Moshe Katz
Sent: Thursday, May 19, 2016 2:13 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] IPv6 with Comcast and two pfSense - invalid prefix 
length, XID mismatch

I'm going to have to guess that you are out of luck for IPv6 then.

If you find anyone at Comcast who is 1) capable of understanding technical 
feedback, 2) receptive to such feedback, and 3) high enough up the chain of 
command to make things happen, I'd be happy to join a campaign to convince that 
person to get this fixed.

Moshe

P. S. Something tells me that we will have moved on to IPv6 or IPv8 (or maybe 
even abandoned IP entirely for something else) by the time anything happens to 
get this fixed. This is Comcast we're talking about after all, a multi-year 
winner and runner-up of Consumerist's "Golden Poo Award" for worst company in 
America.

--
Moshe Katz
-- mo...@ymkatz.net
-- +1(301)867-3732

On Thu, May 19, 2016 at 2:49 PM, Steve Yates <st...@teamits.com> wrote:

> I neglected to mention it but I did find and read many 
> articles on Comcast modem support.  As a whole the posts were rather 
> conflicting and confused so it seemed that it may or may not 
> work...older posts were more likely to say it wasn't working.
>
> We do have a static IPv4 block.  Sadly a few years ago when we 
> tried to increase speeds we were down for a time because their other 
> non-SMC modem couldn't handle static IPs reliably and they had to 
> scrounge for an SMC box for us.  I inferred the techs knew this but 
> Comcast was switching modems anyway.  So, I'm hesitant to ask for a different 
> one.
> :-/  Maybe it is different now.
>
> I don't see anything in the SMC interface about a firmware 
> update.  It's Comcast branded so I assume their firmware.  Maybe we'd 
> have to call.  It has v 3.1.6.57 now.
>
> The SMC does show an IPv6 address, LAN DHCPv6 enabled with a 
> range, and has an "External Router Delegated Prefix" section that is 
> empty.  The building router gets its IP from that range.  The SMC has 
> a different WAN IPv6 address in 2001:558:...::/64.  At the bottom of 
> its Gateway Summary/Network tab I see:
>
> LAN IPv6 Prefixs Delegations    2601:249::::/64
>
> ...with the LAN IP range.  (yes, it is spelled "prefixs")
>
> --
>
> Steve Yates
> ITS, Inc.
>
> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Moshe 
> Katz
> Sent: Wednesday, May 18, 2016 10:10 PM
> To: pfSense Support and Discussion Mailing List 
> <list@lists.pfsense.org>
> Subject: Re: [pfSense] IPv6 with Comcast and two pfSense - invalid 
> prefix length, XID mismatch
>
> On Wed, May 18, 2016 at 7:14 PM, Steve Yates <st...@teamits.com> wrote:
>
> > We have an application with a Comcast-provided SMC router and two 
> > pfSense routers (Comcast <- building <- tenant).  The building 
> > router
> > (v2.3.0) gets an IPv6 address and can ping out.  However in its DHCP
> logs I see:
> >
> > dhcp6c  invalid prefix length 64 + 4 + 64
> > dhcp6c  XID mismatch (several of these)
> >
> > Am I correct that "invalid prefix length" means the Comcast router 
> > isn't delegating a /60 properly?  I have it set:
> >
> > DHCPv6 Prefix Delegation size   60
> > Send IPv6 prefix hint   checked
> >
> > If I ask for a /56 I get "invalid prefix length 64 + 8 + 64."
> >
> > My second question was going to be about getting IPv6 to the PCs 
> > inside the tenant router but unless I'm mistaken I need a couple 
> > more
> > /64 networks for that (what a waste of IPs...I know there's a lot 
> > but
> still...).
> >
> > Thanks,
> >
> > Steve Yates
> > ITS, Inc.
> >
> >
>
> Comcast's support documents claim that "Business IP Gateway" devices 
> (a.k.a. your SMC modem/router) are allocated a /56. However, there 
> seem to be indications on Comcast's forums and other networking forums 
> that they aren't doing that properly on certain models with certain 
> firmware. (One example is
>
> http://forums.businesshelp.comcast.com/t5/IPV6/Dual-Stack-on-SMC-D3GCC
> R-and-Cisco-DPC3939B/td-p/20504/page/2
> is from over a year ago, but that could still be an issue now given 
> the speed which these companies release firmware updates.)
>
> Can you check if there is a firmwar

Re: [pfSense] Routing Issue

2016-05-10 Thread Steve Yates
I'm a bit confused whether the /25 is your LAN subnet or another interface.  
The OpenVPN tunnel network has to be a subnet that is on no other interfaces 
including the remote PC's LAN.  For example we have our data center using a /29 
for WAN, a /25 for LAN, 10.20.1.0/24 for PFSYNC, and 192.168.199.0/24 for 
OpenVPN.  192.168.199.0/24 is just used to route packets from the remote PC to 
behind the router.

You wrote "/130" for the CARP WAN alias...I'm assuming that's a typo and should 
be "/29" like the others.

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Daniel Eschner
Sent: Tuesday, May 10, 2016 2:32 PM
To: list@lists.pfsense.org
Subject: [pfSense] Routing Issue

Hi there,

I'm trying to configure 2 pfSense firewalls in the following setup:

My ISP gave me a /29 as a transfer network. I set up the IPs as follows:

x.x.x.131/29 PF1
x.x.x.132/29 PF2
x.x.x.130/130 CARP Interface (Redundant)

After that I added x.x.x.2/25 to another interface and also created a CARP 
interface with IP .1 (default gateway for clients).

Now I want to route the /25 through the .130 IP, for example so that OpenVPN 
has an IP from the /25 network.
When I establish a VPN connection it always shows me the IP .131.

Can it be changed, for example by changing Outbound NAT or so, so that the .1 
is shown on the interface?
All IPs are public IPs.

Hope you understand what I mean ;)

Cheers

Daniel


Re: [pfSense] 2.2.6 HA to 2.3 Upgrade Advice

2016-05-10 Thread Steve Yates
https://doc.pfsense.org/index.php/Upgrade_Guide#Upgrading_High_Availability_Deployments

"Generally the recommended path for upgrading a High Availability cluster is to 
first upgrade the secondary node."

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Mike Montgomery
Sent: Tuesday, May 10, 2016 3:55 PM
To: pfsense mail list <list@lists.pfsense.org>
Subject: [pfSense] 2.2.6 HA to 2.3 Upgrade Advice

I have two servers, set up in high availability, that are currently running 
2.2.6.  I have been running 2.3 at home and on my test servers and am ready to 
upgrade the office to 2.3 as well.  I have been reading several upgrade guides 
as to which one to upgrade first, but would like to see if anyone has upgraded 
an HA setup successfully yet?

What I am looking at doing is to disable CARP, and upgrade the master after I 
make backups and take a snapshot of the machines to roll back to if needed 
(they are VMs).  Then once everything is upgraded on the master, allow CARP to 
switch back, then upgrade the secondary.

Should this work?  Going from 2.2.6 to 2.3, if I do the master first, do I need 
to disable the sync from master until the secondary is upgraded as well?  I have 
not seen much specified for 2.3, only 2.1 to 2.2 upgrades.

Thanks


Re: [pfSense] Routing Issue

2016-05-10 Thread Steve Yates
You should not have to route anything manually.  Your data center or ISP routes 
the /25 to 212.168.31.130.  In essence, packets are sent there for you.  
pfSense then "knows" the LAN side is the /25 and sends them to the LAN.

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Daniel Eschner
Sent: Tuesday, May 10, 2016 3:13 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] Routing Issue

Let me try to explain it completely ;)

I configured something like that in my first router.
I think CARP etc. is not the problem here:


WAN (wan)   -> igb0   -> v4: 212.168.31.131/29
FCSE_PUB (lan)  -> igb1   -> v4: 212.168.31.2/25
HA_SYNC (opt1)  -> igb3   -> v4: 10.0.0.1/24

The /29 network is just a transfer net for the /25 subnet.
So I have to route the /25 through the /29. In my case it should be the .130 
(CARP IP).

I configured the OpenVPN server to listen on one IP from the /25 network (.1 CARP 
IP). VPN clients get an IP from the 10.0.1.0/24 network - that should be fine anyway.

Connections etc. are working, but when I make connections through the VPN I 
always see the IP from the WAN interface; the /25 are public IPs, so I want to 
have the .1 CARP IP show on remote servers like google.com and so on.
In Linux I can just set up the next hop like:

ip r a 212.168.31.0/25 via 212.168.31.130 dev igb0

When I set the route with route add 212.168.31.0/25 212.168.31.130 I am not 
able to reach anything.

NAT is not needed I think because we use public IPs. So that's the reason why I 
am confused.

traceroute -i igb1 web.de
traceroute: Warning: web.de has multiple addresses; using 82.165.229.138 
traceroute to web.de (82.165.229.138), 64 hops max, 40 byte packets
 1  * * *
 2  * * *


On the router side at my ISP all traffic to the /25 is routed to the .130 on 
my side.



> On 10.05.2016 at 21:57, Steve Yates <st...@teamits.com> wrote:
> 
> I'm a bit confused whether the /25 is your LAN subnet or another interface.  
> The OpenVPN tunnel network has to be a subnet that is on no other interfaces 
> including the remote PC's LAN.  For example we have our data center using a 
> /29 for WAN, a /25 for LAN, 10.20.1.0/24 for PFSYNC, and 192.168.199.0/24 for 
> OpenVPN.  192.168.199.0/24 is just used to route packets from the remote PC 
> to behind the router.
> 
> You wrote "/130" for the CARP WAN alias...I'm assuming that's a typo and 
> should be "/29" like the others.
> 
> --
> 
> Steve Yates
> ITS, Inc.
> 
> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Daniel 
> Eschner
> Sent: Tuesday, May 10, 2016 2:32 PM
> To: list@lists.pfsense.org
> Subject: [pfSense] Routing Issue
> 
> Hi there,
> 
> I'm trying to configure 2 pfSense firewalls in the following setup:
> 
> My ISP gave me a /29 as a transfer network. I set up the IPs as follows:
> 
> x.x.x.131/29 PF1
> x.x.x.132/29 PF2
> x.x.x.130/130 CARP Interface (Redundant)
> 
> After that I added x.x.x.2/25 to another interface and also created 
> a CARP interface with IP .1 (default gateway for clients).
> 
> Now I want to route the /25 through the .130 IP, for example so that OpenVPN 
> has an IP from the /25 network.
> When I establish a VPN connection it always shows me the IP .131.
> 
> Can it be changed, for example by changing Outbound NAT or so, so that the .1 
> is shown on the interface?
> All IPs are public IPs.
> 
> Hope you understand what I mean ;)
> 
> Cheers
> 
> Daniel

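A check for the rule Steve states in this thread (the OpenVPN tunnel network must not overlap any router interface subnet or the remote PC's LAN), as an added example that is not from the thread or from pfSense. It reuses the interface addresses and the 10.0.1.0/24 client network Daniel listed; the remote client LAN 192.168.1.0/24 is constructed, and it goes slightly beyond the thread by also flagging a remote LAN that collides with the router's own subnets and by rejecting malformed prefixes such as the "/130" typo.

```python
from ipaddress import ip_interface, ip_network, IPv4Network
from typing import Dict, List, Optional, Tuple

# Interface addresses exactly as Daniel listed them in the thread.
INTERFACES = {
    "WAN (igb0)": "212.168.31.131/29",
    "FCSE_PUB (igb1)": "212.168.31.2/25",
    "HA_SYNC (igb3)": "10.0.0.1/24",
}
# Tunnel network from the thread; the remote client's LAN is constructed.
TUNNEL = "10.0.1.0/24"
REMOTE_LANS = {"remote PC LAN (constructed)": "192.168.1.0/24"}


def cidr_error(text: str) -> Optional[str]:
    """Return why a CIDR string is unusable, or None if it parses.
    Catches typos such as the "/130" prefix length quoted in the thread."""
    try:
        ip_interface(text)
    except ValueError as exc:
        return str(exc)
    return None


def subnets_of(addresses: Dict[str, str]) -> Dict[str, IPv4Network]:
    """Map interface name -> the subnet its address lives in, e.g.
    212.168.31.131/29 -> 212.168.31.128/29 and 212.168.31.2/25 -> 212.168.31.0/25."""
    return {name: ip_interface(addr).network for name, addr in addresses.items()}


def find_overlaps(nets: Dict[str, IPv4Network]) -> List[Tuple[str, str]]:
    """Every pair of named networks that share at least one address."""
    names = list(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def check_vpn_plan(tunnel: str, interfaces: Dict[str, str],
                   remote_lans: Dict[str, str]) -> List[str]:
    """Apply the rule from the thread: the tunnel network must be a subnet used
    on no interface and not on the remote PC's LAN.  Any overlap between the
    remote LAN and a local subnet is reported too, since those packets would not
    route either.  An empty list means the plan is consistent."""
    nets = subnets_of(interfaces)
    nets.update(subnets_of(remote_lans))
    # strict=True: the tunnel must be given as a network address (10.0.1.0/24),
    # not a host address, which is what the pfSense field expects.
    nets["OpenVPN tunnel"] = ip_network(tunnel, strict=True)
    return [f"{a} ({nets[a]}) overlaps {b} ({nets[b]})"
            for a, b in find_overlaps(nets)]


if __name__ == "__main__":
    for label, addr in {**INTERFACES, "CARP typo": "212.168.31.130/130"}.items():
        err = cidr_error(addr)
        print(f"{label}: {addr} -> {'ok' if err is None else err}")
    problems = check_vpn_plan(TUNNEL, INTERFACES, REMOTE_LANS)
    print("no overlaps" if not problems else "\n".join(problems))
```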


[pfSense] Limiters on LAN, WAN

2016-05-12 Thread Steve Yates
A question on where to set up a limiter...if it is set on a LAN rule 
and has in/out limiters set, will the limiter only apply to outbound traffic 
matching the rule (from __ to any)?  Or would that match, say, the response to 
an outbound HTTP request?  Up until now I've only had occasion to use a limiter 
on a LAN upload.

I did see the known issue that limiters don't currently work on NATted 
interfaces so don't have them set up on the WAN side.

Thanks,

Steve Yates
ITS, Inc.



Re: [pfSense] Limiters on LAN, WAN

2016-05-12 Thread Steve Yates
To explain my need it's for limiting traffic for several tenants of an 
office building, so each gets up to "n" amount of bandwidth.  Each has a static 
IP and their own router.

Maybe I was just overthinking it.  Having a limiter on the WAN side 
would therefore limit the connection if a tenant was, let's say, hosting a web 
server and a remote user uploaded a file into the building.

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of WebDawg
Sent: Thursday, May 12, 2016 1:17 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] Limiters on LAN, WAN

On Thu, May 12, 2016 at 1:11 PM, Steve Yates <st...@teamits.com> wrote:
> I have the limiters configured as you show.  But are you saying you would 
> normally set your limiter on rules on both the LAN and WAN?  Basically, I 
> should set it on LAN for now and when the bug is fixed set it on WAN also?
>
> --
>
> Steve Yates
> ITS, Inc.

No, I only set a limiter on LAN to match the host that I want to limit.  I did 
not know if you were talking about matching outgoing traffic from all hosts.  
It would be a bit different I think.


Re: [pfSense] Limiters on LAN, WAN

2016-05-12 Thread Steve Yates
No we're actually using NAT and private IPs inside the building.  We use 1:1 
NAT if a tenant needs a public IP.

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of WebDawg
Sent: Thursday, May 12, 2016 2:38 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] Limiters on LAN, WAN

On Thu, May 12, 2016 at 1:42 PM, Steve Yates <st...@teamits.com> wrote:
> To explain my need it's for limiting traffic for several tenants of 
> an office building, so each gets up to "n" amount of bandwidth.  Each has a 
> static IP and their own router.
>
> Maybe I was just overthinking it.  Having a limiter on the WAN side 
> would therefore limit the connection if a tenant was, let's say, hosting a 
> web server and a remote user uploaded a file into the building.
>
> --
>
> Steve Yates
> ITS, Inc.
>

I understand what you are talking about.  See I do not let any traffic in...

Are you running the firewall transparent then?


Re: [pfSense] Limiters on LAN, WAN

2016-05-12 Thread Steve Yates
I have the limiters configured as you show.  But are you saying you would 
normally set your limiter on rules on both the LAN and WAN?  Basically, I 
should set it on LAN for now and when the bug is fixed set it on WAN also?

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of WebDawg
Sent: Thursday, May 12, 2016 12:47 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] Limiters on LAN, WAN

On Thu, May 12, 2016 at 11:52 AM, Steve Yates <st...@teamits.com> wrote:
> A question on where to set up a limiter...if it is set on a LAN rule 
> and has in/out limiters set, will the limiter only apply to outbound traffic 
> matching the rule (from __ to any)?  Or would that match, say, the response 
> to an outbound HTTP request?  Up until now I've only had occasion to use a 
> limiter on a LAN upload.
>
> I did see the known issue that limiters don't currently work on 
> NATted interfaces so don't have them set up on the WAN side.
>
> Thanks,
>
> Steve Yates
> ITS, Inc.
>


Normal firewall rules are only ingress; they can check source and dest from a 
packet coming in to the interface.

I limit both upload and download of clients.

Limiters:

UPLOAD:
Some Limit Set
Mask:  Source Address
Bits:  32 and 128

DOWNLOAD:
Some Limit Set
Mask:  Destination Address
Bits:  32 and 128

pfsense firewall rule:
Pass some source address
Advanced Settings:
In / Out pipe:
UPLOAD FIRST
DOWNLOAD SECOND

It would take matched traffic from a firewall rule and put it in the 
limiter.  I have not tried using egress rules, but with the any directive all 
traffic to and from the system gets limited.


Re: [pfSense] firewall rules with fqdn-alias

2016-05-17 Thread Steve Yates
Are you using dots in your FQDNs?  Those aren't valid alias names... 'The name 
of the alias may only consist of the characters "a-z, A-Z, 0-9 and _".'

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Martin Fuchs
Sent: Tuesday, May 17, 2016 9:26 AM
To: list@lists.pfsense.org
Subject: [pfSense] firewall rules with fqdn-alias

Hi !

We're using pfSense 2.3_1 here in a CARP-cluster.

We are using rules with fqdn-aliases and those rules do not work.

When I look under diagnostics -> tables I see the tables filled with the 
correct IPs.

When I change the rule not to use the alias, but the IP instead, the rule 
works immediately.

It's really weird.

Does anyone have some idea for me ?

Regards,

martin !

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] firewall rules with fqdn-alias

2016-05-18 Thread Steve Yates
Is there a length limit for alias names?

If it's an invalid alias I would think one of the logs should show something 
when the firewall rules are applied...I recall seeing errors in there before...

--

Steve Yates
ITS, Inc.
-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Martin Fuchs
Sent: Wednesday, May 18, 2016 4:22 AM
To: 'pfSense Support and Discussion Mailing List' <list@lists.pfsense.org>
Subject: Re: [pfSense] firewall rules with fqdn-alias

Hi !

Sounds reasonable, but there's no dot at the end ...

Regards,
martin

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of WolfSec-Support
Sent: Wednesday, 18 May 2016 09:26
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] firewall rules with fqdn-alias

Hi Martin

Do you have a dot at the end of the fqdn like in bind configs ?

pfSense doesn't like a dot at the end.
With e.g.
host.domain.tld
it works fine.

With
host.domain.tld.
it does not work.

So if you use a dot at the end please remove it

Br
Stephan
On 18.05.2016 00:12, "Martin Fuchs" <mar...@fuchs-kiel.de> wrote:

> Hi, Steve !
> No dots in the alias, just in the fqdn-address, the lookup works fine, 
> so the resolved fqdn are visible in the tables, but it seems as if the 
> rule is not applied.
> But there is no error...
> Any diagnostic hints ?
> Regards,
> Martin
>
> > Are you using dots in your FQDNs? Those aren't valid alias names... 
> > 'The
> name of the alias may only
> > consist of the characters "a-z, A-Z, 0-9 and _".'
> >
> > --
> >
> > Steve Yates
> > ITS, Inc.
> >
> > -Original Message-
> > From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of 
> > Martin
> Fuchs
> > Sent: Tuesday, May 17, 2016 9:26 AM
> > To: list@lists.pfsense.org
> > Subject: [pfSense] firewall rules with fqdn-alias
> >
> > Hi !
> >
> > We're using pfSense 2.3_1 here in a CARP-cluster.
> >
> > We are using rules with fqdn-aliases and those rules do not work.
> >
> > When I look under diagnostics -> tables I see the tables filled with 
> > the
> correct IPs.
> >
> > When I change the rule not to use the alias, but the IP instead, the
> rules works immediately.
> >
> > It's really weird.
> >
> > Does anyone have some idea for me ?
> >
> > Regards,
> >
> > martin !
> >
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold



Re: [pfSense] 2.3-REL, HA, WAN CARP IPv6 MAC seen as active on both NICs

2016-05-04 Thread Steve Yates
"IPv6 does not seem to get proper advertisements from peer and both think 
they're MASTER"

Are you only syncing in one direction?

fe80::250:56ff:febf:3ca5 is a link-local address which looks a bit strange in 
my skimming of the below.

Overall, we have two IPv6 ranges for the routing:
WAN CARP IP: 2607:ff50::12/125
WAN IP router 1: 2607:ff50::17/125
WAN IP router 2: 2607:ff50::16/125
LAN block: 2607:ff50:0:4c::0/64

2607:ff50:0:4c::0/64 is routed to 2607:ff50::12 by our data center.  CARP syncs 
over IPv4 and we've not had a problem.  We're on 2.2.6.

"CARP is not permitted on their equipment"

Is that even possible?  How would they prevent that other than tying the IP 
address to a MAC address?

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Olivier Mascia
Sent: Wednesday, May 4, 2016 5:12 AM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] 2.3-REL, HA, WAN CARP IPv6 MAC seen as active on both 
NICs


> On 3 May 2016 at 11:17, Olivier Mascia <o...@integral.be> wrote:
> 
>> On 3 May 2016 at 09:49, Chris Buechler <c...@pfsense.com> wrote:
>> 
>>> Or would it be that my BACKUP (according to /status_carp.php) does also 
>>> advertise (which it shouldn't as BACKUP)?
>> 
>> That's the problem. I'm seeing that in some cases and not others with
>> IPv6 CARP in 2.3, with no apparent reason as to why. It seems like it 
>> continues to work fine in that circumstance for me, but that could 
>> definitely affect switch CAM tables and cause issues like packet loss 
>> in some environments. I need to look at it closer tomorrow.
> 
> It's a relief to read your comment. :)
> 
> As I clearly have a system where this happen, what would you need from me or 
> my system to maybe help you pinpoint what's the cause?
> Could this possibly be a NIC drivers issue?
> Those are vmware VMs using VMXNET3 (underlying physical NICs on the cluster 
> hosts are 10 Gbe).
> Would it be worth trying to downgrade to E1000 and see if it helps? Or a 
> probable pure loss of time?
> 
> Also, from your comment, am I right assuming this is not known to happen with 
> <2.3 releases?
> So that I could consider rebuilding those VMs using 2.2.6 for instance?
> And upgrade to 2.3.x later?
> 
> Thanks!

I'm lost trying to get CARP / IPv6 working, including on 2.2.6 (I set up two new 
VMs using 2.2.6 to compare results with those I had with 2.3).
CARP works for IPv4 and IPv6 on my LAN side.
On WAN side, only IPv4 is OK. IPv6 does not seem to get proper advertisements 
from peer and both think they're MASTER.

The ports on which my WAN interfaces are plugged in are managed by the hosting 
provider and I tend to think they might have something set up wrong on their 
side.  By default, CARP is not permitted on their equipment and I have to 
trigger (once) a GUI command to "activate CARP" on each of my interfaces facing 
their equipment.  To my understanding it probably allows the required multicast 
to flow between both ports.  I fear their setup might not work for the ff02::12 
traffic.

Capturing on IPv4, I see :

FW1: 11:54:38.719091 IP 51.254.87.130 > 224.0.0.18: VRRPv2, Advertisement, vrid 
104, prio 0, authtype none, intvl 1s, length 36 ...
and
FW2: 11:54:38.723415 IP 51.254.87.130 > 224.0.0.18: VRRPv2, Advertisement, vrid 
104, prio 0, authtype none, intvl 1s, length 36 ...

That looks good and understandable to me.
State MASTER or BACKUP switches properly from one box to the other when I 
shut down one of the two, and restores properly to FW1 MASTER and FW2 BACKUP 
when both are online. Therefore, the IPv4 CARP VIP works properly, which can be 
easily tested.

Capturing on IPv6, I see :

FW1: 11:59:13.379073 IP6 fe80::250:56ff:febf:3ca5 > ff02::12: ip-proto-112 36 
...
and
FW2: 11:59:13.202384 IP6 fe80::250:56ff:febf:37a3 > ff02::12: ip-proto-112 36 
...

And both FW switch to MASTER.

This same behavior with 2.3 and 2.2.6.

I'll talk again to my supplier, who has control of those ports, insisting 
on checking IPv6 multicast. But I feel sad not really knowing if I'm hit by a 
bug on their side or on my side at the pfSense level.

If someone has CARP on IPv6 working, would you be so kind to check what you can 
capture about it (IPv6)? Does it differ from the scheme I'm seeing?

Thanks!!
--
Meilleures salutations, Met vriendelijke groeten, Best Regards, Olivier Mascia, 
integral.be/om
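As an added example (not from the thread or from pfSense), a small Python check that groups the tcpdump lines Olivier quoted by capture point and tells the two situations apart: one advertiser heard on both boxes (the healthy IPv4 case) versus each box hearing only its own advertisement, which is what you see when ff02::12 multicast is not passed between the two switch ports and both nodes elect themselves MASTER. The sample lines are constructed from the ones quoted above; the box names FW1/FW2 and the verdict labels are this example's own.

```python
import re

# Constructed sample input, built from the tcpdump lines quoted in the thread.
# Each list holds what that firewall captured on its own WAN interface.
CAPTURES = {
    "FW1": [
        "11:54:38.719091 IP 51.254.87.130 > 224.0.0.18: VRRPv2, Advertisement, "
        "vrid 104, prio 0, authtype none, intvl 1s, length 36",
        "11:59:13.379073 IP6 fe80::250:56ff:febf:3ca5 > ff02::12: ip-proto-112 36",
    ],
    "FW2": [
        "11:54:38.723415 IP 51.254.87.130 > 224.0.0.18: VRRPv2, Advertisement, "
        "vrid 104, prio 0, authtype none, intvl 1s, length 36",
        "11:59:13.202384 IP6 fe80::250:56ff:febf:37a3 > ff02::12: ip-proto-112 36",
    ],
}

# tcpdump summary line: "<time> IP|IP6 <src> > <dst>: <decoded payload>"
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<fam>IP6?) (?P<src>\S+) > (?P<dst>\S+?): (?P<rest>.*)$"
)

# CARP advertisements go to the VRRP multicast groups with IP protocol 112.
CARP_GROUPS = {"IP": "224.0.0.18", "IP6": "ff02::12"}


def parse_carp_advertisement(line):
    """Return (family, source) for a CARP/VRRP advertisement line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fam, src, dst, rest = m.group("fam", "src", "dst", "rest")
    if dst != CARP_GROUPS.get(fam):
        return None
    # tcpdump decodes the IPv4 form as VRRPv2; for IPv6 it only shows ip-proto-112.
    if "VRRPv2" not in rest and "ip-proto-112" not in rest:
        return None
    return fam, src


def advertisers_by_box(captures):
    """Build {family: {box: set(advertisement sources)}} from the captures."""
    seen = {fam: {box: set() for box in captures} for fam in CARP_GROUPS}
    for box, lines in captures.items():
        for line in lines:
            parsed = parse_carp_advertisement(line)
            if parsed:
                fam, src = parsed
                seen[fam][box].add(src)
    return seen


def classify(sources_by_box):
    """Label what one address family's captures say about the CARP segment."""
    all_sources = set().union(*sources_by_box.values())
    if not all_sources:
        return "no-advertisements"
    if any(not s for s in sources_by_box.values()):
        # Some capture point heard nothing at all while others did.
        return "partial-visibility"
    if len(all_sources) == 1 and all(s == all_sources for s in sources_by_box.values()):
        # One advertiser (the MASTER) and every box hears it: healthy.
        return "single-master"
    if all(len(s) == 1 for s in sources_by_box.values()) and len(all_sources) == len(sources_by_box):
        # Every box hears exactly one, distinct, source: it only hears itself.
        # The multicast group is not forwarded between the ports, so each node
        # elects itself MASTER (the IPv6 symptom described in the thread).
        return "isolated-advertisers"
    # More than one source visible on a box: a BACKUP is also advertising.
    return "multiple-advertisers"


def analyze(captures):
    """Verdict per address family, e.g. {"IP": ..., "IP6": ...}."""
    return {fam: classify(by_box) for fam, by_box in advertisers_by_box(captures).items()}


if __name__ == "__main__":
    for fam, verdict in analyze(CAPTURES).items():
        print(f"{fam}: {verdict}")
```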



___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] pfSense on vmware ESXi 6.0

2016-04-14 Thread Steve Yates
I don't have VMWare-specific insight.  But, we're doing this on another 
platform, with CARP syncing between the pfSense VMs.  I would consider using a 
VLAN to isolate the Internet traffic from the servers.  Depending on the amount 
of traffic there are settings for the number of firewall states and such but 
unless you're expecting a super high number of connections I would probably 
just turn it on and check the settings periodically.

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Olivier Mascia
Sent: Thursday, April 14, 2016 4:41 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] pfSense on vmware ESXi 6.0

Hello,

I'm looking for advice and best practices when running pfSense (this time it 
will be 2.3) in a vmware VM.  I'm offered to move some resources to a virtual 
datacenter made of dedicated hardware hosts in clusters, running ESXi 6.0 and 
vSphere.  I have access to such an infrastructure for the next 3 weeks.  I have 
used pfSense in a number of devices and hosts, but never inside a VM, except 
for experimenting with configurations of pfSense itself.

I could build up a pfSense 2.3 VM without real difficulties.  Installing the 
integration tools was easy through the included package.  Now, what are the 
pitfalls I should look for?  Any shared vmware experience from you will 
undoubtedly help in fine-tuning this.

For now the pfSense VM I configured has these resources: OS declared to vSphere 
is FreeBSD 10.3 64 bits, 1 socket, 2 cores, 2 GHz reserved, 2 GB RAM, 10 GB HD, 
2 network adapters. I'm generally resource-conservative but I could allow much 
more if it makes sense.

For these adapters I have the choice between E1000, VMXNET 2, VMXNET 3.  I have 
set them for VMXNET 3 but without background about this being the 
right-thing-to-do or not. At least it seems to work but I still need to stress 
test the VM (traffic-wise) a little bit.

Are there tunings inside pfSense which you could recommend / not live without, 
based on your experience inside vmware virtual machines?

Network interfaces settings? All are set for their default pfSense values, 
which means TCP segmentation offloading and large receive offloading are 
disabled. Would it make sense to enable those?

Thanks for any insight you might want to share.

--
Meilleures salutations, Met vriendelijke groeten, Best Regards, Olivier Mascia, 
integral.be/om


___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] IPV6 WAN/LAN routing

2016-04-20 Thread Steve Yates
To rule out any missing firewall rules, on Status: System logs: Settings, check 
"Log packets matched from the default block rules put in the ruleset" and see 
if it starts logging your pings from the LAN.

--

Steve Yates
ITS, Inc.


-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Olivier Mascia
Sent: Wednesday, April 20, 2016 11:39 AM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] IPV6 WAN/LAN routing

Dear all,

I must be tired or something but I have a strange thing with IPv6 on a new box 
I just setup.

I have an x:y:z:d800::/56 routed to me.
WAN is static IPv6 on x:y:z:d800::1/64, gateway is 
x:y:z:d800::::: (not a nice one but that is what they gave me).
LAN is static IPv6 on x:y:z:d801::1/64, no gateway as usual for a LAN interface.

From a host on the LAN side, at x:y:z:d801::100 (or any other), I can reach the pf 
LAN interface on x:y:z:d801::1, I can also reach the pf WAN interface on 
x:y:z:d800::1, but I can't get a packet to go further.

Yet, from pf itself, I can reach (ping for instance) www.google.com (IPv6) from 
WAN interface, but not from LAN interface.

I would have thought "ok, I'm missing a pass rule on the LAN interface", but there is 
one. This by far is not my first pfSense box, and they all have various kinds of 
IPv6 links. Not that I couldn't be awfully wrong somewhere. So what obvious 
detail am I overlooking here? If you have any idea?

This is 2.3-RELEASE by the way. Other boxes (on other networks) are still 2.2.x.

--
Meilleures salutations, Met vriendelijke groeten, Best Regards, Olivier Mascia, 
integral.be/om


___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] 2.3 show stopper - bind package missing -- don't install if you need bind!

2016-04-13 Thread Steve Yates
I should restate/clarify that I was looking at the 
https://doc.pfsense.org/index.php/2.3_New_Features_and_Changes page which 
mentions the package system changed but doesn't specifically mention the below, 
which is on the https://doc.pfsense.org/index.php/Upgrade_Guide#Package_System 
page that I mentioned in another message.

The New Features and Changes page is what is linked from 
https://doc.pfsense.org/index.php/Category:Releases (on the doc Main Page: 
"pfSense Release Versions - Change logs and other information for past and 
present releases")

Also by "specific" I meant, say, the bind package the OP asked about, which was 
covered in other messages also.

Steve

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Chris Buechler
Sent: Wednesday, April 13, 2016 5:02 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] 2.3 show stopper - bind package missing -- don't install 
if you need bind!

On Wed, Apr 13, 2016 at 1:48 PM, Steve Yates <st...@teamits.com> wrote:
> The release notes don't mention specific package compatibility

Yes it does.

"Packages

The list of available packages in pfSense 2.3 has been significantly trimmed.  
We have removed packages that have been deprecated upstream, no longer have an 
active maintainer, or were never stable. A few have yet to be converted for 
Bootstrap and may return if converted. See the
2.3 Removed Packages list for details."
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] DNS Forwarder # exception

2016-07-22 Thread Steve Yates
I'm just brainstorming here but for your specific example could you do 
something like delegate wildcard record *.example.com to the public DNS 
servers?  Or mail.example.com, etc.

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Karl Fife
Sent: Friday, July 22, 2016 3:41 PM
To: ESF - Electric Sheep Fencing pfSense Support <list@lists.pfsense.org>
Subject: [pfSense] DNS Forwarder # exception

DNS Forwarder had a domain override *exception* feature that I don't see in DNS 
Resolver.  I'm looking for a equivalent/workaround.

Obviously, In both dnsmasq and unbound, I can create a domain override, e.g.

Domain         IP
example.com    10.243.0.1

However, I don't want the override to answer queries for certain hosts, e.g. 
mail.example.com, vpn.example.com, because queries to those domains will fail 
if 10.243.0.1 is not available (e.g. mail.example.com) or not available JUST 
YET (e.g. vpn.example.com).

With dnsmasq, I could create an exception with # so those queries would just 
fall through to the public DNS, e.g.

vpn.example.com    #
mail.example.com   #
sip.example.com    10.55.47.1

Certainly I can create a HOST override that resolves the host's public IP, but 
that breaks when the public IP changes.  What's the best way to accomplish 
these domain override exceptions these days (in unbound/DNSResolver)?

Thanks
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] looking for perfect pfsense box for home?

2016-08-03 Thread Steve Yates
I'm being serious but what is your rationale for not using pfSense's/NetGate's?

https://www.pfsense.org/products/

The "cheap" part (< $299)?  We tried a "build our own" approach and it's tough 
to get a small package.  Any old PC will do just fine if one adds an SSD but as 
someone pointed out that may use far more power in the long run.

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero Volotinen
Sent: Wednesday, August 3, 2016 2:37 AM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] looking for perfect pfsense box for home?

Any ideas where to find perfect pfsense box for home usage.

Must be cheap and silent? netgate device? shuttle box?

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] pfsync_undefer_state: unable to find deferred state

2016-07-15 Thread Steve Yates
This may or may not be related but after the upgrade to 2.3.1 I did find a 
continual stream of checksum error alerts in Suricata.  As found online, 
disabling Hardware Checksum Offloading fixed it, even though this is on a 
virtual machine.

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Steve Yates
Sent: Friday, July 8, 2016 4:30 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] pfsync_undefer_state: unable to find deferred state

I found thread
https://forum.pfsense.org/index.php?topic=87541.60
...and posted there but it's old and references 2.1.x and 2.2.x versions.  
After upgrading from 2.2.6 to 2.3.1_5 we get a long spew of this logged during 
a Limiter-limited rsync each night (it also shows on the console screen):

Jul 8 02:47:36  kernel  defer_state: unable to find deferred 
statepfsync_undefer_state: unable to find deferred state



It continues while traffic that triggers the limiter rule is in effect and ends 
immediately upon traffic's end.

The Limiter set up is only using Firewall\Traffic Shaper\Limiters:
LimitBackupUpLAN
  50Mbit/s  Overnight [Mon - Sun / 0:00-6:45]
  15Mbit/s  Day
LimitBackupUpLAN
  50Mbit/s  Overnight
  15Mbit/s  Day

The limiter is on a rule on the LAN interface, with "In / Out pipe" set.  It 
only matches to one IP.  Neither checking "No pfSync" nor setting "State type" 
to None seem to have any effect.  I think that's the equivalent of what they 
mentioned in the forum thread... 'uncheck the flag "State Type" to "NO pfsync".'

I can duplicate this at will...in this case an "rsync --dry-run" is plenty.

It doesn't seem to have any effect on traffic since the copy works fine, it 
appears to just be a logging issue.

--

Steve Yates
ITS, Inc.
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


[pfSense] pfsync_undefer_state: unable to find deferred state

2016-07-08 Thread Steve Yates
I found thread
https://forum.pfsense.org/index.php?topic=87541.60
...and posted there but it's old and references 2.1.x and 2.2.x versions.  
After upgrading from 2.2.6 to 2.3.1_5 we get a long spew of this logged during 
a Limiter-limited rsync each night (it also shows on the console screen):

Jul 8 02:47:36  kernel  defer_state: unable to find deferred 
statepfsync_undefer_state: unable to find deferred state



It continues while traffic that triggers the limiter rule is in effect and ends 
immediately upon traffic's end.

The Limiter set up is only using Firewall\Traffic Shaper\Limiters:
LimitBackupUpLAN
  50Mbit/s  Overnight [Mon - Sun / 0:00-6:45]
  15Mbit/s  Day
LimitBackupUpLAN
  50Mbit/s  Overnight
  15Mbit/s  Day

The limiter is on a rule on the LAN interface, with "In / Out pipe" set.  It 
only matches to one IP.  Neither checking "No pfSync" nor setting "State type" 
to None seem to have any effect.  I think that's the equivalent of what they 
mentioned in the forum thread... 'uncheck the flag "State Type" to "NO pfsync".'

I can duplicate this at will...in this case an "rsync --dry-run" is plenty.

It doesn't seem to have any effect on traffic since the copy works fine, it 
appears to just be a logging issue.

--

Steve Yates
ITS, Inc.

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


[pfSense] Xinetd error message repeating every 15 minutes

2016-07-05 Thread Steve Yates
I noticed the issue described here:
https://www.reddit.com/r/PFSENSE/comments/4lb287/xinetd_error_message_repeating_every_15_minutes/

...after updating from 2.2.6 to 2.3.1 then immediately 2.3.1_5.  To save you 
some reading, we get this logged every 15 minutes:

Jul 5 12:00:00  xinetd  16277   Reconfigured: new=0 old=1 dropped=0 (services)
Jul 5 12:00:00  xinetd  16277   readjusting service 6969-udp
Jul 5 12:00:00  xinetd  16277   Swapping defaults
Jul 5 12:00:00  xinetd  16277   Starting reconfiguration

It sounds like it's a known/expected issue from the cron job running 
/etc/rc.filter_configure_sync.

My question is, is there an accepted way to hide that info?  It fills up the 
system logs/General page...

--

Steve Yates
ITS, Inc.

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] add Blocking in suricata just for some IPs

2016-06-20 Thread Steve Yates
pfBlockerNG blocks by country, which is what your image showed.

One caveat to country blocking is Microsoft has started using IPv4 blocks 
allocated to it in other countries for its Azure service, since they ran out.

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Daniel Eschner
Sent: Monday, June 20, 2016 4:41 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] add Blocking in suricata just for some IPs

pfblocker is a L7 IDS/IPS Protection?



> On 20.06.2016 at 22:26, Ducky BUNG <ducky.b...@gmail.com> wrote:
> 
> Use pfblocker package for this.
> 
> 
> 
> On 06/20/2016 08:27 PM, Daniel Eschner wrote:
>> Hi to everyone,
>> 
>> is it possible to add blocking mode just for some IPs from a /24 network?
>> I want to run that in test mode to see how many false positives I will see ;)
>> 
>> Cheers
>> 
>> Daniel
>> 
>> 
>> ___
>> pfSense mailing list
>> https://lists.pfsense.org/mailman/listinfo/list
>> Support the project with Gold! https://pfsense.org/gold
>> 
> 
> -- 
> Markets can remain irrational longer than you can remain solvent.
> 
>  John Maynard Keynes
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] NAT from WAN to LAN

2016-08-15 Thread Steve Yates
I'm not sure I follow your NAT rule.  The WAN and LAN have to be different 
subnets.  The NAT rule is normally a source address of * (to allow any IP to 
connect) or perhaps in your case 195.160.1.0/24 (that entire subnet).

However 195.160.1.0/24 and 195.160.2.0/24 are in a public IP range allocated to 
Hewlett-Packard...?  That might also be interfering with your routing.

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Antonio
Sent: Sunday, August 14, 2016 3:55 AM
To: list@lists.pfsense.org
Subject: [pfSense] NAT from WAN to LAN

Hello,

you'll have to forgive my newbie question, but that's where we all start at some 
point. I'm really keen to understand more about networking, hence my desire to 
learn through pfSense.

This is my setup:

OpenWRT router on the ADSL which has the 195.160.1.0 network on the LAN side, 
and a pfSense linked to the 195.160.1.2 address on the router's LAN (so 
connected to the pfSense WAN side). On the LAN side of the pfSense, I have the 
195.160.2.0 network with 195.160.2.1 on the LAN side. I have a server on the 
LAN on pfSense which I want to isolate from all the wireless traffic that is going 
on the 195.160.1.0 (lots of guest accounts). But I also have a multimedia 
client on the 195.160.1.0 network that I want to allow access to the media 
server (195.160.2.2:8096) on the 195.160.2.0 network.

I've set up a NAT port forward rule on pfSense like this:

Interface  Protocol  Source Add.  Source Port  Dest Add.    Dest Port  NAT IP       NAT Port
WAN        TCP       *            *            195.160.2.2  8096       195.160.2.2  8096


I allowed pfSense to create the firewall rule automatically so this should be 
fine?


Why do I not see traffic from the media client being logged (basically, the 
client does not appear to be routed to the server between the two subnets) 
but I do see traffic from the media client on the 
195.160.1.0 being logged to the whole 195.160.1.0 network (I see UDP traffic 
from 195.160.1.4 to 195.160.1.255 being logged for netbios on 
138) as blocked traffic? When I try to ping the pfSense WAN port on 
195.160.1.2, it does get logged on pfSense, but when I try to ping the LAN side 
of the pfSense from the WAN side, nothing gets logged. Has this got to do with 
the default rules set up during setting up the WAN interface on pfSense:

a) Blocks traffic from IP addresses that are reserved for private networks per 
RFC 1918 (10/8, 172.16/12, 192.168/16) and unique local addresses per RFC 4193 
(fc00::/7) as well as loopback addresses (127/8).
This option should generally be turned on, unless this network interface 
resides in such a private address space, too.

b) Blocks traffic from reserved IP addresses (but not RFC 1918) or not yet 
assigned by IANA. Bogons are prefixes that should never appear in the Internet 
routing table, and so should not appear as the source address in any packets 
received. Note: The update frequency can be changed under System->Advanced 
Firewall/NAT settings.

I have them both ticked but I thought the NAT rule would take precedence?

Thanks

geotux


___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


[pfSense] SG-1000 and VPN

2017-01-24 Thread Steve Yates
We have a client who wants to set up one remote user (in a fixed 
location) with a hardware VPN connection back to the office.  The office has 
about 5 active PCs at any given time.  This would be the only VPN user.

Has anyone used one of the new micro SG-1000 units with a VPN yet?  
Either as a remote site or as a SOHO router + VPN host?  Just wondering how the 
ARM CPU would stack up.  The specs say 200k active (non-VPN) connections...

--

Steve Yates
ITS, Inc.



Re: [pfSense] SG-1000 and VPN

2017-01-26 Thread Steve Yates
> It currently does 21 Mbps IPsec (aes-gcm-128), in a lab environment, because 
> there is no driver for the crypto core (yet).
> OpenVPN is slightly slower (19 Mbps).

Thanks.  That is probably sufficient for most applications since one or both 
ends is likely limited by Internet upload speed anyway.

--

Steve Yates
ITS, Inc.


Re: [pfSense] SG-1000 and VPN

2017-01-25 Thread Steve Yates
That's what I'm trying to ask, if the SG-1000 would work for that.

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of A Mohan Rao
Sent: Tuesday, January 24, 2017 11:41 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] SG-1000 and VPN

Better, you can use a site-to-site VPN; that is the best solution.

On Wed, Jan 25, 2017 at 11:08 AM, WebDawg <webd...@gmail.com> wrote:

> On Tue, Jan 17, 2017 at 10:16 AM, Steve Yates <st...@teamits.com> wrote:
>
> > We have a client who wants to set up one remote user (in a 
> > fixed
> > location) with a hardware VPN connection back to the office.  The 
> > office has about 5 active PCs at any given time.  This would be the 
> > only VPN
> user.
> >
> > Has anyone used one of the new micro SG-1000 units with a 
> > VPN yet?  Either as a remote site or as a SOHO router + VPN host?  
> > Just wondering how the ARM CPU would stack up.  The specs say 200k 
> > active
> > (non-VPN) connections...
> >


Re: [pfSense] PFsense 2.3.2-P1 dies

2017-01-25 Thread Steve Yates
That's interesting, we had a drive that kept dropping out and we couldn't 
figure out why as all tests passed.  We replaced the drive and then found the 
"Hard disk standby time" setting was set.  Turned that off and it's been fine.  
That setting has been my suspicion...

At the time the console would show a stream of errors that pointed to the 
drive, don't recall them now of course.

--

Steve Yates
ITS, Inc.

-Original Message-

I had an issue at one point with hard disks dropping out because of the idle 
time set on my Western Digital drives.  You say you just upgraded.
From what version?  I did not see it until v2.


Re: [pfSense] small problem with squid

2017-02-14 Thread Steve Yates
If I'm following, you're using a public IP:port.  Did you set up NAT 
Reflection?  (System/Advanced/Firewall & NAT)

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Steve Berg
Sent: Monday, February 13, 2017 3:45 PM
To: list@lists.pfsense.org
Subject: [pfSense] small problem with squid

Just set up a new pfSense box, my own hardware running the latest 
release, 2.3.2-RELEASE-p1.  So far it's been pretty smooth but I just 
ran into one glitch I can't quite figure out.

I've got two NAT rules that redirect incoming ports 80xx and 80xy to two 
different web servers internal to my network.  My external IP is 
resolved using DynDNS and everything works nicely from my iPad when I'm 
off the local network.

But using the same hostname:port when I'm connected to the WiFi I get no 
response and the squid Real Time page shows a "TCP_DENIED/403" entry for 
one of the systems, and "TCP_MISS_ABORTED/000" for the other.

Using the local IP when on the WiFi works as expected and I see

13.02.2017 15:43:00 10.x.x.x TCP_MISS/200 
http://10.x.x.x/path/to/webpage - 10.x.x.x

I'm fairly new to pfSense and squid so I've probably missed something 
simple but I'd appreciate a tip or pointer to where to go to fix this issue.


Re: [pfSense] pfsense really slow

2016-09-06 Thread Steve Yates
I saw something similar once after an upgrade, installing packages, when 
pfSense's DNS wasn't running.  Linux doesn't really do a round-robin or 
last-known-good DNS search, it just keeps trying the failing ones.  I don't 
recall noticing it on the main screen though.

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Robison, Dave
Sent: Friday, September 2, 2016 5:40 PM
To: list@lists.pfsense.org
Subject: Re: [pfSense] pfsense really slow

Figured it out.

Had to enter a few hosts into the local DNS resolver, including a CNAME for one 
of our LDAP authentication servers. The delay was DNS waiting to time out/fail 
on the local DNS records before pointing off to our other, canonical, internal 
DNS servers.


Re: [pfSense] nat or routing?

2016-09-09 Thread Steve Yates
In Status/System Logs/Settings check the "Log packets matched from the default 
block rules in the ruleset" option and see if the firewall log shows blocked 
packets.

Are the interfaces set to block private networks, since you are using those on 
all interfaces?

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Pol Hallen
Sent: Friday, September 9, 2016 10:53 AM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>; 
mo...@ymkatz.net
Subject: Re: [pfSense] nat or routing?

Hi Moshe,
thanks for all your advices about security :-) Very kind!

> All you need to do is create rules on each LAN interface that allow 
> incoming traffic from the other LAN.
>
>- Rule on LAN1 interface:
>   - Action: "Pass"
>   - Source: "LAN1 net"
>   - Destination: "LAN2 net"
>- Rule on LAN2 interface:
>   - Action: "Pass"
>   - Source: "LAN2 net"
>   - Destination: "LAN1 net"

Some problem: I can ping LAN1 from LAN2 (and vice versa), but traceroute 
doesn't work, and if I try to connect to the local web server there is no reply.

Any idea to solve the problem?

thanks for help!

Pol


Re: [pfSense] pfSense Aliases / firewall rule with an FQDN and multiple entries

2016-10-07 Thread Steve Yates
When editing an alias the Hint line shows, "FQDN hostnames are periodically 
re-resolved and updated. If multiple IPs are returned by a DNS query, all are 
used."

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of WolfSec-Support
Sent: Friday, October 7, 2016 9:56 AM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] pfSense Aliases / firewall rule with an FQDN and multiple 
entries

Hello,


What does pfSense do with a rule which contains an alias, where this alias 
is an FQDN, which for sure will be resolved by DNS?

This A record has multiple entries,
e.g. 1.1.1.1, 2.2.2.2 and 3.3.3.3.

So, is pfSense applying this rule to ALL IPs in this record, or round robin?

Kind regards
Stephan


Re: [pfSense] bind DNS question

2016-09-22 Thread Steve Yates
It will eventually be stored in the .db but not immediately.

http://serverfault.com/questions/560326/ddns-bind-and-leftover-jnl-files

Before you get worried about the question, read comment "...even if the change 
is only in the jnl file, it should always resolve correctly."

Also, " Restarting named will flush updated data from .jnl files back to the 
zone file."

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Satish Patel
Sent: Thursday, September 22, 2016 1:55 PM
To: m...@fuckaround.org; pfSense Support and Discussion Mailing List 
<list@lists.pfsense.org>
Subject: Re: [pfSense] bind DNS question

Does that mean the dynamic update will be stored in the journal file, right? It 
won't be visible in the zone .db file?

On Thu, Sep 22, 2016 at 2:35 PM, Pol Hallen <pfsens...@fuckaround.org> wrote:
>> Does dynamic DNS stored in .jnl file?
>
>
> It's a journal file: The journal file is used not only for replaying 
> updates not yet committed in the zone file, but also to provide the 
> data for incremental zone transfers (IXFR).
>
> Pol


Re: [pfSense] bind domain specific forwarder

2016-09-22 Thread Steve Yates
I don't know if you need forwarding for this.  Can you just add an NS record to 
the example.com zone for site2.example.com pointing to 10.0.10.1 (well, a 
hostname that points to that IP)?

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Satish Patel
Sent: Thursday, September 22, 2016 2:54 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] bind domain specific forwarder

I have two offices connected over VPN, and both sites have their own BIND 
running in pfSense. Now site1 clients can resolve their DNS entries, but I want 
site1/2 to both be able to resolve each other's entries. In short, I want to 
tell DNS: if you see site2.example.com then forward that query to the site2 DNS 
server.  I have tried a couple of things but they didn't work. I have disabled 
the DNS Resolver / DNS Forwarder services. I am only using the BIND server; it 
has "enable DNS Forwarding" but if I do that it doesn't start my BIND service.


site1 ---VPN-site2


I want something like this in bind but don't know how do i add this?

zone "site2.example.com" IN {
    type forward;
    forwarders {
        10.0.10.1;
    };
};
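The NS-record alternative Steve suggests, written out as an added example (not a configuration from the thread or from the pfSense BIND package): site1's BIND is assumed to be authoritative for example.com, site2's BIND authoritative for site2.example.com and reachable at 10.0.10.1 over the VPN (the address is from the question; the name ns1.site2.example.com is assumed). The delegation goes into site1's example.com zone file:

```bind
; Added example, not from the thread: delegate site2.example.com from the
; example.com zone that site1's BIND serves.
$ORIGIN example.com.
; ... existing records for example.com ...

; Delegation: any name under site2.example.com is answered by site2's server.
site2           IN  NS  ns1.site2.example.com.

; Glue record: the name server's own name lies inside the delegated zone,
; so its address must be given here or the NS record can never be resolved.
ns1.site2       IN  A   10.0.10.1
```

Two caveats a forward zone would not have: delegation is only followed when site1's BIND answers clients recursively (it chases the referral itself), and the referral goes to site2 over UDP/TCP 53, so the firewall rules on the VPN interface at both ends have to pass that traffic to 10.0.10.1. For site2 to resolve site1's names the same thing is needed in the other direction (site2's BIND must either be a secondary for example.com or forward it to site1).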


Re: [pfSense] Pfsense lan config

2016-08-29 Thread Steve Yates
If you want the pfSense to be between your laptop and the Internet your laptop 
would need to be on the LAN side of the pfSense.

Why are you using a public IP range on the LAN side of your router?  That will 
also cause problems.  Did you mean to write (or use) 172.16.30.10?

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Alfredo Tapia 
Sabogal
Sent: Sunday, August 28, 2016 8:11 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] Pfsense lan config

Hello everyone
I'm using VirtualBox on my laptop, which is connected directly to my WAN router. 
When I installed pfSense I chose my WAN IP address 192.168.0.33 and my LAN 
176.16.30.10. The problem is that every time I type 176.16.30.10 in my Internet 
Explorer I can log in to pfSense, but only for 10 seconds because it kicks me 
off, so I changed my LAN IP address to the same WAN IP range with no problem. 
It is not supposed to be like that, or is it because my laptop has only one NIC 
card? I also configured two NIC cards in my VirtualBox, the first for my WAN as 
a gateway adapter and the LAN adapter as internal network, and that one doesn't 
work to configure my pfSense because I can't access it with my LAN IP from my 
laptop. Should I buy another router, or how should I resolve this issue?
Please, I need help, or should I change my laptop IP address?




Re: [pfSense] how does one create a DNS blacklist with about 1000 or so entries?

2016-09-30 Thread Steve Yates
A package like pfBlockerNG will maintain such a list for you.

An alternative, maybe, is that one can set up a "firewall URL alias" that pulls 
its data from a URL.  For instance pfBlockerNG sets them up on our router and 
then refers to them as 
"https://127.0.0.1:443/pfblockerng/pfblockerng.php?pfb=pfB_Africa_v4."  So you 
could keep your list somewhere else on a web server.

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of qmail
Sent: Friday, September 30, 2016 10:30 AM
To: list@lists.pfsense.org
Subject: [pfSense] how does one create a DNS blacklist with about 1000 or so 
entries?

I'd like to blacklist all of mainland China, Russia, Korea, ..
I could have done it by creating a DNS with just those entries.
I don't see a way to add in BULK a list of bad boys of the internet.

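Keeping the list "somewhere else on a web server", as Steve suggests, means something has to turn a raw country blocklist into the one-entry-per-line file a URL Table alias fetches. The script below is an added example, not pfSense or pfBlockerNG code: it takes a messy source list (the sample input is constructed inline), drops lines that are not valid IPv4 networks, collapses overlapping prefixes so the table stays small, and refuses to emit any network that overlaps the site's own management ranges (the 10/8 and 192.168/16 protected ranges are an assumption). The comment handling ('#' and ';') and the alias name pfB_Example_v4 are also assumptions.

```python
"""Build a pfSense URL-alias feed from a raw country blocklist.

Added example, not pfSense or pfBlockerNG code.  A URL Table alias fetches
a plain text file with one address or CIDR per line; '#' lines are treated
as comments (assumption).  Overlapping prefixes are collapsed and anything
that would block our own management ranges is dropped.
"""
import ipaddress

# Constructed sample input standing in for a downloaded blocklist.
RAW_LIST = """\
# Sample country blocklist (constructed for this example)
1.0.1.0/24
1.0.1.0/25        ; duplicate covered by the /24 above
1.0.2.0/23
1.0.4.0/22
1.0.8.0/21
not-an-ip
10.0.0.0/8         # RFC1918, must never land in a WAN block table
203.0.113.7        # single host, becomes a /32
"""

# Assumed management/VPN ranges at this site; never emit anything that
# overlaps them, whatever the upstream list says.
PROTECTED = [ipaddress.ip_network("10.0.0.0/8"),
             ipaddress.ip_network("192.168.0.0/16")]


def parse_networks(text):
    """Return the valid IPv4 networks in a raw list, plus the rejected lines."""
    networks, rejected = [], []
    for raw in text.splitlines():
        # Strip inline comments in either '#' or ';' style.
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            rejected.append(raw)
            continue
        if net.version != 4:
            rejected.append(raw)
            continue
        networks.append(net)
    return networks, rejected


def build_alias(text, protected=PROTECTED):
    """Collapse the networks and drop any that overlap a protected range."""
    networks, rejected = parse_networks(text)
    kept = [n for n in networks
            if not any(n.overlaps(p) for p in protected)]
    collapsed = list(ipaddress.collapse_addresses(kept))
    return collapsed, rejected


def render_alias(collapsed, title="pfB_Example_v4"):
    """Render the list in the one-entry-per-line form the URL alias expects."""
    lines = ["# %s, %d networks" % (title, len(collapsed))]
    lines += [str(n) for n in collapsed]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    nets, bad = build_alias(RAW_LIST)
    print(render_alias(nets))
    for line in bad:
        print("rejected:", line)
```

Run it from cron on the web server that hosts the file and point the alias at the output; the rejected lines are worth logging, since a silently malformed upstream list is how a block table ends up half empty.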


Re: [pfSense] how does one create a DNS blacklist with about 1000 or so entries?

2016-09-30 Thread Steve Yates
Basically, but doing it directly would avoid dealing with the package.  
I guess it's just down to how often the chosen list is updated.  And, if it's 
just via allocation, aren't they done allocating IPv4 blocks...

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Vick Khera
Sent: Friday, September 30, 2016 2:19 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] how does one create a DNS blacklist with about 1000 or so 
entries?

On Fri, Sep 30, 2016 at 12:57 PM, Doug Lytle <supp...@drdos.info> wrote:
> On 09/30/2016 11:53 AM, Steve Yates wrote:
>>
>> So you could keep your list somewhere else on a web server.
>
>
> This is what I do.
>
> And I grab the list from
>
> http://www.wizcrafts.net/chinese-iptables-blocklist.html
>
> Once a month
>

Isn't this more or less what pfBlockerNG does for you automatically?


Re: [pfSense] pfSense 2.3.2-p1 RELEASE Now Available

2016-10-10 Thread Steve Yates
I'm curious if you removed all packages before upgrading?  The instructions 
recommend that.  We usually have done so and not had an issue.  The packages 
we've used have a setting to keep settings, for instance Suricata's "Settings 
will not be removed during package deinstallation" and pfBlockerNG's "Keep 
settings."

I have run into an issue at one point where the DNS service on the pfSense 
wasn't working so DNS requests were failing or timing out causing lots of 
issues during downloading.  I didn't pay too much attention at the time, since 
it was solved quickly, but if DNS isn't working that could be an issue.  In 
other words if DNS is running then 127.0.0.1 will always be the first DNS 
server used.

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Holger Bauer
Sent: Friday, October 7, 2016 7:58 AM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] pfSense 2.3.2-p1 RELEASE Now Available

I found an older post to the list regarding the same issues with a different 
version; however, this solution worked for me on my test system just fine:

Run from the console (ssh or local console) Option 8 to go to the shell.
Then enter the following commands:
pkg clean
pkg update
pkg upgrade
reboot

After that the system came up fine with the new release. I'll try that on some 
production systems this evening.

Regards
Holger

2016-10-07 14:51 GMT+02:00 Pete Boyd <petes-li...@thegoldenear.org>:

> Same for me, failure first time on a full install:
>
> Fetching pfSense-kernel-pfSense-2.3.2_1.txz: . done
> pkg:
> https://pkg.pfsense.org/pfSense_v2_3_2_i386-core/All/
> pfSense-kernel-pfSense-2.3.2_1.txz:
> Operation timed out
> >>> Locking package pfSense-kernel-pfSense... done.
> Failed
>
>
>
>
> --
> Pete Boyd
>
> Open Plan IT - http://openplanit.co.uk The Golden Ear - 
> http://thegoldenear.org 


Re: [pfSense] pfsync_undefer_state: unable to find deferred state

2016-10-18 Thread Steve Yates
I thought I'd post again to see if anyone has an idea of how to fix 
"pfsync_undefer_state: unable to find deferred state"? I found an August blog 
post 
http://phil.lavin.me.uk/2016/08/solved-pfsense-pfsync_undefer_state-unable-to-find-deferred-state/
 which says to turn off HA state syncing completely.  I haven't gone that far 
but did check "No pfSync" on the firewall rule per the below, to no avail.

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Steve Yates
Sent: Friday, July 8, 2016 4:30 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] pfsync_undefer_state: unable to find deferred state

I found thread
https://forum.pfsense.org/index.php?topic=87541.60
...and posted there but it's old and references 2.1.x and 2.2.x versions.  
After upgrading from 2.2.6 to 2.3.1_5 we get a long spew of this logged during 
a Limiter-limited rsync each night (it also shows on the console screen):

Jul 8 02:47:36  kernel  defer_state: unable to find deferred 
statepfsync_undefer_state: unable to find deferred state

Jul 8 02:47:36  kernel  _undefer_state: unable to find deferred 
statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: 
unable to find deferred statepfsync_undefer_state: unable to find deferred 
statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: 
unable to find deferred statepfsync_undefer_state: unable to find deferred 
statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: 
unable to find deferred statepfsync_undefer_state: unable to find deferred 
statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: 
unable to find deferred statepfsync_undefer_state: unable to find deferred 
statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: 
unable to find deferred statepfsync_undefer_state: unable to find deferred 
statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: 
unable to find deferred statepfsync_undefer_state: unable to find deferred 
statepfsync_und
 efer_state: unable to find deferred statepf

Jul 8 02:47:36  kernel  ync_undefer_state: unable to find deferred 
statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: 
unable to find deferred statepfsync_undefer_state: unable to find deferred 
statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: 
unable to find deferred statepfsync_undefer_state: unable to find deferred 
statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: 
unable to find deferred statepfsync_undefer_state: unable to find deferred 
statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: 
unable to find deferred statepfsync_undefer_state: unable to find deferred 
statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: 
unable to find deferred statepfsync_undefer_state: unable to find deferred 
statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: 
unable to find deferred statepfsync_undefer_state: unable to find deferred 
statepfsync_
 undefer_state: unable to find deferred stat


It continues while traffic that triggers the limiter rule is in effect and ends 
immediately upon traffic's end.

The Limiter set up is only using Firewall\Traffic Shaper\Limiters:
LimitBackupUpLAN
    50 Mbit/s   Overnight [Mon - Sun / 0:00-6:45]
    15 Mbit/s   Day
LimitBackupUpLAN
    50 Mbit/s   Overnight
    15 Mbit/s   Day

The limiter is on a rule on the LAN interface, with "In / Out pipe" set.  It 
only matches to one IP.  Neither checking "No pfSync" nor setting "State type" 
to None seem to have any effect.  I think that's the equivalent of what they 
mentioned in the [forum.pfsense.org] thread... 'uncheck the flag "State Type" 
to "NO pfsync".'

I can duplicate this at will...in this case an "rsync --dry-run" is plenty.

It doesn't seem to have any effect on traffic since the copy works fine, it 
appears to just be a logging issue.

--

Steve Yates
ITS, Inc.



Re: [pfSense] rules cleanup and approval process

2016-10-21 Thread Steve Yates
Not sure.  Router restart?

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Luc Paulin
Sent: Friday, October 21, 2016 11:08 AM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] rules cleanup and approval process

Oh yeah.. sorry I didn't pay enough attention to that column...  So when do 
those numbers get reset? How can I manually reset those numbers?

--
 !
   ( o o )
 --oOO(_)OOo--
   Luc Paulin
   email: paulinster(at)gmail.com
   Skype: paulinster


2016-10-21 10:35 GMT-04:00 Steve Yates <st...@teamits.com>:

> The Rules page logs traffic for the rule, in bytes, in the 
> States column.  You can also set allow rules to log traffic but that 
> will be a lot of log entries.
>
> --
>
> Steve Yates
> ITS, Inc.
>
> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Luc 
> Paulin
> Sent: Friday, October 21, 2016 9:27 AM
> To: pfSense Support and Discussion Mailing List 
> <list@lists.pfsense.org>
> Subject: [pfSense] rules cleanup and approval process
>
> Hi,
> I am in the final stage of reviewing pfSense and I was wondering if 
> there's a way to do the following:
>
> 1. Is there a way to enable an approval process? For example, let's say I 
> added rule ABC; then, in order for the rule to be applied, the change 
> must be approved by someone else.
> 2. How can we know which rule is mostly used and which are unused? Is 
> there some kind of way to create a report of the top 10 least used rules?
>
> Thanx for your help
>
>   -Luc
> 



Re: [pfSense] rules cleanup and approval process

2016-10-21 Thread Steve Yates
The Rules page logs traffic for the rule, in bytes, in the States 
column.  You can also set allow rules to log traffic but that will be a lot of 
log entries.

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Luc Paulin
Sent: Friday, October 21, 2016 9:27 AM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] rules cleanup and approval process

Hi,
I am in the final stage of reviewing pfSense and I was wondering if there's a way 
to do the following:

1. Is there a way to enable an approval process? For example, let's say I added 
rule ABC; then, in order for the rule to be applied, the change must be approved 
by someone else.
2. How can we know which rule is mostly used and which are unused? Is there 
some kind of way to create a report of the top 10 least used rules?

Thanx for your help

  -Luc


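The per-rule counters Steve points to in the States column are the same ones pf keeps for every loaded rule, and `pfctl -vvsr` prints them on the shell after each rule as `[ Evaluations: N  Packets: N  Bytes: N  States: N ]`. The script below is an added example, not pfSense code, that parses that listing and produces the "top 10 least used rules" report Luc asked about. The listing it parses is constructed for the example (rule numbers, labels and counters are made up, the layout follows pf's verbose output); it relies on pfSense labelling GUI-created rules with a `USER_RULE:` prefix so that scrub and default-deny rules can be left out of the ranking.

```python
"""Rank pfSense firewall rules by use from `pfctl -vvsr` output.

Added example, not pfSense code.  pf prints each loaded rule as '@N <rule>'
followed by a counter line; with -vv there is also an 'Inserted: uid ...'
line, which this parser simply ignores.
"""
import re

# Constructed sample of `pfctl -vvsr` output (values are made up).
SAMPLE = """\
@0 scrub in on em0 all fragment reassemble
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
@1 block drop in log all label "Default deny rule IPv4"
  [ Evaluations: 10234     Packets: 512       Bytes: 41230       States: 0     ]
@2 pass in quick on em1 inet proto tcp from 192.168.2.0/24 to any port = 443 flags S/SA keep state label "USER_RULE: Allow LAN https"
  [ Evaluations: 9301      Packets: 88124     Bytes: 61234567    States: 42    ]
@3 pass in quick on em1 inet proto tcp from 192.168.2.0/24 to any port = 23 flags S/SA keep state label "USER_RULE: Allow telnet"
  [ Evaluations: 9213      Packets: 0         Bytes: 0           States: 0     ]
"""

RULE_RE = re.compile(r"^@(?P<num>\d+)\s+(?P<text>.*)$")
COUNTER_RE = re.compile(
    r"^\s*\[\s*Evaluations:\s*(?P<evals>\d+)\s+Packets:\s*(?P<packets>\d+)"
    r"\s+Bytes:\s*(?P<bytes>\d+)\s+States:\s*(?P<states>\d+)\s*\]\s*$")
LABEL_RE = re.compile(r'label "([^"]*)"')


def parse_rules(text):
    """Pair each '@N rule' line with the counter line that follows it."""
    rules, current = [], None
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            current = {"num": int(m.group("num")), "text": m.group("text")}
            lab = LABEL_RE.search(m.group("text"))
            current["label"] = lab.group(1) if lab else ""
            continue
        m = COUNTER_RE.match(line)
        if m and current is not None:
            current.update({k: int(v) for k, v in m.groupdict().items()})
            rules.append(current)
            current = None
    return rules


def least_used(rules, n=10, only_user_rules=True):
    """Return the n rules with the fewest packets, least used first.

    pfSense labels rules created in the GUI with a 'USER_RULE:' prefix, so
    by default the internal scrub and default-deny rules are left out.
    """
    pool = [r for r in rules
            if not only_user_rules or r["label"].startswith("USER_RULE")]
    return sorted(pool, key=lambda r: (r["packets"], r["states"]))[:n]


if __name__ == "__main__":
    for r in least_used(parse_rules(SAMPLE)):
        print("@%d packets=%d states=%d %s"
              % (r["num"], r["packets"], r["states"], r["label"]))
```

On a live box feed it the real listing (`pfctl -vvsr | python3 rank_rules.py`, with `SAMPLE` swapped for `sys.stdin.read()`). Note the counters start from zero whenever the ruleset is reloaded, so a rule that shows no packets only means unused since the last filter reload or reboot, which is the answer to Luc's follow-up about when the numbers reset.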


Re: [pfSense] pfsense + carp + ha

2016-11-16 Thread Steve Yates
System/High Availability Sync page shows checkboxes for what to sync.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero Volotinen
Sent: Wednesday, November 16, 2016 1:05 AM
To: pfSense Support and Discussion Mailing List 
Subject: Re: [pfSense] pfsense + carp + ha

OK. Does it also sync all settings like IPsec and OpenVPN keys?

Eero


Re: [pfSense] pfsense + carp + ha

2016-11-15 Thread Steve Yates
Any hardware should work fine.  They recommend a separate NIC/port for 
the sync traffic since if syncing states there can be a lot of traffic (if not 
syncing state there is probably very little).  I don't think it needs to be 
identical hardware but the rules would need to copy over so it would need the 
same ports.

One gotcha that caught me...under "System/High Availability 
Sync/Configuration Synchronization Settings (XMLRPC Sync)" there is a "Remote 
System Username" field.  That field is ignored, and "admin" is always used.

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero Volotinen
Sent: Tuesday, November 15, 2016 2:20 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] pfsense + carp + ha

Hi List,

What are the requirements for pfSense HA clustering? Does any x86 hardware work 
with HA? Does the hardware need to be identical?



Re: [pfSense] pfsense in ha - sync interface rule disappear

2016-10-13 Thread Steve Yates
Are your rules disappearing on the slave, the master, or both?

Brainstorming, do both have the same name for the pfsync interface?  Meaning 
the slave isn't named PFSYNC-SLAVE or something like that?

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Luc Paulin
Sent: Thursday, October 13, 2016 9:10 AM
To: list@lists.pfsense.org
Subject: [pfSense] pfsense in ha - sync interface rule disappear

Hi everyone,
I am new to pfSense and I have to say that I am very impressed to see all 
the features available out of the box.

I am currently testing it to see how well it works and performs for our 
environment. We would like to replace our HA Linux firewall running 
iptables/fwbuilder scripts.  Currently I'm trying to set up HA but having a hard 
time making it work properly. I am following the wiki guide (
https://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_(CARP)
).

The issue that I have is that the rule I added on both firewalls to allow the SYNC 
interface to communicate keeps disappearing on the slave firewall once the 
connection gets established.  So XMLRPC did copy the rules from master to slave, but 
the PFSYNC interface rules disappear, and therefore this causes a communication issue 
afterwards (/rc.filter_synchronize: New alert found: A communications error 
occurred while attempting XMLRPC sync with username admin
https://172.16.199.2:443.)



