Re: [pfSense Support] Outbound port forward
On Tue, Sep 6, 2011 at 1:08 PM, Arquivos wrote:
> I need to forward all the requests going out by the port 53 (DNS) to a
> single external DNS server, in spite of the DNS configured in the
> clients. Can someone help me in that?

What you want is a NAT Port Forward entry on your LAN interface to destination port 53 and a redirect target IP of the server you want to force. I haven't tried this but I believe it will do what you are asking.

db

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com
Commercial support available - https://portal.pfsense.org
[pfSense Support] dialup router
I'm trying to build a dialup router on an HP t5710. It has 512 MB of flash and a single serial port, which I intend to use for an external modem.

I'm wondering if a generic install of 1.2.3 or 2.0 will fit on the 512 MB of flash, or can I do an embedded install and disable the console so that the serial port can be freed up for the modem.

Any insight?

db
Re: [pfSense Support] Happy Birthday Chris
Happy Birthday, eh. (Canadian)

db
Re: [pfSense Support] PPTP Broken in latest AMD 2.0 Snapshots
On Wed, Aug 17, 2011 at 1:49 PM, Chris Buechler wrote:
> http://redmine.pfsense.org/issues/1107
>
> Fixing that broke PPPoE entirely on AMD64, doubt if that gets fixed for 2.0.

Can you please clarify? Are you saying that folks who use PPPoE on the WAN should not update to the newer 2.0 snaps until this is resolved post-2.0?

db
Re: [pfSense Support] ppp - 3G on 2.0 rc3
On Sat, Jul 30, 2011 at 4:28 PM, Nenhum_de_Nos wrote:
> ps: how often do nanobsd images are updated ? there is just this from July
> 4th and no more available.

http://forum.pfsense.org/index.php/topic,38687.0.html

db
[pfSense Support] Re: unknown cause of limited throughput
On Tue, Jul 5, 2011 at 11:52 PM, David Burgess wrote:
> I'll probably kick myself when I figure this one out

And the answer is... traffic shaper. I'm so embarrassed.

::Off to kick self::

db
Re: [pfSense Support] Re: unknown cause of limited throughput
On Thu, Jul 14, 2011 at 4:39 AM, Ermal Luçi wrote:
> Try to tune these sysctl:
> net.isr.numthreads: 1
> net.isr.bindthreads: 0
> net.isr.direct: 1
> net.isr.direct_force: 1

I tried those in System: Advanced: System Tunables. Throughput is still 17.4 Mbps between vlan240 and any other. Does pfsense require a reboot to make those sysctl effective?

db
Re: [pfSense Support] Re: unknown cause of limited throughput
On Thu, Jul 14, 2011 at 11:56 AM, Adam Thompson wrote:
> Are you passing the VLAN tags all the way into the pfSense VM on a single
> vNIC, or are you splitting the VLANs at the vSwitch level and passing them
> into multiple vNICs on the pfSense VM?

Adam,
Thanks for the info. In fact, pfsense is not virtualized here, so in my most recent posting I was able to eliminate virtual machines from the problem altogether by testing from ren to mule, and passes only through pfsense and one vlan switch (twice, on different ports).

Ermal,
Thanks for the hints. I will test and post back.

db
[pfSense Support] Re: unknown cause of limited throughput
2.0-RC3 (amd64) built on Tue Jul 12 21:23:55 EDT 2011

On Tue, Jul 5, 2011 at 11:52 PM, David Burgess wrote:
> I hope that's not too confusing. To summarize, any two machines, real
> or virtual, get iperf results near wire speed when on the same L2
> network. Any two machines on different (routed) networks see iperf
> speeds between 320 and 550, which is expected due to the limitations
> of the router. The exception is rip. Of my three virtual hosts, which
> all live on the same ESXi server, only rip is seeing very slow iperf
> speeds (and similar nfs speeds) when acting as server to routed hosts.

I did some more testing and was surprised by the results. I created a new virtual server "chunk" running Ubuntu Server 10.10 and expected that because it was now the same version OS as my other servers, it would now exhibit normal routed network speeds. But I was wrong. Chunk consistently serves iperf at 12.8 Mbps to a routed client. Intrigued, I moved chunk to a different local vlan/network and tested again. The result:

iperf client  vlan  server         vlan  result
ren real      85    chunk virtual  250   380 Mbps routed
ren real      85    chunk virtual  240   12.8 Mbps routed
mule real     85    chunk virtual  250   380 Mbps routed
mule real     85    chunk virtual  240   12.8 Mbps routed
ren real      85    mule real      240   16.8 Mbps routed

So it's not the server, it's the vlan or something related to it. vlan85 is my LAN, and the only firewall rule on that interface is a PASS all rule. There is no floating rule that should touch any of this as far as I can tell.

The only thing that distinguishes vlan 240 from the other vlans I'm testing (besides being slower) is that the hosts on this vlan have publicly routable IP addresses, while the hosts on every other vlan are 192.168.x.x addresses. There is no NAT occurring between local networks.

I've now ruled out virtualization and OS as being the cause of this, and that leaves pfsense and the switch. The switch is not slow where the router is not involved, so unless I've misjudged, this is a pfsense problem.

Any ideas?

db
Re: [pfSense Support] Incorrect System Log Order/Logging Bug?
On Fri, Jul 8, 2011 at 11:06 AM, Dimitri Rodis wrote:
> Can anyone else confirm what appears to be either a bug in the logging with
> respect to the timestamps or a bug in the sorting of the log entries? (I
> don’t know which)

I've seen it here and I suspect the problem is with the timestamps, and the time zone not being applied to some of them. I was about to take a screen shot of mine when I realized that none of my logs are populated since updating to the latest snap yesterday :P

db
Re: [pfSense Support] Reboot of running pfsense 2.0 configuration - interface mismatch question - config.xml overwritten and lost
On Fri, Jul 8, 2011 at 6:09 AM, Jostein Elvaker Haande wrote:
> I have the same problem on one of my pfSense installations, with a
> Realtek 8112 chipset (onboard NIC). The card refuses to come up on
> every even numbered boot (which occurs quite often, seeing as it's
> being run with 2.0RCx). The only workaround I've found, is to reboot
> the machine and it comes back up again. Really annoying, and I've
> tried to search for a solution both on the forums and on Google, but
> found nothing.

Are you running nanoBSD/embedded? This version keeps two images on your boot device and upgrades only the non-running image. The default behaviour is to boot the same image each time unless you specify the alternate or do an upgrade, but if yours is alternating each reboot for some reason then this may explain your luck.

db
[pfSense Support] unknown cause of limited throughput
I'll probably kick myself when I figure this one out, but here's a riddle for you.

pfsense is 2.0RC3.
Atom D510 (2x1.6GHz, GBE)
Clear DF bit: enabled
Scrub: disabled

I have a number of real and virtual hosts (single ESXi server with vlans) connected to pfsense through a Netgear gigabit switch using vlans. All hosts are wired and local, so latency is <3 ms in all cases.

I noticed some serious slowness using nfs, so I investigated with iperf. All iperf tests were half-duplex, 4 threads, 30 seconds in duration to the server, like so: iperf -c rip -P4 -t30.

Here is the results matrix:

Client  Real/Virtual  Vlan  Server  Real/Virtual  Vlan  Result    Notes
ren     real          85    rip     virtual       240   17 Mbps   routed: slow
crag    virtual       250   rip     virtual       240   17 Mbps   routed: slow
slab    virtual       85    rip     virtual       240   17 Mbps   routed: slow
slab    virtual       85    crag    virtual       250   345 Mbps  routed
ren     real          85    crag    virtual       250   320 Mbps  routed
ren     real          85    mule    real          85    950 Mbps  L2 wire speed
ren     real          85    mule    real          250   380 Mbps  routed
ren     real          85    slab    virtual       85    950 Mbps  L2 wire speed
slab    virtual       85    mule    real          25    548 Mbps  routed
mule    real          240   rip     virtual       240   950 Mbps  L2 wire speed

I hope that's not too confusing. To summarize, any two machines, real or virtual, get iperf results near wire speed when on the same L2 network. Any two machines on different (routed) networks see iperf speeds between 320 and 550, which is expected due to the limitations of the router. The exception is rip. Of my three virtual hosts, which all live on the same ESXi server, only rip is seeing very slow iperf speeds (and similar nfs speeds) when acting as server to routed hosts.

I can't explain this, as rip has access to more cores and RAM on the ESXi host than the other VMs. There is no pfsense limiter in place to throttle this traffic. top shows no strain on rip during the tests. All real and VM hosts are running Ubuntu x86_64, although rip is 11.04 while the others are 10.10. All VMs have open-vm-tools installed.

I guess this could be an issue with pfsense, Ubuntu 11.04, or ESXi. I'm not sure which, but I find it odd that 1/3 VMs has poor network performance, but only when the traffic is routed.

Any ideas where to look?

db
Re: [pfSense Support] Current Production Version
On Sat, Jun 18, 2011 at 7:22 PM, Volker Kuhlmann wrote:
> Well, this is a little annoying. I have RC1 too, and I had checked only
> about a week ago, and there is no newer than RC1 on the servers

The images are labelled RC1, but if you install them they will show up in your dashboard and console as RC2, for several weeks now.

db
Re: [pfSense Support] Multible PPPoE on same NIC?
On Thu, Jun 16, 2011 at 10:21 AM, Steven Sherwood wrote:
> Hi there - I assume that you are using multiple modems? Should be possible
> to create VLANs and have multiple PPPoE sessions, one on each VLAN. You will
> need a VLAN capable switch upstream of your pfSense box for connecting the
> modems, but I don't see why that wouldn't work.

Are you planning to use mlppp, or something else, like load-balancing? I use 8 modems on vlans for mlppp and it works great.

If you're not using mlppp and the pppoe sessions will all be using the same gateway then you may have problems. This does not work in pfsense 1.x, and I know there's been a lot of discussion in the forums over whether it works in 2.0 right now. I think not.

db
Re: [pfSense Support] need reboot after changing firewall rules?
On Thu, Jun 9, 2011 at 10:59 AM, Roberto Nunnari wrote:
> Hi.
>
> I just discovered that modifications to the firewall rules will not be
> active until the box is rebooted..
>
> Is it a known bug or a misconfiguration on my side?

Did you try this?

http://doc.pfsense.org/index.php/Reset_States

db
Re: [pfSense Support] Splitting a /24 into multiple subnets
On Mon, May 23, 2011 at 4:14 PM, Andreas Kaiser wrote:
>> That allows you to do any routing you want between interfaces / WAN and
>> gives you granular control of everything.
>
> *That* is exactly what I want ;-)

Have you turned off automatic outbound NAT and disabled or deleted all the automatically created rules for every interface that has a part of the /24 public subnet?

db
Re: [pfSense Support] IPsec, Multi-WAN Session Setup Problems. (2.0 RC1)
On Fri, May 20, 2011 at 1:51 AM, A Mohan Rao wrote:
> not able to do client side open vpn setup properly any body can help for
> which open vpn client i have to download and install run properly i have to
> do server side setup which is i have to attached video.
>
>
> Awaiting for positive response .!

You have attempted (at least twice now) to hijack this thread (your post has nothing to do with the going topic). Kindly start a new thread if you would like assistance.

db
Re: [pfSense Support] A REALLY Simple Question, Really
On Fri, Apr 29, 2011 at 3:05 PM, Yehuda Katz wrote:
> On Fri, Apr 29, 2011 at 4:49 PM, Mehma Sarja wrote:
>>
>> Alix running pf 20 RC1 nano. Trying to change from default 192.168.1.x
>> network to 192.168.100.x on the LAN interface - nothing fancy.
>>
>> WHAT I DID
>> With DHCP enabled and serving on 192.168.1.x, tried to change LAN ip using
>> the web GUI. I can guess why it does not work - DHCP is trying to serve on
>> the old network and the LAN is trying to change its network. Don't get any
>> love on either network. Turning DHCP off - figured I'd assign my laptop a
>> new address manually since there is no DHCP. Nothing on either network.
>>
>> I think it's time to go read the book.
>
> It might be easiest for you to fix this from the console.
> Log in (if you have it configured to require login), then choose option 2
> from the menu ("Set interface(s) IP address").
> Make sure you enter the DHCP addresses in full: i.e. 192.168.100.x.
> - Yehuda

The book is for 1.2.3, so much of it may not apply to 2.0.

Reset your interfaces on the console as Yehuda said, then reboot from the console if it's still not working. Pfsense sometimes requires a reboot after editing the interfaces, even though it does not prompt you.

db
Re: [pfSense Support] pfSense to use more memory
On Thu, Mar 31, 2011 at 11:17 AM, Shibashish wrote:
> My pfSense box says
>
> real memory = 12884901888 (12288 MB)
> avail memory = 2567946240 (2448 MB)
>
> How can i ask pfSense to use more memory?

Use the 64-bit version.

> I tried the 64-bit version
> but it kept crashing, hence reverted back to 32-bit.

2.0 is in RC. Please provide feedback so we can determine the cause of the problem, and either you or the devs can fix it, depending where it lies.

db
Re: [pfSense Support] pfsense site down?
Was down briefly here, but up now.
Re: [pfSense Support] Upgrading options
On Fri, Mar 25, 2011 at 2:25 PM, - Dickie Bradford - wrote:
> Is it possible to do backup on a 1.2.3 machine and reload it with a fresh 2.0
> and reload the backup?

Yes. The only issues I've seen come up in the forum are from users who have international characters in the config file. Delete those and you should be fine.

db
Re: [pfSense Support] can't block https://facebook.com via firefox
On Tue, Mar 22, 2011 at 10:53 AM, Luke Jaeger wrote:
> Hello,
>
> I have squid configured as transparent proxy on my network.

The point of transparent proxy is that it doesn't require any system or browser proxy setting; it intercepts all http requests from the user on the active interfaces. I suspect from your description rather that you have squid not in transparent mode and are using group policy or something similar to set the system proxy. Maybe you need to move to true transparent mode, which works with firefox and any other browser.

db
Re: [pfSense Support] Cisco AnyConnect
On Sun, Dec 5, 2010 at 12:10 AM, Chris Buechler wrote:
> On Sun, Dec 5, 2010 at 2:02 AM, David Burgess wrote:
>>
>> But openconnect works, at least for me on Linux, and from what I
>> gather it's available for FreeBSD too. What are the chances of
>> installing openconnect on pfsense as a package to this end?
>>
>
> There is a port for it, that should do it. security/openconnect/

I finally attempted this and it was surprisingly easy to do. The problem now is when I try to use the tunnel from the LAN. Of course the AnyConnect server doesn't know how to route to my LAN, and since I have no control over it the obvious answer is outbound NAT. But since pfsense's web UI doesn't know about the tun0 interface, the Outbound NAT page doesn't offer it as an option when creating a rule (a similar problem will exist when trying to make firewall or traffic shaper rules, but I'm not worried about that now).

Can somebody point out a pattern for making an outbound NAT rule for openconnect's tun0?

db
Re: [pfSense Support] Moving configs to different machines
On Fri, Mar 18, 2011 at 4:15 PM, Joseph L. Casale wrote:
> I have to transfer a config from one server to another. Looking at the backup
> I can replace the ifnames and correlate the vlans etc but I am wondering about
> the nat/filter pair id's or any other caveats?

I have moved a config back and forth between a pair of 2.0 machines. One is i386 embedded and the other amd64 full. All I changed in the config was ifnames (don't do a 'replace all' if you have rrd data in the backup!). You may also need to adjust other settings that might affect things like RAM, DMA, checksum offloading, polling, powerd, etc if your hardware is different in those respects.

db
Re: [pfSense Support] RRD quits collecting
On Wed, Mar 9, 2011 at 3:49 PM, k_o_l wrote:
> Since I installed 2.0-RC1 last Friday I’ve noticed RRD at least on two
> different occasion stopped collecting data see attached.

http://forum.pfsense.org/index.php/topic,33154.0.html

db
Re: [pfSense Support] List Posting Etiquette [WAS: Re: [pfSense Support] Re: Intel Gigabit - em0: Watchdog Timeout]
On Tue, Mar 8, 2011 at 8:02 AM, Yehuda Katz wrote:
> Does anyone else see why this is annoying?

I lost all understanding of this thread many posts back.

db
Re: AW: [pfSense Support] Re: Intel Gigabit - em0: Watchdog Timeout
On Fri, Mar 4, 2011 at 8:22 PM, Kevin Tollison wrote:
> That kills my theories. Must still be driver or kernel. Wonder if one of the
> panic fixes caused the issue I am seeing. Ermal did some voodoo that I
> didn't understand today. Worked better, but not completely fixed. Glad to
> see we have at least one other person seeing this as well. At least I'm not
> crazy.

My openvpn is very light use, just a heartbeat from a couple remote WAPs for the most part. What kind of traffic are you putting over your vpn? I can try to mimic.

db
Re: AW: [pfSense Support] Re: Intel Gigabit - em0: Watchdog Timeout
Client.

Sent from my phone.
On 2011 3 4 20:14, "Kevin Tollison" wrote:
> What about openVPN?
> --
> Kevin Tollison
>
> Sent from my Blackberry
>
> -Original Message-
> From: David Burgess
> Date: Fri, 4 Mar 2011 20:12:21
> To:
> Reply-To: support@pfsense.com
> Subject: Re: AW: [pfSense Support] Re: Intel Gigabit - em0: Watchdog Timeout
> On 2011 3 4 20:09, "Kevin Tollison" wrote:
>>
>> 2 B5 was good until a month or so ago. Are you using any vlans? I am beginning to think it may be in vlans.
>
> Yes. One of my onboards has 8 vlans and the other 5.
Re: AW: [pfSense Support] Re: Intel Gigabit - em0: Watchdog Timeout
On 2011 3 4 20:09, "Kevin Tollison" wrote:
>
> 2 B5 was good until a month or so ago. Are you using any vlans? I am beginning to think it may be in vlans.

Yes. One of my onboards has 8 vlans and the other 5.
Re: AW: [pfSense Support] Re: Intel Gigabit - em0: Watchdog Timeout
On Fri, Mar 4, 2011 at 3:34 PM, Kevin Tollison wrote:
> Sorry for the top post. (BlackBerry)
>
> I worked with Scott and Ermal a while today on an em issue. Ermal was able to
> improve the situation some, but it is still not resolved. I had to bail on
> him.
>
> Is anyone experiencing traffic to stop passing when these errors happen. My
> boxes are Supermicro with Intel gig NICs. They randomly start and stop
> passing traffic. Console is still functional when it happens.

As I recall, you're using the X7SPE-HF. My home system is an X7SPA-H, which has the same NICs, and is almost entirely identical save for the IPMI, I think. And yet, I have had no issue with traffic stopping, just the mbuf leaks I had mentioned in the forum.

Are you seeing the same thing in one of the newer snaps with the Yandex em driver?

db
Re: [pfSense Support] Thoughts on hardware for a possible pfSense installation for firewalling 5000+ workstations on a 30-40Mbps Internet uplink
On Fri, Mar 4, 2011 at 10:12 AM, David Burgess wrote:
> If
> you want to spend a little more for that 'instant' feel, I can tell
> you that a Core i3 550 on the same connection feels pretty much
> instant

To clarify, I was referring to navigating the UI. All of the hardware I mentioned has provided a satisfactory routing experience in my environment.

db
Re: [pfSense Support] Thoughts on hardware for a possible pfSense installation for firewalling 5000+ workstations on a 30-40Mbps Internet uplink
On Fri, Mar 4, 2011 at 10:03 AM, Eric Feldhusen wrote:
> As part of a regional education service agency to multiple K-12 school
> districts, we're talking about using pfSense for our nat/firewalling for
> approximately 5000+ workstations on a 30-40 Mbps internet uplink. Any one
> on the list have a pfSense similar to that for any suggestions?

http://www.pfsense.org/index.php?option=com_content&task=view&id=52&Itemid=49

I have used a net5501-70 (Geode 500MHz, 512MB) on a 40/4 connection with ~300 users, and it is fine if you don't expect a quick UI. I have also used an Atom D510 with 4GB of RAM on the same connection and the UI is much more responsive, but power usage jumped from 7W to 19W. If you want to spend a little more for that 'instant' feel, I can tell you that a Core i3 550 on the same connection feels pretty much instant and won't eat more than 40W at the loads you'll be subjecting it to (depending on the hardware you marry it with).

db
Re: [pfSense Support] Intel Gigabit - em0: Watchdog Timeout
On Fri, Mar 4, 2011 at 8:22 AM, Jim Pingle wrote:
> Since the switch to the Yandex Intel drivers a couple days ago my VMs
> all constantly print watchdog timeouts on the console... It seems to
> operate OK, but it makes the console useless.

I, for one, welcome our new console-crapping overlords ;)

Oops, I mean, too bad about the side effects, but I'm certainly relieved for the worlds-better performance of the new intel driver in 2.0. And FWIW, I have seen no such message on my vga console or in the log.

db
Re: [pfSense Support] Re: throughput tuning in 2.0
On Fri, Mar 4, 2011 at 1:24 AM, Seth Mos wrote:
> The current 2.0 snapshots have a different driver for the Intel gigabit
> cards. We switched to the Yandex drivers to debug driver issues with the
> Intel supplied ones.

I wondered. The difference on this system is positive and obvious.

> This has fixed performance issues for a number of people but introduced
> other issues for a number of others. You can't win them all. We'll leave
> this for at least a week or so until we have a larger sample set.

I have another system with different em NICs that was experiencing mbuf leaks. I just updated it to the latest snap and noticed the initial mbufs are much higher. We'll see if they grow over time as with the last driver.

db
[pfSense Support] Re: throughput tuning in 2.0
On Wed, Mar 2, 2011 at 11:21 PM, David Burgess wrote:
> On Wed, Mar 2, 2011 at 2:44 AM, David Burgess wrote:
>
>> the NIC is sending and receiving a total of about 530
>> mbit x2 during the test.
>
> This gets worse I'm afraid.

Well, some good news. I have reinstalled this system fresh (after trying 1.2.3--no NIC driver :( ), and I'm now seeing the expected LAN>WAN throughput of 900+ mbps sustained. Either something has changed in the latest snaps, or I had a bad setting. I had done not much besides tighten up non-LAN firewall rules a bit and turn on powerd. Now I'm wondering if I had enabled NIC checksumming. I'll play a bit and find out what difference that makes.

db
[pfSense Support] Re: throughput tuning in 2.0
On Wed, Mar 2, 2011 at 2:44 AM, David Burgess wrote:
> the NIC is sending and receiving a total of about 530
> mbit x2 during the test.

This gets worse I'm afraid. I recreated my setup, substituting a GS724T switch in for the GS108E, hoping the switch might be the bottleneck. Again, testing LAN>WAN iperf throughput was a flat 500 mbps, with about 10 mbps on the return during the push test.

I then moved one test machine from the WAN to OPT1 and repeated the test. This time throughput dropped to around 200 mbps, and pfsense became totally unresponsive in the UI. As soon as the test ended, the UI quickly responded to whatever I might have clicked on during the iperf test. Similarly in an ssh session on pfsense, I could type in the shell and see the characters I typed with no observable latency, but pressing enter returned the carriage and produced no further output until iperf was halted. Even if I started top running before starting the iperf test, top did not update itself until after iperf was killed.

Next I changed the mtu on pfsense and my test machines to 4078, the largest supported by pfsense. This time iperf throughput dropped to 96 mbps and pfsense was similarly unresponsive during the test.

These results are troubling. I will probably have to test 1.2.3 on this hardware and hope for better results.

Perhaps the Yandex drivers will turn this around?

http://forum.pfsense.org/index.php/topic,33345.msg175595.html#msg175595

This is an Intel DG57JG board, FYI, with on-board 82578DC GBE using the em driver.

db
Re: [pfSense Support] throughput tuning in 2.0
On Wed, Mar 2, 2011 at 12:38 AM, Seth Mos wrote:
> I'm routing it from one interface to another although its destination is
> also a VLAN on that other interface.

Maybe that's where the issue lies. It would be unfortunate if vlan-vlan traffic on a given interface has its maximum throughput reduced by almost half. I would be interested to see how your throughput would differ using two distinct physical interfaces, all else being equal.

db
[pfSense Support] throughput tuning in 2.0
2.0-RC1 (amd64) built on Tue Mar 1 15:52:28 EST 2011
Core i3 550 3.2 GHz
4GB RAM
Intel GBE

I've just set this system up doing some crude throughput testing with iperf. The most I can push through this box from LAN to WAN is a steady 503-520 mbps, using the default mtu (higher mtu values produce no throughput on iperf for reasons I haven't looked into. I'm suspecting no support in the switch).

top -SH is showing ~25% interrupt usage and 30%+ idle on both cores. Hyperthreading is disabled.

I'm using a single NIC with vlans, but testing in only one direction, so the NIC is sending and receiving a total of about 530 mbit x2 during the test. iperf test machines show minimal CPU usage during the test, and have no other significant network activity happening concurrently.

The switch is a Netgear ProSafe GS108E, which is ostensibly non-blocking.

I expected better throughput than that. Any ideas what is holding this thing back, or where I could look to find out?

Thanks,

db
Re: [pfSense Support] Microsoft updates through pfSense
On Thu, Feb 17, 2011 at 8:52 PM, Shali K.R. wrote:
> Dear db,
>
> i have tried this, but it showing a high bandwidth usage, is this a proper
> way??

I uninstalled the squid package about three months ago, unable to get it to function properly. I will try it again when pfsense 2.0 is stable, and probably pick up the book as well. I wish I could be more helpful than that.

db
Re: [pfSense Support] Microsoft updates through pfSense
On Thu, Feb 17, 2011 at 8:42 PM, Shali K.R. wrote:
> Dear all,
>
> I am having 500 windows client machines connected through pfSense and squid,
> please suggest me a suitable method for handling updates.
You'll find the appropriate info here:
http://doc.pfsense.org/index.php/Squid_Package_Tuning
db
Re: [pfSense Support] install pfsense from usb stick
The 2.0 snapshots include a usb image. Installing 1.2.3 from usb will be a bit of a trick, as you have learned. db
[pfSense Support] Re: pfsense and DDOS
On Tue, Feb 1, 2011 at 12:25 PM, David Burgess wrote:
> I recently read a page in the pfsense docs (can't find it in the wiki or
> FAQ now), which I believe quoted the pfsense book (don't have it),
> where cmb states that pfsense is the best open source firewall, and
> one of the best firewalls at handling DDOS attacks.
ok, found it.
http://forum.pfsense.org/index.php?topic=10471.msg%msg_id%
db
[pfSense Support] pfsense and DDOS
An article popped up on /. today, and although it's a poorly written article, some of the ensuing discussion did provoke some thought.
http://it.slashdot.org/story/11/02/01/181200/Firewalls-Make-DDoS-Attacks-Worse
I think the article is mostly just scare marketing, but it raises the question of how a firewall would best react to a DDOS scenario. I recently read a page in the pfsense docs (can't find it in the wiki or FAQ now), which I believe quoted the pfsense book (don't have it), where cmb states that pfsense is the best open source firewall, and one of the best firewalls at handling DDOS attacks. So the thing I'm wondering now, is best practice in terms of hardening pfsense against DDOS. Acknowledging that DDOS is best handled in cooperation with your provider, what can we do at our end? Or are the default firewall settings pretty tight in that regard? Is there anything one might do that would inadvertently expose one's pfsense to DDOS-related troubles?
db
Re: [pfSense Support] pfSense 2.0, upgrade to this morning's snap problem
On Mon, Jan 24, 2011 at 11:42 AM, Dimitri Rodis wrote:
> After an upgrade to this morning’s snap, I received the following after the
> upgrade/reboot (it’s what’s on my PuTTY atm):
This looks a lot like what's being discussed here, although I don't see the em driver implicated in your output:
http://forum.pfsense.org/index.php/topic,31721.0.html
db
Re: [pfSense Support] Traffic Graph accurate--but not the host list
On Mon, Jan 24, 2011 at 11:38 AM, Dimitri Rodis wrote:
> pfSense 2.0, most recent builds
>
> When I go to status/traffic graph, the graph is correct but the list of
> hosts is not. I don’t know if there’s something I’m not doing, but here’s
> what I did to test it:
>
> Put a windows machine (my laptop) on the LAN interface, and plug the WAN
> into my internal network. I connected to my file server from the laptop, and
> copied 10 GB of data from the file server to the laptop. When I did, the
> graph showed 98Mb of traffic fairly consistently, but the host list never
> showed more than a few kb of traffic for my laptop, and on the WAN side it
> never showed the file server’s ip address at all. It almost looks like the
> host list is only looking at traffic directed to pfSense itself as opposed
> to through that particular interface.
It's not clear to me from your email if you looked at the graph for both WAN and LAN interface. In fact, when I look at the WAN graph I only ever see public IP addresses that are local to pfsense. In other words, I have NATed hosts and routed hosts internally, and while I see the routed hosts show up on the WAN graph, I do not see NATed hosts, but I do see their corresponding WAN address. When I look at the LAN graph I see addresses of individual hosts on the LAN. What I do find strange is that I also sometimes see the network and broadcast address of my internal routed network show up on the WAN graph even though that network is routed through a private gateway, and not directly connected to pfsense. So I have this:
pfsense WAN: x.x.224.55
pfsense LAN: 192.168.172.254/24
static route: x.x.225.176/30 gw 172.21.172.101
So the only host beyond the 192.168.172.0 network is x.x.225.178, and yet on the LAN graph I occasionally see x.x.225.y, where y = 176-179, although normally it just shows y = 178, which is expected. I also occasionally see addresses show up there and then freeze, where they don't disappear and the rate doesn't change, although that host may be long silent.
db
Re: [pfSense Support] Re: Network Traffic difference
On Wed, Jan 19, 2011 at 9:44 PM, Shali K.R. wrote:
> sir ..
> In my pfsense traffic graphic shows WAN in 4 Mbps LAN out 1Mbps Why this
> difference anything wrong with my pfsense?
http://forum.pfsense.org/index.php/topic,31855.0.html
For pcap use tcpdump on the pfsense console.
bd
[pfSense Support] MHz myth?
I'm familiar with the hardware sizing guide, and I've done a few benchmarks myself, but I'm wondering if a MHz is a MHz when it comes to pf performance, or do things like IPC and cache sizes matter? What about RAM frequencies and latency? Putting encryption and the various pfsense packages aside, can anybody tell me (based on theory and/or experience) what kind of comparative routing throughput I could expect to see from say an Athlon X2, Athlon II X2, Phenom 2, Atom D510, Pentium D, Celeron D, Core Duo, Core 2 Duo, Pentium G6950 and a Core i7, all dual-core and controlling for NIC and core clock differences?
db
Re: [pfSense Support] Is it possible to Port Forward same PORT to TWO servers? pfsense + TWO Asterisk servers and NAT
On Fri, Jan 14, 2011 at 11:55 AM, Bruce B wrote:
> Hi Everyone,
> I am facing a dilemma here. If I port forward 1-2 to my first
> Asterisk server which sets behind pfSense v1.2.3 then I have two way audio.
> If I remove it I don't have any audio but call establishes.
> Now, I have a second server, so I am stuck with what to do on the NAT. I
> tried to set NAT destination to network subnet like 192.168.0.0/24 but it
> doesn't accept that.
> Can you please tell me what I need to do?
> ***I have only 1 IP address so adding more IPs is not an option. Would I
> have to take advantage of 1:1 NAT? I am not sure what it is and how to set
> it up if at all. Please guide.
http://doc.pfsense.org/index.php/VoIP_Configuration
My money is on #3.
db
Re: [pfSense Support] Multi WAN
On Thu, Jan 13, 2011 at 11:30 PM, Shali K.R. wrote:
> Dear sir,
>
> How can i create rule for out going? i already created all allow rule for
> OPT1 in firewal-> Rules
When you create a firewall rule on an interface, that rule will govern only packets arriving on that interface, not leaving it. So by creating a rule on OPT1 to allow all, you are allowing all internet traffic to enter your network--generally not a good idea from a security standpoint, however without any port forward rules defined you have not yet exposed any LAN hosts, only pfsense itself (ie, any services listening there, such as web UI, ssh, DNS). If you want LAN traffic to be able to connect to external hosts via OPT1 then you need to create LAN rules, wherein you may define the WAN interface/gateway that matching traffic will use. I suggest you read up on this document and then come back with specific questions you may have.
http://doc.pfsense.org/index.php/Multi_WAN_/_Load_Balancing
Enjoy.
db
Re: [pfSense Support] Multi WAN
On Thu, Jan 13, 2011 at 10:29 PM, Shali K.R. wrote:
> Dear all,
>
> I have 2 WAN ( Static and another PPPOE )connections and a LAN connection
>
> i added PPPOE as WAN and static as OPT1 two connections are active and i
> added a firewall rule for OPT1 allow all to all then i check the
> connectivity of OPT1, i can ping to OPT1 from out side but cant ping from
> OPT1 to anywhere, any idea??/
You said OPT1 is a WAN with static IP, so I assume you configured it with a gateway. If you didn't turn off automatic outbound NAT then OPT1 will not accept any LAN-destined traffic unless you define port forward rules. Alternately, you could turn off AON if your LAN is in public IP address space (or if one of your WANs is).
db
Re: [pfSense Support] autorollback?
On Thu, Jan 13, 2011 at 2:00 PM, Charles N Wyble wrote:
> Phase one applies the configuration.
>
> Phase two rolls it back if you don't confirm it. So if you did something
> that blocked you out of the device for example, it would auto roll back.
Ubiquiti's AirOS 5 has a "change" button which updates the config file but doesn't apply it. Pressing it also causes three buttons to appear on the page, "Test", "Apply" and "Cancel". If you hit the test button it applies your changes then posts a countdown from 180 seconds and the 3 previous buttons are replaced by 2 new, "Apply" and "Revert". This feature has saved me many walks in the snow, and I can see how it could be useful in pfsense. AirOS is open, so I imagine the code could be borrowed if it proves useful/portable to a dev.
db
Re: [pfSense Support] Testing 2.0 - What is the upgrade and downgrade process for Daily snapshots?
On Wed, Jan 12, 2011 at 1:46 PM, Bruce B wrote:
> So, if I am on:
> 1 pfsense
> and do an upgrade, does the upgrade apply to "1 pfsense" or "2 pfsense" ?
If you booted from 1 then upgraded, it will overwrite the 2 slice.
> Also, rather using the Console Cable each time, can I change settings
> somewhere to boot from a specific partition? something like
> Grub equivalent of Redhat in FreeBSD?
Normally only two things will cause the default boot slice to change, a firmware upgrade or user intervention. Besides changing it on the console at boot time, you may also go to Diagnostics: nanoBSD in the webUI to change it. There is a CLI utility to change it as well, but I don't know why a person would want to mess with it.
db
Re: [pfSense Support] Testing 2.0 - What is the upgrade and downgrade process for Daily snapshots?
On Wed, Jan 12, 2011 at 1:37 PM, Dimitri Rodis wrote:
> if that
> doesn’t work, you can use the gui to boot off of the old slice. Very nice
> and easy.
Or if it /really/ doesn't work you can use the initial boot menu to choose the other slice at boot time. You will see something like this:
  1 pfsense
  2 pfsense
  > 1
Whichever number automatically appears at the prompt is the one you were running (if you're just rebooting), or the one you just upgraded to, if you're rebooting after an upgrade. You'll want to change that value before the automatic boot if that slice is giving you problems.
db
[pfSense Support] Re: squid continues downloading but LAN client stalls
On Fri, Jan 7, 2011 at 10:58 AM, David Burgess wrote:
> I am trying to download a large iso from microsoft.com. At some point
> (different every time), the download stalls on the client.
Sorry, forgot to mention what I'm using.
2.0-BETA5 (amd64) built on Tue Jan 4 02:47:18 EST 2011
squid 2.7.9_4
Further, after some time wget on the client did transfer a few more bytes and then stalled again, twice.
db
Re: [pfSense Support] Advice?
On Tue, Jan 4, 2011 at 8:25 AM, Nicolas Roussi wrote:
> Would this setup be sufficient?
Depends on the bandwidth limits you will put on your clients. I have 2.0 with squid running on an Atom D510 with 4GB RAM and a 40/4 mbps mlppp connection and it has no trouble. This is servicing 6 clients with 10/1 each and a campus with 300 wifi customers, limited to 7/1 each.
> And does anyone know a way to manage the access points, not necessarily
> though the pfsense but maybe a software or hardware solution? Changing the
> access points is also part of the plan, Aerohive, Motorolla or Meru
> Networks...not sure yet.
We use open-mesh indoors and ubiquiti outdoors. Open-mesh networks are managed entirely centrally (on their web site). Ubiquiti (AirMax only?) equipment is managed through their free AirControl software, but it's not feature-complete. In other words, you still have to log into individual units for some changes, or script something with pssh. They have announced a beta version that is supposed to centralise this a lot better. Ubiquiti has also just released Unifi, which is their indoor enterprise mesh, and they claim it is managed centrally. It looks good, but frankly we're happy with our open-mesh, so I haven't had a chance to try the Unifi.
db
Re: [pfSense Support] hardware to run pfsense with multiple ethernet ports
On Mon, Jan 3, 2011 at 10:47 PM, Chris Buechler wrote:
> The cheapest new hardware option I'm aware of that can do 6 or more
> NICs is a Soekris 5501 with a dual or quad port card, for 6-8 ports.
> About $375-400. That's the only very low power option I'm aware of,
> should draw under 10 wt.
I can second that. I have a 5501-70 that measured 7W on a kill-a-watt with an Intel Pro 1000 GT installed. The unit was not heavily loaded when I took the reading, but I don't think it varied much under load. A dual or quad-port 10/100 card shouldn't use more power than the GBE, I think. Another nice thing about the 5501 is that it takes 6-25VDC input, which can be nice on a tower setup. No poe though.
db
[pfSense Support] FAQ item request: Do I need to know how to use a shell to use PFSense?
I'm annoyed by the recurrence of posts like this: http://www.dslreports.com/forum/r25224935- I see the Linux myth is debunked in the FAQ, but is there something substantial that I can link to that states or demonstrates that pfsense is adequately administered from the UI for most non-dev users?
db
Re: [pfSense Support] pfSense and adsl
On Fri, Dec 17, 2010 at 3:29 PM, Evgeny Yurchenko wrote:
> I understand double-nat thing and can certainly configure that,
> but the simpler the better, I'd prefer to have public IP (range) on pfSense
> box.
Best case scenario you get a public IP on pfsense, but worst case you can turn off NAT in pfsense and just route through to the modem's NAT.
db
Re: [pfSense Support] pfSense and adsl
On Fri, Dec 17, 2010 at 12:39 PM, Evgeny Yurchenko wrote:
> Or if you can answer more generally what is genereal pfSense set up if you
> get DSL line from ISP?
I'm not familiar with that Netgear or PPPoA. My DSL uses PPPoE, and I have two options for handling that login:
1. modem in bridge mode, pfsense uses PPPoE on WAN to login and get IP address.
2. modem in router mode, uses PPPoE on WAN and static IP with or without DHCP server on LAN. PfSense uses static IP or DHCP on WAN.
I always keep my modems in bridge mode and let the router do the routing, and normally recommend to others that they do the same.
db
Re: [pfSense Support] custom files in /var/etc/ gone after reboot
On Wed, Dec 15, 2010 at 11:14 AM, Scott Benson wrote:
> [r...@host]/conf(17): mkdir blah
> mkdir: blah: Read-only file system
> [1.2.3-RELEASE]
> [r...@host]/conf(18):
/etc/rc.conf_mount_rw
db
[pfSense Support] Re: OT: coexisting with cisco
On Wed, Dec 8, 2010 at 1:38 PM, David Burgess wrote:
> Can somebody please tell me the cisco equivalent of a firewall rule
> that will keep state?
After some closer inspection I don't think there is a Cisco firewall on site at all, just a router and layer 3 switching. I talked to the Cisco admin and he was surprised to hear that anything was being routed that way without NAT, and has since closed the tap. Too bad, as I would have liked so much access without routing over the internet. Thanks for the suggestions.
db
[pfSense Support] 2.0 book?
Is there any public plan for a 2.0 book? I sure would like to pick one up.
db
[pfSense Support] OT: coexisting with cisco
Can somebody please tell me the cisco equivalent of a firewall rule that will keep state? I have hosts (Windows and pfSense) on opposite sides of a cisco firewall and router which I don't control. When I try to reach pfSense from Windows, tcpdump shows that pfSense is receiving the packet and responding, but Windows never gets the response. I want to tell Mr Cisco-Admin that his firewall is passing packets but not allowing the return, but I don't know the Cisco lingo, and I'm not confident that he'll know what I'm talking about unless I'm very specific. Thanks for your help.
db
Re: [pfSense Support] RDD failed in BETA
On Wed, Dec 8, 2010 at 9:33 AM, k_o_l wrote:
> “There has been an error creating the graphs, please check
> your system logs”
>
> I would like to keep my RRD data is there a work around?
This has been discussed in the forum, and IIRC, the only solution that was offered was to delete the graphing info.
db
Re: [pfSense Support] Cisco AnyConnect
On Sun, Dec 5, 2010 at 12:00 AM, Chris Buechler wrote:
> On Sun, Dec 5, 2010 at 1:21 AM, David Burgess wrote:
>> Is there a way to connect pfsense with an Anyconnect server?
>
> No, that's Cisco proprietary.
But openconnect works, at least for me on Linux, and from what I gather it's available for FreeBSD too. What are the chances of installing openconnect on pfsense as a package to this end?
db
[pfSense Support] Cisco AnyConnect
Is there a way to connect pfsense with an Anyconnect server? Google isn't turning up much for me.
Re: [pfSense Support] RFC1918 on WAN
On Sat, Dec 4, 2010 at 2:35 PM, Evgeny Yurchenko wrote:
> I would suggest to tcpdump. This way you for sure will know where these
> packets are coming from.
Thanks for the hint. tcpdump confirms that these are coming from pppoe0, so I'll be talking to my ISP.
db
[pfSense Support] RFC1918 on WAN
My WAN is mlppp with a static public IP address. pfSense is 2.0 beta4. Out of curiosity I disabled the check box on the WAN config page to block private networks. I then created an alias for RFC1918 and loopback addresses and manually created a logging reject rule at the top of the WAN rules for this alias. To my surprise the rule started logging packets at a rate of around 4/minute, suggesting that my ISP is not dropping these as prescribed in the RFC. Before I bring this to their attention, I wanted to ask the list a couple related questions:
1. Is there any reason for an ISP to forward these packets? AFAIK, my ISP does no NATing ever, and every customer gets only publicly routable IP addresses from them.
2. Is there a chance that my logs are misrepresenting, like maybe these packets came from an internal interface, even though the log shows they are from the WAN?
Here's a snippet from the Firewall Log page to illustrate what I'm seeing.
Dec 4 14:18:44 WAN 192.168.0.2:57198 69.165.225.177:57815 UDP block
Dec 4 14:17:30 WAN 172.16.36.144:58728 69.165.225.177:40730 TCP:R block
Dec 4 14:17:10 WAN 172.16.36.144:58661 69.165.225.177:40730 TCP:R block
Dec 4 14:17:09 WAN 192.168.0.2:22836 69.165.225.177:57815 UDP block
Dec 4 14:17:06 WAN 192.168.0.2:22836 69.165.225.177:57815 UDP block
Dec 4 14:15:17 WAN 192.168.9.10:50505 69.165.225.177:49615 UDP block
Dec 4 14:14:41 WAN 192.168.230.178:56200 69.165.225.177:13945 TCP:R
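Added example, not part of the original message and not pfSense code: a small parser for log rows in the layout pasted above that counts, per source address, the WAN rows whose source lies in RFC 1918 or loopback space, and sets aside rows it cannot parse instead of guessing. The function names are hypothetical, and the sample rows marked as constructed use documentation addresses.

```python
import ipaddress
import re
from collections import Counter

# Source ranges the message's alias covered: RFC 1918 private space plus loopback.
BOGON_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# One row as pasted in the message:
#   <Mon> <day> <hh:mm:ss> <iface> <src>:<port> <dst>:<port> <proto> [<action>]
ROW_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<iface>\S+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d{1,5})\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d{1,5})\s+"
    r"(?P<proto>\S+)"
    r"(?:\s+(?P<action>\S+))?\s*$"
)


def parse_row(line):
    """Return a dict for a well-formed row, or None if the row is damaged."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    try:
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
    except ValueError:          # e.g. an octet above 255
        return None
    if int(m["sport"]) > 65535 or int(m["dport"]) > 65535:
        return None
    return {"ts": m["ts"], "iface": m["iface"], "src": src, "dst": dst,
            "proto": m["proto"], "action": m["action"]}


def bogon_net(addr):
    """Return the matching private/loopback network as a string, else None."""
    for net in BOGON_NETS:
        if addr in net:
            return str(net)
    return None


def summarize(lines, iface="WAN"):
    """Count rows on `iface` with a private/loopback source; collect bad rows."""
    hits, unparsed = Counter(), []
    for line in lines:
        if not line.strip():
            continue
        row = parse_row(line)
        if row is None:
            unparsed.append(line)
            continue
        if row["iface"] != iface:
            continue
        net = bogon_net(row["src"])
        if net:
            hits[(str(row["src"]), net)] += 1
    return hits, unparsed


SAMPLE_LOG = [
    # First four rows are copied from the message.
    "Dec 4 14:18:44 WAN 192.168.0.2:57198 69.165.225.177:57815 UDP block",
    "Dec 4 14:17:30 WAN 172.16.36.144:58728 69.165.225.177:40730 TCP:R block",
    "Dec 4 14:17:10 WAN 172.16.36.144:58661 69.165.225.177:40730 TCP:R block",
    "Dec 4 14:17:09 WAN 192.168.0.2:22836 69.165.225.177:57815 UDP block",
    # Constructed: public source on WAN, must not be counted.
    "Dec 4 14:16:02 WAN 198.51.100.7:40000 69.165.225.177:443 TCP:S block",
    # Constructed: private source on LAN, which is expected there.
    "Dec 4 14:15:50 LAN 192.168.172.10:51000 198.51.100.7:80 TCP:S pass",
    # Constructed: source port fused with the destination address.
    "Dec 4 14:15:00 WAN 10.1.2.3:5353198.51.100.7:5353 UDP block",
]

if __name__ == "__main__":
    hits, unparsed = summarize(SAMPLE_LOG)
    for (src, net), count in hits.most_common():
        print(f"{src:<16} {net:<16} {count}")
    print(f"unparsed rows: {len(unparsed)}")
```

Rows that fail to parse are returned separately so a damaged paste is noticed rather than silently dropped from the counts.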
[pfSense Support] (non)local address resolution
pfsense is set up like this:
pfsense--WAN (public IP x)
       --OPT1 (public IP y/30)
Connected to OPT1 is client's cisco firewall which is NATing for a 172.21.50/23 subnet. Their dhcp is handing out pfsense's OPT1 address as DNS server, and pfsense is running DNS forwarder. This works well, but I see a lot of this in tcpdump:
12:16:56.091858 IP 172.21.253.1.52683 > 69.165.225.178.53: 55447+ SOA? 166.50.21.172.in-addr.arpa. (44)
12:16:57.104593 IP 172.21.253.1.52683 > 69.165.225.178.53: 55447+ SOA? 166.50.21.172.in-addr.arpa. (44)
12:16:58.118720 IP 172.21.253.1.52683 > 69.165.225.178.53: 55447+ SOA? 166.50.21.172.in-addr.arpa. (44)
12:17:00.130979 IP 172.21.253.1.52683 > 69.165.225.178.53: 55447+ SOA? 166.50.21.172.in-addr.arpa. (44)
12:17:04.140636 IP 172.21.253.1.52683 > 69.165.225.178.53: 55447+ SOA? 166.50.21.172.in-addr.arpa. (44)
12:17:08.150841 IP 172.21.253.1.64392 > 69.165.225.178.53: 20581+ SOA? 172.50.21.172.in-addr.arpa. (44)
12:17:09.162988 IP 172.21.253.1.64392 > 69.165.225.178.53: 20581+ SOA? 172.50.21.172.in-addr.arpa. (44)
12:17:10.177054 IP 172.21.253.1.64392 > 69.165.225.178.53: 20581+ SOA? 172.50.21.172.in-addr.arpa. (44)
12:17:12.189584 IP 172.21.253.1.64392 > 69.165.225.178.53: 20581+ SOA? 172.50.21.172.in-addr.arpa. (44)
12:17:16.198448 IP 172.21.253.1.64392 > 69.165.225.178.53: 20581+ SOA? 172.50.21.172.in-addr.arpa. (44)
12:17:20.210048 IP 172.21.253.1.62240 > 69.165.225.178.53: 5700+ SOA? 175.50.21.172.in-addr.arpa. (44)
12:17:21.221601 IP 172.21.253.1.62240 > 69.165.225.178.53: 5700+ SOA? 175.50.21.172.in-addr.arpa. (44)
12:17:22.235856 IP 172.21.253.1.62240 > 69.165.225.178.53: 5700+ SOA? 175.50.21.172.in-addr.arpa. (44)
12:17:24.247893 IP 172.21.253.1.62240 > 69.165.225.178.53: 5700+ SOA? 175.50.21.172.in-addr.arpa. (44)
12:17:28.256892 IP 172.21.253.1.62240 > 69.165.225.178.53: 5700+ SOA? 175.50.21.172.in-addr.arpa. (44)
12:17:32.267370 IP 172.21.253.1.53081 > 69.165.225.178.53: 32343+ SOA? 177.50.21.172.in-addr.arpa. (44)
12:17:33.280650 IP 172.21.253.1.53081 > 69.165.225.178.53: 32343+ SOA? 177.50.21.172.in-addr.arpa. (44)
172.21.253.1 is the Windows DNS server on the client's network which they were using, but won't be using for this subnet in the future. The DNS server option was changed in DNS just a few hours short of 7 days ago, and dhcp leases are 1 week, so I suppose it's possible but not likely that there are dhcp clients active on that network that are still using (or trying to use) the old DNS server. So I'm just wondering exactly what these packets are about and whether I should be concerned at all for proper DNS function. I did a bit of searching on SOA DNS but no lights are going on for me yet.
db
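Added example, not part of the original message: a reader for tcpdump DNS query lines in the layout shown above that groups repeats of the same query (same source port, query ID and name), reports the whole-second gaps between attempts, and turns each in-addr.arpa name back into the address being asked about. The function names are hypothetical, the sample lines are copied from the capture in the message, and 172.21.50.0/23 is this example's reading of the "172.21.50/23" subnet named there.

```python
import ipaddress
import re

# Assumption: the message's "172.21.50/23" written out in full.
NAT_SUBNET = ipaddress.ip_network("172.21.50.0/23")

# tcpdump query line: <time> IP <src>.<sport> > <dst>.<dport>: <id><flags> <type>? <name> (<len>)
QUERY_RE = re.compile(
    r"^(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2}\.\d+)\s+IP\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+"
    r"(?P<qid>\d+)(?P<flags>[^\s\d]*)\s+(?P<qtype>[A-Za-z0-9]+)\?\s+"
    r"(?P<qname>\S+)\s+\((?P<len>\d+)\)\s*$"
)


def ptr_name_to_ip(qname):
    """Map 'd.c.b.a.in-addr.arpa.' to IPv4Address('a.b.c.d'); None if not one."""
    name = qname.rstrip(".").lower()
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    labels = name[: -len(suffix)].split(".")
    if len(labels) != 4:
        return None
    try:
        return ipaddress.IPv4Address(".".join(reversed(labels)))
    except ValueError:
        return None


def group_retries(lines):
    """Group identical queries and describe each group, in first-seen order."""
    groups = {}
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if not m:
            continue  # not a DNS query line in this layout
        t = int(m["h"]) * 3600 + int(m["m"]) * 60 + float(m["s"])
        key = (m["src"], int(m["sport"]), int(m["qid"]), m["qtype"], m["qname"])
        groups.setdefault(key, []).append(t)

    report = []
    for (src, sport, qid, qtype, qname), times in groups.items():
        times.sort()
        ip = ptr_name_to_ip(qname)
        report.append({
            "src": src, "sport": sport, "qid": qid, "qtype": qtype,
            "asked_about": str(ip) if ip else None,
            "in_nat_subnet": ip in NAT_SUBNET if ip else False,
            "attempts": len(times),
            # Gaps rounded to whole seconds to expose the retry schedule.
            "gaps": [round(b - a) for a, b in zip(times, times[1:])],
        })
    return report


SAMPLE_CAPTURE = """\
12:16:56.091858 IP 172.21.253.1.52683 > 69.165.225.178.53: 55447+ SOA? 166.50.21.172.in-addr.arpa. (44)
12:16:57.104593 IP 172.21.253.1.52683 > 69.165.225.178.53: 55447+ SOA? 166.50.21.172.in-addr.arpa. (44)
12:16:58.118720 IP 172.21.253.1.52683 > 69.165.225.178.53: 55447+ SOA? 166.50.21.172.in-addr.arpa. (44)
12:17:00.130979 IP 172.21.253.1.52683 > 69.165.225.178.53: 55447+ SOA? 166.50.21.172.in-addr.arpa. (44)
12:17:04.140636 IP 172.21.253.1.52683 > 69.165.225.178.53: 55447+ SOA? 166.50.21.172.in-addr.arpa. (44)
12:17:08.150841 IP 172.21.253.1.64392 > 69.165.225.178.53: 20581+ SOA? 172.50.21.172.in-addr.arpa. (44)
12:17:09.162988 IP 172.21.253.1.64392 > 69.165.225.178.53: 20581+ SOA? 172.50.21.172.in-addr.arpa. (44)
12:17:10.177054 IP 172.21.253.1.64392 > 69.165.225.178.53: 20581+ SOA? 172.50.21.172.in-addr.arpa. (44)
12:17:12.189584 IP 172.21.253.1.64392 > 69.165.225.178.53: 20581+ SOA? 172.50.21.172.in-addr.arpa. (44)
12:17:16.198448 IP 172.21.253.1.64392 > 69.165.225.178.53: 20581+ SOA? 172.50.21.172.in-addr.arpa. (44)
""".splitlines()

if __name__ == "__main__":
    for entry in group_retries(SAMPLE_CAPTURE):
        print(entry)
```

On these lines each query is sent five times under one ID at gaps of 1, 1, 2 and 4 seconds, the pattern of a sender retrying a query it has not had an answer to, and every name decodes to an address inside the NATed subnet.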
Re: [pfSense Support] ath0: ath_rx_proc: no mbuf!
On Sun, Nov 28, 2010 at 3:07 PM, Cyril Jaquier wrote:
> I searched the pfsense forum and found someone with
> a similar issue. ermal suggested to disable the shaper on the wireless
> interface. This seems to fix the problem for me.
>
> Is this a known bug? Any better workaround than disabling the shaper?
I don't use wireless with pfsense, so I'm not sure if my situation is related, but my mbuf numbers also climb steadily. After a reboot it starts around 700. Presently at almost 10 days uptime, my mbuf usage is 10142 /10890, although I don't see any negative symptoms that I could attribute to it. This is on 2.0 embedded, Nov 18 snap.
db
Re: [pfSense Support] how to manage 2 subnets for LAN ?
On 2010-11-19 9:56 AM, "Richard Amerman" wrote:
> I do this all the time and using a separate nic is simpler and easier to
> manage than an alias. Unless I am missing something, a vlan for this case is
> overkill.
I discussed this with the m0n0wall list back in '07 where cmb and others essentially said that it's a bad idea to run 2 subnets on a physical network, mostly for security reasons, I think. Given the option I would do the vlan thing, just for the added layer separating the hostile users from my stuff.
db
Re: [pfSense Support] how to manage 2 subnets for LAN ?
On Thu, Nov 18, 2010 at 3:51 PM, fi...@7technw.com wrote:
> Another easy solution is to just add another nic.
Not an option in this case. The OP described a wireless network where the client subnet and management subnet exist on the same physical network. You can't change that in this case, so your two options are to separate them virtually (vlans) or just run them on the same physical network. Yes, he could use another NIC and plug it into a switch along with the first NIC and the wireless network, but this still doesn't separate the two networks, and is no better than creating an alias on the existing NIC.
db
Re: [pfSense Support] how to manage 2 subnets for LAN ?
On Thu, Nov 18, 2010 at 3:11 PM, Adam Thompson wrote:
> I think the OP was referring to running two subnets concurrently on the
> same wire, something I often have to do for various reasons, sometimes to
> solve co-existence issues while renumbering a network. I have no idea how
> to accomplish this in pfSense; apparently I haven't had to do this since I
> started using pfSense!
In that case you can add an alias to the LAN interface. IIRC, you just run ifconfig appending 'alias' to the end. Don't quote me on it though. Get that working, then use shellcmd to make it stick across reboots. You will also want to check the box in the UI to suppress arp errors in the logs. vlans are still the preferred method if your radios support it. What brand are you using?
db
Re: [pfSense Support] how to manage 2 subnets for LAN ?
On Thu, Nov 18, 2010 at 12:39 PM, Fred Boiteux wrote:
> The different LAN subnets' trafic aren't VLAN tagged, and all traffic
> comes from one Ethernet port (from the nearest antenna), so I don't
> understand how VLAN could be used there ?
Most carrier-grade radios support tagging packets from the management interface, so client traffic comes through untagged and management happens on the management vlan.
db
Re: [pfSense Support] PfSense web not connect
On Sun, Nov 14, 2010 at 11:02 PM, Яков Тенилин wrote:
> get this message:An HTTP_REFERER was detected
> other than what is defined in System -> Advanced. $_SERVER['HTTP_REFERER'] .
> .You can disable this check if needed in System -> Advanced -> Admin.
> In administrative settings, this feature off, but no effect. When connecting
> from the LAN to the web interface, this message does not appear.
This is being discussed in the forum. It appears to be an unresolved bug in recent snapshots, and you can work around it by using the IP address to connect to the web UI.
http://forum.pfsense.org/index.php/topic,30053.0.html
db
Re: [pfSense Support] New to pfSense, need some advice
On Sun, Nov 7, 2010 at 10:43 PM, Neonicacid wrote:
> David,
>
> I don't have a single switch big enough to support all of the devices that I
> currently have on the network. The routers help with that by providing extra
> ports to connect devices with.
So the simplest way to accomplish this is to
a) get a switch with enough ports and attach it to the LAN, or
b) disable dhcp on both the wrt54g and befsr41 and just use the LAN ports, effectively using them both as switches, or
c) bridge all the OPT and LAN interfaces on pfsense, or
d) some combination of the above.
db
Re: [pfSense Support] New to pfSense, need some advice
On Sun, Nov 7, 2010 at 10:19 PM, Neonicacid wrote:
> My main issue with how it is set up right now is that File and Printer
> Sharing does not jump across the subnets, so none of the computers can
> communicate.
>
> Does anyone have any advice or solutions for this problem?

If you want all your computers to have access to each other then why don't you throw them all on a common LAN switch? Do you have a reason for having OPT1 and OPT2 interfaces and 3 routers?

db

Re: [pfSense Support] carp with bridge
On Thu, Oct 28, 2010 at 11:35 AM, Gerald Waugh wrote:
> We use bridging as the pfsense machine firewalls servers with public IP
> addresses. Clues on how to accomplish with routing appreciated.

You have a public subnet from your ISP, 1.1.1.0/24, for example. You get a static IP from your ISP that is outside your subnet, 2.2.2.1, for example. Your ISP has to route your subnet to your static IP.

On pfsense:
WAN is 2.2.2.1
LAN is 1.1.1.1/24
dhcp server on LAN (if desired) gives out 1.1.1.2 - 1.1.1.254

Did I understand your question correctly? Or is this somehow more complicated when carp is involved?

db

Re: Re: [pfSense Support] networked file systems
On Wed, Oct 27, 2010 at 5:59 PM, Adam Thompson wrote:
> If you want to take advantage of Linux' TRIM support, you should be
> using NFS. TRIM support (AFAIK) requires underlying knowledge of the
> filesystem or at least the block allocation... iSCSI hides all of those
> details, as it merely exposes one large chunk of disk blocks to the
> client.

Thanks for pointing that out. That may have crossed my mind once, but I had forgotten about that.

db

Re: [pfSense Support] networked file systems
On Wed, Oct 27, 2010 at 4:00 PM, Nathan Eisenberg wrote:
> iSCSI is relatively excellent - and as a block device, has great performance.
> I've had less than pleasing results with AOE in several different use-cases.
>
> If you want to share the cache across multiple firewalls, NFS is your only
> real choice of the 3.

I don't plan to access it other than from pfsense. I'm moving it external simply because I'm a lot more comfortable handling my SSD from Linux than I would be from pfsense. I'm referring specifically to TRIM support, IO schedulers and partition alignment.

TRIM, I'm pretty sure, is not present in pfsense (not sure about FreeBSD). I know nothing at all about IO schedulers in FreeBSD. I've done some research on partition alignment using fdisk and disklabel, and although it appears doable, I'm left not knowing if I've actually done it right in pfsense. All these are non-issues for me in Linux.

nfs is no problem for me to set up, but from what I've read I expected iSCSI and AOE to perform better under load. I'm surprised to read that you had poor results with AOE. I've never used it, but the theory appears to be sound.

Can anybody tell me how hard it would be to turn pfsense into an iSCSI initiator?

db

[pfSense Support] networked file systems
After some contemplation I think I would like to run squid on my pfsense box, but mount the squid cache directory (/var/squid) on an external host. After some research, I believe the following options would provide the best performance with the least overhead, in descending order:

1. AoE http://en.wikipedia.org/wiki/ATA_over_Ethernet
2. iSCSI http://en.wikipedia.org/wiki/ISCSI
3. nfs http://en.wikipedia.org/wiki/Network_File_System_(protocol)

I believe pfsense has nfs client ability natively, so no problem there. According to wikipedia, FreeBSD can be an iSCSI initiator, while AoE support on FreeBSD is 3rd party and out of date.

pfsense and the FS host will be on the same ethernet, so connectivity is not an issue here.

Any thoughts from the list?

db

Re: [pfSense Support] LAGG Question
On Tue, Oct 26, 2010 at 9:09 AM, James Bensley wrote:
> can the pfSense box handle incoming balancing this
> way as well as out going?

Incoming load balancing in pfsense is different from outgoing load balancing. It allows you to have more than one server on your internal networks responding to incoming connections on a single interface. For example, if your WAN is taking http requests on port 80 from the internet, inbound load balancing allows you to forward those requests to multiple web servers on your LAN, OPT1, etc.

Outbound load balancing of course can be configured to route packets from your internal networks out via multiple WANs. The natural result of this is that return packets will come back via the same WAN interface they went out on. Some protocols, including http and bittorrent, are very efficient at making use of all your available bandwidth due to generating multiple parallel sessions, which pfsense will balance across the available gateways.

db

Re: [pfSense Support] LAGG Question
On Mon, Oct 25, 2010 at 9:33 AM, James Bensley wrote:
> Thanks guys for your responses, I will look into MLPPP but in the mean
> time, with regards to load balancing; Again, how does this work in
> pfSense?

For 1.2: http://doc.pfsense.org/index.php/MultiWanVersion1.2
For 2.0: http://forum.pfsense.org/index.php/topic,10407.0.html

Note that there seems to be some confusion as to whether you can do multiwan in 2.0 if more than one interface uses the same gateway (it definitely won't work in 1.2). Drop a NAT router between pfsense and the redundant gateway to overcome this limitation.

> pfSense doesn't allow you to configure an IP address, mask and gateway
> for every interface on the box, only the interfaces assigned as LAN
> and WAN.

Not so. See the guides linked above.

> So if I group some interfaces together as a load balancing
> LAG group the bonded interfaces aren't going to do anything?

Not as a LAG group, as a gateway group. The guide is good. Let us know how you make out.

db

Re: [pfSense Support] LAGG Question
On Mon, Oct 25, 2010 at 6:53 AM, James Bensley wrote:
> Hello Everybody :)
>
> I would like to use the LAGG to bond multiple ADSL lines for a faster,
> more reliable internet access (using LACP).

LAGG acts by bonding multiple interfaces at layer 2. You're trying to bond a pair of interfaces at layer 3. There's a fundamental gap there that you're not going to overcome. You may as well ask how you can bond two DSL lines using just em1; you can't.

As Steve said, your best bet is mlppp, but if your ISP doesn't support that, then load balancing will have to do.

db

Re: [pfSense Support] Cannot achieve 100 mbps Full Duplex (C2D, Intel NICs)
On Thu, Oct 21, 2010 at 12:06 PM, Christian Borchert wrote:
> I have tried this network card in another machine (HP Core 2 Quad) and it
> works perfectly under the same test conditions.

I have limited experience with Dell servers, but I have found some of their newer laptops (Vostro and Latitude) are absolutely atrocious for IO, constantly stuttering mouse pointer, keyboard and sound, for no obvious reason. This is with good hard drives, lots of RAM, page file disabled, speedboot enabled, Windows and Linux, etc... I have reached the conclusion that there is something terribly flawed with the way their hardware is configured.

Sorry to be a wet blanket. I hope you find a solution to your problem. :P

db

[pfSense Support] archives incomplete?
Why is it that when I browse the list archives for this month (gmane and marc), I only see 2 threads? Specifically I'm looking for a link to the ongoing discussion started by Luke Jaeger on script-heavy sites, and I don't see it there. Likewise, when I search the archive for his name I get no hits.

Is there an update delete in the archives? Am I doing it wrong?

Thanks.

db

Re: [pfSense Support] 2.0-BETA4 - Admin logout link?
On Sat, Oct 9, 2010 at 9:53 PM, Yehuda Katz wrote:
> I just installed 2.0-BETA4, logged in as admin, and created a new user.
> I have not been able to find a logout link so I can try using that user.
> Is it there and I just don't see it or is it really not there?
> - Yehuda

Under the first menu on the left.

db

Re: [pfSense Support] Siproxd
On Wed, Oct 6, 2010 at 4:46 AM, belkhiria aymen wrote:
> Hi,
> I need to configure siproxd as Sip proxy for external users.

I don't think siproxd is designed for this, nor is it necessary.

db

Re: [pfSense Support] How do I break down a /22 into smaller subnets to use behind(LAN) side of my pfsense box
On Mon, Oct 4, 2010 at 5:19 PM, Chris Flugstad wrote:
> -how do I break up the large block into smaller blocks

Like this?

http://www.vlsm-calc.net/

db

Re: [pfSense Support] BLOCK IP or ALIAS firewall rule not blocking traffic
On Wed, Sep 22, 2010 at 5:30 PM, Chris Flugstad wrote:
> I did what i needed to do for the time being though. much appreciated.

And that, ladies and gentlemen, is what we call poaching the solution ;)

If this list ran on a points system I would get a flogging now.

db

Re: [pfSense Support] BLOCK IP or ALIAS firewall rule not blocking traffic
On Wed, Sep 22, 2010 at 5:14 PM, Chris Flugstad wrote:
> wan rules
> proto source port dest
> port gw
> block * 216.127.61.72 * *
> * *
>
> lan rules
> block * * * 216.127.61.72

Although you weren't explicit, I got the impression that the host you are trying to block is local to you. If so, then you need to reverse your interfaces OR reverse the source/dest IP addresses.

If on the other hand 216.127.61.72 is an internet host that you're trying to detach from your network, then your rules look good.

db

Re: [pfSense Support] Allow Traffic Between Interfaces
On Sat, Sep 18, 2010 at 10:11 PM, Ron Lemon wrote:
> Hi David,
>
> I have switched the rules but I am still unable to ping 10.0.1.100 from any
> machine in 10.0.0.0 / 24

Just to be sure, I have attached (I hope it makes it through) a screenshot of the rule you should have on your LAN interface. You should have a similar one on OPT1 with the source and destinations reversed.

> I hope I have this correct now.

Looks right to me. If your firewall rule is correct and you're still receiving no ping response then you'll need to check a couple things.

1. Is the receiving host set to respond to pings? i.e., no Windows firewall preventing it?

2. Do both hosts know that pfsense is the gateway and the default route? If 10.0.1.100 receives a ping from 10.0.0.200 and wants to respond, it has to know where to route the response. Because 10.0.0.200 is not on its subnet (and you haven't given it a static route), it will send its response via the default route, so this needs to be the OPT1 interface of pfsense. If you have dhcp service enabled on OPT1 and your OPT1 hosts are getting their address via dhcp, then this is already happening.

3. If you don't want OPT1 to be the default route for the hosts on that subnet, then you must arrange static routes for those hosts, or enable outbound NAT from LAN to OPT1.

db

Re: [pfSense Support] Allow Traffic Between Interfaces
On Sat, Sep 18, 2010 at 8:54 PM, Ron Lemon wrote:
> Action: Pass
> Interface: LAN
> Protocol: any (I assume this also include ICMP???)
> Source: Single Host (10.0.1.100)
> Destination: Network (10.0.0.0 / 24)
> Gateway: default
>
> To me this means that 10.0.1.100 can talk to any machine in the 10.0.0.0 / 24
> network about anything (ping, ftp, www, ldap, etc)

Almost. In your original post you said that 10.0.1.100 is on OPT1. pfsense's firewall rules operate on packets entering the chosen interface. The rule above doesn't do anything until you change "LAN" to "OPT1".

> On OPT1 tab I have
>
> Action: Pass
> Interface: OPT1
> Protocol: any (I assume this also include ICMP???)
> Source: Network (10.0.0.0 / 24)
> Destination: Single Host (10.0.1.100)
> Gateway: default
>
> To me this means that any machine in the 10.0.0.0 / 24 network can talk to
> 10.0.1.100 about anything (ping, ftp, www, ldap, etc)

As you may have guessed by now, if you change "OPT1" in the above rule to "LAN" I think you will be in business.

Note also that in your original post you didn't say whether you wanted 10.0.1.100 to talk to LAN hosts. If not, then your first rule is not wanted. (if a LAN host connects to 10.0.1.100, it will be allowed to respond, as pfsense is stateful.)

Hope that helps.

db

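The rule-direction point made in the reply above, as an added example that is not part of the original message and is not pfSense's own code: a simplified Python model of per-interface ingress filtering with state tracking. The subnets and addresses come from the thread; the Rule and Firewall classes, the function names, and keying state on address pairs only (real pf also tracks protocol and ports) are assumptions for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Topology from the thread: LAN hosts in 10.0.0.0/24, OPT1 hosts in 10.0.1.0/24.
INTERFACES = {"LAN": ip_network("10.0.0.0/24"), "OPT1": ip_network("10.0.1.0/24")}


@dataclass(frozen=True)
class Rule:
    """A pass rule; it is only consulted for packets ENTERING `interface`."""
    interface: str
    src: str  # CIDR
    dst: str  # CIDR


class Firewall:
    """Default-deny filter: ingress rules per interface plus a state table."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.states = set()  # (initiator, responder) pairs of allowed flows

    @staticmethod
    def ingress_interface(src):
        # Assumption: a packet enters on the interface whose subnet holds its source.
        for name, net in INTERFACES.items():
            if ip_address(src) in net:
                return name
        return None

    def handle(self, src, dst):
        # Packets belonging to an existing state pass without a rule lookup.
        if (src, dst) in self.states or (dst, src) in self.states:
            return "pass (state)"
        iface = self.ingress_interface(src)
        for r in self.rules:
            if (r.interface == iface
                    and ip_address(src) in ip_network(r.src)
                    and ip_address(dst) in ip_network(r.dst)):
                self.states.add((src, dst))
                return "pass (rule)"
        return "block"


def as_posted():
    # Rules as quoted in the thread: each sits on the interface the traffic LEAVES by.
    return Firewall([Rule("LAN", "10.0.1.100/32", "10.0.0.0/24"),
                     Rule("OPT1", "10.0.0.0/24", "10.0.1.100/32")])


def corrected():
    # Interfaces swapped so each rule sits where its source traffic enters.
    return Firewall([Rule("OPT1", "10.0.1.100/32", "10.0.0.0/24"),
                     Rule("LAN", "10.0.0.0/24", "10.0.1.100/32")])


def lan_rule_only():
    # Only LAN may initiate; 10.0.1.100 can answer but not start a connection.
    return Firewall([Rule("LAN", "10.0.0.0/24", "10.0.1.100/32")])


if __name__ == "__main__":
    for name, build in (("as posted", as_posted), ("corrected", corrected)):
        fw = build()
        print(name, "| request:", fw.handle("10.0.0.200", "10.0.1.100"),
              "| reply:", fw.handle("10.0.1.100", "10.0.0.200"))
```
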
Re: [pfSense Support] Allow Traffic Between Interfaces
On Sat, Sep 18, 2010 at 9:59 AM, Ron Lemon wrote:
> On LAN interface I created PASS on LAN for ANY protocol from 10.0.1.100 / 32
> (Single Host) on any port to network 10.0.0.0 / 24
>
> On LAN interface I created PASS on LAN for ANY protocol from 10.0.1.101 / 32
> (Single Host) on any port to network 10.0.0.0 / 24

Looks like your "from" addresses need to be "to" addresses.

db

Re: [pfSense Support] Write 512MB image onto 4GB CF-card ?
On Fri, Sep 17, 2010 at 2:45 AM, Michel Servaes wrote:
> Thanks for the explaining - don't know if this dane-elec has
> wear-levelling though (I'd suspect they would mention this, if it was)

My understanding with SSDs (no idea if CFs are the same way) is that wear-levelling works with available formatted area as well as unpartitioned space. Or having read all the SSD articles on anandtech in the last couple years I have the belief that the fuller your drive is the quicker you will defeat its wear-levelling benefits.

db

[pfSense Support] Broadcom opens Linux wireless drivers
So will this benefit the FreeBSD crowd any time soon?

http://www.osnews.com/story/23786/BREAKING_BROADCOM_OPEN_SOURCES_WIRELESS_DRIVERS

db

Re: [pfSense Support] power-out and Alix-boards
On Thu, Sep 9, 2010 at 3:12 PM, Bob Gustafson wrote:
> I don't know the significance of 'embedded' in the context of CF cards.

Sorry, I meant to say I was paraphrasing Beat, not Bob.

The pfsense embedded version, which is recommended for CF installs, mounts the filesystem read-only, and remounts it read-write when making config changes or committing RRD graphs to the CF. My point was that Michel need not worry about his mount options if he is running the embedded version, as it takes care of this.

db

Re: [pfSense Support] power-out and Alix-boards
On Thu, Sep 9, 2010 at 2:26 PM, Michel Servaes wrote:
> I am a bit worried about the fact that the CF card should be set read-only.

If I may paraphrase Bob, I thought he was meaning that "because/if you are using the embedded version, the problem you describe must be due to some other contributing factor".

db

Re: [pfSense Support] PFsense 2.0 roadmap
On Wed, Sep 8, 2010 at 11:42 AM, Tonix (Antonio Nati) wrote:
> Thanks... I see no dates at all.
>
> About 2.0, I see no documentation around. Is there a list where to ask for
> 2.0 features explained?

Generally speaking, the forum is where most discussion around 2.0 happens, from what I have seen.

db

Re: [pfSense Support] Over 2GB File can not copy LAN to WAN Pfsense
On Tue, Sep 7, 2010 at 10:34 AM, Bradley D. Thornton wrote:
> I thought there was about a 2GByte file size limit on Ext2 File systems too.

Not according to wikipedia, however "There are also many userspace programs that can't handle files larger than 2 GB."

http://en.wikipedia.org/wiki/Ext2#File_system_limits

db