[pfSense Support] IPSEC DYNDNS names not working ? pfSense 1.2
Hi,

I tried to set up pfSense and added some VPN IPSEC tunnels to their DYNDNS name (instead of using an IP), and this seems to give a problem.

racoon.conf ke. syntax error

The dyndns name was some kind of xxke.dyndns.org

Is this possible to overcome somehow?

kind regards,
Michel

- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: [pfSense Support] Load Balancing further info
Thanks Sean for the clarification.

One point of clarification: can you please define exactly what a 'state' is?

Regards,
Mike Lever
Tenacity Films (Pty) Ltd t/a Velocity Films
(T) +2711-807-0100 (F) 086-681-7518
mailto:[EMAIL PROTECTED]
http://www.velocityfilms.com

From: Sean Cavanaugh [mailto:[EMAIL PROTECTED]
Sent: 04 Mar 2008 07:44 PM
To: support@pfsense.com
Subject: RE: [pfSense Support] Load Balancing further info

load balancing is fairly easy to learn.

first step, the user sends a request (i.e. visiting www.cnn.com). his computer will forward the request to the gateway (let's assume pfsense set up with load balanced WAN connections). pfsense will then assign the current connection state to a WAN interface. this should happen with states spread evenly across all WAN links. as long as information being transmitted between the user's computer and www.cnn.com are part of the same stream, it will use the same connection path on the WAN link. if the user goes to www.msnbc.com also, this will start a new state connection on the firewall and would theoretically use a different WAN link than the first connection to www.cnn.com.

some issues with this: if the state is set to a very short TTL, then the user will constantly be setting up new states and will be bouncing all over the WAN links. this can make it really bad if they're trying to use encrypted protocols as it will not be valid and will more than likely be denied a lot. if the value is set too high, states will build up on a WAN interface and persist longer than need be. they will however be more reliable as encrypted protocols will have a nice stable connection.

a misconfiguration in how the states are load balanced will lead to one WAN link being more heavily favored than others.

this isn't the BEST explanation but should help some.

-Sean

From: [EMAIL PROTECTED]
To: support@pfsense.com
Date: Tue, 4 Mar 2008 16:50:26 +0200
Subject: [pfSense Support] Load Balancing further info

Hi,

Excuse my ignorance on this one. I am having a debate with my boss.

Please explain to me the basics of load balancing?

IP address x is accessing www.cnn.com. It arrives at the load balancer which at that point in time pings a pre-determined gateway / IP address. Based on that speed, it will then submit the request over that line and wait for the transmission?

How does it actually decide which WAN port to send the packet? Is it constantly pinging on all WAN ports?

How is a typical webpage broken down into packets? i.e. how many packets are there in a typical page?

Again apologies for the simpleness... just want to get my head around the load balancing / round robin concept.

Lastly, looking at usage on the interfaces. My WAN port is showing quite a bit of throughput while my OPT1 and OPT2 aren't. I have set up my system as close to the manual as possible but it doesn't seem to be load balancing correctly.

Regards,
Mike Lever
Tenacity Films (Pty) Ltd t/a Velocity Films
(T) +2711-807-0100 (F) 086-681-7518
http://www.velocityfilms.com
Re: [pfSense Support] Load Balancing further info
take a look at http://en.wikipedia.org/wiki/Stateful_firewall

On 3/6/08, Mike Lever [EMAIL PROTECTED] wrote:
> Thanks Sean for the clarification.
>
> One point of clarification: can you please define exactly what a 'state' is?
>
> Regards,
> Mike Lever
> Tenacity Films (Pty) Ltd t/a Velocity Films
> (T) +2711-807-0100 (F) 086-681-7518
> http://www.velocityfilms.com
>
> From: Sean Cavanaugh [mailto:[EMAIL PROTECTED]
> Sent: 04 Mar 2008 07:44 PM
> To: support@pfsense.com
> Subject: RE: [pfSense Support] Load Balancing further info
>
> load balancing is fairly easy to learn.
>
> first step, the user sends a request (i.e. visiting www.cnn.com). his computer will forward the request to the gateway (let's assume pfsense set up with load balanced WAN connections). pfsense will then assign the current connection state to a WAN interface. this should happen with states spread evenly across all WAN links. as long as information being transmitted between the user's computer and www.cnn.com are part of the same stream, it will use the same connection path on the WAN link. if the user goes to www.msnbc.com also, this will start a new state connection on the firewall and would theoretically use a different WAN link than the first connection to www.cnn.com.
>
> some issues with this: if the state is set to a very short TTL, then the user will constantly be setting up new states and will be bouncing all over the WAN links. this can make it really bad if they're trying to use encrypted protocols as it will not be valid and will more than likely be denied a lot. if the value is set too high, states will build up on a WAN interface and persist longer than need be. they will however be more reliable as encrypted protocols will have a nice stable connection.
>
> a misconfiguration in how the states are load balanced will lead to one WAN link being more heavily favored than others.
>
> this isn't the BEST explanation but should help some.
>
> -Sean
>
> From: [EMAIL PROTECTED]
> To: support@pfsense.com
> Date: Tue, 4 Mar 2008 16:50:26 +0200
> Subject: [pfSense Support] Load Balancing further info
>
> Hi,
>
> Excuse my ignorance on this one. I am having a debate with my boss.
>
> Please explain to me the basics of load balancing?
>
> IP address x is accessing www.cnn.com. It arrives at the load balancer which at that point in time pings a pre-determined gateway / IP address. Based on that speed, it will then submit the request over that line and wait for the transmission?
>
> How does it actually decide which WAN port to send the packet? Is it constantly pinging on all WAN ports?
>
> How is a typical webpage broken down into packets? i.e. how many packets are there in a typical page?
>
> Again apologies for the simpleness... just want to get my head around the load balancing / round robin concept.
>
> Lastly, looking at usage on the interfaces. My WAN port is showing quite a bit of throughput while my OPT1 and OPT2 aren't. I have set up my system as close to the manual as possible but it doesn't seem to be load balancing correctly.
>
> Regards,
> Mike Lever
> Tenacity Films (Pty) Ltd t/a Velocity Films
> (T) +2711-807-0100 (F) 086-681-7518
> http://www.velocityfilms.com
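Added example (not written by anyone in this thread, and not pf or pfSense code): a small model of the per-connection state table described in the load balancing thread above, showing a flow staying on one link while its state lives and moving to another link once a short state timeout has expired it. The link names WAN, OPT1 and OPT2 come from the thread; the round-robin policy, the timeout values and the addresses are assumptions made for the illustration.

```python
"""Simplified model of state-based multi-WAN balancing (illustration only)."""
from dataclasses import dataclass, field
from itertools import cycle


@dataclass
class Balancer:
    links: list                                   # outbound links, in rotation order
    state_ttl: float                              # seconds an idle state is kept
    states: dict = field(default_factory=dict)    # flow -> [link, last_seen]

    def __post_init__(self):
        # Assumed policy: plain round-robin over the links for new states.
        self._next_link = cycle(self.links)

    def expire(self, now):
        """Drop states that have been idle for longer than state_ttl."""
        idle = [flow for flow, (_, seen) in self.states.items()
                if now - seen > self.state_ttl]
        for flow in idle:
            del self.states[flow]

    def route(self, flow, now):
        """Return the link used for one packet of `flow` at time `now`."""
        self.expire(now)
        entry = self.states.get(flow)
        if entry is None:
            # No matching state. This model treats the packet as the start
            # of a new connection, picks the next link and records it.
            entry = [next(self._next_link), now]
            self.states[flow] = entry
        entry[1] = now                            # refresh the idle timer
        return entry[0]


def links_used(state_ttl, packets, links=("WAN", "OPT1", "OPT2")):
    """Replay (time, flow) packets; return {flow: [links, in order of use]}."""
    lb = Balancer(list(links), state_ttl)
    used = {}
    for now, flow in sorted(packets):
        link = lb.route(flow, now)
        path = used.setdefault(flow, [])
        if not path or path[-1] != link:
            path.append(link)
    return used


# Constructed traffic: one client, two sites, with a 38 second pause in the
# first flow. Addresses are documentation ranges, not real hosts.
CNN = ("10.0.0.5", 40001, "192.0.2.10", 443, "tcp")
MSNBC = ("10.0.0.5", 40002, "198.51.100.20", 443, "tcp")
PACKETS = [(0, CNN), (0.5, MSNBC), (1, CNN), (1.5, MSNBC),
           (2, CNN), (40, CNN), (41, CNN), (45, MSNBC)]

if __name__ == "__main__":
    for ttl in (300, 10):
        print(f"state timeout {ttl:>3}s:")
        for flow, path in links_used(ttl, PACKETS).items():
            print(f"  {flow[2]:<15} -> {' then '.join(path)}")
```

With the 300 second timeout each flow keeps its link; with the 10 second timeout the pause is enough for the same flow to leave through a different link, so the remote server sees it arrive from a different source address.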
[pfSense Support] Re: routing unreliable
I would try that but if you have an upper limit set on all traffic - I assume that LAN to LAN will be limited to that speed (2 Mbit for us). That's what I experience, and slower because of all the internet traffic competing to the point of unusable connections to local servers for file storage. We are trying to avoid the router being the pipe for that kind of traffic, but we need it to work anyway for certain situations only.

So if I have my own rule can it be made not to be part of the overall traffic shaping speed limit (bypass queue) since it really isn't heading to WAN at all.

Thanks
Sangye

On 05/03/2008, Ngawang Sangye [EMAIL PROTECTED] wrote:
> I have been preparing to shift my network to a new bigger subnet. I have routing set up between old 192.168.2.* and new 10.10.*.* subnet.
>
> I have been evaluating pfsense for a while. Its routing of local LAN to LAN subnets is not reliable. At times it was great, but I feel that having traffic shaping on tends to affect it, yet there were times when transfers to a samba server in the old subnet from the new subnet, via pfsense routing performed as one would hope. I have 4 intel gigabit NICs installed - all are fine.
>
> In the last weeks, inexplicably I can't make a transfer work without a drop-out - if it is routed through pfsense like this. I just updated firmware (I am a disk based system) to 1.2 release - which seems ok so far. The problem hasn't changed.
>
> Are there any rules I can do to make the traffic shaper ignore LAN to LAN subnet traffic - assuming it is the culprit.
>
> Once we rollout the new subnet and have all our servers moved there, we will still have alias IPs in the old subnet. That will help in the transition and people will still be able to get to their favourite old addresses in the LAN until we can deal with them. So having stable routing is really important.
>
> I feel I have done my best to make sure this isn't something I can figure out. I have been watching the support and trying to help people but I don't notice this topic come up much. I feel that pfsense routing is fairly useless if there is no work around, which is a shame because otherwise it beats the other firewalls I evaluated.
>
> thanks for your help
> Sangye
RE: [pfSense Support] Message repeating in System Log, can't find the reason
I am trying to use DHCP on both, and I think that may be a reasonable explanation. If I pull a lease by other methods and then plug that info in as static, would that likely work?

I still have a problem with Gateways though. I can't seem to pull a new IP/Gateway like I used to, by changing my spoofed MAC and at the moment, both modems are pulling IPs with the same gateway. Only other solution is the double NAT right (or something a bit more tricky like 1:1 NAT)?

Thanks for the help. I expected this to be a common occurrence, but the response I've seen (aside from yours) says otherwise.

From: Curtis LaMasters [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 05, 2008 10:05 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Message repeating in System Log, can't find the reason

Separate interfaces should work. BSR is nothing more than broadband services router. I think Cox uses the AMT / Motorola BSR64000. Are you using DHCP on both interfaces? I may be mistaken but I thought pfSense only supported 1 DHCP connection on the WAN, the other has to be a static. Don't quote me on that though.

Curtis
Re: [pfSense Support] Message repeating in System Log, can't find the reason
> I may be mistaken but I thought pfSense only supported 1 DHCP connection on the WAN

It was my understanding that only the interface designated 'WAN' could do PPPoE, but the others in a multi-WAN setup could do DHCP or static. Of course, DHCP may cause problems with balancing/routing, but I've not experimentally proven that.

Can anyone else with direct experience (or one of the devs) come to bear on what WAN combinations should [not?] work?
[pfSense Support] Trouble installing on old Dell 6450
Has anyone else attempted to install pfsense on a Dell 6450? booting from the CD in normal mode it will freeze during hardware lookup and booting with ACPI turned off it gets a kernel trap 12 error almost immediately.

worth a shot. doesn't have to happen.

-Sean
Re: [pfSense Support] Trouble installing on old Dell 6450
Sean Cavanaugh wrote:
> Has anyone else attempted to install pfsense on a Dell 6450? booting from the CD in normal mode it will freeze during hardware lookup and booting with ACPI turned off it gets a kernel trap 12 error almost immediately.

Google found a suggestion from someone to enable OS install mode in the BIOS for the initial install (which limits the accessible RAM), do the install, then turn that back off after confirming you can successfully boot the install. Someone did get stock FreeBSD installed successfully this way.

Also I'd make sure it has the latest BIOS on it, I've seen many various pieces of Dell hardware do weird stuff on FreeBSD and/or pfSense with old BIOS revisions when they work flawlessly on the latest.
Re: [pfSense Support] Message repeating in System Log, can't find the reason
RB wrote:
>> I may be mistaken but I thought pfSense only supported 1 DHCP connection on the WAN
>
> It was my understanding that only the interface designated 'WAN' could do PPPoE, but the others in a multi-WAN setup could do DHCP or static.

That is correct. There are at least a couple people using 5 or more WANs on one box all configured for DHCP. I personally use multiple DHCP WANs on my home network.
RE: [pfSense Support] Re: Squid using RAM disk
Thanks for the help. Just to let you know, you are both right. I am trying to eliminate the common point of failure - the hard drive, and I suspected that it would be much faster using ram instead of a hard drive. As far as the price, I already have 10 or so 2 gig ram chips laying around. I don't have any extra hard drives though. So the cost is nothing out of my pocket.

Thanks for the info RB. I am gonna play with the idea more this weekend. I kinda thought more people would have been doing this. I definitely love pfSense. Greatest firewall I have ever used. Thanks to all who contribute. You Rock.

-Original Message-
From: news [mailto:[EMAIL PROTECTED] Behalf Of Ugo Bellavance
Sent: Wednesday, March 05, 2008 10:11 PM
To: support@pfsense.com
Subject: [pfSense Support] Re: Squid using RAM disk

David Rees wrote:
> On Wed, Mar 5, 2008 at 6:05 PM, Curtis LaMasters [EMAIL PROTECTED] wrote:
>> Hard drives are cheap, RAM isn't. What are you actually trying to achieve? Parsing the logs on a disk isn't very time consuming. Interesting idea though.
>
> I suspect that he is trying to eliminate a commonly failed part - the hard drive.
>
> -Dave

I suspect that he needs speed.
RE: [pfSense Support] FreeRADIUS Package
Is there a better place to post/email this stuff? I don't seem to be getting much in the way of responses. I have some nice additions to the FreeRADIUS package that I want to submit, but I would like to add the logging support before I do. Trying to contribute!

Thanks,
Dimitri Rodis
Integrita Systems LLC

-Original Message-
From: Dimitri Rodis [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 04, 2008 2:55 PM
To: support@pfsense.com
Subject: RE: [pfSense Support] FreeRADIUS Package

Any hints on how to add logging support? I would really like to add this feature to the package, but I haven't been able to find any information. I've looked at practically every .xml file in http://cvs.pfsense.com/cgi-bin/cvsweb.cgi/tools/packages/, and I haven't found a package with logging support yet. I've also looked at the CoreGUI docs at http://devwiki.pfsense.org/CoreGUI, but there is no mention of adding logging support anywhere. Can anyone provide some docs/input on how to do this? Having to ssh into the pfSense box and tail -f /var/log/radius.log is a pain, and I would rather just go to a web based log.

Also, when using a textarea widget, is there a way to preserve the carriage returns in the data when it is subsequently received? It isn't affecting any of the functionality that I've added, it would just be nice if it would preserve the formatting so that when the data for that field is subsequently retrieved, it looks the same way it did when I put it in. Again, I didn't see anything in the CoreGUI docs that says whether or not this is possible.

Thanks,
Dimitri Rodis
Integrita Systems LLC

-Original Message-
From: Dimitri Rodis
Sent: Thursday, February 14, 2008 2:45 PM
To: support@pfsense.com
Subject: RE: [pfSense Support] FreeRADIUS Package

I installed Squid (per Martin to see the syntax for some of the XML), but when I go to the Package Logs page, I get:

No packages with logging facilities are currently installed.

Also, would you happen to know the options you guys would want me to use with diff using cygwin so I can send up my changes so far? (I did the VLAN support already, figured I'd send that up now and then follow up with the logging stuff).

Thanks,
Dimitri Rodis
Integrita Systems LLC

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 14, 2008 10:24 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] FreeRADIUS Package

On 2/11/08, Dimitri Rodis [EMAIL PROTECTED] wrote:
> The FreeRadius log seems to be located at /var/log/radius.log. According to the current package, there is no logging set up in the package, so you basically have to ssh into pfSense to look at the log. What's involved in web enabling the FreeRADIUS log? (looked in the forums, didn't find much.) Does it take something more than just adding a reference to the location of the log in the .xml file somewhere?

I believe the squid package makes usage of this. Cannot recall 100% but I do know one of our packages has this implemented that should be a good guide.

Scott
Re: [pfSense Support] Message repeating in System Log, can't find the reason
Now that the broadband is very reliable, why would anyone use more than one WAN at home? What are the benefits you have seen or desired in multiple dhcp wan at home?

Chris Buechler [EMAIL PROTECTED] wrote:
> RB wrote:
>>> I may be mistaken but I thought pfSense only supported 1 DHCP connection on the WAN
>>
>> It was my understanding that only the interface designated 'WAN' could do PPPoE, but the others in a multi-WAN setup could do DHCP or static.
>
> That is correct. There are at least a couple people using 5 or more WANs on one box all configured for DHCP. I personally use multiple DHCP WANs on my home network.
[pfSense Support] Disable the userland FTP-Proxy application
Is there any harm in Disable the userland FTP-Proxy application ?? Any pointers or lead to read somewhere else would be appreciated. Thanks
Re: [pfSense Support] Trouble installing on old Dell 6450
I can install FreeBSD on it with zero issue. don't even have to disable ACPI. pfsense freezes right after it sees the raid array as a viable HDD.

-Sean

From: Chris Buechler [EMAIL PROTECTED]
Sent: Thursday, March 06, 2008 2:22 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Trouble installing on old Dell 6450

Sean Cavanaugh wrote:
> Has anyone else attempted to install pfsense on a Dell 6450? booting from the CD in normal mode it will freeze during hardware lookup and booting with ACPI turned off it gets a kernel trap 12 error almost immediately.

Google found a suggestion from someone to enable OS install mode in the BIOS for the initial install (which limits the accessible RAM), do the install, then turn that back off after confirming you can successfully boot the install. Someone did get stock FreeBSD installed successfully this way.

Also I'd make sure it has the latest BIOS on it, I've seen many various pieces of Dell hardware do weird stuff on FreeBSD and/or pfSense with old BIOS revisions when they work flawlessly on the latest.
Re: [pfSense Support] Message repeating in System Log, can't find the reason
> Now that the broadband is very reliable, why would anyone use more than one WAN at home? What are the benefits you have seen or desired in multiple dhcp wan at home?

I'm not sure where you are that you have such reliable internet access, but such is not the case for many (esp. large) North American providers, especially for the typical consumer. I'd even say most of the attitudes I've seen are pretty cavalier toward private consumers.

Nearly every benefit of multi-WAN configurations can be useful at the home: throughput, availability, and cost, among others. However, don't forget that many of us run offices and/or servers at home, and that a sizeable chunk of pfSense use is in fact commercial in nature (ISPs to enterprises, and many in between).
Re: [pfSense Support] FreeRADIUS Package
On 3/6/08, Dimitri Rodis [EMAIL PROTECTED] wrote:
> Is there a better place to post/email this stuff? I don't seem to be getting much in the way of responses. I have some nice additions to the FreeRADIUS package that I want to submit, but I would like to add the logging support before I do. Trying to contribute!

I would imagine that is broken and you will need to roll your own log viewer.

Scott
Re: [pfSense Support] Message repeating in System Log, can't find the reason
Anil Garg wrote:
> Now that the broadband is very reliable, why would anyone use more than one WAN at home? What are the benefits you have seen or desired in multiple dhcp wan at home?

Very reliable depends on your provider, your definition of reliable, and even more, your tolerance for downtime. My tolerance for downtime is 0. I work a significant amount out of my home office, largely on servers, routers, firewalls, switches, etc. in remote locations where I must have an Internet connection. My primary 15 Mb cable connection is down around 4 hours a month on average, and once a year or so for 48+ hours straight or longer.

While that's no big deal for your typical residence, it's critical for me and *always* happens to me at the worst times. When you have clients that rely on you being accessible to assist any time, the money spent on the backup DSL connection is well worth it and a relatively insignificant cost. When I'm doing something critical after hours, I don't want to be stuck driving into the office or elsewhere with a working Internet connection at 3 AM to finish the job.
RE: [pfSense Support] Message repeating in System Log, can't find the reason
My reasons are two-fold. One is as Chris said, I work from home AND have servers in the home that need to remain accessible to my hosted servers. The 2nd is because I do a significant amount of off-site backups in 2 directions so a 2nd line allows me to saturate one with file transfers without affecting my more casual activities.

I'd like to thank everyone for engaging in this dialog and helping out. I'm still having the same problem though. My 2nd WAN interface refuses to pull an IP via DHCP and by testing with the 1st interface, and other devices I know that the modem is more than happy to hand one out. How do I go about troubleshooting this?

-Original Message-
From: Chris Buechler [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 06, 2008 2:12 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Message repeating in System Log, can't find the reason

Anil Garg wrote:
> Now that the broadband is very reliable, why would anyone use more than one WAN at home? What are the benefits you have seen or desired in multiple dhcp wan at home?

Very reliable depends on your provider, your definition of reliable, and even more, your tolerance for downtime. My tolerance for downtime is 0. I work a significant amount out of my home office, largely on servers, routers, firewalls, switches, etc. in remote locations where I must have an Internet connection. My primary 15 Mb cable connection is down around 4 hours a month on average, and once a year or so for 48+ hours straight or longer.

While that's no big deal for your typical residence, it's critical for me and *always* happens to me at the worst times. When you have clients that rely on you being accessible to assist any time, the money spent on the backup DSL connection is well worth it and a relatively insignificant cost. When I'm doing something critical after hours, I don't want to be stuck driving into the office or elsewhere with a working Internet connection at 3 AM to finish the job.
RE: [pfSense Support] Message repeating in System Log, can't find the reason
I'm hoping the log entries below will help because I'm not familiar with tcpdump yet (spoiled GUI user where packet-capturing is concerned).

Mar 5 21:34:01 kernel: arpresolve: can't allocate route for 192.168.0.1
Mar 5 21:34:01 kernel: arplookup 192.168.0.1 failed: host is not on local network
Mar 5 21:33:43 dhclient[80556]: bound: renewal in 27102 seconds.
Mar 5 21:33:42 dhclient[80556]: Trying recorded lease 192.168.0.2 -- This looks interesting
Mar 5 21:33:42 dhclient[80556]: No DHCPOFFERS received.
Mar 5 21:33:31 last message repeated 3 times
Mar 5 21:33:12 kernel: arpresolve: can't allocate route for 192.168.0.1
Mar 5 21:33:12 kernel: arplookup 192.168.0.1 failed: host is not on local network
Mar 5 21:33:00 kernel: arpresolve: can't allocate route for 192.168.0.1
Mar 5 21:33:00 kernel: arplookup 192.168.0.1 failed: host is not on local network
Mar 5 21:32:58 dhclient[80556]: DHCPDISCOVER on sk0 to 255.255.255.255 port 67 interval 11
Mar 5 21:32:48 dhclient[80556]: DHCPDISCOVER on sk0 to 255.255.255.255 port 67 interval 10
Mar 5 21:32:43 dhclient[80556]: DHCPDISCOVER on sk0 to 255.255.255.255 port 67 interval 5
Mar 5 21:32:41 dhclient[80556]: DHCPDISCOVER on sk0 to 255.255.255.255 port 67 interval 2
Mar 5 21:32:34 last message repeated 3 times
Mar 5 21:32:28 php: : Not a valid interface action
Mar 5 21:32:28 php: : Processing -
Mar 5 21:32:28 php: : Not a valid interface action
Mar 5 21:32:28 php: : Processing start -
Mar 5 21:32:28 php: : HOTPLUG: Configuring optional interface - opt
Mar 5 21:32:28 php: : DEVD Ethernet attached event for sk0
Mar 5 21:32:28 php: : Processing sk0 - start
Mar 5 21:32:28 check_reload_status: rc.linkup starting
Mar 5 21:32:26 dhclient[80556]: DHCPREQUEST on sk0 to 255.255.255.255 port 67
Mar 5 21:32:26 kernel: sk0: link state changed to UP
Mar 5 21:32:24 kernel: sk0: link state changed to DOWN
Mar 5 21:32:19 syslogd: kernel boot file is /boot/kernel/kernel

-Original Message-
From: Chris Buechler [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 06, 2008 3:27 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Message repeating in System Log, can't find the reason

Michael Richardson wrote:
> My reasons are two-fold. One is as Chris said, I work from home AND have servers in the home that need to remain accessible to my hosted servers. The 2nd is because I do a significant amount of off-site backups in 2 directions so a 2nd line allows me to saturate one with file transfers without affecting my more casual activities.
>
> I'd like to thank everyone for engaging in this dialog and helping out. I'm still having the same problem though. My 2nd WAN interface refuses to pull an IP via DHCP and by testing with the 1st interface, and other devices I know that the modem is more than happy to hand one out. How do I go about troubleshooting this?

tcpdump on the interface and see what's really happening. Also I haven't read the entirety of this really long thread, if you've already sent logs from dhclient please re-send them.
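Added example (not written by anyone in this thread): a short script that reads the dhclient and kernel lines from the log in the message above and reports how the lease was obtained. The lines are copied from that message with the poster's inline remark removed; the function name and result keys are made up for the illustration, and the DHCPOFFER/DHCPACK branches cover lines a successful run would contain but this log does not.

```python
"""Summarise one dhclient attempt from syslog lines (illustration only)."""
import re

# Copied from the message above, newest first as posted.
LOG = """\
Mar 5 21:34:01 kernel: arpresolve: can't allocate route for 192.168.0.1
Mar 5 21:34:01 kernel: arplookup 192.168.0.1 failed: host is not on local network
Mar 5 21:33:43 dhclient[80556]: bound: renewal in 27102 seconds.
Mar 5 21:33:42 dhclient[80556]: Trying recorded lease 192.168.0.2
Mar 5 21:33:42 dhclient[80556]: No DHCPOFFERS received.
Mar 5 21:33:31 last message repeated 3 times
Mar 5 21:32:58 dhclient[80556]: DHCPDISCOVER on sk0 to 255.255.255.255 port 67 interval 11
Mar 5 21:32:48 dhclient[80556]: DHCPDISCOVER on sk0 to 255.255.255.255 port 67 interval 10
Mar 5 21:32:43 dhclient[80556]: DHCPDISCOVER on sk0 to 255.255.255.255 port 67 interval 5
Mar 5 21:32:41 dhclient[80556]: DHCPDISCOVER on sk0 to 255.255.255.255 port 67 interval 2
Mar 5 21:32:26 dhclient[80556]: DHCPREQUEST on sk0 to 255.255.255.255 port 67
Mar 5 21:32:26 kernel: sk0: link state changed to UP
"""

# "<month> <day> <time> <tag>[pid]: <message>"; lines without a tag, such as
# "last message repeated 3 times", do not match and are skipped.
LINE = re.compile(
    r"^\w{3} +\d+ [\d:]{8} (?P<tag>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$")
ARP_FAIL = re.compile(r"arplookup (\S+) failed: host is not on local network")


def analyse(log_text):
    """Walk the log oldest-first and record how the interface got its lease."""
    events = [m.groupdict() for m in map(LINE.match, log_text.splitlines()) if m]
    events.reverse()          # the posted log is newest-first
    result = {"requests": 0, "discovers": 0, "offers": 0, "no_offers": False,
              "fallback_lease": None, "bound_via": None, "arp_failures": set()}
    acked = False
    for ev in events:
        tag, msg = ev["tag"], ev["msg"]
        if tag == "dhclient":
            if msg.startswith("DHCPREQUEST"):
                result["requests"] += 1
            elif msg.startswith("DHCPDISCOVER"):
                result["discovers"] += 1
            elif msg.startswith("DHCPOFFER"):
                result["offers"] += 1
            elif msg.startswith("DHCPACK"):
                acked = True
            elif msg.startswith("No DHCPOFFERS"):
                result["no_offers"] = True
                acked = False
            elif (m := re.match(r"Trying recorded lease (\S+)", msg)):
                result["fallback_lease"] = m.group(1)
            elif msg.startswith("bound"):
                # "bound" after a fallback and without an ACK means the
                # address came from the client's lease file, not a server.
                stale = result["fallback_lease"] and not acked
                result["bound_via"] = "recorded lease" if stale else "server ack"
        elif tag == "kernel" and (m := ARP_FAIL.search(msg)):
            result["arp_failures"].add(m.group(1))
    return result


if __name__ == "__main__":
    for key, value in analyse(LOG).items():
        print(f"{key:15} {value}")
```

On this log the summary shows four DISCOVERs, no offers, and a `bound` entry that follows the fallback to the recorded lease 192.168.0.2, so no DHCP server answered during that attempt.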
Re: [pfSense Support] Message repeating in System Log, can't find the reason
I see how multiple WANs from different providers (assuming they use different link-level sources and/or technology) can provide backup for outgoing access, but I haven't figured out how this can help for incoming access to servers.

I.E., let's say I have 2 WAN connections with public IPs; 98.76.54.231 via a cable-based ISP and 123.45.67.89 via DSL-based ISP. Now say I run a web server, www.mydomain.com, that has a DNS-resolvable public IP address of 123.45.67.89 (i.e., the DSL-based WAN). If my DSL-based WAN goes down and pfSense nicely re-routes everything through the cabled-based WAN, how does one (re)route the traffic coming into www.mydomain.com to target the cable-based WAN at 98.76.54.231?

The only way I can see of doing this would be to have a DNS server that provides fail-over but, given that DNS servers are highly distributed and employ timed caching, such a fail-over would take considerable time to propagate (likely more time than the typical ISP's outage, or so one would hope?).

Is there something I'm missing, here? FYI, for us this is a real problem that I'd like to solve.

Previous message from Chris Buechler on 2008-03-06 at 4:11 PM -0500:
|Anil Garg wrote:
| Now that the broadband is very reliable, why would anyone use more
| than one WAN at home. What are the benefits you have seen or desired
| in multiple dhcp wan at home.
|
|Very reliable depends on your provider, your definition of reliable,
|and even more, your tolerance for downtime. My tolerance for downtime is
|0. I work a significant amount out of my home office, largely on
|servers, routers, firewalls, switches, etc. in remote locations where I
|must have an Internet connection. My primary 15 Mb cable connection is
|down around 4 hours a month on average, and once a year or so for 48+
|hours straight or longer.
|
|While that's no big deal for your typical residence, it's critical for
|me and *always* happens to me at the worst times. When you have clients
|that rely on you being accessible to assist any time, the money spent on
|the backup DSL connection is well worth it and a relatively
|insignificant cost. When I'm doing something critical after hours, I
|don't want to be stuck driving into the office or elsewhere with a
|working Internet connection at 3 AM to finish the job.
Re: [pfSense Support] Message repeating in System Log, can't find the reason
Bryan Derman wrote:
> I see how multiple WANs from different providers (assuming they use different link-level sources and/or technology) can provide backup for outgoing access, but I haven't figured out how this can help for incoming access to servers. I.E., let's say I have 2 WAN connections with public IPs; 98.76.54.231 via a cable-based ISP and 123.45.67.89 via DSL-based ISP. Now say I run a web server, www.mydomain.com, that has a DNS-resolvable public IP address of 123.45.67.89 (i.e., the DSL-based WAN). If my DSL-based WAN goes down and pfSense nicely re-routes everything through the cable-based WAN, how does one (re)route the traffic coming into www.mydomain.com to target the cable-based WAN at 98.76.54.231?
>
> The only way I can see of doing this would be to have a DNS server that provides fail-over but, given that DNS servers are highly distributed and employ timed caching, such a fail-over would take considerable time to propagate (likely more time than the typical ISP's outage, or so one would hope?).

Not with an adequately low TTL on your DNS records. There are companies doing exactly this with pfSense and the tinydns package.
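The low-TTL failover described in the reply above, as an added example (not code from the thread or from the pfSense tinydns package): it chooses which WAN address to publish as a tinydns-data A record from health-probe results. The class name, the probe inputs, the 60-second TTL and the three-failure threshold are assumptions; the host name and addresses are the ones from the question.

```python
class DnsFailover:
    """Choose which WAN address to publish for one name (assumed design)."""

    def __init__(self, fqdn, wans, ttl=60, fail_threshold=3):
        self.fqdn, self.wans = fqdn, wans            # wans: [(name, ip)], preferred first
        self.ttl, self.fail_threshold = ttl, fail_threshold
        self.fails = {name: 0 for name, _ in wans}   # consecutive failed probes

    def observe(self, name, probe_ok):
        """Record one health-probe result for a WAN link."""
        self.fails[name] = 0 if probe_ok else self.fails[name] + 1

    def record(self):
        """tinydns-data A record line ('+fqdn:ip:ttl') for the best healthy WAN."""
        for name, ip in self.wans:
            # A link counts as down only after fail_threshold misses in a row,
            # so a single lost probe does not flip the published address.
            if self.fails[name] < self.fail_threshold:
                return f"+{self.fqdn}:{ip}:{self.ttl}"
        return None    # every link looks down: keep whatever is published

    def worst_case_stale_seconds(self, probe_interval):
        """Detection time plus one full TTL, ignoring the time to publish."""
        return probe_interval * self.fail_threshold + self.ttl


def demo():
    """Constructed run: the DSL link fails three probes in a row, then recovers."""
    f = DnsFailover("www.mydomain.com",
                    [("dsl", "123.45.67.89"), ("cable", "98.76.54.231")])
    published = []
    for probe_ok in (False, False, False, True):
        f.observe("dsl", probe_ok)
        published.append(f.record())
    return published


if __name__ == "__main__":
    print("\n".join(demo()))
```

The stale-window bound holds only for resolvers that honor the record's TTL.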
Re: [pfSense Support] Message repeating in System Log, can't find the reason
Michael Richardson wrote:
> I'm hoping the log entries below will help because I'm not familiar with tcpdump yet (spoiled GUI user where packet-capturing is concerned).

Go to a command line (enable SSH if you haven't already or do it at the actual console), and run:

tcpdump -i fxp0 -s 1515 -w /tmp/wandhcp.pcap

replacing fxp0 with whatever the real interface of your second WAN is. Then hit release/renew 3-4 times on your second WAN on the Status-Interfaces page, wait a minute or two, and hit ctrl-c to break out of the tcpdump. In the Command page under Diagnostics, you can download the file /tmp/wandhcp.pcap and email it to me offlist.

It looks like from the logs below you're getting something unacceptable from DHCP but I'm not sure.
RE: [pfSense Support] FreeRADIUS Package
The pfSense log viewer is broken?

Dimitri Rodis
Integrita Systems LLC

-----Original Message-----
From: Scott Ullrich [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 06, 2008 1:02 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] FreeRADIUS Package

On 3/6/08, Dimitri Rodis [EMAIL PROTECTED] wrote:
> Is there a better place to post/email this stuff? I don't seem to be getting much in the way of responses. I have some nice additions to the FreeRADIUS package that I want to submit, but I would like to add the logging support before I do. Trying to contribute!

I would imagine that is broken and you will need to roll your own log viewer.

Scott
Re: [pfSense Support] Re: routing unreliable
Ngawang Sangye wrote:
> I would try that but if you have an upper limit set on all traffic - I assume that LAN to LAN will be limited to that speed (2 Mbit for us). That's what I experience, and slower because of all the internet traffic competing to the point of unusable connections to local servers for file storage.

This type of setup is not compatible with the traffic shaper in 1.2 because it only properly supports two interface deployments (LAN and WAN). It's already been rewritten in 1.3 to accommodate these types of networks. Your only option with 1.2 is to use a perimeter firewall for your Internet connection and traffic shaping, and another as an internal router.
Re: [pfSense Support] pfSense VPN X Nortel Contivity
Bill Marquette wrote:
> Not sure on hardware, but I wouldn't be the least bit surprised if boards as low powered as the new pcengines ALIX boards could do 14mbit encrypted (that's really not a lot of traffic).

I've heard from people who have tested ALIX hardware to max out at about 10 Mbps IPsec throughput with 3DES. DES and 3DES are significantly slower than any other encryption algorithm we support. With AES, Blowfish or CAST128 you can probably get around 15 Mb through an ALIX. If you require 3DES you'll likely need something with 1 GHz CPU to push that much and have adequate power to spare for other traffic and services.
Re: [pfSense Support] Message repeating in System Log, can't find the reason
Not to discredit Chris on his way of doing this but for the GUI users, go to the Diagnostics menu -> Packet Capture -> change the interface to the one you are having issues with, change the number of packets to 1000, and change the level to full. Start the capture, and when finished, download the pcap file and open it with Wireshark or then send it to Chris. This method is easier for me (fat fingers) :).

Verify your packet output with the DHCP RFC http://www.networksorcery.com/enp/rfc/rfc2131.txt

Curtis
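To check captured replies against RFC 2131 as suggested above, this added example (not from the thread) decodes the UDP payload of a DHCP server reply and lists required fields that are missing or malformed. The function names and sample packets are constructed for illustration; real payload bytes would be copied out of the capture in Wireshark.

```python
import struct
MAGIC_COOKIE = bytes.fromhex("63825363")   # precedes the options field (RFC 2131)
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}   # option 53 values

def parse_options(data):
    """Walk the option TLVs; return ({code: value}, [problems])."""
    opts, problems, i = {}, [], 0
    while i < len(data):
        code = data[i]
        if code == 255:                    # End option
            return opts, problems
        if code == 0:                      # Pad option has no length byte
            i += 1
            continue
        length = data[i + 1] if i + 1 < len(data) else -1
        value = data[i + 2:i + 2 + length]
        if length < 0 or len(value) != length:
            problems.append(f"option {code} runs past the end of the packet")
            return opts, problems
        opts[code] = value
        i += 2 + length
    problems.append("no End option (255)")
    return opts, problems

def check_reply(payload):
    """Check one server reply (UDP payload) against RFC 2131 field rules."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None, ["not DHCP: too short or magic cookie missing"]
    opts, problems = parse_options(payload[240:])
    mtype = opts.get(53)
    kind = MSG_TYPES.get(mtype[0], "UNKNOWN") if mtype else "MISSING"
    yiaddr = ".".join(str(b) for b in payload[16:20])
    if kind in ("UNKNOWN", "MISSING"):
        problems.append("message type (option 53) missing or invalid")
    if kind in ("OFFER", "ACK", "NAK") and 54 not in opts:
        problems.append(f"{kind} without server identifier (option 54)")
    if kind == "OFFER" and 51 not in opts:
        problems.append("OFFER without lease time (option 51)")
    if kind == "OFFER" and yiaddr == "0.0.0.0":
        problems.append("OFFER with yiaddr 0.0.0.0")
    return {"type": kind, "yiaddr": yiaddr, "options": opts}, problems

def sample_reply(msg_type, yiaddr, extra=b""):
    """Constructed BOOTREPLY for testing; not taken from a real capture."""
    head = struct.pack("!BBBBIHH4s4s4s4s", 2, 1, 6, 0, 0x1234ABCD, 0, 0,
                       bytes(4), bytes(yiaddr), bytes(4), bytes(4))
    head += bytes.fromhex("001122334455").ljust(16, b"\0") + bytes(192)
    return head + MAGIC_COOKIE + bytes([53, 1, msg_type]) + extra + b"\xff"
```

An empty problem list means only that these field checks passed, not that the lease itself suits the client.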