RE: [pfSense Support] Multiplan WAN IPs on same interface via DHCP
No progress yet. Guess having a six-week old kid and a big birthday party didn't help :-)

Anyway, here's what I want to get ready for 1.1:

- Capability to create virtual interfaces bridged to physical or logical (e.g. vlan) adapters

Why we'd want to have that:

- Ability to obtain multiple WAN IPs using DHCP (and then use advanced NAT features, e.g. for multiple web servers, multiple game hosts requiring a specific port, etc.)
- Serve multiple IP networks on a single physical interface without vlan tagging (if you really want to)
- Multiple IP networks per vlan (no comment)

(no virtual access points such as described in http://www.solunet.com/wp/Colubris/WhitePapers/wp_vap.pdf, sorry, guys)

As far as the GUI's concerned, each of those virtual interfaces will look like a physical NIC, complete with MAC spoofing capabilities et al.

I'm still trying to get my head around the different scripts, etc. that make up pfSense, so I could really use some pointers on where to look for the files/scripts that

- is run when configuring the interfaces from the console (the "do you want to create vlans now?" one)
- sets up the vlans and if configs (guess the code for setting up virtual ifs should go there)
- builds the pf rules (might need a rule to pass packets from the physical if to the virtual one from what I've seen so far)

And I'll need to be able to check to make sure the physical interface is not wireless (results could be quite unpredictable).

Thanks for your help and any other tips on what I should be looking out for in order not to make my life miserable :-)

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 25 October 2005 17:58
To: support@pfsense.com
Subject: Re: [pfSense Support] Multiplan WAN IPs on same interface via DHCP

That's pretty promising. Sounds like we have a prospect for 1.1!

Scott

- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] Multiplan WAN IPs on same interface via DHCP
On 10/28/05, Scott Ullrich [EMAIL PROTECTED] wrote:

Thanks for your help and any other tips on what I should be looking out for in order not to make my life miserable :-)

No, thank you for doing all the leg work on this. This is quite interesting and if we can make it work then it somewhat removes the need for proxy-arp from what I can tell? We can relatively easily tie this into the Virtual IP screen. A new type 'logical' and allow the IP to be either static or DHCP. I think we need to do some reworking on how NAT happens to make this fully doable (as you've already noticed), but there is a glimmer of light :)

--Bill
Re: [pfSense Support] Multiplan WAN IPs on same interface via DHCP
On 10/28/05, Bill Marquette [EMAIL PROTECTED] wrote:

We can relatively easily tie this into the Virtual IP screen. A new type 'logical' and allow the IP to be either static or DHCP. I think we need to do some reworking on how NAT happens to make this fully doable (as you've already noticed), but there is a glimmer of light :)

Sounds good to me!
Re: [pfSense Support] Multiplan WAN IPs on same interface via DHCP
That's pretty promising. Sounds like we have a prospect for 1.1!

Scott

On 10/25/05, Thomas [EMAIL PROTECTED] wrote:

Just to let you know, I'm still working on this but am finding precious little time to do so.

Your update for today is: Succeeded in cloning the interfaces on my WRAP box and was able to obtain different IP addresses through dhclient (all this with pf disabled, but so far so good!

Thomas

Depending on what interface names the eiface interfaces come up as try adding:

pass on $eiface any

somewhere above the fallthru deny in /tmp/rules.debug and then do a

pfctl -f /tmp/rules.debug

to reload it. Alternately if you don't mind losing filtering for the purpose of testing to make sure it's not pf (and just not getting logged) try:

pfctl -d

which will disable filtering

pfctl -e

will re-enable when done. The fact that this does work in FreeSBIE makes me suspect pfctl.

Also, o...thought just came to mind, the traffic might be getting NAT'd to the physical IPs address - all the more reason to disable PF for the test :)

--Bill
RE: [pfSense Support] Multiplan WAN IPs on same interface via DHCP
Took me a while to test this, especially since I had to recover from 0.89, which stopped my box from booting (complaining about a parse error in dyndns.class).

Not quite there yet, so here's brain food for the gurus (as I've pointed out before, I'm rather new to BSD, coming from the Wintel world).

First of all, thanks for the modules, Scott. I've later worked out that ng_ether and ng_iface are already in the kernel, so that only ng_eiface was actually required.

I've managed to get the virtual interfaces up and bridged using netgraph, individual MAC addresses and all (don't forget to disable ARP messages or they'll drive you nuts, as you now have multiple interfaces sharing a network).

BUT, it doesn't work. It's as if something was stopping traffic crossing the bridge, even though I don't see an entry in the FW log (default rule).

If I test the same on a FreeSBIE 1.1 box (FreeBSD 5.3), all works fine (well, at least the DHCP server sees the different MAC addresses requesting leases and issues them accordingly, I'll blame the fact that the IP address isn't always contained in the ifconfig output to a feature/bug in 5.3's dhclient).

There's probably a very easy way to fix this, but I doubt I'll figure it out myself :-)

Thanks

Thomas

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED]
Sent: Friday, 21 October 2005 18:12
To: support@pfsense.com
Subject: Re: [pfSense Support] Multiplan WAN IPs on same interface via DHCP

Great! If you get this working then we will definitely look at adding support to CVS head for this.

Scott
Re: [pfSense Support] Multiplan WAN IPs on same interface via DHCP
On 10/23/05, Thomas [EMAIL PROTECTED] wrote:

Took me a while to test this, especially since I had to recover from 0.89, which stopped my box from booting (complaining about a parse error in dyndns.class).

Not quite there yet, so here's brain food for the gurus (as I've pointed out before, I'm rather new to BSD, coming from the Wintel world).

First of all, thanks for the modules, Scott. I've later worked out that ng_ether and ng_iface are already in the kernel, so that only ng_eiface was actually required.

I've managed to get the virtual interfaces up and bridged using netgraph, individual MAC addresses and all (don't forget to disable ARP messages or they'll drive you nuts, as you now have multiple interfaces sharing a network).

BUT, it doesn't work. It's as if something was stopping traffic crossing the bridge, even though I don't see an entry in the FW log (default rule).

If I test the same on a FreeSBIE 1.1 box (FreeBSD 5.3), all works fine (well, at least the DHCP server sees the different MAC addresses requesting leases and issues them accordingly, I'll blame the fact that the IP address isn't always contained in the ifconfig output to a feature/bug in 5.3's dhclient).

There's probably a very easy way to fix this, but I doubt I'll figure it out myself :-)

Thanks

Thomas

Depending on what interface names the eiface interfaces come up as try adding:

pass on $eiface any

somewhere above the fallthru deny in /tmp/rules.debug and then do a

pfctl -f /tmp/rules.debug

to reload it. Alternately if you don't mind losing filtering for the purpose of testing to make sure it's not pf (and just not getting logged) try:

pfctl -d

which will disable filtering

pfctl -e

will re-enable when done. The fact that this does work in FreeSBIE makes me suspect pfctl.

Also, o...thought just came to mind, the traffic might be getting NAT'd to the physical IPs address - all the more reason to disable PF for the test :)

--Bill
RE: [pfSense Support] Multiplan WAN IPs on same interface via DHCP
Guys

I'm still eager to try this. Unfortunately, I need the ng_ether.ko, ng_bridge.ko and ng_eiface.ko modules that are not part of the pfSense Embedded image (no reason why they should be at this time, anyway).

Could anyone compile them for me and send them through, I don't currently have the possibility of setting up a machine to do so myself.

Thanks

Thomas

-Original Message-

[snip]

Maybe this could do the trick: http://www.essenz.com/support/lists/hackers/20040509/27.html?

[snip]

On 10/13/05, Thomas [EMAIL PROTECTED] wrote:

My cable ISP allows me to obtain up to 5 IP addresses via DHCP (nope, no static addresses here, they cost a fortune). For the sake of having more control over NAT and port mappings, I'd like to be able to use more than the single IP address obtained by pfSense out of the box.

By chance have you tried this? It's not really supported at the moment but I have been reviewing some freebsd archives and it may be possible if I do some tweaks to dhclient-script. I need to setup a testing environment to verify. If you have set this up can you send me your dhclient logs from the system logs area?

[snip]

Scott
Re: [pfSense Support] Multiplan WAN IPs on same interface via DHCP
On 10/21/05, Thomas [EMAIL PROTECTED] wrote:

Guys

I'm still eager to try this. Unfortunately, I need the ng_ether.ko, ng_bridge.ko and ng_eiface.ko modules that are not part of the pfSense Embedded image (no reason why they should be at this time, anyway).

Could anyone compile them for me and send them through, I don't currently have the possibility of setting up a machine to do so myself.

Just curious as to what you are going to try with these modules. I have been looking around but still cannot find how the isp is issuing multiple ip's with one mac address. Maybe a custom dhcp server?

Scott
Re: [pfSense Support] Multiplan WAN IPs on same interface via DHCP
On 10/21/05, Scott Ullrich [EMAIL PROTECTED] wrote:

On 10/21/05, Thomas [EMAIL PROTECTED] wrote:

Guys

I'm still eager to try this. Unfortunately, I need the ng_ether.ko, ng_bridge.ko and ng_eiface.ko modules that are not part of the pfSense Embedded image (no reason why they should be at this time, anyway).

Could anyone compile them for me and send them through, I don't currently have the possibility of setting up a machine to do so myself.

Just curious as to what you are going to try with these modules. I have been looking around but still cannot find how the isp is issuing multiple ip's with one mac address. Maybe a custom dhcp server?

I suspect what he's trying to do with eiface is create multiple virtual interfaces on the firewall and bridge them to the external NIC. Presumably each of these interfaces would have their own MAC address (or at least we could ifconfig -lladdr them - that the right syntax?) and run dhclient on them. Correct guess Thomas?

--Bill
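The approach described in the message above (eiface nodes bridged to the external NIC, each with its own MAC address, each running dhclient) can be written down as a command plan. This is an added example, not code from anyone in the thread: the NIC name em0, the bridge node name wanbr, the ngethN numbering and the base MAC are assumptions or constructed values. Derived MACs get the locally administered bit set so they cannot collide with a vendor-assigned address.

```shell
#!/bin/sh
# Added example: prints (does not run) the netgraph/ifconfig/dhclient commands
# for N virtual WAN interfaces bridged onto one physical NIC.

# la_mac BASE_MAC INDEX -> unicast, locally administered MAC derived from BASE_MAC.
# The body runs in a subshell so the IFS and globbing changes stay local.
la_mac() (
    n=$2
    IFS=:
    set -f
    set -- $1
    [ $# -eq 6 ] || exit 1
    for o in "$@"; do
        case $o in
            [0-9a-fA-F][0-9a-fA-F]) ;;
            *) exit 1 ;;
        esac
    done
    # First octet: set the locally-administered bit (0x02), clear multicast (0x01).
    o1=$(( (0x$1 | 0x02) & 0xfe ))
    # Last octet: offset by the index so every virtual interface differs.
    o6=$(( (0x$6 + n) & 0xff ))
    printf '%02x:%s:%s:%s:%s:%02x\n' "$o1" "$2" "$3" "$4" "$5" "$o6"
)

# plan_vwan NIC BASE_MAC COUNT -> one command per line on stdout.
# Assumes no ngeth interfaces exist yet, so new ones come up as ngeth0, ngeth1, ...
plan_vwan() {
    nic=$1 base=$2 count=$3 br=wanbr
    # Wire side of the NIC ("lower" hook) becomes bridge link0 ...
    echo "ngctl mkpeer $nic: bridge lower link0"
    echo "ngctl name $nic:lower $br"
    # ... and the host stack side ("upper" hook) becomes link1.
    echo "ngctl connect $nic: $br: upper link1"
    # Receive frames addressed to the extra MACs; do not rewrite source MACs.
    echo "ngctl msg $nic: setpromisc 1"
    echo "ngctl msg $nic: setautosrc 0"
    i=0
    while [ "$i" -lt "$count" ]; do
        mac=$(la_mac "$base" $((i + 1))) || return 1
        echo "ngctl mkpeer $br: eiface link$((i + 2)) ether"
        echo "ifconfig ngeth$i ether $mac up"
        echo "dhclient ngeth$i"
        i=$((i + 1))
    done
}

# Usage: sh vwan.sh plan em0 00:0d:b9:12:34:56 3   (MAC here is a constructed sample)
if [ "${1:-}" = "plan" ]; then
    plan_vwan "$2" "$3" "$4"
fi
```

Review the printed plan before running any of it on the firewall; the thread's later messages note that pf rules and NAT still need attention once the interfaces are up.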
Re: [pfSense Support] Multiplan WAN IPs on same interface via DHCP
On 10/21/05, Bill Marquette [EMAIL PROTECTED] wrote:

I suspect what he's trying to do with eiface is create multiple virtual interfaces on the firewall and bridge them to the external NIC. Presumably each of these interfaces would have their own MAC address (or at least we could ifconfig -lladdr them - that the right syntax?) and run dhclient on them. Correct guess Thomas?

BTW, if nobody gets this working in the next few weeks, there's a good chance I'll end up looking into this too as I'll be moving and the ISP in the new location gives out DHCP assigned statics.

--Bill
RE: [pfSense Support] Multiplan WAN IPs on same interface via DHCP
Awesome. Expect to hear from me within the next 48 hours.

Thanks a lot

Thomas

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED]
Sent: Friday, 21 October 2005 17:52
To: support@pfsense.com
Subject: Re: [pfSense Support] Multiplan WAN IPs on same interface via DHCP

On 10/21/05, Bill Marquette [EMAIL PROTECTED] wrote:

I suspect what he's trying to do with eiface is create multiple virtual interfaces on the firewall and bridge them to the external NIC. Presumably each of these interfaces would have their own MAC address (or at least we could ifconfig -lladdr them - that the right syntax?) and run dhclient on them. Correct guess Thomas?

That's sneaky and I like it. Here's the modules:

http://www.pfsense.com/~sullrich/ng_eiface.ko
http://www.pfsense.com/~sullrich/ng_bridge.ko
http://www.pfsense.com/~sullrich/ng_iface.ko

Scott
Re: [pfSense Support] Multiplan WAN IPs on same interface via DHCP
Great! If you get this working then we will definitely look at adding support to CVS head for this.

Scott

On 10/21/05, Thomas [EMAIL PROTECTED] wrote:

Awesome. Expect to hear from me within the next 48 hours.

Thanks a lot

Thomas

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED]
Sent: Friday, 21 October 2005 17:52
To: support@pfsense.com
Subject: Re: [pfSense Support] Multiplan WAN IPs on same interface via DHCP

On 10/21/05, Bill Marquette [EMAIL PROTECTED] wrote:

I suspect what he's trying to do with eiface is create multiple virtual interfaces on the firewall and bridge them to the external NIC. Presumably each of these interfaces would have their own MAC address (or at least we could ifconfig -lladdr them - that the right syntax?) and run dhclient on them. Correct guess Thomas?

That's sneaky and I like it. Here's the modules:

http://www.pfsense.com/~sullrich/ng_eiface.ko
http://www.pfsense.com/~sullrich/ng_bridge.ko
http://www.pfsense.com/~sullrich/ng_iface.ko

Scott
RE: [pfSense Support] Multiplan WAN IPs on same interface via DHCP
Maybe this could do the trick: http://www.essenz.com/support/lists/hackers/20040509/27.html?

Don't seem to be able to create an eiface with the ether protocol, though (could do an iface with inter, but no way to specify the MAC address on that).

I'm 100% *nix-Illiterate, so I've got no idea what I'm looking for to further try this :-)

Thanks for any help.

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED]
Sent: Saturday, 15 October 2005 21:59
To: support@pfsense.com
Subject: Re: [pfSense Support] Multiplan WAN IPs on same interface via DHCP

First I need to figure out how to force dhcpd to give out multiple ip's for a mac. Anyone know this off-hand?

On 10/13/05, Thomas [EMAIL PROTECTED] wrote:

Didn't dare try this yet, as I was looking for a way to request multiple leases using different MAC addresses (coming from the Wintel world, I've yet to see a DHCP server that issues more than one lease for the same MAC).

If you can point me in the right direction (the archives you looked at suggesting it may be possible), I'll be happy to have a go.

Thomas

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED]
Sent: Thursday, 13 October 2005 18:45
To: support@pfsense.com
Subject: Re: [pfSense Support] Multiplan WAN IPs on same interface via DHCP

On 10/13/05, Thomas [EMAIL PROTECTED] wrote:

My cable ISP allows me to obtain up to 5 IP addresses via DHCP (nope, no static addresses here, they cost a fortune). For the sake of having more control over NAT and port mappings, I'd like to be able to use more than the single IP address obtained by pfSense out of the box.

By chance have you tried this? It's not really supported at the moment but I have been reviewing some freebsd archives and it may be possible if I do some tweaks to dhclient-script. I need to setup a testing environment to verify. If you have set this up can you send me your dhclient logs from the system logs area?

Here's what I was thinking:

- Is it possible to define multiple virtual interfaces (not VLANs) on one physical one, each with its own (spoofed) MAC address? They'd then be configured as DHCP-Interfaces in pfSense and get their own (different IPs).

That would be ideal, but I don't think the interfaces are clonable.

- If so, would it be possible (OK, now I'm asking a bit much here) to get DynDNS for each of them?

This for sure will not work.

Scott
Re: [pfSense Support] Multiplan WAN IPs on same interface via DHCP
On 10/13/05, Thomas [EMAIL PROTECTED] wrote:

My cable ISP allows me to obtain up to 5 IP addresses via DHCP (nope, no static addresses here, they cost a fortune). For the sake of having more control over NAT and port mappings, I'd like to be able to use more than the single IP address obtained by pfSense out of the box.

By chance have you tried this? It's not really supported at the moment but I have been reviewing some freebsd archives and it may be possible if I do some tweaks to dhclient-script. I need to setup a testing environment to verify. If you have set this up can you send me your dhclient logs from the system logs area?

Here's what I was thinking:

- Is it possible to define multiple virtual interfaces (not VLANs) on one physical one, each with its own (spoofed) MAC address? They'd then be configured as DHCP-Interfaces in pfSense and get their own (different IPs).

That would be ideal, but I don't think the interfaces are clonable.

- If so, would it be possible (OK, now I'm asking a bit much here) to get DynDNS for each of them?

This for sure will not work.

Scott
RE: [pfSense Support] Multiplan WAN IPs on same interface via DHCP
Didn't dare try this yet, as I was looking for a way to request multiple leases using different MAC addresses (coming from the Wintel world, I've yet to see a DHCP server that issues more than one lease for the same MAC).

If you can point me in the right direction (the archives you looked at suggesting it may be possible), I'll be happy to have a go.

Thomas

-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED]
Sent: Thursday, 13 October 2005 18:45
To: support@pfsense.com
Subject: Re: [pfSense Support] Multiplan WAN IPs on same interface via DHCP

On 10/13/05, Thomas [EMAIL PROTECTED] wrote:

My cable ISP allows me to obtain up to 5 IP addresses via DHCP (nope, no static addresses here, they cost a fortune). For the sake of having more control over NAT and port mappings, I'd like to be able to use more than the single IP address obtained by pfSense out of the box.

By chance have you tried this? It's not really supported at the moment but I have been reviewing some freebsd archives and it may be possible if I do some tweaks to dhclient-script. I need to setup a testing environment to verify. If you have set this up can you send me your dhclient logs from the system logs area?

Here's what I was thinking:

- Is it possible to define multiple virtual interfaces (not VLANs) on one physical one, each with its own (spoofed) MAC address? They'd then be configured as DHCP-Interfaces in pfSense and get their own (different IPs).

That would be ideal, but I don't think the interfaces are clonable.

- If so, would it be possible (OK, now I'm asking a bit much here) to get DynDNS for each of them?

This for sure will not work.

Scott