Re: [pfSense] SIP client fails after a few days
On 11/1/2011 10:46 PM, David Burgess wrote:
> Interestingly, I just heard the same thing from a user on my network today. I don't know the model of his VoIP handset, but he uses it Monday to Friday, but has to clear states each Monday after the weekend or he cannot make outgoing calls. He's using pfSense 2.0-RELEASE on a net5501.

As a data point, I have not seen this issue here. I have a handful of VoIP devices, some that stay connected 24/7 (desk phones) and some that connect and disconnect (soft phones), all connecting to a single remote SIP server; we've run 2.0-RELEASE since the week it came out without difficulties.

-- 
Dave Warren, CEO
Hire A Hit Consulting Services
http://ca.linkedin.com/in/davejwarren

___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list
[pfSense] Load Balancer: Virtual Servers vs DHCP assigned dynamic IP addresses
Howdy, I'm running into an issue with 2.0-RELEASE and virtual servers on DHCP-assigned WAN addresses.

I'm currently running two WANs, both of which have their IPs assigned dynamically via DHCP. One changes infrequently (1-2 times/year), the other updates several times per month. Inside pfSense there are two web servers that I'd like to load balance using pfSense's load balancer.

Everything works fine until one of the WAN IPs changes, at which point I need to manually update the IPs in the Virtual Servers tab. Is there any way to tell pfSense that these entries should represent interface IPs rather than hardcoding specific IPs?

-- 
Dave Warren, CEO
Hire A Hit Consulting Services
http://ca.linkedin.com/in/davejwarren
[pfSense] OpenVPN and saved username/password credentials
Does anyone happen to know if pfSense (2.x)'s OpenVPN installation will be willing to use saved username/password credentials? I'm looking into connecting to a remote service that (unfortunately) requires a username/password; apparently their system can't be configured around this requirement, and I'd like to move the VPN connection from the desktop to the firewall level if feasible.

-- 
Dave Warren, CEO
Hire A Hit Consulting Services
http://ca.linkedin.com/in/davejwarren
[pfSense] OpenVPN vs MultiWAN
I've currently got a number of inbound and outbound OpenVPN connections on my pfSense server. We recently added a second WAN and I'm not certain how to load balance outbound OpenVPN connections. I have the impression that floating rules might do the trick, but I'm not sure if I've understood the logic or not. Am I in the right place?

-- 
Dave Warren, CEO
Hire A Hit Consulting Services
http://ca.linkedin.com/in/davejwarren
Re: [pfSense] Alias based on the PTR record
On 3/14/2012 1:10 PM, Ugo Bellavance wrote:
> I know it is less secure and creates load on the firewall and DNS servers, but is it possible to create an alias to create rules that would allow one to deny traffic for hosts that have a PTR that contains a string?

The short answer is no; at least as far as I know it's virtually impossible to do so in a reliable fashion. In order to do that, pfSense would have to query every single IP in the world's PTR record and match them against your string to build a rule set. A-record rulesets are possible, but not PTR record matches.

Doing it in real time would be a pain too, since PTR lookups take a reasonable amount of time, longer than you'd want to hold every single connection attempt. Maybe someone more creative than me has thought of a way to make this happen though.
Re: [pfSense] does pfsense block XML traffic
On 5/24/2012 7:45 PM, Joseph Rotan wrote:
> Can anyone confirm if pfSense 2.0 blocks XML traffic, or correct me if I'm wrong in regards to the pfSense online doc notes saying:
>
> * No XMLRPC Sync - this prevents the entry from syncing to other CARP members
>
> What does the above really mean? Can anyone please explain.

This option will not block any sort of XML traffic (and there really isn't any such thing as XML traffic; XML is typically passed as content using other transports).

The above option controls whether or not the rule is synchronized to other pfSense members if you're using CARP. If you don't know what CARP is and only have one firewall, ignore the setting completely; it does absolutely nothing.

-- 
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
Re: [pfSense] Low(ish) cost pfSense platforms
On 6/8/2012 12:03 PM, Moshe Katz wrote:
> For small locations, I use refurbished Pentium 4 and Pentium D machines with a bunch of PCI network cards (often Intel dual-port, which can now be found cheap on eBay). It doesn't look (or sound) the same as a little embedded system but it's pretty dependable.

While these are decent enough boxes in terms of their processor power (enough to run some VPNs and whatnot at decent speeds), the whole P4 and P-D line are very power hungry in terms of their CPUs. So they're not horrible choices (mine is running on a P4 right now), but they're not my first choice. Still, the upfront cost for these beasts is cheap; going newer enough to cut power may not be worth it.

I've tried a couple of Atom-based systems and had nothing but issues, primarily ACPI compatibility, so I've given up going that route and just stuck with the P4 until something better shows up.

-- 
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
[pfSense] Cannot get data about interface em0_vlan4
A couple of weeks ago I reconfigured a couple of interfaces (primarily an IP and subnet change). Since then, my dashboard traffic graphs inconsistently show me "Cannot get data about interface em0_vlan4" for various interfaces, including some interfaces that were not changed.

It's not entirely consistent. I'm in a multi-WAN environment; initially my main WAN wasn't working, today it is and my second WAN (named DSL) isn't working.

Any pointers?

Chrome: 25.0.1364.97 m
pfSense: 2.0.2-RELEASE (i386)

-- 
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
Re: [pfSense] Cannot get data about interface em0_vlan4
On 3/5/2013 04:27, Jim Pingle wrote:
> That's a known issue on 2.0.2, fixed on 2.0.3. Check the forum.

Thanks, I appreciate the info.

-- 
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
Re: [pfSense] Microsoft Outlook Blocked
On 2013-03-17 09:13, Gerald Waugh wrote:
> I have searched the archives, and googled it, but have not found a solution. Firewall is working great except MS Outlook is being blocked; all other email clients work OK.

This might be overly simplistic, but what happens if you create a rule to log traffic to the specific destination IP? Are you able to confirm that Outlook is attempting a connection at all, or could this be an issue on Outlook's side of things?

-- 
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
Re: [pfSense] Prevailing wisdom on Hyperthreading?
On 2013-04-12 13:18, Nathan C. Smith wrote:
> A couple years ago when the topic of CPU hyper threading came up I remember folks being advised to disable it. Is that still the prevailing wisdom and current best practice?

On P4 series CPUs, you should absolutely disable it. On modern CPUs, there are a few types of loads where it might actually help, but generally it seems reasonably harmless; I haven't seen much indicating it's beneficial to disable it, so I leave it enabled on my servers and workstations.

On pfSense, however, I'd almost be inclined to disable it. pfSense is rarely CPU-bound (unless you do a lot of high speed VPN connections or proxying), but pfSense is latency sensitive and Hyperthreading might actually increase latency very slightly.

-- 
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
Re: [pfSense] Conditional Routing question
On 2013-04-29 07:21, Drew Lehman wrote:
> I have a business connection from my ISP and run servers. I also like to seed various rescue disks and certain Linux distributions on BitTorrent. The problem is, despite having a commercial account, my ISP throttles anything with P2P, and takes the rest of my connection with it. So, in order to keep that from happening, I got a VPN connection through a third party. This works great, but my traffic is either VPN or not. The VPN provider works with OpenVPN and I want to know how to create a conditional route that routes all BitTorrent over the OpenVPN, but leaves connections such as my gaming and email through my normal WAN connection.

The trick here will be figuring out exactly what is and is not BitTorrent traffic, but the routing itself is actually fairly straightforward. What you need to do is build a virtual interface for OpenVPN; once that's done, you can create a rule immediately above your LAN's default allow rule to allow traffic and assign a specific gateway for specific traffic. I do this on my LAN for port 25, since my ISP blocks port 25 and I need direct access to port 25 on remote servers for diagnostic reasons.

Check out an article like http://forum.pfsense.org/index.php?topic=29944.0 (in this case, look for ---Section 2---) which covers setting up an interface and creating routing rules. This article may be a bit out of date, and of course it's aimed at setting up a specific VPN, but if you understand the concepts rather than following it letter for letter, it should be doable.

As far as narrowing down your BitTorrent traffic, your best bet might be to simply run BitTorrent on a specific local IP (or dedicated machine) and route all traffic from that machine out via your VPN. This may still be somewhat problematic as BitTorrent really does need an inbound port opened as well, but that's between you and your VPN provider.

An external seedbox might be a better approach, along with the VPN to handle other traffic.

-- 
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
Re: [pfSense] Conditional Routing question
On 2013-04-29 15:09, Drew Lehman wrote:
> The inbound is not really much of an issue since the VPN provider allows it and simply forwards it back through the VPN. I am assuming they use PNP or something similar since it just works when I open a VPN to them now. I guess the question is, can I direct a protocol through a route?

As far as I know, in the case of BitTorrent, not really. BitTorrent uses unpredictable source and destination ports, so all you can do is confine it to a single IP on your side, and route all traffic from that IP through the VPN. I don't know of a way to do this using layer 7 filtering, at least at this time, but someone else might chime in with a suggestion.

-- 
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
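The approach in the two replies above (a rule placed above the LAN default-allow rule that sends one host's traffic, or one port's traffic, out through the OpenVPN gateway) corresponds to pf's route-to. The fragment below is an added illustration written in raw pf.conf syntax; it is not from the thread and not the ruleset pfSense generates. The interface names (em1, ovpnc1), the LAN subnet, the VPN gateway address and the torrent host's address are all assumed.

```pf
# Added illustration of policy routing in plain pf.conf terms; assumed names.
lan_if       = "em1"            # LAN interface
lan_net      = "192.168.1.0/24" # LAN subnet
vpn_if       = "ovpnc1"         # OpenVPN client interface assigned in pfSense
vpn_gw       = "10.8.0.1"       # VPN provider's gateway inside the tunnel
torrent_host = "192.168.1.50"   # the one LAN host confined to BitTorrent

# These must sit above the LAN default-allow rule: the first matching "quick"
# rule wins. Everything leaving the LAN from the torrent host goes via the tunnel.
pass in quick on $lan_if route-to ($vpn_if $vpn_gw) inet from $torrent_host to ! $lan_net keep state

# Same mechanism for a single port (the port 25 case from the reply): SMTP from
# any LAN host is sent via the VPN instead of the ISP's blocked path.
pass in quick on $lan_if route-to ($vpn_if $vpn_gw) inet proto tcp from $lan_net to ! $lan_net port 25 keep state

# Remaining LAN traffic falls through to the ordinary default-allow rule and
# follows the system default route out the normal WAN.
pass in quick on $lan_if inet from $lan_net to any keep state
```

Two practical points follow from the rules as written: traffic to the LAN itself is excluded from the route-to rules so local hosts stay reachable, and outbound NAT on the tunnel interface is still required for the rerouted traffic to be sourced from the VPN-assigned address (pfSense handles that through its outbound NAT settings; in plain pf it would be a separate nat rule on $vpn_if).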
Re: [pfSense] possible DNS-rebind attack detected
On 2013-05-10 15:36, Josh Bitto wrote:
> I'm getting in my system logs the following:
>
> firewall dnsmasq[35138]: possible DNS-rebind attack detected: okanagan.bc.ca
>
> Is this something to worry about? I've looked at the forums and most people say to disable the rebind option in the system settings. I'm kinda concerned if this is a serious log or if it is just a false positive. Or if it's just an attempt and I have nothing to worry about. Can anyone give me some insight into this?

Is your organization's network affiliated with okanagan.bc.ca in any way? I'll assume not, but that might not be entirely correct given the geographical proximity.

Assuming not, from the looks of it, it's possible that it is designed as an attack but it's more likely that okanagan.bc.ca has simply screwed up their DNS. Either way, okanagan.bc.ca's internet-facing DNS records are not set correctly:

okanagan.bc.ca.    3600    IN    A    10.1.33.0
okanagan.bc.ca.    3600    IN    A    142.23.95.114
;; Received 75 bytes from 142.23.79.254#53(142.23.79.254) in 99 ms

They shouldn't be leaking a 10/8 address out to the internet; since they are, you'll (correctly) get DNS-rebind attack warnings approximately 50% of the time when someone visits okanagan.bc.ca from within your internal network.

You can likely ignore the warnings entirely; either 1) they're warning you about a mis-configuration out on the net, or 2) you were just protected against an attack. Either way, everything worked the way it's supposed to. There's absolutely no upside to disabling DNS rebinding attack detection unless your networks are supposed to be interconnected and you are supposed to be able to access each other's internal IPs.

-- 
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
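The check that produced the log line above is simple to reproduce: a forwarder receives an answer for a public name and one of the records points into private address space. The following is an added example (not from the thread, and not dnsmasq's own code) that parses dig-style answer lines, flags any A/AAAA record that resolves to private, loopback, link-local or unspecified space, and supports an exception list for domains that are legitimately supposed to resolve to internal addresses, which mirrors the "interconnected networks" case in the reply. The sample answer section is constructed to match the two records quoted above.

```python
import ipaddress
import re

# Constructed sample answer section, modelled on the records quoted in the
# thread: one public A record and one leaked 10/8 record for the same name.
SAMPLE_ANSWER = """\
okanagan.bc.ca.    3600    IN    A    10.1.33.0
okanagan.bc.ca.    3600    IN    A    142.23.95.114
;; Received 75 bytes from 142.23.79.254#53(142.23.79.254) in 99 ms
"""

# "name ttl IN A|AAAA rdata" as printed by dig; other record types are ignored.
RR_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>A|AAAA)\s+(?P<rdata>\S+)$"
)


def parse_answer(text):
    """Parse dig-style A/AAAA lines into (owner name, type, ip_address) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):   # skip blanks and dig comments
            continue
        m = RR_LINE.match(line)
        if not m:
            continue
        name = m.group("name").rstrip(".").lower()
        records.append((name, m.group("type"), ipaddress.ip_address(m.group("rdata"))))
    return records


def is_rebind_candidate(ip):
    """True for addresses an internet-facing name should never resolve to."""
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_unspecified


def _allowed(name, allowed_domains):
    return any(name == d or name.endswith("." + d) for d in allowed_domains)


def check_answer(text, allowed_domains=()):
    """Return (rejected, offending) for one answer section.

    rejected is True when at least one record for a non-exempt name resolves
    into internal address space; offending lists those records as
    (name, type, address-string). allowed_domains plays the role of a
    rebind exception list for names that are meant to point at internal IPs.
    """
    offending = []
    for name, rtype, ip in parse_answer(text):
        if _allowed(name, allowed_domains):
            continue
        if is_rebind_candidate(ip):
            offending.append((name, rtype, str(ip)))
    return (len(offending) > 0, offending)


if __name__ == "__main__":
    rejected, bad = check_answer(SAMPLE_ANSWER)
    for name, rtype, addr in bad:
        print(f"possible DNS-rebind attack detected: {name} ({rtype} {addr})")
    print("rejected" if rejected else "accepted")
```

Running it on the constructed sample reports the 10.1.33.0 record and marks the answer rejected; adding okanagan.bc.ca to the exception list accepts the same answer, which is the only situation in which the reply above considers relaxing the protection.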
[pfSense] unbound not starting
I'm running into an odd issue with unbound. I recently upgraded to pfSense 2.1 and ripped out some multi-WAN configuration due to the fact that our second WAN has gone away. The interface still exists, but is disabled and all routing and gateway failover has been removed. The primary WAN does rely on DHCP.

After a pfSense reboot, unbound does not come up. I'm also unable to start the service using the services manager, but if I go to the unbound dialog, change nothing and click Save, it starts immediately and functions well.

dnsmasq is completely disabled. We were only using it because it did a better job of splitting load across the two WANs; otherwise unbound looks like a far better solution.

-- 
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
[pfSense] Traffic Graph: Not reflecting reality?
I'm wondering if it's possible that data in the Traffic Graph is not showing up correctly? We recently relocated and are waiting to get our primary connection installed, so in the meantime we're on a 3Mb/0.75Mb DSL line. However, pfSense often shows 6Mb/s coming out of the LAN during a download.

Is it possible that the proxy server (transparent proxy enabled) or something else is causing data to be displayed incorrectly? Both the modem itself and download speed tests confirm our 3Mb speed, yet pfSense regularly shows a flat line at 6Mb/s in the traffic graph when we're under load.

-- 
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
Re: [pfSense] Traffic Graph: Not reflecting reality?
On 2013-11-06 13:20, David Burgess wrote:
> I don't use a proxy server and my internal interface graphs usually report double traffic. Only the real time graphs though, as rrd looks correct.

Actually I think I eliminated the proxy anyway; the proxy is optional here (except the transparent proxy on port 80) and it happens with NNTP connections which are not proxied.

RRD graphs look closer to being possible, and the WAN and LAN seem to match roughly what I'd expect.

-- 
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
Re: [pfSense] Cannot get data about interface em0_vlan4
On 2013-03-05 17:14, Dave Warren wrote:
> On 3/5/2013 04:27, Jim Pingle wrote:
>> That's a known issue on 2.0.2, fixed on 2.0.3. Check the forum.
>
> Thanks, I appreciate the info.

This is an issue again in 2.1...? Same scenario as before: I reconfigured an interface, rebooted, and now I'm getting "Cannot get data about interface em0_vlan4" on an unrelated interface.

2.1-RELEASE (i386) built on Wed Sep 11 18:16:50 EDT 2013.

Outside of the fact that some traffic graphs have been doubled for some moons, traffic graphs were working fine until an interface reconfiguration earlier today.

-- 
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
Re: [pfSense] Traffic Graph: Not reflecting reality?
On 2013-11-07 16:20, Mike McLaughlin wrote:
> So I realized that I am capturing the traffic via SNMP so I looked -- it shows the same ~200% use on my DMZ vs the WAN it's using. I was a bit surprised by this because the pfSense RRD graphs do not appear to have the same discrepancy - they show nearly mirror images for the 2 interfaces.

I don't use SNMP here, but I see the same: RRDs appear to be accurate. Oddly it's only some interfaces that double in the traffic graphs, but not all.

-- 
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
[pfSense] OpenVPN client bug? An IPv4 protocol was selected, but the selected interface has no IPv4 address error
I have a number of OpenVPN client sessions set up (where my pfSense connects to a remote OpenVPN server as a client). Today I needed to switch one from TCP to UDP and received "An IPv4 protocol was selected, but the selected interface has no IPv4 address." The interface was properly configured using DHCPv4, and therefore has no IP address.

After banging my head comparing this VPN with other established/working VPNs and getting nowhere, I started getting through the code to find this gem:

pfsense /usr/local/www/vpn_openvpn_client.php

    } elseif ((stristr($pconfig['protocol'], "6") === false) && !get_interface_ip($iv_iface) && ($pconfig['interface'] != "any")) {
        $input_errors[] = gettext("An IPv4 protocol was selected, but the selected interface has no IPv4 address.");

So basically it is currently impossible to create or modify any OpenVPN client pipe that uses DHCP, as the IP (which isn't known until the OpenVPN client connects, and is dynamic) must be hard-coded into the interface before the connection is created.

Commenting out the offending PHP allowed me to save changes and successfully connect to the VPN.

While this code likely makes sense when setting up an OpenVPN server, it should not apply when setting up an OpenVPN client. Am I missing something or is this a bug?

-- 
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
Re: [pfSense] OpenVPN client bug? An IPv4 protocol was selected, but the selected interface has no IPv4 address error
On 2013-12-23 04:31, Chris Buechler wrote:
> It shouldn't allow you to pick that, and I'm surprised it worked when you did in the past (probably we ignored the fact you had it set that way). It's right to reject it, but for a different reason than it's telling you. You can't bind the outside of an OpenVPN tunnel to the inside. You'd be telling it to use the VPN to connect to the VPN. It has to be on the proper WAN.

Interesting; when I had it set to a WAN in the past it gave me an error about the interface already being assigned or something to that extent, so I read up and found some directions that suggested setting it to the OpenVPN tunnel itself.

I'll experiment once I'm back in the office and see what happens if I change it to a WAN. Thanks.

-- 
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren

Light travels faster than sound. This is why some people appear bright until you hear them speak...
[pfSense] MultiWAN vs unbound
Can anyone point me in the right direction to set up unbound to work across multiple WANs (specifically, to fail over to the second WAN if the primary WAN becomes unavailable)?

We flipped back to the built-in DNS forwarder this evening; it seems to be doing the job, but this requires a manual switch (and of course puts us back to forwarding, rather than resolving locally, which is less than ideal).

-- 
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren

1832-Curling is introduced to the U.S., giving Americans a sport combining the surface of hockey with the thrill of watching paint dry.
Re: [pfSense] issue Downloading package from Pfsense.com
But can you ping *domains* from the pfSense box, like www.google.com? The point isn't to see if you can ping, but if ping can complete a DNS lookup and retrieve an IP successfully. This is potentially more useful than using DNS-specific lookup tools, since ping will rely on the OS DNS resolution settings rather than (potentially) using its own.

-- 
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren

On 2014-02-13 12:03, Muhammad Yousuf Khan wrote:
> Yes I can ping, here is the result from web console Diagnostics: Ping
>
> Ping output:
> PING 8.8.8.8 (8.8.8.8): 56 data bytes
> 64 bytes from 8.8.8.8: icmp_seq=0 ttl=40 time=293.328 ms
> 64 bytes from 8.8.8.8: icmp_seq=1 ttl=40 time=295.391 ms
> 64 bytes from 8.8.8.8: icmp_seq=2 ttl=40 time=293.850 ms
> --- 8.8.8.8 ping statistics ---
> 3 packets transmitted, 3 packets received, 0.0% packet loss
> round-trip min/avg/max/stddev = 293.328/294.190/295.391/0.876 ms
>
> On Fri, Feb 14, 2014 at 12:39 AM, Jonatas Baldin jonatas.bal...@gmail.com wrote:
>> Can you ping domains from the pfSense box, like www.google.com?
>>
>> 2014-02-13 17:19 GMT-02:00 Muhammad Yousuf Khan sir...@gmail.com:
>>> Hello all, I am a newbie. My pfSense is behind the ISP router, having a private IP of 192.x.x.x. I can ping via SSH and via web console both; I can also check dnslookup from console and SSH and they are working fine. However when I click on available packages I see this:
>>>
>>> Unable to communicate with www.pfsense.com. Please verify DNS and interface configuration, and that pfSense has functional Internet connectivity.
>>>
>>> Any idea what I am mistaking? I even unchecked the block private IP addresses option from Interfaces: WAN; still I can ping 8.8.8.8 but cannot see anything in the available packages tab except the above error.
>>>
>>> Thanks,
>>> MYK
>>
>> -- 
>> Jonatas Baldin de Oliveira
>> IT Consultant
Re: [pfSense] Netgate's customized pfSense release
On 2014-02-13 09:27, David Burgess wrote:
> On Thu, Feb 13, 2014 at 9:54 AM, Andrew Hull l...@coffeebreath.org wrote:
>> My knee jerk reaction is that this is A Bad Thing(tm), and I reloaded the devices with images from ESF. Does anyone here have a strong opinion one way or the other?
>
> My first reaction is that the branding is a good thing. Netgate brings pfsense to folks who in many cases would not touch free software, but just want something that works out of the box. I've recommended the m1n1wall many times. As for the update URL, I'm a little surprised, but maybe they're just trying to track stats.

I'd be a little disappointed if they didn't use their own auto-update URL, since this would mean customers would end up on stock pfSense after an update, rather than Netgate's customized version, negating any tweaking Netgate may have done to make pfSense work seamlessly on their hardware.

This seems like a good thing to me, and arguably the whole point of being open source and BSD licensed. Reading the other messages on the list, this arrangement definitely seems mutually beneficial for both pfSense and Netgate.

-- 
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
[pfSense] unbound using ipv6 in ipv4-only environment
I've noticed that the latest Unbound package attempts to use IPv6 even when I only have IPv4 connectivity, resulting in a handful of errors logged. I'm not sure if these errors cause problems or not; I'd expect them to fail instantly. However, I'm not certain whether it's actually a factor; the underlying issue I'm trying to troubleshoot is periodic delays in DNS resolution. If I don't restore the cache, I do observe definite delays the first time a particular gTLD or ccTLD is accessed, which coincides with a bunch of IPv6-related errors as unbound unsuccessfully attempts to connect.

Is there any harm in flipping unbound's IPv6 support off in the package? Is there any reason to leave it on? Is it doing any harm?

-- 
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
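For reference, the setting being asked about exists in unbound's own configuration file independently of the pfSense package GUI. The fragment below is an added illustration, not from the thread and not the package's generated config; the option names are standard unbound.conf server options, and how (or whether) the package exposes them is not assumed.

```conf
server:
    # Do not issue (or answer) queries over IPv6 transport. This is the
    # transport-level switch: AAAA records are still resolved and returned,
    # they are just fetched from upstream over IPv4. With it set to "yes" on
    # a host that has no IPv6 route, every attempt to reach an IPv6-only
    # authoritative address fails and is logged, which is the error noise
    # described in the thread.
    do-ip6: no

    # IPv4 transport stays enabled (the default).
    do-ip4: yes
```

A reasonable check after changing it is to watch the unbound log for the first lookup of a TLD not yet in cache and confirm the IPv6 connect failures are gone while the answer still contains AAAA records where the zone publishes them.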
Re: [pfSense] pfSense version 2.1.1 has been released
On 2014-04-04 19:29, Chris Buechler wrote:
> On Fri, Apr 4, 2014 at 9:13 PM, Peder Rovelstad provels...@comcast.net wrote:
>> Worked for me on my home FW, but didn't reboot on its own (I did receive a mail message that it would reboot in 10 sec). Power cycle brought it back on the right slice. Looking good!
>
> Did you inadvertently switch architectures maybe? Going from 32 bit to 64 bit is the most common cause of that; when it finishes it can no longer execute the reboot binary as it's a 64 bit binary on a 32 bit running kernel.

Out of curiosity, couldn't this be solved by including both a 32-bit and 64-bit binary and calling both?
Re: [pfSense] apinger not noticing good connection
On 2014-04-22 06:18, David Burgess wrote:
> Anyone else seeing apinger losing packets while ping doesn't? For many days now the gateway widget on my 2.1 box has been reporting packet loss in the 300-500% range. Meanwhile ping and RRD show no packet loss. This same system was recently showing a baseline of 2% loss in RRD while ping showed no loss. I had to stop apinger and delete my RRD data to fix that one.

I gave up on expecting apinger to do anything useful; it constantly sees loss where there is none* here, and occasionally sees nothing unusual when the upstream modem is down completely.

*None meaning less than 1%, per RRD and a normal ping from a workstation.

-- 
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
[pfSense] Change MAC address on one VLAN of the same NIC.
Howdy! A quick question: is it possible for one NIC to use a different MAC address on different VLANs?

The longer version is that my ISP was kind enough to supply us with three modems:

1) 100Mb bridge, with a static IP
2) 100Mb NAT gateway, with a DHCP-assigned static IP
3) 15Mb bridge for VoIP, with a DHCP-assigned IP

My pfSense box only has one interface, using VLANs to connect to the modems through our managed switch. #1 and #2 work fine, but I can't get #1 and #3 online together; when the ISP sees the same MAC address on modem #1 and #3, it routes all traffic to one modem or the other, despite the fact that they have different IP addresses.

I'm hoping there's a way to override the MAC address on the VLAN for modem #3, but despite the field being available on VLAN interfaces, it doesn't seem to apply.

Just to be clear, if I unplug either #1 or #3, or if I connect #3 to a DHCP-assigned bridge on a different ISP, everything works. The IPs on all three ranges are in different subnets, so there are no gateway conflicts; as far as I can tell it's just the MAC address conflict.

Is there a better approach?

-- 
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
Re: [pfSense] Change MAC address on one VLAN of the same NIC.
On 2014-05-03 00:49, Ermal Luçi wrote:
> On Sat, May 3, 2014 at 12:14 AM, Dave Warren da...@hireahit.com wrote:
>> Howdy! A quick question: is it possible for one NIC to use a different MAC address on different VLANs?
>
> Well, FreeBSD supports this if ng_vlan gets used. ng_vlan is being used only for Q-in-Q in pfSense. It needs some development to make a vlan based on ng_vlan support in pfSense. Though today it is not possible to configure that, apart from the command line.

Fair enough, thanks. I'm working on a hardware solution, but that's a little ways away right now.

-- 
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
[pfSense] Intel Pro/1000 PT Quad Port PCI-e Gigabit Ethernet
Anyone have experience with an Intel Pro/1000 PT Quad Port PCI-e Gigabit Ethernet Server Adapter EXP19404PT on pfSense? From wandering the forums it looks like it should be supported in pfSense 2, but I can't find any confirmation that it actually works.

Or alternatively, can anyone else recommend a quad port that's available at a reasonable price for a small deployment?

-- 
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
Re: [pfSense] Intel Pro/1000 PT Quad Port PCI-e Gigabit Ethernet
On 2014-05-09 15:13, Jason McClung wrote:
> On 5/9/2014 3:02 PM, Dave Warren wrote:
>> Anyone have experience with an Intel Pro/1000 PT Quad Port PCI-e Gigabit Ethernet Server Adapter EXP19404PT on pfSense? From wandering the forums it looks like it should be supported in pfSense 2, but I can't find any confirmation that it actually works. Or alternatively, can anyone else recommend a quad port that's available at a reasonable price for a small deployment?
>
> I have an Intel Pro/1000PT Quad port (low-profile if that matters) in my home pfSense box. I just installed it 2 weeks ago actually (recent cheap ebay find). I have had no issue so far, but I am not too demanding a user.
>
> Check out the FreeBSD 8.3 HCL for supported network cards.
> http://www.freebsd.org/releases/8.3R/hardware.html#ETHERNET

The one I'm looking at is listed, but I've learned that the HCL isn't always reliable as to whether something actually works in the real world :(

I'm looking on eBay as well; it's worth the gamble vs buying new. Thanks!

-- 
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
Re: [pfSense] Bogon List
On 2014-05-23 05:50, Paul Galati wrote:
> My pfsense box is connected to the edge and has a public IP address, so private and bogons are checked. It's the end user that appears to be on an ISP that is using a private IP one hop upstream from his personal router. When his packets reach the public internet, it appears to come from 216.14.x.x. My question is why IP 216.14.x.x is being caught by the bogon filter even though it is not listed in CYMRU's database.

It might not hurt to check Diagnostics -- Tables to see if the IP is listed there.

I had a weird scenario a few days ago: an alias previously contained a mix of hostnames and IP addresses, several of which were removed. A period of days later, I noticed that the table still included the IP addresses resolved from the hostnames (but the IPs that were listed as IPs had been removed). I verified that alias changes had been applied, which they had. I then added a new hostname to the list; it was added to the table, while the existing IPs remained.

I can't reproduce it on demand, but it was a fairly small alias list so I verified every entry by hand; the bad data was there (and seemed to want to stay there), so it makes me wonder if other lists could be subject to the same phantom entries?

-- 
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
[pfSense] RRD 1-month vs 3-month
Exactly 1 month ago we got new internet connectivity installed, and I reconfigured some interfaces. To allow me to track bandwidth on our new configuration, I reset RRD statistics.

Looking at the traffic graphs for the 1-month and 3-month, the numbers appear to be off by a fair amount.

1 month IPv4 in-pass: 11.30GB
3 month IPv4 in-pass: 5.33GB
1 month IPv4 out-pass: 5.37GB
3 month IPv4 out-pass: 5.11GB
1 month IPv4 in-block: 13.12GB
3 month IPv4 in-block: 7.13GB
1 month IPv6 in-block: 4.53GB
3 month IPv6 in-block: 4.28GB

I feel like I'm missing something obvious here, but how is it possible that I've got more traffic reported in the 1-month graphs than the 3-month graphs?

The actual graphs are posted here:
https://www.dropbox.com/s/67nd5hwq0n43tt2/status_rrd_graph_img-1month.php.png
https://www.dropbox.com/s/sik3u8ladx2rv3n/status_rrd_graph_img-3month.php.png

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
Re: [pfSense] RRD 1-month vs 3-month
On 2014-05-30 09:54, Michael Hardrick wrote:
> Graphs are usually rounded off to the 90th percentile (or similar). Graphs of one-day, one-week, one-month, one-year will reflect more of a relative percentage of the total bandwidth for the period.

A bit of rounding is fine, but we're not talking about that, I'm seeing over double the in-pass, and nearly double the in-block. That's a *huge* difference.

(Original stats below, for reference)

> 1 month IPv4 in-pass: 11.30GB
> 3 month IPv4 in-pass: 5.33GB
> 1 month IPv4 out-pass: 5.37GB
> 3 month IPv4 out-pass: 5.11GB
> 1 month IPv4 in-block: 13.12GB
> 3 month IPv4 in-block: 7.13GB
> 1 month IPv6 in-block: 4.53GB
> 3 month IPv6 in-block: 4.28GB
>
> I feel like I'm missing something obvious here, but how is it possible that I've got more traffic reported in the 1-month graphs than the 3-month graphs?
>
> The actual graphs are posted here:
> https://www.dropbox.com/s/67nd5hwq0n43tt2/status_rrd_graph_img-1month.php.png
> https://www.dropbox.com/s/sik3u8ladx2rv3n/status_rrd_graph_img-3month.php.png
Re: [pfSense] Report Errors
On 2014-06-02 11:18, Brian Caouette wrote:
> This one shows a really low hit rate: http://bbs.dlois.com:/lightsquid/index.cgi I thought Squid was better than this. Suggestions?

I'm only seeing 4 users one day, 8 the other, and a fairly low amount of data transferred, so a low hit rate is expected. Modern browsers do a fairly decent job of caching internally, so typically with a single user, squid's hit rate will be pretty close to 0%; it's only once you have multiple users accessing the same sites that you'll see any real degree of caching.

With modern sites moving toward HTTPS for everything including static resources, proxies are likely to see lower hit rates than was typical even a handful of years ago due to the fact that proxies can (usually) only cache HTTP content; HTTPS content gets tunneled through the proxy.

> Can anyone point me in the right direction? As much as I like pfSense, it and packages are really prone to glitches and overall bugs.

I don't disagree. Packages don't get the same level of quality checking/testing that pfSense itself does, and are often very complicated pieces of software wrapped up under a set of "One size fits some" defaults, with only a handful of the most common options directly exposed to the user.

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
Re: [pfSense] skype 29 minute fail
On 2014-06-16 14:08, Stefan Baur wrote:
> On 16.06.2014 22:50, Vick Khera wrote:
>> FWIW I just did a call with the firewall set to conservative state management. Still 29 minutes until voice quality fail.
>
> I'm anything but a Skype expert, but have you tried blocking your Skype installs from becoming supernodes?
>
> On Windows: HKEY_LOCAL_MACHINE\Software\Policies\Skype\Phone, DisableSupernode, REG_DWORD = 1

Based on http://arstechnica.com/business/2012/05/skype-replaces-p2p-supernodes-with-linux-boxes-hosted-by-microsoft/ and http://www.zdnet.com/skype-ditched-peer-to-peer-supernodes-for-scalability-not-surveillance-717215/ it doesn't sound like Skype uses Supernodes anymore anyway, so that probably isn't relevant.

(Also not a Skype expert, I just remember reading about it and went Googling :)

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
Re: [pfSense] Unbound vs stock
On 2014-07-11 10:04, Brian Caouette wrote:
> Why is it unbound doesn't report dns name for light squid and if I return to stock it does? In both of them I have enabled register static mappings yet unbound doesn't give the time to light squid in the reports where stock does..

When you use dnsmasq, pfSense adds 127.0.0.1 to the top of resolv.conf, and therefore pfSense itself asks dnsmasq for local resolution and is able to resolve local hostnames. However, when you use unbound, dnsmasq is turned off, so pfSense itself is just using your configured DNS servers (or ISP DHCP provided ones, depending on configuration).

Assuming unbound does full resolution and doesn't forward, you can work around this by listing 127.0.0.1 as your primary DNS resolver in pfSense. However, if you do that, you'll have to make sure that pfSense isn't handing out these DNS servers' IPs to clients anywhere (DHCP server? OpenVPN?). And if you have unbound forwarding, obviously you can't include 127.0.0.1 or unbound will forward to itself.

Finally, pointing to 127.0.0.1 will partially break upgrades since pfSense will come up without packages, and therefore without a DNS server, then it will find itself unable to find pfsense.org to download packages.

Ultimately the fix will be for pfSense to recognize unbound as a local DNS server and add it to resolv.conf by default, similar to dnsmasq.

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
Re: [pfSense] Squid Problem and DNS?
On 2014-07-16 08:43, Brian Caouette wrote:
> I have not tried ISP's dns as I've found Google's to be faster. I can try that test tonight when I get home though to rule out the possibility.

Be aware that using non-local DNS can end up with a suboptimal CDN routing situation as you get routed to the CDN nearest your chosen DNS servers rather than your actual local network. These might well be appropriately placed, but they might not, depending on where Google's DNS resolution happens for the node that you hit.

In my opinion, running your own DNS is a better solution, if you're technically capable. On pfSense, this is often as simple as installing unbound and using it as a full resolver instead of DNS Forwarding/dnsmasq.

> As for #2 I understand, I just find it odd the prior install, although poor hit rate, still produced results where the current install is at 0 after a week. Our traffic hasn't changed, we still surf the same sites. The kids are typically on facebook, youtube, and game sites and the wife on school and work as I am.

Between sites moving everything to HTTPS and the amount of dynamic content, hit rates are typically very low these days. Even static resources are often served over HTTPS (SPDY removing the last major reason to not use HTTPS for such things).

Making it worse (but not really) is the way a lot of static content is called, embedding version numbers into JS/CSS/etc file names and using cache control headers to encourage clients to cache these resources for weeks, allowing browsers to efficiently cache resources that used to be served out of local proxy servers.

Still, I'd expect a rate greater than absolute 0, but it takes a large number of users to get any real value out of a proxy level cache these days. Or at least that was my experience when our office was stuck on a 3Mb pipe instead of our usual dual 100Mb for a few months.

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
Re: [pfSense] ZFS warning message on local console during boot
On 2014-07-30 14:47, Jim Thompson wrote:
> no pfSense we produce has an installer that will make a zfs filesystem.

I also get some zfs warnings during boot, and I absolutely guarantee you that I have not created or changed any partitions at all from pfSense's defaults.

Based on other messages in this thread, it appears that it's harmless and can be ignored since no zfs partitions are actually mounted, but the error still appears.

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
Re: [pfSense] ZFS warning message on local console during boot
On 2014-07-30 13:23, Paul Mather wrote:
> I swear by ZFS on my regular FreeBSD systems (though I was having trouble with it on FreeBSD/i386 latterly). I don't think there's any bashing of ZFS per se, just a wondering why you'd use it on a firewall appliance that's basically a nanobsd setup at heart...

Maybe it's just me, but I want my firewall to just work; after power failures, on failing drives, etc. is a big plus. Having a self-repairing, snapshotting file system sounds like a huge benefit, but I don't know what the drawbacks are in this context, so I can't make an actual recommendation.

Imagine having snapshots before updates or major changes so that things can be reverted to a working state, rather than relying on the piecemeal XML backups which, at best, bring you a "moderately similar to the previous state" configuration.

Being immune to corruption due to power-failures would be nice too; when I was running squid on pfSense, an unexpected power failure virtually always resulted in file system corruption being repaired, still resulting in a broken squid cache -- I have the impression that zfs would give me a lot more resiliency here (but possibly not, perhaps squid simply can't ever recover gracefully).

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
[pfSense] pfSense DHCP PTR registration
I recently switched over to pfSense's DHCP, and have managed to get A record registration from pfSense working; however, I'm unable to get PTR record registration working reliably.

It appears that pfSense is trying to register IPs in 16.172.in-addr.arpa, whereas my reverse DNS zone is named 0.16.172.in-addr.arpa, consistent with the fact that I'm using 172.16.0.0/24 for my internal subnet.

Is there a way to tell pfSense to register records in 0.16.172.in-addr.arpa instead? Or do I have something misconfigured?

(To be clear, I'm wanting pfSense's DHCP server to register the IPs in the appropriate upstream DNS server, not in the DNS forwarder, as in my configuration the DNS forwarder is not authoritative or in a position to intercept queries)

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
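Working through the zone-naming mismatch in the post above, as an added example that is neither pfSense's code nor anything from the list: for 172.16.0.0/24 the PTR records live in 0.16.172.in-addr.arpa, while 16.172.in-addr.arpa is the zone for the whole 172.16.0.0/16, which is why an updater that derives the zone from the address's first two octets sends its updates to a zone the server does not host. The code computes the owner name and zone for a lease, picks the most specific zone from the list of zones the server actually hosts, and renders an nsupdate(1) batch naming that zone explicitly. The nsupdate keywords (server, zone, update delete, update add, send) are real; the server address 172.16.0.5, the host name phone01.lan.example and the zone list are illustrative assumptions.

```python
import ipaddress


def ptr_owner_name(addr):
    """Owner name of the PTR record for an IPv4/IPv6 address, fully qualified:
    172.16.0.10 -> 10.0.16.172.in-addr.arpa."""
    return ipaddress.ip_address(addr).reverse_pointer + "."


def reverse_zone(network):
    """Name of the in-addr.arpa zone holding PTRs for an octet-aligned IPv4
    prefix: 172.16.0.0/24 -> 0.16.172.in-addr.arpa. but
    172.16.0.0/16 -> 16.172.in-addr.arpa. (the zone pfSense was targeting)."""
    net = ipaddress.ip_network(network, strict=True)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError("only /8, /16 and /24 IPv4 prefixes map to one classful reverse zone")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def zone_for_owner(owner, zones):
    """Longest-suffix match of an owner name against the zones the server
    really hosts; None when no configured zone covers the name. The leading
    dot prevents 6.172.in-addr.arpa. from matching ...16.172.in-addr.arpa."""
    matches = [z for z in zones if owner == z or owner.endswith("." + z)]
    return max(matches, key=len) if matches else None


def ptr_update(server, addr, hostname, zones, ttl=3600):
    """Render an nsupdate(1) batch replacing the PTR for `addr`, naming the
    zone explicitly so the update goes to a zone that exists rather than one
    guessed from the address."""
    owner = ptr_owner_name(addr)
    zone = zone_for_owner(owner, zones)
    if zone is None:
        raise LookupError(f"no configured reverse zone covers {owner}")
    if not hostname.endswith("."):
        hostname += "."  # PTR data must be a fully qualified name
    return "\n".join([
        f"server {server}",
        f"zone {zone}",
        f"update delete {owner} PTR",
        f"update add {owner} {ttl} PTR {hostname}",
        "send",
    ]) + "\n"


if __name__ == "__main__":
    # Illustrative values: one /24 reverse zone on a hypothetical server 172.16.0.5
    hosted = ["0.16.172.in-addr.arpa."]
    print(ptr_update("172.16.0.5", "172.16.0.10", "phone01.lan.example", hosted))
```

The rendered batch can be piped to `nsupdate -k <tsig-key-file>` against a server that accepts RFC 2136 updates for that zone; the point of the explicit `zone` line is that the update is refused with a clear NOTAUTH rather than silently aimed at the parent zone.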
Re: [pfSense] Fwd: [Announce] 2.1.5 Release
On 2014-08-29 07:47, Jim Thompson wrote:
> again, the CSS changed, and the browsers love to cache that stuff.

Not if the HTML that calls the CSS throws a version into the filename or query, in which case there are no caching issues at all when the version is incremented.

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
Re: [pfSense] APU and SSD: full install or NanoBSD
On 2014-10-30 17:15, Jim Thompson wrote:
> On Oct 30, 2014, at 3:39 PM, Dave Warren da...@hireahit.com wrote:
>> Buy quality instead of junk? ... Even a cheapo 30GB/60GB/whatever SSD is more than enough for pfSense and makes a far more reliable solution than external flash.
>
> I strongly disagree. SSDs have to be part of a system, especially in an embedded environment. The debacle with the “cheap 30GB” m-sata drive from PC Engines earlier in the year (they had to take them all back) should amply demonstrate why thinking such as what you express here is deeply flawed.

Sorry if I wasn't clear, I meant a cheapo SSD because it's small -- I'm suggesting you don't need to invest in a large or fast SSD for pfSense, but rather, cheap out on size, while getting a quality device built for lifespan and reliability.

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
Re: [pfSense] Enforcing policy routing gateway
On 2015-01-11 19:40, Moshe Katz wrote:
> Depending on how complex your rules are, you could also create negative versions of them that explicitly block that traffic on all other interfaces except the VPN. (Aliases could help simplify that, but you may or may not actually want to do it, depending on the rule complexity.)

I'd love an option to reject/drop/whatever traffic destined to unavailable gateways, this is far better than leaking the traffic out the wrong gateway for my purposes. However, at the moment it adds a fairly significant amount of overhead to have to duplicate every rule with an "Or else just reject the above..." It's functional, but a hassle.

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
Re: [pfSense] postfix+mailscanner on 2.2.4
On 2015-07-30 12:51, Juan Pablo wrote:
> Hello guys, does anybody know if $subject packages are working on 2.2.4? I have not seen it working since 2.1.5, and would like to hear about it. thanks everyone for the effort on making such a beauty as pfSense!

Unfortunately not, the package is not maintained, and does not work on any modern version of pfSense.

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
Re: [pfSense] Access Point Recommendations?
On 2015-07-23 21:24, Adam Thompson wrote:
> On 2015-07-23 10:46 AM, Karl Fife wrote:
>> Your point about having a one-off solution is a great one. Installing a single UniFi AP would be unnecessarily complex. The TP-Link TL-WA801nd is a BGN-only device. Do you (or anyone) have a preferred stand-alone AC access point?
>
> Not a recommendation at all, but stay away from EnGenius devices. OK hardware, good price, but (e.g.) my AP comes with an open DNS resolver that can't be disabled, and they don't seem to think it's a problem at all...

I like the EnGenius hardware, when it works, but if it doesn't, support doesn't seem to care about much. I'm trying to map SSIDs to VLANs, the traffic just won't pass, switch doesn't even see it, and support hasn't been useful. Looks like a bug, but still, it's literally the reason I bought the device over my previous solution. On the other hand, the speed is amazing, so I'm not ripping it out.

I noticed the DNS resolver, but it didn't bother me personally as I have other resolvers similarly positioned in my network. As a possible workaround, does it need DNS at all? If not, either remove its DNS settings, or configure your resolver to refuse packets. Not perfect, but it's better than being an open resolver if it's exposed to untrusted users.

And for whatever it's worth, it looks like a non-caching forwarder, not a full resolver. Still, it concerns me that support doesn't understand how it's a potential issue. If you use it for NAT/routing/anything, does it listen on the WAN interface, or only the LAN side?

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
Re: [pfSense] Access Point Recommendations?
On 2015-07-24 10:15, Adam Thompson wrote:
> To clarify, I have an EAP-600, which is a pure access point, not a router at all. It only has one LAN port, grand total. There is *no* universe where it makes sense for an access point to run a DNS server/forwarder/whatever.

I have the EAP900H, which is inherently similar (it's outwardly physically identical). However, it has the capability to enable a guest network, which has NAT, so in this configuration, the DNS forwarder does make sense. They probably used the same basic firmware. But there's no excuse for not making it configurable, nor should it be enabled by default unless the guest network is enabled.

Ultimately I'm not unhappy with the overall performance of the unit, but it's still not one I'd wholeheartedly recommend, mostly because of the support experience.

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
Re: [pfSense] QoS for fairness usage
On 2015-07-14 00:55, Lorenzo Milesi wrote:
> Hi
> I found this [1] nice and quick howto which explains how to set up pfSense QoS to obtain fair usage between clients, so that one will not suck all the available bandwidth. Has anyone tried it? is it working for you? I made a quick check and doesn't really seem to, I started a download on my laptop and then on the server and the latter was going nearly full speed, leaving less than 100kB/s to my client.
>
> [1] http://www.gridstorm.net/pfsense-traffic-limiting-fair-share/

I spent days tweaking, trying suggestions on the forums, IRC, etc. Nothing came of it, I could never get any sort of QoS working to balance traffic between users without allowing one user to starve out others, or even to prioritize some traffic at the expense of others. Traffic would seem to get into the right queue, but fire up an active torrent on a client tweaked for far too many connections and normal browsing traffic from other machines was still quickly starved out.

I eventually gave up and just started limiting known problem-users; this too proved to be unreliable as I would regularly see problem users exceeding their limits very considerably, both upstream and downstream, but it did help.

Ultimately we just brought in a second pipe from the ISP and now we route high-bandwidth users to that pipe and let them fight it out amongst themselves. That has worked quite reliably.

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
Re: [pfSense] Disable DHCP domain-name request
On 2015-11-22 22:51, Nicola Ferrari (#554252) wrote:
> Hi, marco? Did you remove old dhcp leases on pfsense? If you renew dhcp request on an already present client (in dhcp leases), the client will use the old lease (and all its options), so you'll not see your new configurations reflected. Delete all leases from Status -> DHCP leases, restart dhcp service and retry ...

That's not necessary and would be incorrect behaviour if it were happening. I just confirmed here with my pfSense installation: new options are applied without removing the old lease in all expected cases, including the Domain Name field. I tested via a Domain Name change against an automatic renewal and manual renewal, as well as a "release/renew" cycle; in all cases the client was aware of the new settings immediately after the DHCP operation completed.

Now admittedly some broken clients won't reflect all changes immediately; some of our VoIP phones will update DNS servers as soon as they renew, but won't update timezone information until the next reboot, but this is a client deficiency and nothing you do in pfSense (including removing the old lease) will make a difference, and it only causes issues on specific hardware, but if you capture and analyze the packets, you'll see correct data was sent by the DHCP server.

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
[pfSense] Restoring DHCP table from 2.2.x into 2.3.x
Howdy!

I am looking at replacing my 2.2.something pfSense box with a fresh install of 2.3. Is it possible to restore just the DHCP configuration (leases, statics, and custom DHCP options)?

Enough of the other stuff is being tossed that a fresh install would seem to make sense, but it would be convenient if IP assignments didn't need to change as this makes it easier to bring the new firewall up side by side with the old one and transfer over relatively seamlessly.

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
Re: [pfSense] Restoring DHCP table from 2.2.x into 2.3.x
On 2016-05-29 17:35, Walter Parker wrote:
> You could try copying the entries from the old XML and paste it in the new XML file.

Is the backup/restore mechanism similar and compatible? This would at least bring static assignments and configuration across, without restoring anything else, which would probably be Good Enough for my purposes; in general any machine that is powered on when its lease expires will tend to request the same IP from the new server, although it's a bit of an imperfect solution.

I'm more nervous about copying entire sections into the XML right now, although if the data appears similar, it may be worth considering.

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
Re: [pfSense] pfsense upgrade problems?
On Wed, Feb 22, 2017, at 10:23, Eero Volotinen wrote:
> The process will require 14 MiB more space.
>
> 73 MiB to be downloaded.
>
> Fetching php56-5.6.30.txz: .. done
>
> pkg: php56-5.6.30 failed checksum from repository
>
> something wrong with the packages?

I upgraded a couple pfSense boxes without difficulty, including one virtual test server a few hours ago.
Re: [pfSense] looking for perfect pfsense box for home?
On 2016-08-21 05:50, Paul Mather wrote:
> Not to sound like an apologist or a shill for the pfSense project, but in the line just above the "Products" link that you presumably clicked on, right at the very top of the page, is a link labelled "Store". On the same line as the "Store" link is a "Partner Locator" link that goes to a page with a list of MSP, VAR, and Retail companies. That might have been a good place to find official pfSense hardware. :-)

Perhaps. But when I went to the product comparison page, I found none were even close to what I need; it's not that I wasn't aware of the store, but rather, there was no reason to visit the store to look at products that I wasn't going to buy.

If /products is intended to be an overview, why not replace the specific model entries with categories that show the ranges of prices and capabilities, and change the "More Details" buttons to link to products within those families? Or at least give some clue that there are other offerings in some obvious way.

Even so, I'm not sure it would have mattered, 799USD is still a lot for what it is; I spent under 100CAD on a 1U server from eBay that will probably do more than I'll need for the immediate future. I'll probably just buy Gold and call it a day.

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
Re: [pfSense] looking for perfect pfsense box for home?
On 2016-08-03 08:43, Steve Yates wrote:
> I'm being serious but what is your rationale for not using pfSense's/NetGate's? https://www.pfsense.org/products/ The "cheap" part (< $299)? We tried a "build our own" approach and it's tough to get a small package. Any old PC will do just fine if one adds an SSD but as someone pointed out that may use far more power in the long run.

For me, it's the fact that I want to rackmount my gear, but $1,799.00 is the cheapest option offered on pfSense.org that can rackmount.

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
Re: [pfSense] looking for perfect pfsense box for home?
On 2016-08-20 04:02, Jim Thompson wrote:
> On Aug 20, 2016, at 3:10 AM, Dave Warren <da...@hireahit.com> wrote:
>> On 2016-08-03 08:43, Steve Yates wrote:
>>> I'm being serious but what is your rationale for not using pfSense's/NetGate's? https://www.pfsense.org/products/ The "cheap" part (< $299)? We tried a "build our own" approach and it's tough to get a small package. Any old PC will do just fine if one adds an SSD but as someone pointed out that may use far more power in the long run.
>>
>> For me, it's the fact that I want to rackmount my gear, but $1,799.00 is the cheapest option offered on pfSense.org that can rackmount.
>
> You seem to have added $1000 without justification: https://store.pfsense.org/SG-4860-1U/

Perhaps someone should put that on the https://pfsense.org/ website?

I started at https://pfsense.org/, then clicked on Products, which took me to https://pfsense.org/products/ which only offers https://store.pfsense.org/XG-2758/ when I was looking for a new product a couple weeks ago.

It didn't occur to me you would have multiple incomplete lists of products, so I ordered hardware elsewhere already. Shame, I'd rather have supported pfSense, but it's too late now.

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
[pfSense] Any side effects or negative impact to reassigning ports?
Howdy!

I'm building out a new pfSense box, but the NICs have not yet arrived and I'm wondering how much configuration I can do in advance.

My configuration will be a quad port Intel NIC, two ports will be WAN ports directly connected to a pair of modems, and the other two will be a LACP LAGG group carrying multiple tagged VLANs, routing some traffic internally and some externally.

Can I create the VLANs now and associate them with one of the onboard NICs so that I can proceed with all the other configuration details, DHCP servers, firewall rules, custom NAT, and everything else, such that when the real NIC is installed, I create the LAGG and re-assign the interfaces? Or are there any "things" in pfSense that are associated with the physical NIC rather than the interface?
Re: [pfSense] acme package: wrong agreement URL
For anyone else still having issues, it looks like the package was updated November 16th.

On Sat, Nov 18, 2017, at 20:39, WebDawg wrote:
> Did you report this as a bug?
>
> On Thu, Nov 16, 2017 at 4:36 AM, Brian Candler wrote:
>> Trying to use the acme package with pfsense 2.4.1 and the LetsEncrypt staging server
>>
>> Certificate enrolment failed, although all the output was in green.
>>
>> /tmp/acme//acme_issuecert.log shows HTTP 400 errors, with the following response:
>>
>> [Thu Nov 16 10:28:19 UTC 2017] response='{"type":"urn:acme:error:malformed","detail":"Provided agreement URL [https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf] does not match current agreement URL [https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf]","status": 400}'
>>
>> I couldn't see how to change this in the GUI, so I had to edit /usr/local/pkg/acme/acme.sh
>>
>> I presume the package needs updating?
>>
>> Thanks,
>>
>> Brian.
[pfSense] Firewall by ASN
Howdy!

Is there a way to firewall traffic based on the ASN?

The underlying reason is that we've recently enabled HE's tunnelbroker which, for the most part, works great. However we've run into certain services *cough*Netflix*cough* which reject traffic sent through a HE tunnel. I'd like to reject this traffic from the tunnel, which will force the client to fall back on IPv4 connections.

I've experimented with simply rejecting all IPv6 traffic from the device, or watching what connections it makes and blocking the appropriate IPv6 allocations, but with widely distributed networks the client often jumps to a different block of IPs and it would be a lot less work to block an ASN at a time rather than a specific range at a time. For the two services I'm using for testing, both seem like they could be blocked by ASN fairly easily.

If there is no better way, I might try to write a HTTPS service which parses ARIN's WHOIS and returns a list of ranges allocated to a particular ASN, but it seems like there could be a better way.
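One shape the "service that returns the ranges for an ASN" could take, as an added example that is not pfSense's code or anything posted to the list: start from a prefix-to-origin-AS table (the layout below follows the CAIDA pfx2as style of prefix, length and origin AS per line, with "_" joining multi-origin entries), select the prefixes a given ASN originates, aggregate them into the smallest CIDR set, and emit one CIDR per line, which is the file format a pfSense URL Table alias fetches and refreshes. The sample table is constructed: the prefixes are RFC 5737 / RFC 3849 documentation ranges and the ASNs are from the private range, so nothing in it describes a real network. Multi-origin prefixes are skipped by default because a block rule on them also hits the other AS that announces them; that is the edge case a WHOIS scrape silently gets wrong.

```python
import ipaddress

# Constructed sample in a pfx2as-style layout: prefix, length, origin AS.
# Documentation prefixes and private ASNs only; not a real routing snapshot.
SAMPLE_PFX2AS = """\
192.0.2.0\t24\t64500
198.51.100.0\t25\t64500
198.51.100.128\t25\t64500
203.0.113.0\t24\t64501
2001:db8:1::\t48\t64500
2001:db8:2::\t48\t64500_64501
"""


def parse_pfx2as(text):
    """Yield (network, set_of_origin_asns) for each usable line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        prefix, length, origins = line.split("\t")
        net = ipaddress.ip_network(f"{prefix}/{length}", strict=True)
        yield net, {int(a) for a in origins.split("_")}


def prefixes_for_asn(text, asn, include_multi_origin=False):
    """Prefixes originated by `asn`, aggregated into the minimal CIDR set
    (adjacent /25s become one /24). Multi-origin prefixes are excluded unless
    asked for, since blocking them blocks the other announcing AS too."""
    wanted = [net for net, origins in parse_pfx2as(text)
              if asn in origins and (include_multi_origin or len(origins) == 1)]
    v4 = ipaddress.collapse_addresses(n for n in wanted if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in wanted if n.version == 6)
    return list(v4) + list(v6)


def render_alias(nets):
    """One CIDR per line: the body a pfSense URL Table alias expects."""
    return "".join(f"{n}\n" for n in nets)


def is_covered(nets, addr):
    """Would a packet to `addr` match a rule built on this alias?"""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets if n.version == ip.version)


if __name__ == "__main__":
    # Serve this text over HTTPS and point the alias at it; the IPv6 entries
    # are what a block rule on the tunnel interface would use.
    print(render_alias(prefixes_for_asn(SAMPLE_PFX2AS, 64500)), end="")
```

For the tunnel case the rule would be a reject on the LAN side for destination "alias" with IPv6 only, so the client falls back to IPv4 rather than waiting for a silent drop. Feeding the alias from a published prefix-to-AS table rather than WHOIS avoids parsing free-text RIR output and keeps the list current as the service's announcements change.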
Re: [pfSense] DNS over TLS config for pfSense 2.2.6
On 2018-04-06 00:09, Bryan D. wrote:
> On 2018-Apr-05, at 10:47 PM, Dave Warren <d...@thedave.ca> wrote:
>> Cloudflare has pushed an update, and things seem to be working from here. For those having issues, try again now?
>
> Thanks for the "heads up." Works for me, also (i.e., on pfSense 2.2.6 configured as stated in previous posting).

How's the speed? I'm seeing moderately slower results for queries that go out to 1.1.1.1, whereas queries from the cache or stub zones (to servers hosted out on the 'net) are very fast. If I switch TLS off and go back to @53 it's faster, but ultimately not as fast as just running recursion myself.
Re: [pfSense] DNS over TLS config for pfSense 2.2.6
On 2018-04-05 01:25, Bryan D. wrote:
> On 2018-Apr-04, at 10:05 PM, Dave Warren <d...@thedave.ca> wrote:
>> I can also confirm that 9.9.9.9@853 does work here which reinforces that this is a Cloudflare specific issue.
>
> So it looks like the following config works on pfSense 2.2.6's unbound/DNS Resolver (so should work with 1.1.1.1 when Cloudflare gets things fixed):
>
> server:
>     ssl-upstream: yes
>     ssl-port: 853
>
> forward-zone:
>     name: "."
>     forward-addr: 9.9.9.9@853

Cloudflare has pushed an update, and things seem to be working from here. For those having issues, try again now?
Re: [pfSense] DNS over TLS config for pfSense 2.2.6
I'm running 2.4.3-RELEASE (amd64). I can't get it working here either; after a couple hours of poking at it on and off, it now looks like this is actually a Cloudflare issue:

https://community.cloudflare.com/t/1-1-1-1-was-working-but-not-anymore/15136/4

"Thanks for the report! This is going to be fixed in the next upgrade that’s being rolled out. There was an interop issue in the last upgrade with Unbound as it sends the frame size and the actual DNS message in two separate packets instead of both at once."

So it looks like the immediate solution is to revert to port 53 and wait for Cloudflare.

I can also confirm that 9.9.9.9@853 does work here which reinforces that this is a Cloudflare specific issue.

On 2018-04-04 19:23, James wrote:
> Sorry, mine was indeed on 2.4.X. The daemon appeared to start up but any queries returned no records.
>
> On Thu, 5 Apr 2018, at 11:20 AM, Steve Yates wrote:
>> Wild guess, but did you try it in 2.4.x?
>>
>> --
>> Steve Yates
>> ITS, Inc.
>>
>> -Original Message-
>> From: List On Behalf Of Bryan D.
>> Sent: Wednesday, April 4, 2018 8:01 PM
>> To: pfSense Support and Discussion Mailing List
>> Subject: [pfSense] DNS over TLS config for pfSense 2.2.6
>>
>> Re: https://www.netgate.com/blog/dns-over-tls-with-pfsense.html
>>
>> Applying the suggested "Custom Options" to the Unbound/DNS Resolver configuration in pfSense 2.2.6 does not work, with logs indicating that "forward-ssl-upstream" is invalid.
>>
>> I tried various incantations using "server: ssl-upstream: yes" with and without "ssl-port: 853" and, although the unbound service would then run, a DNS/host query always indicated that no hosts were found.
>>
>> Does anyone know a configuration that will work with pfSense 2.2.6?
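The Cloudflare explanation quoted in the message above (the two-byte frame size and the DNS message arriving in separate packets) is a framing-reader bug, not a TLS one: DNS over TLS reuses the DNS-over-TCP framing of RFC 1035 section 4.2.2, and a stream gives no guarantee that one read lines up with one write from the peer. The following is an added example, my own code rather than unbound's or Cloudflare's, showing the robust reader beside the fragile one. The query for example.com is built by hand for illustration, and SegmentedStream is a constructed test double that returns pre-arranged segments, because a real local socket would usually coalesce two quick writes and hide the bug.

```python
import struct


def build_query(qname, qtype=1, txid=0x1234):
    """Minimal DNS query: RFC 1035 header (RD set) plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(label)]) + label.encode("ascii")
                      for label in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def frame(msg):
    """Stream framing shared by DNS over TCP and DNS over TLS (RFC 7858):
    two-byte big-endian length, then the message."""
    return struct.pack("!H", len(msg)) + msg


def qname_of(msg):
    """Decode the question name from a query built by build_query."""
    pos, labels = 12, []
    while True:
        n = msg[pos]
        pos += 1
        if n == 0:
            return ".".join(labels)
        labels.append(msg[pos:pos + n].decode("ascii"))
        pos += n


def _recv_exact(sock, n):
    """Loop until exactly n bytes have arrived, however they were segmented."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-message")
        buf += chunk
    return bytes(buf)


def read_message(sock):
    """Robust reader: the length prefix first, then exactly that many bytes."""
    (length,) = struct.unpack("!H", _recv_exact(sock, 2))
    return _recv_exact(sock, length)


def read_message_naive(sock):
    """Fragile reader that assumes prefix and body share one read; this is
    the behaviour that breaks when the prefix arrives in its own packet."""
    data = sock.recv(65535)
    (length,) = struct.unpack("!H", data[:2])
    body = data[2:]
    if len(body) != length:
        raise ValueError(f"expected {length} body bytes, got {len(body)}")
    return body


class SegmentedStream:
    """Test double for a stream socket whose recv() returns pre-arranged
    segments, mimicking writes that arrive as separate packets."""

    def __init__(self, segments):
        self._segments = [bytes(s) for s in segments]

    def recv(self, n):
        if not self._segments:
            return b""
        head, rest = self._segments[0][:n], self._segments[0][n:]
        if rest:
            self._segments[0] = rest
        else:
            self._segments.pop(0)
        return head


def deliver(reader, segments):
    """Run a reader over one segmentation; None means the reader failed."""
    try:
        return reader(SegmentedStream(segments))
    except (ValueError, ConnectionError, struct.error):
        return None


if __name__ == "__main__":
    wire = frame(build_query("example.com"))
    split = [wire[:2], wire[2:]]  # length prefix and message in two packets
    print("robust reader ok:", deliver(read_message, split) is not None)
    print("naive reader ok: ", deliver(read_message_naive, split) is not None)
```

The robust reader also copes with the prefix itself being split across reads and with a peer that closes mid-message, which matters on a resolver exposed to the internet: a reader that trusts one recv() to deliver a whole frame can be wedged or confused by nothing more than unusual segmentation.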