Re: [pfSense] SIP client fails after a few days

[Dave Warren]

On 11/1/2011 10:46 PM, David Burgess wrote:
Interestingly, I just heard the same thing from a user on my network 
today. I don't know the model of his voip handset, but he uses it 
Monday to Friday, but has to clear states each Monday after the 
weekend or he cannot make outgoing calls. He's using pfsense 
2.0-RELEASE on a net5501.


As a data-point, I have not seen this issue here.

I have a handful of VoIP devices, some that stay connected 24/7 (desk 
phones) and some that connect and disconnect (soft phones), all 
connecting to a single remote SIP server, we've run 2.0-RELEASE since 
the week it came out without difficulties.


--
Dave Warren, CEO
Hire A Hit Consulting Services
http://ca.linkedin.com/in/davejwarren

___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list

[pfSense] Load Balancer: Virtual Servers vs DHCP assigned dynamic IP addresses

[Dave Warren]

Howdy,

I'm running into an issue with 2.0-RELEASE and virtual servers on DHCP 
assigned WAN addresses.


I'm currently running two WANs, both of which have their IPs assigned 
dynamically via DHCP. One changes infrequently (1-2 times/year), the 
other updates several times per month.


Inside pfSense there are two web servers that I'd like to load balance 
using pfSense's load balancer. Everything works fine until one of the 
WAN IPs change, at which point I need to manually update the IPs in the 
Virtual Servers tab.


Is there any way to tell pfSense that these entries should represent 
interface IPs rather than hardcoding specific IPs?


--
Dave Warren, CEO
Hire A Hit Consulting Services
http://ca.linkedin.com/in/davejwarren

___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list

[pfSense] OpenVPN and saved username/password credentials

[Dave Warren]

Does anyone happen to know if pfSense (2.x)'s OpenVPN installation will 
be willing to use saved username/password credentials?


I'm looking into connecting to a remote service that (unfortunately) 
requires a username/password, apparently their system can't be 
configured around this requirement, and I'd like to move the VPN 
connection from the desktop to the firewall level if feasible.


--
Dave Warren, CEO
Hire A Hit Consulting Services
http://ca.linkedin.com/in/davejwarren

___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list

[pfSense] OpenVPN vs MultiWAN

[Dave Warren]

I've currently got a number of inbound and outbound OpenVPN connections 
on my pfSense server.


We recently added a second WAN and I'm not certain how to load balance 
outbound OpenVPN connections.


I have the impression that floating rules might do the trick, but I'm 
not sure if I've understood the logic or not, am I in the right place?


--
Dave Warren, CEO
Hire A Hit Consulting Services
http://ca.linkedin.com/in/davejwarren

___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] Alias based on the PTR record

[Dave Warren]

On 3/14/2012 1:10 PM, Ugo Bellavance wrote:
I know it is less secure and creates load on the firewall and DNS 
servers, but is it possible to create an alias to create rules, that 
would allow one to deny traffic for hosts that has a PTR that contains 
a string?


The short answer is no, at least as far as I know it's virtually 
impossible to do so in a reliable fashion.


In order to do that, pfSense would have to query every single IP in the 
world's PTR record and match them against your string to build a rule 
set. A-record rulesets are possible, but not PTR record matches.


Doing it in real time would be a pain too since PTR records take a 
reasonable amount of time, longer than you'd want to hold every single 
connection attempt.


Maybe someone more creative than me has thought of a way to make this 
happen though.


___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] does pfsense block XML traffic

[Dave Warren]

On 5/24/2012 7:45 PM, Joseph Rotan wrote:
can anyone confirms if pfsense 2.0 blocks XML traffic or correct me 
i'm i'm wrong in regards to the pfsense online doc. notes saying :


  * No XMLRPC Sync - this prevents the entry from syncing to other
CARP members

what does the above really means can anyone please explain.



This option will not block any sort of XML traffic (and there really 
isn't any such thing as XML traffic, XML is typically passed a content 
using other transports)


The above option controls whether or not the rule is synchronized to 
other pfSense members if you're using CARP. If you don't know what CARP 
is and only have one firewall, ignore the setting completely, it does 
absolutely nothing.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren

___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] Low(ish) cost pfSense platforms

[Dave Warren]

On 6/8/2012 12:03 PM, Moshe Katz wrote:
For small locations, I use refurbished Pentium 4 and Pentium D 
machines with a bunch of PCI network cards (often Intel dual-port, 
which can now be found cheap on eBay). It doesn't look (or sound) that 
same as a little embedded system but it's pretty dependable.


While these are decent enough boxes in terms of their processor power 
(enough to run some VPNs and whatnot at decent speeds), the whole P4 and 
P-D line are very power hungry in terms of their CPUs.


So they're not horrible choices (Mine is running on a P4 right now), but 
they're not my first choice. Still, the upfront cost for these beasts is 
cheap, going newer enough to cut power may not be worth it.


I've tried a couple Atom based systems and had nothing but issues, 
primarily ACPI compatibility, so I've given up going that route and just 
stuck with the P4 until something better shows up.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren

___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list

[pfSense] Cannot get data about interface em0_vlan4

[Dave Warren]

A couple weeks ago I reconfigured a couple interfaces (primarily a IP 
and subnet change)


Since then, my dashboard traffic graphs inconsistently show me Cannot 
get data about interface em0_vlan4 for various interfaces, including 
some interfaces that were not changed.


It's not entirely consistent, I'm in a multi-WAN environment, initially 
my main WAN wasn't working, today it is and my second WAN (named DSL) 
isn't working.


Any pointers?

Chrome: 25.0.1364.97 m
pfSense: 2.0.2-RELEASE (i386)

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren

___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] Cannot get data about interface em0_vlan4

[Dave Warren]

On 3/5/2013 04:27, Jim Pingle wrote:

That's a known issue on 2.0.2, fixed on 2.0.3. Check the forum.


Thanks, I appreciate the info.

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren

___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] Microsoft Outlook Blocked

[Dave Warren]

On 2013-03-17 09:13, Gerald Waugh wrote:
I have searched the archives, and googled it, but have not found a 
solution
firewall is working great except MS Outlook is being blocked, all 
other email clients work OK


This might be overly simplistic, but what happens if you create a rule 
to log traffic to the specific destination IP, are you able to confirm 
that Outlook is attempting a connection at all or could this be an issue 
on Outlook's side of things?


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren

___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] Prevailing wisdom on Hyperthreading?

[Dave Warren]

On 2013-04-12 13:18, Nathan C. Smith wrote:

A couple years ago when the topic of CPU hyper threading came up I remember 
folks being advised to disable it.  Is that still the prevailing wisdom and 
current best practice?



On P4 series CPUs, you should absolutely disable it.

On modern CPUs, there are a few types of loads where it might actually 
help, but generally it seems reasonably harmless, but I haven't seen 
much indicating it's beneficial to disable it, so I leave it enabled on 
my servers and workstations.


On pfSense, however, I'd almost be inclined to disable it. pfSense is 
rarely CPU-bound (unless you do a lot of high speed VPN connections or 
proxying), but pfSense is latency sensitive and Hyperthreading might 
actually increase latency very slightly.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren

___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] Conditional Routing question

[Dave Warren]

On 2013-04-29 07:21, Drew Lehman wrote:
I have a business connection from my ISP and run servers.  I also like 
to seed Various Rescue disk and certain Linux distributions on 
Bittorrent.  The problem is, despite having a commercial account, my 
ISP throttles anything with P2P, and takes the rest of my connection 
with it.  So, in order to keep that from happening, I got a VPN 
connection through an third-party.  This works great, but my traffic 
is either VPN or not.
The VPN provider works with OpenVPN and I want to know how to create a 
conditional route that routes all bit-torrent over the OpenVPN, but 
leaves connections such as my gaming and email through my normal WAN 
connection.


The trick here will be figuring out exactly what is and is not 
BitTorrent traffic, but the routing itself is actually fairly 
straightforward.


What you need to do is build a virtual interface for OpenVPN, once 
that's done, you can create a rule immediately above your LAN's Default 
allow rule to allow traffic and assign a specific gateway for specific 
traffic.


I do this on my LAN for port 25, since my ISP blocks port 25 and I need 
direct access to port 25 on remote servers for diagnostic reasons.


Check out an article like 
http://forum.pfsense.org/index.php?topic=29944.0 (in this case, look for 
---Section 2---) which covers setting up an interface and creating 
routing rules -- This article may be a bit out of date, and of course 
it's aimed at setting up a specific VPN, but if you understand the 
concepts rather than following it letter for letter, it should be doable.


As far as narrowing down your BitTorrent traffic, your best bet might be 
to simply run BitTorrent on a specific local IP (or dedicated machine) 
and route all traffic from that machine out via your VPN.


This may still be somewhat problematic as BitTorrent really does need an 
inbound port opened as well, but that's between you and your VPN 
provider. An external seedbox might be a better approach, along with the 
VPN to handle other traffic.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren

___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] Conditional Routing question

[Dave Warren]

On 2013-04-29 15:09, Drew Lehman wrote:
The inbound is not really much of an issue since the VPN provider 
allows it and simply forwards it back through the VPN.  I am assuming 
they use PNP or something similar since it just works when I open a 
VPN to them now.
I guess the question is, can I direct a protocol through a route? 


As far as I know, in the case of BitTorrent, not really. BitTorrent uses 
unpredictable source and destination ports, so all you can do is confine 
it to a single IP on your side, and route all traffic from that IP 
through the VPN.


I don't know of a way to do this using layer7 filtering, at least at 
this time, but someone else might chime in with a suggestion.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren

___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] possible DNS-rebind attack detected

[Dave Warren]

On 2013-05-10 15:36, Josh Bitto wrote:

I'm getting in my system logs the following:

firewall dnsmasq[35138]: possible DNS-rebind attack detected: 
okanagan.bc.ca


Is this something to worry about? I've looked at the forums and most 
people say to disable the rebind option in the system settings. I'm 
kinda concerned if this is a serious log or if it is just a false 
positive. Or if it's just an attempt and I have nothing to worry 
about. Can anyone give me some insight into this?






Is your organization's network affiliated with okanagan.bc.ca in any 
way? I'll assume not, but that might not be entirely correct given the 
geographical proximity.


Assuming not, from the looks of it it's possible that it is designed as 
an attack but it's more likely that okanagan.bc.ca has simply screwed up 
their DNS. Either way, okanagan.bc.ca's internet-facing DNS records are 
not set correctly:


okanagan.bc.ca. 3600IN  A   10.1.33.0
okanagan.bc.ca. 3600IN  A   142.23.95.114
;; Received 75 bytes from 142.23.79.254#53(142.23.79.254) in 99 ms

They shouldn't be leaking a 10/8 address out to the internet, since they 
are, you'll (correctly) get DNS-rebind attack warnings approximately 50% 
of the time when someone visits okanagan.bc.ca from within your internal 
network.


You can likely ignore the warnings entirely, either 1) They're warning 
you about a mis-configuration out on the net, or 2) You were just 
protected against an attack.


Either way, everything worked the way it's supposed to. There's 
absolutely no upside to disabling DNS rebinding attack detection unless 
your networks are supposed to be interconnected and you are supposed to 
be able to access each other's internal IPs.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren

___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list

[pfSense] unbound not starting

[Dave Warren]

I'm running into an odd issue with unbound.

Recently upgraded to pfSense 2.1, ripped out some multi-WAN 
configuration due to the fact that our second WAN has gone away. The 
interface still exists, but is disabled and all routing and gateway 
failover has been removed.


Primary WAN does rely on DHCP.

After a pfSense reboot, unbound does not come up. I'm also unable to 
start the service using the services manager, but if I go to the unbound 
dialog, change nothing and click Save, it starts immediately and 
functions well.


dnsmasq is completely disabled -- We were only using it because it did a 
better job of splitting load across the two WANs, otherwise unbound 
looks like a far better solution.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren

___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list

[pfSense] Traffic Graph: Not reflecting reality?

[Dave Warren]

I'm wondering if it's possible that data in the Traffic Graph is not 
showing up correctly?


We recently relocated and are waiting to get our primary connection 
installed, so in the mean time we're on a 3Mb/0.75Mb DSL line. However, 
pfSense often shows 6Mb/s coming out of the LAN during a download.


Is it possible that the proxy server (transparent proxy enabled) or 
something else is causing data to be displayed incorrectly?


Both the modem itself and download speed tests confirm our 3Mb speed, 
yet pfSense regularly shows a flat line at 6Mb/s in the traffic graph 
when we're under load.



--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren

___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] Traffic Graph: Not reflecting reality?

[Dave Warren]

On 2013-11-06 13:20, David Burgess wrote:
I don't use a proxy server any my internal interface graphs usually 
report double traffic. Only the real time graphs though, as rrd looks 
correct.


Actually I think I eliminated the proxy anyway, the proxy is optional 
here (except the transparent proxy on port 80) and it happens with NNTP 
connections which are not proxied.


RRD graphs look closer to being possible, and the WAN and LAN seem to 
match roughly what I'd expect.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren

___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] Cannot get data about interface em0_vlan4

[Dave Warren]

On 2013-03-05 17:14, Dave Warren wrote:

On 3/5/2013 04:27, Jim Pingle wrote:

That's a known issue on 2.0.2, fixed on 2.0.3. Check the forum.


Thanks, I appreciate the info.



This is an issue again in 2.1... ?

Same scenario as before, I reconfigured an interface, rebooted, now I'm 
getting Cannot get data about interface em0_vlan4 on an unrelated 
interface.


2.1-RELEASE (i386)
built on Wed Sep 11 18:16:50 EDT 2013. Outside of the fact that some 
traffic graphs have been doubled for some moons, traffic graphs were 
working fine until an interface re-configuration earlier today.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren

___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] Traffic Graph: Not reflecting reality?

[Dave Warren]

On 2013-11-07 16:20, Mike McLaughlin wrote:
So I realized that I am capturing the traffic via SNMP so I looked -- 
it shows the same ~200% use on my DMZ vs the WAN it's using. I was a 
bit surprised by this because the pfSense RRD graphs do not appear to 
have the same discrepancy - they show nearly mirror images for the 2 
interfaces.


I don't use SNMP here, but I see the same, RRDs appear to be accurate. 
Oddly it's only some interfaces that double in the traffic graphs, but 
not all.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren

___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list

[pfSense] OpenVPN client bug? An IPv4 protocol was selected, but the selected interface has no IPv4 address error

[Dave Warren]

I have a number of OpenVPN client sessions set up (where my pfSense 
connects to a remote OpenVPN server as a client)


Today I needed to switch one from TCP to UDP and received An IPv4 
protocol was selected, but the selected interface has no IPv4 address. 
The interface was properly configured using DHCPv4, and therefore has no 
IP address.


After banging my head comparing this VPN with other established/working 
VPNs and getting no-where, I started getting through the code to find 
this gem:


pfsense /usr/local/www/vpn_openvpn_client.php

   } elseif ((stristr($pconfig['protocol'], 6) === false)  
!get_interface_ip($iv_iface)  ($pconfig['interface'] != any)) {
$input_errors[] = gettext(An IPv4 protocol was 
selected, but the selected interface has no IPv4 address.);


So basically it is currently impossible to create or modify any OpenVPN 
client pipe that uses DHCP, as the IP (which isn't known until the 
OpenVPN client connects, and is dynamic) must be hard-coded into the 
interface before the connection is created.


Commenting out the offending PHP allowed me to save changes and 
successfully connect to the VPN.


While this code likely makes sense when setting up and OpenVPN server, 
it should not apply when setting up an OpenVPN client.


Am I missing something or is this a bug?

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren

___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] OpenVPN client bug? An IPv4 protocol was selected, but the selected interface has no IPv4 address error

[Dave Warren]

On 2013-12-23 04:31, Chris Buechler wrote:

It shouldn't allow you to pick that, and I'm surprised it worked when
you did in the past (probably we ignored the fact you had it set that
way). It's right to reject it, but for a different reason than it's
telling you. You can't bind the outside of an OpenVPN tunnel to the
inside. You'd be telling it to use the VPN to connect to the VPN. It
has to be on the proper WAN.


Interesting, when I had it set to a WAN in the past it gave me an error 
about the interface already being assigned or something to that extent, 
so I read up and found some directions that suggested setting it to the 
OpenVPN tunnel itself.


I'll experiment once I'm back in the office and see what happens if I 
change it to a WAN.


Thanks.

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren

Light travels faster than sound. This is why some people appear
bright until you hear them speak...

___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list

[pfSense] MultiWAN vs unbound

[Dave Warren]

Can anyone point me in the right direction to set up unbound to work 
across multiple WANs (specifically, to failover to the second WAN if the 
primary WAN becomes unavailable)


We flipped back to the built-in DNS forwarder this evening, it seems to 
be doing the job, but this requires a manual switch (and of course puts 
us back to forwarding, rather than resolving locally, which is less than 
ideal)


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren

1832-Curling is introduced to the U.S., giving Americans
a sport combining the surface of hockey with the thrill
of watching paint dry.


___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] issue Downloading package from Pfsense.com

[Dave Warren]

But can you ping *domains* from the pfSense box, like www.google.com ?

The point isn't to see if you can ping, but if ping can complete a DNS 
lookup and retrieve an IP successfully. This is potentially more useful 
than using DNS specific lookup tools, since ping will rely on the OS DNS 
resolution settings rather than (potentially) using it's own.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren



On 2014-02-13 12:03, Muhammad Yousuf Khan wrote:

Yes i can ping, here is the result from web console Diagnosticsping
Ping output:
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8 http://8.8.8.8: icmp_seq=0 ttl=40 time=293.328 ms
64 bytes from 8.8.8.8 http://8.8.8.8: icmp_seq=1 ttl=40 time=295.391 ms
64 bytes from 8.8.8.8 http://8.8.8.8: icmp_seq=2 ttl=40 time=293.850 ms

--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 293.328/294.190/295.391/0.876 ms



On Fri, Feb 14, 2014 at 12:39 AM, Jonatas Baldin 
jonatas.bal...@gmail.com mailto:jonatas.bal...@gmail.com wrote:


Can you ping domains from the pfSense box, like www.google.com
http://www.google.com ?


2014-02-13 17:19 GMT-02:00 Muhammad Yousuf Khan sir...@gmail.com
mailto:sir...@gmail.com:

Hello all,

I am Newbie, my pfsense is behind the ISP router, having a
private ip of 192.x.x.x
i can ping via ssh and via web console both i can also check
dnslookup from console and ssh they are working fine. however
when i click on available packages. i see this

Unable to communicate with www.pfsense.com
http://www.pfsense.com. Please verify DNS and interface
configuration, and that pfSense has functional Internet
connectivity.


any idea what i am mistaking. i even uncheck block private ip
addressess option from Interfaces and WAN still i can ping
to 8.8.8.8 but can not see anything in available packages tab
except above error.

Thanks,
MYK

___
List mailing list
List@lists.pfsense.org mailto:List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list




-- 


Jonatas Baldin de Oliveira
Consultor de TI


___
List mailing list
List@lists.pfsense.org mailto:List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list




___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list



___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] Netgate's customized pfSense release

[Dave Warren]

On 2014-02-13 09:27, David Burgess wrote:

On Thu, Feb 13, 2014 at 9:54 AM, Andrew Hull l...@coffeebreath.org wrote:


My knee jerk reaction is that this is A Bad Thing(tm), and I reloaded the
devices with images from ESF. Does anyone here have a strong opinion one way
or the other?

My first reaction is that the branding is a good thing. Netgate brings
pfsense to folks who in many cases would not touch free software, but
just want something that works out of the box. I've recommended the
m1n1wall many times. As for the update URL, I'm a little surprised,
but maybe they're just trying to track stats.


I'd be a little disappointed if they didn't use their own auto-update 
URL, since this would mean customers would end up on stock pfSense after 
an update, rather than Netgate's customized version, negating any 
tweaking Netgate may have done to make pfSense work seamlessly on their 
hardware.


This seems like a good thing to me, and arguably the whole point of 
being open source and BSD licensed. Reading the other messages on the 
list, this arrangement definitely seems mutually beneficial for both 
pfSense and Netgate.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren


___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list

[pfSense] unbound using ipv6 in ipv4-only environment

[Dave Warren]

I've noticed that the latest Unbound package attempts to use IPv6 even 
when I only have IPv4 connectivity, resulting in a handful of errors logged.


I'm not sure if these errors cause problems or not, I'd expect them to 
fail instantly, however, I'm not certain whether it's actually a factor, 
the underlying issue I'm trying to troubleshoot is periodic delays in 
DNS resolution. If I don't restore the cache, I do observe definite 
delays the first time a particular gTLD or ccTLD is accessed, which 
coincides with a bunch of IPv6 related errors as unsuccessfully unbound 
attempts to connect.


Is there any harm in flipping unbound's IPv6 support off in the package? 
Is there any reason to leave it on? Is it doing any harm?


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren


___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] pfSense version 2.1.1 has been released

[Dave Warren]

On 2014-04-04 19:29, Chris Buechler wrote:

On Fri, Apr 4, 2014 at 9:13 PM, Peder Rovelstad provels...@comcast.net wrote:

Worked for me on my home FW, but didn't reboot on own (I did receive mail
message that it would reboot in 10 sec).  Power cycle brought it back on the
right slice. Looking good!


Did you inadvertently switch architectures maybe? Going from 32 bit to
64 bit is the most common cause of that, when it finishes it can no
longer execute the reboot binary as it's a 64 bit binary on a 32 bit
running kernel.


Out of curiosity, couldn't this be solved by including both a 32-bit and 
64-bit binary and calling both?




___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] apinger not noticing good connection

[Dave Warren]

On 2014-04-22 06:18, David Burgess wrote:


 Anyone else seeing apinger losing packets while ping doesn't?

For many days now the gateway widget on my 2.1 box has been reporting 
packet loss in the 300-500% range. Meanwhile ping and RRD show no 
packet loss.


This same system was recently showing a baseline of 2% loss in RRD 
while ping showed no loss. I had to stop apinger and delete my RRD 
data to fix that one.




I gave up on expecting apinger to do anything useful, it constantly sees 
loss where there is none* here, and occasionally sees nothing unusual 
when the upstream modem is down completely.


*None meaning less than 1%, per RRD and a normal ping from a workstation.

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren


___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

[pfSense] Change MAC address on one VLAN of the same NIC.

[Dave Warren]

Howdy!

A quick question, is it possible for one NIC to use a different MAC 
address on a different VLANs?


The longer version is that my ISP was kind enough to supply us with 
three modems:


1) 100Mb bridge, with a static IP
2) 100Mb NAT gateway, with a DHCP assigned static IP
3) 15Mb bridge for VoIP, with a DHCP assigned IP

My pfSense box only has one interface, using VLANs to connect to the 
modems through our managed switch.


#1 and #2 work fine, but I can't get #1 and #3 online together, when the 
ISP sees the same MAC address on modem #1 and #3, it routes all traffic 
to one modem or the other, despite the fact that they have different IP 
addresses.


I'm hoping there's a way to override the MAC address on VLAN for modem 
#3, but despite the field being available on VLAN interfaces, it doesn't 
seem to apply.


Just to be clear, if I unplug either #1 or #3, or if I connect #3 to a 
DHCP-assigned bridge on a different ISP, everything works. The IPs on 
all three ranges are in different subnets, so there's no gateway 
conflicts, as far as I can tell it's just the MAC address conflict.


Is there a better approach?

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren


___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] Change MAC address on one VLAN of the same NIC.

[Dave Warren]

On 2014-05-03 00:49, Ermal Luçi wrote:


On Sat, May 3, 2014 at 12:14 AM, Dave Warren da...@hireahit.com 
mailto:da...@hireahit.com wrote:


Howdy!

A quick question, is it possible for one NIC to use a different
MAC address on a different VLANs?


Well FreeBSD supports this if ng_vlan gets used.
ng_vlan is being used only for Q-in-Q in pfSense.
It needs some development to make a vlan based on ng_vlan support in 
pfSense.


Though today is not possible to configure that, apart the command line.


Fair enough, thanks. I'm working on a hardware solution, but that's a 
little ways away right now.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren

___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

[pfSense] Intel Pro/1000 PT Quad Port PCI-e Gigabit Ethernet

[Dave Warren]

Anyone have experience with a Intel Pro/1000 PT Quad Port PCI-e Gigabit 
Ethernet Server Adapter EXP19404PT on pfSense?


From wandering the forums it looks like it should be supported in 
pfSense 2, but I can't find any confirmation that it actually works.


Or alternatively, can anyone else recommend a quad port that's available 
at a reasonable price for a small deployment?


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren


___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] Intel Pro/1000 PT Quad Port PCI-e Gigabit Ethernet

[Dave Warren]

On 2014-05-09 15:13, Jason McClung wrote:

On 5/9/2014 3:02 PM, Dave Warren wrote:
Anyone have experience with a Intel Pro/1000 PT Quad Port PCI-e 
Gigabit Ethernet Server Adapter EXP19404PT on pfSense?


From wandering the forums it looks like it should be supported in 
pfSense 2, but I can't find any confirmation that it actually works.


Or alternatively, can anyone else recommend a quad port that's 
available at a reasonable price for a small deployment?


I have Intel Pro/1000PT Quad port (low-profile if that matters) in my 
home pfSense box. I just installed it 2 weeks ago actually (recent 
cheap ebay find).  I have has no issue so far, but I am not a too 
demanding user.

Check out the FreeBSD 8.3 HCL for supported network cards.
http://www.freebsd.org/releases/8.3R/hardware.html#ETHERNET


The one I'm looking at is listed, but I've learned that the HCL isn't 
always reliable as to whether something actually works in the real world :(


I'm looking on eBay as well, it's worth the gamble vs buying new.

Thanks!

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren


___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] Bogon List

[Dave Warren]

On 2014-05-23 05:50, Paul Galati wrote:
My pfsense box is connected to the edge and has a public IP address, 
so private and bogons are checked.  It s the end user that appears to 
be on an ISP that is using a private IP one hop upstream from his 
personal router.  When his packets reach the public internet, it 
appears to come from 216.14.x.x.


My question is why IP 216.14.x.x is being caught by the bogon filter 
even though it is not listed in CYMRU's database.




It might not hurt to check Diagnostics -- Tables to see if the IP is 
listed there.


I had a weird scenario a few days ago, an alias previously contained a 
mix of hostnames and IP addresses, several of which were removed.


A period of days later, I noticed that the table still included the IP 
addresses resolved from the hostnames (but the IPs that were listed as 
IPs had been removed). I verified that Aliases changes had been applied, 
which they had.


I then added a new hostname to the list, it was added to the table, 
while the existing IPs remained.


I can't reproduce it on demand, but it was a fairly small alias list so 
I verified every entry by hand, the bad data was there (and seemed to 
want to stay there), so it makes me wonder if other lists could be 
subject to the same phantom entries?


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren

___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

[pfSense] RRD 1-month vs 3-month

[Dave Warren]

Exactly 1 month ago we got new internet connectivity installed, and I 
reconfigured some interfaces. To allow me to track bandwidth on our new 
configuration, I reset RRD statistics.


Looking at the traffic graphs for the 1-month and 3-month, the numbers 
appear to be off by a fair amount.


1 month IPv4 in-pass: 11.30GB
3 month IPv4 in-pass:  5.33GB

1 month IPv4 out-pass: 5.37GB
3 month IPv4 out-pass: 5.11GB

1 month IPv4 in-block: 13.12GB
3 month IPv4 in-block:  7.13GB

1 month IPv6 in-block: 4.53GB
3 month IPv6 in-block: 4.28GB

I feel like I'm missing something obvious here, but how is it possible 
that I've got more traffic reported in the 1-month graphs than the 
3-month graphs?


The actual graphs are posted here:

https://www.dropbox.com/s/67nd5hwq0n43tt2/status_rrd_graph_img-1month.php.png
https://www.dropbox.com/s/sik3u8ladx2rv3n/status_rrd_graph_img-3month.php.png


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren


___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] RRD 1-month vs 3-month

[Dave Warren]

On 2014-05-30 09:54, Michael Hardrick wrote:

Graphs are usually rounded off to the 90th percentile (or similar).
Graphs of one-day, one-week, one-month, one-year will reflect more
of a relative percentage of the total bandwidth for the period.


A bit of rounding is fine, but we're not talking about that, I'm seeing 
over double the in-pass, and nearly double the in-block. That's a *huge* 
difference.


(Original stats below, for reference)


1 month IPv4 in-pass: 11.30GB
3 month IPv4 in-pass:  5.33GB

1 month IPv4 out-pass: 5.37GB
3 month IPv4 out-pass: 5.11GB

1 month IPv4 in-block: 13.12GB
3 month IPv4 in-block:  7.13GB

1 month IPv6 in-block: 4.53GB
3 month IPv6 in-block: 4.28GB

I feel like I'm missing something obvious here, but how is it possible that 
I've got more traffic reported in the 1-month graphs than the 3-month
graphs?

The actual graphs are posted here:

https://www.dropbox.com/s/67nd5hwq0n43tt2/status_rrd_graph_img-1month.php.png
https://www.dropbox.com/s/sik3u8ladx2rv3n/status_rrd_graph_img-3month.php.png




___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] Report Errors

[Dave Warren]

On 2014-06-02 11:18, Brian Caouette wrote:

This one shows a really low hit rate:
http://bbs.dlois.com:/lightsquid/index.cgi

I thought Squid was better than this. Suggestions? 



I'm only seeing 4 users one day, 8 the other, and a fairly low amount of 
data transferred, so a low hit rate is expected.


Modern browsers do a fairly decent job of caching internally, so 
typically with a single user, squid's hit rate will be pretty close to 
0%, it's only once you have multiple users accessing the same sites that 
you'll see any real degree of caching.


With modern sites moving toward HTTPS for everything including static 
resources, proxies are likely to see lower hit rates than was typical 
even a handful of years ago due to the fact that proxies can (usually) 
only cache HTTP content, HTTPS content gets tunneled through the proxy.



Can anyone point me in the right direction? As much as I like pfSense it
and packages are really prone to glitches and over all bugs. 


I don't disagree.

Packages don't get the same level of quality checking/testing that 
pfSense itself does, and are often very complicated pieces of software 
wrapped up under a set of One size fits some defaults, with only a 
handful of the most common options directly exposed to the user.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren


___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] skype 29 minute fail

[Dave Warren]

On 2014-06-16 14:08, Stefan Baur wrote:

Am 16.06.2014 22:50, schrieb Vick Khera:

FWIW I just did a call with the firewall set to conservative state
management. Still 29 minutes until voice quality fail.

I'm anything but a Skype expert, but have you tried blocking your Skype
installs from becoming supernodes?

On Windows:
HKEY_LOCAL_MACHINE\Software\Policies\Skype\Phone, DisableSupernode,
REG_DWORD = 1


Based on 
http://arstechnica.com/business/2012/05/skype-replaces-p2p-supernodes-with-linux-boxes-hosted-by-microsoft/ 
and 
http://www.zdnet.com/skype-ditched-peer-to-peer-supernodes-for-scalability-not-surveillance-717215/ 
it doesn't sound like Skype uses Supernodes anymore anyway, so that 
probably isn't relevant.


(Also not a Skype expert, I just remember reading about it and went 
Googling :)


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren


___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] Unbound vs stock

[Dave Warren]

On 2014-07-11 10:04, Brian Caouette wrote:

Why is it unbound doesn't report dns name for light squid and if I return to 
stock it does? In both  of them I have enabled register static mappings yet 
unbound doesn't give the time to light squid in the reports were stock does..


When you use dnsmasq, pfSense adds 127.0.0.1 to the top of resolv.conf, 
and therefore pfSense itself asks dnsmasq for local resolution and is 
able to resolve local hostnames.


However, when you use unbound, dnsmasq is turned off, so pfSense itself 
is just using your configured DNS servers (or ISP DHCP provided ones, 
depending on configuration)


Assuming unbound does full resolution and doesn't forward, you can work 
around this by listing 127.0.0.1 as your primary DNS resolver in 
pfSense. However, if you do that, you'll have to make sure that pfSense 
isn't handing out these DNS servers IPs to clients anywhere (DHCP 
server? OpenVPN?)


And if you have unbound forwarding, obviously you can't include 
127.0.0.1 or unbound will forward to itself.


Finally, pointing to 127.0.0.1 will partially break upgrades since 
pfSense will come up without packages, and therefore without a DNS 
server, then it will find itself unable to find pfsense.org to download 
packages.


Ultimately the fix will be for pfSense to recognize unbound as a local 
DNS server and add it to resolv.conf by default, similar to dnsmasq.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren


___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] Squid Problem and DNS?

[Dave Warren]

On 2014-07-16 08:43, Brian Caouette wrote:
I have not tried ISP's dns as I've found Googles to be faster. I can 
try that test tonight when I get home though to rule out the possibility.


Be aware that using non-local DNS can end up with a suboptimal CDN 
routing situation as you get routed to the CDN nearest your chosen DNS 
servers rather than your actual local network.


These might well be appropriately placed, but they might not, depending 
on where Google's DNS resolution happens for the node that you hit.


In my opinion, running your own DNS is a better solution, if you're 
technically capable. On pfSense, this is often as simple as installing 
unbound and using it as a full resolver instead of DNS Forwarding/dnsmasq.



As for #2 I understand I just find it odd the prior install although 
poor hit rate still produce results were the current install is at 0 
after a week. Our traffic hasn't changed we still surf the same sites. 
The kids are typically on facebook, youtube, and game sites and the 
wife on school and work as I am.


Between sites moving everything to HTTPS and the amount of dynamic 
content, hit rates are typically very low these days. Even static 
resources are often served over HTTPS (SPDY removing the last major 
reason to not use HTTPS for such things)


Making it worse (but not really) is the way a lot of static content is 
called, embedding version numbers into JS/CSS/etc file names and using 
cache control headers to encourage clients to cache these resources for 
weeks, allowing browsers to efficiently cache resources that used to be 
served out of local proxy servers.


Still, I'd expect a rate greater than absolute 0, but it takes a large 
number of users to get any real value out of a proxy level cache these days.


Or at least that was my experience when our office was stuck on a 3Mb 
pipe instead of our usual dual 100Mb for a few months.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren


___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] ZFS warning message on local console during boot

[Dave Warren]

On 2014-07-30 14:47, Jim Thompson wrote:

no pfSense we produce has an installer that will make a zfs filesystem.


I also get some zfs warnings during boot, and I absolutely guarantee you 
that I have not created or changed any partitions at all from pfSense's 
defaults.


Based on other messages in this thread, it appears that it's harmless 
and can be ignored since no zfs partitions are actually mounted, but the 
error still appears.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren


___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] ZFS warning message on local console during boot

[Dave Warren]

On 2014-07-30 13:23, Paul Mather wrote:

I swear by ZFS on my regular FreeBSD systems (though I was having
trouble with it on FreeBSD/i386 latterly).  I don't think there's any
bashing of ZFS per se, just a wondering why you'd use it on a
firewall appliance that's basically a nanobsd setup at heart...


Maybe it's just me, but I want my firewall to just work after power 
failures, on failing drives, etc is a big plus. Having a self-repairing, 
snapshotting file system sounds like a huge benefit, but I don't know 
what the drawbacks are in this context, so I can't make an actual 
recommendation.


Imagine having snapshots before updates or major changes so that things 
can be reverted to a working state, rather than relying on the piecemeal 
XML backups which, at best, brings you a moderately similar to the 
previous state configuration.


Being immune to corruption due to power-failures would be nice too; when 
I was running squid on pfSense, an unexpected power failure virtually 
always resulted in file system corruption being repaired, still 
resulting in a broken squid cache -- I have the impression that zfs 
would give me a lot more resiliency here (but possibly not, perhaps 
squid simply can't ever recover gracefully)


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren


___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

[pfSense] pfSense DHCP PTR registration

[Dave Warren]

  
  
I recently switched over to pfSense's DHCP, and have managed to get
A record registration from pfSense working, however, I'm unable to
get PTR record registration working reliably.

It appears that pfSense is trying to register IPs in
16.172.in-addr.arpa, whereas my reverse DNS zone is named
0.16.172.in-addr.arpa, consistent with the fact that I'm using
172.16.0.0/24 for my internal subnet.

Is there a way to tell pfSense to register records in
0.16.172.in-addr.arpa instead? Or do I have something misconfigured?

(To be clear, I'm wanting pfSense's DHCP server to register the IPs
in the appropriate upstream DNS server, not in the DNS forwarder as
in my configuration the DNS forwarder is not authoritative or in a
position to intercept queries)

-- 
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren


  


___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] Fwd: [Announce] 2.1.5 Release

[Dave Warren]

On 2014-08-29 07:47, Jim Thompson wrote:

again, the CSS changed, and the browsers love to cache that stuff.


Not if the HTML that calls the CSS throws a version into the filename or 
query, in which case there is no caching issues at all when the version 
is incremented.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren


___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] APU and SSD: full install or NanoBSD

[Dave Warren]

On 2014-10-30 17:15, Jim Thompson wrote:

On Oct 30, 2014, at 3:39 PM, Dave Warren da...@hireahit.com wrote:
Buy quality instead of junk?

...

Even a cheapo 30GB/60GB/whatever SSD is more than enough for pfSense and makes 
a far more reliable solution than external flash.

I strongly disagree.SSDs have to be part of a system, especially in an 
embedded environment.   The debacle with the “cheap 30GB” m-sata drive from PC 
Engines earlier in the year (they had to take them all back) should amply 
demonstrate why thinking such as what you express here is deeply flawed.


Sorry if I wasn't clear, I meant a cheapo SSD because it's small -- I'm 
suggesting you don't need to invest in a large or fast SSD for pfSense, 
but rather, cheap out on size, while getting a quality device built for 
lifespan and reliability.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren


___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] Enforcing policy routing gateway

[Dave Warren]

On 2015-01-11 19:40, Moshe Katz wrote:
Depending on how complex your rules are, you could also create 
negative versions of them that explicitly block that traffic on all 
other interfaces except the VPN.  (Aliases could help simplify that, 
but you may or may not actually want to do it, depending on the rule 
complexity.)


I'd love an option to reject/drop/whatever traffic destined to 
unavailable gateways, this is far better than leaking the traffic out 
the wrong gateway for my purposes. However, at the moment it adds a 
fairly significant amount of overhead to have to duplicate every rule 
with a Or else just reject the above...


It's functional, but a hassle.

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren


___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] postfix+mailscanner on 2.2.4

[Dave Warren]

On 2015-07-30 12:51, Juan Pablo wrote:

Hello guys, does anybody know if $subject packages are working on
2.2.4? I have not seen it working since 2.1.5, and would like to hear
about it.

thanks everyone for the effort on making such a beauty as pfSense!


Unfortunately not, the package not maintained, and does not work on any 
modern version of pfSense.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren


___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] Access Point Recommendations?

[Dave Warren]

On 2015-07-23 21:24, Adam Thompson wrote:

On 2015-07-23 10:46 AM, Karl Fife wrote:
Your point about having a one-off solution is a great one. Installing 
a single UniFi AP would be unnecessarily complex.


The TP-Link TL-WA801nd is a BGN-only device.  Do you (or anyone) have 
a preferred stand-alone AC access point?


Not a recommendation at all, but stay away from EnGenius devices. OK 
hardware  good price, but (e.g.) my AP comes with an open DNS 
resolver that can't be disabled, and they don't seem to think it's a 
problem at all...




I like the EnGenius hardware, when it works, but if it doesn't, support 
doesn't seem to care about much. I'm trying to map SSIDs to VLANs, the 
traffic just won't pass, switch doesn't even see it, and support hasn't 
be useful. Looks like a bug, but still, it's literally the reason I 
bought the device over my previous solution. On the other hand, the 
speed is amazing, so I'm not ripping it out.


I noticed the DNS resolver, but it didn't bother me personally as I have 
other resolvers similarly positioned in my network. As a possible 
workaround, does it need DNS at all? If not, either remove it's DNS 
settings, or configure your resolver to refuse packets. Not perfect, but 
it's better than being an open resolver if it's exposed to untrusted 
users. And for whatever it's worth, it looks like a non-caching 
forwarder, not a full resolver.


Still, it concerns me that support doesn't understand how it's a 
potential issue. If you use it for NAT/routing/anything, does it listen 
on the WAN interface, or only the LAN side?


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren


___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] Access Point Recommendations?

[Dave Warren]

On 2015-07-24 10:15, Adam Thompson wrote:


To clarify, I have an EAP-600, which is a pure access point, not a 
router at all.  It only has one LAN port, grand total.  There is *no* 
universe where it makes sense for an access point to run a DNS 
server/forwarder/whatever. 


I have the EAP900H, which is inherently similar (it's outwardly 
physically identical). However, it has the capability to enable a guest 
network, which has NAT, so in this configuration, the DNS forwarder does 
make sense. They probably used the same basic firmware. But there's no 
excuse for not making it configurable, nor should it be enabled by 
default unless the guest network is enabled.


Ultimately I'm not unhappy with the overall performance of the unit, but 
it's still not one I'd wholeheartedly recommend, mostly because of the 
support experience.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] QoS for fairness usage

[Dave Warren]

On 2015-07-14 00:55, Lorenzo Milesi wrote:

Hi
I found this [1] nice and quick howto which explains how to set up pfSense QoS 
to obtain fair usage between clients, so that one will not suck all the 
available bandwidth.
Has anyone tried it? is it working for you?

I made a quick check and doesn't really seem to, I started a download on my 
laptop and then on the server and the latter was going nearly full speed, 
leaving less than 100kB/s to my client.



[1] http://www.gridstorm.net/pfsense-traffic-limiting-fair-share/


I spent days tweaking, trying suggestions on the forums, IRC, etc. 
Nothing came of it, I could never get any sort of QoS working to balance 
traffic between users without allowing one user to starve out others, or 
even to prioritize some traffic at the expense of others. Traffic would 
seem to get into the right queue, but fire up an active torrent on a 
clien tweaked for far too many connections and normal browsing traffic 
from other machines was still quickly starved out.


I eventually gave up and just started limiting known problem-users, this 
too proved to be unreliable as I would regularly see problem users 
exceeding their limits very considerably, both upstream and downstream, 
but it did help.


Ultimately we just brought in a second pipe from the ISP and now we 
route high-bandwidth users to that pipe and let them fight it out 
amongst themselves. That has worked quite reliably.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren


___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] Disable DHCP domain-name request

[Dave Warren]

On 2015-11-22 22:51, Nicola Ferrari (#554252) wrote:

Hi, marco?
Did you remove old dhcp leases on pfsense?

If you renew dhcp request on an already present client (in dhcp 
leases), the client will use the old lease (and all its options), so 
you'll not see your new configurations reflected.


Delete all leases from Status -> DHCP leases, restart dhcp service and 
retry ...


That's not necessary and would be incorrect behaviour if it were 
happening. I just confirmed here with my pfSense installation, new 
options are applied without removing the old lease in all expected 
cases, including the Domain Name field.


I tested via a Domain Name change against an automatic renewal and 
manual renewal, as well as a "release/renew" cycle; in all cases the 
client was aware of the new settings immediately after the DHCP 
operation completed.


Now admittedly some broken clients won't reflect all changes 
immediately; some of our VoIP phones will update DNS servers as soon as 
they renew, but won't update timezone information until the next reboot, 
but this is a client deficiency and nothing you do in pfSense (including 
removing the old lease) will make a difference, and it only causes 
issues on specific hardware, but if you capture and analyze the packets, 
you'll see correct data was sent by the DHCP server.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren


___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

[pfSense] Restoring DHCP table from 2.2.x into 2.3.x

[Dave Warren]

Howdy!

I am looking at replacing my 2.2.something pfSense box with a fresh 
install of 2.3. Is it possible to restore just the DHCP configuration 
(leases, statics, and custom DHCP options)?


Enough of the other stuff is being tossed that a fresh install would 
seem to make sense, but it would be convenient if IP assignments didn't 
need to change as this makes it easier to bring the new firewall up side 
by side with the old one and transfer over relatively seamlessly.



--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren


___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] Restoring DHCP table from 2.2.x into 2.3.x

[Dave Warren]

On 2016-05-29 17:35, Walter Parker wrote:

You could try copying the the entries from the old XML and paste it in the
new XML file.


Is the backup/restore mechanism similar and compatible? This would at 
least bring static assignments and configuration across, without 
restoring anything else, which would probably be Good Enough for my 
purposes, in general any machine that is powered on when it's lease 
expires will tend to request the same IP from the new server, although 
it's a bit of an imperfect solution.


I'm more nervous about copying entire sections into the XML right now, 
although if the data appears similar, it may be worth considering.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren


___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] pfsense upgrade problems?

[Dave Warren]

On Wed, Feb 22, 2017, at 10:23, Eero Volotinen wrote:
> The process will require 14 MiB more space.
> 
> 73 MiB to be downloaded.
> 
> Fetching php56-5.6.30.txz: .. done
> 
> pkg: php56-5.6.30 failed checksum from repository
> 
> something wrong with the packages?

I upgraded a couple pfSense boxes without difficulty, including one
virtual test server a few hours ago. 



___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] looking for perfect pfsense box for home?

[Dave Warren]

On 2016-08-21 05:50, Paul Mather wrote:

Not to sound like an apologist or a shill for the pfSense project, but in the line just above the "Products" 
link that you presumably clicked on, right at the very top of the page, is a link labelled "Store".  On the 
same line as the "Store" link is a "Partner Locator" link that goes to a page with a list of MSP, 
VAR, and Retail companies.  That might have been a good place to find official pfSense hardware.:-)


Perhaps. But when I went to the product comparison page, I found none 
were even close to what I need; it's not that I wasn't aware of the 
store, but rather, there was no reason to visit the store to look at 
products that I wasn't going to buy.


If /products is intended to be an overview, why not replace the specific 
model entries with categories that show the ranges of prices and 
capabilities, and change the "More Details" buttons to link to products 
within those families? Or at least give some clue that there are other 
offerings in some obvious way.


Even so, I'm not sure it would have mattered, 799USD is still a lot for 
what it is; I spent under 100CAD on a 1U server from eBay that will 
probably do more than I'll need for the immediate future. I'll probably 
just buy Gold and call it a day.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren


___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] looking for perfect pfsense box for home?

[Dave Warren]

On 2016-08-03 08:43, Steve Yates wrote:

I'm being serious but what is your rationale for not using pfSense's/NetGate's?

https://www.pfsense.org/products/

The "cheap" part (< $299)?  We tried a "build our own" approach and it's tough 
to get a small package.  Any old PC will do just fine if one adds an SSD but as someone pointed out 
that may use far more power in the long run.


For me, it's the fact that I want to rackmount my gear, but $1,799.00 is 
the cheapest option offered on pfSense.org that can rackmount.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren


___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] looking for perfect pfsense box for home?

[Dave Warren]

On 2016-08-20 04:02, Jim Thompson wrote:

On Aug 20, 2016, at 3:10 AM, Dave Warren <da...@hireahit.com> wrote:


On 2016-08-03 08:43, Steve Yates wrote:
I'm being serious but what is your rationale for not using pfSense's/NetGate's?

https://www.pfsense.org/products/

The "cheap" part (< $299)?  We tried a "build our own" approach and it's tough 
to get a small package.  Any old PC will do just fine if one adds an SSD but as someone pointed out 
that may use far more power in the long run.

For me, it's the fact that I want to rackmount my gear, but $1,799.00 is the 
cheapest option offered on pfSense.org that can rackmount.

You seem to have added $1000 without justification:

https://store.pfsense.org/SG-4860-1U/


Perhaps someone should put that on the https://pfsense.org/ website?

I started at https://pfsense.org/, then clicked on Products, which took 
me to https://pfsense.org/products/ which only offers 
https://store.pfsense.org/XG-2758/ when I was looking for a new product 
a couple weeks ago. It didn't occur to me you would have multiple 
incomplete lists of products, so I ordered hardware elsewhere already. 
Shame, I'd rather have supported pfSense, but it's too late now.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren


___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

[pfSense] Any side effects or negative impact to reassigning ports?

[Dave Warren]

Howdy!

I'm building out a new pfSense box, but the NICs have not yet arrived
and I'm wondering how much configuration I can do in advance. My
configuration will be a quad port Intel NIC, two ports will be WAN ports
directly connected to a pair of modems, and the other two will be a LACP
LAGG group carrying multiple tagged VLANs, routing some traffic
internally and some externally.

Can I create the VLANs now and associate them with one of the onboard
NICs so that I can proceed with all the other configuration details,
DHCP servers, firewall rules custom NAT, and everything else, such that
when the real NIC is installed, I create the LAGG and re-assign the
interfaces? Or are there any "things" in pfSense that are associated
with the physical NIC rather than the interface?


___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] acme package: wrong agreement URL

[Dave Warren]

For anyone else still having issues, it looks like the package was
updated November 16th.

On Sat, Nov 18, 2017, at 20:39, WebDawg wrote:
> Did you report this as a bug?
> 
> On Thu, Nov 16, 2017 at 4:36 AM, Brian Candler 
> wrote:
> > Trying to use the acme package with pfsense 2.4.1 and the LetsEncrypt
> > staging server
> >
> > Certificate enrolment failed, although all the output was in green.
> >
> > /tmp/acme//acme_issuecert.log shows HTTP 400 errors, with the
> > following response:
> >
> > [Thu Nov 16 10:28:19 UTC 2017]
> > response='{"type":"urn:acme:error:malformed","detail":"Provided agreement
> > URL [https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf] does
> > not match current agreement URL
> > [https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf]","status":
> > 400}'
> >
> > I couldn't see how to change this in the GUI, so I had to edit
> > /usr/local/pkg/acme/acme.sh
> >
> > I presume the package needs updating?
> >
> > Thanks,
> >
> > Brian.
> > ___
> > pfSense mailing list
> > https://lists.pfsense.org/mailman/listinfo/list
> > Support the project with Gold! https://pfsense.org/gold
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
> 
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

[pfSense] Firewall by ASN

[Dave Warren]

Howdy!

Is there a way to firewall traffic based on the ASN?

The underlying reason is that we've recently enabled HE's tunnelbroker 
which, for the most part, works great.


However we've run into certain services *cough*Netflix*cough* which 
reject traffic sent through a HE tunnel. I'd like to reject this traffic 
from the tunnel, which will force the client to fallback on IPv4 
connections.


I've experimented with simply rejecting all IPv6 traffic from the 
device, or watching what connections it makes and blocking the 
appropriate IPv6 allocations, but with widely distributed networks the 
client often jumps to a different block of IPs and it would be a lot 
less work to block an ASN at a time rather than a specific range at a time.


For the two services I'm using for testing, both seem like they could be 
blocked by ASN fairly easily.


If there is no better way, I might try to write a HTTPS service which 
parses ARIN's WHOIS and returns a list of ranges allocated to a 
particular ASN, but it seems like there could be a better way.


___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] DNS over TLS config for pfSense 2.2.6

[Dave Warren]

On 2018-04-06 00:09, Bryan D. wrote:

On 2018-Apr-05, at 10:47 PM, Dave Warren <d...@thedave.ca> wrote:


Cloudflare has pushed an update, and things seem to be working from here. For 
those having issues, try again now?


Thanks for the "heads up."  Works for me, also (i.e., on pfSense 2.2.6 
configured as stated in previous posting).


How's the speed? I'm seeing moderately slower results for queries that 
go out to 1.1.1.1, whereas queries from the cache or stub zones (to 
servers hosted out on the 'net) are very fast.


If I switch TLS off and go back to @53 it's faster, but ultimately not 
as fast as just running recursion myself.





___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] DNS over TLS config for pfSense 2.2.6

[Dave Warren]

On 2018-04-05 01:25, Bryan D. wrote:

On 2018-Apr-04, at 10:05 PM, Dave Warren <d...@thedave.ca> wrote:


I can also confirm that 9.9.9.9@853 does work here which re-enforces that this 
is a Cloudflare specific issue.

-

So it looks like the following config works on pfSense 2.2.6's unbound/DNS 
Resolver (so should work with 1.1.1.1 when Cloudflare gets things fixed):
server:
ssl-upstream: yes
ssl-port: 853
forward-zone:
name: "."
forward-addr: 9.9.9.9@853


Cloudflare has pushed an update, and things seem to be working from 
here. For those having issues, try again now?


___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] DNS over TLS config for pfSense 2.2.6

[Dave Warren]

I'm running 2.4.3-RELEASE (amd64). I can't get it working here either 
after a couple hours of poking at it on and off, it now looks like this 
is actually a Cloudflare issue:


https://community.cloudflare.com/t/1-1-1-1-was-working-but-not-anymore/15136/4

"Thanks for the report! This is going to be fixed in the next upgrade 
that’s being rolled out.
There was an interop issue in the last upgrade with Unbound as it sends 
the frame size and the actual DNS message in two separate packets 
instead of both at once."


So it looks like the immediate solution is to revert to port 53 and wait 
for Cloudflare. I can also confirm that 9.9.9.9@853 does work here which 
re-enforces that this is a Cloudflare specific issue.



On 2018-04-04 19:23, James wrote:

Sorry, mine was indeed on 2.4.X. The daemon appeared to start up but any 
queries returned no records.



On Thu, 5 Apr 2018, at 11:20 AM, Steve Yates wrote:

Wild guess, but did you try it in 2.4.x?

--

Steve Yates
ITS, Inc.

-Original Message-
From: List  On Behalf Of Bryan D.
Sent: Wednesday, April 4, 2018 8:01 PM
To: pfSense Support and Discussion Mailing List 
Subject: [pfSense] DNS over TLS config for pfSense 2.2.6

Re: https://www.netgate.com/blog/dns-over-tls-with-pfsense.html
---
Applying the suggested "Custom Options" to the Unbound/DNS Resolver
configuration in pfSense 2.2.6 does not work, with logs indicating that
"forward-ssl-upstream" is invalid.

I tried various incantations using "server:ssl-upstream: yes"
with and without "ssl-port: 853" and, although the unbound service would
then run, a DNS/host query always indicated that no hosts were found.

Does anyone know a configuration that will work with pfSense 2.2.6?

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold



___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold