Re: [pfSense] Vlan Trunk

2012-05-02 Thread Espen Johansen
What exactly is your question here?
I don't see any issue implementing this.

-lsf

On Wed, May 2, 2012 at 7:08 PM, steel max steelmax11...@gmail.com wrote:

 Dear All,

 I am trying to implement a wireless network in my corporate environment
 using authentication by the Domain Controller (Windows AD & Radius on the same
 server) as well as the pfSense Captive Portal!
 Thanks to you guys for the help, I have done that in my testing zone!

 ABOUT My Corporate Network:
 Our corporate network is pretty complicated to me. Its back-end is
 powered by a Linux DHCP, Squid Proxy, Cisco Firewall & Layer 3 Switch (Core
 Switch) which has 19 Vlans and all Vlans are trunked and distributed over
 the network using manageable Dlink switches. Vlans are 5 to 95 and the Vlan
 I intend to use is Vlan10 which is configured in the Layer 3 Switch as
 a 'Guest Vlan'.
 Vlan5 is for Data Center, which gives IP range: 192.168.1.xxx & Vlan10
 (GuestVlan) IP is 192.168.2.xxx! And so on according to VlanID!
 Our network is more like a Campus Area Network. We have 5 separate
 buildings in the city connected by Fiber Optic Cable provided by a 3rd party.
 So Vlan10 will be distributed across the network like other Vlans
 through trunk ports!


 About implementation:

 I want the output from pfSense to give:

 1. pfSense should have WAN on Vlan5 as all the servers in the Datacenter are
 in that IP range
 2. WAN from Core Switch Vlan10 (WAN from Vlan5 & 10 may be dual WAN or
 something?)
 3. LAN only Vlan10
 4. LAN output Vlan tagging and trunking enabled to distribute across
 the network
 5. pfSense should be able to talk to Windows AD & Radius Server
 6. Any user connected to Vlan10 should pass through captive portal &
 radius Server



 So the above noted 6 points are what I intend to achieve! So please guys
 help me on this :). Hope I have given enough info!

 ___
 List mailing list
 List@lists.pfsense.org
 http://lists.pfsense.org/mailman/listinfo/list




Re: [pfSense] Vlan Trunk

2012-05-02 Thread Espen Johansen
With one exception, it seems you want to use the same vlan as both lan and
wan (Vlan 10)???



Re: [pfSense] pfSense routing and TCP sequence numbers

2013-09-14 Thread Espen Johansen
After reading this again I'm thinking you might be confused by IP ID vs
sequence numbers?

IP header and TCP header are different things.

see here for IP header : http://en.wikipedia.org/wiki/IPv4

or this might be of help:
http://networkstatic.net/what-are-ethernet-ip-and-tcp-headers-in-wireshark-captures/




On Sat, Sep 14, 2013 at 1:12 PM, Espen Johansen pfse...@gmail.com wrote:

 Try tcpdump + wireshark. Then read this:
 http://packetlife.net/blog/2010/jun/7/understanding-tcp-sequence-acknowledgment-numbers/

 pfSense should not change sequence numbers unless you tell it to do so.

 for packet breakdown read : http://www.daemon.org/tcp.html

 Google is your friend ;-)


 On Fri, Sep 13, 2013 at 4:15 PM, Martin Fuchs mar...@fuchs-kiel.de wrote:

 Hi !

 We use pfSense 2.0.1 and have a local LAN, a WAN and remote offices
 connected by managed VPN connections (pfSense does not need to establish
 VPN to the remote offices).

 LAN - pfSense - remote office

 In the LAN we have a HiPath Communications system and in the remote
 offices one remote system each.

 pfSense only routes between these locations. There is no filtering (in
 the floating rules everything is allowed between LAN and remote offices).

 Firewall scrub, clear DF and random id generation are disabled.

 Does pfSense in this configuration change the TCP sequence numbers of the
 connections between the communication systems?

 And is there any simple way how I can check this?

 Regards,

 martin

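Espen's suggestion above is to capture the same connection on both sides of pfSense and compare headers. The following is an added example, not code from the thread: it parses the IPv4 and TCP headers of two constructed captures of one segment (one taken on the LAN side, one on the interface facing the remote office) and reports which header the router touched, so that a changed IP ID (IP header) is not mistaken for a changed sequence number (TCP header). All addresses, ports and header values are constructed; real captures would come from tcpdump -w on each pfSense interface.

```python
"""Compare one TCP segment captured on two sides of a router and report which
header fields changed.  Added example for the thread; every packet below is
constructed with build_ipv4_tcp(), not taken from a real capture."""
import struct
from typing import Dict, Tuple


def build_ipv4_tcp(src: str, dst: str, ip_id: int, ttl: int, df: bool,
                   sport: int, dport: int, seq: int, ack: int) -> bytes:
    """Build a minimal IPv4+TCP packet (no options; checksums left at zero,
    which is fine because only header fields are parsed)."""
    flags_frag = 0x4000 if df else 0           # 0x4000 = Don't Fragment bit
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 40, ip_id, flags_frag, ttl, 6, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          sport, dport, seq, ack, 5 << 4, 0x10, 65535, 0, 0)
    return ip_hdr + tcp_hdr


def parse_ipv4_tcp(pkt: bytes) -> Dict[str, object]:
    """Return the IP-header and TCP-header fields relevant to the question."""
    if pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4                  # IP header length in bytes
    _, _, _, ip_id, flags_frag, ttl, proto, _ = struct.unpack("!BBHHHBBH", pkt[:12])
    if proto != 6:
        raise ValueError("not a TCP segment")
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    sport, dport, seq, ack = struct.unpack("!HHII", pkt[ihl:ihl + 12])
    return {"src": src, "dst": dst, "ip_id": ip_id, "df": bool(flags_frag & 0x4000),
            "ttl": ttl, "sport": sport, "dport": dport, "seq": seq, "ack": ack}


# A plain router decrements TTL; every other field should pass through unchanged.
EXPECTED_TO_CHANGE = {"ttl"}


def compare_captures(lan_pkt: bytes, wan_pkt: bytes) -> Dict[str, Tuple[object, object]]:
    """Return {field: (lan_value, wan_value)} for every field that differs, TTL aside."""
    a, b = parse_ipv4_tcp(lan_pkt), parse_ipv4_tcp(wan_pkt)
    return {k: (a[k], b[k]) for k in a if a[k] != b[k] and k not in EXPECTED_TO_CHANGE}


def classify(diff: Dict[str, Tuple[object, object]]) -> str:
    """Name the header(s) the router modified, so IP ID and TCP seq are not confused."""
    touched = []
    if diff.keys() & {"ip_id", "df"}:
        touched.append("IP header")
    if diff.keys() & {"seq", "ack"}:
        touched.append("TCP header")
    if diff.keys() & {"src", "dst", "sport", "dport"}:
        touched.append("addresses/ports (NAT)")
    return ", ".join(touched) if touched else "nothing beyond TTL"


# Constructed samples: one segment from a LAN host to a remote-office system,
# as seen on the LAN interface and on the interface facing the remote office.
LAN_SIDE = build_ipv4_tcp("192.168.10.20", "10.20.0.5", 0x1A2B, 64, True, 5060, 5060, 1000, 5000)
# Case 1: plain routing with scrub, clear-DF and random-id all off: only TTL drops.
WAN_PLAIN = build_ipv4_tcp("192.168.10.20", "10.20.0.5", 0x1A2B, 63, True, 5060, 5060, 1000, 5000)
# Case 2: IP ID randomisation on: the IP header's ID changes, TCP seq/ack do not.
WAN_RANDOM_ID = build_ipv4_tcp("192.168.10.20", "10.20.0.5", 0x7F10, 63, True, 5060, 5060, 1000, 5000)
# Case 3: the situation the thread asks about: the TCP sequence number was rewritten.
WAN_SEQ_REWRITTEN = build_ipv4_tcp("192.168.10.20", "10.20.0.5", 0x1A2B, 63, True, 5060, 5060, 987654, 5000)

if __name__ == "__main__":
    for name, wan in (("plain", WAN_PLAIN), ("random-id", WAN_RANDOM_ID),
                      ("seq-rewritten", WAN_SEQ_REWRITTEN)):
        diff = compare_captures(LAN_SIDE, wan)
        print(f"{name:14s} changed={diff} -> {classify(diff)}")
```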


Re: [pfSense] Hardware requirements for gigabit wirespead

2013-10-24 Thread Espen Johansen
What else is new with thinker as op.
On 25 Oct 2013 at 02:18, Jim Thompson j...@netgate.com wrote:

 The topic has wandered away from pfSense.

 -- Jim

  On Oct 24, 2013, at 18:48, Chris Bagnall pfse...@lists.minotaur.cc
 wrote:
 
  On 24/10/13 7:31 pm, Adam Thompson wrote:
  If I upgraded to a better-quality unit, or switched to licensed
  spectrum, I could probably eliminate the variability and increase speed
  simultaneously.
 
  Indeed, we have Ubiquiti kit running point to point links in the 5GHz
 unlicensed spectrum (band C) over around 18km which deliver ~65Mbps
 throughput. I think our distance record is just shy of 68km.
 
  Within the Ubiquity line, the AirFiber apparently would get me to
  ~99.99% reliability at ~600Mbps, or ~99.9% reliability at ~1Gbps. Still
  using unlicensed spectrum, using the built-in directional antennas.
 
  Do check the 24GHz spectrum rules carefully in your jurisdiction -
 certainly here in the UK the 24GHz unlicensed spectrum is limited, and only
 allows fairly low power without a licence.
 
  I do not have personal
  experience with Alvarion, but I can unreservedly recommend Dragonwave.
 
  I'd add Motorola Orthogon kit to that list, based on some offshore
 experience with it a few years ago.
 
  Kind regards,
 
  Chris
  --
  This email is made from 100% recycled electrons


Re: [pfSense] Restoring from XML prevents VM from booting

2014-02-05 Thread Espen Johansen
Might be that serial redirection makes it show nothing. Bad drives might
also cause files to be corrupted. Same goes for bad memory. Make sure both
are the same version.
On 5 Feb 2014 at 18:42, Brian Candler b.cand...@pobox.com wrote:

 This is a really strange behaviour, I wonder if anyone has seen anything
 similar.

 I've just been trying to replicate a production config in a VirtualBox VM
 (vbox 4.3.6, OSX 10.9.1).

 I can install pfsense fine, and manually set up a LAN IP address on
 vboxnet0 so that I can get into the web GUI and use Diagnostics >
 Backup/Restore to upload an existing XML config. But then the VM refuses to
 boot properly. It only gets as far as:

 F1  pfSense

 F6 PXE
 Boot:  F1
 |

 and then hangs at that point (vertical bar, not spinning). This is
 repeatable if I reinstall and re-restore the same XML config.

 I was able to work around the problem by reinstalling, using scp to copy
 /cf/conf/config.xml directly from another machine, and then rebooting. So it's
 not a show stopper, but it's most bizarre - how can a *config* upload
 prevent the kernel from booting??

 Any thoughts welcome :-)

 Regards,

 Brian.



Re: [pfSense] Gateway on a gateway...

2014-05-17 Thread Espen Johansen
Tell your provider to do what mOjO said. Or set it up yourself if you have
access to the provider routers. The third option is a VPN between the pfSense
boxes so you can override the routing.
On 17 May 2014 at 21:53, Klaus Wunder kl...@net-wunder.de wrote:

 Hello,

 you can use pfSense as a BGP
 router. There is a package you can install.

 Also you can ask your ISP about the use of the Dynamic Routing Protocol.

 Kind Regards

 Klaus

 On 17.05.2014 at 20:14, J. Echter j.ech...@echter-kuechen-elektro.de wrote:

 On 17.05.2014 08:25, faisal.gill...@akesp.org wrote:

  Thank you for replying MoJo ..
 So you recommend me replacing pfSense acting as a static routes router with
 real hardware routers? Or are you asking me to add dynamic routing
 functionality to pfSense?

  Thanks
 Faisal


  Sent from my HTC

 - Reply message -
 From: mOjO m...@thegeekclub.net
 To: pfSense Support and Discussion Mailing List list@lists.pfsense.org,
 dragonator dragona...@sleepydragon.net
 Subject: [pfSense] Gateway on a gateway...
 Date: Sat, May 17, 2014 10:07 AM

 On the pfSense firewall?  Nothing.
 You need to change your routers.
 Ideally, your MPLS routers are using BGP.  Then on the site 1 router under
 the BGP section you can tell it to advertise the 0.0.0.0 route by adding
 network 0.0.0.0 and make sure you have a static route on that router for
 0.0.0.0 to the firewall. Site 2 should then use the MPLS router as their
 default gateway instead of the firewall.  As an added bonus you can have
 site 2 failover to their local internet when the MPLS is down by adding a
 lower metric (255) default route that will kick in when the BGP advertised
 route disappears when the MPLS goes down.



 - Reply message -
 From: faisal.gill...@akesp.org
 To: dragonator dragona...@sleepydragon.net,
 list@lists.pfsense.org
 Subject: [pfSense] Gateway on a gateway...
 Date: Fri, May 16, 2014 11:27 PM

  When i try to do this .. Pfsense gives me error that firewall is not
 local to my subnet which is ..
 172.16.1.16 on subnet 255.255.248.0
 Branch router is on 172.16.11.0/24 which connects to firewall subnet via
 MPLS provider router i.e 10.152.8.117/30

  So what to do ?

  Regards

  Sent from my HTC

 - Reply message -
 From: dragonator dragona...@sleepydragon.net
 To: faisal.gill...@akesp.org,
 list@lists.pfsense.org
 Subject: [pfSense] Gateway on a gateway...
 Date: Sat, May 17, 2014 12:51 AM

 Change route on the site 2 gateway to route all traffic to that firewall.


  Sent via the Samsung Galaxy S™ III, an AT&T 4G LTE smartphone



  Original message 
 From: faisal.gill...@akesp.org
 Date: 05/15/2014 19:39 (GMT-05:00)
 To: pfSense Support and Discussion Mailing List list@lists.pfsense.org
 Subject: [pfSense] Gateway on a gateway...


   I have two networks connected together with an MPLS network; all the
 clients on both networks can access each other.
 Site 1( 172.16.0.0/21) has a packet filtering multi WAN firewall
 (172.16.1.16) on its local subnet which local clients connect to use
 internet.
 Site 2  (172.16.11.0/24) clients connects to local router (172.16.11.17)
 which routes all site 1 destined traffic to the site 1 router (172.16.0.17). All
 site 2 clients have the IP of the site 2 router, which is (172.16.11.17), as
 their default gateway.

 Now I want clients on site 2 to use my packet filtering firewall
 (172.16.1.16) for their internet needs, so how do I define this without
 breaking the existing communication?

 can anyone guide me in this ?

  Sent from my HTC


  anyone able to reply to the list?

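The design mOjO lays out above (site 1's MPLS router originates a default route into BGP, backed by a static default to the firewall; site 2 keeps a floating static default to its local internet that only wins once the BGP-learned route disappears) is modelled below as an added example, not code from the thread. It uses the page's subnets and firewall address; the site 2 MPLS next hop 10.152.8.117 and the local-internet gateway 203.0.113.1 are assumptions, and "preference" stands for the route preference value the thread calls a metric, lower winning.

```python
"""Longest-prefix-match routing table with route preference, used to walk through the
gateway-on-a-gateway design from the thread.  Added example; next hops 10.152.8.117
(site 2's MPLS side) and 203.0.113.1 (site 2's local internet) are assumed values."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    preference: int   # lower value wins among routes of equal prefix length
    source: str       # "connected", "static" or "bgp"


class RoutingTable:
    def __init__(self) -> None:
        self.routes: List[Route] = []

    def add(self, prefix: str, next_hop: str, preference: int, source: str) -> None:
        self.routes.append(Route(ipaddress.ip_network(prefix), next_hop, preference, source))

    def withdraw(self, source: str) -> None:
        """Drop every route learned from `source`, e.g. all BGP routes when the MPLS link dies."""
        self.routes = [r for r in self.routes if r.source != source]

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest prefix first, then the lowest preference value."""
        addr = ipaddress.ip_address(dst)
        candidates = [r for r in self.routes if addr in r.prefix]
        if not candidates:
            return None
        return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.preference))


def site1_router(with_static_default: bool) -> RoutingTable:
    """Site 1 MPLS router; 172.16.1.16 is the multi-WAN firewall from the thread."""
    rt = RoutingTable()
    rt.add("172.16.0.0/21", "direct", 0, "connected")
    if with_static_default:
        rt.add("0.0.0.0/0", "172.16.1.16", 1, "static")
    return rt


def can_advertise_default(rt: RoutingTable) -> bool:
    """A router only originates 'network 0.0.0.0' into BGP if it holds that route itself,
    which is why the static default to the firewall has to exist first."""
    return any(r.prefix.prefixlen == 0 for r in rt.routes)


def site2_router(site1: RoutingTable) -> RoutingTable:
    """Site 2 MPLS router: default learned over BGP from site 1 (when site 1 can
    advertise one) plus a floating static default (preference 255) to local internet."""
    rt = RoutingTable()
    rt.add("172.16.11.0/24", "direct", 0, "connected")
    rt.add("172.16.0.0/21", "10.152.8.117", 1, "static")      # site 1 over MPLS
    if can_advertise_default(site1):
        rt.add("0.0.0.0/0", "10.152.8.117", 20, "bgp")         # internet via site 1 firewall
    rt.add("0.0.0.0/0", "203.0.113.1", 255, "static")          # floating local-internet default
    return rt


def egress(rt: RoutingTable, dst: str) -> str:
    """Human-readable 'next hop (source)' for a destination, or 'unreachable'."""
    r = rt.lookup(dst)
    return "unreachable" if r is None else f"{r.next_hop} ({r.source})"


if __name__ == "__main__":
    s2 = site2_router(site1_router(with_static_default=True))
    print("MPLS up:   internet ->", egress(s2, "198.51.100.7"),
          "| site 1 host ->", egress(s2, "172.16.4.5"))
    s2.withdraw("bgp")   # MPLS down: the BGP session drops and the advertised default vanishes
    print("MPLS down: internet ->", egress(s2, "198.51.100.7"),
          "| site 1 host ->", egress(s2, "172.16.4.5"))
```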

Re: [pfSense] default gateway over MPLS VPN

2014-05-20 Thread Espen Johansen
You asked this already and it has been responded to.
Don't double post!
On 20 May 2014 at 17:54, Michael Schuh michael.sc...@gmail.com wrote:

 2014-05-20 11:31 GMT+02:00 Faisal Gillani faisal.gill...@akesp.org:

 Hello all

 I am using Pfsense with everything, Pfsense based multi homed firewall
 and pfSense based routers

 My firewall has three internet connections which clients see as one
 when accessing the internet

 My office recently purchased an MPLS VPN solution to connect one of our
 branches together with our main head office.

 MPLS VPN Settings

 Main site
 Ip  10.152.9.130
 Subnet  255.255.255.252
 Gateway 10.152.9.129

 branch site
 Ip  10.152.9.117
 Subnet  255.255.255.252
 Gateway 10.152.9.116


 I chose pfSense to do simple routing at both head office and branch
 office.

 The network configuration is as below.

 Main Site

 Subnet 172.16.0.0/21

 Pfsense based internet firewall ip  =
 172.16.1.17
 Pfsense based router (with all nat and packet filtering disabled)   =
 172.16.0.18

 •   The router is configured to static route to branch office subnet
 by using MPLS provider router address.
 •   The router routes all internet based requests to 172.16.1.17 as
 it is set as its default gateway.
 •   All same subnet users are setup to use 172.16.0.18 as their
 default gateway everything is working for them local resource access as
 well as internet.

 Branch Site

 Subnet 172.16.11.0/24

 Pfsense based router (with all nat and packet filtering disabled)   =
 172.16.11.18

 •   The router is configured to static route to branch office subnet
 by using MPLS provider router address.
 •   For internet I found this solution on internet to route all
 internet traffic to the firewall on the main office which is 172.16.1.17
 •   To achieve this I ran these commands as the web GUI wasn't
 accepting a non-local subnet address

 # route add -net 172.16.1.17 -iface em0
 # route add default 172.16.1.17

 Now computers in the branch office can access all the resources in the main
 office, however they can't access the internet.

 Anyone know what am I doing wrong ?



 Syed Faisal Gillani
  Please consider the environment before printing this e-mail



  Now computers in the branch office can access all the resources in the main
 office, however they can't access the internet.

 which seems logically correct to me.

 if I understood correctly how your setup is:
 in short:
 your default gateways are incorrect, therefore no internet access.

 point your default gateways to the main internet connection and NOT to the
 MPLS gateways.
 NAT enabled.

 to get the Net-to-Net (172.16.11.0/24 - 172.16.0.0/21) working:
 just create an IPSEC VPN tunnel from each pfSense box to the other one
 through the MPLS routing/switching, which (the MPLS) is not really
 necessary if you have static WAN addresses, but can help to have a stable
 VPN tunnel.
 i.e.
 IF-MPLS-Address Main Site connects to IF-MPLS-Address-Branch site, et vice
 versa.
 so an IPSEC VPN between those two endpoints should do it.
 the MPLS gateways do not know anything about any 172.16.0.0 net.
 not their job. :8~)

 i _think_ the wish is to have the clients communicating with each other
 like
 172.16.4.5 can talk freely to 172.16.11.45 et vice versa.

 so create each VPN-Side with the access to the certain internal network.
 no NAT necessary.

 further reading for understanding recommended:
 Richard W. Stevens TCP/IP and/or
 Addison Wesley: TCP/IP and ONC/NFS


 hth


 = = =  http://michael-schuh.net/  = = =
 Project Management - IT Consulting - Professional Services IT
 P.O. Box 10 21 52
 66021 Saarbrücken
 phone: 0681/8319664
 @: m i c h a e l . s c h u h @ g m a i l . c o m

 = = =  Ust-ID:  DE251072318  = = =




Re: [pfSense] Disk Space

2014-06-07 Thread Espen Johansen
1kb size should clue you in. This is however completely normal.
On 7 June 2014 at 12:45, Brian Caouette bri...@dlois.com wrote:

 Mounted Filesystems

 Partition     Percent Capacity   Free       Used        Size
 /dev/da0s1a   17%                4.38 GB    988.37 MB   5.81 GB
 /dev/md0      2%                 3.26 MB    62.00 KB    3.61 MB
 devfs         100%               0.00 KB    1.00 KB     1.00 KB
 devfs         100%               0.00 KB    1.00 KB     1.00 KB
 Totals:       17%                4.38 GB    988.43 MB   5.81 GB

 I'm guessing this isn't good. How do I fix it?

 Sent from my iPad


Re: [pfSense] Unbound vs stock

2014-07-11 Thread Espen Johansen
Add it to pfsense dns list. Remove it from dhcp etc. If it's used there.
On 12 July 2014 at 01:26, Brian Caouette bri...@dlois.com wrote:

 So the fix to make it work the same would be to add 127.0.0.1 to
 resolv.conf manually?

 Sent from my iPad

  On Jul 11, 2014, at 6:19 PM, Dave Warren da...@hireahit.com wrote:
 
  On 2014-07-11 10:04, Brian Caouette wrote:
  Why is it that unbound doesn't report the DNS name for lightsquid and if I
 return to stock it does? In both of them I have enabled register static
 mappings, yet unbound doesn't give the name to lightsquid in the reports
 where stock does.
 
  When you use dnsmasq, pfSense adds 127.0.0.1 to the top of resolv.conf,
 and therefore pfSense itself asks dnsmasq for local resolution and is able
 to resolve local hostnames.
 
  However, when you use unbound, dnsmasq is turned off, so pfSense itself
 is just using your configured DNS servers (or ISP DHCP provided ones,
 depending on configuration)
 
  Assuming unbound does full resolution and doesn't forward, you can work
 around this by listing 127.0.0.1 as your primary DNS resolver in pfSense.
 However, if you do that, you'll have to make sure that pfSense isn't
 handing out these DNS servers IPs to clients anywhere (DHCP server?
 OpenVPN?)
 
  And if you have unbound forwarding, obviously you can't include
 127.0.0.1 or unbound will forward to itself.
 
  Finally, pointing to 127.0.0.1 will partially break upgrades since
 pfSense will come up without packages, and therefore without a DNS server,
 then it will find itself unable to find pfsense.org to download packages.
 
  Ultimately the fix will be for pfSense to recognize unbound as a local
 DNS server and add it to resolv.conf by default, similar to dnsmasq.
 
  --
  Dave Warren
  http://www.hireahit.com/
  http://ca.linkedin.com/in/davejwarren
 
 

Re: [pfSense] Host Connectivity on a Specific Subnet

2014-07-12 Thread Espen Johansen
You might take a look in /cf/conf/config.xml. If it persists it should
originate from there. Just do a search for the IP.
On 12 July 2014 at 05:04, Stefan Maerz stefan.ma...@thecommunitypartnership.org wrote:

 Thank you for the response Espen. This was actually the approach I took
 (flushing arp and resetting switches). It is a moot point now -- I came to
 the conclusion that I was accidentally spoofing the gateway interface using
 my Windows 7 MAC address.

 Darwin award winner? I think so. I misinterpreted "Insert my local MAC
 address" in the Interface Edit screen. I thought it meant local to the
 interface I was editing. Not so! Lesson learned! My poor network was
 almost as confused as I was.

 However at this point I had not solved my original problem. I disabled my
 WAN interface just to see what would happen. This allowed me to ping my
 CentOS host. At that point it became clear to me that there was a routing
 issue -- taking down one interface causing another to start working seems
 like a pecking order issue to me. I had not checked the routing table
 before because the pfSense Wiki reads:

 You do not need to add routes for networks which are directly connected
 to any interface of the firewall, and doing so may cause problems. You only
 need to define static routes for networks which cannot be reached via the
 default gateway.

 I made the incorrect assumption that this statement implied that somehow
 no superfluous routes would be added, or if they existed they would
 automatically be removed. However for some reason it was configured to
 forward 10.144.1.8 to my WAN interface.

 A quick route del -host 10.144.1.8 and my network is 100% functional.

 However, still one problem remains. The route del command is not
 persistent when I reboot. How do I get rid of it? System > Routing > Routes
 indicates that no static routes are set up. Is there a routing
 configuration file somewhere?

 Best Regards,
 -Stefan

 On 7/11/2014 6:35 PM, Espen Johansen wrote:


 Please provide a network drawing.
 I suspect you have an arp leak or a switch that needs to be restarted to
 clear its arp cache. Restart the switch(es) with nothing connected and add
 the CentOS and pfSense only, and only after you have cleared both units' arp
 cache (arp -d). Then take it from there.

 HTH.

 - LSF

 On 11 July 2014 at 21:57, Stefan Maerz stefan.maerz@thecommunitypartnership.org wrote:

 On 7/11/2014 2:03 PM, Stefan Maerz wrote:

 On 7/10/2014 7:52 PM, Stefan Maerz wrote:


 Hi everyone,

 I have a problem I have been unable to solve all day
 (literally *all* day).

 My pfSense box has two LAN interfaces and a WAN interface.
 A CentOS 7.0 server is giving me grief on one of the
 Subnets when configured as static or dynamic.

 When I put the problematic CentOS box on the other subnet
 (and change corresponding host network configurations), it
 works. The CentOS box also works when I put it on my
 trustworthy Linksys WRT router (again, changing host
 network settings along the way). To me this smelled of a
 firewall problem, but there is nothing logged and I have
 both LAN interfaces set up to pass everything. Secondly I
 looked at DHCP for possible DHCP addressing conflicts, but
 the DHCP server is disabled on this subnet. TCPdump
 reveals that literally nothing is making it to the gateway
 interface, however at the same time the activity light on
 the interface blinks corresponding to my pings (there is
 no other traffic).

 Further confusing me is that I am able to get a static IP
 from other devices when I plug them into the problematic
 subnet. Basically this single device does not work on this
 single subnet and that is the only problem. Other devices
 are fine on this subnet and this device is fine on other
 subnets. ...?

 It is also worth noting that all the link lights are
 lighting up and the cables and switch have been tested to
 be working correctly. Nothing that I can see looks out of
 place in pfSense's logs.

 Here are my host configuration files, all generated by
 CentOS's nmtui utility. I tried my own manual
 configurations with the same results (not
 working): http://pastebin.com/HFYYTG09 (possible typos -- this is
 hand written, my apologies if that is the case)

 I am at a loss and have been at this all day. pfSense has
 so little to configure that I'm not really sure what I
 could have done wrong. I feel like it is something really
 simple

Re: [pfSense] Host Connectivity on a Specific Subnet

2014-07-12 Thread Espen Johansen
Only thing I can think of is that a package with a separate config file
installs it. Do you have quagga/openbgp or any other routing package
running/installed?
On 12 July 2014 at 23:58, Stefan Maerz stefan.ma...@thecommunitypartnership.org wrote:

  Thanks again Espen. I can't find anything in /cf/conf/config.xml related
 to this address *and* routing. The <staticroutes/> tag area is also empty
 like the web configuration indicates.

 more /cf/conf/config.xml | grep -n 10.144.1.8

 outputs:

 221:<dnsserver>10.144.1.8</dnsserver>
 385:<ip>10.144.1.8</ip>
 1055:  <dns1>10.144.1.8</dns1>
 1059:  <ntp1>10.144.1.8</ntp1>
 1061:  <wins1>10.144.1.8</wins1>

 Line 385 is related to a DNS forwarder.

 I could write an init script to kill the route, but it seems it comes back
 every 20 minutes or so. And since I have no way of knowing precisely when
 the route is re-enabled, I would need to run a cronjob every second or so.
 And even that is not a great solution -- I'd reinstall before that. I'd
 really prefer a more elegant solution if possible.

 Any other ideas? Am I searching for the wrong thing?

 Best Regards,
 -Stefan


Re: [pfSense] Host Connectivity on a Specific Subnet

2014-07-12 Thread Espen Johansen
Other packages?
OpenVPN?

Please list all your installed packages and I'll have a look.
Or remove them one by one until the automagic route add stops.

You can always try to grep /* for the IP in question. But it might be part
of a DB file for a pkg. It might not be plain text.
Can't help you remotely as I'm on vacation with flaky 3G mobile.



On Sun, Jul 13, 2014 at 12:37 AM, Stefan Maerz 
stefan.ma...@thecommunitypartnership.org wrote:

  No 3rd party routing installed.

 -Stefan


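To narrow down where a route like Stefan's comes from, here is an added example, not code from the thread: it parses netstat -rn output and a config.xml fragment (both constructed samples), flags gateway routes that no <staticroutes> entry accounts for, and lists every config element holding the same address, which is what the grep above produced. The <staticroutes><route><network> layout is assumed from pfSense's config format, and the <vpnserver> section is a placeholder for whatever part of the real file carried dns1/ntp1/wins1.

```python
"""Cross-check the kernel routing table against config.xml to find routes that no
static-route entry explains, and list the config elements carrying that address.
Added example for the thread; both inputs below are constructed samples."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

# Constructed `netstat -rn` output in the FreeBSD column layout of the era.
SAMPLE_NETSTAT = """\
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            203.0.113.1        UGS         0   120031    em0
10.20.0.0/16       203.0.113.1        UGS         0     4410    em0
10.144.1.0/24      link#3             U           0      890    em2
10.144.1.8         203.0.113.1        UGHS        0      789    em0
127.0.0.1          link#5             UH          0        0    lo0
192.168.1.0/24     link#2             U           0     4567    em1
"""

# Constructed config.xml fragment. <system><dnsserver> and <staticroutes><route>
# <network> follow pfSense's layout (assumed here); <vpnserver> is a placeholder
# section standing in for whichever part of the real file held dns1/ntp1/wins1.
SAMPLE_CONFIG = """\
<pfsense>
  <system>
    <hostname>fw</hostname>
    <dnsserver>10.144.1.8</dnsserver>
  </system>
  <vpnserver>
    <dns1>10.144.1.8</dns1>
    <ntp1>10.144.1.8</ntp1>
    <wins1>10.144.1.8</wins1>
  </vpnserver>
  <staticroutes>
    <route>
      <network>10.20.0.0/16</network>
      <gateway>WANGW</gateway>
    </route>
  </staticroutes>
</pfsense>
"""


def parse_netstat(text: str) -> List[Dict[str, str]]:
    """Return one dict per route line: destination, gateway, flags, interface."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] in ("Routing", "Internet:", "Destination"):
            continue
        dest, gw, flags = parts[:3]
        netif = parts[5] if len(parts) >= 6 else parts[3]   # Refs/Use columns may be absent
        routes.append({"dest": dest, "gw": gw, "flags": flags, "netif": netif})
    return routes


def configured_static_routes(xml_text: str) -> Set[str]:
    """Networks listed under <staticroutes><route><network> (layout assumed)."""
    root = ET.fromstring(xml_text)
    return {(r.findtext("network") or "").strip() for r in root.iter("route")}


def mentions_of(xml_text: str, ip: str) -> List[str]:
    """Element names whose text is exactly `ip`: the same information as grepping the file."""
    root = ET.fromstring(xml_text)
    return sorted({el.tag for el in root.iter() if (el.text or "").strip() == ip})


def unexplained_routes(netstat_text: str, xml_text: str) -> List[Dict[str, object]]:
    """Gateway routes (flag G) that are neither the default route nor a configured static route."""
    static = configured_static_routes(xml_text)
    found = []
    for r in parse_netstat(netstat_text):
        if r["dest"] == "default" or "G" not in r["flags"]:
            continue          # default gateway and directly connected routes are expected
        host_key = r["dest"] + "/32" if "/" not in r["dest"] else r["dest"]
        if r["dest"] in static or host_key in static:
            continue
        found.append({"dest": r["dest"], "gw": r["gw"], "netif": r["netif"],
                      "mentioned_in": mentions_of(xml_text, r["dest"])})
    return found


if __name__ == "__main__":
    for r in unexplained_routes(SAMPLE_NETSTAT, SAMPLE_CONFIG):
        print(f"{r['dest']} via {r['gw']} on {r['netif']} is not a configured static route;"
              f" config.xml mentions it in: {', '.join(r['mentioned_in'])}")
```

On a real box, feed the functions the output of netstat -rn and the contents of /cf/conf/config.xml; a hit in an element such as dnsserver is where to start looking, not a diagnosis by itself.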

Re: [pfSense] ZFS warning message on local console during boot

2014-07-30 Thread Espen Johansen
ZFS = FS+LVM. It's efficient in many ways. It's highly resilient to things
like silent data corruption (disk FW bugs, power spikes). It has on the
fly checking and repair. Copy on write, snapshotting, NFSv4 native acls and
a few more nice things. I don't understand the bashing?

-lsf
On 30 July 2014 at 21:44, Stefan Baur newsgroups.ma...@stefanbaur.de wrote:

 On 30.07.2014 at 16:43, Vick Khera wrote:
  On Wed, Jul 30, 2014 at 9:50 AM, Paul Mather p...@gromit.dlib.vt.edu
 wrote:
  Personally, I think ZFS on i386 has become a losing proposition as of
  late.  I ran a ZFS-on-root FreeBSD/i386 10-STABLE system with 2 GB of
  RAM and it appeared to become very flaky with ZFS in its latter months
  (I eventually switched it out for a FreeBSD/amd64 system).
 
  I cannot fathom a sensible use case for using ZFS on pfSense at all.

 I'm not consciously using ZFS for anything on pfSense, I *think* I
 performed the default install, but it could be using ntfs or vfat for
 all that I care. ;-) So I don't know why it's trying to use that - is it
 normal for a default pfSense install or not?

 I just saw the warning message and was wondering what to do about it.

 -Stefan

Re: [pfSense] ZFS warning message on local console during boot

2014-07-30 Thread Espen Johansen
Also remember that pfSense has had packages like FreeNAS (for some the
ultimate all-in-one home device).

-lsf
On 30 July 2014 at 22:24, Paul Mather p...@gromit.dlib.vt.edu wrote:

 On Jul 30, 2014, at 4:09 PM, Espen Johansen pfse...@gmail.com wrote:

  ZFS = FS+LVM. It's efficient in many ways. It's highly resilient to
 things like silent data corruption (disk FW bugs, power spikes). It has on
 the fly checking and repair. Copy on write, snapshotting, NFSv4 native acls
 and a few more nice things. I don't understand the bashing?
 

 I swear by ZFS on my regular FreeBSD systems (though I was having
 trouble with it on FreeBSD/i386 latterly).  I don't think there's any
 bashing of ZFS per se, just a wondering why you'd use it on a
 firewall appliance that's basically a nanobsd setup at heart...

 Cheers,

 Paul.



Re: [pfSense] Dual IP nets over one ethernet connector

2014-08-16 Thread Espen Johansen
If you have a VLAN-capable switch (most managed switches can do this), then
you can split one interface into several virtual ones. pfSense supports this.
If not, a USB Ethernet interface would be an option.
On 16 Aug 2014 at 19:48, Bob Gustafson bob...@rcn.com wrote:

 I have a small Alix board with only one Ethernet connector.

 It would be nice to pass packets from two different networks through that
 one Ethernet connector.

 I know it is possible, I'm just wondering whether pfsense can do it and
 whether anyone has some recipes for implementation.

 I would like to pass WAN packets (192.168.1.0/24) and LAN packets (
 192.168.2.0/24) through the same connector.

 pfsense would provide the NAT and firewalling within the box.

 Has anyone any experience with this?

 Bob G

Re: [pfSense] Dual IP nets over one ethernet connector

2014-08-16 Thread Espen Johansen
Not doable in a sensible way.
On 16 Aug 2014 at 20:06, Bob Gustafson bob...@rcn.com wrote:

  I'm interested in doing it all within the Alix using pfsense. A minimum
 hardware approach.

 Think of my WAN mentioned below as the LAN network created by the
 modem/router furnished by the ISP and the LAN mentioned below as devices
 also connected to the back end of the modem/router, but not accessible by
 the modem/router. Only by LAN/pfsense.

 Bob G

 On 08/16/2014 12:53 PM, Oliver Hansen wrote:

 I would think it's pretty simple if you have a vlan capable switch. Just
 connect the router to the switch on a trunk port and other devices off of
 the switch on specific vlans.

Re: [pfSense] Dual IP nets over one ethernet connector

2014-08-16 Thread Espen Johansen
You would have to do a major code rewrite to get this done. And it would
be insecure and it would make no pf sense :-) This is network basics. You
don't seem to understand some network fundamentals. Sorry, but this is not
doable without using VLANs or 2 physical interfaces.
On 16 Aug 2014 at 20:06, Bob Gustafson bob...@rcn.com wrote:

  I'm interested in doing it all within the Alix using pfsense. A minimum
 hardware approach.

 Think of my WAN mentioned below as the LAN network created by the
 modem/router furnished by the ISP and the LAN mentioned below as devices
 also connected to the back end of the modem/router, but not accessible by
 the modem/router. Only by LAN/pfsense.

 Bob G

 On 08/16/2014 12:53 PM, Oliver Hansen wrote:

 I would think it's pretty simple if you have a vlan capable switch. Just
 connect the router to the switch on a trunk port and other devices off of
 the switch on specific vlans.

Re: [pfSense] Dual IP nets over one ethernet connector

2014-08-16 Thread Espen Johansen
NAT traversal is trivial. Firewalling needs physical interfaces. VLANs are
possible, but VLAN jumping is also possible. VLANs to do different zones
(LAN/WAN, LAN/DMZ, DMZ/WAN) is not something I recommend, as VLAN jumping can
be done in most environments. In short: forget an idea where you firewall
with a single interface. Even if this is only to play with at home. Just
don't. A vanilla Linux/BSD will let you shoot yourself in the foot. So you
can do it there. But there are no firewalls that will allow this without 2
interfaces. Most require 2 physical, but some will allow for 2 or more
VLANs. Again, do not do it.
On 16 Aug 2014 at 22:13, Adam Thompson athom...@athompso.net wrote:

  On 14-08-16 01:13 PM, Espen Johansen wrote:

 You would have to do a major code rewrite to get this done. And it would
 be insecure and it would make no pf sense :-) This is network basics. You
 don't seem to understand some network fundamentals. Sorry, but this is not
 doable without using VLANs or 2 physical interfaces.

 To clarify Espen's comments : yes, it is possible to run two subnets on
 the same wire.
 Any _router_ can route between two subnets on the same wire (or the same
 VLAN, same thing - technically the same broadcast domain).
 A _firewall_, however, will refuse to do so because it's nonsensical from
 a security perspective.
 So pfSense is a router, yes, but it is also a firewall, and in areas where
 those two roles conflict, the firewall role wins.
 As previously pointed out, you can't usefully use pf(4) in the
 circumstance you describe.
 It is technically possible, on some platforms, to perform NAT between the
 two subnets.  It would be possible, AFAIK, to manually craft a pf rule that
 does this; it is not possible to get the pfSense GUI to generate that
 rule.  That's where the major code rewrite comes into play.

 I'm not aware of any firewall GUI that will let you do this - and for a
 good reason!  By hooking your LAN up directly to the WAN, you're
 effectively eliminating 99% of the security a firewall gives you.  (And,
 yes, it is possible to directly attack private IP addresses on most ISPs.)

 If you're determined to deploy this model, you'll have to run a bare OS
 that can route, i.e. Linux, OpenBSD, FreeBSD, etc. and configure the
 networking stack and NAT rules by hand.

 --
 -Adam Thompson
  athom...@athompso.net


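The "VLAN jumping" that Espen gives as the reason not to separate zones with tags on one wire has one concrete, well-known form: double tagging across a trunk whose native VLAN is carried untagged. The following is an added example, not code from the list thread or from pfSense. The frame layout is real 802.1Q (TPID 0x8100, 12-bit VID in the TCI); the two-switch model, the assumption that an access port accepts frames already tagged with its own VLAN (vendor-dependent), and the MAC addresses and payload are constructed for the demonstration.

```python
"""Double tagging (802.1Q-in-802.1Q) across an untagged native VLAN, modelled in Python.

Added example, not code from the pfSense list or project. The switch model is a
deliberate simplification and an assumption of this example: switch A has an access
port that accepts frames tagged with its own VLAN, and a trunk to switch B whose
native VLAN travels untagged (the default on many switches).
"""
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

# Constructed sample addresses and payload.
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("020000000001")
PAYLOAD = b"constructed ipv4 payload"


def build_frame(dst, src, payload, vlans=()):
    """Ethernet II frame; each VLAN id in `vlans` adds one 802.1Q tag, outermost first."""
    tags = b"".join(struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF) for vid in vlans)
    return dst + src + tags + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_tags(frame):
    """Return (VLAN ids outermost first, offset of the EtherType that follows the tags)."""
    vids, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] == ETHERTYPE_8021Q:
        vids.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return vids, off


def access_ingress(frame, port_vid):
    """Switch A access port: untagged frames get the port VLAN tag; frames already
    tagged with the port VLAN pass unchanged; anything else is dropped (None)."""
    vids, _ = parse_tags(frame)
    if not vids:
        return frame[:12] + struct.pack("!HH", ETHERTYPE_8021Q, port_vid) + frame[12:]
    return frame if vids[0] == port_vid else None


def trunk_egress(frame, native_vid):
    """Switch A trunk port: the native VLAN is sent untagged, so its outer tag is removed."""
    vids, _ = parse_tags(frame)
    return frame[:12] + frame[16:] if vids and vids[0] == native_vid else frame


def trunk_ingress(frame, native_vid):
    """Switch B trunk port: classify by the outermost tag, or the native VLAN if untagged."""
    vids, _ = parse_tags(frame)
    return vids[0] if vids else native_vid


def delivered_vlan(frame, access_vid, native_vid):
    """Host -> switch A access port (access_vid) -> trunk (native_vid) -> switch B.
    Returns the VLAN switch B delivers the frame on, or None if switch A dropped it."""
    tagged = access_ingress(frame, access_vid)
    if tagged is None:
        return None
    return trunk_ingress(trunk_egress(tagged, native_vid), native_vid)


if __name__ == "__main__":
    plain = build_frame(DST, SRC, PAYLOAD)
    single = build_frame(DST, SRC, PAYLOAD, vlans=(10,))
    double = build_frame(DST, SRC, PAYLOAD, vlans=(1, 10))
    print("untagged frame from VLAN 1 host ->", delivered_vlan(plain, 1, 1))     # 1
    print("tagged VLAN 10 from VLAN 1 host ->", delivered_vlan(single, 1, 1))    # None (dropped)
    print("double-tagged 1/10, native 1   ->", delivered_vlan(double, 1, 1))     # 10: hopped
    print("double-tagged 1/10, native 999 ->", delivered_vlan(double, 1, 999))   # 1: contained
```

The last two calls are the point: with the attacker's access VLAN equal to the trunk's native VLAN, switch A strips the outer tag and switch B delivers the frame into VLAN 10, which is why a firewall whose only zone boundary is a tag on one physical port is weaker than one with separate interfaces. Moving the native VLAN to an unused ID (and tagging it) keeps the outer tag on the wire, and switch B then classifies the frame by that tag.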

Re: [pfSense] Delete last Alias IP when CARP address in subnet

2014-08-18 Thread Espen Johansen
Export config. Edit. Then import.
On 18 Aug 2014 at 19:21, Adam Williams a...@spreedly.com wrote:

 Hello.

 I am running 2.1-RELEASE (built on Wed Sep 11 18:16:44 EDT 2013),
 which I believe includes the fix for the bug documented here
 https://redmine.pfsense.org/issues/2406, according to the release
 notes at https://redmine.pfsense.org/versions/5.

 In that ticket, it says:

  You can't remove the last IP alias on the subnet of a CARP IP because
 it'll break CARP, you have to delete the CARP IP first. The only exception
 being when the interface IP is on the CARP IP's subnet, which is also
 handled correctly.

 I believe I meet the only exception clause, since my WAN interface
 is configured for the same subnet of the CARP address.

 I have the following configuration:

 ```xml
 <interfaces>
   <wan>
     <enable/>
     <if>em5</if>
     <descr><![CDATA[WAN]]></descr>
     <blockpriv/>
     <blockbogons/>
     <spoofmac/>
     <ipaddr>2.2.2.1</ipaddr>
     <subnet>28</subnet>
     <gateway>WANGW</gateway>
   </wan>
 </interfaces>
 <virtualip>
   <vip>
     <mode>carp</mode>
     <interface>wan</interface>
     <vhid>2</vhid>
     <advskew>0</advskew>
     <advbase>1</advbase>
     <password></password>
     <descr><![CDATA[CARP]]></descr>
     <type>single</type>
     <subnet_bits>28</subnet_bits>
     <subnet>2.2.2.9</subnet>
   </vip>
   <vip>
     <mode>ipalias</mode>
     <interface>wan</interface>
     <descr><![CDATA[Alias]]></descr>
     <type>single</type>
     <subnet_bits>28</subnet_bits>
     <subnet>2.2.2.10</subnet>
   </vip>
 </virtualip>
 ```

 However, I cannot delete this IP Alias, being given the message This
 entry cannot be deleted because it is still referenced by a CARP IP
 with the description Alias. Of course, there is no CARP address with
 that description, so it seems to be referencing the Alias itself!

 It's interesting to note that the `subnet` element of the WAN
 interface is `28`, where the similarly named element of the VIP
 address is `2.2.2.10`, but the `subnet_bits` does match the
 `subnet` element of the interface.

 Does anyone know a workaround so that I can delete this IP Alias?

 Thanks!

Re: [pfSense] Delete last Alias IP when CARP address in subnet

2014-08-18 Thread Espen Johansen
You can export only portions of the config.
As for deleting the interface in the CLI without making the proper changes in
the config XML, that is not something I would advise at all. If you are sure you
know how to do it, you can edit the running config, then use the CLI to remove
the VIP. If you want to do it cleanly, I would suggest a config edit followed
by a reboot, or config export/import. All this would be workarounds, since this
seems to be a bug caused by an edge case. See the doc wiki or forum for
proper XML edit procedures.
On 18 Aug 2014 at 20:16, Adam Williams a...@spreedly.com wrote:

 If it's that simple, I can use `viconfig` to delete the `ipalias`
 element, then in FreeBSD, simply remove the IP address from the WAN
 interface. I just am not terribly sure of the lifecycle of the config
 file.

 On Mon, Aug 18, 2014 at 1:53 PM, Espen Johansen pfse...@gmail.com wrote:
  Export config. Edit. Then import.
 
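The "export config, edit, then import" workaround, with the rule quoted from Redmine #2406 applied before the edit: an IP alias may be dropped only if the CARP VIP on that interface still has another address in its subnet, the interface's own address included. This is an added example, not pfSense code. The element names follow the config fragment posted in the thread (`interfaces/wan/ipaddr`, `virtualip/vip/mode/subnet/subnet_bits`); the `<pfsense>` root, the check itself and the sample config are this example's own assumptions, and the sample mirrors the thread's values (WAN 2.2.2.1/28, CARP 2.2.2.9, alias 2.2.2.10).

```python
"""Remove an ipalias VIP from an exported pfSense config.xml, refusing when a CARP VIP
on the same interface would be left with no other address inside its subnet.

Added example, not pfSense code. Element names follow the thread's config fragment;
the <pfsense> root, the safety check and SAMPLE_CONFIG are assumptions of this example.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample mirroring the thread: WAN 2.2.2.1/28, CARP 2.2.2.9, alias 2.2.2.10.
SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <wan>
      <descr><![CDATA[WAN]]></descr>
      <ipaddr>2.2.2.1</ipaddr>
      <subnet>28</subnet>
    </wan>
  </interfaces>
  <virtualip>
    <vip>
      <mode>carp</mode>
      <interface>wan</interface>
      <vhid>2</vhid>
      <descr><![CDATA[CARP]]></descr>
      <subnet_bits>28</subnet_bits>
      <subnet>2.2.2.9</subnet>
    </vip>
    <vip>
      <mode>ipalias</mode>
      <interface>wan</interface>
      <descr><![CDATA[Alias]]></descr>
      <subnet_bits>28</subnet_bits>
      <subnet>2.2.2.10</subnet>
    </vip>
  </virtualip>
</pfsense>
"""


def covering_addresses(root, ifname, skip):
    """Addresses that keep a CARP VIP on `ifname` usable: the interface's own static
    address plus every ipalias VIP on that interface other than `skip`."""
    addrs = []
    ipaddr = root.findtext(f"interfaces/{ifname}/ipaddr")
    if ipaddr:
        try:
            addrs.append(ipaddress.ip_address(ipaddr))
        except ValueError:  # "dhcp", "pppoe", ... are not static addresses
            pass
    for vip in root.iterfind("virtualip/vip"):
        if vip is not skip and vip.findtext("mode") == "ipalias" and vip.findtext("interface") == ifname:
            addrs.append(ipaddress.ip_address(vip.findtext("subnet")))
    return addrs


def alias_removal_is_safe(root, alias):
    """True unless a CARP VIP on the alias's interface would lose its last covering address."""
    ifname = alias.findtext("interface")
    remaining = covering_addresses(root, ifname, skip=alias)
    for vip in root.iterfind("virtualip/vip"):
        if vip.findtext("mode") != "carp" or vip.findtext("interface") != ifname:
            continue
        net = ipaddress.ip_network(f"{vip.findtext('subnet')}/{vip.findtext('subnet_bits')}", strict=False)
        if not any(addr in net for addr in remaining):
            return False
    return True


def remove_ip_alias(xml_text, descr):
    """Return the config with the ipalias VIP described `descr` removed; raise ValueError
    if it does not exist or if removing it would leave a CARP VIP uncovered."""
    root = ET.fromstring(xml_text)
    vips = root.find("virtualip")
    if vips is None:
        raise ValueError("no <virtualip> section in config")
    target = next((v for v in vips.iterfind("vip")
                   if v.findtext("mode") == "ipalias" and v.findtext("descr") == descr), None)
    if target is None:
        raise ValueError(f"no ipalias VIP described {descr!r}")
    if not alias_removal_is_safe(root, target):
        raise ValueError("refusing: a CARP VIP would be left with no address in its subnet")
    vips.remove(target)
    return ET.tostring(root, encoding="unicode")


def removal_allowed(xml_text, descr):
    """Dry run of remove_ip_alias(): True if the deletion would be accepted."""
    try:
        remove_ip_alias(xml_text, descr)
        return True
    except ValueError:
        return False


def count_vips(xml_text, mode):
    """Number of <vip> entries whose <mode> is `mode` (carp or ipalias)."""
    return sum(1 for v in ET.fromstring(xml_text).iterfind("virtualip/vip") if v.findtext("mode") == mode)


if __name__ == "__main__":
    new_config = remove_ip_alias(SAMPLE_CONFIG, "Alias")
    print("ipalias VIPs left:", count_vips(new_config, "ipalias"))           # 0
    # Same layout but with the WAN address outside the CARP subnet: refused.
    moved = SAMPLE_CONFIG.replace("<ipaddr>2.2.2.1</ipaddr>", "<ipaddr>2.2.3.1</ipaddr>")
    print("allowed when WAN is 2.2.3.1:", removal_allowed(moved, "Alias"))  # False
```

Run it against a copy of the backup exported from the web GUI, diff the result, then restore it. Two caveats: ElementTree re-serializes the `<descr>` CDATA sections as escaped text, which is still well-formed XML but will show up in the diff, and the check only looks at static interface addresses and ipalias VIPs, which is exactly the rule the ticket describes and nothing more.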

Re: [pfSense] Netgate APU2 SSD module question

2014-08-25 Thread Espen Johansen
I personally don't think you will have an issue with too many writes in a
normal environment. Why Squid, though? If it's for filtering, fine. For
acceleration and 3-6 persons it will most likely not do you much good.
Also check MLC vs SLC. SLC-based SSDs will last longer, approximately 10
times longer, and even more with the right write-leveling tech.

Just my 2 cents.
On 25 Aug 2014 at 19:32, Sergii Cherkashyn ser...@accurategroup.com wrote:

  I’m planning to purchase the Netgate APU2 with 16 GB mSATA SSD module
 for small office (3-6 persons). planning to install the Squid package on
 the firewall. is this kind of package that is still not recommended to run
 on the firewall with SSD because of intensive writes to the hard drive that
 dramatically reduces the life of SSD hard drive?



 Or is the following forum discussion slightly outdated and the quality of SSDs
 has improved? Though there are many comments saying that SSDs work great
 for them for many years.



 https://forum.pfsense.org/index.php?topic=34381.0





 Best regards,
 Sergii Cherkashyn




Re: [pfSense] Netgate APU2 SSD module question

2014-08-27 Thread Espen Johansen
If I may...
I think Ryan is confused about the USB part. The SD slot is an onboard slot,
but it's not connected/wired to the IDE/SATA bus; rather, it is connected to
the USB bus just as an external USB card reader would be, but of course it's
onboard and hardwired. Thus the confusion, I assume.
On 27 Aug 2014 at 20:01, Jim Thompson j...@netgate.com wrote:

 Ryan,

 I’m not sure what you’re asking.

 This thread started off with Sergii Cherkashyn asking if running on an SSD
 was advisable.

 Obviously, it works, or we wouldn’t offer it. (The thread Sergii
 pointed-to is from early 2011.  Netgate did not ship SSDs for several
 years because the reliability *then* was so poor.  The situation changed,
 and, once quality SSDs were available (*with power-fail capacitors, etc.*),
 we began offering same.

 Then you jumped in asking (is) “SDHC slot on this board is simply for
 show?”

 I honestly thought you were trolling.   Since there is a configuration of
 the APU units available for sale both at the Netgate store *and* the
 pfSense store (http://store.pfsense.org) that does not include a m-sata
 drive, how else could the system boot pfSense?

 Now you post on a public list, (a list about pfSense), asking me to change
 an unspecified page on (I assume), the Netgate site.

 Setting aside the whole issue of why we’re talking about this on-list, I
 can’t find the text that confused you.

 Here is what I found on the Netgate site:

 http://store.netgate.com/APU1C4.aspx says: Boot from SD card (connected
 through USB), external USB or m-SATA SSD.”
 http://store.netgate.com/APU1C.aspx says: Boot from SD card (connected
 through USB), external USB or m-SATA SSD.

 You may wish to note that this language exactly matches that found on the
 PC Engines site:
 Boot from SD card (connected through USB), external USB or m-SATA
 SSD.”

 ref: http://pcengines.ch/apu.htm, and http://pcengines.ch/apu1c.htm,

 and page 9 of the schematic for the APU (
 http://pcengines.ch/schema/apu1c.pdf) clearly shows that the “SD card
 interface” runs through a Alcore Micro AU6465 (
 http://www.alcormicro.com/en_content/c_product/product_01b.php?CategoryID=7IndexID=19)
 to USB6 on the AMD T40 SoC.

 If you will be so kind as to make a specific request for change of the
 language you found confusing, I’ll take a look at it.
 You might even send such a request to me in-private, so as not to further
 clutter the list.

 Right now, I can’t find a problem.

 JIm


  On Aug 27, 2014, at 9:26 AM, Ryan Coleman ryanjc...@me.com wrote:
 
  Understood. Thank you for the clarification.
 
  Would it be possible to have the description updated on the sales page?
 It only says you can boot via SD through USB.
 
  --
  Ryan Coleman
  ryanjc...@me.com
  m. 651.373.5015
  o. 612.568.2749
 
  On Aug 27, 2014, at 9:24, Jim Thompson j...@netgate.com wrote:
 
 
  Yes, the system can be booted from an SD (or SDHC) card.  Or from USB,
 or from the m-SATA.
 
  All of these require proper preparation of the requisite ‘disk’ (-like
 device).
 
  Jim
 
  On Aug 27, 2014, at 9:21 AM, Ryan Coleman ryanjc...@me.com wrote:
 
  I understand *that* however it doesn't say on the features page it can
 be booted off the SD slot - is that true? If so I have to change a few
 quotes I have in play as they will need to get mSATA SSDs instead.
 
  On Aug 27, 2014, at 9:20, Jim Thompson j...@smallworks.com wrote:
 
 
  The SD (SDHC describes some cards which work in the slot) card slot
 is a “base feature”.   If people choose to fit a m-SATA drive,
  then they can.  Or they can use the SD card socket.
 
  It’s not like we’re going to de-solder the SD card socket if it’s not
 going to be used.
 
  Neither are we going to carry two different SKUs (one with, one
 without).
 
  Jim
 
  On Aug 27, 2014, at 7:57 AM, Ryan Coleman ryanjc...@me.com wrote:
 
  Why not answer the question?
 
 
  On Aug 27, 2014, at 7:56, Jim Thompson j...@netgate.com wrote:
 
  Ryan,
 
  Don't troll.
 
 
 
  On Aug 27, 2014, at 7:33 AM, Ryan Coleman ryanjc...@me.com wrote:
 
  Wait, so the SDHC slot on this board is simply for show?
 
  On Aug 26, 2014, at 13:56, Sergii Cherkashyn 
 ser...@accurategroup.com wrote:
 
  Thank you Espen,
 
  Squid is for filtering purpose only, not to save bandwidth.
  On Netgate they have only this SSD as an option. But I’ll keep
 your advice in mind.
 
  Best regards,
  Sergii Cherkashyn
 
 

Re: [pfSense] Netgate APU2 SSD module question

2014-08-27 Thread Espen Johansen
Maybe just write (hardwired to USB6)?
On 27 Aug 2014 at 20:01, Jim Thompson j...@netgate.com wrote:


Re: [pfSense] Netgate APU2 SSD module question

2014-08-27 Thread Espen Johansen
For completeness' sake, just to clarify: you can get SDHC cards that are
SLC-based. Pretty much everything called industrial-grade SD/SDHC will be
an SLC SSD in SD format.

Re: [pfSense] Netgate APU2 SSD module question

2014-08-28 Thread Espen Johansen
All I'm saying is that a normal SLC cell can handle about 10 times more
writes than an MLC one if everything else is the same. And as far as I can tell,
the ability to handle writes is the OP's main concern. An SLC-based SDHC card
will have about 10 times longer life span in that regard.
If you want it perfect, then sure, there are better options and technologies.
I'm just trying to make the choice an easy one based on what the OP asked.
There is always better, cheaper and faster tech just around the corner.
On 27 Aug 2014 at 21:26, Jim Thompson j...@smallworks.com wrote:

 SD cards are storage, but not “disks” nor “drives”.

 Beyond m-SATA, eMMC is your best option.  Not only are they faster than SD
 cards (speeds of the larger devices rival those of traditional SSDs, as
 well as supporting a “TRIM”-like operation, priority interruptible READ and
 ERASE operations, background operations, and riding the cost-curve of
 cellular handsets (growing) .vs consumer point-and-shoot cameras
 (shrinking), etc.)

 (This, by the way, is a huge, huge ‘hint’.)
 (You may wish read between the lines.)

 A lot of the SLC / MLC mythos is from before the days of JEDEC standards
 for endurance, advanced wear-leveling algorithms, and before a lof of the
 firmware engineers understood concepts such as “read disturbance”, “write
 disturbance”, and “ECC correction thresholds”.  It’s certainly not as
 simple as you’re making it out to be.

 (This, again, is the big reason that Netgate stayed out of the early
 fracas around SSDs.)

 I’m not going to depend on what someone said in the forum over 3 years
 ago, since it’s unlikely to apply today.

 Jim

 On Aug 27, 2014, at 1:32 PM, Espen Johansen pfse...@gmail.com wrote:

 For completeness' sake.
 Just to clarify. You can get SDHC cards that are SLC based. Pretty much
 everything called industrial grade SD/SDHC will be an SLC SSD in SD format.

 Understood. Thank you for the clarification.

 Would it be possible to have the description updated on the sales page? It
 only says you can boot via SD through USB.

 --
 Ryan Coleman
 ryanjc...@me.com
 m. 651.373.5015
 o. 612.568.2749

 On Aug 27, 2014, at 9:24, Jim Thompson j...@netgate.com wrote:


 Yes, the system can be booted from an SD (or SDHC) card.  Or from USB, or
 from the m-SATA.

 All of these require proper preparation of the requisite ‘disk’ (-like
 device).

 Jim

 On Aug 27, 2014, at 9:21 AM, Ryan Coleman ryanjc...@me.com wrote:

 I understand *that* however it doesn't say on the features page it can be
 booted off the SD slot - is that true? If so I have to change a few quotes
 I have in play as they will need to get mSATA SSDs instead.

 On Aug 27, 2014, at 9:20, Jim Thompson j...@smallworks.com wrote:


 The SD (SDHC describes some cards which work in the slot) card slot is a
 “base feature”.   If people choose to fit a m-SATA drive,
 then they can.  Or they can use the SD card socket.

 It’s not like we’re going to de-solder the SD card socket if it’s not
 going to be used.

 Neither are we going to carry two different SKUs (one with, one without).

 Jim

 On Aug 27, 2014, at 7:57 AM, Ryan Coleman ryanjc...@me.com wrote:

 Why not answer the question?


 On Aug 27, 2014, at 7:56, Jim Thompson j...@netgate.com wrote:

 Ryan,

 Don't troll.



 On Aug 27, 2014, at 7:33 AM, Ryan Coleman ryanjc...@me.com wrote:

 Wait, so the SDHC slot on this board is simply for show?

 On Aug 26, 2014, at 13:56, Sergii Cherkashyn ser...@accurategroup.com
 wrote:

 Thank you Espen,

 Squid is for filtering purpose only, not to save bandwidth.
 On Netgate they have only this SSD as an option. But I’ll keep your advice
 in mind.

 Best regards,
 Sergii Cherkashyn


 Date: Mon, 25 Aug 2014 20:45:46 +0200
 From: Espen Johansen pfse...@gmail.com
 To: pfSense support and discussion list@lists.pfsense.org
 Subject: Re: [pfSense] Netgate APU2 SSD module question
 Message-ID:
 
 caadq7-adzhlsv1p6rl7kwaaomaws1uqcet6fxa5ngdn8sl5...@mail.gmail.com
 Content-Type: text/plain; charset=utf-8

 I personally don't think you will have an issue with too many writes in a
 normal environment. Why squid though? If it's for filtering, fine. For
 acceleration and 3-6 persons it will most likely not do you much good.
 Also check MLC vs SLC. An SLC based SSD will last longer. Approximately 10
 times longer. And even more with the right write leveling tech.

 Just my 2 cents.


 ___
 List mailing list
 List@lists.pfsense.org
 https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] understand the CARP advskew option

2014-09-11 Thread Espen Johansen
advbase:
This optional parameter specifies how often, in seconds, to advertise that
we're a member of the redundancy group. The default is 1 second. Acceptable
values are from 1 to 255.

advskew:
This optional parameter specifies how much to skew the advbase when sending
CARP advertisements. By manipulating advskew, the master CARP host can be
chosen. The higher the number, the less preferred the host will be when
choosing a master. The default is 0. Acceptable values are from 0 to 254.

If advbase is long you risk a slow switchover in a failure situation. It
needs to be a sensible time based on system load and network delay.
However, network delay is normally not something you have to take into
account.

Skew will help you force one to become master by default. And if you have
more than 2 hosts you can control primary, secondary, tertiary etc. Let's
say you have a very fast primary, a slower older secondary, and an even
slower older third. This way you can set primary to 1, secondary to 128 and
third to 254 and they will be elected master based on this. I assume that
is why you need both.
Advbase should be the same on all hosts in a CARP group. Skew is something
you would want to be different if you want to control which one will be
active.

-lsf
 On 11 Sep 2014 12:27, Martin T m4rtn...@gmail.com wrote:

 Jim,

 thanks for the reply! So do you agree that it's not just the advskew
 value, but the system with lowest advbase+advskew value will take
 the master role? And it seems that advbase is byte number 40 and
 advskew is byte number 37 in CARP advertisements. For example in
 this CARP advertisement advbase is 2(02) and advskew is 254(fe):

 0x0020:  0012 2122 fe07 0002 f66a 97c4 8a3a 47f9  ..!.j...:G.


 Last but not least, I still don't quite understand why both advbase
 and advskew are available. One could determine the master/backup
 role solely with advbase, couldn't he?


 thanks,
 Martin

 On 9/10/14, Jim Pingle li...@pingle.org wrote:
  On 9/10/2014 5:15 AM, Martin T wrote:
  1) Why does the message interval matter to CARP? Is CARP designed in
  a way that it prefers the system which announces CARP messages with
  the shortest interval?
 
  Yes, the fastest advertisement wins the election and becomes master.
 
  2) Why is advskew needed if one could determine the master/backup
  role solely with advbase?
 
  See above. advbase is a base time added to the skew. (+1 sec per base
  value)
 
  On slower networks you need to use a higher advbase on both to account
  for lag in local network equipment such as when the two nodes are in
  different buildings or similar situations.
 
  Typically, base matches on both and you set the skew to give your
  preferred primary node preference.
 
  Jim
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list
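As an added illustration of the advbase/advskew discussion above (Espen's summary, Martin's byte offsets and Jim's "fastest advertisement wins"), here is my own example, not code from the thread or from pfSense. It parses the fixed fields of a CARP advertisement using the header layout from FreeBSD's ip_carp.h, and models the election the way carp(4) does it: every host advertises every advbase + advskew/256 seconds, the host that advertises most often becomes master, and a host's demotion counter is added to its advskew (clamped at 254) before the advertisement is sent. The sample bytes are the start of the CARP header from the dump Martin quoted, padded with two constructed counter bytes; the host names and the tie-break by name are my assumptions.

```python
"""CARP advertisement parsing and master election (added example, not pfSense code)."""
import struct
from dataclasses import dataclass

# Fixed part of the CARP advertisement, per FreeBSD sys/netinet/ip_carp.h:
#   byte 0      version (high nibble, 2) | type (low nibble, 1 = advertisement)
#   byte 1      vhid        byte 2  advskew    byte 3  authlen (counter+HMAC in 32-bit words, 7)
#   byte 4      reserved (carp_pad1; OpenBSD carries its demotion counter here)
#   byte 5      advbase     bytes 6-7  checksum    bytes 8-15  64-bit counter
#   bytes 16-35 HMAC-SHA1 over the advertisement (not parsed here)
CARP_FIXED = struct.Struct("!BBBBBBH")
CARP_COUNTER = struct.Struct("!Q")
CARP_VERSION = 2
CARP_ADVERTISEMENT = 1
CARP_MAXSKEW = 254

# Start of the CARP header from the dump quoted in the thread (frame bytes 34..47, i.e.
# right after the 14-byte Ethernet and 20-byte IPv4 headers). The dump stops six bytes
# into the counter, so the last two counter bytes here are constructed.
SAMPLE_ADV = bytes.fromhex("2122fe070002f66a" "97c48a3a47f9" "0000")


def parse_carp_header(payload: bytes) -> dict:
    """Return the fixed CARP header fields; raise ValueError if it is not a v2 advertisement."""
    need = CARP_FIXED.size + CARP_COUNTER.size
    if len(payload) < need:
        raise ValueError(f"CARP header truncated: {len(payload)} < {need} bytes")
    ver_type, vhid, advskew, authlen, pad, advbase, cksum = CARP_FIXED.unpack_from(payload, 0)
    (counter,) = CARP_COUNTER.unpack_from(payload, CARP_FIXED.size)
    version, msg_type = ver_type >> 4, ver_type & 0x0F
    if version != CARP_VERSION or msg_type != CARP_ADVERTISEMENT:
        raise ValueError(f"not a CARPv2 advertisement (version={version}, type={msg_type})")
    return {
        "version": version, "type": msg_type, "vhid": vhid, "advskew": advskew,
        "authlen": authlen, "pad_or_demote": pad, "advbase": advbase,
        "checksum": cksum, "counter": counter,
    }


def effective_skew(advskew: int, demotion: int = 0) -> int:
    """Skew actually put on the wire: advskew plus the host's demotion counter, capped at 254."""
    return min(CARP_MAXSKEW, advskew + demotion)


def adv_interval(advbase: int, advskew: int, demotion: int = 0) -> float:
    """Seconds between two advertisements: advbase + advskew/256."""
    return advbase + effective_skew(advskew, demotion) / 256.0


def failover_delay(advbase: int, advskew: int, demotion: int = 0) -> float:
    """How long a backup waits without hearing a master before taking over:
    three advertisement intervals computed from its own settings."""
    return 3 * adv_interval(advbase, advskew, demotion)


@dataclass(frozen=True)
class CarpHost:
    name: str
    advbase: int
    advskew: int
    demotion: int = 0

    def interval(self) -> float:
        return adv_interval(self.advbase, self.advskew, self.demotion)


def elect_master(hosts) -> str:
    """The host advertising most often wins. Ties are broken by name here, a constructed
    simplification (carp(4) compares the advertisements' source addresses)."""
    return min(hosts, key=lambda h: (h.interval(), h.name)).name


if __name__ == "__main__":
    print(parse_carp_header(SAMPLE_ADV))
    group = [CarpHost("primary", 1, 1), CarpHost("secondary", 1, 128), CarpHost("third", 1, 254)]
    for h in group:
        print(f"{h.name}: advertises every {h.interval():.4f}s, "
              f"takes over after {failover_delay(h.advbase, h.advskew):.4f}s")
    print("master:", elect_master(group))
```

The interval is advbase plus advskew/256, not advbase plus advskew: a host with advbase 1 and advskew 254 still advertises more often than one with advbase 2 and advskew 0, which is why the skew only orders hosts that share the same advbase, as Jim and Espen describe. The demotion term is what pfSense uses to push a node with a broken pfsync or interface towards backup without touching its configured skew.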

Re: [pfSense] Routing between LAN interfaces

2014-09-12 Thread Espen Johansen
This should work without any special magic. Can a PC on a VLAN segment ping
the gateway and reach the internet?
Also, did you configure the IP on the VLAN interface or the physical one? What
does a traceroute show if you trace to an unreachable part? Does ARP
register hosts on the VLAN interface?

-lsf
On 12 Sep 2014 12:43, Niklas Fondberg nik...@vireone.com wrote:

  From: Giles Coochey gi...@coochey.net


  I'm not criticizing your choice of configuration, there is absolutely no
 reason not to use VLANs, however, in your design you appear to have a
 number of VLANs, but I didn't see that (at the moment) you actually showed
 a need to be using them (4 interfaces in total, one I assume is a WAN
 interface, three interfaces remaining, you say you are not using the
 default VLAN, and you have two VLANs plus an ILO subnet - so you could just
 use physical interfaces). dot1Q VLAN trunks on your interfaces are a good
 design, especially if you might want to add VLANs to the design later...

 VLANs complexify your needed configuration, and might be where other
 admins could trip up.

 Might be good to have a look at your routing table, on the diagnostics
 menu in the Web interface.

 --
 Regards,

 Giles Coochey, CCNP, CCNA, CCNAS
 NetSecSpec Ltd
 +44 (0) 8444 780677
 +44 (0) 7584 634135
 http://www.coochey.net
 http://www.netsecspec.co.uk
 gi...@coochey.net


  Hi Giles,

  My routing table looks like this:
 Destination         Gateway          Flags  Refs  Use       Mtu    Netif
 default             178.78.221.93    UGS    0     25456153  1500   em0
 10.0.0.0/24         link#10          U      0     2829      1500   em2_vlan2
 10.0.0.1            link#10          UHS    0     0         16384  lo0
 10.1.0.0/24         link#4           U      0     7927      1500   em3
 10.1.0.1            link#4           UHS    0     0         16384  lo0
 31.211.230.216/30   link#1           U      0     0         1500   em0
 31.211.230.218      link#1           UHS    0     0         16384  lo0
 84.246.88.10        178.78.221.93    UGHS   0     34164     1500   em0
 84.246.88.20        178.78.221.93    UGHS   0     25712     1500   em0
 127.0.0.1           link#7           UH     0     37469     16384  lo0
 178.78.221.92/30    link#1           U      0     589543    1500   em0
 178.78.221.94       link#1           UHS    0     0         16384  lo0
 192.168.1.0/24      link#2           U      0     672       1500   em1
 192.168.1.1         link#2           UHS    0     0         16384  lo0
 192.168.2.0/24      link#9           U      0     1342636   1500   em1_vlan10
 192.168.2.1         link#9           UHS    0     0         16384  lo0
 192.168.10.0/24     192.168.10.2     UGS    0     2718508   1500   ovpns1
 192.168.10.1        link#11          UHS    0     0         16384  lo0
 192.168.10.2        link#11          UH     0     16        1500   ovpns1
  I can’t see anything wrong in the routing table EVEN if they are on
 different physical interfaces. I guess I could have all VLANs on one
 physical interface but that seems like another discussion and I still don’t
 understand if this is why pfSense is struggling with the routing.
 Is it supposed to be supported?



___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] Adding Ethernetports

2014-09-19 Thread Espen Johansen
Check dmesg and pciconf -lv.
If it's not seen at all then try different slots and try to verify that
the card/slot is working.

-lsf

On Fri, Sep 19, 2014 at 4:31 PM, Brian Caouette bri...@dlois.com wrote:

 I added a dual port nic to my pfsense box and it doesn't show the
 additional ports.

 The new nic doesn't show anywhere. I am using a PowerEdge 2850 and an
 Intel Card. I am also using vmware on the machine.

 Any ideas what may be going on?
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list
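Following Espen's check above, here is my own example (not code from the thread or from pfSense; the sample pciconf output is constructed, with illustrative Intel chip ids): a small parser for `pciconf -lv` that separates the three states a "missing" NIC can be in, which is the distinction the advice turns on. A network-class function with a driver name (em0, igb1, ...) is attached and only needs configuring; one listed as noneN is on the bus but has no driver bound to it; a port that does not appear at all never reached the OS, so the slot, the card or, on a VM like the one in this thread, the hypervisor is what has to be fixed.

```python
"""Classify the network devices in `pciconf -lv` output (added example, not pfSense code)."""
import re

# Constructed sample of `pciconf -lv` output: one NIC the em(4) driver has claimed, one
# network controller the bus sees but no driver has attached to ("noneN"), and a host
# bridge that should be ignored. Not taken from the thread.
SAMPLE_PCICONF = """\
em0@pci0:0:25:0:\tclass=0x020000 card=0x00008086 chip=0x10d38086 rev=0x00 hdr=0x00
    vendor     = 'Intel Corporation'
    device     = '82574L Gigabit Network Connection'
    class      = network
    subclass   = ethernet
none2@pci0:2:0:0:\tclass=0x020000 card=0x00008086 chip=0x105e8086 rev=0x06 hdr=0x00
    vendor     = 'Intel Corporation'
    device     = '82571EB Gigabit Ethernet Controller'
    class      = network
    subclass   = ethernet
hostb0@pci0:0:0:0:\tclass=0x060000 card=0x00001028 chip=0x29c08086 rev=0x02 hdr=0x00
    vendor     = 'Intel Corporation'
    class      = bridge
    subclass   = HOST-PCI
"""

# "<driver><unit>@pci<domain>:<bus>:<slot>:<function>:<TAB>class=0xCCSSPP ..." starts each
# device; the indented "key = value" lines that follow belong to it.
HEADER_RE = re.compile(r"^(?P<name>\w+)@(?P<sel>pci\d+:\d+:\d+:\d+):\s+class=0x(?P<cls>[0-9a-fA-F]{6})")
FIELD_RE = re.compile(r"^\s+(?P<key>\w+)\s*=\s*(?P<val>.*?)\s*$")
PCI_CLASS_NETWORK = 0x02  # PCI base class of network controllers (top byte of class code)


def parse_pciconf(text: str) -> list:
    """Turn pciconf -lv text into a list of {name, selector, class_code, fields} dicts."""
    devices, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"name": m["name"], "selector": m["sel"],
                       "class_code": int(m["cls"], 16), "fields": {}}
            devices.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current["fields"][m["key"]] = m["val"].strip("'")
    return devices


def classify_nics(devices: list) -> list:
    """Keep only network-class functions and say whether a driver claimed each one."""
    nics = []
    for d in devices:
        if d["class_code"] >> 16 != PCI_CLASS_NETWORK:
            continue
        no_driver = re.fullmatch(r"none\d+", d["name"]) is not None
        nics.append({"name": d["name"], "selector": d["selector"],
                     "status": "no_driver" if no_driver else "attached",
                     "device": d["fields"].get("device", "(no description)")})
    return nics


def diagnose(text: str, expected_ports: int) -> dict:
    """Compare what the bus shows with the number of network ports you expect (existing
    NICs plus one per port of the new card). Ports counted in 'not_seen' never made it
    onto the bus, which points at the slot, the card or the hypervisor rather than a driver."""
    nics = classify_nics(parse_pciconf(text))
    return {
        "attached": [n["name"] for n in nics if n["status"] == "attached"],
        "no_driver": [f'{n["selector"]} ({n["device"]})' for n in nics if n["status"] == "no_driver"],
        "not_seen": max(0, expected_ports - len(nics)),
    }


if __name__ == "__main__":
    # On a real box: diagnose(subprocess.run(["pciconf", "-lv"], capture_output=True, text=True).stdout, 3)
    print(diagnose(SAMPLE_PCICONF, expected_ports=3))
```

With the sample, expecting three ports (the existing em0 plus a dual-port card) reports one attached NIC, one seen-but-driverless function and one port not seen at all, which is exactly the split between "try a different slot" and "find the driver".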

Re: [pfSense] Pftop confusion.

2014-09-24 Thread Espen Johansen
Run pftop in interactive mode (-i) then press capital K for who is peaking.
Or capital B for byte amount sorting. Or try capital R for instant speed
rate. See the man page for all options in interactive mode.

-lsf
On 24 Sep 2014 17:04, Muhammad Yousuf Khan sir...@gmail.com
wrote:

 Darkstat and bandwidthD are also showing per-IP total bandwidth use. What I
 want is live monitoring, not total bandwidth.
 I think pftop can help but I don't know how to understand the output. It is
 quite confusing.
 I even change the sorting type but it is not working as per the sort order
 shown,
 because when I sort by RATE or Speed it shows a suspected IP on the
 top, but when I close the download on that host/client it always shows on
 top.
 I need a tool like NTOP that works on the CLI and shows the same output as
 a Linux terminal console.

 Thanks,
 MYK


 On Wed, Sep 24, 2014 at 7:55 PM, Muhammad Yousuf Khan sir...@gmail.com
 wrote:

 Exactly, this is how I learned that my whole link is eaten by someone. Now I
 want to check which client is eating all the bandwidth.
 The traffic graph is showing whole link activity. What I want to find is
 which client IP is using most of it.

 Thanks,
 MYK


 On Wed, Sep 24, 2014 at 7:33 PM, Oliver Hansen oliver.han...@gmail.com
 wrote:

 Status -  Traffic Graph is where I usually look in the GUI.
 On Sep 24, 2014 7:25 AM, Muhammad Yousuf Khan sir...@gmail.com
 wrote:

 Hi guys, actually I want to check which IP is using most of the internet
 traffic. I find pftop a bit confusing; I tried changing sorting via o but
 it is still confusing me. Can you guys please guide me how I can view
 live monitoring? What I want to check is which host is eating up the
 whole bandwidth.

 Thanks,
 MYK

___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] Https blocking

2014-09-24 Thread Espen Johansen
Sorry. That just means you are incompetent at your job.
There is no way in h...l you can demand others to do your job. We are all
here for free. Buy a pfSense support agreement and pay for it!

People like you annoy me.

-lsf
On 24 Sep 2014 19:22, A Mohan Rao mohanra...@gmail.com wrote:

 Hello
 If you really are an expert then please resolve my problem. I have done all the
 things but still people can access blocked websites in pfSense.
  On Sep 24, 2014 9:50 PM, Ryan Coleman ryanjc...@me.com wrote:

  You've asked this question many times and we've given many options for
 resolving it but you keep coming back.

 https://duckduckgo.com/?q=blocking+torrents+in+pfsense
 https://duckduckgo.com/?q=blocking+facebook+in+pfsense
 https://doc.pfsense.org/index.php/Blocking_websites
 https://forum.pfsense.org/index.php?topic=36274.0

 A little web searching will go a long way.


 On 9/24/2014 11:10 AM, A Mohan Rao wrote:

 Actually, due to employees wasting time, management needs to block
 these sites. If you have any solutions please give them.
 I would really appreciate it.
 On Sep 24, 2014 9:00 PM, Ryan Coleman ryanjc...@me.com wrote:

  Block port 443 in the Firewall rules outbound - no need for a
 transparent proxy.

 That said - why do you need to block them? Because you're snooping 100%
 of the traffic to see what people are reading/sending?


 On 9/24/2014 10:16 AM, A Mohan Rao wrote:

 How can I completely and properly block https facebook, torrentz, exe
 download and proxy sites through a transparent proxy?

 Thanks
 Mohan


___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] Reports

2014-09-26 Thread Espen Johansen
You can install time based access control apps on most devices. Same goes
for time based rules. I use this for the kids.
On 26 Sep 2014 21:23, Brian Caouette bri...@dlois.com wrote:

 Is there a way to do a weekly report based on MAC address showing times
 used, total time and date for the period? Trying to prove a point how much
 the kids use and that they are still online after bedtime.

 Sent from my iPad
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] States Issue with Asterisk behind pfSense

2014-09-28 Thread Espen Johansen
If this is to be implemented it should be a tick box on each interface.
Dropping all states if you want to move a cable/reroute it is not a good
idea.
This needs to be user controllable or only affect the interface if
is_interface_type=pppoe.

Just my 2 cents.

-lsf
On 28 Sep 2014 19:19, Hannes Werner jgoe...@gmail.com wrote:

 I would like to repeat Vassilis questions:

 Has this been implemented? Could this be implemented? Do the pfsense
 dev's need some more info? Can we help with testing?

 On Sat, Sep 27, 2014 at 1:02 PM, Vassilis V. bigracc...@gmx.net wrote:
  ADSL over PPPoE with constant changing IPs is the standard in some
  countries, we do not have such connections because we chose them and we
  like the challenge..
 
  Reading again the whole bug report, there seem to be a lot of people
  affected by this and Tom De Coninck has made a lot of effort to figure
  out what might be the issue.
 
  In the last post of Tom, he comes to a very exact conclusion:
  I think this proves that pfsense not only needs to kill states on 'WAN
  DOWN' , but also on 'WAN UP'. I can't see how it could work otherwise
 
  Has this been implemented? Could this be implemented? Do the pfsense
  dev's need some more info? Can we help with testing?
 
  Vassilis
 
 
  Hannes Werner wrote on 26.09.2014 22:53:
  Thanks Vassilis,
 
  I've these settings already - without any success.
 
  On Fri, Sep 26, 2014 at 9:03 PM, Vassilis V. bigracc...@gmx.net
 wrote:
 
 
  Hannes Werner wrote on 26.09.2014 16:51:
  thank you very much Giles, but unfortunately it doesn't help.
 
  anyone here who is using asterisk behind pfSense on a dynamic IP WAN
  successfully?
 
 
  Hello Hannes!
 
  I have also used asterisk behind a dynamic PPPoE WAN. I had the exact
  same issues that the bug report is describing.
 
  I tried different ways to get it to work and I found that some solutions
  work with some providers, but fail at others. There seems to be a lot of
  black magic involved when configuring SIP to work in such a configuration :)
 
  What worked best was to set nat=no and externip=the local asterisk
 IP.
  I had also not done any port forwards whatsoever on pfsense,  outgoing
  NAT was set to automatic.
 
  I certainly cannot explain why it was working that way!
 
 
  Hope it helps!
  Vassilis
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread Espen Johansen
You might want to use Google instead of relying on others. Maybe try to do
your own homework?

https://www.google.no/url?sa=tsource=webrct=jei=faYpVJXTH6XGygP554LYBQurl=https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricata_Snorby_and_Barnyard2_set_up_guidecd=1ved=0CBwQFjAAusg=AFQjCNFUY-LZh__z8odZ4G5SwA3s1vGGIAsig2=HKTMIqME00rmj7mj-CHBrQ
On 29 Sep 2014 20:34, Roberto Carna robertocarn...@gmail.com
wrote:

 Dear Ivo and people, just three short questions:

 1) Using Suricata, can I enable the IPS mode as I can using Snort ???

 2) In IPS mode, do I have to have 3 interfaces in my server ???

 3) The only way to view the IPS blocking events is from into Pfsense
 or can I use Snorby ???

 Thanks again,

 Roberto

 Thanks again,

 Roberto



 2014-09-29 14:37 GMT-03:00 Ivo Tonev i...@tonev.pro.br:
  Use suricata
 
  On Sep 29, 2014 2:27 PM, Roberto Carna robertocarn...@gmail.com
 wrote:
 
  Dear, I need to know if it's possible to setup Pfsense with Snort to
  get an IPS (Intrusion Prevention System), and in this case what is the
  graphical interface used to view events and dropped traffic.
 
  Thanks a lot,
 
  Roberto
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread Espen Johansen
Depends on what you want. A split design is normally better and safer than
an all-in-one box. If you want suricata + snorby and barnyard it's not
recommended to run it all on pfSense. There are many deps that will cause
a security nightmare and you will probably run out of hw resources as well.

OK, thanks, the last please:

Do you recommend installing an IPS in a Virtual Machine like VMware
??? Because we have VMware for all our servers.

Regards,

2014-09-29 15:39 GMT-03:00 Anastasios Stefos anastasios.ste...@gmail.com:
 Roberto

 Here is a good place to start regarding Suricata or Snort.


http://www.linux.org/threads/suricata-the-snort-replacer-part-1-intro-install.4346/



 ---
 Anastasios Stefos
 ´αίέν άριστεύειν

 On Mon, Sep 29, 2014 at 2:34 PM, Roberto Carna robertocarn...@gmail.com
 wrote:

 Dear Ivo and people, just three short questions:

 1) Using Suricata, can I enable the IPS mode as I can using Snort ???

 2) In IPS mode, do I have to have 3 interfaces in my server ???

 3) The only way to view the IPS blocking events is from into Pfsense
 or can I use Snorby ???

 Thanks again,

 Roberto

 Thanks again,

 Roberto



 2014-09-29 14:37 GMT-03:00 Ivo Tonev i...@tonev.pro.br:
  Use suricata
 
  On Sep 29, 2014 2:27 PM, Roberto Carna robertocarn...@gmail.com
  wrote:
 
  Dear, I need to know if it's possible to setup Pfsense with Snort to
  get an IPS (Intrusion Prevention System), and in this case what is the
  graphical interface used to view events and dropped traffic.
 
  Thanks a lot,
 
  Roberto
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread Espen Johansen
Why bridge? Do you want to hide everything? It's not that hard to fingerprint
a pfS bridge. If you have practical reasons, sure, go ahead.
On 29 Sep 2014 21:28, Roberto Carna robertocarn...@gmail.com
wrote:

 Ok, and do you recommend to setup the Pfsense WAN and LAN interfaces
 in bridge mode with firewall rules enabled ???

 Really thanks,

 Roberto



___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread Espen Johansen
If all you want is an IPS then I don't understand what you need pfS for?
There are tons of setup guides for a Linux flavour of choice to get this
setup done. You can even build a hogwash-like setup if you like.
On 29 Sep 2014 21:38, Roberto Carna robertocarn...@gmail.com
wrote:

 Ivo, I want to locate the IPS between the router and the corporate
 firewall, so I think using bridge mode is correct???

 2014-09-29 16:34 GMT-03:00 Ivo Tonev i...@tonev.pro.br:
  I recomend to use in router mode.
 
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] Adding Ethernetports

2014-10-03 Thread Espen Johansen
Bridge to LAN.
On 3 Oct 2014 18:05, Brian Caouette bri...@dlois.com wrote:

  Just wanted to thank those of you who replied. Finally got the card
 noticed in pfSense. Had to use the add hardware feature on the VM. Now the
 problem is getting it to route traffic. I am able to ping the two ports
 from the pfSense diag menu but am not able to ping outside the network. I
 did create a rule to pass all traffic but still nothing. Is there something
 special I need to do to get the two new ports to work? Also is there a way
 to have the DHCP range the same as the LAN so that it works like a consumer
 off-the-shelf router? Basically additional ports in the same net range.

 On 9/19/2014 1:37 PM, Adam Thompson wrote:

 There's also the unofficial VMware ESXi white-box HCL, but it hasn't
 really been updated since v4.x.
 Agreed that if this is anything more than a test system, stick with the
 HCL and a support contract. Been there, done that, have the scars to prove
 it ...
 -Adam

 On September 19, 2014 12:18:31 PM CDT, Paul Beriswill
 paul.berisw...@pdfcomplete.com paul.berisw...@pdfcomplete.com wrote:

 I have had mixed results trying to find support for hardware that is not
 on the vmWare HCL and often spend way too much time hunting for solutions.
 You are *much* better off sticking with officially supported hardware.

 That being said, This link *may* have the drivers that you are looking
 for ...

 https://my.vmware.com/web/vmware/details?downloadGroup=DT-ESXI55-INTEL-IGB-42168productId=353

 Should probably take this to one of the vmware support groups.

 Paul

 On 09/19/2014 11:28 AM, Brian Caouette wrote:

 Yes VM. I do not see the card listed there either. I do not understand VM
 and all the plugs and drivers. Can you point me in the right direction?

 On 9/19/2014 11:17 AM, Paul Beriswill wrote:

 Your pfSense is running on a VM ... correct?

 Does vmware recognize the nic?  I know some versions of esx need custom
 drivers for even some Intel NICs.

 Paul
 On 09/19/2014 09:31 AM, Brian Caouette wrote:

 I added a dual port nic to my pfsense box and it doesn't show the
 additional ports.

 The new nic doesn't show anywhere. I am using a PowerEdge 2850 and an
 Intel Card. I am also using vmware on the machine.

 Any ideas what may be going on?


 --

 Paul Beriswill
  PDF Complete Inc | www.pdfcomplete.com
 550 Club Drive, Ste. 477 | Montgomery, TX 77316
 512.263.0868 x 707 direct | paul.berisw...@pdfcomplete.com


 --
 Sent from my Android device with K-9 Mail. Please excuse my brevity.


___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] Adding Ethernetports

2014-10-03 Thread Espen Johansen
pfSense > Interfaces > add bridge, and add LAN and your new interfaces to it.
You will then have multiple LAN interfaces acting the same as your LAN. Or
the same as a router with multiple LAN ports would.
On 3 Oct 2014 18:42, Brian Caouette bri...@dlois.com wrote:

  Where do I find that?
 Which of my issues does it solve?

 On 10/3/2014 12:08 PM, Espen Johansen wrote:

 Bridge to LAN.
 On 3 Oct 2014 at 18:05, Brian Caouette bri...@dlois.com wrote:

  Just wanted to thank those of you who replied. Finally got the card
 noticed in pfSense. Had to use the add hardware feature on the VM. Now the
 problem is getting it to route traffic. I am able to ping the two ports
 from the pfSense diag menu but am not able to ping outside the network. I
 did create a rule to pass all traffic but still nothing. Is there something
 special I need to do to get the two new ports to work? Also is there a way
 to have the DHCP range the same as the LAN so that it works like a consumer
 off-the-shelf router? Basically additional ports in the same net range.

 On 9/19/2014 1:37 PM, Adam Thompson wrote:

 There's also the unofficial VMware ESXi white-box HCL, but it hasn't
 really been updated since v4.x.
 Agreed that if this is anything more than a test system, stick with the
 HCL and a support contract. Been there, done that, have the scars to prove
 it ...
 -Adam

 On September 19, 2014 12:18:31 PM CDT, Paul Beriswill
 paul.berisw...@pdfcomplete.com paul.berisw...@pdfcomplete.com wrote:

 I have had mixed results trying to find support for hardware that is not
 on the vmWare HCL and often spend way too much time hunting for solutions.
 You are *much* better off sticking with officially supported hardware.

 That being said, This link *may* have the drivers that you are looking
 for ...

 https://my.vmware.com/web/vmware/details?downloadGroup=DT-ESXI55-INTEL-IGB-42168productId=353

 Should probably take this to one of the vmware support groups.

 Paul

 On 09/19/2014 11:28 AM, Brian Caouette wrote:

 Yes VM. I do not see the card listed there either. I do not understand
 VM and all the plugs and drivers. Can you point me in the right direction?

 On 9/19/2014 11:17 AM, Paul Beriswill wrote:

 Your pfSense is running on a VM ... correct?

 Does vmware recognize the NIC?  I know some versions of ESX need custom
 drivers for even some Intel NICs.

 Paul
 On 09/19/2014 09:31 AM, Brian Caouette wrote:

 I added a dual port nic to my pfsense box and it doesn't show the
 additional ports.

 The new nic doesn't show anywhere. I am using a PowerEdge 2850 and an
 Intel Card. I am also using vmware on the machine.

 Any ideas what may be going on?






















Re: [pfSense] pfsense crash dump

2014-10-13 Thread Espen Johansen
Is this a RAID?
Seen this on Dells with PERC/MegaRAID controllers when they run the
scheduled BBU test.
On 13 Oct 2014 at 18:44, Mark Loza ml...@morphlabs.com wrote:

  Hi, pfSense is running fine for now. Is there any pfSense package with
 which I can perform a live test on the drive?

 On 10/14/14 12:09 AM, Aaron C. de Bruyn wrote:

 To me, it looks like a disk issue:

  mfi0: 35354 (465709273s/0x0002/info) - Patrol Read corrected medium error on PD 02(e0x20/s2) at 1692f3e4
 mfi0: 35355 (465709275s/0x0002/info) - Unexpected sense: PD 02(e0x20/s2) Path 539358c92146, CDB: 2f 00 16 92 f3 e5 00 10 00 00, Sense: 1/00/00

  You might want to download something like The Ultimate Boot CD and use the 
 manufacturers test tools on your drive.

  -A


 On Sun, Oct 12, 2014 at 11:43 PM, Mark Loza ml...@morphlabs.com wrote:

 Hi,

 Does anyone happen to know what is behind this crash dump in pfSense
 (http://sprunge.us/CGDH)? Actually, this already happened twice: the
 first crash happened approximately 30 days ago and the second occurred
 yesterday. I suspect this might be a disk issue. Thanks in advance to those
 who would help me determine the real cause.












Re: [pfSense] pfsense crash dump

2014-10-15 Thread Espen Johansen
This can be several things. Bad controller/memory on the controller. Bad
BBU. Or simply bad drive(s).
Also check if this occurs when the controller performs BBU tests. (If the
BBU is bad then the controller switches to write-through mode and strange
things can happen.)

HTH.
On 13 Oct 2014 at 19:27, Mark Loza ml...@morphlabs.com wrote:

  Does this have something to do with a faulty PERC controller?

 On 10/14/14 1:29 AM, Mark Loza wrote:

 Yes, a hardware raid and pfsense is physically running on a Dell PE R515
 machine.

 On 10/14/14 12:49 AM, Espen Johansen wrote:

 Is this a RAID?
 Seen this on Dells with PERC/MegaRAID controllers when they run the
 scheduled BBU test.
 On 13 Oct 2014 at 18:44, Mark Loza ml...@morphlabs.com wrote:

  Hi, pfSense is running fine for now. Is there any pfSense package with
 which I can perform a live test on the drive?

 On 10/14/14 12:09 AM, Aaron C. de Bruyn wrote:

 To me, it looks like a disk issue:

  mfi0: 35354 (465709273s/0x0002/info) - Patrol Read corrected medium error on PD 02(e0x20/s2) at 1692f3e4
 mfi0: 35355 (465709275s/0x0002/info) - Unexpected sense: PD 02(e0x20/s2) Path 539358c92146, CDB: 2f 00 16 92 f3 e5 00 10 00 00, Sense: 1/00/00

 You might want to download something like The Ultimate Boot CD and use the 
 manufacturers test tools on your drive.

 -A


 On Sun, Oct 12, 2014 at 11:43 PM, Mark Loza ml...@morphlabs.com wrote:

 Hi,

 Does anyone happen to know what is behind this crash dump in pfSense
 (http://sprunge.us/CGDH)? Actually, this already happened twice: the
 first crash happened approximately 30 days ago and the second occurred
 yesterday. I suspect this might be a disk issue. Thanks in advance to those
 who would help me determine the real cause.


















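The thread above boils down to reading mfi(4) controller events and deciding whether the story is a dying disk or a BBU test that dropped the cache to write-through. Below is an added example, not code from the thread or from pfSense, that does that triage over log text. The first two SAMPLE_LOG lines are the ones Aaron quoted (rejoined onto single lines); the remaining lines are constructed to exercise the BBU and write-policy cases Espen raises. The keyword-to-category mapping is this script's heuristic, not a controller specification; the SCSI sense keys are the standard ones.

```python
"""Triage mfi(4)/MegaRAID controller events from a FreeBSD or pfSense log."""
import re
from collections import Counter

# Lines 1-2 from the thread; lines 3-6 constructed for this example.
SAMPLE_LOG = """\
mfi0: 35354 (465709273s/0x0002/info) - Patrol Read corrected medium error on PD 02(e0x20/s2) at 1692f3e4
mfi0: 35355 (465709275s/0x0002/info) - Unexpected sense: PD 02(e0x20/s2) Path 539358c92146, CDB: 2f 00 16 92 f3 e5 00 10 00 00, Sense: 1/00/00
mfi0: 35360 (465712800s/0x0008/info) - Battery relearn started
mfi0: 35361 (465712801s/0x0008/WARN) - BBU disabled; changing WB virtual disks to WT
mfi0: 35362 (465716400s/0x0001/info) - Patrol Read complete
mfi0: 35363 (465716500s/0x0002/info) - Unexpected sense: PD 02(e0x20/s2) Path 539358c92146, CDB: 28 00 01 00 00 00 00 01 00 00, Sense: 3/11/00
"""

LINE_RE = re.compile(
    r"^mfi\d+: (?P<seq>\d+) \((?P<ts>\d+)s/0x(?P<cls>[0-9a-fA-F]+)/(?P<sev>\w+)\) - (?P<text>.*)$"
)
PD_RE = re.compile(r"PD (\d+\(e0x[0-9a-fA-F]+/s\d+\))")
SENSE_RE = re.compile(r"Sense: ([0-9a-fA-F]+)/([0-9a-fA-F]+)/([0-9a-fA-F]+)")
# SCSI sense keys: what the drive itself reported back to the controller.
SENSE_KEYS = {0x1: "RECOVERED ERROR", 0x3: "MEDIUM ERROR", 0x4: "HARDWARE ERROR"}


def parse_mfi_line(line):
    """One 'mfi0: <seq> (<ts>s/<class>/<severity>) - <text>' line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    text = m.group("text")
    low = text.lower()
    pd = PD_RE.search(text)
    sense = SENSE_RE.search(text)
    if "bbu" in low or "battery" in low:
        category = "bbu"
    elif "medium error" in low or "unexpected sense" in low:
        category = "disk"
    else:
        category = "other"
    return {
        "seq": int(m.group("seq")),
        "ts": int(m.group("ts")),
        "severity": m.group("sev"),
        "text": text,
        "pd": f"PD {pd.group(1)}" if pd else None,
        "sense_key": SENSE_KEYS.get(int(sense.group(1), 16), f"0x{sense.group(1)}") if sense else None,
        "category": category,
        # Controller fell back to write-through because the BBU went away.
        "write_through": " to wt" in low or "write through" in low,
    }


def triage(log_text):
    """Summarize per-drive error counts, BBU activity and a coarse verdict."""
    events = [e for e in map(parse_mfi_line, log_text.splitlines()) if e]
    disk = Counter(e["pd"] for e in events if e["category"] == "disk")
    unrecovered = sum(1 for e in events if e["sense_key"] == "MEDIUM ERROR")
    bbu = sum(1 for e in events if e["category"] == "bbu")
    write_through = any(e["write_through"] for e in events)
    if unrecovered or any(n >= 3 for n in disk.values()):
        verdict = "replace-drive"   # recurring corrected errors are a dying disk
    elif write_through:
        verdict = "check-bbu"       # cache policy changed under the OS: expect stalls
    elif disk:
        verdict = "watch"
    else:
        verdict = "clean"
    return {"disk_events": dict(disk), "unrecovered": unrecovered, "bbu_events": bbu,
            "write_through_fallback": write_through, "verdict": verdict}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Feed it the output of `grep mfi0 /var/log/system.log` (or the console log from the crash dump) and read the verdict together with the timestamps: disk events clustered around a BBU relearn point at the controller rather than the platter.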

Re: [pfSense] little problem with pfsense

2014-11-24 Thread Espen Johansen
Just a hunch. Did you by any chance drop udp port 137/138 traffic between
client and dhcp server? As in, is this traffic allowed? Try tcpdump and
check for requests from a problem machine. You might block something win7
has decided it needs. MS tends to have strange/unexpected needs ;)

-lsf

Hi Everyone,

This is the first time I write a message here and maybe this is not the
place; if I should write this in a forum, please let me know...

I am a very happy user of pfSense but right now I have a little problem, let
me explain:

I'm using the latest stable version.

I have the DHCP server enabled and some static leases for some of my hosts.
So far nothing special :)

There are different domains in this network so I have to set different DNS
servers and domain search suffixes.
My hosts are heterogeneous: there are Win7, Win8, Mac, smartphones, tablets...
When I create a lease reservation in the DHCP settings and the machine
connects, it obtains the right parameters, so everything is OK, but in fact
it's NOT :(

What happens (only for the Win7 hosts, the others are perfect; bad Win7, nasty
nasty) is that after a few seconds, and especially when you launch IE, Win7
seems to make some kind of new DHCP request although it already has its IP
address, and then it loses all its specific parameters (DNS servers, DNS
search suffix...); it only keeps its IP and GW address...

After a lot of searching I found it has to do with some kind of proxy search
that initiates a new, incomplete request, and when you add to your DHCP
options "252 \n", which basically says to Windows "stop asking, there is
no proxy, period!", Win7 keeps its good parameters but sometimes it loses
them again (I couldn't identify precisely when...)

The 252 option is a workaround, but the solution would be for dhcpd to give
the whole set of parameters every time it is asked to, no?

Is it a bug? Am I doing something wrong? Please, I really need help on this.

Best regards,

PS: Sorry for my English, I hope you'll understand me.

Jean-Laurent Ivars
Responsable Technique | Technical Manager
22, rue Robert - 13007 Marseille
Mobile: 06.52.60.86.47 - Tel: 09 84 56 64 30 - Fax: 09 89 56 64 30
Linkedin http://fr.linkedin.com/in/jlivars/  |  Viadeo
http://www.viadeo.com/fr/profile/jean-laurent.ivars  |  www.ipgenius.fr

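Both Espen's advice (tcpdump the problem machine) and Jean-Laurent's "252 \n" workaround come down to what is in the DHCP option block of the Windows re-request and of the server's answer. The following is an added example, not code from the thread, from pfSense or from ISC dhcpd, that builds and decodes such option blocks. The packets are constructed: a Windows-style DHCPINFORM whose parameter request list includes option 252 (the WPAD proxy-autodiscovery URL, a Windows convention rather than an IANA-assigned option), and two ACKs, one carrying the newline workaround. Only the options area is modelled, not the fixed BOOTP header; the domain name and addresses are sample values. One caveat worth keeping in mind when choosing the workaround: a client that gets no option 252 at all falls back to a DNS lookup for wpad.<domain>, which is why answering with an empty value is safer than not answering.

```python
"""Decode the DHCP option block of a client request and a server reply."""
import ipaddress

MAGIC = b"\x63\x82\x53\x63"   # DHCP magic cookie that starts the options area

OPT_NAMES = {1: "subnet_mask", 3: "router", 6: "dns_servers", 15: "domain_name",
             53: "message_type", 55: "param_request_list", 252: "wpad_url"}
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


def build_options(opts):
    """Serialize [(code, value_bytes), ...] as TLV options with cookie and END."""
    out = bytearray(MAGIC)
    for code, val in opts:
        if len(val) > 255:
            raise ValueError(f"option {code} too long for a single TLV")
        out += bytes([code, len(val)]) + val
    out += b"\xff"
    return bytes(out)


def parse_options(blob):
    """Walk the TLV list; stop at END (255), skip PAD (0), refuse truncated data."""
    if blob[:4] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 4
    while i < len(blob):
        code = blob[i]
        if code == 255:
            return opts
        if code == 0:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError(f"option {code} has no length byte")
        length = blob[i + 1]
        val = blob[i + 2:i + 2 + length]
        if len(val) != length:
            raise ValueError(f"option {code} truncated")
        opts[code] = val   # RFC 3396 long-option concatenation not handled here
        i += 2 + length
    raise ValueError("no END option")


def decode(opts):
    """Turn raw option bytes into readable values."""
    out = {}
    for code, val in opts.items():
        name = OPT_NAMES.get(code, f"opt{code}")
        if code in (3, 6):
            out[name] = [str(ipaddress.IPv4Address(val[j:j + 4])) for j in range(0, len(val), 4)]
        elif code == 1:
            out[name] = str(ipaddress.IPv4Address(val))
        elif code == 53:
            out[name] = MSG_TYPES.get(val[0], val[0])
        elif code == 55:
            out[name] = list(val)
        elif code in (15, 252):
            out[name] = val.decode("ascii", "replace")
        else:
            out[name] = val.hex()
    return out


def wpad_verdict(decoded):
    """How a WPAD client reads option 252 in this reply."""
    url = decoded.get("wpad_url")
    if url is None:
        return "absent"      # client moves on to the DNS wpad.<domain> lookup
    if url.strip() == "":
        return "disabled"    # the "252 \n" trick: answered, but nothing to fetch
    return "configured"


# Constructed exchange: the client asks for what it needs, including 252 ...
INFORM = build_options([(53, b"\x08"), (55, bytes([1, 3, 6, 15, 252]))])
# ... and two possible server answers.
ACK_FULL = build_options([
    (53, b"\x05"),
    (6, bytes([192, 168, 1, 1, 8, 8, 8, 8])),
    (15, b"tutu.local"),
    (252, b"\n"),
])
ACK_NO_252 = build_options([(53, b"\x05"), (6, bytes([192, 168, 1, 1]))])

if __name__ == "__main__":
    for label, pkt in (("INFORM", INFORM), ("ACK_FULL", ACK_FULL), ("ACK_NO_252", ACK_NO_252)):
        d = decode(parse_options(pkt))
        print(label, d, "->", wpad_verdict(d))
```

To apply it to the real traffic, capture with `tcpdump -ni <lan> -s0 -w dhcp.pcap port 67 or port 68` on the firewall and compare the decoded option 55 of the Win7 re-request with the options the server actually returns.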

Re: [pfSense] little problem with pfsense

2014-11-24 Thread Espen Johansen
Tcpdump and you will know the answer to that.
On 24 Nov 2014 at 13:35, Jean-Laurent Ivars jl.iv...@ipgenius.fr wrote:

 Well thank you for your answer, this is exactly the same result as when
 I set option 252 with null parameters in the DHCP
 (WindowsProxyAutodiscoveryDetection).

 But this is a workaround; the real question is why the DHCP server is not
 providing the right settings?



  On 24 Nov 2014 at 13:24, Doug Lytle supp...@drdos.info wrote:
 
   What happens (only for the Win7 hosts, the others are perfect; bad Win7,
  nasty nasty) is that after a few seconds, and especially when you launch IE,
  Win7 seems to make some kind of new DHCP request
 
   Just a hunch,
 
   On the Windows 7 machine, go into Control Panel => Internet Options =>
  Connections Tab => LAN Settings
 
   Uncheck 'Automatically Detect Settings'
 
  Doug



Re: [pfSense] little problem with pfsense

2014-11-24 Thread Espen Johansen
.tutu.local.49185: Flags [P.], ack 1133, win 356, length 139
 14:09:44.502338 IP IPG1.tutu.local.49185 > par03s14-in-f23.1e100.net.https: Flags [.], ack 5030, win 32614, length 0
 14:09:44.624278 IP IPG1.tutu.local.49184 > par03s14-in-f23.1e100.net.https: Flags [R.], seq 5252, ack 40591, win 0, length 0
 14:09:44.625506 IP IPG1.tutu.local.49185 > par03s14-in-f23.1e100.net.https: Flags [P.], ack 5030, win 32614, length 849
 14:09:44.676831 IP par03s14-in-f23.1e100.net.https > IPG1.tutu.local.49185: Flags [.], ack 1982, win 370, length 0
 14:09:44.704497 IP par03s14-in-f23.1e100.net.https > IPG1.tutu.local.49185: Flags [P.], ack 1982, win 370, length 1416
 14:09:44.704534 IP par03s14-in-f23.1e100.net.https > IPG1.tutu.local.49185: Flags [P.], ack 1982, win 370, length 234
 14:09:44.704679 IP IPG1.tutu.local.49185 > par03s14-in-f23.1e100.net.https: Flags [.], ack 6680, win 32890, length 0
 14:09:45.126141 IP par03s14-in-f23.1e100.net.https > IPG1.tutu.local.49185: Flags [P.], ack 1982, win 370, length 1416
 14:09:45.126177 IP par03s14-in-f23.1e100.net.https > IPG1.tutu.local.49185: Flags [.], ack 1982, win 370, length 1430
 14:09:45.126229 IP par03s14-in-f23.1e100.net.https > IPG1.tutu.local.49185: Flags [P.], ack 1982, win 370, length 1402
 14:09:45.126254 IP par03s14-in-f23.1e100.net.https > IPG1.tutu.local.49185: Flags [.], ack 1982, win 370, length 1430
 14:09:45.126280 IP par03s14-in-f23.1e100.net.https > IPG1.tutu.local.49185: Flags [.], ack 1982, win 370, length 1430
 14:09:45.126314 IP par03s14-in-f23.1e100.net.https > IPG1.tutu.local.49185: Flags [P.], ack 1982, win 370, length 1388
 14:09:45.126341 IP par03s14-in-f23.1e100.net.https > IPG1.tutu.local.49185: Flags [P.], ack 1982, win 370, length 396
 14:09:45.126445 IP IPG1.tutu.local.49185 > par03s14-in-f23.1e100.net.https: Flags [.], ack 9526, win 32890, length 0
 14:09:45.126485 IP IPG1.tutu.local.49185 > par03s14-in-f23.1e100.net.https: Flags [.], ack 10928, win 32539, length 0
 14:09:45.126536 IP IPG1.tutu.local.49185 > par03s14-in-f23.1e100.net.https: Flags [.], ack 13788, win 32890, length 0
 14:09:45.126591 IP IPG1.tutu.local.49185 > par03s14-in-f23.1e100.net.https: Flags [.], ack 15176, win 32543, length 0
 14:09:45.126636 IP IPG1.tutu.local.49185 > par03s14-in-f23.1e100.net.https: Flags [.], ack 15572, win 32890, length 0
 14:09:45.137694 IP par03s14-in-f23.1e100.net.https > IPG1.tutu.local.49185: Flags [P.], ack 1982, win 370, length 1416
 14:09:45.137841 IP IPG1.tutu.local.49185 > par03s14-in-f23.1e100.net.https: Flags [.], ack 16988, win 32536, length 0
 14:09:45.138466 IP par03s14-in-f23.1e100.net.https > IPG1.tutu.local.49185: Flags [.], ack 1982, win 370, length 1430
 14:09:45.138508 IP par03s14-in-f23.1e100.net.https > IPG1.tutu.local.49185: Flags [P.], ack 1982, win 370, length 1275
 14:09:45.138614 IP IPG1.tutu.local.49185 > par03s14-in-f23.1e100.net.https: Flags [.], ack 19693, win 32890, length 0
 14:09:45.145145 IP par03s14-in-f23.1e100.net.https > IPG1.tutu.local.49185: Flags [P.], ack 1982, win 370, length 239
 14:09:45.145281 IP IPG1.tutu.local.49185 > par03s14-in-f23.1e100.net.https: Flags [.], ack 19932, win 32830, length 0
 14:09:45.212081 IP IPG1.tutu.local.49185 > par03s14-in-f23.1e100.net.https: Flags [P.], ack 19932, win 32830, length 1143
 14:09:45.224186 IP par03s14-in-f23.1e100.net.https > IPG1.tutu.local.49185: Flags [.], ack 3125, win 388, length 0
 ^C190 packets captured
 190 packets received by filter
 0 packets dropped by kernel


 On 24 Nov 2014 at 13:56, Espen Johansen pfse...@gmail.com wrote:

 Tcpdump and you will know the answer to that.
 On 24 Nov 2014 at 13:35, Jean-Laurent Ivars jl.iv...@ipgenius.fr wrote:

 Well thank you for your answer, this is exactly the same result as when
 I set option 252 with null parameters in the DHCP
 (WindowsProxyAutodiscoveryDetection).

 But this is a workaround; the real question is why the DHCP server is not
 providing the right settings?



  On 24 Nov 2014 at 13:24, Doug Lytle supp...@drdos.info wrote:
 
   What happens (only for the Win7 hosts, the others are perfect; bad Win7,
  nasty nasty) is that after a few seconds, and especially when you launch IE,
  Win7 seems to make some kind of new DHCP request
 
   Just a hunch,
 
   On the Windows 7 machine, go into Control Panel => Internet Options =>
  Connections Tab => LAN Settings
 
   Uncheck 'Automatically Detect Settings'
 
  Doug

Re: [pfSense] Gold hangout - what time?

2014-11-25 Thread Espen Johansen
It should be... I also had to think twice about it.
CMB, maybe you can note that for the future?
On 25 Nov 2014 at 17:16, Adam Thompson athom...@athompso.net wrote:

  On 14-11-25 10:14 AM, Espen Johansen wrote:

 https://blog.pfsense.org
 On 25 Nov 2014 at 17:11, Adam Thompson athom...@athompso.net wrote:

 I'm looking, but I can't find anywhere what *time* the Gold hangout is
 going to be (or was...) today.  Anyone know?


 Thanks.  I was expecting the time to be shown somewhere in the portal,
 like maybe along with the joining instructions or the date... *grumble*
 too many communications channels.

 --
 -Adam Thompson
  athom...@athompso.net



Re: [pfSense] Message could not be delivered

2015-01-26 Thread Espen Johansen
It's not from list. Sender is spoofed.

-lsf
On 26 Jan 2015 at 10:28, Geoff Jankowski geoff.jankow...@me.com wrote:

 Am I the only person to receive this?

 It contains a .scr file which would not do anything to me but will to any
 gamers out there.

 I hope the list's address has not been compromised for other scammers to
 use.


 --
 *Geoff *
 +44 20 7100 1092
 +44 7770 58 48 38
 +33 5 46 97 13 89
 +33 6 22 93 00 53
 --

 On 26 Jan 2015, at 03:41, Bounced mail mailer-dae...@lists.pfsense.org
 wrote:

 Dear user of lists.pfsense.org,

 We have detected that your e-mail account has been used to send a large
 amount of spam during this week.
 Obviously, your computer was compromised and now contains a trojan proxy
 server.

 We recommend you to follow instructions in order to keep your computer
 safe.

 Sincerely yours,
 lists.pfsense.org technical support team.

 letter.zip
 ___
 pfSense mailing list
 https://lists.pfsense.org/mailman/listinfo/list
 Support the project with Gold! https://pfsense.org/gold



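Espen's one-line diagnosis (the From is forged, the list itself sent nothing) and Geoff's observation (a .scr inside letter.zip) are the two checks a mail filter would automate. Below is an added example, not code from the thread or from the list software, that runs both over a message. The message is constructed to resemble the lure described above: the From claims the list's mailer-daemon, the envelope sender and the one Received hop point elsewhere (RFC 5737 documentation addresses and example.net are used), and the zip contains inert text named letter.scr. It does no SPF or DKIM verification; those would be the next step on a real MTA.

```python
"""Triage a forged "bounce" that carries a zipped .scr attachment."""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

LIST_DOMAIN = "lists.pfsense.org"
# Extensions Windows executes on double-click; .scr is a screensaver PE file.
EXEC_EXT = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".lnk"}


def build_sample_message():
    """Constructed lookalike of the lure; returns raw RFC 5322 bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("letter.scr", "not a real screensaver, just sample text")
    msg = EmailMessage()
    msg["Return-Path"] = "<bounce@example.net>"
    msg["Received"] = ("from unknown (HELO mail.example.net) [203.0.113.5] "
                       "by mx.example.org; Mon, 26 Jan 2015 03:41:00 +0000")
    msg["From"] = "Bounced mail <mailer-daemon@lists.pfsense.org>"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Message could not be delivered"
    msg.set_content("We have detected that your e-mail account has been used "
                    "to send a large amount of spam during this week.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="letter.zip")
    return msg.as_bytes()


def parse(raw):
    return BytesParser(policy=policy.default).parsebytes(raw)


def domain_of(addr):
    return parseaddr(str(addr))[1].rpartition("@")[2].lower()


def header_findings(msg):
    """Cheap sender-consistency checks; SPF/DKIM would be added on a real MTA."""
    findings = []
    from_dom = domain_of(msg["From"] or "")
    rp_dom = domain_of(msg["Return-Path"] or "")
    if rp_dom and rp_dom != from_dom:
        findings.append(f"envelope sender domain {rp_dom} != From domain {from_dom}")
    received = [str(r) for r in (msg.get_all("Received") or [])]
    if from_dom == LIST_DOMAIN and not any(LIST_DOMAIN in r for r in received):
        findings.append(f"From claims {LIST_DOMAIN} but no Received hop mentions it")
    return findings


def dangerous_attachments(msg):
    """List attachments, and zip members, whose extension Windows would execute."""
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        names = [name]
        payload = part.get_payload(decode=True) or b""
        if name.lower().endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as z:
                    names += [f"{name}:{member}" for member in z.namelist()]
            except zipfile.BadZipFile:
                flagged.append(f"{name} (claims zip, not a valid archive)")
        for n in names:
            ext = "." + n.rsplit(".", 1)[-1].lower() if "." in n else ""
            if ext in EXEC_EXT:
                flagged.append(n)
    return flagged


if __name__ == "__main__":
    m = parse(build_sample_message())
    print(header_findings(m))
    print(dangerous_attachments(m))
```

Looking inside the archive matters: a filter that only checks the outer filename sees "letter.zip" and passes it.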

Re: [pfSense] Visual seperators?

2015-02-10 Thread Espen Johansen
A separator might make sense. But grouping and hiding rules is a bad idea
based on my experience.

A tree structure that is always collapsed is annoying when you need an
overview of all rules.
And defaulting to an expanded look will just act as a separator.
IMHO interface tabs act as enough grouping. And a separator line on
floating rules might make sense in some cases.
If one would implement a rule type called separator, it could be
highlighted in the view based on its type. I believe that all rules
affecting an interface should be seen in plain view. To me this smells like
you wish for over-engineering.

Just my 2cents.
On 10 Feb 2015 at 22:10, kpolb...@olberg.name wrote:


 On 02/10/2015 07:04 PM, Christoph Hanle wrote:

 On 10.02.2015 14:44, kpolb...@olberg.name wrote:

 Hi,

 Is there any possibility to create groups or otherwise have separators
 between rules on the firewall page? Basically what I'm trying to do is
 make it easier to see which rules are connected; it could be based on host
 or service. So it would be nice to have some sort of visual separator to
 create a group.

 Hi KP,
 I am doing this by creating disabled rules that have as description the
 description of the next rules. To differ from real disabled rules, a -
 at the end is helpful.

 Not the perfect separator, but a doable workaround.


 bye
 Christoph

  Hi,

 A bit disappointing, but at least I wasn't just blind :)

 What I was hoping for was like a horizontal separator across the whole
 table, maybe even a way of expanding / collapsing a group.

 -kp

Re: [pfSense] VIPs : CARP vs IP Alias

2015-03-09 Thread Espen Johansen
My bad. The IP can be in the same subnet as well as in a different subnet.
As far as a true alias goes, it is not implemented AFAIK. Try ifconfig in a
shell and see if your aliases are listed as IPs on the interface. If they
were, they would respond to ping, have a MAC derived from the main
interface, and the firewall itself would be able to use them.

https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses

Just try the ifconfig command and you will see what I mean. Forget what the
GUI says.

Brgds, Espen
On 9 Mar 2015 at 12:13, Brian Candler b.cand...@pobox.com wrote:

 I guess it's time for me to dig out the actual configurations to settle
 this.

 * the box with a proxy ARP VIP is running pfSense-2.0.1.  (OK, it's
 probably due an upgrade, but when things just work they tend to be left
 alone :-)

 The WAN address is x.x.x.x/6.28, and the proxy ARP virtual IP is
 x.x.x.7/32 (i.e. it *is* in the same subnet)

 * the box with an IP alias VIP is pfSense-2.1. (Also due an upgrade :-)

 It is actually part of a failover pair. The WAN addresses are
 y.y.y.{229,230}/28 and the WAN-CARP interface is y.y.y.228/28.
 The IP Alias interface is y.y.y.238/28 and attached to the WAN-CARP
 interface. I think I did it this way so that the alias moved with the CARP
 master.

 In both cases the alias is being used for NAT, and it's working fine, i.e.
 happily responding to ARP from upstream router.

 The thing to note about the configuration is that the Proxy ARP VIP has a
 /32 netmask (so it only responds to one address) and the IP Alias VIP has a
 /28 netmask (to match the subnet it is aliased on)

 Regards,

 Brian.


Re: [pfSense] VIPs : CARP vs IP Alias

2015-03-09 Thread Espen Johansen
Just noticed that 2.0 had this fixed. I read the link on my mobile and my
eyes hurt reading that table. It seems a proper alias is there and that
means proxy ARP should no longer be used, as it was done as a workaround for
the missing alias functionality.

Then I think Brian is right regarding the mac/arp timeout. And if so a
reboot of pfsense and router/modem should clear that up quickly. If the
modem is a true bridge then you might have to wait for the uplink router to
update its arp table. I have had issues with that in the past.

Brgds, Espen
On 9 Mar 2015 at 12:24, Espen Johansen pfse...@gmail.com wrote:

 My bad. The IP can be in the same subnet as well as in a different subnet.
 As far as a true alias goes it is not implemented afaik. Try ifconfig in a
 shell and see if your aliases are listed as ips on the interface. If they
 where they would respond to ping and have a derived mac from the main
 interface and the firewall itself would be able to use them.

 https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses

 Just try the ifconfig command and you will see what I mean. Forget what
 the GUI says.

 Brgds, Espen
 On 9 Mar 2015 at 12:13, Brian Candler b.cand...@pobox.com wrote:

 I guess it's time for me to dig out the actual configurations to settle
 this.

 * the box with a proxy ARP VIP is running pfSense-2.0.1.  (OK, it's
 probably due an upgrade, but when things just work they tend to be left
 alone :-)

 The WAN address is x.x.x.x/6.28, and the proxy ARP virtual IP is
 x.x.x.7/32 (i.e. it *is* in the same subnet)

 * the box with an IP alias VIP is pfSense-2.1. (Also due an upgrade :-)

 It is actually part of a failover pair. The WAN addresses are
 y.y.y.{229,230}/28 and the WAN-CARP interface is y.y.y.228/28.
 The IP Alias interface is y.y.y.238/28 and attached to the WAN-CARP
 interface. I think I did it this way so that the alias moved with the CARP
 master.

 In both cases the alias is being used for NAT, and it's working fine,
 i.e. happily responding to ARP from upstream router.

 The thing to note about the configuration is that the Proxy ARP VIP has a
 /32 netmask (so it only responds to one address) and the IP Alias VIP has a
 /28 netmask (to match the subnet it is aliased on)

 Regards,

 Brian.


Re: [pfSense] VIPs : CARP vs IP Alias

2015-03-09 Thread Espen Johansen
Brian, as a former pfSense dev (5 years) and a FreeBSD kernel/interface dev
for 15, I do know how it works. Alias IPs have worked at least since FreeBSD
4. But in pfSense it was apparently added in 2.0. As I said, I haven't
messed with interface aliases since 2007-ish. You still did not get what I
told you though. If ifconfig shows multiple IPs it is a true alias. If not
then they are something else.

Brgds, Espen
On 9 Mar 2015 at 12:51, Brian Candler b.cand...@pobox.com wrote:

 On 09/03/2015 11:24, Espen Johansen wrote:

 As far as a true alias goes, it is not implemented AFAIK. Try ifconfig in
 a shell and see if your aliases are listed as IPs on the interface.


 wan_vip102: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
 inet y.y.y.228 netmask 0xfffffff0
 inet y.y.y.238 netmask 0xfffffff0
 carp: MASTER vhid 102 advbase 1 advskew 0

 That's how FreeBSD works (i.e. ifconfig vm0 alias x.x.x.x/x). If you
 were expecting to see vm0:0, that's a Linux-ism.


Re: [pfSense] VIPs : CARP vs IP Alias

2015-03-09 Thread Espen Johansen
Actually you can't use proxy ARP as it has a limit affecting you. Proxy ARP
IPs can't be in the same subnet. Sorry. CARP is what you want/need. As for your
issue with not reaching the firewall when WAN is down, that is probably
something else.

What you really want is an alias IP on the interface, and pfSense does not
support this even if the underlying FreeBSD does. There were (are?)
reasons for this, but the last time I tried to implement that was in 2006/2007
so I don't recall why we decided not to implement it. There were several
reasons IIRC.

Brgds, Espen
On 9 Mar 2015 at 11:34, Matthias May matth...@may.nu wrote:

 On 09/03/15 11:23, Brian Candler wrote:

 On 09/03/2015 10:10, Bryan D. wrote:

 Nope, it's a fully functioning setup (has been, in this form, for a few
 years) ... just wanted to switch off CARP VIPs since I'm not using
 failover.  The only question is why won't IP Alias VIPs replace the CARP
 VIPs?

 If these extra addresses belong on the firewall's outside (WAN) subnet,
 then they need to respond to ARP.  As far as I can see, both Proxy ARP VIP
 and IP Alias VIP ought to work for this.

 I have one firewall with a similar setup here (extra public IP for
 inbound NAT), and it uses a Proxy ARP VIP. And I have another firewall
 which is using an IP Alias VIP, in this case attached to a WAN-CARP
 interface. Both are working.

 As long as all these NAT rules are attached to WAN interface, and your
 VIP is also attached to WAN interface, I can't see why it wouldn't work.
 As others have said - changing the type while the firewall is running might
 break things. Possibly deleting it and then re-adding it would be better,
 but that's only a guess. If minimising downtime is important then simulate
 the configuration in a virtual environment first.

 Regards,

 Brian.


 A CARP address has its own MAC. The IP alias shares the MAC of its
 parent interface.
 If you change this while running, your upstream routers/switches will have
 the wrong MAC address for your IP cached.
 Sending a GARP might help with this.
 Or simply wait for the caches to expire. (This can take a long time.)

 Best regards
 Matthias

Re: [pfSense] VIPs : CARP vs IP Alias

2015-03-09 Thread Espen Johansen
On 9 Mar 2015 at 11:52, Brian Candler b.cand...@pobox.com wrote:

 On 09/03/2015 10:47, Espen Johansen wrote:


 Actually you can't use proxy ARP as it has a limit affecting you.
Proxy ARP IPs can't be in the same subnet. Sorry.

 Are you sure? I have a pfsense box where it's working.

For 2.2 I'm not sure, but it used to be a limit AFAIK.



 What you really want is an alias IP on the interface, and pfSense does not
support this even if the underlying FreeBSD does.

 Are you sure? I have another pfsense box where that's working too.

Check ifconfig em0, or whatever your WAN interface is, from the diag or SSH
shell and see if the interface has all the alias IPs.

I'm pretty sure, yes. The whole reason for adding proxy ARP was that a normal
alias was hard to implement. IIRC one reason was that any change to an alias
would take down the WAN interface and all aliases during config commit.


 There were (are?) reasons for this, but the last time I tried to implement
that was in 2006/2007

 You don't think there's any possibility pfSense has changed or improved
since then?

I haven't read up on ifconfig in that regard for a long time, so maybe. I'm
not an active dev anymore so that is for Chris B or Ermal or others to
answer.


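Across the VIP threads the practical test is the one Espen repeats: read ifconfig and see which addresses really sit on the interface, and which ones are CARP. Matthias adds why it matters when switching VIP types: an IP alias answers ARP with the parent NIC's MAC, a CARP address with its own. The following is an added example, not code from the thread or from pfSense, that parses FreeBSD-style ifconfig output and classifies an address as primary, IP alias or CARP, deriving the CARP virtual MAC from the vhid (the standard 00:00:5e:00:01:<vhid> prefix shared with VRRP). SAMPLE is constructed in the shape of the output Brian pasted (a parent NIC with an extra inet plus a 2.1-era CARP pseudo-interface); the addresses and MAC are sample values.

```python
"""Classify the addresses an interface carries from FreeBSD ifconfig output."""
import re

# Constructed sample in the shape of pfSense 2.1-era ifconfig output.
SAMPLE = """\
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tether 00:1b:21:aa:bb:cc
\tinet 198.51.100.229 netmask 0xfffffff0 broadcast 198.51.100.239
\tinet 198.51.100.238 netmask 0xfffffff0 broadcast 198.51.100.239
\tinet6 fe80::21b:21ff:feaa:bbcc%em0 prefixlen 64 scopeid 0x1
wan_vip102: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
\tinet 198.51.100.228 netmask 0xfffffff0
\tcarp: MASTER vhid 102 advbase 1 advskew 0
"""

IFACE_RE = re.compile(r"^(\S+): flags=\d+<([^>]*)>")
INET_RE = re.compile(r"^\s+inet (\S+) netmask (0x[0-9a-fA-F]{8})")
ETHER_RE = re.compile(r"^\s+ether (\S+)")
CARP_RE = re.compile(r"^\s+carp: (\w+) vhid (\d+)")


def hexmask_to_prefix(hexmask):
    """0xfffffff0 -> 28; rejects non-contiguous masks."""
    m = int(hexmask, 16)
    ones = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous netmask {hexmask}")
    return ones


def parse_ifconfig(text):
    """Return {ifname: {flags, ether, inet: [(addr, prefix)], carp, mac}}."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            cur = {"flags": m.group(2).split(","), "ether": None,
                   "inet": [], "carp": None, "mac": None}
            ifaces[m.group(1)] = cur
            continue
        if cur is None:
            continue
        if (m := INET_RE.match(line)):
            cur["inet"].append((m.group(1), hexmask_to_prefix(m.group(2))))
        elif (m := ETHER_RE.match(line)):
            cur["ether"] = cur["mac"] = m.group(1)
        elif (m := CARP_RE.match(line)):
            vhid = int(m.group(2))
            cur["carp"] = {"state": m.group(1), "vhid": vhid}
            # CARP answers ARP for its address with the virtual MAC, not the NIC's.
            cur["mac"] = f"00:00:5e:00:01:{vhid:02x}"
    return ifaces


def classify_vip(ifaces, ip):
    """(ifname, 'primary'|'ip-alias'|'carp', mac seen by neighbours) or None."""
    for name, info in ifaces.items():
        addrs = [a for a, _ in info["inet"]]
        if ip not in addrs:
            continue
        if info["carp"]:
            return (name, "carp", info["mac"])
        kind = "ip-alias" if addrs.index(ip) > 0 else "primary"
        return (name, kind, info["mac"])
    return None


if __name__ == "__main__":
    ifs = parse_ifconfig(SAMPLE)
    for ip in ("198.51.100.229", "198.51.100.238", "198.51.100.228"):
        print(ip, classify_vip(ifs, ip))
```

Run it over `ifconfig -a` from the shell before and after changing a VIP's type: if the MAC in the result changes for the same address, upstream ARP caches hold the old one until they expire or a gratuitous ARP refreshes them, which is the symptom Matthias describes.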

Re: [pfSense] Have you set up a system with no default route?

2015-03-10 Thread Espen Johansen
Are you going to load a full internet BGP routing table? Is that why you do
not want a default? Remember that even if you have a default route, any
route that is more specific will take preference. I don't see the problem.
And if you want to prevent any unknown IP destination being routed to your
uplink providers, I guess you can set a default GW that is part of an
unrouted VLAN with a bogus IP. That way all unknown traffic is routed to an
unreachable destination.

HTH.

Brgds, Espen
On 10 Mar 2015 at 13:21, Shannon Gernyi shannon.ger...@xsv.com.au wrote:

 Hi Mark - this is exactly what I'm seeing - and it would be fine if there
 were a way to not set a static default.

 Unfortunately, when unchecking the Default gateway box in the system
 routing menu, this selection isn't honoured.

 Cheers,

 Shannon
 https://www.linkedin.com/in/shannongernyi

 --
 *From: *Mark Tinka mark.ti...@seacom.mu
 *To: *list@lists.pfsense.org
 *Sent: *Tuesday, 10 March, 2015 10:19:30 PM
 *Subject: *Re: [pfSense] Have you set up a system with no default route?



 On 10/Mar/15 10:21, Shannon Gernyi wrote:

 Hi Guys,

 First time poster to the list - I've spent some time searching without too
 much luck. Could be ambiguity in my search queries.

 I'm putting out some new firewalls shortly, and like many already in
 place, I'll be using openBGPd to interface with our provider.

 I'd like to also make use of BGP for internal failover to an alternate
 route, however, it's become evident that it's not within design to be able
 to have no default router selected as a static route. This is causing
 issues as we receive a default announcement from our providers, and I'd
 also like to use default announcements for alternate paths, etc, however
 openBGPd doesn't seem to want to override the already configured static
 route.

 Have you come up against this, and if so, what hackery did you do to work
 around it?


 I haven't used OpenBGPd, but in general routing, static routing trumps
 dynamic routing on a well-engineered platform. This could be what you're
 seeing.

 Mark.

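The two routing rules argued over in this thread, worked through as an added example that is not code from the list: a more specific route beats the default (Espen's point), an equal-length tie goes to the static route over the BGP-learned one (Mark's point, and why Shannon's BGP default never takes effect), and the blackhole-default workaround Espen describes. The addresses, the protocol preference values and the bogus 10.255.255.2 next hop are constructed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional

# Lower value wins a tie between routes of equal prefix length. Constructed to
# mirror the usual rule that a static route trumps a dynamically learned one.
PROTOCOL_PREFERENCE = {"connected": 0, "static": 1, "bgp": 20, "ospf": 110}


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    gateway: Optional[IPv4Address]   # None for a directly connected network
    protocol: str


class RoutingTable:
    def __init__(self) -> None:
        self.routes: List[Route] = []

    def add(self, prefix: str, gateway: Optional[str], protocol: str) -> None:
        self.routes.append(Route(IPv4Network(prefix),
                                 IPv4Address(gateway) if gateway else None,
                                 protocol))

    def lookup(self, destination: str) -> Optional[Route]:
        """Longest-prefix match; an equal-length tie goes to the preferred protocol."""
        dst = IPv4Address(destination)
        candidates = [r for r in self.routes if dst in r.prefix]
        if not candidates:
            return None
        return max(candidates, key=lambda r: (r.prefix.prefixlen,
                                              -PROTOCOL_PREFERENCE[r.protocol]))


def describe(rt: RoutingTable, destination: str) -> str:
    route = rt.lookup(destination)
    if route is None:
        return f"{destination}: no route"
    via = "directly connected" if route.gateway is None else f"via {route.gateway}"
    return f"{destination}: {route.prefix} {via} ({route.protocol})"


def build_sample_table() -> RoutingTable:
    """The situation in the thread: a static default that cannot be removed,
    plus a default and a more specific prefix learned from the provider over BGP.
    All addresses are constructed documentation-range values."""
    rt = RoutingTable()
    rt.add("203.0.113.0/24", None, "connected")        # transit net to the provider
    rt.add("0.0.0.0/0", "203.0.113.1", "static")        # the static default
    rt.add("0.0.0.0/0", "203.0.113.2", "bgp")           # default announced over BGP
    rt.add("198.51.100.0/24", "203.0.113.2", "bgp")    # a more specific BGP route
    return rt


def build_blackhole_table() -> RoutingTable:
    """Espen's workaround: the static default points at a bogus address on an
    unrouted VLAN, so anything without a better route goes nowhere instead of
    to the uplink. BGP-learned prefixes still win because they are more specific;
    note that the BGP-learned default is shadowed just like before."""
    rt = RoutingTable()
    rt.add("203.0.113.0/24", None, "connected")
    rt.add("10.255.255.0/30", None, "connected")        # unrouted VLAN, nothing answers there
    rt.add("0.0.0.0/0", "10.255.255.2", "static")       # bogus next hop (constructed)
    rt.add("0.0.0.0/0", "203.0.113.2", "bgp")
    rt.add("198.51.100.0/24", "203.0.113.2", "bgp")
    return rt


if __name__ == "__main__":
    for name, table in (("static default", build_sample_table()),
                        ("blackhole default", build_blackhole_table())):
        print(f"== {name} ==")
        for dst in ("198.51.100.7", "203.0.113.9", "192.0.2.9"):
            print(describe(table, dst))
```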

Re: [pfSense] VIPs : CARP vs IP Alias

2015-03-08 Thread Espen Johansen
I believe the key to this is proxy ARP.

Brgds, Espen
On 8 March 2015 at 23:50, Bryan D. pfse...@derman.com wrote:

 While we're on the topic, I have a functioning v2.2 setup that uses a /29
 set of static IPs:
 - 1 IP is the gateway address and 5 IPs are usable (quite common, I
 believe)
 - one of the usable IPs is assigned to the WAN interface
 - the other 4 usable IPs are assigned to VIPs
 - the WAN IP and VIPs have various port-forward and NAT rules associated
 with them
 - the WAN IP and 2 of the VIPs serve 3 different domains
   (e.g., web, email, VPN -- servers are behind the firewall on isolated
 LAN)
 - one of the other VIPs is used by mobile VPNs (IPsec and OpenVPN)

 All this works nicely ... as long as the VIPs are CARP VIPs.  However,
 since I'm not using any fail-over/redundancy, I don't think I should
 require CARP VIPs (and I suspect that using CARP VIPs is the reason that,
 when the cable modem goes down, I can't get at the pfSense webconfigurator
 until I unplug the WAN cable ... it's OK after I plug it back in, even if
 the cable modem is still down, but it does need to be unplugged???).

 My interpretation of the nice chart and notes on
 https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses
 leads me to believe that I can switch the CARP VIPs to be IP Alias VIPs.
 However, when I do that, the 2 servers for the 2 domains tied to the VIPs
 are no longer accessible from the Internet (but IIRC, the mobile VPNs still
 work).

 Can anyone suggest what it is that I don't understand (well, limited to
 this behavior, at least)?


Re: [pfSense] PF 2.15 Release (AMD64) Gateway Monitoring with OSPF

2015-03-07 Thread Espen Johansen
Based on what you described I'm pretty sure you missed the part that
pfSense does not support ECMP and thus will only accept a single default
kernel route. In other words it can't be done, and to be honest a single
pfSense receiving 2 default routes does not give you any redundancy except
2 interfaces. One of them needs to be the default box anyway and all you
can do is policy routing. I would remove OSPF between the front routers and
pfSense and set it up as load-balancing dual WAN. That is the only solution
that makes sense. The front routers need an interconnect so that they will
handle a gw failure, and OSPF itself would clear the routes in case of a WAN
failure after OSPF loses its neighbour. This will create failover and
redundancy on your WAN as well as the ability to policy route based on
cost. And you can enable gw monitoring if you do it this way. You will
of course need to static route the path to the monitoring IP on your front
routers so that each front router will always send it out on the correct
WAN.

Hth.

Brgds, Espen
On 8 March 2015 at 00:06, Espen Johansen pfse...@gmail.com wrote:

 Let me see if I understand this correctly. You have 2 WANs on your pfSense
 box. You get a single kernel route from OSPF?
 OSPF needs to export its learned routes. And since you export the default
 route to pfSense, the boxes in front actually do the route selection and
 pfSense only has a single route to one of the two boxes in front? You need
 a kernel with ECMP enabled (options RADIX_MPATH). I believe that your
 routers are actually doing the path selection and that of your two WANs
 only one is used.

 This might be completely wrong, but based on what little information you
 provided this sounds like the issue.

 Brgds, Espen
 On 7 March 2015 at 23:45, Espen Johansen pfse...@gmail.com wrote:

 I don't understand what you want to accomplish. And I don't think others do
 either. If you explain more maybe I can be of assistance :-)
 On 7 March 2015 at 21:25, Wade Blackwell wa...@bablam.com wrote:

 Anyone?
 Bueller?

 Wade Blackwell
 Solutions Architect
 (D) 805.457.8825
 (C) 805.400.8485
 (S) coc.wadeblackwell

 On 6 March 2015 at 10:44, Wade Blackwell wa...@bablam.com wrote:

 Good morning all,
 I currently have a PF VM being used as my core L3 device for a
 small site. No static routes being used, just OSPF. I have two devices in
 front of the core sending default-information originate with varying
 weights to prefer the faster connection, one for each carrier. I'd like to
 be able to add a gateway monitor, on the core, without a kernel route being
 installed, as it renders the OSPF routes useless. It appears that even if
 I uncheck "default" the kernel route still gets installed. Is this
 possible? Thanks.

  -W

 Wade Blackwell
 Solutions Architect
 (D) 805.457.8825
 (C) 805.400.8485
 (S) coc.wadeblackwell




Re: [pfSense] msk or em Legacy?

2015-02-22 Thread Espen Johansen
Intel em is normally what I prefer. Whether it's old or not does not matter that
much.

Just my 2 cents.
On 22 Feb 2015 at 00:17, Joe Laffey j...@laffey.tv wrote:

 Hi,

 Which would you favor: the msk driver with some on-board Marvell controllers
 (P6T Deluxe) or the em driver with a Legacy 10.4 Intel card? This is what
 it says in dmesg... Legacy

 Thanks!




 --
 Joe Laffey
 The Stable
 Visual Effects
 http://TheStable.tv/?e37579M/

Re: [pfSense] best way to change WAN interface after migration

2015-04-11 Thread Espen Johansen
In the past I have edited a config backup and restored it. Maybe there are
better ways, but find and replace in an editor does the trick :-)

Brgds, Espen
On 11 Apr 2015 at 20:46, Martin Fuchs mar...@fuchs-kiel.de wrote:

 Hi !



 Does anyone have any experience with changing WAN-interfaces ?



 We migrated our CARP cluster from one provider to another.

 On em1 we have provider-old and

 On em7 we have provider-new.



 The old provider will switch off his connection soon.



 We changed the gateways and everything, but whether it is a cosmetic issue
 or not, how can I change the WAN interface (as set up in the console) from
 em1 to em7 without losing any config?



 Can I use the console to change it without any harm? What will happen to the
 attached rules?



 Regards,

 martin





Re: [pfSense] Using on Fiber

2015-06-05 Thread Espen Johansen
Any chance you have set something in the shaper that causes it?

On Fri 5 June 2015 at 17:43, Ryan Coleman ryan.cole...@cwis.biz wrote:


  On Jun 5, 2015, at 10:12 AM, Brennan H. McNenly 
 bmcne...@singularisit.com wrote:
 
 
  And those of you with VMware experience… if I run the virtual firewall
 I would need to have at least a VMware Essentials license to come close to
 the throughput, right? Since the IOps are capped at something like 10MB/sec
 in the free version.
 
  There are no IOP or throughput limits on the free version of the ESXi
 hypervisor.  The VMWare Essentials license gets you vSphere which can be
 used to manage up to three ESXi hosts.  This also lets you setup an HA
 cluster with those hosts.
 
  Otherwise you can run ESXi stand alone for free without vSphere and
 without any performance limits.

 Hmm. I wonder why my file transfers never exceed 10MB/sec then… I’ve been
 trying to migrate many TB of data via SCP to the datastore but I also have
 similar caps when doing FTP over the LAN to a server.

 If there’s someone here that would be interested in giving me a hand with
 this off list I’d be most appreciative. Moving 13TB of data at 10MB/sec has
 been very challenging.

Re: [pfSense] Documentation about Firewall Lookup Process, State Table, Firewall Rules Table

2015-06-03 Thread Espen Johansen
Don't double post please.

Brgds, Espen
On 3 June 2015 at 15:00, Lukas Hubschmid lukas.hubsch...@pop.agri.ch wrote:

 Hello everybody,

 Is there any documentation about:

  * the process how the pfSense firewall handles packets (lookup in firewall
rules, lookup in state table, add new state, ...) e.g. a flow chart
  * how the firewall rules are being (data structure)
  * how the connection states are being (data structure)

 Any hints are greatly appreciated!

 KR,
 Lukas



Re: [pfSense] Documentation about Firewall Lookup Process, State Table, Firewall Rules Table

2015-06-03 Thread Espen Johansen
pfSense is based on OpenBSD's PF (Packet Filter) and runs FreeBSD as its base OS.
That should give you enough to Google how it works. Also remember that this
is open source and everything is freely available. The source code tells you
everything there is to know ;-)

Good luck :-)

On Wed 3 June 2015 at 14:33, Lukas Hubschmid (s)
lukas.hubsch...@students.fhnw.ch wrote:

 Hello everybody,

 Is there any documentation about:

   * the process how the pfSense firewall handles packets (lookup in firewall
 rules, lookup in state table, add new state, ...) e.g. a flow chart
   * how the firewall rules are being (data structure)
   * how the connection states are being (data structure)

 Any hints are greatly appreciated!

 KR,
 Lukas


Re: [pfSense] reverse proxy situation

2015-05-31 Thread Espen Johansen
Exclude varnish, it's primarily made for frontend LB proxy.

On Sun 31 May 2015 at 15:32, Adam Thompson athom...@athompso.net wrote:

 Oh, shoot, that's a good point - I probably do need SNI support for SSL.
 I may be able to get a wildcard cert, but that will be an issue one way or
 another.

 Varnish doesn't support SSL at all, although I could theoretically do it
 with stunnel and a wildcard cert.
 Squid does support SSL, but appears to require a wildcard cert.
 Squid3 *may* support SNI, can't tell.
 Haproxy supports SNI; hopefully the pfSense package is new enough to
 include that.
 Apache supports SNI, supposedly.

 So I'm still left with an (overly, IMHO) large list.
 I could also just port-forward TCP/{80,443} to a host behind the firewall
 and do everything there, too.

 Argh, too many options, not enough clarity on which packages are supported
 vs. which ones are semi-orphaned.

 -Adam

 On May 30, 2015 11:12:01 PM CDT, Travis Hansen travisghan...@yahoo.com
 wrote:
 If you're looking for pure proxy frontend I'd stick with haproxy or
 apache (I use haproxy).
 haproxy provides load balancing and can do other things besides
 strictly http(s), such as pure TCP and transparent proxy stuff.
 Apache provides some things like mod_rewrite (I assume the pfsense
 build comes with that) etc that aren't easily done with haproxy.
 I could be wrong but if you're looking for SSL offloading (I ensure all
 traffic goes over SSL) varnish and squid would be out of the
 picture. Travis Hansen
 travisghan...@yahoo.com
 
 
 On Saturday, May 30, 2015 8:25 PM, Adam Thompson
 athom...@athompso.net wrote:
 
 
 I need to run a reverse proxy on a pfSense gateway - multiple websites,
 
 one public IP, the usual reason.
 However, I see there's a larger selection available than the last time
 I
 looked.
 
 It appears we now have:
 * Apache w/mod_security-dev v0.43 / 0.22
 * haproxy-1_5 v0.23
 * haproxy-devel v0.24
 * Proxy Server w/mod_security v0.1.7 / 0.22.999
 * squid
 * squid3
 * varnish3
 
 1. Have I missed any?
 2. Are Apache w/mod_security-dev and Proxy Server w/mod_security
 essentially the same thing?
 3. For relatively simple cases (straightforward hostname-to-internal-IP
 
 mapping), is there any compelling reason to use one over another on
 pfSense 2.2 today?  FWIW, this firewall is relatively underpowered
 (PowerEdge 1750, dual 2.4GHz P4-era Xeons).
 
 --
 -Adam Thompson
   athom...@athompso.net
   +1 (204) 291-7950 - cell
   +1 (204) 489-6515 - fax
 

 --
 Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: [pfSense] reverse proxy situation

2015-05-31 Thread Espen Johansen
Actually, are you looking for a reverse proxy or a user proxy? I'm confused
after reading your mail a few times.

Brgds, Espen
On 31 May 2015 at 15:35, Espen Johansen pfse...@gmail.com wrote:

 Exclude varnish, it's primarily made for frontend LB proxy.

 On Sun 31 May 2015 at 15:32, Adam Thompson athom...@athompso.net wrote:

 Oh, shoot, that's a good point - I probably do need SNI support for SSL.
 I may be able to get a wildcard cert, but that will be an issue one way or
 another.

 Varnish doesn't support SSL at all, although I could theoretically do it
 with stunnel and a wildcard cert.
 Squid does support SSL, but appears to require a wildcard cert.
 Squid3 *may* support SNI, can't tell.
 Haproxy supports SNI; hopefully the pfSense package is new enough to
 include that.
 Apache supports SNI, supposedly.

 So I'm still left with an (overly, IMHO) large list.
 I could also just port-forward TCP/{80,443} to a host behind the firewall
 and do everything there, too.

 Argh, too many options, not enough clarity on which packages are
 supported vs. which ones are semi-orphaned.

 -Adam

 On May 30, 2015 11:12:01 PM CDT, Travis Hansen travisghan...@yahoo.com
 wrote:
 If you're looking for pure proxy frontend I'd stick with haproxy or
 apache (I use haproxy).
 haproxy provides load balancing and can do other things besides
 strictly http(s), such as pure TCP and transparent proxy stuff.
 Apache provides some things like mod_rewrite (I assume the pfsense
 build comes with that) etc that aren't easily done with haproxy.
 I could be wrong but if you're looking for SSL offloading (I ensure all
 traffic goes over SSL) varnish and squid would be out of the
 picture. Travis Hansen
 travisghan...@yahoo.com
 
 
 On Saturday, May 30, 2015 8:25 PM, Adam Thompson
 athom...@athompso.net wrote:
 
 
 I need to run a reverse proxy on a pfSense gateway - multiple websites,
 
 one public IP, the usual reason.
 However, I see there's a larger selection available than the last time
 I
 looked.
 
 It appears we now have:
 * Apache w/mod_security-dev v0.43 / 0.22
 * haproxy-1_5 v0.23
 * haproxy-devel v0.24
 * Proxy Server w/mod_security v0.1.7 / 0.22.999
 * squid
 * squid3
 * varnish3
 
 1. Have I missed any?
 2. Are Apache w/mod_security-dev and Proxy Server w/mod_security
 essentially the same thing?
 3. For relatively simple cases (straightforward hostname-to-internal-IP
 
 mapping), is there any compelling reason to use one over another on
 pfSense 2.2 today?  FWIW, this firewall is relatively underpowered
 (PowerEdge 1750, dual 2.4GHz P4-era Xeons).
 
 --
 -Adam Thompson
   athom...@athompso.net
   +1 (204) 291-7950 - cell
   +1 (204) 489-6515 - fax
 

 --
 Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: [pfSense] Block Torrentz

2015-08-18 Thread Espen Johansen
Focus on layer 7. Most torrent clients use dynamic ports. And disable UPnP,
as that will defeat the port blocking as well.

-lsf

On Tue 18 Aug 2015 at 21:21, A Mohan Rao mohanra...@gmail.com wrote:

 Hello pfSense experts,

 I found out torrent ports like 6881-6889 etc.
 and created a firewall block rule with source LAN network and destination any
 with the torrent ports, but users can still download torrent data.
 Also I created a layer 7 BitTorrent rule in the traffic shaper, still without
 any positive result.
 Please guide me where I'm wrong or why my rules don't work...

 Thanks in advance.

 Mohan Rao


Re: [pfSense] Multi-Wan Setup, High Availability and Traffic Segmentation

2015-11-14 Thread Espen Johansen
VLANs? VLAN is L2, not L3. I have no idea what you are trying to do with
VLANs in the mix. Policy routing is easy and probably what you need.

-lsf

On Fri 13 Nov 2015 at 23:29, David White wrote:

> I have a unique scenario:
>
> The higher ups require a multi-wan high availability setup, but assuming
> both ISPs are working, some traffic is required to use 1 ISP and some
> traffic is required to use the other.
>
> I've read in some pfSense docs on how I can setup a high availability,
> multi-wan setup, but those docs say nothing about segmenting the traffic.
>
> My idea is to setup 2 VLANS, and route 1 VLAN out of 1 gateway and 1 VLAN
> out the other, but configure them so that if 1 ISP or the other ISP goes
> down, both VLANS will go out whichever ISP is working.
>
> Is this possible?
>
> --
> David White
> Founder & CEO
>
> *Develop CENTS *
> Computing, Equipping, Networking, Training & Supporting
> Organizations Worldwide
> http://developcents.com


Re: [pfSense] Hostname resolution of OpenVPN-connected clients

2015-11-14 Thread Espen Johansen
Based on your needs I think you should convert to L2TP.

https://doc.pfsense.org/index.php/L2TP/IPsec

-lsf

On Sat 14 Nov 2015 at 03:22, Vick Khera wrote:

> On Thu, Nov 12, 2015 at 5:20 AM, Marco  wrote:
>
> > > Setting up BIND 9 to manage a dynamic zone is not very difficult.
> >
> > Do I need an additional BIND instance besides the unbound that's
> > already running on the pfSense box?
> >
>
> unbound != bind. I do not know anything about setting up dynamic zones in
> unbound. i know how to do it in bind9.

Re: [pfSense] Hostname resolution of OpenVPN-connected clients

2015-11-11 Thread Espen Johansen
I think you have to set up a RADIUS server and assign IPs based on the user.
That way they will be "static", and then add DNS entries for that static IP.

My 2cents,
-lsf

On Wed 11 Nov 2015 at 15:47, Marco wrote:

> Hello,
>
> we have used pfSense for quite a while with success and are very happy overall.
>
> Recently we set up OpenVPN and are facing a DNS issue. Hosts in the LAN
> can be
> addressed using the hostname (thanks to “Register DHCP leases in the DNS
> Resolver”) which is working perfectly fine. Hosts on the OpenVPN network
> can
> also resolve hosts in the LAN. However, from the LAN the OpenVPN-connected
> hosts cannot be reached (only via IP address, not via hostname). Research
> shows¹ that VPN-connected clients don't register their hostnames in the DNS
> which is unfortunate and would probably solve the issue we face. The answer
> seems to be¹:
>
> > Would have to statically assign them via client overrides and manually
> add
> > to DNS forwarder for them to resolve.
>
> This would work for static hosts that are always on the VPN, but this
> wouldn't
> work for mobile hosts (e.g. employee's laptops) which have a different IP
> address, depending on whether they are connected to the LAN or connected
> via
> OpenVPN.
>
> How to access the mobile hosts via the same hostname regardless if
> they are connected to the LAN or VPN?
>
> Marco
>
> ¹ http://serverfault.com/a/361103/102215

Re: [pfSense] IPSec tunnel and routing on a CentOS 7 machine

2016-01-04 Thread Espen Johansen
The proper way to find out where it all goes wrong is tcpdump on the 192.x.x.x
network interface on both ends. Start at the pfSense and see if the packets
go through the tunnel as they should. Then check the return packets. You
need to tell your 192.x.x.x interface not to use your default gw. The CentOS
manual shows exactly how to do this with multiple interfaces.

-lsf

On Mon 4 Jan 2016 at 23:36, Decker, Ryan C. <rdec...@siena.edu> wrote:

> What do your iptables rules look like? I know you said you temporarily
> stopped firewalld but worth a look anyway.
>
> Run:
>
> iptables -nvL
> iptables -t nat -nvL
>
> then just for good measure:
>
> sysctl net.ipv4.ip_forward
>
> When it comes to firewalld I almost never run it on anything important. You
> can install a systemd unit file for iptables by installing
> iptables-services.
>
> Then after running:
> systemctl stop firewalld; systemctl disable firewalld; systemctl enable
> iptables; systemctl start iptables
>
> You can manage rules the old fashioned way by either editing
> /etc/sysconfig/iptables or by running iptables directly and using
> iptables-save > /etc/sysconfig/iptables.
>
> Ryan
>
> On Mon, Jan 4, 2016 at 3:42 PM, Espen Johansen <pfse...@gmail.com> wrote:
>
> > Try to add;
> > ip route add 192.168.1.0/24 via 192.168.1.1
> > and
> > ip route add 192.168.2.0/24 via 192.168.1.1
> >
> > -lsf
> >
> > On Mon 4 Jan 2016 at 21:08, Sébastien La Madeleine <
> > slamadele...@toolsoft.ca> wrote:
> >
> > > Hi Robert,
> > >
> > > I just tried the following advice and it did not improve my situation.
> > >
> > > Unless there is more to it than just changing those parameters...
> > >
> > > Thanks,
> > >
> > > Sébastien La Madeleine
> > > B.Sc., M.Sc. Informatique
> > > TooLSoft.ca
> > > 514-827-8665
> > >
> > > On 2016-01-04 2:43 PM, Robert wrote:
> > > > you need to enable ip forwarding in the kernel on cento to filter or
> > > use both interfaces.
> > > > http://centoshowtos.org/network-and-security/ip_forward/
> > > >
> > > >
> > > > Robert
> > > >
> > > >
> > > >
> > > >> On Jan 4, 2016, at 12:59 PM, Sébastien La Madeleine <
> > > slamadele...@toolsoft.ca> wrote:
> > > >>
> > > >> Hello, I've searched high and low to elucidate this one but so far
> > > nothing has clued me in the right direction so I'm turning to the
> > network
> > > experts herein.
> > > >>
> > > >> Let me give you a little bit of context and expose my problem.  Feel
> > > free to ask if more details are needed.
> > > >>
> > > >> I have 2 pfSense firewalls in 2 separate locations.
> > > >>
> > > >> Both access the internet directly.  An IPSec tunnel has been created
> > so
> > > that the services of both locations are accessible on both sides.
> > > >>
> > > >> I have multiple servers on both sides both Windows and Linux.
> > > >>
> > > >> Some servers have a single nic, others have 2 nics, one in the LAN
> and
> > > one on the WAN for direct service access purposes.
> > > >>
> > > >> Both ends are in separate subnets.
> > > >>
> > > >> Site A:
> > > >> 192.168.1.0/24
> > > >> pfSense 192.168.1.1
> > > >>
> > > >> Site B:
> > > >> 192.168.2.0/24
> > > >> pfSense 192.168.2.1
> > > >>
> > > >> The tunnel is up and running.  Since both sites are for the same
> > > project, both firewalls have a "pass all IPV4" in the IPSec rules.
> > > >>
> > > >> 192.168.1.2 (Windows server with single nic) can ping 192.168.2.2
> > > (Windows server with single nic) and vice-versa.
> > > >> 192.168.1.3 (Windows server with 2 nics) required a new route (route
> > > add -net 192.168.2.0/24 gw 192.168.1.1) to be able to ping 192.168.2.2
> > > and the ping works both ways.
> > > >>
> > > >> Here comes my problem.
> > > >> 192.168.1.4 is a CentOS 7 machine.  It has 2 nics, one on the LAN
> > > (192.168.1.4) and one on the WAN.  The default gateway for this machine
> > is
> > > obviously on the WAN side.
> > > >>
> > > >> Try as much as I can, I never managed to add a route that would
> allow
> > 

Re: [pfSense] Bug? Firewall disable no random connection drop, firewall enable random connection drop

2016-02-10 Thread Espen Johansen
Firewall disable = no state = asymmetric routing will not get return
packets dropped. Are your servers multihomed?

On Wed, Feb 10, 2016, 22:48 Romain Lapoux 
wrote:

> I do not agree, because how do you explain that all works correctly when I
> disable only the firewall feature in pfSense?
>
> Romain
>
> -Original Message-
> From: Chris Buechler [mailto:c...@pfsense.com]
> Sent: Wednesday, February 10, 2016 21:50
> To: romain.lap...@octopoos.com; pfSense Support and Discussion Mailing
> List 
> Subject: Re: [pfSense] Bug? Firewall disable no random connection drop,
> firewall enable random connection drop
>
> On Sun, Feb 7, 2016 at 12:24 PM, Romain Lapoux 
> wrote:
> > My last test in conservative optimization: if I upload files with 4
> parallel connections, it drops each in less than 10 seconds.
> > (And doesn't free them on the backend server, they stay ESTABLISHED in netstat.)
> >
>
> More than likely because one or more of the hosts involved are dual homed
> and you have asymmetric routing.
>
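Espen's explanation ("firewall disabled = no state = asymmetric return packets are not dropped") modelled as an added example in Python; it is not code from the thread and is a deliberately simplified pf-style state table, not pf's real state machine. A state is created when the firewall sees a SYN, counts as established only once it has also seen the peer's SYN-ACK and the following ACK, and a half-open state lives on a short "opening" timer while an established one lives on a long timer. The hosts, ports, the dual-homed backend's bypass path and both timeouts are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed timeouts in seconds, in the spirit of pf's short timer for a
# half-open state and its long timer for an established one.
TIMEOUT_OPENING = 30
TIMEOUT_ESTABLISHED = 86400

Key = Tuple[str, int, str, int]


@dataclass(frozen=True)
class Packet:
    t: float            # seconds since the start of the trace
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # "S", "SA", "A" or "PA"
    via_firewall: bool  # False: took the other path and never reached the firewall


@dataclass
class State:
    key: Key
    last_seen: float
    saw_synack: bool = False   # has the firewall seen the peer's side of the handshake?
    established: bool = False

    def timeout(self) -> int:
        return TIMEOUT_ESTABLISHED if self.established else TIMEOUT_OPENING


class StatefulFirewall:
    def __init__(self, filtering_enabled: bool = True) -> None:
        self.filtering_enabled = filtering_enabled
        self.states: Dict[Key, State] = {}

    def _find(self, pkt: Packet) -> Optional[State]:
        fwd: Key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev: Key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return self.states.get(fwd) or self.states.get(rev)

    def _expire(self, now: float) -> None:
        for key, st in list(self.states.items()):
            if now - st.last_seen > st.timeout():
                del self.states[key]

    def process(self, pkt: Packet) -> str:
        """Verdict, 'pass' or 'drop', for one packet that reaches the firewall."""
        if not self.filtering_enabled:
            return "pass"   # no state table at all: the box is just a router
        self._expire(pkt.t)
        st = self._find(pkt)
        if st is None:
            if pkt.flags == "S":   # only a SYN may create a state (a pass rule matched)
                key: Key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
                self.states[key] = State(key=key, last_seen=pkt.t)
                return "pass"
            return "drop"          # mid-stream packet with no state
        # A state exists. Packets are passed even if the peer's side was never
        # seen, but the state then stays on the short 'opening' timeout.
        if pkt.flags == "SA":
            st.saw_synack = True
        elif st.saw_synack and pkt.flags in ("A", "PA"):
            st.established = True
        st.last_seen = pkt.t
        return "pass"


def run_trace(fw: StatefulFirewall, trace: List[Packet]) -> List[str]:
    """Verdict per packet; packets that took the other path are 'bypassed'."""
    return [fw.process(p) if p.via_firewall else "bypassed" for p in trace]


def build_trace(symmetric: bool) -> List[Packet]:
    """Constructed upload from client 192.0.2.10 to backend 198.51.100.20:443.
    With symmetric=False the dual-homed backend replies over its second NIC,
    so the firewall only ever sees the client-to-server direction."""
    c, s = ("192.0.2.10", 40000), ("198.51.100.20", 443)

    def c2s(t: float, flags: str) -> Packet:
        return Packet(t, c[0], c[1], s[0], s[1], flags, True)

    def s2c(t: float, flags: str) -> Packet:
        return Packet(t, s[0], s[1], c[0], c[1], flags, symmetric)

    return [
        c2s(0.0, "S"), s2c(0.01, "SA"), c2s(0.02, "A"),   # handshake
        c2s(0.03, "PA"), s2c(0.04, "A"),                   # first chunk of data and its ack
        c2s(45.0, "PA"), s2c(45.01, "A"),                  # next chunk after a 45 s pause
    ]


if __name__ == "__main__":
    for label, enabled, symmetric in (("symmetric, filtering on", True, True),
                                      ("asymmetric, filtering on", True, False),
                                      ("asymmetric, filtering off", False, False)):
        print(label, run_trace(StatefulFirewall(enabled), build_trace(symmetric)))
```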


Re: [pfSense] WLAN reboot loop

2016-02-24 Thread Espen Johansen
Do not bridge and do not use same subnet. If you want lan and wlan to talk
add rules for the subnets to talk to each other.

On Wed, Feb 24, 2016, 19:12 Sean Pohl  wrote:

> The problem is an endless boot-loop on my pfSense installation after I
> made one
> change to the WLAN interface.
>
> I have an older x86 32 bit machine with three NICs:
>   1. On-board Ethernet
>   2. Ethernet card
>   3. WLAN 802.11g
>
> I was able to configure the WAN & LAN interfaces just fine.  When I
> enabled the
> WLAN interface and set about configuring and saving WLAN interface things
> went
> well until I set the WLAN as DHCP.  When I did and saved it then the
> monitor
> directly attached to the pfSense box filled completely with random
> characters
> and then it would reboot.  During the boot, it would come to the
> "configuring
> WLAN" and then the screen would fill with random characters and reboot
> again.
>
> I read about creating a bridge between a WLAN interface and a LAN
> interface.  I
> was able to do that successfully and was able to connect to the WLAN on
> the box
> but it never assigned me an IP address.  So, it wasn't until I changed the
> WLAN
> interface setting to DHCP that it would get into this loop.
>
> Should I just set that WLAN interface to be static and then give it a fixed
> address in the same subnet as the LAN that I trying to bridge to or
> something
> else?
>
> Any suggestions are greatly appreciated.
>
> Thanks.


Re: [pfSense] WLAN reboot loop

2016-02-24 Thread Espen Johansen
Remove the wlan card. Then remove the config. It sounds like you might have an
IRQ or other resource allocation problem. But without any more details it's
hard to say.

On Wed, Feb 24, 2016, 19:51 Sean Pohl <tuxthemagicpeng...@gmail.com> wrote:

> Ok. Thank you very much. Any advice on how to get it out of the endless
> boot loop? Or will my path of least resistance be to simply do a fresh
> install again? Many thanks.
> On Feb 24, 2016 12:26, "Espen Johansen" <pfse...@gmail.com> wrote:
>
> > Do not bridge and do not use same subnet. If you want lan and wlan to
> talk
> > add rules for the subnets to talk to each other.
> >
> > On Wed, Feb 24, 2016, 19:12 Sean Pohl <tuxthemagicpeng...@gmail.com>
> > wrote:
> >
> > > The problem is an endless boot-loop on my pfSense installation after I
> > > made one
> > > change to the WLAN interface.
> > >
> > > I have an older x86 32 bit machine with three NICs:
> > >   1. On-board Ethernet
> > >   2. Ethernet card
> > >   3. WLAN 802.11g
> > >
> > > I was able to configure the WAN & LAN interfaces just fine.  When I
> > > enabled the
> > > WLAN interface and set about configuring and saving WLAN interface
> things
> > > went
> > > well until I set the WLAN as DHCP.  When I did and saved it then the
> > > monitor
> > > directly attached to the pfSense box filled completely with random
> > > characters
> > > and then it would reboot.  During the boot, it would come to the
> > > "configuring
> > > WLAN" and then the screen would fill with random characters and reboot
> > > again.
> > >
> > > I read about creating a bridge between a WLAN interface and a LAN
> > > interface.  I
> > > was able to do that successfully and was able to connect to the WLAN on
> > > the box
> > > but it never assigned me an IP address.  So, it wasn't until I changed
> > the
> > > WLAN
> > > interface setting to DHCP that it would get into this loop.
> > >
> > > Should I just set that WLAN interface to be static and then give it a
> > fixed
> > > address in the same subnet as the LAN that I trying to bridge to or
> > > something
> > > else?
> > >
> > > Any suggestions are greatly appreciated.
> > >
> > > Thanks.


Re: [pfSense] WLAN reboot loop

2016-02-24 Thread Espen Johansen
Reboots usually happen when an irq and/or memory is shared.

On Wed, Feb 24, 2016, 20:17 Espen Johansen <pfse...@gmail.com> wrote:

> You might try to put the wlan card in another slot on the motherboard.
> Also use bios to disable stuff like sound card, unused usb ports, Lpt, com
> ports etc.
>
> On Wed, Feb 24, 2016, 20:15 Espen Johansen <pfse...@gmail.com> wrote:
>
>> Remove the wlan card. Then remove config. It sounds like you might have an
>> irq or other resource allocation problem. But without any more details it's
>> hard to say.


Re: [pfSense] WLAN reboot loop

2016-02-24 Thread Espen Johansen
You might try to put the wlan card in another slot on the motherboard. Also
use bios to disable stuff like sound card, unused usb ports, Lpt, com ports
etc.

On Wed, Feb 24, 2016, 20:15 Espen Johansen <pfse...@gmail.com> wrote:

> Remove the wlan card. Then remove config. It sounds like you might have an
> irq or other resource allocation problem. But without any more details it's
> hard to say.


Re: [pfSense] Intel Atom C2758 (Rangeley/Avoton) install/boot failure with pfSense 2.3.2

2017-01-26 Thread Espen Johansen
What do you mean by 12Mpps or 80% or 10GE? 12Mpps at 150 packet length is
13.4Gbps. At 1200 (good inet avg.) you should hit 107Gbps. Where does the
80% of 10GE come from?


On Thu, Jan 26, 2017, 07:04 Jim Thompson <j...@netgate.com> wrote:

It does not.

The c2758 SoC is interesting. 8 cores, and the on-die i354 is essentially a
block with 4 i350s on it.
These have 8 queues for each of rx and tx, so 16 each, for a total of 64
queues.

On the c2xxx series (and other) boxes we ship, we increase certain
tunables, because we know what we're installing onto, and can adjust that
factory load. pfSense CE does not have that luxury, it has to run on nearly
anything the community finds to run it on. Some of these systems have ...
constrained RAM.  While we test each release on every model we ship, such
testing takes place only for a handful of other configurations.

There is a decent explanation of some of the tunables here:
https://wiki.freebsd.org/NetworkPerformanceTuning

Incidentally, FreeBSD, and thus pfSense, can't take much advantage of those
multiqueue NICs, because the forwarding path doesn't have the architecture to
take advantage of them.  Our DPDK-based system can forward l3 frames at over 12Mpps
on this hardware (about 80% of line-rate on a 10g interface).
Neither pfSense nor FreeBSD (nor Linux) will do 1/10th of this rate.

Jim



Re: [pfSense] Intel Atom C2758 (Rangeley/Avoton) install/boot failure with pfSense 2.3.2

2017-01-26 Thread Espen Johansen
Are you saying worst case is 80%? It's not normal to have all minimum size
packets unless you are under ddos.
Default ethernet is 1526 (1530 with vlan) with a MTU 1500 on a layer 1
frame.
A layer 2 frame is 1518 (1522 with vlan).
If you want to include all layer headers then 1542 including vlan is the
correct number and that will allow a 1500 octet payload.

On Thu, Jan 26, 2017, 18:20 Jim Thompson  wrote:

>
>
> > On Jan 26, 2017, at 5:06 PM, rai...@ultra-secure.de wrote:
> >
> >
> > Hi, is this DPDK-based system commercially available?
> >
> >
> >
> > Rainer
>
> Still being developed.
>
> Jim


Re: [pfSense] Intel Atom C2758 (Rangeley/Avoton) install/boot failure with pfSense 2.3.2

2017-01-25 Thread Espen Johansen
It should autotune by default based on memory iirc.

On Wed, Jan 25, 2017, 23:27 Peder Rovelstad  wrote:

> FWiW - My nano (4 NICs, 1GB, Community), PuTTY says:
>
> kern.ipc.nmbufs: 131925
> kern.ipc.nmbclusters: 20612
>
> but nothing explicitly set on the tunables page, just whatever's built in.
>
> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Karl Fife
> Sent: Wednesday, January 25, 2017 4:02 PM
> To: pfSense Support and Discussion Mailing List 
> Subject: Re: [pfSense] Intel Atom C2758 (Rangeley/Avoton) install/boot
> failure with pfSense 2.3.2
>
> This is a good theory, because RRD data from 2.2.6 suggests that the
> difference in utilization between the versions is slight, and that we had
> 'barely' exhausted our system default allocation.
>
> Is there a difference between nano and full with respect to the installer
> explicitly setting tunables for kern.ipc.nmbclusters and kern.ipc.nmbuf?
> Vick Khera says he sees explicitly set tunables on his
> 2.3.2 system, yet my virgin installation of Nano pfSense 2.3.2 has no
> explicit declarations?
>
> Vick, is your Supermicro A1SRi-2758F running an installation that came from
> Netgate, or is it a community edition installation?  If the latter, Full or
> Nano?
>
>
> On 1/25/2017 3:49 PM, Jim Pingle wrote:
> > On 01/25/2017 01:10 PM, Karl Fife wrote:
> >> The piece that's still missing for me is that there must have been
> >> some change in default system setting for FreeBSD, or some other
> >> change between versions, because the system booted fine with pfSense
> >> v 2.2.6
> > Aside from what has already been suggested by others, it's possible
> > that the newer drivers from FreeBSD 10.3 in pfSense 2.3.x enabled
> > features on the NIC chipset that consumed more mbufs. For example, it
> > might be using more queues per NIC by default than it did previously.
> >
> > Jim
> >


Re: [pfSense] Intel Atom C2758 (Rangeley/Avoton) install/boot failure with pfSense 2.3.2

2017-01-27 Thread Espen Johansen
1200 was my average packet size when analyzed in Dataguard Core network (a
smb ISP here in .no). I'm sure others can find different averages. My point
is just that if you have normal traffic patterns, even at 600 you should
have no problem pushing 10GE. A MTU of 600 should give you about 53
gigabit/s if you are able to push 1200 pps with that payload. Your
statement of 80% is just confusing, that is all.

On Fri, Jan 27, 2017, 04:02 Jim Thompson <j...@netgate.com> wrote:

> On Thursday, January 26, 2017, Espen Johansen <pfse...@gmail.com> wrote:
>
> > Are you saying worst case is 80%? It's not normal to have all minimum size
> > packets unless you are under ddos.
> > Default ethernet is 1526 (1530 with vlan) with a MTU 1500 on a layer 1
> > frame.
> > A layer 2 frame is 1518 (1522 with vlan).
> > If you want to include all layer headers then 1542 including vlan is the
> > correct number and that will allow a 1500 octet payload.
>
>
> Yes, I know, but adding a vlan tag means the small frame size isn't
> "smallest". I was just throwing that in for comparison.
>
> Point is, on a 10g network, the maximum frame rate is 14.88 mpps.  This is
> the highest rate required by the network under any circumstance. It's also
> how you have to think about the problem if you're not going to engage in
> making excuses.
>
> If you still don't like it, consider that:
>
> - 40g Ethernet cards exist today, so being able to forward 256 byte packets
> at 40gbps will require the same 14.88 mpps rate,
> - nx25 is the future in the data center; vswitches and vrouters are a thing,
> and pfSense should be able to play in this market
> - 10g is starting to appear on lower-end hardware.
> - 10g switches are starting to hit $100/port
>
> And also that netgate has product coming in 2017 that folds multiple
> integrated switch ports into a single 2.5gbps or multiple 10gbps Ethernet
> uplink ports.
>
> Remember, we're doing this in software.  No ASICs required.  That 12mpps
> figure on an 8 core Rangeley includes 50 ACLs in the path.
>
> BTW, average frame size on the Internet is just under 600 bytes, btw. Not
> 1200 as you guessed.
>
> Jim


Re: [pfSense] Intel Atom C2758 (Rangeley/Avoton) install/boot failure with pfSense 2.3.2

2017-01-27 Thread Espen Johansen
I wrote MTU since you used it. What I am talking about are packet sizes. If
people building the internet knew what they were doing then a MTU of 1500 (L2)
or more would be mandatory. But because of old ATM stuff this isn't true
for all of the internet. When I say our average packet size was 1200 that has
nothing to do with MTU. We had a network with a minimum MTU of 1546 and a
minimum pps capability of 40Mpps.

What I'm saying is that your statement is confusing. You seem to suggest that
the platform can do a maximum of 80% of a 10GE interface. Reality is that it will
do a MINIMUM of 80% of a 10GE. And to top it all you can not calculate pps to
speed since a specification of 12Mpps does not tell you if a device can
handle it with any payload. Most of the time a pps to speed conversion will
be an approximation. A Cisco FWSM has a pps spec suggesting it can do full
backplane speed. Reality is that with 1400-1500 octets payload it is capable
of 5.5 gbits on a 6500/7600 platform. And pfSense has the same issues.
If you set up a Spirent TestCenter with proper tests you will see that
12Mpps is best case.

And please do not assume that I do not understand MTU. I know exactly how
MTU, PMTUD and friends work. MTU is different depending on what layer you
operate on. A Cisco switch with a system MTU of 1500 will transfer a packet
of 1522+1vlan. A system MTU of 1504 will allow a packet of 1526+1vlan=1530
(q-in-q).

On Fri, Jan 27, 2017, 13:22 Jim Thompson <j...@netgate.com> wrote:

> My point is just that if you have normal traffic patterns, even at 600
> you should have no problem pushing 10GE.   A MTU of 600 should give you
> about 53 gigabit/s if you are able to push 1200 pps with that payload.

An "MTU of 600" wouldn't allow IPv6 to pass over a link.  IPv6
requires that every link in the internet have an MTU of 1280 octets or
greater.  See RFC 2460, section 5.

MTU is *maximum transmission unit*, which is decidedly different than
minimum packet size, which is probably what you intended.

> Your statement of 80% is just confusing, that is all.

Your misunderstanding of the issues here is, unfortunately, quite
common.  Nearly all of the work in packet processing is per-packet,
rather than per bit.  The exceptions include VPN, where the encryption
overheads dominate, and DPI, where the payload must be inspected,
rather than merely passed along.

Jim


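The pps-versus-bandwidth arithmetic the two are arguing about, worked through as an added example (not code from the list or from pfSense). It assumes the standard 802.3 frame constants and the usual 20 bytes of per-frame wire overhead (preamble, SFD, inter-frame gap); the 12 Mpps and 10GE figures are the ones quoted above.

```python
"""Packet rate versus bit rate on Ethernet: the arithmetic behind the "80% of 10GE"
argument. Added example, not code from the list or from pfSense. Frame-size
constants are the standard IEEE 802.3 figures; the 20 bytes of per-frame wire
overhead is the standard figure used for line-rate pps calculations."""
import math

# On the wire every frame is preceded by a 7-byte preamble and 1-byte SFD and
# followed by a 12-byte inter-frame gap; none of that is part of the L2 frame.
WIRE_OVERHEAD = 7 + 1 + 12

ETH_HEADER = 14      # dst MAC + src MAC + EtherType
FCS = 4
VLAN_TAG = 4
MIN_PAYLOAD = 46     # pads an untagged frame up to the 64-byte minimum
MAX_PAYLOAD = 1500   # the usual MTU


def l2_frame_size(payload: int, vlan: bool = False) -> int:
    """L2 frame size in bytes for a payload of `payload` bytes (padded to the minimum)."""
    payload = max(payload, MIN_PAYLOAD)
    return ETH_HEADER + payload + FCS + (VLAN_TAG if vlan else 0)


def line_rate_pps(frame_bytes: int, link_bps: float = 10e9) -> float:
    """Most frames per second a link can carry when every frame is `frame_bytes` long."""
    return link_bps / ((frame_bytes + WIRE_OVERHEAD) * 8)


def throughput_bps(pps: float, frame_bytes: int) -> float:
    """L2 bit rate implied by forwarding `pps` frames/s of `frame_bytes` each
    (no wire overhead, i.e. roughly what an interface counter reports)."""
    return pps * frame_bytes * 8


def line_rate_fraction(pps: float, frame_bytes: int, link_bps: float = 10e9) -> float:
    """Share of the link's line rate a forwarder capable of `pps` achieves at this
    frame size; 1.0 once the link, not the forwarder, is the bottleneck."""
    return min(1.0, pps / line_rate_pps(frame_bytes, link_bps))


def saturating_frame_size(pps: float, link_bps: float = 10e9) -> int:
    """Smallest L2 frame size at which a forwarder capable of `pps` fills the link."""
    return math.ceil(link_bps / (pps * 8) - WIRE_OVERHEAD)


def profile(pps: float, link_bps: float = 10e9) -> list:
    """Rows of (frame_bytes, line-rate Mpps, fraction of line rate) for a forwarder
    capable of `pps`, across the frame sizes mentioned in the thread."""
    rows = []
    for frame in (64, 128, 256, 512, 600, 1200, l2_frame_size(MAX_PAYLOAD)):
        rows.append((frame,
                     round(line_rate_pps(frame, link_bps) / 1e6, 2),
                     round(line_rate_fraction(pps, frame, link_bps), 2)))
    return rows


if __name__ == "__main__":
    # The 12 Mpps figure: 80% of 10GE line rate only at 64-byte frames,
    # full line rate for anything from 85 bytes up.
    for frame, lr_mpps, frac in profile(12e6):
        print(f"{frame:5d}-byte frames: line rate {lr_mpps:6.2f} Mpps, "
              f"12 Mpps reaches {frac:.0%} of 10GE")
    print("12 Mpps saturates 10GE from", saturating_frame_size(12e6), "byte frames up")
```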

Re: [pfSense] Intel Atom C2758 (Rangeley/Avoton) install/boot failure with pfSense 2.3.2

2017-01-25 Thread Espen Johansen
Karl Fife: take a look at a config backup. I assume you at some point set
them manually?

On Wed, Jan 25, 2017, 21:42 Peder Rovelstad  wrote:

> There were changes in the defaults from FreeBSD 9 to 10.
>
> https://pleiades.ucsc.edu/hyades/FreeBSD_Network_Tuning
>
> Could that be it?  Old config overwriting new defaults?
>
> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Karl Fife
> Sent: Wednesday, January 25, 2017 12:11 PM
> To: ESF - Electric Sheep Fencing pfSense Support 
> Subject: [pfSense] Intel Atom C2758 (Rangeley/Avoton) install/boot failure
> with pfSense 2.3.2
>
> pfSense 2.2.6 was running without issue on our Supermicro A1SRi-2758F
> Rangeley board (Intel Atom C2758).
>
> When we upgraded to 2.3.2, the new system failed to boot due to having
> insufficient RAM allocated to network memory buffers.  We had to interrupt
> the boot process, increase the value of kern.ipc.nmbclusters (as per below),
> then complete the boot process long enough to set system tuneables (below)
> to allow subsequent startup.
>
> From what I've read online, the basic issue is that the combination of high
> CPU count, high NIC count, and the igb driver creates a (historically)
> atypical demand for network buffer RAM.  That is consistent with our fix.
>
> The piece that's still missing for me is that there must have been some
> change in default system settings for FreeBSD, or some other change between
> versions, because the system booted fine with pfSense v 2.2.6 without the
> need for any advanced system tuneables.  Unless there's something
> specific/quirky with our setup, it would seem sensible to me that for
> subsequent releases, there should be system defaults suitable for modern
> boards with resources like those found on boards like Rangeley.  I observe
> that many others have had this same issue, so I doubt that this is a case
> of our migrated settings preempting modern suitable defaults.
>
> Any thoughts?
>
> kern.ipc.nmbclusters = 295600
>   Increased to 8x observed MBUF usage. Default is too low for CVP Rangeley
>   board, causing boot failure.
> kern.ipc.nmbufs
>   Increased to 2x default value, ~2.2x observed usage (netstat -m). Default
>   is too low for CVP Rangeley board, causing lockups.
>
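A way to do the headroom check Karl describes (8x observed cluster usage, netstat -m as the source) before a box hits the boot failure, as an added example that is not code from the list or from pfSense. It assumes the line formats of FreeBSD's `netstat -m` summary; the sample output is constructed to resemble a 1 GB box close to exhausting the 20612-cluster default Peder quotes, not a real capture, and the 2x-observed rule for nmbufs is this example's simplification.

```python
"""Read mbuf/cluster usage from `netstat -m` and derive tunables the way the thread
does, with a RAM sanity check. Added example, not code from the list or pfSense.
Line formats are assumed to match FreeBSD's `netstat -m` summary lines."""
import re

# Constructed sample, shaped like FreeBSD `netstat -m`; every figure is invented.
SAMPLE_NETSTAT_M = """\
19342/2810/22152 mbufs in use (current/cache/total)
18980/1020/20000/20612 mbuf clusters in use (current/cache/total/max)
18976/1000 mbuf+clusters out of packet secondary zone in use (current/cache)
0/0/0/10306 4k (page size) jumbo clusters in use (current/cache/total/max)
0/0/0/3053 9k jumbo clusters in use (current/cache/total/max)
0/0/0/1717 16k jumbo clusters in use (current/cache/total/max)
43795K/2742K/46538K bytes allocated to network (current/cache/total)
0/0/0 requests for mbufs denied (mbufs/clusters/mbuf+clusters)
0/0/0 requests for mbufs delayed (mbufs/clusters/mbuf+clusters)
"""

MBUF_CLUSTER_BYTES = 2048      # size of a standard mbuf cluster on FreeBSD
LINES = {
    "mbufs": re.compile(r"^(\d+)/(\d+)/(\d+) mbufs in use"),
    "clusters": re.compile(r"^(\d+)/(\d+)/(\d+)/(\d+) mbuf clusters in use"),
    "denied": re.compile(r"^(\d+)/(\d+)/(\d+) requests for mbufs denied"),
}


def parse_netstat_m(text: str) -> dict:
    """Return {'mbufs': (current, cache, total), 'clusters': (current, cache, total, max),
    'denied': (mbufs, clusters, mbuf+clusters)} from netstat -m output."""
    stats = {}
    for line in text.splitlines():
        for name, pattern in LINES.items():
            m = pattern.match(line)
            if m:
                stats[name] = tuple(int(g) for g in m.groups())
    missing = set(LINES) - set(stats)
    if missing:
        raise ValueError(f"netstat -m output lacks lines for: {sorted(missing)}")
    return stats


def cluster_headroom(stats: dict) -> float:
    """Fraction of kern.ipc.nmbclusters not yet handed out (total includes the cache)."""
    _cur, _cache, total, maximum = stats["clusters"]
    return 1.0 - total / maximum


def cluster_memory_mb(nmbclusters: int) -> float:
    """Upper bound, in MiB, on what the cluster zone may consume at this limit
    (a zone limit, not an up-front allocation)."""
    return nmbclusters * MBUF_CLUSTER_BYTES / 2**20


def recommend_tunables(stats: dict, cluster_factor: int = 8, mbuf_factor: int = 2) -> dict:
    """Rule of thumb from the thread: nmbclusters = 8x observed cluster total.
    nmbufs = 2x observed mbuf total is this example's simplification of
    Karl's '2x default, ~2.2x observed'."""
    return {
        "kern.ipc.nmbclusters": cluster_factor * stats["clusters"][2],
        "kern.ipc.nmbufs": mbuf_factor * stats["mbufs"][2],
    }


def assess(stats: dict, ram_mb: int, min_headroom: float = 0.10) -> list:
    """Findings to act on: low headroom, denied requests, a limit too big for RAM."""
    findings = []
    headroom = cluster_headroom(stats)
    if headroom < min_headroom:
        findings.append(f"cluster headroom {headroom:.1%} is below {min_headroom:.0%}")
    if any(stats["denied"]):
        findings.append(f"mbuf requests already denied: {stats['denied']}")
    bound_mb = cluster_memory_mb(recommend_tunables(stats)["kern.ipc.nmbclusters"])
    if bound_mb > ram_mb / 2:
        findings.append(f"recommended nmbclusters could pin {bound_mb:.0f} MiB of {ram_mb} MiB")
    return findings


if __name__ == "__main__":
    stats = parse_netstat_m(SAMPLE_NETSTAT_M)
    print("clusters:", stats["clusters"], f"headroom {cluster_headroom(stats):.1%}")
    print("tunables:", recommend_tunables(stats))
    for finding in assess(stats, ram_mb=1024):
        print("WARNING:", finding)
```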


Re: [pfSense] Bridging to wireless interface issues (ping not working) on 2.3.2

2016-09-08 Thread Espen Johansen
Did you add a rule to allow ICMP on the wlan?

-lsf

On Thu, Sep 8, 2016, 15:58 Moshe Katz  wrote:

> Ray,
>
> Can you clarify which IP range is assigned where?
> We can make an educated guess based on the information you provided, but
> it's always better to have confirmation.
>
>
> Moshe
>
> --
> Moshe Katz
> -- mo...@ymkatz.net
> -- +1(301)867-3732
>
> On Thu, Sep 8, 2016 at 6:06 AM, Ray  wrote:
>
> > Hi,
> >
> > I'm running a few ALIX 2D13s with pfsense 2.3.2.
> >
> > All of them have a bridge configured which incorporates two of the
> > Ethernet interfaces and a Wireless interface (some Atheros card).
> >
> > Apart from that there is an OpenVPN client on each box to connect
> > satellite sites.
> >
> > There is something weird with the bridge which I would like to
> > understand:
> >
> > When I connect my laptop to one of the Ethernet ports, I get a correct IP
> > from the DHCP server on pfsense and can immediately ping all the other
> > machines at other sites. The Ping echo enters through the Ethernet
> > interface into the bridge, from there it's forwarded into the tunnel. The
> > echo reply comes back through the tunnel and from there via the
> > bridge/Ethernet interface to my laptop, all sweet and as expected:
> >
> > Here's a tcpdump (while connected via Ethernet) of three consecutive
> > pings (separated by empty lines) on the ovpnc1 interface:
> >
> > # tcpdump -n -i ovpnc1 icmp and host 192.168.10.236
> > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> > listening on ovpnc1, link-type NULL (BSD loopback), capture size 65535 bytes
> > 09:49:56.816755 IP 192.168.9.20 > 192.168.10.236: ICMP echo request, id 16470, seq 6, length 64
> > 09:49:56.917771 IP 192.168.10.236 > 192.168.9.20: ICMP echo reply, id 16470, seq 6, length 64
> >
> > 09:50:01.817050 IP 192.168.9.20 > 192.168.10.236: ICMP echo request, id 16470, seq 7, length 64
> > 09:50:01.949133 IP 192.168.10.236 > 192.168.9.20: ICMP echo reply, id 16470, seq 7, length 64
> >
> > 09:50:06.817352 IP 192.168.9.20 > 192.168.10.236: ICMP echo request, id 16470, seq 8, length 64
> > 09:50:06.951798 IP 192.168.10.236 > 192.168.9.20: ICMP echo reply, id 16470, seq 8, length 64
> >
> > ... works just as nice on the bridge0 interface:
> >
> > # tcpdump -n -i bridge0 icmp and host 192.168.10.236
> > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> > listening on bridge0, link-type EN10MB (Ethernet), capture size 65535 bytes
> > 09:51:11.820663 IP 192.168.9.20 > 192.168.10.236: ICMP echo request, id 16470, seq 21, length 64
> > 09:51:11.909411 IP 192.168.10.236 > 192.168.9.20: ICMP echo reply, id 16470, seq 21, length 64
> >
> > 09:51:16.820863 IP 192.168.9.20 > 192.168.10.236: ICMP echo request, id 16470, seq 22, length 64
> > 09:51:16.918607 IP 192.168.10.236 > 192.168.9.20: ICMP echo reply, id 16470, seq 22, length 64
> >
> > 09:51:21.821359 IP 192.168.9.20 > 192.168.10.236: ICMP echo request, id 16470, seq 23, length 64
> > 09:51:21.915379 IP 192.168.10.236 > 192.168.9.20: ICMP echo reply, id 16470, seq 23, length 64
> >
> >
> > When I change the laptop's connection from Ethernet to Wireless, however,
> > the same pings no longer work:
> >
> > ovpnc1 interface:
> >
> > # tcpdump -n -i ovpnc1 icmp and host 192.168.10.236
> > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> > listening on ovpnc1, link-type NULL (BSD loopback), capture size 65535 bytes
> > 09:54:58.725486 IP 192.168.9.25 > 192.168.10.236: ICMP echo request, id 20822, seq 14, length 64
> > 09:54:58.865643 IP 192.168.10.236 > 192.168.9.25: ICMP echo reply, id 20822, seq 14, length 64
> > 09:54:58.865735 IP 10.0.9.2 > 192.168.10.236: ICMP host 192.168.9.25 unreachable, length 36
> >
> > 09:55:03.726189 IP 192.168.9.25 > 192.168.10.236: ICMP echo request, id 20822, seq 15, length 64
> > 09:55:03.816001 IP 192.168.10.236 > 192.168.9.25: ICMP echo reply, id 20822, seq 15, length 64
> > 09:55:03.816097 IP 10.0.9.2 > 192.168.10.236: ICMP host 192.168.9.25 unreachable, length 36
> >
> > 09:55:08.726661 IP 192.168.9.25 > 192.168.10.236: ICMP echo request, id 20822, seq 16, length 64
> > 09:55:08.819202 IP 192.168.10.236 > 192.168.9.25: ICMP echo reply, id 20822, seq 16, length 64
> > 09:55:08.819296 IP 10.0.9.2 > 192.168.10.236: ICMP host 192.168.9.25 unreachable, length 36
> >
> > bridge0 interface:
> >
> > # tcpdump -n -i bridge0 icmp and host 192.168.10.236
> > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> > listening on bridge0, link-type EN10MB (Ethernet), capture size 65535 bytes
> > 09:53:53.716169 IP 192.168.9.25 > 192.168.10.236: ICMP echo request, id 20822, seq 1, length 64
> >
> > 09:53:58.716987 IP 192.168.9.25 > 192.168.10.236: ICMP echo request, id 20822, seq 2, length 64
> >
> > 09:54:03.717813 IP 192.168.9.25 > 

Re: [pfSense] 3 hard locks this week... any ideas?

2016-09-08 Thread Espen Johansen
Compdoc:
Your spinrite comments just show how dangerous some knowledge is without
proper understanding. Spinrite does indeed force SSDs to "fix" themselves
because it reads extensively (causes heat) and forces "half" working areas
to be marked bad. Most SSDs have minor defects from day one. Just like most
spinning drives have bad sectors marked when they arrive from the factory.
You can force the same result by reading all parts of an SSD drive
extensively. Spinrite does not per definition fix an SSD drive, but it does
make the firmware (software) in the drive detect read errors that might not
be relocated during normal operation. I have forced SSDs to fix themselves
since I got my first SSD more than 10 years ago. Often with the help of
Spinrite.

-lsf

On Thu, Sep 8, 2016, 22:29 Todd Russell  wrote:

> Final update on this issue. When I took it down, I pulled the drive and
> started a Level 2 SpinRite on it while I took out and reseated the RAM then
> ran memtest. I found no errors in either test, so I also took out the Intel
> 4 port gigabit card and reseated that, then put everything back together.
> It has been running for a week straight now with no hiccups of any kind, so
> either the SpinRite forced the drive to correct some read errors or
> removing and reseating the RAM got around some dust or oxidation on the
> contacts. It wouldn't be the first time reseating the RAM cleared otherwise
> unexplainable issues with a machine for me, so I will assume that was the
> case. I wish I'd had time to run the memtest before and after reseating the
> RAM but... AIN'T NOBODY GOT TIME FOR THAT!
>
> Thanks to all for the feedback last week.
>
>
> Peace,
> Todd Russell
> Director of IT and Webmaster
> Saint Joseph Abbey and Seminary College
> 985-867-2266
> 985-789-4319
>
> Please consider helping Saint Joseph Abbey and Seminary College recover
> from the devastating flood waters that overtook our campus on March 11,
> 2016.
> http://helptheabbey.com
>
> ---
>
> http://saintjosephabbey.com
>
> For IT Requests, please submit a ticket at:
>
> https://docs.google.com/forms/d/1e3PCRvnEVNU5-rVFolf9zivA9-m41Nj07eDjjCtFwpI/viewform?usp=send_form#start=invite
>
> On Thu, Sep 1, 2016 at 8:33 PM, compdoc  wrote:
>
> > > I'd suggest that before you slag programs, you not rely on old,
> > > outdated, biased information.
> >
> > Spinrite 6 is a twelve-year-old program that seemed cool back in the day, but
> > I would never recommend it to anyone now.
> >
> > Repairing computers for a living, I'm always on the lookout for useful
> > tools. I don't find Spinrite useful.
> >
> > I once watched spinrite work on a failing HDD for a day and a half, and
> > did nothing more than place additional wear on the drive. Does that make
> > me biased?
> >
> > Speaking of outdated... In 2013 Steve Gibson said he would finally update
> > it, but nothing so far?
> >
> > Here's an interesting quote:
> >
> > Gibson said that he could "see absolutely no possible benefit to running
> > SpinRite on a solid-state drive" and later "SpinRite is all about
> > mechanics and magnetics, neither of which exist, by design, in an SSD"
> >
> > And for your information, SMART records events. Some of those events will
> > happen under load, since that's the nature of mechanical drives.
> >
> > However, a bad sector is a bad sector and load or no, that does not
> > change. Once they start to fail you replace the HDD, not try to repair
> > it.
> >
> > Modern drives automatically reallocate sectors, meaning bad sectors are
> > replaced with spares. Not even spinrite can recover lost data from these
> > spare sectors that have never been used before.
> >
> > As for me, these days I install only SSDs in desktop systems that run
> > 24/7, and also use them as boot drives for servers. Over the years I have
> > had only one SSD fail, and it did show pending sectors in SMART.
> >
> > ___
> > pfSense mailing list
> > https://lists.pfsense.org/mailman/listinfo/list
> > Support the project with Gold! https://pfsense.org/gold
> >
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] 2 networks Cards, but OPT1 not acess internet.

2016-09-23 Thread Espen Johansen
And you need to add a NAT rule for the OPT1 network as well. Either that or
turn off NAT on pfSense and add routes on your router to all networks behind
your pfSense.

-lsf

On Fri, Sep 23, 2016, 21:48 Moshe Katz  wrote:

> You need to add a firewall rule on the OPT1 interface to allow outgoing
> traffic. The easiest way is to copy the outgoing rule from LAN to OPT1.
>
> If you do not want hosts on LAN and OPT1 to access each other, you will
> also need to add "DENY" rules to LAN and OPT1 that are above the default
> outgoing traffic rule on each interface.
>
>
> Moshe
>
> --
> Moshe Katz
> -- mo...@ymkatz.net
> -- +1(301)867-3732
>
> On Fri, Sep 23, 2016 at 2:03 PM, Rodrigo Cunha 
> wrote:
>
> > Hi list, I have a problem.
> > I made 2 networks with 2 different private IPs; I have three different
> > ethernet cards.
> > pfSense generated 3 names for these cards:
> > 1º WAN
> > 2º LAN
> > 3ª OPT
> > On WAN, I set up this card with IP 192.168.0.2/24, with my gateway IP
> > 192.168.0.1.
> > On my LAN I set up this card with IP 192.168.1.1/24
> > On my OPT1 I set up this card with IP 192.168.2.1/24
> > The problem:
> > My network card OPT1 cannot access the internet, but the LAN card by
> > default is the gateway of the network 192.168.1.0/24, while OPT1 is not a
> > gateway with internet access.
> > I think this is not an error, I think this is the default configuration.
> > Another detail: I don't have routing between 192.168.1.1/24 and
> > 192.168.2.1/24;
> > I have only internet access for these two networks. I just want hosts to
> > access their respective networks.
> >
> >
> >
> >
> > --
> > Regards,
> > Rodrigo da Silva Cunha
> > ___
> > pfSense mailing list
> > https://lists.pfsense.org/mailman/listinfo/list
> > Support the project with Gold! https://pfsense.org/gold
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] pfSense 2.3.2-p1 RELEASE Now Available

2016-10-10 Thread Espen Johansen
They usually do. And with kernel updates you have to.

On Mon, Oct 10, 2016, 19:20 Morten Christensen  wrote:

> You should consider stating clearly in such announcements whether the
> upgrade includes a reboot of the box.
>
>
>
> On 06-10-2016 21:29, Jim Thompson wrote:
> > Details are here: https://blog.pfsense.org/?p=2122
> > ___
> >
>
> --
> Morten Christensen
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
>
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] Lightning strike

2016-10-14 Thread Espen Johansen
Map interfaces based on MAC and give them a name. Then address the
interfaces based on that name. When it comes to reorganization of
interfaces the answer is: don't do it. Let the user remap interfaces
manually only. If the user wants to drop their DMZ to get WAN back online
then it should be a manual process.
In order to accomplish this you need an interface database and a simple
interface setup process with a foreach loop. This code was done in 2007 but
it was never committed.

Ifconfig allows naming of interfaces. So once they are named and MAC->name
binding is done, then the binding is remembered "forever" in a config file.
If a new interface is added and not found in the MAC->name "DB" it is just
placed in an unassigned state until the user assigns it manually.

-lsf

On Fri, Oct 14, 2016, 18:00 Vick Khera  wrote:

> On Thu, Oct 13, 2016 at 6:25 PM, Walter Parker  wrote:
> > Problem is that all of the current OS do this sort of renumbering (I'd
> have
> > to check, but I think it could be a hardware/driver issue). IIRC Linux
> > systems have had this sort of problem in even greater measure than the
> > BSDs. The plug and play nature of USB has caused issues for most systems
>
> Current versions of CentOS/RedHat hard-wire ethernet names. You have
> to go dig in and find some file that has the mappings and delete them
> if you do something like replace a motherboard with embedded NICs,
> otherwise it makes all new ethernet device names for you. The mapping
> is based on MAC address.
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
>
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
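The MAC-keyed binding scheme Espen describes above (a persisted MAC->name database, a foreach loop over it at setup, unknown NICs left unassigned until an operator acts) can be modelled in a few functions. The following is an added example, not pfSense code and not the 2007 code mentioned in the post; it does not touch the OS, the JSON file, function names and MAC addresses are all constructed for illustration, and the "before/after a NIC swap" data shows why keying on the kernel's device names would silently move a DMZ into the WAN role while keying on MAC does not.

```python
"""MAC-keyed interface binding, modelled on the scheme in the post above.

Added example; not pfSense code and it does not touch the OS. Logical roles
(wan, lan, dmz ...) are bound to MAC addresses in a small persisted map; the
kernel's device names (em0, igb1 ...) are never used as identity because they
can be renumbered after a NIC dies or a driver changes. A NIC whose MAC is
unknown stays "unassigned" until an operator binds it explicitly; nothing
here ever reassigns a role on its own.
"""
import json
from pathlib import Path

UNASSIGNED = "unassigned"


def normalize_mac(mac):
    """Canonical form so '00-11-22-AA-BB-CC' and '00:11:22:aa:bb:cc' match."""
    return mac.strip().lower().replace("-", ":")


def load_bindings(path):
    """Read the persisted {mac: role} map; an absent file means no bindings yet."""
    p = Path(path)
    return json.loads(p.read_text()) if p.exists() else {}


def save_bindings(path, bindings):
    Path(path).write_text(json.dumps(bindings, indent=2, sort_keys=True))


def assign_interfaces(discovered, bindings):
    """Map each discovered (os_name, mac) to its logical role, or UNASSIGNED.

    This loop is the "foreach over the interface database" from the post:
    `bindings` is only read, never written, so a missing or new NIC cannot
    cause another NIC to be moved into its role without an operator.
    """
    assignment, claimed = {}, {}
    for os_name, mac in discovered:
        role = bindings.get(normalize_mac(mac), UNASSIGNED)
        if role != UNASSIGNED:
            if role in claimed:
                raise ValueError(f"role {role!r} bound to both {claimed[role]} and {mac}")
            claimed[role] = mac
        assignment[os_name] = role
    return assignment


def missing_roles(assignment, required=("wan", "lan")):
    """Roles with no NIC present; reported, not auto-filled."""
    present = set(assignment.values())
    return [r for r in required if r not in present]


def bind(bindings, mac, role):
    """Operator action: attach `role` to `mac`. Refuses to steal a role that is
    still bound to another MAC; the dead NIC has to be unbound first."""
    mac = normalize_mac(mac)
    for other_mac, other_role in bindings.items():
        if other_role == role and other_mac != mac:
            raise ValueError(f"{role!r} is still bound to {other_mac}; unbind it first")
    new = dict(bindings)
    new[mac] = role
    return new


def unbind(bindings, mac):
    new = dict(bindings)
    new.pop(normalize_mac(mac), None)
    return new


# Constructed sample data (hypothetical MACs): the persisted map, and what the
# OS reports before and after the WAN NIC is replaced. After the swap the
# kernel has renumbered the surviving NICs, which is the renumbering problem
# discussed in the thread.
SAMPLE_BINDINGS = {
    "00:11:22:33:44:01": "wan",
    "00:11:22:33:44:02": "lan",
    "00:11:22:33:44:03": "dmz",
}
DISCOVERED_BEFORE = [("em0", "00:11:22:33:44:01"),
                     ("em1", "00:11:22:33:44:02"),
                     ("em2", "00:11:22:33:44:03")]
DISCOVERED_AFTER = [("em0", "00:11:22:33:44:02"),
                    ("em1", "00:11:22:33:44:03"),
                    ("em2", "00-11-22-33-44-99")]


def replacement_walkthrough():
    """Assignments before the swap, after it, the roles left without a NIC,
    and the result once the operator unbinds the dead MAC and binds the new one."""
    before = assign_interfaces(DISCOVERED_BEFORE, SAMPLE_BINDINGS)
    after = assign_interfaces(DISCOVERED_AFTER, SAMPLE_BINDINGS)
    fixed = bind(unbind(SAMPLE_BINDINGS, "00:11:22:33:44:01"),
                 "00:11:22:33:44:99", "wan")
    return before, after, missing_roles(after), assign_interfaces(DISCOVERED_AFTER, fixed)


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        save_bindings(f"{d}/interfaces.json", SAMPLE_BINDINGS)
        assert load_bindings(f"{d}/interfaces.json") == SAMPLE_BINDINGS
    for step in replacement_walkthrough():
        print(step)
```

After the swap the survivors keep their roles even though the kernel now calls the LAN NIC em0, and the new NIC sits in the unassigned state with "wan" reported as missing; `bind()` refuses to attach "wan" to the new MAC until the old one is unbound, which keeps the remap a deliberate, two-step operator action.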


Re: [pfSense] massive CARP Failover

2017-06-07 Thread Espen Johansen
Are you sure you disabled IGMP completely?

On Wed, Jun 7, 2017, 16:44 Mark Wiater  wrote:

>
>
> On 6/7/2017 10:10 AM, Daniel wrote:
> > Hi,
> >
> > the Sync interface is connected directly without a Switch.
> > But Carp is running WAN/LAB for example.
>
> Let's go back to your original email: this behavior can be duplicated
> with different software, it's not a pfSense issue. Is that right? Both
> Sophos UTM and something on Linux exhibit something similar?
>
> CARP sends broadcast traffic to 224.0.0.18. The device that you
> configured as the primary will send a packet every second by default,
> for each carp ip address, on the relevant interface.
>
> If the secondary does not receive these packets, it starts sending its
> own, with a higher priority and assumes ownership of the CARP addresses.
>
> When the primary device is again available, it starts sending higher
> priority CARP packets. The secondary receives those, stops sending its
> CARP packets and reverts to a backup role, because it knows that the
> primary is back up and functional.
>
> All that said, if your devices keep flipping back and forth, I'd guess
> that you don't see these carp packets at the backup device.
>
> tcpdump -ni wan|lan CARP
>
> on the backup device will tell a lot.
>
> Any chance you've got the wan and lan of the primary firewall going to
> the opposite switches as the secondary?
>
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
>
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] massive CARP Failover

2017-06-08 Thread Espen Johansen
If you want more help with this then you need to provide a network diagram
and some details.
Are your switches linked? If not then that is your problem.
Did you disable MAC spoofing on your switches?
What make and model are your switches?
Did you do any LACP bonding between switches?

Since your issue happens with both pfSense and other software, your
issue is either your setup itself, your switches or your understanding of
how a CARP setup must be made.

Rgds,
LSF

On Thu, Jun 8, 2017, 11:19 Daniel <dan...@linux-nerd.de> wrote:

>
> https://www.dropbox.com/s/pq953p0wbsfseu7/Screenshot%202017-06-08%2011.19.07.png?dl=0
>
> Yes I am sure ;)
>
>
> --
> Regards
>
> Daniel
>
> On 08.06.17, 01:12, "List on behalf of Espen Johansen" <
> list-boun...@lists.pfsense.org on behalf of pfse...@gmail.com> wrote:
>
> Are you sure you disabled IGMP completely?
>
> On Wed, Jun 7, 2017, 16:44 Mark Wiater <mark.wia...@greybeam.com>
> wrote:
>
> >
> >
> > On 6/7/2017 10:10 AM, Daniel wrote:
> > > Hi,
> > >
> > > the Sync interface is connected directly without a Switch.
> > > But Carp is running WAN/LAB for example.
> >
> > Let's go back to your original email: this behavior can be duplicated
> > with different software, it's not a pfSense issue. Is that right? Both
> > Sophos UTM and something on Linux exhibit something similar?
> >
> > CARP sends broadcast traffic to 224.0.0.18. The device that you
> > configured as the primary will send a packet every second by default,
> > for each carp ip address, on the relevant interface.
> >
> > If the secondary does not receive these packets, it starts sending its
> > own, with a higher priority and assumes ownership of the CARP addresses.
> >
> > When the primary device is again available, it starts sending higher
> > priority CARP packets. The secondary receives those, stops sending its
> > CARP packets and reverts to a backup role, because it knows that the
> > primary is back up and functional.
> >
> > All that said, if your devices keep flipping back and forth, I'd
> guess
> > that you don't see these carp packets at the backup device.
> >
> > tcpdump -ni wan|lan CARP
> >
> > on the backup device will tell a lot.
> >
> > Any chance you've got the wan and lan of the primary firewall going
> to
> > the opposite switches as the secondary?
> >
> > ___
> > pfSense mailing list
> > https://lists.pfsense.org/mailman/listinfo/list
> > Support the project with Gold! https://pfsense.org/gold
> >
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
>
>
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
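The CARP behaviour Mark describes in the quoted message (the master advertising to 224.0.0.18 about once a second, the backup promoting itself when those advertisements stop, the master taking back over when it returns) is exactly what the `tcpdump -ni <if> carp` he suggests shows on the wire. The following is an added example, not code from the thread or from pfSense: it parses lines in the layout FreeBSD's tcpdump uses for CARP advertisements (`CARPv2-advertise ...: vhid=... advbase=... advskew=...`) and classifies each vhid as healthy, lossy (gaps longer than the 3 x advbase dead time after which a backup promotes itself), or split-brain (two hosts advertising the same vhid at once, which is how the flip-flopping in this thread would look on the backup's capture). The capture lines, thresholds and function names are my own constructions; among competing advertisers CARP prefers the lowest advbase and then the lowest advskew, which is what `expected_master` reports.

```python
"""Classify CARP advertisements captured on a backup node (added example)."""
import re
from collections import defaultdict

# Layout of one advertisement as FreeBSD/pfSense tcpdump prints it for
# `tcpdump -ni <if> carp`; only the fields up to advskew are used here.
CARP_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+) > 224\.0\.0\.18: "
    r"CARPv2-advertise \d+: vhid=(?P<vhid>\d+) advbase=(?P<advbase>\d+) "
    r"advskew=(?P<advskew>\d+)"
)

# Constructed sample capture (not real traffic): vhid 1 is a steady master,
# vhid 2 has two hosts advertising at the same time, vhid 3 has a 6 s hole,
# and the ARP line shows that unrelated packets are ignored.
SAMPLE_CAPTURE = """\
10:00:00.000100 IP 192.168.1.2 > 224.0.0.18: CARPv2-advertise 36: vhid=1 advbase=1 advskew=0 authlen=7 counter=1
10:00:01.000200 IP 192.168.1.2 > 224.0.0.18: CARPv2-advertise 36: vhid=1 advbase=1 advskew=0 authlen=7 counter=2
10:00:02.000300 IP 192.168.1.2 > 224.0.0.18: CARPv2-advertise 36: vhid=1 advbase=1 advskew=0 authlen=7 counter=3
10:00:00.500000 IP 192.168.1.2 > 224.0.0.18: CARPv2-advertise 36: vhid=2 advbase=1 advskew=0 authlen=7 counter=1
10:00:00.700000 IP 192.168.1.3 > 224.0.0.18: CARPv2-advertise 36: vhid=2 advbase=1 advskew=100 authlen=7 counter=1
10:00:00.800000 IP 192.168.1.2 > 224.0.0.18: CARPv2-advertise 36: vhid=3 advbase=1 advskew=0 authlen=7 counter=1
10:00:06.800000 IP 192.168.1.2 > 224.0.0.18: CARPv2-advertise 36: vhid=3 advbase=1 advskew=0 authlen=7 counter=2
10:00:01.234567 ARP, Request who-has 192.168.1.1 tell 192.168.1.9, length 28
"""


def ts_seconds(ts):
    """'HH:MM:SS.ffffff' -> seconds since midnight as a float."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_carp(text):
    """Return one dict per CARP advertisement; non-matching lines are skipped."""
    adverts = []
    for line in text.splitlines():
        m = CARP_LINE.match(line.strip())
        if m:
            adverts.append({
                "t": ts_seconds(m["ts"]),
                "src": m["src"],
                "vhid": int(m["vhid"]),
                "advbase": int(m["advbase"]),
                "advskew": int(m["advskew"]),
            })
    return adverts


def assess(adverts):
    """Per vhid: who advertised, the largest silence, and a status.

    A backup promotes itself after roughly 3 x advbase seconds without an
    advertisement, so any gap above that on the master's stream is 'lossy'.
    Two sources for the same vhid means both nodes think they are master.
    """
    by_vhid = defaultdict(list)
    for a in adverts:
        by_vhid[a["vhid"]].append(a)
    report = {}
    for vhid, ads in sorted(by_vhid.items()):
        sources = sorted({a["src"] for a in ads})
        times = sorted(a["t"] for a in ads)
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        max_gap = max(gaps) if gaps else 0.0
        advbase = max(a["advbase"] for a in ads)
        # CARP election: lowest advbase wins, then lowest advskew.
        winner = min(ads, key=lambda a: (a["advbase"], a["advskew"], a["src"]))
        if len(sources) > 1:
            status = "split-brain"
        elif max_gap > 3 * advbase:
            status = "lossy"
        else:
            status = "healthy"
        report[vhid] = {
            "status": status,
            "sources": sources,
            "expected_master": winner["src"],
            "max_gap": round(max_gap, 3),
            "count": len(ads),
        }
    return report


if __name__ == "__main__":
    for vhid, result in assess(parse_carp(SAMPLE_CAPTURE)).items():
        print(f"vhid {vhid}: {result}")
```

Run against a real capture from the backup node (`tcpdump -nli <if> carp > carp.txt`, then feed the file to `parse_carp`), a "split-brain" result for a vhid points at the two nodes not seeing each other's advertisements, which matches the switch-connectivity questions raised above; a "lossy" result points at the master's advertisements being dropped somewhere on the path.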

Re: [pfSense] massive CARP Failover

2017-06-07 Thread Espen Johansen
I assume you did a pfsync (HA) interface on each firewall? If so, did you
connect this directly without going through the switch? A direct connection is
preferred for the sync interface. Also make sure that if you do a direct
connection then you use a 6ft cable first to connect them. Some interfaces have
issues if the cable is too short.

Ivo Tonev: When you build redundant firewalls you also want redundant
switches. This is the normal approach.


On Wed, Jun 7, 2017, 15:52 Ivo Tonev  wrote:

> Can you send a network diagram? Why 2 switches? How are they connected?
>
> Is there any feature like Cisco's ARP inspection?
>
> On 7 Jun 2017 10:45, "Daniel"  wrote:
>
> > Both are physical.
> >
> > --
> > Regards
> >
> > Daniel
> >
> > On 07.06.17, 14:34, "List on behalf of Ivo Tonev" <
> > list-boun...@lists.pfsense.org on behalf of i...@tonev.pro.br> wrote:
> >
> > Firewalls are virtual or physical servers?
> >
> > On Wed, Jun 7, 2017 at 9:12 AM, Daniel  wrote:
> >
> > > Hi,
> > >
> > > Firmware on the switch is the latest installed.
> > > The switch is just simply installed. No VLANs actually, just IGMP
> > > disabled.
> > > CARP has for sure 3 IPs. 2 dedicated for each server and one CARP
> > > (virtual failover per subnet)
> > >
> > >
> > > --
> > > Regards
> > >
> > > Daniel
> > >
> > > On 06.06.17, 00:04, "List on behalf of Ugo Bellavance" <
> > > list-boun...@lists.pfsense.org on behalf of u...@lubik.ca> wrote:
> > >
> > > On 2017-06-02 08:13 AM, Daniel wrote:
> > > > Hi there,
> > > >
> > > > I run 2 pfSense firewalls. I tried to use CARP but it will
> > > > turn over every 1-2-3 hours.
> > > > Sometimes it is so fast the pf1 is master and pf2 has the
> > > > routes. In this case I need to reboot both servers.
> > > >
> > > > After I tried a lot I didn't find any solutions. I took a
> > > > different brand (Sophos UTM) and here is the same behaviour.
> > > > So I think this could be a network problem.
> > > >
> > > > Are there any important things which must be enabled or
> > > > disabled in the switch?
> > > > Or does the switch need some special configuration?
> > > >
> > > > When I use Linux with bonding it also switches the NICs very
> > > > often.
> > > >
> > > > We use 2 switches from Netgear, JGS524Ev2
> > > >
> > > > Maybe someone has some experience with it?
> > >
> > > Can you give us more information? You do have 3 IP addresses
> per
> > > interface? How is your switch configured? Any tagged vLANs
> > involved? Is
> > > the switch's firmware up to date?
> > >
> > > ___
> > > pfSense mailing list
> > > https://lists.pfsense.org/mailman/listinfo/list
> > > Support the project with Gold! https://pfsense.org/gold
> > >
> > >
> > > ___
> > > pfSense mailing list
> > > https://lists.pfsense.org/mailman/listinfo/list
> > > Support the project with Gold! https://pfsense.org/gold
> >
> >
> >
> >
> > --
> > Ivo R. Tonev
> > +55 61 98409-2642
> > i...@tonev.com.br
> > ___
> > pfSense mailing list
> > https://lists.pfsense.org/mailman/listinfo/list
> > Support the project with Gold! https://pfsense.org/gold
> >
> > ___
> > pfSense mailing list
> > https://lists.pfsense.org/mailman/listinfo/list
> > Support the project with Gold! https://pfsense.org/gold
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold