Re: [pfSense] Vlan Trunk
What exactly is your question here? I don't see any issue implementing this.

-lsf

On Wed, May 2, 2012 at 7:08 PM, steel max steelmax11...@gmail.com wrote:

Dear All,

I am trying to implement a wireless network in my corporate environment using authentication by a Domain Controller (Windows AD, with RADIUS on the same server) together with the pfSense Captive Portal. Thanks to you guys for the help, I have done that in my testing zone!

ABOUT My Corporate Network:

Our corporate network is pretty complicated to me. Its back-end is powered by a Linux DHCP server, a Squid proxy and a Cisco firewall / Layer 3 switch (core switch) which has 19 VLANs; all VLANs are trunked and distributed over the network using managed D-Link switches. VLANs are 5 to 95 and the VLAN I intend to use is VLAN 10, which is configured in the Layer 3 switch as a 'Guest VLAN'. VLAN 5 is for the data center, which gives IP range 192.168.1.xxx; VLAN 10 (Guest VLAN) IP is 192.168.2.xxx, and so on according to VLAN ID. Our network is more like a campus area network. We have 5 separate buildings in the city connected by fiber optic cable provided by a 3rd party. So VLAN 10 will be distributed across the network like the other VLANs through trunk ports!

About implementation:

I want the output from pfSense to give:

1. pfSense should have WAN on VLAN 5, as all the servers in the data center are in that IP range
2. WAN from core switch VLAN 10 (WAN from VLAN 5 and 10 may be dual WAN or something?)
3. LAN only VLAN 10
4. LAN output with VLAN tagging and trunking enabled to distribute across the network
5. pfSense should be able to talk to the Windows AD RADIUS server
6. Any user connected to VLAN 10 should pass through the captive portal / RADIUS server

So the above six points are what I intend to achieve! So please guys help me on this :). Hope I have given enough info!

___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] Vlan Trunk
With one exception, it seems you want to use the same VLAN as both LAN and WAN (VLAN 10)???

On Wed, May 2, 2012 at 8:34 PM, Espen Johansen pfse...@gmail.com wrote:

What exactly is your question here? I don't see any issue implementing this.

-lsf
Re: [pfSense] pfSense routing and TCP sequence numbers
After reading this again I'm thinking you might be confused by IP ID vs sequence numbers? IP header and TCP header are different things. See here for the IP header: http://en.wikipedia.org/wiki/IPv4 or this might be of help: http://networkstatic.net/what-are-ethernet-ip-and-tcp-headers-in-wireshark-captures/

On Sat, Sep 14, 2013 at 1:12 PM, Espen Johansen pfse...@gmail.com wrote:

Try tcpdump + wireshark. Then read this: http://packetlife.net/blog/2010/jun/7/understanding-tcp-sequence-acknowledgment-numbers/

pfSense should not change sequence numbers unless you tell it to do so. For packet breakdown read: http://www.daemon.org/tcp.html

Google is your friend ;-)

On Fri, Sep 13, 2013 at 4:15 PM, Martin Fuchs mar...@fuchs-kiel.de wrote:

Hi!

We use pfSense 2.0.1 and have a local LAN, a WAN and remote offices connected by managed VPN connections (pfSense does not need to establish the VPN to the remote offices).

LAN - pfSense - remote office

In the LAN we have a HiPath communications system and in the remote offices one remote system each. pfSense only routes between these locations. There is no filtering (in the floating rules everything is allowed between LAN and remote offices).

Firewall scrub, clear DF and random ID generation are disabled.

Does pfSense in this configuration change the TCP sequence numbers of the connections between the communication systems? And is there any simple way I can check this?

Regards,

Martin
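As an added example for the check Espen points at (my code, not anything posted on the list): a small Python parser that pulls the IP ID out of the IPv4 header and the sequence/ack numbers out of the TCP header, then pairs up the same flow captured on the LAN side and the remote-office side to show whether the sequence number changed in transit. The packets, addresses and ports below are constructed for the demo.

```python
"""Parse IPv4 and TCP headers from raw packet bytes and compare the TCP
sequence numbers of one flow as captured on both sides of a router.

Added example; not code from the list. The two "captures" are constructed
byte strings standing in for packets read from tcpdump on the LAN side and
the remote-office side of pfSense. Addresses are documentation ranges and
the ports are arbitrary, not anyone's real network."""
import struct

IPV4_HDR = "!BBHHHBBH4s4s"   # 20 bytes, no options
TCP_HDR = "!HHIIHHHH"        # 20 bytes, no options


def build_ipv4_tcp(src, dst, ip_id, ttl, sport, dport, seq, ack, flags=0x10):
    """Construct a minimal IPv4+TCP packet for the demo. Checksums are left
    at zero because the parser below does not verify them."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    ip = struct.pack(IPV4_HDR, 0x45, 0, 40, ip_id, 0x4000, ttl, 6, 0, src_b, dst_b)
    tcp = struct.pack(TCP_HDR, sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0)
    return ip + tcp


def parse_ipv4_tcp(pkt):
    """Return the fields the thread is about: the IP ID lives in the IPv4
    header, the sequence/ack numbers live in the TCP header behind it."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tlen, ip_id, flags_frag, ttl, proto, _csum, src, dst = \
        struct.unpack(IPV4_HDR, pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4          # header length including options
    if proto != 6:
        raise ValueError("not TCP")
    tcp = pkt[ihl:ihl + 20]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, _win, _csum, _urg = struct.unpack(TCP_HDR, tcp)
    return {
        "src": ".".join(str(b) for b in src), "dst": ".".join(str(b) for b in dst),
        "ip_id": ip_id, "ttl": ttl, "df": bool(flags_frag & 0x4000),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "syn": bool(off_flags & 0x02),
    }


def flow_key(p):
    return (p["src"], p["sport"], p["dst"], p["dport"])


def compare_captures(side_a, side_b):
    """Pair up packets of the same flow seen on both sides and report whether
    the sequence number changed in transit. Packets are matched on 5-tuple,
    IP ID and ack number, which works when, as in Martin's setup, scrub's
    random-id is off so the router leaves the IP ID alone."""
    seen_b = {}
    for raw in side_b:
        p = parse_ipv4_tcp(raw)
        seen_b.setdefault(flow_key(p), []).append(p)
    report = []
    for raw in side_a:
        a = parse_ipv4_tcp(raw)
        for b in seen_b.get(flow_key(a), []):
            if b["ip_id"] == a["ip_id"] and b["ack"] == a["ack"]:
                report.append({
                    "flow": flow_key(a),
                    "seq_lan": a["seq"], "seq_remote": b["seq"],
                    "seq_rewritten": a["seq"] != b["seq"],
                    "ttl_delta": a["ttl"] - b["ttl"],   # 1 == one routing hop
                })
    return report


# Constructed captures. Flow 1 is what a plain router does: IP ID and seq
# untouched, TTL decremented by one. Flow 2 is constructed to look like a
# middlebox that rewrote the sequence number, so the report flags it.
LAN_SIDE = [
    build_ipv4_tcp("192.0.2.10", "198.51.100.20", 0x1234, 64, 40000, 5060, 1000, 2000),
    build_ipv4_tcp("192.0.2.11", "198.51.100.21", 0x1235, 64, 40001, 5060, 5000, 6000),
]
REMOTE_SIDE = [
    build_ipv4_tcp("192.0.2.10", "198.51.100.20", 0x1234, 63, 40000, 5060, 1000, 2000),
    build_ipv4_tcp("192.0.2.11", "198.51.100.21", 0x1235, 63, 40001, 5060, 987654321, 6000),
]


def demo():
    return compare_captures(LAN_SIDE, REMOTE_SIDE)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

On a real box, feed the raw IPv4 payloads from two tcpdump captures (one per interface) into compare_captures; a ttl_delta of 1 with seq_rewritten False is the expected result for pfSense doing plain routing.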
Re: [pfSense] Hardware requirements for gigabit wirespead
What else is new with thinker as op.

On 25 Oct 2013 02:18, Jim Thompson j...@netgate.com wrote:

The topic has wandered away from pfSense.

-- Jim

On Oct 24, 2013, at 18:48, Chris Bagnall pfse...@lists.minotaur.cc wrote:

On 24/10/13 7:31 pm, Adam Thompson wrote:

If I upgraded to a better-quality unit, or switched to licensed spectrum, I could probably eliminate the variability and increase speed simultaneously.

Indeed, we have Ubiquiti kit running point-to-point links in the 5GHz unlicensed spectrum (band C) over around 18km which deliver ~65Mbps throughput. I think our distance record is just shy of 68km.

Within the Ubiquiti line, the AirFiber apparently would get me to ~99.99% reliability at ~600Mbps, or ~99.9% reliability at ~1Gbps. Still using unlicensed spectrum, using the built-in directional antennas.

Do check the 24GHz spectrum rules carefully in your jurisdiction - certainly here in the UK the 24GHz unlicensed spectrum is limited, and only allows fairly low power without a licence.

I do not have personal experience with Alvarion, but I can unreservedly recommend Dragonwave.

I'd add Motorola Orthogon kit to that list, based on some offshore experience with it a few years ago.

Kind regards,

Chris
--
This email is made from 100% recycled electrons
Re: [pfSense] Restoring from XML prevents VM from booting
Might be that serial redirection makes it show nothing. Bad drives might also cause files to be corrupted. Same goes for bad memory. Make sure both are the same versions.

On 5 Feb 2014 18:42, Brian Candler b.cand...@pobox.com wrote:

This is a really strange behaviour, I wonder if anyone has seen anything similar.

I've just been trying to replicate a production config in a VirtualBox VM (vbox 4.3.6, OSX 10.9.1). I can install pfSense fine, and manually set up a LAN IP address on vboxnet0 so that I can get into the web interface and use Diagnostics > Backup/Restore to upload an existing XML config.

But then the VM refuses to boot properly. It only gets as far as:

F1 pfSense
F6 PXE
Boot: F1 |

and then hangs at that point (vertical bar, not spinning). This is repeatable if I reinstall and re-restore the same XML config.

I was able to work around the problem by reinstalling, using scp to copy /cf/conf/config.xml directly from another machine, and then rebooting. So it's not a show stopper, but it's most bizarre - how can a *config* upload prevent the kernel from booting??

Any thoughts welcome :-)

Regards,

Brian.
Re: [pfSense] Gateway on a gateway...
Tell your provider to do what mOjO said. Or set it up yourself if you have access to the provider routers. Third option is a VPN between the pfSense boxes so you can override the routing.

On 17 May 2014 21:53, Klaus Wunder kl...@net-wunder.de wrote:

Hello,

you can use pfSense as a BGP router. There is a package you can install. Also you can ask your ISP about the use of the dynamic routing protocol.

Kind Regards
Klaus

On 17.05.2014 at 20:14, J. Echter j.ech...@echter-kuechen-elektro.de wrote:

On 17.05.2014 08:25, faisal.gill...@akesp.org wrote:

Thank you for replying MoJo .. So you recommend me replacing pfSense acting as a static routes router with real hardware routers? Or are you asking me to add dynamic routing functionality to pfSense?

Thanks
Faisal

Sent from my HTC

- Reply message -
From: mOjO m...@thegeekclub.net
To: pfSense Support and Discussion Mailing List list@lists.pfsense.org, dragonator dragona...@sleepydragon.net
Subject: [pfSense] Gateway on a gateway...
Date: Sat, May 17, 2014 10:07 AM

On the pfSense firewall? Nothing. You need to change your routers. Ideally, your MPLS routers are using BGP. Then on the site 1 router under the BGP section you can tell it to advertise the 0.0.0.0 route by adding network 0.0.0.0 and make sure you have a static route on that router for 0.0.0.0 to the firewall. Site 2 should then use the MPLS router as their default gateway instead of the firewall. As an added bonus you can have site 2 fail over to their local internet when the MPLS is down by adding a lower metric (255) default route that will kick in when the BGP advertised route disappears when the MPLS goes down.

- Reply message -
From: faisal.gill...@akesp.org
To: dragonator dragona...@sleepydragon.net, list@lists.pfsense.org
Subject: [pfSense] Gateway on a gateway...
Date: Fri, May 16, 2014 11:27 PM

When I try to do this .. pfSense gives me an error that the firewall is not local to my subnet, which is .. 172.16.1.16 on subnet 255.255.248.0. The branch router is on 172.16.11.0/24 which connects to the firewall subnet via the MPLS provider router, i.e. 10.152.8.117/30. So what to do?

Regards

Sent from my HTC

- Reply message -
From: dragonator dragona...@sleepydragon.net
To: faisal.gill...@akesp.org, list@lists.pfsense.org
Subject: [pfSense] Gateway on a gateway...
Date: Sat, May 17, 2014 12:51 AM

Change the route on the site 2 gateway to route all traffic to that firewall.

Sent via the Samsung Galaxy S™ III, an AT&T 4G LTE smartphone

Original message
From: faisal.gill...@akesp.org
Date: 05/15/2014 19:39 (GMT-05:00)
To: pfSense Support and Discussion Mailing List list@lists.pfsense.org
Subject: [pfSense] Gateway on a gateway...

I have two networks connected together with an MPLS network; all the clients on both networks can access each other.

Site 1 (172.16.0.0/21) has a packet filtering multi-WAN firewall (172.16.1.16) on its local subnet which local clients connect to in order to use the internet.

Site 2 (172.16.11.0/24) clients connect to a local router (172.16.11.17) which routes all site 1 destined traffic to the site 1 router (172.16.0.17). All site 2 clients have the IP of the site 2 router, which is (172.16.11.17), as their default gateway.

Now I want clients on site 2 to use my packet filtering firewall (172.16.1.16) for their internet needs, so how do I define this without breaking the existing communication? Can anyone guide me in this?

Sent from my HTC

anyone able to reply to the list?
Re: [pfSense] default gateway over MPLS VPN
You asked this already and it has been responded to. Don't double post!

On 20 May 2014 17:54, Michael Schuh michael.sc...@gmail.com wrote:

2014-05-20 11:31 GMT+02:00 Faisal Gillani faisal.gill...@akesp.org:

Hello all

I am using pfSense with everything: a pfSense based multi-homed firewall and pfSense based routers. My firewall has three internet connections which clients see as one when accessing the internet. My office recently purchased an MPLS VPN solution to connect one of our branches together with our main head office.

MPLS VPN Settings

Main site
Ip 10.152.9.130
Subnet 255.255.255.252
Gateway 10.152.9.129

branch site
Ip 10.152.9.117
Subnet 255.255.255.252
Gateway 10.152.9.116

I chose pfSense to do simple routing at both head office and branch office. The network configuration is as below.

Main Site
Subnet 172.16.0.0/21
pfSense based internet firewall ip = 172.16.1.17
pfSense based router (with all NAT and packet filtering disabled) = 172.16.0.18
• The router is configured to static route to the branch office subnet by using the MPLS provider router address.
• The router routes all internet based requests to 172.16.1.17 as it is set as its default gateway.
• All same-subnet users are set up to use 172.16.0.18 as their default gateway; everything is working for them, local resource access as well as internet.

Branch Site
Subnet 172.16.11.0/24
pfSense based router (with all NAT and packet filtering disabled) = 172.16.11.18
• The router is configured to static route to the branch office subnet by using the MPLS provider router address.
• For internet I found this solution on the internet to route all internet traffic to the firewall in the main office which is 172.16.1.17
• To achieve this I ran these commands, as the web GUI wasn't accepting a non-local subnet address:

# route add -net 172.16.1.17 -iface em0
# route add default 172.16.1.17

Now the branch office computers can access all the resources on the main office branch, however they can't access the internet.

Anyone know what I am doing wrong?

Syed Faisal Gillani

Please consider the environment before printing this e-mail

Now the branch office computers can access all the resources on the main office branch, however they can't access the internet.

which seems logically correct to me, if I understood correctly how your setup is.

in short: your default gateways are incorrect, therefore no internet access. point your default gateways to the main internet connection and NOT to the MPLS gateways. NAT enabled.

to get the Net-to-Net (172.16.11.0/24 - 172.16.0.0/21) working: just create an IPSEC VPN tunnel from each pfSense box to the other one through the MPLS routing/switching, which (the MPLS) is not really necessary if you have static WAN addresses, but can help to have a stable VPN tunnel. i.e. IF-MPLS-Address Main Site connects to IF-MPLS-Address Branch Site, et vice versa. so an IPSEC VPN between those two endpoints should do it. the MPLS gateways do not know anything about any 172.16.0.0 net. not their job. :8~)

i _think_ the wish is to have the clients communicating with each other, like 172.16.4.5 can talk freely to 172.16.11.45 et vice versa. so create each VPN side with access to the respective internal network. no NAT necessary.

further reading for understanding recommended: Richard W. Stevens TCP/IP and/or Addison Wesley: TCP/IP and ONC/NFS

hth

= = = http://michael-schuh.net/ = = =
Projektmanagement - IT-Consulting - Professional Services IT
Postfach 10 21 52
66021 Saarbrücken
phone: 0681/8319664
@: m i c h a e l . s c h u h @ g m a i l . c o m
= = = Ust-ID: DE251072318 = = =
Re: [pfSense] Disk Space
1kb size should clue you in. This is however completely normal.

On 7 June 2014 12:45, Brian Caouette bri...@dlois.com wrote:

Mounted Filesystems

Type   Partition     Percent Capacity   Free       Used        Size
       /dev/da0s1a   17%                4.38 GB    988.37 MB   5.81 GB
       /dev/md0      2%                 3.26 MB    62.00 KB    3.61 MB
       devfs         100%               0.00 KB    1.00 KB     1.00 KB
       devfs         100%               0.00 KB    1.00 KB     1.00 KB
Totals:              17%                4.38 GB    988.43 MB   5.81 GB

I'm guessing this isn't good. How do I fix it?

Sent from my iPad
Re: [pfSense] Unbound vs stock
Add it to the pfSense DNS list. Remove it from DHCP etc. if it's used there.

On 12 July 2014 01:26, Brian Caouette bri...@dlois.com wrote:

So the fix to make it work the same would be to add 127.0.0.1 to resolv.conf manually?

Sent from my iPad

On Jul 11, 2014, at 6:19 PM, Dave Warren da...@hireahit.com wrote:

On 2014-07-11 10:04, Brian Caouette wrote:

Why is it unbound doesn't report DNS names for lightsquid and if I return to stock it does? In both of them I have enabled register static mappings, yet unbound doesn't give the time to lightsquid in the reports where stock does..

When you use dnsmasq, pfSense adds 127.0.0.1 to the top of resolv.conf, and therefore pfSense itself asks dnsmasq for local resolution and is able to resolve local hostnames. However, when you use unbound, dnsmasq is turned off, so pfSense itself is just using your configured DNS servers (or ISP DHCP provided ones, depending on configuration).

Assuming unbound does full resolution and doesn't forward, you can work around this by listing 127.0.0.1 as your primary DNS resolver in pfSense. However, if you do that, you'll have to make sure that pfSense isn't handing out these DNS server IPs to clients anywhere (DHCP server? OpenVPN?)

And if you have unbound forwarding, obviously you can't include 127.0.0.1 or unbound will forward to itself.

Finally, pointing to 127.0.0.1 will partially break upgrades since pfSense will come up without packages, and therefore without a DNS server, then it will find itself unable to find pfsense.org to download packages.

Ultimately the fix will be for pfSense to recognize unbound as a local DNS server and add it to resolv.conf by default, similar to dnsmasq.

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
Re: [pfSense] Host Connectivity on a Specific Subnet
You might take a look in /cf/conf/config.xml. If it persists it should originate from there. Just do a search for the IP.

On 12 July 2014 05:04, Stefan Maerz stefan.ma...@thecommunitypartnership.org wrote:

Thank you for the response Espen.

This was actually the approach I took (flushing ARP and resetting switches). It is a moot point now -- I came to the conclusion that I accidentally was spoofing the gateway interface using my Windows 7 MAC address. Darwin award winner? I think so. I misinterpreted "Insert my local MAC address" in the Interface Edit screen. I thought it meant local to the interface I was editing. Not so! Lesson learned! My poor network was almost as confused as I was.

However at this point I had not solved my original problem. I disabled my WAN interface just to see what would happen. This allowed me to ping my CentOS host. At that point it became clear to me that there was a routing issue -- taking down one interface causing another to start working seems like a pecking order issue to me. I had not checked the routing table before because the pfSense Wiki reads:

You do not need to add routes for networks which are directly connected to any interface of the firewall, and doing so may cause problems. You only need to define static routes for networks which cannot be reached via the default gateway.

I made the incorrect assumption that this statement implied that somehow no superfluous routes would be added, or if they existed they would automatically be removed. However for some reason it was configured to forward 10.144.1.8 to my WAN interface. A quick route del -host 10.144.1.8 and my network is 100% functional.

However, still one problem remains. The route del command is not persistent when I reboot. How do I get rid of it? System > Routing > Routes indicates that no static routes are set up. Is there a routing configuration file somewhere?

Best Regards,
-Stefan

On 7/11/2014 6:35 PM, Espen Johansen wrote:

Please provide a network drawing.

I suspect you have an ARP leak or a switch that needs to be restarted to clear its ARP cache. Restart the switch(es) with nothing connected and add the CentOS and pfSense only, and only after you have cleared both units' ARP cache (arp -d). Then take it from there.

HTH.
- LSF

On 11 July 2014 21:57, Stefan Maerz stefan.maerz@thecommunitypartnership.org wrote:

On 7/11/2014 2:03 PM, Stefan Maerz wrote:

On 7/10/2014 7:52 PM, Stefan Maerz wrote:

Hi everyone,

I have a problem I have been unable to solve all day (literally *all* day). My pfSense box has two LAN interfaces and a WAN interface. A CentOS 7.0 server is giving me grief on one of the subnets when configured as static or dynamic. When I put the problematic CentOS box on the other subnet (and change corresponding host network configurations), it works. The CentOS box also works when I put it on my trustworthy Linksys WRT router (again, changing host network settings along the way).

To me this smelled of a firewall problem, but there is nothing logged and I have both LAN interfaces set up to pass everything. Secondly I looked at DHCP for possible DHCP addressing conflicts, but the DHCP server is disabled on this subnet. TCPdump reveals that literally nothing is making it to the gateway interface, however at the same time the activity light on the interface blinks corresponding to my pings (there is no other traffic). Further confusing me is that I am able to get a static IP from other devices when I plug them into the problematic subnet.

Basically this single device does not work on this single subnet and that is the only problem. Other devices are fine on this subnet and this device is fine on other subnets. ...?

It is also worth noting that all the link lights are lighting up and the cables and switch have been tested to be working correctly. Nothing that I can see looks out of place in pfSense's logs.

Here are my host configuration files, all generated by CentOS's nmtui utility. I tried my own manual configurations with the same results (not working): http://pastebin.com/HFYYTG09 (possible typos -- this is hand written, my apologies if that is the case)

I am at a loss and have been at this all day. pfSense has so little to configure that I'm not really sure what I could have done wrong. I feel like it is something really simple
Re: [pfSense] Host Connectivity on a Specific Subnet
Only thing I can think of is that a package with a separate config file installs it. Do you have quagga/openbgp or any other routing package running/installed?

On 12 July 2014 23:58, Stefan Maerz stefan.ma...@thecommunitypartnership.org wrote:

Thanks again Espen.

I can't find anything in /cf/conf/config.xml related to this address *and* routing. The <staticroutes/> tag area is also empty, like the web configuration indicates.

more /cf/conf/config.xml | grep -n 10.144.1.8

outputs:

221:<dnsserver>10.144.1.8</dnsserver>
385:<ip>10.144.1.8</ip>
1055:<dns1>10.144.1.8</dns1>
1059:<ntp1>10.144.1.8</ntp1>
1061:<wins1>10.144.1.8</wins1>

Line 385 is related to a DNS forwarder.

I could write an init script to kill the route, but it seems it comes back every 20 minutes or so. And since I have no way of knowing precisely when the route is re-enabled, I would need to run a cronjob every second or so. And even that is not a great solution -- I'd reinstall before that. I'd really prefer a more elegant solution if possible.

Any other ideas? Am I searching for the wrong thing?

Best Regards,
-Stefan

On 7/12/2014 2:46 AM, Espen Johansen wrote:

You might take a look in /cf/conf/config.xml. If it persists it should originate from there. Just do a search for the IP.

On 12 July 2014 05:04, Stefan Maerz stefan.ma...@thecommunitypartnership.org wrote:

A quick route del -host 10.144.1.8 and my network is 100% functional. However, still one problem remains. The route del command is not persistent when I reboot. How do I get rid of it? System > Routing > Routes indicates that no static routes are set up. Is there a routing configuration file somewhere?
Re: [pfSense] Host Connectivity on a Specific Subnet
Other packages? OpenVPN? Please list all your installed packages and I'll have a look. Or remove them one by one until the automagic route add stops. You can always try to grep /* for the IP in question. But it might be part of a DB file for a pkg. It might not be plain text. Can't help you remotely as I'm on vacation with flaky 3G mobile.

On Sun, Jul 13, 2014 at 12:37 AM, Stefan Maerz stefan.ma...@thecommunitypartnership.org wrote:

No 3rd party routing installed.

-Stefan

On 7/12/2014 5:19 PM, Espen Johansen wrote:

Only thing I can think of is that a package with a separate config file installs it. Do you have quagga/openbgp or any other routing package running/installed?
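As an added example for the config.xml search in this thread (my code, not anything posted on the list): a Python walker that reports the element path of every hit for an IP, which tells you which section each hit belongs to where `grep -n` only gave a line number, plus a second pass that picks out the entries pfSense turns into host routes on its own (a gateway address, or a DNS server with a gateway selected under System > General Setup) even though nothing is listed under System > Routing > Routes. The config fragment is constructed, modelled on Stefan's grep output, with a gateway entry added to show the route case; the `dnsgwN` element name is my recollection of the pfSense 2.x schema and is an assumption.

```python
"""Search a pfSense config.xml for every element holding a given IP and
report the element path of each hit, then single out the entries pfSense
turns into host routes by itself.

Added example, not code from the list. SAMPLE_CONFIG is a constructed
fragment modelled on the grep hits in the thread (dnsserver, ip, dns1, ntp1,
wins1) with a gateway entry added; the dnsgwN element name is assumed."""
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <system>
    <hostname>fw</hostname>
    <dnsserver>10.144.1.8</dnsserver>
    <dnsserver>10.144.1.9</dnsserver>
    <dnsgw1>WANGW</dnsgw1>
    <dnsgw2>none</dnsgw2>
  </system>
  <dhcpd>
    <lan>
      <staticmap><mac>00:11:22:33:44:55</mac><ipaddr>10.144.1.50</ipaddr></staticmap>
      <dns1>10.144.1.8</dns1>
      <ntp1>10.144.1.8</ntp1>
      <wins1>10.144.1.8</wins1>
    </lan>
  </dhcpd>
  <dnsmasq>
    <hosts><host>dc1</host><domain>example.test</domain><ip>10.144.1.8</ip></hosts>
  </dnsmasq>
  <staticroutes/>
  <gateways>
    <gateway_item>
      <interface>wan</interface><gateway>10.144.1.8</gateway><name>WANGW</name>
    </gateway_item>
  </gateways>
</pfsense>
"""


def find_ip(config_xml, ip):
    """Return the path of every element whose text is exactly `ip`, with a
    1-based index among same-named siblings. Unlike `grep -n`, the path says
    which section of the config a hit belongs to."""
    root = ET.fromstring(config_xml)
    hits = []

    def walk(elem, path):
        counts = {}
        for child in elem:
            counts[child.tag] = counts.get(child.tag, 0) + 1
            child_path = "%s/%s[%d]" % (path, child.tag, counts[child.tag])
            if (child.text or "").strip() == ip:
                hits.append(child_path)
            walk(child, child_path)

    walk(root, root.tag)
    return hits


def route_sources(config_xml, ip):
    """Hits that make pfSense install a route for `ip` without any entry under
    System > Routing > Routes: a gateway address (host route over its
    interface), a DNS server with a gateway selected (host route via that
    gateway) and, for completeness, an explicit static route."""
    root = ET.fromstring(config_xml)
    sources = []
    for gw in root.iterfind("./gateways/gateway_item"):
        if (gw.findtext("gateway") or "").strip() == ip:
            sources.append("gateway %s on %s" % (gw.findtext("name"), gw.findtext("interface")))
    system = root.find("system")
    if system is not None:
        servers = [(d.text or "").strip() for d in system.iterfind("dnsserver")]
        for n, server in enumerate(servers, start=1):
            dns_gw = (system.findtext("dnsgw%d" % n) or "none").strip()
            if server == ip and dns_gw not in ("", "none"):
                sources.append("dnsserver %d via gateway %s" % (n, dns_gw))
    routes = root.find("staticroutes")
    for route in (routes if routes is not None else []):
        if ip in (route.findtext("network") or ""):
            sources.append("static route %s" % route.findtext("network"))
    return sources


if __name__ == "__main__":
    for path in find_ip(SAMPLE_CONFIG, "10.144.1.8"):
        print(path)
    print("route sources:", route_sources(SAMPLE_CONFIG, "10.144.1.8"))
```

To run it against a real box, read /cf/conf/config.xml into a string and pass it in place of SAMPLE_CONFIG.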
Re: [pfSense] ZFS warning message on local console during boot
ZFS = FS+LVM. It's efficient in many ways. It's highly resilient to things like silent data corruption (disk FW bugs, power spikes). It has on-the-fly checking and repair. Copy on write, snapshotting, NFSv4 native ACLs and a few more nice things. I don't understand the bashing?

-lsf

On 30 July 2014 21:44, Stefan Baur newsgroups.ma...@stefanbaur.de wrote:

On 30.07.2014 at 16:43, Vick Khera wrote:

On Wed, Jul 30, 2014 at 9:50 AM, Paul Mather p...@gromit.dlib.vt.edu wrote:

Personally, I think ZFS on i386 has become a losing proposition as of late. I ran a ZFS-on-root FreeBSD/i386 10-STABLE system with 2 GB of RAM and it appeared to become very flaky with ZFS in its latter months (I eventually switched it out for a FreeBSD/amd64 system).

I cannot fathom a sensible use case for using ZFS on pfSense at all.

I'm not consciously using ZFS for anything on pfSense, I *think* I performed the default install, but it could be using ntfs or vfat for all that I care. ;-)

So I don't know why it's trying to use that - is it normal for a default pfSense install or not? I just saw the warning message and was wondering what to do about it.

-Stefan
Re: [pfSense] ZFS warning message on local console during boot
Also remember that pfSense has had packages like FreeNAS (for some the ultimate all-in-one home device).

-lsf

On 30 July 2014 22:24, Paul Mather p...@gromit.dlib.vt.edu wrote:

On Jul 30, 2014, at 4:09 PM, Espen Johansen pfse...@gmail.com wrote:

ZFS = FS+LVM. It's efficient in many ways. It's highly resilient to things like silent data corruption (disk FW bugs, power spikes). It has on-the-fly checking and repair. Copy on write, snapshotting, NFSv4 native ACLs and a few more nice things. I don't understand the bashing?

I swear by ZFS on my regular FreeBSD systems (though I was having trouble with it on FreeBSD/i386 latterly). I don't think there's any bashing of ZFS per se, just a wondering why you'd use it on a firewall appliance that's basically a nanobsd setup at heart...

Cheers,

Paul.
Re: [pfSense] Dual IP nets over one ethernet connector
If you have a vlan capable switch (most managed switches can do this) then you can split one interface into several virtuals. Pfsense supports this. If not, a USB ethernet interface would be an option.

On 16 Aug 2014 19:48, Bob Gustafson bob...@rcn.com wrote: I have a small Alix board with only one Ethernet connector. It would be nice to pass packets from two different networks through that one Ethernet connector. I know it is possible, I'm just wondering whether pfsense can do it and whether anyone has some recipes for implementation. I would like to pass WAN packets (192.168.1.0/24) and LAN packets (192.168.2.0/24) through the same connector. pfsense would provide the NAT and firewalling within the box. Has anyone any experience with this? Bob G
Re: [pfSense] Dual IP nets over one ethernet connector
Not doable in a sensible way.

On 16 Aug 2014 20:06, Bob Gustafson bob...@rcn.com wrote: I'm interested in doing it all within the Alix using pfsense. A minimum hardware approach. Think of my WAN mentioned below as the LAN network created by the modem/router furnished by the ISP and the LAN mentioned below as devices also connected to the back end of the modem/router, but not accessible by the modem/router. Only by LAN/pfsense. Bob G

On 08/16/2014 12:53 PM, Oliver Hansen wrote: I would think it's pretty simple if you have a vlan capable switch. Just connect the router to the switch on a trunk port and other devices off of the switch on specific vlans.

On Aug 16, 2014 10:48 AM, Bob Gustafson bob...@rcn.com wrote: I have a small Alix board with only one Ethernet connector. It would be nice to pass packets from two different networks through that one Ethernet connector. I know it is possible, I'm just wondering whether pfsense can do it and whether anyone has some recipes for implementation. I would like to pass WAN packets (192.168.1.0/24) and LAN packets (192.168.2.0/24) through the same connector. pfsense would provide the NAT and firewalling within the box. Has anyone any experience with this? Bob G
Re: [pfSense] Dual IP nets over one ethernet connector
You would have to do a major code rewrite to get this done. And it would be insecure and it would make no pf sense :-) This is network basics. You don't seem to understand some network fundamentals. Sorry, but this is not doable without using vlans or 2 physical interfaces.

On 16 Aug 2014 20:06, Bob Gustafson bob...@rcn.com wrote: I'm interested in doing it all within the Alix using pfsense. A minimum hardware approach. Think of my WAN mentioned below as the LAN network created by the modem/router furnished by the ISP and the LAN mentioned below as devices also connected to the back end of the modem/router, but not accessible by the modem/router. Only by LAN/pfsense. Bob G

On 08/16/2014 12:53 PM, Oliver Hansen wrote: I would think it's pretty simple if you have a vlan capable switch. Just connect the router to the switch on a trunk port and other devices off of the switch on specific vlans.

On Aug 16, 2014 10:48 AM, Bob Gustafson bob...@rcn.com wrote: I have a small Alix board with only one Ethernet connector. It would be nice to pass packets from two different networks through that one Ethernet connector. I know it is possible, I'm just wondering whether pfsense can do it and whether anyone has some recipes for implementation. I would like to pass WAN packets (192.168.1.0/24) and LAN packets (192.168.2.0/24) through the same connector. pfsense would provide the NAT and firewalling within the box. Has anyone any experience with this? Bob G
Re: [pfSense] Dual IP nets over one ethernet connector
Nat traversal is trivial. Firewalling needs physical interfaces. Vlans are possible but vlan jumping is also possible. Vlans to do different zones (lan/wan, lan/dmz, dmz/wan) is not something I recommend, as vlan jumping can be done in most environments. In short: forget an idea where you firewall with a single interface. Even if this is only to play with at home. Just don't. A vanilla linux/bsd will let you shoot yourself in the foot. So you can do it there. But there are no firewalls that will allow this without 2 interfaces. Most require 2 physical, but some will allow for 2 or more vlans. Again, do not do it.

On 16 Aug 2014 22:13, Adam Thompson athom...@athompso.net wrote:

On 14-08-16 01:13 PM, Espen Johansen wrote: You would have to do a major code rewrite to get this done. And it would be insecure and it would make no pf sense :-) This is network basics. You don't seem to understand some network fundamentals. Sorry, but this is not doable without using vlans or 2 physical interfaces.

On 16 Aug 2014 20:06, Bob Gustafson bob...@rcn.com wrote: I'm interested in doing it all within the Alix using pfsense. A minimum hardware approach. Think of my WAN mentioned below as the LAN network created by the modem/router furnished by the ISP and the LAN mentioned below as devices also connected to the back end of the modem/router, but not accessible by the modem/router. Only by LAN/pfsense. Bob G

I would like to pass WAN packets (192.168.1.0/24) and LAN packets (192.168.2.0/24) through the same connector. pfsense would provide the NAT and firewalling within the box.

To clarify Espen's comments: yes, it is possible to run two subnets on the same wire. Any _router_ can route between two subnets on the same wire (or the same VLAN, same thing - technically the same broadcast domain). A _firewall_, however, will refuse to do so because it's nonsensical from a security perspective.

So pfSense is a router, yes, but it is also a firewall, and in areas where those two roles conflict, the firewall role wins. As previously pointed out, you can't usefully use pf(4) in the circumstance you describe. It is technically possible, on some platforms, to perform NAT between the two subnets. It would be possible, AFAIK, to manually craft a pf rule that does this; it is not possible to get the pfSense GUI to generate that rule. That's where the major code rewrite comes into play. I'm not aware of any firewall GUI that will let you do this - and for a good reason! By hooking your LAN up directly to the WAN, you're effectively eliminating 99% of the security a firewall gives you. (And, yes, it is possible to directly attack private IP addresses on most ISPs.) If you're determined to deploy this model, you'll have to run a bare OS that can route, i.e. Linux, OpenBSD, FreeBSD, etc. and configure the networking stack and NAT rules by hand. -- -Adam Thompson athom...@athompso.net
Re: [pfSense] Delete last Alias IP when CARP address in subnet
Export config. Edit. Then import.

On 18 Aug 2014 19:21, Adam Williams a...@spreedly.com wrote: Hello. I am running 2.1-RELEASE (built on Wed Sep 11 18:16:44 EDT 2013), which I believe includes the fix for the bug documented here https://redmine.pfsense.org/issues/2406, according to the release notes at https://redmine.pfsense.org/versions/5. In that ticket, it says: You can't remove the last IP alias on the subnet of a CARP IP because it'll break CARP, you have to delete the CARP IP first. The only exception being when the interface IP is on the CARP IP's subnet, which is also handled correctly. I believe I meet the only exception clause, since my WAN interface is configured for the same subnet of the CARP address. I have the following configuration:

```
<interfaces>
  <wan>
    <enable/>
    <if>em5</if>
    <descr><![CDATA[WAN]]></descr>
    <blockpriv/>
    <blockbogons/>
    <spoofmac/>
    <ipaddr>2.2.2.1</ipaddr>
    <subnet>28</subnet>
    <gateway>WANGW</gateway>
  </wan>
</interfaces>
<virtualip>
  <vip>
    <mode>carp</mode>
    <interface>wan</interface>
    <vhid>2</vhid>
    <advskew>0</advskew>
    <advbase>1</advbase>
    <password></password>
    <descr><![CDATA[CARP]]></descr>
    <type>single</type>
    <subnet_bits>28</subnet_bits>
    <subnet>2.2.2.9</subnet>
  </vip>
  <vip>
    <mode>ipalias</mode>
    <interface>wan</interface>
    <descr><![CDATA[Alias]]></descr>
    <type>single</type>
    <subnet_bits>28</subnet_bits>
    <subnet>2.2.2.10</subnet>
  </vip>
</virtualip>
```

However, I cannot delete this IP Alias, being given the message "This entry cannot be deleted because it is still referenced by a CARP IP with the description Alias." Of course, there is no CARP address with that description, so it seems to be referencing the Alias itself! It's interesting to note that the `subnet` element of the WAN interface is `28`, where the similarly named element of the VIP address is `2.2.2.10`, but the `subnet_bits` does match the `subnet` element of the interface. Does anyone know a workaround so that I can delete this IP Alias? Thanks!
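The rule quoted from the Redmine ticket above can be checked offline against the posted config. This is an added example, not pfSense's own code: it parses the config fragment with the Python standard library and applies the rule as the ticket states it (an ipalias VIP may be removed unless it is the last alias inside a CARP VIP's subnet, and even then removal is allowed when the interface's own address lies in that subnet). Element names are those of the posted config; the `<pfsense>` wrapper element and the helper names are assumptions so that the fragment parses as one document.

```python
"""Check the "last IP alias in a CARP subnet" rule against a config fragment.

Added example, not pfSense's own code. Applies the rule quoted from the
Redmine ticket in the thread to the virtualip section of a config.xml.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed from the configuration posted in the thread (angle brackets
# restored); the <pfsense> wrapper is assumed so the fragment parses.
CONFIG_XML = """<pfsense>
<interfaces>
  <wan>
    <if>em5</if>
    <descr><![CDATA[WAN]]></descr>
    <ipaddr>2.2.2.1</ipaddr>
    <subnet>28</subnet>
  </wan>
</interfaces>
<virtualip>
  <vip>
    <mode>carp</mode>
    <interface>wan</interface>
    <vhid>2</vhid>
    <advskew>0</advskew>
    <advbase>1</advbase>
    <descr><![CDATA[CARP]]></descr>
    <subnet_bits>28</subnet_bits>
    <subnet>2.2.2.9</subnet>
  </vip>
  <vip>
    <mode>ipalias</mode>
    <interface>wan</interface>
    <descr><![CDATA[Alias]]></descr>
    <subnet_bits>28</subnet_bits>
    <subnet>2.2.2.10</subnet>
  </vip>
</virtualip>
</pfsense>
"""


def parse_config(xml_text):
    """Return ({iface_name: ip_interface}, [vip dicts]) from a config fragment."""
    root = ET.fromstring(xml_text)
    ifaces = {}
    for node in root.find("interfaces"):
        cidr = f"{node.findtext('ipaddr')}/{node.findtext('subnet')}"
        ifaces[node.tag] = ipaddress.ip_interface(cidr)
    vips = []
    for vip in root.find("virtualip").findall("vip"):
        cidr = f"{vip.findtext('subnet')}/{vip.findtext('subnet_bits')}"
        vips.append({
            "mode": vip.findtext("mode"),
            "interface": vip.findtext("interface"),
            "descr": vip.findtext("descr"),   # CDATA text is returned as plain text
            "addr": ipaddress.ip_interface(cidr),
        })
    return ifaces, vips


def blocking_carp_vip(ifaces, vips, alias_descr):
    """Return the descr of the CARP VIP that forbids deleting the alias, else None."""
    alias = next(v for v in vips if v["mode"] == "ipalias" and v["descr"] == alias_descr)
    net = alias["addr"].network
    same_iface = [v for v in vips if v["interface"] == alias["interface"]]
    for carp in same_iface:
        if carp["mode"] != "carp" or carp["addr"].network != net:
            continue
        # Exception from the ticket: the interface address already covers the subnet.
        iface = ifaces.get(alias["interface"])
        if iface is not None and iface.network == net:
            continue
        # Another alias in the same subnet keeps the CARP VIP reachable after deletion.
        if any(v["mode"] == "ipalias" and v is not alias and v["addr"].network == net
               for v in same_iface):
            continue
        return carp["descr"]
    return None


def removal_verdict(xml_text, alias_descr, interface_override=None):
    """Verdict string; interface_override=(name, cidr) simulates another
    interface address without editing the XML (hypothetical helper)."""
    ifaces, vips = parse_config(xml_text)
    if interface_override is not None:
        name, cidr = interface_override
        ifaces[name] = ipaddress.ip_interface(cidr)
    blocker = blocking_carp_vip(ifaces, vips, alias_descr)
    return "deletable" if blocker is None else f"blocked by CARP VIP '{blocker}'"


if __name__ == "__main__":
    print("posted config:", removal_verdict(CONFIG_XML, "Alias"))
    print("WAN elsewhere:", removal_verdict(CONFIG_XML, "Alias", ("wan", "10.0.0.1/24")))
```

With the posted addresses (WAN 2.2.2.1/28, CARP 2.2.2.9/28, alias 2.2.2.10/28) the interface address sits in the CARP subnet, so the rule says the alias is deletable; the GUI message quoted above therefore looks like the edge-case bug the later reply mentions. Moving the WAN address to another subnet (the override) is the case the rule is meant to block.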
Re: [pfSense] Delete last Alias IP when CARP address in subnet
You can export only portions of the config. As for deleting the interface in the CLI without making the proper changes in the config XML, that is not something I would advise at all. If you are sure you know how to do it you can edit the running config. Then use the CLI to remove the VIP. If you want to do it cleanly I would suggest config edit followed by reboot, or config export/import. All this would be workarounds, since this seems to be a bug caused by an edge case. See the doc wiki or forum for proper XML edit procedures.

On 18 Aug 2014 20:16, Adam Williams a...@spreedly.com wrote: If it's that simple, I can use `viconfig` to delete the `ipalias` element, then in FreeBSD, simply remove the IP address from the WAN interface. I just am not terribly sure of the lifecycle of the config file.

On Mon, Aug 18, 2014 at 1:53 PM, Espen Johansen pfse...@gmail.com wrote: Export config. Edit. Then import.

On 18 Aug 2014 19:21, Adam Williams a...@spreedly.com wrote: Hello. I am running 2.1-RELEASE (built on Wed Sep 11 18:16:44 EDT 2013), which I believe includes the fix for the bug documented here https://redmine.pfsense.org/issues/2406, according to the release notes at https://redmine.pfsense.org/versions/5. In that ticket, it says: You can't remove the last IP alias on the subnet of a CARP IP because it'll break CARP, you have to delete the CARP IP first. The only exception being when the interface IP is on the CARP IP's subnet, which is also handled correctly. I believe I meet the only exception clause, since my WAN interface is configured for the same subnet of the CARP address.

I have the following configuration:

```
<interfaces>
  <wan>
    <enable/>
    <if>em5</if>
    <descr><![CDATA[WAN]]></descr>
    <blockpriv/>
    <blockbogons/>
    <spoofmac/>
    <ipaddr>2.2.2.1</ipaddr>
    <subnet>28</subnet>
    <gateway>WANGW</gateway>
  </wan>
</interfaces>
<virtualip>
  <vip>
    <mode>carp</mode>
    <interface>wan</interface>
    <vhid>2</vhid>
    <advskew>0</advskew>
    <advbase>1</advbase>
    <password></password>
    <descr><![CDATA[CARP]]></descr>
    <type>single</type>
    <subnet_bits>28</subnet_bits>
    <subnet>2.2.2.9</subnet>
  </vip>
  <vip>
    <mode>ipalias</mode>
    <interface>wan</interface>
    <descr><![CDATA[Alias]]></descr>
    <type>single</type>
    <subnet_bits>28</subnet_bits>
    <subnet>2.2.2.10</subnet>
  </vip>
</virtualip>
```

However, I cannot delete this IP Alias, being given the message "This entry cannot be deleted because it is still referenced by a CARP IP with the description Alias." Of course, there is no CARP address with that description, so it seems to be referencing the Alias itself! It's interesting to note that the `subnet` element of the WAN interface is `28`, where the similarly named element of the VIP address is `2.2.2.10`, but the `subnet_bits` does match the `subnet` element of the interface. Does anyone know a workaround so that I can delete this IP Alias? Thanks!
Re: [pfSense] Netgate APU2 SSD module question
I personally don't think you will have an issue with too many writes in a normal environment. Why squid though? If it's for filtering, fine. For acceleration and 3-6 persons it will most likely not do you much good. Also check MLC vs SLC. SLC based SSD will last longer. Approximately 10 times longer. And even more with the right write leveling tech. Just my 2 cents.

On 25 Aug 2014 19:32, Sergii Cherkashyn ser...@accurategroup.com wrote: I’m planning to purchase the Netgate APU2 with 16 GB mSATA SSD module for a small office (3-6 persons). Planning to install the Squid package on the firewall. Is this the kind of package that is still not recommended to run on the firewall with SSD because of intensive writes to the hard drive that dramatically reduce the life of the SSD hard drive? Or is the following forum discussion slightly outdated and the quality of SSDs has improved? Though there are many comments saying that SSD works great for them for many years. https://forum.pfsense.org/index.php?topic=34381.0 Best regards, Sergii Cherkashyn
Re: [pfSense] Netgate APU2 SSD module question
If I may... I think Ryan is confused about the usb part. The SD slot is an onboard slot but it's not connected/wired to the IDE/SATA bus, but rather it is connected to the USB bus just as an external usb card reader would be, but of course it's onboard and hardwired. Thus the confusion, I assume.

On 27 Aug 2014 20:01, Jim Thompson j...@netgate.com wrote: Ryan, I’m not sure what you’re asking. This thread started off with Sergii Cherkashyn asking if running on an SSD was advisable. Obviously, it works, or we wouldn’t offer it. (The thread Sergii pointed-to is from early 2011. Netgate did not ship SSDs for several years because the reliability *then* was so poor. The situation changed, and, once quality SSDs were available (*with power-fail capacitors, etc.*), we began offering same.) Then you jumped in asking (is) “SDHC slot on this board is simply for show?” I honestly thought you were trolling. Since there is a configuration of the APU units available for sale both at the Netgate store *and* the pfSense store (http://store.pfsense.org) that does not include a m-sata drive, how else could the system boot pfSense? Now you post on a public list, (a list about pfSense), asking me to change an unspecified page on (I assume), the Netgate site. Setting aside the whole issue of why we’re talking about this on-list, I can’t find the text that confused you. Here is what I found on the Netgate site: http://store.netgate.com/APU1C4.aspx says: “Boot from SD card (connected through USB), external USB or m-SATA SSD.” http://store.netgate.com/APU1C.aspx says: “Boot from SD card (connected through USB), external USB or m-SATA SSD.”

You may wish to note that this language exactly matches that found on the PC Engines site: “Boot from SD card (connected through USB), external USB or m-SATA SSD.” ref: http://pcengines.ch/apu.htm, and http://pcengines.ch/apu1c.htm, and page 9 of the schematic for the APU (http://pcengines.ch/schema/apu1c.pdf) clearly shows that the “SD card interface” runs through an Alcor Micro AU6465 (http://www.alcormicro.com/en_content/c_product/product_01b.php?CategoryID=7IndexID=19) to USB6 on the AMD T40 SoC. If you will be so kind as to make a specific request for change of the language you found confusing, I’ll take a look at it. You might even send such a request to me in-private, so as not to further clutter the list. Right now, I can’t find a problem. Jim

On Aug 27, 2014, at 9:26 AM, Ryan Coleman ryanjc...@me.com wrote: Understood. Thank you for the clarification. Would it be possible to have the description updated on the sales page? It only says you can boot via SD through USB. -- Ryan Coleman ryanjc...@me.com m. 651.373.5015 o. 612.568.2749

On Aug 27, 2014, at 9:24, Jim Thompson j...@netgate.com wrote: Yes, the system can be booted from an SD (or SDHC) card. Or from USB, or from the m-SATA. All of these require proper preparation of the requisite ‘disk’ (-like device). Jim

On Aug 27, 2014, at 9:21 AM, Ryan Coleman ryanjc...@me.com wrote: I understand *that* however it doesn't say on the features page it can be booted off the SD slot - is that true? If so I have to change a few quotes I have in play as they will need to get mSATA SSDs instead.

On Aug 27, 2014, at 9:20, Jim Thompson j...@smallworks.com wrote: The SD (SDHC describes some cards which work in the slot) card slot is a “base feature”. If people choose to fit a m-SATA drive, then they can. Or they can use the SD card socket. It’s not like we’re going to de-solder the SD card socket if it’s not going to be used. Neither are we going to carry two different SKUs (one with, one without). Jim

On Aug 27, 2014, at 7:57 AM, Ryan Coleman ryanjc...@me.com wrote: Why not answer the question?

On Aug 27, 2014, at 7:56, Jim Thompson j...@netgate.com wrote: Ryan, Don't troll.

On Aug 27, 2014, at 7:33 AM, Ryan Coleman ryanjc...@me.com wrote: Wait, so the SDHC slot on this board is simply for show?

On Aug 26, 2014, at 13:56, Sergii Cherkashyn ser...@accurategroup.com wrote: Thank you Espen, Squid is for filtering purposes only, not to save bandwidth. On Netgate they have only this SSD as an option. But I’ll keep your advice in mind. Best regards, Sergii Cherkashyn

Date: Mon, 25 Aug 2014 20:45:46 +0200 From: Espen Johansen pfse...@gmail.com To: pfSense support and discussion list@lists.pfsense.org Subject: Re: [pfSense] Netgate APU2 SSD module question Message-ID: caadq7-adzhlsv1p6rl7kwaaomaws1uqcet6fxa5ngdn8sl5...@mail.gmail.com Content-Type: text/plain; charset=utf-8 I personally don't think you will have an issue with too many writes in a normal environment. Why squid though? If it's for filtering, fine. For acceleration and 3-6 persons it will most likely not do you much good. Also check MLC vs SLC. SLC based
Re: [pfSense] Netgate APU2 SSD module question
Maybe just write (hardwired to USB6)?

On 27 Aug 2014 20:01, Jim Thompson j...@netgate.com wrote: Ryan, I’m not sure what you’re asking. This thread started off with Sergii Cherkashyn asking if running on an SSD was advisable. Obviously, it works, or we wouldn’t offer it. (The thread Sergii pointed-to is from early 2011. Netgate did not ship SSDs for several years because the reliability *then* was so poor. The situation changed, and, once quality SSDs were available (*with power-fail capacitors, etc.*), we began offering same.) Then you jumped in asking (is) “SDHC slot on this board is simply for show?” I honestly thought you were trolling. Since there is a configuration of the APU units available for sale both at the Netgate store *and* the pfSense store (http://store.pfsense.org) that does not include a m-sata drive, how else could the system boot pfSense? Now you post on a public list, (a list about pfSense), asking me to change an unspecified page on (I assume), the Netgate site. Setting aside the whole issue of why we’re talking about this on-list, I can’t find the text that confused you. Here is what I found on the Netgate site: http://store.netgate.com/APU1C4.aspx says: “Boot from SD card (connected through USB), external USB or m-SATA SSD.” http://store.netgate.com/APU1C.aspx says: “Boot from SD card (connected through USB), external USB or m-SATA SSD.” You may wish to note that this language exactly matches that found on the PC Engines site: “Boot from SD card (connected through USB), external USB or m-SATA SSD.” ref: http://pcengines.ch/apu.htm, and http://pcengines.ch/apu1c.htm, and page 9 of the schematic for the APU (http://pcengines.ch/schema/apu1c.pdf) clearly shows that the “SD card interface” runs through an Alcor Micro AU6465 (http://www.alcormicro.com/en_content/c_product/product_01b.php?CategoryID=7IndexID=19) to USB6 on the AMD T40 SoC.

If you will be so kind as to make a specific request for change of the language you found confusing, I’ll take a look at it. You might even send such a request to me in-private, so as not to further clutter the list. Right now, I can’t find a problem. Jim

On Aug 27, 2014, at 9:26 AM, Ryan Coleman ryanjc...@me.com wrote: Understood. Thank you for the clarification. Would it be possible to have the description updated on the sales page? It only says you can boot via SD through USB. -- Ryan Coleman ryanjc...@me.com m. 651.373.5015 o. 612.568.2749

On Aug 27, 2014, at 9:24, Jim Thompson j...@netgate.com wrote: Yes, the system can be booted from an SD (or SDHC) card. Or from USB, or from the m-SATA. All of these require proper preparation of the requisite ‘disk’ (-like device). Jim

On Aug 27, 2014, at 9:21 AM, Ryan Coleman ryanjc...@me.com wrote: I understand *that* however it doesn't say on the features page it can be booted off the SD slot - is that true? If so I have to change a few quotes I have in play as they will need to get mSATA SSDs instead.

On Aug 27, 2014, at 9:20, Jim Thompson j...@smallworks.com wrote: The SD (SDHC describes some cards which work in the slot) card slot is a “base feature”. If people choose to fit a m-SATA drive, then they can. Or they can use the SD card socket. It’s not like we’re going to de-solder the SD card socket if it’s not going to be used. Neither are we going to carry two different SKUs (one with, one without). Jim

On Aug 27, 2014, at 7:57 AM, Ryan Coleman ryanjc...@me.com wrote: Why not answer the question?

On Aug 27, 2014, at 7:56, Jim Thompson j...@netgate.com wrote: Ryan, Don't troll.

On Aug 27, 2014, at 7:33 AM, Ryan Coleman ryanjc...@me.com wrote: Wait, so the SDHC slot on this board is simply for show?

On Aug 26, 2014, at 13:56, Sergii Cherkashyn ser...@accurategroup.com wrote: Thank you Espen, Squid is for filtering purposes only, not to save bandwidth. On Netgate they have only this SSD as an option. But I’ll keep your advice in mind. Best regards, Sergii Cherkashyn

Date: Mon, 25 Aug 2014 20:45:46 +0200 From: Espen Johansen pfse...@gmail.com To: pfSense support and discussion list@lists.pfsense.org Subject: Re: [pfSense] Netgate APU2 SSD module question Message-ID: caadq7-adzhlsv1p6rl7kwaaomaws1uqcet6fxa5ngdn8sl5...@mail.gmail.com Content-Type: text/plain; charset=utf-8 I personally don't think you will have an issue with too many writes in a normal environment. Why squid though? If it's for filtering, fine. For acceleration and 3-6 persons it will most likely not do you much good. Also check MLC vs SLC. SLC based SSD will last longer. Approximately 10 times longer. And even more with the right write leveling tech. Just my 2 cents.
Re: [pfSense] Netgate APU2 SSD module question
For completeness' sake. Just to clarify. You can get SDHC cards that are SLC based. Pretty much everything called industrial grade SD/SDHC will be an SLC SSD in SD format.

Understood. Thank you for the clarification. Would it be possible to have the description updated on the sales page? It only says you can boot via SD through USB. -- Ryan Coleman ryanjc...@me.com m. 651.373.5015 o. 612.568.2749

On Aug 27, 2014, at 9:24, Jim Thompson j...@netgate.com wrote: Yes, the system can be booted from an SD (or SDHC) card. Or from USB, or from the m-SATA. All of these require proper preparation of the requisite ‘disk’ (-like device). Jim

On Aug 27, 2014, at 9:21 AM, Ryan Coleman ryanjc...@me.com wrote: I understand *that* however it doesn't say on the features page it can be booted off the SD slot - is that true? If so I have to change a few quotes I have in play as they will need to get mSATA SSDs instead.

On Aug 27, 2014, at 9:20, Jim Thompson j...@smallworks.com wrote: The SD (SDHC describes some cards which work in the slot) card slot is a “base feature”. If people choose to fit a m-SATA drive, then they can. Or they can use the SD card socket. It’s not like we’re going to de-solder the SD card socket if it’s not going to be used. Neither are we going to carry two different SKUs (one with, one without). Jim

On Aug 27, 2014, at 7:57 AM, Ryan Coleman ryanjc...@me.com wrote: Why not answer the question?

On Aug 27, 2014, at 7:56, Jim Thompson j...@netgate.com wrote: Ryan, Don't troll.

On Aug 27, 2014, at 7:33 AM, Ryan Coleman ryanjc...@me.com wrote: Wait, so the SDHC slot on this board is simply for show?

On Aug 26, 2014, at 13:56, Sergii Cherkashyn ser...@accurategroup.com wrote: Thank you Espen, Squid is for filtering purposes only, not to save bandwidth. On Netgate they have only this SSD as an option. But I’ll keep your advice in mind. Best regards, Sergii Cherkashyn

Date: Mon, 25 Aug 2014 20:45:46 +0200 From: Espen Johansen pfse...@gmail.com To: pfSense support and discussion list@lists.pfsense.org Subject: Re: [pfSense] Netgate APU2 SSD module question Message-ID: caadq7-adzhlsv1p6rl7kwaaomaws1uqcet6fxa5ngdn8sl5...@mail.gmail.com Content-Type: text/plain; charset=utf-8 I personally don't think you will have an issue with too many writes in a normal environment. Why squid though? If it's for filtering, fine. For acceleration and 3-6 persons it will most likely not do you much good. Also check MLC vs SLC. SLC based SSD will last longer. Approximately 10 times longer. And even more with the right write leveling tech. Just my 2 cents.
Re: [pfSense] Netgate APU2 SSD module question
All I'm saying is that a normal SLC cell can handle about 10 times more writes than an MLC if everything else is the same. And as far as I can tell, the ability to handle writes is the OP's main concern. An SLC based SDHC card will have about 10 times longer life span in that regard. If you want it perfect then sure, there are better options and technologies. I'm just trying to make the choice an easy one based on what the OP asked. There is always better, cheaper and faster tech just around the corner.

On 27 Aug 2014 21:26, Jim Thompson j...@smallworks.com wrote: SD cards are storage, but not “disks” nor “drives”. Beyond m-SATA, eMMC is your best option. Not only are they faster than SD cards (speeds of the larger devices rival those of traditional SSDs, as well as supporting a “TRIM”-like operation, priority interruptible READ and ERASE operations, background operations, and riding the cost-curve of cellular handsets (growing) vs. consumer point-and-shoot cameras (shrinking), etc.) (This, by the way, is a huge, huge ‘hint’.) (You may wish to read between the lines.) A lot of the SLC / MLC mythos is from before the days of JEDEC standards for endurance, advanced wear-leveling algorithms, and before a lot of the firmware engineers understood concepts such as “read disturbance”, “write disturbance”, and “ECC correction thresholds”. It’s certainly not as simple as you’re making it out to be. (This, again, is the big reason that Netgate stayed out of the early fracas around SSDs.) I’m not going to depend on what someone said in the forum over 3 years ago, since it’s unlikely to apply today. Jim

On Aug 27, 2014, at 1:32 PM, Espen Johansen pfse...@gmail.com wrote: For completeness' sake. Just to clarify. You can get SDHC cards that are SLC based. Pretty much everything called industrial grade SD/SDHC will be an SLC SSD in SD format.

Understood. Thank you for the clarification. Would it be possible to have the description updated on the sales page? It only says you can boot via SD through USB. -- Ryan Coleman ryanjc...@me.com m. 651.373.5015 o. 612.568.2749

On Aug 27, 2014, at 9:24, Jim Thompson j...@netgate.com wrote: Yes, the system can be booted from an SD (or SDHC) card. Or from USB, or from the m-SATA. All of these require proper preparation of the requisite ‘disk’ (-like device). Jim

On Aug 27, 2014, at 9:21 AM, Ryan Coleman ryanjc...@me.com wrote: I understand *that* however it doesn't say on the features page it can be booted off the SD slot - is that true? If so I have to change a few quotes I have in play as they will need to get mSATA SSDs instead.

On Aug 27, 2014, at 9:20, Jim Thompson j...@smallworks.com wrote: The SD (SDHC describes some cards which work in the slot) card slot is a “base feature”. If people choose to fit a m-SATA drive, then they can. Or they can use the SD card socket. It’s not like we’re going to de-solder the SD card socket if it’s not going to be used. Neither are we going to carry two different SKUs (one with, one without). Jim

On Aug 27, 2014, at 7:57 AM, Ryan Coleman ryanjc...@me.com wrote: Why not answer the question?

On Aug 27, 2014, at 7:56, Jim Thompson j...@netgate.com wrote: Ryan, Don't troll.

On Aug 27, 2014, at 7:33 AM, Ryan Coleman ryanjc...@me.com wrote: Wait, so the SDHC slot on this board is simply for show?

On Aug 26, 2014, at 13:56, Sergii Cherkashyn ser...@accurategroup.com wrote: Thank you Espen, Squid is for filtering purposes only, not to save bandwidth. On Netgate they have only this SSD as an option. But I’ll keep your advice in mind. Best regards, Sergii Cherkashyn

Date: Mon, 25 Aug 2014 20:45:46 +0200 From: Espen Johansen pfse...@gmail.com To: pfSense support and discussion list@lists.pfsense.org Subject: Re: [pfSense] Netgate APU2 SSD module question Message-ID: caadq7-adzhlsv1p6rl7kwaaomaws1uqcet6fxa5ngdn8sl5...@mail.gmail.com Content-Type: text/plain; charset=utf-8 I personally don't think you will have an issue with too many writes in a normal environment. Why squid though? If it's for filtering, fine. For acceleration and 3-6 persons it will most likely not do you much good. Also check MLC vs SLC. SLC based SSD will last longer. Approximately 10 times longer. And even more with the right write leveling tech. Just my 2 cents.
Re: [pfSense] understand the CARP advskew option
advbase: This optional parameter specifies how often, in seconds, to advertise that we're a member of the redundancy group. The default is 1 second. Acceptable values are from 1 to 255.

advskew: This optional parameter specifies how much to skew the advbase when sending CARP advertisements. By manipulating advskew, the master CARP host can be chosen. The higher the number, the less preferred the host will be when choosing a master. The default is 0. Acceptable values are from 0 to 254.

If advbase is long you can risk slow switchover in a failure situation. It needs to be a sensible time based on system load and network delay. However, network delay is normally not something you have to take into account. Skew will help you force one to become master by default. And if you have more than 2 hosts you can control primary, secondary, tertiary etc. Let's say you have a very fast primary, a slower older secondary, and an even slower older third. This way you can set primary to 1, secondary to 128 and third to 254 and they will be elected master based on this. I assume that is why you need both. Advbase should be the same on all hosts in a CARP group. Skew is something you would want to be different if you want to control which one will be active.

-lsf

On 11 Sep 2014 12:27, Martin T m4rtn...@gmail.com wrote:

Jim, thanks for the reply! So do you agree that it's not just the advskew value, but the system with lowest advbase+advskew value will take the master role? And it seems that advbase is byte number 40 and advskew is byte number 37 in CARP advertisements. For example in this CARP advertisement advbase is 2 (02) and advskew is 254 (fe):

0x0020: 0012 2122 fe07 0002 f66a 97c4 8a3a 47f9 ..!.j...:G.

Last but not least, I still don't quite understand why both advbase and advskew are available. One could determine the master/backup role solely with advbase, couldn't he?

thanks,
Martin

On 9/10/14, Jim Pingle li...@pingle.org wrote:

On 9/10/2014 5:15 AM, Martin T wrote:

1) Why does the message interval matter to CARP? Is CARP designed in a way that CARP prefers the system which announces CARP messages with the shortest interval?

Yes, the fastest advertisement wins the election and becomes master.

2) Why is advskew needed if one could determine the master/backup role solely with advbase?

See above. advbase is a base time added to the skew (+1 sec per base value). On slower networks you need to use a higher advbase on both to account for lag in local network equipment, such as when the two nodes are in different buildings or similar situations. Typically, base matches on both and you set the skew to give your preferred primary node preference.

Jim
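As an added illustration of the advbase/advskew discussion above (this is not code from the thread, from pfSense or from FreeBSD), the script below decodes the CARP header bytes from Martin's tcpdump line and ranks hosts the way the CARP advertisement timer does: the scheduled interval is advbase seconds plus advskew/256 seconds, and the fastest advertiser wins. It assumes an untagged Ethernet frame with a 20-byte IPv4 header, so the CARP header starts at 0-based offset 34 (Martin's "byte 37" and "byte 40" are the same positions counted from 1).

```python
# Added example (not code from the list thread or from pfSense/FreeBSD):
# decode the CARP advertisement bytes Martin posted and compare hosts by
# the advertisement interval that carp(4) actually schedules.
import struct
from dataclasses import dataclass

# The "0x0020:" line of Martin's tcpdump output. Offsets are 0-based from the
# start of the frame: 14 bytes of Ethernet + 20 bytes of IPv4 header = 34, so
# the CARP header starts at offset 34 and the first two bytes of this line
# (offsets 32 and 33) are still the tail of the IP header.
DUMP_LINE = "0012 2122 fe07 0002 f66a 97c4 8a3a 47f9"
DUMP_LINE_OFFSET = 0x20
CARP_OFFSET = 14 + 20  # assumption: untagged frame, no IP options


@dataclass(frozen=True)
class CarpHeader:
    version: int   # CARP version, 2
    type: int      # 1 = advertisement
    vhid: int      # virtual host id
    advskew: int   # 0..254, in units of 1/256 s
    authlen: int   # authentication data length in 32-bit words
    demotion: int  # demotion counter of the sender
    advbase: int   # 1..255, in whole seconds
    checksum: int  # CARP checksum (not verified here: the dump is truncated)

    def interval(self) -> float:
        """Seconds between advertisements: advbase + advskew/256."""
        return self.advbase + self.advskew / 256


def parse_carp_header(raw: bytes) -> CarpHeader:
    """Decode the fixed 8-byte prefix of a CARP header (network byte order)."""
    vt, vhid, advskew, authlen, demotion, advbase, cksum = struct.unpack("!BBBBBBH", raw[:8])
    return CarpHeader(version=vt >> 4, type=vt & 0x0F, vhid=vhid, advskew=advskew,
                      authlen=authlen, demotion=demotion, advbase=advbase, checksum=cksum)


def carp_from_dump_line(hex_words: str, line_offset: int) -> CarpHeader:
    """Locate the CARP header inside one tcpdump -x line and decode it."""
    raw = bytes.fromhex(hex_words.replace(" ", ""))
    return parse_carp_header(raw[CARP_OFFSET - line_offset:])


def election_order(hosts: dict) -> list:
    """Rank hosts the way CARP prefers them: the fastest advertiser wins.

    hosts maps a name to (advbase, advskew). Because advskew < 256, sorting
    by the (advbase, advskew) tuple is the same as sorting by interval().
    Equal intervals stay in insertion order; CARP's own handling of that
    case is not modelled here.
    """
    return sorted(hosts, key=lambda n: (hosts[n][0], hosts[n][1]))


if __name__ == "__main__":
    hdr = carp_from_dump_line(DUMP_LINE, DUMP_LINE_OFFSET)
    print(hdr)  # vhid=34, advskew=254, advbase=2, authlen=7
    print(f"interval {hdr.interval():.4f} s")
    # lsf's layout: same advbase everywhere, skew picks primary/secondary/tertiary
    print(election_order({"fast": (1, 1), "older": (1, 128), "oldest": (1, 254)}))
    # Why "lowest advbase+advskew" is not the rule: A has the larger sum but
    # still advertises slightly faster than B, so A is preferred.
    print(election_order({"B": (2, 0), "A": (1, 254)}))
```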
Re: [pfSense] Routing between LAN interfaces
This should work without any special magic. Can a PC on a VLAN segment ping the gateway and reach the internet? Also, did you configure the IP on the VLAN interface or the physical one? What does a traceroute show if you trace to an unreachable part? Does arp register hosts on the VLAN interface?

-lsf

On 12 Sep 2014 12:43, Niklas Fondberg nik...@vireone.com wrote:

From: Giles Coochey gi...@coochey.net

I'm not criticizing your choice of configuration, there is absolutely no reason not to use VLANs, however, in your design you appear to have a number of VLANs, but I didn't see that (at the moment) you actually showed a need to be using them (4 interfaces in total, one I assume is a WAN interface, three interfaces remaining, you say you are not using the default VLAN, and you have two VLANs plus an ILO subnet - so you could just use physical interfaces). dot1Q VLAN trunks on your interfaces is a good design, especially if you might want to add later VLANs to the design... VLANs complexify your needed configuration, and might be where other admins could trip up. Might be good to have a look at your routing table, on the diagnostics menu in the Web interface.

--
Regards,
Giles Coochey, CCNP, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 8444 780677
+44 (0) 7584 634135
http://www.coochey.net
http://www.netsecspec.co.uk
gi...@coochey.net

Hi Giles,

My routing table looks like this:

Destination          Gateway          Flags  Refs       Use    Mtu  Netif
default              178.78.221.93    UGS    0     25456153   1500  em0
10.0.0.0/24          link#10          U      0         2829   1500  em2_vlan2
10.0.0.1             link#10          UHS    0            0  16384  lo0
10.1.0.0/24          link#4           U      0         7927   1500  em3
10.1.0.1             link#4           UHS    0            0  16384  lo0
31.211.230.216/30    link#1           U      0            0   1500  em0
31.211.230.218       link#1           UHS    0            0  16384  lo0
84.246.88.10         178.78.221.93    UGHS   0        34164   1500  em0
84.246.88.20         178.78.221.93    UGHS   0        25712   1500  em0
127.0.0.1            link#7           UH     0        37469  16384  lo0
178.78.221.92/30     link#1           U      0       589543   1500  em0
178.78.221.94        link#1           UHS    0            0  16384  lo0
192.168.1.0/24       link#2           U      0          672   1500  em1
192.168.1.1          link#2           UHS    0            0  16384  lo0
192.168.2.0/24       link#9           U      0      1342636   1500  em1_vlan10
192.168.2.1          link#9           UHS    0            0  16384  lo0
192.168.10.0/24      192.168.10.2     UGS    0      2718508   1500  ovpns1
192.168.10.1         link#11          UHS    0            0  16384  lo0
192.168.10.2         link#11          UH     0           16   1500  ovpns1

I can't see anything wrong in the routing table EVEN if they are on different physical interfaces. I guess I could have all VLANs on one physical interface but that seems like another discussion and I still don't understand if this is why pfSense is struggling with the routing. Is it supposed to be supported?
Re: [pfSense] Adding Ethernetports
Check dmesg and pciconf -lv. If it's not seen at all then try different slots and try to verify that the card/slot is working.

-lsf

On Fri, Sep 19, 2014 at 4:31 PM, Brian Caouette bri...@dlois.com wrote:

I added a dual port NIC to my pfSense box and it doesn't show the additional ports. The new NIC doesn't show anywhere. I am using a PowerEdge 2850 and an Intel card. I am also using VMware on the machine. Any ideas what may be going on?
Re: [pfSense] Pftop confusion.
Run pftop in interactive mode (-i) then press capital K for who is peaking. Or capital B for byte amount sorting. Or try capital R for instant speed rate. See the man page for all options in interactive mode.

-lsf

On 24 Sep 2014 17:04, Muhammad Yousuf Khan sir...@gmail.com wrote:

Darkstat and bandwidthD are also showing per-IP total bandwidth use. What I want is live monitoring, not total bandwidth. I think pftop can help but I don't know how to understand the output. It is quite confusing. I even change the sorting type but it is not working as the sort order shows, because when I sort by RATE or Speed it shows a suspected IP on the top, but when I close the download on that host/client it always still shows on top. I need a tool like NTOP that works on the CLI and shows the same output as a Linux terminal console.

Thanks,
MYK

On Wed, Sep 24, 2014 at 7:55 PM, Muhammad Yousuf Khan sir...@gmail.com wrote:

Exactly, this is how I learned that my whole link is eaten by someone. Now I want to check which client is eating all the bandwidth. Traffic graph is showing whole link activity. What I want to find is which client IP is using most of it.

Thanks,
MYK

On Wed, Sep 24, 2014 at 7:33 PM, Oliver Hansen oliver.han...@gmail.com wrote:

Status - Traffic Graph is where I usually look in the GUI.

On Sep 24, 2014 7:25 AM, Muhammad Yousuf Khan sir...@gmail.com wrote:

Hi guys, actually I want to check which IP is using most of the internet traffic. I find pftop a bit confusing; I tried changing sorting via o but it is still confusing me. Can you guys please guide me how I can view live monitoring? What I want to check is which one host is eating up the whole bandwidth.

Thanks,
MYK
Re: [pfSense] Https blocking
Sorry. That just means you are incompetent at your job. There is no way in h...l you can demand others to do your job. We are all here for free. Buy a pfSense support agreement and pay for it! People like you annoy me.

-lsf

On 24 Sep 2014 19:22, A Mohan Rao mohanra...@gmail.com wrote:

Hello, if you really are an expert then please resolve my problem. I have done all the things but still people can access blocked websites in pfSense.

On Sep 24, 2014 9:50 PM, Ryan Coleman ryanjc...@me.com wrote:

You've asked this question many times and we've given many options for resolving it but you keep coming back.

https://duckduckgo.com/?q=blocking+torrents+in+pfsense
https://duckduckgo.com/?q=blocking+facebook+in+pfsense
https://doc.pfsense.org/index.php/Blocking_websites
https://forum.pfsense.org/index.php?topic=36274.0

A little web searching will go a long way.

On 9/24/2014 11:10 AM, A Mohan Rao wrote:

Actually, due to employees wasting time, management needs to block these sites. If you have any solutions please give them. I would really appreciate it.

On Sep 24, 2014 9:00 PM, Ryan Coleman ryanjc...@me.com wrote:

Block port 443 in the Firewall rules outbound - no need for a transparent proxy. That said - why do you need to block them? Because you're snooping 100% of the traffic to see what people are reading/sending?

On 9/24/2014 10:16 AM, A Mohan Rao wrote:

How can I completely and properly block https facebook, torrentz, exe downloads and proxy sites through a transparent proxy?

Thanks
Mohan
Re: [pfSense] Reports
You can install time based access control apps on most devices. Same goes for time based rules. I use this for the kids.

On 26 Sep 2014 21:23, Brian Caouette bri...@dlois.com wrote:

Is there a way to do a weekly report based on MAC address showing times used, total time and date for the period? Trying to prove a point how much the kids use and that they are still online after bedtime.

Sent from my iPad
Re: [pfSense] States Issue with Asterisk behind pfSense
If this is to be implemented it should be a tick box on each interface. Dropping all states if you want to move a cable/reroute it is not a good idea. This needs to be user controllable or only affect the interface if is_interface_type=pppoe. Just my 2 cents.

-lsf

On 28 Sep 2014 19:19, Hannes Werner jgoe...@gmail.com wrote:

I would like to repeat Vassilis' questions: Has this been implemented? Could this be implemented? Do the pfSense devs need some more info? Can we help with testing?

On Sat, Sep 27, 2014 at 1:02 PM, Vassilis V. bigracc...@gmx.net wrote:

ADSL over PPPoE with constantly changing IPs is the standard in some countries; we do not have such connections because we chose them and we like the challenge.. Reading again the whole bug report, there seem to be a lot of people affected by this and Tom De Coninck has made a lot of effort to figure out what might be the issue. In the last post of Tom, he comes to a very exact conclusion: I think this proves that pfSense not only needs to kill states on 'WAN DOWN', but also on 'WAN UP'. I can't see how it could work otherwise. Has this been implemented? Could this be implemented? Do the pfSense devs need some more info? Can we help with testing?

Vassilis

Hannes Werner wrote on 26.09.2014 22:53:

Thanks Vassilis, I have these settings already - without any success.

On Fri, Sep 26, 2014 at 9:03 PM, Vassilis V. bigracc...@gmx.net wrote:

Hannes Werner wrote on 26.09.2014 16:51:

Thank you very much Giles, but unfortunately it doesn't help. Anyone here who is using Asterisk behind pfSense on a dynamic IP WAN successfully?

Hello Hannes! I have also used Asterisk behind a dynamic PPPoE WAN. I had the exact same issues that the bug report is describing. I tried different ways to get it to work and I found that some solutions work with some providers, but fail at others. There seems to be a lot of black magic involved when configuring SIP to work in such a configuration :) What worked best was to set nat=no and externip=the local Asterisk IP. I had also not done any port forwards whatsoever on pfSense; outgoing NAT was set to automatic. I certainly cannot explain why it was working that way! Hope it helps!

Vassilis
Re: [pfSense] Snort as IPS in Pfsense
You might want to use Google instead of relying on others. Maybe try to do your own homework?

https://www.google.no/url?sa=tsource=webrct=jei=faYpVJXTH6XGygP554LYBQurl=https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricata_Snorby_and_Barnyard2_set_up_guidecd=1ved=0CBwQFjAAusg=AFQjCNFUY-LZh__z8odZ4G5SwA3s1vGGIAsig2=HKTMIqME00rmj7mj-CHBrQ

On 29 Sep 2014 20:34, Roberto Carna robertocarn...@gmail.com wrote:

Dear Ivo and people, just three short questions:

1) Using Suricata, can I enable the IPS mode as I can using Snort???
2) In IPS mode, do I have to have 3 interfaces in my server???
3) Is the only way to view the IPS blocking events from inside pfSense, or can I use Snorby???

Thanks again,
Roberto

2014-09-29 14:37 GMT-03:00 Ivo Tonev i...@tonev.pro.br:

Use suricata

On Sep 29, 2014 2:27 PM, Roberto Carna robertocarn...@gmail.com wrote:

Dear, I need to know if it's possible to set up pfSense with Snort to get an IPS (Intrusion Prevention System), and in this case what is the graphical interface used to view events and dropped traffic.

Thanks a lot,
Roberto
Re: [pfSense] Snort as IPS in Pfsense
Depends on what you want. A split design is normally better and safer than an all-in-one box. If you want Suricata + Snorby and Barnyard it's not recommended to run it all on pfSense. There are many deps. that will cause a security nightmare and you will probably run out of hw resources as well.

OK, thanks, the last please: Do you recommend installing an IPS in a Virtual Machine like VMware??? Because we have VMware for all our servers.

Regards,

2014-09-29 15:39 GMT-03:00 Anastasios Stefos anastasios.ste...@gmail.com:

Roberto, here is a good place to start regarding Suricata or Snort.

http://www.linux.org/threads/suricata-the-snort-replacer-part-1-intro-install.4346/

---
Anastasios Stefos
αίέν άριστεύειν

On Mon, Sep 29, 2014 at 2:34 PM, Roberto Carna robertocarn...@gmail.com wrote:

Dear Ivo and people, just three short questions:

1) Using Suricata, can I enable the IPS mode as I can using Snort???
2) In IPS mode, do I have to have 3 interfaces in my server???
3) Is the only way to view the IPS blocking events from inside pfSense, or can I use Snorby???

Thanks again,
Roberto
Re: [pfSense] Snort as IPS in Pfsense
Why bridge? Do you want to hide everything? It's not that hard to fingerprint a pfS bridge. If you have practical reasons, sure, go ahead.

On 29 Sep 2014 21:28, Roberto Carna robertocarn...@gmail.com wrote:

Ok, and do you recommend setting up the pfSense WAN and LAN interfaces in bridge mode with firewall rules enabled???

Really thanks,
Roberto

2014-09-29 16:15 GMT-03:00 Espen Johansen pfse...@gmail.com:

Depends on what you want. A split design is normally better and safer than an all-in-one box. If you want Suricata + Snorby and Barnyard it's not recommended to run it all on pfSense. There are many deps. that will cause a security nightmare and you will probably run out of hw resources as well.
Re: [pfSense] Snort as IPS in Pfsense
If all you want is an IPS then I don't understand what you need pfS for. There are tons of setup guides for a Linux flavour of choice to get this setup done. You can even build a hogwash-like setup if you like.

On 29 Sep 2014 21:38, Roberto Carna robertocarn...@gmail.com wrote:

Ivo, I want to locate the IPS between the router and the corporate firewall, so I think using bridge mode is correct???

2014-09-29 16:34 GMT-03:00 Ivo Tonev i...@tonev.pro.br:

I recommend using router mode.

On Sep 29, 2014 4:29 PM, Roberto Carna robertocarn...@gmail.com wrote:

Ok, and do you recommend setting up the pfSense WAN and LAN interfaces in bridge mode with firewall rules enabled???

Really thanks,
Roberto
Re: [pfSense] Adding Ethernetports
Bridge to LAN.

On 3 Oct 2014 18:05, Brian Caouette bri...@dlois.com wrote:

Just wanted to thank those of you who replied. Finally got the card noticed in pfSense. Had to use the add hardware feature on the VM. Now the problem is getting it to route traffic. I am able to ping the two ports from the pfSense diag menu but am not able to ping outside the network. I did create a rule to pass all traffic but still nothing. Is there something special I need to do to get the two new ports to work? Also, is there a way to have the DHCP range the same as the LAN so that it works like a consumer off-the-shelf router? Basically additional ports in the same net range.

On 9/19/2014 1:37 PM, Adam Thompson wrote:

There's also the unofficial VMware ESXi white-box HCL, but it hasn't really been updated since v4.x. Agreed that if this is anything more than a test system, stick with the HCL and a support contract. Been there, done that, have the scars to prove it ...

-Adam

On September 19, 2014 12:18:31 PM CDT, Paul Beriswill paul.berisw...@pdfcomplete.com wrote:

I have had mixed results trying to find support for hardware that is not on the VMware HCL and often spend way too much time hunting for solutions. You are *much* better off sticking with officially supported hardware. That being said, this link *may* have the drivers that you are looking for ...

https://my.vmware.com/web/vmware/details?downloadGroup=DT-ESXI55-INTEL-IGB-42168productId=353

Should probably take this to one of the VMware support groups.

Paul

On 09/19/2014 11:28 AM, Brian Caouette wrote:

Yes, VM. I do not see the card listed there either. I do not understand VM and all the plugs and drivers. Can you point me in the right direction?

On 9/19/2014 11:17 AM, Paul Beriswill wrote:

Your pfSense is running on a VM ... correct? Does VMware recognize the NIC? I know some versions of ESX need custom drivers for even some Intel NICs.

Paul

--
Paul Beriswill
PDF Complete Inc | www.pdfcomplete.com
550 Club Drive, Ste. 477 | Montgomery, TX 77316
512.263.0868 x 707 direct | paul.berisw...@pdfcomplete.com
http://www.pdfcomplete.com/

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
Re: [pfSense] Adding Ethernetports
pfSense > Interfaces > add bridge, and add LAN and your new interfaces to it. You will then have multiple LAN interfaces acting the same as your LAN. Or the same as a router with multiple LAN ports would.

On 3 Oct 2014 18:42, Brian Caouette bri...@dlois.com wrote:

Where do I find that? Which of my issues does it solve?

On 10/3/2014 12:08 PM, Espen Johansen wrote:

Bridge to LAN.
Re: [pfSense] pfsense crash dump
Is this a RAID? Seen this on Dells with PERC/megaraid controllers when they run the scheduled BBU test.

On 13 Oct 2014 18:44, Mark Loza ml...@morphlabs.com wrote:

Hi, pfSense is running fine for now. Is there any pfSense package with which I can perform a live test on the drive?

On 10/14/14 12:09 AM, Aaron C. de Bruyn wrote:

To me, it looks like a disk issue:

mfi0: 35354 (465709273s/0x0002/info) - Patrol Read corrected medium error on PD 02(e0x20/s2) at 1692f3e4
mfi0: 35355 (465709275s/0x0002/info) - Unexpected sense: PD 02(e0x20/s2) Path 539358c92146, CDB: 2f 00 16 92 f3 e5 00 10 00 00, Sense: 1/00/00

You might want to download something like The Ultimate Boot CD and use the manufacturer's test tools on your drive.

-A

On Sun, Oct 12, 2014 at 11:43 PM, Mark Loza ml...@morphlabs.com wrote:

Hi, can anyone happen to know what's up with this crash dump in pfSense http://sprunge.us/CGDH ? Actually, this already happened twice: the first crash happened approximately 30 days ago and the second occurred yesterday. I suspect this might be a disk issue. Thanks in advance to those who would help me determine the real cause.
Re: [pfSense] pfsense crash dump
This can be several things. Bad controller/memory on the controller. Bad BBU. Or simply bad drive(s). Also check if this occurs when the controller performs BBU tests. (If the BBU is bad then the controller switches to write-through mode and strange things can happen.) HTH.

On 13 Oct 2014 19:27, Mark Loza ml...@morphlabs.com wrote:

Does this have something to do with a faulty PERC controller?

On 10/14/14 1:29 AM, Mark Loza wrote:

Yes, a hardware RAID, and pfSense is physically running on a Dell PE R515 machine.

On 10/14/14 12:49 AM, Espen Johansen wrote:

Is this a RAID? Seen this on Dells with PERC/megaraid controllers when they run the scheduled BBU test.
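The two mfi(4) controller events quoted in both crash-dump threads above are the kind of lines worth catching before the box panics. The following is an added example, not pfSense or FreeBSD code: it parses event lines in that format, decodes the SCSI sense key and the CDB opcode/LBA (standard SCSI values), and counts media-health events per physical disk. The "Patrol Read started" line in the sample is constructed so the filter has something to ignore.

```python
# Added example: parse mfi(4) event lines like the ones in the thread and
# count media-health events per physical disk. Not pfSense/FreeBSD code.
import re
from collections import Counter, defaultdict
from typing import Optional

# Sample input: the two lines quoted in the thread plus one constructed
# informational "Patrol Read started" line.
SAMPLE_LOG = """\
mfi0: 35353 (465709270s/0x0002/info) - Patrol Read started on PD 02(e0x20/s2)
mfi0: 35354 (465709273s/0x0002/info) - Patrol Read corrected medium error on PD 02(e0x20/s2) at 1692f3e4
mfi0: 35355 (465709275s/0x0002/info) - Unexpected sense: PD 02(e0x20/s2) Path 539358c92146, CDB: 2f 00 16 92 f3 e5 00 10 00 00, Sense: 1/00/00
"""

EVENT_RE = re.compile(
    r"^(?P<ctrl>mfi\d+): (?P<seq>\d+) "
    r"\((?P<secs>\d+)s/(?P<locale>0x[0-9a-fA-F]+)/(?P<cls>\w+)\) - (?P<msg>.+)$"
)
PD_RE = re.compile(r"PD (?P<pd>\d+\(e0x[0-9a-fA-F]+/s\d+\))")
SENSE_RE = re.compile(r"Sense: (?P<key>[0-9a-fA-F]+)/(?P<asc>[0-9a-fA-F]{2})/(?P<ascq>[0-9a-fA-F]{2})")
CDB_RE = re.compile(r"CDB: (?P<cdb>[0-9a-fA-F]{2}(?: [0-9a-fA-F]{2})*)")

# Standard SCSI sense keys and a few opcodes the controller logs.
SENSE_KEYS = {0x0: "NO SENSE", 0x1: "RECOVERED ERROR", 0x2: "NOT READY",
              0x3: "MEDIUM ERROR", 0x4: "HARDWARE ERROR", 0x5: "ILLEGAL REQUEST",
              0x6: "UNIT ATTENTION", 0xB: "ABORTED COMMAND"}
OPCODES = {0x28: "READ(10)", 0x2A: "WRITE(10)", 0x2F: "VERIFY(10)"}


def parse_mfi_event(line: str) -> Optional[dict]:
    """Split one mfi event line into fields; None if it is not an mfi event."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["seq"] = int(ev["seq"])
    ev["secs"] = int(ev["secs"])
    pd = PD_RE.search(ev["msg"])
    ev["pd"] = pd.group("pd") if pd else None
    sense = SENSE_RE.search(ev["msg"])
    ev["sense_key"] = int(sense.group("key"), 16) if sense else None
    cdb = CDB_RE.search(ev["msg"])
    ev["cdb"] = bytes.fromhex(cdb.group("cdb").replace(" ", "")) if cdb else None
    return ev


def describe_cdb(cdb: bytes) -> str:
    """Name the opcode and, for 10-byte READ/WRITE/VERIFY, the LBA it touched."""
    name = OPCODES.get(cdb[0], f"opcode 0x{cdb[0]:02x}")
    if cdb[0] in OPCODES and len(cdb) >= 10:
        lba = int.from_bytes(cdb[2:6], "big")  # bytes 2-5 of a 10-byte CDB
        return f"{name} at LBA 0x{lba:x}"
    return name


def classify(ev: dict) -> str:
    """Map an event to media_error, recovered, hardware or info."""
    if "medium error" in ev["msg"].lower():
        return "media_error"
    key = SENSE_KEYS.get(ev["sense_key"], "") if ev["sense_key"] is not None else ""
    if key == "MEDIUM ERROR":
        return "media_error"
    if key == "RECOVERED ERROR":
        return "recovered"
    if key == "HARDWARE ERROR":
        return "hardware"
    return "info"


def summarize(lines, threshold: int = 2) -> dict:
    """Count health events per physical disk; flag disks at or above threshold."""
    per_pd = defaultdict(Counter)
    for line in lines:
        ev = parse_mfi_event(line)
        if ev is None or ev["pd"] is None:
            continue
        cat = classify(ev)
        if cat != "info":
            per_pd[ev["pd"]][cat] += 1
    suspects = sorted(pd for pd, c in per_pd.items() if sum(c.values()) >= threshold)
    return {"per_pd": {pd: dict(c) for pd, c in per_pd.items()}, "suspects": suspects}


if __name__ == "__main__":
    for raw in SAMPLE_LOG.splitlines():
        ev = parse_mfi_event(raw)
        if ev and ev["cdb"]:
            print(ev["pd"], classify(ev), describe_cdb(ev["cdb"]))
    print(summarize(SAMPLE_LOG.splitlines()))
```

Two events on the same physical disk (a corrected medium error at LBA 0x1692f3e4 followed by a recovered-error sense on the verify of the next LBA) are enough to put PD 02 on the suspect list; a real deployment would feed syslog into summarize() and alert on that list.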
Re: [pfSense] little problem with pfsense
Just a hunch. Did you by any chance drop UDP port 137/138 traffic between client and DHCP server? As in, is this traffic allowed? Try tcpdump and check for requests from a problem machine. You might block something Win7 has decided it needs. MS tends to have strange/unexpected needs ;) -lsf

Hi Everyone,

This is the first time I write a message here and maybe this is not the place; if I should write this in a forum please let me know...

I am a very happy user of pfSense but right now I have a little problem, let me explain:

I'm using the last stable version. I have the DHCP server enabled and some static leases for some of my hosts. Until here nothing special :)

There are different domains in this network so I have to set different DNS servers and domain search suffixes. My hosts are heterogeneous: there are Win7, Win8, Mac, smartphones, tablets... When I create a lease reservation in the DHCP settings and the machine connects, it obtains the right parameters, so everything is OK, but in fact it's NOT :(

What happens (only for the Win7 hosts, the others are perfect, bad Win7, nasty nasty) after a few seconds, and especially when you launch IE, is that Win7 seems to make some kind of new DHCP request although it already has its IP address, and then it loses all its specific parameters, DNS servers, DNS search suffix... it only keeps its IP and GW address...

After a lot of searching I found it has to deal with some kind of proxy search that initiates a new incomplete request, and when you add in your DHCP options « 252 \n », which basically says to Windows: stop asking, there is no proxy, period!, Win7 keeps its good parameters but sometimes it loses them again (I couldn't identify precisely when...)

The 252 option is a workaround, but the solution would be that dhcpd gives the whole parameters every time it is requested to, no? Is it a bug? Am I doing something wrong?

Please, I really need help on this.

Best regards,

PS: Sorry for my English, I hope you'll understand me.

Jean-Laurent Ivars
Responsable Technique | Technical Manager
22, rue Robert - 13007 Marseille
Mobile: 06.52.60.86.47 - Tel: 09 84 56 64 30 - Fax: 09 89 56 64 30
Linkedin http://fr.linkedin.com/in/jlivars/ | Viadeo http://www.viadeo.com/fr/profile/jean-laurent.ivars | www.ipgenius.fr
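To check what lsf and Jean-Laurent are discussing, a capture of the Win7 client's DHCP traffic has to be decoded far enough to see the message type, the parameter request list and option 252. The following added example (not from the thread, pfSense or ISC dhcpd) builds constructed DHCPINFORM/ACK frames and parses their options, flagging WPAD (option 252) requests and replies and an ACK that omits DNS servers; the frames, addresses and the tutu.local WPAD URL are constructed for the example.

```python
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_PAD, OPT_DNS, OPT_DOMAIN, OPT_MSG_TYPE, OPT_PARAM_REQ, OPT_WPAD, OPT_END = 0, 6, 15, 53, 55, 252, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE", 5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


def build_dhcp(op, xid, ciaddr, options):
    """Build a minimal BOOTP/DHCP frame (used here only to construct test input)."""
    fixed = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0)  # op, htype=Ethernet, hlen, hops, xid, secs, flags
    fixed += ciaddr + b"\x00" * 12                            # ciaddr, then yiaddr/siaddr/giaddr zeroed
    fixed += b"\x00" * (16 + 64 + 128)                        # chaddr, sname, file
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return fixed + DHCP_MAGIC + body + bytes([OPT_END])


def parse_options(frame):
    """Return {code: bytes} from the options field; repeated codes are concatenated (RFC 3396)."""
    if len(frame) < 240 or frame[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP frame")
    opts, i = {}, 240
    while i < len(frame):
        code = frame[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 2 > len(frame):
            raise ValueError("truncated option header")
        length = frame[i + 1]
        val = frame[i + 2:i + 2 + length]
        if len(val) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = opts.get(code, b"") + val
        i += 2 + length
    return opts


def analyse(frame):
    """Classify the message, list requested options, decode DNS servers (option 6)
    and flag WPAD (option 252) activity in either direction."""
    opts = parse_options(frame)
    msg_type = MSG_TYPES.get(opts.get(OPT_MSG_TYPE, b"\x00")[0], "UNKNOWN")
    requested = list(opts.get(OPT_PARAM_REQ, b""))
    dns_raw = opts.get(OPT_DNS, b"")
    dns = [".".join(str(b) for b in dns_raw[i:i + 4]) for i in range(0, len(dns_raw) - 3, 4)]
    findings = []
    if msg_type == "INFORM" and OPT_WPAD in requested:
        findings.append("client requests WPAD (option 252) via DHCPINFORM")
    if OPT_WPAD in opts:
        url = opts[OPT_WPAD].strip(b"\x00\r\n ")
        if url:
            findings.append("server supplies proxy auto-config URL %r (verify it is the one you configured)"
                            % url.decode("ascii", "replace"))
        else:
            findings.append("server supplies empty option 252 (the 'no proxy' workaround from the thread)")
    if msg_type == "ACK" and not dns:
        findings.append("ACK carries no DNS servers (option 6)")
    return {"type": msg_type, "requested": requested, "dns": dns, "findings": findings}


CLIENT_IP = bytes([192, 168, 1, 50])
# Constructed: a DHCPINFORM like the one the Win7 client sends after it already holds a lease;
# the parameter request list is a typical Windows one and includes 252.
WIN7_INFORM = build_dhcp(1, 0x3903F326, CLIENT_IP, [
    (OPT_MSG_TYPE, b"\x08"),
    (OPT_PARAM_REQ, bytes([1, 15, 3, 6, 44, 46, 47, 31, 33, 121, 249, 252])),
])
# Constructed: a server ACK that answers only with the "252 \n" workaround and nothing else.
ACK_WORKAROUND = build_dhcp(2, 0x3903F326, CLIENT_IP, [
    (OPT_MSG_TYPE, b"\x05"),
    (OPT_WPAD, b"\n"),
])
# Constructed: a server ACK carrying DNS servers, a domain and a real WPAD URL.
ACK_FULL = build_dhcp(2, 0x3903F326, CLIENT_IP, [
    (OPT_MSG_TYPE, b"\x05"),
    (OPT_DNS, bytes([192, 168, 1, 1, 192, 168, 1, 2])),
    (OPT_DOMAIN, b"tutu.local"),
    (OPT_WPAD, b"http://wpad.tutu.local/wpad.dat"),
])

if __name__ == "__main__":
    for name, frame in (("INFORM", WIN7_INFORM), ("ACK workaround", ACK_WORKAROUND), ("ACK full", ACK_FULL)):
        print(name, analyse(frame))
```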
Re: [pfSense] little problem with pfsense
Tcpdump and you will know the answer to that.

On 24 Nov 2014 13:35, Jean-Laurent Ivars <jl.iv...@ipgenius.fr> wrote:

Well, thank you for your answer; this is exactly the same result as when I set option 252 with null parameters in the DHCP (WindowsProxyAutodiscoveryDetection). But this is a workaround; the real question is why the DHCP server is not providing the right settings?

Jean-Laurent Ivars
Responsable Technique | Technical Manager
22, rue Robert - 13007 Marseille
Mobile: 06.52.60.86.47 - Tel: 09 84 56 64 30 - Fax: 09 89 56 64 30
Linkedin | Viadeo | www.ipgenius.fr

On 24 Nov 2014 at 13:24, Doug Lytle <supp...@drdos.info> wrote:

> What happens (only for the Win7 hosts, the others are perfect, bad Win7, nasty nasty) after a few seconds, and especially when you launch IE, is that Win7 seems to make some kind of new DHCP request

Just a hunch. On the Windows 7 machine, go into Control Panel -> Internet Options -> Connections tab -> LAN Settings and uncheck 'Automatically Detect Settings'.

Doug
Re: [pfSense] little problem with pfsense
(tcpdump output of the client's HTTPS session to par03s14-in-f23.1e100.net omitted)
^C
190 packets captured
190 packets received by filter
0 packets dropped by kernel

--
Jean-Laurent Ivars
Responsable Technique | Technical Manager
22, rue Robert - 13007 Marseille
Mobile: 06.52.60.86.47 - Tel: 09 84 56 64 30 - Fax: 09 89 56 64 30
Linkedin http://fr.linkedin.com/in/jlivars/ | Viadeo http://www.viadeo.com/fr/profile/jean-laurent.ivars | www.ipgenius.fr

On 24 Nov 2014 at 13:56, Espen Johansen <pfse...@gmail.com> wrote:

Tcpdump and you will know the answer to that.

On 24 Nov 2014 13:35, Jean-Laurent Ivars <jl.iv...@ipgenius.fr> wrote:

Well, thank you for your answer; this is exactly the same result as when I set option 252 with null parameters in the DHCP (WindowsProxyAutodiscoveryDetection). But this is a workaround; the real question is why the DHCP server is not providing the right settings?

Jean-Laurent Ivars
Responsable Technique | Technical Manager
22, rue Robert - 13007 Marseille
Mobile: 06.52.60.86.47 - Tel: 09 84 56 64 30 - Fax: 09 89 56 64 30
Linkedin | Viadeo | www.ipgenius.fr

On 24 Nov 2014 at 13:24, Doug Lytle <supp...@drdos.info> wrote:

> What happens (only for the Win7 hosts, the others are perfect, bad Win7, nasty nasty) after a few seconds, and especially when you launch IE, is that Win7 seems to make some kind of new DHCP request

Just a hunch. On the Windows 7 machine, go into Control Panel -> Internet Options -> Connections tab -> LAN Settings and uncheck 'Automatically Detect Settings'.

Doug
Re: [pfSense] Gold hangout - what time?
It should be... I also had to think twice about it. CMB, maybe you can note that for the future?

On 25 Nov 2014 17:16, Adam Thompson <athom...@athompso.net> wrote:

On 14-11-25 10:14 AM, Espen Johansen wrote:

> https://blog.pfsense.org
>
> On 25 Nov 2014 17:11, Adam Thompson <athom...@athompso.net> wrote:
>> I'm looking, but I can't find anywhere what *time* the Gold hangout is going to be (or was...) today. Anyone know? Thanks.

I was expecting the time to be shown somewhere in the portal, like maybe along with the joining instructions or the date... *grumble* too many communications channels.

--
-Adam Thompson
athom...@athompso.net
Re: [pfSense] Message could not be delivered
It's not from the list. Sender is spoofed. -lsf

On 26 Jan 2015 10:28, Geoff Jankowski <geoff.jankow...@me.com> wrote:

Am I the only person to receive this? It contains a .scr file which would not do anything to me but will to any gamers out there. I hope the list's address has not been compromised for other scammers to use.

--
Geoff
+44 20 7100 1092 / +44 7770 58 48 38 / +33 5 46 97 13 89 / +33 6 22 93 00 53

On 26 Jan 2015, at 03:41, Bounced mail <mailer-dae...@lists.pfsense.org> wrote:

> Dear user of lists.pfsense.org, We have detected that your e-mail account has been used to send a large amount of spam during this week. Obviously, your computer was compromised and now contains a trojan proxy server. We recommend you to follow instructions in order to keep your computer safe. Sincerely yours, lists.pfsense.org technical support team.
> [attachment: letter.zip]

___ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] Visual seperators?
A separator might make sense. But grouping and hiding rules is a bad idea based on my experience. A tree structure that is always collapsed is annoying when you need an overview of all rules. And defaulting to an expanded look will just act as a separator. Imho interface tabs act as grouping enough. And a separator line on floating rules might make sense in some cases. If one would implement a rule type called separator, it could be highlighted in the view based on its type. I believe that all rules affecting an interface should be seen in plain view. To me this smells like you wish for over-engineering. Just my 2 cents.

On 10 Feb 2015 22:10, kpolb...@olberg.name wrote:

On 02/10/2015 07:04 PM, Christoph Hanle wrote:

> On 10.02.2015 14:44, kpolb...@olberg.name wrote:
>> Hi, Is there any possibility to create groups or otherwise have separators between rules on the firewall page? Basically what I'm trying to do is make it easier to see which rules are connected; could be based on host or service. So it would be nice to have some sort of visual separator to create a group.
>
> Hi KP, I am doing this by creating disabled rules and having as description the description of the next rules. To differ from real disabled rules a "-" at the end is helpful. Not the perfect separator, but a doable workaround.
> Bye, Christoph

Hi, A bit disappointing, but at least I wasn't just blind :) What I was hoping for was like a horizontal separator across the whole table, maybe even a way of expanding / collapsing a group.

-kp
Re: [pfSense] VIPs : CARP vs IP Alias
My bad. The IP can be in the same subnet as well as in a different subnet. As far as a true alias goes it is not implemented afaik. Try ifconfig in a shell and see if your aliases are listed as IPs on the interface. If they were, they would respond to ping and have a derived MAC from the main interface, and the firewall itself would be able to use them. https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses Just try the ifconfig command and you will see what I mean. Forget what the GUI says.

Brgds, Espen

On 9 Mar 2015 12:13, Brian Candler <b.cand...@pobox.com> wrote:

I guess it's time for me to dig out the actual configurations to settle this.

* the box with a proxy ARP VIP is running pfSense-2.0.1. (OK, it's probably due an upgrade, but when things just work they tend to be left alone :-) The WAN address is x.x.x.6/28, and the proxy ARP virtual IP is x.x.x.7/32 (i.e. it *is* in the same subnet)

* the box with an IP alias VIP is pfSense-2.1. (Also due an upgrade :-) It is actually part of a failover pair. The WAN addresses are y.y.y.{229,230}/28 and the WAN-CARP interface is y.y.y.228/28. The IP Alias interface is y.y.y.238/28 and attached to the WAN-CARP interface. I think I did it this way so that the alias moved with the CARP master.

In both cases the alias is being used for NAT, and it's working fine, i.e. happily responding to ARP from the upstream router.

The thing to note about the configuration is that the Proxy ARP VIP has a /32 netmask (so it only responds to one address) and the IP Alias VIP has a /28 netmask (to match the subnet it is aliased on).

Regards, Brian.
Re: [pfSense] VIPs : CARP vs IP Alias
Just noticed that 2.0 had this fixed. I read the link on my mobile and my eyes hurt reading that table. It seems a proper alias is there, and that means proxy ARP should no longer be used, as it was done as a workaround for the missing alias functionality. Then I think Brian is right regarding the MAC/ARP timeout. And if so, a reboot of pfSense and router/modem should clear that up quickly. If the modem is a true bridge then you might have to wait for the uplink router to update its ARP table. I have had issues with that in the past.

Brgds, Espen

On 9 Mar 2015 12:24, Espen Johansen <pfse...@gmail.com> wrote:

My bad. The IP can be in the same subnet as well as in a different subnet. As far as a true alias goes it is not implemented afaik. Try ifconfig in a shell and see if your aliases are listed as IPs on the interface. If they were, they would respond to ping and have a derived MAC from the main interface, and the firewall itself would be able to use them. https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses Just try the ifconfig command and you will see what I mean. Forget what the GUI says.

Brgds, Espen

On 9 Mar 2015 12:13, Brian Candler <b.cand...@pobox.com> wrote:

I guess it's time for me to dig out the actual configurations to settle this.

* the box with a proxy ARP VIP is running pfSense-2.0.1. (OK, it's probably due an upgrade, but when things just work they tend to be left alone :-) The WAN address is x.x.x.6/28, and the proxy ARP virtual IP is x.x.x.7/32 (i.e. it *is* in the same subnet)

* the box with an IP alias VIP is pfSense-2.1. (Also due an upgrade :-) It is actually part of a failover pair. The WAN addresses are y.y.y.{229,230}/28 and the WAN-CARP interface is y.y.y.228/28. The IP Alias interface is y.y.y.238/28 and attached to the WAN-CARP interface. I think I did it this way so that the alias moved with the CARP master.

In both cases the alias is being used for NAT, and it's working fine, i.e. happily responding to ARP from the upstream router.

The thing to note about the configuration is that the Proxy ARP VIP has a /32 netmask (so it only responds to one address) and the IP Alias VIP has a /28 netmask (to match the subnet it is aliased on).

Regards, Brian.
Re: [pfSense] VIPs : CARP vs IP Alias
Brian, as a former pfSense dev (5 years) and a FreeBSD kernel/interface dev for 15, I do know how it works. Alias IPs have worked at least since FreeBSD 4. But in pfSense it was apparently added in 2.0. As I said, I haven't messed with interface aliases since 2007-ish. You still did not get what I told you, though. If ifconfig shows multiple IPs it is a true alias. If not, then they are something else.

Brgds, Espen

On 9 Mar 2015 12:51, Brian Candler <b.cand...@pobox.com> wrote:

On 09/03/2015 11:24, Espen Johansen wrote:

> As far as a true alias goes it is not implemented afaik. Try ifconfig in a shell and see if your aliases are listed as IPs on the interface.

wan_vip102: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
        inet y.y.y.228 netmask 0xfffffff0
        inet y.y.y.238 netmask 0xfffffff0
        carp: MASTER vhid 102 advbase 1 advskew 0

That's how FreeBSD works (i.e. ifconfig vm0 alias x.x.x.x/x). If you were expecting to see vm0:0, that's a Linux-ism.
Re: [pfSense] VIPs : CARP vs IP Alias
Actually you can't use proxy ARP as it has a limit affecting you. Proxy ARP IPs can't be in the same subnet. Sorry. CARP is what you want/need. As for your issue with not reaching the firewall when WAN is down, that is probably something else. What you really want is an alias IP on the interface, and pfSense does not support this even if the underlying FreeBSD does. There were (are?) reasons for this, but the last time I tried to implement that was in 2006/2007 so I don't recall why we decided not to implement it. There were several reasons iirc.

Brgds, Espen

On 9 Mar 2015 11:34, Matthias May <matth...@may.nu> wrote:

On 09/03/15 11:23, Brian Candler wrote:

> On 09/03/2015 10:10, Bryan D. wrote:
>> Nope, it's a fully functioning setup (has been, in this form, for a few years) ... just wanted to switch off CARP VIPs since I'm not using failover. The only question is why won't IP Alias VIPs replace the CARP VIPs?
>
> If these extra addresses belong on the firewall's outside (WAN) subnet, then they need to respond to ARP. As far as I can see, both Proxy ARP VIP and IP Alias VIP ought to work for this. I have one firewall with a similar setup here (extra public IP for inbound NAT), and it uses a Proxy ARP VIP. And I have another firewall which is using an IP Alias VIP, in this case attached to a WAN-CARP interface. Both are working. As long as all these NAT rules are attached to the WAN interface, and your VIP is also attached to the WAN interface, I can't see why it wouldn't work.
>
> As others have said - changing the type while the firewall is running might break things. Possibly deleting it and then re-adding it would be better, but that's only a guess. If minimising downtime is important then simulate the configuration in a virtual environment first.
>
> Regards, Brian.

A CARP address has its own MAC. The IP alias shares the MAC of its parent interface. If you change this while running, your upstream routers/switches will have the wrong MAC address for your IP cached. Sending a GARP might help with this. Or simply wait for the caches to expire. (This can take a long time.)

Best regards, Matthias
Re: [pfSense] VIPs : CARP vs IP Alias
On 9 Mar 2015 11:52, Brian Candler <b.cand...@pobox.com> wrote:

> On 09/03/2015 10:47, Espen Johansen wrote:
>> Actually you can't use proxy ARP as it has a limit affecting you. Proxy ARP IPs can't be in the same subnet. Sorry.
>
> Are you sure? I have a pfSense box where it's working.

For 2.2 I'm not sure, but it used to be a limit afaik.

>> What you really want is an alias IP on the interface and pfSense does not support this even if the underlying FreeBSD does this.
>
> Are you sure? I have another pfSense box where that's working too.

Check ifconfig em0 or whatever your WAN if is, from the diag or SSH shell, and see if the interface has all the alias IPs. I'm pretty sure, yes. The whole reason for adding proxy ARP was that a normal alias was hard to implement. Iirc one reason was that any change to an alias would take down the WAN interface and all aliases during config commit.

>> There were (are?) reasons for this but the last time I tried to implement that was in 2006/2007
>
> You don't think there's any possibility pfSense has changed or improved since then?

I haven't read up on ifconfig in that regard for a long time, so maybe. I'm not an active dev anymore, so that is for Chris B or Ermal or others to answer.
Re: [pfSense] Have you set up a system with no default route?
Are you going to load a full internet BGP routing table? Is that why you do not want a default? Remember that even if you have a default route, any route that is more specific will take preference. I don't see the problem. And if you want to prevent any unknown IP destination being routed to your uplink providers, I guess you can set a default GW that is part of an unrouted VLAN with a bogus IP. That way all unknown traffic is routed to an unreachable destination. HTH.

Brgds, Espen

On 10 Mar 2015 13:21, Shannon Gernyi <shannon.ger...@xsv.com.au> wrote:

Hi Mark - this is exactly what I'm seeing - and it would be fine if there were a way to not set a static default. Unfortunately, when unchecking the Default gateway box in the system routing menu, this selection isn't honoured.

Cheers, Shannon
https://www.linkedin.com/in/shannongernyi

--
From: Mark Tinka <mark.ti...@seacom.mu>
To: list@lists.pfsense.org
Sent: Tuesday, 10 March, 2015 10:19:30 PM
Subject: Re: [pfSense] Have you set up a system with no default route?

On 10/Mar/15 10:21, Shannon Gernyi wrote:

> Hi Guys, First time poster to the list - I've spent some time searching without too much luck. Could be ambiguity in my search queries. I'm putting out some new firewalls shortly, and like many already in place, I'll be using OpenBGPd to interface with our provider. I'd like to also make use of BGP for internal failover to an alternate route; however, it's become evident that it's not within design to be able to have no default router selected as a static route. This is causing issues as we receive a default announcement from our providers, and I'd also like to use default announcements for alternate paths, etc.; however OpenBGPd doesn't seem to want to override the already configured static route. Have you come up against this, and if so, what hackery did you do to work around it?

I haven't used OpenBGPd, but in general routing, static routing trumps dynamic routing on a well-engineered platform. This could be what you're seeing.

Mark.
Re: [pfSense] VIPs : CARP vs IP Alias
I believe the key to this is proxy ARP.

Brgds, Espen

On 8 Mar 2015 23:50, Bryan D. <pfse...@derman.com> wrote:

While we're on the topic, I have a functioning v2.2 setup that uses a /29 set of static IPs:
- 1 IP is the gateway address and 5 IPs are usable (quite common, I believe)
- one of the usable IPs is assigned to the WAN interface
- the other 4 usable IPs are assigned to VIPs
- the WAN IP and VIPs have various port-forward and NAT rules associated with them
- the WAN IP and 2 of the VIPs serve 3 different domains (e.g., web, email, VPN -- servers are behind the firewall on an isolated LAN)
- one of the other VIPs is used by mobile VPNs (IPsec and OpenVPN)

All this works nicely ... as long as the VIPs are CARP VIPs. However, since I'm not using any fail-over/redundancy, I don't think I should require CARP VIPs (and I suspect that using CARP VIPs is the reason that, when the cable modem goes down, I can't get at the pfSense webConfigurator until I unplug the WAN cable ... it's OK after I plug it back in, even if the cable modem is still down, but it does need to be unplugged???).

My interpretation of the nice chart and notes on https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses leads me to believe that I can switch the CARP VIPs to be IP Alias VIPs. However, when I do that, the 2 servers for the 2 domains tied to the VIPs are no longer accessible from the Internet (but IIRC, the mobile VPNs still work).

Can anyone suggest what it is that I don't understand (well, limited to this behavior, at least)?
Re: [pfSense] PF 2.15 Release (AMD64) Gateway Monitoring with OSPF
Based on what you described I'm pretty sure you missed the part that pfSense does not support ECMP and thus will only accept a single default kernel route. In other words it can't be done and, to be honest, a single pfSense receiving 2 default routes does not give you any redundancy except 2 interfaces. One of them needs to be the default box anyway and all you can do is policy routing. I would remove OSPF between the front routers and pfSense and set it up as load-balancing dual WAN. That is the only solution that makes sense. The front routers need an interconnect so that they will handle a GW failure, and OSPF itself would clear the routes in case of a WAN failure after OSPF loses its neighbour. This will create failover and redundancy on your WAN as well as the ability to policy route based on cost. And you can enable GW monitoring if you do it this way. You will of course need to static route the path to the monitoring IP on your front routers so that each front router will always send it out on the correct WAN. Hth.

Brgds, Espen

On 8 Mar 2015 00:06, Espen Johansen <pfse...@gmail.com> wrote:

Let me see if I understand this correctly. You have 2 WANs on your pfSense box. You get a single kernel route from OSPF? OSPF needs to export its learned routes. And since you export the default route to pfSense, the boxes in front actually do the route selection and pfSense only has a single route to one of the two boxes in front? You need a kernel with ECMP enabled (options RADIX_MPATH). I believe that your routers are actually doing the path selection and that of your two WANs only one is used. This might be completely wrong, but based on what little information you provided this sounds like the issue.

Brgds, Espen

On 7 Mar 2015 23:45, Espen Johansen <pfse...@gmail.com> wrote:

I don't understand what you want to accomplish. And I don't think others do either. If you explain more maybe I can be of assistance :-)

On 7 Mar 2015 21:25, Wade Blackwell <wa...@bablam.com> wrote:

Anyone? Bueller?

Wade Blackwell
Solutions Architect
(D) 805.457.8825 (C) 805.400.8485 (S) coc.wadeblackwell

On 6 March 2015 at 10:44, Wade Blackwell <wa...@bablam.com> wrote:

Good morning all, I currently have a PF VM being used as my core L3 device for a small site. No static routes being used, just OSPF. I have two devices in front of the core sending default-information originate with varying weights to prefer the faster connection, one for each carrier. I'd like to be able to add a gateway monitor, on the core, without a kernel route being installed, as it renders the OSPF routes useless. It appears that even if I uncheck default the kernel route still gets installed. Is this possible? Thanks. -W

Wade Blackwell
Solutions Architect
(D) 805.457.8825 (C) 805.400.8485 (S) coc.wadeblackwell
Re: [pfSense] msk or em Legacy?
Intel em is normally what I prefer. Whether it's old or not does not matter that much. Just my 2 cents.

On 22 Feb 2015 00:17, Joe Laffey <j...@laffey.tv> wrote:

Hi, Which would you favor: the msk driver with some onboard Marvell controllers (P6T Deluxe) or the em driver with a Legacy 10.4 Intel card? This is what it says in dmesg... Legacy. Thanks!

--
Joe Laffey
The Stable Visual Effects
http://TheStable.tv/?e37579M/
Re: [pfSense] best way to change WAN interface after migration
In the past I have edited a config backup and restored it. Maybe there are better ways, but find and replace in an editor does the trick :-)

Brgds, Espen

On 11 Apr 2015 20:46, Martin Fuchs <mar...@fuchs-kiel.de> wrote:

Hi! Does anyone have any experience with changing WAN interfaces? We migrated our CARP cluster from one provider to another. On em1 we have provider-old and on em7 we have provider-new. The old provider will switch off his connection soon. We changed the gateways and everything, but, be it a cosmetic issue or not, how can I change the WAN interface (as set up in the console) from em1 to em7 without losing any config? Can I use the console to change it without any harm? What will happen to the attached rules?

Regards, Martin
Re: [pfSense] Using on Fiber
Any chance you have set something in the shaper that causes it?

On Fri, 5 Jun 2015, 17:43, Ryan Coleman <ryan.cole...@cwis.biz> wrote:

On Jun 5, 2015, at 10:12 AM, Brennan H. McNenly <bmcne...@singularisit.com> wrote:

>> And those of you with VMware experience... if I run the virtual firewall I would need to have at least a VMware Essentials license to come close to the throughput, right? Since the IOPs are capped at something like 10MB/sec in the free version.
>
> There are no IOP or throughput limits on the free version of the ESXi hypervisor. The VMware Essentials license gets you vSphere, which can be used to manage up to three ESXi hosts. This also lets you set up an HA cluster with those hosts. Otherwise you can run ESXi stand-alone for free without vSphere and without any performance limits.

Hmm. I wonder why my file transfers never exceed 10MB/sec then... I've been trying to migrate many TB of data via SCP to the datastore, but I also have similar caps when doing FTP over the LAN to a server. If there's someone here that would be interested in giving me a hand with this off list I'd be most appreciative. Moving 13TB of data at 10MB/sec has been very challenging.
Re: [pfSense] Documentation about Firewall Lookup Process, State Table, Firewall Rules Table
Don't double post please.

Brgds,
Espen

On 3 Jun 2015 15:00, Lukas Hubschmid <lukas.hubsch...@pop.agri.ch> wrote:
> Hello everybody,
>
> Is there any documentation about:
> * the process of how the pfSense firewall handles packets (lookup in firewall rules, lookup in state table, add new state, ...), e.g. a flow chart
> * how the firewall rules are being (data structure)
> * how the connection states are being (data structure)
>
> Any hints are greatly appreciated!
>
> KR,
> Lukas
Re: [pfSense] Documentation about Firewall Lookup Process, State Table, Firewall Rules Table
pfSense is based on OpenBSD's PF (PacketFilter) and runs FreeBSD as its base OS. That should give you enough to google how it works. Also remember that this is open source and everything is freely available. The source code tells you everything there is to know ;-)

Good luck :-)

On Wed, 3 Jun 2015 14:33, Lukas Hubschmid (s) <lukas.hubsch...@students.fhnw.ch> wrote:
> Hello everybody,
>
> Is there any documentation about:
> * the process of how the pfSense firewall handles packets (lookup in firewall rules, lookup in state table, add new state, ...), e.g. a flow chart
> * how the firewall rules are being (data structure)
> * how the connection states are being (data structure)
>
> Any hints are greatly appreciated!
>
> KR,
> Lukas
Re: [pfSense] reverse proxy situation
Exclude Varnish; it's primarily made as a frontend LB proxy.

On Sun, 31 May 2015 15:32, Adam Thompson <athom...@athompso.net> wrote:
> Oh, shoot, that's a good point - I probably do need SNI support for SSL. I may be able to get a wildcard cert, but that will be an issue one way or another.
>
> Varnish doesn't support SSL at all, although I could theoretically do it with stunnel and a wildcard cert.
> Squid does support SSL, but appears to require a wildcard cert. Squid3 *may* support SNI, can't tell.
> Haproxy supports SNI; hopefully the pfSense package is new enough to include that.
> Apache supports SNI, supposedly.
>
> So I'm still left with an (overly, IMHO) large list. I could also just port-forward TCP/{80,443} to a host behind the firewall and do everything there, too.
>
> Argh, too many options, not enough clarity on which packages are supported vs. which ones are semi-orphaned.
>
> -Adam
>
> On May 30, 2015 11:12:01 PM CDT, Travis Hansen <travisghan...@yahoo.com> wrote:
>> If you're looking for a pure proxy frontend I'd stick with haproxy or apache (I use haproxy). haproxy provides load balancing and can do other things besides strictly http(s), such as pure tcp and transparent proxy stuff. Apache provides some things like mod_rewrite (I assume the pfsense build comes with that) etc. that aren't easily done with haproxy. I could be wrong, but if you're looking for SSL offloading (I ensure all traffic goes over SSL) varnish and squid would be out of the picture.
>>
>> Travis Hansen
>> travisghan...@yahoo.com
>>
>> On Saturday, May 30, 2015 8:25 PM, Adam Thompson <athom...@athompso.net> wrote:
>>> I need to run a reverse proxy on a pfSense gateway - multiple websites, one public IP, the usual reason.
>>> However, I see there's a larger selection available than the last time I looked. It appears we now have:
>>> * Apache w/mod_security-dev v0.43 / 0.22
>>> * haproxy-1_5 v0.23
>>> * haproxy-devel v0.24
>>> * Proxy Server w/mod_security v0.1.7 / 0.22.999
>>> * squid
>>> * squid3
>>> * varnish3
>>>
>>> 1. Have I missed any?
>>> 2. Are Apache w/mod_security-dev and Proxy Server w/mod_security essentially the same thing?
>>> 3. For relatively simple cases (straightforward hostname-to-internal-IP mapping), is there any compelling reason to use one over another on pfSense 2.2 today?
>>>
>>> FWIW, this firewall is relatively underpowered (PowerEdge 1750, dual 2.4GHz P4-era Xeons).
>>>
>>> --
>>> -Adam Thompson
>>> athom...@athompso.net
>>> +1 (204) 291-7950 - cell
>>> +1 (204) 489-6515 - fax
>
> --
> Sent from my Android device with K-9 Mail. Please excuse my brevity.
Re: [pfSense] reverse proxy situation
Actually, are you looking for a reverse proxy or a user proxy? I'm confused after reading your mail a few times.

Brgds,
Espen

On 31 May 2015 15:35, Espen Johansen <pfse...@gmail.com> wrote:
> Exclude Varnish; it's primarily made as a frontend LB proxy.
>
> On Sun, 31 May 2015 15:32, Adam Thompson <athom...@athompso.net> wrote:
>> Oh, shoot, that's a good point - I probably do need SNI support for SSL. I may be able to get a wildcard cert, but that will be an issue one way or another. [...]
Re: [pfSense] Block Torrentz
Focus on layer 7. Most torrent clients use dynamic ports. And disable UPnP, as that will defeat the port blocking as well.

-lsf

On Tue, 18 Aug 2015 21:21, A Mohan Rao <mohanra...@gmail.com> wrote:
> Hello pfSense experts,
>
> I found torrent ports like 6881-6889 etc. and created a firewall block rule, source LAN network, destination any with the torrent ports, but still users can download torrent data. I also created a traffic shaper layer 7 BitTorrent rule, still without any positive result.
>
> Please guide me on where I'm wrong or why my rules don't work...
>
> Thanks in advance.
> Mohan Rao
Re: [pfSense] Multi-Wan Setup, High Availability and Traffic Segmentation
VLANs? VLAN is L2, not L3. I have no idea what you are trying to do with VLANs in the mix. Policy routing is easy and probably what you need.

-lsf

On Fri, 13 Nov 2015 23:29, David White wrote:
> I have a unique scenario:
>
> The higher ups require a multi-WAN high availability setup, but assuming both ISPs are working, some traffic is required to use 1 ISP and some traffic is required to use the other.
>
> I've read in some pfSense docs on how I can set up a high availability, multi-WAN setup, but those docs say nothing about segmenting the traffic.
>
> My idea is to set up 2 VLANs, and route 1 VLAN out of 1 gateway and 1 VLAN out the other, but configure them so that if 1 ISP or the other ISP goes down, both VLANs will go out whichever ISP is working.
>
> Is this possible?
>
> --
> David White
> Founder & CEO
>
> *Develop CENTS*
> Computing, Equipping, Networking, Training & Supporting Organizations Worldwide
> http://developcents.com
Re: [pfSense] Hostname resolution of OpenVPN-connected clients
Based on your need I think you should convert to L2TP.
https://doc.pfsense.org/index.php/L2TP/IPsec

-lsf

On Sat, 14 Nov 2015 03:22, Vick Khera wrote:
> On Thu, Nov 12, 2015 at 5:20 AM, Marco wrote:
>>> Setting up BIND 9 to manage a dynamic zone is not very difficult.
>>
>> Do I need an additional BIND instance besides the unbound that's already running on the pfSense box?
>
> unbound != bind. I do not know anything about setting up dynamic zones in unbound. I know how to do it in bind9.
Re: [pfSense] Hostname resolution of OpenVPN-connected clients
I think you have to set up a RADIUS server and assign IPs based on the user. That way they will be "static", and then add DNS entries for that static IP.

My 2 cents,
-lsf

On Wed, 11 Nov 2015 15:47, Marco wrote:
> Hello,
>
> we have used pfSense for quite a while with success and are very happy overall.
>
> Recently we set up OpenVPN and are facing a DNS issue. Hosts in the LAN can be addressed using the hostname (thanks to "Register DHCP leases in the DNS Resolver"), which is working perfectly fine. Hosts on the OpenVPN network can also resolve hosts in the LAN. However, from the LAN the OpenVPN-connected hosts cannot be reached (only via IP address, not via hostname). Research shows¹ that VPN-connected clients don't register their hostnames in the DNS, which is unfortunate and would probably solve the issue we face. The answer seems to be¹:
>
>> Would have to statically assign them via client overrides and manually add to DNS forwarder for them to resolve.
>
> This would work for static hosts that are always on the VPN, but this wouldn't work for mobile hosts (e.g. employees' laptops) which have a different IP address depending on whether they are connected to the LAN or connected via OpenVPN.
>
> How to access the mobile hosts via the same hostname regardless of whether they are connected to the LAN or VPN?
>
> Marco
>
> ¹ http://serverfault.com/a/361103/102215
Re: [pfSense] IPSec tunnel and routing on a CentOS 7 machine
The proper way to find out where it all goes wrong is tcpdump on the 192.x.x.x network interface on both ends. Start at the pfSense and see if the packets go through the tunnel as they should. Then check the return packet back.

You need to tell your 192.x.x.x interface not to use your default gw. The CentOS manual shows exactly how to do this with multiple interfaces.

-lsf

On Mon, 4 Jan 2016 23:36, Decker, Ryan C. <rdec...@siena.edu> wrote:
> What do your iptables rules look like? I know you said you temporarily stopped firewalld, but it's worth a look anyway.
>
> Run:
>
> iptables -nvL
> iptables -t nat -nvL
>
> then just for good measure:
>
> sysctl net.ipv4.ip_forward
>
> When it comes to firewalld I almost never run it on anything important. You can install a systemd unit file for iptables by installing iptables-services.
>
> Then after running:
> systemctl stop firewalld; systemctl disable firewalld; systemctl enable iptables; systemctl start iptables
>
> you can manage rules the old fashioned way by either editing /etc/sysconfig/iptables or by running iptables directly and using iptables-save > /etc/sysconfig/iptables.
>
> Ryan
>
> On Mon, Jan 4, 2016 at 3:42 PM, Espen Johansen <pfse...@gmail.com> wrote:
>> Try to add:
>> ip route add 192.168.1.0/24 via 192.168.1.1
>> and
>> ip route add 192.168.2.0/24 via 192.168.1.1
>>
>> -lsf
>>
>> On Mon, 4 Jan 2016 21:08, Sébastien La Madeleine <slamadele...@toolsoft.ca> wrote:
>>> Hi Robert,
>>>
>>> I just tried the following advice and it did not improve my situation.
>>>
>>> Unless there is more to it than just changing those parameters...
>>>
>>> Thanks,
>>>
>>> Sébastien La Madeleine
>>> B.Sc., M.Sc. Informatique
>>> TooLSoft.ca
>>> 514-827-8665
>>>
>>> On 2016-01-04 2:43 PM, Robert wrote:
>>>> You need to enable IP forwarding in the kernel on CentOS to filter or use both interfaces.
>>>> http://centoshowtos.org/network-and-security/ip_forward/
>>>>
>>>> Robert
>>>>
>>>>> On Jan 4, 2016, at 12:59 PM, Sébastien La Madeleine <slamadele...@toolsoft.ca> wrote:
>>>>>
>>>>> Hello, I've searched high and low to elucidate this one but so far nothing has cued me in the right direction, so I'm turning to the network experts herein.
>>>>>
>>>>> Let me give you a little bit of context and expose my problem. Feel free to ask if more details are needed.
>>>>>
>>>>> I have 2 pfSense firewalls in 2 separate locations.
>>>>>
>>>>> Both access the internet directly. An IPSec tunnel has been created so that the services of both locations are accessible on both sides.
>>>>>
>>>>> I have multiple servers on both sides, both Windows and Linux.
>>>>>
>>>>> Some servers have a single NIC, others have 2 NICs, one in the LAN and one on the WAN for direct service access purposes.
>>>>>
>>>>> Both ends are in separate subnets.
>>>>>
>>>>> Site A:
>>>>> 192.168.1.0/24
>>>>> pfSense 192.168.1.1
>>>>>
>>>>> Site B:
>>>>> 192.168.2.0/24
>>>>> pfSense 192.168.2.1
>>>>>
>>>>> The tunnel is up and running. Since both sites are for the same project, both firewalls have a "pass all IPv4" in the IPSec rules.
>>>>>
>>>>> 192.168.1.2 (Windows server with single NIC) can ping 192.168.2.2 (Windows server with single NIC) and vice-versa.
>>>>> 192.168.1.3 (Windows server with 2 NICs) required a new route (route add -net 192.168.2.0/24 gw 192.168.1.1) to be able to ping 192.168.2.2 and the ping works both ways.
>>>>>
>>>>> Here comes my problem.
>>>>> 192.168.1.4 is a CentOS 7 machine. It has 2 NICs, one on the LAN (192.168.1.4) and one on the WAN. The default gateway for this machine is obviously on the WAN side.
>>>>>
>>>>> Try as much as I can, I never managed to add a route that would allow
Re: [pfSense] Bug? Firewall disable no random connection drop, firewall enable random connection drop
Firewall disabled = no state = asymmetric routing will not get return packets dropped. Are your servers multihomed?

On Wed, Feb 10, 2016, 22:48 Romain Lapoux wrote:
> I don't agree, because how do you explain that all works correctly when I disable only the firewall feature in pfSense?
>
> Romain
>
> -----Original Message-----
> From: Chris Buechler [mailto:c...@pfsense.com]
> Sent: Wednesday, February 10, 2016 21:50
> To: romain.lap...@octopoos.com; pfSense Support and Discussion Mailing List
> Subject: Re: [pfSense] Bug? Firewall disable no random connection drop, firewall enable random connection drop
>
> On Sun, Feb 7, 2016 at 12:24 PM, Romain Lapoux wrote:
>> My last test in conservative optimization: if I upload files with 4 parallel connections, it drops each in less than 10 seconds.
>> (And doesn't free them on the backend server; they stay ESTABLISHED in netstat.)
>
> More than likely because one or more of the hosts involved are dual homed and you have asymmetric routing.
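The IPsec/CentOS thread above and this one fail in the same place: a dual-homed host sends its half of a conversation over a path on which the firewall never saw the connection start. The block below is an added example, not code from either thread or from pfSense. Its first half applies longest-prefix match to a constructed copy of the CentOS host's routing table (eth0/eth1, the 203.0.113.0/24 WAN side and its gateway are assumptions) with and without the `192.168.2.0/24 via 192.168.1.1` route suggested in that thread. Its second half is a simplified model of pf's default state handling (a state is created only by a SYN without ACK, packets matching a state in either direction pass, anything else is dropped) run over a symmetric and an asymmetric TCP exchange with filtering on and off; it does not model pf's sequence-window tracking or interface-bound states.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# ---- 1. Which interface does a reply leave on? (longest prefix match) ----
# Constructed routing table of the dual-homed CentOS host: eth0 faces the WAN and
# holds the default route, eth1 is 192.168.1.4 on the LAN behind pfSense.
Route = tuple  # (prefix, gateway or None for on-link, iface)
CENTOS_ROUTES: list[Route] = [
    ("0.0.0.0/0", "203.0.113.1", "eth0"),
    ("203.0.113.0/24", None, "eth0"),
    ("192.168.1.0/24", None, "eth1"),
]
# The route suggested in the thread: send the remote site's subnet to pfSense on the LAN leg.
FIXED_ROUTES: list[Route] = CENTOS_ROUTES + [("192.168.2.0/24", "192.168.1.1", "eth1")]


def select_route(routes: list[Route], dst: str) -> tuple[str | None, str]:
    """Return (gateway, iface) for dst, preferring the most specific prefix,
    which is the rule the Linux FIB applies inside one routing table."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]


# ---- 2. What a stateful filter does with a flow it did not see start ----
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str = "A"   # TCP flags as a string: "S", "SA", "A", "PA"


class StatefulFilter:
    """Simplified model of pf with the default 'flags S/SA' rule behaviour.
    filtering=False stands for pfSense's 'Disable all packet filtering'."""

    def __init__(self, filtering: bool = True):
        self.filtering = filtering
        self.states: set[tuple[str, str, int, int]] = set()

    def process(self, pkt: Packet) -> str:
        if not self.filtering:
            return "pass"                       # no state table at all, everything is forwarded
        key = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        reverse = (pkt.dst, pkt.src, pkt.dport, pkt.sport)
        if key in self.states or reverse in self.states:
            return "pass"                       # known flow, either direction
        if pkt.flags == "S":
            self.states.add(key)                # first packet of a flow creates the state
            return "pass"
        return "drop"                           # mid-stream packet of a flow never seen begin


def run_flow(filtering: bool, symmetric: bool) -> list[str]:
    """Client 10.0.0.5 talks to a dual-homed server 192.168.1.10 (constructed hosts).
    symmetric=True: all packets cross the firewall. symmetric=False: the client's
    packets reach the server over its second NIC and only the server's replies
    cross the firewall, the asymmetric case from the thread."""
    fw = StatefulFilter(filtering)
    syn = Packet("10.0.0.5", "192.168.1.10", 40000, 443, "S")
    synack = Packet("192.168.1.10", "10.0.0.5", 443, 40000, "SA")
    client_data = Packet("10.0.0.5", "192.168.1.10", 40000, 443, "PA")
    server_data = Packet("192.168.1.10", "10.0.0.5", 443, 40000, "PA")
    if symmetric:
        return [fw.process(p) for p in (syn, synack, client_data)]
    return [fw.process(p) for p in (synack, server_data)]


if __name__ == "__main__":
    print("reply to 192.168.2.2 without the route:", select_route(CENTOS_ROUTES, "192.168.2.2"))
    print("reply to 192.168.2.2 with the route:   ", select_route(FIXED_ROUTES, "192.168.2.2"))
    for filtering in (True, False):
        for symmetric in (True, False):
            print(f"filtering={filtering} symmetric={symmetric}:", run_flow(filtering, symmetric))
```

The two halves explain the two symptoms: without the specific route the CentOS reply is handed to the WAN gateway and never enters the tunnel, and with filtering on, a flow whose SYN bypassed pfSense has no state, so its packets are dropped exactly until the moment the filter is disabled. The fix in both threads is to make the path symmetric (route the remote subnet via the LAN leg, or give the dual-homed servers one path), not to turn the state table off.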
Re: [pfSense] WLAN reboot loop
Do not bridge and do not use the same subnet. If you want LAN and WLAN to talk, add rules for the subnets to talk to each other.

On Wed, Feb 24, 2016, 19:12 Sean Pohl wrote:
> The problem is an endless boot-loop on my pfSense installation after I made one change to the WLAN interface.
>
> I have an older x86 32 bit machine with three NICs:
> 1. On-board Ethernet
> 2. Ethernet card
> 3. WLAN 802.11g
>
> I was able to configure the WAN & LAN interfaces just fine. When I enabled the WLAN interface and set about configuring and saving the WLAN interface, things went well until I set the WLAN as DHCP. When I did and saved it, the monitor directly attached to the pfSense box filled completely with random characters and then it would reboot. During the boot, it would come to "configuring WLAN" and then the screen would fill with random characters and reboot again.
>
> I read about creating a bridge between a WLAN interface and a LAN interface. I was able to do that successfully and was able to connect to the WLAN on the box but it never assigned me an IP address. So, it wasn't until I changed the WLAN interface setting to DHCP that it would get into this loop.
>
> Should I just set that WLAN interface to be static and then give it a fixed address in the same subnet as the LAN that I am trying to bridge to, or something else?
>
> Any suggestions are greatly appreciated.
>
> Thanks.
Re: [pfSense] WLAN reboot loop
Remove the WLAN card. Then remove the config. It sounds like you might have an IRQ or other resource allocation problem. But without any more details it's hard to say.

On Wed, Feb 24, 2016, 19:51 Sean Pohl <tuxthemagicpeng...@gmail.com> wrote:
> Ok. Thank you very much. Any advice on how to get it out of the endless boot loop? Or will my path of least resistance be to simply do a fresh install again? Many thanks.
>
> On Feb 24, 2016 12:26, "Espen Johansen" <pfse...@gmail.com> wrote:
>> Do not bridge and do not use the same subnet. If you want LAN and WLAN to talk, add rules for the subnets to talk to each other.
>>
>> On Wed, Feb 24, 2016, 19:12 Sean Pohl <tuxthemagicpeng...@gmail.com> wrote:
>>> The problem is an endless boot-loop on my pfSense installation after I made one change to the WLAN interface. [...]
Re: [pfSense] WLAN reboot loop
Reboots usually happen when an IRQ is shared and/or memory.

On Wed, Feb 24, 2016, 20:17 Espen Johansen <pfse...@gmail.com> wrote:
> You might try to put the WLAN card in another slot on the motherboard. Also use the BIOS to disable stuff like the sound card, unused USB ports, LPT, COM ports etc.
>
> On Wed, Feb 24, 2016, 20:15 Espen Johansen <pfse...@gmail.com> wrote:
>> Remove the WLAN card. Then remove the config. It sounds like you might have an IRQ or other resource allocation problem. But without any more details it's hard to say.
>>
>> On Wed, Feb 24, 2016, 19:51 Sean Pohl <tuxthemagicpeng...@gmail.com> wrote:
>>> Ok. Thank you very much. Any advice on how to get it out of the endless boot loop? Or will my path of least resistance be to simply do a fresh install again? Many thanks. [...]
Re: [pfSense] WLAN reboot loop
You might try to put the WLAN card in another slot on the motherboard. Also use the BIOS to disable stuff like the sound card, unused USB ports, LPT, COM ports etc.

On Wed, Feb 24, 2016, 20:15 Espen Johansen <pfse...@gmail.com> wrote:
> Remove the WLAN card. Then remove the config. It sounds like you might have an IRQ or other resource allocation problem. But without any more details it's hard to say.
>
> On Wed, Feb 24, 2016, 19:51 Sean Pohl <tuxthemagicpeng...@gmail.com> wrote:
>> Ok. Thank you very much. Any advice on how to get it out of the endless boot loop? Or will my path of least resistance be to simply do a fresh install again? Many thanks. [...]
Re: [pfSense] Intel Atom C2758 (Rangeley/Avoton) install/boot failure with pfSense 2.3.2
What do you mean by 12Mpps or 80% of 10GE? 12Mpps at 150 packet length is 13.4Gbps. At 1200 (good inet avg.) you should hit 107Gbps. Where does the 80% of 10GE come from?

On Thu, Jan 26, 2017, 07:04 Jim Thompson <j...@netgate.com> wrote:
> It does not.
>
> The C2758 SoC is interesting. 8 cores, and the on-die i354 is essentially a block with 4 i350s on it. These have 8 queues for each of rx and tx, so 16 each, for a total of 64 queues.
>
> On the C2xxx series (and other) boxes we ship, we increase certain tunables, because we know what we're installing onto, and can adjust that factory load. pfSense CE does not have that luxury; it has to run on nearly anything the community finds to run it on. Some of these systems have ... constrained RAM. While we test each release on every model we ship, such testing takes place only for a handful of other configurations.
>
> There is a decent explanation of some of the tunables here: https://wiki.freebsd.org/NetworkPerformanceTuning
>
> Incidentally, FreeBSD, and thus pfSense, can't take much advantage of those multiqueue NICs, because the forwarding path doesn't have the architecture to take advantage of them. Our DPDK-based system can forward L3 frames at over 12Mpps on this hardware (about 80% of line-rate on a 10g interface). Neither pfSense nor FreeBSD (nor Linux) will do 1/10th of this rate.
>
> Jim
>
> On Thursday, January 26, 2017, Espen Johansen <pfse...@gmail.com> wrote:
>> It should autotune by default based on memory IIRC.
>>
>> On Wed, Jan 25, 2017, 23:27 Peder Rovelstad <provels...@comcast.net> wrote:
>>> FWIW - My nano (4 NICs, 1GB, Community), PuTTY says:
>>>
>>> kern.ipc.nmbufs: 131925
>>> kern.ipc.nmbclusters: 20612
>>>
>>> but nothing explicitly set on the tunables page, just whatever's built in.
>>>
>>> -----Original Message-----
>>> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Karl Fife
>>> Sent: Wednesday, January 25, 2017 4:02 PM
>>> To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
>>> Subject: Re: [pfSense] Intel Atom C2758 (Rangeley/Avoton) install/boot failure with pfSense 2.3.2
>>>
>>> This is a good theory, because RRD data from 2.2.6 suggests that the difference in utilization between the versions is slight, and that we had 'barely' exhausted our system default allocation.
>>>
>>> Is there a difference between nano and full with respect to the installer explicitly setting tunables for kern.ipc.nmbclusters and kern.ipc.nmbuf? Vick Khera says he sees explicitly set tunables on his 2.3.2 system, yet my virgin installation of Nano pfSense 2.3.2 has no explicit declarations?
>>>
>>> Vick, is your Supermicro A1SRi-2758F running an installation that came from Netgate, or is it a community edition installation? If the latter, Full or Nano?
>>>
>>> On 1/25/2017 3:49 PM, Jim Pingle wrote:
>>>> On 01/25/2017 01:10 PM, Karl Fife wrote:
>>>>> The piece that's still missing for me is that there must have been some change in default system setting for FreeBSD, or some other change between versions, because the system booted fine with pfSense v 2.2.6
>>>>
>>>> Aside from what has already been suggested by others, it's possible that the newer drivers from FreeBSD 10.3 in pfSense 2.3.x enabled features on the NIC chipset that consumed more mbufs. For example, it might be using more queues per NIC by default than it did previously.
>>>>
>>>> Jim
Re: [pfSense] Intel Atom C2758 (Rangeley/Avoton) install/boot failure with pfSense 2.3.2
Are you saying worst case is 80%? It's not normal to have all minimum size packets unless you are under DDoS.
Default ethernet is 1526 (1530 with VLAN) with an MTU of 1500 on a layer 1 frame.
A layer 2 frame is 1518 (1522 with VLAN).
If you want to include all layer headers then 1542 including VLAN is the correct number and that will allow a 1500 octet payload.

On Thu, Jan 26, 2017, 18:20 Jim Thompson <j...@netgate.com> wrote:
> On Jan 26, 2017, at 5:06 PM, rai...@ultra-secure.de wrote:
> > On 2017-01-26 07:03, Jim Thompson wrote:
> > > It does not.
> > > [...]
> > > Incidentally, FreeBSD, and thus pfSense, can't take much advantage of those multiqueue NICs, because the forwarding path doesn't have the architecture to advantage them. Our DPDK-based system can forward l3 frames at over 12Mpps on this hardware (about 80% of line-rate on a 10g interface).
> > > Neither pfSense or FreeBSD (nor Linux) will do 1/10th of this rate.
> >
> > Hi, is this DPDK-based system commercially available?
> >
> > Rainer
>
> Still being developed.
>
> Jim
Re: [pfSense] Intel Atom C2758 (Rangeley/Avoton) install/boot failure with pfSense 2.3.2
It should autotune by default based on memory iirc.

On Wed, Jan 25, 2017, 23:27 Peder Rovelstad wrote:
> FWiW - My nano (4 NICs, 1GB, Community), PuTTY says:
>
> kern.ipc.nmbufs: 131925
> kern.ipc.nmbclusters: 20612
>
> but nothing explicitly set on the tunables page, just whatever's built in.
>
> -----Original Message-----
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Karl Fife
> Sent: Wednesday, January 25, 2017 4:02 PM
> To: pfSense Support and Discussion Mailing List
> Subject: Re: [pfSense] Intel Atom C2758 (Rangeley/Avoton) install/boot failure with pfSense 2.3.2
>
> This is a good theory, because RRD data from 2.2.6 suggests that the difference in utilization between the versions is slight, and that we had 'barely' exhausted our system default allocation.
>
> Is there a difference between nano and full with respect to the installer explicitly setting tunables for kern.ipc.nmbclusters and kern.ipc.nmbuf? Vick Khera says he sees explicitly set tunables on his 2.3.2 system, yet my virgin installation of Nano pfSense 2.3.2 has no explicit declarations?
>
> Vick, is your Supermicro A1SRi-2758F running an installation that came from Netgate, or is it a community edition installation? If the latter, Full or Nano?
>
> On 1/25/2017 3:49 PM, Jim Pingle wrote:
> > On 01/25/2017 01:10 PM, Karl Fife wrote:
> > > The piece that's still missing for me is that there must have been some change in default system setting for FreeBSD, or some other change between versions, because the system booted fine with pfSense v 2.2.6
> >
> > Aside from what has already been suggested by others, it's possible that the newer drivers from FreeBSD 10.3 in pfSense 2.3.x enabled features on the NIC chipset that consumed more mbufs. For example, it might be using more queues per NIC by default than it did previously.
> >
> > Jim
Re: [pfSense] Intel Atom C2758 (Rangeley/Avoton) install/boot failure with pfSense 2.3.2
1200 was my average packet size when analyzed in the Dataguard core network (an SMB ISP here in .no). I'm sure others can find different averages. My point is just that if you have normal traffic patterns, even at 600 you should have no problem pushing 10GE. An MTU of 600 should give you about 53 gigabit/s if you are able to push 1200 pps with that payload. Your statement of 80% is just confusing, that is all.

On Fri, Jan 27, 2017, 04:02 Jim Thompson <j...@netgate.com> wrote:
> On Thursday, January 26, 2017, Espen Johansen <pfse...@gmail.com> wrote:
> > Are you saying worst case is 80%? It's not normal to have all minimum size packets unless you are under DDoS.
> > Default ethernet is 1526 (1530 with VLAN) with an MTU of 1500 on a layer 1 frame.
> > A layer 2 frame is 1518 (1522 with VLAN).
> > If you want to include all layer headers then 1542 including VLAN is the correct number and that will allow a 1500 octet payload.
>
> Yes, I know, but adding a vlan tag means the small frame size isn't "smallest". I was just throwing that in for comparison.
>
> Point is, on a 10g network, the maximum frame rate is 14.88 mpps. This is the highest rate required by the network under any circumstance. It's also how you have to think about the problem if you're not going to engage in making excuses.
>
> If you still don't like it, consider that:
>
> - 40g Ethernet cards exist today, so being able to forward 256 byte packets at 40gbps will require the same 14.88 mpps rate,
> - nx25 is the future in the data center, vswitches and vrouters are a thing, and pfSense should be able to play in this market
> - 10g is starting to appear on lower-end hardware.
> - 10g switches are starting to hit $100/port
>
> And also that netgate has product coming in 2017 that folds multiple integrated switch ports into a single 2.5gbps or multiple 10gbps Ethernet uplink ports.
>
> Remember, we're doing this in software. No ASICs required. That 12mpps figure on an 8 core Rangeley includes 50 ACLs in the path.
>
> BTW, average frame size on the Internet is just under 600 bytes. Not 1200 as you guessed.
>
> Jim
>
> > On Thu, Jan 26, 2017, 18:20 Jim Thompson <j...@netgate.com> wrote:
> > > [...]
> > > Still being developed.
> > >
> > > Jim
Re: [pfSense] Intel Atom C2758 (Rangeley/Avoton) install/boot failure with pfSense 2.3.2
I wrote MTU since you used it. What I am talking about are packet sizes. If the people building the internet knew what they were doing then an MTU of 1500 (L2) or more would be mandatory. But because of old ATM stuff this isn't true for all of the internet. When I say our average packet size was 1200 that has nothing to do with MTU. We had a network with a minimum MTU of 1546 and a minimum pps capability of 40Mpps.

What I'm saying is that your statement is confusing. You seem to suggest that the platform can do a maximum of 80% of a 10GE interface. Reality is that it will do a MINIMUM of 80% of a 10GE. And to top it all, you cannot calculate pps to speed since a specification of 12Mpps does not tell you if a device can handle it with any payload. Most of the time a pps to speed conversion will be an approximation. A Cisco FWSM has a pps spec suggesting it can do full backplane speed. Reality is that with a 1400-1500 octet payload it is capable of 5.5 Gbit/s on a 6500/7600 platform. And pfSense has the same issues. If you set up a Spirent TestCenter with proper tests you will see that 12Mpps is best case.

And please do not assume that I do not understand MTU. I know exactly how MTU, PMTUD and friends work. MTU is different depending on what layer you operate on. A Cisco switch with a system MTU of 1500 will transfer a packet of 1522+1 VLAN. A system MTU of 1504 will allow a packet of 1526+1 VLAN = 1530 (Q-in-Q).

On Fri, Jan 27, 2017, 13:22 Jim Thompson <j...@netgate.com> wrote:
> > My point is just that if you have normal traffic patterns, even at 600 you should have no problem pushing 10GE. An MTU of 600 should give you about 53 gigabit/s if you are able to push 1200 pps with that payload.
>
> An "MTU of 600" wouldn't allow IPv6 to pass over a link. IPv6 requires that every link in the internet have an MTU of 1280 octets or greater. See RFC 2460, section 5.
>
> MTU is *maximum transmission unit*, which is decidedly different than minimum packet size, which is probably what you intended.
>
> > Your statement of 80% is just confusing, that is all.
>
> Your misunderstanding of the issues here is, unfortunately, quite common. Nearly all of the work in packet processing is per-packet, rather than per bit. The exceptions include VPN, where the encryption overheads dominate, and DPI, where the payload must be inspected, rather than merely passed along.
>
> Jim
>
> On Fri, Jan 27, 2017 at 5:59 AM, Espen Johansen <pfse...@gmail.com> wrote:
> > [...]
> >
> > On Fri, Jan 27, 2017, 04:02 Jim Thompson <j...@netgate.com> wrote:
> > > [...]
> > >
> > > Jim
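The per-packet arithmetic behind the 12 Mpps, 14.88 Mpps and "80% of line rate" figures argued over in the messages above, as an added worked example that is not part of the thread and not Netgate's or pfSense's code: a POSIX shell script that computes the line-rate frame rate for a link speed and frame size (each frame costs its own bytes plus the 8-byte preamble/SFD and 12-byte inter-frame gap on the wire, which is where the 14.88 Mpps ceiling for 64-byte frames on 10 Gbit/s comes from), and the reverse conversion from a packet rate and frame size back to bits per second. The link speed, the 150-byte and 64-byte frame sizes and the table of sizes are parameters chosen here for illustration.

```sh
#!/bin/sh
# Added example, not from the thread: Ethernet line-rate arithmetic in
# POSIX integer shell math. Each frame occupies its own bytes plus the
# 8-byte preamble/SFD and 12-byte inter-frame gap on the wire; the link
# speeds and frame sizes used below are parameters chosen for illustration.

PREAMBLE_BYTES=8
IFG_BYTES=12

# wire_bits <frame_bytes> -> bits one frame occupies on the wire
wire_bits() {
    echo $(( ($1 + PREAMBLE_BYTES + IFG_BYTES) * 8 ))
}

# max_pps <link_bps> <frame_bytes> -> frames per second at line rate
max_pps() {
    echo $(( $1 / $(wire_bits "$2") ))
}

# pct_of_line_rate <pps> <link_bps> <frame_bytes> -> integer percent of the
# line-rate frame rate that <pps> represents at this frame size
pct_of_line_rate() {
    echo $(( $1 * 100 / $(max_pps "$2" "$3") ))
}

# frame_mbps <pps> <frame_bytes> -> Mbit/s of frame bytes carried at that
# rate (preamble/IFG excluded, so this is what interface counters show)
frame_mbps() {
    echo $(( $1 * $2 * 8 / 1000000 ))
}

# line_rate_table <link_bps> <frame sizes...> : one row per frame size
line_rate_table() {
    link=$1; shift
    printf '%-12s %-14s %s\n' "frame bytes" "max pps" "Mbit/s of frames"
    for size in "$@"; do
        pps=$(max_pps "$link" "$size")
        printf '%-12s %-14s %s\n' "$size" "$pps" "$(frame_mbps "$pps" "$size")"
    done
}

# Stand-alone run: 10 Gbit/s link, a spread of frame sizes.
line_rate_table 10000000000 64 128 256 512 600 1024 1518
echo "12 Mpps of 64-byte frames is $(pct_of_line_rate 12000000 10000000000 64)% of 10 Gbit/s line rate"
echo "12 Mpps of 1518-byte frames would be $(frame_mbps 12000000 1518) Mbit/s of frames,"
echo "so at that size a 10 Gbit/s link, not the forwarding engine, is the limit"
```

The table shows both ends of the disagreement from the same formula: at 64 bytes the 10 Gbit/s ceiling is 14,880,952 frames per second, so 12 Mpps is 80% of it, while at a 600-byte average only about 2.0 Mpps is needed to fill the link. Packet rate is the fixed cost in the forwarding path; frame size decides how much bandwidth a given packet rate buys.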
Re: [pfSense] Intel Atom C2758 (Rangeley/Avoton) install/boot failure with pfSense 2.3.2
Karl Fife, take a look at a config backup. I assume you at some point set them manually?

On Wed, Jan 25, 2017, 21:42 Peder Rovelstad wrote:
> There were changes in the defaults from FreeBSD 9 to 10.
>
> https://pleiades.ucsc.edu/hyades/FreeBSD_Network_Tuning
>
> Could that be it? Old config overwriting new defaults?
>
> -----Original Message-----
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Karl Fife
> Sent: Wednesday, January 25, 2017 12:11 PM
> To: ESF - Electric Sheep Fencing pfSense Support
> Subject: [pfSense] Intel Atom C2758 (Rangeley/Avoton) install/boot failure with pfSense 2.3.2
>
> pfsense 2.2.6 was running without issue on our Supermicro A1SRi-2758F rangeley board (Intel Atom C2758)
>
> When we upgraded to 2.3.2, the new system failed to boot due to having insufficient RAM allocated to network memory buffers. We had to interrupt the boot process, increase the value of kern.ipc.nmbclusters (as per below), then complete the boot process long enough to set system tuneables (below) to allow subsequent startup.
>
> From what I've read online, the basic issue is that the combination of high CPU count, high NIC count, and the igb driver create a (historically) atypical demand for network buffer RAM. That is consistent with our fix.
>
> The piece that's still missing for me is that there must have been some change in default system setting for FreeBSD, or some other change between versions, because the system booted fine with pfSense v 2.2.6 without the need for any advanced system tuneables. Unless there's something specific/quirky with our setup, it would seem sensible to me that for subsequent releases, there should be system defaults suitable for modern boards with resources like those found on boards like Rangeley. I observe that many others have had this same issue, so I doubt that this is a case of our migrated settings preempting modern suitable defaults.
>
> Any thoughts?
>
> kern.ipc.nmbclusters    Increased to 8x observed MBUF usage. Default is too low for CVP Rangeley board, causing boot failure. 295600
> kern.ipc.nmbufs         Increased to 2x default value, ~2.2x observed usage (netstat -m). Default is too low for CVP Rangeley board, causing lockups.
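An added example, not from the thread and not pfSense's own code, for the "how do I tell whether I am about to run out of mbuf clusters" question that runs through this thread: a POSIX shell script that reads `netstat -m` output, pulls out the mbuf and mbuf-cluster counters, compares cluster usage with the current kern.ipc.nmbclusters limit, and sizes a new value with the 8x-observed-usage rule of thumb Karl Fife used above. The `netstat -m` text embedded in it is a constructed sample (the 20612 limit is the nano default Peder quoted earlier; the usage figures are made up to show a nearly exhausted pool), and the 25% headroom threshold is a choice made here, not a FreeBSD or pfSense default.

```sh
#!/bin/sh
# Added example, not from the thread and not pfSense code: size
# kern.ipc.nmbclusters from what `netstat -m` reports. The sample text
# below is constructed (limit 20612 is the nano default quoted in the
# thread; the usage numbers are made up to show a nearly exhausted pool).

# Constructed `netstat -m` excerpt in FreeBSD's format.
SAMPLE_NETSTAT_M='21250/1050/22300 mbufs in use (current/cache/total)
19980/600/20580/20612 mbuf clusters in use (current/cache/total/max)
0/0/0/0 4k (page size) jumbo clusters in use (current/cache/total/max)
0/0/0/0 9k jumbo clusters in use (current/cache/total/max)
0/0/0/0 16k jumbo clusters in use (current/cache/total/max)'

# field <netstat text> <line pattern> <n> -> n-th slash-separated value of
# the first field on the first line matching <line pattern>
field() {
    printf '%s\n' "$1" | awk -v pat="$2" -v n="$3" \
        '$0 ~ pat { split($1, f, "/"); print f[n]; exit }'
}

clusters_total() { field "$1" "mbuf clusters in use" 3; }   # current + cache
clusters_max()   { field "$1" "mbuf clusters in use" 4; }   # kern.ipc.nmbclusters
mbufs_total()    { field "$1" "mbufs in use" 3; }

# headroom_pct <used> <max> -> percent of the limit still free (integer)
headroom_pct() {
    echo $(( ($2 - $1) * 100 / $2 ))
}

# recommend_nmbclusters <observed_total> [factor=8] -> new limit, using the
# "8x observed usage" rule of thumb from the thread
recommend_nmbclusters() {
    echo $(( $1 * ${2:-8} ))
}

# loader_conf_line <nmbclusters> -> the line for /boot/loader.conf.local
loader_conf_line() {
    printf 'kern.ipc.nmbclusters="%s"\n' "$1"
}

# report <netstat text> : print the assessment; returns 1 when headroom
# is below 25% (threshold chosen here), so it can gate a monitoring alert
report() {
    used=$(clusters_total "$1")
    limit=$(clusters_max "$1")
    free=$(headroom_pct "$used" "$limit")
    echo "mbuf clusters: $used in use of $limit (${free}% headroom), mbufs: $(mbufs_total "$1")"
    if [ "$free" -lt 25 ]; then
        echo "pool nearly exhausted; suggested: $(loader_conf_line "$(recommend_nmbclusters "$used")")"
        return 1
    fi
    echo "headroom OK"
}

# Stand-alone run on the constructed sample. On a FreeBSD/pfSense box:
#   report "$(netstat -m)"
report "$SAMPLE_NETSTAT_M" || true
```

On a live box the value goes into /boot/loader.conf.local or the System > Advanced > System Tunables page; when the box no longer boots at all, as in Karl's case, the same tunable can be set once at the loader prompt (`set kern.ipc.nmbclusters=295600`, then `boot`) to get far enough in to make it permanent. An exhausted cluster pool is not only a performance problem: once the NIC queues cannot get buffers the box drops traffic or wedges, which is a self-inflicted denial of service, so the headroom check is worth running before and after any upgrade that ships new NIC drivers.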
Re: [pfSense] Bridging to wireless interface issues (ping not working) on 2.3.2
Did you add a rule to allow ICMP on the wlan?

-lsf

On Thu, Sep 8, 2016, 15:58 Moshe Katz wrote:
> Ray,
>
> Can you clarify which IP range is assigned where?
> We can make an educated guess based on the information you provided, but it's always better to have confirmation.
>
> Moshe
>
> --
> Moshe Katz
> -- mo...@ymkatz.net
> -- +1(301)867-3732
>
> On Thu, Sep 8, 2016 at 6:06 AM, Ray wrote:
> > Hi,
> >
> > I'm running a few ALIX 2D13s with pfsense 2.3.2.
> >
> > All of them have a bridge configured which incorporates two of the Ethernet interfaces and a Wireless interface (some Atheros card).
> >
> > Apart from that there is an OpenVPN client on each box to connect satellite sites.
> >
> > There is something weird with the bridge which I would like to understand:
> >
> > When I connect my laptop to one of the Ethernet ports, I get a correct IP from the DHCP server on pfsense and can immediately ping all the other machines at other sites. The ping echo enters through the Ethernet interface into the bridge, from there it's forwarded into the tunnel. The echo reply comes back through the tunnel and from there via the bridge/Ethernet interface to my laptop, all sweet and as expected:
> >
> > Here's a tcpdump (while connected via Ethernet) of three consecutive pings (separated by empty lines) on the ovpnc1 interface:
> >
> > # tcpdump -n -i ovpnc1 icmp and host 192.168.10.236
> > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> > listening on ovpnc1, link-type NULL (BSD loopback), capture size 65535 bytes
> > 09:49:56.816755 IP 192.168.9.20 > 192.168.10.236: ICMP echo request, id 16470, seq 6, length 64
> > 09:49:56.917771 IP 192.168.10.236 > 192.168.9.20: ICMP echo reply, id 16470, seq 6, length 64
> >
> > 09:50:01.817050 IP 192.168.9.20 > 192.168.10.236: ICMP echo request, id 16470, seq 7, length 64
> > 09:50:01.949133 IP 192.168.10.236 > 192.168.9.20: ICMP echo reply, id 16470, seq 7, length 64
> >
> > 09:50:06.817352 IP 192.168.9.20 > 192.168.10.236: ICMP echo request, id 16470, seq 8, length 64
> > 09:50:06.951798 IP 192.168.10.236 > 192.168.9.20: ICMP echo reply, id 16470, seq 8, length 64
> >
> > ... works just as nicely on the bridge0 interface:
> >
> > # tcpdump -n -i bridge0 icmp and host 192.168.10.236
> > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> > listening on bridge0, link-type EN10MB (Ethernet), capture size 65535 bytes
> > 09:51:11.820663 IP 192.168.9.20 > 192.168.10.236: ICMP echo request, id 16470, seq 21, length 64
> > 09:51:11.909411 IP 192.168.10.236 > 192.168.9.20: ICMP echo reply, id 16470, seq 21, length 64
> >
> > 09:51:16.820863 IP 192.168.9.20 > 192.168.10.236: ICMP echo request, id 16470, seq 22, length 64
> > 09:51:16.918607 IP 192.168.10.236 > 192.168.9.20: ICMP echo reply, id 16470, seq 22, length 64
> >
> > 09:51:21.821359 IP 192.168.9.20 > 192.168.10.236: ICMP echo request, id 16470, seq 23, length 64
> > 09:51:21.915379 IP 192.168.10.236 > 192.168.9.20: ICMP echo reply, id 16470, seq 23, length 64
> >
> > When I change the laptop's connection from Ethernet to Wireless, however, the same pings no longer work:
> >
> > ovpnc1 interface:
> >
> > # tcpdump -n -i ovpnc1 icmp and host 192.168.10.236
> > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> > listening on ovpnc1, link-type NULL (BSD loopback), capture size 65535 bytes
> > 09:54:58.725486 IP 192.168.9.25 > 192.168.10.236: ICMP echo request, id 20822, seq 14, length 64
> > 09:54:58.865643 IP 192.168.10.236 > 192.168.9.25: ICMP echo reply, id 20822, seq 14, length 64
> > 09:54:58.865735 IP 10.0.9.2 > 192.168.10.236: ICMP host 192.168.9.25 unreachable, length 36
> >
> > 09:55:03.726189 IP 192.168.9.25 > 192.168.10.236: ICMP echo request, id 20822, seq 15, length 64
> > 09:55:03.816001 IP 192.168.10.236 > 192.168.9.25: ICMP echo reply, id 20822, seq 15, length 64
> > 09:55:03.816097 IP 10.0.9.2 > 192.168.10.236: ICMP host 192.168.9.25 unreachable, length 36
> >
> > 09:55:08.726661 IP 192.168.9.25 > 192.168.10.236: ICMP echo request, id 20822, seq 16, length 64
> > 09:55:08.819202 IP 192.168.10.236 > 192.168.9.25: ICMP echo reply, id 20822, seq 16, length 64
> > 09:55:08.819296 IP 10.0.9.2 > 192.168.10.236: ICMP host 192.168.9.25 unreachable, length 36
> >
> > bridge0 interface:
> >
> > # tcpdump -n -i bridge0 icmp and host 192.168.10.236
> > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> > listening on bridge0, link-type EN10MB (Ethernet), capture size 65535 bytes
> > 09:53:53.716169 IP 192.168.9.25 > 192.168.10.236: ICMP echo request, id 20822, seq 1, length 64
> >
> > 09:53:58.716987 IP 192.168.9.25 > 192.168.10.236: ICMP echo request, id 20822, seq 2, length 64
> >
> > 09:54:03.717813 IP 192.168.9.25 >
Re: [pfSense] 3 hard locks this week... any ideas?
Compdoc: Your SpinRite comments just show how dangerous some knowledge is without proper understanding. SpinRite does indeed force SSDs to "fix" themselves because it reads extensively (causes heat) and forces "half" working areas to be marked bad. Most SSDs have minor defects from day one. Just like most spinning drives have bad sectors marked when they arrive from the factory. You can force the same result by reading all parts of an SSD drive extensively. SpinRite does not per definition fix an SSD drive, but it does make the firmware (software) in the drive detect read errors that might not be relocated during normal operation. I have forced SSDs to fix themselves since I got my first SSD more than 10 years ago. Often with the help of SpinRite.

-lsf

On Thu, Sep 8, 2016, 22:29 Todd Russell wrote:
> Final update on this issue. When I took it down, I pulled the drive and started a Level 2 SpinRite on it while I took out and reseated the RAM then ran memtest. I found no errors in either test, so I also took out the Intel 4 port gigabit card and reseated that, then put everything back together. It has been running for a week straight now with no hiccups of any kind, so either the SpinRite forced the drive to correct some read errors or removing and reseating the RAM got around some dust or oxidation on the contacts. It wouldn't be the first time reseating the RAM cleared otherwise unexplainable issues with a machine for me, so I will assume that was the case. I wish I'd had time to run the memtest before and after reseating the RAM but... AIN'T NOBODY GOT TIME FOR THAT!
>
> Thanks to all for the feedback last week.
>
> Peace,
> Todd Russell
> Director of IT and Webmaster
> Saint Joseph Abbey and Seminary College
> 985-867-2266
> 985-789-4319
>
> Please consider helping Saint Joseph Abbey and Seminary College recover from the devastating flood waters that overtook our campus on March 11, 2016.
> http://helptheabbey.com
> ---
> http://saintjosephabbey.com
> For IT Requests, please submit a ticket at:
> https://docs.google.com/forms/d/1e3PCRvnEVNU5-rVFolf9zivA9-m41Nj07eDjjCtFwpI/viewform?usp=send_form#start=invite
>
> On Thu, Sep 1, 2016 at 8:33 PM, compdoc wrote:
> > > I'd suggest that before you slag programs, you not rely on old, outdated, biased information.
> >
> > Spinrite 6 is a twelve-year-old program that seemed cool back in the day, but I would never recommend it to anyone now.
> >
> > Repairing computers for a living, I'm always on the lookout for useful tools. I don't find Spinrite useful.
> >
> > I once watched spinrite work on a failing HDD for a day and a half, and it did nothing more than place additional wear on the drive. Does that make me biased?
> >
> > Speaking of outdated... In 2013 Steve Gibson said he would finally update it, but nothing so far?
> >
> > Here's an interesting quote:
> >
> > Gibson said that he could "see absolutely no possible benefit to running SpinRite on a solid-state drive" and later "SpinRite is all about mechanics and magnetics, neither of which exist, by design, in an SSD"
> >
> > And for your information, SMART records events. Some of those events will happen under load, since that's the nature of mechanical drives.
> >
> > However, a bad sector is a bad sector and load or no, that does not change. Once they start to fail you replace the HDD, not try to repair it.
> >
> > Modern drives automatically reallocate sectors, meaning bad sectors are replaced with spares. Not even spinrite can recover lost data from these spare sectors that have never been used before.
> >
> > As for me, these days I install only SSDs in desktop systems that run 24/7, and also use them as boot drives for servers. Over the years I have had only one SSD fail, and it did show pending sectors in SMART.
Re: [pfSense] 2 networks Cards, but OPT1 not acess internet.
And you need to add a NAT rule for the OPT1 network as well. Either that or turn off NAT on pfSense and add routes on your router to all networks behind your pfSense.

-lsf

On Fri, Sep 23, 2016, 21:48 Moshe Katz wrote:
> You need to add a firewall rule on the OPT1 interface to allow outgoing traffic. The easiest way is to copy the outgoing rule from LAN to OPT1.
>
> If you do not want hosts on LAN and OPT1 to access each other, you will also need to add "DENY" rules to LAN and OPT1 that are above the default outgoing traffic rule on each interface.
>
> Moshe
>
> --
> Moshe Katz
> -- mo...@ymkatz.net
> -- +1(301)867-3732
>
> On Fri, Sep 23, 2016 at 2:03 PM, Rodrigo Cunha wrote:
> > Hi list, I have a problem.
> > I made 2 networks with 2 different private IP ranges; I have three different ethernet cards.
> > pfSense generated 3 names for these cards:
> > 1º WAN
> > 2º LAN
> > 3º OPT
> > On WAN, I set up this card with IP 192.168.0.2/24 and my gateway IP 192.168.0.1.
> > On my LAN I set up this card with IP 192.168.1.1/24
> > On my OPT1 I set up this card with IP 192.168.2.1/24
> > The problem:
> > My network card OPT1 does not access the internet, but the LAN card by default is the gateway for the network 192.168.1.0/24; OPT1 is not a gateway with internet access.
> > I think this is not an error, I think this is the default configuration.
> > Another detail: I do not have routing between 192.168.1.1/24 and 192.168.2.1/24; I only have internet access for these two networks. I just want hosts to access their respective networks.
> >
> > --
> > Regards,
> > Rodrigo da Silva Cunha
Re: [pfSense] pfSense 2.3.2-p1 RELEASE Now Available
They usually do. And with kernel updates you have to.

On Mon, Oct 10, 2016, 19:20 Morten Christensen wrote:
> You should consider stating clearly in such announcements whether the upgrade includes a reboot of the box.
>
> On 06-10-2016 21:29, Jim Thompson wrote:
> > Details are here: https://blog.pfsense.org/?p=2122
>
> --
> Morten Christensen
Re: [pfSense] Lightning strike
Map interfaces based on MAC and give them a name. Then address the interfaces based on that name. When it comes to reorganization of interfaces the answer is: don't do it. Let the user remap interfaces manually only. If the user wants to drop their DMZ to get WAN back online then it should be a manual process. In order to accomplish this you need an interface database and a simple interface setup process with a foreach loop. This code was done in 2007 but it was never committed. ifconfig allows naming of interfaces. So once they are named and MAC->name binding is done, then the binding is remembered "forever" in a config file. If a new interface is added and not found in the MAC->name "DB" it is just placed in an unassigned state until the user assigns it manually.

-lsf

On Fri, Oct 14, 2016, 18:00 Vick Khera wrote:
> On Thu, Oct 13, 2016 at 6:25 PM, Walter Parker wrote:
> > Problem is that all of the current OSes do this sort of renumbering (I'd have to check, but I think it could be a hardware/driver issue). IIRC Linux systems have had this sort of problem in even greater measure than the BSDs. The plug and play nature of USB has caused issues for most systems
>
> Current versions of CentOS/RedHat hard-wire ethernet names. You have to go dig in and find some file that has the mappings and delete them if you do something like replace a motherboard with embedded NICs, otherwise it makes all new ethernet device names for you. The mapping is based on MAC address.
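An added example, not pfSense's code and not the 2007 patch mentioned in the message above: a POSIX shell script implementing the MAC -> name binding that message describes. The binding table is a constructed sample with made-up MAC addresses and the names wan/lan/dmz; the rename step uses FreeBSD's `ifconfig <if> name <newname>` and only runs when APPLY=1 is set, so the lookup logic can be exercised anywhere. An interface whose MAC is not in the table is reported as unassigned and left alone rather than guessed at, which is the "never reorganize automatically" rule from the message.

```sh
#!/bin/sh
# Added example, not pfSense code and not the 2007 patch mentioned above:
# bind interfaces to stable names by MAC address. The table is a
# constructed sample with made-up MACs; renaming uses FreeBSD's
# `ifconfig <if> name <newname>` and only happens when APPLY=1 is set,
# so the lookup logic runs safely anywhere (default is a dry run).

# Binding "database": "<mac> <stable name>" per line (constructed sample).
IFACE_DB='00:0d:b9:41:aa:01 wan
00:0d:b9:41:aa:02 lan
00:0d:b9:41:aa:03 dmz'

# name_for_mac <mac> [db] -> stable name, or "unassigned" when the MAC is
# unknown; unknown interfaces are never auto-assigned (the rule above)
name_for_mac() {
    _mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    _name=$(printf '%s\n' "${2:-$IFACE_DB}" \
        | awk -v m="$_mac" '$1 == m { print $2; exit }')
    printf '%s\n' "${_name:-unassigned}"
}

# add_binding <mac> <name> [db] -> db text with the new line appended;
# fails (and leaves the db unchanged) if that MAC is already bound, since
# a binding is meant to be remembered "forever"
add_binding() {
    _db=${3:-$IFACE_DB}
    if [ "$(name_for_mac "$1" "$_db")" != unassigned ]; then
        printf '%s\n' "$_db"
        return 1
    fi
    printf '%s\n%s %s\n' "$_db" "$(printf '%s' "$1" | tr 'A-F' 'a-f')" "$2"
}

# mac_of <ifname> -> link-layer address from `ifconfig`, empty if unknown
mac_of() {
    command -v ifconfig >/dev/null 2>&1 || return 0
    ifconfig "$1" 2>/dev/null | awk '$1 == "ether" { print $2; exit }'
}

# bind_interfaces [db] : rename every kernel interface whose MAC is bound;
# report and leave alone the ones that are not (FreeBSD `ifconfig -l`)
bind_interfaces() {
    _list=$(ifconfig -l 2>/dev/null) || _list=""
    for _if in $_list; do
        _m=$(mac_of "$_if")
        [ -n "$_m" ] || continue
        _target=$(name_for_mac "$_m" "${1:-$IFACE_DB}")
        if [ "$_target" = unassigned ]; then
            echo "$_if ($_m): not in DB, left unassigned"
        elif [ "$_target" != "$_if" ]; then
            echo "$_if ($_m) -> $_target"
            if [ "$APPLY" = 1 ]; then
                ifconfig "$_if" name "$_target"
            fi
        fi
    done
}

# Stand-alone run: dry run against whatever interfaces the kernel lists.
bind_interfaces
```

Do not run this with APPLY=1 on a live pfSense box: pfSense's config.xml assigns interfaces by their driver names (igb0, em1, ...), so renaming underneath it would break its own mapping. The point of the example is the lookup-and-leave-unassigned logic; a real implementation would persist `add_binding`'s output to the config file so the binding survives reboots and hardware swaps.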
Re: [pfSense] massive CARP Failover
Are you sure you disabled IGMP completely?

On Wed, Jun 7, 2017, 16:44 Mark Wiater wrote:
> On 6/7/2017 10:10 AM, Daniel wrote:
> > Hi,
> >
> > the Sync interface is connected directly without a Switch.
> > But Carp is running WAN/LAB for example.
>
> Let's go back to your original email, this behavior can be duplicated with different software, it's not a pfSense issue. Is that right? Both Sophos UTM and something on Linux both exhibit something similar?
>
> CARP sends broadcast traffic to 224.0.0.18. The device that you configured as the primary will send a packet every second by default, for each carp ip address, on the relevant interface.
>
> If the secondary does not receive these packets, it starts sending its own, with a higher priority and assumes ownership of the CARP addresses.
>
> When the primary device is again available, it starts sending higher priority CARP packets. The secondary receives those, stops sending its CARP packets and reverts to a backup role, because it knows that the primary is back up and functional.
>
> All that said, if your devices keep flipping back and forth, I'd guess that you don't see these carp packets at the backup device.
>
> tcpdump -ni wan|lan CARP
>
> on the backup device will tell a lot.
>
> Any chance you've got the wan and lan of the primary firewall going to the opposite switches as the secondary?
Re: [pfSense] massive CARP Failover
If you want more help with this then you need to provide a network diagram and some details. Are your switches linked? If not then that is your problem. Did you disable MAC spoofing on your switches? What make and model are your switches? Did you do any LACP bonding between switches? Since your issue happens with both pfSense and other software, your issue is either your setup itself, your switches or your understanding of how a CARP setup must be made.

Rgds,
LSF

On Thu, Jun 8, 2017, 11:19 Daniel <dan...@linux-nerd.de> wrote:
>
> https://www.dropbox.com/s/pq953p0wbsfseu7/Screenshot%202017-06-08%2011.19.07.png?dl=0
>
> Yes I am sure ;)
>
> --
> Regards
>
> Daniel
>
> On 08.06.17, 01:12, "List on behalf of Espen Johansen" <list-boun...@lists.pfsense.org on behalf of pfse...@gmail.com> wrote:
>
> Are you sure you disabled IGMP completely?
>
> On Wed, Jun 7, 2017, 16:44 Mark Wiater <mark.wia...@greybeam.com> wrote:
> >
> > On 6/7/2017 10:10 AM, Daniel wrote:
> > > Hi,
> > >
> > > the Sync interface is connected directly without a Switch.
> > > But Carp is running WAN/LAB for example.
> >
> > Let's go back to your original email, this behavior can be duplicated with different software, it's not a pfSense issue. Is that right? Both Sophos UTM and something on Linux exhibit something similar?
> >
> > CARP sends broadcast traffic to 224.0.0.18. The device that you configured as the primary will send a packet every second by default, for each CARP IP address, on the relevant interface.
> >
> > If the secondary does not receive these packets, it starts sending its own, with a higher priority and assumes ownership of the CARP addresses.
> >
> > When the primary device is again available, it starts sending higher priority CARP packets. The secondary receives those, stops sending its CARP packets and reverts to a backup role, because it knows that the primary is back up and functional.
> >
> > All that said, if your devices keep flipping back and forth, I'd guess that you don't see these carp packets at the backup device.
> >
> > tcpdump -ni wan|lan CARP
> >
> > on the backup device will tell a lot.
> >
> > Any chance you've got the wan and lan of the primary firewall going to the opposite switches as the secondary?
Re: [pfSense] massive CARP Failover
I assume you did a pfsync (HA) interface on each firewall? If so did you connect this directly without going through the switch? A direct connection is preferred for the sync interface. Also make sure that if you do direct connection then use a 6ft cable first to connect them. Some interfaces have issues if the cable is too short.

Ivo Tonev: When you build redundant firewalls you also want redundant switches. This is the normal approach.

On Wed, Jun 7, 2017, 15:52 Ivo Tonev wrote:
> Can you send network diagram? Why 2 switches? How they are connected?
>
> There are any feature like Cisco's arp inspection?
>
> On 7 Jun 2017 10:45, "Daniel" wrote:
>
> > Both are Physical.
> >
> > --
> > Regards
> >
> > Daniel
> >
> > On 07.06.17, 14:34, "List on behalf of Ivo Tonev" <list-boun...@lists.pfsense.org on behalf of i...@tonev.pro.br> wrote:
> >
> > Firewalls are virtual or physical servers?
> >
> > On Wed, Jun 7, 2017 at 9:12 AM, Daniel wrote:
> >
> > > Hi,
> > >
> > > Firewall on the Switch is the latest installed.
> > > The Switch is just simply installed. No VLANS actually, just IGMP disabled.
> > > Carp has for sure 3 IPs. 2 Dedicated for each Server and one CARP (Virtual Failover per Subnet)
> > >
> > > --
> > > Regards
> > >
> > > Daniel
> > >
> > > On 06.06.17, 00:04, "List on behalf of Ugo Bellavance" <list-boun...@lists.pfsense.org on behalf of u...@lubik.ca> wrote:
> > >
> > > On 2017-06-02 08:13 AM, Daniel wrote:
> > > > Hi there,
> > > >
> > > > I run 2 pfSense Firewalls. I tried to use CARP but it will turn over every 1-2-3 hours.
> > > > Sometimes it is so fast the pf1 is master and pf2 has the routes. In this case I need to reboot both Servers.
> > > >
> > > > After I tried a lot I don't find any solutions. I took a different brand (Sophos UTM) and here is the same behavior.
> > > > So I think this could be a network problem.
> > > >
> > > > Is there any important things which must be enabled or disabled in the Switch?
> > > > Or does the Switch need some special configuration?
> > > >
> > > > When I use Linux with Bonding it also switches the NICs very often.
> > > >
> > > > We use 2 Switches from Netgear JGS524Ev2
> > > >
> > > > Maybe someone has some experience with it?
> > >
> > > Can you give us more information? You do have 3 IP addresses per interface? How is your switch configured? Any tagged vLANs involved? Is the switch's firmware up to date?
> >
> > --
> > Ivo R. Tonev
> > +55 61 98409-2642
> > i...@tonev.com.br