Re: [pfSense Support] Traffic shaper question + no parent problem
Thanks Bill! It seems that if I get some free time I'll attempt to fix that function to be recursive, and I'll let you know. Meanwhile the config the wizard generates is a pretty good start for everything.

On 10/9/05, Bill Marquette [EMAIL PROTECTED] wrote:
> On 10/9/05, Szasz Revai Endre [EMAIL PROTECTED] wrote:
> > Okay, so I linked the qWanRoot and qLanRoot to the overallWan and overallWan respectively, each of them being parent queues (parents to the real root queue (hfsc)), but this is the generated config (rules.debug):
> >
> > altq on fxp1 hfsc queue { qWANRoot }
> > altq on fxp0 hfsc queue { qLANRoot }
> > queue overallLAN bandwidth 100Mb priority 5 hfsc { qLANRoot }
> > queue overallWAN bandwidth 100Mb priority 5 hfsc { qWANRoot }
> >
> > The overallLAN and overallWAN should have been the parent queues, which are only children to the `real root queue (hfsc)` and nothing else.
>
> Yep. You and I are getting the same thing.
>
> > If I were to modify rules.debug by hand, could the system then use that? How would I load that configuration up?
>
> pfctl -f /tmp/rules.rules.debug and /sbin/pfctl -a {$queue['name']} -f /tmp/{$queue['name']}.rules on each of the rules files in /tmp. Any reboots and any webgui change will likely blow your manual configs away.
>
> --Bill

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
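A small checker for the "no parent" problem discussed above, added here as an example (it is not pfSense code): it rebuilds the ALTQ queue tree from the altq/queue lines of a rules.debug and reports queues that are never listed as anyone's child or that are claimed by two parents, which is exactly what the mis-generated config shows. The sample rules are the ones quoted in the thread plus a constructed version of the tree the poster says was intended.

```python
import re

# Constructed sample: the mis-generated rules.debug quoted in the thread.
# The intended tree is interface root -> overallWAN -> qWANRoot, but here
# qWANRoot hangs directly off the interface root AND under overallWAN,
# while overallWAN itself is never referenced as anyone's child.
GENERATED_RULES = """\
altq on fxp1 hfsc queue { qWANRoot }
altq on fxp0 hfsc queue { qLANRoot }
queue overallLAN bandwidth 100Mb priority 5 hfsc { qLANRoot }
queue overallWAN bandwidth 100Mb priority 5 hfsc { qWANRoot }
"""

# Constructed sample of the tree the thread says should have been generated.
EXPECTED_RULES = """\
altq on fxp1 hfsc queue { overallWAN }
altq on fxp0 hfsc queue { overallLAN }
queue overallWAN bandwidth 100Mb priority 5 hfsc { qWANRoot }
queue overallLAN bandwidth 100Mb priority 5 hfsc { qLANRoot }
queue qWANRoot bandwidth 100Mb hfsc
queue qLANRoot bandwidth 100Mb hfsc
"""

# "altq on <iface> ... queue { children }" defines the per-interface root.
ALTQ_RE = re.compile(r"^altq\s+on\s+(\S+)\s+.*?queue\s*\{([^}]*)\}")
# "queue <name> <options...> [{ children }]" defines a child queue.
QUEUE_RE = re.compile(r"^queue\s+(\S+)\s*(.*)$")


def _names(blob):
    """Split a '{ a, b c }' child list into bare queue names."""
    return [n for n in re.split(r"[\s,]+", blob.strip()) if n]


def parse_queue_tree(text):
    """Map each parent to its child list. Interface roots are named
    'root:<iface>'; a queue line without a '{ ... }' list has no children."""
    children = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = ALTQ_RE.match(line)
        if m:
            children["root:" + m.group(1)] = _names(m.group(2))
            continue
        m = QUEUE_RE.match(line)
        if m:
            kids = re.search(r"\{([^}]*)\}", m.group(2))
            children[m.group(1)] = _names(kids.group(1)) if kids else []
    return children


def find_parent_problems(text):
    """Return sorted descriptions of queues with no parent (declared but never
    listed as a child) or with more than one parent (listed under two parents).
    An empty list means every queue sits exactly once in the tree."""
    children = parse_queue_tree(text)
    parents = {}
    for parent, kids in children.items():
        for kid in kids:
            parents.setdefault(kid, []).append(parent)
    declared = {name for name in children if not name.startswith("root:")}
    problems = []
    for name in sorted(declared | set(parents)):
        p = parents.get(name, [])
        if not p:
            problems.append(f"{name}: no parent")
        elif len(p) > 1:
            problems.append(f"{name}: multiple parents {sorted(p)}")
    return problems


if __name__ == "__main__":
    for label, rules in (("generated", GENERATED_RULES), ("expected", EXPECTED_RULES)):
        print(label, find_parent_problems(rules) or "ok")
```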
[pfSense Support] snmpd and 0.68.4 on wrap
We have a wrap board that runs on a failover system. There are about 25 VIP addresses on this system and 8 vlans. We are having problems with snmpd. It does not respond to a snmpwalk. Netstat says it is listening on all ports. Top says that it is running. There are no blocks in the firewall denying the traffic; there is nothing in the pf state table. Checked /var/run and there is a .sock, a .pid and a .conf for snmpd.

All other boxes that we run are running just fine. I am stumped. I am thinking it has something to do with the number of VIPs, as all other sites use vlans and the configuration for snmpd is the same.
[pfSense Support] passive ftp
Hi, I would like to know how to enable passive ftp transfers thru pfsense, because opening 21/tcp and 20/tcp|20/udp seems not to be enough (what about the dynamically opened ports to allow such type of connection?)

TIA, Rgds,
jonathan
[pfSense Support] upgrade from 86.2 to 86.4 - howto
Hi, I think the information on the web does not reflect my inquiry, but of course I may be wrong. I would like to know how to upgrade my platform from 0.86.2 to 0.86.4. I would appreciate a link or a quick how-to.

TIA, Rgds,
jonathan
Re: [pfSense Support] upgrade from 86.2 to 86.4 - howto
On 10/10/05, Jonathan Gonzalez [EMAIL PROTECTED] wrote:
> Hi, I think the information on the web does not reflect my inquiry, but of course I may be wrong. I would like to know how to upgrade my platform from 0.86.2 to 0.86.4.

Download the full update from the website. Login to the web-gui and go to System/Manual update. Enable firmware upload and upload the file you downloaded. This is all! The FW will boot and you have the new version.

-- Jeroen
AW: [pfSense Support] upgrade from 86.2 to 86.4 - howto
1. Download the latest full upgrade file from a mirror near you (like ftp://reflection.ncsa.uiuc.edu/pub/pfSense/updates/pfSense-Full-Update-0.86.4.tgz). You find the mirror selection at our page under Downloads/Upgrades.
2. Go in your WebGui to general > firmware and go to the tab "manual upgrade".
3. Hit "enable Firmware upload".
4. Search for the file you downloaded and click upload.
5. Wait for your firewall to do the upgrade. It'll reboot after it's done and will be up after that with your last configuration.

Holger

-----Original Message-----
From: Jonathan Gonzalez [mailto:[EMAIL PROTECTED]]
Sent: Monday, 10 October 2005 13:16
To: support@pfsense.com
Subject: [pfSense Support] upgrade from 86.2 to 86.4 - howto

Hi, I think the information on the web does not reflect my inquiry, but of course I may be wrong. I would like to know how to upgrade my platform from 0.86.2 to 0.86.4. I would appreciate a link or a quick how-to.

TIA, Rgds,
jonathan
Re: [pfSense Support] upgrade from 86.2 to 86.4 - howto
Thanks a lot Holger ;)

jonathan

On 10/10/05, Holger Bauer [EMAIL PROTECTED] wrote:
> 1. Download the latest full upgrade file from a mirror near you (like ftp://reflection.ncsa.uiuc.edu/pub/pfSense/updates/pfSense-Full-Update-0.86.4.tgz). You find the mirror selection at our page under Downloads/Upgrades.
> 2. Go in your WebGui to general > firmware and go to the tab "manual upgrade".
> 3. Hit "enable Firmware upload".
> 4. Search for the file you downloaded and click upload.
> 5. Wait for your firewall to do the upgrade. It'll reboot after it's done and will be up after that with your last configuration.
>
> Holger
Re: [pfSense Support] passive ftp
Hi,

I've got passive ftp going, here's the relevant rules. I'm trying to get active working and that is not.

Thanks.
Dave.

rules

ext_if = rl0
int_if = xl0
int_net = $int_if:network
tcp_state = "flags S/SA modulate state"

# translate lan client addresses to that of the external interface
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Redirect lan client FTP requests (to an FTP server's control port 21)
# to the ftp-proxy running on the firewall host (via inetd on port 8021)
rdr on $int_if inet proto tcp from $int_net to any port 21 -> 127.0.0.1 port 8021

# block by default
block log all

# pass all loopback traffic
pass quick on lo0 all

# Allow remote FTP servers (on data port 20) to respond to the proxy's
# active FTP requests by contacting it on the port range specified in inetd.conf
pass in quick on $ext_if inet proto tcp from any port 20 to 127.0.0.1 port 55000 >< 57000 user proxy $tcp_state

# Allow ftp-proxy packets destined to port 20 to exit $ext_if
# in order to maintain communications with the ftp server
pass out quick on $ext_if inet proto tcp from $ext_if to any port 20 $tcp_state

# Allow firewall to contact ftp server on behalf of passive ftp client
pass out quick on $ext_if inet proto tcp from $ext_if port 55000:57000 to any user proxy $tcp_state

# allow ftp connections from lan to proxy
pass in quick on $int_if inet proto tcp from $int_net to lo0 port 8021 $tcp_state
pass in quick on $int_if inet proto tcp from $int_net to $ext_if port 55000:57000 $tcp_state
Re: [pfSense Support] passive ftp
Hi Dave [hi all], when I said passive ftp I was thinking of allowing passive ftp to work from external clients to my server, which is hosted behind pfsense. I understand that your comment only applies to internal to external connections, doesn't it?

TIA, Rgds,
jonathan

On 10/10/05, Dave [EMAIL PROTECTED] wrote:
> Hi, I've got passive ftp going, here's the relevant rules. I'm trying to get active working and that is not.
>
> Thanks.
> Dave.
Re: [pfSense Support] passive ftp
As of 0.86.4 there should be an automatic ftp helper that is launched for internet -> lan ftp redirections. Make sure you're on the latest version.

Scott

On 10/10/05, Jonathan Gonzalez [EMAIL PROTECTED] wrote:
> Hi Dave [hi all], when I said passive ftp I was thinking of allowing passive ftp to work from external clients to my server, which is hosted behind pfsense. I understand that your comment only applies to internal to external connections, doesn't it?
>
> TIA, Rgds,
> jonathan
Re: [pfSense Support] passive ftp
At 11:13 AM 10/10/2005, you wrote:
> As of 0.86.4 there should be an automatic ftp helper that is launched for internet -> lan ftp redirections. Make sure you're on the latest version.

Hmmm, I'm on 0.86.4 now, and it doesn't work for me. I went to an external linux server and ftp'ed back in to my pure-ftp server (on my freebsd 5.4 server) and see this:

ftp> passive
Passive mode on.
ftp> dir
227 Entering Passive Mode (10,0,0,2,191,87)
ftp: connect: No route to host

Here are the pftpx processes:

# ps ax | grep ftp
565  ??  Ss     0:00.27 /usr/local/sbin/pftpx -g 8021 216.129.135.2
699  ??  Ss     0:00.23 /usr/local/sbin/pftpx -c 21 -f 10.0.0.2 -g 21

Is there anything else you need to see? Rules?
RE: [pfSense Support] passive ftp
No route to host seems a little odd. Where did you start the ftp from and where was it going to (lan -> dmz)?

-----Original Message-----
From: Dan Swartzendruber [mailto:[EMAIL PROTECTED]]
Sent: Monday, October 10, 2005 10:24 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] passive ftp

Hmmm, I'm on 0.86.4 now, and it doesn't work for me. I went to an external linux server and ftp'ed back in to my pure-ftp server (on my freebsd 5.4 server) and see this:

ftp> passive
Passive mode on.
ftp> dir
227 Entering Passive Mode (10,0,0,2,191,87)
ftp: connect: No route to host
RE: [pfSense Support] passive ftp
Oh sorry, I didn't read this very well. I'm guessing the problem has to do with the ftp proxy (pftpx) saying the data channel is on 10.0.0.2.

> 227 Entering Passive Mode (10,0,0,2,191,87) <- 10,0,0,2

-----Original Message-----
From: Dan Swartzendruber [mailto:[EMAIL PROTECTED]]
Sent: Monday, October 10, 2005 10:24 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] passive ftp

Here are the pftpx processes:

# ps ax | grep ftp
565  ??  Ss     0:00.27 /usr/local/sbin/pftpx -g 8021 216.129.135.2
699  ??  Ss     0:00.23 /usr/local/sbin/pftpx -c 21 -f 10.0.0.2 -g 21

Is there anything else you need to see? Rules?
[pfSense Support] WebConfigurator Username ....
I have just updated from 0.82.4 -> 0.86.4 and find that the webConfigurator (custom) username is still not being used (it still uses admin). I found this to be the case in the 0.86 version also, though upon looking at the config it clearly shows the username change in the config file.

Thoughts/fixes/suggestions ... ???

--
David L. Strout
Re: [pfSense Support] WebConfigurator Username ....
Bug. http://cvstrac.pfsense.com/tktview?tn=598,6

Scott

On 10/10/05, David Strout [EMAIL PROTECTED] wrote:
> I have just updated from 0.82.4 -> 0.86.4 and find that the webConfigurator (custom) username is still not being used (it still uses admin). I found this to be the case in the 0.86 version also, though upon looking at the config it clearly shows the username change in the config file.
>
> Thoughts/fixes/suggestions ... ???
>
> --
> David L. Strout
RE: [pfSense Support] passive ftp
At 11:46 AM 10/10/2005, you wrote:
> Oh sorry, I didn't read this very well. I'm guessing the problem has to do with the ftp proxy (pftpx) saying the data channel is on 10.0.0.2.
>
> 227 Entering Passive Mode (10,0,0,2,191,87) <- 10,0,0,2

Ah, yeah, I didn't notice that either. Not enough coffee, I guess :( So it's not being nat'ed correctly? (Or at all?)
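The check the two posters just did by eye, as an added example (not pfSense or pftpx code): parse an FTP "227 Entering Passive Mode" reply per RFC 959 (port = p1*256 + p2) and flag the case from this thread, where the proxy hands an external client a private RFC 1918 data address instead of the firewall's public one. The sample replies are constructed from the addresses quoted above; the control-peer address is assumed to be the public address the client connected to.

```python
import ipaddress
import re

# 227 reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" (RFC 959 / RFC 1123)
PASV_RE = re.compile(r"^227\s.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (ip, port) advertised by a 227 reply, or None if the line is not
    a well-formed 227 reply. The port is p1*256 + p2."""
    m = PASV_RE.match(reply.strip())
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def check_pasv(reply, control_peer):
    """Classify a PASV reply as seen by a client whose control connection went
    to control_peer (the firewall's WAN address for an outside client).
    A private data address behind a public control address is the failure in
    the thread: the client cannot route to it, hence 'No route to host'."""
    parsed = parse_pasv(reply)
    if parsed is None:
        return "not a 227 reply"
    ip, port = parsed
    addr = ipaddress.ip_address(ip)
    peer = ipaddress.ip_address(control_peer)
    if addr.is_private and not peer.is_private:
        return f"unreachable: private data address {ip}:{port} behind public {control_peer}"
    if ip != control_peer:
        # Legal (RFC 959 allows a different host) but worth flagging: a proxy
        # or NAT that rewrote the control address but not the data address.
        return f"suspicious: data address {ip} differs from control peer {control_peer}"
    return f"ok: {ip}:{port}"


if __name__ == "__main__":
    # Constructed from the thread: pure-ftpd at 10.0.0.2 behind WAN 216.129.135.2.
    broken = "227 Entering Passive Mode (10,0,0,2,191,87)"
    fixed = "227 Entering Passive Mode (216,129,135,2,191,87)"
    for line in (broken, fixed):
        print(line, "->", check_pasv(line, "216.129.135.2"))
```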
Re: [pfSense Support] WebConfigurator Username ....
> Bug. http://cvstrac.pfsense.com/tktview?tn=598,6

So, is there a manual edit I can do to fix this, as the CVS track shows?

> Scott
Re: [pfSense Support] passive ftp
Hi,

Yes, my comment was internal connections to external servers.

Dave.

----- Original Message -----
From: Jonathan Gonzalez [EMAIL PROTECTED]
To: support@pfsense.com
Sent: Monday, October 10, 2005 10:59 AM
Subject: Re: [pfSense Support] passive ftp

> Hi Dave [hi all], when I said passive ftp I was thinking of allowing passive ftp to work from external clients to my server, which is hosted behind pfsense. I understand that your comment only applies to internal to external connections, doesn't it?
>
> TIA, Rgds,
> jonathan
Re: [pfSense Support] WebConfigurator Username ....
Not as of yet.

On 10/10/05, David Strout [EMAIL PROTECTED] wrote:
> > Bug. http://cvstrac.pfsense.com/tktview?tn=598,6
>
> So, is there a manual edit I can do to fix this, as the CVS track shows?
[pfSense Support] IPSec tunnel and Remote Desktop
Hi,

I've created a site-to-site IPSec tunnel between my home and office. At home I'm using the latest pfsense, 0.86.4, and at work, m0n0wall. I used the basic instructions in the tutorial. The home network is 10.53.x.x/24, the work network is 192.168.x.x/24. Both are NAT'ed. At home I have a dynamic DNS, but that's ok since I only want to be able to connect *to* the office.

The tunnel gets established properly, and I can ping machines at the office through the tunnel. I can access the webgui of the office's m0n0wall router without a problem. However, I cannot use remote desktop. When I attempt to connect to a machine, I get a partial connection (the screen starts drawing), but it hangs and never even shows me the login information.

I was also hoping to access our office's sql server using the tunnel. I can establish the connection, but queries are never returned, and query analyzer always complains about a broken network connection.

I'm guessing this has something to do with having the networks behind NAT. Any ideas?
RE: [pfSense Support] IPSec tunnel and Remote Desktop
Hmm, do you have any telnet servers you could try to connect to through the tunnel? I'm wondering if you're running into a MSS/no-fragmentation issue. It might be nice to see a

tcpdump -ni $lan-if -w output.pcap 'host $your_client_ip'

from the firewall. Let it capture for 5 mins while you try the remote desktop session. When you're finished, just ctrl-c the tcpdump and send it this way. You should now have an output.pcap file in whatever dir you ran that command from.

I'm guessing we might need to do some mss fixup for ipsec tunnels.

My 0.02c

-----Original Message-----
From: Jason Landry [mailto:[EMAIL PROTECTED]]
Sent: Monday, October 10, 2005 12:58 PM
To: support@pfsense.com
Subject: [pfSense Support] IPSec tunnel and Remote Desktop

Hi, I've created a site-to-site IPSec tunnel between my home and office. At home I'm using the latest pfsense, 0.86.4, and at work, m0n0wall. The tunnel gets established properly, and I can ping machines at the office through the tunnel. However, I cannot use remote desktop. When I attempt to connect to a machine, I get a partial connection (the screen starts drawing), but it hangs and never even shows me the login information.
Re: [pfSense Support] snmpd and 0.68.4 on wrap
Are you querying the machine via a virtual ip or via its real ip?

On 10/10/05, alan walters [EMAIL PROTECTED] wrote:
> We have a wrap board that runs on a failover system. There are about 25 VIP addresses on this system and 8 vlans. We are having problems with snmpd. It does not respond to a snmpwalk. Netstat says it is listening on all ports. Top says that it is running.
>
> All other boxes that we run are running just fine. I am stumped. I am thinking it has something to do with the number of VIPs, as all other sites use vlans and the configuration for snmpd is the same.
Re: [pfSense Support] openvpn certs creation
Please refer to the m0n0wall documentation concerning OpenVPN. This may be helpful: http://m0n0.ch/wall/list/showmsg.php?id=103/47

Scott

On 10/9/05, jonathan gonzalez [EMAIL PROTECTED] wrote:
> Hi, I've activated developer menu options to get access to openvpn. I'd need to create the certs, dh-params and keys. I would like to know if I can do this thru the interface (I suppose not), and else I'd like to know if sb can provide me a script or code to do it on the console, or in any other place but with the distro tools (sorry but I'm starting to know the system and I don't know all the ins and outs yet).
>
> thanks in advance, regards,
> jonathan
Re: [pfSense Support] IPSec tunnel and Remote Desktop
Fleming, John (ZeroChaos) wrote:
> I'm guessing we might need to do some mss fixup for ipsec tunnels.

and you'd be right. I'm not sure where it breaks down, but PMTUD is b0rk over IPsec tunnels. Has always been an issue in m0n0wall. I've looked at it some, but wasn't able to determine anything affirmatively other than it's broken. The MSS clamping in IPF in m0n0wall doesn't differentiate between internet traffic and VPN traffic, and hence doesn't take into account the overhead of IPsec and doesn't solve the problem.

The typical solution is to drop the MTU on LAN hosts until it works; people usually set it at 1400 (as a number that works, should be able to squeeze more than that). Depending on the characteristics of your network traffic, this can have a measurable negative impact on network performance, especially on the LAN with large data transfers.
Re: [pfSense Support] openvpn certs creation
Yes, that would be outstanding. Feel free to mark it up on wiki.pfsense.com

Thanks!!

On 10/10/05, jonathan gonzalez [EMAIL PROTECTED] wrote:
> Hi Scott, I will try to do it tomorrow. Are you (the group) interested in having in the wiki a page describing the process, so there's no need to refer to m0n0wall, and it will be available from the pfsense site? Should you be interested please let me know. I will take note of the process to document it.
>
> Cheers,
> jonathan
>
> Scott Ullrich wrote:
> > Please refer to the m0n0wall documentation concerning OpenVPN. This may be helpful: http://m0n0.ch/wall/list/showmsg.php?id=103/47
> >
> > Scott
Re: [pfSense Support] IPSec tunnel and Remote Desktop
I'll try the suggestions when I get home tonight. Thanks for the help.

Jason

On 10/10/05, Bill Marquette [EMAIL PROTECTED] wrote:
> I don't have a box in front of me right now, but from memory, try setting the MTU in the WAN screen - if I remember right, that'll force PF to do MSS fixups.
>
> --Bill
>
> On 10/10/05, Chris Buechler [EMAIL PROTECTED] wrote:
> > Fleming, John (ZeroChaos) wrote:
> > > I'm guessing we might need to do some mss fixup for ipsec tunnels.
> >
> > and you'd be right. I'm not sure where it breaks down, but PMTUD is b0rk over IPsec tunnels. Has always been an issue in m0n0wall.
> >
> > The typical solution is to drop the MTU on LAN hosts until it works; people usually set it at 1400 (as a number that works, should be able to squeeze more than that).
[pfSense Support] How to Wiki Was: [pfSense Support] openvpn certs creation
And if you (or anyone else) don't know how to use the wiki, it's really very simple once you know a few basic things. Just take a minute and read through the HowToWiki entry I wrote yesterday.

http://wiki.pfsense.com/wikka.php?wakka=HowToWiki

Scott Ullrich wrote:
> Yes, that would be outstanding. Feel free to mark it up on wiki.pfsense.com
>
> Thanks!!
>
> On 10/10/05, jonathan gonzalez [EMAIL PROTECTED] wrote:
> > Hi Scott, I will try to do it tomorrow. Are you (the group) interested in having in the wiki a page describing the process, so there's no need to refer to m0n0wall, and it will be available from the pfsense site? Should you be interested please let me know. I will take note of the process to document it.
> >
> > Cheers,
> > jonathan
RE: [pfSense Support] passive ftp
At 12:44 PM 10/10/2005, you wrote:
> This is what the man page says for the -f switch.
>
>     -f address
>         Fixed server address. The proxy will always connect to the same server, regardless of where the client wanted to connect to (before it was redirected). Use this option to proxy for a server behind NAT, or to forward all connections to another proxy.
>
> So what is 10.0.0.2? Is that a nat ip on the firewall or the ftp server you're handing off to?

10.0.0.2 is my freebsd 5.4 server, running pure-ftpd.
RE: [pfSense Support] passive ftp
At 04:38 PM 10/10/2005, you wrote:
> Well I'm not sure, to tell you the truth. I wonder if binding it to the inet facing ip would fix it. The only thing is this would remove the need for nat as you would have the proxy handle all the hand offs. :/
>
> Try this. Kill pftpx (only the one with the -c 21 -f 10.0.0.2 args). Then run this (replace $inet-address with your inet facing address):
>
> /usr/local/sbin/pftpx -b $inet-address -c 21 -f 10.0.0.2 -g 21

This worked. I also had to delete the nat tunnel for ftp. I'm not sure how to make sure this sticks. E.g. before I had a nat tunnel to the ftp server, and that seems to have created the pftpx process automagically, but it seems to need the '-b WAN' also.

scott?
Re: [pfSense Support] passive ftp
File a ticket on cvstrac and I will change the behavior to start the ftp helper using: /usr/local/sbin/pftpx -b $inet-address -c 21 -f 10.0.0.2 -g 21 Scott

On 10/10/05, Dan Swartzendruber [EMAIL PROTECTED] wrote: At 04:38 PM 10/10/2005, you wrote: Well I'm not sure to tell you the truth. I wonder if binding it to the inet facing ip would fix it. The only thing is this would remove the need for nat as you would have the proxy handle all the hand offs. :/ Try this. Kill pftpx (only the one with the -c 21 -f 10.0.0.2 args) Then run this. (replace $inet-address with your inet facing address) /usr/local/sbin/pftpx -b $inet-address -c 21 -f 10.0.0.2 -g 21

this worked. i also had to delete the nat tunnel for ftp. i'm not sure how to make sure this sticks. e.g. before i had a nat tunnel to the ftp server, and that seems to have created the pftpx process automagically, but it seems to need the '-b WAN' also. scott?
Re: [pfSense Support] passive ftp
At 05:04 PM 10/10/2005, you wrote: File a ticket on cvstrac and I will change the behavior to start the ftp helper using: /usr/local/sbin/pftpx -b $inet-address -c 21 -f 10.0.0.2 -g 21

Roger. Thx!
Re: [pfSense Support] IPSec tunnel and Remote Desktop
Running PPPoE as the client on WAN?

On 10/10/05, Jason Landry [EMAIL PROTECTED] wrote: I tried setting the MTU on the WAN interface in pfsense to 1400 but that didn't work. I set the MTU on my desktop machine to 1400... and everything works now - sql, remote desktop. Thanks for the help! Jason

On 10/10/05, Chris Buechler [EMAIL PROTECTED] wrote: Fleming, John (ZeroChaos) wrote: I'm guessing we might need to do some mss fixup for ipsec tunnels. and you'd be right. I'm not sure where it breaks down, but PMTUD is b0rk over IPsec tunnels. Has always been an issue in m0n0wall. I've looked at it some, but wasn't able to determine anything affirmatively other than it's broken. The MSS clamping in IPF in m0n0wall doesn't differentiate between internet traffic and VPN traffic, and hence doesn't take into account the overhead of IPsec and doesn't solve the problem. The typical solution is to drop the MTU on LAN hosts until it works, people usually set it at 1400 (as a number that works, should be able to squeeze more than that). Depending on the characteristics of your network traffic, this can have a measurable negative impact on network performance, especially on the LAN with large data transfers.
Re: [pfSense Support] CF Installation options limitations
On 10/10/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: Hello, I've been struggling trying to install pfSense on my system for several days now. My system only has 1 IDE channel. I am planning on running off of a Compact Flash through an IDE adapter. This way, my system will have no moving parts but the Fan on the processor. I have attempted to download the CF image file for the WRAP, but that apparently doesn't boot because it's missing VGA. Then I tried to It won't boot, or you never checked the output on COM1? I've got a handful of boxes with VGA cards in them that boot pfSense off of flash using the WRAP image just fine. install by using a USB CF adapter and CDROM on the IDE channel. I was able to boot off of the CD, however it says that it requires 300 MB to install. I was trying to do the install on a 256 MB CF. So I'm confused as to why the LiveCD install requires so much space in compared to the CF image for the WRAP. Is it possible to create a Generic PC CF image similar to the one that is put out for monowall? I'd prefer not to buy another CF card. Also, I think it makes sense to put space requirements for hard drive installation on the Hardware FAQ page. Probably cause it's impossible to buy a HD that is too small for pfSense? CF isn't HD even if it might look like that to the PC - nor do you want to use a CF as a HD (read the archives for reasons). Am I missing something obvious, or is there no way to install pfSense on a 256 MB CF for a Generic PC. Should be. Read the archives, I know this has been addressed. Also, it would be really nice if it could be installed via either PXE or boot floppy for systems that don't have a CDROM drive. Unlikely to happen any time soon, too many other fires, not enough hands. --Bill
Re: [pfSense Support] IPSec tunnel and Remote Desktop
Well, here's an interesting side effect. I can no longer access the m0n0wall through the LAN address through the tunnel. At home, I'm at 10.53.64.110 The m0n0wall at work is at 192.168.1.1 Before changing the MTU to 1400 on my client machine, I could simply go to 192.168.1.1 in my browser, and the tunnel would connect automatically, but Remote Desktop and SQL didn't work. Now that I've changed the MTU, I can't get to 192.168.1.1, but Remote Desktop and SQL both work. Is this just the nature of the beast?

On 10/10/05, Jason Landry [EMAIL PROTECTED] wrote: No, I'm just doing site-to-site with IPSec between a m0n0wall and pfsense. I made no configuration changes at all on client machines until the 1400 MTU suggestion. That did the trick.

On 10/10/05, Scott Ullrich [EMAIL PROTECTED] wrote: Running PPPoE as the client on Wan?

On 10/10/05, Jason Landry [EMAIL PROTECTED] wrote: I tried setting the MTU on the WAN interface in pfsense to 1400 but that didn't work. I set the MTU on my desktop machine to 1400...and everything works now - sql remote desktop. Thanks for the help! Jason

On 10/10/05, Chris Buechler [EMAIL PROTECTED] wrote: Fleming, John (ZeroChaos) wrote: I'm guessing we might need to do some mss fixup for ipsec tunnels. and you'd be right. I'm not sure where it breaks down, but PMTUD is b0rk over IPsec tunnels. Has always been an issue in m0n0wall. I've looked at it some, but wasn't able to determine anything affirmatively other than it's broken. The MSS clamping in IPF in m0n0wall doesn't differentiate between internet traffic and VPN traffic, and hence doesn't take into account the overhead of IPsec and doesn't solve the problem. The typical solution is to drop the MTU on LAN hosts until it works, people usually set it at 1400 (as a number that works, should be able to squeeze more than that). Depending on the characteristics of your network traffic, this can have a measurable negative impact on network performance, especially on the LAN with large data transfers.
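An added example for the MSS-over-IPsec discussion in this thread (both Chris's explanation of why a generic MSS clamp does not account for IPsec overhead and the "1400 works, should be able to squeeze more" remark). It is not code from pfSense, m0n0wall or anyone on the list. It adds up the standard ESP tunnel-mode encapsulation (outer IPv4 header, ESP header, IV, padding, trailer, ICV, optionally the NAT-Traversal UDP header) and searches for the largest TCP MSS that still fits the path MTU, so a host MTU or clamp value can be chosen with a margin you can justify rather than by trial. The cipher and integrity entries are assumptions; match them to the phase-2 proposal actually negotiated.

```python
# Added example, not from the mailing list thread or the pfSense/m0n0wall code.
# Header sizes are the standard ESP tunnel-mode values; the CIPHERS/AUTH_ICV
# tables are assumptions to be matched to your own phase-2 proposal.

IPV4_HEADER = 20
TCP_HEADER = 20
UDP_HEADER = 8           # present only with NAT-Traversal (UDP encapsulation)
ESP_HEADER = 8           # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2          # pad length (1 byte) + next header (1 byte)

# IV length and cipher block size in bytes; "null" still needs 4-byte alignment.
CIPHERS = {
    "3des-cbc": {"iv": 8, "block": 8},
    "aes-cbc": {"iv": 16, "block": 16},
    "null": {"iv": 0, "block": 4},
}

# Truncated ICV appended by the integrity algorithm.
AUTH_ICV = {
    "hmac-md5-96": 12,
    "hmac-sha1-96": 12,
    "hmac-sha256-128": 16,
    "none": 0,
}


def esp_padding(inner_len, cipher):
    """ESP padding bytes so that (inner packet + trailer) is a multiple of the block size."""
    block = CIPHERS[cipher]["block"]
    return (-(inner_len + ESP_TRAILER)) % block


def esp_tunnel_packet_size(inner_len, cipher, auth, nat_traversal=False):
    """Wire size of an ESP tunnel-mode packet carrying an inner IP packet of inner_len bytes."""
    c = CIPHERS[cipher]
    size = (IPV4_HEADER + ESP_HEADER + c["iv"] + inner_len
            + esp_padding(inner_len, cipher) + ESP_TRAILER + AUTH_ICV[auth])
    if nat_traversal:
        size += UDP_HEADER
    return size


def max_mss_over_esp(path_mtu, cipher, auth, nat_traversal=False):
    """Largest TCP MSS (IPv4 + TCP without options) whose full segment fits path_mtu after ESP.

    Starts from the plain-IP MSS and walks down; padding rounds the encrypted
    payload up to a block boundary, so a short search is clearer than a formula.
    """
    mss = path_mtu - IPV4_HEADER - TCP_HEADER
    while mss > 0 and esp_tunnel_packet_size(
            IPV4_HEADER + TCP_HEADER + mss, cipher, auth, nat_traversal) > path_mtu:
        mss -= 1
    return mss


def largest_host_mtu(path_mtu, cipher, auth, nat_traversal=False):
    """Host MTU whose default MSS (MTU - 40) equals max_mss_over_esp for this tunnel."""
    return max_mss_over_esp(path_mtu, cipher, auth, nat_traversal) + IPV4_HEADER + TCP_HEADER


if __name__ == "__main__":
    for cipher, auth in (("3des-cbc", "hmac-sha1-96"), ("aes-cbc", "hmac-sha1-96")):
        print(cipher, auth,
              "max MSS:", max_mss_over_esp(1500, cipher, auth),
              "host MTU:", largest_host_mtu(1500, cipher, auth))
    # The thread's 1400-byte host MTU (MSS 1360) leaves plenty of room:
    print("1400-byte inner packet over 3DES/SHA1 ->",
          esp_tunnel_packet_size(1400, "3des-cbc", "hmac-sha1-96"), "bytes on the wire")
```

With a 1500-byte path MTU the computed ceiling is an MSS of 1406 (host MTU 1446) for 3DES/SHA1-96 and 1398 (host MTU 1438) for AES-CBC/SHA1-96, which is why the thread's 1400 works and why there is headroom above it; NAT-T costs another 8 bytes. Rather than lowering every LAN host's MTU, the same number can be applied only to tunnel-bound traffic: pf's scrub rules accept a max-mss option, so a scrub rule matched on the remote tunnel subnet clamps VPN sessions without touching ordinary internet or LAN transfers, which is the distinction the IPF clamp in m0n0wall lacks.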
Re: [pfSense Support] Traffic shaper question + no parent problem
On 10/8/05, Szasz Revai Endre [EMAIL PROTECTED] wrote: 1) Is it possible, in the traffic shaper - to create another parent queue (parent to HFSC) - and to add some rules to this queue, so that traffic coming and going from specific IP addresses would go through this queue (which would have separate bandwidth)? My WAN consists of 2 types of speeds: a separate speed for the internet and a separate speed to the metropolitan area (which is also on the internet, public IP addresses)

LAN --- pfSense --- Internet (256Kb)
                \-- Metropolitan area (10Mb)

I wanted the Internet to be traffic shaped and the rest of the Metropolitan Area to go through a separate queue (10Mb). If this is not possible with the current configuration, just by hand, would there be a possibility to do it somehow with routing? For example 2 NICs, 2 public IPs.

I've been thinking a little more about this. Is the MAN part of your local subnet? IE, if the pfSense WAN interface was on 24.0.0.0/8 is the MAN the same subnet, or is it just something you have to go through? I think I can make an easy change for local subnet on the WAN side of the firewall. --Bill
Re: [pfSense Support] Traffic shaper question + no parent problem
On 10/10/05, Bill Marquette [EMAIL PROTECTED] wrote: I've been thinking a little more about this. Is the MAN part of your local subnet? IE, if the pfSense WAN interface was on 24.0.0.0/8 is the MAN the same subnet, or is it just something you have to go through? I think I can make an easy change for local subnet on the WAN side of the firewall. Never mind...I started to implement this and realized it won't work w/out more queues which I don't want to add right now ;) --Bill
Re: [pfSense Support] CF Installation options limitations
Bill Marquette wrote: Probably cause it's impossible to buy a HD that is too small for pfSense? CF isn't HD even if it might look like that to the PC - nor do you want to use a CF as a HD (read the archives for reasons).

or the FAQ, I added an entry on this tonight per someone's suggested question (the original poster, IIRC). thanks to all that have submitted suggested questions for the FAQ, we've had some good question contributions thus far (even if we do have to answer them, getting the question is half the battle). :) Feel free to contribute more good questions, since this is our first real documentation (and by far the most needed), I don't anticipate shooting any down unless they're just downright outrageous. We even answered an outrageous one on installing on an xbox. ;)