Re: [pfSense] best ipsec cipher for aes-ni on sg-8860
On Sat, Dec 9, 2017 at 2:56 PM, Chris L wrote:
> AES-GCM with all hashes disabled in the ESP/Phase 2.

I'm curious why you recommend this. I'm not being contrary, just curious. I've always had hashing enabled for both P1 and P2s. Is this something unique to AES-GCM?

-ea

___ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold
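Added example, not part of the thread and not pfSense or strongSwan code: the reason a separate hash on an AES-GCM Phase 2 adds nothing is that GCM is an AEAD mode, whose 16-byte tag already authenticates the ciphertext and any associated data (in AES-GCM ESP, RFC 4106, that tag is the ESP ICV). The Go program below seals a message, flips one ciphertext bit, and shows that Open() rejects it, and likewise rejects the message under mismatched associated data. The key, the payload and the AAD strings are constructed test values.

```go
// Added example for this page (not pfSense or strongSwan code): AES-GCM is an
// AEAD mode, so its authentication tag already covers the ciphertext and the
// associated data. That is why an AES-GCM ESP proposal needs no separate
// integrity (hash/HMAC) algorithm: the GCM tag is the ESP ICV.
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// sealAESGCM encrypts plaintext under key with a fresh random 96-bit nonce and
// binds aad (think: ESP header fields) into the tag. Output layout is
// nonce || ciphertext || 16-byte tag.
func sealAESGCM(key, aad, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openAESGCM verifies the tag and only then decrypts. Any change to nonce,
// ciphertext, tag or aad makes it return an error and no plaintext.
func openAESGCM(key, aad, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed message too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// AEADChecks seals a constructed payload and reports three results:
// intactAccepted - the unmodified message decrypts to the original,
// tamperRejected - flipping one ciphertext bit is caught by the tag,
// aadRejected    - the same message is rejected under different aad.
// Without the tag, a bit flip in CTR-mode ciphertext would silently flip the
// matching plaintext bit; the tag is what stops that, not a separate HMAC.
func AEADChecks() (intactAccepted, tamperRejected, aadRejected bool) {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed 256-bit test key
	aad := []byte("spi=0x00000001 seq=1") // constructed associated data
	msg := []byte("phase-2 payload")

	sealed, err := sealAESGCM(key, aad, msg)
	if err != nil {
		return false, false, false
	}
	pt, err := openAESGCM(key, aad, sealed)
	intactAccepted = err == nil && bytes.Equal(pt, msg)

	tampered := append([]byte(nil), sealed...)
	tampered[12] ^= 0x01 // first ciphertext byte, right after the 12-byte nonce
	_, err = openAESGCM(key, aad, tampered)
	tamperRejected = err != nil

	_, err = openAESGCM(key, []byte("spi=0x00000001 seq=2"), sealed)
	aadRejected = err != nil
	return
}

func main() {
	a, b, c := AEADChecks()
	fmt.Printf("intact accepted: %v, tampered rejected: %v, wrong aad rejected: %v\n", a, b, c)
}
```

The practical consequence for a Phase 2 proposal: pair AES-GCM with no integrity algorithm, and keep a separate HMAC only for non-AEAD ciphers such as AES-CBC, where the cipher alone gives no integrity at all.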
Re: [pfSense] How To install MySQL on Pfsense 2.4
pfSense is a purpose-built router distribution, not a general-purpose OS. While it may be possible to do what you propose, you *should not* do this. Instead, if you require a database server, host it on a separate machine.

On Mon, May 15, 2017 at 11:27 PM, mohsen Abbaspour wrote:
> Hello everyone
> English is not my first language, excuse me for mistakes
>
> I know that this is a repetitive question: "How to install MySQL on pfSense?"
>
> But I searched almost every topic about that, and finally I don't understand what the correct solution is. Maybe install MySQL on pfSense 2.4? If the answer is yes, how do I do that? If the answer is no, what is the alternative solution?
>
> Integrating FreeRADIUS and MySQL is my reason for the MySQL installation. I want to group my internet users and have separate groups.
> So thanks
Re: [pfSense] What am I doing wrong? <10mbit through SG-1000
On Tue, Feb 7, 2017 at 11:59 PM, Øyvind 'bolt' Hvidsten wrote:
> I have an SG-1000 on which I experience very low throughput.

You're not the only one. I received my SG-1000 in mid December and have been going back and forth with Netgate support since then, trying to troubleshoot the poor performance I've been experiencing. To be fair, the Netgate support team has been very responsive and engaged in the process, but as of the most recent snapshot, I'm still seeing very poor performance vs. the SG-2220 (temporarily borrowed from my employer) I'd been using.

I have a 50/5 internet connection, and I can reliably see those speeds with the SG-2220. With the SG-1k, I'm lucky if I can hit 15Mbit down reliably, and this is with the bare-bones, factory default config. Additionally, the SG-1000 seems to remain in a very high-latency state for some time following speed tests. I'll have (for instance) ~8ms latency to my ISP's default gateway before a speed test, and then during the speed test and for some 10 minutes after the test, latency will spike into the hundreds of ms.

At this point, I've thrown in the towel, and have requested that I return the SG-1k for credit towards the purchase of an SG-2220. Support requested, as a last troubleshooting step, that I grant them remote access to my SG-1k so they can perform some more thorough real-time troubleshooting and testing. I'll be setting this up with them this week, and if they're not able to resolve it, I'll be returning the SG-1000.

I was very hopeful for this device, but at least at this stage of its maturity, there appear to still be significant issues to overcome.

-Erik
Re: [pfSense] pfSense on EC2 & IPsec
Well, as it happens, I resolved this within 60 seconds of hitting send. :)

On the side behind NAT, I needed to change my identifier to "IP Address" instead of "My IP Address" and list the public IP of the instance. At that point, everything came up as expected.

-Erik

On Mon, Oct 24, 2016 at 8:55 PM, Erik Anderson wrote:
> Hello -
>
> I recently deployed the Netgate pfSense appliance into an AWS VPC. Due to how AWS handles their networking, all traffic to/from servers there to the public internet transits a 1:1 NAT. So the IP address that is on my pfSense router's WAN interface differs from its true public IP.
>
> I should note that I have pfSense on both sides - 2.3_RELEASE on the non-AWS side and 2.3.2_RELEASE inside AWS.
>
> As I expected when setting out to do this, I ran into some IPsec related issues when trying to bring up a tunnel. I've set up tunnels dozens of times between pfSense and other IPsec stacks without issue - this is the first time I've been stumped, and I'm certain it has something to do with the fact that the traffic transits a NAT on the way to the pfSense WAN interface.
>
> When I try and bring up the tunnel, I see these logs on the non-AWS end:
>
> http://hastebin.com/uyodoqubem.css
>
> ...and these on the AWS pfSense:
>
> http://hastebin.com/dinogaliyi.vbs
>
> Any ideas what could be going wrong here?
>
> This log message "found 1 matching config, but none allows pre-shared key authentication using Main Mode" seems like a red herring, as I've been through the P1 configs on both sides many times to make sure that parameters match.
>
> Thanks all -
> Erik
[pfSense] pfSense on EC2 & IPsec
Hello -

I recently deployed the Netgate pfSense appliance into an AWS VPC. Due to how AWS handles their networking, all traffic to/from servers there to the public internet transits a 1:1 NAT. So the IP address that is on my pfSense router's WAN interface differs from its true public IP.

I should note that I have pfSense on both sides - 2.3_RELEASE on the non-AWS side and 2.3.2_RELEASE inside AWS.

As I expected when setting out to do this, I ran into some IPsec related issues when trying to bring up a tunnel. I've set up tunnels dozens of times between pfSense and other IPsec stacks without issue - this is the first time I've been stumped, and I'm certain it has something to do with the fact that the traffic transits a NAT on the way to the pfSense WAN interface.

When I try and bring up the tunnel, I see these logs on the non-AWS end:

http://hastebin.com/uyodoqubem.css

...and these on the AWS pfSense:

http://hastebin.com/dinogaliyi.vbs

Any ideas what could be going wrong here?

This log message "found 1 matching config, but none allows pre-shared key authentication using Main Mode" seems like a red herring, as I've been through the P1 configs on both sides many times to make sure that parameters match.

Thanks all -
Erik
Re: [pfSense] client VPN on IOS
On Thu, Sep 17, 2015 at 2:15 PM, Usama Ahmad wrote:
> Just a heads up Openvpn TLS Authentication does not work with iOS.

What makes you say that? We've been using it successfully for years. Just for kicks, I just now tested it on iOS 9, and that works fine as well.
Re: [pfSense] client VPN on IOS
On Tue, Sep 15, 2015 at 12:49 PM, WebDawg wrote:
> It does not require a jailbreak anymore? Interesting.

Nope, not for several years.
Re: [pfSense] domain override: multiple IPs?
On Mon, Sep 14, 2015 at 11:41 PM, Chris Buechler wrote:
> Add the same domain multiple times.

Haha, I should have known. Thanks Chris.
[pfSense] domain override: multiple IPs?
Hello all -

We're running 2.2.4. We have a domain override in our DNS Forwarder for our Active Directory domain. Is there any way to provide multiple IP addresses for this override? For obvious reasons, I'd like to provide both of our domain controller IPs.

Thank you!
-Erik
[pfSense] Using pfSense with an external proxy appliance
Hello,

Shortly I'm going to need to deal with a situation I've never had to sort out before - using pfSense to redirect outbound HTTP(S) from clients to an iPrism proxy/filter appliance. We're running pfSense v2.2.4.

Is this possible to do with pfSense in a transparent manner? Or will I be forced to reconfigure each client to go through the proxy? I've had a search through the forum and mailing list archives, and haven't seen anything on this topic.

Thank you!
Erik
Re: [pfSense] GUI performance on an ALIX 2d3
On Thu, Aug 13, 2015 at 4:50 PM, Rainer Duffner wrote:
> How much RAM does it have?

The 2d3 has 256MB.
[pfSense] GUI performance on an ALIX 2d3
Hello all -

I've been running pfSense on my ALIX 2d3 happily for many years now. For the most part, it still does its job well. However, with the most recent release, any changes made in the GUI take a *long* time to commit. By long I mean ~2 minutes. That's how long it takes from clicking "Save" to the screen refresh and the "Apply changes" button showing up.

Is this slow GUI performance to be expected? Was there some change in v2.2.4 that would have caused this? I realize that the 2d3 board is getting quite long in the tooth, so perhaps this is just something I need to deal with until I finally cave in and purchase an SG-2220.

Thank you!
-Erik
Re: [pfSense] Small form factor pfsense box
Jim, is the SG-2220 still targeted for an Aug 31st ship date?

On Mon, Aug 3, 2015 at 4:57 AM, Jim Thompson wrote:
> Thank you.
>
> These:
>
> http://store.pfsense.org/SG-2220/
> http://store.netgate.com/mobile/ADI/RCC-DFF-2220.aspx
>
> Seem like just what Cheyanne asked for.
>
> -- Jim
>
>> On Aug 3, 2015, at 12:48 AM, Walter Parker wrote:
>>
>> The Project sells hardware: http://store.pfsense.org/hardware/
>>
>> I bought small form factor routers from Netgate before and I'm happy.
>> http://store.netgate.com/Routers-C178.aspx
>>
>> Walter
>>
>> On Sun, Aug 2, 2015 at 10:04 PM, Cheyenne Deal wrote:
>>
>>> Does anyone have any recommendations for a small form factor machine for pfsense?
>>> I am looking for dual gb interfaces and able to handle at least a 50mb internet connection
[pfSense] checking on DHCP-PD status?
Hello-

I receive an IPv6 delegation via DHCP-PD on my WAN. Is there a simple way to check what was actually delegated in terms of network/mask/etc.? CLI is fine. I'm running pfSense v2.2.3.

Thanks!
-Erik
Re: [pfSense] WAN Traffic graph double-counting?
On Fri, Apr 3, 2015 at 10:07 AM, Heimir Eidskrem wrote:
> We are seeing the same thing on 2.1.5
> It's a reported bug I believe.

Ahh yes: https://redmine.pfsense.org/issues/3314
[pfSense] WAN Traffic graph double-counting?
Hello all -

I'm running 2.1.5-RELEASE on a Soekris net6501-50. I've noticed that whenever I perform a large file upload, it seems as if the WAN live traffic graph is counting outgoing packets twice. Here's a screenshot of my LAN and WAN graphs:

http://photos.smugmug.com/photos/i-VkmcrD6/0/O/i-VkmcrD6.png

We have a 50Mbit symmetric internet connection, and uploads to well-provisioned services (Amazon S3, Vimeo, etc.) can easily consume all of the available outbound bandwidth. As you can see, packets entering the LAN interface seem to be counted correctly, but those exiting the WAN interface are counted twice.

Any ideas here? My WAN is a P2P connection with a routed /29 block. The outside NAT address is an IfAlias VIP.

Thanks!
-Erik
Re: [pfSense] Pfsense 2.2 CPU 100%
What process is consuming your CPU?

On Tue, Mar 10, 2015 at 8:52 AM, Guillaume JULLIEN wrote:
> Hello,
>
> Since I upgraded my pfSenses to version 2.2, they more often than not display 100% CPU load.
> I'm testing an installation on an Alix APU1D.
> no extra addon installed
> only one service defined: DHCP
> only my laptop connected on the LAN interface
> If I plug the WAN interface into my LAN, CPU load can be 100% even with no particular network traffic.
>
> ?
>
> Any advice?
>
> --
> Guillaume JULLIEN
Re: [pfSense] Soekris 6501-50/SSD upgrade failure
I should note that in addition to the symptoms I mentioned earlier that followed the 2.2.0 upgrade, there were several messages like this on the console:

cannot get uid for user 'root'

...and similar. Unfortunately I don't have the full context of those logs.

Thank you-
Erik

On Tue, Jan 27, 2015 at 8:23 PM, Erik Anderson wrote:
> I just attempted a self-upgrade from 2.1.5-RELEASE to 2.2.0-RELEASE on a Soekris 6501-50. Storage is a 64GB Sandisk SSD with the full install on it (not NanoBSD).
>
> After the upgrade, the router rebooted as expected and then came *partially* back up, as in the interfaces were configured and it would NAT/route packets, but none of the daemons were started correctly (DHCP, DNS Forwarder, SSH, etc.). Even the web configurator was throwing 500 errors.
>
> After attaching to the serial console, I noticed php-fpm errors, which would explain the web configurator issues, but not the rest of the daemons' failure to start.
>
> Next, I decided to do a fresh 2.2 install, so I downloaded the serial memstick image, burned it to a USB drive and booted off of it. I ran the installation wizard, which appeared to go just fine (no errors). Then rebooted, only to find out that the BIOS doesn't recognize the internal SSD as a bootable drive. As such, it's just stuck in a reboot cycle.
>
> As a last resort, I downloaded the 2.1.5 memstick serial image, burned that to a USB drive and ran *that* installer, which proceeded normally. I rebooted, just as I did with the 2.2 installer, and this time it actually booted as expected, and I was able to successfully restore my config backup.
>
> So, I'm back up and running, which is good, but my question is: where to go from here? There appears to be some sort of an issue with the 2.2 memstick installer, perhaps not installing the bootloader correctly, or not setting the "active" flag on the partition? I'm just throwing out possibilities here - I really have no idea why 2.2 failed to install correctly.
>
> I'd appreciate any insight on:
> 1) What might have caused the 2.2 installation failures
> 2) How I might proceed with a successful upgrade from 2.1.5 to 2.2.0
>
> Thank you!
> -Erik Anderson
[pfSense] Soekris 6501-50/SSD upgrade failure
I just attempted a self-upgrade from 2.1.5-RELEASE to 2.2.0-RELEASE on a Soekris 6501-50. Storage is a 64GB Sandisk SSD with the full install on it (not NanoBSD).

After the upgrade, the router rebooted as expected and then came *partially* back up, as in the interfaces were configured and it would NAT/route packets, but none of the daemons were started correctly (DHCP, DNS Forwarder, SSH, etc.). Even the web configurator was throwing 500 errors.

After attaching to the serial console, I noticed php-fpm errors, which would explain the web configurator issues, but not the rest of the daemons' failure to start.

Next, I decided to do a fresh 2.2 install, so I downloaded the serial memstick image, burned it to a USB drive and booted off of it. I ran the installation wizard, which appeared to go just fine (no errors). Then rebooted, only to find out that the BIOS doesn't recognize the internal SSD as a bootable drive. As such, it's just stuck in a reboot cycle.

As a last resort, I downloaded the 2.1.5 memstick serial image, burned that to a USB drive and ran *that* installer, which proceeded normally. I rebooted, just as I did with the 2.2 installer, and this time it actually booted as expected, and I was able to successfully restore my config backup.

So, I'm back up and running, which is good, but my question is: where to go from here? There appears to be some sort of an issue with the 2.2 memstick installer, perhaps not installing the bootloader correctly, or not setting the "active" flag on the partition? I'm just throwing out possibilities here - I really have no idea why 2.2 failed to install correctly.

I'd appreciate any insight on:
1) What might have caused the 2.2 installation failures
2) How I might proceed with a successful upgrade from 2.1.5 to 2.2.0

Thank you!
-Erik Anderson
Re: [pfSense] OpenVPN: "Unable to contact daemon" error
On Mon, Jan 19, 2015 at 7:46 PM, Chris Buechler wrote:
> OP's issue is likely this one that's fixed in 2.2.
> https://redmine.pfsense.org/issues/3894
> where if an OpenVPN client is delayed trying to do a DNS lookup (or potentially other causes, that seemed to be the only replicable one), OpenVPN doesn't respond to SIGTERM and would get started a second time without stopping the first, which ends up breaking the status display.

Yep, that sounds like it could likely be the cause. Thanks Chris!
Re: [pfSense] issues registering VoIP phone through pfSense
For some phones, I've found that I need to do the following:

1. Disable automatic outbound NAT & add the requisite outbound NAT mappings for your internal subnets
2. Select "Static port" in the outbound NAT rule for whatever subnet your phones are on.

On Mon, Jan 19, 2015 at 8:24 PM, marc matthes wrote:
> I'm having difficulty getting my home VoIP system to pass SIP through the pfSense firewall. I have added rules both on the LAN and WAN to pass all traffic and have also tried port forwarding of 5060-5080 to the Asterisk box along with 1 to 2 port forward to the Asterisk box. I have NAT turned on and "register with proxy" enabled but I can't get the phone to register.
>
> [ASCII network diagram, flattened in the archive: Cisco 7962 phone (10.0.0.10) -- switch -- pfSense (10.0.0.5 on the phone side, 192.168.1.208 on the other) -- switch -- Cisco 7970 phone (192.168.1.105), workstation (192.168.1.137) and Asterisk server (192.168.1.202)]
>
> Marc
Re: [pfSense] OpenVPN: "Unable to contact daemon" error
On Mon, Jan 19, 2015 at 3:16 PM, Oliver Hansen wrote:
> A bit of a guess but when I've had an issue with the OpenVPN GUI it was something in my OpenVPN Advanced Configuration section that I had added long ago and was no longer necessary or conflicting in some way.

Thanks, Oliver. I double-checked that config section, and it's empty.

-Erik
[pfSense] OpenVPN: "Unable to contact daemon" error
Hello all -

Running 2.1.5-RELEASE on a Soekris net6501-50. Since the 2.1.4 release, I've seen this error message appear incessantly on the dashboard:

http://photos.smugmug.com/photos/i-qwQLZCV/0/O/i-qwQLZCV.png

Despite the web GUI being unable to determine OpenVPN status, clients continue to be able to connect and exchange traffic through OpenVPN without issue. If I ssh in, kill the OpenVPN processes and then re-start them from the web GUI, the error goes away temporarily, but will always return within 24 hours or so.

As I mentioned, this seemed to start in 2.1.4, and I hoped that it would be resolved in 2.1.5, but that didn't happen.

Any ideas on how to resolve this?

Thanks!
-Erik
Re: [pfSense] LAN: IPv6 static configuration
On Fri, Oct 10, 2014 at 1:50 AM, Seth Mos wrote:
> So check your routing with netstat -r before and after changing and see if you lost your default gateway.

Thanks, Seth. As it turned out, my second whack at getting v6 set up this morning worked perfectly. The only change I can think of is that I did end up rebooting the router the other day after things locked up, so perhaps there was some odd state that got cleared with the reboot.

Thanks for your advice!
-Erik

___ List mailing list List@lists.pfsense.org https://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] LAN: IPv6 static configuration
Any thoughts on this? Unfortunately, all of the examples and documentation I can find on IPv6 configuration with pfSense are geared towards consumer-class circuits using DHCP-PD, and I've not found anything about proper static configuration. Again, I thought this would be simple, but at least during my first attempt at configuration, I ran into major issues.

Thank you all!
-Erik

On Wed, Oct 8, 2014 at 2:19 PM, Erik Anderson wrote:
> Good afternoon-
>
> This is in regards to pfsense-2.1.4-RELEASE.
>
> This morning my ISP (finally) turned on IPv6 on our circuit. They assigned a /126 P2P link for the WAN and are routing a /48 to us. I have the WAN interface configured without issue, and am able to ping6 from the router itself to external addresses.
>
> The problem arose when I added the static IPv6 configuration to my LAN interface. I chose an arbitrary /64 subnet for the LAN and assigned an IP to the interface. When I applied this configuration, *all* traffic to and through the router (both v4 and v6) stopped. I couldn't ping the v4 address of the router, etc. I ended up having to attach to the serial console and restore a previous config file in order to restore connectivity.
>
> My questions are:
>
> 1) How was adding v6 addressing information to the LAN interface able to affect v4 traffic?
>
> 2) How can I add static v6 configuration to the LAN interface successfully?
>
> This all seemed like it should be a very simple task, but apparently I'm missing something.
>
> Thank you!
> -Erik
[pfSense] LAN: IPv6 static configuration
Good afternoon-

This is in regards to pfsense-2.1.4-RELEASE.

This morning my ISP (finally) turned on IPv6 on our circuit. They assigned a /126 P2P link for the WAN and are routing a /48 to us. I have the WAN interface configured without issue, and am able to ping6 from the router itself to external addresses.

The problem arose when I added the static IPv6 configuration to my LAN interface. I chose an arbitrary /64 subnet for the LAN and assigned an IP to the interface. When I applied this configuration, *all* traffic to and through the router (both v4 and v6) stopped. I couldn't ping the v4 address of the router, etc. I ended up having to attach to the serial console and restore a previous config file in order to restore connectivity.

My questions are:

1) How was adding v6 addressing information to the LAN interface able to affect v4 traffic?

2) How can I add static v6 configuration to the LAN interface successfully?

This all seemed like it should be a very simple task, but apparently I'm missing something.

Thank you!
-Erik
Re: [pfSense] upgrade from 1.2.3
On Wed, Oct 8, 2014 at 9:23 AM, Nick Upson wrote:
> Thanks for the input everyone, you confirmed my thoughts. I'll build a 2.x system on replacement hardware, manually copy the config (unless I can restore from the original?) and swap them over

You should be able to restore the config without issue. The only manual bit you may need to configure is re-assigning the interfaces. I recently went through a similar upgrade, and didn't have any issues.
Re: [pfSense] Autostart
On Thu, Oct 2, 2014 at 11:35 AM, Brian Caouette wrote:
> Is there a way to autostart on occasions like this when we lose power?

Under your ESXi host's configuration tab, there is a "Virtual Machine Startup/Shutdown" section that you can use to set various VMs to start up automatically on boot.
[pfSense] v2.1.5: OpenVPN + IPv6. Any success?
I recently got IPv6 turned up on my Comcast cable circuit. They're delegating a /60 to my router. I have successfully configured interface tracking on the LAN interface and that is working great.

Next, I'd like to get the OpenVPN server configured to enable v6 communication with mobile VPN clients. Has anyone had success with this?

When configuring the LAN interface, it is set to track the WAN interface, and I can set a prefix ID to provide a unique subnet to LAN clients. As far as I've seen, there's no equivalent configuration available for OpenVPN, correct? Sure, I could probably pick an arbitrary subnet from the block delegated to me and assign IPs from that to OpenVPN clients, but what happens if my delegated block changes? Then everything breaks. I'm not certain that Comcast will always assign the same block.

Is there a graceful way to handle this situation?

Thank you!
-Erik
Re: [pfSense] rc.filter_configure_sync error
On Mon, Aug 25, 2014 at 12:30 PM, Sebastian Mannino wrote:
> Hi, I'm new to pfSense and I need help. How can I use a Joomla web page for the captive portal? Thanks for all

Hello Sebastian -

When starting a new thread on a mailing list, please do not reply to an existing message (as you did). This is called "thread hijacking", and is generally considered to be a poor practice, as it messes up message organization in members' mail user agents.

-Erik
Re: [pfSense] rc.filter_configure_sync error
On Mon, Aug 25, 2014 at 9:16 AM, Vick Khera wrote:
> I used to have configuration sync failures regularly when I had vastly under-powered servers (ALIX boards). On the modern hardware, I never have any issues. I do not recall if I had those same errors as you are seeing.

Thanks for the reply, Vick. This pfSense instance is running on a Soekris 6501, and from the RRD graphs and my manual monitoring of system utilization, CPU is not the cause of this.

-Erik
[pfSense] rc.filter_configure_sync error
Since upgrading to 2.1.4, I've been seeing these alerts quite frequently:

Aug 25 01:19:34 pfsense-01 php: rc.filter_configure_sync: New alert found: PF was wedged/busy and has been reset.
Aug 25 01:19:34 pfsense-01 php: rc.filter_configure_sync: New alert found: There were error(s) loading the rules: pfctl: DIOCXCOMMIT: Device busy - The line in question reads [0]:

Could anyone comment on what would trigger this message? It seems as if it may be caused by a rules reload, but in my case, this happened after 1AM, and there was no one working on the pfSense server at that point. Are there any periodic reloads scheduled via cron or the like?

Thank you!
-Erik
[pfSense] pfctl alerts
Hello all,

I've been getting the following errors in my pfSense (2.1.4-RELEASE) syslog, once a day for the last several days:

Aug 11 15:31:32 pfsense-01.example.com php: rc.filter_configure_sync: New alert found: PF was wedged/busy and has been reset.
Aug 11 15:31:32 pfsense-01.example.com php: rc.filter_configure_sync: New alert found: There were error(s) loading the rules: pfctl: DIOCXCOMMIT: Device busy - The line in question reads [0]:

Any ideas what might be causing this?
Re: [pfSense] Traffic shaper related error
On Tue, Aug 5, 2014 at 9:37 AM, Jim Pingle wrote:
> Ensure that the correct interfaces are being chosen, especially if you have reassigned the traditional WAN/LAN interface roles, since the "single WAN" wizard would assume that the first interface is WAN, regardless of what it may have been renamed.

Oh, interesting. In my case, my interfaces look like this:

- em0 (802.1q trunk to LAN subnets)
- em1 (WAN)

Does that mean that I'll need to "reverse" things when going through the wizard?

Additionally, not sure if this affects anything, but my WAN address is on a P2P circuit, and my ISP routes a /29 to my WAN IP. I have defined a VIP (IP Alias) which resides in my /29 subnet, and this is the IP I use as my "main egress IP", so all traffic sourced from my network gets NATed to this IP. Again, not sure if this applies to the traffic shaper, but I thought it worth mentioning.

-Erik
Re: [pfSense] Traffic shaper related error
Just giving this a bump. As it turns out, this error appears any time I build a shaper using the single-WAN, multi-LAN wizard. I haven't given any of the other options a try as they don't apply to my situation, and likewise, I haven't yet tried manually creating all of the traffic shaper queues, rules, etc.

Has anyone else seen this and if so, any recommendations for resolution?

-Erik

On Thu, Jul 31, 2014 at 2:08 PM, Erik Anderson wrote:
> v 2.1.4...
>
> I configured a traffic shaper earlier this week (Monday I believe), and I just started getting errors on the web UI stating:
>
> [There were error(s) loading the rules: pfctl: DIOCGIFSPEED: Invalid argument - The line in question reads [0]: ]
>
> Grepping through my syslog server, the first occurrence of this error was at 06:43 this morning (the 31st):
>
> Jul 31 06:43:38 pfsense-01.invenshure.com php: rc.filter_configure_sync: New alert found: There were error(s) loading the rules: pfctl: DIOCGIFSPEED: Invalid argument - The line in question reads [0]:
>
> No config changes would have happened at this point that would trigger configuration reload.
>
> Googling around, I found this bug:
>
> https://redmine.pfsense.org/issues/2901
>
> Following the lead of the user that posted this bug (and then abandoned it), I removed my shaper and that fixed the problem. That's not a viable long-term solution for me, though.
>
> Does anyone have guidance as to what the cause of this bug is?
>
> I'd be glad to provide config snippets if that would be helpful - just specify which section(s) of the config would be helpful.
>
> Thank you!
> -Erik
[pfSense] Traffic shaper related error
v 2.1.4...

I configured a traffic shaper earlier this week (Monday I believe), and I just started getting errors on the web UI stating:

[There were error(s) loading the rules: pfctl: DIOCGIFSPEED: Invalid argument - The line in question reads [0]: ]

Grepping through my syslog server, the first occurrence of this error was at 06:43 this morning (the 31st):

Jul 31 06:43:38 pfsense-01.invenshure.com php: rc.filter_configure_sync: New alert found: There were error(s) loading the rules: pfctl: DIOCGIFSPEED: Invalid argument - The line in question reads [0]:

No config changes would have happened at this point that would trigger configuration reload.

Googling around, I found this bug:

https://redmine.pfsense.org/issues/2901

Following the lead of the user that posted this bug (and then abandoned it), I removed my shaper and that fixed the problem. That's not a viable long-term solution for me, though.

Does anyone have guidance as to what the cause of this bug is?

I'd be glad to provide config snippets if that would be helpful - just specify which section(s) of the config would be helpful.

Thank you!
-Erik
Re: [pfSense] issue with routing between LAN subnets
Thanks Michael - I actually got this sorted out, and replied to myself and the list with the resolution. Thanks!

On Thu, Jul 24, 2014 at 8:26 PM, Michael Schuh wrote:
>
> 2014-07-25 2:52 GMT+02:00 Erik Anderson :
>>
>> Hello -
>>
>> This evening I upgraded to 2.1.4 and have noticed an odd issue communicating between two of my LAN subnets.
>>
>> For the purposes of this example, I have main-LAN (192.168.3.1/24) and voice-LAN (192.168.5.1/24).
>>
>> I have firewall rules in place on the main-LAN interface to permit traffic to the voice-LAN.
>>
>> When I ping from my workstation on the main-LAN to a server on the voice-LAN, I get the following:
>>
>> https://gist.github.com/anderiv/60bac6fb637192eb8419
>>
>> That ICMP reply is coming from the default gateway of our WAN interface. It makes sense that comcast is blocking RFC1918 addresses, but the question is: why is this traffic being routed out the WAN instead of to the voice-LAN?
>>
>> Here's a packet capture, taken on the main-LAN interface:
>>
>> https://www.cloudshark.org/captures/215fcc948bb7
>>
>> All of this worked perfectly in the previous version of pfsense we were at (2.0.1).
>>
>> Any insights into what may be causing this?
>>
>> Thank you-
>> Erik
>
>
> Hi Erik,
>
> I would start with:
>
> Checking the FW-Logs in -> System-Logs -> there should be an entry then, which tells you also which rule blocks and what the incoming interface was.
> Checking the interface configuration -> Status Interfaces in the WebUI
> Checking the routing of the pfsense -> netstat -nr - either at the console or at -> Diagnostics -> Command blah in the WebUI
> Checking the NAT-Setup of the PfSense
>
> If I remember correctly for checking the connectivity from the FW-Console, one has to pass the source-address and/or the interface to the ping command.
>
> This should bring you more insights and ideas on what is wrong.
>
> If I remember correctly, parts of the interface assignment got changed between 2.0.1 and 2.1 or so.
> But I can be mistaken with this.
>
> hth
>
> michael
Re: [pfSense] issue with routing between LAN subnets
OK, I got this resolved by adding an explicit firewall rule to the main-LAN interface allowing traffic from that subnet to the voice-LAN subnet.

Previously, I had an "allow anything to anywhere" rule that would have permitted this. This rule also had some policy routing applied to it, sending matching traffic out of a certain WAN gateway. It would seem as if this policy routing matching behavior changed somewhere between 2.0.1 and 2.1.4 such that if packets match, it will still apply the policy routing instructions even if they're both local subnets. This is why I was receiving ICMP replies from my WAN next-hop.

-Erik

On Thu, Jul 24, 2014 at 7:52 PM, Erik Anderson wrote:
> Hello -
>
> This evening I upgraded to 2.1.4 and have noticed an odd issue communicating between two of my LAN subnets.
>
> For the purposes of this example, I have main-LAN (192.168.3.1/24) and voice-LAN (192.168.5.1/24).
>
> I have firewall rules in place on the main-LAN interface to permit traffic to the voice-LAN.
>
> When I ping from my workstation on the main-LAN to a server on the voice-LAN, I get the following:
>
> https://gist.github.com/anderiv/60bac6fb637192eb8419
>
> That ICMP reply is coming from the default gateway of our WAN interface. It makes sense that comcast is blocking RFC1918 addresses, but the question is: why is this traffic being routed out the WAN instead of to the voice-LAN?
>
> Here's a packet capture, taken on the main-LAN interface:
>
> https://www.cloudshark.org/captures/215fcc948bb7
>
> All of this worked perfectly in the previous version of pfsense we were at (2.0.1).
>
> Any insights into what may be causing this?
>
> Thank you-
> Erik
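The rule ordering behind the fix above, written out as pf rules. This is an added illustration, not something posted in the thread or generated by pfSense; the interface and gateway names are assumptions, while the two subnets are the ones from the thread.

```pf
# Added example: why a policy-routed catch-all rule sends inter-LAN
# traffic to the WAN next-hop, and the explicit rule that fixes it.
# Interface and gateway values are assumed placeholders.
main_lan = "vlan3"         # assumed: the main-LAN interface
wan_if   = "em1"           # assumed: WAN interface
wan_gw   = "203.0.113.1"   # assumed placeholder for the WAN next-hop

# BEFORE: one "allow anything to anywhere" rule with a gateway set.
# route-to applies to every packet the rule matches, including packets
# addressed to 192.168.5.0/24, so a ping to the voice-LAN is handed to
# the WAN gateway and the ICMP reply comes back from that router.
pass in quick on $main_lan route-to ($wan_if $wan_gw) inet \
    from 192.168.3.0/24 to any

# AFTER: an explicit LAN-to-LAN pass with no gateway, placed first.
# "quick" makes the first matching rule final, so inter-LAN packets are
# forwarded normally and never reach the policy-routed catch-all.
pass in quick on $main_lan inet from 192.168.3.0/24 to 192.168.5.0/24
pass in quick on $main_lan route-to ($wan_if $wan_gw) inet \
    from 192.168.3.0/24 to any
```

In the pfSense GUI the same ordering is achieved by placing a rule with the gateway left at "default" above any rule that has a gateway selected.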
[pfSense] issue with routing between LAN subnets
Hello -

This evening I upgraded to 2.1.4 and have noticed an odd issue communicating between two of my LAN subnets.

For the purposes of this example, I have main-LAN (192.168.3.1/24) and voice-LAN (192.168.5.1/24).

I have firewall rules in place on the main-LAN interface to permit traffic to the voice-LAN.

When I ping from my workstation on the main-LAN to a server on the voice-LAN, I get the following:

https://gist.github.com/anderiv/60bac6fb637192eb8419

That ICMP reply is coming from the default gateway of our WAN interface. It makes sense that comcast is blocking RFC1918 addresses, but the question is: why is this traffic being routed out the WAN instead of to the voice-LAN?

Here's a packet capture, taken on the main-LAN interface:

https://www.cloudshark.org/captures/215fcc948bb7

All of this worked perfectly in the previous version of pfsense we were at (2.0.1).

Any insights into what may be causing this?

Thank you-
Erik
Re: [pfSense] pfsense slowing wan speed
On Sat, Jul 5, 2014 at 9:00 PM, Brian Henson wrote:
> I have a PFsense box on a 50/5 DSL connection and when it's directly connected to the modem it drops the speed significantly as compared to a wireless router directly connected to the modem.

Do you have a traffic shaper enabled? Have you verified that your ethernet interfaces are linked up at proper speed/duplex?

-Erik
Re: [pfSense] Embedded 2.0.1 -> 2.1.2 upgrade issues
On Thu, Jul 3, 2014 at 4:46 PM, Chris Buechler wrote:
> Yes but if you run out of RAM while booting, much of the OS may be left unconfigured or partially configured. If you ran out of RAM while the system was already up and running, generally the things that would die wouldn't impact the ability of the system to filter and NAT.

That makes a lot of sense.

> The most common way to exhaust 256 MB is several active OpenVPN instances, which take up much more RAM for a brief period when they initially start up than they do under normal operating conditions. Packages the other common way.

I have two OpenVPN servers configured, but the only package I have installed is the OpenVPN client export package.

I ordered a Soekris 6501 today, which has 1GB of RAM. I presume I'll have a much better experience with that than I've had trying to squeeze things into 256M.

Thanks for the reply, Chris. I appreciate it. Have a great 4th weekend.

-Erik
Re: [pfSense] Embedded 2.0.1 -> 2.1.2 upgrade issues
Hello all -

I'm resurrecting this thread in hopes of getting some advice and/or clarity on what's going on.

As you can read in my previous email, I attempted an in-place upgrade from 2.0.1 to 2.1.2, which failed due to it (for some reason) not NATting packets correctly.

Last night I finally got around to burning a clean 2.1.2 image on a CF card, installing it, then restoring one of my 2.0.1 backups. After doing this, I had the *exact* same symptoms as I did after the in-place upgrade:

- interfaces were configured correctly
- firewall and NAT rules correct
- internet-bound traffic sourced from the pfsense itself worked fine (pings, DNSmasq, etc.)
- it would not NAT LAN packets out the WAN interface

I saw one anomaly that I doubt has anything to do with this failure, but I'm not certain, so I'll mention it. This install is on a soekris net-5501, which only has 256 MB RAM. As such, when pfsense booted, php was consistently getting killed due to memory contention. I needed to restart the web configurator from the console. Now, my assumption is that routing, NAT, firewall, etc. are kernel-level functions and should not be affected by an out-of-memory condition. Is this correct?

Does anyone have other ideas as to what's going on?

Thank you-
Erik

On Mon, Apr 21, 2014 at 2:23 PM, Erik Anderson wrote:
> I have an embedded (soekris) install running 2.0.1-RELEASE.
>
> This weekend, I attempted an in-place upgrade to 2.1.2-RELEASE. After the upgrade, all interfaces appeared to be configured correctly:
>
> - while ssh'ed into pfsense, I could access internet hosts
> - all internal VLAN interfaces were configured correctly, and were accessible as expected from their respective VLANs
> - from the "main" internal LAN, I could access the pfsense LAN interface as well as the web configurator
>
> However, it didn't appear to be NATing packets correctly from any of the internal interfaces to the WAN. I double-checked and re-applied the NAT and firewall rules to no effect.
>
> Any ideas what could have happened? Are there any known issues with an in-place 2.0.1 -> 2.1.2 upgrade?
>
> Next I'm just going to try to burn a clean 2.1.2 image on a CF card and then restore the config file, which I *hope* will be successful.
>
> -Erik
Re: [pfSense] routed subnet question
On Mon, Jun 30, 2014 at 2:58 PM, Gordon Russell wrote:
> Your assumption is correct. We have this same service from Comcast, and we have a few of our /28 assigned subnet as VIPs on the WAN. The full /28 is assigned into a third (DMZ) interface on the pfsense box as well in our case. Port forwards and NATs on the WAN utilize the VIPs, and other public traffic destined for our /28 gets routed into the DMZ.

Perfect - thanks Gordon!
[pfSense] routed subnet question
Hello -

I've been using pfsense for several years on a Comcast business cable circuit. As many of you have experienced, with this service, Comcast provides a modem with a 4-port customer-facing L2 switch. The WAN interface of my pfsense router is connected to this switch. I then assign the WAN interface one of the IPs from the /29 assigned to us. The other IPs in that /29 I can then assign as VIPs and use for other purposes.

Shortly we'll be switching over to Comcast's fiber-based metro ethernet service. This service is delivered to the premise via fiber and the comcast provides a managed switch that we connect to via copper ethernet. This being closer to a "professional-grade" service, they assign a P2P address for our router's WAN interface and then they route our usable subnet to that address.

I have never used pfsense in this capacity (with a routed subnet) before. Is my assumption correct that I should just be able add IPs in the usable subnet as VIPs and then alter my NAT rules, etc. to use one of those addresses for egress, use them for port-forwarding, etc.?

Thank you!
-Erik
Re: [pfSense] HP DL160 for pfSense in a datacenter
On Wed, Apr 23, 2014 at 8:14 AM, mayak wrote:
> The machine has one of those stupid raid chips that works for software raid -- pfSense knows about these kinds of cards, but nonetheless, I would like to make this machine as bullet proof as possible (in terms of disk failure).

You're not going to want to hear this, but...

...purchase a real hardware RAID card. FakeRAID cards are horrible, and I'd never trust them for something as critical as a firewall/router device. You don't need anything fancy - you should be able to source a used RAID controller for a very reasonable price.

-Erik
[pfSense] Embedded 2.0.1 -> 2.1.2 upgrade issues
I have an embedded (soekris) install running 2.0.1-RELEASE.

This weekend, I attempted an in-place upgrade to 2.1.2-RELEASE. After the upgrade, all interfaces appeared to be configured correctly:

- while ssh'ed into pfsense, I could access internet hosts
- all internal VLAN interfaces were configured correctly, and were accessible as expected from their respective VLANs
- from the "main" internal LAN, I could access the pfsense LAN interface as well as the web configurator

However, it didn't appear to be NATing packets correctly from any of the internal interfaces to the WAN. I double-checked and re-applied the NAT and firewall rules to no effect.

Any ideas what could have happened? Are there any known issues with an in-place 2.0.1 -> 2.1.2 upgrade?

Next I'm just going to try to burn a clean 2.1.2 image on a CF card and then restore the config file, which I *hope* will be successful.

-Erik
[pfSense] multi-wan traffic shaping question
Good afternoon, all -

I'm currently running 2.0.1 on a Soekris 5501. We have three WAN circuits and three LANs. Traffic from each LAN is policy routed out its "own" WAN circuit. I'd like to implement some traffic shaping for outbound traffic on one of the LANs - the other two have no need for traffic shaping.

In this situation, how many WAN circuits should I tell the wizard I have? The shaped traffic will only ever "touch" one of the WAN circuits.

Thank you very much!
-Erik
Re: [pfSense] Soekris 5501 + SATA drive issues
On Thu, Dec 22, 2011 at 9:32 PM, Jim Spaloss wrote:
> I missed the part about the memstick image. I will tell you that I had all kinds of problems using the nanobsd images, and ended up hooking up the SSD to a PC running the PFSense installer and choosing the embedded platform.

No problem, Jim. The memstick image actually contains both the full kernel as well as the NanoBSD kernel - I chose the full kernel when installing.

In the end, I think I'm just going to go back to installing on a CF card. Then I'll mount the SSD somewhere and use it as a cache space for squid.

Thanks!
-Erik
Re: [pfSense] Soekris 5501 + SATA drive issues
On Thu, Dec 22, 2011 at 5:01 AM, Chris Bagnall wrote:
>
> Appreciate this isn't really an answer to your original question, but is there a reason why you don't use a compact flash card in the socket on the board? We have quite a few clients with 5501s, all of which are using CF cards, and I don't recall having a problem booting with any of them.

Thanks Chris -

My desire to use an SSD was borne out of the hope that I could have access to a bit more disk space, and to be able to use packages like squid without using up the available write cycles of a CF card.

That said, I'm probably going to end up just going with a CF card in the end for ease of installation. I will still plan on keeping the SSD attached, and I'll hopefully be able to use it as cache space for squid.

-Erik
[pfSense] Soekris 5501 + SATA drive issues
I'm at a loss here -

My shiny new 5501 arrived today, along with the SATA mounting kit and a small SSD drive. Knowing that the 5501 doesn't support USB boot, I connected the SSD to another system, and installed 2.0.1 to it using the memstick image. I chose the embedded kernel.

After connecting the SSD to the 5501, the bootloader started just fine, and it loaded the kernel, but failed when trying to mount the root partition. A full transcript of the boot process is here:

http://pastebin.me/82c3fe0bb271a67bf86d5a0d0f0e89f9

You can see on line 161 that the SSD was detected as device ad1, and the system was trying to mount root from /dev/ad4s1a. Problem.

So, at the mountroot> prompt, I assumed I could just type "ufs:/dev/ad1s1a". That didn't work, and gave the same error message.

From the loader prompt, here's the device list:

OK lsdev
cd devices:
disk devices:
    disk0:   BIOS drive C:
      disk0s1a: FFS
      disk0s1b: swap
pxe devices:
zfs devices:

Any pointers?

Thank you!
Re: [pfSense] four-interface embedded board for pfSense?
On Fri, Dec 16, 2011 at 11:46 AM, Ian Bowers wrote:
> Sounds like Soekris might be right up your alley if you want physical interfaces. http://soekris.com/ . I've had a net5501 running openbsd for ages, its been one of my longest operating devices, and I've literally never had an issue with it.

Thanks for the info, Ian. I've been so happy with the ALIX boards that I had all but forgotten about Soekris. :) The 5501 looks perfect for our needs.

-Erik
[pfSense] four-interface embedded board for pfSense?
Hello all -

Historically, I've used the Alix 2d3/2d13 boards - these have three interfaces, and have worked perfectly for me. I now have an instance where I'm going to need triple-wan capabilities, and am wondering what options and/or recommendations are out there for this situation. I would prefer to stick with an embedded setup if possible.

I guess the other question I have is: instead of looking for a quad-interface board, can I accomplish the same thing by just adding an 802.1q switch and trunking a couple of the WAN circuits through the switch? I would imagine keeping each individual WAN circuit on its own VLAN ID would be the only way to do this in a secure and reliable fashion. A couple of the WAN circuits will be ADSL, requiring PPPoE negotiation - I'm not sure if this changes anything with regards to being able to terminate the circuit at a switch instead of directly in one of the router interfaces.

Thank you!
-Erik
Re: [pfSense] 2.0-RELEASE now available!
On Sat, Sep 17, 2011 at 1:58 PM, Chris Buechler wrote:
> for those who don't watch the blog:
> http://blog.pfsense.org/?p=598

Excellent work Chris and all the rest of the devs! Thanks for making a truly incredible product.

-Erik