Re: [pfSense Support] 1.2.3-RC1-embedded dhcp relay windows XP broadcast flag
On Wed, Aug 26, 2009 at 11:28 AM, Chris Kleeschulte <chris.kleeschu...@it.libertydistribution.com> wrote:
> I can dhcp relay all my hosts except for Windows-based hosts.

I'm forwarding requests from XP SP3 across dhcrelay no problem (FreeBSD 7.1 base OS, comparable to 1.2.3-RC1 - if you're running 1.2.2 or earlier it might be a difference in versions). One of my test systems, a pretty bare install, everything default.

> So is the proper way to fix this to hack the registry on all the windows machines to nuke out the broadcast flag OR take the easy route and make the pfsense/dhcrelay forward the packet anyway?

Since Microsoft has basically made brokenness a standard and they're 90+% of systems whether you like it or not, if dhcrelay and dhcpd can be modified to accommodate this it would probably be good to do so. It's not a configuration option as far as I can see, but I could be missing something. That's not to say someone is going to do the work, but if you provide patches, they would likely be accepted.

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com
Commercial support available - https://portal.pfsense.org
[pfSense Support] Newbie question for CARP, failover, AON and multiple WAN IP's
Greetings. Have a newbie question on carp and fail over setup. I have searched and searched around, but my googlefu must be weak as most of what I've found covers multi-WAN and load balancing, which is not what I'm after.

I have looked at the following:

http://files.chi.pfsense.org/mirror/tutorials/carp/carp-cluster-new.htm
Out of date

http://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_(CARP)
Has a lot of info, but doesn't answer all my questions and concerns

I'm on a comcast business account, five statics using AON. All five statics have traffic coming from them (DNS, mail, etc). At this time, I have four of the five WAN IP's set up as proxy ARP, with the fifth address assigned to the physical interface itself.

If I understand what docs I can find on this, I have to assign the pri and fail over boxes their own IP, both public and private, with one assigned as the default address. To set this up, I have to assign all five WAN addresses as CARP addresses, yes? So instead of four proxy ARP addresses, I will have five CARP Virtual IP addresses defined, am I understanding this correctly? And this will not affect the AON and inbound port forwarding rules, correct?
Re: [pfSense Support] Newbie question for CARP, failover, AON and multiple WAN IP's
Justin The Cynical wrote:
> I'm on a comcast business account, five statics using AON. All five statics have traffic coming from them (DNS, mail, etc). At this time, I have four of the five WAN IP's set up as proxy ARP, with the fifth address assigned to the physical interface itself.
>
> If I understand what docs I can find on this, I have to assign the pri and fail over boxes their own IP, both public and private, with one assigned as the default address. To set this up, I have to assign all five WAN addresses as CARP addresses, yes? So instead of four proxy ARP addresses, I will have five CARP Virtual IP addresses defined, am I understanding this correctly? And this will not affect the AON and inbound port forwarding rules, correct?

I do not know what a comcast business account is, but the two boxes must have their own IPs (not a virtual one, one per box) + as many CARP addresses as you wish (shared between boxes). In all your AON and inbound port forwarding rules you can use CARP addresses; they will be handled by the active box.
Re: [pfSense Support] Load Balancing on vlans
On Thu, Aug 27, 2009 at 12:08 AM, Jesse Vollmar <vollm...@gmail.com> wrote:
> Well, when I set the firewall rule to send all traffic to a load balanced gateway (instead of default) stuff just breaks. I can't get to the Internet or get to anything else on the other vlans. I am using a rule identical to the one I use for the load balancing on LAN except the interface.

I tried again this morning to change the allow rule on a vlan interface to send traffic out on a gateway other than default and after about five minutes of working like it should, all traffic stopped. Hosts on that vlan could no longer ping the gateway of that vlan or anything on another network. This is only happening on my vlan interfaces (parent interface is LAN).
Re: [pfSense Support] 1.2.3-RC1-embedded dhcp relay windows XP broadcast flag
On Aug 27, 2009, at 2:17 AM, Chris Buechler wrote:
> On Wed, Aug 26, 2009 at 11:28 AM, Chris Kleeschulte <chris.kleeschu...@it.libertydistribution.com> wrote:
>> I can dhcp relay all my hosts except for Windows-based hosts.
>
> I'm forwarding requests from XP SP3 across dhcrelay no problem (FreeBSD 7.1 base OS, comparable to 1.2.3-RC1 - if you're running 1.2.2 or earlier it might be a difference in versions). One of my test systems, a pretty bare install, everything default.

I am seeing the same thing. One XP SP3 image I have here locally is NOT setting the broadcast flag, but the ones in the office ARE. Bizarre. I compared the windows update levels and they are the same too. I can't imagine that some software that is running on the office computers can alter this behavior. I will get to the bottom of it eventually. Thanks for the feedback on your results.
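An added example (not code from the thread or from pfSense/dhcrelay): a small Python decoder for the fixed DHCP header that shows where the broadcast flag the thread is chasing lives, what a relay agent changes before forwarding a request, and how RFC 2131 section 4.1 says the reply has to be delivered depending on that flag. The DHCPDISCOVER packet, the client MAC and the relay address 192.0.2.1 are constructed for the example.

```python
import struct

BOOTREQUEST = 1
BROADCAST_FLAG = 0x8000           # bit 15 of the BOOTP 'flags' field (RFC 2131 §2)
DHCP_MAGIC = b"\x63\x82\x53\x63"  # magic cookie that starts the options area
HEADER_FMT = "!BBBBIHH4s4s4s4s16s"  # op .. chaddr = 44 bytes; sname+file (192) follow


def _ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_dhcp_header(packet: bytes) -> dict:
    """Decode the fixed DHCP header and report whether the broadcast flag is set."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message (too short or missing magic cookie)")
    (op, htype, hlen, hops, xid, secs, flags,
     ciaddr, yiaddr, siaddr, giaddr, chaddr) = struct.unpack(HEADER_FMT, packet[:44])
    return {
        "op": op, "hops": hops, "xid": xid, "flags": flags,
        "broadcast": bool(flags & BROADCAST_FLAG),
        "ciaddr": _ip(ciaddr), "yiaddr": _ip(yiaddr), "giaddr": _ip(giaddr),
        "chaddr": ":".join(f"{b:02x}" for b in chaddr[:hlen]),
    }


def build_discover(mac: bytes, xid: int, broadcast: bool) -> bytes:
    """Constructed DHCPDISCOVER: BOOTREQUEST, all addresses zero, option 53 = 1, end."""
    flags = BROADCAST_FLAG if broadcast else 0
    header = struct.pack(HEADER_FMT, BOOTREQUEST, 1, len(mac), 0, xid, 0, flags,
                         bytes(4), bytes(4), bytes(4), bytes(4), mac.ljust(16, b"\0"))
    return header + bytes(192) + DHCP_MAGIC + bytes([53, 1, 1, 255])


def relay_request(packet: bytes, relay_ip: str) -> bytes:
    """What a relay agent such as dhcrelay does before forwarding a client request
    to the server: fill in giaddr with its own address if unset, increment hops.
    The flags field, and so the broadcast bit, is passed through untouched."""
    hdr = parse_dhcp_header(packet)
    buf = bytearray(packet)
    buf[3] = hdr["hops"] + 1                                     # offset 3 = hops
    if hdr["giaddr"] == "0.0.0.0":
        buf[24:28] = bytes(int(o) for o in relay_ip.split("."))  # offset 24 = giaddr
    return bytes(buf)


def reply_delivery(hdr: dict) -> str:
    """How the reply to this request must be delivered (RFC 2131 §4.1). The server
    sends relayed replies to giaddr; whoever makes the last hop to the client (server
    or relay) consults the broadcast flag only when giaddr and ciaddr are zero. A
    client that sets the flag is asking for a broadcast reply because it cannot
    receive unicast before it has an address, which is what the thread is seeing."""
    if hdr["giaddr"] != "0.0.0.0":
        return "unicast to relay agent (giaddr), which delivers to the client"
    if hdr["ciaddr"] != "0.0.0.0":
        return "unicast to ciaddr"
    if hdr["broadcast"]:
        return "broadcast on the client segment"
    return "unicast to chaddr/yiaddr"
```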
Re: [pfSense Support] %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 11.22.33.44
Quoting luismi <asturlui...@gmail.com>:
> Hi all, I just configured a cisco 1841 to create an ipsec vpn against another network (exactly against a PFSense box) and I am seeing a lot of messages like
>
> So I would like to know if someone here saw this message before and maybe can give some clue about what things I should start to look at.

Quick mode is phase 2 of the IPsec negotiation process. If it's failing, you're not getting an established tunnel at all because (usually) the peers don't agree on all the phase 2 parameters. What are your Cisco and pfSense configurations? They must match exactly for the tunnel to come up.

Keenan
Re: [pfSense Support] Load Balancing on vlans
On Thu, Aug 27, 2009 at 11:05 AM, Jesse Vollmar <vollm...@gmail.com> wrote:
> I tried again this morning to change the allow rule on a vlan interface to send traffic out on a gateway other than default and after about five minutes of working like it should, all traffic stopped. Hosts on that vlan could no longer ping the gateway of that vlan or anything on another network. This is only happening on my vlan interfaces (parent interface is LAN).

Sounds like a NIC driver issue. Make sure you are using Intel NICS.

Scott
Re: [pfSense Support] Load Balancing on vlans
On Thu, Aug 27, 2009 at 12:49 PM, Scott Ullrich <sullr...@gmail.com> wrote:
> Sounds like a NIC driver issue. Make sure you are using Intel NICS.
>
> Scott

I'm using high quality Intel NICs. The vlan tagging works just fine. It appears to be an issue with routing.
[pfSense Support] Ticket #1931: NAT reflection bug
I've recently run into the issue described on ticket #1931 and on the forum thread below:

http://cvstrac.pfsense.org/tktview?tn=1931
http://forum.pfsense.org/index.php/topic,16314.0.html

Even though we only have about 200 port forwards, we have 6 local interfaces so we've quickly run into this limitation.

So a couple questions before I go and tackle this issue:

1. Why the limitation of 1000? Is that more or less arbitrary, to keep too many local ports from being used by the inetd nc rules, or could it be increased some?

2. If I write a patch to limit the number of inetd entries below the above limit, will it be accepted upstream? We should be able to stop the inetd nc port multiplication issue so we will be able to reflect up to 1000 ports, but there will still be $num_interfaces * $num_portforwards NAT redirect rules generated.

If the patch is likely to be accepted upstream, I'm more likely to spend time to write a 'proper' solution instead of just hacking it. :-)

Thanks
Dave
[pfSense Support] ipsec vpn against the carp VIP address?
Hi again,

I have the ipsec created between the pfsense (physical ip address) and the remote cisco (public ip address). I would like to know if it is possible to create the vpn against the CARP address, I am not sure, is that possible?
Re: [pfSense Support] Ticket #1931: NAT reflection bug
On Thu, Aug 27, 2009 at 2:15 PM, David Rees <dree...@gmail.com> wrote:
> I've recently run into the issue described on ticket #1931 and on the forum thread below:
>
> http://cvstrac.pfsense.org/tktview?tn=1931
> http://forum.pfsense.org/index.php/topic,16314.0.html
>
> Even though we only have about 200 port forwards, we have 6 local interfaces so we've quickly run into this limitation.
>
> So a couple questions before I go and tackle this issue:
>
> 1. Why the limitation of 1000? Is that more or less arbitrary to keep from too many local ports from being used by the inetd nc rules, or could it be increased some?

Because of some of the issues you outlined in #2.

> 2. If I write a patch to limit the number of inetd entries below the above limit, will it be accepted upstream? We should be able to stop the inetd nc port multiplication issue so we will be able to reflect up to 1000 ports, but there will still be $num_interfaces * $num_portforwards NAT redirect rules generated.
>
> If the patch is likely to be accepted upstream, I'm more likely to spend time to write a 'proper' solution instead of just hacking it. :-)

We will gladly accept changes for this.

Thanks!

Scott
Re: [pfSense Support] ipsec vpn against the carp VIP address?
On Thu, Aug 27, 2009 at 2:58 PM, luismi <asturlui...@gmail.com> wrote:
> Hi again,
>
> I have the ipsec created between the pfsense (physical ip address) and the remote cisco (public ip address). I would like to know if it is possible to create the vpn against the CARP address, I am not sure, is that possible?

Yes. Select it in the drop down on the IPsec edit page.
RE: [pfSense Support] potential pfsense hardware
> I'm thinking about picking up a Supermicro Atom based system for use with pfSense:
>
> http://www.supermicro.com/products/system/1U/5015/SYS-5015A-H.cfm?typ=H
>
> Any thoughts on potential issues with running pfSense on this hardware?
>
> Thanks in advance,
> Sterling Windmill

The realtek nics they use are not the best. I wish they would use intel. It is an intel board after all.
Re: [pfSense Support] potential pfsense hardware
- Original Message -
From: Ryan <radiote...@aaremail.com>
To: support@pfsense.com
Sent: Thursday, August 27, 2009 4:02:59 PM GMT -05:00 US/Canada Eastern
Subject: RE: [pfSense Support] potential pfsense hardware

>> I'm thinking about picking up a Supermicro Atom based system for use with pfSense:
>>
>> http://www.supermicro.com/products/system/1U/5015/SYS-5015A-H.cfm?typ=H
>>
>> Any thoughts on potential issues with running pfSense on this hardware?
>>
>> Thanks in advance,
>> Sterling Windmill
>
> The realtek nics they use are not the best. I wish they would use intel. It is an intel board after all.

If I only use the realtek NICs for my relatively slow WAN(s) do you think this box would work well with an Intel quad port PCIe NIC handling the interfaces with more traffic?
Re: [pfSense Support] potential pfsense hardware
Ryan wrote:
>> I'm thinking about picking up a Supermicro Atom based system for use with pfSense:
>>
>> http://www.supermicro.com/products/system/1U/5015/SYS-5015A-H.cfm?typ=H
>>
>> Any thoughts on potential issues with running pfSense on this hardware?
>
> The realtek nics they use are not the best. I wish they would use intel. It is an intel board after all.

I've been looking at something like that, or the MSI IM-945GSE.

http://www.orbitmicro.com/global/ms-9830-010-p-9546.html?ref=base

The MSI board has 2x Intel gigabit NICs.

I like the SuperMicro box though, especially the short 1U case, would be perfect for telco/2-post racks. I'd only question the NIC support, and it seems like that might be ok now:

http://www.freebsd.org/cgi/query-pr.cgi?pr=123123

That went in before 7.2 was out, so you'd probably need a 1.2.3-RC2 snap.
Re: [pfSense Support] Ticket #1931: NAT reflection bug
On Thu, Aug 27, 2009 at 11:59 AM, Scott Ullrich <sullr...@gmail.com> wrote:
> On Thu, Aug 27, 2009 at 2:15 PM, David Rees <dree...@gmail.com> wrote:
>> I've recently run into the issue described on ticket #1931 and on the forum thread below:
>>
>> http://cvstrac.pfsense.org/tktview?tn=1931
>> http://forum.pfsense.org/index.php/topic,16314.0.html
>>
>> Even though we only have about 200 port forwards, we have 6 local interfaces so we've quickly run into this limitation.
>>
>> So a couple questions before I go and tackle this issue:
>>
>> 1. Why the limitation of 1000? Is that more or less arbitrary to keep from too many local ports from being used by the inetd nc rules, or could it be increased some?
>
> Because of some of the issues you outlined in #2.

OK - I guess what I'm asking is this: I've just checked my particular pfSense box and aside from the nearly 1000 ports it's listening to from 19000+ for my NAT reflection rules, is there anything else keeping us from using a wider port range to allow even more NAT reflection rules to be used? I don't see many other ports in use on localhost except for ssh, dns, pptp and a handful of ports ranging from 8021+ (which I believe are used for the FTP helper).

I think that it may be helpful to be able to override the default starting port range and number as well as the maximum number of ports to use for NAT reflection. Bonus points I guess for a patch which does this as well! ;-)

>> 2. If I write a patch to limit the number of inetd entries below the above limit, will it be accepted upstream? We should be able to stop the inetd nc port multiplication issue so we will be able to reflect up to 1000 ports, but there will still be $num_interfaces * $num_portforwards NAT redirect rules generated.
>>
>> If the patch is likely to be accepted upstream, I'm more likely to spend time to write a 'proper' solution instead of just hacking it. :-)
>
> We will gladly accept changes for this. Thanks!

Cool - I'll try to find some time over the next week to work on this.

I assume that working from a recent 1.2.3 snapshot is OK? Do you think it will apply to the 2.0 branch as well? I have no idea how much the code there has changed...

-Dave
Re: [pfSense Support] Ticket #1931: NAT reflection bug
On Thu, Aug 27, 2009 at 5:54 PM, David Rees <dree...@gmail.com> wrote:
> OK - I guess what I'm asking is this: I've just checked my particular pfSense box and aside from the nearly 1000 ports it's listening to from 19000+ for my NAT reflection rules, is there anything else keeping us from using a wider port range to allow even more NAT reflection rules to be used?

There are some foot shooting possibilities if you aren't careful.

> I don't see many other ports in use on localhost except for ssh, dns, pptp and a handful of ports ranging from 8021+ (which I believe are used for the FTP helper).
>
> I think that it may be helpful to be able to override the default starting port range and number as well as the maximum number of ports to use for NAT reflection.

Having them configurable in System-Advanced is probably good.

> I assume that working from a recent 1.2.3 snapshot OK? Do you think it will apply to the 2.0 branch as well? I have no idea how much the code there has changed...

This wouldn't be accepted into RELENG_1_2 (1.2.x), that's strictly bug fixes only and this isn't a bug - though not ideal, it works as designed. The patch (preferably merge request in git) would have to be to 2.0. 2.0 is considerably different in many ways, but this particular part of the code base probably isn't much different.
Re: [pfSense Support] Ticket #1931: NAT reflection bug
On Thu, Aug 27, 2009 at 3:09 PM, Chris Buechler <c...@pfsense.org> wrote:
> On Thu, Aug 27, 2009 at 5:54 PM, David Rees <dree...@gmail.com> wrote:
>> OK - I guess what I'm asking is this: I've just checked my particular pfSense box and aside from the nearly 1000 ports it's listening to from 19000+ for my NAT reflection rules, is there anything else keeping us from using a wider port range to allow even more NAT reflection rules to be used?
>
> There are some foot shooting possibilities if you aren't careful.

Any details on those?

>> I don't see many other ports in use on localhost except for ssh, dns, pptp and a handful of ports ranging from 8021+ (which I believe are used for the FTP helper).
>>
>> I think that it may be helpful to be able to override the default starting port range and number as well as the maximum number of ports to use for NAT reflection.
>
> Having them configurable in System-Advanced is probably good.
>
>> I assume that working from a recent 1.2.3 snapshot OK? Do you think it will apply to the 2.0 branch as well? I have no idea how much the code there has changed...
>
> This wouldn't be accepted into RELENG_1_2 (1.2.x), that's strictly bug fixes only and this isn't a bug - though not ideal, it works as designed. The patch (preferably merge request in git) would have to be to 2.0. 2.0 is considerably different in many ways, but this particular part of the code base probably isn't much different.

Hmm, if I just submit a patch which addresses #1931 and keeps duplicate nc entries out of inetd.conf without adding new features (which IMO is a bug), could that be accepted into the stable branch?

Hate to say it, but I don't have a lot of interest in writing code for a release whose release schedule appears to be many, many, months away and I am not yet even testing in the lab. I am much more motivated to write code which has a good chance of seeing production use relatively soon.

-Dave
Re: [pfSense Support] Load Balancing on vlans
On Thu, Aug 27, 2009 at 11:05 AM, Jesse Vollmar <vollm...@gmail.com> wrote:
> I tried again this morning to change the allow rule on a vlan interface to send traffic out on a gateway other than default and after about five minutes of working like it should, all traffic stopped. Hosts on that vlan could no longer ping the gateway of that vlan or anything on another network. This is only happening on my vlan interfaces (parent interface is LAN).

You shouldn't use the parent interface generally. Don't think that's related though. You losing connectivity from the firewall to the gateway?

You're far from uncharted territory, the several boxes I've worked on that have 6-12 WANs all use VLANs as WANs. You may need negate rules for anything not reachable via the specified gateway, when you specify a gateway it forces traffic to that gateway. Those are automatically added generally but you could be doing something that's overriding that.
Re: [pfSense Support] Ticket #1931: NAT reflection bug
On Thu, Aug 27, 2009 at 6:51 PM, David Rees <dree...@gmail.com> wrote:
>> There are some foot shooting possibilities if you aren't careful.
>
> Any details on those?

Binding to things that local services would bind to, and then those fail to start.

> Hmm, if I just submit a patch which addresses #1931 and keeps duplicate nc entries out of inetd.conf without adding new features (which IMO is a bug), could that be accepted into the stable branch?

Yeah that would be acceptable.

> Hate to say it, but I don't have a lot of interest in writing code for a release whose release schedule appears to be many, many, months away and I am not yet even testing in the lab. I am much more motivated to write code which has a good chance of seeing production use relatively soon.

Anything that gets added to RELENG_1_2 must be added to 2.0 first. So you're going to have to accommodate 2.0 either way for it to be accepted. I don't know what your definition of many, many months is, but 2.0 isn't years out or anything, talking a few months to final release maybe, partially dependent on the FreeBSD 8.0 release schedule.
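An added example, not pfSense's code, that models the two things this thread is about: the per-interface multiplication of inetd/nc listeners behind ticket #1931 against the deduplicated form Dave proposes, and the "foot shooting" Chris describes when a reflection port range overlaps ports local services bind. The 19000 start port and 1000-listener limit come from the thread; the port forwards, interface names, the set of busy local ports and the inetd/rdr line formats are constructed for the example.

```python
from dataclasses import dataclass

REFLECT_PORT_START = 19000   # starting localhost port reported in the thread
REFLECT_PORT_LIMIT = 1000    # the listener ceiling ticket #1931 runs into
# Constructed set of ports local services already hold (the thread names ssh, dns,
# pptp and the 8021+ FTP helper ports); a real check would read them from sockstat.
LOCAL_SERVICE_PORTS = frozenset({22, 53, 1723, 8021, 8022, 8023})


@dataclass(frozen=True)
class PortForward:
    ext_port: int
    target_ip: str
    target_port: int


def range_collisions(start: int, limit: int, busy=LOCAL_SERVICE_PORTS) -> set:
    """The foot-shooting case: a user-chosen reflection range that overlaps ports a
    local daemon binds, so either the nc listener or the daemon fails to start."""
    return {p for p in busy if start <= p < start + limit}


def reflection_entries(forwards, interfaces, dedupe: bool,
                       start=REFLECT_PORT_START, limit=REFLECT_PORT_LIMIT):
    """Model of the reflection generator: one localhost listener (inetd + nc) per
    reflected forward and one rdr rule per local interface that sends traffic for
    the forward's external port to that listener.
    dedupe=False allocates a listener per (interface, forward) pair, which is the
    multiplication the ticket describes; dedupe=True is the fix discussed in the
    thread: one listener per forward, while the rdr rule count stays
    interfaces * forwards."""
    if range_collisions(start, limit):
        raise ValueError(f"reflection range {start}-{start + limit - 1} "
                         "overlaps ports used by local services")
    listeners, rdr_rules, listener_port = [], [], {}
    next_port = start
    for iface in interfaces:
        for fwd in forwards:
            key = fwd if dedupe else (iface, fwd)
            if key not in listener_port:
                if next_port >= start + limit:
                    raise RuntimeError(f"more than {limit} reflection listeners needed")
                listener_port[key] = next_port
                # Illustrative line format, not pfSense's exact inetd.conf entry.
                listeners.append(f"{next_port} stream tcp nowait nobody "
                                 f"nc {fwd.target_ip} {fwd.target_port}")
                next_port += 1
            rdr_rules.append(f"rdr on {iface} proto tcp from any to any port "
                             f"{fwd.ext_port} -> 127.0.0.1 port {listener_port[key]}")
    return listeners, rdr_rules
```

With Dave's numbers (about 200 forwards, 6 interfaces) the undeduplicated generator needs 1200 listeners and fails the 1000 limit, while the deduplicated one needs 200.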
Re: [pfSense Support] Newbie question for CARP, failover, AON and multiple WAN IP's
On Thu, Aug 27, 2009 at 10:17 PM, Justin The Cynical <cyni...@penguinness.org> wrote:
> Evgeny Yurchenko wrote:
>> I do not know what comcast business account is but two boxes must have
>
> Option for statics, no ports blocked.
>
>> their own IPs (not virtual one per box) + as many CARP addresses as you wish (shared between boxes). In all your AON and inbound port forwarding rules you can use CARP addresses, they will be handled by active box.
>
> Right, but what about the addresses assigned to the physical boxes?
>
> Example:
> IP's of 10.0.0.1 through 10.0.0.5
> Physical machines assigned 10.0.0.1 and 10.0.0.5
> Addresses 10.0.0.2, 3, and 4 will be added as CARP addresses, but what about 1 and 5, are they entered in as CARP address as well?

No, those are interface addresses. Each firewall has an interface address, plus the CARP IPs that you can use for redundant services.
Re: [pfSense Support] Newbie question for CARP, failover, AON and multiple WAN IP's
Don't forget to reset your cable modem after changing this. Even the business modem has a way of retaining MAC addresses.

--Bill
Re: [pfSense Support] Newbie question for CARP, failover, AON and multiple WAN IP's
On Fri, Aug 28, 2009 at 12:16 AM, Justin The Cynical <cyni...@penguinness.org> wrote:
> Evgeny Yurchenko wrote:
>> Justin The Cynical wrote:
>>> So working with the previous example, assume that the single router is using .1 with AON directing traffic out via all the available IP's. If I was to implement a fail over and put a machine on .5, would I still be able to use that address for AON, and if so, does the other install handle the traffic that would be sent out over the failed box, or are the only usable IP's the CARP addresses?
>>
>> To get HA you have to use only CARP addresses in AON (the same is true for portforwarding and 1:1 NAT)
>
> Well shoot, that kills off implementing a fail over for me as I make use of all the IP's.

You can still use all the IPs, but the two that are tied to the individual firewalls will only function when that firewall is up.
Re: [pfSense Support] Newbie question for CARP, failover, AON and multiple WAN IP's
Chris Buechler wrote:
> On Fri, Aug 28, 2009 at 12:16 AM, Justin The Cynical <cyni...@penguinness.org> wrote:
>
> *snip*
>
>> Well shoot, that kills off implementing a fail over for me as I make use of all the IP's.
>
> You can still use all the IPs, but the two that are tied to the individual firewalls will only function when that firewall is up.

Which sort of defeats part of the idea behind a fail over for me. *thinks* However, putting the boxes on the IP's that the DNS servers use would allow for functionality of the domain if one box was down. Or I could try using private IP addresses on the WAN interfaces and CARP everything (not that I would expect that to work).

Will have to think on this, thank you again for the information, this is info that I wasn't able to find on any of the available docs.
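An added example (not from the thread or from pfSense) that models the point Evgeny and Chris make: with five statics, two are interface addresses, the other three are CARP VIPs, and only AON, port forward or 1:1 NAT rules bound to a VIP keep working when one firewall is down. The 10.0.0.1-10.0.0.5 block is Justin's example from earlier in the thread; the node names, the advskew values and the audit function are assumptions of this example.

```python
import ipaddress


def plan_addresses(public_ips, nodes):
    """nodes: {name: (interface_ip, advskew)}. Each firewall keeps one public IP as
    its own interface address; every other IP in the block becomes a CARP VIP that
    the two nodes share. Returns the plan the functions below work on."""
    ips = [ipaddress.ip_address(ip) for ip in public_ips]
    iface = {name: ipaddress.ip_address(ip) for name, (ip, _) in nodes.items()}
    skew = {name: adv for name, (_, adv) in nodes.items()}
    vips = [ip for ip in ips if ip not in iface.values()]
    return {"iface": iface, "skew": skew, "vips": vips}


def carp_master(plan, up_nodes):
    """CARP master election: the live node advertising the lowest advskew wins."""
    live = [n for n in plan["skew"] if n in up_nodes]
    return min(live, key=lambda n: plan["skew"][n]) if live else None


def reachable_ips(plan, up_nodes):
    """Addresses that still answer when only up_nodes are running: the interface
    address of each live node, plus every VIP as long as some node is CARP master."""
    reach = {plan["iface"][n] for n in up_nodes if n in plan["iface"]}
    if carp_master(plan, up_nodes) is not None:
        reach.update(plan["vips"])
    return reach


def audit_rules(plan, rules):
    """rules: list of (kind, external_ip) as used by AON, port forwards or 1:1 NAT.
    For each rule, return the single-node outages during which it stops working.
    A rule bound to an interface address breaks whenever that node is down; a rule
    bound to a VIP follows the CARP master and survives either outage."""
    findings = {}
    nodes = list(plan["skew"])
    for kind, ip in rules:
        addr = ipaddress.ip_address(ip)
        broken_when = [down for down in nodes
                       if addr not in reachable_ips(plan, set(nodes) - {down})]
        findings[(kind, ip)] = broken_when
    return findings
```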