Re: [pfSense Support] Multiple Subnets From ISP Same Interface
On Mon, Aug 17, 2009 at 5:33 PM, Jesse Vollmar vollm...@gmail.com wrote:
> Hey guys, after googling this for a while, I'm not finding any clear instructions for doing this. I currently have a multi-wan scenario with failover configured. I just purchased another static IP block from one of the ISPs and they are now routing those to me (so they say). I would like to use this new subnet in concurrence with my old subnet, both on the same interface (OPT1). The subnets do not share the same gateway. What is the proper way to configure this?

Depends on exactly how they're routing them to you, and how you want to use them.

If you want to use them with NAT, and you aren't using CARP, just add them as Other VIPs. IPs that are routed to you do not need ARP. If you're using CARP, add them as Other VIPs and make sure the ISP is routing that new subnet to a CARP VIP.

If you want to directly assign the public IPs on inside systems, add another interface for the new subnet, whether physical or VLAN (this has nothing to do with the ISP, it's your internal network). Alternatively you can put both subnets on the same inside interface, but I would avoid that.
http://doc.pfsense.org/multiple-subnets-one-interface-pfsense.pdf

To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com
Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] Multiple Subnets From ISP Same Interface
On Tue, Aug 18, 2009 at 1:52 AM, Chris Buechler c...@pfsense.org wrote:
> On Mon, Aug 17, 2009 at 5:33 PM, Jesse Vollmar vollm...@gmail.com wrote:
>> Hey guys, after googling this for a while, I'm not finding any clear instructions for doing this. I currently have a multi-wan scenario with failover configured. I just purchased another static IP block from one of the ISPs and they are now routing those to me (so they say). I would like to use this new subnet in concurrence with my old subnet, both on the same interface (OPT1). The subnets do not share the same gateway. What is the proper way to configure this?
>
> Depends on exactly how they're routing them to you, and how you want to use them.
>
> If you want to use them with NAT, and you aren't using CARP, just add them as Other VIPs. IPs that are routed to you do not need ARP. If you're using CARP, add them as Other VIPs and make sure the ISP is routing that new subnet to a CARP VIP.
>
> If you want to directly assign the public IPs on inside systems, add another interface for the new subnet, whether physical or VLAN (this has nothing to do with the ISP, it's your internal network). Alternatively you can put both subnets on the same inside interface, but I would avoid that.
> http://doc.pfsense.org/multiple-subnets-one-interface-pfsense.pdf

So, in a way I was right... sometimes I get nervous speaking in English.

--
Linux User #452368
http://twitter.com/vpadro
Manifesto for a free culture: http://culturalibre.org/
Doing a thing well is often a waste of time.
Re: [pfSense Support] Multiple Subnets From ISP Same Interface
> Depends on exactly how they're routing them to you, and how you want to use them.
>
> If you want to use them with NAT, and you aren't using CARP, just add them as Other VIPs. IPs that are routed to you do not need ARP. If you're using CARP, add them as Other VIPs and make sure the ISP is routing that new subnet to a CARP VIP.
>
> If you want to directly assign the public IPs on inside systems, add another interface for the new subnet, whether physical or VLAN (this has nothing to do with the ISP, it's your internal network). Alternatively you can put both subnets on the same inside interface, but I would avoid that.
> http://doc.pfsense.org/multiple-subnets-one-interface-pfsense.pdf

I'm not using CARP and I would like to use them with NAT. According to that, your recommendation would be to use Other VIPs. My only question is, will they route properly since the ISP has this new subnet using a different gateway address than the first subnet? On my interface the gateway is defined, but it isn't the gateway for my new VIPs. I think they would need a different route. This makes me think that I either have to add another interface, or do multiple subnets on the same interface. Am I right?

Thanks for the help everyone!
[pfSense Support] Triple CARP setup
How should I configure pfsync if I want to use three machines?

## Synchronize to IP
Enter the IP address of the firewall you are synchronizing with.
##

Should I list there all IP-s I want to sync to? Separated by commas or spaces?

--
Veiko
[pfSense Support] XMLRPC debugging
Hello,

I just noticed that my two pfSense boxen aren't syncing anymore. In the logs, I see:

An error code was received while attempting XMLRPC sync with username admin https://192.168.8.1:443 - Code 2: Invalid return payload: enable debugging to examine incoming payload

How can I enable XMLRPC debugging and run it from the CLI?

Thanks,
Ian
Re: [pfSense Support] Triple CARP setup
Veiko Kukk wrote:
> How should I configure pfsync if I want to use three machines?
>
> ## Synchronize to IP
> Enter the IP address of the firewall you are synchronizing with.
> ##
>
> Should I list there all IP-s I want to sync to? Separated by commas or spaces?

As far as I know, carp + pfsync (states) communication goes on using multicast addresses no matter what you configure in the pfsync sync peer IP field. Not sure what happens when you change a rule on the active. Probably in this case the destination IP is taken from the Synchronize to IP field.

Eugene.
Re: [pfSense Support] Triple CARP setup
On Tue, Aug 18, 2009 at 10:28 AM, Veiko Kukk veiko.k...@krediidipank.ee wrote:
> How should I configure pfsync if I want to use three machines?
>
> ## Synchronize to IP
> Enter the IP address of the firewall you are synchronizing with.
> ##
>
> Should I list there all IP-s I want to sync to? Separated by commas or

No. Put the next cluster member in this box (only one host). On the next host put the next member's IP in, creating a chain.

Cluster Primary - Backup - Tertiary

Scott
[pfSense Support] Using a different gateway reply-to IP in PF rules
Hello,

I've got a WAN rule that allows traffic from a specific subnet in our university's private network direct access to our LAN. We're basically bridging two LANs across a WAN interface. The generated rule looks like this, where 1.2.3.4 is our default gateway:

pass in log quick on $wan reply-to (em2 1.2.3.4) proto { tcp udp } from { 10.11.143.0/24 } to { 10.0.8.0/23 } keep state label USER_RULE: Outside LAN

The problem we have is that we're using a static route to access the gateway to this outside LAN, let's say that's 1.2.3.5. What we need is for traffic that comes in from 1.2.3.5 for our LAN to go back out to 1.2.3.5, not to the default route. We do have the static route defined:

default          1.2.3.4    UGS    0  5766491  em2
[snip]
10.11.143.0/24   1.2.3.5    UGS    0      384  em2

From the rule editing page, it appears that a gateway can be defined, but I'm only given the option of using default or my default route (1.2.3.4). The description below says "Leave as 'default' to use the system routing table", but with the way the rules are generated by pfSense, all of our WAN traffic is sent back out the default gateway instead of the more precise match. I understand that the solution to this is to change the above generated rule to use reply-to (em2 1.2.3.5) or to omit the reply-to altogether.

Is there any way to accommodate this rather obscure use-case in pfSense? Can we add additional routes to the Gateway drop-down?

Thanks,
Ian
Re: [pfSense Support] Using a different gateway reply-to IP in PF rules
On Tue, Aug 18, 2009 at 6:44 PM, Ian Levesque i...@crystal.harvard.edu wrote:
> Hello,
>
> I've got a WAN rule that allows traffic from a specific subnet in our university's private network direct access to our LAN. We're basically bridging two LANs across a WAN interface. The generated rule looks like this, where 1.2.3.4 is our default gateway:
>
> pass in log quick on $wan reply-to (em2 1.2.3.4) proto { tcp udp } from { 10.11.143.0/24 } to { 10.0.8.0/23 } keep state label USER_RULE: Outside LAN
>
> The problem we have is that we're using a static route to access the gateway to this outside LAN, let's say that's 1.2.3.5. What we need is for traffic that comes in from 1.2.3.5 for our LAN to go back out to 1.2.3.5, not to the default route. We do have the static route defined:
>
> default          1.2.3.4    UGS    0  5766491  em2
> [snip]
> 10.11.143.0/24   1.2.3.5    UGS    0      384  em2
>
> From the rule editing page, it appears that a gateway can be defined, but I'm only given the option of using default or my default route (1.2.3.4). The description below says "Leave as 'default' to use the system routing table", but with the way the rules are generated by pfSense, all of our WAN traffic is sent back out the default gateway instead of the more precise match. I understand that the solution to this is to change the above generated rule to use reply-to (em2 1.2.3.5) or to omit the reply-to altogether.
>
> Is there any way to accommodate this rather obscure use-case in pfSense? Can we add additional routes to the Gateway drop-down?

What you're seeing is this:
http://redmine.pfsense.org/issues/show/14

Gateway is for route-to; there is no way to specify reply-to, as that's handled automatically. 1.2.3 does have a checkbox under System - Advanced to disable adding reply-to entirely, which is a solution as long as you aren't using multi-WAN (you can just comment out the reply-to line in /etc/inc/filter.inc too).

We don't have a solution for multi-WAN cases combined with WAN static routes to something other than your gateway on that interface at this time. Either the static route won't work for traffic initiated from that router, or you disable reply-to and break reply routing for multi-WAN.
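To make the reply-to versus routing-table behaviour discussed above concrete, here is an added Python example (not code from this thread or from pfSense): it models the routing table Ian posted as a longest-prefix lookup, shows which next hop return traffic gets with and without the generated reply-to, and flags rules whose reply-to gateway disagrees with the more specific static route. The route entries, the rule record and the host 10.11.143.20 are constructed from the values in the thread.

```python
from ipaddress import ip_address, ip_network

# Constructed routing table, modelled on the netstat -rn output posted in the
# thread: (destination, gateway, interface). The default route goes to 1.2.3.4,
# the static route for the outside LAN goes to 1.2.3.5, both on em2.
ROUTES = [
    ("0.0.0.0/0",      "1.2.3.4", "em2"),
    ("10.11.143.0/24", "1.2.3.5", "em2"),
]

# Constructed rule record mirroring the generated pf rule in the thread.
# reply_to is (interface, gateway) as written in 'reply-to (em2 1.2.3.4)',
# or None when pfSense is told not to add reply-to at all.
RULE = {
    "label": "USER_RULE: Outside LAN",
    "src": "10.11.143.0/24",
    "dst": "10.0.8.0/23",
    "reply_to": ("em2", "1.2.3.4"),
}


def lookup(routes, dst):
    """Longest-prefix match over the routing table, as the kernel does.
    Returns (gateway, interface) or None if nothing matches."""
    addr = ip_address(dst)
    best = None
    for net, gw, ifname in routes:
        n = ip_network(net)
        if addr in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, gw, ifname)
    return None if best is None else (best[1], best[2])


def reply_next_hop(routes, reply_to, reply_dst):
    """Next hop used for reply packets of a state created by a 'pass in' rule.
    With reply-to set, pf hands replies to that interface/gateway pair and the
    routing table is not consulted; without it, the routing table decides."""
    if reply_to is not None:
        ifname, gw = reply_to
        return (gw, ifname)
    return lookup(routes, reply_dst)


def reply_to_conflicts(routes, rules):
    """Defender's check: flag rules whose fixed reply-to gateway differs from
    the gateway the routing table would choose for the rule's source network.
    Such rules silently bypass a more specific static route for return traffic.
    Returns a list of (label, reply_to_gateway, routing_table_gateway)."""
    findings = []
    for rule in rules:
        if rule["reply_to"] is None:
            continue
        src = ip_network(rule["src"])
        # Replies go back towards the source network; look up its first host
        # so the most specific covering route is the one compared.
        first_host = next(src.hosts(), src.network_address)
        table = lookup(routes, str(first_host))
        if table is not None and table[0] != rule["reply_to"][1]:
            findings.append((rule["label"], rule["reply_to"][1], table[0]))
    return findings


if __name__ == "__main__":
    target = "10.11.143.20"  # constructed: a host in the outside LAN
    print("with reply-to   :", reply_next_hop(ROUTES, RULE["reply_to"], target))
    print("reply-to removed:", reply_next_hop(ROUTES, None, target))
    for label, fixed, table in reply_to_conflicts(ROUTES, [RULE]):
        print(f"{label}: reply-to forces {fixed}, routing table says {table}")
```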
Re: [pfSense Support] Using a different gateway reply-to IP in PF rules
On Aug 18, 2009, at 6:51 PM, Chris Buechler wrote:
> On Tue, Aug 18, 2009 at 6:44 PM, Ian Levesque i...@crystal.harvard.edu wrote:
>> [snip]
>> From the rule editing page, it appears that a gateway can be defined, but I'm only given the option of using default or my default route (1.2.3.4). The description below says "Leave as 'default' to use the system routing table", but with the way the rules are generated by pfSense, all of our WAN traffic is sent back out the default gateway instead of the more precise match. I understand that the solution to this is to change the above generated rule to use reply-to (em2 1.2.3.5) or to omit the reply-to altogether.
>>
>> Is there any way to accommodate this rather obscure use-case in pfSense? Can we add additional routes to the Gateway drop-down?
>
> What you're seeing is this:
> http://redmine.pfsense.org/issues/show/14
>
> Gateway is for route-to; there is no way to specify reply-to, as that's handled automatically. 1.2.3 does have a checkbox under System - Advanced to disable adding reply-to entirely, which is a solution as long as you aren't using multi-WAN (you can just comment out the reply-to line in /etc/inc/filter.inc too).

Hi Chris - thanks for the reply. I'm still on 1.2.1 and am waiting to upgrade with the final 1.2.3 release. If I make a change to /etc/inc/filter.inc now, it would be lost when I upgraded pfSense, correct? I just want to avoid getting hit with this again after the 1.2.3 release is installed (at which point, this network bridging will be live).

> We don't have a solution for multi-WAN cases combined with WAN static routes to something other than your gateway on that interface at this time. Either the static route won't work for traffic initiated from that router, or you disable reply-to and break reply routing for multi-WAN.

Indeed, I knew that the solution would break multi-WAN so I wasn't hopeful that there'd even be a solution in pfSense. I'm happy to hear that you've added the ability to effectively disable reply-to.

Many thanks, I've been recommending pfSense heartily for the past year and I'm glad that I can continue to use it for our needs.

Ian
Re: [pfSense Support] Using a different gateway reply-to IP in PF rules
On Tue, Aug 18, 2009 at 7:07 PM, Ian Levesque i...@crystal.harvard.edu wrote:
> I'm still on 1.2.1 and am waiting to upgrade with the final 1.2.3 release. If I make a change to /etc/inc/filter.inc now, it would be lost when I upgraded pfSense, correct? I just want to avoid getting hit with this again after the 1.2.3 release is installed (at which point, this network bridging will be live).

Yes, it will be lost. It's reasonably easy to pull in that diff though.
https://rcs.pfsense.org/projects/pfsense/repos/mainline/commits/efefb2a1e860d082a6024b7c6b67c646b1e8aa6e

Actually you just need that one line filter.inc change, and manually add a <disablereplyto/> line under filter to your config. The filter.inc will get overwritten when you upgrade, but with the same thing, so it won't matter.

> Indeed, I knew that the solution would break multi-WAN so I wasn't hopeful that there'd even be a solution in pfSense. I'm happy to hear that you've added the ability to effectively disable reply-to.
>
> Many thanks, I've been recommending pfSense heartily for the past year and I'm glad that I can continue to use it for our needs.

We'll have a solution of some sort in case anyone needs to combine static routes like that and multi-WAN; that's a rare scenario though, and not an easy nut to crack, so it'll be 2.0 at soonest.
Re: [pfSense Support] Multiple Subnets From ISP Same Interface
On Tue, Aug 18, 2009 at 8:59 AM, Jesse Vollmar vollm...@gmail.com wrote:
> I'm not using CARP and I would like to use them with NAT. According to that, your recommendation would be to use Other VIPs. My only question is, will they route properly since the ISP has this new subnet using a different gateway address than the first subnet?

Is it really a gateway address, i.e. they have it assigned on their router, or are they actually routing you the entire IP block? Ideally it will be the latter; they can and should be routing additional space to one of your existing addresses. Then you can set up the full subnet on an internal interface or VLAN without any ARP, or use it in combination with NAT using Other VIPs.

If they insist on having the gateway IP on their equipment (they shouldn't, I would refuse that if it were my ISP), you're probably stuck bridging an internal interface or VLAN to WAN, though proxy ARP might work depending on how they have things set up.
[pfSense Support] LSI boot issues - liveCD not booting
Hi all,

I'm wondering if you could provide some help with an issue I'm having installing pfSense on an IBM HS20 blade system. Both the 1.2.2 and 1.2.3RC1 snapshots hang when booting (it stalls after mounting the filesystem from cdrom). Booting in verbose mode, it seems to get an unrecoverable error and deadlocks.

I read on the forums there were a few MTP patches that may fix this issue; is there a recent build that incorporates these fixes?

Cheers,
Leon.

--
Leon Strong | Technical Engineer
DDI: +64 9 950 2203
Fax: +64 9 302 0518
Mobile: +64 21 0202 8870
Freephone: 0800 SMX SMX (769 769)
Level 11, 290 Queen Street, Auckland, New Zealand | SMX Ltd | smx.co.nz
SMX | Business Email Specialists

The information contained in this email and any attachments is confidential. If you are not the intended recipient then you must not use, disseminate, distribute or copy any information contained in this email or any attachments. If you have received this email in error or you are not the originally intended recipient please contact SMX immediately and destroy this email.

This email has been scrubbed for your protection by SMX. For more information visit http://smx.co.nz
Re: [pfSense Support] Multiple Subnets From ISP Same Interface
On Tue, Aug 18, 2009 at 8:39 PM, Chris Buechler c...@pfsense.org wrote:
> Is it really a gateway address, i.e. they have it assigned on their router, or are they actually routing you the entire IP block? Ideally it will be the latter; they can and should be routing additional space to one of your existing addresses. Then you can set up the full subnet on an internal interface or VLAN without any ARP, or use it in combination with NAT using Other VIPs.
>
> If they insist on having the gateway IP on their equipment (they shouldn't, I would refuse that if it were my ISP), you're probably stuck bridging an internal interface or VLAN to WAN, though proxy ARP might work depending on how they have things set up.

Part of the problem is that I am not exactly sure how they are delivering the IPs. The ISP is Charter. I purchased from them a static 5 pack which is a /29 routed subnet according to them. Here is what they sent me (I replaced the actual numbers):

Ok got the 5pack on the router:
IP 66.188.xx.b to .c
Subnet 255.255.255.248
Gateway 66.188.xx.a

I am going to ask that technician about it tomorrow and see what exactly he configured. Just to recap though, that IP info above doesn't line up with the ranges from my other subnet. The info for the other subnet has a different Gateway address than that one.
Re: [pfSense Support] LSI boot issues - liveCD not booting
On Tue, Aug 18, 2009 at 9:30 PM, Leon Strong leon.str...@smx.co.nz wrote:
> Hi all,
>
> I'm wondering if you could provide some help with an issue I'm having installing pfSense on an IBM HS20 blade system. Both the 1.2.2 and 1.2.3RC1 snapshots hang when booting (it stalls after mounting the filesystem from cdrom). Booting in verbose mode, it seems to get an unrecoverable error and deadlocks.
>
> I read on the forums there were a few MTP patches that may fix this issue; is there a recent build that incorporates these fixes?

Not sure what you're referring to, but try the FreeBSD 7.2 based 1.2.3 snapshots at http://snapshots.pfsense.org
Re: [pfSense Support] LSI boot issues - liveCD not booting
Leon Strong wrote:
> Hi all,
>
> I'm wondering if you could provide some help with an issue I'm having installing pfSense on an IBM HS20 blade system. Both the 1.2.2 and 1.2.3RC1 snapshots hang when booting (it stalls after mounting the filesystem from cdrom). Booting in verbose mode, it seems to get an unrecoverable error and deadlocks.
>
> I read on the forums there were a few MTP patches that may fix this issue; is there a recent build that incorporates these fixes?
>
> Cheers,
> Leon.

Hi,

Actually, I believe it was my post you were reading, as I was the one who asked to patch the recent version. Anyway, I never had the chance to install pfSense on an HS20, but I did install on multiple x335 and x3550 and it works without a problem. I also think it's the same controller.

By the way, the 1.2.2 version didn't have this problem at all; it started with 1.2.3 (FreeBSD 7.1 I think). But the current version of 1.2.3 does include those patches (approximately since 1.7.09). So unless it's a different controller, maybe you should start digging in another direction.

Lenny.
Re: [pfSense Support] Multiple Subnets From ISP Same Interface
On Tue, Aug 18, 2009 at 10:08 PM, Jesse Vollmar vollm...@gmail.com wrote:
> Part of the problem is that I am not exactly sure how they are delivering the IPs. The ISP is Charter. I purchased from them a static 5 pack which is a /29 routed subnet according to them. Here is what they sent me (I replaced the actual numbers):
>
> Ok got the 5pack on the router:
> IP 66.188.xx.b to .c
> Subnet 255.255.255.248
> Gateway 66.188.xx.a
>
> I am going to ask that technician about it tomorrow and see what exactly he configured. Just to recap though, that IP info above doesn't line up with the ranges from my other subnet. The info for the other subnet has a different Gateway address than that one.

On cable you may be stuck with no other option than NAT or bridging; cable ISPs tend to be much less flexible with routing. Proxy ARP + NAT should work; you can disregard the gateway in that case, assuming it's an IP alias on your current WAN gateway.

If you bridge, you're going to need extra routing setup to get from the public IP hosts on the bridge to the other networks behind the firewall, since Charter isn't going to route your internal networks back to your firewall and your gateway is going to be that IP on your cable modem.
Re: [pfSense Support] Multiple Subnets From ISP Same Interface
> On cable you may be stuck with no other option than NAT or bridging; cable ISPs tend to be much less flexible with routing. Proxy ARP + NAT should work; you can disregard the gateway in that case, assuming it's an IP alias on your current WAN gateway.
>
> If you bridge, you're going to need extra routing setup to get from the public IP hosts on the bridge to the other networks behind the firewall, since Charter isn't going to route your internal networks back to your firewall and your gateway is going to be that IP on your cable modem.

NAT is fine with me, but that gateway isn't a VIP on my WAN. Are you saying that I would need to add it?
Re: [pfSense Support] Multiple Subnets From ISP Same Interface
On Tue, Aug 18, 2009 at 10:39 PM, Jesse Vollmar vollm...@gmail.com wrote:
> NAT is fine with me, but that gateway isn't a VIP on my WAN. Are you saying that I would need to add it?

Ignore the gateway; you just need proxy ARP VIPs for the usable IPs. The gateway is just an alias on your cable modem, same as your WAN gateway, so you don't need it.