[pfSense Support] import monowall xml files
I know this has probably been answered in previous posts, but I didn't see them. I'm wondering if / how I can move my monowall xml file over to pfsense. I tried to just restore it, thinking that I had seen a previous post saying it was ok, but it killed everything and I had to re-install. I would love to try pfsense and most likely will when I have more time. I just really hoped that all my configurations are not lost when moving over. Thanks, and I apologize if I wasn't detailed enough.

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] CDROM Version Install
I think it's the vlan stuff. If I don't choose to set up vlan, everything went fine. If I choose to set up vlan, it asks to reboot. I think the vlan config is not yet saved when it reboots, so after the reboot it comes up with vlan setup again...

On 9/29/05, Mike <[EMAIL PROTECTED]> wrote:
> Well I did everything that the wiki support said to do with no luck. Just for the record I went ahead and installed M0n0Wall on it with no issues.
> I would rather use PFSense and really need to find a fix. I am scheduled to put this box in place tomorrow so any more help would be greatly appreciated.
>
> Thanks,
> Mike

--
--- ... but that which cometh out of the mouth, this defileth a man. Mat 15:11
RE: [pfSense Support] 1:1 NAT loopback
I got it to work, but did NOT use Proxy ARP. Just used the 1:1 NAT.

Jason J Ellingson

From: Simon SZE-To [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 28, 2005 9:43 PM
To: support@pfsense.com
Subject: [pfSense Support] 1:1 NAT loopback

Hello,
I had read the thread at Aug 26 and found that some pfSense users are able to access a 1:1 NATted service in the LAN segment, but when I try it today, it fails.
My testing environment:
- the public IP xx.xx.xx.46 1:1 NAT to 10.0.138.9
- proxy ARP the xx.xx.xx.46
- allow any to any access to xx.xx.xx.46 in firewall rule
- my workstation IP is 10.0.138.130
- pfSense's IP is xx.xx.xx.42
I did the following steps:
- telnet xx.xx.xx.46 110 (of course I have a POP3 service listening)
- I got a connection failure after around 20sec
- the states got the following 2 lines:
self tcp 10.0.138.130:1941 -> xx.xx.xx.42:51404 -> xx.xx.xx.46:110 SYN_SENT:CLOSED
self tcp xx.xx.xx.46:110 <- 10.0.138.130:1941 CLOSED:SYN_SENT
Thanks!
Simon SZE-To
[pfSense Support] 1:1 NAT loopback
Hello,

I had read the thread at Aug 26 and found that some pfSense users are able to access a 1:1 NATted service in the LAN segment, but when I try it today, it fails.

My testing environment:
- the public IP xx.xx.xx.46 1:1 NAT to 10.0.138.9
- proxy ARP the xx.xx.xx.46
- allow any to any access to xx.xx.xx.46 in firewall rule
- my workstation IP is 10.0.138.130
- pfSense's IP is xx.xx.xx.42

I did the following steps:
- telnet xx.xx.xx.46 110 (of course I have a POP3 service listening)
- I got a connection failure after around 20sec
- the states got the following 2 lines:

self tcp 10.0.138.130:1941 -> xx.xx.xx.42:51404 -> xx.xx.xx.46:110 SYN_SENT:CLOSED
self tcp xx.xx.xx.46:110 <- 10.0.138.130:1941 CLOSED:SYN_SENT

Thanks!
Simon SZE-To
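The two state lines Simon pasted are the useful evidence in this thread: one state shows the SYN leaving the LAN host through pfSense's WAN address towards the NATted public IP, the other shows the server side never answering, and both are stuck at SYN_SENT/CLOSED. When troubleshooting NAT loopback the first question is which client/server pairs have only one-sided handshakes. The following script is an added example, not code from the post or from pfSense: it parses state lines in the shape shown above and counts half-open TCP states per client/server pair. The sample lines are constructed; the 203.0.113.x addresses stand in for the masked xx.xx.xx.x ones.

```python
import re
from collections import Counter

# Constructed sample in the format of the two state lines quoted in the post
# (assumption: 203.0.113.x stands in for the masked xx.xx.xx.x addresses).
SAMPLE_STATES = [
    "self tcp 10.0.138.130:1941 -> 203.0.113.42:51404 -> 203.0.113.46:110 SYN_SENT:CLOSED",
    "self tcp 203.0.113.46:110 <- 10.0.138.130:1941 CLOSED:SYN_SENT",
    "self tcp 10.0.138.130:2001 -> 203.0.113.42:51410 -> 198.51.100.9:443 ESTABLISHED:ESTABLISHED",
]

# <iface> <proto> <endpoint> (-> | <-) <endpoint> [(-> | <-) <endpoint>] <state>:<state>
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<path>\S.*?\S)\s+"
    r"(?P<a>[A-Z_0-9]+):(?P<b>[A-Z_0-9]+)$"
)


def parse_state(line):
    """Split one state line into client, server, optional NAT hop and state pair."""
    m = STATE_RE.match(line.strip())
    if m is None:
        return None
    parts = re.split(r"\s*(->|<-)\s*", m.group("path"))
    endpoints, arrows = parts[0::2], parts[1::2]
    if not arrows or len(set(arrows)) != 1:
        return None  # mixed or missing arrows: not a shape this parser handles
    if arrows[0] == "->":
        client, server = endpoints[0], endpoints[-1]
    else:
        client, server = endpoints[-1], endpoints[0]
    nat = endpoints[1] if len(endpoints) == 3 else None
    return {
        "iface": m.group("iface"),
        "proto": m.group("proto"),
        "client": client,
        "server": server,
        "nat": nat,
        "states": (m.group("a"), m.group("b")),
    }


def is_unanswered_syn(entry):
    """True when one side is SYN_SENT and the other CLOSED: the SYN left,
    but no SYN/ACK ever came back through this state."""
    return set(entry["states"]) == {"SYN_SENT", "CLOSED"}


def find_unanswered(state_lines):
    """Count half-open TCP states per (client, server) pair, sorted."""
    counts = Counter()
    for line in state_lines:
        entry = parse_state(line)
        if entry and entry["proto"] == "tcp" and is_unanswered_syn(entry):
            counts[(entry["client"], entry["server"])] += 1
    return sorted((c, s, n) for (c, s), n in counts.items())


if __name__ == "__main__":
    for client, server, n in find_unanswered(SAMPLE_STATES):
        print(f"{client} -> {server}: {n} half-open state(s), reply path never completed")
```

Fed the real state table, the output narrows the problem to the pairs that never see a SYN/ACK; in Simon's case that is exactly the LAN host talking to the public 1:1 address, which is what Jason's reply (1:1 NAT without proxy ARP) addressed.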
Re: [pfSense Support] Proxy Arp
Hmmm, interesting. I'll look into why it's setting a /27.

--Bill

On 9/28/05, James Roberson <[EMAIL PROTECTED]> wrote:
> It's running for the VIP, vr0 is the wan (I added the x's).
>
> root 485 0.0 0.3 1192 764 ?? Ss 1:30PM 0:00.00 /usr/local/sbin/choparp vr0 auto xxx.xxx.149.241/27
>
> At 12:51 PM 9/28/2005, you wrote:
> >Is choparp running on your system? ps awux | grep chop from a shell will tell us.
> >
> >Scott
> >
> >On 9/28/05, James Roberson <[EMAIL PROTECTED]> wrote:
> > > First some background. I have a multinat configuration working in monowall (multiple wan IP addresses to 1 or many internal IPs) so pfsense is not so foreign to me. I've tried setting up a similar environment in pfSense 0.85.2. For simplicity, I first tried a basic http port forwarding nat configuration. It didn't work.
> > >
> > > I set up a virtual IP for the external IP using proxy arp (seems like the proxy arp and server nat settings from monowall combined). Under "NAT: Port Forward" I set the newly created VIP to point to the internal IP (checked the box to make the rule). Everything looks like it should work but it doesn't. I also tried 1 to 1 with no luck.
> > >
> > > An external ethereal cap with monowall shows monowall answering arp requests for the virtual IP. The same external capture with pfsense shows no arp replies from pfsense. Besides the radio button on the virtual IP menu, is there another setting for proxy arp?
> > >
> > > Thanks
> > >
> > > James Roberson
Re: [pfSense Support] Proxy Arp
On Wed, 28 Sep 2005 14:14:32 -0700 James Roberson <[EMAIL PROTECTED]> wrote:
> I think I know what's going on. I just noticed the cidr/27. Should be /32. The subnet is /27, but I'm pretty sure this should be /32 (255.255.255.255).

Yes, aliased IPs always use /32 if the parent IP is on the same subnet.

Marcin.

> At 01:58 PM 9/28/2005, you wrote:
> >Well that should be responding to proxy arp.. Weird. If you need this working now change the virtual ip to a carp type. In the meantime I'll run some tests.
> >
> >On 9/28/05, James Roberson <[EMAIL PROTECTED]> wrote:
> > > It's running for the VIP, vr0 is the wan (I added the x's).
> > >
> > > root 485 0.0 0.3 1192 764 ?? Ss 1:30PM 0:00.00 /usr/local/sbin/choparp vr0 auto xxx.xxx.149.241/27
> > >
> > > At 12:51 PM 9/28/2005, you wrote:
> > > >Is choparp running on your system? ps awux | grep chop from a shell will tell us.
> > > >
> > > >Scott
> > > >
> > > >On 9/28/05, James Roberson <[EMAIL PROTECTED]> wrote:
> > > > > First some background. I have a multinat configuration working in monowall (multiple wan IP addresses to 1 or many internal IPs) so pfsense is not so foreign to me. I've tried setting up a similar environment in pfSense 0.85.2. For simplicity, I first tried a basic http port forwarding nat configuration. It didn't work.
> > > > >
> > > > > I set up a virtual IP for the external IP using proxy arp (seems like the proxy arp and server nat settings from monowall combined). Under "NAT: Port Forward" I set the newly created VIP to point to the internal IP (checked the box to make the rule). Everything looks like it should work but it doesn't. I also tried 1 to 1 with no luck.
> > > > >
> > > > > An external ethereal cap with monowall shows monowall answering arp requests for the virtual IP. The same external capture with pfsense shows no arp replies from pfsense. Besides the radio button on the virtual IP menu, is there another setting for proxy arp?
> > > > >
> > > > > Thanks
> > > > >
> > > > > James Roberson
>
> James Roberson
> TDI Library Services, Inc. (www.tdico.com)
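The rule Marcin states (an aliased proxy-ARP VIP inside the parent interface's subnet is a /32, not the parent's /27) is easy to check from the same ps output James pasted. The script below is an added example, not code from the thread or from pfSense: it parses choparp command lines out of ps output, compares each VIP's prefix against that rule, and reports mismatches. The ps lines and the WAN parent address are constructed (documentation-range addresses stand in for the masked xxx.xxx.149.241); a real check would take the parent address from ifconfig.

```python
import ipaddress
import re

# Constructed sample ps output (assumption: documentation-range addresses
# stand in for the masked "xxx.xxx.149.241" in the thread).
SAMPLE_PS_LINES = [
    "root 485 0.0 0.3 1192 764 ?? Ss 1:30PM 0:00.00 /usr/local/sbin/choparp vr0 auto 203.0.113.241/27",
    "root 512 0.0 0.3 1192 764 ?? Ss 1:31PM 0:00.00 /usr/local/sbin/choparp vr0 auto 203.0.113.242/32",
    "root 600 0.0 0.1 1000 500 ?? Ss 1:32PM 0:00.00 /usr/sbin/syslogd -s",
]

# choparp <interface> <mac|auto> <address[/prefix]>, as in the thread's ps line
CHOPARP_RE = re.compile(r"choparp\s+(?P<ifname>\S+)\s+(?P<mac>\S+)\s+(?P<net>\S+)")


def expected_vip_prefix(parent_iface, vip):
    """Prefix length a proxy-ARP VIP should carry.

    Rule from the thread: an aliased IP uses /32 when it lies inside the parent
    interface's subnet.  For a VIP outside that subnet the thread gives no rule,
    so None is returned and the operator has to decide explicitly.
    """
    parent = ipaddress.ip_interface(parent_iface)
    addr = ipaddress.ip_address(vip)
    if addr in parent.network:
        return addr.max_prefixlen  # 32 for IPv4, 128 for IPv6
    return None


def parse_choparp(ps_line):
    """Extract interface, MAC argument and VIP/prefix from one ps line, or None."""
    m = CHOPARP_RE.search(ps_line)
    if m is None:
        return None
    net = ipaddress.ip_interface(m.group("net"))
    return {
        "ifname": m.group("ifname"),
        "mac": m.group("mac"),
        "vip": str(net.ip),
        "prefixlen": net.network.prefixlen,
    }


def audit_choparp(ps_lines, parent_iface):
    """Return (vip, configured_prefix, expected_prefix) for every choparp
    instance whose prefix does not match the rule above."""
    findings = []
    for line in ps_lines:
        entry = parse_choparp(line)
        if entry is None:
            continue
        want = expected_vip_prefix(parent_iface, entry["vip"])
        if want is not None and entry["prefixlen"] != want:
            findings.append((entry["vip"], entry["prefixlen"], want))
    return findings


if __name__ == "__main__":
    # The WAN parent address is constructed; read it from ifconfig on a real box.
    for vip, got, want in audit_choparp(SAMPLE_PS_LINES, "203.0.113.225/27"):
        print(f"{vip}: choparp runs with /{got}, expected /{want}")
```

The first sample line reproduces James's situation (VIP with the parent's /27) and is flagged; the second is the corrected /32 and passes. Piping `ps awux` into this after a config change gives a quick regression check that a VIP did not silently pick up the parent subnet mask again.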
Re: [pfSense Support] Proxy Arp
It was the subnet. Reset pfSense back to defaults, added rules (shows /32); works now.

Thanks

At 02:14 PM 9/28/2005, you wrote:
I think I know what's going on. I just noticed the cidr/27. Should be /32. The subnet is /27, but I'm pretty sure this should be /32 (255.255.255.255). I'll check.

At 01:58 PM 9/28/2005, you wrote:
Well that should be responding to proxy arp.. Weird. If you need this working now change the virtual ip to a carp type. In the meantime I'll run some tests.

On 9/28/05, James Roberson <[EMAIL PROTECTED]> wrote:
> It's running for the VIP, vr0 is the wan (I added the x's).
>
> root 485 0.0 0.3 1192 764 ?? Ss 1:30PM 0:00.00 /usr/local/sbin/choparp vr0 auto xxx.xxx.149.241/27
>
> At 12:51 PM 9/28/2005, you wrote:
> >Is choparp running on your system? ps awux | grep chop from a shell will tell us.
> >
> >Scott
> >
> >On 9/28/05, James Roberson <[EMAIL PROTECTED]> wrote:
> > > First some background. I have a multinat configuration working in monowall (multiple wan IP addresses to 1 or many internal IPs) so pfsense is not so foreign to me. I've tried setting up a similar environment in pfSense 0.85.2. For simplicity, I first tried a basic http port forwarding nat configuration. It didn't work.
> > >
> > > I set up a virtual IP for the external IP using proxy arp (seems like the proxy arp and server nat settings from monowall combined). Under "NAT: Port Forward" I set the newly created VIP to point to the internal IP (checked the box to make the rule). Everything looks like it should work but it doesn't. I also tried 1 to 1 with no luck.
> > >
> > > An external ethereal cap with monowall shows monowall answering arp requests for the virtual IP. The same external capture with pfsense shows no arp replies from pfsense. Besides the radio button on the virtual IP menu, is there another setting for proxy arp?
> > >
> > > Thanks
> > >
> > > James Roberson

James Roberson
TDI Library Services, Inc. (www.tdico.com)
Re: [pfSense Support] Proxy Arp
I think I know what's going on. I just noticed the cidr/27. Should be /32. The subnet is /27, but I'm pretty sure this should be /32 (255.255.255.255). I'll check.

At 01:58 PM 9/28/2005, you wrote:
Well that should be responding to proxy arp.. Weird. If you need this working now change the virtual ip to a carp type. In the meantime I'll run some tests.

On 9/28/05, James Roberson <[EMAIL PROTECTED]> wrote:
> It's running for the VIP, vr0 is the wan (I added the x's).
>
> root 485 0.0 0.3 1192 764 ?? Ss 1:30PM 0:00.00 /usr/local/sbin/choparp vr0 auto xxx.xxx.149.241/27
>
> At 12:51 PM 9/28/2005, you wrote:
> >Is choparp running on your system? ps awux | grep chop from a shell will tell us.
> >
> >Scott
> >
> >On 9/28/05, James Roberson <[EMAIL PROTECTED]> wrote:
> > > First some background. I have a multinat configuration working in monowall (multiple wan IP addresses to 1 or many internal IPs) so pfsense is not so foreign to me. I've tried setting up a similar environment in pfSense 0.85.2. For simplicity, I first tried a basic http port forwarding nat configuration. It didn't work.
> > >
> > > I set up a virtual IP for the external IP using proxy arp (seems like the proxy arp and server nat settings from monowall combined). Under "NAT: Port Forward" I set the newly created VIP to point to the internal IP (checked the box to make the rule). Everything looks like it should work but it doesn't. I also tried 1 to 1 with no luck.
> > >
> > > An external ethereal cap with monowall shows monowall answering arp requests for the virtual IP. The same external capture with pfsense shows no arp replies from pfsense. Besides the radio button on the virtual IP menu, is there another setting for proxy arp?
> > >
> > > Thanks
> > >
> > > James Roberson

James Roberson
TDI Library Services, Inc. (www.tdico.com)
Re: [pfSense Support] Source based routing
In a multi-wan environment on pfSense this can be handled using advanced outbound nat.

Scott

On 9/28/05, Robo.K. <[EMAIL PROTECTED]> wrote:
> Is Pfsense capable of source based routing as described here http://en.tldp.org/HOWTO/IP-Masquerade-HOWTO/iproute2.html?
> /this is only for description of the problem, I know that Pfsense is no Linux :-}/
>
> Thank you.
> Regards-Robo.
>
> --
> No virus found in this outgoing message.
> Checked by AVG Anti-Virus.
> Version: 7.0.344 / Virus Database: 267.11.6/111 - Release Date: 23.9.2005
>
> --
> * www.inMail.sk - Your e-mail address for your whole life, FREE
> * Zoner Photo Studio 7 - Discover the magic of digital photography! http://www.zoner.cz/photo-studio
> * www.SlovakNET.sk - professional web hosting, .SK domain FREE
Re: [pfSense Support] Proxy Arp
Well that should be responding to proxy arp.. Weird. If you need this working now change the virtual ip to a carp type. In the meantime I'll run some tests.

On 9/28/05, James Roberson <[EMAIL PROTECTED]> wrote:
> It's running for the VIP, vr0 is the wan (I added the x's).
>
> root 485 0.0 0.3 1192 764 ?? Ss 1:30PM 0:00.00 /usr/local/sbin/choparp vr0 auto xxx.xxx.149.241/27
>
> At 12:51 PM 9/28/2005, you wrote:
> >Is choparp running on your system? ps awux | grep chop from a shell will tell us.
> >
> >Scott
> >
> >On 9/28/05, James Roberson <[EMAIL PROTECTED]> wrote:
> > > First some background. I have a multinat configuration working in monowall (multiple wan IP addresses to 1 or many internal IPs) so pfsense is not so foreign to me. I've tried setting up a similar environment in pfSense 0.85.2. For simplicity, I first tried a basic http port forwarding nat configuration. It didn't work.
> > >
> > > I set up a virtual IP for the external IP using proxy arp (seems like the proxy arp and server nat settings from monowall combined). Under "NAT: Port Forward" I set the newly created VIP to point to the internal IP (checked the box to make the rule). Everything looks like it should work but it doesn't. I also tried 1 to 1 with no luck.
> > >
> > > An external ethereal cap with monowall shows monowall answering arp requests for the virtual IP. The same external capture with pfsense shows no arp replies from pfsense. Besides the radio button on the virtual IP menu, is there another setting for proxy arp?
> > >
> > > Thanks
> > >
> > > James Roberson
Re: [pfSense Support] Proxy Arp
It's running for the VIP, vr0 is the wan (I added the x's).

root 485 0.0 0.3 1192 764 ?? Ss 1:30PM 0:00.00 /usr/local/sbin/choparp vr0 auto xxx.xxx.149.241/27

At 12:51 PM 9/28/2005, you wrote:
Is choparp running on your system? ps awux | grep chop from a shell will tell us.

Scott

On 9/28/05, James Roberson <[EMAIL PROTECTED]> wrote:
> First some background. I have a multinat configuration working in monowall (multiple wan IP addresses to 1 or many internal IPs) so pfsense is not so foreign to me. I've tried setting up a similar environment in pfSense 0.85.2. For simplicity, I first tried a basic http port forwarding nat configuration. It didn't work.
>
> I set up a virtual IP for the external IP using proxy arp (seems like the proxy arp and server nat settings from monowall combined). Under "NAT: Port Forward" I set the newly created VIP to point to the internal IP (checked the box to make the rule). Everything looks like it should work but it doesn't. I also tried 1 to 1 with no luck.
>
> An external ethereal cap with monowall shows monowall answering arp requests for the virtual IP. The same external capture with pfsense shows no arp replies from pfsense. Besides the radio button on the virtual IP menu, is there another setting for proxy arp?
>
> Thanks
>
> James Roberson
[pfSense Support] Source based routing
Is Pfsense capable of source based routing as described here http://en.tldp.org/HOWTO/IP-Masquerade-HOWTO/iproute2.html?
/this is only for description of the problem, I know that Pfsense is no Linux :-}/

Thank you.
Regards-Robo.

--
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.344 / Virus Database: 267.11.6/111 - Release Date: 23.9.2005

--
* www.inMail.sk - Your e-mail address for your whole life, FREE
* Zoner Photo Studio 7 - Discover the magic of digital photography! http://www.zoner.cz/photo-studio
* www.SlovakNET.sk - professional web hosting, .SK domain FREE
Re: [pfSense Support] Trouble/Questions about the development version.
Just trying to sum this up: you installed (1) binary packages from freebsd, (2) binary packages compiled on a separate freebsd machine, or (3) binaries compiled from the pfsense development version via the ports system? That was not clear from the pluses and parentheses. I would appreciate the config files. I always work better from a good start. :)

Robert

On Wed, 2005-09-28 at 17:27 -0300, William Armstrong wrote:
> I use squid 2.5.Stable10 (installed from freebsd 6.0-beta3 and ports/make package) + SquidGuard (installed from freebsd 6.0-beta3 and ports make package) + DB3 (installed from freebsd 6.0-beta3 and ports make package) + bigurlblacklist.
>
> Works very well for web filtering, and I use a rule on pf to block default traffic to ports 80-83 and 8080-8083 and force the use of NCSA authentication from squid.
>
> And create a list of users for allowed and denied types of sites (Default).
>
> Works fine.
>
> I use the file editor from pfsense to include or remove clients because htpasswd is no longer included in the pfsense install.
>
> If you want to try this I'll send you my squid.conf and squidGuard.conf.
>
> my 2 cents.
>
> flames > /dev/null
>
> []'s
>
> --
> -=-=-=-=-=-=-=-=-=-
> William David Armstrong
> Bio Systems Security.
> ICQ 10253747 MSN [EMAIL PROTECTED]
> --
> "Nobody is born knowing everything. But everything can be Learned; and above all because everything can be Taught." By Bio.
> --
Re: [pfSense Support] Trouble/Questions about the development version.
I use squid 2.5.Stable10 (installed from freebsd 6.0-beta3 and ports/make package) + SquidGuard (installed from freebsd 6.0-beta3 and ports make package) + DB3 (installed from freebsd 6.0-beta3 and ports make package) + bigurlblacklist.

Works very well for web filtering, and I use a rule on pf to block default traffic to ports 80-83 and 8080-8083 and force the use of NCSA authentication from squid.

And create a list of users for allowed and denied types of sites (Default).

Works fine.

I use the file editor from pfsense to include or remove clients because htpasswd is no longer included in the pfsense install.

If you want to try this I'll send you my squid.conf and squidGuard.conf.

my 2 cents.

flames > /dev/null

[]'s

--
-=-=-=-=-=-=-=-=-=-
William David Armstrong
Bio Systems Security.
ICQ 10253747 MSN [EMAIL PROTECTED]
--
"Nobody is born knowing everything. But everything can be Learned; and above all because everything can be Taught." By Bio.
--
Re: [pfSense Support] Proxy Arp
Is choparp running on your system? ps awux | grep chop from a shell will tell us.

Scott

On 9/28/05, James Roberson <[EMAIL PROTECTED]> wrote:
> First some background. I have a multinat configuration working in monowall (multiple wan IP addresses to 1 or many internal IPs) so pfsense is not so foreign to me. I've tried setting up a similar environment in pfSense 0.85.2. For simplicity, I first tried a basic http port forwarding nat configuration. It didn't work.
>
> I set up a virtual IP for the external IP using proxy arp (seems like the proxy arp and server nat settings from monowall combined). Under "NAT: Port Forward" I set the newly created VIP to point to the internal IP (checked the box to make the rule). Everything looks like it should work but it doesn't. I also tried 1 to 1 with no luck.
>
> An external ethereal cap with monowall shows monowall answering arp requests for the virtual IP. The same external capture with pfsense shows no arp replies from pfsense. Besides the radio button on the virtual IP menu, is there another setting for proxy arp?
>
> Thanks
>
> James Roberson
[pfSense Support] Proxy Arp
First some background. I have a multinat configuration working in monowall (multiple wan IP addresses to 1 or many internal IPs) so pfsense is not so foreign to me. I've tried setting up a similar environment in pfSense 0.85.2. For simplicity, I first tried a basic http port forwarding nat configuration. It didn't work.

I set up a virtual IP for the external IP using proxy arp (seems like the proxy arp and server nat settings from monowall combined). Under "NAT: Port Forward" I set the newly created VIP to point to the internal IP (checked the box to make the rule). Everything looks like it should work but it doesn't. I also tried 1 to 1 with no luck.

An external ethereal cap with monowall shows monowall answering arp requests for the virtual IP. The same external capture with pfsense shows no arp replies from pfsense. Besides the radio button on the virtual IP menu, is there another setting for proxy arp?

Thanks

James Roberson
RE: [pfSense Support] Trouble/Questions about the development version.
I'm guessing something from gcc is missing. I've seen this error before when include files are missing (/usr/include). See if something very simple will compile.

vi test.c

    /* minimal compile check: needs the C headers in /usr/include to be present */
    #include <stdio.h>

    int main(void)
    {
        printf("hello yorld\n");
        return 0;
    }

I think that will compile ;)

gcc -o test test.c
./test

Should spit out "hello yorld"

-Original Message-
From: Robert Goley [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 28, 2005 12:17 PM
To: support@pfsense.com
Subject: [pfSense Support] Trouble/Questions about the development version.

I have been testing pfsense to use it to replace a Firebox we currently have on one of our connections. The Firebox currently does webfiltering. I tried to get this working with pfsense and ran into some issues. I installed the pfsense developer version (84 I think). I loaded the ports info and tried to compile dansguardian. I got a message that I have never seen from gcc. Something to the effect that it could not create an executable. Has something been restricted? What do I need to do to get this compiled properly under pfsense/FreeBSD?

Robert
Re: [pfSense Support] Trouble/Questions about the development version.
That's rather bizarre. The developer version is not restricted in any way. If anything it could still be missing bits from FreeBSD but I am not sure about that.

Scott

On 9/28/05, Robert Goley <[EMAIL PROTECTED]> wrote:
> I have been testing pfsense to use it to replace a Firebox we currently have on one of our connections. The Firebox currently does webfiltering. I tried to get this working with pfsense and ran into some issues. I installed the pfsense developer version (84 I think). I loaded the ports info and tried to compile dansguardian. I got a message that I have never seen from gcc. Something to the effect that it could not create an executable. Has something been restricted? What do I need to do to get this compiled properly under pfsense/FreeBSD?
>
> Robert
[pfSense Support] Trouble/Questions about the development version.
I have been testing pfsense to use it to replace a Firebox we currently have on one of our connections. The Firebox currently does webfiltering. I tried to get this working with pfsense and ran into some issues. I installed the pfsense developer version (84 I think). I loaded the ports info and tried to compile dansguardian. I got a message that I have never seen from gcc. Something to the effect that it could not create an executable. Has something been restricted? What do I need to do to get this compiled properly under pfsense/FreeBSD?

Robert
RE: [pfSense Support] CDROM Version Install
Well I did everything that the wiki support said to do with no luck. Just for the record I went ahead and installed M0n0Wall on it with no issues. I would rather use PFSense and really need to find a fix. I am scheduled to put this box in place tomorrow so any more help would be greatly appreciated.

Thanks,
Mike

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED]
Sent: Tuesday, September 27, 2005 8:19 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] CDROM Version Install

The only thing left to try is:
http://wiki.pfsense.com/wikka.php?wakka=BootTroubleShooting

Scott

On 9/27/05, Mike <[EMAIL PROTECTED]> wrote:
> OK I have tried 3 CDROMS and 3 floppy drives with no luck. All the CDROMS and Floppy drives are good with 1 new of each in that mix.
> I have tried a blank floppy and then tried a floppy with a working config file.
> I replaced both the floppy and CDROM cables with no luck :(
>
> I also tried 74.4, 80.0, 80.4, 85.0 and 85.2 versions with the same error every time.
>
> Thanks,
> Mike
>
> -Original Message-
> From: Scott Ullrich [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, September 27, 2005 6:23 PM
> To: support@pfsense.com
> Subject: Re: [pfSense Support] CDROM Version Install
>
> Yes, s0ren changed the ATAPI CDRom code recently. :/
>
> Scott
>
> On 9/27/05, Fleming, John (ZeroChaos) <[EMAIL PROTECTED]> wrote:
> > "If you get a chance try a default install (just for testing) of FreeBSD Beta 5 (or whatever the latest beta of 6.0 is) and see if you get the same issues."
> > :)
> >
> > -Original Message-
> > From: Holger Bauer [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, September 27, 2005 5:15 PM
> > To: support@pfsense.com
> > Subject: AW: [pfSense Support] CDROM Version Install
> >
> > I'm seeing this problem since 0.85.2. The same cd-rom reader was working ever since pfsense 0.20 for me :-/
> >
> > Holger
> >
> > -Original Message-
> > From: Fleming, John (ZeroChaos) [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, 28 September 2005 00:12
> > To: support@pfsense.com
> > Subject: RE: [pfSense Support] CDROM Version Install
> >
> > FreeBSD is having love issue (see no) with your cdrom. It could be..
> > 1. bad cdrom drive
> > 2. bad cdrom
> > 3. bad cable
> > 4. sucky IDE chipset.
> > 5. FreeBSD bug.
> >
> > If you get a chance try a default install (just for testing) of FreeBSD Beta 5 (or whatever the latest beta of 6.0 is) and see if you get the same issues.
> >
> > -Original Message-
> > From: Mike [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, September 27, 2005 5:06 PM
> > To: support@pfsense.com
> > Subject: [pfSense Support] CDROM Version Install
> > Importance: High
> >
> > Hi Guys,
> > I am pulling my hair out trying to figure this out.
> > I have PFSense now running on several boxes in different locations.
> >
> > I am building a new firewall for a client and during the install I am getting the following error on versions 80.0, 80.4, 85.0 and 85.2.
> >
> > The error is as follows:
> >
> > Acd0: Failure_Read_BIG ILLEGAL REQUEST asc=0x64 ascq=0x00 error=4
> >
> > Letting this run it finally comes up asking if I want to set up my vlan now.
> > I go through the setup fine, add a few rules and reboot, and the process starts over.
> >
> > Please help as I am bald enough now and the ole lady hates when I start pulling her hair out of her head.
> >
> > Thanks in Advance,
> >
> > Mike
> >
> > Virus checked by G DATA AntiVirusKit
AW: [pfSense Support] CDROM Version Install
With my machine it just throws out several of these messages but goes through them at once and it's running fine after that.

Holger

-Original Message-
From: Jeroen Geusebroek [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 28 September 2005 16:34
To: support@pfsense.com
Subject: Re: [pfSense Support] CDROM Version Install

On 9/28/05, Scott Ullrich <[EMAIL PROTECTED]> wrote:
> The only thing left to try is:
> http://wiki.pfsense.com/wikka.php?wakka=BootTroubleShooting
>
I had the same problem with different machines. Only in my case if I wait (5 minutes or so) it will finally come through.

--
Jeroen

Virus checked by G DATA AntiVirusKit
Re: [pfSense Support] CDROM Version Install
On 9/28/05, Scott Ullrich <[EMAIL PROTECTED]> wrote:
> The only thing left to try is:
> http://wiki.pfsense.com/wikka.php?wakka=BootTroubleShooting
>

I had the same problem with different machines. Only in my case if I wait (5 minutes or so) it will finally come through.

--
Jeroen
Re: [pfSense Support] IPv6 tunnel BUG
On 9/28/05, Scott Ullrich <[EMAIL PROTECTED]> wrote:
> Yes, I made some changes to the ipv6 code. I cannot test however so I
> am driving blindly here.

I'd be happy to test. But you can easily get a free IPv6 tunnel from a broker. Just a suggestion ;)

--
Jeroen
Re: [pfSense Support] 050.2 CARP won't go Master or Backup
You need to update_file.sh /etc/rc.bootup as well. The carp interfaces are brought up at the very end now.

Scott

On 9/28/05, Frimmel, Ivan (ISS South Africa) <[EMAIL PROTECTED]> wrote:
> Ok, so I spent some time on this, this morning.
>
> One of the problems I had yesterday during update_file.sh (on 085.4).. it
> somehow broke OPT1(sync) and kept making it disabled. So carp would never
> come up, once I got this sorted by going to 085.6 I could go forward.
>
> So ..
> 1) I brought router2 back up and did all upgrades and reconfigured CARP;
> 2) CARP still behaves badly
> 3) Did another update_file.sh after 085.6, CARP behaves badly.
>
> It may go master/backup first time, but when doing disable/enable it stays
> init on BOTH routers.
>
> I dropped to a shell .. and simply did a "ifconfig carp0 up" on both. CARP
> comes up in the appropriate mode (master/backup) and virtual IPs work again as
> expected. i.e. this fixes the issue. Disable/enable button breaks it again.
> i.e. a working server as Master will go back to init after hitting
> enable/disable.
>
> Hope this helps?
> Ivan.
>
> -Original Message-
> From: Holger Bauer [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, September 28, 2005 1:49 AM
> To: support@pfsense.com
> Subject: AW: [pfSense Support] 050.2 CARP won't go Master or Backup
>
> ok, I have experienced some strange problems bringing up CARP-Interfaces here
> as well (quite reproducible but also a bit sporadic). Scott did several
> changes and he finally came up with something that now is running on my
> systems without any problems any more (my systems are also syncing via a
> crossover-cable, no switch in between).
>
> Ivan, if you can please crosslink your systems again and do a "update_file.sh
> /etc/inc/interfaces.inc" on both systems before testing again.
>
> To have a switch between two machines is needed if you have more than 2
> machines in the cluster but with only two machines it's an additional "point
> of failure" if the switch dies or only has a power failure. Syncing should work
> with crosslink-cables too. So if you can give it a try and report back we
> would appreciate it.
>
> Thank you in advance,
> Holger
>
> -Original Message-
> From: Bill Marquette [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, 27 September 2005 20:20
> To: support@pfsense.com
> Subject: Re: [pfSense Support] 050.2 CARP won't go Master or Backup
>
> On 9/27/05, Frimmel, Ivan (ISS South Africa) <[EMAIL PROTECTED]> wrote:
> > HI
> >
> > PPPoe is on WAN .. CARP is on LAN with carp sync on OPT1.
> >
> > OK so you guys are going to laugh at me. I do feel stupid. As a fault
> > finding procedure and just to get connectivity back I halted router2, which
> > is UTP crossed over connected to router 1 on OPT1. So OPT1 (carp sync) is
> > down. (no link since you need both nic up to have link). CARP will NOT come
> > up without link on OPT1. My suggestion in terms of best practice is to have
> > a switch on OPT(sync) when using CARP. It has wasted a lot of my time and
> > it IS my fault cause I was cheap just using cross over cable.
> > Tx all ..
>
> Hrm...I'll have to test this out at home :-/ At work everything is
> always plugged into a switch (the machines are miles apart), but at
> home I'm using a crossover cable for the dedicated sync network. But
> I didn't think that CARP would stay down forever if the sync interface
> was down :-/
>
> --Bill
Re: [pfSense Support] IPv6 tunnel BUG
Yes, I made some changes to the ipv6 code. I cannot test however so I am driving blindly here.

Scott

On 9/28/05, Jeroen Geusebroek <[EMAIL PROTECTED]> wrote:
> On 9/21/05, Scott Ullrich <[EMAIL PROTECTED]> wrote:
> > That is a portion that I have not converted as of yet. I don't have
> > any type of ipv6 devices to test with, etc. I'll see what I can do
> > but this may be a feature that is marked for removing.
>
> Could it be that this is fixed in the latest version? I no longer have
> this problem. Hopefully the tunnel will not die on me anymore.
>
> --
> Jeroen
Re: [pfSense Support] IPv6 tunnel BUG
On 9/21/05, Scott Ullrich <[EMAIL PROTECTED]> wrote:
> That is a portion that I have not converted as of yet. I don't have
> any type of ipv6 devices to test with, etc. I'll see what I can do
> but this may be a feature that is marked for removing.

Could it be that this is fixed in the latest version? I no longer have this problem. Hopefully the tunnel will not die on me anymore.

--
Jeroen
Re: [pfSense Support] unexpected dhcp lease
On Wed, 28 Sep 2005 08:26:28 -0500 Bill Marquette <[EMAIL PROTECTED]> wrote:
> Are these two logical networks on the same physical network? I'm
> noticing the request came in on both fxp0 and xl0 - that seems kinda
> odd.

Yes, both network cards are connected to the same switch, but I guess as the "deny unknown clients" option is enabled on both interfaces ("static arp" as well) this shouldn't happen. (Not to mention the netmasks.)

> Sep 28 14:35:03 dhcpd: DHCPREQUEST for 192.168.2.254 (192.168.2.4)
> from 00:12:79:ad:c6:fc (TRC-dc5100) via fxp0: wrong network.
> Sep 28 14:35:03 dhcpd: DHCPREQUEST for 192.168.2.254 (192.168.2.4)
> from 00:12:79:ad:c6:fc (TRC-dc5100) via xl0
>
> --Bill

--
This email is made from 100% recycled electrons
Re: [pfSense Support] unexpected dhcp lease
Are these two logical networks on the same physical network? I'm noticing the request came in on both fxp0 and xl0 - that seems kinda odd.

Sep 28 14:35:03 dhcpd: DHCPREQUEST for 192.168.2.254 (192.168.2.4) from 00:12:79:ad:c6:fc (TRC-dc5100) via fxp0: wrong network.
Sep 28 14:35:03 dhcpd: DHCPREQUEST for 192.168.2.254 (192.168.2.4) from 00:12:79:ad:c6:fc (TRC-dc5100) via xl0

--Bill

On 9/28/05, Imre Ispanovits <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I have a problem with pfSense's dhcp server since 0.85.x (I guess it wasn't
> an issue in 0.84.6).
> I have two lan interfaces and both serve as dhcp server, of course not
> overlapping.
> My problem is that on lan2 (opt2 - xl0) a dynamic ip address is always issued
> although it shouldn't be, because only fixed leases are expected. This is the
> only address I have to configure for the dhcp server's range. What's more
> strange, for that mac address (00:12:79:ad:c6:fc) a fixed lease is reserved on
> the other (fxp0) interface, which, as I see in the logs, is offered once, but
> the other address is picked up.
> This never happened on the other interface.
>
> In syslog I have:
>
> Sep 28 14:35:04 last message repeated 2 times
> Sep 28 14:35:03 kernel: arp: 192.168.2.254 is on xl0 but got reply from 00:12:79:ad:c6:fc on fxp0
> Sep 28 14:34:49 last message repeated 5 times
> Sep 28 14:34:36 dhcpd: send_packet: Invalid argument
>
> and in dhcp logs:
>
> Sep 28 14:35:03 dhcpd: DHCPNAK on 192.168.2.254 to 00:12:79:ad:c6:fc via fxp0
> Sep 28 14:35:03 dhcpd: DHCPREQUEST for 192.168.2.254 (192.168.2.4) from 00:12:79:ad:c6:fc (TRC-dc5100) via fxp0: wrong network.
> Sep 28 14:35:03 dhcpd: DHCPACK on 192.168.2.254 to 00:12:79:ad:c6:fc (TRC-dc5100) via xl0
> Sep 28 14:35:03 dhcpd: DHCPREQUEST for 192.168.2.254 (192.168.2.4) from 00:12:79:ad:c6:fc (TRC-dc5100) via xl0
> Sep 28 14:35:03 dhcpd: DHCPOFFER on 192.168.0.22 to 00:12:79:ad:c6:fc via fxp0
> Sep 28 14:35:03 dhcpd: DHCPDISCOVER from 00:12:79:ad:c6:fc via fxp0
> Sep 28 14:35:03 dhcpd: DHCPOFFER on 192.168.2.254 to 00:12:79:ad:c6:fc (TRC-dc5100) via xl0
> Sep 28 14:35:03 dhcpd: DHCPDISCOVER from 00:12:79:ad:c6:fc via xl0
> Sep 28 14:34:51 dhcpd: DHCPRELEASE of 192.168.2.254 from 00:12:79:ad:c6:fc via fxp0 (found)
> Sep 28 14:34:51 dhcpd: DHCPRELEASE of 192.168.2.254 from 00:12:79:ad:c6:fc (TRC-dc5100) via xl0 (found)
> Sep 28 14:34:49 dhcpd: send_packet: Invalid argument
> Sep 28 14:34:49 dhcpd: DHCPACK on 192.168.2.254 to 00:12:79:ad:c6:fc (TRC-dc5100) via fxp0
> Sep 28 14:34:49 dhcpd: DHCPREQUEST for 192.168.2.254 from 00:12:79:ad:c6:fc (TRC-dc5100) via fxp0
> Sep 28 14:34:49 dhcpd: send_packet: Invalid argument
>
> ##
> My two lan interfaces are as below:
>
> fxp0
> 192.168.0.3
> 24
> 100
> Mb
>
> LAN2
> xl0
> 100
> Mb
> 192.168.2.4
> 24
>
> and dhcp servers:
>
> 192.168.0.250
> 192.168.0.250
>
> 00:14:c2:0b:95:49
> 192.168.0.21
> lvc-felsorec
>
> 00:08:02:d8:1f:eb
> 192.168.0.130
> I.I. nc6000
>
> 00:12:79:ad:c6:fc
> 192.168.0.22
> dc5100 teszt
>
> 192.168.1.5
> 192.168.1.1
>
> 192.168.2.254
> 192.168.2.254
>
> 00:08:02:d8:ae:23
> 192.168.2.130
> Kris nc6000
>
> 192.168.3.3
> 192.168.3.1
>
> --
> This email is made from 100% recycled electrons
[pfSense Support] unexpected dhcp lease
Hi,

I have a problem with pfSense's dhcp server since 0.85.x (I guess it wasn't an issue in 0.84.6).
I have two lan interfaces and both serve as dhcp server, of course not overlapping.
My problem is that on lan2 (opt2 - xl0) a dynamic ip address is always issued although it shouldn't be, because only fixed leases are expected. This is the only address I have to configure for the dhcp server's range. What's more strange, for that mac address (00:12:79:ad:c6:fc) a fixed lease is reserved on the other (fxp0) interface, which, as I see in the logs, is offered once, but the other address is picked up.
This never happened on the other interface.

In syslog I have:

Sep 28 14:35:04 last message repeated 2 times
Sep 28 14:35:03 kernel: arp: 192.168.2.254 is on xl0 but got reply from 00:12:79:ad:c6:fc on fxp0
Sep 28 14:34:49 last message repeated 5 times
Sep 28 14:34:36 dhcpd: send_packet: Invalid argument

and in dhcp logs:

Sep 28 14:35:03 dhcpd: DHCPNAK on 192.168.2.254 to 00:12:79:ad:c6:fc via fxp0
Sep 28 14:35:03 dhcpd: DHCPREQUEST for 192.168.2.254 (192.168.2.4) from 00:12:79:ad:c6:fc (TRC-dc5100) via fxp0: wrong network.
Sep 28 14:35:03 dhcpd: DHCPACK on 192.168.2.254 to 00:12:79:ad:c6:fc (TRC-dc5100) via xl0
Sep 28 14:35:03 dhcpd: DHCPREQUEST for 192.168.2.254 (192.168.2.4) from 00:12:79:ad:c6:fc (TRC-dc5100) via xl0
Sep 28 14:35:03 dhcpd: DHCPOFFER on 192.168.0.22 to 00:12:79:ad:c6:fc via fxp0
Sep 28 14:35:03 dhcpd: DHCPDISCOVER from 00:12:79:ad:c6:fc via fxp0
Sep 28 14:35:03 dhcpd: DHCPOFFER on 192.168.2.254 to 00:12:79:ad:c6:fc (TRC-dc5100) via xl0
Sep 28 14:35:03 dhcpd: DHCPDISCOVER from 00:12:79:ad:c6:fc via xl0
Sep 28 14:34:51 dhcpd: DHCPRELEASE of 192.168.2.254 from 00:12:79:ad:c6:fc via fxp0 (found)
Sep 28 14:34:51 dhcpd: DHCPRELEASE of 192.168.2.254 from 00:12:79:ad:c6:fc (TRC-dc5100) via xl0 (found)
Sep 28 14:34:49 dhcpd: send_packet: Invalid argument
Sep 28 14:34:49 dhcpd: DHCPACK on 192.168.2.254 to 00:12:79:ad:c6:fc (TRC-dc5100) via fxp0
Sep 28 14:34:49 dhcpd: DHCPREQUEST for 192.168.2.254 from 00:12:79:ad:c6:fc (TRC-dc5100) via fxp0
Sep 28 14:34:49 dhcpd: send_packet: Invalid argument

##
My two lan interfaces are as below:

fxp0
192.168.0.3
24
100
Mb

LAN2
xl0
100
Mb
192.168.2.4
24

and dhcp servers:

192.168.0.250
192.168.0.250

00:14:c2:0b:95:49
192.168.0.21
lvc-felsorec

00:08:02:d8:1f:eb
192.168.0.130
I.I. nc6000

00:12:79:ad:c6:fc
192.168.0.22
dc5100 teszt

192.168.1.5
192.168.1.1

192.168.2.254
192.168.2.254

00:08:02:d8:ae:23
192.168.2.130
Kris nc6000

192.168.3.3
192.168.3.1

--
This email is made from 100% recycled electrons
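Bill's observation in this thread, that the same client's DHCPREQUEST arrived via both fxp0 and xl0, can be checked mechanically against the dhcpd log. The following is an added example, not code from the thread or from pfSense: a small Python checker run over the dhcpd lines Imre posted, with the two interface subnets and the fixed-lease entry for 00:12:79:ad:c6:fc taken from his config excerpt. It reports MACs the server sees through more than one interface (a sign that the two logical networks share a broadcast domain), DHCPACKs that hand a reserved client an address other than its fixed one, OFFER/ACK replies whose address lies outside the subnet of the interface they went out on, and the number of send_packet errors. The message grammar it parses is the one visible in those lines.

```python
"""Checks over ISC dhcpd syslog lines for a two-interface DHCP server.

Added example, not part of the original post. LOG is the dhcpd excerpt from
Imre's mail; IFACE_SUBNETS and RESERVATIONS are taken from his config values.
"""
import ipaddress
import re
from collections import defaultdict

# dhcpd log lines as posted in the thread (newest first, as the syslog viewer shows them).
LOG = """\
Sep 28 14:35:03 dhcpd: DHCPNAK on 192.168.2.254 to 00:12:79:ad:c6:fc via fxp0
Sep 28 14:35:03 dhcpd: DHCPREQUEST for 192.168.2.254 (192.168.2.4) from 00:12:79:ad:c6:fc (TRC-dc5100) via fxp0: wrong network.
Sep 28 14:35:03 dhcpd: DHCPACK on 192.168.2.254 to 00:12:79:ad:c6:fc (TRC-dc5100) via xl0
Sep 28 14:35:03 dhcpd: DHCPREQUEST for 192.168.2.254 (192.168.2.4) from 00:12:79:ad:c6:fc (TRC-dc5100) via xl0
Sep 28 14:35:03 dhcpd: DHCPOFFER on 192.168.0.22 to 00:12:79:ad:c6:fc via fxp0
Sep 28 14:35:03 dhcpd: DHCPDISCOVER from 00:12:79:ad:c6:fc via fxp0
Sep 28 14:35:03 dhcpd: DHCPOFFER on 192.168.2.254 to 00:12:79:ad:c6:fc (TRC-dc5100) via xl0
Sep 28 14:35:03 dhcpd: DHCPDISCOVER from 00:12:79:ad:c6:fc via xl0
Sep 28 14:34:51 dhcpd: DHCPRELEASE of 192.168.2.254 from 00:12:79:ad:c6:fc via fxp0 (found)
Sep 28 14:34:51 dhcpd: DHCPRELEASE of 192.168.2.254 from 00:12:79:ad:c6:fc (TRC-dc5100) via xl0 (found)
Sep 28 14:34:49 dhcpd: send_packet: Invalid argument
Sep 28 14:34:49 dhcpd: DHCPACK on 192.168.2.254 to 00:12:79:ad:c6:fc (TRC-dc5100) via fxp0
Sep 28 14:34:49 dhcpd: DHCPREQUEST for 192.168.2.254 from 00:12:79:ad:c6:fc (TRC-dc5100) via fxp0
Sep 28 14:34:49 dhcpd: send_packet: Invalid argument
"""

# From the posted config: subnet served on each interface, and the fixed lease
# for the client in question (reserved on the fxp0 / LAN side).
IFACE_SUBNETS = {
    "fxp0": ipaddress.ip_network("192.168.0.0/24"),
    "xl0": ipaddress.ip_network("192.168.2.0/24"),
}
RESERVATIONS = {"00:12:79:ad:c6:fc": "192.168.0.22"}

DHCP_RE = re.compile(r"dhcpd: (?P<msg>DHCP[A-Z]+)(?P<rest>.*)$")
MAC_RE = re.compile(r"\b[0-9a-f]{2}(?::[0-9a-f]{2}){5}\b", re.I)
IP_RE = re.compile(r"\b(?:on|for|of) (\d{1,3}(?:\.\d{1,3}){3})\b")
VIA_RE = re.compile(r"\bvia (\w+)")


def parse(log):
    """One dict per DHCP message: type, address, client MAC, interface, wrong-network flag."""
    records = []
    for line in log.splitlines():
        m = DHCP_RE.search(line)
        if not m:
            continue  # "send_packet: Invalid argument" is not a DHCP message
        rest = m.group("rest")
        mac, ip, via = MAC_RE.search(rest), IP_RE.search(rest), VIA_RE.search(rest)
        records.append({
            "type": m.group("msg"),
            "ip": ip.group(1) if ip else None,
            "mac": mac.group(0).lower() if mac else None,
            "iface": via.group(1) if via else None,
            "wrong_network": "wrong network" in rest,
        })
    return records


def clients_on_multiple_interfaces(records):
    """MAC -> sorted interfaces, for clients the server hears on more than one interface."""
    seen = defaultdict(set)
    for r in records:
        if r["mac"] and r["iface"]:
            seen[r["mac"]].add(r["iface"])
    return {mac: sorted(ifs) for mac, ifs in seen.items() if len(ifs) > 1}


def reservation_violations(records, reservations):
    """DHCPACKs that give a reserved client something other than its fixed address."""
    return [(r["mac"], r["ip"], r["iface"]) for r in records
            if r["type"] == "DHCPACK" and r["mac"] in reservations
            and r["ip"] != reservations[r["mac"]]]


def off_subnet_replies(records, subnets):
    """OFFER/ACK whose address is outside the subnet of the interface it was sent on."""
    out = []
    for r in records:
        if r["type"] in ("DHCPOFFER", "DHCPACK") and r["ip"] and r["iface"] in subnets:
            if ipaddress.ip_address(r["ip"]) not in subnets[r["iface"]]:
                out.append((r["type"], r["ip"], r["iface"]))
    return out


def count_send_errors(log):
    """Lines where dhcpd could not transmit at all (send_packet failures)."""
    return sum("send_packet:" in line for line in log.splitlines())


if __name__ == "__main__":
    recs = parse(LOG)
    print("clients seen on several interfaces:", clients_on_multiple_interfaces(recs))
    print("reservation violations:", reservation_violations(recs, RESERVATIONS))
    print("off-subnet replies:", off_subnet_replies(recs, IFACE_SUBNETS))
    print("wrong-network requests:", sum(r["wrong_network"] for r in recs))
    print("send_packet errors:", count_send_errors(LOG))
```

On the posted excerpt the checker reports the single client on both fxp0 and xl0, two ACKs of 192.168.2.254 to a MAC whose fixed lease is 192.168.0.22, one ACK of 192.168.2.254 sent out fxp0 although that interface serves 192.168.0.0/24, one "wrong network" request and two send_packet errors. Each of those is a concrete symptom to hand back with the bug report; the script does not decide whether the cause is the shared switch or the server, only that the server is answering one client on two networks.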
[pfSense Support] How to configure Pfsense to do what I do with iptables
First of all, a little description of my situation. I am in a high school room, where we access the LAN via DHCP through a proxy. I also have, besides the school connection, an ADSL connection (ppp0). I am using a server (connected to the school LAN, to the ADSL and to my computer) to determine the connection I use. I've set up iptables rules which work fine for me. I am planning on moving to pfSense and I would like to know if it is capable of doing the same thing my iptables script is capable of. I've installed pfSense on my WRAP and want to set up the rules, but I don't find what I want in the NAT section (can't pick the outbound interface I want to use). In a few words, I want to use the ADSL for some connections and the internal connection for others. I also want to redirect some inbound connections to the ADSL connection.

Here is my script:

#!/bin/sh
#-
# eth0 --> 00:0C:6E:2B:CF:94 Internal LAN (my PC to server), fixed IP
# eth1 --> 00:02:44:29:C7:45 School LAN, DHCP
# eth2 --> 00:26:54:0C:04:18 ADSL
#-

# Route configuration
route del default gw 10.133.15.254
route add -host 10.133.15.254 dev eth1
route add -net 10.0.0.0/8 gw 10.133.15.254
route add -net 192.168.2.0/24 gw 10.133.15.254
route add default gw 84.97.32.1

# Flush everything
iptables -F
iptables -t nat -F

# NAT rules
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 10.0.0.0/8 -o eth1 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 192.168.2.0/24 -o eth1 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE

# Anti ping of death
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

#---
# ETH1
#--
# Refuse ports on eth1
iptables -A INPUT -i eth1 -m state --state NEW,INVALID -j REJECT
iptables -A FORWARD -i eth1 -m state --state NEW,INVALID -j REJECT
# Open ports
iptables -I INPUT -i eth1 -p tcp --dport 80 -j ACCEPT
iptables -I INPUT -i eth1 -p udp --dport 80 -j ACCEPT
iptables -I INPUT -i eth1 -p tcp --dport 20:21 -j ACCEPT
iptables -I INPUT -i eth1 -p udp --dport 20:21 -j ACCEPT
iptables -I INPUT -i eth1 -p tcp --dport :6670 -j ACCEPT
iptables -I INPUT -i eth1 -p tcp --dport 7000 -j ACCEPT

#---
# PPP0
#--
# Refuse ports on ppp0
iptables -A INPUT -i ppp0 -m state --state NEW,INVALID -j DROP
iptables -A FORWARD -i ppp0 -m state --state NEW,INVALID -j DROP
# Open ports
iptables -I INPUT -i ppp0 -p tcp --dport 80 -j ACCEPT
iptables -I INPUT -i ppp0 -p udp --dport 80 -j ACCEPT
iptables -I INPUT -i ppp0 -p tcp --dport 20:21 -j ACCEPT
iptables -I INPUT -i ppp0 -p udp --dport 20:21 -j ACCEPT
iptables -I INPUT -i eth1 -p tcp --dport :6670 -j ACCEPT
iptables -I INPUT -i eth1 -p tcp --dport 7000 -j ACCEPT
iptables -I INPUT -i eth1 -p tcp --dport 4000 -j ACCEPT
iptables -I INPUT -i eth1 -p tcp --dport 6112:6119 -j ACCEPT
iptables -I INPUT -i eth1 -p udp --dport 4000 -j ACCEPT
iptables -I INPUT -i eth1 -p udp --dport 6112:6119 -j ACCEPT

#-
# Application routing
#
# Direct Connect sharing
iptables -I FORWARD -i eth1 -p tcp --dport 4120:4121 -j ACCEPT
iptables -I FORWARD -i eth1 -p udp --dport 4120:4121 -j ACCEPT
iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 4120 -j DNAT --to 192.168.1.111:4120
iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 4121 -j DNAT --to 192.168.1.111:4121
iptables -A PREROUTING -t nat -i eth1 -p udp --dport 4120 -j DNAT --to 192.168.1.111:4120
iptables -A PREROUTING -t nat -i eth1 -p udp --dport 4121 -j DNAT --to 192.168.1.111:4121

# eMule routing
iptables -I FORWARD -i ppp0 -p tcp --dport 4662 -j ACCEPT
iptables -I FORWARD -i ppp0 -p udp --dport 4672 -j ACCEPT
iptables -I FORWARD -i ppp0 -p udp --dport 4665 -j ACCEPT
iptables -A PREROUTING -t nat -i ppp0 -p tcp --dport 4662 -j DNAT --to 192.168.1.111:4662
iptables -A PREROUTING -t nat -i ppp0 -p udp --dport 4672 -j DNAT --to 192.168.1.111:4672
iptables -A PREROUTING -t nat -i ppp0 -p udp --dport 4665 -j DNAT --to 192.168.1.111:4665

# BitTorrent routing
iptables -I FORWARD -i ppp0 -p tcp --dport 6881:6889 -j ACCEPT
iptables -I FORWARD -i ppp0 -p udp --dport 6881:6889 -j ACCEPT
iptables -A PREROUTING -t nat -i ppp0 -p tcp --dport 6881 -j DNAT --to 192.168.1.111:6881
iptables -A PREROUTING -t nat -i ppp0 -p tcp --dport 6882 -j DNAT --to 192.168.1.111:6882
iptables -A PREROUTING -t nat -i ppp0 -p tcp --dport 6883 -j DNAT --to 192.168.1.111:6883
iptables -A PREROUTING -t nat -i ppp0 -p tcp --dport 6884 -j DNAT --to 192.168.1.111:6884
iptables -A PREROUTING -t nat -i ppp0 -p tcp --dport 6885 -j DNAT --to 192.168.1.111:6885
iptables -A PREROUTING -t nat -i ppp0 -p tcp --dport 6886 -j DNAT --to 192.168.1.111:6886
iptables -A PREROUTING -t nat -i ppp0 -p tcp --dport 6887 -j DNAT --to 192.168.1.111:6887
iptables -A PREROUTING -t nat -i ppp0 -p tcp --dport 6888 -j DNAT --to
RE: [pfSense Support] 050.2 CARP won't go Master or Backup
Ok, so I spent some time on this, this morning.

One of the problems I had yesterday during update_file.sh (on 085.4).. it somehow broke OPT1(sync) and kept making it disabled. So carp would never come up, once I got this sorted by going to 085.6 I could go forward.

So ..
1) I brought router2 back up and did all upgrades and reconfigured CARP;
2) CARP still behaves badly
3) Did another update_file.sh after 085.6, CARP behaves badly.

It may go master/backup first time, but when doing disable/enable it stays init on BOTH routers.

I dropped to a shell .. and simply did a "ifconfig carp0 up" on both. CARP comes up in the appropriate mode (master/backup) and virtual IPs work again as expected. i.e. this fixes the issue. Disable/enable button breaks it again. i.e. a working server as Master will go back to init after hitting enable/disable.

Hope this helps?
Ivan.

-Original Message-
From: Holger Bauer [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 28, 2005 1:49 AM
To: support@pfsense.com
Subject: AW: [pfSense Support] 050.2 CARP won't go Master or Backup

ok, I have experienced some strange problems bringing up CARP-Interfaces here as well (quite reproducible but also a bit sporadic). Scott did several changes and he finally came up with something that now is running on my systems without any problems any more (my systems are also syncing via a crossover-cable, no switch in between).

Ivan, if you can please crosslink your systems again and do a "update_file.sh /etc/inc/interfaces.inc" on both systems before testing again.

To have a switch between two machines is needed if you have more than 2 machines in the cluster but with only two machines it's an additional "point of failure" if the switch dies or only has a power failure. Syncing should work with crosslink-cables too. So if you can give it a try and report back we would appreciate it.

Thank you in advance,
Holger

-Original Message-
From: Bill Marquette [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 27 September 2005 20:20
To: support@pfsense.com
Subject: Re: [pfSense Support] 050.2 CARP won't go Master or Backup

On 9/27/05, Frimmel, Ivan (ISS South Africa) <[EMAIL PROTECTED]> wrote:
> HI
>
> PPPoe is on WAN .. CARP is on LAN with carp sync on OPT1.
>
> OK so you guys are going to laugh at me. I do feel stupid. As a fault finding
> procedure and just to get connectivity back I halted router2, which is UTP
> crossed over connected to router 1 on OPT1. So OPT1 (carp sync) is down. (no
> link since you need both nic up to have link). CARP will NOT come up without
> link on OPT1. My suggestion in terms of best practice is to have a switch on
> OPT(sync) when using CARP. It has wasted a lot of my time and it IS my fault
> cause I was cheap just using cross over cable.
> Tx all ..

Hrm...I'll have to test this out at home :-/ At work everything is always plugged into a switch (the machines are miles apart), but at home I'm using a crossover cable for the dedicated sync network. But I didn't think that CARP would stay down forever if the sync interface was down :-/

--Bill