Re: [pfSense] Configs or hardware?

2018-02-15 Thread Joseph L. Casale
-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Kyle Marek
Sent: Thursday, February 15, 2018 10:38 AM
To: pfSense Support and Discussion Mailing List ; Eero Volotinen
Subject: Re: [pfSense] Configs or hardware?

> This is silly. I shouldn't have to replace my hardware to support a
> feature I will not use...
> 
> I shame Netgate for such an artificial limitation...

Who pays the Netgate developers and employee wages? The commercial side, there
is nothing unreasonable about this or hard to comprehend. The fact we get the fruits
of the labor for free is remarkable.

So the question is, should Netgate pay their developers to maintain features that
commercial users would never desire, what would their ROI on that be? They may
be able to justify some, but obviously not this one.

I personally don't feel home owner grade hardware is worth their efforts and I certainly
don't fault them. However, that is only my opinion for what it's worth...

jlc
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] Port forwards don't work on one machine

2018-02-12 Thread Joseph L. Casale
-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Marco
Sent: Sunday, February 11, 2018 2:30 PM
To: list@lists.pfsense.org
Subject: Re: [pfSense] Port forwards don't work on one machine

> I ran a wireshark on the destination and it received packets when
> “port testing” from the pfSense, but not when using external access
> (e.g. canyouseeme.org)

So what does a tcpdump on the pfSense instance reveal when the
canyouseeme.org test runs?

Obviously this is not a problem with the destination; several tests you have
run prove this, and based on the clear statement above, the issue is
somehow related to just the pfSense instance.
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] Port forwards don't work on one machine

2018-02-11 Thread Joseph L. Casale
-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Marco
Sent: Sunday, February 11, 2018 2:30 PM
To: list@lists.pfsense.org
Subject: Re: [pfSense] Port forwards don't work on one machine

> I ran a wireshark on the destination and it received packets when
> “port testing” from the pfSense, but not when using external access
> (e.g. canyouseeme.org)

Sounds like an ACL with a block or reject somewhere...
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] Port forwards don't work on one machine

2018-02-11 Thread Joseph L. Casale
-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Chris L
Sent: Sunday, February 11, 2018 1:43 PM
To: pfSense Support and Discussion Mailing List 
Subject: Re: [pfSense] Port forwards don't work on one machine

> What interface is that taken on? Take one on the interface the destination
> server is connected to (WLAN?) and test again. While you’re capturing also
> do another Diagnostics > Test Port from the local pfSense itself. Please
> include the capture of both events (from outside and using test port.)
> 
> It looks like the server is not responding.

I'd also suggest running a capture on the destination; if it's actually receiving
traffic and/or sending it elsewhere (routing rule) this will provide some insight.
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] pfsense crashing

2017-12-17 Thread Joseph L. Casale
-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero Volotinen
Sent: Sunday, December 17, 2017 11:02 AM
To: pfSense Support and Discussion Mailing List 
Subject: Re: [pfSense] pfsense crashing

> Need to test that tomorrow. Just wondering how to attach remote debugger
> or similar to get root cause of crash.

Page 13 in the SG-8860 manual.
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] pfsense crashing

2017-12-17 Thread Joseph L. Casale
-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero Volotinen
Sent: Sunday, December 17, 2017 5:28 AM
To: pfSense Support and Discussion Mailing List 
Subject: [pfSense] pfsense crashing

> After updating and restoring config to my SG-8860, it goes to endless boot
> - reboot - crash loop.
> 
> Any idea how to test if this is hardware or software issue?

Well, re-install fresh and _don't_ restore the config?
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] pfsense openvpn speed?

2017-11-25 Thread Joseph L. Casale
-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero Volotinen
Sent: Saturday, November 25, 2017 5:35 AM
To: pfSense Support and Discussion Mailing List 
Subject: [pfSense] pfsense openvpn speed?
 
> We are running pfsense 2.3 on netgate sg-8860.
> 
> Device is connected to internet with gigabit link, but openvpn speed is
> very slow (about 50Mbit/s). Any idea how to get more speed to vpn clients?

Assuming the obvious, low hanging fruit is addressed, there is much more
to getting high throughput with openvpn than just link speed considerations.

The openvpn wiki has good articles which may provide insight:
https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux
https://community.openvpn.net/openvpn/wiki/PerformanceTesting

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


[pfSense] dhcp relay in 2.3.2

2016-09-06 Thread Joseph L. Casale
While working on another issue I noticed that on the lan interface which
does not have dhcp relay enabled, the pfsense box is receiving and retransmitting
dhcp requests.

In this case, the dhcp server itself lies on the same vlan and interface that
the client exists on, hence the relay is not enabled on this interface.

Is this a known scenario with the pfsense relay, or should it not be
relaying on this interface as configured?

Thanks,
jlc
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] pf rule error

2016-08-10 Thread Joseph L. Casale
> The two are unlikely to be related.
>
> The "pf wedged" message can happen in some race conditions if multiple
> actions are happening, attempting to hit pf in the same way at the same
> moment. In most cases it's noteworthy but otherwise harmless.

I had made several rule additions, removals and changes including the same
for aliases. I was the only one accessing the UI and I had only one session.
I have never seen it before so it's certainly not a consistent issue anyway.

> There isn't enough detail in your description to speculate about why a
> VLAN might have stopped passing traffic, but it's unlikely to be related
> to a filter reload or pf in general unless you were changing rules on
> the interface at the time.

At the time we noticed the vlan stop passing dhcp requests there were no
changes. In this scenario, all the devices had leases so when the issue truly
manifested is hard to say. There had not been any rule changes on that
interface anyway, nor to the dhcp relay on it.

Given the nature of the traffic being broadcasts, I am not clear on how that
became affected. Possibly some other technique could have resolved it but
without knowing a reboot was my only option at the time.

Thanks,
jlc
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] pf rule error

2016-08-10 Thread Joseph L. Casale
> Check your states table size.

Low, right now it is only at 0.002% full and while I don't have that info
from the time of the failure I think it is safe to say it wasn't much different.

Thanks,
jlc
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


[pfSense] Hardware and usage opinion

2016-08-09 Thread Joseph L. Casale
I have a site that has grown significantly over time and the role pfsense plays
went from only providing internet and vpn connectivity to routing between 2
dozen vlans at gig speeds. We are considering replacing the hardware and aren't
sure if the site is at the point where dedicated equipment is in order or possibly
a pair of pfsense units in a cluster. Truth is, managed switches that route with acls
are significantly more money than what a pfsense box can do.

How many of you guys have implementations which route lan traffic at these speeds
and high volumes? Anyone doing this with lags and a cluster?

Thanks,
jlc

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


[pfSense] pf rule error

2016-08-09 Thread Joseph L. Casale
I recently received an error that the pf table was wedged and had been reset
while making changes. A few days later, a vlan stopped passing dhcp traffic
and a filter reload did not resolve it; I actually had to reboot the unit.

Has anyone seen this, are there configurations known to produce this behavior
or would hardware be the first suspect?

Thanks,
jlc
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] openvpn topology subnet with pfsense 2.2.6 server/2.3 client

2016-04-15 Thread Joseph L. Casale
Does a facility exist to bypass the UI and invoke a static config for an openvpn server?
I do not see a means through the web ui to create a configuration which permits static
addressing in subnet mode.

Thanks,
jlc
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


[pfSense] openvpn topology subnet with pfsense 2.2.6 server/2.3 client

2016-04-14 Thread Joseph L. Casale
I have a 2.2.6 appliance with a server running topology subnet with a pool
defined (172.31.1.0/24) which has "Address Pool" unchecked and a ccd for
a client with a 'push "ifconfig 172.31.1.42 255.255.255.0"' directive.

When a 2.3 client connects, it simply takes the next ip after the server. In the logs
I see my desired ifconfig followed immediately by the auto-generated ifconfig
for the consecutive ip, 172.31.1.2.

openvpn[14229]: PUSH: Received control message: 'PUSH_REPLY,route 192.168.0.0 255.255.0.0,route-gateway 172.31.1.1,topology subnet,ping 10,ping-restart 60,ifconfig 172.31.1.42 255.255.255.0,ifconfig 172.31.1.2 255.255.255.0'

How do I stop the server from pushing an ifconfig directive outside the one
defined in the ccd? I assumed unsetting "Address Pool" was required, but it
does not make a difference?

Thanks,
jlc
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] Redundant appliances with dynamic wans

2015-08-09 Thread Joseph L. Casale
> hi joseph,
>
> i use for this scenario two pfsense appliances.
>
> the devices are two apu.1d4 with 4 gb ram,
> 16 gb msata harddisk and 3 nics.
>
> internal network ( about 30 vlan ) vlans are on the core router with default gateway pfsense
> appliance.
>
> for internet access i have two providers. i configured the wan interfaces with dhcp and
> create a loadbalancing gateway over two wan interfaces for internet access.
>
> ha synchronisation is over lan interface with carp.
>
> it works fine...

Hi Ali,
So in my non load balanced setup, I presume I can simply add the single dynamic
wan gw to a group and then make the group's virtual ip a carp member. Seems
there are some caveats to the virtual ip chosen, I am reading up on that.

Thanks for the suggestion,
jlc

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


[pfSense] Backup and rrd option

2014-08-07 Thread Joseph L. Casale
I have a server that includes the rrddata element when choosing not to backup this data
and duplicates it when you do backup rrd data. I had a look through the issue tracker and
did not see anything open or recent that is related.

Anyone seen this before?

Thanks,
jlc
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] Backup and rrd option

2014-08-07 Thread Joseph L. Casale
> I have a server that includes the rrddata element when choosing not to backup this data
> and duplicates it when you do backup rrd data. I had a look through the issue tracker and
> did not see anything open or recent that is related.
>
> Anyone seen this before?

Had a chance to look at this again, it was a result of a manual restore of a conf file
with rrddata; removing that element brought the expected behavior back.

jlc
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list


[pfSense] Restoring config

2014-07-29 Thread Joseph L. Casale
I had to restore a config from a 2.1.4 system to new hardware. The original system had
vlans and as expected the restore prompted to re-assign the opt interfaces as the nic
types were different but I had to reset the vlans first. After rebooting, it kept asking for
the wan/lan assignment and after which only a few opt interfaces showed up.

I ended up renaming the nic abbreviations in a backup config and manually moving that in
place and rebooting which worked fine. Given how easy that was, I'm not inclined to worry
but I am not sure how robust that approach might be for all possible configs.

Anyone know why the interface assignments may have gone awry?

Thanks,
jlc
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] Restoring config

2014-07-29 Thread Joseph L. Casale
> The new hardware has new MAC Addresses - they are assigned based on the MAC
> and not LAN1, LAN2 and LAN3.

Not from the two systems I just checked...
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] pfSense 2.1-RELEASE and Gold Subscription Now Available!

2013-09-15 Thread Joseph L. Casale
> I assume this is why snapshots.pfsense.org is offline (or at least not
> answering) right now?

In the release announcement are links to upgrade binaries; not all the mirrors are populated
yet, find one. In the same rel announcement is an upgrade guide link that explains how to
perform the upgrade manually if you need to.

___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] Question about only routing specific traffic through Mobile VPN connection on pfSense 2

2013-01-03 Thread Joseph L. Casale
> Hello,
>
> Thanks, but I believe what you are referring to is only an option for an
> OpenVPN connection. I am referring to Mobile IPSEC, as described at:
> http://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0


Oops, my bad. Check 'Provide a list of accessible networks to clients' in
the Mobile Clients Tab, I just tested that and external access worked and
the traffic wasn't seen on the pfsense side.


HTH,
jlc
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] Question about only routing specific traffic through Mobile VPN connection on pfSense 2

2013-01-02 Thread Joseph L. Casale
> Is there any way to change this so only traffic destined for the pfSense
> LAN is routed through the mobile IPSEC connection?


Certainly, uncheck 'Redirect Gateway', define 'Local Network' as required and
push only the applicable additional routes to the client if any...


jlc
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] Openvpn site to site problem

2012-12-20 Thread Joseph L. Casale
> lan1 192.168.9.0  --- pfsense1 (client openvpn) -- pfsense2
> (server openvpn) -- lan 2 192.168.8.0
>
> /var/etc/openvpn/server1.conf
>
> route 192.168.9.0 255.255.255.0
> push route 192.168.8.0 255.255.255.0

This looks right.


> /var/etc/openvpn-csc/fw-target
>
> iroute 192.168.9.0 255.255.255.0

You're not pushing the route for the clients on the other side?
Also, you're not setting up a known tunnel interface, can't filter now...


> /var/etc/openvpn/client2.conf
>
> ifconfig 10.0.8.2 10.0.8.1
> route 192.168.8.0 255.255.255.0

No need for this, the server can be authoritative for all configuration using ccd.

If you plan to filter eventually, do not use client-to-client, see:
http://lists.pfsense.org/pipermail/list/2012-July/002587.html

In a server config, a route statement adds a route to the local system routing table.
A push route pushes one to the clients. These directives route packets from the kernel
to the OpenVPN process. The iroute directive then routes to the specific client.

I often see with client-to-client issues that tcpdump brings to light instantly. If you
set the interface to listen on the pfsense box to the tun dev and start pinging a remote
host, you can see if the traffic gets that far, then for example on the remote host as
well. If you see it there, there is likely no return route, etc. It usually doesn't take long
to sort this out.

jlc
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list
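The route / push route / iroute relationship and the client-to-client caveat described in the reply above can be checked mechanically. The following is an added example, not pfSense's or OpenVPN's own code; it lints a server config against its ccd files using only the rules stated in the thread. The config text and the second site (fw-branch2, 192.168.10.0/24) are constructed for the example, and the "not pushed" rule is a heuristic for multi-site setups where other clients must reach a LAN behind one client.

```python
"""Lint an OpenVPN server config against its client-specific (ccd) overrides.

Added example, not pfSense's or OpenVPN's own code.  The rules encode the
points made in the thread: a network named in a client's iroute must also
have a kernel 'route' in the server config (otherwise packets never enter
the OpenVPN process), a remote LAN that other sites must reach should be
pushed to them, and client-to-client keeps tunnel traffic inside the
OpenVPN process where pf cannot filter it.
"""
import shlex

# Constructed sample inputs modelled on the thread's addresses (not real files).
SERVER_CONF = """\
dev tun
server 10.0.8.0 255.255.255.0
route 192.168.9.0 255.255.255.0
push "route 192.168.8.0 255.255.255.0"
client-config-dir /var/etc/openvpn-csc
"""

CCD_FILES = {
    "fw-target": "iroute 192.168.9.0 255.255.255.0\n",
    # hypothetical second site whose LAN has no 'route' on the server
    "fw-branch2": "iroute 192.168.10.0 255.255.255.0\n",
}


def parse_directives(text):
    """Return (directive, args) tuples; 'push "route a b"' becomes ('push', ('route', 'a', 'b'))."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = shlex.split(line)
        if parts[0] == "push":
            # the pushed option may be quoted or bare; flatten either form
            out.append(("push", tuple(" ".join(parts[1:]).split())))
        else:
            out.append((parts[0], tuple(parts[1:])))
    return out


def lint(server_conf, ccd_files):
    """Return a list of human-readable findings for the given configs."""
    srv = parse_directives(server_conf)
    kernel_routes = {a for d, a in srv if d == "route"}
    pushed_routes = {a[1:] for d, a in srv if d == "push" and a and a[0] == "route"}
    findings = []
    for name, text in ccd_files.items():
        for d, net in parse_directives(text):
            if d != "iroute":
                continue
            pretty = " ".join(net)
            if net not in kernel_routes:
                findings.append(f"{name}: iroute {pretty} has no matching 'route' in the server config")
            if net not in pushed_routes:
                findings.append(f"{name}: {pretty} is not pushed to the other clients")
    if any(d == "client-to-client" for d, _ in srv):
        findings.append("server: client-to-client is set, tunnel traffic will bypass pf")
    return findings


if __name__ == "__main__":
    for finding in lint(SERVER_CONF, CCD_FILES):
        print(finding)
```

Run against the sample, it reports that 192.168.9.0/24 is never pushed to other clients and that fw-branch2's iroute has no kernel route, which are exactly the two gaps tcpdump on the tun device would otherwise have to reveal.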


[pfSense] MTU/stability issues

2012-05-05 Thread Joseph L. Casale
We switched providers and are utilizing a 3 way bonded dsl setup aggregated
behind a Mikrotik unit.

I am seeing some less than expected throughput and certain types of connections
like rdp/rsync are hanging and need to be restarted.

The provider suggested setting the MTU on the wan link to 1460 but when I do
this, almost all connectivity is hampered.

Anyone running similar setups and have any insight?

Thanks,
jlc
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] MTU/stability issues

2012-05-05 Thread Joseph L. Casale
> You don't want MTU, you want MSS clamping.

Appreciate the confirmation, some reading and trial and error had me try this and I am
running at a value of 1360 which has more than tripled my outbound throughput.

How does this affect the similar settings available in an Openvpn instance passing
through this interface, I presume --mssfix should be set equivalently?

Before I set the mss value on the wan int, I ran an mtu-test in one of the openvpn
instances which suggested the default value (1557) was ok, and rerunning after setting
mss on the wan int showed no change.

Thanks,
jlc
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list
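The distinction drawn in the exchange above (lowering the MTU versus clamping the MSS) is easiest to see at the byte level. The following is an added example, not pfSense's or pf's own code: it computes a clamp value from a link MTU and rewrites the MSS option of a constructed TCP SYN the way a firewall's MSS clamp does, using the thread's value of 1360 as the clamp.

```python
"""Clamp the TCP MSS option in a SYN, the way a firewall's MSS clamp does.

Added example, not pfSense's or pf's own code.  It shows what the MSS value
discussed in the thread actually changes on the wire: the MSS option in a
TCP SYN/SYN-ACK is lowered so that each segment fits the path MTU.  The
option bytes below are constructed.
"""
import struct

IPV4_TCP_HEADERS = 40   # 20-byte IPv4 header + 20-byte TCP header, no options


def mss_for_mtu(mtu, encap_overhead=0):
    """Largest TCP payload per packet for a link MTU, after IPv4/TCP headers
    and any extra encapsulation bytes (e.g. PPPoE or a VPN header)."""
    return mtu - IPV4_TCP_HEADERS - encap_overhead


def clamp_mss_option(options, max_mss):
    """Walk the TCP options (kind, length, value) and lower an MSS option
    (kind 2) that exceeds max_mss.  Returns (new_options, original_mss);
    original_mss is None when the SYN carried no MSS option."""
    out = bytearray(options)
    original = None
    i = 0
    while i < len(out):
        kind = out[i]
        if kind == 0:                      # End of Option List
            break
        if kind == 1:                      # NOP: single byte, no length field
            i += 1
            continue
        if i + 1 >= len(out):
            raise ValueError("truncated TCP option")
        length = out[i + 1]
        if length < 2 or i + length > len(out):
            raise ValueError("malformed TCP option length")
        if kind == 2 and length == 4:      # MSS option carries a 2-byte value
            original = struct.unpack("!H", bytes(out[i + 2:i + 4]))[0]
            if original > max_mss:
                out[i + 2:i + 4] = struct.pack("!H", max_mss)
        i += length
    return bytes(out), original


# Constructed SYN options: MSS 1460, NOP, window scale 7, SACK permitted.
SYN_OPTIONS = bytes.fromhex("020405b4010303070402")

if __name__ == "__main__":
    clamped, seen = clamp_mss_option(SYN_OPTIONS, 1360)   # clamp value from the thread
    print(f"MSS {seen} -> {clamped.hex()}")
```

Only the two MSS bytes change (05b4 becomes 0550); the window scale and SACK options pass through untouched, and a SYN without an MSS option is left alone. This is why clamping helps where a lower interface MTU hurts: the endpoints keep their MTU, they simply agree on smaller segments.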


Re: [pfSense] VMWare maximum of 10 vnics

2012-03-06 Thread Joseph L. Casale
> I'm currently trying to configure pfSense firewall in a VMWare machine.
> There is apparently a limit of 10 vNICs on Vsphere 5, but I would need
> this firewall to access 11 networks. Since all the networks in VMWare
> are already tagged vlans, I don't really see how to overcome this limit.

Don't see the issue? Set the vSwitch vlan to All then assign the vlans
inside pfSense all to one or max 10 nics.

What's your vSphere net config look like?
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] OpenVPN - site to site questions

2012-02-26 Thread Joseph L. Casale
> For each tunnel with different ip ranges it's necessary to use a unique
> OpenVPN server.

I don't, I have several remote sites that connect to one instance, each has
its own /30 assigned via client configs. There are rules defined with source/dest
that control which sites see what on which other sites.

The key here is iroute and 'not' client-to-client, see the man page for openvpn for
the important bits on why this works. The important factor that allows filtering (without
the use of openvpn's internal packet filter that isn't very configurable) is not to use
client-to-client, or the packets never leave the openvpn process and are therefore not
subject to the kernel's filtering rules.

Keep in mind the appearance of connections from each site depending on where they
originate. A connection from a remote site's lan node appears at pfSense with its own ip
whereas a connection initiating from the node instantiating the vpn appears from its
defined p-t-p address based on the Client Specific Override parameters you setup.

jlc
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


[pfSense] Multiwan with same gateway

2011-10-07 Thread Joseph L. Casale

I have a situation where I need multiple wan ip addresses, the site has several
reserved ip's handed out by a dhcp server, but they all share the same gateway.

I'm not aware of any way to do this with multiple opt interfaces, a virtual ip won't work
as far as I know since it needs its ip dynamically assigned.

Any ideas around this scenario?
 
Thanks,
jlc
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list