Re: [pfSense] pfSense on WatchGuard xtm 810?
You'll be better off. HDD or SSD.

-Original Message-

well. there is sata ports. I will try them first..

Eero

16.2.2018 21.27 "Peder Rovelstad" wrote:

> May be wrong, but I think without nano, you can only install full,
> which will thrash the CF in short order. But I see someone on EBay
> selling one preconfigured for the xtm 5 series.
> No headers for a 2.5" drive inside, eh? Here's a guide, but you'd
> still need a CF adapter or machine with a CF slot for install.
> https://doc.pfsense.org/index.php/Upgrading_64-bit_NanoBSD_2.3_to_2.4
>
> >I've had good luck in similar cases by installing on a generic
> >machine then putting the media in the target box.
>
> >>On Feb 16, 2018, 13:40, at 13:40, Eero Volotinen wrote:
> >>Hi List,
> >>
> >>I need to install pfsense 2.4 on watchguard xtm 810. there is issue
> >>as it does not boot from usb stick, only from cf or sata.
> >>
> >>Any idea how to install pfsense on it? it works with 2.3 nano-vga
> >>image, but such is not available for pfsense 2.4
> >>
> >>--
> >>Eero

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] pfSense on WatchGuard xtm 810?
Well, there are SATA ports. I will try them first.

Eero

16.2.2018 21.27 "Peder Rovelstad" wrote:

> May be wrong, but I think without nano, you can only install full, which
> will thrash the CF in short order. But I see someone on EBay selling one
> preconfigured for the xtm 5 series.
> No headers for a 2.5" drive inside, eh? Here's a guide, but you'd still
> need a CF adapter or machine with a CF slot for install.
> https://doc.pfsense.org/index.php/Upgrading_64-bit_NanoBSD_2.3_to_2.4
>
> >I've had good luck in similar cases by installing on a generic machine
> >then putting the media in the target box.
>
> >>On Feb 16, 2018, 13:40, at 13:40, Eero Volotinen wrote:
> >>Hi List,
> >>
> >>I need to install pfsense 2.4 on watchguard xtm 810. there is issue as
> >>it does not boot from usb stick, only from cf or sata.
> >>
> >>Any idea how to install pfsense on it? it works with 2.3 nano-vga
> >>image, but such is not available for pfsense 2.4
> >>
> >>--
> >>Eero
Re: [pfSense] pfSense on WatchGuard xtm 810?
May be wrong, but I think without nano, you can only install full, which will thrash the CF in short order. But I see someone on EBay selling one preconfigured for the xtm 5 series.

No headers for a 2.5" drive inside, eh? Here's a guide, but you'd still need a CF adapter or machine with a CF slot for install.
https://doc.pfsense.org/index.php/Upgrading_64-bit_NanoBSD_2.3_to_2.4

>I've had good luck in similar cases by installing on a generic machine
>then putting the media in the target box.

>>On Feb 16, 2018, 13:40, at 13:40, Eero Volotinen wrote:
>>Hi List,
>>
>>I need to install pfsense 2.4 on watchguard xtm 810. there is issue as
>>it does not boot from usb stick, only from cf or sata.
>>
>>Any idea how to install pfsense on it? it works with 2.3 nano-vga
>>image, but such is not available for pfsense 2.4
>>
>>--
>>Eero
Re: [pfSense] pfsense on watchguard xtm 810?
Thanks. That sounds like a good idea.

Eero

16.2.2018 21.02 "Melvin" wrote:

> I've had good luck in similar cases by installing on a generic machine
> then putting the media in the target box.
>
> On Feb 16, 2018, 13:40, at 13:40, Eero Volotinen wrote:
> >Hi List,
> >
> >I need to install pfsense 2.4 on watchguard xtm 810. there is issue as
> >it does not boot from usb stick, only from cf or sata.
> >
> >Any idea how to install pfsense on it? it works with 2.3 nano-vga
> >image, but such is not available for pfsense 2.4
> >
> >--
> >Eero
Re: [pfSense] pfsense on watchguard xtm 810?
I've had good luck in similar cases by installing on a generic machine then putting the media in the target box.

On Feb 16, 2018, 13:40, at 13:40, Eero Volotinen wrote:
>Hi List,
>
>I need to install pfsense 2.4 on watchguard xtm 810. there is issue as
>it does not boot from usb stick, only from cf or sata.
>
>Any idea how to install pfsense on it? it works with 2.3 nano-vga
>image, but such is not available for pfsense 2.4
>
>--
>Eero
[pfSense] pfsense on watchguard xtm 810?
Hi List,

I need to install pfsense 2.4 on watchguard xtm 810. There is an issue as it does not boot from usb stick, only from cf or sata.

Any idea how to install pfsense on it? It works with 2.3 nano-vga image, but such is not available for pfsense 2.4

--
Eero
Re: [pfSense] Maximum CARP Addresses?
On 02/16/2018 10:09 AM, ad^2 wrote:
> Ok I understand. What are the limitations here? How many aliases can be
> stacked on one CARP VIP?
>
> Is anyone out there running +255 VIPs? My implementation will require at
> least 500 floating IPs right away.

While there is no known practical limit, if you feel you need that many VIPs, most likely your design is deeply flawed in some way. If you explain the purpose of the setup and how the IP addresses are delivered to your firewall, there is likely a better way to reach your goal.

Jim P.
Re: [pfSense] Wireless authentication issues after Freeradius upgrade
Thanks for your assistance, my current plan of action is resetting the SG-4860 and then loading a PfSense xml configuration file without the freeradius configuration. That might negate some of the issues I encountered, there are extreme differences between freeradius 2 and 3 but the PFsense web configurator seems to account for these.

Kind Regards,
- Sigurd Kristensen

On Fri, Feb 16, 2018 at 3:45 PM, wrote:

> You may be better posting to the Freeradius maillist but IIRC there are
> significant differences between the config files for Freeradius 2 and 3
> meaning you have to rewrite the radius config files for version 3 as a
> version 2 file will not work.
>
> This is from the freeradius website on upgrading to version 3 from 2...
>
> The configuration for 3.0 is largely compatible with the 2.x.x
> configuration. However, it is NOT possible to simply use the 2.x.x
> configuration as-is. Instead, it should be re-created.
>
> Hope that helps.
>
> Kind regards,
> Dan
>
> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Sigurd Kristensen
> Sent: 16 February 2018 13:57
> To: list@lists.pfsense.org
> Subject: [pfSense] Wireless authentication issues after Freeradius upgrade
>
> We recently purchased a Netgate SG-4860 in order to replace our custom
> built desktop hardware.
>
> The desktop hardware was running pfsense 2.3.x and the sg-4860 was running
> 2.4.0 when delivered. According to Pfsense documentation it's possible to
> migrate configuration.xml files to newer versions of Pfsense which is what
> we did.
>
> After replacing two pieces of hardware most appliances came up correctly as
> intended, however after reinstalling Freeradius 3 (over the previously
> installed Freeradius 2.x.x) Our radius based wireless SSID's stopped
> functioning. With the following error:
>
> "mschap: FAILED: No NT/LM-Password. Cannot perform authentication"
>
> Tests with the command radtest have worked by authenticating from the
> pfsense server itself. However the access points are unable to
> authenticate.
>
> I have two offices running pfsense 2.3.3 and Freeradius 2 that are
> currently working from the same SQL database without any issues.
>
> I have seen several posts with similar issues, but no apparent solution.
> Many of these are however authenticating against LDAP and not plain-text
> SQL - Among these are:
>
> http://lists.freeradius.org/pipermail/freeradius-users/2015-October/080614.html
> http://freeradius.1045715.n5.nabble.com/question-regarding-PEAP-MSCHAPv2-ERROR-FAILED-No-NT-LM-Password-Cannot-perform-authentication-td5737504.html
> https://github.com/FreeRADIUS/freeradius-server/issues/1314
> http://freeradius-users.freeradius.narkive.com/I8llQ7CQ/question-regarding-peap-mschapv2-error-failed-no-nt-lm-password-cannot-perform-authentication
> http://freeradius-users.freeradius.narkive.com/iEZKvxM1/rlm-mschap-failed-no-nt-lm-password-cannot-perform-authentication
>
> Notable warnings and errors from the output of "radiusd -X"
>
> Warning:
> ...
> [/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
> [/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
> ...
>
> Warning:
> ...
> # Loading authorize {...}
> Ignoring "sql" (see raddb/mods-available/README.rst)
> Ignoring "ldap" (see raddb/mods-available/README.rst)
> ...
>
> Warning:
> (7) WARNING: Outer and inner identities are the same. User privacy is compromised.
>
> Warning:
> ...
> (7) WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not exist! Cancelling invalid proxy request.
>
> Warning:
> ...
> (7) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password
> (7) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password
> ...
>
> Error:
> ...
> (7) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication
> (7) mschap: ERROR: MS-CHAP2-Response is incorrect
>
> Currently I suspect either an issue when the AP connects to the Freeradius
> 3 server or an issue in the imported configuration.
>
> Currently using Aerohive for the wireless solution.
>
> Excerpt from database:
>
> mysql> select * from radcheck;
> +----+-----------+----------+--------------------+----+--------------+--------------------+
> | id | name      | username | attribute          | op | value        | email              |
> +----+-----------+----------+--------------------+----+--------------+--------------------+
> |  3 | some name | username | Cleartext-Password | := | somepassword | usern...@domain.dk |
> |  6 | some name | username | Cleartext-Password | := | somepassword | usern...@domain.dk |
>
> Issue is crossposted here:
> https://forum.pfsense.org/index.php?topic=1440
Re: [pfSense] Maximum CARP Addresses?
On Fri, Feb 16, 2018 at 1:20 AM, Chris L wrote:

> On Feb 15, 2018, at 11:35 AM, ad^2 wrote:
> >
> > Hello all,
> >
> > I read in the forum (h_t_t_p_s://forum.pfsense.org/index.php?topic=109346.0)
> > the 255 VHID limitation in CARP is no longer an issue in recent versions. I
> > cannot find any documentation to support it.
> >
> > I have a need to host a lot more than 255 virtual IP addresses.
> >
> > Can someone confirm or deny this. If it's true point me to the
> > documentation that states this. If not, is there a way around it?
> >
> > Thanks in advance,
> >
>
> jimp was referring to the requirement that a CARP VIP must be contained in
> the same subnet as the interface address. Removal of that
> requirement/limitation is what changed.
>
> The VHID is 8 bits and you can’t use 0 so 1-255.
>
> As discussed there, make IP Alias VIPs and assign them to CARP VIPs. They
> will go up and down with CARP MASTER/BACKUP status and will result in no
> additional multicast traffic per VIP. Try it I think you’ll like it.

Ok I understand. What are the limitations here? How many aliases can be stacked on one CARP VIP?

Is anyone out there running +255 VIPs? My implementation will require at least 500 floating IPs right away.

Thanks,
JD
Re: [pfSense] Wireless authentication issues after Freeradius upgrade
You may be better posting to the Freeradius maillist but IIRC there are significant differences between the config files for Freeradius 2 and 3 meaning you have to rewrite the radius config files for version 3 as a version 2 file will not work.

This is from the freeradius website on upgrading to version 3 from 2...

The configuration for 3.0 is largely compatible with the 2.x.x configuration. However, it is NOT possible to simply use the 2.x.x configuration as-is. Instead, it should be re-created.

Hope that helps.

Kind regards,
Dan

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Sigurd Kristensen
Sent: 16 February 2018 13:57
To: list@lists.pfsense.org
Subject: [pfSense] Wireless authentication issues after Freeradius upgrade

We recently purchased a Netgate SG-4860 in order to replace our custom built desktop hardware.

The desktop hardware was running pfsense 2.3.x and the sg-4860 was running 2.4.0 when delivered. According to Pfsense documentation it's possible to migrate configuration.xml files to newer versions of Pfsense which is what we did.

After replacing two pieces of hardware most appliances came up correctly as intended, however after reinstalling Freeradius 3 (over the previously installed Freeradius 2.x.x) Our radius based wireless SSID's stopped functioning. With the following error:

"mschap: FAILED: No NT/LM-Password. Cannot perform authentication"

Tests with the command radtest have worked by authenticating from the pfsense server itself. However the access points are unable to authenticate.

I have two offices running pfsense 2.3.3 and Freeradius 2 that are currently working from the same SQL database without any issues.

I have seen several posts with similar issues, but no apparent solution. Many of these are however authenticating against LDAP and not plain-text SQL - Among these are:

http://lists.freeradius.org/pipermail/freeradius-users/2015-October/080614.html
http://freeradius.1045715.n5.nabble.com/question-regarding-PEAP-MSCHAPv2-ERROR-FAILED-No-NT-LM-Password-Cannot-perform-authentication-td5737504.html
https://github.com/FreeRADIUS/freeradius-server/issues/1314
http://freeradius-users.freeradius.narkive.com/I8llQ7CQ/question-regarding-peap-mschapv2-error-failed-no-nt-lm-password-cannot-perform-authentication
http://freeradius-users.freeradius.narkive.com/iEZKvxM1/rlm-mschap-failed-no-nt-lm-password-cannot-perform-authentication

Notable warnings and errors from the output of "radiusd -X"

Warning:
...
[/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
[/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
...

Warning:
...
# Loading authorize {...}
Ignoring "sql" (see raddb/mods-available/README.rst)
Ignoring "ldap" (see raddb/mods-available/README.rst)
...

Warning:
(7) WARNING: Outer and inner identities are the same. User privacy is compromised.

Warning:
...
(7) WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not exist! Cancelling invalid proxy request.

Warning:
...
(7) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password
(7) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password
...

Error:
...
(7) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication
(7) mschap: ERROR: MS-CHAP2-Response is incorrect

Currently I suspect either an issue when the AP connects to the Freeradius 3 server or an issue in the imported configuration.

Currently using Aerohive for the wireless solution.

Excerpt from database:

mysql> select * from radcheck;
+----+-----------+----------+--------------------+----+--------------+--------------------+
| id | name      | username | attribute          | op | value        | email              |
+----+-----------+----------+--------------------+----+--------------+--------------------+
|  3 | some name | username | Cleartext-Password | := | somepassword | usern...@domain.dk |
|  6 | some name | username | Cleartext-Password | := | somepassword | usern...@domain.dk |

Issue is crossposted here: https://forum.pfsense.org/index.php?topic=144096.0

Any assistance in this is appreciated.

--
Sigurd Kristensen
Systems Administrator
--
Nodes
Copenhagen // Artillerivej 86, 2300 Copenhagen, Denmark
Aarhus // Frederiksgade 45, 2. sal, 8000 Aarhus, Denmark
London // 174 North Gower Street, London NW1 2NB, United Kingdom
Mobile: +45 31626876
Web: http://www.nodes.dk
[pfSense] Wireless authentication issues after Freeradius upgrade
We recently purchased a Netgate SG-4860 in order to replace our custom built desktop hardware.

The desktop hardware was running pfsense 2.3.x and the sg-4860 was running 2.4.0 when delivered. According to Pfsense documentation it's possible to migrate configuration.xml files to newer versions of Pfsense which is what we did.

After replacing two pieces of hardware most appliances came up correctly as intended, however after reinstalling Freeradius 3 (over the previously installed Freeradius 2.x.x) Our radius based wireless SSID's stopped functioning. With the following error:

"mschap: FAILED: No NT/LM-Password. Cannot perform authentication"

Tests with the command radtest have worked by authenticating from the pfsense server itself. However the access points are unable to authenticate.

I have two offices running pfsense 2.3.3 and Freeradius 2 that are currently working from the same SQL database without any issues.

I have seen several posts with similar issues, but no apparent solution. Many of these are however authenticating against LDAP and not plain-text SQL - Among these are:

http://lists.freeradius.org/pipermail/freeradius-users/2015-October/080614.html
http://freeradius.1045715.n5.nabble.com/question-regarding-PEAP-MSCHAPv2-ERROR-FAILED-No-NT-LM-Password-Cannot-perform-authentication-td5737504.html
https://github.com/FreeRADIUS/freeradius-server/issues/1314
http://freeradius-users.freeradius.narkive.com/I8llQ7CQ/question-regarding-peap-mschapv2-error-failed-no-nt-lm-password-cannot-perform-authentication
http://freeradius-users.freeradius.narkive.com/iEZKvxM1/rlm-mschap-failed-no-nt-lm-password-cannot-perform-authentication

Notable warnings and errors from the output of "radiusd -X"

Warning:
...
[/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
[/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
...

Warning:
...
# Loading authorize {...}
Ignoring "sql" (see raddb/mods-available/README.rst)
Ignoring "ldap" (see raddb/mods-available/README.rst)
...

Warning:
(7) WARNING: Outer and inner identities are the same. User privacy is compromised.

Warning:
...
(7) WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not exist! Cancelling invalid proxy request.

Warning:
...
(7) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password
(7) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password
...

Error:
...
(7) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication
(7) mschap: ERROR: MS-CHAP2-Response is incorrect

Currently I suspect either an issue when the AP connects to the Freeradius 3 server or an issue in the imported configuration.

Currently using Aerohive for the wireless solution.

Excerpt from database:

mysql> select * from radcheck;
+----+-----------+----------+--------------------+----+--------------+--------------------+
| id | name      | username | attribute          | op | value        | email              |
+----+-----------+----------+--------------------+----+--------------+--------------------+
|  3 | some name | username | Cleartext-Password | := | somepassword | usern...@domain.dk |
|  6 | some name | username | Cleartext-Password | := | somepassword | usern...@domain.dk |

Issue is crossposted here: https://forum.pfsense.org/index.php?topic=144096.0

Any assistance in this is appreciated.

--
Sigurd Kristensen
Systems Administrator
--
Nodes
Copenhagen // Artillerivej 86, 2300 Copenhagen, Denmark
Aarhus // Frederiksgade 45, 2. sal, 8000 Aarhus, Denmark
London // 174 North Gower Street, London NW1 2NB, United Kingdom
Mobile: +45 31626876
Web: http://www.nodes.dk
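
Added example (not part of the thread, and not FreeRADIUS or pfSense code): a Python triage of the "radiusd -X" lines quoted in the post above, correlating the load-time 'Ignoring "sql"' notice with the per-request mschap failure. It relies on FreeRADIUS 3 printing that notice when a virtual server lists a module as optional ("-sql") and the module is not enabled; the names triage and PASSWORD_BACKENDS are illustrative.

```python
import re
from collections import defaultdict

# Lines copied from the "radiusd -X" excerpt in the post above.
SAMPLE = '''\
# Loading authorize {...}
Ignoring "sql" (see raddb/mods-available/README.rst)
Ignoring "ldap" (see raddb/mods-available/README.rst)
(7) WARNING: Outer and inner identities are the same. User privacy is compromised.
(7) WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not exist! Cancelling invalid proxy request.
(7) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password
(7) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password
(7) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication
(7) mschap: ERROR: MS-CHAP2-Response is incorrect
'''

IGNORED = re.compile(r'^Ignoring "([^"]+)"')
# "(7) mschap: ERROR: text" or "(7) WARNING: text"; the module prefix is optional.
REQUEST = re.compile(r'^\((\d+)\)\s+(?:(\w+): )?(WARNING|ERROR): (.*)$')

# Assumption: credentials live in one of these back ends (the post uses SQL).
PASSWORD_BACKENDS = {"sql", "ldap"}


def triage(debug_text):
    """Return (ignored_modules, {request_id: [finding, ...]})."""
    ignored = set()
    events = defaultdict(list)
    for raw in debug_text.splitlines():
        line = raw.strip()
        m = IGNORED.match(line)
        if m:
            ignored.add(m.group(1))
            continue
        m = REQUEST.match(line)
        if m:
            req, module, _level, text = m.groups()
            events[int(req)].append((module, text))

    findings = {}
    for req, evs in events.items():
        notes = []
        texts = [t for _, t in evs]
        if any(mod == "mschap" and "No NT/LM-Password" in t for mod, t in evs):
            skipped = sorted(ignored & PASSWORD_BACKENDS)
            if skipped:
                # The back end holding Cleartext-Password was never consulted.
                notes.append("no password attribute reached mschap; "
                             "modules ignored in authorize: " + ", ".join(skipped))
            else:
                notes.append("no password attribute reached mschap; "
                             "check the user's entry")
        if any("Outer and inner identities are the same" in t for t in texts):
            notes.append("outer identity exposes the real username")
        if any("realm does not exist" in t for t in texts):
            notes.append("Proxy-To-Realm points at an undefined realm")
        if notes:
            findings[req] = notes
    return ignored, findings


if __name__ == "__main__":
    for req, notes in triage(SAMPLE)[1].items():
        for note in notes:
            print(f"request {req}: {note}")
```
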