Re: [pfSense] best ipsec cipher for aes-ni on sg-8860

2017-12-09 Thread Erik Anderson
On Sat, Dec 9, 2017 at 2:56 PM, Chris L  wrote:
> AES-GCM with all hashes disabled in the ESP/Phase 2.

I'm curious why you recommend this. I'm not being contrary, just
curious. I've always had hashing enabled for both P1 and P2s. Is this
something unique to AES-GCM?

-ea
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
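The question of why a separate hash can be disabled alongside AES-GCM comes down to GCM being an AEAD mode: the cipher produces the integrity tag itself, so an additional ESP authentication algorithm would only duplicate that work. The Go program below is an added illustration written for this archive, not code from the thread, from pfSense or from strongSwan; the key, nonce and header bytes are constructed stand-ins for the values a real security association would carry. It seals a payload with AES-256-GCM, shows that the only integrity overhead is the 16-byte tag, and shows that any change to ciphertext, tag or authenticated header is rejected before plaintext is released.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// Constructed demo material (not real SA parameters). A real IPsec SA derives
// its key from the IKE exchange and builds each packet's 12-byte nonce from a
// salt plus a per-packet IV; a nonce must never repeat under the same key.
var (
	DemoKey   = []byte("0123456789abcdef0123456789abcdef") // 32 bytes -> AES-256
	DemoNonce = []byte("unique-nonce")                     // 12 bytes
	DemoAAD   = []byte("spi=0x1234 seq=1")                 // stands in for the ESP header
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts and authenticates in one pass: the output is the ciphertext
// followed by the 16-byte GCM tag. The header (AAD) is authenticated but not
// encrypted, which is the role the ESP header plays.
func Seal(key, nonce, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(nonce) != gcm.NonceSize() {
		return nil, errors.New("nonce must be 12 bytes")
	}
	return gcm.Seal(nil, nonce, plaintext, aad), nil
}

// Open verifies the tag before returning any plaintext; a modification of
// ciphertext, tag or header makes it fail closed with an error.
func Open(key, nonce, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(nonce) != gcm.NonceSize() {
		return nil, errors.New("nonce must be 12 bytes")
	}
	return gcm.Open(nil, nonce, sealed, aad)
}

// TagOverhead reports how many bytes GCM adds per packet: that tag is the
// integrity protection a separate HMAC would otherwise have to supply.
func TagOverhead(key []byte) (int, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return 0, err
	}
	return gcm.Overhead(), nil
}

func main() {
	payload := []byte("ESP payload")
	sealed, err := Seal(DemoKey, DemoNonce, payload, DemoAAD)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d bytes (%d of them tag)\n", len(sealed), len(sealed)-len(payload))

	if pt, err := Open(DemoKey, DemoNonce, sealed, DemoAAD); err == nil {
		fmt.Printf("intact packet opened: %q\n", pt)
	}

	// Flip one ciphertext bit: the tag no longer verifies and nothing is returned.
	tampered := append([]byte(nil), sealed...)
	tampered[0] ^= 0x01
	if _, err := Open(DemoKey, DemoNonce, tampered, DemoAAD); err != nil {
		fmt.Println("tampered packet rejected:", err)
	}
}
```

The design point is that `Open` returns either the whole verified plaintext or an error, never unverified bytes, which is the same property ESP gets from a GCM transform without an extra hash; the equivalent with a non-AEAD cipher such as AES-CBC still needs the separate integrity algorithm.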


Re: [pfSense] How To install MySQL on Pfsense 2.4

2017-05-15 Thread Erik Anderson
pfSense is a purpose-built router distribution, not a general-purpose
OS. While it may be possible to do what you propose, you *should not*
do this. Instead, if you require a database server, host it on a
separate machine.

On Mon, May 15, 2017 at 11:27 PM, mohsen Abbaspour
 wrote:
> Hello  everyone
> English is not my first language , excuse me for mistakes
>
> I know that this is a repetitive questioning   " How  to install Mysql  on
> pfsense ?"
>
> But , I searched  almost  topic about that , and finally I dont understand
> what is correct solution ? maybe  install Mysql on pfsense 2.4 ?? if the
> answer is yes  so How to do that ?  if  the answer is no   what is
> alternative  solution ??
>
> integration  freeradius and  mysql is my reason for  Mysql installation
>  ,  I  want to grouped my internet  user and   have separated   group
> So tnx
>
>
> --
>
>
>
>
> Check out my professional profile and connect with me on LinkedIn.
> http://lnkd.in/RqFEqH


Re: [pfSense] What am I doing wrong? <10mbit through SG-1000

2017-02-09 Thread Erik Anderson
On Tue, Feb 7, 2017 at 11:59 PM, Øyvind 'bolt' Hvidsten  wrote:
> I have an SG-1000 on which I experience very low throughput.

You're not the only one.

I received my SG-1000 in mid December and have been going back and
forth with Netgate support since then, trying to troubleshoot the poor
performance I've been experiencing. To be fair, the Netgate support
team has been very responsive and engaged in the process, but as of
the most recent snapshot, I'm still seeing very poor performance vs.
the SG-2220 (temporarily borrowed from my employer) I'd been using.

I have a 50/5 internet connection, and I can reliably see those speeds
with the SG-2220. With the SG-1k, I'm lucky if I can hit 15Mbit down
reliably, and this is with the bare-bones, factory default config.
Additionally, the SG-1000 seems to remain in a very high-latency state
for some time following speed tests. I'll have (for instance) ~8ms
latency to my ISP's default gateway before a speed test, and then
during the speed test and for some 10 minutes after the test, latency
will spike into the hundreds of ms.

At this point, I've thrown in the towel, and have requested that I
return the SG-1k for credit towards the purchase of an SG-2220.
Support requested that, as a last troubleshooting step, I grant
them remote access to my SG-1k so they can perform some more thorough
real-time troubleshooting and testing. I'll be setting this up with
them this week, and if they're not able to resolve it, I'll be
returning the SG-1000.

I was very hopeful for this device, but at least at this stage of its
maturity, there appear to still be significant issues to overcome.

-Erik

Re: [pfSense] pfSense on EC2 & IPsec

2016-10-24 Thread Erik Anderson
Well, as it happens, I resolved this within 60 seconds of hitting send. :)

On the side behind NAT, I needed to change my identifier to "IP Address"
instead of "My IP Address" and list the public IP of the instance.
At that point, everything came up as expected.

-Erik


On Mon, Oct 24, 2016 at 8:55 PM, Erik Anderson <erike...@gmail.com> wrote:
> Hello -
>
> I recently deployed the Netgate pfSense appliance into an AWS VPC. Due
> to how AWS handles their networking, all traffic to/from servers there
> to the public internet transit a 1:1 NAT. So the IP address that is on
> my pfSense router's WAN interface differs from its true public IP.
>
> I should note that I have pfSense on both sides - 2.3_RELEASE on the
> non-AWS side and 2.3.2_RELEASE inside AWS.
>
> As I expected when setting out to do this, I ran into some IPsec
> related issues when trying to bring up a tunnel. I've set up tunnels
> dozens of times between pfsense and other IPsec stacks without issue -
> this is the first time I've been stumped, and I'm certain it has
> something to do with the fact that the traffic transits a NAT on the
> way to the pfsense WAN interface.
>
> When I try and bring up the tunnel, I see these logs on the non-AWS end:
>
> http://hastebin.com/uyodoqubem.css
>
> ...and these on the AWS pfsense:
>
> http://hastebin.com/dinogaliyi.vbs
>
> Any ideas what could be going wrong here?
>
> This log message "found 1 matching config, but none allows pre-shared
> key authentication using Main Mode" seems like a red herring, as I've
> been through the P1 configs on both sides many times to make sure that
> parameters match.
>
> Thanks all -
> Erik


[pfSense] pfSense on EC2 & IPsec

2016-10-24 Thread Erik Anderson
Hello -

I recently deployed the Netgate pfSense appliance into an AWS VPC. Due
to how AWS handles their networking, all traffic to/from servers there
to the public internet transit a 1:1 NAT. So the IP address that is on
my pfSense router's WAN interface differs from its true public IP.

I should note that I have pfSense on both sides - 2.3_RELEASE on the
non-AWS side and 2.3.2_RELEASE inside AWS.

As I expected when setting out to do this, I ran into some IPsec
related issues when trying to bring up a tunnel. I've set up tunnels
dozens of times between pfsense and other IPsec stacks without issue -
this is the first time I've been stumped, and I'm certain it has
something to do with the fact that the traffic transits a NAT on the
way to the pfsense WAN interface.

When I try and bring up the tunnel, I see these logs on the non-AWS end:

http://hastebin.com/uyodoqubem.css

...and these on the AWS pfsense:

http://hastebin.com/dinogaliyi.vbs

Any ideas what could be going wrong here?

This log message "found 1 matching config, but none allows pre-shared
key authentication using Main Mode" seems like a red herring, as I've
been through the P1 configs on both sides many times to make sure that
parameters match.

Thanks all -
Erik


Re: [pfSense] client VPN on IOS

2015-09-17 Thread Erik Anderson
On Thu, Sep 17, 2015 at 2:15 PM, Usama Ahmad  wrote:
> Just a heads up Openvpn TLS Authentication does not work with iOS.

What makes you say that? We've been using it successfully for years.

Just for kicks, I just now tested it on iOS 9, and that works fine as well.


Re: [pfSense] client VPN on IOS

2015-09-15 Thread Erik Anderson
On Tue, Sep 15, 2015 at 12:49 PM, WebDawg  wrote:
> It does not require a jailbreak anymore?  Interesting.

Nope, not for several years.


Re: [pfSense] domain override: multiple IPs?

2015-09-15 Thread Erik Anderson
On Mon, Sep 14, 2015 at 11:41 PM, Chris Buechler  wrote:
> Add the same domain multiple times.

Haha, I should have known.

Thanks Chris.


[pfSense] domain override: multiple IPs?

2015-09-14 Thread Erik Anderson
Hello all -

We're running 2.2.4.

We have a domain override in our DNS Forwarder for our Active
Directory domain. Is there any way to provide multiple IP addresses
for this override? For obvious reasons, I'd like to provide both of
our domain controller IPs.

Thank you!
-Erik


[pfSense] Using pfSense with an external proxy appliance

2015-09-03 Thread Erik Anderson
Hello,

Shortly I'm going to need to deal with a situation I've never had to
sort out before - using pfSense to redirect outbound HTTP(S) from
clients to an iPrism proxy/filter appliance.

We're running pfsense v2.2.4.

Is this possible to do with pfSense in a transparent manner? Or will I
be forced to reconfigure each client to go through the proxy?

I've had a search through the forum and mailing list archives, and
haven't seen anything on this topic.

Thank you!
Erik


Re: [pfSense] GUI performance on an ALIX 2d3

2015-08-13 Thread Erik Anderson
On Thu, Aug 13, 2015 at 4:50 PM, Rainer Duffner rai...@ultra-secure.de wrote:
> How much RAM does it have?

The 2d3 has 256MB.


[pfSense] GUI performance on an ALIX 2d3

2015-08-13 Thread Erik Anderson
Hello all -

I've been running pfSense on my ALIX 2d3 happily for many years now.
For the most part, it still does its job well. However, with most
recent release, any changes made in the GUI take a *long* time to
commit. By long I mean ~2 minutes. That's how long it takes from
clicking Save to the screen refresh and the Apply changes button
showing up.

Is this slow GUI performance to be expected? Was there some change in
v2.2.4 that would have caused this?

I realize that the 2d3 board is getting quite long in the tooth, so
perhaps this is just something I need to deal with until I finally
cave in and purchase an SG-2220.

Thank you!
-Erik


Re: [pfSense] Small form factor pfsense box

2015-08-11 Thread Erik Anderson
Jim, is the SG-2220 still targeted for an Aug 31st ship date?



On Mon, Aug 3, 2015 at 4:57 AM, Jim Thompson j...@netgate.com wrote:
> Thank you.
>
> These:
>
> http://store.pfsense.org/SG-2220/
> http://store.netgate.com/mobile/ADI/RCC-DFF-2220.aspx
>
> Seem like just what Cheyanne asked for.
>
> -- Jim
>
> On Aug 3, 2015, at 12:48 AM, Walter Parker walt...@gmail.com wrote:
>
>> The Project sells hardware: http://store.pfsense.org/hardware/
>>
>> I bought small form factor routers from Netgate before and I'm happy.
>> http://store.netgate.com/Routers-C178.aspx
>>
>>
>> Walter
>>
>> On Sun, Aug 2, 2015 at 10:04 PM, Cheyenne Deal deal.cheye...@gmail.com
>> wrote:
>>
>>> Does anyone have any recommendations for a small form factor machine for
>>> pfsense?
>>> I am looking for dual gb interfaces and able to handle at least a 50mb
>>> internet connection



>> --
>> The greatest dangers to liberty lurk in insidious encroachment by men of
>> zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis


[pfSense] checking on DHCP-PD status?

2015-06-29 Thread Erik Anderson
Hello-

I receive an IPv6 delegation via DHCP-PD on my WAN. Is there a simple
way to check what was actually delegated in terms of
network/mask/etc.?

CLI is fine.

I'm running pfsense v2.2.3.

Thanks!
-Erik


Re: [pfSense] WAN Traffic graph double-counting?

2015-04-03 Thread Erik Anderson
On Fri, Apr 3, 2015 at 10:07 AM, Heimir Eidskrem pfse...@smart-mail.net wrote:
> We are seeing the same thing on 2.1.5
> It's a reported bug I believe.

Ahh yes:

https://redmine.pfsense.org/issues/3314


Re: [pfSense] Pfsense 2.2 CPU 100%

2015-03-10 Thread Erik Anderson
What process is consuming your CPU?

On Tue, Mar 10, 2015 at 8:52 AM, Guillaume JULLIEN g.jull...@aquilog.fr
wrote:

> Hello,
>
> Since I upgraded my pfsenses to version 2.2, they more than often display
> 100% cpu load.
> I'm testing an installation on an Alix APU1D.
> no extra addon installed
> only one service defined : DHCP
> only my laptop connected on lan interface
> If I plug WAN interface to my LAN CPU load can be 100% even with no
> particular network traffic.
>
> ?
>
> Any advice ?
>
>
> --
> *Guillaume JULLIEN*
>
> [image: www.aquilog.fr]
>
> Mobile 06 24 68 25 24  Fax 05 57 96 83 58  Mail g.jull...@aquilog.fr
> Web www.aquilog.fr



Re: [pfSense] Soekris 6501-50/SSD upgrade failure

2015-01-27 Thread Erik Anderson
I should note that in addition to the symptoms I mentioned earlier
that followed the 2.2.0 upgrade, there were several messages like this
on the console:

cannot get uid for user 'root'

...and similar. Unfortunately I don't have the full context of those logs.

Thank you-
Erik

On Tue, Jan 27, 2015 at 8:23 PM, Erik Anderson erike...@gmail.com wrote:
> I just attempted a self-upgrade from 2.1.5-RELEASE to 2.2.0-RELEASE on
> a Soekris 6501-50. Storage is a 64GB Sandisk SSD with the full install
> on it (not NanoBSD).
>
> After the upgrade, the router rebooted as expected and then came
> *partially* back up, as in the interfaces were configured and it would
> NAT/route packets, but none of the daemons were started correctly
> (DHCP, DNS Forwarder, SSH, etc.). Even the web configurator was
> throwing 500 errors.
>
> After attaching to the serial console, I noticed php-fpm errors, which
> would explain the web configurator issues, but not the rest of the
> daemons' failure to start.
>
> Next, I decided to do a fresh 2.2 install, so I downloaded the serial
> memstick image, burned it to a usb drive and booted off of it. I ran
> the installation wizard, which appeared to go just fine (no errors).
> Then rebooted, only to find out that the BIOS doesn't recognize the
> internal SSD as a bootable drive. As such, it's just stuck in a reboot
> cycle.
>
> As a last resort, I downloaded the 2.1.5 memstick serial image, burned
> that to a USB drive and ran *that* installer, which proceeded
> normally. I rebooted, just as I did with the 2.2 installer, and this
> time it actually booted as expected, and I was able to successfully
> restore my config backup.
>
> So, I'm back up and running, which is good, but my question is: where
> to go from here? There appears to be some sort of an issue with the
> 2.2 memstick installer, perhaps not installing the bootloader
> correctly, or not setting the active flag on the partition? I'm just
> throwing out possibilities here - I really have no idea why 2.2 failed
> to install correctly.
>
> I'd appreciate any insight on:
> 1) What might have caused the 2.2 installation failures
> 2) How I might proceed with a successful upgrade from 2.1.5 to 2.2.0
>
> Thank you!
> -Erik Anderson


[pfSense] Soekris 6501-50/SSD upgrade failure

2015-01-27 Thread Erik Anderson
I just attempted a self-upgrade from 2.1.5-RELEASE to 2.2.0-RELEASE on
a Soekris 6501-50. Storage is a 64GB Sandisk SSD with the full install
on it (not NanoBSD).

After the upgrade, the router rebooted as expected and then came
*partially* back up, as in the interfaces were configured and it would
NAT/route packets, but none of the daemons were started correctly
(DHCP, DNS Forwarder, SSH, etc.). Even the web configurator was
throwing 500 errors.

After attaching to the serial console, I noticed php-fpm errors, which
would explain the web configurator issues, but not the rest of the
daemons' failure to start.

Next, I decided to do a fresh 2.2 install, so I downloaded the serial
memstick image, burned it to a usb drive and booted off of it. I ran
the installation wizard, which appeared to go just fine (no errors).
Then rebooted, only to find out that the BIOS doesn't recognize the
internal SSD as a bootable drive. As such, it's just stuck in a reboot
cycle.

As a last resort, I downloaded the 2.1.5 memstick serial image, burned
that to a USB drive and ran *that* installer, which proceeded
normally. I rebooted, just as I did with the 2.2 installer, and this
time it actually booted as expected, and I was able to successfully
restore my config backup.

So, I'm back up and running, which is good, but my question is: where
to go from here? There appears to be some sort of an issue with the
2.2 memstick installer, perhaps not installing the bootloader
correctly, or not setting the active flag on the partition? I'm just
throwing out possibilities here - I really have no idea why 2.2 failed
to install correctly.

I'd appreciate any insight on:
1) What might have caused the 2.2 installation failures
2) How I might proceed with a successful upgrade from 2.1.5 to 2.2.0

Thank you!
-Erik Anderson


Re: [pfSense] OpenVPN: Unable to contact daemon error

2015-01-19 Thread Erik Anderson
On Mon, Jan 19, 2015 at 7:46 PM, Chris Buechler c...@pfsense.com wrote:
> OP's issue is likely this one that's fixed in 2.2.
> https://redmine.pfsense.org/issues/3894
> where if an OpenVPN client is delayed trying to do a DNS lookup (or
> potentially other causes, that seemed to be the only replicable one),
> OpenVPN doesn't respond to SIGTERM and would get started a second time
> without stopping the first, which ends up breaking the status display.

Yep, that sounds like it could likely be the cause.

Thanks Chris!


Re: [pfSense] issues registering VoIP phone through pfSense

2015-01-19 Thread Erik Anderson
For some phones, I've found that I need to do the following:

1. Disable automatic outbound NAT & add requisite outbound NAT
mappings for your internal subnets
2. Select Static port in the outbound NAT rule for whatever
subnet your phones are on.

On Mon, Jan 19, 2015 at 8:24 PM, marc matthes marc.matt...@mchsi.com wrote:
> I'm having difficulty getting my home VoIP system to pass SIP through the
> pfSense Firewall. I have added rules both on the LAN and WAN to pass all
> traffic and have also tried port forwarding of 5060-5080 to the Asterisk
> box along with 1 to 2 port forward to the asterisk box. I have NAT
> turned on and to register with proxy enabled but I can't get the phone to
> register.





>
>                                                          WKS
>                                                     192.168.1.137
>                                                           |
>                                                           |
>                  10.0.0.5 |PFsense| 192.168.1.208         |
>   VoIP Phone --|SWITCH|---|       |-------------------|SWITCH|-- VoIP Phone
>   Cisco 7962                                              |   Cisco 7970
>   10.0.0.10                                               |   192.168.1.105
>                                                           |
>                                                    Asterisk Server
>                                                     192.168.1.202
>
> Marc
>

Re: [pfSense] OpenVPN: Unable to contact daemon error

2015-01-19 Thread Erik Anderson
On Mon, Jan 19, 2015 at 3:16 PM, Oliver Hansen oliver.han...@gmail.com wrote:
> A bit of a guess but when I've had an issue with the OpenVPN GUI it was
> something in my OpenVPN Advanced Configuration section that I had added long
> ago and was no longer necessary or conflicting in some way.

Thanks, Oliver. I double-checked that config section, and it's empty.

-Erik


[pfSense] OpenVPN: Unable to contact daemon error

2015-01-19 Thread Erik Anderson
Hello all -

Running 2.1.5-RELEASE on a Soekris net6501-50.

Since the 2.1.4 release, I've seen this error message appear
incessantly on the dashboard:

http://photos.smugmug.com/photos/i-qwQLZCV/0/O/i-qwQLZCV.png

Despite the web GUI being unable to determine OpenVPN status, clients
continue to be able to connect and exchange traffic through OpenVPN
without issue.

If I ssh in, kill the OpenVPN processes and then re-start them from
the web GUI, the error goes away temporarily, but will always return
within 24 hours or so.

As I mentioned, this seemed to start in 2.1.4, and I hoped that it
would be resolved in 2.1.5, but that didn't happen.

Any ideas on how to resolve this?

Thanks!
-Erik


Re: [pfSense] LAN: IPv6 static configuration

2014-10-10 Thread Erik Anderson
On Fri, Oct 10, 2014 at 1:50 AM, Seth Mos seth@dds.nl wrote:
> So check your routing with netstat -r before and after changing and see
> if you lost your default gateway.

Thanks, Seth. As it turned out, my second whack at getting v6 set up
this morning worked perfectly. The only change I can think of is that
I did end up rebooting the router the other day after things locked
up, so perhaps there was some odd state that got cleared with the
reboot.

Thanks for your advice!
-Erik
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] LAN: IPv6 static configuration

2014-10-09 Thread Erik Anderson
Any thoughts on this?

Unfortunately, all of the examples and documentation I can find on
IPv6 configuration with pfSense are geared towards consumer-class
circuits using DHCP-PD, and I've not found anything about proper
static configuration.

Again, I thought this would be simple, but at least during my first
attempt at configuration, I ran into major issues.

Thank you all!
-Erik


On Wed, Oct 8, 2014 at 2:19 PM, Erik Anderson erike...@gmail.com wrote:
> Good afternoon-
>
> This is in regards to pfsense-2.1.4-RELEASE.
>
> This morning my ISP (finally) turned on IPv6 on our circuit. They
> assigned a /126 P2P link for the WAN and are routing a /48 to us. I
> have the WAN interface configured without issue, and am able to ping6
> from the router itself to external addresses.
>
> The problem arose when I added the static IPv6 configuration to my LAN
> interface. I chose an arbitrary /64 subnet for the LAN and assigned an
> IP to the interface. When I applied this configuration, *all* traffic
> to and through the router (both v4 and v6) stopped. I couldn't ping
> the v4 address of the router, etc. I ended up having to attach to the
> serial console and restore a previous config file in order to restore
> connectivity.
>
> My questions are:
>
> 1) How was adding v6 addressing information to the LAN interface able
> to affect v4 traffic?
>
> 2) How can I add static v6 configuration to the LAN interface successfully?
>
> This all seemed like it should be a very simple task, but apparently
> I'm missing something.
>
> Thank you!
> -Erik


Re: [pfSense] upgrade from 1.2.3

2014-10-08 Thread Erik Anderson
On Wed, Oct 8, 2014 at 9:23 AM, Nick Upson n...@telensa.com wrote:
> Thanks for the input everyone, you confirmed my thoughts. I'll build a 2.x
> system on replacement hardware, manually copy the config (unless I can
> restore from the original ?) and swop them over

You should be able to restore the config without issue. The only
manual bits you may need to configure is re-assigning the interfaces.

I recently went through a similar upgrade, and didn't have any issues.


[pfSense] LAN: IPv6 static configuration

2014-10-08 Thread Erik Anderson
Good afternoon-

This is in regards to pfsense-2.1.4-RELEASE.

This morning my ISP (finally) turned on IPv6 on our circuit. They
assigned a /126 P2P link for the WAN and are routing a /48 to us. I
have the WAN interface configured without issue, and am able to ping6
from the router itself to external addresses.

The problem arose when I added the static IPv6 configuration to my LAN
interface. I chose an arbitrary /64 subnet for the LAN and assigned an
IP to the interface. When I applied this configuration, *all* traffic
to and through the router (both v4 and v6) stopped. I couldn't ping
the v4 address of the router, etc. I ended up having to attach to the
serial console and restore a previous config file in order to restore
connectivity.

My questions are:

1) How was adding v6 addressing information to the LAN interface able
to affect v4 traffic?

2) How can I add static v6 configuration to the LAN interface successfully?

This all seemed like it should be a very simple task, but apparently
I'm missing something.

Thank you!
-Erik


Re: [pfSense] Autostart

2014-10-02 Thread Erik Anderson
On Thu, Oct 2, 2014 at 11:35 AM, Brian Caouette bri...@dlois.com wrote:
> Is there a way to autostart on occasions like this when we loose power?

Under your ESXi host's configuration tab, there is a Virtual Machine
Startup/Shutdown section that you can use to set various VMs to start
up automatically on boot.


[pfSense] v2.1.5: OpenVPN + IPv6. Any success?

2014-09-15 Thread Erik Anderson
I recently got IPv6 turned up on my Comcast cable circuit. They're
delegating a /60 to my router. I have successfully configured
interface tracking on the LAN interface and that is working great.

Next, I'd like to get the OpenVPN server configured to enable v6
communication with mobile VPN clients. Has anyone had success with
this? When configuring the LAN interface, it is set to track the WAN
interface, and I can set a prefix ID to provide a unique subnet to LAN
clients. As far as I've seen, there's no equivalent configuration
available for OpenVPN, correct? Sure, I could probably pick an
arbitrary subnet from the block delegated to me and assign IPs from
that to OpenVPN clients, but what happens if my delegated block
changes? Then everything breaks. I'm not certain that Comcast will
always assign the same block.

Is there a graceful way to handle this situation?

Thank you!
-Erik


[pfSense] rc.filter_configure_sync error

2014-08-25 Thread Erik Anderson
Since upgrading to 2.1.4, I've been seeing these alerts quite frequently:

Aug 25 01:19:34 pfsense-01 php: rc.filter_configure_sync: New alert
found: PF was wedged/busy and has been reset.
Aug 25 01:19:34 pfsense-01 php: rc.filter_configure_sync: New alert
found: There were error(s) loading the rules: pfctl: DIOCXCOMMIT:
Device busy - The line in question reads [0]:

Could anyone comment on what would trigger this message? It seems as
if it may be caused by a rules reload, but in my case, this happened
after 1AM, and there was no one working on the pfsense server at that
point. Are there any periodic reloads scheduled via cron or the like?

Thank you!
-Erik


Re: [pfSense] rc.filter_configure_sync error

2014-08-25 Thread Erik Anderson
On Mon, Aug 25, 2014 at 9:16 AM, Vick Khera vi...@khera.org wrote:
> I used to have configuration sync failures regularly when I had vastly
> under-powered servers (ALIX boards). On the modern hardware, I never
> have any issues. I do not recall if I had those same errors as you are
> seeing.

Thanks for the reply, Vick.

This pfsense instance is running on a Soekris 6501, and from the RRD
graphs and my manual monitoring of system utilization, CPU is not the
cause of this.

-Erik


Re: [pfSense] rc.filter_configure_sync error

2014-08-25 Thread Erik Anderson
On Mon, Aug 25, 2014 at 12:30 PM, Sebastian Mannino
sebam2...@outlook.com wrote:
> Hi, I'm new to pfSense and I need help: how can I use a Joomla web page for
> the captive portal? Thanks for all

Hello Sebastian -

When starting a new thread to a mailing list, please do not reply to
an existing message (as you did). This is called thread hijacking,
and is generally considered to be a poor practice, as it messes up
message organization in members' mail user agents.

-Erik

[pfSense] pfctl alerts

2014-08-12 Thread Erik Anderson
Hello all, I've been getting the following errors in my pfsense
(2.1.4-RELEASE) syslog, once a day for the last several days:

Aug 11 15:31:32 pfsense-01.example.com php: rc.filter_configure_sync:
New alert found: PF was wedged/busy and has been reset.
Aug 11 15:31:32 pfsense-01.example.com php: rc.filter_configure_sync:
New alert found: There were error(s) loading the rules: pfctl:
DIOCXCOMMIT: Device busy - The line in question reads [0]:

Any ideas what might be causing this?


Re: [pfSense] Traffic shaper related error

2014-08-05 Thread Erik Anderson
Just giving this a bump.

As it turns out, this error appears any time I build a shaper using
the single-wan, multi-lan wizard. I haven't given any of the other
options a try as they don't apply to my situation, and likewise, I
haven't yet tried manually creating all of the traffic shaper queues,
rules, etc.

Has anyone else seen this and if so, any recommendations for resolution?

-Erik


On Thu, Jul 31, 2014 at 2:08 PM, Erik Anderson erike...@gmail.com wrote:
> v 2.1.4...
>
> I configured a traffic shaper earlier this week (Monday I believe),
> and I just started getting errors on the web UI stating:
>
> [There were error(s) loading the rules: pfctl: DIOCGIFSPEED: Invalid
> argument - The line in question reads [0]: ]
>
> Grepping through my syslog server, the first occurrence of this error
> was at 06:43 this morning (the 31st):
>
> Jul 31 06:43:38 pfsense-01.invenshure.com php:
> rc.filter_configure_sync: New alert found: There were error(s) loading
> the rules: pfctl: DIOCGIFSPEED: Invalid argument - The line in
> question reads [0]:
>
> No config changes would have happened at this point that would trigger
> configuration reload.
>
> Googling around, I found this bug:
>
> https://redmine.pfsense.org/issues/2901
>
> Following the lead of the user that posted this bug (and then
> abandoned it), I removed my shaper and that fixed the problem. That's
> not a viable long-term solution for me, though.
>
> Does anyone have guidance as to what the cause of this bug is?
>
> I'd be glad to provide config snippets if that would be helpful - just
> specify which section(s) of the config would be helpful.
>
> Thank you!
> -Erik


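The thread above relies on grepping a syslog server for the `rc.filter_configure_sync` alert lines that pfSense emits when a filter reload fails. As an added example (not code from the thread or from the pfSense project), the script below parses lines in that format, pulls out the pfctl ioctl name (`DIOCGIFSPEED`, `DIOCXCOMMIT`) and its reason, and reports per-ioctl counts plus the first timestamp each one appeared, which is exactly what the poster had to find by hand. The log lines, hostname and timestamps are constructed to match the format quoted on this page.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the format pfSense writes for
# rc.filter_configure_sync alerts (hostname and timestamps are made up;
# the sshd line is there to show non-alert lines are ignored).
SAMPLE_LOG = """\
Jul 31 06:43:38 pfsense-01.example.com php: rc.filter_configure_sync: New alert found: There were error(s) loading the rules: pfctl: DIOCGIFSPEED: Invalid argument - The line in question reads [0]:
Jul 31 06:45:01 pfsense-01.example.com sshd[1234]: Accepted publickey for admin from 192.168.3.10
Jul 31 07:15:02 pfsense-01.example.com php: rc.filter_configure_sync: New alert found: There were error(s) loading the rules: pfctl: DIOCGIFSPEED: Invalid argument - The line in question reads [0]:
Aug 11 15:31:32 pfsense-01.example.com php: rc.filter_configure_sync: New alert found: PF was wedged/busy and has been reset.
Aug 11 15:31:32 pfsense-01.example.com php: rc.filter_configure_sync: New alert found: There were error(s) loading the rules: pfctl: DIOCXCOMMIT: Device busy - The line in question reads [0]:
"""

# Matches the syslog prefix and the alert text that follows "New alert found:".
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) php: "
    r"rc\.filter_configure_sync: New alert found: (?P<msg>.*)$"
)
# Extracts the pf ioctl name and the errno text that pfctl printed for it.
IOCTL_RE = re.compile(r"pfctl: (?P<ioctl>DIOC[A-Z]+): (?P<reason>[^-]+?) -")


def parse_alerts(text):
    """Return one dict per filter-reload alert line; other lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        entry = {"ts": m["ts"], "host": m["host"], "msg": m["msg"],
                 "ioctl": None, "reason": None}
        im = IOCTL_RE.search(m["msg"])
        if im:
            entry["ioctl"] = im["ioctl"]
            entry["reason"] = im["reason"].strip()
        alerts.append(entry)
    return alerts


def summarize(alerts):
    """Count alerts per ioctl (or 'other') and record the first timestamp each was seen."""
    counts = Counter()
    first_seen = {}
    for a in alerts:
        key = a["ioctl"] or "other"
        counts[key] += 1
        first_seen.setdefault(key, a["ts"])
    return counts, first_seen


if __name__ == "__main__":
    counts, first_seen = summarize(parse_alerts(SAMPLE_LOG))
    for key, n in counts.most_common():
        print(f"{key:14} {n:3}  first seen {first_seen[key]}")
```

Feed it the output of `grep rc.filter_configure_sync` from the syslog server instead of `SAMPLE_LOG` to get the same summary for real logs; the first-seen timestamp is what to line up against the config history to see whether a reload was triggered by a change or by a scheduled reload.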
Re: [pfSense] Traffic shaper related error

2014-08-05 Thread Erik Anderson
On Tue, Aug 5, 2014 at 9:37 AM, Jim Pingle li...@pingle.org wrote:
> Ensure that the correct interfaces are being chosen, especially if you
> have reassigned the traditional WAN/LAN interface roles, since the
> single WAN wizard would assume that the first interface is WAN,
> regardless of what it may have been renamed.

Oh, interesting. In my case, my interfaces look like this:

- em0 (802.1q trunk to LAN subnets)
- em1 (WAN)

Does that mean that I'll need to reverse things when going through the wizard?

Additionally, not sure if this affects anything, but my WAN address is
on a P2P circuit, and my ISP routes a /29 to my WAN IP. I have defined
a VIP (IP Alias) which resides in my /29 subnet, and this is the IP I
use as my main egress IP, so all traffic sourced from my network
gets NATed to this IP. Again, not sure if this applies to the traffic
shaper, but I thought it worth mentioning.

-Erik


[pfSense] issue with routing between LAN subnets

2014-07-24 Thread Erik Anderson
Hello -

This evening I upgraded to 2.1.4 and have noticed an odd issue
communicating between two of my LAN subnets.

For the purposes of this example, I have main-LAN (192.168.3.1/24) and
voice-LAN (192.168.5.1/24).

I have firewall rules in place on the main-LAN interface to permit
traffic to the voice-LAN.

When I ping from my workstation on the main-LAN to a server on the
voice-LAN, I get the following:

https://gist.github.com/anderiv/60bac6fb637192eb8419

That ICMP reply is coming from the default gateway of our WAN
interface. It makes sense that comcast is blocking RFC1918 addresses,
but the question is: why is this traffic being routed out the WAN
instead of to the voice-LAN?

Here's a packet capture, taken on the main-LAN interface:

https://www.cloudshark.org/captures/215fcc948bb7

All of this worked perfectly in the previous version of pfsense we
were at (2.0.1).

Any insights into what may be causing this?

Thank you-
Erik


Re: [pfSense] issue with routing between LAN subnets

2014-07-24 Thread Erik Anderson
Thanks Michael -

I actually got this sorted out, and replied to myself and the list
with the resolution.

Thanks!

On Thu, Jul 24, 2014 at 8:26 PM, Michael Schuh michael.sc...@gmail.com wrote:

> 2014-07-25 2:52 GMT+02:00 Erik Anderson erike...@gmail.com:
>
>> Hello -
>>
>> This evening I upgraded to 2.1.4 and have noticed an odd issue
>> communicating between two of my LAN subnets.
>>
>> For the purposes of this example, I have main-LAN (192.168.3.1/24) and
>> voice-LAN (192.168.5.1/24).
>>
>> I have firewall rules in place on the main-LAN interface to permit
>> traffic to the voice-LAN.
>>
>> When I ping from my workstation on the main-LAN to a server on the
>> voice-LAN, I get the following:
>>
>> https://gist.github.com/anderiv/60bac6fb637192eb8419
>>
>> That ICMP reply is coming from the default gateway of our WAN
>> interface. It makes sense that comcast is blocking RFC1918 addresses,
>> but the question is: why is this traffic being routed out the WAN
>> instead of to the voice-LAN?
>>
>> Here's a packet capture, taken on the main-LAN interface:
>>
>> https://www.cloudshark.org/captures/215fcc948bb7
>>
>> All of this worked perfectly in the previous version of pfsense we
>> were at (2.0.1).
>>
>> Any insights into what may be causing this?
>>
>> Thank you-
>> Erik


> Hi Erik,
>
> I would start with:
>
> Checking the FW-Logs in - System-Logs - there should be an entry then,
> which tells you also which rule blocks and what the incoming interface was.
> Checking the interface configuration - Status Interfaces in the WebUI
> Checking the routing of the pfsense - netstat -nr - either at the console
> or at - Diagnostics - Command blah in the WebUI
> Checking the NAT-Setup of the PfSense
>
> If I remember correctly, for checking the connectivity from the FW-Console,
> one has to pass the source-address and/or the interface to the ping command.
>
> This should bring you more insights and ideas on what is wrong.
>
> If I remember correctly, parts of the interface assignment got changed
> between 2.0.1 and 2.1 or so.
> But I can be mistaken with this.
>
> hth
>
> michael




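Michael's suggestion to check the routing table with `netstat -nr` can be turned into a repeatable check. The following is an added example (not code from this thread or from pfSense): it performs a longest-prefix lookup over a routing table modelled on `netstat -nr` output, and flags any RFC 1918 destination that would leave via the WAN interface, which is the symptom in the original post (pings to the voice-LAN answered by the ISP gateway). The two tables, the interface names (`em0_vlan3`, `em0_vlan5`, `em1`) and the WAN addresses are constructed; `BROKEN_ROUTES` deliberately lacks the connected route for 192.168.5.0/24 so the lookup reproduces the problem, and `FIXED_ROUTES` shows the same lookup once that route is present.

```python
import ipaddress

# Constructed routing table in the spirit of `netstat -nr`: (destination, gateway, interface).
# The connected route for the voice-LAN is missing on purpose.
BROKEN_ROUTES = [
    ("default",        "203.0.113.1", "em1"),        # WAN default gateway (constructed)
    ("203.0.113.0/30", "link#2",      "em1"),        # WAN point-to-point link
    ("192.168.3.0/24", "link#1",      "em0_vlan3"),  # main-LAN
]
# Same table with the voice-LAN connected route restored.
FIXED_ROUTES = BROKEN_ROUTES + [("192.168.5.0/24", "link#1", "em0_vlan5")]

WAN_IF = "em1"
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def lookup(routes, dst):
    """Longest-prefix match for dst; returns (network, gateway, iface) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for dest, gw, iface in routes:
        net = ipaddress.ip_network("0.0.0.0/0" if dest == "default" else dest, strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best


def private_leaks(routes, destinations):
    """Return the RFC 1918 destinations that the table would send out the WAN interface."""
    leaks = []
    for dst in destinations:
        route = lookup(routes, dst)
        addr = ipaddress.ip_address(dst)
        if route is not None and route[2] == WAN_IF and any(addr in n for n in RFC1918):
            leaks.append(dst)
    return leaks


if __name__ == "__main__":
    targets = ["192.168.5.10", "192.168.3.50", "8.8.8.8"]
    for name, table in (("broken", BROKEN_ROUTES), ("fixed", FIXED_ROUTES)):
        for t in targets:
            print(name, t, "->", lookup(table, t))
        print(name, "private destinations leaking to WAN:", private_leaks(table, targets))
```

Parsing the real `netstat -nr` output into the same tuple list is a matter of splitting the Destination, Gateway and Netif columns; the leak check is then a cheap thing to run after any upgrade or interface reassignment, before relying on the ISP to drop the stray private traffic.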

Re: [pfSense] pfsense slowing wan speed

2014-07-05 Thread Erik Anderson
On Sat, Jul 5, 2014 at 9:00 PM, Brian Henson marin...@gmail.com wrote:
> I have a PFsense box on a 50/5 DSL connection and when it's directly
> connected to the modem it drops the speed significantly as compared to a
> wireless router directly connected to the modem.

Do you have a traffic shaper enabled? Have you verified that your
ethernet interfaces are linked up at proper speed/duplex?

-Erik


Re: [pfSense] Embedded 2.0.1 - 2.1.2 upgrade issues

2014-07-03 Thread Erik Anderson
On Thu, Jul 3, 2014 at 4:46 PM, Chris Buechler c...@pfsense.com wrote:
> Yes but if you run out of RAM while booting, much of the OS may be
> left unconfigured or partially configured. If you ran out of RAM while
> the system was already up and running, generally the things that would
> die wouldn't impact the ability of the system to filter and NAT.

That makes a lot of sense.

> The
> most common way to exhaust 256 MB is several active OpenVPN instances,
> which take up much more RAM for a brief period when they initially
> start up than they do under normal operating conditions. Packages the
> other common way.

I have two OpenVPN servers configured, but the only package I have
installed is the OpenVPN client export package.

I ordered a Soekris 6501 today, which has 1GB of RAM. I presume I'll
have a much better experience with that than I've had trying to
squeeze things into 256M.

Thanks for the reply, Chris. I appreciate it. Have a great 4th weekend.

-Erik


Re: [pfSense] Embedded 2.0.1 - 2.1.2 upgrade issues

2014-07-02 Thread Erik Anderson
Hello all -

I'm resurrecting this thread in hopes of getting some advice and/or
clarity on what's going on.

As you can read in my previous email, I attempted an in-place upgrade
from 2.0.1 to 2.1.2, which failed due to it (for some reason) not
NATting packets correctly.

Last night I finally got around to burning a clean 2.1.2 image on a CF
card, installing it, then restoring one of my 2.0.1 backups. After
doing this, I had the *exact* same symptoms as I did after the
in-place upgrade:

- interfaces were configured correctly
- firewall and NAT rules correct
- internet-bound traffic sourced from the pfsense itself worked fine
(pings, DNSmasq, etc.)
- it would not NAT LAN packets out the WAN interface

I saw one anomaly that I doubt has anything to do with this failure,
but I'm not certain, so I'll mention it. This install is on a soekris
net-5501, which only has 256 MB RAM. As such, when pfsense booted, php
was consistently getting killed due to memory contention. I needed to
restart the web configurator from the console. Now, my assumption is
that routing, NAT, firewall, etc. are kernel-level functions and
should not be affected by an out-of-memory condition. Is this correct?

Does anyone have other ideas as to what's going on?

Thank you-
Erik



On Mon, Apr 21, 2014 at 2:23 PM, Erik Anderson erike...@gmail.com wrote:
> I have an embedded (soekris) install running 2.0.1-RELEASE.
>
> This weekend, I attempted an in-place upgrade to 2.1.2-RELEASE. After the
> upgrade, all interfaces appeared to be configured correctly:
>
> - while ssh'ed into pfsense, I could access internet hosts
> - all internal VLAN interfaces were configured correctly, and were
> accessible as expected from their respective VLANs
> - from the main internal LAN, I could access the pfsense LAN interface as
> well as the web configurator
>
> However, it didn't appear to be NATing packets correctly from any of the
> internal interfaces to the WAN. I double-checked and re-applied the NAT and
> firewall rules to no effect.
>
> Any ideas what could have happened? Are there any known issues with an
> in-place 2.0.1 - 2.1.2 upgrade?
>
> Next I'm just going to try to burn a clean 2.1.2 image on a CF card and then
> restore the config file, which I *hope* will be successful.
>
> -Erik


[pfSense] routed subnet question

2014-06-30 Thread Erik Anderson
Hello -

I've been using pfsense for several years on a Comcast business cable
circuit. As many of you have experienced, with this service, Comcast
provides a modem with a 4-port customer-facing L2 switch. The WAN
interface of my pfsense router is connected to this switch. I then
assign the WAN interface one of the IPs from the /29 assigned to us.
The other IPs in that /29 I can then assign as VIPs and use for other
purposes.

Shortly we'll be switching over to Comcast's fiber-based metro
ethernet service. This service is delivered to the premise via fiber,
and Comcast provides a managed switch that we connect to via
copper ethernet. This being closer to a professional-grade service,
they assign a P2P address for our router's WAN interface and then they
route our usable subnet to that address.

I have never used pfsense in this capacity (with a routed subnet)
before. Is my assumption correct that I should just be able to add IPs in
the usable subnet as VIPs and then alter my NAT rules, etc. to use one
of those addresses for egress, use them for port-forwarding, etc.?

Thank you!
-Erik


Re: [pfSense] routed subnet question

2014-06-30 Thread Erik Anderson
On Mon, Jun 30, 2014 at 2:58 PM, Gordon Russell
gruss...@clarkecounty.gov wrote:
> Your assumption is correct. We have this same service from Comcast, and we
> have a few of our /28 assigned subnet as VIP's on the WAN. The full /28 is
> assigned into a third (DMZ) interface on the pfsense box as well in our case.
> Port forwards and NATs on the WAN utilize the VIP's, and other public traffic
> destined for our /28 gets routed into the DMZ.

Perfect - thanks Gordon!

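The routed-subnet question and Gordon's answer describe one layout: a point-to-point address on WAN, a routed block whose addresses are used as WAN VIPs for NAT and port forwards, and optionally the whole block on a DMZ interface. The checker below is an added example (not code from the thread or from pfSense) that validates such a layout before it is applied: every VIP must fall inside the routed block and not be its network or broadcast address, VIPs must be unique, the WAN link must not overlap the routed block, and when a DMZ interface carries the block its own address must not double as a WAN VIP. All addresses in it are constructed documentation-range values; the function names and argument layout are this example's own.

```python
import ipaddress


def check_routed_subnet(wan_link, routed, vips, dmz_addr=None):
    """Return a list of problems with the layout; an empty list means it is consistent.

    wan_link  - the P2P WAN address with its prefix, e.g. "198.51.100.2/30"
    routed    - the block the ISP routes to that address, e.g. "192.0.2.0/29"
    vips      - addresses from the block to configure as WAN VIPs
    dmz_addr  - optional DMZ interface address/prefix if the block lives on a DMZ
    """
    problems = []
    link = ipaddress.ip_interface(wan_link).network
    net = ipaddress.ip_network(routed)

    # The routed block must be distinct from the link subnet, or the
    # ISP-side gateway and the VIPs would share a prefix.
    if link.overlaps(net):
        problems.append(f"WAN link {link} overlaps routed subnet {net}")

    seen = set()
    for v in vips:
        a = ipaddress.ip_address(v)
        if a in seen:
            problems.append(f"duplicate VIP {a}")
        seen.add(a)
        if a not in net:
            problems.append(f"VIP {a} is outside routed subnet {net}")
        elif a in (net.network_address, net.broadcast_address):
            problems.append(f"VIP {a} is the network or broadcast address of {net}")

    if dmz_addr is not None:
        d = ipaddress.ip_interface(dmz_addr)
        if d.network != net:
            problems.append(f"DMZ interface {d} does not carry the routed subnet {net}")
        if d.ip in seen:
            problems.append(f"DMZ interface address {d.ip} is also configured as a WAN VIP")
    return problems


def example_ok():
    """Layout from the original question: P2P WAN plus VIPs from the routed /29 (constructed)."""
    return check_routed_subnet("198.51.100.2/30", "192.0.2.0/29", ["192.0.2.1", "192.0.2.2"])


def example_bad():
    """A deliberately inconsistent layout to show the kinds of mistakes caught."""
    return check_routed_subnet(
        "198.51.100.2/30", "192.0.2.0/29",
        ["192.0.2.0", "192.0.2.9", "192.0.2.2", "192.0.2.2"],
        dmz_addr="192.0.2.1/29",
    )


if __name__ == "__main__":
    print("ok layout:", example_ok() or "no problems")
    for p in example_bad():
        print("bad layout:", p)
```

Adapting it to Gordon's /28 case only changes the `routed` argument and the DMZ address; the same checks apply whether the block is /29 or /28.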

Re: [pfSense] HP DL160 for pfSense in a datacenter

2014-04-23 Thread Erik Anderson
On Wed, Apr 23, 2014 at 8:14 AM, mayak ma...@australsat.com wrote:
> The machine has one of those stupid raid chips that works for software
> raid -- pfSense knows about these kinds of cards, but nonetheless, I
> would like to make this machine as bullet proof as possible (in terms of
> disk failure).

You're not going to want to hear this, but...

...purchase a real hardware RAID card. FakeRAID cards are horrible,
and I'd never trust them for something as critical as a
firewall/router device. You don't need anything fancy - you should be
able to source a used RAID controller for a very reasonable price.

-Erik


[pfSense] Embedded 2.0.1 - 2.1.2 upgrade issues

2014-04-21 Thread Erik Anderson
I have an embedded (soekris) install running 2.0.1-RELEASE.

This weekend, I attempted an in-place upgrade to 2.1.2-RELEASE. After the
upgrade, all interfaces appeared to be configured correctly:

- while ssh'ed into pfsense, I could access internet hosts
- all internal VLAN interfaces were configured correctly, and were
accessible as expected from their respective VLANs
- from the main internal LAN, I could access the pfsense LAN interface as
well as the web configurator

However, it didn't appear to be NATing packets correctly from any of the
internal interfaces to the WAN. I double-checked and re-applied the NAT and
firewall rules to no effect.

Any ideas what could have happened? Are there any known issues with an
in-place 2.0.1 - 2.1.2 upgrade?

Next I'm just going to try to burn a clean 2.1.2 image on a CF card and
then restore the config file, which I *hope* will be successful.

-Erik

[pfSense] multi-wan traffic shaping question

2012-02-21 Thread Erik Anderson
Good afternoon, all -

I'm currently running 2.0.1 on a Soekris 5501.

We have three WAN circuits and three LANs. Traffic from each LAN is
policy routed out its own WAN circuit. I'd like to implement some
traffic shaping for outbound traffic on one of the LANs - the other
two have no need for traffic shaping. In this situation, how many WAN
circuits should I tell the wizard I have? The shaped traffic will only
ever touch one of the WAN circuits.

Thank you very much!
-Erik


Re: [pfSense] Soekris 5501 + SATA drive issues

2011-12-27 Thread Erik Anderson
On Thu, Dec 22, 2011 at 5:01 AM, Chris Bagnall
pfse...@lists.minotaur.cc wrote:

> Appreciate this isn't really an answer to your original question, but is
> there a reason why you don't use a compact flash card in the socket on the
> board? We have quite a few clients with 5501s, all of which are using CF
> cards, and I don't recall having a problem booting with any of them.

Thanks Chris -

My desire to use an SSD was borne out of the hope that I could have
access to a bit more disk space, and to be able to use packages like
squid without using up the available write cycles of a CF card. That
said, I'm probably going to end up just going with a CF card in the
end for ease of installation.

I will still plan on keeping the SSD attached, and I'll hopefully be
able to use it as cache space for squid.

-Erik


Re: [pfSense] Soekris 5501 + SATA drive issues

2011-12-27 Thread Erik Anderson
On Thu, Dec 22, 2011 at 9:32 PM, Jim Spaloss jspal...@gmail.com wrote:
> I missed the part about the memstick image. I will tell you that I had all
> kinds of problems using the nanobsd images, and ended up hooking up the SSD
> to a PC running the PFSense installer and choosing the embedded platform.

No problem, Jim. The memstick image actually contains both the full
kernel as well as the NanoBSD kernel - I chose the full kernel when
installing.

In the end, I think I'm just going to go back to installing on a CF
card. Then I'll mount the SSD somewhere and use it as a cache space
for squid.

Thanks!
-Erik


[pfSense] Soekris 5501 + SATA drive issues

2011-12-21 Thread Erik Anderson
I'm at a loss here -

My shiny new 5501 arrived today, along with the SATA mounting kit and
a small SSD drive. Knowing that the 5501 doesn't support USB boot, I
connected the SSD to another system, and installed 2.0.1 to it using
the memstick image. I chose the embedded kernel.

After connecting the SSD to the 5501, the bootloader started just
fine, and it loaded the kernel, but failed when trying to mount the
root partition.

A full transcript of the boot process is here:

http://pastebin.me/82c3fe0bb271a67bf86d5a0d0f0e89f9

You can see on line 161 that the SSD was detected as device ad1, and
the system was trying to mount root from /dev/ad4s1a. Problem.

So, at the mountroot prompt, I assumed I could just type
ufs:/dev/ad1s1a. That didn't work, and gave the same error message.

From the loader prompt, here's the device list:

OK lsdev
cd devices:
disk devices:
disk0:   BIOS drive C:
disk0s1a: FFS
disk0s1b: swap
pxe devices:
zfs devices:

Any pointers?

Thank you!


[pfSense] four-interface embedded board for pfSense?

2011-12-16 Thread Erik Anderson
Hello all -

Historically, I've used the Alix 2d3/2d13 boards - these have three
interfaces, and have worked perfectly for me. I now have an instance
where I'm going to need triple-wan capabilities, and am wondering what
options and/or recommendations are out there for this situation. I
would prefer to stick with an embedded setup if possible.

I guess the other question I have is: instead of looking for a
quad-interface board, can I accomplish the same thing by just adding
an 802.1q switch and trunking a couple of the WAN circuits through the
switch? I would imagine keeping each individual WAN circuit on its own
VLAN ID would be the only way to do this in a secure and reliable
fashion. A couple of the WAN circuits will be ADSL, requiring PPPoE
negotiation - I'm not sure if this changes anything with regards to
being able to terminate the circuit at a switch instead of directly in
one of the router interfaces.

Thank you!
-Erik


Re: [pfSense] four-interface embedded board for pfSense?

2011-12-16 Thread Erik Anderson
On Fri, Dec 16, 2011 at 11:46 AM, Ian Bowers iggd...@gmail.com wrote:
> Sounds like Soekris might be right up your alley if you want physical
> interfaces.   http://soekris.com/  .  I've had a net5501 running openbsd for
> ages, it's been one of my longest operating devices, and I've literally never
> had an issue with it.

Thanks for the info, Ian. I've been so happy with the ALIX boards that
I had all but forgotten about Soekris. :)

The 5501 looks perfect for our needs.

-Erik