[pfSense Support] Load Balancer Behaviour
Scott (pfsense support), please help me, when adding a load balancer pool I can't see the interface name (WAN for example) preceding the |(Wan check ip). This is a fresh install with the latest snapshot and I can't figure out why it is going in this sense for me. I tried recreating the pools, but there's no way. Can you please help me? 10x in advance.

r3N0oV4
[pfSense Support] OpenVPN problem in 1.2
We are testing the beta 1 of pfSense 1.2 and we have found that the OpenVPN has a problem that it had not in 1.0.1. Trying to create a configuration in the server or client tag, after pressing Save it returns to the OpenVPN with no rules created. The same has been done (exactly the same) in a pfSense 1.0.1 and the rule has been created correctly. A bug?

Pablo Montoro Escaño
Re: [pfSense Support] help with firewall
I'm seeing this in the system logs:

imspector: Don't know how to handle connection to 192.168.25.1:16667

-- Brent Bailey CCNA Bmyster LLC Computer Networking and Webhosting Systems Engineer, President [EMAIL PROTECTED] Kipe- The Brotherhood of Metal --RIP Brother Dime--

-- Original Message ---
From: Scott Ullrich [EMAIL PROTECTED]
To: support@pfsense.com
Sent: Mon, 23 Apr 2007 18:54:28 -0400
Subject: Re: [pfSense Support] help with firewall

On 4/23/07, Brent [EMAIL PROTECTED] wrote:

I have recently set up a pfsense firewall for home use. I have installed the package IMspector. After the installation the package seems to be running, but according to their website you have to add the following to your firewall rules to make this redirect traffic to the IMspector. My question is how would you add these rules with pfsense webgui. I'm also assuming that the firewall is an iptables or ipf firewall not ipfw.

We use PF, not any of the above. Imspector uses a PF anchor to install its rules. There should be nothing that is required to make it work out of the box.

Scott

--- End of Original Message ---
RE: [pfSense Support] help with firewall
I did the install from the packages. This is what I'm seeing in the logs:

imspector: Don't know how to handle connection to 192.168.25.1:16667

Any ideas? Thank you.

-- Brent Bailey CCNA Bmyster LLC Computer Networking and Webhosting Systems Engineer, President [EMAIL PROTECTED] Kipe- The Brotherhood of Metal --RIP Brother Dime--

-- Original Message ---
From: Cesar Vergara [EMAIL PROTECTED]
To: support@pfsense.com
Sent: Mon, 23 Apr 2007 18:09:45 -0500
Subject: RE: [pfSense Support] help with firewall

This only works when you install IMspector from the Packages option.

Cesar A. Vergara Buenaventura MMP BU Sistemas Tel : (51) 326-4957 Fax : (51) 326-4957 Cel : 95404463 RPM : #221593 http://www.mitsuimaquinarias.com

-Original Message-
From: Brent [mailto:[EMAIL PROTECTED]
Sent: Monday, 23 April 2007 06:06 p.m.
To: support@pfsense.com
Subject: Re: [pfSense Support] help with firewall

Ok. However I do not see anything when you go look under Services / Imspector / Log Viewer. Is there something I missed? It also says it's running under Status / Services. Should I be able to see messages that are being sent over ICQ AIM protocols? Thank you for your help.

-- Brent Bailey CCNA Bmyster LLC Computer Networking and Webhosting Systems Engineer, President [EMAIL PROTECTED] Kipe- The Brotherhood of Metal --RIP Brother Dime--

-- Original Message ---
From: Scott Ullrich [EMAIL PROTECTED]
To: support@pfsense.com
Sent: Mon, 23 Apr 2007 18:54:28 -0400
Subject: Re: [pfSense Support] help with firewall

On 4/23/07, Brent [EMAIL PROTECTED] wrote:

I have recently set up a pfsense firewall for home use. I have installed the package IMspector. After the installation the package seems to be running, but according to their website you have to add the following to your firewall rules to make this redirect traffic to the IMspector. My question is how would you add these rules with pfsense webgui. I'm also assuming that the firewall is an iptables or ipf firewall not ipfw.

We use PF, not any of the above. Imspector uses a PF anchor to install its rules. There should be nothing that is required to make it work out of the box.

Scott

--- End of Original Message ---
[pfSense Support] Inbound Loadbalancing problem
Prior to trying to install this into production, I had this entire scenario working perfectly in a test environment. Something, it seems, has changed between testing and production.

I have a cluster of 15 web servers which I intend to load balance with a CARP'd cluster. I've created a CARP VIP address which will be the virtual server address and another one on the LAN to serve as the gateway for the server pool. CARP failover has been configured and appears to work properly, although the secondary load balancer, for some odd reason, is always the Master.

The problem comes when I try to test web connectivity to the balanced servers. Traffic hits the virtual server address, hits the load balanced pool of servers and that appears to be where things stop. A tcpdump shows that traffic appears to be coming from both pfSense boxes, which seems contrary to the way the load balancer should be working:

10:10:56.089142 IP 192.168.100.3.62747 192.168.100.161.http: S 2531494251:2531494251(0) win 65228 mss 1460,nop,wscale 0,nop,nop,timestamp 7490736 0,sackOK,eol
10:10:56.089220 IP 192.168.100.161.http 192.168.100.3.62747: S 1542065227:1542065227(0) ack 2531494252 win 65535 mss 1460,nop,wscale 1,nop,nop,timestamp 6878409 7490736,nop,nop,sackOK
10:10:56.089780 IP 192.168.100.3.62747 192.168.100.161.http: . ack 1 win 65535 nop,nop,timestamp 7490737 6878409
10:10:56.090036 IP 192.168.100.3.62747 192.168.100.161.http: F 1:1(0) ack 1 win 65535 nop,nop,timestamp 7490737 6878409
10:10:56.090081 IP 192.168.100.161.http 192.168.100.3.62747: . ack 2 win 33304 nop,nop,timestamp 6878409 7490737
10:10:56.090129 IP 192.168.100.161.http 192.168.100.3.62747: F 1:1(0) ack 2 win 33304 nop,nop,timestamp 6878409 7490737
10:10:56.090800 IP 192.168.100.3.62747 192.168.100.161.http: . ack 2 win 1071 nop,nop,timestamp 7490738 6878409
10:10:57.186346 IP 192.168.100.2.60821 192.168.100.161.http: S 4259965474:4259965474(0) win 65228 mss 1460,nop,wscale 0,nop,nop,timestamp 5838503 0,sackOK,eol
10:10:57.186401 IP 192.168.100.161.http 192.168.100.2.60821: S 1151731680:1151731680(0) ack 4259965475 win 65535 mss 1460,nop,wscale 1,nop,nop,timestamp 6878519 5838503,nop,nop,sackOK
10:10:57.186673 IP 192.168.100.2.60821 192.168.100.161.http: . ack 1 win 65535 nop,nop,timestamp 5838504 6878519
10:10:57.186941 IP 192.168.100.2.60821 192.168.100.161.http: F 1:1(0) ack 1 win 65535 nop,nop,timestamp 5838504 6878519
10:10:57.186984 IP 192.168.100.161.http 192.168.100.2.60821: . ack 2 win 33304 nop,nop,timestamp 6878519 5838504
10:10:57.187037 IP 192.168.100.161.http 192.168.100.2.60821: F 1:1(0) ack 2 win 33304 nop,nop,timestamp 6878519 5838504
10:10:57.187747 IP 192.168.100.2.60821 192.168.100.161.http: . ack 2 win 1071 nop,nop,timestamp 5838505 6878519

I'm at a loss trying to figure out what the issue is.

-Gary
Re: [pfSense Support] Inbound Loadbalancing problem
Both boxes are likely polling the web servers in question, hence the traffic from both machines. You might confirm that you have rules loaded to allow this traffic.

--Bill

On 4/24/07, Gary Buckmaster [EMAIL PROTECTED] wrote:

Prior to trying to install this into production, I had this entire scenario working perfectly in a test environment. Something, it seems, has changed between testing and production.

I have a cluster of 15 web servers which I intend to load balance with a CARP'd cluster. I've created a CARP VIP address which will be the virtual server address and another one on the LAN to serve as the gateway for the server pool. CARP failover has been configured and appears to work properly, although the secondary load balancer, for some odd reason, is always the Master.

The problem comes when I try to test web connectivity to the balanced servers. Traffic hits the virtual server address, hits the load balanced pool of servers and that appears to be where things stop. A tcpdump shows that traffic appears to be coming from both pfSense boxes, which seems contrary to the way the load balancer should be working:

10:10:56.089142 IP 192.168.100.3.62747 192.168.100.161.http: S 2531494251:2531494251(0) win 65228 mss 1460,nop,wscale 0,nop,nop,timestamp 7490736 0,sackOK,eol
10:10:56.089220 IP 192.168.100.161.http 192.168.100.3.62747: S 1542065227:1542065227(0) ack 2531494252 win 65535 mss 1460,nop,wscale 1,nop,nop,timestamp 6878409 7490736,nop,nop,sackOK
10:10:56.089780 IP 192.168.100.3.62747 192.168.100.161.http: . ack 1 win 65535 nop,nop,timestamp 7490737 6878409
10:10:56.090036 IP 192.168.100.3.62747 192.168.100.161.http: F 1:1(0) ack 1 win 65535 nop,nop,timestamp 7490737 6878409
10:10:56.090081 IP 192.168.100.161.http 192.168.100.3.62747: . ack 2 win 33304 nop,nop,timestamp 6878409 7490737
10:10:56.090129 IP 192.168.100.161.http 192.168.100.3.62747: F 1:1(0) ack 2 win 33304 nop,nop,timestamp 6878409 7490737
10:10:56.090800 IP 192.168.100.3.62747 192.168.100.161.http: . ack 2 win 1071 nop,nop,timestamp 7490738 6878409
10:10:57.186346 IP 192.168.100.2.60821 192.168.100.161.http: S 4259965474:4259965474(0) win 65228 mss 1460,nop,wscale 0,nop,nop,timestamp 5838503 0,sackOK,eol
10:10:57.186401 IP 192.168.100.161.http 192.168.100.2.60821: S 1151731680:1151731680(0) ack 4259965475 win 65535 mss 1460,nop,wscale 1,nop,nop,timestamp 6878519 5838503,nop,nop,sackOK
10:10:57.186673 IP 192.168.100.2.60821 192.168.100.161.http: . ack 1 win 65535 nop,nop,timestamp 5838504 6878519
10:10:57.186941 IP 192.168.100.2.60821 192.168.100.161.http: F 1:1(0) ack 1 win 65535 nop,nop,timestamp 5838504 6878519
10:10:57.186984 IP 192.168.100.161.http 192.168.100.2.60821: . ack 2 win 33304 nop,nop,timestamp 6878519 5838504
10:10:57.187037 IP 192.168.100.161.http 192.168.100.2.60821: F 1:1(0) ack 2 win 33304 nop,nop,timestamp 6878519 5838504
10:10:57.187747 IP 192.168.100.2.60821 192.168.100.161.http: . ack 2 win 1071 nop,nop,timestamp 5838505 6878519

I'm at a loss trying to figure out what the issue is.

-Gary
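The polling explanation in the reply above can be checked against the capture itself. The following is an added example, not part of the original thread: it groups the posted tcpdump lines into flows and flags those that complete a handshake and close without carrying a single payload byte. The capture lines are taken from the thread as they appear on this page with the TCP options after `win` trimmed; the function names are hypothetical.

```python
import re

# Lines from the thread's capture as they appear on this page (TCP options
# after "win" trimmed). The regex also accepts the ">" that tcpdump normally
# prints between source and destination.
CAPTURE = """\
10:10:56.089142 IP 192.168.100.3.62747 192.168.100.161.http: S 2531494251:2531494251(0) win 65228
10:10:56.089220 IP 192.168.100.161.http 192.168.100.3.62747: S 1542065227:1542065227(0) ack 2531494252 win 65535
10:10:56.089780 IP 192.168.100.3.62747 192.168.100.161.http: . ack 1 win 65535
10:10:56.090036 IP 192.168.100.3.62747 192.168.100.161.http: F 1:1(0) ack 1 win 65535
10:10:56.090081 IP 192.168.100.161.http 192.168.100.3.62747: . ack 2 win 33304
10:10:56.090129 IP 192.168.100.161.http 192.168.100.3.62747: F 1:1(0) ack 2 win 33304
10:10:56.090800 IP 192.168.100.3.62747 192.168.100.161.http: . ack 2 win 1071
10:10:57.186346 IP 192.168.100.2.60821 192.168.100.161.http: S 4259965474:4259965474(0) win 65228
10:10:57.186401 IP 192.168.100.161.http 192.168.100.2.60821: S 1151731680:1151731680(0) ack 4259965475 win 65535
10:10:57.186673 IP 192.168.100.2.60821 192.168.100.161.http: . ack 1 win 65535
10:10:57.186941 IP 192.168.100.2.60821 192.168.100.161.http: F 1:1(0) ack 1 win 65535
10:10:57.186984 IP 192.168.100.161.http 192.168.100.2.60821: . ack 2 win 33304
10:10:57.187037 IP 192.168.100.161.http 192.168.100.2.60821: F 1:1(0) ack 2 win 33304
10:10:57.187747 IP 192.168.100.2.60821 192.168.100.161.http: . ack 2 win 1071
"""

LINE = re.compile(
    r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\w+) (?:> )?(\d+\.\d+\.\d+\.\d+)\.(\w+): "
    r"(\S+)(?: \d+:\d+\((\d+)\))?"
)

def summarize(capture):
    """Group packets into flows; record flag order and total payload bytes."""
    flows = {}
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        src, sport, dst, dport, flags, length = m.groups()
        key = tuple(sorted([(src, sport), (dst, dport)]))
        # The sender of the first packet seen in a flow is its initiator.
        flow = flows.setdefault(
            key, {"initiator": src, "responder": dst, "flags": [], "payload": 0})
        side = "c" if src == flow["initiator"] else "s"
        flow["flags"].append(f"{side}:{flags}")
        flow["payload"] += int(length or 0)
    return list(flows.values())

def is_connect_probe(flow):
    """Handshake completes, both sides send FIN, and no data byte is carried."""
    fl = flow["flags"]
    return (fl[:3] == ["c:S", "s:S", "c:."]
            and "c:F" in fl and "s:F" in fl
            and flow["payload"] == 0)

def pollers(capture):
    """Initiators whose flows look like bare TCP connect checks."""
    return sorted(f["initiator"] for f in summarize(capture) if is_connect_probe(f))

if __name__ == "__main__":
    for f in summarize(CAPTURE):
        print(f["initiator"], "->", f["responder"], f["flags"],
              "payload:", f["payload"], "probe:", is_connect_probe(f))
```

Both flows in the posted capture open, exchange no data and close, which is the shape of a monitor check rather than a forwarded HTTP request.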
Re: [pfSense Support] OpenVPN problem in 1.2
That was fixed a day or so ago. And please keep in mind this is a PRERELEASE of 1.2-BETA-1. This is NOT 1.2-BETA-1...

Scott

On 4/24/07, Pablo Montoro Escaño [EMAIL PROTECTED] wrote:

We are testing the beta 1 of pfSense 1.2 and we have found that the OpenVPN has a problem that it had not in 1.0.1. Trying to create a configuration in the server or client tag, after pressing Save it returns to the OpenVPN with no rules created. The same has been done (exactly the same) in a pfSense 1.0.1 and the rule has been created correctly. a bug?
RE: [pfSense Support] Load Balancer Behaviour
You most likely don't run a latest snapshot but a release version which has a different gui. Please make sure you are on a version from http://snapshots.pfsense.com/FreeBSD6/RELENG_1_2/ which has the gui mentioned at http://doc.pfsense.org/index.php/Multi-Wan/Load-Balancing .

Holger

-Original Message-
From: Quirino Santilli [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 24, 2007 10:32 AM
To: support@pfsense.com
Subject: [pfSense Support] Load Balancer Behaviour

Scott (pfsense support), please help me, when adding a load balancer pool I can't see the interface name (WAN for example) preceding the |(Wan check ip). This is a fresh install with the latest snapshot and I can't figure out why it is going in this sense for me. I tried recreating the pools, but there's no way. Can you please help me? 10x in advance.

r3N0oV4
Re: [pfSense Support] Inbound Loadbalancing problem - SOLVED
This issue turned out to be primarily a configuration problem, although it serves as a good lesson for others to learn from so I'll post the reply for the sake of posterity.

<background>
We currently have 16 web servers in production handling requests. They are sitting behind Cisco Localdirectors. Because of how the LocalDirectors are configured, it's not a simple plug-and-play scenario to substitute in the pfSense boxes. In order to make the transition more smooth, a number of machines were multi-homed so as to exist behind the localdirectors and the new pfSense network.
</background>

The astute reader will quickly surmise what happened. Although the web servers were located on both networks, their default route was inadvertently left alone. Thus traffic coming from the pfSense boxes was replied to using the wrong network card, causing the timeout issues. This turned out to be a blessing in disguise because it demonstrated a more gentle way we could transition to the new machines without interrupting service dramatically as DNS propagated to the new cluster.

Thanks to the pfSense team for such a great product and their help in figuring out the issue.

Bill Marquette wrote:

Both boxes are likely polling the web servers in question, hence the traffic from both machines. You might confirm that you have rules loaded to allow this traffic.

--Bill

On 4/24/07, Gary Buckmaster [EMAIL PROTECTED] wrote:

Prior to trying to install this into production, I had this entire scenario working perfectly in a test environment. Something, it seems, has changed between testing and production.

I have a cluster of 15 web servers which I intend to load balance with a CARP'd cluster. I've created a CARP VIP address which will be the virtual server address and another one on the LAN to serve as the gateway for the server pool. CARP failover has been configured and appears to work properly, although the secondary load balancer, for some odd reason, is always the Master.

The problem comes when I try to test web connectivity to the balanced servers. Traffic hits the virtual server address, hits the load balanced pool of servers and that appears to be where things stop. A tcpdump shows that traffic appears to be coming from both pfSense boxes, which seems contrary to the way the load balancer should be working:

10:10:56.089142 IP 192.168.100.3.62747 192.168.100.161.http: S 2531494251:2531494251(0) win 65228 mss 1460,nop,wscale 0,nop,nop,timestamp 7490736 0,sackOK,eol
10:10:56.089220 IP 192.168.100.161.http 192.168.100.3.62747: S 1542065227:1542065227(0) ack 2531494252 win 65535 mss 1460,nop,wscale 1,nop,nop,timestamp 6878409 7490736,nop,nop,sackOK
10:10:56.089780 IP 192.168.100.3.62747 192.168.100.161.http: . ack 1 win 65535 nop,nop,timestamp 7490737 6878409
10:10:56.090036 IP 192.168.100.3.62747 192.168.100.161.http: F 1:1(0) ack 1 win 65535 nop,nop,timestamp 7490737 6878409
10:10:56.090081 IP 192.168.100.161.http 192.168.100.3.62747: . ack 2 win 33304 nop,nop,timestamp 6878409 7490737
10:10:56.090129 IP 192.168.100.161.http 192.168.100.3.62747: F 1:1(0) ack 2 win 33304 nop,nop,timestamp 6878409 7490737
10:10:56.090800 IP 192.168.100.3.62747 192.168.100.161.http: . ack 2 win 1071 nop,nop,timestamp 7490738 6878409
10:10:57.186346 IP 192.168.100.2.60821 192.168.100.161.http: S 4259965474:4259965474(0) win 65228 mss 1460,nop,wscale 0,nop,nop,timestamp 5838503 0,sackOK,eol
10:10:57.186401 IP 192.168.100.161.http 192.168.100.2.60821: S 1151731680:1151731680(0) ack 4259965475 win 65535 mss 1460,nop,wscale 1,nop,nop,timestamp 6878519 5838503,nop,nop,sackOK
10:10:57.186673 IP 192.168.100.2.60821 192.168.100.161.http: . ack 1 win 65535 nop,nop,timestamp 5838504 6878519
10:10:57.186941 IP 192.168.100.2.60821 192.168.100.161.http: F 1:1(0) ack 1 win 65535 nop,nop,timestamp 5838504 6878519
10:10:57.186984 IP 192.168.100.161.http 192.168.100.2.60821: . ack 2 win 33304 nop,nop,timestamp 6878519 5838504
10:10:57.187037 IP 192.168.100.161.http 192.168.100.2.60821: F 1:1(0) ack 2 win 33304 nop,nop,timestamp 6878519 5838504
10:10:57.187747 IP 192.168.100.2.60821 192.168.100.161.http: . ack 2 win 1071 nop,nop,timestamp 5838505 6878519

I'm at a loss trying to figure out what the issue is.

-Gary
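The routing failure described in the message above, as an added example that is not part of the original thread: a multi-homed server chooses the reply interface from its routing table, not from the NIC the request arrived on. Only 192.168.100.2, .3 and .161 come from the posted capture; the /24 mask, the 10.0.0.0/24 LocalDirector-side subnet, the interface names, both gateway addresses, the client address, and the premise that the balancer forwards requests with the client's source address unchanged are assumptions.

```python
import ipaddress

# Constructed routing tables for one multi-homed web server (192.168.100.161).
# Each entry: (destination prefix, gateway or None when on-link, interface).
# All prefixes, gateways and interface names are assumptions for this example.
ROUTES_BEFORE = [
    ("192.168.100.0/24", None, "em1"),        # new pfSense-side network
    ("10.0.0.0/24", None, "em0"),             # old LocalDirector-side network
    ("0.0.0.0/0", "10.0.0.1", "em0"),         # default route left untouched
]
ROUTES_AFTER = [
    ("192.168.100.0/24", None, "em1"),
    ("10.0.0.0/24", None, "em0"),
    ("0.0.0.0/0", "192.168.100.1", "em1"),    # default now via the pfSense LAN VIP
]

# Sources of requests that reach the server on the pfSense-side NIC (em1).
SOURCES = [
    "192.168.100.2",   # pfSense box, seen in the capture
    "192.168.100.3",   # pfSense box, seen in the capture
    "203.0.113.10",    # constructed off-link client forwarded by the balancer
]

def lookup(routes, dst):
    """Longest-prefix match: return (gateway, interface) used to reach dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway, ifname in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, ifname)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]

def check_reply_path(routes, src, arrived_on):
    """Compare the NIC a request arrived on with the NIC its reply leaves by."""
    gateway, egress = lookup(routes, src)
    return {
        "src": src,
        "arrived_on": arrived_on,
        "reply_via": egress,
        "next_hop": gateway or "on-link",
        "asymmetric": egress != arrived_on,
    }

def report(routes):
    """Reply-path check for every sample source arriving on em1."""
    return [check_reply_path(routes, src, "em1") for src in SOURCES]

if __name__ == "__main__":
    for label, routes in (("before", ROUTES_BEFORE), ("after", ROUTES_AFTER)):
        print(label)
        for r in report(routes):
            flag = "ASYMMETRIC" if r["asymmetric"] else "ok"
            print(f"  {r['src']:<15} in={r['arrived_on']} out={r['reply_via']} "
                  f"next-hop={r['next_hop']} {flag}")
```

Under these assumptions only the off-link source is answered through the old network's gateway; sources on the server's own subnet are answered on the NIC they arrived on in both tables.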
Re: [pfSense Support] Inbound Loadbalancing problem - SOLVED
On 4/24/07, Gary Buckmaster [EMAIL PROTECTED] wrote:

This issue turned out to be primarily a configuration problem, although it serves as a good lesson for others to learn from so I'll post the reply for the sake of posterity.

<background>
We currently have 16 web servers in production handling requests. They are sitting behind Cisco Localdirectors. Because of how the LocalDirectors are configured, it's not a simple plug-and-play scenario to substitute in the pfSense boxes. In order to make the transition more smooth, a number of machines were multi-homed so as to exist behind the localdirectors and the new pfSense network.
</background>

The astute reader will quickly surmise what happened. Although the web servers were located on both networks, their default route was inadvertently left alone. Thus traffic coming from the pfSense boxes was replied to using the wrong network card, causing the timeout issues. This turned out to be a blessing in disguise because it demonstrated a more gentle way we could transition to the new machines without interrupting service dramatically as DNS propagated to the new cluster.

I'm not following what the gentle way of transitioning to the new machines is. Care to elaborate a little? Did you change the default route on part of the farm and disable the interfaces on the machines that should still be going through the LocalDirector?

--Bill

PS. I'm very happy to see pfSense replace a LocalDirector - I honestly didn't expect to see anyone using the load balancing code when I wrote it, except for the one person that requested it.