[pfSense] CoDel QOS

2015-02-06 Thread WebDawg
Can someone tell me the proper way to apply CoDel QoS?

http://en.wikipedia.org/wiki/CoDel

https://forum.pfsense.org/index.php?topic=88162.0

I am getting conflicting answers on how it is applied.

From what I have read, you just turn it on, that is it.  No
parameters.  I was trying to find just the commands to apply it on a
normal freebsd box so I could understand if any of the options offered
along with it on the pfSense QoS form matter.  I did not have luck and
I assume I was just looking in all the wrong places.

Like I mentioned before, everything I read says that it is
parameter-less.  But in the same reading it talked about RED and the
fact that it was built off of RED.  I can see how parameter-less means
that RED has many 'knobs and such' but CoDel has none (excluding BW).
Still I think that this could be wrong though.

From what I read, it just needs enabled and only is concerned about
buffer times.  No BW, etc.

Last question:  In that forum post it was stated interface speed vs
connection speed would make a difference.  While I understand that
this does affect other types of QoS, from what I read, it does not
affect CoDel.

Can someone please explain this stuff?
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] Visual separators?

2015-02-10 Thread WebDawg
That would be cool.

On Tue, Feb 10, 2015 at 6:44 AM,   wrote:
> Hi,
>
> Is there any possibility to create "groups" or otherwise have separators
> between rules on the firewall page? Basically what I'm trying to do is make
> it easier to see which rules are "connected" could be based on host or
> service. So it would be nice to have some sort of visual separator to create
> a "group".
>
> -kp


Re: [pfSense] Firewall Reboots at Halt

2015-02-10 Thread WebDawg
You mean this:  https://doc.pfsense.org/index.php/Halt_System

?

The fact that it reboots instead of halting?

On Tue, Feb 10, 2015 at 1:25 AM, pratap koppal  wrote:
> Hi All,
>
> Configured Firewall+Squid+Squidguard on Pfsense version 2.1.3. Everything is
> working well except, when I halt the firewall it reboots. Please help.
>
> Regards,
> Pratap Koppal
>
>
>
>
>


Re: [pfSense] Migrating from RouterOS to PFSense

2015-02-10 Thread WebDawg
On Tue, Feb 10, 2015 at 1:41 AM, Tiernan OToole
 wrote:
> Good morning all.
>
> For the year or so, I have been running MikroTik RouterOS on either their
> own hardware or my own hardware, and all has mostly been good, bar the fact
> the OS won't see more than 2Gb of ram and my machine has 8...
>
> Anyway, I decided to install PFsense 2.2 on a new hard drive and plugged it
> into my existing hardware, but now I have some questions about getting this
> fully working the same way it worked on RouterOS.
>
> First, some background. The machine in question is an old HP Proliant ML110
> G5 server with an Intel Core2Quad, 8Gb ram, i think its a 500Gb hdd (just
> grabbed the first one i could fix) and a mix of network cards giving a total
> of 12 GigE connections.  There are 3 WAN connections (2 Cable modems at
> 200/20 and a VDSL at 100/20, closer to 70ish.) The cable modems give out
> public IPs (they are in Bridged mode) and the machine gets an IP via DHCP.
> The VDSL is PPPoE.
>
> I have managed to get a somewhat basic load balancing setup working, and it
> does seem to work grand. Speedtest.net, which now seems to be multithreaded,
> is giving me download speeds of anywhere from 420 - 480mb/s.
>
> Now, the real question:
>
> In RouterOS i could do the following:
>
> Any incoming traffic (from the LAN) from a given IP address, could be routed
> though a given upstream connection, be that a specific WAN connection or a
> VPN connection.

You should be able to do this with firewall rules and specifying gateways.
*https://doc.pfsense.org/index.php/Multi-WAN#Overview

> Any Incoming traffic (from the LAN) to a given IP address or network (for
> example BBC) could be routed though a given upstream provider, again WAN or
> VPN

I think you would need to use floating rules for this.

Firewall rules on Interface and Group tabs process traffic in the
Inbound direction and are processed from the top down, stopping at the
first match. Where no user-configured firewall rules match, traffic is
denied. Only what is explicitly allowed via firewall rules will be
passed.
*https://doc.pfsense.org/index.php/Firewall_Rule_Basics


Floating Rules are advanced Firewall Rules which can apply in any
direction and to any or multiple interfaces. Floating Rules are
defined under Firewall > Rules on the Floating tab.
*https://doc.pfsense.org/index.php/What_are_Floating_Rules


> All incoming requests that come from a particular WAN connection (eg, web
> web request on port 80) will return over that connection, so traffic
> requested on port 80 on WAN 1 will be returned to the client on WAN1.
>
Would this not just be NAT in general?
https://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense

I guess I could see how things may get mixed depending on your configuration.


> I think thats all the major issues i have... I think (but could be wrong) i
> have the second one working, but i would like to know if there is a better
> way of doing it then as follows:
>
> Firewall, Rules, LAN and i have a connection that says Dest is ,
> dest port *, source is LAN Net,  source IP is *, gateway is  to send to>.
Seems right, you are going to need floating for the other gateway direction.

>
> This is the top option, and at the bottom are the standard allow everything
> out connections...
It processes rules from top to bottom and when matching one stops.

>
> Am i doing this right?
>
> Thanks again!
>
> --Tiernan
>
>
>


Re: [pfSense] Triggering VPN connections

2015-02-10 Thread WebDawg
I had to do something like this at one point except my VPN box was
separate.  Using firewall rules to specify gateways to use with
destination ips and such.

You want to see what ip is on an interface first and then decide to
connect or not?  Please explain more.

On Mon, Feb 9, 2015 at 11:05 PM, Cheyenne Deal  wrote:
> Is there a way that pfsense can auto connect a VPN connection on connection
> of a specific network by seeing what ip address is assigned to it?
>


Re: [pfSense] Triggering VPN connections

2015-02-11 Thread WebDawg
I do not know if there are any auto detection network stuff but it
sounds like you could do this somehow with some firewall rules.  You
could have some block rules setup to block the VPN out through x
network.  It would still keep trying to connect but would not when it
cannot get out because it is on blocked networks.

You could use separate interfaces.  It looks like you can select which
interface to use to connect out now with openvpn clients.

After that I would think you should look at doing some scripting.  It
may be just simpler to figure out how to enable and disable clients
via the command line/save settings and restart the openvpn service.
You could setup a cronjob to check networks and act accordingly every
1 min.


On Tue, Feb 10, 2015 at 11:26 PM, Cheyenne Deal  wrote:
> I am looking at making a ESX machine that I move from place to place at
> times for lan parties. I use vsphere to manage the machine when it is
> connected to my home and shop network. I would like to be able to have the
> pfsense vm detect if it is on my home, shop or outside network and auto
> connect a vpn to the other networks if it is not directly connected to the
> said networks.
> Is this possible?
>
> On Tue, Feb 10, 2015 at 10:27 AM, WebDawg  wrote:
>>
>> I had to do something like this at one point except my VPN box was
>> separate.  Using firewall rules to specify gateways to use with
>> destination ips and such.
>>
>> You want to see what ip is on an interface first and then decide to
>> connect or not?  Please explain more.
>>
>> On Mon, Feb 9, 2015 at 11:05 PM, Cheyenne Deal 
>> wrote:
>> > Is there a way that pfsense can auto connect a VPN connection on
>> > connection
>> > of a specific network by seeing what ip address is assigned to it?
>> >
>
>
>
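One way to script the cron check described above, as an added example that is not from the thread: it reads the address on an interface, decides whether the box is on the home network, the shop network or neither, and lists which VPN clients should be up. The network ranges, interface name and VPN client names are constructed assumptions, and the command that actually starts a client on pfSense is left as a placeholder.

```shell
#!/bin/sh
# Added example (not from the mailing list thread): classify the network a
# pfSense box is on from the address currently on an interface, so a cron job
# (e.g. every minute) can decide which OpenVPN clients should be running.
# The ranges, interface name and client names below are constructed placeholders.

HOME_NET="192.168.10.0/24"   # assumed home LAN
SHOP_NET="10.20.0.0/16"      # assumed shop LAN
CHECK_IF="${CHECK_IF:-em0}"  # assumed interface that gets a DHCP lease

# ip4_to_int 192.168.10.5 -> 3232238085 (dotted quad to 32-bit integer)
ip4_to_int() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET/BITS -> exit 0 when ADDR lies inside NET/BITS, 1 when not,
# 2 when the prefix length is malformed
in_cidr() {
    addr=$(ip4_to_int "$1")
    net=${2%/*}
    bits=${2#*/}
    case $bits in
        ''|*[!0-9]*) return 2 ;;
    esac
    [ "$bits" -le 32 ] || return 2
    if [ "$bits" -eq 0 ]; then
        mask=0
    else
        # 32-bit mask with the top BITS bits set (4294967295 == 0xFFFFFFFF)
        mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    fi
    [ $(( addr & mask )) -eq $(( $(ip4_to_int "$net") & mask )) ]
}

# classify_network ADDR -> prints home, shop or outside
classify_network() {
    if in_cidr "$1" "$HOME_NET"; then
        echo home
    elif in_cidr "$1" "$SHOP_NET"; then
        echo shop
    else
        echo outside
    fi
}

# wanted_vpns LOCATION -> prints the VPN clients that should be up: the
# tunnel(s) to every site the box is NOT directly connected to
wanted_vpns() {
    case $1 in
        home)    echo "shop" ;;
        shop)    echo "home" ;;
        outside) echo "home shop" ;;
        *)       return 1 ;;
    esac
}

# First IPv4 address on CHECK_IF, from FreeBSD-style ifconfig output
current_ip() {
    ifconfig "$CHECK_IF" 2>/dev/null | awk '/inet /{print $2; exit}'
}

main() {
    ip=$(current_ip)
    if [ -z "$ip" ]; then
        echo "no IPv4 address on $CHECK_IF yet" >&2
        return 1
    fi
    loc=$(classify_network "$ip")
    echo "on $loc network ($ip)"
    for vpn in $(wanted_vpns "$loc"); do
        # Placeholder: replace with the command that starts the named OpenVPN
        # client on your build (assumption: you map names to client instances).
        echo "ensure OpenVPN client to $vpn is running"
    done
}

# Only act when invoked as: sh vpn_check.sh run   (so it is safe to source)
if [ "${1:-}" = run ]; then
    main
fi
```

Sourcing the file gives you the functions for interactive checks; the `run` argument is what the cron entry would pass.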


Re: [pfSense] Design Best Practice Question

2015-03-06 Thread WebDawg
On Fri, Mar 6, 2015 at 2:16 PM, Tim Hogan  wrote:

> I am looking for some advice from the group about the best way to put
> pfSense in my environment so that it can filter all traffic. The cable
> provider that I use has given me a /29 of static IP address and one of
> those addresses is assigned to the cable modem. When I asked about putting
> the modem into bridging mode I found out that their idea of bridging is to
> disable the firewall and DHCP service on the modem.  So this is what I have
> come up with so far.
>
> Cable Modem: 70.70.70.94
> pfSense WAN: 70.70.70.93 (also my NAT address for the LAN)
> pfSense LAN: 10.100.100.1/24
> pfSense OPT1: bridged to WAN interface, no IP address
>
> The OPT1 interface is connected to a switch that has the other devices
> with the remaining IP address in the 70.70.70.89/29 space and I have the
> firewall rules for this space on the WAN interface. It seems to work but I
> am wondering if I am using the bridging feature correctly. Any thoughts?
>
> Thanks,
> Tim
>
>
I do not understand the question.  Using the bridge feature correctly?

Re: [pfSense] Issue with OpenVPN certificate depth validation and long certificate subjects

2015-03-10 Thread WebDawg
On Sat, Mar 7, 2015 at 2:32 PM, David Durrleman <
david.durrle...@shift-technology.com> wrote:

> [I am not subscribed to this list; please kindly copy me on any answer]
>
> Hi,
>
> I believe I have found a bug in pfsense. I am reporting it here per
> https://doc.pfsense.org/index.php/Bug_reporting
> Please let me know if this is the wrong channel.
>
> There seems to be an issue in pfsense's custom certificate depth
> verification for OpenVPN connections. When long certificate subjects are
> used, the validation fails. Here is how to repro:
>
> Create three certificates with subjects:
>
>  A) C=US, ST=New York, L=New York City, O=Acme Inc, emailAddress=myem...@mylongdomainname.com, CN=myvpn.mylongsubdomainname.mylongdomainname.com
>  B) C=US, ST=New York, L=New York City, O=Acme Inc, emailAddress=myem...@mylongdomainname.com, CN=myclient.mylongsubdomainname.mylongdomainname.com
>  C) C=US, ST=New York, L=New York City, O=Acme Inc, emailAddress=myem...@mylongdomainname.com, CN=myclient2.mylongsubdomainname.mylongdomainname.com
>
> Create a vpn server using certificate A, turn on depth validation, and try
> to authenticate with clients using certificates B and C. Certificate B will
> be recognized by the server, but certificate C won't.
> If depth validation is turned off, both certificates will be recognized
> correctly.
>
> I have tracked this down to a failure to
> execute /usr/local/sbin/ovpn_auth_verify. My intuition (not verified) is
> that /usr/local/sbin/fcgicli doesn't like it when the url parameters are
> too long. But here, "long" is less than 250 chars, which is a pretty low
> limit.
>
> Thanks
>
> *David Durrleman*
> Co-founder & CTO
> SHIFT TECHNOLOGY
>
> www.shift-technology.com
>
>
I suppose the only thing I would do after this, if you do not get
responses, is post the bug here:
https://redmine.pfsense.org/projects/pfsense

[pfSense] pfSense FreeBSD Version

2015-03-10 Thread WebDawg
I have an issue with the version of BSD used in pfSense and my hardware.  I
was given the following advice to fix some hardware I use with pfSense and
I would like to try it:

Please try a snapshot of HEAD.  It should try to allocate a PCI bus number for
your second device which is currently failing on 10.1.  Note that if a HEAD
snapshot doesn't work out of the box, please try setting 'hw.pci.clear_buses=1'
in the loader before booting a HEAD kernel.

Can I use this version of FreeBSD with pfSense?  Is the next version going
to use it?

Where is this tracked?  I remember I used to be able to install the next
version of pfSense, can I still do this?

Re: [pfSense] Router on a stick limiting

2015-03-11 Thread WebDawg
On Wed, Mar 11, 2015 at 7:16 AM, Jon Munford  wrote:

> I am running a standard router on a stick setup with pfsense as the router
> and a l3 switch doing the vlan routing.  Im trying to do a limiter on those
> routes in my LAN firewall of PFsense but it's not working like i think it
> should.  Is there a trick to get this to work?
>
> Thanks!
>
> --
> Jonathan Munford
> Director of Technology
> New London School District
> New London, IA  52645
> Office:  (319) 367-0512  x102
> jon.munf...@nlcsd.org 
> http://www.new-london.k12.ia.us
>

Just a bit more details?

Re: [pfSense] pfSense FreeBSD Version

2015-03-12 Thread WebDawg
On Thu, Mar 12, 2015 at 12:20 AM, Jim Thompson  wrote:

>
> We’ve recently made a -CURRENT, but not -HEAD.   Not all of the patches
> apply cleanly to -CURRENT, though it’s close.
>
> More information about which hardware you’re having trouble with might
> help, too.
>
> jim
>
>
I am looking for the solution to the BUG here:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=197076

Re: [pfSense] pfSense FreeBSD Version

2015-03-16 Thread WebDawg
> That seems pretty clear to me that the fix to the driver is only in the
> HEAD branch, and could theoretically be merged back to 10.x branch by
> copying the diffs from commit 261790. So what you need to do is try booting
> the bleeding edge HEAD branch of the kernel and if it detects the second
> NIC you say so on that bug report, and it will give more incentive for the
> devs to merge the patch back to 10.x line.

>
> Now, getting that patch applied to pfSense may take some more work. It
> will likely involves you setting up the pfSense build environment and
> hand-patching the kernel with those driver fixes.
>
>
Thanks for the great response.  I am going to take your advice and I will
update the bug report.

Re: [pfSense] connecting from LAN network to pfsense WAN IP?

2015-03-16 Thread WebDawg
On Sun, Mar 15, 2015 at 7:54 PM, Maik Heinelt  wrote:

>
> Hello,
> I have multiple IPs running on my pfsense 2.1 router.
> Sometimes a server from LAN needs to connect to a WAN IP of the same
> pfsense router, but this doesn't seem to work.
>
> For example mail server (LAN 11.11.11.1, but WAN 221.186.114.24) wants
> to send mail to a domain on mail server (LAN 22.22.22.2, but WAN
> 221.186.114.25).
> This doesn't seem to work, as I also cannot SSH to any of the assigned
> global IPs on that router.
>
>
> Maybe there is a setting to make it working?
>
>
> Maik
>
>

It sounds like you should look here:

https://doc.pfsense.org/index.php/Why_can%27t_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks

Re: [pfSense] 2.2.1-RELEASE sudo issues?

2015-03-17 Thread WebDawg
On Tue, Mar 17, 2015 at 1:48 PM, Manojav Sridhar 
wrote:

> Just upgraded my pfsense to 2.2.1-RELEASE,
>
> [2.2.1-RELEASE][user@host]/usr/lib: sudo
> Shared object "libintl.so.9" not found, required by "sudo
>
> Can't seem to find the libintl.so.9, this breaks the sudo package. Anyone
> else run into this?
>
> Thanks
>
>
>
Did the upgrade complete and did the system reboot?

Re: [pfSense] "Packages are currently being reinstalled in the background." since last night... nothing showing on the console...

2015-03-18 Thread WebDawg
On Wed, Mar 18, 2015 at 1:12 PM, Tiernan OToole 
wrote:

>  A reboot seems to have solved the problem here… I had Sarg, Squid3 and a
> few others installed. I did notice that before the reboot, if I went into
> system/packages, I got a message saying packages where being installed…
>
>
>
> The packages I have are:
>
>
>
> Bandwidthd
>
> Ntopng
>
> OpenVPN client Export utility
>
> Sarg
>
> Snort
>
> Squid3
>
> Squidguard
>
> TFTP
>
>
>
> --Tiernan
>
>
>
I remember an upgrade that took many hours because of the huge amount of
sarg reports I had.  Anyone know why the entire file system is scanned
before upgrade?  Or am I just wrong this is why.  I deleted the sarg
reports, started again, and it was smooth.

Re: [pfSense] "Packages are currently being reinstalled in the background." since last night... nothing showing on the console...

2015-03-18 Thread WebDawg
> 2015-03-18 17:32 GMT-03:00 Ryan Clough :
>
>> On my box there was a very long running "rm" process while packages were
>> being reinstalled.
>>
>>
I seem to remember something similar, I figured it was doing something...I
just really wonder why it was doing anything to the huge number of files in
a log/report directory that do not matter at all to pfSense core.

Does anyone know why it would do this?  I suppose I would have to look at
the upgrade script.

Re: [pfSense] freak vulnerable for pfsense

2015-03-20 Thread WebDawg
On Thu, Mar 19, 2015 at 8:58 AM, Vick Khera  wrote:

> pfsense < 2.2 have a split-brain openssl. so to test the version that
> you're getting with the openvpn service, you need to check the openssl
> linked to it. In this case "/usr/local/bin/openssl version" will tell you
> it is newer.
>
> However, as everyone says, update to newest version of pfSense is your
> best move. Disabling export grade ciphers is also good advice.
>
>
This is most likely the wrong place to ask this but I figure some would
know.  Why are EXPORT ciphers still written into the suite?  I thought the
EXPORT rules were gone?

Re: [pfSense] blocking torrents and web based https proxies

2015-03-26 Thread WebDawg
May I ask why you would like to block it all?
On Mar 24, 2015 3:12 AM, "Rizwan Saeed"  wrote:

> Hi Guys,
>
>
>
> I am managing a 1000+ university network. pfsense is working fine. The
> only problem I have is that the students bypass all the security with web
> vpn’s and free https proxies. So I would like to know that if there is an
> effective way to block https web proxies, web based VPN and encrypted
> torrent traffic?
>
>
>
> Regards,
>
> Riz
>

Re: [pfSense] Assign IP Address with /32 Mask on WAN Interface

2015-03-30 Thread WebDawg
On Mon, Mar 30, 2015 at 6:14 AM, Vick Khera  wrote:

>
> On Sat, Mar 28, 2015 at 11:42 AM, day knight  wrote:
>
>> I see the configuration script doesn't allow you to pick /32 address when
>> configuring an interface as my default gateway is not in the same subnet. I
>> have limited IPs and run pfsense from vmware. How can i override and assign
>> /32 ip address to wan interface.
>>
>
> How exactly does your computer talk to anything *not* on the same network?
>
>
Your default gateway HAS to be on the same subnet.

Re: [pfSense] Bundling multiple OVPN client connection into one fat pipe...

2015-03-30 Thread WebDawg
On Mon, Mar 30, 2015 at 3:01 AM, Tiernan OToole 
wrote:

>  Morning all..
>
>
>  Stupid(ish) question for you...
>
>
>  I have a PFSense box in the house with 3 internet connections (2x240/24
> cable modems and a 70ish/20mb VDSL line). I am wondering if I set up 3 OVPN
> connections to a single (large) Cloud or Dedicated box, can I bundle the 3
> connections into a single large connection?
>
>
>  Again, might be pie-in-the-sky stuff here, but just a question...
>
>
>  Thanks.
>
>
>  --Tiernan
>
I have done this, there is overhead involved, and bonding tap connections.
I tried this with very latent and slow connections, and I did not have good
luck with it, and while my notes are not detailed/organized as well as they
should be you can have a look here:

http://wiki.hackspherelabs.com/index.php?title=Connection_and_VPN_Bonding

I did have some luck with stable connections, but I still had to hurry
through it, so no official information.

I really think you may have better luck bonding the symmetric connections.
There is also different types of bonding you can experiment with.

Web...

Re: [pfSense] Bundling multiple OVPN client connection into one fat pipe...

2015-04-01 Thread WebDawg
On Wed, Apr 1, 2015 at 5:38 AM, Chris Bagnall 
wrote:

> As I understand it, the problem is usually packets arriving out of order at
> the far end leading to retransmissions of the apparently 'missing' packets.


That is basically what I figured with the latent connections.  Considering
what the type of bonding we are talking about is really used for, packet
order/sync would seem to be a need.

If I remember correctly you can do failover with bonding also.  I wonder
how that compares to the other layer 3 options.  Still overhead with
OpenVPN.

Re: [pfSense] testing email

2015-04-08 Thread WebDawg
Same here,

>
> Viruses being detected by my ASSP spam filter coming in from the list and
> denying delivery.  Had to re-enable my account this AM.
>
> Doug
>
> --
> Ben Franklin quote:
>
> "Those who would give up Essential Liberty to purchase a little Temporary
> Safety, deserve neither Liberty nor Safety."
>
>
>
I am on gmail and I received an email to follow to re-enable my account.


Re: [pfSense] pppoe

2015-05-01 Thread WebDawg
On Fri, May 1, 2015 at 6:25 AM, lathes  wrote:

> Hi,
>
> Has anyone had any trouble getting pppoe working in pfSense? I have
> the modem set up in bridge mode and it does work fine plugged into a
> laptop. The PPP logs in pfsense show that a connection is made and an ipv4 ip
> address allocated but then it seems to request an ipv6 address, fails and then
> disconnects. I have ipv6 disabled on the wan interface. I have never had
> this problem before.
> Anyone else seen anything like this?
>
> Regards
> Jerry


Re: [pfSense] load balancing between multiple IPSec tunnels

2015-05-20 Thread WebDawg
On Wed, May 20, 2015 at 7:06 AM, Tiernan OToole 
wrote:

> Morning all.
>
> Might be a stupid question (or even idea) but i will ask anyway.
>
> I have a server in Germany with a PFSense VM on it. I also have a
> PFSense machine in Dublin. The machine in Germany has a 1Gb uplink,
> and the machine in Dublin has 2 cable modems at 240 down 24 up and a
> VDSL link at "about" 100 down 20 up.
>
> I have managed to get a single IPSec tunnel working between 1 of the
> Cable modems and the German box, but now i am wondering about getting
> 2 more (one for each connection) running and balancing all three...
> Since they would be hitting the same machine, could it work?
>
> Before anyone shouts, i know there is an overhead on IPSec tunnels,
> but given that the upstream of a single connection i have maxes out at
> 24mb, and the upstream between 3 should (theoretically) be 68, even
> with an overhead, it should (hopefully) be more than 24mb/s...
>
> So, is any of this possible? or practical?
>
> Thanks.
>
> --Tiernan


Do you plan to bond the connections at layer2 or is this a layer3 thing?


Re: [pfSense] load balancing between multiple IPSec tunnels

2015-05-20 Thread WebDawg
On Wed, May 20, 2015 at 7:54 AM, Tiernan OToole 
wrote:

>
>
> if I am reading correctly, I would be thinking Layer 2 would
> essentially be at a frame level, so it would be closer to Link
> Aggregation with Ethernet connections...
>
> --Tiernan
>
>
People have done it.  I have tried it with OpenVPN and while I got it
working, the connections I used were not the best type of connections
for the scenario.  They were wireless.  I have yet to see any tests posted
from other people doing it.

The connections that I used were very latent.  I did it all manually with
Debian boxes.

I think latency is a big problem because of how layer2 bonding works and
how it handles packets.  If I remember correctly it likes symmetric
connections too.  Or at least two connections with the same upstream and
downstream.

You could try it but optimally you would want to stick with layer three as
this is totally different than bonding two T1's or DSL modems together.
They are not tunnelling Layer2 over Layer3.

Fail over with this tunnelling method worked very well though when I tried
it.  But so would layer3.

The test results I remember from my experiment were only marginally faster
but it really would have been nice to try on some wired connections that
have some stability and I would think may be able to sync at some level.

I am by no means a bonding expert.  I documented some of my journey here if
you are interested:
http://wiki.hackspherelabs.com/index.php?title=Connection_and_VPN_Bonding


Re: [pfSense] Weird issue not sure if it's PFSense or not

2015-05-26 Thread WebDawg
On Tue, May 26, 2015 at 1:04 PM, Mamun Ahmed  wrote:

> Thanks Adam for your response, I have to say I didn't think of that,
> bearing in mind that the other devices seem fine on my network, and the
> funny thing is that Amazon devices can browse everywhere except for the
> secure (https) pages on the Amazon website but only when connected to my
> home network.
>
> If I connect them to a local wifi hotspot they work fine so it's
> definitely confined to my home network, but I can't figure out what it
> might be?
>
> Mamun
>
> Sent from my iPhone
>
> > On 26 May 2015, at 18:35, Adam Thompson  wrote:
> >
> > This could be the Android IPv6 problem, if the amazon devices are using
> v5.0 or newer base software.
> > -Adam
> >
> >> On May 26, 2015 12:28:51 PM CDT, Mamun Ahmed 
> wrote:
> >> Hi everyone,
> >>
> >> I am at a loss as to why this has recently started happening? My setup
> is as follows:
> >>
> >> BT infinity broadband vdsl router connecting into my PFSense firewall.
> The firewall is then connecting into switch which is connected to some BT
> black routers (that are acting as wireless access points).
> >>
> >> My problem:
> >> My laptops/iPhones/iPads all seem to connect fine via the above setup
> however all my amazon devices, Kindle Fire HDX, Kindle Fire phone, Kindle
> Paperwhite, are also able to connect everywhere but with the one exception,
> which seems to be their own secured pages on the amazon website.
> >>
> >> My setup has been like this for the last couple of years however at the
> start of this year (and my guess that after the last two updates) it
> stopped working. When I say it stopped working, I mean, that I am able to
> browse everywhere except stream movies from amazon's prime website via both
> the prime app on the HDX or using
> >> the prime website on those devices - it works fine from the other
> wireless devices (iPhone, iPad, laptop etc) though. I am hoping that I am
> not the only one in this situation?
> >>
> >> Looking forward to your help and advice.
> >>
> >> Many thanks,
> >>
> >> Mamun
> >>
> >
> > --
> > Sent from my Android device with K-9 Mail. Please excuse my brevity.
> ___
>


Did you check the ipv6 issue?

Is this the one everyone is talking about?:

https://www.growse.com/2012/11/03/android-really-doesn-t-like-broken-ipv6-networks/


Re: [pfSense] Loading pfSense on Netgate 1U rack mount server c2758

2015-07-02 Thread WebDawg
On Thu, Jul 2, 2015 at 11:31 AM, Paul Upson 
wrote:

> I recently purchased this device and am now trying to load pfSense onto it
> using a usb stick. Each time the load fails with the following error.
> Mounting from cd9660:/dev/iso9660/PFSENSE fails with error 19. I found a
> post that said to add the command "set kern.cam.boot_delay="1" but it
> doesn't change the result. I need a resolution soon.
>
> Thanks
>
> *Paul Upson*
> IT Support Manager
> Westmoreland Museum of American Art @rt 30
> 4764 State Route 30, Greensburg, PA 15601
> 724-261-9982
> thewestmoreland.org
>
> 
>


What image are you using?  Did you verify it was a good image? When does it
fail?

Web...


Re: [pfSense] Access Point Recommendations?

2015-07-23 Thread WebDawg
On Thu, Jul 23, 2015 at 8:46 AM, Karl Fife  wrote:

> Your point about having a one-off solution is a great one. Installing a
> single UniFi AP would be unnecessarily complex.
>
> The TP-Link TL-WA801nd is a BGN-only device.  Do you (or anyone) have a
> preferred stand-alone AC access point?
>
>
> On 7/22/2015 8:10 PM, Adrian Zaugg wrote:
>
>>   TP-Link TL-WA801nd
>>
>
> ___
>


I was looking at building a custom access point because I really do not
like not knowing what is on my hardware.  I did a bit of research and
started to realize how weird the chipset/driver/ap environment is out
there.  I think I ended up finding a chipset and driver combo that would
both use x86 but I quickly realized why AP makers use two different archs
anymore.  Usually arm and x86, or at least arm.

I have limited testing but I really did not like the DLINK wireless access
points that support AC.  They did meet the fire code stuff though.

I just had two Ubiquiti Wireless AC access points installed somewhere
because the other ones I chose were out of stock at a vendor and they seem
decent.  The Ubiquiti ones require server software to run and stay up all
the time though for some of the advanced features and that seemed really
lame to me.  I ended up putting their UniFi software on a Debian Raspberry
Pi 2 (Java and MongoDB) for a 'controller'.

Not to trash all the hard work these guys do with building these access
points but I really think it is BS that there is not a wireless AC driver
out there that is not fully opensource.  They all at least have binary
blobs.  I hate the deals these guys make to make sure to drive out
competition.

When the new Linksys 1900 AC router came out I was hopeful because they
heavily marketed it as being opensource.  Linksys or Linksys's marketing
lied and it seems like they just assumed that a driver with a blob in it
would meet standards.  They did not contact the openwrt people or even
submit code to the openwrt community the right way.  It was and still to
this day is a mess.

It still has that blob in it and it is obviously not POE or 'enterprisy'.

Anyways, I hope you know about the way all of the vendors advertise their
speeds.  I was confused here:
https://community.ubnt.com/t5/UniFi-Wireless/UAP-AC-TWO-CABLES-NEEDED/td-p/1189281

That thread ended up being interesting as it talked about future second
wave AC stuff.

Sorry I did not answer any questions, I wanted to input some information.
The only way I have found to get good wireless equipment was to do the
coverage research, purchase an access point, and do a proper wireless site
survey with it.  Enterprise vendors will help you with this, and I have
heard of huge WIFI installs that support thousands and thousands in
stadiums and conferences all at once so I am sure you can find a solution.

Web...


[pfSense] Signed Images/Sums

2015-08-15 Thread WebDawg
I see that the sha256 sum is listed with the download of pfSense but are
there any digital signatures available?


Re: [pfSense] client VPN on IOS

2015-09-15 Thread WebDawg
On Tue, Sep 15, 2015 at 9:04 AM, Jan Tichý  wrote:
>
> Setup of the server was a bit tricky, but after that no issues for
three years. Search for a tutorial on YouTube - plenty of hits.
>
> On iOS you need to install the app "OpenVPN"; others might work too.
>
> Use the Client Export Utility to generate the settings, then transfer by iTunes or
just mail it {security concerns} to the iPhone.
>
> Cheers

It does not require a jailbreak anymore?  Interesting.

Re: [pfSense] Routing some traffic through OpenVPN

2015-09-16 Thread WebDawg
On Wed, Sep 16, 2015 at 1:39 AM, Andrej Ferčič [PCklinika] <
and...@pcklinika.si> wrote:
>
> Hello!
>
> I am sure that this issue has been already discussed, but I can not find
any archive. So, please give me some directions where to search or any link
to a thread containing the following:
>
> 1. Is there any routing through IPSec VPN possible? (IPSec is solved in
kernel as I know)
> 2. How to use OpenVPN to route specific traffic through VPN? Let me
explain what I want to solve:
>
>
> Site A (branch office) <> IPSec <> Site B (main office)
>
>
> Site A has two WANs. First, let's name it WAN1, is for all Internet access,
WAN2 is dedicated for some special services and uses private IPs
172.x.x.x./16
>
> From main office (Site B) is this special service reachable, but I should
reach this WAN2 network, from my branch offices to (Site A)
>
> Has anybody any idea how to solve this with current IPSec VPNs or
changing to OpenVPN if first is no go ?!
>
> Thanks,
>
> Andrej


I would use OpenVPN unless you need IPSec for any specific reason.  I have
read a few posts to this list where others are having trouble with IPSec
VPNs in the current and some past releases (pfsense).

These two VPN services are more than adequate to achieve what you would
like to do.

The concept is:

Site A has an OpenVPN server set up.
-This server has a rule (definable in the web interface) that says it has
access to and therefore can route, and will route, traffic addressed to
Site B.

Site B has an OpenVPN client set up that connects to Site A.
-This client has a rule (definable in the web interface) that says that it
has access to and therefore can route, and will route, traffic addressed to
Site A.

I suggest that both networks use different subnets and that you use the TUN
method in OpenVPN.

TUN transports layer 3.

TAP transports layer 2.

Another choice you have to make is UDP vs TCP.  You can get some guidance
here:
https://www.bestvpn.com/blog/7359/openvpn-tcp-vs-udp-difference-choose/

If you use UDP, you should make sure to set up a tls-auth key (really for TCP
too) as OpenVPN will drop any UDP packets without that authentication
method.

Good Luck.

It is fairly basic but I am sure you will have to play with the
configuration on both sides to figure it out.  I think pfSense has a wizard
that will help you too.  Here is a guide also:
https://doc.pfsense.org/index.php/OpenVPN_Site_To_Site


Web...
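The two pieces of the advice above that are easiest to get wrong are the subnet plan and the tls-auth key. The Python below is an added illustration, not pfSense, OpenVPN or the poster's code: check_site_subnets() flags overlapping site and tunnel networks (the "use different subnets" point), and seal()/gate() model what a tls-auth style HMAC does to a UDP packet that arrives without a valid tag, which is why such packets are dropped before any TLS work happens. The HMAC-SHA256-over-payload layout, the key bytes and the sample subnets are assumptions made for the example; OpenVPN's real packet format and defaults are not reproduced.

```python
import hashlib
import hmac
import ipaddress
from typing import List, Optional


def check_site_subnets(site_a_lan: str, site_b_lan: str, tunnel: str) -> List[str]:
    """Return overlap problems between the two site LANs and the tunnel net.

    An empty list means the layout is usable: each "traffic addressed to the
    other site" rule then matches exactly one network, so OpenVPN's route
    entries cannot collide with a local interface route.
    """
    nets = {
        "Site A LAN": ipaddress.ip_network(site_a_lan, strict=False),
        "Site B LAN": ipaddress.ip_network(site_b_lan, strict=False),
        "tunnel": ipaddress.ip_network(tunnel, strict=False),
    }
    problems: List[str] = []
    names = list(nets)
    for i, left in enumerate(names):
        for right in names[i + 1:]:
            if nets[left].overlaps(nets[right]):
                problems.append(f"{left} {nets[left]} overlaps {right} {nets[right]}")
    return problems


# Length of the tag prefixed to every packet (HMAC-SHA256 output; assumption
# for this model, not OpenVPN's wire format).
TAG_LEN = hashlib.sha256().digest_size


def seal(ta_key: bytes, payload: bytes) -> bytes:
    """Sender side: prefix the payload with an HMAC computed under the
    pre-shared tls-auth style key."""
    return hmac.new(ta_key, payload, hashlib.sha256).digest() + payload


def gate(ta_key: bytes, packet: bytes) -> Optional[bytes]:
    """Receiver side: return the payload only if its tag verifies.

    A packet that is too short, signed with another key, or tampered with
    returns None and would be dropped without touching the TLS handshake.
    compare_digest is used so the check does not leak the tag via timing.
    """
    if len(packet) < TAG_LEN:
        return None
    tag, payload = packet[:TAG_LEN], packet[TAG_LEN:]
    expected = hmac.new(ta_key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return payload


if __name__ == "__main__":
    # Constructed sample layout: two sites plus a tunnel network.
    print(check_site_subnets("192.168.1.0/24", "192.168.2.0/24", "10.8.0.0/24"))
    # Constructed clash: both sites use the same LAN range.
    print(check_site_subnets("192.168.1.0/24", "192.168.1.0/24", "10.8.0.0/24"))

    key = bytes(range(32))  # constructed key; generate a real one randomly
    good = seal(key, b"client hello")
    print(gate(key, good))                       # payload returned
    print(gate(key, b"client hello"))            # no tag at all -> None
    print(gate(bytes(32), good))                 # wrong key -> None
```

Running the script shows an empty problem list for the first layout, one overlap for the second, and only the properly sealed packet passing the gate.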

Re: [pfSense] Routing some traffic through OpenVPN

2015-09-16 Thread WebDawg
On Wed, Sep 16, 2015 at 10:09 AM, Andrej Ferčič [PCklinika] <
and...@pcklinika.si> wrote:

> Tnx, for reply
>
> VPN with OpenVPN is not a problem at all. I have problems resolving route
> in OpenVPN. If I add additional interface based on openvpnc, because I will
> need it later when defining gateways, vpns stops. There is still active
> connection, but ECHO request does not reply anymore.
>
> Here is a guide to set all traffic From Site A over VPN to Site B >
> Internet
> https://doc.pfsense.org/index.php/Routing_internet_traffic_through_a_site-to-site_OpenVPN-connection_in_PfSense_2.1
> , but I want only my destination 172.29.0.0/16 through the tunnel,
> everything else should use local GW.
>
> Regards,
>
> Andrej
>
>
It sounds like you are setting it up wrong completely and do not understand
how it works.  Your English is broken and I am having trouble understanding
what specifically you are asking.  I would follow that guide, get it
working, and go from there.

Web..

Re: [pfSense] pfSense + AD not resolving DNS

2015-10-01 Thread WebDawg
On Oct 1, 2015 9:01 PM, "Yukiteru Amano"  wrote:
>
> Hi everybody, I have installed a box using pfSense 2.2.4 with this
> configuration:
>
> 1 x CPU Core 2 Duo (2.66 Ghz)
> 2 GB of RAM (DDR800)
> 1 x HDD WD 500 GB
> 1 x Intel 100/1000 Gbps for WAN (em0) (configure for DHCP ISP)
> 1 X Realtek 8169 for LAN (re0) (192.168.0.1/24)
> Squid3 with SSL Bump and Cache.
> Firewall (default rules for now)
> DHCP and DNS turn off in pfSense box, because I use a old Windows
> Server DHCP and DNS services for AD
> DHCP Relay turn on.
> No DNS services.
>
> In my first tests using Squid3 with SSL Bump work without problems, I
> can surf on the Web without problem, and the block rules work
> perfectly. In this test, the pfSense box it was connected as part of
> the network and not as a gateway, and DHCP and DNS services still active.
>
> Now well, connecting pfSense as gateway, disabling DHCP and DNS in
> pfSense and activating DHCP Relay for that Windows Server handle all
> that ( DHCP and DNS) , I get this:
>
> 1.- The LAN network works without problems. Folders and Resources
> (Shares, Printers, Scanners) are all accessible. IP (DHCP) and DNS
> (192.168.0.2) are configured correctly for Windows Server in each machine.
>
> 2.- The WAN network don't work. No access to Internet using or not,
> DNS service in pfSense box. ping, traceroute, dig directly from
> pfSense box not work.
>
> What could be the problem here ? Because I have no connection to the
> Internet being that are configured IP and DNS? Currently, I have a
> simple router doing the same role as gateway without DHCP and DNS, and
> works perfectly. I would appreciate any light on the subject, thank
> you very much .
>
>
> --
> God in his Heaven, all is well on Earth
> 

What are you passing as your gateway on the Windows box?


Re: [pfSense] pfSense IP stack crashing.

2015-10-14 Thread WebDawg
On Oct 12, 2015 2:27 PM, "Bryant Zimmerman"  wrote:
>
> I have two routers in a CARP stack.
>  The primary yesterday started crashing its IP stack.
>  Things run for a bit of time and then all IP's become unresponsive. The
> secondary pfSense box takes over the VIP's and things keep running. Now
> for some reason the 1st box will reboot some times. Other times it just hangs
> there. If I connect in via IPMI I can see the box is still up I can get
> console access. I can reboot the box and it comes back up until it hangs
> again.
>
>  I ran a spin rite on the DOM running the OS and ran a memory and mother
> board test, and am not coming up with any errors there.
>  I am on 2.2.4-Release (nano bsd)
>
>  Any ideas would be appreciated. This unit has been stable for 3 years
> only rebooted when upgrades occur. This is so out of character for this
> box and I need to figure this out ASAP.
>
>  Thanks for any ideas you can offer.
>
>  Bryant

When you ipmi in...and get shell access.  No messages in the logs?


Re: [pfSense] pfSense IP stack crashing.

2015-10-15 Thread WebDawg
On Thu, Oct 15, 2015 at 7:45 AM,  wrote:

> Hmh,
>
> 3 things you could try come up to my mind.
>
> 1. I'd try another SD-Card (if you are using nanoBSD, my guess is, that
> you use an SD-Card?). Put the Master in permanent maintenance mode and shut
> it down, take out the SD-Card and check for errors. Even if there are none,
> copy the card and use the new one.
> 2. Freezing normally could mean bad memory. Did you try a live CD and a
> mem stress test for at least 24 hours? If not, do that too.
> 3. Unusual and also very unlikely but maybe your box got hacked somehow?
> Turn on the remote logging feature and log your messages to another
> syslogd-Server and see what you get when the system gets unresponsive.
>
> HTH,
>
> Jens Simmoleit
> Senior Linux Systems Administrator
>
> infoscore Profile Tracking GmbH
> part of arvato Financial Solutions
> Kaistrasse 7
> 40211 Düsseldorf
>
> Phone:  +49 211 50 66 51- 88
> Fax:+49 211 50 66 51- 93
> Mobile: +49 160 97 80 46 94
>
>
Better yet, can you post the specs/detailed hardware of the system?  Is it
SD or CF media?

Re: [pfSense] Bandwidth graph

2015-10-16 Thread WebDawg
On Fri, Oct 16, 2015 at 1:11 AM, Walter Parker  wrote:

> Years ago, there was a package for pfSense that graphed total bandwidth for
> the Day, Month, Year using bar charts. It would show the top days with
> bandwidth and total usage for the month.
>
> It was not bandwidthD or the RRD graphs. I can't find it anymore. What was
> it called and why was it removed?
>
>
> Walter
>
> --
> The greatest dangers to liberty lurk in insidious encroachment by men of
> zeal, well-meaning but without understanding.   -- Justice Louis D.
> Brandeis
> __



Was it darkstat?  https://unix4lyfe.org/darkstat/

Packages are maintained by independent coders.


Re: [pfSense] Has anybody experience with installing on Openstack?

2015-10-22 Thread WebDawg
On Wed, Oct 21, 2015 at 9:52 PM, Frank Lowe 
wrote:

> I am trying to do this now. I have Pfsense working in proxmox. I now have
> an Openstack cloud controller running compute and neutron (single host). I am
> now trying to figure out how to
> have pfsense on the tenant network with an external (openstack floating
> network) this would be the inside interface. All of this is easy, just need
> to figure out how to link in the WAN interface. Needs to be direct to the
> Internet.
>
>
>
I was going to virtualize my instance but there was all this nonsense about
limiters not working with the xen network cards.


Re: [pfSense] Has anybody experience with installing on Openstack?

2015-10-23 Thread WebDawg
On Thu, Oct 22, 2015 at 11:16 PM, Chris Buechler  wrote:

> On Thu, Oct 22, 2015 at 4:19 PM, WebDawg  wrote:
> > On Wed, Oct 21, 2015 at 9:52 PM, Frank Lowe 
> > wrote:
> >
> >> I am trying to do this now. I have Pfsense working in proxmox. I now have
> >> an Openstack cloud controller running compute and neutron (single host). I am
> >> now trying to figure out how to
> >> have pfsense on the tenant network with an external (openstack floating
> >> network) this would be the inside interface. All of this is easy, just need
> >> to figure out how to link in the WAN interface. Needs to be direct to the
> >> Internet.
> >>
> > I was going to virtualize my instance but there was all this nonsense about
> > limiters not working with the xen network cards.
>
> Limiters have no NIC restrictions. ALTQ/traffic shaper isn't supported
> with xn. Every other hypervisor's NIC types support ALTQ.
> ___
>

So just to clarify.  ALTQ is the only shaper that does not work with xen
network interfaces?  I was planning on using the latest xenserver.

Have you heard of any other issues?


Re: [pfSense] Backup/Restore to another router

2015-10-26 Thread WebDawg
On Mon, Oct 26, 2015 at 12:26 PM, Edward Holcroft 
wrote:

> Hello list
>
> I am setting up my second pfSense box, with a view to eventually replacing
> 20 Peplink Balance routers on my network.
>
> The first one works great and I have IPSec tunnels working between it and
> all the Peplink sites. Now since I am lazy, I was hoping to be able to
> backup the IPSec tunnels on the first one and simply restore it on the
> second and subsequent routers, to save myself some effort. Naturally I
> edited the content of the xml file to match the new router. However, I have
> now noticed that there is an entry for each tunnel called  which
> is, well, unique.
>
> Does this mean I have to create each and every tunnel manually? Or can I
> use the existing backup with that same uniqid on a different router? Or is
> there some way to generate uniqid's if that's what it requires?
>
> cheers
> ed
>
> --
> Edward Holcroft | Madsen Kneppers & Associates Inc.
> 11695 Johns Creek Parkway, Suite 250 | Johns Creek, GA 30097
> O (770) 446-9606 | M (770) 630-0949
>
>
>
Did you figure out what that uniqid was for?  Is it just a ref for the
web interface/pfSense code?


Re: [pfSense] Virtualized pfsense virtio net limiter issue

2015-11-10 Thread WebDawg
On Mon, Nov 9, 2015 at 1:29 PM, Luis G. Coralle  wrote:
> Hello all.
>
> I have a kvm virtualized pfsense 2.2.4 amd64 on Proxmox 3.3-1 with virtio
> bus disk and virtio network devices.
> In pfsense settings, I have two limiters 1 MB each, to limit up and down
> LAN respectively.
> My speed tests do not work properly. After changing network devices virtio to
> Intel e1000, the limiters are working properly.
> Has anyone had this problem?
>
> Thank you
>
> --
> Luis G. Coralle

The last thing I got back from this list about this:

Chris Buechler | 23 Oct 06:16 2015

Re: Has anybody experience with installing on Openstack?

Chris Buechler 
2015-10-23 04:16:19 GMT

On Thu, Oct 22, 2015 at 4:19 PM, WebDawg  wrote:
> On Wed, Oct 21, 2015 at 9:52 PM, Frank Lowe 
> wrote:
>
>> I am trying to do this now. I have Pfsense working in proxmox. I now have
>> an Openstack cloud controller running compute and neutron (single host). I am
>> now trying to figure out how to
>> have pfsense on the tenant network with an external (openstack floating
>> network) this would be the inside interface. All of this is easy, just need
>> to figure out how to link in the WAN interface. Needs to be direct to the
>> Internet.
>>
> I was going to virtualize my instance but there was all this nonsense about
> limiters not working with the xen network cards.

Limiters have no NIC restrictions. ALTQ/traffic shaper isn't supported
with xn. Every other hypervisor's NIC types support ALTQ.


Re: [pfSense] Disable DHCP domain-name request

2015-11-20 Thread WebDawg
On Fri, Nov 20, 2015 at 2:05 AM, Marco  wrote:
> We receive the interface network configuration on the WAN via DHCP.
> This works, however somehow our ISP or the modem pushes a domain
> name to the pfSense box which is undesirable.
>
> I assume that the DHCP client requests the domain name. I have set
> our domain name in
>
>   System → General Setup → Domain
>
> But it still keeps appearing in the network. So the solution would
> be to remove the “domain-name” part from the requests list. There is
> the form field
>
>   Interfaces → WAN → DHCP client configuration → Advanced → Request Options
>
> What I want to do is to remove “domain-name” from this list. But
> it's empty. Therefore I assume it's using some default values.
>
> How can I remove the “domain-name” from the DHCP request list
> without altering anything else? Or if this is the wrong approach,
> how to ignore the domain being pushed on the network by the ISP?
>
> Marco

Where does it appear?  You can specify domain names on each interface
served by the pfSense DHCP server...

Re: [pfSense] Shutdown Interface?

2015-12-08 Thread WebDawg
On Mon, Dec 7, 2015 at 10:40 AM, Joshua Young  wrote:
> We have recently been the target of DDoS attacks.  The same interface is
> targeted each time.  Is there any way we can shut down this interface
> automatically when this happens?  Is there a way to maybe set a threshold
> for traffic and, when it reaches that threshold, automatically shut the
> interface down?  When this happens, the pfSense is overwhelmed and our
> entire WAN loses Internet connectivity.  I figure if we can shut the one
> interface that is being targeted down before the traffic gets to the point
> of saturating our bandwidth, then just that one network would be down
> rather than our entire WAN.
>
> --
> -
> "The number one benefit of information technology is that it empowers
> people to do what they want to do. It lets people be creative. It lets
> people be productive. It lets people learn things they didn't think they
> could learn before, and so in a sense it is all about potential."
>
>
>   - Steve Ballmer
> -
>
> Josh Young
> Educational Technology Coordinator
>
> *Mount Desert Island Regional School System - AOS 91*
> 1081 Eagle Lake Road, Mt. Desert, ME 04660
> P.O. Box 60, Mt. Desert, ME 04660
> Phone: (207) 288-5049 | Fax: (207) 288-5071



Can we have more details on the DDoS attack?  Are you sure there are
no other solutions than shutting it down?  Why would it freeze?  Is a
service hosted by pfSense being attacked?


Re: [pfSense] VPN client

2015-12-09 Thread WebDawg
On Tue, Dec 8, 2015 at 11:15 PM, Ted Byers  wrote:
> Is it possible to use pfsense as a client, replacing a Checkpoint
> UTM-1 Edge W with AES256 ?  You see, I have one of these Checkpoint
> routers that has failed, and it had been used as a client to a VPN.  I
> know I can use pfsense to provide VPN access to machines behind it.  I
> have done this, and use OpenVPN to connect to the machines
> protected by pfsense.
>
> I suppose I could use OpenVPN as the client, and will investigate
> that.  But I need to know if pfsense can function as both a server and
> as a client (for the unrelated purpose of configuring clusters of LANs
> each of which is protected by pfsense, so that regardless of which LAN
> fails, the others in the cluster can take over operation of the VPN
> connecting them all).
>
> Thanks
>
> Ted
>
> --
> R.E.(Ted) Byers, Ph.D.,Ed.D.


Yes, you can do this.


Re: [pfSense] Shutdown Interface?

2015-12-13 Thread WebDawg
On Fri, Dec 11, 2015 at 3:33 PM, Doug Lytle  wrote:
> It would appear you're just interested in being confrontational.  I hope you
> have a nice day.

You guys just need to relax.  I too hate the fact that everyone pushes
google on people now too.  This is a support list for pfSense stuff
and not your ideals though.  Everyone is entitled to post anything
they think would help.

Is not that the reason this list exists?


Re: [pfSense] Shutdown Interface?

2015-12-13 Thread WebDawg
On Fri, Dec 11, 2015 at 9:03 AM, Robert Obrinsky  wrote:
> I am sorry to hear of the distributed responsibilities for the network, and
> that only makes your job harder.
>
> Any possibility of using a protocol analyzer (Wireshark) to see what is
> going out and where it is going? If you have managed switches with port
> mirroring capabilities, you can strategically place the protocol analyzer to
> see what kind of traffic (i.e. - services) is leaving your network, and also
> see what kind of traffic is coming in.
>
> I don't think pfSense has live logs (I am still fairly new to this product),
> but I have used other firewall products that do have this feature. The live
> logs have been very useful in determining what IP addresses are being
> contacted, what services are being requested, and who is attempting to do
> reconnaissance (port scanning) on your network from outside. Other than
> that, you will need to analyze the existing logs - not a task I ever look
> forward to. This is also one reason I like protocol analyzers, but for some
> reason, most IT departments won't spend the time to learn them and use them.
>
> At some point, you may need to consider hardware. It is possible that the
> WAN interface is defective and just shuts down under moderate to heavy
> traffic. Have you been able to assess the packets/second hitting your WAN on
> this interface during the attacks? There are many on the forums who maintain
> that Intel and Broadcom NICs are robust and perform best in pfSense, and
> that Realtek NICs are problematic at best. I cannot confirm those opinions
> and just don't have the setup to make a definitive test. I use Realtek NICs
> in my firewalls, but my office is unlikely to see the variety and
> utilization that your networks do.
>
>

pfSense can do tcpdumps on any interface.  I get that ddos attacks are
meant to shut a WAN connection down, my biggest thing about this issue
was that the firewall was freezing.  Is not that one of the parts
about getting the correct hardware and configuring a firewall
correctly?

I would go with the cronjob suggestion that was posted a while back if
you are looking to shutdown the interface overall.  I think it is a
good idea to check what is doing it though (causing the freeze), it is
nothing to get some bandwidth anymore to do these attacks and while
your WAN connection will not work, a firewall should not freeze.

It makes me want to ddos my own boxes.

Wireshark is just the tip of the iceberg anymore, they have entire web
based suites that are dedicated to protocol inspection.  Even live
stuff.

In your firewall rule sets, are you dropping or rejecting?  I only
reject when I know systems need that reject back.  Like when some
software waits and waits and waits for a timeout because the automatic
update for specific software cannot connect to home.  Even then, this
is on the LAN side.  This is just basic stuff.

It sounds like you have a nice pipe coming into your pfSense box.

It would help this list if you could say what type of attack it is,
and what traffic they are sending your way.


Re: [pfSense] Lost limiter config after upgrade

2015-12-16 Thread WebDawg
I just tried a limiter through the wizard and it killed all traffic
out the wan.  Just talked to someone on #pfsense @freenode and they
had the same issue.

On Tue, Dec 15, 2015 at 1:32 AM, Chris L  wrote:
> Yeah there’s a difference between the upgrade fails and the upgraded system 
> just doesn’t work with limiters.
>
> It seems either traffic just doesn’t flow or limiters don’t limit.
>
> I am really looking forward to this being fixed. Until then, 2.1.5 rules the 
> roost.
>
> It’s a pretty sad state.
>
>> On Dec 14, 2015, at 8:26 AM, Ryan Clough  wrote:
>>
>> Might also depend on how the limiters are being used and how the rest of
>> the router is configured. I have been up against this bug for at least six
>> months:
>> https://redmine.pfsense.org/issues/4326
>>
>> ¯\_(ツ)_/¯
>> Ryan Clough
>> Information Systems
>> Decision Sciences International Corporation
>> 
>> 
>>
>> On Sun, Dec 13, 2015 at 5:29 PM, ED Fochler 
>> wrote:
>>
>>> Limiters work on 2.2.4, I’m using them.  But I didn’t upgrade, I created
>>> the limiters on 2.2.4.  Are you asking if limiters work?  Or are you just
>>> noting that they don’t cleanly upgrade?  If you create them through the GUI
>>> and link them in with the firewall rules, do they work now?
>>>
>>>ED.
>>>
 On 2015, Dec 12, at 1:43 PM, Ugo Bellavance  wrote:

 Hi,

 We upgraded from 2.0.1-RELEASE to 2.2.4-RELEASE and the limiter that
>>> worked on 2.0.1 stopped working.  This limiter (and sub-limiters) is
>>> located on an inside interface and its role is to limit the traffic that
>>> can come in.  This firewall is at a remote site and we replicate backups
>>> there.  We use this limiter because the bandwidth at the remote site is
>>> higher than at our main site.  Using this limiter avoids saturating our
>>> main site's WAN link and causing slowdowns.

 Looking at the config diffs, it looks like the  tags have
>>> changed during the upgrade.  It looked like ?1 and ?2 and now it looks like
>>> labels.  Also, the  tag seems to include more stuff now.

 It was 28 and now it looks like
  
  
  28
  Mb
  none
  
  


 Thanks,

 Ugo

>>
>> --
>> This email and its contents are confidential. If you are not the intended
>> recipient, please do not disclose or use the information within this email
>> or its attachments. If you have received this email in error, please report
>> the error to the sender by return email and delete this communication from
>> your records.

Re: [pfSense] FTP trouble.

2016-02-11 Thread WebDawg
On Thu, Feb 11, 2016 at 1:25 PM, J. Echter
 wrote:
> Hi,
>
> i have a tool which updates its data by ftp. Nothing special...
>
> But, i can't use it as i get errors like 'no data', error 227 'entering
> passive mode' and so on.
>
> As far as i know passive mode should be working without any effort.
>
> Where can i have a look at what is going wrong?
>
> I read about FTP helper and FTP Client Proxy, but imho FTP Helper isn't
> in 2.2 anymore and was more for ftp servers behind pfsense.
>
>
> Please, any hints are welcome :)
>
> Thanks.
>
> Juergen


PASV mode requires you opening ports on the firewall so when a client
needs to transfer data it can use these ports to connect to the FTP
server and start the transfer.  It is specifically built like this so
you CAN host an FTP server across NAT.

You usually have to configure the FTP server to utilize a range of
ports for its PASV mode based on the amount of active clients at one
time on a server.  You then forward those ports to the internal
address of the box with the FTP server on it.

You may also have to configure a PASV IP address in the FTP server
because by default the FTP server will pass the IP it is on and the
port to the client telling it to connect there.

So if you do not do both, you are going to have issues connecting to an
FTP server behind a NATed box.

You should not be using just plain FTP anymore as it is insecure.  You
should be using SFTP (ssh) or FTP with TLS enabled.  You still have to
configure a group of PASV ports and a PASV ip in this instance.
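To make the PASV troubleshooting above concrete, here is an added Python example (not pfSense's, any FTP server's, or the poster's code) that parses the server's 227 reply the way a client does and reports the two misconfigurations described: an advertised inside address that the client cannot reach through NAT, and a data port outside the range forwarded through the firewall. The sample replies are constructed, 203.0.113.5 (a documentation address) stands in for the firewall's WAN address, and 50000-50100 is an assumed port-forward range.

```python
import ipaddress
import re
from typing import List, Tuple

# RFC 959 reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
PASV_RE = re.compile(
    r"^227\b.*?(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
)

# Ranges that are never reachable from the public Internet. A server behind
# NAT that advertises one of these is handing clients its inside address.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",                                   # carrier-grade NAT
    "127.0.0.0/8", "0.0.0.0/8", "169.254.0.0/16",      # loopback, unspecified, link-local
)]


def parse_pasv(reply: str) -> Tuple[str, int]:
    """Recover (host, port) from a 227 reply; the port is p1*256 + p2."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    fields = [int(g) for g in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"field out of range in PASV reply: {reply!r}")
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    return host, port


def check_pasv(reply: str, public_ip: str, forwarded: Tuple[int, int]) -> List[str]:
    """Compare what the server advertises against the firewall's WAN address
    and the forwarded port range; return a list of problems (empty = OK)."""
    host, port = parse_pasv(reply)
    addr = ipaddress.ip_address(host)
    problems: List[str] = []
    if any(addr in net for net in NON_ROUTABLE):
        problems.append(
            f"advertised address {host} is not routable from the Internet; "
            f"set the server's PASV address to {public_ip}"
        )
    elif host != public_ip:
        problems.append(
            f"advertised address {host} does not match the firewall WAN address {public_ip}"
        )
    low, high = forwarded
    if not low <= port <= high:
        problems.append(
            f"data port {port} is outside the forwarded range {low}-{high}; "
            "the client's data connection will be blocked"
        )
    return problems


if __name__ == "__main__":
    wan = "203.0.113.5"          # assumed WAN address (documentation range)
    pasv_range = (50000, 50100)  # assumed port-forward range
    # Constructed replies: a misconfigured server and a correct one.
    for reply in (
        "227 Entering Passive Mode (192,168,1,20,195,80).",
        "227 Entering Passive Mode (203,0,113,5,195,80).",
    ):
        print(reply, "->", parse_pasv(reply), check_pasv(reply, wan, pasv_range) or "OK")
```

The first constructed reply resolves to 192.168.1.20:50000, which the check flags because an outside client would try to connect to a private address; the second advertises the WAN address and a port inside the forwarded range and passes.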
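An added example, not code from the thread or from pfSense, that turns the explanation above into a check a defender can run against a server's actual replies: it parses the `227 Entering Passive Mode` line the client receives and reports whether the advertised address and port would be reachable through the NAT, catching both failure modes described above (PASV IP left at the internal address, and a port outside the forwarded range). The public address 198.51.100.7, the forwarded range 50000-50099 and all sample replies are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or from pfSense: check an FTP
# "227 Entering Passive Mode" reply for the NAT problem described above,
# where the server advertises its internal address or a port that is not
# forwarded. All sample replies and addresses below are constructed.

# pasv_host_port REPLY
# Prints "A.B.C.D PORT" from a 227 reply (port = p1*256 + p2);
# returns 1 when the reply carries no (h1,h2,h3,h4,p1,p2) tuple.
pasv_host_port() {
    _tuple=$(printf '%s\n' "$1" |
        sed -n 's/.*(\([0-9]*,[0-9]*,[0-9]*,[0-9]*,[0-9]*,[0-9]*\)).*/\1/p')
    [ -n "$_tuple" ] || return 1
    set -- $(printf '%s\n' "$_tuple" | tr ',' ' ')
    [ $# -eq 6 ] || return 1
    printf '%s.%s.%s.%s %d\n' "$1" "$2" "$3" "$4" "$(( $5 * 256 + $6 ))"
}

# is_private_ipv4 A.B.C.D -> 0 when the address is RFC 1918 space,
# i.e. an address a client on the Internet can never reach directly.
is_private_ipv4() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# check_pasv REPLY CONTROL_PEER_IP MIN_PORT MAX_PORT
# Prints one verdict and returns 0 only when the data connection can work
# through the NAT: the advertised address is the public one the client already
# used for the control connection, and the port lies in the forwarded range.
check_pasv() {
    _hp=$(pasv_host_port "$1") || { echo unparseable; return 1; }
    _host=${_hp% *}
    _port=${_hp#* }
    if is_private_ipv4 "$_host"; then
        echo private-address      # PASV IP not set: server advertised its LAN address
        return 1
    fi
    if [ "$_host" != "$2" ]; then
        echo address-mismatch     # advertised address differs from the one the client reached
        return 1
    fi
    if [ "$_port" -lt "$3" ] || [ "$_port" -gt "$4" ]; then
        echo port-out-of-range    # port not inside the range forwarded to the server
        return 1
    fi
    echo ok
}

# Stand-alone run: public address 198.51.100.7 (documentation range) and a
# forwarded PASV range of 50000-50099 are assumed.
for reply in \
    "227 Entering Passive Mode (198,51,100,7,195,80)" \
    "227 Entering Passive Mode (10,0,0,5,195,80)" \
    "227 Entering Passive Mode (198,51,100,7,4,1)" \
    "200 Command okay"
do
    printf '%-50s -> %s\n' "$reply" "$(check_pasv "$reply" 198.51.100.7 50000 50099)"
done
```

The verdict words map directly onto the two settings named above: `private-address` or `address-mismatch` means the PASV IP in the server needs setting to the public address, `port-out-of-range` means the server's PASV port range and the firewall's port forward do not agree.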


Re: [pfSense] FTP trouble.

2016-02-13 Thread WebDawg
On Fri, Feb 12, 2016 at 11:24 AM, J. Echter
 wrote:
> Hi,
>
> Don't laugh. It was the f. antivirus.
>
> Thanks for your interest :)
>


AV on the server system?


Re: [pfSense] Problem with new Unit

2016-02-19 Thread WebDawg
On Thu, Feb 18, 2016 at 7:30 PM, David Ross  
wrote:
> Current device is an xxx running pfSense 2.0.1-RELEASE
>
> New device is an SG-2440 running pfSense 2.2.6-RELEASE
>
> I decided that trying to reload the configuration file with that big of a
> gap in versions was asking for trouble so I built the new configuration by
> hand. It wasn't that complicated.
>
> But no luck. We have a block of 15 static IPs, with 5 of them currently
> mapped via NAT 1:1 to 4 internal systems. Everything seemed to work except
> for DNS. Our mail server could receive and send as long as DNS lookups
> were not required for new items.
>
> We have a DNS server in-house for all of the machines on our LAN to use. I
> really don't want the pfSense device to do anything but pass DNS queries out
> and get the responses back to our in-house server.
>
> DNS seems to have changed a lot in the release gap I'm crossing. Any quick
> thoughts before I dig in deeper?
>
> I have disabled the DNS forwarder.
>
> I have also disabled the DNS resolver.
>
> I have looked at the various rules (not that many) and interface settings
> and don't see anything obvious.
>
> Any pointers on what to check out?
>
> Thanks
> David Ross


So you are using a DNS server on your WAN for internal clients?


Re: [pfSense] recover vnstat data

2016-02-19 Thread WebDawg
On Thu, Feb 18, 2016 at 6:39 PM, Nenhum_de_Nos  wrote:
> Hi,
>
> I just installed a new pfSense here as a test, it worked well so far, so now
> I would like to move the vnstat database files there. I can't write them; the
> fs is RO. I would not like to open the case and shut them both down. Is there
> a way to do it?
>
> thanks,
>
> matheus
>
> --
> "We will call you Cygnus,
> the God of balance you shall be."


What hardware platform?


Re: [pfSense] PFSense for high-bandwith environments

2016-02-23 Thread WebDawg
On Thu, Feb 18, 2016 at 11:29 AM, Rainer Duffner  wrote:
>
>> Am 18.02.2016 um 19:13 schrieb Walter Parker :
>>
>> There is an optimization coming for pfsense. There is a new user space
>> routing daemon. netmap I think, that can reach line rate on 10G NICs (14.88
>> Mpps). There was a BSDCon that talked about a future version of pfsense
>> using this system. It uses ipfw, so there is a bit of work to adapt it to
>> pfsense.
>
>
>
>
> Also, AFAIK, Chelsio NICs are better in the 10G space.
>
> ESF uses them in some of their appliances (see the shop).
> Netflix uses them, too, in their FreeBSD cache-boxes.
>
> They aren’t really that much more expensive than Intel NICs.
>
> I have no experience using them myself.
>


Man, I was looking at the price point on used 10Gbit NICs and I think
it is time for a bit of an upgrade.

Re: [pfSense] Broke my NAT reflection

2016-03-24 Thread WebDawg
On Wed, Mar 23, 2016 at 7:14 PM, Ryan Coleman  wrote:
> And it would appear to be fixed again… clueless, I am.
>
>
>> On Mar 23, 2016, at 6:14 PM, Ryan Coleman  wrote:
>>
>> So I moved my server and firewall to a new location and am trying to get a 
>> sliced network set up for the new location (trading gigabit internet for 
>> electricity… great deal!) and I am having some issues with the NAT 
>> reflection on my 1:1.
>>
>> Everything going out is OK but everything is resolving internally and I’m
>> clueless as to what I broke.
>>
>> At this point I’m completely lost so any direction of what you’d expect 
>> please let me know.
>>
>> Thanks!


I have had problems with openvpn routing not working until a reboot.

Could that be what happened to you?

Re: [pfSense] pfSense 2.3 unresponsive on

2016-04-14 Thread WebDawg
On Wed, Apr 13, 2016 at 6:11 PM, Rosen Iliev  wrote:

> Hi guys,
>
> Just upgraded my embedded pfsense to 2.3.
> I have problems getting to the box (web or ssh); it just times out.
> On the web sometimes I get an Nginx 504, sometimes just nothing.
> Eventually I got logged in and tried to check what's going on.
> I opened the Diagnostics->System Activity page and started monitoring the
> network traffic.
>
> There is JavaScript that updates the page content every 2.5 seconds, but the
> actual response in my case was more than 15 sec.
> So I ended up with 20+ pending requests to /diag_system_activity.php.
>
> I don't think that setInterval is a good option here. Especially when you
> don't know how long it will take for the request to complete.
>
> My suggestion is to use setTimeout like this:
>
> 
> // function getcpuactivity() {
> $.ajax(
> '/diag_system_activity.php',
> {
> method: 'post',
> data: {
> getactivity: 'yes'
> },
> dataType: "html",
> success: function (data) {
> $('#xhrOutput').html(data);
> +  setTimeout('getcpuactivity()', 2500);
> },
> }
> );
> }
>
> events.push(function() {
> -setInterval('getcpuactivity()', 2500);
> +   setTimeout('getcpuactivity()', 2500);
> getcpuactivity();
> });
> //]]>
> 
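Review bot: the added `+   setTimeout('getcpuactivity()', 2500);` inside `events.push` together with the unchanged `getcpuactivity();` on the next line starts two independent polling chains, because each successful response re-arms its own timer in the `success` callback; keep only one of the two calls so a single chain runs. The re-arm also lives only in `success`, so one failed request (the Nginx 504 described above) stops polling for good; moving the `setTimeout` into jQuery's `complete` callback, which fires on success and error alike, keeps the page updating through failures. Passing the string `'getcpuactivity()'` to `setTimeout` is evaluated as code at each tick; passing the function reference `getcpuactivity` avoids that.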
>
> Regards,
>
> Rosen
>
>
What device are you using?


Re: [pfSense] Upgrade from 2.2.x to 2.3 - upgrading firmware for almost 7 hours.

2016-04-14 Thread WebDawg
On Thu, Apr 14, 2016 at 1:53 PM, J. Echter <
j.ech...@echter-kuechen-elektro.de> wrote:

> Am 14.04.2016 um 19:32 schrieb J. Echter:
> > Hi,
> >
> > here, everything works as expected. :)
> >
> > But I have an upgrade running for roughly 7 hours...
> >
> >
> > I didn't check the full backup before the upgrade.
> >
> > 7 hours seems long... :)
> >
> > Is this still expected behaviour?
> >
> > Thanks
> >
> > J.
> >
>
> Seems normal, I have a reboot mail now :D
>
>
I think I had this problem when I had a bunch of sarge reports and stuff.
For some reason one of the upgrade steps was to look through the entire FS.


Re: [pfSense] pfSense on vmware ESXi 6.0

2016-04-14 Thread WebDawg
On Thu, Apr 14, 2016 at 4:40 PM, Olivier Mascia  wrote:
>
> Hello,
>
> I'm looking for advice and best practices when running pfSense (this
> time it will be 2.3) in a VMware VM.  I have been offered the chance to move
> some resources to a virtual datacenter made of dedicated hardware hosts in
> clusters, running ESXi 6.0 and vSphere.  I have access to such an
> infrastructure for the next 3 weeks.  I have used pfSense in a number of
> devices and hosts, but never inside a VM, except for experimenting with
> configurations of pfSense itself.
>
> I could build up a pfSense 2.3 VM without real difficulties.  Installing
> the integration tools was easy through the included package.  Now, what are
> the pitfalls I should look for?  Any shared VMware experience from you will
> undoubtedly help fine-tuning this.
>
> For now the pfSense VM I configured has these resources: OS declared to
> vSphere is FreeBSD 10.3 64-bit, 1 socket, 2 cores, 2 GHz reserved, 2 GB
> RAM, 10 GB HD, 2 network adapters. I'm generally resource-conservative but
> I could allow much more if it makes sense.
>
> For these adapters I have the choice between E1000, VMXNET 2, VMXNET 3.
> I have set them for VMXNET 3 but without background about this being the
> right-thing-to-do or not. At least it seems to work but I still need to
> stress test the VM (traffic-wise) a little bit.
>
> Are there tunings inside pfSense which you could recommend / not live
> without, based on your experience inside VMware virtual machines?
>
> Network interface settings? All are set for their default pfSense
> values, which means TCP segmentation offloading and large receive
> offloading are disabled. Would it make sense to enable those?
>
> Thanks for any insight you might want to share.
>
> --
> Meilleures salutations, Met vriendelijke groeten, Best Regards,
> Olivier Mascia, integral.be/om
>

https://blog.pfsense.org/?p=1716

They have an appliance you can purchase now.


Re: [pfSense] pfSense on vmware ESXi 6.0

2016-04-14 Thread WebDawg
On Thu, Apr 14, 2016 at 6:02 PM, Olivier Mascia  wrote:

> > Le 14 avr. 2016 à 23:54, WebDawg  a écrit :
> >
> > https://blog.pfsense.org/?p=1716
> >
> > They have an appliance you can purchase now.
>
> Eyes blinking.
> And it's available through the pfSense Gold subscription which I have
> signed for and renewed since it existed. Will check this.
>
> --
> Meilleures salutations, Met vriendelijke groeten, Best Regards,
> Olivier Mascia, integral.be/om
>
>
>

I plan to throw pfSense into Xen.  I would like to know the answers to the
questions you are asking anyway, heh.

Re: [pfSense] openvpn topology subnet with pfsense 2.2.6 server/2.3 client

2016-04-15 Thread WebDawg
On Apr 15, 2016 4:39 PM, "Joseph L. Casale" 
wrote:
>
> Does a facility exist to bypass the UI and invoke a static config for an
> OpenVPN server?
> I do not see a means through the web UI to create a configuration which
> permits static addressing in subnet mode.
>
> Thanks,
> jlc

This!

They need to let this happen for all packages!


Re: [pfSense] pf2ad update to pfSense 2.3

2016-04-17 Thread WebDawg
On Fri, Apr 15, 2016 at 12:39 PM, Luiz Gustavo S. Costa <
luizgust...@luizgustavo.pro.br> wrote:

> Hello,
>
> Whoever wants to test the pf2ad update for pfSense 2.3 now can
> apply the script with the following command:
>
> fetch -q -o - http://projetos.mundounix.com.br/pfsense/2.3/samba3/pf2ad.sh
> | sh
>
> The code versioning can be followed at:
>
> https://gitlab.mundounix.com.br/pfsense/pf2ad
>
> I have the support of the crowd with stipends (PayPal) and/or time for
> coding.
>
> More info: http://pf2ad.mundounix.com.br/en/index.html
>
> Regards
>
> --
> Luiz Gustavo Costa (Powered by BSD)
> *+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+
> ICQ: 2890831 / Gtalk: gustavo@gmail.com
> Blog: http://www.luizgustavo.pro.br
>
>
I never knew about this, any reason it is not in the official packages?
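An added example, not code from pf2ad or from the list: the `fetch -q -o - ... | sh` form quoted above executes whatever the server returned, with nothing to inspect or compare before it runs. The script below fetches to a file first and hands it to sh only when its SHA-256 matches a value pinned ahead of time. The pinned digest in the demo is computed locally to show the mechanism and stands in for one published out of band (a release note or signed checksum file); the script content is constructed, and the helper names are this example's own.

```shell
#!/bin/sh
# Added example, not from pf2ad or the list: download an install script to a
# file and run it only after its SHA-256 matches a value pinned in advance,
# instead of piping the download straight into sh. The pinned value in the
# demo is computed locally to show the mechanism; in real use it comes from
# the project's release notes or another out-of-band source.

# sha256_of FILE -> hex digest, using whichever tool the host has
# (sha256 on FreeBSD and pfSense, sha256sum on Linux).
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# verify_script FILE EXPECTED_SHA256 -> 0 when the digest matches, 1 otherwise.
verify_script() {
    _got=$(sha256_of "$1") || return 1
    [ "$_got" = "$2" ]
}

# run_verified FILE EXPECTED_SHA256
# Executes FILE with sh only after it verifies. Returns 2, without running
# anything, on a mismatch; otherwise returns sh's exit status.
run_verified() {
    if ! verify_script "$1" "$2"; then
        echo "refusing to run $1: digest does not match the pinned value" >&2
        return 2
    fi
    sh "$1"
}

# Stand-alone demonstration with a constructed script instead of a download.
# On pfSense the download step would be: fetch -q -o pf2ad.sh <url>
demo() {
    _tmp=$(mktemp) || return 1
    printf '#!/bin/sh\necho "installer would run here"\n' > "$_tmp"
    _pinned=$(sha256_of "$_tmp")   # stands in for the published digest
    run_verified "$_tmp" "$_pinned"                  # digest matches: runs
    run_verified "$_tmp" "0000000000000000000000000000000000000000000000000000000000000000" # refused
    rm -f "$_tmp"
}
demo
```

Keeping the downloaded file around also leaves something to read through before running it, which the piped form never offers.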


Re: [pfSense] Upgrade from 2.2.x to 2.3 - upgrading firmware for almost 7 hours.

2016-04-17 Thread WebDawg
On Fri, Apr 15, 2016 at 10:17 AM, J. Echter <
j.ech...@echter-kuechen-elektro.de> wrote:

> Hi,
>
> maybe the squid cache was a reason for this.
>
> 7 hours was really long, I had to stop myself from 'interrupting' it :D
>
> But now all runs smooth.
>
> Keep up the good work!
>
> Greetings
>
> Juergen
>
>
Would be nice to know what did it or why it scans the entire cache.  I did
an update once thinking max 20 mins, 2 hours if something broke and ran
into the same thing.


Re: [pfSense] HA and OpenVPN

2016-04-25 Thread WebDawg
On Mon, Apr 25, 2016 at 2:12 PM, Steve Yates  wrote:

> I missed that also, way back when, thanks.  We had been connecting to
> either router1 or router2's WAN IP.  If router2 is not the CARP master, you
> can connect to it, but it will try to send the response back out through
> router1 so one can't get bi-directional communication.
>
> --
>
> Steve Yates
> ITS, Inc.
>
>
> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Olivier
> Mascia
> Sent: Monday, April 25, 2016 1:49 PM
> To: pfSense Support and Discussion Mailing List 
> Subject: Re: [pfSense] HA and OpenVPN
>
> > Le 25 avr. 2016 à 20:04, Travis Hansen  a
> écrit :
> > Did you select the carp IP as the 'interface' in the openvpn server
> config? or do you just have WAN selected?
>
>
> > Le 25 avr. 2016 à 20:21, Brady, Mike  a
> écrit :
> > Did you change the OpenVPN configured Interface to be the VIP rather
> than the WAN?
>
>
> No, I didn't. :(  That was the stupid mistake I was looking for.
> Thank you Brady and Travis.
>
> --
>

OpenVPN I think has failover, multiple hostnames, can you utilize that?
Configure both systems at once?  Two different ports?

Re: [pfSense] Fw: new message

2016-04-26 Thread WebDawg
On Tue, Apr 26, 2016 at 8:49 AM, Randy Morgan  wrote:

> This is not a group for advertising weight loss products, I hope this is
> not going to become a discussion group that allows advertising of this type.
>
> Randy
>
> Randy Morgan
> CSR
> Department of Chemistry and Biochemistry
> Brigham Young University
> 801-422-4100
>
>
>
I think it's spam.

I do not think this list is moderated.


Re: [pfSense] Long delay before DHCP issued leases appear in the DHCP lease table

2016-04-30 Thread WebDawg
On 04/28/2016 11:06 PM, Karl Fife wrote:

> I've been 'subdividing' some growing networks into multi-lan; guest,
> management networks etc.
>
> On every occasion I've observed that it has taken considerable time
> (perhaps 10 to 20 minutes) after the DHCP server begins issuing new
> leases (to hosts moved from the other interface) before they show in
> the DHCP lease table. These hosts are successfully being issued IP
> addresses in the new range, and their MACs and IPs show up in the
> pfSense ARP table, plus I can see the activity in the DHCP log.
> Restarting DHCPD doesn't seem to have an immediate effect. So far,
> it seems most correlated with the passage of time.
>
> Naturally all of the hosts in all scenarios were moving from a
> different interface on the same router.  Some even had static
> reservations (that were deleted).   These have all been 2.2.6
> installations.  I may have the opportunity to re-factor as above on a
> 2.3 installation later this month.
>
> Any ideas what's happening here?  Am I waiting for ARP expiration or
> something?  Any way to speed up this process?
>
>
>

I was having issues like this but I thought that 2.2.6 fixed that.  I do
not see it in 2.3 anymore.  I would usually have to reboot.





Re: [pfSense] PFSense breaks TCP-Sessions

2016-05-01 Thread WebDawg


On 05/01/2016 08:15 AM, Jens Kühnel wrote:
> Hi,
>
> I've been a very satisfied pfSense user for a very long time, but I'm running
> into a problem that I cannot fix, even after a long time of searching.
>
> To get a real IPv4 address to my home with only a DS-Lite connection, I'm
> using pfSense with OpenVPN via UDP6 to transport a real IP address from
> my hosting provider (Hetzner) to my home. The problem occurs with
> pfSense 2.2 and 2.3. The opposite side (at Hetzner) is a CentOS 7 with
> openvpn-2.3.10-1.el7.x86_64.
>
> I can create the tunnel and ping without any problem. Sometimes I can
> also use TCP without a problem, but most of the time not. The problem
> happens only from the internet to my home and without a detectable
> pattern (time, load on the link, source/destination IP, port).
> tcpdump shows a lot of TCP ACKed unseen segment, TCP Retransmission and
> TCP Dup ACKs.
> From my home network to the Internet there is no problem.
>
>
> My first idea was MTU, but decreasing the MTU did not help. Also the
> option mtu-test shows on both sides:
>  Empirical MTU test completed [Tried,Actual] local->remote=[1584,1584]
> remote->local=[1584,1584]
>
> My second idea (or that of a friend) was bad offloading. So I disabled
> all kinds of offloading with this:
> ifconfig em0 -rxcsum -txcsum -rxcsum6 -txcsum6 -tso -lro -vlanhwtag
> -vlanhwfilter -vlanhwtso
> ifconfig em1 -rxcsum -txcsum -rxcsum6 -txcsum6 -tso -lro -vlanhwtag
> -vlanhwfilter -vlanhwtso
> It did not help.
>
> Yesterday I freed up another IP and configured a Linux machine as a
> replacement for the pfSense. With iptables and OpenVPN, here
> everything works without any problems.
>
> So the problem is pfSense or my misconfiguration of pfSense.
>
> I really would like to continue to use pfSense, so can anyone give a
> hint how to fix this, or at least what it can be and where to search?
>
> CU
> Jens
>
> P.S.:
>
> My setup:
>
> The pfSense has an IPv6 address and gets the IPv4 address via the
> OpenVPN tunnel. This is also the default IPv4 GW. I have 3 networks (in
> 192.168.*) in 3 VLANs and use NAT via the public IP.
> pfSense forwards 443 to an internal HTTPS server and a high port to an
> SSH server.
>
> This setup (without the OpenVPN tunnel) was working without a problem
> for 2 years before I moved to a new city with this new setup.
>
>


Did you increase the verbosity of OpenVPN logging and see what OpenVPN
is reporting?  Can you?  Pastebin?
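An added example, not code from the thread or from pfSense: Jens's `ifconfig em0 -rxcsum -txcsum ...` commands above turn offload features off, and Olivier's ESXi question earlier on the page asks which of them pfSense leaves disabled by default. Rather than assume the result, this script reads `ifconfig` output and lists the offload options that are still enabled, so the state of each interface can be checked after the change (and again after a reboot, since ifconfig changes do not persist). The ifconfig text below is a constructed sample in FreeBSD's output format; the option names are the ones FreeBSD's ifconfig prints.

```shell
#!/bin/sh
# Added example, not from the thread or from pfSense: list which hardware
# offload features are still enabled on an interface, so the effect of the
# ifconfig -rxcsum ... commands above (and pfSense's own defaults, as asked
# about in the ESXi thread earlier) can be verified instead of assumed.
# The ifconfig text below is a constructed sample in FreeBSD's output format.

# Offload-related option names as FreeBSD's ifconfig prints them.
OFFLOAD_NAMES="RXCSUM TXCSUM RXCSUM_IPV6 TXCSUM_IPV6 TSO4 TSO6 LRO VLAN_HWTAGGING VLAN_HWFILTER VLAN_HWTSO"

# offload_flags: reads ifconfig output on stdin and prints each enabled
# offload option on its own line (no output means none are enabled).
offload_flags() {
    _opts=$(sed -n 's/^[[:space:]]*options=[0-9a-fx]*<\(.*\)>.*/\1/p' | head -n 1)
    [ -n "$_opts" ] || return 0
    for _name in $OFFLOAD_NAMES; do
        case ",$_opts," in
            *,"$_name",*) printf '%s\n' "$_name" ;;
        esac
    done
}

# offload_count: same input, prints how many offload options are enabled.
offload_count() {
    offload_flags | wc -l | tr -d ' '
}

# Constructed samples: em0 before and after the ifconfig commands above.
BEFORE='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC,VLAN_HWTSO>
        ether 00:00:5e:00:53:01
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255'
AFTER='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 00:00:5e:00:53:01
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255'

echo "before: $(printf '%s\n' "$BEFORE" | offload_count) enabled"
printf '%s\n' "$BEFORE" | offload_flags
echo "after: $(printf '%s\n' "$AFTER" | offload_count) enabled"
printf '%s\n' "$AFTER" | offload_flags
```

On the firewall itself the functions are fed live output, for instance `ifconfig em0 | offload_flags`; an empty result confirms the interface matches what the commands above were meant to achieve.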


Re: [pfSense] IPsec: tunneling both IPv4 and IPv6 between two sites

2016-05-01 Thread WebDawg


On 05/01/2016 02:35 AM, Olivier Mascia wrote:
>> Le 1 mai 2016 à 04:26, Jim Pingle  a écrit :
>>
>> On 4/30/2016 6:57 AM, Olivier Mascia wrote:
>>> Sorry for having asked this question.
>>> While I had tried to find the answer before posting, I finally found the 
>>> answer seconds later.
>>>
>>> https://doc.pfsense.org/index.php/IPv6_and_VPNs
>>>
>>> "Currently IPv6 with IPsec is functional, but traffic cannot be mixed 
>>> families in a tunnel. Meaning, IPv6 traffic can only be carried inside a 
>>> tunnel which has IPv6 endpoints, and IPv4 traffic can only be carried over 
>>> a tunnel using IPv4 endpoints. A single tunnel cannot carry both types of 
>>> traffic."
>> That page is a little out of date in one respect: You can't mix traffic
>> with IPsec using IKEv1, but you can with IKEv2. So long as both sides
>> support IKEv2 you can carry IPv6 and IPv4 in P2 entries.
>>
>> FWIW, You can also tunnel both at once using OpenVPN.
> I have had a performance issue with OpenVPN recently (though I used OpenVPN a 
> lot in the past for remote access VPN and some point to point link over slow 
> links). I started using IPsec for those two new links with higher performance 
> and the results are excellent. Indeed I configured IKEv2 on both endpoints. 
> So I should push the experience of adding a second phase2 for tunneling IPv6.
>
> Thanks!
>
What kind of performance issues?  Highspeed links?  Just wondering.


Re: [pfSense] USB3 to ethernet adaptor

2016-05-02 Thread WebDawg
On May 2, 2016 1:56 AM, "Frans Meulenbroeks" 
wrote:
>
> Hi,
>
> Does anyone have experience using USB3 to Ethernet adapters? I need an extra
> interface but my HW (Intel NUC) does not have room for another card.
> Anything recommendable?
>
> Best regards, Frans.

If you can skip the USB stuff and enable VLANs...in my opinion it is worth
it.


Re: [pfSense] USB3 to ethernet adaptor

2016-05-03 Thread WebDawg
Before anyone goes out and purchases one of the GS switches from Netgear
please look at these posts:

http://seclists.org/fulldisclosure/2016/Jan/77

http://seclists.org/fulldisclosure/2016/Mar/25

I was also very interested in those switches for the very same reason that
Frans is.  Honestly, if you are looking for an inexpensive gigabit switch
with VLAN capability you want something used...

For instance the Dell PowerConnect 5324 can be had on the US eBay for
something like $55.00.  This is a 24  The only effort you should make is to
reflash any switch you purchase with the latest firmware.  Which is why I
avoid some Cisco products, because some of the firmware is paywalled.

The eight port variant is the Dell PowerConnect 2808.  Just because it is
half the size does not mean it is half the price, but looking right now on
eBay they are around $55.

I have used both of these switches.  The only limitation I could find on
the 2808 is that you cannot change what VLAN the web interface is on; I
ended up solving that with a short cable from port to port on the same
switch, one port with the default VLAN in Access and the other with the VLAN
that I wanted it on in Access.

I do not know if v3 has the same vulnerabilities that are talked about in
the links that I provided.  They look like serious issues that have not
been fixed yet.

On Tue, May 3, 2016 at 5:47 AM, Philipp Tölke  wrote:

> A Netgear ProSafe GS-108E (or 105E) is reasonably cheap (~$50) and
> manageable; try to get version 3, it has a web interface. Version 2 is
> only configurable using Windows software.
>
>
> > -Original Message-
> > From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Frans
> > Meulenbroeks
> > Sent: 3 May, 2016 10:39
> > To: list@lists.pfsense.org
> > Subject: Re: [pfSense] USB3 to ethernet adaptor
> >
> > Thanks for all the replies on the USB adapter
> >
> > I know VLANs would work but unfortunately my switches are unmanaged (this
> > is a home setup).
> >
> > Reason for asking is that I want to install on an Intel NUC. This one only
> > has one physical network interface. I'm running VMware ESX on it and on top
> > of that a VM with pfSense with two virtual NICs, one for WAN, one for LAN.
> >
> > This works, I can bridge the cable modem to the WAN interface. However the
> > LAN then is on the same physical interface. I would prefer to split that,
> > hence my question.
> >
> > (or of course I could use other hardware than this NUC; I'm open to
> > suggestions as long as they are affordable for a home user and low power).
> >
> > Best regards, Frans
>

Re: [pfSense] USB3 to ethernet adaptor

2016-05-03 Thread WebDawg
I hate when people push other options, but if you do invest some time and
money into VLANs it will pay off.  You could give that Intel NUC so many
more interfaces than just two.

If you want to try USB stuff check here:

https://www.freebsd.org/releases/10.3R/hardware.html#usb

Click the "[amd64, i386, ia64, pc98] USB Ethernet adapters can be found in
the section listing Ethernet interfaces."

ASIX Electronics AX88178A/AX88179 USB Gigabit Ethernet adapters (axge(4)
driver)

You would want USB 3.0 support if you want to support Gigabit speeds.  I
never got to get that far into USB testing.

The last time I tried messing with USB adapters they kept falling out of
the system and were unstable.

The only other thing that I do not know is if the USB drivers from FreeBSD
10.3 are even on pfSense...there has been talk about missing kernel modules
for some devices, so support for a certain device may not be there.

On Tue, May 3, 2016 at 3:39 AM, Frans Meulenbroeks <
fransmeulenbro...@gmail.com> wrote:

> Thanks for all the replies on the USB adapter
>
> I know VLANs would work but unfortunately my switches are unmanaged (this
> is a home setup).
>
> Reason for asking is that I want to install on an Intel NUC. This one only
> has one physical network interface. I'm running VMware ESX on it and on top
> of that a VM with pfSense with two virtual NICs, one for WAN, one for LAN.
>
> This works, I can bridge the cable modem to the WAN interface. However the
> LAN then is on the same physical interface. I would prefer to split that,
> hence my question.
>
> (or of course I could use other hardware than this NUC; I'm open to
> suggestions as long as they are affordable for a home user and low power).
>
> Best regards, Frans
>


Re: [pfSense] pfsense on watchguard XTM 810

2016-05-03 Thread WebDawg
On Tue, May 3, 2016 at 2:08 AM, Eero Volotinen 
wrote:

> Hi,
>
> Does anyone have instructions on how to install pfSense on a WatchGuard XTM 810?
> Which image is required? Is a console cable required? What type of console
> cable is needed?
>
> --
> Eero
>


https://doc.pfsense.org/index.php/PfSense_on_Watchguard_Firebox
https://forum.pfsense.org/index.php?topic=61970.0


Re: [pfSense] PFSense breaks TCP-Sessions

2016-05-03 Thread WebDawg
Did you try ipv6 inside the tunnel also?

On Tue, May 3, 2016 at 1:56 PM, Jens Kühnel 
wrote:

> Am 01.05.2016 um 18:29 schrieb WebDawg:
> >
> > Did you increase the verbosity of OpenVPN logging and see what OpenVPN
> > is reporting?  Can you?  Pastebin?
> Hi,
>
> Here I run it with verb 4 on both sides. But nothing fancy is shown.
>
> The output can be found here:
>
> https://paste.fedoraproject.org/362219/46229582/
>
>
> Thanks for the help.
> CU
> Jens
>
>

Re: [pfSense] USB3 to ethernet adaptor

2016-05-06 Thread WebDawg
What USB adapter were you using?

On Thu, May 5, 2016 at 5:09 PM, Sean Pohl  wrote:
> As a general note, I have had trouble with them if I run the adapter through a
> USB3 hub and then connect to an Ethernet cable.  The system would periodically
> kernel panic and once I plugged it directly into the USB3 slot on the box, then
> the problems went away.
>


Re: [pfSense] pfSense 2.3_1 ntpd isn't restarting

2016-05-06 Thread WebDawg
Anything in the logs?

On Fri, May 6, 2016 at 3:42 PM, J. Echter
 wrote:
> Hi,
>
> I did the 2.3_1 update and all seemed fine, but my ntpd service isn't
> coming back up.
>
> I even rebooted the machine and it still doesn't start.
>
> There's also nothing in the logs.
>
> sockstat -l | grep 123 shows nothing.
>
> Where is the ntpd binary located? I found nothing.
>
> Where should I look next?
>
> Thanks
>
> Juergen


Re: [pfSense] pfSense 2.3_1 ntpd isn't restarting

2016-05-06 Thread WebDawg
I would try running ntpd from shell and see what happens.

On Fri, May 6, 2016 at 3:45 PM, J. Echter
 wrote:
> Am 06.05.2016 um 22:43 schrieb WebDawg:
>> Anything in the logs?
>>
>> On Fri, May 6, 2016 at 3:42 PM, J. Echter
>>  wrote:
>>> Hi,
>>>
>>> i did the 2.3_1 update and all seemed fine, but my ntpd service isn't
>>> coming back up.
>>>
>>> I even rebooted the machine and it still doesn't start.
>>>
>>> There's also nothing in the logs.
>>>
>>> sockstat -l | grep 123 shows nothing.
>>>
>>> Where is the ntpd binary located? I found nothing.
>>>
>>> Where should I look at next?
>>>
>>> Thanks
>>>
>>> Juergen
>>
>
> No, there's nothing, only the GUI says ntpd is restarted, nothing else.
>
>


[pfSense] Fwd: [Openvpn-announce] New OpenVPN 2.3.10 Windows installers (I604/I003) released

2016-05-09 Thread WebDawg
How do we get an update for the export util?


-- Forwarded message --
From: Samuli Seppänen 
Date: Wed, May 4, 2016 at 4:02 AM
Subject: [Openvpn-announce] New OpenVPN 2.3.10 Windows installers
(I604/I003) released
To: "openvpn-de...@lists.sourceforge.net"
,
openvpn-us...@lists.sourceforge.net,
openvpn-annou...@lists.sourceforge.net


Hi all,

New OpenVPN Windows installers have been released. The I003 and I604
installers bundle OpenSSL 1.0.1t which fixes some security
vulnerabilities. The I604 installers also bundle a new tap-windows6
driver (9.21.2) which has dual authenticode signatures (SHA1/SHA2) for
the best possible compatibility across Windows versions (Vista ->
Windows 10). In addition, the 9.21.2 driver fixes a security
vulnerability which, however, required local admin rights to be
exploitable. OpenVPN-GUI has also seen minor changes.

Best regards,

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock

___
Openvpn-announce mailing list
openvpn-annou...@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-announce

Re: [pfSense] Aggregated WAN traffic

2016-05-10 Thread WebDawg
On Tue, May 10, 2016 at 9:29 AM, FrancisM  wrote:
> On Tuesday, 10 May 2016, Vick Khera  wrote:
>
>> On Tue, May 10, 2016 at 9:45 AM, Randy Morgan > > wrote:
>>
>> > Having said that there is some question in my mind as to how this
>> actually
>> > works.  Some of what I read indicates that the aggregation actually
>> causes
>> > the LAGG port to, effectively, operate on QOS functionality, meaning that
>> > it cycles between the two links based on available bandwidth.
>> >
>>
>> From my understanding, a single connection will not use both links, but
>> multiple connections will be load balanced among them. Thus, don't expect a
>> single file download to be able to use all 20Mbps of the bandwidth.
>>
>
> Does this mean if I'm doing concurrent downloads in torrent the two links
> will both be active in use because it uses multiple connections to
> different destinations?
>
> I'm eager to test this feature, however I do not have time yet to rewire my
> network to connect in my VM pfSense v2.3; maybe this weekend I will try it.
> ___


You can bond two connections together.  This is a layer 2 thing though
and some have tried over OpenVPN TAP (layer 2) connections.  Bonding
requires two equal connections and the OpenVPN way I describe adds
overhead, how much I have never been able to calculate.  Layer 2
Bonding also is not meant to handle connection lag too well.

I think some DSL providers can bond modems at their level but a lot of
ISPs are useless.

Remember bonding is Layer 2.

If I remember correctly LAGG does not combine connections ever.  If
you have a LAGG trunk with 4 connections then it does not bond them
together, instead it uses them as a fail over and to do 4 different
connections between PORTs at once.  I am not even sure that it
monitors speed and it is usually part of a switching topology.

The only way QOS will speed anything up is if you use it to eliminate
bufferbloat.  If an ISP is using QOS upstream it allows you to control
the QOS.  The big part with QOS is that if you get it to the point
where you are in control of your connection you can control what
protocols take priority (VOIP, HTTPS, etc, based on layer 3 (ports,
tcp, udp, not layer 7) and you can also control your ACKs.

I have a site with a variable speed connection and I have huge issues
with connection overload.  I cannot do anything about it because it is
a variable speed connection.  I cannot tell pfSense to measure the
current speed somehow.  Some consumer routers have this functionality
but I do not know how well it works.  Usually the only thing that you
can do in this situation is put your connection at its lowest setting
and control the connection from there.  The problem with this is that
the connection will always be this lowest speed.

Your best bet for torrents on two connections may be to try and use
the power of the protocol.  Try a layer 3 round robin setup.  This
sometimes does not work with https sites because they track which IP
the connection is coming from so if you connect via 1 ip address to a
https site and then take the same session from a second ip then the
webserver will log you out.  There is a setting for sticky https
connections somewhere to avoid this.

But with torrents this should be different.  I do not know how the
reporting of your local connectable host and port would work though.
That is, people connecting to you to get data from you or to you
(NAT routed port in) but your connections out should be round robin-ed
at layer three like every other layer 3 protocol.  Connection speed
may not be distributed evenly across both connections because it round
robins them, not measuring how saturated a link is and using the less
saturated link.  This also may not matter with torrents though because
the way the p2p protocol works with enough available connections it is
just going to connect and connect out and eventually, with enough
time, the client server data model that is present should saturate
both of those links.

It will saturate though and your connection will hardly work (except
for the active torrents) because the torrents are saturating that
link.  The only way you can fix this is by limiting all torrent
traffic on the router by some creative QOS.

That is, if you know that your down speed is 10mbit...set QOS at 9.5
mbit, test for bufferbloat (there are some tests here:
https://www.internetsociety.org/blog/tech-matters/2015/04/measure-your-bufferbloat-new-browser-based-tool-dslreports
) and verify that you are not in control of your connection and then
set up some rules to only allow p2p protocols to take up X amount of
BW.


Good luck.

Re: [pfSense] Aggregated WAN traffic

2016-05-10 Thread WebDawg
On Tue, May 10, 2016 at 12:14 PM, WebDawg  wrote:
> On Tue, May 10, 2016 at 9:29 AM, FrancisM  wrote:
>> On Tuesday, 10 May 2016, Vick Khera  wrote:
>>
>>> On Tue, May 10, 2016 at 9:45 AM, Randy Morgan >> > wrote:
>>>
>>> > Having said that there is some question in my mind as to how this
>>> actually
>>> > works.  Some of what I read indicates that the aggregation actually
>>> causes
>>> > the LAGG port to, effectively, operate on QOS functionality, meaning that
>>> > it cycles between the two links based on available bandwidth.
>>> >
>>>
>>> From my understanding, a single connection will not use both links, but
>>> multiple connections will be load balanced among them. Thus, don't expect a
>>> single file download to be able to use all 20Mbps of the bandwidth.
>>> ___
>>> pfSense mailing list
>>> https://lists.pfsense.org/mailman/listinfo/list
>>> Support the project with Gold! https://pfsense.org/gold
>>>
>>
>> Does this mean if I'm doing concurrent downloads in torrent the two links
>> will both be active in use because it uses multiple connections to
>> different destinations?
>>
>> I'm eager to test this feature, however I do not have time yet to rewire my
>> network to connect in my VM pfSense v2.3; maybe this weekend I will try it.
>> ___
>
>
> You can bond two connections together.  This is a layer 2 thing though
> and some have tried over OpenVPN TAP (layer 2) connections.  Bonding
> requires two equal connections and the OpenVPN way I describe adds
> overhead, how much I have never been able to calculate.  Layer 2
> Bonding also is not meant to handle connection lag too well.
>
> I think some DSL providers can bond modems at their level but a lot of
> ISPs are useless.
>
> Remember bonding is Layer 2.
>
> If I remember correctly LAGG does not combine connections ever.  If
> you have a LAGG trunk with 4 connections then it does not bond them
> together, instead it uses them as a fail over and to do 4 different
> connections between PORTs at once.  I am not even sure that it
> monitors speed and it is usually part of a switching topology.
>
> The only way QOS will speed anything up is if you use it to eliminate
> bufferbloat.  If an ISP is using QOS upstream it allows you to control
> the QOS.  The big part with QOS is that if you get it to the point
> where you are in control of your connection you can control what
> protocols take priority (VOIP, HTTPS, etc, based on layer 3 (ports,
> tcp, udp, not layer 7) and you can also control your ACKs.
>
> I have a site with a variable speed connection and I have huge issues
> with connection overload.  I cannot do anything about it because it is
> a variable speed connection.  I cannot tell pfSense to measure the
> current speed somehow.  Some consumer routers have this functionality
> but I do not know how well it works.  Usually the only thing that you
> can do in this situation is put your connection at its lowest setting
> and control the connection from there.  The problem with this is that
> the connection will always be this lowest speed.
>
> Your best bet for torrents on two connections may be to try and use
> the power of the protocol.  Try a layer 3 round robin setup.  This
> sometimes does not work with https sites because they track which IP
> the connection is coming from so if you connect via 1 ip address to a
> https site and then take the same session from a second ip then the
> webserver will log you out.  There is a setting for sticky https
> connections somewhere to avoid this.
>
> But with torrents this should be different.  I do not know how the
> reporting of your local connectable host and port would work though.
> That is, people connecting to you to get data from you or to you
> (NAT routed port in) but your connections out should be round robin-ed
> at layer three like every other layer 3 protocol.  Connection speed
> may not be distributed evenly across both connections because it round
> robins them, not measuring how saturated a link is and using the less
> saturated link.  This also may not matter with torrents though because
> the way the p2p protocol works with enough available connections it is
> just going to connect and connect out and eventually, with enough
> time, the client server data model that is present should saturate
> both of those links.
>
> It will saturate though and your connection will hardly work (except
> for the active torrents) because the torrents are saturating that
> link.  The only way you can f

Re: [pfSense] Limiters on LAN, WAN

2016-05-12 Thread WebDawg
On Thu, May 12, 2016 at 11:52 AM, Steve Yates  wrote:
> A question on where to set up a limiter...if it is set on a LAN rule 
> and has in/out limiters set, will the limiter only apply to outbound traffic 
> matching the rule (from __ to any)?  Or would that match, say, the response 
> to an outbound HTTP request?  Up until now I've only had occasion to use a 
> limiter on a LAN upload.
>
> I did see the known issue that limiters don't currently work on 
> NATted interfaces so don't have them set up on the WAN side.
>
> Thanks,
>
> Steve Yates
> ITS, Inc.
>
> ___


Normal firewall rules are only ingress; they can check source and dest
from a packet coming in to the interface.

I limit both upload and download of clients.

Limiters:

UPLOAD:
Some Limit Set
Mask:  Source Address
Bits:  32 and 128

DOWNLOAD:
Some Limit Set
Mask:  Destination Address
Bits:  32 and 128

pfsense firewall rule:
Pass some source address
Advanced Settings:
In / Out pipe:
UPLOAD FIRST
DOWNLOAD SECOND

It would take matched traffic from a firewall rule and put it in
the limiter.  I have not tried using egress rules but with the any
directive all traffic to and from the system gets limited.


Re: [pfSense] Limiters on LAN, WAN

2016-05-12 Thread WebDawg
On Thu, May 12, 2016 at 1:11 PM, Steve Yates  wrote:
> I have the limiters configured as you show.  But are you saying you would 
> normally set your limiter on rules on both the LAN and WAN?  Basically, I 
> should set it on LAN for now and when the bug is fixed set it on WAN also?
>
> --
>
> Steve Yates
> ITS, Inc.

No, I only set a limiter on LAN to match the host that I want to
limit.  I did not know if you were talking about matching outgoing
traffic from all hosts.  It would be a bit different I think.


Re: [pfSense] Limiters on LAN, WAN

2016-05-12 Thread WebDawg
On Thu, May 12, 2016 at 1:42 PM, Steve Yates  wrote:
> To explain my need it's for limiting traffic for several tenants of 
> an office building, so each gets up to "n" amount of bandwidth.  Each has a 
> static IP and their own router.
>
> Maybe I was just overthinking it.  Having a limiter on the WAN side 
> would therefore limit the connection if a tenant was, let's say, hosting a 
> web server and a remote user uploaded a file into the building.
>
> --
>
> Steve Yates
> ITS, Inc.
>

I understand what you are talking about.  See I do not let any traffic in...

Are you running the firewall transparent then?


Re: [pfSense] Limiters on LAN, WAN

2016-05-12 Thread WebDawg
I think you would have a solution with placing an overall limiter on
the WAN side with the dest as the public IP.  I do not do 1:1 NAT
but this would be my first guess.

Since you use NAT and private IPs that could be handled by LAN rules I
would think.

On Thu, May 12, 2016 at 2:46 PM, Steve Yates  wrote:
> No we're actually using NAT and private IPs inside the building.  We use 1:1 
> NAT if a tenant needs a public IP.
>
> --
>
> Steve Yates
> ITS, Inc.
>
> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of WebDawg
> Sent: Thursday, May 12, 2016 2:38 PM
> To: pfSense Support and Discussion Mailing List 
> Subject: Re: [pfSense] Limiters on LAN, WAN
>
> On Thu, May 12, 2016 at 1:42 PM, Steve Yates  wrote:
>> To explain my need it's for limiting traffic for several tenants of 
>> an office building, so each gets up to "n" amount of bandwidth.  Each has a 
>> static IP and their own router.
>>
>> Maybe I was just overthinking it.  Having a limiter on the WAN side 
>> would therefore limit the connection if a tenant was, let's say, hosting a 
>> web server and a remote user uploaded a file into the building.
>>
>> --
>>
>> Steve Yates
>> ITS, Inc.
>>
>
> I understand what you are talking about.  See I do not let any traffic in...
>
> Are you running the firewall transparent then?


Re: [pfSense] What might be throttling my wireless?

2016-05-15 Thread WebDawg
So much information and I still do not think we know enough!

Do you have a UniFi controller installed somewhere?  Are the units
upgraded fully?  Are you using VLAN networks on the UniFi devices to
do more than one network?

You could start by not doing the internet speed test first.  I would
go from UniFi to the closest server first...something on the same UniFi
network (like the management server) and do an iperf test as suggested
to that.

I would then move closer and closer to the outside of your internal
network and test all connection points utilizing iperf the entire time.



On Sun, May 15, 2016 at 3:08 PM, Ryan Coleman  wrote:
> I have a bit of an odd setup, but it is working thus far.
>
> I have fiber -> GbE service from USInternet in Minneapolis
>
> That goes into my 28-port GbE managed switch.
>
> That is VLAN'd for safety and feeds my SuperMicro ESXi box (not the 
> FiberVLAN) and my SuperMicro 1U firewall (FiberVLAN) which then feeds back 
> into the switch for servicing the ESXi and LAN.
>
> I get speed tests from Windows 7 through the default/global VLAN of 600x300 
> (below rated but not the worry right now) from my management PC - this is my 
> benchmark test location.
>
> I have a pfSense VM running that is routing through the real pfSense server 
> and is getting the rated speed through the firewall on the VLAN. When I 
> isolate a PC VM to the VLAN601/602 networks it gets speeds similar to that of 
> the Management PC (different computer).
>
> For radios I have just installed Ubiquiti UniFi AC LITEs (just installed). 
> They are the ones giving between 30mbps and 60mbps rated performance. This is 
> well below 50% of their link speed (1000mbps), and about 10% of the confirmed 
> throughput speed from both the isolated VM.
>
> Items of note:
> • They are linked to the switch at 1000mbps
> • There is no listed throttling on them
> • TrendNET 653APs I had before (100mbps links) were similarly 
> underperforming HOWEVER I attributed that to 300mbps wireless over 100mbps 
> wired connections.
>
> I'm a little lost on where I might have a hangup. I have to go the 
> double-firewall route for sanity purposes.
>
> If I was having issues solely in the second firewall then I might have an 
> idea as to what is going on but instead I'm flabbergasted. I'd like to tell 
> the customer that it's OK to start pushing customers over to the new network 
> but without this piece working at the speed I am attempting to provide it's 
> proving difficult.
>
> Thoughts?

Re: [pfSense] IPv6 with Comcast and two pfSense - invalid prefix length, XID mismatch

2016-05-20 Thread WebDawg
On Wed, May 18, 2016 at 6:14 PM, Steve Yates  wrote:

> We have an application with a Comcast-provided SMC router and two pfSense
> routers (Comcast <- building <- tenant).  The building router (v2.3.0) gets
> an IPv6 address and can ping out.  However in its DHCP logs I see:
>
> dhcp6c  invalid prefix length 64 + 4 + 64
> dhcp6c  XID mismatch (several of these)
>
> Am I correct that "invalid prefix length" means the Comcast router isn't
> delegating a /60 properly?  I have it set:
>
> DHCPv6 Prefix Delegation size   60
> Send IPv6 prefix hint   checked
>
> If I ask for a /56 I get "invalid prefix length 64 + 8 + 64."
>
> My second question was going to be about getting IPv6 to the PCs inside
> the tenant router but unless I'm mistaken I need a couple more /64 networks
> for that (what a waste of IPs...I know there's a lot but still...).
>
> Thanks,
>
> Steve Yates
> ITS, Inc.
>
> ___
>
>
Am I correct to assume that you are putting this device in bridge mode?
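An added helper, written here and not part of this thread or of pfSense, that parses the dhcp6c message quoted above and states what it implies. It assumes dhcp6c logs the three terms as delegated prefix length, subnet (SLA) length and interface-ID length and complains when they sum to more than 128; that pfSense sets the SLA length to 64 minus the requested delegation size is an assumption consistent with the /60 -> "+ 4" and /56 -> "+ 8" pairs in the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines, modelled on the two dhcp6c messages quoted in the
# thread (timestamps, host name and PID are made up).
SAMPLE_LOG = """\
May 18 17:55:01 building dhcp6c[51234]: invalid prefix length 64 + 4 + 64
May 18 17:55:01 building dhcp6c[51234]: XID mismatch
May 18 17:56:10 building dhcp6c[51234]: invalid prefix length 64 + 8 + 64
"""

# dhcp6c prints the three terms it added up; the sum must not exceed 128 bits
# (assumption: delegated prefix length + SLA length + interface-ID length).
LINE_RE = re.compile(r"invalid prefix length (\d+) \+ (\d+) \+ (\d+)")

IPV6_BITS = 128
SUBNET_BITS = 64  # each LAN subnet carved out of the delegation is a /64


@dataclass
class PdDiagnosis:
    delegated_plen: int  # prefix length the upstream actually handed out
    sla_len: int         # subnet-ID bits dhcp6c wants to carve out of it
    ifid_len: int        # interface-ID bits (64 for a normal /64 LAN)

    @property
    def requested_plen(self) -> int:
        # Assumption: pfSense asks for a delegation of 64 - sla_len bits,
        # i.e. /60 -> SLA 4 and /56 -> SLA 8, as in the two quoted messages.
        return SUBNET_BITS - self.sla_len

    @property
    def total_bits(self) -> int:
        return self.delegated_plen + self.sla_len + self.ifid_len

    @property
    def fits(self) -> bool:
        return self.total_bits <= IPV6_BITS

    @property
    def upstream_short_by_bits(self) -> int:
        # How many bits narrower the delegation is than what was requested.
        return max(0, self.delegated_plen - self.requested_plen)


def parse_invalid_prefix_length(line: str) -> Optional[PdDiagnosis]:
    """Return a diagnosis for an 'invalid prefix length' line, else None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    plen, sla, ifid = (int(g) for g in m.groups())
    return PdDiagnosis(plen, sla, ifid)


def diagnose_log(text: str) -> List[PdDiagnosis]:
    """Extract every prefix-length complaint from a block of dhcp6c log text."""
    found = (parse_invalid_prefix_length(line) for line in text.splitlines())
    return [d for d in found if d is not None]


def explain(d: PdDiagnosis) -> str:
    """Turn the raw numbers into the statement an operator wants to read."""
    arithmetic = f"{d.delegated_plen} + {d.sla_len} + {d.ifid_len} = {d.total_bits}"
    if d.fits:
        return f"/{d.delegated_plen} delegation fits ({arithmetic} <= {IPV6_BITS})"
    return (
        f"requested a /{d.requested_plen} but the upstream delegated a "
        f"/{d.delegated_plen} ({d.upstream_short_by_bits} bits too narrow): "
        f"{arithmetic} > {IPV6_BITS}, so no /{SUBNET_BITS} subnet can be carved out"
    )


def would_fit(delegated_plen: int, requested_plen: int) -> bool:
    """What the same check would say if the upstream delegated `delegated_plen`."""
    return PdDiagnosis(delegated_plen, SUBNET_BITS - requested_plen, SUBNET_BITS).fits


if __name__ == "__main__":
    for diag in diagnose_log(SAMPLE_LOG):
        print(explain(diag))
```

Run against the constructed log it reports that a /60 was requested but a /64 arrived, which is the question the original post asks.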


Re: [pfSense] IPv6 with Comcast and two pfSense - invalid prefix length, XID mismatch

2016-05-20 Thread WebDawg
On Fri, May 20, 2016 at 11:06 AM, Moshe Katz  wrote:

> If you have static IPs from Comcast, you cannot put the device in bridge
> mode. The way that Comcast static IPs work is that your Comcast device
> advertises itself to the rest of Comcast's network as the route to your
> static addresses. In effect, just pretend that this Comcast device is in
> Comcast's central office and that you can't change anything about it.
>
> Moshe
>

Wow.

No wonder there are issues.  I have only seen a few good modems as of late
from any cable provider.

Are there people having the same issues with the newer Arris Cable Modem?
I see the responses in the thread, will they issue static ip addresses with
just modems/Arris?

Really, they will not let you bring your own device with a compatible Arris
modem?

I hate the all in one devices that they give out.  I had issues with one
until I put it into bridge mode.  It would not NAT correctly.

At another location, I demanded a modem.  I was paying for their fastest
internet 100M down at the time and there was no way I was going to add all
that overhead to the connection and depend on garbage firmware.


Re: [pfSense] IPv6 with Comcast and two pfSense - invalid prefix length, XID mismatch

2016-05-20 Thread WebDawg
On Fri, May 20, 2016 at 1:31 PM, Moshe Katz  wrote:

> On Fri, May 20, 2016 at 12:19 PM, WebDawg  wrote:
>
> > On Fri, May 20, 2016 at 11:06 AM, Moshe Katz 
> wrote:
>
> They will not let you bring your own modem if you have a static IP.
>
> I wrote the last message on my tablet, so I had to keep it short, but I can
> explain further now.
>
> Basically, when you get static IPs from Comcast, they do not want to set up
> the routing for them upstream in the central office (like most other ISPs
> would do).
> Instead, they assign your "Business IP Gateway" device (which is a
> modem/router/firewall combination) a dynamic IP that is in the same block
> of IPs that the entire rest of your neighborhood has.  After the Business
> IP Gateway has received its dynamic address, it advertises itself (I
> believe using RIP) as the next hop to the IP addresses that have been
> allocated to you.
>
> Additionally, the Gateway runs a DHCP server in the 10.x.x.x range. Any
> computer on your network that requests an address on DHCP will receive a
> private address from the Gateway and the Gateway will perform NAT.
>
> In effect, this allows you to have your public addresses and private
> addresses on a single connection to the Internet, with the public addresses
> routed and the private addresses NAT'ed.
>
> To make a long story short, not only will Comcast not allow you to use a
> simple Arris Surfboard modem for static IPs, the way their system is set up
> would not even work if you tried to use a plain modem, because your modem
> wouldn't be able to claim the addresses.
> In theory, Comcast could just allow you to set up your own RIP
> advertisements from your own hardware. I'm guessing that the reason they
> don't want to do that is because they'd rather have full control.
>
> Moshe
>
> --
> Moshe Katz
> -- mo...@ymkatz.net
> -- +1(301)867-3732
>
>
Hmm,

That would be the solution then?  Setup RIP.  Has anyone asked?


Re: [pfSense] Update 2.3_1 to 2.3.1 failed

2016-05-24 Thread WebDawg
On Tue, May 24, 2016 at 11:34 AM, Chris Buechler  wrote:

> On Tue, May 24, 2016 at 5:33 AM, OSN | Marian Fischer  wrote:
> > Hi list,
> >
> > when I try to update one carp member from 2.3_1 to the latest update
> (2.3.1) it fails after
> >
> > # snip
> > Updating pfSense-core repository catalogue...
> > Unable to update repository pfSense-core
> > Updating pfSense repository catalogue...
> > # snip
> >
> > the other member did the update well. Both are running on 4GB CF nano
> install.
> >
> > any solution out there?
>
> Diag>NanoBSD, set to permanent rw, and reboot for good measure. It work
> then?
> ___
>


I have a few pfSense devices that I purchased, do I need to set permanent
rw on them for 2.3.1?


Re: [pfSense] Update 2.3_1 to 2.3.1 failed

2016-05-24 Thread WebDawg
On Tue, May 24, 2016 at 2:18 PM, Chris Buechler  wrote:

> On Tue, May 24, 2016 at 1:28 PM, WebDawg  wrote:
> > On Tue, May 24, 2016 at 11:34 AM, Chris Buechler 
> wrote:
> >
> >> On Tue, May 24, 2016 at 5:33 AM, OSN | Marian Fischer 
> wrote:
> >> > Hi list,
> >> >
> >> > when I try to update one carp member from 2.3_1 to the latest update
> >> (2.3.1) it fails after
> >> >
> >> > # snip
> >> > Updating pfSense-core repository catalogue...
> >> > Unable to update repository pfSense-core
> >> > Updating pfSense repository catalogue...
> >> > # snip
> >> >
> >> > the other member did the update well. Both are running on 4GB CF nano
> >> install.
> >> >
> >> > any solution out there?
> >>
> >> Diag>NanoBSD, set to permanent rw, and reboot for good measure. It work
> >> then?
> >> ___
> >>
> >
> >
> > I have a few pfSense devices that I purchased, do I need to set permanent
> > rw on them for 2.3.1?
>
> If you have problems with them, yes. Once upgraded to 2.3.1, they'll
> be set permanent rw with no option to go ro.
>


So if I already have them up to 2.3.1, I am fine.


Re: [pfSense] How to manually update 2.3 onwards?

2016-05-25 Thread WebDawg
On Wed, May 25, 2016 at 4:18 AM, Wue Bob 
wrote:

>
> On 24/05/16 15:08, Pete Boyd wrote:
> > I see the release notes say "Removed "full update" or "full slice"
> > upgrade for systems on 2.3 to later versions" - is this what I am seeing?
> >
> > How do I manually update pfSense now please?
>
> Good question. Upgrade images are still available so there must be some
> way, I suppose. But I haven't found out either.
>
> Upgrading via shell [
> https://doc.pfsense.org/index.php/Upgrading_via_Shell_(old) ] does no
> longer seem to work either.
>
> So I would be glad to get some hints, too. Direct updates from
> pfsense.org may not be suitable in some managed corporate environments.
>
> Regards,
> Bob
> ___
>
>
Is there any way to clone the repo and change the repo to the local one?


Re: [pfSense] USB3 to ethernet adaptor

2016-05-25 Thread WebDawg
On Mon, May 2, 2016 at 1:56 AM, Frans Meulenbroeks <
fransmeulenbro...@gmail.com> wrote:

> Hi,
>
> Has anyone experience using USB3 to ethernet adapters ? I need an extra
> interface but my HW (Intel NUC) does not have room for another card.
> Anything recommendable?
>
> Best regards, Frans.
>


https://redmine.pfsense.org/issues/4494

Might work better now.  Someone needs to test.  Every time I test I am let
down :/


Re: [pfSense] USB3 to ethernet adaptor

2016-05-26 Thread WebDawg
On Thu, May 26, 2016 at 11:14 AM, RB  wrote:

> On Wed, May 25, 2016 at 6:25 PM, Volker Kuhlmann
> > I disagree. While it'll work, its security is nowhere near the same. It
> > depends on the VLAN switch's firmware being bugfree (we all know about
> > how likely that is), it adds complexity, and it mixes physically
> > separate networks together on one cable. Perhaps it might be acceptable
> > to merge networks of the same security level, merging LAN and WAN
> > networks doesn't sound like a good idea to me.
>
> Entertain me, it's been literally a decade since I last saw someone
> imply that switch VLAN implementations were generally of dubious
> nature.  Can you perhaps point me to a recent VLAN-crossing
> vulnerability, or documented VLAN crosstalk?  We all know about the
> old CAM table overflows, but that's been long fixed.
> ___
>


I posted this a while ago:


http://seclists.org/fulldisclosure/2016/Jan/77

http://seclists.org/fulldisclosure/2016/Mar/25

I love VLANs, I use the heck out of them but I cannot wait until we get
more and more into software switching and it becomes a reality that my
switch firmware is open-source.

Also, just because a vulnerability has not been reported or discovered,
does not mean it does not exist.


Re: [pfSense] How to manually update 2.3 onwards?

2016-05-30 Thread WebDawg
On Wed, May 25, 2016 at 2:00 PM, Chris Buechler  wrote:

> On Tue, May 24, 2016 at 8:08 AM, Pete Boyd 
> wrote:
> > I have a pfSense 2.3.0_1 which has had an issue connecting to
> > pfsense.com to check for updates for years. That's not the issue, as far
> > as I believe. Perhaps its LAN and WAN are mistakenly the wrong way
> > around. It routes between two LANs. Anyway I always update it manually
> > by downloading a tgz file.
> >
> > With 2.3.0_1 it appears to offer no means of manually updating, giving
> > these error messages on the System > Update screen [1].
> > I see the release notes say "Removed "full update" or "full slice"
> > upgrade for systems on 2.3 to later versions" - is this what I am seeing?
> >
> > How do I manually update pfSense now please?
> >
>
> There currently is no means of doing so, the system must be online.
>
> The errors from pkg you posted make it seem like the box is behind a
> captive portal maybe, so it's fetching a portal page rather than the
> pkg files.
> ___
>
>
Is there any way to clone the pfSense pkg repo?


Re: [pfSense] pfSense store router positioning

2016-06-05 Thread WebDawg
On Sun, Jun 5, 2016 at 11:25 AM, Walter Parker  wrote:

> Hi,
>
> I've been doing a bit of remodeling in the household and I noticed an
> interesting issue with the temperature of the router (an SG-2220). If I
> put the router flat, it heated up to 53 Celsius (9AM mid 70's Fahrenheit
> room temp). When I turned the router on its side, it dropped from 53 to 46
> in 20 minutes and if the last experiment holds it should level out at 41.
>
> Have other people seen the temp on the router higher when it is flat than
> when it is on the side?
>
>
> Walter
>
> --
> The greatest dangers to liberty lurk in insidious encroachment by men of
> zeal, well-meaning but without understanding.   -- Justice Louis D.
> Brandeis
> ___

ooo

That is interesting, I want some decompression testing done next.


Re: [pfSense] USB3 to ethernet adaptor

2016-06-06 Thread WebDawg
On Mon, Jun 6, 2016 at 9:00 AM, RB  wrote:
>
> On Sun, Jun 5, 2016 at 7:02 PM, Volker Kuhlmann
>  > This is a laughable argument!
>
> I'm not here to argue, you are.  More specifically, you're here to
> press your personal point for open switch firmware.  Your paranoia,
> it's showing.



All of this arguing aside and all of these points made, I still cannot wait
until there is nothing stopping me from examining the code that runs on my
switches.  I know some of this is off topic but I am going to post this
anyways:


j...@netgate.com wrote:

"Open Source is more about sharing than security."

Open source is way more than both of these topics, but even in the sentence
that you wrote, you agree that it could be a little bit of both.  It
seems like groups are moving towards openness in general and it is going to
be really cool when I can cheaply take something like Open vSwitch, some
hardware, and an open vSwitch accelerator (
http://www.6wind.com/products/6wind-virtual-accelerator/) and forget about
Cisco, Juniper and the lot.

It sucks, it really does.  I would think Open Source is more about lowering
the entry level for any topic.  It is easier to audit if you need it
secure, it is easier to work with when you need to share it or bits and pieces
of it, etc.

When I was a child I wanted something like the raspberry pi so very bad, or
an Arduino.  The closest thing I could find in my environment at the time
was about $400+ and the programming software was very proprietary, the
device was limited in its capabilities, it was closer to SCADA.

I do not think anyone here wants to argue Some Company vs OpenSource; when
you look at the fabric switches that Cisco and other companies offer it is
obvious how money can motivate a company/organization to build new tech.
But then take a look at something like the Raspberry Pi and see where it is
and what it is doing.  Part of OpenSource is removing the grip the
companies have on these technologies and giving it away; this especially
helps when you live in an environment where the bar for getting things that
are not OpenSource is high for whatever reasons.

On Sun, Jun 5, 2016 at 7:02 PM, Volker Kuhlmann wrote:

Your paranoia, it's showing.

"Paranoia is a thought process believed to be heavily influenced by anxiety
or fear, often to the point of delusion and irrationality."

If you believe there are not malicious actors trying to influence and hack
technologies for their own benefit, I do not know what to say, but someone
not trusting some software does not sound all that crazy.


[pfSense] unbound DNS and pfSense failover

2016-06-06 Thread WebDawg
I am trying to figure out how to make unbound stop using my DNS server that
is on my backup internet.  I never want it to hit it ever unless the main
WAN goes down.

So the DNS forwarder can do this:

Query DNS servers sequentially: If this option is set, pfSense DNS Forwarder
(dnsmasq) will query the DNS servers sequentially in the order specified
(*System - General Setup - DNS Servers*), rather than all at once in parallel.

If I used the forwarder instead of the resolver, this might help, it should
get results from my two WAN DNS servers first.

Could I have the forwarder ask the resolver first and just configure the
resolver to query the WAN interface? Then branch from there?  Virtual
Interfaces?

I would like to stick with the resolver...any ideas?


Re: [pfSense] Question about OpenVPN Point-to-Multi-Point Setup

2016-06-08 Thread WebDawg
On Jun 8, 2016 1:31 PM, "Vick Khera"  wrote:
>
> On Wed, Jun 8, 2016 at 2:41 PM, Jeremy Bennett <
jbenn...@hikitechnology.com>
> wrote:
>
> > If you won't have mobile users, IPSec could be a viable option.
> >
>
> iPhone mobile VPN works great with IPSec, no additional software needed. It
> is all built in. Do not know about Android.
> ___

I think this is the additional software part, but they have OpenVPN Connect
for Android and iOS. The additional software works great and it even has
settings to keep the connection alive or resume the connection after device
wake. It is more integrated into iOS, at least, than it was before.


Re: [pfSense] add Blocking in suricata just for some IPs

2016-06-20 Thread WebDawg
On Mon, Jun 20, 2016 at 1:27 PM, Daniel Eschner 
wrote:

> Hi to everyone,
>
> is it possible to add blocking mode just to some IPs from a /24 network?
> I want to run that in test mode to see how many false positives I will see ;)
>
> Cheers
>
> Daniel
>
>


What?


Re: [pfSense] Wifi

2016-07-17 Thread WebDawg
On Sun, Jul 17, 2016 at 4:09 PM, Volker Kuhlmann 
wrote:

> On Fri 15 Jul 2016 16:58:34 NZST +1200, Alexandre Paradis wrote:
>
> > You could put a regular nic, then plug a regular home wifi router (with
> > dhcp disabled) on one of the lan port.
>
> This is probably the best bet. It makes the location of the AP (antenna
> position) independent of the location of the pfsense hardware. Putting a
> wifi card into a pfsense box has all sorts of problems, missing/useless
> FreeBSD wifi drivers being a big one.
>
> It doesn't seem so easy to find a reliably good AP though, at least for a
> reasonable budget. Vodafone New Zealand gave out Netcomm NP805N do-it-all
> home rubbish^H^H^Hrouters. Yes you can disable dhcp on the wifi side,
> but the thing is too dumb to forward wifi dhcp requests to pfsense so
> Net-no-comm's only use is as a dust-collector.
>
> I have a USB wifi AP running (Tenda W322U), well sort of.
> pfsense/freebsd's driver isn't very good and doesn't run the hardware at
> full speed (54M only). Then make sure the USB thingie is always plugged
> in and doesn't fail, because if it isn't present, pfsense doesn't even
> boot any more... so you can't even fix the rules or plug a new one in.
>
> Volker
>
> --
> Volker Kuhlmann is list0570 with the domain in header.
> http://volker.top.geek.nz/  Please do not CC list postings to me.

UniFi AP-AC-Pro is a great AP.  Though to control it you have to run the
controller software on a server, which does not need to stay active all the
time unless you need to use some of the active features.


Re: [pfSense] Wifi

2016-07-17 Thread WebDawg
On Sun, Jul 17, 2016 at 4:24 PM, Paul Galati  wrote:

> Find a decent router ($20 Netgear WNR3500u with gigabit ports) or similar
> that supports Tomato or DD-WRT.  Routers that support these OSes are good
> routers, just have not so good factory software on them.
>
> Paul
>

If you go with Paul's suggestion and want wireless AC make sure to do the
research.


Re: [pfSense] Lightning strike

2016-07-26 Thread WebDawg
On Mon, Jul 25, 2016 at 9:10 PM, Moshe Katz  wrote:

> From the picture, those are definitely surface-mount. I don't think I'd
> recommend trying it yourself unless you have experience and comfort working
> with SMD components.
>
> That said, if you do have the experience, it looks like the parts don't
> cost more than a few dollars.
>
> Moshe
>
>
You could outsource the repair.


[pfSense] Cloning pfSense Repo

2016-07-28 Thread WebDawg
Should I be able to clone the pfSense repo and host it locally?  Should I
be able to set the repo url in pfSense to point to this?

Also, I have no experience making packages, but sometimes I have to hack an
init.d script in; can I do that with a package?


Re: [pfSense] Mini-USB console on new pfSense certified hardware

2016-08-02 Thread WebDawg
On Mon, Aug 1, 2016 at 7:03 PM, Jeremy Porter  wrote:

> There is an on-board UART to USB converter on the
> RCC-VE/DFFv2/4860/8880/2440/2220.   This is wired directly to the
> chipset uart on the Rangely, at system voltage levels, not at RS232
> levels.  (The USB converter chip is cost comparable to an RS-232 voltage
> driver chip, and has a smaller board footprint.)  Additionally
> the connector takes up less back-panel space.
>
> There are no test points brought out, if there were you would need a
> level shifter, and an isolator to protect the SOC.
>
> Most modern systems have USB Host ports, which is all that is required
> for the USB serial interface to work.  Any small system can manage
> quite a few hosts with a powered usb hub.  (We actually use Beaglebone
> black as terminal servers).  We actually switched all our remaining
> terminal server systems over to these types, by getting a rack-mount 32
> port USB to RS-232 converter.
>
>
Can you explain to me the last statement?  You now use a Beaglebone as the
server, and manage the rest of your RS-232 terminal types with the
Beaglebone too.  With the 32 port USB to RS-232 converter?


Re: [pfSense] Unicast Flood

2016-08-17 Thread WebDawg
On Tue, Aug 16, 2016 at 11:08 PM, Karl Fife  wrote:
> Answering my own question:
>
> Unicast flooding is fundamental.  Unicast flooding in response to a null
> switching table is the only way for a frame to reach the intended host, say,
> if the switching table had an entry which expired before it could be
> re-populated with the host's arp reply.
>
>
>
> On 8/16/2016 2:19 PM, Karl Fife wrote:
>>
>> Hey all.  I'm trying to get to the bottom of an Ethernet concept:
>>
>> If an Ethernet switch has no switching/forwarding table entry for a given
>> MAC, does it flood/broadcast BY DESIGN (e.g. to behave like a good
>> old-fashioned Ethernet hub) or is unicast flooding an accidental
>> characteristic of the way Ethernet switches work (i.e. down on the metal)?
>>
>> For example, I could imagine an Ethernet switch design in which the switch
>> always returns null in the switching table for FF:FF:FF:FF:FF:FF, triggering
>> a broadcast/flood, thus other bona-fide null (expired) lookups also happen
>> to flood, BUT that this behavior is not strictly required to function.
>>
>> Clarification on this detail would be much appreciated.


Thanks for answering this question.  So many things go unanswered anymore!
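As an added illustration of the behaviour Karl describes (example code written for this page, not from the list post): a minimal learning-switch model with address aging, showing that a null lookup, whether for the broadcast address or for a unicast entry that has expired, results in the frame being flooded to every port except the one it arrived on. The aging time, port count and MAC labels are constructed values.

```python
# Added example (not from the list post): a learning switch with address
# aging. A frame whose destination has no table entry, or is the broadcast
# address, is flooded; the reply from the real host re-populates the table.
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class LearningSwitch:
    ports: int
    aging_time: float = 300.0  # seconds; constructed value for the example
    table: dict = field(default_factory=dict)  # mac -> (port, last_seen)

    def _expire(self, now: float) -> None:
        # Drop entries not refreshed within aging_time (a "null" lookup later).
        stale = [m for m, (_, seen) in self.table.items()
                 if now - seen > self.aging_time]
        for mac in stale:
            del self.table[mac]

    def forward(self, in_port: int, src: str, dst: str, now: float) -> set:
        """Return the set of egress ports for a frame, learning src on in_port."""
        self._expire(now)
        # Learn (or refresh) the source address on the ingress port.
        self.table[src] = (in_port, now)
        entry = self.table.get(dst)
        if dst == BROADCAST or entry is None:
            # Null lookup: flood to every port except the ingress port.
            return {p for p in range(self.ports) if p != in_port}
        port, _ = entry
        # Known destination: filter if it is on the ingress port, else unicast.
        return set() if port == in_port else {port}


def demo() -> list:
    """Walk through learn -> unicast -> age out -> flood on one switch."""
    sw = LearningSwitch(ports=4)
    steps = []
    steps.append(sw.forward(0, "aa:01", "bb:02", now=0.0))    # unknown: flood
    steps.append(sw.forward(2, "bb:02", "aa:01", now=1.0))    # reply: unicast
    steps.append(sw.forward(0, "aa:01", "bb:02", now=2.0))    # learned: unicast
    steps.append(sw.forward(0, "aa:01", "bb:02", now=400.0))  # expired: flood
    return steps


if __name__ == "__main__":
    for i, egress in enumerate(demo()):
        print(f"step {i}: egress ports {sorted(egress)}")
```

Step 3 is the case from the post: the entry expired before the host's reply refreshed it, so the only way the frame can still reach the host is to flood.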