Re: [pfSense Support] pfsense as wireless AP
> I was just wondering how to go about setting up pfSense as a wireless AP. Currently, I have 2 wired NICs (1 for WAN, 1 for LAN) and they both work fine. I added the wireless card and the system detected it and everything, but I'm having problems getting it to function how I want to. Sometimes (I think when I bridge it to an interface) I can connect to the wireless NIC from my notebook (and get a DHCP lease), but I cannot get internet connectivity. I was wondering if I need to bridge it to a specific interface, or if I possibly have to mess with the firewall rules to get this to work properly. Anyone who has a setup similar to what I am trying to achieve, please let me know how you did it. Any other advice is welcome as well.

I have a similar setup but no bridging going on (never tried that, not real comfortable bridging WiFi onto LAN - security ... and no, not pfSense security). All detected and worked well without complication. I use a Netgear WAG311 (Atheros based) and just create a zone for dedicated WiFi users (AP setup), and add rules to allow/deny WAN/WiFi, WiFi/LAN and LAN/WiFi comms (or whatever granularity you need).

- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
[pfSense Support] DHCP Static Clients
I have about 175-200 static clients (contractors) in the DHCP configuration page and have a need to disable about 40 (communication on this segment is restricted by "Deny unknown clients"). I was wondering if you can edit the /var/dhcpd/etc/dhcpd.conf file directly to delete these 40 entries in bulk. Should I stop the server daemon first, then edit the file, or is this even possible given the config file is created from PHP scripts?

--
David L. Strout
Engineering Systems Plus, LLC
Re: Re: [pfSense Support] DHCP Static Clients
That doesn't seem to work either ... when the box is restarted or the service restarted the removed entries re-appear.

>> wondering if you can edit the /var/dhcpd/etc/dhcpd.conf file directly to delete these 40 entries in bulk
>
> I'd download the config file via the web interface for the DHCP component, edit that, then upload it back. I wouldn't trust editing files directly on the file system to stick across reboot.
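The download / edit / upload route suggested above, as an added example that is not code from the thread or from pfSense: a script that removes a list of static mappings from a downloaded config.xml so the edited file can be uploaded back, instead of touching the generated dhcpd.conf that the thread found does not survive a restart. The layout `<pfsense><dhcpd><lan><staticmap>` with `<mac>`, `<ipaddr>` and `<hostname>` children is an assumption about the config format, and the sample config, MACs and hostnames are constructed. It also reports whether "deny unknown clients" is set, because with that flag every mapping removed is also a host locked out of the segment.

```python
"""Bulk-remove DHCP static mappings from a downloaded pfSense config.xml.

Added example, not code from the thread or from pfSense. Assumed layout:
<pfsense><dhcpd><lan><staticmap> with <mac>, <ipaddr>, <hostname>.
The sample config below is constructed for illustration.
"""
import xml.etree.ElementTree as ET

# Constructed sample in the assumed layout (three contractor hosts).
SAMPLE_CONFIG = """\
<pfsense>
  <dhcpd>
    <lan>
      <enable/>
      <denyunknown/>
      <range><from>192.168.1.100</from><to>192.168.1.199</to></range>
      <staticmap><mac>00:11:22:33:44:01</mac><ipaddr>192.168.1.10</ipaddr><hostname>contractor01</hostname></staticmap>
      <staticmap><mac>00:11:22:33:44:02</mac><ipaddr>192.168.1.11</ipaddr><hostname>contractor02</hostname></staticmap>
      <staticmap><mac>00:11:22:33:44:03</mac><ipaddr>192.168.1.12</ipaddr><hostname>contractor03</hostname></staticmap>
    </lan>
  </dhcpd>
</pfsense>
"""


def _scope(root, interface):
    """The <dhcpd><interface> element, or an error if that interface has no DHCP config."""
    scope = root.find(f"./dhcpd/{interface}")
    if scope is None:
        raise ValueError(f"no DHCP config for interface {interface!r}")
    return scope


def deny_unknown_enabled(config_xml, interface="lan"):
    """True when the DHCP server on this interface rejects MACs without a mapping.
    With this set, every mapping removed below also locks that host out."""
    return _scope(ET.fromstring(config_xml), interface).find("denyunknown") is not None


def static_map_macs(config_xml, interface="lan"):
    """MAC addresses (lower-cased) of the remaining static mappings, in file order."""
    scope = _scope(ET.fromstring(config_xml), interface)
    return [(sm.findtext("mac") or "").lower() for sm in scope.findall("staticmap")]


def remove_static_maps(config_xml, macs_to_drop, interface="lan"):
    """Drop <staticmap> entries whose <mac> is in macs_to_drop.

    Returns (new_xml, removed_macs). MACs are compared case-insensitively and
    MACs that are not in the config are ignored, so a list pasted from a
    spreadsheet can be applied as-is.
    """
    root = ET.fromstring(config_xml)
    scope = _scope(root, interface)
    drop = {m.strip().lower() for m in macs_to_drop}
    removed = []
    for sm in list(scope.findall("staticmap")):  # copy: the tree is mutated while iterating
        mac = (sm.findtext("mac") or "").lower()
        if mac in drop:
            scope.remove(sm)
            removed.append(mac)
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    to_drop = ["00:11:22:33:44:02", "00:11:22:33:44:03", "aa:bb:cc:dd:ee:ff"]
    new_xml, gone = remove_static_maps(SAMPLE_CONFIG, to_drop)
    print("removed:", gone)
    print("left:", static_map_macs(new_xml))
    print("deny unknown clients:", deny_unknown_enabled(new_xml))
```

Run it against the real file by reading the downloaded config.xml into `remove_static_maps` and writing the returned string back out before uploading; the serialisation drops the XML declaration, so re-add it if the importer insists on one.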
Re: [pfSense Support] i just can't succeed in upgrading anymore...
Try using the console upgrade method (option 13) ... I had the very same issues w/ a Soekris box some time ago and the console option was the only way I could get that box to upgrade.

> Then last night I decided to upgrade this box to RC2. The web-based upgrade seemed to do nothing -- the browser kept timing out or getting network disconnects. It was strange. So I uploaded the firmware to the /tmp MFS partition. About 80% into the upload, the console showed a kmem_malloc panic and rebooted. So then I uploaded the firmware to the /root directory. I ran the command line upgrade from the main menu, but after a while started getting disk full errors again. Since I was still up and running, I tried to move the firmware file to /tmp and re-run it, but after the move when I did an ls -l the system again rebooted on kmem_malloc panic. Unfortunately it scrolled off the history buffer of my console window so I don't have the exact message. Once again, I had to flash the firmware and restore.
[pfSense Support] RE: Enable ssh access on WAN
> 1) is it possible to enable ssh access on WAN? If yes, how?

It is enabled on all IPs ... just create a rule on the WAN to allow it.

> 2) is it possible to change port number on WAN side to keep out automated ip-scanner?

Setup is in the System: Advanced Functions page ... there you can enable it on a non-standard port (BTW this is a global setting).

On an added note ... if you really need sshd to listen on specific interfaces you can manually edit /etc/ssh/sshd_config and add a ListenAddress directive, then restart sshd. Here's how:

INITIAL SETUP:
Set up your ssh in the [System: Advanced functions] page w/ your custom port. I like to use 212 {IEEE - ATEXSSTR port}, but you can choose MOST any TCP port; another good candidate is TCP 2120 {IEEE - Quick Eagle Networks CP port}.

ENSURE THAT SSHD IS RUNNING AND LISTENING:

  # netstat -an | grep -v grep | grep 212
  tcp4  0  0  *.212  *.*  LISTEN

THEN EDIT THE SSHD CONFIG, ADD THE ListenAddress LINE(S):

  # vi /etc/ssh/sshd_config
  ~
  #
  # LAN ADDRESS
  ListenAddress 192.168.0.100
  # WLAN ADDRESS
  ListenAddress 10.10.10.100
  #
  ~

SAVE THE FILE AND FIND THE PID FOR SSHD:

!! NOTE !! DO NOT use pkill -HUP sshd or you WILL knock yourself off the box. HUP only the parent listener (the plain /usr/sbin/sshd process), not the per-session "sshd: user (sshd)" children.

  # ps -xu | grep -v grep | grep sshd
  root  64984  0.0  0.2  3064  2580  ??  Is  9:21AM  0:00.01  /usr/sbin/sshd
  root  65028  0.0  0.3  5744  2752  ??  Ss  9:21AM  0:00.27  sshd: [EMAIL PROTECTED] (sshd)
  # kill -HUP 64984

NOW CHECK TO SEE IF THE NEW LISTENERS HAVE TAKEN:

  # netstat -an | grep -v grep | grep 212
  tcp4  0  0  192.168.0.100.212  *.*  LISTEN
  tcp4  0  0  10.10.10.100.212   *.*  LISTEN

ADDITIONAL NOTES:
- Rules serve as the starting point for allowing service interaction.
- If ssh is enabled on the WAN (NOT AT ALL recommended !!!) use keys.

--
David L. Strout
Engineering Systems Plus, LLC
Re: Re: [pfSense Support] RE: Enable ssh access on WAN
> I've followed your instructions and I had to change some commands.
>
>> THEN EDIT THE SSHD CONFIG
>
> I had this idea: have standard port no. 22 for trusted LAN and a non-standard port for untrusted WAN (e.g. Internet). I read the man documentation and I changed /etc/ssh/sshd_config by adding these three lines:
>
>   # additional SSH port
>   Port xyz
>   ListenAddress aa.bb.cc.dd
>
> ...where aa.bb.cc.dd is a LAN IP

Yup, you can do that too.

> pkill didn't work on my pfSense. I had to use:

What version of pfS are you using? I have the latest 1.2 SNAP-7-21 loaded and pkill is in that build. Not sure if it just made its way in recently or if it has been there. I'd assume that it has been there as it is a pretty common *NIX util/app.

> The main problem I've seen while I was trying this customization on the pfSense test machine is that
> What do I have to modify to make those changes permanent?

Changes to this file are overwritten on every reboot or change to the Advanced settings page w/ a save. I suspect this will not be addressed in future releases as this is a one-off request and really has no real applicability ... IMHO. Remember this can all be accomplished by rules.

> An additional access to the pfSense machine from WAN poses a security risk, especially if not well configured, but I've the need to have an additional way to manage the pfSense machine even if all PCs in the network are shut down.
>
> Do you mean the following lines in sshd_config?

No, follow the instructions on public_key authentication ... a good source is PuTTY's site.

> In this case the problem seems to be these settings are inherited by the ssh LAN port, too.

Yes it does; that is by daemon design ... don't know of a way around that.

> It would be useful to have two config files

You'd have to run dual daemons in that case, one for LAN and one for WAN ... I don't see that happening.

> Thank you for your support!
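The three checks that the ListenAddress procedure above turns on (which sshd PID is safe to HUP, whether the listeners asked for in sshd_config actually came up, and whether an address outside the LAN is reachable while password logins are still allowed), as an added example that is not code from either post or from pfSense. It works on captured text from `ps`, `sshd_config` and `netstat -an` so it runs offline; the samples are constructed in the shape shown in the post, only plain IPv4 ListenAddress lines are handled, and the two LAN networks are assumptions.

```python
"""Checks for the sshd ListenAddress procedure discussed in the thread.

Added example, not from the thread or from pfSense. Samples are constructed;
LAN_NETS and the plain-IPv4 ListenAddress format are assumptions.
"""
import ipaddress

# Constructed `ps -xu | grep sshd` output in the shape shown in the post.
PS_SAMPLE = """\
root  64984 0.0 0.2 3064 2580 ?? Is 9:21AM 0:00.01 /usr/sbin/sshd
root  65028 0.0 0.3 5744 2752 ?? Ss 9:21AM 0:00.27 sshd: admin [priv] (sshd)
admin 65031 0.0 0.3 5744 2760 ?? S  9:21AM 0:00.05 sshd: admin@ttyp0 (sshd)
"""

# Constructed sshd_config fragment using the post's placeholder addresses.
SSHD_CONFIG_SAMPLE = """\
Port 212
#
# LAN ADDRESS
ListenAddress 192.168.0.100
# WLAN ADDRESS
ListenAddress 10.10.10.100
#
PasswordAuthentication yes
"""

# Constructed `netstat -an` output after the HUP.
NETSTAT_SAMPLE = """\
tcp4 0 0 192.168.0.100.212 *.* LISTEN
tcp4 0 0 10.10.10.100.212 *.* LISTEN
udp4 0 0 *.500 *.*
"""

# Assumed LAN-side networks; any other ListenAddress is treated as exposed.
LAN_NETS = [ipaddress.ip_network("192.168.0.0/24"), ipaddress.ip_network("10.10.10.0/24")]


def master_sshd_pid(ps_output):
    """PID of the listening sshd: its command is exactly /usr/sbin/sshd.
    Session children show as 'sshd: user ... (sshd)'; HUP-ing those is what
    knocks you off the box, so they are never returned."""
    for line in ps_output.splitlines():
        fields = line.split(None, 10)   # 11 columns: USER PID ... COMMAND (with spaces)
        if len(fields) == 11 and fields[10].strip() == "/usr/sbin/sshd":
            return int(fields[1])
    return None


def listen_directives(config_text):
    """Port / ListenAddress / PasswordAuthentication values from sshd_config text."""
    ports, addrs, pw_auth = [], [], None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "port":
            ports.append(int(value))
        elif key == "listenaddress":
            addrs.append(value)
        elif key == "passwordauthentication":
            pw_auth = value.lower()
    return {"ports": ports or [22], "addresses": addrs, "password_auth": pw_auth}


def expected_listeners(directives):
    """Each ListenAddress on each Port, written the way `netstat -an` prints it."""
    addrs = directives["addresses"] or ["*"]
    return sorted(f"{a}.{p}" for a in addrs for p in directives["ports"])


def missing_listeners(netstat_output, directives):
    """Expected listeners that netstat does not show in LISTEN state."""
    listening = set()
    for line in netstat_output.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0].startswith("tcp") and f[-1] == "LISTEN":
            listening.add(f[3])   # local address column, e.g. 192.168.0.100.212
    return [sock for sock in expected_listeners(directives) if sock not in listening]


def exposed_without_keys(directives, lan_nets=LAN_NETS):
    """ListenAddress entries outside the LAN nets while password auth is still on.
    An empty list means 'LAN only' or 'keys only', which is what the post asks for."""
    if directives["password_auth"] == "no":
        return []
    exposed = []
    for addr in directives["addresses"] or ["0.0.0.0"]:
        if addr in ("*", "0.0.0.0"):            # wildcard listener includes the WAN
            exposed.append(addr)
            continue
        ip = ipaddress.ip_address(addr)
        if not any(ip in net for net in lan_nets):
            exposed.append(addr)
    return exposed


if __name__ == "__main__":
    d = listen_directives(SSHD_CONFIG_SAMPLE)
    print("HUP this PID only:", master_sshd_pid(PS_SAMPLE))
    print("missing listeners:", missing_listeners(NETSTAT_SAMPLE, d))
    print("exposed with passwords on:", exposed_without_keys(d))
```

On the box itself the three inputs would come from `ps -xu`, `cat /etc/ssh/sshd_config` and `netstat -an`; the functions take the text so the same checks can be run from a saved console session after the fact.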
[pfSense Support] pf.c modulate/synproxy bug ?
I was browsing through the CVStrac and focused on 19088-19096. I use the synproxy feature for a few sites that have publicly accessible servers in a DMZ. I am just wondering if this patch was successfully merged in (looks like it was nailed on the 19096 attempt or maybe 19108, but I'm not sure) and should I upgrade. Currently I am at:

  1.2-TESTING-SNAPSHOT-07-21-2007 built on Mon Jul 23 15:13:34 EDT 2007

--
David L. Strout
Engineering Systems Plus, LLC
[pfSense Support] Enable ssh access on WAN
> 1) is it possible to enable ssh access on WAN? If yes, how?

It is enabled on all IPs ... just create a rule on the WAN to allow it.

> 2) is it possible to change port number on WAN side to keep out automated ip-scanner?

Setup is in the System: Advanced Functions page ... there you can enable it on a non-standard port (BTW this is a global setting).
Re: RE: [pfSense Support] routing over IPsec tunnel
I was just experimenting w/ NAT-T for NAT through IPsec. I searched the forum and mail-list and I see that it is being tested, but there is no implementation time frame. Is this a feature that might show up in 1.2 FINAL or is it too late to get a feature request in for 1.2?

Interesting. I have tried opening up the IPsec policy to ANY ANY on both the pfS1/2 boxes. I still see the traceroute (ICMP) packets heading to INET from NET1 when tracing to a NET4 address. Maybe a combo of IPsec policies and static routes??? Not quite sure, not having any luck in trying different combinations of configs.

--
David L. Strout
ENGINEERING SYSTEMS PLUS, LLC
[EMAIL PROTECTED]

-Original Message-
From: Matthew Grooms [mailto:[EMAIL PROTECTED]]
Sent: Saturday, July 07, 2007 2:30 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] routing over IPsec tunnel

David Strout wrote:
> I have a need to set up the following topology at several locations connected via VPN tunnels.
>
>   NET1--RTR1--NET2--pfS1--{INET}--pfS2--NET3--RTR2--NET4
>                          --IPsec TUNNEL--
>
>   NET1=10.10.10.0/24
>   NET2=192.168.100.0/24
>   NET3=192.168.200.0/24
>   NET4=10.10.20.0/24
>
> I have a VPN tunnel nailed up between the two pfS boxes w/ NET2 and NET3 on the LAN side. The pfS1 box has a static route to NET1 via RTR1 and pfS2 has a static route to NET4 via RTR2. The default route on NET1 and NET4 is RTR1 and RTR2 respectively, and RTR1 has a next hop of pfS1 and RTR2's next hop is pfS2. So now that you have your mind wrapped around that, here's the problem.
>
> In order for NET1 hosts to reach NET3/4 hosts OR NET4 hosts to reach NET1/2 hosts I am assuming there has to be some static routes on the pfS boxes. I added the following static route on pfS1:
>
>   10.10.20.0/24 {NET4} via 192.168.200.254 {RTR2's NET3 IP}
>
> I added the following static route on pfS2:
>
>   10.10.10.0/24 {NET1} via 192.168.100.254 {RTR1's NET2 IP}
>
> My assumption is that pfS1 knows about NET3 and pfS2 knows about NET2 via the tunnel. The problem is that when I traceroute from a host on NET1 to a host on NET4, pfS1 forwards the packets to the internet instead of sending them through the tunnel (and vice-versa from NET4 to NET1, pfS2 forwards the packets to the internet instead of through the tunnel). I even added routes to the RTR1/2 for the respective networks as well just to test with and still no go. I must be missing something simple here as I know that this can be done as this is just packet routing. Maybe I haven't had enough coffee yet. Any thoughts are greatly appreciated!!!

Static routes won't get you there. Think of IPSEC policies as an alternate end-to-end routing table that is used to determine what traffic will be tunneled to a distant peer. You will need to define separate policies to process traffic between multiple local and distant private networks. In other words, the following policies would be required for your setup ...

  NET1 - NET3
  NET3 - NET1
  NET1 - NET4
  NET4 - NET1
  NET2 - NET3
  NET3 - NET2
  NET2 - NET4
  NET4 - NET2

-Matthew
[pfSense Support] routing over IPsec tunnel
I have a need to set up the following topology at several locations connected via VPN tunnels.

  NET1--RTR1--NET2--pfS1--{INET}--pfS2--NET3--RTR2--NET4
                           --IPsec TUNNEL--

  NET1=10.10.10.0/24
  NET2=192.168.100.0/24
  NET3=192.168.200.0/24
  NET4=10.10.20.0/24

I have a VPN tunnel nailed up between the two pfS boxes w/ NET2 and NET3 on the LAN side. The pfS1 box has a static route to NET1 via RTR1 and pfS2 has a static route to NET4 via RTR2. The default route on NET1 and NET4 is RTR1 and RTR2 respectively, and RTR1 has a next hop of pfS1 and RTR2's next hop is pfS2. So now that you have your mind wrapped around that, here's the problem.

In order for NET1 hosts to reach NET3/4 hosts OR NET4 hosts to reach NET1/2 hosts I am assuming there has to be some static routes on the pfS boxes. I added the following static route on pfS1:

  10.10.20.0/24 {NET4} via 192.168.200.254 {RTR2's NET3 IP}

I added the following static route on pfS2:

  10.10.10.0/24 {NET1} via 192.168.100.254 {RTR1's NET2 IP}

My assumption is that pfS1 knows about NET3 and pfS2 knows about NET2 via the tunnel. The problem is that when I traceroute from a host on NET1 to a host on NET4, pfS1 forwards the packets to the internet instead of sending them through the tunnel (and vice-versa from NET4 to NET1, pfS2 forwards the packets to the internet instead of through the tunnel). I even added routes to the RTR1/2 for the respective networks as well just to test with and still no go. I must be missing something simple here as I know that this can be done as this is just packet routing. Maybe I haven't had enough coffee yet. Any thoughts are greatly appreciated!!!

--
David L. Strout
Engineering Systems Plus, LLC
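Matthew's point in the reply above, and the symptom in this original question, as an added example that is not code from the thread or from pfSense: the IPsec policy database is consulted before the routing table, so a flow either matches a configured (local, remote) phase 2 policy and is tunneled, or falls through to the default route and leaves for INET, which is exactly what the traceroute showed. The network names and addresses are the ones from the post; the "before" and "after" policy lists are constructed, and the model shows only pfS1's side (pfS2 needs the mirror-image four, which is why Matthew's list has eight entries).

```python
"""Which flows a set of IPsec phase 2 policies will tunnel, seen from pfS1.

Added example, not from the thread. Networks are the post's; the BEFORE and
AFTER policy lists are constructed to show the symptom and the fix.
"""
import ipaddress
from itertools import product

NETS = {
    "NET1": "10.10.10.0/24",
    "NET2": "192.168.100.0/24",
    "NET3": "192.168.200.0/24",
    "NET4": "10.10.20.0/24",
}


def required_policies(local_nets, remote_nets):
    """Every local x remote pair as (local, remote) names: one phase 2 policy each.
    The far end needs the same pairs with local and remote swapped."""
    return sorted(product(local_nets, remote_nets))


def policy_for(src, dst, policies):
    """First configured policy whose local/remote networks contain src/dst,
    or None, in which case the packet is handled by plain routing (and with
    the setup in the post, the default route sends it to INET)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for local, remote in policies:
        if src_ip in ipaddress.ip_network(NETS[local]) and dst_ip in ipaddress.ip_network(NETS[remote]):
            return (local, remote)
    return None


def missing_policies(configured, local_nets, remote_nets):
    """Required (local, remote) pairs not yet configured on this side of the tunnel."""
    have = set(configured)
    return [p for p in required_policies(local_nets, remote_nets) if p not in have]


# pfS1's view: NET1 and NET2 are local, NET3 and NET4 are behind the tunnel.
PFS1_LOCAL, PFS1_REMOTE = ["NET1", "NET2"], ["NET3", "NET4"]
# Constructed "before": only the LAN-to-LAN policy the tunnel was built with.
BEFORE = [("NET2", "NET3")]
# "After": the full set Matthew asks for, as seen from pfS1.
AFTER = required_policies(PFS1_LOCAL, PFS1_REMOTE)


if __name__ == "__main__":
    flow = ("10.10.10.5", "10.10.20.7")   # a NET1 host tracing to a NET4 host
    print("before:", policy_for(*flow, BEFORE))   # None: heads for INET
    print("missing on pfS1:", missing_policies(BEFORE, PFS1_LOCAL, PFS1_REMOTE))
    print("after:", policy_for(*flow, AFTER))
```

The static routes to NET1 and NET4 via RTR1/RTR2 are still needed for the return leg inside each site; what they cannot do is pull a NET1-to-NET4 flow into the tunnel, because that decision is made by the policy match above.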
[pfSense Support] Hub and spoke VPNs
I have several sites up and running on IPsec VPN. Aside from having an issue last week with the versions not being in sync and that causing several of the sites to initiate and then fail, I've had very few problems with this setup. As I continue to tune and secure these sites with policies I come to a question that I can't find a clear answer to ...

1. Which side of the tunnel is the initiator if both are set up the same, and is there an initiator w/ pfS?

2. When using the keep alive setting (auto ping host) is/should this be the inside interface of the remote tunnel? I have tried setting this to some non-assigned IP and the tunnel will collapse after about 10 minutes. If I leave this field blank (don't use keep alive) then the tunnel stays up for a longer period of time after initialization, but will collapse after roughly 28800 (the phase 1 lifetime).

--
David L. Strout
Engineering Systems Plus, LLC
RE: [pfSense Support] 1.2-BETA-2 released!
A good explanation about the date questions that are being asked:

http://pfsense.blogspot.com/2007/06/explanation-of-snapshot-file-name-dates.html

> Hi,
>
> I noticed that the 1.2-BETA-2 iso shows a build time in /etc/version.buildtime of Jul 2 20:10. However, the latest snapshot iso shows a version of 1.2-BETA-1-TESTING-SNAPSHOT-07-02-2007 and a build time of Jul 5 02:23. Is the snapshot version correct or should it read 1.2-BETA-2-?
>
> Gunter.
RE: [pfSense Support] 1.2-BETA-2 released!
I've noticed the version thing in the past in that they aren't always depicted correctly. I think they are working to correct this, but at the time they are busy with other more pressing matters. My question would be: is there a way to extract the build date/info from the iso/tgz files and name the SNAP server files accordingly?

BTW, I just did a command line upgrade and it shows 1.2-BETA-1 (built on Thu Jul 5). Is this the 1.2-BETA-2 or still BETA-1?

> Hi,
>
> I noticed that the 1.2-BETA-2 iso shows a build time in /etc/version.buildtime of Jul 2 20:10. However, the latest snapshot iso shows a version of 1.2-BETA-1-TESTING-SNAPSHOT-07-02-2007 and a build time of Jul 5 02:23. Is the snapshot version correct or should it read 1.2-BETA-2-?
>
> Gunter.
[pfSense Support] 1.2-BETA-2 location
I have been looking for the new BETA-2 and haven't found it. Do I have to do a full re-install to get to the BETA-2 ver.?

--
David L. Strout
Engineering Systems Plus, LLC
Re: [pfSense Support] VPN tunnel connects properly, but it frequently drops
I have had the same experience w/ the RV016 and pfSense. What is the exact version on the Linksys side (have you upgraded the firmware to the current?), and what build of 1.0.1 pfSense are you running? I'd move to the current 1.2-BETA SNAP and upgrade your Linksys to the current 2.0.17. I personally have had very little luck in connecting Linksys to anything but Linksys for VPN connectivity. I have gotten it to work in the lab and maintain its stability but under a high load situation it becomes very unstable and drops quite often.

> Hi,
>
> I have pfSense 1.0.1 version configured with OpenVPN on one site and a Dual WAN router (Linksys RV016) configured on the other site. VPN connection works fine. However, even though both the routers are configured to be on a Keep Alive status in reference to the VPN connectivity, still the VPN connection drops consistently. Please let me know for any further details you want from me to resolve this issue. Any help from your side would really be appreciated.
>
> Thanks
> Regards,
> Vidit Gupta
[pfSense Support] Fricken PPTP ?
I have the PPTP server enabled on my pfS and I am trying to run the Frickin PPTP proxy and I get the following logs upon startup:

  Jul 1 08:55:30 Frickin: Network error (Address already in use)
  Jul 1 08:55:30 Frickin: Network error (Address already in use)
  Jul 1 08:55:30 Frickin: Frickin v2.0, running as daemon with pid 904

I am trying to bind it to two interfaces as I have users in those zones that need PPTP access out and can't get to their home office PPTP server unless I disable my pfS PPTP service. Ideas ?!?!?! (Friggin' PPTP issues!!!)

--
David L. Strout
Engineering Systems Plus, LLC
Re: [pfSense Support] pfSense Firewall Logs: no ports listed !?
Eureka!

After logging all traffic out to console and monitoring this during reboot/boot I came to a stunning conclusion (or might I say the OS gave me the answer). Upon every reboot I would see the following in dmesg:

  Jul 01 08:39:55 192.168.1.1 Jul 1 08:42:00 pf: tcpdump: WARNING: pflog0: no IPv4 address assigned
  Jul 01 08:39:55 192.168.1.1 Jul 1 08:42:00 pf: tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

So ... I simply added the -vv switch to the two lines in /etc/inc/filter.inc (lines 58 and 60) as follows:

  58  $pid = `ps awwwux | grep -v grep | grep "tcpdump -vv -l -n -e -ttt -i pflog0" | awk '{ print $2 }'`;
  60  mwexec_bg("/usr/sbin/tcpdump -vv -l -n -e -ttt -i pflog0 | logger -t pf -p local0.info");

AND VOILA ... logs are showing ports correctly.

--
David L. Strout
Engineering Systems Plus, LLC
Re: [pfSense Support] pfSense Firewall Logs: no ports listed !?
FYI. Clearly the below method is a hack, but it seemed to work on the AMD box that was giving me heartburn on logging protos correctly. I have just tried it on the Intel box too and it seems to have no adverse effect. I just don't know what the difference is in processing packets on AMD vs. Intel, or if that is even the issue.

--
David L. Strout
Engineering Systems Plus, LLC

- Original Message -
Subject: Re: [pfSense Support] pfSense Firewall Logs: no ports listed !?
From: [EMAIL PROTECTED]
To: support@pfsense.com
Date: 07-01-2007 9:42 am

> Eureka!
>
> After logging all traffic out to console and monitoring this during reboot/boot I came to a stunning conclusion (or might I say the OS gave me the answer). Upon every reboot I would see the following in dmesg:
>
>   Jul 01 08:39:55 192.168.1.1 Jul 1 08:42:00 pf: tcpdump: WARNING: pflog0: no IPv4 address assigned
>   Jul 01 08:39:55 192.168.1.1 Jul 1 08:42:00 pf: tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>
> So ... I simply added the -vv switch to the two lines in /etc/inc/filter.inc (lines 58 and 60) as follows:
>
>   58  $pid = `ps awwwux | grep -v grep | grep "tcpdump -vv -l -n -e -ttt -i pflog0" | awk '{ print $2 }'`;
>   60  mwexec_bg("/usr/sbin/tcpdump -vv -l -n -e -ttt -i pflog0 | logger -t pf -p local0.info");
>
> AND VOILA ... logs are showing ports correctly.
>
> --
> David L. Strout
> Engineering Systems Plus, LLC
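A check that would have caught the regression discussed in these two posts (and the earlier "no ports listed" reports) before anyone had to read raw logs, as an added example that is not code from the thread or from pfSense's filter.inc: a parser for the lines that the `tcpdump -n -e -ttt -i pflog0 | logger` pipeline writes, plus a coverage count of how many port-carrying entries actually have ports. The line shape `rule N/M(match): action dir on iface: src.port > dst.port: proto ...` is an assumption about that era's tcpdump output, and the sample lines are constructed, including one that mimics the symptom in the thread (a packet logged with no ports and ESP as its protocol).

```python
"""Parse pflog0 tcpdump lines and report entries that lost their ports.

Added example, not from the thread or pfSense. The line format is assumed
(tcpdump -n -e -ttt on pflog0 of that era); SAMPLE_LOG is constructed.
"""
import re

LINE_RE = re.compile(
    r"rule (?P<rule>\S+)\((?P<reason>[^)]+)\): (?P<action>\w+) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)"
)
# "10.0.0.5.49152" -> host 10.0.0.5, port 49152; a bare host has no port.
ENDPOINT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?:\.(\d{1,5}))?$")

# Constructed sample; the last line mimics the broken output from the thread.
SAMPLE_LOG = """\
00:00:00.000000 rule 72/0(match): block in on fxp0: 10.0.0.5.49152 > 192.0.2.10.22: S 1:1(0) win 65535
00:00:00.000412 rule 72/0(match): block in on fxp0: 10.0.0.6.5353 > 192.0.2.10.53: UDP, length 40
00:00:00.000200 rule 80/0(match): pass out on tl0: 192.168.1.10 > 192.0.2.20: ICMP echo request, id 1, seq 1, length 64
00:00:00.001000 rule 72/0(match): block in on fxp0: 10.0.0.5 > 192.0.2.10: ESP
"""


def _endpoint(token):
    """Split 'host.port' into (host, port); port is None when absent."""
    m = ENDPOINT_RE.match(token)
    if not m:
        return token, None
    return m.group(1), (int(m.group(2)) if m.group(2) else None)


def _proto(rest):
    """Protocol from the trailing text: UDP/ICMP/ESP are spelled out, while a
    TCP line starts with its flag letters (S, P, F, R, .) before the seq range."""
    head = rest.split(",")[0].split()[0] if rest.strip() else ""
    if head.upper() in ("UDP", "ICMP", "ESP", "AH", "GRE"):
        return head.upper()
    if re.fullmatch(r"[SPFRU.]+", head):
        return "TCP"
    return head.upper() or "UNKNOWN"


def parse_line(line):
    """Fields of one pflog line as a dict, or None if the line is not a pflog entry."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, sport = _endpoint(m.group("src"))
    dst, dport = _endpoint(m.group("dst"))
    return {
        "rule": m.group("rule"), "action": m.group("action"), "dir": m.group("dir"),
        "iface": m.group("iface"), "src": src, "sport": sport, "dst": dst, "dport": dport,
        "proto": _proto(m.group("rest")),
    }


def entries_without_ports(log_text):
    """Parsed entries that are not ICMP yet carry no source or destination port.
    ICMP never has ports; anything else without them is the symptom from the thread."""
    out = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and e["proto"] != "ICMP" and (e["sport"] is None or e["dport"] is None):
            out.append(e)
    return out


def port_coverage(log_text):
    """(entries with both ports, non-ICMP entries): a quick health figure for the log."""
    total = with_ports = 0
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None or e["proto"] == "ICMP":
            continue
        total += 1
        if e["sport"] is not None and e["dport"] is not None:
            with_ports += 1
    return with_ports, total


if __name__ == "__main__":
    for e in entries_without_ports(SAMPLE_LOG):
        print("no ports:", e["src"], ">", e["dst"], e["proto"])
    print("coverage:", port_coverage(SAMPLE_LOG))
```

Fed the output of `clog /var/log/filter.log` (or the raw log view), a coverage well below what the ruleset should produce is the signal that the tcpdump pipeline is decoding without `-vv` again.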
[pfSense Support] IPsec tunnel issues in latest build.
I have noticed an anomaly in the IPsec tunnels in the latest build.

The Situation: I have several tunnels created on my pfS server. I recently upgraded to the latest SNAP (built on Sun Jul 1 11:24:33 EDT 2007) and I started noticing tunnel drops soon after.

The Results: I started noticing that the tunnels were dropping and that it took (basically) a full reboot to re-establish the tunnels (7 of them). The tunnels are IPsec|ESP|MD5 tunnels (pretty standard tunnels) built to the WAN interface and designating the internal LAN subnet on either side as their parent networks. Everything has worked flawlessly in the past with this configuration.

The Findings: None to speak of, except I see a lot of the following messages in the logs:

  Jul 1 14:10:30 racoon: INFO: delete phase 2 handler.
  Jul 1 14:10:30 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP x.x.x.x[0]->x.x.x.x[0]
  Jul 1 14:09:59 racoon: INFO: begin Identity Protection mode.
  Jul 1 14:09:59 racoon: INFO: initiate new phase 1 negotiation: x.x.x.x[500]<=>x.x.x.x[500]
  Jul 1 14:09:59 racoon: INFO: IPsec-SA request for x.x.x.x queued due to no phase1 found.
  Jul 1 14:09:23 racoon: INFO: 192.168.168.1[500] used as isakmp port (fd=23)
  Jul 1 14:09:23 racoon: INFO: fe80::208:c7ff:fe59:26cd%fxp0[500] used as isakmp port (fd=22)
  Jul 1 14:09:23 racoon: INFO: x.x.x.x[500] used as isakmp port (fd=21)
  Jul 1 14:09:23 racoon: INFO: fe80::250:8bff:fe08:283d%fxp1[500] used as isakmp port (fd=20)
  Jul 1 14:09:23 racoon: INFO: 192.168.100.1[500] used as isakmp port (fd=19)
  Jul 1 14:09:23 racoon: INFO: fe80::208:c7ff:fea4:970c%tl0[500] used as isakmp port (fd=18)
  Jul 1 14:09:23 racoon: INFO: fe80::209:5bff:fe92:465a%ath0[500] used as isakmp port (fd=17)
  Jul 1 14:09:23 racoon: INFO: 10.10.10.1[500] used as isakmp port (fd=16)
  Jul 1 14:09:23 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=15)
  Jul 1 14:09:23 racoon: INFO: ::1[500] used as isakmp port (fd=14)
  Jul 1 14:09:23 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=13)
  Jul 1 14:09:23 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
  Jul 1 14:09:23 racoon: INFO: @(#)ipsec-tools 0.6.7 (http://ipsec-tools.sourceforge.net)

--
David L. Strout
Engineering Systems Plus, LLC
Re: Re: [pfSense Support] IPsec tunnel issues in latest build.
> As soon as I see the below entry in the (IPsec) logs:
>
>   racoon: INFO: received Vendor ID: DPD
>
> the tunnels start dropping. I have the ping address set to the internal LAN address on each pfS box and this has worked in the past (I assume pinging the internal interface address is a form of DPD). I see no input errors on any of the LAN interfaces so I'd assume that they aren't too heavily loaded. I have even set an any|any|any in the IPsec rule on a couple of the tunnels to see if that makes any difference. Not sure what is going on.

I run IPSEC in over 9 locations and I have yet to see any issues with it on the recent versions.

Scott
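A per-peer triage of racoon log lines like the ones quoted in the bug report above and in this reply, as an added example that is not code from the thread or from pfSense: it counts phase 1 initiations, phase 2 timeouts, queued SA requests and DPD announcements for each remote peer, so a tunnel that keeps retrying phase 1 and never completes (the "only a reboot brings it back" pattern) stands out from peers that are fine. The message texts are racoon's as quoted above; the peer addresses, the "ISAKMP-SA established" line and the sample log are constructed, and crediting the peer-less Vendor ID line to the most recently initiated negotiation is an assumption about racoon's logging order.

```python
"""Per-peer triage of racoon log lines.

Added example, not from the thread. Message texts follow racoon's as quoted
in the thread; peer addresses and SAMPLE_LOG are constructed.
"""
import re
from collections import defaultdict

ADDR_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\[\d+\]")   # e.g. 203.0.113.10[500]
QUEUED_RE = re.compile(r"IPsec-SA request for (\S+) queued")

SAMPLE_LOG = """\
Jul 1 14:09:23 racoon: INFO: 192.168.168.1[500] used as isakmp port (fd=23)
Jul 1 14:09:59 racoon: INFO: IPsec-SA request for 203.0.113.10 queued due to no phase1 found.
Jul 1 14:09:59 racoon: INFO: initiate new phase 1 negotiation: 198.51.100.1[500]<=>203.0.113.10[500]
Jul 1 14:09:59 racoon: INFO: begin Identity Protection mode.
Jul 1 14:09:59 racoon: INFO: received Vendor ID: DPD
Jul 1 14:10:30 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 198.51.100.1[0]->203.0.113.10[0]
Jul 1 14:10:30 racoon: INFO: delete phase 2 handler.
Jul 1 14:10:31 racoon: INFO: initiate new phase 1 negotiation: 198.51.100.1[500]<=>203.0.113.10[500]
Jul 1 14:11:02 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 198.51.100.1[0]->203.0.113.10[0]
Jul 1 14:11:05 racoon: INFO: initiate new phase 1 negotiation: 198.51.100.1[500]<=>203.0.113.20[500]
Jul 1 14:11:06 racoon: INFO: ISAKMP-SA established 198.51.100.1[500]-203.0.113.20[500] spi:0123456789abcdef:fedcba9876543210
"""


def _new_counters():
    return {"phase1_initiated": 0, "phase1_established": 0,
            "phase2_timeouts": 0, "queued": 0, "dpd": False}


def triage(log_text):
    """Map remote peer -> counters. The remote peer is the last 'addr[port]'
    on a line (local<=>remote, local->remote, local-remote). The Vendor ID
    line names no peer, so it is credited to the most recently initiated
    negotiation (assumes racoon logs a negotiation's lines together)."""
    stats = defaultdict(_new_counters)
    current = None
    for line in log_text.splitlines():
        if "initiate new phase 1 negotiation" in line:
            current = ADDR_RE.findall(line)[-1]
            stats[current]["phase1_initiated"] += 1
        elif "ISAKMP-SA established" in line:
            stats[ADDR_RE.findall(line)[-1]]["phase1_established"] += 1
        elif "phase2 negotiation failed due to time up waiting for phase1" in line:
            stats[ADDR_RE.findall(line)[-1]]["phase2_timeouts"] += 1
        elif "queued due to no phase1 found" in line:
            m = QUEUED_RE.search(line)
            if m:
                stats[m.group(1)]["queued"] += 1
        elif "received Vendor ID: DPD" in line and current:
            stats[current]["dpd"] = True
    return dict(stats)


def stalled_peers(stats, min_timeouts=2):
    """Peers that keep timing out in phase 2 without ever completing phase 1."""
    return sorted(peer for peer, s in stats.items()
                  if s["phase2_timeouts"] >= min_timeouts and s["phase1_established"] == 0)


if __name__ == "__main__":
    stats = triage(SAMPLE_LOG)
    for peer, s in sorted(stats.items()):
        print(peer, s)
    print("stalled:", stalled_peers(stats))
```

Once the stalled list is in hand, comparing the pfSense build on each of those peers against the hub is the first thing to check, which is what turned out to be the cause further down this thread.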
Re: Re: Re: [pfSense Support] IPsec tunnel issues in latest build.
Thanks Scott, I thought of that and checked ... sure enough there was a difference in the hub and several of the spokes. I just updated all to the latest SNAP and all seems to have settled down now. All 7 tunnels up and stable!

> Make sure all endpoints are running the same version.
>
> Scott
Re: Re: Re: Re: [pfSense Support] IPsec tunnel issues in latest build.
Thanks, it seemed to work well here. I wish I were of more help, more often.

--
David L. Strout
Engineering Systems Plus, LLC

- Original Message -
Subject: Re: Re: Re: [pfSense Support] IPsec tunnel issues in latest build.
From: [EMAIL PROTECTED]
To: support@pfsense.com
Date: 07-01-2007 4:05 pm

> On 7/1/07, David Strout [EMAIL PROTECTED] wrote:
>> Thanks Scott, I thought of that and checked ... sure enough there was a difference in the hub and several of the spokes. I just updated all to the latest SNAP and all seems to have settled down now. All 7 tunnels up and stable!
>>
>>> Make sure all endpoints are running the same version.
>
> Good to hear. I just fixed a bug that involves CARP and port = 500 (UDP) as well. In addition your -vv change made all of the protocols start appearing correctly. Nice find!
>
> Scott
Re: [pfSense Support] pfSense Firewall Logs: no ports listed !?
> Problem is now solved in recent snapshots.

Indeed it is, thanks for all the great work. I have noticed that all of the entries show as proto ESP. I seem to remember that some time ago this same situation crept in after a logging/logging ports issue a while ago. I seem to remember that there was a fix in that there needed to be a -v switch added to the tcpdump command ... not sure really though.

BTW, I did an upgrade to a 6-28 built on 6-29 at 13:10 SNAP. This wasn't a clean install from ISO.

--
David L. Strout
Engineering Systems Plus, LLC
Re: Re: [pfSense Support] pfSense Firewall Logs: no ports listed !?
An update ... It seems that TCP packets (looks like UDP and ICMP are exempt from this issue and report correctly) are getting reported as ESP proto. I enabled the RAW logging and see the logger stream as I'd expect to. I have even tried to augment the /etc/inc/filter.inc file w/ adding a -vv switch to the tcpdump statement to no avail. Just thought I'd report my findings. Going to do a full reinstall in an hour or so and will report after that.

--
David L. Strout
Engineering Systems Plus, LLC

- Original Message -
Subject: Re: [pfSense Support] pfSense Firewall Logs: no ports listed !?
From: [EMAIL PROTECTED]
To: support@pfsense.com
Date: 06-30-2007 7:16 am

>> Problem is now solved in recent snapshots.
>
> Indeed it is, thanks for all the great work. I have noticed that all of the entries show as proto ESP. I seem to remember that some time ago this same situation crept in after a logging/logging ports issue a while ago. I seem to remember that there was a fix in that there needed to be a -v switch added to the tcpdump command ... not sure really though.
>
> BTW, I did an upgrade to a 6-28 built on 6-29 at 13:10 SNAP. This wasn't a clean install from ISO.
>
> --
> David L. Strout
> Engineering Systems Plus, LLC
Re: [pfSense Support] pfSense Firewall Logs: no ports listed !?
I have added some sample log data from the problem server as you asked.

> We have some major log display issues back in 1.2 snapshots for some reason. Can you add your findings as a comment to this?
>
> http://cvstrac.pfsense.com/tktview?tn=1348,32
[pfSense Support] WLAN (Atheros) MAC ACLs
Everyone,

I have just installed a Netgear WAG311 in one of the test servers and all is working GREAT!!! I just have one question ... is there any plan to add a MAC filtering feature so that there is an added layer when running a WiFi NIC, or is this the 802.1X option? I know that 802.1X (NAC) is very similar to what I am asking for, but after enabling the 802.1X check box I see no option to add MAC addresses.

Thanks in advance ... Obviously confused!

--
David L. Strout
Engineering Systems Plus, LLC
Re: [pfSense Support] pfSense Firewall Logs: no ports listed !?
Yup, I have tested this on both a Soekris 4801 and a server install ... the below findings are what I observed on both platforms.

--
David L. Strout
Engineering Systems Plus, LLC

- Original Message -
Subject: Re: [pfSense Support] pfSense Firewall Logs: no ports listed !?
From: [EMAIL PROTECTED]
To: support@pfsense.com
Date: 06-29-2007 8:21 pm

> On 6/25/07, David Strout [EMAIL PROTECTED] wrote:
>> Morning everyone,
>>
>> Just wanted to give an update. I did an upgrade on an older 1.2-BETA-1-TESTING-SNAPSHOT-05-??-2007 (I think it was around the 5-10, 11 time frame) and the logging seems to work with this. I have found in testing that anything after the 5-29 builds are broken and if you do a fresh install it is unquestionably broken. I can't quite pin down the time frame on when this little logging issue crept in but it seems that anything prior to 5-29 when upgraded with the latest SNAP is OK, but if you've upgraded after 5-29 (like using the 6-?? SNAPs) then the log ports go bye bye. Still digging, but wanted to give an update of what I've found so far.
>
> Anyone running an embedded version that has this problem as well?
>
> Scott
Re: AW: [pfSense Support] WLAN (Atheros) MAC ACLs
Thanks, I just found the forum thread on this ... this works for all intents and purposes the same way as MAC ACLs would on your run of the mill Linksys/Netgear. Thanks!!

--
David L. Strout
Engineering Systems Plus, LLC

- Original Message -
Subject: AW: [pfSense Support] WLAN (Atheros) MAC ACLs
From: [EMAIL PROTECTED]
To: support@pfsense.com
Date: 06-29-2007 9:01 pm

> Hi!
>
> ATM it's not supported by the wlan daemon in conjunction with specific drivers such as the ones used for your card... I'm using the same and tried to write some patch but it's out of function :-( So use the captive portal function to get nearly the same functionality...
>
> -Original Message-
> From: David Strout [mailto:[EMAIL PROTECTED]]
> Sent: Friday, 29 June 2007 23:20
> To: support@pfsense.com
> Subject: [pfSense Support] WLAN (Atheros) MAC ACLs
>
> Everyone,
>
> I have just installed a Netgear WAG311 in one of the test servers and all is working GREAT!!! I just have one question ... is there any plan to add a MAC filtering feature so that there is an added layer when running a WiFi NIC, or is this the 802.1X option? I know that 802.1X (NAC) is very similar to what I am asking for, but after enabling the 802.1X check box I see no option to add MAC addresses.
>
> Thanks in advance ... Obviously confused!
>
> --
> David L. Strout
> Engineering Systems Plus, LLC
[pfSense Support] SNAP build date vs. file date ?
Is there a difference between SNAPs w/ the same file date? I see a SNAP out there from 6-6 but when I upgrade a system with it, it will show a different build date ... does this mean that there are in fact different builds going on daily/semi-daily? I'm just trying to get some clarity on the differences and what they mean.

--
David L. Strout
Engineering Systems Plus, LLC
RE: [pfSense Support] pfSense Firewall Logs: no ports listed !?
Morning everyone, just wanted to give an update. I did an upgrade on an older 1.2-BETA-1-TESTING-SNAPSHOT-05-??-2007 (I think it was around the 5-10,11 time frame) and the logging seems to work with this. I have found in testing that anything after the 5-29 builds is broken, and if you do a fresh install it is unquestionably broken. I can't quite pin down the time frame on when this little logging issue crept in, but it seems that anything prior to 5-29 when upgraded with the latest SNAP is OK, but if you've upgraded after 5-29 (like using the 6-?? SNAPs) then the log ports go bye-bye. Still digging, but wanted to give an update of what I've found so far.
-- David L. Strout
Engineering Systems Plus, LLC
Re: [pfSense Support] pfSense Firewall Logs: no ports listed !?
I also noticed that in the show raw logs mode the ports do not show.
-- David L. Strout
Engineering Systems Plus, LLC
Re: AW: [pfSense Support] pfSense Firewall Logs: no ports listed !?
Actually it seems to be the way the packets are getting handed off to the pflog0 interface; if you run tcpdump on the physical interface all ports show as expected. Still digging.

- Original Message -
It's because it's also not in the filter.log... :-(

- Original Message -
From: David Strout [mailto:[EMAIL PROTECTED]]
Sent: Monday, 18 June 2007 21:47
To: support@pfsense.com
Subject: Re: [pfSense Support] pfSense Firewall Logs: no ports listed !?

I also noticed that in the show raw logs mode the ports do not show.
-- David L. Strout
Engineering Systems Plus, LLC
Re: [pfSense Support] pfSense Firewall Logs: no ports listed !?
I find that if you issue the snarf (snaplen) switch to the tcpdump command it reports the correct ports. Where is the /usr/sbin/tcpdump -l -n -e -ttt -i pflog0 issued from .. an rc script?

- Original Message -
I also noticed that in the show raw logs mode the ports do not show.
-- David L. Strout
Engineering Systems Plus, LLC
Re: Re: [pfSense Support] pfSense Firewall Logs: no ports listed !?
Looks like there is a possibility to start the tcpdump sequence that feeds syslog with a -s 128 parameter, but not sure if it is producing the desired results. Check in /etc/inc/filter.inc IIRC.
Scott

On 6/18/07, David Strout [EMAIL PROTECTED] wrote:
I find that if you issue the snarf (snaplen) switch to the tcpdump command it reports the correct ports. [...]
Re: Re: Re: [pfSense Support] pfSense Firewall Logs: no ports listed !?
NOPE !!! Last suggestion DID NOT produce the desired results. It did show some ports but everything shows up as proto ESP and I think the ports (src dst) were reversed. Looks like logging (port displaying) is broken. I will try to help figure it out and lend a hand where I can in this effort.

- Original Message -
Looks like there is a possibility to start the tcpdump sequence that feeds syslog with a -s 128 parameter, but not sure if it is producing the desired results. Check in /etc/inc/filter.inc IIRC.
Scott

On 6/18/07, David Strout [EMAIL PROTECTED] wrote:
I find that if you issue the snarf (snaplen) switch to the tcpdump command it reports the correct ports. [...]
[pfSense Support] SNORT Package ?
I just loaded the latest SNAP and enabled the SNORT package ... I noticed one thing ... purely functional, but when I go to the Snort: Rules page and choose a Category from the pull down the Rules never change. Not a real problem as you can go to the category page and click the category you want and get to all the rules for that category. Is there a fix in CVS for this, or some simple hack I can do for this added functionality, or is it something to wait for in the next SNAP? BTW, I have tried uninstalling the package and reinstalling to no avail.
-- David L. Strout
Engineering Systems Plus, LLC
Re: [pfSense Support] SNORT Package ?
To follow up ... this might be an IE7 error. I DC the little error icon in the lower left of the browser window and get an explanation of the error as follows:

Line: 150
Char: 5
Error: 'document.forms.1.selectbox' is null or not an object
Code: 0
URL: https://10.10.10.1/snortrules.php

-- David L. Strout
Engineering Systems Plus, LLC

- Original Message -
Subject: [pfSense Support] SNORT Package ?
From: [EMAIL PROTECTED]
To: support@pfsense.com
Date: 06-17-2007 9:24 am
I just loaded the latest SNAP and enabled the SNORT package ... [...]
Re: Re: [pfSense Support] SNORT Package ?
One more added note ... this functionality seems to work fine in Firefox arrrgh @[EMAIL PROTECTED] IE !
-- David L. Strout
Engineering Systems Plus, LLC

- Original Message -
Subject: Re: [pfSense Support] SNORT Package ?
From: [EMAIL PROTECTED]
To: support@pfsense.com
Date: 06-17-2007 9:29 am
To follow up ... this might be an IE7 error. [...]

- Original Message -
Subject: [pfSense Support] SNORT Package ?
From: [EMAIL PROTECTED]
To: support@pfsense.com
Date: 06-17-2007 9:24 am
I just loaded the latest SNAP and enabled the SNORT package ... [...]
Re: [pfSense Support] Access Control Features ....
I'll be looking forward to that ... not that the current isn't great or anything ... but I have a few sites where the admins get in and constantly fool around with settings and end up breaking the platform, so it'd be nice to be able to put the clamp down on them for certain screens/functions. Is there any way to snap the features into a current branch?? I looked for the RELENG_1 like someone replied, but I can't seem to find them. I have a box sitting here with the latest and greatest 1.2-BETA-1-TESTING-SNAPSHOT-06-06-2007 that I was thinking I could sync up to CVS if I knew what to snap in for this functionality.

- Original Message -
Yes. It won't be considered beta at first though, it'll just be RELENG_1 snapshots. It'll be a couple months or more after 1.2 is out before 1.3 is beta.
Re: Re: [pfSense Support] Access Control Features ....
Sorry about the double post ... my mail server issues!!

- Original Message -
I'll be looking forward to that ... not that the current isn't great or anything ... [...]

- Original Message -
Yes. It won't be considered beta at first though, it'll just be RELENG_1 snapshots. [...]
Re: Re: [pfSense Support] Access Control Features ....
Thanks again for the great info and prompt response!!!

- Original Message -
As previously mentioned, you'll need a dev iso and roll your own releng_1 install.

Not sure I have the wherewithal, but I'll certainly attempt it ... are you talking about building from scratch or from the CVS?

right...we're only building releng_1_2 snaps right now to make sure people don't get confused on what snapshot to test.

Understood ... BTW, the latest 1.2-BETA-1-TESTING-SNAPSHOT-06-06-2007 works GREAT !!!

It took me many many hours to backport that code from HEAD - way too much has changed. There's no simple patch for this either as it had a few bugs when committed (probably still does, working on that now). Build a releng_1 iso and install from there is your best bet right now.
--Bill

Again, I will attempt this ... not really sure where to start but I am thinking that I will fire up a FreeBSD VM and get started. Are there any docs/hints/FAQs on this process?
Re: [pfSense Support] Access Control Features ....
Thanks for all the helpful info ...

best place to start will be with the dev iso (doesn't matter what branch..really) http://snapshots.pfsense.com/FreeBSD6/RELENG_1_2/iso/Developers/ - the wiki http://wiki.pfsense.com/wikka.php?wakka=pfSenseHome and the development forum http://forum.pfsense.org/index.php?board=32.0 (where most dev related questions have been asked and already answered :)
--Bill
[pfSense Support] Access Control Features ....
Well it seems very useful to delegate administration of the pf-box, or just monitoring the status without granting unnecessary access to users. I searched through the list and forums pretty thoroughly and didn't find much movement on the access control features. I did play with the fbegin.inc editing trick w/ little applicable success for a prod. environment. I am wondering if the [user/group access control features] are still planned or have they been put on hold? Obviously I'd like to see it working and would even volunteer to test some beta configurations ... I've tried to load the HEAD version as I understand it is in there, but have had little success with it on the lab box. Not sure if it is my hardware or the build; I can give specs if interested, but I suspect everyone is too busy working on STABLE to look at HEAD issues. Is there any way to sync the [user/group access control features] [session expire/logout button] into a stable/current snapshot for some testing? I have a couple weeks of free time and a pretty open ticket on the lab space so I'd be more than willing to test the hell out of this to help wherever I can and try to get this into 1.2 if applicable and ready. Feedback welcome!!!
-- David L. Strout
Engineering Systems Plus, LLC
Re: Re: [pfSense Support] Access Control Features ....
Will these additions make their way into the new 1.3-BETA snaps once the 1.2 is out of beta and in production as a full release? Is the snapshot site down this morning? Having some trouble getting to it.

- Original Message -
It's too late for 1.2, we're already in the beta cycle for that branch. I have backported this code to the releng_1 branch however, so we'll see it in 1.3. To keep confusion down, there are no 1.3 snaps currently so you'll need a dev install to build this I'm afraid.
--Bill

On 6/9/07, David Strout [EMAIL PROTECTED] wrote:
Well it seems very useful to delegate administration of the pf-box, or just monitoring the status without granting unnecessary access to users. [...]
[pfSense Support] NAT question
If I were planning on migrating from Automatic outbound NAT rule generation to Manual Outbound NAT rule generation (Advanced Outbound NAT (AON)), where could I look to see what NAT rules are already being generated so as to get a good overview of what has to be manually created to do this migration? Is there a CLI command to see the currently running NAT table? Thanks in advance!
-- David L. Strout
Engineering Systems Plus, LLC
Re: [pfSense Support] NAT question
Looks like I found the command . pfctl -s nat (from the command interface OR the CLI)
-- David L. Strout
Engineering Systems Plus, LLC

- Original Message -
Subject: [pfSense Support] NAT question
From: [EMAIL PROTECTED]
To: support@pfsense.com
Date: 06-06-2007 3:56 pm
If I were planning on migrating from Automatic outbound NAT rule generation to Manual Outbound NAT rule generation (Advanced Outbound NAT (AON)), where could I look to see what NAT rules are already being generated so as to get a good overview of what has to be manually created to do this migration? [...]
Re: Re: [pfSense Support] NAT question
I have a follow on question about how to create the rules for AON for the following NAT entries .

nat-anchor pftpx/* all
nat-anchor natearly/* all
nat-anchor natrules/* all
#
# VARIOUS SPECIFIC NETWORK NAT RULES HERE
# (I've got this part figured out)
# VARIOUS SPECIFIC NETWORK NAT RULES HERE
#
rdr-anchor pftpx/* all
rdr-anchor slb all
rdr-anchor imspector all
rdr-anchor miniupnpd all

-- David L. Strout
Engineering Systems Plus, LLC

- Original Message -
Subject: Re: [pfSense Support] NAT question
From: [EMAIL PROTECTED]
To: support@pfsense.com;support@pfsense.com
Date: 06-06-2007 4:00 pm
Looks like I found the command . pfctl -s nat (from the command interface OR the CLI) [...]

- Original Message -
Subject: [pfSense Support] NAT question
From: [EMAIL PROTECTED]
To: support@pfsense.com
Date: 06-06-2007 3:56 pm
If I were planning on migrating from Automatic outbound NAT rule generation to Manual Outbound NAT rule generation (Advanced Outbound NAT (AON)) [...]
Re: Re: [pfSense Support] NAT question
Excellent !!! I figured that out after a little experimenting on the lab box ... WORKS GREAT !! coupled with the OPT LAN NAT question I posted the other day. Thanks again ... one and all!!
-- David L. Strout
Engineering Systems Plus, LLC

- Original Message -
Subject: Re: [pfSense Support] NAT question
From: [EMAIL PROTECTED]
To: support@pfsense.com
Date: 06-06-2007 5:01 pm
David Strout wrote:
I have a follow on question about how to create the rules for AON for the following NAT entries [...]

You don't. The only thing you need to be concerned about is nat on blah rules.
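An added example, not code from the thread or from pfSense itself: a small POSIX shell script that sorts the text of `pfctl -s nat` the way the reply above says to, keeping the `nat on` rules an AON migration has to recreate and setting the anchor lines (package hooks pfSense regenerates on its own) aside. The sample output is constructed: the anchor lines are the ones quoted in the thread, while the two `nat on` rules and the `rdr on` rule stand in for the rules the poster elided; `rdr`/`binat` rules come from the Port Forward and 1:1 NAT pages rather than AON, so they are listed separately.

```shell
#!/bin/sh
# Added example, not pfSense code. Classify `pfctl -s nat` output for an
# Automatic -> Advanced Outbound NAT (AON) migration: only `nat on ...` rules
# must be re-created by hand; anchor lines are hooks for packages/features
# (pftpx, slb, imspector, miniupnpd) that pfSense regenerates itself.

# Constructed sample (not captured from a real box). The anchor lines are the
# ones quoted in the thread; the `nat on` / `rdr on` lines stand in for the
# "VARIOUS SPECIFIC NETWORK NAT RULES" the poster left out.
SAMPLE_NAT_OUTPUT='nat-anchor pftpx/* all
nat-anchor natearly/* all
nat-anchor natrules/* all
nat on fxp0 from 192.168.1.0/24 to any -> (fxp0) port 1024:65535
nat on fxp0 from 10.1.1.0/24 to any -> (fxp0) port 1024:65535
rdr-anchor pftpx/* all
rdr-anchor slb all
rdr-anchor imspector all
rdr-anchor miniupnpd all
rdr on fxp0 proto tcp from any to 203.0.113.10 port 443 -> 10.1.1.5'

# Outbound NAT rules: the only lines that must be written into AON by hand.
nat_rules_to_migrate() {
    printf '%s\n' "$1" | awk '$1 == "nat" && $2 == "on"'
}

# Anchor hooks: leave them alone, pfSense emits them regardless of NAT mode.
anchor_lines() {
    printf '%s\n' "$1" | awk '$1 ~ /^(nat|rdr|binat)-anchor$/'
}

# Port forwards (rdr) and 1:1 NAT (binat): managed on their own pages, not AON,
# so they are reported separately rather than migrated.
other_translation_rules() {
    printf '%s\n' "$1" | awk '($1 == "rdr" || $1 == "binat") && $2 == "on"'
}

# Count the lines in a (possibly empty) multi-line string.
count_lines() {
    if [ -z "$1" ]; then
        echo 0
    else
        printf '%s\n' "$1" | wc -l | tr -d ' '
    fi
}

# On a live box, feed it the real table: nat_rules_to_migrate "$(pfctl -s nat)"
echo "== rules to migrate into AON =="
nat_rules_to_migrate "$SAMPLE_NAT_OUTPUT"
echo "== anchors (ignore) =="
anchor_lines "$SAMPLE_NAT_OUTPUT"
echo "== rdr/binat (handled elsewhere) =="
other_translation_rules "$SAMPLE_NAT_OUTPUT"
```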
[pfSense Support] Specific NAT question.
I have a specific need to allow clients of a private net (connected to OPT3 w/ 10.10.10.0/24 reserved DHCP addresses) to connect to the LAN net (145.191.112.0/20 static addresses via DHCP reservations). BTW only a small supernet of addresses is attached to the pfS box (145.191.114.0/23). The issue is that there are servers in the LAN that the clients of the OPT3 network need access to, and these servers REQUIRE a 145.191.x.x address to access them. These admins will NOT allow private address space to access their servers (tcpwrappers, iptables and other SELinux methods). They are not willing to budge on this . so my thinking is that I can set up a NAT pool to NAT the OPT3 addresses (10.10.10.x) to some open LAN address space (145.191.x.x). I have tried slicing off a very little subnet 255.255.255.242 of the OPT3 net and doing some 1:1 NAT with these addresses and those of the LAN in the same way, but I have had very little luck.

QUESTION I: Is this type of NAT setup even possible?
QUESTION II: Do the subnets have to match on either side of the NAT schema?
QUESTION III: I am using 1:1 because I want to control which OPT3 clients have access into the LAN (is this correct thinking)?
QUESTION IV: Do I have to get the admins of the routable LAN net to carve out a specific subnet for me to use the 1:1 NAT schema?

Regards and thanks !!
-- David L. Strout
Engineering Systems Plus, LLC
[pfSense Support] VLAN Setup of pfSense ?'s
Proof of concept - can this be done???

The customer's scenario: They have a pfS box with four interfaces (fxp0-3):
fxp0=WAN (static)
fxp1=LAN (192.168.1.0/24)
fxp2=DMZ (10.1.1.0/24)
fxp3=WLAN (192.168.2.0/24)

Everything works well and very reliably, but I have two new networks (VLAN'd w/ Cisco switches) that need access to the internet and DMZ based servers through the pfS platform. I can not add another NIC (or dual NIC) to the pfS box as I am out of PCI slots and there is no other option, hardware wise, for this platform.

VLAN setup on customer network:
VLAN100=management net
VLAN101=LAN NET (192.168.1.0/24)
VLAN201=KIOSK NET (192.168.100.0/24)
VLAN301=LAB NET (192.168.200.0/24)

As of today these VLANs/networks (201, 301) are segmented/isolated and have their own DHCP servers and have dead-ended default gateway IPs of said DHCP server .. in other words they go nowhere when requesting addresses other than the attached IP space. I do not have the option of changing the address space of these networks as they are managed by different business units and they are adamant that they will not re-IP their networks. The LAN NET VLAN101 is the only one that has exposure to the internet and they use pfS for DHCP, DNS FWD, default gateway.

So here is my thinking ... I am thinking that I can present the pfS box with a Cisco trunk that will carry VLANs 101, 201, 301 and feed it to the fxp1 interface of the pfS box. I can prune and do all that I need to limit the exposure of all VLANs to the pfS box no problem. But the real question is how to provide default gateway addresses and DHCP service to these three dissimilarly IP'd networks when there is really only one physical NIC. I can see in the interface section where to create the tagging and assign NICs to a tagged VLAN, but I am unclear as to assigning the IP of the dissimilar networks to one NIC; is this the virtual IP address section?

Assuming it is and I assign VIPs to the fxp1 interface like this (physical=192.168.1.1, VIP1=192.168.100.1, VIP2=192.168.200.1) then how could I provide DHCP and DNS service to all three networks from pfS? The managers want to remove the DHCP servers from each of the two additional networks and rely on pfS for DHCP and resolution to the net and DMZ. [ thereby putting all the management of these nets on me ... oh whoopee :-( ] I may be reaching here and maybe this can not be done with pfS. Suggestions VERY welcomed !!!
-- David L. Strout
Engineering Systems Plus, LLC
[pfSense Support] Captive Portal ?
Now that I have plowed through the VLAN issue, I have been presented with another config question. Is there any way to have captive portal active on multiple interfaces? I dug through the mail lists and the forum, but it seems that the answer is a resounding no. So naturally the next question is ... is there any plan to modify the captive portal to address multiple interfaces? I am sure it would be a coding nightmare, but having been presented with the question and seeing the value in their request, it sure would be a nice feature for a future release.
-- David L. Strout
Engineering Systems Plus, LLC
[pfSense Support] upgrading Soekris 4801
I am trying to upgrade from 1.2-BETA-1 to the latest snap: pfSense-Full-And-Embedded-Update-1.2-BETA-1-TESTING-SNAPSHOT-05-14-2007.tgz. I am continually getting kicked from the webConfigurator and then have to ssh to the box and restart the web service (opt 11). I was wondering if there is a command line update feature, as we saw back in the pre-rel 1 days, that will sync pfS to the mirror and do the update without having to go through the web interface.

HARDWARE: Soekris 4801, 128MB CF, VPN1411, lan1621

Pretty standard setup, but I have had no luck since 1.0.1 in using the web to do upgrades; I have had to do it by taking the device off line and cracking the case and re-burning the flash. Suggestions welcome.
-- David L. Strout
Engineering Systems Plus, LLC
Re: Re: [pfSense Support] upgrading Soekris 4801
I did a reboot and still no go ... is the upgrade from console available through an ssh session? I don't see it in the options from ssh.

- Original Message -
Subject: Re: [pfSense Support] upgrading Soekris 4801
From: [EMAIL PROTECTED]
On 5/15/07, David Strout [EMAIL PROTECTED] wrote:
I am trying to upgrade from 1.2-BETA-1 to the latest snap: pfSense-Full-And-Embedded-Update-1.2-BETA-1-TESTING-SNAPSHOT-05-14-2007.tgz [...]

Try rebooting the machine and upgrade again or use the new upgrade from console feature.
Scott
PS: it absolutely requires 128 megabytes or more memory.
Re: Re: Re: [pfSense Support] upgrading Soekris 4801
I don't have that option. Here's what my ssh session looks like:

*** Welcome to pfSense 1.2-BETA-1-embedded on espfwvpn ***
WAN* - sis0 - xx.xx.xx.xxx
LAN* - sis4 - 192.168.1.1
*** pfSense console setup ***
0) Logout (SSH only)
1) Assign Interfaces
2) Set LAN IP address
3) Reset webConfigurator password
4) Reset to factory defaults
5) Reboot system
6) Halt system
7) Ping host
8) Shell
9) PFtop
10) Filter Logs
11) Restart webConfigurator
12) pfSense PHP shell

Is this a serial console connection option only?? I am running: 1.2-BETA-1 built on Mon Apr 30 11:14:16 EDT 2007. Should I try a little older snap to get that functionality, or is there the possibility of using the old fetch command for upgrading?

- Original Message -
Subject: Re: Re: [pfSense Support] upgrading Soekris 4801
From: [EMAIL PROTECTED]
On 5/15/07, David Strout [EMAIL PROTECTED] wrote:
I did a reboot and still no go ... is the upgrade from console available through an ssh session? I don't see it in the options from ssh.

Yes, option 13.
13) Upgrade from console
Scott
Re: Re: Re: Re: [pfSense Support] upgrading Soekris 4801
That is kinda what I suspected :-( Thanks for the suggestions and quick response!!

- Original Message -
Subject: Re: Re: Re: [pfSense Support] upgrading Soekris 4801
From: [EMAIL PROTECTED]
Not sure why you are not seeing it... It should appear for all platforms. At this point I would reflash.
Scott

On 5/15/07, David Strout [EMAIL PROTECTED] wrote:
I don't have that option. Here's what my ssh session looks like: [...]
[pfSense Support] newest pfsense.img boot errors
I am just booting the newest pfsense.img on a Soekris and get an error:

Configuring CARP interfaces...done.
route: writing to routing socket: No such process
route: writing to routing socket: No such process
route: writing to routing socket: No such process
route: writing to routing socket: No such process
route: writing to routing socket: No such process
route: writing to routing socket: No such process
route: writing to routing socket: No such process
route: writing to routing socket: No such process
route: writing to routing socket: No such process
route: writing to routing socket: No such process
Syncing system time before startup...

Everything seems to boot ok, but just wondering if there is a reason that this does this or will it present me with routing issues when fully implemented. I have a heavily routed environment and was just a little leery about that error.
-- David L. Strout
Engineering Systems Plus, LLC
[pfSense Support] cookie/session expire
As usual, I installed the newest 1.2-BETA-1 and found it to work great for my purposes. I have come up against a question from several clients that are now using pfS ... Is/are there any plans for a session/cookie expire button/menu item? I have found that there are cases where someone has been in the firewall and then NOT closed the browser and I can get right into pfSense without logging in. I have simulated this same experience in the lab with both FFOX and IE7, I don't know if it is a browser feature or if it has always been this way. I think I remember a logout button in the last HEAD version that I loaded and played with, but are there any plans for the upcoming 1.2 release to incorporate this feature? Should I add this to the feature request section on the board?

--
David L. Strout
Engineering Systems Plus, LLC
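The behaviour described in the post (a browser tab left open keeps a valid login until the server itself expires the session) is what a server-side idle timeout plus an explicit logout handler address. The following is an added example, not pfSense code and not from anyone on the list: a PHP fragment that a session-based web GUI would run at the top of every authenticated page. The constant IDLE_TIMEOUT, the `last_activity` session key and the `index.php` redirect targets are assumptions made for illustration.

```php
<?php
// Added example (not pfSense code). Assumed names: IDLE_TIMEOUT,
// the "last_activity" session key and the /index.php redirect targets.
const IDLE_TIMEOUT = 900; // seconds of inactivity after which the login is dropped

// Cookie hardening: HttpOnly keeps scripts from reading the session id,
// Secure keeps it off plaintext HTTP, and lifetime 0 ties it to the
// browser process. Lifetime 0 alone does not help when the browser stays
// open, which is exactly the case the post describes; the idle timer below does.
session_set_cookie_params([
    'lifetime' => 0,
    'httponly' => true,
    'secure'   => !empty($_SERVER['HTTPS']),
    'samesite' => 'Strict',
]);
session_start();

// True when the last recorded activity is older than $timeout seconds.
function session_is_expired(array $sess, int $now, int $timeout): bool
{
    if (!isset($sess['last_activity'])) {
        return false; // first request of a fresh session
    }
    return ($now - (int) $sess['last_activity']) > $timeout;
}

// Drop the server-side state and expire the cookie in the browser too,
// so a later request cannot reuse the old session id.
function end_session(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Idle-timeout check, run before any page content is emitted.
if (session_is_expired($_SESSION, time(), IDLE_TIMEOUT)) {
    end_session();
    header('Location: /index.php?expired=1');
    exit;
}
$_SESSION['last_activity'] = time();

// Explicit logout handler, i.e. the "logout button" the post asks about.
if (isset($_GET['logout'])) {
    end_session();
    header('Location: /index.php');
    exit;
}
```

The timeout check must run before the first byte of output, since `header()` cannot redirect once output has started; the value of IDLE_TIMEOUT is a policy choice, and 15 minutes is only the placeholder used here.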
[pfSense Support] Rule editing issues.
I just upgraded to the latest snap - 1.0.1-SNAPSHOT-03-23-2007

I am noticing some errors when editing rules and then again when I try to save the rule. The following error shows up when I edit a rule:

Warning: Invalid argument supplied for foreach() in /usr/local/www/firewall_rules_edit.php on line 729

And this error shows up when I try to save the changes:

Warning: Illegal offset type in /etc/inc/config.inc on line 1701
Warning: Cannot modify header information - headers already sent by (output started at /etc/inc/config.inc:1701) in /usr/local/www/firewall_rules_edit.php on line 342

--
David L. Strout
Engineering Systems Plus, LLC
Re: Re: [pfSense Support] Rule editing issues.
Will I need to reapply the snap or just grab a file or two from CVS and apply ??? BTW, thanks for the quick reply!!

--
David L. Strout
Engineering Systems Plus, LLC

- Original Message -
Subject: Re: [pfSense Support] Rule editing issues.
From: [EMAIL PROTECTED]
To: support@pfsense.com
Date: 03-26-2007 10:58 am

> Fixed. Please test again about 2 hours from now.
>
> On 3/26/07, David Strout [EMAIL PROTECTED] wrote:
>> I just upgraded to the latest snap - 1.0.1-SNAPSHOT-03-23-2007 [...]
Re: Re: Re: [pfSense Support] Rule editing issues.
http://snapshots.pfsense.com/

--
David L. Strout
Engineering Systems Plus, LLC

- Original Message -
Subject: Re: Re: [pfSense Support] Rule editing issues.
From: [EMAIL PROTECTED]
To: support@pfsense.com
Date: 03-26-2007 11:07 am

> where are snapshots available?
>
> Thanks
>
> [EMAIL PROTECTED] 3/26/2007 11:05 AM
>> Download the latest snapshot in about 2 hours and upload it as you did on the previous one.
>>
>> Scott
>>
>> On 3/26/07, David Strout [EMAIL PROTECTED] wrote:
>>> Will I need to reapply the snap or just grab a file or two from CVS and apply ??? BTW, thanks for the quick reply!! [...]
Re: Re: Re: [pfSense Support] Rule editing issues.
Will this be renamed or show up as: pfSense-Full-Update-1.0.1-SNAPSHOT-03-23-2007.tgz

--
David L. Strout
Engineering Systems Plus, LLC

- Original Message -
Subject: Re: Re: [pfSense Support] Rule editing issues.
From: [EMAIL PROTECTED]
To: support@pfsense.com
Date: 03-26-2007 11:05 am

> Download the latest snapshot in about 2 hours and upload it as you did on the previous one.
>
> Scott
>
> On 3/26/07, David Strout [EMAIL PROTECTED] wrote:
>> Will I need to reapply the snap or just grab a file or two from CVS and apply ??? [...]
[pfSense Support] newest embedded image errors ...
This is the error I get when trying to change the interface setting on the newest snapshot - pfSense.img.gz 2007-Mar-26 14:19:42 23.3M application/x-gzip

[Mon Mar 26 20:38:28 2007] [apc-error] apc_fcntl_create: open(/tmp/.apc.gvBOOZ, O_RDWR|O_CREAT, 0666) failed: Read-only file system
[Mon Mar 26 20:38:28 2007] [apc-error] apc_fcntl_create: open(/tmp/.apc.yugUky, O_RDWR|O_CREAT, 0666) failed: Read-only file system

pfSense console setup ***

--
David L. Strout
Engineering Systems Plus, LLC
Re: RE: [pfSense Support] embedded image RO file system ..
Not a problem ... just reporting the symptoms. No need to get testy.

--
David L. Strout
Engineering Systems Plus, LLC

- Original Message -
Subject: RE: [pfSense Support] embedded image RO file system ..
From: [EMAIL PROTECTED]
To: support@pfsense.com
Date: 03-26-2007 6:32 pm

> You are missing some patience, we are working on the issue.
>
> Holger
>
> -Original Message-
> From: David Strout [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, March 27, 2007 12:30 AM
> To: support@pfsense.com
> Subject: [pfSense Support] embedded image RO file system ..
>
>> Am I missing something with the newest snapshot embedded image? It seems to boot fine with an error at the final stages saying:
>>
>> Bootup completece on miibus3o
>> [Mon Mar 26 22:26:45 2007] [apc-error] apc_fcntl_create: open(/tmp/.apc.MY2XI6, O_RDWR|O_CREAT, 0666) failed: Read-only file system
>> [Mon Mar 26 22:26:45 2007] [apc-error] apc_fcntl_create: open(/tmp/.apc.9ChrbL, O_RDWR|O_CREAT, 0666) failed: Read-only file system
>>
>> I also get the same error when I try to do an initial interface config ... What am I missing?
Re: Re: [pfSense Support] newest embedded image errors ...
The errors are gone and I am able to assign interface params, but the halt option doesn't seem to work (separate issue, maybe it hasn't been working on the embedded ver.)

Thanks

--
David L. Strout
Engineering Systems Plus, LLC

- Original Message -
Subject: Re: [pfSense Support] newest embedded image errors ...
From: [EMAIL PROTECTED]
To: support@pfsense.com
Date: 03-26-2007 7:22 pm

> On 3/26/07, David Strout [EMAIL PROTECTED] wrote:
>> This is the error I get when trying to change the interface setting on the newest snapshot - pfSense.img.gz 2007-Mar-26 14:19:42 23.3M application/x-gzip [...]
>
> Please try the latest image. It appears to be fixed now.
>
> Scott
Re: Re: Re: [pfSense Support] newest embedded image errors ...
Running on a Soekris 4801, it has always worked before ... I just noticed that it didn't work when I had the console cable connected ... usually I don't manage it that way except when I upgrade and have trouble.

--
David L. Strout
Engineering Systems Plus, LLC

- Original Message -
Subject: Re: Re: [pfSense Support] newest embedded image errors ...
From: [EMAIL PROTECTED]
To: support@pfsense.com
Date: 03-26-2007 8:21 pm

> On 3/26/07, David Strout [EMAIL PROTECTED] wrote:
>> The errors are gone and I am able to assign interface params, but the halt option doesn't seem to work (separate issue, maybe it hasn't been working on the embedded ver.)
>
> Not seeing that here. Maybe it's hardware related.
>
> pfSense console setup ***
> 0) Logout (SSH only)
> 1) Assign Interfaces
> 2) Set LAN IP address
> 3) Reset webConfigurator password
> 4) Reset to factory defaults
> 5) Reboot system
> 6) Halt system
> 7) Ping host
> 8) Shell
> 9) PFtop
> 10) Filter Logs
> 11) Restart webConfigurator
>
> Enter an option: 6
>
> pfSense will shutdown and halt system. This may take one minute.
> Do you want to proceed [y|n]? y
>
> pfSense will shutdown and halt system now.
>
> *** FINAL System shutdown message from [EMAIL PROTECTED] ***
> System going down IMMEDIATELY
>
> pfSense is now shutting down ...
> Waiting (max 60 seconds) for system process `vnlru' to stop...done
> Waiting (max 60 seconds) for system process `bufdaemon' to stop...done
> Waiting (max 60 seconds) for system process `syncer' to stop...
> Syncing disks, vnodes remaining...0 0 done
> All buffers synced.
> Uptime: 45m37s
Re: Re: Re: Re: [pfSense Support] newest embedded image errors ...
Yup, same hardware here net4801, lan1621 vpn1411 ... seems to work w/ a m0n0 image and I know it to have worked in the past w/ pfS images (around 1.0.1 stable) .. not sure what's up with it now. Not really a big deal, but I just noticed that it hung when I chose option 6. I even pulled the plug and retried it a couple times from the web interface.

--
David L. Strout
Engineering Systems Plus, LLC

- Original Message -
Subject: Re: Re: Re: [pfSense Support] newest embedded image errors ...
From: [EMAIL PROTECTED]
To: support@pfsense.com
Date: 03-26-2007 8:46 pm

> On 3/26/07, David Strout [EMAIL PROTECTED] wrote:
>> Running on a Soekris 4801, it has always worked before ... I just noticed that it didn't work when I had the console cable connected ... [...]
>
> This is also a Soekris 266/4801. Tested it again, works fine on the latest snapshot.
>
> Scott
[pfSense Support] Latest SNAPs
Getting back into it here and I have been looking to grab the latest SNAP and test it in the lab ... but they seem to have disappeared from Scott's dir. Can someone point me to them?

--
David L. Strout
Engineering Systems Plus, LLC
Re: [pfSense Support] VPN NAT-T ??
I see through CVStrack that it was pulled out some time ago ... just wondering if there is an update on this.

--
David L. Strout
Engineering Systems Plus, LLC

- Original Message -
Subject: [pfSense Support] VPN NAT-T ??
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Date: 01-01-2007 11:36 am

> Can anyone tell me if this has been incorporated into pfS yet ... and if not, are there any plans to in the future?
>
> enabled NAT-T support for IPsec VPN (enable via webGUI)
>
> --
> David L. Strout
> Engineering Systems Plus, LLC
[pfSense Support] SNAPSHOT ??
Pardon me if I am missing it somewhere, but I was looking for info on what the SNAPSHOTs fix. Is there a page on the forum or somewhere where the details of the SNAPs are posted to see if they are relevant to bugs or fixes that we might need to apply? I have looked on the forum in the release info category, on the CVStrack timeline; am I missing it here? Are the SNAPs needed or are they just play versions to try new features? If I have missed it or a prior post about this, please excuse me.

--
David L. Strout
Engineering Systems Plus, LLC
[pfSense Support] HEAD ?
All, I was so impressed w/ the A/A HEAD version while checking it out on bootable ISO that I put it right into production between lab segments and pulled out the 1.0.1 version for the time being. HoRAHH, this has some real promise and looks great (added features). Any timeline on when some of these features might make their way into the mainstream rev pipeline? I am really looking forward to the user access controls and all of the added bells and whistles in the HEAD version. EXCELLENT!

--
David L. Strout
Engineering Systems Plus, LLC
[pfSense Support] Alpha, Alpha version .. ?
I noticed some time ago that there are some nice screen shots of a pfSense w/ user management incorporated into the webConfigurator. I am really excited to see this feature come into play on pfSense. By any chance are these the alpha, alpha versions? I posted about this some time ago and was wondering if this feature is going to make its way into the mainstream pfS release or will it stay in HEAD? BTW, !!!GREAT!!! work Scott and the rest of the pfSense team and to all those who contribute!!! R1 works great and is up and running in several locations without incident.

--
David L. Strout
Engineering Systems Plus, LLC
[pfSense Support] 1.0-RC3 ?
Is it my imagination or has the web interface slowed down? I just upgraded to the official RC3 and the GUI (webConfigurator) seems MUCH, MUCH slower at screen redraws and refreshes.

--
David L. Strout
Engineering Systems Plus, LLC
Re: Re: [pfSense Support] 1.0-RC3 ?
I tried it in all three (IE, Firefox, and Mozilla (on Linux)). All of which are the latest version and updated/patched current. Not a huge deal, and it certainly doesn't seem to have any impact on throughput/performance of the FW itself ... it is just the screen refreshes.

--
David L. Strout
Engineering Systems Plus, LLC

- Original Message -
Subject: Re: [pfSense Support] 1.0-RC3 ?
From: [EMAIL PROTECTED]
To: support@pfsense.com
Date: 10-08-2006 1:21 pm

> I really don't see how on earth this is possible. What browser?
>
> On 10/8/06, David Strout [EMAIL PROTECTED] wrote:
>> Is it my imagination or has the web interface slowed down? I just upgraded to the official RC3 and the GUI (webConfigurator) seems MUCH, MUCH slower at screen redraws and refreshes. [...]
Re: RE: [pfSense Support] 1.0-RC3 ?
I read the post and it seems like this is geared towards floppy config systems ... I am running on an older Proliant server; 4 procs, 2GB RAM and 4 SCA SCSI drives w/ HW RAID CTRLR. All has been great for several releases, I even went through the RC2[abcdef] updates and they didn't have this effect on the machine. If I'm missing the point ... please be so kind as to point it out to me. I have fuddled around with the config and started a clean config and built the new from the old to the same results. Even upon a fresh install of a clean config I see the slowness. Like I said to Scott; this DOES NOT seem to impede performance in any way through the FW, it is just a visual slowness in the webConfigurator and just seems real laggy when making changes or viewing logs/graphs/configs/etc.

--
David L. Strout
Engineering Systems Plus, LLC

- Original Message -
Subject: RE: [pfSense Support] 1.0-RC3 ?
From: [EMAIL PROTECTED]
To: support@pfsense.com
Date: 10-08-2006 11:43 am

> http://forum.pfsense.org/index.php/topic,2308.msg13469.html#msg13469
>
> -Original Message-
> From: David Strout [mailto:[EMAIL PROTECTED]
> Sent: Sunday, October 08, 2006 3:33 PM
> To: support@pfsense.com
> Subject: [pfSense Support] 1.0-RC3 ?
>
>> Is it my imagination or has the web interface slowed down? [...]
Re: Re: Re: [pfSense Support] 1.0-RC3 ?
Flashing ... did I say it was flashing? Maybe I wasn't clear ... refreshing .. not flashing. There is nothing flashing here. I am going to try an upgrade on a test appliance in a little bit and I'll let everyone know how that turns out.

--
David L. Strout
Engineering Systems Plus, LLC

- Original Message -
Subject: Re: Re: [pfSense Support] 1.0-RC3 ?
From: [EMAIL PROTECTED]
To: support@pfsense.com
Date: 10-08-2006 3:25 pm

> I cannot reproduce this. Please use Wink and record a session with it blinking. The webConfigurator has been tested with ie7, firefox 2, firefox 1, and safari and I don't see anything even remotely close to what you describe. And how does flashing have anything to do with being slow?
>
> On 10/8/06, David Strout [EMAIL PROTECTED] wrote:
>> I tried it in all three (IE, Firefox, and Mozilla (on Linux)). All of which are the latest version and updated/patched current. [...]
Re: AW: RE: [pfSense Support] 1.0-RC3 ?
Problem solved ... well kinda. I reinstalled from scratch and re-applied the old config and all seems better. I still can't figure it out, I looked over the logs and watched a start-up (many times) from the console but nothing seemed out of order/sync. I can't explain it!!

--
David L. Strout
Engineering Systems Plus, LLC

- Original Message -
Subject: AW: RE: [pfSense Support] 1.0-RC3 ?
From: [EMAIL PROTECTED]
To: support@pfsense.com
Date: 10-08-2006 3:31 pm

> Hi, David!
>
> I use it at work on a HP Proliant DL380-G2 and do NOT have these issues, but the issue that it takes endlessly long to start the pfsense, but I think it's a side-effect of the embedded RAID-5 controller...
>
> Martin
>
> -Original Message-
> From: David Strout [mailto:[EMAIL PROTECTED]
> Sent: Sunday, 8 October 2006 20:27
> To: support@pfsense.com; support@pfsense.com
> Subject: Re: RE: [pfSense Support] 1.0-RC3 ?
>
>> I read the post and it seems like this is geared towards floppy config systems ... I am running on an older Proliant server; 4 procs, 2GB RAM and 4 SCA SCSI drives w/ HW RAID CTRLR. [...]
[pfSense Support] RC2 ?
Just a quick question about the RC2a,b,c,d,e.tgz files ... should we be applying these to an existing RC2 install, and if so what is the preferred method of applying these patches?

--
David L. Strout
Engineering Systems Plus, LLC
[pfSense Support] Max. outbound PPTP sessions currently limited to 1
http://forum.pfsense.org/index.php/topic,1383.0.html

I am baffled by the above post on the forum. Like it or not pfS devs ... PPTP is here to stay and has its place in networking. I am not a big supporter of it personally and I am fully aware of its inherent risks and vulnerabilities. But I find it very unprofessional to state (paraphrase from SUllrich), I think it should go away, I don't like it and therefore I will not make it work right on pfSense. I realize that you are hard at work on other things and most likely have a full plate with hackathon, but it seems you might find a more constructive method of addressing this ISSUE. I can't name ONE enterprise FW that does not support multiple PPTP sessions outbound (if so desired), and since one of the goals of pfS that I have read many times on the board and lists is to make an enterprise class FW ... maybe someone could start addressing the issue with some constructive dialogue or maybe a few pointers on where someone from outside the core dev team might start in getting this to work w/ OpenBSD's PF. This is one of the only downfalls of this project ... the holier-than-thou attitude from the core dev team. This is a GREAT product of many hours of arduous labor from ALL, dev team and project contributors alike ... but open-source also means open to suggestions and other lines of thinking. With that said .. where would someone start on getting multiple PPTP sessions working???

--
David L. Strout
Engineering Systems Plus, LLC
[pfSense Support] SNAPSHOT-07-23-2006 ?
I just did an update to RELENG_1_SNAPSHOT-07-23-2006, and the only thing that I see that isn't working are the rrd graphs. All I get is a little box that says traffic graphs; sometimes when I refresh the screen they show up, but most times when I go to that page initially the little box awaits me ... and sometimes even after a refresh they don't show. Any ideas/thoughts?

--
David L. Strout
Engineering Systems Plus, LLC
[pfSense Support] DHCP leases page errors ..
I get this warning when I look at the DHCP leases page. I have seen this behavior after rc1. I did several upgrades (snapshot releases) and am currently running: RELENG_1_SNAPSHOT-07-09-2006

And this is the error I get at the top of the page:

Warning: Invalid argument supplied for foreach() in /usr/local/www/diag_dhcp_leases.php on line 232

--
David L. Strout
Engineering Systems Plus, LLC
Re: Re: [pfSense Support] DHCP leases page errors ..
Is there a simple edit of the file I can do to make that fix myself?

--
David L. Strout
Engineering Systems Plus, LLC

- Original Message -
Subject: Re: [pfSense Support] DHCP leases page errors ..
From: [EMAIL PROTECTED]
To: support@pfsense.com
Date: 07-11-2006 1:32 pm

> On 7/11/06, David Strout [EMAIL PROTECTED] wrote:
>> I get this warning when I look at the DHCP leases page. I have seen this behavior after rc1. I did several upgrades (snapshot releases) and am currently running: RELENG_1_SNAPSHOT-07-09-2006
>>
>> And this is the error I get at the top of the page:
>>
>> Warning: Invalid argument supplied for foreach() in /usr/local/www/diag_dhcp_leases.php on line 232
>
> This should be fixed now. Thanks for the heads up.
>
> Scott
Re: Re: [pfSense Support] DHCP leases page errors ..
Sorry everyone ... I found the edit on CVS track. I jumped w/ the ? before I thought about the solution. Thanks again!!!

--
David L. Strout
Engineering Systems Plus, LLC

- Original Message -
Subject: Re: [pfSense Support] DHCP leases page errors ..
From: [EMAIL PROTECTED]
To: support@pfsense.com
Date: 07-11-2006 1:32 pm

> On 7/11/06, David Strout [EMAIL PROTECTED] wrote:
>> I get this warning when I look at the DHCP leases page. [...]
>
> This should be fixed now. Thanks for the heads up.
>
> Scott
[pfSense Support] ? on embedded ...
I noticed that there is a 07.03.2006 snapshot up on the site ... is there any way to do a firmware update on the embedded platform, or does it require a flash re-burn using the img file.

--
David L. Strout
Engineering Systems Plus, LLC
Re: RE: [pfSense Support] ? on embedded ...
I figured as much ... but wanted to know for sure ... thanks

--
David L. Strout
Engineering Systems Plus, LLC

- Original Message -
Subject: RE: [pfSense Support] ? on embedded ...
From: [EMAIL PROTECTED]
To: support@pfsense.com
Date: 07-05-2006 7:54 pm

> You need to reflash.
>
> -Original Message-
> From: David Strout [mailto:[EMAIL PROTECTED]
> Sent: Thursday, July 06, 2006 12:54 AM
> To: support@pfsense.com
> Subject: [pfSense Support] ? on embedded ...
>
>> I noticed that there is a 07.03.2006 snapshot up on the site ... is there any way to do a firmware update on the embedded platform, or does it require a flash re-burn using the img file. [...]
[pfSense Support] another ? on embedded ...
A question regarding pfS on embedded. I have a 512MB CF and the SYSTEM OVERVIEW always shows 91% disk usage, and if I ssh to the box and do a df -h it shows a couple of filesystems as full ... is this correct, a known issue, or am I burning the flash incorrectly? I use the command [physdiskwrite.exe -u pfsense.img] to write the image file to CF.

# df -h
Filesystem            Size  Used  Avail  Capacity  Mounted on
/dev/ufs/pfSense      57M   47M   4.8M   91%       /
devfs                 1.0K  1.0K  0B     100%      /dev
/dev/md0              19M   30K   18M    0%        /tmp
/dev/md1              19M   1.5M  16M    9%        /var
devfs                 1.0K  1.0K  0B     100%      /var/dhcpd/dev
/dev/md2              2.7M  586K  1.9M   23%       /var/db/rrd
/dev/ufs/pfSenseCfg   1.8M  27K   1.7M   2%        /cf

I can send a screen clip if anyone wants to see the SYSTEM OVERVIEW page ...

--
David L. Strout
Engineering Systems Plus, LLC
Re: RE: [pfSense Support] another ? on embedded ...
My only concern was/is for logging if I choose to save more than the default 50 logs (I realize that external syslog is the way to go here ... but).

--
David L. Strout
Engineering Systems Plus, LLC

- Original Message -
Subject: RE: [pfSense Support] another ? on embedded ...
From: [EMAIL PROTECTED]
To: support@pfsense.com
Date: 07-05-2006 9:07 pm

> nothing to worry about. the partition will always be 64 mb and as it is only used readonly and there is no package support either for the embeddeds this won't run full. there is still plenty of space there for the config.xml.
>
> Holger
>
> -Original Message-
> From: David Strout [mailto:[EMAIL PROTECTED]
> Sent: Thursday, July 06, 2006 2:06 AM
> To: support@pfsense.com
> Subject: [pfSense Support] another ? on embedded ...
>
>> A question regarding pfS on embedded. I have a 512MB CF and the SYSTEM OVERVIEW always shows 91% disk usage, and if I ssh to the box and do a df -h it shows a couple of filesystems as full ... [...]
[pfSense Support] BETA 3 ?
First of all KUDOS to all!! I just upgraded to BETA3, and everything seems to work well that I have had a chance to test: DHCP, PPTP, IPSec, Traffic Shaping, logging, rules, aliases, routing. GREAT JOB!

I have two questions ... are there any plans to integrate PPP (dial-up) support into pfS CARP for those of us who have a high speed connection and wish to back it up with a simple PPP dial-up account?

And secondly, I am not sure when this went away, but I think you used to be able to disable logging of a rule by clicking on the logging icon on the rules page. This might have been a feature of m0n0, but I thought in earlier releases of pfS you could just click the little blue icon (logging enabled) and have logging of that rule disabled wo/ actually editing the rule and unchecking the logging box.

And lastly, I noticed the addition of RRD graphs. These are a tremendous help in getting a visual view of the traffic and system performance. Is there any plan to incorporate a CPU graph into this set of graphs/page?

GREAT JOB EVERYONE

--
David L. Strout
Engineering Systems Plus, LLC
Re: [pfSense Support] BETA 3 ?
One other thing (maybe because I upgraded w/ tgz rather than doing a full/clean install), but I noticed that the firmware page has changed ... only option is to do a manual firmware upgrade ... did the auto upgrade feature go away .. or should I try a clean install from ISO?

--
David L. Strout
Engineering Systems Plus, LLC

- Original Message -
Subject: [pfSense Support] BETA 3 ?
From: [EMAIL PROTECTED]
To: support@pfsense.com
Date: 04-22-2006 7:51 am
[pfSense Support] SNAPSHOT_04-06-2006 ??'s
Everyone,

Some nice additions to this rel. .. KUDOS!! A question though on port redirecting ... Here is the setup:

-- pfSense boxes acting as a contractor GW w/ LAN, WAN, OPT1 (DMZ) and OPT2 (PROXY)
-- WAN is static (business DSL w/ 8 addresses) w/ global IP.
-- LAN is private 192.168.100.0/128
-- OPT1 is private 10.1.1.0/24
-- OPT2 is private 10.1.2.0/24
-- OPT2 has an IPcop proxy server sitting on that network w/ two interfaces. I will eventually put one interface into the ISP network and grab a static from my small pool, but I want to make sure that I can accomplish what I have conceived before doing so.

MY question: Is there a way to redirect all port 80/443 traffic coming in the LAN interface to the OPT2 interface to provide that all web traffic is monitored and accounted for? I would like to do this wo/ getting into the SSH shell and doing command line pf redirects. I was thinking and looking around at outbound NAT ... can I accomplish this with outbound NAT? If not, is there any way of getting this done in the GUI wo/ having to do it through the shell? Are there any plans for pf redirects in the GUI in the foreseeable future?

Thanks in advance ... !!

--
David L. Strout
Engineering Systems Plus, LLC
Re: [pfSense Support] SNAPSHOT_04-06-2006 ??'s
Thanks for the reply. Yes, I am trying to redirect all http(s) traffic (while not interrupting any other traffic) to the proxy server on the OPT2 network to either transparently proxy or possibly authenticate users for http(s) access. I would like it to be transparent so the users will get content screening and not have to actually login, but that is optional at this point, and out-of-scope for this question.

All users on the LAN network have a series of allowed ports, i.e. FTP, HTTP, POP3, SMTP, VPN, and IM. All I am looking to accomplish is provide some content control with the proxying and URL filtering of 80/443 traffic ... nothing more. I would like for ALL of the other allowed ports to flow through the pfSense GW as designed by filter rules. I just need http(s) / 80/443 to be redirected to the OPT2 network to be picked up by the proxy server.

Hope that helps to clarify for all ... Thanks in advance ...

--
David L. Strout
Engineering Systems Plus, LLC

- Original Message -
Subject: Re: [pfSense Support] SNAPSHOT_04-06-2006 ??'s
From: [EMAIL PROTECTED]
To: support@pfsense.com
Date: 04-07-2006 2:58 pm

I probably don't fully understand what you're trying to do, but try a Port Forward on the LAN interface and redirect all source to all dest port 80 to the proxy port on the IPCop. Ditto for HTTPS, although I'm not sure you can transparently proxy HTTPS.

--Bill

On 4/7/06, David Strout [EMAIL PROTECTED] wrote:
Re: [pfSense Support] Running out of states again
I have pfS configured on a high-end Compaq server, 4 proc w/ a 4 disk array and 12 network interfaces, and have it set up w/ 2 million states and never run into trouble on that specific server. I have several heavily populated networks connecting on different interfaces and a dual WAN setup with site-to-site tunnels to 20+ sites. You might also set your Firewall Optimization Options to aggressive, although if you have many long lasting connections like VPN tunnels, this may not be an optimal config option for you. I see (and hear of) no issues w/ the 7-8 thousand users that depend on this box every day. BTW I am running BETA1, and not the latest snapshot.

Regards,

--
David L. Strout
Engineering Systems Plus, LLC

- Original Message -
Subject: [pfSense Support] Running out of states again
From: [EMAIL PROTECTED]
To: support@pfsense.com
Date: 02-28-2006 7:12 am

Hello All,

I had a problem about a month or so ago with running out of states, and upped the state table size to 2 along with setting a few rules to modulate state. Yesterday I ran out of states again and decided to see if there was any way I could control this a bit better rather than just keep upping the table size. Reading through the PF documentation there are what look like controls for timeouts when the tables are getting full (adaptive.start and adaptive.end). Is there any way of setting these in pfSense? Or have I got it wrong?

Lawrence Farr
EPC Direct Limited
[pfSense Support] Mini-PCI Wireless Recommendations
Can anyone make a good recommendation for a supported Mini-PCI Wireless b/g card?

--
David L. Strout
Engineering Systems Plus, LLC
Re: RE: [pfSense Support] Mini-PCI Wireless Recommendations
Thanks for the info. That looks like a good card, but I am looking for a single antenna card (only b/g) for a specific application. BTW, does anyone know if the Intel 2200BG card is supported, and does Intel or the ath drivers support bridging on pfSense/m0n0?

--
David L. Strout
Engineering Systems Plus, LLC

- Original Message -
Subject: RE: [pfSense Support] Mini-PCI Wireless Recommendations
From: [EMAIL PROTECTED]
To: support@pfsense.com
Date: 02-26-2006 5:38 pm

I'm using Wistron CM9 (info can be found at http://pcengines.ch/cm9.htm ). They can do a/b/g and are Atheros based.

Holger

-----Original Message-----
From: David Strout [mailto:[EMAIL PROTECTED]
Sent: Sunday, February 26, 2006 11:36 PM
To: support@pfsense.com
Subject: [pfSense Support] Mini-PCI Wireless Recommendations
[pfSense Support] SNAP-2-20-06
Just upgraded to the latest SNAPSHOT (02-20-06) from BETA1 and a few things I notice are:

First, logging still IS NOT working; I now have no logs even if the show RAW logs option is checked. If I run the command

/usr/sbin/tcpdump -l -n -e -ttt -v -i pflog0

from an ssh session I get traffic but nothing showing in the system logs webConfigurator interface.

Second, I noticed that you can't disable/enable a rule's logging feature by clicking on the icon in the rules interface anymore (don't know how long this has been like this, but you used to be able to disable/enable logging in the rule screen).

And now a question ... is it possible to make the PPTP server page dynamic in its assigning of addresses? Just wondering how difficult it would be to make a drop down to select the number of PPTP addresses and have it assign the correct subnet mask based on the drop-down selection (and NO, it is most likely beyond my php/scripting capabilities ... that's why I am asking). Just thinking that it would be a welcome feature as I see lots of questions on the list(s) about custom builds for this very reason (need more PPTP clients / addresses).

Going to revert back to BETA1 so that the logging works ... I've experienced very little difficulty w/ the original BETA1 iso, and logging seems to work fine.

--
David L. Strout
Engineering Systems Plus, LLC
Re: [pfSense Support] SNAP-2-20-06
Just upgraded to the latest SNAPSHOT (02-20-06) from BETA1 and a few things I notice are: First, logging still IS NOT working; I now have no logs even if the show RAW logs option is checked. If I run the command /usr/sbin/tcpdump -l -n -e -ttt -v -i pflog0 from an ssh session I get traffic but nothing showing in the system logs webConfigurator interface.

I stand corrected ... logging is in fact now working, but the show raw log option shows NO logs. Sorry for mis-stating my findings.

--
David L. Strout
Engineering Systems Plus, LLC
[pfSense Support] ? about Ajax user rights ....
I may be jumping the gun a bit here, but wanted to ask about the user rights that I see depicted in the PIC images. BTW, I am still running BETA1 (pfSense-LiveCD-1.0BETA1.iso), so if this feature is in the current BTSnapShot then BAM please let me know. I have a real need for this at one site where we have a snoopy (windows) admin that thinks that the pfS VPN system is his personal play toy.

--
David L. Strout
Engineering Systems Plus, LLC
Re: [pfSense Support] firewall logs .... no show
The command:

/usr/sbin/tcpdump -l -n -e -ttt -i pflog0

gives logs like this:

000319 rule 35/0(match): block in on fxp1: 24.39.185.75.36838 > 24.39.185.78.1408: S 1674449733:1674449733(0) win 1024

You'll notice ... NO PROTOCOL INFO !!!

But, a command like this:

/usr/sbin/tcpdump -l -n -e -ttt -v -i pflog0

gives logs like this:

000242 rule 35/0(match): block in on fxp1: (tos 0x0, ttl 41, id 11077, offset 0, flags [none], proto: TCP (6), length: 40) 24.39.185.75.34774 > 24.39.185.78.80: S, cksum 0xaaa2 (correct), 1576235070:1576235070(0) win 3072

AND you'll notice ... HELLO, THE PROTOCOL INFO is there ready to be egrep'd out.

So my question is this, how do I modify the startup of this tcpdump procedure to add the [-v] to see if this actually helps in producing logs in the pfS app?

--
David L. Strout
Engineering Systems Plus, LLC!
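As an added example (not code from this thread, nor pfSense's own filter.inc), the following Python parser handles both tcpdump shapes quoted above; the sample lines are constructed from that quoted output, and the script makes the poster's point measurable: the protocol is only recoverable from the -v output, so any log formatter keyed on the protocol field silently drops every line produced without -v.

```python
import re
from typing import Iterable, Optional

# Constructed sample lines, modelled on the two tcpdump outputs quoted in the
# message above: the first from tcpdump without -v, the second with -v.
SAMPLE_PLAIN = (
    "000319 rule 35/0(match): block in on fxp1: "
    "24.39.185.75.36838 > 24.39.185.78.1408: S 1674449733:1674449733(0) win 1024"
)
SAMPLE_VERBOSE = (
    "000242 rule 35/0(match): block in on fxp1: (tos 0x0, ttl 41, id 11077, "
    "offset 0, flags [none], proto: TCP (6), length: 40) "
    "24.39.185.75.34774 > 24.39.185.78.80: S, cksum 0xaaa2 (correct), "
    "1576235070:1576235070(0) win 3072"
)

_IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Both shapes share: relative timestamp, "rule N/M(reason)", action, direction,
# interface, then "src.port > dst.port:".  Only the -v shape carries the
# parenthesised IP header in between, so that group is optional (lazy, so the
# "(6)" inside "proto: TCP (6)" does not end it early).
PFLOG_RE = re.compile(
    r"^(?P<ts>\d+) rule (?P<rule>\d+)/\d+\((?P<reason>[^)]+)\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?:\((?P<iphdr>.*?)\) )?"
    r"(?P<src>" + _IPV4 + r")(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>" + _IPV4 + r")(?:\.(?P<dport>\d+))?:"
)
# The protocol field lives inside the -v header only.
PROTO_RE = re.compile(r"proto: (?P<name>[A-Za-z0-9-]+) \((?P<num>\d+)\)")


def parse_pflog_line(line: str) -> Optional[dict]:
    """Parse one tcpdump-on-pflog0 line; return None if it is not a pflog record."""
    m = PFLOG_RE.match(line.strip())
    if m is None:
        return None
    rec = {
        "rule": int(m.group("rule")),
        "reason": m.group("reason"),
        "action": m.group("action"),
        "direction": m.group("dir"),
        "iface": m.group("iface"),
        "src": m.group("src"),
        "sport": int(m.group("sport")) if m.group("sport") else None,
        "dst": m.group("dst"),
        "dport": int(m.group("dport")) if m.group("dport") else None,
        "proto": None,      # stays None for lines produced without -v
        "proto_num": None,
    }
    hdr = m.group("iphdr")
    if hdr:
        pm = PROTO_RE.search(hdr)
        if pm:
            rec["proto"] = pm.group("name")
            rec["proto_num"] = int(pm.group("num"))
    return rec


def count_missing_protocol(lines: Iterable[str]) -> int:
    """How many parseable lines carry no protocol, i.e. would be dropped by a
    formatter that keys on the protocol field (the symptom in the thread)."""
    missing = 0
    for ln in lines:
        rec = parse_pflog_line(ln)
        if rec is not None and rec["proto"] is None:
            missing += 1
    return missing


if __name__ == "__main__":
    print(count_missing_protocol([SAMPLE_PLAIN, SAMPLE_VERBOSE]), "line(s) lack a protocol")
```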
Re: Re: Re: [pfSense Support] firewall logs .... no show
I beg your pardon ... I installed it from the pfsense.iso from http://www.pfsense.com/~sullrich/1.0-BETA1-TESTING-SNAPSHOT-2-2-06/

# uname -a
FreeBSD espfwvpn2.espmaine.net 6.0-STABLE FreeBSD 6.0-STABLE #0: Fri Feb 3 21:11:08 UTC 2006 [EMAIL PROTECTED]:/usr/obj.pfSense/usr/src/sys/pfSense.6 i386

Think someone should look at the ISOs ... might be nice to post md5s also and maybe check them against the ones you have running successfully prior to posting them.

--
David L. Strout
Engineering Systems Plus, LLC

- Original Message -
Subject: Re: Re: [pfSense Support] firewall logs no show
From: [EMAIL PROTECTED]
To: support@pfsense.com
Date: 02-05-2006 1:53 pm

Uhh, then you're not on a pfSense box?

On 2/5/06, David Strout [EMAIL PROTECTED] wrote:

[EMAIL PROTECTED]:~# find / -name filter.inc
[EMAIL PROTECTED]:~#
[EMAIL PROTECTED]:~# ls -al /etc/inc
/usr/bin/ls: /etc/inc: No such file or directory

--
David L. Strout
Engineering Systems Plus, LLC

- Original Message -
Subject: Re: [pfSense Support] firewall logs no show
From: [EMAIL PROTECTED]
To: support@pfsense.com
Date: 02-05-2006 1:48 pm

Looks like you may have solved this issue. -v seems to be forcing the protocol and then the regex can do its magic. Nice work.

On 2/5/06, Scott Ullrich [EMAIL PROTECTED] wrote:

Edit /etc/inc/filter.inc filter_pflog_start()

On 2/5/06, David Strout [EMAIL PROTECTED] wrote:
Re: Re: Re: Re: [pfSense Support] firewall logs .... no show
I figured that was the case with the md5s ... that makes perfect sense. I seem to have had some residual ext3 fs garbage on the old install ... funny how the system even booted at all ... can't explain that one. I have re-partitioned and re-formatted and re-installed the ISO and everything seems in the right place now. Sorry for the mis-report. I did just post a reply and finding on the logging though. The formatted logs are still AWOL, but the RAW logs now show up. Still diggin'

--
David L. Strout
Engineering Systems Plus, LLC

- Original Message -
Subject: Re: Re: Re: [pfSense Support] firewall logs no show
From: [EMAIL PROTECTED]
To: support@pfsense.com
Date: 02-05-2006 2:33 pm

David,

If /etc/inc/filter.inc didn't exist then NOTHING would work, I promise you. I have no idea what you have going on over there but all I can say is that /etc/inc/filter.inc does exist; look at CVSWEB and you will see that this is where the file lives. http://cvs.pfsense.com/cgi-bin/cvsweb.cgi/pfSense/etc/inc/

I generally post MD5s on the official beta builds, not on the snapshot builds.

On 2/5/06, David Strout [EMAIL PROTECTED] wrote: