Re: [pfSense Support] OPT1 and LAN cannot communicate

2010-06-13 Thread Gary Buckmaster
This won't be an issue if you're running 1.2.3-release, as the block 
RFC1918 option is only on the WAN interface. 


Adam Thompson wrote:

(Going from memory here...)
Check the Block RFC1918 addresses checkbox on the Interface configuration 
pages.  It should be set on WAN but not OPT1 or LAN.
-Adam Thompson athom...@athompso.net

Sent from my BlackBerry device on the Rogers Wireless Network

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org

  






Re: [pfSense Support] Web Browsing Access Problems

2010-06-03 Thread Gary Buckmaster

Joseph Rotan wrote:

Hi,
 
I'm currently using pfSense 1.2.3 and just recently I'm having 
problems accessing other websites; as for now I can only access the Google 
website. I thought the problem had to do with my PC, but when I access the 
Internet without going through pfSense I can access more than one 
Internet site.
 
Has anyone ever come across this problem, or any hint to solve this 
issue?
 
 
Thanks,
 
 
Joseph.
 
Try setting your MTU lower. 





Re: [pfSense Support] Attachments very slow to download from Hotmail

2010-06-01 Thread Gary Buckmaster

Paul Mansfield wrote:

On 01/06/10 11:29, Adam Egan wrote:
  

Hi all,

Odd problem.

Attachments take an AGE to download from Hotmail.

As far as I can tell it does not affect our POP3 mail or Google Mail.

I have pfSense 1.2.2 with squid running as a transparent proxy. No
fancy routing, just NAT.



MTU path discovery problem? are you blocking icmp?

  
pfSense 1.2.2 is very old and out of date.  Before anything else, 
upgrade.  Then look at this:


http://doc.pfsense.org/index.php/Squid_Package_Tuning





Re: [pfSense Support] Attachments very slow to download from Hotmail

2010-06-01 Thread Gary Buckmaster
No, but since literally thousands of bugs were fixed since 1.2.2, it's 
entirely possible that whatever was actually causing the problem was 
fixed. 


Adam Egan wrote:

Upgrading to 1.2.3 seemed to cure the problem...

I will do some more testing and let the list know..

Any reason 1.2.2 would have a problem with hotmail?

Adam

On 1 June 2010 13:54, Gary Buckmaster g...@s4f.com wrote:
  

Paul Mansfield wrote:


On 01/06/10 11:29, Adam Egan wrote:

  

Hi all,

Odd problem.

Attachments take an AGE to download from Hotmail.

As far as I can tell it does not affect our POP3 mail or Google Mail.

I have pfSense 1.2.2 with squid running as a transparent proxy. No
fancy routing, just NAT.



MTU path discovery problem? are you blocking icmp?


  

pfSense 1.2.2 is very old and out of date.  Before anything else, upgrade.
 Then look at this:

http://doc.pfsense.org/index.php/Squid_Package_Tuning








  






Re: [pfSense Support] How to apply rule on pfsense 1.2.3 to block pornography sites

2010-05-24 Thread Gary Buckmaster
CIPA does not, in fact, require content level inspection.  This is 
something that the vendors of CIPA compliant filters use in their 
marketing, but it simply isn't true.  CIPA requires a best-effort 
attempt to filter children's access to harmful material and the 
ability for teachers to override the block in the case of overblocking. 


Richard Sperry wrote:

Schools in the USA require CIPA level of protection. I know DansGuardian does 
support that and maybe SquidGuard.  Rules would not support that level and 
OpenDNS does not either (DNS can be changed with a hosts file; CIPA requires 
content level inspection.)

-Original Message-
From: Chris Buechler [mailto:cbuech...@gmail.com] 
Sent: Sunday, May 23, 2010 6:39 PM

To: support@pfsense.com
Subject: Re: [pfSense Support] How to apply rule on pfsense 1.2.3 to block 
pornography sites

On Sun, May 23, 2010 at 8:08 PM, Joseph Rotan joseph.ro...@gmail.com wrote:
  

Hi,

I'm setting up a firewall for a high school but the school management 
requested that students should not be able to access pornography sites. 
Currently I have enabled an any-any rule on the WAN and LAN interfaces of 
my box.


Can anyone help me out on how to apply a rule that will 
block students from accessing pornography sites?





That's impossible to do with rules, rules can either allow web access or block 
it, not allow it dependent on content. You need content filtering of some sort, 
OpenDNS's free service is what many users use.




  






Re: [pfSense Support] Multiwan and DNS forwarder

2010-05-21 Thread Gary Buckmaster

Chris Buechler wrote:

On Fri, May 21, 2010 at 4:53 PM, Ryan radiote...@aaremail.com wrote:
  


-Original Message-
From: Gary Buckmaster [mailto:g...@s4f.com]
Sent: Friday, May 21, 2010 3:24 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Multiwan and DNS forwarder

Actually, the easier way to do this is to use policy routes.
Create aliases called ISP1DNS and ISP2DNS and put the
appropriate DNS server IPs in those two aliases.  Then create
firewall rules on your LAN
interface(s) above any load balancing rules which will match
DNS traffic to the appropriate DNS servers and select the
appropriate gateway.

  

I would think your approach would work if the end computer was requesting
dns from the real dns server, not using dns forwarding.  I think the DNS
request does not originate from the Lan, but from the router itself.  I may
be wrong in this though.




Yeah, that is correct, if you're using the DNS forwarder you must use
static routes.

  
Yeah, I missed that requirement on the first read-through.  Didn't mean 
to give you a bum steer. 





Re: [pfSense Support] VPN question

2010-05-20 Thread Gary Buckmaster
If I understand your scenario, you're wanting to send all Internet bound 
traffic from your office LAN connection across a VPN tunnel and egress 
your network at the colocation facility?  This can be accomplished quite 
easily with OpenVPN (maybe with IPSEC, but I've personally done it with 
OpenVPN) by using the OpenVPN tunnel as your default route.  It should 
be noted that this may impact performance in a noticeable way, depending 
on how much data traffic you send across the tunnel. 


Chris Flugstad wrote:

So I have a scenario I'd like to run by you all.

I have a location with a DSL connection.  pfSense router there.  I 
want to VPN that connection back to my colo so I can use my public 
IPs on the pfSense router at the location with the DSL connection.


Would I set up pfSense in my colo with public IPs on my LAN, then 
set up VPN (OpenVPN perhaps) on both boxes, and then DHCP out the public 
IPs from the colo'd pfSense box on the remote box?


Does this make sense?
-topher








Re: [pfSense Support] VPN question

2010-05-20 Thread Gary Buckmaster
Your restriction is going to be the DSL line speed. 

I'm afraid I don't have a generic config for this off the top of my 
head, but it should be a very standard point-to-point OpenVPN tunnel 
other than the difference in the remote network being your default route 
(0.0.0.0/0.0.0.0).  It's been a bit since I've done this setup, but I 
remember it being pretty straightforward. 



Chris Flugstad wrote:
I have gig-E on one end.  The bottleneck I'm sure will be the office 
end.  However, I get faster download speeds from my colo to the office 
than I do from other Internet sites.  Maybe this will improve my speeds?


Do you have a config for this, so I can test it out?  I have a VMware 
pfSense box I just installed and am gonna set up a client side now.


much appreciated.
topher

On 5/20/2010 6:11 PM, Gary Buckmaster wrote:
If I understand your scenario, you're wanting to send all Internet 
bound traffic from your office LAN connection across a VPN tunnel and 
egress your network at the colocation facility?  This can be 
accomplished quite easily with OpenVPN (maybe with IPSEC, but I've 
personally done it with OpenVPN) by using the OpenVPN tunnel as your 
default route.  It should be noted that this may impact performance 
in a noticeable way, depending on how much data traffic you send 
across the tunnel.

Chris Flugstad wrote:

So I have a scenario I'd like to run by you all.

I have a location with a DSL connection.  pfSense router there.  I 
want to VPN that connection back to my colo so I can use my public 
IPs on the pfSense router at the location with the DSL connection.


Would I set up pfSense in my colo with public IPs on my LAN, then 
set up VPN (OpenVPN perhaps) on both boxes, and then DHCP out the 
public IPs from the colo'd pfSense box on the remote box?


Does this make sense?
-topher















Re: [pfSense Support] XBOX live not working with public IPS on MY LAN

2010-05-11 Thread Gary Buckmaster
I'm using an XBox behind a very straightforward pfSense install without 
any difficulty.  You shouldn't need any special contortions to make it 
work except NATing the ports XBox Live wants (it works without them but 
it complains).  UPnP should also Just Work if you enable that. 


Chris Flugstad wrote:
So I have a pfSense router in a building DHCP'ing pub IPs on the 
LAN.  I have a user that can connect his Xbox 360 online to Xbox Live 
but cannot connect to other players or join parties.  He has tried 
plugging his Xbox in directly, bypassing his router and giving his Xbox a 
pub IP.  This does not work.  I wonder if something would need to be 
set in pfSense to allow this to work?


Again, I have public ip's on the inside of my network so i do not have 
NAT for any of you who are going to respond with responses that would 
point me into doing fw changes for NAT


below is a dump of my config.

Sincerely,
Topher



<?xml version="1.0"?>
<pfsense>
<version>3.0</version>
<lastchange/>
<theme>nervecenter</theme>
<system>
<optimization>normal</optimization>
<hostname> </hostname>
<domain> .net</domain>
<username> </username>
<password>$.</password>
<timezone>Etc/GMT-8</timezone>
<time-update-interval/>
<timeservers>0.pfsense.pool.ntp.org</timeservers>
<webgui>
<protocol>https</protocol>
<port/>
<certificate/>
<private-key/>
</webgui>
<disablenatreflection>yes</disablenatreflection>
<ssh>
<authorizedkeys/>
<port/>
</ssh>
<enablesshd>yes</enablesshd>
<maximumstates/>
<shapertype/>
<dnsserver>207.66.128.8</dnsserver>
<dnsserver>207.66.60.8</dnsserver>
<dnsallowoverride/>
</system>
<interfaces>
<lan>
<if>bge0</if>
<ipaddr>216.127.63.65</ipaddr>
<subnet>26</subnet>
<media/>
<mediaopt/>
<bandwidth>100</bandwidth>
<bandwidthtype>Mb</bandwidthtype>
<bridge/>
</lan>
<wan>
<if>bge1</if>
<mtu/>
<media/>
<mediaopt/>
<bandwidth>100</bandwidth>
<bandwidthtype>Mb</bandwidthtype>
<spoofmac/>
<ipaddr>216.127.32.44</ipaddr>
<subnet>29</subnet>
<gateway>216.127.32.41</gateway>
</wan>
</interfaces>
<staticroutes/>
<pppoe>
<username/>
<password/>
<provider/>
</pppoe>
<pptp>
<username/>
<password/>
<local/>
<subnet/>
<remote/>
</pptp>
<bigpond/>
<dyndns>
<type>dyndns</type>
<username/>
<password/>
<host/>
<mx/>
</dyndns>
<dhcpd>
<lan>
<enable/>
<range>
<from>216.127.63.66</from>
<to>216.127.63.126</to>
</range>
<defaultleasetime/>
<maxleasetime/>
<netmask/>
<failover_peerip/>
<gateway>216.127.63.65</gateway>
<ddnsdomain/>
<next-server/>
<filename/>
<staticmap>
<mac>00:21:91:15:90:24</mac>
<ipaddr>216.127.63.80</ipaddr>
<hostname>WBR-1310</hostname>
<descr/>
</staticmap>
</lan>
</dhcpd>
<pptpd>
<mode/>
<redir/>
<localip/>
<remoteip/>
</pptpd>
<ovpn/>
<dnsmasq>
<enable/>
</dnsmasq>
<snmpd>
<syslocation/>
<syscontact/>
<rocommunity>public</rocommunity>
</snmpd>
<diag>
<ipv6nat/>
</diag>
<bridge/>
<syslog/>
<nat>
<ipsecpassthru/>
<advancedoutbound>
<enable/>
</advancedoutbound>
</nat>
<filter>
<rule>
<type>block</type>
<interface>wan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os></os>
<source>
<address>216.127.63.80</address>
</source>
<destination>
<any/>
</destination>
<descr/>
</rule>
<rule>
<type>pass</type>
<interface>wan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<source>
<any/>
</source>
<destination>
<any/>
</destination>
<descr/>
</rule>
<rule>
<type>reject</type>
<interface>lan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<source>
<address>216.127.63.80</address>
</source>
<destination>
<any/>
</destination>
<descr>block misch ip</descr>
</rule>
<rule>
<type>block</type>
<interface>lan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<source>
<address>216.127.63.116</address>
</source>
<destination>
<any/>
</destination>
<disabled/>
<descr>block misch ip</descr>
</rule>
<rule>
<type>block</type>
<interface>lan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<source>
<address>216.127.63.100</address>
</source>
<destination>
<any/>
</destination>
<descr/>
<disabled/>
</rule>
<rule>
<type>pass</type>
<interface>lan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<source>
<network>lan</network>
</source>
<destination>
<any/>
</destination>
<descr>Default LAN -&gt; any</descr>
</rule>
</filter>
<ipsec>
<preferredoldsa/>
</ipsec>
<aliases>
<alias>
<name>mischeif</name>
<address>216.127.63.80</address>
<descr>bad peoplos</descr>
<type>host</type>
<detail>Entry added Mon, 18 Jan 2010 16:57:58 +0800||</detail>
</alias>
</aliases>
<proxyarp/>
<cron>
<item>
<minute>0</minute>
<hour>*</hour>
<mday>*</mday>
<month>*</month>
<wday>*</wday>
<who>root</who>
<command>/usr/bin/nice -n20 newsyslog</command>
</item>
<item>
<minute>1,31</minute>
<hour>0-5</hour>
<mday>*</mday>
<month>*</month>
<wday>*</wday>
<who>root</who>
<command>/usr/bin/nice -n20 adjkerntz -a</command>
</item>
<item>
<minute>1</minute>
<hour>3</hour>
<mday>1</mday>
<month>*</month>
<wday>*</wday>
<who>root</who>
<command>/usr/bin/nice -n20 /etc/rc.update_bogons.sh</command>
</item>
<item>
<minute>*/60</minute>
<hour>*</hour>
<mday>*</mday>
<month>*</month>
<wday>*</wday>
<who>root</who>
<command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 sshlockout</command>
</item>
<item>
<minute>1</minute>
<hour>1</hour>
<mday>*</mday>
<month>*</month>
<wday>*</wday>
<who>root</who>
<command>/usr/bin/nice -n20 /etc/rc.dyndns.update</command>
</item>
<item>
<minute>*/60</minute>
<hour>*</hour>
<mday>*</mday>
<month>*</month>
<wday>*</wday>
<who>root</who>
<command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 

Re: [pfSense Support] XBOX live not working with public IPS on MY LAN

2010-05-11 Thread Gary Buckmaster
My point wasn't that you need NAT, I got the part where you said you 
weren't NATing.  The point is that no special configurations are needed 
to make XBox live work with pfSense and yes, UPnP is simply to 
automagically set up NATs as needed. 


Chris Flugstad wrote:
I totally knew I'd get a response in regards to NATing ;)  I am not 
using NAT.  I have public ip's on the inside of this network so there 
is no NATING.  UPNP would only be used for NAT  correct?
I myself tend to skim posts on here, so I totally understand Gary, and 
thanks for the quick response.  Hopefully someone else has a response 
that will help though.


-topher

On 5/11/2010 5:23 PM, Gary Buckmaster wrote:
I'm using an XBox behind a very straightforward pfSense install 
without any difficulty.  You shouldn't need any special contortions 
to make it work except NATing the ports XBox Live wants (it works 
without them but it complains).  UPnP should also Just Work if you 
enable that.

Chris Flugstad wrote:
So I have a pfSense router in a building DHCP'ing pub IPs on the 
LAN.  I have a user that can connect his Xbox 360 online to Xbox 
Live but cannot connect to other players or join parties.  He has 
tried plugging his Xbox in directly, bypassing his router and giving his 
Xbox a pub IP.  This does not work.  I wonder if something would 
need to be set in pfSense to allow this to work?


Again, I have public ip's on the inside of my network so i do not 
have NAT for any of you who are going to respond with responses that 
would point me into doing fw changes for NAT


below is a dump of my config.

Sincerely,
Topher




[pfSense Support] Reboot request

2010-04-30 Thread Gary Buckmaster
When you have a moment, would you power cycle the 1u device in our rack 
labeled tyr.fp.s4f.com?  Thank you.





Re: [pfSense Support] Reboot request

2010-04-30 Thread Gary Buckmaster

Jostein Elvaker Haande wrote:

On 30 April 2010 17:45, Gary Buckmaster g...@s4f.com wrote:
  

When you have a moment, would you power cycle the 1u device in our rack
labeled tyr.fp.s4f.com?  Thank you.



Sure thing, I just have to book myself a plane ticket first. :)

  
Thanks for your help!  Sorry guys, obviously a misfire. 





Re: [pfSense Support] help -- policy routing problem

2010-03-18 Thread Gary Buckmaster
This will not work.  Both gateways are the same, which is how routing is 
being done.  Setting up another NAT device in front of one of the WAN 
interfaces is a kludgy workaround.  Otherwise, I'm afraid you're out of 
luck. 


Curtis LaMasters wrote:

On Thu, Mar 18, 2010 at 3:04 PM, mayak-cq ma...@australsat.com wrote:
  

hi all,

i've got a serious policy routing problem that i cannot seem to
overcome.

the pfsense box has three interfaces: two are wan ports and one is lan
-- both wan ports share the same physical media and use the same
gateway. they each have a different ip address.

i need to route outbound mail traffic out of one specific interface and
voip out the other (among other requirements).

since the gateway's are the same, and because i cannot specify the
interface but only the next router, pfsense seems to choose the
first/lowest interface to send mail.

is there a way around this?

thanks

m



I have not tested this but an advanced outbound NAT setup where you
specify either the source or destination port and NAT address could
work.

Curtis LaMasters
http://www.curtis-lamasters.com
http://www.builtnetworks.com


  






Re: [pfSense Support] Squid + Content filtering

2010-03-02 Thread Gary Buckmaster
If you are wanting to integrate with AD, you will not want to use the 
pfSense package.  You would be better served setting up squid and DG on 
a separate box and using a GPO to enforce proxy settings on your LAN 
clients.  You can then further enforce your site policy by only allowing 
web traffic to leave your network from the squid box using firewall 
rules in pfSense. 


JASON JAMES wrote:

I know this has been asked several times and I have searched but came up
with no solid answers. We're running PFsense as our FW + Squid as a web
cache for a fairly large school district. We're migrating away from our
paid content filtering solution and are looking at Dans guardian. I
realize that there is no package for DG and probably will never be. What
we would like to do is run SQUID on one box and DG by itself on another.
Is this possible? We've purchased the PFSense handbook which is great btw
(thanks). There obviously isn't much information on this subject in it
however so we would greatly appreciate any information that anyone
currently has. 



Summary:

PFSense acting as Firewall + Web cache
Separate server running DansGuardian for content filtering.

Squidguard is not really an option for us because there is no current way
to setup bypass accounts for specific users or integrate with AD. 






  






Re: [pfSense Support] OT: physical interface v vlan

2010-02-15 Thread Gary Buckmaster

David Burgess wrote:

I would like to know if somebody can tell me an advantage, other than
raw throughput, of a router with multiple interfaces when compared
with a router using few physical interfaces but vlans in their place.
I cannot come up with one.

db

  
Physical segregation of network segments with differing security 
policies would be another.  Admittedly, this is a philosophical 
difference, but I typically don't keep network segments that have 
different security stances on the same hardware if I can help it.  
Multiple LAN segments can certainly share the same physical hardware and 
just be segmented by VLANs, but I would shy away from having a LAN 
segment and a DMZ segment on the same switch and sharing the same NIC on 
the router/firewall. 





Re: [pfSense Support] embedded devices

2010-02-13 Thread Gary Buckmaster

Markus Winkler wrote:

Hi,

I'm new here and would like to ask you something about the use of
pfSense on embedded devices, especially on PC Engines WRAP/ALIX boards.

In the wiki I read that there are a) some functional limitations and b)
a special handling of booting necessary when using WRAP boards (which I
used a long time together with m0n0wall and still have some unused ones).

My question: will I have the same problems when using the newer ALIX
boards, or does this platform work without the WRAP limitations? If
running on ALIX is possible without these issues then I would rather buy
new boards than use the old WRAPs.

Thanks and kind regards,
Markus


  
The limitations you're referring to are exclusive to the WRAP.  
PCEngines ended support for the device and so they haven't released a 
firmware to support packetmode, which is necessary for the newer 
versions of pfSense.  It can be overcome, but there are distinct 
limitations to using a WRAP with newer versions of pfSense.  Your ALIX 
boards will work just fine with the newer versions of pfSense.  I have 
several of them and they work perfectly. 





Re: [pfSense Support] IPSec on 1.2-embedded

2010-02-10 Thread Gary Buckmaster

Vick Khera wrote:

On Tue, Feb 9, 2010 at 11:19 AM, Gary Buckmaster g...@s4f.com wrote:
  

 Using 1.2.3 and setting a low DPD value should help this issue, but keep in
mind that it will still be dead until the DPD value has been reached.



What is this called on the GUI? I don't see anything obvious in the
tunnel configuration page.


  
The field you're looking for is DPD Interval. 





Re: [pfSense Support] IPSec on 1.2-embedded

2010-02-09 Thread Gary Buckmaster

Evgeny Yurchenko wrote:

Hello.
There is Soekris with 1.2-RELEASE-embedded on CF. It has an IPSec 
tunnel to 1.2.3 carp-cluster. When carp-switchover occurs on the 
cluster the tunnel remains active but dead (active to former active 
node).

1. Will upgrade to pfSense-nano solve this problem?
2. Is it possible to do this upgrade remotely?
Thanks.

Evgeny.


It's not possible to upgrade remotely.  You will need to reflash the CF 
card.  Using 1.2.3 and setting a low DPD value should help this issue, 
but keep in mind that it will still be dead until the DPD value has been 
reached. 





Re: [pfSense Support] Noob Multiple Public IP Question

2010-01-28 Thread Gary Buckmaster
The WAN IP should be set using the correct netmask.  You should also 
consider using CARP type virtual IP addresses, even if you're not doing 
a CARP cluster.  CARP virtual IPs will respond to ping whereas proxyARP 
will not.  Beyond that, the process for a 1:1 NAT is very simple.  
Whatever you're missing, it's likely to be something small and innocuous. 


Adam Van Ornum wrote:


 Date: Wed, 27 Jan 2010 21:19:17 -0600
 From: g...@s4f.com
 To: support@pfsense.com
 Subject: Re: [pfSense Support] Noob Multiple Public IP Question

 Assuming Comcast gave you a contiguous netblock, your netblock would be
 *.*.0.192-207 (192 being the network address and 207 being the
 broadcast) leaving 193-206 as usable IP addresses. *.*.0.175 isn't in
 that net block and so it's not likely that it's available for you to use.

 Adam Van Ornum wrote:
  Ok, I am pretty inexperienced with IP addressing, particularly when it
  comes to configuring firewalls with multiple public IPs, but at my
  small business I'm the most experienced with IT stuff in general so I
  get to be the one who deals with all this stuff. We have Comcast as
  our internet provider with a range of public IPs of which we are
  currently only using one. I'd like to be able to use another public
  IP in order to expose more services, such as a separate mail or web
  server.
 
  Comcast provided public IPs: *.*.0.206/28
  Current WAN IP: *.*.0.193/28
  Current WAN Gateway: *.*.0.206
 
  This was setup with a different firewall (a crappy consumer box)
  before I got here, so after I started I switched over to pfSense and
  just used the settings that were in the old box. Currently,
  everything is working fine with this setup but now I am trying to set
  things up so I can use another public IP (ie *.*.0.175) to expose
  different web and mail services hosted on a different internal server
  and I can't get it to work.
 
  What I have tried is to add a virtual IP (I've tried both Proxy ARP
  and Other) with the following settings:
 
  Interface: WAN
  IP Address: *.*.0.175/32
 
  And I then setup 1:1 NAT mapping *.*.0.175/32 to 192.168.100.10.
  Lastly, I create a firewall rule on the WAN interface to allow port 80
  where the destination is 192.168.100.10.
 
  However, this does not seem to work...what am I missing?
 

Thanks for pointing that out...that was actually just a mistake in my 
email...I meant *.*.0.195.  I'm not really that much of a noob.  :) 
Apparently I had 175 stuck in my head for some reason...I'll double 
check the config when I get back to work tomorrow but I'm pretty sure 
I had it right (195) there.


Are there any other issues that jump out?  Should the WAN IP be set to 
/28 or should it be set to something else like /32?  Just to see what 
would happen I tried setting it to /32 and then our Internet access 
went completely down.







Re: [pfSense Support] Noob Multiple Public IP Question

2010-01-27 Thread Gary Buckmaster
Assuming Comcast gave you a contiguous netblock, your netblock would be 
*.*.0.192-207 (192 being the network address and 207 being the 
broadcast) leaving 193-206 as usable IP addresses.  *.*.0.175 isn't in 
that net block and so it's not likely that it's available for you to use. 


Adam Van Ornum wrote:
Ok, I am pretty inexperienced with IP addressing, particularly when it 
comes to configuring firewalls with multiple public IPs, but at my 
small business I'm the most experienced with IT stuff in general so I 
get to be the one who deals with all this stuff.  We have Comcast as 
our internet provider with a range of public IPs of which we are 
currently only using one.  I'd like to be able to use another public 
IP in order to expose more services, such as a separate mail or web 
server.


Comcast provided public IPs: *.*.0.206/28
Current WAN IP: *.*.0.193/28
Current WAN Gateway: *.*.0.206

This was setup with a different firewall (a crappy consumer box) 
before I got here, so after I started I switched over to pfSense and 
just used the settings that were in the old box.  Currently, 
everything is working fine with this setup but now I am trying to set 
things up so I can use another public IP (ie *.*.0.175) to expose 
different web and mail services hosted on a different internal server 
and I can't get it to work.


What I have tried is to add a virtual IP (I've tried both Proxy ARP 
and Other) with the following settings:


Interface: WAN
IP Address: *.*.0.175/32

And I then setup 1:1 NAT mapping *.*.0.175/32 to 192.168.100.10.
Lastly, I create a firewall rule on the WAN interface to allow port 80 
where the destination is 192.168.100.10.


However, this does not seem to work...what am I missing?



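The subnet arithmetic Gary walks through in both replies above (a /28 gives a 16-address block, the first and last are network and broadcast, and a virtual IP has to fall inside it) is easy to get wrong by hand. The following is an added example, not code from the thread or from pfSense, that does the same checks with Python's standard ipaddress module. The 203.0.113.0/24 prefix is a constructed stand-in for the masked *.*.0.x addresses in the posts, and the last two checks show why a /32 on the WAN interface (as the poster tried) leaves the gateway unreachable.

```python
import ipaddress

# Constructed sample values standing in for the masked *.*.0.x addresses in
# the thread; 203.0.113.0/24 is a documentation prefix, not a real assignment.
WAN_INTERFACE = "203.0.113.193/28"   # "Current WAN IP", as posted
WAN_GATEWAY = "203.0.113.206"        # "Current WAN Gateway", as posted
VIP_TYPO = "203.0.113.175"           # the address in the first post
VIP_INTENDED = "203.0.113.195"       # the address the poster meant


def block_summary(interface_cidr):
    """Return (network, broadcast, first usable, last usable, usable count)."""
    net = ipaddress.ip_interface(interface_cidr).network
    hosts = list(net.hosts())          # every address except network/broadcast
    return (str(net.network_address), str(net.broadcast_address),
            str(hosts[0]), str(hosts[-1]), len(hosts))


def vip_is_usable(vip, interface_cidr, gateway):
    """Check whether a candidate virtual IP can live on this WAN segment.

    Returns (ok, reason).  A VIP must be inside the interface's network, must
    not be the network or broadcast address, and must not collide with the
    interface address or the upstream gateway.
    """
    iface = ipaddress.ip_interface(interface_cidr)
    net = iface.network
    addr = ipaddress.ip_address(vip)
    if addr not in net:
        return False, f"{vip} is outside {net}"
    if addr in (net.network_address, net.broadcast_address):
        return False, f"{vip} is the network or broadcast address of {net}"
    if addr == iface.ip:
        return False, f"{vip} is the WAN interface address itself"
    if addr == ipaddress.ip_address(gateway):
        return False, f"{vip} is the upstream gateway"
    return True, f"{vip} is a free host address inside {net}"


def gateway_on_link(interface_cidr, gateway):
    """True when the gateway is directly reachable through the interface's
    subnet; with a /32 the subnet contains only the interface itself."""
    iface = ipaddress.ip_interface(interface_cidr)
    return ipaddress.ip_address(gateway) in iface.network


if __name__ == "__main__":
    print(block_summary(WAN_INTERFACE))
    for vip in (VIP_TYPO, VIP_INTENDED):
        print(vip_is_usable(vip, WAN_INTERFACE, WAN_GATEWAY))
    print("gateway reachable with /28:", gateway_on_link(WAN_INTERFACE, WAN_GATEWAY))
    print("gateway reachable with /32:", gateway_on_link("203.0.113.193/32", WAN_GATEWAY))
```

Running it prints the .192/.207 boundaries with 14 usable hosts, rejects .175 as outside the block, accepts .195, and shows the gateway is only on-link with the /28 mask.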


Re: [pfSense Support] Squid Stopping

2010-01-21 Thread Gary Buckmaster
Before anything else, I would suggest upgrading to the most current 
release. 1.2.3 has been out and stable for a long time.


Rafael Cristian wrote:


HI guys,

I'm having problems with pfSense version 1.2.2 at one of my 
clients. It has, more or less, pfSense with squid 2.7.8.1 installed, with 
squidguard 1.3.2, and load balancing of 2 ADSL links. Two days ago the 
pfSense hung and, when it came back up, it had lost all of its 
settings. I did the restore from a backup, but as there was no backup 
of the load balance settings I had to redo them. I redid them a little 
differently: I left one ADSL link on PPPoE and the other ADSL link behind 
the router. OK, but the problem is that from time to time my users complain 
that the internet connection drops, and after about 2 minutes it 
returns. What I could identify is that the squid and squidguard services 
are stopping.


Is there some problem in pfSense with load balancing when one link is 
on PPPoE and the other is connected to a router?


Has anyone had this problem, or can anyone guide me on what I can do?

[]’s

Rafael Ávila







Re: [pfSense Support] Web filtering with Squid/Squidguard and AD Groups

2010-01-20 Thread Gary Buckmaster
It's possible to do with Squid and SquidGuard, and while some of the 
widgets exist in the package GUI, I don't think they actually do anything. 


Curtis LaMasters wrote:

Is there a way that I am just not seeing to authenticate users based
on their AD group (Users, Admins, Executives, etc) with Squid or
Squidguard?  I would need to apply different policies to each group.

Curtis LaMasters
http://www.curtis-lamasters.com
http://www.builtnetworks.com




Re: [pfSense Support] Web filtering with Squid/Squidguard and AD Groups

2010-01-20 Thread Gary Buckmaster
Actually, most of the heavy lifting will need to be done with squid's 
AD authenticator. There are a number of howtos for doing this online, 
but I'm afraid I don't have one handy right now.  Get squid 
authenticating to your AD system, then you simply need to configure 
squidguard to filter based on those groups. 

In a hypothetical example, if you have AD groups for Students, Teachers, 
Administrators and IT staff, you would want to ensure that everyone is 
contacting squid on the authenticated port, not being transparently 
proxied through squid.  The browser would then send the AD credentials 
to squid upon connection and squid would confirm the credentials against 
your AD server.  Then all HTTP requests would be passed to squidguard as 
coming from someone within say the Students group and would be filtered 
according to your squidGuard ACLs for that group. 

Disclaimer: All of this works with off-the-shelf squid+squidguard, I do 
not know how much of this can be done specifically with the 
squid+squidguard package in pfSense.  Most of the GUI stuff is there, 
but I don't know how much of the underlying code is there or works.  
This would be an excellent bounty project for some people to embark upon 
since URL filtering seems to be something that everyone and their second 
cousin wants to see in the pfSense squid package. 


-Gary

Curtis LaMasters wrote:

Do you happen to have a config that I can look at to do this or should
I start looking at Squidguard's page?

Curtis LaMasters
http://www.curtis-lamasters.com
http://www.builtnetworks.com



On Wed, Jan 20, 2010 at 11:08 AM, Gary Buckmaster g...@s4f.com wrote:
  

It's possible to do with Squid and SquidGuard, and while some of the widgets
exist in the package GUI, I don't think they actually do anything.
Curtis LaMasters wrote:


Is there a way that I am just not seeing to authenticate users based
on their AD group (Users, Admins, Executives, etc) with Squid or
Squidguard?  I would need to apply different policies to each group.

Curtis LaMasters
http://www.curtis-lamasters.com
http://www.builtnetworks.com


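The setup Gary sketches above (browsers talk to an authenticated proxy port rather than being transparently intercepted, squid verifies the credentials against the directory, and squidGuard then applies a different ACL per directory group) looks roughly like the following. This is an added configuration example, not the pfSense package's code and not something from the thread; it is written for off-the-shelf squid 2.x with the squid_ldap_auth helper that Diego's later post also uses, and it assumes a squidGuard built with LDAP support. Host names, DNs, group names, blacklist paths, the bind password and the block page URL are placeholders for your environment.

```conf
# --- squid.conf: authenticated proxy port, no transparent interception ---
http_port 3128

# Every client must authenticate; the helper binds to the directory with a
# low-privilege service account and looks the user up by login name.
auth_param basic program /usr/local/libexec/squid/squid_ldap_auth -v 3 -b "dc=example,dc=com" -D "cn=proxy-svc,ou=service,dc=example,dc=com" -w "CHANGEME" -f "(sAMAccountName=%s)" dc1.example.com
auth_param basic children 5
auth_param basic realm Proxy login
auth_param basic credentialsttl 1 hour

acl localnet src 192.168.100.0/24
acl auth_users proxy_auth REQUIRED
http_access allow localnet auth_users
http_access deny all

# Hand each request, together with the authenticated user name, to squidGuard.
url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/etc/squidGuard/squidGuard.conf
url_rewrite_children 5

# --- squidGuard.conf: one policy per directory group ---
dbhome /usr/local/share/squidGuard/db
logdir /var/log/squidGuard

# Same service account as above; used only for group-membership lookups.
ldapbinddn cn=proxy-svc,ou=service,dc=example,dc=com
ldapbindpass CHANGEME
ldapcachetime 300

# Source groups are resolved from the user name squid passes along, by asking
# the directory whether that account is a member of the given group.
src students {
    ldapusersearch ldap://dc1.example.com/dc=example,dc=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=cn=Students,ou=Groups,dc=example,dc=com))
}
src teachers {
    ldapusersearch ldap://dc1.example.com/dc=example,dc=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=cn=Teachers,ou=Groups,dc=example,dc=com))
}

dest porn {
    domainlist porn/domains
    urllist    porn/urls
}
dest social {
    domainlist socialnet/domains
}

acl {
    students {
        pass !porn !social all
        redirect http://proxy.example.com/blocked.html
    }
    teachers {
        pass !porn all
        redirect http://proxy.example.com/blocked.html
    }
    default {
        # Anyone not matched above (unknown account, no group) gets nothing.
        pass none
        redirect http://proxy.example.com/blocked.html
    }
}
```

Two design points worth keeping even if the details change: the `default` ACL is deny-all, so a user whose group lookup fails is blocked rather than silently unfiltered, and the same low-privilege bind account is used by both squid and squidGuard so the password lives in two root-only files and nowhere else. Transparent mode defeats all of this because the browser never sends credentials, which is the reason Gary insists on the authenticated port.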


Re: [pfSense Support] Re: Less bandwidth available behind the firewall

2010-01-13 Thread Gary Buckmaster

Klaus Lichtenwalder wrote:

On Wednesday, 13.01.2010, at 11:14 -0500, Ugo Bellavance wrote:
[...]
  

## Linux box

net.ipv4.tcp_tso_win_divisor = 3
net.ipv4.tcp_adv_win_scale = 2
net.ipv4.tcp_app_win = 31
net.ipv4.tcp_window_scaling = 1

net.core.rmem_default = 107520
net.core.wmem_default = 107520
net.core.rmem_max = 131071
net.core.wmem_max = 131071



[...]

Sorry, I'm not a BSD guy, but the Linux memory values seem somewhat low.
How much RAM do you have in that box? These values and the following
could be set somewhat more generously, depending on available RAM and BDP
(bandwidth delay product):

net.ipv4.tcp_mem=311904 415872  623808
net.ipv4.tcp_wmem= 4096 16384   4194304
net.ipv4.tcp_rmem= 4096 87380   4194304

Klaus

  
Point of note: you're running pfSense 1.2.2 and the current release is 
1.2.3.  Before tinkering with the underlying system, it might be helpful 
to upgrade to the latest stable version and see if the operating system 
and upgraded drivers give you any relief. 


Gary


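Klaus's suggestion above sizes the Linux socket buffers by bandwidth delay product, and Ugo's quoted rmem_max/wmem_max of 131071 bytes is the value worth checking. The following is an added example, not code from the thread, that parses a sysctl dump (a constructed sample combining the values quoted in both messages), computes the BDP for an assumed link, and reports which ceilings fall short; the 100 Mbit/s and 20 ms figures are assumptions chosen to make the gap visible.

```python
# Constructed sample combining the sysctl lines quoted in the thread.
SYSCTL_DUMP = """\
net.ipv4.tcp_window_scaling = 1
net.core.rmem_default = 107520
net.core.wmem_default = 107520
net.core.rmem_max = 131071
net.core.wmem_max = 131071
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 16384 4194304
"""


def parse_sysctl(text):
    """Parse 'key = v1 v2 ...' lines into {key: [ints]}; blanks and '#' lines
    are skipped.  Also accepts the 'key=v1 v2' form without spaces."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition("=")
        values[key.strip()] = [int(tok) for tok in rest.split()]
    return values


def bandwidth_delay_product(bits_per_second, rtt_ms):
    """Bytes that must be in flight to keep the link full: bandwidth x RTT.
    Integer arithmetic so the result is exact (bits * ms / 8000 = bytes)."""
    return bits_per_second * rtt_ms // 8000


def check_buffers(values, bits_per_second, rtt_ms):
    """Compare every buffer ceiling with the BDP.

    Returns (bdp, report) where report maps a sysctl name to (limit, ok).
    rmem_max/wmem_max cap explicit SO_RCVBUF/SO_SNDBUF requests; the third
    field of tcp_rmem/tcp_wmem is the autotuning ceiling.  Windows above
    64 KiB additionally need window scaling to be on.
    """
    bdp = bandwidth_delay_product(bits_per_second, rtt_ms)
    limits = {
        "net.core.rmem_max": values["net.core.rmem_max"][0],
        "net.core.wmem_max": values["net.core.wmem_max"][0],
        "net.ipv4.tcp_rmem[max]": values["net.ipv4.tcp_rmem"][2],
        "net.ipv4.tcp_wmem[max]": values["net.ipv4.tcp_wmem"][2],
    }
    report = {name: (limit, limit >= bdp) for name, limit in limits.items()}
    scaling = values["net.ipv4.tcp_window_scaling"][0]
    report["net.ipv4.tcp_window_scaling"] = (scaling, bdp <= 65535 or scaling == 1)
    return bdp, report


def suggest_sysctl(values, bits_per_second, rtt_ms):
    """Return 'key = value' lines that raise only the ceilings below the BDP,
    leaving min/default fields of tcp_rmem/tcp_wmem untouched."""
    bdp, report = check_buffers(values, bits_per_second, rtt_ms)
    lines = []
    for name, (limit, ok) in report.items():
        if ok or name == "net.ipv4.tcp_window_scaling":
            continue
        if name.endswith("[max]"):
            key = name[:-5]
            lo, default, _ = values[key]
            lines.append(f"{key} = {lo} {default} {bdp}")
        else:
            lines.append(f"{name} = {bdp}")
    return lines


if __name__ == "__main__":
    cfg = parse_sysctl(SYSCTL_DUMP)
    bdp, report = check_buffers(cfg, 100_000_000, 20)   # assumed 100 Mbit/s, 20 ms
    print("BDP bytes:", bdp)
    for name, (limit, ok) in report.items():
        print(f"{name:32} {limit:>10}  {'ok' if ok else 'BELOW BDP'}")
    print("\n".join(suggest_sysctl(cfg, 100_000_000, 20)))
```

With the assumed link the BDP is 250,000 bytes, so the two net.core ceilings at 131071 are flagged while the 4 MiB autotuning maxima are fine; on an 8 Mbit/s ADSL line with the same RTT the BDP is 20,000 bytes and nothing is flagged, which is why the right answer depends on the link rather than on a fixed number.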


Re: [pfSense Support] Bogons file overwritten w/ bad data

2009-11-25 Thread Gary Buckmaster
Check out the rc_updatebogons.sh script in /etc.  That's how the file is 
updated. 


Joseph L. Casale wrote:

My conf restore went smoothly except for one problem: the /etc/bogons file
got overwritten with what looked like some HTML from an ISP redirected web page
of some sort (should have saved it, sorry).

Luckily I had SSH access; I copied the one over from the ISO and rebooted
and it came up fine...

How does that file get updated or written to? Any way to prevent this, or was
there something I overlooked during the restore?

jlc


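What Joseph saw is the classic failure of a network fetch that is written straight into place: the ISP answered with a redirect page and the script saved that page as the bogons list, so the firewall silently lost its bogon blocking until the file was restored. The following is an added example (not pfSense's rc_updatebogons.sh and not the poster's code) of the check a defender would want in front of any such update: accept the download only if every non-comment line parses as an IPv4 network, and otherwise keep the file already installed. Both sample inputs are constructed.

```python
import ipaddress

# Constructed sample in the style of /etc/bogons: one IPv4 network per line.
GOOD_SAMPLE = """\
# bogon networks, constructed sample
0.0.0.0/8
10.0.0.0/8
127.0.0.0/8
192.0.2.0/24
"""

# Constructed sample of what an ISP captive portal hands back instead of the list.
BAD_SAMPLE = """\
<html><head><title>Service notice</title></head>
<body>Your provider has an important message. Click here to continue.</body></html>
"""


def validate_bogons(text, min_entries=1):
    """Return (ok, networks, reason).

    Accepts only blank lines, '#' comments and IPv4 networks in CIDR form
    with no host bits set.  Anything else (HTML, an error page, a truncated
    download) fails on the first offending line, and an empty or nearly
    empty list is rejected as well so a 0-byte response cannot wipe the
    existing file.
    """
    networks = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            net = ipaddress.IPv4Network(line, strict=True)
        except ValueError:
            return False, networks, f"line {lineno} is not an IPv4 network: {line[:40]!r}"
        networks.append(net)
    if len(networks) < min_entries:
        return False, networks, f"only {len(networks)} entries, expected at least {min_entries}"
    return True, networks, "ok"


def choose_bogons(downloaded_text, current_text, min_entries=1):
    """Return the text that should end up in /etc/bogons: the download when
    it validates, otherwise the file that is already installed."""
    ok, _, _ = validate_bogons(downloaded_text, min_entries)
    return downloaded_text if ok else current_text


if __name__ == "__main__":
    for label, sample in (("good", GOOD_SAMPLE), ("bad", BAD_SAMPLE)):
        ok, nets, reason = validate_bogons(sample)
        print(f"{label}: ok={ok} entries={len(nets)} reason={reason}")
    print(choose_bogons(BAD_SAMPLE, GOOD_SAMPLE) is GOOD_SAMPLE)
```

The min_entries threshold is the second half of the defence: a real bogons list has many entries, so setting it to something like the size of the last good list also catches the case where the server returns a valid but empty or truncated file.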


Re: [pfSense Support] blacklist exceptions?

2009-11-16 Thread Gary Buckmaster

Luke,

You may want to post about this on the packages section of the forum.  
The author of the squidguard package is very active there and he may be 
able to help you out.  As far as I know, he is not active on the 
support@ mailing list.


-Gary

Luke Jaeger wrote:
Thanks - I did this but it didn't work. (I restarted squidguard as 
well). Anything else I need to look at?


Luke Jaeger | Technology Coordinator
Pioneer Valley Performing Arts Charter Public School
www.pvpa.org

On Nov 14, 2009, at 3:19 AM, Serg Dvoriancev wrote:

You must use Wiki Howto 
http://doc.pfsense.org/index.php/SquidGuard_package


- Original Message - From: Luke Jaeger ad...@pvpa.org
To: support@pfsense.com
Sent: Friday, November 13, 2009 6:53 PM
Subject: [pfSense Support] blacklist exceptions?


We are using pfSense 1.2.2 with squidguard as firewall/content 
filter for a school.
Squidguard is configured to use the shallalist.de blacklists and it 
works quite well. But there are times when I want to whitelist a 
site (i.e. sexuality info sites that Shalla has mistakenly 
categorized as porn) - if I add it to Proxy server:Access control 
it's still blocked. Anything I can do other than putting in a 
request to Shalla to re-categorize?

Luke Jaeger | Technology Coordinator
Pioneer Valley Performing Arts Charter Public School
www.pvpa.org



Re: [pfSense Support] NAT and Bridge on the same box

2009-09-28 Thread Gary Buckmaster

Curtis,

Should work.  That kind of setup definitely works on physical NICs (DMZ 
bridged to WAN, LAN NAT'd to WAN).  I can't think of any reason why it 
would cause issues on VLANs.  Probably worth setting up a test scenario 
in ESXi first to make sure.


-Gary

Curtis LaMasters wrote:

I have a need to provide NAT for the majority of our services and also
assign public IPs to our customers.  My question is, can I do
bridging and NAT on the same server?  I.E. can I have my WAN interface
with all its virtual IPs continue to map to my internal VLANs and
then have a separate VLAN(s) bridge and be able to deliver public IPs
to those customers?

Is it as simple as setting the bridge with WAN on that interface and
then assigning IPs?  Sorry if this has been covered in the past.

Curtis LaMasters
http://www.curtis-lamasters.com
http://www.builtnetworks.com




Re: [pfSense Support] Multiwan - no loadbalance needed

2009-08-12 Thread Gary Buckmaster

Michel Servaes wrote:

Hi,


When reading several posts, I found much info about load balancing...
but this is something I don't need.
What I would like to have is to route all internet traffic through
one interface (a PPPoE session), and some traffic (terminal server, 
smtp) from the other interface (incoming).

If I read a bit further on, it seems that you best dedicate the WAN
interface to the actual traffic, to be able to use the most out of
packages...
And, that OPT1 is for the other interface to allow incoming traffic to
our terminal server and mail-server.

Currently I have one xDSL connection, that will be for all common
traffic, and I have one SDSL connection to allow my external
co-workers to join the terminal server. (the connection will be shared
for smtp traffic - for that I shall use QoS to allow my terminal
sessions to be the most priority).


To put it simply (I think): OPT1 should be treated as incoming
traffic, and WAN should only be used for outgoing traffic (e.g.
internet, radio, downloading, ...)

Hope this makes sense... kind regards

This is entirely do-able and we have a number of commercial support 
customers who run a setup very much like this.  You may also consider 
configuring your WAN to fail over to your OPT interface in the case of 
the WAN interface going down.  This will ensure mostly uninterrupted 
Internet access for your LAN clients. 





Re: [pfSense Support] A note about top vs bottom posting -- please read and make sure you bottom post on our lists. Thank you.

2009-07-29 Thread Gary Buckmaster

David Rees wrote:

On Wed, Jul 29, 2009 at 10:31 AM, iggd...@gmail.com wrote:
  

Unfortunately Gmail top posts by default.  So expecting bottom posting to be
and to remain the default behavior may be an exercise in futility.  Proper
etiquette or not, some people just bang off replies and figure everything is
a-ok.  This being a reason, not an excuse.



Yes - bottom posting takes a bit of work.  But on a high volume
mailing list or if you receive a lot of mail, a little bit of context
goes a LONG way.

And while we're talking about it - Trim your messages, too!

Only leave the relevant portion of the original email in the message -
so that means trimming the list-footer off the message.

Again - it takes a bit of work, but it really makes reading mailing
lists a LOT easier.

Try it for a bit - once you do, you'll realize how much better it is.

-Dave

Can we please knock this crap off now? The 5 people in the world who 
care about top posting have made their point, the 5 people in the world 
who think that top posting is perfectly valid seem to be willing to 
abide by your particular brand of netiquette Nazism and the rest of the 
world is going to continue to join this list, top post, bottom post, 
send emails with return receipt requests, send emails entirely composed 
of HTML, reply to emails belonging to other threads and generally do 
whatever they feel like doing. If you really feel *this* strongly about 
mailing list etiquette perhaps now would be a good time to re-examine 
your life. I think it's safe to say that the rest of us are tired of your 
spam.





Re: [pfSense Support] Traffic Shapping : High priority on particular port

2009-06-29 Thread Gary Buckmaster

Bastien DARMON wrote:
Hello,

Is there a way, in pfsense, to give the highest priority over the rest 
of the traffic to an application running on a particular port?



A VPN is connecting some branches where an application is running on 
port 1. This application should have the highest priority over the 
rest of the traffic running over the VPN.

Any suggestion on how to do this?

Bastien
In 1.2.x you cannot shape over a VPN tunnel.  This changes in 2.0. 






Re: [pfSense Support] Appliance support

2009-06-23 Thread Gary Buckmaster

Chris Buechler wrote:

On Tue, Jun 23, 2009 at 2:42 AM, Jesse
Petersonjesse.peter...@exbiblio.com wrote:
  

Hello,

I know pfSense has its Embedded edition/setup, but I have a bit of a predicament. I have 
an architecture-wise plain x86 PC but which does not have a keyboard, video, 
NOR a COM port. Without any way to give input to the device I can't configure pfSense.




No extremely simple way to accomplish this. Best is to install with
the medium (HD, CF) in another box that does have keyboard/video or
serial, after install go to a command prompt and edit
/cf/conf/config.xml to manually replace the interfaces as desired,
save changes, rm /tmp/config.cache, shut down, transfer HD/CF, you're
set. If it has a USB port, I think it's possible to pick up the config
off a FAT formatted USB flash drive (at least with the live CD, not
sure about full or embedded).

You can open a feature request at redmine.pfsense.org if you'd like.

Also, the embedded instances of pfSense don't come out-of-the-box ready 
either.  You still need to attach a serial cable and do the initial 
configuration.  This is as it should be.






Re: [pfSense Support] dhcp and arp list errors

2009-06-09 Thread Gary Buckmaster

and...@fiberby.dk wrote:

Hi

Does anyone have an explanation/solution to these errors: 
When choosing DHCP leases I get the following error:

Fatal error: Allowed memory size of 33554432 bytes exhausted (tried to
allocate 35 bytes) in /usr/local/www/diag_dhcp_leases.php on line 74
When choosing ARP Tables I get the following error:
Fatal error: Allowed memory size of 33554432 bytes exhausted (tried to
allocate 35 bytes) in /usr/local/www/diag_arp.php on line 59

Kind regards Anders




It would be helpful to know what version of pfSense you're seeing this 
on, what kind of system you're using and how much memory usage you have. 






Re: [pfSense Support] Help with ldap integration

2009-06-02 Thread Gary Buckmaster
You want to check the support forums.  The author of the squid package 
is very active on there and your question has been asked and answered in 
various forms already.  Good luck.


Diego B. Sechin wrote:

Hi, I'm not having any success integrating OpenLDAP with squid.

My configuration.

auth_param basic program /usr/local/libexec/squid/squid_ldap_auth -v 3 
-b dc=asa,dc=ind,dc=br -D cn=admin,dc=asa,dc=ind,dc=br -w Ldap123123 
-f uid=%s -u uid -P 192.168.0.1

15
auth_param basic children 2
auth_param basic realm Informe seu usuario e senha para acessar a 
Internet

auth_param basic credentialsttl 60 minutes
acl password proxy_auth REQUIRED
http_access allow password localnet

Someone help me...
Please!




Re: AW: [pfSense Support] 1: lame installation 2: no make 3: no 1.2.3 devel vers. 4. multicast supported? 5. import of old config.xml from possible?

2009-05-19 Thread Gary Buckmaster
pfSense 1.2-Release is based on the FreeBSD 6 tree and is extremely out 
of date, which is why you can't get the packages.  In short, upgrade to 
a recent version of pfSense first.


newsma...@teletreff.net wrote:

Hello Paul,

No, I have the 1.2.0 Release and in your path the lame package is not
included, only in the csup directory or directly from sourceforge.
Maybe it has been removed because of copyright reasons and therefore it is
only available as source code ... so there is no chance without make?

With the local package, from the ports tree updated with csup:

# setenv PACKAGESITE ftp://ftp-archive.freebsd.org/pub/FreeBSD-Archive/old-releases/i386/7.0-RELEASE/packages/Latest/
# cd /usr/ports/audio
# pkg_add lame
tar: Unrecognized archive format: Inappropriate file type or format
pkg_add: tar extract of /usr/ports/audio/lame failed!
pkg_add: unable to extract table of contents file from
'/usr/ports/audio/lame' - not a package?

With package download:

# pkg_add -r lame
Error: FTP Unable to get
ftp://ftp-archive.freebsd.org/pub/FreeBSD-Archive/old-releases/i386/7.0-RELEASE/packages/Latest/lame.tbz: Not logged in
pkg_add: unable to fetch
'ftp://ftp-archive.freebsd.org/pub/FreeBSD-Archive/old-releases/i386/7.0-RELEASE/packages/Latest/lame.tbz' by URL

- but the package is not on the server any longer - 




Yes, 1.2.2 is outdated and there is no developer version for the 1.2.3 on
the servers :-(

Hopeful to get answers to all 5 questions ;-)

Thanks a lot

Ralf



-----Original Message-----
From: Paul Mansfield [mailto:it-admin-pfse...@taptu.com] 
Sent: Tuesday, 19 May 2009 12:27

To: support@pfsense.com
Subject: Re: [pfSense Support] 1: lame installation 2: no make 3: no 1.2.3
devel vers. 4. multicast supported? 5. import of old config.xml from
possible?


---fwd---

pfsense 1.2.2 is based on the now obsolete freebsd 7.0, so you can't simply
pkg_add -r as it won't find the package since it's not in the main freebsd
repos.

instead, set PACKAGESITE as follows...

# setenv PACKAGESITE ftp://ftp-archive.freebsd.org/pub/FreeBSD-Archive/old-releases/i386/7.0-RELEASE/packages/Latest/

and then install, e.g.

# pkg_add -r syslog-ng




Re: [pfSense Support] Firewall rules keep failing

2009-04-17 Thread Gary Buckmaster
You can easily install a dedicated squid box (not a pfSense box running 
squid) in your network and accomplish the same goals. 


Graeme Evans wrote:

Chris

Seems you may be on to something. I have removed Squid and what was a very re-producible issue doesn't _seem_ to be happening. I had thought about that but dismissed it as it was affecting ICMP/Ping, TCP/FTP and other traffic which I didn't think squid would interfere with. 


However, now I have another problem. It's most important to have the security, 
but squid saves us hours of time and gigs of bandwidth a day by caching updates 
for all the PCs that come through our workshop. I really could do with it 
installed and still have the intended security. I guess I could have a second 
pfSense box caching within the workshop segment, but it shouldn't be needed.



Graeme Evans
Technical Manager
KCS Computer Solutions
e: graeme.ev...@kcssolutions.co.uk 
w: www.kcssolutions.co.uk 
t: 017687 75526

f: 017687 75636
a: Packhorse Court, Keswick, Cumbria, CA12 5JB
Keswick Computer Services Ltd. trading as KCS Computer Solutions (Registered in 
England  Wales)
Company Number: 4533301
VAT Number: GB734 732 432 
This email and any attachments are confidential.  It may contain privileged information and is intended for the named recipient(s) only.  It must not be distributed without consent.  If you are not one of the intended recipients, please notify the sender immediately and do not disclose, distribute, or retain this email or any part of it.


Unless expressly stated, opinions in this email are those of the individual sender, and not of Keswick Computer Services Ltd.  Legally binding obligation can only arise for, or be entered into on behalf of, Keswick Computer Services Ltd by duly authorised representatives. 
Keswick Computer Services Ltd excludes any liability whatsoever for any offence caused, any direct or consequential loss arising from the use, or reliance on, this e-mail or its contents.  We believe but do not warrant that this e-mail and any attachments are virus free.  You must therefore take full responsibility for virus checking.  Keswick Computer Services Ltd reserve the right to scan all e-mail communications through its network.



-Original Message-
From: cbuech...@gmail.com [mailto:cbuech...@gmail.com] On Behalf Of Chris 
Buechler
Sent: 17 April 2009 15:36
To: support@pfsense.com
Subject: Re: [pfSense Support] Firewall rules keep failing

On Fri, Apr 17, 2009 at 4:15 AM, Graeme Evans
graeme.ev...@kcssolutions.co.uk wrote:
  

Situation:

I have a simple pfSense setup with a single pfSense 1.2.2 computer, 1 WAN
interface, and 2 Local interfaces - one named LAN (10.0.0.0/24), and the
other is Workshop (10.0.1.0/24).  We have all sorts of computers including
infected PCs connected to our Workshop interface so there are firewall
rules set up only to allow internet access from both Local interfaces and on
the workshop interface some simple rules allowing things like FTP access
to our fileserver on the LAN interface. We want no other access between
subnets. We also have squid installed in transparent mode listening on the
Workshop interface only, lightsquid,



If you uninstall squid does it change?  If traffic isn't getting
logged and you have logging on all your firewall rules, squid has to
be picking it up. There are a number of potential consequences of the
squid packages, this may be one.




Re: [pfSense Support] RE: [SPAM] Re: [pfSense Support] website browsing

2009-04-13 Thread Gary Buckmaster
This is not the way to do this as the configuration will not survive 
reboots.  You can set the MTU on the interface configuration page for 
your WAN interface in the webGUI.  I would encourage you to check that 
out. 


Mikel Jimenez Fernandez wrote:

Hi

You have to reduce the MTU of the interfaces

ifconfig interface mtu 1380  for example

Do it on LAN and WAN and tell me the results

Thanks

Juan Rivera wrote:

How did you reduce the MTU files? What is happening on my end is that
when I download files it works perfectly fine, but when I browse the
internet it takes a while to show the page and sometimes we get PAGE CAN
NOT BE DISPLAY. It's getting annoying now and I'm getting a lot of complaints
from users. Can you tell me how to reduce the MTU files? Thank you

-Original Message-
From: Mikel Jimenez Fernandez [mailto:mi...@irontec.com] Sent: 
Monday, April 13, 2009 11:31 AM

To: support@pfsense.com
Subject: [SPAM] Re: [pfSense Support] website browsing

Hello

I had this issue and I solved it by reducing the MTU values.

Thanks

Juan Rivera wrote:
 
Hi, I'm having trouble trying to browse some websites; they load really 
slowly. Is there anything that can help us improve that?









Re: [pfSense Support] Moving Target - How do people track down bandwidth usage...?

2009-04-09 Thread Gary Buckmaster

Jaime Díaz wrote:

On Thu, Apr 9, 2009 at 9:56 AM, Chuck Mariotti cmario...@xunity.com wrote:
  

Are either of these safe to run on embedded (Alix)? I did a custom install so 
that I can install Packages, so that I could run snort, but I can't seem to 
keep snort running, keeps shutting down by itself. So wonder if I'll run into 
any issues with these...

-Original Message-
From: Jaime Díaz [mailto:jnd...@gmail.com]
Sent: Thursday, April 09, 2009 8:50 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Moving Target - How do people track down 
bandwidth usage...?

On Thu, Apr 9, 2009 at 9:39 AM, Chuck Mariotti cmario...@xunity.com wrote:


Yesterday we had a huge hit on our bandwidth for a period of time... How are 
people tracking down bandwidth usage to specific machines, etc...?

By the time I captured some packets and pulled up wireshark, the hit was gone. 
It showed up later in the day, but again, too fast to track down.

Is there an easy way to track down specifically what machines are using up 
bandwidth?

Regards,

Chuck


You could use bandwidthd or ntop to track down those users.






Sorry, I didn't know you were running on an embedded platform.

I wouldn't run it on such hardware.

Judicious use of pftop should show you exactly which IP address(es) are 
consuming your bandwidth at the time so you can take appropriate 
action.  Spend some time learning the different screens of pftop and no 
further packages will be required. 



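The thread above asks how to find which LAN hosts are eating bandwidth when the burst is over by the time a capture is set up. The following is an added example, not code from the thread or from pfSense: it takes two snapshots of per-state byte counters (the kind of numbers pftop shows), sums them per LAN host, and compares the snapshots so that the current rate, not the lifetime total, is what gets ranked. The snapshot text, its column layout and the LAN prefix are all constructed for the example.

```python
"""Rank LAN hosts by bytes seen in snapshots of firewall state counters.

Added example for the bandwidth-tracking question; not pfSense code.
The snapshot text is constructed to resemble per-state byte counters of
the kind pftop displays; the column layout is an assumption.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed snapshot: proto, client endpoint, server endpoint,
# bytes in, bytes out.  All numbers are made up for the example.
SNAPSHOT_T0 = """\
tcp 192.168.1.20:51234 203.0.113.10:443 1203400 48200
tcp 192.168.1.20:51240 203.0.113.11:443 9800300 120400
udp 192.168.1.35:53411 198.51.100.5:53 640 1200
tcp 192.168.1.42:49877 203.0.113.77:80 350200 22100
tcp 192.168.1.20:51301 203.0.113.12:443 15400000 310000
"""

# The same states ten seconds later: the .20 download is still running.
SNAPSHOT_T1 = """\
tcp 192.168.1.20:51234 203.0.113.10:443 1203400 48200
tcp 192.168.1.20:51240 203.0.113.11:443 9800300 120400
udp 192.168.1.35:53411 198.51.100.5:53 640 1200
tcp 192.168.1.42:49877 203.0.113.77:80 352200 22300
tcp 192.168.1.20:51301 203.0.113.12:443 40400000 810000
"""

LAN = ip_network("192.168.1.0/24")   # assumed LAN subnet


def parse_snapshot(text):
    """Parse the constructed snapshot into (proto, src_ip, dst_ip, b_in, b_out)."""
    states = []
    for line in text.splitlines():
        if not line.strip():
            continue
        proto, src, dst, b_in, b_out = line.split()
        # drop the port: "ip:port" -> "ip"
        states.append((proto, src.rsplit(":", 1)[0], dst.rsplit(":", 1)[0],
                       int(b_in), int(b_out)))
    return states


def bytes_per_lan_host(states, lan=LAN):
    """Total bytes (both directions) attributed to each LAN-side address."""
    totals = defaultdict(int)
    for _proto, src, dst, b_in, b_out in states:
        for host in (src, dst):
            if ip_address(host) in lan:
                totals[host] += b_in + b_out
    return dict(totals)


def top_talkers(states, n=3, lan=LAN):
    """LAN hosts sorted by total bytes, largest first."""
    totals = bytes_per_lan_host(states, lan)
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def rate_per_host(states_t0, states_t1, seconds, lan=LAN):
    """Bytes per second per LAN host between two snapshots.

    Counter deltas, not lifetime totals, are what expose a burst that is
    happening right now, which is the case the thread describes.
    """
    a = bytes_per_lan_host(states_t0, lan)
    b = bytes_per_lan_host(states_t1, lan)
    return {host: (b[host] - a.get(host, 0)) / seconds for host in b}


if __name__ == "__main__":
    t0 = parse_snapshot(SNAPSHOT_T0)
    t1 = parse_snapshot(SNAPSHOT_T1)
    for host, total in top_talkers(t0):
        print(f"{host:15} {total:>12} bytes")
    for host, bps in sorted(rate_per_host(t0, t1, 10).items(),
                            key=lambda kv: kv[1], reverse=True):
        print(f"{host:15} {bps:>12.0f} B/s")
```

Two snapshots a few seconds apart are enough to separate a host that downloaded a lot an hour ago from one that is saturating the link at this moment; that is the distinction the lifetime totals in a single snapshot cannot make.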



Re: [pfSense Support] Filtering by URL or regexp

2009-03-31 Thread Gary Buckmaster

luismi wrote:

Is it possible to create rules that match URLs or regular expressions?
I would like to provide access just to *.foobar.com but I don't know the
IPs used for that domain :-/


This has been covered on this list many times before.  Please consult 
the archives. 






Re: [pfSense Support] Multi-WAN with Fail Over

2009-03-23 Thread Gary Buckmaster

Alexsander Loula wrote:

Hi Folks,

I have 2 WANs (WAN1 - production and WAN2 - backup) and I need to set 
them up as failover (when WAN1 goes down WAN2 takes the traffic, and when 
WAN1 comes up again it takes the traffic back). Both are DHCP.
I have followed this procedure in 2 machines (PC and WRAP) without 
success: http://doc.pfsense.org/index.php/MultiWanVersion1.2
I did several tests changing mainly the Load Balance and Firewall 
(NAT/Rules) services with no success. It's very intermittent even 
doing the 3 pools that's not my case. Sometimes it works mainly when 
the Load Balance status indicators are green and sometimes does not 
work when the indicators are yellow.
Actually I don't want to have the load balance between WAN1 and WAN2, 
only the fail over from WAN1 to WAN2.


Is someone doing it successfully?

Best Regards,
Alex
Many people are doing this successfully.  If you have your WAN 
interfaces load balancing, then it means you have your pool configured 
for load balancing.  Change the behavior to failover. 






Re: [pfSense Support] 1:1 NAT - Outbound source IP?

2009-03-17 Thread Gary Buckmaster

Nathan Eisenberg wrote:


Hello,

When performing 1:1 NAT, what is the process for making the 
egressing NAT traffic originate from the 1:1 IP address?


For example…

4.2.2.1 Firewall

4.2.2.2 Server 1 virtual IP

4.2.2.3 Server 2 virtual IP

192.168.1.1 Firewall LAN

192.168.1.2 Server 1 IP

192.168.1.3 Server 2 IP

All egress traffic still comes from 4.2.2.1 in this configuration, 
where I would want egressing traffic to originate from 4.2.2.2 for 
Server 1.


Best Regards,

Nathan Eisenberg

Atlas Networks, LLC

Phone: 206-577-3078

supp...@atlasnetworks.us

http://www.atlasnetworks.us


That's the whole point of a 1:1 NAT. The process is as follows:

1) Create a VIP (either CARP or ProxyARP)
2) Create a 1:1 NAT mapping between the real private IP and the public 
VIP (ie: 4.2.2.2 - 192.168.1.2)
3) Create firewall rules allowing the traffic you want to hit the 
private IP for the resource (ie: 192.168.1.2)


Consider using aliases for the firewall rules; it makes the rules make 
far more sense at a glance and makes life easier to manage if you have a 
lot of servers.



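To make the three steps above concrete, here is an added example (not code from the thread or from pfSense) that models what a 1:1 mapping does to addresses in both directions and why step 3 writes the pass rules against the private address: pf translates before it filters, so the filter sees 192.168.1.2, not 4.2.2.2. The addresses are Nathan's; the interface name em0, the alias table and the rule set are assumptions, and the pf.conf lines the last function emits follow pf.conf(5) syntax.

```python
"""Model of a 1:1 (binat) mapping on a pf firewall and of the pass rules
that go with it.

Added example for the 1:1 NAT thread; not pfSense code.  Addresses are
from the thread's example; the interface name, alias and rules are assumed.
"""

WAN_ADDR = "4.2.2.1"        # the firewall's own WAN address
WAN_IF = "em0"              # assumed WAN interface name

# Step 2 of the thread: 1:1 mapping, private address -> public VIP.
BINAT = {
    "192.168.1.2": "4.2.2.2",   # Server 1
    "192.168.1.3": "4.2.2.3",   # Server 2
}

# Aliases, as the reply suggests: a name instead of bare IPs in rules.
ALIASES = {"web_servers": ["192.168.1.2", "192.168.1.3"]}

# Step 3: pass rules.  They are matched AFTER translation, so the
# destination is the private address (or an alias of private addresses).
RULES = [
    {"proto": "tcp", "dst": "web_servers", "ports": {80, 443}},
    {"proto": "tcp", "dst": "192.168.1.3", "ports": {22}},
]


def outbound_source(src, binat=BINAT, wan=WAN_ADDR):
    """Source address seen on the WAN for a packet from a LAN host.

    A host with a 1:1 mapping leaves as its VIP; any other host leaves
    as the interface address (ordinary outbound NAT).  This is the
    behaviour the original poster was asking for.
    """
    return binat.get(src, wan)


def inbound_destination(dst, binat=BINAT):
    """Private address a packet to a public VIP is rewritten to, or None."""
    reverse = {pub: priv for priv, pub in binat.items()}
    return reverse.get(dst)


def expand(target, aliases=ALIASES):
    """Resolve an alias name to its member addresses (or a bare IP to itself)."""
    return set(aliases.get(target, [target]))


def inbound_allowed(dst_public, proto, port, rules=RULES, binat=BINAT):
    """Would a packet to dst_public:port be passed after 1:1 NAT?"""
    priv = inbound_destination(dst_public, binat)
    if priv is None:      # no mapping: nothing is translated, nothing matches
        return False
    return any(r["proto"] == proto and priv in expand(r["dst"])
               and port in r["ports"] for r in rules)


def render_pf(binat=BINAT, rules=RULES, aliases=ALIASES, wan_if=WAN_IF):
    """Equivalent pf.conf lines for the table above (interface name assumed)."""
    lines = [f"table <{name}> {{ {', '.join(hosts)} }}"
             for name, hosts in aliases.items()]
    lines += [f"binat on {wan_if} from {priv} to any -> {pub}"
              for priv, pub in binat.items()]
    for r in rules:
        dst = f"<{r['dst']}>" if r["dst"] in aliases else r["dst"]
        ports = ", ".join(str(p) for p in sorted(r["ports"]))
        lines.append(f"pass in on {wan_if} proto {r['proto']} "
                     f"from any to {dst} port {{ {ports} }}")
    return lines


if __name__ == "__main__":
    print(outbound_source("192.168.1.2"), outbound_source("192.168.1.50"))
    print(inbound_allowed("4.2.2.2", "tcp", 443), inbound_allowed("4.2.2.2", "tcp", 22))
    print("\n".join(render_pf()))
```

A rule written against 4.2.2.2 would never match, because by the time the filter runs the destination is already 192.168.1.2; that is the mistake the "create firewall rules ... for the private IP" step is guarding against.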



Re: [pfSense Support] Squid authentication against AD.

2009-03-13 Thread Gary Buckmaster

Wayne Langdon wrote:

Hi,

Has anyone managed to successfully setup pfsense+squid to authenticate 
Windows users automatically
against AD, ie: based on their Windows domain signon and not prompting 
for user/pass when using proxy?


Any help regarding this will be appreciated.

Thank you,

Wayne.




This has been asked and answered many times on this list.  Please search 
the archives for more details.  The short answer is no.






Re: AW: [pfSense Support] Squid authentication against AD.

2009-03-13 Thread Gary Buckmaster

Fuchs, Martin wrote:


Would only be possible with integrated authentication in IE and with 
squid using it…


Afaik it works with isa and even there only with IE… so… no…

Regards,

Martin

*From:* Wayne Langdon [mailto:wa...@langdon.co.za]
*Sent:* Friday, 13 March 2009 12:56
*To:* support@pfsense.com
*Subject:* [pfSense Support] Squid authentication against AD.

Hi,

Has anyone managed to successfully setup pfsense+squid to authenticate 
Windows users automatically
against AD, ie: based on their Windows domain signon and not prompting 
for user/pass when using proxy?


Any help regarding this will be appreciated.

Thank you,

Wayne.




Martin,

That's actually incorrect. It is entirely possible to use squid+ad 
authentication simply using proxy settings put into the browser, and the 
authentication piece works fine with IE, Firefox, even Opera. The issue 
is getting squid to authenticate to AD and query for group membership. A 
lot of this was stubbed into the squid package, but never completed by 
the author and no one has been interested in finishing it.






Re: [pfSense Support] Routing multiple subnets through IPSEC

2009-03-13 Thread Gary Buckmaster

Bennett Lee wrote:

On Thu, Mar 12, 2009 at 10:46 PM, Chris Buechler wrote:
  

On Thu, Mar 12, 2009 at 9:48 PM, Bennett Lee


pfse...@bennettandgina.com wrote:
  

How can I route multiple subnets across the same IPSEC tunnel?

  

You can't in 1.2.x. Solution here:
http://doc.pfsense.org/index.php/IPSec_with_Multiple_Subnets




Sweet!  Thanks, Chris.  Supernetting works for me and all my clients
except one.  Is routing over IPSEC a future option in 2.0 or is it too
nasty to implement?  (My one client who really wants it is, of course,
the one for whom supernetting doesn't work.)  :P

--Bennett

It's coming in 2.0.  Matt Grooms has done an immense amount of work with 
the IPSEC code for 2.0 and it's really, *really* nice. 



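The supernetting workaround that Bennett says works for all but one client is worth checking with numbers before a phase 2 is configured. The following is an added example, not from the thread or from pfSense: it finds the smallest prefix covering a set of site subnets, lists the address space inside that prefix that belongs to no real subnet, and flags overlap with a peer's networks, which is exactly the case where the trick cannot be used. The subnets are constructed for illustration.

```python
"""Check whether a set of site subnets can be carried by one IPsec
phase 2 by supernetting them, and what that supernet drags in.

Added example for the multi-subnet IPsec thread; not pfSense code.
The subnets below are constructed for illustration.
"""
from ipaddress import ip_network


def smallest_supernet(nets):
    """Smallest single prefix that contains every network in nets."""
    nets = [ip_network(n) for n in nets]
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()    # widen by one bit
    return candidate


def uncovered(nets, supernet):
    """Pieces of supernet that belong to none of nets.

    This is address space the tunnel would claim without any real subnet
    behind it; it is fine as long as it collides with nothing elsewhere.
    """
    remaining = [supernet]
    for net in (ip_network(n) for n in nets):
        nxt = []
        for piece in remaining:
            if net.subnet_of(piece):
                nxt.extend(piece.address_exclude(net))   # carve net out
            elif piece.subnet_of(net):
                continue                                 # piece fully covered
            else:
                nxt.append(piece)                        # disjoint, keep
        remaining = nxt
    return sorted(remaining)


def conflicts(supernet, remote_nets):
    """Remote-side networks the supernet overlaps.  Any hit means the
    supernetting trick cannot be used with that peer."""
    return [ip_network(r) for r in remote_nets
            if ip_network(r).overlaps(supernet)]


if __name__ == "__main__":
    local = ["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24"]
    s = smallest_supernet(local)
    print("phase 2 local network:", s)
    print("unused space inside it:", uncovered(local, s))
    print("conflicts with peer A:", conflicts(s, ["192.168.50.0/24"]))
    print("conflicts with peer B:", conflicts(s, ["10.1.3.0/24"]))
```

With three /24s the supernet is a /22 that also covers 10.1.3.0/24; a peer that happens to use that block on its own side is the "one client" for whom supernetting does not work, and the conflict shows up here before any SA is negotiated.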



Re: [pfSense Support] firewall blocking legit traffic

2009-03-12 Thread Gary Buckmaster

Brad Gillette wrote:
I am using pfSense as a transparent bridging firewall and overall it is 
working pretty well and how I want it to work, except that some traffic 
that is coming in on my LAN interface is being blocked by the 'default 
deny rule'.  I'm allowing all traffic that is generated on the LAN 
side to leave.  I see where some others have run into a similar 
problem.  I do run 2 different IP subnets on my LAN and a router on 
the WAN side of the pfSense box routes between them.  Some of the traffic 
between the 2 subnets is getting blocked and some gets passed just fine.


This is typically a misconfiguration in your firewall rules.  By default 
the LAN is in a default allow state.  If you are bumping up against the 
default deny rule, then you are either using an OPT interface as a LAN, 
which is fine, just realize that all OPT interfaces come in a default 
deny state, and make your firewall rules accordingly.






Re: [pfSense Support] firewall blocking legit traffic

2009-03-12 Thread Gary Buckmaster

Brad Gillette wrote:

How can I tell if my LAN is on an OPT interface?

On Thu, Mar 12, 2009 at 8:40 AM, Gary Buckmaster 
g...@centipedenetworks.com wrote:


Brad Gillette wrote:

I am using pfSense as a transparent bridging firewall and overall
it is working pretty well and how I want it to work, except that
some traffic that is coming in on my LAN interface is being
blocked by the 'default deny rule'.  I'm allowing all traffic
that is generated on the LAN side to leave.  I see where some
others have run into a similar problem.  I do run 2 different
IP subnets on my LAN and a router on the WAN side of the
pfSense box routes between them.  Some of the traffic between the 2
subnets is getting blocked and some gets passed just fine.


This is typically a misconfiguration in your firewall rules.  By
default the LAN is in a default allow state.  If you are bumping
up against the default deny rule, then you are either using an OPT
interface as a LAN, which is fine, just realize that all OPT
interfaces come in a default deny state, and make your firewall
rules accordingly.




You said you run two different IP subnets on your LAN, how are you 
accomplishing this?  Through a physically separate card or some other 
means?  This is likely to be the starting point to your issue.






Re: [pfSense Support] PPP/POTS modem support

2009-03-10 Thread Gary Buckmaster

Joshua Schmidlkofer wrote:

Is there any known / supported way with pfSense to use an old-fashioned
modem?  I have a customer with a large number of 56K Frame Relay
lines.  He is moving most of them to DSL and pfSense + IPsec.  His one
request was regarding the ability to have a dial-up standby in case
there is a sustained DSL outage.

Does anyone have any advice?

Sincerely,
  joshua

Check the archives of this list.  Your question has been answered a few 
times. 






Re: [pfSense Support] MAC Filtering

2009-02-20 Thread Gary Buckmaster
pfSense does not do firewalling based on MAC address. 


Quirino Santilli wrote:


Hello guys,

 

I need to build a bridging firewall with MAC address based rules. Is 
pfsense capable of doing the trick?


If not (as I guessed from the features) how can I achieve my goal?

 


Thank you for the help.

 


r3N0oV4








Re: [pfSense Support] MAC Filtering

2009-02-20 Thread Gary Buckmaster
MAC address filtering is of extremely limited utility.  It is just as 
trivial to spoof a MAC address as it is to spoof an IP address.  The 
problems you are trying to solve are already solved with captive portal 
and a judicious use of DHCP.  If you require further layers of 
obtuseness, you can employ port-level security on your switches. 


apiase...@midatlanticbb.com wrote:
Yeah, I was hoping to get around that, by simply adding the MAC 
address to a firewall rule, and pfSense would check the ARP table and 
use the appropriate IP address automatically.


So I guess it's not true layer 2 filtering, but it's close enough.

Adam



Tim Nelson wrote:

MAC to IP address tracking is handled by the ARP package. :-)

All joking aside, maybe you want to look at static DHCP assignments 
denying unknown clients or the captive portal?


Tim Nelson
Systems/Network Support
Rockbochs Inc.
(218)727-4332 x105

- apiase...@midatlanticbb.com wrote:

 
Are there any plans on adding this feature, or MAC to IP Address 
tracking? I would be willing to submit a bounty if it's technically 
possible.


This is very useful for hotels, airports, and wifi hot spots, where you
want to block a PC that is using DHCP.

I've actually never seen this feature in a firewall,

Adam

Gary Buckmaster wrote:
   

pfSense does not do firewalling based on MAC address.
Quirino Santilli wrote:
 

Hello guys,

 


I need to build a bridging firewall with MAC address based rules.

Is

pfsense capable of doing the trick?

If not (as I guessed from the features) how can I achieve my goal?

 


Thank you for the help.

 


r3N0oV4





  








  








  











Re: [pfSense Support] MAC Filtering

2009-02-20 Thread Gary Buckmaster

RB wrote:

On Fri, Feb 20, 2009 at 07:13, Gary Buckmaster
g...@centipedenetworks.com wrote:
  

pfSense does not do firewalling based on MAC address.



Actually, it does, if indirectly.

Use the captive portal.  More than likely it fits your use case
anyway, but can also be used to enter static lists of allowed MAC
addresses that do not go through the captive page.  L2-attached users
will have MAC entries automatically created and destroyed for them by
the login process if you do not check the Disable MAC filtering box
in the CP configuration page.

You're correct of course.   I was trying to address his overriding 
question about using the firewall to do MAC level filtering, since that 
was his original query.  The addition of Captive Portal (which uses ipfw 
to do the MAC filtering portion btw) to the mix is probably the correct 
answer for what he's trying to do, although he was not in any way 
especially clear in his initial or follow up queries on the subject.  At 
this point, however, you and I are both in agreement and just clarifying 
our points. 




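Both replies in this thread make the same point: a MAC address is trivial to change, so a MAC-based rule by itself proves nothing, and static DHCP reservations plus captive portal are the practical controls. What a defender can still do is check that the IP/MAC pairings actually on the wire agree with the reservations. The following is an added example (not from the thread or from pfSense): it parses a constructed ARP table snapshot, compares it with a made-up reservation table, and reports reserved IPs answered by the wrong MAC, one MAC answering for several IPs, and IPs with no reservation at all. The ARP line format is an assumption modelled on FreeBSD's arp -an output.

```python
"""Audit an ARP table against static DHCP reservations.

Added example for the MAC filtering thread; not pfSense code.  The ARP
lines are constructed in the style of FreeBSD's `arp -an` output (format
assumed) and the reservation table is made up.
"""
import re
from collections import defaultdict

# Constructed static DHCP reservations: MAC -> IP.
RESERVATIONS = {
    "00:0c:29:11:22:33": "192.168.1.20",
    "00:0c:29:44:55:66": "192.168.1.21",
    "00:0c:29:77:88:99": "192.168.1.22",
}

# Constructed ARP table snapshot.
ARP_SNAPSHOT = """\
? (192.168.1.1) at 00:0c:29:aa:bb:cc on em1 permanent [ethernet]
? (192.168.1.20) at 00:0c:29:11:22:33 on em1 expires in 1180 seconds [ethernet]
? (192.168.1.21) at 00:0c:29:de:ad:01 on em1 expires in 900 seconds [ethernet]
? (192.168.1.22) at 00:0c:29:77:88:99 on em1 expires in 700 seconds [ethernet]
? (192.168.1.50) at 00:0c:29:77:88:99 on em1 expires in 650 seconds [ethernet]
? (192.168.1.60) at 00:0c:29:fe:ed:02 on em1 expires in 300 seconds [ethernet]
"""

ARP_RE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})")


def parse_arp(text):
    """Return a list of (ip, mac) pairs from the snapshot; skips unparsable lines."""
    return [(m.group("ip"), m.group("mac").lower())
            for m in (ARP_RE.search(line) for line in text.splitlines()) if m]


def audit(arp_pairs, reservations=RESERVATIONS, gateway="192.168.1.1"):
    """Classify each ARP entry against the reservation table.

    Returns a dict with three lists:
      mismatch  - (ip, expected_mac, seen_mac): reserved IP answered by another MAC
      duplicate - (mac, [ips]): one MAC answering for more than one IP
      unknown   - ip: no reservation at all (what "deny unknown clients" would drop)
    """
    by_ip = {ip: mac for mac, ip in reservations.items()}
    macs_for = defaultdict(set)
    report = {"mismatch": [], "duplicate": [], "unknown": []}
    for ip, mac in arp_pairs:
        if ip == gateway:               # the firewall's own LAN address
            continue
        macs_for[mac].add(ip)
        expected = by_ip.get(ip)
        if expected is None:
            report["unknown"].append(ip)
        elif expected != mac:
            report["mismatch"].append((ip, expected, mac))
    for mac, ips in macs_for.items():
        if len(ips) > 1:
            report["duplicate"].append((mac, sorted(ips)))
    return report


if __name__ == "__main__":
    for kind, items in audit(parse_arp(ARP_SNAPSHOT)).items():
        for item in items:
            print(f"{kind:9} {item}")
```

None of these findings is proof of anything on its own (a replaced NIC produces a mismatch, a host with two addresses produces a duplicate), but they are the observable side of the spoofing that a MAC rule cannot see, and they give the switch port-security step in the reply something concrete to act on.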



Re: [pfSense Support] Simple question...Setting LANS Default GW

2009-02-19 Thread Gary Buckmaster

Marty Nelson wrote:


I know, I know stupid question.

 


Is the default gateway the WAN address?  If not, where is it located?

 

 


Thanks,

 


-M


The default gateway is the default route for traffic on that network 
segment to reach all remote network segments not otherwise specified in 
the routing table.  So if you're trying to route traffic from your 
pfSense box out to the Internet, the default gateway will be the next 
hop on your WAN subnet's network (hint: this address is provided by your 
ISP).  If, on the other hand, you're trying to handle routing for your 
LAN clients, the normal default gateway is going to be the LAN IP 
address of your pfSense box. 






Re: [pfSense Support] Re: hard drive install failure

2009-02-18 Thread Gary Buckmaster

I assume you've already followed this:

http://doc.pfsense.org/index.php/Boot_Troubleshooting

Nick Upson wrote:

the 320 Gb drive works fine for a fedora 8 install

the smaller drives both would have had to fail at exactly the same
place which seems unlikely

2009/2/18 RB aoz@gmail.com:
  

On Wed, Feb 18, 2009 at 09:27, Nick Upson nick.up...@gmail.com wrote:


anyone?
  

Most probably didn't respond because your description of the problem
seemed pretty obvious that you have a hard drive failure.  pfSense
uses modern FreeBSD under the hood, and there's no reason a 320GB
drive would be too large.

If the drive works anywhere else, it might be cause for concern with
pfSense; otherwise, installing on the smaller (more importantly,
different) drive didn't prove anything.








Re: [pfSense Support] Support CARP active/active

2009-02-16 Thread Gary Buckmaster

cassio lima wrote:
hi friends

Does pfSense support CARP in active/active mode, and how can I 
configure it?
No, it does not support active/active. 






Re: [pfSense Support] pfsense and relayd

2009-02-06 Thread Gary Buckmaster

Yes, it's in 2.0

Paul Mansfield wrote:

the load balancing feature in pfsense is a little bit basic.

is anyone working on a port/package of relayd, and if so, how well does
it work?

found some recent news about it in an openbsd blog
http://www.bsdlover.cn/html/54/n-1154.html


thanks








Re: [pfSense Support] Load balancer

2009-02-06 Thread Gary Buckmaster

Hiren Joshi wrote:

Hello all,
 
I'm using pfsense to firewall at the moment but pass all the http 
traffic to an internal load balancer (nginx). My question is, would it 
be possible to replace nginx with pfsense and how would the two 
compare in terms of performance?
 
Many thanks,

Josh.
We use pfSense to load balance 65 million requests daily to a cluster of 
HTTP servers on fairly minimal hardware.  Performance for us has been 
excellent.  I can't speak to nginx, never heard of it and I've not had 
reason to look past pfSense for our needs. 






Re: [pfSense Support] Stuck on boot

2009-01-29 Thread Gary Buckmaster

k_o_l wrote:


Can’t get further than

Pfsense/i386 boot

Default: 0:ad(0,a)/boot/loader

Boot:

Could you be more specific with your issue? What version of pfSense? 
What hardware are you using? Is this an install or just a LiveCD? Have 
you already worked through the Boot Troubleshooting section of the FAQ?






Re: [pfSense Support] DMZ to LAN access

2009-01-07 Thread Gary Buckmaster

Peter Todorov wrote:

Hello,
I have a LAN that has 192.168.2.0/24 and a DMZ 
(second LAN) with 192.168.4.0/24

How can I access LAN from DMZ?
pfsense 1.2 - dual WAN configuration.
Thank you in advance for answers.

--
honesty is not a vice
 
Typically this is inadvisable from a security standpoint.  However, in 
order to allow it, create firewall rules on your DMZ interface with the 
destination IP of the machine(s) you want to send to. 





Re: [pfSense Support] Really need some help

2009-01-07 Thread Gary Buckmaster
Is there a reason you haven't upgraded?  Especially since 1.2 was 
released well over a year ago, and now 1.2.1 is up with increased 
support.  Before chasing issues down rabbit holes, I would 
encourage you to consider upgrading, especially when 1.2.2 is released 
here in the next few days. 



Atkins, Dwane P wrote:


We have 1.2 RC2 installed on a Dell server.  Periodically, it locks up 
solid.  You can web into it, but when you go to see how many users 
there are on the Captive Portal, it locks up.  It will show you the 
number of users but will not display the list. 

 


Can I look for a log somewhere that will give me this error message?

 

I have not upgraded to the full version yet. 

 


Any help would be greatly appreciated.


Dwane

 


*Dwane Atkins*

*Senior Network Analyst*

*IMS-System & Network Operations*

*University of Texas Health Science Center at San Antonio*

*Tel: 210-567-0158*

*http://ims.uthscsa.edu/*

 

 






Re: [pfSense Support] Zabbix Agent package on 1.2.1

2009-01-06 Thread Gary Buckmaster

Tim,

The Zabbix agent package has been broken for quite some time.  I've 
recommended before that it be removed entirely.  The zabbix agent itself 
doesn't work well with FreeBSD and so you're unlikely to get much use 
out of it. 


-Gary

Tim Nelson wrote:

Good morning/afternoon/evening-

I've recently tried installing the Zabbix Agent package on a fresh 1.2.1 
installation and it appears to have some 'issues'. Namely, one issue. It 
doesn't install at all. The output from the installation session:

Downloading package configuration file... done.
Saving updated package information... done.
Downloading Zabbix Agent and its dependencies... done.
Checking for successful package installation... failed!
Installation aborted.

It happens rather quickly too leading me to believe that no packages are 
actually downloaded and it tries to continue installation anyways. Does anyone 
have some pointers?

Thanks!

Tim Nelson
Systems/Network Support
Rockbochs Inc.
(218)727-4332 x105






  






Re: [pfSense Support] Zabbix Agent package on 1.2.1

2009-01-06 Thread Gary Buckmaster
Is there anyone here who is actually using Zabbix in production and 
monitoring FreeBSD boxes with it?  I know it looks like a shiny toy, but 
I'm telling you that the reality is far less.  The monitoring is limited 
at best for linux, and almost completely unusable without major 
customization for FreeBSD.  I agree that having a nice centralized 
monitoring system to use with pfSense would be nice, but our extensive 
experience evaluating Zabbix led us to the conclusion that it's not 
ready for prime time. 


Tim Nelson wrote:
Part of the intrigue for me was a nice consolidated interface for 
everything. With Nagios, you still really need Cacti to make it fully 
functional. Plus, the zabbix-agent allows for an even wider scope of 
monitoring versus plain old network/ping/snmp checks. I've tried the 
Nagios/Cacti route and just didn't like it.


- Curtis LaMasters wrote:
 Just curious, what does Zabbix do that Nagios does not?

Curtis LaMasters
 http://www.curtis-lamasters.com
 http://www.builtnetworks.com


On Tue, Jan 6, 2009 at 12:48 PM, Nathan Eisenberg 
nat...@atlasnetworks.us wrote:



Tim,

 Zabbix does support SNMP checks and TCP/IP via zabbix-server
originated pings and port checks.


 -Original Message-
 From: Tim Nelson [mailto:tnel...@rockbochs.com]
 Sent: Tuesday, January 06, 2009 10:45 AM
 To: support@pfsense.com
 Subject: Re: [pfSense Support] Zabbix Agent package on 1.2.1

 Thank you all for the responses!

 I thought that the Zabbix Agent package may be out of date but
it did list it as being 'up to par' with version 1.2.1 of pfSense
in the packages page. Apparently it is incorrect. Well, back to
the drawing board. Checking to see if Zabbix supports plain
TCP/UDP port monitoring, content checking, and SNMP polling...

 OT
 I've been using JFFNMS for quite some time as a monitoring
solution. It works well as long as you don't mind running PHP4 and
MySQL4 on an older box. The latest version has some serious issues
(Google jffnms admin structure not found) which haven't been
fixed and the project is nearly dead. It's time to move on...
 /OT

 Tim Nelson
 Systems/Network Support
 Rockbochs Inc.
 (218)727-4332 x105

 - Nathan Eisenberg nat...@atlasnetworks.us wrote:

  Throwing my hat in the ring here - we have several zabbix servers
  deployed in production.  It is very good; it is easy to set it
up to
  get emails on disk failures, raid rebuilds, individual fan
failures;
  pretty much anything you might want to hear about.
 
  Plus having anything you else you can imagine on a graph is pretty
  nice.
 
  -Original Message-
  From: Paul Mansfield [mailto:it-admin-pfse...@taptu.com]
  Sent: Tuesday, January 06, 2009 10:34 AM
  To: support@pfsense.com
  Subject: Re: [pfSense Support] Zabbix Agent package on 1.2.1
 
  Tim Nelson wrote:
   I've recently tried installing the Zabbix Agent package on a
fresh
  1.2.1 installation and it appears to have some 'issues'.
Namely, one
  issue. It doesn't install at all. The output from the installation
  session:
 
  we too would be interested in this, as we're trialling zabbix in
  place
  of cacti and nagios
 
 

 

Re: [pfSense Support] Error thrown only for a URL

2008-12-31 Thread Gary Buckmaster
The error, as quite clearly shown, is DNS related and very likely 
specific to that network.  This isn't a pfSense problem, it's a DNS 
problem.  Incidentally, you're running 1.2.  Upgrade.  1.2.1 is out. 


jose thomas wrote:

Thank you Christopher,

Thank you for your mail.
In fact my other pfSense 1.2 box, connecting from another network, 
works fine.
The only difference is that the network which has squid enabled 
has the problem for only www.nytimes.com. I didn't see any 
other site show this type of error.


With Best Regards
Jose



On Wed, Dec 31, 2008 at 5:55 PM, Christopher Iarocci 
ciaro...@tfop.net wrote:


Jose,

 


I'm not sure I can help you figure out why it is not working for
you, but I can tell you this which might help you eliminate
certain things.

 


I have version 1.2.1 release of PFSense running with squid and
squidguard.  Both nytimes.com and www.nytimes.com work fine for me.  I used
firefox on a windows computer to test it.  My DNS servers are
internal on the network and my PFSense box also uses the internal
DNS server.

 


Christopher Iarocci

Network Solutions Manager

Twin Forks Office Products

631-727-3354

 


*From:* jose thomas [mailto:tk.j...@gmail.com]
*Sent:* Wednesday, December 31, 2008 8:21 AM
*To:* support@pfsense.com
*Subject:* [pfSense Support] Error thrown only for a URL

 


Hello,

I have installed pfSense 1.2 for our office network and it is
working perfectly with squid configured.
However, I am facing a problem with a single site: www.nytimes.com.
The following error is thrown immediately on entering the URL
http://www.nytimes.com

The error is Network Error (dns_server_failure)
Your request could not be processed because a error occurred
contacting the DNS server.
The DNS server may be temporarily unavailable, or there could be a
network problem.

If I try nytimes.com it works.
www.nytimes.com is pingable, and reachable via traceroute, from my PC
as well as from the pfSense box.

Can anybody suggest how to resolve this?

TIA
Jose

-- 
Mobile: +971-50-9943477

Office: +971-4-4370703
Residence: +971-4-2232044





 






-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org



Re: [pfSense Support] PFSense 1.2 - 1.2.1 upgrade, dashboard gone?

2008-12-29 Thread Gary Buckmaster
If you edit your config.xml manually (which you typically shouldn't do) 
you will also have to remove the /tmp/config.cache file in order for the 
changes to be picked up. 


Emanuele Baglini wrote:


Hi,
Try to remove the dashboard package.
Edit your configuration file and remove the dashboard section. 
Reinstall the package.


Bye

*From:* Chris Myers [mailto:cmy...@mail.millikin.edu]
*Sent:* Monday, December 29, 2008 3:31 AM
*To:* support@pfsense.com
*Subject:* [pfSense Support] PFSense 1.2 - 1.2.1 upgrade, dashboard gone?

 


Hi all!

 

I have a quick question.  Before I upgraded to 1.2.1, I had the 
dashboard working properly on version 1.2.  However, after the 
upgrade, I'm just presented with the generic System Overview page 
instead of the dashboard.  I've tried going in and reinstalling the 
package itself as well as the package's GUI components on the 
'Installed Packages' tab (both of which say they succeeded) but when 
I go back to where the dashboard should be, I still just have the 
generic System Overview.  I also don't have a Dashboard menu item 
under Status anymore.


 

Other than that, 1.2.1 has been working fine for me thus far.  I 
looked on the support forums and saw one posting about this in RC2, 
but not much else.  Any ideas?  Should I just blow away the system and 
reinstall, then reload my config?


 


Chris

 






-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org



Re: [pfSense Support] import DHCP static IP mappings

2008-12-05 Thread Gary Buckmaster

Kirk Wight wrote:

Hello,
Is there any way to import or drop in an existing dhcpd.conf to 
pfSense, to avoid having to enter dozens of static IP mappings in the 
GUI? I've tried simply adding my existing mappings to the pfSense 
/var/dhcpd/etc/dhcpd.conf, but they don't show up in the GUI... does 
the GUI tie in somewhere else?

Merci,
Kirk




Kirk Wight
Administrateur de systèmes / Systems Administrator
[EMAIL PROTECTED]

Diving Horse Creations
356, rue Le Moyne, bureau 100
Montréal (Québec)  H2Y 1Y3
Tél. : (514) 844-8673 p202
Fax : (514) 844-9503







No there isn't.  Everything in pfSense relies on the config.xml page.  
If you simply drop in your existing config, it will be overwritten.





-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Commercial support available - https://portal.pfsense.org



Re: [pfSense Support] Policy Routing and Re-Direct Question

2008-12-03 Thread Gary Buckmaster
It can be done, although not if the proxy machine is inside your LAN.  
It would need to live on a separate network segment (i.e. a DMZ).  In this 
case, yes, it's possible to redirect outbound traffic for TCP 80 to the 
proxy machine, do your content filtering and pass it on.  You cannot 
transparently proxy SSL traffic in this manner, however, due to the fact 
that the streams are encrypted. 


-Gary

Vaughn L. Reid III wrote:

Hello, I have a policy routing and re-direct question.

Is it possible in PFSense to do something like the following:

A request comes to PFSense on the internal LAN interface on port 80 or 
port 443.  Instead of passing this out WAN to the Internet, can the 
traffic, instead, be re-directed to a different port number of another 
internal machine (e.g. a proxy server or content filter)?


ASCII art example:
LAN network workstation port 80 or 443 request -> PFSense LAN 
interface -> internal PFSense rules, etc. -> redirected back out an 
interface to a 2nd internal network machine which would then either 
serve the content or fetch it from the Internet


I'm asking this to see if it is feasible to set up a traditional proxy 
server/content filter in a way to avoid having to configure proxy 
settings on each client machine.  I'm also wanting to keep the 
proxying and content filtering off of the gateway routers.  If it 
would make things easier, the 2nd machine could live on a different 
PFSense interface.


Thanks for your help.

Vaughn Reid III












-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Commercial support available - https://portal.pfsense.org



Re: [pfSense Support] pfSense stable version

2008-11-21 Thread Gary Buckmaster

Dwane,

For that device, you definitely want to use the 1.2.1-RC2 image. 


Atkins, Dwane P wrote:


I am using a Dell R200 and I would like to know what is the most 
stable version of pfSense that we should use?


 

At one point, we had downloaded 1.2 and had issues installing this on 
the R200 because I believe it was the SATA drives?  There was a 
snapshot available and someone provided us with a link, but I cannot 
find the snapshot releases any longer.


 


Thanks for the help.


Dwane

 

 






-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Commercial support available - https://portal.pfsense.org



Re: [pfSense Support] embedded pfsense and external squid ... how?

2008-11-14 Thread Gary Buckmaster
Important point of note, you cannot transparently redirect SSL encrypted 
traffic to squid for caching.  Squid can't look inside an SSL tunnel and 
so the connections will simply break.  Otherwise, Angelo's correct, this 
is the way to transparently redirect to an external squid box. 


Angelo Turetta wrote:

David Meireles wrote:
In pfSense's DHCP Server config, put the squid server's IP address as 
the gateway.


David, you are either joking, or crazy... :)

LARTC, Add a redirect on LAN interface from LAN to any port 80, 
internal address proxy. If you need 443 (or 8080), create an alias and 
use that in the redirect rule.

Remember to pass traffic from the proxy to the internet (on DMZ)

Angelo.












-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Commercial support available - https://portal.pfsense.org



Re: [pfSense Support] VLAN Troubles with Cisco 3550

2008-10-14 Thread Gary Buckmaster

What version of pfSense are you running?  1.2-Release? 1.2.1-RC?

Fredrik Rambris wrote:

Hello

Searched through the list and found many posts on VLAN. To my 
knowledge I have done what I think is correct but packets won't go 
through. I can see in the pfSense logs that packets do get in on the 
right VLAN interface but that's about it.


bge0 is WAN
bge1 is LAN

I have defined two VLANs (201 and 202) and added them as interfaces
VLAN201 10.150.1.1
VLAN202 10.150.2.1

! This is where bge0 is connected
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no ip address
!
! attached to machine b (10.150.2.10)
interface FastEthernet0/17
 switchport access vlan 202
 no ip address
!
! attached to machine a (10.150.1.10)
interface FastEthernet0/31
 switchport access vlan 201
 no ip address


I have added an allow anything anywhere rule on each VLAN interface 
(and WAN too)


When I ping the firewall from machines a or b the log says something 
along the lines of

Oct 14 18:12:42   VLAN202   10.150.2.10   10.150.2.1   ICMP
But no replies come back. I cannot ping the machines from pfSense either.

So packets get tagged and understood on the way TO pfSense, but some 
error happens the other way.


What I do get on machine A and B is some Cisco packets:

Capturing on eth1
  0.00 Cisco_e1:b1:8d - Spanning-tree-(for-bridges)_00 STP Conf. 
Root = 32970/00:09:b7:e1:b1:80  Cost = 0  Port = 0x800d
  1.999793 Cisco_e1:b1:8d - Spanning-tree-(for-bridges)_00 STP Conf. 
Root = 32970/00:09:b7:e1:b1:80  Cost = 0  Port = 0x800d

  2.791435 Cisco_e1:b1:8d - Cisco_e1:b1:8d LOOP Reply
  3.999626 Cisco_e1:b1:8d - Spanning-tree-(for-bridges)_00 STP Conf. 
Root = 32970/00:09:b7:e1:b1:80  Cost = 0  Port = 0x800d
  5.999456 Cisco_e1:b1:8d - Spanning-tree-(for-bridges)_00 STP Conf. 
Root = 32970/00:09:b7:e1:b1:80  Cost = 0  Port = 0x800d
  7.999297 Cisco_e1:b1:8d - Spanning-tree-(for-bridges)_00 STP Conf. 
Root = 32970/00:09:b7:e1:b1:80  Cost = 0  Port = 0x800d
  9.999141 Cisco_e1:b1:8d - Spanning-tree-(for-bridges)_00 STP Conf. 
Root = 32970/00:09:b7:e1:b1:80  Cost = 0  Port = 0x800d
 11.998963 Cisco_e1:b1:8d - Spanning-tree-(for-bridges)_00 STP Conf. 
Root = 32970/00:09:b7:e1:b1:80  Cost = 0  Port = 0x800d

 12.790606 Cisco_e1:b1:8d - Cisco_e1:b1:8d LOOP Reply
 13.998792 Cisco_e1:b1:8d - Spanning-tree-(for-bridges)_00 STP Conf. 
Root = 32970/00:09:b7:e1:b1:80  Cost = 0  Port = 0x800d
 15.998627 Cisco_e1:b1:8d - Spanning-tree-(for-bridges)_00 STP Conf. 
Root = 32970/00:09:b7:e1:b1:80  Cost = 0  Port = 0x800d
 17.166677 Cisco_e1:b1:8d - CDP/VTP/DTP/PAgP/UDLD CDP Device ID: 
Switch  Port ID: FastEthernet0/17
 17.998475 Cisco_e1:b1:8d - Spanning-tree-(for-bridges)_00 STP Conf. 
Root = 32970/00:09:b7:e1:b1:80  Cost = 0  Port = 0x800d
 19.998302 Cisco_e1:b1:8d - Spanning-tree-(for-bridges)_00 STP Conf. 
Root = 32970/00:09:b7:e1:b1:80  Cost = 0  Port = 0x800d

14 packets captured





Any hints, tips, clues?






-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [pfSense Support] Ipsec over LAN

2008-10-14 Thread Gary Buckmaster
Is there a particular reason you need this traffic to be encapsulated?  
At first blush, this would seem to be a pretty standard routing problem, 
easily solvable with static routes.  Unless there's some very specific 
reason for needing the encryption.


-Gary

BSD Wiz wrote:
It's on my corporate network; both WAN interfaces of the pfSense box 
are on the same private IP subnet. We built 2 labs using pfSense and 
now we want to connect the two labs. I haven't had any luck getting 
them to work yet...
The reason I've asked the question is because I have several 
site-to-site VPNs over the internet up and running and never had any 
problems with them, but I can't get this LAN setup to work. So if I 
know it should work I'll keep playing with it.


thanks,

-phil




On Oct 14, 2008, at 4:30 PM, Chris Buechler wrote:


On Tue, Oct 14, 2008 at 2:59 PM, BSD Wiz [EMAIL PROTECTED] wrote:
To be clear, both boxes' LANs are on different subnets of course, but 
the WANs are on the same subnet.



If they're on the same ISP with privately addressed WANs that will
work, if they allow routing between customers.  If it's two different
ISPs you aren't going to be able to connect them with private WAN IPs
since they aren't routable across the Internet.





-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [pfSense Support] Very urgent - DHCP server failure

2008-10-07 Thread Gary Buckmaster
That's a pretty helpful log message.  Looks like you declared a failover 
peer incorrectly.  Please review your configuration with that in mind.


Matias Surdi wrote:

Hi,

I'm using pfSense 1.2, and suddenly DHCP seems to have stopped 
working. On the system log, I see the following:


Oct 7 22:23:34 dhcpd: Internet Systems Consortium DHCP Server V3.0.5
Oct 7 22:23:34 dhcpd: Copyright 2004-2006 Internet Systems 
Consortium.

Oct 7 22:23:34 dhcpd: All rights reserved.
Oct 7 22:23:34 dhcpd: For info, please visit 
http://www.isc.org/sw/dhcp/
Oct 7 22:23:34 dhcpd: failover peer declaration with no referring 
pools.
Oct 7 22:23:34 dhcpd: In order to use failover, you MUST refer to 
your main failover declaration
Oct 7 22:23:34 dhcpd: in each pool declaration. You MUST NOT use 
range declarations outside

Oct 7 22:23:34 dhcpd: of pool declarations.




Any idea?







-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
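
Kirk's dhcpd.conf import question earlier on this page (where Gary notes that everything comes from config.xml) and the failover log in this thread both come down to reading the structure of a dhcpd.conf. The block below is an added example, not code from the list or from pfSense: it parses a constructed dhcpd.conf, turns its host blocks into the <staticmap> entries config.xml carries under <dhcpd> (element names are my assumption from a 1.2 backup), and lints for the two failover mistakes the log names. The peer name, hostnames and addresses are made up for the demo.

```python
import re
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample dhcpd.conf (not from the list thread); %s takes the range
# declaration so the broken and fixed variants differ only in where it lives.
CONF_TEMPLATE = """
failover peer "office" { primary; address 192.0.2.1; peer address 192.0.2.2; }
subnet 192.0.2.0 netmask 255.255.255.0 {
    %s
    host printer { hardware ethernet 00:11:22:33:44:55; fixed-address 192.0.2.20; }
    host nas     { hardware ethernet 00:11:22:33:44:66; fixed-address 192.0.2.21; }
    host bogus   { hardware ethernet not-a-mac; fixed-address 192.0.2.999; }
}
"""
# Range at subnet level: the shape dhcpd rejects in the log above.
BROKEN_CONF = CONF_TEMPLATE % "range 192.0.2.100 192.0.2.200;"
# Range inside a pool that refers to the peer, as the log demands.
FIXED_CONF = CONF_TEMPLATE % 'pool { failover peer "office"; range 192.0.2.100 192.0.2.200; }'
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)

def _tokens(text):
    """Split dhcpd.conf into statement text, '{', '}' and ';' (comments dropped)."""
    return [t.strip() for t in re.split(r"([{};])", re.sub(r"#.*", "", text)) if t.strip()]

def _parse(toks, i=0):
    """Recursive descent: nodes are ('stmt', text, None) or ('block', head, children)."""
    nodes = []
    while i < len(toks):
        tok = toks[i]
        if tok == "}":
            return nodes, i + 1
        nxt = toks[i + 1] if i + 1 < len(toks) else ";"
        if nxt == "{":
            children, i = _parse(toks, i + 2)
            nodes.append(("block", tok, children))
        else:
            nodes.append(("stmt", tok, None))
            i += 2 if nxt == ";" else 1
    return nodes, i

def parse_dhcpd(text):
    return _parse(_tokens(text))[0]

def _walk(nodes, parent=None):
    # Yield (node, enclosing block) for every node, depth first.
    for node in nodes:
        yield node, parent
        if node[0] == "block":
            yield from _walk(node[2], node)

def host_staticmaps(nodes):
    """Return (accepted, rejected) lists of (hostname, mac, ip); bad entries stay out of config.xml."""
    accepted, rejected = [], []
    for node, _ in _walk(nodes):
        if node[0] != "block" or not node[1].startswith("host "):
            continue
        name, mac, ip = node[1].split(None, 1)[1], None, None
        for kind, text, _c in node[2]:
            words = text.split() if kind == "stmt" else []
            if words[:2] == ["hardware", "ethernet"] and len(words) == 3:
                mac = words[2].lower()
            elif words[:1] == ["fixed-address"] and len(words) == 2:
                ip = words[1]
        try:  # a malformed MAC short-circuits; a malformed address raises ValueError
            valid = bool(mac and MAC_RE.match(mac)) and bool(ipaddress.IPv4Address(ip or ""))
        except ValueError:
            valid = False
        (accepted if valid else rejected).append((name, mac, ip))
    return accepted, rejected

def staticmap_xml(maps):
    """<staticmap> entries as under <dhcpd><lan> in config.xml (element names assumed from a 1.2 backup)."""
    lan = ET.Element("lan")
    for name, mac, ip in maps:
        sm = ET.SubElement(lan, "staticmap")
        ET.SubElement(sm, "mac").text = mac
        ET.SubElement(sm, "ipaddr").text = ip
        ET.SubElement(sm, "hostname").text = name
    return ET.tostring(lan, encoding="unicode")

def lint_failover(nodes):
    """Report a declared peer no pool refers to, and any range declared outside a pool."""
    peers = {n[1].split(None, 2)[2] for n, _ in _walk(nodes)
             if n[0] == "block" and n[1].startswith("failover peer ")}
    if not peers:
        return []  # failover not in use, nothing to check
    problems, referred = [], set()
    for node, parent in _walk(nodes):
        if node[0] != "stmt":
            continue
        in_pool = parent is not None and parent[1] == "pool"
        if node[1].startswith("failover peer ") and in_pool:
            referred.add(node[1].split(None, 2)[2])
        elif node[1].startswith("range ") and not in_pool:
            problems.append("range declared outside a pool: " + node[1])
    problems += ["failover peer %s has no referring pool" % p for p in sorted(peers - referred)]
    return problems
```

After merging generated entries into a config.xml by hand, remember Gary's note above: remove /tmp/config.cache so the change is picked up.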



Re: [pfSense Support] dansguardian + pfsense

2008-09-23 Thread Gary Buckmaster

Koray AGAYA wrote:

 Hi All,

I searched the internet but I didn't find anything about pfs+dansguardian. Has 
anybody installed dansguardian manually on pfsense? Please help me. Or 
can you recommend any other content filter package?


Thank you

There is already a squid and squidGuard package available for pfSense. 


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [pfSense Support] blocking china

2008-09-23 Thread Gary Buckmaster

Chris Buechler wrote:

On Tue, Sep 23, 2008 at 10:40 AM, Derrick Conner [EMAIL PROTECTED] wrote:
  

  For some reason, some of the messages in here get sent to junk mail.




Gmail has been sending about 10-20% of the list messages to spam the
past week or so for me. I changed my filter for the lists to never
move to spam, and it's been showing this message not marked as spam
because of a filter on 10-20% of messages. Nothing has changed on our
end, and I checked to see if we somehow got blacklisted somewhere but
that's not the case.

If anybody has an idea why this has started happening recently please
let me know.


  
I would suspect that enough people who subscribed to the list, and who 
are too lazy to unsubscribe simply pressed the tag as spam button on 
list emails so they didn't have to see them anymore.  It's common 
enough, and very annoying. 


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [pfSense Support] multi-wan / ha

2008-09-18 Thread Gary Buckmaster

JJB wrote:
Any issues to look out for when configuring dual redundant pf 
firewalls load balancing to multiple wan connections? In our case a 
3mb line and a 3mb dsl line. We have LAN, WAN and DMZ interfaces on 
the pf firewall. We were attempting to use QOS until someone on the 
list hipped us that QOS doesn't work with more than two interfaces. 
Just wondering if anything is waiting to bite us when we go live with 
the config.


- Joel





Joel,

Excepting that the traffic shaper doesn't work with a multi-wan 
configuration in the 1.2 series, you should have no difficulty with the 
rest of your setup.  CARP clustering works fine with multi-WAN.  I would 
encourage you to set up your primary firewall first, configure your 
multi-WAN and load balanced setup before bringing in the secondary CARP 
member. 


-Gary

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [pfSense Support] PF and UT not working

2008-08-01 Thread Gary Buckmaster

ram wrote:



On Wed, Jul 30, 2008 at 7:03 PM, Curtis LaMasters 
[EMAIL PROTECTED] wrote:


This may have been beaten to death by now but if UT is truly in a
bridge mode, you shouldn't need an IP address on it except for
management.  If that is the case, I could change the IP of UT to
something in the private range and see if your issues clear up. 
What is your internet connection?  I am going to assume a cable or

DSL modem of some sort.  What may be happening is your cable modem
sees the IP of your PF box and the MAC of your UT box and somehow
is not getting the rest of the ARP information.

 
 
Hi,

Yes, as per the suggestion I have changed the UT box IP to another range 
for checking,
but I still get authentication success, and it takes a lot of time to 
resolve the domain, and then loses the connection.

I have dedicated Internet, and my own DNS server in my network.
If I remove UT from the network I can get all the things working perfectly 
without any issue,

but when I involve UT in bridge mode I am having this problem.

But when I add UT in bridge mode with CP, it works like a charm.

But I am adding pfSense to my network for load balancing, failover and 
captive portal,

since UT does not have the capabilities to do the job I am looking for.

Any suggestions are most welcome.

ram
This thread has gone way past pfSense support and now into the realms of 
UT support.  Since the problem, at least from what we are able to 
surmise from the small amount of substance in your posts, seems to be 
entirely with UT, I'd encourage you to take up this conversation with 
the UT community. 


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [pfSense Support] IPv6

2008-08-01 Thread Gary Buckmaster

Ihsan Dogan wrote:

Hello,

Are there any plans to improve the IPv6 support of pfSense?




Ihsan

Currently none of the developers has an IPv6 network with which to do 
testing.  There have been a number of queries on this subject, including 
a fairly long thread on this mailing list.  For further details, I'd 
encourage you to review the archives of this thread. 


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [pfSense Support] Snort Install Missing

2008-07-31 Thread Gary Buckmaster

DLStrout wrote:
I was just wondering if there was something drastically broken in the 
past latest release?  Why the removal (just too far out of date?)


I uninstalled on a test box and I can't even get it back in its old 
version/state... is there a reason that the older version wasn't left 
available?  Seems that older is better than nothing (unless of course 
drastically broken/flawed).


Just wondering.
--
David L. Strout
Engineering Systems Plus, LLC

No, the snort package no longer had an active maintainer, was out of 
date, broken and a source of much angst in the support forum.  The 
policy of the pfSense developers has been to remove un-maintained, 
broken packages.  Since there are a lot of people who want to see this 
package fixed and maintained, it has been suggested that a bounty be put 
together to get the snort package fixed and updated.  Something similar 
happened with the squid package, very successfully. 


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [pfSense Support] Feature request - Installer logo/details

2008-07-17 Thread Gary Buckmaster

Paul Cockings wrote:
Instead of trying to 're-brand' pfsense with themes/skins etc., how 
about a provision in a future release to include an area where the 
person who is installing/maintaining the pfsense box can upload their 
own logo/contact/support details? Maybe space for a 300x200 logo, 
and a text area for details.  This would not affect a default install, 
any credit to the pfsense team, or trouble in-place upgrading.  The 
logo and details could be stored as part of the backup routine.


If you're hell-bent on taking the credit from pfsense then you're free to 
customise a theme etc., but I think 99% of users would be happy with 
this feature suggestion, allowing both parties to represent their efforts.





Centipede networks sponsored a project for 1.3 that makes rebranding 
pfSense builds extremely easy.  In 1.3 and beyond, it's simply a matter 
of changing a single configuration file option and putting in your own 
theme(s).  From there you can build your own re-branded pfSense images 
as you normally would.  It's really that simple.


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [pfSense Support] LOCKWARNING and LOCKERROR messages

2008-07-15 Thread Gary Buckmaster

Arnel B. Espanola wrote:

Hello,

Please advise how can I permanently stop this issue from happening. 
This occurs once or twice a month. And to fix it I have to clear the 
lock as suggested in this link:


http://forum.pfsense.org/index.php/topic,8152.0.html

Go to Diagnostics > Command in the web gui and run the following 
command.

rm /var/run/captiveportal.lock

I would appreciate if anyone has found a permanent solution on this 
and share it with me so as to prevent it from happening as it becomes 
nuisance.


Thanks,
Arnel

Jul 13 09:58:22 captiveportal logportalauth[74546]: LOCKERROR: waiting 
for lock for 10 minute/s - EXITING PROCESS!
Jul 13 09:58:22 captiveportal logportalauth[74546]: LOCKWARNING: 
waiting for lock for 10 minute/s!
Jul 13 09:57:22 captiveportal logportalauth[74546]: LOCKWARNING: 
waiting for lock for 9 minute/s!
Jul 13 09:56:22 captiveportal logportalauth[74546]: LOCKWARNING: 
waiting for lock for 8 minute/s!
Jul 13 09:55:22 captiveportal logportalauth[74546]: LOCKWARNING: 
waiting for lock for 7 minute/s!
Jul 13 09:54:22 captiveportal logportalauth[74546]: LOCKWARNING: 
waiting for lock for 6 minute/s!
Jul 13 09:53:22 captiveportal logportalauth[74546]: LOCKWARNING: 
waiting for lock for 5 minute/s!
Jul 13 09:52:22 captiveportal logportalauth[74546]: LOCKWARNING: 
waiting for lock for 4 minute/s!
Jul 13 09:51:21 captiveportal logportalauth[74546]: LOCKWARNING: 
waiting for lock for 3 minute/s!
Jul 13 09:50:21 captiveportal logportalauth[74546]: LOCKWARNING: 
waiting for lock for 2 minute/s!
Jul 13 09:49:21 captiveportal logportalauth[74546]: LOCKWARNING: 
waiting for lock for 1 minute/s!






Arnel,

What version of pfSense are you running?  Is it a full install or an 
embedded install?  What do the system resources look like at times when 
this is happening?  Are your CPU and memory pegged pretty hard?


-Gary

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [pfSense Support] Trying to rebrand pfsense

2008-07-09 Thread Gary Buckmaster
You realize that HEAD is the most distant and non-functional of the 
branches and is probably the worst possible candidate for re-branding 
and release, right?


Ahmed Abdallah wrote:
I'm trying to get the HEAD version of pfSense, so I added HEAD to 
PFSENSETAG in pfsense_local.sh. It worked but the resulting ISO did 
not contain PHP and the initialization scripts failed to start.
So, I tried to get it from git after restoring PFSENSETAG to RELENG_1_2 
by uncommenting USE_GIT, GIT_REPO, GIT_REPO_BSDINSTALLER and 
GIT_REPO_FREESBIE2. It built the ISO but when I booted it had a lot of 
errors, so I found out that the directory /usr/loca/lib/php/20060613 
is empty. Please, can anyone help me with a way to build the latest pfSense?


--
Ahmed Abdalla
--Systems Engineer
Linux-Plus Information Systems L.L.C
Tel : +20 2 2527 6616
EXT : 806
Fax : +20 2 2526 1055
Mobile : +20 10 688 9009
email : [EMAIL PROTECTED]
website : http://www.linux-plus.com 



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [pfSense Support] Error while building pfSense on FreeBSD 6.3 and 7

2008-07-01 Thread Gary Buckmaster
If you want to customize the web interface, you can do that on the 
working system, you don't need to build a new ISO for that.  Simply edit 
the php.  If you're trying to make a pfSense clone with your 
customizations, that's another thing entirely and then yes, you would 
need to be able to build.  The link that Bill provided you should be 
everything you need. 


Ahmed Abdallah wrote:


I want to add some customization in the web interface, so I guess I 
need to build pfSense.



Ahmed Abdalla
--Systems Engineer
Linux-Plus Information Systems L.L.C
Tel : +20 2 2527 6616
EXT : 806
Fax : +20 2 2526 1055
Mobile : +20 10 688 9009
email : [EMAIL PROTECTED]
website : http://www.linux-plus.com 



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [pfSense Support] Please don't switch to FreeBSD7 in pfSense1.2.1

2008-06-30 Thread Gary Buckmaster

Angelo Turetta wrote:

Chris Buechler wrote:

The serial console is your only concern? If that doesn't work with 7.0
and RELENG_1_2 for whatever reason we'll fix it.

We want to keep our latest stable release on the latest stable FreeBSD
release, but nothing is final on that yet.


Yes, I understand, but from FreeBSD6 to FreeBSD7 also the device 
drivers have changed so much and so has the scheduler, the memory 
allocation, the kernel threading


Angelo Turetta


IMNSHO, device driver changes and tracking something close to current 
are good things.  There are so many devices that just don't have decent 
support in FreeBSD6 and some devices are simply broken in FreeBSD6.  
Given that 1.3 is a long ways off, it would seem to make sense to have 
1.2.1 track the most current stable FreeBSD branch possible.  But then I 
tend to trust the pfSense devs' decision making process. I've never seen 
them push out a general release that was anything less than extremely 
stable. 


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [pfSense Support] Error while building pfSense on FreeBSD 6.3 and 7

2008-06-30 Thread Gary Buckmaster
Please read the support@ mailing list archives before posting.  In the 
past few days the developers wrote that they are in the middle of making 
a major migration of the source code and that the build process should 
be very broken for awhile.  In short, you will not be able to 
successfully build pfSense until their migration is finished and a new 
developer's ISO is built.  There is no timeline for when this will happen. 


Ahmed Abdallah wrote:
First of all I'd like to thank you guys for building such a wonderful 
application; really, it's very wonderful and your efforts are very 
appreciated.
Second, I've been trying to build a fresh pfSense following the guide 
at http://devwiki.pfsense.org/BuildingpFSense but I've faced a lot of 
problems.


1- Currently I'm building it on FreeBSD 6.3 and found a problem saying
"Find:: not found" error code 127, and it stopped in freesbie2.

2- I tried to build it on FreeBSD 7 and faced a lot of problems, like 
saying that the kernel option ALTQ-FAIRQ is unknown!!! and eventually 
decided to build it on FreeBSD 6.3


So, I've two questions:
1- What went wrong in no. 1? What does "Find:: not found" mean 
and how can I fix it?
2- Is building PFSense on FreeBSD 7 possible now or not, because of your 
repo migration from cvs to git??


Thanks and long live pfSense :)
--
Ahmed Abdalla
--Systems Engineer
Linux-Plus Information Systems L.L.C
Tel : +20 2 2527 6616
EXT : 806
Fax : +20 2 2526 1055
Mobile : +20 10 688 9009
email : [EMAIL PROTECTED]
website : http://www.linux-plus.com 



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [pfSense Support] Error while building pfSense on FreeBSD 6.3 and 7

2008-06-30 Thread Gary Buckmaster
Check out the 6/23 email from Chris Buechler entitled: build_iso.sh 
Error during compiling.




Ahmed Abdallah wrote:
Thanks Gary, and I surely read the mailing list, and found some stuff 
talking about that, but not in the past few days; I also found 
some guys talking about being able to build it successfully, so I 
didn't know if the building process is still broken or not. Anyway, 
thanks for the reply.



--
Ahmed Abdalla
--Systems Engineer
Linux-Plus Information Systems L.L.C
Tel : +20 2 2527 6616
EXT : 806
Fax : +20 2 2526 1055
Mobile : +20 10 688 9009
email : [EMAIL PROTECTED]
website : http://www.linux-plus.com 



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [pfSense Support] Non power user

2008-06-17 Thread Gary Buckmaster

Hiren Joshi wrote:

Hello all,
 
I know this goes against best practice but would it be possible to 
have a non-admin user for the web interface on pfSense? Basically I 
would like to allow people to see the RRD graphs but not be able to 
make any changes to the setup etc.
 
Any idea how this could be done?
 
Many Thanks,
 
Hiren.
This *exact* feature is coming in 1.3 as part of the user manager setup. 


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [pfSense Support] two gateways on the samen network

2008-06-16 Thread Gary Buckmaster

Matias Surdi wrote:
Suppose I've an OPT interface connected to a network where I've two 
other gateways; how can I do policy routing to these routers? As far 
as I can see, pfSense just allows one gateway per interface. Am I wrong?


Thanks a lot.



No, you're correct, one gateway per-interface is what it currently 
supports. 


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [pfSense Support] Re: two gateways on the samen network

2008-06-16 Thread Gary Buckmaster

Matias Surdi wrote:


But... I've just found System > Static Routes, which seems to 
do the job for me :-)


Thanks.


Yep, that's true.  If you only need static routes, then that'll work 
just fine.  That wasn't immediately clear from your initial email. 


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [pfSense Support] Snort / Squid /imspector startup

2008-06-09 Thread Gary Buckmaster

Brent,

This issue has been covered a few times in the forums with various 
causes and effects.  I recommend you check the forums out for further 
details.  Most problems with snort not blocking or detecting things boil 
down to not enough memory available to snort and/or the wrong detection 
heuristic being used.  Keep in mind that both squid and snort are VERY 
memory intensive applications and that if you don't have enough memory 
to feed the beasts, your results will be disappointing. 


-Gary

Brent wrote:

Hello.. I'm running pfsense 1.2 release, using it as a firewall / NAT. I'm also
using squid, snort, imspector. What seems to be happening is when I update
the rules for snort OR if I have to stop any of those services for any reason,
starting them up is always a pain, as usually squid starts up with no problem but
snort will say it's running and there will be a daemon in the process list
but it actually isn't doing anything. I can usually tell by the amount of
memory in use, as well as nothing gets logged in the system logs with regard to
snort. I usually have to stop & start all the services that I use in hopes
that snort will start up & work. My question is, is there a particular startup
order when starting snort / squid?

thank you

--
Brent 


- When the power of love overcomes
the love of power
the world will know peace -

Jimi Hendrix



  






Re: [pfSense Support] Why DHCP and portal logs are limited to 65535 octets?

2008-05-16 Thread Gary Buckmaster
This is intentional as part of the design of m0n0wall, which pfSense 
inherited.  pfSense uses clog for system logging and all logs are kept 
in a circular format so as not to consume limited disk space available 
to embedded systems.  The work-around for this is to use a remote syslog.


-Gary

[EMAIL PROTECTED] wrote:


As I have many connections, I can only see the last DHCP leases of the day. But 
I must be able to visualize the connections up to 1 year.


On Fri, 16 May 2008 04:04:29 -0400, Chris Buechler [EMAIL PROTECTED] wrote:
  

On Fri, May 16, 2008 at 3:44 AM,  [EMAIL PROTECTED] wrote:


Hello,

in /var/log/ the DHCP and portal auth logs are limited to 65535 octets.
  

So I can't read a lot of connections! Is it possible to bypass the limitation
(without a syslog server)?

That's the first I've heard of this.  Can you be more specific - what

does it show?






  



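Following on from the remote-syslog work-around Gary describes above, here is an added example (not pfSense's or m0n0wall's code) that turns dhcpd lines collected on a syslog server into a per-MAC lease history, the kind of year-long view the 65535-byte circular log cannot hold. The log lines are constructed in ISC dhcpd's DHCPACK format; the host name `pfsense` and interface `em1` are assumptions.

```python
"""Build a long-lived DHCP lease ledger from remotely syslogged dhcpd lines."""
import re
from collections import defaultdict

# Constructed sample of what a remote syslog server would have received
# from a pfSense box (host name and interface are assumed values).
SYSLOG_LINES = """\
May 16 03:58:01 pfsense dhcpd: DHCPREQUEST for 192.168.1.50 from 00:11:22:33:44:55 via em1
May 16 03:58:01 pfsense dhcpd: DHCPACK on 192.168.1.50 to 00:11:22:33:44:55 (laptop-a) via em1
May 16 09:12:44 pfsense dhcpd: DHCPACK on 192.168.1.51 to 66:77:88:99:aa:bb via em1
May 17 08:00:09 pfsense dhcpd: DHCPACK on 192.168.1.50 to 00:11:22:33:44:55 (laptop-a) via em1
May 17 08:05:30 pfsense dhcpd: DHCPACK on 192.168.1.52 to 00:11:22:33:44:55 (laptop-a) via em1
""".splitlines()

# DHCPACK is the only dhcpd message that confirms a lease was actually handed out;
# the hostname in parentheses is optional, so it is an optional group.
ACK_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dhcpd: DHCPACK on (?P<ip>\S+) "
    r"to (?P<mac>[0-9a-f:]{17})(?: \((?P<host>[^)]*)\))? via (?P<ifname>\S+)$"
)


def parse_acks(lines):
    """Yield one (timestamp, ip, mac, hostname, interface) tuple per DHCPACK line."""
    for line in lines:
        m = ACK_RE.match(line)
        if m:
            yield (m["ts"], m["ip"], m["mac"], m["host"] or "", m["ifname"])


def lease_ledger(lines):
    """Group confirmed leases by MAC address.

    For each MAC the ledger records every distinct (ip, hostname) it was
    given, keyed to the timestamp it was first seen holding that address.
    """
    ledger = defaultdict(dict)
    for ts, ip, mac, host, _ in parse_acks(lines):
        ledger[mac].setdefault((ip, host), ts)
    return ledger


def macs_that_moved(lines):
    """MACs that held more than one address over the retained period; this is
    exactly the history a small circular log would already have rotated away."""
    return sorted(mac for mac, leases in lease_ledger(lines).items() if len(leases) > 1)


if __name__ == "__main__":
    for mac, leases in lease_ledger(SYSLOG_LINES).items():
        for (ip, host), first_seen in leases.items():
            print(f"{mac}  {ip:15s} {host:10s} first seen {first_seen}")
    print("moved:", macs_that_moved(SYSLOG_LINES))
```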



Re: [pfSense Support] Intel Pro 1000 VT

2008-05-15 Thread Gary Buckmaster
If that Broadcom card isn't on the supported hardware list for FreeBSD 
7, you may be up a creek without a paddle unfortunately. You may try 
installing straight FreeBSD 7 on this machine and see if it recognizes 
the cards. That won't help you put pfSense on it, admittedly, but it'll 
at least give you a clue as to whether or not you'll see support for 
those cards anytime in the next year or two.


Adam Costello wrote:


Hi Sean,

Sorry didn't put this in the message below, the Broadcom (NetXtreme 
BCM5722) is actually the embedded NIC so I can't replace :(


Is my only option a custom build (if I can find the FreeBSD drivers 
for it)?


Cheers

Adam

*From:* Sean Cavanaugh [mailto:[EMAIL PROTECTED]
*Sent:* 15 May 2008 15:09
*To:* support@pfsense.com
*Subject:* RE: [pfSense Support] Intel Pro 1000 VT


 From: [EMAIL PROTECTED]
 To: support@pfsense.com
 Date: Thu, 15 May 2008 09:50:17 +0100
 Subject: RE: [pfSense Support] Intel Pro 1000 VT

 I originally thought the problem was that the Intel was not working 
 and the Broadcom was, however my recent findings have led me to believe 
 neither were working originally :(

 I've had a look at the supported hardware list for FreeBSD 7 and it 
 doesn't appear in there. I'm quite worried that there is no way round 
 this problem.


 Cheers

 Adam

If the hardware is not on the supported hardware list, they will NOT 
work with pfSense. You will have to get another NIC for the server.







  






[pfSense Support] Are you still running 1.0.1 or a 1.2-RC?

2008-05-12 Thread Gary Buckmaster
If so, please stop.  pfSense 1.2 has been released now for a very long 
time and has been production ready since the day it hit the streets.  If 
you're posting to this list having problems with a 1.2RC, before you go 
_any_ further with your issue, UPGRADE!  You really have no excuse for 
not running 1.2 release.  Do yourself a favor, and do the user community 
as a whole a favor by upgrading your installs to a release version. 





Re: [pfSense Support] setting time

2008-05-10 Thread Gary Buckmaster

Curtis LaMasters wrote:

What timezone are you in? If CST try Chicago instead of GMT -6.

--
Curtis LaMasters
http://www.curtis-lamasters.com
http://www.builtnetworks.com 
Yeah, for those of you who don't know: the GMT settings for FreeBSD and 
other OSsen are completely wrong.  If you're trying to use a GMT time 
zone setting and it's not right, use the Country/City settings instead. 


For the OP: on the command line, run: ntpdate us.pool.ntp.org

As long as your time zones are set correctly, this should ensure your 
time is set correctly.





Re: [pfSense Support] setting time

2008-05-10 Thread Gary Buckmaster

Have you run:

ntpdate pool.ntp.org

from the command line?

Dean Larson wrote:

right now it is running about 10 minutes fast.  i set it to chicago about 30 
minutes ago... and time still moves on ahead.

am i missing something?

is there some way of telling the time? what i have been doing is getting a 
command prompt on the machine and doing date.  also i've caused an event to log 
-- and looked at the entry in the log -- ie:  pass traffic to a server that 
the firewall will not let me do:  ie:  tcp port 40.

dean

  

Date: Fri, 9 May 2008 23:46:18 -0500
From: [EMAIL PROTECTED]
To: support@pfsense.com
Subject: Re: [pfSense Support] setting time

What timezone are you in? If CST try Chicago instead of GMT -6.

--
Curtis LaMasters
http://www.curtis-lamasters.com
http://www.builtnetworks.com




  






Re: [pfSense Support] bsdperimeter.com down -- what is the state of commercial support for pfSense?

2008-05-09 Thread Gary Buckmaster
Yep, coming into the conversation late, but yes, I'm happy to help in 
any capacity I can.  As you all know, we work very closely with the 
BSDPerimeter team.  Because of the BSDCan prep, they've been pretty 
swamped, so if you have questions, feel free to hit me up first, I'll do 
what I can to get them answered for you in a timely fashion. 


Christopher Iarocci wrote:

Found this at the bottom of the Centipede Networks site:

If you would like more information regarding this release, please contact
Gary Buckmaster with Centipede Networks at (918) 524-1010 x 114 or at
[EMAIL PROTECTED]

I'm sure he could help.

-Original Message-
From: Timo Schoeler [mailto:[EMAIL PROTECTED] 
Sent: Friday, May 09, 2008 5:33 AM

To: support@pfsense.com
Subject: [pfSense Support] bsdperimeter.com down -- what is the state of
commercial support for pfSense?

Hi there,

I'm about to sell a bunch of pfSense-based Firewalls to a customer (who 
wants to run a nice loadbalanced setup).


What about commercial support? bsdperimeter.com is down, as it seems to 
me...


Any ideas?

Thanks in advance,

Timo




  






Re: [pfSense Support] bsdperimeter.com down -- what is the state of commercial support for pfSense?

2008-05-09 Thread Gary Buckmaster
Not yet, but it will soon.  Currently the load balancer is slbd, but 
that's changing.


IIRC relayd(8) supports this. Doesn't pfSense's load balancing entity 
rely on relayd(8) (was hoststated(8) before)?









Re: [pfSense Support] Log Access to pfsense's administration page

2008-05-09 Thread Gary Buckmaster

David Meireles wrote:

Hi there.
One client of ours has a pfsense firewall (working great, btw). Due to 
their policies, and although they don't have indoor IT staff, they 
know the password to access the pfsense admin page (the boss and a 
teenage pseudo-it-wannabe). It happened more than once that there were 
problems with pfsense due to someone messing up with the firewall 
rules, and I know who did it, but the thing is that I cannot say to my 
customer "Your employee did that" without having proof (my word against 
his). So, I was wondering, is there a way to log the time and IP of 
who accesses the admin page?


Cheerz 
Not really, the admin account is the admin account.  This changes 
somewhat in 1.3 with the user manager code.  If I were you, I would 
always keep a copy of the config.xml for your clients and update it 
every time you make changes.  Then if something like this happens, you 
can get into the box and run a diff against the configs.  If something's 
changed, you have pretty clear evidence that it wasn't you.  It's also a 
good policy to have regardless for the purposes of disaster recovery. 


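Gary's suggestion above, keeping a copy of config.xml and diffing it after an unexplained change, as an added example that is not pfSense's own code: two constructed snapshots shaped like a pfSense 1.x config.xml (root `<pfsense>`, rules under `<filter>/<rule>`) are fingerprinted and their rules compared by description, so a flipped rule or a new rule is reported by name rather than as a raw text diff. Rule names and the file layout are constructed samples, not taken from any real install.

```python
"""Compare two pfSense config.xml snapshots and report firewall-rule changes."""
import hashlib
import xml.etree.ElementTree as ET

# Constructed "known-good" snapshot, saved after the consultant's last visit.
# Shaped like a pfSense 1.x config.xml: root <pfsense>, rules in <filter>/<rule>;
# only the elements this script reads are included.
BASELINE_XML = b"""<?xml version="1.0"?>
<pfsense>
  <filter>
    <rule><type>pass</type><interface>lan</interface>
      <descr>Default LAN to any</descr></rule>
    <rule><type>block</type><interface>wan</interface>
      <descr>Block SMB from WAN</descr></rule>
  </filter>
</pfsense>"""

# Constructed snapshot pulled from the box after the unexplained outage.
CURRENT_XML = b"""<?xml version="1.0"?>
<pfsense>
  <filter>
    <rule><type>pass</type><interface>lan</interface>
      <descr>Default LAN to any</descr></rule>
    <rule><type>pass</type><interface>wan</interface>
      <descr>Block SMB from WAN</descr></rule>
    <rule><type>pass</type><interface>wan</interface>
      <descr>Remote admin to file server</descr></rule>
  </filter>
</pfsense>"""


def sha256_hex(blob: bytes) -> str:
    """Fingerprint a snapshot; unequal digests mean something changed."""
    return hashlib.sha256(blob).hexdigest()


def rules_by_descr(xml_blob: bytes) -> dict:
    """Map each rule's <descr> to its (type, interface) pair."""
    # Rules of this era carry no stable id, so the description is a best-effort
    # key; two rules with identical descriptions would collapse into one entry.
    root = ET.fromstring(xml_blob)
    rules = {}
    for rule in root.iterfind("./filter/rule"):
        descr = rule.findtext("descr", default="")
        rules[descr] = (rule.findtext("type"), rule.findtext("interface"))
    return rules


def diff_rules(baseline: bytes, current: bytes) -> dict:
    """Return added, removed and modified rule names between two snapshots."""
    old, new = rules_by_descr(baseline), rules_by_descr(current)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in set(old) & set(new) if old[k] != new[k]),
    }


if __name__ == "__main__":
    print("baseline sha256:", sha256_hex(BASELINE_XML))
    print("current  sha256:", sha256_hex(CURRENT_XML))
    for kind, names in diff_rules(BASELINE_XML, CURRENT_XML).items():
        for name in names:
            print(f"{kind:8s} {name}")
```

Hash both copies at the time you save the baseline so the baseline itself can be shown to be unaltered when you present the diff.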



Re: [pfSense Support] Unable to install pfSense 1.2 LiveCD

2008-05-08 Thread Gary Buckmaster

Rainer Duffner wrote:


Am 08.05.2008 um 00:09 schrieb Atkins, Dwane P:


I will try that as well.





Can't you unplug the internal CD drive and use an USB one to install?

Or does it complain nevertheless?

Rainer
BSDInstaller doesn't currently support USB CD-ROMs; this is supposed to 
change in the near future. 





Re: [pfSense Support] panic on install of stable pfsense on latests Dell PE 1950 server

2008-05-08 Thread Gary Buckmaster

Disable ACPI

Harrie Bonenkamp (Colson) wrote:


Dear Support,

 

I tried to install the latest stable pfsense 1.2 on a brand new Dell 
PowerEdge 1950


With the default (ACPI enabled) install It came back to me with this 
error:


 


DELL_PE_SC3

Panic ACPI0sDerivePciId unable to initialize PCI bus

 


And system reboots in 15 seconds.

 


The server has this specification:

 


PE1950 III Quad-Core Xeon E5430 2.66GHz/2x6MB 1333FSB

PE1950 PCIE Riser (2 Slots)

PE1950 Bezel Assembly

4GB FB 667MHz Memory (2x2GB dual rank DIMMs)

No second Processor option

300GB SAS (10,000 rpm) 3.5inch Hard Drive

PE1950 III 3.5 HDD support chassis

Perc 6i Integrated Controller

8X IDE DVD-ROM Drive

PE1950 III Non-Redundant Power Supply - No Power Cord

Broadcom TCP/IP Offload Engine functionality (TOE) Not Enabled

No Operating System

PE1950 OpenManage kit and FI Driver

PE1950 III - C3,MSSR1, ADD IN PERC 5i/6i or SAS6iR, min 2 / max 2

 

 


Harrie Bonenkamp

 







Re: [pfSense Support] Unable to install pfSense 1.2 LiveCD

2008-05-07 Thread Gary Buckmaster
Try using a different CD-ROM drive, FreeBSD has been shown to be 
extremely picky with certain CD-ROM drives. 


Atkins, Dwane P wrote:


I am attempting to install pfSense on a Dell PowerEdge RS200 server.

 

This has a 64 bit ES4500 2.2 Ghz Processor with 1 GB memory and 80 gig 
SATA hard drive.


 

The install goes so far and then I start getting ad4: and acd0 errors 
(errors that occur on ad4 seem to occur on acd0


 

acd0: SET FEATURE ENABLE RCACHE:  task timeout  completing request 
directly


acd0: SET FEATURE ENABLE WCACHE task timeout  completing request directly

 


These are a few of the errors.

 


Others include:

TEST_UNIT_READY

SET MULTI

SET FEATURES TRANSFER MODE.

 


ad4 76298 MB WDC WD800AAJ5-18TDA 01.004 at ata2master UDMA33.

 


I am looking through the archives now.

 


Any help would be appreciated.

 


Thank you,


Dwane

 







Re: [pfSense Support] boot usb wothout bios support

2008-05-06 Thread Gary Buckmaster

Ernesto Eduardo Medina Núñez wrote:

Hi I'm new to BSD and pfsense.
I want to boot pfsense from my USB pen drive but my BIOS is old and 
can't boot from a USB drive.


Somebody can help me?

Note: I don't have Hard Drive nor Floppy Disk, I just have:
-Cd-rom drive
-1GB USB pen drive with pfsense installed (it works I tested it on my 
laptop)

- the pfsense cd,
- computer with 3 network cards.
- celeron processor (333) very old!


--
Lalo: Just do it, life is too short 
If your BIOS is too old to boot from a USB drive, but you want to boot 
from a USB drive, what could you possibly expect us to do? 





Re: [pfSense Support] 1.2 package add-on missing

2008-05-05 Thread Gary Buckmaster
What platform does your pfSense install display?  You should see 
this in the splash screen.




Paul Peziol wrote:
1: It's installed to the hd. Under System I have Advanced, Firmware, 
Gen Setup, Setup Wizard, and static routes. Last time I installed it, 
it had a packages section that appears missing. This is the latest one 
that I downloaded and don't have the older version anymore


2. Ahh. should've looked better.

thanks for your help


On Mon, May 5, 2008 at 10:45 AM, Dimitri Rodis 
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED] 
wrote:


1.   Did you install pfSense to the hard drive? (You need to
for packages)

2.   Yes.. Go to the interfaces page and add it.

 


Dimitri Rodis

Integrita Systems LLC

 


*From:* Paul Peziol [mailto:[EMAIL PROTECTED]
mailto:[EMAIL PROTECTED]]
*Sent:* Monday, May 05, 2008 8:41 AM
*To:* support@pfsense.com mailto:support@pfsense.com
*Subject:* [pfSense Support] 1.2 package add-on missing

 


Not sure if it's a bug or something in my installation but the new
version appears to not have a choice to add packages and the
firmware update page seems to be out of line. If it's an
installation issue I will re-install it.

2nd question I have 3 NIC's. I only setup 2 of them on the initial
setup. Is there a way to add the 2nd optional one after the fact.

Paul








Re: [pfSense Support] spamd package

2008-05-01 Thread Gary Buckmaster

Vaughn,

You should re-visit the spamhaus terms of service for their Zen 
service.  It is not free for commercial use as you are apparently doing. 

Otherwise, thank you for the feedback on the package. 


-Gary

Vaughn L. Reid III wrote:
I have been successfully using the spamd package for about 2 weeks at 
one of my client sites, and it is working wonderfully.  It has reduced 
the amount of spam that the site's email server was receiving from 
about 15000 per day to about 50 to 75 per day.

I configured the package as follows:

On the external spam data sources page, I have the following 2 items 
configured:

provider:  spamhaus
type:  blacklist
provider method:  url
url:  zen.spamhaus.org

provider:  uceprotect network
type:  blacklist
provider method:  file
file:  
http://wget-mirrors.uceprotect.net/rbldnsd-all/dnsbl-1.uceprotect.net.gz


On the white list tab, I have the client's local email server's IP 
address listed.


I left the default configuration on the spamd settings tab.

I am having excellent luck with this package running on a pair of 
firewalls using CARP.  I manually replicated my settings on both 
boxes, and it successfully works during failover (although the 
settings and spam database don't replicate -- but that's a given with 
most of the add-on packages).


I believe that you may be experiencing problems because you don't have 
your local email server white listed.


Vaughn Reid III


Michel Servaes wrote:

Hi,


I just tried to install spamd today, but it seems to block all my 
messages.

I've waited 25 minutes, and still no mail arrives.

I also tried to add some blacklist servers from the openbsd/spamd 
page, but it seems not to really work.


It just kept three entries in the greylist, and nothing else passed 
into that list, nor anything went through the mailserver I entered as 
next MTA.


When I telnetted into the SMTP port on my WAN side (from another 
location obviously), the SMTP HELO string came very slowly (but 
changing the value to '0' for the delay didn't make it faster).



Where can I find good info on how to configure it basic... from that 
point I could maybe tweak a little, but a basic guideline would be 
great to start with.



Kind regards,
Michel











Re: [pfSense Support] Re: PPTP Ipsec

2008-04-29 Thread Gary Buckmaster
Please don't do that.  If someone has a response, they'll respond when 
they're able.  Keep in mind that this is a free resource, and that help 
is on a voluntary basis.  If this doesn't fit within the threshold you 
have for a solution, then please consider other options.  Spamming the 
mailing list isn't the way.



Wade Blackwell wrote:

AnyoneBuelerBueler?

-W

On Tue, 2008-04-29 at 06:41 -0700, Wade Blackwell wrote:
  

Good morning PFsense fans,
Greetings from the starting to get sunny Northwest. I am not sure if
what I am trying can be done or not. In concept I know it's possible but
I am not seeing the desired results where the rubber meets the road.
Basic setup is this;

Network A
1.1.1.1/24
  |
  |
  |
I-netPF---PPTP clients 3.3.3.3/28
  |
  |
  |
  IPsec tunnel to 2.2.2.0/24

Goal: To have PPTP clients connect in and connect to the PF and then
have access to 2.2.2.0/24 over the IPsec tunnel. The tricky part (I am
assuming) is that for the tunnel to come up the PPTP clients to bring
the IPsec tunnel up they need to be sourced from 1.1.1.0/24. What I did,
attempting to make this work, was to setup the advanced outbound NAT
allowing all PPTP clients destined for 2.2.2.0/24 to be natted with the
interface IP of network A. I am running 1.2-RC2 if that has any bearing.
If anyone has tried this or has some insight I would be stoked. Thanks
all.






