Re: [pfSense] 2.3_1 ?
On 2016-05-07 03:49, Jeppe Øland wrote:

The only thing not done for me as far as I can tell is to change the version number to 2.3_1 ... but maybe that will change if I reboot the firewall.

Also as per the release notes: Note for this update, your version number will remain the same afterwards, still showing as 2.3-RELEASE.

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] HA and OpenVPN
On 2016-04-26 05:36, Olivier Mascia wrote:

Hello,

I now have a HA cluster of 2 pfSense boxes pretty much well setup, everything working as expected, except one thing. Connecting to a remote access OpenVPN server on the WAN CARP IP fails here:

    Apr 25 19:29:36: Vérification du statut d'accessibilité de la connexion ...
    Apr 25 19:29:36: La connexion est accessible. Tentative de démarrage de la connexion.
    Apr 25 19:29:38: OpenVPN 2.3.10 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [PKCS11] [MH] [IPv6] built on Mar 2 2016
    Apr 25 19:29:38: library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.09
    Apr 25 19:30:00: Control Channel Authentication: using '/var/folders/zz/zyxvpxvq6csfxvn_n0/T/connection.5wkLkh/ta.key' as a OpenVPN static key file
    Apr 25 19:30:00: UDPv4 link local (bound): [undef]
    Apr 25 19:30:00: UDPv4 link remote: [AF_INET]w.x.y.z:1194

... and after a timeout:

    Apr 25 19:31:00: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Apr 25 19:31:00: TLS Error: TLS handshake failed
    Apr 25 19:31:00: SIGUSR1[soft,tls-error] received, process restarting
    Apr 25 19:31:01: UDPv4 link local (bound): [undef]
    Apr 25 19:31:01: UDPv4 link remote: [AF_INET]w.x.y.z:1194
    ...

When connecting to either box non CARP WAN address, ie w.x.y.z+1 or z+2 in this example, it works.

Even accepting UDP OpenVPN on destination Any does not fix it. So this does not look like a filter rule issue.

Is there something particular to take into account regarding UDP traffic toward the WAN CARP IP or something specific regarding OpenVPN?

I can live with having to establish VPN to the primary box and change it should it fail (this is for maintenance only of the resources behind the firewall), but I find it strange it does not work on the CARP IP. What obvious thing did I miss?

Did you change the OpenVPN configured Interface to be the VIP rather than the WAN?
Re: [pfSense] LAN to DMZ only working with NAT
On 2015-12-06 09:38, Jarno Elonen wrote:

Hi,

I'm trying to build a firewall, which NATs LAN-->WAN, and DMZ-->WAN, but routes LAN-->DMZ.

The problem is, LAN-->DMZ currently only works if I add a NAT between them. I've tried:

1) Adding "pass all to all" firewall rule to every interface
2) Adding an explicit "pass LAN to DMZ" firewall rule
2) Adding an outbound NAT rule with "Do not NAT" checked
3) Adding a gateway and a static route (no go; pfSense refuses "Destination network" that matches one bound to an interface)

Is there perhaps some "enable routing between interfaces" checkbox or something I've missed..? Every relevant post I've found on this seem to claim that 1) and 2) should work.

The system is a Watchguard XTM 530 with pfSense 2.2.5-RELEASE (amd64) built on Wed Nov 04 15:49:37 CST 2015 FreeBSD 10.1-RELEASE-p24

Network for LAN is 192.168.0.0/16 and DMZ 10.0.0.0/24.

-Jarno

Jarno

Do the devices on both the LAN and DMZ have a route to reach the other network? In this case that probably means a default route pointing at the respective pfSense interface.

Regards
Mike
Re: [pfSense] Internal Clock Broke
On 2015-08-24 11:33, Volker Kuhlmann wrote:

On Fri 26 Jun 2015 14:54:38 NZST +1200, Brian Caouette wrote:

Anyone else notice the clock is broke on 2.2.3? Anything time related is seriously off.

Agreed. It's broken in 2.2.4 too. At least the upgrade to 2.2.4 did not change the time zone (Pacific/Auckland) for me. I can no longer tell for the upgrade to 2.2.3.

Time synchronisation does not happen. I configured 2 time servers, both reachable, and the system time is wrong.

    pfsense # ntpdate -qu 0.pfsense.pool.ntp.org time.paradise.net.nz
    server 130.217.226.50, stratum 1, offset -11.124288, delay 0.05031
    server 103.239.8.22, stratum 1, offset -11.124315, delay 0.03931
    server 203.96.152.12, stratum 3, offset -11.120111, delay 0.04111
    24 Aug 12:13:24 ntpdate[95005]: step time server 103.239.8.22 offset -11.124315 sec

11 seconds difference does not happen if NTP is working. uptime 23 days. Hardware is PCEngines APU1.

Volker

No issues here (also Pacific/Auckland) with any 2.2 release.

I have about a dozen 2.2.x systems (plus some older ones that I really must get upgraded) that are a mixture of physical and virtual, none of which have any time problems that I am aware of. I have just logged into all of them and checked to make sure. The physical ones are mostly current model pfSense store hardware. All the virtuals are KVM.

This is off a 2.2.4 that is a KVM guest and the one with the largest offset.

    # ntpdate -qu 0.pfsense.pool.ntp.org time.paradise.net.nz
    server 103.242.68.68, stratum 2, offset -0.003817, delay 0.05771
    server 103.242.68.69, stratum 2, offset -0.003988, delay 0.05685
    server 203.96.152.12, stratum 0, offset 0.00, delay 0.0
    24 Aug 11:53:45 ntpdate[9217]: adjust time server 103.242.68.69 offset -0.003988 sec

Regards
Mike
Re: [pfSense] Internal Clock Broke
On 2015-08-24 13:32, Volker Kuhlmann wrote:

On Mon 24 Aug 2015 12:16:28 NZST +1200, Brady, Mike wrote:

No issues here (also Pacific/Auckland) with any 2.2 release.

Well, mine is a stock 2.2.x install, about 12 months old, upgraded a few times to minor point releases. I hacked the php of squid, squidguard and ssh (out of necessity, no BUI support), which doesn't affect ntp.

There is nothing unusual in the log, except maybe this warning:

    Aug 24 ...: restrict: 'monitor' cannot be disabled while 'limited' is enabled

After enabling ntpq queries under advanced, ntpd does not sync within a minute:

    # ntpq -c peer -n
         remote           refid      st t when poll reach   delay   offset  jitter
    ==
     103.242.70.5    .INIT.          16 u    -   64    0    0.000    0.000   0.000
     203.96.152.12   .INIT.          16 u    -   64    0    0.000    0.000   0.000

On Linux, restarting (stop, start) ntpd gives the stratum info immediately, and syncs to these servers in under 5 minutes. pfsense has done nothing after 15 minutes.

There is a problem here. What could it be?

Thanks,
Volker

Volker

I think that the INIT states indicate that you are not in fact synced.

What does ntpq -n -c peers show?

I would also suggest that you have at least 3 servers configured to sync against.

Regards
Mike
Re: [pfSense] Internal Clock Broke
On 2015-08-24 15:25, Volker Kuhlmann wrote:

OK found it. Under access restrictions, the option

    Disable all except ntpq and ntpdc queries (default: disabled).

must NOT be ticked! The default is ticked. This seems to prevent ntpd altogether from talking to the time servers. That looks like a bug. Could you compare your config, please?

It is not ticked on any (three) of the machines that I have just looked at. This is not something that I would have ever changed. Two of the machines are upgrades from releases prior to 2.2 but the third was a clean 2.2 install.

What does ntpq -n -c peers show?

Same. You can shorten peers all the way to pe.

Sorry, I meant ntpq -n -c ass. The condition column will tell you if they are talking or not.
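Added example, not part of the thread: a POSIX sh/awk check that reads the peers billboard (`ntpq -n -c peers`) and reports which peers have never answered, which is what the `.INIT.` refid, stratum 16 and reach 0 in the output quoted above indicate. The function name, the output wording and the embedded sample (constructed, modelled on that quoted output) are assumptions of this example.

```shell
#!/bin/sh
# Usage on a live system: ntpq -n -c peers | check_ntp_peers
# Exit status 0 if ntpd has selected a system peer ('*' tally), 1 otherwise.
check_ntp_peers() {
    awk '
    # Skip the column header, the ===== separator and short/garbled lines.
    $1 == "remote" || /^=+$/ || NF < 10 { next }
    {
        # The first character of each peer line is the tally code;
        # a blank means the peer was not selected.
        tally = substr($0, 1, 1)
        remote = $1
        if (tally ~ /[*+#ox.-]/) remote = substr($1, 2); else tally = " "

        # reach is an octal 8-poll shift register: 0 = no reply in the last
        # eight polls. Stratum 16 and refid .INIT. mean no valid reply yet.
        if ($7 == "0" || $3 == 16 || $2 == ".INIT.") state = "no-reply"
        else if (tally == "*") { state = "system-peer"; synced = 1 }
        else if (tally == "+") state = "candidate"
        else state = "not-selected"

        printf "%s st=%s reach=%s %s\n", remote, $3, $7, state
    }
    END {
        print (synced ? "verdict: synced" : "verdict: NOT synced")
        exit !synced
    }'
}

# Constructed sample: both peers stuck in .INIT., as in the thread.
SAMPLE_UNSYNCED='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 103.242.70.5    .INIT.          16 u    -   64    0    0.000    0.000   0.000
 203.96.152.12   .INIT.          16 u    -   64    0    0.000    0.000   0.000'

printf '%s\n' "$SAMPLE_UNSYNCED" | check_ntp_peers || true
```

A non-zero exit makes the function usable from a monitoring job; a firewall whose clock drifts produces log timestamps that cannot be correlated with other systems.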
Re: [pfSense] problem with bacula-client 7.0.5 binaries on pfsense 2.2
Yes backups run successfully.

Easiest thing to do while testing is to just run a status client command in bconsole. Once that works you should be good to go.

On 2015-02-10 00:46, Dan Langille wrote:

Before I go down that road again: by working, do you mean you've successfully run a backup?

--
Dan Langille
http://langille.org/

On Feb 8, 2015, at 11:07 PM, Brady, Mike mike.br...@devnull.net.nz wrote:

The Webui binaries are working for me when I do what I said in the forum post that I referenced.

On 2015-02-09 15:02, Dan Langille wrote:

On Feb 8, 2015, at 8:45 PM, Brady, Mike mike.br...@devnull.net.nz wrote:

It isn't you or the binaries.

I also think it's the binaries.

The configuration and startup scripts are just broken and have been for a while. Even prior to 2.2.

I agree those are broken. However, I am unable to get the webui packages binaries to work. However, installing via pkg works fine, with the same configuration file.

https://forum.pfsense.org/index.php?topic=85265.0

It was broken long before that. :)

https://forum.pfsense.org/index.php?topic=66385.0
Re: [pfSense] problem with bacula-client 7.0.5 binaries on pfsense 2.2
Thanks for the update Jim.

It does now work, after some messing around. But, the required messing around may well have been required due to the messing around that I had done previously, so your mileage may vary.

What I did:

1) Reinstall the package in the GUI
2) Delete and redo the configuration on the GUI
3) ssh on to the pfsense box and kill the running bacula-fd. This was still there from before the reinstall! Stopping/restarting in the GUI silently did nothing.

For reference the running process should be:

    /usr/local/sbin/bacula-fd -u root -g wheel -v -c /usr/pbi/bacula-amd64/etc/bacula/bacula-fd.conf

mine was still:

    /usr/local/sbin/bacula-fd -u root -g wheel -v -c /usr/local/etc/bacula/bacula-fd.conf

I have now done this on two machines and status client command in bconsole connects for both. I haven't done a backup yet.

On 2015-02-10 08:10, Jim Pingle wrote:

On 02/09/2015 11:30 AM, Dan Langille wrote:

There's been a bug open for 14 days regarding the configuration issues: https://redmine.pfsense.org/issues/4307

I will try the packaged binaries again.

FYI for others (Dan already knows from Twitter):

Bacula should be OK now on 2.2, as of package version 1.0.6.

The main problem was the paths being used for the various configuration file and startup script references. Once those were fixed up things seem to be OK.

There is still some awkwardness in how to set the package GUI up but that's the same as it always was. Have to add two directors, one local for the firewall itself and another for the remote bacula server.

There is still a lingering issue with the rc script not restarting properly but we're looking into that as well. Not as critical as the other issues at least.

If anyone wants to work on making the GUI more intuitive, feel free to collaborate and submit some patches.

Jim
Re: [pfSense] bacula-client 7.0.5 on pfsense 2.2
https://forum.pfsense.org/index.php?topic=85265.msg467805#msg467805

On 2015-02-09 01:53, J. Echter wrote:

Hi,

i'm fiddling with bacula-client on upgraded pfsense 2.2.

i don't see any error in the logs, i don't see any error with bacula-fd -f (run in foreground) -d 10 (debug level 10)

i even don't see it spitting out errors as the config file isn't existent

    [2.2-RELEASE][root@pfsense.workgroup.local]/conf: ls /usr/local/etc/bacula/bacula-fd.conf
    ls: /usr/local/etc/bacula/bacula-fd.conf: No such file or directory
    [2.2-RELEASE][root@pfsense.workgroup.local]/conf: ps aux | grep bacula
    root 59559 0.0 0.2 56420 7364 - Ss 1:50PM 0:00.00 /usr/local/sbin/bacula-fd -u root -g wheel -v -c /usr/local/etc/bacula/bacula-fd.conf
    root 99408 0.0 0.1 18884 2384 0 S+ 1:50PM 0:00.00 grep bacula

netstat doesn't show it listening too:

    Active Internet connections
    Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
    tcp4       0      0 pfsense.https          10.0.1.14.38261        TIME_WAIT
    tcp4       0      0 pfsense.38791          10.0.1.14.40513        ESTABLISHED
    tcp6       0      0 localhost.3493         localhost.56539        ESTABLISHED
    tcp6       0      0 localhost.56539        localhost.3493         ESTABLISHED
    udp4       0      0 192.168.100.1.ntp      *.*
    udp6       0      0 fe80::21b:21ff:f.ntp   *.*
    udp4       0      0 192.168.4.1.ntp        *.*
    udp6       0      0 fe80::21b:21ff:f.ntp   *.*
    udp4       0      0 192.168.1.1.ntp        *.*
    udp6       0      0 fe80::21b:21ff:f.ntp   *.*
    udp4       0      0 192.168.3.1.ntp        *.*
    udp6       0      0 fe80::21b:21ff:f.ntp   *.*
    udp4       0      0 pfsense.ntp            *.*
    udp6       0      0 fe80::21b:21ff:f.ntp   *.*
    udp6       0      0 localhost.ntp          *.*
    udp4       0      0 localhost.ntp          *.*
    udp6       0      0 fe80::d227:88ff:.ntp   *.*
    udp4       0      0 192.168.2.1.ntp        *.*
    udp4       0      0 host-62-245-238-.1194  *.*
    udp4       0      0 localhost.tftp         *.*
    udp4       0      0 localhost.tftp-proxy   *.*
    icm4       0      0 host-62-245-238-.*     *.*

any hints to solve this?

thanks!!
Re: [pfSense] problem with bacula-client 7.0.5 binaries on pfsense 2.2
It isn't you or the binaries. The configuration and startup scripts are just broken and have been for a while. Even prior to 2.2.

https://forum.pfsense.org/index.php?topic=85265.0

On 2015-02-09 11:57, Dan Langille wrote:

Let me add my voice to the post at http://lists.pfsense.org/pipermail/list/2015-February/008038.html

I was running daily backups prior to my upgrade to 2.2.

pfSense creates a mangled configuration file. I filed a bug: https://redmine.pfsense.org/issues/4307

Today, I managed to get bacula-fd running by manually creating /usr/local/etc/bacula and placing a valid bacula-fd.conf file in that directory.

I am unable to get bacula-fd to authenticate. At this point, I'm beginning to suspect the bacula binaries. Installing and running via pkg succeeds with the same configuration file.

Disclosure: I am a committer on the Bacula project and the FreeBSD maintainer for the Bacula ports. I'm not a Bacula novice, but I would like it if someone showed me what I am doing wrong.

— Dan Langille
http://langille.org/
Re: [pfSense] problem with bacula-client 7.0.5 binaries on pfsense 2.2
The Webui binaries are working for me when I do what I said in the forum post that I referenced.

On 2015-02-09 15:02, Dan Langille wrote:

On Feb 8, 2015, at 8:45 PM, Brady, Mike mike.br...@devnull.net.nz wrote:

It isn't you or the binaries.

I also think it's the binaries.

The configuration and startup scripts are just broken and have been for a while. Even prior to 2.2.

I agree those are broken. However, I am unable to get the webui packages binaries to work. However, installing via pkg works fine, with the same configuration file.

https://forum.pfsense.org/index.php?topic=85265.0

It was broken long before that. :)

https://forum.pfsense.org/index.php?topic=66385.0