> I switched out the memory and the SSD,
But did you test the ram? Make sure the ram doesn't require a special
voltage - this is usually written on the sticker on the ram. And run
memtest86 on it overnight. And suspect the ssd - try a small hdd. I like to
use laptop drives as boot drives for my se
> But from time to time my Asterisk is still not reachable.
I have freepbx running behind pfSense with no nat or rules configured for it at
all. None are needed.
I use two voip providers - one for incoming calls, and one for outgoing calls.
> >I'm happy to announce both 2.1-RELEASE, and our new Gold Subscription,
> >including immediate PDF download to the updated 2.1 book for
>> subscribers!
>I assume this is why snapshots.pfsense.org is offline
At least the .iso for the LiveCD is downloading very quickly. Is it possible
to restor
> All my OpenVPN services report an error contacting the daemon, both on the
> status page (as in print-screen) and also on the dashboard page.
I'm getting this error as well.
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/
> Any thoughts??
May not answer your question, but you did ask...
I set up my first ipsec tunnel with pfSense and it has been wonderful, but I
had to set System menu > Advanced > Miscellaneous tab > Enable MSS clamping
on VPN traffic, and set it to 1375 before I got a stable connection. Bef
> So if I understand you right, even if I use pfSense 2.1 (FreeBSD 8.3)
>on a motherboard with a brand new chipset (Intel C222) and CPU
>(e.g. Core i3 / Haswell) it should work, even though FreeBSD 8.3 is
>older than those technologies and might not fully support the chipset
>yet (e.g. due t
> I would like to know whether you experience similar problems with your
>Realtek 8111 variant (or maybe another Realtek chip using the re
>driver).
If it's an older system, I have seen several onboard versions of these nics
(chips) go bad after a year or so. Luckily, the systems have PCI sl
>How would I pull that off?
Computers have several common points of failure. They are the power supply,
the motherboard, RAM, cooling fans, and the hard drive.
Fans are easy - just make sure they are spinning at the proper speed. This
includes the fan inside the PSU.
If the motherboard
>> I can install pfsense fine, and manually set up a LAN IP address on
>> vboxnet0 so that I can get into the web and use Diagnostics >
>> Backup/Restore to upload an existing XML config. But then the VM
>> refuses to boot properly...
What if you were to install pfSense in the new environment a
> I'm not very familiar with TMG from Microsoft but a client I am helping
> migrate
>to pfsense from TMG has asked me if they'll be able to use the RDP port
>forward
>in the same way as TMG handles it.
It will be interesting to hear if someone knows a way to do what you want, but
I do it
> So what version of OpenSSL is running on 2.1.0? Sorry if this has been
> answered already
Type:
openssl version
> Is there a way to roll back from 2.1.1 to the previous stable 2.1 version?
I may need to go back as well. My connections aren't stable since the 2.1.1
upgrade. The system seems to spontaneously reboot.
> I found that I had problems with FreeBSD using pf + virtio under KVM
Virtio in KVM works fine with pfSense, but you have to modify
the /boot/loader.conf.local file to enable the drivers. And if you load the
storage drivers, you have to modify /etc/fstab.
https://doc.pfsense.org/index.php/VirtIO_
I tried installing a firewall for customer who uses Cbeyond for phones and
internet service. I had Cbeyond set their equipment to bridge mode,
disabling NAT and DHCP.
Everything seemed to work for a while so I left their office, but I soon got
a call saying they couldn't browse the web.
In the d
> However, after about 10 minutes the gateway went offline and I lost access to
> the internet.
I recently had much the same thing happen, but with a wired dual-port network
card. It turned out to be the nic.
> I called Comcast and had them remotely reboot the modem.
Whenever I connect a different network card to my home Comcast modem, I have
to power cycle the modem for it to come up. I think it keys off the MAC address
of the old card, and won't accept the new one until then. I get a new IP
address ea
> You may want to make sure the DHCP server is disabled on the modem
> completely.
It's a cable modem that I guess is in bridge mode, and they don't let me
mess with settings. Anyway, I think the DHCP server is in their headend
somewhere.
I'm just glad it's not like the old days when Comcast
> Even if adding more memory corrects the issue, I still don't like to know
> that pfsense can suddenly die and leave no clues behind :-|.
pfSense is pretty stable. I've tested it in many VMs and 'bare metal' systems
and it doesn’t freeze on me. Of course, I might not be using the same
combi
> Will I have any problems if I install a new version of pfsense on one
>machine and then move the hard drive to another machine?
You probably will have some problem. Let us know how it goes...
> I have a PFsense box on a 50/5 DSL connection
How much swap is being used? What is swap stored on?
Any overheating of the nic or cpu? What happens if you disable or remove squid?
I have no experience with HT and pfSense. Sometimes HT can help and sometimes
it can hinder. Try disablin
> The VM is configured with VirtIO disks, emulated e1000 network cards.
I use kvm and have had no problems running any of the 2.1 releases. I'm
building a VM server right now that will run pfSense and one other guest OS.
I have used the virtio drivers for nics, storage, and memory ballooning, but
> Did you ever had troubles with virtio drivers?
I have a pfSense guest that runs fine with all virtio drivers (lan,storage)
but you might want to switch back to IDE just to see if your virtio storage
driver is causing the issue.
Your xml file looks very much like a pfSense guest I have running
> Is there a way to make Squid redirect http connections on Wan2 in case Wan1
> is down?
I'm setting up my first dual-wan firewall for a customer. No load balancing
because one wan is a lot faster than the other, so just fall-over with a
gateway group.
It looks to me as though squid listens
By the way, if you ever install vncserver, that port used for the VM will
cause a conflict
> When i'm connected to pfsense downloads are failing.
Are there any other packages installed?
> With Squid disabled, fail over works as expected.
In the lab I created to test this machine, I have squid with havp set to
transparent. Also have snort. I don’t use squidguard.
If I disconnect wan #1, most browsers will time out. But I can often just
refresh to get them going again. Sq
>I use squid and squid guard
I don't think anything in squid would block, but check to make sure
everything is set to zero and only 'Throttle only specific extensions' is
checked on this page: Proxy server: Traffic management
You mentioned HAVP in another post and some downloads don't work
>Jason M. wrote:
>I'm using the PFW201 hardware from Tranquilnet
According to Tranquilnet:
" *Note: These units may run hot to the touch and we recommend either a wall
mount or to place them on a cool, dry and hard surface with proper air flow"
I can build systems that are much faster and more pow
> OPT1 interface - actually has the VM's WAN MAC address (the second
> interface rather than the third interface)
If you haven't yet, you might want to reassign interfaces on the console
login screen. The Option is number (1) in the list.
Then reboot.
>em1 third MAC address (up) <-- shouldn't that be the second MAC address?
Are you saying two interfaces have the same mac address even after
reassignment? That's not right.
> Hmm, my pfSense 2.1.4 (amd64) release says its on the latest release...
Mine shows the new update. I'll need to wait to apply it...
>> Why not try the upgrade. Maybe the problem will go away..
There are also three settings for apinger that can be useful: Alternative
monitor IP, Probe Interval, and Down
Is this a new install, or a machine that recently developed a problem?
>>I have tried the alternate IP. No change. Not sure what the other two do?
Some connections might be slow to respond occasionally, or not handle
constant pings well. You can send fewer pings, (every 3 seconds for
instance) and wait a longer period of time before declaring the link is
down. (l
> I need a recommendation for following setup:
>
> pfsense-cluster
> loadbalancers
> webservers
I can't help with these.
> There are some thousand visits per day and I want to secure with
> pfsense and snort. Snort runs on lan-site.
>
> In the moment there are several thousand alerts per
> Here is a good place to start regarding Suricata or Snort.
>
>http://www.linux.org/threads/suricata-the-snort-replacer-part-1-intro-install.4346/
Is the free to use version of Snort going away? I scanned the page mentioned
above but it seems unclear.
Suricata sounds like an excellent r
> The Pfsense firewall has to be setup as BRIDGE if want to put it between the
> router and the corporate firewall ???
Connect like this?
www - isp router - pfSense - corporate firewall - lan
Don’t think you have to use bridge mode. Can Snort work in bridge mode?
> But you say: one interface for WAN, a second for
>LAN...and which interface is for managing ???
You manage with a browser from LAN, and optionally also from the WAN port. And
with ssh from the LAN.
> do I have to have 3 network interfaces or 2 interfaces are enough to
> implement the IPS?
With Snort, just need one for wan, one for lan. That’s all. I use a 3rd for
wifi at home.
The office is a virtual machine with two wan ports, one lan, one wifi, and one
connection for the host.
Stefan Fuhrmann, here's my settings. They work well for me, but there may be
some fine-tuning you should do...
First, I choose the rules on the Global Settings tab. I applied for a free
Oinkmaster Code, which I use on a few firewalls. Then I set the Removed
Blocked Hosts Interval to 15 minutes,
>And then an email should be sent, which it is not being sent.
>-Jason
On a firewall with two wan connections, one connection is faster than the
other so I use one for incoming connections and one for outgoing.
User's outgoing traffic is routed to the gateway that's working using
gateway groups
>as close to wirespeed as possible, be happy with a C2758. ?
>
>Very
That C2758 has nice specs and should be able to keep up, however there seems to
be a throughput problem on at least one brand of board running the C2758. (I
think it’s more a problem with the nics than the cpu)
I
> When I speak of the C2758, I speak of the product sold at the pfSense store,
> as sold by the pfSense store, not the generic pfsense release running on
> "some
>brand of board".
I was speaking of a C2758 board that was tested by someone else, and which
wasn’t able to reach Ethernet's ma
> There has been some testing using BSDRP, but it is not "a tool to test
> hardware".
I used it as a tool to benchmark my hardware. There are several examples on
their website of using it for just that purpose.
It's also a tool to build simple routers. It has very little overhead and runs o
> I am well-aware of Olivier’s work in this area, as are many in the FreeBSD
> community.
You’ve failed to disprove anything I've said, even the part about tools.
> You’re still assigning fault to pfSense
Not at all. But it would be nice if any of this pleasant banter becomes usefu
> I am well-aware of Olivier’s work in this area, as are many in the FreeBSD
> community.
> There is no proof, except that which is documented and reproducible. We're
> doing something like science here.
Hmm, proof. Well, maybe a scientist like yourself can appreciate my concern
over this
> The difference between Olivier's setup and ours (assuming pfsense 2.1.1+), is
> tuning
The only way to prove what you say is with numbers. Tuning pfSense won't fix
this hardware problem, *if* it exists in your boards.
>> As I said in my original post, I know the C2758 is capable ac
> do you realize who you’re arguing with compdoc?
Yeah, I'm arguing with a guy that not only attacked me for suggesting a person
be careful about buying certain hardware, he also attacked the work of Olivier
from BSDRP.
respeed, then those
devices would be an excellent buy.
More so, because of the tuned software and support they'd be getting along with
it.
compdoc
> I've been trying to install 2.1.5 into a
> http://www.mini-itx.com/store/~FX5624
The specs look ok. I would think it supports most 'nix distros.
Unfortunately, that website doesn’t say if it supports booting from USB. Does
the manual say it can?
> I've tried several ways to wri
> A proven hardware platform, available in the UK with at least 6 physical
> network ports, I can probably justify buying
Not much info. Got an url for that?
> Thanks for that link, none of it seems to apply as the box is not booting
>from the media at all, says there is not a bootable media present
Just a shot in the dark, but is there a bios/firmware update for your system?
Sometimes they correct problems they find after it's been sold for a whi
>I can't seem to make an install CD. I downloaded the ISO, unzipped
>it from the gz file using 7-ZIP, and burnt the disk image using win7.
Those are the same tools I use to create bootable CDs/DVDs. Windows 7 can burn
an iso without having to install any programs.
I would have to gu
> Things will get outrageous soon with the advent of M.2 PCI SSDs on a x4
> connection.
The speeds of m.2 on x4 do look amazing, but the prices and sizes of them
probably means that not many people will be tossing them into their
firewalls anytime soon.
For projects like firewalls, and to
> Any thoughts on this? Is this known not to work?
If you know vi commands, you can type:
sudo virsh edit pfSense (substitute the actual VM name)
Look for the line like:
hvm
This line will be different depending on the version of KVM and the choices you
made when you created the VM. The exa
> Bottom line, squid and SSD are not a good combo.
I've used several SSDs over the years running pfSense and linux and windows
OSes. Work just like hard drives, except might actually be more reliable.
There is one exception: none of the SSDs I used were PC Engines.
> Can anyone give me a description of, how to change driver ?
Well, you would need to change the NIC itself. I haven't tried this, but the
following url explains the problem and might help fix the problem.
http://www.netservers.co.uk/articles/open-source-howtos/citrix_e1000_gigabit
I switched t
> Is it impossible to try to improve on pfSense 2.2's problem in pfSense
You might not be the only person having the problem, but I haven't
researched to know for sure.
Sometimes, it's possible to do the work and discover the problem yourself.
There are a few areas of experimentation that might
> It is only pfSense 2.2, that has this not usuable speed from other VM's
>in the Xenserver.
I installed xenserver with a pfSense guest on a machine, and had the same
problem. Traffic from hosts on the lan through the pfSense guest to the wan
is nice and fast, but traffic from other guests throug
> Do have more of you had similar problems ?
I upgraded one firewall and everything works fine except that I use the squid
and HAVP packages together, but HAVP is broken. Running commands like clamd
and freshclam don't work.
I don't know how to file a bug report so I created a topic in the for
> The link I'm working with is:
>http://www.malwaredomainlist.com/hostslist/ip.txt
When an alias is created with this url, do you know where the list is stored
on pfSense? I just want to see if I've created the alias correctly and that
the list matches the ip addresses in the url.
Thanks
> Where is a good place to monitor for package updates for 2.2?
If you click the text in the Status column on the Available Packages tab,
you're taken to a page that shows the change logs for that package.
> Is there any advantage or disadvantage to using the two port on a dual
> port NIC vs. one port each on two different dual port NICs?
Hopefully, the dual-port Intel Nics are pci-e, and so will be the fastest.
The legacy Intel NIC could be PCI, and will be a bit faster than the Marvell
nics.
I
> Is there any advantage or disadvantage to using the two port
>on a dual port NIC vs. one port each on two different dual port
>NICs?
I think it comes down to your motherboard. If any of the nics are sharing
one pci-e lane, then things would slow down. But if the nics share four (x4)
or more lan
> peer client ID returned doesn't match my proposal
I have two ipsec tunnels and after the upgrade, for one tunnel I had to
change the 'Peer identifier' on my side to use the IP address it was seeing.
Been working great since.
> With my current systems, segmentation and large receive offloads are
>disabled. I don't remember what the default was (and it's not stated
>on the configurator page) [...]
For me, what happens after enabling or disabling those settings is
immediately apparent.
I updated to 2.2.1 yesterday without removing installed packages, and after the
reboot it took only a few minutes to install them (just snort, pfblockerng, and
squid) on an AMD 5350 AM1 apu.
There was one problem - the webgui stopped responding afterwards, and I
rebooted pfSense one more tim
My ipsec connection goes down at least once a day now, maybe more. It’s a 2.2.1
to remote 2.1.5 connection.
After I open Status: IPsec and turn the connection off/on, all is well. Only
have to do that with the 2.2.1 server - doesn't seem to affect the 2.1.5 side.
From: List [mailt
> The command '/usr/pbi/squid-amd64/sbin/squid -k reconfigure' returned exit
> code '1'
...
>squid: ERROR: No running copy'
If you type the following on the command line, do you get any output?
squid -k shutdown
Use your browser to start squid again.
useful log:
/var/squid/logs/cache.log
There is an oncology clinic using a Juniper SSG5. They have a couple of
ipsec connections that require policy-based routing with mapped IP
addresses. (MIP)
I can't provide that with pfSense, but I do want to use pfSense to give them
protection like squid w/ antivirus, and snort, and pfblocker.
>
> I use Ms. Windows 7 32 bit, and I use Vmware Workstation 7...
Make sure you use a 32bit version of pfSense. I assume Vmware Workstation 7
is already installed and running?
Always go 64bit Operating Systems in the future.
> I updated to 2.2.3 over the weekend, and now my tunnel no longer works
> correctly, even though my settings haven't changed.
The same thing happened to me. I had to change the Encryption algorithm from
AES256 to 3DES to get it to work.
There's talk this will be fixed in the next release.
>I ended up spending over an hour trying to get that little system
> to pick up a DHCP address for their Comcast router.
Once upon a time, Comcast used to install their modems and register the mac
address of the NIC of the customer's computer. Sort of a way of preventing
their customers from stea
>Does anyone have any recommendations for small office access points?
I use a Zyxel WAP3205 v1, which was fairly inexpensive. I use pfSense to
provide DHCP and rules for the clients, and have the features in the WAP
that are said to be easy to hack disabled. (like WPA Compatible, and WPS)
So, i
A lot of good info in these posts, but no real hardware recommendations...
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
> Thanks for your response, but my installation is on
>a physical machine, and there was no disk space issue.
Be sure to check the hard drive's SMART info. It's the best way to tell if
the drive is failing.
> This message never made it to the list
Received this one...
>Does installing pfSense, especially, using the "Quick/Easy Install option",
>allow for installation so as to allow for multiple boot options
No, it will erase the hard drive and set up a freebsd file system. Might be
worth using another drive altogether to preserve the old drive, or use
clonezilla
>> The top10-2.txt file has last been updated in July 2015 according to
>> my curl command and is not auto-documented.
I find I'm only using "http://www.malwaredomainlist.com/hostslist/ip.txt"
these days.
Am I already hacked?
> Using Intel E3-1270s and Intel 10G Nics
I can't point to a specific setup, but something to look at...
Your xeon is a sandy bridge with a max transfer rate of 5 GT/s, which is
very nice but the new Skylake cpus are 8 GT/s.
Also, there's always a possibility of equipment failure/setup problems.
>Maybe is suricata better? What are the difference?
I've never tried suricata so I can't say if it's better, but snort works
pretty well. There is one problem with snort, however. It can watch incoming
traffic as well as outgoing traffic.
But when snort watches outgoing traffic, it flags and block
> How do you have Snort configured to differentiate between incoming and
> outgoing traffic?
I guess I used a poor choice of words. It's mainly 'HTTP Inspect' that’s the
problem. It watches any http traffic, which is mainly outgoing in our case.
On the Services / Snort / Interfaces page, e
I think this is complete:
2.3.1-RELEASE-p5 (amd64)
built on Thu Jun 16 12:53:15 CDT 2016
FreeBSD 10.3-RELEASE-p3
arping 1.2.2_1
AutoConfigBackup 1.45
Avahi 1.11_2
Backup 0.4_1
bind 9.10_8
blinkled 0.4.7_1
Cron 0.3.6_2
darkstat 3.1.2_1
freeradius2 1.7.3_1
FTP
upport and Discussion Mailing List
Subject: Re: [pfSense] How to determine supported packages without
installing
On 2016-Jun-17, at 2:35 PM, compdoc wrote:
> I think this is complete:
>
Thanks. Looks like I can proceed with an update to 2.3.
Regardless, I still think there should be a way to
I didn't even realize that Nut was back. That's great.
>>Coming back tonight to do memtest, SpinRite on the SSD, etc...,
Spinrite on an ssd is a terrible idea. It's an ancient program that's even a
bad idea to use on hard drives.
It doesn't even work on drives larger than 1TB, because it was written in a
time when drives were not that big. And there
>I'd suggest that before you slag programs, you not rely on old, outdated,
>biased information.
Spinrite 6 is a twelve-year-old program that seemed cool back in the day, but I
would never recommend it to anyone now.
Repairing computers for a living, I'm always on the lookout for useful too
>though the web interface is incredibly slow.
I think I remember that if your CPU doesn't support a certain built-in
feature, the gui can be slow.
But then it could be something else. Is cpu use high?
On 03/28/2017 08:41 AM, WebDawg wrote:
> It seems to me that NAT and general firewalls should be easily handled? Am
> I wrong here? I mean, how much hardware do you need for pf to function at
> 1gbps?? Would not offloading help here too?
I've run tests on AMD and Intel cpus that I happened to have
On 03/28/2017 10:32 AM, compdoc wrote:
> Of the cpus I had to test, only an Intel i5-2400 (sandy bridge) and a
> newer model AMD APU could keep up.
I should clarify what I said. You don't need an i5. Any sandy bridge
class cpu, or newer has the ability. Including the 4/8 core Atoms and
(My last email seemed to go to the wrong area. Hope you don't mind if I
try again...)
On 03/28/2017 10:32 AM, compdoc wrote:
> Of the cpus I had to test, only an Intel i5-2400 (sandy bridge) and a
> newer model AMD APU could keep up.
I wanted to clarify what I said before. You don'
On 03/31/2017 02:15 PM, Jim Thompson wrote:
> I claim that a simple "fill the pipe with large packets" test is
> useless to understand the performance of the system. All the work is
> on a per-packet rather than per byte basis, unless you don't have DMA
> or are doing some type of DPI.
I suppose
91 matches