[pfSense Support] HEADS UP: this mailing list has moved
The mailing list has moved to l...@lists.pfsense.org. This list server is being decommissioned. Your email address on this list has been subscribed to the new list, and you will receive a welcome message on that list shortly. The old support@ and discussion@ emails will bounce. Feel free to continue existing threads, but you'll have to change the to address to l...@lists.pfsense.org.

Chris

To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com
Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] how to block the bit torrent
On Fri, Sep 2, 2011 at 12:23 PM, Glenn Kelley gl...@typo3usa.com wrote:
> There is a PFSense 2 book available for the Kindle or paperback - in Amazon Store - just search for PFSENSE

Not official, and poorly done. Wouldn't recommend it, our 1.2.x book is more helpful with 2.0.
Re: [pfSense Support] Block Website
On Thu, Sep 1, 2011 at 1:02 PM, suresh suresh suresh.notion...@gmail.com wrote:
> Hi All,
> How to block the website in pfsense 1.2.3

http://lmgtfy.com/?q=block+website+site%3Adoc.pfsense.org

Please, before you bombard over 1000 people on this mailing list with the most basic of FAQs, much less 20 times a day, search.
Re: [pfSense Support] PPTP not working after update on Tuesday
On Thu, Sep 1, 2011 at 1:31 PM, Vick Khera vi...@khera.org wrote:
> Office firewall has been running 2.0-RC2 from some time in May. PPTP was working fine and dandy from iOS devices. Just click the vpn on and off you went. Yesterday I updated the firewall to the latest snapshot of RC3 (Aug 30 18:45:48). Since this time, after the PPTP connect succeeds. The pfSense logs show full success and assignment of the IP address to the client, yet no traffic will pass. The only two tools to test on the iOS device are mail and the browser, and neither makes a connection to the server inside the office. The PPTP firewall filter tab has the allow rule. No other changes were made to the configuration other than running the upgrade. If I ping back from the inside host to the assigned IP, it replies sendto: Host is down *immediately*. Normally pinging a dead IP takes a while before it responds with that.

That's from a kernel patch that was in one day's snapshots, it's since been reverted. Downgrade to something from the 29th, or early on the 30th, or upgrade to the one that'll come out in the next few hours.
Re: [pfSense Support] ntop crashes
On Wed, Aug 31, 2011 at 6:38 AM, Nick Upson n...@telensa.com wrote:
> Hi, running pfsense 1.2.3, ntop 3.3.8. after a few mins ntop crashes with the following message in syslog
> kernel: pid 43126 (ntop), uid 0: exited on signal 11 (core dumped)

Welcome to the wonderful world of ntop. It has problems in general that cause it to crash repeatedly for many users on FreeBSD, though a lot of people never have an issue. In general, if you do, you may not be able to use it. Some have hacked in a monitoring script to restart it after it crashes.
Re: [pfSense Support] Subnets in same NIC
On Tue, Aug 30, 2011 at 8:39 PM, Ivanildo Galvão - IT Services ivani...@itservices.com.br wrote:
> Yeah, I know it works with VLAN, but wanted to implement something simpler, the problem is that the customer had this scenario before working with Proxy with Linux and pfSense he wants to have the same solution, on Linux it had a single NIC which was subdivided into 03 virtual eth, eth each subnet represents a ranger, according to the MAC filter stations put Linux on their respective networks. I downloaded the version of pfSense RC3 today, here in VMware Workstation installed to see if I can find some option, but so far I see nothing that addresses this need.

That's what IP alias virtual IPs are for. It's generally not a good practice to do so as having multiple subnets on a single broadcast domain is ugly, largely pointless, and considered poor network design, but you can.
Re: [pfSense Support] DHCP scope,
On Mon, Aug 29, 2011 at 4:04 PM, greg whynott greg.whyn...@gmail.com wrote:
> Hi, Is it possible to have the pfSense fw provide DHCP services to a network which lives one hop beyond the pfSense's INSIDE directly connected network? On the router i configured an ip-helper address, i then went to configure the pfSense's DHCP service but it is complaining about the network not matching that of the network which the INSIDE interface is within. is there a way around that? (is it ok to edit files manually without breaking things)..
>
> OUTSIDE==[pfS-FW]==[router]==[network requiring DHCP]
>
> i've already brought up a DHCP server elsewhere, but thought i'd ask about this anyway. having scopes which don't match an interface connected to the DHCP server(pfSense) doesn't seem like an uncommon thing, i just wanted to make sure i wasn't missing a config option somewhere, and ask...

Not possible. Not uncommon to have deployments like that, but first I've heard of anyone with a network like that wanting to run DHCP on the firewall, generally those networks have a DHCP server in place elsewhere.
Re: [pfSense Support] syslog messages
On Fri, Aug 26, 2011 at 11:56 AM, k_o_l k_...@hotmail.com wrote:
> My syslog server is being filled with the following generated by pfsense-2.0-RC3
> 169.254.1.213.56971 169.254.1.255.5000: UDP, length 12

Some device on your LAN with that autoconfigured 169.254.1.213 (which, unless that's your LAN subnet, means a machine that can't get a DHCP lease) is sending out broadcast UDP 5000 traffic.
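An added example, not part of the original thread and not pfSense code: a log triage script that finds hosts like the one described in the reply above, that is, sources in the autoconfiguration range 169.254.0.0/16 sending to a broadcast address. The sample lines are constructed in tcpdump's `src.port > dst.port: PROTO, length N` form, and the `192.168.1.0/24` LAN subnet is an assumption.

```python
import ipaddress
import re
from collections import Counter

# RFC 3927 autoconfiguration range: a host picks an address here when it
# cannot obtain a DHCP lease.
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

# tcpdump-style flow text. The ">" between the endpoints is optional because
# some log viewers and mail archives strip it.
FLOW_RE = re.compile(
    r"(?<![\d.])(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d{1,5})\s+(?:>\s+)?"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d{1,5}):\s+"
    r"(?P<proto>[A-Za-z]+),\s+length\s+(?P<length>\d+)"
)


def parse_flow(line):
    """Return the flow fields of one log line, or None if it carries no flow."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    try:
        src = ipaddress.ip_address(m.group("src"))
        dst = ipaddress.ip_address(m.group("dst"))
    except ValueError:  # e.g. an octet above 255
        return None
    return {
        "src": src,
        "dst": dst,
        "sport": int(m.group("sport")),
        "dport": int(m.group("dport")),
        "proto": m.group("proto").upper(),
        "length": int(m.group("length")),
    }


def find_link_local_broadcasters(lines, lan_network="192.168.1.0/24"):
    """Count broadcast flows per (source, destination port, protocol) that
    originate from a 169.254.0.0/16 address.

    lan_network is the configured LAN subnet (assumed value by default). If
    the LAN itself is numbered out of 169.254.0.0/16, such sources are
    expected and nothing is reported.
    """
    lan = ipaddress.ip_network(lan_network)
    hits = Counter()
    if lan.overlaps(LINK_LOCAL):
        return hits
    for line in lines:
        flow = parse_flow(line)
        if flow is None or flow["src"] not in LINK_LOCAL:
            continue
        # Directed broadcast as the sender would compute it with the LAN's mask.
        directed = ipaddress.ip_network(
            f"{flow['src']}/{lan.prefixlen}", strict=False
        ).broadcast_address
        if flow["dst"] in (LIMITED_BROADCAST, directed):
            hits[(str(flow["src"]), flow["dport"], flow["proto"])] += 1
    return hits


# Constructed sample lines (not taken from the thread's syslog server).
SAMPLE_LOG = [
    "Aug 26 11:50:01 pfsense pf: 169.254.1.213.56971 > 169.254.1.255.5000: UDP, length 12",
    "Aug 26 11:50:03 pfsense pf: 169.254.1.213.56971 169.254.1.255.5000: UDP, length 12",
    "Aug 26 11:50:04 pfsense pf: 192.168.1.20.51514 > 192.168.1.255.137: UDP, length 50",
    "Aug 26 11:50:05 pfsense pf: 169.254.7.9.49152 > 255.255.255.255.17500: UDP, length 120",
    "Aug 26 11:50:06 pfsense pf: 169.254.1.213.40000 > 8.8.8.8.53: UDP, length 40",
    "Aug 26 11:50:07 pfsense dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via vr0",
]

if __name__ == "__main__":
    for (src, dport, proto), count in find_link_local_broadcasters(SAMPLE_LOG).most_common():
        print(f"{src} sent {count} broadcast {proto} packet(s) to port {dport}")
```

Each reported source is a machine to track down by MAC address and check for a failed DHCP exchange.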
Re: [pfSense Support] Happy Birthday Chris
On Thu, Aug 18, 2011 at 1:18 AM, Glenn Kelley gl...@typo3usa.com wrote:
> Happy Birthday Chris

Thanks!
Re: [pfSense Support] Restrict bandwidth for a virtual ip
On Thu, Aug 18, 2011 at 6:35 AM, Shibashish shi...@gmail.com wrote:
> Hi, I have pfSense Version2.0-RC1 (i386) which runs multiple websites and acts as a load balancer too. I have a website which is eating up all my bandwidth. I want to restrict that ip to use 10Mbps of my bandwidth and keep the rest for others. How do I restrict that one ip to not eat all my bandwidth?

The easiest way to just limit one host is to create two limiters for that host, one for upload and one for download. Then create firewall rules that pass traffic to/from that host only and specify the limiter on those rules. You can go through the process of setting up the traffic shaper in its entirety, but that's quite a bit more effort than necessary if the above is all you want to accomplish.
Re: [pfSense Support] PPTP Broken in latest AMD 2.0 Snapshots
On Wed, Aug 17, 2011 at 3:38 PM, Adam Piasecki apiase...@midatlanticbb.com wrote:
> Same config works with i386, does not work with AMD.. PPTP clients on AMD can not send traffic over IPSEC Tunnels or traffic out to the internet. PPTP to the local LAN works fine with AMD. I386 works with everything.

That's this. http://redmine.pfsense.org/issues/1107

Fixing that broke PPPoE entirely on AMD64, doubt if that gets fixed for 2.0.
Re: [pfSense Support] PPTP Broken in latest AMD 2.0 Snapshots
On Wed, Aug 17, 2011 at 3:54 PM, David Burgess apt@gmail.com wrote:
> On Wed, Aug 17, 2011 at 1:49 PM, Chris Buechler cbuech...@gmail.com wrote:
>> http://redmine.pfsense.org/issues/1107 Fixing that broke PPPoE entirely on AMD64, doubt if that gets fixed for 2.0.
>
> Can you please clarify? Are you saying that folks who use PPPoE on the WAN should not update to the newer 2.0 snaps until this is resolved post-2.0?

That was only an issue for a couple days back in July, PPPoE was broken on AMD64, and that particular PPTP issue was fixed. It's been back to normal (PPTP in some circumstances on AMD64 broken, PPPoE works fine) for ~3 weeks.
Re: [pfSense Support] Monitor IP in gateway, strange behavior
On Wed, Aug 17, 2011 at 5:45 PM, Diego Barrios s...@techsystem.com.br wrote:
> Hi folks, I`m not sure if this could be a bug, but i`ve just installed a new PFSense 2.0RC3 (latest snapshop) with 3 NICs, 1 LAN + 2 WAN When i use the same monitor IP on both WANs

You can't do that. The GUI prevents configuring that and it works correctly as far as I've seen, the GUI let you configure that?
RE: [pfSense Support] Imspector
Cleber,

I've always configured the imspector package to log to a remote mysql server. IMSpector is also capable of logging to a local SQLite database, but I don't know whether the pfSense package has implemented this.

Chris

From: Cleber L. Medina [mailto:clebermed...@gmail.com]
Sent: Tuesday, August 16, 2011 1:38 PM
To: support@pfsense.com
Subject: [pfSense Support] Imspector

I´m using a imspector 0.9-4, my pfsense is 2.0-RC3 (amd64) , but it log nothing, I just set Enable IMSpector I need to set other option? I need to use a mysql server? How I install mysql on a pfsense machine?

Thanks
Cleber
RE: [pfSense Support] MAC ADDRESS
Suresh,

Please clarify your question. Are you asking about MAC cloning or something else?

Chris

From: suresh suresh [mailto:suresh.notion...@gmail.com]
Sent: Tuesday, August 16, 2011 3:35 PM
To: support@pfsense.com
Subject: [pfSense Support] MAC ADDRESS

HI, how to add the mac address please help me thank you,
Re: [pfSense Support] Imspector
On Tue, Aug 16, 2011 at 6:22 PM, Cleber L. Medina clebermed...@gmail.com wrote:
> If I install a freebsd mysql package on pfsense It can work.. its is possible?

You don't need it, and don't want to do that regardless.
Re: [pfSense Support] VPN Failover Backup
On Sat, Aug 13, 2011 at 11:04 PM, David Miller davi...@gmail.com wrote:
> I may have spoken too quickly last time as what I said made a lot, probably too many, assumptions about your network. So let's start over and say as with most networking things it depends. You've mentioned that the wireless links are bridges but you also said that you believe that the switches are layer 3 and may be used for routing. So the first thing you need to figure out is if the traffic is being passed between buildings are just forwarded between buildings using layer 2 mechanisms or is the traffic being routed by a router, which may be a layer 3 switch in your case. So if you're dealing with a network that's routing traffic between the buildings then my original reply stands.

Yeah that's the usual scenario for multiple buildings, you have one or several IP subnets per building, with everything routed between. Then accomplishing failover with a VPN and OSPF is pretty straight forward. If it's all one big or several big broadcast domains across buildings, that's not the best design and makes failover to VPN difficult to impossible to accomplish regardless of what network equipment you're using. Aside from other reasons you generally want to keep broadcast domains limited to one physical location in such networks, like isolating layer 2 problems to a single building, limiting broadcast traffic, etc. May need a pretty considerable change to make VPN failover reasonable if everything is bridged together.

This sounds like the kind of scenario where you could benefit greatly from a few hours of our time to go over your entire network design and implement an appropriate solution. We have numerous customers in similar scenarios, responsible for a thousand different things with minimal time to work on such projects, and we can make your life a lot easier in that regard and save you a bunch of time. Also an in-depth network review is generally beyond what you'll be able to get thorough assistance with on a mailing list as it's time consuming (and probably more than you want to publicly divulge). See commercial support link in the footer for info.
Re: [pfSense Support] policy routing issue : stumped : more
On Fri, Aug 12, 2011 at 9:54 AM, mayak-cq ma...@australsat.com wrote:
> hi again, i am now wondering why it is necessary to have gateway defined in the WAN interface ...

Because that's what determines for NAT purposes whether something is treated as a WAN.

> if in the gateway definition, a gateway is flagged as the default, that should be enough, no?

That's where your Internet traffic that doesn't match policy routing goes.

> what appears to be happening is that policy routes as defined in LAN rules are being overwritten by the gateway as defined in the WAN interface.

It does not, policy routing rules override the system routing table.
Re: [pfSense Support] BGP support in 2.0
On Tue, Aug 9, 2011 at 8:02 AM, Dan Candea dan.can...@quah.ro wrote:
> On 04.08.2011 00:11, Chris Buechler wrote:
>> On Wed, Aug 3, 2011 at 7:43 AM, Adam Thompson athom...@athompso.net wrote:
>>> I've been accepting ~ 13k routes inbound advertising nothing. So that part works, too. Now you just need confirmation from someone who does both!
>>
>> I setup one that does both last week, gets full Internet routing table, ~360K routes each, from two providers. And advertises their AS.
>
> could you tell us the hardware configuration?

Depends on how much bandwidth you're using, and how many routing tables you're getting. Two full Internet routing tables, a total of around 730K routes, was taking up somewhere around 400-500 MB RAM. The other hardware sizing factors are no different from any other install, see the hardware sizing guide on www.pfsense.org.
Re: [pfSense Support] Cannot access the http://forum.pfsense.org/
On Tue, Aug 9, 2011 at 7:16 AM, TKOAK liugann...@gmail.com wrote:
> Right, the *.pfsense.org is not blocked by the Chinese GFW. At present, I can visit any sub-domain at pfsense.org directly(without proxy), except the forum.pfsense.org.

Your account hasn't triggered any bans on the forum in almost a month as far as we can tell. If you're still having issues, go to http://pfsense.org/ip.php and email me directly with what that's showing as your IP.
Re: [pfSense Support] Cannot access the http://forum.pfsense.org/
On Tue, Aug 9, 2011 at 1:55 AM, Bart Grefte b...@ravenslair.nl wrote:
> You need a proxy just to open websites like pfSense.org and YouTube?

They do block quite a few things, but not any of our sites currently (they used to block our blog when it was hosted on blogspot, but *.pfsense.org sites were fine). We see a couple thousand visits a week to our forum alone from IPs in China, I haven't heard of any *.pfsense.org sites being inaccessible there.

That proxy is indeed banned for abuse at some point in the past, though I don't see any recent hits on it aside from this person's attempts. Oddly though, I can't seem to find the ban in SMF (though their ban GUI isn't all that great for finding a specific ban when you have thousands of them). I'll have to dig through the database manually at some point to find it, probably be a few days before I have time. In the mean time, accessing directly without the proxy should work just fine.
Re: [pfSense Support] Cannot access the http://forum.pfsense.org/
On Mon, Aug 8, 2011 at 9:24 AM, TKOAK liugann...@gmail.com wrote:
> I got the Sorry Guest, you are banned from using this forum! message often... Can somebody help me to solve this problem!

I don't see an account under this email address so not sure. It probably means you have an IP that a spammer previously had, in which case I can probably remove that ban. Otherwise if you're using a shady VPN or proxy provider of some sort, you'll just have to stop using that, too much abuse from some of those. Send me your account info and IP off-list and I'll check into it.
Re: [pfSense Support] Fwd: Squid uninstall/install problem
On Sun, Aug 7, 2011 at 11:20 AM, Carlos Vicente cjpvice...@gmail.com wrote:
> Hi again, this problem is on a production pfSense. Is there a way of removing any reference of squid on GUI? I think it's uninstalled from system. I need to reinstall the package.

Backup the config, manually remove anything related to it, and restore is one way. Could be something easier but not sure what you're seeing there.
Re: [pfSense Support] BGP support in 2.0
On Wed, Aug 3, 2011 at 2:20 AM, Typo3 on Gmail gl...@typo3usa.com wrote:
> Does 2.x have BGP support ?

Yes, and considerably improved from 1.2.3 where you have a full Internet routing table or two as we've done some tweaks there to prevent PHP from running out of memory with very large routing tables.

> Chris - tried to shoot you a msg via skype about a quote - if you can hit me up off list - that be great as well :-)

Send me the info you mentioned offlist.
Re: [pfSense Support] BGP support in 2.0
On Wed, Aug 3, 2011 at 7:43 AM, Adam Thompson athom...@athompso.net wrote:
> I've been accepting ~ 13k routes inbound advertising nothing. So that part works, too. Now you just need confirmation from someone who does both!

I setup one that does both last week, gets full Internet routing table, ~360K routes each, from two providers. And advertises their AS.
Re: [pfSense Support] php: : Could not open /usr/local/etc/snort/suppress/ for writing.
On Wed, Aug 3, 2011 at 1:11 PM, Ernst den Broeder erns...@gmail.com wrote:
> I am seeing this message in the system logs:
> php: : Could not open /usr/local/etc/snort/suppress/ for writing.
> Here's the version info:
> pfsense 2.0-RC3 (i386) (hard disk installation)
> snort 2.8.6.1 pkg v. 1.34

That's an old version of the package, a huge number of fixes went in this week. Uninstall and reinstall the package and that shouldn't be an issue.
Re: [pfSense Support] BGP support in 2.0
On Wed, Aug 3, 2011 at 6:19 PM, Nathan Eisenberg nat...@atlasnetworks.us wrote:
>> I setup one that does both last week, gets full Internet routing table, ~360K routes each, from two providers. And advertises their AS.
>
> What about IPv6? ;)

Should work on the 2.1 branch with manual bgpd.conf configuration, haven't tried it though.
Re: [pfSense Support] Dual WAN with cable modem (dhcp) and ADSL (pppoe) with static IP (and IPv6)
On Mon, Aug 1, 2011 at 10:06 AM, Eugen Leitl eu...@leitl.org wrote:
> I'm running a pfSense 2.0RC3 (with 4 physical NICs) at home with cable modem on WAN assigned by DHCP. Works well -- unless it's down. I'm thinking about adding an ADSL line and run dual-WAN for redundancy and load-leveling. The ADSL is PPPoE with static IP but also offers IPv6 (local provider MNet). Latter appears to require some modifications http://carsten.schoene.cc/2011/03/natives-ipv6-auf-einem-m-net-dsl-anschluss/ (ppp, pppoe, wide-dhcpv6, radvd, etc.).
>
> 1) Will pfSense be able to handle the simple case (dual-WAN with load-leveling, one interface DHCP, another PPPOE)?

Yes, no problem.

> 2) Any chances with getting IPv6 with ADSL working, given above complications?

Depends on how your IPv6 is delivered (assuming it's native, if a tunnel it's fine). If it's statically routed, definitely not a problem. I'm not sure offhand the status of the various dynamic IPv6 WANs, I know some work remains to be done there in general.
RE: [pfSense Support] To integrate AD users to specific rule groups
Isamar,

The captive portal in m0n0wall/pfSense isn’t capable of direct LDAP queries, unless something has changed recently. However, it is capable of RADIUS authentication. Since you have an Active Directory environment, it’s a trivial matter to setup IAS (2003) or NPS (2008) to handle RADIUS requests on one of your domain controllers. I’m not aware of a method to accomplish item two.

Chris

From: Isamar Maia [mailto:isa...@gmail.com]
Sent: Saturday, July 30, 2011 7:15 AM
To: support@pfsense.com
Subject: [pfSense Support] To integrate AD users to specific rule groups

Hi Folks,

Is there any way with PfSense to integrate AD authenticated users with rules groups. I mean, we wish to:

1) Integrate the Captive portal functionality to authenticate users to the Windows AD server
2) Attach specific users to specific firewall and squid filtering rules. Like: HR departament users can access only HR related sites,etc.

Is that currently possible ?

--
Isamar Maia
Cel. VIVO SSA: (55) 71-9146-8575
Cel. TIM SSA: (55) 71-9185-5264
Fixo: (55) 71-4062-8688
日本: +81-(0)3-4550-1212
Skype ID: isamar.maia
RE: [pfSense Support] Fwd: GB-1200
Brian,

Have you tried the method to resolve such an issue described here: http://forum.pfsense.org/index.php?topic=21194.msg109995#msg109995 ? If you haven't and have a spare pfSense/FreeBSD box, give it a try.

-----Original Message-----
From: Brian Henson [mailto:marin...@gmail.com]
Sent: Friday, July 29, 2011 2:45 AM
To: support@pfsense.com
Subject: [pfSense Support] Fwd: GB-1200

I have a problem booting both 1.2.3 and 2.0 rc3 on the GB-1200. It hangs each time on Trying to mount root from ufs:/dev/ufs/pfsense0. below is the boot log up until that point. thank you in advance

1 FreeBSD 2 FreeBSD Boot: 1 /boot.config: -h Consoles: serial port BIOS drive C: is disk0 BIOS 639kB/129984kB available memory FreeBSD/i386 bootstrap loader, Revision 1.1 (sullrich@FreeBSD_7.2_pfSense_1.2.3_snaps.pfsense.org, Mon Dec 7 23:00:35 EST 2009) Loading /boot/defaults/loader.conf /boot/kernel/kernel text=0x739788 data=0x13cf6c+0x51c80 / \ Hit [Enter] to boot immediately, or any other key for command prompt. Booting [/boot/kernel/kernel]... Copyright (c) 1992-2009 The FreeBSD Project. Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994 The Regents of the University of California. All rights reserved. FreeBSD is a registered trademark of The FreeBSD Foundation. FreeBSD 7.2-RELEASE-p5 #0: Mon Dec 7 23:21:27 EST 2009 sullrich@FreeBSD_7.2_pfSense_1.2.3_snaps.pfsense.org:/usr/obj.pfSense/usr/pfSensesrc/src/sys/pfSense_wrap.7.i386 Timecounter i8254 frequency 1193182 Hz quality 0 CPU: Intel(R) Celeron(TM) CPU 1200MHz (1196.12-MHz 686-class CPU) Origin = GenuineIntel Id = 0x6b1 Stepping = 1 Features=0x383f9ffFPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE real memory = 134152192 (127 MB) avail memory = 117354496 (111 MB) wlan: mac acl policy registered cryptosoft0: software crypto on motherboard padlock0: No ACE support.
acpi0: IntelR AWRDACPI on motherboard acpi0: [ITHREAD] acpi0: Power Button (fixed) acpi0: reservation of 0, a (3) failed acpi0: reservation of 10, 7ef (3) failed Timecounter ACPI-fast frequency 3579545 Hz quality 1000 acpi_timer0: 24-bit timer at 3.579545MHz port 0x4008-0x400b on acpi0 acpi_button0: Power Button on acpi0 pcib0: ACPI Host-PCI bridge port 0xcf8-0xcff,0x4000-0x40f7 on acpi0 pci0: ACPI PCI bus on pcib0 pcib1: PCI-PCI bridge at device 1.0 on pci0 pci1: PCI bus on pcib1 pcib2: ACPI PCI-PCI bridge at device 30.0 on pci0 pci2: ACPI PCI bus on pcib2 fxp0: Intel 82559ER Embedded 10/100 Ethernet port 0xa800-0xa83f mem 0xd7081000-0xd7081fff,0xd704-0xd705 irq 12 at device 4.0 on pci2 miibus0: MII bus on fxp0 inphy0: i82555 10/100 media interface PHY 1 on miibus0 inphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto fxp0: Ethernet address: 00:d0:68:04:a4:0e fxp0: [ITHREAD] fxp1: Intel 82559ER Embedded 10/100 Ethernet port 0xa000-0xa03f mem 0xd708-0xd7080fff,0xd700-0xd701 irq 11 at device 5.0 on pci2 miibus1: MII bus on fxp1 inphy1: i82555 10/100 media interface PHY 1 on miibus1 inphy1: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto fxp1: Ethernet address: 00:d0:68:04:a4:0f fxp1: [ITHREAD] fxp2: Intel 82559ER Embedded 10/100 Ethernet port 0xa400-0xa43f mem 0xd7083000-0xd7083fff,0xd702-0xd703 irq 10 at device 6.0 on pci2 miibus2: MII bus on fxp2 inphy2: i82555 10/100 media interface PHY 1 on miibus2 inphy2: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto fxp2: Ethernet address: 00:d0:68:04:a4:10 fxp2: [ITHREAD] pcib3: PCI-PCI bridge at device 7.0 on pci2 pci3: PCI bus on pcib3 dc0: Intel 21143 10/100BaseTX port 0x9000-0x907f mem 0xd600-0xd60003ff irq 10 at device 4.0 on pci3 miibus3: MII bus on dc0 ukphy0: Generic IEEE 802.3u media interface PHY 1 on miibus3 ukphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto dc0: Ethernet address: 00:50:c2:11:ff:5f dc0: [ITHREAD] dc1: Intel 21143 10/100BaseTX port 0x9400-0x947f mem 0xd6001000-0xd60013ff 
irq 9 at device 5.0 on pci3 miibus4: MII bus on dc1 ukphy1: Generic IEEE 802.3u media interface PHY 1 on miibus4 ukphy1: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto dc1: Ethernet address: 00:50:c2:11:ff:60 dc1: [ITHREAD] dc2: Intel 21143 10/100BaseTX port 0x9800-0x987f mem 0xd6002000-0xd60023ff irq 12 at device 6.0 on pci3 miibus5: MII bus on dc2 ukphy2: Generic IEEE 802.3u media interface PHY 1 on miibus5 ukphy2: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto dc2: Ethernet address: 00:50:c2:11:ff:61 dc2: [ITHREAD] dc3: Intel 21143 10/100BaseTX port 0x9c00-0x9c7f mem 0xd6003000-0xd60033ff irq 11 at device 7.0 on pci3 miibus6: MII bus on dc3 ukphy3: Generic IEEE 802.3u media interface PHY 1 on miibus6 ukphy3: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto dc3: Ethernet address: 00:50:c2:11:ff:62 dc3: [ITHREAD] fxp3: Intel 82559ER Embedded 10/100 Ethernet port 0xac00-0xac3f mem 0xd7082000-0xd7082fff,0xd706-0xd707 irq 9 at device 10.0 on pci2 miibus7: MII bus on fxp3
RE: [pfSense Support] how to make dvd
Nick,

The image file you downloaded is to be written to a 1 GB flash card, not a DVD. This is the file which is to be written to optical media: ftp://reflection.ncsa.uiuc.edu/pub/pfSense/downloads/pfSense-2.0-RC3-i386-20110621-1650.iso.gz However, it hardly warrants a DVD, since it won't even occupy an entire CD.

From: Nick Upson [mailto:n...@telensa.com]
Sent: Friday, July 29, 2011 11:03 AM
To: support pfsense
Subject: [pfSense Support] how to make dvd

I know I'm not totally daft but this is getting me stuck right now, I've downloaded pfSense-2.0-RC3-1g-i386-20110621-1821-nanobsd.img.gz and gunzipped it but how do I make that .img into a DVD (dvd writers available are on winXP or WIN7)

--
Nick Upson (01799 533252)
RE: [pfSense Support] pfSense change logging
Authentication events should be recorded in the system log.

-----Original Message-----
From: Scott Benson [mailto:sben...@a-1networks.com]
Sent: Friday, July 29, 2011 11:41 AM
To: support@pfsense.com
Subject: [pfSense Support] pfSense change logging

Is there a way to see who(based on IP) made a change to the webgui causing a new /cf/conf/backup/ to be created? is it something in that file, or logged anywhere?

--
Scott Benson
A1 Networks
(707)570-2021 x203
Re: [pfSense Support] which version
On Fri, Jul 29, 2011 at 1:08 AM, Vick Khera vi...@khera.org wrote:
> Loading the 1.2.3 backup mostly works. We had to manually copy the bits for the OpenVPN certificates -- for some reason they did not load in properly. I think one other thing had to be manually reconfigured, but it was easy because we still had the old box for comparison.

I suspect that's been a while ago. I've upgraded some really complex, exotic configs recently with 0 issues. All the config upgrade issues we've ever seen have been fixed for at least a couple months. We just fixed one issue this week where you can hit a bug in PHP itself that causes it to crash with certain 1.2.3 configs (only 2 in existence we're aware of though).
Re: [pfSense Support] Intermitten Wireless
On 7/26/2011 10:29 PM, bsd wrote:
> Adding a rule such as this one will do you no harm and might help you solve your problem (at least for DHCP):
>
> Proto  Source   Port  Destination      Port  Gateway  Queue
> UDP    0.0.0.0  68    255.255.255.255  67    *        none
>
> Thanks

OK, I added your suggested to the Wireless ruleset, no change though :/

http://home.xaerolimit.net:2500/~chris/backup/images/screenshots/screenshot.52.png

--
Chris Brennan
--
A: Yes.
Q: Are you sure?
A: Because it reverses the logical flow of conversation.
Q: Why is top posting frowned upon?
http://xkcd.com/84/ | http://xkcd.com/149/ | http://xkcd.com/549/
GPG: D5B20C0C (6741 8EE4 6C7D 11FB 8DA8 9E4A EECD 9A84 D5B2 0C0C)
[pfSense Support] Re: Intermitten Wireless
On 7/27/2011 4:34 PM, Damien Dupertuis wrote: Hello, you should check this forum post... http://forum.pfsense.org/index.php/topic,31185.msg180104.html#msg180104 tell us if your problem is similar... regards...
The situation described there is similar to mine, but I am not so sure it's the same one. In /var/log/system.log, I see the following (most recent) entries:
Jul 22 14:00:29 pfSense hostapd: ath0: STA 00:21:00:12:48:86 IEEE 802.11: associated
Jul 22 14:00:29 pfSense hostapd: ath0: STA 00:21:00:12:48:86 IEEE 802.11: deassociated
Jul 22 14:00:45 pfSense hostapd: ath0: STA 00:21:00:12:48:86 IEEE 802.11: associated
Jul 22 14:00:45 pfSense hostapd: ath0: STA 00:21:00:12:48:86 IEEE 802.11: deassociated
Jul 22 14:01:18 pfSense hostapd: ath0: STA 8c:7b:9d:c6:55:32 WPA: group key handshake completed (CLOGMT|▒^C
I tried the suggestion on the forum too, applied the key rotation and master key rotation changes and disabled, then re-enabled the wireless card.
1) My iPod Touch 4G and my Android phone are able to connect wireless but unable to navigate
2) My Sony/Android TV and my Samsung BluRay player are not able to associate to the wireless AP at all.
This is why I am thinking it is similar to but not exactly the same issue described on the forum. -- Chris Brennan -- A: Yes. Q: Are you sure? A: Because it reverses the logical flow of conversation. Q: Why is top posting frowned upon? http://xkcd.com/84/ | http://xkcd.com/149/ | http://xkcd.com/549/ GPG: D5B20C0C (6741 8EE4 6C7D 11FB 8DA8 9E4A EECD 9A84 D5B2 0C0C)
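The associate/deassociate pattern in the log lines quoted above can be picked out mechanically. The Python below is an added example, not part of the original message; the 2-second dwell threshold, the two-flap minimum and the year (syslog timestamps carry none) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input: the hostapd lines quoted in the message above, with the
# garbled tail of the last line dropped.
SAMPLE_LOG = """\
Jul 22 14:00:29 pfSense hostapd: ath0: STA 00:21:00:12:48:86 IEEE 802.11: associated
Jul 22 14:00:29 pfSense hostapd: ath0: STA 00:21:00:12:48:86 IEEE 802.11: deassociated
Jul 22 14:00:45 pfSense hostapd: ath0: STA 00:21:00:12:48:86 IEEE 802.11: associated
Jul 22 14:00:45 pfSense hostapd: ath0: STA 00:21:00:12:48:86 IEEE 802.11: deassociated
Jul 22 14:01:18 pfSense hostapd: ath0: STA 8c:7b:9d:c6:55:32 WPA: group key handshake completed
"""

# "<syslog timestamp> <host> hostapd: <iface>: STA <mac> <module>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ hostapd: \S+: "
    r"STA (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}) (?P<module>[^:]+): (?P<msg>.*)$"
)

# The log above spells it "deassociated"; other hostapd builds log "disassociated".
DEASSOC = {"deassociated", "disassociated"}


def parse_events(log_text, year=2011):
    """Yield (timestamp, station MAC, message) for every hostapd STA line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a hostapd station event
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["mac"].lower(), m["msg"].strip()


def find_flapping_stations(log_text, max_dwell=2, min_flaps=2, year=2011):
    """Report stations that associate and drop again within max_dwell seconds.

    A station is reported once it has done so at least min_flaps times. The
    report also notes whether a WPA key handshake was ever logged for it,
    which separates "drops before keys are negotiated" from "drops later".
    """
    last_assoc = {}              # mac -> time of the pending association
    flaps = defaultdict(int)     # mac -> number of short-lived associations
    handshake_ok = set()         # macs with a completed key handshake
    for ts, mac, msg in parse_events(log_text, year):
        if msg == "associated":
            last_assoc[mac] = ts
        elif msg in DEASSOC:
            start = last_assoc.pop(mac, None)
            if start is not None and (ts - start).total_seconds() <= max_dwell:
                flaps[mac] += 1
        elif "key handshake completed" in msg:
            handshake_ok.add(mac)
    return {
        mac: {"flaps": count, "handshake_completed": mac in handshake_ok}
        for mac, count in flaps.items()
        if count >= min_flaps
    }


if __name__ == "__main__":
    for mac, info in find_flapping_stations(SAMPLE_LOG).items():
        print(mac, info)
```
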
[pfSense Support] Intermitten Wireless
Greetings! I've got a Netgate m1n1-2d13 firewall device[1] and for the most part, it works great (wired that is.) Wireless on the other hand is questionable at best. Sometimes it works, sometimes it doesn't. The wireless kit is [2]. pfSense 1.2.3-RELEASE sees the card just fine ath0: flags=8943UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST metric 0 mtu 1500 ether 90:a4:de:2f:1d:bb inet6 fe80::92a4:deff:fe2f:1dbb%ath0 prefixlen 64 scopeid 0x4 media: IEEE 802.11 Wireless Ethernet autoselect mode 11g hostap status: associated ssid The Realm channel 1 (2412 Mhz 11g) bssid 90:a4:de:2f:1d:bb authmode WPA privacy MIXED deftxkey 3 AES-CCM 2:128-bit AES-CCM 3:128-bit txpower 31.5 scanvalid 60 bgscan bgscanintvl 300 bgscanidle 250 roam:rssi11g 7 roam:rate11g 5 protmode OFF burst -apbridge dtimperiod 1 and an pciconf -lv ath0@pci0:0:12:0: class=0x02 card=0x1012185f chip=0x0013168c rev=0x01 hdr=0x00 class = network subclass = ethernet I had my wireless working, my Sony TV was streaming Netflix for days, my iPod was able to browse the internet as well as my android phone and even my Debian laptop was working. Now, my TV can't associate, if it does, it refuses to get an IP address from the DHCP server (which is running) [ad...@router.xaerolimit.net]/root(7): ps auxf | grep dhcpd dhcpd 24379 0.0 0.8 3156 2040 ?? Is Sun05AM 0:01.56 /usr/local/sbin/dhcpd -user dhcpd -group _dhcp -chroot /var/dhcpd -cf /var/dhcpd/etc/dhcpd.conf vr0 root 60213 0.0 0.1 376 256 p0 R+ 10:32PM 0:00.00 grep dhcpd [1.2.3-RELEASE] [ad...@router.xaerolimit.net]/root(8): My iPod Touch and my Android phone are able to associate and get an IP without any issues, but they cannot browse, I've confirmed this by being able to browse my LAN from both devices but I am unable to get to google.com for example, or anywhere else. I've also confirmed that my TV never does get an IP as when trying to connect Wirelessly, it is unable to get to my local webserver running on the same subnet as the DHCP daemon. 
So I am unsure what I missed, I'm pretty sure this is a configuration issue with the firewall (basic details are below, if more is needed, by all means ask). Interfaces - OPT2 (Wireless) Check box checked to enable device Description: Wireless Type: DHCP Bridge with: LAN Standard: 802.11g Mode: Access Point 802.11g OFDM Protection Mode: Protection mode off SSID: The Realm Transmit Power: 99 Channel: Auto (usually ch1 is used) WPA: Enable WPA check box checked PSK: SoMe ReAlLy LoNg PaSs WoRd WPA Mode: Both WPA Key Management Mode: Pre Shared Key Authentication: Open System Authentication WPA Pairwise: AES Key Rotation: 60 Master Key Regeneration: 3600 Firewall - Rules - Lan Action: Pass Interface: LAN Protocol: Any Source: LAN Subnet Destination: Any Gateway: Default (192.168.0.1) Description: Default LAN - any Firewall - Rules - Wireless Action: Pass Interface: Wireless Protocol: Any Source: LAN subnet (was any but someone on IRC recommended the change to 'LAN subnet') Destination: Any Gateway: Default (192.168.0.1) Description: Wi-Fi Out If any other configuration details are required, please let me know and I will provide them, but bear in mind, I don't know where/how pfSense stores its configuration files. The above data was typed manually from the web interface. [1] http://store.netgate.com/Netgate-m1n1wall-2D3-2D13-Black-P216.aspx [2] http://store.netgate.com/KIT-ALIX-5004MP-DUAL-P190C34.aspx -- Chris Brennan -- A: Yes. Q: Are you sure? A: Because it reverses the logical flow of conversation. Q: Why is top posting frowned upon? http://xkcd.com/84/ | http://xkcd.com/149/ | http://xkcd.com/549/ GPG: D5B20C0C (6741 8EE4 6C7D 11FB 8DA8 9E4A EECD 9A84 D5B2 0C0C)
Re: [pfSense Support] Routed SSH Sessions are killed After 15 Minutes Whether Active or Not
On Tue, Jul 26, 2011 at 4:15 PM, Paul Kunicki pkuni...@sproutloud.com wrote: Routed SSH Sessions are killed After 15 Minutes Whether Active or Not Hi everyone. I am running 1.2.3-RELEASE on two Dell Poweredge R300s with CARP configured for redundancy. Each node has four interfaces: em0: 192.168.1.x/24 (LAN1) em1: 10.0.20.x/22 (LAN2) bge0: 192.168.4.x/24 (CARP) bge1: 192.168.8.0/24 (WAN BEHIND ANOTHER ROUTER/FIREWALL) When connecting via SSH from LAN2 to another FreeBSD server on LAN1 I am disconnected (Broken Pipe: Write Failed) after exactly 15 minutes even if there is activity i.e. top running etc. When I connect from LAN1 to the same server I remain connected. The server that I am connecting to is dual-homed with a separate interface on LAN2. SSH sessions over LAN2 to the same server stay connected.
You have asymmetric routing because the host is dual homed, which will cause problems with any stateful firewall. You either need policy routing on the host itself to ensure all traffic leaves the same interface it enters via the appropriate gateway when off-subnet, or only use the interface IP where the default gateway resides when off-subnet, and only the local subnet IP when on subnet. Please don't post the same thing to both the forum and mailing list unless you don't have a response on one or the other after 24 hours.
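The three observations in this message (sessions break from LAN2 to the server's LAN1 address, but not within LAN1 or within LAN2) follow from ordinary route lookups on the dual-homed host. The Python below is an added illustration, not code from the thread: host and firewall addresses are constructed (the post gives only the subnets), and `policy_routing` models the first remedy in the reply as "a reply leaves via the interface that owns its source address".

```python
import ipaddress

# Constructed addresses: the post gives only 192.168.1.x/24 (LAN1) and
# 10.0.20.x/22 (LAN2); the firewall and host addresses are assumptions.
FIREWALL = {ipaddress.ip_address("192.168.1.1"), ipaddress.ip_address("10.0.20.1")}


class Host:
    """A host with connected interfaces, one default gateway, optional policy routing."""

    def __init__(self, name, interfaces, default_gw, policy_routing=False):
        # interfaces maps "address/prefix" -> the gateway reachable on that subnet
        self.name = name
        self.ifaces = {ipaddress.ip_interface(a): ipaddress.ip_address(g)
                       for a, g in interfaces.items()}
        self.default_gw = ipaddress.ip_address(default_gw)
        self.policy_routing = policy_routing

    def route(self, dst):
        """Destination-based lookup: (outgoing interface, next hop or None if on-link)."""
        dst = ipaddress.ip_address(dst)
        on_link = [i for i in self.ifaces if dst in i.network]
        if on_link:
            # A connected subnet always beats the default route.
            return max(on_link, key=lambda i: i.network.prefixlen), None
        for iface in self.ifaces:
            if self.default_gw in iface.network:
                return iface, self.default_gw
        raise ValueError(f"{self.name}: default gateway is not on a connected subnet")

    def reply_route(self, local_addr, dst):
        """Route a reply whose source is local_addr (the address the peer connected to)."""
        if not self.policy_routing:
            return self.route(dst)
        local_addr = ipaddress.ip_address(local_addr)
        dst = ipaddress.ip_address(dst)
        iface = next(i for i in self.ifaces if i.ip == local_addr)
        return iface, (None if dst in iface.network else self.ifaces[iface])


def analyse_flow(client, server, server_addr):
    """Trace both directions of a connection and report whether each crosses the firewall."""
    out_if, fwd_hop = client.route(server_addr)
    _, ret_hop = server.reply_route(server_addr, out_if.ip)
    fwd, ret = fwd_hop in FIREWALL, ret_hop in FIREWALL
    return {"forward_via_firewall": fwd, "return_via_firewall": ret,
            "asymmetric": fwd != ret}


def scenarios(policy_routing=False):
    """The three cases described in the message, against the same dual-homed server."""
    server = Host("server",
                  {"192.168.1.10/24": "192.168.1.1", "10.0.21.10/22": "10.0.20.1"},
                  default_gw="192.168.1.1", policy_routing=policy_routing)
    lan1 = Host("lan1-client", {"192.168.1.50/24": "192.168.1.1"}, "192.168.1.1")
    lan2 = Host("lan2-client", {"10.0.20.50/22": "10.0.20.1"}, "10.0.20.1")
    return {
        "LAN2 client -> server LAN1 address": analyse_flow(lan2, server, "192.168.1.10"),
        "LAN1 client -> server LAN1 address": analyse_flow(lan1, server, "192.168.1.10"),
        "LAN2 client -> server LAN2 address": analyse_flow(lan2, server, "10.0.21.10"),
    }


if __name__ == "__main__":
    for label, enabled in (("destination-based routing", False), ("policy routing", True)):
        print(label)
        for name, result in scenarios(enabled).items():
            print("  ", name, result)
```

Only the first case sends one direction through the firewall and the other around it, so the firewall's state table sees half of the conversation; the other two cases never touch the firewall at all.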
[pfSense Support] Re: Intermitten Wireless
Do I add this as a wireless rule? On Tuesday, July 26, 2011, bsd b...@todoo.biz wrote: Le 26 juil. 2011 à 19:48, Chris Brennan a écrit : Greetings! I've got a Netgate m1n1-2d13 firewall device[1] and for the most part, it works great (wired that is.) Wireless on the other hand is questionable at best. Sometimes it works, sometimes it doesn't. The wireless kit is [2]. pfSense 1.2.3-RELEASE sees the card just fine ath0: flags=8943UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST metric 0 mtu 1500 ether 90:a4:de:2f:1d:bb inet6 fe80::92a4:deff:fe2f:1dbb%ath0 prefixlen 64 scopeid 0x4 media: IEEE 802.11 Wireless Ethernet autoselect mode 11g hostap status: associated ssid The Realm channel 1 (2412 Mhz 11g) bssid 90:a4:de:2f:1d:bb authmode WPA privacy MIXED deftxkey 3 AES-CCM 2:128-bit AES-CCM 3:128-bit txpower 31.5 scanvalid 60 bgscan bgscanintvl 300 bgscanidle 250 roam:rssi11g 7 roam:rate11g 5 protmode OFF burst -apbridge dtimperiod 1 and an pciconf -lv ath0@pci0:0:12:0: class=0x02 card=0x1012185f chip=0x0013168c rev=0x01 hdr=0x00 class = network subclass = ethernet I had my wireless working, my Sony TV was streaming Netflix for days, my iPod was able to browse the internet as well as my android phone and even my Debian laptop was working. Now, my TV can't associate, if it does, it refuses to get an IP address from the DHCP server (which is running) [ad...@router.xaerolimit.net]/root(7): ps auxf | grep dhcpd dhcpd 24379 0.0 0.8 3156 2040 ?? Is Sun05AM 0:01.56 /usr/local/sbin/dhcpd -user dhcpd -group _dhcp -chroot /var/dhcpd -cf /var/dhcpd/etc/dhcpd.conf vr0 root 60213 0.0 0.1 376 256 p0 R+ 10:32PM 0:00.00 grep dhcpd [1.2.3-RELEASE] [ad...@router.xaerolimit.net]/root(8): My iPod Touch and my Android phone are able to associate and get an IP without any issues, but they cannot browse, I've confirmed this by being able to browse my LAN from both devices but I am unable to get to google.com for example, or anywhere else. 
I've also confirmed that my TV never does get an IP as when trying to connect Wirelessly, it is unable to get to my local webserver running on the same subnet as the DHCP daemon. So I am unsure what I missed, I'm pretty sure this is a configuration issue with the firewall (basic details are below, if more is needed, by all means ask). Interfaces - OPT2 (Wireless) Check box checked to enable device Description: Wireless Type: DHCP Bridge with: LAN Standard: 802.11g Mode: Access Point 802.11g OFDM Protection Mode: Protection mode off SSID: The Realm Transmit Power: 99 Channel: Auto (usually ch1 is used) WPA: Enable WPA check box checked PSK: SoMe ReAlLy LoNg PaSs WoRd WPA Mode: Both WPA Key Management Mode: Pre Shared Key Authentication: Open System Authentication WPA Pairwise: AES Key Rotation: 60 Master Key Regeneration: 3600 Firewall - Rules - Lan Action: Pass Interface: LAN Protocol: Any Source: LAN Subnet Destination: Any Gateway: Default (192.168.0.1) Description: Default LAN - any Firewall - Rules - Wireless Action: Pass Interface: Wireless Protocol: Any Source: LAN subnet (was any but someone on IRC recommended the change to 'LAN subnet') Adding a rule such as this one will do you no harm and might help you solve your problem (at least for DHCP): -- -- Chris Brennan A: Yes. Q: Are you sure? A: Because it reverses the logical flow of conversation. Q: Why is top posting frowned upon? http://xkcd.com/84/ | http://xkcd.com/149/ | http://xkcd.com/549/ GPG: D5B20C0C (6741 8EE4 6C7D 11FB 8DA8 9E4A EECD 9A84 D5B2 0C0C)
Re: [pfSense Support] PHP error when generating RRD graphs
On Mon, Jul 25, 2011 at 8:40 PM, William Jimenez wjime...@appdynamics.com wrote: Will this be fixed in the latest release candidate you think? Should I maybe do a fresh install of pfsense and restore my config instead? Haven't seen that aside from scenarios where people manually restore their 1.2.3 RRD data on an existing 2.0 install, which you can't do. The error you're seeing means the RRD files weren't upgraded when going from 1.2.3 to 2.0, that happens automatically when your configuration is upgraded. If you do need to manually restore 1.2.3 RRD data, you either need to manually run the process to update those files you'll find in the config upgrade code in /etc/inc/, or restore the RRD files and then restore a 1.2.3 config, and they'll both be upgraded.
Re: [pfSense Support] PHP error when generating RRD graphs
On Mon, Jul 25, 2011 at 9:19 PM, William Jimenez wjime...@appdynamics.com wrote: I actually don't care much about the old RRD data at this point, I would just like it to start recording data this point on Disable and enable RRD under Status > RRD, Settings tab and that should fix it. Otherwise 'rm -rf /var/db/rrd*' and then hit Save on the Settings tab.
[pfSense Support] Pantech UML290
ppp: [wan_link0] ACCMAP 0x Jul 24 08:32:35 ppp: [wan_link0] AUTHPROTO CHAP MD5 Jul 24 08:32:35 ppp: [wan_link0] MAGICNUM cf6d11e0 Jul 24 08:32:35 ppp: [wan_link0] PROTOCOMP Jul 24 08:32:35 ppp: [wan_link0] ACFCOMP Jul 24 08:32:35 ppp: [wan_link0] LCP: SendConfigAck #0 Jul 24 08:32:35 ppp: [wan_link0] ACCMAP 0x Jul 24 08:32:35 ppp: [wan_link0] AUTHPROTO CHAP MD5 Jul 24 08:32:35 ppp: [wan_link0] MAGICNUM cf6d11e0 Jul 24 08:32:35 ppp: [wan_link0] PROTOCOMP Jul 24 08:32:35 ppp: [wan_link0] ACFCOMP Jul 24 08:32:35 ppp: [wan_link0] LCP: state change Req-Sent -- Ack-Sent Jul 24 08:32:35 ppp: [wan_link0] LCP: rec'd Configure Ack #1 (Ack-Sent) Jul 24 08:32:35 ppp: [wan_link0] ACFCOMP Jul 24 08:32:35 ppp: [wan_link0] PROTOCOMP Jul 24 08:32:35 ppp: [wan_link0] ACCMAP 0x000a Jul 24 08:32:35 ppp: [wan_link0] MRU 1500 Jul 24 08:32:35 ppp: [wan_link0] MAGICNUM 24c14c1c Jul 24 08:32:35 ppp: [wan_link0] LCP: state change Ack-Sent -- Opened Jul 24 08:32:35 ppp: [wan_link0] LCP: auth: peer wants CHAP, I want nothing Jul 24 08:32:35 ppp: [wan_link0] LCP: LayerUp Jul 24 08:32:35 ppp: [wan_link0] LCP: rec'd Discard Request #1 (Opened) Jul 24 08:32:35 ppp: [wan_link0] CHAP: rec'd CHALLENGE #1 len: 35 Jul 24 08:32:35 ppp: [wan_link0] Name: UMTS_CHAP_SRVR Jul 24 08:32:35 ppp: [wan_link0] CHAP: Using authname 8035221...@vzw4g.com Jul 24 08:32:35 ppp: [wan_link0] CHAP: sending RESPONSE #1 len: 41 Jul 24 08:32:35 ppp: [wan_link0] CHAP: rec'd SUCCESS #1 len: 4 Jul 24 08:32:35 ppp: [wan_link0] LCP: authorization successful Jul 24 08:32:35 ppp: [wan_link0] Link: Matched action 'bundle wan ' Jul 24 08:32:35 ppp: [wan_link0] Link: Join bundle wan Jul 24 08:32:35 ppp: [wan] Bundle: Status update: up 1 link, total bandwidth 1 bps Jul 24 08:32:35 ppp: [wan] can't config [e]:: Invalid argument Jul 24 08:32:35 ppp: fatal error, exiting Jul 24 08:32:35 ppp: [wan] IFACE: Close event Jul 24 08:32:35 ppp: [wan] IPCP: Close event Jul 24 08:32:35 ppp: [wan] Bundle: Shutdown Jul 24 08:32:35 ppp: [wan_link0] 
Link: Shutdown Jul 24 08:32:35 ppp: process 8764 terminated If I attempt to connect again after this without removing the modem and attaching it to a Windows box, it says that the modem isn't responding to AT commands. I assume this is because the modem maintains the established connection but pfSense has terminated the PPP session. If I restart the pfSense box and attempt to connect again without first connecting the UML290 to a Windows box, I see the error invalid init string in the logs. Does anyone have any ideas on how to get this to work? Chris Jul 24 08:24:26 ppp: [opt1_link0] chat: Connected at 1. Jul 24 08:24:26 ppp: [opt1_link0] MODEM: chat script succeeded Jul 24 08:24:26 ppp: [opt1_link0] Link: UP event Jul 24 08:24:26 ppp: [opt1_link0] LCP: Up event Jul 24 08:24:26 ppp: [opt1_link0] LCP: state change Starting -- Req-Sent Jul 24 08:24:26 ppp: [opt1_link0] LCP: SendConfigReq #1 Jul 24 08:24:26 ppp: [opt1_link0] ACFCOMP Jul 24 08:24:26 ppp: [opt1_link0] PROTOCOMP Jul 24 08:24:26 ppp: [opt1_link0] ACCMAP 0x000a Jul 24 08:24:26 ppp: [opt1_link0] MRU 1500 Jul 24 08:24:26 ppp: [opt1_link0] MAGICNUM 72df4860 Jul 24 08:24:26 ppp: [opt1_link0] LCP: rec'd Configure Request #0 (Req-Sent) Jul 24 08:24:26 ppp: [opt1_link0] ACCMAP 0x Jul 24 08:24:26 ppp: [opt1_link0] AUTHPROTO CHAP MD5 Jul 24 08:24:26 ppp: [opt1_link0] MAGICNUM cf64b9c6 Jul 24 08:24:26 ppp: [opt1_link0] PROTOCOMP Jul 24 08:24:26 ppp: [opt1_link0] ACFCOMP Jul 24 08:24:26 ppp: [opt1_link0] LCP: SendConfigAck #0 Jul 24 08:24:26 ppp: [opt1_link0] ACCMAP 0x Jul 24 08:24:26 ppp: [opt1_link0] AUTHPROTO CHAP MD5 Jul 24 08:24:26 ppp: [opt1_link0] MAGICNUM cf64b9c6 Jul 24 08:24:26 ppp: [opt1_link0] PROTOCOMP Jul 24 08:24:26 ppp: [opt1_link0] ACFCOMP Jul 24 08:24:26 ppp: [opt1_link0] LCP: state change Req-Sent -- Ack-Sent Jul 24 08:24:26 ppp: [opt1_link0] LCP: rec'd Configure Ack #1 (Ack-Sent) Jul 24 08:24:26 ppp: [opt1_link0] ACFCOMP Jul 24 08:24:26 ppp: [opt1_link0] PROTOCOMP Jul 24 08:24:26 ppp: [opt1_link0] 
ACCMAP 0x000a Jul 24 08:24:26 ppp: [opt1_link0] MRU 1500 Jul 24 08:24:26 ppp: [opt1_link0] MAGICNUM 72df4860 Jul 24 08:24:26 ppp: [opt1_link0] LCP: state change Ack-Sent -- Opened Jul 24 08:24:26 ppp: [opt1_link0] LCP: auth: peer wants CHAP, I want nothing Jul 24 08:24:26 ppp: [opt1_link0] LCP: LayerUp Jul 24 08:24:26 ppp: [opt1_link0] LCP: rec'd
[pfSense Support] RE: (Update) Pantech UML290
After reading the last two posts in this thread: http://forum.pfsense.org/index.php?topic=28649.0 I'm fairly certain that the problem displayed in the logs below is also due to the problem described with mpd. However, I've noticed that there are two different mpd binaries present in /usr/local/sbin:
-r-xr-xr-x 1 root wheel 460256 Jun 21 16:51 mpd4
-r-xr-xr-x 1 root wheel 519364 Jun 21 16:51 mpd5
Does anyone know which one is being used and from where it's called?
-Original Message- From: Chris Clark [mailto:ch...@belthasar.com] Sent: Sunday, July 24, 2011 12:34 PM To: support@pfsense.com Subject: [pfSense Support] Pantech UML290
Greetings everyone, I bought a Pantech UML290 for Verizon's LTE service yesterday and have been attempting to get it working with pfSense 2.0RC3 since then. This morning I've been able to get connection established, but something in pfSense immediately terminates it, citing an invalid argument. This is my procedure and what I've had to do:
Configuration (with UML290 connected):
Comment out this line in /usr/local/mpd.script: set $modemCmd +CGDCONT=$APNum, \IP\, \$APN\
Go through this procedure here: http://doc.pfsense.org/index.php/Configuring_3G_modems
Enter Username: [Number]@vzw4g.com
Enter Password: vzw
Phone Number: *99***3#
Add PPP interface to WAN/OPT1 and leave interface disabled.
Procedure:
Connect UML290 to a Windows box running VZAM and establish connection there.
Remove from Windows box and connect to pfSense box.
Enable WAN/OPT1 interface.
I then see the following in the logs (taken from both WAN and OPT1 association tries) (also attached):
Jul 24 08:24:26 ppp: [opt1_link0] chat: Connected at 1.
Jul 24 08:24:26 ppp: [opt1_link0] MODEM: chat script succeeded Jul 24 08:24:26 ppp: [opt1_link0] Link: UP event Jul 24 08:24:26 ppp: [opt1_link0] LCP: Up event Jul 24 08:24:26 ppp: [opt1_link0] LCP: state change Starting -- Req-Sent Jul 24 08:24:26 ppp: [opt1_link0] LCP: SendConfigReq #1 Jul 24 08:24:26 ppp: [opt1_link0] ACFCOMP Jul 24 08:24:26 ppp: [opt1_link0] PROTOCOMP Jul 24 08:24:26 ppp: [opt1_link0] ACCMAP 0x000a Jul 24 08:24:26 ppp: [opt1_link0] MRU 1500 Jul 24 08:24:26 ppp: [opt1_link0] MAGICNUM 72df4860 Jul 24 08:24:26 ppp: [opt1_link0] LCP: rec'd Configure Request #0 (Req-Sent) Jul 24 08:24:26 ppp: [opt1_link0] ACCMAP 0x Jul 24 08:24:26 ppp: [opt1_link0] AUTHPROTO CHAP MD5 Jul 24 08:24:26 ppp: [opt1_link0] MAGICNUM cf64b9c6 Jul 24 08:24:26 ppp: [opt1_link0] PROTOCOMP Jul 24 08:24:26 ppp: [opt1_link0] ACFCOMP Jul 24 08:24:26 ppp: [opt1_link0] LCP: SendConfigAck #0 Jul 24 08:24:26 ppp: [opt1_link0] ACCMAP 0x Jul 24 08:24:26 ppp: [opt1_link0] AUTHPROTO CHAP MD5 Jul 24 08:24:26 ppp: [opt1_link0] MAGICNUM cf64b9c6 Jul 24 08:24:26 ppp: [opt1_link0] PROTOCOMP Jul 24 08:24:26 ppp: [opt1_link0] ACFCOMP Jul 24 08:24:26 ppp: [opt1_link0] LCP: state change Req-Sent -- Ack-Sent Jul 24 08:24:26 ppp: [opt1_link0] LCP: rec'd Configure Ack #1 (Ack-Sent) Jul 24 08:24:26 ppp: [opt1_link0] ACFCOMP Jul 24 08:24:26 ppp: [opt1_link0] PROTOCOMP Jul 24 08:24:26 ppp: [opt1_link0] ACCMAP 0x000a Jul 24 08:24:26 ppp: [opt1_link0] MRU 1500 Jul 24 08:24:26 ppp: [opt1_link0] MAGICNUM 72df4860 Jul 24 08:24:26 ppp: [opt1_link0] LCP: state change Ack-Sent -- Opened Jul 24 08:24:26 ppp: [opt1_link0] LCP: auth: peer wants CHAP, I want nothing Jul 24 08:24:26 ppp: [opt1_link0] LCP: LayerUp Jul 24 08:24:26 ppp: [opt1_link0] LCP: rec'd Discard Request #1 (Opened) Jul 24 08:24:26 ppp: [opt1_link0] CHAP: rec'd CHALLENGE #1 len: 35 Jul 24 08:24:26 ppp: [opt1_link0] Name: UMTS_CHAP_SRVR Jul 24 08:24:26 ppp: [opt1_link0] CHAP: Using authname 8035221...@vzw4g.com Jul 24 08:24:26 ppp: [opt1_link0] 
CHAP: sending RESPONSE #1 len: 41 Jul 24 08:24:26 ppp: [opt1_link0] CHAP: rec'd SUCCESS #1 len: 4 Jul 24 08:24:26 ppp: [opt1_link0] LCP: authorization successful Jul 24 08:24:26 ppp: [opt1_link0] Link: Matched action 'bundle opt1 ' Jul 24 08:24:26 ppp: [opt1_link0] Link: Join bundle opt1 Jul 24 08:24:26 ppp: [opt1] Bundle: Status update: up 1 link, total bandwidth 1 bps Jul 24 08:24:26 ppp: [opt1] can't config [21]:: Invalid argument Jul 24 08:24:26 ppp: fatal error, exiting Jul 24 08:24:26 ppp: [opt1] IFACE: Close event Jul 24 08:24:26 ppp: [opt1] IPCP: Close event Jul 24 08:24:26 ppp: [opt1] Bundle: Shutdown Jul 24 08:24:26 ppp: [opt1_link0] Link: Shutdown Jul 24 08:24:26 ppp: process 38992 terminated Jul 24 08:32:35 ppp: [wan_link0] chat: Connected at 1. Jul 24 08:32:35 ppp: [wan_link0
RE: [pfSense Support] RE: (Update) Pantech UML290
Thanks Adam, I'm not attempting to use this in a multilink setup; just as the primary WAN interface. -Original Message- From: Adam Thompson [mailto:athom...@athompso.net] Sent: Sunday, July 24, 2011 3:58 PM To: support@pfsense.com Subject: RE: [pfSense Support] RE: (Update) Pantech UML290 -Original Message- From: Chris Clark [mailto:ch...@belthasar.com] Sent: Sunday, July 24, 2011 14:47 To: support@pfsense.com Subject: [pfSense Support] RE: (Update) Pantech UML290 After reading the last two posts in this thread: http://forum.pfsense.org/index.php?topic=28649.0 I'm fairly certain that the problem displayed in the logs below is also due to the problem described with mpd. However, I've noticed that there are two different mpd binaries present in /usr/local/sbin: -r-xr-xr-x 1 root wheel 460256 Jun 21 16:51 mpd4 -r-xr-xr-x 1 root wheel 519364 Jun 21 16:51 mpd5 Does anyone know which one is being used and from where it's called? Based on ermal's post to that thread, I would presume 2.0 uses mpd5, and I would also presume that the fix will make it into a snapshot in the very near future. I don't think fixing mpd5 could fix the kernel overflow problem suggested elsewhere, however, so I suggest you not try to use this in a multilink setup for now. -Adam Thompson athom...@athompso.net
Re: [pfSense Support] Disabling the GUI?
On Sat, Jul 23, 2011 at 4:07 PM, William Jimenez wjime...@appdynamics.com wrote: Is there a way to disable the GUI on pfsense to increase performance, and then re-enable it when needed? It has 0 impact on performance as it uses nothing other than a few MB RAM if you aren't using it. Even when you're in it, it has very minimal impact and only if you're running close to the capacity of your hardware, where it has minimal CPU cycles to spare. You can hack the source to disable it if you want, but it's not going to do anything unless you really need an extra few MBs RAM.
[pfSense Support] Fwd: m1n1 device w/ ath wireless
Original Message Subject: m1n1 device w/ ath wireless Date: Fri, 15 Jul 2011 12:49:55 -0400 From: Chris Brennan xa...@xaerolimit.net To: pfSense Support support@pfsense.com Greetings! I've got a Netgate m1n1 2D13 Firewall with an Atheros 4G CM9 Wireless card. As far as I can tell, hardware wise, everything works just fine. The problem is that after my wireless devices associate with the netgate, I am unable to actually go anywhere. I've added a fw rule to blanketly let everything out over wireless and it's bonded with my LAN so all the traffic is on the same subnet. I'm not sure what else I need to/should have to do to make this work. Some help would be appreciated. :) P.S. I am new to *this* list, if I missed something, let me know and I'll make the necessary adjustments. I've been seeing some activity on the pfSense list, so I know it works, but no one has bothered to followup on this and help me figure this out and it's 5 days old already :( I've never had mail such as this go so long, even on a low-traffic mailing list, unanswered. Wireless now works and I can correctly route out over the internet. I have *nfc* what I did, but it works. And the firewall is correctly blocking all incoming traffic as expected. My problem now is that I am trying to open port 2500 on the outside and redirect it over my lan to my gentoo box where I have a web-server running (for my own private purposes). I've added the NAT rule and it successfully created the firewall rule, but the port is still not open. I'm not sure what I did wrong here but some screenshots can be seen here http://imageshack.us/photo/my-images/228/screenshot43e.png/ http://imageshack.us/photo/my-images/215/screenshot42h.png/ http://imageshack.us/photo/my-images/853/screenshot44v.png/ http://imageshack.us/photo/my-images/585/screenshot48p.png/ http://imageshack.us/photo/my-images/847/screenshot49y.png/ If I've missed something, please let me know and I shall provide it. -- Chris Brennan -- A: Yes. Q: Are you sure? 
A: Because it reverses the logical flow of conversation. Q: Why is top posting frowned upon? http://xkcd.com/84/ | http://xkcd.com/149/ | http://xkcd.com/549/ GPG: D5B20C0C (6741 8EE4 6C7D 11FB 8DA8 9E4A EECD 9A84 D5B2 0C0C)
Re: [pfSense Support] Fwd: m1n1 device w/ ath wireless
On 7/19/2011 3:08 PM, Moshe Katz wrote: Your firewall rule is wrong. It needs to allow from ANY source port to 2500 destination port. The source port is random from the client and the port that you want to open on the firewall is 2500. When you redirect that to port 80 using port forwarding, that is after it has already passed through the firewall successfully. It looks like you are using pfSense 1.2.x. If you can update to one of the 2.0 release candidates (I don't know how updates work for the Netgate-branded version), it has a feature that will automatically create the proper firewall rule when you forward a port. Moshe, Yes, I am using 1.2.x, it's what was installed on this netgate, I don't know how to (yet) upgrade to one of the 2.0x RC's of pfSense, I was thinking about this but unsure how to go about it. if there is some documentation on this I would be greatly appreciative. When I added the NAT rule, it added the fw rule automatically. So I am not sure what you mean, the FW rule is allowing from any source, effectively *:2500, which is what I want, to only allow specific ports though. -- Chris Brennan -- A: Yes. Q: Are you sure? A: Because it reverses the logical flow of conversation. Q: Why is top posting frowned upon? http://xkcd.com/84/ | http://xkcd.com/149/ | http://xkcd.com/549/ GPG: D5B20C0C (6741 8EE4 6C7D 11FB 8DA8 9E4A EECD 9A84 D5B2 0C0C)
Re: [pfSense Support] Fwd: m1n1 device w/ ath wireless
On 7/19/2011 3:33 PM, Moshe Katz wrote: In a firewall rule, the Source Port means where it is coming from on your computer. Your computer usually picks a random port to use when you visit a site in your web browser. So putting Source Port=2500 in your rule will not work. 2500 is the Destination Port in the firewall rule. In screenshot42h.png, that last row should say:
* Protocol: TCP
* Source Address: *
* *Source Port: **
* *Destination Address: WAN_IP*
* *Destination Port: 2500*
* Gateway: *
* ...
The bold ones are the ones you need to change.
OK, I understand now. Thank you. I can browse to my IP and see my local web-server from my VPS. The reason I point this out is because when I had my linksys (WRT54G) in place, I could navigate to http://my_ip:2500/~chris/ and it would work just as if I was external, but that isn't working now. Was this some automagical configuration of the Linksys? (which btw was running DD-WRT) Or do I need to enable some kind of configuration w/i pfSense for this to work? -- Chris Brennan -- A: Yes. Q: Are you sure? A: Because it reverses the logical flow of conversation. Q: Why is top posting frowned upon? http://xkcd.com/84/ | http://xkcd.com/149/ | http://xkcd.com/549/ GPG: D5B20C0C (6741 8EE4 6C7D 11FB 8DA8 9E4A EECD 9A84 D5B2 0C0C)
Re: [pfSense Support] Fwd: m1n1 device w/ ath wireless
On 7/19/2011 4:02 PM, Yehuda Katz wrote: You are looking for NAT reflection. I do not have a 1.2.3 box to test it with, but I think it is in the System-Advanced section. - Yehuda Sweet! This is exactly what I was looking for! Thank you both, very much. -- Chris Brennan -- A: Yes. Q: Are you sure? A: Because it reverses the logical flow of conversation. Q: Why is top posting frowned upon? http://xkcd.com/84/ | http://xkcd.com/149/ | http://xkcd.com/549/ GPG: D5B20C0C (6741 8EE4 6C7D 11FB 8DA8 9E4A EECD 9A84 D5B2 0C0C)
Re: [pfSense Support] Static Routes
On Tue, Jul 19, 2011 at 2:15 PM, Atkins, Dwane P atki...@uthscsa.edu wrote: Afternoon all. We are running pfsense 1.2.3-RELEASE and having issues with a couple remote sites. We have a few static route statements. Each of them are actually part of the same subnet and go to the same gateway. We prefer to have each subnet routed individually because it is easier to track in the event of a security related incident, BOTS, etc…. Does this release have any issues with the amount of static routes it can handle at one time? Are there issues with a /20 subnet being routed out a specific interface? No limit or any issues with any subnet size. I've been on systems with hundreds of static routes.
Re: [pfSense Support] Logout button - captive portal
On Fri, Jul 15, 2011 at 2:59 PM, Atkins, Dwane P atki...@uthscsa.edu wrote: Good afternoon all. We use the following version and it has been rather stable. 1.2.3-RELEASE built on Sun Dec 6 23:21:36 EST 2009 My issue is when you authenticate, you can do whatever you have been authorized. But when you have completed and click the logout button, it just sits there. You can click it and click it and it will not go away. However, I did notice that I was logged out from the pfsense box which is a good thing. How do we get the button to disappear or to possibly show something that will state that you have been disconnected. Yeah what you're seeing there is it fully disconnects the user. When you're logged out, the portal kills all your states to ensure you're cut off from Internet access, cutting off their HTTP session to the logout window in the process (there is no possible way in the underlying software to kill the host's states with the exception of one to keep the logout window alive). There currently aren't any alternatives there.
[pfSense Support] m1n1 device w/ ath wireless
Greetings! I've got a Netgate m1n1 2D13 Firewall with an Atheros 4G CM9 Wireless card. As far as I can tell, hardware wise, everything works just fine. The problem is that after my wireless devices associate with the netgate, I am unable to actually go anywhere. I've added a fw rule to blanketly let everything out over wireless and it's bonded with my LAN so all the traffic is on the same subnet. I'm not sure what else I need to/should have to do to make this work. Some help would be appreciated. :)

P.S. I am new to *this* list, if I missed something, let me know and I'll make the necessary adjustments.

--
Chris Brennan
--
A: Yes.
Q: Are you sure?
A: Because it reverses the logical flow of conversation.
Q: Why is top posting frowned upon?
http://xkcd.com/84/ | http://xkcd.com/149/ | http://xkcd.com/549/
GPG: D5B20C0C (6741 8EE4 6C7D 11FB 8DA8 9E4A EECD 9A84 D5B2 0C0C)
Re: [pfSense Support] if possible to use radius and vouchers together?
2011/7/11 梁富宏 lian...@supcon.com:
> My network has 300 users and some guests. Guests need to temporarily access internet. Now I want to use pfsense's captiveportal to control the users and guests to access internet:
> 1. users use account to login captiveportal
> 2. guests use voucher to login captiveportal
> Because of has 300 users, so I want to use radius to storage the accounts. But in pfsense, the captive portal auth options is Local User Manager / Vouchers

Should work with RADIUS just the same as the local user manager, that description is confusing though. I'll check that and change the description.
Re: [pfSense Support] Incorrect System Log Order/Logging Bug?
On Fri, Jul 8, 2011 at 4:26 PM, Vick Khera vi...@khera.org wrote:
> On Fri, Jul 8, 2011 at 1:06 PM, Dimitri Rodis dimit...@integritasystems.com wrote:
>> I have my log set to show newest on top, and the log is “mostly” in order, but notice how there are some entries that are in the middle of this screenshot that are “newer” than everything else. (The problem is that Jul 8 15:12:29 has not yet happened in my time zone, it is only shortly after 10AM here..)
>
> What's your offset to GMT? I'll guess +5
>
> If the process started before the timezone was set, then you will see stuff like this. Same if you alter the timezone after the process is started. They do not re-read the timezone file ever.

This. If you want everything to be on the right timezone you have to reboot after setting it (or restart the services individually), that's always been the case. The logs show in the order they were logged, with the timestamp of the process doing the logging.
Re: [pfSense Support] Can't connect to cvs.bsdinstaller.org
On Fri, Jul 8, 2011 at 1:13 PM, Bao Ha b...@hacom.net wrote:
> Hello, We are trying to build the pfSense 2.0. However, the process hangs around the following message: Fetching BSDInstaller using CVSUP... It seems that cvs.bsdinstaller.org keeps timing out. The work-around is to patch the builder_common.sh to use GIT instead of CVSUP. Is there a change in building the bsdinstaller?

Yes it's all in github now, have to make sure your tools repo is up to date (and pulling from github as well for it).
Re: [pfSense Support] Problems getting PFSync to run properly, starting the Backup server produces Packet Loss on WAN
On Wed, Jul 6, 2011 at 9:45 AM, Raimund Sacherer raimund.sache...@logitravel.com wrote:
> Hello, I have the same problem if I deactivate CARP on the Backup server, it tells me then that all CARP Interfaces are down, but the packet loss is still there, so I have to shutdown the Backup server.

Sounds like something at layer 2 hanging onto the CARP MACs until that port goes down, hence directing traffic at the switch level to the wrong box.
Re: [pfSense Support] Problems getting PFSync to run properly, starting the Backup server produces Packet Loss on WAN
On Tue, Jul 5, 2011 at 9:13 AM, Raimund Sacherer raimund.sache...@logitravel.com wrote:
> Hello, Short Problem Description: Starting the Backup Server results in 50% (or more) packet loss on the WAN facing Interfaces. I saw in the states table that it seems that the Backup server is sending packets to over the Master Server, or so it seems.

What does your CARP status show on both? Sounds like the two can't communicate with each other on one or more interfaces possibly.
Re: [pfSense Support] Carp failover time
On Sat, Jul 2, 2011 at 4:34 AM, Shibashish shi...@gmail.com wrote:
> Hi, What is the average time for the carp failover to kick in... i.e. how much time does it take for the backup to become master and start serving requests and vice versa?

Immediate if it's expected (i.e. you reboot the master), 1-2 seconds by default if it's not (such as yanking the power plug or any other failure to communicate by the master).

> Is the timing parameter configurable?

Yes, search advskew and advbase.
Re: [pfSense Support] Strange TCP connection behavior 2.0 RC2 (+3)
On Tue, Jun 28, 2011 at 3:03 AM, William Salt williamejs...@googlemail.com wrote:
> Hi All, For the last couple of months I have been pulling my hair out trying to solve this problem. We have a 1Gbps transatlantic link from the UK to the US, which has successfully passed the RFC2544 test. At either end, we have a media converter, and a supermicro server with an intel quad port NIC running pfsense 2 (RC2 at one end RC3 at the other) and the IGB driver on the quad port. We can pass 1gbps either way with UDP. However we are experiencing very strange issues with tcp connections. With window scaling enabled, and a max socket buffer set to 16MB, we see no difference. Even disabling window scaling and setting the window to 16MB makes no difference. Each TCP connection starts very slowly, and will max out at around 190mbps, taking nearly 2 minutes to climb to this speed before plateauing. We have to initiate many (5+) connections to saturate the link with tcp connections with iperf.

Typical symptoms with a long fat pipe and TCP, you can Google that to find lots more info. You need to make adjustments on the source and destination hosts as they handle windowing, the firewall just passes that traffic. If you're actually testing with iperf on the firewall itself then the same considerations apply to it, though that's probably not indicative of the eventual real world usage.
Re: [pfSense Support] init process... starting non-pfsense package
On Tue, Jun 28, 2011 at 5:38 PM, Alberto Mijares amijar...@gmail.com wrote:
> Hi, as you may guess, I need to start a package I just installed with # pkg_add -r and if I try to start it, it doesn't (start, onestart, CLI, web interface... nothing works). I cannot write a rc.conf either.

See http://doc.pfsense.org/index.php/Installing_FreeBSD_Packages (I just added some additional info there to answer your questions if you've already read that page previously).
Re: [pfSense Support] supported auth protocols
On Wed, Jun 22, 2011 at 3:19 AM, Roberto Nunnari roberto.nunn...@supsi.ch wrote:
> Ok, thank you. Now I have a couple of important tasks that will take me off from this, but I hope I'll be back here in three-four weeks.

There will also be a developer mailing list available in the near future, as soon as I have a chance to take down this server and bring up the new one, you'll see an email to this list with info then. You can follow up there then with any additional questions (or here in the mean time).
Re: [pfSense Support] need reboot after changing firewall rules?
On Mon, Jun 20, 2011 at 11:04 AM, Roberto Nunnari roberto.nunn...@supsi.ch wrote:
> Hi. Mr Router wrote:
>> Just upgraded to RC 2 will check this now and update my findings
>
> Could you replicate the problem? Today I upgrade to RC3 and now the problem seems solved.

There were a couple days of RC2 snapshots that had broken check_reload_status which prevented filter reloads, right around the time of the original post here.
Re: [pfSense Support] supported auth protocols
On Tue, Jun 21, 2011 at 8:51 AM, Roberto Nunnari roberto.nunn...@supsi.ch wrote:
> Roberto Nunnari wrote: Roberto Nunnari wrote: Roberto Nunnari wrote: Chris Buechler wrote: On Thu, Jun 9, 2011 at 5:49 AM, Roberto Nunnari roberto.nunn...@supsi.ch wrote:
> Hi all. We now face a problem.. the captive portal, will need to authenticate users via a radius server. Unfortunately, that radius server doesn't support PAP, and pfSense seems to be using right that.. on the web interface I didn't see an option to change it.. Is it possible to set authentication protocol to something more advanced than PAP.. say EAP, PEAP.. we could even accept CHAP..
>
> Currently no. But you can always add that yourself, or get us to do it for you if you have a budget for it. It uses Auth_RADIUS, which can support CHAP with additional extensions. EAP and/or PEAP would require quite a bit more work.
>
> Hi Chris. Humm.. I'm still in the evaluation stage.. Could you just tell me what files/libraries should I edit/use in order to add peap or mschapv2? For sure I would give the patches back to the pfSense project once done, but a little help would be much appreciated.
>
> humm.. files seems to be in /etc/inc/ .. at least radius.inc and auth.inc .. !!! there's already a function Auth_RADIUS_MSCHAPv2 in radius.inc !!! I'm going to try that out right away. Robi Robi
>
> I'm a developer and have good experience with C/C++/Java, some experience with php and I'm now starting with python. I also have a good working knowledge of FreeBSD and I'm the system administrator of a few FreeBSD boxes since version 4 to version 6.4. If it is a matter of no more than a couple of days of work, I could try to add support for peap and/or mschapv2. Our radius guy told me that the only accepted protocols at present for us are peap and mschapv2. So, I was wrong when I said that chap was an acceptable option for us.
>
> To be true, I'm surprised that pfSense, in the case of radius with captive portal, puts credentials on the network in clear text (PAP) without a chance to choose a more secure protocol. But I also understand that pfSense is free software, and that you guys already have done a great amount of work and released such a wonderful software for free! Thank you again! Best regards. Robi
>
> I offer my help to add mschapv2, but I'm new to pfSense and so I don't know anything about current implementation and the startup scripts. In particular I'd like to know
> 1) what is covered in the current implementation regarding mschapv2
> 2) what is missing in the current implementation regarding mschapv2
> 3) is mschapv2 implementation in radius.inc complete?
> 4) should it be enough to change auth.inc to see it working as an initial test?

All of the RADIUS bits are handled with PHP's Auth_RADIUS, by looking into it vs. what we have in our inc files you should be able to answer #1-4. I don't know the answers there offhand.

> 5) where to put configuration parameters?

In config.xml the same as everything else is handled for all portions of the system.

> 6) I believe it would be desirable to choose at least php/mschapv2 in the captive portal configuration in the web interface.

Yeah it would have an option for each configured RADIUS server, or maybe just globally, to select which.

> 7) is there a developer guide?

Not really, there is quite a bit of info on devwiki.pfsense.org.
Re: [pfSense Support] Current Production Version
On Sun, Jun 19, 2011 at 5:02 AM, Eugen Leitl eu...@leitl.org wrote:
> On Sat, Jun 18, 2011 at 08:35:56PM -0600, David Burgess wrote:
>> On Sat, Jun 18, 2011 at 7:22 PM, Volker Kuhlmann hid...@paradise.net.nz wrote:
>>> Well, this is a little annoying. I have RC1 too, and I had checked only about a week ago, and there is no newer than RC1 on the servers
>>
>> The images are labelled RC1, but if you install them they will show up in your dashboard and console as RC2, for several weeks now.
>
> Weird, just upgraded: 2.0-RC1-IPv6 (i386) built on Sat Jun 18 19:16:45 EDT 2011

The IPv6 branch is another world (everyone else in this thread is on stock snapshots), but its label did change as well to RC2 weeks ago. You may have missed: http://forum.pfsense.org/index.php/topic,36682.0.html You should: rm -rf /root/pfsense and sync from the new URL.
Re: [pfSense Support] Current Production Version
On Sat, Jun 18, 2011 at 7:30 AM, Eugen Leitl eu...@leitl.org wrote:
> Strange, my 2.0-RC1-IPv6 (i386) is still at RC1.

You haven't synced in weeks then.

> What's the fate of IPv6 development branch, then?

http://forum.pfsense.org/index.php/topic,37895.msg195593.html#msg195593
Re: [pfSense Support] Current Production Version
On Fri, Jun 17, 2011 at 1:58 PM, Nathan Eisenberg nat...@atlasnetworks.us wrote:
> Apologies for the dumb question... Is the general consensus that 2.0-RC1 is production ready, or is 1.2.3 still recommended for production deployments?

Latest snapshot is your best bet over RC1. RC3 comes this weekend, release soon after. There are less than half as many tickets open on 2.0 as there were on 1.2.3 when it was released, latest 2.0 has far fewer bugs than 1.2.3 (with the possible exception of some packages that maintainers haven't updated), granted in both cases they're of the type that are rare to encounter.
Re: [pfSense Support] Current Production Version
On Fri, Jun 17, 2011 at 4:53 PM, Nathan Eisenberg nat...@atlasnetworks.us wrote:
>> Latest snapshot is your best bet over RC1. RC3 comes this weekend, release soon after. There are less than half as many tickets open on 2.0 as there were on 1.2.3 when it was released, latest 2.0 has far fewer bugs than 1.2.3 (with the possible exception of some packages that maintainers haven't updated), granted in both cases they're of the type that are rare to encounter.
>
> Just to verify, that would be pfSense-2.0-RC1-i386-20110617-0727.iso.gz, correct?

Yep.
Re: [pfSense Support] supported auth protocols
On Thu, Jun 9, 2011 at 5:49 AM, Roberto Nunnari roberto.nunn...@supsi.ch wrote:
> Hi all. We now face a problem.. the captive portal, will need to authenticate users via a radius server. Unfortunately, that radius server doesn't support PAP, and pfSense seems to be using right that.. on the web interface I didn't see an option to change it.. Is it possible to set authentication protocol to something more advanced than PAP.. say EAP, PEAP.. we could even accept CHAP..

Currently no. But you can always add that yourself, or get us to do it for you if you have a budget for it. It uses Auth_RADIUS, which can support CHAP with additional extensions. EAP and/or PEAP would require quite a bit more work.
Re: [pfSense Support] multiple captive networks setup
On Thu, Jun 9, 2011 at 5:23 AM, Roberto Nunnari roberto.nunn...@supsi.ch wrote:
>> Just need to add a firewall rule to allow that.
>
> Ok. I remember I read somewhere that pfSense uses openbsd pf as firewall even though it is based on FreeBSD. In any case I guess it's possible to do it via the web interface, right?

Firewall > Rules, WAN.

> We do not have enough public IPs, so we'd rather go with the latter, ie NAT each subnet to a unique virtual IP. That should give us a way to track down the public ip to a classroom (mapped to a captive network).

Oh, sounded like the WAN-side was really on another private LAN, in that case yeah I would definitely NAT each subnet to its own public IP.

> Is it possible to define the virtual ips for the wan nic via the web interface, or is it necessary to go to the shell and/or edit files?

Firewall > Virtual IPs
Re: [pfSense Support] pfsense as a centralized antivirus update to multiple hosts
On Wed, Jun 1, 2011 at 8:24 PM, Joseph Rotan joseph.ro...@gmail.com wrote:
> Hi, I would like to confirm if pfsense can act as a centralized PC to update anti-virus to multiple host PC's connected on the same LAN.

In general, no that's not possible. That depends on how the antivirus updates work. AV will either require pulling updates from the official source, or for centrally-managed corporate-focused AV options, a server that runs on a Windows server is generally required.
Re: [pfSense Support] naive prioritization of VoIP?
On Thu, Jun 2, 2011 at 6:12 PM, Adam Thompson athom...@athompso.net wrote:
> This begs the question of what, exactly do all those other firewalls DO when I set priority.

It varies, but generally there's more to it than setting priority. You need link speed as well as you need the firewall to do the queuing and never hit any queuing on your modem or elsewhere outside your control, otherwise priority is useless as you're just going to blast traffic out to be queued where your ISP is rate limiting you.

> ...speaking of VoIP, does anyone know if the FreeSwitch packages are ever getting updated?

It won't be, it's going to be replaced with FusionPBX, the successor to our Freeswitch package. Mark Crane created it, then moved on to FusionPBX, and will be creating a package for it to replace the Freeswitch package at some point (not sure of his exact plans).
Re: [pfSense Support] 2.0 restore config partially?
On Wed, Jun 1, 2011 at 5:00 PM, Volker Kuhlmann hid...@paradise.net.nz wrote:
> When restoring the config on 2.0RC1 only partially from a full config backup nothing is restored.

The config must contain only the part being restored when doing a partial restore.
Re: [pfSense Support] RE: Snort and pfsense
On Wed, May 25, 2011 at 3:12 AM, A Mohan Rao mohanra...@gmail.com hijacked yet another thread: You've been asked several times now, when you post, you must start a new message with a new subject. What you keep doing is called thread hijacking, you're sending a completely different question on someone else's thread. Any time you post, start a new email to support@pfsense.com. *Never* reply to someone else's email unless you're actually replying to that email, on any mailing list. Also never send file attachments to mailing lists. Some reading on proper mailing list etiquette would go a long way towards people's willingness to help you.
Re: [pfSense Support] DHCP Server with virtual IP (subnets)
On Wed, May 25, 2011 at 11:43 AM, Alberto Mijares amijar...@gmail.com wrote:
>> DHCP server only supports the primary subnet, no way to do that without hacking the source.
>
> Ok. I guess you mean through webConfigurator. If I modify /var/dhcpd/etc/dhcpd.conf, could achieve my goal? May I write a script and hook it with services_dhcp.php to do this?

No, it'll get overwritten. You can modify /etc/inc/services.inc to hard code in the config you need.
Re: [pfSense Support] DHCP Server with virtual IP (subnets)
On Tue, May 24, 2011 at 4:24 PM, Alberto Mijares amijar...@gmail.com wrote:
> Hi, I'm trying to include static IPs in DHCP server. LAN interface has IP 10.10.0.1/24 I added an IP alias for the interface with 10.10.1.1/24, so I include the MAC address of a host for 10.10.1.2 It doesn't like this. How could I do this? And, of course, I should specify the router address too (10.10.1.1, not the natural interfaces IP)

DHCP server only supports the primary subnet, no way to do that without hacking the source.
Re: [pfSense Support] pfSense Git resources
On Wed, May 18, 2011 at 10:57 PM, Yehuda Katz yeh...@ymkatz.net wrote:
> Is there any chance the documentation on http://devwiki.pfsense.org/ about the Git setup will be updated to include how to connect to the mainline on GitHub instead of rcs?

Pages are updated but not really anything to it other than changing to the new URLs. One of the benefits of being on github is they have the best git documentation of anywhere I've seen, lots of general info here. http://help.github.com/
Re: [pfSense Support] L7 queue seems not to work
On Fri, Apr 29, 2011 at 4:49 PM, bsd b...@todoo.biz wrote:
> No one has any feedback on L7 that and v.2.0.RC1 ?

It doesn't work. At least apparently unless manually compiled. There is a ticket open on it.
Re: [pfSense Support] A REALLY Simple Question, Really
On Fri, Apr 29, 2011 at 9:00 PM, Bruce B bruceb...@gmail.com wrote:
> Next time, when you change the LAN interface subnet just don't press APPLY. It actually gives you a RED notice to go ahead and change DHCP server range as well and then come back and press APPLY.

Still the same.
Re: [pfSense Support] 802.11 b/g/n radio on Soekris Net5501
On Wed, Apr 20, 2011 at 12:38 PM, Karl Fife karlf...@gmail.com wrote:
> Can anyone make a recommendation for a pfSense-compatible Mini PCI Wi-Fi radio that is suitable/compatible for a Soekris 5501. I'm looking for something that supports 802.11b/g/n on 2.4 GHz. I'll be building this on 2.0RC1.

netgate.com has several supported cards. Though the supported b/g/n cards only work in b/g until we have a release based on FreeBSD 9 (released next year).

> The Ubiquiti SR71-A would appear to be a great choice, but I've read conflicting results about compatibility with non-'routerstation' boards. Can anyone vouch for this combination? I know the SR71-a is a pretty high-power radio, so are there any considerations with regard to dumping heat from the radio from a standard 5501 enclosure?

The SR71-A is based on a newer Atheros chipset that isn't supported in any FreeBSD versions that we currently have releases based on, I think 9.0 will probably be the first release that supports it. Heat shouldn't be a concern with any card, unless it's in a hot room to begin with and the little extra heat pushes it over the edge. If you have a hard drive running in it too that will make things worse.
Re: [pfSense Support] IPSEC and static routes?
On Tue, Apr 19, 2011 at 11:53 AM, Adam Thompson athom...@athompso.net wrote:
> I know this has come up more than once in the past, but I can’t find it in the archives (i.e. can’t figure out the right keywords). If my pfSense box is the endpoint of an IPSec tunnel, all the devices routing through it can reach the far side, but traffic originating from the pfSense box itself doesn’t get there. I think I remember the solution being to add a static route on the pfSense box, but I can’t remember precisely what had to be added.

http://doc.pfsense.org/index.php/Why_can%27t_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN%3F
Re: [pfSense Support] IPSEC and static routes?
On Tue, Apr 19, 2011 at 9:12 PM, Adam Thompson athom...@athompso.net wrote:
>>> I know this has come up more than once in the past, but I can't find it in the archives (i.e. can't figure out the right keywords). [...]
>>
>> http://doc.pfsense.org/index.php/Why_can%27t_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN%3F
>
> ...I forgot to search the *website*. Duh. That needs some updating for 2.0; who maintains the website? i.e. should I use redmine for submitting updated docs, or is there a better process?

Request an account to wikiad...@pfsense.org and you can update it yourself. :)
Re: [pfSense Support] Symmetrically routing connection with Multi-WAN and NAT
On Mon, Apr 18, 2011 at 6:14 AM, Per von Zweigbergk p...@itassistans.se wrote:
> I have the following set up in a lab:
>
>     [WinXP](LAN)[edgefw](WAN1)(Link1)[mock- ](WAN)[to my real LAN]
>                 [      ](WAN2)(Link2)[router](LAN)[Win7]
>
> The WinXP box has a chargen server running for testing (I just installed the Windows XP Simple Internet Services). Edgefw and mockrouter are running pfSense 2.0-RC1.
>
> What this setup is intended to simulate is a Multi-WAN scenario, where edgefw is the router for a LAN which has two different WAN connections that are NATed. Mockrouter is inserted into the mix simply to simulate the two separate Internet connections (Link1 and Link2). Mockrouter's WAN connection to my real LAN is just a convenience for me so I can still access the web on my lab machines and not strictly relevant to the lab. Edgefw is configured with two WAN connections, and has a default route out of both of them.
>
> The specific part of this setup I'm having difficulty with is routing reply packets for TCP connections. What I have done is that I've made two port forwards on edgefw, from the WAN1 edge IP and the WAN2 edge IP into the WinXP machine on the TCP chargen port.
>
> When WAN1 is the default gateway, if I connect from my Win7 box to edgefw's WAN1 IP on the chargen port packets in both directions flow through WAN1. This is to be expected. If I instead connect the same way, but with WAN2's IP, the packets going from Win7 to WinXP flow through WAN2, which is to be expected. However, packets returning on the same connection will exit on WAN1. Which is expected, but not desired - WAN1 is the default route after all, and it's not like the kernel makes routing decisions based on pf's state table.
>
> To solve this problem, I googled, and I turned up with the following solution that applies to hand-written pf that I believe would work in my scenario:
>
>     pass out on $ext_if1 from $ext_if2 route-to ($ext_if2 $ext_gw2)
>     pass out on $ext_if2 from $ext_if1 route-to ($ext_if1 $ext_gw1)

You can do that with floating rules. Check your resulting floating rules in /tmp/rules.debug to ensure you have them configured correctly, and enable logging on all your rules so you can determine which rule matched.
Re: [pfSense Support] PPPoE connection still doesn't establish
On Fri, Apr 15, 2011 at 3:17 AM, Maik Heinelt m...@vegasystems.com wrote:
> Hi, Today, I have installed latest pfSense v2.0 RC1 build on our Alix board. It seems not to work, even with this version. (I already posted about this problem with a younger pfSense 2.0 build). PPPoE was setup like in any other used router and are correct. cable is connected to modem and the cable is ok. Here are the pfSense logs:
>
>     Jan 1 09:09:21 ppp: [wan_link0] Link: reconnection attempt 21
>     Jan 1 09:09:21 ppp: [wan_link0] PPPoE: Connecting to '*'
>     Jan 1 09:09:30 ppp: [wan_link0] PPPoE connection timeout after 9 seconds
>     Jan 1 09:09:30 ppp: [wan_link0] Link: DOWN event
>     Jan 1 09:09:30 ppp: [wan_link0] LCP: Down event

That means it got no answer from your ISP at all. Check the Ethernet link on WAN, and power cycle the modem.
Re: [pfSense Support] Question on vlan
On Thu, Apr 14, 2011 at 4:01 AM, Dave LaLong dalal...@gmail.com wrote:
> Hello List! I setup a vlan and am using dhcp-relay on my pfsense box. I cannot seem to setup a rule that will block the dhcp request.

You can't, short of manually hacking the source. On interfaces where the DHCP server or relay is enabled, a rule is automatically added to allow traffic to it.
Re: [pfSense Support] WAN DHCP does not pull DNS server info on 2.0-RC1 build Apr 8 2011?
On Tue, Apr 12, 2011 at 12:46 PM, Josh Karli josh.ka...@gmail.com wrote:
> On 4/11/2011 6:13 PM, Chris Buechler wrote:
>> On Mon, Apr 11, 2011 at 6:11 PM, Josh Karli josh.ka...@gmail.com wrote:
>>> Hello all I updated to the Friday April 8 2011 build via auto update. My WAN is connected to my internet modem and is configured by DHCP, and I am not part of a domain. After the update DNS name resolution did not work for internet addresses, and this was verified using the Diagnostics > DNS Lookup tool (i did not try to resolve netbios names configured in pfsense via the static dhcp rules dns forwarder combination). I manually entered my ISP's DNS servers in System > General Setup and it now works. Can anyone confirm this?
>>
>> Yes, was fixed over the weekend.
>
> I updated to the Monday Apr 11 build today and it does not appear to be fixed. The behavior is not changed.

It's definitely fixed. If you don't have Allow DNS server list to be overridden checked under System > General Setup (it is by default) it won't use the provided DNS servers, where it is checked it does use them.
Re: [pfSense Support] PPTP password issue
On Wed, Apr 13, 2011 at 10:32 AM, Ernst den Broeder erns...@gmail.com wrote:
> Hi. We are running 2.0-RC1 on our systems. I recently assigned a PPTP user the following password: x2758A6g924B

mpd quotes user passwords so the in there is probably breaking it. The only other character restriction is the password cannot begin with ! because mpd interprets that as not a password but a command to use for authentication. There is input validation in 2.0 to prevent that, though maybe not the quote.
Re: [pfSense Support] WAN DHCP does not pull DNS server info on 2.0-RC1 build Apr 8 2011?
On Mon, Apr 11, 2011 at 6:11 PM, Josh Karli josh.ka...@gmail.com wrote:
> Hello all
> I updated to the Friday April 8 2011 build via auto update. My WAN is connected to my internet modem and is configured by DHCP, and I am not part of a domain. After the update DNS name resolution did not work for internet addresses, and this was verified using the Diagnostics > DNS Lookup tool (I did not try to resolve netbios names configured in pfsense via the static dhcp rules dns forwarder combination). I manually entered my ISP's DNS servers in System > General Setup and it now works. Can anyone confirm this?

Yes, was fixed over the weekend.
Re: [pfSense Support] 2.0RC1 - PPTP client disconnect kills all IPsec VPNs
On Wed, Apr 6, 2011 at 9:12 PM, Leon Strong leon.str...@smx.co.nz wrote:
> On this subject, I'm also noticing whenever a rules update happens, our openvpn connections all drop. Possibly something related to resetting the rules, and therefore any established tcp/udp connections?

Changing rules does not touch any active connections.
Re: [pfSense Support] 2.0RC1 - PPTP client disconnect kills all IPsec VPNs
On Thu, Mar 31, 2011 at 5:05 PM, David Rees dree...@gmail.com wrote:
> I posted this on the forum[1] but didn't get any responses, so am trying here.
>
> On 2.0-RC1 (amd64) built on Tue Mar 22 21:02:19 EDT 2011
>
> When a PPTP user connects and then disconnects, all IPsec VPNs go down shortly afterwards. In the logs, we see that the pptp user logs out - shortly afterwards the DPD kicks in on the VPNs, but fails to bring the VPNs back up. Disabling/enabling an IPsec VPN brings them all back up. We don't use PPTP much so it's the first time we've seen it. We're planning on going back to the official RC1 in the mean time.
>
> Known issue? Anyone using both PPTP server and IPsec VPNs NOT seeing this issue? What's your setup like?

Can't replicate, I connected and disconnected PPTP about 30 times to a system with a few IPsec connections all with DPD and had 0 issues with any of them. Typical basic PPTP setup and site to site IPsec. See if you can narrow it down more, or if there's something specific about your setup that's pertinent.
[pfSense Support] HP 1800s - was: Re: [pfSense Support] www.pfsense.org down?
On Sat, Mar 26, 2011 at 7:23 PM, Adam Thompson athom...@athompso.net wrote:
>> The one that failed is a 1800-24G, cheapest managed 24 port gig switch they make. I bought a E2510G-24 to replace it, will use the 1800-24G replacement somewhere less critical. Though I know our customers have at least 10 of those in production networks and this is the first one I've heard of failing, I feel better with the enterprise-class switch in the datacenter.
>
> FWIW, I used to sell a lot of HP ProCurve gear; the only switches of theirs I ever had to return were 1800-series switches (and _one_ 2524, IIRC). A very small proportion, to be sure, effectively zero warranty service rate compared to Cisco, but relatively speaking... I suspect it has to do with the fanless design being slightly less robust - IMHO, anyway.

You're probably onto something there. To my surprise, the replacement is the exact same model, and completely identical with one exception - it has a different side piece on one side, and a fan. A noisy one at that unfortunately even by managed switch standards. I was going to replace one of the switches in the rack next to my desk with it, it's probably a bit too noisy for that though.
Re: [pfSense Support] Some minor issues after upgrade
On Wed, Mar 30, 2011 at 1:11 PM, - Dickie Bradford - dbradf...@never-enuff.net wrote:
> On 3/26/2011 9:53 PM, - Dickie Bradford - wrote:
>> Today I installed a New 2.0 RC1 pfsense build and then installed my backup config from 1.2.3. It went pretty well with minor issues that were easily fixed. One issue that is not easily fixed is this
>>
>> I have 3 interfaces, WAN (DHCP), LAN (192.168.20.1) and WirelessLan (192.168.21.1). WAN and LAN work perfect, the WirelessLan is acting strange to the fact that from the lan I can only ping a few of the active 192.168.21.0/24 addresses ...BUT... I can ping all the active addresses from the firewall with no problem.
>>
>> example:
>> firewall can ping: 192.168.21.2, 192.168.21.3, 192.168.21.48, 192.168.21.49, 192.168.21.223
>> Lan IPSEC can only ping: 192.168.21.48, 192.168.21.49
>>
>> I have the rule to pass everything on all interfaces just for the sake of trying to track this issue down. BOGON's and Private IP blocking are unchecked on all interfaces. I am at a loss of what is wrong
>>
>> Thnx
>
> Here is some additional information on this
>
> only IP's directly connected to the switch that is connected to the pfsense box cannot be pinged from lan or ipsec, but remote IP's that run across wireless bridges thru the switch can be pinged. I have changed the switch to make sure it is not an issue, but the problem still persists.

Get a packet capture on the interface the traffic is entering, make sure it's showing there, then on the interface it's leaving, see that it's leaving there.
Re: [pfSense Support] Is the PPTP/GRE Limitation fixed in 2.0?
On Mon, Mar 28, 2011 at 3:45 PM, Adam Piasecki apiase...@midatlanticbb.com wrote:
> I found a thread on the message board stating this was fixed in 2.0. I'm testing it right now and can only get 1 client connected at a time.

It used to be, caused panics in edge cases and was reverted, won't make 2.0 as we don't have time to fix.
Re: [pfSense Support] www.pfsense.org down?
On Sat, Mar 26, 2011 at 8:50 AM, Nebojsa Djordjevic djn...@gmail.com wrote:
> I'm constantly getting connection reset errors trying to access http://www.pfsense.org/ -- anyone else having the same problem?

Was earlier, switch flaked out. Go figure we replace an ancient Cat2924 which are ticking timebombs to fail with a brand new HP managed gigabit switch and it flakes out within a month..
Re: [pfSense Support] www.pfsense.org down?
On Sat, Mar 26, 2011 at 6:40 PM, Nathan Eisenberg nat...@atlasnetworks.us wrote:
>> Was earlier, switch flaked out. Go figure we replace an ancient Cat2924 which are ticking timebombs to fail with a brand new HP managed gigabit switch and it flakes out within a month..
>
> At least the HP has a lifetime warranty, where that 2924 will just go into the trash when it fails. :-)

Yep. The 2924 replaced the HP again temporarily, ironically... it's the last 2924 I own, used to have a bunch of them and they've all died except that one, and of the bunch of HPs I have in various places (16xx, 1800, 24xx, 25xx, 4000, 53xx), this is the first HP switch I've ever lost (knock on wood).

The one that failed is a 1800-24G, cheapest managed 24 port gig switch they make. I bought a E2510G-24 to replace it, will use the 1800-24G replacement somewhere less critical. Though I know our customers have at least 10 of those in production networks and this is the first one I've heard of failing, I feel better with the enterprise-class switch in the datacenter.
Re: [pfSense Support] Spoofed wan mac issues in 2.0-RC1
On Fri, Mar 25, 2011 at 1:38 PM, Joseph L. Casale jcas...@activenetwerx.com wrote:
> It appears as if the wan int can only acquire a dynamic ip when its spoofed from a fresh boot. If you down it from the gui interfaces page, it cannot re-acquire an ip when you up it again.

Works fine for me.
Re: [pfSense Support] RE: Release all unused DHCP leases.
On Wed, Mar 23, 2011 at 2:18 PM, Adam Thompson athom...@athompso.net wrote:
> Offline leases in the pfSense interface are, I believe, merely a visual guide to show you who last got that IP address. The “offline” part is what I’m not 100% sure about – if it just means the expiry date is past, or if the lease has been released, or if the device isn’t responding to ARP… dunno about that part.

Offline in that context means that IP is not currently active in the firewall's ARP table, which means it hasn't accessed the Internet or anything else triggering ARP on the firewall in over 20 minutes.

Short of waiting the lease time, or removing the entire lease database or removing individual entries from it, there isn't really a way to delete unexpired leases.
Re: [pfSense Support] can't block https://facebook.com via firefox
On Tue, Mar 22, 2011 at 5:22 PM, Adam Thompson athom...@athompso.net wrote:
> Some commercial firewalls (Fortigate, most notably) claim to filter HTTPS, I'm still a bit unclear on how they manage to break SSL that thoroughly even with what amounts to a MitM attack...

The way those in general work (not sure on Fortigate specifically) is they MITM HTTPS as a proxy, you have to install a certificate on all the clients that it uses so they trust the forged certs it provides to the internal clients. There are two HTTPS connections, one from client to the firewall, one from the firewall to the actual site. No open source equivalent that I've seen or heard of.

OpenDNS or other DNS blocking/modification such as via the DNS forwarder is generally the easiest way to control HTTPS by domain, and make sure nobody can use other DNS servers.
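Added example (not from the thread and not pfSense code): the DNS approach from the reply above in Python, showing label-boundary matching for a blocked domain and a check over flow records for LAN clients that send DNS to a resolver other than the firewall. The flow-record format, the addresses and all function names are assumptions constructed for illustration.

```python
import ipaddress

BLOCKED_DOMAINS = {"facebook.com"}                   # example policy
FIREWALL_DNS = ipaddress.ip_address("192.168.1.1")   # assumed LAN address of the DNS forwarder
LAN = ipaddress.ip_network("192.168.1.0/24")         # assumed LAN subnet

# Constructed sample records: "<src> <dst> <proto> <dst port>"
SAMPLE_FLOWS = """\
192.168.1.20 192.168.1.1 udp 53
192.168.1.21 8.8.8.8 udp 53
192.168.1.21 8.8.8.8 tcp 443
192.168.1.22 208.67.222.222 tcp 53
10.9.9.9 8.8.8.8 udp 53
malformed line
"""


def is_blocked(qname, blocked=BLOCKED_DOMAINS):
    """Match on label boundaries: the domain and every subdomain are
    blocked, but look-alikes such as notfacebook.com are not."""
    labels = qname.strip().rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def answer(qname, upstream):
    """Forwarder decision: blocked names get a sink address, everything
    else is passed to the upstream resolver callable."""
    return "0.0.0.0" if is_blocked(qname) else upstream(qname)


def dns_bypass_clients(flows, resolver=FIREWALL_DNS, lan=LAN):
    """Return {client: {foreign resolvers}} for LAN hosts that send
    port-53 traffic anywhere except the firewall's forwarder."""
    offenders = {}
    for line in flows.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip records that do not fit the assumed format
        src, dst, proto, dport = parts
        try:
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
        except ValueError:
            continue
        if (src_ip in lan and proto in ("udp", "tcp")
                and dport == "53" and dst_ip != resolver):
            offenders.setdefault(src, set()).add(dst)
    return offenders


if __name__ == "__main__":
    for name in ("www.facebook.com", "FACEBOOK.com.", "notfacebook.com"):
        print(name, "blocked" if is_blocked(name) else "allowed")
    print(dns_bypass_clients(SAMPLE_FLOWS))
```

Any client this reports is resolving names outside the forwarder, so the domain block does not apply to it until outbound DNS to other servers is blocked at the firewall.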
Re: [pfSense Support] Cisco AnyConnect
On Mon, Mar 21, 2011 at 11:19 AM, David Burgess apt@gmail.com wrote:
> On Sun, Dec 5, 2010 at 12:10 AM, Chris Buechler cbuech...@gmail.com wrote:
>> On Sun, Dec 5, 2010 at 2:02 AM, David Burgess apt@gmail.com wrote:
>>> But openconnect works, at least for me on Linux, and from what I gather it's available for FreeBSD too. What are the chances of installing openconnect on pfsense as a package to this end?
>>
>> There is a port for it, that should do it. security/openconnect/
>
> I finally attempted this and it was surprisingly easy to do. The problem now is when I try to use the tunnel from the LAN. Of course the AnyConnect server doesn't know how to route to my LAN, and since I have no control over it the obvious answer is outbound NAT. But since pfsense's web UI doesn't know about the tun0 interface, the Outbound NAT page doesn't offer it as an option when creating a rule (a similar problem will exist when trying to make firewall or traffic shaper rules, but I'm not worried about that now).
>
> Can somebody point out a pattern for making an outbound NAT rule for openconnect's tun0?

Assign tun0 as an OPT interface.
Re: [pfSense Support] 2.0 Web UI Unresponsive
On Thu, Mar 17, 2011 at 11:44 AM, Jim Riggs freebsd-li...@christianserving.org wrote:
> I have been having an issue with 2.0 for a few months (beta snapshots and RC1) that is driving me mad. I'm hoping someone can shed some light on this.
>
> The server is a Dell PowerEdge R610 with bce0-bce3. It is a repurposed server, so it is built and configured as a server and for performance. In the simplest setup, I only have a LAN (bce0) and WAN (bce1). This is a test server for evaluating 2.0, so it doesn't really have much traffic. There are only a couple of us using it as a gateway.
>
> A few minutes after booting, the Web UI will become unusably slow or completely unresponsive. Sometimes we will be greeted with a 503 response. Other times the browser just spins forever. SSH access is similarly flaky. We have found that if we force some traffic through the gateway (e.g. http request from LAN to WAN) right after requesting a page from the Web UI or attempting an SSH session, it will respond to that request.
>
> I have dug through posts related to this in the forums and archives, but haven't found too much that's relevant. I did find one post [1], though, that was somewhat similar. Basically, the OP had to run tcpdump on the pfSense box to get it to work. I tried that, and it works! So, now every time I restart the pfSense box I have to log in on console or SSH (if I can get in) and run a `nohup tcpdump -i bce0 > /dev/null' to make it behave.
>
> Note that unlike the referenced post, we do not have any trouble LAN-WAN through the gateway. It just seems to be problematic accessing the gateway itself from the LAN.

Odd, then it's only working when the NIC is in promiscuous mode. What's the exact chipset (run dmesg|grep bce0)? Some odd driver quirk, apparently specific to only certain particular chipsets as I know there are a number of systems running bce that don't have such issues. Running 'ifconfig bce0 promisc' would accomplish the same without having to run tcpdump.
Re: [pfSense Support] pfSense network throughput issues
On Fri, Mar 18, 2011 at 3:39 AM, Shibashish shi...@gmail.com wrote:
> snip
> igb0@pci0:3:0:0: class=0x02 card=0x34f28086 chip=0x10c98086 rev=0x01 hdr=0x00
>     class = network
>     subclass = ethernet
> igb1@pci0:3:0:1: class=0x02 card=0x34f28086 chip=0x10c98086

The igb driver in FreeBSD 7.2 has serious performance issues, that's the most likely cause. Your best bet is to test your config on 2.0 and make sure the load balancing config upgrades fine and works correctly. The 8.1 driver doesn't have such issues.
Re: [pfSense Support] 3G NIC compatible with pfSense ?
On Fri, Mar 18, 2011 at 11:39 AM, bsd b...@todoo.biz wrote:
> Hi,
> I wanted to know if you had any idea about 3G / GSM NIC that would be compatible with pfSense ? How is 3G supposed to work with pfSense ?

info here: http://doc.pfsense.org/index.php/Configuring_3G_modems