Re: [pfSense Support] Firewall drops all packets after upgrade from 1.2 to 1.2.3

2010-03-31 Thread Bastian Schern

On 30.03.2010 19:23, Chris Buechler wrote:
[...]


Then just go to System > Advanced and check Bypass firewall rules for
traffic on the same interface.



This option was already checked. Nothing changes if I uncheck the option.

Do you have any other ideas?

Regards
Bastian

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org



Re: [pfSense Support] Firewall drops all packets after upgrade from 1.2 to 1.2.3

2010-03-30 Thread Bastian Schern

On 26.03.2010 10:54, Chris Buechler wrote:
[...]


Probably asymmetric routing. The flags default in newer PF versions in
FreeBSD 7.x (pfSense 1.2.1, 1.2.2, 1.2.3) is much more strict than it
was in FreeBSD 6.2 (pfSense 1.2). So if the firewall isn't seeing the
entire connection (such as only traffic in one direction), it's going
to kill that state as it can't properly track the connection state, it
looks like spoofed traffic.

The fix is to first figure out where the problem is, what's causing
the asymmetric routing. Then the solution will depend on the cause.
There are many possible causes depending on what's in your network.



I think it has to do with the routing. The problem occurs only if the
requests come via a static route.
Do you have an idea how to find out where the problem with asymmetric
routing is?


Regards
Bastian

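The stricter flag matching Chris describes above, as an added illustration (not pfSense or pf code): a toy model of pf's state creation that compares the old "flags any" default with the newer "flags S/SA" default on a constructed SSH flow whose SYN took another path. The WAN rule set, the addresses and the `run_trace` helper are assumptions for the example.

```python
from collections import namedtuple

# Added illustration, not pfSense or pf code: a minimal model of how pf's
# default TCP flag matching decides whether a packet may create state.
# Old default ("flags any", pfSense 1.2 / FreeBSD 6.2): any TCP packet that
# matches a pass rule creates state, even one seen mid-connection.
# New default ("flags S/SA", FreeBSD 7.x, pfSense 1.2.1 to 1.2.3): only a
# packet with SYN set and ACK clear (a handshake opener) creates state.
Packet = namedtuple("Packet", "iface direction src sport dst dport flags")

DEFAULT_DENY = "block drop log quick all label Default deny rule"
# Hypothetical WAN rule set modelled on the post: SSH and HTTP/S allowed in.
RULES = [("wan", "in", 22), ("wan", "in", 80), ("wan", "in", 443)]


def flags_match(flags, policy):
    """Mirror pf's flags <check>/<mask> test for the two defaults."""
    if policy == "any":
        return True
    # "S/SA": of the SYN and ACK bits, SYN must be set and ACK clear
    return "S" in flags and "A" not in flags


def state_key(p):
    # One state entry per flow, regardless of direction
    return frozenset([(p.src, p.sport), (p.dst, p.dport)])


def filter_packet(p, states, policy):
    """Return the verdict for one packet and update the state table."""
    if state_key(p) in states:
        return "pass (existing state)"
    for iface, direction, dport in RULES:
        if (iface, direction, dport) == (p.iface, p.direction, p.dport) \
                and flags_match(p.flags, policy):
            states.add(state_key(p))
            return "pass (rule, new state)"
    return DEFAULT_DENY


def run_trace(policy, syn_seen):
    """Constructed SSH flow (documentation addresses). With syn_seen=False
    the client's SYN took another path, so pfSense only sees later packets."""
    c, s = ("203.0.113.5", 40000), ("198.51.100.10", 22)
    trace = [Packet("wan", "in", *c, *s, "A"), Packet("wan", "in", *c, *s, "PA")]
    if syn_seen:
        trace.insert(0, Packet("wan", "in", *c, *s, "S"))
    states = set()
    return [filter_packet(p, states, policy) for p in trace]
```

Under "flags any" the mid-stream ACK creates state and the flow passes; under "flags S/SA" both packets fall through to the default deny, which is the log entry the post quotes.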



[pfSense Support] Firewall drops all packets after upgrade from 1.2 to 1.2.3

2010-03-26 Thread Bastian Schern

Hi,

For many years I have run multiple pfSense firewalls very successfully.

Since 1.2.3-RELEASE was released I started to upgrade all my pfSenses to
this release. It works very well on nearly all machines. But on one
system I have problems:


After the upgrade from 1.2-RELEASE to 1.2.3-RELEASE all TCP packets on
the WAN interface are dropped by the default rule:

block drop out log quick all label Default deny rule

This is very strange because I have allowed TCP SSH and HTTP/S access on
this interface.


I have the same problem if I upgrade to other 1.2.x releases.
If I downgrade back to 1.2-RELEASE everything works fine again.

Does somebody have an idea how to find out what the problem is?

Regards
Bastian




[pfSense Support] Firewall ignores packets delivered via static routes

2009-08-05 Thread Bastian Schern
Hi,

I'm using pfSense as a Firewall and Router. It works very well except
one thing:

If a packet arrives from a network via a static route all firewall
rules are ignored. Everything passes. :-(
If the packets arrive via the default route it works as expected.

The configured static routes are applied to the WAN interface and most
of the interfaces have real public IPs. For these interfaces NAT is not used.

Does anybody know what's going wrong?

Regards
Bastian




Re: [pfSense Support] Firewall ignores packets delivered via static routes

2009-08-05 Thread Bastian Schern
Hi Keenan,

thanks for the quick answer.
I know that packets don't arrive via static routes. It was only a bad
description of the problem.

All static routes are created on the WAN interface. I don't know if it
is important for this case, but I'm using CARP for all interfaces to
create an HA router/firewall.

Here are some more details:

Interfaces
~~~~~~~~~~
WAN em0: xxx.xxx.196.108/28
WAN CARP: xxx.xxx.196.110/28
VLAN128 bge0: xxx.xxx.196.130/26
VLAN128 CARP: xxx.xxx.196.129/26

Static routes
~~~~~~~~~~~~~
dev:WAN  net:xxx.xxx.92.0/19  gw:xxx.xxx.196.107
dev:WAN  net:xxx.xxx.93.0/19  gw:xxx.xxx.196.107

Rules that do not work
~~~~~~~~~~~~~~~~~~~~~~
WAN: Block, ICMP, src: any, dst: any


Regards
Bastian

Keenan Tims wrote:
 If a packet arrives from a network via a static route all firewall
 rules are ignored. Everything passes. :-(
 If the packets arrive via the default route it works as expected.
 
 Packets don't arrive 'from' a static route; the static routes only
 affect outgoing traffic. Incoming packets will arrive on an interface
 and have a source and destination (end machine) address that you can use
 to filter them. As long as the rule is created on the *interface* the
 traffic arrives on, and has the appropriate filters set, it should apply
 to any traffic regardless of routing tables. Same goes for outgoing
 traffic destined to other routers.
 
 Is this not what's happening? If not, can you give us more information
 (what interface it arrives on, what you want to block and address and
 rule details), as your rules probably just need some tweaks.
 
 Keenan




[pfSense Support] TrafficShaper: is it not possible to create a additional parent queue?

2008-08-14 Thread Bastian Schern

Hello,

I tried to create an additional parent queue manually but it is not
possible for me at the moment. What am I doing wrong?


First I ran the wizard and then I tried to add a parent queue, but if I
try that I get this error:


--- snip ---
php: : There were error(s) loading the rules: /tmp/rules.debug:48: queue 
q_LAN has no parent /tmp/rules.debug:48: errors in queue definition 
pfctl: Syntax error in config file: pf rules not loaded - The line in 
question reads [48]: queue q_LAN bandwidth 100% priority 0 hfsc

--- snap ---

I don't understand the error message because 'This is a parent queue' 
was enabled for q_LAN.


Is this a bug?

Regards
Bastian




[pfSense Support] HOWTO install pfSense on ALIX board with 2,5 SSD HDD

2008-08-14 Thread Bastian Schern

Hi all,

I want to install pfSense 1.2 on a PC Engines ALIX.2C3 board with a 2.5 inch
solid state hard disk.


The installation of the embedded version on a CF card is no problem. But how
to install it on an SSD HDD?


It is not possible to boot from CD on the ALIX boards.

Any ideas?

Regards
Bastian




Re: [pfSense Support] TrafficShaper configuration for multiple LANs

2008-08-13 Thread Bastian Schern

Chris Buechler wrote:
[...]


It may be possible to configure it entirely manually rather than using 
the wizard, but I've never tried that so I don't know.




I tried to configure it manually but it is not possible to create a
parent queue.


First I ran the wizard and then I tried to add a parent queue, but if I
try that I get this error:


--- snip ---
php: : There were error(s) loading the rules: /tmp/rules.debug:48: queue 
q_LAN has no parent /tmp/rules.debug:48: errors in queue definition 
pfctl: Syntax error in config file: pf rules not loaded - The line in 
question reads [48]: queue q_LAN bandwidth 100% priority 0 hfsc

--- snap ---

I don't understand the error message because 'This is a parent queue' 
was enabled for q_LAN.


Is this a bug?

Regards
Bastian




[pfSense Support] TrafficShaper configuration for multiple LANs

2008-08-07 Thread Bastian Schern

Hi,

I'm very happy with the pfSense Project. Very great job. Thanks to all.

But I have some problems configuring the traffic shaper for multiple LANs.

I installed pfSense 1.2 on a machine with four 10/100-Ethernet 
interfaces (named WAN, LAN, VoIP and DMZ).


            |
  +---------+---------+
  |   WAN (2048/512)  |
  |                   |
  |      pfSense      |
  |                   |
  |  LAN   VoIP  DMZ  |
  +---+-----+-----+---+
      |     |     |

The WAN port is connected via PPPoE to a DSL Carrier with 2048 Kbit/s 
down- and 512 Kbit/s upstream.


Connected to the LAN interface are all PCs, file servers, printers, ...

Connected to the VoIP interface are an Asterisk PBX and a lot of IP phones.

The mail server and web server are connected to the DMZ interface.


Now I have the problem of configuring the traffic shaper. With the wizard
I can only configure one LAN and one WAN interface, but I want to
prioritize VoIP-LAN to WAN and WAN to VoIP over all other interfaces.


Which queues do I have to create?


Thanks in advance
Bastian




Re: [pfSense Support] TrafficShaper configuration for multiple LANs

2008-08-07 Thread Bastian Schern

Chris Buechler wrote:
[...]
It's only compatible with two interface systems (LAN and WAN) in 1.2. 
You'll have to wait for 1.3 for this.




Okay.
What happens if I configure the traffic shaper only for the VoIP interface and
WAN and a lot of traffic is going from LAN to WAN?

Does it have any effect on LAN to WAN?

Bastian




[pfSense Support] Howto set atacontrol mode ad0 udma4

2006-10-20 Thread Bastian Schern
Hello everybody,

I have a little trouble installing pfSense properly. My system produces
no IDE errors only when I set the DMA mode to UDMA66.

#: atacontrol mode ad0 udma4

In which file must I insert the above atacontrol command to keep this
setting persistent?


Cheers
Bastian




[pfSense Support] Install/Boot-problems on SUPERMICRO P8SCT

2005-09-14 Thread Bastian Schern

Hi,

I am trying to install pfSense on a 19-inch 1U system with LCD display. Inside
the case is a SUPERMICRO P8SCT mainboard
(http://www.supermicro.com/products/motherboard/P4/E7221/P8SCT.cfm) with
an Intel Celeron 345J (3.06GHz) CPU, 512MB DDR2-RAM, 2× S-ATA 40GB.


If I try to boot from the live CD through a USB CD drive I get this message:
--- snip ---
Boot from CD...
CD Loader 1.2

[...]

BTX Loader 1.0  BTX Version 1.01

[...]
[some addresses/numbers]

BTX halted
--- snap ---

What can I do to install pfSense on that system?

Regards
Bastian





Re: [pfSense Support] Virtual IPs not working

2005-08-22 Thread Bastian Schern

Chris Buechler wrote:
[...]

It looks like the virtual IPs do not exist. If I try to ping e.g.
192.168.3.1 I get Destination Host Unreachable.



From the firewall itself?  I don't think that'll work (due to loopback
issues).  If traffic passes in and out just fine, as intended, then
you're set.



With ping directly from the firewall itself I get a response like this:
--- snip ---
# ping -c 5 192.168.3.1
PING 192.168.3.1 (192.168.3.1): 56 data bytes
64 bytes from 192.168.3.1: icmp_seq=0 ttl=253 time=69.730 ms
64 bytes from 192.168.3.1: icmp_seq=1 ttl=253 time=124.443 ms
64 bytes from 192.168.3.1: icmp_seq=2 ttl=253 time=67.473 ms
64 bytes from 192.168.3.1: icmp_seq=3 ttl=253 time=170.599 ms
64 bytes from 192.168.3.1: icmp_seq=4 ttl=253 time=144.830 ms

--- 192.168.3.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 67.473/115.415/170.599/40.933 ms
--- snap ---

The response is definitely not from the FW. With traceroute I can 
trace this response back to a host inside the LAN of my ISP. :-(



From a host inside my LAN I got this response:
--- snip ---
[EMAIL PROTECTED]:~ ping -c 5 192.168.3.1
PING 192.168.3.1 (192.168.3.1) 56(84) bytes of data.
From 192.168.3.2: icmp_seq=2 Destination Host Unreachable
From 192.168.3.2 icmp_seq=2 Destination Host Unreachable
From 192.168.3.2 icmp_seq=3 Destination Host Unreachable
From 192.168.3.2 icmp_seq=4 Destination Host Unreachable
From 192.168.3.2 icmp_seq=5 Destination Host Unreachable

--- 192.168.3.1 ping statistics ---
5 packets transmitted, 0 received, +5 errors, 100% packet loss, time 
4000ms, pipe 3

--- snap ---

192.168.3.2 is the IP of my LAN Host.



But if I try to set up the virtual IP manually I get this:

# ifconfig rl1 inet 192.168.3.1 netmask 255.255.255.0 alias



That's not how virtual IP's work.  There are no aliases, it's all
proxy ARP'ed in some fashion and handled that way.  When you bind IP's
to the box like that, the services running on it also tend to want to
bind to those IP's, and the whole thing becomes a big mess (not to
mention potentially opening up more access to your firewall than you
intend).



Okay, I believe you, but what can I do to solve my problem with my three
LAN subnets: 192.168.0.0/24 (main), 192.168.3.0/24 and 192.168.101.0/24?
All of them are located on the same physical interface and at the
moment it is not possible to join the subnets.

Is there a way to handle that configuration?

Regards
Bastian




[pfSense Support] There were error(s) loading the rules

2005-08-19 Thread Bastian Schern

Hello,

I have some problems with pfSense 0.77. I got this message:

php: : There were error(s) loading the rules: /tmp/rules.debug:110: 
syntax error /tmp/rules.debug:111: syntax error /tmp/rules.debug:112: 
syntax error /tmp/rules.debug:113: syntax error /tmp/rules.debug:114: 
syntax error /tmp/rules.debug:115: syntax error /tmp/rules.debug:116: 
syntax error pfctl: Syntax error in config file: pf rules not loaded - 
The line in question reads [110]: pass quick on rl0 proto esp from 
172.16.0.72 to keep state label IPSEC: esp proto


The problem is now: the pfSense will not route any longer!
From the LAN side it is possible to ping the WAN interface of the FW 
(172.16.0.72) but it is not possible to ping any other host (e.g. 
172.16.0.71) in front of the WAN interface.
Directly from the FW (via the web interface) it is possible to ping hosts in
front of the WAN interface.


What is going wrong?

Regards
Bastian
