RE: [pfSense Support] HEADS UP -- IPSEC Filtering now in recent snapshots

2007-03-01 Thread John Cianfarani
I think what you're thinking about is the difference between AH and ESP.  AH
provides origin authentication, so it adds a hash checksum over the IP header;
if that gets changed by NAT the packet will be dropped by the other IPSEC
endpoint as it fails the checksum match.  ESP on the other hand does
encryption on the data and does not touch the IP header, so it's free to be
modified by NAT.

Thanks
John


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, February 28, 2007 7:27 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] HEADS UP -- IPSEC Filtering now in recent
snapshots

if I remember the protocol correctly, IPSec has a checksum that's embedded 
into it to show if the packet has been altered. NAT alters the crap out of 
the packet to make it traverse the network, hence breaking the IPSec 
security and therefore making it a worthless packet.
meaning IPSec into a NAT tunnel will never work but outbound from said 
tunnel would.


-Sean

- Original Message -
From: John Cianfarani [EMAIL PROTECTED]
To: support@pfsense.com
Sent: Wednesday, February 28, 2007 12:53 AM
Subject: RE: [pfSense Support] HEADS UP -- IPSEC Filtering now in recent 
snapshots

I can always hope :P

 Good to know I can NAT out of an IPSec tunnel that at least is useful for 
 me.
 Good work anyhow.

 Thanks
 John

 -Original Message-
 From: Bill Marquette [mailto:[EMAIL PROTECTED]
 Sent: Monday, February 26, 2007 10:44 PM
 To: support@pfsense.com
 Subject: Re: [pfSense Support] HEADS UP -- IPSEC Filtering now in recent
 snapshots

 On 2/20/07, John Cianfarani [EMAIL PROTECTED] wrote:
 Catching up on the list here and I saw this, that's awesome work!
 Curious does this mean we are any closer to doing NAT for traffic in/out
 of
 an IPSec tunnel.

 For some form of closer.  Sadly, not really.  IPSec policy takes
 effect before filtering/nating, so while coming out of a tunnel you
 could nat (inside interface), traffic initiated _inside_ your network
 across the tunnel will hit the tunnel before PF sees it to nat (nat
 only occurs egress on an interface).  Maybe someday we'll see this,
 but it's going to take a lot more kernel reorg I think.

 --Bill

 -
 To unsubscribe, e-mail: [EMAIL PROTECTED]
 For additional commands, e-mail: [EMAIL PROTECTED]



 



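The AH-versus-ESP point John makes above, as an added example (this is not code from the thread or from pfSense): a toy model in Python of the two integrity checks. The key, addresses and payload are constructed sample values; the AH and ESP headers follow the real layouts, but the ESP payload is left in the clear and no replay window is modelled. A NAT rewrites the source address, which AH's ICV covers and ESP's does not; an ordinary router only decrements TTL, which RFC 4302 lists as a mutable field and so excludes from the AH ICV.

```python
"""Added example: why NAT breaks AH but not ESP (toy model of the integrity checks only)."""
import hashlib
import hmac
import ipaddress
import struct

KEY = b"constructed-sample-key"      # hypothetical SA key shared by both endpoints
IPPROTO_ESP, IPPROTO_AH = 50, 51
IPPROTO_INNER = 4                    # next-header value for the inner (IP-in-IP) packet


def ip_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header whose checksum field is zero."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    """20-byte IPv4 header without options, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def ah_covered_header(ip_hdr: bytes) -> bytes:
    """RFC 4302 3.3.3.1: TOS, flags/fragment offset, TTL and checksum change in transit,
    so they are zeroed before the ICV is computed. Addresses are NOT zeroed."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def icv(data: bytes) -> bytes:
    """HMAC-SHA1-96: the 96-bit truncated ICV used by both AH and ESP authentication."""
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]


def build_ah(src: str, dst: str, spi: int, seq: int, payload: bytes) -> bytes:
    """IP header + AH (next, len, reserved, SPI, seq, ICV) + payload; ICV covers the IP header."""
    ah_fixed = struct.pack("!BBHII", IPPROTO_INNER, 4, 0, spi, seq)   # len 4 = 24 bytes/4 - 2
    ip_hdr = ipv4_header(src, dst, IPPROTO_AH, 20 + 12 + 12 + len(payload))
    mac = icv(ah_covered_header(ip_hdr) + ah_fixed + b"\x00" * 12 + payload)
    return ip_hdr + ah_fixed + mac + payload


def verify_ah(pkt: bytes) -> bool:
    ip_hdr, ah_fixed, mac, payload = pkt[:20], pkt[20:32], pkt[32:44], pkt[44:]
    expected = icv(ah_covered_header(ip_hdr) + ah_fixed + b"\x00" * 12 + payload)
    return hmac.compare_digest(mac, expected)


def build_esp(src: str, dst: str, spi: int, seq: int, payload: bytes) -> bytes:
    """IP header + ESP (SPI, seq) + payload + ICV; the ICV never touches the IP header.
    Toy: payload stays in clear, real ESP encrypts it."""
    esp_hdr = struct.pack("!II", spi, seq)
    ip_hdr = ipv4_header(src, dst, IPPROTO_ESP, 20 + 8 + len(payload) + 12)
    return ip_hdr + esp_hdr + payload + icv(esp_hdr + payload)


def verify_esp(pkt: bytes) -> bool:
    return hmac.compare_digest(pkt[-12:], icv(pkt[20:-12]))


def nat_rewrite_src(pkt: bytes, new_src: str) -> bytes:
    """What a source NAT does: swap the source address and fix the IP checksum."""
    h = bytearray(pkt[:20])
    h[12:16] = ipaddress.IPv4Address(new_src).packed
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ip_checksum(bytes(h)))
    return bytes(h) + pkt[20:]


def router_decrement_ttl(pkt: bytes) -> bytes:
    """What every ordinary router does: TTL - 1 plus a checksum fix-up (both mutable fields)."""
    h = bytearray(pkt[:20])
    h[8] -= 1
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ip_checksum(bytes(h)))
    return bytes(h) + pkt[20:]


def demo() -> dict:
    """Constructed scenario: a private host behind a NAT talking to a public IPsec peer."""
    payload = b"constructed inner packet bytes"
    ah = build_ah("192.168.10.5", "203.0.113.7", spi=0x1001, seq=1, payload=payload)
    esp = build_esp("192.168.10.5", "203.0.113.7", spi=0x1002, seq=1, payload=payload)
    return {
        "ah_before_nat": verify_ah(ah),
        "ah_after_router_hop": verify_ah(router_decrement_ttl(ah)),
        "ah_after_nat": verify_ah(nat_rewrite_src(ah, "198.51.100.9")),
        "esp_before_nat": verify_esp(esp),
        "esp_after_nat": verify_esp(nat_rewrite_src(esp, "198.51.100.9")),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The AH packet still verifies after a TTL decrement but not after the NAT, while the ESP packet verifies in both cases; that is the whole reason NAT traversal (UDP encapsulation of ESP) exists and why there is no equivalent for AH.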



RE: [pfSense Support] HEADS UP -- IPSEC Filtering now in recent snapshots

2007-02-27 Thread John Cianfarani
I can always hope :P

Good to know I can NAT out of an IPSec tunnel that at least is useful for me.
Good work anyhow.

Thanks
John

-Original Message-
From: Bill Marquette [mailto:[EMAIL PROTECTED] 
Sent: Monday, February 26, 2007 10:44 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] HEADS UP -- IPSEC Filtering now in recent
snapshots

On 2/20/07, John Cianfarani [EMAIL PROTECTED] wrote:
 Catching up on the list here and I saw this, that's awesome work!
 Curious does this mean we are any closer to doing NAT for traffic in/out
of
 an IPSec tunnel.

For some form of closer.  Sadly, not really.  IPSec policy takes
effect before filtering/nating, so while coming out of a tunnel you
could nat (inside interface), traffic initiated _inside_ your network
across the tunnel will hit the tunnel before PF sees it to nat (nat
only occurs egress on an interface).  Maybe someday we'll see this,
but it's going to take a lot more kernel reorg I think.

--Bill






RE: [pfSense Support] HEADS UP -- IPSEC Filtering now in recent snapshots

2007-02-20 Thread John Cianfarani
Catching up on the list here and I saw this, that's awesome work!
Curious does this mean we are any closer to doing NAT for traffic in/out of
an IPSec tunnel.

Thanks
John

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED] 
Sent: Friday, February 09, 2007 2:01 PM
To: support @ pfsense. com
Subject: [pfSense Support] HEADS UP -- IPSEC Filtering now in recent
snapshots

HEADS UP!

IPSEC Filtering is now present in the 1.0.X branch first appearing in
today's snapshot.

By default on upgrade we will install a default PASS rule for the
IPSEC interface to permit traffic.  So basically anyone upgrading will
not see a difference.  However, you can edit the default rule and
introduce fine-grained control of the IPSEC tunnels if you wish.

The feature will appear in today's snapshot which is currently building
located at http://snapshots.pfsense.com/FreeBSD6/RELENG_1/updates/

Have fun!

Scott






RE: [pfSense Support] VLAN trunking?

2006-11-08 Thread John Cianfarani

pfSense does do 802.1q trunking so if the
device you are connecting does (should be most except some older switches) you
shouldn't have a problem.

Thanks
John

From: Nathan Osborne [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 08, 2006 9:19 AM
To: support@pfsense.com
Subject: [pfSense Support] VLAN trunking?

Hi everyone,

I have a pretty basic VLAN question that I haven't been able to find the answer
to: Can pfSense do VLAN trunking? More specifically: I'm
installing a Metro Ethernet connection with pfSense boxes on each end. I
need to tag all traffic sent over the Metro Ethernet connection with a specific
VLAN id in order for the ISP's switch to handle the traffic correctly and send
it on to the pfSense box on the other end. Can pfSense do this through
its VLAN configuration, or would I need a 802.1q switch in between the pfSense
and the Metro E connection on each end to specify the VLAN info? 

Each box has Intel cards (em), running ver 1.0.1.

Thanks for any tips,
Nate

RE: [pfSense Support] VLAN/Subnet Question

2006-10-31 Thread John Cianfarani
There are a couple of steps that need to be done.

First you will probably lose access if this is your only interface, so have
access via another interface.  I recommend you use a 3rd interface to bring
in your trunks in case there are problems with your trunk.  Also as a
security precaution if you are running a colo.

Make sure your switch is configured with 802.1q trunking to the pfsense
interface and those specific new customer vlans are allowed on that trunk.

Go to Interfaces -> Assign -> VLANs
---
Now here you add in the pfsense interface which is connected to your
switch's trunk port and the vlan numbers.

Next go to Interfaces -> Assign -> Interfaces
---
Now add new interfaces and assign them to the VLANs you just created.

Last step would be to go into each new interface to enable it, set an IP and
build rules for it.

I found I needed to reboot pfsense once to get it to take all the vlans, but
that might just have been me.

Hope that helps
John


-Original Message-
From: Lee Hetherington [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, October 31, 2006 2:24 AM
To: support@pfsense.com
Subject: [pfSense Support] VLAN/Subnet Question

Hi Folks,

I have a quick question about vlans and subnets. For example on my opt1 
I currently have an a.b.c.d/24 subnet. I wish to split this into VLANs 
and give each of my colo customers a /29. I cannot see how to do this so 
that the pfsense falls into this equation:

for example lets say the customer is assigned 192.168.0.0/29

192.168.0.1  virtual gateway between left.pfsense and right.pfsense
192.168.0.2  left.pfsense
192.168.0.3  right.pfsense
192.168.0.4  first customer ip

I cannot see any way to add multiple IPs to the interfaces. Other than 
carp addresses which isn't what I need to add is it? the gateway would be 
a carp but I wanted to assign the left.pfsense and right.pfsense IPs 
directly to the box.

Many Thanks,

Lee



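What 802.1q trunking actually puts on the wire, for both the Metro Ethernet question and the colo VLAN setup above, as an added example (this is not code from the thread or from pfSense). The VLAN interfaces pfSense creates under Interfaces -> Assign -> VLANs make the kernel insert this 4-byte tag on transmit and strip it on receive; the switch port on the other end (or the ISP's Metro Ethernet switch) has to be a trunk that allows the same VLAN IDs, otherwise tagged frames are silently dropped. MAC addresses, VLAN IDs and payload below are constructed.

```python
"""Added example: building, parsing and admitting 802.1Q-tagged Ethernet frames."""
import struct
from typing import Optional, Set

TPID_8021Q = 0x8100        # EtherType value that announces a VLAN tag follows
ETHERTYPE_IPV4 = 0x0800


def is_valid_vid(vid: int) -> bool:
    """802.1Q reserves VID 0 (priority-tagged, no VLAN) and 4095; 1..4094 are usable."""
    return 1 <= vid <= 4094


def tag_frame(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert a VLAN tag between the MAC addresses and the original EtherType.
    TCI layout: 3 bits PCP (priority), 1 bit DEI, 12 bits VID."""
    if not is_valid_vid(vid):
        raise ValueError(f"VLAN ID {vid} is reserved or out of range")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("PCP must be 0..7 and DEI 0 or 1")
    tci = (pcp << 13) | (dei << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_frame(frame: bytes) -> dict:
    """Decode dst, src, VLAN ID (None when untagged), priority, EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    ethertype, = struct.unpack("!H", frame[12:14])
    vid, pcp, offset = None, None, 14
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid, pcp, offset = tci & 0x0FFF, tci >> 13, 18
    return {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"),
            "vid": vid, "pcp": pcp, "ethertype": ethertype, "payload": frame[offset:]}


def untag_frame(frame: bytes) -> bytes:
    """Remove the tag again (what the receiving VLAN interface does before IP sees the packet)."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return frame
    return frame[:12] + frame[16:]


def trunk_accepts(frame: bytes, allowed_vids: Set[int], native_vid: Optional[int] = None) -> bool:
    """Switch-side admission on a trunk port: tagged frames pass only for allowed VIDs;
    untagged frames pass only when the port has a native VLAN configured."""
    vid = parse_frame(frame)["vid"]
    if vid is None:
        return native_vid is not None
    return vid in allowed_vids


def demo() -> dict:
    """Constructed frame: tag it for VLAN 100, check what a trunk would do with it."""
    dst, src = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    untagged = dst + src + struct.pack("!H", ETHERTYPE_IPV4) + b"constructed IPv4 packet"
    tagged = tag_frame(untagged, vid=100, pcp=3)
    info = parse_frame(tagged)
    return {
        "tag_overhead": len(tagged) - len(untagged),
        "vid": info["vid"],
        "pcp": info["pcp"],
        "ethertype_preserved": info["ethertype"] == ETHERTYPE_IPV4,
        "round_trip": untag_frame(tagged) == untagged,
        "allowed_on_trunk": trunk_accepts(tagged, {100, 200}),
        "wrong_vlan_dropped": not trunk_accepts(tagged, {200}),
        "untagged_dropped_without_native": not trunk_accepts(untagged, {100}),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two failure cases in `demo()` are the ones that bite in practice: a VLAN the switch does not allow on the trunk, and untagged traffic on a trunk with no native VLAN, both of which look like "the interface is up but nothing passes".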



RE: [pfSense Support] Re: IPSEC diff to test

2006-04-16 Thread John Cianfarani
I'll try it this week if I get a chance.

Thanks for the patch Bill.
John

-Original Message-
From: Bill Marquette [mailto:[EMAIL PROTECTED] 
Sent: Sunday, April 16, 2006 11:56 AM
To: pfSense Discussion List; pfsense
Subject: [pfSense Support] Re: IPSEC diff to test

Nobody?  I've made this easier.  Just replace /etc/inc/vpn.inc with
the contents of http://www.pfsense.org/~billm/vpn.inc.txt

If this doesn't get tested, it won't get committed and it certainly
won't be part of 1.0.  It's already late for beta 3 and we're not
expecting a beta 4, so speak now, or forever hold your peace.

--Bill

On 4/4/06, Bill Marquette [EMAIL PROTECTED] wrote:
 Can I get a couple people to try out the following diff?  It (I think)
 fixes the 'prefer older sa' option that actually prefers newer SAs
 issue (the one where we tell you to click that option to prefer it :))
  Before I commit this, I'd like some feedback from people that have
 done this to fix ipsec issues as well as people that haven't used this
 option (and can confirm it's not breaking anything).  If it's
 absolutely required, I can post a full version of the file, but the
 full install (I know embedded doesn't have it) should have diff and
 patch, so this should apply.

 Save to /tmp/vpn.inc.diff and run:
 cd / && patch < /tmp/vpn.inc.diff
 If there are no rejected entries, reboot.  If it fails - go to
 Diagnostics -> Edit file and update /etc/inc/vpn.inc with

http://cvstrac.pfsense.com/getfile?f=pfSense/etc/inc/vpn.inc&v=1.89.2.18

 Thanks

 --Bill


 Index: vpn.inc
 ===
 RCS file: /cvsroot/pfSense/etc/inc/vpn.inc,v
 retrieving revision 1.112
 diff -u -r1.112 vpn.inc
 --- vpn.inc 11 Mar 2006 22:45:22 -  1.112
 +++ vpn.inc 29 Mar 2006 14:00:23 -
 @@ -118,9 +118,9 @@
}

if(isset($config['ipsec']['preferredoldsa'])) {
 -   mwexec(/sbin/sysctl net.key.preferred_oldsa=0);
 +   mwexec(/sbin/sysctl -w net.key.preferred_oldsa=30);
} else {
 -   mwexec(/sbin/sysctl -w net.key.preferred_oldsa=-30);
 +   mwexec(/sbin/sysctl -w net.key.preferred_oldsa=0);
}

$number_of_gifs = find_last_gif_device();
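Review bot: the values in this hunk are still magic numbers; the checked case now runs `sysctl -w net.key.preferred_oldsa=30` and the unchecked case `=0`, and nothing says why 30 rather than 1 (if the kernel only tests for non-zero, `1` plus a one-line comment such as "non-zero = keep using the old SA until it expires" would stop the next reader from swapping the branches again, which is exactly the bug being fixed here; if the magnitude matters, the comment should say so). Also, because the hunk swaps the two branches rather than relabelling the option, every existing config with the box ticked changes behaviour on upgrade, which is the outcome Bill said in March he wanted to avoid; either migrate the stored `preferredoldsa` flag in the upgrade code or reword the checkbox in the same commit.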
 @@ -1233,4 +1233,4 @@
return 0;
  }

 -?
 \ No newline at end of file
 +?
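Review bot: this second hunk only adds the missing newline after the closing PHP tag (shown as `?` by the archive) and is unrelated to the SA fix; keep it out of a diff people are being asked to test, or, if vpn.inc is touched at all, drop the closing tag from it altogether, since it is an include-only file and any whitespace that ever ends up after the close tag is sent to the browser before the including page can emit its HTTP headers.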








RE: [pfSense Support] Free IPsec client software, suggestions?

2006-04-14 Thread John Cianfarani

The Cisco client is not for IPSec, it
works with Cisco's own standard of VPN.

John

From: Henk van Kester [mailto:[EMAIL PROTECTED]
Sent: Friday, April 14, 2006 7:24 AM
To: support@pfsense.com
Subject: RE: [pfSense Support] Free IPsec client software, suggestions?

Why isn't it possible to use the Cisco IPSec VPN client
with PFsense?

From: Tommaso Di Donato [mailto:[EMAIL PROTECTED]
Sent: Friday, April 14, 2006 10:40
To: support@pfsense.com
Subject: Re: [pfSense Support] Free IPsec client software, suggestions?

Try this:
http://vpn.ebootis.de/
It is intended for linux interop, but I think it could help too!
Tom

On 4/14/06, Henk van Kester [EMAIL PROTECTED] wrote:

The website is off-line :( does anyone have a local copy of the webpage??

-Original Message-
From: lartc [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 14, 2006 8:20
To: support@pfsense.com
Subject: Re: [pfSense Support] Free IPsec client software, suggestions?

hi jonathan,

windows comes free with an ipsec client although it's a pain in the ass to
setup.

http://ipsec.math.ucla.edu/services/ipsec-windows.html

cheers

charles


On Thu, 2006-04-13 at 10:02 -0500, Jonathan Woodard wrote: 
 Is there a free IPsec VPN client I can use with Windows 2000/XP to
 connect to pfsense through IPsec. I have been using PPTP but I
 understand it's not as secure and I'm having trouble getting connected 
 with it on my Linux desktop. I realize this is a bit off topic for
 Pfsense, but someone else might use this discussion later. Thank you
 very much for any help and please keep up the outstanding work on this 
 project. It's coming along great and I see it really making a name for
 itself.


--
simplified chinese is not nearly as easy as they would have you
believe 
... a superlative oxymoron --anonymous






[pfSense Support] Vlan Configuration

2006-03-30 Thread John Cianfarani

I think there is a bug when reconfiguring vlans. After
creating and then deleting several vlans the real interface as per an ifconfig
-a (vlan0, vlan1 etc) don't seem to be removed. If you then try to
setup a new/different vlans its configuration will show up but won't
actually be taking effect. After assigning and configuring the interface
the box seems to drop connections on all interfaces for about 30secs.

This is tested and reproducible in Beta2.

Once it's all setup all the vlans seem to work fine on
the wrap platform.

Thanks
John

RE: [pfSense Support] Vlan Configuration

2006-03-30 Thread John Cianfarani
Yeah I've been meaning to upgrade but I figured I'd report it anyway.  A
quick search via the cvs trac didn't seem to show anything relating to
this since Beta 2 came out.

Yeah I'm not really worried about the drop, wasn't sure if it was
supposed to be normal or not.  I'm not planning on changing the vlans a
lot. 
(Well other than today :P )

Thanks
John
-Original Message-
From: Holger Bauer [mailto:[EMAIL PROTECTED] 
Sent: Friday, March 31, 2006 2:41 AM
To: support@pfsense.com
Subject: RE: [pfSense Support] Vlan Configuration

There is nothing that can be done to prevent the interface drop I think.
On faster hardware it won't be 30 seconds though. The reconfiguring
downs all interfaces and brings them up again.

Concerning the vlan remove/add problem please try
http://pfsense.com/~sullrich/RELENG_1_SNAPSHOT_03-26-2006/ (I don't
think something like that was corrected but it's always good to test
with the most recent version when reporting bugs).

Holger
-Original Message-
From: John Cianfarani [mailto:[EMAIL PROTECTED]
Sent: Friday, March 31, 2006 9:33 AM
To: support@pfsense.com
Subject: [pfSense Support] Vlan Configuration


I think there is a bug when reconfiguring vlans.  After creating and
then deleting several vlans the real interface as per an ifconfig -a
(vlan0, vlan1 etc) don't seem to be removed.  If you then try to setup a
new/different vlans its configuration will show up but won't actually
be taking effect.  After assigning and configuring the interface the box
seems to drop connections on all interfaces for about 30secs.
 
This is tested and reproducible in Beta2.  
 
Once it's all setup all the vlans seem to work fine on the wrap
platform.
 
Thanks
John


Virus checked by G DATA AntiVirusKit








RE: [pfSense Support] Static routes over IPSec

2006-03-29 Thread John Cianfarani

I guess depending on someone's needs, if it's
many client subnets that need to access 1 remote subnet you could NAT on the
inside. Though I'm not sure of the order of packets being NATed
or inspected for IPSec tunnels.

John

From: Jeff Quinonez [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 29, 2006 6:41 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Static routes over IPSec

I had to do the exact
same thing. I have a pfsense box at home and a test pfsense box at work. (great
work btw folks, love pfsense) I have 6 different subnets and had to build a
tunnel for each one. I wish there was a way to build one tunnel and then just
add static routes to the various subnets. (I don't have static IPs at home so
every once in a while I need to change the IP on the tunnels)

I worked with Checkpoint FW-1 a few years ago (on Solaris) and had to add the
routes to various subnets at the Solaris command line and then add the routes
via the gui. Actually had a script that would add the routes in the event of a
reboot of the firewall. I wonder if pfsense could work this way?

On 3/28/06, Holger Bauer [EMAIL PROTECTED] wrote:

I'm not sure if pfSense
can route over IPSEC (haven't tested that) but in case it can't do that here is
another way that will work (I have m0n0s running with that kind of setup):

You have to create 2 parallel tunnels.

The problem is that both tunnels are terminated between the same public IPs. To
get the traffic of both tunnels separated you must use a different identifier
for each tunnel. Create preshared keys at both ends for both tunnels and use
the unique identifiers for both tunnels. Otherwise the traffic will get mixed
up.

Tunneldefinitions:
local subnet 192.168.1.x - remote subnet 192.168.19.x, identifier
to.lan.local secret secret1
local subnet 192.168.1.x - remote subnet 10.0.0.x, identifier 
to.dmz.local secret secret2

I even use this kind of setup to route from location1 to location3 via
location2 with no direct link between location1 and location3. You can combine
this with static routes at the pfSense where the traffic leaves the tunnel if
needed btw to reach subnets via another gateway. 

Holger

 -Original Message-
 From: Jason J Ellingson [mailto:[EMAIL PROTECTED]]
 Sent: Wednesday, March 29, 2006 12:09 AM
 To: support@pfsense.com
 Subject: [pfSense Support] Static routes over IPSec


 I guess I'm encountering a mental block on how to do this...
 Can anyone
 help?

 I have two pfSense boxes in different locations (and obviously on the 
 Internet).

 I have a LAN to LAN IPSec between them.
 192.168.1.x - 192.168.19.x

 The far pfSense box also has a DMZ/OPT1 network:
 10.0.0.x

 Is there a way to have traffic from my 192.168.1.x network go
 over the IPSec
 tunnel to talk to the 10.0.0.x network?

 Perhaps I need to look at establishing a second IPSec tunnel?
 192.168.1.x - 10.0.0.x

 I have tried setting up a static route on the local box
 (192.168.1.x) that
 points 10.0.0.x traffic to gateway of 192.168.1.1
(remote LAN
 gateway), but
 that didn't seem to work. 

 Thanks all!

 - Jason









-- 
got root? 
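Why Jason's static route did nothing, and Bill's remark earlier on this page that IPsec policy takes effect before NAT, as an added example (not code from the thread or from pfSense): a small Python model of policy-based IPsec egress. The kernel picks a tunnel from the Security Policy Database by source and destination selector, not from the routing table, so a route for 10.0.0.x via a LAN gateway changes only the next hop of a packet that was never going to be encapsulated; a second policy (Holger's second tunnel) is what makes the DMZ reachable. Subnets and identifiers are the thread's; the WAN addresses and the outbound NAT rule are constructed, and real SPD entries also carry protocol/port selectors and a direction, which this model omits.

```python
"""Added example: policy-based IPsec egress model (SPD before routing and outbound NAT)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Policy:
    src: Net            # local traffic selector
    dst: Net            # remote traffic selector
    identifier: str     # tunnel this selector pair is negotiated under


@dataclass(frozen=True)
class Route:
    prefix: Net
    gateway: str
    iface: str


@dataclass(frozen=True)
class NatRule:
    iface: str          # outbound NAT only runs on egress of this interface
    src: Net
    translate_to: str


def spd_lookup(policies: List[Policy], src_ip: str, dst_ip: str) -> Optional[Policy]:
    """First SPD entry whose selectors cover the packet (order matters, as with setkey)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in policies:
        if s in p.src and d in p.dst:
            return p
    return None


def route_lookup(routes: List[Route], dst_ip: str) -> Optional[Route]:
    """Longest-prefix match over the routing table."""
    d = ipaddress.ip_address(dst_ip)
    hits = [r for r in routes if d in r.prefix]
    return max(hits, key=lambda r: r.prefix.prefixlen, default=None)


def egress(policies: List[Policy], routes: List[Route], nat_rules: List[NatRule],
           src_ip: str, dst_ip: str) -> dict:
    """Outbound decision for one packet.
    1. The SPD is consulted first: a match encapsulates the packet for that tunnel with
       its original source address, so outbound NAT never sees it.
    2. Otherwise the routing table picks the interface and, on that interface only,
       an outbound NAT rule may rewrite the source."""
    pol = spd_lookup(policies, src_ip, dst_ip)
    if pol is not None:
        return {"path": "ipsec", "via": pol.identifier, "src": src_ip}
    rt = route_lookup(routes, dst_ip)
    if rt is None:
        return {"path": "drop", "via": None, "src": src_ip}
    s = ipaddress.ip_address(src_ip)
    for n in nat_rules:
        if n.iface == rt.iface and s in n.src:
            return {"path": "clear", "via": rt.iface, "src": n.translate_to}
    return {"path": "clear", "via": rt.iface, "src": src_ip}


SITE1, SITE2_LAN, SITE2_DMZ = Net("192.168.1.0/24"), Net("192.168.19.0/24"), Net("10.0.0.0/24")
ONE_TUNNEL = [Policy(SITE1, SITE2_LAN, "to.lan.local")]
TWO_TUNNELS = ONE_TUNNEL + [Policy(SITE1, SITE2_DMZ, "to.dmz.local")]
ROUTES = [Route(Net("0.0.0.0/0"), "203.0.113.1", "wan"),   # constructed ISP gateway
          Route(SITE2_DMZ, "192.168.1.1", "lan")]          # Jason's attempted static route
NAT = [NatRule("wan", SITE1, "203.0.113.10")]              # constructed WAN address


def demo() -> dict:
    host = "192.168.1.50"
    return {
        "lan_to_lan": egress(ONE_TUNNEL, ROUTES, NAT, host, "192.168.19.8"),
        "lan_to_dmz_one_tunnel": egress(ONE_TUNNEL, ROUTES, NAT, host, "10.0.0.7"),
        "lan_to_dmz_two_tunnels": egress(TWO_TUNNELS, ROUTES, NAT, host, "10.0.0.7"),
        "internet": egress(TWO_TUNNELS, ROUTES, NAT, host, "198.51.100.3"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

With one tunnel the DMZ-bound packet leaves in clear on the LAN towards 192.168.1.1, which is what Jason observed; with the second policy it is encapsulated under `to.dmz.local`, and in neither IPsec case does the WAN NAT rule run, which is Bill's ordering point.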








RE: [pfSense Support] Port 80 State Issues

2006-03-17 Thread John Cianfarani
I found with a lot of torrents running it can fill up the default state
table pretty quickly (especially big torrents with lots of peers).
Moving it to like 3 seemed to resolve this for me.

Thanks
John

-Original Message-
From: Chris [mailto:[EMAIL PROTECTED] 
Sent: Friday, March 17, 2006 11:09 PM
To: support@pfsense.com
Subject: [pfSense Support] Port 80 State Issues

After about 10 minutes port 80 just stops working. This is a new issue 
ever since I updated to Beta 2 from Beta 1. Every other port operates 
normally, (Nothing noticeable) Bittorrent works, as does FTP yet port 80
(WEB) just stops loading pages. I have made no changes to my config and 
the only way I have found to temporarily solve this issue is to flush the
States. This gives me about 10 minutes before port 80 stops working 
again. Please help. I have attached my NAT rules in hopes that that can 
help debug. There is nothing in my logs that looks like it could be 
related in any way.
Please Help,
Chris May






RE: [pfSense Support] lockups continue

2006-03-16 Thread John Cianfarani
I remember reading another post in a m0n0wall thread that someone had
the same issues.

John

-Original Message-
From: Vivek Khera [mailto:[EMAIL PROTECTED] 
Sent: Thursday, March 16, 2006 10:56 AM
To: support@pfsense.com
Subject: [pfSense Support] lockups continue

I'm still observing lockups which appears to happen more often during  
times when I'm connected to the VPN via mobile user from my Mac  
laptop.  Once it happened at another time.

I'm running beta2 on a Dell PE800.  It has otherwise been very  
stable.  The only thing I've changed during the entire time I've been  
running pfsense (since September '05) is to add a soekris vpn1401  
card.  I'm leaning towards that being the culprit.

I don't see them at all on a WRAP box running m0n0wall with the mini- 
pci version (vpn1411) of the same card.  This leads me to believe it  
is either a bad card or FreeBSD 6.x driver for hifn is faulty.

Anyone else seeing lockups with the soekris vpn PCI card?

Ideally, I'd like to get an image with either the debugger enabled or  
the kernel software watchdog so it will just reset itself (presuming  
it is not totally locked).







RE: [pfSense Support] VMWare Server and ESX 3 vm. Possibly player, gsx and esx 2?

2006-03-12 Thread John Cianfarani
I get file not found trying to download it.

John

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED] 
Sent: Saturday, March 11, 2006 10:40 PM
To: support @ pfsense. com
Subject: [pfSense Support] VMWare Server and ESX 3 vm. Possibly player,
gsx and esx 2?

Please check out
http://wiki.pfsense.com/wikka.php?wakka=VMWareESXandServerEdition and
let me know how it works and on what versions of VMWare and what
platforms.

Also performance numbers would be nice to know.   This image uses
em1000 nics so it should perform pretty well I would think but have
absolutely no evidence to back this up.

Scott







RE: [pfSense Support] Creating a PPTP connection from behind pfsense

2006-03-09 Thread John Cianfarani
I've had very similar issues with this as well.  Though with me many
times it won't connect and if I wait 5-10 and retry it eventually seems
to work.
Same issue with 3 sites.  Strange part is that there is one place I pptp
into which is done by a win2k server and it always connects never any
issues.

John

-Original Message-
From: Brian [mailto:[EMAIL PROTECTED] 
Sent: Thursday, March 09, 2006 10:45 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Creating a PPTP connection from behind
pfsense

I have had this exact same issue for some time and have never been able 
to find the solution.  My situation is the same.

Office pfSense with PPTP enabled.  Home pfSense without PPTP and I can 
connect from home to work without any issues.  Once I enable PPTP @ 
home, I can no longer get from home to work using PPTP.  Turning off 
PPTP @ home then allows me to connect from home to work again.

Holger has tried this in his lab I believe and was not able to re-create
it and I think maybe he did it outside of the lab too without being able
to create the problem and thus it was closed.  While I am sorry to see 
you have the same issue, it is encouraging to know I am not crazy :-)

I am sorry I have no real info on a fix, I can only confirm this
behavior.

Edward van Berkum wrote:
 I have the following problem and can't figure out why it's going wrong,
 I have the latest 1.0Beta2 running.

 I have setup a box, with pfsense, and everything works fine so I connect
 to my office pptp server to check my e-mail, till now no problem.
 Since I now and then want to check my computer at home, I have enabled
 the pptp server within pfsense, after that I checked if it worked from
 my internal lan, and it did.
 So I wanted to enable and make it available for my office so I can 
 connect to my home.
 So I created a nat rule from 1723 to 1723 on the ip address of pfsense, 
 and let it create a filter rule.
 Now my problem occurs, I can't create a PPTP connection to my office lan
 anymore, it keeps hanging on verifying username and password.
 After I remove the nat and filter rules, disable the pptp server, reboot
 pfsense then I am able to make the connection again.

 On monowall this worked very fine, but since pfsense has more 
 configuration options and a shell to customize several things like the
 timeout in PPTP. and of course many other features I wanted to use
 that.

 Does anyone know a solution to this problem?

 Here are my nat and filter rules from the config
 NAT
 <rule>
   <protocol>tcp</protocol>
   <external-port>1723</external-port>
   <target>192.168.10.1</target>
   <local-port>1723</local-port>
   <interface>wan</interface>
   <descr>pptp</descr>
 </rule>
 Filter
 <rule>
   <interface>wan</interface>
   <protocol>tcp</protocol>
   <source>
     <any/>
   </source>
   <destination>
     <address>192.168.10.1</address>
     <port>1723</port>
   </destination>
   <descr>NAT pptp</descr>
 </rule>

 Regards Edward van Berkum








RE: [pfSense Support] HW infos

2006-03-07 Thread John Cianfarani
Looks very slick, any local US/Can resellers?


-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, March 07, 2006 5:07 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] HW infos

So far I am testing
http://linitx.com/product_info.php?cPath=4&products_id=909 (Thanks
LinITX) and it's an amazing little box.

Just got a RAL wireless card mounted.  Neat box, check em out!

On 12/16/05, Dan Swartzendruber [EMAIL PROTECTED] wrote:
 At 11:47 AM 12/16/2005, Scott Ullrich wrote:
 On 12/16/05, Vivek Khera [EMAIL PROTECTED] wrote:
   Intel provides the NIC drivers for FreeBSD.  They do not suck.
They
   work exceptionally well.
 
 I agree.  Never have had any issues with Intel nics + freebsd.

 Same here.  Realtek, on the other hand :(












RE: [pfSense Support] Problem with ipsec tunnel

2006-03-03 Thread John Cianfarani

I don't see a release of 0.6.5
released yet on their webpage unless it's recently available in
their cvs

Did you try checking the Prefer Old
SA option (whose value is reversed, making it prefer new SAs; see
previous thread between me and Bill)? Since checking this my tunnels have been
very stable.

John

From: Pedro Paulo de Magalhaes Oliveira Junior [mailto:[EMAIL PROTECTED]
Sent: Friday, March 03, 2006 10:16 AM
To: support@pfsense.com
Subject: RES: [pfSense Support] Problem with ipsec tunnel

Has Beta2 fixed the mobile IPSEC problem
that was related with ipsec-tools-0.6.5?

From: Tommaso Di Donato [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 2, 2006 12:58
To: support@pfsense.com
Subject: Re: [pfSense Support] Problem with ipsec tunnel

Yes it is..
and those rules are already present!
Thank you again, I'll let you know.

On 3/2/06, John Cianfarani [EMAIL PROTECTED] wrote:

For the rules I was speaking about the cisco do
you know if these run IOS? I'm not sure if these adsl device run that or just a
gui.

If it's IOS the rules would be something like:

permit esp any any
permit any any eq isakmp

John

From: Tommaso Di Donato [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 02, 2006 9:22 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Problem with ipsec tunnel

On 3/2/06, John Cianfarani [EMAIL PROTECTED] wrote:

Ah it was late last night misread part of that,
no more 3am replies. :P

Eh eh, same habits.. don't worry!

On the cisco's are you forwarding the appropriate
ports (protocol 50/51 ESP/AH, and UDP 500) to the inside pfsense boxes?

At the moment, I am forwarding only 500/udp, because of 2 problems: the first
is that I am not so good in Cisco programming, so I do not know how to forward
AH/ESP (but I think that I could solve this problem with a bit of
google'ng). The second is that I looked for 4500/udp port listening, and I
found nothing. So.. I thought that there was a problem (or a misconfiguration
in racoon). Now I enabled 4500/udp, this night I'll test again..

In any of your rules are you allowing udp isakmp
and esp to the host? They might even have a ipsec passthrough option to do
this.

I think that pfSense does it automatically. Am I wrong?
Or you are speaking about the routers?

Sorry for the confusion

No.. you're welcome! Thank you again!
Tom

From: Tommaso Di Donato [mailto: [EMAIL PROTECTED]]
Sent: Thursday, March 02, 2006 3:25 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Problem with ipsec tunnel

On 3/2/06, John Cianfarani [EMAIL PROTECTED] wrote:

1. Even though you need to NAT for your inside
hosts IPSec is listening on the WAN
interface.

I'm sorry... I cannot understand the point..

PC -> pfSense -> Cisco 827 -> internet

Here I have 2 nat: pfsense is natting my pc, and Cisco is natting pfsense. Of
course, in pfsense I can see racoon listening on wan interface (only on
500/udp, not on 4500/udp)

2. Not sure but my guess would be no (without a
lot of easy configuration changes)

You mean you guess there is no port 4500?

One thing that was reversed in previous builds
(not sure if it is changed in 2-20) is the Prefer old IPSec SA
checkbox under System -> Advanced. Bill found that in the code pfsense
already tries old SAs first, so when you check this box it will make it prefer
NEW SAs. That was the heart of a lot of my IPsec troubles.

mmh, I tried both ways... no differences...

Do you have the WAN as the local endpoint and LAN
Subnet as the Local subnet on each side? As I believe there still is an issue
with ipsec-tools if you are trying to do host to host setup. (/32s)

Yes I have; I'm trying net-to-net. I'm so sorry I do not have my box here
in order to send logs...

What are you using as your local identifier, IP or
FQDN?

I tried both. Obviously, changing psk accordingly...

Once you get a session up can you do a "ping -c 5 -S <your pfsense lan ip> <remote pfsense lan
ip>" from the Diag -> Command Prompt tab?

Ok, I'll do it.. For now, I am testing pinging from a pc on the lan side.

I think this night I'll do some other test, using as second endpoint a linux
box (I am more familiar with linux ipsec implementation).
Ah, by the way.. when I see a SPD or a SA established, should something be
visible with netstat -rn?
Thank you again...

Thanks

John

From: Tommaso Di Donato [mailto: [EMAIL PROTECTED]]
Sent: Thursday, March 02, 2006 2:38 AM
To: support@pfsense.com
Subject: [pfSense Support] Problem with ipsec tunnel

Hi guys!
Yesterday I tried to setup a vpn tunnel between me and a friend. The we had
mainly 2 problems: first, we both have dynamic IP (but this could be solved for
example looking at the ip given

[pfSense Support] Was the IPSec Prefer old SA bug correct?

2006-03-03 Thread John Cianfarani

I looked through the change log but didn't see if the reversal bug for the
Prefer Old IPsec SA was corrected or its default behavior changed in beta2?

Thanks

John


RE: [pfSense Support] Was the IPSec Prefer old SA bug correct?

2006-03-03 Thread John Cianfarani
Okay no prob, just wanted to know which setting was going to be the one
that works for me.

John

-Original Message-
From: Bill Marquette [mailto:[EMAIL PROTECTED] 
Sent: Friday, March 03, 2006 3:43 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Was the IPSec Prefer old SA bug correct?

Same behaviour currently.  I'll probably end up just changing the
wording of that option, not the behaviour as I'm not willing to break
peoples existing configs.  This might get changed for a potential
Beta3 (I wouldn't be surprised if we have one as we have more work to
do on the shaper that probably won't get the user testing in a
snapshot that it would in a real beta release)

--Bill

On 3/3/06, John Cianfarani [EMAIL PROTECTED] wrote:

> I looked through the change log but didn't see if the reversal bug for the
> Prefer Old IPsec SA was corrected or its default behavior changed in beta2?
>
> Thanks
>
> John

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



RE: [pfSense Support] Problem with ipsec tunnel

2006-03-02 Thread John Cianfarani

Ah it was late last night, misread part of that, no more 3am replies. :P

I thought when you said behind DSL router you meant a DSL modem and the
internet ip was on the pfsense.

On the ciscos are you forwarding the appropriate ports (protocol 50/51 ESP/AH,
and UDP 500) to the inside pfsense boxes?

In any of your rules are you allowing udp isakmp and esp to the host? They
might even have an ipsec passthrough option to do this.

Sorry for the confusion

John

From: Tommaso Di Donato [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 02, 2006 3:25 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Problem with ipsec tunnel

On 3/2/06, John Cianfarani [EMAIL PROTECTED] wrote:

> 1. Even though you need to NAT for your inside hosts IPSec is listening on
> the WAN interface.

I'm sorry... I cannot understand the point..

PC -> pfSense -> Cisco 827 -> internet

Here I have 2 nat: pfsense is natting my pc, and Cisco is natting pfsense. Of
course, in pfsense I can see racoon listening on wan interface (only on
500/udp, not on 4500/udp)

> 2. Not sure but my guess would be no (without a lot of easy configuration
> changes)

You mean you guess there is no port 4500?

> One thing that was reversed in previous builds (not sure if it is changed in
> 2-20) is the Prefer old IPSec SA checkbox under System -> Advanced. Bill found
> that in the code pfsense already tries old SAs first, so when you check this
> box it will make it prefer NEW SAs. That was the heart of a lot of my IPsec
> troubles.

mmh, I tried both ways... no differences...

> Do you have the WAN as the local endpoint and LAN Subnet as the Local subnet
> on each side? As I believe there still is an issue with ipsec-tools if you are
> trying to do a host to host setup. (/32s)

Yes I have; I'm trying net-to-net. I'm so sorry I do not have my box here
in order to send logs...

> What are you using as your local identifier, IP or FQDN?

I tried both. Obviously, changing psk accordingly...

> Once you get a session up can you do a "ping -c 5 -S <your pfsense lan ip>
> <remote pfsense lan ip>" from the Diag -> Command Prompt tab?

Ok, I'll do it.. For now, I am testing pinging from a pc on the lan side.

I think this night I'll do some other test, using as second endpoint a linux
box (i am more familiar with linux ipsec implementation).
Ah, by the way.. when I see a SPD or a SA established, should something be
visible with netstat -rn?
Thank you again...

> Thanks
>
> John
>
> From: Tommaso Di Donato [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, March 02, 2006 2:38 AM
> To: support@pfsense.com
> Subject: [pfSense Support] Problem with ipsec tunnel
>
> Hi guys!
> Yesterday I tried to setup a vpn tunnel between me and a friend. There we had
> mainly 2 problems: first, we both have dynamic IP (but this could be solved for
> example looking at the ip given by the provider, and setting up the tunnel
> with that ip.. . Second, we both are behind a DSL router, so pfsense boxes are
> both NATed..
> I tried to establish a tunnel in many ways: net-to-net, net-to-mobile
> (following the marvellous tutorial), using dyndns record, etc. But I had
> problems.. ipsec SA establishes, SPD also, but at the end I cannot have traffic
> passing. NO traffic dropped in firewall logs. On the routers, we redirected
> only port 500/UDP from the router to the pfsense boxes...
> So, my questions are:
> 1) is it possible to establish such a tunnel (2 NATed endpoints, in aggressive
> mode, PSK)? In early ipsec-over-udp implementation, I can remember there were
> some problems in such a configuration
> 2) if it is possible, have I to redirect other ports? In linux ipsec
> implementation, when I use NAT-T I had to rdr port 4500/udp, but on my pfsense
> box I cannot see such a port open
> 3) ..and in the end.. am I missing something? I do not have my box with me now,
> but I can recall the settings very well..
>
> I'm using 02-20 SNAPSHOT.
> Thank you, guys.. very much.
> Tom


RE: [pfSense Support] Site-to-site IPSec

2006-03-01 Thread John Cianfarani

Tom might be on the right track here; you can also try to ping across the
link making the packet size larger and larger with (-l size) and with the
do-not-fragment set (-f).

Thanks

John

From: Tommaso Di Donato [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 02, 2006 2:41 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Site-to-site IPSec

On 3/2/06, Bennett [EMAIL PROTECTED] wrote:

> DOESN'T WORK:
>
> 1) Remote desktop gets a response from the remote computer and opens a blank
> window, but never makes it to the login screen and eventually disconnects
> citing a possible network failure (note that if there was no initial
> response, Remote Desktop would say it couldn't connect to the remote computer
> and not open the window)

In my personal experience with Linux, this was due to tcpmss-clamping and
path-MTU discovery. Try to specify a fixed MTU.. But I have to say that I'm not
a pf guru

> 2) Exchange 2003 servers on either end of the VPN can't see each other
>
> 3) Browse shares by computer name

I think they are related..
Hope it helps
Tom
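As an added example (not from the thread, not pfSense code), the "ping bigger and bigger with DF set" sweep John and Tom describe, automated as a binary search in Python: a probe sends one don't-fragment ping of a given payload size, the search finds the largest size that crosses the tunnel, and from that the usable path MTU and a TCP MSS clamp value follow. The real probe shells out to the platform's ping; the simulated probe with its 1500-byte outer MTU and 58-byte ESP overhead is a constructed assumption so the search can run offline.

```python
"""Find the largest DF ping that crosses an IPsec tunnel, then derive MTU/MSS.

Added example for this thread: the "ping bigger and bigger with DF set" test,
automated as a binary search. Nothing here is pfSense code.
"""
import platform
import subprocess
from typing import Callable

IP_ICMP_HEADERS = 28   # IPv4 header (20) + ICMP echo header (8) on top of the payload
TCP_IP_HEADERS = 40    # IPv4 header (20) + TCP header (20), subtracted for the MSS


def find_max_df_payload(probe: Callable[[int], bool], lo: int = 0, hi: int = 1472) -> int:
    """Largest payload size in [lo, hi] for which probe(size) succeeds.

    probe(size) must send one ping with the don't-fragment bit set and return
    True if a reply came back. The search assumes the path is monotone: a size
    that passes implies every smaller size passes. Returns -1 if even `lo`
    fails, which means the path is down or blocked rather than MTU-limited.
    """
    if not probe(lo):
        return -1
    while lo < hi:
        mid = (lo + hi + 1) // 2     # bias upward so the loop terminates
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def recommend_settings(max_payload: int) -> dict:
    """Turn the largest passing payload into the path MTU and an MSS clamp value."""
    path_mtu = max_payload + IP_ICMP_HEADERS
    return {"path_mtu": path_mtu, "tcp_mss": path_mtu - TCP_IP_HEADERS}


def df_ping_probe(host: str, timeout_s: int = 2) -> Callable[[int], bool]:
    """Real probe: one DF ping of `size` bytes to `host` using the local ping binary.

    Flags per platform: Windows `-f -l`, Linux `-M do -s`, FreeBSD/pfSense `-D -s`.
    """
    system = platform.system()

    def probe(size: int) -> bool:
        if system == "Windows":
            cmd = ["ping", "-n", "1", "-w", str(timeout_s * 1000), "-f", "-l", str(size), host]
        elif system == "Linux":
            cmd = ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do", "-s", str(size), host]
        else:  # FreeBSD and other BSDs, including pfSense
            cmd = ["ping", "-c", "1", "-t", str(timeout_s), "-D", "-s", str(size), host]
        return subprocess.run(cmd, capture_output=True).returncode == 0

    return probe


def tunnel_path_simulator(outer_mtu: int, esp_overhead: int) -> Callable[[int], bool]:
    """Constructed stand-in for a real ping, so the search can run offline.

    Models a tunnel-mode ESP path: the inner packet (payload + IP/ICMP headers)
    plus the ESP/outer-IP overhead must fit the outer link MTU, or the DF
    packet is dropped. esp_overhead is an assumed figure, not a measurement.
    """
    def probe(size: int) -> bool:
        return size + IP_ICMP_HEADERS + esp_overhead <= outer_mtu
    return probe


if __name__ == "__main__":
    # Assumed numbers: 1500-byte outer link, 58 bytes of ESP + outer IP overhead.
    probe = tunnel_path_simulator(outer_mtu=1500, esp_overhead=58)
    best = find_max_df_payload(probe)
    print(f"largest DF payload: {best} bytes -> {recommend_settings(best)}")
    # For a live check, swap the simulator for df_ping_probe("<remote lan ip>").
```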

[pfSense Support] Traffic Shaper - VoIP

2006-02-25 Thread John Cianfarani

Finally got around to testing the shaper again today with VoIP on snapshot
02-19-06.

Tried several things but I could not make it work.

Setup is as follows:

4mbit/800kb cable modem, nothing else connected but a wrap pfsense and 1 phone.

Phone is using SIP to connect to a remote asterisk box in a colo center; codec
is g711.

Inside: LAN
Download: 4000
Outside: WAN
Upload: 600 (was a little more conservative with this number)

Check prioritize voice, type = asterisk and allotted BW of 256Kbits.

Nothing else selected, just next to the end.

Tested a few calls just to the asterisk box (like voice mail) and the voice
stutters several times a second. After a few calls, after about 5-8secs it
would clear up for maybe 2 seconds and then resume stutter. This is the same
issue I've seen in all my tests of the traffic shaper in the past.

Watching the traffic queue screen during a call shows the qVOIPup and
qVOIPDown queues with about 15kb or so each and the drops just keep counting
higher. The qlandef and qwandef both show a small amount of traffic of a few
1-2 kb a sec and no drops. All other queues show 0 traffic and 0 drops.

If I turn off the shaper the voice is perfect again.

If you need any more information just ask. I can probably even setup a
temporary asterisk box if you need to connect to test stuff out.

Thanks

John Cianfarani

RE: [pfSense Support] Traffic Shaper - VoIP

2006-02-25 Thread John Cianfarani
I'm willing to test it out; how do I apply this patch?
Do I just copy it into the root and something like:
patch -p0 < 20060225-shaper-fixes.diff

Thanks
John
-Original Message-
From: Bill Marquette [mailto:[EMAIL PROTECTED] 
Sent: Saturday, February 25, 2006 6:18 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Traffic Shaper - VoIP

Thanks for the update.  I just spent a number of hours on the shaper
and think I found the problem.  This does appear to be an OS level bug
but I've sort of worked around it in our config.  Beta 2 is just
around the corner, the fixes, which require the wizard to be re-run
(I've enforced this for those upgrading), will show up there (or if
anyones willing to apply a patch -
http://www.pfsense.com/~billm/20060225-shaper-fixes.diff - requires
re-running of wizard and possible reboot).  I removed the upperlimit
setting from the wizard - it's still available in the UI for those
that wish to break their config as I'm hoping we'll get some
resolution from the FreeBSD side on this soon.

--Bill

On 2/25/06, John Cianfarani [EMAIL PROTECTED] wrote:

> Finally got around to testing the shaper again today with VoIP on snapshot
> 02-19-06.
>
> Tried several things but I could not make it work.
>
> Setup is as follows:
>
> 4mbit/800kb cable modem, nothing else connected but a wrap pfsense and 1
> phone.
>
> Phone is using SIP to connect to a remote asterisk box in a colo center
> codec is g711.
>
> Inside: LAN
> Download: 4000
> Outside: WAN
> Upload: 600 (was a little more conservative with this number)
> Check prioritize voice, type = asterisk and allotted BW of 256Kbits.
> Nothing else selected just next to the end.
>
> Tested a few calls just to the asterisk box (like voice mail) and the voice
> stutters several times a second.  After a few calls after about 5-8secs it
> would clear up for maybe 2seconds and then resume stutter.  This is the
> same issue I've seen all my tests of the traffic shaper in the past.
>
> Watching the traffic queue screen during a call shows the qVOIPup and
> qVOIPDown queues with about 15kb or so each and the drops just keep counting
> higher.  The qlandef and qwandef both show small amount of traffic of a few
> 1-2 kb a sec and no drops.  All other queues show 0 traffic and 0 drops.
>
> If I turn off the shaper the voice is perfect again.
>
> If you need any more information just ask.  I can probably even setup a
> temporary asterisk box if you need to connect to test stuff out.
>
> Thanks
>
> John Cianfarani


RE: [pfSense Support] Traffic Shaper - VoIP

2006-02-25 Thread John Cianfarani
Gah, patch command isn't in the wrap version... Guess I will need to wait
for the img... 

John

-Original Message-
From: John Cianfarani [mailto:[EMAIL PROTECTED] 
Sent: Saturday, February 25, 2006 8:02 PM
To: support@pfsense.com
Subject: RE: [pfSense Support] Traffic Shaper - VoIP

I'm willing to test it out; how do I apply this patch?
Do I just copy it into the root and something like:
patch -p0 < 20060225-shaper-fixes.diff

Thanks
John

RE: [pfSense Support] Traffic Shaper hints needed.

2006-02-21 Thread John Cianfarani
So is the traffic shaper working correctly now for voip in the latest
snapshot?

Thanks
John

-Original Message-
From: Bill Marquette [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, February 21, 2006 12:28 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Traffic Shaper hints needed.

You've horribly butchered bits vs bytes.  Everything in the shaper
wizard is in bits.  A 6Mb connection is 6Megabits, not 6MegaBytes,
hence the 600KByte download (notice the conversion I did?)  FYI, if
you have 5 lines, you probably want to reserve 5 x line rate - if line
rate is 96Kb/sec then you want 480Kb (or whatever setting above that
is close - say 512Kb) for the reservation.  That will allow all 5
lines to be talking at the same time.

--Bill

On 2/21/06, Robert Goley [EMAIL PROTECTED] wrote:
> I have a pfsense firewall setup that I am trying to prioritize Vonage VOIP
> traffic.  I am replacing a M0n0wall firewall that had some traffic shaper
> config setup for the Vonage routers.  I have 3 Vonage routers carrying 5
> phone lines across a 768KB/6MB (UP/DOWN) cable modem connection.  I may be
> making this harder on myself than it really is but I am not sure what values
> to put where.  I know that as a rule of thumb you only get 10% of the
> advertised bandwidth.  For example, I have a 6 MB download speed but only
> get about 600kb/s download rate from extremely fast servers.  Vonage
> advertises 90kb/s bandwidth usage per line.  This is actually an 8-10kb/s
> upload/download rate.   When using the traffic shaper wizard, I can specify
> the provider and optionally an IP address or alias.  I chose Vonage and an
> alias that includes all 3 routers.  The next item is reserved bandwidth for
> VOIP.  I don't know what I need to put here.  Is it the advertised speed
> 768KB or 76KB/s?   I don't want to accidentally assign more bandwidth than I
> have since that renders the traffic shaper useless.  I did not have major
> problems with my VOIP traffic with the M0n0wall.  Since switching, I have
> had quite a bit of broken voice etc.  Could someone drop me a couple of
> hints on this?  I am using the 2-8-06 version from sullrich.
>
> Robert


RE: [pfSense Support] Traffic Shaper hints needed.

2006-02-21 Thread John Cianfarani
Where are they put out? I never saw anything on the list/blog/ or
pfsense homepage?

I will put the latest on a couple boxes to begin testing it.

Thanks
John


-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, February 21, 2006 1:11 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Traffic Shaper hints needed.

As far as we know yes.  Bill has put out repeated pleas for testing
and feedback but nobody seems to care.

Scott


On 2/21/06, John Cianfarani [EMAIL PROTECTED] wrote:
 So is the traffic shaper working correctly now for voip in the latest
 snapshot?

 Thanks
 John


RE: [pfSense Support] IPSec Testing

2006-02-20 Thread John Cianfarani
Holy crap Batman! This might have fixed it. 
Did a little bit of testing only with the pix as the remote client it
comes up after simulated power outages and builds the tunnel again
without issue.
Tested with long/short SA see how it reacts if SAs are expired and it
still comes up.
It actually seems pretty stable actually and pretty tough to make the
tunnel fail now.

Will continue doing some testing to confirm.

Thanks for the tip!
John

-Original Message-
From: Bill Marquette [mailto:[EMAIL PROTECTED] 
Sent: Sunday, February 19, 2006 10:03 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] IPSec Testing

Not sure if you've tried this, if it'll make a difference, or what
exactly it'll do, but try

Prefer old IPsec SAs in System-Advanced

I'm having no problems with my tunnels, pfsense-pfsense and
pfsense-nortel contivity, but they're both network tunnel configs with
static IPs, not road warrior.

--Bill


RE: [pfSense Support] IPSec Testing

2006-02-20 Thread John Cianfarani
That's pretty interesting and the best I could come up with is that it
would try to renegotiate an old SA.  I would think the default should be
to accept any new SA as normally you would want your newest one.

Thanks
John

-Original Message-
From: Bill Marquette [mailto:[EMAIL PROTECTED] 
Sent: Monday, February 20, 2006 11:45 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] IPSec Testing

On 2/20/06, John Cianfarani [EMAIL PROTECTED] wrote:
 Holy crap Batman! This might have fixed it.
 Did a little bit of testing only with the pix as the remote client it
 comes up after simulated power outages and builds the tunnel again
 without issue.
 Tested with long/short SA see how it reacts if SAs are expired and it
 still comes up.
 It actually seems pretty stable actually and pretty tough to make the
 tunnel fail now.

Good to hear.  I just did a little research on that
option...surprisingly it does the opposite of what I'd expect it to
do.  Setting preferred old sa in the web gui, sets the kernel sysctl
net.key.preferred_oldsa=0, which means it prefers NEW SA's (which is a
good thing).  We'll kick it around and see what the best thing to do
here is.

 Will continue doing some testing to confirm.

 Thanks for the tip!

No problem, glad that helped.

--Bill


[pfSense Support] IPSec Testing

2006-02-19 Thread John Cianfarani

Been doing some testing the last little bit to try to nail down what isn't
working right with IPSec tunnels and I just wanted to give an update and maybe
get some suggestions on what to try next.

I've moved one of the pfsense boxes (running Beta1 Snapshot 2-2-06) into a
colo location to confirm that the internet was not the issue.

The Colo pfsense is setup for mobile clients and I have 2 boxes (at 2
different locations) acting as remote client.

One of the clients is another pfsense box running Beta1 and the other is a
Cisco Pix.

Both boxes connect and establish their tunnels (and renegotiate as lifetimes
expire, tested over 2-3 days) though after a simulated power outage with the
Cisco Pix it is never able to reconnect after that point.

The next day the remote pfsense then no longer is able to connect. Trying to
disable/enable ipsec on the colo pfsense seems to have limited to no effect
(sometimes it works, sometimes it doesn't).

Both remote boxes seem to complain about retransmitting of phase 1 so it
doesn't even seem like IKE is listening anymore, even though a netstat shows
it's running. The colo pfsense also doesn't show any log entries while the box
is retrying (even with the extended debug on for racoon).

My thought at the moment is that somehow the colo pfsense doesn't think the
tunnel has ever gone down and maybe treats the new isakmp requests differently.

This is what I'm thinking for next tests:

1. My thoughts for the next tests are to try to use the pix as the central
site and to try to get pfsense to connect into it.

2. Other thought is to go back and try 94.x 95.x with ipsec-tools 6.2 to see
if I can replicate it there.

3. Try to use the developer ed. and build with ipsec-tools 6.2

Thanks

John

Here are some logs as well.

z.z.z.z is colo pfsense
a.a.a.a is remote pfsense
b.b.b.b is cisco pix

-- Colo Pfsense - netstat --

Active Internet connections
Proto Recv-Q Send-Q  Local Address       Foreign Address  (state)
udp4       0      0  gw-central2.isakmp  *.*
udp4       0      0  192.168.1.2.isakmp  *.*
udp4       0      0  z.z.z.z.isakmp      *.*
udp4       0      0  localhost.isakmp    *.*

-- remote pfsense - ipsec log ---

Feb 19 20:58:00 racoon: INFO: initiate new phase 1 negotiation: a.a.a.a[500]<=>z.z.z.z[500]
Feb 19 20:58:00 racoon: INFO: begin Aggressive mode.
Feb 19 20:58:31 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP z.z.z.z[0]->a.a.a.a[0]
Feb 19 20:58:31 racoon: INFO: delete phase 2 handler.
Feb 19 20:59:00 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.

--- remote cisco pix debug --

ISAKMP (0): ID payload
    next-payload : 13
    type         : 11
    protocol     : 17
    port         : 500
    length       : 28
ISAKMP (0): Total payload length: 32
ISAKMP (0): beginning Aggressive Mode exchange
ISAKMP (0): retransmitting phase 1...
ISAKMP (0): retransmitting phase 1...
ISAKMP (0): deleting SA: src b.b.b.b, dst z.z.z.z
ISADB: reaper checking SA 0x9e66ec, conn_id = 0  DELETE IT!

VPN Peer:ISAKMP: Peer Info for z.z.z.z/500 not found - peers:0
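The remote-side racoon log above, turned into a triage tool: an added Python example (not pfSense or racoon code) that parses racoon lines of this shape and tallies, per peer, phase 1 negotiations started, phase 1 timeouts and ISAKMP SAs that actually came up, so a peer that keeps being retransmitted to but never answers stands out from a healthy one. The sample lines are constructed from the log quoted above; the c.c.c.c peer and the "ISAKMP-SA established" line are assumptions added for contrast.

```python
"""Triage racoon phase 1 failures per peer from IPsec log lines.

Added example for this thread, not pfSense or racoon code. It tallies, for
each remote peer, how many phase 1 negotiations were started, how many timed
out waiting for the peer, and how many ISAKMP SAs actually came up.
"""
import re
from collections import defaultdict

# Constructed sample, modelled on the remote-pfSense lines quoted above
# (a.a.a.a = remote pfSense, z.z.z.z = colo pfSense). The c.c.c.c peer and the
# "ISAKMP-SA established" line are assumed additions showing a healthy peer.
SAMPLE_LOG = """\
Feb 19 20:58:00 racoon: INFO: initiate new phase 1 negotiation: a.a.a.a[500]<=>z.z.z.z[500]
Feb 19 20:58:00 racoon: INFO: begin Aggressive mode.
Feb 19 20:58:31 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP z.z.z.z[0]->a.a.a.a[0]
Feb 19 20:58:31 racoon: INFO: delete phase 2 handler.
Feb 19 20:59:00 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Feb 19 21:05:10 racoon: INFO: initiate new phase 1 negotiation: a.a.a.a[500]<=>c.c.c.c[500]
Feb 19 21:05:11 racoon: INFO: ISAKMP-SA established a.a.a.a[500]-c.c.c.c[500] spi:0123456789abcdef:fedcba9876543210
"""

ADDR = r"([^\[\s]+)\[\d+\]"   # "host[port]" as racoon prints it; host may be a placeholder
LINE_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d racoon: (?P<level>[A-Z]+): (?P<msg>.*)$")
INIT_RE = re.compile(r"initiate new phase 1 negotiation: " + ADDR + "<=>" + ADDR)
TIMEOUT_RE = re.compile(r"phase2 negotiation failed due to time up waiting for phase1\. ESP "
                        + ADDR + "->" + ADDR)
ESTAB_RE = re.compile(r"ISAKMP-SA established " + ADDR + "-" + ADDR)
QUEUED = "request for establishing IPsec-SA was queued due to no phase1 found"


def _verdict(stats: dict) -> str:
    if stats["established"] > 0:
        return "ok"
    if stats["phase1_initiated"] > 0 and stats["phase1_timeouts"] > 0:
        return "phase1-timeout"   # we sent IKE, the peer never answered (the thread's symptom)
    return "unknown"


def summarize_racoon_log(text: str) -> dict:
    """Return {"queued_sa_requests": n, "peers": {peer: counters + verdict}}."""
    peers = defaultdict(lambda: {"phase1_initiated": 0, "phase1_timeouts": 0, "established": 0})
    queued = 0
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue   # not a racoon line (other daemons share the IPsec log)
        msg = m.group("msg")
        if (hit := INIT_RE.search(msg)):
            peers[hit.group(2)]["phase1_initiated"] += 1   # local<=>peer
        elif (hit := TIMEOUT_RE.search(msg)):
            peers[hit.group(1)]["phase1_timeouts"] += 1    # ESP peer->local
        elif (hit := ESTAB_RE.search(msg)):
            peers[hit.group(2)]["established"] += 1        # local-peer
        elif QUEUED in msg:
            queued += 1   # phase 2 wanted but no phase 1 SA exists: a symptom, not a peer
    result = {peer: {**stats, "verdict": _verdict(stats)} for peer, stats in peers.items()}
    return {"queued_sa_requests": queued, "peers": result}


if __name__ == "__main__":
    summary = summarize_racoon_log(SAMPLE_LOG)
    print(f"queued SA requests with no phase 1: {summary['queued_sa_requests']}")
    for peer, stats in summary["peers"].items():
        print(f"{peer}: {stats}")
```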


RE: [pfSense Support] IPSec Testing

2006-02-19 Thread John Cianfarani
Hmm somehow I never noticed that option.  I will give it a try.
Though I must admit I'm a bit confused on what it does.

Thanks
John
-Original Message-
From: Bill Marquette [mailto:[EMAIL PROTECTED] 
Sent: Sunday, February 19, 2006 10:03 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] IPSec Testing

Not sure if you've tried this, if it'll make a difference, or what
exactly it'll do, but try

Prefer old IPsec SAs in System-Advanced

I'm having no problems with my tunnels, pfsense-pfsense and
pfsense-nortel contivity, but they're both network tunnel configs with
static IPs, not road warrior.

--Bill

On 2/19/06, John Cianfarani [EMAIL PROTECTED] wrote:



 Been doing some testing the last little bit to try to nail down what
it
 isn't working right with IPSec tunnels and I just wanted to give an
update
 and maybe get some suggestions on what to try next.



 I've moved one of the pfsense boxes (running Beta1 Snapshot 2-2-06)
into a
 colo location to confirm that the internet was not the issue.

 The Colo pfsense is setup for mobile clients and I have 2 boxes (at 2
 different locations) acting as remote client.



 One of the clients is another pfsense box running Beta1 and the other
is a
 Cisco Pix.



 Both boxes connect and establish their tunnels (and renegotiate as
lifetimes
 expires tested over 2-3 days) though after a simulated power outage
with the
 Cisco Pix it is never able to reconnect after that point.

 The next day the remote pfsense then no longer is able to connect.
Trying to
 disable/enable ipsec on the colo pfsense seems to have no limited to
no
 effect. (sometimes it works sometimes it doesn't)



 Both remote boxes seem to complain about retransmitting of phase 1 so
it
 doesn't even seem like IKE listening anymore, even though a netstat
shows
 it's running. The colo pfsense also doesn't show any log entries while
the
 box is retrying (even with the extended debug on for raccoon).



 My thought at the moment is that somehow the colo pfsense doesn't
think the
 tunnel has ever gone down and maybe treats the new isakmp requests
 differently.



 This is what I'm thinking for next tests:

 1. My thoughts for the next tests are to try to use the pix as the
central
 site and to try to get pfsense to connect into it.

 2. Other though is to go back and try 94.x 95.x with ipsec-tools 6.2
to see
 if I can replicate it there.

 3. Try to use the developer ed. and build with ipsec-tools 6.2





 Thanks

 John



 Here are some logs as well.



 z.z.z.z is colo pfsense

 a.a.a.a is remote pfsense

 b.b.b.b is cisco pix



 -- Colo Pfsense - netstat --

 Active Internet connections

 Proto Recv-Q Send-Q  Local Address  Foreign Address
(state)

 udp4   0  0  gw-central2.isakmp *.*

 udp4   0  0  192.168.1.2.isakmp *.*

 udp4   0  0  z.z.z.z.isakmp  *.*

 udp4   0  0  localhost.isakmp   *.*





 -- remote pfsense - ipsec log ---

 Feb 19 20:58:00 racoon: INFO: initiate new phase 1 negotiation: a.a.a.a[500]<=>z.z.z.z[500]
 Feb 19 20:58:00 racoon: INFO: begin Aggressive mode.
 Feb 19 20:58:31 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP z.z.z.z[0]->a.a.a.a[0]
 Feb 19 20:58:31 racoon: INFO: delete phase 2 handler.
 Feb 19 20:59:00 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.





 --- remote cisco pix debug --



 ISAKMP (0): ID payload

 next-payload : 13

 type : 11

 protocol : 17

 port : 500

 length   : 28

 ISAKMP (0): Total payload length: 32

 ISAKMP (0): beginning Aggressive Mode exchange

 ISAKMP (0): retransmitting phase 1...

 ISAKMP (0): retransmitting phase 1...

 ISAKMP (0): deleting SA: src b.b.b.b, dst z.z.z.z

 ISADB: reaper checking SA 0x9e66ec, conn_id = 0  DELETE IT!



 VPN Peer:ISAKMP: Peer Info for z.z.z.z/500 not found - peers:0


RE: [pfSense Support] redial pppoe by cron

2006-02-14 Thread John Cianfarani
If it needs traffic to bring up your tunnel you could try to add
something like:
 ping <some internet ip>

John
-Original Message-
From: Gertjan Kroeb [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, February 14, 2006 6:20 AM
To: support@pfsense.com
Subject: RE: [pfSense Support] redial pppoe by cron

Concerning the proposed :

 In the webgui go to Diagnostics > Edit File and load /etc/crontab
 Then add the following line:
 *   <reconnecthour>   *   *   *   root   killall mpd && /usr/local/sbin/mpd -b -d /var/etc -p /var/run/mpd.pid pptp

 Then save that file. Reboot to make sure the new settings are
reloaded. 
 This is
 not officially supported and I have not yet tried that myself but got
that
 information from Scott when I asked for that some time ago. I'm
located in
 germany too and I'm affected by the ugly 24h-disconnects too. This way
you 
 can
 make sure the reconnect doesn't appear during officehours or during 
 daytimes,
 what can be pretty annoying if you use VoIP or VPN.

 Please provide feedback if that works for you. Not sure if this will 
 handle
 dyndnsupdates too (maybe Scott can comment in this). If you could test

 that too
 that would be great.
 Holger

The disconnection works just great (normal: this is a sledgehammer
approach) - however, this will not re-connect by itself!
(Maybe I didn't wait long enough.)

Gertjan




RE: [pfSense Support] Multiple segments on an interface?

2006-02-13 Thread John Cianfarani
I don't believe you can assign secondary addresses to an interface, but
you can do trunking with an 802.1q capable switch to bring in several
VLANs (under Interfaces > Assign > VLANs).

Thanks
John

-Original Message-
From: Derrick MacPherson [mailto:[EMAIL PROTECTED] 
Sent: Monday, February 13, 2006 3:19 PM
To: support@pfsense.com
Subject: [pfSense Support] Multiple segments on an interface?

Can I have multiple segments on an interface? Meaning can I run
10.10.10.0/24 and 172.16.128.0/20 on the same interface? I assume I can
but I don't see where on the web interface I can do so..



[pfSense Support] PPTP User Password

2006-02-05 Thread John Cianfarani

Just wondering if there is a reason why extended characters
e.g. ! are not accepted in the pptp user password?

Thanks

John

[pfSense Support] PPTP Rule Error

2006-02-05 Thread John Cianfarani
Doing some testing with 1.0-BETA1-TESTING-SNAPSHOT-2-2-06 and whenever I
enable PPTP I get this error in the logs:

php: : There were error(s) loading the rules: /tmp/rules.debug:171:
syntax error pfctl: Syntax error in config file: pf rules not loaded -
The line in question reads [171]: pass in quick proto gre from any to
keep state label "allow gre pptpd"

Looks like it's missed the destination part.

Thanks
John




RE: [pfSense Support] PPTP Rule Error

2006-02-05 Thread John Cianfarani
Think I found the problem, the WAN interface didn't have a dhcp ip yet.

Thanks
John

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED] 
Sent: Sunday, February 05, 2006 5:19 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] PPTP Rule Error

Do you have PPTP redirect enabled?


RE: [pfSense Support] more VoIP issues

2006-01-20 Thread John Cianfarani
I have the same issue when using the shaper. I am using generic Asterisk
VoIP traffic.
As soon as I enable the traffic shaper I get the cutting in and out, and
as soon as I disable it (even in the middle of a call) it is normal.
In my tests there is no other traffic on the line other than voip.
I thought it was still being worked on that's why I never reported
anything.

Thanks
John

-Original Message-
From: Charles Sprickman [mailto:[EMAIL PROTECTED] 
Sent: Friday, January 20, 2006 3:57 PM
To: support@pfsense.com
Subject: [pfSense Support] more VoIP issues

Hello all,

I've been playing with the traffic shaper and have basically discovered 
that it is not tagging the RTP streams as high priority.  I'm using a 
Cisco ATA-186 with Vonage.

Last time I brought this up, someone said that altq/pf Just Works in 
this case, assigning anything with low delay TOS set to the high
priority 
queue by default.  It doesn't seem to be doing that.  Since turning on
the 
shaper, I get complaints from my co-workers that my voice is cutting in 
and out.  Looking at the nifty queue-status web gui I see that both 
inbound and outbound rtp is hitting the default queue.

I'll also note that doing an upload via ftp or scp gives me quite a lag
on 
all my ssh sessions as well, which are also supposed to land in the high

priority queue.

The first thing I wanted to do to show this was to run tcpdump on the 
pfsense box, but there's no bpf device.  Any hints on getting that on 
there?  I'm running beta-1.  As far as I can tell, this device can't be 
kldloaded.

Thanks,

Charles

___
Charles Sprickman
NetEng/SysAdmin
Bway.net - New York's Best Internet - www.bway.net
[EMAIL PROTECTED] - 212.655.9344



RE: [pfSense Support] IPSec BugValidation 5

2006-01-18 Thread John Cianfarani
I will see if I can test something tonight.
Pedro what problem do you see fixed? Establishment/Bouncing?

John

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, January 18, 2006 11:45 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] IPSec BugValidation 5

We didnt change anything but ok.

Scott

On 1/18/06, Pedro Paulo de Magalhaes Oliveira Junior
[EMAIL PROTECTED] wrote:



 Hi,



 IPSec issue has been fixed in BugValidation 5.


RE: [pfSense Support] IPSec Problems

2006-01-16 Thread John Cianfarani
From the looks of it I don't know if it's exactly related; it seems that
bug is related to the remote address being /32s, and all of the ones I
have are /24s.

Strange part is the mobile connection will work part of the time, but
when it stops working it just seems to be dead.

John
-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED] 
Sent: Monday, January 16, 2006 11:07 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] IPSec Problems

We are waiting for 0.6.5 of IPSEC-Tools due to a bug.  Is this the same?

http://article.gmane.org/gmane.comp.security.firewalls.m0n0wall/23905

Scott

On 1/16/06, Pedro Paulo de Magalhaes Oliveira Junior
[EMAIL PROTECTED] wrote:
 We are facing the same problem.

 And it also happen with non mobile.

 -Mensagem original-
 De: John Cianfarani [mailto:[EMAIL PROTECTED]
 Enviada em: segunda-feira, 16 de janeiro de 2006 13:58
 Para: support@pfsense.com
 Assunto: [pfSense Support] IPSec Problems

 Hey All,

 I have been having some problems again with some of the Mobile Client
 IPSec.  Not sure if there is any changes/improvements in Beta 2. (All
 sites are running Beta 1)
 Here is the issue I've been having, Ipsec tunnels seem to bounce quite
 frequently while this could be caused by many issues it seems that
 sometimes when the tunnel goes down it just won't come back up.

 Setup  is a remote-pf site which is the mobile client and the
central-pf
 host site that has a carp address which is the where the remote site
 builds the tunnel to.
 I haven't isolated which one the problem is with.  When the tunnel
gets
 in this state I try to do the sourced ping from the remote-pf I also
 have tried to restart the box and the tunnel will still not build.
(See
 below for the ipsec.log after a reboot and a test ping).  If I check
the
 ipsec.log on the central-pf it is empty, as if there was either no
 attempt. If I nmap both hosts it shows 500/udp open|filtered isakmp
so
 it looks like its bound correctly

 Now just for testing while it is in this state I can build a regular
 tunnel on the central-pf to the dynamic ip of the remote site and ping
 and the tunnel will come up right away.

 Anything to check or try would be appreciated.

 Thanks
 John Cianfarani


  Log from remote-pf after a reload and ping -c 10 -S LANIP
 REMOTELANIP 
 Jan 16 10:15:17 gw-remote1 racoon: INFO: @(#)ipsec-tools 0.6.4
 (http://ipsec-tools.sourceforge.net)
 Jan 16 10:15:17 gw-remote1 racoon: INFO: @(#)This product linked
OpenSSL
 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
 Jan 16 10:15:17 gw-remote1 racoon: INFO: fe80::1%lo0[500] used as
isakmp
 port (fd=8)
 Jan 16 10:15:17 gw-remote1 racoon: INFO: ::1[500] used as isakmp port
 (fd=9)
 Jan 16 10:15:17 gw-remote1 racoon: INFO: 127.0.0.1[500] used as isakmp
 port (fd=10)
 Jan 16 10:15:17 gw-remote1 racoon: INFO: re.mo.te.ip[500] used as
isakmp
 port (fd=11)
 Jan 16 10:15:17 gw-remote1 racoon: INFO:
 fe80::20d:b9ff:fe02:c6c6%sis2[500] used as isakmp port (fd=12)
 Jan 16 10:15:17 gw-remote1 racoon: INFO:
 fe80::20d:b9ff:fe02:c6c5%sis1[500] used as isakmp port (fd=13)
 Jan 16 10:15:17 gw-remote1 racoon: INFO: 192.168.0.1[500] used as
isakmp
 port (fd=14)
 Jan 16 10:15:17 gw-remote1 racoon: INFO:
 fe80::20d:b9ff:fe02:c6c4%sis0[500] used as isakmp port (fd=15)
 Jan 16 10:15:17 gw-remote1 racoon: INFO: 172.16.10.1[500] used as
isakmp
 port (fd=16)
 Jan 16 10:15:18 gw-remote1 racoon: INFO: caught signal 15
 Jan 16 10:15:19 gw-remote1 racoon: INFO: racoon shutdown
 Jan 16 10:15:20 gw-remote1 racoon: INFO: @(#)ipsec-tools 0.6.4
 (http://ipsec-tools.sourceforge.net)
 Jan 16 10:15:20 gw-remote1 racoon: INFO: @(#)This product linked
OpenSSL
 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
 Jan 16 10:15:21 gw-remote1 racoon: INFO: fe80::1%lo0[500] used as
isakmp
 port (fd=7)
 Jan 16 10:15:21 gw-remote1 racoon: INFO: ::1[500] used as isakmp port
 (fd=8)
 Jan 16 10:15:21 gw-remote1 racoon: INFO: 127.0.0.1[500] used as isakmp
 port (fd=9)
 Jan 16 10:15:21 gw-remote1 racoon: INFO: re.mo.te.ip[500] used as
isakmp
 port (fd=10)
 Jan 16 10:15:21 gw-remote1 racoon: INFO:
 fe80::20d:b9ff:fe02:c6c6%sis2[500] used as isakmp port (fd=11)
 Jan 16 10:15:21 gw-remote1 racoon: INFO:
 fe80::20d:b9ff:fe02:c6c5%sis1[500] used as isakmp port (fd=12)
 Jan 16 10:15:21 gw-remote1 racoon: INFO: 192.168.0.1[500] used as
isakmp
 port (fd=13)
 Jan 16 10:15:21 gw-remote1 racoon: INFO:
 fe80::20d:b9ff:fe02:c6c4%sis0[500] used as isakmp port (fd=14)
 Jan 16 10:15:21 gw-remote1 racoon: INFO: 172.16.10.1[500] used as
isakmp
 port (fd=15)
 Jan 16 10:15:21 gw-remote1 racoon: ERROR: such policy already exists.
 anyway replace it: 172.16.10.0/24[0] 172.16.10.1/32[0] proto=any
dir=in
 Jan 16 10:15:21 gw-remote1 racoon: ERROR: such policy already exists.
 anyway replace it: 172.16.0.0/24[0] 172.16.10.0/24[0] proto=any dir=in
 Jan 16 10:15:21 gw-remote1 racoon: ERROR: such policy already exists.
 anyway replace it: 172.16.10.1/32[0] 172.16.10.0/24[0] proto=any
dir=out
 Jan
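
A caveat on the nmap check in the message above: "500/udp open|filtered" is inconclusive, because for UDP nmap reports open|filtered whenever no ICMP port-unreachable comes back, so a racoon that is bound to the socket but never answers looks exactly like one that works. The check a practitioner wants is an active one: send a single IKEv1 Main Mode SA proposal and see whether any ISAKMP datagram comes back. The script below is an added example, not pfSense, racoon or PIX code; it follows the RFC 2408/2409 wire format, and the proposal set (3DES or AES-128, SHA1, pre-shared key, MODP-1024, 28800 s lifetime) is an assumption chosen to match a mid-2000s peer. Run it from the host whose address the responder is configured for, or against a responder with an anonymous/mobile remote section; racoon typically does not answer proposals from an address it has no configuration for, so "silent" from an arbitrary third host proves nothing.

```python
"""IKEv1 liveness probe: send one Main Mode SA proposal to UDP/500 and classify the answer.

Added example, not pfSense, racoon or PIX code.  Wire layout per RFC 2408/2409.
The transform set offered is an assumption (3DES or AES-128, SHA1, PSK, MODP-1024).
"""
import os
import socket
import struct

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")  # i_cookie, r_cookie, next, version, exch, flags, msgid, length
PLD_NONE, PLD_SA, PLD_TRANSFORM, PLD_NOTIFY = 0, 1, 3, 11
EXCH_MAIN, EXCH_INFORMATIONAL = 2, 5
IKE_VERSION = 0x10  # major 1, minor 0

# IKEv1 SA attribute types (RFC 2409 appendix A) and the values offered
ATTR_ENC, ATTR_HASH, ATTR_AUTH, ATTR_GROUP, ATTR_LIFE_TYPE, ATTR_LIFE_DUR, ATTR_KEYLEN = 1, 2, 3, 4, 11, 12, 14
ENC_3DES, ENC_AES, HASH_SHA1, AUTH_PSK, GROUP_MODP1024, LIFE_SECONDS = 5, 7, 2, 1, 2, 1


def _tv(atype, value):
    """Basic (type/value) attribute: high bit set in the type, 16-bit value."""
    return struct.pack("!HH", 0x8000 | atype, value)


def build_transform(number, is_last, enc, keylen=None):
    attrs = [_tv(ATTR_ENC, enc), _tv(ATTR_HASH, HASH_SHA1), _tv(ATTR_AUTH, AUTH_PSK),
             _tv(ATTR_GROUP, GROUP_MODP1024), _tv(ATTR_LIFE_TYPE, LIFE_SECONDS),
             _tv(ATTR_LIFE_DUR, 28800)]
    if keylen:
        attrs.append(_tv(ATTR_KEYLEN, keylen))
    body = b"".join(attrs)
    # next payload, reserved, length, transform #, transform id (1 = KEY_IKE), reserved
    nxt = PLD_NONE if is_last else PLD_TRANSFORM
    return struct.pack("!BBHBBH", nxt, 0, 8 + len(body), number, 1, 0) + body


def build_sa_payload():
    transforms = [build_transform(1, False, ENC_3DES), build_transform(2, True, ENC_AES, 128)]
    tbytes = b"".join(transforms)
    # proposal: next, reserved, length, proposal #, protocol id (1 = ISAKMP), SPI size 0, # of transforms
    proposal = struct.pack("!BBHBBBB", PLD_NONE, 0, 8 + len(tbytes), 1, 1, 0, len(transforms)) + tbytes
    # SA: next, reserved, length, DOI (1 = IPsec), situation (1 = SIT_IDENTITY_ONLY)
    return struct.pack("!BBHII", PLD_NONE, 0, 12 + len(proposal), 1, 1) + proposal


def build_probe(i_cookie=None):
    """Main Mode message 1: header with a fresh initiator cookie, zero responder cookie, SA payload."""
    i_cookie = i_cookie or os.urandom(8)
    sa = build_sa_payload()
    hdr = ISAKMP_HDR.pack(i_cookie, bytes(8), PLD_SA, IKE_VERSION, EXCH_MAIN, 0, 0, ISAKMP_HDR.size + len(sa))
    return hdr + sa


def build_reply_header(i_cookie, next_payload, exch):
    """Header-only datagram standing in for a responder's answer (to exercise classify_reply offline)."""
    return ISAKMP_HDR.pack(i_cookie, os.urandom(8), next_payload, IKE_VERSION, exch, 0, 0, ISAKMP_HDR.size)


def parse_header(data):
    if len(data) < ISAKMP_HDR.size:
        return None
    names = ("i_cookie", "r_cookie", "next", "version", "exch", "flags", "msgid", "length")
    return dict(zip(names, ISAKMP_HDR.unpack_from(data)))


def classify_reply(probe, reply):
    sent, got = parse_header(probe), parse_header(reply)
    if got is None or got["i_cookie"] != sent["i_cookie"]:
        return "unrelated"  # not an answer to our cookie; ignore it
    if got["exch"] == EXCH_MAIN and got["next"] == PLD_SA:
        return "alive: accepted a proposal"
    if got["exch"] == EXCH_INFORMATIONAL and got["next"] == PLD_NOTIFY:
        return "alive: rejected (notification)"  # e.g. NO-PROPOSAL-CHOSEN; IKE is still answering
    return "alive: other ISAKMP reply"


def probe_host(host, port=500, timeout=3.0):
    """Send one probe and classify the first datagram back; 'silent' means nothing arrived in time."""
    pkt = build_probe()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (host, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "silent"
    return classify_reply(pkt, data)


if __name__ == "__main__":
    import sys
    print(probe_host(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"))
```

A reply classified as a notification (for instance NO-PROPOSAL-CHOSEN) still proves the IKE daemon is reading its socket, which is the one thing netstat cannot tell you; "silent" from a host the responder is configured for, with the port reachable, is the state described in this thread.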

RE: [pfSense Support] IPSec Problems

2006-01-16 Thread John Cianfarani
I have ordered a few more wrap boxes for testing, once they come in maybe
later this week (hopefully before I go on vacation) I'll be able to lab this
out a little better hopefully to see if I can help pinpoint who is cause of
the issue.

Is there any way to turn on more debugging for ipsec-tools?

Thanks
John

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED] 
Sent: Monday, January 16, 2006 11:24 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] IPSec Problems

Okay, if for some reason 0.6.5 is not out by the time we go to release
I'll back down to 0.6.2.

Scott


RE: [pfSense Support] IPSec Problems

2006-01-16 Thread John Cianfarani
When the tunnel is up the traffic is excellent no drops at all.

Eg.
100 packets transmitted, 100 packets received, 0% packet loss
round-trip min/avg/max/stddev = 17.742/22.997/36.222/3.837 ms

-Original Message-
From: Pedro Paulo de Magalhaes Oliveira Junior [mailto:[EMAIL PROTECTED] 
Sent: Monday, January 16, 2006 11:28 AM
To: support@pfsense.com
Subject: RES: [pfSense Support] IPSec Problems

My problem is packet loss:

C:\Documents and Settings\Administradorping -t 192.168.0.252

Sending to 192.168.0.252 with 32 bytes data:

Request timeout.
Reply from 192.168.0.252: bytes=32 tempo=146ms TTL=126
Reply from 192.168.0.252: bytes=32 tempo=72ms TTL=126
Reply from 192.168.0.252: bytes=32 tempo=116ms TTL=126
Reply from 192.168.0.252: bytes=32 tempo=116ms TTL=126
Request timeout.
Request timeout.
Reply from 192.168.0.252: bytes=32 tempo=158ms TTL=126
Reply from 192.168.0.252: bytes=32 tempo=169ms TTL=126
Request timeout.
Request timeout.
Reply from 192.168.0.252: bytes=32 tempo=210ms TTL=126
Reply from 192.168.0.252: bytes=32 tempo=266ms TTL=126
Reply from 192.168.0.252: bytes=32 tempo=63ms TTL=126
Reply from 192.168.0.252: bytes=32 tempo=84ms TTL=126
Reply from 192.168.0.252: bytes=32 tempo=139ms TTL=126
Reply from 192.168.0.252: bytes=32 tempo=131ms TTL=126
Reply from 192.168.0.252: bytes=32 tempo=136ms TTL=126
Request timeout.
Request timeout.
Reply from 192.168.0.252: bytes=32 tempo=234ms TTL=126
Reply from 192.168.0.252: bytes=32 tempo=57ms TTL=126
Request timeout.
Request timeout.
Reply from 192.168.0.252: bytes=32 tempo=62ms TTL=126
Request timeout.
Request timeout.
Reply from 192.168.0.252: bytes=32 tempo=84ms TTL=126

Ping to 192.168.0.252:
Pacotes: Sent = 28, Received = 17, Lost = 11 (39% loss),
Roundtrip:
Mínimo = 57ms, Máximo = 266ms, Média = 131ms



[pfSense Support] CPU Mib

2006-01-16 Thread John Cianfarani

Is there a MIB for polling CPU on pfsense? I went through
the entire walk and tried some of the standard ones but couldn't find it.

John

RE: [pfSense Support] build_embedded.sh

2006-01-11 Thread John Cianfarani
I'm seeing the same problem.

John

-Original Message-
From: alan walters [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, January 11, 2006 8:58 AM
To: support@pfsense.com
Subject: [pfSense Support] build_embedded.sh

Seems like there are three files effected

/boot/kernel.conf_wrap
/boot/device.hints_wrap
/etc/ttys_wrap

Alan Walters
Aillweecave Company Limited
Ballyvaughan Co Clare
Ph (00353) 65 7077 036
Fax (00353) 65 7077 107
Lo Call 1890 AILLWEE




RE: [pfSense Support] Errors doing cvsup_current

2005-12-31 Thread John Cianfarani
Any other updates that need to be done as well as I also have a problem
when building the embedded.

 Installing kernel
Warning: Object directory not changed from original /usr/src/sbin/devd
install -s -o root -g wheel -m 555   devd /home/pfsense/pfSense/sbin

Thanks
John

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED] 
Sent: Friday, December 30, 2005 4:59 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Errors doing cvsup_current

Same problem as before.  Update freesbie2

cd /home/pfsense/freesbie && cvs update -d
On 12/30/05, John Cianfarani [EMAIL PROTECTED] wrote:
 I get further now but stop here:

 - rootmfs
 Adding init script for /root mfs
 Saving mtree structure for /root
 - varmfs
 Adding init script for /var mfs
 cp: /home/pfsense/freesbie2/extra/varmfs/varmfs.rc: No such file or
 directory
 *** Error code 1

 Stop in /home/pfsense/freesbie2.
 #

 Checked there is no varmfs directory, only varmfs.sh under /extra
 Also did a find for it and nothing turned up.

 Thanks Again
 John

 -Original Message-
 From: Scott Ullrich [mailto:[EMAIL PROTECTED]
 Sent: Friday, December 30, 2005 2:46 PM
 To: support@pfsense.com
 Subject: Re: [pfSense Support] Errors doing cvsup_current

 This is from a newer freebsd buildworlds.

 cp /usr/sbin/setkey /sbin/

 Scott


RE: [pfSense Support] Errors doing cvsup_current

2005-12-31 Thread John Cianfarani
Those were the last lines before it stopped... 
The other script seemed to continue after that and copy packages and
running plugins and lots of other stuff I assumed that build_embedded
did the same thing.

Where does the image get put then? I did a find for both *.img and *.gz
and I didn't see it anywhere.  Or do I need to run something else to
actually create the image?

Thanks
John

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED] 
Sent: Saturday, December 31, 2005 3:35 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Errors doing cvsup_current

What problem?  That looks normal.


RE: [pfSense Support] VMware Dev Edition

2005-12-30 Thread John Cianfarani

Ah okay, that's what I was wondering, where I would install packages. So
everything under /home/pfsense/pfSense gets rolled into the image.

I will be giving it a try this week.

Thanks

John

From: Tommaso Di Donato [mailto:[EMAIL PROTECTED]
Sent: Friday, December 30, 2005 10:09 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] VMware Dev Edition

I customized the config.xml file, and the new built iso worked well.
The files you have to change are the ones in /home/pfsense/pfSense.
My only problem is that I am not able to add a user in the new ISO: if I change
the /home/pfsense/pfSense/etc/passwd file, it is overwritten when I launch
build_iso.sh.
How can I manage this?
Thanx

P.S. Except for the user problem, feel free to ask if you need help in
installing additional packages... I did it for clamav, pcre, and so on...
so maybe I can help you. i.e. try pkg_add -r -p /home/pfsense/pfSense/usr/local

On 12/30/05, John Cianfarani [EMAIL PROTECTED] wrote:

Maybe I'm confused what this is for then.
What customizations would someone do with this? My initial thoughts
were what packages got installed and some initial configurations etc.

Thanks
John

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 30, 2005 12:01 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] VMware Dev Edition

This will always build the latest version of pfSense. It has nothing
to do with what is installed.

Scott

On 12/29/05, John Cianfarani [EMAIL PROTECTED] wrote:

 Been away from the list for a bit, but I'm just playing with the
 vmware dev edition and have a few questions I couldn't find the answer to.

 Do you just modify the version of pfsense that starts up to install
 change packages etc, or is there a special folder / config that you need to
 change to make custom images?

 Thanks

 John

[pfSense Support] Errors doing cvsup_current

2005-12-30 Thread John Cianfarani

When running cvsup_current I get the following error.

 Phase populate_extra

Warning: Object directory not changed from original /usr/src/sbin/devd

install -s -o root -g wheel -m 555 devd /home/pfsense/pfSense/sbin

cp: /sbin/setkey: No such file or directory

Thanks

John

RE: [pfSense Support] IPSec VPN in 0.99 embedded doesn't work

2005-12-24 Thread John Cianfarani
Gah, and I haven't even got a chance to try the last versions that worked
again...

John

-Original Message-
From: Ispánovits Imre [mailto:[EMAIL PROTECTED] 
Sent: Saturday, December 24, 2005 7:21 PM
To: support@pfsense.com
Subject: [pfSense Support] IPSec VPN in 0.99 embedded doesn't work

Hi,

On the new 0.99 embedded version the ipsec vpn doesn't work for me, although the
same generic pc version works fine on the same hardware.
I don't see anything wrong in the logs, but no SAD/SPD established :(
The other side is m0n0wall 1.2 for months (since issued) without changes.

Best regards
Imre Ispanovits
ps.
The logs are as follows:
==
Dec 25 01:06:37 racoon: INFO: fe80::208:c7ff:fec1:530e%fxp0[500] used as isakmp port (fd=16)
Dec 25 01:06:37 racoon: INFO: 10.0.0.3[500] used as isakmp port (fd=15)
Dec 25 01:06:37 racoon: INFO: fe80::2d0:b7ff:fe71:aba3%fxp1[500] used as isakmp port (fd=14)
Dec 25 01:06:37 racoon: INFO: fe80::20f:a3ff:fe1a:e210%ath0[500] used as isakmp port (fd=13)
Dec 25 01:06:37 racoon: INFO: 10.0.0.40[500] used as isakmp port (fd=12)
Dec 25 01:06:37 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=11)
Dec 25 01:06:37 racoon: INFO: ::1[500] used as isakmp port (fd=10)
Dec 25 01:06:37 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=9)
Dec 25 01:06:37 racoon: INFO: 87.97.13.39[500] used as isakmp port (fd=8)
Dec 25 01:06:37 racoon: INFO: fe80::208:c7ff:fec1:530e%ng0[500] used as isakmp port (fd=7)
Dec 25 01:06:37 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
Dec 25 01:06:37 racoon: INFO: @(#)ipsec-tools 0.6 (http://ipsec-tools.sourceforge.net)
Dec 25 01:06:36 racoon: INFO: racoon shutdown
Dec 25 01:06:35 racoon: INFO: caught signal 15
Dec 25 01:06:32 racoon: INFO: fe80::208:c7ff:fec1:530e%fxp0[500] used as isakmp port (fd=16)
Dec 25 01:06:32 racoon: INFO: 10.0.0.3[500] used as isakmp port (fd=15)
Dec 25 01:06:32 racoon: INFO: fe80::2d0:b7ff:fe71:aba3%fxp1[500] used as isakmp port (fd=14)
Dec 25 01:06:32 racoon: INFO: fe80::20f:a3ff:fe1a:e210%ath0[500] used as isakmp port (fd=13)
Dec 25 01:06:32 racoon: INFO: 10.0.0.40[500] used as isakmp port (fd=12)
Dec 25 01:06:32 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=11)
Dec 25 01:06:32 racoon: INFO: ::1[500] used as isakmp port (fd=10)
Dec 25 01:06:32 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=9)
Dec 25 01:06:32 racoon: INFO: 87.97.13.39[500] used as isakmp port (fd=8)
Dec 25 01:06:32 racoon: INFO: fe80::208:c7ff:fec1:530e%ng0[500] used as isakmp port (fd=7)
Dec 25 01:06:32 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
Dec 25 01:06:32 racoon: INFO: @(#)ipsec-tools 0.6 (http://ipsec-tools.sourceforge.net)





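The first triage step for a racoon log like the one quoted in this thread is to separate "the daemon restarted and bound its ISAKMP sockets" from "an SA actually came up". The script below is an added example, not pfSense or ipsec-tools code: its sample lines are constructed to mirror the excerpt (pfSense's log viewer prints newest entries first, so it re-orders them), and the "ISAKMP-SA established" / "IPsec-SA established" phrases it looks for are assumed to be racoon's success messages.

```python
"""Triage a racoon (ipsec-tools) log excerpt: did the daemon only restart and
bind its ISAKMP sockets, or did it negotiate a security association?
Added example, not pfSense or racoon code.  SAMPLE_LOG is constructed to
mirror the thread's excerpt; newest entries come first, as in the log viewer."""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Dec 25 01:06:37 racoon: INFO: fe80::208:c7ff:fec1:530e%fxp0[500] used as isakmp port (fd=16)
Dec 25 01:06:37 racoon: INFO: 10.0.0.3[500] used as isakmp port (fd=15)
Dec 25 01:06:37 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=11)
Dec 25 01:06:37 racoon: INFO: ::1[500] used as isakmp port (fd=10)
Dec 25 01:06:37 racoon: INFO: 87.97.13.39[500] used as isakmp port (fd=8)
Dec 25 01:06:37 racoon: INFO: @(#)ipsec-tools 0.6 (http://ipsec-tools.sourceforge.net)
Dec 25 01:06:36 racoon: INFO: racoon shutdown
Dec 25 01:06:35 racoon: INFO: caught signal 15
Dec 25 01:06:32 racoon: INFO: 10.0.0.3[500] used as isakmp port (fd=15)
Dec 25 01:06:32 racoon: INFO: 87.97.13.39[500] used as isakmp port (fd=8)
Dec 25 01:06:32 racoon: INFO: @(#)ipsec-tools 0.6 (http://ipsec-tools.sourceforge.net)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) racoon: (?P<level>\w+): (?P<msg>.*)$")
BIND_RE = re.compile(r"^(?P<addr>\S+)\[(?P<port>\d+)\] used as isakmp port")
# Assumption: these are the phrases racoon logs when negotiation succeeds.
SA_MARKERS = ("ISAKMP-SA established", "IPsec-SA established")


def parse(text):
    """Return parsed lines in chronological (oldest-first) order."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    entries.reverse()          # the viewer shows newest first
    return entries


def is_local_only(addr):
    """Loopback and link-local binds can never carry a peer's ISAKMP traffic."""
    a = addr.lower()
    return a.startswith("127.") or a == "::1" or a.startswith("fe80:")


def triage(text):
    """Summarise daemon starts, shutdowns, routable listeners and SA events."""
    starts = shutdowns = sa_established = 0
    listeners = defaultdict(set)   # daemon start number -> routable bind addresses
    for e in parse(text):
        msg = e["msg"]
        bind = BIND_RE.match(msg)
        if msg.startswith("@(#)ipsec-tools"):
            starts += 1            # the version banner is logged once per start
        elif msg == "racoon shutdown":
            shutdowns += 1
        elif bind and not is_local_only(bind.group("addr")):
            listeners[starts].add(bind.group("addr"))
        elif any(marker in msg for marker in SA_MARKERS):
            sa_established += 1
    report = {
        "starts": starts,
        "shutdowns": shutdowns,
        "listeners": {k: sorted(v) for k, v in listeners.items()},
        "sa_established": sa_established,
    }
    if sa_established:
        report["verdict"] = "SA negotiated"
    elif listeners:
        report["verdict"] = ("ISAKMP sockets bound but no ISAKMP/IPsec SA was "
                             "established: check that the peer reaches UDP/500 "
                             "and that the SPD matches the GUI settings")
    else:
        report["verdict"] = "racoon never bound a routable ISAKMP socket"
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```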
RE: [pfSense Support] Ipsec issues update

2005-12-19 Thread John Cianfarani
What version are you running that works for you?

Thanks

John


From: alan walters [mailto:[EMAIL PROTECTED]
Sent: Sunday, December 18, 2005 6:35 AM
To: support@pfsense.com
Subject: [pfSense Support] Ipsec issues update

Well, I have got all my tunnels working again. I found that in the mobile clients
section that I needed to change my identifier to a fqdn. Where before it was an
ip.

Once this was done all my tunnels worked fine again. All sites are on static ip
addresses.

Alan Walters
Aillweecave Company Limited
Ballyvaughan
Co Clare
Ph: 00 353 65 7077 036
Fax: 00 353 65 7077 107


RE: [pfSense Support] /usr/sbin/setkey missing from latest embedded

2005-12-16 Thread John Cianfarani
That whole directory /usr/sbin seems to be only a fraction of what used
to be there.
All the pkg_* stuff is missing, even ftp, ntpd? is gone. 

I copied the file over onto both sides into /usr/sbin then chmod 555.

Didn't seem to fix my troubles. :(


94.10
# ls -l /usr/sbin | wc -l 
 222

95.2
# ls -l /usr/sbin | wc -l
  53


Good sleuth skills though!
Thanks
John
-Original Message-
From: Angelo Turetta [mailto:[EMAIL PROTECTED] 
Sent: Friday, December 16, 2005 8:46 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] /usr/sbin/setkey missing from latest
embedded

 I don't think that's normal.

Replying to myself just to confirm it is not normal.

I copied /usr/sbin/setkey to the flash from another 6_STABLE box, disabled
then re-enabled ipsec using the checkbox on the top of the config page,
and my tunnel sprang to life!

Angelo.





RE: [pfSense Support] ipsec issues

2005-12-15 Thread John Cianfarani
Is this only required if you upgraded?
All my installs were a reflash.

Thanks
John 

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 15, 2005 2:45 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] ipsec issues

Yep, that's exactly what is going on.   Just delete the old kernel
file and install the new firmware.

In terms of the older files elsewhere, I'd play it safe and not touch
them for the time being.

If you're really concerned with stale files, a reinstall is the correct
answer.

Scott

On 12/15/05, Vivek Khera [EMAIL PROTECTED] wrote:
 On Dec 15, 2005, at 1:29 PM, Scott Ullrich wrote:

  Something's not correct here.  We are well past RC1.

 interesting... my 0.96.2 upgraded box also has the same uname -a
 output.

 A bunch of modules in /boot/kernel are dated december 11, but the
 kernel file and a bunch of other modules are dated october 22...

 OH I see it.  We now install /boot/kernel.gz (dated december
 11) but the loader is picking up the older uncompressed version.
 Looks like the upgrade should delete the older kernel...

 I suspect the right thing to do on upgrade is a similar thing that
 make installkernel does to move /boot/kernel to /boot/kernel.old
 and update some sysctl values to tell the system that's the booted
 kernel.  This way /boot/kernel will be exactly the current kernel no
 more no less.

 additionally,

 /usr/bin has some october 22 dated files: yp*, usb*, dig, and host.
 /usr/libexec has some older files too.

 Can these outdated files just be deleted?  Seems like they are not
 used at all.  On a normal freebsd install I'd just delete any non-
 updated files like these.

 The only risk with deleting old libs from /lib or /usr/lib is that
 some older packages may be linked against older libc's.








RE: [pfSense Support] Re: IPSec Broken in 95.8 Embedded?

2005-12-14 Thread John Cianfarani
Tried that, doesn't seem to bring it up. I thought I could run some
racoon command to force it up.

If you're interested I can probably set up a pptp account on the fw for
you/holger.
Or I can send edited versions of the config files.

Thanks for the help
John


-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, December 14, 2005 11:15 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Re: IPSec Broken in 95.8 Embedded?

ping -S LANIPOFFIREWALL IPOFOTHEREND

Do the above from the firewall.

I still don't understand why people are having ipsec issues.  Will
have to wait for holger to test.

On 12/14/05, John Cianfarani [EMAIL PROTECTED] wrote:
 After I reloaded the box from scratch again I put only basics in and
 don't get the bind errors, but I don't see anything when I try to ping
 across to the other side. I'm wondering if it is whatever that triggers
 the tunnel to come up.

 Is there a way I can try to bring up the tunnel manually?

 Thanks
 John

 -Original Message-
 From: Scott Ullrich [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, December 13, 2005 2:59 PM
 To: support@pfsense.com
 Subject: Re: [pfSense Support] Re: IPSec Broken in 95.8 Embedded?

 Complete ipsec logs from both ends.
 On 12/13/05, John Cianfarani [EMAIL PROTECTED] wrote:
  Is there any specific config/debug I can provide that might show why
  the tunnels aren't coming up? Or what might be failing?
 
  Thanks
  John
 
  -Original Message-
  From: Scott Ullrich [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, December 13, 2005 12:18 PM
  To: support@pfsense.com
  Subject: Re: [pfSense Support] Re: IPSec Broken in 95.8 Embedded?
 
  Standard IPSEC.  Nothing fancy.
 
 
  On 12/13/05, John Cianfarani [EMAIL PROTECTED] wrote:
   Out of curiosity what kind of configuration are they in? (Mobile
   client?, static ip?)
   As I still have problems as well in any 95+
   I've also tried to recreate stuff from scratch in case it was a
   config import problem.
  
   Thanks
   John
  
   -Original Message-
   From: Scott Ullrich [mailto:[EMAIL PROTECTED]
   Sent: Tuesday, December 13, 2005 11:24 AM
   To: support@pfsense.com
   Subject: Re: [pfSense Support] Re: IPSec Broken in 95.8 Embedded?
  
   Don't know what to say.  All my tunnels are up in 3 different
   locations (7 tunnels total).
  
   I am on 0.96.2



RE: [pfSense Support] Re: IPSec Broken in 95.8 Embedded?

2005-12-13 Thread John Cianfarani
Out of curiosity what kind of configuration are they in? (Mobile
client?, static ip?)
As I still have problems as well in any 95+
I've also tried to recreate stuff from scratch in case it was a config
import problem.

Thanks
John

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, December 13, 2005 11:24 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Re: IPSec Broken in 95.8 Embedded?

Don't know what to say.  All my tunnels are up in 3 different
locations (7 tunnels total).

I am on 0.96.2




RE: [pfSense Support] Re: IPSec Broken in 95.8 Embedded?

2005-12-13 Thread John Cianfarani
Is there any specific config/debug I can provide that might show why the
tunnels aren't coming up? Or what might be failing?

Thanks
John

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, December 13, 2005 12:18 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Re: IPSec Broken in 95.8 Embedded?

Standard IPSEC.  Nothing fancy.


On 12/13/05, John Cianfarani [EMAIL PROTECTED] wrote:
 Out of curiosity what kind of configuration are they in? (Mobile
 client?, static ip?)
 As I still have problems as well in any 95+
 I've also tried to recreate stuff from scratch in case it was a config
 import problem.

 Thanks
 John

 -Original Message-
 From: Scott Ullrich [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, December 13, 2005 11:24 AM
 To: support@pfsense.com
 Subject: Re: [pfSense Support] Re: IPSec Broken in 95.8 Embedded?

 Don't know what to say.  All my tunnels are up in 3 different
 locations (7 tunnels total).

 I am on 0.96.2




RE: [pfSense Support] Re: IPSec Broken in 95.8 Embedded?

2005-12-13 Thread John Cianfarani
I upgraded to 96.2 and ran the test again. I reloaded both
boxes and cleared the ipsec.log.
Looks like it has trouble binding to the addresses on
remote1. Nothing in the logs on central1 makes it look like the connection
is making it there.

Attached are the ipsec.log from remote1 and central1 (vip
master).
The only things changed are remote1's wan ip is changed to
77.77.77.x and the Central1 Wan/vip range is changed to
99.99.99.x


Currently the setup is as follows. (Remote1 also has
another interface that has an ip but only used to link it to another
lan)

172.16.10.0/24 remote1 -- VIP --/ Central 1 \-- VIP -- 172.16.0.0/24
                                \ Central 2 /

Central 1 and 2 share VIP address via carp.
IPSec is setup for mobile clients
Mode - Aggressive
Identifier FQDN - [EMAIL PROTECTED]
Encryption - 3DES
Hash - SHA1
DH Key Group - 2
Lifetime 60
Auth Method - Pre-Share Key

Phase 2
Protocol - ESP
Encryption - 3DES, Blowfish
Hash - Sha1 
PFS - Off
Lifetime - 60


Remote 1 is setup as a tunnel

Interface - WAN
Local Sub - 172.16.10.0 /24
Remote Sub - 172.16.0.0 /24
Remote Gateway - VIP of Central 1 & 2

Mode - Aggressive
Identifier FQDN - [EMAIL PROTECTED]
Encryption - 3DES
Hash - SHA1
DH Key Group - 2
Lifetime 60
Auth Method - Pre-Share Key
(preshare key is entered)

Phase 2
Protocol - ESP
Encryption - 3DES, Blowfish
Hash - Sha1 
PFS - Off
Lifetime - 60


All devices have the same pre-shared keys / passwords are also the same
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]


As I mentioned before I don't see anything in Status-IPSec-SPD where I did
see the policy in versions like 94.10

Thanks
John



From: Holger Bauer [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 13, 2005 5:58 PM
To: support@pfsense.com
Subject: AW: [pfSense Support] Re: IPSec Broken in 95.8 Embedded?

could you give us a mockup what kind of ipsec you are using and how it is
set up? maybe even the ipsec config sections with removed secrets of both
endpoints? Also, like Scott said already, logs from both sides would be
helpful. If you don't want to send it to the list send them offlist. I can try
to simulate your setup here in my lab.

Holger

  -Original Message-
  From: John Cianfarani [mailto:[EMAIL PROTECTED]]
  Sent: Tue 13.12.2005 20:57
  To: support@pfsense.com
  Cc:
  Subject: RE: [pfSense Support] Re: IPSec Broken in 95.8 Embedded?

  Is there any specific config/debug I can provide that might show why the
  tunnels aren't coming up? Or what might be failing?

  Thanks
  John

  -Original Message-
  From: Scott Ullrich [mailto:[EMAIL PROTECTED]]
  Sent: Tuesday, December 13, 2005 12:18 PM
  To: support@pfsense.com
  Subject: Re: [pfSense Support] Re: IPSec Broken in 95.8 Embedded?

  Standard IPSEC. Nothing fancy.

  On 12/13/05, John Cianfarani [EMAIL PROTECTED] wrote:
   Out of curiosity what kind of configuration are they in? (Mobile
   client?, static ip?)
   As I still have problems as well in any 95+
   I've also tried to recreate stuff from scratch in case it was a config
   import problem.

   Thanks
   John

   -Original Message-
   From: Scott Ullrich [mailto:[EMAIL PROTECTED]]
   Sent: Tuesday, December 13, 2005 11:24 AM
   To: support@pfsense.com
   Subject: Re: [pfSense Support] Re: IPSec Broken in 95.8 Embedded?

   Don't know what to say. All my tunnels are up in 3 different
   locations (7 tunnels total).

   I am on 0.96.2


Attachment: gw-central1-ipsec.log
Attachment: gw-remote1-ipsec.log

RE: [pfSense Support] Traffic Shaper / IPSec

2005-12-10 Thread John Cianfarani
Trying to see if there would be some solution to this problem without putting
a second pfsense box behind to do the shaping.

I took a read of the m0n0wall list where this seemed to be discussed and one
idea seemed fairly plausible.

Create 2 IPSec tunnels, 1 voice, 1 data, and shape those independently?

Here are my thoughts:

- My central site has multiple static wan IPs so I could build the tunnels
  to different IPs.
- On the remote pfsense I could create 2 rules/queues in the traffic shaper and
  shape based on the destination IP. (one tunnel having higher priority)
- Routing traffic properly over these two tunnels could get a bit tricky.
- The central side has a 192.168.1.0/24 block, I could pretend it was split
  into 2x /25s and put 192.168.1.0/25 and 192.168.1.128/25 as the
  destination lans for the remote tunnel.
- I could do something similar or some other ip trickery to make the wan side
  go back to the correct tunnels.

My only concern here is if ipsec traffic as a whole could be shaped like this?





Sorry for keeping on this topic,

John


From: John Cianfarani
Sent: Wednesday, December 07, 2005 10:52 PM
To: support@pfsense.com
Subject: [pfSense Support] Traffic Shaper / IPSec

If you build the traffic shaping rules for lan-wan will
it treat traffic destined to an IPsec tunnel as a part of that? Essentially
I'm just looking to give priority to VoIP traffic, anything else would be
below that. Even if it could be done on the LAN interface regardless of
destination.



Thanks

John

[pfSense Support] Wake on Lan

2005-12-09 Thread John Cianfarani
Running 94.2 on a Wrap at the moment. Not sure if this was
fixed in a newer release.

But I noticed the Wake All Clients button in the WOL config doesn't seem to work.

I have a few servers (Dell PowerEdge) that wake up fine a
few seconds later after clicking the MAC address, but will never come up when
using the Wake All button.



Let me know if you need more info.



Thanks

John

RE: [pfSense Support] Wake on Lan

2005-12-09 Thread John Cianfarani
Clicking on a MAC would show that. Clicking on the Wake all does not
show it.

Thanks
John

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED] 
Sent: Friday, December 09, 2005 1:45 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Wake on Lan

When you click on the wake all button, do you see something like:

Sent magic packet to MAC-ADDRESS-1
Sent magic packet to MAC-ADDRESS-2
...
etc?

On 12/9/05, John Cianfarani [EMAIL PROTECTED] wrote:

 Running 94.2 on a Wrap at the moment. Not sure if this was fixed in a
 newer release.

 But I noticed the Wake All Clients button in the WOL config doesn't seem
 to work.

 I have a few servers (Dell PowerEdge) that wake up fine a few seconds later
 after clicking the MAC address, but will never come up when using the Wake
 All button.

 Let me know if you need more info.

 Thanks

 John




RE: [pfSense Support] Embedded images size

2005-12-07 Thread John Cianfarani
I'd actually like to install some additional packages on my wrap units.
(Perl, Nagios-NRPE, for monitoring the boxes as well as some additional 
scripting stuff)
Last time I asked about this Scott said he was going to look into getting 
instructions updated to do an image resize.

Thanks
John

-Original Message-
From: Holger Bauer [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, December 07, 2005 5:27 AM
To: support@pfsense.com
Subject: AW: [pfSense Support] Embedded images size

We are trying to reduce the image size. The recent versions now even run from
64 MB CF-Cards. As the embedded images don't support packages there is no need
to inflate them with emptiness if 64 MB is everything that's needed. Dump that
image to whatever size of CF-card you have (>=64 MB). You don't need a 512 MB
image only because you have a 512 MB CF-card.

Holger

 -Original Message-
 From: Eric Masson [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, 7 December 2005 11:21
 To: Mailing List pfSense support
 Subject: [pfSense Support] Embedded images size
 
 
 Hello,
 
 It seems that recent embedded images do not have standard flash card
 sizes.
 
 Is it a deliberate choice (take the image and adapt it to suit your
 needs) or a mistake (no answer found in the lists archives) ?
 
 Regards
 
 Éric Masson
 
 --
  If it produces nothing (insufficient biomagnetism), try with
  someone else's hand until the result is obtained.
  -+- Dav in www.le-gnu.net - Change hands, I feel it coming -+-
 



[pfSense Support] Traffic Shaper / IPSec

2005-12-07 Thread John Cianfarani








If you build the traffic shaping rules for lan-wan will
it treat traffic destined to an IPsec tunnel as a part of that? Essentially I'm
just looking to give priority to VoIP traffic, anything else would be below
that. Even if it could be done on the LAN interface regardless of
destination.



Thanks

John


RE: [pfSense Support] Traffic Shaper / IPSec

2005-12-07 Thread John Cianfarani
It would be a pfSense-pfSense ESP - IPSec tunnel.

I was also wondering if you could even shape everything out of the Lan port
regardless of destination (wan,ipsec,dmz).

Thanks
John

-Original Message-
From: Dan Swartzendruber [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 08, 2005 12:27 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Traffic Shaper / IPSec

At 11:29 PM 12/7/2005, you wrote:
IPSEC cannot be shaped (yet).

yes and no.  ESP/AH, no, but if you're doing nat-traversal, that's 
encapsulated in UDP packets, so that would work, no?

Scott

On 12/7/05, John Cianfarani [EMAIL PROTECTED] wrote:

  If you build the traffic shaping rules for lan-wan will it treat traffic
  destined to an IPsec tunnel as a part of that? Essentially I'm just looking
  to give priority to VoIP traffic, anything else would be below that.  Even if
  it could be done on the LAN interface regardless of destination.









RE: [pfSense Support] Have resize instructions changed?

2005-11-23 Thread John Cianfarani
I was trying with 94.10

John

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, November 23, 2005 2:09 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Have resize instructions changed?

Could be.   Please try our latest round of images.

On 11/22/05, John Cianfarani [EMAIL PROTECTED] wrote:

 Just wondering if the process might have changed for resizing wrap images
 since when the boot process seemed to change. (maybe that was around .90 with
 the FreeSBIE)

 After trying to resize I get this

 Trying to mount root from ufs:/dev/ufs/pfSense

 Manual root filesystem specification:
   fstype:device  Mount device using filesystem fstype
                  eg. ufs:da0s1a
   ?              List valid disk boot devices
   empty line     Abort manual input

 Thanks

 John




RE: [pfSense Support] Have resize instructions changed?

2005-11-23 Thread John Cianfarani
Is it possible to just make a few empty images (128,256,512 etc) and
then just have us mount and copy the partition information inside it?

Not sure if that would make it any easier.

John

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, November 23, 2005 1:24 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Have resize instructions changed?

On 11/23/05, John Cianfarani [EMAIL PROTECTED] wrote:
 I was trying with 94.10

They have changed a little bit.  We now use a uzipped /usr mount. 
I'll see about getting this updated soon.




[pfSense Support] Have resize instructions changed?

2005-11-22 Thread John Cianfarani
Just wondering if the process might have changed for resizing wrap images
since when the boot process seemed to change. (maybe that was around .90 with
the FreeSBIE)

After trying to resize I get this

Trying to mount root from ufs:/dev/ufs/pfSense

Manual root filesystem specification:
  fstype:device  Mount device using filesystem fstype
                 eg. ufs:da0s1a
  ?              List valid disk boot devices
  empty line     Abort manual input



Thanks

John
RE: [pfSense Support] IPsec Does Auto Establish work?

2005-11-18 Thread John Cianfarani
Ah okay I was figuring it would always try to keep it up. Anything I
can do from within the pfsense box itself to keep the tunnel up?

Is traffic shaping over Ipsec out of the question at the moment?

Thanks
John

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED] 
Sent: Friday, November 18, 2005 11:57 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] IPsec Does Auto Establish work?

On bootup or after initial setup of the tunnel, pfSense will ping
across the tunnel to bring it up.

Scott

On 11/17/05, John Cianfarani [EMAIL PROTECTED] wrote:

 Does anyone have IPSec tunnels auto establish working?  I can only seem to
 get the tunnels to come up when traffic is passing over them.

 Also wondering if there is anything special that needs to be done to do
 traffic shaping through an IPSec tunnel?

 Thanks

 John




RE: [pfSense Support] IPsec Does Auto Establish work?

2005-11-18 Thread John Cianfarani
I've tried pinging from the shell/console to a remote ipsec endpoint but
it doesn't cause the tunnel to come up. (a local machine will cause the
tunnel to come up though).
I thought I read in an earlier message or the faq that freebsd kludges
together ipsec tunnels so some routes aren't properly in place. Is this
still true?

Or is it possible to run the same command/script that pfsense does to
bring up the tunnel?

Thanks
John

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED] 
Sent: Friday, November 18, 2005 1:08 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] IPsec Does Auto Establish work?

Yeah, we have cron.

Scott

On 11/18/05, Jesse Norell [EMAIL PROTECTED] wrote:

   Ah okay I was figuring it would always try to keep it up. Any
   thing I can do from within the pfsense box itself to keep the tunnel up?
 
  As long as traffic is going through the tunnel, it should stay up. In
  my case I have a IP phone and never notice an issue.

   Does pfsense have cron?  If so, could make a cronjob to ping once a
   minute or something.

 --
 Jesse Norell - [EMAIL PROTECTED]
 Kentec Communications, Inc.




RE: [pfSense Support] IPsec Does Auto Establish work?

2005-11-18 Thread John Cianfarani
Here is my somewhat potential setup for why I needed to keep the tunnel
up.

Let's say you have voip phones at a small remote site (1-2 users) which
has a dynamic ip address. (Which uses the mobile ipsec client setup)
Let's also assume the phones don't register with the call server (static
configuration or they register every 30min/60min).

Call server is at the host site.  Call comes in for one of the remote
phones but because the tunnel is down and the ip is dynamic it can't
bring up the ipsec session, hence unable to ring the phone.

Now you might say if a user isn't there who cares.  But the phone might
be set to do call forwarding or the user doesn't have their machine on.

On this note it could be resolved if it was possible to put in a
dynamic DNS name instead of an ip so the host site would always be able to
find the remote site?

Thanks
John

-Original Message-
From: Vivek Khera [mailto:[EMAIL PROTECTED] 
Sent: Friday, November 18, 2005 3:19 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] IPsec Does Auto Establish work?

what's the point of keeping the tunnel up?  won't either endpoint  
force it to re-establish on demand anyhow?

i know my mobile user IPsec vpn does so from my mac to pfSense.  i'm
fairly certain our remote office VPN also does so, but it is a
LONG haul over an unreliable network, so it is up and down all the
time anyway.





RE: [pfSense Support] IPsec Does Auto Establish work?

2005-11-18 Thread John Cianfarani
LOL same example.
In my potential setup there will be no server at the remote location.
That's why I was looking for a way for pfsense to keep it up.

John

-Original Message-
From: Holger Bauer [mailto:[EMAIL PROTECTED] 
Sent: Friday, November 18, 2005 3:39 PM
To: support@pfsense.com
Subject: AW: [pfSense Support] IPsec Does Auto Establish work?

Just a real-life example: 

I have an IPSEC-Mesh between several locations. Each location has its own VoIP
PBX. The PBXs don't talk to each other unless there is a call. If the tunnel is
down and you try to call a phone at the distant PBX you get a busy before the
tunnel is up (tunnel needs longer to establish than the timeout of the VOIP).
The second call then is working as the tunnel was brought up because of the
first try which failed. There is other traffic from sublocations to main
location only (keeping tunnels from sublocations to mainlocation up, no mesh
traffic) but VOIP is going directly from one location to the other through a
different tunnel between the two locations (which goes down if there are no
calls from time to time).

Solutions:
- adding cronjobs manually (but they don't get backed up with config.xml, so
  exchanging/restoring the router needs recalling these settings)
- using a server in sublocations subnets doing the ping
- using a server in sublocations subnets doing the ping

Holger

 -Original Message-
 From: Scott Ullrich [mailto:[EMAIL PROTECTED]
 Sent: Friday, 18 November 2005 21:22
 To: support@pfsense.com
 Subject: Re: [pfSense Support] IPsec Does Auto Establish work?
 
 
 Exactly.  I really don't see any reason to constantly babysit the
 tunnels.   If its mission critical to keep the tunnels up, there is
 cron.   There are situations where something can be over-engineered
 and this smells exactly of it.
 
 Scott
 
 On 11/18/05, Vivek Khera [EMAIL PROTECTED] wrote:
  what's the point of keeping the tunnel up?  won't either endpoint
  force it to re-establish on demand anyhow?
 
  i know my mobile user IPsec vpn does so from my mac to pfSense.  i'm
  fairly certain our remote office VPN also does so, but it is a
  LONG haul over an unreliable network, so it is up and down all the
  time anyway.
 
 
  
 -
  To unsubscribe, e-mail: [EMAIL PROTECTED]
  For additional commands, e-mail: [EMAIL PROTECTED]
 
 
 
 -
 To unsubscribe, e-mail: [EMAIL PROTECTED]
 For additional commands, e-mail: [EMAIL PROTECTED]
 
 


Virus checked by G DATA AntiVirusKit


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
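The cron-driven ping that Holger and Scott describe, written out as a script. This is an added example for this thread, not pfSense's own code and not posted by anyone in it: the tunnel names, the hosts 10.2.0.1 and 10.3.0.1, the script path and the two-minute cron interval are constructed assumptions, and the ping flags are FreeBSD's because that is what pfSense runs.

```shell
#!/bin/sh
# ipsec_keepalive.sh: keep site-to-site IPsec tunnels established by sending
# one probe packet through each tunnel from cron, so that a VoIP call never
# hits a torn-down tunnel. Added example for this thread; hypothetical names
# and addresses, not pfSense's own code.
#
# Example crontab entry (assumed path), run every two minutes:
#   */2 * * * * /usr/local/bin/ipsec_keepalive.sh

# Constructed tunnel list: one "tunnel-name remote-host" pair per line. The
# host must lie inside the remote phase-2 subnet so the probe matches the
# security policy and triggers negotiation when no SA exists.
TUNNELS="${TUNNELS:-
siteB 10.2.0.1
siteC 10.3.0.1
}"

# Probe command. FreeBSD ping (what pfSense runs): -c 1 packet, -t 3 second
# deadline. Overridable via the environment so the logic can be exercised
# without network access.
PING_CMD="${PING_CMD:-ping -c 1 -t 3}"

# probe NAME HOST: prints "NAME up" or "NAME down"; returns 0 when the probe
# was answered, 1 otherwise.
probe() {
    name=$1
    host=$2
    # PING_CMD is intentionally word-split into command and flags.
    if $PING_CMD "$host" >/dev/null 2>&1; then
        echo "$name up"
        return 0
    fi
    # A first probe after the SA expired is expected to fail: the packet
    # itself makes the IPsec daemon start negotiating, so the next run
    # (or the next real packet) normally goes through.
    echo "$name down"
    return 1
}

# run_all: probes every configured tunnel, one status line each; returns the
# number of tunnels that did not answer (0 means all tunnels are up).
run_all() {
    down=0
    while read -r name host; do
        if [ -n "$name" ]; then
            probe "$name" "$host" || down=$((down + 1))
        fi
    done <<EOF
$TUNNELS
EOF
    return "$down"
}

# Only run when executed as the script itself, so the functions can also be
# sourced (for testing) without sending probes.
if [ "$(basename "$0")" = "ipsec_keepalive.sh" ]; then
    run_all
    exit $?
fi
```

The exit status is the number of tunnels that did not answer, so cron's mail (or a wrapper that logs it) tells you which tunnels were down at each run; the first failed probe after an SA expires is what brings the tunnel back, which is exactly the effect the "first call fails, second call works" description relies on.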



[pfSense Support] IPsec Does Auto Establish work?

2005-11-17 Thread John Cianfarani

Does anyone have IPSec tunnels auto establish working?
I can only seem to get the tunnels to come up when traffic is passing over
them.

Also wondering if there is anything special that needs to be
done to do traffic shaping through an IPSec tunnel?

Thanks

John

[pfSense Support] IPsec Auto establish

2005-11-14 Thread John Cianfarani

Been playing around with creating IPSec tunnels to another
pfSense box and I noticed that I can't seem to get the "Automatically
establish this tunnel" option to work at all.

The connection will come up quite quickly as soon as I push
some traffic over the tunnel but never wants to auto establish.

Side A is configured for mobile clients and is a PC with .86
and Side B is a wrap running .90.

If you need any information to help troubleshoot please let
me know what you would need.

Thanks

John

RE: [pfSense Support] php vs pfsense

2005-10-19 Thread John Cianfarani
I don't see why you couldn't.  I've been able to get perl and several
other things built on it.

You may want to prefix it into a specific directory so that it doesn't
interfere with pfsense's version of php.  I don't know if there are
specific requirements for the php files running the gui.

John

-Original Message-
From: Szasz Revai Endre [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, October 19, 2005 8:42 AM
To: support@pfsense.com
Subject: [pfSense Support] php vs pfsense

Can I make a normal php4 (pkg_add) package work with pfsense?




RE: [pfSense Support] Packages on WRAP

2005-10-17 Thread John Cianfarani

In the future if I need more space on the
wrap platform I was considering the same thing.

John

From: Bill Plein [mailto:[EMAIL PROTECTED] 
Sent: Sunday, October 16, 2005 11:39 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Packages on WRAP

On 10/16/05, John Cianfarani [EMAIL PROTECTED] wrote: 

 Not sure if this is something you care about since you really don't want
 packages installed on the wrap or not.

I haven't voiced this opinion yet, but this is an opportune moment.

Due to the relatively inexpensive prices, I was considering using a 4GB
Minidisk on my Wrap platform. Due to the real disk vs. CompactFlash, the issue
of limited writes goes away (CompactFlash can only accept so many writes over
its lifetime). It may not be fast, but it would be acceptable. 

If I go this route, I will attempt to install a full (LiveCD) version
versus the Embedded version, in order to enable packages and more easily take
advantage of the larger disk.

--
Bill Plein 

[pfSense Support] Packages on WRAP

2005-10-16 Thread John Cianfarani

After installing a bunch of packages on the wrap (got my
nagios-plugins/nrpe to work)

I noticed that it doesn't keep a record of installed packages
in /var/db/pkg like it does on the PC.

I'm guessing this is because /var/db/pkg gets mounted
on /dev/md0

# df /var/db/pkg
Filesystem  1K-blocks  Used  Avail  Capacity  Mounted on
/dev/md0        15598   156  14196        1%  /tmp

Not sure if this is something you care about since you
really don't want packages installed on the wrap or not.

Side question

Now if I wanted to make the nagios nrpe (remote plugin
executor) config editable via the pfSense GUI and saved and such, how do I go about
that?

Thanks

John

RE: [pfSense Support] pfsense from scratch

2005-10-15 Thread John Cianfarani
Do package configurations get merged into the main config.xml file?

John


-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED] 
Sent: Saturday, October 15, 2005 1:24 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] pfsense from scratch

http://pfsense.com/cgi-bin/cvsweb.cgi/pfTiny/  ...  That is the
current source code for our embedded images.

On 10/15/05, Michael Lednev [EMAIL PROTECTED] wrote:
 Hello, Scott.

 On 15 October 2005, 21:17:38 you wrote:

 SU Not as of yet.   We are not even settled on one building system as of
 SU yet.   Hard to document a moving target.

 well, can anyone describe process in not so complete form? :)

 --
 Best regards,
  Michael  mailto:[EMAIL PROTECTED]





RE: [pfSense Support] pfsense from scratch

2005-10-15 Thread John Cianfarani
Should have worded it differently.  The configuration files for each 
application, e.g. dhcpd.conf for dhcpd.

So that when a user backs up their configuration the conf for that application 
would be included.

John

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED] 
Sent: Saturday, October 15, 2005 3:03 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] pfsense from scratch

Package configurations?   We do not support packages on embedded images ATM.

On 10/15/05, John Cianfarani [EMAIL PROTECTED] wrote:
 Do package configurations get merged into the main config.xml file?

 John


 -Original Message-
 From: Scott Ullrich [mailto:[EMAIL PROTECTED]
 Sent: Saturday, October 15, 2005 1:24 PM
 To: support@pfsense.com
 Subject: Re: [pfSense Support] pfsense from scratch

 http://pfsense.com/cgi-bin/cvsweb.cgi/pfTiny/  ...  That is the
 current source code for our embedded images.

 On 10/15/05, Michael Lednev [EMAIL PROTECTED] wrote:
  Hello, Scott.
 
  On 15 October 2005, 21:17:38 you wrote:
 
  SU Not as of yet.   We are not even settled on one building system as of
  SU yet.   Hard to document a moving target.
 
  well, can anyone describe process in not so complete form? :)
 
  --
  Best regards,
   Michael  mailto:[EMAIL PROTECTED]
 
 



[pfSense Support] Wrap console error

2005-10-15 Thread John Cianfarani

Getting this error on my wrap unit that I just installed
today.

g_vfs_done():ad0a[WRITE(offset=56139776, length=8192)]error = 1

Could this have something to do with the fact that I
expanded the image to about 450meg?

Thanks

John

RE: [pfSense Support] Wrap console error

2005-10-15 Thread John Cianfarani
Thanks for the quick reply!

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED] 
Sent: Saturday, October 15, 2005 9:56 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Wrap console error

http://www.mail-archive.com/support@pfsense.com/msg00871.html

On 10/15/05, John Cianfarani [EMAIL PROTECTED] wrote:

 Getting this error on my wrap unit that I just installed today.

 g_vfs_done():ad0a[WRITE(offset=56139776, length=8192)]error = 1

 Could this have something to do with the fact that I expanded the
 image to about 450meg?

 Thanks

 John




RE: [pfSense Support] kern.ipc

2005-10-13 Thread John Cianfarani
Sorry did an upgrade already to 86.4 since I wanted to try to add some
other packages.  Will let you know if it comes back.

John

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED] 
Sent: Thursday, October 13, 2005 9:14 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] kern.ipc

Do this from the shell:

update_file.sh /etc/sysctl.conf

Then reboot.

Scott


On 10/13/05, John Cianfarani [EMAIL PROTECTED] wrote:

 Hey all,

 Posted this before but it's happened again with the version: 84.6

 Will try to upgrade it this week and report if it happens again.

 Has been up for maybe 2 days.

 Getting an error on the console repeating

 kern.ipc.maxpipekva exceeded; see tuning (7)

 Unable to get in via SSH/Console/Web Gui.

 FW is still passing traffic.

 Thanks

 John





[pfSense Support] Resize Wrap image

2005-10-13 Thread John Cianfarani

Is there a way to resize/expand the size of the partition used
on the wrap? I have a 512 Meg card and I'd like to try to add some other
packages onto it like perl and nagios plugins to monitor, but with only 14meg
free it's kinda tough.

I've tried putting it in a machine with a few different partitioning
programs: qtparted on Knoppix, Paragon HD Manager, and one off Ultimate Boot CD
3.3. Most either don't recognize the partition type or don't see
the usb drive.

Any help is appreciated.

Thanks

John

RE: [pfSense Support] Resize Wrap image

2005-10-13 Thread John Cianfarani
Should have looked there first.  Will try that now.

Thanks
John

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED] 
Sent: Thursday, October 13, 2005 9:54 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Resize Wrap image

Use the LiveCD with http://wiki.pfsense.com/wikka.php?wakka=FlashHowTo
to resize.

Scott


On 10/13/05, John Cianfarani [EMAIL PROTECTED] wrote:

 Is there a way to resize/expand the size of partition used on the
 wrap? I have a 512 Meg card and I'd like to try to add some other packages
 onto it like perl and nagios plugins to monitor but with only 14meg free it's
 kinda tough.

 I've tried putting in a machine with a few different partition software
 qtparted on Knoppix, Paragon HD Manager, and one off Ultimate Boot CD 3.3.
 Most either don't recognize the partition type or don't see the usb drive.

 Any help is appreciated.

 Thanks

 John




RE: [pfSense Support] 256MB Wrap Image?

2005-10-07 Thread John Cianfarani
Does that mean we won't be able to add anything at all other than the
base pfSense? Is it possible to try to build stuff ourselves for this?
I was hoping to try to build some nagios agent stuff when my wrap comes
in a couple days.

John

-Original Message-
From: Bill Marquette [mailto:[EMAIL PROTECTED] 
Sent: Friday, October 07, 2005 10:46 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] 256MB Wrap Image?

Hmmm, maybe I'm missing something here.  What's wrong with the 128M
image?  It fits on my 256M flashes w/out problems.  And seeing as the
WRAPs no longer support packages it's kind of pointless to add more
space to them (I think - but then I'm obviously missing something :))

--Bill

On 10/7/05, Michiel de Jager [EMAIL PROTECTED] wrote:
 Maybe someone can mail it also to me :-)
 Same situation here.

 Michiel


 On Thu, 2005-10-06 at 23:02 -0400, Eric M. Faden wrote:
  Does anyone have a 256MB wrap image they can email me? or
  that I can download from somewhere?  I don't actually have
  a FreeBSD box handy to resize the image.
 
  -Eric
 
 



[pfSense Support] Wireless Card Support

2005-10-05 Thread John Cianfarani

Looking to pick up a wrap system and mini-pci wireless. 

I want to pick it up from these people as they are close: http://www.xagyl.com/catalog/index.php?cPath=23osCsid=9f3cbb3facc76b814572962be73cab67

Anyone know if any of those cards are supported? I
checked the hardware list and they are not there; just wondering if maybe it is
outdated.

If they are not, are there any recommended cards?

Thanks

John

RE: [pfSense Support] Output (mwatt) of a minipci wireless card

2005-09-26 Thread John Cianfarani
I agree with you 100%.  If you have sensitive data then yes, it should either be 
going over a wired connection or a secure tunnel/VPN when going over a wireless 
connection.

My point was that adjusting the TX power does serve a purpose though. In many 
situations you want to try to prevent your signal from being broadcast 
farther than needed. Not even for any security reasons but to try to 
prevent APs from causing noise on each other's channel.

John
-Original Message-
From: Frimmel, Ivan (ISS South Africa) [mailto:[EMAIL PROTECTED] 
Sent: Monday, September 26, 2005 3:50 AM
To: support@pfsense.com
Subject: RE: [pfSense Support] Output (mwatt) of a minipci wireless card

My view is that wireless can be considered in the same way as 
the Net is: unsafe. However, generally people on it are uninterested in the data 
passing across it just because of the sheer volume. If you have data that is 
sensitive or you just don't want people to view it, use tunneling; that's what 
IPsec and PPTP were invented for. i.e. leave your APs open and tunnel into your 
own network. 

My view is that lowering TX and using directional antennas is a courtesy thing. 
If you spend time thinking about your design you get better performance because 
you have less noise. 

Ivan.

-Original Message-
From: John Cianfarani [mailto:[EMAIL PROTECTED] 
Sent: Sunday, September 25, 2005 2:56 AM
To: support@pfsense.com
Subject: RE: [pfSense Support] Output (mwatt) of a minipci wireless card


You'll never be safe from someone who wants to get your signal/data.  But for 
typical laptop w/ integrated wireless reducing the power would help reduce the 
range.

You deal with the 99% and try your best to protect yourself from the 1%.

John
-Original Message-
From: Espen Johansen [mailto:[EMAIL PROTECTED] 
Sent: Saturday, September 24, 2005 5:57 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Output (mwatt) of a minipci wireless card

Hi,

I'm sorry but you guys need to read up on wireless.

1: Wireless output power has nothing to do with the range. If the
receiving end uses a high performance antenna they can both talk and listen
to your AP many miles away.

2: High power cards only give you more noise. Stick to a cm-9 type card
with high RX sensitivity. That will give you much better results.

You can not restrict the range of wireless by lowering the output RX power.
Radio LAN can not be restricted this way. It's a 2-way communication, so
anyone with a high gain antenna can both talk and listen to a low powered
AP.

Range for a 100mW card with a 32dBi directional antenna at NLOS is about
120KM, so if you guys think that restricting the TX power is going to keep
you safe from the next door internet café, then you are very much mistaken.

Cheers and good night.

-lsf





RE: [pfSense Support] Output (mwatt) of a minipci wireless card

2005-09-24 Thread John Cianfarani

You'll never be safe from someone who wants to get your signal/data.  But for 
typical laptop w/ integrated wireless reducing the power would help reduce the 
range.

You deal with the 99% and try your best to protect yourself from the 1%.

John
-Original Message-
From: Espen Johansen [mailto:[EMAIL PROTECTED] 
Sent: Saturday, September 24, 2005 5:57 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Output (mwatt) of a minipci wireless card

Hi,

I'm sorry but you guys need to read up on wireless.

1: Wireless output power has nothing to do with the range. If the
receiving end uses a high performance antenna they can both talk and listen
to your AP many miles away.

2: High power cards only give you more noise. Stick to a cm-9 type card
with high RX sensitivity. That will give you much better results.

You can not restrict the range of wireless by lowering the output RX power.
Radio LAN can not be restricted this way. It's a 2-way communication, so
anyone with a high gain antenna can both talk and listen to a low powered
AP.

Range for a 100mW card with a 32dBi directional antenna at NLOS is about
120KM, so if you guys think that restricting the TX power is going to keep
you safe from the next door internet café, then you are very much mistaken.

Cheers and good night.

-lsf





RE: [pfSense Support] Output (mwatt) of a minipci wireless card

2005-09-19 Thread John Cianfarani

 I do not see why to buy a 400mW card and reduce to half the power.

Consider if you ran a hotspot in your
coffee shop: you wouldn't want the signal to be strong enough for
the coffee shop down the street to be able to use your nice strong powerful
signal. Only enough power needed to cover your little area.

Or a better example: if you were deploying
several wireless APs to cover an area you may not want the strong signals from
one to cause noise on another wireless AP.

John

From: Giorgio Ducci [mailto:[EMAIL PROTECTED] 
Sent: Monday, September 19, 2005 9:57 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Output (mwatt) of a minipci wireless card

Hi,

I have the same mPCI card. Yes, as Scott said you can reduce the TX
(Transmission) power in the webgui, under interfaces when you
assign a new one (say OPT1) you can tune the TX power from 0 to 99
%. As you probably already know this card reaches 400mW at 6Mb of transmission
(read spec). I do not see why to buy a 400mW card and reduce to half the
power. Anyway it works fine.
Cheers
Giorgio

On 9/20/05, Michiel de Jager [EMAIL PROTECTED] wrote:

 So if i buy this one:
 http://www.mini-box.com/s.nl/sc.8/category.19/it.A/id.386/.f

 i would be able to reduce the TX power to around 200mwatt? 
 And is this done in a webinterface or do i need to do some 'dirty'
 handwork?

 greetz,
 Michiel de Jager

 On Mon, 2005-09-19 at 14:03 -0400, Scott Ullrich wrote:
  TX Power? Yes.

  Scott 

  On 9/19/05, Michiel de Jager [EMAIL PROTECTED] wrote:
   Hello all,
  
   A little question: is the output power of a minipci wireless card 
   (Atheros) controllable in pfsense?
  
   Greetz,
   Michiel de Jager

RE: [pfSense Support] /rescue directory

2005-09-13 Thread John Cianfarani

I have a version installed under vmware gsx
3.2 as well and I notice the same thing.

John

From: Tommaso Di Donato [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, September 13, 2005 3:40 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] /rescue directory

Hi!
I did a new install, and this is what I obtain:

# df -h
Filesystem     Size    Used   Avail  Capacity  Mounted on
/dev/ad0s1a    496M    437M    19M       96%  /
devfs          1.0K    1.0K     0B      100%  /dev
# du -h /rescue/
356M    /rescue/

The only thing I could imagine is that this is not a real disk, but
a vmware Virtual Machine.. Do you think this could be the reason?

Tom

On 9/12/05, Scott Ullrich [EMAIL PROTECTED] wrote:

 Try a reinstall. All of my boxes are ~3 megs.

 Scott

RE: [pfSense Support] /rescue directory

2005-09-13 Thread John Cianfarani
On my non-vmware system that I have it running on, it looks to do the same thing.

# df -h
Filesystem     Size    Used   Avail  Capacity  Mounted on
/dev/ad0s1a    3.9G    433M    3.1G       12%  /
devfs          1.0K    1.0K      0B      100%  /dev
# du -h /rescue
356M    /rescue


System specs
CPU: Celeron 2.6Ghz
Board: Asus P4P800-MX (All hardware except for NIC is disabled, IDE mode is set 
to compatible)
Memory: 512Meg
CDROM: LG GCE-8526B
HD: WD160GB


John

From: Tommaso Di Donato [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, September 13, 2005 10:48 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] /rescue directory

Ok, not a problem.. The important thing (for me) is to know that in a normal 
installation it is different
On 9/13/05, John Cianfarani  [EMAIL PROTECTED] wrote:
I have a version installed under vmware gsx 3.2 as well and I notice the same 
thing.
 
John
 





RE: [pfSense Support] Plan author of TrafficShaper some explanation of use the traffic shaper?

2005-09-12 Thread John Cianfarani
Did the update_file.sh -all
And now all I get is:

Warning: main(includes/functions.inc.php): failed to open stream: No such file or directory in /usr/local/www/index.php on line 41
Fatal error: main(): Failed opening required 'includes/functions.inc.php' (include_path='.:/etc/inc:/usr/local/www:/usr/local/captiveportal') in /usr/local/www/index.php on line 41

Running build 0.84

John

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED] 
Sent: Monday, September 12, 2005 11:26 PM
To: Robo.K.
Cc: [EMAIL PROTECTED]; support@pfsense.com
Subject: Re: [pfSense Support] Plan author of TrafficShaper some
explanation of use the traffic shaper?

We just amended this Traffic Shaper screens.   Do a update_file.sh
-all or refer to this screenshot for more information: 
http://www.pfsense.com/~sullrich/HFSC2.PNG

Scott


On 9/10/05, Robo.K. [EMAIL PROTECTED] wrote:
  
 Thank you for the very useful explanation. 
 And what do "Parent queue (CBQ or HFSC only)" and "Default queue" mean? 

 For example, if I have a line with 1024kbit/s download. 
 I want to create queues of 64, 128, 256, 284, 384, 512 kbit/s, where I
 want to share just the non-used (at the time) bandwidth between queues. 
 Some example? 
 :-} 

 Thanks. 
 Bob. 
  
  
  
  From: Bill Marquette [mailto:[EMAIL PROTECTED] 
 Sent: Sunday, September 11, 2005 1:57 AM
 To: Robo.K.
 Cc: support@pfsense.com
 Subject: Re: [pfSense Support] Plan author of TrafficShaper some explanation
 of use the traffic shaper?
 
  
 I'm still somewhat working on the shaper and since I've taken about a much
 needed 2 month break from it, I'm going to have to do a little re-education.
 
 Here's a little info right from the pf.conf man page:
 
  The hfsc scheduler supports some additional options:

  realtime sc
      The minimum required bandwidth for the queue.

  upperlimit sc
      The maximum allowed bandwidth for the queue.

  linkshare sc
      The bandwidth share of a backlogged queue.

  sc is an acronym for service curve.

  The format for service curve specifications is (m1, d, m2). m2 controls
  the bandwidth assigned to the queue. m1 and d are optional and can be
  used to control the initial bandwidth assignment. For the first d
  milliseconds the queue gets the bandwidth given as m1, afterwards the value
  given in m2.

 In some cases percentages were easier or more right to enter, in other
 cases the KB values were the right thing to do...the decision for each had
 nothing to do with what valid values for those fields were, but what my
 experience showed as useful.
 
 --Bill
 
 
  
 On 9/10/05, Robo.K. [EMAIL PROTECTED] wrote: 
  
  
  
  Plan author of TrafficShaper some explanation of use the traffic shaper?
  Because one thing is the theory of HFSC and another thing is filling in the boxes
  Upperlimit, Real time, Link share, Parent queue ...? 

  There
  http://wiki.pfsense.com/wikka.php?wakka=HFSCBandwidthShapingNotes
  is some explanation, but not complete. 

  In the boxes Upperlimit, Realtime, Link share three values are used, once
  in percents and once in Kbit/s... What is it for? What is what? 

  Can anybody explain this in more depth? 

  Thank you.
  
  
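Bill's pf.conf excerpt above gives the (m1, d, m2) service-curve format, and Robo asks for a worked example for a 1024 kbit/s line with queues of 64 to 512 kbit/s. The script below is an added example written for this thread; it is not pfSense's shaper code and was not posted by anyone in the thread. It builds the HFSC queue definitions for pf.conf from a constructed queue list and first applies the HFSC admission rule (guarantees must fit under the parent's rate), which is why Robo's six queues, adding up to 1628 kbit/s, cannot all be given as realtime guarantees on a 1024 kbit/s link and must share the spare capacity via linkshare instead. The queue names, the 200 ms burst, the choice of default queue and `$ext_if` are assumptions.

```shell
#!/bin/sh
# hfsc_queues.sh: build the pf.conf ALTQ/HFSC queue set for a list of per-queue
# guarantees and apply the HFSC admission rule before emitting it. Added
# example for this thread; constructed values, not pfSense's shaper code.

# Link bandwidth in Kbit/s: the 1024 kbit/s download line from the thread.
LINK_KB="${LINK_KB:-1024}"

# Constructed queue list: "name realtime_kb" per line. realtime_kb is the
# guaranteed minimum (m2 of the realtime curve); capacity nobody is using is
# then shared via linkshare in proportion to each queue's 'bandwidth'.
QUEUES="${QUEUES:-
q64 64
q128 128
q256 256
}"

# Burst: for the first BURST_MS milliseconds a queue gets m1 = 2 x its
# guarantee, afterwards m2 (the (m1, d, m2) form from the pf.conf excerpt).
BURST_MS="${BURST_MS:-200}"

# Queue that receives traffic matched by no 'queue' rule (assumed choice).
DEFAULT_QUEUE="${DEFAULT_QUEUE:-q64}"

# sum_realtime: prints the total of the m2 guarantees, in Kbit/s.
sum_realtime() {
    total=0
    while read -r name rt; do
        if [ -n "$name" ]; then
            total=$((total + rt))
        fi
    done <<EOF
$QUEUES
EOF
    echo "$total"
}

# queue_names: prints the queue names as a comma-separated list.
queue_names() {
    names=""
    while read -r name rt; do
        if [ -n "$name" ]; then
            names="${names:+$names, }$name"
        fi
    done <<EOF
$QUEUES
EOF
    echo "$names"
}

# check_admission: returns 0 when the realtime curves of all queues fit under
# the link at every point in time, 1 otherwise. HFSC can only honour
# guarantees that add up to at most the parent's rate (pfctl refuses a queue
# set whose child realtime curves exceed the parent's). Both segments are
# checked: the burst segment (2 x m2 during BURST_MS) and m2 itself.
check_admission() {
    total=$(sum_realtime)
    [ "$total" -le "$LINK_KB" ] && [ $((total * 2)) -le "$LINK_KB" ]
}

# emit_pfconf: prints the queue definitions for pf.conf, or prints a
# diagnostic to stderr and returns 1 when the guarantees do not fit.
emit_pfconf() {
    if ! check_admission; then
        total=$(sum_realtime)
        echo "realtime guarantees (${total}Kb, $((total * 2))Kb in burst) exceed link ${LINK_KB}Kb" >&2
        return 1
    fi
    echo "altq on \$ext_if bandwidth ${LINK_KB}Kb hfsc queue { $(queue_names) }"
    while read -r name rt; do
        if [ -n "$name" ]; then
            m1=$((rt * 2))
            # 'bandwidth' is the linkshare weight; 'upperlimit' lets the queue
            # borrow the whole link while the others are idle.
            flags="realtime(${m1}Kb ${BURST_MS} ${rt}Kb) upperlimit ${LINK_KB}Kb"
            if [ "$name" = "$DEFAULT_QUEUE" ]; then
                flags="$flags default"
            fi
            echo "queue $name bandwidth ${rt}Kb hfsc($flags)"
        fi
    done <<EOF
$QUEUES
EOF
}

# Only emit when executed as the script itself, so the functions can also be
# sourced for testing.
if [ "$(basename "$0")" = "hfsc_queues.sh" ]; then
    emit_pfconf
fi
```

Running it with the default list prints an `altq on $ext_if ... hfsc queue { q64, q128, q256 }` line followed by one `queue` line per entry; with Robo's six queues exported in `QUEUES` it refuses, because 1628 Kb of guarantees cannot be honoured on a 1024 Kb link. The part that divides idle capacity, which is what Robo asked for, is the `bandwidth` (linkshare) weight, not the realtime guarantee.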



RE: [pfSense Support] Hang at the end of bootup

2005-09-11 Thread John Cianfarani
Changed to keyboard and mouse and it's working now.

Thanks
John

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED] 
Sent: Sunday, September 11, 2005 12:01 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Hang at the end of bootup

This happens on USB keyboards for some reason.  If you can, use a PC
keyboard.

Scott

On 9/10/05, John Cianfarani [EMAIL PROTECTED] wrote:

 I'm working on install version 0.82.4 / 0.84 and seem to be having some
 troubles.  I have gotten it to work fine under vmware though now that I'm
 trying to move it to a real machine it doesn't seem to like it. 

 Essentially after the LiveCD boots and I do my entire interface
 configuration it comes to the end with "Bootup complete" and then hangs.  

 During the initial load there are few error messages that I can see: 

 This repeats several times: 

 acd0: FAILURE - READ_BIG ILLEGAL REQUEST asc=0x64 ascq=0x00 error=4ABORTED

 A few lines before the option to setup interfaces I get: 

 mount: /: unknown special file or file system 

 No Swap on CDROM 

 After configuring the interfaces there is a line: 

 kbdcontrol: cannot open /dev/ukbd0: Device Busy 

 This and reading some posts in the list made me think the CDROM could be the
 problem, I moved it to the secondary ide and changed the cable, also
 reburned the cd at 4x. 

 I set my dhcp server to statically give out ip to see if I could ssh into it
 but I still could not get it after it hangs. 

 System specs 

 CPU: Celeron 2.6Ghz 
 Board: Asus P4P800-MX (All hardware except for NIC is disabled, IDE mode is
 set to compatible) 
 Memory: 512Meg 
 CDROM: LG GCE-8526B 
 HD: WD160GB 
 Mouse/Keyboard are USB (Gyration) 

 If anyone knows anything else I could try that would be great as I'd like to
 start testing it on a real box. 

 Wish I could post more output but I have no way to copy it out, only
 retyping :( 

 Thanks 

 John Cianfarani 





[pfSense Support] Hang at the end of bootup

2005-09-10 Thread John Cianfarani

I'm working on install version 0.82.4 / 0.84 and seem
to be having some troubles. I have gotten it to work fine under vmware
though now that I'm trying to move it to a real machine it doesn't
seem to like it.

Essentially after the LiveCD boots and I do my entire
interface configuration it comes to the end with "Bootup complete"
and then hangs. 

During the initial load there are few error messages that I
can see:

This repeats several times:

acd0: FAILURE - READ_BIG ILLEGAL REQUEST asc=0x64 ascq=0x00 error=4ABORTED

A few lines before the option to setup interfaces I get:

mount: /: unknown special file or file system

No Swap on CDROM

After configuring the interfaces there is a line:

kbdcontrol: cannot open /dev/ukbd0: Device Busy

This and reading some posts in the list made me think the CDROM
could be the problem, I moved it to the secondary ide and changed the cable,
also reburned the cd at 4x.

I set my dhcp server to statically give out ip to see if I
could ssh into it but I still could not get it after it hangs.

System specs

CPU: Celeron 2.6Ghz
Board: Asus P4P800-MX (All hardware except for NIC is
disabled, IDE mode is set to compatible)
Memory: 512Meg
CDROM: LG GCE-8526B
HD: WD160GB
Mouse/Keyboard are USB (Gyration)

If anyone knows anything else I could try that would be
great as I'd like to start testing it on a real box.

Wish I could post more output but I have no way to copy it
out, only retyping :(

Thanks

John Cianfarani