Re: [pfSense] best ipsec cipher for aes-ni on sg-8860

2017-12-09 Thread Adam Thompson
I had found an older thread saying that the "XCBC" hashes were OK, since they 
were effectively "free" as long as you used one of the AES-GCM ciphers.
Same thread (can't find it now, sorry) also indicated that the GCM mode ciphers 
were more, uh, completely??/rapidly?? accelerated than CBC.
Can't vouch for the accuracy, this is just what I found when I had the same 
question last year.
-Adam

On December 9, 2017 2:56:07 PM CST, Chris L  wrote:
>AES-GCM with all hashes disabled in the ESP/Phase 2.
>
>
>> On Dec 9, 2017, at 12:03 PM, Karl Fife  wrote:
>> 
>> You might try...
>> 
>> (Wait for it)
>> 
>> ...AES.
>> 
>> 
>> On 12/9/2017 4:02 AM, Eero Volotinen wrote:
>>> Hi,
>>> 
>>> What is the best ipsec ciphers for aes-ni ipsec acceleration?
>>> 
>>> Eero
>>> ___
>>> pfSense mailing list
>>> https://lists.pfsense.org/mailman/listinfo/list
>>> Support the project with Gold! https://pfsense.org/gold
>> 
>

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


Re: [pfSense] 2.3.5 to 2.4.2 on SG-2440 failed accessing repository

2017-12-04 Thread Adam Thompson
Well, that explains why the rest isn't working.
Fix DNS and your problems will (hopefully) go away.
-Adam

On December 4, 2017 2:41:25 PM CST, Pete Boyd <petes-li...@thegoldenear.org> wrote:
>On 04/12/2017 20:39, Adam Thompson wrote:
>> Do you have functional DNS from the CLI?
>
>No, I can't ping google.com or localdomain names.
>
>
>
>-- 
>Pete Boyd
>
>Open Plan IT - http://openplanit.co.uk
>The Golden Ear - http://thegoldenear.org



Re: [pfSense] 2.3.5 to 2.4.2 on SG-2440 failed accessing repository

2017-12-04 Thread Adam Thompson
The "no address record" error is interesting... Do you have functional DNS from 
the CLI?
-Adam

On December 4, 2017 2:29:09 PM CST, Pete Boyd wrote:
>On 04/12/2017 20:11, Steve Yates wrote:
>> If you ssh to the device and pick the option to update from its
>> console menu, does it update there?
>
>No, those package repository errors are what I'm seeing when doing
>that.
>
>I tried the swapping to different repositories in the GUI, trying
>update
>from console, back and forth, as described in the page you linked to,
>but that hasn't helped, each time it has the same repository errors.
>
>
>
>-- 
>Pete Boyd
>
>Open Plan IT - http://openplanit.co.uk
>The Golden Ear - http://thegoldenear.org



Re: [pfSense] Using LAGG interfaces with CARP to allow future router replacements

2017-11-28 Thread Adam Thompson
Yes, there's downtime to set up LAGs.  So this won't help avoid all downtime.
Since the SG-2440 just went EOL, I would expect the SG-4860 will also go EOL 
soon, perhaps next quarter (Q1’18).
There is a small performance hit.  It's not large - certainly not large enough 
that I ever cared to measure it.  Unless you are pinning the CPU regularly, I 
expect it would be undetectable.
There is a much bigger hit in complexity, since you still can't set up LAGs 
during initial setup, necessitating a dedicated mgmt interface to avoid certain 
types of "oops, oh shit" problems.
-Adam

On November 28, 2017 5:08:48 PM CST, Steve Yates  wrote:
>   We had two routers set up using CARP and unfortunately had some issues
>with them, and currently have a temporary router in place.  We will be
>replacing the temp router with a SG-4860 1U HA however that
>unfortunately has different interface names, so state sync won't work,
>and the cutover won't be transparent.
>
>   I understand from
>https://doc.pfsense.org/index.php/Redundant_Firewalls_Upgrade_Guide#pfSense_2.2.x_and_pfsync
>that using LAGGs can work around this.  My question is, is it worth
>setting up LAGGs just to allow for future proofing to have the state
>sync working on disparate devices if we ever replace a router down the
>road?  Is there any sort of performance penalty or significant
>complexity?
>
>   Note we have five CARP interfaces, IPv4 and IPv6 for WAN and LAN, and
>a LAN IPv4 on a second subnet.  So as a first run-through on LAGGs, it
>seems like we would need at least four LAGGs for the WAN and LAN
>interfaces (we can ignore the secondary LAN for this purpose)?  So we
>would set up four LAGG interfaces using Failover (?) with one interface
>each, and have WAN and LAN use those?
>
>   Avoiding downtime would be really nice, but I don't think we can get
>around that at this point (for this router replacement) since LAGGs
>apparently can't be set on an interface that is in use already and thus
>there would be downtime to set up LAGGs on our temp router anyway.
>
>--
>
>Steve Yates
>ITS, Inc.
>


Re: [pfSense] 2.4 Bricked my APU4 Netgate

2017-11-25 Thread Adam Thompson
If you're going to even consider blaming widely-used software for hardware 
problems, then absolutely, yes, please do this, if only to stop the accusations.
If you don't reboot regularly, now's a good time to change that policy, too.  
We aren't running NetWare 3.1 any more.  No reboots = no patches.
And of course be aware that many hardware problems only show up at reboot.  The 
Intel Atom flaw being the most recent prominent example I can think of.
-Adam

On November 25, 2017 5:47:13 AM CST, Manuel Dejonghe  wrote:
>On 24 November 2017 at 01:35, Jim Thompson  wrote:
>> If there is no response from the bootloader (coreboot) on the serial
>> port, then the hardware died, and the upgrade’s only involvement was
>> the reboot at the end.
>
>Sounds like it's good advice to reboot manually before the upgrade,
>so that if it fails, you know why it failed. Would you agree?


Re: [pfSense] problems with lagg interfaces?

2017-10-17 Thread Adam Thompson
No, you misunderstood the last response.
You have not provided enough information yet to determine what the problem is.

Three things have been suggested:
1. It *might* be a bug *similar* to one someone else encountered using 
different hardware (which does not even exist on your firewall),
2. You could open a ticket with Netgate support,
3. You can try running tcpdump on the underlying interfaces to see what's 
happening there.

If you don't know how to manually troubleshoot LACP issues or VLAN issues, I 
suggest you open that support ticket.
If you are reasonably confident in your ability to troubleshoot one or the 
other, then go ahead and use tcpdump (with the -e option) to figure out which 
part is broken and why.

Also:

Since pfSense does not allow LAG creation from the command-line, building a 
one-armed router like this is a dangerous design unless you have a spare 
interface for management through the webui.  I learned that the hard way :-/.

-Adam

On October 17, 2017 10:16:24 AM CDT, Eero Volotinen wrote:
>So sad. How to downgrade to 2.3?
>
>
>Eero
>
>2017-10-17 17:57 GMT+03:00 :
>
>> On 2017-10-17 16:54, Ivo Tonev wrote:
>>
>>> Even if your VLAN doesn't come up, you can capture traffic on the
>>> physical interfaces with tcpdump.
>>> See what you can capture before any other move.
>>>
>>
>>
>> if the lagg(4) works while you run tcpdump(8), it's (most likely) a
>> driver bug like bxe(4)
>>
>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=213606
>>
>>
>> IMHO.
>>
>>



Re: [pfSense] pfSense virtualisation

2017-10-10 Thread Adam Thompson
The only thing I would caution against is having your only gateway to the 
Internet running on a single host or cluster - this makes troubleshooting VERY 
difficult when the host or cluster fails.  Been there, done that.
So I have one H/W gateway running the internet pipe, then all the internal 
firewalls are virtual.
-Adam


On October 10, 2017 2:57:29 PM CDT, Doug Lytle  wrote:
>> Or do you think I am absolutely crazy? Or maybe just one hardware
>> and one virtual?
>
>Quite a few of my firewalls are virtualized using ESXI and have done so
>for a few years now.
>
>Doug



Re: [pfSense] pfsense 2.4rc wirespeed?

2017-09-03 Thread Adam Thompson
The speedtest server code is not optimized for high upload speed measurement.  
When running speedtest from a machine on the same subnet, in the same rack in 
the same data center as the speedtest server (I worked for an ISP) you will 
still get funny results.  Or even two VMs running on the same hypervisor, more 
recently at a different ISP.
Use iperf or something (anything!) better to make more accurate measurements 
before questioning pfSense, IMHO.
-Adam

On September 3, 2017 3:59:24 AM CDT, Eero Volotinen wrote:
>Hi,
>
>Is there any setting to optimize pfsense nat speed?
>
>Tried with speedtest and upload speed is a bit slow?
>
>Retrieving speedtest.net configuration...
>Testing from Suomi Communications (77.246.193.181)...
>Retrieving speedtest.net server list...
>Selecting best server based on ping...
>Hosted by Elisa Oyj (Helsinki) [9.91 km]: 3.648 ms
>Testing download speed
>Download: 882.05 Mbit/s
>Testing upload speed
>Upload: 249.09 Mbit/s
>
>Link is symmetric gigabit carrier grade line. Just wondering why upload
>speed is so slow and download is much faster?
>
>--
>Eero



Re: [pfSense] IPsec NAT/BINAT not working

2017-08-24 Thread Adam Thompson
I always thought that this behaviour was because of the way IPSec is bolted on 
to the network stack in FreeBSD 9, that IPsec literally took over the packet 
before it could get NAT'd.
Certainly, I was recently surprised to discover that IPSec VPN tunnels take 
precedence over local connected interfaces when the addresses overlap.
-Adam


> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Kilian Ries
> Sent: August 24, 2017 01:43
> To: pfSense Support and Discussion Mailing List 
> Subject: Re: [pfSense] IPsec NAT/BINAT not working
> 
> Just tried Bypassing Policy Routing, but it doesn't work. Traffic is still
> routed through WAN interface.
> 
> 
> Also tried setting up a gateway and appropriate route, but i can only see
> packets on the Lan interface, not on the IPsec interface:
> 
> 
> https://forum.pfsense.org/index.php?topic=135384.0
> 
> 
> From: List on behalf of Chris L
> 
> Sent: Tuesday, 22 August 2017 19:36:05
> To: pfSense Support and Discussion Mailing List
> Subject: Re: [pfSense] IPsec NAT/BINAT not working
> 
> On Aug 22, 2017, at 8:09 AM, Kilian Ries  wrote:
> > Hi,
> >
> > my setup is the following:
> >
> > Site A:
> > Lan: 192.168.100.0/24
> > Lan_IP: 192.168.100.1
> > Transfer: 10.2.81.0/24
> > Transfer_IP: 10.2.81.1
> >
> > Site B:
> > Lan: 10.2.82.0/24
> > Lan_IP: 19.2.82.1
> >
> > I'm doing a site-to-site IPsec which is working. I can ping from both
> > routers (pfsense, juniper) to each other (10.2.81.1 <-> 10.2.82.1) but not
> > from the clients in my LAN (192.168.68.x <-> 10.2.82.x). I'm now trying to
> > set up a Transfer-Net with NAT / BINAT routing:
> >
> > Site B should reach the clients on site A via a 10.2.81.x ip-address and
> > not via a 192.168.100.x ip-address. So I want to map 10.2.81.0/24 <->
> > 192.168.100.0/24.
> >
> > First I tried to do this via the NAT/BINAT setting inside the IPsec
> > settings:
> >
> > Site A IPsec Phase2
> > Local Network: 192.168.100.0/24
> > NAT/BINAT translation: 10.2.81.0/24
> > Remote Network: 10.2.82.0/24
> >
> > That didn't work and I tried the same thing with 1:1 NAT from the
> > Firewall tab:
> >
> > Site A
> > External subnet IP 10.2.81.0
> > Internal IP: 192.168.100.0/24
> > Destination: 10.2.82.0/24
> >
> > No matter which mapping I choose, if I try to ping from 192.168.100.x to
> > 10.2.82.x, pfsense routes the request through the WAN interface instead
> > of the IPsec / Transfer-Net Interface. How can I tell pfsense to route the
> > traffic from my Lan through the IPsec tunnel (not WAN) and do the NAT?
> 
> You might be policy routing that traffic out the WAN interface using rules
> that match the traffic on the 192.168.100.0/24 interface with a gateway
> or gateway group set.
> 
> Try bypassing policy routing for the remote subnet using a pass rule
> above that with the destination 10.2.82.0/24 and no gateway set.
> 
> https://doc.pfsense.org/index.php/Bypassing_Policy_Routing
> 



Re: [pfSense] Internal Certificate and Internal Network.

2017-08-17 Thread Adam Thompson
Error messages.
Log files.
Configuration data.
Network topology.
Route tables.


We have nothing to work with yet.

-Adam
(Yes, I know I'm being hypocritical here because I've done the same thing.  
Thank you for not reminding me...)

On August 17, 2017 10:51:43 AM CDT, Kleber Carvalho wrote:
>Hello,
>
>
> The proxy is working well to external sites but we have an
>internal environment and the proxy is not able to find it.
>
>
>
>Regards.
>
>
>
>On Thu, Aug 17, 2017 at 4:30 PM, WebDawg  wrote:
>
>> You say the proxy does not work.
>>
>> What do you mean?
>>
>> What errors do you get?  What are you observations?
>>
>> On Wed, Aug 16, 2017 at 8:06 AM, Kleber Carvalho wrote:
>> > Hello,
>> >
>> > We are having difficulties with Internal Certificates and
>> > Internal Network.
>> > Below I will try to explain details about that.
>> >
>> > Our Pfsense is not gateway of our network and it is not a transparent
>> > proxy; all the browsers need the input configurations about proxy. In the
>> > proxy is configured "HTTPS/SSL Inspection" and SquidGuard, it is also
>> > integrated with Active Directory.
>> > All the outside traffic is working well but all the internal
>> > sites/network are not working.
>> > We have a certificate CA microsoft to all internal applications,
>> > however our proxy does not work.
>> > I would like to know what I can do to solve this problem. Your help
>> > will be highly appreciated.
>> >
>> > Regards.
>> >
>> > --
>> > Kleber da Silva Carvalho, Certified Professional.
>> > CCNA R | CCNA Security | CCNP Security | LPIC-1 | LPIC-2 | LPIC-3 | LPIC-3 303 | Novell CLA 11 | Novell DCTS | ITIL v3 | COBIT 4.1
>>



[pfSense] IPSec to overlapping subnet - unexpected behaviour

2017-08-11 Thread Adam Thompson
Any ideas how I install an IPSec tunnel to a remote subnet that overlaps with a 
local subnet while not completely killing the local subnet?


This isn’t _quite_ as insane as it sounds at first glance:

The SPD (i.e. Phase 2) selectors on my side are from a single /32 IPv4 address 
on the LAN that needs to monitor half a dozen servers on three subnets in a 
foreign network.  And one of those subnets overlaps with a locally-connected 
subnet.

Despite the /32 selector, it appears that all traffic through pfSense destined 
for (in this case) 192.168.100.0/24 is getting routed down the tunnel instead 
of out the connected interface.


The kernel routing table still looks correct (i.e. 192.168.100.0/24 via link#2 
netif igb0) but packets from other subnets no longer arrive.

I vaguely recall that IPSec in FreeBSD 10 doesn’t actually happen at the kernel 
routing table level, it’s somehow bolted on to the if_input/if_output code path 
(or something kinda like that).


So what *appears* to have happened is that my IPSec tunnel from 
192.168.158.11/32 to 192.168.100.0/24 is diverting *all* traffic from 
192.168.158.0/24 to 192.168.100.24/0.  I guess I’m not terribly surprised, but 
I wasn’t expecting that to happen when I had set a very narrow selector for the 
local end.  (It’s perfectly OK if 192.168.158.11 can’t talk to the *local* 
192.168.100.0 subnet.)


Is this a bug in FreeBSD’s IPSec implementation, or is this expected behaviour?


Is there a way to accomplish what I want?  (That being that I have an IPSec 
tunnel to a remote subnet that overlaps a local subnet, with both being 
reachable and reachability being controlled by policy somehow.)


I know on certain other firewalls where IPSec tunnels appear as virtual 
interfaces, I can use policy routing to accomplish my goal, but I don’t know of 
any way to do that with pfSense.


Thanks,

-Adam

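A small model of the lookup order the post describes, added here as an example (it is not code from the post, pfSense or FreeBSD): the SPD is consulted by source and destination selector before the kernel routing table chooses an egress interface, so a Phase 2 whose remote network overlaps a connected subnet can shadow that route. The ROUTES and SPD tables are constructed from the addresses in the post; the LAN interface name igb1 and first-match SPD semantics are assumptions. With the /32 local selector the model tunnels only 192.168.158.11's traffic, which is what the post expected; widening the local selector to /24 reproduces the diversion the post observed. shadowed_routes() is the check to run before adding a Phase 2 whose remote network overlaps anything in the routing table.

```python
import ipaddress

# Constructed from the post: kernel routing table (most specific prefix wins) and the
# IPsec SPD (Phase 2 selectors).  Interface names other than igb0 are hypothetical.
ROUTES = [
    (ipaddress.ip_network("192.168.100.0/24"), "link#2 igb0"),  # locally connected subnet
    (ipaddress.ip_network("192.168.158.0/24"), "link#1 igb1"),  # LAN holding the monitor host (igb1 assumed)
    (ipaddress.ip_network("0.0.0.0/0"), "default via WAN"),
]
SPD = [
    # (local selector, remote selector): only the one monitoring host is meant to be covered
    (ipaddress.ip_network("192.168.158.11/32"), ipaddress.ip_network("192.168.100.0/24")),
]


def route_lookup(dst, routes=ROUTES):
    """Longest-prefix match, as the kernel FIB does it."""
    dst = ipaddress.ip_address(dst)
    best = max((r for r in routes if dst in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def spd_match(src, dst, spd=SPD):
    """Return the first SPD entry whose local AND remote selectors both cover the packet.
    Sources outside the local selector fall through to normal routing."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for local, remote in spd:
        if src in local and dst in remote:
            return (local, remote)
    return None


def classify(src, dst, spd=SPD, routes=ROUTES):
    """Policy (SPD) is checked before routing; a match means the packet is tunnelled."""
    entry = spd_match(src, dst, spd)
    if entry is not None:
        return f"ipsec {entry[0]} -> {entry[1]}"
    return route_lookup(dst, routes)


def shadowed_routes(spd=SPD, routes=ROUTES):
    """Pre-deployment check: every (local selector, remote selector, route) triple where a
    Phase 2 remote selector overlaps a connected or static route.  For the sources the
    local selector covers, the tunnel will take precedence over that route."""
    hits = []
    for local, remote in spd:
        for prefix, via in routes:
            if prefix.prefixlen > 0 and remote.overlaps(prefix):
                hits.append((str(local), str(remote), str(prefix), via))
    return hits


if __name__ == "__main__":
    print(classify("192.168.158.11", "192.168.100.7"))  # tunnelled: both selectors match
    print(classify("192.168.158.12", "192.168.100.7"))  # connected route: source not in /32
    print(shadowed_routes())                             # the overlap the post ran into
```

The model reports the overlap up front; whether the running IPsec stack honours the source half of the selector the way the model does is exactly what the post is asking, so treat shadowed_routes() output as a reason to test on a lab box before putting such a Phase 2 into production.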

Re: [pfSense] IPv6 1:1 NAT problems

2017-08-02 Thread Adam Thompson
You could be right, I was writing from memory and ... tbh, I don't care enough 
to go look it up again :).  They shut down, that's a pain in the butt, I was 
already on HE anyway, end of story for me.
I would do the same here, except that (IMHO) Google's refusal to support DHCPv6 
on Android is completely asinine.  So my phone still doesn't get an IPv6 
address here at home :-(.
(Note: Apple products work perfectly.)

It's interesting to speculate about what will happen at some future date when 
HE turns off (or starts charging for) their tunnel service...  I haven't heard 
anything credible yet, but I assume it'll happen someday.

-Adam

> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Moshe
> Katz
> Sent: August 2, 2017 21:38
> To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
> Subject: Re: [pfSense] IPv6 1:1 NAT problems
> 
> Adam,
> 
> Actually, the reason SIXXS shut down is exactly the opposite of what you
> said. SIXXS shut down because IPv6 adoption was going too slow and a
> number of ISPs were actually telling their customers "we don't plan to
> implement
> IPv6 because you can get it from SIXXS if you really want it." In effect,
> ISPs were using tunnels as a way of *reducing *IPv6 rollouts.
> 
> Vick,
> 
> I also have an HE tunnel at home because my ISP is dragging their feet
> about implementing IPv6. In fact, my main guest WiFi network runs
> *only* IPv6.
> Most of my guests only care about Gmail and YouTube, and those have
> been
> IPv6 enabled for ages. It's an experiment to see how many visitors can
> get away with not noticing that they have no IPv4 connectivity.
> 
> Moshe
> 
> --
> Moshe Katz
> -- mo...@ymkatz.net
> -- +1(301)867-3732
> 
> On Wed, Aug 2, 2017 at 10:32 PM, Adam Thompson <athom...@athompso.net> wrote:
> 
> > So?  Neither do I.  I don't have native IPv6 at the office either.
> > But both are fully IPv6-connected.
> > That's what Hurricane Electric tunnels are for.  (And SIXXS, formerly,
> > but they've decided that IPv6 penetration has reached a point where
> > they're not needed anymore.  Hahahaha...)
> >
> > http://www.tunnelbroker.net/
> >
> > Disclaimer: my home situation is a bit of an anomaly - the nearest HE
> > IPv6 tunnel endpoint is <5msec away from my home router [wireless, not
> > DSL or cable], and my ISP has a 10Gbps connection to them.
> > Performance is VERY satisfactory.  However, even my office, where the
> > nearest HE tunnel endpoint is 30+msec away gets perfectly acceptable
> > performance on IPv6.
> > Largely because IPv6 paths tend to be shorter and transit fewer
> > routers.
> > (There are a number of factors at play; sometimes IPv6 is tunneled
> > over IPv4, which means the path isn't *really* shorter.)
> >
> > -Adam
> >
> > > -Original Message-
> > > From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Vick
> > > Khera
> > > Sent: August 2, 2017 21:28
> > > To: pfSense Support and Discussion Mailing List
> > > <list@lists.pfsense.org>
> > > Subject: Re: [pfSense] IPv6 1:1 NAT problems
> > >
> > > Nice. Thanks for the explanation. My IPv6 knowledge is slowly being
> > > built up. Not having IPv6 at my home router makes it hard to play
> > > with. I've not had the courage to bring "live" my direct allocation
> > > at the data center yet.
> >
> >



Re: [pfSense] IPv6 1:1 NAT problems

2017-08-02 Thread Adam Thompson
So?  Neither do I.  I don't have native IPv6 at the office either.  But both 
are fully IPv6-connected.
That's what Hurricane Electric tunnels are for.  (And SIXXS, formerly, but 
they've decided that IPv6 penetration has reached a point where they're not 
needed anymore.  Hahahaha...)

http://www.tunnelbroker.net/

Disclaimer: my home situation is a bit of an anomaly - the nearest HE IPv6 
tunnel endpoint is <5msec away from my home router [wireless, not DSL or 
cable], and my ISP has a 10Gbps connection to them.  Performance is VERY 
satisfactory.  However, even my office, where the nearest HE tunnel endpoint is 
30+msec away gets perfectly acceptable performance on IPv6.  Largely because 
IPv6 paths tend to be shorter and transit fewer routers.  (There are a number 
of factors at play; sometimes IPv6 is tunneled over IPv4, which means the path 
isn't *really* shorter.)

-Adam

> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Vick
> Khera
> Sent: August 2, 2017 21:28
> To: pfSense Support and Discussion Mailing List 
> Subject: Re: [pfSense] IPv6 1:1 NAT problems
> 
> Nice. Thanks for the explanation. My IPv6 knowledge is slowly being built
> up. Not having IPv6 at my home router makes it hard to play with. I've
> not had the courage to bring "live" my direct allocation at the data center
> yet.




Re: [pfSense] IPv6 1:1 NAT problems

2017-08-02 Thread Adam Thompson
Sadly, yes.  Partly due to providers like OVH who don't "get" prefix delegation.
Also, how else do you multi-home without running BGP?  (Keeping in mind that 
the overwhelming majority of networks around the world have no access to BGP.)  
That's one of the specific use cases for Network Prefix Translation.  (I don't 
have the RFC handy, sorry.)
-Adam

> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Vick
> Khera
> Sent: August 2, 2017 21:20
> To: pfSense Support and Discussion Mailing List 
> Subject: Re: [pfSense] IPv6 1:1 NAT problems
> 
> Is NAT even a thing with IPv6?



[pfSense] IPv6 1:1 NAT problems

2017-08-02 Thread Adam Thompson
(If you work for Netgate – would a paid support subscription include helping me 
diagnose the problem here, and get this working?  I’m not 100% clear if this is 
in scope or not.)


I’ve encountered an – apparently – unusual problem when trying to enable 1:1 
NAT for IPv6.

I’m also having a similar problem with NPt, actually, and since they both seem 
to use the same pf(4) “binat” directive, I suspect they might be related.


All IPs here are obfuscated because the list gets archived, but the last two 
octets/hextets[1] and subnet masks are all copied as-is.  I’ll be happy to 
provide actual IP addresses in private emails, if you think that’s where my 
problem lies.


Scenario:

*   OVH private cloud (so same non-delegated, NDP-only IPv6 address space 
I’ve mentioned previously)
*   pfSense VM was deployed from official OVA file
*   OVH has allocated 1:2:3:4::/56, 1.2.3.48/28 and a few more IPv4 
subnets, all bound to the same router interface on their end, connected to the 
WAN VLAN on the pfSense VM.  The IPv6 allocation is *NOT* delegated, it’s a 
simple interface binding on their router.
*   pfSense WAN address is 1.2.3.49/28 and 1:2:3:4::49/56.  Default 
gateways are 1.2.3.62 and 1:2:3:4:::::.
*   pfSense LAN address is 10.1.1.1/24 and fd60::1/64.  It is the default 
gateway.
*   One other VM exists on the “LAN” V(X)LAN[2], providing public services 
over tcp/80, tcp/443 and tcp/22.
*   Firewall rules are trivial for debugging purposes: Allow Any/Any/Any on 
WAN and Allow Any/Any/Any on LAN.
*   IPv4 Proxy ARP VIP exists for 1.2.3.50/28
*   1:1 NAT for 1.2.3.50/32 <- -> 10.1.1.2/32 exists, seems to work fine.


Notes:

*   I have multiple tenants within my OVH private cloud.
*   I want them all on separate VLANs, both to slightly increase security 
(no sniffing/snooping/spoofing attacks) and also to simplify IPSec tunnel setup.
*   I can’t use NPt because OVH isn’t delegating or routing that /56 to me. 
 (If they would just &^%$#@! *route* the blocks to me, I’d be done a month ago…)
*   I’m “allocating” /64s out of that /56 for each customer purely 
administratively, i.e. on paper


What’s happening (that I think is a bug)

*   pfSense itself has IPv6 connectivity at this point, yay.
*   I create a VIP for 1:2:3:4::50/56.
*   If and only if the VIP type is “IP Alias”, then:

*   Other VMs on the same WAN segment can ping :50.
*   External nodes cannot ping :50, until I force a “gratuitous NDP” (that 
shouldn’t even be a thing…) by pinging the default gw with the source address 
set to :50.  There might be a timer involved and I’m too impatient? Dunno, 
anyway this gets global traffic routing working.

*   The moment I create a 1:1 NAT entry for 1:2:3:4::50/128 <- -> 
fd60::2/128, all IPv6 on the WAN stops working.  pfSense no longer replies to 
Neighbour Solicitations packets from the gateway, which… well… breaks IPv6 
pretty thoroughly.  I can still see the incoming NDP packets using tcpdump, but 
no responses.


But:

*   If I do this with “Proxy ARP” VIP instead of “IP Alias” VIP, I can 
never ping :50, but creating the 1:1 NAT entry still breaks IPv6 on the WAN 
interface.
*   If I set the WAN interface address to something elsewhere in the range 
(e.g. 1:2:3:5::1/56) and then set up NPt between, say, 1:2:3:4:0/64 (WAN) and 
fd60::/64 (LAN), IPv6 from pfSense itself does not break, but pfSense also does 
not respond to Neighbour Solicitations for IPs in that range, so I don’t have 
functional IPv6 to or from the LAN.  This is a documented limitation, and it’s 
not supposed to work.


So I’m lost.  Why on earth would *creating* a 1:1 NAT entry for a pair of /128s 
break IPv6 (NDP, anyway) for the firewall itself?  Why does creating the 
equivalent NPt mapping *not* break the firewall? 


While I’m pissed at OVH for refusing to delegate or route the /56, it seems 
this should still be *possible*, even if awkward, to deploy.  But my IPv6 
breakage seems very weird – but what on earth could I be doing SO differently 
that it breaks for me but no-one else?


Thanks,

-Adam


[1] https://en.wikipedia.org/wiki/Hextet - you got a better word? Let me know!

[2] From pfSense’s perspective, it’s just another segment.  Internally, OVH 
uses VMware NSX VXLANs to emulate VLANs to emulate broadcast domains.  As far 
as I can tell, this “just works”.  It doesn’t seem to be part of the problem, 
anyway.


Re: [pfSense] IPv6 problem at OVH

2017-08-02 Thread Adam Thompson
I've got IPv4 working, as I said, using the Proxy ARP (or IP Alias, both work) 
VIP.
I still don't have IPv6 working, though.

I'm running into a situation where 1:1 NAT for IPv6 seems to either a) simply 
not work at all, or b) utterly kills all IPv6 on the firewall for reasons I 
don't understand yet.

Before I dive into details, can anyone confirm that they have 1:1 NAT working 
for IPv6 in production?

(Eh, I'll start a new thread anyway.)

-Adam

> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Jon
> Copeland
> Sent: August 1, 2017 16:10
> To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
> Subject: Re: [pfSense] IPv6 problem at OVH
> 
> We have this exact setup.  You are correct, you will need Virtual IP's for
> each public WAN IP that OVH have assigned you.  We have separate
> services listening on x.x.x.1, x.x.x.2, x.x.x.3 etc, works like a charm.
> 
> JC
> 
> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Adam
> Thompson
> Sent: August-01-17 12:57 PM
> To: list@lists.pfsense.org
> Subject: [pfSense] IPv6 problem at OVH
> 
> Wondering how anyone else manages (or would manage) this scenario:
> 
> * Private Cloud at OVH.  (Runs VMware, which isn't terribly relevant
> AFAICT.)
> * OVH provides a single VLAN that is connected directly to their router
> * ALL public IP addresses are terminated on that VLAN (i.e. bound
> directly to that interface on their router) including the entire IPv6 /56.
> *** As a consequence, all IPv4 addresses must respond to ARP, and all
> IPv6 addresses must respond to NDP, in order to be successfully publicly
> routed.
> (And yes, they gave me an entire /56 of IPv6... that isn't routed or
> broken up in any way.  And they won't subnet or route anything to me.
> Yay.)
> * Meanwhile, I have public services (multiple tenants) running on
> multiple VLANs, each behind a single pfSense firewall with a WAN
> interface in the massive public-address-space VLAN.
> * I very much want the service address to be different from the firewall
> address, i.e. the firewall WAN i/f might be bound to 1.2.3.4, then I want
> the publicly-accessible service to live at 1.2.3.5, so that I can distinguish
> based on reverse DNS whether outbound connections are coming from
> the firewall or from the customer's server.  This works great with IPv4, a
> Proxy ARP VIP, and 1:1 NAT.
> * I also need to provide IPv6 connectivity inbound AND outbound, ideally
> with the same reverse-dns differentiation.
> 
> I've tried 1:1 NAT, which seems to break IPv6 altogether every time I
> configure it (although JimP can't reproduce it yet, so presumably it's
> somehow environment-specific).  I'm unclear whether this will work
> anyway with the NDP adjacency requirement.
> 
> I've tried NPt, which doesn't do NDP, and so doesn't work in this
> scenario.
> 
> The next thing I can try (but haven't yet) is an IP Alias VIP with Port
> Forwarding, and then... maybe a custom Outbound NAT rule?
> 
> Am I missing something fundamental?  I know what OVH is doing is
> stupid (NDP for an entire /56?  Fee fi fo fum, I smell a DoS attack...) , but
> they have 2000+ other customers on this exact platform, surely ONE of
> them must have a similar situation!  I know IPv6 is new, but ... surely one
> of them must run IPv6?
> 
> Again: IPv4 isn't a problem because Proxy ARP works great and solves
> the silliness of them not routing those allocated subnets to me.  IPv6 is a
> problem because pfSense has to handle NDP *and* do NAT and I can't
> find a way to make it do that properly.
> 
> 
> Thoughts/opinions/brickbats welcome.
> -Adam
> 
> P.S. I seem to not be receiving emails from the list reliably, kindly CC me
> if you don't mind...



Re: [pfSense] IPv6 problem at OVH

2017-08-02 Thread Adam Thompson
I can't speak to their other platforms, but the Private Cloud offering is based 
on VMware, and does not permit the use of MAC addresses other than the one 
assigned to the VM.  So CARP immediately fails there.
Amusingly (not), there's even a special plug-in in the VMware client that is 
supposed to let me enable "OVH CARP" (it appears its function is to toggle the 
VMware distributed vSwitch setting allowing "forged" MAC addresses and 
promiscuous mode) but it doesn't actually work as it relies on the cluster 
being connected to a Cisco Nexus 1000v vSwitch, which OVH appears to have 
deprecated and removed.
So, in any case, anything that requires MAC address changes won't work.
-Adam


> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Olivier
> Mascia
> Sent: August 2, 2017 02:31
> To: pfSense Support and Discussion Mailing List 
> Subject: Re: [pfSense] IPv6 problem at OVH
> 
> > On 2 Aug 2017 at 00:39, Matthew Hall wrote:
> >
> >> The real issue is that HA setup of a couple of pfSense is impossible
> >> with such an awkward IPv6 setup as OVH imposes to us.
> >
> > Just curious: how does it break CARP + pfSync?
> 
> I don't have the exact specifics in memory right now, but I'll see to dust
> off some old notes. I remember it was inextricable. But could be a bug in
> VRRP implementation on OVH side and nothing to do with the way they
> (don't) route the IPs (as CARP + pfSync works fine on IPv4 on the same
> platform and the way they deliver IPv4).
> 
> Without those notes, the most specific I remember is that packets were
> coming in randomly on the master (processing them) and the slave
> (properly ignoring them). Just as if the same MAC was seen on both on
> their OVH side.
> 
> 
> --
> Best Regards, Meilleures salutations, Met vriendelijke groeten, Olivier
> Mascia, http://integral.software
> 
> 


[pfSense] IPv6 problem at OVH

2017-08-01 Thread Adam Thompson

Wondering how anyone else manages (or would manage) this scenario:

* Private Cloud at OVH.  (Runs VMware, which isn't terribly relevant 
AFAICT.)

* OVH provides a single VLAN that is connected directly to their router
* ALL public IP addresses are terminated on that VLAN (i.e. bound 
directly to that interface on their router) including the entire IPv6 
/56.
*** As a consequence, all IPv4 addresses must respond to ARP, and all 
IPv6 addresses must respond to NDP, in order to be successfully publicly 
routed.
(And yes, they gave me an entire /56 of IPv6... that isn't routed or 
broken up in any way.  And they won't subnet or route anything to me.  
Yay.)
* Meanwhile, I have public services (multiple tenants) running on 
multiple VLANs, each behind a single pfSense firewall with a WAN 
interface in the massive public-address-space VLAN.
* I very much want the service address to be different from the firewall 
address, i.e. the firewall WAN i/f might be bound to 1.2.3.4, then I 
want the publicly-accessible service to live at 1.2.3.5, so that I can 
distinguish based on reverse DNS whether outbound connections are coming 
from the firewall or from the customer's server.  This works great with 
IPv4, a Proxy ARP VIP, and 1:1 NAT.
* I also need to provide IPv6 connectivity inbound AND outbound, ideally 
with the same reverse-dns differentiation.


I've tried 1:1 NAT, which seems to break IPv6 altogether every time I 
configure it (although JimP can't reproduce it yet, so presumably it's 
somehow environment-specific).  I'm unclear whether this will work 
anyway with the NDP adjacency requirement.


I've tried NPt, which doesn't do NDP, and so doesn't work in this 
scenario.


The next thing I can try (but haven't yet) is an IP Alias VIP with Port 
Forwarding, and then... maybe a custom Outbound NAT rule?


Am I missing something fundamental?  I know what OVH is doing is stupid 
(NDP for an entire /56?  Fee fi fo fum, I smell a DoS attack...) , but 
they have 2000+ other customers on this exact platform, surely ONE of 
them must have a similar situation!  I know IPv6 is new, but ... surely 
one of them must run IPv6?


Again: IPv4 isn't a problem because Proxy ARP works great and solves the 
silliness of them not routing those allocated subnets to me.  IPv6 is a 
problem because pfSense has to handle NDP *and* do NAT and I can't find 
a way to make it do that properly.



Thoughts/opinions/brickbats welcome.
-Adam

P.S. I seem to not be receiving emails from the list reliably, kindly CC 
me if you don't mind...



Re: [pfSense] pfsense twitter account making rude comments.

2017-02-23 Thread Adam Thompson
Not just default - many MUAs (gmail, outlook, virtually every web-based 
service) don't correctly handle or in some cases even _permit_ the traditional 
method at all.

Much like IRC and two spaces after a period, in-line or appended replies are now 
historical relics, broadly replaced by things that completely ignore the older 
technologies' design decisions and strengths.  Welcome to the future. :-(

-Adam


On February 23, 2017 12:51:44 AM CST, Jim Thompson  wrote:
>Because that's what most MUAs default to these days. (joke
>intended)
>
>On Thu, Feb 23, 2017 at 12:38 AM, WebDawg  wrote:
>
>> Why does everyone top post on this list?

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


Re: [pfSense] SG-1000 and VPN

2017-01-25 Thread Adam Thompson
Jim,
Asking you to speculate here...
Assuming someone *is* working on drivers for the chip's crypto capabilities, 
when that finally happens, do you have any notion of how much faster IPsec will 
get?  Are we talking 2x or 100x?
-Adam


On January 25, 2017 7:45:49 PM CST, Jim Thompson  wrote:
>Steve,
>
>It currently does 21 Mbps IPsec (AES-GCM-128), in a lab environment,
>because there is no driver for the crypto core (yet).
>
>OpenVPN is slightly slower (19 Mbps).
>
>It's always strange to see your name on the list. The president of ADI
>shares your name, so I tend to pay a lot more attention to what you
>post. 
>
>Jim
>
>> On Jan 25, 2017, at 6:15 PM, Steve Yates  wrote:
>> 
>> That's what I'm trying to ask, if the SG-1000 would work for that.
>> 
>> --
>> 
>> Steve Yates
>> ITS, Inc.
>> 
>> -Original Message-
>> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of A Mohan Rao
>> Sent: Tuesday, January 24, 2017 11:41 PM
>> To: pfSense Support and Discussion Mailing List
>> Subject: Re: [pfSense] SG-1000 and VPN
>> 
>> Better, you can use site-to-site VPN; it is the best solution.
>> 
>>> On Wed, Jan 25, 2017 at 11:08 AM, WebDawg  wrote:
>>> 
 On Tue, Jan 17, 2017 at 10:16 AM, Steve Yates wrote:
 
 We have a client who wants to set up one remote user (in a fixed 
 location) with a hardware VPN connection back to the office.  The 
 office has about 5 active PCs at any given time.  This would be the 
 only VPN user.
 
 Has anyone used one of the new micro SG-1000 units with a VPN yet?  
 Either as a remote site or as a SOHO router + VPN host?  Just wondering 
 how the ARM CPU would stack up.  The specs say 200k active (non-VPN) 
 connections...
 



[pfSense] IGMP querier?

2016-05-06 Thread Adam Thompson
In pfSense 2.3, how do I cause the firewall to generate IGMPv2 or v3 
Query packets?
I know there's an IGMP proxy feature, but that's kind of useless without 
a querier.
I don't actually need the firewall to do multicast routing, I just need 
a querier so snooping works on one of my subnets.

Thanks,
-Adam



Re: [pfSense] USB3 to ethernet adaptor

2016-05-02 Thread Adam Thompson

On 16-05-02 06:20 AM, Rafael Aquino wrote:

From: "Frans Meulenbroeks" 

Has anyone experience using USB3 to ethernet adapters ? I need an extra
interface but my HW (Intel NUC) does not have room for another card).
Anything recommendable?
Best regards, Frans.
Hi there,

I've tried once a USB multi-function LAN adapter (it's also a USB3 hub) with 
pfSense 2.2.x.
I've connected the internet on it, and used the onboard NIC as LAN interface. I've 
experienced some strange behaviors,
like some instability on the internet when traffic has raised. Some logs were 
shown on the screen by the time the problems occurred.
It was a test for a client, so I've replaced the machine to solve those 
problems, but I believe I was using a cheap
adapter (I can't tell you the manufacturer, because it doesn't say on it).



In general, all USB ethernet adapters will be at least *slightly* 
unreliable, regardless of whether it's USB3 or USB2.


Your best bet is:
  a) find one with a well-supported chipset in FreeBSD (this is *much* 
easier said than done, sorry...)
  b) connect it as close to the on-board USB hub as possible; on some 
motherboards, the USB ports around the case are not all equal; some are 
multiplexed via an extra internal (on-chip) hub while some aren't.  The 
fewer hubs between the core chipset and the adapter, the better
  c) find a way to guarantee electrical and mechanical connection. 
Consider using LocTite(r) Blue or similar low-strength bonding agent on 
the USB port to secure against vibration and gravity.  (Also consider 
that you can never get all of it off, so don't plan on re-using that 
port for anything else later.)

  d) disable all USB power management related settings in the BIOS

-Adam


[pfSense] DNS secondary server on 2.3?

2016-04-28 Thread Adam Thompson
OK, I'm lost...  In v2.3, what service, and/or where in the GUI, should 
I go to make pfSense act as a slave (authoritative) DNS server?


On a related note, in Services / DNS Resolver / General Settings, what 
does "DNS Query Forwarding" do?
There's no description, so I assume if it's *not* set, unbound starts at 
the root servers, and if is *is* set, unbound tries my upstream ISP's 
servers first (based on the system global DNS settings)?


Thanks,
-Adam



[pfSense] IKEv2 with LDAP or RADIUS?

2015-10-27 Thread Adam Thompson
I just watched the last hangout that jimp did on Remote Access VPNs, and 
I'm wondering: is there no way to do user authentication against a 
back-end LDAP or RADIUS server when using IKEv2-EAP-MSCHAP2?

Thanks,
-Adam


Re: [pfSense] Access Point Recommendations?

2015-08-23 Thread Adam Thompson
Oh, god, not again...

Search the list archives from about a month ago.

The consensus was, roughly, that the Ubiquiti UniFi products were pretty good 
but had some quirks.
As I recall, everything else discussed was either:
-insanely expensive, or
-crap (or both), or
-only works well for one or two people on the list.

(Note that the UniFi controller does *not* need to be running 24x7, or ever 
again for that matter, for basic single AP setups.)

-Adam

On August 23, 2015 10:36:57 PM CDT, Volker Kuhlmann hid...@paradise.net.nz 
wrote:
Does anyone have any recommendations for a/ac models, AP only, as is
only radio, no router/switch stuff? Dumb is good, I use pfsense already
and don't need more complexity in closed-source buggy devices.
Single-RJ45 perfect, as soon as there are LAN and WAN ports the problems
start (like everyone thinking the only secure way to configure the AP is
over the wifi!).

Thanks,

Volker

-- 
Volker Kuhlmann is list0570 with the domain in header.
http://volker.top.geek.nz/ Please do not CC list postings to me.


Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?

2015-07-24 Thread Adam Thompson
I'm 95% sure the answer is "wait for the developers to fix those issues" 
and/or "become a developer and fix those issues" :-).


Configuration of lighttpd is controlled by the pfSense management 
framework, so once you discover the correct invocation, you could 
locally modify the PHP file that generates the configuration.


In theory, all you need to add to /var/etc/lighty-webConfigurator.conf 
would be


    ssl.cipher-list = "DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:AES128-SHA:DES-CBC3-SHA:DES-CBC3-MD5:RC4-SHA:RC4-MD5"

but you need to find where in the PHP framework that file gets written.  
I can't find it in under 60 seconds, so you're on your own there.


As to updating sshd, that's replacing a core piece of the system. I'm 
not even going to speculate how or what the impact would be.


-Adam


On 07/24/2015 03:51 PM, Ted Byers wrote:

I have checked our installation of our website (a classic protected LAN
with a DMZ formed by two pfsense machines serving as our inner and outer
firewall, and one machine in the DMZ and the rest behind the inner
firewall) using a PCI scanner.

The PCI scan identified two vulnerabilities WRT our pfsense machines.

First, the scanner complains that TLS1 is supported and we need to restrict
it to TLS1.2.  We modified the configuration of lighttpd to use TLS1.2, but
that did not make the complaint go away, so is there anything else that
uses TLS that we need to reconfigure to use only TLS1.2?
Second, it appears that ssh-server on pfsense is version 6.6 and it would
be good if we can upgrade that to 6.9 or better (well, if there is better -
the scan only complains the version if earlier than 6.9)

If we can fix these two things, a little over half of the complaints from
the scanner will be resolved.  I have spent a couple days using google,
trying to resolve these, but to no avail (compounded by the fact the signal
to noise ratio in my searches was abysmal).

Thanks

Ted



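For reference, here is what a hardened TLS block for lighttpd's HTTPS listener looks like, with the weak setting beside it. This is an added example, not text from the thread and not the configuration pfSense itself generates; the socket conditional, the certificate path and the `ssl.openssl.ssl-conf-cmd` line are assumptions (that directive only exists in lighttpd 1.4.48 and later, long after the 2015 build discussed here). The cipher list quoted in the message above still allows RC4 (prohibited for TLS by RFC 7465) and 3DES/MD5 suites, which is exactly what a PCI scanner flags, and it does nothing to stop a TLS 1.0 handshake. As noted in the reply, pfSense rewrites /var/etc/lighty-webConfigurator.conf, so a change like this only survives if it is made in the PHP that generates the file.

```conf
# Added example: hardened TLS settings for lighttpd's HTTPS listener.
# Not from the thread and not pfSense's generated config. Assumes
# lighttpd 1.4.x built against OpenSSL; port and cert path are placeholders.
$SERVER["socket"] == ":443" {
    ssl.engine  = "enable"
    ssl.pemfile = "/var/etc/cert.pem"   # assumed path; certificate + key, PEM

    # Weak: roughly what the list quoted in the message amounts to.
    # RC4 is prohibited in TLS (RFC 7465), the 3DES and MD5 suites are what
    # the scanner complains about, and a TLS 1.0 client can still use any
    # of them, so TLS 1.0 stays negotiable:
    # ssl.cipher-list = "DHE-RSA-AES256-SHA:AES256-SHA:DES-CBC3-SHA:RC4-SHA:RC4-MD5"

    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
    ssl.honor-cipher-order = "enable"            # server picks, not the client
    ssl.disable-client-renegotiation = "enable"

    # Hardened: forward-secret AEAD suites only. All of these are TLS 1.2
    # suites, so even a lighttpd build with no way to set a minimum protocol
    # version cannot complete a TLS 1.0 or 1.1 handshake with this list,
    # which is what the scanner is actually testing for.
    ssl.cipher-list = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256"

    # Explicit protocol floor on builds that support it (lighttpd >= 1.4.48).
    # Leave it out on older builds, which do not understand the directive.
    ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2")
}
```

To confirm the change took, test from another host rather than trusting the scanner's next run: `openssl s_client -connect firewall:443 -tls1 </dev/null` should end in a handshake failure, while the same command with `-tls1_2` should complete and report one of the GCM suites above. The sshd version banner the scanner objects to is a separate matter: it is part of the base system, and a banner check says nothing about whether the build is actually patched, so that finding can only be answered by the version in the pfSense release itself.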


Re: [pfSense] Access Point Recommendations?

2015-07-23 Thread Adam Thompson

On 2015-07-23 10:46 AM, Karl Fife wrote:
Your point about having a one-off solution is a great one. Installing 
a single UniFi AP would be unnecessarily complex.


The TP-Link TL-WA801nd is a BGN-only device.  Do you (or anyone) have 
a preferred stand-alone AC access point?


Not a recommendation at all, but stay away from EnGenius devices. OK 
hardware & good price, but (e.g.) my AP comes with an open DNS resolver 
that can't be disabled, and they don't seem to think it's a problem at 
all...


--
-Adam Thompson
 athom...@athompso.net
 +1 (204) 291-7950 - cell
 +1 (204) 489-6515 - fax



Re: [pfSense] SG-4860 vs. support pricing question

2015-07-21 Thread Adam Thompson



On 07/21/2015 09:37 AM, Jim Pingle wrote:

On 07/20/2015 07:09 PM, Adam Thompson wrote:

But I do have one issue/question/comment about the pricing of that bundle: 
there are still only 2 support incidents bundled.

It seems that if I bought two 4860s and tie-wrapped them to my own shelf, I’d 
wind up paying almost the same amount (maybe $75 more if I had to buy a new 
shelf) but would get 4 support incidents included with my purchase.

Good news! The wording on the page is wrong, it does come with four.
Both units can be registered individually.

We'll get that wording cleared up


Great!  Now I can recommend it.

Next question:  extended warranty, to wit: can I purchase an extended 
warranty on these units?


-Adam


[pfSense] Multiple IPsec Mobile phase1s?

2015-07-20 Thread Adam Thompson
If I’m using Mobile IPsec, how do I create a Phase 1 for IPv4 and then another 
Phase 1 for IPv6?  The “Create Phase 1” button on the Mobile Clients tab only 
exists when there is no Phase 1 entry for mobile clients, and it doesn’t seem 
to be possible to manually create a Phase 1 entry for mobile clients without 
clicking that button.


Help…






-- 
-Adam Thompson
 athom...@athompso.net

[pfSense] SG-4860 vs. support pricing question

2015-07-20 Thread Adam Thompson
I see the redundant SG-4860 bundle with shelf is now available on the pfSense 
store, and I also see that the 2440 and 4860 appear to be shipping now.  This 
is great! 


(I’m probably still waiting for the 2220, though, since it’s hard to justify 
anything else when I can’t get anything faster than DSL or Cable in this 
building.)


But I do have one issue/question/comment about the pricing of that bundle: 
there are still only 2 support incidents bundled.

It seems that if I bought two 4860s and tie-wrapped them to my own shelf, I’d 
wind up paying almost the same amount (maybe $75 more if I had to buy a new 
shelf) but would get 4 support incidents included with my purchase.


Also, the price for a 2-incident support pack is $399, but I can buy a SG-2220 
for only $299 and get the same # of support incidents.




Have I missed something?  Is this intentional?




-- 
-Adam Thompson
 athom...@athompso.net

Re: [pfSense] Multiple IPsec Mobile phase1s?

2015-07-20 Thread Adam Thompson
I figured out part of the answer to my own question:


Manually navigate to “https://pfsense/vpn_ipsec_phase1.php?mobile=true” to 
create Mobile IPsec phase 1 entries.




No idea what that breaks, yet.


-- 
-Adam Thompson
 athom...@athompso.net






From: Adam Thompson
Sent: Monday, July 20, 2015 17:08
To: pfSense support and discussion





If I’m using Mobile IPsec, how do I create a Phase 1 for IPv4 and then another 
Phase 1 for IPv6?  The “Create Phase 1” button on the Mobile Clients tab only 
exists when there is no Phase 1 entry for mobile clients, and it doesn’t seem 
to be possible to manually create a Phase 1 entry for mobile clients without 
clicking that button.


Help…






-- 
-Adam Thompson
 athom...@athompso.net

Re: [pfSense] odd issue with pfsense and juniper

2015-07-10 Thread Adam Thompson
My first instinct is to look at PVST+ interoperability issues because of the 
multi-vendor network, but we need a LOT more detail on the network topology to 
even make intelligent guesses.

You've essentially said "I've got this car, with four Goodyear tires, and my 
trailer makes a funny noise. FYI, my other car works fine. What's wrong?"

Start anyway by looking on the Cisco switches for spanning tree ports in 
ErrDisable state.  Read the switch logs, look for flapping or inconsistent 
ports.

Also, cross-posting is considered rude.  At least provide a link to the related 
discussion on the forum!

-Adam



On July 9, 2015 2:55:59 PM CDT, Tom Ryan tom0r...@gmail.com wrote:
all,

I posted this to the forums but haven't been able to resolve it yet.

Our setup is multiple cisco switches trunked together and a juniper
router.

We have private and public vlans and a pfsense box bridging the two
together in a transparent filtering bridge mode.

If a device is connected to a private vlan on the same switch that the
pfsense box is, everything works ok. If it is on another switch, it can
communicate with the pfsense box and other devices on any switch on the
private vlan but not pass the gateway (i.e. move it from private vlan x on
switch 1 (where it works) to private vlan x on switch 2 and it fails.)

This setup worked fine when the router was a cisco model.

It also works fine for the private vlan that is currently protected by a
sonicwall in transparent mode.

Any ideas?

Thanks


[pfSense] IKEv2 agile VPN from Win7/Win8 to pfSense 2.2.2

2015-06-17 Thread Adam Thompson
OK, I talked to Chris last week and he confirmed that using the built-in 
IKEv2 VPN client in Win7/win8 with pfSense is definitely possible.

He even knows of a few people who do it.
The StrongSwan documentation is OK, but I've tried to follow it... and 
no success.


The IKEv2 client itself, of course, is renowned for crummy diagnostics - 
you get one generic error, almost no matter what happens.  (Kind of 
reminds me of using ed(1).  Maybe Rob Pike works for MS now? grin)


I need to achieve zero-touch remote VPN users - I don't want to have to 
send them a file, install a certificate or CA on their device, configure 
their device, etc.  Put another way, I need to be able to use an 
arbitrary device, never before connected to my network, to establish a 
VPN connection from anywhere, by anyone.


So far, PPTP and IKEv2 (using EAP-MSCHAPv2) appear to be the only 
options, and while PPTP works fine, it's insecure.  (This isn't actually 
a problem for my use case, but since it's going away and certainly isn't 
getting any love in pfSense, I'm leaving it behind.)


IKEv2 just... never works.  I'm pretty darn sure (99.999%) my 
certificate meets the requirements.


Are there any tricks that aren't obvious?

Thanks,
-Adam Thompson
 athom...@athompso.net



Re: [pfSense] IKEv2 agile VPN from Win7/Win8 to pfSense 2.2.2

2015-06-17 Thread Adam Thompson
The issue with OpenVPN is merely that I have to prime each client system with 
both software and configuration file(s), which isn't always possible or 
feasible in my environment.
-Adam


On June 17, 2015 10:22:04 AM CDT, Ermal Luçi e...@pfsense.org wrote:
On Wed, Jun 17, 2015 at 4:40 PM, Steve Yates st...@teamits.com wrote:

 Jim Pingle wrote on Wed, Jun 17 2015 at 9:00 am:

  are with the certificate, either with generating the cert (missing the
  SAN, for example)

 I banged my head against Windows VPN for a bit before finding out
 it doesn't support wildcard certs...seems *.example.com doesn't match the
 hostname if the hostname doesn't have the * in it...

 OpenVPN requires a self-signed cert.


Can you report the issue with OpenVPN on self-signed cert?


 --

 Steve Yates
 ITS, Inc.



Re: [pfSense] Single IP - DMZ a single port

2015-06-06 Thread Adam Thompson
...this is what you wind up with normally, until/unless you create a rule 
explicitly allowing the DMZ host to talk to the LAN, so yes, it's definitely 
possible.
-Adam

On June 6, 2015 8:18:35 AM CDT, Marc R. Meshurle Jr. m...@katotech.com 
wrote:
Here's a question - I have a single IP with my ISP and want to take one
TCP port and send it to a DMZ for access from the public WAN and
internal LAN but the DMZ can't talk to the LAN, only the WAN port. Yes,
I know I can call my ISP and get another IP, but it is for limited use
and don't want to spend the extra cash for a limited use port value,
but the server needs to be in the DMZ.
Can I create a DMZ from a single IP on the WAN with a TCP Port being
sent to a DMZ?

Thanks!

Marc




Re: [pfSense] reverse proxy situation

2015-05-31 Thread Adam Thompson
Oh, shoot, that's a good point - I probably do need SNI support for SSL.  I may 
be able to get a wildcard cert, but that will be an issue one way or another.

Varnish doesn't support SSL at all, although I could theoretically do it with 
stunnel and a wildcard cert.
Squid does support SSL, but appears to require a wildcard cert.  
Squid3 *may* support SNI, can't tell.
Haproxy supports SNI; hopefully the pfSense package is new enough to include 
that.
Apache supports SNI, supposedly.

So I'm still left with a (overly, IMHO) large list.
I could also just port-forward TCP/{80,443} to a host behind the firewall and 
do everything there, too.

Argh, too many options, not enough clarity on which packages are supported vs. 
which ones are semi-orphaned.

-Adam

On May 30, 2015 11:12:01 PM CDT, Travis Hansen travisghan...@yahoo.com wrote:
If you're looking for a pure proxy frontend I'd stick with haproxy or
apache (I use haproxy).
haproxy provides load balancing and can do other things besides
strictly http(s) such as pure tcp and transparent proxy stuff.
Apache provides some things like mod_rewrite (I assume the pfsense
build comes with that) etc that aren't easily done with haproxy.
I could be wrong but if you're looking for SSL offloading (I ensure all
traffic goes over SSL) varnish and squid would be out of the
picture.

Travis Hansen
travisghan...@yahoo.com 


On Saturday, May 30, 2015 8:25 PM, Adam Thompson
athom...@athompso.net wrote:
   

I need to run a reverse proxy on a pfSense gateway - multiple websites,

one public IP, the usual reason.
However, I see there's a larger selection available than the last time
I 
looked.

It appears we now have:
* Apache w/mod_security-dev v0.43 / 0.22
* haproxy-1_5 v0.23
* haproxy-devel v0.24
* Proxy Server w/mod_security v0.1.7 / 0.22.999
* squid
* squid3
* varnish3

1. Have I missed any?
2. Are Apache w/mod_security-dev and Proxy Server w/mod_security 
essentially the same thing?
3. For relatively simple cases (straightforward hostname-to-internal-IP

mapping), is there any compelling reason to use one over another on 
pfSense 2.2 today?  FWIW, this firewall is relatively underpowered 
(PowerEdge 1750, dual 2.4GHz P4-era Xeons).

-- 
-Adam Thompson
  athom...@athompso.net
  +1 (204) 291-7950 - cell
  +1 (204) 489-6515 - fax

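The SNI question raised in the message above is what decides between the packages listed: with SNI-based selection, one public IP can front several HTTPS sites without a wildcard certificate. Below is an added example of the two ways haproxy does this, written in haproxy 1.5 syntax; it is not from the thread and not the configuration the pfSense haproxy package generates (the package writes its own file from the GUI settings, and this is the shape of what it produces). Hostnames, back-end addresses and the certificate directory are placeholders.

```conf
# Added example: multiplexing several HTTPS sites on one public IP by SNI.
# haproxy 1.5 syntax. Not from the thread and not the pfSense package's
# generated config; names, addresses and paths are placeholders.
global
    tune.ssl.default-dh-param 2048

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Option A: terminate TLS on the firewall. One certificate per site lives in
# the directory; haproxy picks the one matching the client's SNI, so no
# wildcard certificate is needed.
frontend https_in
    bind *:443 ssl crt /usr/local/etc/haproxy/certs/ no-sslv3
    http-request set-header X-Forwarded-Proto https
    use_backend www_example_com if { ssl_fc_sni -i www.example.com }
    use_backend app_example_net if { ssl_fc_sni -i app.example.net }
    # A name we do not serve must not fall through to another tenant's site.
    default_backend no_such_site

backend www_example_com
    server web1 10.0.1.10:80 check

backend app_example_net
    server app1 10.0.2.20:80 check

backend no_such_site
    http-request deny

# Option B: leave the certificates on the tenants' own servers and route the
# raw TLS stream on the SNI in the ClientHello. Use this OR option A on :443,
# not both; it is on 8443 here only so the file parses as a whole.
frontend https_passthrough
    mode tcp
    bind *:8443
    tcp-request inspect-delay 5s
    # Stop waiting as soon as a ClientHello (handshake type 1) has arrived.
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend tcp_www if { req.ssl_sni -i www.example.com }
    use_backend tcp_app if { req.ssl_sni -i app.example.net }
    # No default_backend: a connection for a name we do not serve is closed.

backend tcp_www
    mode tcp
    server web1 10.0.1.10:443

backend tcp_app
    mode tcp
    server app1 10.0.2.20:443
```

To check either option, connect with an explicit server name and look at which certificate comes back: `openssl s_client -connect <public-ip>:443 -servername app.example.net` should show app.example.net's certificate, and the same command with a name that is not configured should get the deny page (option A) or a closed connection (option B). Option A gives the firewall the plaintext, which is what the mod_security variants need; option B keeps the private keys off the firewall entirely, at the cost of the back ends seeing the proxy's address as the client.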

Re: [pfSense] reverse proxy situation

2015-05-31 Thread Adam Thompson
Reverse proxy.  Need to multiplex multiple publicly-accessible, secure, 
websites running on private IPs from a single public IP.
It *is* hard to write that both succinctly and unambiguously!
-Adam

On May 31, 2015 8:54:14 AM CDT, Espen Johansen pfse...@gmail.com wrote:
Actually, are you looking for a reverse proxy or a user proxy? I'm
confused after reading your mail a few times.

Brgds, Espen
On 31 May 2015 15:35, Espen Johansen pfse...@gmail.com wrote:

 Exclude varnish; it's primarily made for a frontend LB proxy.

 On Sun, 31 May 2015, 15:32 Adam Thompson athom...@athompso.net wrote:

 Oh, shoot, that's a good point - I probably do need SNI support for SSL.
 I may be able to get a wildcard cert, but that will be an issue one way or
 another.

 Varnish doesn't support SSL at all, although I could theoretically do it
 with stunnel and a wildcard cert.
 Squid does support SSL, but appears to require a wildcard cert.
 Squid3 *may* support SNI, can't tell.
 Haproxy supports SNI; hopefully the pfSense package is new enough to
 include that.
 Apache supports SNI, supposedly.

 So I'm still left with an (overly, IMHO) large list.
 I could also just port-forward TCP/{80,443} to a host behind the firewall
 and do everything there, too.

 Argh, too many options, not enough clarity on which packages are
 supported vs. which ones are semi-orphaned.

 -Adam


[pfSense] reverse proxy situation

2015-05-30 Thread Adam Thompson
I need to run a reverse proxy on a pfSense gateway - multiple websites, 
one public IP, the usual reason.
However, I see there's a larger selection available than the last time I 
looked.


It appears we now have:
* Apache w/mod_security-dev v0.43 / 0.22
* haproxy-1_5 v0.23
* haproxy-devel v0.24
* Proxy Server w/mod_security v0.1.7 / 0.22.999
* squid
* squid3
* varnish3

1. Have I missed any?
2. Are Apache w/mod_security-dev and Proxy Server w/mod_security 
essentially the same thing?
3. For relatively simple cases (straightforward hostname-to-internal-IP 
mapping), is there any compelling reason to use one over another on 
pfSense 2.2 today?  FWIW, this firewall is relatively underpowered 
(PowerEdge 1750, dual 2.4GHz P4-era Xeons).


--
-Adam Thompson
 athom...@athompso.net
 +1 (204) 291-7950 - cell
 +1 (204) 489-6515 - fax



[pfSense] Snort FATAL error

2015-05-30 Thread Adam Thompson

Whenever I try to start Snort, I see this in my system logs:

snort[23839]: FATAL ERROR: /usr/pbi/snort-i386/etc/snort/snort_51513_em0/snort.conf(414) = Value specified for memcap is out of bounds. Please specify an integer between 1 and 4095.


And, sure enough, snort fails to start.  This appears to be a mismatch 
between the GUI and the version of Snort installed - the GUI thinks the 
value needs to be converted from MB to bytes, whereas the Snort binary 
appears to want megabytes.  I think.  Turning AppID off makes the 
problem go away.


Am I doing something wrong, or is this a bug?

--
-Adam Thompson
 athom...@athompso.net
 +1 (204) 291-7950 - cell
 +1 (204) 489-6515 - fax

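A small checker for the failure mode described in this post, added here as an example and not part of the pfSense Snort package or of the original message: it scans a snort.conf for the AppID memcap value and reports whether it sits inside the 1..4095 range the error message quotes, or whether it looks like a megabyte figure that has already been multiplied out to bytes. The `preprocessor appid:` line layout and the sample fragment are assumptions constructed for this example.

```python
import re

# Bounds quoted verbatim in the FATAL ERROR from the post above.
MEMCAP_MIN = 1
MEMCAP_MAX = 4095
BYTES_PER_MB = 1024 * 1024

# Only the AppID preprocessor line is checked, because the post reports that
# disabling AppID makes the error go away.  The "preprocessor appid:" prefix
# and the option layout are assumptions for this example, not copied from a
# pfSense-generated snort.conf.
APPID_LINE_RE = re.compile(r"^\s*preprocessor\s+appid\s*:", re.IGNORECASE)
MEMCAP_RE = re.compile(r"\bmemcap\s+(\d+)\b")


def diagnose_memcap(value):
    """Classify one AppID memcap value against the 1..4095 (MB) bounds."""
    if MEMCAP_MIN <= value <= MEMCAP_MAX:
        return "ok"
    # An exact multiple of 1 MiB that lands back in range once divided down
    # is the signature of a GUI-side MB-to-bytes conversion that the
    # binary does not expect.
    if value % BYTES_PER_MB == 0 and MEMCAP_MIN <= value // BYTES_PER_MB <= MEMCAP_MAX:
        return "looks-like-bytes:%d" % (value // BYTES_PER_MB)
    return "out-of-bounds"


def check_appid_memcap(conf_text):
    """Return [(line_no, value, diagnosis)] for every AppID memcap found."""
    findings = []
    for line_no, line in enumerate(conf_text.splitlines(), start=1):
        if not APPID_LINE_RE.match(line):
            continue
        m = MEMCAP_RE.search(line)
        if m is None:
            continue
        value = int(m.group(1))
        findings.append((line_no, value, diagnose_memcap(value)))
    return findings


# Constructed sample fragment (not a real snort.conf): the first appid line
# carries 1 GiB written in bytes, which is what a GUI that multiplied
# megabytes by 1048576 would emit; the second is in range; the third is
# simply out of bounds.  The stream5 line is deliberately ignored because
# its memcap has different units and bounds.
SAMPLE_CONF = """\
# constructed fragment
preprocessor stream5_global: track_tcp yes, memcap 134217728
preprocessor appid: memcap 1073741824, app_detector_dir /usr/local/etc/snort/appid
preprocessor appid: memcap 1024, app_detector_dir /usr/local/etc/snort/appid
preprocessor appid: memcap 99999
"""

if __name__ == "__main__":
    for line_no, value, diag in check_appid_memcap(SAMPLE_CONF):
        print("line %d: memcap %d -> %s" % (line_no, value, diag))
```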


Re: [pfSense] pfSense Hardware Sizing Captive Portal Usage

2015-05-27 Thread Adam Thompson
More or less: if you can run pfSense at all, you won't run out of memory for 
state tables.
Captive portal does consume additional memory, but not large amounts.
For several hundred users behind a captive portal, I would err on the side of 
caution and use a system with at least 2GB of RAM, preferably 4GB.
The RAM requirement depends more on what else you have running inside pfSense 
than the # of users.
One user running bittorrent can potentially create tens of thousands of states, 
whereas one user browsing the web isn't likely to create more than 10 or 20 at 
a time (maybe a few hundred if you don't close states aggressively).
-Adam

On May 27, 2015 7:39:44 AM CDT, Emeric Jarnier / DSI 
emeric.jarn...@univ-smb.fr wrote:

Hello everyone,

I am looking ahead to deploy pfSense for a few hundred concurrent users
in a captive portal usage.

According to hardware requirements and sizing available on the internet,
it is possible to have some idea of some hardware configuration.
Problem is, we don't have many tips regarding 'states table' usage.
If some of you guys could give us some feedback regarding this aspect, we
would really appreciate your help!
Anything like a number of states per captive portal user session would be
great. It could help us to estimate our maximum number of simultaneous
users with a given amount of memory.

I did some tests in a lab and got over 2 000 open states for a captive
portal user but it cannot be as good as some real production numbers!

Thanks for your answers!

Regards,

Emeric Jarnier



Re: [pfSense] ipsec and routing

2015-04-24 Thread Adam Thompson

It's not a routing issue, it's a bug/mis-feature in FreeBSD's IPSec stack.
See 
https://doc.pfsense.org/index.php/Why_can%27t_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN 
for more info.

-Adam




On 04/24/2015 09:37 AM, Gregory K Shenaut wrote:

I have two pfSense boxes connected via an IPSEC tunnel.

I'm confused about whether a route gets added automatically to the remote 
network end of an IPSEC tunnel when the tunnel comes up. I was under the 
impression that there was no need to be concerned with routing between the two 
subnets within the pfSense boxes, that they would “know” about a remote subnet 
and route to it automatically.

However, currently the tunnel can be up, hosts in either remote subnet can ping 
each other, but the pfSense boxes themselves can't ping hosts in the remote 
subnet, including the LAN address of the other pfSense host to which they are 
connected.

And if I do add a static route, what should I use as the gateway? Devices in 
the local subnet just use the LAN address as the gateway, but that doesn't seem 
appropriate for the pfSense box. The tunnel goes out over the WAN address, but 
using that as the pfsense box's gateway to the remote subnet doesn't seem right 
either.

While in this anomalous state, if I look at the IPSEC status, I see the correct 
networks in Local subnets and Remote subnets in both boxes. Both boxes have 
only a “pass all ipv4” firewall rule for IPSEC. If I look at the routing 
tables, there is no route to the remote subnet.

I also have dead peer detection enabled, which if I understand it correctly, 
requires that the other side's LAN address be pingable.

What could cause this situation, and what is the solution?

Thanks for any suggestions.

Greg Shenaut

[pfSense] updating testing packages?

2015-04-18 Thread Adam Thompson

I need to test some of the recent fixes to the OpenBGPd package.
Other than manually applying the diff(s) to the currently-installed 
files, how would I go about generating the package and installing it on 
my system?
Also, what's the process for submitting changes to packages?  Just do a 
pull request on the github project?


--
-Adam Thompson
 athom...@athompso.net



[pfSense] pf(4) relative performance: opinions?

2015-04-11 Thread Adam Thompson
I know a lot of performance work has gone into both FreeBSD and pfSense, 
but I haven't tested the limits in a long time, so I'm asking...


I'm running a pair of firewalls, each with dual Xeon L5520 cpus (4c/8t, 
2.26GHz, 8M L2), 48GB triple-channel RAM, where all networking occurs on 
carp(4) interfaces on top of vlan(4) interfaces on top of trunk(4) on 
top of dual onboard em(4) (Intel 82576). (These are Dell C6100 XS23-TY3 
blades, if anyone cares...)


The question is: would pfSense give me better routing performance than 
OpenBSD on these systems?


Currently these firewalls run OpenBSD, because I needed simultaneous BGP 
and OSPF, which pfSense [still/once-again] can't do.
I no longer need to run an IGP at that location, so switching to pfSense 
is now an option.


OpenBSD's pf(4) engine is still single-threaded, and so are the 
interrupt handlers, so despite CPU and RAM that would normally be 
massive overkill, these systems max out at just over 105k-searches per 
second, which translates to somewhere between 100kpps-200kpps 
bidirectional.  (I found this out the hard way when someone behind that 
router decided to scan the entire internet.)  Beyond that, they start 
dropping packets.  Gracefully, as pf(4) handles queue congestion, but 
dropped nonetheless.


The OpenBSD team claims that their pf(4) implementation is highly 
optimized, much more so than it was when FreeBSD imported it.  On the 
other hand, I'm given to understand that FreeBSD's, or at least 
pfSense's pf(4) implementation is now multi-threaded, which should 
theoretically allow scaling further where OpenBSD simply pegs one core.


If I have to, I'll probably just convert one and try to stress-test it.  
Scanning the entire IPv4 internet should be an adequate stress test :-/.


Comparison data?  *Educated* guesses?  Thoughts?  Although it's 
pointless to ask, please try to keep baseless fanboi-type opinions to 
yourselves.  I'm already a fan of pfSense, and I've explained above why 
I couldn't use it here.


Thanks,

-Adam

--
-Adam Thompson
 athom...@athompso.net



[pfSense] NTP failure in 2.2.1?

2015-04-08 Thread Adam Thompson
I'm running 2.2.1-RELEASE (i386) in a new install, and everything's 
working great so far (or as great as the FUBAR layer 2 lets it work...) 
except for NTP.


No matter what NTP server I pick, it sits in .INIT. state forever.
Stopping ntpd and using ntpdate on the command-line produces - surprise 
- a timeout.

Yet NTP from *behind* the firewall works fine.

Anyone else seeing this problem?  Any ideas?

-Adam Thompson
 athom...@athompso.net



Re: [pfSense] Running as a VM, multiple WAN subnets

2015-03-02 Thread Adam Thompson
So if you don't wind up using them for CARP, use them for something else.  Get 
a smaller subnet from your provider and give back the original subnet.
If you have multiple subnets, the provider-facing one should not be used for 
published services; in fact those addresses don't even have to be public IPs!
-Adam

On March 2, 2015 7:32:06 PM CST, Steve Yates st...@teamits.com wrote:

  Using CARP implies that you care about reliability during edge cases
and partial failures.  If so, then you need to do it right and use 3
IPs where you want 1 carp.

I hear you. I guess part of me just dislikes the possibility of
wasting 12 or 18 IPs (6 per subnet) a few years down the road, and
yet getting a block of 128 that might never get used is possible
also...  Just wanted to make sure I wasn't missing something. 

Steve

Re: [pfSense] Running as a VM, multiple WAN subnets

2015-03-02 Thread Adam Thompson
Steve,
Unless you want to impose significant limitations on yourself, you will need a 
total of 3 IPs for every CARP interface.
I've run systems with single-IP CARP, and unless you have absolutely no choice, 
it's not worth the headache.
The unanswered question is how your provider will do routing, and how you 
expect to accomplish this scenario without NAT.
It's too early in the morning for me to figure out your topology right now...
-Adam

On March 2, 2015 1:05:07 AM CST, Steve Yates st...@teamits.com wrote:
Chris L wrote on Fri, Feb 27 2015 at 3:34 pm:

 On Feb 27, 2015, at 12:37 PM, Steve Yates wrote:

 Chris L wrote on Fri, Feb 27 2015 at 12:10 pm:

 Hopefully the provider can just route the additional subnet to your
 existing WAN IP.  Then you don't need to do anything with CARP/HA
 except make sure primary and secondary are both set up to deal with
 the routed traffic.

 Would that require three LAN side public IPs for the two firewalls out
 of that second subnet also?

 It depends on what you want to do with them.

 If pfSense just routes them to another IP address, then no.  You only
 need 3 IPs when you have to create a pfSense interface with HA.


   It's been a long weekend and I'm missing something that's probably
obvious... the scenario is: no NAT, multiple public IPs in use on the
LAN side from two different subnets, and pfSense acting as a firewall.
Subnet 1 would need a shared CARP IP and officially two others for WAN
on both firewalls (but see below) and the same thing duplicated on the
LAN side.  The servers on subnet 1 would use the CARP LAN IP from
subnet 1 as their gateway.

   If subnet 2 is routed by the data center to subnet 1's CARP IP, then
the way I read the docs it will get to pfSense if I set up an Other
virtual IP type, correct?  Does pfSense then need to use a public IP
Alias from subnet 2 on its LAN side CARP interface to be the gateway
for subnet 2?  Or if I read the IP Alias section a few more times, does
it mean that it would still need the three public IPs for three LAN
side aliases (aliases on the two interfaces plus a third alias for the
CARP LAN interface)?

   I found this forum thread which points out that, as you suggested in
another message, using three public IPs on the WAN side (and hopefully
the LAN side) is apparently not required in v2.2.
https://forum.pfsense.org/index.php?topic=87546.0

   However I found another post which says in part, "Without valid IPs on
both, the secondary will not be able to independently check for updates
or install packages. There would also be no way to directly manage the
secondary from a remote location. It couldn't do DNS resolution to a
remote DNS server, or even sync its clock to a remote time server."
https://forum.pfsense.org/index.php?topic=73584.msg404834#msg404834

...So those are good points.  However does that mean only the second
firewall would need a WAN side public IP? (presumably the master would
use the CARP WAN IP for its communication, while it is online).
Regarding remote management, my tentative plan was to VPN to the CARP
IP to access the firewalls from the LAN side.

--

Steve Yates
ITS, Inc.

Re: [pfSense] hi every body

2015-01-27 Thread Adam Thompson
pfSense can do that, 600 users is OK.  Up to 1gbps is OK on almost any 
server-grade hardware.

VPN is built in.
IDS/IPS requires installation and configuration of the Snort add-on package.
Firewall is built in.
Monitoring and logging are built in, but may or may not meet your needs.  
pfSense can send data to other, more sophisticated monitoring/logging software 
if needed.
-Adam

On January 27, 2015 5:48:31 AM CST, mohsen Abbaspour 
mohsen.abbaspour2...@gmail.com wrote:
Hi everybody,

I want to use pfSense in a large-scale network.

These services are my favourites to use in the network and I need them:

VPN, IDPS, Firewall, Monitoring and log traffic

I don't know the possible problems about using pfSense on a large-scale
network.

There are 600 users on my network.


Re: [pfSense] polling pfsense status for a combined dashboard

2015-01-27 Thread Adam Thompson
SNMP support exists, although not everything is available that way.
Otherwise the doc wiki has a page on authenticating automated web requests - 
RTFM.
-Adam

On January 27, 2015 10:55:00 AM CST, Wolf Noble w...@wolfspyre.com wrote:
I'm sure this has been asked, but I've not found anything in the few 
minutes I poked around on the forums/google.

I'm looking to pull some metrics from my pfSense firewall to display on
a dashboard. I was wondering what my options are for API-esque access, 
or curl-able graph images with authentication handled by a token 
conveyed via a header.

What are others doing?

Re: [pfSense] polling pfsense status for a combined dashboard

2015-01-27 Thread Adam Thompson

On 2015-01-27 11:22 AM, Wolf Noble wrote:

Hi Adam,

Thanks for the response.  Yeah, I know about SNMP. It's a route I 
might go, but wanted to see what else was available.


Strangely enough, I did actually look on the docs site before posting, 
but I didn't find the page you referenced. That's why I posted here. 
Would you mind terribly posting a link to the page you mention?


When I searched the docs site, I looked for 'api', then 'curl', and 
then 'header'; but didn't find any relevant results. The closest I 
found was 
https://doc.pfsense.org/index.php/Limiting_access_to_web_interface ; 
but that's not really relevant.


My apologies, I can't find it now, either.  WTF... I *know* that page 
used to exist.  Looks like jimp is doing most of the wiki updates, 
perhaps he'll remember what happened to it.


The only thing I can find that covers it is this: 
https://doc.pfsense.org/index.php/Remote_Config_Backup


--
-Adam Thompson
 athom...@athompso.net


[pfSense] VFA VPN throughput?

2015-01-20 Thread Adam Thompson

Jim/other:

Do you have any guidelines for sizing VPN throughput when using the 
pfSense Certified VFA ?


--
-Adam Thompson
 athom...@athompso.net



Re: [pfSense] 4 Byte ASN

2015-01-08 Thread Adam Thompson
OpenBGPd works quite well with CARP interfaces, actually... My primary 
commercial IPv4 transit uses exactly that.
But that functionality might need a newer version of OpenBGPd than we have 
right now... The package is getting a little long in the tooth.
-Adam

On January 8, 2015 9:23:10 AM CST, Seth Mos seth@dds.nl wrote:
Bryant Zimmerman wrote on 8-1-2015 at 15:28:
 We are working on getting our own ASN with ARIN so we can get our own
 blocks of address.
 We are doing this because we are using multiple ISP's and want to
 announce our own addresses, for better fail over.

It's so much nicer than multi-wan, I don't regret it in the least.

 We are currently using pfSense boxes with CARP at both our locations.
 Will the open BGP package available for pfSense work correctly with
 - 4 Byte ASN's?

Yes

 - Does carp function correctly with Open BGP for fail over?

You do not want to use CARP with BGP in any situation. Each node
needs its own session with the remote BGP peer. You need to use iBGP
between the nodes instead.

Regards,

Seth



Re: [pfSense] 4 Byte ASN

2015-01-08 Thread Adam Thompson

On 15-01-08 10:02 AM, Seth Mos wrote:
To clarify this a bit better. You speak BGP to your ISP from each 
pfSense node and generally use CARP as the router address on the 
internal side. You still need to exchange routes between both pfSense 
nodes. The moment CARP fails over you drop your BGP session anyhow, so 
both pfSense nodes need the routing tables (Unless you use default only). 


Uh...

https://doc.pfsense.org/index.php/OpenBGPD_package

says it better than I can.  Note that there have been a ton of bug-fixes 
relating to set nexthop and CARP in the last year or so, which don't 
appear to have made it into the FreeBSD port yet.


I run a pair of BGP routers using CARP to an upstream peer who only 
wants to configure a single IP address and a single session.  Works OK 
in practice under OpenBSD, not sure how well the pfSense package 
(FreeBSD port) handles it.


--
-Adam Thompson
 athom...@athompso.net



[pfSense] BGP in 2.2

2014-12-12 Thread Adam Thompson
First, can anyone tell me what OpenBGPD package v0.9.3 is based on? I'd 
like to switch a pair of routers from OpenBSD to pfSense, but I need 
some recent fixes in OpenBGPD that only made it in for OpenBSD 
5.5-RELEASE.  Looking at the GIT repo doesn't answer my question in any 
obvious way.
Wait, I take that back... pkg_config.8.xml.amd64 shows a version# in the 
package filename of 5.2.
How do I get that updated?  There's been a lot of work done recently, in 
the 5.4-5.5 timeframe including some critical bugfixes when using CARP.


Second, I clearly remember that in the 2.0 days, we were moving away 
from OpenBGPD to (IIRC) quagga/zebra... but OpenBGPD is the only BGP 
implementation I'm seeing now.  What happened there?


Third, is there still no way to run BGP and OSPF on the same system??

--
-Adam Thompson
 athom...@athompso.net

___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] Gold hangout - what time?

2014-11-25 Thread Adam Thompson

On 14-11-25 10:14 AM, Espen Johansen wrote:


https://blog.pfsense.org

On 25 Nov 2014 17:11, Adam Thompson athom...@athompso.net wrote:


I'm looking, but I can't find anywhere what *time* the Gold
hangout is going to be (or was...) today.  Anyone know?



Thanks.  I was expecting the time to be shown somewhere in the portal, 
like maybe along with the joining instructions or the date... *grumble* 
too many communications channels.


--
-Adam Thompson
 athom...@athompso.net


Re: [pfSense] terrible performance on NFS CIFS

2014-11-07 Thread Adam Thompson

On 14-11-07 04:58 PM, Paul Heinlein wrote:
I know you said that the CPU runs at ca. 5% load, but personally I'd 
be unsure of a P-III-class machine at LAN speeds. What bus connection 
do the NICs use? PCI? EISA? A 32-bit PCI bus operating at 33 MHz has a 
theoretical maximum bandwidth of 133 Mb/s, and the 64-bit expansion 
did little to improve that in any practical way. Plus, pre-MSI PCI 
devices notoriously shared interrupts, slowing down device-to-device 
transfers. (And just to be cranky, I'll ask if any of the NICs are in 
shared PCI/ISA slots, which would squeeze performance even further.)

Dual P-III 1.1GHz is adequate.  The 32-bit PCI bus has a theoretical max 
of 133 MBytes/sec, not 133 Mbits/sec, which is substantially faster than 
gigabit.  The PCI-X standard extended it to 66MHz @ 64bits, quadrupling 
the theoretical max to ~533MBytes/sec, more than adequate for the 
dual-port, MSI-capable PCI-X ethernet card in there right now.


Have you tested that hardware in a routing capacity with non-pfSense 
software?

I've tested that machine with that pfSense software - the performance 
hit only occurs in one direction.



Does the pfSense box have good DNS service?

Yes.  Redundant resolvers are directly attached to pfSense's WAN subnet.


Is the cabling flaky?

No.  As I've said several times, the performance hit only occurs in this 
specific configuration.  Performance is perfectly fine for NAT'd SSH and 
HTTP sessions initiated from the LAN side.


It's not a NIC or cabling issue, for an additional reason: every routing 
interface on the pfSense box is a VLAN on an LACP trunk.  If it were a 
cabling or NIC issue, *all* traffic would by definition be affected, 
including downloads initiated from the LAN side.



Is the pfSense box routing between subnets or just bridging? If the 
former, what's there when pfSense is not in the middle? Another 
router? Just a switch?

Routing, since it does NAT.  When pfSense is not in-circuit (as 
described), I'm doing one of two things: moving the client (and/or 
server) to another VLAN off the primary router, and/or moving the client 
and server together onto the same subnet.


My own testing has demonstrated quite clearly that the massive 
performance hit only occurs on TCP sessions going *inbound* from the WAN 
to the LAN (relative to pfSense's view of the world).


For now, I've simply moved the server semi-permanently; this was an 
unusual and temporary configuration to begin with.


--
-Adam Thompson
 athom...@athompso.net



Re: [pfSense] terrible performance on NFS CIFS

2014-11-06 Thread Adam Thompson
Well, that would definitely cause a problem if it were the case, but...
1) TCP window size != MTU,
2) all switches and Router (but not pfSense) can both handle 9000-byte frames 
anyway,
3) MTU on server and client are both standard, at 1514,
4) I can confirm no fragmentation is occurring.

Still don't know why performance is so bad, though.

-Adam


On November 6, 2014 4:58:35 PM CST, Sean m...@thegeekclub.net wrote:
Not a TCP expert but the MTU is nearly always 1500 (or just under) hence
your limit.  Sending packets greater than the MTU will lead to
fragmentation.  Fragmentation leads to re-transmissions (depends on do
not fragment bit?) and performance problems.  Performance problems lead to
frustration and anger.  Anger leads to the dark side of the force.

You can increase the MTU to like 9000 or something if you enable jumbo
frames but you'd need to support it across the board (pfSense, routers,
switches?, servers, etc.).  It's a hassle probably not worth the effort in
terms of gains.  Some people do it as a means to increase iSCSI traffic
performance but others say the throughput gain is dubious at best.  I would
make sure some doofus didn't enable jumbo frames on your NFS server and if
so then turn it off and check the MTU setting in the network stack on the
NFS server as well.

I may not know what the hell I'm talking about though so someone else can
feel free to jump in and tell me what an idiot I am.



On Wed, Nov 5, 2014 at 6:47 PM, Adam Thompson athom...@athompso.net
wrote:

 Problem: really, really bad performance (10Mbps) on both NFS (both tcp
 and udp) and CIFS through pfSense.

 Proximate cause: running a packet capture on the Client shows one smoking
 gun - the TCP window size on packets sent from the client is always ~1444
 bytes.  Packets arriving from the server show a TCP window size of ~32k.


 The Network:
          +--------+
          | Router |
          +---+----+
              |
       --+----+----+--
         |         |
     +---+----+  +---+-----+
     | Client |  | pfSense |
     +--------+  +----+----+
                      |
                 --+--+--
                   |
              +----+---+
              | Server |
              +--------+

 - Client and pfSense both have Router as default gateway.
 - pfSense has custom outbound NAT rules preventing NAT between Server
 subnet and Client subnet, but NAT'ing all other outbound connections.
 - Router has static route pointing to Server subnet via pfSense.

 Hardware:
 Router is an OpenBSD system (a CARP cluster, actually) running on
 silly-overpowered hardware.
 Client is actually multiple systems, ranging from laptops to high-end
 servers.
 Server is a Xeon E3-1230v3 running Linux, exporting a filesystem via
 both NFS (v2, v3 & v4) and CIFS (samba).
 pfSense is v2.1.5 (i386) on a dual P-III 1.1GHz, CPU usage typically
 peaks at around 5%.


 Performance on local Server subnet (i.e. from a same-subnet client) is
 very good on all protocols, nearly saturating the gigabit link.
 Traffic outbound from the server subnet to the internet (via Router) moves
 at a decent pace, this firewall can typically handle ~400Mbps without any
 trouble, IIRC synthetic benchmarks previously showed it can peak at over
 800Mbps.

 Based on the FUBAR TCP window sizes I've observed, I assume pfSense is
 doing something to my TCP connections... but why are only the non-NAT'd
 connections affected?  I know there's an option to disable pf scrub, but
 that's only supposed to affect NFSv3 (AFAIK), and this also affects
 NFSv4-over-TCP and CIFS.

 --
 -Adam Thompson
  athom...@athompso.net

 ___
 List mailing list
 List@lists.pfsense.org
 https://lists.pfsense.org/mailman/listinfo/list






-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
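
The window-size measurement behind the problem statement above, as an added example (not code from the thread): it summarises the advertised TCP receive window per direction from raw segment headers, applying the window-scale shift negotiated on the SYNs. The segments, ports and shift values below are constructed sample data.

```python
"""Per-direction TCP receive-window summary from raw segment headers.

Added example, not code from the thread. It reproduces the measurement
behind the observation above (client window stuck around one MSS while the
server advertises ~32k), with the caveat a practitioner needs: the window
field is scaled by the shift negotiated on the SYNs (RFC 7323), and only if
BOTH sides sent the option. The segments below are constructed; with a real
capture you would feed in each packet's TCP header bytes and its direction.
"""
import struct

SYN, ACK, PSH = 0x02, 0x10, 0x08


def parse_tcp_header(raw):
    """Decode the fixed TCP header plus the window-scale option, if present."""
    sport, dport, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", raw[:16])
    header_len = (off_flags >> 12) * 4
    options = raw[20:header_len]
    wscale = None
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:            # End of option list
            break
        if kind == 1:            # NOP padding
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            break                # truncated or malformed option
        length = options[i + 1]
        if kind == 3 and length == 3:
            wscale = options[i + 2]
        i += length
    return {"sport": sport, "dport": dport, "syn": bool(off_flags & SYN),
            "window": window, "wscale": wscale}


def window_summary(segments):
    """segments: iterable of (direction, header_bytes). Returns, per direction,
    the scale shift in effect and the min/max effective window advertised on
    non-SYN segments (the SYN's own window field is never scaled)."""
    parsed = [(d, parse_tcp_header(raw)) for d, raw in segments]
    syn_shift = {d: h["wscale"] for d, h in parsed if h["syn"]}
    # Scaling is only in effect when both SYNs carried the option.
    scaling_on = len(syn_shift) == 2 and None not in syn_shift.values()
    stats = {}
    for d, h in parsed:
        st = stats.setdefault(d, {"saw_syn": d in syn_shift, "shift": 0,
                                  "min": None, "max": None})
        if h["syn"]:
            continue
        st["shift"] = syn_shift.get(d, 0) if scaling_on else 0
        effective = h["window"] << st["shift"]
        st["min"] = effective if st["min"] is None else min(st["min"], effective)
        st["max"] = effective if st["max"] is None else max(st["max"], effective)
    return stats


def diagnose(stats, mss=1460):
    """One finding per direction: a window that never reaches 2*MSS means the
    peer can keep at most about one segment in flight per round trip."""
    findings = {}
    for d, st in stats.items():
        if not st["saw_syn"]:
            findings[d] = "handshake not captured: raw window may be scaled by an unknown shift"
        elif st["max"] is not None and st["max"] < 2 * mss:
            findings[d] = f"effective window never exceeds {st['max']} bytes (< 2*MSS)"
        else:
            findings[d] = "ok"
    return findings


def build_tcp_header(sport, dport, flags, window, options=b""):
    """Build a 20-byte TCP header plus options (constructed test data only)."""
    assert len(options) % 4 == 0, "options must be padded to 32-bit words"
    data_offset = 5 + len(options) // 4
    fixed = struct.pack("!HHIIHH", sport, dport, 0, 0, (data_offset << 12) | flags, window)
    return fixed + b"\x00\x00\x00\x00" + options   # checksum + urgent pointer


# MSS 1460 + NOP + window scale shift 7, as both sides would send on their SYN.
SYN_OPTS = b"\x02\x04\x05\xb4\x01\x03\x03\x07"
C2S, S2C = "client->server", "server->client"
SAMPLE_FLOW = [
    (C2S, build_tcp_header(40123, 2049, SYN, 29200, SYN_OPTS)),
    (S2C, build_tcp_header(2049, 40123, SYN | ACK, 28960, SYN_OPTS)),
    (C2S, build_tcp_header(40123, 2049, ACK, 11)),         # 11 << 7 = 1408 bytes
    (S2C, build_tcp_header(2049, 40123, ACK | PSH, 256)),  # 256 << 7 = 32768 bytes
    (C2S, build_tcp_header(40123, 2049, ACK, 11)),
    (S2C, build_tcp_header(2049, 40123, ACK | PSH, 256)),
]

if __name__ == "__main__":
    summary = window_summary(SAMPLE_FLOW)
    for direction, finding in diagnose(summary).items():
        st = summary[direction]
        print(f"{direction}: shift={st['shift']} window {st['min']}..{st['max']} -> {finding}")
```

If the capture misses the handshake, the code reports that instead of guessing a shift, which is the first thing to rule out before blaming a middlebox for a small window.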

Re: [pfSense] terrible performance on NFS & CIFS

2014-11-06 Thread Adam Thompson
Ok, recap again...
- this affects multiple protocols, not just NFS.  I've now confirmed it affects 
SSH as well.
- this only occurs when the server is behind pfSense and the client is on the 
outside of the firewall.
- this problem does not occur in the other direction through pfSense (LAN-WAN).
- to repeat myself, NFS works fine at ~1gbps between the same client and server 
without pfSense in the middle.

Ergo, I conclude it's something pfSense-related.  Haven't had a chance to turn 
off scrub yet.
-Adam

On November 6, 2014 5:12:59 PM CST, Sean m...@thegeekclub.net wrote:
I strongly recommend not tinkering with your MTU setting and instead
correct the setting on the server side...

I think you should start reading here:
http://nfs.sourceforge.net/nfs-howto/ar01s05.html

Particularly this section:

 5.3. Overflow of Fragmented Packets

 Using an *rsize* or *wsize* larger than your network's MTU (often set to
 1500, in many networks) will cause IP packet fragmentation when using NFS
 over UDP. IP packet fragmentation and reassembly require a significant
 amount of CPU resource at both ends of a network connection. In addition,
 packet fragmentation also exposes your network traffic to greater
 unreliability, since a complete RPC request must be retransmitted if a UDP
 packet fragment is dropped for any reason. Any increase of RPC
 retransmissions, along with the possibility of increased timeouts, are the
 single worst impediment to performance for NFS over UDP.

 Packets may be dropped for many reasons. If your network topography is
 complex, fragment routes may differ, and may not all arrive at the Server
 for reassembly. NFS Server capacity may also be an issue, since the kernel
 has a limit of how many fragments it can buffer before it starts throwing
 away packets. With kernels that support the /proc filesystem, you can
 monitor the files /proc/sys/net/ipv4/ipfrag_high_thresh and
 /proc/sys/net/ipv4/ipfrag_low_thresh. Once the number of unprocessed,
 fragmented packets reaches the number specified by *ipfrag_high_thresh* (in
 bytes), the kernel will simply start throwing away fragmented packets until
 the number of incomplete packets reaches the number specified by
 *ipfrag_low_thresh*.

 Another counter to monitor is *IP: ReasmFails* in the file /proc/net/snmp;
 this is the number of fragment reassembly failures. If it goes up too
 quickly during heavy file activity, you may have a problem.

Since this is not an NFS support list I suggest you let this die here lest
you incur the spite of the moderators. ;-)



On Thu, Nov 6, 2014 at 4:58 PM, Sean m...@thegeekclub.net wrote:

 Not a TCP expert but the MTU is nearly always 1500 (or just under) hence
 your limit.  Sending packets greater than the MTU will lead to
 fragmentation.  Fragmentation leads to re-transmissions (depends on do not
 fragment bit?) and performance problems.  Performance problems leads to
 frustration and anger.  Anger leads to the dark side of the force.

 You can increase the MTU to like 9000 or something if you enable jumbo
 frames but you'd need to support it across the board (pfSense, routers,
 switches?, servers, etc.).  It's a hassle probably not worth the effort in
 terms of gains.  Some people do it as a means to increase iSCSI traffic
 performance but others say the throughput gain is dubious at best.  I would
 make sure some doofus didn't enable jumbo frames on your NFS server and if
 so then turn it off and check the MTU setting in the network stack on the
 NFS server as well.

 I may not know what the hell I'm talking about though so someone else can
 feel free to jump in and tell me what an idiot I am.



 On Wed, Nov 5, 2014 at 6:47 PM, Adam Thompson athom...@athompso.net
 wrote:

 Problem: really, really bad performance (10Mbps) on both NFS (both tcp
 and udp) and CIFS through pfSense.

 Proximate cause: running a packet capture on the Client shows one smoking
 gun - the TCP window size on packets sent from the client is always ~1444
 bytes.  Packets arriving from the server show a TCP window size of ~32k.


 The Network:
          +--------+
          | Router |
          +---+----+
              |
       ---+---+---+---
          |       |
     +----+---+  +---+-----+
     | Client |  | pfSense |
     +--------+  +----+----+
                      |
                ---+--+--
                   |
               +---+----+
               | Server |
               +--------+

 - Client and pfSense both have Router as default gateway.
 - pfSense has custom outbound NAT rules preventing NAT between Server
   subnet and Client subnet, but NAT'ing all other - outbound connections.
 - Router has static route pointing to Server subnet via pfSense.

 Hardware:
 Router is an OpenBSD system (a CARP cluster, actually) running on
 silly-overpowered hardware
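
The two checks the quoted NFS HOWTO section asks for, as an added example that is not part of Sean's post or of the HOWTO: how many IP fragments an NFS-over-UDP request of a given rsize/wsize needs at a given MTU, and whether IP ReasmFails in /proc/net/snmp is climbing between two samples. The /proc/net/snmp text and its counter values are constructed sample data.

```python
"""Fragmentation sanity checks for NFS over UDP.

Added example, not code from the thread or from the NFS HOWTO it quotes.
It does two things the quoted section recommends checking by hand:
  1. how many IP fragments an NFS request of `rsize`/`wsize` bytes needs
     at a given MTU (more than one fragment means a single lost fragment
     costs a whole RPC retransmission);
  2. whether IP reassembly failures (ReasmFails in /proc/net/snmp) are
     climbing between two samples.
The /proc/net/snmp text below is constructed sample data, so the script
runs offline; on a live Linux NFS server read the real file twice.
"""

IPV4_HEADER = 20   # bytes, no IP options
UDP_HEADER = 8     # bytes


def udp_fragments(rsize, mtu=1500):
    """Return how many IP fragments one `rsize`-byte NFS read/write needs
    over UDP at the given MTU. RPC/NFS headers add a few hundred bytes on
    top of `rsize`, so this is a lower bound."""
    # Fragment payloads must be multiples of 8 bytes (offset field unit).
    payload_per_fragment = (mtu - IPV4_HEADER) // 8 * 8
    datagram = UDP_HEADER + rsize
    return -(-datagram // payload_per_fragment)   # ceiling division


def parse_proc_net_snmp(text):
    """Parse /proc/net/snmp: lines come in pairs, 'Proto: names' then
    'Proto: values'. Returns {proto: {counter: int}}."""
    stats = {}
    lines = [line for line in text.splitlines() if line.strip()]
    for header, values in zip(lines[0::2], lines[1::2]):
        proto, names = header.split(":", 1)
        proto_v, vals = values.split(":", 1)
        if proto != proto_v:
            raise ValueError(f"mismatched lines for {proto!r} and {proto_v!r}")
        stats[proto] = dict(zip(names.split(), (int(v) for v in vals.split())))
    return stats


def reassembly_failure_rate(before, after):
    """Reassembly failures per fragment received between two samples.
    The HOWTO's advice: if this climbs quickly under heavy file activity,
    fragments are being dropped (buffer limits, differing paths, ...)."""
    b, a = before["Ip"], after["Ip"]
    fragments = a["ReasmReqds"] - b["ReasmReqds"]
    failures = a["ReasmFails"] - b["ReasmFails"]
    if fragments <= 0:
        return 0.0
    return failures / fragments


def fragment_health(before, after, warn_rate=0.001):
    """Return (rate, verdict) for two /proc/net/snmp samples; `warn_rate`
    is an assumed threshold, tune it to what your network normally shows."""
    rate = reassembly_failure_rate(before, after)
    verdict = "reassembly failures climbing" if rate > warn_rate else "ok"
    return rate, verdict


# Constructed samples: one taken before and one after a heavy NFS transfer.
SNMP_BEFORE = """\
Ip: Forwarding DefaultTTL InReceives InHdrErrors InAddrErrors ForwDatagrams InUnknownProtos InDiscards InDelivers OutRequests OutDiscards OutNoRoutes ReasmTimeout ReasmReqds ReasmOKs ReasmFails FragOKs FragFails FragCreates
Ip: 1 64 48120 0 0 0 0 0 48100 39000 0 0 0 1200 200 2 0 0 0
Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors
Udp: 30010 3 0 25000 0 0
"""
SNMP_AFTER = """\
Ip: Forwarding DefaultTTL InReceives InHdrErrors InAddrErrors ForwDatagrams InUnknownProtos InDiscards InDelivers OutRequests OutDiscards OutNoRoutes ReasmTimeout ReasmReqds ReasmOKs ReasmFails FragOKs FragFails FragCreates
Ip: 1 64 61200 0 0 0 0 0 61140 50100 0 0 5 5200 860 37 0 0 0
Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors
Udp: 41870 3 0 34100 0 0
"""

if __name__ == "__main__":
    for size in (1024, 8192, 32768):
        print(f"rsize={size:>5}: {udp_fragments(size)} fragment(s) at MTU 1500")
    rate, verdict = fragment_health(parse_proc_net_snmp(SNMP_BEFORE),
                                    parse_proc_net_snmp(SNMP_AFTER))
    print(f"ReasmFails per fragment: {rate:.4%} -> {verdict}")
```
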

Re: [pfSense] pfsense h/w

2014-10-24 Thread Adam Thompson

[One public correction, nothing to do with Godwin's law!  -Adam]

On 14-10-23 08:36 PM, Jim Thompson wrote:

Not that UBNT is a paragon of openness, either,

“either”? Wow. Strike 2.
That wasn't a dig at you or ESF or NG - I was thinking of Brocade when I 
wrote that.  I could also use UBNT's competitor, MikroTik, as a good 
example of how to build decent products the wrong way, but Brocade was 
my target here.  You're a paragon of open-source stewardship in comparison!


--
-Adam Thompson
 athom...@athompso.net


Re: [pfSense] pfsense h/w

2014-10-23 Thread Adam Thompson
One nit: yes, I can sell something called pfSense, as that's the 
freely-downloadable software under a (IIRC) BSD license.
I can't sell something called NetGate.
I can't produce a derivative work and call it pfSense.  (This is a gray area, 
admittedly.)
But, at least here, I'm quite sure I can install pfSense on some random 
hardware and still call it pfSense.

Having said that, if there's a high-throughput hardware option that's fully 
supported and tested and optimized, I don't know why I would *sell* anything 
else.
I'll continue to install pfSense in VMs and on existing repurposed hardware, 
but that's an entirely different market segment anyway, and all I'm selling is 
my time.

-Adam

On October 23, 2014 11:06:42 AM CDT, Jim Thompson j...@netgate.com wrote:


 On Oct 23, 2014, at 5:18 AM, Zia Nayamuth zedestruc...@gmail.com wrote:
 
 Lots of suggestions on the hardware, but I see nobody mention anything
based around the new and much more powerful Avoton platform. The platform
is officially supported, and the pfSense store has hardware based on it
(looks to be the Supermicro 5018A-FTN4,

It is. The FW-7551 runs a two core version of the same SoC. 

The SoC in both is based on Rangeley, which is like Avoton, but more
Ethernets and a crypto core named QuickAssist. 

We have a line of similar hardware coming out early next year.   You
can see the beginnings of same on the Netgate site.  Don't stress about
the dev board pricing, it's far higher than production boards / systems
will be. 

This will be the hardware that pfSense is tested on, and released for. 
Other platforms will continue to work, but if you want to run the
solution that the pfSense team uses, develops for, and tests on, look
in the store. 

Before someone accuses (because this always comes up), we don't cripple
other solutions (witness the AES-NI acceleration available to all in
pfSense version 2.2), but we do polish things we sell.  When we decided
to sell the C2758 (5018A-FTN4), we made sure all the Ethernets worked
(this was released in 2.1.1) and did some tuning such that the platform
worked well using pfSense 2.1.x.

We don't release the tuning info, and, incredibly, a couple people a
month write in demanding it.

Anyway, the point is, the community is still free to run pfSense
software on a given platform, but, as was always true, YMMV with
platforms we don't support. 

Someone asked in the blog if we would be enabling the crypto part on
the Watchguard he had purchased on eBay. 

The answer is no.  Not only because the hardware is slower than a
software-only solution on a modern cpu, but also because SafeNet (the
company that made that part) no longer supports them, nor is the
technical documentation available.

And then there is the main reason:  We don't have infinite time and
other resources.

Also, while the end user can change things to enable or even optimize a
given platform choice, load additional packages, etc., nobody can
distribute the result and call it pfSense.  Simple trademark law
demands same. 

Anyway, the point is, things we don't sell aren't on developers desks,
and are not in the test rack, and thus, not exercised by the test
harness. 

Jim


Re: [pfSense] pfsense h/w

2014-10-23 Thread Adam Thompson

On 14-10-23 03:06 PM, Chris L wrote:

We don't release the tuning info, and, incredibly, a couple people a month 
write in demanding it.

Does this mean there’s a special, hardware-specific version of pfSense (or a 
package or ?) or is the tuning in the hardware itself?


AFAIK it's the same software (plus or minus some logo and CSS changes? 
not 100% sure...), but with different sysctl values precisely (in 
theory) matched to the hardware it's running on.  I would imagine they 
also ensure all the BIOS settings are set appropriately, IRQs are 
distributed appropriately, etc.


If you spent a few weeks testing the crap out of your own system, you'd 
be able to figure out the precise values that maximized throughput for 
your hardware, too.
Note that the precise values that work for any particular piece of 
hardware are unlikely to be precisely ideal for any other particular 
piece of hardware... so even copying exactly what Netgate provides on 
*their* system onto yours doesn't guarantee optimal performance.


Besides, given what Jim just said, do you really think he's going to 
answer your question? ;-)
The value-add is technically in the labour, but the secret sauce is 
knowing precisely where to direct that labour to maximize the value to 
his paying customers.

The rest of us get enough value from the software as it is.

--
-Adam Thompson
 athom...@athompso.net


Re: [pfSense] pfsense h/w

2014-10-23 Thread Adam Thompson

On 14-10-23 04:29 PM, Chris L wrote:

I’m not asking what the changes are - I’m asking if these boxes require a 
special version of pfSense for maximum performance.
I can't answer that with 100% certainty, but I believe the packaging is 
tweaked slightly.  Whether you call that a special version or not is 
up to you...  AFAIK the kernel is the same, and the pfSense layered code 
is the same.  Netgate may add *more* stuff on top of that, I'm not sure 
- I don't even own one right now.



If it’s just sysctl values then it’s not possible to keep it secret.  sysctl 
-a, sysctl -a, diff
Granted... my point stands, it's not the secrecy, it's the time taken to 
match the values to the hardware.  No two systems (models) are identical.



If it’s a custom kernel, etc, then I have to take waiting for netgate to issue 
patches into consideration.  Now and in the future.
Perhaps you've forgotten that Netgate/ESF is the pfSense project 
*sponsor* and that all/most (?) of the core developers work for 
Netgate/ESF?  I don't think you'll be waiting very long.  I wouldn't be 
at all surprised if the Netgate build gets updated first, in fact.  And 
I do *not* mean that they deliberately wait before releasing patches for 
the generic pfSense build, I just mean that I would expect the Netgate 
update to be available +/- 15 minutes compared to the generic pfSense 
update.



I get that Jim rubs a lot of people the wrong way (myself included), but 
I don't understand the vitriol and/or suspicion directed at Netgate, 
which, after all, is who's paying to keep pfSense free.


Jim: maybe the Netgate/ESF branding needs to get splashed all over 
pfSense, to drive home the point?  It may be unclear to newbies what the 
relationship between Netgate, ESF, and pfSense is.  Even I'm a little 
bit vague on the finer points.


--
-Adam Thompson
 athom...@athompso.net


Re: [pfSense] pfsense h/w

2014-10-23 Thread Adam Thompson
[Hmm... half of this doesn't need to be on-list.  Sorry if I'm 
polluting. -Adam]



On 14-10-23 05:57 PM, Jim Thompson wrote:

I get that Jim rubs a lot of people the wrong way (myself included),

Darn, you’d think that sharing a last name would count for something...

Sorry, no.  ;-)
Kind of in the same way Theo de Raadt rubs people the wrong way. Mostly 
just idiots & newbies take offense.  And it's mostly driven, I think, by 
having your lifetime supply of tolerance for people who speak first and 
think second be long-since exhausted.  So as long as you don't start 
saying incorrect or technically-invalid things, your audience sticks 
around.  See closing comments, below.



I think some people are waiting for “the other shoe to drop”.  For us to take 
the pfSense project in a direction similar to what happened with Vyatta.
Yeah... it's a possibility.  OTOH, I'll point out that UBNT essentially 
forked Vyatta (and renamed it EdgeOS, IIRC) when Brocade started to 
close it all up.  Not that UBNT is a paragon of openness, either, but 
that's the benefit of the appropriate license - everyone can feel free 
to copy (or fork!) pfSense from any of the multitude of places it lives 
online right now, and feel free to burn it to archival WORM media Just 
In Case Something Bad Happens To The Project.


As Jim pointed out, however, when you resurrect it (and somehow replace 
all the infrastructure and developers in one fell swoop, *ahem*), you 
can't call your new project pfSense.  You can have an FAQ entry 
explaining how it used to be pfSense, you can even leave the GIT, or 
SVN, or even SCCS repository up as-is with the pfSense name throughout 
it, but as soon as you create a derivative work: new project.



... pfSense is going closed source,
Technically, this could happen, but realistically, someone will probably 
fork it.  And that project will likely die out or remove itself from 
public participation, as these things tend to do.
For that matter, remember that pfSense is (sort of) a fork of m0n0wall 
from a decade ago in the first place.  For different reasons, but 
nonetheless.



  and Jim Thompson is actually a blood thirsty, extra-terrestrial, 
shapeshifting reptile.

Well, that explains a few things!  <grin>


Finally, I think there is still a segment of the community who views me with 
distrust because I put a license agreement and contributor agreement in front 
of access to the source code for the pfSense project.   We didn’t articulate 
the reasons for doing this very well, and the execution when we did it wasn’t … 
optimal.
I wasn't affected by that, and - AFAIK - neither were most of the people 
who whine and cadge about a commercial entity being involved.


I don't recall what the license used to be, but clearly the current one 
is a custom license that doesn't even attempt to follow the UCB/BSD 
license.  As long as ESF covered all their legal bases properly, they 
can do whatever the f*** they want with the license. I can see how old 
contributors might not like the new CLA, though. And I don't know of any 
project that has ever pivoted on a license change this way ... optimally.



Ugh…  were you around for the 2.1.5 release with the “Gold” menu 
front-and-center (and the resultant shitstorm)?
Long before that, yes, but I think I managed to skip the affected 
versions by accident, so I forgot all about it / never saw it myself.  
Since I've already renewed my gold subscription once by now, clearly I 
wasn't one of the shit-flingers in the shitstorm.  I like getting paid 
for my work, too!



(Or wonder in silence what it must be like to work in the same place as Jim 
Thompson.)
Can't be any worse than my last corporate job.  In fact, would probably 
be *much* better...  I don't have to like you to respect you or work 
with/for you.


--
-Adam Thompson
 athom...@athompso.net


Re: [pfSense] OT: Good network switch for 10 machines?

2014-09-23 Thread Adam Thompson
+1 for HP ProCurve, except for the stuff they inherited from 3Com...
I've also had reasonably good luck with Netgear and D-Link managed switches.
The Cisco SMB stuff seems OK hardware-wise, but the software is questionable.
Note that all three of these options come with lifetime, free, firmware updates.
-Adam

On September 23, 2014 12:56:00 PM CDT, Chris Bagnall pfse...@lists.minotaur.cc wrote:
On 23/9/14 6:46 pm, RB wrote:
 I'd suggest at least a managed switch that can do LACP.

This.

Given how small the price difference often is between unmanaged and 
semi-managed (aka 'smart') switches these days, it just doesn't make 
sense to buy unmanaged any more. You never know when things like VLANs,
LLDP and LACP might just come in handy, and even if you never use them,
a managed switch will also allow you to do other interesting things like 
graph per-port (and sometimes per-port-VLAN) usage, which can be useful
for detecting misbehaving network hardware elsewhere.

 I've
 had decent results with the Linksys/Cisco SMB switches and the ZyXel
 GS1900 range.

One of our clients uses the Zyxel switches to good effect. Their 24 port 
PoE versions are certainly competitively priced.

I tend to use HP where possible. At the lower cost end of the market, 
something like the 1810-24G (web managed) is a good bet, or move up to 
the 2510/2520 if you need more management functionality and/or a CLI. 
I've avoided the 1910 range; AIUI they're basically rebadged 3Com units
after the HP/3Com buyout.

Kind regards,

Chris
-- 
This email is made from 100% recycled electrons

Re: [pfSense] Adding Ethernetports

2014-09-19 Thread Adam Thompson
You don't have a pfSense problem at all, you have a VMware problem.
Suggest you visit any one of hundreds of VMware support forums or lists to find 
out how to manage virtual networks.
There are also a lot of old threads on the pfSense forum discussing this.
-Adam


On September 19, 2014 11:28:28 AM CDT, Brian Caouette bri...@dlois.com wrote:
Yes VM. I do not see the card listed there either. I do not understand 
VM and all the plugs and drivers. Can you point me in the right direction?

On 9/19/2014 11:17 AM, Paul Beriswill wrote:
 Your pfSense is running on a VM ... correct?

 Does vmware recognize the nic?  I know some versions of esx need 
 custom drivers for even some intel NIC's.

 Paul
 On 09/19/2014 09:31 AM, Brian Caouette wrote:
 [pfSense] Adding Ethernetports

 I added a dual port nic to my pfsense box and it doesn't show the
 additional ports.

 The new nic doesn't show anywhere. I am using a PowerEdge 2850 and an
 Intel Card. I am also using vmware on the machine.

 Any ideas what may be going on?


 -- 

 *Paul Beriswill*
 PDF Complete Inc | www.pdfcomplete.com
 550 Club Drive, Ste. 477 | Montgomery, TX 77316
 512.263.0868 x 707 direct | paul.berisw...@pdfcomplete.com




Re: [pfSense] Adding Ethernetports

2014-09-19 Thread Adam Thompson
There's also the unofficial VMware ESXi white-box HCL, but it hasn't really 
been updated since v4.x.
Agreed that if this is anything more than a test system, stick with the HCL and 
a support contract.  Been there, done that, have the scars to prove it ...
-Adam

On September 19, 2014 12:18:31 PM CDT, Paul Beriswill 
paul.berisw...@pdfcomplete.com wrote:
I have had mixed results trying to find support for hardware that is
not on the vmWare HCL and often spend way too much time hunting for
solutions.  You are much better off sticking with officially supported
hardware.

That being said, This link may have the drivers that you are looking
for ...
https://my.vmware.com/web/vmware/details?downloadGroup=DT-ESXI55-INTEL-IGB-42168&productId=353

Should probably take this to one of the vmware support groups.

Paul

On 09/19/2014 11:28 AM, Brian Caouette wrote:
Yes VM. I do not see the card listed there either. I do not understand
VM and all the plugs and drivers. Can you point me in the right
direction?

On 9/19/2014 11:17 AM, Paul Beriswill wrote:
Your pfSense is running on a VM ... correct?

Does vmware recognize the nic?  I know some versions of esx need custom
drivers for even some intel NIC's.

Paul
On 09/19/2014 09:31 AM, Brian Caouette wrote:

I added a dual port nic to my pfsense box and it doesn't show the
additional ports.

The new nic doesn't show anywhere. I am using a PowerEdge 2850 and an
Intel Card. I am also using vmware on the machine.

Any ideas what may be going on?

Re: [pfSense] Returned mail: Data format error

2014-09-08 Thread Adam Thompson
Yes, but not often.
-Adam

On September 8, 2014 7:45:10 AM CDT, Bob Gustafson bob...@rcn.com wrote:
Is anyone else on this list getting bounce notices?

On 09/08/2014 01:50 AM, Bounced mail wrote:
 The message was not delivered due to the following reason:

 Your message was not delivered because the destination computer was
 not reachable within the allowed queue period. The amount of time
 a message is queued before it is returned depends on local configura-
 tion parameters.

 Most likely there is a network problem that prevented delivery, but
 it is also possible that the computer is turned off, or does not
 have a mail system running right now.

 Your message was not delivered within 8 days:
 Mail server 33.208.96.171 is not responding.

 The following recipients could not receive this message:
 list@lists.pfsense.org

 Please reply to postmas...@lists.pfsense.org
 if you feel this message to be in error.



Re: [pfSense] Dual IP nets over one ethernet connector

2014-08-16 Thread Adam Thompson
Then don't use pfSense - that's simple.
Like I said in a previous email, feel free to do this with your choice of OS.
PfSense doesn't give you quite enough rope to do what you want.
-Adam

On August 16, 2014 11:09:20 PM CDT, Bob Gustafson bob...@rcn.com wrote:
I don't need the firewall features of pfsense in my application. The 
firewall is 'upstream' of the pfsense box - in the ISP furnished 
modem/router.

Please re-think your suggestions - with the pfsense firewall function 
out of the picture.

Bob G

On 08/16/2014 03:37 PM, Espen Johansen wrote:

 Nat traversal is trivial. Firewalling needs physical interfaces. Vlans 
 are possible but vlan jumping is also possible. Vlans to do different
 zones (lan/wan lan/dmz dmz/wan) is not something I recommend as vlan 
 jumping can be done in most environments. In short. Forget an idea 
 where you firewall with a single interface. Even if this is only to 
 play with at home. Just dont. A vanilla linux/bsd will let you shoot 
 yourself in the foot. So you can do it there. But there are no 
 firewalls that will allow this without 2 interfaces. Most require 2 
 physical, but some will allow for 2 or more vlans. Again, do not do it.

 On 16 Aug 2014 22:13, Adam Thompson athom...@athompso.net wrote:

 On 14-08-16 01:13 PM, Espen Johansen wrote:

 You would have to do a major code rewrite to get this done.  And
 it would be insecure and it would make no pf sense :-) this is
 network basics. You dont seem to understand some network
 fundamentals. Sorry but this is not doable without using vlans or
 2 physical interfaces.

 On 16 Aug 2014 20:06, Bob Gustafson bob...@rcn.com wrote:

 I'm interested in doing it all within the Alix using pfsense.
 A minimum hardware approach.

 Think of my WAN mentioned below as the LAN network created by
 the modem/router furnished by the ISP and the LAN mentioned
 below as devices also connected to the back end of the
 modem/router, but not accessible by the modem/router. Only by
 LAN/pfsense.

 Bob G

 I would like to pass WAN packets (192.168.1.0/24) and LAN packets
 (192.168.2.0/24) through the same connector.

 pfsense would provide the NAT and firewalling within the box.


 To clarify Espen's comments : yes, it is possible to run two
 subnets on the same wire.
 Any _router_ can route between two subnets on the same wire (or
 the same VLAN, same thing - technically the same broadcast domain).
 A _firewall_, however, will refuse to do so because it's
 nonsensical from a security perspective.
 So pfSense is a router, yes, but it is also a firewall, and in
 areas where those two roles conflict, the firewall role wins.
 As previously pointed out, you can't usefully use pf(4) in the
 circumstance you describe.
 It is technically possible, on some platforms, to perform NAT
 between the two subnets.  It would be possible, AFAIK, to manually
 craft a pf rule that does this; it is not possible to get the
 pfSense GUI to generate that rule. That's where the major code
 rewrite comes into play.

 I'm not aware of any firewall GUI that will let you do this - and
 for a good reason!  By hooking your LAN up directly to the WAN,
 you're effectively eliminating 99% of the security a firewall
 gives you.  (And, yes, it is possible to directly attack private
 IP addresses on most ISPs.)

 If you're determined to deploy this model, you'll have to run a
 bare OS that can route, i.e. Linux, OpenBSD, FreeBSD, etc. and
 configure the networking stack and NAT rules by hand.

 -- 
 -Adam Thompson
   athom...@athompso.net



Re: [pfSense] Change WAN interface address to new subnet

2014-08-07 Thread Adam Thompson

On 14-08-06 02:42 PM, Adam Williams wrote:

You've made two contradictory statements here:
1) you want to know how to *change* a WAN interface, but
2) We're moving it over from another firewall...

I've got two firewalls, F1 and F2, facing the public internet, each
hosting different public subnets, N1 and N2. There are computers
behind them which are dual homed - connected to both firewalls. I want
to make F2 host both N1 and N2, decommissioning F1. Then I'll
decommission N2. Since I want to decommission N2, I thought I should
make the WAN interface of F2 configured for N1.


Ouch... I'm sure I could create a more difficult setup to work with, but 
it would take some time and effort to do so!



Why do you need to do things one step at a time?  Again, that contradicts
#2, above.

I want to configure 87.54.0.34 (N1) on F2 before having the IP
addresses moved from F1, because of the acceptable downtime of...
about 60 seconds. Hopefully my following answers will clarify how I
think this can be done.

asdf

>> You also mention VRRP - pfSense doesn't do VRRP, it does CARP.  Is the VRRP
>> from the old firewall?
>
> It may be the uplink switches are making these VRRP advertisements. I
> realize I do not understand perfectly how the protocol is implemented,
> and assumed there was a relationship with CARP, though it's clear
> enough now that they are different tech solving similar problems. I
> suppose I need to read up on VRRP to understand why my F2 WAN address
> (50.31.0.14) is the SRC address of these advertisements.

If F2 is a pfSense firewall, then you have some much larger problem to 
solve before you worry about switching over to new firewalls.

> Once I have the configuration I want, I will be adding another pfSense
> firewall as a sync slave of F2.

I would strongly recommend starting with HA, not adding a HA peer 
later.  Adding HA later is much more likely to cause downtime; adding it 
right away means you'll catch all the problems immediately, (hopefully) 
before you put the new firewall into production.

> The switches our old VLANs operated on are being replaced. There were
> new VLANs created on the new switches, and the computers were made to
> be dual homed for a time so I could work through getting all the
> services running over the new switch VLANs/subnets. F2 is the firewall
> of the new switch VLANs/subnets. Now that the computers behind the
> firewalls are communicating over the new switches through F2, I'm
> ready to move the IP addresses of F1 over, as I've mentioned. The ONLY
> reason we need the old WAN on F2 at all is because outbound
> connections to third parties must come from addresses in the old WAN.
> That is happening today because the computers are still routing
> Internet-bound connections through F1.

Don't bother changing WAN, add a new interface (WAN2, let's say...) and 
configure it with the appropriate IP address and gateway(s), etc.
If I understand correctly, you're going to wind up with a dual-WAN 
setup, right?

> F1 must hold the N1 address until the last moment, since the computers
> are still routing Internet-bound connections through F1, and I do not
> believe I have the option of having F1 and F2 on the same uplink both
> claiming the N1 address.

That's correct; they'll be fighting over the IP address (unless they are 
a CARP pair, which doesn't sound likely).

> If I am able to put F2 in a position where it's nearly completely
> configured to host N1, such that I can have N1 moved to F2, change
> outbound NAT on F2 to use the address of N1, use N1 as the default
> gateway of F2, and immediately change the routing of the computers
> behind the firewall so that they make Internet-bound connections
> through F2, I'll be happy. If I have to move N1 to F2 before I can
> configure F2 this way, downtime will be longer.

Ugh.  You have set yourself a complex task; I would have simply 
preconfigured a new firewall (F2) exactly the same as the existing 
firewall (F1), and taken a 2-minute outage to swap firewalls.

You're almost sure to have more than 60 seconds of downtime anyway, 
since ARP data typically has a 5-minute lifetime.  If you can cause the 
new firewall to proactively overwrite each local host's ARP cache (e.g. 
by pinging each host from the firewall) then you can probably get that 
down quite a bit.


--
-Adam Thompson
 athom...@athompso.net

___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] Change WAN interface address to new subnet

2014-08-06 Thread Adam Thompson

You've made two contradictory statements here:
1) you want to know how to *change* a WAN interface, but
2) We're moving it over from another firewall...

Which is it?
Why do you need to do things one step at a time?  Again, that 
contradicts #2, above.

Also, how much downtime is acceptable?
You also mention VRRP - pfSense doesn't do VRRP, it does CARP.  Is the 
VRRP from the old firewall?  Are you in fact setting up redundant 
firewalls, or are you just using CARP as a convenient way to establish 
additional IP addresses?
If you're moving to a new firewall, why do you have it connected 
directly to the old WAN at all?


Right now, it sounds like you're worrying about trivial items (e.g. 
source IP addresses) without having a good big-picture grasp on the 
process first.  Who cares what source IP address gateway-monitoring ICMP 
packets or DNS packets come from?  I assume anything originating from 
the firewall will by default use the primary interface IP, but I don't 
know for sure - that stuff Just Works regardless of which IP address 
it originates from.


I'll stop here for now until you've addressed the contradiction.

-Adam



On 14-08-06 10:29 AM, Adam Williams wrote:

Hello!

I need to change the WAN interface address to one that is on another
subnet. I need to end up getting off the 50.31.0.0 network altogether,
ultimately, but need to do so one step at a time. However, I'm
concerned that I don't quite understand the implications of changing
the WAN primary IP address. I would very much appreciate any guidance
you might offer.

Suppose the following current configuration of IP addresses on the WAN
interface:

   WAN 50.31.0.14
   GW 50.31.0.1
   ALIAS 50.31.0.25
   CARP 50.31.0.71

* Gateway is monitored using SRC 50.31.0.14 ICMP
* DNS forwarding is configured, so SRC 50.31.0.14 UDP
* VRRP packets are SRC 50.31.0.14 TCP
* Clients are connecting to 50.31.0.71 (the CARP address)
* Outbound connections are masqueraded as 50.31.0.71 (the CARP address)

I want to begin the migration by changing the WAN interface address
to, say, 87.54.0.34. Here is what I imagine the configuration needs to
become:

   WAN 87.54.0.34
   GW2 87.54.0.29
   GW (default) 50.31.0.1
   ALIAS 50.31.0.25
   CARP 50.31.0.71

My first question would be, will this work? More specifically, what
will be the SRC IP address of the a) gateway monitoring, b) DNS, and
c) VRRP traffic?

The gateway monitoring traffic would have to choose the ALIAS address
for GW, and the WAN address for GW2; the routes to those subnets would
be used (a direct link). It seems the DNS traffic would end up with
SRC 87.54.0.34; the default gateway is not on the same subnet and
would therefore drop the packets. Would VRRP traffic for 50.31.0.71
choose the ALIAS address, since it's the only one on the subnet of the
CARP address?

However, perhaps complicating things, we do not yet have the subnet of
the new WAN IP address routing over our uplink. We're moving it over
from another firewall and want to preconfigure this firewall as much
as possible to host the new subnet, so that we might minimize downtime
for connections to 87.54.0.34. Therefore, we cannot yet receive
packets at 87.54.0.34; the gateway 87.54.0.29 is unreachable.

Will this plan work at all, or is the role of the WAN address so
critically important that we really cannot preconfigure it for a new
subnet like this?

Please let me know if this is not clear enough to help.

Thank you!



--
-Adam Thompson
 athom...@athompso.net
 Cell: +1 204 291-7950
 Fax: +1 204 489-6515



Re: [pfSense] How can this be done?

2014-07-31 Thread Adam Thompson

On 14-07-31 07:44 PM, Kenward Vaughan wrote:
In my quest to set up a computational lab at my school, the IT 
department has offered us the freedom to create this specialized lab 
as long as we aren't hooked up to the school's network--we are to be 
completely isolated.  They have no one to maintain it software-wise 
(we will be doing that), and (I believe) fear security breaches, etc, 
emanating from there.


They would allow us to go outside through the Wifi spots, though, as 
long as it is through the open (insecure) side.  There is an 
accessible secure (internal) network as well.


Is there a way to set up pfSense either on the internal server or a 
separate Internet side box to control outbound traffic by having it 
sign into that network then having the other machines have access?


I'm not any sort of network person (self-taught in Linux/computers in 
general), so please accept my apology up front if this is an idiotic 
question.


Thanks!


Kenward


Short answer: Yes, this can be done.  Please have someone with 
networking experience set this up, unless you want to spend the next few 
months learning networking!  This isn't really a pfSense-related issue 
at this point.


Easiest, surest (but not cheapest) way: get a separate DSL or Cable 
connection for your lab, and connect to the internet through that link 
(possibly using pfSense).  Don't connect to the existing school [wired] 
network or WiFi [network] at all, not even the public wifi.


Cheaper (and still secure): if the school has a firewall (it most likely 
does), ask if you can be connected to a dedicated interface on that 
firewall.  That way, IT still has control over what you can and can't 
access, and they can protect themselves from you.


Also cheaper (and still secure): the school's WAN provider may allow you 
to connect more than one device to the WAN connection.  This might 
require adding a switch between the service provider's equipment and the 
school's firewall, if the service provider doesn't give you a multi-port 
device of some sort.  Either way, you plug your dedicated (possibly 
pfSense) firewall into another port on the WAN device.  Many DSL & Cable 
providers install a modem that includes a 4- or 5-port switch built 
right in.


Most difficult to get working: install your firewall (possibly running 
pfSense) as a client on the school's public wireless network.  I'm not 
sure if pfSense even supports this natively; you may have to use an 
external ethernet-to-wireless bridge (but these are fairly common 
devices now, anything sold as a travel router can probably do it, most 
SoHo routers & APs can do it, too). There are many variables here, and 
many things to get wrong.  On the other hand, this requires relatively 
little (i.e. possibly even zero) effort from the existing IT group, and 
doesn't cost much.


If you have to sign in to the public WiFi network, especially through 
some sort of login web page (like you do at public hotspots) then 
connecting a firewall to it is probably not going to work well, if at all...


--
-Adam Thompson
 athom...@athompso.net



Re: [pfSense] ZFS warning message on local console during boot

2014-07-30 Thread Adam Thompson
Faster caching when using squid and/or some of the other packages?

But, yes, it would be a bit silly, regardless.

-Adam

On July 30, 2014 9:43:01 AM CDT, Vick Khera vi...@khera.org wrote:
On Wed, Jul 30, 2014 at 9:50 AM, Paul Mather p...@gromit.dlib.vt.edu
wrote:
 Personally, I think ZFS on i386 has become a losing proposition as of
 late.  I ran a ZFS-on-root FreeBSD/i386 10-STABLE system with 2 GB of
 RAM and it appeared to become very flaky with ZFS in its latter months
 (I eventually switched it out for a FreeBSD/amd64 system).

I cannot fathom a sensible use case for using ZFS on pfSense at all.

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: [pfSense] Disable antispoofing on an interface

2014-07-17 Thread Adam Thompson
How do you know pfSense is dropping the packet?  Does it show up in a packet 
capture on OPT1?
-Adam

On July 17, 2014 5:12:07 AM CDT, NetSys Pro netsys...@live.com wrote:
Hello Adam,
Anything else I could try?
Thanks

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: [pfSense] Disable antispoofing on an interface

2014-07-17 Thread Adam Thompson
Not really possible.  If tcpdump can't show you the packet, then the problem 
is occurring before pfSense... i.e. in the WAN optimizer.

On July 17, 2014 12:01:12 PM CDT, NetSys Pro netsys...@live.com wrote:
Adam,
Thanks for your reply. First of all, as I said before, I had already
posted the same question on the forum and had not received any
reply. However, Chris BUECHLER replied to my posts about 2 days ago. If
it is better that I stop the cross-posting, then someone please do
advise. Until then, we'll continue on both the forum and here in the
mailing list. Of course, I will update both with the findings.
So, regarding your question, from the log (see screenshot on the forum)
on the remote pfSense, I see that the ICMP request is ALLOWed into the
remote OPT1 (aka SILVERPEAK) interface. However, after doing packet
captures on the other interfaces, I do not see the packet coming out
anywhere! So, I suppose the packet is being silently dropped. Is that
possible?

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: [pfSense] Disable antispoofing on an interface

2014-07-17 Thread Adam Thompson
If you run (from memory, here!) clog -f /var/log/filter.log while the packet 
is arriving, you should see what rule is blocking it.
You may want to set up a capture in your terminal emulator, as there will 
likely be a lot of unrelated output and it'll scroll off-screen quickly.
-Adam

On July 17, 2014 12:20:10 PM CDT, NetSys Pro netsys...@live.com wrote:
I just did a tcpdump on pfSense and I do see the ICMP request coming in
on the OPT1 interface. So, this means that the WANOPT appliance is not
the culprit.


Re: [pfSense] Disable antispoofing on an interface

2014-07-17 Thread Adam Thompson

On 14-07-17 12:32 PM, NetSys Pro wrote:

Here's the output:

Jul 17 21:27:50 fw2 pf: 10.6.2.10 > 192.168.6.106: ICMP echo request, id 43547, seq 0, length 64
Jul 17 21:27:52 fw2 pf: 00:00:01.885014 rule 159/0(match): pass in on re0: (tos 0x0, ttl 62, id 1, offset 0, flags [none], proto ICMP (1), length 84)
Jul 17 21:27:52 fw2 pf: 10.6.2.10 > 192.168.6.106: ICMP echo request, id 43547, seq 2, length 64
Jul 17 21:27:52 fw2 pf: 00:00:00.358395 rule 5/0(match): block in on re2: (tos 0x0, ttl 128, id 1110, offset 0, flags [DF], proto TCP (6), length 40)
Jul 17 21:27:52 fw2 pf: 192.168.6.106.54118 > 23.214.64.109.443: Flags [R.], cksum 0x4fe4 (correct), seq 1951833685, ack 1897326514, win 0, length 0
Jul 17 21:27:53 fw2 pf: 00:00:00.628387 rule 159/0(match): pass in on re0: (tos 0x0, ttl 62, id 2, offset 0, flags [none], proto ICMP (1), length 84)
Jul 17 21:27:53 fw2 pf: 10.6.2.10 > 192.168.6.106: ICMP echo request, id 43547, seq 3, length 64
Jul 17 21:27:54 fw2 pf: 00:00:01.148349 rule 159/0(match): pass in on re0: (tos 0x0, ttl 62, id 3, offset 0, flags [none], proto ICMP (1), length 84)
Jul 17 21:27:54 fw2 pf: 10.6.2.10 > 192.168.6.106: ICMP echo request, id 43547, seq 4, length 64
Jul 17 21:27:55 fw2 pf: 00:00:00.874917 rule 159/0(match): pass in on re0: (tos 0x0, ttl 62, id 4, offset 0, flags [none], proto ICMP (1), length 84)
Jul 17 21:27:55 fw2 pf: 10.6.2.10 > 192.168.6.106: ICMP echo request, id 43547, seq 5, length 64
Jul 17 21:27:56 fw2 pf: 00:00:01.011050 rule 159/0(match): pass in on re0: (tos 0x0, ttl 62, id 5, offset 0, flags [none], proto ICMP (1), length 84)
Jul 17 21:27:56 fw2 pf: 10.6.2.10 > 192.168.6.106: ICMP echo request, id 43547, seq 6, length 64
Jul 17 21:27:57 fw2 pf: 00:00:00.989951 rule 159/0(match): pass in on re0: (tos 0x0, ttl 62, id 6, offset 0, flags [none], proto ICMP (1), length 84)
Jul 17 21:27:57 fw2 pf: 10.6.2.10 > 192.168.6.106: ICMP echo request, id 43547, seq 7, length 64
Jul 17 21:27:58 fw2 pf: 00:00:00.995826 rule 159/0(match): pass in on re0: (tos 0x0, ttl 62, id 7, offset 0, flags [none], proto ICMP (1), length 84)
Jul 17 21:27:58 fw2 pf: 10.6.2.10 > 192.168.6.106: ICMP echo request, id 43547, seq 8, length 64
Jul 17 21:27:59 fw2 pf: 00:00:01.031938 rule 159/0(match): pass in on re0: (tos 0x0, ttl 62, id 8, offset 0, flags [none], proto ICMP (1), length 84)
Jul 17 21:27:59 fw2 pf: 10.6.2.10 > 192.168.6.106: ICMP echo request, id 43547, seq 9, length 64
Jul 17 21:28:00 fw2 pf: 00:00:00.971443 rule 159/0(match): pass in on re0: (tos 0x0, ttl 62, id 9, offset 0, flags [none], proto ICMP (1), length 84)
Jul 17 21:28:00 fw2 pf: 10.6.2.10 > 192.168.6.106: ICMP echo request, id 43547, seq 10, length 64
Jul 17 21:28:01 fw2 pf: 00:00:01.040452 rule 159/0(match): pass in on re0: (tos 0x0, ttl 62, id 10, offset 0, flags [none], proto ICMP (1), length 84)
Jul 17 21:28:01 fw2 pf: 10.6.2.10 > 192.168.6.106: ICMP echo request, id 43547, seq 11, length 64


What do you think?


Since there's only one block in that list, I'm going to speculate that 
it represents your missing packet.  Also, it refers to re2 which is 
likely your OPT1 interface if you did things conventionally.
I don't know what rule 5 is, although anything with that low a # is 
likely to be a system-generated rule.
On my system, it's the "Default deny rule IPv6", although that doesn't 
sound likely in your case.
You'll want to run pfctl -vv -s rules | more and tell us what rule 5 
is.  It's almost certainly going to be a Default-Deny rule, which means 
you're missing a firewall rule somewhere.

Do you have a rule allowing all protocols from OPT1 to LAN?

--
-Adam Thompson
 athom...@athompso.net

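To make the check Adam describes mechanical, here is a small parser for the two-line pf log format pasted above (pfSense 2.1.x, as shown by clog -f /var/log/filter.log). It is an added example, not code from the thread or from pfSense; the function names and the Entry fields are its own. It pairs each "rule N/M(match): pass|block" header with the tcpdump-style decode that follows, tolerates a decode whose header has scrolled off (as the first line of the paste has), and lists the block entries with rule number, interface, protocol and endpoints, so you can confirm that a block actually matches the flow you are tracing before chasing its rule number with pfctl -vv -s rules.

```python
"""Pair up pf filter-log entries of the kind pasted in the thread: each
'rule N/M(match): ACTION DIR on IFACE: (...)' line is followed by a
tcpdump-style decode of the packet.  Added example; the function and field
names are this example's own, not pfSense's."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: a subset of the lines quoted in the thread.  The first
# decode line has no rule header because that header had scrolled off.
SAMPLE_LOG = """\
Jul 17 21:27:50 fw2 pf: 10.6.2.10 > 192.168.6.106: ICMP echo request, id 43547, seq 0, length 64
Jul 17 21:27:52 fw2 pf: 00:00:01.885014 rule 159/0(match): pass in on re0: (tos 0x0, ttl 62, id 1, offset 0, flags [none], proto ICMP (1), length 84)
Jul 17 21:27:52 fw2 pf: 10.6.2.10 > 192.168.6.106: ICMP echo request, id 43547, seq 2, length 64
Jul 17 21:27:52 fw2 pf: 00:00:00.358395 rule 5/0(match): block in on re2: (tos 0x0, ttl 128, id 1110, offset 0, flags [DF], proto TCP (6), length 40)
Jul 17 21:27:52 fw2 pf: 192.168.6.106.54118 > 23.214.64.109.443: Flags [R.], cksum 0x4fe4 (correct), seq 1951833685, ack 1897326514, win 0, length 0
Jul 17 21:27:53 fw2 pf: 00:00:00.628387 rule 159/0(match): pass in on re0: (tos 0x0, ttl 62, id 2, offset 0, flags [none], proto ICMP (1), length 84)
Jul 17 21:27:53 fw2 pf: 10.6.2.10 > 192.168.6.106: ICMP echo request, id 43547, seq 3, length 64
"""

RULE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) pf: (?:[\d:.]+ )?"
    r"rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<why>\w+)\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<iface>\w+): \((?P<hdr>.*)\)$"
)
PKT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) pf: (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$"
)
PROTO_RE = re.compile(r"proto (?P<name>\w+) \(\d+\)")


@dataclass
class Entry:
    """One logged packet: the rule decision (if its header was seen) plus the decode."""
    timestamp: str
    rule: Optional[int]        # pf rule number, None when the header line is missing
    action: Optional[str]      # "pass" or "block"
    direction: Optional[str]   # "in" or "out"
    iface: Optional[str]       # e.g. "re2"
    proto: Optional[str]       # "ICMP", "TCP", ...
    src: Optional[str] = None
    dst: Optional[str] = None
    detail: str = ""


def parse_pflog(text: str) -> List[Entry]:
    """Walk the log, attaching each decode line to the rule header before it."""
    entries: List[Entry] = []
    pending: Optional[Entry] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if m:
            if pending is not None:        # header without a decode line: keep it anyway
                entries.append(pending)
            pm = PROTO_RE.search(m["hdr"])
            pending = Entry(m["ts"], int(m["rule"]), m["action"], m["dir"],
                            m["iface"], pm["name"] if pm else None)
            continue
        m = PKT_RE.match(line)
        if m:
            if pending is None:            # decode whose header scrolled off
                pending = Entry(m["ts"], None, None, None, None, None)
            pending.src, pending.dst, pending.detail = m["src"], m["dst"], m["rest"]
            if pending.proto is None and m["rest"].startswith("ICMP"):
                pending.proto = "ICMP"
            entries.append(pending)
            pending = None
    if pending is not None:
        entries.append(pending)
    return entries


def host_port(addr: str) -> Tuple[str, Optional[int]]:
    """Split tcpdump's 'a.b.c.d.port' into (ip, port); ICMP endpoints carry no port."""
    parts = addr.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return addr, None


def blocked(entries: List[Entry]) -> List[Entry]:
    """Only the entries pf logged with a block action."""
    return [e for e in entries if e.action == "block"]


def summarize(entries: List[Entry]) -> Dict[Tuple, int]:
    """Count entries per (action, rule, iface, proto) so a lone block stands out."""
    counts: Dict[Tuple, int] = {}
    for e in entries:
        key = (e.action, e.rule, e.iface, e.proto)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_pflog(SAMPLE_LOG)
    for key, n in summarize(parsed).items():
        print(key, n)
    for e in blocked(parsed):
        print("BLOCK rule", e.rule, "on", e.iface, e.proto,
              host_port(e.src or ""), "->", host_port(e.dst or ""))
```

Run against the sample, the only block entry is rule 5 on re2 for a TCP packet to port 443, while every entry for the ICMP echo requests is a pass on re0.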

Re: [pfSense] Disable antispoofing on an interface

2014-07-14 Thread Adam Thompson
I suspect you need to be looking not for anti-spoofing but for anti-bogon rules.
Can't remember what pfSense calls it offhand.
-Adam


On July 14, 2014 6:19:22 PM CDT, NetSys Pro netsys...@live.com wrote:
Hello everyone,

First of all, please note that I have already posted the question below
on the pfSense forum (see 
https://forum.pfsense.org/index.php?topic=79081.0) since about 1 week 
without any reply.
Given the urgency of the matter, I decided to post to the mailing list,
hoping for some here.

BTW: I don't know if this will be of any help to obtain a reply, please
note that I have a Gold membership subscription as well.

So, regarding my question, I'll copy/paste from the forum as follows:


I have 2 pfSense boxes (both version 2.1.4) connected via the Internet.
Each one has 3 interfaces: LAN, WAN & OPT1.
There is an IPsec VPN between the 2 pfSense boxes.
A WAN optimisation (we'll call it WANOPT) appliance is connected to the
OPT1 interface on each side.
There is a UDP tunnel between the 2 WANOPT appliances. This UDP tunnel 
goes inside the IPsec tunnel.
I use PBR (as a LAN rule) to redirect traffic going to the remote LAN 
into the WANOPT appliance.

This is what I've observed after starting to ping a remote LAN machine 
from a local LAN machine:
1. On reaching the local LAN interface, the ICMP echo request is 
properly redirected to the WANOPT appliance.
2. The ICMP request then goes inside the UDP tunnel.
3. The UDP packets go into the IPsec tunnel.
4. On the remote side, a tcpdump shows that the ICMP packet does come 
out of the WANOPT appliance and therefore the UDP tunnel.
5. It then reaches the OPT1 interface of the remote firewall.
6. However, it does NOT come out any interface!!!
7. I have an "Allow all protocols from any to any" rule on both the 
IPsec and OPT1 interfaces, for testing purposes.
8. There's nothing in the log saying that the packet was dropped. In 
fact, there's a log entry which says that the packet was actually 
allowed into the OPT1 interface!

What has happened to the packet?

NB:
1. On the remote side, when the ICMP packet comes out of the UDP tunnel,
its source IP is that of the local LAN machine and its destination is 
that of the remote LAN machine.
2. Is this packet being considered a spoofed packet?

I modified the file /etc/inc/filter.inc (around line 3105 in pfSense 
2.1.4) to disable antispoofing on the OPT1 interface and rebooted both 
firewalls without any success.
I confirmed that the file /tmp/rules.debug did not contain the antispoof
directive for the OPT1 interface after reboot.
RFC 1918 private IP addresses are not being blocked either.

Thank you for any help.





-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: [pfSense] Squidguard Issues

2014-06-06 Thread Adam Thompson
 

On 2014-06-06 08:38, Brian Caouette wrote: 

For the past few days I was experiencing issues where squidguard did not
always work. Finally this morning I stumbled onto the problem. It turns
out that if you enable the save bandwidth feature in Chrome you can
access all the adult sites. If you shut the feature off everything is
blocked as expected. I've tested with an Android phone and an iPad and
it works the same. I guess my next question is what port is Chrome using
for this feature and how do we tell squidguard to also watch for content
on this port that also needs to be filtered?

Based on https://developer.chrome.com/multidevice/data-compression , I
suspect the answer is: "Good luck!"

My guess is that it'll be using port 443 to
an unpredictable subset of servers inside Google's address space, and I
wouldn't be the slightest bit surprised if blocking that traffic pretty
much just breaks Chrome on mobile altogether. 

Google, among others, is
moving strongly in the direction of not allowing carriers (including
local LAN admins) to silently interfere with HTTP(S) traffic in any way.
The remaining way involves blocking all outbound HTTPS and forcing it
all to go through a proxy server... although even there, I wouldn't be
surprised if Chrome tunnels HTTPS-over-SPDY-over-HTTPS-over-HTTP(proxy).


Please let us know what winds up working for you. 

-Adam 

Re: [pfSense] vmware

2014-05-28 Thread Adam Thompson
On May 28, 2014 10:33:59 AM CDT, Brian Caouette bri...@dlois.com wrote:
> 4.1 appears to be the newest this hardware can use.
>
> On 5/28/2014 11:19 AM, Ryan Coleman wrote:
>> 4.1?
>>
>> in /5.x/ you can assign VLANs to NICs and then different NICs to VMs.
>>
>> I don't know about 4.1.
>>
>> On May 28, 2014, at 10:11, Brian Caouette bri...@dlois.com wrote:
>>
>>> I'm looking to use vmware 4.1 on my poweredge 2850 when it arrives. I
>>> have a question on how virtual machines work. With a hardware
>>> configuration of two nics wan/lan how does each vm use them? Do I
>>> need a nic for each vm or as long as each ap is using a different
>>> port i'm good to go?
>>>
>>> I'm thinking a vm for pfsense, another vm for a webserver, etc...

Do yourself a favor, then, and don't use VMware on it.  That's akin to 
deliberately installing a Windows 2000 domain controller today...
pfSense itself runs quite well on 2750s and 2850s directly.
-Adam
-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: [pfSense] Pix Replacement?

2014-05-24 Thread Adam Thompson

On 14-05-24 06:33 PM, Kevin Tollison wrote:


On May 24, 2014 6:41 PM, David Hicks dhi...@509j.net 
mailto:dhi...@509j.net wrote:


 Group...

 I realize that I'm posting to a pfSense list, but figure it is still 
worth posing the question.  We are a school district with 
approximately 2000 internal devices.  We are looking at replacing our 
aging Cisco pix firewalls and are trying to decide between going with 
a Juniper SRX240 or moving to pfSense.  Our expectation is to use for 
simple firewall and NAT with an openVPN setup for a small number of 
remote connections.  We've been using pfSense in a very simple 
configuration at one of our smaller school districts for a year with 
no issues whatsoever. I'm wondering if it is time to make the leap to 
pfSense for our larger operation and if there are any major cautions 
people might have that would suggest it is a safer bet to go with a 
standard name like Juniper.


 I apologize if this is too broad a question, but figured I'd see if 
anyone has any feedback to provide.


I'd recommend talking to Chris directly. I'm sure he can generate a 
support plan that is much more cost effective than anything Juniper 
has to offer.


We have had a support contact for about a year now. Only used it 
twice. Both issues ended up not being pfSense, but the support team was 
on the issue almost immediately.


Not a direct answer, but a direction I would investigate first for a 
site(s) of that size.


Kevin



I would also add that while NetScreen firewalls (aka Juniper SRX 
devices) are slightly better than the equivalent Cisco PIX, they are 
*NOT* a best-of-breed firewall by any stretch of the imagination. In 
fact, since SRXs are (except for the monster units) 100% software 
routers, pfSense gives you very similar technical capabilities at a much 
lower price point.


If you want a unit you can buy at retail with a built-in warranty, look 
to FortiGate, Palo Alto, or even Checkpoint.  All three are available in 
a VM if you want to run them on your own hardware, or FG and PA have 
some hardware acceleration even in the mid-range units.


Juniper makes excellent routers, but I wouldn't buy their firewalls if I 
had any choice in the matter.


Particularly since you want to use OpenVPN, pfSense does make sense.

For a head-to-head RFP/quote/etc. (potentially including pre-built 
hardware), talk to Netgate or ESF; both hang out here (in fact, the two 
entities are closely related).


--
-Adam Thompson
 athom...@athompso.net
 Cell: +1 204 291-7950
 Fax: +1 204 489-6515


Re: [pfSense] pfsense performance

2014-05-21 Thread Adam Thompson

On 14-05-21 08:27 PM, Joseph H wrote:

Hi Everyone,

I was having a debate with a new network engineer we have and we were 
discussing how pfSense performs and how it would handle 10G network 
connections, setup as a transparent firewall, using snort and a few 
other packages to help monitor and graph traffic.


I was saying that as long as it has plenty of CPU and Memory, plus 
Intel NIC's for the 10G then it would not have any problems doing 
transparent mode, and there would be no noticeable slowdown or 
sluggishness.


Does anyone have any statistics they would share or what size server 
to build, using Intel 10G nic cards?


Thanks in advance.

Joe



Jim just had this argument with Henning Brauer at BSDCan... at those 
speeds, bandwidth doesn't really matter, packets-per-second matters.
In most normal situations, pfSense can pass almost 10Gbit/sec of 
traffic.  However, in a DDOS - or VoIP - scenario, its limited PPS rates 
(compared to stupidly expensive hardware-accelerated appliances) rapidly 
will become a bottleneck.
Depending on your traffic patterns, you will probably max out on PPS 
long before you max out on bandwidth.


Transparent mode vs. routed mode probably won't make all that much 
difference at the scales you're talking about, but I admit I've never 
tried transparent mode at 1Gbps.


--
-Adam Thompson
 athom...@athompso.net



Re: [pfSense] My son is able to bypass my captivate portal

2014-05-11 Thread Adam Thompson
On May 11, 2014 1:37:01 PM CDT, Mehma Sarja mehmasa...@gmail.com wrote:
My Samsung Chromebook bypasses my router/OpenDNS because it has it's
own
DNS entries.

Yudhvir



 Basically it takes a DNS call the first time and goes elsewhere. Then
it
 corrects itself. If he’s got a different DNS set up then either CP
does not
 work or, potentially, it could be bypassed.

 —






The simple solution is to block all outbound DNS at the firewall, but this can 
also break things (like some Google and Apple devices).
Even broken devices usually have a fallback mode, but be careful of what breaks 
when you do this!
-Adam
-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: [pfSense] ICMPv6 filtering recommendations with pfSense?

2014-05-08 Thread Adam Thompson
On May 8, 2014 12:05:34 PM CDT, Brian Candler b.cand...@pobox.com wrote:
On 08/05/2014 11:51, Olivier Mascia wrote:
 On the WAN interface, I’m currently allowing full ICMPv6 in, albeit
only from Global Unicast and Multicast addresses.
 That is: only from 2000::/3 and ff00::/8.
I don't think you'll see any packets with multicast source addresses. 
It's possible you could see packets with Link-Local source addresses 
(fe80::/64) from the upstream router, but you may not care.



Sorry for the late addition... Perhaps this was already covered, but if not:

Please don't filter ICMPv6.  This is one of the key points every intro-to-v6 
class teaches: IPv6 actually *needs* ICMPv6 to function in pretty much every 
situation.

The official guidance on this subject is RFC 4890, Recommendations for Filtering 
ICMPv6 Messages in Firewalls.
The TL;DR version is "just don't".
If a firewall operator can't read the RFC, and accurately distinguish between 
transit and local traffic, then they shouldn't filter any of it.

(Yes, I'm being a hard-ass here, because I already see people breaking IPv6 
because they think it's OK to filter ICMP.)

It is probably possible to extrapolate a base set of recommendations that 
pfSense might be able to build in, similar to how there's a lot of automatic 
IPv4 filtering under the hood, but I don't believe this has been done yet.

-Adam
-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: [pfSense] Interface options for pfsense

2014-04-22 Thread Adam Thompson
On April 22, 2014 4:58:14 PM CDT, Jim Thompson j...@smallworks.com wrote:

On Apr 22, 2014, at 3:42 PM, Volker Kuhlmann hid...@paradise.net.nz
wrote:

 On Wed 23 Apr 2014 05:02:59 NZST +1200, Jim Thompson wrote:
 
 Are there any USB Ethernet adapters that actually work with
pfsense?
 Reliably? I am looking for reports from those who have tried, not
the
 freebsd supported HW list - that list is too long and not really
 trustworthy (I have a USB wifi adapter which runs for 10min then
makes
 pfsense kernel panic).
 
 WiFi isn't recommended until at least pfSense 2.2, if then.
 
 OK, thanks Jim, good to know. Do you mean this to apply to USB wifi
only?

No.

 There are cheap mPCIe atheros-based wifi cards for the PCEngine APU
 board. Are they known to be reliable?

Yes, I know.   We sell thousands of them every month, but not for use
in pfSense.  Maybe with 2.2 the situation will improve.

 You can pick up the 8 port HP switches (e.g. 1810-8G aka J9802A) for
less than $100 these days.
 No fan, so noise-free.   8W maximum.
 
 Yes, thank you for mentioning that - I had seen that yesterday and
their
 power specs had escaped me when I looked at them previously (some of
 those similar models do guzzle it).
 
 That's my plan B, but I really don't like to use VLANs when I can
avoid
 the clutter and complexity (more bugs, more time spent). A pfsense
box
 with more ports is much easier.

You asked.   BTW, VLANs end up as less clutter, not more.

jim


Using VLANs when combined with LACP is also (literally, mathematically) 
infinitely more resilient to many common types of physical failure, and gives 
you the added bonus of being able to exceed the speed of a single link in many 
cases.
-Adam
-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: [pfSense] Interface yoyo

2014-04-21 Thread Adam Thompson

On 14-04-21 03:46 PM, Bryan D. wrote:

FYI, in my case there was no MAC spoofing and the issue occurred when an hme port was 
used for a LAN and/or WAN interface.  I don't have the resources, right now, but it'd be 
good if someone could try a raw OS-only install and see whether the issue 
exists there.  Presumably that would eliminate pfSense's code or make it the more likely 
source.
If any of the devs want to test this hardware, I have at least one just 
sitting on the shelf I can ship to you.  (I thought I had 3 or 4 of 
them, maybe they're still sitting in the E450s that are also sitting on 
the shelf.  Well, actually on the ground, but only because I don't have 
any shelves that can hold *those*.)


--
-Adam Thompson
 athom...@athompso.net



[pfSense] 2.1 can't auto-update anymore?

2014-04-05 Thread Adam Thompson

My own 2.1-release pfSense now can't auto-update.
After I navigate to the Firmware->Auto Update tab, I get:

Downloading new version information...done
Unable to check for updates.
Could not contact pfSense update server 
http://updates.pfsense.org/_updaters


with no corresponding log entries anywhere.  Dashboard exhibits 
corresponding "Unable to check for updates." issue.

Packages->Available still works.
Manual testing (telnet updates.pfsense.org 80) indicates there's no 
problem talking to that web server.  (N.B. appears to work on both IPv4 
and IPv6, I tested all three addresses.)

I can even use command-line ftp client to download latest.tgz!
I have rebooted today, just in case something was stuck.
One last thing to try... yup, upgrading from the console works fine.

Did I miss something obvious?  How can php from the console work, but 
php from the webserver not work?


--
-Adam Thompson
 athom...@athompso.net


Re: [pfSense] successor to ALIX is here

2014-04-05 Thread Adam Thompson

On 14-04-05 12:32 PM, Jim Thompson wrote:
This SANS paper has a description of the common attacks against a VLAN 
segmentation architecture, as well as countermeasures to same.  It 
includes code to demonstrate several of the attacks.

https://www.sans.org/reading-room/whitepapers/networkdevs/virtual-lan-security-weaknesses-countermeasures-1090


Jim, thank you for that - I've been looking for published references to 
convince one of the companies I work with that VLANs are secure enough 
for their needs.


--
-Adam Thompson
 athom...@athompso.net



Re: [pfSense] New intel atom board

2014-04-05 Thread Adam Thompson

On 14-04-05 02:02 PM, Jim Thompson wrote:

http://techcrunch.com/2014/04/03/intel-releases-99-minnowboard-max-an-open-source-single-board-computer/?utm_campaign=fbncid=fb
An interesting platform for pfSense?
It looks like it only has 1 NIC though.

I looked at this earlier in the week when it was released.
It’s interesting,
[...]
and Circuitco is just up the highway in Richardson, TX.   I’ve considered 
driving up and seeing what it would take to take
the schematics (when they are available) and have a board built with 2 
Ethernets (rather than one), and maybe
a miniPCIe socket (for an 802.11 NIC, as pfSense 2.2 should make a lot more of 
these work, or possibly an m-sata drive),
in addition to pulling the expansion header off, and connectorizing the serial 
‘debug’ header for a proper console.
Given the high up-front costs to produce a variant board, wouldn't it be 
easier, faster and cheaper to just use the expansion header, which IIRC 
includes two PCIe 1x lanes?  If a breakout cable existed that provided 2 
PCIe slots, it would be possible to simultaneously have much more 
flexibility in enclosure design (e.g. PCIe cards underneath the board?) 
as well as flexibility in choice of add-on.
I don't see that a breakout cable exists yet for the high-speed 
expansion bus, so there's that minor (*cough*) problem... but that seems 
a much smaller problem than re-tooling the board.



We would need a simple enclosure as well. Painted (or powder-coated) steel 
is less expensive than anodized aluminum, but I think the anodized aluminum 
looks
In case you don't have a local firm you're happy with, talk to Protocase 
for sample qtys.  I've seen them be cheaper than mass mfg for small runs 
of simple cases (e.g. interlocked-U style).



The other issue is single or dual core and 1GB or 2GB ram (4GB?)?
The stock 2GB version should be adequate (barely) IMHO for most 
applications that function with that class of CPU/ethernet/storage anyway.
Much more interesting to me would be if a small, low-cost board like 
that were available with ECC.  That CPU does support ECC RAM, after all...



How interesting is the m-sata / miniPCIe option?
Not to me, as I tend to deploy pfSense at the higher-end of the 
spectrum, but *some* way to add WiFi would probably be important for the 
putative target audience.  USB probably won't cut it for an AP, so mPCIe 
is probably needed.  Again, expansion-header-to-mPCIe should be possible 
instead of reworking the board... and unlike PCIe 1x sockets, that 
wouldn't take up much more room than putting the mPCIe headers on the board.



How you can help:

Indicate your level of interest.
Neat, but not commercially interesting to me right now. 
Linksys/ASUS/D-Link make cheaper gateways that are good enough for 
home users, and commercial users will either get a FortiWiFi (or 
equivalent) or if pfSense, re-use an existing rackmount server.



This board would without a doubt cost more than the minnow board.   I don’t 
know how much more, but we’re not going to hit the
same volumes as the minnow board.  (I could be wrong.)   The minnow board could 
be subsidized by Intel. (I could be wrong.)
See above comments :-).  I'm not sure if a breakout cable is 100% 
workable, but if so it's a faster/cheaper option than mPCIe.



It’s going to require a significant investment (up-front NRE), an investment in 
getting a run of these made, and some return on those investments (profit).

How important is form-factor?   Larger PCBs cost more, but can sometimes relax 
routing enough to not need additional layers (fewer layers tend
to cost less).
Smaller is better.  Otherwise I may as well just deploy a miniITX or 1U 
system.  Which, yes, argues *against* using a breakout cable for PCIe.



- dual core or single core? Remember that pfSense 2.2 (which is based on 
FreeBSD 10)  supports a pf capable of multi-threading.

Good question - optimize for today or for tomorrow?

--
-Adam Thompson
 athom...@athompso.net


Re: [pfSense] DNS resolution issues under heavy load

2014-03-25 Thread Adam Thompson

On Mar 25, 2014, at 8:45 AM, David Noel david.i.n...@gmail.com wrote:

Well, it looks like it's the cable modem after all. Under load I'm
unable to connect to its admin panel, even when I'm directly
connected to it. I called Comcast's technical support and had them run
their diagnostics on it while everything was running and it failed
miserably. The tech agreed with the conclusion that the modem was
incapable of handling the load. So it looks like I'm in the market for
a new cable modem. I'm not sure how to find one that will meet my
needs though. Any DOCSIS 3 compatible modem will work on Comcast's
network.

Does anyone know of any models that are designed for heavy load? I'd
probably need something that was built for networks of ~10,000 users.
I'm not sure what sort of load 10,000 users generates, but I suspect
it would peak around the 10-100 requests per second that my crawlers
are putting out.

If not, can anyone recommend a place where I might be able to find an
answer to this question? Mailing list? Web forum? IRC channel, even?
I'd really rather not have to pull specs on every DOCSIS 3 compatible
modem and make a best guess based on microcontrollers/CPUs.


Short answer: no DOCSIS cable modems are designed for that kind of 
throughput!


Juniper sells MX480 routers to 10,000-customer-ISPs for ~$250k! 
(Granted, that *is* overkill, but even 10k-user corporations will have 
fairly high-end routers connected via fiber to handle that much traffic.)


Your best bet, I think, would be to find a DOCSIS 3 cable modem that can 
be put into bridging mode.  At that point, the CPU/RAM limitations of 
the cable modem are no longer relevant.


Some confirmation:
- 
http://jkoblovsky.wordpress.com/2012/11/21/how-to-use-your-own-router-with-rogers-docsis-3-0-upgrade/
- 
http://communityforums.rogers.com/t5/forums/forumtopicpage/board-id/Getting_connected/thread-id/12199

(implies Hitron and Moto/ARRIS modems can also do bridge-mode)
- http://digitalhome.ca/forum/showthread.php?t=145997page=6
(implies SMC modem can do bridge mode)
- http://www.dslreports.com/faq/comcast/2.1_Modems#17174
(Comcast-specific)

Once your modem is in bridge mode, the bottleneck should be your 
router.  As you've mentioned, your ALIX boxes are pretty much at their 
limit, too, so you're just moving the bottleneck around.


Apologies if I've missed something fundamental - I haven't followed this 
thread from the beginning...


--
-Adam Thompson
 athom...@athompso.net



Re: [pfSense] 802.1q dhcp and pf 2.1 and esxi 5.0

2014-03-22 Thread Adam Thompson

On 14-03-22 01:09 PM, Wade Blackwell wrote:

Good morning all from the very dry Central Coast of California,
So, still struggling with PF on esxi 5.1 and Charter DHCP 
responses never being received. Mark I did confirm the cheap SMB 
switch I have doesn't support DHCP snooping. Sean I did confirm that 
CDP was disabled on the Charter side. I made 3 changes one at a time 
and I was hoping that one of them would affect a change, no such luck. 
Changes in order;


moved from a standard virtual switch (esxi 5.1) to a distributed 
virtual switch

changed the interface type in PF to VMXnet2 from e1000
and finally
tried trunking all the way down to the OS creating vlan interfaces on 
the PF (not sure why I thought more abstraction from the hardware 
would be better)


So all that said I can still see a lot of layer 2 activity on the 
interface, gratuitous ARPs and DHCP requests and offers being bandied 
about but I never do see my responses come back. I see them head out 
never to return. Anyone else seeing this (with any provider) issue 
with PF in software? I'm fairly remote and ATT PPPoE is fine for backup 
but it's painfully slow for VOIP and every day use. Any suggestions 
would be fabulous. Thanks all.


On Wed, Oct 30, 2013 at 4:54 PM, Sean Cavanaugh 
millenia2...@hotmail.com mailto:millenia2...@hotmail.com wrote:


Make sure to set “no cdp enable” on the port that’s going to your
cable modem. A lot of cable companies will shut down connections
that broadcast those by default so as not to broadcast the
networks together.

I had same issue with my Comcast connection until I found out
about the CDP issue.

*From:*list-boun...@lists.pfsense.org
mailto:list-boun...@lists.pfsense.org
[mailto:list-boun...@lists.pfsense.org
mailto:list-boun...@lists.pfsense.org] *On Behalf Of *Wade Blackwell
*Sent:* Saturday, October 26, 2013 4:00 PM
*To:* list@lists.pfsense.org mailto:list@lists.pfsense.org;
supp...@pfsense.org mailto:supp...@pfsense.org
*Subject:* [pfSense] 802.1q dhcp and pf 2.1 and esxi 5.0

   I have *2.1-RELEASE *(amd64) running on esxi 5.0 with a
Cisco managed L2 switch (SG200-26) in between esxi and the charter
cable modem. I see my dhcp discovers go out (broadcast) I never
see any dhcp traffic come back. Charter's been out a few times,
they did determine that they see my discover and they respond
though I don't see the reply. With a dedicated interface they can
get an address off the modem. ASCII art below;

charter cable modem--g24 cisco vlan 5---esxi vlan5--pf em0.

I've tried this dedicating a vnic to a standalone vswitch with no
802.1q and I've tried 802.1q on the esxi side. The cable modem
port is always an access port in vlan 5. STP has been disabled on
the charter modem port. Every port has portfast enabled and the
mac timers have been cranked down to the minimum, 10 seconds I
believe. I've captured traffic from vlan 5 and g24 (cable modem
port) and seen the same thing, dhcp discovers go out, nothing
comes back. I'm thinking there has to be a handful of folks on
this list who have dealt with this and succeeded. Any advice would
be fabulous, I'd like to keep my L3 in software if I can. Thanks
so much.



Start over from first principles, then.
1. Plug a laptop or PC directly into the Charter modem.  Verify that it 
gets a DHCP-assigned IP.
2. Run the pfSense LiveCD or USB image on that same hardware. Verify 
that it gets a DHCP-assigned IP.
3. Repeat with a different NIC (use another PC/laptop if necessary); 
maybe Charter limits the # of distinct MAC addresses the modem will 
learn (my local cableco does this).  Rebooting the modem is usually 
sufficient to clear that, but some carriers require a call to tech support.
4. Connect a dedicated pNIC on the ESXi box to the cable modem; create a 
dedicated vSwitch and a dedicated vKernel port set to DHCP; verify it 
gets a DHCP-assigned IP.
5. Remove the vKernel port and create a vNIC; assign that to the pfSense 
VM.  Verify it gets a DHCP-assigned IP.
6. You can also try hardcoding the MAC address of the vNIC to be the 
same as one of the previously-functional NICs, if it's a 
#-of-MAC-addresses problem.

7. Lastly, do all this again through the switch.

Yes, that's a fair bit of work, but it should show you 100% conclusively 
where the problem lies.  I'm betting the problem will either manifest at 
step #2 or at step #7.


--
-Adam Thompson
 athom...@athompso.net


Re: [pfSense] [v2.1] configuring OPT1 as hosted services firewall?

2014-02-21 Thread Adam Thompson
The obvious problem is that it looks like you have two interfaces in the same 
subnet.  That (generally) doesn't work unless you are a routing guru in the 
first place and know exactly what you're doing.  Which, with apologies for 
bluntness, you obviously don't.

The  problem isn't with pfSense, it's with your entire concept of how IP works.
Go read a book on IP first, then try again?  (Sorry if I'm wrong, but it seems 
like the problem is at that level...)

-Adam

On Feb 21, 2014 7:13 PM, Ryan Coleman ryanjc...@me.com wrote:

 Does anyone have an ideas? 

 Thanks! 


 On Feb 20, 2014, at 4:04 PM, Ryan Coleman ryanjc...@me.com wrote: 

  I’m moving away from single server design on my ESXi box to dedicated 
  guests for each service but I cannot seem to get those dedicated services 
  through the firewall. 
  
  I have a 29bit subnet (IPs 1 through 5). Everything is internal to the ESXi 
  (5.1) server. 
  
  .1 = pfSense Firewall 
  .2 = OPT1 interface on pfSense 
  .3 = Customer VM (will port over to OPT2 after this works) 
  .4 = All-in-one hosted VM 
  .5 = Same All-in-one hosted VM 
  
  I am going to eliminate .4 and .5 as I pull specific services out and into 
  VMs (I’ve already moved the basic part of the FTP, the entire SQL server 
  and LDAP to internal systems). 
  
  But whenever I set up NAT rules on .2 it seems to be using .1’s stuff. 
  
  I will have the following pushed through: 
  FTP 
  WWW (one primary, each subserver has functioning Apache for their services) 
  IMAP SSL/SMTP 
  SSH (via pushed ports to each server) 
  
  Any thoughts would be helpful. The biggest thing I need to get running now 
  is the FTP part - I cannot get it to push through nor will it register on 
  the firewall log that it’s being blocked. 
  — 
  Ryan 


Re: [pfSense] Unbound

2014-02-16 Thread Adam Thompson

On 14-02-16 08:11 AM, Brian Caouette wrote:

What do you recommend for settings? Can you provide some screen shots?

I also noticed the stats this morning show nothing in the unbound 
cache. No matter how many sites I visit nothing shows up in there. 
Yesterday when it first started working there were thousands. Not sure 
what's going on with it.


That may be normal.  Unbound actually flushes its cached data when it's 
supposed to, unlike dnsmasq which deliberately holds on to stale data.  
Note that this isn't a bug in dnsmasq, it's a way to solve a specific 
issue that improves most people's experience.


Bottom line: using unbound is going to make you a lot more 
standards-compliant, and potentially a lot more secure, but also 
slower.  There isn't a lot of point running unbound unless you're 
worried about cache poisoning or you want to do DNSSEC validation.


My unbound config starts like this:

---snip---
server:
verbosity: 1
interface: 0.0.0.0
interface: ::0
access-control: X.X.X.0/24 allow_snoop
access-control: X.X.X.0/24 allow_snoop
access-control: X.X.X.186/29 allow_snoop
access-control: X:X:X::/48 allow_snoop
statistics-interval: 3600
extended-statistics: yes
cache-max-ttl: 3600
infra-host-ttl: 600
log-time-ascii: yes
log-queries: yes
root-hints: named.cache

unwanted-reply-threshold: 1000
prefetch: yes
prefetch-key: yes

module-config: validator iterator
val-permissive-mode: no
val-log-level: 2
auto-trust-anchor-file: /var/unbound/etc/ta/root.key
---snip---

Do make sure that if you have DNSSEC validation turned on, that you also 
have updated the trust anchor; stale TAs will cause lots of problems.  
Turning on prefetch can help in some situations.  Having a stale root 
hints file will also cause problems.  I don't run unbound on my pfSense 
box, so I don't recall if pfSense automatically updates the TA and/or 
the root-hints for you.


--
-Adam Thompson
 athom...@athompso.net



Re: [pfSense] Unbound

2014-02-15 Thread Adam Thompson

On 14-02-15 12:22 PM, Brian Caouette wrote:
I've been trying to use unbound with poor results. Currently it 
resolves very very slowly. About 4 times longer than the default dns 
forwarder. Once the site is found and loaded however browsing the site 
is incredibly fast. Curious what might be the cause of the slow down 
on initial lookup and how I might correct it?


Generally, this behaviour is caused by two things:
1. recursing from the root nameservers instead of your ISP's upstream 
DNS server, which means there is no cache for you to use
2. DNSSEC validation (which unbound does, but most resolvers still 
don't) takes a noticeable amount of extra time.


--
-Adam Thompson
 athom...@athompso.net



Re: [pfSense] How to monitor left (free) space on hard drive ?

2014-02-09 Thread Adam Thompson

On 14-02-09 02:21 PM, David QuayCendre wrote:

Hello,
I'm looking for monitoring on the left space on my pfSense hard drive.
I found this shell script :
http://bash.cyberciti.biz/monitoring/shell-script-monitor-unix-linux-diskspace/
It seems to work, but the mail function does not exist!
pfSense shell says: mail: not found

I'm just looking for a little script or solution.

Do you already monitor free space?
Can we send mail from the shell?


1. It's displayed on the main Dashboard, down at the bottom: Disk usage
2. (I think) It's available via SNMP, if you have that turned on.
3. No, you can't send mail via the mail command, however pfSense comes 
with a different command that you *could* use if you're dead set on 
sending email from the firewall, /usr/local/bin/mail.php.  It requires 
that you have an SMTP server configured correctly under 
System->Advanced->Notifications.


--
-Adam Thompson
 athom...@athompso.net

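An added example of the "little script" asked for above (mine, not the list's or pfSense's): a POSIX sh filter that reads "df -k" output and flags filesystems at or above a usage threshold, with a constructed df sample so it runs offline. The only assumption beyond the thread is that the report body gets handed to /usr/local/bin/mail.php, whose argument syntax is not shown here.

```shell
#!/bin/sh
# Added example, not from the list post: flag filesystems at or above a usage
# threshold from "df -k" output. Written for pfSense's POSIX /bin/sh; the
# column layout (capacity in column 5, mount point in column 6) is the same
# on FreeBSD and Linux. Pseudo filesystems such as devfs, which FreeBSD
# always reports as 100% full, are skipped by only considering /dev/... devices.

# Constructed sample "df -k" output so the script runs offline.
SAMPLE_DF='Filesystem    1024-blocks     Used    Avail Capacity  Mounted on
/dev/ada0s1a      7405788  6900312   -86988   101%    /
devfs                   1        1        0   100%    /dev
/dev/md0             3694      112     3286     3%    /var/run
/dev/ada0s1d     20000000 17500000  2500000    88%    /var'

# over_threshold THRESHOLD  (reads df -k output on stdin)
# Prints "MOUNTPOINT PCT%" for every real filesystem at or above THRESHOLD.
# Exit status: 0 when nothing is flagged, 1 when at least one filesystem is.
over_threshold() {
    awk -v thr="$1" '
        NR > 1 && $1 ~ /^\// {
            pct = $5
            sub(/%/, "", pct)
            if (pct + 0 >= thr + 0) {
                print $6 " " pct "%"
                found = 1
            }
        }
        END { if (found) exit 1; exit 0 }'
}

# report THRESHOLD  (reads df -k output on stdin)
# Human-readable summary suitable for a mail body; always exits 0 so it can
# be run from cron without generating failure noise.
report() {
    thr="$1"
    if flagged=$(over_threshold "$thr"); then
        echo "OK: no filesystem at or above ${thr}% used"
    else
        printf 'WARNING: filesystems at or above %s%% used:\n%s\n' "$thr" "$flagged"
    fi
}

# Offline demonstration on the constructed sample; on a live pfSense box run
#   df -k | report 90
# and pipe the output into /usr/local/bin/mail.php, which the reply above names
# (its argument syntax is not shown here and must be checked on the box).
printf '%s\n' "$SAMPLE_DF" | report 90
```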


Re: [pfSense] Lan Card Support

2014-01-06 Thread Adam Thompson
It should, as that card will either use standard Intel or Broadcom Ethernet 
chips.
There is always a small possibility that any given card may be incompatible, 
but in your case I would expect that to be almost negligible.
If the card is a brand-new model or revision, you are more likely to have 
problems.
-Adam

On Jan 6, 2014 11:42 AM, rajan agarwal rajanagarwa...@gmail.com wrote:

 Hi All,

 I am about to put pfSense in a production box. I will be using IBM Quad Port 
 Gigabit PCIe Ethernet Card P/N.: 39Y6136. Will pfSense version 2.0.1 support 
 this particular LAN card? I can't find the name of this LAN card on the 
 freeBSD 8.1 hardware support page. 

 Regards



Re: [pfSense] strange IPv6 routing problem

2014-01-06 Thread Adam Thompson

On 14-01-05 04:57 PM, Nicolas Bélan wrote:

Hello :)

Sure it is strange, can you launch ssh server in debug mode (non
detaching daemon) and check /var/log/message or secure in B ?
Can you also provide a packet capture with tcp flags ?
It may be different causes ...

maybe the cause is located on B, or on pfsense ...not sure ...



Never mind.
Attached directly to subnet B, still have the same problem so it's not 
pfSense after all.  :-(

Now to try and figure out why linux hosts don't like IPv6.
-Adam



Re: [pfSense] Bridging 3 virtual interfaces together?

2014-01-05 Thread Adam Thompson

On 14-01-05 09:44 AM, Benjamin Swatek wrote:

Hi all,

following up on this thread: Bridge LAN ports to act like a switch
http://forum.pfsense.org/index.php?topic=48947.0

I am looking for a way to bridge 3 VLAN interfaces together so they 
act as one inside the pfSense box for the purpose of traffic shaping 
on the bridge.
Now the 3 interfaces still need to act as single interfaces running 3 
different DHCP servers on each.


I looked into the above thread, but just bridging the 3 interfaces 
together they lose their IP addresses, which is something that I 
can’t afford as they serve 3 different LANs.


I want to *join* the interfaces together inside pfSense so I can throw 
all the traffic together in one big queue and start shaping according 
to subnet and ports.


Any hints?


That thread makes my head hurt, it's a bunch of people who don't 
understand the difference between Layer 2 and Layer 3 arguing about how 
to make it work.


Here's the only hint I could find:
http://blog.davidvassallo.me/2012/10/23/traffic-shaping-pfsense/

And... the whole *point* of bridging is that you lose the individuality 
of each NIC at Layer 3 (where IP lives).


I think what you might want is to create 3 VLAN interfaces on the trunk 
port, then 1 non-VLAN interface on each of 3 independent NICs, then 
bridge one NIC and one VLAN together... 3 times.  You'll wind up with 3 
bridges.


However, comparing that to the link I provided above doesn't result in 
any obvious solution for you.


Another solution would simply be to route instead of bridging.

As usual, I strongly suggest referring to a primer on the OSI model and 
make sure you fully understand the difference between Layer 2 (ethernet) 
and Layer 3 (IP), and the corollary, the difference between 
switching/bridging and routing.  You've also got VLANs thrown in there, 
which actually live at layer 2 but have layer 3 implications.


Despite the fact pfSense supports traffic shaping on bridges, I'm not 
certain it'll be possible in your exact scenario without several more 
complicated steps.


--
-Adam Thompson
 athom...@athompso.net



[pfSense] strange IPv6 routing problem

2014-01-05 Thread Adam Thompson

I'm having an issue with IPv6 state tracking, I think.

I run a fully dual-stacked environment.
pfSense 2.1-RELEASE acts as the gateway between two subnets (two VLANs, 
but I don't think that makes any difference here).
In IPv4, one subnet (A) is publicly-routable address space, the other 
(B) is RFC1918.

In IPv6, both subnets are publicly-routable address space.
I have a management workstation on subnet A that needs to reach servers 
in subnet B.


I've added two static routes on the router for subnet A, one IPv4, one 
IPv6, pointing to pfSense as the next-hop.
I've disabled automatic outbound NAT, and modified the three 
automatically-generated rules to have Destination NOT subnet A, in other 
words, I don't NAT between subnets A and B, only between B and the 
outside world (via A).  There are no port forwards in place.

On the WAN interface, I have four rules:
1. allow all IPv6 to WAN interface
2. allow all IPv4 to WAN interface
3. allow all IPv6 from A to B
4. allow all IPv4 from A to B

That's it - the simplest possible configuration I could come up with for 
this role.  (Incidentally, the reason I'm using pfSense at all is 
because the two routers for subnet A provide non-stateful HA, which 
makes NAT quite problematic.)


What I see is that when I ssh from A to B using IPv4, everything works 
fine.  The session shows up in the firewall state table as expected, and 
performs as expected.
If I ssh from A to B using IPv6, however, the session connects, I log 
in, and after a short while, the ssh session stalls.  The session does 
NOT show up in the state table, ever, even while it's still working 
properly.
I can restart the SSH session immediately, and it again will work for a 
while, failing after ~50 packets have been exchanged.


I've run simultaneous packet captures on the pfSense WAN and LAN 
interfaces, but they show me nothing of interest.  I looked at 
filter.log, but it's so noisy I didn't get any value out of it yet.


Any ideas or thoughts?  How can my session work in the first place 
without a state table entry, why does it die after ~50-100 packets?  Why 
is only IPv6 affected?  Have I missed something fundamental?


--
-Adam Thompson
 athom...@athompso.net
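The symptom above (an SSH session that works for a while yet never appears in the state table) is easiest to confirm from `pfctl -ss` output rather than by eye. The following is an added example, not code from the thread or from pfSense: a small parser for pf's state listing plus a lookup that reports every state belonging to a given client/server/port flow in either printed direction. The sample output is constructed; the addresses, ports and the `(nat-addr:port)` column are assumptions, and only the line layout (`<if> <proto> <src> -> <dst> STATE:STATE`, with `addr:port` for IPv4 and `addr[port]` for IPv6) follows pf's real format.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of `pfctl -ss` output (not captured from the poster's box).
# pf prints "<if> <proto> <src> -> <dst>  STATE:STATE" (or "<-" for inbound),
# with ports written as addr:port for IPv4 and addr[port] for IPv6.  A NAT'ed
# state shows the pre-translation endpoint in parentheses after the source.
SAMPLE_STATES = """\
all tcp 192.0.2.10:51234 -> 10.0.0.5:22       ESTABLISHED:ESTABLISHED
all tcp 10.0.0.5:22 <- 192.0.2.10:51234       ESTABLISHED:ESTABLISHED
all tcp 203.0.113.1:60000 (10.0.0.7:44321) -> 198.51.100.2:443       ESTABLISHED:ESTABLISHED
all udp 10.0.0.5:53 <- 192.0.2.10:40000       MULTIPLE:SINGLE
all tcp 2001:db8:b::5[22] <- 2001:db8:a::10[51234]       ESTABLISHED:ESTABLISHED
"""


@dataclass(frozen=True)
class PfState:
    iface: str
    proto: str
    src: Tuple[str, Optional[int]]
    direction: str          # "->" (outbound) or "<-" (inbound)
    dst: Tuple[str, Optional[int]]
    state: str              # e.g. "ESTABLISHED:ESTABLISHED"


def parse_endpoint(tok: str) -> Tuple[str, Optional[int]]:
    """Split 'addr:port' (IPv4) or 'addr[port]' (IPv6) into (addr, port)."""
    if tok.endswith("]"):                       # IPv6 with port
        addr, port = tok[:-1].rsplit("[", 1)
        return addr, int(port)
    if tok.count(":") == 1:                     # IPv4 with port
        addr, port = tok.split(":")
        return addr, int(port)
    return tok, None                            # bare address (no port printed)


def parse_states(text: str) -> List[PfState]:
    """Parse `pfctl -ss` style lines; unrecognised lines are skipped."""
    states: List[PfState] = []
    for line in text.splitlines():
        # Drop the "(addr:port)" NAT column so the remaining tokens line up.
        toks = [t for t in line.split() if not t.startswith("(")]
        if len(toks) < 6 or toks[3] not in ("->", "<-"):
            continue
        states.append(PfState(toks[0], toks[1], parse_endpoint(toks[2]),
                              toks[3], parse_endpoint(toks[4]), toks[5]))
    return states


def find_flow(states: List[PfState], proto: str, client: str,
              server: str, port: int) -> List[PfState]:
    """Return states for client -> server:port, whichever way pf printed them."""
    hits = []
    for s in states:
        if s.proto != proto:
            continue
        if s.direction == "->" and s.src[0] == client and s.dst == (server, port):
            hits.append(s)
        elif s.direction == "<-" and s.src == (server, port) and s.dst[0] == client:
            hits.append(s)
    return hits


if __name__ == "__main__":
    # Assumed addresses: a client in subnet A talking SSH to a server in subnet B.
    states = parse_states(SAMPLE_STATES)
    for client, server in (("192.0.2.10", "10.0.0.5"),
                           ("2001:db8:a::10", "2001:db8:b::5")):
        hits = find_flow(states, "tcp", client, server, 22)
        verdict = "tracked" if hits else "NO STATE (traffic is bypassing pf state tracking)"
        print(f"{client} -> {server}:22 : {verdict}")
```

On a live box the text would come from `subprocess.run(["pfctl", "-ss"], capture_output=True, text=True).stdout`; if an SSH session is visibly up but `find_flow` returns nothing, the packets are not being matched by a stateful rule on the path you expect, which is the condition the post describes.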



Re: [pfSense] Bridging 3 virtual interfaces together?

2014-01-05 Thread Adam Thompson

On 14-01-05 08:56 PM, Benjamin Swatek wrote:
> I’m only looking to push 8Mbps through two 3Mbps and one 2 Mbps ADSL
> lines (MultiWAN) for each of which I pay more than the national
> minimum wage - this is Bolivia - trying to satisfy my business’s needs
> to answer to emails asap as well as my clients expectations for a fast
> WiFi - that is people who don’t have a clue how expensive 1 Mbps is
> compared to the 1st world.
>
> So yes, my links are constantly congested ;-)


Oops, I've mixed you up in my mind with someone else who recently asked 
for assistance with VLANs and trunking, but they wanted to use a pfSense 
box *as* a switch.

I've steered you the wrong way altogether!

> I have a TP-Link 8 port switch ( http://tinyurl.com/m2rbcdt ) that
> connects the 3 LANs and the 3 WANs to the pfSense Box.
>
> But I’m not sure anymore what help it is.
> I had the LANs coming in on their own physical NICs, but couldn’t get
> them together for QoS neither.
> I can get them all in their own queue for shaping, but that way I
> could only limit each LAN individually not taking into account what
> the other one needs.


You've got everything you need.

The only place you can usefully control QoS in your environment is on 
the *UP*link to your ADSL provider.  If you have NICs dedicated to each 
subnet, then you're already at 1Gbps dedicated to each subnet.  Not 
really, because pfSense on that hardware can't do 1Gbps, but at least 
ethernet isn't the bottleneck.


By controlling upstream bandwidth, you can have *some* effect on 
downstream bandwidth.  By ensuring that no single upstream link is 100% 
congested, you will almost certainly improve response time and latency.


There will be absolutely no benefit to putting a traffic-shaping policy 
on inbound traffic; I can explain the logic behind this statement if 
it's not obvious, but in short: the data has already arrived at the DSL 
modem (and thereby filled up the pipe) long before pfSense can touch it; 
by the time pfSense sees the packet, it's far too late to do any traffic 
shaping.  If you could put a matching pfSense box at the ISP's location 
(hooked up to a 10- or 100-Mbit port), you could then usefully apply QoS 
in both directions.  But, good luck with that, most ISPs (speaking as a 
former ISP operator, here) won't understand or care, or if they do 
they'll charge you an arm and a leg.


I believe what you need is a standard multi-WAN setup.  No VLANs or 
trunking are needed at all in your situation.  You will need to apply a 
traffic shaping policy on all three WAN connections; you can apply the 
identical policy on all, or different policies on each. If you're using 
pfSense's multi-WAN feature with equal weights, I recommend placing the 
same traffic policies on all three lines.


However, bundling the three DSL connections together this way won't 
produce the results you expect; pfSense doesn't magically bond uplinks 
and downlinks together - no standard router or firewall really can do a 
good job of that.  pfSense does a decent job of load-balancing, but the 
end results are imperfect and do not magically reflect a 3x increase in 
usable bandwidth.


Make sure you read https://doc.pfsense.org/index.php/Multi-WAN_2.0 ; you 
might want to buy the pfSense book, it's included in the $99 Gold 
subscription from Electric Sheep Fencing (see 
https://portal.pfsense.org/subscribe-for-access.php).


You might want to have a look at Mushroom's Truffle router.  Yes, I'm 
serious, that's the real name of the product.  It might be useful to 
you, or it might not.  Latency from Bolivia might suck if you use their 
cloud service on the far end; you might still have to find somewhere to 
host the server side to get the most out of the bonding mode they offer.


Good luck, feel free to ask for clarification here if needed.

--
-Adam Thompson
 athom...@athompso.net



Re: [pfSense] pfsense - pfsense vlans and trunking without the aid of switches

2013-12-30 Thread Adam Thompson

On 13-12-30 11:09 AM, John Wells wrote:

> Thanks Adam.
>
> But I shouldn't have to reduce the MTU across the entire network,
> since I'm really only using the VLAN tagging on ports which exist
> within the pfsense box, correct? For example, in my diagram, packets
> which reach LAN switch A and B won't be tagged...at least, I don't
> think they will be...what I think *should* happen is that the tagging
> will get added and stripped at the nics which exist in the pfsense boxes.
>
> Additionally, I have two quad port cards, one newer (which I'm not
> 100% certain supports the additional bytes added by vlans but am
> hoping to find out) and one older. You seem to imply I only need one
> port on the newer card to support the inter-pfsense link, but as far
> as I can tell I'd need it on both pfsense boxes (one port per box) to
> do what I'm trying to do, since the different networks exist at each
> end of the trunk, correct?




Umm... yes, I think.  I've deleted the message that contained the link 
to your diagram, so I'm going by memory now.


From what I recall, in your network, only two ethernet NICs need to be 
able to fully support VLAN tagging in hardware: the trunk port on each 
pfSense box that connects to its peer.  So, yes, use one port on each 
quad-port NIC (one per pfSense machine) as the 802.1q-tagged, trunking, 
inter-pfSense-instance link.


The ports connecting to the non-VLAN-aware switches do not need to 
support VLAN tagging in hardware, as they will not be transmitting or 
receiving any VLAN-tagged frames at all.


--
-Adam Thompson
 athom...@athompso.net



Re: [pfSense] Problems with Realtek 8168/8111 nic

2013-12-09 Thread Adam Thompson

On 13-12-09 06:47 PM, Adrian Zaugg wrote:

> The only suspicious thing I see on the failing box are some of such
> messages:
>    kernel: pid 37699 (php), uid 0: exited on signal 11 (core dumped)
> They are not in an obvious relation to an ethernet event.


Spurious signal 11 (SEGV) messages tend to indicate faulty hardware, in 
my experience.

Most typically, bad or marginal RAM.
That can in turn be caused by bad or marginal power - both the PSU and 
the circuitry on the motherboard.
Although this may sound bizarre, check your motherboard(s) for bulging 
or leaking capacitors.
It's entirely possible that the increased power draw as both CPU and 
Ethernet interface start to get busier is enough to cause a transient 
error.  I've seen many motherboards with bad capacitors that work fine at 
idle and fail under load due to increased power draw.


Of course, this may not be your problem at all, but it's worth 
eliminating.  Remember that when it comes to failing components, 
replacing a suspect piece of hardware with an identical piece of 
hardware of roughly the same age (e.g. you have a spare in storage) does 
NOT prove anything - particularly with faulty capacitors, hardware can 
develop faults while sitting in a box on a shelf.


--
-Adam Thompson
 athom...@athompso.net


