Re: [pfSense] Shell Logout time
Hi,

On Thu, Apr 25, 2013 at 12:37:36PM -0400, Jim Pingle wrote:
> On 4/25/2013 11:20 AM, Odhiambo Washington wrote:
>> Whenever I am logged into my pfSense box via SSH, I always get logged out within some time, even when I am running something. Where can I change that timeout value?
>
> As others have mentioned there is no timeout value. pfSense will leave active connections open, even if idle, for 24 hours at least. A WAN getting disconnected would flush its states, or there could be something else involved cutting them off.

I've noticed the very same problem when connecting through ssh directly from my PC to our slave pfSense in our cluster of two: automatic disconnect from the slave after maybe one minute or even less. If I first connect to the master pfSense from my PC, then from there to the slave, there's no disconnection. I've never noticed such a problem when connecting to the master.

bye

--
Jérôme Alet - jerome.a...@univ-nc.nc - Direction du Système d'Information
Université de la Nouvelle-Calédonie - BPR4 - 98851 NOUMEA CEDEX
Tél : +687 290081 Fax : +687 254829

___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] pfSense 2.1-beta1 Highly unstable
Hi,

Christophe Ségui christophe.se...@math.univ-toulouse.fr wrote:
> I tried pfSense 2.1-BETA1 as router/firewall (OSPF is used for WAN) and a /22 network as internal network. With PF activated, the node crashes after 2 hours up... since pf is deactivated, the node stays up (routing functionalities are OK). Has anyone experienced the same issue?

Here we are using 2.1BETA1 for a long time in production. What we've learnt is that from one day to the other, fixes are incorporated, but sometimes fixes break something else, so while we used to upgrade every day to benefit from the latest fixes, we now stay with a version which mostly works for us: 2.1-BETA1 (amd64) built on Thu Feb 28 04:29:38 EST 2013

Since we're running a two-node cluster, testing a new release is easy but takes time: upgrade the slave, shut down the master, see if all works as expected. If not, restore the full backup, else upgrade the master as well. But this can be very, very time consuming, especially due to pfSense's full backup (when upgrading from the GUI) which saves, slowly, almost everything including Squid's cache content.

We're still stuck with some minor problems but this version doesn't crash at least... We've got planned downtime tomorrow, and planned to try an upgrade, but reading your message I think we'll wait a bit more :-)

So my advice to you would be to try daily upgrades until you find one that works, and stay with it until a BETA2 or an RC is published.

bye

--
Jerome Alet
[pfSense] Problems with DHCP failover
Hi,

We've just upgraded our two-node failover cluster to 2.1BETA1 built on Thu Feb 28 04:29:38 EST 2013, because we encountered problems with DHCP failover not being in state normal / normal for some interfaces.

Searching the web, I've found this link which might be related: http://redmine.pfsense.org/issues/1730

When trying to find filter rules matching ports 519 or 520 in /tmp/rules.debug as described in this bug report, there's no match at all. As far as I understand the answer to this bug report, the required rules should be automatically added.

Is this to be expected or is there a problem somewhere?

TIA

--
Jérôme Alet - jerome.a...@univ-nc.nc - Direction du Système d'Information
Université de la Nouvelle-Calédonie - BPR4 - 98851 NOUMEA CEDEX
Tél : +687 290081 Fax : +687 254829
[pfSense] Question about DHCP failover
Hi,

We're running 2.1BETA1 on a two-node failover pfSense cluster. Each node is in a separate physical location, and connected to a different switch. We've got around 15 interfaces, 8 of which have an active DHCP server served by pfSense.

We encounter synchronization problems between the two nodes but only for DHCP and, it seems, only for some of the 8 DHCP server enabled interfaces. Status/DHCP Leases always reports normal / normal for dhcp0, but things like recover / unknown state or communication interrupted / recover done, or even recover / recover for all the other interfaces.

I know for sure it used to work with normal / normal for all interfaces, but between pfSense upgrades and configuration changes, something made it break.

Now I'm wondering something, because when looking at the generated dhcpd.conf file it's not very clear for me:

On the master node, for each interface on which we've enabled the DHCP server, we've added in the Failover peer IP input box the address the slave node has on the very same interface. Is this really needed for each interface, or is it sufficient to put it only once? If we set it multiple times I believe the synchronization is done multiple times too, and doing a simple modification and applying changes takes ages.

Also, if it's needed for all interfaces, should we specify each time the IP address matching the other node on the same interface, or should we use, for all interfaces, the IP address the other node has on the pfsync interface?

Please could someone enlighten me wrt the best way to achieve such a configuration?

Thanks in advance

--
Jérôme Alet - jerome.a...@univ-nc.nc - Direction du Système d'Information
Université de la Nouvelle-Calédonie - BPR4 - 98851 NOUMEA CEDEX
Tél : +687 290081 Fax : +687 254829
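The two DHCP failover messages above come down to one check a practitioner can script: read the `failover peer` blocks out of the generated dhcpd.conf, then confirm that the pf ruleset (/tmp/rules.debug in the first message) actually passes the failover ports for each peer. The script below is an added example, not pfSense code or anything posted to the list; the dhcpd.conf fragment, the rules.debug lines, the interface names and the addresses are all constructed, and the exact wording pfSense uses for its failover rules is an assumption, so the pattern in `missing_failover_rules` may need adjusting to a real ruleset.

```shell
#!/bin/sh
# Added example (not pfSense code): cross-check ISC dhcpd failover peers
# against the generated pf ruleset. Both inputs are constructed samples in
# the syntax of dhcpd.conf and pfSense's /tmp/rules.debug; the interface
# names, addresses and rule wording are assumptions for the demo.

# Constructed dhcpd.conf fragment: one failover peer per DHCP-enabled interface.
DHCPD_CONF='
failover peer "dhcp0" {
  primary;
  address 10.10.3.252;
  port 519;
  peer address 10.10.3.253;
  peer port 520;
  mclt 600;
  split 128;
}
failover peer "dhcp1" {
  primary;
  address 10.10.7.252;
  port 519;
  peer address 10.10.7.253;
  peer port 520;
  mclt 600;
  split 128;
}
'

# Constructed rules.debug fragment: only the dhcp0 peer has matching rules.
RULES_DEBUG='
pass in quick on igb0 proto tcp from 10.10.3.253 to 10.10.3.252 port 519 keep state
pass out quick on igb0 proto tcp from 10.10.3.252 to 10.10.3.253 port 520 keep state
pass in quick on igb1 proto udp from any to any port 67 keep state
'

# failover_peers CONF -> one line per peer:
#   name local_addr local_port peer_addr peer_port
failover_peers() {
  printf '%s\n' "$1" | awk '
    $1 == "failover" && $2 == "peer"  { gsub(/"/, "", $3); name = $3 }
    $1 == "address"                   { sub(/;/, "", $2); addr = $2 }
    $1 == "port"                      { sub(/;/, "", $2); port = $2 }
    $1 == "peer" && $2 == "address"   { sub(/;/, "", $3); paddr = $3 }
    $1 == "peer" && $2 == "port"      { sub(/;/, "", $3); pport = $3 }
    $1 == "}"                         { print name, addr, port, paddr, pport }
  '
}

# missing_failover_rules CONF RULES -> prints "peer in|out port" for every
# failover peer whose pass rule for that port is absent from RULES.
# (Dots in the addresses are treated as regex wildcards; fine for a check.)
missing_failover_rules() {
  conf=$1; rules=$2
  failover_peers "$conf" | while read -r name addr port paddr pport; do
    # inbound: the peer talking to our address on our failover port
    printf '%s\n' "$rules" | grep -Eq "^pass in .*from $paddr to $addr port $port( |$)" \
      || echo "$name in $port"
    # outbound: us talking to the peer on its failover port
    printf '%s\n' "$rules" | grep -Eq "^pass out .*from $addr to $paddr port $pport( |$)" \
      || echo "$name out $pport"
  done
}

# Prints nothing when every peer has both rules; here it reports dhcp1.
missing_failover_rules "$DHCPD_CONF" "$RULES_DEBUG"
```

On a real box the two variables would be replaced by `$(cat /var/dhcpd/etc/dhcpd.conf)` and `$(cat /tmp/rules.debug)` or whatever paths the installed version uses; the peers the script reports are the interfaces to look at first when the lease status is anything other than normal / normal.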
[pfSense] Long standing problem with captive portal
Hi there,

Here we've got a long standing problem with the Captive Portal, and I've just checked with 2.1-BETA1 (amd64) built on Sat Feb 2 21:38:38 EST 2013 that the problem remains, and we believe it was already present in 2.0, at least for us.

It always takes ages to stop and start the CP correctly, because we have to do it manually: the CP seems to start both an SSL and a normal lighttpd daemon, but for some reason, in some yet unclear cases, the pid of the SSL daemon isn't correctly written in /var/run/: the file is empty.

This problem causes stopping the CP to fail, because the SSL daemon can't be stopped (its pid is unknown), and the Services page is not able to launch the CP either, because since the pid file is empty, it doesn't detect that the CP is running correctly (or at least we think so).

What we usually do then is manually kill the lighttpd daemon and remove the related files in /var/run/ if needed, then we restart it from the Services page, and if both processes are up (it sometimes takes several clicks on Start CP), we put the SSL daemon's pid into the correct pid file in /var/run/

This way stopping the CP from the Services page works again, but the real problem is when starting it: something is not always working correctly and the pid file is empty. Why? We don't know.

We also experience other problems, like user connections which never expire, despite us having set an expiration time of 720 minutes: the minicron job /etc/rc.prunecaptiveportal seems to die, leaving its lock file in /tmp, and so launching it manually without removing the lock file first doesn't help. When removing the lock file and launching the job from the command line it expires connections correctly. Not sure if it's related or not to the above problem.

We are not seeking a fix, since we've got a workaround, but we'd like to know if other people experience the same problem or if we are alone with this.

Thanks in advance for any help or advice

--
Jérôme Alet - jerome.a...@univ-nc.nc - Direction du Système d'Information
Université de la Nouvelle-Calédonie - BPR4 - 98851 NOUMEA CEDEX
Tél : +687 290081 Fax : +687 254829
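The failure mode in the message above (an empty pid file that makes both stop and start misjudge the daemon's state) is easy to detect before it bites. The script below is an added example, not pfSense code or anything from the thread: it classifies each pid file in a run directory as missing, empty, garbage, dead or alive, so a stop/start wrapper or a monitoring check can refuse to trust an empty file. The run directory and the file names are constructed for the demo; the real pid file names under /var/run/ are whatever the installed captive portal writes.

```shell
#!/bin/sh
# Added example (not pfSense code): sanity-check daemon pid files such as
# the ones the captive portal writes under /var/run/. An empty or stale pid
# file is reported instead of being silently treated as "not running".
# The directory and file names below are constructed for the demo.

# pidfile_status FILE -> prints one of: missing, empty, garbage, dead, alive
# Returns 0 only for "alive".
pidfile_status() {
  f=$1
  [ -e "$f" ] || { echo missing; return 1; }
  [ -s "$f" ] || { echo empty; return 1; }
  pid=$(tr -d '[:space:]' < "$f")
  case $pid in
    ''|*[!0-9]*) echo garbage; return 1 ;;
  esac
  # kill -0 sends no signal; it only tests that the process exists
  if kill -0 "$pid" 2>/dev/null; then
    echo alive; return 0
  fi
  echo dead; return 1
}

# check_run_dir DIR -> prints "file status" for every *.pid in DIR;
# returns 1 if any pid file is not backed by a live process.
check_run_dir() {
  rc=0
  for f in "$1"/*.pid; do
    [ -e "$f" ] || continue
    st=$(pidfile_status "$f") || rc=1
    echo "$(basename "$f") $st"
  done
  return $rc
}

# Constructed demo: a healthy pid file (this shell's own pid), an empty one
# like the SSL daemon's pid file in the report, and one pointing at a pid
# that is not running (above the Linux pid_max ceiling, so it cannot exist).
demo_dir=$(mktemp -d)
echo $$ > "$demo_dir/lighty-cp0.pid"
: > "$demo_dir/lighty-cp0-ssl.pid"
echo 4194305 > "$demo_dir/stale.pid"

check_run_dir "$demo_dir" || echo "at least one daemon has an unusable pid file"
```

A stop script built on this would treat "empty" and "garbage" as "pid unknown, fall back to matching the process by name", and a start script would treat "dead" as "stale file, safe to overwrite", which is exactly the manual procedure described above.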
[pfSense] BUG in the size computation for a backup
Hi,

I've just found out why I thought (my previous message) that our backup was extremely slow to restore...

See the attached screenshot: pfSense displays 3.4 GB, but the real size on disk is 27.5 GB, which takes more time to restore...

BTW in the full backup Squid cache's content is saved as well. Could there be an option to save a Full backup without Squid's cache?

As for our other problems I can only confirm that restoring BETA0 from Nov 10th fixed the CP problems.

TIA

--
Jerome Alet

attachment: pfsense-screenshot.png
[pfSense] Captive portal and HTTPS homepage
Hi,

We've got pfSense 2.1 snapshots running with Squid package 2.7.9 pkg v.4.3.1 (not sure if it's meaningful or not)

If a client behind the captive portal is not authenticated yet, and its browser's homepage is an https:// URL (typically our University's webmail), then there's no redirection to the captive portal to force the user to authenticate, and the page keeps loading forever with an empty browser window.

If we change the client's browser's homepage to an http:// page, then all is fine.

How can we fix this problem?

Thanks in advance

--
Jérôme Alet - jerome.a...@univ-nc.nc - Direction du Système d'Information
Université de la Nouvelle-Calédonie - BPR4 - 98851 NOUMEA CEDEX
Tél : +687 290081 Fax : +687 254829
Re: [pfSense] Strange problem after auto update
Hi,

Just to let you know that this 2.1 snapshot:

FreeBSD 8.3-RELEASE-p4 #1: Thu Nov 8 11:35:37 EST 2012

fixes my problem. Now the slave can ping and do DNS queries at will, as expected (at least as I expected).

bye, and thanks for your work guys!

--
Jérôme Alet - jerome.a...@univ-nc.nc - Direction du Système d'Information
Université de la Nouvelle-Calédonie - BPR4 - 98851 NOUMEA CEDEX
Tél : +687 290081 Fax : +687 254829
Re: [pfSense] Strange problem after auto update
Hi,

I was able to do the upgrade just now, finally... and no luck.

From: Chris Buechler c...@pfsense.org
Sent: Tue Nov 06 17:17:02 NCT 2012
To: pfSense support and discussion list@lists.pfsense.org
Subject: Re: [pfSense] Strange problem after auto update

> You can try either upgrading to a November 6 or newer snapshot,

Done. This doesn't change the situation unfortunately...

> or just removing the line containing set state-policy if-bound from /etc/inc/filter.inc and reloading the filter rules under Status > Filter reload. See if that changes anything.

That line isn't even present in /etc/inc/*:

[2.1-BETA0][r...@pfsense2.univ-nc.nc]/etc/inc(8): grep state-policy *
[2.1-BETA0][r...@pfsense2.univ-nc.nc]/etc/inc(9):
[2.1-BETA0][r...@pfsense2.univ-nc.nc]/etc/inc(10): grep if-bound *
[2.1-BETA0][r...@pfsense2.univ-nc.nc]/etc/inc(11):

I'm restoring again right now.

Any other idea?

bye, and thanks so much again for your time

--
Jerome Alet
Re: [pfSense] Strange problem after auto update
Hi,

From: Mikey van der Worp mvdw...@utelisys.com
Sent: Mon Nov 05 15:29:04 NCT 2012
To: pfSense support and discussion list@lists.pfsense.org
Subject: Re: [pfSense] Strange problem after auto update

> According to the details it looks like ICMP echo is blocked. Does it do the same pinging to google etc?

Sorry, forgot to add that I don't see any rejected packet in our central syslog server, for any of these two pfSense boxes.

As far as pinging google is concerned, DNS doesn't work either, so I don't think ICMP echo is particular, I mentioned this to expose the connectivity problem.

BTW since our DNS server is on the LAN interface, and the default rule in pfSense (IIRC) is to allow all from LAN (and we kept this default rule active), the DNS queries should just work, and they don't. What is strange though is that both the web interface and the ssh server work, even when connecting from LAN.

Could this be a misconfiguration on our part, being exposed only because of the update?

Thanks in advance for any hint

--
Jerome Alet
Re: [pfSense] Strange problem after auto update
Me, again :-)

I've noticed something that might be helpful...

When I have upgraded the slave member of my pfSense cluster, the version number of the configuration file changes from 9.0 to 9.1

So I've got two members of the cluster with different versions, since I've not upgraded the master yet, and I'm not sure I want to do it before knowing the source of my problem. So master is still in 9.0 and slave is in 9.1.

Could this be the cause of my problem? I mean, when the master tries to sync its configuration to the slave, doesn't it break the slave's configuration?

Is the proper way to upgrade by upgrading the master first??? Does this mean that if I upgrade the master now, all will be fine again?

Thanks (again) in advance for any answer.

--
Jérôme Alet - jerome.a...@univ-nc.nc - Direction du Système d'Information
Université de la Nouvelle-Calédonie - BPR4 - 98851 NOUMEA CEDEX
Tél : +687 290081 Fax : +687 254829
Re: [pfSense] Strange problem after auto update
Hi,

From: Chris Buechler c...@pfsense.org
Sent: Tue Nov 06 17:17:02 NCT 2012
To: pfSense support and discussion list@lists.pfsense.org
Subject: Re: [pfSense] Strange problem after auto update

> You're running into some kind of regression and I'm not exactly sure what. I have a suspicion it's related to the various problems with if-bound states, but not sure. You can try either upgrading to a November 6 or newer snapshot, or just removing the line containing set state-policy if-bound from /etc/inc/filter.inc and reloading the filter rules under Status > Filter reload. See if that changes anything. Keep doing that only on the secondary and don't upgrade the primary until the secondary is fixed as it's almost certain it'll break too.

Unfortunately I won't be able to test this until Thursday, but I'll let you know how it goes.

bye, and thanks a lot for your help

--
Jerome Alet
[pfSense] Strange problem after auto update
Hi,

We've got two pfsense 2.1-BETA0 snapshots running on AMD64 as a failover cluster. Each of these two Dell R610 has two Intel quad port Gigabit Ethernet (igb) and one (integrated) Broadcom (bce) quad port Gigabit Ethernet card.

Both were running 8.3-RELEASE-p4 #1: Thu Sep 27 14:06:33 EDT 2012 just fine.

This morning, I've updated the slave to 8.3-RELEASE-p4 #1: Sat Nov 3 16:04:02 EDT 2012. Fortunately I haven't updated the master for now.

Since this upgrade, all syslog from the slave host logs to our central syslog server as the CARP VIP address of the LAN. Before, it went to the central syslog server as its own LAN address, just like the master host. This is a really big change and I don't really understand why it would happen or even be a good idea.

Finally, the slave host does seem to have big connectivity problems, causing at least DNS to fail:

One of our DNS server's IP address is 10.10.0.3, on the LAN. The master's IP address is 10.10.3.252, the slave is 10.10.3.253 and the CARP virtual IP is 10.10.3.254. The network mask is 255.255.252.0

Now here's a ping from our DNS server to the slave:

awa:~ # ping pfsense2
PING pfsense2-intra.univ-nc.nc (10.10.3.253) 56(84) bytes of data.
64 bytes from pfsense2-intra.univ-nc.nc (10.10.3.253): icmp_seq=1 ttl=64 time=0.267 ms
64 bytes from pfsense2-intra.univ-nc.nc (10.10.3.253): icmp_seq=2 ttl=64 time=0.205 ms
64 bytes from pfsense2-intra.univ-nc.nc (10.10.3.253): icmp_seq=3 ttl=64 time=0.215 ms
64 bytes from pfsense2-intra.univ-nc.nc (10.10.3.253): icmp_seq=4 ttl=64 time=0.243 ms

--- pfsense2-intra.univ-nc.nc ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3012ms
rtt min/avg/max/mdev = 0.205/0.232/0.267/0.028 ms

The other way around, from the slave to DNS:

[2.1-BETA0][r...@pfsense2.univ-nc.nc]/etc(13): ping 10.10.0.3
PING 10.10.0.3 (10.10.0.3): 56 data bytes
^C
--- 10.10.0.3 ping statistics ---
9 packets transmitted, 0 packets received, 100.0% packet loss

So this way all packets are lost, but traceroute works fine:

[2.1-BETA0][r...@pfsense2.univ-nc.nc]/etc(20): traceroute -n 10.10.0.3
traceroute to 10.10.0.3 (10.10.0.3), 64 hops max, 52 byte packets
 1  10.10.0.3  0.276 ms  0.308 ms  0.221 ms

If I do a full restore (I did a full backup before the slave update), then all works fine again.

Any idea of what could be wrong with our setup?

Thanks so much in advance

--
Jérôme Alet - jerome.a...@univ-nc.nc - Direction du Système d'Information
Université de la Nouvelle-Calédonie - BPR4 - 98851 NOUMEA CEDEX
Tél : +687 290081 Fax : +687 254829
Re: [pfSense] Squid transparent ssl proxy
Good evening,

From: Stefan Baur newsgroups.ma...@stefanbaur.de
Sent: Wed Jul 25 17:51:19 NCT 2012
To: list@lists.pfsense.org
Subject: Re: [pfSense] Squid transparent ssl proxy

> On 25.07.2012 05:17, Jerome Alet wrote:
>> Any idea what I'm doing wrong?
>
> This is what you're doing wrong:
>
>> Now I'd like to set it up as an HTTPS transparent proxy as well.
>
> HTTPS traffic is encrypted, and squid is lacking the proper keys/certificates to decrypt it. In theory, you could set up squid with its own certificates, but that will turn squid into a man-in-the-middle, i.e. all your clients will complain that the certificate doesn't match the sites they're trying to access.

I know this is man in the middle, and I even wrote that we were OK with the browser message which clearly says there's something like a man in the middle attack going on.

Since I've added its own certificate to Squid, it isn't lacking them, and so it *should* work from what I've read on the net about this subject. But clearly I'm missing something because instead of having the traffic decrypted by Squid and then encrypted again by Squid for local clients, I've got a Protocol Error.

So my original question was not about it being OK to do it or not, but more about why it didn't work as expected.

Thanks for your feedback anyway, if I can't do otherwise I'll play with autoconfiguration scripts.

bye

--
Jerome Alet
[pfSense] Multi-WAN for multiple LANs
Hi,

We'd like to set up 2.1 with two different WAN interfaces, each being exclusively used by two sets of several LANs.

So what we've done is create the first WAN (WAN1) and set its gateway (GW1) as the default one. And now we've added the second WAN (WAN2) and its gateway (GW2)

So we've got NETS1 as LAN1+LAN2+DMZ and NETS2 as LAN4+LAN5

Since GW1 is the default gateway, without doing anything all traffic will go through it.

We'd like to have NETS1 never go through GW2, but NETS2 never go through GW1, and always go through GW2.

NETS2 should use the pfSense box as its DNS server, which in turn uses DNS servers located in NETS1, and NETS2 should be able to access some machines in DMZ without going through GW2, but directly through pfSense.

On top of that we want to use manual NAT outbound rules and use the NATNETS2 IP Address (which is a CARP type interface address) as the NAT address when NATting clients from NETS2. This address is also defined as the tcp_outgoing_address for clients from NETS2 in pfSense's Squid configuration.

Is there a HOWTO about doing this sort of thing, or could anyone give us some hints? What we've found so far are only documents about multi-wan with load balancing or failover, and while we want failover on all our LANs, we specifically don't want this on our WANs: because of legal reasons clients from NETS2 are not allowed to use GW1.

Thanks in advance for any help on this matter

--
Jérôme Alet - jerome.a...@univ-nc.nc - Direction du Système d'Information
Université de la Nouvelle-Calédonie - BPR4 - 98851 NOUMEA CEDEX
Tél : +687 290081 Fax : +687 254829
Re: [pfSense] Network freezes on IBM x3550, Broadcom NICs
Hi,

From: Adam Thompson athom...@athompso.net

> You're largely correct, pfSense has - sometimes - issues with Broadcom NICs. If you search the mailing list archives and the bug tracker you'll see a number of reports/complaints. Many of these issues have been fixed since the 1.x era, but there are still occasional compatibility issues. The NIC troubleshooting steps often resolve the issue (at least well enough for daily use), but not always. IIRC, there are a couple modern Dell PowerEdge servers (R700, maybe?) that essentially can't be used with pfSense's NIC drivers at all. It's possible your IBM is going to be another problematic platform until the project releases a FreeBSD-9-based version.

I can confirm that a brand new Dell R610 won't work with the stable release because of a missing driver for the RAID controller. Devel snapshots of 2.1 work wrt the disk controller, but require some tweaks to /boot/loader.conf.local to fix network issues with Broadcom NICs, as well as 4-port Intel NICs...

Once you've put the fixes in, the network seems to work fine and the machine doesn't behave erratically. Although we're still doing tests and we make our setup more complex each day: 15 vlans and 2 unrelated wan links (two sets of clients) all with carp failover, squid and so on, we're confident it now works as expected with this hardware.

hth

--
Jerome Alet
[pfSense] DNS problem
Hi there,

I've just searched the bug tracker with no luck.

I'm using 2.1-BETA0 (amd64) built on Thu Jun 28 09:42:08 EDT 2012

I've got a problem with DNS resolution for the firewall itself. I've added my two DNS servers (in LAN) to General Setup and checked the "Do not use DNS Forwarder as a DNS server for the firewall" option. All works fine from the firewall's point of view wrt DNS.

If I uncheck this option, DNS for the firewall itself doesn't work: pfSense has added 127.0.0.1 in /etc/resolv.conf and uses it, but fails.

Also, despite checking the box again, and having a resolv.conf without 127.0.0.1, I can see in tcpdump that 127.0.0.1 is still used for DNS (for clients because I've activated DNS masquerading, I suppose), but always answers NXDomain

When doing tcpdump, I see that every packet sent to localhost has an incorrect checksum. Could this be the source of my problem?

11:21:35.461807 IP (tos 0x0, ttl 64, id 35149, offset 0, flags [none], proto UDP (17), length 118, bad cksum 0 (->f327)!) 127.0.0.1.42732 > 127.0.0.1.53: 41354+[|domain]
11:21:35.461945 IP (tos 0x0, ttl 64, id 64302, offset 0, flags [none], proto UDP (17), length 118, bad cksum 0 (->8146)!) 127.0.0.1.53 > 127.0.0.1.42732: 41354 NXDomain[|domain]

TIA

--
Jérôme Alet - jerome.a...@univ-nc.nc - Direction du Système d'Information
Université de la Nouvelle-Calédonie - BPR4 - 98851 NOUMEA CEDEX
Tél : +687 290081 Fax : +687 254829
Re: [pfSense] Possible bug in gateway monitoring in 2.1 snapshot (Sat Jun 16 08:16:08 EDT 2012)
Good evening,

Seth Mos seth@dds.nl wrote:
> On 22 Jun 2012, at 04:30, Moshe Katz wrote:
>> On Wed, Jun 20, 2012 at 4:50 PM, Jerome Alet jerome.a...@univ-nc.nc wrote:
>>> When you add an alternative IP address to monitor, a static route is added between the gateway address and the address to monitor. But when you delete this alternative IP address, click on save and then on apply changes, the static route is not removed as can be seen with netstat -nr.
>
> This is a clear bug, it's supposed to delete the route to that host. Is this a v4 or v6 monitor ip, I could see the delete command failing for ipv6 here.

It was IPv4.

BTW the route get command fails with an error about the routing socket IIRC, that's why I used netstat -nr, not sure if this is related or not.

bye

Jerome Alet
Re: [pfSense] Possible bug in gateway monitoring in 2.1 snapshot (Sat Jun 16 08:16:08 EDT 2012)
Hi,

On Thu, Jun 21, 2012 at 10:30:15PM -0400, Moshe Katz wrote:
> If you know PHP, and have time, maybe you can write a patch to connect the gateway monitor and the static route, and submit it.

I'm more of a Python and C guy, and I don't know PHP enough to not do something bad.

> I opened an issue in the pfSense Redmine to track this: http://redmine.pfsense.com/issues/2513

Thanks.

Not necessary to fix this if it's difficult, but adding this as an informational message below the Monitor IP input box would be great. Something like this maybe:

"If later on you remove this IP address from monitoring, take care to manually remove the route to it because it won't be done automatically, or else reboot your pfSense host."

bye

--
Jérôme Alet - jerome.a...@univ-nc.nc - Direction du Système d'Information
Université de la Nouvelle-Calédonie - BPR4 - 98851 NOUMEA CEDEX
Tél : +687 290081 Fax : +687 254829
Re: [pfSense] Possible bug in gateway monitoring in 2.1 snapshot (Sat Jun 16 08:16:08 EDT 2012)
On Thu, Jun 21, 2012 at 10:36:49PM -0400, Chris Buechler wrote:
> The static routes aren't even necessary anymore, so they can go in the future. http://redmine.pfsense.org/issues/2514

What a GREAT software and development team!!!

Thanks to all

--
Jérôme Alet - jerome.a...@univ-nc.nc - Direction du Système d'Information
Université de la Nouvelle-Calédonie - BPR4 - 98851 NOUMEA CEDEX
Tél : +687 290081 Fax : +687 254829
[pfSense] Possible bug in gateway monitoring in 2.1 snapshot (Sat Jun 16 08:16:08 EDT 2012)
Hi there,

While playing with gateways and monitoring alternative IP addresses, I've noticed a problem.

When you add an alternative IP address to monitor, a static route is added between the gateway address and the address to monitor. But when you delete this alternative IP address, click on save and then on apply changes, the static route is not removed as can be seen with netstat -nr.

Once you know this it's OK, but when you don't know and try to monitor the external IP addresses of two links to two different ISPs, each one monitoring the other one, this creates some funny routing problems even when you disable this monitoring, and this renders the problem difficult to understand, and then fix.

Is this a bug or normal behavior?

TIA

--
Jérôme Alet - jerome.a...@univ-nc.nc - Direction du Système d'Information
Université de la Nouvelle-Calédonie - BPR4 - 98851 NOUMEA CEDEX
Tél : +687 290081 Fax : +687 254829
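The leftover routes described in this thread are exactly the kind of thing that is hard to spot by eye in `netstat -nr` once a box has a dozen gateways. The script below is an added example, not pfSense code or anything posted to the list: it picks out the host routes that point at a gateway (the shape of the route pfSense adds for a monitor IP, per the message above) and reports the ones whose destination is no longer in the list of configured monitor IPs. The netstat output and the address lists are constructed samples; on a real box the first argument would be the live `netstat -nr` output and the second the monitor IPs read from the gateway configuration.

```shell
#!/bin/sh
# Added example (not pfSense code): report host routes left behind after a
# gateway monitor IP was removed. Compares the gateway host routes in
# "netstat -nr" output against the monitor IPs that are still configured.
# The netstat output and the IP lists below are constructed samples.

# Constructed "netstat -nr" (FreeBSD column layout) taken after the monitor
# IP 198.51.100.1 was removed from its gateway but its route stayed behind.
NETSTAT_OUT='Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            203.0.113.1        UGS         0  1234567   igb0
8.8.8.8            203.0.113.1        UGHS        0     9876   igb0
10.10.0.0/22       link#3             U           0    55555   igb2
10.10.3.253        link#3             UHS         0        0    lo0
127.0.0.1          link#9             UH          0      100    lo0
198.51.100.1       203.0.113.1        UGHS        0      321   igb0
198.51.100.0/24    198.51.100.1       UGS         0       10   igb1
'

# Monitor IPs still configured on the gateways (constructed).
MONITOR_IPS='8.8.8.8'

# gateway_host_routes NETSTAT -> "destination gateway" for every host route
# that goes via a gateway (flags contain both G and H). Loopback and
# link-local host routes (no G flag) are left out on purpose.
gateway_host_routes() {
  printf '%s\n' "$1" | awk 'NF >= 3 && $3 ~ /G/ && $3 ~ /H/ { print $1, $2 }'
}

# stale_monitor_routes NETSTAT MONITOR_IPS -> "dst via gw" for each gateway
# host route whose destination is not in the space-separated monitor list.
stale_monitor_routes() {
  gateway_host_routes "$1" | while read -r dst gw; do
    case " $2 " in
      *" $dst "*) ;;                 # still monitored: expected route
      *) echo "$dst via $gw" ;;      # leftover: candidate for "route delete"
    esac
  done
}

# Prints: 198.51.100.1 via 203.0.113.1
stale_monitor_routes "$NETSTAT_OUT" "$MONITOR_IPS"
```

The output is deliberately a report rather than a `route delete` loop: a host route via a gateway can also be legitimate (a static route someone added by hand), so each line is something to confirm before removing, which is the "take care to manually remove the route" step suggested later in the thread.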
Re: [pfSense] Question about failover setup
Hi,

On Tue, Jun 19, 2012 at 08:35:38AM +0200, Seth Mos wrote:
> On 18-6-2012 23:26, Jerome Alet wrote:
>> So now that I'm trying to replicate the OpenBSD configuration on my pfSense 2.1 boxes, I'm wondering if I really need 3 distinct IP addresses on each vlan and what are the consequences of using only one on the carp interface?
>
> For pfSense you definitely need 3 addresses per vlan.

Thanks for your answer.

Now, maybe a stupid question... Is it mandatory that all three addresses are in the same subnet, or is it possible to have the virtual one in a different subnet than the two real ones (still all three would be on the same vlan, but on different subnets)?

I'm asking this because on one of our interfaces we've got a dedicated link with a 30 bit subnet mask, leaving only two usable addresses: one on our side, the other on the other side of the link. We don't control the other side of the link unfortunately, so I'm really not sure yet if changing the subnet mask to allow more addresses will be doable (read authorized) or not...

Thanks for any advice on this matter.

bye

--
Jérôme Alet - jerome.a...@univ-nc.nc - Direction du Système d'Information
Université de la Nouvelle-Calédonie - BPR4 - 98851 NOUMEA CEDEX
Tél : +687 290081 Fax : +687 254829
[pfSense] Question about failover setup
Hi there,

We currently have two OpenBSD 4.1 boxes acting in failover mode to serve some of our firewalling needs. We are also using pfSense 2.0.1 and 1.2.2 for other firewalling needs.

I'm planning to consolidate all these firewalls onto two pfSense 2.1 boxes acting in failover mode, and finally shut down all these old boxes. We need to use 2.1 snapshots because our boxes are Dell PowerEdge R610 with the Perc H200 controller, unsupported in earlier releases.

I didn't set up the two OpenBSD boxes, but I've noticed that for some vlans, their configuration doesn't seem to be complete wrt the following pfSense related documentation:

http://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_(CARP)

While for most vlans each of the two OpenBSD boxes has a distinct IP address and they share a third distinct IP address as the virtual one (for the carp interface), on a few vlans only the carp interface is assigned an IP address: each box doesn't have a distinct IP address.

According to the documentation mentioned above, this configuration is incorrect. However I can attest that it works, at least when the two OpenBSD boxes are both online.

So now that I'm trying to replicate the OpenBSD configuration on my pfSense 2.1 boxes, I'm wondering if I really need 3 distinct IP addresses on each vlan and what are the consequences of using only one on the carp interface?

Thanks for your advice.

bye

--
Jérôme Alet - jerome.a...@univ-nc.nc - Direction du Système d'Information
Université de la Nouvelle-Calédonie - BPR4 - 98851 NOUMEA CEDEX
Tél : +687 290081 Fax : +687 254829
[pfSense] Dell R610 with Perc H200I
Hi there,

I'd like to know if support for Dell Perc H200i raid controllers is planned in the next release of pfSense, could anyone enlighten me?

Thanks in advance

--
Jérôme Alet - jerome.a...@univ-nc.nc - Direction du Système d'Information
Université de la Nouvelle-Calédonie - BPR4 - 98851 NOUMEA CEDEX
Tél : +687 290081 Fax : +687 254829
Re: [pfSense] 2 LANs and time based limits
Hi,

From: Adam Thompson athom...@athompso.net
Sent: Sat May 12 07:36:48 NCT 2012
To: 'jerome alet' jerome.a...@univ-nc.nc
Subject: RE: [pfSense] 2 LANs and time based limits

>> I understand (thanks to your explanations) but what I was thinking was not playing with the WAN side of the pipe which is shared, but with the interfaces between pfSense and the two sets of clients, which are not ADSL but traditional Ethernet links.
>
> That had not occurred to me. I believe, although I hope someone more expert will confirm or deny this, that inbound and outbound QoS should be applied on the same interface, and since you *will* want to apply outbound limits... However, that's an interesting idea and I don't know right now if your idea is a better way to do it.

I've done some testing and it seems to work as expected.

I've created two limiters, DownloadOPT1 set to 10 Mbits/s and UploadOPT1 set to 2 Mbits/s, then I've defined a PASS firewall rule on the OPT1 interface, with a 7 a.m. to 6 p.m. from Monday to Friday schedule, and the UploadOPT1 limiter assigned to the IN direction, and the DownloadOPT1 limiter assigned to the OUT direction (my naming is backwards I think but the OUT direction is what comes from my WAN interface to my OPT1 interface, i.e. data downloaded by our students).

I've not yet modified anything for the other interface, but I don't think anything is necessary since only OPT1 will have limiters, the other one should be able to consume all the remaining bandwidth, and more if needed (classrooms have priority... of course)

I think this will be perfect for our needs.

bye, and thanks all for your help

Jerome Alet
[pfSense] 2 LANs and time based limits
Hi,

We've got a pfSense 2.0.1 box with a single WAN (in fact it's behind a load balancer with 6 ADSL modems) and currently a single set of client machines, which are students' computers in their apartments.

We are planning to add a second set of client machines to this pfSense box, which are computers in our classrooms. Actually, and for several years now, we've used 2 separate pfSense boxes, with 2 separate sets of modems, but we'd like to consolidate this onto a single box (with the future option of having a second box acting as an instant failover).

So in the setup we envision, all machines must share the single WAN interface for Internet access. But...

Our classroom computers must have dedicated bandwidth from 7 a.m. to 6 p.m.; for example, they could have the bandwidth equivalent of 5 (of our 6) ADSL modems, guaranteed, during this period of time, each day from Monday to Friday. The remaining bandwidth should be dedicated to the apartments' computers.

Outside of these periods of time, the total available bandwidth should be available for both sets of computers, with an equal share of it, i.e. just as if we don't do anything special.

Is this possible with pfSense, and if yes, could someone please tell me how to proceed?

Thanks in advance

--
Jerome Alet
Re: [pfSense] 2 LANs and time based limits
Hi again,

> From: Ermal Luçi e...@pfsense.org
> Sent: Fri May 11 21:29:17 NCT 2012
> To: jerome alet jerome.a...@univ-nc.nc, pfSense support and discussion list@lists.pfsense.org
> Subject: Re: [pfSense] 2 LANs and time based limits
>
> On Fri, May 11, 2012 at 4:11 AM, jerome alet jerome.a...@univ-nc.nc wrote:
>> Our classroom computers must have dedicated bandwidth from 7 a.m. to 6 p.m.; for example, they could have the bandwidth equivalent of 5 (of our 6) ADSL modems, guaranteed, during this period of time, each day from Monday to Friday. The remaining bandwidth should be dedicated to the apartments' computers. Outside of these periods of time, the total available bandwidth should be available for both sets of computers, with an equal share of it, i.e. just as if we don't do anything special. Is this possible with pfSense, and if yes, could someone please tell me how to proceed?
>
> It is possible through time based rules and limiters. You just set up limiters with the limits you want guaranteed during weekdays and use those limiters in time based rules.

So am I correct with this scenario:

1 - Create the 7 a.m. to 6 p.m. schedule.
2 - Create a single limiter, say 20 Mbit/s, with no other option, to dedicate 20 Mbit/s to the classrooms (so the apartments will use the remaining bandwidth that is still available when this limiter applies).
3 - When creating a rule, I add this rule only to the classrooms interface, and use the single limiter's name in both the IN and OUT drop-down lists in the Advanced features of rule creation. Then I put this rule in PASS mode at the top for it to be evaluated first (or does it matter at all where I put it w.r.t. other rules)?

Am I correct?

Thanks for your feedback. I've never used limiters before, and since I'll do this on the production system I'd like to not make too many mistakes.

Thanks in advance for your help

--
Jerome Alet
Re: [pfSense] 2 LANs and time based limits
Hi,

> From: Adam Thompson athom...@athompso.net
> Sent: Fri May 11 22:51:08 NCT 2012
> To: 'jerome alet' jerome.a...@univ-nc.nc, 'pfSense support and discussion' list@lists.pfsense.org
> Subject: RE: [pfSense] 2 LANs and time based limits
>
> QoS on ADSL is notoriously difficult, and does not usually work quite as expected. There are implementation issues to blame, as well as a theoretical/logical problem.

I understand (thanks to your explanations), but what I was thinking was not playing with the WAN side of the pipe, which is shared, but with the interfaces between pfSense and the two sets of clients, which are not ADSL but traditional Ethernet links.

What I'm in doubt about now is where to put the limiter rule. Should the limiter be seen by me as a way to guarantee bandwidth, in which case I should set it high and apply it on the classrooms interface, or should it be seen by me as a bandwidth limiter, in which case I set it low and apply it on the apartments interface?

> When you configure your system as described, you will rarely - if ever - get exactly the results you expected. Aim for good enough, instead of perfect, and you will likely succeed.

Good enough is good enough for us: up until now there was only a single ADSL line for each set of clients, so needless to say students will be happy whatever the solution. Right now there's no limiter in use, so they ENJOY pfSense ;-)

Thanks for your help.

--
Jerome Alet
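As an added example, not code from this thread or from pfSense itself, the Python model below plays through the final configuration Jerome reports (two limiters on OPT1, UploadOPT1 on IN and DownloadOPT1 on OUT, scheduled Mon-Fri 7 a.m. to 6 p.m.) and the rule-order question from step 3 of his numbered scenario. It assumes first-match rule evaluation, that a rule outside its schedule is skipped so traffic falls through to the next rule, and that the schedule window ends at 18:00 sharp; the limiter names and sample instants are constructed from the thread.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional, Sequence

@dataclass(frozen=True)
class Limiter:
    name: str
    kbit_s: int

@dataclass(frozen=True)
class Schedule:
    weekdays: frozenset   # 0 = Monday ... 6 = Sunday
    start: time           # inclusive
    end: time             # exclusive (assumption: a 7:00-18:00 window stops at 18:00 sharp)

    def is_active(self, when: datetime) -> bool:
        return when.weekday() in self.weekdays and self.start <= when.time() < self.end

@dataclass(frozen=True)
class PassRule:
    interface: str
    schedule: Optional[Schedule]    # None = always active
    in_limiter: Optional[Limiter]   # IN on OPT1: packets arriving from the classrooms (their uploads)
    out_limiter: Optional[Limiter]  # OUT on OPT1: packets leaving towards the classrooms (their downloads)

def limiter_for(rules: Sequence[PassRule], interface: str,
                direction: str, when: datetime) -> Optional[Limiter]:
    """First matching rule wins (assumed first-match evaluation); an inactive schedule skips the rule."""
    for rule in rules:
        if rule.interface != interface:
            continue
        if rule.schedule is not None and not rule.schedule.is_active(when):
            continue  # outside the schedule the packet falls through to the next rule
        return rule.in_limiter if direction == "in" else rule.out_limiter
    return None  # no pass rule matched: nothing to shape

# Constructed sample mirroring the thread: limiters on OPT1 only, Mon-Fri 07:00-18:00.
DOWNLOAD_OPT1 = Limiter("DownloadOPT1", 10_000)
UPLOAD_OPT1 = Limiter("UploadOPT1", 2_000)
WORKING_HOURS = Schedule(frozenset(range(5)), time(7, 0), time(18, 0))
OPT1_RULES = [
    PassRule("OPT1", WORKING_HOURS, UPLOAD_OPT1, DOWNLOAD_OPT1),  # scheduled rule on top
    PassRule("OPT1", None, None, None),                           # unscheduled catch-all pass
]
# Sample instants (May 14, 2012 was a Monday; May 12, 2012 a Saturday).
MONDAY_10AM = datetime(2012, 5, 14, 10, 0)
MONDAY_6PM = datetime(2012, 5, 14, 18, 0)
SATURDAY_10AM = datetime(2012, 5, 12, 10, 0)
```

Swapping the two rules makes the unscheduled catch-all match first and the limiters never apply, which is why the scheduled rule has to sit above it.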