Re: [pfSense Support] Can captive portal authenticate based on windows login
Ryan wrote:
>> Without seeing the CP screen, automatically logging them in with Windows credentials, no. You can authenticate them on the CP screen with RADIUS using their Windows credentials to IAS on a Windows Server DC (if you're using AD).
>
> I kinda thought that was the case. Thank you for your help Chris. Do you know of anything that might do this?

I don't know if the Captive Portal can be coerced to support LDAP or Kerberos, but I have heard of people achieving a single sign-on type setup with Squid that way.

Jim

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com
Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] Can captive portal authenticate based on windows login
That is the type of setup I was describing, where they sign on once (in Windows) and then further authentication happens in the background via Kerberos/LDAP/AD/etc. I can't find the exact article I read before, but this describes sort of what I was talking about:

http://klaubert.wordpress.com/2008/01/09/squid-kerberos-authentication-and-ldap-authorization-in-active-directory/

Which still may not be quite what the OP had in mind, but closer. You are correct that it isn't handled by anything in pfSense currently, but it doesn't seem out of the realm of possibility if someone had the knowledge (or money) for such a project.

Jim

Dimitri Rodis wrote:
> Single Sign-on (aka one set of credentials) is one thing, the captive portal's ability to automatically _receive_ (and authenticate) the credentials from the requesting client/browser is another. Unless I'm misunderstanding, Ryan wants to get rid of the username/password prompt from the captive portal, and have the current windows logon credentials automatically pass to the captive portal, which is currently not possible with pfSense-- ISA Server is the only thing I know of that does this.
>
> Dimitri Rodis
> Integrita Systems LLC
> http://www.integritasystems.com
Re: [pfSense Support] Pfsense + Postfix (Relay)
Jean Carlos Coelho wrote:
> It is possible to install postfix in pfsense 1.2.2 only for mail relay? How can I install it? (I am a newbie), thanks!!

While it may be _possible_, it would not be _recommended_ or even _wise_ to run a full MTA on your firewall. Can you do it? Maybe. Should you do it? Probably not. You may not find many people willing to help answer that question because of that fact.

There is some information on the Documentation Wiki about installing FreeBSD packages, but beyond that you are on your own for things of that nature.

I would suggest you find another way to relay your mail that wouldn't drastically reduce your security and threaten the integrity of your firewall.

Jim
Re: [pfSense Support] Pfsense + Postfix (Relay)
Paul Mansfield wrote:
> has anyone considered a transparent redirection of SMTP to a specific SMTP relay, so that (e.g.) captive portal clients on wifi hotspot can't send email without some level of control. this might also solve the OP's problem of providing an smtp relay without actually doing much.

There is a bounty thread on the forum for an SMTP proxy (proxsmtp) which has the ability to perform custom actions upon messages.

http://forum.pfsense.org/index.php/topic,14551.0.html

That's a bit better than running a full MTA.

Jim
Re: [pfSense Support] PFSense 1.2.3RC1 / Problems with IPSEC and AES256
Benjamin Fromme wrote:
> Hi List,
>
> we have several tunnels between some pfsense 1.2.2 boxes. For phase 2 we have configured AES256 as the only encryption algorithm and everything works fine. Now we upgraded one of the boxes to pfsense 1.2.3RC1 and all tunnels on this box are broken. The 1.2.2 boxes show the tunnel as working, on the 1.2.3RC1 box we see the following in the logs:
>
> [snip]
>
> When we configure the tunnels with 3DES instead of AES everything works fine again?! Any ideas? Thanks!

Can you try a more recent 1.2.3-RC snapshot based on FreeBSD 7.2? ipsec-tools was upgraded to a version from their CVS tree, 0.8-something. It's been working great for me, it fixed a lot of DPD/Peer Loss issues, and seems to work fine. I haven't tried it with AES yet, but it may help in your situation.

Jim
Re: [pfSense Support] dhcp and arp list errors
and...@fiberby.dk wrote:
> Hi
>
> Does anyone have an explanation/solution to these errors:
>
> When choosing DHCP leases I get the following error:
> Fatal error: Allowed memory size of 33554432 bytes exhausted (tried to allocate 35 bytes) in /usr/local/www/diag_dhcp_leases.php on line 74
>
> When choosing ARP Tables I get the following error:
> Fatal error: Allowed memory size of 33554432 bytes exhausted (tried to allocate 35 bytes) in /usr/local/www/diag_arp.php on line 59
>
> Kind regards
> Anders

It would have to be enormous, but I suppose this could happen with an extraordinarily large dhcpd.leases file. It's used to populate both of those pages.

Jim
Re: SV: [pfSense Support] dhcp and arp list errors
and...@fiberby.dk wrote:
> Potentially 1000-1200 clients. I have another running 1.2.2 Super PDSMi+ (http://www.supermicro.com/products/system/1U/5015/SYS-5015M-MR+.cfm) P4 single core 1Gb ram 2Gb Flash on module. At the moment it has 1033 dhcp-clients and has none of the listed problems.

The size of the client pool isn't as important as the size of the dhcpd.leases file itself. Go to Diagnostics > Command and execute this:

ls -l /var/dhcpd/var/db/dhcpd.leases

I'd be interested in the output from the working and the broken system.

Jim
Re: SV: SV: [pfSense Support] dhcp and arp list errors
and...@fiberby.dk wrote:
> This is from the broken system:
>
> -rw-r--r-- 1 dhcpd _dhcp 39935156 Jun 9 21:30 /var/dhcpd/var/db/dhcpd.leases
>
> 15 minutes later:
>
> -rw-r--r-- 1 dhcpd _dhcp 77714885 Jun 9 21:45 /var/dhcpd/var/db/dhcpd.leases
>
> I've found one malfunctioning device that was sending 1000pps out on the dhcp protocol. I shut it off.. The error is still there. Is there any way I can reset the dhcpd.leases file?
>
> And by the way. Thank you for taking the interest:)

That would do it, the dhcpd.leases file is larger than the memory a single PHP process is allowed to take up in your case (32MB).

Stopping and restarting the dhcpd service may be enough, it is supposed to clear out duplicate leases when it is reloaded. If the malfunctioning device is shut off, it shouldn't continue to grow.

Status > Services, click the restart (|) button next to dhcpd.

Jim
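The exchange above turns on two facts: dhcpd appends a record every time it hands out a lease and only drops the stale duplicates when it rewrites the file, and the pfSense GUI reads the whole file into one PHP process capped at 33554432 bytes. The following script, an added example that is not pfSense's own code, parses a dhcpd.leases file in the dhcpd.leases(5) format, reports how duplicated it is and whether it would exceed that limit, and produces the compacted form dhcpd would write on restart (newest record per address). The sample leases are constructed; the memory limit is the one from the error message in the thread.

```python
"""Inspect and compact an ISC dhcpd.leases file (added example, not pfSense code).

dhcpd appends a new record every time a lease is (re)issued and only rewrites the
file on restart, keeping the newest record per address. A client flooding DHCP
therefore bloats the file with duplicates until the GUI's PHP process, which reads
the whole file, hits its memory limit. The record layout follows dhcpd.leases(5)."""
import re
import sys

# memory_limit of the pfSense 1.2.x web GUI, as reported in the thread's error message
PHP_MEMORY_LIMIT = 33554432

LEASE_START = re.compile(r"^lease\s+(\d{1,3}(?:\.\d{1,3}){3})\s*\{")

# Constructed sample: 192.168.1.10 was issued twice, so its first record is stale.
SAMPLE_LEASES = """\
# The format of this file is documented in the dhcpd.leases(5) manual page.
lease 192.168.1.10 {
  starts 2 2009/06/09 21:30:00;
  ends 2 2009/06/09 23:30:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "laptop";
}
lease 192.168.1.11 {
  starts 2 2009/06/09 21:31:00;
  ends 2 2009/06/09 23:31:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:66;
}
lease 192.168.1.10 {
  starts 2 2009/06/09 21:32:00;
  ends 2 2009/06/09 23:32:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "laptop";
}
"""


def parse_leases(text):
    """Return (ip, record_text) tuples in file order.

    A record runs from a 'lease A.B.C.D {' line at column 0 to the closing '}'.
    Comments and blank lines between records are ignored."""
    records, current_ip, buf = [], None, []
    for line in text.splitlines():
        if current_ip is None:
            match = LEASE_START.match(line)
            if match:
                current_ip, buf = match.group(1), [line]
            continue
        buf.append(line)
        if line.strip() == "}":
            records.append((current_ip, "\n".join(buf)))
            current_ip, buf = None, []
    return records


def lease_stats(text):
    """Summarise duplication and whether the raw file would exceed the PHP limit."""
    records = parse_leases(text)
    per_ip = {}
    for ip, _ in records:
        per_ip[ip] = per_ip.get(ip, 0) + 1
    worst_ip, worst_count = max(per_ip.items(), key=lambda kv: kv[1]) if per_ip else (None, 0)
    size = len(text.encode())
    return {
        "bytes": size,
        "records": len(records),
        "unique_ips": len(per_ip),
        "worst_ip": worst_ip,
        "worst_count": worst_count,
        "exceeds_php_limit": size > PHP_MEMORY_LIMIT,
    }


def compact_leases(text):
    """Keep only the newest record per IP, as dhcpd does when it rewrites the file.

    Later declarations override earlier ones, so the last record wins; addresses
    keep their first-seen order."""
    latest = {}
    for ip, record in parse_leases(text):
        latest[ip] = record
    return "\n".join(latest.values()) + "\n"


if __name__ == "__main__":
    # Usage: python compact_leases.py [/var/dhcpd/var/db/dhcpd.leases]  (stop dhcpd first)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LEASES
    stats = lease_stats(text)
    print(f"{stats['bytes']} bytes, {stats['records']} records for {stats['unique_ips']} addresses")
    print(f"most duplicated: {stats['worst_ip']} ({stats['worst_count']} records)")
    if stats["exceeds_php_limit"]:
        print("file is larger than the GUI's PHP memory_limit; expect the Fatal error")
    print(f"compacted size would be {len(compact_leases(text).encode())} bytes")
```

Run it against a copy of the leases file rather than the live one; only dhcpd should write to the real file, and the restart described in the reply is the supported way to get it rewritten.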
Re: [pfSense Support] CARP and Bridging
Joseph Hardeman wrote:
> One other question now that I think of it. Does CARP work between two firewalls that are running in full Bridge mode, no NATing done at all, just port blocking on the WAN interface? We have two firewalls and I want to make sure any states are kept intact on the chance we have to failover to the secondary.

I've done something similar with a CARP cluster that has a LAN and DMZ, where the DMZ is bridged to WAN. I have my switches doing STP and shutting down the ports for the inactive firewall, but there are other ways to get it done, too.

There are a couple of concepts discussed in this forum thread:

http://forum.pfsense.org/index.php/topic,4984.0.html

Those involve keeping the bridge interface on the backup unit down until it becomes master. The first is a script that runs from cron that checks every minute to see if the change has happened, and brings the bridge up if a system is master. The main downside is that you have to wait on the cron script to run to see the change.

The second is only possible in 1.2.3-RC snapshots and on 2.0, where you can use devd to catch the transition event and call a script to change the bridge accordingly at the exact moment it happens, no waiting for cron to run and pick up on the change. Going this route is faster, but may cause some weirdness if you see the CARP transition flapping at all.

In 2.0 I believe you can configure STP right on the bridge interface which may be the better way in the long run.

Jim
Re: [pfSense Support] trying to boot embedded image fails
Joseph L. Casale wrote:
> I have an HP DL120 G5 I am trying to use pfSense-1.2.3-RC1-Embedded on and it just hangs on the bootloader. I am using a 4gig USB key that I wrote the img to. Are there any particular bios requirements for this to work or other setup requirements?

I have seen some BIOS that would only boot from a USB key in that case after a BIOS update and some option twiddling (though I don't recall what).

We have also seen that some embedded devices require booting in packet mode or nopacket mode, depending on the BIOS it could be one or the other. This can be changed, but requires plugging the device into another FreeBSD box or another pfSense box and running:

boot0cfg -o packet /dev/da0

Where packet can also be nopacket, and /dev/da0 is the full path to the USB device as seen by the OS (check dmesg). I don't recall what the RC1 images are, but the current nanobsd snapshots should be using packet mode.

Before doing much else, I'd also try a more recent snapshot than RC1.

Jim
Re: [pfSense Support] trying to boot embedded image fails
Joseph L. Casale wrote:
> Are you speaking of these:
> http://snapshots.pfsense.org/FreeBSD_RELENG_7_2/pfSense_RELENG_1_2/nanobsd/
>
> The pfSense-1.2.3-512mb-20090723-1908-nanobsd.img image didn't hang the server but it just sat at a blinking cursor:)
>
> Sorry, spoke too soon! Same result. I wait for a suggestion on what freebsd iso to yank and get a desktop installed tomorrow to make that change you suggested.

The nanobsd/embedded images switch to a serial console during the boot process, did you try using the serial console with that snapshot?

Any FreeBSD install will work for that packet/nopacket change, even a pfSense system.
Re: [pfSense Support] no job control
David Burgess wrote:
> http://www.mail-archive.com/support@pfsense.com/msg05025.html
>
> After about 4 months on pfsense I'm now seeing this message in the console,
>
> Warning: no access to tty (Inappropriate ioctl for device). Thus no job control in this shell.
>
> The above-linked thread is over three years old now, do we have any new insight into this message?

IIRC it was due to something trying to mute the video console while it is really using serial. It is fixed (mostly?) on the 1.2.3-RC2 nanobsd snapshots, and doesn't seem to happen on 2.0 either.

Jim
Re: [pfSense Support] no job control
David Burgess wrote:
> On Wed, Aug 5, 2009 at 6:10 AM, Jim Pingle li...@pingle.org wrote:
>> IIRC it was due to something trying to mute the video console while it is really using serial. It is fixed (mostly?) on the 1.2.3-RC2 nanobsd snapshots, and doesn't seem to happen on 2.0 either.
>
> I'm using 1.2.3-RC1 on a (headless) soekris net5501, so I gather I can just ignore the messages then.

They have some side effects, like not being able to use CTRL-C to break out of things like ping, so they aren't entirely ignorable, but are typically just an annoyance.

You should probably be running one of the more recent nanobsd snapshots anyhow, they can use all the testing they can get. :-)

Jim
Re: [pfSense Support] pfSense Blocking some traffic
Joseph Hardeman wrote:
> However I am seeing entries captured in my firewall logs where visitors are being denied per the Default deny rule at the very bottom of the pf rules. My question is why are my explicit rules not capturing the entries before it gets to the last rule? And also, how can I disable those two rules or can they be disabled?

My guess is that you're really seeing this:

http://doc.pfsense.org/index.php/Logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection%2C_why%3F

And no traffic is actually being dropped.

Jim
Re: [pfSense Support] dynamic load balancing
Michel Servaes wrote:
> I am wondering if the following would be possible - and how to start with it. I have this SDSL and ADSL connection, where our ADSL has a download limit of 25GB/month. If one bypasses the 25GB, the connection drops from 10mbits to 64kbits! How can I make pfSense see this, so if this happens the connection switches over to the SDSL connection (being 1mbit, still better than 64kbits)?

You might be able to pull a traffic total from the RRD file for WAN, but it wouldn't necessarily be realtime, you'd have to have a cron script check every so often, and then trigger some other script to actually run some commands to switch.

This assumes, of course, that there is no accidental loss of RRD graph data for some reason.

Jim
Re: [pfSense Support] potential pfsense hardware
Ryan wrote:
> I'm thinking about picking up a Supermicro Atom based system for use with pfSense:
> http://www.supermicro.com/products/system/1U/5015/SYS-5015A-H.cfm?typ=H
>
> Any thoughts on potential issues with running pfSense on this hardware? The realtek nics they use are not the best. I wish they would use intel. It is an intel board after all.

I've been looking at something like that, or the MSI IM-945GSE.

http://www.orbitmicro.com/global/ms-9830-010-p-9546.html?ref=base

The MSI board has 2x Intel gigabit NICs.

I like the SuperMicro box though, especially the short 1U case, would be perfect for telco/2-post racks. I'd only question the NIC support, and it seems like that might be ok now:

http://www.freebsd.org/cgi/query-pr.cgi?pr=123123

That went in before 7.2 was out, so you'd probably need a 1.2.3-RC2 snap.
Re: [pfSense Support] racoon message: racoon: ERROR: libipsec failed pfkey align (Invalid sadb message)
luismi wrote:
> Is there anyone here with experience with this message racoon: ERROR: libipsec failed pfkey align (Invalid sadb message)? Pfsense version is 1.2.2 and the remote side is a cisco router. Everything seems to be ok, but we have some connectivity problems with some servers and I don't know if they are related with that message.

I've seen that before but it's never really been a fatal condition. The tunnels have continued to work despite it.

http://doc.pfsense.org/index.php/IPsec_Troubleshooting#Failed_pfkey_align

Jim
Re: [pfSense Support] Hardware dimensioning: Alix boards
Chris Bagnall wrote:
> We've been using Alix boards (2C1 initially, now 2D1 - 400Mhz Geode, 128MB RAM) for a few years with pfSense. One of our clients, whose network is normally about 50 users, is running an event this weekend which will see the number of connected devices rise to about 300. Does anyone have any experience as to whether the little Alix system will handle that number of users? The router is only doing fairly basic functions - DHCP, DNS and a small number of routing rules (no WLAN, no traffic shaping, etc.).

I don't have any ALIX boxes with that many people behind them, so perhaps someone else may have more input into that specific scenario.

That said, in my (albeit limited) testing those devices don't care so much about the amount of clients behind them as much as the throughput. You may want to monitor the number of states just to be safe. They are very CPU limited when it comes to server tasks.

If you are just running basic services and no VPNs, as long as you keep the throughput under 80-85Mbit/s you should be OK. If your Internet link is well under that limit, you shouldn't have any problems.

Jim
Re: [pfSense Support] SNMP oid's for bandwidth
Ståle Johnsen wrote:
> Hi,
>
> I'm trying to monitor in / out bandwidth in bits on wan interface but am having some problems finding the right SNMP oid. I found this one: http://cvstrac.pfsense.com/tktview?tn=257 but the OID I'm trying doesn't return anything. Does anyone have any better suggestions for bandwidth monitoring on pfsense from a nagios server?

I use Cacti to monitor mine, and it polled the pfSense box when I setup the graphs and listed all the interfaces, and I just chose them from there.

If you need to find the actual OID, you may have to do something like:

snmpwalk -v 2c -c yourcommunity pfsense ip mib-2.interfaces

And then use the resulting OIDs to see what you want (You can also use -On to find the numeric OIDs instead of their textual counterparts).

IIRC, depending on the system, the wan interface will almost never be the same due to various ways the interfaces are detected by the system. You'll have to look in that snmpwalk output, find the interface name which corresponds to your WAN interface, and then use the traffic counters for that interface index number.

For example, my WAN would show up like:

IF-MIB::ifDescr.8 = STRING: vlan0

So then the various counters that end in .8 would be for that interface. (IF-MIB::ifInOctets.8, IF-MIB::ifOutOctets.8, etc)

Jim
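The procedure in the reply, resolve the WAN's ifIndex from ifDescr rather than hard-coding it and then read the octet counters that carry that index, is what a Nagios or Cacti poller has to do on every run. The script below is an added example written for this page, not code from the thread or from pfSense: it parses two constructed snmpwalk samples taken 80 seconds apart, finds the index for vlan0, and converts the ifInOctets/ifOutOctets deltas into bits per second, handling the Counter32 wrap that the constructed input deliberately contains.

```python
"""Locate the WAN ifIndex in snmpwalk output and turn its octet counters into bits/s
(added example; the snmpwalk output below is constructed, not captured from a real box)."""
import re

DESCR_LINE = re.compile(r"^IF-MIB::ifDescr\.(\d+) = STRING: (\S+)$")
OCTET_LINE = re.compile(r"^IF-MIB::(ifInOctets|ifOutOctets)\.(\d+) = Counter32: (\d+)$")
COUNTER32_MODULUS = 2 ** 32

# Two constructed polls of `snmpwalk -v 2c -c yourcommunity pfsense ip mib-2.interfaces`,
# 80 s apart. The WAN is vlan0 at index 8 here; the index differs from box to box.
# ifInOctets.8 wraps between the polls: 4294960000 -> 2704 is 10000 octets, not a negative delta.
WALK_T0 = """\
IF-MIB::ifDescr.1 = STRING: fxp0
IF-MIB::ifDescr.2 = STRING: em0
IF-MIB::ifDescr.8 = STRING: vlan0
IF-MIB::ifInOctets.1 = Counter32: 1000
IF-MIB::ifInOctets.2 = Counter32: 5000
IF-MIB::ifInOctets.8 = Counter32: 4294960000
IF-MIB::ifOutOctets.1 = Counter32: 900
IF-MIB::ifOutOctets.2 = Counter32: 4000
IF-MIB::ifOutOctets.8 = Counter32: 100000
"""
WALK_T1 = """\
IF-MIB::ifDescr.1 = STRING: fxp0
IF-MIB::ifDescr.2 = STRING: em0
IF-MIB::ifDescr.8 = STRING: vlan0
IF-MIB::ifInOctets.1 = Counter32: 1200
IF-MIB::ifInOctets.2 = Counter32: 5100
IF-MIB::ifInOctets.8 = Counter32: 2704
IF-MIB::ifOutOctets.1 = Counter32: 950
IF-MIB::ifOutOctets.2 = Counter32: 4200
IF-MIB::ifOutOctets.8 = Counter32: 475000
"""
POLL_INTERVAL = 80  # seconds between WALK_T0 and WALK_T1


def interface_index(walk_output, ifname):
    """Map an interface name (ifDescr) to its ifIndex.

    Resolve by name on every poll rather than pinning an index, because the
    index assigned to WAN varies with how the system detected its interfaces."""
    for line in walk_output.splitlines():
        match = DESCR_LINE.match(line)
        if match and match.group(2) == ifname:
            return int(match.group(1))
    raise KeyError(f"no ifDescr entry named {ifname!r}")


def octet_counters(walk_output, index):
    """Return {'ifInOctets': n, 'ifOutOctets': n} for one ifIndex."""
    counters = {}
    for line in walk_output.splitlines():
        match = OCTET_LINE.match(line)
        if match and int(match.group(2)) == index:
            counters[match.group(1)] = int(match.group(3))
    return counters


def bits_per_second(old, new, seconds):
    """Rate between two Counter32 samples; a negative delta means the counter wrapped once."""
    delta = new - old
    if delta < 0:
        delta += COUNTER32_MODULUS
    return delta * 8 / seconds


def interface_rates(walk_t0, walk_t1, ifname, seconds):
    """In/out bits per second for ifname between two snmpwalk samples `seconds` apart."""
    index = interface_index(walk_t0, ifname)
    before, after = octet_counters(walk_t0, index), octet_counters(walk_t1, index)
    return {
        "ifindex": index,
        "in_bps": bits_per_second(before["ifInOctets"], after["ifInOctets"], seconds),
        "out_bps": bits_per_second(before["ifOutOctets"], after["ifOutOctets"], seconds),
    }


if __name__ == "__main__":
    rates = interface_rates(WALK_T0, WALK_T1, "vlan0", POLL_INTERVAL)
    print(f"vlan0 is ifIndex {rates['ifindex']}: "
          f"in {rates['in_bps']:.0f} bit/s, out {rates['out_bps']:.0f} bit/s")
```

A Counter32 wraps in roughly 34 seconds at a sustained 1 Gbit/s, so on fast links poll the 64-bit IF-MIB::ifHCInOctets and IF-MIB::ifHCOutOctets (available with SNMP v2c) or poll often enough that at most one wrap can occur between samples.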
Re: [pfSense Support] squid clobbering performance
mayak chunder-qwern wrote:
> hi all,
>
> any reason (or what can i look at) to see why squid transparent proxying is heavily slowing web access ... (w/out proxy, dell.fr takes 3-5 secs, with proxy, dell.fr takes 20+ or more)
>
> running latest stable version in a vmware virtual machine with nice hardware.

Have you tried the suggestion listed here?

http://doc.pfsense.org/index.php/Squid_Package_Tuning#Performance_Tweaks

Jim
Re: [pfSense Support] Vista DHCP Issue
Curtis LaMasters wrote:
> I've searched around and read about others with this issue. Basically I have 5 different Vista laptops that cannot get a DHCP address unless I modify the registry and disable a broadcast setting. Does anybody have a solution to this that would prevent me from having to touch each workstation? They are public computers and not part of a domain otherwise I would just do it via GPO.

This one is new to me. I have Vista machines at home and at work, and at customer sites all behind pfSense and I've never had a problem obtaining an IP address from DHCP. Is there some other contributing factor perhaps?
Re: [pfSense Support] Vista DHCP Issue
Chris Buechler wrote:
> On Thu, Oct 1, 2009 at 4:10 PM, Curtis LaMasters curtislamast...@gmail.com wrote:
>> I've searched around and read about others with this issue. Basically I have 5 different Vista laptops that cannot get a DHCP address unless I modify the registry and disable a broadcast setting. Does anybody have a solution to this that would prevent me from having to touch each workstation?
>
> If you can find a solution for ISC dhcpd we'd implement it. I'm not sure exactly how that ends up set on some Vista systems but not others.

My repair bench segment is also behind pfSense, and it has seen hundreds of different machines of all makes and models, many of them using Vista, and I've not had one yet that couldn't pull an IP address from DHCP on pfSense. It's always Just Worked(tm)

Could this be induced by the switch, perhaps?

Jim
Re: [pfSense Support] Vista DHCP Issue
apiase...@midatlanticbb.com wrote:
> In one situation we had a HP procurve switch installed. We had tons of complaints that vista would not work but XP would. We replaced it with a Cisco 2950 and the complaints stopped. I have no idea why that would cause it to work. I have just come to believe Vista is on par with Windows ME for the worst OS ever.

My switches at work are all Cisco 2924 and 2950s. My one at home is just the back end of a Linksys WRT54Gv5 though. Haven't had a problem with either one. One customer site off the top of my head that also has pfSense+Vista has a 24 port Netgear 10/100 switch. I don't know of anyone with HP switches though personally.

A couple of the threads I read suggested that the replies to a broken Vista request might not be making it out of the NIC on the server side, or if it is, it may not be making it back to the clients. Some tcpdump/wireshark output from a broken request and reply from the server and client might be enlightening. If the packets don't leave the server NIC, you could try a few random things like disabling checksums to see if it makes any difference (not that it should, but it's something to try...)

Jim
Re: [pfSense Support] Vista DHCP Issue
apiase...@midatlanticbb.com wrote:
> I'm wondering if a patch was added to windows update at some point to fix the problem. Is your Vista totally updated?

Just this week I've had my hands on several fully patched Vista machines (including my laptop) as well as two other laptops -- one with Vista and no service packs or updates at all, and one with only SP1 present. All of them worked.

It's very inconsistent. I wish I could reproduce it somewhere, it would make investigating it easier.

I just checked on my laptop, http://support.microsoft.com/kb/928233 (the KB article linked by Chris in another post in this thread) mentions a registry setting to force the broadcast flag off for non-Windows DHCP Servers:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}
DhcpConnForceBroadcastFlag=dword:

On my laptop this is set to 1, and it still works for me. I've even plugged directly into my ALIX with no switch and pulled an IP from there with this laptop, no switch involved.

Makes me really suspect some kind of combination of switch, NIC brand/driver on the pfSense box, or some other interaction of that nature. The only way to track it down is probably to collect more data about setups where the problem appears. When it comes to managed switches, there could even be a setting on the switch that causes (or prevents) the problem from appearing.

Jim
Re: [pfSense Support] CARP switchover to backup because of high traffic
Evgeny Yurchenko wrote:
> Yesterday it happened twice on one of my production firewalls. CPU load was less than 10%. Did not pay attention at the moment but according to RRD number of states was not unusual - 4-5k. I reproduced it in my lab - only test connection, so number of states was less than 100.

When this happens, check the output of ifconfig -a on the master when it won't take back over, see what advskew it is advertising. There are certain failure states that cause it to set an advskew of 240 regardless of what it is actually configured to be. Figuring out what caused that, however, can be a bit trickier.

I push quite a lot of traffic through my pfSense boxes and have never seen them failover in this manner. Nightly backups push just about wire speed through my CARP pair (100MBit).
Re: [pfSense Support] DHCP fatal error in services_dhcp.php line 48
Roberto Greiner wrote:
> Fatal error: Allowed memory size of 33554432 bytes exhausted (tried to allocate 35 bytes) in /usr/local/www/services_dhcp.php on line 48

That is during the DHCP lease cleanup routine. Your /var/dhcpd/var/db/dhcpd.leases file must be huge. It doesn't typically grow that large during normal operation.
Re: [pfSense Support] DHCP fatal error in services_dhcp.php line 48
Roberto Greiner wrote:
> Jim Pingle wrote:
>> Roberto Greiner wrote:
>>> Fatal error: Allowed memory size of 33554432 bytes exhausted (tried to allocate 35 bytes) in /usr/local/www/services_dhcp.php on line 48
>>
>> That is during the DHCP lease cleanup routine. Your /var/dhcpd/var/db/dhcpd.leases file must be huge. It doesn't typically grow that large during normal operation.
>
> It's a new server. No user ever connected to it

Can you check that file just to be sure? If nobody has connected to the server, you can probably safely remove the leases file anyhow.
Re: [pfSense Support] DHCP fatal error in services_dhcp.php line 48
Roberto Greiner wrote:
> Jim Pingle wrote:
>> Roberto Greiner wrote:
>>> Jim Pingle wrote:
>>>> Roberto Greiner wrote:
>>>>> Fatal error: Allowed memory size of 33554432 bytes exhausted (tried to allocate 35 bytes) in /usr/local/www/services_dhcp.php on line 48
>>>>
>>>> That is during the DHCP lease cleanup routine. Your /var/dhcpd/var/db/dhcpd.leases file must be huge. It doesn't typically grow that large during normal operation.
>>>
>>> It's a new server. No user ever connected to it
>>
>> Can you check that file just to be sure? If nobody has connected to the server, you can probably safely remove the leases file anyhow.
>
> $ ls -l /var/dhcpd/var/db
> total 17792
> -rw-r--r-- 1 root _dhcp 4529052 Oct 14 09:42 dhcpd.leases
> -rw-r--r-- 1 dhcpd _dhcp 4528906 Oct 14 09:42 dhcpd.leases~
>
> I removed both files and restarted the server (without the ntp configuration). The ntp server started properly. As a test, I tried to enable the ntp servers configuration again, and got the same error as before.

That is rather odd. Something weird must be going on with its network connection if it has a 4.5MB leases file. I can't reproduce this on my test box either.
Re: [pfSense Support] potential pfsense hardware
Ryan wrote:
> Does anyone make an atom board with intel onboard. I'd rather intel if i had my choice. I have seen a couple of flexatx atom boards that look real promising, but they don't have intel nics.

MSI has a board with 2x1GB Intel NICs, the IM-945GSE

http://www.mini-box.com/MSI-IM-945GSE-Mini-ITX-Motherboard

Looks promising, indeed, but I'd prefer a dual core atom board, personally.

I've got a couple of these on order for a customer, I'm going to try to beat them around a bit and see how the Realtek nics hold up:

http://www.newegg.com/Product/Product.aspx?Item=N82E16816101262

You can get a PCI-E riser for that and then get a multi-port Intel card to use if you want, too.

I think (but don't quote me on it) that I heard there was a Jetway daughterboard with intel NICs also.
Re: [pfSense Support] potential pfsense hardware
Curtis Maurand wrote:
> Check this one out. It should work just fine. Very inexpensive.
> http://www.newegg.com/Product/Product.aspx?Item=N82E16816101262

I mentioned that one elsewhere in the thread. Three of them just arrived in my office and I'm getting ready to test them out. :-)

First cool observation, they actually have an internal USB port. Not just pins, but a real port. There are some really tiny USB flash drives that could be used to run these with (cheap) solid state media.
Re: [pfSense Support] potential pfsense hardware
Paul Mansfield wrote:
> On 16/10/09 17:27, Curtis Maurand wrote:
>> Check this one out. It should work just fine. Very inexpensive.
>> http://www.newegg.com/Product/Product.aspx?Item=N82E16816101262
>
> pretty good box at the price; I guess it would be a bit noisy for a home or office environment, 1U server fans tend to be pretty whiny!

There are only two fans, one on the motherboard, and one in the PSU. I haven't powered it up yet to check noise levels.
Re: [pfSense Support] potential pfsense hardware
> Nathan Eisenberg wrote: Newegg says the board only has a PCI-Ex8 slot. I'm not sure which board that would be, as all the Atom boards I've seen are PCI-only.

It has 2 PCI-E x8 and a PCI, but it looks like only the PCI-E x8 would be usable with the riser. Here's a pic I took of the mainboard: http://twitpic.com/lr2tc

> Re: Noise - In my experience, Atom servers can run without chassis fans - they only need the CPU fan and the PSU fan.

I can barely hear the thing run, with the fans on and the case open.
Re: [pfSense Support] potential pfsense hardware
> Jim Pingle wrote: Curtis Maurand wrote: Check this one out. It should work just fine. Very inexpensive. http://www.newegg.com/Product/Product.aspx?Item=N82E16816101262
>
> I mentioned that one elsewhere in the thread. Three of them just arrived in my office and I'm getting ready to test them out. :-)
>
> First cool observation, they actually have an internal USB port. Not just pins, but a real port. There are some really tiny USB flash drives that could be used to run these with (cheap) solid state media.

A couple more things after some tinkering. Picture of the mainboard: http://twitpic.com/lr2tc

- It's got 4x SATA connectors and 1x PATA, though there isn't really room in the case for more than 1 3.5 drive (or 2x2.5 with an optional bracket, I hear).
- 2 USB ports on the back, but headers for 5 more inside plus an actual internal USB connector (mentioned above)
- A second internal COM port header (there is a knockout for a 25-pin connector on the back, too)
- There is a molex power connector on the mainboard (male) labeled "For Device power only".
- Looks like a few extra fan headers if they're needed (probably not)

dmesg output: http://pastebin.com/f22413e10

Power draw, according to my Kill-a-Watt:
- Drive spin-up: 48w
- Booting: 33w/0.33a with occasional bumps to 36w
- Idle: 32w/0.33a
- When powered off and plugged in, it draws 1w/0.04a

Haven't been able to do any load testing yet.

Jim
Re: [pfSense Support] Filter Rules for OpenVPN connections
> Andreas Fuchs wrote: I upgraded to 1.2.3 RC3 today. I'm now able to create an interface on my tun1 for the OpenVPN, after a reboot the connection is working. But the filter rules don't work. Based on the description i set the interface to a bridging interface to my LAN, but that way the network connection works but a deny everything rule does not work nor log something.

Don't do that.

> Then i changed the interface to non bridging with an ip of 192.168.15.1 (which is the ip of tun1) also here network connection is fine, but filter rules don't work.

Don't do that either. :-)

> What am i doing wrong?

Save/apply at each step where needed.

#1: Go to System > Advanced, check "Disable all auto-added VPN rules"
#2: Manually add in rules on WAN to allow your VPN peers to connect to the appropriate ports
#3: Assign OpenVPN interface as an OPT
#4: Enable this OPT interface, rename if you want, and put 'none' in for the IP
#5: Add your firewall rules to the OPT interface tab

That should do the trick.
Re: [pfSense Support] little offtopic - using cron to monitor ipsec tunnels
> Michel Servaes wrote: I was wondering, if there would be a way (by not installing third party software) to monitor the uptime of your ipsec VPN tunnels. Sure, I can ping every LAN printer that is in the other subnet - or install third party software... but some kind of cronjob checking this would also be a cool way to accomplish this. And as soon as a VPN is out for xxx minutes, a mail should be sent to the admin. That way - I could anticipate power outages, or any other reason why a VPN does not come up.

There is a cron package you can install to manage the firewall's cron jobs and add your own. A little scripting and such could get the rest. Parsing setkey -D and setkey -DP output can be a little tricky, especially trying to match those up with tunnels in the config though. You can refer to the code in the IPsec status page (and dashboard widget) for some pointers or code to reuse.

Jim
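As an added example (not pfSense's own code, and not anything posted in the thread), here is the kind of cron-driven check Michel asks for and Jim sketches: it parses a setkey -D dump, treats a tunnel as up only when mature SAs exist in both directions, remembers across runs how long a tunnel has been down, and mails the admin once a threshold is passed. The tunnel list, the trimmed setkey -D layout, the marker directory and the sendmail path are assumptions; pfSense 1.2.3 itself scripts in PHP and sh, so this is a demonstration rather than a drop-in.

```python
"""Cron-friendly IPsec tunnel monitor built on the `setkey -D` SAD dump.
Added example, not pfSense code; the setkey -D layout in SAMPLE_SAD, the
TUNNELS list, STATE_DIR and the use of sendmail are all assumptions."""
import os
import re
import subprocess
import time

# Constructed tunnel list: (local endpoint, remote endpoint, label)
TUNNELS = [
    ("203.0.113.10", "198.51.100.20", "branch-office"),
    ("203.0.113.10", "198.51.100.30", "datacenter"),
]
DOWN_MINUTES = 15                   # mail the admin after this long down
STATE_DIR = "/var/run/ipsec-mon"    # assumed writable; one marker per tunnel
ADMIN_MAIL = "admin@example.com"    # placeholder recipient

# Constructed, trimmed `setkey -D` dump: an unindented "src dst" header and
# indented attribute lines per SA (real output has more counter lines).
# Tunnel 1 has mature SAs both ways; tunnel 2 has only a dying outbound SA.
SAMPLE_SAD = """\
203.0.113.10 198.51.100.20
\tesp mode=tunnel spi=222986241(0x0d4a9c01) reqid=0(0x00000000)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
198.51.100.20 203.0.113.10
\tesp mode=tunnel spi=50331650(0x03000002) reqid=0(0x00000000)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
203.0.113.10 198.51.100.30
\tesp mode=tunnel spi=50331651(0x03000003) reqid=0(0x00000000)
\tseq=0x00000000 replay=4 flags=0x00000000 state=dying
"""

HEADER_RE = re.compile(r"^(\S+) (\S+)\s*$")          # "No SAD entries." never matches
PROTO_RE = re.compile(r"^\s+(esp|ah|ipcomp) mode=(\S+) spi=(\d+)")
STATE_RE = re.compile(r"\bstate=(\w+)")

def parse_sad(text):
    """Return one dict per SA: src, dst, proto, mode, spi (decimal), state."""
    sas, cur = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = {"src": m.group(1), "dst": m.group(2), "proto": None,
                   "mode": None, "spi": None, "state": None}
            sas.append(cur)
            continue
        if cur is None:
            continue
        m = PROTO_RE.match(line)
        if m:
            cur["proto"], cur["mode"], cur["spi"] = m.group(1), m.group(2), int(m.group(3))
        m = STATE_RE.search(line)
        if m:
            cur["state"] = m.group(1)
    return sas

def tunnel_is_up(sas, local, remote):
    """Up means a mature ESP/AH tunnel-mode SA in *both* directions; a lone
    SA one way is the 'shows active but cannot ping' symptom from the thread."""
    def mature(a, b):
        return any(s["src"] == a and s["dst"] == b and s["mode"] == "tunnel"
                   and s["proto"] in ("esp", "ah") and s["state"] == "mature"
                   for s in sas)
    return mature(local, remote) and mature(remote, local)

def check_tunnels(sas, tunnels=TUNNELS):
    """Map each configured tunnel label to True (up) or False (down)."""
    return {label: tunnel_is_up(sas, loc, rem) for loc, rem, label in tunnels}

def minutes_down(label, up, now=None, state_dir=STATE_DIR):
    """Keep the first-seen-down time in a marker file so successive cron runs
    can tell how long the tunnel has been out; returns 0 (and clears) when up."""
    now = time.time() if now is None else now
    marker = os.path.join(state_dir, label + ".down")
    if up:
        if os.path.exists(marker):
            os.remove(marker)
        return 0
    os.makedirs(state_dir, exist_ok=True)
    if not os.path.exists(marker):
        with open(marker, "w") as fh:
            fh.write(str(int(now)))
    with open(marker) as fh:
        since = int(fh.read().strip())
    return int((now - since) // 60)

def main():
    """Cron entry point: dump the SAD, evaluate each tunnel, mail when overdue."""
    dump = subprocess.run(["setkey", "-D"], capture_output=True, text=True).stdout
    for label, up in check_tunnels(parse_sad(dump)).items():
        late = minutes_down(label, up)
        if late >= DOWN_MINUTES:
            msg = ("To: %s\nSubject: IPsec tunnel %s down for %d min\n\n"
                   "No mature SA in both directions for tunnel %s.\n"
                   % (ADMIN_MAIL, label, late, label))
            subprocess.run(["/usr/sbin/sendmail", "-t"], input=msg.encode(), check=False)

if __name__ == "__main__":
    main()
```

Matching SAs to configured tunnels by endpoint pair is the part Jim calls tricky; the checker above sidesteps SPD parsing (setkey -DP) by requiring both SA directions to be mature, which is the condition traffic actually depends on.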
Re: [pfSense Support] pfsense package system down ?
> Indrajaya Pitra Perdana wrote: php: /pkg_mgr.php: XMLRPC request failed with error 2: Invalid return payload: enable debugging to examine incoming payload

There was a missing on a tag in the xml, it's possible that was causing the error. Can you try it again? I committed a fix about 45 minutes ago.

Jim
Re: [pfSense Support] pfsense 1.23 rc3 - ipsec VPN dies randomly, but stays active in the overview
> Michel Servaes wrote: Since I have added two IPSEC tunnels to both Linksys' RV042 - my VPN connections start to die randomly, but stay active in both the webgui's overview (both, I mean pfSense and the DLINK's) - but either way is impossible to ping each other !!

Have you tried checking the "Prefer old IPsec SAs" option under System > Advanced?

Jim
Re: [pfSense Support] Split DNS Setup
> Bruce Walker wrote: Oh! Here's a thought: I noticed that adding dns-forwarder overrides doesn't restart dnsmasq, so it doesn't necessarily see them. Either restart the service (from Status > Services) or just click the Save button on the DNS Forwarder menu page.

This should not be necessary. When you add an override, you click save on that screen, then apply changes on the main DNS forwarder screen. At that point, the overrides are already working (confirmed again by a test I just did on my home router).

Jim
Re: [pfSense Support] boot failure on alix with pfSense 1.2.3-RC3 (or more recent snapshots)
> Hans Maes wrote: Thanks for the suggestion, although I didn't try it in the end. A working fix was posted on the forum yesterday ( http://forum.pfsense.org/index.php/topic,20405.msg107813.html#msg107813 ) - You need to set the bios power management mode to APM on the alix boards with VGA to be able to boot pfSense. May I suggest putting this in the wiki somewhere?

I added that to the Boot Troubleshooting doc on the Wiki, thanks!

Jim
Re: [pfSense Support] Monitor traffic through vpn
> Joseph L. Casale wrote: I have been asked to monitor traffic, per user, through our openvpn pfsense setup; as it's set up for filtering (therefore I know what ip each user uses), I presume this can easily be done by looking at traffic between the opt int and the lan int. Are there provisions built in to pfsense to make this easy, can I send the data to a different host for example w/ a mysql backend?

If you have your OpenVPN tun interface assigned as an OPT, you can probably use any of the existing bandwidth monitoring software packages: http://doc.pfsense.org/index.php/How_can_I_monitor_bandwidth_usage%3F

You might be able to find a free netflow collector that can push data to MySQL, but I have only tinkered with netflow (there is a free perl script out there somewhere that grabs data).

Jim
Re: [pfSense Support] 1.2.3-RC3 PPPoE
On 12/9/2009 9:01 AM, RB wrote:
> On Wed, Dec 9, 2009 at 01:34, Ermal Luçi ermal.l...@gmail.com wrote:
>> Please provide logs of mpd and explain more what you are trying to do and how you are trying to achieve it!
>
> What I'm trying to achieve is awfully simple - with a fresh install of 1.2.3-RC3, I'm plugging a dumb Speedport ADSL modem in to one ethernet port (fxp1) and a switch into the other (fxp0). After configuring pfSense with the right PPPoE credentials and _nothing else_, the WAN interface comes up with a valid IP from my ISP and proper-looking MPD logs (I'm running it from the CLI to be certain). However, pinging my next hop or issuing requests to the outside DNS servers results in outbound traffic with no returns (monitoring with tcpdump -s0 -vni on fxp1 and ng0). With 1.2.3-RC1, traffic flows smoothly. I don't have logs with me because the system is down, inaccessible due to this.

I've been using 1.2.3 snapshots on my pfSense router at home, and at customer sites, from RC1 through RC3 (and the release images that are pending right now even) and I haven't had any trouble, either on ATT DSL or Verizon DSL both using PPPoE.

Are you sure that your DSL link is solid and noise-free? I have seen cases where routers would sign on but could not pass traffic and it turned out to be a weak DSL signal. Does this same line work with any other router?

As Ermal said, posting the full log might help, even if you don't see anything out of the ordinary. Some other info that would be helpful would be the output of ifconfig -a and netstat -rn while connected. Perhaps also a traceroute to the next hop and DNS servers.

Jim
Re: [pfSense Support] 1.2.3-RC3 PPPoE
On 12/10/2009 6:56 PM, Scott Ullrich wrote:
> On Thu, Dec 10, 2009 at 6:54 PM, RB aoz@gmail.com wrote:
>> Well, for posterity's sake then: if you have trouble in pfSense/FreeBSD with traffic not passing through an Intel 10/100 NIC (fxp), particularly when return/inbound packets aren't showing up in mpd or another user-level program, turn off TCP Offload. For that matter, any troubleshooting of weird, inexplicably lost traffic should involve explicitly turning off ToE.
>
> We will make note of it in the release notes, thanks

I also added a small page on the Doc wiki: http://doc.pfsense.org/index.php/Lost_Traffic_/_Packets_Disappear

Jim
Re: [pfSense Support] Issue upgrading from 1.2.3-RC3 to RELEASE
On 12/10/2009 7:10 PM, John Mitchell wrote:
> I don't suppose there is any way to back up the RRD Graph data, is there? (More specifically the Traffic portion). Trying to get a year's worth of data going ;)

You can install the Backup package and grab the data from there, or you could mount the CF in another machine and copy/restore it by hand. http://doc.pfsense.org/index.php/Modifying_Embedded
Re: [pfSense Support] Squid Guard with Alix box 1.2.3 embedded
On 12/11/2009 5:21 AM, bsd wrote:
> I wanted to know if it was OK to install the SquidGuard package with an embedded version of pfSense working on NanoBSD? I plan to deploy it on an Alix board… As the system is mounted RO… I am not certain this will be the best setting. Will this still be ok - or do you have any other suggestion? What is your advice?

It works, mostly, you just need to take some care. Make sure you set squid to disable the cache or have a cache size of 0, and someone on the forums reported that squidguard's blacklist functionality may not be quite working on embedded. When fixing up the packages, I installed and configured it with basic settings and it did work. I mainly tested the ACLs and Destination filtering, etc.

Jim
Re: [pfSense Support] hybrid storage?
On 12/11/2009 10:50 AM, David Burgess wrote:
> I've been happily using 1.2.3-RC1 for many months now on a Soekris net5501 and a 100GB 2.5 SATA drive. I like the idea of an embedded system on a CF card, but that's not possible or advisable for me as I'm running the squid and freeswitch packages. I was wondering however, if it would be difficult, inadvisable, or of no advantage to hack together an embedded system to run from a read-only CF card that mounts certain filesystems on writable media, such as a hard drive, where temp data such as disk cache and audio recordings would live.

I've thought a bit about this in the past, and it might be doable in the future or via some kind of filesystem management package, if someone were to come up with one, but it isn't something that would be recommended (at least not yet) or supported.

> I don't know a tonne about the innards of pfsense and I've never played with the nanoBSD version. Is this something that would work in principle? Would it exploit the benefits of a read-only root filesystem (cold-reset resiliency,

The moment you have a drive mounted rw, you lose this. :-)

> improved fs security, system responsiveness)? Would it require a lot of messing, besides manually altering /etc/fstab?

You'd also have to alter the packages (or create appropriate symlinks if they can be followed by the application) to point those directories or files at the new storage location. Some packages might have built-in path settings and you'd just need to change the paths and hit save. Otherwise, you may need to alter the code for the package.

As with most things, if you want to experiment, it's up to you, but do so with caution (and plenty of backups) and remember that you'll be out on a limb without a net to catch you if something breaks.

Jim
Re: [pfSense Support] hybrid storage?
On 12/11/2009 12:22 PM, Paul Mansfield wrote:
> can you do overlay file systems on freeBSD, so that the base OS and config is read-only and you overlay a read-write file system at a very late stage in booting IF that overlay is uncorrupted? when you've made changes to config, if the worst happens simply boot without the overlay

You can with unionfs. I'm not sure how well it's working these days in practice. (As far as being production ready for everyday use as opposed to used in the installer, etc.)
Re: [pfSense Support] hybrid storage?
On 12/11/2009 12:33 PM, David Burgess wrote:
> On Fri, Dec 11, 2009 at 10:30 AM, Jim Pingle li...@pingle.org wrote:
>> On 12/11/2009 12:22 PM, Paul Mansfield wrote:
>>> can you do overlay file systems on freeBSD, so that the base OS and config is read-only and you overlay a read-write file system at a very late stage in booting IF that overlay is uncorrupted? when you've made changes to config, if the worst happens simply boot without the overlay
>>
>> You can with unionfs. I'm not sure how well it's working these days in practice. (As far as being production ready for everyday use as opposed to used in the installer, etc.)
>
> Well, it didn't take long for this conversation to go over my head. I've got some work to do to learn about overlay filesystems and unionfs. I do love a good learning project.

It would probably be much easier to alter only the settings of a package to point to an alternate storage location. You do not need to keep /usr/local stuff rw, it typically does not change (especially the binaries). There may be some system settings in /usr/local/etc/ that might need to be carried over, but if you can configure paths for things in freeswitch like you can in squid, it shouldn't be that hard.

Squid would be easy: Make a new mount point, mount a filesystem, point the cache directory at /otherdrive/squid/cache/ instead of /var/squid/cache.

Jim
Re: [pfSense Support] Squid Cache management does'nt save config
On 12/11/2009 5:52 PM, Nathaniel Simch de Morais wrote:
> Hi all, I have a problem with my pfsense and already changed my machine but the problem is still there. Well, I can make any changes in squid, but in the tab Cache management it just doesn't save. I put in all the info about the cache I want and when I click save the screen returns to default. Has anyone seen this?

I can reproduce this one on one box, but not on another. The box that I have this problem on is a recent fresh install of a 1.2.3 snapshot from after RC3 but not quite -RELEASE. The box which I can't reproduce it on is an install that has been in place running squid for ages, and has been tracking snapshots periodically, but now is running 1.2.3-RELEASE.

Not sure what's going on, either. I've tried setting a few different combinations of settings, no luck. Same browser used on both systems.

Jim
Re: [pfSense Support] Re: NanoBSD on WRAP
On 12/15/2009 6:31 AM, Rainer Duffner wrote:
> Ugo Bellavance wrote:
>> I like this answer, and there are really 2 facts that are highlighted here:
>> - Users will always complain
>> - The better your product and product history, the less users will read the warnings.
>> PfSense has always had a good record to me, so I don't read the upgrade document at each upgrade. I'll wait for the image, Chris, and I don't mind the few weeks of wait, but I think that maybe uploading a (or a set of) README files on the mirror would help... I would personally be very tempted to read a README file while it is downloading, especially if it has WRAP in its name.

That might help, but it is mentioned in the Upgrade Guide, and a couple places on the Doc Wiki. I thought it was mentioned in the release announcement, but I may have been thinking about one of the -RC version announcements.

> I upgraded my ALIX yesterday to 1.2.3-RELEASE and found out I need the BIOS-update (I switched from 128M embedded to 4GB version, too). Turns out that the image for the BIOS-update provided on the pfSense.org page doesn't work (maybe it's for a different ALIX, I have an ALIX2-series board). Of course, I only found out about this after I had wiped my working pfSense installation with the BIOS-update image (and no old image available, and no internet-access anymore). Luckily, I was able to tether my iMac with my on-call iPhone (the personal iPhone doesn't have 3G reception at home) and download the required files from the pcengines website and finally run 1.2.3 - after a couple of wasted hours. So much for "a ready-made image makes it easier for everybody".

Which model ALIX do you have? It says on the page that there are some excluded models, usually it's the ones with VGA that require a different BIOS. Did the image not boot at all? Or what did it do?

Jim
Re: [pfSense Support] NAS/SAN
On 12/19/2009 7:05 PM, Seth Mos wrote:
> On 19 Dec 2009, at 22:34, Glenn Kelley wrote:
>> is there a simple way to add an ISCSI or NAS storage to this system? For systems with limited storage - I do not see a way of doing this out of the box
>
> I am missing the context here, why would you need it?

I've thought about having some sort of storage add-on for secondary drives (or USB) for use with certain packages like Squid or FreeSWITCH on embedded, or even full installs with a small(er) OS drive. As 2.0 heads toward being more appliance-friendly, this seems more and more relevant.

Jim
[pfSense Support] FLOSS Weekly 101: pfSense
For those of you who didn't catch the video when it aired, FLOSS Weekly episode 101 about pfSense has been posted. http://twit.tv/floss101
Re: [pfSense Support] embedded install on a Pentium III system
On 12/28/2009 10:28 AM, Kurt Buff wrote:
>> My big question - how would I tell which network interface will be the LAN, to run the WebGUI wizard on... (on an Alix, it's the first one - but how can I tell on this P3-600 (old compaq) board, which would be the first one?) Or won't it run at all? Any first thoughts here?
>
> Hook up a monitor and keyboard. Get into the console. Plug one of the NICs into a switch (probably the one on your LAN). Do an ifconfig, and see which of your NICs is active. If you are running an embedded image, keyboard/monitor will be disabled and you will need a null modem serial cable to configure this part. Or, since you're already running monowall, check it to see which it thinks is which - how did you figure that one out?

That is sound advice. You could edit your pfSense configuration to include these device names before booting the embedded image, otherwise you'd need to use the serial console to reassign them. If you want to edit the config directly on the CF, see here: http://doc.pfsense.org/index.php/Modifying_Embedded

The reason it works out of the box on ALIX/Soekris is because the default network adapter names for those are vr0/vr1 on both platforms so those are in the default configuration.

Jim
Re: [pfSense Support] ntop is dumped
On 12/31/2009 2:12 AM, Koray AGAYA wrote:
> Hi, I use pfsense *1.2.3-RELEASE* and I installed ntop v.3.3.8, but ntop works for 5 minutes and then stops. The logs are below:
> kernel: pid 49342 (ntop), uid 0: exited on signal 11 (core dumped)
> How can I resolve my problem?
> [snip]
> Dec 31 09:00:27 kernel: pid 49342 (ntop), uid 0: exited on signal 11 (core dumped)

I have seen this as well, but not on every system. I have some customer routers where it has run indefinitely (weeks, months, etc) and then I have some routers where it only runs for about 10 minutes. So far I haven't been able to track it down or find any correlations, but I haven't really gotten in-depth with it yet.
Re: [pfSense Support] About promiscuous mode
On 1/22/2010 8:38 AM, Koray AGAYA wrote:
> Hi, I use 1.2.3-RELEASE pfSense. The system log has an error, I don't understand what the problem is:
> Jan 22 15:29:01 kernel: vge0: promiscuous mode disabled

This is a part of how the Rate package operates. In that scenario, it's harmless log spam, there is no problem.

Jim
Re: [pfSense Support] Plugins
On 1/22/2010 7:41 PM, Fabian Abplanalp wrote:
> [snip - I don't use siproxd or spamd so I can't comment there]
> OpenVPN is also a lot that should be improved asap, for testing purposes I've installed an endian box (which has other ugly limitations), but at least SIP and OpenVPN work as expected with a nice GUI.

What exactly do you think needs to be improved in OpenVPN? Have you tried the 2.0 beta to see if the improvements have already been made? OpenVPN has always been solid for me and my customers, between the GUI options and custom options boxes I have been able to make most anything work. The 2.0 GUI and Certificate Manager make it even better, too.

If you want to offer criticism, please be much more specific.

Jim
Re: AW: [pfSense Support] Password reset
On 1/26/2010 4:05 PM, Michel Herzog wrote:
> Remko Lodder wrote:
>> As mentioned by Aarno, did you password protect your console?
>
> Hello, yes. The problem is that there is no documentation. Also I have not set up the system myself so that's why I am vague :) It's a very important configuration I need to access, so that's why I am not just setting up a new one.

This is covered on the Doc Wiki. http://doc.pfsense.org/index.php/I_locked_myself_out_of_the_WebGUI,_help!#Forgotten_Password_with_Locked_Console

Jim
Re: [pfSense Support] Ability to summarize # of states/IP
On 2/3/2010 2:35 PM, Nathan Eisenberg wrote:
> It would be incredibly handy to build a report that summarizes the number of states open, grouped by IP. That way, one could easily identify a DOS origin. For example, I just had an attacker attempt to open 40,000 simultaneous HTTP sessions on one of my servers. I'd love to be able to see something like this:
>
> Proto  Source      SRC Ports  DST Ports
> TCP    10.0.x.x    40,000     1
> TCP    74.1.x.x    16         1
> TCP    63.5.x.x    10         1
> TCP    152.4.x.x   4          1

That may not be too difficult to pull off, just some basic regex work and knowledge of the output of pfctl -ss. Though the format of such a report would end up being a bit more complicated than the output you show. There are incoming connections, outgoing connections, outgoing NAT connections, incoming NAT connections (port forwards), etc, etc. And it looks like some detail is only listed in pfctl -ss while a state is active. The output you are talking about would only be a subset of the whole -- namely, outgoing NAT connections.

I might see if I can make something useful out of it. It may not take long, but that depends on available time.

Jim
Re: [pfSense Support] Ability to summarize # of states/IP
On 2/3/2010 7:57 PM, Jim Pingle wrote:
> On 2/3/2010 2:35 PM, Nathan Eisenberg wrote:
>> It would be incredibly handy to build a report that summarizes the number of states open, grouped by IP. That way, one could easily identify a DOS origin. For example, I just had an attacker attempt to open 40,000 simultaneous HTTP sessions on one of my servers. I'd love to be able to see something like this:
>>
>> Proto  Source      SRC Ports  DST Ports
>> TCP    10.0.x.x    40,000     1
>> TCP    74.1.x.x    16         1
>> TCP    63.5.x.x    10         1
>> TCP    152.4.x.x   4          1
>
> That may not be too difficult to pull off, just some basic regex work and knowledge of the output of pfctl -ss. Though the format of such a report would end up being a bit more complicated than the output you show. There are incoming connections, outgoing connections, outgoing NAT connections, incoming NAT connections (port forwards), etc, etc. And it looks like some detail is only listed in pfctl -ss while a state is active. The output you are talking about would only be a subset of the whole -- namely, outgoing NAT connections.
>
> I might see if I can make something useful out of it. It may not take long, but that depends on available time.

I just committed a basic package that adds Diagnostics > State Summary, which has somewhat of a similar form to what you're after. It probably needs some more refinement, but the info is there.
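As an added example for the report Nathan describes and the pfctl -ss caveats Jim raises in the two messages above (this is not the State Summary package Jim committed, nor any code from the thread), the following parses pfctl -ss lines, attributes each state to the host that originated it while keeping plain, NAT and port-forward states apart, and then counts states and distinct ports per source. The line layout, taken from pf's state printer, and the sample states are assumptions constructed for the example.

```python
"""Per-source state summary from `pfctl -ss`, the report asked for above.
Added example, not the State Summary package Jim committed. The line layout
below is assumed from pf's print_state():
  <if> <proto> <post-NAT src> [(<LAN src>)] -> <dst> <state>   outbound
  <if> <proto> <local dst> [(<public dst>)] <- <src> <state>   inbound
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ifname>\S+)\s+(?P<proto>\S+)\s+(?P<left>\S+)"
    r"(?:\s+\((?P<orig>[^)]+)\))?\s+(?P<dir>->|<-)\s+(?P<right>\S+)\s+(?P<state>\S+)\s*$")

def split_host(host):
    """'1.2.3.4:80' -> ('1.2.3.4', 80); '2001:db8::1[80]' -> ('2001:db8::1', 80);
    a bare address (some ICMP/other-protocol states) gives port None."""
    m = re.match(r"^(.+)\[(\d+)\]$", host)
    if m:
        return m.group(1), int(m.group(2))
    addr, sep, port = host.rpartition(":")
    if sep and port.isdigit() and ":" not in addr:
        return addr, int(port)
    return host, None

def parse_state(line):
    """Parse one pfctl -ss line; the originator is the LAN host for outbound
    states (pre-NAT address in parentheses) and the external host for inbound."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    if d["dir"] == "->":
        src, dst = d["orig"] or d["left"], d["right"]
        kind = "out-nat" if d["orig"] else "out"
    else:
        src, dst = d["right"], d["left"]
        kind = "in-portfwd" if d["orig"] else "in"
    src_ip, src_port = split_host(src)
    dst_ip, dst_port = split_host(dst)
    return {"proto": d["proto"], "kind": kind, "src_ip": src_ip, "src_port": src_port,
            "dst_ip": dst_ip, "dst_port": dst_port, "pf_state": d["state"]}

def summarize(text):
    """Group by (proto, kind, source IP): returns rows of
    (proto, kind, src_ip, states, distinct src ports, distinct dst ports), busiest first."""
    groups = defaultdict(lambda: {"n": 0, "sp": set(), "dp": set()})
    for line in text.splitlines():
        st = parse_state(line)
        if st is None:
            continue          # blank lines or formats this parser does not know
        g = groups[(st["proto"], st["kind"], st["src_ip"])]
        g["n"] += 1
        if st["src_port"] is not None:
            g["sp"].add(st["src_port"])
        if st["dst_port"] is not None:
            g["dp"].add(st["dst_port"])
    rows = [(p, k, ip, g["n"], len(g["sp"]), len(g["dp"])) for (p, k, ip), g in groups.items()]
    rows.sort(key=lambda r: (-r[3], r[0], r[1], r[2]))
    return rows

def top_sources(text, min_states):
    """Only sources holding at least min_states states: the DoS-origin view."""
    return [r for r in summarize(text) if r[3] >= min_states]

def format_report(rows):
    fmt = "%-5s %-11s %-16s %7s %9s %9s"
    out = [fmt % ("Proto", "Kind", "Source", "States", "SrcPorts", "DstPorts")]
    out += [fmt % r for r in rows]
    return "\n".join(out)

# Constructed sample: a few normal states plus 500 half-open HTTP connections
# from one external host against a port-forwarded web server.
SAMPLE_STATES = "\n".join(
    ["all tcp 203.0.113.5:61000 (192.168.1.10:49152) -> 93.184.216.34:80       ESTABLISHED:ESTABLISHED",
     "all tcp 203.0.113.5:61001 (192.168.1.10:49153) -> 93.184.216.34:443      ESTABLISHED:ESTABLISHED",
     "all udp 192.168.1.1:53 <- 192.168.1.10:51000       MULTIPLE:SINGLE",
     "all tcp 192.168.1.1:443 <- 192.168.1.10:51002       ESTABLISHED:ESTABLISHED",
     "all tcp 10.0.0.1:22 -> 10.0.0.2:48000       ESTABLISHED:ESTABLISHED",
     "all icmp 203.0.113.5:5000 (192.168.1.10:5000) -> 8.8.8.8:5000       0:0"]
    + ["all tcp 192.168.1.20:80 (203.0.113.5:80) <- 198.51.100.7:%d       SYN_SENT:CLOSED" % (40000 + i)
       for i in range(500)])

if __name__ == "__main__":
    import subprocess
    dump = subprocess.run(["pfctl", "-ss"], capture_output=True, text=True).stdout
    print(format_report(top_sources(dump, 1)))
```

The "kind" column is what turns Nathan's single table into the several views Jim mentions: the flood in the sample shows up as an in-portfwd row with 500 states and 500 source ports against one destination port, while the LAN host's outgoing NAT states stay in their own row.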
Re: [pfSense Support] How to forward protocol 41
On 2/11/2010 4:54 PM, Jan Zorz wrote:
> 2. Bang the bell very hard to wake up PfSense developers, so they finally deploy IPv6 mechanisms at last. I liked PfSense a lot, but I moved to Mikrotik devices. They have IPv6 (and a lot of v6 mechanisms, like ospf-v3 and others) fully deployed.

Many of us would gladly work on IPv6, but we have no IPv6 connectivity directly available.
Re: [pfSense Support] FreeRADIUS users
On 3/7/2010 12:45 PM, Rich Johnson wrote:
> I am unable to edit the OpenVPN status entry. I am getting "No Management Daemon". I reinstalled the package. My platform is 1.2.3

Read the note on the bottom of the page, it tells you what needs to be added to the custom options for your OpenVPN server entry.

Jim
Re: [pfSense Support] FreeRADIUS users
On 3/7/2010 2:49 PM, Joseph L. Casale wrote:
>> Not that I know of. Could you tell us the error message?
>
> Hey, well, I have a couple of installs I tried it on, each of which has in its openvpn server config: management 127.0.0.1 7050; (port varies between installs etc...) and yet I get: [error] No Management Daemon. See Note Below... I know the mgmt daemon works as I telnet to it for other needs...

For the purposes of that status page, the port number of the management daemon must match the port number for OpenVPN. For example, if OpenVPN is running on port 1194, the management daemon must be on 127.0.0.1 1194.

Jim
Re: [pfSense Support] Low-cost VPN endpoint compatible with pfSense
On 3/17/2010 8:02 AM, Chris Bagnall wrote:
> Greetings list, One of our clients has a requirement for a low-cost ADSL modem/router that'll act as a VPN endpoint (IPSec or OpenVPN) to a central pfSense node (at their head office). Ordinarily I'd just recommend small pfSense nodes like the ALIX (so the VPN is pfSense to pfSense), but this would be a two-box solution (the ADSL modem and the ALIX), and there isn't space for that. I know some versions of the Netgear DG834 claim to support IPSec - has anyone any experience VPNing those with pfSense? I've had a look on the Wiki, but can't see any reference to that device. Alternatively, any hardware suggestions gratefully appreciated.

A customer of ours had some Netgear ADSL routers at their sites that did IPsec, but the model escapes me at the moment. They worked fine for a while, but I think about half of them died or started flaking out within 2-3 years.

Most anything that does standard IPsec should work together, I have yet to find a router that won't connect up to pfSense in some way with IPsec. I have heard there are also some ADSL modem/routers that ATT is distributing to its business customers which can do IPsec, probably something from Efficient/Siemens or 2Wire.

Jim
Re: [pfSense Support] help -- policy routing problem
On 3/18/2010 4:11 PM, Chris Buechler wrote: On Thu, Mar 18, 2010 at 4:04 PM, mayak-cq ma...@australsat.com wrote: hi all, i've got a serious policy routing problem that i cannot seem to overcome. the pfsense box has three interfaces: two are wan ports and one is lan -- both wan ports share the same physical media and use the same gateway. they each have a different ip address. i need to route outbound mail traffic out of one specific interface and voip out the other (among other requirements). since the gateways are the same, and because i cannot specify the interface but only the next router, pfsense seems to choose the first/lowest interface to send mail.

Short of an intermediate NAT device as Gary said, you have no other options with the same gateway unless you can put both IPs on one interface.

I think Ermal or Scott pointed out a commit a few weeks ago that ECMP was committed upstream, so it's possible that in the future, we won't be stuck with this limitation. (Which will be a very happy day indeed for many users.)

Jim
Re: [pfSense Support] CPU Throttle
On 4/1/2010 12:38 PM, J.D. Bronson wrote: I have noticed when I boot up pfsense 1.2.3, I see stuff like this on dmesg: kernel: acpi_throttle0: ACPI CPU Throttling on cpu0 I have an Intel Core 2 Quad and have disabled IntelSpeedStep in the BIOS but want to make sure nothing in pfsense throttles or reduces CPU speed or power. Is there anything I need to change/tweak to make sure this doesn't happen or is this message simply stating a feature that isn't necessarily used?

It is just stating a feature it found, it isn't used without extra software like powerd, which I don't think is present (or setup anywhere). Though you can check some of those parameters via sysctl to see if they are present, I believe they are under here somewhere: sysctl hw.acpi

Jim
Re: [pfSense Support] Microsoft Server 2008 DHCP relay
On 4/17/2010 2:17 PM, Karl Fife wrote: [...]As I see it, I don't mind if Microsoft 2K8 server runs the Windows parts of the network but not the whole network. Has anyone actually tried this? Thanks in advance!

I haven't tried the DHCP parts, but I have set one up for DNS thusly: Pass the DHCP clients the AD server for DNS -- and ONLY the AD server, and then on the AD server, in the DNS server setup, setup a single forwarder: your pfSense box's LAN IP (or whatever interface it's using). That way your DNS setup in pfSense, including any overrides and such that you have set, will still be used, and 2k8 is still happily doing DNS for whatever it needs. At that site the DHCP was very vanilla so I had no problem letting AD take that over.

Jim
Re: [pfSense Support] policy routing openvpn -- how to select interface/gateway for openvpn
On 4/19/2010 5:40 AM, mayak-cq wrote: i have a pfsense box with two interfaces (not sharing the same media or gateway). i need for openvpn to use a specific interface/gateway to bind to. as packets are internally generated, standard policy routing won't work here -- i tried the openvpn --bind option to no avail.

Try adding 'local x.x.x.x;' to the custom options box on the config, that should allow it to use a specific local IP on the box from which to source its traffic.
Re: [pfSense Support] no packages for 2.0
On 4/19/2010 1:57 PM, David Burgess wrote: The Available Packages page for 2.0 beta x86_64 full snapshot from Friday shows no packages, with the warning Unable to communicate with www.pfsense.com. Please verify DNS and interface configuration, and that pfSense has functional Internet connectivity. My DNS works. I don't see anything related in the forum. Am I doing it wrong?

It's probably looking for a package file that doesn't exist. Did this ever work before? I'm not sure if there are any 64-bit packages setup in the repo yet.
Re: [pfSense Support] L2TP
On 4/21/2010 8:03 AM, Paolo Supino wrote: I've installed PFSense 1.2.3 on a computer that I want to put as a gateway (instead of my crappy ADSL modem). I use L2TP protocol to authenticate to my ISP and connect to the Internet. Going through the menus in the WebConfigurator I can see that PFSense supports PPPoE and PPTP protocols to connect to the Internet, but there's no L2TP option. Searching Google and the forums I found only references to PFSense acting as a L2TP server, but not as a client ... Am I missing something or is my conclusion that there's no L2TP client support in PFSense 1.2.3 correct? Is there support for L2TP Client in version 2 (I didn't try it yet)?

There isn't yet an L2TP WAN type in pfSense 2.0 either, just the server. It's all done with mpd, though, so it might be possible.

Jim
Re: [pfSense Support] L2TP
On 4/21/2010 9:01 AM, Paolo Supino wrote: How do I bypass the webConfigurator to do it with mpd?

That is beyond the scope of this mailing list. I meant that someone familiar with pfSense internals and mpd's config file format could probably add a WAN type for L2TP if there were enough interest.

Jim
Re: [pfSense Support] I forgot the login password
On 4/28/2010 4:16 AM, Barkat ali wrote: how to reset the password for login?

Try one of the many options listed here: http://doc.pfsense.org/index.php/I_locked_myself_out_of_the_WebGUI,_help!

Jim
Re: [pfSense Support] Firewall not blocking ip after adding it to rules
On 4/27/2010 6:37 PM, Chris Flugstad wrote: I block an ip in the fw rules on lan and wan, and then reset states, but traffic is still being passed to and from that ip. did i miss something?

These problems boil down to one of a few issues:

1. IP has an existing state. Clearing states or rebooting would fix.
2. Rule is below other rules that match the traffic, and is thus ignored. First match wins.
3. Rule is on the wrong interface. Rules go on the interface where pfSense first sees the traffic (in direction, from the firewall's POV). Blocking traffic coming from a LAN client? Rule goes on LAN. Blocking traffic coming from an Internet host? Rule goes on WAN.
4. The rule does not actually match the traffic. Be more general than specific. Especially make sure the protocol and IP match.

Jim
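The four causes above are easier to see in a toy model of how the packet filter decides: state table first, then the rules bound to the arrival interface in order with first match winning, then default deny. The following is an added example for this thread, not pfSense code; the interfaces, addresses and rules in it are constructed.

```python
"""Toy model of pfSense firewall rule evaluation (added example, not pfSense
code): a packet is checked against the state table first; only if no state
exists are the rules on the interface the packet arrives on tried in order,
first match wins, default deny. All addresses and rules are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    iface: str               # interface on which the firewall first sees it
    proto: str               # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass
class Rule:
    action: str              # "pass" or "block"
    iface: str               # rules are bound to one interface
    proto: str = "any"
    src: str = "any"         # single IP or CIDR
    dst: str = "any"
    dport: Optional[int] = None
    descr: str = ""

    def matches(self, pkt: Packet) -> bool:
        if self.iface != pkt.iface:
            return False
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        for want, have in ((self.src, pkt.src), (self.dst, pkt.dst)):
            if want != "any" and ip_address(have) not in ip_network(want, strict=False):
                return False
        return True


@dataclass
class Firewall:
    rules: list
    states: set = field(default_factory=set)

    @staticmethod
    def _key(pkt: Packet):
        return (pkt.proto, pkt.src, pkt.dst, pkt.dport)

    def evaluate(self, pkt: Packet):
        """Return (verdict, reason). A pass creates a state, so later packets
        of that flow skip the rules entirely until states are reset."""
        if self._key(pkt) in self.states:
            return "pass", "existing state, rules not consulted"
        for idx, rule in enumerate(self.rules):
            if rule.matches(pkt):
                if rule.action == "pass":
                    self.states.add(self._key(pkt))
                return rule.action, f"rule {idx} ({rule.descr}) on {rule.iface}"
        return "block", "default deny"

    def reset_states(self):
        self.states.clear()


BAD_HOST = "192.168.1.50"                         # LAN client to be blocked
PKT = Packet("lan", "tcp", BAD_HOST, "203.0.113.10", 80)
ALLOW_LAN = Rule("pass", "lan", descr="allow LAN to any")


def demonstrate():
    """Reproduce each reason a block rule appears not to work."""
    r = {}
    # 1. existing state: the flow was allowed before the block rule existed
    fw = Firewall([ALLOW_LAN])
    fw.evaluate(PKT)                                  # creates the state
    fw.rules.insert(0, Rule("block", "lan", src=BAD_HOST, descr="block bad host"))
    r["existing_state"] = fw.evaluate(PKT)[0]         # still passes
    fw.reset_states()
    r["after_state_reset"] = fw.evaluate(PKT)[0]      # now blocked
    # 2. block rule below a broader pass rule: first match wins
    fw = Firewall([ALLOW_LAN, Rule("block", "lan", src=BAD_HOST, descr="block bad host")])
    r["wrong_order"] = fw.evaluate(PKT)[0]
    # 3. block rule on WAN, but the packet enters on LAN
    fw = Firewall([Rule("block", "wan", src=BAD_HOST, descr="block bad host"), ALLOW_LAN])
    r["wrong_interface"] = fw.evaluate(PKT)[0]
    # 4. rule too specific: protocol does not match, so it never fires
    fw = Firewall([Rule("block", "lan", proto="udp", src=BAD_HOST, descr="block bad host"), ALLOW_LAN])
    r["no_match"] = fw.evaluate(PKT)[0]
    # the rule that works: right interface, above the pass rule, general match
    fw = Firewall([Rule("block", "lan", src=BAD_HOST, descr="block bad host"), ALLOW_LAN])
    r["correct"] = fw.evaluate(PKT)[0]
    return r


if __name__ == "__main__":
    for case, verdict in demonstrate().items():
        print(f"{case:18s} -> {verdict}")
```

The model keys states on the packet tuple only; real pf also matches the reply direction and tracks TCP sequence windows, but the troubleshooting order is the same: clear the state, then check rule order, interface, and specificity.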
Re: [pfSense Support] /boot/loader.conf.local
On 4/30/2010 10:01 PM, Volker Kuhlmann wrote: I have an AMD K6 mobo which requires ACPI to be off, or network interfaces don't work. (Which I had to find out again a few weeks ago upgrading to 1.2.3, having to take the box out to connect monitor and keyboard.) /boot/loader.conf was overwritten by 1.2.3.

It still does it in 2.0, but iirc in both cases they are overwritten incorrectly. On 2.0 it overwrites with a blank file, I haven't double checked an upgraded 1.2.x lately. I just opened a ticket this afternoon about that.

Searching for this I found to put hint.acpi.0.disabled=1 into /boot/loader.conf.local, which shouldn't be overwritten by system upgrades, and it works as expected.

Not sure that is the case on 2.0, as it also includes an empty loader.conf.local at least in the base install. I haven't yet tested to see if it's overwritten.

Without a permanent setting like this I can't upgrade pfsense, because after the automatic reboot at the end of the upgrade the box's interfaces won't work.

I'm in the same boat on my home router now since it requires disabling DMA in loader.conf to function properly (turning it off in the BIOS has no effect.)

The really good pfsense book says (p. 70) to put this line into /boot/device.hints, and that this is also not permanent. It does not mention /boot/device.hints.local, if there is such a thing.

There is no device.hints.local, unfortunately.

What is the recommended way to turn off acpi permanently with pfsense, and is there a reason why /boot/loader.conf.local isn't mentioned in the book?

It was probably partly oversight, and partly the possibility of it also being overwritten by future upgrades. It would be nice if those files would be somehow merged instead of overwritten, since they are special cases. In 2.0 at least you can set some sysctl values in the GUI so that's not so bad, but the settings that must be in device.hints/loader.conf are still tricky to handle.
Jim
Re: [pfSense Support] upgrading wrap to alix
On 5/1/2010 6:18 PM, Vick Khera wrote: Given that running on the WRAP requires some hackery, and does not support the dual firmware partitions, I'm planning to replace my current WRAP motherboard with the new ALIX board. I have the 2-ethernet, 2 miniPCI version of WRAP. Do I need a new enclosure to fit the ALIX? They appear to be laid out the same, so I'm guessing not, but just wanted to see if anyone here knows. I provide power using PoE so I'm assuming that will still work.

The ALIX boards can have a few different configurations, some of which have USB ports, so you may need to check carefully. The enclosures are really cheap though, it would probably be worth getting another given the relatively small cost. PoE should still work. You will have to change the interfaces in the configuration when you restore it on the ALIX. The interfaces on the WRAP are sis(4), the ALIX has vr(4).

Jim
Re: [pfSense Support] Can't activate dhcp on 2.0 snapshot
On 5/4/2010 8:15 AM, Matias wrote: I'm trying on a virtual machine 2.0 snapshot 20100429 and I'm not able to activate the dhcp on the LAN interface. The interface address is 192.168.56.10, and when activating the DHCP service in the Available range field I can see: 192.168.56.1 - 192.168.56.254 But when entering in the next set of boxes the values 192.168.56.100 and 192.168.56.199 and (after completing all other fields) I get the following error message: The specified range lies outside of the current subnet. Which is incorrect to me.

Are you on a 32-bit or 64-bit snapshot?

Jim
Re: [pfSense Support] Re: Can't activate dhcp on 2.0 snapshot
On 5/4/2010 8:25 AM, Matias wrote: On 04/05/10 14:19, Jim Pingle wrote: On 5/4/2010 8:15 AM, Matias wrote: I'm trying on a virtual machine 2.0 snapshot 20100429 and I'm not able to activate the dhcp on the LAN interface. The interface address is 192.168.56.10, and when activating the DHCP service in the Available range field I can see: 192.168.56.1 - 192.168.56.254 But when entering in the next set of boxes the values 192.168.56.100 and 192.168.56.199 and (after completing all other fields) I get the following error message: The specified range lies outside of the current subnet. Which is incorrect to me. Are you on a 32-bit or 64-bit snapshot? 64, sorry.

There are some known issues with IP comparison functions on 64-bit snapshots. This is probably just one of those issues. Unfortunately, it seems to be a 64-bit PHP bug that we need to find a good workaround for.

Jim
Re: [pfSense Support] Re: Can't activate dhcp on 2.0 snapshot
On 5/4/2010 8:37 AM, Matias wrote: There are some known issues with IP comparison functions on 64-bit snapshots. This is probably just one of those issues. Unfortunately, it seems to be a 64-bit PHP bug that we need to find a good workaround for. Well, this is good news for me. At least I know that this is not a problem on the 32 bits version. Thanks for your help. Would you like me to open a ticket describing the problem?

There is already a ticket open on the issue: http://redmine.pfsense.org/issues/459 That seems to be the root cause of the problem, once that is solved, the other issues will (hopefully!) work themselves out.

Jim
Re: [pfSense Support] Bug in pfsense 2.0 BETA1 20100506 (loadbalancer)
On 5/9/2010 8:39 PM, Chris Buechler wrote: On Fri, May 7, 2010 at 6:40 AM, Kai Szymanski kszyman...@it-partner-nord.de wrote: Hi! If i try to configure the loadbalancer (Services - Load balancer) i get Fatal error: Cannot redeclare killbypid() (previously declared in /etc/inc/util.inc:40) in /etc/inc/util.inc on line 42 How, more specifically, can you replicate that?

Ermal fixed this last week: https://rcs.pfsense.org/projects/pfsense/repos/mainline/commits/3327ac109894f9974283de655eaa50ef7a97571f

Jim
Re: [pfSense Support] Does 123 Show Internal LAN Traffic Speeds?
On 5/30/2010 2:39 PM, mehma sarja wrote: While cloning a laptop to a samba file server across my internal LAN, The Traffic Graph on the LAN interface shows no activity. I have a simple home setup with one WAN and one LAN interface. Am I thinking about this the wrong way?

That traffic never hits the router, it just goes directly from one system to the other via the switch.

Jim
Re: [pfSense Support] PFsense 2.0 SMTP notifications.
On 6/4/2010 3:19 PM, Ryan wrote: Sorry if this gets sent twice, I forgot to put a subject (smacks self in head). I finally got a chance to play with the new version 2.0 beta. I must say, I like what I see so far. Thanks. I see there is a place under Advanced Notifications for an smtp server for notifications. What is considered an Alert that would be sent by these notifications? Is there a place to adjust this? I am mainly looking for a notice that a gateway is down. Thanks for the help.

Anything that would show up in the top bar as an alert. Gateway failures aren't counted among those, however. Things like CARP changeovers would do that, and some other major things. I have some ideas for beefing that area up. I'm interested in having an HDD space notification, and I know there are probably other general triggers that people would like to see (high load average, high swap usage, etc)

Jim
Re: [pfSense Support] New blocked traffic
I have another soekris running 2.0-BETA2 and seeing the following in the logs from it (it's not logging source or destination). Be nice to have the source ip address...

Lyle Giese LCR Computer Services, Inc.

Jun 8 21:47:21 proxy pf: 00:00:00.000350 rule 2/0(match): block in on sis0: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 243)
Jun 8 21:47:21 proxy pf: 00:00:00.000302 rule 2/0(match): block in on sis0: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 235)
Jun 8 21:47:21 proxy pf: 00:00:00.000290 rule 2/0(match): block in on sis0: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 243)
Jun 8 21:47:21 proxy pf: 00:00:00.000289 rule 2/0(match): block in on sis0: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 243)

On 2.0 the pf logs are split into two lines. You need the line after this to see the remainder of the log info. As for the ports you are seeing, they don't look familiar to me, but going by the list here: https://isc.sans.org/port.html They aren't common in terms of source or destination ports seen. https://isc.sans.org/port.html?port=19295 https://isc.sans.org/port.html?port=19296 https://isc.sans.org/port.html?port=61891

Jim
Re: [pfSense Support] New blocked traffic
On 6/9/2010 9:35 AM, Lyle Giese wrote: On 2.0 the pf logs are split into two lines. You need the line after this to see the remainder of the log info. That bytes! How does a simple syslog parser handle that to match the two lines together? How can you guarantee that the next line is the matching line and not from some other process sending stuff to syslog?

I don't like it either, but it's due to the way tcpdump parses things now when printing verbose information. I had to change the parser a lot to handle these lines locally. Remotely would be worse, but you could match on host pf: It's even trickier because not every line is split in two. You can look at the log parsing code in 2.0 for some insight into what was needed to overcome this.

Jim
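The pairing problem Lyle raises (and the "match on host and pf:" answer) can be handled with a small stateful parser: keep the half-parsed record per host, only let a line that carries the pf tag from the same host complete it, and emit single-line records unchanged. This is an added example written for this thread, not pfSense's own log parser; the four-line sample log, including the dhcpd line wedged between the two halves and the second-line address format, is constructed.

```python
"""Join the two-line pf log records of pfSense 2.0 (added example, not
pfSense's own parser). The first line carries rule, action, interface and
the verbose IP header; addresses and ports follow on the next "pf:" line
from the same host. Lines from other daemons may land in between, so
pairing is done per host and only on the pf tag; records that need no
second line (non-IP packets) are emitted as they are. Sample log is
constructed."""
import re

SYSLOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
                       r"(?P<host>\S+) (?P<tag>[^:\s]+): (?P<msg>.*)$")
HEAD_RE = re.compile(r"^(?P<delta>\d\d:\d\d:\d\d\.\d+) rule (?P<rule>\S+?)"
                     r"\((?P<reason>\w+)\): (?P<action>\w+) (?P<dir>in|out) "
                     r"on (?P<iface>\w+): (?P<rest>.*)$")
PROTO_RE = re.compile(r"proto (?P<proto>\w+) \(\d+\)")
FLOW_RE = re.compile(r"^\s*(?P<src>\S+) > (?P<dst>\S+):")

SAMPLE_LOG = """\
Jun  8 21:47:21 proxy pf: 00:00:00.000350 rule 2/0(match): block in on sis0: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 243)
Jun  8 21:47:21 proxy dhcpd: DHCPREQUEST for 192.0.2.40 from 00:11:22:33:44:55 via sis0
Jun  8 21:47:21 proxy pf:     192.0.2.5.19295 > 198.51.100.7.61891: UDP, length 215
Jun  8 21:47:22 proxy pf: 00:00:00.000100 rule 2/0(match): block in on sis0: ARP, Request who-has 192.0.2.1 tell 192.0.2.9, length 28
""".splitlines()


def _endpoint(ep, proto):
    """tcpdump prints host.port for TCP/UDP; other protocols have no port."""
    if proto in ("TCP", "UDP"):
        addr, port = ep.rsplit(".", 1)
        return addr, int(port)
    return ep, None


def parse_pf_log(lines):
    pending = {}        # host -> record still waiting for its address line
    records = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m or m.group("tag") != "pf":
            continue    # another daemon's line never completes a pf record
        host, msg = m.group("host"), m.group("msg")
        head = HEAD_RE.match(msg)
        if head:
            stale = pending.pop(host, None)
            if stale:
                records.append(stale)    # second half never came; keep the rest
            rec = {"ts": m.group("ts"), "host": host, "rule": head.group("rule"),
                   "action": head.group("action"), "dir": head.group("dir"),
                   "iface": head.group("iface"), "proto": None, "src": None,
                   "sport": None, "dst": None, "dport": None, "detail": None}
            rest = head.group("rest")
            pm = PROTO_RE.search(rest)
            if rest.startswith("(") and pm:
                rec["proto"] = pm.group("proto")
                pending[host] = rec      # verbose IP header: addresses come next
            else:
                rec["detail"] = rest     # single-line record (ARP and the like)
                records.append(rec)
            continue
        rec = pending.pop(host, None)
        if rec is None:
            continue    # continuation with no head on this host: do not guess
        fm = FLOW_RE.match(msg)
        if fm:
            rec["src"], rec["sport"] = _endpoint(fm.group("src"), rec["proto"])
            rec["dst"], rec["dport"] = _endpoint(fm.group("dst"), rec["proto"])
        records.append(rec)
    return records


if __name__ == "__main__":
    for r in parse_pf_log(SAMPLE_LOG):
        print(r["action"], r["dir"], r["iface"], r["proto"],
              r["src"], r["sport"], r["dst"], r["dport"], r["detail"])
```

For a remote syslog collector receiving several firewalls, the per-host dictionary is what keeps two boxes' split records from being cross-paired; a head line that arrives while an earlier one is still pending is treated as evidence the earlier second half was lost, not as its continuation.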
Re: [pfSense Support] Bandwdith usage since start of month?
On 6/18/2010 12:04 PM, Adam Thompson wrote: Is there a way to get this information?

Try this command at the CLI, do the values look right when compared to the graph? My awk-fu isn't that good, there's probably a better way to do this: (This should all be one single line)

rrdtool fetch /var/db/rrd/wan-traffic.rrd AVERAGE -r 3600 -s '00:00 06/01/2010' -e now | grep -v nan | cut -f2 -d':' | awk '{ sum1 += $1/(1024*1024); sum2 += $2/(1024*1024) } END { printf "IN: %u Mbytes OUT: %u Mbytes\n", sum1*3600, sum2*3600; }'

I had to use Mbytes since using bytes made awk overflow its integer type :-) If you have more than one WAN, you can repeat that with opt1-traffic.rrd, etc.

Jim
Re: [pfSense Support] Bandwdith usage since start of month?
On 6/18/2010 1:28 PM, Adam Thompson wrote: Thank you very much! I never know how to extract the raw data from rrdlogs, now I know it's actually not that hard. (BTW: the AWK is fine, although you can omit the cut(1) stage in the pipe simply by having awk add up $2 and $3 instead of $1 and $2.) And for my next trick, this one works in whatever month you run it:

rrdtool fetch /var/db/rrd/wan-traffic.rrd AVERAGE -r 3600 -s "00 `date '+%m/01/%Y'`" -e now | grep -v nan | awk '{ sum1 += $2/(1024*1024); sum2 += $3/(1024*1024) } END { printf "IN: %u Mbytes OUT: %u Mbytes\n", sum1*3600, sum2*3600; }'

Thanks for the reminder, re: cut/awk. It wouldn't be too difficult to add this to the GUI if we can confirm that the results are indeed accurate.

Jim
Re: [pfSense Support] Bandwdith usage since start of month?
On 6/18/2010 1:40 PM, Adam Thompson wrote: It wouldn't be too difficult to add this to the GUI if we can confirm that the results are indeed accurate. Well, I can tell you that the numbers returned matched up exactly with what my ISP wants to bill me for :-)

That's certainly a good measure :-) We'd just need to put a big fat disclaimer on the total that says it's not 100% accurate, especially if the RRD data is incomplete for the time period.
Re: [pfSense Support] Bandwdith usage since start of month?
On 6/18/2010 1:44 PM, Jim Pingle wrote: On 6/18/2010 1:40 PM, Adam Thompson wrote: It wouldn't be too difficult to add this to the GUI if we can confirm that the results are indeed accurate. Well, I can tell you that the numbers returned matched up exactly with what my ISP wants to bill me for :-) That's certainly a good measure :-) We'd just need to put a big fat disclaimer on the total that says it's not 100% accurate, especially if the RRD data is incomplete for the time period.

I put a version of this info into a package for 1.2.3 and 2.0 called RRD Summary. For now it just shows the current and previous month, and you can pick which RRD database it uses as well as which day starts the month period. Give it a try and see if it's still accurate.

Jim
Re: [pfSense Support] upgrade failure from Beta2 to Beta3
On 6/30/2010 10:16 AM, Lyle Giese wrote: I am playing with 2.0 Beta and saw Beta3 was available. I am running the nanobsd version on a Soekris Net4801 on a 2g SanDisk CF card. The original load was by putting the Beta2 image on the CF card with dd. I downloaded the latest snapshot of Beta3 and tried to upload via a browser the new version for upgrading, but it failed with the following: Jun 30 08:52:39 proxy php: : New alert found: Upgrade failed due to the upgrade image being larger than the partition that is configured on disk. Halting. Size on disk: 219 Size of new image: 488 Is removing the CF card and using DD again, my only option now?

Are you absolutely sure you are using the proper size upgrade image? Often this error is because the wrong size upgrade image is used, or a full image is being uploaded instead of an upgrade image.

Jim
Re: [pfSense Support] blocking https:facebook.com via squidguard pfsense gui
On 6/30/2010 4:00 PM, Luke Jaeger wrote: I decided to enable transparent proxy on my school firewall because I was getting a million requests a day to configure proxy settings on student laptops. But now that I turned on transparent proxy, students have discovered that they can get to banned sites (like facebook) via https. http://www.facebook.com is blocked but https://www.facebook.com still works. Can someone let me know how to block these? I understand I have to deny the 'connect method' but don't see where to do this. Can this only be done in command line?

You cannot transparently proxy SSL connections. You would have to deny outbound access to port 443 and if they want SSL, they must configure the proxy settings into their browser(s) either by hand or automatically with something like WPAD.

Jim
Re: [pfSense Support] Create larger embedded images
On 7/1/2010 3:45 PM, Trevor Benson wrote: We have a few devices with sad drives we would like to use packages with and configure extra steps into the shutdown to backup additional log data and some small configurations to the /cfg partition. It would be useful to use the rest of the 32G. We have a few systems we intend to build/customize packages on as well, so storing the large image file wouldn't be a problem. If you have any hints that would be great, otherwise we will just follow the nanobsd instructions as far as we can.

If you want to do all the math and figure out the partition, slice, sector, etc, sizes it is certainly possible, but as long as you're doing unsupported things, you may as well just use fdisk to make the rest of the media another partition, newfs it, and then edit fstab to mount it.

Jim
Re: [pfSense Support] blocking https:facebook.com via squidguard pfsense gui
On 6/30/2010 4:29 PM, Luke Jaeger wrote: thanks Jim - I got the impression from reading the pfsense forum that there is a way to block https for specific domains by denying the connect method - am I understanding this wrong?

That would still require they be routed through squid. Denying a connect method is a function of squid, not of the firewall. (Though by blocking port tcp/443 you can effectively deny that, unless it's running on an alternate port...)

Otherwise I might give WPAD a try.

There's a doc in the wiki which goes over how to configure it on pfSense. It's not too hard, assuming the browsers are set for auto-configure.

Jim
Re: [pfSense Support] Re: Potential DNS rebind attack detected
On 7/6/2010 10:57 AM, David Burgess wrote: On Tue, Jul 6, 2010 at 8:50 AM, David Burgess apt@gmail.com wrote: Any idea what's going on here? I see a thread is already active in the forum. I'll recall this post in favour of that thread. http://forum.pfsense.org/index.php/topic,26434.msg137878.html#new

In case others hit this and haven't looked at the forum thread: Some code has been checked in that should include a fix. Details have been posted in that thread.

Jim
Re: [pfSense Support] Bandwdith usage since start of month?
On 7/13/2010 3:21 PM, Adam Thompson wrote: Aha! In /usr/local/www/status_rrd_summary.php, on line 38, the requested resolution for $lastmonth is 86400, but the RRD file in question doesn't have anything larger than 720*60=43200 (according to rrdtool info, anyway) and defaults to returning not the next-closest resolution, but the *highest* resolution instead. I haven't checked this month, but the last month numbers match my ISP bill perfectly if I change 86400 to 720*60:

Thanks for catching that! I committed a fix and updated the package. It should be up shortly.

Jim
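The bug Adam found is a general hazard of the one-liner earlier in this thread: the sum multiplies each average rate by the step you asked for with -r, but rrdtool only has the archives the RRD was built with, so the rows can come back at a different step and the total is off by the ratio of the two. The following is an added example for this thread (not pfSense's RRD Summary package) that parses `rrdtool fetch` text output and takes the step from the timestamps themselves; the sample output is constructed to mimic a request for -r 86400 answered from a 43200 s archive.

```python
"""Sum bytes from `rrdtool fetch` text output (added example, not pfSense's
RRD Summary package). Same arithmetic as the awk one-liner, except the slot
length is derived from the returned timestamps instead of hard-coded, so a
request for a resolution the RRD does not have cannot silently inflate the
total. SAMPLE_FETCH is constructed: -r 86400 requested, rows 43200 s apart."""
import math

SAMPLE_FETCH = """\
                             in                 out

1277942400: 1.0000000000e+05 2.0000000000e+04
1277985600: 1.2000000000e+05 2.5000000000e+04
1278028800: nan nan
1278072000: 8.0000000000e+04 1.0000000000e+04
"""


def parse_fetch(text):
    """Return (column names, [(timestamp, [bytes/s per column]), ...])."""
    lines = [l for l in text.splitlines() if l.strip()]
    columns = lines[0].split()
    rows = []
    for line in lines[1:]:
        ts, vals = line.split(":", 1)
        rows.append((int(ts), [float(v) for v in vals.split()]))
    return columns, rows


def actual_step(rows):
    """Slot length really returned, from consecutive timestamps."""
    diffs = {b[0] - a[0] for a, b in zip(rows, rows[1:])}
    if len(diffs) != 1:
        raise ValueError(f"irregular or missing steps: {sorted(diffs)}")
    return diffs.pop()


def _sum(columns, rows, step):
    totals = dict.fromkeys(columns, 0.0)
    for _, vals in rows:
        if any(math.isnan(v) for v in vals):
            continue                      # like `grep -v nan`: unfilled slot
        for col, v in zip(columns, vals):
            totals[col] += v * step       # average bytes/s x seconds in slot
    return {c: int(t) for c, t in totals.items()}


def total_bytes(text):
    """Totals using the step the data actually has."""
    columns, rows = parse_fetch(text)
    step = actual_step(rows)
    return step, _sum(columns, rows, step)


def naive_total_bytes(text, assumed_step):
    """Totals the way the one-liner computes them, with a hard-coded step."""
    columns, rows = parse_fetch(text)
    return _sum(columns, rows, assumed_step)


if __name__ == "__main__":
    step, totals = total_bytes(SAMPLE_FETCH)
    print("step", step, "bytes", totals)
    print("assuming 86400:", naive_total_bytes(SAMPLE_FETCH, 86400))
```

Rows that rrdtool fills with nan (no data consolidated for that slot) are skipped just as `grep -v nan` skips them, which is why the total can only undercount when the RRD is incomplete for the period, the case the disclaimer in this thread is about.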
Re: [pfSense Support] Bandwdith usage since start of month?
On 7/13/2010 6:20 PM, David Burgess wrote: On Tue, Jul 13, 2010 at 4:06 PM, Jim Pingle li...@pingle.org wrote: I committed a fix and updated the package. It should be up shortly. Parse error: syntax error, unexpected '(' in /usr/local/www/status_rrd_summary.php on line 38 That's version 1.1

Updated again, but I didn't bump the version this time. Try it in about 5 minutes.
Re: [pfSense Support] Writing a 4gb version from windows.
On 7/14/2010 9:51 AM, Laurentiu STEFAN wrote: I have tried to write the last version of pfSense to a DVD from a PC with Windows 7. I receive an error: The image file is invalid. Can someone send me a link to an image file with the last full version of pfSense and instructions to write it on a DVD?

The 4GB version is a disk image, not an ISO image. It is intended to be used with a CF or other media directly, it does not contain an installer. You want the LiveCD/Installer ISO image. It will work on CD or DVD. You can boot from it, then install on the target hardware.

Jim
Re: [pfSense Support] Re: FTP Server or samba server for PFSense
On 7/14/2010 11:18 AM, Laurentiu STEFAN wrote: Can someone help me with this problem too? 2010/7/14 Laurentiu STEFAN laurentiu.ste...@gmail.com I have an IBM IntelliStation with 2 Pentium II 350 MHz processors, 512 RAM and 150 GB HDD. I want to install pfSense and I want to use the rest of the HDD space for an FTP server or a Samba server. Is it possible?

There is not currently any kind of file server package for pfSense. It's not a task that most people want to do on their firewall, as it represents a considerable security risk.
Re: [pfSense Support] Minimal configuration for pfSense.
On 7/14/2010 3:17 PM, Laurentiu STEFAN wrote: Is it OK to use an IBM Pentium MMX 200 MHz, 64 MB RAM, 3 GB SCSI, 3x LAN for pfSense (Mask, firewall, load balancing with 10 PCs behind)?

That's not very much RAM. If it doesn't use any packages, and no VPNs, it might work. Barely. But it will probably waste more money in power costs in a year than a newer, more efficient (and faster) unit.

Jim
Re: [pfSense Support] 2.0 beta1 embedded to beta3 upgrade
On 7/28/2010 2:12 PM, stephen at stephenjc wrote: I have tried from the terminal to upgrade from beta1 to beta3. It says everything is ok and reboots but always comes back up as beta1.

From a snap that old you will probably have to do a GUI firmware update. Both the console upgrade and auto upgrade were broken at that point.

Jim
Re: [pfSense Support] USB Keyboard - Boot Hangs
On 8/4/2010 1:24 PM, Tim Nelson wrote: Greetings (again) fellow pfSense'rs- I'm also having issues with booting a system with a USB keyboard. The keyboard works perfectly fine, but when pfSense attempts to initialize all devices, there are problems and the system hangs: Starting device manager (devd)...kbdcontrol: cannot open /dev/ukbd0: Device busy I've tried multiple keyboards, with and without using a KVM, and the result is the same. I've also tried booting without a keyboard altogether but then the error message is 'No such file or directory' instead of 'Device busy'. Any thoughts?

Have you tried toggling the Legacy USB option in the BIOS if there is a choice for it?

Jim
Re: [pfSense Support] /boot/loader.conf vs /system_advanced_sysctl.php in 2.0
On 8/12/2010 1:54 PM, David Burgess wrote:
> In 1.2.3 I had very good results adding the following lines to /boot/loader.conf while using the squid package in transparent mode:
>
> hint.apic.0.disabled=1
> kern.ipc.nmbclusters=32768
> kern.maxfiles=65536
> kern.maxfilesperproc=32768
> net.inet.ip.portrange.last=65535
>
> So far in 2.0 I have not seen that this is necessary, despite that my connection speed has gone up by 400%. I'm not sure what these options do or why they helped performance in 1.2.3, but it raises a couple of questions for me.
>
> 1. Have changes to 2.0 made the above tweaks superfluous?

Are you using squid? Usually the nmbclusters only helped in that case. As for the others, it's hard to say. You should try them individually and see which one actually makes the difference.

> 2. If I wanted to try setting the above variables, would they still belong in /boot/loader.conf, or is /system_advanced_sysctl.php the place to put those now?

The answer is it depends - Some values must be tuned in the loader and cannot be changed once the system is booted. Those will still need to be in loader.conf. The others can go in the sysctl page. Unfortunately, the list of which can be tuned where isn't very well documented.

Jim
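A small helper for sorting a loader.conf fragment into "must stay in /boot/loader.conf" versus "can go on the sysctl page", as an added example that is not from this thread or from pfSense itself. It assumes you have captured, on the box in question, the names FreeBSD's sysctl(8) reports as loader-settable (`sysctl -aNT`) and as runtime-writable (`sysctl -aNW`); the lists embedded here are constructed stand-ins for that output, not an authoritative list, and `hint.*` device hints are treated as loader-only because the kernel reads them at boot.

```python
# Constructed sample: names printed by `sysctl -aNT` (loader tunables) on the
# target box.  Replace with the real output; this is NOT a complete list.
SAMPLE_TUNABLES = """\
kern.ipc.nmbclusters
kern.maxfiles
kern.maxfilesperproc
"""

# Constructed sample: names printed by `sysctl -aNW` (runtime-writable).
SAMPLE_WRITABLE = """\
kern.ipc.nmbclusters
kern.maxfiles
kern.maxfilesperproc
net.inet.ip.portrange.last
"""

# Constructed loader.conf fragment: the five lines from the thread plus a
# comment and a quoted value, to exercise the parser.
LOADER_CONF = """\
# constructed loader.conf fragment
hint.apic.0.disabled=1
kern.ipc.nmbclusters="32768"   # loader.conf allows double-quoted values
kern.maxfiles=65536
kern.maxfilesperproc=32768
net.inet.ip.portrange.last=65535
"""


def names(text):
    """Turn one-name-per-line sysctl output into a set of names."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def parse_loader_conf(text):
    """Return (name, value) pairs from loader.conf-style text.

    Blank lines and '#' comments are skipped; one layer of double quotes is
    stripped from values.  Values containing '#' are not supported here.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        name, value = line.split("=", 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        entries.append((name.strip(), value))
    return entries


def classify(entries, tunables, writable):
    """Map each variable name to where it can be set.

    'loader'  - only honoured at boot: device hints, or a tunable the kernel
                does not let you change after boot
    'either'  - loader tunable that is also runtime-writable (loader.conf or
                the sysctl page both work)
    'sysctl'  - runtime-writable but not a loader tunable
    'unknown' - in neither list; check `sysctl -d name` on the box
    """
    result = {}
    for name, _ in entries:
        if name.startswith("hint."):
            result[name] = "loader"
        elif name in tunables and name in writable:
            result[name] = "either"
        elif name in tunables:
            result[name] = "loader"
        elif name in writable:
            result[name] = "sysctl"
        else:
            result[name] = "unknown"
    return result


def classify_sample():
    """Run the classifier over the constructed inputs above."""
    return classify(parse_loader_conf(LOADER_CONF),
                    names(SAMPLE_TUNABLES), names(SAMPLE_WRITABLE))


if __name__ == "__main__":
    for name, where in classify_sample().items():
        print(f"{name:35s} {where}")
```

The useful part is the "either" bucket: those settings can be moved to the sysctl page and tried one at a time without a reboot, which is what the reply above suggests, while anything classed "loader" has to stay in loader.conf.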
Re: [pfSense Support] Large Aliases
On 8/23/2010 3:12 PM, Seth Mos wrote:
> Hi,
>
> On 23 Aug 2010, at 21:08, Jim Cheetham wrote:
>> Perhaps there's another way; what are you doing this for? Instead of basing rules on a large set of aliases that you have to update regularly, is there some other characteristic you can group your rules by? (AKA 'describe the original problem, not just the one step you're stuck on')
>
> Also, in 2.0 we have support for nested aliases. What you can do with this is pretty straightforward of course. You can then update 1 specific alias which is part of the parent alias. This should make management a lot easier, the chances of error smaller and possibly the number of firewall rules smaller.

In 2.0 we also have a URL table alias type that can periodically update its contents from a URL that has IP and IP/CIDR format entries (one per line). We've tried it with 40k+ entries and it works fine. You can't edit the lists on the box though, they only refresh via the contents of the URL. There was no practical way to handle editing that large of a list in the GUI and storing the data in the actual XML file. There is a package for 1.2.3 that imports that functionality as well.

Jim
Re: [pfSense Support] Large Aliases
On 8/23/2010 6:20 PM, Joseph L. Casale wrote:
>> Also, in 2.0 we have support for nested aliases. What you can do with this is pretty straightforward of course. You can then update 1 specific alias which is part of the parent alias. This should make management a lot easier, the chances of error smaller and possibly the number of firewall rules smaller.
>>
>> In 2.0 we also have a URL table alias type that can periodically update its contents from a URL that has IP and IP/CIDR format entries (one per line). We've tried it with 40k+ entries and it works fine. You can't edit the lists on the box though, they only refresh via the contents of the URL. There was no practical way to handle editing that large of a list in the GUI and storing the data in the actual XML file. There is a package for 1.2.3 that imports that functionality as well.
>
> This is exactly what I need, the Country Block package was what I wanted but I need finer grained control, so an Alias to work with would do this. A quick pfctl show of the Table enumerated as expected.
>
> How does one keep an eye on this? I am confused with the update frequency versus no cron job added msg?

The cron job isn't automatically added in 1.2.3 (or 2.0 yet, haven't added it to the config, but that should happen soon) but you can add your own cron job to run daily that calls /etc/rc.update_urltables. It's easy to do with the cron package that's out there too.

If you want to check the contents of the table, use pfctl -T show -t name where name is the name of your alias.
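Since a URL table alias (discussed in this and the previous message) is refreshed from a list the firewall does not author, it is worth checking the feed before publishing it: one malformed line, or a stray prefix, ends up in a pf table that your rules trust. The following is an added example, not pfSense code and not part of this thread, meant to run wherever the list is generated or mirrored (it does not need pfctl). It assumes the feed follows the format described above, one IP or IP/CIDR per line, and additionally tolerates blank lines and `#` comments; the feed below is constructed for illustration.

```python
import ipaddress

# Constructed sample feed: what a URL table alias would fetch, plus a few
# lines that must be rejected rather than loaded into a pf table.
SAMPLE_FEED = """\
# constructed example list for a URL table alias
192.0.2.0/24
198.51.100.7
2001:db8::/32
203.0.113.0/255.255.255.0
10.0.0.0/8 trailing junk
not-an-address
192.0.2.1/33
"""


def parse_url_table(text):
    """Split a feed into (networks, rejected).

    networks: ipaddress network objects in the order seen (host entries become
              /32 or /128; host bits in a prefix are masked off, as pf does).
    rejected: (line_no, line, reason) for anything pf should never see.
    """
    networks, rejected = [], []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            networks.append(ipaddress.ip_network(line, strict=False))
        except ValueError as exc:
            rejected.append((line_no, line, str(exc)))
    return networks, rejected


def collapse(networks):
    """Merge overlapping/adjacent entries per address family.

    A 40k-line feed often contains duplicates and covered prefixes; collapsing
    them keeps the table smaller and makes a 'pfctl -T show' easier to read.
    """
    v4 = [n for n in networks if n.version == 4]
    v6 = [n for n in networks if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + \
        list(ipaddress.collapse_addresses(v6))


def render(networks):
    """Emit the cleaned list in the one-entry-per-line form pf expects."""
    return "\n".join(str(n) for n in networks) + "\n"


def check_sample():
    """Validate the constructed feed; returns (clean_count, rejected_count)."""
    networks, rejected = parse_url_table(SAMPLE_FEED)
    return len(collapse(networks)), len(rejected)


if __name__ == "__main__":
    nets, bad = parse_url_table(SAMPLE_FEED)
    for line_no, line, reason in bad:
        print(f"line {line_no}: rejected {line!r}: {reason}")
    print(render(collapse(nets)), end="")
```

Run this before the file is exposed at the URL the alias points to, and refuse to publish when `rejected` is non-empty. After the next `/etc/rc.update_urltables` run, `pfctl -T show -t name` on the firewall should list exactly the collapsed entries, which gives you a simple way to confirm the refresh happened and nothing unexpected was loaded.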