Re: [pfSense] Shell Logout time
Hi,

On Thu, Apr 25, 2013 at 12:37:36PM -0400, Jim Pingle wrote:
> On 4/25/2013 11:20 AM, Odhiambo Washington wrote:
> > Whenever I am logged into my pfSense box via SSH, I always get logged
> > out within some time, even when I am running something. Where can I
> > change that timeout value?
>
> As others have mentioned there is no timeout value. pfSense will leave
> active connections open, even if idle, for 24 hours at least. A WAN
> getting disconnected would flush its states, or there could be something
> else involved cutting them off.

I've noticed the very same problem when connecting through ssh directly from my PC to our slave pfSense in our cluster of two: automatic disconnect from the slave after maybe one minute or even less.

If I first connect to the master pfSense from my PC, then from there to the slave, there's no disconnection.

I've never noticed such a problem when connecting to the master.

bye

--
Jérôme Alet - - Direction du Système d'Information
Université de la Nouvelle-Calédonie - BPR4 - 98851 NOUMEA CEDEX
Tél : +687 290081 Fax : +687 254829

___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] pfsense 2.1-beta1 Highly unstable
Hi,

"Christophe Ségui" wrote:
> I tried pfsense 2.1-BETA1 as router/firewall (ospf is used for wan) and
> /22 network as internal network. With PF activated, the node crashes
> after 2 hours up … since pf is deactivated, node stays up (routing
> functionalities are OK). Has someone experienced the same issue?

Here we have been using 2.1BETA1 for a long time in production.

What we've learnt is that from one day to the other, fixes are incorporated, but sometimes fixes break something else, so while we used to upgrade every day to benefit from the latest fixes, we now stay with a version which "mostly" works for us: "2.1-BETA1 (amd64) built on Thu Feb 28 04:29:38 EST 2013"

Since we're running a two-node cluster, testing a new release is easy but takes time: upgrade the slave, shutdown the master, see if all works as expected. If not, restore the full backup, else upgrade the master as well. But this can be very very time consuming especially due to pfSense's full backup (when upgrading from the GUI) which saves, slowly, almost everything including Squid's cache content.

We're still stuck with some minor problems but this version doesn't crash at least...

We've got planned downtime tomorrow, and planned to try an upgrade, but reading your message I think we'll wait a bit more :-)

So my advice to you would be to try daily upgrades until you find one that works, and stay with it until a BETA2 or an RC is published.

bye

--
Jerome Alet
Re: [pfSense] Problems with DHCP failover
Hi,

On Fri, Mar 01, 2013 at 02:12:11PM +1100, Jerome Alet wrote:
>
> We've just upgraded our two-nodes failover cluster to "2.1BETA1 built on
> Thu Feb 28 04:29:38 EST 2013", because we encountered problems with DHCP
> failover not being in state "normal" / "normal" for some interfaces.
>
> Searching the web, I've found this link which might be related :
>
> http://redmine.pfsense.org/issues/1730
>
> When trying to find filter rules matching ports 519 or 520 in
> /tmp/rules.debug as described in this bug report, there's no match at
> all.
>
> As far as I understand the answer to this bug report, the required rules
> should be automatically added.
>
> Is this to be expected or is there a problem somewhere ?

I've just found and fixed one part of our problem:

It happens that DHCP was activated on an interface for testing purposes. When it was deactivated when testing was finished, the assigned range wasn't reset to an empty set by the WebUI, and in the config.xml file available from a backup I saw the range still being defined despite DHCP being disabled on this interface.

Then I went to the WebUI, checked the "Enable DHCP on XX interface", then manually emptied the range, then unchecked the "Enable DHCP on XX interface" and finally clicked the "Save" button.

Immediately DHCP sync worked and all interfaces were in "normal" / "normal" again.

We've still got a sync problem when activating/deactivating failover peer ip for one interface, but I suppose the problem is similar and I'll look into this ASAP.

Hoping this will help other people in the same situation.

bye

--
Jérôme Alet - - Direction du Système d'Information
Université de la Nouvelle-Calédonie - BPR4 - 98851 NOUMEA CEDEX
Tél : +687 290081 Fax : +687 254829
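
Added example, not part of the original message and not pfSense code: a check of a config.xml backup for the condition described above, a DHCP range still defined on an interface whose DHCP server is disabled, extended to a leftover failover peer IP (the similar problem the message mentions). The element names (dhcpd, enable, range/from, range/to, failover_peerip) are assumed from the pfSense 2.x config.xml layout, and the sample XML is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not taken from a real backup. Element names are an
# assumption about the pfSense 2.x config.xml layout; check your own backup.
SAMPLE_CONFIG = """<pfsense>
  <version>9.1</version>
  <dhcpd>
    <lan>
      <enable></enable>
      <range><from>192.0.2.10</from><to>192.0.2.200</to></range>
      <failover_peerip>192.0.2.253</failover_peerip>
    </lan>
    <opt1>
      <range><from>198.51.100.50</from><to>198.51.100.60</to></range>
      <failover_peerip></failover_peerip>
    </opt1>
    <opt2>
      <range><from></from><to></to></range>
    </opt2>
    <opt3>
      <range><from></from><to></to></range>
      <failover_peerip>203.0.113.2</failover_peerip>
    </opt3>
  </dhcpd>
</pfsense>
"""


def _text(node, path):
    """Return the stripped text of a child element, or '' if absent/empty."""
    found = node.find(path)
    if found is None:
        return ""
    return (found.text or "").strip()


def find_stale_dhcp_settings(config_xml):
    """List interfaces whose DHCP server is disabled but which still carry
    a range or a failover peer IP in the saved configuration.

    Returns a list of (interface_name, leftovers) tuples, where leftovers is
    a dict with the keys 'range' and/or 'failover_peerip'.
    """
    root = ET.fromstring(config_xml)
    dhcpd = root.find("dhcpd")
    findings = []
    if dhcpd is None:
        return findings

    for iface in dhcpd:
        # Assumption: the presence of an <enable> element means "enabled".
        if iface.find("enable") is not None:
            continue

        leftovers = {}
        range_from = _text(iface, "range/from")
        range_to = _text(iface, "range/to")
        if range_from or range_to:
            leftovers["range"] = (range_from, range_to)

        peer = _text(iface, "failover_peerip")
        if peer:
            leftovers["failover_peerip"] = peer

        if leftovers:
            findings.append((iface.tag, leftovers))
    return findings


if __name__ == "__main__":
    for name, leftovers in find_stale_dhcp_settings(SAMPLE_CONFIG):
        print(f"{name}: DHCP disabled but still configured: {leftovers}")
```
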
[pfSense] Problems with DHCP failover
Hi,

We've just upgraded our two-nodes failover cluster to "2.1BETA1 built on Thu Feb 28 04:29:38 EST 2013", because we encountered problems with DHCP failover not being in state "normal" / "normal" for some interfaces.

Searching the web, I've found this link which might be related:

http://redmine.pfsense.org/issues/1730

When trying to find filter rules matching ports 519 or 520 in /tmp/rules.debug as described in this bug report, there's no match at all.

As far as I understand the answer to this bug report, the required rules should be automatically added.

Is this to be expected or is there a problem somewhere?

TIA

--
Jérôme Alet - - Direction du Système d'Information
Université de la Nouvelle-Calédonie - BPR4 - 98851 NOUMEA CEDEX
Tél : +687 290081 Fax : +687 254829
Re: [pfSense] Question about DHCP failover
Hi again,

On Tue, Feb 26, 2013 at 03:45:27PM -0500, Jim Pingle wrote:
> > Is this really needed for each interface, or is it sufficient to put it
> > only once ? If we set it multiple times I believe the synchronization is
> > done multiple times too, and doing a simple modification and applying
> > changes takes ages.
>
> It is really needed for each interface.

What I find very strange is that even when removing the failover IP address for one of the interfaces, the synchronization still takes place, that's why I wondered if defining it on each interface was really needed.

> > Also, if it's needed for all interfaces, should we specify each time the
> > IP address matching the other node on the same interface, or should we
> > use, for all interfaces, the IP address the other node has on the
> > pfsync interface ?
>
> You must use the IP for the other node in the subnet being served on
> that interface. So each interface will have a different IP address.
>
> There was an issue with the way the dhcp server config was being synced
> but a commit was made in the last week or so to fix it. Last I heard it
> was working better.

I'll try to upgrade ASAP and see if it's better.

BTW our upgrades with full backup take a very very long time because the full backup script includes Squid's cache. Yesterday I tried to modify it to add "--exclude var/squid/cache" on tar's command line and launch the full backup manually, but the cache is still included in the full backup.

Any idea why? Shouldn't the full backup script, if the squid package is installed, ignore squid's cache directories?

TIA

--
Jérôme Alet - - Direction du Système d'Information
Université de la Nouvelle-Calédonie - BPR4 - 98851 NOUMEA CEDEX
Tél : +687 290081 Fax : +687 254829
[pfSense] Question about DHCP failover
Hi,

We're running 2.1BETA1 on a two-nodes failover pfSense cluster. Each node is in a separate physical location, and connected to a different switch.

We've got around 15 interfaces, 8 of which have an active DHCP server served by pfSense.

We encounter synchronization problems between the two nodes but only for DHCP and, it seems, only for some of the 8 DHCP server enabled interfaces.

"Status/DHCP Leases" always reports "normal" / "normal" for dhcp0, but things like "recover" / "unknown state" or "communication interrupted" / "recover done", or even "recover" / "recover" for all the other interfaces.

I know for sure it used to work with "normal" / "normal" for all interfaces, but between pfSense upgrades and configuration changes, something made it break.

Now I'm wondering something, because when looking at the generated dhcpd.conf file it's not very clear to me:

On the master node, for each interface onto which we've enabled the DHCP server, we've added in the "Failover peer IP" input box the address the slave node has on the very same interface.

Is this really needed for each interface, or is it sufficient to put it only once? If we set it multiple times I believe the synchronization is done multiple times too, and doing a simple modification and applying changes takes ages.

Also, if it's needed for all interfaces, should we specify each time the IP address matching the other node on the same interface, or should we use, for all interfaces, the IP address the other node has on the pfsync interface?

Please could someone enlighten me wrt the best way to achieve such configuration?

Thanks in advance

--
Jérôme Alet - - Direction du Système d'Information
Université de la Nouvelle-Calédonie - BPR4 - 98851 NOUMEA CEDEX
Tél : +687 290081 Fax : +687 254829
[pfSense] Long standing problem with captive portal
Hi there,

Here we've got a long standing problem with the Captive Portal, and I've just checked with "2.1-BETA1 (amd64) built on Sat Feb 2 21:38:38 EST 2013": the problem remains, and we believe it was already present in 2.0, at least for us.

It always takes ages to stop and start the CP correctly, because we have to do it manually: the CP seems to start both an SSL and a normal lighttpd daemon, but for some reason, in some yet unclear cases, the pid of the SSL daemon isn't correctly written in /var/run/: the file is empty.

This problem causes stopping the CP to fail, because the SSL daemon can't be stopped (its pid is unknown), and the Services page is not able to launch the CP either, because since the pid file is empty, it doesn't detect the CP is running correctly (or at least we think so).

What we do then usually is we manually kill the lighttpd daemon and remove the related files in /var/run/ if needed, then we restart it from the Services page, and if both processes are up (it sometimes takes several clicks on "Start CP"), we put the SSL daemon's pid into the correct pid file in /var/run/

This way stopping the CP from the Services page works again, but the real problem is when starting it: something is not always working correctly and the pid file is empty. Why? We don't know.

We also experience other problems, like user connections which never expire, despite us having put an expiration time at 720 minutes: the minicron job /etc/rc.prunecaptiveportal seems to die, leaving its lock file in /tmp and so launching it manually without removing the lock file first doesn't help. When removing the lock file and launching the job from the command line it expires connections correctly. Not sure if it's related or not to the above problem.

We are not seeking a fix, since we've got a workaround, but we'd like to know if other people experience the same problem or if we are alone with this.

Thanks in advance for any help or advice

--
Jérôme Alet - - Direction du Système d'Information
Université de la Nouvelle-Calédonie - BPR4 - 98851 NOUMEA CEDEX
Tél : +687 290081 Fax : +687 254829
[pfSense] Complex (?) traffic shaping question
Hi,

In a very old previous message I talked about having successfully set a limiter on an interface by creating a single rule above all the other ones in an interface's tab, which would use an upload and a download limiter and allow all protocols from any to any.

But I didn't notice that this rule in fact (I know I'm stupid) allowed all traffic, and so the "pass" rules below this one were never evaluated (this was not in production and we didn't notice until now), neither was the default block rule...

In fact what we want to do is complex enough that while having understood the problem (and removed the faulty rule for now), I don't know how to proceed to make it work.

Architecture: we have 10 LAN interfaces and three WAN interfaces. One of the WAN interfaces is 30 Mbits/s and is dedicated to two of the LANs. These two LANs are very restricted: one is for the captive portal, which is available both over WiFi and over the wire for our students, from the university campus and from their wired rooms. The other restricted LAN is our dedicated VLAN for computer classrooms. On both of these LAN interfaces, there are only very few "pass" rules, this is a mostly closed setting.

We want to ensure that during courses (from 7 a.m. to 6 p.m.), students behind the captive portal (be it over WiFi or wire) can only use at most 10 Mbits/s for download and 2 Mbits/s for upload total from the 30 Mbits of the WAN interface, the remaining 20 Mbits/s being dedicated to computer classrooms.

After courses time, we want the 30 Mbits/s to be shared as needed (no limit) between the two LANs.

But we also want to have the captive portal, at any time, limit a user to 4 Mbits/s download and 512 Kbits/s upload.

So for the captive portal we have set the correct limits per user and it works fine.

But now, I don't know how to play with the limiters (10 Mbits/s download and 2 Mbits/s upload) for the CP interface itself. I've done lots of testing but I don't find the solution.

In addition I believe 2.1 added the possibility to apply a schedule to a limiter, in addition to a rule.

I know I should apply some rule with the limiters to our captive portal interface, but I don't know:

* if the schedule should be applied to the limiters or to the rule itself, or to both.
* if the limiters should be applied to all rules or only to a single rule and if a single rule where should I place it considering our mostly closed setting.
* if additional interface or floating rules with or without limiters should be created, where, and with which settings.
* if interface limiters and captive portal limiters are compatible, or if one takes precedence over the other.

I've tested several combinations of the above things, but unfortunately I'm still not able to make it work as I want.

I've read several documentations like the traffic shaping guide on pfsense.org, and looked at examples on the web like this one:

http://www.youtube.com/watch?v=Usi195rK35I

but all these examples are for the default LAN interface, which always has a pass all protocol from any to any rule, so adding a similar rule with limiters is very easy. But obviously our setup is not that simple...

So I'm lost at what to do now to make this work. This setting is not vital for us, we don't really NEED it, but we'd really like to have this working to improve the life of our students during courses, in order for people behind the CP to not eat all bandwidth.

FYI we are using 2.1BETA0, having problems when we recently tried to upgrade to 2.1BETA1, as explained in a previous message, in case this matters.

Thanks in advance for any help.

--
Jérôme Alet - - Direction du Système d'Information
Université de la Nouvelle-Calédonie - BPR4 - 98851 NOUMEA CEDEX
Tél : +687 290081 Fax : +687 254829
[pfSense] BUG in the size computation for a backup
Hi,

I've just found out why I thought (my previous message) that our backup was extremely slow to restore...

See the attached screenshot: pfSense displays 3.4 GB, but the real size on disk is 27.5 GB, which takes more time to restore...

BTW in the full backup Squid cache's content is saved as well. Could there be an option to save "Full backup without Squid's cache"?

As for our other problems I can only confirm that restoring BETA0 from Nov 10th fixed the CP problems.

TIA

--
Jerome Alet
[pfSense] Problem with Captive Portal in latest BETA1 snapshot
Hi and happy new year to all,

When going back to work this morning we upgraded from the November 10th BETA0 to January 6th BETA1 snapshot.

It seems that the captive portal doesn't work anymore (see second paragraph below), so we had to restore the full backup: we ALWAYS do a full backup prior to upgrade ;-)

We notice that the "Restore Full Backup" tab in the firmware menu is usually very very slow, and that the firewall doesn't reboot automatically at the end (or at what we suppose is the end, i.e. when the bsdtar command is no longer running). This is problematic as we don't know for sure if the restoration is finished or not. Is this a known problem and is there a solution?

The problem we encountered is that while the end user is correctly logged in, as can be seen in the logs or in CP's status, the web browser always returns to the captive portal's authentication web form, and not to the user specified URL.

Also we encounter, for a very long time now, problems when stopping and starting the CP: it seems it listens both to ports 80 and 8001 and launches two lighttpd processes, but most of the time only one is launched and/or stopped, even after having manually killed the processes and removing the pid files.

Finally, but this is not related to CP, it seems that when booting after the upgrade, all our syslog settings were there but nothing was sent to our syslog server: we had to go to System Logs and save the settings again to make the syslog client resume.

Any idea if we did something wrong or if something is really broken?

Thanks so much in advance

--
Jérôme Alet - - Direction du Système d'Information
Université de la Nouvelle-Calédonie - BPR4 - 98851 NOUMEA CEDEX
Tél : +687 290081 Fax : +687 254829
[pfSense] Captive portal and HTTPS homepage
Hi,

We've got pfSense 2.1 snapshots running with Squid package 2.7.9 pkg v.4.3.1 (not sure if it's meaningful or not).

If a client behind the captive portal is not authenticated yet, and its browser's homepage is an https:// URL (typically our University's webmail), then there's no redirection to the captive portal to force the user to authenticate, and the page keeps loading forever with an empty browser window.

If we change the client's browser's homepage to an http:// page, then all is fine.

How can we fix this problem?

Thanks in advance

--
Jérôme Alet - - Direction du Système d'Information
Université de la Nouvelle-Calédonie - BPR4 - 98851 NOUMEA CEDEX
Tél : +687 290081 Fax : +687 254829
Re: [pfSense] Problems with installing pfSense Kernel 8.1 on R420 PowerEdge?
Hi,

> From: Luiz Fernando Barros
> Sent: Tue Nov 20 04:00:51 NCT 2012
> To:
> Subject: [pfSense] Problems with installing pfSense Kernel 8.1 on R420
> PowerEdge?
>
> Recently got a dell R420 server 6-core 8 GB MM in order to install this
> server pfSense the 2.0 using freebsd kernel, but am not having success,
> someone could let me know if some kind of incompatibility, has made a
> series of attempts solution and got no success.

You should install the 2.1 snapshot, with 2.0 I think the disk controller is not supported.

bye

--
Jerome Alet
Re: [pfSense] Strange problem after auto update
Hi,

Just to let you know that this 2.1 snapshot:

"FreeBSD 8.3-RELEASE-p4 #1: Thu Nov 8 11:35:37 EST 2012"

fixes my problem.

Now the slave can ping and do DNS queries at will, as expected (at least as "I" expected).

bye, and thanks for your work guys!

--
Jérôme Alet - - Direction du Système d'Information
Université de la Nouvelle-Calédonie - BPR4 - 98851 NOUMEA CEDEX
Tél : +687 290081 Fax : +687 254829
Re: [pfSense] Strange problem after auto update
Hi,

I was able to do the upgrade just now, finally... and no luck.

> From: Chris Buechler
> Sent: Tue Nov 06 17:17:02 NCT 2012
> To: pfSense support and discussion
> Subject: Re: [pfSense] Strange problem after auto update
>
> You can try either upgrading to a
> November 6 or newer snapshot, or just removing the line containing

Done. This doesn't change the situation unfortunately...

> "set state-policy if-bound" from /etc/inc/filter.inc and reloading the
> filter rules under Status>Filter reload. See if that changes anything.

That line isn't even present in /etc/inc/*:

    [2.1-BETA0][r...@pfsense2.univ-nc.nc]/etc/inc(8): grep "state-policy" *
    [2.1-BETA0][r...@pfsense2.univ-nc.nc]/etc/inc(9):
    [2.1-BETA0][r...@pfsense2.univ-nc.nc]/etc/inc(10): grep "if-bound" *
    [2.1-BETA0][r...@pfsense2.univ-nc.nc]/etc/inc(11):

I'm restoring again right now.

Any other idea?

bye, and thanks so much again for your time

--
Jerome Alet
Re: [pfSense] Strange problem after auto update
Hi,

> From: Chris Buechler
> Sent: Tue Nov 06 17:17:02 NCT 2012
> To: pfSense support and discussion
> Subject: Re: [pfSense] Strange problem after auto update
>
> You're running into some kind of regression and I'm not exactly sure
> what. I have a suspicion it's related to the various problems with
> if-bound states, but not sure. You can try either upgrading to a
> November 6 or newer snapshot, or just removing the line containing
> "set state-policy if-bound" from /etc/inc/filter.inc and reloading the
> filter rules under Status>Filter reload. See if that changes anything.
> Keep doing that only on the secondary and don't upgrade the primary
> until the secondary is fixed as it's almost certain it'll break too.

Unfortunately I won't be able to test this until Thursday, but I'll let you know how it goes.

bye, and thanks a lot for your help

--
Jerome Alet
Re: [pfSense] Strange problem after auto update
Me, again :-)

I've noticed something that might be helpful...

When I upgraded the slave member of my pfSense cluster, the version number of the configuration file changes from 9.0 to 9.1.

So I've got two members of the cluster with different versions, since I've not upgraded the master yet, and I'm not sure I want to do it before knowing the source of my problem. So master is still in 9.0 and slave is in 9.1.

Could this be the cause of my problem? I mean, when the master tries to sync its configuration to the slave, doesn't it break the slave's configuration?

Is the proper way to upgrade by upgrading the master first???

Does this mean that if I upgrade the master now, all will be fine again?

Thanks (again) in advance for any answer.

--
Jérôme Alet - - Direction du Système d'Information
Université de la Nouvelle-Calédonie - BPR4 - 98851 NOUMEA CEDEX
Tél : +687 290081 Fax : +687 254829
Re: [pfSense] Strange problem after auto update
Hi again,

On Tue, Nov 06, 2012 at 05:45:52AM +1100, jerome alet wrote:
> > From: Mikey van der Worp
> > Sent: Mon Nov 05 15:29:04 NCT 2012
> > To: pfSense support and discussion
> > Subject: Re: [pfSense] Strange problem after auto update
> >
> > According to the details it looks like ICMP echo is blocked. Does it do
> > the same pinging to google etc?
>
> Sorry, forgot to add that I don't see any rejected packet in our
> central syslog server, for any of these two pfSense boxes.

I've done additional tests this morning with the "8.3-RELEASE-p4 #1: Sun Nov 4 19:45:08 EST 2012" snapshot.

BTW ICMP is not blocked because pinging the slave from any other host works fine, and now I've found that pinging from the slave to some machines on some interfaces (only the ones with public IPs it seems, although I don't understand why) works. And pinging the IP address of www.google.com works fine too.

But pinging from slave to LAN doesn't work, despite the "Default allow LAN to any rule" and an additional explicit ICMP allow all rule.

And now I've just noticed this: if I disable CARP on the slave, all works fine again from the slave as far as ping and DNS are concerned (the only tests I've done so far). As soon as I re-enable CARP on the slave, the slave encounters the same problem as already reported: no ping to LAN and other "internal" networks, and no DNS either.

Again, if I restore my full backup from September 27th, all is perfectly fine for the slave. And of course all this without modifying anything to the configuration...

Any other idea?

TIA

--
Jérôme Alet - - Direction du Système d'Information
Université de la Nouvelle-Calédonie - BPR4 - 98851 NOUMEA CEDEX
Tél : +687 290081 Fax : +687 254829
Re: [pfSense] Strange problem after auto update
Hi,

> From: Mikey van der Worp
> Sent: Mon Nov 05 15:29:04 NCT 2012
> To: pfSense support and discussion
> Subject: Re: [pfSense] Strange problem after auto update
>
> According to the details it looks like ICMP echo is blocked. Does it do the
> same pinging to google etc?

Sorry, forgot to add that I don't see any rejected packet in our central syslog server, for any of these two pfSense boxes.

As far as pinging google is concerned, DNS doesn't work either, so I don't think ICMP echo is particular, I mentioned this to expose the connectivity problem.

BTW since our DNS server is on the LAN interface, and the default rule in pfSense (IIRC) is to allow all from LAN (and we kept this default rule active), the DNS queries should just work, and they don't.

What is strange though is that both the web interface and the ssh server work, even when connecting from LAN.

Could this be a misconfiguration on our part, being exposed only because of the update?

Thanks in advance for any hint

--
Jerome Alet
[pfSense] Strange problem after auto update
Hi,

We've got two pfsense 2.1-BETA0 snapshots running on AMD64 as a failover cluster. Each of these two Dell R610 has two Intel quad ports Gigabit Ethernet (igb) and one (integrated) Broadcom (bce) quad ports Gigabit Ethernet cards.

Both were running "8.3-RELEASE-p4 #1: Thu Sep 27 14:06:33 EDT 2012" just fine.

This morning, I've updated the slave to "8.3-RELEASE-p4 #1: Sat Nov 3 16:04:02 EDT 2012". Fortunately I haven't updated the master for now.

Since this upgrade, all syslog from the slave host logs to our central syslog server as the CARP VIP address of the LAN. Before, it went to the central syslog server as its own LAN address, just like the master host. This is a really big change and I don't really understand why it would happen or even be a good idea.

Finally, the slave host does seem to have big connectivity problems, causing at least DNS to fail:

One of our DNS server's IP address is 10.10.0.3, on the LAN. The master's IP address is 10.10.3.252, the slave is 10.10.3.253 and the CARP virtual IP is 10.10.3.254. The network mask is 255.255.252.0

Now here's a ping from our DNS server to the slave:

    awa:~ # ping pfsense2
    PING pfsense2-intra.univ-nc.nc (10.10.3.253) 56(84) bytes of data.
    64 bytes from pfsense2-intra.univ-nc.nc (10.10.3.253): icmp_seq=1 ttl=64 time=0.267 ms
    64 bytes from pfsense2-intra.univ-nc.nc (10.10.3.253): icmp_seq=2 ttl=64 time=0.205 ms
    64 bytes from pfsense2-intra.univ-nc.nc (10.10.3.253): icmp_seq=3 ttl=64 time=0.215 ms
    64 bytes from pfsense2-intra.univ-nc.nc (10.10.3.253): icmp_seq=4 ttl=64 time=0.243 ms

    --- pfsense2-intra.univ-nc.nc ping statistics ---
    4 packets transmitted, 4 received, 0% packet loss, time 3012ms
    rtt min/avg/max/mdev = 0.205/0.232/0.267/0.028 ms

The other way around, from the slave to DNS:

    [2.1-BETA0][r...@pfsense2.univ-nc.nc]/etc(13): ping 10.10.0.3
    PING 10.10.0.3 (10.10.0.3): 56 data bytes
    ^C
    --- 10.10.0.3 ping statistics ---
    9 packets transmitted, 0 packets received, 100.0% packet loss

So this way all packets are lost, but traceroute works fine:

    [2.1-BETA0][r...@pfsense2.univ-nc.nc]/etc(20): traceroute -n 10.10.0.3
    traceroute to 10.10.0.3 (10.10.0.3), 64 hops max, 52 byte packets
     1  10.10.0.3  0.276 ms  0.308 ms  0.221 ms

If I do a full restore (I did a full backup before the slave update), then all works fine again.

Any idea of what could be wrong with our setup?

Thanks so much in advance

--
Jérôme Alet - - Direction du Système d'Information
Université de la Nouvelle-Calédonie - BPR4 - 98851 NOUMEA CEDEX
Tél : +687 290081 Fax : +687 254829
[pfSense] DHCP server questions
Hi,

We're running the very latest snapshot of 2.1beta0 on two boxes with failover: it's GREAT!!!

However, we like to report some limits of the DHCP server's configuration capabilities, in case these enhancements could be implemented in a future release.

* First problem is with the "range" settings: if we want to create a set of static mappings, and check the "Deny unknown clients" checkbox, then the WebUI doesn't accept that we don't fill the start and end range boxes. So we have to fill them in and we use the same IP address for start and end, but this is not very clean. Are we doing something wrong, or as we think, should the WebUI accept such settings?

* Second problem is about network booting: it's not possible to specify a different boot server or none at all for a set of machines behind the same interface. What would be great would be a way to override the "next-server" setting on a host-by-host basis, just like it's possible to do so when modifying ISC's dhcpd.conf manually. So a "next-server" input box should be added in the "edit static mapping" box when network booting is enabled on a particular interface: this page already allows one to specify a different root path and filename than the ones defined at the interface level, so why not add a different next server override option as well?

Would other people like such enhancements?

Thanks in advance.

--
Jérôme Alet - - Direction du Système d'Information
Université de la Nouvelle-Calédonie - BPR4 - 98851 NOUMEA CEDEX
Tél : +687 290081 Fax : +687 254829
Re: [pfSense] Squid transparent ssl proxy
Good evening,

> From: Stefan Baur
> Sent: Wed Jul 25 17:51:19 NCT 2012
> To:
> Subject: Re: [pfSense] Squid transparent ssl proxy
>
> On 25.07.2012 05:17, Jerome Alet wrote:
> > Any idea what I'm doing wrong ?
>
> This is what you're doing wrong:
> > Now I'd like to set it up as an HTTPS transparent proxy as well.
>
> HTTPS traffic is encrypted, and squid is lacking the proper
> keys/certificates to decrypt it.
>
> In theory, you could set up squid with its own certificates, but that
> will turn squid into a man-in-the-middle, i.e. all your clients will
> complain that the certificate doesn't match the sites they're trying to
> access.

I know this is man in the middle, and I even wrote that we were OK with the browser message which clearly says there's something like a man in the middle attack going on.

Since I've added its own certificate to Squid, it isn't lacking them, and so it "*should*" work from what I've read on the net about this subject. But clearly I'm missing something because instead of having the traffic decrypted by Squid and then encrypted again by Squid for local clients, I've got a Protocol Error.

So my original question was not about it being OK to do it or not, but more about why it didn't work as expected.

Thanks for your feedback anyway, if I can't do otherwise I'll play with autoconfiguration scripts.

bye

--
Jerome Alet
[pfSense] Squid transparent ssl proxy
Hi there,

I've got squid 2.7 setup and running as a transparent HTTP proxy on pfSense 2.1 snapshot from June 28th.

Now I'd like to set it up as an HTTPS transparent proxy as well.

In the proxy server's custom options box I've added :

    https_port 127.0.0.1:3129 transparent \
        cert=/etc/certs/pfsense.example.org.pem \
        key=/etc/certs/pfsense.example.org.key

Then I've created a NAT (Port Forward) rule to redirect all HTTPS (destination port) traffic over to 127.0.0.1:3129, and automatically added an associated filter rule which allows such connections.

Now when I'm trying to access https://www.gmail.com for example, I've got the browser warning about the name mismatch wrt the local certificate (we're fine with that), but then I've got this message in my browser :

    (92) Protocol error

Squid's access.log contains :

    1343186054.441256 10.10.10.100 TCP_MISS/502 1481 GET https://www.gmail.com/ - DIRECT/74.125.237.150 text/html

And Squid's cache.log contains :

    2012/07/25 14:14:14| SSL unknown certificate error 20 in /C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com
    2012/07/25 14:14:14| fwdNegotiateSSL: Error negotiating SSL connection on FD 37: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)

Any idea what I'm doing wrong ?

bye

--
Jérôme Alet - - Direction du Système d'Information
Université de la Nouvelle-Calédonie - BPR4 - 98851 NOUMEA CEDEX
Tél : +687 290081 Fax : +687 254829
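Read together, the two cache.log lines in the message above say which side of the interception failed. As an added example (not part of the original message and not Squid code), this parser pairs them and decodes the OpenSSL verify code; the code table and the routine-name heuristic used to pick the leg are this example's own assumptions.

```python
import re

# The two cache.log lines quoted in the message above.
CACHE_LOG = """\
2012/07/25 14:14:14| SSL unknown certificate error 20 in /C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com
2012/07/25 14:14:14| fwdNegotiateSSL: Error negotiating SSL connection on FD 37: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
"""

# Subset of OpenSSL X509 verify result codes, with what to check on the proxy.
X509_VERIFY = {
    9: ("CERT_NOT_YET_VALID", "check the proxy's clock"),
    10: ("CERT_HAS_EXPIRED", "check the proxy's clock, then the origin certificate"),
    18: ("DEPTH_ZERO_SELF_SIGNED_CERT", "origin presents a self-signed certificate"),
    19: ("SELF_SIGNED_CERT_IN_CHAIN", "chain root is not in the proxy's trust store"),
    20: ("UNABLE_TO_GET_ISSUER_CERT_LOCALLY", "issuer CA is not in the proxy's trust store"),
    21: ("UNABLE_TO_VERIFY_LEAF_SIGNATURE", "origin sent an incomplete chain"),
}

VERIFY_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\| SSL unknown certificate error (?P<code>\d+) in (?P<subject>/.+)$"
)
NEGOTIATE_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\| (?P<func>\w+): Error negotiating SSL connection on FD (?P<fd>\d+): "
    r"error:(?P<err>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<routine>[^:]*):(?P<reason>[^(]*?)\s*\("
)


def subject_cn(subject):
    """Pull CN out of an OpenSSL one-line subject such as /C=US/.../CN=host."""
    for part in subject.split("/"):
        if part.startswith("CN="):
            return part[3:]
    return ""


def triage(log_text):
    """Pair each verify-error line with the negotiation failure that follows it."""
    findings, pending = [], None
    for line in log_text.splitlines():
        m = VERIFY_RE.match(line)
        if m:
            code = int(m["code"])
            name, hint = X509_VERIFY.get(code, ("UNKNOWN_%d" % code, "look the code up"))
            pending = {"ts": m["ts"], "peer_cn": subject_cn(m["subject"]),
                       "verify_code": code, "verify_name": name, "hint": hint}
            continue
        m = NEGOTIATE_RE.match(line)
        if m:
            # Heuristic: GET_SERVER_* routines run when the local side is the TLS
            # client, GET_CLIENT_* routines when it is the TLS server.
            if "GET_SERVER_" in m["routine"]:
                leg = "proxy->origin"
            elif "GET_CLIENT_" in m["routine"]:
                leg = "client->proxy"
            else:
                leg = "unknown"
            finding = {"ts": m["ts"], "leg": leg, "reason": m["reason"].strip(),
                       "openssl_error": m["err"]}
            if pending and pending["ts"] == m["ts"]:
                finding.update(pending)
            findings.append(finding)
            pending = None
    return findings


if __name__ == "__main__":
    for f in triage(CACHE_LOG):
        print(f)
```

For the quoted lines it reports verify code 20 on the proxy->origin leg: the failure is in Squid's own validation of the origin server's certificate, not in the certificate Squid presents to browsers.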
[pfSense] Multi-WAN for multiple LANs
Hi,

We'd like to set up 2.1 with two different WAN interfaces, each being exclusively used by two sets of several LAN's.

So what we've done is create first WAN (WAN1) and set its gateway (GW1) as the default one. And now we've added second WAN (WAN2) and its gateway (GW2)

So we've got NETS1 as LAN1+LAN2+DMZ and NETS2 as LAN4+LAN5

Since GW1 is the default gateway, without doing anything all traffic will go through it.

We'd like to have NETS1 to never go through GW2, but NETS2 to never go through GW1, and always go through GW2.

NETS2 should use the pfSense box as its DNS server, which in turn uses DNS servers located in NETS1, and NETS2 should be able to access some machines in DMZ without going through GW2, but directly through pfSense.

On top of that we want to use manual NAT outbound rules and use NATNETS2 IP Address (which is a CARP type interface address) as the NAT address when NATting clients from NETS2. This address is also defined as the tcp_outgoing_address for clients from NETS2 in pfSense's Squid configuration.

Is there a HOWTO about doing this sort of thing, or could anyone give us some hints ?

What we've found so far are only documents about multi-wan with load balancing or failover, and while we want failover on all our LANs, we specifically don't want this on our WANS : because of legal reasons clients from NETS2 are now allowed to use GW1.

Thanks in advance for any help on this matter

--
Jérôme Alet - - Direction du Système d'Information
Université de la Nouvelle-Calédonie - BPR4 - 98851 NOUMEA CEDEX
Tél : +687 290081 Fax : +687 254829
Re: [pfSense] Network "freezes" on IBM x3550, Broadcom NICs
Hi,

> From: Adam Thompson
>
> You're largely correct, pfSense has - sometimes - issues with Broadcom NICs.
> If you search the mailing list archives and the bug tracker you'll see a
> number of reports/complaints.
> Many of these issues have been fixed since the 1.x era, but there are still
> occasional compatibility issues.
> The NIC troubleshooting steps often resolve the issue (at least well enough
> for daily use), but not always. IIRC, there are a couple modern Dell
> PowerEdge servers (R700, maybe?)
> that essentially can't be used with pfSense's NIC drivers at all. It's
> possible your IBM is going to be another problematic platform until the
> project releases a FreeBSD-9-based
> version.

I can confirm that brand new Dell R610 won't work with stable release because of missing driver for the RAID controller.

Devel snapshots of 2.1 work wrt disk controller, but require some tweaks to /boot/loader.conf.local to fix network issues with Broadcom NIC's, as well as 4 ports Intel NICs...

Once you've put the fixes in, network seems to work fine and the machine doesn't behave erratically.

Although we're still doing tests and we complexify our setup each day : >15 vlans and 2 unrelated wan links (two sets of clients) all with carp failover, squid and so on, we're confident it now works as expected with this hardware.

hth

--
Jerome Alet
[pfSense] DNS problem
Hi there,

I've just searched the bug tracker with no luck.

I'm using "2.1-BETA0 (amd64) built on Thu Jun 28 09:42:08 EDT 2012"

I've got a problem with DNS resolution for the firewall itself.

I've added my two DNS servers (in LAN) to "General Setup" and checked the "Do not use DNS Forwarder as a DNS server for the firewall". All works fine for the firewall's point of view wrt DNS.

If I uncheck this option, DNS for the firewall itself doesn't work : pfSense has added 127.0.0.1 in /etc/resolv.conf and uses it, but fails.

Also, despite checking the box again, and having a resolv.conf without 127.0.0.1, I can see in tcpdump that 127.0.0.1 is still used for DNS (for clients because I've activated DNS masquerading, I suppose), but always answers "NXDomain"

When doing tcpdump, I see that every packet sent to localhost has an incorrect checksum. Could this be the source of my problem ?

    11:21:35.461807 IP (tos 0x0, ttl 64, id 35149, offset 0, flags [none], proto UDP (17), length 118, bad cksum 0 (->f327)!)
        127.0.0.1.42732 > 127.0.0.1.53: 41354+[|domain]
    11:21:35.461945 IP (tos 0x0, ttl 64, id 64302, offset 0, flags [none], proto UDP (17), length 118, bad cksum 0 (->8146)!)
        127.0.0.1.53 > 127.0.0.1.42732: 41354 NXDomain[|domain]

TIA

--
Jérôme Alet - - Direction du Système d'Information
Université de la Nouvelle-Calédonie - BPR4 - 98851 NOUMEA CEDEX
Tél : +687 290081 Fax : +687 254829
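The "bad cksum 0 (->f327)" annotation in the capture above can be checked by hand. This added example (not part of the original message) rebuilds each IPv4 header from the fields tcpdump printed, assuming a 20-byte header without options, and recomputes the RFC 1071 checksum to compare with the value tcpdump shows after `->`.

```python
import ipaddress
import re
import struct

# The two tcpdump -v lines quoted in the message above.
TCPDUMP_LINES = [
    "11:21:35.461807 IP (tos 0x0, ttl 64, id 35149, offset 0, flags [none], "
    "proto UDP (17), length 118, bad cksum 0 (->f327)!) "
    "127.0.0.1.42732 > 127.0.0.1.53: 41354+[|domain]",
    "11:21:35.461945 IP (tos 0x0, ttl 64, id 64302, offset 0, flags [none], "
    "proto UDP (17), length 118, bad cksum 0 (->8146)!) "
    "127.0.0.1.53 > 127.0.0.1.42732: 41354 NXDomain[|domain]",
]

LINE_RE = re.compile(
    r"tos (?P<tos>0x[0-9a-f]+), ttl (?P<ttl>\d+), id (?P<id>\d+), "
    r"offset (?P<off>\d+), flags \[(?P<flags>[^\]]*)\], "
    r"proto \w+ \((?P<proto>\d+)\), length (?P<len>\d+)"
    r"(?:, bad cksum (?P<seen>[0-9a-f]+) \(->(?P<want>[0-9a-f]+)\)!)?\) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > (?P<dst>\d+\.\d+\.\d+\.\d+)\.\d+:"
)

# tcpdump prints "DF" for Don't Fragment and "+" for More Fragments.
FLAG_BITS = {"DF": 0x4000, "+": 0x2000}


def internet_checksum(data):
    """RFC 1071: one's-complement of the one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def rebuild_header(fields, checksum=0):
    """Rebuild the 20-byte IPv4 header (no options assumed) from tcpdump's fields."""
    flags = sum(FLAG_BITS.get(tok.strip(), 0) for tok in fields["flags"].split(","))
    frag = flags | (int(fields["off"]) // 8)  # tcpdump prints the offset in bytes
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, int(fields["tos"], 16), int(fields["len"]), int(fields["id"]),
        frag, int(fields["ttl"]), int(fields["proto"]), checksum,
        ipaddress.IPv4Address(fields["src"]).packed,
        ipaddress.IPv4Address(fields["dst"]).packed,
    )


def analyse(line):
    """Compare the checksum field tcpdump saw with the value the header should carry."""
    m = LINE_RE.search(line)
    if m is None:
        raise ValueError("not a tcpdump -v IPv4 line")
    f = m.groupdict()
    computed = internet_checksum(rebuild_header(f, 0))
    seen = int(f["seen"], 16) if f["seen"] else None
    want = int(f["want"], 16) if f["want"] else None
    return {
        "id": int(f["id"]),
        "stored": seen,                 # value found in the captured header
        "tcpdump_expected": want,       # value tcpdump printed after "->"
        "computed": computed,           # value recomputed here
        "matches_tcpdump": computed == want,
        # A header carrying the right checksum sums to zero when re-verified.
        "verifies_when_filled": internet_checksum(rebuild_header(f, computed)) == 0,
    }


if __name__ == "__main__":
    for line in TCPDUMP_LINES:
        print(analyse(line))
```

Both headers are otherwise consistent: the recomputed values equal the ones tcpdump expected, and the captured checksum field simply held 0 in each packet.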
Re: [pfSense] Possible bug in gateway monitoring in 2.1 snapshot (Sat Jun 16 08:16:08 EDT 2012)
Good evening,

Seth Mos wrote:
> On 22 Jun 2012, at 04:30, Moshe Katz wrote:
> > On Wed, Jun 20, 2012 at 4:50 PM, Jerome Alet wrote:
> > > When you add an alternative IP address to monitor, a static route is added between the gateway address and the address to monitor. But when you delete this alternative IP address, click on "save" and then on "apply changes", the static route is not removed as can be seen with netstat -nr.
>
> This is a clear bug, it's supposed to delete the route to that host.
> Is this a v4 or v6 monitor ip, I could see the delete command failing for ipv6 here.

It was IPv4.

BTW the "route get" command fails with an error about the routing socket IIRC, that's why I used "netstat -nr", not sure if this is related or not.

bye

Jerome Alet
Re: [pfSense] Possible bug in gateway monitoring in 2.1 snapshot (Sat Jun 16 08:16:08 EDT 2012)
On Thu, Jun 21, 2012 at 10:36:49PM -0400, Chris Buechler wrote:
> The static routes aren't even necessary anymore, so they can go in the future.
> http://redmine.pfsense.org/issues/2514

What a GREAT software and development team !!!

Thanks to all

--
Jérôme Alet - - Direction du Système d'Information
Université de la Nouvelle-Calédonie - BPR4 - 98851 NOUMEA CEDEX
Tél : +687 290081 Fax : +687 254829
Re: [pfSense] Possible bug in gateway monitoring in 2.1 snapshot (Sat Jun 16 08:16:08 EDT 2012)
Hi,

On Thu, Jun 21, 2012 at 10:30:15PM -0400, Moshe Katz wrote:
>
> If you know PHP, and have time, maybe you can write a patch to connect the
> gateway monitor and the static route, and submit it.

I'm more a Python and C guy, and I don't know PHP enough to not do something bad.

> I opened an issue in the pfSense Redmine to track this:
> http://redmine.pfsense.com/issues/2513

Thanks.

Not necessary to fix this if it's difficult, but adding this as an informational message below the "Monitor IP" input box would be great. Something like this maybe :

"If later on you remove this IP address from monitoring, take care to manually remove the route to it because it won't be done automatically, or else reboot your pfSense host."

bye

--
Jérôme Alet - - Direction du Système d'Information
Université de la Nouvelle-Calédonie - BPR4 - 98851 NOUMEA CEDEX
Tél : +687 290081 Fax : +687 254829
[pfSense] Possible bug in gateway monitoring in 2.1 snapshot (Sat Jun 16 08:16:08 EDT 2012)
Hi there,

While playing with gateways and monitoring alternative IP addresses, I've noticed a problem.

When you add an alternative IP address to monitor, a static route is added between the gateway address and the address to monitor. But when you delete this alternative IP address, click on "save" and then on "apply changes", the static route is not removed as can be seen with netstat -nr.

Once you know this it's OK, but when you don't know and try to monitor the external IP addresses of two links to two different ISP, each one monitoring the other one, this creates some funny routing problems even when you disable this monitoring, and this renders the problem difficult to understand, and then fix.

Is this a bug or normal behavior ?

TIA

--
Jérôme Alet - - Direction du Système d'Information
Université de la Nouvelle-Calédonie - BPR4 - 98851 NOUMEA CEDEX
Tél : +687 290081 Fax : +687 254829
Re: [pfSense] Question about failover setup
Good evening,

> From: Seth Mos
> Sent: Wed Jun 20 19:47:06 NCT 2012
> To:
> Subject: Re: [pfSense] Question about failover setup
>
> We hope that the CARP overhaul that is included in FreeBSD9 will help us
> in this case, but we can't guarantee that it will work this way either.

In the meantime the other side of our links has just informed me that another company that was connected to them has just freed their own link, which is on a /30 subnet contiguous to us, so... no problem anymore, we've been assigned a /29 now :-)

Thanks for your help

--
Jerome Alet
Re: [pfSense] Question about failover setup
Hi,

On Tue, Jun 19, 2012 at 08:35:38AM +0200, Seth Mos wrote:
> On 18-6-2012 23:26, Jerome Alet wrote:
> >
> >So now that I'm trying to replicate the OpenBSD configuration on my
> >pfSense 2.1 boxes, I'm wondering if I really need 3 distinct IP
> >addresses on each vlan and what are the consequences of using only one
> >on the carp interface ?
>
> For pfSense you definitely need 3 addresses per vlan.

Thanks for your answer.

Now, maybe a stupid question...

Is it mandatory that all three addresses are in the same subnet, or is it possible to have the virtual one in a different subnet than the two "real" ones (still all three would be on the same vlan, but on different subnets) ?

I'm asking this because on one of our interfaces we've got a dedicated link with a 30 bit subnet mask, leaving only two useable addresses : one on our side, the other on the other side of the link. We don't control the other side of the link unfortunately, so I'm really not sure yet if changing the subnet mask to allow more addresses will be doable (read "authorized") or not...

Thanks for any advice on this matter.

bye

--
Jérôme Alet - - Direction du Système d'Information
Université de la Nouvelle-Calédonie - BPR4 - 98851 NOUMEA CEDEX
Tél : +687 290081 Fax : +687 254829
[pfSense] Question about failover setup
Hi there,

We currently have two OpenBSD 4.1 boxes acting in failover mode to serve some of our firewalling needs. We are also using pfSense 2.0.1 and 1.2.2 for other firewalling needs.

I'm planning to consolidate all these firewalls onto two pfSense 2.1 acting in failover mode, and finally shut down all these old boxes. We need to use 2.1 snapshots because our boxes are Dell PowerEdge R610 with the Perc H200 controller, unsupported in earlier releases.

I didn't set up the two OpenBSD boxes, but I've noticed that for some vlans, their configuration doesn't seem to be complete wrt the following pfSense related documentation :

http://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_(CARP)

While for most vlans each of two OpenBSD boxes has a distinct IP address and they share a third distinct IP address as the virtual one (for the carp interface), on a few vlans only the carp interface is assigned an IP address : each box doesn't have a distinct IP address.

According to the documentation mentioned above, this configuration is incorrect. However I can attest that it works, at least when the two OpenBSD boxes are both online.

So now that I'm trying to replicate the OpenBSD configuration on my pfSense 2.1 boxes, I'm wondering if I really need 3 distinct IP addresses on each vlan and what are the consequences of using only one on the carp interface ?

Thanks for your advice.

bye

--
Jérôme Alet - - Direction du Système d'Information
Université de la Nouvelle-Calédonie - BPR4 - 98851 NOUMEA CEDEX
Tél : +687 290081 Fax : +687 254829
Re: [pfSense] Dell R610 with Perc H200I
On Wed, Jun 13, 2012 at 09:03:23AM +0200, Warren Baker wrote:
> On Wed, Jun 13, 2012 at 6:17 AM, Jerome Alet wrote:
> >
> > I'd like to know if support for Dell Perc H200i raid controllers is
> > planned in the next release of pfSense, could anyone enlighten me ?
>
> 2.1 is based on FreeBSD-8.3, so have a squizz at FreeBSD's HCL for 8.3
> (http://www.freebsd.org/releases/8.3R/hardware.html) as to what
> hardware is supported.

It's not listed as such, but at boot the machine (Dell R610) displays LSI SAS-2008-IR, so I suppose it will be supported.

Time to check with the 2.1 then :-)

Thanks a lot

--
Jérôme Alet - - Direction du Système d'Information
Université de la Nouvelle-Calédonie - BPR4 - 98851 NOUMEA CEDEX
Tél : +687 290081 Fax : +687 254829
[pfSense] Dell R610 with Perc H200I
Hi there,

I'd like to know if support for Dell Perc H200i raid controllers is planned in the next release of pfSense, could anyone enlighten me ?

Thanks in advance

--
Jérôme Alet - - Direction du Système d'Information
Université de la Nouvelle-Calédonie - BPR4 - 98851 NOUMEA CEDEX
Tél : +687 290081 Fax : +687 254829
Re: [pfSense] 2 LANs and time based limits
Hi,

> From: Adam Thompson
> Sent: Sat May 12 07:36:48 NCT 2012
> To: 'jerome alet'
> Subject: RE: [pfSense] 2 LANs and time based limits
>
> > I understand (thanks to your explanations) but what I was thinking
> > was not playing with the WAN side of the pipe which is shared, but
> > with the interfaces between pfSense and the two sets of clients,
> > which are not ADSL but traditional Ethernet links.
>
> That had not occurred to me. I believe, although I hope someone more
> expert will confirm or deny this, that inbound and outbound QoS should be
> applied on the same interface, and since you *will* want to apply outbound
> limits...
>
> However, that's an interesting idea and I don't know right now if your
> idea is a better way to do it.

I've done some testing and it seems to work as expected.

I've created two limiters, DownloadOPT1 set to 10 Mbits/s and UploadOPT1 set to 2 Mbits/s, then I've defined a PASS firewall rule on the OPT1 interface, with a 7 a.m. to 6 p.m. from Monday to Friday schedule, and the UploadOPT1 limiter assigned to the IN direction, and DownloadOPT1 limiter assigned to the OUT direction (my naming is backwards I think but the OUT direction is what comes from my WAN interface to my OPT1 interface, i.e. data downloaded by our students).

I've not yet modified anything for the other interface, but I don't think anything is necessary since only OPT1 will have limiters, the other one "should" be able to consume all the remaining bandwidth, and more if needed (classrooms have priority... of course)

I think this will be perfect for our needs.

bye, and thanks all for your help

Jerome Alet
Re: [pfSense] 2 LANs and time based limits
Hi,

> From: Adam Thompson
> Sent: Fri May 11 22:51:08 NCT 2012
> To: 'jerome alet' , 'pfSense support and discussion'
> Subject: RE: [pfSense] 2 LANs and time based limits
>
> QoS on ADSL is notoriously difficult, and does not usually work quite as
> expected. There are implementation issues to blame, as well as a
> theoretical/logical problem.

I understand (thanks to your explanations) but what I was thinking was not playing with the WAN side of the pipe which is shared, but with the interfaces between pfSense and the two sets of clients, which are not ADSL but traditional Ethernet links.

What I'm in doubt about now, is where to put the limiter rule ? Should the limiter be seen by me as a way to guarantee bandwidth, in which case I should set it high and apply it on the classrooms interface, or should it be seen by me as a bandwidth limiter, in which case I set it low and apply it on the apartments interface ?

> When you configure your system as described, you will rarely - if ever -
> get exactly the results you expected. Aim for "good enough", instead of
> "perfect" and you will likely succeed.

good enough is good enough for us : up until now there was only a single ADSL line for each set of clients, needless to say students will be happy whatever the solution. right now there's no limiter in use, so they ENJOY pfSense ;-)

thanks for your help.

--
Jerome Alet
Re: [pfSense] 2 LANs and time based limits
Hi again,

> From: Ermal Luçi
> Sent: Fri May 11 21:29:17 NCT 2012
> To: jerome alet , pfSense support and discussion
> Subject: Re: [pfSense] 2 LANs and time based limits
>
> On Fri, May 11, 2012 at 4:11 AM, jerome alet wrote:
> >
> > Our classrooms computers must have dedicated bandwidth from 7 a.m. to 6
> > p.m., for example they could have the bandwidth equivalent of 5 (of our 6)
> > ADSL modems, guaranteed, during this period of time, each day from Monday
> > to Friday. The remaining bandwidth should be dedicated to the apartments'
> > computers.
> >
> > Outside of these periods of time, the total available bandwidth should be
> > available for both sets of computers, with an equal share of it, i.e. just
> > as if we don't do anything special.
> >
> > Is this possible with pfSense and if yes please could someone tell me how
> > to proceed ?
>
> It is possible through time based rules and limiters.
> You just set up limiters with the limits you want guaranteed during
> weekdays and use those limiters in time based rules.

So am I correct with this scenario :

1 - Create the 7a.m. to 6p.m. schedule

2 - Create a single limiter, say 20 Mbits/s, with no other option, to dedicate 20 Mbits/s to classrooms (so apartments will use the remaining bandwidth that is still available when this limiter applies)

3 - When creating a rule, I add this rule only to the "classrooms" interface, and use the single limiter's name in both the IN and OUT drop down lists in the "Advanced features" of rule creation. Then I put this rule with "PASS" mode at the top for it to be evaluated first (or is it important at all where I put it wrt other rules) ?

Am I correct ?

Thanks for your feedback, I've never used limiters before and since I'll do this on the production system I'd like to not make too many mistakes.

Thanks in advance for your help

--
Jerome Alet
[pfSense] 2 LANs and time based limits
Hi,

We've got a pfSense 2.0.1 box with a single WAN (in fact it's behind a load balancer with 6 ADSL modems) and currently a single set of client machines which are students' computers in their apartments.

We are planning to add a second set of client machines to this pfSense box, which are computers in our classrooms.

Actually, and for several years now, we used 2 separate pfSense boxes, with 2 separate sets of modems, but we'd like to consolidate this onto a single box (with the future option of having a second box acting as an instant failover)

So in the setup we envision all machines must share the single WAN interface for Internet access. But...

Our classrooms computers must have dedicated bandwidth from 7 a.m. to 6 p.m., for example they could have the bandwidth equivalent of 5 (of our 6) ADSL modems, guaranteed, during this period of time, each day from Monday to Friday. The remaining bandwidth should be dedicated to the apartments' computers.

Outside of these periods of time, the total available bandwidth should be available for both sets of computers, with an equal share of it, i.e. just as if we don't do anything special.

Is this possible with pfSense and if yes please could someone tell me how to proceed ?

Thanks in advance

--
Jerome Alet