[pfSense] Another OPT1 routing question

2014-08-10 Thread Chris Murray
Hi all,

I'm having some confusion with my OPT1 interface. I've found quite a few
questions around OPT1 routing, with various solutions too, however none
of them seem to be applicable to me. I may be misunderstanding something
basic, so please bear with me.

I had pfSense inside KVM, with two virtual NICs, each connected to their
corresponding physical NIC. One physical NIC goes to a LAN switch, and
the other to a second switch, into which is plugged a DSL modem. I have
another KVM host plugged into the same switches. It also runs this VM,
and I can migrate back and forth without issue. There's still a single
point of failure in each of the switches, and another in the modem, but
this is good enough for my needs so that I may patch hosts independently
etc. Internet access continues during the migration from host A to host
B and vice versa.

I've added a third NIC, (eth2 on the KVM hosts), added a bridge in the
same way as the others (VMBR2), and presented this to the pfSense VM as
a third NIC. I've added this as OPT1, given it an address in the form
192.168.yyy.1 (the address on the LAN interface is 192.168.xxx.1). I've
connected these two new physical NICs to a separate switch, in the same
manner as the others. Therefore one physical host has three NICs each in
a separate switch.

I intend to mirror the functionality of the LAN in OPT1; just having an
extra range of addresses to use. For now I'd like LAN machines to be
able to contact OPT1 machines and vice-versa.

So the LAN interface still has this rule:
IPv4 *  LAN net *   *   *   *   none

And I've added this one to OPT1, just like the OpenVPN interface has:
IPv4 *  *   *   *   *   *   none

I have a machine plugged into the new switch, 192.168.yyy.60
From an address in 192.168.xxx.0, I can ping 192.168.xxx.1 and
192.168.yyy.1, but *not* 192.168.yyy.60 (destination host unreachable)

On the OPT1 rule, I have "Log packets that are handled by this rule"
ticked. Status -- System Logs -- Firewall doesn't contain anything at
all for the OPT1 interface. The packet RRD graph for the OPT1 interface
shows a lot of in-block which I don't understand given how relaxed the
rules are.

One odd thing I've noticed is:
The VM has three MAC addresses; one for LAN, one for WAN and one for
OPT1. Inside pfSense's Status -- Interface, they appear as:
WAN interface (PPPOE1) - 00:00:00:00:00:00 -- there is no WAN
  interface and I don't understand this bit, but fair enough
LAN interface - has the VM's LAN MAC address, as you might expect.
OPT1 interface - actually has the VM's WAN MAC address (the second
  interface rather than the third interface)

I did correct the MAC address for OPT1, only for it to break my internet
temporarily which a VM restart then fixed. This still hasn't resolved
the routing.

Any help is appreciated. If the issue is due to my virtualised setup,
I'd be interested to know why the LAN/WAN routing works fine the way it
is.

I'm on 32 bit 2.1.4

Many thanks,
Chris
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] Strange problems with pfSense 2.1.4

2014-08-10 Thread compdoc
> Jason M. wrote:
> I'm using the PFW201 hardware from Tranquilnet

According to Tranquilnet:

*Note: These units may run hot to the touch and we recommend either a wall
mount or to place them on a cool, dry and hard surface with proper air flow

I can build systems that are much faster and more powerful for less than
half the price so I've never used a PFW201, but I have seen it mentioned
that units like them often have a cpu heat sink that makes contact with the
case. Or, that they have a metal shim that connects the heat sink to the
case. 

Heat transfer for these systems is often critical. Is yours overheating? Are
you testing with one of the Tranquilnet units, or one of the units you got
direct from the supplier?



> Now my question is, what is going wrong? I've tried the same
> config on multiple devices, so I don't think it's hardware. Could
> my config have become corrupted?

I don't follow your logic about it not being the hardware, but yes, your
config could have become corrupted. Try another CF card? Try installing from
scratch and restoring a backup xml file?





Re: [pfSense] Another OPT1 routing question

2014-08-10 Thread compdoc
> OPT1 interface - actually has the VM's WAN MAC address (the second
> interface rather than the third interface)

If you haven't yet, you might want to reassign interfaces on the console
login screen. The Option is number (1) in the list. 

Then reboot.




Re: [pfSense] Another OPT1 routing question

2014-08-10 Thread Chris Murray
Oh that's odd, they were mixed-up on the console screen and on the
option to reassign interfaces. 

I'd expect em0, em1 and em2 to be enumerated in the same order as the
virtual interfaces presented to the VM, but when reassigning, they were
like this:

em0  first MAC address  (up)
em1  third MAC address  (up)    -- shouldn't that be the second MAC address?
em2  third MAC address  (down)  -- correct MAC address, but surely that should be 'up'?

I chose interfaces again anyhow (WAN -- em1, LAN -- em0 and OPT1 --
em2). After one restart my internet access disappeared, but reassigning
via the UI WAN -- PPPOE1 did the trick. 

After one restart it's still working.

Many thanks, I'll remember that one in future!



Re: [pfSense] Another OPT1 routing question

2014-08-10 Thread compdoc
> em1 third MAC address (up) -- shouldn't that be the second MAC address?


Are you saying two interfaces have the same mac address even after
reassignment? That's not right. 





Re: [pfSense] [Bulk] Re: Another OPT1 routing question

2014-08-10 Thread PiBa
You wrote "I did correct the MAC address for OPT1". Please note that
it is normally not needed to configure the MAC addresses of network cards
inside the pfSense webgui (only sometimes, if you want to avoid some ISP
ARP-cache update issue when changing hardware). Make sure to remove that
setting if you still have it but want to have pfSense use the same MACs
that the (virtual) NICs really have. I suspect that this is now causing
the 'duplicate' MAC on the pfSense interfaces.


Greets PiBa-NL



Re: [pfSense] Another OPT1 routing question

2014-08-10 Thread Chris Murray
They don't now, but the process of reassignment suggested that they did,
and that one of them was down, i.e. the "Valid interfaces are:" list
wasn't right. It's now correct though, thanks for that.



Re: [pfSense] Another OPT1 routing question

2014-08-10 Thread Chris Murray
Just one more issue now which has me puzzled and I'm hoping someone has
some ideas? It appears to be working for some hosts but not others?

I have a machine 192.168.yyy.60, which I can ping and SSH to from the
192.168.xxx.0 network.
I have a machine 192.168.yyy.40, which listens on port 80. I can access
HTTP from the 192.168.xxx.0 network, but I can't SSH or ping it.
I *can* SSH from 192.168.yyy.60 to 192.168.yyy.40, so it is up.
I can ping 192.168.yyy.40 from the OPT1 interface; that's fine. 
As soon as I try to ping from the LAN interface, 100% packet loss.
Yet try to do the same with 192.168.yyy.60, it's fine.



[pfSense] Fwd: new to pfsense

2014-08-10 Thread ram
Hi all

I have just installed pfSense on one of my old boxes;
installation works perfectly.

My achievements are:

I got one of the Ethernet ports and one O2 dongle to connect to the internet.

I configured my box with a back-to-back Ethernet cable.

I try to connect O2; it says ppp0 up.

I do not see any IP address assigned to the interface.

How can I get an IP address, and how can I route my Ethernet traffic to ppp0
and use my laptop to browse the internet?

laptop---ethernet---ppp0

ram

Re: [pfSense] Another OPT1 routing question

2014-08-10 Thread Chris Murray
Oh I've got it: lack of default route on 192.168.yyy.40

Just how HTTP was working is still a mystery though.

Apologies for the noise!

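Added example, not part of the original thread: a longest-prefix route lookup showing which replies a host on the OPT1 subnet can send with and without a default route, which is the fault reported above for 192.168.yyy.40. The addresses are constructed stand-ins for the masked subnets, and it assumes traffic routed from LAN to OPT1 keeps its LAN source address.

```python
import ipaddress

# Constructed stand-ins: the thread masks its subnets as 192.168.xxx.0 (LAN)
# and 192.168.yyy.0 (OPT1); 192.168.10.0/24 and 192.168.20.0/24 are used here.
LAN_CLIENT = "192.168.10.25"      # hypothetical machine on the LAN side
OPT1_GW = "192.168.20.1"          # pfSense's OPT1 address
OPT1_NEIGHBOUR = "192.168.20.60"  # another machine on the OPT1 switch

# (prefix, next hop or None for directly connected, interface)
ROUTES_WITHOUT_DEFAULT = [("192.168.20.0/24", None, "eth0")]
ROUTES_WITH_DEFAULT = ROUTES_WITHOUT_DEFAULT + [("0.0.0.0/0", OPT1_GW, "eth0")]


def lookup(routes, dst):
    """Longest-prefix match: (next_hop, iface), or None if no route covers dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop or "on-link", iface)
    return None if best is None else best[1:]


def reply_paths(routes):
    """Where this host would send a reply to each kind of peer."""
    return {peer: lookup(routes, peer)
            for peer in (LAN_CLIENT, OPT1_GW, OPT1_NEIGHBOUR)}


if __name__ == "__main__":
    for name, table in (("no default route", ROUTES_WITHOUT_DEFAULT),
                        ("with default route", ROUTES_WITH_DEFAULT)):
        print(name)
        for peer, path in reply_paths(table).items():
            print(f"  reply to {peer:15} -> {path or 'no route, reply is never sent'}")
```

With only the connected route, replies to the OPT1 gateway address and to OPT1 neighbours go out on-link, while a reply to a LAN-side source has no matching route; adding the default route via the OPT1 address gives it a path back through pfSense.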


Re: [pfSense] Strange problems with pfSense 2.1.4

2014-08-10 Thread jmitchel
Hello,
>> Jason M. wrote:
>> I'm using the PFW201 hardware from Tranquilnet
>
> According to Tranquilnet:
>
> *Note: These units may run hot to the touch and we recommend either a wall
> mount or to place them on a cool, dry and hard surface with proper air
> flow
>
> I can build systems that are much faster and more powerful for less than
> half the price so I've never used a PFW201, but I have seen it mentioned
> that units like them often have a cpu heat sink that makes contact with
> the case. Or, that they have a metal shim that connects the heat sink to
> the case.
>
> Heat transfer for these systems is often critical. Is yours overheating?
> Are you testing with one of the Tranquilnet units, or one of the units
> you got direct from the supplier?

One, the problem first appeared with the Tranquilnet unit. Two, I forgot
to mention that I noticed the heat problem (it's hard to miss if you
don't read the directions -- the units are almost hot enough to burn skin
:) and am using a laptop cooler for now. I'm trying out USB powered fans
as a better long term solution, but the units are very cool with the
laptop cooler.



>> Now my question is, what is going wrong? I've tried the same
>> config on multiple devices, so I don't think it's hardware. Could
>> my config have become corrupted?
>
> I don't follow your logic about it not being the hardware, but yes, your
> config could have become corrupted. Try another CF card? Try installing
> from scratch and restoring a backup xml file?

Well, pfSense recommends the Tranquilnet hardware and the problem occurs
with that. The problem also occurs with the units from the manufacturer
which have the same part number and look identical. These units have a
backup XML file restored to a fresh CF card. Sorry for not mentioning this
in my first message -- I was kind of tired.

I was trying to say that maybe something in the .xml config might have
become corrupted, but I took a look at the .xml file and it doesn't look
like there's room for corruption. The only thing strange is this:

<revision>
<time>1407542644</time>
<description><![CDATA[admin@192.168.182.10: /system_usermanager.php made unknown change]]></description>
<username>admin@192.168.182.10</username>
</revision>

Do you have any other ideas?





Thanks for the help,

Jason M.


[pfSense] Finally moved to Endian Firewall 3.0

2014-08-10 Thread A Mohan Rao
Dear Sir,

At present I have temporarily moved to Endian Firewall 3.0 for HTTPS proxy;
it works well.



Thanks

A Mohan Rao