[pfSense Support] Success Story

2011-08-30 Thread Nathan Eisenberg
It seems like there are always questions and/or complaints on this list, so I 
just wanted to share a success story.

We just returned (this weekend) from running the PC gaming network at Penny 
Arcade eXpo's west coast event.  This is a rather high profile event attended 
by 60,000+ people, with the PC gaming room being divided into two sections - PC 
Freeplay, with Intel powered machines donated by Intel themselves, and BYOC, 
which is more like a regular LAN party where people bring their own rigs.  They 
both share a common internal network (/22) so that they can play games with 
each other.

One of the major issues this event has always faced is bandwidth.  The 
convention center's bandwidth is extraordinarily expensive, so the event is 
only able to afford a 45Mbps connection (for 500-600 gaming PCs).  This 
connection has to support regular web browsing, email, IM, etc, as well as game 
traffic AND game patch traffic (à la Steam and Battle.NET).  Further 
complicating matters, at some points, there are also video streams and 
tournaments with real money riding on them, which have to run smoothly.

Up till now, this has always been accomplished with traffic shaper rules, but 
these are complex, and difficult to explain to others.  They're also not easy 
to adjust in an ad hoc manner.  This year, we tried out the bandwidth limiter 
feature, and basically created different buckets for the protocols and ports we 
wanted to allow.  This made it extremely easy to make sure that there was 
ALWAYS bandwidth available for the PC attached to a projector showing a video 
stream, and that the people playing in the Starcraft 2 tournament had enough 
bandwidth to log on.  It was easy to tweak and adjust as the demands evolved.

So, to whoever built that feature: THANK YOU!

My one bit of feedback: The 'Limiter Info' page is currently *very* hard to 
decipher.  It would be quite nice if there was a readily available breakdown 
(maybe in graph form, too?) of the different limiters and their utilization.

But again, thank you.  This, and the layer-7 rules, rock!

Pics (apologies for the shameless plug - it's the only location that I have 
them available at):
http://www.facebook.com/media/set/?set=a.10150348477738933.398042.102500853932

PS - you can't see it due to the contrast, but on the picture with the rack and 
monitor, that monitor was showing the real-time bandwidth utilization (the SVG 
graph thingy), and people seemed to think that was pretty neat!
PPS - Oh, here's one where you CAN see it, kinda: 
http://hphotos-snc7.fbcdn.net/322411_10150348722388933_102500853932_9609136_7921564_o.jpg

Best Regards,
Nathan Eisenberg



-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org



RE: [pfSense Support] BGP support in 2.0

2011-08-03 Thread Nathan Eisenberg
> Does 2.x have BGP support ?
> We have 2 providers that we wish to connect to via BGP

It does, and it works great.  Multiple production deployments using it to 
advertise routes.  All outbound - not accepting any prefixes inbound, so can't 
speak to how well that works.  If Chris says it works well though, I believe 
him!

Nathan




RE: [pfSense Support] BGP support in 2.0

2011-08-03 Thread Nathan Eisenberg
> I setup one that does both last week, gets full Internet routing table, ~360K
> routes each, from two providers. And advertises their AS.

What about IPv6? ;)




[pfSense Support] RE: Static Routes

2011-07-19 Thread Nathan Eisenberg
I have a 1.2.3-RELEASE box with 32 static routes on it.  No issues!

Nathan

From: Atkins, Dwane P [mailto:atki...@uthscsa.edu]
Sent: Tuesday, July 19, 2011 11:16 AM
To: 'support@pfsense.com'
Subject: [pfSense Support] Static Routes

Afternoon all.

We are running pfsense 1.2.3-RELEASE and having issues with a couple of remote 
sites.

We have a few static route statements.  Each of them is actually part of the 
same subnet and go to the same gateway.  We prefer to have each subnet routed 
individually because it is easier to track in the event of a security related 
incident, bots, etc.

Does this release have any issues with the amount of static routes it can 
handle at one time?  Are there issues with a /20 subnet being routed out a 
specific interface?

Thank you

Dwane


RE: [pfSense Support] Strange TCP connection behavior 2.0 RC2 (+3)

2011-06-28 Thread Nathan Eisenberg
Just to make things simpler, it seems like it might make sense to use a plain 
old linux box on each end.  Test the PFSense element out of the equation, if 
possible, then reintroduce it.






[pfSense Support] Current Production Version

2011-06-17 Thread Nathan Eisenberg
Apologies for the dumb question...  Is the general consensus that 2.0-RC1 is 
production ready, or is 1.2.3 still recommended for production deployments?

Best Regards,
Nathan Eisenberg







RE: [pfSense Support] Current Production Version

2011-06-17 Thread Nathan Eisenberg
> Latest snapshot is your best bet over RC1. RC3 comes this weekend, release
> soon after. There are less than half as many tickets open on
> 2.0 as there were on 1.2.3 when it was released, latest 2.0 has far fewer bugs
> than 1.2.3 (with the possible exception of some packages that maintainers
> haven't updated), granted in both cases they're of the type that are rare to
> encounter.

Just to verify, that would be pfSense-2.0-RC1-i386-20110617-0727.iso.gz, 
correct?





RE: [pfSense Support] www.pfsense.org down?

2011-03-26 Thread Nathan Eisenberg
> Was earlier, switch flaked out. Go figure we replace an ancient
> Cat2924 which are ticking timebombs to fail with a brand new HP managed
> gigabit switch and it flakes out within a month..

At least the HP has a lifetime warranty, where that 2924 will just go into the 
trash when it fails.  :-)





RE: RE: [pfSense Support] Microsoft updates through pfSense

2011-02-23 Thread Nathan Eisenberg
> I doubt it, why would the SSL cause problems unless you denied clients
> authentication, but why would you deny access to your own clients?!?

You probably don't have the ability to sign valid certificates for 
update.microsoft.com.  Since you're redirecting SSL traffic bound for that 
destination, instead of telling the application to talk to the right server, 
the common name is going to be wrong, and the SSL handshake will fail.

Nathan





RE: [pfSense Support] Microsoft updates through pfSense

2011-02-22 Thread Nathan Eisenberg
Almost certainly not.  The update communication is done over an SSL channel and 
specific ports.  Even if you get the ports right, I highly suspect the SSL 
communication will cause problems.

Just build a reg file to point the client boxes at your WSUS/SC server and 
import it.  I've seen this done at dozens of installations, and it works 
flawlessly.

> -Original Message-
> From: James Bensley [mailto:jwbens...@gmail.com]
> Sent: Friday, February 18, 2011 12:57 AM
> To: support@pfsense.com
> Subject: Re: [pfSense Support] Microsoft updates through pfSense
>
> Well I haven't tried it but it could work, perhaps Google it?  Initially I 
> can't see
> why it wouldn't work but I haven't tried it so I can't say for sure.
>
> --James. (This email was sent from a mobile device)






RE: [pfSense Support] IPv6 support

2010-10-31 Thread Nathan Eisenberg
> What I have now does:
> native ipv6 static on wan and lan.
> Ability to add firewall rules for ipv4 and ipv6 on the wan and lan

That's all I need - interface addresses and firewall rules!  Thank you! Thank 
you! Thank you!  Come to Seattle, and I will buy you a beer!

When can I have it? :D

Nathan Eisenberg





RE: [pfSense Support] IPv6 support

2010-10-31 Thread Nathan Eisenberg
> The entire instruction for getting my code are in the forum post, basically 
> just run option 12 from the shell and then playback gitsync. 
> Enter the custom Git url and it should take just 5 minutes.

Cool!  Link to the forum post?  I searched, but did not find.





RE: [pfSense Support] How do I break down a /22 into smaller subnets to use behind(LAN) side of my pfsense box

2010-10-04 Thread Nathan Eisenberg
> -Original Message-
> From: David Burgess [mailto:apt@gmail.com]
> Sent: Monday, October 04, 2010 4:23 PM
> To: support@pfsense.com
> Subject: Re: [pfSense Support] How do I break down a /22 into smaller
> subnets to use behind(LAN) side of my pfsense box
>
> On Mon, Oct 4, 2010 at 5:19 PM, Chris Flugstad ch...@cascadelink.com
> wrote:
>
> > -how to i break up the large block into smaller blocks
>
> Like this?
>
> http://www.vlsm-calc.net/
>
> db

It depends on how it's delivered to you, but typically, your provider will 
allocate a /30 to use for the route between them and your WAN interface, and 
then route (via static routes or a dynamic routing protocol) the /22 to your 
box.  You can then create the various VLAN and physical interfaces for the 
internal network and assign the smaller blocks to each interface.

So, in short, your first step is likely going to be 'talk to your transit 
provider' to get a /30 setup.

To be honest, I wouldn't use a pfsense box to sit in front of a /22 though.  
I'd use a Cisco router, and then slice up the first /26 or /27 into some 
reserved space for /30s.  Then you can use the /30s to route your various 
subnets to multiple PFsense boxes as needed.

By the way, it would be awesome if PFsense supported RFC 3021 and implemented /31 
support... it could be twice as efficient with routing networks.

Best Regards,
Nathan Eisenberg
Atlas Networks | Sr. Systems Administrator
office: 206.577.3078  |  www.atlasnetworks.us
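The carve-up described above, as an added example that is not part of the original post or of pfSense: it reserves the first /26 of a routed /22 for point-to-point links, hands the remainder out as /24s, and compares how many links the reserve yields as /30s versus RFC 3021 /31s. The block 198.51.100.0/22 is a constructed sample, and IPv4 is assumed throughout.

```python
import ipaddress


def plan_block(block, reserve_prefix=26, link_prefix=30, customer_prefix=24):
    """Carve `block`: the first `reserve_prefix` subnet is held back for
    point-to-point links of `link_prefix`, the remainder is handed out as
    `customer_prefix` blocks, and pieces too small for a customer block are
    reported as leftovers. Returns a dict of ip_network objects."""
    net = ipaddress.ip_network(block, strict=True)  # rejects host bits set
    if net.version != 4:
        raise ValueError("IPv4 blocks only (assumption of this example)")
    if not (net.prefixlen <= reserve_prefix <= link_prefix <= 32):
        raise ValueError("reserve/link prefixes must nest inside the block")
    if not (net.prefixlen <= customer_prefix <= 32):
        raise ValueError("customer prefix must fit inside the block")
    reserve = next(net.subnets(new_prefix=reserve_prefix))
    links = list(reserve.subnets(new_prefix=link_prefix))
    customers, leftovers = [], []
    # address_exclude() yields the block minus the reserve as a set of
    # aligned subnets; only pieces at least customer-sized are usable as-is.
    for piece in net.address_exclude(reserve):
        if piece.prefixlen < customer_prefix:
            customers.extend(piece.subnets(new_prefix=customer_prefix))
        elif piece.prefixlen == customer_prefix:
            customers.append(piece)
        else:
            leftovers.append(piece)
    return {
        "block": net,
        "reserve": reserve,
        "links": links,
        "customers": sorted(customers),
        "leftovers": sorted(leftovers),
    }


def usable_per_link(link_prefix):
    """Usable addresses on one point-to-point link. A /30 spends two of its
    four addresses on network and broadcast; RFC 3021 lets a /31 use both,
    which is why the same reserve carries twice as many /31 links."""
    size = 2 ** (32 - link_prefix)
    return size if link_prefix == 31 else size - 2


def describe(plan):
    """Human-readable summary of a plan_block() result."""
    link_len = plan["links"][0].prefixlen
    lines = ["%s: reserve %s for %d x /%d links (%d usable addresses each)" % (
        plan["block"], plan["reserve"], len(plan["links"]), link_len,
        usable_per_link(link_len))]
    lines += ["  customer block: %s" % c for c in plan["customers"]]
    lines += ["  leftover:       %s" % l for l in plan["leftovers"]]
    return "\n".join(lines)


if __name__ == "__main__":
    # 198.51.100.0/22 is a constructed sample block, not a real allocation.
    for link in (30, 31):
        print(describe(plan_block("198.51.100.0/22", link_prefix=link)))
```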


RE: [pfSense Support] How do I break down a /22 into smaller subnets to use behind(LAN) side of my pfsense box

2010-10-04 Thread Nathan Eisenberg
> Let's say you wanted to split your /22 into two /21s.

I can make two /21s out of a single /22?  Sweet jesus, you've solved the IP 
exhaustion crisis!  :-)

Nathan





RE: [pfSense Support] BGP

2010-09-18 Thread Nathan Eisenberg
The interface rebuilds was an absolute killer for me.  I've had to move our 
shared firewall option on our dedicated servers to a different product, because 
every time I added a new customer and vlan, it dropped everyone on that firewall 
for 10 seconds.  Totally untenable.

> -Original Message-
> From: Aarno Aukia [mailto:aarnoau...@gmail.com]
> Sent: Saturday, September 18, 2010 7:28 AM
> To: support@pfsense.com
> Subject: Re: [pfSense Support] BGP
>
> Hello Ermal,
>
> On Sat, Sep 18, 2010 at 14:38, Ermal Luçi ermal.l...@gmail.com wrote:
> > > We had full tables on pfsense for almost 2 years, but have now moved
> > > on to custom openbsd routers for that. Since you only want to use the
> > Any reason you switched to OpenBSD?
>
> Not specifically, I just disliked the way pfsense 1.2.3 handled interface 
> (e.g. vlan
> interface) adds, where it removes all interfaces and rebuilds them again,
> dropping all neighbour sessions. That, and some quirks in the gui with full
> tables (static route add/delete won't work and status-interfaces hangs) and we
> got someone with openbsd know-how led to the decision for the routers. We're
> still running lots of pfsense firewalls though and are happy with them.
>
> Regards,
> Aarno
> --
> Aarno Aukia
> Atrila GmbH
> Switzerland



[pfSense Support] Bug in NAT generator

2010-08-23 Thread Nathan Eisenberg
$natrules .= filter_nat_rules_generate_if($wanif,
    "{$lansa}/{$lancfg['subnet']}", 5060, "", 5060, null, 5060, false);

This line in /etc/inc/filter.inc breaks SIP behind NAT.  It seems to exclude 
5060 from the outbound NAT rules.  Why would you want to do that?  Am I 
misunderstanding what this does?  Changing the ports to something else 
immediately fixes native SIP functionality.

Seems to me like this is:

A) Bad

B)  At least kludgy (random implementation to do one thing only)

C)  Not documented in the code or in the interface that I can find

For my sanity, what would be the clean way of removing that line from 
filter.inc?  I'm not a programmer, so I just changed the numbers to a port I'm 
not using, but I'd rather get rid of it altogether.  ;)

Best Regards,
Nathan Eisenberg


RE: [pfSense Support] asterisk behind pfsense+remote sip clients

2010-08-12 Thread Nathan Eisenberg
> If your Asterisk is setup correctly, the page David pointed you to has the
> solutions to all the common issues. The issue you describe is actually more
> likely to be the firewall/NAT device the phones are behind than the one your
> server is behind, probably have short UDP timeouts and your keepalive isn't
> high enough.

Agreed.

By the by, an easy, if hackish, fix for this tends to be to set the 
registration interval very low on the phones.  This keeps the state 
established.  I have a few environments in homes we service where this is 
literally the only reliable way to punch through the homeowners' NAT (firewalls 
they/we can't control, etc).  I've seen firewalls that need 60 second 
intervals, and some that can handle 5 or 10 minute intervals.  One of my 
platforms has a couple thousand SIP registrations from various phone/ATA 
devices, and the load generated by the registrations is completely nominal.  

On the server side of things, we're not using NAT, just routing.  Still my 
suspicion is that if you're losing registrations over time, it's a session 
state issue at the phone's end - especially if the registrations come back when 
the expire timer runs out (sip show peer xx) and the phone creates a 
new connection to register itself.

Nathan Eisenberg





RE: [pfSense Support] question on blocks SSH connections

2010-08-12 Thread Nathan Eisenberg
Then you need a deny rule on your LAN interface that says 'DENY SOURCE LANNET 
DEST PORT 22'.

> -Original Message-
> From: Cinaed Simson [mailto:cinaed.sim...@gmail.com]
> Sent: Thursday, August 12, 2010 5:14 PM
> To: support@pfsense.com
> Subject: Re: [pfSense Support] question on blocks SSH connections
>
> On 08/12/2010 03:44 PM, Tim Dickson wrote:
> > > I don't know the IP addresses of the SSH servers on the Internet.
> >
> > Then only allow to the SSH servers you know/want?  You can go either
> > way... block all and allow only certain IPs Or allow all, and block
> > certain IPs On 2.0 you can block by OS type too...
>
> I need to block all outbound SSH client connections to the Internet on all 
> open
> outbound ports without interfering with the normal function of those 
> ports.
>
>
> -- Cinaed
>
> --
>
>    We are drowning in information and starving for knowledge.
>
>   - Rutherford D. Roger



RE: [pfSense Support] multi-wan, multi-lan security

2010-08-10 Thread Nathan Eisenberg
> it's definitely worth checking for ipv6 connectivity
> since there's a fair chance its not firewalled off.

I disagree with this statement.  What makes you believe this?

Windows has had built-in, default firewalling for quite some time, as has 
almost every desktop distribution of linux.  SOHO firewalls that don't firewall 
IPv6 don't do so because they're generally not IPv6 capable (see PFSense for an 
example of default-deny IPv6 when $supported=0).  Most ISPs drop the most 
vulnerable Windows ports at their border and often even at the CPE, agnostic of 
addressing protocol.

Nathan Eisenberg





RE: [pfSense Support] multi-wan, multi-lan security

2010-08-10 Thread Nathan Eisenberg
> This is again, assuming that security is in place... when looking at
> security at the perimeter, we must assume there is NO security in
> place. (and adjust for it)
> Is it possible someone disabled the firewall on windows? Absolutely!  ,
> linux? Yes again!
> We can go back and forth on this Ifs, but assuming the worse, and
> preparing for it - is the best (and only) solution.

Tim,

You're missing the point - I'm hardly assuming security is in place.  What I 
objected to was the claim that there will be many V4 hosts with good and 
working firewalls, who will not be protected if addressed by V6.

Will there be a few home users who have a mangled network at layer 1 and get 
screwed by autoconfiguration?  Sure.  Is there going to be an epidemic of hosts 
that have a V4 firewall, but no V6 firewall AND V6 addressability?  Absolutely 
not.  This is a non-issue, and not a very interesting one at that.

Nathan Eisenberg





RE: [pfSense Support] multi-wan, multi-lan security

2010-08-09 Thread Nathan Eisenberg
> thinking aloud...
>
> if your provider provides ipv6 as well as ipv4 and devices on your lan
> are also ipv6, then you're more likely to have a major security
> breach??

It's only really thinking out loud if you include your reasoning, otherwise 
it's more like 'concluding out loud'.

Why do you think that?

Nathan Eisenberg





RE: [pfSense Support] multi-wan, multi-lan security

2010-08-09 Thread Nathan Eisenberg
> people won't be using NAT in an ipv6 network, so they'll have real IPs
> which will contain their MAC addresses, making it much more likely that
> the internet at large will be able to connect to them.

I still don't follow.  NAT is not a security mechanism, and MAC addresses are 
not privileged information.

If you're suggesting that more people will be connecting to the internet 
without a firewall, then I beg to differ (though pfsense doesn't support v6 
yet, and just blocks ipv6 by default).

Adam - While that's certainly true, in my opinion, whether an IP is known or 
unknown is irrelevant to that host's security.

Best Regards,
Nathan Eisenberg





RE: [pfSense Support] multi-wan, multi-lan security

2010-08-06 Thread Nathan Eisenberg
> That's poetry.

It might be, if it were true.  I'm not sure that it is, though.

From a distribution layer (/30 for routing to a firewall from a router), I 
can't think of what you'd need to intentionally do to allow bypass of the 
firewall that has anything to do with VLANs.  If I somehow moved the router 
into one of the 'internal' networks, bypassing the firewall, the router would 
have no route to a host, nor would the host have a route to the router.  The 
only exception would be if you're running a L2 bridging firewall, but then I 
don't think the concept of VLANs is even applicable...

Explain?

Best Regards,
Nathan Eisenberg


RE: [pfSense Support] multi-wan, multi-lan security

2010-08-06 Thread Nathan Eisenberg
> You're missing the entire point. If you have one switch, VLAN 2 is
> your LAN, and VLAN 3 is your unfiltered Internet, and you put both 2
> and 3 untagged on the same port... there ya go. From there the amount
> of damage possible and ease of it happening depends on what kind of
> Internet connection you have.

You lose me right where you say "... there ya go."  How do you propose to get 
your malicious traffic to my vulnerable host?  Yes, it's now on the same layer 
2 domain - but I'm not sure how that can be exploited by an external attacker.

Think of it this way, if you'll accept an analogy:

I have a router that passes 1.1.1.0/30 to my firewall's WAN port.  1.1.2.0/24 
is routed to that IP, so my LAN interface is 1.1.2.1, and I have a host at 
1.1.2.2.  I remove the firewall from the equation and plug my router straight 
into my LAN's physical network.  Find a way to ping 1.1.2.2.

You can't.  My network is, for all external intents and purposes, down.  My 
hosts can't route out.  You can't route in, because my router's sending packets 
to 1.1.1.1, which is down.  Your attack is thwarted by the way that layer 3 
works.

Say I'm not being routed a /24.  Say I'm on Comcast and I have a 192.168.0.0/24 
LAN.  The problem is now even bigger: your carrier, their carrier, and Comcast 
won't route 192.168.0.0/24.

What I'm trying to point out is that there is a difference between real and 
false security.  I don't see a clear, enumerable threat, or any conditions that 
I, an attacker, could use to break in.  There's a lot of real security work to 
do; work that can be explained in terms of technically possible/probable 
vectors.

Whenever someone says "this makes you more secure", I like to ask "Is that 
true?  And if so, what makes it true?".  So, what makes your claim, that using 
VLANs on the same switching fabric for both interfaces of a firewall allows the 
network the firewall protects to be exploited, true?

Best Regards,
Nathan Eisenberg





RE: [pfSense Support] Re: Layer 3-7 Switching

2010-02-18 Thread Nathan Eisenberg
> -Original Message-
> From: Michael Schuh [mailto:michael.sc...@gmail.com]
> Sent: Tuesday, February 16, 2010 5:34 AM
> To: support@pfsense.com
> Subject: Re: [pfSense Support] Re: Layer 3-7 Switching
>
> http://doc.pfsense.org/index.php/Inbound_Load_Balancing

That would be layer 3 load balancing.  There is nothing above layer 3 in this 
design.





RE: [pfSense Support] How to forward protocol 41

2010-02-11 Thread Nathan Eisenberg
> <sarcasm> If you're unhappy with pfSense, simply request a refund.
> </sarcasm>

I disagree with the assumption of this statement: that you have to pay for 
something to have a valid criticism of it.

I'd argue that it is the role of the user to advocate for desired features, 
regardless of what price was paid for the software.  The fact that IPv6 support 
doesn't seem to be finished yet is an issue that gains significance every day.  
While it could probably have been phrased in a more polite way, and possibly with 
more research behind it, 

I do understand the sentiment, though.  I too would like to see more resources 
go towards completing IPv6 support in PFSense.  I am relieved to see and hear 
that efforts are being made to address real IPv6 support, but the day when it 
is done cannot come soon enough.

I have native IPv6 transport today to all of my facilities.  The time of 'IPv6 
is coming' has passed; we have moved into 'IPv6 to the last mile provider and 
consumer is coming', and with Comcast starting last mile IPv6 betas, it's 
looking like we're talking about sooner, rather than later.

Best Regards,
Nathan Eisenberg


[pfSense Support] Ability to summarize # of states/IP

2010-02-03 Thread Nathan Eisenberg
It would be incredibly handy to build a report that summarizes the number of 
states open, grouped by IP.  That way, one could easily identify a DoS origin.

For example, I just had an attacker attempt to open 40,000 simultaneous HTTP 
sessions on one of my servers.  I'd love to be able to see something like this:

Proto   Source      SRC Ports   DST Ports
TCP     10.0.x.x    40,000      1
TCP     74.1.x.x    16          1
TCP     63.5.x.x    10          1
TCP     152.4.x.x   4           1

Best Regards,
Nathan Eisenberg
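The per-source state summary asked for above, as an added example that is not part of the original post or of pfSense: it parses lines in the layout that `pfctl -ss` prints on FreeBSD/pfSense (interface, protocol, endpoints, with a NAT'd entry's pre-translation address in parentheses and IPv6 ports in brackets) and counts states and distinct source and destination ports per source address, so one host holding tens of thousands of states is the first row. The sample lines are constructed, not captured.

```python
import re
from collections import defaultdict

# Shapes of the lines handled (first column is the interface, "all" when the
# state is not bound to one; a NAT'd entry shows the pre-translation address
# in parentheses; IPv6 ports print as addr[port] instead of addr:port):
#   em0 tcp 203.0.113.1:55000 (10.0.0.5:52344) -> 93.184.216.34:443  ESTABLISHED:ESTABLISHED
#   em0 tcp 203.0.113.10:80 <- 198.51.100.7:40001  ESTABLISHED:ESTABLISHED
_STATE_RE = re.compile(
    r"^\s*\S+\s+(?P<proto>\S+)\s+"
    r"(?P<left>\S+)(?:\s+\((?P<left_orig>\S+)\))?\s+"
    r"(?P<dir>->|<-)\s+"
    r"(?P<right>\S+)(?:\s+\((?P<right_orig>\S+)\))?"
)


def split_endpoint(ep):
    """Return (address, port) for 'a.b.c.d:port' or 'v6addr[port]'."""
    if ep.endswith("]"):
        addr, port = ep[:-1].rsplit("[", 1)
    else:
        addr, port = ep.rsplit(":", 1)
    return addr, int(port)


def parse_state(line):
    """Return (proto, src_addr, src_port, dst_addr, dst_port), or None for
    lines that are not state entries (a pasted log may contain warnings)."""
    m = _STATE_RE.match(line)
    if not m:
        return None
    if m["dir"] == "->":
        # Outbound state: the left endpoint is the source; prefer the
        # pre-NAT address so a LAN host is reported by its own IP.
        src = m["left_orig"] or m["left"]
        dst = m["right"]
    else:
        # Inbound state: the remote source is on the right.
        src = m["right_orig"] or m["right"]
        dst = m["left_orig"] or m["left"]
    src_addr, src_port = split_endpoint(src)
    dst_addr, dst_port = split_endpoint(dst)
    return m["proto"], src_addr, src_port, dst_addr, dst_port


def summarize_states(lines):
    """Group states by (protocol, source IP) and count states plus distinct
    source and destination ports. Rows are sorted by state count, descending."""
    states = defaultdict(int)
    src_ports = defaultdict(set)
    dst_ports = defaultdict(set)
    for line in lines:
        parsed = parse_state(line)
        if parsed is None:
            continue
        proto, src_addr, src_port, _dst_addr, dst_port = parsed
        key = (proto, src_addr)
        states[key] += 1
        src_ports[key].add(src_port)
        dst_ports[key].add(dst_port)
    rows = [
        {"proto": proto, "source": src, "states": n,
         "src_ports": len(src_ports[(proto, src)]),
         "dst_ports": len(dst_ports[(proto, src)])}
        for (proto, src), n in states.items()
    ]
    rows.sort(key=lambda r: (-r["states"], r["source"]))
    return rows


def format_report(rows):
    """Render the rows in the column layout the post asks for."""
    fmt = "%-6s %-28s %8s %10s %10s"
    out = [fmt % ("Proto", "Source", "States", "SRC Ports", "DST Ports")]
    for r in rows:
        out.append(fmt % (r["proto"].upper(), r["source"], r["states"],
                          r["src_ports"], r["dst_ports"]))
    return "\n".join(out)


# Constructed sample, not real pfctl output: one remote host holding 40
# states to port 80, a normal visitor, a NAT'd LAN client, a DNS query,
# an IPv6 SSH session and one non-state line that must be ignored.
SAMPLE_STATES = (
    ["em0 tcp 203.0.113.10:80 <- 198.51.100.7:%d  ESTABLISHED:ESTABLISHED" % (40000 + i)
     for i in range(40)]
    + ["em0 tcp 203.0.113.10:443 <- 192.0.2.9:%d  ESTABLISHED:ESTABLISHED" % p
       for p in (50001, 50002, 50003)]
    + [
        "em0 tcp 203.0.113.1:55000 (10.0.0.5:52344) -> 93.184.216.34:443  ESTABLISHED:ESTABLISHED",
        "em0 udp 203.0.113.1:53 <- 192.0.2.9:33333  MULTIPLE:SINGLE",
        "em0 tcp 2001:db8::10[22] <- 2001:db8:1::7[40022]  ESTABLISHED:ESTABLISHED",
        "No ALTQ support in kernel",
    ]
)

if __name__ == "__main__":
    print(format_report(summarize_states(SAMPLE_STATES)))
```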







RE: [pfSense Support] Ability to summarize # of states/IP

2010-02-03 Thread Nathan Eisenberg
And, if I was capable of offering patches, I surely would! :-)

Best Regards,
Nathan Eisenberg


RE: [pfSense Support] Public IP's behind Public IP's

2010-02-03 Thread Nathan Eisenberg
Chris,

Your diagram came through a bit mangled, at least for me.  Time to bust out 
MSPAINT.






RE: [pfSense Support] Route OpenVPN client requests through IPSec tunnel

2010-01-28 Thread Nathan Eisenberg
I'm betting that the machines in the other office do not have a route to get to 
10.99.99.0.  Add a static route to the remote office gateway/IPSec router, 
sending traffic bound for 10.99.99.0/x to your OpenVPN server.  The OpenVPN 
server will know where to send the traffic from there.

Best Regards,
Nathan Eisenberg
Sr. Systems Administrator - Atlas Networks, LLC
office: 206.577.3078 | suncadia: 206.210.5450
www.atlasnetworks.us | www.suncadianet.com

From: Chris Roubekas [mailto:croube...@cnr-web.com]
Sent: Thursday, January 28, 2010 1:00 AM
To: support@pfsense.com
Subject: [pfSense Support] Route OpenVPN client requests through IPSec tunnel

Dear all,

I have recently managed to create an IPSec tunnel between my office and another 
one of the same company.

The network topology is as follows:

MyOffice:

pfSense: LAN 10.100.100.0/255.255.255.0
         WAN: 10.100.99.0/255.255.255.0 (connects to router for internet)
         IPSec tunnel: 192.168.20.0/255.255.255.0 (this is the lan of 
         the other office. I can ping these machines from my local LAN).

RoadWarrior OpenVPN (administered by pfSense).
IP Range: 10.99.99.0

So far RoadWarrior clients can connect to the VPN and use all services on my 
local LAN. The problem is I need the road warrior clients to be able to use the 
machine of the IPSec Tunnel (192.168.20.0) as well.

Any good ideas??
C.




RE: [pfSense Support] Route OpenVPN client requests through IPSec tunnel

2010-01-28 Thread Nathan Eisenberg
I don't know if it's possible.  It's certainly not the right way to do it, 
IMHO.  The other side's administrator really just needs to create a static 
route or accept RIP/BGP/whatever packets from you, so that his router knows how 
to get to your openVPN network.  It might not be under your authority, but you 
at least have enough of a relationship to have an IPSec tunnel, which means 
that something standard like adding a route isn't really out of the question.

It's a simple route problem - don't make it complicated by adding NAT.  If 
you're set on it, or if the other administrator won't work with you, add a NAT 
rule to make traffic originating from your openVPN network appear to come from 
the router's IPsec address.

Best Regards,
Nathan Eisenberg


From: Chris Roubekas [mailto:croube...@cnr-web.com]
Sent: Thursday, January 28, 2010 12:20 PM
To: support@pfsense.com
Subject: RE: [pfSense Support] Route OpenVPN client requests through IPSec 
tunnel

I was told that NATing my OpenVPN clients to local LAN IP would do the trick of 
avoiding the routing from the far side (as far side is not under my authority).
Can anyone tell me how to do this in pfSense??
C.




RE: [pfSense Support] virtual ip

2010-01-15 Thread Nathan Eisenberg
> -Original Message-
> From: a_subscribti...@fiberby.dk [mailto:a_subscribti...@fiberby.dk]
> Sent: Friday, January 15, 2010 2:06 PM
> To: support@pfsense.com
> Subject: [pfSense Support] virtual ip
>
> Hi
>
> I have two questions regarding virtual ip.
>
> 1. Question.
> Imagine a setup where I have /30 as wan ip and routed a /29 public ip
> net to that address.
> I have several lan-interfaces that I want to separate, so that every
> lan net will be natted through its own public ip.
> If I have understood correctly, then I don't need to set up an
> interface with the public ip net, as long as I'm using other VIPs.
> Is that right?
>
> 2. Question.
> Imagine a setup where I have /30 as wan ip and routed a /29 public ip
> net to that address.
> I want to hand some of the public ips directly to servers, and I want
> to use some as virtual ips.
> If I have understood correctly, then I would set up an interface with
> the public ip net. But what vips will I use?
>
> Kind regards Anders


Please don't double post... you asked this question on Wed 1/13/2010 3:59 AM.

Best Regards,
Nathan Eisenberg

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org



RE: [pfSense Support] VLAN Setup

2010-01-10 Thread Nathan Eisenberg
 -Original Message-
 From: David Newman [mailto:dnew...@networktest.com]
 Sent: Sunday, January 10, 2010 9:04 AM
 To: support@pfsense.com
 Subject: Re: [pfSense Support] VLAN Setup
 
 To your original question, I do not see a way to do this on one pfSense
 box.
 
 At least on 1.2.2, each physical interface can be configured with
 multiple VLANs but only one IP address.

To be clear - each VLAN CAN be configured with its own IP address.

Best Regards,
Nathan Eisenberg
Sr. Systems Administrator - Atlas Networks, LLC
office: 206.577.3078 | suncadia: 206.210.5450
www.atlasnetworks.us | www.suncadianet.com







RE: [pfSense Support] 1:1 NAT - bind actual external IP to an optional interface?

2009-12-31 Thread Nathan Eisenberg
Generally, the best way to handle something like this is to actually give the 
host the public IP, and avoid NAT altogether.

However, sometimes, that's not an option, and so you can use the following to 
trick the host into working as expected.

(Note that 192.0.2.x documentation IPs are used - these represent the public 
IPs)

ISP's Gateway: 192.0.2.1/24
Firewall WAN IP: 192.0.2.10/24
Server WAN IP: 192.0.2.11/24

Firewall's LAN IP: 10.0.0.1/24
Server's LAN IP: 10.0.0.11/24
Server's LAN IP #2: 192.0.2.11/32 (note the mask!)

ProxyARP on WAN for 192.0.2.11
Static route on firewall to 192.0.2.11 through 10.0.0.11 on LAN

What you're doing is telling the public switch (via ARP) that the firewall's 
MAC address has 192.0.2.11; therefore, the switch will send that MAC the 
traffic.  The firewall then says that's not me - but I know where it needs 
to go, and I'm a router, so I'll take care of that for you.  It forwards the 
traffic to the internal LAN IP of the server, who says Ah, that IP belongs to 
me, I'll route it internally to myself and accept it.

Bingo Presto - the public IP address is now bound to your internal server, and 
you can address the daemon, which will be listening on that public IP.

Best Regards,
Nathan Eisenberg

From: Karl Fife [mailto:karlf...@gmail.com]
Sent: Thursday, December 31, 2009 6:52 AM
To: support@pfsense.com
Subject: [pfSense Support] 1:1 NAT - bind actual external IP to an optional 
interface?

Like many, I use 1:1 NAT to give one of my public IP address to an internal 
host.  This works great for certain applications where the host (such as 
Asterisk) is 'smart' and can be made aware of the fact that the IP address 
bound to its own network interface differs from the one the outside world sees 
and should direct traffic to.  In the case of Asterisk which must know its 
external IP to properly write SDP headers, Asterisk will look to the configured 
external IP address instead of the one it actually sees bound to its own NIC.  
No problems!

The problem arises when you've got a 'dumber' host that needs to function 
EXACTLY like it has an actual external IP address, but where the traffic needs 
to flow through pfSense (for shaping, policies, IDS/IPS).  I sometimes also 
wish that certain hosts with external addresses NOT have an internal address in 
the event that they become compromised/rooted etc.

Naturally It would be ideal to bind the external IP address directly to an 
optional interface.   My understanding (possibly wrong) is that this was not 
possible (at least) with embedded 1.2-release.   Has anything changed in the 
1.2.1 or .2 or .3 release that would make this possible?  What about in the 2.0 
beta?   If I can make this work (or some creative variant of it) it will 
prevent me from needing to buy a number of juniper routers.

Feedback very much appreciated!
-Karl



[pfSense Support] DHCP question

2009-11-05 Thread Nathan Eisenberg
Any easy way of telling how many DHCP leases are used/remaining in the pool?


RE: [pfSense Support] FTP proxy

2009-11-04 Thread Nathan Eisenberg
From: cbuech...@gmail.com [mailto:cbuech...@gmail.com] On Behalf Of Chris 
Buechler
Sent: Thursday, October 08, 2009 6:26 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] FTP proxy


On Thu, Oct 8, 2009 at 9:23 PM, Nathan Eisenberg nat...@atlasnetworks.us 
wrote:
Been banging my head on the FTP proxy for a little while on a box that has a 
lot of 1:1 NAT – finally did a dump of the PF ruleset, and saw this little gem.
 
What’s goin on?  ;)  How can I… not have this rule?

That's not related to your problem. FTP proxy can't work with 1:1 NAT. 


Sorry for bringing this back up – what’s the correct way to implement an FTP 
server behind a 1:1 NAT and not receive 500 Illegal PORT command?  I don’t care 
if it uses the proxy, I just want incoming FTP connections to work.  ☺

Best Regards,
Nathan Eisenberg
Sr. Systems Administrator - Atlas Networks, LLC
office: 206.577.3078 | suncadia: 206.210.5450
www.atlasnetworks.us | www.suncadianet.com


RE: [pfSense Support] Public ip bgp routing

2009-10-19 Thread Nathan Eisenberg
 -Original Message-
 From: Evgeny Yurchenko [mailto:evg.yu...@rogers.com]
 Sent: Monday, October 19, 2009 7:32 AM
 To: support@pfsense.com
 Subject: Re: [pfSense Support] Public ip bgp routing
 
 Chris Flugstad - Mobile wrote:
  So I've routed public IPs behind pfSense but now I want to route
 blocks of IPs over our 2 BGP'd carriers
 
  Anyone have a place to start?
  I will have only 1 interface on the local side and will need multiple
 blocks off that.  Plus setting up so a block can route off another
 block
 
  Thanks
  topher
 
 What is the problem? You can send as many route blocks as you wish.

Yea, I don't think there's a problem with it.  It should just work, BGP isn't a 
terribly complicated protocol.

But the BGP implementation in PFSense needs further development - the web 
interface for it has bugs, and I'm not sure if the daemon recognizes iBGP vs 
eBGP (same AS# vs external), or public AS numbers vs Private.  Route reflectors 
are also incredibly useful in the BGP world - and they're nowhere to be found 
in the implementation.

And what good is a border gateway protocol (BGP) without an internal gateway 
protocol (IGP) to manage the internal routing?  And no, RIP doesn't count as an 
IGP these days.  :-)

An OSPF or ISIS implementation would be sweet - it would bring the platform 
closer to Cisco/Quagga/etc in terms of routing functionality (functionality - 
not performance).  I would love to be able to build a highly available routing 
infrastructure around PFSense, instead of being limited to using it as a stub 
gateway/firewall.  And even then, it would be nice...

Best Regards,
Nathan Eisenberg





RE: [pfSense Support] Public ip bgp routing

2009-10-19 Thread Nathan Eisenberg
 -Original Message-
 From: Evgeny Yurchenko [mailto:evg.yu...@rogers.com]
 Sent: Monday, October 19, 2009 11:16 AM
 To: support@pfsense.com
 Subject: Re: [pfSense Support] Public ip bgp routing
 
 Nathan Eisenberg wrote:
  But the BGP implementation in PFSense needs further development - the
 web interface for it has bugs, and I'm not sure if the daemon
 recognizes iBGP vs eBGP (same AS# vs external), or public AS numbers vs
 Private.  Route reflectors are also incredibly useful in the BGP world
 - and they're nowhere to be found in the implementation.
 
 Daemon recognizes iBGP vs eBGP. Sorry, I do not know what route
 reflector is.

That's good to know.  There are still some unfortunate WebGUI bugs, though, and 
the lack of an IGP is a showstopper.

http://en.wikipedia.org/wiki/Route_reflector
http://www.networkliquidators.com/article-cisco-ccnp-bsci-certification-bgp-route-reflector-tutorial.asp

If you have 5 routers connected to a backbone, and each of them is receiving 
networks, you have a couple options.  You can peer all of the routers in a full 
logical mesh, and when you add a 6th router, add peering to every other IBGP 
router and 5 peerings to the new router.  This becomes absolutely 
unmaintainable when you are looking at more like 50 or 100 routers.  A route 
reflector fixes this problem.

'
* If a route is received from nonclient peer, reflect to clients only.
* If a route is received from a client peer, reflect to all nonclient peers and 
also to client peers, except the originator of the route.
* If a route is received from an EBGP peer, reflect to all client and nonclient 
peers.
'

There's a lot of doc. out there on this, because it's such a pain reliever.

Best Regards,
Nathan Eisenberg


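As an added illustration (not code from the thread, pfSense or OpenBGPD), the three reflection rules quoted above are written out as a function below, together with the session-count arithmetic behind the "full mesh becomes unmaintainable" point. Peer names are constructed for the example; only iBGP reflection is modelled, and what an eBGP peer receives is ordinary export policy rather than reflection.

```python
"""Added example (not from the thread): the three route-reflector rules quoted
above as a function, plus the session-count arithmetic behind the
'full mesh becomes unmaintainable' argument.  Peer names are constructed."""
from enum import Enum


class Peer(Enum):
    CLIENT = "client"        # iBGP peer configured as a reflector client
    NONCLIENT = "nonclient"  # ordinary iBGP peer (not a client)
    EBGP = "ebgp"            # external peer


def reflect_targets(origin, peers):
    """Peers to which a route learned from `origin` is reflected.
    peers: dict peer name -> Peer.  Only iBGP reflection is modelled; what is
    advertised to eBGP peers is ordinary export policy, not reflection."""
    kind = peers[origin]
    if kind is Peer.NONCLIENT:                     # rule 1: nonclient -> clients only
        return {p for p, t in peers.items() if t is Peer.CLIENT}
    if kind is Peer.CLIENT:                        # rule 2: client -> everyone but the originator
        return {p for p, t in peers.items()
                if t in (Peer.CLIENT, Peer.NONCLIENT) and p != origin}
    return {p for p, t in peers.items()            # rule 3: eBGP -> all clients and nonclients
            if t in (Peer.CLIENT, Peer.NONCLIENT)}


def ibgp_sessions(routers, reflector=False):
    """iBGP sessions needed: a full mesh is n(n-1)/2, a single reflector needs n-1."""
    return routers - 1 if reflector else routers * (routers - 1) // 2


# Constructed topology: two reflector clients, two core (nonclient) routers, one upstream.
PEERS = {"edge-a": Peer.CLIENT, "edge-b": Peer.CLIENT,
         "core-1": Peer.NONCLIENT, "core-2": Peer.NONCLIENT,
         "upstream": Peer.EBGP}

if __name__ == "__main__":
    for origin in PEERS:
        print(f"from {origin:9} -> {sorted(reflect_targets(origin, PEERS))}")
    print("6 routers, full mesh:", ibgp_sessions(6), "with reflector:", ibgp_sessions(6, True))
```

Running it shows the 6-router case from the post (15 sessions meshed, 5 with a reflector) and the 50-router case, which is where the mesh count stops being something anyone wants to maintain by hand.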



RE: [pfSense Support] potential pfsense hardware

2009-10-16 Thread Nathan Eisenberg
Newegg says the board only has a PCI-Ex8 slot.  I'm not sure which board that 
would be, as all the Atom boards I've seen are PCI-only.

Re: Noise - In my experience, Atom servers can run without chassis fans - they 
only need the CPU fan and the PSU fan.

Nice find.  I love the Atom platform.

Best Regards,
Nathan Eisenberg






RE: [pfSense Support] potential pfsense hardware

2009-10-14 Thread Nathan Eisenberg
The D945 chipset works with PFSense - I see no reason why it wouldn't work.

Best Regards,
Nathan Eisenberg
Sr. Systems Administrator - Atlas Networks, LLC
office: 206.577.3078 | suncadia: 206.210.5450
www.atlasnetworks.us | www.suncadianet.com


 -Original Message-
 From: Jeppe Øland [mailto:jol...@gmail.com]
 Sent: Wednesday, October 14, 2009 4:52 PM
 To: support@pfsense.com
 Subject: Re: [pfSense Support] potential pfsense hardware
 
 On Thu, Aug 27, 2009 at 1:27 PM, Jim Pingle li...@pingle.org wrote:
  Ryan wrote:
  I'm thinking about picking up a Supermicro Atom based system
  for use with pfSense:
 
 Has anybody tried pfSense with a board like this?
 http://www.avalue.com.tw/products/ECM-945GSE.cfm
 
 Regards,
 -Jeppe
 



[pfSense Support] FTP proxy

2009-10-08 Thread Nathan Eisenberg
Been banging my head on the FTP proxy for a little while on a box that has a 
lot of 1:1 NAT - finally did a dump of the PF ruleset, and saw this little gem.

What's goin on?  ;)  How can I... not have this rule?

no rdr on fxp0 proto tcp from <onetoonelist> to any port = ftp

Nathan Eisenberg
Sr. Systems Administrator - Atlas Networks, LLC
office: 206.577.3078   |  suncadia: 206.210.5450
www.atlasnetworks.us | www.suncadianet.com


RE: [pfSense Support] Wierd issue with 1:1 NAT

2009-10-02 Thread Nathan Eisenberg
 -Original Message-
 From: cbuech...@gmail.com [mailto:cbuech...@gmail.com] On Behalf Of
 Chris Buechler
 Sent: Thursday, October 01, 2009 10:34 PM
 To: support@pfsense.com
 Subject: Re: [pfSense Support] Wierd issue with 1:1 NAT
 
 
 Using Squid?
 http://doc.pfsense.org/index.php/Why_does_my_system_using_1:1_NAT_still
 _appear_to_access_the_web_via_the_pfSense_router%27s_WAN_IP%3F
 

Bingo.  Obvious in retrospect.  Thanks!

Best Regards,
Nathan Eisenberg
Sr. Systems Administrator - Atlas Networks, LLC
office: 206.577.3078 | suncadia: 206.210.5450
www.atlasnetworks.us | www.suncadianet.com





[pfSense Support] Load Balanced Passive FTP?

2009-10-01 Thread Nathan Eisenberg
Is there a way to load balance a range of ports with one rule?  For example, I 
have a 100 port passive FTP range defined.  Do I have to create 100 load 
balancer rules?

1.2.3

Best Regards,
Nathan Eisenberg
Sr. Systems Administrator - Atlas Networks, LLC
office: 206.577.3078 | suncadia: 206.210.5450
www.atlasnetworks.us | www.suncadianet.com


RE: [pfSense Support] Load Balanced Passive FTP?

2009-10-01 Thread Nathan Eisenberg

 -Original Message-
 From: Chris Buechler [mailto:cbuech...@gmail.com]
 Sent: Thursday, October 01, 2009 2:58 PM
 To: support@pfsense.com
 Subject: Re: [pfSense Support] Load Balanced Passive FTP?
 
 On Thu, Oct 1, 2009 at 4:57 PM, Nathan Eisenberg
 nat...@atlasnetworks.us wrote:
  Is there a way to load balance a range of ports with one rule?
 
 Same way you load balance one port. Create a rule that specifies the
 range.
 

Not sure I follow... If I go to set up a new pool with a port-range, I get :

'The following input errors were detected:
* The port must be an integer between 1 and 65535.'

Best Regards,
Nathan Eisenberg






RE: [pfSense Support] Load Balanced Passive FTP?

2009-10-01 Thread Nathan Eisenberg
 -Original Message-
 From: Chris Buechler [mailto:cbuech...@gmail.com]
 Sent: Thursday, October 01, 2009 4:24 PM
 To: support@pfsense.com
 Subject: Re: [pfSense Support] Load Balanced Passive FTP?
 
 Oh, for inbound load balancing, I thought you meant outbound. No, no
 way to do that for a range without putting in one for each port. You
 can't balance passive FTP port range like that anyway, there's no
 correspondence between the state on the control channel and the data
 channel, they would likely end up going to different servers.

Yep - inbound!  While I respect the marvel that is PFSense's outbound load 
balancing, I prefer using BGP costs and IS-IS weights at the router.  By the 
way, when will PFSense support OSPF and IS-IS?  ;)

On topic - failover mode (as opposed to load balanced mode) should work 
correctly if I can get the virtual servers set up, correct?

This is one more reason why FTP sucks.  Not that the world needed another one.

Best Regards,
Nathan Eisenberg
Sr. Systems Administrator - Atlas Networks, LLC
office: 206.577.3078 | suncadia: 206.210.5450
www.atlasnetworks.us | www.suncadianet.com





[pfSense Support] Wierd issue with 1:1 NAT

2009-10-01 Thread Nathan Eisenberg
Hey,

I've not had this problem before - I have a PFSense firewall with a lot of 1:1 
NATs.  For almost every outbound connection, the traffic seems to originate 
from the correct IP.  For example, if I SSH from behind the firewall to a 
server outside of the firewall, and then use 'last', I see the 1:1 IP.  
However, if I visit a web site, like http://whatismyip.com, I get the IP 
address of the firewall.  Very odd...

Thoughts?

Best Regards,
Nathan Eisenberg
Sr. Systems Administrator - Atlas Networks, LLC
office: 206.577.3078 | suncadia: 206.210.5450
www.atlasnetworks.us | www.suncadianet.com


RE: [pfSense Support] NAT and Bridge on the same box

2009-09-28 Thread Nathan Eisenberg
There's a number of ways to do this.

The right way is to have a separate network between your router and firewall, 
and then have the routes for your production network in your router.  IE:

Router          Firewall        Server
1.1.1.2/31      1.1.1.3/31      5.0.0.2/24
                5.0.0.1/24

The Router's routing table would look like this:
Destination     Netmask           Gateway
5.0.0.0         255.255.255.0     1.1.1.3

This, of course, eliminates the need to NAT anything.

Another way of doing this is to use 1:1 NAT and put the public IPs on loopback 
adapters on the servers.  This is ugly, but it works.

IE:

Router          Firewall          Server
5.0.0.1/24      5.0.0.2/24        192.168.1.2/24
                192.168.1.1/24    5.0.0.3/32 (255.255.255.255)

The server needs to have IP forwarding turned on, and the firewall needs a 
proxy ARP IP for 5.0.0.3.  You also want to create static routes on the 
firewall's internal interface that look like this:

Destination     Netmask           Gateway
5.0.0.3         255.255.255.255   192.168.1.2

This means that internal traffic that tries to get 'out' to the public IP of 
the server will be routed to the private IP of the server - which will then 
forward it to the loopback interface.  Note that you'll also have to put some 
special firewall rules on the WAN interface to allow traffic from 192.168.1.2 
to get to 5.0.0.3 through it.

Best Regards,
Nathan Eisenberg
Sr. Systems Administrator - Atlas Networks, LLC
office: 206.577.3078 | suncadia: 206.210.5450
www.atlasnetworks.us | www.suncadianet.com


-Original Message-
From: Curtis LaMasters [mailto:curtislamast...@gmail.com] 
Sent: Monday, September 28, 2009 1:02 PM
To: support@pfsense.com
Subject: [pfSense Support] NAT and Bridge on the same box

I have a need to provide NAT for the majority of our services and also
assign public IP's to our customers.  My question is, can I do
bridging and NAT on the same server?  I.E. can I have my WAN interface
with all its virtual IPs continue to map to my internal VLANs and
then have a separate VLAN(s) bridge and be able to deliver public IPs
to those customers?

Is it as simple as setting the bridge with WAN on that interface and
then assigning IP's?  Sorry if this has been covered in the past.

Curtis LaMasters
http://www.curtis-lamasters.com
http://www.builtnetworks.com

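The second design in this reply and the one in the earlier "1:1 NAT - bind actual external IP to an optional interface?" thread are the same trick: the firewall proxy-ARPs the public address on WAN, the server holds that address as a /32 on a loopback, and a static /32 route on the firewall points at the server's private address. As an added example (not from either post, and not pfSense code), the following Python models the longest-prefix-match lookups that make it work, using the addresses from the second diagram above. Node and interface names and the LAN host 192.168.1.50 are constructed.

```python
"""Added example (not from the thread or pfSense): longest-prefix-match
simulation of the proxy-ARP + /32-on-loopback design.  Addresses follow the
second diagram in the post; node and interface names are constructed."""
from ipaddress import ip_address, ip_network


class Node:
    """A host or router.  ifaces maps interface name -> L2 segment name;
    routes are (prefix, next_hop or None for on-link, interface);
    proxy_arp maps interface name -> addresses answered on behalf of others."""

    def __init__(self, name, ifaces, addrs, routes, proxy_arp=None):
        self.name = name
        self.ifaces = ifaces
        self.addrs = {ip_address(a) for a in addrs}
        self.proxy_arp = {ifn: {ip_address(a) for a in alist}
                          for ifn, alist in (proxy_arp or {}).items()}
        self.routes = [(ip_network(p), None if nh is None else ip_address(nh), ifn)
                       for p, nh, ifn in routes]

    def lookup(self, dst):
        """Longest-prefix match: returns (action, next_hop, interface)."""
        if dst in self.addrs:
            return "local", None, "lo0"
        candidates = [r for r in self.routes if dst in r[0]]
        if not candidates:
            return "drop", None, None
        _, nh, ifn = max(candidates, key=lambda r: r[0].prefixlen)
        return "forward", (dst if nh is None else nh), ifn

    def answers_arp(self, addr, segment):
        """Would this node answer ARP for addr on the given segment?"""
        return any(seg == segment and (addr in self.addrs or addr in self.proxy_arp.get(ifn, ()))
                   for ifn, seg in self.ifaces.items())


def trace(nodes, start, dst, max_hops=6):
    """Walk a packet from node `start` towards `dst`; returns (path, disposition)."""
    dst = ip_address(dst)
    node, path = nodes[start], [start]
    for _ in range(max_hops):
        action, nh, ifn = node.lookup(dst)
        if action != "forward":
            return path, action
        segment = node.ifaces[ifn]
        nxt = next((n for n in nodes.values()
                    if n is not node and n.answers_arp(nh, segment)), None)
        if nxt is None:                      # nobody on that segment owns or proxies the hop
            return path, f"unresolved {nh} on {segment}"
        node = nxt
        path.append(node.name)
    return path, "loop"


def build(static_route=True):
    """Topology from the post: router 5.0.0.1, firewall 5.0.0.2/192.168.1.1,
    server 192.168.1.2 with 5.0.0.3/32 on loopback.  A LAN host (constructed,
    192.168.1.50) stands in for 'internal traffic' to the public IP."""
    inside = [("192.168.1.0/24", None, "em0"), ("0.0.0.0/0", "192.168.1.1", "em0")]
    fw_routes = [("5.0.0.0/24", None, "wan"), ("192.168.1.0/24", None, "lan"),
                 ("0.0.0.0/0", "5.0.0.1", "wan")]
    if static_route:                         # the static route the post says to add
        fw_routes.append(("5.0.0.3/32", "192.168.1.2", "lan"))
    return {
        "router": Node("router", {"pub": "public"}, ["5.0.0.1"], [("5.0.0.0/24", None, "pub")]),
        "firewall": Node("firewall", {"wan": "public", "lan": "inside"},
                         ["5.0.0.2", "192.168.1.1"], fw_routes,
                         proxy_arp={"wan": ["5.0.0.3"]}),
        "server": Node("server", {"em0": "inside"}, ["192.168.1.2", "5.0.0.3"], inside),
        "lanhost": Node("lanhost", {"em0": "inside"}, ["192.168.1.50"], inside),
    }


if __name__ == "__main__":
    print(trace(build(), "router", "5.0.0.3"))                      # inbound from the internet
    print(trace(build(), "lanhost", "5.0.0.3"))                     # internal traffic to the public IP
    print(trace(build(static_route=False), "router", "5.0.0.3"))    # why the static route matters
```

The third trace is the check worth keeping in mind: without the /32 static route the firewall's best match for 5.0.0.3 is its own on-link WAN /24, so it tries to resolve the address on the public segment, where the only thing answering for it is the firewall itself, and the packet goes nowhere. The firewall rules the reply mentions (permitting 192.168.1.2 to 5.0.0.3 on WAN) govern the policy side and are not modelled here.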









[pfSense Support] Crazy Session State requirement

2009-09-18 Thread Nathan Eisenberg
Knee deep in a deployment of a load balanced web application, I've run into a 
bizarre requirement.

I have a HA PFSense cluster with 5 SSL load balanced virtual hosts, listening 
on IPs x.x.x.10-x.x.x.14.  These map back to 3 backend web servers serving 
xxx1.com-xxx5.com.  I've used this design many times, and never had a problem.

However, this application has some crazy cookie stuff built in.  Basically, a 
client may connect to xxx1.com, log in, browse some content, and then browse to 
xxx2.com.  Since these are separate load balanced virtual servers, the PF state 
tracking mechanism doesn't force the client to go to the same backend server, 
which means that the session information is inconsistent and the application 
breaks.

So, what I suppose I really need is a way of forcing the connection states to 
be per-source IP, rather than per source/dest.  Is this possible?  If not, 
other workaround suggestions would be lovely!

Thanks guys,
Nathan
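
As an added illustration of the behaviour this post describes (not pf's code, and not an answer to whether a given release keys its sticky table per pool or per source), the following Python contrasts a balancer that keys state on (client, VIP) with one that keeps a single per-client mapping reused across every VIP. The VIPs follow the post (.10 through .14, with 198.51.100 standing in for x.x.x); backend and client names are constructed.

```python
"""Added example (not from the thread, not pf's implementation): two ways a
load balancer can pick a backend for a client, contrasting the per-flow
behaviour described in the post with a per-source mapping.  VIPs follow the
post (x.x.x.10-x.x.x.14 with 198.51.100 for x.x.x); backends and clients are
constructed."""

BACKENDS = ["10.0.0.21", "10.0.0.22", "10.0.0.23"]          # the 3 backend web servers
VIPS = [f"198.51.100.{n}" for n in range(10, 15)]           # the 5 virtual servers


class PerFlowRoundRobin:
    """Each virtual server keeps its own rotation; selection is per
    (client, VIP), so a client landing on a second VIP is balanced afresh."""

    def __init__(self, backends):
        self.backends = backends
        self._cursor = {}

    def select(self, client, vip):
        i = self._cursor.get(vip, 0)
        self._cursor[vip] = i + 1
        return self.backends[i % len(self.backends)]


class PerSourceSticky:
    """The first backend chosen for a client is remembered and reused for
    every VIP, which is what the application's shared session needs."""

    def __init__(self, backends):
        self._inner = PerFlowRoundRobin(backends)
        self._table = {}

    def select(self, client, vip):
        if client not in self._table:
            self._table[client] = self._inner.select(client, "shared")
        return self._table[client]


def backends_seen(policy, connections):
    """Map each client to the set of backends it reached over `connections`."""
    seen = {}
    for client, vip in connections:
        seen.setdefault(client, set()).add(policy.select(client, vip))
    return seen


# Constructed: client A logs in on the first site while client B is active,
# then A follows links to the second and third sites.
CONNECTIONS = [("c-b", VIPS[0]), ("c-a", VIPS[0]), ("c-a", VIPS[1]),
               ("c-b", VIPS[1]), ("c-a", VIPS[2])]

if __name__ == "__main__":
    print("per-flow:  ", backends_seen(PerFlowRoundRobin(BACKENDS), CONNECTIONS))
    print("per-source:", backends_seen(PerSourceSticky(BACKENDS), CONNECTIONS))
```

With per-flow selection client A reaches two different backends across the sites, which is exactly the inconsistent-session failure described; with the per-source mapping every client sees one backend no matter which VIP it hits.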


RE: [pfSense Support] Crazy Session State requirement

2009-09-18 Thread Nathan Eisenberg
 -Original Message-
 From: Ermal Luçi [mailto:ermal.l...@gmail.com]
 Sent: Friday, September 18, 2009 10:26 AM
 To: support@pfsense.com
 Subject: Re: [pfSense Support] Crazy Session State requirement
 
 Activate sticky option on 1.2.3-RC* installations.
 
 --
 Ermal

To confirm - the sticky behavior in 1.2.3-RC3 is different than in 1.2.2?

Is there any documentation on this change that I can take a look at?





RE: [pfSense Support] Debugging CARP/XMLRPC Sync

2009-08-31 Thread Nathan Eisenberg
What I found was that the configuration files weren't being updated for some 
reason - even when I disabled sync entirely on both firewalls, it was still 
attempting to synchronize and failing.  

I reset all the passwords, everywhere, and things were still broken.  I ended 
up resetting both firewalls to factory defaults, which obviously fixed the 
problem.  But there is definitely a bug lurking there - sadly, I can't provide 
exact repro steps.

Best Regards
Nathan Eisenberg
Sr. Systems Administrator
Atlas Networks, LLC






[pfSense Support] Debugging CARP/XMLRPC Sync

2009-08-30 Thread Nathan Eisenberg
Is there a known bug in 1.2.2 where if you change the password on both systems 
AFTER setting up XMLRPC, you experience 801 authentication issues - even if you 
update the password in the CARP configuration?  This is what I'm experiencing, 
and it's driving me nuts.  :)

Debugging suggestions?

Best Regards
Nathan Eisenberg
Sr. Systems Administrator
Atlas Networks, LLC
supp...@atlasnetworks.us
http://support.atlasnetworks.us/portal


RE: [pfSense Support] GBE toe

2009-08-26 Thread Nathan Eisenberg
FWIW - I have not been able to get these to work in PFSense -at all-.

http://www.newegg.com/Product/Product.aspx?Item=N82E16833106019
http://www.newegg.com/Product/Product.aspx?Item=N82E16833106018
http://www.newegg.com/Product/Product.aspx?Item=N82E16833106003

Nathan






RE: [pfSense Support] GBE toe

2009-08-26 Thread Nathan Eisenberg
Looks like it was 1.2.1 when I tried: 
http://www.mail-archive.com/support@pfsense.com/msg15181.html

Best Regards
Nathan Eisenberg
Sr. Systems Administrator
Atlas Networks, LLC
supp...@atlasnetworks.us
http://support.atlasnetworks.us/portal

From: David Burgess [mailto:apt@gmail.com]
Sent: Wednesday, August 26, 2009 8:22 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] GBE toe

On Wed, Aug 26, 2009 at 9:12 AM, Nathan Eisenberg nat...@atlasnetworks.us 
wrote:
FWIW - I have not been able to get these to work in PFSense -at all-.

http://www.newegg.com/Product/Product.aspx?Item=N82E16833106019
http://www.newegg.com/Product/Product.aspx?Item=N82E16833106018
http://www.newegg.com/Product/Product.aspx?Item=N82E16833106003

Which versions of pfsense did you try them in?

db


RE: [pfSense Support] OpenBGPD

2009-08-22 Thread Nathan Eisenberg
 -Original Message-
 From: Evgeny Yurchenko [mailto:evg.yu...@rogers.com]
 Sent: Saturday, August 22, 2009 7:24 AM
 To: support@pfsense.com
 Subject: Re: [pfSense Support] OpenBGPD
 
 There was a bounty http://forum.pfsense.org/index.php/topic,8480.0.html
 requesting many improvements for OpenBGPD package but it showed lack of
 interest from public.
 
 Eugene.
 
 -

Looks like someone else is offering to reopen it.  If the original posters come 
back, that's an $800 bounty.  Not bad!  :)

http://forum.pfsense.org/index.php/topic,15785.0.html

Best Regards,
Nathan Eisenberg





[pfSense Support] OpenBGPD

2009-08-21 Thread Nathan Eisenberg
After seeing the flurry of commits to this package, I was curious, and tried it 
out with a half dozen VMs in a basic 'core and border' setup.

I'd like to play with it a bit more and see what it's really capable of.  Are 
there any good guides out there on using openBGPD, maybe even specific to 
pfSense?  One thing I couldn't figure out how to do is restricting 
announcements.  

For example, my upstream carriers restrict my BGP announces so that I can't 
announce networks that don't belong to me, like 74.125.0.0/16, and steal 
Google's traffic. :-)

Thank You,
Nathan Eisenberg
Sr. Systems Administrator
Atlas Networks, LLC




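The announcement restriction asked about here is an export filter: only prefixes you actually hold leave the router, and anything else (the 74.125.0.0/16 joke included) is suppressed before it reaches a peer. As an added example, not OpenBGPD's configuration syntax nor the package's GUI, the following Python expresses that check; the "owned" prefixes are documentation space chosen for the example and the /24 maximum length is the usual upstream limit, stated here as an assumption.

```python
"""Added example (not from the thread, not OpenBGPD's config syntax): the
export check the post asks for, i.e. only announce prefixes you actually
hold.  Owned prefixes are documentation space chosen for the example."""
from ipaddress import ip_network


def filter_announcements(candidates, own_prefixes, max_prefixlen=24):
    """Split candidate announcements into (accepted, rejected).

    A candidate is accepted only if it is equal to, or a more-specific of, an
    owned prefix and is no longer than max_prefixlen (the usual upstream
    limit, so an accidental /25 leak is stopped too).  Rejected entries carry
    a reason so the decision can be logged."""
    owned = [ip_network(p) for p in own_prefixes]
    accepted, rejected = [], []
    for cand in candidates:
        net = ip_network(cand, strict=False)
        if net.prefixlen > max_prefixlen:
            rejected.append((cand, "too specific"))
        elif any(o.version == net.version and net.subnet_of(o) for o in owned):
            accepted.append(cand)
        else:
            rejected.append((cand, "not an owned prefix"))
    return accepted, rejected


OWN = ["198.51.100.0/24", "203.0.113.0/24"]           # constructed: this site's space
CANDIDATES = ["198.51.100.0/24", "203.0.113.0/24",
              "74.125.0.0/16",                         # the prefix the post jokes about
              "198.51.100.128/25"]                     # owned, but longer than the limit

if __name__ == "__main__":
    ok, bad = filter_announcements(CANDIDATES, OWN)
    print("announce:", ok)
    print("suppress:", bad)
```

The same check, run in the opposite direction on what a peer sends you, is what the upstream carriers in the post are doing; the point of having it on your own border is that a misconfigured network statement gets caught before the carrier has to catch it.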



RE: [pfSense Support] OpenBGPD

2009-08-21 Thread Nathan Eisenberg
 -Original Message-
 From: Evgeny Yurchenko [mailto:evg.yu...@rogers.com]
 Sent: Friday, August 21, 2009 5:46 AM
 To: support@pfsense.com
 Subject: Re: [pfSense Support] OpenBGPD
 
 If you understand BGP without any relation to whatever platform it is
 used on then its configuration is pretty straightforward.
 I found pretty nice document explaining OpenBGPD implementation
 http://www.openbsd.org/papers/linuxtag06-network.pdf plus numerous
 howtos.
 You can play with restrictions by using deny from/allow from in
 RawConfig tab, for now this feature is not supported via gui.
 
 Eugene.
 
 
 -

I have a moderate understanding of how BGP works, but have much to learn.  I 
would love to see the ability to restrict announcements to specific networks 
added to the GUI.  I'd bet that more polish on this package could let PFSense 
enter the 'core router' arena.

Ah, were I a programmer...

Best Regards,
Nathan Eisenberg





RE: [pfSense Support] Anything like fail2ban for PFSense?

2009-08-03 Thread Nathan Eisenberg
-Original Message-
From: cbuech...@gmail.com [mailto:cbuech...@gmail.com] On Behalf Of Chris 
Buechler
Sent: Sunday, August 02, 2009 6:11 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Anything like fail2ban for PFSense?

Mark Crane added a DenyHosts package recently that does just this.

-
COOL!  Thanks!

Incidentally, there appears to be a bug in this package - if you are on 
Services - DenyHosts, and you click the PFSense logo, it takes you to the URL 
https://x.x.x.x/packages/denyhosts/index.php rather than 
https://x.x.x.x/index.php

Best Regards
Nathan Eisenberg
Sr. Systems Administrator
Atlas Networks, LLC
supp...@atlasnetworks.us
http://support.atlasnetworks.us/portal





RE: [pfSense Support] Anything like fail2ban for PFSense?

2009-08-03 Thread Nathan Eisenberg
-Original Message-
From: apiase...@midatlanticbb.com [mailto:apiase...@midatlanticbb.com] 
Sent: Monday, August 03, 2009 11:24 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Anything like fail2ban for PFSense?

Is this working? I have it installed on 1.2.2 and it doesn't appear to 
be doing anything. I see a bunch of failed attempts for SSH, and the 
servers - denyhost doesn't display anything.
-

I too am running 1.2.2 and cannot get this package to work.  I noticed that 
under status - services, the denyhosts service is not running.  Attempting to 
start it fails.

Is there a way to get this running on 1.2.2?

Best Regards
Nathan Eisenberg
Sr. Systems Administrator
Atlas Networks, LLC





RE: [pfSense Support] A note about top vs bottom posting -- please read and make sure you bottom post on our lists. Thank you.

2009-07-29 Thread Nathan Eisenberg
-Original Message-
From: Scott Ullrich [mailto:sullr...@gmail.com] 
Sent: Wednesday, July 29, 2009 10:56 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] A note about top vs bottom posting -- please 
read and make sure you bottom post on our lists. Thank you.

On Wed, Jul 29, 2009 at 1:54 PM, Curtis
LaMasterscurtislamast...@gmail.com wrote:
 I actually find that to be annoying to read.  However, in the spirit
 of good internetship, I'll oblige. Sorry for any problems I may have
 caused. Let me know if I did that correctly.

That looks correct.   Unfortunately this is the way mailing lists have
operated for as long as I have remembered.

Scott

-

At the risk of singling myself out, I prefer top posting.  I thought this 
battle had been fought and abandoned in the early 90s, as no consensus could be 
reached.  The ratio of top poster fanatics to bottom poster fanatics is 
generally 1:1.  Given that, it is difficult to say that mailing lists have 
operated consistently in one manner or the other.

Personally, I find that bottom posting is confusing to read (for me - others 
feel the same about top posting).  It's also not the default behavior in any 
version of Microsoft Outlook - which means it is time consuming (and before I 
get a 'so what', consider the user base...) to do.

Rather than spending time revisiting this ancient battle, it may simply be more 
efficient to require trimming posts to the appropriate amount of content, and 
allow replies to be made at the poster's preference.  For my part, if I can read 
the entire email quickly (read: properly trimmed quotes), I don't particularly 
care whether someone top or bottom posts.  I'm far more irked by issues like 
poor sentence structure, grammar and punctuation; not to mention content.

If it really needs to be list policy for one reason or another, then I'll just 
do my best to remember to comply.  I have found, though, the most effective 
lists are the ones with the fewest policies.  After all, we're all on this list 
because we like and use PfSense - I don't think any of us are truly interested 
in spending time having our netiquette scrutinized.  :-)

Best Regards
Nathan Eisenberg
Sr. Systems Administrator
Atlas Networks, LLC





RE: [pfSense Support] Anything like fail2ban for PFSense?

2009-07-22 Thread Nathan Eisenberg
I do feel that changing the port may not truly constitute an increase in 
security.  It makes you less visible, perhaps.  But this particular firewall is 
already subjected to port scans across the entire range, including highports 
(it has some very high traffic web sites behind it), so the alternate port 
would be detected relatively quickly anyways.

Thank You,
Nathan Eisenberg
Sr. Systems Administrator
Atlas Networks, LLC





RE: [pfSense Support] Anything like fail2ban for PFSense?

2009-07-21 Thread Nathan Eisenberg
Hello Paul,

I've considered that, but in this instance, it's not an option.  I agree that 
limiting exposure is a good first step, but I think brute force protection 
regardless of source address could be a valuable next step.  SSH keys ensure 
that the accounts won't actually be breached; it's just irritating to me that 
clearly hostile traffic is allowed to attack the service for as long as it 
pleases.  

Plus it clutters up the logs and uses some CPU/bandwidth resources - and while 
I have plenty of both, 'waste not, want not'!  :)

Best Regards
Nathan Eisenberg
Sr. Systems Administrator
Atlas Networks, LLC

-Original Message-
From: Paul Cockings [mailto:p...@cytringan.co.uk] 
Sent: Tuesday, July 21, 2009 1:00 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Anything like fail2ban for PFSense?

Jeppe Øland wrote:
  Some of my pfsense boxes get a lot of SSH bruteforces; is there a 
 package
  like fail2ban out there which could automatically blacklist IPs 
 after x bad
  logins?
  b) limit the connection-rate to a preferred useful value in the 
 filter-rules

 This works reasonably well.
 Unfortunately, the entire rule gets locked down when the rate is 
 exceeded, so you may lock yourself out too. (It automatically unlocks 
 when the hammering stops and your rate interval expires, and most 
 hammer scripts move on to a new IP when it stops responding, so it's 
 not the end of the world).

 Request: It would be really nice if pfsense could limit the 
 connection-rate *per IP*.

 Regards,
 -Jeppe
Why leave your ssh service exposed to the world?   Lock it down to a 
range of IPs (or subnet of your ISP), or if you don't have static IPs 
try setting up openvpn.
IMO it's best to expose as little as possible.

regards,
Pc







[pfSense Support] Anything like fail2ban for PFSense?

2009-07-20 Thread Nathan Eisenberg
Some of my pfsense boxes get a lot of SSH bruteforces; is there a package like 
fail2ban out there which could automatically blacklist IPs after x bad logins?

Best Regards
Nathan Eisenberg
Sr. Systems Administrator
Atlas Networks, LLC
supp...@atlasnetworks.us
http://support.atlasnetworks.us/portal
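The per-IP counting asked for in this thread (count bad logins per source, list the address for a while, let it expire once the hammering stops), as an added example that is not part of the list thread. The sample sshd lines are constructed, the syslog year is assumed because syslog timestamps carry none, and the pf table name `sshbrute` is an assumption: it has to exist in the ruleset (a block rule referencing `<sshbrute>`) before the pfctl commands do anything.

```python
"""Added example, not from the list thread: a fail2ban-style filter for sshd
syslog lines. It counts failed logins per source address inside a sliding
window, lists addresses that cross a threshold for a fixed ban period, and
renders the pfctl(8) table commands a pfSense box would use to block them.
All log lines below are constructed; the addresses are documentation space."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# FreeBSD syslog line from sshd. Only password failures and successful logins
# are of interest; "Invalid user" lines are skipped because the matching
# "Failed password" line follows them and would otherwise be double counted.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<msg>Failed password|Accepted (?:password|publickey)) for .*?"
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample: one host hammering, one legitimate user who mistyped
# twice before logging in, and one slow scanner whose attempts are 15 minutes
# apart and therefore never accumulate inside a 10-minute window.
SAMPLE_LOG = """\
Jul 20 10:00:01 fw sshd[1001]: Failed password for root from 203.0.113.5 port 51001 ssh2
Jul 20 10:00:03 fw sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 51002 ssh2
Jul 20 10:00:05 fw sshd[1003]: Invalid user oracle from 203.0.113.5
Jul 20 10:00:06 fw sshd[1003]: Failed password for invalid user oracle from 203.0.113.5 port 51003 ssh2
Jul 20 10:00:08 fw sshd[1004]: Failed password for root from 203.0.113.5 port 51004 ssh2
Jul 20 10:00:09 fw sshd[1005]: Failed password for root from 203.0.113.5 port 51005 ssh2
Jul 20 10:01:00 fw sshd[1010]: Failed password for ops from 198.51.100.7 port 40001 ssh2
Jul 20 10:01:05 fw sshd[1011]: Failed password for ops from 198.51.100.7 port 40002 ssh2
Jul 20 10:01:10 fw sshd[1012]: Accepted publickey for ops from 198.51.100.7 port 40003 ssh2
Jul 20 10:05:00 fw sshd[1020]: Failed password for root from 203.0.113.9 port 60001 ssh2
Jul 20 10:20:00 fw sshd[1021]: Failed password for root from 203.0.113.9 port 60002 ssh2
Jul 20 10:35:00 fw sshd[1022]: Failed password for root from 203.0.113.9 port 60003 ssh2
Jul 20 10:50:00 fw sshd[1023]: Failed password for root from 203.0.113.9 port 60004 ssh2
Jul 20 11:05:00 fw sshd[1024]: Failed password for root from 203.0.113.9 port 60005 ssh2
"""


def parse_line(line, year):
    """Return (timestamp, source_ip, success) for a login line, else None.
    The year is an assumption supplied by the caller (syslog omits it)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["msg"].startswith("Accepted")


def scan(lines, threshold=5, window_seconds=600, ban_seconds=3600, year=2009):
    """Sliding-window counter: a source is listed once it has `threshold`
    failures within `window_seconds`. Returns {ip: ISO time the listing
    expires}; a successful login resets that source's counter."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    banned = {}
    for line in lines:
        event = parse_line(line, year)
        if event is None:
            continue
        ts, ip, success = event
        if success:
            recent[ip].clear()
            continue
        if ip in banned:          # already listed; pf drops it from here on
            continue
        q = recent[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()           # drop failures that fell out of the window
        if len(q) >= threshold:
            banned[ip] = (ts + timedelta(seconds=ban_seconds)).isoformat()
            q.clear()
    return banned


def pfctl_commands(banned, table="sshbrute"):
    """Render the pf table additions for each listed source. The table name
    is an assumption; the matching removal after expiry is
    'pfctl -t <table> -T delete <ip>'."""
    return [f"pfctl -t {table} -T add {ip}" for ip in sorted(banned)]


if __name__ == "__main__":
    listed = scan(SAMPLE_LOG.splitlines())
    for cmd in pfctl_commands(listed):
        print(cmd)
```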



RE: [pfSense Support] Outbound mail multi-wan

2009-06-20 Thread Nathan Eisenberg
As others have said, you could statically force it out one interface, but to 
me, that seems like a rather inelegant solution.

Another option would be to use an external smarthost to relay outbound mail.  
One of your ISPs may allow you to do this, or there are plenty of other mail 
servers out there that would, too.

Using a smarthost, the mail has two routes to get to the outside world (and 
your SPOF is sitting safe in a datacenter somewhere).  Some mail servers 
(Exchange for one) let you set up multiple external connectors, so you could 
actually configure several smarthosts to eliminate SPOFs entirely.

Thank You,
Nathan Eisenberg
Sr. Systems Administrator
Atlas Networks, LLC
From: Robert Mortimer [mailto:rmorti...@bluechiptechnology.co.uk]
Sent: Thursday, June 18, 2009 1:28 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Outbound mail & multi-wan

IMHO

The CARP is good in the event that an entire firewall fails.
Each firewall should have access to BOTH WANs

Use the load balancer on each - it's easy to set up with fail over.
Insert a route for mail (TCPIP port 25) before your route to the load balanced 
interface on both firewalls

BINGO

We have this setup withour CARP


- Original Message -
From: Evgeny Yurchenko evgeny.yurche...@frontline.ca
To: support@pfsense.com
Sent: Wednesday, 17 June, 2009 19:58:00 GMT +00:00 GMT Britain, Ireland, 
Portugal
Subject: RE: [pfSense Support] Outbound mail & multi-wan

-Original Message-
From: JJB [mailto:onephat...@earthlink.net]
Sent: June 17, 2009 2:48 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Outbound mail & multi-wan

We've tried this 10 different ways, so far it has not worked.

Current Config is two pfsense 1.22 firewalls with CARP two WAN
connections (not load balanced or failover) (covad & att), with a DMZ
interface where our mail and other internet servers live.

I want the mail server to only make SMTP connections using the ATT
interface, but it defaults to using the WAN interface (on the Covad). We
route all generic traffic over the covad 10mb wan link (the default) and
for server-to-server traffic (such as Iron Mountain backups) we route to
a specific ip block or address over the ATT interface.

It is obvious how to do this with a static route when you have a
specific address or block to communicate with, but to say all traffic
'from this DMZ address to anywhere' should be transmitted via the ATT
link is not working.

A posting on this same subject on the forum (by my 'nix admin guy):
http://forum.pfsense.org/index.php/topic,17066.0.html

 - Joel
.



Chris Buechler wrote:
 On Tue, Jun 16, 2009 at 1:37 PM, JJB onephat...@earthlink.net wrote:

 Yes, setup your rules on the interface with the mail server
accordingly.

 I don't know how to set up pfsense to bind the mail server to the
ATT
 network interface instead of the Covad, can someone provide me with
details
 of how this would be done? It doesn't look like static routes would
work
 since the mail server needs to talk to an unlimited # of machines on
the
 internet.



 Just add a firewall rule matching traffic from the mail server and
 select the appropriate gateway or failover pool.





We





May we have screenshot of your rules for the interface your mail-server
is connected to?

Eugene



[pfSense Support] SSL Offloading

2009-06-19 Thread Nathan Eisenberg
Hey PfSense Gurus -

I've got a half dozen redundant PFSense WWW load balancing clusters in 
production, and yet I've never had to worry about this particular requirement 
before now.  I suspect I already know the answer, but I wanted to check in and 
make sure.

I have a client whose IIS application must be blissfully unaware that it is 
being encapsulated in SSL.  There is an ISAPI filter they wrote to handle their 
custom authentication system, and having the internal traffic pass through the 
SSL encapsulation in IIS breaks it.  Their solution was to use an old F5 SSL 
accelerator to offload the SSL traffic out of the environment.

Now, I have utterly no interest in using that particular piece of equipment to 
accomplish this task, but I am also unsure how to exactly accomplish this goal. 
 My preference would be to do this at the PFSense load balancer, rather than 
installing additional hardware for this purpose.  Is there some functionality 
like this in PFSense, perhaps via a package?

If not, is there another open source solution that you'd recommend (probably 
off list since it would be offtopic)?  When thinking about what I want to 
accomplish, my brain said 'apache SSL proxy' - would I be on the right track 
there?

Best Regards
Nathan Eisenberg
Sr. Systems Administrator
Atlas Networks, LLC
supp...@atlasnetworks.us
http://support.atlasnetworks.us/portal



RE: [pfSense Support] Axiomtek NA-810A/B

2009-06-18 Thread Nathan Eisenberg
Hey Alex,

I've looked at axiomtek equipment before but haven't been able to find a place 
to buy it.  Where have you gotten your gear?

Best Regards
Nathan Eisenberg
Sr. Systems Administrator
Atlas Networks, LLC
supp...@atlasnetworks.us
http://support.atlasnetworks.us/portal

From: Alexsander Loula [mailto:alex.lo...@gmail.com]
Sent: Thursday, June 18, 2009 11:31 AM
To: support@pfsense.com
Subject: [pfSense Support] Axiomtek NA-810A/B

Hi Folks,

I have been searching on the list/forum and I found that Axiomtek NA-810C works 
great with pfSense. Is anyone running successfully with NA-810A/B ?

http://www.axiomtek.com/Download/Spec/na-810a_na-810b.pdf

Tks,
Alex


RE: [pfSense Support] No IP over DHCP

2009-04-26 Thread Nathan Eisenberg
Not sure what your environment is, but if you need to make the LAN interface 
seem up but don't actually need to plug anything into the port, an easy way of 
doing that is with a loopback cable.

http://www.nutt.net/2004/11/20/diy-ethernet-loopback-cable/

Best Regards
Nathan Eisenberg
Sr. Systems Administrator
Atlas Networks, LLC
supp...@atlasnetworks.us
http://support.atlasnetworks.us/portal

-Original Message-
From: Michael Schmitt [mailto:stiff...@linuxnoob.net] 
Sent: Saturday, April 25, 2009 11:26 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] No IP over DHCP

Scott Ullrich schrieb:
 On Fri, Apr 24, 2009 at 5:27 PM, Michael Schmitt stiff...@linuxnoob.net 
 wrote:
 Hello List,

 I try the new 1.2.3-RC1-Embedded release on an ALix board.

 WAN -- sis0, dhcp
 LAN -- sis1, 10.0.0.1/24
 WLAN -- ath0 bridged with LAN (atheros 5212 chipset)

 dhcp-server is enabled for LAN.

 the first firewallrules on the LAN and WLAN interfaces are
 UDP   *   67-68*67/68

 The problem:

 After I set up the system and tried to get a wireless IP over dhcp it
 worked fine the first couple of  times, but after a while it stops
 working and I can't get an ip.

 Thanks a lot for any ideas.
 
 Make sure something is plugged into the LAN port if nothing is
 currently plugged in there.
 
 Scott
 
 
Hello Scott,

thanks for that! Now all is working fine!











RE: [pfSense Support] RE: Load Balancer Using TCP

2009-04-05 Thread Nathan Eisenberg
Excellent, thank you Chris.

I always use TCP as well, but this particular site occasionally gets hit by 
Digg, and until they get enough capacity in their cluster to support that (AKA 
- a few memcache servers), their web service does sometimes respond so slowly 
that the load balancer ends up flapping them back and forth.

Appreciate the fix being committed - I haven't used the snapshot builds before, 
but I'll check it out and ping you if I have troubles.

Thank You,
Nathan Eisenberg
Sr. Systems Administrator
Atlas Networks, LLC

Atlas Support Center
http://support.atlasnetworks.us/portal

-Original Message-
From: cbuech...@gmail.com [mailto:cbuech...@gmail.com] On Behalf Of Chris 
Buechler
Sent: Saturday, April 04, 2009 6:07 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] RE: Load Balancer Using TCP

On Thu, Apr 2, 2009 at 12:22 AM, Nathan Eisenberg
nat...@atlasnetworks.us wrote:
 Here's what ends up in slbd.conf when I save my config:

 servicename:\
     :poolname=poolname:\
     :vip=x.x.x.x:\
     :vip-port=80:\
     :sitedown=x.x.x.x:\
     :sitedown-port=80:\
     :method=round-robin:\
     :services=2:\
     :service-port=80:\
     :0=192.168.20.61:\
     :1=192.168.20.62:\
     :tcppoll:send=:expect=:

 Why is it using TCPPoll if I have it set to use ICMP in the gui?


That was a bug, and strangely you're the first to notice. I've always
used TCP for server load balancing configurations and suspect everyone
else must as well (well, they are whether or not they realize it).

I just committed a fix, it'll be in 1.2.3 snapshots built at least 2
hours from now or you can manually apply this diff.
https://rcs.pfsense.org/projects/pfsense/repos/mainline/commits/d38805bc18a69dda3b33ca3a193420ff656d33dd

There is another issue where TCP is always selected when you edit an
existing pool, haven't fixed that yet but will.










[pfSense Support] Load Balancer Using TCP

2009-04-01 Thread Nathan Eisenberg
Hello,

I have a load balancer with two web servers behind it.  The web servers are to 
be monitored via ICMP.

However, the servers frequently flap, and I see this message in the load 
balancer log:
Apr 1 21:06:57 slbd[56826]: TCP poll succeeded for 192.168.20.61:80, marking 
service UP
Apr 1 21:06:52 slbd[56826]: Service servicename changed status, reloading 
filter policy
Apr 1 21:06:52 slbd[56826]: TCP poll failed for 192.168.20.61:80, marking 
service DOWN

What's going on?  :(

Best Regards
Nathan Eisenberg
Sr. Systems Administrator
Atlas Networks, LLC
supp...@atlasnetworks.us
http://support.atlasnetworks.us/portal


[pfSense Support] RE: Load Balancer Using TCP

2009-04-01 Thread Nathan Eisenberg
Here's what ends up in slbd.conf when I save my config:

servicename:\
:poolname=poolname:\
:vip=x.x.x.x:\
:vip-port=80:\
:sitedown=x.x.x.x:\
:sitedown-port=80:\
:method=round-robin:\
:services=2:\
:service-port=80:\
:0=192.168.20.61:\
:1=192.168.20.62:\
:tcppoll:send=:expect=:

Why is it using TCPPoll if I have it set to use ICMP in the gui?

Best Regards
Nathan Eisenberg
Sr. Systems Administrator
Atlas Networks, LLC
supp...@atlasnetworks.us
http://support.atlasnetworks.us/portal

From: Nathan Eisenberg
Sent: Wednesday, April 01, 2009 9:10 PM
To: support@pfsense.com
Subject: [pfSense Support] Load Balancer Using TCP

Hello,

I have a load balancer with two web servers behind it.  The web servers are to 
be monitored via ICMP.

However, the servers frequently flap, and I see this message in the load 
balancer log:
Apr 1 21:06:57 slbd[56826]: TCP poll succeeded for 192.168.20.61:80, marking 
service UP
Apr 1 21:06:52 slbd[56826]: Service servicename changed status, reloading 
filter policy
Apr 1 21:06:52 slbd[56826]: TCP poll failed for 192.168.20.61:80, marking 
service DOWN

What's going on?  :(

Best Regards
Nathan Eisenberg
Sr. Systems Administrator
Atlas Networks, LLC
supp...@atlasnetworks.us
http://support.atlasnetworks.us/portal
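A way to catch the mismatch reported in this thread before the pool goes live: parse the generated slbd.conf and compare what the daemon will actually do with what was selected in the GUI. This is an added example, not pfSense's own code; the sample is the configuration quoted above, and because `tcppoll` is the only monitor keyword the thread shows, the check only tells "tcp" from "not tcp".

```python
"""Added example, not from the list thread: a parser for the termcap-style
slbd.conf that pfSense 1.2 generated for the load balancer, plus a check that
the monitor method written to disk matches the operator's intent. The sample
is the entry quoted in the message above."""

SAMPLE_SLBD_CONF = """\
servicename:\\
:poolname=poolname:\\
:vip=x.x.x.x:\\
:vip-port=80:\\
:sitedown=x.x.x.x:\\
:sitedown-port=80:\\
:method=round-robin:\\
:services=2:\\
:service-port=80:\\
:0=192.168.20.61:\\
:1=192.168.20.62:\\
:tcppoll:send=:expect=:
"""


def parse_slbd_conf(text):
    """Parse one termcap-style service entry into a dict.

    Lines ending in a backslash continue the entry; fields are separated by
    colons; 'key=value' fields become parameters and bare words become flags
    (such as tcppoll). Numeric keys are the backend servers in pool order."""
    joined = "".join(line.strip().rstrip("\\") for line in text.splitlines())
    fields = [f for f in joined.split(":") if f]
    if not fields:
        raise ValueError("empty slbd.conf entry")
    name, rest = fields[0], fields[1:]
    params, flags, servers = {}, set(), []
    for field in rest:
        if "=" in field:
            key, value = field.split("=", 1)
            if key.isdigit():
                servers.append((int(key), value))
            else:
                params[key] = value
        else:
            flags.add(field)
    servers = [addr for _, addr in sorted(servers)]
    return {"name": name, "params": params, "flags": flags, "servers": servers}


def monitor_method(cfg):
    """'tcp' when the tcppoll flag is present, otherwise 'not-tcp' (the
    keyword slbd uses for ICMP monitoring is not shown in the thread)."""
    return "tcp" if "tcppoll" in cfg["flags"] else "not-tcp"


def check_config(text, expected_monitor, expected_servers):
    """Return a list of discrepancies between the generated file and intent;
    an empty list means the GUI wrote what the operator selected."""
    cfg = parse_slbd_conf(text)
    problems = []
    actual = monitor_method(cfg)
    if actual != expected_monitor:
        problems.append(f"monitor is {actual}, expected {expected_monitor}")
    if cfg["servers"] != list(expected_servers):
        problems.append(f"servers are {cfg['servers']}, expected {list(expected_servers)}")
    if cfg["params"].get("services") != str(len(cfg["servers"])):
        problems.append("services count does not match number of backends")
    return problems


if __name__ == "__main__":
    # The operator selected ICMP in the GUI, so anything but "not-tcp" is a finding.
    for problem in check_config(SAMPLE_SLBD_CONF, "not-tcp",
                                ["192.168.20.61", "192.168.20.62"]):
        print("FINDING:", problem)
```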



[pfSense Support] RE: 1:1 NAT - Outbound source IP?

2009-03-18 Thread Nathan Eisenberg
Just bumping this question up.  :)

Best Regards,
Nathan Eisenberg
Atlas Networks, LLC
Phone: 206-577-3078
supp...@atlasnetworks.us
www.atlasnetworks.us

From: Nathan Eisenberg
Sent: Tuesday, March 17, 2009 9:54 AM
To: support@pfsense.com
Subject: [pfSense Support] 1:1 NAT - Outbound source IP?

Hello,

When performing 1:1 NAT, what is the process for making the egressing NAT 
traffic originate from the 1:1 IP address?

For example...

4.2.2.1 Firewall
4.2.2.2 Server 1 virtual IP
4.2.2.3 Server 2 virtual IP

192.168.1.1 Firewall LAN
192.168.1.2 Server 1 IP
192.168.1.3 Server 2 IP

All egress traffic still comes from 4.2.2.1 in this configuration, where I 
would want egressing traffic to originate from 4.2.2.2 for Server 1.

Best Regards,
Nathan Eisenberg
Atlas Networks, LLC
Phone: 206-577-3078
supp...@atlasnetworks.us
www.atlasnetworks.us



RE: [pfSense Support] RE: 1:1 NAT - Outbound source IP?

2009-03-18 Thread Nathan Eisenberg
Huh, odd, I didn't get that message.  

No proxy, but still seeing the firewall's IP as the source IP.  Very confusing.

Best Regards,
Nathan Eisenberg
Atlas Networks, LLC
Phone: 206-577-3078
supp...@atlasnetworks.us
www.atlasnetworks.us


-Original Message-
From: cbuech...@gmail.com [mailto:cbuech...@gmail.com] On Behalf Of Chris 
Buechler
Sent: Wednesday, March 18, 2009 1:31 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] RE: 1:1 NAT - Outbound source IP?

On Wed, Mar 18, 2009 at 4:25 PM, Nathan Eisenberg
nat...@atlasnetworks.us wrote:
 Just bumping this question up.


Gary answered it yesterday. The only way it doesn't work that way is
if you have some sort of proxy running on the firewall.










[pfSense Support] CARP over Serial?

2009-03-18 Thread Nathan Eisenberg
Seems like I'm ending up asking a lot of questions here lately.

(Long Version)
I have two servers I want to set up as a CARP cluster.  So I did, and that's 
working fine.  The only issue is that the servers only have 2 NICs.  I setup a 
VLAN on the LAN interface to function as a temporary CARP interface.  However, 
I'm not sure I really want to take the cluster production unless I have a 
dedicated physical cluster link.  With other clusters that I've setup, the 
heartbeat/sync interface is often a serial connection rather than an Ethernet 
connection.

(Short Version)
Is there any provision for doing CARP over serial/SLIP, or do I have to have a 
third Ethernet interface?  This seems like it would be a handy feature; I'm 
surprised I haven't been able to find any documentation on it.

Best Regards,
Nathan Eisenberg
Atlas Networks, LLC
Phone: 206-577-3078
supp...@atlasnetworks.us
www.atlasnetworks.us


RE: [pfSense Support] traffic shaper, manual howto

2009-02-23 Thread Nathan Eisenberg
Michel,

It's actually possible, IIRC, to get to the shaper rule manager directly by 
going to its URL.

There's no link to it, and I don't remember what the address is.  The easiest 
way to get the URL is probably to run through the wizard, bookmark the rule 
manager URL, and then turn off traffic shaping.  (Although given the number of 
people with active PFsense boxes on this list, someone can probably also just 
copy/paste.)

It would be nice if there was a link to the tool directly, so that you didn't 
-have- to use the wizard to get started.

Best Regards,
Nathan Eisenberg
Atlas Networks, LLC
Phone: 206-577-3078
supp...@atlasnetworks.us
www.atlasnetworks.us

From: Michel Servaes [mailto:mic...@mcmc.be]
Sent: Monday, February 23, 2009 7:01 AM
To: support@pfsense.com
Subject: [pfSense Support] traffic shaper, manual howto

Hi,


I was wondering, if there is a manual way of defining the traffic shaper, 
instead of using the wizard ?
I actually just would like to assign just 128kbit to all SMTP traffic (in/out, 
don't care) - and the rest is permitted like it is.

I could run the wizard, delete all rules afterwards - but I gather this isn't 
the way, is it ?

Kind regards,
Michel


RE: [pfSense Support] Date Change Bug

2009-02-16 Thread Nathan Eisenberg
That's what I discovered - I had originally set it to GMT -8, and it is now 
America/Los Angeles

Best Regards,
Nathan Eisenberg
Atlas Networks, LLC
Phone: 206-577-3078
supp...@atlasnetworks.us
www.atlasnetworks.us

From: Christopher Iarocci [mailto:ciaro...@tfop.net]
Sent: Monday, February 16, 2009 5:46 AM
To: support@pfsense.com
Subject: RE: [pfSense Support] Date Change Bug

What did you change it to?  If you chose a GMT -X setting, they don't work 
properly.  You have to choose a location time zone, not just the GMT + or - 
setting.

Christopher Iarocci
Network Solutions Manager
Twin Forks Office Products
631-727-3354

From: Nathan Eisenberg [mailto:nat...@atlasnetworks.us]
Sent: Sunday, February 15, 2009 6:59 PM
To: support@pfsense.com
Subject: [pfSense Support] Date Change Bug

Hello,

I recently changed the timezone on one of our PFSense boxes, as it thought it 
was 12 hours ahead of where it actually is.  Since I have made that change, 
states do not appear to be expiring normally, and the logs are still labeled 
with the old date/time offset.  However, the result of 'date' in the command 
line is correct.

Restarting this box is pretty difficult, although I am confident that a reboot 
would fix the issue.  Do I have any other options?

Best Regards,
Nathan Eisenberg
Atlas Networks, LLC
Phone: 206-577-3078
supp...@atlasnetworks.us
www.atlasnetworks.us



[pfSense Support] Date Change Bug

2009-02-15 Thread Nathan Eisenberg
Hello,

I recently changed the timezone on one of our PFSense boxes, as it thought it 
was 12 hours ahead of where it actually is.  Since I have made that change, 
states do not appear to be expiring normally, and the logs are still labeled 
with the old date/time offset.  However, the result of 'date' in the command 
line is correct.

Restarting this box is pretty difficult, although I am confident that a reboot 
would fix the issue.  Do I have any other options?

Best Regards,
Nathan Eisenberg
Atlas Networks, LLC
Phone: 206-577-3078
supp...@atlasnetworks.us
www.atlasnetworks.us



[pfSense Support] VLANs/802.1q Trunking

2009-02-09 Thread Nathan Eisenberg
Hello,

I set out tonight to get a new firewall box deployed; this will be the first on 
which I am using the VLAN feature in PFSense.  I figured I was going to be done 
quick; boy was I wrong.

My configuration looks like this:
PFSENSE
[WAN][OPT1 (192.168.1.1) (VLAN 101)][Cisco 2950]Laptop 
(192.168.1.2) (VLAN 101)

There are other VLANs, but I suspect that is not particularly relevant.  My 
issue is that I cannot get through the Cisco 2950 when VLAN tagged.  If I 
connect directly to the PFSense box, everything works exactly as I would have 
expected it to.

So clearly, I have not configured the Cisco correctly.  I am confused how, 
though, because I have performed the following steps on the 2950:

Config t
Interface fastethernet0/6
switchport access vlan 101
exit
Interface fastethernet0/7
switchport access vlan 101
exit

show vlan brief shows that both interfaces are on the correct VLAN, and yet... 
I'm still stuck without traffic.

I googled and dove through the forums, and at the end of the day, after 3 hours 
of searching, I am posting.   Any thoughts?  :)

Thank You,
Nathan Eisenberg
Sr. Systems Administrator
Atlas Networks, LLC

Atlas Support Center
http://support.atlasnetworks.us/portal



RE: [pfSense Support] VLANs/802.1q Trunking

2009-02-09 Thread Nathan Eisenberg
Doh.  I think this may be what killed me right here.  I had setup tagging on my 
laptop, with the port set to switchport access vlan 101.  In retrospect, what 
you're saying makes perfect sense - I guess I know what I'll be trying tonight. 
 By the way, if anyone has seen a document detailing using PFSense on a 2950 
from scratch, a link would be awesome.

I'm sure I'll have more questions, but everyone's assistance so far is greatly 
appreciated.

~Nathan

-Original Message-
From: RB [mailto:aoz@gmail.com] 
Sent: Monday, February 09, 2009 4:43 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] VLANs/802.1q Trunking

On Mon, Feb 9, 2009 at 02:17, Aarno Aukia m...@arska.ch wrote:
 You need to configure the interface on the 2950 to your pfsense box as
 a trunk to send and receive tagged packets.
 e.g.:

 Interface fastethernet0/6
  switchport mode trunk
  switchport trunk encapsulation dot1q

Ditto, but make sure that if you're tagging packets on the laptop as
well to set it as a trunking interface also.  By using switchport
access, you're telling the switch to drop tagged packets and place
any untagged ones on VLAN 101.  This is right for end-point ports - it
is unwise to allow your client devices to freely tag however they see
fit.







RE: AW: [pfSense Support] em0: Watchdog timeout -- resetting

2009-01-06 Thread Nathan Eisenberg
Just thought I'd update with what I'm doing on this issue; since this list is 
indexed, maybe this breadcrumb trail will help out another poor sap along the 
way.

Tomorrow, I plan to explore the following.  I'm not sure why these would cause 
issues, but grasping at straws is good for the soul.
- Checksum offloading (disable per 
http://downloadcenter.intel.com/Detail_Desc.aspx?agr=YProductID=2788DwnldID=11848strOSs=38OSFullName=OS%20Independentlang=eng)
- TSO (disable per above link)
- Polling (tweak and toggle per above link)
- Try SMP Kernel (Why not?)
- Update to latest BIOS (That document also mentions an 'update to the latest 
BIOS', and references the Linux Firmware Kit project.  
http://linuxfirmwarekit.org/ - the difference is only a revision code, but 
perhaps the fix is in there.  SuperMicro's BIOS update release notes apparently 
require an NDA (Why!?))

Running OpenBSD latest (4.4), I discovered that I don't receive watchdog 
timeouts - instead, I am just seeing extremely poor performance (70kbps), where 
the onboard NICs deliver the expected near-wirespeed.

Will update.

Thank You,
Nathan Eisenberg
Sr. Systems Administrator
Atlas Networks, LLC
Atlas Networks is an Atlas Accelerator Company


-Original Message-
From: Nathan Eisenberg [mailto:nat...@atlasnetworks.us] 
Sent: Monday, January 05, 2009 5:32 PM
To: 'support@pfsense.com'
Subject: RE: AW: [pfSense Support] em0: Watchdog timeout -- resetting

Any thoughts on a next step in troubleshooting?  I'm running out of ideas.  
Setting the port speed and duplex has no effect.

Thank You,
Nathan Eisenberg
Sr. Systems Administrator
Atlas Networks, LLC
Atlas Networks is an Atlas Accelerator Company


-Original Message-
From: cbuech...@gmail.com [mailto:cbuech...@gmail.com] On Behalf Of Chris 
Buechler
Sent: Monday, January 05, 2009 5:14 PM
To: support@pfsense.com
Subject: Re: AW: [pfSense Support] em0: Watchdog timeout -- resetting

On Mon, Jan 5, 2009 at 2:02 PM, Nathan Eisenberg
nat...@atlasnetworks.us wrote:

 Admittedly, I did not expect to run into hardware/driver issues when I was 
 buying these NICs.  :(  In fact, that's exactly the reason I
 went with Intel HW in the first place.


Usually that's an accurate assessment. This card is newer than the
driver in FreeBSD 7.0 though. And it might not be network driver
related at all, might be specific to some other hardware component in
relation or combination with that card.














RE: [pfSense Support] Zabbix Agent package on 1.2.1

2009-01-06 Thread Nathan Eisenberg
Throwing my hat in the ring here - we have several zabbix servers deployed in 
production.  It is very good; it is easy to set it up to get emails on disk 
failures, raid rebuilds, individual fan failures; pretty much anything you 
might want to hear about.  

Plus having anything else you can imagine on a graph is pretty nice.

-Original Message-
From: Paul Mansfield [mailto:it-admin-pfse...@taptu.com] 
Sent: Tuesday, January 06, 2009 10:34 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Zabbix Agent package on 1.2.1

Tim Nelson wrote:
 I've recently tried installing the Zabbix Agent package on a fresh 1.2.1 
 installation and it appears to have some 'issues'. Namely, one issue. It 
 doesn't install at all. The output from the installation session:

we too would be interested in this, as we're trialling zabbix in place
of cacti and nagios









RE: [pfSense Support] Zabbix Agent package on 1.2.1

2009-01-06 Thread Nathan Eisenberg
Tim,

Zabbix does support SNMP checks and TCP/IP via zabbix-server originated pings 
and port checks.

-Original Message-
From: Tim Nelson [mailto:tnel...@rockbochs.com] 
Sent: Tuesday, January 06, 2009 10:45 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Zabbix Agent package on 1.2.1

Thank you all for the responses!

I thought that the Zabbix Agent package may be out of date but it did list it 
as being 'up to par' with version 1.2.1 of pfSense in the packages page. 
Apparently it is incorrect. Well, back to the drawing board. Checking to see 
if Zabbix supports plain TCP/UDP port monitoring, content checking, and SNMP 
polling...

OT
I've been using JFFNMS for quite some time as a monitoring solution. It works 
well as long as you don't mind running PHP4 and MySQL4 on an older box. The 
latest version has some serious issues (Google jffnms admin structure not 
found) which haven't been fixed and the project is nearly dead. It's time to 
move on...
/OT

Tim Nelson
Systems/Network Support
Rockbochs Inc.
(218)727-4332 x105

- Nathan Eisenberg nat...@atlasnetworks.us wrote:

 Throwing my hat in the ring here - we have several zabbix servers
 deployed in production.  It is very good; it is easy to set it up to
 get emails on disk failures, raid rebuilds, individual fan failures;
 pretty much anything you might want to hear about.  
 
 Plus having anything you else you can imagine on a graph is pretty
 nice.
 
 -Original Message-
 From: Paul Mansfield [mailto:it-admin-pfse...@taptu.com] 
 Sent: Tuesday, January 06, 2009 10:34 AM
 To: support@pfsense.com
 Subject: Re: [pfSense Support] Zabbix Agent package on 1.2.1
 
 Tim Nelson wrote:
  I've recently tried installing the Zabbix Agent package on a fresh
 1.2.1 installation and it appears to have some 'issues'. Namely, one
 issue. It doesn't install at all. The output from the installation
 session:
 
 we too would be interested in this, as we're trialling zabbix in
 place
 of cacti and nagios
 
 
 
 
 
 









RE: [pfSense Support] Zabbix Agent package on 1.2.1

2009-01-06 Thread Nathan Eisenberg
I've evaluated each of those, several times.  My conclusion at the end of the 
day was that Zabbix was the way to go - and like I said, I have multiple Zabbix 
servers in production monitoring Windows, Debian, Redhat, Gentoo, OpenBSD, Xen, 
firewalls, switches, and sensors.  I needed to be able to watch everything - 
from the fan speed on my Windows servers to the free swap space on evaluation 
servers across the internet.

As to why I selected it over nagios and cacti, the reality was that at the end 
of the day, I felt those tools were not flexible enough for the wide variety of 
systems and configurations I needed to monitor.

This is certainly not to say that your evaluation is in any way wrong; it may 
simply not be a good fit for your environment, and everyone needs to make that 
determination for themselves.  But that's why we took these jobs - there are 
often lots of right answers.  :)

Cheers,
Nathan Eisenberg

-Original Message-
From: Tim Nelson [mailto:tnel...@rockbochs.com] 
Sent: Tuesday, January 06, 2009 11:29 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Zabbix Agent package on 1.2.1

That may be my conclusion as well. Luckily, I'm in the test/R&D phase and not 
looking to go production tomorrow with it. Off the top of my head, I still have 
OpenNMS, Zenoss, Groundwork, and Hyperic on my list of candidates.

Tim Nelson
Systems/Network Support
Rockbochs Inc.
(218)727-4332 x105

- Gary Buckmaster g...@centipedenetworks.com wrote:
 Is there anyone here who is actually using Zabbix in production and 
 monitoring FreeBSD boxes with it?  I know it looks like a shiny toy, but 
 I'm telling you that the reality is far less.  The monitoring is limited 
 at best for linux, and almost completely unusable without major 
 customization for FreeBSD.  I agree that having a nice centralized 
 monitoring system to use with pfSense would be nice, but our extensive 
 experience evaluating Zabbix led us to the conclusion that it's not 
 ready for prime time. 









RE: AW: [pfSense Support] em0: Watchdog timeout -- resetting

2009-01-05 Thread Nathan Eisenberg
I agree with both of your statements.  The portfast option isn't a solution, 
but it does make debugging this issue a lot less painful.  

Admittedly, I did not expect to run into hardware/driver issues when I was 
buying these NICs.  :(  In fact, that's exactly the reason I went with Intel HW 
in the first place.

Thank You,
Nathan Eisenberg
Sr. Systems Administrator
Atlas Networks, LLC
Atlas Networks is an Atlas Accelerator Company

-Original Message-
From: Paul Mansfield [mailto:it-admin-pfse...@taptu.com] 
Sent: Monday, January 05, 2009 3:01 AM
To: support@pfsense.com
Subject: Re: AW: [pfSense Support] em0: Watchdog timeout -- resetting


Fuchs, Martin wrote:
 And perhaps try to set the port speed in pfsense AND the switch, e.g. 
 1000MBit FD...
 Sometimes this helps, too

Once you start setting port speeds to fix rates and duplex you're going
down a long and slippery slope, it's best to avoid it unless there's a
proven good reason!

 -Original Message-
 From: apiase...@midatlanticbb.com [mailto:apiase...@midatlanticbb.com] 
 Can't help with your pfsense problem, but it might help to configure 
 this on your switch.
 
 spanning-tree portfast Configured on your cisco switch will change the 
 port to a forwarding state immediately.

this might help hide the symptom of the interface bouncing but isn't
really a cure










RE: [pfSense Support] em0: Watchdog timeout -- resetting

2009-01-05 Thread Nathan Eisenberg
I ran the script in a linux environment, and received "No appropriate hardware 
found for this fixup."

I don't know if I mentioned it previously, but the model number of this card is 
EXPI9404PTL.

Thank You,
Nathan Eisenberg
Sr. Systems Administrator
Atlas Networks, LLC
Atlas Networks is an Atlas Accelerator Company


-Original Message-
From: Paul Mansfield [mailto:it-admin-pfse...@taptu.com] 
Sent: Monday, January 05, 2009 3:26 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] em0: Watchdog timeout -- resetting

Paul M wrote:
 linux - there used to be a problem with the e1000 driver when power
 saving is enabled in the e1000's eeprom. the fix worked, and I applied
 it by booting a linux rescue disk and ran the eeprom fix program that I
 got from the e1000 sourceforge website; their wiki seems to have
 disappeared so I can't find the script, so I've placed a copy here:
 http://www.zaurus.org.uk/download/scripts/fixeep-82573-dspd.sh
 
 if you have the problem on linux you get "detected tx unit hang" thus:
 http://sourceforge.net/tracker/index.php?func=detail&aid=1463045&group_id=42302&atid=447449


p.s. I believe that in theory Intel and manufacturers using their e1000
chips were supposed to be turning this off.

p.p.s. I don't think there's any equivalent of ethtool -e eth0 for
freebsd, so you can't run that script directly on pfsense/freebsd. If
there were, you'd get this:

# ethtool -e eth5
Offset  Values
--  --
0x0000  00 e0 81 4b 53 b7 30 0b 47 f6 02 10 ff ff ff ff
0x0010  ff ff ff ff 6b 22 91 51 f1 10 8b 10 86 80 df ac
0x0020  21 00 02 20 04 7e 00 00 00 10 d8 00 00 00 00 27
0x0030  c9 6c 50 31 22 07 0b 04 84 09 00 00 00 c0 07 06






-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org
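Paul's point is that the Linux fix script rewrites the e1000 EEPROM, and there is no `ethtool -e` on FreeBSD to read it first. As an added example (not from this thread, not from pfSense and not from the e1000 project), here is a small Python parser for `ethtool -e` output that reads the dump back as 16-bit NVM words and validates the Intel NVM checksum that the e1000 driver enforces (words 0x00 through 0x3F must sum to 0xBABA modulo 2^16), which is the check you want before and after editing an EEPROM image by hand. The dump from the quoted message is embedded as sample input with its first offset restored to 0x0000; because it only covers 64 bytes, a second, constructed 128-byte image is built in the code to exercise the checksum path. Assumptions: ethtool emits the words little-endian on x86, and the first three words hold the station address in dump byte order; both are labelled in the code.

```python
import re

# One data row of `ethtool -e` output, e.g. "0x0010  ff ff ff ff ..."
DUMP_LINE_RE = re.compile(r"^0x([0-9a-fA-F]{4})\s+((?:[0-9a-fA-F]{2}\s*)+)$")

# Intel e1000 NVM rule (as enforced by the e1000 driver): words 0x00..0x3F sum to 0xBABA.
INTEL_CHECKSUM_WORDS = 0x40
INTEL_EEPROM_SUM = 0xBABA

# The dump from the message above (first row offset restored to 0x0000).
PAGE_DUMP = """\
Offset  Values
--  --
0x0000  00 e0 81 4b 53 b7 30 0b 47 f6 02 10 ff ff ff ff
0x0010  ff ff ff ff 6b 22 91 51 f1 10 8b 10 86 80 df ac
0x0020  21 00 02 20 04 7e 00 00 00 10 d8 00 00 00 00 27
0x0030  c9 6c 50 31 22 07 0b 04 84 09 00 00 00 c0 07 06
"""


def parse_ethtool_eeprom(text):
    """Turn `ethtool -e` output into the raw byte image, checking that the rows are contiguous."""
    image = bytearray()
    for line in text.splitlines():
        m = DUMP_LINE_RE.match(line.strip())
        if not m:
            continue  # "Offset  Values" header and separator rows
        offset = int(m.group(1), 16)
        if offset != len(image):
            raise ValueError(f"dump is not contiguous at offset 0x{offset:04x}")
        image.extend(bytes.fromhex(m.group(2).replace(" ", "")))
    return bytes(image)


def eeprom_word(image, index):
    """16-bit NVM word `index`; assumes ethtool emitted the words little-endian (x86 host)."""
    return image[2 * index] | (image[2 * index + 1] << 8)


def mac_address(image):
    """Station address from words 0-2, in dump byte order (assumption stated in the lead-in)."""
    return ":".join(f"{b:02x}" for b in image[:6])


def intel_checksum_ok(image):
    """True if the first 64 words sum to 0xBABA (mod 2**16); needs a full 128-byte image."""
    if len(image) < 2 * INTEL_CHECKSUM_WORDS:
        raise ValueError("need at least 128 bytes to validate the Intel NVM checksum")
    total = sum(eeprom_word(image, i) for i in range(INTEL_CHECKSUM_WORDS))
    return (total & 0xFFFF) == INTEL_EEPROM_SUM


def fix_intel_checksum(image):
    """Return a copy with word 0x3F recomputed so the checksum validates (run after any edit)."""
    img = bytearray(image)
    partial = sum(eeprom_word(img, i) for i in range(INTEL_CHECKSUM_WORDS - 1))
    want = (INTEL_EEPROM_SUM - partial) & 0xFFFF
    pos = 2 * (INTEL_CHECKSUM_WORDS - 1)
    img[pos], img[pos + 1] = want & 0xFF, want >> 8
    return bytes(img)


# Constructed 128-byte image (not real hardware data) so the checksum path can be exercised.
CONSTRUCTED_IMAGE = fix_intel_checksum(bytes(range(128)))


if __name__ == "__main__":
    img = parse_ethtool_eeprom(PAGE_DUMP)
    print(len(img), "bytes; MAC", mac_address(img), "; word 0 = 0x%04x" % eeprom_word(img, 0))
    print("constructed image checksum ok:", intel_checksum_ok(CONSTRUCTED_IMAGE))
```

Note that the quoted dump stops at 0x003F, so `intel_checksum_ok` refuses it rather than reporting a bogus result; dump at least 128 bytes (`ethtool -e ethN length 128`) before judging an image, and re-run `fix_intel_checksum` on anything you have patched before writing it back.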



RE: AW: [pfSense Support] em0: Watchdog timeout -- resetting

2009-01-05 Thread Nathan Eisenberg
Any thoughts on a next step in troubleshooting?  I'm running out of ideas.  
Setting the port speed and duplex has no effect.

Thank You,
Nathan Eisenberg
Sr. Systems Administrator
Atlas Networks, LLC
Atlas Networks is an Atlas Accelerator Company


-Original Message-
From: cbuech...@gmail.com [mailto:cbuech...@gmail.com] On Behalf Of Chris 
Buechler
Sent: Monday, January 05, 2009 5:14 PM
To: support@pfsense.com
Subject: Re: AW: [pfSense Support] em0: Watchdog timeout -- resetting

On Mon, Jan 5, 2009 at 2:02 PM, Nathan Eisenberg
nat...@atlasnetworks.us wrote:

 Admittedly, I did not expect to run into hardware/driver issues when I was 
 buying these NICs.  :(  In fact, that's exactly the reason I
 went with Intel HW in the first place.


Usually that's an accurate assessment. This card is newer than the
driver in FreeBSD 7.0 though. And it might not be network driver
related at all, might be specific to some other hardware component in
relation or combination with that card.









[pfSense Support] em0: Watchdog timeout -- resetting

2009-01-03 Thread Nathan Eisenberg
 to UP
em5: link state changed to UP
em5: link state changed to DOWN
em4: link state changed to DOWN
pflog0: promiscuous mode enabled
em5: link state changed to UP
ukbd0: Generic USB+PS2 Keyboard, class 0/0, rev 1.10/2.02, addr 2 on uhub0
kbd2 at ukbd0
uhid0: Generic USB+PS2 Keyboard, class 0/0, rev 1.10/2.02, addr 2 on uhub0
em4: link state changed to UP
ukbd0: at uhub0 port 1 (addr 2) disconnected
ukbd0: detached
uhid0: at uhub0 port 1 (addr 2) disconnected
uhid0: detached
em5: link state changed to DOWN

Thank You,
Nathan Eisenberg
Sr. Systems Administrator
Atlas Networks, LLC
Atlas Networks is an Atlas Accelerator Company
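The dmesg excerpt above shows em4 and em5 bouncing between UP and DOWN. As an added illustration (not from the original post and not part of pfSense), here is a small Python check that pulls FreeBSD link-state and watchdog messages out of a dmesg capture, counts them per interface, and lists the interfaces worth investigating. The sample input reuses the link-state lines from the excerpt plus one constructed `em0: Watchdog timeout -- resetting` line (the message in the thread's subject, not present in the excerpt) so that path is exercised; the three-transition threshold is an arbitrary assumption.

```python
import re
from collections import defaultdict

# FreeBSD if_em / ifnet messages seen in this thread.
LINK_RE = re.compile(r"^(?P<ifname>[a-z]+\d+): link state changed to (?P<state>UP|DOWN)$")
WATCHDOG_RE = re.compile(r"^(?P<ifname>[a-z]+\d+): Watchdog timeout -- resetting$")

# Sample input: link-state lines from the dmesg excerpt above, plus one constructed
# watchdog line (the message in the thread's subject) that is not in the excerpt.
SAMPLE_DMESG = [
    "em5: link state changed to UP",
    "em5: link state changed to DOWN",
    "em4: link state changed to DOWN",
    "pflog0: promiscuous mode enabled",
    "em5: link state changed to UP",
    "ukbd0: Generic USB+PS2 Keyboard, class 0/0, rev 1.10/2.02, addr 2 on uhub0",
    "em4: link state changed to UP",
    "em0: Watchdog timeout -- resetting",  # constructed, not in the excerpt
    "em5: link state changed to DOWN",
]


def summarize_link_events(lines):
    """Count link transitions and watchdog resets per interface.

    Returns {ifname: {"transitions": int, "watchdog_resets": int, "last_state": str|None}}.
    Unrelated dmesg lines (USB, pflog, ...) are ignored.
    """
    summary = defaultdict(lambda: {"transitions": 0, "watchdog_resets": 0, "last_state": None})
    for raw in lines:
        line = raw.strip()
        m = LINK_RE.match(line)
        if m:
            entry = summary[m.group("ifname")]
            entry["transitions"] += 1
            entry["last_state"] = m.group("state")
            continue
        m = WATCHDOG_RE.match(line)
        if m:
            summary[m.group("ifname")]["watchdog_resets"] += 1
    return dict(summary)


def suspect_interfaces(summary, min_transitions=3):
    """Interfaces worth a look: any watchdog reset, or at least `min_transitions`
    UP/DOWN changes in the captured window (the threshold is an arbitrary assumption)."""
    return sorted(name for name, e in summary.items()
                  if e["watchdog_resets"] > 0 or e["transitions"] >= min_transitions)


if __name__ == "__main__":
    s = summarize_link_events(SAMPLE_DMESG)
    for name in sorted(s):
        print(name, s[name])
    print("suspect:", suspect_interfaces(s))
```

Feed it `dmesg` output or /var/log/system.log lines; a single DOWN/UP pair is normal during boot, but repeated transitions or any watchdog reset on the same interface is what separates a flapping port from a one-off.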








[pfSense Support] Running PFSense as XEN Guest

2008-10-21 Thread Nathan Eisenberg
Hello,

I am looking at deploying a pair of virtual load balancers for a very 
specific application. I was wondering if anyone has managed to get PFSense 
installed and running under XEN in either para or full virtualization? I 
would be running the latest XEN build, if that makes a difference.

Thank You,

Atlas Networks is an Atlas Accelerator Company