Re: [pfSense Support] CARP switchover to backup because of high traffic
On 07/10/09 18:47, Evgeny Yurchenko wrote: Has anybody noticed this behavior? The simplest set up: two pfSenses with LAN, WAN and CARP on both interfaces (with a separate interface for SYNC). When there is little traffic the active pfSense sends CARP packets with priority 0 every second, everything is OK. Gradually increasing traffic you reach the point when the active pfSense starts sending CARP packets not regularly: 1.5, 2, 3 seconds and finally stops sending them completely. Of course at this point the backup pfSense kicks in. When you remove traffic the former active pfSense does not restore its active role (does not send any CARP packets). What's the CPU load at that time, and how full is the state table? - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] Multi-Wan Question
On 08/10/09 02:13, Anil Garg wrote: Will something like this work and be secure enough? No.
[pfSense Support] Static routes
Hello, I have to patch how static routes are applied in pfsense 1.2.3, because it falls over when there are already lots of routes (e.g. on a bgp-speaking router). Specifically, in /etc/inc/system.inc:234 it reads netstat -rn into memory, exhausting the default php memory limit. I would propose to compare the old {$g['vardb_path']}/routes.db to the current set of configured static routes and route delete the superfluous routes. Any comments/objections? While at it, I saw $config['staticroutes']['enablefastrouting'] (setting sysctl net.inet.ip.fastforwarding=1) could only be activated when $config['system']['disablefilter'] was set. AFAIK (http://redmine.pfsense.org/search/index/pfsense?q=fastforward, http://www.mail-archive.com/support@pfsense.com/msg07871.html) fast forwarding interferes with IPSec and ICMP redirect/source quench generation (http://www.mail-archive.com/support@pfsense.com/msg07862.html), but basic packet filtering should still work. Notably, there is a hardcoded hack in vpn.inc to set net.inet.ip.fastforwarding=0 if ipsec is enabled. I would propose to document it at both ends in the GUI (VPN/IPSec (disallow enabling if fastforwarding is set) and System/Static Routes (disable enabling if ipsec is enabled)), but let the user still enable fastforwarding even though disablefilter is not set. Comments/objections? -Aarno -- Aarno Aukia Atrila GmbH Switzerland
[pfSense Support] Re: Static routes
Replying to myself, sorry. On Thu, Oct 8, 2009 at 16:21, Aarno Aukia aarnoau...@gmail.com wrote: I would propose to compare the old {$g['vardb_path']}/routes.db to the current set of configured static routes and route delete the superfluous routes. Any comments/objections? On a closer look, all previous static routes are removed if they are found in the current routing table. Although I could rewrite that to use route get, why not try to remove all previous routes and ignore failure to do so to achieve the same effect? -Aarno -- Aarno Aukia Atrila GmbH Switzerland
Re: [pfSense Support] Re: Static routes
On Thu, Oct 8, 2009 at 11:13 AM, Aarno Aukia aarnoau...@gmail.com wrote: Replying to myself, sorry. On Thu, Oct 8, 2009 at 16:21, Aarno Aukia aarnoau...@gmail.com wrote: I would propose to compare the old {$g['vardb_path']}/routes.db to the current set of configured static routes and route delete the superfluous routes. Any comments/objections? On a closer look, all previous static routes are removed if they are found in the current routing table. Although I could rewrite that to use route get, why not try to remove all previous routes and ignore failure to do so to achieve the same effect? -Aarno -- Aarno Aukia Atrila GmbH Switzerland You are probably the first person to run into this, that is why. We will happily accept patches for this considering it's a bug for 1.2.3. However we also need to fix it in 2.0. Scott
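The cleanup Aarno proposes in the two messages above, written out as an added example (this is not pfSense's own code and not the patch he submitted). It compares the previously applied route list with the currently configured one and deletes only the routes that disappeared, ignoring failures as his second message suggests, so the routing table never has to be read into memory. The route files are assumed to hold one route per line as "destination gateway"; the real layout of routes.db is not shown on this page, so that format, and the `routes.db.old` file name, are assumptions of the example.

```shell
#!/bin/sh
# Added example, not pfSense's own code: remove stale static routes without
# parsing netstat -rn. Each route file is assumed (not shown on the page) to
# hold one route per line as "destination gateway".

# Print the routes present in the old file ($1) but not in the new one ($2).
# Both files are sorted into temporary copies first because comm(1) needs
# sorted input; LC_ALL=C keeps sort and comm in the same collation order.
stale_routes() {
    old_sorted=$(mktemp) || return 1
    new_sorted=$(mktemp) || return 1
    LC_ALL=C sort -u "$1" > "$old_sorted"
    LC_ALL=C sort -u "$2" > "$new_sorted"
    LC_ALL=C comm -23 "$old_sorted" "$new_sorted"
    rm -f "$old_sorted" "$new_sorted"
}

# Delete every stale route. Failures are ignored on purpose: a route that is
# already gone, or that a routing daemon has since replaced, is exactly the
# outcome we want, and ignoring the error is what makes the netstat scan
# unnecessary. With DRY_RUN=1 the commands are printed instead of executed.
delete_stale_routes() {
    stale_routes "$1" "$2" | while read -r dst gw; do
        [ -n "$dst" ] || continue
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "route delete $dst${gw:+ $gw}"
        else
            route delete "$dst" ${gw:+"$gw"} >/dev/null 2>&1 || true
        fi
    done
}

# Typical use from a pfSense shell, with the previously applied list saved
# (hypothetical file name) before the configuration was changed:
#   DRY_RUN=1 delete_stale_routes /var/db/routes.db.old /var/db/routes.db
```

A route whose gateway was changed shows up as stale (the old "destination gateway" pair is no longer in the new file) and is deleted, so the subsequent `route add` for the new gateway starts from a clean table; a route whose line is unchanged is never touched, which is the behaviour a BGP-speaking box needs.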
Re: [pfSense Support] CARP switchover to backup because of high traffic
Paul Mansfield wrote: On 07/10/09 18:47, Evgeny Yurchenko wrote: Has anybody noticed this behavior? The simplest set up: two pfSenses with LAN, WAN and CARP on both interfaces (with a separate interface for SYNC). When there is little traffic the active pfSense sends CARP packets with priority 0 every second, everything is OK. Gradually increasing traffic you reach the point when the active pfSense starts sending CARP packets not regularly: 1.5, 2, 3 seconds and finally stops sending them completely. Of course at this point the backup pfSense kicks in. When you remove traffic the former active pfSense does not restore its active role (does not send any CARP packets). What's the CPU load at that time, and how full is the state table? Yesterday it happened twice on one of my production firewalls. CPU load was less than 10%. I did not pay attention at the moment but according to RRD the number of states was not unusual - 4-5k. I reproduced it in my lab - only a test connection, so the number of states was less than 100. Evgeny.
Re: [pfSense Support] CARP switchover to backup because of high traffic
On Thu, Oct 8, 2009 at 11:24 AM, Evgeny Yurchenko evg.yu...@rogers.com wrote: Yesterday it happened twice on one of my production firewalls. CPU load was less than 10%. I did not pay attention at the moment but according to RRD the number of states was not unusual - 4-5k. I reproduced it in my lab - only a test connection, so the number of states was less than 100. Evgeny. I would lean toward hardware. We regularly push 20 megabit out one of my CARP clusters and I do not see this behavior. If something is preempting the network stack (CARP) from sending its heartbeats then it's doing what it is designed to do. Probably not what you want to hear but I would look at the hardware closer, interrupts, etc. Scott
Re: [pfSense Support] CARP switchover to backup because of high traffic
Scott Ullrich wrote: On Thu, Oct 8, 2009 at 11:24 AM, Evgeny Yurchenko evg.yu...@rogers.com wrote: Yesterday it happened twice on one of my production firewalls. CPU load was less than 10%. I did not pay attention at the moment but according to RRD the number of states was not unusual - 4-5k. I reproduced it in my lab - only a test connection, so the number of states was less than 100. Evgeny. I would lean toward hardware. We regularly push 20 megabit out one of my CARP clusters and I do not see this behavior. If something is preempting the network stack (CARP) from sending its heartbeats then it's doing what it is designed to do. Probably not what you want to hear but I would look at the hardware closer, interrupts, etc. Scott Thanks, I will. 20 Mbit/s is nothing though... Evgeny.
Re: [pfSense Support] CARP switchover to backup because of high traffic
On Thu, Oct 8, 2009 at 11:42 AM, Evgeny Yurchenko evg.yu...@rogers.com wrote: Thanks, I will. 20 Mbit/s is nothing though... I agree but you failed to mention how much traffic you are pushing. Scott
Re: [pfSense Support] CARP switchover to backup because of high traffic
Scott Ullrich wrote: On Thu, Oct 8, 2009 at 11:42 AM, Evgeny Yurchenko evg.yu...@rogers.com wrote: Thanks, I will. 20 Mbit/s is nothing though... I agree but you failed to mention how much traffic you are pushing. Scott Yes, sorry. It was about 100 Mb/s.
Re: [pfSense Support] CARP switchover to backup because of high traffic
On Thu, Oct 8, 2009 at 12:51 PM, Evgeny Yurchenko evg.yu...@rogers.com wrote: Yes, sorry. It was about 100 Mb/s. During heavy load what does this sysctl show? sysctl net.inet.ip.intr_queue_drops Scott
Re: [pfSense Support] CARP switchover to backup because of high traffic
Evgeny Yurchenko wrote: Yesterday it happened twice on one of my production firewalls. CPU load was less than 10%. I did not pay attention at the moment but according to RRD the number of states was not unusual - 4-5k. I reproduced it in my lab - only a test connection, so the number of states was less than 100. When this happens, check the output of ifconfig -a on the master when it won't take back over, see what advskew it is advertising. There are certain failure states that cause it to set an advskew of 240 regardless of what it is actually configured to be. Figuring out what caused that, however, can be a bit trickier. I push quite a lot of traffic through my pfSense boxes and have never seen them failover in this manner. Nightly backups push just about wire speed through my CARP pair (100MBit).
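The two checks suggested in this thread, Scott's `sysctl net.inet.ip.intr_queue_drops` and Chris's "look at the advskew in ifconfig -a", collected into one small script as an added example; it is not pfSense code and not something any of the posters ran. It assumes the FreeBSD 7-era carp(4) status line format (`carp: MASTER vhid 1 advbase 1 advskew 0`) that pfSense 1.2 prints; on other versions the line layout differs and the awk would need adjusting. The threshold of 240 is the demoted value Chris mentions.

```shell
#!/bin/sh
# Added example, not pfSense code: a quick CARP health check for the failure
# in this thread. Assumes ifconfig prints carp status as
# "carp: MASTER vhid 1 advbase 1 advskew 0" (FreeBSD 7-era carp interfaces).

# Read `ifconfig -a` output on stdin and print
#   "<iface> vhid <n> <STATE> advskew <n>"
# for every CARP vhid whose advertised advskew is at or above $1 (default
# 240, the value a demoted master falls back to).
carp_demoted() {
    threshold=${1:-240}
    awk -v thr="$threshold" '
        # An interface block starts with "name: flags=..."; remember the name.
        /^[a-z0-9]+: / { iface = $1; sub(/:$/, "", iface) }
        # Status line: "carp: STATE vhid N advbase N advskew N"
        /^[ \t]*carp: / {
            state = $2; vhid = ""; skew = ""
            for (i = 3; i < NF; i++) {
                if ($i == "vhid")    vhid = $(i + 1)
                if ($i == "advskew") skew = $(i + 1)
            }
            if (skew != "" && skew + 0 >= thr)
                print iface, "vhid", vhid, state, "advskew", skew
        }'
}

# Sample the IP input-queue drop counter twice, $1 seconds apart (default
# 10), and print the increase. A counter that climbs under load means the
# stack is dropping packets before it sees them, CARP advertisements
# included, which is the hardware/interrupt problem Scott suspects.
queue_drops_delta() {
    before=$(sysctl -n net.inet.ip.intr_queue_drops)
    sleep "${1:-10}"
    after=$(sysctl -n net.inet.ip.intr_queue_drops)
    echo $((after - before))
}

# Typical use on the master while the traffic test is running:
#   ifconfig -a | carp_demoted      # any output = a VIP is advertising demoted
#   queue_drops_delta 30            # non-zero = packets dropped at the queue
```

Run `carp_demoted 0` to list every vhid regardless of skew, which is the easiest way to compare what each node is advertising against what it is configured to advertise.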
[pfSense Support] Block rule creates syntax error
I all of a sudden am getting syntax errors in the logs which I don't recall seeing before with respect to a few generic block rules I have on an opt interface. Action: Reject Interface: OPT2 Protocol: Any Source: Any Destination: LAN Subnet I use this to block anything destined to the LAN interface? Is this not the right way to do this? Thanks! jlc
Re: [pfSense Support] Block rule creates syntax error
On Thu, Oct 8, 2009 at 6:58 PM, Joseph L. Casale jcas...@activenetwerx.com wrote: I all of a sudden am getting syntax errors in the logs which I don't recall seeing before with respect to a few generic block rules I have on an opt interface. Action: Reject Interface: OPT2 Protocol: Any Source: Any Destination: LAN Subnet I use this to block anything destined to the LAN interface? Is this not the right way to do this? Please switch to raw logs and show us the entry text and syntax error from the alert. Sanitize before-hand if you want. Scott
RE: [pfSense Support] Block rule creates syntax error
Please switch to raw logs and show us the entry text and syntax error from the alert. Sanitize before-hand if you want. I am not sure if this is what you want, but: php: : There were error(s) loading the rules: /tmp/rules.debug:256: syntax error pfctl: Syntax error in config file: pf rules not loaded - The line in question reads [256]: block return in quick on $OPT2 proto tcp from any to /32 flags S/SA label USER_RULE: Vendor Restrictions Raw is enabled, but this is what I see in the System log, not sure there was anything in the Firewall Log relevant. Thanks! jlc
Re: [pfSense Support] Block rule creates syntax error
On Thu, Oct 8, 2009 at 7:09 PM, Joseph L. Casale jcas...@activenetwerx.com wrote: Please switch to raw logs and show us the entry text and syntax error from the alert. Sanitize before-hand if you want. I am not sure if this is what you want, but: php: : There were error(s) loading the rules: /tmp/rules.debug:256: syntax error pfctl: Syntax error in config file: pf rules not loaded - The line in question reads [256]: block return in quick on $OPT2 proto tcp from any to /32 flags S/SA label USER_RULE: Vendor Restrictions That's what happens when you have a rule with an interface that is deleted and you don't remove the rule, though that should never be the case for LAN. Email me a backup of your config.
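The failure in this thread is a generated rule whose destination macro expanded to nothing (`to /32`), which pfctl rejects and which then leaves the whole ruleset unloaded. Below is an added example of how to catch that before or after the fact from the shell; it is not pfSense code. It relies only on the two things visible on the page: pfctl's `file:line: syntax error` message format and the shape of the bad rule. The rule text in the test is constructed from the message above.

```shell
#!/bin/sh
# Added example, not pfSense code: sanity-check a generated pf ruleset and
# point at the line pfctl rejects. Only pfctl -n (parse, do not load) is used.

# Read a ruleset on stdin and print "line:rule" for every rule whose source
# or destination address is empty, i.e. a bare "/prefix" after from/to,
# which is what a deleted interface's subnet macro expands to.
empty_address_rules() {
    grep -n -E '(from|to) +/[0-9]+( |$)' || true
}

# Extract the line numbers from pfctl error text passed as $1. The format
# seen in this thread is "<file>:<line>: syntax error"; the trailing
# "pfctl: Syntax error in config file" line carries no number and is skipped.
offending_lines() {
    printf '%s\n' "$1" | sed -n 's/^[^:]*:\([0-9][0-9]*\): .*/\1/p'
}

# Parse-check a ruleset file ($1) with pfctl -nf. On success print "ok";
# on failure print pfctl's message followed by the offending line(s) from
# the file, so the rule can be matched back to the GUI entry, and return 1.
check_ruleset() {
    rules=$1
    if errors=$(pfctl -nf "$rules" 2>&1); then
        echo "ok: $rules"
        return 0
    fi
    echo "$errors"
    offending_lines "$errors" | while read -r n; do
        printf 'line %s: ' "$n"
        sed -n "${n}p" "$rules"
    done
    return 1
}

# Typical use on the firewall after a rule change:
#   check_ruleset /tmp/rules.debug
#   empty_address_rules < /tmp/rules.debug
```

`empty_address_rules` is worth running even when `pfctl -nf` passes: a later pf version may parse such a rule differently, and a rule that silently matches nothing is a worse outcome than a syntax error, because the block you thought you had is not there.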
[pfSense Support] Strange DNS problem
Hi Everyone, As of late, pfsense somehow maps dns entries intended for remote hosts to my local samba server. When I try to SSH to a clients network I'm logged into my office file server. I'm not sure what else to write here so if you think you can help me just ask questions. Cheers, Phil
Re: [pfSense Support] Strange DNS problem
On Thu, Oct 8, 2009 at 9:00 PM, Philippe LeCavalier supp...@plecavalier.com wrote: Hi Everyone, As of late, pfsense somehow maps dns entries intended for remote hosts to my local samba server. When I try to SSH to a clients network I'm logged into my office file server. I'm not sure what else to write here so if you think you can help me just ask questions. Please supply more details. This is not really a lot of information to start from. Scott
[pfSense Support] FTP proxy
Been banging my head on the FTP proxy for a little while on a box that has a lot of 1:1 NAT - finally did a dump of the PF ruleset, and saw this little gem. What's goin on? ;) How can I... not have this rule? no rdr on fxp0 proto tcp from onetoonelist to any port = ftp Nathan Eisenberg Sr. Systems Administrator - Atlas Networks, LLC office: 206.577.3078 | suncadia: 206.210.5450 www.atlasnetworks.us | www.suncadianet.com
Re: [pfSense Support] FTP proxy
On Thu, Oct 8, 2009 at 9:23 PM, Nathan Eisenberg nat...@atlasnetworks.us wrote: Been banging my head on the FTP proxy for a little while on a box that has a lot of 1:1 NAT - finally did a dump of the PF ruleset, and saw this little gem. What's goin on? ;) How can I... not have this rule? That's not related to your problem. FTP proxy can't work with 1:1 NAT.
Re: [pfSense Support] Strange DNS problem
Philippe LeCavalier wrote: On Thu, 2009-10-08 at 21:21 -0400, Scott Ullrich wrote: On Thu, Oct 8, 2009 at 9:00 PM, Philippe LeCavalier supp...@plecavalier.com wrote: Hi Everyone, As of late, pfsense somehow maps dns entries intended for remote hosts to my local samba server. When I try to SSH to a client's network I'm logged into my office file server. I'm not sure what else to write here so if you think you can help me just ask questions. Please supply more details. This is not really a lot of information to start from. Scott Like I said, I don't know what other info to supply; when I ssh to a client's network pfsense redirects me to my local server. The strangest thing to me is that even when I use the public IP it does that. If it were just the FQDN I wouldn't really care, but this is a true problem for me and I really don't know where to start troubleshooting this. I'm using pfsense 1.2.2 with NAT. The outbound rules are Automatic outbound NAT rule generation. Again, I don't really know what else to post... Everything else works fine: surfing, mail, inbound connections like SSH and FTP. This is a recent problem (about a week or so) and I haven't spent much time troubleshooting it, mostly because I have no ideas where to start. Cheers, Phil On the computer you are trying to initiate the ssh session from, telnet hostname. Do you get the correct IP address? If so, it's not a DNS problem. (I would normally advise using dig for troubleshooting DNS issues, but I don't know the OS of your computer to know if it already has dig installed.) Double check your rules and make sure you are not redirecting outbound port 22 traffic within pfSense back to your internal server. Lyle
Re: [pfSense Support] Dell R200 Working Setup?
On Fri, Oct 9, 2009 at 12:52 AM, Curtis LaMasters curtislamast...@gmail.com wrote: Anyone know what version of OS I need to install to get a Dell R200 working properly? I have 1.2.3-RC3 installed right now and I'm getting the bad hdr length messages in the logs and it's keeping me from passing traffic. Try disabling checksum offloading under System -> Advanced.
Re: [pfSense Support] Dell R200 Working Setup?
Still getting them with that setting enabled. Do I need to reboot? Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com On Thu, Oct 8, 2009 at 11:55 PM, Chris Buechler cbuech...@gmail.com wrote: On Fri, Oct 9, 2009 at 12:52 AM, Curtis LaMasters curtislamast...@gmail.com wrote: Anyone know what version of OS I need to install to get a Dell R200 working properly? I have 1.2.3-RC3 installed right now and I'm getting the bad hdr length messages in the logs and it's keeping me from passing traffic. Try disabling checksum offloading under System -> Advanced.
Re: [pfSense Support] Dell R200 Working Setup?
On Fri, Oct 9, 2009 at 1:10 AM, Curtis LaMasters curtislamast...@gmail.com wrote: Still getting them with that setting enabled. Do I need to reboot? No. Strange this would come up again, last time was about a year ago and I don't recall what the cause was. I know there are a lot of people running 1.2.3 versions, and FreeBSD 7.2, on such hardware.
Re: [pfSense Support] Dell R200 Working Setup?
I just reinstalled with the uniprocessor kernel. I'm passing traffic but still getting lots of errors. Also in the firewall logs, it says I'm blocking traffic that I have permitted. Very strange but hopefully that helps. Can I provide any log / debug info? Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com On Fri, Oct 9, 2009 at 12:15 AM, Chris Buechler cbuech...@gmail.com wrote: On Fri, Oct 9, 2009 at 1:10 AM, Curtis LaMasters curtislamast...@gmail.com wrote: Still getting them with that setting enabled. Do I need to reboot? No. Strange this would come up again, last time was about a year ago and I don't recall what the cause was. I know there are a lot of people running 1.2.3 versions, and FreeBSD 7.2, on such hardware.