Re: [pfSense] Planning upgrade from 2.0.1-RELEASE to 2.2.6-RELEASE
Your limiters will no longer function if you are planning to continue using NAT. Here is a link to the bug:
https://redmine.pfsense.org/issues/4326

¯\_(ツ)_/¯
Ryan Clough
Information Systems
Decision Sciences
<http://www.decisionsciencescorp.com/>

On Tue, Jan 26, 2016 at 9:04 PM, Ugo Bellavance wrote:

> Hi,
>
> We're in the process of planning the upgrade of our main site's pfSense
> firewall. It is currently running 2.0.1-RELEASE and we want it to be at the
> latest version. It is running in a VMWare VM (amd64).
>
> I'm currently using these packages:
>
> - AutoConfigBackup
> - darkstat
> - mailreport
> - NRPE v2 (installed but not used yet)
> - OpenVPN Client Export Utility
> - pfBlocker
>
> Other features:
>
> - 2 limiters
>   - To limit the bandwidth that can be used for Windows Updates
>   - To limit the bandwidth that can be used by the proxy
> - IPv4 only
> - Load balancing (configured, working, but not in production yet)
> - Single WAN
> - 7 NICS (em), including 1 that passes all the VLANS, 6 VLAN interfaces
> - Virtual IPs on WAN and on another (internal) interface
> - NAT on WAN and on another (internal) interface
> - SNMP
> - 2 site-to-site IPSec tunnels
> - 1 site-to-site OpenVPN tunnels (client)
> - 1 OpenVPN road warriors config (1 user)
> - NTP configured but not used
>
> Is there something that doesn't look good for this upgrade?
>
> Thanks,
>
> Ugo

--
This email and its contents are confidential. If you are not the intended recipient, please do not disclose or use the information within this email or its attachments. If you have received this email in error, please report the error to the sender by return email and delete this communication from your records.

pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

[pfSense] pfBlocker + Transparent Squid/SquidGuard
I am having an issue using pfBlocker with transparent Squid. If I allow users on interface, pfBlocker rules are somehow bypassed and I am able to access IPs from blocked countries. Has anyone else run into this? I would be happy to provide any info that may help.

Here is some preliminary info:

2.2.5-RELEASE (amd64)
built on Wed Nov 04 15:49:37 CST 2015
FreeBSD 10.1-RELEASE-p24

Packages:

- AutoConfigBackup 1.34
- Cron 0.3.4
- mailreport 2.3_1
- ntopng 0.8.2
- OpenVPN Client Export Utility 1.3.0
- pfBlockerNG 2.0.4
- Sarg 0.6.10
- squid 4.3.10
- squidGuard 1.9.18
- suricata 2.1.9.1

Thanks in advance,

¯\_(ツ)_/¯
Ryan Clough
Information Systems
Decision Sciences International Corporation
<http://www.decisionsciencescorp.com/>

Re: [pfSense] Lost limiter config after upgrade
Might also depend on how the limiters are being used and how the rest of the router is configured. I have been up against this bug for at least six months:
https://redmine.pfsense.org/issues/4326

¯\_(ツ)_/¯
Ryan Clough
Information Systems
Decision Sciences International Corporation
<http://www.decisionsciencescorp.com/>

On Sun, Dec 13, 2015 at 5:29 PM, ED Fochler wrote:

> Limiters work on 2.2.4, I’m using them. But I didn’t upgrade, I created
> the limiters on 2.2.4. Are you asking if limiters work? Or are you just
> noting that they don’t cleanly upgrade? If you create them through the GUI
> and link them in with the firewall rules, do they work now?
>
> ED.
>
> > On 2015, Dec 12, at 1:43 PM, Ugo Bellavance wrote:
> >
> > Hi,
> >
> > We upgraded from 2.0.1-RELEASE to 2.2.4-RELEASE and the limiter that
> > worked on 2.0.1 stopped working. This limiter (and sub-limiters) is
> > located on an inside interface and its role is to limit the traffic that
> > can come in. This firewall is at a remote site and we replicate backups
> > there. We use this limiter because the bandwidth at the remote site is
> > higher than at our main site. Using this limiter avoids saturating our
> > main site's WAN link and cause slowdowns.
> >
> > Looking at the config diffs, it looks like the tags have
> > changed during the upgrade. It looked like ?1 and ?2 and now it looks like
> > labels. Also, the tag seem to include more stuff now.
> >
> > It was 28 and now it looks like
> >
> > 28
> > Mb
> > none
> >
> > Thanks,
> >
> > Ugo

Re: [pfSense] Internal Clock Broke
Not sure exactly which zone was configured prior to the update but we are in the Pacific time zone.

¯\_(ツ)_/¯
Ryan Clough
Information Systems
Decision Sciences International Corporation
<http://www.decisionsciencescorp.com/>

On Mon, Jun 29, 2015 at 11:41 AM, Chris Buechler wrote:

> On Sat, Jun 27, 2015 at 7:27 PM, Ryan Clough wrote:
> > Check your Timezone on the System::General Settings page. After I upgraded
> > it had been reset to Africa/Abidjan.
>
> 2.2.3 got updated tz data. That's what would happen if you were using
> a timezone that's no longer included in the tz data. The system would
> likely be on GMT in that circumstance. When browsing to that page,
> it'd just show you the first in the list as there wouldn't be a
> matching one to get selected. Do you know what zone you were on
> previously?

Re: [pfSense] Internal Clock Broke
Check your Timezone on the System::General Settings page. After I upgraded it had been reset to Africa/Abidjan. So far this has been the only issue I have had upgrading from 2.2.2 to 2.2.3.

Thank you very much pfSense team! We all appreciate your hard work!

¯\_(ツ)_/¯
Ryan Clough
Information Systems
Decision Sciences International Corporation
<http://www.decisionsciencescorp.com/>

On Thu, Jun 25, 2015 at 7:54 PM, Brian Caouette wrote:

> Anyone else notice the clock is broke on 2.2.3? Anything time related is
> seriously off. It seems to be about 4 hours early. I also notice the
> time/date change today. It went from the 25th to the 26th and back to the
> 25th. Can anyone else look at their logs and confirm? Mail reports sent the
> logs to email 4 hours early too.
>
> Brian Caouette

Re: [pfSense] "Packages are currently being reinstalled in the background." since last night... nothing showing on the console...
On my box there was a very long running "rm" process while packages were being reinstalled.

Ryan Clough
Information Systems
Decision Sciences International Corporation
<http://www.decisionsciencescorp.com/>

On Wed, Mar 18, 2015 at 1:29 PM, WebDawg wrote:

> On Wed, Mar 18, 2015 at 1:12 PM, Tiernan OToole wrote:
>
> > A reboot seems to have solved the problem here… I had Sarg, Squid3 and
> > a few others installed. I did notice that before the reboot, if I went into
> > system/packages, I got a message saying packages were being installed…
> >
> > The packages I have are:
> >
> > Bandwidthd
> > Ntopng
> > OpenVPN client Export utility
> > Sarg
> > Snort
> > Squid3
> > Squidguard
> > TFTP
> >
> > --Tiernan
>
> I remember an upgrade that took many hours because of the huge amount of
> sarg reports I had. Anyone know why the entire file system is scanned
> before upgrade? Or am I just wrong this is why. I deleted the sarg
> reports, started again, and it was smooth.

Re: [pfSense] "Packages are currently being reinstalled in the background." since last night... nothing showing on the console...
The documentation for updating pfSense firmware recommends noting and removing all installed packages before updating[1]. Then, after a successful update, reinstall the packages that were noted. I have had very good success using this method; however, I updated to 2.2.1 last night without removing installed packages and after the reboot it took about 2 hours for my Intel(R) Atom(TM) CPU C2758 @ 2.40GHz with a 7200RPM pfSenseMirror to complete the package re-installation. Other than a little hiccup with Sarg, all is well. I would, if you can, just wait it out.

[1] https://doc.pfsense.org/index.php/Upgrade_Guide

Ryan Clough
Information Systems
Decision Sciences International Corporation
<http://www.decisionsciencescorp.com/>

On Wed, Mar 18, 2015 at 2:55 AM, Tiernan OToole wrote:

> Morning all.
>
> Since I like being on the "bleeding edge" of technology, as soon as the
> new version of PFSense 2.2.1 was released yesterday, I downloaded and
> installed it on my existing 2.2 box. I told it to do a full backup before
> installing, waiting about 10 min and heard my server reboot (2 or 3 beeps,
> then lots of fans, then about 5 min later the usual PFSense "boot" charms).
>
> I was looking at the boot sequence over KVMoIP and it started to install
> packages in the background. This took another 10 min... and all was good.
>
> This morning I logged into the box (both over kvm and web interface) and
> the web gives me the following notice:
>
> Packages are currently being reinstalled in the background.
> Do not make changes in the GUI until this is complete.
>
> but there is nothing showing on the console... I'm not in the house
> currently, so rebooting is iffy (and I won't have KVM access if I do
> reboot). Is it a good idea to reboot if this shows? Any idea what's going on
> here?
>
> Thanks.
>
> --Tiernan

[pfSense] Traffic routing issue
I am hoping that one of you out there can assist me with this rather interesting problem I am having. Let me set the stage.

I am running the latest stable version of pfSense:

2.1.5-RELEASE (amd64)
built on Mon Aug 25 07:44:45 EDT 2014
FreeBSD 8.3-RELEASE-p16

I am running transparent Squid and Squidguard, and all IP ranges have access to use the proxy. I have two WAN connections, each with a handful of public IPs. I have created an IP alias virtual IP of one of my public IPs on WAN1, which is used to NAT to a web server.

We have an internal DNS server that resolves the domain name of a web server to the local LAN IP address. So, all computers on unrestricted VLANs access the web server without having to hit the pfSense router at all. This works as expected and the valid certificate is served and the web page loads. We have one restricted VLAN that is used for guest WiFi access and this VLAN is assigned external DNS servers and therefore resolves the domain name to the public IP.

Now my problem. When connected to the guest WiFi on the restricted VLAN and attempting to access the web server on its public IP, which is assigned to a virtual IP on WAN1, I get served the certificate from the pfSense router. I can tell that this is the pfSense self-signed certificate because of the details of the certificate displayed in the warning. I also get this behavior if I force a computer on an unrestricted VLAN, using the hosts file, to resolve the host name of the web server to its public IP.

What is going on here? I can provide more information if needed. Thank you for your time.

Ryan Clough
Information Systems
Decision Sciences International Corporation
<http://www.decisionsciencescorp.com/>

Re: [pfSense] NIC support
Thanks for your quick reply, Vick. By "looking", I mean I have not yet purchased one but have a quote from our supplier. I have looked at the C2758 but one of my requirements is RAID1. Also, I am not comfortable deploying an SSD that will be running Squid. This router needs to have the capability to run for years with minimal maintenance. We are planning to deploy this as part of one of our products. Thanks again for your help.

Ryan Clough
Information Systems
Decision Sciences International Corporation
<http://www.decisionsciencescorp.com/>

On Mon, Oct 13, 2014 at 10:39 AM, Vick Khera wrote:

> On Mon, Oct 13, 2014 at 1:17 PM, Ryan Clough wrote:
> > I am looking at the HP ProLiant DL320e Gen8 v2 and having trouble
> > determining whether or not the hardware is supported by pfSense
> > 2.1.5-RELEASE. I found this
> > thread (https://forum.pfsense.org/index.php?topic=71523.0)
> > and it seems like I am going to have trouble with drivers. Here are the
> > three hardware components that concern me:
>
> In general HP servers work really well with FreeBSD.
>
> When you say "looking" are you in possession of one and need to make
> it work, or are you about to buy one? Is there some specific
> requirement about that hardware that makes you want to get it over
> anything else?
>
> I personally have found that the C2758 sold by both netgate and
> pfsense directly to be a spectacularly capable device and it is fairly
> priced and includes support. I would recommend that based on what
> you've described above unless there's some other special need you
> have.

[pfSense] NIC support
I am looking at the HP ProLiant DL320e Gen8 v2 and having trouble determining whether or not the hardware is supported by pfSense 2.1.5-RELEASE. I found this thread (https://forum.pfsense.org/index.php?topic=71523.0) and it seems like I am going to have trouble with drivers. Here are the three hardware components that concern me:

- HP B120i on-board SATA controller
- HP 332i on-board 2-port NIC (Broadcom BCM5720 chipset)
- HP 361T PCIe 2-port NIC (Intel I350 chipset)

Can anyone confirm or deny this hardware's compatibility? Anyone out there running on a Gen8 v2? I do not have the option to run pfSense in a virtual environment.

Thanks,
Ryan