Re: [pfSense] Rebuilding confidence
On 13 May 2018, at 15:48, Eero Volotinen wrote:

> You can replace your apple timemachine with unifi aps.
> https://www.ubnt.com/unifi/unifi-ap/

I second the recommendation of the UniFi access points. They are excellent.

While I advocate strongly for pfSense, Ubiquiti also offers a "security gateway" product that might be worth looking into for your IoT needs.

--cro

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
[pfSense] Tinc?
I see that Tinc is no longer present in pfSense 2.3. What would it take to take over maintainership of that package? We use it extensively at work.

--cro
Re: [pfSense] Slow speed on 100Base TX full duplex.
First I would switch the interfaces to see if em1 delivers the same low performance as em0 when used as WAN. If that doesn't work, try installing new interfaces.

You mentioned earlier that the colo told you to lock the WAN interface at 100Mb/full-duplex. Our ISP was doing the same thing for a while. Autonegotiate used to be unreliable, especially when 10Mbit interfaces were common.

Currently I am skeptical that the problem is on your end. Your error rate is not that high. Is your customer absolutely sure the colo didn't throttle their bandwidth? Also, is the colo sure they know which switch port goes to your customer? On my last go-around with our ISP they kept changing the settings on the wrong switch port on their end.

--cro

> On Jan 11, 2016, at 06:46, Muhammad Yousuf Khan wrote:
>
> em0@pci0:4:0:0: class=0x02 card=0x15d9 chip=0x10968086 rev=0x01 hdr=0x00
>     class = network
>     subclass = ethernet
> em1@pci0:4:0:1: class=0x02 card=0x15d9 chip=0x10968086 rev=0x01 hdr=0x00
>     class = network
>     subclass = ethernet
>
> We had a switch in b/w pfSense and the colo uplink. We even removed that switch and directly plugged the cable into the pfSense interface, but are still getting the same low bandwidth.
>
> Is it a good idea to install two new interfaces of 100Mbps and set them to Auto instead of making it static 100Base TX full duplex out of Gig interfaces?
>
> Any help will be highly appreciated.
>
> Thanks,
> Yousuf
>
>> On Mon, Jan 11, 2016 at 6:03 PM, C. R. Oldham wrote:
>>
>> Re: pkg_add, try just 'pkg install' instead.
>>
>> Like Juan said, did you get them to try a different cable? Those errors are indicative of a bad Ethernet cable.
>>
>> Also, if the Ethernet chipset is a Realtek, there is a bug in the FreeBSD driver that affects auto negotiation with some switch hardware.
>>
>> --cro
>>
>>> On Jan 11, 2016, at 05:40, Muhammad Yousuf Khan wrote:
>>>
>>> Here you go, yes there are errors in the interfaces. I cannot get more detail as I cannot run the command pkg_add; it is saying "command not found". However I know it's a server board and it has two builtin LAN ports. 1 I am using for WAN and 1 for LAN.
>>> Here are the CPU details.
>>>
>>> Intel(R) Xeon(R) CPU E5440 @ 2.83GHz
>>> 8 CPUs: 2 package(s) x 4 core(s)
>>>
>>> Any guide will be highly appreciated.
>>>
>>> WAN interface (wan, em0)
>>>   Status: up
>>>   MAC address: x
>>>   IPv4 address: xx
>>>   Subnet mask:
>>>   Gateway IPv4: xx
>>>   IPv6 Link Local: xxx
>>>   ISP DNS servers: xxx
>>>   MTU: 1500
>>>   Media: 100baseTX
>>>   In/out packets: 3709795/2014620 (3.06 GB/551.84 MB)
>>>   In/out packets (pass): 3709795/2014620 (3.06 GB/551.84 MB)
>>>   In/out packets (block): 90881/1 (6.59 MB/52 bytes)
>>>   In/out errors: 665/0
>>>   Collisions: 0
>>>
>>> LAN interface (lan, em1)
>>>   Status: up
>>>   MAC address: xx
>>>   IPv4 address:
>>>   Subnet mask:
>>>   IPv6 Link Local: xxx
>>>   MTU: 1500
>>>   Media: 100baseTX
>>>   In/out packets: 1071425/2719703 (439.25 MB/2.78 GB)
>>>   In/out packets (pass): 1071425/2719703 (439.25 MB/2.78 GB)
>>>   In/out packets (block): 2040/0 (174 KB/0 bytes)
>>>   In/out errors: 2140/0
>>>   Collisions: 0
>>>
>>> On Mon, Jan 11, 2016 at 2:16 PM, Juan Pablo wrote:
>>>
>>>> Hey, yes usually you should set 10/100/g to see when the link state changes; also if the auto protocol is not working or if the cable goes bad it is easier to troubleshoot. Have seen this on co-los worldwide. In any case, setting 10/100 etc shouldn't affect the bandwidth. So the question here is: which NIC are you using? Is it supported?
>>>> Do you see any network issue/CRC issue, alert/errors, or something on the logs? Via the web interface check if there are any errors on the interface counters.
>>>> Also: check with ifconfig 'interface name' for CRC errors and the advertised speeds; paste here the full output of the problematic interface.
>>>>
>>>> Let us know how it goes.
>>>>
>>>> 2016-01-11 3:23 GMT-03:00 Muhammad Yousuf Khan:
>>>>
>>>>> I am remotely supporting one of my clients who is using pfsense. i have
>>>>> been usin
Re: [pfSense] Slow speed on 100Base TX full duplex.
Re: pkg_add, try just 'pkg install' instead.

Like Juan said, did you get them to try a different cable? Those errors are indicative of a bad Ethernet cable.

Also, if the Ethernet chipset is a Realtek, there is a bug in the FreeBSD driver that affects auto negotiation with some switch hardware.

--cro

> On Jan 11, 2016, at 05:40, Muhammad Yousuf Khan wrote:
>
> Here you go, yes there are errors in the interfaces. I cannot get more detail as I cannot run the command pkg_add; it is saying "command not found". However I know it's a server board and it has two builtin LAN ports. 1 I am using for WAN and 1 for LAN.
> Here are the CPU details.
>
> Intel(R) Xeon(R) CPU E5440 @ 2.83GHz
> 8 CPUs: 2 package(s) x 4 core(s)
>
> Any guide will be highly appreciated.
>
> WAN interface (wan, em0)
>   Status: up
>   MAC address: x
>   IPv4 address: xx
>   Subnet mask:
>   Gateway IPv4: xx
>   IPv6 Link Local: xxx
>   ISP DNS servers: xxx
>   MTU: 1500
>   Media: 100baseTX
>   In/out packets: 3709795/2014620 (3.06 GB/551.84 MB)
>   In/out packets (pass): 3709795/2014620 (3.06 GB/551.84 MB)
>   In/out packets (block): 90881/1 (6.59 MB/52 bytes)
>   In/out errors: 665/0
>   Collisions: 0
>
> LAN interface (lan, em1)
>   Status: up
>   MAC address: xx
>   IPv4 address:
>   Subnet mask:
>   IPv6 Link Local: xxx
>   MTU: 1500
>   Media: 100baseTX
>   In/out packets: 1071425/2719703 (439.25 MB/2.78 GB)
>   In/out packets (pass): 1071425/2719703 (439.25 MB/2.78 GB)
>   In/out packets (block): 2040/0 (174 KB/0 bytes)
>   In/out errors: 2140/0
>   Collisions: 0
>
> On Mon, Jan 11, 2016 at 2:16 PM, Juan Pablo wrote:
>
>> Hey, yes usually you should set 10/100/g to see when the link state changes; also if the auto protocol is not working or if the cable goes bad it is easier to troubleshoot. Have seen this on co-los worldwide. In any case, setting 10/100 etc shouldn't affect the bandwidth. So the question here is: which NIC are you using? Is it supported?
>> Do you see any network issue/CRC issue, alert/errors, or something on the logs? Via the web interface check if there are any errors on the interface counters.
>> Also: check with ifconfig 'interface name' for CRC errors and the advertised speeds; paste here the full output of the problematic interface.
>>
>> Let us know how it goes.
>>
>> 2016-01-11 3:23 GMT-03:00 Muhammad Yousuf Khan:
>>
>>> I am remotely supporting one of my clients who is using pfsense. I have been using pfsense for years and never faced such an issue in this experience. The client's co-location is recommending to use the 100BaseTX full duplex setting instead of Auto. I do not know why they require that, since I am not in the US; I never observed these settings recommended by colo people in my country.
>>>
>>>                                      --Server 1
>>>                                     /
>>>   colo switch>[WAN]pfsense[LAN]--+
>>>                                     \
>>>                                      -Server 2
>>>
>>> - iperf speed test for LAN, between is 50Mbps up and down
>>> - but iperf test on WAN showing 10Mbps down and 5Mbps up.
>>> - however my client is saying that assigned speed from colo is 100Mbps.
>>>
>>> Now I cannot find where the issue is. I suspect that the issue is with the 100BaseTX setting.
>>>
>>> Can anyone please guide me where I am doing wrong and what I can do to fix this?
>>> Any help will be highly appreciated.
>>>
>>> Thanks,
>>> Yousuf
Re: [pfSense] DHCP/Local DNS ping host name
On Sat, Dec 12, 2015 at 8:29 AM, Ryan Coleman wrote:

> I’m totally having a brain fart weekend on this… but there’s a way (or so I think) to link the DNS and DHCP hostnames… How do I do that?

Services->DNS Resolver, DHCP Registration and Static DHCP checkboxes.
Re: [pfSense] HAproxy question
On Sat, Dec 12, 2015 at 7:38 AM, Kostas Backas wrote:

> Do you have Snort in your setup? I've seen IPS causing this behavior.

Good suggestion. We don't have it installed however.
Re: [pfSense] HAproxy question
Thanks Chris and Ivo for your responses. I was unaware that our topology for the network was a little unusual, and in fact there is another service outside the firewall listening on the IP I wanted to use. This (unsurprisingly) was making anything trying to use that IP very unreliable.

--cro

On Sat, Dec 12, 2015 at 5:38 AM, Ivo Tonev wrote:

> Run "netstat -anl | grep LISTEN | grep 443" (for tcp) to verify on which port/ip haproxy and openvpn are running. OpenVPN doesn't listen on VIP.
>
> On 12/12/2015 10:31, "C. R. Oldham" wrote:
>
>> Actually I think I characterized this problem the wrong way.
>>
>> It appears that neither haproxy nor nginx (when used as a proxy) are reliable on our pfSense firewall. They will work for a while, then they stop passing traffic for a while, then they work awhile. Restarting them doesn't make them responsive immediately. I am at a loss to explain this. I've confirmed there are no other processes listening on port 443 on any IP (virtual or physical). If anyone has ideas I'd love to hear them.
>>
>> --cro
>>
>> On Fri, Dec 11, 2015 at 8:14 AM, C. R. Oldham wrote:
>>
>>> Greetings,
>>>
>>> We've recently replaced both our routers with pfSense. I am using tinc for site-to-site VPN and OpenVPN for clients to connect.
>>>
>>> Since some of our support engineers often end up onsite with customers, I want to enable OpenVPN over TCP port 443--we've noticed that many of our customers block outbound UDP, but using the https port works fine.
>>>
>>> However, we also have haproxy on our firewall proxying for some web applications on port 443, but on a different virtual IP from OpenVPN. If I enable OpenVPN on the TCP port, haproxy stops working, even though they are listening on different IPs.
>>>
>>> I have appropriate firewall rules for both virtual IPs in place.
>>>
>>> Can anyone shed some insight on how I can fix this?
>>>
>>> Thanks.
>>>
>>> --cro
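The listener check Ivo suggests is quick to eyeball for two processes, but the failure mode in this thread (two services on port 443 that are supposed to be on different virtual IPs) is exactly the case where a wildcard bind silently overlaps a VIP-specific one. The following is an added example, not code from the thread or from pfSense: it parses listener lines in the column layout of FreeBSD's `sockstat -4 -l` (pfSense is FreeBSD-based; the netstat command quoted above shows the same sockets without the process name) and reports every pair of different processes on the same port whose local addresses overlap. The sample lines and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the column layout of FreeBSD's `sockstat -4 -l`
# (USER COMMAND PID FD PROTO LOCAL_ADDRESS FOREIGN_ADDRESS). The addresses
# are documentation-range placeholders, not the thread's real VIPs.
SAMPLE = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     openvpn    1534  6  tcp4   203.0.113.10:443      *:*
root     haproxy    2211  5  tcp4   *:443                 *:*
root     nginx      2300  7  tcp4   203.0.113.11:443      *:*
root     sshd       901   4  tcp4   *:22                  *:*
root     unbound    1100  3  udp4   *:53                  *:*
"""

# Seven whitespace-separated columns; the header line has nine and is skipped.
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_listeners(text):
    """Return (command, pid, proto, local_addr, port) for each listener line."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(1) == "USER":
            continue
        _user, cmd, pid, _fd, proto, local, _foreign = m.groups()
        addr, _, port = local.rpartition(":")  # "*:443" -> ("*", "443")
        out.append((cmd, int(pid), proto, addr, int(port)))
    return out


def overlaps(a, b):
    """Two local binds collide when equal or when either side is the wildcard."""
    return a == b or a == "*" or b == "*"


def find_conflicts(listeners):
    """Group by (proto, port) and report pairs of distinct PIDs whose binds overlap."""
    by_port = defaultdict(list)
    for entry in listeners:
        by_port[(entry[2], entry[4])].append(entry)
    conflicts = []
    for (proto, port), group in sorted(by_port.items()):
        for i in range(len(group)):
            for j in range(i + 1, len(group)):
                a, b = group[i], group[j]
                if a[1] != b[1] and overlaps(a[3], b[3]):
                    conflicts.append((proto, port, a[0], a[3], b[0], b[3]))
    return conflicts


if __name__ == "__main__":
    for c in find_conflicts(parse_listeners(SAMPLE)):
        print("%s/%d: %s on %s overlaps %s on %s" % c)
```

On the sample, haproxy's `*:443` bind is reported against both VIP-specific listeners, which is the pattern to look for before assuming the services really are isolated by address.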
Re: [pfSense] HAproxy question
Actually I think I characterized this problem the wrong way.

It appears that neither haproxy nor nginx (when used as a proxy) are reliable on our pfSense firewall. They will work for a while, then they stop passing traffic for a while, then they work awhile. Restarting them doesn't make them responsive immediately. I am at a loss to explain this. I've confirmed there are no other processes listening on port 443 on any IP (virtual or physical). If anyone has ideas I'd love to hear them.

--cro

On Fri, Dec 11, 2015 at 8:14 AM, C. R. Oldham wrote:

> Greetings,
>
> We've recently replaced both our routers with pfSense. I am using tinc for site-to-site VPN and OpenVPN for clients to connect.
>
> Since some of our support engineers often end up onsite with customers, I want to enable OpenVPN over TCP port 443--we've noticed that many of our customers block outbound UDP, but using the https port works fine.
>
> However, we also have haproxy on our firewall proxying for some web applications on port 443, but on a different virtual IP from OpenVPN. If I enable OpenVPN on the TCP port, haproxy stops working, even though they are listening on different IPs.
>
> I have appropriate firewall rules for both virtual IPs in place.
>
> Can anyone shed some insight on how I can fix this?
>
> Thanks.
>
> --cro
[pfSense] HAproxy question
Greetings,

We've recently replaced both our routers with pfSense. I am using tinc for site-to-site VPN and OpenVPN for clients to connect.

Since some of our support engineers often end up onsite with customers, I want to enable OpenVPN over TCP port 443--we've noticed that many of our customers block outbound UDP, but using the https port works fine.

However, we also have haproxy on our firewall proxying for some web applications on port 443, but on a different virtual IP from OpenVPN. If I enable OpenVPN on the TCP port, haproxy stops working, even though they are listening on different IPs.

I have appropriate firewall rules for both virtual IPs in place.

Can anyone shed some insight on how I can fix this?

Thanks.

--cro
Re: [pfSense] VPN client
Yes, it can do site-to-site VPN as well as be a server for remote clients.

--cro

On Tue, Dec 8, 2015 at 10:15 PM, Ted Byers wrote:

> Is it possible to use pfsense as a client, replacing a Checkpoint UTM-1 Edge W with AES256? You see, I have one of these Checkpoint routers that has failed, and it had been used as a client to a VPN. I know I can use pfsense to provide VPN access to machines behind it. I have done this, and use OpenVPN to connect to the machines protected by pfsense.
>
> I suppose I could use OpenVPN as the client, and will investigate that. But I need to know if pfsense can function as both a server and as a client (for the unrelated purpose of configuring clusters of LANs each of which is protected by pfsense, so that regardless of which LAN fails, the others in the cluster can take over operation of the VPN connecting them all).
>
> Thanks
>
> Ted
>
> --
> R.E.(Ted) Byers, Ph.D.,Ed.D.
Re: [pfSense] Help with provider assigning multiple IP addresses over PPPoE
On Sat, Nov 14, 2015 at 9:14 PM, Chris Bagnall wrote:

> On 14 Nov 2015, at 20:19, C. R. Oldham wrote:
>> My ISP provides access over PPPoE and has given me 2 static IPs via the [...]
>> I cannot figure out how to make pfSense expose the xxx.yyy.149.218 address [...]
>
> The ‘easiest’ way of getting use out of the other address is to go to Virtual IPs and add it there, with type Proxy ARP.

I apologize for not following up sooner. This was indeed the solution. Thanks to everyone that replied. I thought this might be the case; some of the options on the Virtual IP Edit page were confusing me (Virtual IP Password, VHID group password, VHID Group, Advertising Frequency). I didn't realize they were optional.
[pfSense] Help with provider assigning multiple IP addresses over PPPoE
Greetings,

My ISP provides access over PPPoE and has given me 2 static IPs via the following configuration (public IPs sanitized):

Subnet Report
--
Subnet Size: 4
Usable IP addresses: xxx.yyy.149.218
Gateway address: xxx.yyy.149.217
Subnet mask: 255.255.255.252
CIDR number: /30
Broadcast address: xxx.yyy.149.219
Network address: xxx.yyy.149.216

When I login to pfsense on the console I see

  *** Welcome to pfSense 2.2.5-RELEASE-pfSense (amd64) on pfSense ***

   WAN (wan)  -> pppoe0  -> v4/PPPoE: xxx.yyy.149.217/32
   LAN (lan)  -> em1     -> v4: 172.23.23.1/24

I cannot figure out how to make pfSense expose the xxx.yyy.149.218 address to the public Internet. I don't have any trouble adding NAT rules that forward the .217 through to my internal network.

Can someone give me a clue? Exhaustive search of the mailing lists & pfSense handbook reveals similar requests, but nothing that really addresses (ha ha) this issue, unless I missed it.

Thank you.

--cro