RE: [pfSense Support] STP on Redundant Transparent Firewalls

2011-09-07 Thread Adam Thompson
Then STP *is* working. :-)

I’m unclear on how you can have CARP functioning – or even what you’re 
attempting, actually – if the two pfSense boxes are covering different VLANs; 
can you provide more detail on your setup?

Also, what flavour of STP are you using?  STP? RSTP? MSTP? PVSTP?  If you don’t 
know, just tell us what kind of switch(es) are involved.

Lastly, what does your PBX have to do with any of this?

-Adam Thompson

athom...@athompso.net

From: Austin G. Smith [mailto:aus...@digitalcompass.com] 
Sent: Tuesday, September 06, 2011 13:09
To: support@pfsense.com
Subject: [pfSense Support] STP on Redundant Transparent Firewalls

Greetings-

We have 2 pfsense machines that are bridged on different vlans operating as a 
transparent firewall.  These machines are set up for CARP replication to each 
other, which is verified functioning.  However, for some reason, the STP is not 
quite functioning on the secondary PBX.  We have to keep one of the interfaces 
down, or we get in a loop situation.

Has anyone experienced this behavior that can advise a work around?  What are 
we missing here?

Thank you-

Austin Smith, A+, NET+, SMBE, MCSA

Director of Information Technology

Digital Compass

(404) 410-2708 direct

(404) 410-2701 fax

949 W. Marietta Street, Suite x104

Atlanta, GA 30318

**For immediate assistance please contact our technical team at 888-640-2260**



RE: [pfSense Support] Install NIC Atheros of mainboard

2011-09-06 Thread Adam Thompson
It doesn’t look like that particular Atheros chipset is supported yet in 
FreeBSD, which means you will not be able to use it with pfSense at all.

(The alc(4) driver supports the Atheros 815x series of devices, but only claims 
to support the AR8151 and AR8152 so far.)

I assume you’re using a BIOSTAR motherboard, since no-one else appears to use 
the AR8158 yet?  This chip is new enough that even Qualcomm/Atheros’ own 
website does not list it!

You might have to wait for pfSense 2.1, which is expected to be based on FreeBSD 
9, *if* support for the chip is added to FreeBSD 9 prior to release.  Most 
likely, you’ll have to wait for pfSense 2.2, which might be based on FreeBSD 
9.1 – whenever that happens.  Since FreeBSD 9 is already in beta, I doubt 
support for that chip will be added before release.

-Adam Thompson

athom...@athompso.net

(204) 291-7950 - direct

(204) 489-6515 - fax

From: Ivanildo Galvão - IT Services [mailto:ivani...@itservices.com.br] 
Sent: Tuesday, September 06, 2011 10:13
To: support@pfsense.com
Subject: [pfSense Support] Install NIC Atheros of mainboard

Good afternoon. How do I get pfSense to recognize an onboard NIC? Is there any 
command or some way for it to download the driver from the internet via the 
shell? The card in question is an Atheros AR8158 10/100 Controller; the offboard 
Realtek has been recognized and is configured as WAN, and I need to enable the 
onboard Atheros as LAN.

Regards,

Ivanildo Galvão - MCP, MCT, MCSA, VSP

Technology Consultant

Tel. (84) 3201 2146 | Mobile (84) 9111 8873

ivani...@itservices.com.br | www.itservices.com.br

Twitter: @ivanildogalvao


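A way to check from the console what the reply above asserts (that the chip is simply not claimed by any FreeBSD driver), as an added example that is not from the thread or the pfSense project: `pciconf -lv` lists a device with a driver as e.g. `alc0@pci0:2:0:0` and one without as `noneN@pci0:...`; the `chip=` field packs the PCI device ID in the high 16 bits and the vendor ID in the low 16 bits, and those two numbers are what you compare against alc(4) or the FreeBSD hardware notes. The embedded sample output is constructed for the example: 0x1969 is Atheros' vendor ID and 0x10ec Realtek's, but the device and card values are placeholders, not the AR8158's.

```python
"""Find PCI devices FreeBSD attached no driver to, from `pciconf -lv` output.

Added example, not from the thread. SAMPLE below is constructed: the vendor
IDs are real (0x1969 Atheros, 0x10ec Realtek); device/card values are
placeholders and not the AR8158's.
"""
import re
import subprocess
import sys
from dataclasses import dataclass
from typing import List

# Header line: <driver><unit>@pci<dom>:<bus>:<slot>:<func>:  class=0x.. card=0x.. chip=0x..
HEADER_RE = re.compile(
    r"^(?P<driver>[a-z_]+)(?P<unit>\d+)@pci(?P<sel>[\d:]+):\s+"
    r"class=0x(?P<cls>[0-9a-f]+)\s+card=0x(?P<card>[0-9a-f]+)\s+chip=0x(?P<chip>[0-9a-f]{8})",
    re.I,
)

SAMPLE = """\
alc0@pci0:2:0:0:\tclass=0x020000 card=0x10621849 chip=0x10631969 rev=0xc0 hdr=0x00
    vendor     = 'Atheros Communications Inc.'
    device     = 'AR8131 Gigabit Ethernet'
    class      = network
    subclass   = ethernet
none2@pci0:3:0:0:\tclass=0x020000 card=0x00001849 chip=0x12341969 rev=0x00 hdr=0x00
    vendor     = 'Atheros Communications Inc.'
    class      = network
    subclass   = ethernet
re0@pci0:4:0:0:\tclass=0x020000 card=0x81681043 chip=0x816810ec rev=0x06 hdr=0x00
    vendor     = 'Realtek Semiconductor Co., Ltd.'
    device     = 'RTL8111/8168B PCI Express Gigabit Ethernet controller'
    class      = network
    subclass   = ethernet
"""


@dataclass
class PciDev:
    driver: str          # "alc", "re", ... or "none" when nothing attached
    unit: int
    selector: str        # domain:bus:slot:function
    vendor_id: int
    device_id: int
    pci_class: int
    vendor: str = ""
    device: str = ""

    @property
    def attached(self) -> bool:
        return self.driver.lower() != "none"

    @property
    def is_network(self) -> bool:
        return (self.pci_class >> 16) == 0x02   # PCI base class 0x02: network controller


def parse_pciconf(text: str) -> List[PciDev]:
    """Parse `pciconf -lv`; indented key = 'value' lines belong to the last header."""
    devs: List[PciDev] = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            chip = int(m.group("chip"), 16)
            devs.append(PciDev(m.group("driver"), int(m.group("unit")), m.group("sel"),
                               vendor_id=chip & 0xFFFF, device_id=chip >> 16,
                               pci_class=int(m.group("cls"), 16)))
        elif devs and "=" in line and line.startswith((" ", "\t")):
            key, _, val = line.strip().partition("=")
            key, val = key.strip(), val.strip().strip("'")
            if key == "vendor":
                devs[-1].vendor = val
            elif key == "device":
                devs[-1].device = val
    return devs


def unclaimed_network_devices(text: str) -> List[PciDev]:
    """Network-class devices that no driver attached to: the NIC that 'is not there'."""
    return [d for d in parse_pciconf(text) if d.is_network and not d.attached]


if __name__ == "__main__":
    # On a FreeBSD/pfSense shell read the real output; elsewhere fall back to SAMPLE.
    try:
        text = subprocess.run(["pciconf", "-lv"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        print("pciconf not available, using constructed SAMPLE", file=sys.stderr)
        text = SAMPLE
    for d in unclaimed_network_devices(text):
        print(f"{d.selector}: vendor 0x{d.vendor_id:04x} device 0x{d.device_id:04x} "
              f"({d.vendor or '?'} {d.device or '?'}) has no driver attached")
```

The vendor:device pair printed for a `none` entry is the thing to search for in the driver's man page or in the FreeBSD commit log; if it is absent there, no amount of configuration will make the interface appear.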
RE: [pfSense Support] VPN Failover Backup

2011-08-18 Thread Adam Thompson
The Cisco 3750 does support full layer-3 capability; its OSPF implementation is 
about as complete as you’d find in an x800-series router running IPBASE.  In 
fact, its routing speed will be pretty close to what an 1801 router could do – 
i.e., not wonderful.

Some 3750s (not many) come with “LAN-Lite” or “LAN-base” software, however, and 
all L3 functions are disabled in those builds.  From the console, run “show 
version”, and then go to Cisco’s site (or post here) to decode the “image 
name”, which will look something like “c3750-ipbaselmk9-tar.122-55.SE3.tar”.  
If it says “ipbase” or “ipservices” you’re good to run OSPF.  If it also says 
“k9” you’re able to use encryption (but you won’t want to, as the CPU is 
very slow).

-Adam Thompson

athom...@athompso.net

From: David Miller [mailto:davi...@gmail.com] 
Sent: Thursday, August 18, 2011 09:42
To: support@pfsense.com
Subject: Re: [pfSense Support] VPN Failover Backup

On Thu, Aug 18, 2011 at 1:11 AM, John McDonnell  wrote:

One more question about OSPF routing, am I going to want to remove the
routes from the switches or would it be beneficial to leave them in there,
but  point to the IP of the pfSense box and have it do OSPF routing to
determine if it should go over the normal wireless links or over the VPN?
I'm not sure, but I'd think that having the switches doing the basic routing
to determine if it needs to go across a link would be more efficient and
faster than passing that to the pfSense box and then back to the switch if
it's only in a different subnet at the same building. Not sure how I'd
incorporate QoS on the VOIP in this manner though, perhaps a virtual IP?


Yes for inter-VLAN routing within the building I'd use the switches to get the 
line speed routing available in the switch.  I don't see any reason to send the 
traffic to pfSense just to have it send the traffic back if you don't have to.  
Also I just had a look at the 3750 spec sheet it appears to support OSPF and 
EIGRP (Cisco's proprietary dynamic routing solution).  It's not too common for 
a Layer 3 switch to support dynamic routing protocols so I can't say how 
complete this support is but it's there in some form.  I'm not sure what image 
you need to have on the switch to get access to this functionality.  So you 
would have to do some research into if your images support these protocols and 
if they support enough of the protocol to do what you need.  If they do then 
you could keep all the routing on the Cisco switches and just use pfSense to 
setup the VPN tunnel.  Otherwise I would use the hybrid approach and let the 
pfSense boxes route between buildings leaving the switches to route between 
vlans.

Thank you all for your thoughts and I think I'm a bit closer to being ready
to give this a test run once I get some spare time in a couple weeks.


Good luck.  Let us know how it works out.
--
David



RE: [pfSense Support] PPTP Broken in latest AMD 2.0 Snapshots

2011-08-17 Thread Adam Thompson
> Read the ticket, and the response again. :-)
>
> We tried fixing that, and it broke PPPoE. The fix had to be backed
> out, so now PPTP is broken again but PPPoE works.
>
> Jim

I've re-read the ticket and the email and I still don't see how I would 
come to any other interpretation...

Regardless, you've clarified the situation now, thank you.


-Adam Thompson
 athom...@athompso.net

"This Is Just A Test, Please Ignore The Peanut Panicking Over In The 
Gallery.  Thank You For Your Cooperation."




-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org



RE: [pfSense Support] PPTP Broken in latest AMD 2.0 Snapshots

2011-08-17 Thread Adam Thompson
> From: Chris Buechler [mailto:cbuech...@gmail.com]
> Subject: Re: [pfSense Support] PPTP Broken in latest AMD 2.0
> Snapshots
>
> On Wed, Aug 17, 2011 at 3:38 PM, Adam Piasecki
>  wrote:
> > Same config works with i386, does not work with AMD..
> > PPTP clients on AMD can not send traffic over IPSEC Tunnels or
> traffic
> > out to the internet. PPTP to the local LAN works fine with AMD.
> > I386 works with everything.
>
> That's this.
> http://redmine.pfsense.org/issues/1107
>
> Fixing that broke PPPoE entirely on AMD64, doubt if that gets fixed
> for 2.0.

Do you mean you're willing to put out 2.0-RELEASE with non-functional 
PPPoE on all x64 platforms?

If I had to choose between PPPoE or PPTP support, that's a no-brainer for 
me: PPPoE is far more important.  If PPTP doesn't work, I can put a PPTP 
server behind the pfSense box and tunnel through.  If PPPoE doesn't 
work... I have to replace the firewall.

Assuming I took your response correctly, the workaround would then be: run 
the i386 build instead.

In my experience 32-bit code now provides about 20% less peak bandwidth 
than x86_64 code on the latest Xeons (don't know about Opterons).  That's 
not a very good workaround, IMHO.  (Yes, it's possible that was a 
hardware-specific result, I wasn't doing scientifically valid 
benchmarking.)  And yes, I also realize it's unlikely I'll be pumping 
10Gb/sec of data through the same router that needs to talk PPPoE to an 
ISP, so maybe no-one cares; the 32-bit build runs about as fast as the 
64-bit build in normal cases.  I wonder if there's some difference in DMA 
coalescing, or interrupt handling, in the device driver?  For all I know 
the CPU could be running slower, or IOAT could be disabled or something 
like that in 32-bit mode.  I'm only talking about a single data point 
here.


Still hoping I misunderstood you anyway,

-Adam Thompson
 athom...@athompso.net




RE: [pfSense Support] Kingston SSD filesystem corruption

2011-08-09 Thread Adam Thompson
Even though it’s flash memory under the hood, SSDs are supposed to have 
wear-levelling algorithms baked into the firmware so that they function like a 
normal ATA HDD.  I know of someone else who has deployed the Kingston SSDs into 
Windows XP machines (a *recommended* use case by Kingston), where there is no 
possibility of modifying mount options, and all of his Kingston SSDs have now 
failed, too.  (For what it’s worth, 3M’s SSDs are also not recommended, for the 
same reason.)

It appears that lower-price SSD manufacturers don’t do much testing of their 
gear to validate expected service life.  Either that, or their expectations of 
what ‘normal’ disk I/O patterns are doesn’t match reality.

So far, the Intel SSDs appear to be the most reliable in general-purpose use 
(i.e. HDD replacement), but you pay a substantial premium: perhaps in the SSD 
world, you really do get what you pay for?

Worth noting that there is a reasonably-complete reference chart of which 
vendor uses which parts at http://pcper.com/ssd-decoder.  Note that some newer 
Kingston models use Intel 
controllers, which should help – *IF* Kingston ever gets around to releasing 
firmware updates!  (Or if the Intel f/w updates work on Kingston drives – not 
tested.)

The Sandforce controllers seem to generally have decent service life combined 
with decent performance.

FreeBSD 8.2 (apparently) fully supports TRIM for UFS filesystems, so using SSDs 
in long-life applications should become a more viable option if you’re on an 
8.2 or newer kernel.  (IIRC, pfSense 2.0 is based on 8.1, while 2.1 is to be 
based on 9.x.)

It looks like ad(4) supports BIO_DELETE in 8.1-Release (and therefore pfSense 
2.0), but you have to use newfs(8) to make that happen… not exactly suitable 
for daily use!  That means that during installation of pfSense 2.0, your SSD 
should release all blocks, which will still help somewhat.

-Adam Thompson

athom...@athompso.net

(204) 291-7950 - direct

(204) 489-6515 - fax

From: Bao Ha [mailto:b...@hacom.net] 
Sent: Tuesday, August 09, 2011 11:36
To: support@pfsense.com
Subject: Re: [pfSense Support] Kingston SSD filesystem corruption

On Tue, Aug 9, 2011 at 9:33 AM, Tim Dickson  wrote:

> About a year ago, I switched to running the full pfSense 2.0 (beta something 
> at the time) on a Kingston SS100S2/8G embedded SSD.

I installed the 30G version in 12 systems, all of which failed within 6 months. 
 I moved to Intel 320s and/or WD Greens (depending on budget of the site) so 
we'll see how they hold up.
I also had the 64G version running Untangle systems which failed as well... in 
short I would not recommend the Kingston SSDs at all... it's been a major pain 
having to swap them all out of live systems.

SSD is just flash memory.  You will need to mount the filesystem with sync and 
noatime.


-- 
Best Regards.
Bao C. Ha
Hacom - Embedded Systems and Appliances
http://www.hacom.net 
voice: (714) 564-9932



RE: [pfSense Support] BGP support in 2.0

2011-08-03 Thread Adam Thompson
I've been accepting ~13k routes inbound and advertising nothing.  So that part 
works, too.
Now you just need confirmation from someone who does both!
-Adam Thompson


Nathan Eisenberg  wrote:

>> Does 2.x have BGP support ?
>> We have 2 providers that we wish to connect to via BGP
>
>It does, and it works great.  Multiple production deployments using it to 
>advertise routes.  All outbound - not accepting any prefixes inbound, so can't 
>speak to how well that works.  If Chris says it works well though, I believe 
>him!
>
>Nathan


RE: [pfSense Support] RE: (Update) Pantech UML290

2011-07-24 Thread Adam Thompson
I don't know if it's possible with the device you're using, but on older 
modems that obeyed the AT command-set it was sometimes possible to tell 
them to not negotiate any speeds higher than a certain value.
If it's possible to convince your 3G or LTE modem to not report speeds in 
excess of 10MBps, it might work as is.  No idea what magic AT command 
would do so, however - I haven't used serial links (never mind Hayes 
command-set modems!) in quite a long while now.

-Adam Thompson
 athom...@athompso.net
 (204) 291-7950 - direct
 (204) 489-6515 - fax




RE: [pfSense Support] RE: (Update) Pantech UML290

2011-07-24 Thread Adam Thompson
> -Original Message-
> From: Chris Clark [mailto:ch...@belthasar.com]
> Sent: Sunday, July 24, 2011 14:47
> To: support@pfsense.com
> Subject: [pfSense Support] RE: (Update) Pantech UML290
>
> After reading the last two posts in this thread:
> http://forum.pfsense.org/index.php?topic=28649.0
> I'm fairly certain that the problem displayed in the logs below is
> also due the problem described with mpd.  However, I've noticed
> that there are two different mpd binaries present in
> /usr/local/sbin:
> -r-xr-xr-x  1 root  wheel   460256 Jun 21 16:51 mpd4
> -r-xr-xr-x  1 root  wheel   519364 Jun 21 16:51 mpd5
>
> Does anyone know which one is being used and from where it's
> called?


Based on ermal's post to that thread, I would presume 2.0 uses mpd5, and I 
would also presume that the fix will make it into a snapshot in the very 
near future.

I don't think fixing mpd5 could fix the kernel overflow problem suggested 
elsewhere, however, so I suggest you not try to use this in a multilink 
setup for now.

-Adam Thompson
 athom...@athompso.net




Re: [pfSense Support] squid corrupts content

2011-07-16 Thread Adam Thompson
Although unlikely, that could be symptomatic of bad RAM.  Still amazes me that 
no-one seems to see the necessity for ECC RAM in networking gear.

It's unlikely that such a problem would cause such an isolated, specific 
symptom, however.

-Adam


Volker Kuhlmann  wrote:

>I've had this happen several times now. Large files end up having
>single-byte corruptions spread through the file. The problem is related
>to squid - turning it off makes the corruptions disappear.
>
>squid configured as transparent proxy, no user authentication.
>
>maximum_object_size_in_memory 32 KB
>memory_replacement_policy heap GDSF
>cache_replacement_policy heap LFUDA
>cache_dir ufs /local/squid/var/squid/cache 3000 32 256
>minimum_object_size 0 KB
>maximum_object_size 25 KB
>offline_mode off
>cache_swap_low 90
>cache_swap_high 95
>
>The disk has no reallocated or pending bad sectors and passes smart
>selftests.
>
>This makes the web cache kind of not very useful :-((
>
>Volker
>
>-- 
>Volker Kuhlmann     is list0570 with the domain in header.
>http://volker.dnsalias.net/     Please do not CC list postings to me.


RE: [pfSense Support] Re: unknown cause of limited throughput

2011-07-14 Thread Adam Thompson
Are you passing the VLAN tags all the way into the pfSense VM on a single 
vNIC, or are you splitting the VLANs at the vSwitch level and passing them 
into multiple vNICs on the pfSense VM?
I found that every layer of software that inspected VLAN tags diminished 
my throughput by a factor of 10, so allowing ESXi to split the VLANs into 
multiple vNICs was much, much faster than allowing the VLAN tags to 
propagate through to the VM.

-Adam Thompson
 athom...@athompso.net

> -Original Message-
> From: David Burgess [mailto:apt@gmail.com]
> Sent: Thursday, July 14, 2011 01:27
> To: support
> Subject: [pfSense Support] Re: unknown cause of limited throughput
>
> 2.0-RC3 (amd64)
> built on Tue Jul 12 21:23:55 EDT 2011
>
> On Tue, Jul 5, 2011 at 11:52 PM, David Burgess 
> wrote:
>
> > I hope that's not too confusing. To summarize, any two machines, real
> > or virtual, get iperf results near wire speed when on the same L2
> > network. Any two machines on different (routed) networks see iperf
> > speeds between 320 and 550, which is expected due to the limitations
> > of the router. The exception is rip. Of my three virtual hosts, which
> > all live on the same ESXi server, only rip is seeing very slow iperf
> > speeds (and similar nfs speeds) when acting as server to routed hosts.
>
> I did some more testing and was surprised by the results. I created
> a new virtual server "chunk" running Ubuntu Server 10.10 and
> expected that because it was now the same version OS as my other
> servers, it would now exhibit normal routed network speeds. But I
> was wrong. Chunk consistently serves iperf at 12.8 Mbps to a routed
> client.
>
> Intrigued, I moved chunk to a different local vlan/network and
> tested again. The result:
>
> iperf client        vlan   server            vlan   result
> ren   (real)        85     chunk (virtual)   250    380 Mbps   routed
> ren   (real)        85     chunk (virtual)   240    12.8 Mbps  routed
> mule  (real)        85     chunk (virtual)   250    380 Mbps   routed
> mule  (real)        85     chunk (virtual)   240    12.8 Mbps  routed
> ren   (real)        85     mule  (real)      240    16.8 Mbps  routed
>
> So it's not the server, it's the vlan or something related to it.
> vlan85 is my LAN, and the only firewall rule on that interface is a
> PASS all rule. There is no floating rule that should touch any of
> this as far as I can tell.
>
> The only thing that distinguishes vlan 240 from the other vlans I'm
> testing (besides being slower) is that the hosts on this vlan have
> publicly routable IP addresses, while the hosts on every other vlan
> are 192.168.x.x addresses. There is no NAT occurring between local
> networks.
>
> I've now ruled out virtualization and OS as being the cause of
> this, and that leaves pfsense and the switch. The switch is not
> slow where the router is not involved, so unless I've misjudged,
> this is a pfsense problem.
>
> Any ideas?
>
> db




RE: [pfSense Support] Backing up config file

2011-06-29 Thread Adam Thompson
> I run a nightly cron for some of my boxen for this handy script:
>
>
> #!/bin/bash
> # %H gives a zero-padded hour; %k pads with a space, which ends up in the file name.
> DATESTAMP=`date +%F-%H%M%S`
> wget -qO /istorage/infrastructure/prod_edgefw03/backup-$DATESTAMP.xml \
>   --post-data 'Submit=Download' --user=admin --password='secretpassword' \
>   --no-check-certificate "http://HOSTNAME/diag_backup.php"
>
>
> Replace your password and hostname of your box, and it'll download
> your config to a datestamped XML file.
>
> ***CAVEAT*** I'm using this against a handful of pfSense boxes
> running 1.2.2 and 1.2.3. This may not work with the 2.x series. It
> is untested there... ***CAVEAT***

This has been discussed here before.  Any 1.x scripts that require 
authentication will not work with 2.x.  For a simple example of exactly 
this, see 
http://doc.pfsense.org/index.php/Remote_Config_Backup#Pulling_on_2.0


-Adam Thompson
 athom...@athompso.net



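The login-then-download sequence that the 2.0 procedure referenced above requires, as an added example that is not part of the thread or of the pfSense project: fetch a csrf-magic token, log in with it, take the fresh token from the post-login page and POST the download request, all within one cookie session. The form field names (usernamefld, passwordfld, login, Submit, donotbackuprrd, __csrf_magic) are assumptions taken from the 2.0-era diag_backup.php form and were renamed in later releases, so check them against your own box's HTML. Two things the quoted 1.x script does not do: the password is read from the environment rather than argv (argv is visible to every local user via ps(1)), and the output file is created mode 0600, since config.xml carries password hashes, IPsec PSKs and certificate private keys. Pass the firewall's own CA/cert file instead of disabling TLS verification.

```python
"""Pull a pfSense 2.x config backup through the GUI's login flow.

Added example, not from the thread or the pfSense project. The field names
(usernamefld, passwordfld, login, Submit, donotbackuprrd, __csrf_magic) are
assumptions taken from the 2.0-era diag_backup.php form; later releases
renamed some of them.
"""
import os
import re
import ssl
import sys
import time
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar
from typing import Optional

# csrf-magic emits a hidden <input>; accept either attribute order and quoting.
_CSRF_PATTERNS = (
    re.compile(r"""<input[^>]*name=['"]__csrf_magic['"][^>]*value=['"]([^'"]+)['"]""", re.I),
    re.compile(r"""<input[^>]*value=['"]([^'"]+)['"][^>]*name=['"]__csrf_magic['"]""", re.I),
)


def find_csrf(html: str) -> Optional[str]:
    """Return the __csrf_magic token embedded in a 2.x GUI page, or None."""
    for pattern in _CSRF_PATTERNS:
        match = pattern.search(html)
        if match:
            return match.group(1)
    return None


def backup_filename(hostname: str, when: Optional[float] = None) -> str:
    """Datestamped output name with no spaces (date's %k pads the hour with one)."""
    stamp = time.strftime("%Y%m%d-%H%M%S", time.localtime(when))
    return f"config-{hostname}-{stamp}.xml"


def fetch_backup(host: str, user: str, password: str, cafile: Optional[str] = None) -> bytes:
    """Log in, then download config.xml, keeping one cookie session throughout.

    cafile=None uses the system trust store; for a self-signed GUI certificate
    pass the firewall's own cert file rather than turning verification off.
    """
    opener = urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(CookieJar()),
        urllib.request.HTTPSHandler(context=ssl.create_default_context(cafile=cafile)),
    )
    url = f"https://{host}/diag_backup.php"

    def page(form: Optional[dict] = None) -> bytes:
        data = urllib.parse.urlencode(form).encode() if form else None   # None -> GET
        with opener.open(url, data=data, timeout=30) as resp:
            return resp.read()

    # 1. GET sets the session cookie and carries the login form's token.
    token = find_csrf(page().decode("utf-8", "replace"))
    if token is None:
        raise RuntimeError("no csrf token on the login page; not a 2.x GUI?")

    # 2. POST the credentials with that token.
    after_login = page({"__csrf_magic": token, "usernamefld": user,
                        "passwordfld": password, "login": "Login"}).decode("utf-8", "replace")
    if "passwordfld" in after_login:
        raise RuntimeError("login failed: still being shown the login form")

    # 3. The post-login page carries a fresh token; use it for the download POST.
    token = find_csrf(after_login)
    if token is None:
        raise RuntimeError("no csrf token on diag_backup.php after login")
    body = page({"__csrf_magic": token, "Submit": "download", "donotbackuprrd": "yes"})
    if not body.lstrip().startswith(b"<?xml"):
        raise RuntimeError("response is not XML; check the form field names for your version")
    return body


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: PFSENSE_PASS=... backup.py <host> [user]")
    host, user = sys.argv[1], (sys.argv[2] if len(sys.argv) > 2 else "admin")
    password = os.environ.get("PFSENSE_PASS")   # keep it out of argv, which ps(1) shows
    if not password:
        sys.exit("set PFSENSE_PASS in the environment")
    xml = fetch_backup(host, user, password, cafile=os.environ.get("PFSENSE_CAFILE"))
    name = backup_filename(host)
    # config.xml holds password hashes, IPsec PSKs and private keys: create it 0600.
    fd = os.open(name, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as out:
        out.write(xml)
    print(f"wrote {name} ({len(xml)} bytes)")
```

Run it from cron as a dedicated low-privilege user with its own GUI account limited to the backup page, not as admin; the token and cookie handling is the only part that differs from the 1.x one-liner, and it is exactly the part that breaks basic-auth scripts on 2.x.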

Re: [pfSense Support] naive prioritization of VoIP?

2011-06-02 Thread Adam Thompson
This begs the question of what, exactly, all those other firewalls DO when I 
set "priority".
...speaking of VoIP, does anyone know if the FreeSwitch packages are ever 
getting updated?  Or if the -dev version really is following HEAD?
-Adam


karlf...@gmail.com wrote:

>I've had great luck with VoIP and pfSense.
>To be clear, there's no such thing as 'real' end-to-end guarantee of 
>quality of service unless you're talking about MPLS or similar 
>technologies.  What you want is called 'traffic shaping'
>
>For ordinary people with ordinary connections, the idea is as follows:
>PART 1 -
>"Starve the pipe!"
>You must utilize your internet connection below its maximum 'guaranteed' 
>throughput, otherwise you will have no control over the upstream buffers 
>(see buffer bloat), and your real-time application, VoIP or otherwise 
>will suffer.  In VoIP, that means that packets will either not arrive, 
>or arrive so late as to exceed the VoIP UA's jitter buffer, and will 
>result in subjective quality factors, technically referred to as "Shitty 
>quality" (Drops, stutters, etc).
>PART 2 -
>Prioritize your real-time packets!
>Now that your pipe is VERY SLIGHTLY underutilized, you have left 
>yourself the ability to instantly insert the VERY NEXT VoIP packet into 
>your data stream if one should happen to arrive (the very NEXT VoIP 
>packet is the one you have to be preemptively ready for).  When that 
>packet arrives, the 'shaper' immediately adjusts TX/RX rates to CONTINUE 
>to keep the pipe slightly underutilized.  This is why you need to know 
>your up/downstream speeds to configure your traffic shaper.  All of the 
>NON real-time stuff can be put 'in line'.  All of that lower-priority 
>stuff essentially must 'wait in line' to get IN or OUT, at that magic 
>rate JUST UNDER the maximum rate to keep the pipe CONSTANTLY SLIGHTLY 
>UNDERUTILIZED. Naturally VoIP packets gets to go to the front of the 
>line in inbound or outbound queue.
>
>That's pretty much it. The 'starve the pipe' business is why it's not as 
>simple as "Simply prioritizing Voip"
>
>PFSense makes it quite simple however.  Just measure your link speed at 
>something like speedtest.speakeasy.net.  Walk through the "traffic 
>shaper wizard" specifying that VoIP gets top priority, whether that's 
>the internal IP address (or alias) of your VoIP ATA, Asterisk server or 
>VoIP telephone.
>
>Good luck
>-Karl
>
>
>
>
>
>
>
>On 6/2/2011 4:03 PM, Adam Thompson wrote:
>> I’m trying to make sure VoIP has the best possible quality for a small
>> amount of effort.
>>
>> I still don’t understand QoS, even the wizard is baffling to me – for
>> whatever reason QoS is a layer my brain just doesn’t want to accept.
>>
>> What I’ve done in the past on other firewalls is a trivial “priority”
>> setting: without configuring any queues, buckets, shapers, etc., I would
>> simply create a rule matching SIP traffic (either by port, by
>> NBAR-ish/L7 application or by IP address) and set the “priority” to
>> “high”.  I really have no idea what that does under the hood, whether on
>> FortiNet, Cisco,  or PaloAlto.
>>
>> Is there anything that simple that I can do under pfSense?
>>
>> Thanks,
>>
>> -Adam Thompson
>>
>> athom...@athompso.net
>>
>

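What the two parts of the reply above ("starve the pipe", then "prioritize") look like in pf ALTQ terms, as an added example that is not from the thread and is not what the pfSense wizard emits verbatim. The interface names, the 1 Mb/s up / 10 Mb/s down figures and the ATA's address are assumptions. ALTQ only shapes what leaves an interface, which is why the download direction is shaped on the LAN interface; the 95% rates are the "starve the pipe" margin that keeps the deciding queue on the firewall rather than in the modem. priq is strict priority with no per-queue cap, so if the hosts feeding the VoIP queue are not trusted, use hfsc with an upperlimit on that queue instead.

```conf
# Added example (pf.conf ALTQ). Names, rates and addresses are assumptions.
ext_if   = "em0"           # WAN, measured upstream ~1000 Kb/s
int_if   = "em1"           # LAN, measured downstream ~10 Mb/s
voip_ata = "192.168.1.20"  # the ATA / phone / Asterisk box

# Part 1: shape to ~95% of the measured rate so our queue, not the ISP's
# buffer, decides what goes next.
altq on $ext_if priq bandwidth 950Kb queue { qVoIP, qDefault }
queue qVoIP    priority 7
queue qDefault priority 1 priq(default)

# Same thing toward the LAN: inbound shaping is done on the LAN interface's
# egress, since ALTQ cannot shape what arrives on WAN.
altq on $int_if priq bandwidth 9500Kb queue { qVoIPin, qDefaultin }
queue qVoIPin    priority 7
queue qDefaultin priority 1 priq(default)

# Part 2: SIP and RTP to/from the ATA go to the front of the line; everything
# else falls into the default queue on each interface.
pass out quick on $ext_if proto udp from $voip_ata queue qVoIP
pass out quick on $int_if proto udp to   $voip_ata queue qVoIPin
pass out on $ext_if
pass out on $int_if
```

Matching on the ATA's address rather than on SIP/RTP ports is deliberate: RTP ports are negotiated per call, and a fixed-address match catches them without a layer-7 classifier.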

[pfSense Support] naive prioritization of VoIP?

2011-06-02 Thread Adam Thompson
I’m trying to make sure VoIP has the best possible quality for a small amount 
of effort.

I still don’t understand QoS, even the wizard is baffling to me – for whatever 
reason QoS is a layer my brain just doesn’t want to accept.

What I’ve done in the past on other firewalls is a trivial “priority” setting: 
without configuring any queues, buckets, shapers, etc., I would simply create a 
rule matching SIP traffic (either by port, by NBAR-ish/L7 application or by IP 
address) and set the “priority” to “high”.  I really have no idea what that 
does under the hood, whether on FortiNet, Cisco,  or PaloAlto.

Is there anything that simple that I can do under pfSense?

Thanks,

-Adam Thompson

athom...@athompso.net



RE: [pfSense Support] DHCP Server with virtual IP (subnets)

2011-05-25 Thread Adam Thompson
> > DHCP server only supports the primary subnet, no way to do that
> > without hacking the source.
> Ok. I guess you mean through webConfigurator.
> If I modify /var/dhcpd/etc/dhcpd.conf, could achieve my goal? May I
> write a script and hook it with services_dhcp.php to do this?


I think you'd essentially have to overwrite dhcpd.conf every time config 
was regenerated from XML, since the current GUI management for DHCPd 
doesn't understand subnets.  Feel free to rewrite the DHCP configuration 
GUI instead ;-).  That's an ugly enough task that I just put DHCP on a 
separate server instead.  (I spent about 20 minutes looking at the source 
and decided I didn't feel like re-designing it from the ground up, 
especially when so many other things make assumptions about the way DHCP 
works now.)

Good luck,
-Adam Thompson
 athom...@athompso.net




-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org



Re: [pfSense Support] IPsec, Multi-WAN Session Setup Problems. (2.0 RC1)

2011-05-19 Thread Adam Thompson
I'm wondering if I'm seeing something closely-related: I also have a VIP (CARP) 
setup where IPSec will not work properly.  I never thought to examine the 
actual IPs that closely, though... I'll see if I can replicate the problem 
tomorrow.
-Adam


Joshua Schmidlkofer  wrote:

>Dear Support,
>
> I have multiple WANs at one site, and I have a few different
>places which I am connecting tunnels to.  It appears that creating new
>connections to the end points is a little unpredictable.
>
> I can't seem to control which interface the initial contact packets
>comes from.  I don't know how to explain this, but let's say I have
>two WAN connections.  I have named them CABLE and LEASED.
>
> Several tunnels work fine, but these last two have been completely
>out of control.  No matter what, in one case I am going down the wrong
>line.  According to IPsec policy this tunnel is configured for
>Interface "CABLE", and everything else set properly.   Site-A has two
>lines.  Site-B has only one.   Site-B can instantiate a successful VPN
>connection, Site-A cannot.  Site-A persistently, in this one tunnel's
>case, is using the wrong line.
>
> I cannot determine a good method for forcibly routing the traffic,
>and racoon doesn't seem to honor the source-interface configuration.
>Racoon is binding to the correct IP addresses.
>
> On the same topic, I was unable to successfully convince racoon to
>bind to a virtual IP as well.  I have been forced to use the Interface
>IPs.
>
> Advice, help, ideas?
>
>Sincerely,
> Joshua


RE: [pfSense Support] wrong default gateway set on reboot

2011-05-13 Thread Adam Thompson
> > In my case using the other gateway as a default route is of no use,
> > and even if the primary was not happy.  I don't see a way in the "Edit
> > gateway" page to disable the upstream check, though I suspect I could
> > put a local interface in the Alternative Monitor IP field.
>
> That is currently the expected behavior, but there is an open ticket to 
> fix
> that so it's optional.
> http://redmine.pfsense.org/issues/1520

In a quite similar situation, my "solution" is to use BGP to learn routes 
to the "other" network.  I just make sure I never learn a default route 
from the secondary network - if my primary GW goes down, I should retain 
connectivity to the other ~13,000 subnets, but I should lose my route to 
the commercial internet.  So far, I think it works... not sure when I last 
tested this, mind you.
-Adam Thompson
athom...@athompso.net




RE: [pfSense Support] 802.11n AP success?

2011-05-05 Thread Adam Thompson
> Has anyone had any success in setting up a wireless N AP? According to
> the 2.0-RC1 record of tests on wireless cards, only the Marvell 802.11n
> card works, but the only n card I could find of theirs is mini-PCIe.
> Does anyone have any success to report for other n cards, or any success
> in using the Marvell mini-PCIe card in a mini-PCIe-to-PCIe adapter (for
> use in a tower)?


AFAIK, mini-PCIe to regular PCIe adapters are OS-neutral, they appear as 
merely an additional PCIe bridge.  So barring physical constraints, or 
some REALLY obscure compatibility problem, any miniPCI/miniPCIe cards that 
work, will work just as well in a carrier card.

You would use something like this: 
http://www.hwtools.net/adapter/MP2A.html

-Adam




Re: [pfSense Support] Finding the mac of squid users

2011-05-03 Thread Adam Thompson
This is a frequently asked question both here and elsewhere, including 
squid-specific forums.

The question arises from an imperfect understanding of IP networking.  One of 
the cornerstones of IP is the decoupling of data-link and network layers.  
There is no inherent requirement in IP to even have a MAC address - that is a 
peculiarity of Ethernet (and several other network types).  The ARP protocol 
exists to *prevent* administrators from needing to know MAC addresses!

Any method for tying squid ACLs to MAC addresses relies on several 
unjustifiable assumptions.  One, that MAC addresses are fixed, unique 
identifiers.  They are not - it is trivial to change MAC addresses.  And two, 
that the squid server can know the client's MAC address.  This is only valid in 
the case of a single, unrouted Ethernet LAN.  As soon as an IP packet crosses a 
router, you lose the MAC data.  There are several scenarios where using a 
wireless network will produce untrustable MAC addresses.

Lastly, this concept attempts to directly couple the top and bottom layers of 
the OSI model.  The layers of the OSI model exist precisely so that the Data 
Link layer is fully independent from the Session layer.

The best solution is generally considered to be the use of proxy 
authentication, which ties rules to individual users - this is usually the goal 
anyway!

-Adam


"Shali K.R."  wrote:

>Dear all,
>
>I have a doubt: I am using pfSense with squid and squidGuard, and my
>different privilege configurations are based on IP address in squidGuard, but
>some of my users are changing their IPs and getting unauthorized access. Is there
>any method to trace the MAC IDs?
>-- 
>Thanks & Regards
>
>Shali K R
>Server Administrator
>Vidya Academy of Science & Technology
>Thrissur,Kerala.
>Mob:9846303531


[pfSense Support] GRE help needed

2011-04-20 Thread Adam Thompson
Trying to set up a GRE tunnel between two pfSense boxes (both running 2.0RC1).

FW “A” is a single pfSense box.

FW “B” is a pfSense HA cluster.

No NAT exists between their WAN interfaces; both have public IP addresses.

On “A”:

Interfaces→(assign)→GRE, create GRE tunnel with
  Parent: WAN
  Remote: B’s WAN VIP
  GRE local: 10.0.0.1
  GRE remote: 10.0.0.2/24

Interfaces→(assign)→Interface assignments,
  Created OPT1 on GRE

Interfaces→OPT1
  Type: static
  MAC/MTU/MSS: blank
  IP Address: 10.0.0.1/24
  Gateway: none
  Private network blocking: both OFF

Firewall→Rules→OPT1
  Create new allow-all rule for testing.

On “B”, almost the same thing except the Parent interface is WAN VIP and the 
GRE local/remote #s are reversed.  OPT1 is configured as 10.0.0.2/24.

With the GRE tunnel created but OPT1 not yet assigned an IP address, netstat(1) 
shows a local link route for 10.0.0.1 & 10.0.0.2.  After I create OPT1 and 
assign it an IP address, the route vanishes!

Am I doing something really obviously wrong here?

(I’m trying to use GRE so I can run a routing protocol; apparently OSPF and 
IPSec tunnels don’t really work together in pfSense.)

Thanks,

-Adam Thompson

athom...@athompso.net



[pfSense Support] LAGG across all interfaces?

2011-04-20 Thread Adam Thompson
How would one go about setting up LAGG (LACP, 802.3ad) across _all_ the 
interfaces on a pfSense box?  

It looks like I can’t get rid of the WAN interface, which would prevent me from 
assigning it to a LAG group.

What I want to do is take a dual-ethernet board and run all the interfaces on 
VLANs over LAGG so that I’m protected against cable faults, switchport faults, 
NIC failures, even switch failures if I ever stack these and do cross-stack 
LACP.

Yes, I’m using CARP to create a redundant pair of firewalls, but I’d like to 
maximize hardware redundancy as much as possible.

The other issue is that I’ll be creating more VLANs than I have ports; so if 
I’m using VLANs anyway, I figure I may as well go all the way.

I think what would be needed to make this practical is some way of setting up 
LAGG from the console, since in this particular scenario I would be setting the 
switch up for static LAG and .1Q tagging, so would not normally have any 
network connectivity until I configured pfSense to match.

-Adam Thompson

athom...@athompso.net



RE: [pfSense Support] IPSEC and static routes?

2011-04-19 Thread Adam Thompson
> > I know this has come up more than once in the past, but I can't find
> > it in the archives (i.e. can't figure out the right keywords).
[...]
> http://doc.pfsense.org/index.php/Why_can%27t_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN%3F

...I forgot to search the *website*.  Duh.

That needs some updating for 2.0; who maintains the website?  i.e. should 
I use redmine for submitting updated docs, or is there a better process?

-Adam Thompson
 athom...@athompso.net






[pfSense Support] IPSEC and static routes?

2011-04-19 Thread Adam Thompson
I know this has come up more than once in the past, but I can’t find it in the 
archives (i.e. can’t figure out the right keywords).

If my pfSense box is the endpoint of an IPSec tunnel, all the devices routing 
through it can reach the far side, but traffic originating from the pfSense box 
itself doesn’t get there.

I think I remember the solution being to add a static route on the pfSense box, 
but I can’t remember precisely what had to be added.  I also remember that 
doing so would cause an error message to be logged somewhere every time(?) a 
packet was sent through that route.

I want my pfSense IPSec tunnel endpoint to talk either OSPF or BGP to the Cisco 
ISR at the other end, as there are several hundred routes reachable through it 
and I don’t want to manually enter hundreds of phase-2 proposals on both ends!

This *is* possible, right?  I’m sure I remember doing something like this 
before…

Could someone please jog my memory on exactly what I need to add?

(BTW: running 2.0RC1, where that makes a difference)

-Adam Thompson

athom...@athompso.net


RE: [pfSense Support] Is anyone scraping pfsense pages in 2.0?

2011-04-15 Thread Adam Thompson
Yes, this has been discussed here recently (check the archives).
cURL will work properly as long as you do a few things:
1. send the POST variables to the login form first,
2. track cookies across multiple cURL calls. 

The alternative that occurs to me is to use snmpbulkget(1) instead, after
installing the SNMPd package for pfSense.
-Adam Thompson
 athom...@athompso.net

[Yes, I know I top-posted.  Trying to figure out how to turn that off in
Outlook right now...]


-Original Message-
From: John Busch [mailto:jbusch...@gmail.com] 
Sent: Friday, April 15, 2011 10:13
To: support@pfsense.com
Subject: [pfSense Support] Is anyone scraping pfsense pages in 2.0?

List,

I upgraded from 1.2.3. to 2.0 yesterday on my home pfsense gateway.

Under 1.2.3, I used a homebrew cURL PHP script on a linux host to scrape
diag_arp.php for pfsense's ARP table in order to help me determine active
hosts on my network.

2.0's user authentication is different than 1.2.3.  My method of using
CURLOPT_HTTPAUTH to authenticate with pfsense no longer works, since
2.0 uses a web form method of authentication.

I am looking at using cURL POST methods to authenticate with the web form.
However, before I spend the time working this method, it looks like after
authentication my cURL script will get redirected to index.php (the
dashboard) instead of diag_arp.php.  Has anyone run into this problem, or am
I incorrect in my assumption?

Do you have any suggestions/methods I could use to automate access to
pfsense 2.0's ARP table?

Thanks much, have a good one, John







[pfSense Support] excessive CPU utilization when saving changes to Squid config pages

2011-03-31 Thread Adam Thompson
Running “2.0-RC1 (i386) built on Sun Mar 20 02:20:38 EDT 2011”.

When I make any change to the squid configuration (via Services->Proxy Server) 
and click Save, it takes my firewall about five minutes to do …something.  
Something that involves the php process pinned (75%+ util. according to top, in 
“CPU0” state) the whole time, and nothing much else happening on the system.

The system is an IBM x220 with dual 1.2GHz P-III, 512Mb RAM, two interfaces 
active (fxp0, em0), two inactive (xl0, em1).

I don’t see any similar issues in redmine; I have encountered this before on 
more than one pfSense install, but this is the first time it’s taking _this_ 
long – typical is about 60-120 seconds of CPU processing while doing apparently 
nothing.

Thoughts?  Any way to debug what php is doing that takes so long?

Thanks,

-Adam Thompson

athom...@athompso.net


RE: [pfSense Support] www.pfsense.org down?

2011-03-29 Thread Adam Thompson
> -Original Message-
> From: Fuchs, Martin [mailto:martin.fu...@trendchiller.com]
> Sent: Tuesday, March 29, 2011 09:30
> To: support@pfsense.com
> Subject: AW: [pfSense Support] www.pfsense.org down?
>
> > FWIW, I used to sell a lot of HP ProCurve gear; the only switches of
> > theirs I ever had to return were 1800-series switches (and _one_ 2524,
> > IIRC).  A very small proportion, to be sure, effectively zero warranty
> > service rate compared to Cisco, but relatively speaking... I suspect
> > it has to do with the fanless design being slightly less robust -
> > IMHO, anyway.
>
> 1800 or 1810?
>
> We never had any problems with 1800 and 1810 until now... both as
> 24G models...
> And we have a lot of them...



Umm, I'm not sure - I recall we were selling the brand-new (some models 
were fanless) 1GbE "web-smart" switch (no CLI), in 2006.  So whichever one 
that was...  I think I remember they came in odd sizes, including a 16- or 
18-port version, not sure if my memory is accurate there or not.  It's 
quite possible we just had issues with some of the first manufacturing 
batches, as these switches had just been introduced.

And of course, a "high" failure rate for ProCurve switches still 
translates to WAY more reliable than most other brands!  I can't think of 
a single Cisco-using customer who hasn't had several port failures, but I 
can think of several 15- to 20-year HP users who have never had a port, or 
module, or switch fail.  Linksys switches seem to be average, NetGear 
switches seem to be slightly better than average.  I think if a 
manufacturer is willing to provide a lifetime warranty, that tells you 
it's made fairly well.

-Adam







RE: [pfSense Support] www.pfsense.org down?

2011-03-26 Thread Adam Thompson
> The one that failed is a 1800-24G, cheapest managed 24 port gig switch
> they make. I bought a E2510G-24 to replace it, will use the 1800-24G
> replacement somewhere less critical. Though I know our customers have
> at least 10 of those in production networks and this is the first one
> I've heard of failing, I feel better with the enterprise-class switch
> in the datacenter.

FWIW, I used to sell a lot of HP ProCurve gear; the only switches of 
theirs I ever had to return were 1800-series switches (and _one_ 2524, 
IIRC).  A very small proportion, to be sure, effectively zero warranty 
service rate compared to Cisco, but relatively speaking... I suspect it 
has to do with the fanless design being slightly less robust - IMHO, 
anyway.
-Adam







RE: [pfSense Support] www.pfsense.org down?

2011-03-26 Thread Adam Thompson
> Was earlier, switch flaked out. Go figure we replace an ancient
> Cat2924 which are ticking timebombs to fail with a brand new HP
> managed gigabit switch and it flakes out within a month..


I'd really like to know, was this one of the old ProCurve models, or one 
of the old 3Com/H3C models?

Thanks,
-Adam







RE: [pfSense Support] RE: Release all unused DHCP leases.

2011-03-23 Thread Adam Thompson
Offline leases in the pfSense interface are, I believe, merely a visual guide 
to show you who last got that IP address.  The “offline” part is what I’m not 
100% sure about – if it just means the expiry date is past, or if the lease has 
been released, or if the device isn’t responding to ARP… dunno about that part.

-Adam

From: Atkins, Dwane P [mailto:atki...@uthscsa.edu] 
Sent: Wednesday, March 23, 2011 13:14
To: 'support@pfsense.com'
Subject: RE: [pfSense Support] RE: Release all unused DHCP leases.

So is there no way to edit and get rid of all offline leases that have not 
reached their max lease time?

Thank you,

Dwane

From: Adam Thompson [mailto:athom...@athompso.net] 
Sent: Wednesday, March 23, 2011 12:47 PM
To: support@pfsense.com
Subject: RE: [pfSense Support] RE: Release all unused DHCP leases.

Could you explain, please, what you mean by ‘release all unused DHCP addresses’? 
Once you’ve changed DHCP server parameters, nothing actually changes until the 
client next renews its lease, so what I think you’re after… is an automatic 
process that takes up to 2*previous-max-lease-time.  You could reboot every 
single DHCP client, which, barring broken DHCP client implementations (Win95, 
notably), should accomplish your goal.

-Adam

From: Atkins, Dwane P [mailto:atki...@uthscsa.edu] 
Sent: Wednesday, March 23, 2011 11:27
To: 'support@pfsense.com'
Subject: [pfSense Support] RE: Release all unused DHCP leases.

Can I do this by restarting the DHCP services? I have lowered the default and 
maximum lease times.  Any ideas?

From: Atkins, Dwane P [mailto:atki...@uthscsa.edu] 
Sent: Wednesday, March 23, 2011 11:22 AM
To: 'support@pfsense.com'
Subject: [pfSense Support] Release all unused DHCP leases.

Is there a way to release all unused DHCP addresses without a reboot?



RE: [pfSense Support] RE: Release all unused DHCP leases.

2011-03-23 Thread Adam Thompson
Could you explain, please, what you mean by ‘release all unused DHCP addresses’? 
Once you’ve changed DHCP server parameters, nothing actually changes until the 
client next renews its lease, so what I think you’re after… is an automatic 
process that takes up to 2*previous-max-lease-time.  You could reboot every 
single DHCP client, which, barring broken DHCP client implementations (Win95, 
notably), should accomplish your goal.

-Adam

From: Atkins, Dwane P [mailto:atki...@uthscsa.edu] 
Sent: Wednesday, March 23, 2011 11:27
To: 'support@pfsense.com'
Subject: [pfSense Support] RE: Release all unused DHCP leases.

Can I do this by restarting the DHCP services? I have lowered the default and 
maximum lease times.  Any ideas?

From: Atkins, Dwane P [mailto:atki...@uthscsa.edu] 
Sent: Wednesday, March 23, 2011 11:22 AM
To: 'support@pfsense.com'
Subject: [pfSense Support] Release all unused DHCP leases.

Is there a way to release all unused DHCP addresses without a reboot?



RE: [pfSense Support] can't block https://facebook.com via firefox

2011-03-23 Thread Adam Thompson
> The way those in general work (not sure on Fortigate specifically)
> is they MITM HTTPS as a proxy, you have to install a certificate
> on all the clients that it uses so they trust the forged certs
> it provides to the internal clients. There are two HTTPS
> connections, one from client to the firewall, one from the
> firewall to the actual site. No open source equivalent that
> I've seen or heard of.

Aye, there's the rub: you *don't* have to install certs on the clients, at 
least with Fortigates.  The last time I tried to use the feature, it 
didn't work very well, but that's like the dancing bear - the amazing 
thing isn't that it dances *well*...

Anyway, getting OT and I don't need to start ranting about Fortinet again.

-Adam







RE: [pfSense Support] can't block https://facebook.com via firefox

2011-03-22 Thread Adam Thompson
> From: James Bensley [mailto:jwbens...@gmail.com]
> Sent: Tuesday, March 22, 2011 13:36
> To: support@pfsense.com
> Subject: Re: [pfSense Support] can't block https://facebook.com via
> firefox
>
> I don't believe you can filter https traffic can you?
> I know squid wont cache it, it can't, its encrypted! Obviously the
> URL isn't encrypted but the content is so maybe you can filter
> it but I'm not sure, I don't think HAVP supports scanning https
> content either.


The URL is encrypted.  The only information you have at the pf level is IP 
address and port.  The HTTP GET request is only transmitted after SSL/TLS 
channel setup.
It is possible to determine what the CN is of the certificate at that IP 
address - either in an out-of-band process or by snooping on the TLS 
exchange - but AFAIK pfSense doesn't provide any way to do that.
Some commercial firewalls (Fortigate, most notably) claim to filter HTTPS, 
I'm still a bit unclear on how they manage to break SSL that thoroughly 
even with what amounts to a MitM attack...

-Adam
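The reply above says a packet filter sees only IP address and port, and that the site behind an HTTPS connection can be learned by snooping the TLS exchange. The added example below (written for this thread, not code from the list or from pfSense) goes one step further than the certificate CN the reply mentions: it parses the server_name (SNI) extension out of a TLS ClientHello, the one plaintext hostname field a filtering device can read before any encrypted HTTP request, and applies a domain block-list to it. The ClientHello builder, the host names and the block list are constructed test data; the URL path stays invisible, exactly as the reply says.

```python
import struct

# TLS record / handshake constants (RFC 5246, RFC 6066)
CONTENT_TYPE_HANDSHAKE = 0x16
HANDSHAKE_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
EXT_SIGNATURE_ALGORITHMS = 0x000d
SNI_TYPE_HOST_NAME = 0x00


def build_client_hello(host, with_sni=True):
    """Build a minimal TLS 1.2 ClientHello record as constructed test input.
    Random, session id and cipher suites are placeholders; only the field
    layout matters for the parser below."""
    extensions = b""
    if with_sni:
        name = host.encode("idna")
        # ServerNameList with a single host_name entry
        entry = struct.pack("!BH", SNI_TYPE_HOST_NAME, len(name)) + name
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    # an unrelated extension, so the parser has to skip over it
    sig_algs = b"\x04\x01\x05\x01"
    extensions += (struct.pack("!HH", EXT_SIGNATURE_ALGORITHMS, len(sig_algs) + 2)
                   + struct.pack("!H", len(sig_algs)) + sig_algs)
    body = (b"\x03\x03" + b"\x11" * 32                    # client_version, random
            + b"\x00"                                     # empty session_id
            + struct.pack("!H", 4) + b"\xc0\x2f\x00\x9c"  # two cipher suites
            + b"\x01\x00"                                 # compression: null only
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = (struct.pack("!B", HANDSHAKE_CLIENT_HELLO)
                 + len(body).to_bytes(3, "big") + body)
    return struct.pack("!BHH", CONTENT_TYPE_HANDSHAKE, 0x0303, len(handshake)) + handshake


def extract_sni(data):
    """Return the host_name carried in the server_name extension of a TLS
    ClientHello record, or None when the bytes are not a ClientHello, the
    extension is absent, or a length field runs past the data.  Every offset
    is bounds-checked so truncated or hostile input yields None, never an
    exception."""
    if len(data) < 5 or data[0] != CONTENT_TYPE_HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != HANDSHAKE_CLIENT_HELLO:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        return None                              # truncated handshake
    try:
        pos = 2 + 32                             # skip client_version, random
        pos += 1 + body[pos]                     # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                     # compression_methods
        if pos + 2 > len(body):
            return None                          # no extensions block at all
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        if end > len(body):
            return None
        while pos + 4 <= end:
            ext_type, elen = struct.unpack("!HH", body[pos:pos + 4])
            ext = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if ext_type != EXT_SERVER_NAME or len(ext) != elen or elen < 2:
                continue
            list_len = struct.unpack("!H", ext[:2])[0]
            names, p = ext[2:2 + list_len], 0
            while p + 3 <= len(names):
                ntype, nlen = struct.unpack("!BH", names[p:p + 3])
                name = names[p + 3:p + 3 + nlen]
                p += 3 + nlen
                if ntype == SNI_TYPE_HOST_NAME and len(name) == nlen:
                    return name.decode("idna")
    except (IndexError, struct.error):
        return None
    return None


def hostname_blocked(data, blocklist):
    """Policy check a filtering device could apply to the first packet of an
    HTTPS connection: block when the SNI name is a listed domain or a
    subdomain of one.  With no readable name, only IP/port policy remains."""
    name = extract_sni(data)
    if name is None:
        return False
    return any(name == d or name.endswith("." + d) for d in blocklist)
```

Because the name comes from the client and is not authenticated, a client that omits SNI or sends a misleading one falls back to IP/port policy; the parser only reports what is on the wire.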







RE: [pfSense Support] Problem with pfSense and curl

2011-03-20 Thread Adam Thompson
I don't doubt that Seth _has_ had success using one technique and not 
another, but I would also like to know what kind of "state" he's talking 
about.
Using the curl functions from inside PHP _should_ be equivalent to 
invoking curl(1) from the command-line.  There may be some difference in 
default options, or perhaps the web UI tracks HTTP REFERER values...?

I'm afraid I don't know much about the m0n0wall GUI.

-Adam


> -Original Message-
> From: Jostein Elvaker Haande [mailto:jehaa...@gmail.com]
> Sent: Sunday, March 20, 2011 16:02
> To: support@pfsense.com
> Subject: Re: [pfSense Support] Problem with pfSense and curl
>
> On 20 March 2011 21:50, Seth Mos  wrote:
> > I use curl from within PHP with cookies and can successfully login
> > to the ui with that. You need something that keeps state and
> > cookies won't do.
>
> Now this might be a lack of knowledge from my side, but here goes:
> HTTP in itself is a stateless protocol, and as such, to keep states
> across a session one needed to implement something to keep track of
> this state. And et voilà came the introduction of cookies, to store
> session information.
>
> But from what you just said, you say that isn't the case, and to be
> quite honest that confuses me. So if curl with cookies can't keep this
> state information, what can (and why can curl within PHP do this, and
> not curl from the command line?).
>
> --
> Yours sincerely Jostein Elvaker Haande
> "A free society is a place where it is safe to be unpopular"
> - Adlai Stevenson
>
> http://tolecnal.net -- tolecnal at tolecnal dot net
>







RE: [pfSense Support] RE: DHCP server settings

2011-03-15 Thread Adam Thompson
Yes.  Many clients will automatically ask for longer lease times than your 
default.

-Adam

From: Atkins, Dwane P [mailto:atki...@uthscsa.edu] 
Sent: Tuesday, March 15, 2011 10:36
To: 'support@pfsense.com'
Subject: [pfSense Support] RE: DHCP server settings

I am not trying to spam mail, but should we set the maximum lease time as well? 
It is currently at default.

Dwane

From: Atkins, Dwane P [mailto:atki...@uthscsa.edu] 
Sent: Tuesday, March 15, 2011 10:34 AM
To: 'support@pfsense.com'
Subject: [pfSense Support] DHCP server settings

We recently lowered our DHCP lease time to the default of 2 hours. 

After a couple of hours, I was checking the DHCP leases and see some that have a 
difference of 2 hours from the Start and End time.  However, there are some 
that have a 24 hour difference.  Is there a way to completely clear out the 
DHCP lease time and restart the DHCP server?  These leases started almost 3 
hours after I had modified the default lease time.

Thanks

Dwane


RE: [pfSense Support] DHCP server settings

2011-03-15 Thread Adam Thompson
If you had your DHCP lease times set to 24hrs, lowering them will take a 
minimum of 12hrs (0.5 * lease time) to take effect, and many DHCP clients are 
slightly broken and will take a full (lease time) to renew.  Not to mention any 
of the really broken clients which don’t honour changes to the DHCP lease as long 
as they keep getting DHCPACKs – it sounds like this might be what you’re 
experiencing.  The only solution is – usually – to reboot the device.  If you 
have Win95/98 clients, you may have to use regedit to make them forget their old 
lease.

-Adam Thompson

athom...@athompso.net

From: Atkins, Dwane P [mailto:atki...@uthscsa.edu] 
Sent: Tuesday, March 15, 2011 10:34
To: 'support@pfsense.com'
Subject: [pfSense Support] DHCP server settings

We recently lowered our DHCP lease time to the default of 2 hours. 

After a couple of hours, I was checking the DHCP leases and see some that have a 
difference of 2 hours from the Start and End time.  However, there are some 
that have a 24 hour difference.  Is there a way to completely clear out the 
DHCP lease time and restart the DHCP server?  These leases started almost 3 
hours after I had modified the default lease time.

Thanks

Dwane


RE: [pfSense Support] Advice?

2011-01-04 Thread Adam Thompson
> Subject: [pfSense Support] Advice?
[...]
> and one for my WLAN. I have an HP proliant DL380 (2 dual core XEONS
> 2.8 with 2.5 gb RAM) sitting around and I am planning to have 5
> SCSI drives in RAID5, the 2 embedded NICs (LAN and WLAN) plus
> another NIC in a PCI slot (WAN). The number of clients on the LAN
> is between 150-190 and on the WLAN 600-800. Attached on the WLAN
> side I will have about 15 access points. The access points now are
> different brands.
> Couple of questions: Would this setup be sufficient?
> And does anyone know a way to manage the access points, not
> necessarily though the pfsense but maybe a software or hardware
> solution? Changing the access points is also part of the plan,
> Aerohive, Motorola or Meru Networks...not sure yet.

Whether that platform is sufficient or not depends on the packet rate, 
packet size, bandwidth used (which is just packet rate * packet size), # 
of firewall rules, simultaneous NAT sessions, etc., etc., etc.

That said, it'll be pretty hard to find a routing platform *better* than 
what you have without spending $70k+ for a high-end Cisco 7600 series. 
Some dedicated routers have ASICs that provide hardware acceleration of 
routing functions; I believe Cisco has this in the 3600 series (or 
whatever has replaced it by now).

I have a Dell PowerEdge 1650, dual PIII (Xeon-class) @ 1.2GHz that can 
almost do wire-speed gigabit between two subnets; the limiting factor 
appears to be overhead and latency, not raw cpu cycles.  Oh, and it's 
running a BGP feed at the same time.  I don't think I've ever seen the 
aggregate CPU usage climb above 20%.

RAM won't be much of an issue unless you're running every single service 
available for pfSense.

I haven't stress-tested NAT functionality, so I can't offer any concrete 
data on that.

I have some limited experience with the Symbol-cum-Motorola wireless 
controller architecture in small deployments (~6 APs), and while I won't 
say the manageability is great, the overall system is quite good: a 
*reasonable* mix of performance, management capability, support, and 
price.

Some people I know who have used Meru equipment have had co-existence 
issues - specifically, the Meru equipment tends to obliterate any other 
WLANs being used in the geographic and/or spectral vicinity.  I don't know 
if this is still a problem for them.  OTOH, Meru networks tend to be 
faster than usual; I remember reading somewhere that these two aspects 
were directly linked.

-Adam Thompson
 athom...@athompso.net







RE: [pfSense Support] IPsec traffic from pfsense not passed?

2010-12-30 Thread Adam Thompson
> > Am I missing something obvious?
>
> http://doc.pfsense.org/index.php/Why_can't_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN%3F

OK, it was pretty obvious :-)

Does OpenVPN have any similar issues?  If not, this might be a reason to 
finally switch...

-Adam







[pfSense Support] IPsec traffic from pfsense not passed?

2010-12-30 Thread Adam Thompson
I’m using IPSec to connect two pfSense (2.0B5) boxes together.

Traffic to and from the connected subnets works perfectly.

Neither pfsense box can communicate directly with the remote subnet, however 
– and this is now a problem as I need to allow both squid and dnsmasq (on my 
local box) to communicate with the remote firewall and servers behind it.

Am I missing something obvious?

I assumed IPSec was set up correctly since every host *behind* the pfSense 
boxen works fine…

Thanks,

-Adam Thompson

athom...@athompso.net


RE: [pfSense Support] IPSec VPN Question

2010-12-05 Thread Adam Thompson
 handle the equal-cost paths so 
the kernel doesn't go insane... like OSPF or BGP.


As I said, there are some over-generalizations here (and probably some 
mistakes too), but I hope that helped.

-Adam Thompson
 athom...@athompso.net



> -Original Message-
> From: Chris Buechler [mailto:cbuech...@gmail.com]
> Sent: Sunday, December 05, 2010 22:58
> To: support@pfsense.com
> Subject: Re: [pfSense Support] IPSec VPN Question
>
> On Sun, Dec 5, 2010 at 6:22 PM, Alex Threlfall wrote:
> > Hi All,
> >
> > Doing some testing here, and this might not be the best place to ask
> > but thought I'd start off here!
> >
> > I'm running a pair of pfSense 2.0 Beta 4 LiveCD's back to back with
> > a pair of WAN connections between them via x-over cat5's. Fairly normal
> > hardware, HP DL360 G3's with a Dual Port Intel FXP Card (onboard BGE is lan)
> >
> > I'm trying to prove that I can run two IPSec VPN's between the
> > boxes, to provide some fault tolerance, however I can only get the VPN's to
> > link up on the WAN interface, despite specifying on both boxes that the
> > second VPN should be on OPT1 (or WAN1 which I've named it).
> >
>
> You can't do that with tunnel mode. Either use transport mode + GRE or
> gif + OSPF or BGP, or OpenVPN + OSPF or BGP.
>







RE: [pfSense Support] how to manage 2 subnets for LAN ?

2010-11-18 Thread Adam Thompson
I think the OP was referring to running two subnets concurrently on the 
same wire, something I often have to do for various reasons, sometimes to 
solve co-existence issues while renumbering a network.  I have no idea how 
to accomplish this in pfSense; apparently I haven't had to do this since I 
started using pfSense!

(An example is when I have a server subnet that's too small - either it 
was undersized to begin with or it grew beyond expectations - and I can't 
widen the subnet mask because I've already used the subnets above and 
below it elsewhere, so I have to at that point run two subnets 
concurrently on the same VLAN until I can get rid of all the old 
addresses.)

-Adam


> -Original Message-
> From: David Burgess [mailto:apt@gmail.com]
> Sent: Thursday, November 18, 2010 13:56
> To: support@pfsense.com
> Subject: Re: [pfSense Support] how to manage 2 subnets for LAN ?
>
> On Thu, Nov 18, 2010 at 12:39 PM, Fred Boiteux wrote:
>
> > The different LAN subnets' traffic isn't VLAN tagged, and all traffic
> > comes from one Ethernet port (from the nearest antenna), so I don't
> > understand how VLAN could be used there?
>
> Most carrier-grade radios support tagging packets from the management
> interface, so client traffic comes through untagged and management
> happens on the management vlan.
>
> db
>







RE: [pfSense Support] IPMI under pfSense 2.0?

2010-11-11 Thread Adam Thompson
Thank you for the suggestion, but none of those packages work as-is.

The “simplest” solution would appear to be: include ipmi(4) in the kernel… I’m 
quite familiar with OpenBSD, but not so much with FreeBSD – and definitely not 
familiar enough with it to want to attempt recompiling my own kernel and 
transplanting it!

So… what’re the odds of getting ipmi(4) included in the 2.0 kernel?

(ipmitool talks to ipmi(4); the other two pkgs do it their own way – I think – 
but have binary dependencies that are a bit daunting on an ‘embedded’ platform)

Thanks, 

-Adam

From: kohenk...@gmail.com [mailto:kohenk...@gmail.com] On Behalf Of Moshe Katz
Sent: Wednesday, November 10, 2010 18:47
To: support@pfsense.com
Subject: Re: [pfSense Support] IPMI under pfSense 2.0?

You can try using pkg_add to install one of these: 
http://www.freebsd.org/cgi/ports.cgi?query=ipmi&stype=all&sektion=sysutils

Moshe

--
Moshe Katz
-- mo...@ymkatz.net
-- +1(301)867-3732

On Wed, Nov 10, 2010 at 7:21 PM, athom...@athompso.net wrote:

Is there any way to connect to onboard BMCs through IPMI under pfSense
2.0? I've got a Dell PowerEdge 1650 with an intermittently failing fan (I
think), and I'd like to confirm which fan it is (or even that the problem
is, in fact, a fan) before I take it down and crack it open. I don't have a
redundant firewall sitting there to pick up the slack so downtime is bad...

I believe several IPMI packages have been ported to FreeBSD, but I don't
see any trace of any of them at the command-line.

Suggestions?

Thanks,
-Adam


RE: [pfSense Support] Swap

2010-11-10 Thread Adam Thompson
Ah, I had interpreted it as he installed a box without swap and was now 
trying to add it.

He's talking about zeroing-out a partition, though, so adding another swap 
line to fstab should still be a viable option even if there already is a 
swap partition listed there.

Info for all: You can have many swap partitions/files.  FreeBSD attempts 
to balance swap usage across them on the assumption that will increase 
performance - typically only valid if multiple swap partitions are located 
on multiple disks.  If you put multiple swap partitions on a single disk, 
performance should suffer very slightly.  OTOH, if you're running out of 
swap, performance probably suffers not-so-slightly in the first place!

-Adam

> -Original Message-
> From: st41ker [mailto:st41...@st41ker.net]
> Sent: Wednesday, November 10, 2010 12:07
> To: support@pfsense.com
> Subject: Re: [pfSense Support] Swap
>
> If I understood correctly James tried to expand existing swap and
> somehow he can not do it by merging existing and new partitions.
>
> On 10.11.2010 19:47, Adam Thompson wrote:
> > Why not just add the necessary line to /etc/fstab, and let the
> boot-time
> > rc scripts mount it like usual?






RE: [pfSense Support] Swap

2010-11-10 Thread Adam Thompson
Why not just add the necessary line to /etc/fstab, and let the boot-time 
rc scripts mount it like usual?
(Note: I _am_ running 2.0, this might be a useless suggestion under 1.x, I 
don't know.)

The discussion of adding swap in the FreeBSD docs mentioned only covers 
adding auxiliary swap *files*, not swap partitions.

The shortest and clearest example I can find of adding swap to fstab(5) is 
at http://www.freebsd.org/doc/handbook/swap-encrypting.html or possibly 
http://www.freebsd.org/doc/handbook/geom-glabel.html, both of which 
contain extraneous detail - the Handbook assumes sysinstall(8) prepared 
swap space and adjusted /etc/fstab for you during install.  You should be 
able to compare-and-contrast based on those two examples, though.

AFAIK this isn't something pfSense/m0n0wall does differently than 
FreeBSD... the weirdness starts quite a bit later in the boot process.

(I'm curious - why do you need/want more swap on a firewall?)

-Adam


> -Original Message-
> From: st41ker [mailto:st41...@st41ker.net]
> Sent: Wednesday, November 10, 2010 11:25
> To: support@pfsense.com
> Subject: Re: [pfSense Support] Swap
>
> Hello again,
>
> Little fix: just add the '/sbin' path to the binary to make sure that the
> init subsystem will run it:
>
> echo "/sbin/swapon /dev/ad1s1" > /usr/local/etc/rc.d/startup.sh ; chmod +x /usr/local/etc/rc.d/startup.sh; reboot
>
> On 10.11.2010 18:20, st41ker wrote:
> > Hello,
> >
> > echo "swapon /dev/ad1s1" > /usr/local/etc/rc.d/startup.sh ; chmod +x /usr/local/etc/rc.d/startup.sh; reboot
> >
> > On 10.11.2010 13:30, James Bensley wrote:
> >> Hey Listee's
> >>
> >> I am trying to add a swap drive to my pfSense box but I'm
> failing to
> >> keep it after a reboot.
> >>
> >> I zero out a spare 512MB partition with dd and chmod'd it as per
> the
> >> this freeBSD doc [0] but then I get stuck. /etc/rc.conf doesn't
> exist?
> >> I can execute 'swapon /dev/ad1s1' and then under swapinfo my new
> swap
> >> drive appears, also in the web interface it shows on the front
> page.
> >> As soon as I reboot it is no longer there and I have to execute
> >> 'swapon' again.
> >>
> >> So how to I complete this process under pfSense?
> >>
> >>
> >> [0] http://www.freebsd.org/doc/handbook/adding-swap-space.html







[pfSense Support] Bug #958 - still broken for me

2010-11-07 Thread Adam Thompson
Ermal/Jim/Chris,

Please note that bug #958 is still an issue for me, it does _not_ appear 
to be resolved according to my testing.  (Sorry to say...)

http://redmine.pfsense.org/issues/958

Thanks,
-Adam







Re: Re: [pfSense Support] Assign custom Gateway

2010-11-05 Thread Adam Thompson
On Fri, 2010-11-05 at 22:35 +0100, Seth Mos wrote: 
> Sorry, no, that is currently not possible. I doubt there is much
> demand for this feature.


I would also suspect there's very little demand for this feature, but on
the other hand, it's a fairly simple thing to add if Ryan wants to try
patching it himself.

I've made local modifications to the OpenBGPD config UI, which is a bit
easier because everything's isolated in the package, but I believe this
would consist of adding one extra config field to the page visible at
http://whatever/services_dhcp_edit.php?if=lan&id=0, and then adding the
code to handle writing out an optional gateway directive when
write_config (?) is called.

So a little bit of XML editing and a little bit of PHP coding.  Most of
which can be based on similar optional-value fields already existing
(like IP Address itself, which is apparently optional).

I just can't _find_ the XML and PHP code in question right now...

(And yes, I know, I should post a patch for the OpenBGPD mods I did - I
will, Real Soon Now.)

-Adam Thompson
athom...@c3a.ca








[pfSense Support] *bump* Re: [pfSense Support] WAN reply-to under 2.0?

2010-10-28 Thread Adam Thompson
*bump*

Ermal, this still doesn't work for me.

How should I setup the rule?

(I need to force all inbound-NAT'd connections to reply via the NAT
session, *not* via the system routing table.)


On Tue, 2010-10-19 at 21:43 +0100, Ermal Luçi wrote: 
> On Tue, Oct 19, 2010 at 9:28 PM, Adam Thompson  wrote:
> > Repeat of the earlier problem under 1.x, I remember Chris saying this
> > would be do-able under 2.0 but it still doesn't work for me.  Most
> > likely I've forgotten the magic trick required... or I just don't
> > understand how WAN reply-to has to be configured under 2.0.
> >
> > (FYI, Chris' original reply was under the subject "Re: 1:1 multi-homed
> > NAT broken?" at 19:10 July 14 2010.)
> >
> > To recap the scenario:
> >
> > SBS (yeah, three guesses...)  sits on em0 at 192.168.232.201.
> > em2 is outbound to MRNet, BGP feed with ~13K routes (*not* including
> > 0.0.0.0/0).
> > em3 is outbound to TeraGo, default route.
> >
> > CARP VIP configured on em3 for 67.226.137.178.
> > 1:1 NAT configured to map 192.168.232.201 to 67.226.137.178.
> > Firewall rule allowing inbound TCP port 25 to 192.168.232.201.
> >
> > Inbound mail works for any sender NOT reachable via em2 but breaks for
> > any senders reachable via em2.
> >
> > Example:
> > Remote host "R" (130.179.31.46) trying to send me mail.  Attempts TCP
> > connection to port 25 @ 67.226.137.178.
> > Pfsense receives packet, translates to 192.168.232.201, forwards to SBS.
> > SBS replies to packet, so far so good.
> > Pfsense receives reply packet and sends it out em2 with the 1:1 NAT
> > address, which promptly gets blackholed by the next-hop router.
> >
> > I've tried adding a policy rule (first rule on em0) that applies to TCP
> > packets from SBS with a source port of 25, forcing the packet out via
> > TeragoGW (i.e. via em3), but that doesn't work - I suspect because PF is
> > already treating this as an "established" connection.
> >
> > Then I tried adding a Gateway to the original allow-inbound-smtp rule,
> > which produced an error message:
> > [[
> > There were error(s) loading the rules: /tmp/rules.debug:170: direction
> > must be explicit with rules that specify routing pfctl: Syntax error in
> > config file: pf rules not loaded - The line in question reads [170]:
> > pass  $GWTeraGOGW  proto tcp  from any to   $SBS port 25  flags S/SA
> > keep state  label "USER_RULE: inbound SMTP to Exchange"
> > ]]
> >
> > I've been experimenting with various combinations of in/out and gateway
> > settings, but all I've succeeded in doing so far is breaking ALL smtp
> > connections...
> >
> > Can anyone explain how I use this new feature in 2.0?
> >
> There is nothing more to do regarding configuration but
> just wait for a snapshot build to finish and upgrade to it.
> 
> I fixed it just today because of it having some small issue remaining.
> That new snapshot should work with your setup without glitches.
> 
> > Thanks,
> > -Adam Thompson
> > athom...@c3a.ca
> > (204) 291-7950
> -- 
> Ermal


Re: Re: [pfSense Support] networked file systems

2010-10-27 Thread Adam Thompson
On Wed, 2010-10-27 at 16:08 -0600, David Burgess wrote: 
> I don't plan to access it other than from pfsense. I'm moving it
> external simply because I'm a lot more comfortable handling my SSD
> from Linux that I would be from pfsense. I'm referring specifically to
> TRIM support, IO schedulers and partition alignment. TRIM, I'm pretty
> sure, is not present in pfsense (not sure about FreeBSD). I know
> nothing at all about IO schedulers in FreeBSD. I've done some research
> on partition alignment using fdisk and disklabel, and although it
> appears doable, I'm left not knowing if I've actually done it right in
> pfsense. All these are non-issues for me in Linux.

If you want to take advantage of Linux' TRIM support, you should be
using NFS.  TRIM support (AFAIK) requires underlying knowledge of the
filesystem or at least the block allocation... iSCSI hides all of those
details, as it merely exposes one large chunk of disk blocks to the
client.

-Adam Thompson
athom...@c3a.ca


[pfSense Support] OpenVPN multi-wan in 2.0 - local port re-use?

2010-10-24 Thread Adam Thompson
Using 2.0 from a few days ago…

In the OpenVPN setup, I can (must) choose which interface each OpenVPN server 
is listening on.  I must also choose a local port number to bind to.

 

If I’m binding a specific port to a specific interface, why can’t I reuse the 
same port# on another interface?

(I tried, the gui complains that the local port is already in use.  Which is 
true, but – I think – shouldn’t matter if it’s bound to specific interfaces.)

 

Thanks,

-Adam Thompson

athom...@c3a.ca

(204) 291-7950

 



[pfSense Support] Win7 PPTP MTU/MSS problem with 2.0?

2010-10-20 Thread Adam Thompson
Trying to use PPTP from Win7 client on 2.0 system (running last night’s build). 
 Without much luck.

 

1)  No matter what I do, I can’t establish a connection to the secondary 
WAN interface (this worked in 1.x)

2)  There seems to be an MTU/MSS problem, Win7 client believes max MSS is 
1372 but any packets with payload larger than 1368 don’t make it through.  
(Using "ping -f -l 1368 192.168.232.1" works, 1369-1372 doesn't, 1373+ 
complains [correctly] about DF bit being set.)

 

Workarounds?

Am I doing something wrong?

 

Thanks,

-Adam Thompson

athom...@c3a.ca

 



[pfSense Support] WAN reply-to under 2.0?

2010-10-19 Thread Adam Thompson
Repeat of the earlier problem under 1.x, I remember Chris saying this
would be do-able under 2.0 but it still doesn't work for me.  Most
likely I've forgotten the magic trick required... or I just don't
understand how WAN reply-to has to be configured under 2.0.

(FYI, Chris' original reply was under the subject "Re: 1:1 multi-homed
NAT broken?" at 19:10 July 14 2010.)

To recap the scenario:

SBS (yeah, three guesses...)  sits on em0 at 192.168.232.201.
em2 is outbound to MRNet, BGP feed with ~13K routes (*not* including
0.0.0.0/0).
em3 is outbound to TeraGo, default route.

CARP VIP configured on em3 for 67.226.137.178.
1:1 NAT configured to map 192.168.232.201 to 67.226.137.178.
Firewall rule allowing inbound TCP port 25 to 192.168.232.201.

Inbound mail works for any sender NOT reachable via em2 but breaks for
any senders reachable via em2.

Example:
Remote host "R" (130.179.31.46) trying to send me mail.  Attempts TCP
connection to port 25 @ 67.226.137.178.
Pfsense receives packet, translates to 192.168.232.201, forwards to SBS.
SBS replies to packet, so far so good.
Pfsense receives reply packet and sends it out em2 with the 1:1 NAT
address, which promptly gets blackholed by the next-hop router.

I've tried adding a policy rule (first rule on em0) that applies to TCP
packets from SBS with a source port of 25, forcing the packet out via
TeragoGW (i.e. via em3), but that doesn't work - I suspect because PF is
already treating this as an "established" connection.

Then I tried adding a Gateway to the original allow-inbound-smtp rule,
which produced an error message: 
[[
There were error(s) loading the rules: /tmp/rules.debug:170: direction
must be explicit with rules that specify routing pfctl: Syntax error in
config file: pf rules not loaded - The line in question reads [170]:
pass  $GWTeraGOGW  proto tcp  from any to   $SBS port 25  flags S/SA
keep state  label "USER_RULE: inbound SMTP to Exchange"
]]

I've been experimenting with various combinations of in/out and gateway
settings, but all I've succeeded in doing so far is breaking ALL smtp
connections...

Can anyone explain how I use this new feature in 2.0?

Thanks,
-Adam Thompson
athom...@c3a.ca
(204) 291-7950
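
An added illustration (not from this thread and not pfSense's own generated rules) of the rejected line from /tmp/rules.debug next to a hand-written pf rule that loads: the direction is explicit (`in on em3`) and `reply-to` pins the state's return path to the TeraGo interface instead of the routing table. The TeraGo next-hop address is not given on the page, so it is a placeholder, and the macro names are assumed.

```pf
# Added example; not the thread's or pfSense's own configuration.
ext_if    = "em3"              # TeraGo WAN (default route) from the thread
terago_gw = "203.0.113.1"      # PLACEHOLDER next hop, not the real address
SBS       = "192.168.232.201"  # the NAT'd mail server from the thread

# The line pfctl rejected (line 170 in the thread): $GWTeraGOGW came from the
# rule's Gateway setting, but the rule states no direction, so pfctl stops with
# "direction must be explicit with rules that specify routing".
#pass  $GWTeraGOGW  proto tcp  from any to   $SBS port 25  flags S/SA keep state

# Corrected form: direction and interface are explicit, and reply-to makes the
# replies for this state leave via em3/TeraGo rather than via em2, even when
# the sender's prefix is learned over the BGP feed.
pass in on $ext_if reply-to ($ext_if $terago_gw) proto tcp \
    from any to $SBS port 25 flags S/SA keep state \
    label "USER_RULE: inbound SMTP to Exchange"
```

With the rule loaded, `pfctl -vss` shows the state for the SMTP session, and replies from the SBS host are forwarded to the placeholder next hop on em3 regardless of the routing table.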


[pfSense Support] TinyDNS on 2.0beta4 ?

2010-10-15 Thread Adam Thompson
Chris/anyone,
Does the TinyDNS package work correctly under 2.0BETA4?
Thanks,
-Adam Thompson
athom...@c3a.ca



RE: [pfSense Support] Dual WAN + Firewall Redundancy + UPS Redundancy (?) at entrance

2010-10-09 Thread Adam Thompson
It’s perhaps overkill for many scenarios, but if you’re truly trying for 
no-single-point-of-failure, buy UPSes from two different vendors, ideally using 
two different technologies.  I’ve seen matched pairs of UPSes knocked out by 
the same power event, and more commonly I’ve seen matched sets of batteries 
fail without warning.  To clarify, there are power events that will kill an APC 
SmartUPS whereas their BackUPS won’t even notice a problem; on the other hand, 
the SmartUPS will protect a power supply against some failure modes that a 
BackUPS cannot.  And a full-online-conversion UPS, while ideal, costs an arm 
and a leg.  All three will tolerate different amounts of input power phase 
mismatch (“Power Factor”).

 

It’s nearly impossible to design truly “uninterruptible” power; anyone who’s 
installed a mainframe can attest to this!  You need capacitors on the circuit 
board to smooth ripples (micro-events), ultracapacitors or batteries to prop up 
the input power during sub-second (or even multi-second) outages, a traditional 
UPS to provide interim power, a generator to cover long outages, and a 
ground-zero-grade blast shelter to put it all in so it stays running in case of 
global thermonuclear war… and even then, we still don’t have a technology to 
work around the power outages anticipated when the heat death of the universe 
occurs.

 

Yes, I’m being silly, but my point is that there’s no point in trying to design 
a “perfect” system.  “Better than normal” is almost always what you’re really 
reaching for.

Having CARP failover is level 1, dual power supplies is level 2, dual UPSes is 
level 3, how far do you plan to take this?  What if your ISP goes down – are 
you also going to multi-home?  Are the devices behind this firewall also 
multiply-redundant?

 

I don’t mean to suggest there’s no point in increasing reliability, but even 
two UPSes is going far beyond the needs of most applications.  “Carrier-grade” 
doesn’t even mean having redundant UPSes… at least, none of the telcos I work 
with in my region have redundant UPSes powering their phone switches!

 

Anyway, like I said – if you’re going to run >1 UPS, use *different* UPSes to 
avoid hitting the identical problem at the identical time on all of them, which 
has actually happened to me.

 

-Adam

 

 

From: Hans Maes [mailto:h...@bitnet.be] 
Sent: Saturday, October 09, 2010 10:02
To: support@pfsense.com
Subject: Re: [pfSense Support] Dual WAN + Firewall Redundancy + UPS Redundancy 
(?) at entrance

 


On 10/08/2010 07:15 PM, Gerald A wrote:



On Fri, Oct 8, 2010 at 4:55 PM, Andy Graybeal  
wrote:

I'll have 2 firewalls, and 2 UPS's one for each firewall.

Each firewall will have:
1. a hot swap raid array (only two HD's set to RAID 1, mirroring).
2. two hot swap power supplies.

Is one UPS per firewall agreeable?  I don't know how to do it otherwise.  I 
can't imagine purchasing 4 UPS's, one for each power supply.  Seems a little 
overkill. I welcome any input.


Plug one hotswap supply from each firewall into both of the UPS boxes you have. 
That way, even if you have to service a UPS, you won't lose a firewall. I 
wouldn't dedicate a UPS to each firewall, because any UPS issue makes you bring 
down a box no matter what.


True, but depending on your configuration, another way to hook this up is to 
bypass the UPS for one of the power supplies on each firewall:

FW1 - Power supply 1 -> UPS1
FW1 - Power supply 2 -> straight to power grid

FW2 - Power supply 1 -> UPS2
FW2 - Power supply 2 -> straight to power grid

This way, you would still be up and running if both UPS systems fail for some 
reason. 
I've seen it happen! eg short circuit in a system connected to both UPS 
triggering both UPS to shutdown. 
(Try explaining complete power failure to your boss when all lights are still 
on in the entire building ;-) )

Agreed, during power grid failure, FW1 would go down if UPS1 fails, and FW2 
would go down if UPS2 fails, but you got CARP to fix that.

Just my 2 cents.

Regards,

Hans





RE: [pfSense Support] How do I break down a /22 into smaller subnets to use behind(LAN) side of my pfsense box

2010-10-05 Thread Adam Thompson
Yeah, oops.  :-)

LOL - I'm sitting in a Microsoft conference geared to large telecom 
operators providing HDTV programming, and they announced that IPv6 is 
*not* on their roadmap because "we haven't heard from customers that 
address exhaustion is a significant problem".  Given that AT&T is the 
biggest customer for this particular product, I have to wonder WTF is 
going on inside both AT&T and Microsoft.

Not on the roadmap.  Geez.  Is there anyone on this list who *hasn't* run 
into issues because of IPv4 address exhaustion yet?

(On an unrelated note - anyone know why I can't send emails to this list 
from my BlackBerry?  Works for other mailman-managed lists elsewhere...)

-Adam


> -Original Message-
> From: Nathan Eisenberg [mailto:nat...@atlasnetworks.us]
> Sent: Monday, October 04, 2010 16:49
> To: support@pfsense.com
> Subject: RE: [pfSense Support] How do I break down a /22 into
> smaller subnets to use behind(LAN) side of my pfsense box
>
> > Let's say you wanted to split your /22 into two /21s.
>
> I can make two /21s out of a single /22?  Sweet jesus, you've
> solved the IP exhaustion crisis!  :-)
>
> Nathan
>
>



RE: [pfSense Support] How do I break down a /22 into smaller subnets to use behind(LAN) side of my pfsense box

2010-10-04 Thread Adam Thompson
I'm not sure if this is too low-level an answer, but...

Let's say you wanted to split your /22 into two /21s.
Instead of configuring the LAN interface with the /22, you could configure the 
LAN interface with the first /21 network, and create an OPT1 interface and 
configure it with the second /21.

Suppose you have obtained 10.10.8.0/22.  (Pretend it's publicly-routable 
address space for this explanation.)
Your provider has agreed to route that netblock for you.  (Regardless of which 
one of you advertises it.)
Your provider might assign 192.168.255.252/30 as the link to you, using .253 
for their end and .254 for your end.
Your WAN address will then be 192.168.255.254/30, your default gw would be 
192.168.255.253.

Suppose you needed to split your /22 into four (traditional class "C") /24s.
You might configure the LAN interface as 10.10.8.0/24, OPT1 as 10.10.9.0/24, 
OPT2 as 10.10.10.0/24, and OPT3 as 10.10.11.0/24.

Not sure if that's the level of example you're looking for or not...
-Adam Thompson
 athom...@c3a.ca



From: Chris Flugstad [ch...@cascadelink.com]
Sent: October-04-10 18:32
To: support@pfsense.com
Subject: Re: [pfSense Support] How do I break down a /22 into smaller subnets 
to use behind(LAN) side of my pfsense box

I know how to make them smaller, but don't I need to set the smaller
subs in pfSense?  I wasn't specific, I guess.

I know what smaller subnets would look like, but I'd think I'd have to
set them up in pfSense, so I am asking about something which I haven't done
before and therefore am lost ;)
-chris

On 10/4/2010 4:23 PM, David Burgess wrote:
> On Mon, Oct 4, 2010 at 5:19 PM, Chris Flugstad  wrote:
>
>> -how to i break up the large block into smaller blocks
> Like this?
>
> http://www.vlsm-calc.net/
>
> db
>



Re: Re: [pfSense Support] multi-wan, multi-lan security

2010-08-09 Thread Adam Thompson
On Mon, 2010-08-09 at 18:06 +0100, Paul Mansfield wrote:


>> if your provider provides ipv6 as well as ipv4 and devices on your lan
>> are also ipv6, then you're more likely to have a major security
>> breach??
people won't be using NAT in an ipv6 network, so they'll have real IPs
which will contain their MAC addresses, making it much more likely that
the internet at large will be able to connect to them.


The MAC address is only 48 bits out of 128, leaving 80 bits of assigned address 
in comparison to IPv4's 64 assigned bits.
How is stumbling across a (nominally) random 80-bit address easier than 
stumbling across a (nominally) random 64-bit address?

Obviously neither case is truly random, and I would argue that at this stage, 
IPv4 address allocation is more predictable than IPv6 address allocation.
Finding either is bound to be easier than finding a truly random number, as 
there are many real-world constraints, but I believe there are more constraints 
on the 64-bit number than the 80-bit number, which would skew the model towards 
being even easier to find the IPv4 address...

-Adam Thompson
Chief Architect, C3A Inc.
athom...@c3a.ca
Tel: (204) 272-9628 x8004 / Fax: (204) 272-8291


RE: [pfSense Support] multi-wan, multi-lan security

2010-08-05 Thread Adam Thompson
> The low-end Cisco ASA 5505 requires VLAN configuration since it is
> just a switch.
> The Cisco ASA 5510 has four Ethernet ports. If you need more, just
> use VLAN.
> Perhaps, Cisco is expecting a firewalled network to use managed
> switches. Is it best practice? Why is there a resistance to VLAN in
> the pfSense community?

You'll note that the *switch* vendors are generally the ones pushing VLANs 
on firewalls: I don't think this is a coincidence.  Of course, every major 
firewall vendor does support VLANs now, and most also support LAGs, 
because many people do use them.

I wouldn't say I put up any "resistance" to VLANs, nor anything I've seen 
in this thread.  It's just that experience has shown many of us (me, 
anyway) that implementing VLANs adds another layer of complexity. 
VLAN-on-LAG adds another layer on top of that.  Every additional layer we 
have to work with increases the possibility of making errors.  (In my 
experience, the occurrence of errors roughly doubles with each layer 
added.)  And in what is usually the most secure device on the network - 
the firewall - you don't want to make errors.  Especially when, more often 
than not, the firewall is the *only* secure device on the network!

As I indicated in my post, using VLANs allows for new and (*cough*) 
interesting failure modes that you just don't have to deal with otherwise.

Note that I do use VLANs and will continue to do so.  The largest network 
I've designed (for a regional ISP) trunks over 100 different VLANs back to 
the core, and there's a Cisco 7206 with >100 subifs managing it all quite 
happily, even their two upstream pipes are trunked in on VLANs, and 
"internal" and "external" networks share the same wire in many places, 
separated only by tags.

Most of my firewall deployments do use VLANs; one must be much more 
careful when doing so.  I have encountered (and caused!) problems that 
would not have occurred in a non-VLAN environment.

So if you don't *need* VLANs, don't use them.  If you *need* VLANs, go 
ahead and use them.  Just like any other technology.


> I sold a Cisco Catalyst 3500XL with 48 Fast Ethernet ports for $35
> a couple of months ago on eBay. I don't think cost is the issue.

I agree.  Chris also pointed this out a few posts ago.

Although it could be argued that GigE "smart" switches still aren't 
negligibly cheap: I think the cheapest one I can get in Canada is around 
$300.  Still not very expensive, especially compared to the firewall 
hardware I'd need to actually route data at over 100Mbps.

-Adam







RE: [pfSense Support] multi-wan, multi-lan security

2010-08-05 Thread Adam Thompson
Comments from another perspective on the must/should question:

Best practice says to physically segregate networks by trust level and by 
impact of error or breach.

Somewhat self-evidently, this is to mitigate the impact of a) errors, and 
b) security breaches.  Of the two, errors (i.e. human errors) are by far 
the more common problem.

If you have a separate NIC for each network coming in to your firewall, 
the cables are well-identified, the ports are well-identified, and the 
other endpoint of those cables is also well-identified, it's much harder 
to accidentally expose high-trust traffic to a low-trust network. 
Specifically, it's far likelier that someone will notice that the cable 
they're holding has an "AT&T" tag on it but the port they're about to plug 
it into has a "PacBell" label over it.

When you use a switch and VLANs to segregate traffic, you have to worry 
about things like: in a pathological power situation (lightning strike, 
UPS blows up, whatever) if the switch is suddenly reset to factory 
defaults - and I've seen this happen - what will happen?  Every port gets 
reset to VLAN 1 with no filtering, and all your traffic is suddenly being 
propagated to every network segment.

Maybe you're thinking "big deal", but now consider the fairly-typical WAN 
situation where you're running routing protocols across WAN links, say 
RIPv2 without authentication (because you trust all the networks involved, 
right?  It's a point-to-point link, right?).  Your network topology 
suddenly collapses and takes [fixing or unplugging]+2hrs to reconverge.

Or the situation I once found: two smallish WAN providers both (stupidly) 
left STP turned on at the edge... when they were suddenly bridged together 
(by accident, I made a typo when setting up the VLANs) I managed to take 
down most of both providers' networks, and typical of STP both were down 
for +5 minutes.  Obviously I wasn't happy, and when we all figured out what 
had happened they weren't very happy with me, either.

As to security breaches, it is extremely difficult to a) know about the 
switch, b) target the switch, and c) hack the switch, but it's 
*infinitely* harder to hack a piece of Cat5 cable than a switch!

Having said all that, many of the firewall modules/blades you can buy for 
chassis-based routers and switches (Cisco 3600 ISR, Catalyst 1, 
Juniper [something], etc.) require you to configure their ports entirely 
using VLANs anyway.

So it's hardly a universal "must", certainly not in the technical sense - 
it's a very, very strong "should" that you should only disregard if a) 
you're overconfident of your own abilities, b) you have no truly private 
data, c) you don't care too much about pissing off your WAN providers (or 
you know they won't even notice!), and d) you don't have enough space to 
mount one or two more switches in the server closet.

Note also that you might be tempted to use 802.1q-over-802.3ad 
(VLAN-over-LAG), which does work... but also generally speaking turns off 
a lot of the hardware acceleration your NIC can do for you.  Many NICs 
(certainly any half-decent one!) can still do IP offload with 802.1q (VLAN 
tagging), but I haven't run into any that can still do IP offload with 
802.3ad (link aggregation, aka "bonding", or "etherchannel").  Bundling 
links together (LAG) actually slowed my router down instead of speeding it 
up.

Another aspect is that if you're going to run your router in a blade 
chassis, say, (virtualized or not) you really won't have much choice but 
to use VLANs for everything - most blade chassis don't give you dedicated 
physical Ethernet ports, certainly not more than two on any I've seen. 
Most of 'em have an embedded NIC (or two, or four...) that plug straight 
into a backplane and are only exposed via a switch module.

(I am also noticing that pfSense 1.2.3 does not have good performance (for 
me, at least) forwarding traffic between "virtual switches" on a VMWare 
ESXi 4 host connected to the switch through a 4x V-in-LAG trunk.  I 
haven't had time to isolate the problem yet, although I observed slightly 
better performance when I let VMWare handle the VLAN tagging instead of 
pfSense (i.e. created 4 untagged virtual e1000 NICs instead of 1 tagged 
vnic).  Performance only seems affected if either ingress or egress 
traffic is local to the ESXi host, I see more-or-less normal performance 
if both src and dst are off-host.)

-Adam Thompson
 athom...@athompso.net







RE: [pfSense Support] pfSense 2.0 Beta4 on

2010-07-31 Thread Adam Thompson
Given that it's showing up in "system", it's likely something 
interrupt-related.  I would first try turning off all power management in 
the BIOS, and also disabling HPET (High-Precision Event Timer) there if 
you can.  Although it sounds silly, if it's a PS/2-based system, make sure 
there's a keyboard plugged in.  (Some motherboards generate an endless 
stream of interrupts if there's no keyboard, sometimes it's a BIOS setting 
for headless operation.)

Poorly-implemented storage (either the hardware or the drivers) can also 
cause this, but you'd probably see disk I/O in that case.  You aren't in 
the middle of re-mirroring a geom(8) RAID1 set, are you?

-Adam Thompson
 athom...@athompso.net


> -Original Message-
> From: Fabian Abplanalp [mailto:fabian.abplan...@bug.ch]
> Sent: Saturday, July 31, 2010 15:55
> To: support@pfsense.com
> Subject: Re: [pfSense Support] pfSense 2.0 Beta4 on
>
>   Am 31.07.2010 22:52, schrieb Chris Buechler:
> > Maybe. Maybe not. Impossible to say based on your description,
> system
> > is what's using the CPU, so if you're pushing a decent amount of
> > traffic then yeah it's probably normal.
> Current traffic is low (WAN in 56Kbps/out 700kbps)... Even with
> "no"
> traffic, CPU is always at 25%.
>
> How can I find out what's using the 25%?
>
> Fabian







RE: [pfSense Support] Minimal configuration for pfSense.

2010-07-14 Thread Adam Thompson
That brings up a good question: what sort of hardware *should* I be using to 
forward ~1Gbps of IP traffic between two NICs (or two VLANs, doesn't matter)?  
I'm currently running pfSense under VMWare ESXi, on an 8-core Xeon 2.8GHz machine with 
24Gb of RAM and 4x1GbE bonded network (i.e. lots of spare overhead, it's not 
even fully utilized yet) and have noticed a few things:
1. passing all the VLAN tags through to pfSense and setting up VLAN interfaces 
there gives lower performance than configuring 4 x virtual networks in VMware 
and setting up 4 x virtual NICs in the VM.
2. routing between VLANs in VMware seems to provide significantly lower peak 
performance than using dedicated hardware: a dual P-III 1.0GHz running dual 
1GbE on a PCI-X card outperformed the VMware install by a factor of five.  I 
suspect some subtle interaction between my switch, VMware and VLANs.

The numbers: the dual-1GHz-PIII could sustain between 200-300Mbit/sec between 
the two 1Gb ports (untagged).  The VM can only sustain about 10-20Mbit/sec 
between the same two VLANs.

I haven't yet attempted to dedicate one port in VMware to each VLAN in order to 
completely remove tagging.

-Adam Thompson
 Chief Technical Architect, C3A Inc.
 athom...@c3a.ca
 (204) 272-9628 / fax: (204) 272-8291


> -Original Message-
> From: Chris Buechler [mailto:cbuech...@gmail.com]
> Sent: Wednesday, July 14, 2010 2:38 PM
> To: support@pfsense.com
> Subject: Re: [pfSense Support] Minimal configuration for pfSense.
> 
> On Wed, Jul 14, 2010 at 3:33 PM, Laurentiu STEFAN
>  wrote:
> > OKa. I have seen
> > I have 2 connections 30-100mbps so I need no less than 1.0 GHz CPU
> >
> 
> Yeah that's reasonable, to ensure you aren't going to overload the
> system.
> 



RE: [pfSense Support] 1:1 multi-homed NAT broken?

2010-07-14 Thread Adam Thompson
So... does that mean I can't accomplish this with 1.2.x at all?  I tried 2.0 on 
a spare server, but OpenBGPd didn't seem to inject routes into the kernel at 
all so I didn't pursue it very far.

-Adam Thompson
 Chief Technical Architect, C3A Inc.
 athom...@c3a.ca
 (204) 272-9628 / fax: (204) 272-8291

> -Original Message-
> From: Chris Buechler [mailto:cbuech...@gmail.com]
> Sent: Wednesday, July 14, 2010 12:10 PM
> To: support@pfsense.com
> Subject: Re: [pfSense Support] 1:1 multi-homed NAT broken?
[...]
> Yeah WAN rules in 1.2.x don't have reply-to. They do in 2.0.


RE: [pfSense Support] Bandwdith usage since start of month?

2010-07-13 Thread Adam Thompson
Sorry, that looks like my fault - the patch I sent inline with my last message 
accidentally included a change that I hadn't actually tested yet... and if Jim 
applied it as-is, well, that's the error you get.

Oops.

-Adam Thompson
 Chief Technical Architect, C3A Inc.
 athom...@c3a.ca
 (204) 272-9628 / fax: (204) 272-8291


> -Original Message-
> From: Jim Pingle [mailto:li...@pingle.org]
> Sent: Tuesday, July 13, 2010 5:24 PM
> To: support@pfsense.com
> Subject: Re: [pfSense Support] Bandwdith usage since start of month?
> 
> On 7/13/2010 6:20 PM, David Burgess wrote:
> > On Tue, Jul 13, 2010 at 4:06 PM, Jim Pingle  wrote:
> >
> >> I committed a fix and updated the package. It should be up shortly.
> >
> >
> > "Parse error: syntax error, unexpected '(' in
> > /usr/local/www/status_rrd_summary.php on line 38"
> >
> > That's version 1.1
> 
> Updated again, but I didn't bump the version this time. Try it in about
> 5 minutes.
> 



RE: [pfSense Support] Bandwdith usage since start of month?

2010-07-13 Thread Adam Thompson
Aha!

In /usr/local/www/status_rrd_summary.php, on line 38, the requested resolution 
for $lastmonth is 86400, but the RRD file in question doesn't have anything 
larger than 720*60=43200 (according to "rrdtool info", anyway) and defaults to 
returning not the next-closest resolution, but the *highest* resolution 
instead.  I haven't checked "this month", but the "last month" numbers match my 
ISP bill perfectly if I change "86400" to 720*60:

__BOF__
--- status_rrd_summary.php  2010-07-13 14:18:21.0 -0500
+++ status_rrd_summary.php.orig 2010-07-13 14:05:36.0 -0500
@@ -33,9 +33,9 @@
 $lastmonth = "00 " . date("m/{$startday}/Y", strtotime("-1 month", 
strtotime(date("m/{$startday}/Y";

 $thismonth = fetch_rrd_summary($rrd, $start, "now");
-$lastmonth = fetch_rrd_summary($rrd, $lastmonth, $start, 720*60);
+$lastmonth = fetch_rrd_summary($rrd, $lastmonth, $start, "86400");

-function fetch_rrd_summary($rrd, $start, $end, $resolution=(60*60)) {
+function fetch_rrd_summary($rrd, $start, $end, $resolution="3600") {
$traffic = array();
$rrd   = escapeshellarg("/var/db/rrd/{$rrd}");
$start = escapeshellarg($start);
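Review bot: the default-argument change to `function fetch_rrd_summary($rrd, $start, $end, $resolution=(60*60))` will not parse on the PHP 5.x interpreters pfSense used at the time: a default parameter value had to be a constant scalar (arithmetic in defaults only became legal in PHP 5.6), so the interpreter stops with "syntax error, unexpected '('" before the file runs. Keep the default as the literal `3600` (or the original `"3600"`) and limit the fix to the call site, `$lastmonth = fetch_rrd_summary($rrd, $lastmonth, $start, 720*60);`, where an expression is fine. Two smaller points: the diff was generated with the edited file as `---` and `.orig` as `+++`, so the `-` lines are the proposed change and feeding this to patch(1) would revert it rather than apply it; and `720*60` bakes in the coarsest RRA of this particular RRD file (the value seen in `rrdtool info`), so it would be more robust to pick a resolution that is known to exist in the file than to hard-code one.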
__EOF__

-Adam Thompson
 Chief Technical Architect, C3A Inc.
 athom...@c3a.ca
 (204) 272-9628 / fax: (204) 272-8291


> -Original Message-
> From: Adam Thompson [mailto:athom...@c3a.ca]
> Sent: Tuesday, July 13, 2010 1:25 PM
> To: 'support@pfsense.com'
> Subject: RE: [pfSense Support] Bandwdith usage since start of month?
> 
> Checking it against my latest ISP bill, the numbers are way out.  ISP is
> billing me for 57.4GBytes, RRD Summary page shows last month as
> In:108921, Out:8602, Total:117523.  I do note that the Total number is
> *almost* double the ISP's number - which seems to correspond with
> David's observations from July 5th (included below).
> 
> -Adam Thompson
>  Chief Technical Architect, C3A Inc.
>  athom...@c3a.ca
>  (204) 272-9628 / fax: (204) 272-8291
> 
> 
> > -Original Message-
> > From: David Burgess [mailto:apt@gmail.com]
> > Sent: Monday, July 05, 2010 6:18 AM
> > To: support@pfsense.com
> > Subject: Re: [pfSense Support] Bandwdith usage since start of month?
> >
> > On Thu, Jun 24, 2010 at 2:12 PM, Jim Pingle  wrote:
> >
> > > Give it a try and see if it's still accurate.
> >
> > Some observations:
> >
> > 1. Using the June 23 nanobsd snapshot, RRD Summary reported
> ~330GB of
> > traffic from June 1 to June 30. On July 3 it reported over 700GB of
> > traffic from the 1st. In other words it appeared that it not only
> > failed to reset its counter on July 1, but it had also somehow doubled
> its count.
> >
> > 2. I just updated to the July 4 snapshot and saw this on the console
> > after the automatic reboot:
> >
> > "
> > Syncing packages: RRD Summary
> > Beginning package installation for ...
> > Removing package...
> > Removing RRD Summary components...
> >
> > Warning: fwrite(): 63 is not a valid stream resource in /etc/inc/pkg-
> > utils.inc on line 816
> >
> > Beginning package installation for ...
> >
> > Syncing packages:.
> > Executing rc.d items...
> >  Starting /usr/local/etc/rc.d/*.sh...done.
> > Bootup complete
> > "
> >
> > When attempting to load the dashboard for the first time it instead
> > loaded one of the package pages where I saw something like "All
> > packages reinstalled", but it appears the RRD Summary package is not
> > installed.
> >
> > 3. I manually installed RRD Summary again from the UI. Now it is
> > reporting 50GB used since the 1st, which is not unlikely, and 772GB
> > for last month, which, as I stated, is more than double the amount it
> > was reporting only a day or two or three from the end of June, and is
> > therefore unlikely.
> >
> > db
> >



RE: [pfSense Support] Bandwdith usage since start of month?

2010-07-13 Thread Adam Thompson
Checking it against my latest ISP bill, the numbers are way out.  ISP is 
billing me for 57.4GBytes, RRD Summary page shows last month as In:108921, 
Out:8602, Total:117523.  I do note that the Total number is *almost* double the 
ISP's number - which seems to correspond with David's observations from July 
5th (included below).

-Adam Thompson
 Chief Technical Architect, C3A Inc.
 athom...@c3a.ca
 (204) 272-9628 / fax: (204) 272-8291


> -Original Message-
> From: David Burgess [mailto:apt@gmail.com]
> Sent: Monday, July 05, 2010 6:18 AM
> To: support@pfsense.com
> Subject: Re: [pfSense Support] Bandwdith usage since start of month?
> 
> On Thu, Jun 24, 2010 at 2:12 PM, Jim Pingle  wrote:
> 
> > Give it a try and see if it's still accurate.
> 
> Some observations:
> 
> 1. Using the June 23 nanobsd snapshot, RRD Summary reported ~330GB
> of traffic from June 1 to June 30. On July 3 it reported over 700GB of
> traffic from the 1st. In other words it appeared that it not only failed to
> reset its counter on July 1, but it had also somehow doubled its count.
> 
> 2. I just updated to the July 4 snapshot and saw this on the console after
> the automatic reboot:
> 
> "
> Syncing packages: RRD Summary
> Beginning package installation for ...
> Removing package...
> Removing RRD Summary components...
> 
> Warning: fwrite(): 63 is not a valid stream resource in /etc/inc/pkg-
> utils.inc on line 816
> 
> Beginning package installation for ...
> 
> Syncing packages:.
> Executing rc.d items...
>  Starting /usr/local/etc/rc.d/*.sh...done.
> Bootup complete
> "
> 
> When attempting to load the dashboard for the first time it instead
> loaded one of the package pages where I saw something like "All
> packages reinstalled", but it appears the RRD Summary package is not
> installed.
> 
> 3. I manually installed RRD Summary again from the UI. Now it is
> reporting 50GB used since the 1st, which is not unlikely, and 772GB for
> last month, which, as I stated, is more than double the amount it was
> reporting only a day or two or three from the end of June, and is
> therefore unlikely.
> 
> db
> 



RE: [pfSense Support] 1:1 multi-homed NAT broken?

2010-07-13 Thread Adam Thompson
> -Original Message-
> From: Bill Marquette [mailto:bill.marque...@gmail.com]
> Sent: Monday, July 12, 2010 8:30 PM
> To: support@pfsense.com
> Subject: Re: [pfSense Support] 1:1 multi-homed NAT broken?
> 
> This sounds like a missing reply-to, but I'm not entirely sure why.
> The inbound SMTP rule should be overriding the routing and sending the
> traffic out the right path.  Take a look at /tmp/rules.debug and see if the
> inbound SMTP rule has a reply-to on it.

Looks right to me:
binat on em1 from 192.168.232.201/32 to any -> 67.226.137.178/32
pass in quick on $wan proto tcp from any to  port = 25 keep state  
queue (qwandef, qwanacks)  label "USER_RULE: NAT forward inbound mail"
pass in quick on $OPT1 reply-to (em0 192.139.69.161) proto tcp from any 
to  port = 25 keep state  label "USER_RULE: NAT forward public web sites"

Yes, the comment about "web sites" is misleading - actually it's flat-out 
wrong, I probably cloned the rule from the HTTP rule and forgot to edit the 
comment.

I'm not sure that the binat combined with reply-to actually works - as I said, 
I realize this is a corner case that probably isn't (ever?) often tested.  Is 
there a way to limit binat to only affecting one public interface?

-Adam Thompson
 Chief Technical Architect, C3A Inc.
 athom...@c3a.ca
 (204) 272-9628 / fax: (204) 272-8291



RE: [pfSense Support] pfsense 1.2.3 virtual ip proxy arp

2010-07-13 Thread Adam Thompson
This sounds like a use for 1:1 NAT, instead of port forwarding.

-Adam Thompson
 Chief Technical Architect, C3A Inc.
 athom...@c3a.ca
 (204) 272-9628 / fax: (204) 272-8291

> -Original Message-
> From: Lluis [mailto:ll...@jad.es]
> Sent: Tuesday, July 13, 2010 6:41 AM
> To: 'support@pfsense.com'
> Subject: [pfSense Support] pfsense 1.2.3 virtual ip proxy arp
> 
> Hi,
> 
> I configured a virtual ip with proxy arp, and now I have to configure a rule
> to outgoing virtual ip traffic. This is the structure:
> 
> 
>  le1: WAN (X.X.X.134)  with VIRTUALIP (X.X.X.135)
>|
>|
> le0:   LAN (192.168.0.1)
>|
>|
>SERVER (192.168.0.2)
> 
> I need to configure that the outgoing traffic of port 25 of server goes
> to virtual ip (X.X.X.135)
> The incoming traffic of port 25 from VIRTUALIP is working correct using
> NAT, and NAT returns by virtual ip ok.
> The problem is when the source of traffic starts in the SERVER, because
> the outgoing traffic goes by WAN (X.X.X.134)
> 
> Has someone any solution?
> 
> Thanks.
> 
> --
> Lluís Serra
> www.jad.es
> 
> 
> 



[pfSense Support] 1:1 multi-homed NAT broken?

2010-07-08 Thread Adam Thompson
My problem: reply packets to inbound NAT’d connection are being sent back out 
the wrong interface, and being rejected as bogons by the next-hop router.


The setup…
  OPT1(OPT1)   ->   vlan0   ->  192.139.69.168 (/28)
  WAN  ->   vlan1   ->  67.226.137.177 (/29)
  LAN  ->   vlan2   ->  192.168.232.1 (/24)
  OPT2(OPT2)   ->   vlan3   ->  192.168.233.1 (/24)

Virtual CARP IPs are set up on WAN, for 64.226.137.178/32 & .179/32.  (Using 
two different VHID groups, don’t know if that makes any difference.)

1:1 NAT configured on WAN:67.226.137.179/32==192.168.232.201/32 (my mail 
server).  There’s a firewall rule allowing inbound TCP:25 from * to 
192.168.232.201.

A static route is defined on OPT1 for 130.179.0.0/16 via my next-hop; they’re 
actually another BGP hop away from me.  (I was using BGPd, but it just doesn’t 
work for me so back to static routes for now…)

*Outbound* connections from my mail server to mail servers in 130.179.0.0/16 
work just fine – they get NAT’d out the OPT1 interface correctly.

*Inbound* connections from mail servers in 130.179.0.0/16, however, do *not* 
succeed – they time out.  Tcpdump(1) reveals why: the return packets are 
leaving via vlan0 (OPT1) instead of vlan1 (WAN).  Interesting to note that they 
appear to have the correct source IP, but of course my next-hop router is 
rejecting these as bogons.  This trace was limited to the mail server for 
cs.umanitoba.ca, one of the affected domains.  This is what happens when it 
attempts to make a connection to my public MX (67.226.137.178) on vlan1 (WAN).

# tcpdump -vvv -i vlan0 host 130.179.28.45
14:41:29.906725 IP (tos 0x0, ttl 127, id 38600, offset 0, flags [none], proto 
TCP (6), length 60) static-67-226-137-178.ptr.terago.net.smtp > 
palladium.cs.umanitoba.ca.32988: S, cksum 0x9eea (correct), 
1485915749:1485915749(0) ack 101392658 win 8192 
14:41:32.92 IP (tos 0x0, ttl 127, id 48922, offset 0, flags [none], proto 
TCP (6), length 60) static-67-226-137-178.ptr.terago.net.smtp > 
palladium.cs.umanitoba.ca.32988: S, cksum 0x9dbf (correct), 
1485915749:1485915749(0) ack 101392658 win 8192 
14:41:38.895122 IP (tos 0x0, ttl 127, id 59241, offset 0, flags [none], proto 
TCP (6), length 56) static-67-226-137-178.ptr.terago.net.smtp > 
palladium.cs.umanitoba.ca.32988: S, cksum 0xcf76 (correct), 
1485915749:1485915749(0) ack 101392658 win 65535 
14:41:50.904802 IP (tos 0x0, ttl 127, id 16983, offset 0, flags [none], proto 
TCP (6), length 40) static-67-226-137-178.ptr.terago.net.smtp > 
palladium.cs.umanitoba.ca.32988: R, cksum 0xfc61 (correct), 
1485915750:1485915750(0) win 0


Have I missed something in my configuration?  Is this configuration so obscure 
it’s never been tested before?

Until I get BGP route injection working properly, this “only” affects about 8 
organizations I deal with… I can manually work around it by adding /32 static 
routes to their mail servers pointing back out vlan1 (WAN), but obviously that 
approach doesn’t scale (and I have to know in advance their outbound mail 
relay’s IP address!).

Any assistance appreciated!

-Adam Thompson
Chief Technical Architect, C3A Inc.
athom...@c3a.ca<mailto:athom...@c3a.ca>
(204) 272-9628 / fax: (204) 272-8291



RE: [pfSense Support] Bandwdith usage since start of month?

2010-07-01 Thread Adam Thompson
> I put a version of this info into a package for 1.2.3 and 2.0
> called
> "RRD Summary". For now it just shows the current and previous
> month, and
> you can pick which RRD database it uses as well as which day starts
> the
> "month" period.
> 
> Give it a try and see if it's still accurate.
> 
> Jim

Finally got back to the office and tried it - but the numbers do not seem to 
match up.  Don't know why yet, won't have time to diagnose until tomorrow or 
the weekend.  (In fact, the pkg, the command line, and my ISP's billing system 
are all giving me different answers right now.)

-Adam Thompson
 Chief Technical Architect, C3A Inc.
 athom...@c3a.ca
 (204) 272-9628 / fax: (204) 272-8291



[pfSense Support] BGP routes vanish after 60 seconds

2010-06-18 Thread Adam Thompson
I timed it, and following “bgpctl fib couple”, the routes get inserted into the 
kernel’s routing table for exactly 60 seconds, then they all disappear again.

I have the BGP holdtime set to 65535 seconds, is there a way to find out what 
my peer has negotiated with me?  (I’m not seeing it under bgpctl show 
neighbours, maybe I’m missing something?)  Would that even affect my kernel 
routing table?

Another oddity I noticed is that when running “netstat -rn -f inet” while the 
routes were being populated, I saw a number (at least 10%, not sure exactly) 
where the expiry column contained “=>”.  I can’t find any documentation in 
FreeBSD about what that might mean.

(Yes, I can go look at the source but without any knowledge of BSD networking 
innards [except a bit of IPv6, since I attended that session at BSDCan’10] I 
don’t even know what I’m looking for.  The netstat manpage is unhelpful on this 
subject.)


-Adam Thompson
 Chief Technical Architect, C3A Inc.
 athom...@c3a.ca<mailto:athom...@c3a.ca>
 (204) 272-9628 / fax: (204) 272-8291



RE: [pfSense Support] Bandwdith usage since start of month?

2010-06-18 Thread Adam Thompson
> -Original Message-
> From: Jim Pingle [mailto:li...@pingle.org]
> Sent: Friday, June 18, 2010 12:37 PM
> To: support@pfsense.com
> Subject: Re: [pfSense Support] Bandwdith usage since start of
> month?
> 
> It wouldn't be too difficult to add this to the GUI if we can
> confirm
> that the results are indeed accurate.


Well, I can tell you that the numbers returned matched up exactly with what my 
ISP wants to bill me for :-)


-Adam Thompson
 Chief Technical Architect, C3A Inc.
 athom...@c3a.ca
 (204) 272-9628 / fax: (204) 272-8291



RE: [pfSense Support] Bandwdith usage since start of month?

2010-06-18 Thread Adam Thompson
Thank you very much!  I never knew how to extract the raw data from rrdlogs, 
now I know it's actually not that hard.

(BTW: the AWK is fine, although you can omit the cut(1) stage in the pipe 
simply by having awk add up $2 and $3 instead of $1 and $2.)

-Adam Thompson
 Chief Technical Architect, C3A Inc.
 athom...@c3a.ca
 (204) 272-9628 / fax: (204) 272-8291


-Original Message-
From: Jim Pingle [mailto:li...@pingle.org] 
Sent: June-18-10 12:23 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Bandwdith usage since start of month?

On 6/18/2010 12:04 PM, Adam Thompson wrote:
> Is there a way to get this information?

Try this command at the CLI, do the values look right when compared to
the graph? My awk-fu isn't that good, there's probably a better way to
do this:

(This should all be one single line)

rrdtool fetch /var/db/rrd/wan-traffic.rrd AVERAGE -r 3600 -s '00:00
06/01/2010' -e now | grep -v nan | cut -f2 -d':' | awk '{ sum1 +=
$1/(1024*1024); sum2 += $2/(1024*1024) } END { printf "IN: %u Mbytes
OUT: %u Mbytes\n", sum1*3600, sum2*3600; }'

I had to use Mbytes since using bytes made awk overflow its integer
type :-)

If you have more than one WAN, you can repeat that with
opt1-traffic.rrd, etc.

Jim
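As an added example (not code from this thread or from the RRD Summary package), here is the same in/out summation as Jim's rrdtool/awk pipeline, written in Python so that the step is taken from the timestamps rrdtool actually returns rather than from the `-r` value; that resolution mismatch is what Adam later traced in status_rrd_summary.php. The rrdtool fetch output below is constructed, and the DS names `in`/`out` and the 43200-second RRA are assumptions.

```python
"""
Sum in/out traffic from `rrdtool fetch ... AVERAGE` output.

Instead of trusting the resolution passed with `-r`, the step is derived from
the timestamps rrdtool actually returned: when the requested resolution does
not exist in the file, rrdtool answers from a different RRA, and multiplying
per-second averages by the wrong step is what inflates the totals.
"""
import math
from typing import List, NamedTuple, Tuple

# Constructed sample of `rrdtool fetch wan-traffic.rrd AVERAGE -r 86400 ...`
# output (not real data). DS names `in`/`out` are assumed. Three days of
# constant traffic (1000 B/s in, 100 B/s out) came back at a 43200-second
# step, i.e. the coarsest RRA in the file, not the 86400 that was requested.
SAMPLE_FETCH_OUTPUT = """\
                                in                   out

1275350400: 1.0000000000e+03 1.0000000000e+02
1275393600: 1.0000000000e+03 1.0000000000e+02
1275436800: 1.0000000000e+03 1.0000000000e+02
1275480000: 1.0000000000e+03 1.0000000000e+02
1275523200: 1.0000000000e+03 1.0000000000e+02
1275566400: 1.0000000000e+03 1.0000000000e+02
1275609600: nan nan
"""


class TrafficTotal(NamedTuple):
    step: int          # seconds between consecutive returned rows
    rows: int          # rows that carried data (nan rows are skipped)
    in_bytes: float
    out_bytes: float


def parse_fetch_output(text: str) -> List[Tuple[int, List[float]]]:
    """Return (timestamp, values) pairs from rrdtool fetch output.

    The DS-name header and the blank separator contain no ':' and are
    skipped; 'nan' parses to float('nan') and is filtered by the callers.
    """
    rows = []
    for line in text.splitlines():
        ts_text, sep, rest = line.strip().partition(":")
        if not sep or not ts_text.isdigit():
            continue
        rows.append((int(ts_text), [float(v) for v in rest.split()]))
    return rows


def derive_step(rows: List[Tuple[int, List[float]]]) -> int:
    """The step is the single gap between consecutive timestamps."""
    gaps = {later[0] - earlier[0] for earlier, later in zip(rows, rows[1:])}
    if len(gaps) != 1:
        raise ValueError(f"need a regular series, got gaps {sorted(gaps)}")
    return gaps.pop()


def _has_data(vals: List[float]) -> bool:
    # Equivalent of the `grep -v nan` stage of the shell pipeline.
    return len(vals) >= 2 and not any(math.isnan(v) for v in vals[:2])


def summarize(text: str) -> TrafficTotal:
    """Total bytes, using the step rrdtool actually returned."""
    rows = parse_fetch_output(text)
    if len(rows) < 2:
        raise ValueError("need at least two rows to derive the step")
    step = derive_step(rows)
    in_b = out_b = 0.0
    counted = 0
    for _, vals in rows:
        if not _has_data(vals):
            continue
        in_b += vals[0] * step   # average B/s over the step -> bytes
        out_b += vals[1] * step
        counted += 1
    return TrafficTotal(step, counted, in_b, out_b)


def naive_total(text: str, assumed_step: int) -> Tuple[float, float]:
    """What the awk pipeline computes when it multiplies by the requested -r."""
    in_b = out_b = 0.0
    for _, vals in parse_fetch_output(text):
        if not _has_data(vals):
            continue
        in_b += vals[0] * assumed_step
        out_b += vals[1] * assumed_step
    return in_b, out_b


if __name__ == "__main__":
    t = summarize(SAMPLE_FETCH_OUTPUT)
    print(f"step={t.step}s rows={t.rows} "
          f"IN: {t.in_bytes / 2**20:.0f} MB  OUT: {t.out_bytes / 2**20:.0f} MB")
    ni, no = naive_total(SAMPLE_FETCH_OUTPUT, 86400)
    print(f"assuming -r 86400 instead: IN: {ni / 2**20:.0f} MB  "
          f"OUT: {no / 2**20:.0f} MB  (exactly double)")
```

Feeding real `rrdtool fetch` output through `summarize()` gives the same figures as the pipeline whenever the requested resolution exists in the file, and the correct ones when it does not.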



[pfSense Support] Bandwdith usage since start of month?

2010-06-18 Thread Adam Thompson
I'm trying to determine how much traffic I've transferred since the first of 
the month; the RRD graphs let me see the last month's worth of traffic but I 
can't see any way to specify custom ranges.

I vaguely remember seeing a package that let me select specific ranges on those 
graphs but I can't find it now (and I might be remembering something else 
altogether - who knows).

Is there a way to get this information?

Thanks,

-Adam Thompson
 Chief Technical Architect, C3A Inc.
 athom...@c3a.ca<mailto:athom...@c3a.ca>
 (204) 272-9628 / fax: (204) 272-8291



RE: [pfSense Support] BGP & ARP problems

2010-06-17 Thread Adam Thompson
This just keeps getting better :-)

Just after I sent the last message, I tried a traceroute that showed packets 
going the wrong way.  To my surprise (not), the kernel routing table was once 
again emptied of all BGP routes.

# netstat -rn | wc -l ; bgpctl show fib | wc -l
  81 
   10826 

I had "clog -f /var/log/system.log" running in the background on that terminal, 
there were NO messages emitted in the interval.  Of course neither bgpd nor the 
kernel are terribly verbose...

Any ideas what could be happening to cause bgpd (or the kernel) to suddenly 
yank all those routes?

By the time I finished typing this email, it's starting to fill back up:
# netstat -rn | wc -l ; bgpctl show fib | wc -l
 800
   11834

But unless I do a fib decouple/couple (see previous email) it doesn't seem to 
ever grow back to the ~11K it should.

Thanks for the help so far.

-Adam





RE: [pfSense Support] BGP & ARP problems

2010-06-17 Thread Adam Thompson
I added a simple "custom_options" field to /usr/local/pkg/openbgpd.xml and the 
corresponding code to /usr/local/pkg/openbgpd.inc - although the modifications 
are trivial, is there a correct way to submit a patch?  (BTW: the $config 
mechanism, coupled with the XML description files, looks quite simple - I'm 
very happy it was that easy to customize the configuration page!)


Anyway, after adding "deny from all prefix { 192.139.69.160/28 }" to bgpd.conf, 
I no longer see the particularly bizarre behaviour previously described.  
Instead I now see new bizarre behaviour :-).

Although I have "fib-update yes", the system routing table never fully fills at 
startup.
# netstat -rn | wc -l 
8781
# bgpctl show fib | wc -l
   11147

If I do a "bgpctl fib decouple", wait a minute for bgpd to finish complaining 
about all the routes that "vanished before delete", and then run "bgpctl fib 
couple" things seem to sync up correctly.

Killing and restarting bgpd reproduces the same behaviour - it's not just at 
boot.

After the decouple/couple commands, things look better:
# netstat -rn | wc -l ; bgpctl show fib | wc -l
   10332
   10340

I don't know enough about BSD networking internals to know where to start on 
this one!

Thanks,
-Adam





RE: [pfSense Support] BGP & ARP problems

2010-06-17 Thread Adam Thompson
Well, I'm seeing something similar but even odder.
The kernel route for the local subnet *appears* to be intact, but various 
diagnostic tools seem to disagree on that.
The pfSense GUI page Diagnostics->Routes shows a fairly small IPv4 routing 
table (20 routes including host routes for the LAN subnet).
Yet "netstat -rn -f inet | wc -l" shows... um... 24.  Oh, this gets better and 
better: my route table is flapping non-stop.  When I started typing this 
message less than 60 seconds ago "netstat -rn -f inet | grep 192.139.69" gave 
me about 4 screenfuls of routes before I hit ^C.

Yet even when I clearly have a connected route (as seen through netstat) the 
kernel refuses to send packets there:
(Whee - 30 seconds later the routes are back!)
# netstat -rn -f inet | grep ^192.139.69 ; ping 192.139.69.161
192.139.69.0/24192.139.69.161 UG1 00  vlan0
192.139.69.2/32192.139.69.161 UG1 00  vlan0
192.139.69.4/30192.139.69.161 UG1 00  vlan0
192.139.69.8/30192.139.69.161 UG1 00  vlan0
192.139.69.12/30   192.139.69.161 UG1 00  vlan0
192.139.69.24/29   192.139.69.161 UG1 00  vlan0
192.139.69.40/30   192.139.69.161 UG1 00  vlan0
192.139.69.48/28   192.139.69.161 UG1 00  vlan0
192.139.69.80/30   192.139.69.161 UG1 00  vlan0
192.139.69.84/30   192.139.69.161 UG1 00  vlan0
192.139.69.88/30   192.139.69.161 UG1 00  vlan0
192.139.69.92/30   192.139.69.161 UG1 00  vlan0
192.139.69.96/27   192.139.69.161 UG1 00  vlan0
192.139.69.100/30  192.139.69.161 UG1 00  vlan0
192.139.69.104/30  192.139.69.161 UG1 00  vlan0
192.139.69.108/30  192.139.69.161 UG1 00  vlan0
192.139.69.112/30  192.139.69.161 UG1 00  vlan0
192.139.69.128/27  192.139.69.161 UG1 00  vlan0
192.139.69.160/28  192.139.69.161 UGC   100   29  vlan0
192.139.69.176/28  192.139.69.161 UG1 00  vlan0
192.139.69.192/27  192.139.69.161 UG1 00  vlan0
192.139.69.255/32  192.139.69.161 UG1 00  vlan0
PING 192.139.69.161 (192.139.69.161): 56 data bytes
ping: sendto: Network is unreachable
ping: sendto: Network is unreachable
^C
--- 192.139.69.161 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss
#

And...
# tail /var/log/system.log
Jun 17 14:54:17 pfsense kernel: arplookup 192.139.69.161 failed: host 
is not on local network
Jun 17 14:54:17 pfsense kernel: arpresolve: can't allocate route for 
192.139.69.161
Jun 17 14:54:20 pfsense kernel: arplookup 192.139.69.161 failed: host 
is not on local network
Jun 17 14:54:20 pfsense kernel: arpresolve: can't allocate route for 
192.139.69.161
Jun 17 14:54:23 pfsense kernel: arplookup 192.139.69.161 failed: host 
is not on local network
Jun 17 14:54:23 pfsense kernel: arpresolve: can't allocate route for 
192.139.69.161
Jun 17 14:54:29 pfsense kernel: arplookup 192.139.69.161 failed: host 
is not on local network
Jun 17 14:54:29 pfsense kernel: arpresolve: can't allocate route for 
192.139.69.161
Jun 17 14:54:32 pfsense kernel: arplookup 192.139.69.161 failed: host 
is not on local network
Jun 17 14:54:32 pfsense kernel: arpresolve: can't allocate route for 
192.139.69.16CLOG▒▒|▒#
#

WTF is the garbage at the end of system.log?

One thing I do see (briefly!) in the routing table is a rather anomalous route 
for 192.139.69.160/28 via 192.139.69.161.  Which correlates perfectly with what 
Hans reported... I'm going to try adding a "deny inet prefix { 
192.139.69.160/28 }" to bgpd.conf and will report results.
-Adam





Re: [pfSense Support] BGP & ARP problems

2010-06-17 Thread Adam Thompson
Yes, it's the next-hop router on OPT1.  It's also my BGP peer.
-Adam

--Original Message--
From: Chris Buechler
To: support list, pfSense
ReplyTo: support list, pfSense
Subject: Re: [pfSense Support] BGP & ARP problems
Sent: Jun 17, 2010 15:46

On Thu, Jun 17, 2010 at 4:02 PM, Adam Thompson  wrote:
> So I've got OpenBGPd up and running fine on my pfSense 1.2.3-REL router (the 
> GUI makes setting things up so ridiculously simple it's amazing! Thanks, 
> guys!) but am now running into a secondary problem of some sort:
>
> arplookup 192.139.69.161 failed: host is not on local network

Is that on a local network?  i.e. it's within the subnet of one of
your interfaces?




Sent from my BlackBerry device on the Rogers Wireless Network



[pfSense Support] BGP & ARP problems

2010-06-17 Thread Adam Thompson
So I've got OpenBGPd up and running fine on my pfSense 1.2.3-REL router (the 
GUI makes setting things up so ridiculously simple it's amazing! Thanks, guys!) 
but am now running into a secondary problem of some sort:

arplookup 192.139.69.161 failed: host is not on local network
arpresolve: can't allocate route for 192.139.69.161

where 192.139.69.161 is my BGP peer.  These messages appear several dozen times 
in a ~15-minute period.  This started shortly after I imported BGP routes into 
the kernel FIB.  BGPd had received ~11000 routes from my peer, I had the FIB 
import flag set to "no" in the GUI, and used "bgpctl fib couple" to manually 
import them.  Everything seemed to work OK, so I switched the flag to "yes", 
killed and restarted bgpd.  (Didn't want to reboot router in the middle of the 
day.)
Shortly (<2 minutes, I think) thereafter I noticed my routing table shrinking 
from 11k+ to ~270 to ~200 to ... etc.  Noticed these messages in system log.  
Ran tcpdump on that vlan, noticed traffic inbound FROM that host but absolutely 
nothing going out from the pfSense host.

Any idea a) what I did wrong, and b) what I do to fix it?  I probably won't be 
able to reboot until several hours from now.

Thanks,

-Adam Thompson
 Chief Technical Architect, C3A Inc.
 athom...@c3a.ca<mailto:athom...@c3a.ca>
 (204) 272-9628 / fax: (204) 272-8291


Re: [pfSense Support] OPT1 and LAN cannot communicate

2010-06-13 Thread Adam Thompson
(Going from memory here...)
Check the "Block RFC1918 addresses" checkbox on the Interface configuration 
pages.  It should be set on WAN but not OPT1 or LAN.
-Adam Thompson 

Sent from my BlackBerry device on the Rogers Wireless Network




[pfSense Support] five BGP questions

2010-06-11 Thread Adam Thompson
I'm running pfSense (v1.2.3-RELEASE) as my gateway router right now.  Being 
located at a University I have a connection available for non-commercial 
traffic that is separate from my default ISP.

I'm currently connecting the WAN interface to the commercial ISP, OPT1 to the 
University, and using static routes to reach "academic" destinations.  (I've 
only set up four /16 static routes that encompass the local campus so far.)  
I'd like to route all traffic destined for CA*Net (and thus CENIC, I2, MREN, 
NLR, etc., etc.) out the secondary connection.

Since maintaining all those static routes by hand seems impossible, the 
university folks are willing to do private BGP peering so I can get the partial 
feed from their CA*Net router, which is about 13K routes.  (That's after 
aggregation, AFAIK.)

So:

1.   I see OpenBGPd in the packages tree, but at v4.2 - is there an 
interaction with pf that is clamping OpenBGPd to 4.2, or is it simply not 
actively maintained?

2.   There have been quite a few fixes in OpenBGPd between 4.2 and 4.6, 
including a few memory leaks and "reliability fixes" - are these likely to 
affect me in real-world use?  (I can live with rebooting the router once a week 
in exchange for not having to buy a carrier-grade router!)

3.   OpenBGPd merely inserts the relevant routes into the kernel's FIB; the 
last time I tried running a FIB with ~10K entries (by accident) it wasn't 
pretty.  Of course, that was OpenBSD 2.x, 10 years ago.  Is this a valid 
concern now?  Can pfSense 1.2.3 handle being a "core" router?

4.   I do not want to advertise anything at all; does leaving the 
"Networks" field blank in the UI accomplish this?  I assume the university will 
filter out anything I send them anyway, but I'd rather be a good neighbour.

5.   Do I need to be a BGP guru just to receive a partial feed and do what 
I'm talking about here?  Should I just give up and go home now?  I may be 
"smarter than your average bear" when it comes to basic and intermediate 
networking (up to and including OSPF, IGRP, etc.) but have never needed to use 
BGP before.

FYI, this is moderately important to me because the commercial ISP is 5 Mbps 
and we pay for traffic usage, whereas the university connection is 5 Gbps and 
it's included in the rent.  Obviously I'd rather divert traffic that way if 
it's headed for an academic/research destination!  (Yes, this is quite a 
similar situation to the fellow from South Africa last week, but I already know 
I can use BGP.)

Thank you,

-Adam Thompson
 Chief Technical Architect, C3A Inc.
 athom...@c3a.ca<mailto:athom...@c3a.ca>
 (204) 272-9628 x6004 / fax: (204) 272-8291