Re: [pfSense] Multiple IPSEC Mutual PSK + Xauth Tunnels

2011-11-23 Thread Chris Buechler
On Wed, Nov 2, 2011 at 1:38 AM, Daniel Davis wrote:
> We have a situation where all our iOS users connect via IPSEC VPN for remote
> access. This works great and is very stable. What we want to achieve however
> is for certain clients to have access only to certain networks (different
> sets of firewall rules and phase 2 tunnels for different groups of users). I
> believe that to do this we would need to be able to have multiple Phase 1
> tunnel definitions with Mutual PSK + Xauth as the authentication method,
> however this is not available as an option if I manually add another Phase 1
> tunnel. Is this possible to achieve with PfSense 2?
>

I don't believe the underlying ipsec-tools supports that. It's not
supported in the GUI for sure.

The way to accomplish that with OpenVPN is to assign static IPs to
clients and filter accordingly, though there isn't an option to do the
same for IPsec mobile clients.
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] Replacing CheckPoint Firewall-1 with pfSense

2011-11-23 Thread Daniel Davis



> -Original Message-
> From: list-boun...@lists.pfsense.org [mailto:list-
> boun...@lists.pfsense.org] On Behalf Of Ugo Bellavance
> Sent: Thursday, 24 November 2011 4:04 AM
> To: list@lists.pfsense.org
> Subject: [pfSense] Replacing CheckPoint Firewall-1 with pfSense
> 
> Hi,
> 
> We're thinking about replacing our CheckPoint Firewall-1 by pfSense.

Ugo,

Been there, done this. Trust me, you will thank yourself for it (no more 
SmartDashboard/SmartCenter and exorbitant support fees!!). We've replaced both 
Checkpoint and Fortinet systems with pfSense with great success.

> We
> are using only those features on Firewall-1 (R65):
> 
> - Security (default deny on everything)
> - NAT (inbound (for internet-facing hosts) and outbound (selective,
> workstations go out through a proxy, other selected hosts are NAT'd
> based on destination host and port(s))
> - We do have some security rules defined in their SmartDefense, but it
> is a nightmare to configure without having many false positives.  I'm
> pretty sure we could go without or simply add Snort to pfSense
> 
> We had a project of roaming users VPN but it's on the ice right now.
> We
> are using SSH tunnels to connect home user's PC to the corporate
> network
> and we will need a solution for the few corporate laptops to connect to
> the corporate network. However, I guess that with all the options
> available in pfSense regarding VPN, I don't think this would be a
> problem.
> 
> Reasons to switch to pfSense:
> 
> - Our Firewall-1 version is not supported anymore so we have to upgrade
> anyway
> - Service contracts are a lot cheaper
> - We would have to pay extra $$ for a redundant setup (CARP pfSense is
> free)
> - It is a platform that I know and I like open-source software
> - It is "officially supported" on vmware (Well, I guess, with a service
> contract)
> - Server load balancing can be used for simple HA setups
> - DHCP server on the firewall (no need for DHCP relay)
> - Other interesting packages
> 
> We are thinking about running a redundant (CARP) setup with one pfSense
> on our VMWare cluster, and one on a physical, separate machine.

I would not recommend a hybrid physical/virtual CARP cluster as CARP is 
entirely network reliant. In a physical CARP cluster best practice is to 
dedicate a network interface on each machine for CARP with a crossover cable 
between them so that even in the event of a switch failure they can still talk 
and elect a master. You would need a dedicated NIC per host, an additional 
physical switch and additional vswitches to achieve the same sort of resiliency 
in a mixed physical/virtual configuration. This can get expensive and adds 
additional points of failure, but without it you run the risk of ending up with 
two masters (i.e. split brain) if the connectivity between your physical and 
virtual networks were to fail. vmWare HA is your friend here, it will remove 
the possibility of a split brain for you if both hosts are running in the 
cluster. HA is not network reliant (as long as you are using a separate storage 
network), it uses a combination of network and shared data store heartbeats 
to monitor hosts and VMs. One host can lose network connectivity, CARP 
will failover the firewalls, the cluster will detect a host isolation response 
and restart the failed VM on another host, all very orderly and controlled with 
less than a couple of seconds of downtime and no physical intervention.

We use two firewalls with CARP in a vSphere cluster, works very nicely.

The things to remember if you go with the two virtual machines are:

1. Make sure you follow the instructions for CARP and ESX/ESXi from the 
wiki.
2. Change the host that ESXi pings to determine its network 
availability. If you leave this as the default gateway, the ESX host that is 
hosting the master node will never fail over even in the event of a network 
outage, as it will still be able to ping the VM. This must be something that is 
highly available, we use the address of the stacked switches in our blade 
chassis. See 
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1002478

If you can tolerate a minute or two of downtime in the event of a host failure 
you could even consider a single pfSense VM and just trust vmWare HA to do the 
failover.

> 
> Concerns:
> 
> 1- NAT Reflexion - We don't have a split-DNS setup.  CheckPoint does
> seem to manage NAT Reflexion perfectly.
> 
> 2- Ease to migrate the configuration to pfSense - I would set a pfSense
> VM in parallel and start migrating all the rules manually, but I'm
> scared about missing some or seeing a situation where the Firewall-1
> can
> do it and not pfSense.
> 
> 3- Backups.  Are automated backups (of the config, at least) possible
> even w/o a service contract?
> 
> Can people share their experience with this kind of scenario?
> 
> Don't hesitate if you need more info.
> 
> Thanks,
> 
> Ugo


pfSense works well for 

Re: [pfSense] Multiple IPSEC Mutual PSK + Xauth Tunnels

2011-11-23 Thread Daniel Davis
Bump... any ideas?

From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On 
Behalf Of Daniel Davis
Sent: Wednesday, 2 November 2011 3:09 PM
To: 'pfSense support and discussion'
Subject: [pfSense] Multiple IPSEC Mutual PSK + Xauth Tunnels

We have a situation where all our iOS users connect via IPSEC VPN for remote 
access. This works great and is very stable. What we want to achieve however is 
for certain clients to have access only to certain networks (different sets of 
firewall rules and phase 2 tunnels for different groups of users). I believe 
that to do this we would need to be able to have multiple Phase 1 tunnel 
definitions with Mutual PSK + Xauth as the authentication method, however this 
is not available as an option if I manually add another Phase 1 tunnel. Is this 
possible to achieve with PfSense 2?

Thanks,

Daniel



Re: [pfSense] Unstable RDC connections

2011-11-23 Thread Chris Buechler
On Wed, Nov 23, 2011 at 5:18 PM, Ron Lemon  wrote:
>
> Good Afternoon,
>
>
>
> I have an odd problem that I am hoping someone might be able to assist me 
> with.  I have a pfSense 2 box with 2 NICs in it.  WAN and LAN.  The LAN has 3 
> subnets on it 10.0.0.0/24, 10.0.1.0/24 and 10.0.4.0/24.
>
>
>
> 1.   If I sit in 10.0.1.0 I can connect to an RDC server in the same 
> subnet with no problems.
>
>
>
> 2.   If I sit in 10.0.0.0 and try to connect to the same server as the 
> previous test my RDC connection drops and reconnects maybe once every minute 
> or two.
>
>
>
> 3.   If I sit in 10.0.0.0 and try to connect to an RDC server in 
> 10.0.4.0 it is rock solid.
>
>
>
> 4.   If I connect to the same 10.0.1.0 server as in 1 and 2 above from 
> outside the building and come in through the WAN it is rock solid.
>
>
>
> So it does not appear to be the server, it does not appear to be the switches 
> in the building, it doesn’t look like the FW as other paths on the same 
> interfaces work no problem.  I am stumped.
>

Guessing that one of the affected hosts is dual homed, so the firewall
only sees one direction of the traffic, and hence will eventually drop
the TCP connection as it starts looking like spoofed traffic. Can't
statefully filter with any firewall if it doesn't see both directions.
That or the other alternative is there is another router in the mix
somewhere that's routing the opposite direction traffic. There is a
work around to not keep state on traffic in those scenarios for the
most common case, where there is a static route involved, but that
wouldn't be applicable here. That's an ugly network in general with 3
subnets on the same broadcast domain, splitting that up properly into
VLANs or similar and hence fixing all the weird routing possibilities
you have in that scenario is the best option, and really the only
option if you need to filter between the subnets. Adding sloppy state
firewall rules for traffic passing between the internal subnets should
work around it too.
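
Added example (not part of the original thread, and not pfSense code): a small Python check that reads `tcpdump -n` style lines captured on the firewall's LAN interface and lists TCP flows it saw in one direction only, which is the symptom of the asymmetric path described in the reply above. The capture lines, host addresses and the `one_way_flows` name are constructed for illustration; only the three subnets come from the thread.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# The three LAN subnets named in the original post.
LAN_SUBNETS = [ip_network(n) for n in ("10.0.0.0/24", "10.0.1.0/24", "10.0.4.0/24")]

# Constructed sample, shaped like `tcpdump -n` output taken on the firewall's LAN NIC.
SAMPLE_CAPTURE = """\
17:18:01.000100 IP 10.0.0.25.51514 > 10.0.1.10.3389: Flags [S], seq 1000, win 65535, length 0
17:18:01.002300 IP 10.0.0.25.51514 > 10.0.1.10.3389: Flags [.], ack 1, win 65535, length 0
17:18:01.010400 IP 10.0.0.25.51514 > 10.0.1.10.3389: Flags [P.], seq 1:20, ack 1, win 65535, length 19
17:18:02.500000 IP 10.0.0.25.51514 > 10.0.1.10.3389: Flags [P.], seq 20:60, ack 400, win 65535, length 40
17:18:05.000100 IP 10.0.0.25.51600 > 10.0.4.20.3389: Flags [S], seq 7000, win 65535, length 0
17:18:05.000900 IP 10.0.4.20.3389 > 10.0.0.25.51600: Flags [S.], seq 9000, ack 7001, win 65535, length 0
17:18:05.001200 IP 10.0.0.25.51600 > 10.0.4.20.3389: Flags [.], ack 1, win 65535, length 0
17:18:09.000000 IP 10.0.4.7.40000 > 10.0.1.10.3389: Flags [S], seq 5, win 65535, length 0
17:18:12.000000 IP 10.0.4.7.40000 > 10.0.1.10.3389: Flags [S], seq 5, win 65535, length 0
"""

# Matches only TCP lines (they carry a "Flags [...]" field).
LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \["
)


def subnet_of(addr):
    """Name the LAN subnet an address belongs to, or 'other'."""
    ip = ip_address(addr)
    return next((str(net) for net in LAN_SUBNETS if ip in net), "other")


def one_way_flows(capture, min_packets=3):
    """Return TCP flows for which the capture point saw only one direction.

    A stateful filter that never sees the return half of a connection cannot
    follow its state, so these flows are the ones to check for a dual-homed
    host or a second router. min_packets skips unanswered connection attempts.
    """
    seen = defaultdict(lambda: defaultdict(int))  # flow -> direction -> packets
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src = (m["src"], int(m["sport"]))
        dst = (m["dst"], int(m["dport"]))
        flow = tuple(sorted((src, dst)))  # same key for both directions
        seen[flow][(src, dst)] += 1

    findings = []
    for flow, directions in sorted(seen.items()):
        if len(directions) != 1:
            continue  # both directions crossed the firewall
        (src, dst), count = next(iter(directions.items()))
        if count >= min_packets:
            findings.append({
                "src": f"{src[0]}:{src[1]}",
                "dst": f"{dst[0]}:{dst[1]}",
                "src_subnet": subnet_of(src[0]),
                "dst_subnet": subnet_of(dst[0]),
                "packets": count,
            })
    return findings


if __name__ == "__main__":
    for f in one_way_flows(SAMPLE_CAPTURE):
        print(f"{f['src']} -> {f['dst']} ({f['src_subnet']} to {f['dst_subnet']}): "
              f"{f['packets']} packets, no return traffic seen")
```
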


[pfSense] NAT reflection and SIP registration

2011-11-23 Thread David Burgess
I have the SIP client in my Android 2.3 phone set up to register to my
local Askozia (Asterisk) PBX. The problem I'm having is that if I use
the FQDN of the PBX server, the SIP client only registers when I'm off
the network. In order to have the SIP client register successfully
when on the local network, I have to drop the domain part and just use
the hostname. Obviously this creates problems when I'm not on the
local network.

It used to work to just use the FQDN and the SIP client would register
whether I was local or not. I'm not sure why it quit working, whether
it was the upgrade from pfsense 2.0-RC to 2.0-RELEASE, or if it was
the upgrade of the phone from Cyanogenmod 7.0 to 7.1.

The PBX server has a RFC1918 address and pfsense is doing NAT for it
to the internet. I'm using pfsense's DNS Forwarder on the internal
network along with the first two DHCP options. If I ping the PBX
server's hostname from the Android terminal I get a response from the
internal address. Likewise, if I ping the PBX's FQDN I get a response,
again from the internal address. If I do an nslookup on the FQDN from
Android, I get the WAN address as a response, even if I create a host
override entry in pfsense's DNS Forwarder.

So I'm actually not sure what the problem is. Android's SIP client
just times out when trying to register locally, and Askozia's logs
don't create any entry. Neither device supports tcpdump to my
knowledge, and with them both being on the same LAN I can't really see
what's happening between them on the network (I guess I could probably
do this from the switch or AP).

Any ideas on the problem or a workaround?

db


Re: [pfSense] Replacing CheckPoint Firewall-1 with pfSense

2011-11-23 Thread Yehuda Katz
On Wed, Nov 23, 2011 at 1:34 PM, Ugo Bellavance  wrote:

> We're thinking about replacing our CheckPoint Firewall-1 by pfSense.  We
> are using only those features on Firewall-1 (R65):
>
> Concerns:
> 3- Backups.  Are automated backups (of the config, at least) possible even
> w/o a service contract?

We wrote a very simple config backup script based on the ones that are
already included.
We call it from a shell script that runs on a schedule on another server.
I will try to clean it up and send it to you if you are interested.

Alternatively, you can try this:
http://forum.pfsense.org/index.php/topic,11356.msg62849.html
I have not tried it, so I don't know how out-dated it is.
Note: A modification for how to install rsync:
http://doc.pfsense.org/index.php/Installing_FreeBSD_Packages

- Yehuda


Re: [pfSense] Replacing CheckPoint Firewall-1 with pfSense

2011-11-23 Thread Nathan Eisenberg
> Hi,
> 
> We're thinking about replacing our CheckPoint Firewall-1 by pfSense.
> We
> are using only those features on Firewall-1 (R65):

Based on your requirements, you'll be quite happy with PFSense.  


[pfSense] Unstable RDC connections

2011-11-23 Thread Ron Lemon
Good Afternoon,

I have an odd problem that I am hoping someone might be able to assist me with. 
 I have a pfSense 2 box with 2 NICs in it.  WAN and LAN.  The LAN has 3 subnets 
on it 10.0.0.0/24, 10.0.1.0/24 and 10.0.4.0/24.


1.   If I sit in 10.0.1.0 I can connect to an RDC server in the same subnet 
with no problems.


2.   If I sit in 10.0.0.0 and try to connect to the same server as the 
previous test my RDC connection drops and reconnects maybe once every minute or 
two.


3.   If I sit in 10.0.0.0 and try to connect to an RDC server in 10.0.4.0 
it is rock solid.


4.   If I connect to the same 10.0.1.0 server as in 1 and 2 above from 
outside the building and come in through the WAN it is rock solid.

So it does not appear to be the server, it does not appear to be the switches 
in the building, it doesn't look like the FW as other paths on the same 
interfaces work no problem.  I am stumped.

We do have traffic shaping enabled so I went in to there and removed the 
shaper, same issue.

Anyone have any amazing insights as I sit and watch my session drop and 
reconnect?

Thanks,

_
Ron Lemon
Information Technology Manager, Maplewood Computing Ltd. | 800.265.3482 | 
www.maplewood.com



Re: [pfSense] Load Balancer: Virtual Servers vs DHCP assigned dynamic IP addresses

2011-11-23 Thread Dave Warren

On 11/22/2011 5:11 PM, Jim Pingle wrote:
> On 11/22/2011 7:45 PM, Dave Warren wrote:
>> Is there any way to tell pfSense that these entries should represent
>> interface IPs rather than hardcoding specific IPs?
>
> I don't recall if we reject the syntax in the GUI, but I believe relayd
> supports using a hostname for such parameters. If you use a dyndns
> hostname for that WAN, you might try using it there.

I do have dynamic DNS for both the public interfaces (or can, without 
much hassle. Right now I have one hostname that points to either of the 
interfaces based on external failover management)

However, the UI doesn't accept hostnames.

> I've only used it with static IPs so I'm not sure how that will react
> there. It may not get automatically reloaded when a WAN IP changes, but
> it's worth trying.

Worse, it needs to wait until about 75 seconds after the WAN IP changes 
to allow for the Dynamic DNS system to update and TTLs to expire. Doing 
it natively would be cleaner, although this might work if relayd is 
smart enough to accept hostnames and notice when said hostnames change.

All that being said, I should note that I'm not even that picky about 
how quickly it works, IP changes on the primary connection are 
infrequent enough that it's just not a big deal. IP changes on the 
backup connection are frequent, but a bit of downtime there only matters 
when the primary connection is down, and failovers already take 1-5 minutes.

> Even if the GUI input validation rejects it, it'd be worth trying to
> disable that validation to see if it actually works in relayd.conf

What's the best way to do that? Can I hack the backup file and upload it 
(I've used that to bypass certain UI limitations in the past), or am I 
looking at hax0ring files on the pfSense box?


--
Dave Warren, CEO
Hire A Hit Consulting Services
http://ca.linkedin.com/in/davejwarren



[pfSense] Replacing CheckPoint Firewall-1 with pfSense

2011-11-23 Thread Ugo Bellavance

Hi,

We're thinking about replacing our CheckPoint Firewall-1 by pfSense.  We 
are using only those features on Firewall-1 (R65):


- Security (default deny on everything)
- NAT (inbound (for internet-facing hosts) and outbound (selective, 
workstations go out through a proxy, other selected hosts are NAT'd 
based on destination host and port(s))
- We do have some security rules defined in their SmartDefense, but it 
is a nightmare to configure without having many false positives.  I'm 
pretty sure we could go without or simply add Snort to pfSense


We had a project of roaming users VPN but it's on the ice right now.  We 
are using SSH tunnels to connect home user's PC to the corporate network 
and we will need a solution for the few corporate laptops to connect to 
the corporate network. However, I guess that with all the options 
available in pfSense regarding VPN, I don't think this would be a problem.


Reasons to switch to pfSense:

- Our Firewall-1 version is not supported anymore so we have to upgrade 
anyway

- Service contracts are a lot cheaper
- We would have to pay extra $$ for a redundant setup (CARP pfSense is free)
- It is a platform that I know and I like open-source software
- It is "officially supported" on vmware (Well, I guess, with a service 
contract)

- Server load balancing can be used for simple HA setups
- DHCP server on the firewall (no need for DHCP relay)
- Other interesting packages

We are thinking about running a redundant (CARP) setup with one pfSense 
on our VMWare cluster, and one on a physical, separate machine.


Concerns:

1- NAT Reflexion - We don't have a split-DNS setup.  CheckPoint does 
seem to manage NAT Reflexion perfectly.


2- Ease to migrate the configuration to pfSense - I would set a pfSense 
VM in parallel and start migrating all the rules manually, but I'm 
scared about missing some or seeing a situation where the Firewall-1 can 
do it and not pfSense.


3- Backups.  Are automated backups (of the config, at least) possible 
even w/o a service contract?


Can people share their experience with this kind of scenario?

Don't hesitate if you need more info.

Thanks,

Ugo



Re: [pfSense] how stable is IPv6 for 2.0?

2011-11-23 Thread Eugen Leitl
On Wed, Nov 23, 2011 at 11:44:56AM -0500, Jim Pingle wrote:
> On 11/23/2011 11:09 AM, Eugen Leitl wrote:
> > I did see something like that. Just repeated the 
> > above, and it seems the last sync did succeed:
> > 
> > #  pfSsh.php playback gitsync master
> > 
> > Starting the pfSense shell system...
> > 
> > ===> Checking out master
> > ===> Fetching updates...
> > ===> Installing new files...
> > ===> Removing FAST-CGI temporary files...
> > ===> Upgrading configuration (if needed)...
> > ===> Configuring filter...
> > ===> Running /etc/rc.php_ini_setup...
> > ===> Locking down the console if needed...
> > ===> Signaling PHP and Lighty restart...
> > ===> Checkout complete.
> > 
> > Your system is now sync'd and PHP and Lighty will be restarted in 5 seconds.
> > 
> > I'm still getting the error whenever I click on the pfSense home
> > button at the left top.
> 
> It should be listing something under "fetching updates" (like it did on
> mine) if there were new commits.
> 
> Out of curiosity, compare the output of the following commands to what I
> see:
> 
> # cd /root/pfsense/pfSenseGITREPO/pfSenseGITREPO
> # grep url .git/config
> url = git://github.com/bsdperimeter/pfsense.git
> # git log -1
> commit 34d0f40c407de2d5ac37209314d7d4570626aa9e
> Author: jim-p 
> Date:   Wed Nov 23 10:56:41 2011 -0500
> 
> Clear the PHP errors when 'no' is pressed also.

Ah, finally. I had the wrong git depository:

# grep url .git/config
url = https://github.com/smos/pfsense-ipv6.git
# vi .git/config
[core]
repositoryformatversion = 0
filemode = true
bare = false
logallrefupdates = true
[remote "origin"]
fetch = +refs/heads/*:refs/remotes/origin/*
url = git://github.com/bsdperimeter/pfsense.git
[branch "master"]
remote = origin
merge = refs/heads/master

Fixed and updated, and it checks clean now:

# cd /root/pfsense/pfSenseGITREPO/pfSenseGITREPO
# grep url .git/config
url = git://github.com/bsdperimeter/pfsense.git
# git log -1
commit 34d0f40c407de2d5ac37209314d7d4570626aa9e
Author: jim-p 
Date:   Wed Nov 23 10:56:41 2011 -0500

Clear the PHP errors when 'no' is pressed also.


Thanks!

-- 
Eugen* Leitl http://leitl.org
__
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE


Re: [pfSense] how stable is IPv6 for 2.0?

2011-11-23 Thread Jim Pingle
On 11/23/2011 11:09 AM, Eugen Leitl wrote:
> I did see something like that. Just repeated the 
> above, and it seems the last sync did succeed:
> 
> #  pfSsh.php playback gitsync master
> 
> Starting the pfSense shell system...
> 
> ===> Checking out master
> ===> Fetching updates...
> ===> Installing new files...
> ===> Removing FAST-CGI temporary files...
> ===> Upgrading configuration (if needed)...
> ===> Configuring filter...
> ===> Running /etc/rc.php_ini_setup...
> ===> Locking down the console if needed...
> ===> Signaling PHP and Lighty restart...
> ===> Checkout complete.
> 
> Your system is now sync'd and PHP and Lighty will be restarted in 5 seconds.
> 
> I'm still getting the error whenever I click on the pfSense home
> button at the left top.

It should be listing something under "fetching updates" (like it did on
mine) if there were new commits.

Out of curiosity, compare the output of the following commands to what I
see:

# cd /root/pfsense/pfSenseGITREPO/pfSenseGITREPO
# grep url .git/config
url = git://github.com/bsdperimeter/pfsense.git
# git log -1
commit 34d0f40c407de2d5ac37209314d7d4570626aa9e
Author: jim-p 
Date:   Wed Nov 23 10:56:41 2011 -0500

Clear the PHP errors when 'no' is pressed also.

Jim


Re: [pfSense] how stable is IPv6 for 2.0?

2011-11-23 Thread Eugen Leitl
On Wed, Nov 23, 2011 at 10:52:45AM -0500, Jim Pingle wrote:
> On 11/23/2011 10:45 AM, Eugen Leitl wrote:
> > On Wed, Nov 23, 2011 at 10:42:41AM -0500, Jim Pingle wrote:
> >> On 11/23/2011 10:36 AM, Eugen Leitl wrote:
> >>> Thanks -- did that, and rebooted.
> >> [snip]
> >>> Crash report details:
> >>>
> >>
> >> Did you submit the report? If so, did it give you an error when it
> >> submitted?
> > 
> > Yes, submitted, and no error given:
> > 
> > Processing...
> > 
> > Uploading...
> > 
> > Upload received OK.
> > 
> > Continue and delete crash report files from local disk.
> > 
> 
> Looking at the report it sent to us, it does not look like the code
> actually updated. It submitted that report in plain text when the code I
> added would have gzipped it.
> 
> Are you sure the gitsync finished successfully?
> 
> You should see output like this:
> : pfSsh.php playback gitsync master
> 
> Starting the pfSense shell system...
> 
> ===> Checking out master
> ===> Fetching updates...
> remote: Counting objects: 13, done.
> remote: Compressing objects: 100% (2/2), done.
> remote: Total 7 (delta 5), reused 7 (delta 5)
> Unpacking objects: 100% (7/7), done.
> From git://github.com/bsdperimeter/pfsense
>    96f9e3f..dc43ff1  master -> origin/master
> ===> Installing new files...
> ===> Removing FAST-CGI temporary files...
> ===> Upgrading configuration (if needed)...
> ===> Configuring filter...
> ===> Running /etc/rc.php_ini_setup...
> ===> Locking down the console if needed...
> ===> Signaling PHP and Lighty restart...
> ===> Checkout complete.
> 
> Your system is now sync'd and PHP and Lighty will be restarted in 5 seconds.

I did see something like that. Just repeated the 
above, and it seems the last sync did succeed:

#  pfSsh.php playback gitsync master

Starting the pfSense shell system...

===> Checking out master
===> Fetching updates...
===> Installing new files...
===> Removing FAST-CGI temporary files...
===> Upgrading configuration (if needed)...
===> Configuring filter...
===> Running /etc/rc.php_ini_setup...
===> Locking down the console if needed...
===> Signaling PHP and Lighty restart...
===> Checkout complete.

Your system is now sync'd and PHP and Lighty will be restarted in 5 seconds.

I'm still getting the error whenever I click on the pfSense home
button at the left top.

-- 
Eugen* Leitl http://leitl.org
__
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE


Re: [pfSense] how stable is IPv6 for 2.0?

2011-11-23 Thread Jim Pingle
On 11/23/2011 10:45 AM, Eugen Leitl wrote:
> On Wed, Nov 23, 2011 at 10:42:41AM -0500, Jim Pingle wrote:
>> On 11/23/2011 10:36 AM, Eugen Leitl wrote:
>>> Thanks -- did that, and rebooted.
>> [snip]
>>> Crash report details:
>>>
>>
>> Did you submit the report? If so, did it give you an error when it
>> submitted?
> 
> Yes, submitted, and no error given:
> 
> Processing...
> 
> Uploading...
> 
> Upload received OK.
> 
> Continue and delete crash report files from local disk.
> 

Looking at the report it sent to us, it does not look like the code
actually updated. It submitted that report in plain text when the code I
added would have gzipped it.

Are you sure the gitsync finished successfully?

You should see output like this:
: pfSsh.php playback gitsync master

Starting the pfSense shell system...

===> Checking out master
===> Fetching updates...
remote: Counting objects: 13, done.
remote: Compressing objects: 100% (2/2), done.
remote: Total 7 (delta 5), reused 7 (delta 5)
Unpacking objects: 100% (7/7), done.
From git://github.com/bsdperimeter/pfsense
   96f9e3f..dc43ff1  master -> origin/master
===> Installing new files...
===> Removing FAST-CGI temporary files...
===> Upgrading configuration (if needed)...
===> Configuring filter...
===> Running /etc/rc.php_ini_setup...
===> Locking down the console if needed...
===> Signaling PHP and Lighty restart...
===> Checkout complete.

Your system is now sync'd and PHP and Lighty will be restarted in 5 seconds.

Jim


Re: [pfSense] how stable is IPv6 for 2.0?

2011-11-23 Thread Eugen Leitl
On Wed, Nov 23, 2011 at 10:42:41AM -0500, Jim Pingle wrote:
> On 11/23/2011 10:36 AM, Eugen Leitl wrote:
> > Thanks -- did that, and rebooted.
> [snip]
> > Crash report details:
> > 
> 
> Did you submit the report? If so, did it give you an error when it
> submitted?

Yes, submitted, and no error given:

Processing...

Uploading...

Upload received OK.

Continue and delete crash report files from local disk.

-- 
Eugen* Leitl http://leitl.org
__
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE


Re: [pfSense] how stable is IPv6 for 2.0?

2011-11-23 Thread Jim Pingle
On 11/23/2011 10:36 AM, Eugen Leitl wrote:
> Thanks -- did that, and rebooted.
[snip]
> Crash report details:
> 

Did you submit the report? If so, did it give you an error when it
submitted?

Jim


Re: [pfSense] how stable is IPv6 for 2.0?

2011-11-23 Thread Eugen Leitl
On Wed, Nov 23, 2011 at 10:22:16AM -0500, Jim Pingle wrote:
> On 11/23/2011 4:21 AM, Eugen Leitl wrote:
> > Just upgraded to 
> > http://files.pfsense.org/jimp/ipv6/pfSense-Full-Update-2.1-DEVELOPMENT-i386-20111021-1243.tgz
> > on a SuperMicro Atom -- system boots fine but I'm getting
> > Crash report begins.  Anonymous machine information:
> [snip]
> > Is this of any concern?
> > Should I follow the suggestion in the
> > crash reporter, and upgrade to a new snapshot?
> 
> That message can also trigger on a logged PHP error. Those were not
> shown in the report box but I just checked in a fix now.
> 
> You should gitsync the code to pick up changes that happened after that
> image was made.
> 
> Easiest way is via the command line:
> pfSsh.php playback gitsync master

Thanks -- did that, and rebooted.

Diagnostics: Crash reporter

Unfortunately we have detected a programming bug.

Would you like to submit the programming debug logs to the pfSense developers 
for inspection?

Please double check the contents to ensure you are comfortable sending this 
information before clicking Yes.

Contents of crash reports:

Crash report begins.  Anonymous machine information:

i386
8.1-RELEASE-p6
FreeBSD 8.1-RELEASE-p6 #1: Fri Oct 21 12:51:27 EDT 2011 
r...@bsd8x86.pingle.org:/usr/obj.pfSense/usr/pfSensesrc/src/sys/pfSense_SMP.8

Crash report details:

-- 
Eugen* Leitl http://leitl.org
__
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE


Re: [pfSense] how stable is IPv6 for 2.0?

2011-11-23 Thread Jim Pingle
On 11/23/2011 4:21 AM, Eugen Leitl wrote:
> Just upgraded to 
> http://files.pfsense.org/jimp/ipv6/pfSense-Full-Update-2.1-DEVELOPMENT-i386-20111021-1243.tgz
> on a SuperMicro Atom -- system boots fine but I'm getting
> Crash report begins.  Anonymous machine information:
[snip]
> Is this of any concern?
> Should I follow the suggestion in the
> crash reporter, and upgrade to a new snapshot?

That message can also trigger on a logged PHP error. Those were not
shown in the report box but I just checked in a fix now.

You should gitsync the code to pick up changes that happened after that
image was made.

Easiest way is via the command line:
pfSsh.php playback gitsync master

Jim


Re: [pfSense] how stable is IPv6 for 2.0?

2011-11-23 Thread Chris Buechler
On Wed, Nov 23, 2011 at 4:39 AM, Eugen Leitl  wrote:
>
> Hmm, I'm getting IPv6 autoconfig bullshit overriding my
> static configuration:
>
>        inet6 fe80::225:90ff:fe02:1a4e%em0 prefixlen 64 scopeid 0x3
>        inet6 2a01:4f8:7d:300:: prefixlen 56
>
> Anyone knows how disable IPv6 autoconfig in pfSense?
>

You referring to the link local, fe80? That's not autoconfig, and you
don't want to disable link local (most OSes don't even allow you to do
so, though I see I can force an ifconfig -alias in FreeBSD and it'll
remove it, there isn't an option to not add it AFAIK). SLAAC support
is still on the todo list, currently unless you hack it in yourself
your interfaces can't use SLAAC.


Re: [pfSense] how stable is IPv6 for 2.0?

2011-11-23 Thread Eugen Leitl
On Wed, Nov 23, 2011 at 10:39:00AM +0100, Eugen Leitl wrote:
> 
> inet6 fe80::225:90ff:fe02:1a4e%em0 prefixlen 64 scopeid 0x3
> inet6 2a01:4f8:7d:300:: prefixlen 56
> 
> Anyone knows how disable IPv6 autoconfig in pfSense?

Sorry, I'm an idiot, disregard. Assigned the wrong IPv6
address to the WAN. ping6 works now.

-- 
Eugen* Leitl leitl http://leitl.org
__
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE


Re: [pfSense] how stable is IPv6 for 2.0?

2011-11-23 Thread Eugen Leitl
On Wed, Nov 23, 2011 at 10:21:08AM +0100, Eugen Leitl wrote:
> On Sun, Nov 20, 2011 at 04:36:51PM +0100, Seth Mos wrote:
> > Hi,
> > 
> > On 20 Nov 2011, at 16:33, Eugen Leitl wrote:
> > 
> > > Great, I'll take the plunge, then. Thanks!
> > 
> > Just for extra clarification, the images on 
> > http://files.pfsense.org/jimp/ipv6/ are the easiest to start rolling and to 
> > have a reasonably stable starting point.
> > 
> > We only make these when a new feature is introduced and broken ones are 
> > yanked soon. Contrary to normal snapshots.

Hmm, I'm getting IPv6 autoconfig bullshit overriding my
static configuration:

inet6 fe80::225:90ff:fe02:1a4e%em0 prefixlen 64 scopeid 0x3
inet6 2a01:4f8:7d:300:: prefixlen 56

Anyone know how to disable IPv6 autoconfig in pfSense?
 
> Just upgraded to 
> http://files.pfsense.org/jimp/ipv6/pfSense-Full-Update-2.1-DEVELOPMENT-i386-20111021-1243.tgz
> on a SuperMicro Atom -- system boots fine but I'm getting
> Crash report begins.  Anonymous machine information:
> 
> i386
> 8.1-RELEASE-p6
> FreeBSD 8.1-RELEASE-p6 #1: Fri Oct 21 12:51:27 EDT 2011 
> r...@bsd8x86.pingle.org:/usr/obj.pfSense/usr/pfSensesrc/src/sys/pfSense_SMP.8
> 
> Crash report details:
> 
> Filename: /var/crash/minfree
> 2048
> 
> Is this of any concern?
> Should I follow the suggestion in the
> crash reporter, and upgrade to a new snapshot?
>  
> > Regards,
> > 
> > Seth
> > 
> -- 
> Eugen* Leitl leitl http://leitl.org
> __
> ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
> 8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
-- 
Eugen* Leitl leitl http://leitl.org
__
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE


Re: [pfSense] how stable is IPv6 for 2.0?

2011-11-23 Thread Eugen Leitl
On Sun, Nov 20, 2011 at 04:36:51PM +0100, Seth Mos wrote:
> Hi,
> 
> On 20 Nov 2011, at 16:33, Eugen Leitl wrote:
> 
> > Great, I'll take the plunge, then. Thanks!
> 
> Just for extra clarification, the images on 
> http://files.pfsense.org/jimp/ipv6/ are the easiest to start rolling and to 
> have a reasonably stable starting point.
> 
> We only make these when a new feature is introduced and broken ones are 
> yanked soon. Contrary to normal snapshots.

Just upgraded to 
http://files.pfsense.org/jimp/ipv6/pfSense-Full-Update-2.1-DEVELOPMENT-i386-20111021-1243.tgz
on a SuperMicro Atom -- system boots fine but I'm getting
Crash report begins.  Anonymous machine information:

i386
8.1-RELEASE-p6
FreeBSD 8.1-RELEASE-p6 #1: Fri Oct 21 12:51:27 EDT 2011 
r...@bsd8x86.pingle.org:/usr/obj.pfSense/usr/pfSensesrc/src/sys/pfSense_SMP.8

Crash report details:

Filename: /var/crash/minfree
2048

Is this of any concern?
Should I follow the suggestion in the
crash reporter, and upgrade to a new snapshot?
 
> Regards,
> 
> Seth
> 
-- 
Eugen* Leitl leitl http://leitl.org
__
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE