Re: [pfSense Support] Is it possible to Port Forward same PORT to TWO servers? pfsense + TWO Asterisk servers and NAT
On Fri, Jan 14, 2011 at 1:55 PM, Bruce B bruceb...@gmail.com wrote:

Hi Everyone,

I am facing a dilemma here. If I port forward 1-2 to my first Asterisk server which sits behind pfSense v1.2.3 then I have two way audio. If I remove it I don't have any audio but call establishes. Now, I have a second server, so I am stuck with what to do on the NAT. I tried to set NAT destination to network subnet like 192.168.0.0/24 but it doesn't accept that. Can you please tell me what I need to do?

***I have only 1 IP address so adding more IPs is not an option.

Would I have to take advantage of 1:1 NAT? I am not sure what it is and how to set it up if at all. Please guide.

Thanks

If you want to use two public Asterisk servers, you need two public IPs.

Jesse
Re: [pfSense Support] 1 big pfSense or 2 smaller ones?
On Tue, Jan 4, 2011 at 9:32 PM, Pandu Poluan pa...@poluan.info wrote:

Hello,

I am planning to deploy pfSense, mostly for firewall and NAT, on my production Cloud. It is based on VMware. What do you recommend:

+ 1 big multi-CPU pfSense VM, or
+ 2 smaller single-CPU pfSense VMs

A question: Will 2 smaller VMs provide higher throughput than a single big VM?

And some notes:

- RAM is at a premium here.
- I got only 2 Public IP Addresses.

Thank you for any input!

Rgds,
--
Pandu E Poluan
* ~ IT Optimizer ~ *
*Visit my Website: http://pandu.poluan.info*
Google Talk: pepoluan
Y! messenger: pepoluan
MSN / Live: pepol...@hotmail.com (do *not* send email here)
Skype: pepoluan
More on me: LinkedIn http://www.linkedin.com/in/pepoluan Facebook http://www.facebook.com/pepoluan

Not sure how you plan on using 2 routers to do the same job, but keep in mind that adding multiple CPUs to a vmware virtual machine is nothing like having multiple physical CPUs. It will allow the VM to process more than a single thread at a time, but the scheduling can be slowed down. There has to be the same number of physical threads available on your host system as the number of virtual CPUs on your VM. This means that even single threads can end up waiting on processor ready time because you added more virtual CPUs than the underlying system has idle.

Bottom line = Don't add more than 1 or 2 virtual CPUs to a pfsense VM.

What kind of host system(s) would it run on?

Jesse Vollmar
Aedis IT, LLC
[pfSense Support] Interface Bridging Problem
Hello, I have a pfsense 1.2 router with a bridging problem that I can't seem to figure out. It is a multi-wan setup, however, the bridge configuration is fairly simple. I am just trying to run another router behind pfsense and have it use a single public IP from a subnet on the WAN interface. After configuring everything the way I thought was right, it works just fine for the first 20-40 minutes. After that, everything stops flowing through the bridge. I am bridging an OPT interface directly to a WAN interface. The OPT interface in the bridge is connected to the WAN port on the other router behind pfsense. Pfsense has NAT mappings for 4 out of the 5 IPs in the public subnet. It does not have any NAT rules for the 5th (IP I'm using behind pfsense) one. The crazy part to me is how everything will work as expected for about a half an hour and then just quit. Could this be a BSD bug? Jesse
Re: [pfSense Support] PFSense 1.2.3 IPSEC Tunnel dropped, no re-connect
On Sat, Jul 17, 2010 at 10:09 AM, Paul Peziol joyride...@gmail.com wrote:

Have a site-site tunnel between home and work. Had issues getting the tunnels to work initially. Once they were up they were stable for a few weeks. Rebooted the home router this morning and the tunnel does not come back up. Went into IPSEC and re-saved the tunnels and still does not come up.

Get this error

ERROR: phase2 negotiation failed due to time up waiting for phase1

Jul 17 09:01:11 racoon: *[]*: INFO: initiate new phase 1 negotiation: HOME WAN[500]=OFFICE WAN[500]
Jul 17 09:01:11 racoon: INFO: begin Aggressive mode.
Jul 17 09:01:36 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Jul 17 09:01:44 racoon: *[]*: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP OFFICE WAN[0]-HOME WAN[0]
Jul 17 09:01:44 racoon: INFO: delete phase 2 handler.
Jul 17 09:02:01 racoon: ERROR: phase1 negotiation failed due to time up. dd42e11e42fc3dcb:

Puzzled why it would work until a reboot. IPSEC status shows *No IPsec security associations.* I tried to delete the tunnels under SPD, resave the ipsec settings. The spd gets recreated but still no tunnel and the above messages.

You say between home and work. Is it possible that you have a dynamic IP at home and a reboot of your modem pulled down a new IP address? This could potentially have disrupted the IPSec tunnel.
Re: [pfSense Support] vlan troubles
On Fri, Sep 25, 2009 at 6:05 PM, Joseph L. Casale jcas...@activenetwerx.com wrote:

I have a vlan (50) setup whose parent interface is Opt2. This parent interface is setup with a static ip of 192.168.1.1/24 and is plugged into a switch A that has this port tagged into the specific vlan id of 50 as well. Switch A has a fibre connection to another switch B and the ports are both tagged into vlan 50. Switch B has a non vlan aware computer connected and its port is untagged into vlan 50.

From the lan side on a workstation and from the console as well, I can ping 192.168.1.1 but not the IP of the device on the untagged port of Switch B. Opt2 has a default * rule allowing everything.

Did I miss something wrt to the vlan setup in pfsense? I did reboot as it mentioned while configuring this.

Thanks!
jlc

Does the vlan interface have an allow rule? You said opt2 does, but what about your vlan interface?
Re: [pfSense Support] Load Balancing on vlans
You shouldn't use the parent interface generally. Don't think that's related though. You losing connectivity from the firewall to the gateway?

You're far from uncharted territory, the several boxes I've worked on that have 6-12 WANs all use VLANs as WANs. You may need negate rules for anything not reachable via the specified gateway, when you specify a gateway it forces traffic to that gateway. Those are automatically added generally but you could be doing something that's overriding that.

- To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org

Sorry, your comments have confused me just a bit. I have two physical WAN connections that are doing failover and one LAN interface with vlans under it. I want those vlans to use the failover rather than just the default gateway. Is this not a standard thing to do? If it won't work like this, I suppose I could do some routing on my switch to eliminate the vlans at pfsense. I just thought pfsense would be able to handle that.
Re: [pfSense Support] Load Balancing on vlans
On Fri, Aug 28, 2009 at 9:47 AM, Bill Marquette bill.marque...@gmail.com wrote:

What's not normal (and not recommended) is the use of the physical NIC for a network while simultaneously sending tagged frames to it. That may or may not be related to the issue you are having.

--Bill

Should have mentioned that I am not actually using the LAN NIC for anything but the tagged vlans. Should I be using an OPT interface rather than the LAN interface for my vlans?
Re: [pfSense Support] Load Balancing on vlans
Nope, that helps a lot. So, you already have one VLAN interface using a load balancing rule correct? When you try to setup another VLAN interface for load balancing it breaks?

It is breaking when I try to setup the first load balancing rule. It will work as expected for a few minutes, then stops.

So your LAN is assigned to VLAN not to physical em0 or bge0 or whatever? And you have no LAN, WAN, OPTx assigned to this physical one?

I just recently configured the vlan interfaces on a router that had em0 assigned to LAN. I haven't changed that because I didn't know it was a problem, and you are required to have a LAN interface. Do I need to get my vlans on a NIC that doesn't have LAN assigned to it?
Re: [pfSense Support] Load Balancing on vlans
Wait a sec. You configured the vlan interfaces on a router but what about pfSense side?

I used router as a synonym for pfsense. My mistake. I just meant my pfSense box.
Re: [pfSense Support] Load Balancing on vlans
FIXED! I finally figured out what was happening. There was no rule sending traffic that needed to reach the pfsense box itself to it. For some reason, EVERYTHING was getting pumped out the active gateway in my failover pool.
Re: [pfSense Support] Load Balancing on vlans
On Thu, Aug 27, 2009 at 12:08 AM, Jesse Vollmar vollm...@gmail.com wrote:

Well, when I set the firewall rule to send all traffic to a load balanced gateway (instead of default) stuff just breaks. I can't get to the Internet or I get to anything else on the other vlans. I am using a rule identical to the one I use for the load balancing on LAN except the interface.

I tried again this morning to change the allow rule on a vlan interface to send traffic out on a gateway other than default and after about five minutes of working like it should, all traffic stopped. Hosts on that vlan could no longer ping the gateway of that vlan or anything on another network. This is only happening on my vlan interfaces (parent interface is LAN).
Re: [pfSense Support] Load Balancing on vlans
On Thu, Aug 27, 2009 at 12:49 PM, Scott Ullrich sullr...@gmail.com wrote:

Sounds like a NIC driver issue. Make sure you are using Intel NICS.

Scott

I'm using high quality Intel NICs. The vlan tagging works just fine. It appears to be an issue with routing.
[pfSense Support] Load Balancer Interfaces
Hello, I recently had to make some changes to one of my OPT interfaces and now I cannot re-setup the load balancing. I ended up not setting a gateway on that interface (which is used for a cable Internet connection) to get it to work with my ISP. Before making any changes, I deleted out my load balancing rules. When I go back to recreate them, the edit pool page is only showing WAN in the interface drop down. I am trying to do gateway failover using my two Internet connections. It seems like this is related to that OPT interface not having the gateway specified on it. That interface is however working and sending traffic out to my ISP's gateway. Jesse
Re: [pfSense Support] Load Balancer Interfaces
On Wed, Aug 26, 2009 at 10:39 AM, David Burgess apt@gmail.com wrote:

At the risk of looking like the N00b that I am, I don't see how pfsense can send traffic out on an interface that has no gateway. Respond, yes; initiate, no. Can we have a look at your routing table?

db

The route for that OPT1 interface is showing up it is em2.

$ netstat -nr
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            67.38.60.77        UGS         0   455460    ng0
10                 link#1             UC          0        0    em0
...
66.188.33.xxx/30   link#3             UC          0        0    em2
66.188.33.xxx      00:1f:e1:4b:d7:f4  UHLW        1        0    em2   1185
67.38.60.77        99.23.221.xxx      UH          1     4955    ng0
99.23.221.xxx      lo0                UHS         0        0    lo0
127.0.0.1          127.0.0.1          UH          0        0    lo0
Re: [pfSense Support] Load Balancer Interfaces
On Wed, Aug 26, 2009 at 11:19 AM, David Burgess apt@gmail.com wrote:

As expected, you have no gateway on em2. pfsense is able to route packets to any host on that network, which means it can reply to any incoming packet, or contact any machine on that network, but any traffic that doesn't match the exact networks in the first column, ie, 'the internet', will take the default gateway, ng0.

For load balancing to work, and for any outbound connection initiated from your network to go out the em2 interface, you will have to enter a gateway. If this messes things up with your ISP then your ISP has a problem, or you're not setting things up properly. Enter your ISP's gateway on em2 and if that doesn't work we'll troubleshoot from there.

db

I have entered the ISP's gateway (They actually have two due to us using multiple subnets) and when I do, pfsense can only ping that address. Packets to any other network won't go through. When I remove it, I can ping any internet host from em2.
[pfSense Support] Routing Between VLANs
Hi guys,

I just setup 4 new vlans on pfsense and my switches. Clients on the new vlans can talk to their gateway (the pfsense interface) and hosts on the Internet. However, I would like to allow 2 of the vlans to route back and forth to each other. I can't seem to get this to work. For example, from vlan101 I cannot ping a host on vlan100. Both interfaces have an allow any rule in the firewall.
Re: [pfSense Support] Routing Between VLANs
On Wed, Aug 26, 2009 at 8:55 PM, Evgeny Yurchenko evg.yu...@rogers.com wrote:

May we see ifconfig and netstat -rn ?

I think I know why... there is no route to that on particular vlan! all the other vlans had routes created for them but the vlan100 did not.

$ netstat -nr
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            67.38.60.77        UGS         0    66215    ng0
10/24              link#1             UC          0        0    em0
10.0.0.10          00:50:8d:94:0c:36  UHLW        1        4    em0   1160
10.0.0.11          00:50:8d:94:0c:37  UHLW        1      349    em0   1164
10.0.0.15          link#1             UHLW        1        9    em0
10.0.0.250         00:01:2e:1d:2d:cb  UHLW        1     2059    em0   1195
10.0.1/24          link#13            UC          0        0  vlan4
10.0.101/24        link#10            UC          0        0  vlan1
10.0.101.252       00:24:2c:24:ec:b4  UHLW        1      446  vlan1    908
10.0.102/24        link#11            UC          0        0  vlan2
10.0.103/24        link#12            UC          0        0  vlan3
66.188.33.184/30   link#3             UC          0        0    em2
66.188.33.185      00:1f:e1:4b:d7:f4  UHLW        1      275    em2   1196
99.23.221.158      lo0                UHS         0        0    lo0
127.0.0.1          127.0.0.1          UH          0        0    lo0
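Added example (not part of the original thread): the route lookup David Burgess describes earlier in the archive and the missing connected route noticed in the message above, checked over a constructed FreeBSD netstat -rn table. The public addresses are documentation ranges, and 10.0.100.0/24 as the subnet of vlan100 is an assumption; the thread never states it.

```python
import ipaddress

# Constructed sample in FreeBSD `netstat -rn` layout, modelled on the table in
# the message above. Public addresses are documentation ranges.
SAMPLE = """\
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            203.0.113.1        UGS         0    66215    ng0
10/24              link#1             UC          0        0    em0
10.0.0.10          00:50:8d:94:0c:36  UHLW        1        4    em0   1160
10.0.1/24          link#13            UC          0        0  vlan4
10.0.101/24        link#10            UC          0        0  vlan1
10.0.102/24        link#11            UC          0        0  vlan2
10.0.103/24        link#12            UC          0        0  vlan3
198.51.100.184/30  link#3             UC          0        0    em2
127.0.0.1          127.0.0.1          UH          0        0    lo0
"""

# Assumed addressing plan: one /24 per VLAN (hypothetical, not from the thread).
EXPECTED_VLANS = ["10.0.100.0/24", "10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]


def parse_destination(token):
    """Expand a BSD destination ('default', '10/24', '10.0.1/24', host) to a network."""
    if token == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    if "/" in token:
        addr, bits = token.split("/")
        octets = addr.split(".")
        octets += ["0"] * (4 - len(octets))  # netstat drops trailing zero octets
        return ipaddress.ip_network(".".join(octets) + "/" + bits)
    return ipaddress.ip_network(token + "/32")  # host route


def parse_routes(text):
    """Return one dict per route line; header and short lines are skipped."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] == "Destination":
            continue
        routes.append({
            "net": parse_destination(fields[0]),
            "gateway": fields[1],
            "flags": fields[2],
            "netif": fields[5],
        })
    return routes


def lookup(routes, host):
    """Longest-prefix match: the route the kernel would pick for this host."""
    addr = ipaddress.ip_address(host)
    matches = [r for r in routes if addr in r["net"]]
    return max(matches, key=lambda r: r["net"].prefixlen) if matches else None


def missing_connected(routes, expected):
    """Expected subnets that have no directly connected (non-gateway) route."""
    connected = {r["net"] for r in routes if "G" not in r["flags"]}
    return [n for n in expected if ipaddress.ip_network(n) not in connected]


if __name__ == "__main__":
    table = parse_routes(SAMPLE)
    for host in ("10.0.101.20", "10.0.100.5", "198.51.100.185", "192.0.2.9"):
        r = lookup(table, host)
        print(f"{host:16} -> {r['netif']:6} via {r['gateway']} ({r['net']})")
    print("no connected route for:", missing_connected(table, EXPECTED_VLANS))
```

With no connected route for the vlan100 subnet, a packet for a host there matches only the default route and leaves on the WAN interface, which is why allow rules on both VLAN interfaces did not help.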
Re: [pfSense Support] Routing Between VLANs
Okay I deleted that vlan and now there is a system error and the web gui doesn't work. I'm on my phone now (no internet from pfsense). The error is xml error: opt cannot occur more than once. I opened a shell and then opened config.xml and it has an opt entry... I don't know how to edit this in bsd since my user has read only

On Aug 26, 2009 9:21 PM, Evgeny Yurchenko evg.yu...@rogers.com wrote:

Jesse Vollmar wrote: On Wed, Aug 26, 2009 at 8:55 PM, Evgeny Yurchenko evg.yu...@rogers.com wro...

Can't see anything wrong here. Double check your default gateways (routing) on workstations connected to these two vlans.
Re: [pfSense Support] Routing Between VLANs
On Wed, Aug 26, 2009 at 9:37 PM, Scott Ullrich sullr...@gmail.com wrote:

On Wed, Aug 26, 2009 at 9:29 PM, Jesse Vollmar vollm...@gmail.com wrote:

Okay I deleted that vlan and now there is a system error and the web gui doesn't work. I'm on my phone now (no internet from pfsense). The error is xml error: opt cannot occur more than once. I opened a shell and then opened config.xml and it has an opt entry... I don't know how to edit this in bsd since my user has read only

I just fixed this bug a few days ago. Run

/etc/rc.conf_mount_rw
vi /conf/config.xml

Find the optxxx interfaces and rename it to something like opt200909261213 where as the numbers are basically MMDDHHSS

Might have to sweep the config.xml file and locate any references to that old opt rule and delete them out of the config file. Then run

rm /tmp/config.cache

Then you should be in good shape. Finally run

shutdown -r now

Scott

Alright, got that fixed. That wasn't fun... good job on fixing it. lol
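Added example (not from the thread or the pfSense project): a read-only check to run against a copy of config.xml before hand-editing it as described above. It lists interface tags that occur more than once and every other element that still refers to them. The sample XML is constructed, and treating the direct children of <interfaces> as the tags that must be unique is an assumption drawn from the error text quoted in the message.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample: two interface entries share the tag <opt>, and one
# firewall rule still points at that name.
SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <wan><if>em1</if></wan>
    <lan><if>em0</if></lan>
    <opt1><if>em2</if></opt1>
    <opt><if>vlan0</if></opt>
    <opt><if>vlan1</if></opt>
  </interfaces>
  <filter>
    <rule><interface>lan</interface><descr>allow lan</descr></rule>
    <rule><interface>opt</interface><descr>allow vlan</descr></rule>
  </filter>
</pfsense>"""


def duplicate_interface_tags(root):
    """Tags that appear more than once directly under <interfaces>."""
    interfaces = root.find("interfaces")
    if interfaces is None:
        return {}
    counts = Counter(child.tag for child in interfaces)
    return {tag: n for tag, n in counts.items() if n > 1}


def references(root, name):
    """Paths of elements outside <interfaces> whose text is exactly `name`."""
    skip = root.find("interfaces")
    hits = []

    def walk(elem, path):
        for child in elem:
            if child is skip:
                continue
            child_path = f"{path}/{child.tag}"
            if (child.text or "").strip() == name:
                hits.append(child_path)
            walk(child, child_path)

    walk(root, "/" + root.tag)
    return hits


def audit(xml_text):
    """Map each duplicated interface tag to the places that still refer to it."""
    root = ET.fromstring(xml_text)
    return {tag: references(root, tag) for tag in duplicate_interface_tags(root)}


if __name__ == "__main__":
    for tag, refs in audit(SAMPLE_CONFIG).items():
        print(f"<{tag}> occurs more than once under <interfaces>")
        for ref in refs:
            print(f"  still referenced at {ref}")
```

An empty result means no interface tag is duplicated; anything listed under a tag is a rule or setting to review when that interface is renamed or removed.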
[pfSense Support] Load Balancing on vlans
Is load balancing supported on vlan interfaces?
Re: [pfSense Support] Load Balancing on vlans
On Thu, Aug 27, 2009 at 12:01 AM, Chris Buechler c...@pfsense.org wrote:

Yes. They're no different than any other.

Well, when I set the firewall rule to send all traffic to a load balanced gateway (instead of default) stuff just breaks. I can't get to the Internet or I get to anything else on the other vlans. I am using a rule identical to the one I use for the load balancing on LAN except the interface.
Re: [pfSense Support] Multiple Subnets From ISP Same Interface
Depends on exactly how they're routing them to you, and how you want to use them.

If you want to use them with NAT, and you aren't using CARP, just add them as Other VIPs. IPs that are routed to you do not need ARP. If you're using CARP, add them as Other VIPs and make sure the ISP is routing that new subnet to a CARP VIP.

If you want to directly assign the public IPs on inside systems, add another interface for the new subnet, whether physical or VLAN (this has nothing to do with the ISP, it's your internal network). Alternatively you can put both subnets on the same inside interface, but I would avoid that.

http://doc.pfsense.org/multiple-subnets-one-interface-pfsense.pdf

I'm not using CARP and I would like to use them with NAT. According to that, your recommendation would be to use other VIPs. My only question is, will they route properly since the ISP has this new subnet using a different gateway address than the first subnet. On my interface the gateway is defined, but it isn't be the gateway for my new VIPs. I think they would need a different route. This makes me think that I either have to add another interface, or do multiple subnets on the same interface. Am I right?

Thanks for the help everyone!
Re: [pfSense Support] Multiple Subnets From ISP Same Interface
On Tue, Aug 18, 2009 at 8:39 PM, Chris Buechler c...@pfsense.org wrote:

Is it really a gateway address, i.e. they have it assigned on their router, or are they actually routing you the entire IP block? Ideally it will be the latter, they can and should be routing additional space to one of your existing addresses. Then you can setup the full subnet on an internal interface or VLAN without any ARP, or use it in combination with NAT using Other VIPs.

If they insist on having the gateway IP on their equipment (they shouldn't, I would refuse that if it were my ISP), you're probably stuck bridging an internal interface or VLAN to WAN, though proxy ARP might work depending on how they have things setup.

Part of the problem is that I am not exactly sure how they are delivering the IPs. The ISP is Charter. I purchased from them a static 5 pack which is a /29 routed subnet according to them. Here is what they sent me (I replaced the actual numbers):

Ok got the 5pack on the router:
IP 66.188.xx.b to .c
*Subnet 255.255.255.248*
*Gateway 66.188.xx.a*

I am going to ask that technician about it tomorrow and see what exactly he configured. Just to recap though, that IP info above doesn't line up with the ranges from my other subnet. The info for the other subnet has a different Gateway address than that one.
Re: [pfSense Support] Multiple Subnets From ISP Same Interface
On cable you may be stuck with no other option than NAT or bridging, cable ISPs tend to be much less flexible with routing. Proxy ARP + NAT should work, you can disregard the gateway in that case assuming it's an IP alias on your current WAN gateway.

If you bridge, you're going to need extra routing setup to get from the public IP hosts on the bridge to the other networks behind the firewall, since Charter isn't going to route your internal networks back to your firewall and your gateway is going to be that IP on your cable modem.

NAT is fine with me, but that gateway isn't a VIP on my WAN. Are you saying that I would need to add it?
[pfSense Support] Multiple Subnets From ISP Same Interface
Hey guys, after googling this for a while, I'm not finding any clear instructions for doing this. I currently have a multi-wan scenario with failover configured. I just purchased another static IP block from one of the ISPs and they are now routing those to me (so they say). I would like to use this new subnet in concurrence with my old subnet, both on the same interface (OPT1). The subnets do not share the same gateway. What is the proper way to configure this? Thanks, Jesse
Re: [pfSense Support] Multiple Subnets From ISP Same Interface
Wouldn't that mean that the ISP would have to define the vlans on their end? That wouldn't be an option.

On Mon, Aug 17, 2009 at 5:43 PM, Victor Padro vpa...@gmail.com wrote:

On Mon, Aug 17, 2009 at 4:33 PM, Jesse Vollmar vollm...@gmail.com wrote:

Hey guys, after googling this for a while, I'm not finding any clear instructions for doing this. I currently have a multi-wan scenario with failover configured. I just purchased another static IP block from one of the ISPs and they are now routing those to me (so they say). I would like to use this new subnet in concurrence with my old subnet, both on the same interface (OPT1). The subnets do not share the same gateway. What is the proper way to configure this?

Thanks,
Jesse

Use VLANs?

--
Linux User #452368
Ubuntu User #28025
http://twitter.com/vpadro
Manifiesto por una cultura libre: http://culturalibre.org/
Doing a thing well is often a waste of time.
Re: [pfSense Support] Multiple Subnets From ISP Same Interface
There is only one single modem. They have to share the same interface, because they come in on the same port. Unless of course you mean a virtual interface.

On Mon, Aug 17, 2009 at 5:55 PM, Evgeny Yurchenko evg.yu...@rogers.com wrote:

Jesse Vollmar wrote:

Hey guys, after googling this for a while, I'm not finding any clear instructions for doing this. I currently have a multi-wan scenario with failover configured. I just purchased another static IP block from one of the ISPs and they are now routing those to me (so they say). I would like to use this new subnet in concurrence with my old subnet, both on the same interface (OPT1). The subnets do not share the same gateway. What is the proper way to configure this?

Thanks,
Jesse

Add new interface.

Eugene.
Re: [pfSense Support] Multiple Subnets From ISP Same Interface
This is too hard for me to draw out. Sorry. I only have one physical cable modem that according to the ISP is having two subnets routed to it. However, subnet 1 has a different gateway than subnet 2 on the ISP end.

On Mon, Aug 17, 2009 at 6:00 PM, Evgeny Yurchenko evg.yu...@rogers.com wrote:

Jesse Vollmar wrote:

There is only one single modem. They have to share the same interface, because they come in on the same port. Unless of course you mean a virtual interface.

On Mon, Aug 17, 2009 at 5:55 PM, Evgeny Yurchenko evg.yu...@rogers.com wrote:

Jesse Vollmar wrote:

Hey guys, after googling this for a while, I'm not finding any clear instructions for doing this. I currently have a multi-wan scenario with failover configured. I just purchased another static IP block from one of the ISPs and they are now routing those to me (so they say). I would like to use this new subnet in concurrence with my old subnet, both on the same interface (OPT1). The subnets do not share the same gateway. What is the proper way to configure this?

Thanks,
Jesse

Add new interface.

Eugene.

How come they have different gateways? Could you draw diagram?

Eugene