[pfSense] Issue with SMTP - Spam behind NAT

2014-10-09 Thread Mikey van der Worp
To whom it may concern,

Today I have come to you with the question on how to block users from spamming 
with smtp/25, behind NAT and the IP of PfSense ( NAT). We do not wish/want to 
block the entire SMTP traffic in the private range to the world, because there 
are important clients behind the pfSense, who actually behave normally, we 
thought about forcing all the SMTP traffic to be redirected through the pfsense 
machine, so it can be scanned/blocked. (even when the user decides not to do 
this and wants to use their own SMTP server). Is there some documentation for 
this or rate-limiting available? Might you have any solutions for the 
problem described above?

The current situation causes our server to be blocked at blacklists.

Hopefully somebody can help me out!

Thanks in advance,
Mikey van der Worp

-
Mikey van der Worp https://www.linkedin.com/profile/view?id=182619557
System Administrator

Utelisys Communications B.V.
Trinity Buildings
Tower A, 7th floor
Pietersbergweg 15
1105 BM Amsterdam

Tel  +31 - 20 - 561 8010
Fax +31 - 20 - 561 8021

___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] Issue with SMTP - Spam behind NAT

2014-10-09 Thread Andrej Ferčič [PCklinika]
Hello!

My policy is to block clients which get IPs from DHCP. All other IPs (good 
clients) can be manually dedicated to their MAC addresses and allowed through. 
Servers should have static IPs of course. You can also add another rule for 
logging only, so you can check who is the bad one.



Lep pozdrav / Best regards

Andrej Ferčič, univ.dipl.inž.
and...@pcklinika.si M +386 41 71 60 89
PCklinika d.o.o., Belšakova ulica 9, SI-2250 Ptuj, Slovenija | T +386 2 780 61 
80  F +386 2 780 61 81 W www.pcklinika.si


Re: [pfSense] Issue with SMTP - Spam behind NAT

2014-10-09 Thread Chris Bagnall

On 9/10/14 12:05 pm, Mikey van der Worp wrote:

Today I have come to you with the question on how to block users from spamming 
with smtp/25, behind NAT and the IP of PfSense ( NAT). We do not wish/want to 
block the entire SMTP traffic in the private range to the world, because there are 
important clients behind the pfSense, who actually behave normally, we thought 
about forcing all the SMTP traffic to be redirected through the pfsense machine, so 
it can be scanned/blocked. (even when the user decides not to do this and want to 
use their own SMTP server).


I'd have to caution *against* doing the above. Many people have their 
mail clients set to use TLS for outbound mail (quite sensibly), and that 
will invariably break if you try to intercept traffic to port 25 and run 
it through your own filtering mail server.


It's the bane of my life when we have clients staying in hotels that do 
this :-)


Worth adding from a user privacy perspective, it's pretty bad manners to 
intercept outbound mail traffic, especially if your users aren't 
explicitly consenting to this being done.


If you want to prevent outbound spam from your users, I'd suggest 
setting up an SMTP smarthost that sends mail on behalf of your users 
(I'm sure there are probably pfSense packages for this, but I'd do it on 
another server, personally), educate your users about using this 
upstream SMTP server, give them time to change mail settings etc., then 
block port 25 outbound and specifically open it for clients that need 
(legitimately) to use it.


The important thing is explaining to users what you're doing, why you're 
doing it, and how they can 'opt out' of it if they want/need to.


Kind regards,

Chris
--
This email is made from 100% recycled electrons


Re: [pfSense] Issue with SMTP - Spam behind NAT

2014-10-09 Thread Rizul khanna
Hello, please let me know the process for unsubscribing from all the
mailing lists of pfsense.

Thanks and Regards,

*Rizul Khanna*

rizulkha...@gmail.com  |  +91 8595370298, +91 9501074400 |
http://www.linkedin.com/pub/rizul-khanna/39/81/a3b  |
http://virtualizationforyou.blogspot.in/  |



Re: [pfSense] Issue with SMTP - Spam behind NAT

2014-10-09 Thread Chris Bagnall

On 9/10/14 12:21 pm, Rizul khanna wrote:

Hello, please let me know the process for unsubscribing from all the
mailing lists of pfsense.


Follow the link at the bottom of every list email.

Kind regards,

Chris
--
This email is made from 100% recycled electrons


[pfSense] Trying to debug check_reload_status using too much CPU [https://redmine.pfsense.org/issues/2555]

2014-10-09 Thread Jason Pyeron
A transparent firewall is showing the same problem as ticket 2555, I am unable 
to diagnose the issues without help.

I have tried rebooting, the problem comes back at boot time.
Killing the process, it respawns almost instantly.
Problem started within the last 24 hours.

What steps should I take next?


[2.0.2-RELEASE][r...@xxx.zzz]/root(1): nice top

last pid: 56970;  load averages:  1.67,  0.84,  0.35    up 0+00:02:16  11:52:48
33 processes:  2 running, 31 sleeping
CPU:  1.1% user, 27.3% nice, 67.0% system,  0.0% interrupt,  4.5% idle
Mem: 24M Active, 11M Inact, 41M Wired, 104K Cache, 43M Buf, 377M Free
Swap:

  PID USERNAME  THR PRI NICE   SIZE    RES STATE    TIME   WCPU COMMAND
  262 root        1 136   20  3408K  1208K RUN      1:15 89.99% check_reload_status
 8555 root        1  44    0  4880K  2360K select   0:01  0.00% syslogd
 9146 root        1  44    0  3316K   904K piperd   0:01  0.00% logger
 8964 root        1  44    0  5912K  2184K bpf      0:01  0.00% tcpdump
20839 root        1  76    0 45780K 20776K accept   0:01  0.00% php
19916 root        1  76    0 44756K 12528K accept   0:00  0.00% php
17713 root        1  44    0  7996K  3604K select   0:00  0.00% sshd
19466 root        1  44    0  5692K  3828K kqread   0:00  0.00% lighttpd
14748 root        1  44    0  3316K  1324K select   0:00  0.00% apinger
32901 root        1  76   20  3656K  1404K wait     0:00  0.00% sh
21861 root        1  48    4  3712K  1988K RUN      0:00  0.00% top
10596 root        1  44    0  6080K  6104K select   0:00  0.00% ntpd
56300 root        1  76    0  3688K  1564K wait     0:00  0.00% login
56328 root        1  76    0  3688K  1564K wait     0:00  0.00% login
20583 root        1  76    0  4696K  2264K pause    0:00  0.00% tcsh
18107 root        1  76    0  3656K  1424K wait     0:00  0.00% sh
10415 root        1  44    0  3436K  1376K select   0:00  0.00% inetd
18665 root        1  76    0  3656K  1428K wait     0:00  0.00% sh
56747 root        1  76    0  3656K  1388K wait     0:00  0.00% sh
56409 root        1  76    0  3656K  1388K wait     0:00  0.00% sh
59417 root        1  76    0  3656K  1388K ttyin    0:00  0.00% sh
59575 root        1  76    0  3656K  1388K ttyin    0:00  0.00% sh
  275 root        1  44    0  1888K   532K select   0:00  0.00% devd
10445 root        1  44    0  5276K  3064K select   0:00  0.00% sshd
35276 root        1  44    0  3408K  1384K nanslp   0:00  0.00% cron
49308 root        1  76   20  1564K   592K nanslp   0:00  0.00% sleep
39394 root        1  76    0  3316K   976K wait     0:00  0.00% minicron
38981 root        1  76    0  3316K   976K wait     0:00  0.00% minicron
38490 root        1  76    0  3316K   976K wait     0:00  0.00% minicron
  267 root        1  76   20  3408K  1080K kqread   0:00  0.00% check_reload_status
39382 root        1  76    0  3316K  1020K nanslp   0:00  0.00% minicron
39507 root        1  76    0  3316K  1020K nanslp   0:00  0.00% minicron
38688 root        1  76    0  3316K  1020K nanslp   0:00  0.00% minicron




[2.0.2-RELEASE][r...@xxx.zzz]/root(2): ps auxwww
USER   PID %CPU %MEM   VSZ   RSS  TT  STAT STARTED      TIME COMMAND
root   262 96.0  0.3  3408  1208  ??  RNs  11:51AM   1:16.43 /usr/local/sbin/check_reload_status
root     0  0.0  0.0     0    88  ??  DLs  11:51AM   0:00.41 [kernel]
root     1  0.0  0.1  1888   460  ??  SLs  11:51AM   0:00.01 /sbin/init --
root     2  0.0  0.0     0     8  ??  DL   11:51AM   0:00.01 [g_event]
root     3  0.0  0.0     0     8  ??  DL   11:51AM   0:00.05 [g_up]
root     4  0.0  0.0     0     8  ??  DL   11:51AM   0:00.08 [g_down]
root     5  0.0  0.0     0     8  ??  DL   11:51AM   0:00.00 [crypto]
root     6  0.0  0.0     0     8  ??  DL   11:51AM   0:00.00 [crypto returns]
root     7  0.0  0.0     0     8  ??  IL   11:51AM   0:00.00 [fw0_probe]
root     8  0.0  0.0     0     8  ??  DL   11:51AM   0:00.01 [pfpurge]
root     9  0.0  0.0     0     8  ??  DL   11:51AM   0:00.00 [xpt_thrd]
root    10  0.0  0.0     0     8  ??  RL   11:51AM   0:01.84 [idle]
root    11  0.0  0.0     0   136  ??  WL   11:51AM   0:00.22 [intr]
root    12  0.0  0.0     0     8  ??  DL   11:51AM   0:00.00 [ng_queue]
root    13  0.0  0.0     0   128  ??  DL   11:51AM   0:00.00 [usb]
root    14  0.0  0.0     0     8  ??  DL   11:51AM   0:00.00 [pagedaemon]
root    15  0.0  0.0     0     8  ??  DL   11:51AM   0:00.00 [vmdaemon]
root    16  0.0  0.0     0     8  ??  DL   11:51AM   0:00.00 [pagezero]
root    17  0.0  0.0     0     8  ??  DL   11:51AM   0:00.00 [idlepoll]
root    18  0.0  0.0     0     8  ??  DL   11:51AM   0:00.00 [bufdaemon]
root    19  0.0  0.0     0     8  ??  DL   11:51AM   0:00.00 [syncer]
root    20  0.0  0.0     0     8  ??  DL   11:51AM   0:00.00 [vnlru]
root    21  0.0  0.0     0     8  ??  DL   11:51AM   0:00.00 [softdepflush]
root    29  0.0  0.0     0     8  ??  DL   11:51AM   0:00.03 [md0]
root    35  0.0 

Re: [pfSense] Issue with SMTP - Spam behind NAT

2014-10-09 Thread Jorge Severino
unsubscribe

2014-10-09 13:32 GMT-03:00 Aaron C. de Bruyn aa...@heyaaron.com:

 In most of my client networks, there is an internal exchange server and an
 external spam filter / mail gateway.

 I use floating rules to allow all SMTP traffic to the spam filter, and all
 SMTP traffic to the Exchange servers, then I block all other SMTP.

 Viruses trying to send mail out to various SMTP servers on the net get
 blocked (because it's not going through the spam gateway) and the Exchange
 server requires authenticated SMTP.

 This makes it easy to set things like copiers (which usually have horridly
 complex SMTP support with little or no logging other than something went
 wrong) and various linux/unix boxes to use our spam filter as an
 unauthenticated relay, and viruses using SMTP can only talk to Exchange or
 the spam filter.  Either way, it's fairly easy to figure out which host is
 spewing mail by looking at the Exchange or Postfix logs.  It's also fairly
 easy to rate-limit or block hosts that send more than 100 messages in an
 hour.

 Use floating rules to accomplish the task.  For example:
 * Apply immediately on match, accept tcp/25 from any to exchange ip
 * Apply immediately on match, accept tcp/25 from any to spam filter ip
 * Apply immediately on match, reject tcp/25 from any to any

 -A






-- 
Regards,
Jorge Severino
Personal mobile number: 08-7775834
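
The log check described in Aaron C. de Bruyn's quoted message above (finding which host is spewing mail and flagging hosts that send more than 100 messages in an hour), sketched as an added example that is not part of the original thread or anyone's production script. It assumes Postfix smtpd syslog lines of the form `<queue-id>: client=<host>[<ip>]`; the gateway name `mailgw`, the client addresses and the sample log are constructed, and the year is passed in because syslog timestamps carry none.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Postfix smtpd logs one "<queue-id>: client=<host>[<ip>]" line per accepted message.
CLIENT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s\S+\s"
    r"postfix/smtpd\[\d+\]:\s(?P<qid>[0-9A-Za-z]+):\s"
    r"client=(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]"
)


def parse_accepts(lines, year):
    """Yield (timestamp, client_ip) for each message accepted by smtpd."""
    for line in lines:
        m = CLIENT_RE.match(line)
        if not m:
            continue  # connect/disconnect, qmgr, cleanup lines are not counted
        stamp = " ".join(m.group("ts").split())  # collapse the "Oct  9" padding
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        yield ts, m.group("ip")


def find_heavy_senders(lines, year, limit=100, window=timedelta(hours=1)):
    """Return {client_ip: peak count} for clients that exceed `limit` messages
    inside any sliding `window`. Lines must be in chronological order."""
    recent = defaultdict(deque)  # per-client timestamps still inside the window
    peaks = {}
    for ts, ip in parse_accepts(lines, year):
        q = recent[ip]
        q.append(ts)
        while q[0] <= ts - window:  # drop entries that aged out of the window
            q.popleft()
        if len(q) > limit:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


def build_sample_log():
    """Constructed sample: a burst sender, a steady copier, a normal client."""
    start = datetime(2014, 10, 9, 9, 0, 0)
    plan = [
        ("192.168.1.57", 150, 12),   # 150 messages in under 30 minutes
        ("192.168.1.20", 120, 90),   # 120 messages spread over about 3 hours
        ("192.168.1.10", 5, 600),    # ordinary desktop client
    ]
    events = []
    for ip, count, gap in plan:
        for n in range(count):
            events.append((start + timedelta(seconds=n * gap), ip))
    events.sort()
    lines = []
    for n, (ts, ip) in enumerate(events):
        head = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S} mailgw postfix/smtpd[2101]:"
        lines.append(f"{head} connect from unknown[{ip}]")      # noise line
        lines.append(f"{head} {n:010X}: client=unknown[{ip}]")  # counted line
    return lines


if __name__ == "__main__":
    for ip, peak in sorted(find_heavy_senders(build_sample_log(), 2014).items()):
        print(f"{ip}: {peak} messages within one hour")
```

The copier sends more than 100 messages in total but never more than 40 in any hour, so only the burst sender is reported; the sliding window is what separates the two.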

Re: [pfSense] Issue with SMTP - Spam behind NAT

2014-10-09 Thread Ryan Coleman

Go here: https://lists.pfsense.org/mailman/listinfo/list


On 10/9/2014 12:30 PM, Jorge Severino wrote:

unsubscribe


Re: [pfSense] Trying to debug check_reload_status using too much CPU[https://redmine.pfsense.org/issues/2555]

2014-10-09 Thread Jason Pyeron
 -Original Message-
 From: Jason Pyeron
 Sent: Thursday, October 09, 2014 12:06
 
 A transparent firewall is showing the same problem as ticket 
 2555, I am unable to diagnose the issues without help.
 
 I have tried rebooting, the problem comes back at boot time.
 Killing the process, it respawns almost instantly.
 Problem started within the last 24 hours.
 
 What steps should I take next?

I think I have tracked it down, but it does not seem justifiable.

System: Gateways: Edit gateway
Edit gateway
Advanced
Down = 1

It was set to monitor the connection per the SLA.

Resetting back to 10 returns the load to 0.01

 
 

Re: [pfSense] LAN: IPv6 static configuration

2014-10-09 Thread Erik Anderson
Any thoughts on this?

Unfortunately, all of the examples and documentation I can find on
IPv6 configures with pfSense are geared towards consumer-class
circuits using DHCP-PD, and I've not found anything about proper
static configuration.

Again, I thought this would be simple, but at least during my first
attempt at configuration, I ran into major issues.

Thank you all!
-Erik


On Wed, Oct 8, 2014 at 2:19 PM, Erik Anderson erike...@gmail.com wrote:
 Good afternoon-

 This is in regards to pfsense-2.1.4-RELEASE.

 This morning my ISP (finally) turned on IPv6 on our circuit. They
 assigned a /126 P2P link for the WAN and are routing a /48 to us. I
 have the WAN interface configured without issue, and am able to ping6
 from the router itself to external addresses.

 The problem arose when I added the static IPv6 configuration to my LAN
 interface. I chose an arbitrary /64 subnet for the LAN and assigned an
 IP to the interface. When I applied this configuration, *all* traffic
 to and through the router (both v4 and v6) stopped. I couldn't ping
 the v4 address of the router, etc. I ended up having to attach to the
 serial console and restore a previous config file in order to restore
 connectivity.

 My questions are:

 1) How was adding v6 addressing information to the LAN interface able
 to affect v4 traffic?

 2) How can I add static v6 configuration to the LAN interface successfully?

 This all seemed like it should be a very simple task, but apparently
 I'm missing something.

 Thank you!
 -Erik