Re: [pfSense Support] can't get to specific site(subaru.com)
When troubleshooting any connection issue, a true harden way, is to start at the device you know works, then work your way back device by device/cable by cable until you find the problem. After testing the ISP connection, a PC plugged directly into the pfSense should have been the next step. I've seen so much strange stuff with network equipment I don't take anything for granted anymore. Glad you found the problem though.

Adam

BSD Wiz wrote:

i really appreciate your willingness to help me resolve this issue. i just found the culprit. it is the wireless access point that these machines are connecting to. it's netgear wpn824(rangemax). when i plug directly into the router or another switch on my network i can access the sites with no problems.

thanks,
-phil

On Oct 9, 2008, at 8:03 PM, Chris Buechler wrote:

On Thu, Oct 9, 2008 at 8:44 PM, BSD Wiz [EMAIL PROTECTED] wrote:

so you're telling me that 3 hosts machines on my network running mac OS 10.4 and 10.5 tcp/ip stack is messed up?

That would appear to be the case, yes. You have to have some sort of non-default settings on those hosts, most of our developers are Mac users and would have run into this long ago.

If you can send me some capture files I'll take a look at what's happening on the wire. I'll need one for your inside interface and one for outside. Open two SSH sessions and run:

    tcpdump -ni fxp0 -s 0 -w /tmp/wan.pcap host 1.2.3.4

replacing fxp0 with your real WAN interface, and 1.2.3.4 with the public IP of the website you're having issues reaching. cisco.com is probably a better one as it has a 1 day TTL and subaru.com has a 5 minute TTL, at least on the responses I'm getting. Hence there's a chance subaru.com will resolve to a different IP at some point during the capture whereas cisco.com won't.

second tcpdump is the same as above, substituting fxp0 with your LAN interface, and call that file lan.pcap.

Then try to access the site from a couple problem machines about 5 times or so, waiting about 30 seconds between. When done, ctrl-c on both the tcpdumps. Then download both those files on the Diagnostics - Command page and email to me offlist.
[pfSense Support] multiple remote desktop connections/nat
i need to allow multiple users with private static ip's to remote desktop to multiple machines behind pfsense. this pfsense box is on a private network(double nating). if i simply create a port forward rule only one machine will be accessible behind the pfsense box over port 3389.

i want to map each user's static ip to a static ip behind the pfsense firewall. so user A can connect to host A behind pfsense box via port 3389 and user B can connect to host B via port 3389 behind the pfsense firewall and so on and so forth. what should be my approach?

thanks,
-phil
Re: [pfSense Support] any comment or need to worry about the recent TCP/IP DoS found by Outpost24?
and Robert Lee's response to that:

In regards to Fyodor's article http://insecure.org/stf/tcp-dos-attack-explained.html :

There are some really valid points made; While his article does describe some of how sockstress works and why it is efficient, it does not describe our attacks.

Jack would like to stress that turning off server side SYN-Cookie protection will not help and will only make you open to syn flood attacks again (as stated in Fyodor's article).

Also, scenarios that lead to systems being resource starved to the point of requiring a reboot is very attack and target specific. It is not as universal as causing a specific service to become unavailable. We have made this clear in all public communications, but it is worth saying again

so it looks like we'll need to wait and see what these guys really have when they disclose it on Oct. 17.

-phil

On Fri, Oct 3, 2008 at 10:19 AM, Eugen Leitl [EMAIL PROTECTED] wrote:

On Fri, Oct 03, 2008 at 10:06:15AM -0500, BSD Wiz wrote:

And how could the dev team implement a fix if we don't know the specifics of the exploit? This will be something that the freebsd dev team will need to fix and I'm sure they will asap.

Fyodor seems to think it's nothing new.

http://insecure.org/stf/tcp-dos-attack-explained.html

--
Eugen* Leitl http://leitl.org
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
Re: [pfSense Support] Can't connect to subaru.com on port 80
Check with your upstream provider, to make sure they are not blocking it.. Or you can check yourself by bypassing the firewall.

Adam

BSD Wiz wrote:

logging is already turned on for the drop all rule. it doesn't show anything getting blocked when i go to subaru.com. let me try the any to any rule.

thanks!
-phil

On Oct 1, 2008, at 6:19 PM, Tim Nelson wrote:

And a big 'Sorry' to the list for not removing that huge chunk of XML from my reply... :-(

Tim Nelson
Systems/Network Engineer
Rockbochs Inc.
(218)727-4332 x105

- Tim Nelson wrote:

Turn logging on for your last rule on your LAN that drops all otherwise specified traffic. Your logs should show something useful...

Or, for gits and shiggles put a nice big Allow all traffic all protocols all ports from anywhere to anywhere rule on your LAN to see if your connectivity to subaru.com changes... and of course don't forget to remove it when you're done... :-)
Re: [pfSense Support] Vista's DHCP Issues
I've had users complain about this, once I show them XP works fine, I tell them to contact Microsoft. I haven't had any complaints (that I know of) since I started using pfSense, but it was obvious with other Firewall vendors.

Adam

Tim Nelson wrote:

I recently ran into an issue where one of our client's laptops would/could not get an IP address from one of our boxes running pfSense 1.2-RELEASE. Connecting via wireless or wired made no difference and other machines could connect just fine without issue. After doing some searching, I've found that Vista has some issues with DHCP. The full Microsoft Article is here:

http://support.microsoft.com/kb/928233/EN-US/

In short, Vista needs to have its DHCP broadcast flags modified to use DHCP on some routers and some non-Microsoft DHCP servers. I can only assume it is a problem with Vista and not the underlying DHCPD daemons as I don't believe any other OS's have this problem currently.

Just thought I'd post this to the list as I'm assuming some of you may run into the same problem at some point.

Tim Nelson
Systems/Network Engineer
Rockbochs Inc.
(218)727-4332 x105
Re: [pfSense Support] LiveCD Serial Console Support?
Cristian Ionescu-Idbohrn wrote:

On Wed, 6 Aug 2008, Scott Ullrich wrote:

On Wed, Aug 6, 2008 at 2:56 PM, Cristian Ionescu-Idbohrn

Did anyone look at the code?

    if ($_POST['enableserial'] == "yes")
        $config['system']['enableserial'] = true;
    else
        unset($config['system']['enableserial']);

So you want to enable:

    <system> <enableserial/>

I can see that in config.xml, but the beast ignores that at boot :(

I can confirm that also.. It's in my config.xml, but doesn't enable the serial port.

Adam
Re: [pfSense Support] LiveCD Serial Console Support?
The config.xml on the floppy disk is the exact same config.xml that the Hard Drive install is using. Serial is enabled in advance menu when using the LiveCD, I've tried disabling and enabling, but it seems that no matter what, I can't get the serial console to work on the LiveCD.

If anyone else wants to try, I use the following commands to copy my HD config.xml to floppy disk. Floppy needs to be formatted to FAT prior to this:

    mkdir /floppy
    mount -t msdos /dev/fd0 /floppy
    # create the conf directory on the floppy if it is not there yet
    mkdir -p /floppy/conf
    cp /conf/config.xml /floppy/conf/config.xml

Now when you boot the LiveCD, your configuration is exactly the same as your HD version. From my testing it works great!

I can't find anywhere in the config.xml that references the console serial port. So I'm not even sure how pfSense saves that setting.

Adam

Scott Ullrich wrote:

On Mon, Aug 4, 2008 at 7:29 PM, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

I'm currently testing the pfSense LiveCD as a "Recovery CD" in case of a hard drive failure. This is working about 99%, I just can't get the serial console to work on the LiveCD.

Searching around a little more, it appears the LiveCD /boot/loader.conf is not present and does not have the line "console=comconsole" to redirect console messages to the serial port. (I understand this is default behavior)

I've tried various ways of editing the ISO and adding a /boot/loader.conf file. The custom LiveCD will boot up, but never seems to read /boot/loader.conf, and seems to have trouble booting, hangs in random places (I think this is because of the ISO repackaging, using MagicISO)

Has anyone edited the LiveCD for custom config.xml files or other tweaks? And if so, could you point me in the right direction.

Your best bet would be to enable the serial console option in System - Advanced after restore. Take note of the option that gets enabled and add it to config.xml before restoring in an emergency, etc.

Scott
[pfSense Support] LiveCD Serial Console Support?
I'm currently testing the pfSense LiveCD as a "Recovery CD" in case of a hard drive failure. This is working about 99%, I just can't get the serial console to work on the LiveCD.

Searching around a little more, it appears the LiveCD /boot/loader.conf is not present and does not have the line "console=comconsole" to redirect console messages to the serial port. (I understand this is default behavior)

I've tried various ways of editing the ISO and adding a /boot/loader.conf file. The custom LiveCD will boot up, but never seems to read /boot/loader.conf, and seems to have trouble booting, hangs in random places (I think this is because of the ISO repackaging, using MagicISO)

Has anyone edited the LiveCD for custom config.xml files or other tweaks? And if so, could you point me in the right direction.

Thanks,
Adam
[pfSense Support] Broken RRD Graphs
I'm having a problem with RRD Graphs freezing/crashing on my embedded pfsense boxes. Below is the log, upon restarting RRD, I got a file system full message. I can see that /cf is at 107% capacity. I know that RRD data Graphs are stored in the /var partition and that has plenty of space. I'm not sure if they are related, but maybe someone else can tell.

After all of that I deleted all the RRD graphing data following the instruction from a post this month. After one more restart of RRD Graphs, the system log indicates it generated all the RRD graphs again, and now I'm running smoothly with no more crashes. RRD Working!!

So it seems that the RRD data files had something to do with the crashes. I had plenty of space where the data files are stored, so I'm not sure what the deal is.

Thanks,
Adam

1.2-RELEASE Embeded built on Sun Feb 24 17:37:23 EST 2008
Soekris Net5501

scott:~# df
Filesystem          1K-blocks  Used Avail Capacity Mounted on
/dev/ufs/pfSense       113755 59925 44730    57%   /
devfs                       1     1     0   100%   /dev
/dev/md0                39406   642 35612     2%   /tmp
/dev/md1                19566  6434 11568    36%   /var
/dev/ufs/pfSenseCfg      1871  1845  -123   107%   /cf
devfs                       1     1     0   100%   /var/dhcpd/dev

Jul 8 16:14:10 kernel: pid 53393 (rrdtool), uid 0: exited on signal 11
Jul 8 16:13:08 kernel: pid 52896 (rrdtool), uid 0: exited on signal 11
Jul 8 16:13:08 php: /status_rrd_graph_settings.php: Creating rrd update script
Jul 8 16:12:47 kernel: pid 12165 (php), uid 0 inumber 394 on /cf: filesystem full
(Restarted RRD Graphs via WebGui)
Jul 8 16:12:04 kernel: pid 52327 (rrdtool), uid 0: exited on signal 11
Jul 8 16:10:52 kernel: pid 51624 (rrdtool), uid 0: exited on signal 11
Jul 8 16:09:47 kernel: pid 50964 (rrdtool), uid 0: exited on signal 11
Jul 8 16:08:42 kernel: pid 50550 (rrdtool), uid 0: exited on signal 11
Jul 8 16:07:36 kernel: pid 50135 (rrdtool), uid 0: exited on signal 11
Jul 8 16:06:31 kernel: pid 49484 (rrdtool), uid 0: exited on signal 11
Jul 8 16:05:25 kernel: pid 49070 (rrdtool), uid 0: exited on signal 11
Jul 8 16:04:20 kernel: pid 48409 (rrdtool), uid 0: exited on signal 11
Jul 8 16:03:14 kernel: pid 47995 (rrdtool), uid 0: exited on signal 11
Jul 8 16:02:09 kernel: pid 47332 (rrdtool), uid 0: exited on signal 11
Jul 8 16:01:03 kernel: pid 46917 (rrdtool), uid 0: exited on signal 11
Jul 8 15:59:58 kernel: pid 46235 (rrdtool), uid 0: exited on signal 11
Jul 8 15:58:53 kernel: pid 45820 (rrdtool), uid 0: exited on signal 11
Re: [pfSense Support] Broken RRD Graphs
Scott,

We use 2gb CF cards. From what I gather you can't change the partition settings in the embedded image because you are basically writing the image of a hard drive to a compact flash card.

So if the size of /cf is a set limit, how could I possibly change this ahead of time. (Without building my own image). I'm not a FreeBSD expert but coming from the windows world, resizing a partition is a nasty and avoid at all cost job.

If it can be done, I'll figure how to do it, If not, I'll just live without RRD graphs, no problem.

Thanks,
Adam

Scott Ullrich wrote:

On Tue, Jul 8, 2008 at 5:50 PM, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

I'm having a problem with RRD Graphs freezing/crashing on my embedded pfsense boxes. Below is the log, upon restarting RRD, I got a file system full message. I can see that /cf is at 107% capacity. I know that RRD data Graphs are stored in the /var partition and that has plenty of space. I'm not sure if they are related, but maybe someone else can tell.

After all of that I deleted all the RRD graphing data following the instruction from a post this month. After one more restart of RRD Graphs, the system log indicates it generated all the RRD graphs again, and now I'm running smoothly with no more crashes. RRD Working!!

So it seems that the RRD data files had something to do with the crashes. I had plenty of space where the data files are stored, so I'm not sure what the deal is.

Thanks,
Adam

You are running out of space on the /cf partition. RRD Graphs are backed up to /conf on reboot, etc.

Scott
Re: [pfSense Support] Broken RRD Graphs
I figured out what I need to do...

http://devwiki.pfsense.org/FlashHowTo

Is it a known issue that a 128mb card can't handle RRD graphing? I know 128mb isn't much, but the default pfsense image is set for 128mb, and RRD graphs are enabled by default.

Adam

[EMAIL PROTECTED] wrote:

Scott,

We use 2gb CF cards. From what I gather you can't change the partition settings in the embedded image because you are basically writing the image of a hard drive to a compact flash card.

So if the size of /cf is a set limit, how could I possibly change this ahead of time. (Without building my own image). I'm not a FreeBSD expert but coming from the windows world, resizing a partition is a nasty and avoid at all cost job.

If it can be done, I'll figure how to do it, If not, I'll just live without RRD graphs, no problem.

Thanks,
Adam

Scott Ullrich wrote:

On Tue, Jul 8, 2008 at 5:50 PM, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

I'm having a problem with RRD Graphs freezing/crashing on my embedded pfsense boxes. Below is the log, upon restarting RRD, I got a file system full message. I can see that /cf is at 107% capacity. I know that RRD data Graphs are stored in the /var partition and that has plenty of space. I'm not sure if they are related, but maybe someone else can tell.

After all of that I deleted all the RRD graphing data following the instruction from a post this month. After one more restart of RRD Graphs, the system log indicates it generated all the RRD graphs again, and now I'm running smoothly with no more crashes. RRD Working!!

So it seems that the RRD data files had something to do with the crashes. I had plenty of space where the data files are stored, so I'm not sure what the deal is.

Thanks,
Adam

You are running out of space on the /cf partition. RRD Graphs are backed up to /conf on reboot, etc.

Scott
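
The diagnosis in this thread (rrdtool crashing while /cf, not /var, was the full filesystem) can be read straight off the `df` output and the kernel log. The following is an added example, not code from the thread or from pfSense: a shell check that flags filesystems over a capacity threshold and matches them against "filesystem full" kernel messages. The function names are hypothetical and the sample input is constructed from the output posted above.

```shell
#!/bin/sh
# Added example: correlate `df` output with kernel log symptoms.
# Function names are hypothetical; sample data is constructed from the thread.

SAMPLE_DF='Filesystem          1K-blocks  Used Avail Capacity Mounted on
/dev/ufs/pfSense       113755 59925 44730    57%   /
devfs                       1     1     0   100%   /dev
/dev/md0                39406   642 35612     2%   /tmp
/dev/md1                19566  6434 11568    36%   /var
/dev/ufs/pfSenseCfg      1871  1845  -123   107%   /cf
devfs                       1     1     0   100%   /var/dhcpd/dev'

SAMPLE_LOG='Jul 8 16:14:10 kernel: pid 53393 (rrdtool), uid 0: exited on signal 11
Jul 8 16:13:08 kernel: pid 52896 (rrdtool), uid 0: exited on signal 11
Jul 8 16:13:08 php: /status_rrd_graph_settings.php: Creating rrd update script
Jul 8 16:12:47 kernel: pid 12165 (php), uid 0 inumber 394 on /cf: filesystem full
Jul 8 16:12:04 kernel: pid 52327 (rrdtool), uid 0: exited on signal 11'

# Read `df` output on stdin; print "mount capacity" for each filesystem at or
# above the threshold (default 90). devfs is skipped because it always reports
# 100%. A value above 100% means the filesystem's reserved space is in use.
full_filesystems() {
    threshold=${1:-90}
    awk -v limit="$threshold" '
        NR == 1 { next }              # skip the header line
        $1 == "devfs" { next }
        {
            cap = $5
            sub(/%$/, "", cap)
            if (cap + 0 >= limit) print $6, $5
        }'
}

# Read log text on stdin; print each mount point named in a kernel
# "filesystem full" message, one per line, without repeats.
fs_full_mounts() {
    sed -n 's|.* on \(/[^:]*\): filesystem full.*|\1|p' | sort -u
}

# Read log text on stdin; print "name signal N count" for crashed processes.
crash_counts() {
    sed -n 's/.*pid [0-9]* (\([^)]*\)), uid [0-9]*: exited on signal \([0-9]*\).*/\1 signal \2/p' |
        sort | uniq -c | awk '{ print $2, $3, $4, $1 }'
}

# Combine both sources. A mount that is over the threshold and also named in a
# "filesystem full" message is CONFIRMED; over the threshold only is a WARNING.
diagnose() {
    df_text=$1
    log_text=$2
    threshold=${3:-90}
    full_in_log=$(printf '%s\n' "$log_text" | fs_full_mounts)
    printf '%s\n' "$df_text" | full_filesystems "$threshold" |
    while read -r mount cap; do
        if printf '%s\n' "$full_in_log" | grep -qxF -- "$mount"; then
            echo "CONFIRMED $mount $cap"
        else
            echo "WARNING $mount $cap"
        fi
    done
}

# Run against the constructed sample when executed directly.
diagnose "$SAMPLE_DF" "$SAMPLE_LOG"
printf '%s\n' "$SAMPLE_LOG" | crash_counts
```

On a live box, pass the real `df` output and the system log text to `diagnose` in place of the sample variables.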
[pfSense Support] Aliases and Traffic Shaper?
I'm having a strange problem, possibly a bug with the traffic shaper GUI.

If I create a traffic shaping rule with an alias in the ports section and save it, it works correctly. It also displays correctly in the rules list.

When I go back and edit that rule, the alias is missing from the port section, and the ports are set to from:any to:any. When I click save it saves it as ports:any to:any.

I've rebooted this box a couple of times, and no luck changing the outcome. It always defaults back to any any when editing a rule.

This is a Soekris 5501 using the 1.2 embedded version.

Thanks,
Adam
Re: [pfSense Support] Load Balancing with Embedded version?
I did a reboot on the box, and was able to add the Pool. I guess it was just hung up.

Thanks for the help!
Adam

Scott Ullrich wrote:

On Thu, Jun 26, 2008 at 6:52 PM, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

Okay, but I'm still having the problem of not being able to add a load balancing pool. I really care more about fail over than load balancing. I'm going to play around with a box that is not on a live network tomorrow, and see if I can get it to work. BTW this is a Soekris 5501 using 1.2 embedded PFsense.

There really should be no difference from embedded and full installation in this regard. I would be surprised if this was a bug since 1.2 has been tested pretty thoroughly.

Scott
[pfSense Support] Load Balancing with Embedded version?
Is load balancing supported with the embedded version? I ask because when I try to add a load balancing pool, I hit save and apply changes. But no pool is listed, it's like PFsense is refusing to add it for some reason. I also checked the XML config and did not see it listed anywhere.

I was able to make this work on the full version of PFSense, so I know it's not a config issue.

Adam
Re: [pfSense Support] Load Balancing with Embedded version?
Okay, but I'm still having the problem of not being able to add a load balancing pool. I really care more about fail over than load balancing. I'm going to play around with a box that is not on a live network tomorrow, and see if I can get it to work. BTW this is a Soekris 5501 using 1.2 embedded PFsense.

Thanks,
Adam

Scott Ullrich wrote:

On Thu, Jun 26, 2008 at 6:21 PM, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

Is load balancing supported with the embedded version? I ask because when I try to add a load balancing pool, I hit save and apply changes. But no pool is listed, it's like PFsense is refusing to add it for some reason. I also checked the XML config and did not see it listed anywhere.

I was able to make this work on the full version of PFSense, so I know it's not a config issue.

Depends on if you're incoming or outgoing. Incoming requires an additional item to be setup (virtual server). If you want to load balance outgoing traffic select the load balancing pool on the gateway dropdown of firewall rules.

Scott
Re: [pfSense Support] Two IPs on Lan interface
Will this be a feature in 1.3??

I was actually quite shocked the first time I found out m0n0wall or PFSense didn't support secondary IP addresses. I decided to just use another NIC card for a second LAN subnet and plug both interfaces into the same switch. This will actually scale better, because now we have the option of creating totally separate physical network.

Thanks for another work around and script!!

Adam

Bryan Derman wrote:

I've added another IP to the LAN interface by creating an alias on the LAN interface. Via the shell (either use Diagnostics - Command or login via SSH) issue the applicable ifconfig command:

e.g., to create an IP alias of 172.16.1.1 for the LAN where the LAN is on the interface xy0:

    ifconfig xy0 alias 172.16.1.1/24

e.g., to remove an IP alias of 172.16.1.1 from the LAN where the LAN is on the interface xy0:

    ifconfig xy0 remove 172.16.1.1

Such a setting will disappear upon reboot, but if you create a script and place it in the directory /usr/local/etc/rc.d it'll get executed at the end of the startup:

e.g., create a shell script named /usr/local/etc/rc.d/addLANalias.sh that contains

---
#!/bin/sh
# Add the LAN alias when called with "start" (quoted so a missing argument is not an error)
if test "$1" = start
then
    /bin/echo -n 'Adding LAN alias to sk0 ... '
    /sbin/ifconfig sk0 alias 172.16.1.1/24
    echo 'done'
fi
---

then issue the commands:

    /bin/chmod 755 /usr/local/etc/rc.d/addLANalias.sh
    /usr/sbin/chown root:wheel /usr/local/etc/rc.d/addLANalias.sh

/etc/rc.d/* files get executed by /etc/rc via /etc/rc.start_packages at bootup.

Hope that helps.

FYI, on Thu, 7 Feb 2008 04:36:40 -0800 I wrote to this list and asked

---
After searching ..., I've not found anything about the best/correct strategy to use to support multiple LAN subnets on a single LAN port.

The Questions
=
- is using address aliases the correct/optimal/best way to create the WAN aliases?
- if using address aliases is *not* the best way, what is?
...
---

It appeared that my WAN instead of LAN typo in the Questions section was understood.

On Thu, 07 Feb 2008 13:36:28 -0500 Chris Buechler posted the response

---
I have a document that describes in detail the steps required to accomplish this, though not accessible right now. You're partially right, partially wrong. I'll put it online somewhere later.
---

I never received nor found that document but I've used the alias strategy ever since and not encountered any issues other than the fact that the Status - Interfaces web page will report the interface alias instead of the one originally configured.

I only mention this because there may be a better way to do this (my level of expertise in this area is only enough to make me _real_ dangerous). Specifically, I don't mean to be critical of Chris as I know how easy it is to miss an email, etc. and the web site (and documentation stuff) was also in much transition at that point in time. There's ample evidence of Chris' excellent responses, including to other questions of mine, and I very much appreciate and respect his key involvement and the results. In fact, there's an all-too-small percentage of commercial software products, let alone open-source projects, that have the overall quality that I've seen with pfSense, its support and even its overall focus and business.

__
Previous message from Matias Surdi on 2008-06-16 at 12:35 PM +0200
--
|Is it possible to add another IP to the LAN interface?
|
|How must it be done?
|
|Thanks.
Re: [pfSense Support] Review New Hardware Setup
Our main CPU hog is the Captive Portal, with 50-100+ people trying to login at the same time, it can eat up the CPU big time. If I turn captiveportal off, our 5501s barely peak over 30% cpu, with it on, I'm seeing 100% spikes all the time.

I can't see me ever having a pipe bigger than 50mb/s or a DS3. So I'm pretty sure the box will be able to handle that throughput without a problem.

Thanks for the input!
Adam

Chris Buechler wrote:

On Thu, Jun 12, 2008 at 1:40 PM, Paul Mansfield [EMAIL PROTECTED] wrote:

from a previous discussion, Opteron processors are best.

Not necessarily at this time. The biggest factor in pps throughput is L1 cache size. AMD procs used to have significantly more L1 cache than Intels and hence were much more scalable in pps throughput, but I believe there isn't much if any difference now. Depends on which ones you're comparing.

But we're discussing multi-Gbps and 500+ Kpps capable hardware when a relatively puny 5501 is almost adequate now, and only looking to accommodate a 5* increase in load. Any new system you buy today is going to push 20 times what a 5501 will, and have power to spare.

Make sure you get Intel PRO/1000 PCI-e cards, even if you just have a 100 Mb network at this time. It's not much more money and gives you significantly more scalability.
[pfSense Support] Review New Hardware Setup
We are currently using Soekris 5501 with the embedded version of PFsense, they work great, but we are noticing that around 150-200 users the CPU starts maxing out.

So we need to build a stronger box, here are the specs an employee came up with. With this box we want to have up to 1,000 users. Using captive portal, and traffic shaper.

I have already recommended we use an Intel pro 10/100 nic, and not a SMC nic. Anything else that is not supported, or known to be flaky? Also have people had better luck with Intel or AMD based boards?

Thanks
Adam

pfSense High Scalability Platform
Dual-Core 1.8GHz Athlon x64 CPUs
1 GB RAM
SATA II Hard Disk @ 160GB

HARDWARE:

1 $ 94.99 ARK IPC-4806 Black Steel 4U Server
  http://www.newegg.com/Product/Product.aspx?item=N82E16811128015
1 $216.99 TYAN S3970G2N-U-RS 1207(F) ServerWorks HT1000 ATX Server Motherboard
  http://www.newegg.com/Product/Product.aspx?item=N82E16813151071
1 $174.00 AMD Opteron 2210 Santa Rosa 1.8GHz Socket F 95W Dual-Core Processor Model OSA2210GAA6CQ
  http://www.newegg.com/Product/Product.aspx?item=N82E16819105030
1 $ 34.99 Dynatron F558 77mm 2 Ball CPU Cooler
  http://www.newegg.com/Product/Product.aspx?item=N82E16835114068
1 $ 59.99 Kingston 1GB (2 x 512MB) 240-Pin DDR2 FB-DIMM DDR2 667 (PC2 5300) ECC Fully Buffered Dual Channel Kit Server Memory Model KVR667D2S8F5K2/1G
  http://www.newegg.com/Product/Product.aspx?item=N82E16820134340
1 $ 13.99 LITE-ON Black IDE CD-ROM Drive Model DH-52N2P-04
  http://www.newegg.com/Product/Product.aspx?item=N82E16827106086
1 $ 7.49 SAMSUNG Black Internal Floppy Drive Model SFD321B/LBL1
  http://www.newegg.com/Product/Product.aspx?item=N82E16821103203
2 $ 37.98 SMC SMC9452TX-1 10/ 100/ 1000Mbps PCI EZ Card Copper Gigabit Card
  http://www.newegg.com/Product/Product.aspx?item=N82E16833129144
1 $ 10.99 ICY DOCK MB449SK-B 5.25 internal Hard drive mobile rack
  http://www.newegg.com/Product/Product.aspx?item=N82E16817994047
1 $ 41.99 HITACHI Deskstar 7K160 HDS721616PLA380 (0Y30006) 160GB 7200 RPM SATA 3.0Gb/s Hard Drive
  http://www.newegg.com/Product/Product.aspx?item=N82E16822145162
1 $ 59.99 COOLMAX CP-500T 500W EPS12V Power Supply
  http://www.newegg.com/Product/Product.aspx?item=N82E16817159040

SOFTWARE:

1 $ 0.00 FreeBSD/pfSense Free with self-support

TOTAL: $753.39
[pfSense Support] PFSense Notes Section
I got into a m0n0wall box the other day, and realized they have a notes section on the homepage. Why was this taken out of PFSense? I would like to request it be added if it's not on the list already.

Thanks,
Adam
[pfSense Support] cvs checkout: [17:33:57] waiting for root's lock in /home/pfsense/cvsroot/pfSense/usr/local/www/javascript/extjs/build/widgets/form
15 minutes later: same message. did a cvs process forget to clean up? - Thorsten
[pfSense Support] cvs checkout: [17:59:49] waiting for root's lock in /home/pfsense/cvsroot/pfSense/usr/local/www/javascript/extjs/build/widgets/form
does cvs have a problem? - Thorsten
[pfSense Support] Example configuration for PC Engines board
Hello, I am trying to avoid getting out a serial cable. I need a working example for a PC Engines board. I have manually changed the interface names to vr0/vr1/vr2 but I'm still not getting activity. Can somebody please show me concrete examples of config.xml that are working for you? -Galen
Re: [pfSense Support] config.xml example / avoid serial terminal
I've modified the configuration file to point to vr0/vr1/vr2 as appropriate, however there is no active IP where I expect it, on any of the ports. If anybody could confirm the interface names or provide a working sample of config.xml, it would be much appreciated.

-Galen

On Jan 26, 2008, at 3:25 PM, [EMAIL PROTECTED] wrote:

Ah ha! I knew it was not working. I will see if I can adjust the configuration for the vr0 interface. Also, I would love to see an example of a file like this...

-Galen

On Jan 26, 2008, at 12:56 PM, Fernando Sanchez wrote:

You do have to use the serial port to assign interfaces on ALIX boards, since they were changed to vr0, I wish they would apply the m0n0wall patch which fixes because I don't have any motherboards with serial ports.

On Jan 26, 2008 12:53 PM, Vivek Khera [EMAIL PROTECTED] wrote:

On Jan 26, 2008, at 10:32 AM, [EMAIL PROTECTED] wrote:

I am having trouble with this point and would appreciate an example configuration file that will allow at least one of the ethernet ports to grab an IP via DHCP, or just have a static IP... something... anything. The basic problem is that I don't have a serial cable anywhere! (I thought I was done with such old technologies!)

by default, the LAN answers as 192.168.1.1 so just take a laptop or other computer, right it to IP 192.168.1.2, and then configure your box as you see fit. or you can ssh into it and set the IP that way if you prefer. you don't *have* to have the serial port to do the initial config.
[pfSense Support] Alternative Full Install Installation Methods
Hello, I am trying to do a full install of pfSense onto a CF card. I have tested the card extensively and it works perfectly. I want a full install, not an embedded one, so I can utilize packages. When I boot the live CD in VMWare, it gets stuck while installing. I am using a USB card reader. I have tried ACPI off, removing all unnecessary devices from the virtual machine, using different machines, etc. and the result is always the same. Even after days of sitting there, we're at the exact same percentage (usually 35 or 41) and this command:

/usr/local/bin/cpdup -vvv -I -o /usr /mnt/usr

Being that I can't seem to find any good work around and nobody on the list has been able to suggest anything that works, I would like to install this software another way. Are there directions on how to execute a full install from inside FreeBSD? I can fairly easily set that up in VMWare, and then I can get a lot more control and access to troubleshoot any issues that occur with installation.

-Galen
[pfSense Support] config.xml example / avoid serial terminal
Hello, Can anybody share an example of config.xml that is suitable for an ALIX (formerly WRAP) board from PC Engines? I am having trouble with this point and would appreciate an example configuration file that will allow at least one of the ethernet ports to grab an IP via DHCP, or just have a static IP... something... anything. The basic problem is that I don't have a serial cable anywhere! (I thought I was done with such old technologies!) -Galen
Re: [pfSense Support] Attempting to install pfSense; gets stuck
Sean, I need to do a full installation to a compact flash card. I do not want an embedded install due to the lack of flexibility - e.g. no packages. I also presume the full 2 GB of my CF card would be left largely unusable. Therefore, I am booting the live ISO in VMWare, then installing to the CF card. Because it is stuck, there is no error, no log, the system is totally responsive, just not moving past this command.

-Galen

On Jan 25, 2008, at 9:09 AM, Sean Cavanaugh wrote:

are you trying to use VMware to install straight to the CF card? if so, that's not how you install to them.
http://doc.pfsense.org/index.php/HOWTO_Install_pfSense#Embedded_.28Compact_Flash.29_Installation

-Sean

From: [EMAIL PROTECTED]
To: support@pfsense.com
Date: Fri, 25 Jan 2008 09:00:33 -0800
Subject: Re: [pfSense Support] Attempting to install pfSense; gets stuck

On Jan 25, 2008, at 3:51 AM, Paul M wrote:

Scott Ullrich wrote:

That portion of the installer takes quite a while depending on speed of the CF card, etc. Give it a bit longer.

I presume the CF card is mounted noatime,async (or whatever it is in freebsd, I am thinking linux here)? I found that async makes a huge difference in speed - I had a flash memory card I thought was broken as it took so long to write, then I remembered to do async and it was so much faster!

I did not do anything special. I booted the live CD under vmware and everything works great, until it gets stuck. I tried booting without ACPI and left it running for 11 hours so far, and it is STILL stuck. Any ideas?

-Galen
Re: [pfSense Support] Attempting to install pfSense; gets stuck
On Jan 25, 2008, at 3:51 AM, Paul M wrote:

Scott Ullrich wrote:

That portion of the installer takes quite a while depending on speed of the CF card, etc. Give it a bit longer.

I presume the CF card is mounted noatime,async (or whatever it is in freebsd, I am thinking linux here)? I found that async makes a huge difference in speed - I had a flash memory card I thought was broken as it took so long to write, then I remembered to do async and it was so much faster!

I did not do anything special. I booted the live CD under vmware and everything works great, until it gets stuck. I tried booting without ACPI and left it running for 11 hours so far, and it is STILL stuck. Any ideas?

-Galen
[pfSense Support] Attempting to install pfSense; gets stuck
Hello, I am attempting to install pfSense on a 2 GB CF card for use on a PC Engines motherboard without video (alix2c3.) I have used the live disc under VMWare and connected the card via USB reader. Everything works great and the install begins, but then hangs forever (overnight at least) at 35%, which is:

/usr/local/bin/cpdup -vvv -I -o /usr /mnt/usr

I have tested the card and reader extensively; everything works. I have re-attempted the above process several times. How do I work around this?

Also, how do I put reasonable settings onto here, so that I can avoid setting up a console with my alix board? I'd prefer to have simple DHCP auto-configuration on at least one NIC and SSH/HTTP admin access working immediately after booting.

Thank you!

-Galen
Re: [pfSense Support] Attempting to install pfSense; gets stuck
On Jan 24, 2008, at 1:44 PM, Scott Ullrich wrote:

On 1/24/08, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

Hello, I am attempting to install pfSense on a 2 GB CF card for use on a PC Engines motherboard without video (alix2c3.) I have used the live disc under VMWare and connected the card via USB reader. Everything works great and the install begins, but then hangs forever (overnight at least) at 35%, which is:

/usr/local/bin/cpdup -vvv -I -o /usr /mnt/usr

I have tested the card and reader extensively; everything works. I have re-attempted the above process several times. How do I work around this?

Also, how do I put reasonable settings onto here, so that I can avoid setting up a console with my alix board? I'd prefer to have simple DHCP auto-configuration on at least one NIC and SSH/HTTP admin access working immediately after booting.

That portion of the installer takes quite a while depending on speed of the CF card, etc. Give it a bit longer.

Scott

How long should I give it? I already gave it roughly 4-6 hours... I can write the whole card full of data in about 15 minutes using the same reader. What in the world is it doing??

-Galen
[pfSense Support] Pfsense + OpenVPN + Kvpnc with certificates
Hi, did anyone install pfsense with such configuration? I am using it with the Windows GUI (Mathias one, very good indeed) but I am unable to configure it using KVPNC on Fedora. Could anyone help? TIA, Giuseppe Marullo
[pfSense Support] re: OpenVPN Practical Application
Curtis, I am building a virtual/remote demo equipment, and I use OpenVPN connectivity to be there using a very simple approach. The availability of a windows client, the reliability of the system (pfsense+openvpn) the hyper-rich feature set of the whole is simply outstanding (compared to price obviously).

Giuseppe

PS: I refused to use cisco stuff, because I don't know them but I guess there I would have been seriously limited for my purpose

- Original Message -
From: Curtis LaMasters [EMAIL PROTECTED]
To: support@pfsense.com
Subject: [pfSense Support] OpenVPN Practical Application
Date: Sat, 24 Nov 2007 20:17:53 -0600

This weekend I've been reading a lot about OpenVPN on pfSense and OpenVPN in general. I guess I still have a few missing parts in my head because I can't connect the dots. Is OpenVPN a viable replacement for the Cisco VPN software and IPSec services on a PIX/ASA or is it not ready for that yet. I will be doing some testing here very soon (I haven't left my house yet) of the OpenVPN software installed on my Ubuntu 7.10 laptop and my pfSense 1.2RC2 firewall with OpenVPN configured. I'll let you know how I come out, I am just curious as to how everybody else has approached it. Thanks.

--
Curtis LaMasters
http://www.curtis-lamasters.com
http://www.builtnetworks.com
[pfSense Support] L2 Pfsense and bypass units
Hi, I would like to use pfsense but I would be able to switch it off without too much impact on the network. If I install it in layer 2, would it be possible to use some kind of bypass unit? Any experience on it, I have googled for low cost/homebuilt units without success. TIA, Giuseppe Marullo PS: I know that Intel Pro1000 dual lan should have some sort of bypass embedded into the NIC, but I am unable to find the right tools to enable it.
[pfSense Support] extreme bridging with pfsense
Hi, I would like to use a pfsense virtual appliance to connect real physical vlans on a catalyst switch with the vmnets that exists in a vmware server. The idea is to overcome the limitation on non-esx3 vmware installations allowing to bridge the virtual machines to real vlans using a single trunk cable between the switch and the vmware host. I would like to know which are the limits involved in bridging several interfaces in pfsense. Actually I don't have a switch handy so I tried the following setup that seemed to work:

realpc--vmnet1--(lan)left_virtual_pfsense(wan on vlan501)--vmnet5--(wan on vlan501)right_virtual_pfsense(lan)--vmnet4--virtualpc

The realpc and the virtualpc are on different lans, and the pfsense will talk to each other like there was a trunk between them, this was done because of the lack of a .1q switch. The realpc and the virtualpc were able to see each other at L2 level. The question is: will I be able to do it on 8 vlan using 16 nic, 8 on the same interface(wan or other) and the other 8 on each vmnet0-7?

TIA, Giuseppe Marullo

PS: this thing rocks, dudes
[pfSense Support] OPENVPN Interface
I am following the howto (http://doc.pfsense.org/index.php/Setting_up_OpenVPN_with_pfSense) and I do not have an openvpn interface (tun interface). Is this because I am also using the pptp vpn? or has this part changed in rc2? Thanks Jeb
[pfSense Support] advanced outbound nat interfering with ipsec tunnel?
Hi, I just updated to latest releng_1 and it still has this same problem. I have a carp+dual wan setup and I'm trying to get outbound load balancing to work, but when I make changes to the advanced outbound nat rules to work towards getting load balancing to work, it causes my ipsec tunnel to stop getting packets. What I mean by that is that the ipsec tunnel still establishes, but traceroutes to the tunnel return addresses on the public internet ( whereas they didn't with the previous outbound nat setting - and when ipsec was actually working ).

Without further ado, here's what I changed the outbound nat rules to that caused it to stop working:

iface: WAN2
src: 192.168.0.0/24
src port: *
dst: ! 192.168.0.0/24
dst port: *
nat addr: * ( no carp on WAN2 unfortunately )
nat port: *
static port: no

iface: WAN
src: 192.168.0.0/24
src port: *
dst: ! 192.168.0.0/24
dst port: *
nat addr: x.x.218.245 ( my public wan carp ip )
nat port: *
static port: no

I don't have enough public ip's on WAN2 to carp it, however the ipsec tunnel is currently using WAN2's connection ( it's the only ip my client's router - the other end of the tunnel - is configured to accept )

The LAN firewall rule allowing outbound traffic is:

iface: lan
proto: *
source: lan net
port: *
dest: *
dest port: *
gateway: x.x.231.154 ( WAN2's gateway - WAN's isp was having trouble yesterday )

I have just restored my router configuration (again) and my ipsec tunnel is working again. Here are the adv outbound nat rules that allow the tunnel to work:

iface: WAN2
src: 192.168.0.96/31
src port: *
dst: *
dst port: *
nat addr: * ( no carp on WAN2 unfortunately )
nat port: *
static port: no

iface: WAN
src: 192.168.0.0/24
src port: *
dst: *
dst port: *
nat addr: x.x.218.245 ( my public wan carp ip )
nat port: *
static port: no

I was told that in order for outbound load balancing to work correctly especially in combination with carp, you have to create two outbound nat rules, one for each wan. However, when I try to do this, it causes my vpn traffic to not get caught by the ipsec tunnel and is instead getting sent to the unencrypted internet ( as evidenced by my tracert's ). What am I doing wrong, or have I possibly discovered a bug? Please advise, thank you.
Re: [pfSense Support] Upgrade from m0n0 to pfSense?
Crud, that explains a lot... I at least think that I have the outbound NAT entries setup for WAN and OPT1:

nat on xl2 from 192.168.1.0/24 to any -> (xl2)
nat on xl1 from 192.168.1.0/24 to any -> (xl1)

I seem to be stuck trying to create an outbound rule. Everything I try says "pass in" in the User-defined rules section of rules.debug. :(

On 8/23/05, Bill Marquette [EMAIL PROTECTED] wrote:

On 8/23/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

As a test, I tried to create a rule to send all VNC traffic over the OPT1 WAN interface, but it always used the default WAN interface. I must be missing something. How can this be done when the second WAN interface has a static IP?

Possibly, possibly not. Check /tmp/rules.debug for the rule that you're adding and please post it here to see if the gateway portion is being added correctly for the rule in question.

# NAT Inbound Redircts
...
rdr on xl2 proto tcp from any to port 5900 -> 192.168.1.230 port 5900
rdr on xl1 proto tcp from any to port 5900 -> 192.168.1.230 port 5900
# User-defined rules follow
...
pass in quick on $WANII proto tcp from any to { 192.168.1.230 } port = 5900 keep state label USER_RULE: NAT Allow VNC to buzz via WAN2
...

That's inbound. The multi-wan code we're talking about is outbound. By default inbound traffic to an IP will return out the interface/gateway it came in on (as long as you have a gateway setup in the interface config). It's up to the user to get the inbound traffic on the right link, via DNS, or IP, or whatever other trick.

--Bill
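The check requested in this thread (whether the gateway portion made it into the rule in rules.debug) can be scripted. The following is an added example, not code from the thread or from the pfSense project: it lists each user-defined pass rule with its interface and whether it carries pf's `route-to` policy-routing clause. The sample rules are constructed; the second rule, its `route-to ( xl1 203.0.113.1 )` clause, the quoted labels and the gateway address are assumptions about what a policy-routed LAN rule looks like.

```shell
#!/bin/sh
# Report, for each user-defined pass rule in a pf rules file, whether it
# carries a route-to clause (pf's policy-routing keyword).

# Constructed sample: the first rule is modelled on the inbound WAN rule
# quoted in the thread; the second is a hypothetical LAN rule with a
# gateway. 203.0.113.1 is a documentation-range placeholder.
sample_rules() {
cat <<'EOF'
# User-defined rules follow
pass in quick on $WANII proto tcp from any to { 192.168.1.230 } port = 5900 keep state label "USER_RULE: NAT Allow VNC to buzz via WAN2"
pass in quick on $lan route-to ( xl1 203.0.113.1 ) proto tcp from 192.168.1.0/24 to any port = 5900 keep state label "USER_RULE: VNC out via OPT1"
EOF
}

# classify_rules: read a rules file on stdin and print one line per
# user-defined pass rule: <route-to|no-gateway> TAB <interface> TAB <label>
classify_rules() {
  awk '
    /^# User-defined rules/ { in_user = 1; next }
    in_user && $1 == "pass" {
      rule = $0; label = ""
      # Cut the label off first so its free text cannot match "route-to".
      if (match(rule, /label "[^"]*"/)) {
        label = substr(rule, RSTART + 7, RLENGTH - 8)
        rule = substr(rule, 1, RSTART - 1)
      }
      n = split(rule, f, " "); iface = "?"
      for (i = 1; i < n; i++) if (f[i] == "on") { iface = f[i + 1]; break }
      kind = (rule ~ / route-to /) ? "route-to" : "no-gateway"
      printf "%s\t%s\t%s\n", kind, iface, label
    }'
}

# count_kind KIND: count the rules on stdin classified as KIND.
count_kind() {
  classify_rules | awk -F'\t' -v k="$1" '$1 == k { n++ } END { print n + 0 }'
}

# Stand-alone run: classify the constructed sample.
sample_rules | classify_rules
```

On the firewall the same function reads the live file: `classify_rules < /tmp/rules.debug`. A rule on a WAN interface reported as `no-gateway` is the inbound case described in the reply above, not an outbound policy route.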