Re: [pfSense Support] how to block the bit torrent

2011-09-01 Thread Ian Bowers
if you use any technology to classify and/or block bit torrent at layer 4,
all someone has to do is change their source port to something different, or
proxy the connection so the destination port is different.  Or if you're
particularly unlucky, they might use VPN to mask it.

This is why you cannot depend on a fire-and-forget solution to do all the
blocking for you.  It's better to identify the offending traffic, save some
pcaps to show what the user was doing, then deal with the user themselves
face to face or over email.  Notify them that their activity is a breach of
security policy.

What reading have you done on traffic shaping, packet filtering, IDS,
etc?  No offense, but I think you may lack some fundamental understanding of
the technologies involved.  Please take that as an observation only, I'm not
talking down to you.  You've asked a number of very basic questions today,
so I'm trying to get a good handle of where you're at.


Regards,
- Ian


On Thu, Sep 1, 2011 at 11:49 AM, suresh suresh wrote:

> suppose i block through the traffic shapers means what will happen
>
> if user changes bit torrent port in his/her machine only he/her download
> torrent or bit torrent automatically changes the port number start
> downloading. Please help me.
>
> Thank you,
>
> Regards,
> Suresh
>
>
> On Thu, Sep 1, 2011 at 9:06 PM, Ian Bowers  wrote:
>
>> savvy users will use a different port.  if your goal is to say "we block
>> bit torrent", this shouldn't matter.  if your goal is to actually block bit
>> torrent or successfully enforce security policy, this may not be sufficient.
>>
>>
>> On Thu, Sep 1, 2011 at 11:32 AM, suresh suresh <
>> suresh.notion...@gmail.com> wrote:
>>
>>> if we disable the bit torrent using traffic shapers.. bit torrent will be
>>> block or what will happen. Please help me
>>>
>>> Thank you,
>>>
>>> Regards,
>>> Suresh
>>>
>>>
>>> On Thu, Sep 1, 2011 at 8:44 PM, Ian Bowers  wrote:
>>>
>>>> pfsense is the freebsd, so one way or another you can install the snort.
>>>> there is a pfsense package for it though for easy installation and
>>>> maintenance.  you may want to google IDS and how to tune it before
>>>> deploying it.  IDS isn't something you want to walk into blind.
>>>>
>>>>
>>>> On Thu, Sep 1, 2011 at 11:04 AM, suresh suresh <
>>>> suresh.notion...@gmail.com> wrote:
>>>>
>>>>> we can install the snort in pfsense 1.2.3?
>>>>>
>>>>>
>>>>> On Thu, Sep 1, 2011 at 8:13 PM, Ian Bowers  wrote:
>>>>>
>>>>>> You won't find much success in trying to block bittorrent with a
>>>>>> firewall.  Your best bet is to use IDS (eg: snort) or another sort of
>>>>>> categorization software or appliance to identify who is using bittorrent
>>>>>> and deal with them at layer 8 via company security policy.  Torrenting is one
>>>>>> place where you simply cannot deploy a fire-and-forget solution and hope
>>>>>> for it to actually work.
>>>>>>
>>>>>> Regards,
>>>>>> -Ian
>>>>>>
>>>>>>
>>>>>> On Thu, Sep 1, 2011 at 9:38 AM, suresh suresh <
>>>>>> suresh.notion...@gmail.com> wrote:
>>>>>>
>>>>>>> Hi All,
>>>>>>>
>>>>>>> how to block the bit torrent in my LAN network.. and how to block
>>>>>>> the websites, and how to block the websites except some lan connection.
>>>>>>> please help me.
>>>>>>>
>>>>>>> Thank you,
>>>>>>>
>>>>>>> Regards,
>>>>>>> suresh
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>

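The point Ian makes above, that a layer-4 port rule stops working as soon as the client uses a different port while content inspection still identifies the protocol, can be shown with a small comparison. The following is an added example written for this page, not code from the list or from pfSense or Snort. It classifies a handful of constructed flow records two ways: by port, and by checking whether the first bytes of the stream are the BitTorrent peer-wire handshake (a length byte of 19 followed by the string "BitTorrent protocol"). The port set and the sample flows are assumptions made for illustration.

```python
"""Port-based versus payload-based BitTorrent classification (added example)."""
from dataclasses import dataclass

# Ports often associated with BitTorrent clients. The exact set is an
# assumption used only to illustrate a layer-4 rule.
BITTORRENT_PORTS = set(range(6881, 6890))

# The BitTorrent peer-wire handshake begins with the byte 0x13 (19) and the
# literal "BitTorrent protocol". A Snort content match for the same thing
# would be content:"|13|BitTorrent protocol"; depth:20;
HANDSHAKE_PREFIX = b"\x13BitTorrent protocol"


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes  # first bytes of the TCP stream, client side


def classify_by_port(flow: Flow) -> bool:
    """Layer-4 classification: flag the flow if either port is in the set."""
    return flow.sport in BITTORRENT_PORTS or flow.dport in BITTORRENT_PORTS


def classify_by_payload(flow: Flow) -> bool:
    """Content inspection: flag the flow if it opens with the handshake."""
    return flow.payload.startswith(HANDSHAKE_PREFIX)


def report(flows):
    """Return (src, dst:dport, port_hit, payload_hit) per flow so the two
    methods can be compared side by side."""
    return [
        (f.src, f"{f.dst}:{f.dport}", classify_by_port(f), classify_by_payload(f))
        for f in flows
    ]


def missed_by_port_rule(flows):
    """Flows whose payload is BitTorrent but whose ports are not in the set:
    exactly the traffic a port-only rule lets through."""
    return [f for f in flows if classify_by_payload(f) and not classify_by_port(f)]


# Constructed sample flows using RFC 5737 documentation addresses.
SAMPLE_FLOWS = [
    # Default port and a real handshake: both methods agree.
    Flow("192.0.2.10", 51234, "198.51.100.7", 6881, HANDSHAKE_PREFIX + b"\x00" * 8),
    # Same protocol on a non-default port: the port rule misses it.
    Flow("192.0.2.10", 51235, "198.51.100.8", 443, HANDSHAKE_PREFIX + b"\x00" * 8),
    # An ordinary TLS ClientHello on 443: neither method flags it.
    Flow("192.0.2.11", 51236, "203.0.113.5", 443, b"\x16\x03\x01\x00\xa5\x01\x00"),
    # A web server listening on 6881: the port rule gives a false positive.
    Flow("192.0.2.12", 51237, "203.0.113.6", 6881, b"GET / HTTP/1.1\r\n"),
]


if __name__ == "__main__":
    for row in report(SAMPLE_FLOWS):
        print(row)
    print("missed by port rule:", [f.dst for f in missed_by_port_rule(SAMPLE_FLOWS)])
```

The second and fourth flows are the ones that matter: the port rule both misses the moved client and flags an unrelated server, which is why the thread points at an IDS rather than a firewall rule. Inspection has its own limit, also named in the thread: a tunnel or VPN hides the handshake entirely, so the last step is still a person reading the evidence and applying policy.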

Re: [pfSense Support] how to block the bit torrent

2011-09-01 Thread Ian Bowers
savvy users will use a different port.  if your goal is to say "we block bit
torrent", this shouldn't matter.  if your goal is to actually block bit
torrent or successfully enforce security policy, this may not be sufficient.

On Thu, Sep 1, 2011 at 11:32 AM, suresh suresh wrote:

> if we disable the bit torrent using traffic shapers.. bit torrent will be
> block or what will happen. Please help me
>
> Thank you,
>
> Regards,
> Suresh
>
>
> On Thu, Sep 1, 2011 at 8:44 PM, Ian Bowers  wrote:
>
>> pfsense is the freebsd, so one way or another you can install the snort.
>>  there is a pfsense package for it though for easy installation and
>> maintenance.  you may want to google IDS and how to tune it before deploying
>> it.  IDS isn't something you want to walk into blind.
>>
>>
>> On Thu, Sep 1, 2011 at 11:04 AM, suresh suresh <
>> suresh.notion...@gmail.com> wrote:
>>
>>> we can install the snort in pfsense 1.2.3?
>>>
>>>
>>> On Thu, Sep 1, 2011 at 8:13 PM, Ian Bowers  wrote:
>>>
>>>> You won't find much success in trying to block bittorrent with a
>>>> firewall.  Your best bet is to use IDS (eg: snort) or another sort of
>>>> categorization software or appliance to identify who is using bittorrent
>>>> and deal with them at layer 8 via company security policy.  Torrenting is one
>>>> place where you simply cannot deploy a fire-and-forget solution and hope
>>>> for it to actually work.
>>>>
>>>> Regards,
>>>> -Ian
>>>>
>>>>
>>>> On Thu, Sep 1, 2011 at 9:38 AM, suresh suresh <
>>>> suresh.notion...@gmail.com> wrote:
>>>>
>>>>> Hi All,
>>>>>
>>>>> how to block the bit torrent in my LAN network.. and how to block the
>>>>> websites, and how to block the websites except some lan connection. please
>>>>> help me.
>>>>>
>>>>> Thank you,
>>>>>
>>>>> Regards,
>>>>> suresh
>>>>>
>>>>
>>>>
>>>
>>
>


Re: [pfSense Support] how to block the bit torrent

2011-09-01 Thread Ian Bowers
pfsense is the freebsd, so one way or another you can install the snort.
 there is a pfsense package for it though for easy installation and
maintenance.  you may want to google IDS and how to tune it before deploying
it.  IDS isn't something you want to walk into blind.

On Thu, Sep 1, 2011 at 11:04 AM, suresh suresh wrote:

> we can install the snort in pfsense 1.2.3?
>
>
> On Thu, Sep 1, 2011 at 8:13 PM, Ian Bowers  wrote:
>
>> You won't find much success in trying to block bittorrent with a firewall.
>>  Your best bet is to use IDS (eg: snort) or another sort of categorization
>> software or appliance to identify who is using bittorrent and deal with them
>> at layer 8 via company security policy.  Torrenting is one place where you
>> simply cannot deploy a fire-and-forget solution and hope for it to actually
>> work.
>>
>> Regards,
>> -Ian
>>
>>
>> On Thu, Sep 1, 2011 at 9:38 AM, suresh suresh wrote:
>>
>>> Hi All,
>>>
>>> how to block the bit torrent in my LAN network.. and how to block the
>>> websites, and how to block the websites except some lan connection. please
>>> help me.
>>>
>>> Thank you,
>>>
>>> Regards,
>>> suresh
>>>
>>
>>
>


Re: [pfSense Support] how to block the bit torrent

2011-09-01 Thread Ian Bowers
You won't find much success in trying to block bittorrent with a firewall.
 Your best bet is to use IDS (eg: snort) or another sort of categorization
software or appliance to identify who is using bittorrent and deal with them
at layer 8 via company security policy.  Torrenting is one place where you
simply cannot deploy a fire-and-forget solution and hope for it to actually
work.

Regards,
-Ian

On Thu, Sep 1, 2011 at 9:38 AM, suresh suresh wrote:

> Hi All,
>
> how to block the bit torrent in my LAN network.. and how to block the
> websites, and how to block the websites except some lan connection. please
> help me.
>
> Thank you,
>
> Regards,
> suresh
>


Re: [pfSense Support] Bandwidth usage since start of month?

2010-06-18 Thread Ian Bowers
darkstat will give you a rolling month, but I'm not sure what would
conveniently do traffic since the start of a given month.

On Fri, Jun 18, 2010 at 12:04 PM, Adam Thompson  wrote:
> I’m trying to determine how much traffic I’ve transferred since the first of
> the month; the RRD graphs let me see the last month’s worth of traffic but I
> can’t see any way to specify custom ranges.
>
>
>
> I vaguely remember seeing a package that let me select specific ranges on
> those graphs but I can’t find it now (and I might be remembering something
> else altogether – who knows).
>
>
>
> Is there a way to get this information?
>
>
>
> Thanks,
>
>
>
> -Adam Thompson
>
>  Chief Technical Architect, C3A Inc.
>
>  athom...@c3a.ca
>
>  (204) 272-9628 / fax: (204) 272-8291
>
>

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org



Re: [pfSense Support] Re: CARP ip on different network range

2010-06-03 Thread Ian Bowers
On Thu, Jun 3, 2010 at 3:11 PM, Vick Khera  wrote:
> On Thu, Jun 3, 2010 at 3:06 PM, Ian Bowers  wrote:
>> My comment on patching was more abstract than saying "Cisco is more of
>> a fire and forget box than BSD".  a BSD box, even as a network
>> appliance, is going to have more services listening than a cisco
>> router.  Or at least that tends to be the case in practice.  Most
>>
>
> The stock freebsd install listens on basically nothing unless you tell
> it to, including ssh.  pfSense is not really a "BSD Box" either, and
> is even more tightly configured.  This argument is a big red herring.
>

Shrug.  I'm not picking on pfsense, and I'm not picking on BSD.  The
"in practice" caveat is a big one since users tend to enable all kinds
of features for all kinds of reasons.  There's no red herring here.  I
do a lot of this sort of work and just wanted to hand out some
opinions I had based on experience with this particular asker's issue.

BSD is great, pfsense is great, all this is great on its own without
cisco.  I was handing out a specific response to a specific situation,
nothing more.  Any abstractions you want to add to it aren't
necessarily my opinion.

-Ian




Re: [pfSense Support] Re: CARP ip on different network range

2010-06-03 Thread Ian Bowers
On Thu, Jun 3, 2010 at 12:14 AM, Chris Buechler  wrote:
> On Tue, Jun 1, 2010 at 1:05 PM, Ian Bowers  wrote:
>>
>> I usually
>> recommend a cisco router over a BSD box for WAN delivery duty since
>> they rarely if ever need patching
>
> Cisco has put out more security updates in the past two months than we
> have in the 5.5 years this project has existed. The applicability of
> those varies depending on what functionality you're using, but if you
> want to maintain a secure IOS, you definitely need to patch more than
> "rarely". Most FreeBSD security advisories don't apply to us as
> they're either local only and in our case if you have local access you
> have root, or they're in components that we don't include.
>
> Not that I disagree with the point of your post as a whole. Unless
> you're in a large datacenter with two drops into your cage or cabinet,
> you end up with one single point of failure of some sort per-Internet
> connection, with redundant firewalls behind that. Whether it's a Cisco
> router with a CSU/DSU, a cable or DSL modem, wireless or wimax CPE,
> fiber CPE, etc. there is always something. It's unavoidable, which is
> another reason you want multi-WAN plus redundant firewalls.
>
> Re: not having to burn two IPs for CARP, I hope we can get carpdev
> functional at some point post-2.0 so that won't be necessary.
>

My comment on patching was more abstract than saying "Cisco is more of
a fire and forget box than BSD".  A BSD box, even as a network
appliance, is going to have more services listening than a cisco
router.  Or at least that tends to be the case in practice.  Most
routers have no services open to the outside, and only an access port
(ssh or sometimes telnet) open on the inside.  Any network services
like routing protocols and whatnot will all be internal.  So they tend
to be lower maintenance from the service standpoint.  I tend to see
more service-based attacks than any other malicious activity, so I
suppose I should have been more clear about the "YMMV-ness" of what I
had said earlier.

FWIW I've run OpenBSD or pfsense as my border router/firewall for
close to a decade at home and had zero issues despite a number of
malicious attempts.  So this isn't to say a BSD box isn't perfectly
well suited for border duty.  I'm only saying that in my experience if
you want a redundant firewall setup, and the firewalls are where you
want to focus your attention, having a "dumb" box that just pushes the
internet into your network so your firewalls can do the heavy lifting
is a solution I tend to recommend.  Grain of salt etc.

-Ian




Re: [pfSense Support] Re: CARP ip on different network range

2010-06-01 Thread Ian Bowers
On Tue, Jun 1, 2010 at 12:24 PM, Matias wrote:
> On 01/06/10 18:09, Evgeny Yurchenko wrote:
>>
>> Matias wrote:
>>>
>>> On 01/06/10 17:14, Evgeny Yurchenko wrote:
>>>>
>>>> Matias wrote:
>>>>>
>>>>> On 01/06/10 17:00, Evgeny Yurchenko wrote:
>>>>>>
>>>>>> Matias wrote:
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> I've an internet connection on which my ISP provides a /29 network,
>>>>>>> just one IP for my pfSense (1.2.1) box and one IP for their gateway.
>>>>>>>
>>>>>>> I'd like to set up this IP as CARP and be shared with the second
>>>>>>> pfSense box I have, but as far as I understand, in order to have this
>>>>>>> IP address as CARP I must set up another two IPs on **the same
>>>>>>> range** the CARP IP is. But I don't have more real IPs.
>>>>>>>
>>>>>>> What is your recommendation in this situation?
>>>>>>>
>>>>>>> Thanks for your help.
>>>>>>>
>>>>>> /29 gives you 6 usable IPs.
>>>>>> pfSense-1
>>>>>> pfSense-2
>>>>>> Gateway
>>>>>> and you can configure 3 CARPs.
>>>>>>
>>>>>> Evgeny.
>>>>>>
>>>>>
>>>>> Sorry, it is a /30 actually.
>>>>>
>>>> Oh. In this case you have to get more public IPs from your provider.
>>>>
>>>
>>> Do you know if with pfSense 2.0 there will be the option to use a
>>> CARP IP outside the interface(s) network?
>>>
>> To me it just does not make sense - to use IPs on WAN that can not be
>> routed to you by Provider. What for?
>>
>
> The only IP reachable from my ISP point of view should be the CARP one. Why
> would I like to have two routable (and paid) public IP addresses on the
> real interfaces of each pfsense box that I'm not going to use ever?
>

A typical deployment where redundant firewalls come into play would be
a router on the edge with a switch behind it, and both firewalls on
the switch.  If you have a vlan capable switch like a cisco 2950 or
something, you can handle outside, inside, and the between-box carp
traffic all on the same switch.  And still have room leftover for your
LAN switching needs.  2950s tend to go for between $50 and $75, and
their ability to do things like VLAN and spanning tree make their real
value per dollar pretty damn high over what you can get at best buy.

It struck me as odd at first to have a router outside the firewall
since the firewall is the "hardest" box, and it would make sense for
it to be furthest on the periphery of my network.  But all a router is
really doing is passing traffic from the ISP into the LAN.  As long as
you configure it to just pass traffic and allow telnet/ssh access from
the LAN only, there is really very little to exploit.

A simple cisco 2600 series router with 2 ethernet interfaces will take
care of most people's LAN <-> WAN routing needs and can be had for very
cheap.  For a little more you can even put an etherswitch module in it
and take all your CARP traffic off the LAN switch.  I usually
recommend a cisco router over a BSD box for WAN delivery duty since
they rarely if ever need patching, they do simple wan delivery
marvelously well, the config is dead simple, and they very very rarely
fail.  Just pass all traffic through it using a single NAT/PAT pool to
give your pfsense boxen a few addresses to work with, and have your
pfsense box do any rules/translations/etc for the LAN.  A Cisco 2611xm
or 2621xm can be had for under 200 on ebay.  Cheaper if you spend a
little time hunting.  I usually recommend the XM models since they
have much better throughput than the non-xm models of the same
numbers.  And a 16 mbit cable connection stresses them pretty hard
(they were intended as T1 routers, modern broadband blows T1s away).

But this is how you can easily do CARP with only 1 public IP being
served to your premises.  Just think of your cisco router as another
telco router...  Set it up and forget it's there, and pretend like
your pfsense boxes are the real edge devices.  You might be

Re: [pfSense Support] how does one test for stability?

2010-02-04 Thread Ian Bowers
to be honest, you ought to get something like Cacti running on an external
server.  It's easy to deploy and configure.  You'll get charts of all kinds
of info, and it's only a few clicks to set up.

In order to run it you'll need to know a little about SNMP.  But for
monitoring, quite honestly SNMP is king.  It's old, crude, and ridiculously
good at what it does.

On Thu, Feb 4, 2010 at 1:46 PM, Vick Khera  wrote:

> On Thu, Feb 4, 2010 at 11:46 AM, mehma sarja  wrote:
> > Nagios is complex and the Reconnoiter thing looks weird. Now that I think
>
> TANSTAAFL.  If your requirements involve knowing when things are not
> working right, you a) need to know what the baseline of "working
> properly" means, and b) have a means to detect when that baseline is
> out of the norm, and c) have a means to notify you of that.  The tools
> that do this are not trivial, because the problem is not trivial.  I
> really don't think your Control Center software at your prior company
> was "easy" software.
>
> > about it, is there a formal database in a pfsense install? Don't
> > know...pkg_info -a shows blank and a find on *.conf does not show a hint
> of
> > a db. The PHPService package could be used to send messages. Remote
> > syslogging will get some info - not all.
>
> Not that I'm aware.  I suspect if any package needed a database it'd
> install it.  But that just seems wrong, from a moral standpoint, to
> have on a firewall. I suppose it would be ok if it were sqlite or
> BDB... but never anything that listened to a network socket.
>


Re: [pfSense Support] beta1 and rum based ap

2010-01-11 Thread Ian Bowers
On Mon, Jan 11, 2010 at 5:52 AM, Nenhum_de_Nos  wrote:

>
> On Mon, January 11, 2010 06:19, Chris Buechler wrote:
> > On Fri, Jan 8, 2010 at 12:00 AM, Nenhum_de_Nos 
> > wrote:
> >> hail,
> >>
> >> I have a beta1 trial of pfsense as an ap on rum based tp-link device. I
> >> can run it till the notebook associates, but can't get it to send data
> >> (associates ok) and got a page fault at:
> >>
> >> Stopped at rinjdaelEncrypt+0xc9: corl 0x10(%ecx), xedx
> >>
> >> this is a just installed system and all I did was create the hostap
> >> wlan0
> >> and the bridge0 (LAN+WLAN).
> >>
> >> i can say I don't know how to make pfsense an ap, as I tried on the
> >> production box running 1.2.3RC1 and was not successful. but there I got
> >> no
> >> page fault, so I thought this had to be sent.
> >>
> >> by the way, when using FreeBSD straight, I create a bridge and then the
> >> hostap interface, here I should behave the same way if I'd like the wlan
> >> people to see lan crowd ? I will install 1.2.3R and try on it a bit.
> >>
> >
> > I suggest trying a stock FreeBSD 8.0, set things up manually, and see
> > what happens. I suspect probably the same thing, in which case you'll
> > need to report details to freebsd-net so it can be resolved.
>
> Hi Chris,
>
> I did it when I was testing the usb wlan nic and all fine. but I tried on
> bridge based ap, not as pfsense does of adding ip to rum0 (or rum0_wlan0
> as in beta1).
>
> I got to figure out why my pfsense ap didn't work, I needed to add rules
> to firewall just as lan has (the pass all, no documentation said that). I
> got it working ok in 1.2.3R, but not beta1.
>
> is there a estimate time to beta1 become rc ? (just estimation, just for
> me to plan when to make migration plans).
>
> thanks,
>
> matheus
>
>
> --
> We will call you cygnus,
> The God of balance you shall be
>
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
>
> http://en.wikipedia.org/wiki/Posting_style
>
This may not be exactly what you're looking for, but I remember in
documentation for most USB based wlan cards that they don't really handle
being an AP very well.  from man rum:

BUGS
     Host AP mode doesn't support client power save.  Clients using power save
     mode will experience packet loss (disabling power saving on the client
     will fix this).

This may or may not be related, but is probably worth looking into.


Re: [pfSense Support] Source NAT

2009-12-18 Thread Ian Bowers
I'd really like to see source NAT added.  I've been used to pf on openbsd
for a while... it'll let you abuse nat any way you like it, and will still
call you the next day.  I tried pfsense and actually really liked it a lot.
It was eventually the lack of options for NAT that made me switch back...
no source distinction and strange collision complaints when allocating
ports (overlaps which wouldn't actually have hindered traffic).

On Fri, Dec 18, 2009 at 7:15 AM, Paul Mansfield wrote:

> On 18/12/09 10:58, Tapani Tarvainen wrote:
> > On Fri, Dec 18, 2009 at 11:13:45AM +0200, Tapani Tarvainen
> (pfse...@tapanitarvai
> >
> >> I took a stab at hacking filter.inc and modified it so that if
> >> there's  modifier in the nat rule, it uses it
> >> as source in the rdr entry.
> >
> > Does anybody think it'd be worthwhile to submit that as a patch?
> > Or would someone like to see it otherwise (small enough even
> > for posting on the list, perhaps - 105 line context diff)?
>
> it does sound useful, even for those who just want to tinker!
>
>
>


Re: [pfSense Support] XMLRPC debugging

2009-08-21 Thread Ian Levesque

On Aug 21, 2009, at 5:02 PM, Scott Ullrich wrote:

On Fri, Aug 21, 2009 at 3:45 PM, Ian Levesque wrote:

php: /xmlrpc.php: Disallowing CARP sync loop.



You have a CARP sync loop.  You do not want to do that.


Thanks, Scott - that much I figured out :)

It turns out that even though I had all the checkboxes unchecked, just
having an IP in the "Synchronize to IP" field on my secondary router
would cause the perceived sync loop. Leaving the "Synchronize Enabled"
checked and "pfSync sync peer IP" filled in gives me shared state
tables without the xmlrpc sync issues.


Thanks for everyone's help; it's especially nice to see the project's
founders on here helping out.


Cheers,
Ian




Re: AW: [pfSense Support] XMLRPC debugging

2009-08-21 Thread Ian Levesque


On Aug 21, 2009, at 2:39 AM, Matthias Niggemeier wrote:


-Original Message-
From: Ian Levesque [mailto:i...@crystal.harvard.edu]
Sent: Friday, 21 August 2009 00:25
To: support@pfsense.com
Subject: Re: [pfSense Support] XMLRPC debugging

On Aug 18, 2009, at 10:30 AM, Ian Levesque wrote:


I just noticed that my two pfSense boxen aren't syncing anymore. In
the logs, I see:

An error code was received while attempting XMLRPC sync with
username admin https://192.168.8.1:443 - Code 2: Invalid return
payload: enable debugging to examine incoming payload



Can you remember your last change? I had this problem when a rule comment
contains special characters.
Check all your rules and aliases to contain only a-z,A-Z,0-9,+,-,.,(,)
(some more as valid for XML (UTF8) without escaping).


I checked, but didn't see anything. Thanks for the idea.

Ian



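Matthias's suggestion above is that a rule comment containing characters awkward for XML broke his XML-RPC sync, and that descriptions should be checked against a small safe set. A script to do that check over a config file, as an added example written for this page rather than code from the list or from pfSense: it parses a constructed fragment shaped after pfSense's config.xml (the element layout is an assumption; on a real box the file is exported from the backup page) and lists every `<descr>` whose text contains a character outside a-z, A-Z, 0-9, space, +, -, ., ( and ).

```python
"""List rule/alias descriptions with characters outside a conservative set
(added example; config fragment is constructed)."""
import re
import xml.etree.ElementTree as ET

# One character that is NOT in Matthias's allowed list.
NOT_ALLOWED = re.compile(r"[^A-Za-z0-9 +\-.()]")

# Constructed fragment in the shape of pfSense's config.xml. The entities are
# how an XML file stores <, > and & inside element text.
SAMPLE_CONFIG = """<pfsense>
  <filter>
    <rule><descr>Allow web (80+443)</descr></rule>
    <rule><descr>Block &lt;guest&gt; vlan &amp; printers</descr></rule>
    <rule><descr>Café wifi</descr></rule>
  </filter>
  <aliases>
    <alias><name>web_servers</name><descr>Front-end boxes</descr></alias>
  </aliases>
</pfsense>"""


def suspicious_descriptions(config_xml: str):
    """Return (index, text, offending_chars) for each <descr> in document order
    whose text has characters outside the allowed set. offending_chars is a
    sorted list of the distinct characters found."""
    root = ET.fromstring(config_xml)
    findings = []
    for index, node in enumerate(root.iter("descr")):
        text = node.text or ""
        bad = sorted(set(NOT_ALLOWED.findall(text)))
        if bad:
            findings.append((index, text, bad))
    return findings


if __name__ == "__main__":
    for index, text, bad in suspicious_descriptions(SAMPLE_CONFIG):
        print(f"descr #{index}: {text!r} contains {bad}")
```

Note that the parser unescapes entities, so the second description comes back with literal `<`, `>` and `&`; those are the characters most likely to cause trouble when a value is serialised again without escaping. The accented "é" is perfectly valid XML and is listed only because it falls outside the deliberately narrow set the advice uses. Whether this is actually the cause of the sync failure is, as the follow-up says, not confirmed on this thread.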


Re: [pfSense Support] XMLRPC debugging

2009-08-21 Thread Ian Levesque
I just noticed that my two pfSense boxen aren't syncing anymore. In the
logs, I see:

An error code was received while attempting XMLRPC sync with username
admin https://192.168.8.1:443 - Code 2: Invalid return payload: enable
debugging to examine incoming payload

How can I enable XMLRPC debugging and run it from the CLI?



I haven't been able to figure out this problem. I've tried to do a backup of
my primary router's config, and then restore it on the secondary box, but
that didn't resolve the issue.


You shouldn't do that, that will configure the secondary to sync to
itself, which could cause problems (though we have checks that should
prevent that from breaking anything).


I didn't copy over all the configs; just the DHCP, DNS and filter rules.



Post your configurations and maybe something will be apparent. Email
them to me offlist if you prefer.


I'll send them to you, thanks for offering your eyes.


One thing I did notice in the logs is from the secondary router, it complains:


php: /xmlrpc.php: Disallowing CARP sync loop.

The secondary box's CARP settings:

Synchronize Enabled checked
Synchronize Interface CARPSYNC
pfSync sync peer IP 192.168.8.1
Synchronize to IP 192.168.8.1
Remote System Password (set)

Everything else is unchecked

The primary box has 192.168.8.2 as the "sync peer" and "Synchronize to" IP,
everything checked.


Thanks all -
Ian




Re: [pfSense Support] XMLRPC debugging

2009-08-20 Thread Ian Levesque

On Aug 18, 2009, at 10:30 AM, Ian Levesque wrote:

I just noticed that my two pfSense boxen aren't syncing anymore. In
the logs, I see:

An error code was received while attempting XMLRPC sync with
username admin https://192.168.8.1:443 - Code 2: Invalid return
payload: enable debugging to examine incoming payload


How can I enable XMLRPC debugging and run it from the CLI?



I haven't been able to figure out this problem. I've tried to do a
backup of my primary router's config, and then restore it on the
secondary box, but that didn't resolve the issue. Does anyone have any
clue as to how I can troubleshoot this further?


Thanks,
Ian




Re: [pfSense Support] Using a different gateway reply-to IP in PF rules

2009-08-18 Thread Ian Levesque


On Aug 18, 2009, at 6:51 PM, Chris Buechler wrote:

On Tue, Aug 18, 2009 at 6:44 PM, Ian Levesque wrote:

From the rule editing page, it appears that a gateway can be defined, but
I'm only given the option of using "default" or my default route (1.2.3.4).
The description below says "Leave as 'default' to use the system routing
table", but with the way the rules are generated by pfSense, all of our WAN
traffic is sent back out the default gateway instead of the more precise
match.

I understand that the solution to this is to change the above generated rule
to use "reply-to (em2 1.2.3.5)" or to omit the reply-to altogether. Is there
any way to accommodate this rather obscure use-case in pfSense? Can we add
additional routes to the "Gateway" drop-down?



What you're seeing is this:
http://redmine.pfsense.org/issues/show/14

Gateway is for route-to, there is no way to specify reply-to, as
that's handled automatically. 1.2.3 does have a checkbox under System
-> Advanced to disable adding reply-to entirely, which is a solution
as long as you aren't using multi-WAN (you can just comment out the
reply-to line in /etc/inc/filter.inc too).


Hi Chris - thanks for the reply.

I'm still on 1.2.1 and am waiting to upgrade with the final 1.2.3
release. If I make a change to /etc/inc/filter.inc now, it would be
lost when I upgraded pfSense, correct? I just want to avoid getting
hit with this again after the 1.2.3 release is installed (at which
point, this network bridging will be live).




We don't have a solution
for multi-WAN cases combined with WAN static routes to something other
than your gateway on that interface at this time. Either the static
route won't work for traffic initiated from that router, or you
disable reply-to and break reply routing for multi-WAN.


Indeed, I knew that the solution would break multi-WAN so I wasn't
hopeful that there'd even be a solution in pfSense. I'm happy to hear
that you've added the ability to effectively disable reply-to. Many
thanks, I've been recommending pfSense heartily for the past year and
I'm glad that I can continue to use it for our needs.


Ian




[pfSense Support] Using a different gateway reply-to IP in PF rules

2009-08-18 Thread Ian Levesque

Hello,

I've got a WAN rule that allows traffic from a specific subnet in our
university's private network direct access to our LAN. We're basically
bridging two LANs across a WAN interface. The generated rule looks
like this, where 1.2.3.4 is our default gateway:

pass in log quick on $wan reply-to (em2 1.2.3.4) proto { tcp udp } from { 10.11.143.0/24 } to { 10.0.8.0/23 } keep state label "USER_RULE: Outside LAN"

The problem we have is that we're using a static route to access the
gateway to this "outside LAN", let's say that's "1.2.3.5". What we
need is for traffic that comes in from 1.2.3.5 for our LAN to go back
out to 1.2.3.5, not to the default route. We do have the static route
defined:

default          1.2.3.4  UGS  0  5766491  em2
10.11.143.0/24   1.2.3.5  UGS  0      384  em2

From the rule editing page, it appears that a gateway can be defined,
but I'm only given the option of using "default" or my default route
(1.2.3.4). The description below says "Leave as 'default' to use the
system routing table", but with the way the rules are generated by
pfSense, all of our WAN traffic is sent back out the default gateway
instead of the more precise match.

I understand that the solution to this is to change the above
generated rule to use "reply-to (em2 1.2.3.5)" or to omit the reply-to
altogether. Is there any way to accommodate this rather obscure
use-case in pfSense? Can we add additional routes to the "Gateway"
drop-down?


Thanks,
Ian
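As an added example (not code from the original post or from pfSense), the lookup the poster expects from the routing table, done by hand: parse the two netstat-style routes quoted above, pick the longest-prefix match for the remote subnet, and emit the pass rule with the reply-to gateway that match yields rather than the default route. The ROUTING_TABLE text is constructed from the message, and the function names are this example's own; it works for any table in that format, not just the two routes shown.

```python
import ipaddress

# Constructed from the routing table quoted in the message (netstat -rn style).
ROUTING_TABLE = """\
default            1.2.3.4    UGS    0    5766491    em2
10.11.143.0/24     1.2.3.5    UGS    0    384        em2
"""


def parse_routes(text):
    """Return [(network, gateway, interface)] from netstat -rn style lines."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # header or blank line
        dest, gw, iface = fields[0], fields[1], fields[-1]
        dest = "0.0.0.0/0" if dest == "default" else dest
        routes.append((ipaddress.ip_network(dest, strict=False),
                       ipaddress.ip_address(gw), iface))
    return routes


def lookup(routes, addr):
    """Longest-prefix match, as the kernel routing table does it."""
    addr = ipaddress.ip_address(addr)
    best = None
    for net, gw, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best


def reply_to_rule(routes, src_net, dst_net, label):
    """Build the pass rule with reply-to set to the gateway the table selects for src_net."""
    src = ipaddress.ip_network(src_net)
    match = lookup(routes, src.network_address)
    if match is None:
        raise ValueError(f"no route for {src}")
    net, gw, iface = match
    return (f"pass in log quick on $wan reply-to ({iface} {gw}) proto {{ tcp udp }} "
            f"from {{ {src} }} to {{ {dst_net} }} keep state label \"{label}\"")


if __name__ == "__main__":
    print(reply_to_rule(parse_routes(ROUTING_TABLE),
                        "10.11.143.0/24", "10.0.8.0/23", "USER_RULE: Outside LAN"))
```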




[pfSense Support] XMLRPC debugging

2009-08-18 Thread Ian Levesque

Hello,

I just noticed that my two pfSense boxen aren't syncing anymore. In  
the logs, I see:


An error code was received while attempting XMLRPC sync with username  
admin https://192.168.8.1:443 - Code 2: Invalid return payload: enable  
debugging to examine incoming payload


How can I enable XMLRPC debugging and run it from the CLI?

Thanks,
Ian




Re: [pfSense Support] Statically-defined DHCP clients with dynamic addressing not entered into DNS

2009-06-29 Thread Ian Levesque



I'm surprised that nobody seems to have DHCP/DNS configured with your  
clients allocated IP addresses from a dynamic pool. This seems like a  
pretty simple use case.


Ian




[pfSense Support] Statically-defined DHCP clients with dynamic addressing not entered into DNS

2009-06-26 Thread Ian Levesque

Hi all,

We're running DHCP and DNS on a pair of CARPed pfSense 1.2.1 boxen. Other than the fact that they don't sync DHCP entries, it's been working OK for us. However, we've currently got them configured to assign static IPs to specific MACs, and that's becoming difficult to manage. We'd prefer to add an entry for each host's MAC and a hostname, but omit the IP address assignment. While we can do this currently - said hosts do receive an IP address in the dynamic pool - the hosts' hostname fails to be assigned in DNS. Remember, statically-assigned IP hosts (hence, hosts added to /etc/hosts) DO get added to DNS.


Interestingly, our DHCP leases on the responding DHCP server show:

IP address    MAC address         Hostname     Online    Lease Type
10.0.9.200    00:0c:f1:aa:c2:27                online    active
              00:0c:f1:aa:c2:27   ian-testpc   online    static

and the non-responding DHCP server shows only:

              00:0c:f1:aa:c2:27   ian-testpc   online    static

Is this a known limitation?

Thanks!
Ian




Re: [pfSense Support] pfSense 1.2.1-RC2 now available

2008-11-21 Thread Ian Levesque
Upgrade from -RC1 went smoothly here. Running CARP on two routers,  
upgraded primary then secondary router. No problems to report.


Cheers,
Ian





Re: [pfSense Support] Syncing DHCP configs

2008-11-11 Thread Ian Levesque
Before I go through the process of trying to hack into the sync  
backend on pfsense, I just wanted to put this out there one last time...


Anybody with inside info willing to shed some light on the future  
plans for this issue?


Cheers,
Ian






Re: [pfSense Support] Syncing DHCP configs

2008-10-31 Thread Ian Levesque

Just found the bug report: http://cvstrac.pfsense.org/tktview?tn=1747,33

Still curious about potential workarounds and the projected release  
for a fix.


Cheers,
Ian






[pfSense Support] Syncing DHCP configs

2008-10-31 Thread Ian Levesque

Hi all -

I have two pfSense installations, successfully using carp + XMLRPC  
sync to provide failover routing, firewall, DNS and DHCP services to  
my network of a few hundred workstations. Everything has been working  
beautifully, except for one thing: the dhcp configuration isn't synced  
between the boxen. This poses two problems: 1) because we're running  
redundant dhcp, unless both dhcp servers are using the same config we  
have the possibility of inconsistent dhcp results on our LAN and 2) if  
the primary dhcp server does go down, there's a risk that some clients  
whose lease time expired may forfeit their IP address.


Before I spend the time trying to figure out a reliable way to sync  
the config, has anybody already successfully found a workaround to  
this deficiency? Also, does anybody know if this will be fixed in 1.2.1?


Cheers,
Ian




Re: [pfSense Support] syslogd stuck at 100% cpu

2008-10-28 Thread Ian Levesque


On Oct 28, 2008, at 12:03 PM, Scott Ullrich wrote:


This is fixed in 1.2.1.


Good to hear. Is this fix included in the latest daily snapshot? Until  
1.2.1 is released, is there something else I could do (maybe just a  
nightly `kill -HUP ${syslogdpid}` cron job) to ensure that it doesn't  
get stuck again?


BTW, thanks for all the work you do, Scott.

Cheers,
Ian




[pfSense Support] syslogd stuck at 100% cpu

2008-10-28 Thread Ian Levesque

Hello,

I'm running 1.2.1-RC1 (built on Sat Sep 13 03:53:42 EDT 2008). After  
about 10 days of uptime, I noticed that logs were becoming stale. It  
turns out that all logging functionality stopped yesterday evening. In  
dmesg, the last messages are:


pid 20276 (clog), uid 0: exited on signal 11 (core dumped)
pid 20281 (clog), uid 0: exited on signal 11 (core dumped)

I then noticed that the syslogd process is using 100% CPU:

USER   PID %CPU %MEM   VSZ   RSS  TT  STAT STARTED     TIME COMMAND
root   217 100.0  0.1  3236  1096  ??  Rs   16Oct08 1083:50.92 /usr/sbin/syslogd -ss -f /var/etc/syslog.conf


I tried to hup the proc but it wouldn't die, so I had to kill it and  
restart syslogd by hand.


Any ideas on how to troubleshoot the cause of this further?

Cheers,
Ian




Re: [pfSense Support] Can we specify DNS suffix?

2008-10-27 Thread Ian Levesque

On Oct 27, 2008, at 7:01 AM, Steve Harman wrote:

Do we have the ability in pfSense to specify the domain suffix(es)  
that get distributed to clients via DHCP?  I couldn’t find anywhere.


my DHCP clients receive the domain i use in the General Setup > Domain  
field. is there a reason you'd have your router on a different domain  
than its DHCP clients?


cheers,
ian



Re: [pfSense Support] pfsense on mac mini?

2005-09-10 Thread Ian
ironsystems.com has great 1U half length P4 ~2.4GHz/256mb/80gb boxes
for like $800, have a ton of them at my workplace for DNS servers,
dhcp, etc etc. Dual fxp cards and room for an additional pci card,
don't know how fast the motherboard is in terms of keeping up with say
a 4 port 100mb card, but the price is right and the boxes are rock
solid, we run openbsd on all of them and have never had a problem, not
a minute of downtime in the year or so I've been there.

Kinda OT, but good info for someone possibly :)


-Ian

On 9/9/05, Chris Buechler <[EMAIL PROTECTED]> wrote:
> dny wrote:
> 
> >it's quite small hardware and doesn't take too much space.
> >
> >i think, it's pretty good candidate to put into rack
> >rather than other expensive rackmounted hardware...
> >
> >
> it's not going to work, as Scott said, but...really, you're kidding,
> right?  :)  "Expensive" rack mounted hardware?  A base mini is $499, and
> you'd have to add USB NIC's to that.  You could get a 1U rack mountable
> box with 3 NIC's that'll push 100 Mb at wire speed for that price, and
> not deal with something that isn't rack mountable and has USB NIC's
> hanging all over the place.  Or build a mini ITX box for cheaper, with
> internal NIC's.
> 
> I have a mini and love it, but I'd never consider using one for a
> firewall.
> 
> -cmb
> 
