Re: [pfSense] Inbound Load Balancing on 2.0
On 14 Oct 2011, at 15:31, "Seb" wrote:
> Hi list,
>
> I followed the instructions listed here -
> http://doc.pfsense.org/index.php/Inbound_Load_Balancing and got Inbound Load
> Balancing working fine (in the end - it would be good if it said that you
> needed to add firewall pass rules for both the virtual server IP and the
> underlying IPs!).
>
> BUT! It also says in that guide that there is a way to enable sticky
> connections. I cannot see this in 2.0. I note that the guide was written
> for 1.2. Was this option removed, or is it somewhere else?
>
> At the moment, my testing has shown that if I refresh the HTML page within 60
> seconds I get the same server, if I wait more than 60 seconds to refresh I
> get the other server. That is cutting it a bit fine for us, as we are not
> sharing sessions between the servers. I would really like to get this
> timeout to 2 minutes. I tried setting the "State Timeout" to 120 seconds in
> the firewall rule (under Advanced Options) to see if this would change
> anything, but it didn't make any difference to which web server was sent the
> request.
>
> Does anyone have any suggestions on how to solve my problem?
>
> If Sticky Connections no longer work in pfSense 2.0, how feasible is it to do
> inbound load balancing via source IP hashing?
>
> Or can I make another change that would do it, perhaps a sysctl setting?
>
> Also, this page:
> http://doc.pfsense.org/index.php/Inbound_Load_Balancing_Troubleshooting
> suggests using this for troubleshooting:
>
> /sbin/pfctl -a slb -s nat
>
> But when I try it I get this:
>
> # /sbin/pfctl -a slb -s nat
> pfctl: DIOCGETRULES: Invalid argument
>
> Many thanks,
>
> Sebastian
>
> ___
> List mailing list
> List@lists.pfsense.org
> http://lists.pfsense.org/mailman/listinfo/list

Hi there,

In the top left menu you will click Advanced. There is a tick option for sticky sessions.

Regards,
Nikos
Re: [pfSense] X86 to X64 Question
> >>> Problem is that you now have a 64-bit reboot binary on a 32-bit
> >>> system, and it can't be executed. Also sometimes other bits freak
> >>> out even if it starts the reboot process. (We try to preserve a
> >>> 32-bit reboot binary but apparently that isn't enough).
> >>> Jim
> >
> > have you figured out how to do it remotely ?
> > please share :)
> > matheus
>
> I haven't tried yet. Since I don't have drac or ipmi or a metered
> IP capable PDU on the firewalls I want to move to x64, I think I'll
> need to go on-site to see what happens. Luckily, it's only about
> 15 blocks from me. I'll think about doing this in the next week or
> two. Once it happens, I'll share my experience on here.

One possibility: create an entire duplicate of the filesystem (at least /sbin, /bin, /lib) under a temporary directory, and have another terminal logged in and chroot'ed to that set of binaries - you should be able to execute them from that chroot'ed session.

An open question is whether to make the copies real copies (which guarantees their integrity) or hard links to the originals - which might make running daemons happier, but I don't know if the installer truncates or unlinks the old files before copying in the new ones; if truncation, hardlinks are useless, if unlinking, then hard links might be better.

There's no real difference in the amount of disk space consumed, ultimately - you'll need 2x the space at one point or another in the process regardless.

This is just a theory, I haven't tested it. Feel free to let me know how it works :-).

-Adam Thompson
athom...@athompso.net
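Adam's open question (does a hard-linked rescue copy survive an installer that truncates files in place, or only one that unlinks and rewrites them?) can be answered for each strategy in isolation. The script below is an added example and is not from the thread or from pfSense; it builds a stand-in "binary" in a temporary directory, keeps both a hard link and a real copy of it, then replaces it first by truncation and then by unlink-and-rewrite, and reports which rescue copy still holds the old contents. It does not tell you which of the two the pfSense upgrader does; it only shows the consequence of each.

```python
"""Added example (not from the mailing-list thread or from pfSense): shows why a
hard-linked rescue copy of a binary survives an installer that unlinks and
rewrites files but not one that truncates them in place.  Everything happens
under a temporary directory; nothing on the real system is touched."""
import os
import shutil
import tempfile

OLD = b"#!/bin/sh\necho old 32-bit reboot\n"   # constructed stand-in for the installed binary
NEW = b"#!/bin/sh\necho new 64-bit reboot\n"   # constructed stand-in for the replacement


def make_rescue_copies(workdir):
    """Create the 'installed' file plus a hard link and a real copy of it.
    Returns (installed, hard_link, real_copy) paths."""
    installed = os.path.join(workdir, "sbin", "reboot")
    os.makedirs(os.path.dirname(installed))
    with open(installed, "wb") as f:
        f.write(OLD)
    rescue = os.path.join(workdir, "rescue")
    os.makedirs(rescue)
    linked = os.path.join(rescue, "reboot.link")
    copied = os.path.join(rescue, "reboot.copy")
    os.link(installed, linked)          # same inode as the installed file
    shutil.copy2(installed, copied)     # separate inode, separate data
    return installed, linked, copied


def install_by_truncate(path):
    """Replace contents in place: open(..., 'wb') truncates the existing inode,
    so every hard link to it sees the new contents."""
    with open(path, "wb") as f:
        f.write(NEW)


def install_by_unlink(path):
    """Replace by removing the directory entry and writing a fresh inode; other
    hard links keep pointing at the old inode and its old contents."""
    os.unlink(path)
    with open(path, "wb") as f:
        f.write(NEW)


def simulate(installer):
    """Run one installer strategy and report whether the hard link and the
    real copy still hold the OLD contents afterwards."""
    workdir = tempfile.mkdtemp(prefix="rescue-demo-")
    try:
        installed, linked, copied = make_rescue_copies(workdir)
        same_inode_before = os.stat(installed).st_ino == os.stat(linked).st_ino
        installer(installed)
        with open(linked, "rb") as f:
            link_survives = f.read() == OLD
        with open(copied, "rb") as f:
            copy_survives = f.read() == OLD
        same_inode_after = os.stat(installed).st_ino == os.stat(linked).st_ino
        return {
            "same_inode_before": same_inode_before,
            "same_inode_after": same_inode_after,
            "link_survives": link_survives,
            "copy_survives": copy_survives,
        }
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    for name, installer in (("truncate", install_by_truncate),
                            ("unlink", install_by_unlink)):
        print(name, simulate(installer))
```

The real copy survives both strategies, which is why it is the safer choice when you cannot inspect the upgrader; the hard link only helps if the old file's directory entry is unlinked rather than its inode rewritten.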
Re: [pfSense] X86 to X64 Question
On 10/14/2011 1:50 PM, Nenhum_de_Nos wrote:
> On Fri, October 14, 2011 14:41, Vaughn L. Reid III wrote:
>> On 10/14/2011 1:19 PM, Jim Pingle wrote:
>>>> If you upgrade from x86 to x64. Can you do the upgrade remotely from
>>>> 2.0 release x86 using the gui? Or, is it necessary to do the upgrade
>>>> from the pfsense console command line interface?
>>> It can be done remotely, but ...
>>>
>>>> Also, when Seth mentioned "hard reboot," is he describing doing an init
>>>> 6 from the command prompt or physically pulling the plug on the unit?
>>> Someone will need to pull the plug or cycle power manually. If you have
>>> IPMI/DRAC/etc then you can reset it that way.
>>>
>>> Problem is that you now have a 64-bit reboot binary on a 32-bit system,
>>> and it can't be executed. Also sometimes other bits freak out even if it
>>> starts the reboot process. (We try to preserve a 32-bit reboot binary
>>> but apparently that isn't enough).
>>>
>>> Jim
>>
>> Thanks! That clears that up for me.
>>
>> Now... if only there were a listing somewhere of what addons are
>> available for x86 versus x64 versus embedded :-)
>>
>> Have a good weekend everyone.
>
> Vaughn, have you figured out how to do it remotely ?
> please share :)
>
> matheus

I haven't tried yet. Since I don't have drac or ipmi or a metered IP capable PDU on the firewalls I want to move to x64, I think I'll need to go on-site to see what happens. Luckily, it's only about 15 blocks from me. I'll think about doing this in the next week or two. Once it happens, I'll share my experience on here.
Re: [pfSense] X86 to X64 Question
On Fri, October 14, 2011 14:41, Vaughn L. Reid III wrote:
>
>
> On 10/14/2011 1:19 PM, Jim Pingle wrote:
>>> If you upgrade from x86 to x64. Can you do the upgrade remotely from
>>> 2.0 release x86 using the gui? Or, is it necessary to do the upgrade
>>> from the pfsense console command line interface?
>> It can be done remotely, but ...
>>
>>> Also, when Seth mentioned "hard reboot," is he describing doing an init
>>> 6 from the command prompt or physically pulling the plug on the unit?
>> Someone will need to pull the plug or cycle power manually. If you have
>> IPMI/DRAC/etc then you can reset it that way.
>>
>> Problem is that you now have a 64-bit reboot binary on a 32-bit system,
>> and it can't be executed. Also sometimes other bits freak out even if it
>> starts the reboot process. (We try to preserve a 32-bit reboot binary
>> but apparently that isn't enough).
>>
>> Jim
>
> Thanks! That clears that up for me.
>
> Now... if only there were a listing somewhere of what addons are
> available for x86 versus x64 versus embedded :-)
>
> Have a good weekend everyone.

Vaughn, have you figured out how to do it remotely ?
please share :)

matheus

--
We will call you cygnus,
The God of balance you shall be

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
http://en.wikipedia.org/wiki/Posting_style
Re: [pfSense] X86 to X64 Question
On 10/14/2011 1:19 PM, Jim Pingle wrote:
>> If you upgrade from x86 to x64. Can you do the upgrade remotely from
>> 2.0 release x86 using the gui? Or, is it necessary to do the upgrade
>> from the pfsense console command line interface?
> It can be done remotely, but ...
>
>> Also, when Seth mentioned "hard reboot," is he describing doing an init
>> 6 from the command prompt or physically pulling the plug on the unit?
> Someone will need to pull the plug or cycle power manually. If you have
> IPMI/DRAC/etc then you can reset it that way.
>
> Problem is that you now have a 64-bit reboot binary on a 32-bit system,
> and it can't be executed. Also sometimes other bits freak out even if it
> starts the reboot process. (We try to preserve a 32-bit reboot binary
> but apparently that isn't enough).
>
> Jim

Thanks! That clears that up for me.

Now... if only there were a listing somewhere of what addons are available for x86 versus x64 versus embedded :-)

Have a good weekend everyone.
Re: [pfSense] X86 to X64 Question
> If you upgrade from x86 to x64. Can you do the upgrade remotely from
> 2.0 release x86 using the gui? Or, is it necessary to do the upgrade
> from the pfsense console command line interface?

It can be done remotely, but ...

> Also, when Seth mentioned "hard reboot," is he describing doing an init
> 6 from the command prompt or physically pulling the plug on the unit?

Someone will need to pull the plug or cycle power manually. If you have IPMI/DRAC/etc then you can reset it that way.

Problem is that you now have a 64-bit reboot binary on a 32-bit system, and it can't be executed. Also sometimes other bits freak out even if it starts the reboot process. (We try to preserve a 32-bit reboot binary but apparently that isn't enough).

Jim
Re: [pfSense] X86 to X64 Question
On 10/14/2011 5:40 AM, Chris Buechler wrote:
> On Wed, Oct 12, 2011 at 3:24 PM, Nenhum_de_Nos wrote:
>> On Wed, October 12, 2011 09:34, Seth Mos wrote:
>>> On 12-10-2011 14:07, Vaughn L. Reid III wrote:
>>>> A few questions about moving to X64:
>>>>
>>>> Does moving to X64 require a fresh install, or can it be done via the
>>>> update firmware controls in the web gui by selecting the x64 repository
>>>> and then doing an upgrade?
>>>
>>> Yes. Needs a hard reboot in the end. You'll lose your RRD graphs.
>>
>> I didn't get it. Can I update to amd64.
>
> Yes.
>
> I know of a number of installs that have been upgraded, it's not
> something we would generally recommend but the only issues we've seen
> are the ones Seth described. There may be hardware-specific issues in
> some cases where your hardware is affected by driver bugs in the
> underlying OS that are 64 bit only, but that's the very rare
> exception.

If you upgrade from x86 to x64. Can you do the upgrade remotely from 2.0 release x86 using the gui? Or, is it necessary to do the upgrade from the pfsense console command line interface?

Also, when Seth mentioned "hard reboot," is he describing doing an init 6 from the command prompt or physically pulling the plug on the unit?
Re: [pfSense] X86 to X64 Question
On Fri, October 14, 2011 06:40, Chris Buechler wrote:
> On Wed, Oct 12, 2011 at 3:24 PM, Nenhum_de_Nos wrote:
>>
>> On Wed, October 12, 2011 09:34, Seth Mos wrote:
>>> On 12-10-2011 14:07, Vaughn L. Reid III wrote:
>>>> A few questions about moving to X64:
>>>>
>>>> Does moving to X64 require a fresh install, or can it be done via the
>>>> update firmware controls in the web gui by selecting the x64 repository
>>>> and then doing an upgrade?
>>>
>>> Yes. Needs a hard reboot in the end. You'll lose your RRD graphs.
>>
>> I didn't get it. Can I update to amd64.
>
> Yes.
>
> I know of a number of installs that have been upgraded, it's not
> something we would generally recommend but the only issues we've seen
> are the ones Seth described. There may be hardware-specific issues in
> some cases where your hardware is affected by driver bugs in the
> underlying OS that are 64 bit only, but that's the very rare
> exception.

good to hear Chris. But I still don't know the media to use to do the update. Can I do it from remote end ? I have a remote site I by mistake installed i386 (and all others sites run amd64). I set a lab on VirtualBox then I will plan on doing on the real machine.

thanks,

matheus

--
We will call you cygnus,
The God of balance you shall be

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
http://en.wikipedia.org/wiki/Posting_style
Re: [pfSense] Inbound Load Balancing on 2.0
Bottom posted
/Seb

_
From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of Shibashish shib4u-at-gmail.com
Sent: 14 October 2011 14:15
To: pfSense support and discussion
Subject: Re: [pfSense] Inbound Load Balancing on 2.0

On Fri, Oct 14, 2011 at 6:01 PM, Seb wrote:
> Hi list,
>
> I followed the instructions listed here -
> http://doc.pfsense.org/index.php/Inbound_Load_Balancing and got Inbound
> Load Balancing working fine (in the end - it would be good if it said that
> you needed to add firewall pass rules for both the virtual server IP and the
> underlying IPs!).
>
> BUT! It also says in that guide that there is a way to enable sticky
> connections. I cannot see this in 2.0. I note that the guide was written
> for 1.2. Was this option removed, or is it somewhere else?
>
> At the moment, my testing has shown that if I refresh the HTML page within
> 60 seconds I get the same server, if I wait more than 60 seconds to refresh
> I get the other server. That is cutting it a bit fine for us, as we are not
> sharing sessions between the servers. I would really like to get this
> timeout to 2 minutes. I tried setting the "State Timeout" to 120 seconds in
> the firewall rule (under Advanced Options) to see if this would change
> anything, but it didn't make any difference to which web server was sent the
> request.
>
> Does anyone have any suggestions on how to solve my problem?
>
> If Sticky Connections no longer work in pfSense 2.0, how feasible is it to
> do inbound load balancing via source IP hashing?
>
> Or can I make another change that would do it, perhaps a sysctl setting?
>
> Also, this page:
> http://doc.pfsense.org/index.php/Inbound_Load_Balancing_Troubleshooting
> suggests using this for troubleshooting:
>
> /sbin/pfctl -a slb -s nat
>
> But when I try it I get this:
>
> # /sbin/pfctl -a slb -s nat
> pfctl: DIOCGETRULES: Invalid argument
>
> Many thanks,
>
> Sebastian

Did u check System > Advanced > Miscellaneous and enable...

Load Balancing
Use sticky connections
Successive connections will be redirected to the servers in a round-robin manner with connections from the same source being sent to the same web server. This 'sticky connection' will exist as long as there are states that refer to this connection. Once the states expire, so will the sticky connection. Further connections from that host will be redirected to the next web server in the round robin.

--
Shib

---

Hi Shib,

Aha! No, I didn't find that option as the documentation didn't tell me where to find it! And I checked pretty much every other page anyway. But thanks for helping me find it - that's exactly what I was hoping for.

Having now tested, it didn't take effect immediately, and apparently required a reboot to start working. Possibly pressing the clear states button might have made it start working - I didn't try that - but I assumed the states were clearing anyway after a minute (or 2 minutes after the next change I made), so I didn't expect that to change much. I also set my State Timeout to 120 seconds before the reboot but that didn't change anything.

Given this, what does it mean by "This 'sticky connection' will exist as long as there are states that refer to this connection. Once the states expire, so will the sticky connection."? I have tested refreshing the page after 3 minutes now that Sticky is working, and I still get the same server! I would expect it to change server after 2 minutes - the State Timeout in the firewall rule... It does still seem to change server, but after a much longer period than 2 minutes.

Basically, is the state expiration time configurable?

Kind regards,
Seb
Re: [pfSense] Inbound Load Balancing on 2.0
On Fri, Oct 14, 2011 at 6:01 PM, Seb wrote:
> Hi list,
>
> I followed the instructions listed here -
> http://doc.pfsense.org/index.php/Inbound_Load_Balancing and got Inbound
> Load Balancing working fine (in the end - it would be good if it said that
> you needed to add firewall pass rules for both the virtual server IP and the
> underlying IPs!).
>
> BUT! It also says in that guide that there is a way to enable sticky
> connections. I cannot see this in 2.0. I note that the guide was written
> for 1.2. Was this option removed, or is it somewhere else?
>
> At the moment, my testing has shown that if I refresh the HTML page within
> 60 seconds I get the same server, if I wait more than 60 seconds to refresh
> I get the other server. That is cutting it a bit fine for us, as we are not
> sharing sessions between the servers. I would really like to get this
> timeout to 2 minutes. I tried setting the "State Timeout" to 120 seconds in
> the firewall rule (under Advanced Options) to see if this would change
> anything, but it didn't make any difference to which web server was sent the
> request.
>
> Does anyone have any suggestions on how to solve my problem?
>
> If Sticky Connections no longer work in pfSense 2.0, how feasible is it to
> do inbound load balancing via source IP hashing?
>
> Or can I make another change that would do it, perhaps a sysctl setting?
>
> Also, this page:
> http://doc.pfsense.org/index.php/Inbound_Load_Balancing_Troubleshooting
> suggests using this for troubleshooting:
>
> /sbin/pfctl -a slb -s nat
>
> But when I try it I get this:
>
> # /sbin/pfctl -a slb -s nat
> pfctl: DIOCGETRULES: Invalid argument
>
> Many thanks,
>
> Sebastian

Did u check System > Advanced > Miscellaneous and enable...

Load Balancing
*Use sticky connections*
Successive connections will be redirected to the servers in a round-robin manner with connections from the same source being sent to the same web server. This 'sticky connection' will exist as long as there are states that refer to this connection. Once the states expire, so will the sticky connection. Further connections from that host will be redirected to the next web server in the round robin.

--
Shib
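The help text Shib quotes, and Seb's follow-up about when a client should be moved to the other server, describe a rule that is easy to misread: the sticky entry is tied to the client's states, not to a timer of its own. The model below is an added example (not code from the thread, from pfSense or from pf/relayd) that replays one client's connections against that rule with a constructed two-server pool, integer timestamps in seconds and a constructed client address. Each new connection creates a state that lives for `state_timeout` seconds; the source-to-server mapping survives exactly as long as that source still has an unexpired state.

```python
"""Added example, not from the mailing list or from pfSense: a toy model of
the sticky-connection rule quoted in the thread.  Each new connection creates a
state that expires `state_timeout` seconds later; the source->server sticky
entry lives as long as the source has at least one unexpired state and is
dropped afterwards, so the next connection continues the round robin.  Server
names, times and the client address are constructed; nothing here touches a
real firewall."""


class StickyRoundRobin:
    def __init__(self, servers, state_timeout, sticky=True):
        self.servers = list(servers)
        self.state_timeout = state_timeout
        self.sticky = sticky
        self._next = 0          # round-robin cursor
        self._states = []       # (src, server, expires_at)
        self._sticky = {}       # src -> server

    def _expire(self, now):
        """Drop states whose lifetime has passed, then drop sticky entries for
        sources that no longer have any live state."""
        self._states = [s for s in self._states if s[2] > now]
        live_sources = {s[0] for s in self._states}
        self._sticky = {src: srv for src, srv in self._sticky.items()
                        if src in live_sources}

    def new_connection(self, src, now):
        """Assign a server to a new connection from `src` opened at time `now`."""
        self._expire(now)
        if self.sticky and src in self._sticky:
            server = self._sticky[src]
        else:
            server = self.servers[self._next % len(self.servers)]
            self._next += 1
            if self.sticky:
                self._sticky[src] = server
        self._states.append((src, server, now + self.state_timeout))
        return server

    def sticky_entries(self, now):
        """Sticky table as it stands at time `now` (after expiry)."""
        self._expire(now)
        return dict(self._sticky)


def trace(times, state_timeout, sticky, src="203.0.113.10"):
    """Replay new connections from one client at the given times and return
    the server chosen for each; the pool is a constructed pair of web servers."""
    lb = StickyRoundRobin(["web1", "web2"], state_timeout, sticky)
    return [lb.new_connection(src, t) for t in times]


if __name__ == "__main__":
    # Without sticky, every fresh connection walks the round robin.
    print(trace([0, 30, 100, 200], 60, sticky=False))    # web1 web2 web1 web2
    # With sticky, the refresh at 30 s renews the client's states, so the
    # sticky entry lives until 90 s; at 100 s it is gone and the cursor moves on.
    print(trace([0, 30, 100, 200], 60, sticky=True))     # web1 web1 web2 web1
    # A client that keeps refreshing inside the timeout never changes server.
    print(trace([0, 50, 100, 150, 200], 60, sticky=True))
```

In this model the sticky mapping can never outlive the last state the client created, so every refresh inside the timeout pushes the expiry out again; a client that returns after all of its states have expired is simply the next round-robin customer. If a real box keeps a client pinned for longer than the timeout configured on the rule, some state or tracking entry for that client has a longer lifetime than the one you set, which is the first thing to check in the state table.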
[pfSense] Inbound Load Balancing on 2.0
Hi list,

I followed the instructions listed here - http://doc.pfsense.org/index.php/Inbound_Load_Balancing and got Inbound Load Balancing working fine (in the end - it would be good if it said that you needed to add firewall pass rules for both the virtual server IP and the underlying IPs!).

BUT! It also says in that guide that there is a way to enable sticky connections. I cannot see this in 2.0. I note that the guide was written for 1.2. Was this option removed, or is it somewhere else?

At the moment, my testing has shown that if I refresh the HTML page within 60 seconds I get the same server, if I wait more than 60 seconds to refresh I get the other server. That is cutting it a bit fine for us, as we are not sharing sessions between the servers. I would really like to get this timeout to 2 minutes. I tried setting the "State Timeout" to 120 seconds in the firewall rule (under Advanced Options) to see if this would change anything, but it didn't make any difference to which web server was sent the request.

Does anyone have any suggestions on how to solve my problem?

If Sticky Connections no longer work in pfSense 2.0, how feasible is it to do inbound load balancing via source IP hashing?

Or can I make another change that would do it, perhaps a sysctl setting?

Also, this page: http://doc.pfsense.org/index.php/Inbound_Load_Balancing_Troubleshooting suggests using this for troubleshooting:

/sbin/pfctl -a slb -s nat

But when I try it I get this:

# /sbin/pfctl -a slb -s nat
pfctl: DIOCGETRULES: Invalid argument

Many thanks,

Sebastian
Re: [pfSense] X86 to X64 Question
On Wed, Oct 12, 2011 at 3:24 PM, Nenhum_de_Nos wrote:
>
> On Wed, October 12, 2011 09:34, Seth Mos wrote:
>> On 12-10-2011 14:07, Vaughn L. Reid III wrote:
>>> A few questions about moving to X64:
>>>
>>> Does moving to X64 require a fresh install, or can it be done via the
>>> update firmware controls in the web gui by selecting the x64 repository
>>> and then doing an upgrade?
>>
>> Yes. Needs a hard reboot in the end. You'll lose your RRD graphs.
>
> I didn't get it. Can I update to amd64.

Yes.

I know of a number of installs that have been upgraded, it's not something we would generally recommend but the only issues we've seen are the ones Seth described. There may be hardware-specific issues in some cases where your hardware is affected by driver bugs in the underlying OS that are 64 bit only, but that's the very rare exception.
[pfSense] ICMP redirects from CARP address?
Hello list,

We are in the process of replacing an old (linux based) firewall with two pfSense boxes, using CARP for failover. The default gateway for the LAN segment will become a CARP address, but there are a few other gateways to VPNs to other offices. In the old setup, the clients would have only a default route, while the firewall would have static routes and send ICMP redirects for them to the clients.

Now, in testing the new setup, we see the following:

nethack:~$ ping 192.168.8.10
PING 192.168.8.10 (192.168.8.10) 56(84) bytes of data.
From 192.168.1.217: icmp_seq=1 Redirect Host(New nexthop: 192.168.1.18)
64 bytes from 192.168.8.10: icmp_req=1 ttl=62 time=11.0 ms
From 192.168.1.217: icmp_seq=2 Redirect Host(New nexthop: 192.168.1.18)
64 bytes from 192.168.8.10: icmp_req=2 ttl=62 time=4.87 ms
From 192.168.1.217: icmp_seq=3 Redirect Host(New nexthop: 192.168.1.18)
64 bytes from 192.168.8.10: icmp_req=3 ttl=62 time=4.92 ms
From 192.168.1.217: icmp_seq=4 Redirect Host(New nexthop: 192.168.1.18)
64 bytes from 192.168.8.10: icmp_req=4 ttl=62 time=4.81 ms

So while in the old setup, the firewall would send 1 (or maximum 2) redirects after which the client would use that route, now the clients seem to ignore the redirects and keep using the default route. Now I noticed the address the redirect is being sent from is not the default gateway, but the physical address of the NIC associated with that address, and is therefore maybe ignored.

Possibly related to this is that connections to a host on one of the static routes will just hang after a while, e.g. an ssh connection will hang anytime after 0-30 seconds.

I would like some advice on how to deal with this situation, for example how to get the ICMP redirects to be sent out from the CARP address.

thanks,
Ruben
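Ruben's guess about why the clients ignore the redirects matches the host requirements in RFC 1122 (section 3.2.2.2): a host should silently discard a Redirect whose sender is not the first-hop gateway it is currently using for that destination, or whose new next hop is not on the directly connected network. That rule is also what keeps a random host on the LAN from rewriting a neighbour's routing table with forged redirects, so it is worth checking rather than disabling. The script below is an added example, not part of Ruben's message or of pfSense; it parses the ping output quoted above (with the mbox `>From` escaping removed) and classifies each redirect against a default gateway and LAN prefix you supply. The CARP address `192.168.1.1` used in the usage lines is a constructed placeholder; the message does not give the real one.

```python
"""Added example (not from the thread or from pfSense): parse the ICMP
redirect lines that Linux `ping` prints and decide, per RFC 1122 3.2.2.2,
whether a host would act on each one.  The sample text is the ping output
quoted in the message; the gateway and LAN prefix are supplied by the caller."""
import re
from ipaddress import ip_address, ip_network

# Matches ping's "From <sender>: icmp_seq=N Redirect Host(New nexthop: <gw>)".
REDIRECT_RE = re.compile(
    r"^From (?P<sender>\S+): icmp_seq=(?P<seq>\d+) "
    r"Redirect Host\(New nexthop: (?P<nexthop>\S+)\)$"
)

# Ping output quoted in Ruben's message (first four probes), ">From" unescaped.
PING_OUTPUT = """\
PING 192.168.8.10 (192.168.8.10) 56(84) bytes of data.
From 192.168.1.217: icmp_seq=1 Redirect Host(New nexthop: 192.168.1.18)
64 bytes from 192.168.8.10: icmp_req=1 ttl=62 time=11.0 ms
From 192.168.1.217: icmp_seq=2 Redirect Host(New nexthop: 192.168.1.18)
64 bytes from 192.168.8.10: icmp_req=2 ttl=62 time=4.87 ms
From 192.168.1.217: icmp_seq=3 Redirect Host(New nexthop: 192.168.1.18)
64 bytes from 192.168.8.10: icmp_req=3 ttl=62 time=4.92 ms
From 192.168.1.217: icmp_seq=4 Redirect Host(New nexthop: 192.168.1.18)
64 bytes from 192.168.8.10: icmp_req=4 ttl=62 time=4.81 ms
"""


def parse_redirects(text):
    """Return [(seq, sender, nexthop), ...] for every redirect line in `text`."""
    found = []
    for line in text.splitlines():
        m = REDIRECT_RE.match(line)
        if m:
            found.append((int(m["seq"]), m["sender"], m["nexthop"]))
    return found


def classify(redirects, current_gateway, local_net):
    """Apply the RFC 1122 host checks to each redirect: the sender must be the
    gateway the host currently uses for the destination, and the new next hop
    must be on the directly connected network.  Returns one dict per redirect."""
    gw = ip_address(current_gateway)
    net = ip_network(local_net)
    results = []
    for seq, sender, nexthop in redirects:
        reasons = []
        if ip_address(sender) != gw:
            reasons.append("sender %s is not the current gateway %s" % (sender, gw))
        if ip_address(nexthop) not in net:
            reasons.append("next hop %s is not on %s" % (nexthop, net))
        results.append({"seq": seq, "sender": sender, "nexthop": nexthop,
                        "accepted": not reasons, "reasons": reasons})
    return results


def summarize(text, current_gateway, local_net):
    """Count accepted vs discarded redirects and list the distinct reasons."""
    rows = classify(parse_redirects(text), current_gateway, local_net)
    accepted = sum(1 for r in rows if r["accepted"])
    reasons = sorted({reason for r in rows for reason in r["reasons"]})
    return {"total": len(rows), "accepted": accepted, "reasons": reasons}


if __name__ == "__main__":
    # Clients point at the CARP address (placeholder 192.168.1.1), but the
    # redirects arrive from the interface address 192.168.1.217: all discarded.
    print(summarize(PING_OUTPUT, "192.168.1.1", "192.168.1.0/24"))
    # If the clients' gateway were the physical address, they would be accepted.
    print(summarize(PING_OUTPUT, "192.168.1.217", "192.168.1.0/24"))
```

Run with the clients' actual default gateway and LAN prefix, the output tells you whether the "ignored" redirects are expected host behaviour (sender is not the gateway in use) or something else. On Linux clients the same policy is enforced by the `secure_redirects` sysctl, which accepts redirects only from gateways already in the host's gateway list; turning that off to make the old behaviour come back would trade a routing convenience for an easy on-LAN route-hijack, so the cleaner fixes are the ones Ruben is asking about (redirects sourced from the gateway address the clients use) or static routes on the clients.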
Re: [pfSense] pfSense 2.0 - Filtering traffic on OpenVPN
> I'm attempting to connect from a client to a device on the LAN which means the traffic should be hitting the filter rule on the OpenVPN tab, which allows all traffic.

What client are you using? And from what OS? If you are using Vista/7 remember to run the OpenVPN client as an admin so it can write the routing upon connecting.

-Tim