Re: [pfSense] CARP failover works but it only fails back the LAN

[Steve Yates]

I am not sure this is related but it is weird/bad...I got around to 
setting the skew back to 0 for all CARP IPs on router1.  pfSense (2.2.1) syncs 
the change to router2 so those skews change from 101 to 100.  However 
afterwards router1 shows all five as Status of Master, and router2 shows all 
five with a blank Status.  I must edit each of the five, save (without making 
changes) and only once changes are Applied the Status shows as Backup.  That 
sounds like a configuration sync bug?  I did see this when setting the skew 
from 0 to 1 earlier today and passed it off as I was clicking around a lot, but 
it seems to be repeatable.

--
Steve


Steve Yates wrote on Mon, Mar 23 2015 at 2:50 pm:

> Just ran into an odd scenario in my testbed...if pfSense (router1) is in a VM
> (Parallels Cloud/Virtuozzo), and I run "service network restart" on the host 
> for
> that VM, pfSense fails over the WAN interface but does not fail over the LAN
> interface.  At that point external communication is lost because one router is
> handling LAN and one WAN.  It does not seem to recover afterwards until the
> host is restarted (we're also using VLANs on the host level for the pfSense VM
> to use for its interfaces, so that may be a factor in having the host 
> restart).
> 
> Per http://www.freebsd.org/cgi/man.cgi?query=carp&sektion=4, if
> net.inet.carp.preempt=1 then the CARP interfaces should fail over together.
> Running "sysctl net.inet.carp" on pfSense shows net.inet.carp.preempt=1.  If I
> reload the CARP status page on router2 quickly, I can see that the WAN and
> LAN interfaces correctly fail over so router2 is Master, however it almost
> immediately reverts so router2 is Master for WAN but router2 is Backup for
> LAN, and router1 is Master for LAN.
> 
> How can I ensure they "fail back" together?
> 
> Note that when I simply boot the host for router1, pfSense does fail over and
> back correctly!  So something is making it not fail back on the network 
> restart?
> 
> For what it's worth we have a IPv4 and IPv6 CARP IPs for WAN, and an IPv4, an
> IPv4 alias, and IPv6 CARP IP for LAN.
> 
> I found an OpenBSD (which I know is different OS, but...) FAQ page on CARP
> that says "By default all carp(4) interfaces are added to the carp group."
> However if I run "ifconfig -v" on pfSense no groups are listed for em0 and 
> em1,
> only lo0, enc0, and ovpns1.  I created a pfSense interface group "carpgroup" 
> for
> LAN and WAN, but had the same symptoms.
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] Locked myself out by disabling LAN

[RB]

On Mon, Mar 23, 2015 at 9:05 PM, Jean-Stéfane Bergeron  
wrote:
> I'm on the road for another two weeks - is there anyway I can re-enable my 
> lan or connect to my router remotely to restore access? Or am I pooched until 
> I can get back to my router physically?

Without one of shell (console, ssh) or web access, you're pretty
stuck.  Since you applied the change, a reboot won't help.  Usually
when I'm on the road I have a red light switch tied to critical
equipment that friends/family/petsitters can manage without too much
drama.
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] ipsec and multi-wan

[Gregory K Shenaut]

> On Mar 23, 2015, at 17:31 , Chris Buechler  wrote:
> 
> On Thu, Mar 19, 2015 at 12:48 PM, Gregory K Shenaut
>  wrote:
>> Hi, I have a system with two sites. One of the sites has two WAN 
>> connections, the other one. I have an IPSEC tunnel passing all traffic 
>> between the two sites. I'm having some difficulty with site-to-site access. 
>> I can ping anything in either site from either site, but can't do much of 
>> anything else. For example, I can't open web pages across the tunnel: 
>> sometime I get nothing, sometimes a hundred or so characters then nothing 
>> else. When I try to transfer lots of data across the tunnel, typically I get 
>> some initial data, again a hundred or so characters, then it hangs, and, 
>> frequently, the tunnel itself goes down and I have to wait for it to 
>> re-establish itself.
>> 
> 
> Almost certainly needing MSS clamping. Advanced settings tab, check
> that box there. Then start new connections (may want to kill states
> just to make really sure), and things will probably work.

This worked like a champ! I didn't know that option existed. Thank you.

Greg

> 've tried all sorts of things, and I believe that there may be a problem in 
> routing due to the dual-WAN setup on one of the sites. I'm not entirely 
> certain, but it's possible the problem began when I set up dual-WAN.
>> 
>> I'm on pfsense 2.2.1.
>> 
>> There is a sentence in the documentation at 
>>  under Prerequisites:
>> 
>>> If pfSense is not the default gateway on the LAN where it is installed, 
>>> static routes must be added to the default gateway, pointing the remote VPN 
>>> subnet to the IP address on pfSense in the LAN subnet.
>> 
> 
> Is that actually the case? VPN is on a separate box from the default
> gateway on the LAN?

> 
>> I've tried adding various static routes based on my understanding of that 
>> sentence, but they haven't helped, which is why I'm asking this question.
>> 
>> First, preliminary question: when you make a change to the System > Static 
>> Routes web page and apply it, it seems like sometimes older
>> routes aren't deleted. Is it necessary to reboot every time you change the 
>> static routes to make sure that you get rid of ones you deleted or
>> deactivated?
> 
> Never necessary to reboot. Where are you seeing they're still there?
> Routes being there after you deleted the static route is generally
> indicative of something else adding them back, like a dynamic routing
> protocol, or them being in an OpenVPN client or server, or similar.

> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

[pfSense] Locked myself out by disabling LAN

[Jean-Stéfane Bergeron]

Good evening everyone,

I ran into a problem with my pfsense install today. I'm connecting remotely 
over a VPN connection to my network. For some reason, all my local devices 
became inaccessible today. 

My VPN connection still can connect to my network. When I logged into my 
router, I noticed that the lan connection was down. 

In an attempt to restart the lan connection I disabled it ... I thought I'd be 
able to restart it - that was Dumb! 

You probably know that I am now unable to connect to my router's web interface. 

I can still connect to the VPN interface and get an IP address from the VPN 
subnet, but nothing to fix my stupidity. 

I'm on the road for another two weeks - is there anyway I can re-enable my lan 
or connect to my router remotely to restore access? Or am I pooched until I can 
get back to my router physically?

Thanks for your help! I'm so disappointed in my own stupidity!

__

Sent from my iPhone
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] 2.2.1 Site-to-Site IPsec VPN Connection Instability

[Bryan D.]

On 2015-Mar-23, at 5:24 PM, Chris Buechler  wrote:

> There's nothing to go on to offer any worthwhile suggestions. IPsec
> logs best place to start.


If you can be more specific, I'll try to help.  Sorry, but I don't have enough 
background with IPsec to ferret things out on my own.  I did try setting both 
"Networking" and "IPsec Traffic" (in Advanced Settings) to Diag then to Raw, 
but saw no additional IPsec logging after pressing the "Restart IPsec service" 
button on that page.

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] ipsec and multi-wan

[Chris Buechler]

On Thu, Mar 19, 2015 at 12:48 PM, Gregory K Shenaut
 wrote:
> Hi, I have a system with two sites. One of the sites has two WAN connections, 
> the other one. I have an IPSEC tunnel passing all traffic between the two 
> sites. I'm having some difficulty with site-to-site access. I can ping 
> anything in either site from either site, but can't do much of anything else. 
> For example, I can't open web pages across the tunnel: sometime I get 
> nothing, sometimes a hundred or so characters then nothing else. When I try 
> to transfer lots of data across the tunnel, typically I get some initial 
> data, again a hundred or so characters, then it hangs, and, frequently, the 
> tunnel itself goes down and I have to wait for it to re-establish itself.
>

Almost certainly needing MSS clamping. Advanced settings tab, check
that box there. Then start new connections (may want to kill states
just to make really sure), and things will probably work.


> I've tried all sorts of things, and I believe that there may be a problem in 
> routing due to the dual-WAN setup on one of the sites. I'm not entirely 
> certain, but it's possible the problem began when I set up dual-WAN.
>
> I'm on pfsense 2.2.1.
>
> There is a sentence in the documentation at 
>  under Prerequisites:
>
>> If pfSense is not the default gateway on the LAN where it is installed, 
>> static routes must be added to the default gateway, pointing the remote VPN 
>> subnet to the IP address on pfSense in the LAN subnet.
>

Is that actually the case? VPN is on a separate box from the default
gateway on the LAN?


> I've tried adding various static routes based on my understanding of that 
> sentence, but they haven't helped, which is why I'm asking this question.
>
> First, preliminary question: when you make a change to the System > Static 
> Routes web page and apply it, it seems like sometimes older
> routes aren't deleted. Is it necessary to reboot every time you change the 
> static routes to make sure that you get rid of ones you deleted or
> deactivated?

Never necessary to reboot. Where are you seeing they're still there?
Routes being there after you deleted the static route is generally
indicative of something else adding them back, like a dynamic routing
protocol, or them being in an OpenVPN client or server, or similar.
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] 2.2.1 Site-to-Site IPsec VPN Connection Instability

[Bill Arlofski]

On 03/21/2015 07:38 PM, Bryan D. wrote:

We've had a pfSense-to-pfSense "always on" IPsec VPN connecting 2 offices since 
2008 (pfSense 1.2 IIRC) and it's:
- been ultra reliable (if VPN is down, suspect ISP issue or pfSense box failure)
- it's been quick to connect (about 1 second, almost unnoticeable)
- it's worked across numerous upgrades without issue (nice!)

Beginning with pfSense v2, we added multiple P2s at each end (still same 
reliability, etc.).

One of the offices has had its hardware updated and its pfSense updated to 2.2 then 2.2.1 
(after testing to see whether we seemed to be affected by the "multiple P2 
issue" noted in the upgrade page -- we're OK on that one).  This connection has 
continued to work with the same characteristics as before.  The 2.2.1 system is 64-bit 
and the other end is v2.1.5 32-bit

We recently added a second site-to-site IPsec VPN, essentially the same as the existing 
one except both sides are pfSense v2.2.1 (but other end is 32-bit) and stronger 
algorithms are being used and P1 is set to v2 (supposedly avoiding any "multiple 
P2" issues).

The new pfSense (v2.2.1 at both ends) "always on" (not!) IPsec VPN is:
- v-e-r-y  s-l-o-w  to connect: e.g. pinging when connection is down yields: once 
a connection after 12 seconds, once a connection after 22 seconds and dozens of 
connections after > 2.25 minutes
- completely unable to "stay connected": both sides have DPD enabled (5 sec./3 
retries) and both sides can be initiators and both sides have 1 P2 set to ping the 
pfSense at the other end
- pressing the "connect button" on pfSense's IPsec status page yields an "instant 
connection" but there won't be any P2 traffic coming back for a while, which seems to 
consistently be the connection-delay issue

If one of the ends has regular (almost constant) traffic, the VPN stays 
connected.  In testing, I've had one non-pfSense system pinging the pfSense at 
the other end and the VPN stays connected.

If VPN traffic pauses for a short time (ten minutes?), the connection is 
dropped.  While that is not what's expected, given the config, it wouldn't be 
bad _if_ the connection was quickly re-established with traffic, but it's not.

I'm providing this information because of the discussions about issues with 
multiple P2s and the idea that they're solved by using v2 P1 at both ends.  
It's quite possible that:
- there are issues with multiple P2s even with v2 P1
- the DPD stuff isn't working
- the P2 "automatically ping host" stuff isn't working ... but pinging a host 
via a non-pfSense system does keep the connection alive

I'm willing to run some tests if someone wants to tell me what they want done.  
For about a week, the new v2.2.1 site-to-site VPN won't really be used, I can 
do almost anything that doesn't cause the other side to go dead (or I'd need to 
make a trip to the other site and that may not happen very quickly).


/me also raises hand

Since the 2.2 upgrade and now the 2.2.1 I am seeing the same symptoms with a 
few of our endpoints. None of which are currently 2.2 nor 2.2.1, some of which 
are m0n0walls. :)


Bill



--
Bill Arlofski
Reverse Polarity, LLC
http://www.revpol.com/
-- Not responsible for anything below this line --
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] 2.2.1 Site-to-Site IPsec VPN Connection Instability

[Chris Buechler]

There's nothing to go on to offer any worthwhile suggestions. IPsec
logs best place to start.

On Mon, Mar 23, 2015 at 6:02 PM, Bryan D.  wrote:
> FWIW, since my original report, I've noticed some other things:
>
> - since it's not yet "deployed," the v2.2.1 (at both ends) site-to-site IPsec 
> VPN has only 1 laptop and 1 wireless access point on the LAN and virtually 
> nothing else happening on the WAN (it's tied to a cable modem)
>
> - the condition, when I did the original report, was that the laptop was 
> sleeping -- it's a Mac with network wake-up configured and, in that mode, 
> they constantly bring the port up 'n down (hundreds of times per day, each, 
> according to switches at this office)
>
> - I needed to make some changes to that laptop so I had someone bring it over 
> here ... and that significantly changed the VPN "up-ness" behavior:
>
>   + now the VPN is _much_ more likely to be up when I attempt to use it 
> (i.e., with no LAN-to-LAN non-pfSense traffic, assuming there is some 
> generated by the VPN mechanisms, themselves), but ... wait for it ...
>
>   + if I ping the pfSense at the other end and the VPN connection _is_ alive, 
> it'll stay alive as long as I continue the once-a-second pinging (from a 
> non-pfSense system on the LAN) ...
>
>   + however, if I kill the ping, wait 2 or 3 minutes then ping it again, 
> it'll be down ... i.e., the pinging activity seems to stimulate a connection 
> failure once the pinging stops (this seems to be a consistent behavior) ...
>
>   + or maybe what I'm seeing is "the norm" -- i.e., that, as soon as there's 
> a lull in Lan-to-Lan traffic for a short time, the connection drops (even 
> though the config includes DPD and ping'd host at each end)
>
> e.g.:
> [surprise, it's up]
> __
> /Users/admin  (2015-03-23 @ 15:26:05)
> root # ping 172.16.22.1
> PING 172.16.22.1 (172.16.22.1): 56 data bytes
> 64 bytes from 172.16.22.1: icmp_seq=0 ttl=63 time=26.280 ms
> 64 bytes from 172.16.22.1: icmp_seq=1 ttl=63 time=17.740 ms
> 64 bytes from 172.16.22.1: icmp_seq=2 ttl=63 time=18.134 ms
> ^C
> --- 172.16.22.1 ping statistics ---
> 3 packets transmitted, 3 packets received, 0.0% packet loss
> round-trip min/avg/max/stddev = 17.740/20.718/26.280/3.936 ms
>
>
> [now wait about 2.5 minutes ... and it's down]
> __
> /Users/admin  (2015-03-23 @ 15:26:12)
> root # ping 172.16.22.1
> PING 172.16.22.1 (172.16.22.1): 56 data bytes
> Request timeout for icmp_seq 0
> Request timeout for icmp_seq 1
> ... 
> Request timeout for icmp_seq 95
> Request timeout for icmp_seq 96
> Request timeout for icmp_seq 97
> 64 bytes from 172.16.22.1: icmp_seq=98 ttl=63 time=15.365 ms
> 64 bytes from 172.16.22.1: icmp_seq=99 ttl=63 time=14.927 ms
> 64 bytes from 172.16.22.1: icmp_seq=100 ttl=63 time=13.905 ms
> 64 bytes from 172.16.22.1: icmp_seq=101 ttl=63 time=15.105 ms
> 64 bytes from 172.16.22.1: icmp_seq=102 ttl=63 time=17.298 ms
> 64 bytes from 172.16.22.1: icmp_seq=103 ttl=63 time=18.674 ms
> 64 bytes from 172.16.22.1: icmp_seq=104 ttl=63 time=16.015 ms
> 64 bytes from 172.16.22.1: icmp_seq=105 ttl=63 time=15.246 ms
> 64 bytes from 172.16.22.1: icmp_seq=106 ttl=63 time=15.009 ms
> 64 bytes from 172.16.22.1: icmp_seq=107 ttl=63 time=15.953 ms
> 64 bytes from 172.16.22.1: icmp_seq=108 ttl=63 time=17.085 ms
> 64 bytes from 172.16.22.1: icmp_seq=109 ttl=63 time=21.631 ms
> 64 bytes from 172.16.22.1: icmp_seq=110 ttl=63 time=16.873 ms
> 64 bytes from 172.16.22.1: icmp_seq=111 ttl=63 time=16.639 ms
> 64 bytes from 172.16.22.1: icmp_seq=112 ttl=63 time=15.385 ms
> ^C
> --- 172.16.22.1 ping statistics ---
> 113 packets transmitted, 15 packets received, 86.7% packet loss
> round-trip min/avg/max/stddev = 13.905/16.341/21.631/1.823 ms
>
> __
> /Users/admin  (2015-03-23 @ 15:30:21)
> root #
>
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] 2.2.1 Site-to-Site IPsec VPN Connection Instability

[Bryan D.]

FWIW, since my original report, I've noticed some other things:

- since it's not yet "deployed," the v2.2.1 (at both ends) site-to-site IPsec 
VPN has only 1 laptop and 1 wireless access point on the LAN and virtually 
nothing else happening on the WAN (it's tied to a cable modem)

- the condition, when I did the original report, was that the laptop was 
sleeping -- it's a Mac with network wake-up configured and, in that mode, they 
constantly bring the port up 'n down (hundreds of times per day, each, 
according to switches at this office)

- I needed to make some changes to that laptop so I had someone bring it over 
here ... and that significantly changed the VPN "up-ness" behavior:

  + now the VPN is _much_ more likely to be up when I attempt to use it (i.e., 
with no LAN-to-LAN non-pfSense traffic, assuming there is some generated by the 
VPN mechanisms, themselves), but ... wait for it ...

  + if I ping the pfSense at the other end and the VPN connection _is_ alive, 
it'll stay alive as long as I continue the once-a-second pinging (from a 
non-pfSense system on the LAN) ...

  + however, if I kill the ping, wait 2 or 3 minutes then ping it again, it'll 
be down ... i.e., the pinging activity seems to stimulate a connection failure 
once the pinging stops (this seems to be a consistent behavior) ...

  + or maybe what I'm seeing is "the norm" -- i.e., that, as soon as there's a 
lull in Lan-to-Lan traffic for a short time, the connection drops (even though 
the config includes DPD and ping'd host at each end)

e.g.:
[surprise, it's up]
__
/Users/admin  (2015-03-23 @ 15:26:05)
root # ping 172.16.22.1
PING 172.16.22.1 (172.16.22.1): 56 data bytes
64 bytes from 172.16.22.1: icmp_seq=0 ttl=63 time=26.280 ms
64 bytes from 172.16.22.1: icmp_seq=1 ttl=63 time=17.740 ms
64 bytes from 172.16.22.1: icmp_seq=2 ttl=63 time=18.134 ms
^C
--- 172.16.22.1 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 17.740/20.718/26.280/3.936 ms


[now wait about 2.5 minutes ... and it's down]
__
/Users/admin  (2015-03-23 @ 15:26:12)
root # ping 172.16.22.1
PING 172.16.22.1 (172.16.22.1): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
... 
Request timeout for icmp_seq 95
Request timeout for icmp_seq 96
Request timeout for icmp_seq 97
64 bytes from 172.16.22.1: icmp_seq=98 ttl=63 time=15.365 ms
64 bytes from 172.16.22.1: icmp_seq=99 ttl=63 time=14.927 ms
64 bytes from 172.16.22.1: icmp_seq=100 ttl=63 time=13.905 ms
64 bytes from 172.16.22.1: icmp_seq=101 ttl=63 time=15.105 ms
64 bytes from 172.16.22.1: icmp_seq=102 ttl=63 time=17.298 ms
64 bytes from 172.16.22.1: icmp_seq=103 ttl=63 time=18.674 ms
64 bytes from 172.16.22.1: icmp_seq=104 ttl=63 time=16.015 ms
64 bytes from 172.16.22.1: icmp_seq=105 ttl=63 time=15.246 ms
64 bytes from 172.16.22.1: icmp_seq=106 ttl=63 time=15.009 ms
64 bytes from 172.16.22.1: icmp_seq=107 ttl=63 time=15.953 ms
64 bytes from 172.16.22.1: icmp_seq=108 ttl=63 time=17.085 ms
64 bytes from 172.16.22.1: icmp_seq=109 ttl=63 time=21.631 ms
64 bytes from 172.16.22.1: icmp_seq=110 ttl=63 time=16.873 ms
64 bytes from 172.16.22.1: icmp_seq=111 ttl=63 time=16.639 ms
64 bytes from 172.16.22.1: icmp_seq=112 ttl=63 time=15.385 ms
^C
--- 172.16.22.1 ping statistics ---
113 packets transmitted, 15 packets received, 86.7% packet loss
round-trip min/avg/max/stddev = 13.905/16.341/21.631/1.823 ms

__
/Users/admin  (2015-03-23 @ 15:30:21)
root # 

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] 2.2.1 Site-to-Site IPsec VPN Connection Instability

[compdoc]

My ipsec connection goes down at least once a day now, maybe more. It’s a 2.2.1 
to remote 2.1.5 connection. 

 

After I open Status: IPsec and turn the connection off/on, all is well. Only 
have to do that with the 2.2.1 server - doesn't seem to affect the 2.1.5 side. 

 

 

 

From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Justin Edmands
Sent: Monday, March 23, 2015 3:00 PM
To: pfSense Support and Discussion Mailing List
Subject: Re: [pfSense] 2.2.1 Site-to-Site IPsec VPN Connection Instability

 

I am having issues as well. 2.0.0 <--> 2.0.3 works fine. Upgraded to 2.2.1 and 
the connection always fails within 24 hours.

Please let me know how the 2.2.1 x 5 setup works. 

 

 

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] 2.2.1 Site-to-Site IPsec VPN Connection Instability

[Justin Edmands]

I am having issues as well. 2.0.0 <--> 2.0.3 works fine. Upgraded to 2.2.1
and the connection always fails within 24 hours.

Please let me know how the 2.2.1 x 5 setup works.

On Mon, Mar 23, 2015 at 1:40 PM, Jeremy Bennett  wrote:

> Yes. I have 5 sites (of various 2.0+ pfsense) connected via IPSec.
> Historically, this setup was the definition of stable. Since adding a 2.2
> box it has been flaky as all get out.
>
> I'm in the process of upgrading each location to 2.2.1. Hoping that will
> be the easy fix, if not, will have to start chasing it.
>
>
> On Monday, March 23, 2015, mayak  wrote:
>
>>
>> On 03/23/2015 03:03 PM, mayak wrote:
>>
>>> On 03/22/2015 12:38 AM, Bryan D. wrote:
>>>
 We've had a pfSense-to-pfSense "always on" IPsec VPN connecting 2
 offices since 2008 (pfSense 1.2 IIRC) and it's:
 - been ultra reliable (if VPN is down, suspect ISP issue or pfSense box
 failure)
 - it's been quick to connect (about 1 second, almost unnoticeable)
 - it's worked across numerous upgrades without issue (nice!)

 Beginning with pfSense v2, we added multiple P2s at each end (still
 same reliability, etc.).

 One of the offices has had its hardware updated and its pfSense updated
 to 2.2 then 2.2.1 (after testing to see whether we seemed to be affected by
 the "multiple P2 issue" noted in the upgrade page -- we're OK on that
 one).  This connection has continued to work with the same characteristics
 as before.  The 2.2.1 system is 64-bit and the other end is v2.1.5 32-bit

 We recently added a second site-to-site IPsec VPN, essentially the same
 as the existing one except both sides are pfSense v2.2.1 (but other end is
 32-bit) and stronger algorithms are being used and P1 is set to v2
 (supposedly avoiding any "multiple P2" issues).

>>> 
>>>
>>> i have to say that i am also experiencing this. i'm in the process of
>>> installing smokeping to prove connectivity is good between the public ip
>>> endpoints between various vpns.
>>>
>>> will report back with those results.
>>>
>>> thanks
>>>
>>> m
>>> __
>>>
>> it is happening -- three times since last post ... anyone else noticing
>> vpn outages?
>>
>> thanks
>>
>> m
>>
>> ___
>> pfSense mailing list
>> https://lists.pfsense.org/mailman/listinfo/list
>> Support the project with Gold! https://pfsense.org/gold
>>
>
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
>
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] CARP failover works but it only fails back the LAN

[Steve Yates]

ED Fochler wrote on Mon, Mar 23 2015 at 2:58 pm:

> Is your skew set to 0 on your primary router’s CARP interfaces?

I tried it set to Base=1, Skew=0 (original setup), and Base=1, Skew=1.  
Same behavior.  (the CARP setting sync actually adjusts the backup's skew from 
100 to 101).

--

Steve Yates
ITS, Inc.


___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] CARP failover works but it only fails back the LAN

[ED Fochler]

Is your skew set to 0 on your primary router’s CARP interfaces?

ED.

> On 2015, Mar 23, at 3:50 PM, Steve Yates  wrote:
> 
> Just ran into an odd scenario in my testbed...if pfSense (router1) is in a VM 
> (Parallels Cloud/Virtuozzo), and I run "service network restart" on the host 
> for that VM, pfSense fails over the WAN interface but does not fail over the 
> LAN interface.  At that point external communication is lost because one 
> router is handling LAN and one WAN.  It does not seem to recover afterwards 
> until the host is restarted (we're also using VLANs on the host level for the 
> pfSense VM to use for its interfaces, so that may be a factor in having the 
> host restart).
> 
> Per http://www.freebsd.org/cgi/man.cgi?query=carp&sektion=4, if 
> net.inet.carp.preempt=1 then the CARP interfaces should fail over together.  
> Running "sysctl net.inet.carp" on pfSense shows net.inet.carp.preempt=1.  If 
> I reload the CARP status page on router2 quickly, I can see that the WAN and 
> LAN interfaces correctly fail over so router2 is Master, however it almost 
> immediately reverts so router2 is Master for WAN but router2 is Backup for 
> LAN, and router1 is Master for LAN.
> 
> How can I ensure they "fail back" together?
> 
> Note that when I simply boot the host for router1, pfSense does fail over and 
> back correctly!  So something is making it not fail back on the network 
> restart?
> 
> For what it's worth we have a IPv4 and IPv6 CARP IPs for WAN, and an IPv4, an 
> IPv4 alias, and IPv6 CARP IP for LAN.
> 
> I found an OpenBSD (which I know is different OS, but...) FAQ page on CARP 
> that says "By default all carp(4) interfaces are added to the carp group."  
> However if I run "ifconfig -v" on pfSense no groups are listed for em0 and 
> em1, only lo0, enc0, and ovpns1.  I created a pfSense interface group 
> "carpgroup" for LAN and WAN, but had the same symptoms.
> 
> Thanks,
> --
> 
> Steve Yates
> ITS, Inc.
> 
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

[pfSense] CARP failover works but it only fails back the LAN

[Steve Yates]

Just ran into an odd scenario in my testbed...if pfSense (router1) is in a VM 
(Parallels Cloud/Virtuozzo), and I run "service network restart" on the host 
for that VM, pfSense fails over the WAN interface but does not fail over the 
LAN interface.  At that point external communication is lost because one router 
is handling LAN and one WAN.  It does not seem to recover afterwards until the 
host is restarted (we're also using VLANs on the host level for the pfSense VM 
to use for its interfaces, so that may be a factor in having the host restart).

Per http://www.freebsd.org/cgi/man.cgi?query=carp&sektion=4, if 
net.inet.carp.preempt=1 then the CARP interfaces should fail over together.  
Running "sysctl net.inet.carp" on pfSense shows net.inet.carp.preempt=1.  If I 
reload the CARP status page on router2 quickly, I can see that the WAN and LAN 
interfaces correctly fail over so router2 is Master, however it almost 
immediately reverts so router2 is Master for WAN but router2 is Backup for LAN, 
and router1 is Master for LAN.

How can I ensure they "fail back" together?

Note that when I simply boot the host for router1, pfSense does fail over and 
back correctly!  So something is making it not fail back on the network restart?

For what it's worth we have a IPv4 and IPv6 CARP IPs for WAN, and an IPv4, an 
IPv4 alias, and IPv6 CARP IP for LAN.

I found an OpenBSD (which I know is different OS, but...) FAQ page on CARP that 
says "By default all carp(4) interfaces are added to the carp group."  However 
if I run "ifconfig -v" on pfSense no groups are listed for em0 and em1, only 
lo0, enc0, and ovpns1.  I created a pfSense interface group "carpgroup" for LAN 
and WAN, but had the same symptoms.

Thanks,
--

Steve Yates
ITS, Inc.

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] 2.2.1 Site-to-Site IPsec VPN Connection Instability

[Jeremy Bennett]

Yes. I have 5 sites (of various 2.0+ pfsense) connected via IPSec.
Historically, this setup was the definition of stable. Since adding a 2.2
box it has been flaky as all get out.

I'm in the process of upgrading each location to 2.2.1. Hoping that will be
the easy fix, if not, will have to start chasing it.

On Monday, March 23, 2015, mayak  wrote:

>
> On 03/23/2015 03:03 PM, mayak wrote:
>
>> On 03/22/2015 12:38 AM, Bryan D. wrote:
>>
>>> We've had a pfSense-to-pfSense "always on" IPsec VPN connecting 2
>>> offices since 2008 (pfSense 1.2 IIRC) and it's:
>>> - been ultra reliable (if VPN is down, suspect ISP issue or pfSense box
>>> failure)
>>> - it's been quick to connect (about 1 second, almost unnoticeable)
>>> - it's worked across numerous upgrades without issue (nice!)
>>>
>>> Beginning with pfSense v2, we added multiple P2s at each end (still same
>>> reliability, etc.).
>>>
>>> One of the offices has had its hardware updated and its pfSense updated
>>> to 2.2 then 2.2.1 (after testing to see whether we seemed to be affected by
>>> the "multiple P2 issue" noted in the upgrade page -- we're OK on that
>>> one).  This connection has continued to work with the same characteristics
>>> as before.  The 2.2.1 system is 64-bit and the other end is v2.1.5 32-bit
>>>
>>> We recently added a second site-to-site IPsec VPN, essentially the same
>>> as the existing one except both sides are pfSense v2.2.1 (but other end is
>>> 32-bit) and stronger algorithms are being used and P1 is set to v2
>>> (supposedly avoiding any "multiple P2" issues).
>>>
>> 
>>
>> i have to say that i am also experiencing this. i'm in the process of
>> installing smokeping to prove connectivity is good between the public ip
>> endpoints between various vpns.
>>
>> will report back with those results.
>>
>> thanks
>>
>> m
>> __
>>
> it is happening -- three times since last post ... anyone else noticing
> vpn outages?
>
> thanks
>
> m
>
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
>
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] 2.2.1 Site-to-Site IPsec VPN Connection Instability

[mayak]

On 03/23/2015 03:03 PM, mayak wrote:

On 03/22/2015 12:38 AM, Bryan D. wrote:

We've had a pfSense-to-pfSense "always on" IPsec VPN connecting 2 offices since 
2008 (pfSense 1.2 IIRC) and it's:
- been ultra reliable (if VPN is down, suspect ISP issue or pfSense box failure)
- it's been quick to connect (about 1 second, almost unnoticeable)
- it's worked across numerous upgrades without issue (nice!)

Beginning with pfSense v2, we added multiple P2s at each end (still same 
reliability, etc.).

One of the offices has had its hardware updated and its pfSense updated to 2.2 then 2.2.1 
(after testing to see whether we seemed to be affected by the "multiple P2 
issue" noted in the upgrade page -- we're OK on that one).  This connection has 
continued to work with the same characteristics as before.  The 2.2.1 system is 64-bit 
and the other end is v2.1.5 32-bit

We recently added a second site-to-site IPsec VPN, essentially the same as the existing 
one except both sides are pfSense v2.2.1 (but other end is 32-bit) and stronger 
algorithms are being used and P1 is set to v2 (supposedly avoiding any "multiple 
P2" issues).



i have to say that i am also experiencing this. i'm in the process of 
installing smokeping to prove connectivity is good between the public ip 
endpoints between various vpns.

will report back with those results.

thanks

m
__

it is happening -- three times since last post ... anyone else noticing vpn 
outages?

thanks

m

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] newbie question

[Steve Yates]

Pol Hallen wrote on Mon, Mar 23 2015 at 5:09 am:

> adsl <-- server1 <-- WAN pfsense (2 NICs) LAN <-- internal lan
> 
> (I known that pfsense should be after adsl modem)
> 
> does ipsense runs correctly with this configuration?
> 
> WAN to server1
> LAN1 to internal lan
> 
> or I must add a third NIC and connect LAN1 to server1 and LAN2 to
> internal lan?

Is pfSense running on server1?  Or is server1 supposed to be in a DMZ?  
If pfSense is separate from server1, then yes you will need another NIC.  
Otherwise all Internet traffic will go to server1 and not get to pfSense.

Or, if server1 connects to the Internet directly, and pfSense connects 
to the Internet separately (so they are in parallel), and you have two WAN IP 
addresses, that will work.

--

Steve Yates
ITS, Inc.


___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] 2.2.1 Site-to-Site IPsec VPN Connection Instability

[mayak]

On 03/22/2015 12:38 AM, Bryan D. wrote:

We've had a pfSense-to-pfSense "always on" IPsec VPN connecting 2 offices since 
2008 (pfSense 1.2 IIRC) and it's:
- been ultra reliable (if VPN is down, suspect ISP issue or pfSense box failure)
- it's been quick to connect (about 1 second, almost unnoticeable)
- it's worked across numerous upgrades without issue (nice!)

Beginning with pfSense v2, we added multiple P2s at each end (still same 
reliability, etc.).

One of the offices has had its hardware updated and its pfSense updated to 2.2 then 2.2.1 
(after testing to see whether we seemed to be affected by the "multiple P2 
issue" noted in the upgrade page -- we're OK on that one).  This connection has 
continued to work with the same characteristics as before.  The 2.2.1 system is 64-bit 
and the other end is v2.1.5 32-bit

We recently added a second site-to-site IPsec VPN, essentially the same as the existing 
one except both sides are pfSense v2.2.1 (but other end is 32-bit) and stronger 
algorithms are being used and P1 is set to v2 (supposedly avoiding any "multiple 
P2" issues).



i have to say that i am also experiencing this. i'm in the process of 
installing smokeping to prove connectivity is good between the public ip 
endpoints between various vpns.

will report back with those results.

thanks

m
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] pfsense and anchors

[Alessandro Baggi]

On 03/23/2015 01:22 PM, Jim Pingle wrote:

On 03/23/2015 07:33 AM, Alessandro Baggi wrote:

Hi list,
I need to create an anchors for a proxy. Seems to be not possible
accomplish this with web interfaces. How I can insert anchor
(rdr-anchor) in main ruleset without kill pfsense?

Can someone point me in the right direction?


Look at the code for the recent FTP proxy package [1]. It does exactly
that, and the code is fairly small/simple.

Jim

1:
https://github.com/pfsense/pfsense-packages/blob/master/config/ftpproxy/ftpproxy.inc#L96
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Hi Jim,
thanks for you reply. I'm new to pfsense and I did not understand where 
apply modification.



___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] pfsense and anchors

[Jim Pingle]

On 03/23/2015 07:33 AM, Alessandro Baggi wrote:
> Hi list,
> I need to create an anchors for a proxy. Seems to be not possible
> accomplish this with web interfaces. How I can insert anchor
> (rdr-anchor) in main ruleset without kill pfsense?
> 
> Can someone point me in the right direction?

Look at the code for the recent FTP proxy package [1]. It does exactly
that, and the code is fairly small/simple.

Jim

1:
https://github.com/pfsense/pfsense-packages/blob/master/config/ftpproxy/ftpproxy.inc#L96
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

[pfSense] pfsense and anchors

[Alessandro Baggi]

Hi list,
I need to create an anchors for a proxy. Seems to be not possible 
accomplish this with web interfaces. How I can insert anchor 
(rdr-anchor) in main ruleset without kill pfsense?


Can someone point me in the right direction?

Thanks in advance.

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] newbie question

[Koko Wijatmoko]

On Mon, 23 Mar 2015 11:09:21 +0100
"Pol Hallen"  wrote:

> does ipsense runs correctly with this configuration?
> 
yes, WAN pfSense can be static or dynamic.
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

[pfSense] newbie question

[Pol Hallen]

Hi all :-)

my lan (for purpose testing):

adsl <-- server1 <-- WAN pfsense (2 NICs) LAN <-- internal lan

(I known that pfsense should be after adsl modem)

does ipsense runs correctly with this configuration?

WAN to server1
LAN1 to internal lan

or I must add a third NIC and connect LAN1 to server1 and LAN2 to internal
lan?

thanks for help!

Pol

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold