Re: [pfSense] best ipsec cipher for aes-ni on sg-8860
I had found an older thread saying that the "XCBC" hashes were OK, since they were effectively "free" as long as you used one of the AES-GCM ciphers. Same thread (can't find it now, sorry) also indicated that the GCM mode ciphers were more, uh, completely??/rapidly?? accelerated than CBC. Can't vouch for the accuracy, this is just what I found when I had the same question last year.

-Adam

On December 9, 2017 2:56:07 PM CST, Chris L wrote:
> AES-GCM with all hashes disabled in the ESP/Phase 2.
>
>> On Dec 9, 2017, at 12:03 PM, Karl Fife wrote:
>>
>> You might try...
>>
>> (Wait for it)
>>
>> ...AES.
>>
>>
>> On 12/9/2017 4:02 AM, Eero Volotinen wrote:
>>> Hi,
>>>
>>> What is the best ipsec ciphers for aes-ni ipsec acceleration?
>>>
>>> Eero

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] 2.3.5 to 2.4.2 on SG-2440 failed accessing repository
Well, that explains why the rest isn't working. Fix DNS and your problems will (hopefully) go away.

-Adam

On December 4, 2017 2:41:25 PM CST, Pete Boyd <petes-li...@thegoldenear.org> wrote:
> On 04/12/2017 20:39, Adam Thompson wrote:
>> Do you have functional DNS from the CLI?
>
> No, I can't ping google.com or localdomain names.
>
> --
> Pete Boyd
>
> Open Plan IT - http://openplanit.co.uk
> The Golden Ear - http://thegoldenear.org
Re: [pfSense] 2.3.5 to 2.4.2 on SG-2440 failed accessing repository
The "no address record" error is interesting... Do you have functional DNS from the CLI?

-Adam

On December 4, 2017 2:29:09 PM CST, Pete Boyd wrote:
> On 04/12/2017 20:11, Steve Yates wrote:
>> If you ssh to the device and pick the option to update from its console menu, does it update there?
>
> No, those package repository errors are what I'm seeing when doing that.
>
> I tried the swapping to different repositories in the GUI, trying update from console, back and forth, as described in the page you linked to, but that hasn't helped, each time it has the same repository errors.
>
> --
> Pete Boyd
>
> Open Plan IT - http://openplanit.co.uk
> The Golden Ear - http://thegoldenear.org
Re: [pfSense] Using LAGG interfaces with CARP to allow future router replacements
Yes, there's downtime to set up LAGs. So this won't help avoid all downtime.

Since the SG-2440 just went EOL, I would expect the SG-4860 will also go EOL soon, perhaps next quarter (Q1'18).

There is a small performance hit. It's not large - certainly not large enough that I ever cared to measure it. Unless you are pinning the CPU regularly, I expect it would be undetectable.

There is a much bigger hit in complexity, since you still can't set up LAGs during initial setup, necessitating a dedicated mgmt interface to avoid certain types of "oops, oh shit" problems.

-Adam

On November 28, 2017 5:08:48 PM CST, Steve Yates wrote:
> We had two routers set up using CARP and unfortunately had some issues with them, and currently have a temporary router in place. We will be replacing the temp router with a SG-4860 1U HA however that unfortunately has different interface names, so state sync won't work, and the cutover won't be transparent.
>
> I understand from https://doc.pfsense.org/index.php/Redundant_Firewalls_Upgrade_Guide#pfSense_2.2.x_and_pfsync that using LAGGs can work around this. My question is, is it worth setting up LAGGs just to allow for future proofing to have the state sync working on disparate devices if we ever replace a router down the road? Is there any sort of performance penalty or significant complexity?
>
> Note we have five CARP interfaces, IPv4 and IPv6 for WAN and LAN, and a LAN IPv4 on a second subnet. So as a first run-through on LAGGs, it seems like we would need at least four LAGGs for the WAN and LAN interfaces (we can ignore the secondary LAN for this purpose)? So we would set up four LAGG interfaces using Failover (?) with one interface each, and have WAN and LAN use those?
>
> Avoiding downtime would be really nice, but I don't think we can get around that at this point (for this router replacement) since LAGGs apparently can't be set on an interface that is in use already and thus there would be downtime to set up LAGGs on our temp router anyway.
>
> --
>
> Steve Yates
> ITS, Inc.
Re: [pfSense] 2.4 Bricked my APU4 Netgate
If you're going to even consider blaming widely-used software for hardware problems, then absolutely, yes, please do this, if only to stop the accusations.

If you don't reboot regularly, now's a good time to change that policy, too. We aren't running NetWare 3.1 any more. No reboots = no patches. And of course be aware that many hardware problems only show up at reboot. The Intel Atom flaw being the most recent prominent example I can think of.

-Adam

On November 25, 2017 5:47:13 AM CST, Manuel Dejonghe wrote:
> On 24 November 2017 at 01:35, Jim Thompson wrote:
>> If there is no response from the bootloader (coreboot) on the serial port, then the hardware died, and the upgrade's only involvement was the reboot at the end.
>
> Sounds like it's good advice to reboot manually before the upgrade, so that if it fails, you know why it failed. Would you agree?
Re: [pfSense] problems with lagg interfaces?
No, you misunderstood the last response. You have not provided enough information yet to determine what the problem is. Three things have been suggested:

1. It *might* be a bug *similar* to one someone else encountered using different hardware (which does not even exist on your firewall),
2. You could open a ticket with Netgate support,
3. You can try running tcpdump on the underlying interfaces to see what's happening there.

If you don't know how to manually troubleshoot LACP issues or VLAN issues, I suggest you open that support ticket. If you are reasonably confident in your ability to troubleshoot one or the other, then go ahead and use tcpdump (with the -e option) to figure out which part is broken and why.

Also: Since pfSense does not allow LAG creation from the command-line, building a one-armed router like this is a dangerous design unless you have a spare interface for management through the webui. I learned that the hard way :-/.

-Adam

On October 17, 2017 10:16:24 AM CDT, Eero Volotinen wrote:
> so sad. how to downgrade to 2.3?
>
> Eero
>
> 2017-10-17 17:57 GMT+03:00 :
>
>> On 2017-10-17 16:54, Ivo Tonev wrote:
>>
>>> Even if your VLAN doesn't come up you can capture traffic on physical interfaces with tcpdump.
>>> See what you can capture before any other move.
>>
>> if the lagg(4) works while you run tcpdump(8), it's (most likely) a driver bug like bxe(4)
>>
>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=213606
>>
>> IMHO.
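What "tcpdump with the -e option on the underlying interfaces" can actually tell you, as an added illustration that is not code from this thread, from pfSense or from FreeBSD: a small Python parser over constructed `tcpdump -e -n` output lines that separates LACP PDUs (ethertype 0x8809, sent to the Slow Protocols address 01:80:c2:00:00:02) from 802.1Q-tagged traffic and reports, per member port, whether a partner is answering our LACPDUs and which VLAN tags really arrive. The interface names, MAC addresses, VLAN ids and capture lines are all constructed for the example; the line format imitates tcpdump's link-level output.

```python
import re

# Constructed sample of `tcpdump -e -n -i <ifname>` output for two lagg member
# ports.  These lines are invented for this example (they imitate tcpdump's -e
# format) and were not captured on any real system.
SAMPLE_CAPTURES = {
    "igb0": [
        "10:00:00.000101 00:11:22:33:44:55 > 01:80:c2:00:00:02, ethertype Slow Protocols (0x8809), length 124: LACPv1, length 110",
        "10:00:00.000202 00:aa:bb:cc:dd:ee > 01:80:c2:00:00:02, ethertype Slow Protocols (0x8809), length 124: LACPv1, length 110",
        "10:00:00.000303 00:aa:bb:cc:dd:ee > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 64: vlan 100, p 0, ethertype ARP (0x0806), Request who-has 10.0.100.1 tell 10.0.100.20, length 46",
        "10:00:00.000404 00:11:22:33:44:55 > 00:aa:bb:cc:dd:ee, ethertype 802.1Q (0x8100), length 64: vlan 100, p 0, ethertype ARP (0x0806), Reply 10.0.100.1 is-at 00:11:22:33:44:55, length 46",
    ],
    "igb1": [
        # Only our own LACPDUs appear here: the switch side of this port never answers.
        "10:00:01.000101 00:11:22:33:44:55 > 01:80:c2:00:00:02, ethertype Slow Protocols (0x8809), length 124: LACPv1, length 110",
        "10:00:01.000202 00:11:22:33:44:55 > 01:80:c2:00:00:02, ethertype Slow Protocols (0x8809), length 124: LACPv1, length 110",
    ],
}

LOCAL_MACS = {"00:11:22:33:44:55"}   # the firewall's own MAC(s); constructed

# "<ts> <src mac> > <dst mac>, ethertype <name> (<0xNNNN>)" is the -e prefix.
FRAME_RE = re.compile(
    r"^\S+ (?P<src>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) > (?P<dst>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}), "
    r"ethertype [^(]+ \((?P<ethertype>0x[0-9a-f]{4})\)"
)
VLAN_RE = re.compile(r"\bvlan (?P<vid>\d+),")
ETHERTYPE_LACP = "0x8809"   # IEEE 802.3 Slow Protocols, carries LACP
ETHERTYPE_VLAN = "0x8100"   # 802.1Q tagged frame


def parse_frame(line):
    """Return src/dst MAC, ethertype and VLAN id (if tagged) from one -e line."""
    m = FRAME_RE.match(line)
    if not m:
        return None
    frame = {"src": m["src"], "dst": m["dst"], "ethertype": m["ethertype"], "vlan": None}
    if frame["ethertype"] == ETHERTYPE_VLAN:
        v = VLAN_RE.search(line)
        if v:
            frame["vlan"] = int(v["vid"])
    return frame


def summarize(captures, local_macs):
    """Per interface: LACPDUs we sent, partner MACs that sent LACPDUs, VLAN ids seen."""
    summary = {}
    for ifname, lines in captures.items():
        s = {"lacp_sent": 0, "lacp_peers": set(), "vlans": set(), "unparsed": 0}
        for line in lines:
            f = parse_frame(line)
            if f is None:
                s["unparsed"] += 1
                continue
            if f["ethertype"] == ETHERTYPE_LACP:
                if f["src"] in local_macs:
                    s["lacp_sent"] += 1
                else:
                    s["lacp_peers"].add(f["src"])
            if f["vlan"] is not None:
                s["vlans"].add(f["vlan"])
        summary[ifname] = s
    return summary


def diagnose(summary, expected_vlans):
    """Turn the summary into findings that point at the LACP side or the VLAN side."""
    findings = []
    for ifname, s in sorted(summary.items()):
        if s["lacp_sent"] and not s["lacp_peers"]:
            findings.append(f"{ifname}: we send LACPDUs but see none from a partner; "
                            "the switch side of this port is probably not in an LACP group")
        elif s["lacp_peers"]:
            findings.append(f"{ifname}: LACP partner(s) {sorted(s['lacp_peers'])} seen")
        missing = sorted(set(expected_vlans) - s["vlans"])
        if missing:
            findings.append(f"{ifname}: no tagged frames for VLAN(s) {missing}; "
                            "check the trunk's allowed-VLAN list on the switch port")
    return findings


if __name__ == "__main__":
    for line in diagnose(summarize(SAMPLE_CAPTURES, LOCAL_MACS), expected_vlans=[100, 200]):
        print(line)
```

On a real box you would feed it `tcpdump -e -n -i igb0` output for each lagg member, one capture per port, and give `LOCAL_MACS` the firewall's own addresses; the split it makes (partner LACPDUs present or not, tagged frames present or not) is exactly the "which part is broken" question above.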
Re: [pfSense] pfSense virtualisation
The only thing I would caution against is having your only gateway to the Internet running on a single host or cluster - this makes troubleshooting VERY difficult when the host or cluster fails. Been there, done that. So I have one H/W gateway running the internet pipe, then all the internal firewalls are virtual.

-Adam

On October 10, 2017 2:57:29 PM CDT, Doug Lytle wrote:
> Or do you think I am absolutely crazy? Or maybe Just one Hardware and one virtual?
>
> Quite a few of my firewalls are virtualized using ESXI and have done so for a few years now.
>
> Doug
Re: [pfSense] pfsense 2.4rc wirespeed?
The speedtest server code is not optimized for high upload speed measurement. When running speedtest from a machine on the same subnet, in the same rack in the same data center as the speedtest server (I worked for an ISP) you will still get funny results. Or even two VMs running on the same hypervisor, more recently at a different ISP. Use iperf or something (anything!) better to make more accurate measurements before questioning pfSense, IMHO.

-Adam

On September 3, 2017 3:59:24 AM CDT, Eero Volotinen wrote:
> Hi,
>
> Is there any setting to optimize pfsense nat speed?
>
> Tried with speedtest and upload speed is a bit slow?
>
> Retrieving speedtest.net configuration...
> Testing from Suomi Communications (77.246.193.181)...
> Retrieving speedtest.net server list...
> Selecting best server based on ping...
> Hosted by Elisa Oyj (Helsinki) [9.91 km]: 3.648 ms
> Testing download speed
> Download: 882.05 Mbit/s
> Testing upload speed
> Upload: 249.09 Mbit/s
>
> Link is symmetric gigabit carrier grade line. Just wondering why upload speed is so slow and download is much faster?
>
> --
> Eero
Re: [pfSense] IPsec NAT/BINAT not working
I always thought that this behaviour was because of the way IPSec is bolted on to the network stack in FreeBSD 9, that IPsec literally took over the packet before it could get NAT'd. Certainly, I was recently surprised to discover that IPSec VPN tunnels take precedence over local connected interfaces when the addresses overlap.

-Adam

> -----Original Message-----
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Kilian Ries
> Sent: August 24, 2017 01:43
> To: pfSense Support and Discussion Mailing List
> Subject: Re: [pfSense] IPsec NAT/BINAT not working
>
> Just tried Bypassing Policy Routing, but it doesn't work. Traffic is still routed through WAN interface.
>
> Also tried setting up a gateway and appropriate route, but I can only see packets on the Lan interface, not on the IPsec interface:
>
> https://forum.pfsense.org/index.php?topic=135384.0
>
> From: List on behalf of Chris L
> Sent: Tuesday, 22 August 2017 19:36:05
> To: pfSense Support and Discussion Mailing List
> Subject: Re: [pfSense] IPsec NAT/BINAT not working
>
>> On Aug 22, 2017, at 8:09 AM, Kilian Ries wrote:
>>
>> Hi,
>>
>> my setup is the following:
>>
>> Site A:
>> Lan: 192.168.100.0/24
>> Lan_IP: 192.168.100.1
>> Transfer: 10.2.81.0/24
>> Transfer_IP: 10.2.81.1
>>
>> Site B:
>> Lan: 10.2.82.0/24
>> Lan_IP: 19.2.82.1
>>
>> I'm doing a site-to-site IPsec which is working. I can ping from both routers (pfsense, juniper) to each other (10.2.81.1 <-> 10.2.82.1) but not from the clients in my LAN (192.168.68.x <-> 10.2.82.x). I'm now trying to setup a Transfer-Net with NAT / BINAT routing:
>>
>> Site B should reach the clients on site A via a 10.2.81.x ip-address and not via a 192.168.100.x ip-address. So I want to map 10.2.81.0/24 <-> 192.168.100.0/24.
>>
>> First I tried to do this via the NAT/BINAT setting inside the IPsec settings:
>>
>> Site A IPsec Phase2
>> Local Network: 192.168.100.0/24
>> NAT/BINAT translation: 10.2.81.0/24
>> Remote Network: 10.2.82.0/24
>>
>> That didn't work and I tried the same thing with 1:1 NAT from the Firewall tab:
>>
>> Site A
>> External subnet IP 10.2.81.0
>> Internal IP: 192.168.100.0/24
>> Destination: 10.2.82.0/24
>>
>> No matter which mapping I choose, if I try to ping from 192.168.100.x to 10.2.82.x, pfsense routes the request through the WAN interface instead of the IPsec / Transfer-Net Interface. How can I tell pfsense to route the traffic from my Lan through the IPsec tunnel (not WAN) and do the NAT?
>
> You might be policy routing that traffic out the WAN interface using rules that match the traffic on the 192.168.100.0/24 interface with a gateway or gateway group set.
>
> Try bypassing policy routing for the remote subnet using a pass rule above that with the destination 10.2.82.0/24 and no gateway set.
>
> https://doc.pfsense.org/index.php/Bypassing_Policy_Routing
Re: [pfSense] Internal Certificate and Internal Network.
Error messages. Log files. Configuration data. Network topology. Route tables. We have nothing to work with yet.

-Adam

(Yes, I know I'm being hypocritical here because I've done the same thing. Thank you for not reminding me...)

On August 17, 2017 10:51:43 AM CDT, Kleber Carvalho wrote:
> Hello,
>
> The proxy is working well to external sites but we have an internal environment and the proxy is not able to find it.
>
> Regards.
>
> On Thu, Aug 17, 2017 at 4:30 PM, WebDawg wrote:
>
>> You say the proxy does not work.
>>
>> What do you mean?
>>
>> What errors do you get? What are your observations?
>>
>> On Wed, Aug 16, 2017 at 8:06 AM, Kleber Carvalho wrote:
>>> Hello,
>>>
>>> We are having difficulties with Internal Certificates and Internal Network. Below I will try to explain details about that.
>>>
>>> Our pfSense is not gateway of our network and it is not transparent proxy, all the browsers need the input configurations about proxy. In the proxy is configured "HTTPS/SSL Inspection" and SquidGuard, it is also integrated with Active Directory.
>>> All the outside traffic are working well but all the internal sites/network are not working.
>>> We have a certificate CA Microsoft for all internal applications, however our proxy does not work.
>>> I would like to know what I can do to solve this problem. Your help will be highly appreciated.
>>>
>>> Regards.
>
> --
>
> Kleber da Silva Carvalho, Certified Professional.
> CCNA R | CCNA Security | CCNP Security | LPIC-1 | LPIC-2 | LPIC-3 | LPIC-3 303 | Novell CLA 11 | Novell DCTS | ITIL v3 | COBIT 4.1
[pfSense] IPSec to overlapping subnet - unexpected behaviour
Any ideas how I install an IPSec tunnel to a remote subnet that overlaps with a local subnet while not completely killing the local subnet?

This isn't _quite_ as insane as it sounds at first glance: The SPD (i.e. Phase 2) selectors on my side are from a single /32 IPv4 address on the LAN that needs to monitor half a dozen servers on three subnets in a foreign network. And one of those subnets overlaps with a locally-connected subnet.

Despite the /32 selector, it appears that all traffic through pfSense destined for (in this case) 192.168.100.0/24 is getting routed down the tunnel instead of out the connected interface. The kernel routing table still looks correct (i.e. 192.168.100.0/24 via link#2 netif igb0) but packets from other subnets no longer arrive.

I vaguely recall that IPSec in FreeBSD 10 doesn't actually happen at the kernel routing table level, it's somehow bolted on to the if_input/if_output code path (or something kinda like that). So what *appears* to have happened is that my IPSec tunnel from 192.168.158.11/32 to 192.168.100.0/24 is diverting *all* traffic from 192.168.158.0/24 to 192.168.100.24/0. I guess I'm not terribly surprised, but I wasn't expecting that to happen when I had set a very narrow selector for the local end. (It's perfectly OK if 192.168.158.11 can't talk to the *local* 192.168.100.0 subnet.)

Is this a bug in FreeBSD's IPSec implementation, or is this expected behaviour? Is there a way to accomplish what I want? (That being that I have an IPSec tunnel to a remote subnet that overlaps a local subnet, with both being reachable and reachability being controlled by policy somehow.)

I know on certain other firewalls where IPSec tunnels appear as virtual interfaces, I can use policy routing to accomplish my goal, but I don't know of any way to do that with pfSense.

Thanks,
-Adam
Re: [pfSense] IPv6 1:1 NAT problems
You could be right, I was writing from memory and ... tbh, I don't care enough to go look it up again :). They shut down, that's a pain in the butt, I was already on HE anyway, end of story for me.

I would do the same here, except that (IMHO) Google's refusal to support DHCPv6 on Android is completely asinine. So my phone still doesn't get an IPv6 address here at home :-(. (Note: Apple products work perfectly.)

It's interesting to speculate about what will happen at some future date when HE turns off (or starts charging for) their tunnel service... I haven't heard anything credible yet, but I assume it'll happen someday.

-Adam

> -----Original Message-----
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Moshe Katz
> Sent: August 2, 2017 21:38
> To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
> Subject: Re: [pfSense] IPv6 1:1 NAT problems
>
> Adam,
>
> Actually, the reason SIXXS shut down is exactly the opposite of what you said. SIXXS shut down because IPv6 adoption was going too slow and a number of ISPs were actually telling their customers "we don't plan to implement IPv6 because you can get it from SIXXS if you really want it." In effect, ISPs were using tunnels as a way of *reducing* IPv6 rollouts.
>
> Vick,
>
> I also have an HE tunnel at home because my ISP is dragging their feet about implementing IPv6. In fact, my main guest WiFi network runs *only* IPv6. Most of my guests only care about Gmail and YouTube, and those have been IPv6 enabled for ages. It's an experiment to see how many visitors can get away with not noticing that they have no IPv4 connectivity.
>
> Moshe
>
> --
> Moshe Katz
> -- mo...@ymkatz.net
> -- +1(301)867-3732
>
> On Wed, Aug 2, 2017 at 10:32 PM, Adam Thompson <athom...@athompso.net> wrote:
>
>> So? Neither do I. I don't have native IPv6 at the office either. But both are fully IPv6-connected. That's what Hurricane Electric tunnels are for. (And SIXXS, formerly, but they've decided that IPv6 penetration has reached a point where they're not needed anymore. Hahahaha...)
>>
>> http://www.tunnelbroker.net/
>>
>> Disclaimer: my home situation is a bit of an anomaly - the nearest HE IPv6 tunnel endpoint is <5msec away from my home router [wireless, not DSL or cable], and my ISP has a 10Gbps connection to them. Performance is VERY satisfactory. However, even my office, where the nearest HE tunnel endpoint is 30+msec away gets perfectly acceptable performance on IPv6. Largely because IPv6 paths tend to be shorter and transit fewer routers. (There are a number of factors at play; sometimes IPv6 is tunneled over IPv4, which means the path isn't *really* shorter.)
>>
>> -Adam
>>
>>> -----Original Message-----
>>> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Vick Khera
>>> Sent: August 2, 2017 21:28
>>> To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
>>> Subject: Re: [pfSense] IPv6 1:1 NAT problems
>>>
>>> Nice. Thanks for the explanation. My IPv6 knowledge is slowly being built up. Not having IPv6 at my home router makes it hard to play with. I've not had the courage to bring "live" my direct allocation at the data center yet.
Re: [pfSense] IPv6 1:1 NAT problems
So? Neither do I. I don't have native IPv6 at the office either. But both are fully IPv6-connected. That's what Hurricane Electric tunnels are for. (And SIXXS, formerly, but they've decided that IPv6 penetration has reached a point where they're not needed anymore. Hahahaha...)

http://www.tunnelbroker.net/

Disclaimer: my home situation is a bit of an anomaly - the nearest HE IPv6 tunnel endpoint is <5msec away from my home router [wireless, not DSL or cable], and my ISP has a 10Gbps connection to them. Performance is VERY satisfactory. However, even my office, where the nearest HE tunnel endpoint is 30+msec away gets perfectly acceptable performance on IPv6. Largely because IPv6 paths tend to be shorter and transit fewer routers. (There are a number of factors at play; sometimes IPv6 is tunneled over IPv4, which means the path isn't *really* shorter.)

-Adam

> -----Original Message-----
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Vick Khera
> Sent: August 2, 2017 21:28
> To: pfSense Support and Discussion Mailing List
> Subject: Re: [pfSense] IPv6 1:1 NAT problems
>
> Nice. Thanks for the explanation. My IPv6 knowledge is slowly being built up. Not having IPv6 at my home router makes it hard to play with. I've not had the courage to bring "live" my direct allocation at the data center yet.
Re: [pfSense] IPv6 1:1 NAT problems
Sadly, yes. Partly due to providers like OVH who don't "get" prefix delegation. Also, how else do you multi-home without running BGP? (Keeping in mind that the overwhelming majority of networks around the world have no access to BGP.) That's one of the specific use cases for Network Prefix Translation. (I don't have the RFC handy, sorry.)

-Adam

> -----Original Message-----
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Vick Khera
> Sent: August 2, 2017 21:20
> To: pfSense Support and Discussion Mailing List
> Subject: Re: [pfSense] IPv6 1:1 NAT problems
>
> Is NAT even a thing with IPv6?
[pfSense] IPv6 1:1 NAT problems
(If you work for Netgate – would a paid support subscription include helping me diagnose the problem here, and get this working? I'm not 100% clear if this is in scope or not.)

I've encountered an – apparently – unusual problem when trying to enable 1:1 NAT for IPv6. I'm also having a similar problem with NPt, actually, and since they both seem to use the same pf(4) "binat" directive, I suspect they might be related.

All IPs here are obfuscated because the list gets archived, but the last two octets/hextets[1] and subnet masks are all copied as-is. I'll be happy to provide actual IP addresses in private emails, if you think that's where my problem lies.

Scenario:
* OVH private cloud (so same non-delegated, NDP-only IPv6 address space I've mentioned previously)
* pfSense VM was deployed from official OVA file
* OVH has allocated 1:2:3:4::/56, 1.2.3.48/28 and a few more IPv4 subnets, all bound to the same router interface on their end, connected to the WAN VLAN on the pfSense VM. The IPv6 allocation is *NOT* delegated, it's a simple interface binding on their router.
* pfSense WAN address is 1.2.3.49/28 and 1:2:3:4::49/56. Default gateways are 1.2.3.62 and 1:2:3:4:::::.
* pfSense LAN address is 10.1.1.1/24 and fd60::1/64. It is the default gateway.
* One other VM exists on the "LAN" V(X)LAN[2], providing public services over tcp/80, tcp/443 and tcp/22.
* Firewall rules are trivial for debugging purposes: Allow Any/Any/Any on WAN and Allow Any/Any/Any on LAN.
* IPv4 Proxy ARP VIP exists for 1.2.3.50/28
* 1:1 NAT for 1.2.3.50/32 <-> 10.1.1.2/32 exists, seems to work fine.

Notes:
* I have multiple tenants within my OVH private cloud.
* I want them all on separate VLANs, both to slightly increase security (no sniffing/snooping/spoofing attacks) and also to simplify IPSec tunnel setup.
* I can't use NPt because OVH isn't delegating or routing that /56 to me. (If they would just &^%$#@! *route* the blocks to me, I'd be done a month ago…)
* I'm "allocating" /64s out of that /56 for each customer purely administratively, i.e. on paper

What's happening (that I think is a bug):
* pfSense itself has IPv6 connectivity at this point, yay.
* I create a VIP for 1:2:3:4::50/56.
* If and only if the VIP type is "IP Alias", then:
  * Other VMs on the same WAN segment can ping :50.
  * External nodes cannot ping :50, until I force a "gratuitous NDP" (that shouldn't even be a thing…) by pinging the default gw with the source address set to :50. There might be a timer involved and I'm too impatient? Dunno, anyway this gets global traffic routing working.
  * The moment I create a 1:1 NAT entry for 1:2:3:4::50/128 <-> fd60::2/128, all IPv6 on the WAN stops working. pfSense no longer replies to Neighbour Solicitation packets from the gateway, which… well… breaks IPv6 pretty thoroughly. I can still see the incoming NDP packets using tcpdump, but no responses.
* But:
  * If I do this with "Proxy ARP" VIP instead of "IP Alias" VIP, I can never ping :50, but creating the 1:1 NAT entry still breaks IPv6 on the WAN interface.
  * If I set the WAN interface address to something elsewhere in the range (e.g. 1:2:3:5::1/56) and then set up NPt between, say, 1:2:3:4:0/64 (WAN) and fd60::/64 (LAN), IPv6 from pfSense itself does not break, but pfSense also does not respond to Neighbour Solicitations for IPs in that range, so I don't have functional IPv6 to or from the LAN. This is a documented limitation, and it's not supposed to work.

So I'm lost. Why on earth would *creating* a 1:1 NAT entry for a pair of /128s break IPv6 (NDP, anyway) for the firewall itself? Why does creating the equivalent NPt mapping *not* break the firewall?

While I'm pissed at OVH for refusing to delegate or route the /56, it seems this should still be *possible*, even if awkward, to deploy. But my IPv6 breakage seems very weird – but what on earth could I be doing SO differently that it breaks for me but no-one else?

Thanks,
-Adam

[1] https://en.wikipedia.org/wiki/Hextet - you got a better word? Let me know!
[2] From pfSense's perspective, it's just another segment. Internally, OVH uses VMware NSX VXLANs to emulate VLANs to emulate broadcast domains. As far as I can tell, this "just works". It doesn't seem to be part of the problem, anyway.
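What an NPt mapping does to an address, as an added example that serves both the "Network Prefix Translation" remark in the 1:1 NAT thread above and the 1:2:3:4::/64 to fd60::/64 NPt attempt in this message; this is illustration code I wrote, not pfSense's NPt or pf's binat implementation. RFC 6296 defines NPTv6 as a checksum-neutral mapping: the prefix is swapped and one 16-bit word of the address is adjusted so that the one's-complement sum TCP, UDP and ICMPv6 fold into their checksums is unchanged, which is what lets the translator stay stateless without touching transport headers. The code implements that scheme for equal prefix lengths that are multiples of 16 up to /64, using the thread's obfuscated prefixes as constructed input. Two things are my choices rather than the RFC's text: normalising an adjusted word of 0xFFFF to 0x0000, and the limited set of prefix lengths. Note what the /64 case shows: the outside address is not a plain prefix swap (fd60::2 becomes 1:2:3:4:fd56::2), which matters if you expect reverse DNS to line up by interface identifier. Whether pf's binat behind pfSense's NPt adjusts the IID this way or rewrites only the prefix and fixes up transport checksums is not something this thread establishes, so check before relying on either.

```python
import ipaddress


def ones_add(a: int, b: int) -> int:
    """16-bit one's complement addition with end-around carry."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)


def ones_sub(a: int, b: int) -> int:
    """16-bit one's complement subtraction: a + (~b)."""
    return ones_add(a, (~b) & 0xFFFF)


def ones_sum(words) -> int:
    """One's complement sum of a sequence of 16-bit words (as in RFC 1071)."""
    total = 0
    for w in words:
        total = ones_add(total, w)
    return total


def to_words(addr: ipaddress.IPv6Address):
    """Split a 128-bit address into eight 16-bit words."""
    return [int.from_bytes(addr.packed[i:i + 2], "big") for i in range(0, 16, 2)]


def from_words(words) -> ipaddress.IPv6Address:
    return ipaddress.IPv6Address(b"".join(w.to_bytes(2, "big") for w in words))


def address_sum(addr) -> int:
    """The quantity a checksum-neutral translator must preserve."""
    return ones_sum(to_words(ipaddress.IPv6Address(addr)))


def npt_translate(addr, src_prefix, dst_prefix) -> ipaddress.IPv6Address:
    """Map addr from src_prefix to dst_prefix, checksum-neutrally (RFC 6296 style).

    Illustration only: handles equal prefix lengths of 16, 32, 48 or 64 bits.
    """
    addr = ipaddress.IPv6Address(addr)
    src = ipaddress.IPv6Network(src_prefix)
    dst = ipaddress.IPv6Network(dst_prefix)
    plen = src.prefixlen
    if plen != dst.prefixlen or plen % 16 or plen > 64:
        raise ValueError("example supports equal prefix lengths of 16/32/48/64 only")
    if addr not in src:
        raise ValueError(f"{addr} is not within {src}")
    n = plen // 16
    words = to_words(addr)
    src_words = to_words(src.network_address)[:n]
    dst_words = to_words(dst.network_address)[:n]
    # Swapping the prefix changes the address sum by (dst - src); adding
    # (src - dst) to one other word restores it.
    delta = ones_sub(ones_sum(src_words), ones_sum(dst_words))
    words[:n] = dst_words
    # /48 or shorter: adjust the subnet field (word 3).  Longer: adjust the first
    # interface-identifier word that is not 0xFFFF, so both directions pick the
    # same word.
    candidates = [3] if plen <= 48 else [4, 5, 6, 7]
    for i in candidates:
        if words[i] != 0xFFFF:
            adjusted = ones_add(words[i], delta)
            # 0xFFFF and 0x0000 are both zero in one's complement; storing 0x0000
            # keeps the reverse direction from skipping this word (my simplification).
            words[i] = 0 if adjusted == 0xFFFF else adjusted
            break
    else:
        raise ValueError("no adjustable word: all candidate words are 0xFFFF")
    return from_words(words)


# Constructed scenario using the obfuscated prefixes from the message above:
# the LAN fd60::/64 is presented to the outside as 1:2:3:4::/64.
LAN_PREFIX = "fd60::/64"
WAN_PREFIX = "1:2:3:4::/64"


def outbound(lan_addr) -> str:
    return str(npt_translate(lan_addr, LAN_PREFIX, WAN_PREFIX))


def inbound(wan_addr) -> str:
    return str(npt_translate(wan_addr, WAN_PREFIX, LAN_PREFIX))


def is_checksum_neutral(a, b) -> bool:
    return address_sum(a) == address_sum(b)


if __name__ == "__main__":
    lan = "fd60::2"
    wan = outbound(lan)
    print(f"{lan} -> {wan}  (checksum neutral: {is_checksum_neutral(lan, wan)})")
    print(f"{wan} -> {inbound(wan)}")
```

The round trip (outbound then inbound gives the original address back) is what makes the scheme stateless: neither direction needs a table, only the two prefixes. For a /48 mapping the adjustment lands in the subnet word instead, so the interface identifier survives untouched; that is the case where reverse DNS by IID keeps working.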
Re: [pfSense] IPv6 problem at OVH
I've got IPv4 working, as I said, using the Proxy ARP (or IP Alias, both work) VIP. I still don't have IPv6 working, though. I'm running into a situation where 1:1 NAT for IPv6 seems to either a) simply not work at all, or b) utterly kill all IPv6 on the firewall for reasons I don't understand yet.

Before I dive into details, can anyone confirm that they have 1:1 NAT working for IPv6 in production? (Eh, I'll start a new thread anyway.)

-Adam

> -----Original Message-----
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Jon Copeland
> Sent: August 1, 2017 16:10
> To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
> Subject: Re: [pfSense] IPv6 problem at OVH
>
> We have this exact setup. You are correct, you will need Virtual IPs for each public WAN IP that OVH have assigned you. We have separate services listening on x.x.x.1, x.x.x.2, x.x.x.3 etc, works like a charm.
>
> JC
>
> -----Original Message-----
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Adam Thompson
> Sent: August-01-17 12:57 PM
> To: list@lists.pfsense.org
> Subject: [pfSense] IPv6 problem at OVH
>
> Wondering how anyone else manages (or would manage) this scenario:
>
> * Private Cloud at OVH. (Runs VMware, which isn't terribly relevant AFAICT.)
> * OVH provides a single VLAN that is connected directly to their router
> * ALL public IP addresses are terminated on that VLAN (i.e. bound directly to that interface on their router) including the entire IPv6 /56.
> *** As a consequence, all IPv4 addresses must respond to ARP, and all IPv6 addresses must respond to NDP, in order to be successfully publicly routed.
> (And yes, they gave me an entire /56 of IPv6... that isn't routed or broken up in any way. And they won't subnet or route anything to me. Yay.)
> * Meanwhile, I have public services (multiple tenants) running on multiple VLANs, each behind a single pfSense firewall with a WAN interface in the massive public-address-space VLAN.
> * I very much want the service address to be different from the firewall address, i.e. the firewall WAN i/f might be bound to 1.2.3.4, then I want the publicly-accessible service to live at 1.2.3.5, so that I can distinguish based on reverse DNS whether outbound connections are coming from the firewall or from the customer's server. This works great with IPv4, a Proxy ARP VIP, and 1:1 NAT.
> * I also need to provide IPv6 connectivity inbound AND outbound, ideally with the same reverse-dns differentiation.
>
> I've tried 1:1 NAT, which seems to break IPv6 altogether every time I configure it (although JimP can't reproduce it yet, so presumably it's somehow environment-specific). I'm unclear whether this will work anyway with the NDP adjacency requirement.
>
> I've tried NPt, which doesn't do NDP, and so doesn't work in this scenario.
>
> The next thing I can try (but haven't yet) is an IP Alias VIP with Port Forwarding, and then... maybe a custom Outbound NAT rule?
>
> Am I missing something fundamental? I know what OVH is doing is stupid (NDP for an entire /56? Fee fi fo fum, I smell a DoS attack...), but they have 2000+ other customers on this exact platform, surely ONE of them must have a similar situation! I know IPv6 is new, but ... surely one of them must run IPv6?
>
> Again: IPv4 isn't a problem because Proxy ARP works great and solves the silliness of them not routing those allocated subnets to me. IPv6 is a problem because pfSense has to handle NDP *and* do NAT and I can't find a way to make it do that properly.
>
> Thoughts/opinions/brickbats welcome.
> -Adam
>
> P.S. I seem to not be receiving emails from the list reliably, kindly CC me if you don't mind...
Re: [pfSense] IPv6 problem at OVH
I can't speak to their other platforms, but the Private Cloud offering is based on VMware, and does not permit the use of MAC addresses other than the one assigned to the VM. So CARP immediately fails there.

Amusingly (not), there's even a special plug-in in the VMware client that is supposed to let me enable "OVH CARP" (it appears its function is to toggle the VMware distributed vSwitch setting allowing "forged" MAC addresses and promiscuous mode) but it doesn't actually work, as it relies on the cluster being connected to a Cisco Nexus 1000v vSwitch, which OVH appears to have deprecated and removed.

So, in any case, anything that requires MAC address changes won't work.

-Adam

> -----Original Message-----
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Olivier Mascia
> Sent: August 2, 2017 02:31
> To: pfSense Support and Discussion Mailing List
> Subject: Re: [pfSense] IPv6 problem at OVH
>
>> On 2 August 2017 at 00:39, Matthew Hall wrote:
>>
>>> The real issue is that HA setup of a couple of pfSense is impossible with such an awkward IPv6 setup as OVH imposes on us.
>>
>> Just curious: how does it break CARP + pfSync?
>
> I don't have the exact specifics in memory right now, but I'll see to dust off some old notes. I remember it was inextricable. But could be a bug in VRRP implementation on OVH side and nothing to do with the way they (don't) route the IPs (as CARP + pfSync works fine on IPv4 on the same platform and the way they deliver IPv4).
>
> Without those notes, the most specific I remember is that packets were coming in randomly on the master (processing them) and the slave (properly ignoring them). Just as if the same MAC was seen on both on their OVH side.
>
> --
> Best Regards, Meilleures salutations, Met vriendelijke groeten,
> Olivier Mascia, http://integral.software
[pfSense] IPv6 problem at OVH
Wondering how anyone else manages (or would manage) this scenario:

* Private Cloud at OVH. (Runs VMware, which isn't terribly relevant AFAICT.)
* OVH provides a single VLAN that is connected directly to their router
* ALL public IP addresses are terminated on that VLAN (i.e. bound directly to that interface on their router) including the entire IPv6 /56.
*** As a consequence, all IPv4 addresses must respond to ARP, and all IPv6 addresses must respond to NDP, in order to be successfully publicly routed.
(And yes, they gave me an entire /56 of IPv6... that isn't routed or broken up in any way. And they won't subnet or route anything to me. Yay.)
* Meanwhile, I have public services (multiple tenants) running on multiple VLANs, each behind a single pfSense firewall with a WAN interface in the massive public-address-space VLAN.
* I very much want the service address to be different from the firewall address, i.e. the firewall WAN i/f might be bound to 1.2.3.4, then I want the publicly-accessible service to live at 1.2.3.5, so that I can distinguish based on reverse DNS whether outbound connections are coming from the firewall or from the customer's server. This works great with IPv4, a Proxy ARP VIP, and 1:1 NAT.
* I also need to provide IPv6 connectivity inbound AND outbound, ideally with the same reverse-dns differentiation.

I've tried 1:1 NAT, which seems to break IPv6 altogether every time I configure it (although JimP can't reproduce it yet, so presumably it's somehow environment-specific). I'm unclear whether this will work anyway with the NDP adjacency requirement.

I've tried NPt, which doesn't do NDP, and so doesn't work in this scenario.

The next thing I can try (but haven't yet) is an IP Alias VIP with Port Forwarding, and then... maybe a custom Outbound NAT rule?

Am I missing something fundamental? I know what OVH is doing is stupid (NDP for an entire /56? Fee fi fo fum, I smell a DoS attack...), but they have 2000+ other customers on this exact platform, surely ONE of them must have a similar situation! I know IPv6 is new, but ... surely one of them must run IPv6?

Again: IPv4 isn't a problem because Proxy ARP works great and solves the silliness of them not routing those allocated subnets to me. IPv6 is a problem because pfSense has to handle NDP *and* do NAT and I can't find a way to make it do that properly.

Thoughts/opinions/brickbats welcome.
-Adam

P.S. I seem to not be receiving emails from the list reliably, kindly CC me if you don't mind...
Re: [pfSense] pfsense twitter account making rude comments.
Not just default - many MUAs (gmail, outlook, virtually every web-based service) don't correctly handle or in some cases even _permit_ the traditional method at all. Much like IRC and two spaces after a period, in-line or appended replies are now historical relics, broadly replaced by things that completely ignore the older technologies' design decisions and strengths. Welcome to the future. :-(

-Adam

On February 23, 2017 12:51:44 AM CST, Jim Thompson wrote:
> Because that's what most MUAs default to these days. (joke intended)
>
> On Thu, Feb 23, 2017 at 12:38 AM, WebDawg wrote:
>> Why does everyone top post on this list?
Re: [pfSense] SG-1000 and VPN
Jim,

Asking you to speculate here... Assuming someone *is* working on drivers for the chip's crypto capabilities, when that finally happens, do you have any notion of how much faster IPsec will get? Are we talking 2x or 100x?

-Adam

On January 25, 2017 7:45:49 PM CST, Jim Thompson wrote:
> Steve,
>
> It currently does 21mbps IPsec (aes-gcm-128), in a lab environment, because there is no driver for the crypto core (yet).
>
> OpenVPN is slightly slower (19 Mbps).
>
> It's always strange to see your name on the list. The president of ADI shares your name, so I tend to pay a lot more attention to what you post.
>
> Jim
>
>> On Jan 25, 2017, at 6:15 PM, Steve Yates wrote:
>>
>> That's what I'm trying to ask, if the SG-1000 would work for that.
>>
>> --
>> Steve Yates
>> ITS, Inc.
>>
>> -----Original Message-----
>> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of A Mohan Rao
>> Sent: Tuesday, January 24, 2017 11:41 PM
>> To: pfSense Support and Discussion Mailing List
>> Subject: Re: [pfSense] SG-1000 and VPN
>>
>> better u can use site to site vpn is best solution.
>>
>>> On Wed, Jan 25, 2017 at 11:08 AM, WebDawg wrote:
>>> On Tue, Jan 17, 2017 at 10:16 AM, Steve Yates wrote:
>>>> We have a client who wants to set up one remote user (in a fixed location) with a hardware VPN connection back to the office. The office has about 5 active PCs at any given time. This would be the only VPN user.
>>>>
>>>> Has anyone used one of the new micro SG-1000 units with a VPN yet? Either as a remote site or as a SOHO router + VPN host? Just wondering how the ARM CPU would stack up. The specs say 200k active (non-VPN) connections...
[pfSense] IGMP querier?
In pfSense 2.3, how do I cause the firewall to generate IGMPv2 or v3 Query packets? I know there's an IGMP proxy feature, but that's kind of useless without a querier.

I don't actually need the firewall to do multicast routing, I just need a querier so snooping works on one of my subnets.

Thanks,
-Adam
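For the question above, an added example of the missing piece, not pfSense code and not something the list supplied: a minimal IGMP querier in Python. It builds IGMPv2 (RFC 2236) and IGMPv3 (RFC 3376) General Query packets with a correct checksum and, when run as root, sends one to 224.0.0.1 at the RFC default interval so that snooping switches on the segment see a querier. The LAN address 192.168.10.1 is a placeholder, and the raw-socket option calls follow the Linux and FreeBSD manual pages rather than having been verified on a pfSense box.

```python
"""Minimal IGMP General Querier (added example, not pfSense code)."""
import socket
import struct
import time

ALL_HOSTS = "224.0.0.1"
IGMP_MEMBERSHIP_QUERY = 0x11
# IP Router Alert option (RFC 2113); IGMPv3 queries are required to carry it.
ROUTER_ALERT = b"\x94\x04\x00\x00"


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; odd-length input is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_query(version: int = 2, max_resp_tenths: int = 100,
                group: str = "0.0.0.0", qrv: int = 2, qqic: int = 125) -> bytes:
    """Build a General Query (group 0.0.0.0) or Group-Specific Query.

    max_resp_tenths is the Max Response Time in 1/10 s (100 = 10 s, the RFC
    default). For IGMPv3 it must stay below 128 to be a plain, not
    exponent-encoded, Max Resp Code. qrv and qqic are the v3 robustness and
    query-interval fields; the S (suppress router-side processing) flag is
    left clear.
    """
    if version == 2:
        body = struct.pack("!BBH4s", IGMP_MEMBERSHIP_QUERY, max_resp_tenths, 0,
                           socket.inet_aton(group))
    elif version == 3:
        if max_resp_tenths >= 128:
            raise ValueError("Max Resp Code >= 128 needs the exponent encoding")
        body = struct.pack("!BBH4sBBH", IGMP_MEMBERSHIP_QUERY, max_resp_tenths, 0,
                           socket.inet_aton(group), qrv & 0x07, qqic, 0)
    else:
        raise ValueError("version must be 2 or 3")
    # The checksum covers the whole IGMP message with the checksum field zeroed.
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def verify_query(packet: bytes) -> bool:
    """True if packet is a Membership Query whose checksum validates (sums to 0)."""
    return (len(packet) >= 8 and packet[0] == IGMP_MEMBERSHIP_QUERY
            and inet_checksum(packet) == 0)


def run_querier(iface_ip: str, version: int = 2, interval: int = 125) -> None:
    """Send General Queries forever. Needs root for the raw IGMP socket.

    RFC 2236 section 3: if another querier with a lower address is seen on
    the segment this one should go silent. That election is not implemented,
    so run exactly one instance per subnet.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_IGMP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)  # link-local only
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_IF, socket.inet_aton(iface_ip))
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_OPTIONS, ROUTER_ALERT)
    query = build_query(version)
    while True:
        sock.sendto(query, (ALL_HOSTS, 0))
        time.sleep(interval)


if __name__ == "__main__":
    run_querier("192.168.10.1", version=2)  # assumed LAN interface address
```

The TTL of 1 and the Router Alert option are what keep the query on the local segment and what RFC 3376 requires hosts to check before processing it; a "querier" that omits them is ignored by IGMPv3 stacks, which looks exactly like snooping not working.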
Re: [pfSense] USB3 to ethernet adaptor
On 16-05-02 06:20 AM, Rafael Aquino wrote:
> From: "Frans Meulenbroeks"
>> Has anyone experience using USB3 to ethernet adapters? I need an extra interface but my HW (Intel NUC) does not have room for another card. Anything recommendable?
>>
>> Best regards, Frans.
>
> Hi there,
>
> I've tried once a USB Multi-function Lan Adapter (it's also a USB3 hub) with PFSense, 2.2.x. I've connected the internet on it, and used the onboard NIC as LAN Interface. I've experienced some strange behaviors, like some instability on the internet when traffic has raised. Some logs were shown on the screen by the time the problems occurred. It was a test for a client, so I've replaced the machine to solve those problems, but I believe I was using a cheap adapter (I can't tell you the manufacturer, because it doesn't say on it).

In general, all USB ethernet adapters will be at least *slightly* unreliable, regardless of whether it's USB3 or USB2. Your best bet is:

a) find one with a well-supported chipset in FreeBSD (this is *much* easier said than done, sorry...)
b) connect it as close to the on-board USB hub as possible; on some motherboards, the USB ports around the case are not all equal; some are multiplexed via an extra internal (on-chip) hub while some aren't. The fewer hubs between the core chipset and the adapter, the better.
c) find a way to guarantee electrical and mechanical connection. Consider using LocTite(r) Blue or similar low-strength bonding agent on the USB port to secure against vibration and gravity. (Also consider that you can never get all of it off, so don't plan on re-using that port for anything else later.)
d) disable all USB power management related settings in the BIOS

-Adam
[pfSense] DNS secondary server on 2.3?
OK, I'm lost... In v2.3, what service, and/or where in the GUI, should I go to make pfSense act as a slave (authoritative) DNS server?

On a related note, in Services / DNS Resolver / General Settings, what does "DNS Query Forwarding" do? There's no description, so I assume if it's *not* set, unbound starts at the root servers, and if it *is* set, unbound tries my upstream ISP's servers first (based on the system global DNS settings)?

Thanks,
-Adam
[pfSense] IKEv2 with LDAP or RADIUS?
I just watched the last hangout that jimp did on Remote Access VPNs, and I'm wondering: is there no way to do user authentication against a back-end LDAP or RADIUS server when using IKEv2-EAP-MSCHAP2?

Thanks,
-Adam
Re: [pfSense] Access Point Recommendations?
Oh, god, not again...

Search the list archives from about a month ago. The consensus was, roughly, that the Ubiquiti UniFi products were pretty good but had some quirks. As I recall, everything else discussed was either:
- insanely expensive, or
- crap (or both), or
- only works well for one or two people on the list.

(Note that the UniFi controller does *not* need to be running 24x7, or ever again for that matter, for basic single AP setups.)

-Adam

On August 23, 2015 10:36:57 PM CDT, Volker Kuhlmann <hid...@paradise.net.nz> wrote:
> Does anyone have any recommendations for a/ac models, AP only, as in only radio, no router/switch stuff? Dumb is good, I use pfsense already and don't need more complexity in closed-source buggy devices. Single-RJ45 perfect, as soon as there are LAN and WAN ports the problems start (like everyone thinking the only secure way to configure the AP is over the wifi!).
>
> Thanks,
>
> Volker
>
> --
> Volker Kuhlmann is list0570 with the domain in header.
> http://volker.top.geek.nz/
> Please do not CC list postings to me.
Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?
I'm 95% sure the answer is "wait for the developers to fix those issues" and/or "become a developer and fix those issues" :-).

Configuration of lighttpd is controlled by the pfSense management framework, so once you discover the correct invocation, you could locally modify the PHP file that generates the configuration. In theory, all you need to add to /var/etc/lighty-webConfigurator.conf would be

ssl.cipher-list = "DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:AES128-SHA:DES-CBC3-SHA:DES-CBC3-MD5:RC4-SHA:RC4-MD5"

but you need to find where in the PHP framework that file gets written. I can't find it in under 60 seconds, so you're on your own there.

As to updating sshd, that's replacing a core piece of the system. I'm not even going to speculate how or what the impact would be.

-Adam

On 07/24/2015 03:51 PM, Ted Byers wrote:
> I have checked our installation of our website (a classic protected LAN with a DMZ formed by two pfsense machines serving as our inner and outer firewall, and one machine in the DMZ and the rest behind the inner firewall) using a PCI scanner.
>
> The PCI scan identified two vulnerabilities WRT our pfsense machines.
>
> First, the scanner complains that TLS1 is supported and we need to restrict it to TLS1.2. We modified the configuration of lighttpd to use TLS1.2, but that did not make the complaint go away, so is there anything else that uses TLS that we need to reconfigure to use only TLS1.2?
>
> Second, it appears that ssh-server on pfsense is version 6.6 and it would be good if we can upgrade that to 6.9 or better (well, if there is better - the scan only complains if the version is earlier than 6.9).
>
> If we can fix these two things, a little over half of the complaints from the scanner will be resolved.
>
> I have spent a couple of days using google, trying to resolve these, but to no avail (compounded by the fact the signal to noise ratio in my searches was abysmal).
>
> Thanks
>
> Ted
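Whichever file the cipher list ends up in, the useful check is the one the scanner is doing: open one handshake per TLS version and see which ones the listener still completes. The probe below is an added example, not code from the thread or from pfSense; the target 192.0.2.1 is a placeholder for the webConfigurator address, and the audit rules reflect what PCI-style scanners flag rather than any particular vendor's policy.

```python
"""Probe which TLS protocol versions a listener accepts and flag the legacy
ones (added example; host and port are assumptions)."""
import socket
import ssl
import sys
import warnings

# Versions in the order a scanner typically reports them.
VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

# What a PCI DSS scan treats as a finding: TLS 1.0 (and SSLv3) are not
# "strong cryptography"; TLS 1.1 is flagged by most scanners as well.
LEGACY = {"TLSv1", "TLSv1.1"}


def accepts_version(host, port, version, timeout=5.0):
    """True if the server completes a handshake pinned to exactly `version`.

    Nothing is verified: the question is whether the handshake happens, not
    whether the certificate is trusted. A client-side refusal (a modern
    OpenSSL whose security level forbids TLS 1.0) also shows up as False, so
    confirm an unexpected False with `openssl s_client -tls1` before
    concluding the server rejected it.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)  # TLSv1/1.1 pins
        ctx.minimum_version = version
        ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False


def probe(host, port=443):
    """Map version name -> accepted? for every version in VERSIONS."""
    return {name: accepts_version(host, port, v) for name, v in VERSIONS.items()}


def audit(results):
    """Turn a probe result into scanner-style findings (pure function)."""
    accepted = {name for name, ok in results.items() if ok}
    findings = [f"{name} accepted; restrict the listener to TLS 1.2+"
                for name in sorted(LEGACY & accepted)]
    if not (results.get("TLSv1.2") or results.get("TLSv1.3")):
        findings.append("no TLS 1.2 or 1.3 offered; clients will fall back or fail")
    return findings


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"  # assumed WebGUI address
    result = probe(target)
    for name, ok in result.items():
        print(f"{name:8s} {'accepted' if ok else 'rejected'}")
    for finding in audit(result):
        print("FINDING:", finding)
```

Run it against every TLS listener on the box, not just port 443: the scanner in the thread kept complaining after lighttpd was changed, and a second service (OpenVPN with TLS auth, a captive portal HTTPS listener, a package's own web UI) answering on another port is the usual reason.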
Re: [pfSense] Access Point Recommendations?
On 2015-07-23 10:46 AM, Karl Fife wrote:
> Your point about having a one-off solution is a great one. Installing a single UniFi AP would be unnecessarily complex. The TP-Link TL-WA801nd is a BGN-only device. Do you (or anyone) have a preferred stand-alone AC access point?

Not a recommendation at all, but stay away from EnGenius devices. OK hardware, good price, but (e.g.) my AP comes with an open DNS resolver that can't be disabled, and they don't seem to think it's a problem at all...

--
-Adam Thompson
athom...@athompso.net
+1 (204) 291-7950 - cell
+1 (204) 489-6515 - fax
Re: [pfSense] SG-4860 vs. support pricing question
On 07/21/2015 09:37 AM, Jim Pingle wrote:
> On 07/20/2015 07:09 PM, Adam Thompson wrote:
>> But I do have one issue/question/comment about the pricing of that bundle: there are still only 2 support incidents bundled. It seems that if I bought two 4860s and tie-wrapped them to my own shelf, I'd wind up paying almost the same amount (maybe $75 more if I had to buy a new shelf) but would get 4 support incidents included with my purchase.
>
> Good news! The wording on the page is wrong, it does come with four. Both units can be registered individually. We'll get that wording cleared up.

Great! Now I can recommend it.

Next question: extended warranty, to wit: can I purchase an extended warranty on these units?

-Adam
[pfSense] Multiple IPsec Mobile phase1s?
If I'm using Mobile IPsec, how do I create a Phase 1 for IPv4 and then another Phase 1 for IPv6? The "Create Phase 1" button on the Mobile Clients tab only exists when there is no Phase 1 entry for mobile clients, and it doesn't seem to be possible to manually create a Phase 1 entry for mobile clients without clicking that button.

Help...

--
-Adam Thompson
athom...@athompso.net
[pfSense] SG-4860 vs. support pricing question
I see the redundant SG-4860 bundle with shelf is now available on the pfSense store, and I also see that the 2440 and 4860 appear to be shipping now. This is great! (I'm probably still waiting for the 2220, though, since it's hard to justify anything else when I can't get anything faster than DSL or Cable in this building.)

But I do have one issue/question/comment about the pricing of that bundle: there are still only 2 support incidents bundled. It seems that if I bought two 4860s and tie-wrapped them to my own shelf, I'd wind up paying almost the same amount (maybe $75 more if I had to buy a new shelf) but would get 4 support incidents included with my purchase.

Also, the price for a 2-incident support pack is $399, but I can buy a SG-2220 for only $299 and get the same # of support incidents.

Have I missed something? Is this intentional?

--
-Adam Thompson
athom...@athompso.net
Re: [pfSense] Multiple IPsec Mobile phase1s?
I figured out part of the answer to my own question:

Manually navigate to "https://pfsense/vpn_ipsec_phase1.php?mobile=true" to create Mobile IPsec phase 1 entries. No idea what that breaks, yet.

--
-Adam Thompson
athom...@athompso.net

From: Adam Thompson
Sent: Monday, July 20, 2015 17:08
To: pfSense support and discussion

> If I'm using Mobile IPsec, how do I create a Phase 1 for IPv4 and then another Phase 1 for IPv6? The "Create Phase 1" button on the Mobile Clients tab only exists when there is no Phase 1 entry for mobile clients, and it doesn't seem to be possible to manually create a Phase 1 entry for mobile clients without clicking that button.
>
> Help...
>
> --
> -Adam Thompson
> athom...@athompso.net
Re: [pfSense] odd issue with pfsense and juniper
My first instinct is to look at PVST+ interoperability issues because of the multi-vendor network, but we need a LOT more detail on the network topology to even make intelligent guesses. You've essentially said "I've got this car, with four Goodyear tires, and my trailer makes a funny noise. FYI, my other car works fine. What's wrong?"

Start anyway by looking on the Cisco switches for spanning tree ports in ErrDisable state. Read the switch logs, look for flapping or inconsistent ports.

Also, cross-posting is considered rude. At least provide a link to the related discussion on the forum!

-Adam

On July 9, 2015 2:55:59 PM CDT, Tom Ryan <tom0r...@gmail.com> wrote:
> all,
>
> I posted this to the forums but haven't been able to resolve it yet.
>
> Our setup is multiple cisco switches trunked together and a juniper router. We have private and public vlans and a pfsense box bridging the two together in a transparent filtering bridge mode.
>
> If a device is connected to a private vlan on the same switch that the pfsense box is, everything works ok. If it is on another switch, it can communicate with the pfsense box and other devices on any switch on the private vlan but not pass the gateway (i.e. move it from private vlan x on switch 1 (where it works) to private vlan x on switch 2 and it fails.)
>
> This setup worked fine when the router was a cisco model. It also works fine for the private vlan that is currently protected by a sonicwall in transparent mode.
>
> Any ideas?
>
> Thanks
[pfSense] IKEv2 agile VPN from Win7/Win8 to pfSense 2.2.2
OK, I talked to Chris last week and he confirmed that using the built-in IKEv2 VPN client in Win7/win8 with pfSense is definitely possible. He even knows of a few people who do it.

The StrongSwan documentation is OK, but I've tried to follow it... and no success. The IKEv2 client itself, of course, is renowned for crummy diagnostics - you get one generic error, almost no matter what happens. (Kind of reminds me of using ed(1). Maybe Rob Pike works for MS now? grin)

I need to achieve zero-touch remote VPN users - I don't want to have to send them a file, install a certificate or CA on their device, configure their device, etc. Put another way, I need to be able to use an arbitrary device, never before connected to my network, to establish a VPN connection from anywhere, by anyone.

So far, PPTP and IKEv2 (using EAP-MSCHAPv2) appear to be the only options, and while PPTP works fine, it's insecure. (This isn't actually a problem for my use case, but since it's going away and certainly isn't getting any love in pfSense, I'm leaving it behind.)

IKEv2 just... never works. I'm pretty darn sure (99.999%) my certificate meets the requirements. Are there any tricks that aren't obvious?

Thanks,
-Adam Thompson
athom...@athompso.net
Re: [pfSense] IKEv2 agile VPN from Win7/Win8 to pfSense 2.2.2
The issue with OpenVPN is merely that I have to prime each client system with both software and configuration file(s), which isn't always possible or feasible in my environment.

-Adam

On June 17, 2015 10:22:04 AM CDT, Ermal Luçi <e...@pfsense.org> wrote:
> On Wed, Jun 17, 2015 at 4:40 PM, Steve Yates <st...@teamits.com> wrote:
>> Jim Pingle wrote on Wed, Jun 17 2015 at 9:00 am:
>>> are with the certificate, either with generating the cert (missing the SAN, for example)
>>
>> I banged my head against Windows VPN for a bit before finding out it doesn't support wildcard certs...seems *.example.com doesn't match the hostname if the hostname doesn't have the * in it... OpenVPN requires a self-signed cert.
>
> Can you report the issue with OpenVPN on self-signed cert?
>
>> --
>> Steve Yates
>> ITS, Inc.
Re: [pfSense] Single IP - DMZ a single port
...this is what you wind up with normally, until/unless you create a rule explicitly allowing the DMZ host to talk to the LAN, so yes, it's definitely possible.

-Adam

On June 6, 2015 8:18:35 AM CDT, Marc R. Meshurle Jr. <m...@katotech.com> wrote:
> Here's a question - I have a single IP with my ISP and want to take one TCP port and send it to a DMZ for access from the public WAN and internal LAN but the DMZ can't talk to the LAN, only the WAN port. Yes, I know I can call my ISP and get another IP, but it is for limited use and don't want to spend the extra cash for a limited use port value, but the server needs to be in the DMZ. Can I create a DMZ from a single IP on the WAN with a TCP Port being sent to a DMZ?
>
> Thanks!
>
> Marc
Re: [pfSense] reverse proxy situation
Oh, shoot, that's a good point - I probably do need SNI support for SSL. I may be able to get a wildcard cert, but that will be an issue one way or another.

Varnish doesn't support SSL at all, although I could theoretically do it with stunnel and a wildcard cert. Squid does support SSL, but appears to require a wildcard cert. Squid3 *may* support SNI, can't tell. Haproxy supports SNI; hopefully the pfSense package is new enough to include that. Apache supports SNI, supposedly.

So I'm still left with a (overly, IMHO) large list. I could also just port-forward TCP/{80,443} to a host behind the firewall and do everything there, too.

Argh, too many options, not enough clarity on which packages are supported vs. which ones are semi-orphaned.

-Adam

On May 30, 2015 11:12:01 PM CDT, Travis Hansen <travisghan...@yahoo.com> wrote:
> If you're looking for pure proxy frontend I'd stick with haproxy or apache (I use haproxy). haproxy provides load balancing and can do other things besides strictly http(s) such as pure tcp and transparent proxy stuff. Apache provides some things like mod_rewrite (I assume the pfsense build comes with that) etc that aren't easily done with haproxy.
>
> I could be wrong but if you're looking for SSL offloading (I ensure all traffic goes over SSL) varnish and squid would be out of the picture.
>
> Travis Hansen
> travisghan...@yahoo.com
>
> On Saturday, May 30, 2015 8:25 PM, Adam Thompson <athom...@athompso.net> wrote:
>> I need to run a reverse proxy on a pfSense gateway - multiple websites, one public IP, the usual reason. However, I see there's a larger selection available than the last time I looked. It appears we now have:
>> * Apache w/mod_security-dev v0.43 / 0.22
>> * haproxy-1_5 v0.23
>> * haproxy-devel v0.24
>> * Proxy Server w/mod_security v0.1.7 / 0.22.999
>> * squid
>> * squid3
>> * varnish3
>>
>> 1. Have I missed any?
>> 2. Are Apache w/mod_security-dev and Proxy Server w/mod_security essentially the same thing?
>> 3. For relatively simple cases (straightforward hostname-to-internal-IP mapping), is there any compelling reason to use one over another on pfSense 2.2 today?
>>
>> FWIW, this firewall is relatively underpowered (PowerEdge 1750, dual 2.4GHz P4-era Xeons).
>>
>> --
>> -Adam Thompson
>> athom...@athompso.net
>> +1 (204) 291-7950 - cell
>> +1 (204) 489-6515 - fax
Re: [pfSense] reverse proxy situation
Reverse proxy. Need to multiplex multiple publicly-accessible, secure websites running on private IPs from a single public IP. It *is* hard to write that both succinctly and unambiguously!

-Adam

On May 31, 2015 8:54:14 AM CDT, Espen Johansen <pfse...@gmail.com> wrote:
> Actually. Are you looking for a reverse proxy or a user proxy? I'm confused after reading your mail a few times.
>
> Brgds, Espen
>
> On 31 May 2015 15:35, Espen Johansen <pfse...@gmail.com> wrote:
>> Exclude varnish, it's primarily made for frontend LB proxy.
>>
>> On Sun, 31 May 2015, 15:32, Adam Thompson <athom...@athompso.net> wrote:
>>> Oh, shoot, that's a good point - I probably do need SNI support for SSL. I may be able to get a wildcard cert, but that will be an issue one way or another.
>>>
>>> Varnish doesn't support SSL at all, although I could theoretically do it with stunnel and a wildcard cert. Squid does support SSL, but appears to require a wildcard cert. Squid3 *may* support SNI, can't tell. Haproxy supports SNI; hopefully the pfSense package is new enough to include that. Apache supports SNI, supposedly.
>>>
>>> So I'm still left with a (overly, IMHO) large list. I could also just port-forward TCP/{80,443} to a host behind the firewall and do everything there, too.
>>>
>>> Argh, too many options, not enough clarity on which packages are supported vs. which ones are semi-orphaned.
>>>
>>> -Adam
>>>
>>> On May 30, 2015 11:12:01 PM CDT, Travis Hansen <travisghan...@yahoo.com> wrote:
>>>> If you're looking for pure proxy frontend I'd stick with haproxy or apache (I use haproxy). haproxy provides load balancing and can do other things besides strictly http(s) such as pure tcp and transparent proxy stuff. Apache provides some things like mod_rewrite (I assume the pfsense build comes with that) etc that aren't easily done with haproxy.
>>>>
>>>> I could be wrong but if you're looking for SSL offloading (I ensure all traffic goes over SSL) varnish and squid would be out of the picture.
>>>>
>>>> Travis Hansen
>>>> travisghan...@yahoo.com
>>>>
>>>> On Saturday, May 30, 2015 8:25 PM, Adam Thompson <athom...@athompso.net> wrote:
>>>>> I need to run a reverse proxy on a pfSense gateway - multiple websites, one public IP, the usual reason. However, I see there's a larger selection available than the last time I looked. It appears we now have:
>>>>> * Apache w/mod_security-dev v0.43 / 0.22
>>>>> * haproxy-1_5 v0.23
>>>>> * haproxy-devel v0.24
>>>>> * Proxy Server w/mod_security v0.1.7 / 0.22.999
>>>>> * squid
>>>>> * squid3
>>>>> * varnish3
>>>>>
>>>>> 1. Have I missed any?
>>>>> 2. Are Apache w/mod_security-dev and Proxy Server w/mod_security essentially the same thing?
>>>>> 3. For relatively simple cases (straightforward hostname-to-internal-IP mapping), is there any compelling reason to use one over another on pfSense 2.2 today?
>>>>>
>>>>> FWIW, this firewall is relatively underpowered (PowerEdge 1750, dual 2.4GHz P4-era Xeons).
>>>>>
>>>>> --
>>>>> -Adam Thompson
>>>>> athom...@athompso.net
>>>>> +1 (204) 291-7950 - cell
>>>>> +1 (204) 489-6515 - fax
[pfSense] reverse proxy situation
I need to run a reverse proxy on a pfSense gateway - multiple websites, one public IP, the usual reason. However, I see there's a larger selection available than the last time I looked. It appears we now have:
* Apache w/mod_security-dev v0.43 / 0.22
* haproxy-1_5 v0.23
* haproxy-devel v0.24
* Proxy Server w/mod_security v0.1.7 / 0.22.999
* squid
* squid3
* varnish3
1. Have I missed any?
2. Are Apache w/mod_security-dev and Proxy Server w/mod_security essentially the same thing?
3. For relatively simple cases (straightforward hostname-to-internal-IP mapping), is there any compelling reason to use one over another on pfSense 2.2 today?
FWIW, this firewall is relatively underpowered (PowerEdge 1750, dual 2.4GHz P4-era Xeons).
--
-Adam Thompson athom...@athompso.net +1 (204) 291-7950 - cell +1 (204) 489-6515 - fax
[pfSense] Snort FATAL error
Whenever I try to start Snort, I see this in my system logs:

snort[23839]: FATAL ERROR: /usr/pbi/snort-i386/etc/snort/snort_51513_em0/snort.conf(414) = Value specified for memcap is out of bounds. Please specify an integer between 1 and 4095.

And, sure enough, snort fails to start. This appears to be a mismatch between the GUI and the version of Snort installed - the GUI thinks the value needs to be converted from MB to bytes, whereas the Snort binary appears to want megabytes. I think. Turning AppID off makes the problem go away.
Am I doing something wrong, or is this a bug?
--
-Adam Thompson athom...@athompso.net +1 (204) 291-7950 - cell +1 (204) 489-6515 - fax
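An added example, not code from the thread or from the pfSense Snort package: a small pre-start check over snort.conf text that flags a memcap which falls outside the 1..4095 range quoted in the error above but is an exact megabyte count written in bytes, i.e. the GUI-to-binary unit mismatch suspected in the post. The appid line layout and the values in the sample are constructed.

```python
"""Pre-start check for the memcap unit mismatch described in the thread above."""
import re

# Bounds quoted by the FATAL ERROR on the page: "an integer between 1 and 4095".
MEMCAP_MIN = 1
MEMCAP_MAX = 4095
MIB = 1024 * 1024

# "memcap <integer>" somewhere on a preprocessor line.  The appid line layout
# used in the sample below is a constructed approximation, not copied from a
# real snort.conf.
_MEMCAP_RE = re.compile(r"\bmemcap\s+(\d+)\b")


def classify_memcap(value):
    """Classify one memcap integer against the 1..4095 (megabyte) bound.

    "ok"             in range, i.e. a plausible megabyte count
    "bytes"          out of range but an exact multiple of 1 MiB whose MiB
                     count is in range: the GUI wrote bytes, Snort wants MB
    "out-of-bounds"  anything else (0, or simply too large)
    """
    if MEMCAP_MIN <= value <= MEMCAP_MAX:
        return "ok"
    if value % MIB == 0 and MEMCAP_MIN <= value // MIB <= MEMCAP_MAX:
        return "bytes"
    return "out-of-bounds"


def check_conf(conf_text, preprocessor="appid"):
    """Scan snort.conf text for memcap values on lines naming `preprocessor`.

    Returns a list of (line_no, value, verdict, suggested_value) tuples, where
    suggested_value is the megabyte count to put back for "bytes" findings.
    Only the named preprocessor is checked because other preprocessors use
    different memcap units and limits (stream5's memcap really is in bytes).
    """
    findings = []
    for line_no, line in enumerate(conf_text.splitlines(), start=1):
        code = line.split("#", 1)[0]            # drop trailing comments
        if preprocessor not in code:
            continue
        for m in _MEMCAP_RE.finditer(code):
            value = int(m.group(1))
            verdict = classify_memcap(value)
            suggested = value // MIB if verdict == "bytes" else value
            findings.append((line_no, value, verdict, suggested))
    return findings


# Constructed sample: the appid line carries 1 GiB expressed in bytes, which
# is the kind of value that trips the "between 1 and 4095" check at start-up.
SAMPLE_CONF = """\
preprocessor stream5_global: track_tcp yes, memcap 8388608
preprocessor appid: app_detector_dir /usr/local/etc/appid, memcap 1073741824
"""

if __name__ == "__main__":
    for line_no, value, verdict, suggested in check_conf(SAMPLE_CONF):
        print(f"line {line_no}: memcap {value} -> {verdict}, suggest {suggested}")
```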
Re: [pfSense] pfSense Hardware Sizing Captive Portal Usage
More or less: if you can run pfSense at all, you won't run out of memory for state tables. Captive portal does consume additional memory, but not large amounts. For several hundred users behind a captive portal, I would err on the side of caution and use a system with at least 2GB of RAM, preferably 4GB. The RAM requirement depends more on what else you have running inside pfSense than the # of users. One user running bittorrent can potentially create tens of thousands of states, whereas one user browsing the web isn't likely to create more than 10 or 20 at a time (maybe a few hundred if you don't close states aggressively).
-Adam

On May 27, 2015 7:39:44 AM CDT, Emeric Jarnier / DSI emeric.jarn...@univ-smb.fr wrote:
Hello everyone,
I am looking ahead to deploy pfSense for a few hundred concurrent users in a captive portal usage. According to hardware requirements and sizing available on the internet, it is possible to have some idea of some hardware configuration. Problem is, we don't have many tips regarding 'states table' usage. If some of you guys could give us some feedback regarding this aspect, we would really appreciate your help! Anything like a number of states per captive portal user session would be great. It could help us to estimate our maximum number of simultaneous users with a given amount of memory. I did some tests in a lab and got over 2 000 open states for a captive portal user but it cannot be as good as some real production numbers!
Thanks for your answers!
Regards,
Emeric Jarnier
Re: [pfSense] ipsec and routing
It's not a routing issue, it's a bug/mis-feature in FreeBSD's IPSec stack. See https://doc.pfsense.org/index.php/Why_can%27t_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN for more info.
-Adam

On 04/24/2015 09:37 AM, Gregory K Shenaut wrote:
I have two pfSense boxes connected via an IPSEC tunnel. I'm confused about whether a route gets added automatically to the remote network end of an IPSEC tunnel when the tunnel comes up. I was under the impression that there was no need to be concerned with routing between the two subnets within the pfSense boxes, that they would “know” about a remote subnet and route to it automatically. However, currently the tunnel can be up, hosts in either remote subnet can ping each other, but the pfSense boxes themselves can't ping hosts in the remote subnet, including the LAN address of the other pfSense host to which they are connected.
And if I do add a static route, what should I use as the gateway? Devices in the local subnet just use the LAN address as the gateway, but that doesn't seem appropriate for the pfSense box. The tunnel goes out over the WAN address, but using that as the pfsense box's gateway to the remote subnet doesn't seem right either.
While in this anomalous state, if I look at the IPSEC status, I see the correct networks in Local subnets and Remote subnets in both boxes. Both boxes have only a “pass all ipv4” firewall rule for IPSEC. If I look at the routing tables, there is no route to the remote subnet. I also have dead peer detection enabled, which if I understand it correctly, requires that the other side's LAN address be pingable.
What could cause this situation, and what is the solution? Thanks for any suggestions.
Greg Shenaut
[pfSense] updating testing packages?
I need to test some of the recent fixes to the OpenBGPd package. Other than manually applying the diff(s) to the currently-installed files, how would I go about generating the package and installing it on my system?
Also, what's the process for submitting changes to packages? Just do a pull request on the github project?
--
-Adam Thompson athom...@athompso.net
[pfSense] pf(4) relative performance: opinions?
I know a lot of performance work has gone into both FreeBSD and pfSense, but I haven't tested the limits in a long time, so I'm asking...
I'm running a pair of firewalls, each with dual Xeon L5520 cpus (4c/8t, 2.26GHz, 8M L2), 48GB triple-channel RAM, where all networking occurs on carp(4) interfaces on top of vlan(4) interfaces on top of trunk(4) on top of dual onboard em(4) (Intel 82576). (These are Dell C6100 XS23-TY3 blades, if anyone cares...)
The question is: would pfSense give me better routing performance than OpenBSD on these systems?
Currently these firewalls run OpenBSD, because I needed simultaneous BGP and OSPF, which pfSense [still/once-again] can't do. I no longer need to run an IGP at that location, so switching to pfSense is now an option.
OpenBSD's pf(4) engine is still single-threaded, and so are the interrupt handlers, so despite CPU and RAM that would normally be massive overkill, these systems max out at just over 105k searches per second, which translates to somewhere between 100kpps-200kpps bidirectional. (I found this out the hard way when someone behind that router decided to scan the entire internet.) Beyond that, they start dropping packets. Gracefully, as pf(4) handles queue congestion, but dropped nonetheless.
The OpenBSD team claims that their pf(4) implementation is highly optimized, much more so than it was when FreeBSD imported it. On the other hand, I'm given to understand that FreeBSD's, or at least pfSense's, pf(4) implementation is now multi-threaded, which should theoretically allow scaling further where OpenBSD simply pegs one core.
If I have to, I'll probably just convert one and try to stress-test it. Scanning the entire IPv4 internet should be an adequate stress test :-/.
Comparison data? *Educated* guesses? Thoughts?
Although it's pointless to ask, please try to keep baseless fanboi-type opinions to yourselves. I'm already a fan of pfSense, and I've explained above why I couldn't use it here.
Thanks,
-Adam
--
-Adam Thompson athom...@athompso.net
[pfSense] NTP failure in 2.2.1?
I'm running 2.2.1-RELEASE (i386) in a new install, and everything's working great so far (or as great as the FUBAR layer 2 lets it work...) except for NTP. No matter what NTP server I pick, it sits in .INIT. state forever. Stopping ntpd and using ntpdate on the command-line produces - surprise - a timeout. Yet NTP from *behind* the firewall works fine.
Anyone else seeing this problem? Any ideas?
-Adam Thompson athom...@athompso.net
Re: [pfSense] Running as a VM, multiple WAN subnets
So if you don't wind up using them for CARP, use them for something else. Get a smaller subnet from your provider and give back the original subnet. If you have multiple subnets, the provider-facing one should not be used for published services; in fact those addresses don't even have to be public IPs!
-Adam

On March 2, 2015 7:32:06 PM CST, Steve Yates st...@teamits.com wrote:
Using CARP implies that you care about reliability during edge cases and partial failures. If so, then you need to do it right and use 3 IPs where you want 1 carp.
I hear you. I guess part of me just dislikes the possibility of wasting 12 or 18 IPs (6 per subnet) a few years down the road, and yet getting a block of 128 that might never get used is possible also... Just wanted to make sure I wasn't missing something.
Steve
Re: [pfSense] Running as a VM, multiple WAN subnets
Steve,
Unless you want to impose significant limitations on yourself, you will need a total of 3 IPs for every CARP interface. I've run systems with single-IP CARP, and unless you have absolutely no choice, it's not worth the headache.
The unanswered question is how your provider will do routing, and how you expect to accomplish this scenario without NAT. It's too early in the morning for me to figure out your topology right now...
-Adam

On March 2, 2015 1:05:07 AM CST, Steve Yates st...@teamits.com wrote:
Chris L wrote on Fri, Feb 27 2015 at 3:34 pm:
On Feb 27, 2015, at 12:37 PM, Steve Yates wrote:
Chris L wrote on Fri, Feb 27 2015 at 12:10 pm:
Hopefully the provider can just route the additional subnet to your existing WAN IP. Then you don’t need to do anything with CARP/HA except make sure primary and secondary are both set up to deal with the routed traffic.
Would that require three LAN side public IPs for the two firewalls out of that second subnet also?
It depends on what you want to do with them. If pfSense just routes them to another IP address, then no. You only need 3 IPs when you have to create a pfSense interface with HA.
It's been a long weekend and I'm missing something that's probably obvious... the scenario is: no NAT, multiple public IPs in use on the LAN side from two different subnets, and pfSense acting as a firewall. Subnet 1 would need a shared CARP IP and officially two others for WAN on both firewalls (but see below) and the same thing duplicated on the LAN side. The servers on subnet 1 would use the CARP LAN IP from subnet 1 as their gateway. If subnet 2 is routed by the data center to subnet 1's CARP IP, then the way I read the docs it will get to pfSense if I set up an Other virtual IP type, correct? Does pfSense then need to use a public IP Alias from subnet 2 on its LAN side CARP interface to be the gateway for subnet 2?
Or if I read the IP Alias section a few more times, does it mean that it would still need the three public IPs for three LAN side aliases (aliases on the two interfaces plus a third alias for the CARP LAN interface)?
I found this forum thread which points out that, as you suggested in another message, using three public IPs on the WAN side (and hopefully the LAN side) is apparently not required in v2.2. https://forum.pfsense.org/index.php?topic=87546.0
However I found another post which says in part, "Without valid IPs on both, the secondary will not be able to independently check for updates or install packages. There would also be no way to directly manage the secondary from a remote location. It couldn't do DNS resolution to a remote DNS server, or even sync its clock to a remote time server." https://forum.pfsense.org/index.php?topic=73584.msg404834#msg404834
...So those are good points. However does that mean only the second firewall would need a WAN side public IP? (Presumably the master would use the CARP WAN IP for its communication, while it is online.) Regarding remote management, my tentative plan was to VPN to the CARP IP to access the firewalls from the LAN side.
--
Steve Yates
ITS, Inc.
Re: [pfSense] hi every body
pfSense can do that, 600 users is OK. Up to 1gbps is OK on almost any server-grade hardware. VPN is built in. IDS/IPS requires installation and configuration of the Snort add-on package. Firewall is built in. Monitoring and logging are built in, but may or may not meet your needs. pfSense can send data to other, more sophisticated monitoring/logging software if needed.
-Adam

On January 27, 2015 5:48:31 AM CST, mohsen Abbaspour mohsen.abbaspour2...@gmail.com wrote:
hi every body
i want to use pfsense in a large scale network. these services are my favorites to use in the network and i need them: VPN, IDPS, Firewall, Monitoring and log traffic. i don't know the possible problems about using pfsense on a large scale network. there are 600 users on my network
--
Check out my professional profile and connect with me on LinkedIn. http://lnkd.in/RqFEqH
Re: [pfSense] polling pfsense status for a combined dashboard
SNMP support exists, although not everything is available that way. Otherwise the doc wiki has a page on authenticating automated web requests - RTFM.
-Adam

On January 27, 2015 10:55:00 AM CST, Wolf Noble w...@wolfspyre.com wrote:
I'm sure this has been asked, but I've not found anything in the few minutes I poked around on the forums/google. I'm looking to pull some metrics from my pfSense firewall to display on a dashboard. I was wondering what my options are for API-esque access, or curl-able graph images with authentication handled by a token conveyed via a header. What are others doing?
Re: [pfSense] polling pfsense status for a combined dashboard
On 2015-01-27 11:22 AM, Wolf Noble wrote:
Hi Adam,
Thanks for the response. Yeah, I know about SNMP. It's a route I might go, but wanted to see what else was available. Strangely enough, I did actually look on the docs site before posting, but I didn't find the page you referenced. That's why I posted here. Would you mind terribly posting a link to the page you mention? When I searched the docs site, I looked for 'api', then 'curl', and then 'header'; but didn't find any relevant results. The closest I found was https://doc.pfsense.org/index.php/Limiting_access_to_web_interface ; but that's not really relevant.

My apologies, I can't find it now, either. WTF... I *know* that page used to exist. Looks like jimp is doing most of the wiki updates, perhaps he'll remember what happened to it. The only thing I can find that covers it is this: https://doc.pfsense.org/index.php/Remote_Config_Backup
--
-Adam Thompson athom...@athompso.net
[pfSense] VFA VPN throughput?
Jim/other: Do you have any guidelines for sizing VPN throughput when using the pfSense Certified VFA?
--
-Adam Thompson athom...@athompso.net
Re: [pfSense] 4 Byte ASN
OpenBGPd works quite well with CARP interfaces, actually... My primary commercial IPv4 transit uses exactly that. But that functionality might need a newer version of OpenBGPd than we have right now... The package is getting a little long in the tooth.
-Adam

On January 8, 2015 9:23:10 AM CST, Seth Mos seth@dds.nl wrote:
Bryant Zimmerman wrote on 8-1-2015 at 15:28:
We are working on getting our own ASN with ARIN so we can get our own blocks of address. We are doing this because we are using multiple ISPs and want to announce our own addresses, for better fail over.
It's so much nicer than multi-wan, I don't regret it in the least.
We are currently using pfSense boxes with CARP at both our locations. Will the open BGP package available for pfSense work correctly with
-- 4 Byte ASN's
Yes
-- Does carp function correctly with Open BGP for fail over.
You do not want to use CARP with BGP in any situation. Each node needs its own session with the remote BGP peer. You need to use iBGP between the nodes instead.
Regards,
Seth
Re: [pfSense] 4 Byte ASN
On 15-01-08 10:02 AM, Seth Mos wrote:
To clarify this a bit better. You speak BGP to your ISP from each pfSense node and generally use CARP as the router address on the internal side. You still need to exchange routes between both pfSense nodes. The moment CARP fails over you drop your BGP session anyhow, so both pfSense nodes need the routing tables (unless you use default only).

Uh... https://doc.pfsense.org/index.php/OpenBGPD_package says it better than I can. Note that there have been a ton of bug-fixes relating to set nexthop and CARP in the last year or so, which don't appear to have made it into the FreeBSD port yet.
I run a pair of BGP routers using CARP to an upstream peer who only wants to configure a single IP address and a single session. Works OK in practice under OpenBSD, not sure how well the pfSense package (FreeBSD port) handles it.
--
-Adam Thompson athom...@athompso.net
[pfSense] BGP in 2.2
First, can anyone tell me what OpenBGPD package v0.9.3 is based on? I'd like to switch a pair of routers from OpenBSD to pfSense, but I need some recent fixes in OpenBGPD that only made it in for OpenBSD 5.5-RELEASE. Looking at the GIT repo doesn't answer my question in any obvious way.
Wait, I take that back... pkg_config.8.xml.amd64 shows a version# in the package filename of 5.2. How do I get that updated? There's been a lot of work done recently, in the 5.4-5.5 timeframe including some critical bugfixes when using CARP.
Second, I clearly remember that in the 2.0 days, we were moving away from OpenBGPD to (IIRC) quagga/zebra... but OpenBGPD is the only BGP implementation I'm seeing now. What happened there?
Third, is there still no way to run BGP and OSPF on the same system??
--
-Adam Thompson athom...@athompso.net
___ List mailing list List@lists.pfsense.org https://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] Gold hangout - what time?
On 14-11-25 10:14 AM, Espen Johansen wrote:
https://blog.pfsense.org
On 25 Nov. 2014 17:11, Adam Thompson athom...@athompso.net wrote:
I'm looking, but I can't find anywhere what *time* the Gold hangout is going to be (or was...) today. Anyone know? Thanks.

I was expecting the time to be shown somewhere in the portal, like maybe along with the joining instructions or the date... *grumble* too many communications channels.
--
-Adam Thompson athom...@athompso.net
Re: [pfSense] terrible performance on NFS CIFS
On 14-11-07 04:58 PM, Paul Heinlein wrote:
I know you said that the CPU runs at ca. 5% load, but personally I'd be unsure of a P-III-class machine at LAN speeds. What bus connection do the NICs use? PCI? EISA? A 32-bit PCI bus operating at 33 MHz has a theoretical maximum bandwidth of 133 Mb/s, and the 64-bit expansion did little to improve that in any practical way. Plus, pre-MSI PCI devices notoriously shared interrupts, slowing down device-to-device transfers. (And just to be cranky, I'll ask if any of the NICs are in shared PCI/ISA slots, which would squeeze performance even further.)

Dual P-III 1.1GHz is adequate. The 32-bit PCI bus has a theoretical max of 133 MBytes/sec, not 133 Mbits/sec, which is substantially faster than gigabit. The PCI-X standard extended it to 66MHz @ 64bits, quadrupling the theoretical max to ~533MBytes/sec, more than adequate for the dual-port, MSI-capable PCI-X ethernet card in there right now.

Have you tested that hardware in a routing capacity with non-pfSense software?

I've tested that machine with that pfSense software - the performance hit only occurs in one direction.

Does the pfSense box have good DNS service?

Yes. Redundant resolvers are directly attached to pfSense's WAN subnet.

Is the cabling flaky?

No. As I've said several times, the performance hit only occurs in this specific configuration. Performance is perfectly fine for NAT'd SSH and HTTP sessions initiated from the LAN side. It's not a NIC or cabling issue, for an additional reason: every routing interface on the pfSense box is a VLAN on an LACP trunk. If it were a cabling or NIC issue, *all* traffic would by definition be affected, including downloads initiated from the LAN side.

Is the pfSense box routing between subnets or just bridging? If the former, what's there when pfSense is not in the middle? Another router? Just a switch?

Routing, since it does NAT.
When pfSense is not in-circuit (as described), I'm doing one of two things: moving the client (and/or server) to another VLAN off the primary router, and/or moving the client and server together onto the same subnet.
My own testing has demonstrated quite clearly that the massive performance hit only occurs on TCP sessions going *inbound* from the WAN to the LAN (relative to pfSense's view of the world). For now, I've simply moved the server semi-permanently; this was an unusual and temporary configuration to begin with.
--
-Adam Thompson athom...@athompso.net
Re: [pfSense] terrible performance on NFS CIFS
Well, that would definitely cause a problem if it were the case, but...
1) TCP window size != MTU,
2) all switches and Router (but not pfSense) can both handle 9000-byte frames anyway,
3) MTU on server and client are both standard, at 1514,
4) I can confirm no fragmentation is occurring.
Still don't know why performance is so bad, though.
-Adam

On November 6, 2014 4:58:35 PM CST, Sean m...@thegeekclub.net wrote:
Not a TCP expert but the MTU is nearly always 1500 (or just under) hence your limit. Sending packets greater than the MTU will lead to fragmentation. Fragmentation leads to re-transmissions (depends on do not fragment bit?) and performance problems. Performance problems lead to frustration and anger. Anger leads to the dark side of the force.
You can increase the MTU to like 9000 or something if you enable jumbo frames but you'd need to support it across the board (pfSense, routers, switches?, servers, etc.). It's a hassle probably not worth the effort in terms of gains. Some people do it as a means to increase iSCSI traffic performance but others say the throughput gain is dubious at best.
I would make sure some doofus didn't enable jumbo frames on your NFS server and if so then turn it off and check the MTU setting in the network stack on the NFS server as well.
I may not know what the hell I'm talking about though so someone else can feel free to jump in and tell me what an idiot I am.

On Wed, Nov 5, 2014 at 6:47 PM, Adam Thompson athom...@athompso.net wrote:
Problem: really, really bad performance (10Mbps) on both NFS (both tcp and udp) and CIFS through pfSense.
Proximate cause: running a packet capture on the Client shows one smoking gun - the TCP window size on packets sent from the client is always ~1444 bytes. Packets arriving from the server show a TCP window size of ~32k.
The Network:

        +------+
        |Router|
        +--+---+
           |
    ---+---+---+---
       |       |
   +---+--+ +--+----+
   |Client| |pfSense|
   +------+ +--+----+
               |
          ---+---+---
              |
          +---+--+
          |Server|
          +------+

- Client and pfSense both have Router as default gateway.
- pfSense has custom outbound NAT rules preventing NAT between Server subnet and Client subnet, but NAT'ing all other outbound connections.
- Router has static route pointing to Server subnet via pfSense.
Hardware:
Router is an OpenBSD system (a CARP cluster, actually) running on silly-overpowered hardware.
Client is actually multiple systems, ranging from laptops to high-end servers.
Server is a Xeon E3-1230v3 running Linux, exporting a filesystem via both NFS (v2, v3, v4) and CIFS (samba).
pfSense is v2.1.5 (i386) on a dual P-III 1.1GHz, CPU usage typically peaks at around 5%.
Performance on local Server subnet (i.e. from a same-subnet client) is very good on all protocols, nearly saturating the gigabit link. Traffic outbound from the server subnet to the internet (via Router) moves at a decent pace, this firewall can typically handle ~400Mbps without any trouble, IIRC synthetic benchmarks previously showed it can peak at over 800Mbps.
Based on the FUBAR TCP window sizes I've observed, I assume pfSense is doing something to my TCP connections... but why are only the non-NAT'd connections affected? I know there's an option to disable pf scrub, but that's only supposed to affect NFSv3 (AFAIK), and this also affects NFSv4-over-TCP and CIFS.
--
-Adam Thompson athom...@athompso.net
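The window-size observation above (client always ~1444, server ~32k) is the kind of thing worth checking mechanically before blaming any one box. This is an added example, not code from the thread: a parser over constructed tcpdump-style lines that reports the advertised receive window per direction, applies window scaling only when both SYNs were captured, and flags a direction whose window holds the peer to fewer than two segments in flight. The hosts, ports and values in the sample capture are constructed.

```python
"""Advertised-window summary for tcpdump-style lines, per traffic direction."""
import re

# Hypothetical line layout mirroring `tcpdump -nn` TCP output; the capture
# below is constructed for this example, not taken from the thread.
_LINE_RE = re.compile(
    r"IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\].*?"
    r"win (?P<win>\d+)(?:, options \[(?P<opts>[^\]]*)\])?"
)
DEFAULT_MSS = 1460   # assumed when the peer's SYN (and so its MSS) was not captured


def parse_line(line):
    """Extract sender, receiver, SYN flag, raw window and SYN options from one line."""
    m = _LINE_RE.search(line)
    if not m:
        return None
    opts = m.group("opts") or ""
    mss = re.search(r"\bmss (\d+)", opts)
    wscale = re.search(r"\bwscale (\d+)", opts)
    return {
        "src": m.group("src"),
        "dst": m.group("dst"),
        "syn": "S" in m.group("flags"),
        "win": int(m.group("win")),
        "mss": int(mss.group(1)) if mss else None,
        "wscale": int(wscale.group(1)) if wscale else None,
    }


def summarize_windows(lines):
    """Per sender: min/max effective receive window and whether it starves the peer.

    Window scaling (RFC 7323) is applied only when both SYNs in the capture
    carried a wscale option; otherwise the raw 16-bit values are reported and
    scale_known is False, because a mid-stream capture cannot tell a genuinely
    tiny window from an unscaled one.
    """
    pkts = [p for p in map(parse_line, lines) if p]
    wscale = {p["src"]: p["wscale"] for p in pkts if p["syn"] and p["wscale"] is not None}
    mss = {p["src"]: p["mss"] for p in pkts if p["syn"] and p["mss"] is not None}
    scaling_on = len(wscale) == 2                  # both ends must offer the option
    stats = {}
    for p in pkts:
        if p["syn"]:
            continue                               # windows in SYNs are never scaled
        eff = p["win"] << wscale.get(p["src"], 0) if scaling_on else p["win"]
        s = stats.setdefault(p["src"], {"peer": p["dst"], "count": 0,
                                        "min_win": eff, "max_win": eff,
                                        "scale_known": scaling_on})
        s["count"] += 1
        s["min_win"] = min(s["min_win"], eff)
        s["max_win"] = max(s["max_win"], eff)
    for s in stats.values():
        # The window a side advertises caps what its *peer* may have in flight;
        # under two peer-MSS the peer is reduced to roughly one segment per RTT.
        s["peer_mss"] = mss.get(s["peer"], DEFAULT_MSS)
        s["throttling_peer"] = s["max_win"] < 2 * s["peer_mss"]
    return stats


# Constructed capture: client 192.0.2.10 talking to an NFS server 198.51.100.20.
# The client offers wscale 0, so its "win 1444" is the real window; the server
# offers wscale 7, so its "win 256" is really 32768.
SAMPLE_CAPTURE = """\
12:00:00.000000 IP 192.0.2.10.51000 > 198.51.100.20.2049: Flags [S], seq 1000, win 65535, options [mss 1460,sackOK,nop,wscale 0], length 0
12:00:00.000200 IP 198.51.100.20.2049 > 192.0.2.10.51000: Flags [S.], seq 5000, ack 1001, win 28960, options [mss 1440,sackOK,nop,wscale 7], length 0
12:00:00.000300 IP 192.0.2.10.51000 > 198.51.100.20.2049: Flags [.], ack 5001, win 1444, length 0
12:00:00.000400 IP 192.0.2.10.51000 > 198.51.100.20.2049: Flags [P.], seq 1001:1141, ack 5001, win 1444, length 140
12:00:00.000900 IP 198.51.100.20.2049 > 192.0.2.10.51000: Flags [P.], seq 5001:6441, ack 1141, win 256, length 1440
12:00:00.001200 IP 192.0.2.10.51000 > 198.51.100.20.2049: Flags [.], ack 6441, win 1444, length 0
""".splitlines()

if __name__ == "__main__":
    for sender, s in summarize_windows(SAMPLE_CAPTURE).items():
        print(f"{sender}: window {s['min_win']}..{s['max_win']} "
              f"(scale known: {s['scale_known']}, throttling peer: {s['throttling_peer']})")
```

Run the same summary on a capture that starts after the handshake and scale_known drops to False: the server's "win 256" then looks like a stall even though it is not, which is why the SYN exchange belongs in any capture taken for this kind of diagnosis.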
Re: [pfSense] terrible performance on NFS CIFS
Ok, recap again...
- this affects multiple protocols, not just NFS. I've now confirmed it affects SSH as well.
- this only occurs when the server is behind pfSense and the client is on the outside of the firewall.
- this problem does not occur in the other direction through pfSense (LAN-WAN).
- to repeat myself, NFS works fine at ~1gbps between the same client and server without pfSense in the middle.
Ergo, I conclude it's something pfSense-related. Haven't had a chance to turn off scrub yet.
-Adam

On November 6, 2014 5:12:59 PM CST, Sean m...@thegeekclub.net wrote:
I strongly recommend not tinkering with your MTU setting and instead correct the setting on the server side... I think you should start reading here: http://nfs.sourceforge.net/nfs-howto/ar01s05.html
Particularly this section:
5.3. Overflow of Fragmented Packets
Using an *rsize* or *wsize* larger than your network's MTU (often set to 1500, in many networks) will cause IP packet fragmentation when using NFS over UDP. IP packet fragmentation and reassembly require a significant amount of CPU resource at both ends of a network connection. In addition, packet fragmentation also exposes your network traffic to greater unreliability, since a complete RPC request must be retransmitted if a UDP packet fragment is dropped for any reason. Any increase of RPC retransmissions, along with the possibility of increased timeouts, are the single worst impediment to performance for NFS over UDP.
Packets may be dropped for many reasons. If your network topography is complex, fragment routes may differ, and may not all arrive at the Server for reassembly. NFS Server capacity may also be an issue, since the kernel has a limit of how many fragments it can buffer before it starts throwing away packets. With kernels that support the /proc filesystem, you can monitor the files /proc/sys/net/ipv4/ipfrag_high_thresh and /proc/sys/net/ipv4/ipfrag_low_thresh. Once the number of unprocessed, fragmented packets reaches the number specified by *ipfrag_high_thresh* (in bytes), the kernel will simply start throwing away fragmented packets until the number of incomplete packets reaches the number specified by *ipfrag_low_thresh*. Another counter to monitor is *IP: ReasmFails* in the file /proc/net/snmp; this is the number of fragment reassembly failures. If it goes up too quickly during heavy file activity, you may have a problem.
Since this is not an NFS support list I suggest you let this die here lest you incur the spite of the moderators. ;-)
Re: [pfSense] pfsense h/w
[One public correction, nothing to do with Godwin's law! -Adam]

On 14-10-23 08:36 PM, Jim Thompson wrote:
>> Not that UBNT is a paragon of openness, either,
> “either”? Wow. Strike 2.

That wasn't a dig at you or ESF or NG - I was thinking of Brocade when I wrote that. I could also use UBNT's competitor, MikroTik, as a good example of how to build decent products the wrong way, but Brocade was my target here. You're a paragon of open-source stewardship in comparison!

--
-Adam Thompson
athom...@athompso.net
Re: [pfSense] pfsense h/w
One nit: yes, I can sell something called pfSense, as that's the freely-downloadable software under a (IIRC) BSD license. I can't sell something called NetGate. I can't produce a derivative work and call it pfSense. (This is a gray area, admittedly.) But, at least here, I'm quite sure I can install pfSense on some random hardware and still call it pfSense.

Having said that, if there's a high-throughput hardware option that's fully supported and tested and optimized, I don't know why I would *sell* anything else. I'll continue to install pfSense in VMs and on existing repurposed hardware, but that's an entirely different market segment anyway, and all I'm selling is my time.

-Adam

On October 23, 2014 11:06:42 AM CDT, Jim Thompson j...@netgate.com wrote:
> On Oct 23, 2014, at 5:18 AM, Zia Nayamuth zedestruc...@gmail.com wrote:
>> Lots of suggestions on the hardware, but I see nobody mention anything based around the new and much more powerful Avoton platform. The platform is officially supported, and the pfSense store has hardware based on it (looks to be the Supermicro 5018A-FTN4,
>
> It is. The FW-7551 runs a two core version of the same SoC. The SoC in both is based on Rangeley, which is like Avoton, but more Ethernets and a crypto core named QuickAssist.
>
> We have a line of similar hardware coming out early next year. You can see the beginnings of same on the Netgate site. Don't stress about the dev board pricing, it's far higher than production boards / systems will be.
>
> This will be the hardware that pfSense is tested on, and released for. Other platforms will continue to work, but if you want to run the solution that the pfSense team uses, develops for, and tests on, look in the store.
>
> Before someone accuses (because this always comes up), we don't cripple other solutions (witness the AES-NI acceleration available to all in pfSense version 2.2), but we do polish things we sell. When we decided to sell the C2758 (5018A-FTN4), we made sure all the Ethernets worked (this was released in 2.1.1) and did some tuning such that the platform worked well using pfSense 2.1.x. We don't release the tuning info, and, incredibly, a couple people a month write in demanding it.
>
> Anyway, the point is, the community is still free to run pfSense software on a given platform, but, as was always true, YMMV with platforms we don't support.
>
> Someone asked in the blog if we would be enabling the crypto part on the Watchguard he had purchased on eBay. The answer is no. Not only because the hardware is slower than a software-only solution on a modern cpu, but also because SafeNet (the company that made that part) no longer supports them, nor is the technical documentation available. And then there is the main reason: We don't have infinite time and other resources.
>
> Also, while the end user can change things to enable or even optimize a given platform choice, load additional packages, etc., nobody can distribute the result and call it pfSense. Simple trademark law demands same.
>
> Anyway, the point is, things we don't sell aren't on developers desks, and are not in the test rack, and thus, not exercised by the test harness.
>
> Jim
Re: [pfSense] pfsense h/w
On 14-10-23 03:06 PM, Chris L wrote:
>> We don't release the tuning info, and, incredibly, a couple people a month write in demanding it.
>
> Does this mean there’s a special, hardware-specific version of pfSense (or a package or ?) or is the tuning in the hardware itself?

AFAIK it's the same software (plus or minus some logo and CSS changes? not 100% sure...), but with different sysctl values precisely (in theory) matched to the hardware it's running on. I would imagine they also ensure all the BIOS settings are set appropriately, IRQs are distributed appropriately, etc.

If you spent a few weeks testing the crap out of your own system, you'd be able to figure out the precise values that maximized throughput for your hardware, too. Note that the precise values that work for any particular piece of hardware are unlikely to be precisely ideal for any other particular piece of hardware... so even copying exactly what Netgate provides on *their* system onto yours doesn't guarantee optimal performance.

Besides, given what Jim just said, do you really think he's going to answer your question? ;-)

The value-add is technically in the labour, but the secret sauce is knowing precisely where to direct that labour to maximize the value to his paying customers. The rest of us get enough value from the software as it is.

--
-Adam Thompson
athom...@athompso.net
Re: [pfSense] pfsense h/w
On 14-10-23 04:29 PM, Chris L wrote:
> I’m not asking what the changes are - I’m asking if these boxes require a special version of pfSense for maximum performance.

I can't answer that with 100% certainty, but I believe the packaging is tweaked slightly. Whether you call that a special version or not is up to you... AFAIK the kernel is the same, and the pfSense layered code is the same. Netgate may add *more* stuff on top of that, I'm not sure - I don't even own one right now.

> If it’s just sysctl values then it’s not possible to keep it secret. sysctl -a, sysctl -a, diff

Granted... my point stands, it's not the secrecy, it's the time taken to match the values to the hardware. No two systems (models) are identical.

> If it’s a custom kernel, etc, then I have to take waiting for netgate to issue patches into consideration. Now and in the future.

Perhaps you've forgotten that Netgate/ESF is the pfSense project *sponsor* and that all/most (?) of the core developers work for Netgate/ESF? I don't think you'll be waiting very long. I wouldn't be at all surprised if the Netgate build gets updated first, in fact. And I do *not* mean that they deliberately wait before releasing patches for the generic pfSense build, I just mean that I would expect the Netgate update to be available +/- 15 minutes compared to the generic pfSense update.

I get that Jim rubs a lot of people the wrong way (myself included), but I don't understand the vitriol and/or suspicion directed at Netgate, which, after all, is who's paying to keep pfSense free.

Jim: maybe the Netgate/ESF branding needs to get splashed all over pfSense, to drive home the point? It may be unclear to newbies what the relationship between Netgate, ESF, and pfSense is. Even I'm a little bit vague on the finer points.

--
-Adam Thompson
athom...@athompso.net
Re: [pfSense] pfsense h/w
[Hmm... half of this doesn't need to be on-list. Sorry if I'm polluting. -Adam]

On 14-10-23 05:57 PM, Jim Thompson wrote:
>> I get that Jim rubs a lot of people the wrong way (myself included),
>
> Darn, you’d think that sharing a last name would count for something...

Sorry, no. ;-)

Kind of in the same way Theo de Raadt rubs people the wrong way. Mostly just idiots newbies take offense. And it's mostly driven, I think, by having your lifetime supply of tolerance for people who speak first and think second be long-since exhausted. So as long as you don't start saying incorrect or technically-invalid things, your audience sticks around. See closing comments, below.

> I think some people are waiting for “the other shoe to drop”. For us to take the pfSense project in a direction similar to what happened with Vyatta.

Yeah... it's a possibility. OTOH, I'll point out that UBNT essentially forked Vyatta (and renamed it EdgeOS, IIRC) when Brocade started to close it all up. Not that UBNT is a paragon of openness, either, but that's the benefit of the appropriate license - everyone can feel free to copy (or fork!) pfSense from any of the multitude of places it lives online right now, and feel free to burn it to archival WORM media Just In Case Something Bad Happens To The Project.

As Jim pointed out, however, when you resurrect it (and somehow replace all the infrastructure and developers in one fell swoop, *ahem*), you can't call your new project pfSense. You can have an FAQ entry explaining how it used to be pfSense, you can even leave the GIT, or SVN, or even SCCS repository up as-is with the pfSense name throughout it, but as soon as you create a derivative work: new project.

> ... pfSense is going closed source,

Technically, this could happen, but realistically, someone will probably fork it. And that project will likely die out or remove itself from public participation, as these things tend to do. For that matter, remember that pfSense is (sort of) a fork of m0n0wall from a decade ago in the first place. For different reasons, but nonetheless.

> and Jim Thompson is actually a blood thirsty, extra-terrestrial, shapeshifting reptile.

Well, that explains a few things! <grin>

> Finally, I think there is still a segment of the community who views me with distrust because I put a license agreement and contributor agreement in front of access to the source code for the pfSense project. We didn’t articulate the reasons for doing this very well, and the execution when we did it wasn’t … optimal.

I wasn't affected by that, and - AFAIK - neither were most of the people who whine and cadge about a commercial entity being involved. I don't recall what the license used to be, but clearly the current one is a custom license that doesn't even attempt to follow the UCB/BSD license. As long as ESF covered all their legal bases properly, they can do whatever the f*** they want with the license. I can see how old contributors might not like the new CLA, though. And I don't know of any project that has ever pivoted on a license change this way ... optimally.

> Ugh… were you around for the 2.1.5 release with the “Gold” menu front-and-center (and the resultant shitstorm)?

Long before that, yes, but I think I managed to skip the affected versions by accident, so I forgot all about it / never saw it myself. Since I've already renewed my gold subscription once by now, clearly I wasn't one of the shit-flingers in the shitstorm. I like getting paid for my work, too!

> (Or wonder in silence what it must be like to work in the same place as Jim Thompson.)

Can't be any worse than my last corporate job. In fact, would probably be *much* better... I don't have to like you to respect you or work with/for you.

--
-Adam Thompson
athom...@athompso.net
Re: [pfSense] OT: Good network switch for 10 machines?
+1 for HP ProCurve, except for the stuff they inherited from 3Com... I've also had reasonably good luck with Netgear and D-Link managed switches. The Cisco SMB stuff seems OK hardware-wise, but the software is questionable. Note that all three of these options come with lifetime, free, firmware updates.

-Adam

On September 23, 2014 12:56:00 PM CDT, Chris Bagnall pfse...@lists.minotaur.cc wrote:
> On 23/9/14 6:46 pm, RB wrote:
>> I'd suggest at least a managed switch that can do LACP.
>
> This. Given how small the price difference often is between unmanaged and semi-managed (aka 'smart') switches these days, it just doesn't make sense to buy unmanaged any more. You never know when things like VLANs, LLDP and LACP might just come in handy, and even if you never use them, a managed switch will also allow you to do other interesting things like graph per-port (and sometimes per-port-VLAN) usage, which can be useful for detecting misbehaving network hardware elsewhere.
>
> I've had decent results with the Linksys/Cisco SMB switches and the ZyXel GS1900 range. One of our clients uses the Zyxel switches to good effect. Their 24 port PoE versions are certainly competitively priced.
>
> I tend to use HP where possible. At the lower cost end of the market, something like the 1810-24G (web managed) is a good bet, or move up to the 2510/2520 if you need more management functionality and/or a CLI. I've avoided the 1910 range; AIUI they're basically rebadged 3Com units after the HP/3Com buyout.
>
> Kind regards,
>
> Chris
> --
> This email is made from 100% recycled electrons
Re: [pfSense] Adding Ethernetports
You don't have a pfSense problem at all, you have a VMware problem. Suggest you visit any one of hundreds of VMware support forums or lists to find out how to manage virtual networks. There are also a lot of old threads on the pfSense forum discussing this.

-Adam

On September 19, 2014 11:28:28 AM CDT, Brian Caouette bri...@dlois.com wrote:
> Yes VM. I do not see the card listed there either. I do not understand VM and all the plugs and drivers. Can you point me in the right direction?
>
> On 9/19/2014 11:17 AM, Paul Beriswill wrote:
>> Your pfSense is running on a VM ... correct? Does vmware recognize the nic? I know some versions of esx need custom drivers for even some intel NIC's.
>>
>> Paul
>>
>> On 09/19/2014 09:31 AM, Brian Caouette wrote:
>>> I added a dual port nic to my pfsense box and it doesn't show the additional ports. The new nic doesn't show anywhere. I am using a PowerEdge 2850 and an Intel Card. I am also using vmware on the machine. Any ideas what may be going on?
>>
>> --
>> Paul Beriswill
>> PDF Complete Inc | www.pdfcomplete.com
>> 550 Club Drive, Ste. 477 | Montgomery, TX 77316
>> 512.263.0868 x 707 direct | paul.berisw...@pdfcomplete.com
Re: [pfSense] Adding Ethernetports
There's also the unofficial VMware ESXi white-box HCL, but it hasn't really been updated since v4.x. Agreed that if this is anything more than a test system, stick with the HCL and a support contract. Been there, done that, have the scars to prove it ...

-Adam

On September 19, 2014 12:18:31 PM CDT, Paul Beriswill paul.berisw...@pdfcomplete.com wrote:
> I have had mixed results trying to find support for hardware that is not on the vmWare HCL and often spend way too much time hunting for solutions. You are much better off sticking with officially supported hardware.
>
> That being said, This link may have the drivers that you are looking for ...
>
> https://my.vmware.com/web/vmware/details?downloadGroup=DT-ESXI55-INTEL-IGB-42168&productId=353
>
> Should probably take this to one of the vmware support groups.
>
> Paul
>
> On 09/19/2014 11:28 AM, Brian Caouette wrote:
>> Yes VM. I do not see the card listed there either. I do not understand VM and all the plugs and drivers. Can you point me in the right direction?
>>
>> On 9/19/2014 11:17 AM, Paul Beriswill wrote:
>>> Your pfSense is running on a VM ... correct? Does vmware recognize the nic? I know some versions of esx need custom drivers for even some intel NIC's.
>>>
>>> Paul
>>>
>>> On 09/19/2014 09:31 AM, Brian Caouette wrote:
>>>> I added a dual port nic to my pfsense box and it doesn't show the additional ports. The new nic doesn't show anywhere. I am using a PowerEdge 2850 and an Intel Card. I am also using vmware on the machine. Any ideas what may be going on?
>
> --
> Paul Beriswill
> PDF Complete Inc | www.pdfcomplete.com
> 550 Club Drive, Ste. 477 | Montgomery, TX 77316
> 512.263.0868 x 707 direct | paul.berisw...@pdfcomplete.com
Re: [pfSense] Returned mail: Data format error
Yes, but not often.

-Adam

On September 8, 2014 7:45:10 AM CDT, Bob Gustafson bob...@rcn.com wrote:
> Is anyone else on this list getting bounce notices?
>
> On 09/08/2014 01:50 AM, Bounced mail wrote:
>> The message was not delivered due to the following reason:
>>
>> Your message was not delivered because the destination computer was not reachable within the allowed queue period. The amount of time a message is queued before it is returned depends on local configuration parameters. Most likely there is a network problem that prevented delivery, but it is also possible that the computer is turned off, or does not have a mail system running right now.
>>
>> Your message was not delivered within 8 days:
>> Mail server 33.208.96.171 is not responding.
>>
>> The following recipients could not receive this message:
>> list@lists.pfsense.org
>>
>> Please reply to postmas...@lists.pfsense.org if you feel this message to be in error.
Re: [pfSense] Dual IP nets over one ethernet connector
Then don't use pfSense - that's simple. Like I said in a previous email, feel free to do this with your choice of OS. PfSense doesn't give you quite enough rope to do what you want.

-Adam

On August 16, 2014 11:09:20 PM CDT, Bob Gustafson bob...@rcn.com wrote:
> I don't need the firewall features of pfsense in my application. The firewall is 'upstream' of the pfsense box - in the ISP furnished modem/router.
>
> Please re-think your suggestions - with the pfsense firewall function out of the picture.
>
> Bob G
>
> On 08/16/2014 03:37 PM, Espen Johansen wrote:
>> Nat traversal is trivial. Firewalling needs physical interfaces. Vlans are possible but vlan jumping is also possible. Vlans to do different zones (lan/wan lan/dmz dmz/wan) is not something I recommend as vlan jumping can be done in most environments.
>>
>> In short. Forget an idea where you firewall with a single interface. Even if this is only to play with at home. Just don't. A vanilla linux/bsd will let you shoot yourself in the foot. So you can do it there. But there are no firewalls that will allow this without 2 interfaces. Most require 2 physical, but some will allow for 2 or more vlans. Again, do not do it.
>>
>> On 16 Aug 2014 22:13, Adam Thompson athom...@athompso.net wrote:
>>> On 14-08-16 01:13 PM, Espen Johansen wrote:
>>>> You would have to do a major code rewrite to get this done. And it would be insecure and it would make no pf sense :-) this is network basics. You don't seem to understand some network fundamentals. Sorry but this is not doable without using vlans or 2 physical interfaces.
>>>>
>>>> On 16 Aug 2014 20:06, Bob Gustafson bob...@rcn.com wrote:
>>>>> I'm interested in doing it all within the Alix using pfsense. A minimum hardware approach.
>>>>>
>>>>> Think of my WAN mentioned below as the LAN network created by the modem/router furnished by the ISP and the LAN mentioned below as devices also connected to the back end of the modem/router, but not accessible by the modem/router. Only by LAN/pfsense.
>>>>>
>>>>> Bob G
>>>>>
>>>>>> I would like to pass WAN packets (192.168.1.0/24) and LAN packets (192.168.2.0/24) through the same connector. pfsense would provide the NAT and firewalling within the box.
>>>
>>> To clarify Espen's comments: yes, it is possible to run two subnets on the same wire. Any _router_ can route between two subnets on the same wire (or the same VLAN, same thing - technically the same broadcast domain). A _firewall_, however, will refuse to do so because it's nonsensical from a security perspective. So pfSense is a router, yes, but it is also a firewall, and in areas where those two roles conflict, the firewall role wins.
>>>
>>> As previously pointed out, you can't usefully use pf(4) in the circumstance you describe. It is technically possible, on some platforms, to perform NAT between the two subnets. It would be possible, AFAIK, to manually craft a pf rule that does this; it is not possible to get the pfSense GUI to generate that rule. That's where the major code rewrite comes into play.
>>>
>>> I'm not aware of any firewall GUI that will let you do this - and for a good reason! By hooking your LAN up directly to the WAN, you're effectively eliminating 99% of the security a firewall gives you. (And, yes, it is possible to directly attack private IP addresses on most ISPs.)
>>>
>>> If you're determined to deploy this model, you'll have to run a bare OS that can route, i.e. Linux, OpenBSD, FreeBSD, etc. and configure the networking stack and NAT rules by hand.
>>>
>>> --
>>> -Adam Thompson
>>> athom...@athompso.net
Re: [pfSense] Change WAN interface address to new subnet
On 14-08-06 02:42 PM, Adam Williams wrote:
>> You've made two contradictory statements here: 1) you want to know how to *change* a WAN interface, but 2) We're moving it over from another firewall...
>
> I've got two firewalls, F1 and F2, facing the public internet, each hosting different public subnets, N1 and N2. There are computers behind them which are dual homed - connected to both firewalls. I want to make F2 host both N1 and N2, decommissioning F1. Then I'll decommission N2. Since I want to decommission N2, I thought I should make the WAN interface of F2 configured for N1.

Ouch... I'm sure I could create a more difficult setup to work with, but it would take some time and effort to do so!

>> Why do you need to do things one step at a time? Again, that contradicts #2, above.
>
> I want to configure 87.54.0.34 (N1) on F2 before having the IP addresses moved from F1, because of the acceptable downtime of... about 60 seconds. Hopefully my following answers will clarify how I think this can be done.

asdf

>> You also mention VRRP - pfSense doesn't do VRRP, it does CARP. Is the VRRP from the old firewall?
>
> It may be the uplink switches are making these VRRP advertisements. I realize I do not understand perfectly how the protocol is implemented, and assumed there was a relationship with CARP, though it's clear enough now that they are different tech solving similar problems. I suppose I need to read up on VRRP to understand why my F2 WAN address (50.31.0.14) is the SRC address of these advertisements.

If F2 is a pfSense firewall, then you have some much larger problem to solve before you worry about switching over to new firewalls.

> Once I have the configuration I want, I will be adding another pfSense firewall as a sync slave of F2.

I would strongly recommend starting with HA, not adding a HA peer later. Adding HA later is much more likely to cause downtime; adding it right away means you'll catch all the problems immediately, (hopefully) before you put the new firewall into production.

> The switches our old VLANs operated on are being replaced. There were new VLANs created on the new switches, and the computers were made to be dual homed for a time so I could work through getting all the services running over the new switch VLANs/subnets. F2 is the firewall of the new switch VLANs/subnets. Now that the computers behind the firewalls are communicating over the new switches through F2, I'm ready to move the IP addresses of F1 over, as I've mentioned. The ONLY reason we need the old WAN on F2 at all is because outbound connections to third parties must come from addresses in the old WAN. That is happening today because the computers are still routing Internet-bound connections through F1.
>
>> Don't bother changing WAN, add a new interface (WAN2, let's say...) and configure it with the appropriate IP address and gateway(s), etc. If I understand correctly, you're going to wind up with a dual-WAN setup, right?
>
> F1 must hold the N1 address until the last moment, since the computers are still routing Internet-bound connections through F1, and I do not believe I have the option of having F1 and F2 on the same uplink both claiming the N1 address.

That's correct; they'll be fighting over the IP address (unless they are a CARP pair, which doesn't sound likely).

> If I am able to put F2 in a position where it's nearly completely configured to host N1, such that I can have N1 moved to F2, change outbound NAT on F2 to use the address of N1, use N1 as the default gateway of F2, and immediately change the routing of the computers behind the firewall so that they make Internet-bound connections through F2, I'll be happy. If I have to move N1 to F2 before I can configure F2 this way, downtime will be longer.

Ugh. You have set yourself a complex task; I would have simply preconfigured a new firewall (F2) exactly the same as the existing firewall (F1), and taken a 2-minute outage to swap firewalls.

You're almost sure to have more than 60 seconds of downtime anyway, since ARP data typically has a 5-minute lifetime. If you can cause the new firewall to proactively overwrite each local host's ARP cache (e.g. by pinging each host from the firewall) then you can probably get that down quite a bit.

--
-Adam Thompson
athom...@athompso.net
Re: [pfSense] Change WAN interface address to new subnet
You've made two contradictory statements here: 1) you want to know how to *change* a WAN interface, but 2) We're moving it over from another firewall... Which is it?

Why do you need to do things one step at a time? Again, that contradicts #2, above. Also, how much downtime is acceptable?

You also mention VRRP - pfSense doesn't do VRRP, it does CARP. Is the VRRP from the old firewall? Are you in fact setting up redundant firewalls, or are you just using CARP as a convenient way to establish additional IP addresses?

If you're moving to a new firewall, why do you have it connected directly to the old WAN at all?

Right now, it sounds like you're worrying about trivial items (e.g. source IP addresses) without having a good big-picture grasp on the process first. Who cares what source IP address gateway-monitoring ICMP packets or DNS packets come from? I assume anything originating from the firewall will by default use the primary interface IP, but I don't know for sure - that stuff Just Works regardless of which IP address it originates from.

I'll stop here for now until you've addressed the contradiction.

-Adam

On 14-08-06 10:29 AM, Adam Williams wrote:
> Hello!
>
> I need to change the WAN interface address to one that is on another subnet. I need to end up getting off the 50.31.0.0 network altogether, ultimately, but need to do so one step at a time. However, I'm concerned that I don't quite understand the implications of changing the WAN primary IP address. I would very much appreciate any guidance you might offer.
>
> Suppose the following current configuration of IP addresses on the WAN interface:
>
> WAN 50.31.0.14
> GW 50.31.0.1
> ALIAS 50.31.0.25
> CARP 50.31.0.71
>
> * Gateway is monitored using SRC 50.31.0.14 ICMP
> * DNS forwarding is configured, so SRC 50.31.0.14 UDP
> * VRRP packets are SRC 50.31.0.14 TCP
> * Clients are connecting to 50.31.0.71 (the CARP address)
> * Outbound connections are masqueraded as 50.31.0.71 (the CARP address)
>
> I want to begin the migration by changing the WAN interface address to, say, 87.54.0.34. Here is what I imagine the configuration needs to become:
>
> WAN 87.54.0.34
> GW2 87.54.0.29
> GW (default) 50.31.0.1
> ALIAS 50.31.0.25
> CARP 50.31.0.71
>
> My first question would be, will this work? More specifically, what will be the SRC IP address of the a) gateway monitoring, b) DNS, and c) VRRP traffic?
>
> The gateway monitoring traffic would have to choose the ALIAS address for GW, and the WAN address for GW2; the routes to those subnets would be used (a direct link). It seems the DNS traffic would end up with SRC 87.54.0.34; the default gateway is not on the same subnet and would therefore drop the packets. Would VRRP traffic for 50.31.0.71 choose the ALIAS address, since it's the only one on the subnet of the CARP address?
>
> However, perhaps complicating things, we do not yet have the subnet of the new WAN IP address routing over our uplink. We're moving it over from another firewall and want to preconfigure this firewall as much as possible to host the new subnet, so that we might minimize downtime for connections to 87.54.0.34. Therefore, we cannot yet receive packets at 87.54.0.34; the gateway 87.54.0.29 is unreachable.
>
> Will this plan work at all, or is the role of the WAN address so critically important that we really cannot preconfigure it for a new subnet like this?
>
> Please let me know if this is not clear enough to help. Thank you!

--
-Adam Thompson
athom...@athompso.net
Cell: +1 204 291-7950
Fax: +1 204 489-6515
Re: [pfSense] How can this be done?
On 14-07-31 07:44 PM, Kenward Vaughan wrote:
> In my quest to set up a computational lab at my school, the IT department has offered us the freedom to create this specialized lab as long as we aren't hooked up to the school's network--we are to be completely isolated. They have no one to maintain it software-wise (we will be doing that), and (I believe) fear security breaches, etc, emanating from there. They would allow us to go outside through the Wifi spots, though, as long as it is through the open (insecure) side. There is an accessible secure (internal) network as well.
>
> Is there a way to set up pfSense either on the internal server or a separate Internet side box to control outbound traffic by having it sign into that network then having the other machines have access?
>
> I'm not any sort of network person (self-taught in Linux/computers in general), so please accept my apology up front if this is an idiotic question.
>
> Thanks!
>
> Kenward

Short answer: Yes, this can be done. Please have someone with networking experience set this up, unless you want to spend the next few months learning networking! This isn't really a pfSense-related issue at this point.

Easiest, surest (but not cheapest) way: get a separate DSL or Cable connection for your lab, and connect to the internet through that link (possibly using pfSense). Don't connect to the existing school [wired] network or WiFi [network] at all, not even the public wifi.

Cheaper (and still secure): if the school has a firewall (it most likely does), ask if you can be connected to a dedicated interface on that firewall. That way, IT still has control over what you can and can't access, and they can protect themselves from you.

Also cheaper (and still secure): the school's WAN provider may allow you to connect more than one device to the WAN connection. This might require adding a switch between the service provider's equipment and the school's firewall, if the service provider doesn't give you a multi-port device of some sort. Either way, you plug your dedicated (possibly pfSense) firewall into another port on the WAN device. Many DSL/Cable providers install a modem that includes a 4- or 5-port switch built right in.

Most difficult to get working: install your firewall (possibly running pfSense) as a client on the school's public wireless network. I'm not sure if pfSense even supports this natively; you may have to use an external ethernet-to-wireless bridge (but these are fairly common devices now, anything sold as a travel router can probably do it, most SoHo routers/APs can do it, too). There are many variables here, and many things to get wrong. On the other hand, this requires relatively little (i.e. possibly even zero) effort from the existing IT group, and doesn't cost much. If you have to sign in to the public WiFi network, especially through some sort of login web page (like you do at public hotspots) then connecting a firewall to it is probably not going to work well, if at all...

--
-Adam Thompson
athom...@athompso.net
Re: [pfSense] ZFS warning message on local console during boot
Faster caching when using squid and/or some of the other packages? But, yes, it would be a bit silly, regardless.

-Adam

On July 30, 2014 9:43:01 AM CDT, Vick Khera vi...@khera.org wrote:
> On Wed, Jul 30, 2014 at 9:50 AM, Paul Mather p...@gromit.dlib.vt.edu wrote:
>> Personally, I think ZFS on i386 has become a losing proposition as of late. I ran a ZFS-on-root FreeBSD/i386 10-STABLE system with 2 GB of RAM and it appeared to become very flaky with ZFS in its latter months (I eventually switched it out for a FreeBSD/amd64 system).
>
> I cannot fathom a sensible use case for using ZFS on pfSense at all.

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
Re: [pfSense] Disable antispoofing on an interface
How do you know pfSense is dropping the packet? Does it show up in a packet capture on OPT1?

-Adam

On July 17, 2014 5:12:07 AM CDT, NetSys Pro netsys...@live.com wrote:
> Hello Adam,
>
> Anything else I could try?
>
> Thanks
>
> Subject: Re: [pfSense] Disable antispoofing on an interface
> From: athom...@athompso.net
> Date: Mon, 14 Jul 2014 20:24:36 -0500
> To: list@lists.pfsense.org; netsys...@live.com
>
>> I suspect you need to be looking not for anti-spoofing but for anti-bogon rules. Can't remember what pfSense calls it offhand.
>>
>> -Adam
>>
>> On July 14, 2014 6:19:22 PM CDT, NetSys Pro netsys...@live.com wrote:
>>> Hello everyone,
>>>
>>> First of all, please note that I have already posted the question below on the pfSense forum (see https://forum.pfsense.org/index.php?topic=79081.0) since about 1 week without any reply. Given the urgency of the matter, I decided to post to the mailing list, hoping for some here. BTW: I don't know if this will be of any help to obtain a reply, please note that I have a Gold membership subscription as well.
>>>
>>> So, regarding my question, I'll copy/paste from the forum as follows:
>>>
>>> I have 2 pfSense boxes (both version 2.1.4) connected via the Internet. Each one has 3 interfaces: LAN, WAN & OPT1. There is an IPsec VPN between the 2 pfSense boxes. A WAN optimisation (we'll call it WANOPT) appliance is connected to the OPT1 interface on each side. There is a UDP tunnel between the 2 WANOPT appliances. This UDP tunnel goes inside the IPsec tunnel. I use PBR (as a LAN rule) to redirect traffic going to the remote LAN into the WANOPT appliance.
>>>
>>> This is what I've observed after starting to ping a remote LAN machine from a local LAN machine:
>>> 1. On reaching the local LAN interface, the ICMP echo request is properly redirected to the WANOPT appliance.
>>> 2. The ICMP request then goes inside the UDP tunnel.
>>> 3. The UDP packets go into the IPsec tunnel.
>>> 4. On the remote side, a tcpdump shows that the ICMP packet does come out of the WANOPT appliance and therefore the UDP tunnel.
>>> 5. It then reaches the OPT1 interface of the remote firewall.
>>> 6. However, it does NOT come out any interface!!!
>>> 7. I have an "Allow all protocols from any to any" rule on both the IPsec and OPT1 interfaces, for testing purposes.
>>> 8. There's nothing in the log saying that the packet was dropped. In fact, there's a log entry which says that the packet was actually allowed into the OPT1 interface!
>>>
>>> What has happened to the packet?
>>>
>>> NB:
>>> 1. On the remote side, when the ICMP packet comes out of the UDP tunnel, its source IP is that of the local LAN machine and its destination is that of the remote LAN machine.
>>> 2. Is this packet being considered a spoofed packet? I modified the file /etc/inc/filter.inc (around line 3105 in pfSense 2.1.4) to disable antispoofing on the OPT1 interface and rebooted both firewalls without any success. I confirmed that the file /tmp/rules.debug did not contain the antispoof directive for the OPT1 interface after reboot. RFC 1918 private IP addresses are not being blocked either.
>>>
>>> Thank you for any help.
Re: [pfSense] Disable antispoofing on an interface
Not really possible. If tcpdump can't show you the packet, then the problem is occurring before pfSense... i.e. in the WAN optimizer.

On July 17, 2014 12:01:12 PM CDT, NetSys Pro netsys...@live.com wrote:
> Adam,
>
> Thanks for your reply. First of all, as I said before, I had already posted the same question on the forum and had not received any reply. However, Chris BUECHLER replied to my posts about 2 days ago. If it is better that I stop the cross-posting, then someone please do advise. Until then, we'll continue on both the forum and here in the mailing list. Of course, I will update both with the findings.
>
> So, regarding your question, from the log (see screenshot on the forum) on the remote pfSense, I see that the ICMP request is ALLOWed into the remote OPT1 (aka SILVERPEAK) interface. However, after doing packet captures on the other interfaces, I do not see the packet coming out anywhere! So, I suppose the packet is being silently dropped. Is that possible?
>
> Subject: RE: [pfSense] Disable antispoofing on an interface
> From: athom...@athompso.net
> Date: Thu, 17 Jul 2014 10:50:27 -0500
> To: netsys...@live.com; list@lists.pfsense.org
>
>> How do you know pfSense is dropping the packet? Does it show up in a packet capture on OPT1?
>>
>> -Adam
>>
>> On July 17, 2014 5:12:07 AM CDT, NetSys Pro netsys...@live.com wrote:
>>> Hello Adam,
>>>
>>> Anything else I could try?
>>>
>>> Thanks
>>>
>>> Subject: Re: [pfSense] Disable antispoofing on an interface
>>> From: athom...@athompso.net
>>> Date: Mon, 14 Jul 2014 20:24:36 -0500
>>> To: list@lists.pfsense.org; netsys...@live.com
>>>
>>>> I suspect you need to be looking not for anti-spoofing but for anti-bogon rules. Can't remember what pfSense calls it offhand.
>>>>
>>>> -Adam
>>>>
>>>> On July 14, 2014 6:19:22 PM CDT, NetSys Pro netsys...@live.com wrote:
>>>>> Hello everyone,
>>>>>
>>>>> First of all, please note that I have already posted the question below on the pfSense forum (see https://forum.pfsense.org/index.php?topic=79081.0) since about 1 week without any reply. Given the urgency of the matter, I decided to post to the mailing list, hoping for some here. BTW: I don't know if this will be of any help to obtain a reply, please note that I have a Gold membership subscription as well.
>>>>>
>>>>> So, regarding my question, I'll copy/paste from the forum as follows:
>>>>>
>>>>> I have 2 pfSense boxes (both version 2.1.4) connected via the Internet. Each one has 3 interfaces: LAN, WAN & OPT1. There is an IPsec VPN between the 2 pfSense boxes. A WAN optimisation (we'll call it WANOPT) appliance is connected to the OPT1 interface on each side. There is a UDP tunnel between the 2 WANOPT appliances. This UDP tunnel goes inside the IPsec tunnel. I use PBR (as a LAN rule) to redirect traffic going to the remote LAN into the WANOPT appliance.
>>>>>
>>>>> This is what I've observed after starting to ping a remote LAN machine from a local LAN machine:
>>>>> 1. On reaching the local LAN interface, the ICMP echo request is properly redirected to the WANOPT appliance.
>>>>> 2. The ICMP request then goes inside the UDP tunnel.
>>>>> 3. The UDP packets go into the IPsec tunnel.
>>>>> 4. On the remote side, a tcpdump shows that the ICMP packet does come out of the WANOPT appliance and therefore the UDP tunnel.
>>>>> 5. It then reaches the OPT1 interface of the remote firewall.
>>>>> 6. However, it does NOT come out any interface!!!
>>>>> 7. I have an "Allow all protocols from any to any" rule on both the IPsec and OPT1 interfaces, for testing purposes.
>>>>> 8. There's nothing in the log saying that the packet was dropped. In fact, there's a log entry which says that the packet was actually allowed into the OPT1 interface!
>>>>>
>>>>> What has happened to the packet?
>>>>>
>>>>> NB:
>>>>> 1. On the remote side, when the ICMP packet comes out of the UDP tunnel, its source IP is that of the local LAN machine and its destination is that of the remote LAN machine.
>>>>> 2. Is this packet being considered a spoofed packet? I modified the file /etc/inc/filter.inc (around line 3105 in pfSense 2.1.4) to disable antispoofing on the OPT1 interface and rebooted both firewalls without any success. I confirmed that the file /tmp/rules.debug did not contain the antispoof directive for the OPT1 interface after reboot. RFC 1918 private IP addresses are not being blocked either.
>>>>>
>>>>> Thank you for any help.
Re: [pfSense] Disable antispoofing on an interface
If you run (from memory, here!) clog -f /var/log/filter.log while the packet is arriving, you should see what rule is blocking it. You may want to set up a capture in your terminal emulator, as there will likely be a lot of unrelated output and it'll scroll off-screen quickly.

-Adam

On July 17, 2014 12:20:10 PM CDT, NetSys Pro netsys...@live.com wrote:
> I just did a tcpdump on pfSense and I do see the ICMP request coming in on the OPT1 interface. So, this means that the WANOPT appliance is not the culprit.
>
> Subject: RE: [pfSense] Disable antispoofing on an interface
> From: athom...@athompso.net
> Date: Thu, 17 Jul 2014 12:10:44 -0500
> To: netsys...@live.com; list@lists.pfsense.org
>
>> Not really possible. If tcpdump can't show you the packet, then the problem is occurring before pfSense... i.e. in the WAN optimizer.
>>
>> On July 17, 2014 12:01:12 PM CDT, NetSys Pro netsys...@live.com wrote:
>>> Adam,
>>>
>>> Thanks for your reply. First of all, as I said before, I had already posted the same question on the forum and had not received any reply. However, Chris BUECHLER replied to my posts about 2 days ago. If it is better that I stop the cross-posting, then someone please do advise. Until then, we'll continue on both the forum and here in the mailing list. Of course, I will update both with the findings.
>>>
>>> So, regarding your question, from the log (see screenshot on the forum) on the remote pfSense, I see that the ICMP request is ALLOWed into the remote OPT1 (aka SILVERPEAK) interface. However, after doing packet captures on the other interfaces, I do not see the packet coming out anywhere! So, I suppose the packet is being silently dropped. Is that possible?
>>>
>>> Subject: RE: [pfSense] Disable antispoofing on an interface
>>> From: athom...@athompso.net
>>> Date: Thu, 17 Jul 2014 10:50:27 -0500
>>> To: netsys...@live.com; list@lists.pfsense.org
>>>
>>>> How do you know pfSense is dropping the packet? Does it show up in a packet capture on OPT1?
>>>>
>>>> -Adam
>>>>
>>>> On July 17, 2014 5:12:07 AM CDT, NetSys Pro netsys...@live.com wrote:
>>>>> Hello Adam,
>>>>>
>>>>> Anything else I could try?
>>>>>
>>>>> Thanks
>>>>>
>>>>> Subject: Re: [pfSense] Disable antispoofing on an interface
>>>>> From: athom...@athompso.net
>>>>> Date: Mon, 14 Jul 2014 20:24:36 -0500
>>>>> To: list@lists.pfsense.org; netsys...@live.com
>>>>>
>>>>>> I suspect you need to be looking not for anti-spoofing but for anti-bogon rules. Can't remember what pfSense calls it offhand.
>>>>>>
>>>>>> -Adam
>>>>>>
>>>>>> On July 14, 2014 6:19:22 PM CDT, NetSys Pro netsys...@live.com wrote:
>>>>>>> Hello everyone,
>>>>>>>
>>>>>>> First of all, please note that I have already posted the question below on the pfSense forum (see https://forum.pfsense.org/index.php?topic=79081.0) since about 1 week without any reply. Given the urgency of the matter, I decided to post to the mailing list, hoping for some here. BTW: I don't know if this will be of any help to obtain a reply, please note that I have a Gold membership subscription as well.
>>>>>>>
>>>>>>> So, regarding my question, I'll copy/paste from the forum as follows:
>>>>>>>
>>>>>>> I have 2 pfSense boxes (both version 2.1.4) connected via the Internet. Each one has 3 interfaces: LAN, WAN & OPT1. There is an IPsec VPN between the 2 pfSense boxes. A WAN optimisation (we'll call it WANOPT) appliance is connected to the OPT1 interface on each side. There is a UDP tunnel between the 2 WANOPT appliances. This UDP tunnel goes inside the IPsec tunnel. I use PBR (as a LAN rule) to redirect traffic going to the remote LAN into the WANOPT appliance.
>>>>>>>
>>>>>>> This is what I've observed after starting to ping a remote LAN machine from a local LAN machine:
>>>>>>> 1. On reaching the local LAN interface, the ICMP echo request is properly redirected to the WANOPT appliance.
>>>>>>> 2. The ICMP request then goes inside the UDP tunnel.
>>>>>>> 3. The UDP packets go into the IPsec tunnel.
>>>>>>> 4. On the remote side, a tcpdump shows that the ICMP packet does come out of the WANOPT appliance and therefore the UDP tunnel.
>>>>>>> 5. It then reaches the OPT1 interface of the remote firewall.
>>>>>>> 6. However, it does NOT come out any interface!!!
>>>>>>> 7. I have an "Allow all protocols from any to any" rule on both the IPsec and OPT1 interfaces, for testing purposes.
>>>>>>> 8. There's nothing in the log saying that the packet was dropped. In fact, there's a log entry which says that the packet was actually allowed into the OPT1 interface!
>>>>>>>
>>>>>>> What has happened to the packet?
>>>>>>>
>>>>>>> NB:
>>>>>>> 1. On the remote side, when the ICMP packet comes out of the UDP tunnel, its source IP is that of the local LAN machine and its destination is that of the remote LAN machine.
>>>>>>> 2. Is this packet being considered a spoofed packet? I modified the file /etc/inc/filter.inc (around line 3105 in pfSense 2.1.4) to disable antispoofing on the OPT1 interface and rebooted both firewalls without any success. I confirmed that the file
Re: [pfSense] Disable antispoofing on an interface
On 14-07-17 12:32 PM, NetSys Pro wrote:
> Here's the output:
>
> Jul 17 21:27:50 fw2 pf: 10.6.2.10 192.168.6.106: ICMP echo request, id 43547, seq 0, length 64
> Jul 17 21:27:52 fw2 pf: 00:00:01.885014 rule 159/0(match): pass in on re0: (tos 0x0, ttl 62, id 1, offset 0, flags [none], proto ICMP (1), length 84)
> Jul 17 21:27:52 fw2 pf: 10.6.2.10 192.168.6.106: ICMP echo request, id 43547, seq 2, length 64
> Jul 17 21:27:52 fw2 pf: 00:00:00.358395 rule 5/0(match): block in on re2: (tos 0x0, ttl 128, id 1110, offset 0, flags [DF], proto TCP (6), length 40)
> Jul 17 21:27:52 fw2 pf: 192.168.6.106.54118 23.214.64.109.443: Flags [R.], cksum 0x4fe4 (correct), seq 1951833685, ack 1897326514, win 0, length 0
> Jul 17 21:27:53 fw2 pf: 00:00:00.628387 rule 159/0(match): pass in on re0: (tos 0x0, ttl 62, id 2, offset 0, flags [none], proto ICMP (1), length 84)
> Jul 17 21:27:53 fw2 pf: 10.6.2.10 192.168.6.106: ICMP echo request, id 43547, seq 3, length 64
> Jul 17 21:27:54 fw2 pf: 00:00:01.148349 rule 159/0(match): pass in on re0: (tos 0x0, ttl 62, id 3, offset 0, flags [none], proto ICMP (1), length 84)
> Jul 17 21:27:54 fw2 pf: 10.6.2.10 192.168.6.106: ICMP echo request, id 43547, seq 4, length 64
> Jul 17 21:27:55 fw2 pf: 00:00:00.874917 rule 159/0(match): pass in on re0: (tos 0x0, ttl 62, id 4, offset 0, flags [none], proto ICMP (1), length 84)
> Jul 17 21:27:55 fw2 pf: 10.6.2.10 192.168.6.106: ICMP echo request, id 43547, seq 5, length 64
> Jul 17 21:27:56 fw2 pf: 00:00:01.011050 rule 159/0(match): pass in on re0: (tos 0x0, ttl 62, id 5, offset 0, flags [none], proto ICMP (1), length 84)
> Jul 17 21:27:56 fw2 pf: 10.6.2.10 192.168.6.106: ICMP echo request, id 43547, seq 6, length 64
> Jul 17 21:27:57 fw2 pf: 00:00:00.989951 rule 159/0(match): pass in on re0: (tos 0x0, ttl 62, id 6, offset 0, flags [none], proto ICMP (1), length 84)
> Jul 17 21:27:57 fw2 pf: 10.6.2.10 192.168.6.106: ICMP echo request, id 43547, seq 7, length 64
> Jul 17 21:27:58 fw2 pf: 00:00:00.995826 rule 159/0(match): pass in on re0: (tos 0x0, ttl 62, id 7, offset 0, flags [none], proto ICMP (1), length 84)
> Jul 17 21:27:58 fw2 pf: 10.6.2.10 192.168.6.106: ICMP echo request, id 43547, seq 8, length 64
> Jul 17 21:27:59 fw2 pf: 00:00:01.031938 rule 159/0(match): pass in on re0: (tos 0x0, ttl 62, id 8, offset 0, flags [none], proto ICMP (1), length 84)
> Jul 17 21:27:59 fw2 pf: 10.6.2.10 192.168.6.106: ICMP echo request, id 43547, seq 9, length 64
> Jul 17 21:28:00 fw2 pf: 00:00:00.971443 rule 159/0(match): pass in on re0: (tos 0x0, ttl 62, id 9, offset 0, flags [none], proto ICMP (1), length 84)
> Jul 17 21:28:00 fw2 pf: 10.6.2.10 192.168.6.106: ICMP echo request, id 43547, seq 10, length 64
> Jul 17 21:28:01 fw2 pf: 00:00:01.040452 rule 159/0(match): pass in on re0: (tos 0x0, ttl 62, id 10, offset 0, flags [none], proto ICMP (1), length 84)
> Jul 17 21:28:01 fw2 pf: 10.6.2.10 192.168.6.106: ICMP echo request, id 43547, seq 11, length 64
>
> What do you think?

Since there's only one block in that list, I'm going to speculate that it represents your missing packet. Also, it refers to re2, which is likely your OPT1 interface if you did things conventionally.

I don't know what rule 5 is, although anything with that low a # is likely to be a system-generated rule. On my system, it's the "Default deny rule IPv6", although that doesn't sound likely in your case. You'll want to run pfctl -vv -s rules | more and tell us what rule 5 is.

It's almost certainly going to be a Default-Deny rule, which means you're missing a firewall rule somewhere. Do you have a rule allowing all protocols from OPT1 to LAN?

-- 
-Adam Thompson
athom...@athompso.net
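Adam reads the log above by eye: find the lone "block" line, note its rule number and interface, then look the rule up with pfctl -vv -s rules. The script below, added here as an example and not part of the thread, does that mechanically over the two-line-per-packet output of clog -f /var/log/filter.log (the command suggested two messages earlier): it pairs each pf rule line with the tcpdump-style packet line that follows it, tolerates a packet line whose rule line already scrolled off, and then summarises events per rule and interface. The log text is a constructed sample modelled on the lines quoted above, with the ">" between source and destination (lost in the archive) restored.

```python
"""Pair pf filter.log rule lines with their packet lines and summarise them.

Input is `clog -f /var/log/filter.log` text: each logged packet produces a rule
line ("rule 5/0(match): block in on re2: (...)") and then a tcpdump-style packet
line. Example code written for this page; it is not pfSense project code.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the clog output quoted in the thread (IPv4 only).
# The first line is deliberately an orphan packet line whose rule line scrolled off.
SAMPLE_LOG = """\
Jul 17 21:27:50 fw2 pf: 10.6.2.10 > 192.168.6.106: ICMP echo request, id 43547, seq 0, length 64
Jul 17 21:27:52 fw2 pf: 00:00:01.885014 rule 159/0(match): pass in on re0: (tos 0x0, ttl 62, id 1, offset 0, flags [none], proto ICMP (1), length 84)
Jul 17 21:27:52 fw2 pf: 10.6.2.10 > 192.168.6.106: ICMP echo request, id 43547, seq 2, length 64
Jul 17 21:27:52 fw2 pf: 00:00:00.358395 rule 5/0(match): block in on re2: (tos 0x0, ttl 128, id 1110, offset 0, flags [DF], proto TCP (6), length 40)
Jul 17 21:27:52 fw2 pf: 192.168.6.106.54118 > 23.214.64.109.443: Flags [R.], cksum 0x4fe4 (correct), seq 1951833685, ack 1897326514, win 0, length 0
Jul 17 21:27:53 fw2 pf: 00:00:00.628387 rule 159/0(match): pass in on re0: (tos 0x0, ttl 62, id 2, offset 0, flags [none], proto ICMP (1), length 84)
Jul 17 21:27:53 fw2 pf: 10.6.2.10 > 192.168.6.106: ICMP echo request, id 43547, seq 3, length 64
Jul 17 21:27:54 fw2 pf: 00:00:01.148349 rule 159/0(match): pass in on re0: (tos 0x0, ttl 62, id 3, offset 0, flags [none], proto ICMP (1), length 84)
Jul 17 21:27:54 fw2 pf: 10.6.2.10 > 192.168.6.106: ICMP echo request, id 43547, seq 4, length 64
"""

TS = r"(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) pf: "
RULE_RE = re.compile(
    TS + r"\S+ rule (?P<rule>\d+)/\d+\(match\): (?P<action>pass|block) (?P<dir>in|out) "
    r"on (?P<iface>\w+): \(.*?proto (?P<proto>\w+) \(\d+\), length (?P<length>\d+)\)"
)
PACKET_RE = re.compile(TS + r"(?P<src>[0-9.]+) (?:> )?(?P<dst>[0-9.]+): (?P<detail>.*)$")


@dataclass
class Event:
    ts: str
    rule: int
    action: str
    direction: str
    iface: str
    proto: str
    length: int
    src: Optional[str] = None
    sport: Optional[int] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    detail: str = ""


def split_host_port(token: str):
    """tcpdump appends the port as a fifth dotted field: 192.168.6.106.54118."""
    parts = token.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return token, None


def parse_pf_log(text: str) -> List[Event]:
    events: List[Event] = []
    pending: Optional[Event] = None  # rule line still waiting for its packet line
    for raw in text.splitlines():
        line = raw.strip()
        m = RULE_RE.match(line)
        if m:
            if pending is not None:  # previous rule line never got a packet line
                events.append(pending)
            pending = Event(m["ts"], int(m["rule"]), m["action"], m["dir"],
                            m["iface"], m["proto"], int(m["length"]))
            continue
        p = PACKET_RE.match(line)
        if p and pending is not None:
            pending.src, pending.sport = split_host_port(p["src"])
            pending.dst, pending.dport = split_host_port(p["dst"])
            pending.detail = p["detail"]
            events.append(pending)
            pending = None
        # Orphan packet lines (no rule line before them) and noise are skipped.
    if pending is not None:
        events.append(pending)
    return events


def blocked(events: List[Event]) -> List[Event]:
    return [e for e in events if e.action == "block"]


def rule_summary(events: List[Event]) -> Counter:
    """Count events per (action, rule number, interface)."""
    return Counter((e.action, e.rule, e.iface) for e in events)


def flow(events: List[Event], src: str, dst: str) -> List[Event]:
    """Events for one source/destination pair, e.g. the ping being traced."""
    return [e for e in events if e.src == src and e.dst == dst]


if __name__ == "__main__":
    evs = parse_pf_log(SAMPLE_LOG)
    for (action, rule, iface), n in sorted(rule_summary(evs).items()):
        print(f"{action:5} rule {rule:>4} on {iface}: {n} packet(s)")
    for e in blocked(evs):  # look these rule numbers up with: pfctl -vv -s rules
        print(f"block rule {e.rule} on {e.iface}: {e.proto} {e.src}:{e.sport} -> {e.dst}:{e.dport}")
```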
Re: [pfSense] Disable antispoofing on an interface
I suspect you need to be looking not for anti-spoofing but for anti-bogon rules. Can't remember what pfSense calls it offhand.

-Adam

On July 14, 2014 6:19:22 PM CDT, NetSys Pro netsys...@live.com wrote:
> Hello everyone,
>
> First of all, please note that I have already posted the question below on the pfSense forum (see https://forum.pfsense.org/index.php?topic=79081.0) since about 1 week without any reply. Given the urgency of the matter, I decided to post to the mailing list, hoping for some here. BTW: I don't know if this will be of any help to obtain a reply, please note that I have a Gold membership subscription as well.
>
> So, regarding my question, I'll copy/paste from the forum as follows:
>
> I have 2 pfSense boxes (both version 2.1.4) connected via the Internet. Each one has 3 interfaces: LAN, WAN & OPT1. There is an IPsec VPN between the 2 pfSense boxes. A WAN optimisation (we'll call it WANOPT) appliance is connected to the OPT1 interface on each side. There is a UDP tunnel between the 2 WANOPT appliances. This UDP tunnel goes inside the IPsec tunnel. I use PBR (as a LAN rule) to redirect traffic going to the remote LAN into the WANOPT appliance.
>
> This is what I've observed after starting to ping a remote LAN machine from a local LAN machine:
> 1. On reaching the local LAN interface, the ICMP echo request is properly redirected to the WANOPT appliance.
> 2. The ICMP request then goes inside the UDP tunnel.
> 3. The UDP packets go into the IPsec tunnel.
> 4. On the remote side, a tcpdump shows that the ICMP packet does come out of the WANOPT appliance and therefore the UDP tunnel.
> 5. It then reaches the OPT1 interface of the remote firewall.
> 6. However, it does NOT come out any interface!!!
> 7. I have an "Allow all protocols from any to any" rule on both the IPsec and OPT1 interfaces, for testing purposes.
> 8. There's nothing in the log saying that the packet was dropped. In fact, there's a log entry which says that the packet was actually allowed into the OPT1 interface!
>
> What has happened to the packet?
>
> NB:
> 1. On the remote side, when the ICMP packet comes out of the UDP tunnel, its source IP is that of the local LAN machine and its destination is that of the remote LAN machine.
> 2. Is this packet being considered a spoofed packet? I modified the file /etc/inc/filter.inc (around line 3105 in pfSense 2.1.4) to disable antispoofing on the OPT1 interface and rebooted both firewalls without any success. I confirmed that the file /tmp/rules.debug did not contain the antispoof directive for the OPT1 interface after reboot. RFC 1918 private IP addresses are not being blocked either.
>
> Thank you for any help.
Re: [pfSense] Squidguard Issues
On 2014-06-06 08:38, Brian Caouette wrote:
> For the past few days I was experiencing issues where squidguard did not always work. Finally this morning I stumbled into the problem. It turns out that if you enable the save bandwidth feature in chrome you can access all the adult sites. If you shut the feature off everything is blocked as expected. I've tested with an android phone and iPad and it works the same. I guess my next question is what port is chrome using for this feature and how do we tell squidguard to also watch for content on this port that also needs to be filtered?

Based on https://developer.chrome.com/multidevice/data-compression , I suspect the answer is: Good luck!

My guess is that it'll be using port 443 to an unpredictable subset of servers inside Google's address space, and I wouldn't be the slightest bit surprised if blocking that traffic pretty much just breaks Chrome on mobile altogether. Google, among others, is moving strongly in the direction of not allowing carriers (including local LAN admins) to silently interfere with HTTP(S) traffic in any way.

The remaining way involves blocking all outbound HTTPS and forcing it all to go through a proxy server... although even there, I wouldn't be surprised if Chrome tunnels HTTPS-over-SPDY-over-HTTPS-over-HTTP(proxy).

Please let us know what winds up working for you.

-Adam
Re: [pfSense] vmware
On May 28, 2014 10:33:59 AM CDT, Brian Caouette bri...@dlois.com wrote:
> 4.1 appears to be the newest this hardware can use.
>
> On 5/28/2014 11:19 AM, Ryan Coleman wrote:
>> 4.1? in /5.x/ you can assign VLANs to NICs and then different NICs to VMs. I don't know about 4.1.
>>
>> On May 28, 2014, at 10:11, Brian Caouette bri...@dlois.com wrote:
>>> I'm looking to use vmware 4.1 on my poweredge 2850 when it arrives. I have a question on how virtual machines work. With a hardware configuration of two nics wan/lan how does each vm use them? Do I need a nic for each vm or as long as each ap is using a different port i'm good to go? I'm thinking a vm for pfsense, another vm for a webserver, etc...

Do yourself a favor, then, and don't use VMware on it. That's akin to deliberately installing a Windows 2000 domain controller today... pfSense itself runs quite well on 2750s and 2850s directly.

-Adam
Re: [pfSense] Pix Replacement?
On 14-05-24 06:33 PM, Kevin Tollison wrote:
> On May 24, 2014 6:41 PM, David Hicks dhi...@509j.net wrote:
>> Group...
>>
>> I realize that I'm posting to a pfSense list, but figure it is still worth posing the question. We are a school district with approximately 2000 internal devices. We are looking at replacing our aging Cisco pix firewalls and are trying to decide between going with a Juniper SRX240 or moving to pfSense. Our expectation is to use for simple firewall and NAT with an openVPN setup for a small number of remote connections. We've been using pfSense in a very simple configuration at one of our smaller school districts for a year with no issues whatsoever. I'm wondering if it is time to make the leap to pfSense for our larger operation and if there are any major cautions people might have that would suggest it is a safer bet to go with a standard name like Juniper.
>>
>> I apologize if this is too broad a question, but figured I'd see if anyone has any feedback to provide.
>
> I'd recommend talking to Chris directly. I'm sure he can generate a support plan that is much more cost effective than anything Juniper has to offer. We have had a support contract for about a year now. Only used it twice. Both issues ended up not being pfSense, but the support team was on the issue almost immediately. Not a direct answer, but a direction I would investigate first for a site(s) of that size.
>
> Kevin

I would also add that while NetScreen firewalls (aka Juniper SRX devices) are slightly better than the equivalent Cisco PIX, they are *NOT* a best-of-breed firewall by any stretch of the imagination. In fact, since SRXs are (except for the monster units) 100% software routers, pfSense gives you very similar technical capabilities at a much lower price point.

If you want a unit you can buy at retail with a built-in warranty, look to FortiGate, Palo Alto, or even Checkpoint. All three are available in a VM if you want to run them on your own hardware, and FG and PA have some hardware acceleration even in the mid-range units. Juniper makes excellent routers, but I wouldn't buy their firewalls if I had any choice in the matter.

Particularly since you want to use OpenVPN, pfSense does make sense. For a head-to-head RFP/quote/etc. (potentially including pre-built hardware), talk to Netgate or ESF; both hang out here (in fact, the two entities are closely related).

-- 
-Adam Thompson
athom...@athompso.net
Cell: +1 204 291-7950
Fax: +1 204 489-6515
Re: [pfSense] pfsense performance
On 14-05-21 08:27 PM, Joseph H wrote:
> Hi Everyone,
>
> I was having a debate with a new network engineer we have and we were discussing how pfSense performs and how it would handle 10G network connections, setup as a transparent firewall, using snort and a few other packages to help monitor and graph traffic. I was saying that as long as it has plenty of CPU and Memory, plus Intel NIC's for the 10G then it would not have any problems doing transparent mode, and there would be no noticeable slowdown or sluggishness.
>
> Does anyone have any statistics they would share or what size server to build, using Intel 10G nic cards?
>
> Thanks in advance.
>
> Joe

Jim just had this argument with Henning Brauer at BSDCan... at those speeds, bandwidth doesn't really matter, packets-per-second matters. In most normal situations, pfSense can pass almost 10Gbit/sec of traffic. However, in a DDOS - or VoIP - scenario, its limited PPS rates (compared to stupidly expensive hardware-accelerated appliances) rapidly will become a bottleneck. Depending on your traffic patterns, you will probably max out on PPS long before you max out on bandwidth.

Transparent mode vs. routed mode probably won't make all that much difference at the scales you're talking about, but I admit I've never tried transparent mode at 1Gbps.

-- 
-Adam Thompson
athom...@athompso.net
Re: [pfSense] My son is able to bypass my captivate portal
On May 11, 2014 1:37:01 PM CDT, Mehma Sarja mehmasa...@gmail.com wrote:
>> My Samsung Chromebook bypasses my router/OpenDNS because it has its own DNS entries.
>>
>> Yudhvir
>
> Basically it takes a DNS call the first time and goes elsewhere. then it corrects itself. If he's got a different DNS set up then either CP does not work or, potentially, it could be bypassed.

The simple solution is to block all outbound DNS at the firewall, but this can also break things (like some Google and Apple devices). Even broken devices usually have a fallback mode, but be careful of what breaks when you do this!

-Adam
Re: [pfSense] ICMPv6 filtering recommendations with pfSense?
On May 8, 2014 12:05:34 PM CDT, Brian Candler b.cand...@pobox.com wrote:
> On 08/05/2014 11:51, Olivier Mascia wrote:
>> On the WAN interface, I'm currently allowing full ICMPv6 in, albeit only from Global Unicast and Multicast addresses. That is: only from 2000::/3 and ff00::/8.
>
> I don't think you'll see any packets with multicast source addresses. It's possible you could see packets with Link-Local source addresses (fe80::/64) from the upstream router, but you may not care.

Sorry for the late addition... Perhaps this was already covered, but if not:

Please don't filter ICMPv6. This is one of the key points every intro-to-v6 class teaches: IPv6 actually *needs* ICMPv6 to function in pretty much every situation. The official guidance on this subject is RFC 4890, "Recommendations for Filtering ICMPv6 Messages in Firewalls". The TL;DR version is "just don't". If a firewall operator can't read the RFC, and accurately distinguish between transit and local traffic, then they shouldn't filter any of it. (Yes, I'm being a hard-ass here, because I already see people breaking IPv6 because they think it's OK to filter ICMP.)

It is probably possible to extrapolate a base set of recommendations that pfSense might be able to build in, similar to how there's a lot of automatic IPv4 filtering under the hood, but I don't believe this has been done yet.

-Adam
Re: [pfSense] Interface options for pfsense
On April 22, 2014 4:58:14 PM CDT, Jim Thompson j...@smallworks.com wrote:
> On Apr 22, 2014, at 3:42 PM, Volker Kuhlmann hid...@paradise.net.nz wrote:
>> On Wed 23 Apr 2014 05:02:59 NZST +1200, Jim Thompson wrote:
>>>> Are there any USB Ethernet adapters that actually work with pfsense? Reliably? I am looking for reports from those who have tried, not the freebsd supported HW list - that list is too long and not really trustworthy (I have a USB wifi adapter which runs for 10min then makes pfsense kernel panic).
>>>
>>> WiFi isn't recommended until at least pfSense 2.2, if then.
>>
>> OK, thanks Jim, good to know. Do you mean this to apply to USB wifi only?
>
> No.
>
>> There are cheap mPCIe atheros-based wifi cards for the PCEngine APU board. Are they known to be reliable?
>
> Yes, I know. We sell thousands of them every month, but not for use in pfSense. Maybe with 2.2 the situation will improve.
>
>>> You can pick up the 8 port HP switches (e.g. 1810-8G aka J9802A) for less than $100 these days. No fan, so noise-free. 8W maximum.
>>
>> Yes, thank you for mentioning that - I had seen that yesterday and their power specs had escaped me when I looked at them previously (some of those similar models do guzzle it). That's my plan B, but I really don't like to use VLANs when I can avoid the clutter and complexity (more bugs, more time spent). A pfsense box with more ports is much easier.
>
> You asked. BTW, VLANs end up as less clutter, not more.
>
> jim

Using VLANs when combined with LACP is also (literally, mathematically) infinitely more resilient to many common types of physical failure, and gives you the added bonus of being able to exceed the speed of a single link in many cases.

-Adam
Re: [pfSense] Interface yoyo
On 14-04-21 03:46 PM, Bryan D. wrote:
> FYI, in my case there was no MAC spoofing and the issue occurred when an hme port was used for a LAN and/or WAN interface.
>
> I don't have the resources, right now, but it'd be good if someone could try a raw OS-only install and see whether the issue exists there. Presumably that would eliminate pfSense's code or make it the more likely source.

If any of the devs want to test this hardware, I have at least one just sitting on the shelf I can ship to you. (I thought I had 3 or 4 of them, maybe they're still sitting in the E450s that are also sitting on the shelf. Well, actually on the ground, but only because I don't have any shelves that can hold *those*.)

--
-Adam Thompson
athom...@athompso.net
[pfSense] 2.1 can't auto-update anymore?
My own 2.1-release pfSense now can't auto-update. After I navigate to the Firmware > Auto Update tab, I get:

Downloading new version information...done
Unable to check for updates.
Could not contact pfSense update server http://updates.pfsense.org/_updaters

with no corresponding log entries anywhere. The Dashboard exhibits the corresponding "Unable to check for updates." issue. Packages > Available still works.

Manual testing (telnet updates.pfsense.org 80) indicates there's no problem talking to that web server. (N.B. appears to work on both IPv4 and IPv6, I tested all three addresses.) I can even use the command-line ftp client to download latest.tgz!

I have rebooted today, just in case something was stuck.

One last thing to try... yup, upgrading from the console works fine.

Did I miss something obvious? How can php from the console work, but php from the webserver not work?

--
-Adam Thompson
athom...@athompso.net
Re: [pfSense] successor to ALIX is here
On 14-04-05 12:32 PM, Jim Thompson wrote:
> This SANS paper has a description of the common attacks against a VLAN segmentation architecture, as well as countermeasures to same. It includes code to demonstrate several of the attacks.
>
> https://www.sans.org/reading-room/whitepapers/networkdevs/virtual-lan-security-weaknesses-countermeasures-1090

Jim, thank you for that - I've been looking for published references to convince one of the companies I work with that VLANs are secure enough for their needs.

--
-Adam Thompson
athom...@athompso.net
Re: [pfSense] New intel atom board
On 14-04-05 02:02 PM, Jim Thompson wrote:
>> http://techcrunch.com/2014/04/03/intel-releases-99-minnowboard-max-an-open-source-single-board-computer/?utm_campaign=fbncid=fb
>>
>> An interesting platform for pfSense? It looks like it only has 1 NIC though.
>
> I looked at this earlier in the week when it was released. It’s interesting, [...] and Circuitco is just up the highway in Richardson, TX. I’ve considered driving up and seeing what it would take to take the schematics (when they are available) and have a board built with 2 Ethernets (rather than one), and maybe a miniPCIe socket (for an 802.11 NIC, as pfSense 2.2 should make a lot more of these work, or possibly an m-sata drive), in addition to pulling the expansion header off, and connectorizing the serial ‘debug’ header for a proper console.

Given the high up-front costs to produce a variant board, wouldn't it be easier, faster and cheaper to just use the expansion header, which IIRC includes two PCIe 1x lanes? If a breakout cable existed that provided 2 PCIe slots, it would be possible to simultaneously have much more flexibility in enclosure design (e.g. PCIe cards underneath the board?) as well as flexibility in choice of add-on. I don't see that a breakout cable exists yet for the high-speed expansion bus, so there's that minor (*cough*) problem... but that seems a much smaller problem than re-tooling the board.

> We would need a simple enclosure as well. Painted (or powder-coated) steel is less expensive than anodized aluminum, but I think the anodized aluminum looks

In case you don't have a local firm you're happy with, talk to Protocase for sample qtys. I've seen them be cheaper than mass mfg for small runs of simple cases (e.g. interlocked-U style).

> The other issue is single or dual core and 1GB or 2GB ram (4GB?)?

The stock 2GB version should be adequate (barely) IMHO for most applications that function with that class of CPU/ethernet/storage anyway.

Much more interesting to me would be if a small, low-cost board like that were available with ECC. That CPU does support ECC RAM, after all...

> How interesting is the m-sata / miniPCIe option?

Not to me, as I tend to deploy pfSense at the higher-end of the spectrum, but *some* way to add WiFi would probably be important for the putative target audience. USB probably won't cut it for an AP, so mPCIe is probably needed. Again, expansion-header-to-mPCIe should be possible instead of reworking the board... and unlike PCIe 1x sockets, that wouldn't take up much more room than putting the mPCIe headers on the board.

> How you can help: Indicate your level of interest.

Neat, but not commercially interesting to me right now. Linksys/ASUS/D-Link make cheaper gateways that are good enough for home users, and commercial users will either get a FortiWiFi (or equivalent) or if pfSense, re-use an existing rackmount server.

> This board would without a doubt cost more than the minnow board. I don’t know how much more, but we’re not going to hit the same volumes as the minnow board. (I could be wrong.) The minnow board could be subsidized by Intel. (I could be wrong.)

See above comments :-). I'm not sure if a breakout cable is 100% workable, but if so it's a faster/cheaper option than mPCIe.

> It’s going to require a significant investment (up-front NRE), an investment in getting a run of these made, and some return on those investments (profit).
>
> How important is form-factor? Larger PCBs cost more, but can sometimes relax routing enough to not need additional layers (fewer layers tend to cost less).

Smaller is better. Otherwise I may as well just deploy a miniITX or 1U system. Which, yes, argues *against* using a breakout cable for PCIe.

> - dual core or single core? Remember that pfSense 2.2 (which is based on FreeBSD 10) supports a pf capable of multi-threading.

Good question - optimize for today or for tomorrow?

--
-Adam Thompson
athom...@athompso.net
Re: [pfSense] DNS resolution issues under heavy load
On Mar 25, 2014, at 8:45 AM, David Noel david.i.n...@gmail.com wrote:
> Well, it looks like it's the cable modem after all. Under load I'm unable to connect to its admin panel, even when I'm directly connected to it. I called Comcast's technical support and had them run their diagnostics on it while everything was running and it failed miserably. The tech agreed with the conclusion that the modem was incapable of handling the load.
>
> So it looks like I'm in the market for a new cable modem. I'm not sure how to find one that will meet my needs though. Any DOCSIS 3 compatible modem will work on Comcast's network. Does anyone know of any models that are designed for heavy load? I'd probably need something that was built for networks of ~10,000 users. I'm not sure what sort of load 10,000 users generates, but I suspect it would peak around the 10-100 requests per second that my crawlers are putting out.
>
> If not, can anyone recommend a place where I might be able to find an answer to this question? Mailing list? Web forum? IRC channel, even? I'd really rather not have to pull specs on every DOCSIS 3 compatible modem and make a best guess based on microcontrollers/CPUs.

Short answer: no DOCSIS cable modems are designed for that kind of throughput! Juniper sells MX480 routers to 10,000-customer ISPs for ~$250k! (Granted, that *is* overkill, but even 10k-user corporations will have fairly high-end routers connected via fiber to handle that much traffic.)

Your best bet, I think, would be to find a DOCSIS 3 cable modem that can be put into bridging mode. At that point, the CPU/RAM limitations of the cable modem are no longer relevant.

Some confirmation:
- http://jkoblovsky.wordpress.com/2012/11/21/how-to-use-your-own-router-with-rogers-docsis-3-0-upgrade/
- http://communityforums.rogers.com/t5/forums/forumtopicpage/board-id/Getting_connected/thread-id/12199 (implies Hitron and Moto/ARRIS modems can also do bridge-mode)
- http://digitalhome.ca/forum/showthread.php?t=145997page=6 (implies SMC modem can do bridge mode)
- http://www.dslreports.com/faq/comcast/2.1_Modems#17174 (Comcast-specific)

Once your modem is in bridge mode, the bottleneck should be your router. As you've mentioned, your ALIX boxes are pretty much at their limit, too, so you're just moving the bottleneck around.

Apologies if I've missed something fundamental - I haven't followed this thread from the beginning...

--
-Adam Thompson
athom...@athompso.net
Re: [pfSense] 802.1q dhcp and pf 2.1 and esxi 5.0
On 14-03-22 01:09 PM, Wade Blackwell wrote:
> Good morning all from the very dry Central Coast of California,
>
> So still struggling with PF on esxi 5.1 and Charter DHCP responses never being received. Mark, I did confirm the cheap SMB switch I have doesn't support DHCP snooping. Sean, I did confirm that CDP was disabled on the Charter side. I made 3 changes one at a time and I was hoping that one of them would effect a change, no such luck. Changes in order: moved from a standard virtual switch (esxi 5.1) to a distributed virtual switch; changed the interface type in PF to VMXnet2 from e1000; and finally tried trunking all the way down to the OS, creating vlan interfaces on the PF (not sure why I thought more abstraction from the hardware would be better). So all that said I can still see a lot of layer 2 activity on the interface, gratuitous arps and dhcp requests and offers being bandied about, but I never do see my responses come back. I see them head out never to return. Anyone else seeing this (with any provider) issue with PF in software? I'm fairly remote and ATT PPPoE is fine for backup but it's painfully slow for VOIP and every day use. Any suggestions would be fabulous. Thanks all.
>
> On Wed, Oct 30, 2013 at 4:54 PM, Sean Cavanaugh millenia2...@hotmail.com wrote:
>> Make sure to set “no cdp enable” on the port that’s going to your cable modem. A lot of cable companies will shut down connections that broadcast those by default so as not to broadcast the networks together. I had the same issue with my Comcast connection until I found out about the CDP issue.
>>
>> *From:* list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] *On Behalf Of* Wade Blackwell
>> *Sent:* Saturday, October 26, 2013 4:00 PM
>> *To:* list@lists.pfsense.org; supp...@pfsense.org
>> *Subject:* [pfSense] 802.1q dhcp and pf 2.1 and esxi 5.0
>>
>> I have *2.1-RELEASE* (amd64) running on esxi 5.0 with a Cisco managed L2 switch (SG200-26) in between esxi and the charter cable modem. I see my dhcp discovers go out (broadcast); I never see any dhcp traffic come back. Charter's been out a few times, they did determine that they see my discover and they respond though I don't see the reply. With a dedicated interface they can get an address off the modem. ASCII art below:
>>
>> charter cable modem--g24 cisco vlan 5---esxi vlan5--pf em0
>>
>> I've tried this dedicating a vnic to a standalone vswitch with no 802.1q and I've tried 802.1q on the esxi side. The cable modem port is always an access port in vlan 5. STP has been disabled on the charter modem port. Every port has portfast enabled and the mac timers have been cranked down to the minimum, 10 seconds I believe. I've captured traffic from vlan 5 and g24 (cable modem port) and seen the same thing, dhcp discovers go out, nothing comes back. I'm thinking there has to be a handful of folks on this list who have dealt with this and succeeded. Any advice would be fabulous, I'd like to keep my L3 in software if I can. Thanks so much.

Start over from first principles, then.

1. Plug a laptop or PC directly into the Charter modem. Verify that it gets a DHCP-assigned IP.
2. Run the pfSense LiveCD or USB image on that same hardware. Verify that it gets a DHCP-assigned IP.
3. Repeat with a different NIC (use another PC/laptop if necessary); maybe Charter limits the # of distinct MAC addresses the modem will learn (my local cableco does this). Rebooting the modem is usually sufficient to clear that, but some carriers require a call to tech support.
4. Connect a dedicated pNIC on the ESXi box to the cable modem; create a dedicated vSwitch and a dedicated vKernel port set to DHCP; verify it gets a DHCP-assigned IP.
5. Remove the vKernel port and create a vNIC; assign that to the pfSense VM. Verify it gets a DHCP-assigned IP.
6. You can also try hardcoding the MAC address of the vNIC to be the same as one of the previously-functional NICs, if it's a #-of-MAC-addresses problem.
7. Lastly, do all this again through the switch.

Yes, that's a fair bit of work, but it should show you 100% conclusively where the problem lies. I'm betting the problem will either manifest at step #2 or at step #7.

--
-Adam Thompson
athom...@athompso.net
Re: [pfSense] [v2.1] configuring OPT1 as hosted services firewall?
The obvious problem is that it looks like you have two interfaces in the same subnet. That (generally) doesn't work unless you are a routing guru in the first place and know exactly what you're doing. Which, with apologies for bluntness, you obviously don't.

The problem isn't with pfSense, it's with your entire concept of how IP works. Go read a book on IP first, then try again? (Sorry if I'm wrong, but it seems like the problem is at that level...)

-Adam

On Feb 21, 2014 7:13 PM, Ryan Coleman ryanjc...@me.com wrote:
> Does anyone have any ideas?
>
> Thanks!
>
> On Feb 20, 2014, at 4:04 PM, Ryan Coleman ryanjc...@me.com wrote:
>> I’m moving away from single server design on my ESXi box to dedicated guests for each service but I cannot seem to get those dedicated services through the firewall.
>>
>> I have a 29bit subnet (IPs 1 through 5). Everything is internal to the ESXi (5.1) server.
>>
>> .1 = pfSense Firewall
>> .2 = OPT1 interface on pfSense
>> .3 = Customer VM (will port over to OPT2 after this works)
>> .4 = All-in-one hosted VM
>> .5 = Same All-in-one hosted VM
>>
>> I am going to eliminate .4 and .5 as I pull specific services out and into VMs (I’ve already moved the basic part of the FTP, the entire SQL server and LDAP to internal systems). But whenever I set up NAT rules on .2 it seems to be using .1’s stuff.
>>
>> I will have the following pushed through:
>> FTP
>> WWW (one primary, each subserver has functioning Apache for their services)
>> IMAP
>> SSL/SMTP
>> SSH (via pushed ports to each server)
>>
>> Any thoughts would be helpful. The biggest thing I need to get running now is the FTP part - I cannot get it to push through nor will it register on the firewall log that it’s being blocked.
>>
>> — Ryan
Re: [pfSense] Unbound
On 14-02-16 08:11 AM, Brian Caouette wrote:
> What do you recommend for settings? Can you provide some screen shots? I also noticed the stats this morning show nothing in the unbound cache. No matter how many sites I visit nothing shows up in there. Yesterday when it first started working there were thousands. Not sure what's going on with it.

That may be normal. Unbound actually flushes its cached data when it's supposed to, unlike dnsmasq which deliberately holds on to stale data. Note that this isn't a bug in dnsmasq, it's a way to solve a specific issue that improves most people's experience.

Bottom line: using unbound is going to make you a lot more standards-compliant, and potentially a lot more secure, but also slower. There isn't a lot of point running unbound unless you're worried about cache poisoning or you want to do DNSSEC validation.

My unbound config starts like this:

---snip---
server:
    verbosity: 1
    interface: 0.0.0.0
    interface: ::0
    access-control: X.X.X.0/24 allow_snoop
    access-control: X.X.X.0/24 allow_snoop
    access-control: X.X.X.186/29 allow_snoop
    access-control: X:X:X::/48 allow_snoop
    statistics-interval: 3600
    extended-statistics: yes
    cache-max-ttl: 3600
    infra-host-ttl: 600
    log-time-ascii: yes
    log-queries: yes
    root-hints: named.cache
    unwanted-reply-threshold: 1000
    prefetch: yes
    prefetch-key: yes
    module-config: "validator iterator"
    val-permissive-mode: no
    val-log-level: 2
    auto-trust-anchor-file: /var/unbound/etc/ta/root.key
---snip---

Do make sure that if you have DNSSEC validation turned on, that you also have updated the trust anchor; stale TAs will cause lots of problems. Turning on prefetch can help in some situations. Having a stale root hints file will also cause problems. I don't run unbound on my pfSense box, so I don't recall if pfSense automatically updates the TA and/or the root-hints for you.

--
-Adam Thompson
athom...@athompso.net
Re: [pfSense] Unbound
On 14-02-15 12:22 PM, Brian Caouette wrote:
> I've been trying to use unbound with poor results. Currently it resolves very very slowly. About 4 times longer than the default dns forwarder. Once the site is found and loaded however browsing the site is incredibly fast. Curious what might be the cause of the slow down on initial lookup and how I might correct it?

Generally, this behaviour is caused by two things:
1. recursing from the root nameservers instead of your ISP's upstream DNS server, which means there is no cache for you to use
2. DNSSEC validation (which unbound does, but most resolvers still don't) takes a noticeable amount of extra time.

--
-Adam Thompson
athom...@athompso.net
Re: [pfSense] How to monitor left (free) space on hard drive ?
On 14-02-09 02:21 PM, David QuayCendre wrote:
> Hello,
>
> I'm looking for monitoring of the space left on my pfSense hard drive. I found this shell script: http://bash.cyberciti.biz/monitoring/shell-script-monitor-unix-linux-diskspace/
>
> It seems to work but the mail function does not exist! The pfSense shell says: mail: not found
>
> I'm just looking for a little script or solution. Do you already monitor free space? Can we send mail in the shell?

1. It's displayed on the main Dashboard, down at the bottom: "Disk usage".
2. (I think) It's available via SNMP, if you have that turned on.
3. No, you can't send mail via the mail command, however pfSense comes with a different command that you *could* use if you're dead set on sending email from the firewall, /usr/local/bin/mail.php. It requires that you have an SMTP server configured correctly under System > Advanced > Notifications.

--
-Adam Thompson
athom...@athompso.net
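Adam's item 3 is the piece the cyberciti script is missing on pfSense, so here is how a free-space check would hand its report to mail.php instead of mail(1). This is added example code, not from the thread or from pfSense itself; the 90% default threshold, the -s subject flag and stdin body for mail.php are my assumptions, and the df output embedded in it is constructed.

```sh
#!/bin/sh
# Added example (not from the list post): a free-space check for pfSense that
# reports through /usr/local/bin/mail.php, since mail(1) is not installed.
# Assumption: mail.php takes the subject with -s and reads the body on stdin;
# it needs an SMTP server configured under System > Advanced > Notifications.

THRESHOLD="${THRESHOLD:-90}"          # alert when usage reaches this percent
MAILER="/usr/local/bin/mail.php"

# Read `df -P` output on stdin and print "<mountpoint> <percent>" for every
# filesystem whose Capacity column is at or above the limit given as $1.
# -P forces the POSIX one-line-per-filesystem format, so the columns are stable.
over_threshold() {
    awk -v limit="$1" '
        NR > 1 {
            pct = $5
            sub(/%/, "", pct)
            if (pct + 0 >= limit + 0) {
                print $6, pct
            }
        }'
}

# Constructed sample of `df -P` output (not captured from a real box) so the
# parsing can be exercised without touching the local filesystems.
SAMPLE_DF='Filesystem 1024-blocks Used Available Capacity Mounted on
/dev/ada0s1a 15000000 9000000 4800000 65% /
/dev/ada0s1d 2000000 1900000 40000 98% /var'

# Run the parser over the constructed sample with the limit given as $1.
demo_over_threshold() {
    printf '%s\n' "$SAMPLE_DF" | over_threshold "$1"
}

# Live check: look only at UFS filesystems (FreeBSD df supports -t type, which
# keeps devfs and friends out of the report) and mail a report if any of them
# is over the threshold. Nothing is sent when all are below it.
live_check() {
    report=$(df -P -t ufs | over_threshold "$THRESHOLD")
    if [ -n "$report" ]; then
        printf 'Filesystems at or above %s%% on %s:\n%s\n' \
            "$THRESHOLD" "$(hostname)" "$report" |
            "$MAILER" -s "pfSense disk usage warning"
    fi
}

# Only touch the real filesystems when invoked as: sh diskcheck.sh --live
if [ "${1:-}" = "--live" ]; then
    live_check
fi
```

Run it from cron with --live; without the flag it only defines the functions, so it can be sourced and tested.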
Re: [pfSense] Lan Card Support
It should, as that card will either use standard Intel or Broadcom Ethernet chips. There is always a small possibility that any given card may be incompatible, but in your case I would expect that to be almost negligible. If the card is a brand-new model or revision, you are more likely to have problems.

-Adam

On Jan 6, 2014 11:42 AM, rajan agarwal rajanagarwa...@gmail.com wrote:
> Hi All,
>
> I am about to put pfSense in a production box. I will be using IBM Quad Port Gigabit PCIe Ethernet Card P/N.: 39Y6136. Will pfSense version 2.0.1 support this particular LAN card? I can't find the name of this LAN card on the freeBSD 8.1 hardware support page.
>
> Regards
Re: [pfSense] strange IPv6 routing problem
On 14-01-05 04:57 PM, Nicolas Bélan wrote:
> Hello :)
>
> Sure it is strange, can you launch the ssh server in debug mode (non detaching daemon) and check /var/log/message or secure on B? Can you also provide a packet capture with tcp flags? It may be different causes... maybe the cause is located on B, or on pfsense... not sure...

Never mind. Attached directly to subnet B, still have the same problem so it's not pfSense after all. :-(

Now to try and figure out why linux hosts don't like IPv6.

-Adam
Re: [pfSense] Bridging 3 virtual interfaces together?
On 14-01-05 09:44 AM, Benjamin Swatek wrote:
> Hi all,
>
> following up on this thread: Bridge LAN ports to act like a switch http://forum.pfsense.org/index.php?topic=48947.0
>
> I am looking for a way to bridge 3 VLAN interfaces together so they act as one inside the pfSense box for the purpose of traffic shaping on the bridge. Now the 3 interfaces still need to act as single interfaces running 3 different DHCP servers on each. I looked into the above thread, but just bridging the 3 interfaces together they lose their IP addresses, which is something that I can’t afford as they serve 3 different LANs.
>
> I want to *join* the interfaces together inside pfSense so I can throw all the traffic together in one big queue and start shaping according to subnet and ports.
>
> Any hints?

That thread makes my head hurt, it's a bunch of people who don't understand the difference between Layer 2 and Layer 3 arguing about how to make it work.

Here's the only hint I could find: http://blog.davidvassallo.me/2012/10/23/traffic-shaping-pfsense/

And... the whole *point* of bridging is that you lose the individuality of each NIC at Layer 3 (where IP lives).

I think what you might want is to create 3 VLAN interfaces on the trunk port, then 1 non-VLAN interface on each of 3 independent NICs, then bridge one NIC and one VLAN together... 3 times. You'll wind up with 3 bridges. However, comparing that to the link I provided above doesn't result in any obvious solution for you.

Another solution would simply be to route instead of bridging.

As usual, I strongly suggest referring to a primer on the OSI model and make sure you fully understand the difference between Layer 2 (ethernet) and Layer 3 (IP), and the corollary, the difference between switching/bridging and routing. You've also got VLANs thrown in there, which actually live at layer 2 but have layer 3 implications.

Despite the fact pfSense supports traffic shaping on bridges, I'm not certain it'll be possible in your exact scenario without several more complicated steps.

--
-Adam Thompson
athom...@athompso.net
[pfSense] strange IPv6 routing problem
I'm having an issue with IPv6 state tracking, I think.

I run a fully dual-stacked environment. pfSense 2.1-RELEASE acts as the gateway between two subnets (two VLANs, but I don't think that makes any difference here). In IPv4, one subnet (A) is publicly-routable address space, the other (B) is RFC1918. In IPv6, both subnets are publicly-routable address space.

I have a management workstation on subnet A that needs to reach servers in subnet B. I've added two static routes on the router for subnet A, one IPv4, one IPv6, pointing to pfSense as the next-hop.

I've disabled automatic outbound NAT, and modified the three automatically-generated rules to have Destination NOT subnet A, in other words, I don't NAT between subnets A and B, only between B and the outside world (via A). There are no port forwards in place.

On the WAN interface, I have four rules:
1. allow all IPv6 to WAN interface
2. allow all IPv4 to WAN interface
3. allow all IPv6 from A to B
4. allow all IPv4 from A to B

That's it - the simplest possible configuration I could come up with for this role. (Incidentally, the reason I'm using pfSense at all is because the two routers for subnet A provide non-stateful HA, which makes NAT quite problematic.)

What I see is that when I ssh from A to B using IPv4, everything works fine. The session shows up in the firewall state table as expected, and performs as expected. If I ssh from A to B using IPv6, however, the session connects, I log in, and after a short while, the ssh session stalls. The session does NOT show up in the state table, ever, even while it's still working properly. I can restart the SSH session immediately, and it again will work for a while, failing after ~50 packets have been exchanged.

I've run simultaneous packet captures on the pfSense WAN and LAN interfaces, but they show me nothing of interest. I looked at filter.log, but it's so noisy I didn't get any value out of it yet.

Any ideas or thoughts? How can my session work in the first place without a state table entry, why does it die after ~50-100 packets? Why is only IPv6 affected? Have I missed something fundamental?

--
-Adam Thompson
athom...@athompso.net
Re: [pfSense] Bridging 3 virtual interfaces together?
On 14-01-05 08:56 PM, Benjamin Swatek wrote:
> I’m only looking to push 8Mbps through two 3Mbps and one 2 Mbps ADSL lines (MultiWAN) for each of which I pay more than the national minimum wage - this is Bolivia - trying to satisfy my business’s needs to answer emails asap as well as my clients’ expectations for a fast WiFi - that is people who don’t have a clue how expensive 1 Mbps is compared to the 1st world. So yes, my links are constantly congested ;-)

Oops, I've mixed you up in my mind with someone else who recently asked for assistance with VLANs and trunking, but they wanted to use a pfSense box *as* a switch. I've steered you the wrong way altogether!

> I have a TP-Link 8 port switch ( http://tinyurl.com/m2rbcdt ) that connects the 3 LANs and the 3 WANs to the pfSense Box. But I’m not sure anymore what help it is. I had the LANs coming in on their own physical NICs, but couldn’t get them together for QoS either. I can get them all in their own queue for shaping, but that way I could only limit each LAN individually, not taking into account what the other one needs.

You've got everything you need. The only place you can usefully control QoS in your environment is on the *UP*link to your ADSL provider. If you have NICs dedicated to each subnet, then you're already at 1Gbps dedicated to each subnet. Not really, because pfSense on that hardware can't do 1Gbps, but at least ethernet isn't the bottleneck.

By controlling upstream bandwidth, you can have *some* effect on downstream bandwidth. By ensuring that no single upstream link is 100% congested, you will almost certainly improve response time and latency.

There will be absolutely no benefit to putting a traffic-shaping policy on inbound traffic; I can explain the logic behind this statement if it's not obvious, but in short: the data has already arrived at the DSL modem (and thereby filled up the pipe) long before pfSense can touch it; by the time pfSense sees the packet, it's far too late to do any traffic shaping. If you could put a matching pfSense box at the ISP's location (hooked up to a 10- or 100-Mbit port), you could then usefully apply QoS in both directions. But, good luck with that, most ISPs (speaking as a former ISP operator, here) won't understand or care, or if they do they'll charge you an arm and a leg.

I believe what you need is a standard multi-WAN setup. No VLANs or trunking are needed at all in your situation. You will need to apply a traffic shaping policy on all three WAN connections; you can apply the identical policy on all, or different policies on each. If you're using pfSense's multi-WAN feature with equal weights, I recommend placing the same traffic policies on all three lines.

However, bundling the three DSL connections together this way won't produce the results you expect; pfSense doesn't magically bond uplinks and downlinks together - no standard router or firewall really can do a good job of that. pfSense does a decent job of load-balancing, but the end results are imperfect and do not magically reflect a 3x increase in usable bandwidth. Make sure you read https://doc.pfsense.org/index.php/Multi-WAN_2.0 ; you might want to buy the pfSense book, it's included in the $99 Gold subscription from Electric Sheep Fencing (see https://portal.pfsense.org/subscribe-for-access.php).

You might want to have a look at Mushroom's Truffle router. Yes, I'm serious, that's the real name of the product. It might be useful to you, or it might not. Latency from Bolivia might suck if you use their cloud service on the far end; you might still have to find somewhere to host the server side to get the most out of the bonding mode they offer.

Good luck, feel free to ask for clarification here if needed.

--
-Adam Thompson
athom...@athompso.net
Re: [pfSense] pfsense - pfsense vlans and trunking without the aid of switches
On 13-12-30 11:09 AM, John Wells wrote:
> Thanks Adam. But I shouldn't have to reduce the MTU across the entire network, since I'm really only using the VLAN tagging on ports which exist within the pfsense box, correct? For example, in my diagram, packets which reach LAN switch A and B won't be tagged... at least, I don't think they will be... what I think *should* happen is that the tagging will get added and stripped at the nics which exist in the pfsense boxes.
>
> Additionally, I have two quad port cards, one newer (which I'm not 100% certain supports the additional bytes added by vlans but am hoping to find out) and one older. You seem to imply I only need one port on the newer card to support the inter-pfsense link, but as far as I can tell I'd need it on both pfsense boxes (one port per box) to do what I'm trying to do, since the different networks exist at each end of the trunk, correct?

Umm... yes, I think. I've deleted the message that contained the link to your diagram, so I'm going by memory now.

From what I recall, in your network, only two ethernet NICs need to be able to fully support VLAN tagging in hardware: the trunk port on each pfSense box that connects to its peer. So, yes, use one port on each quad-port NIC (one per pfSense machine) as the 802.1q-tagged, trunking, inter-pfSense-instance link. The ports connecting to the non-VLAN-aware switches do not need to support VLAN tagging in hardware, as they will not be transmitting or receiving any VLAN-tagged frames at all.

--
-Adam Thompson
athom...@athompso.net
Re: [pfSense] Problems with Realtek 8168/8111 nic
On 13-12-09 06:47 PM, Adrian Zaugg wrote:
> The only suspicious thing I see on the failing box are some of such messages:
>
> kernel: pid 37699 (php), uid 0: exited on signal 11 (core dumped)
>
> They are not in an obvious relation to an ethernet event.

Spurious signal 11 (SEGV) messages tend to indicate faulty hardware, in my experience. Most typically, bad or marginal RAM. That can in turn be caused by bad or marginal power - both the PSU and the circuitry on the motherboard.

Although this may sound bizarre, check your motherboard(s) for bulging or leaking capacitors. It's entirely possible that the increased power draw as both CPU and Ethernet interface start to get busier is enough to cause a transient error. I've seen many motherboards with bad capacitors that work fine at idle and fail under load due to increased power draw.

Of course, this may not be your problem at all, but it's worth eliminating.

Remember that when it comes to failing components, replacing a suspect piece of hardware with an identical piece of hardware of roughly the same age (e.g. you have a spare in storage) does NOT prove anything - particularly with faulty capacitors, hardware can develop faults while sitting in a box on a shelf.

--
-Adam Thompson
athom...@athompso.net